From d1f2a6d9f71cf50318f4891c84aeedb975553896 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Tue, 3 Nov 2020 13:55:25 +0100
Subject: [PATCH] gpg: Switch to AES256 for symmetric encryption in de-vs mode.

* g10/gpg.c (set_compliance_option): For AES256 and SHA256 in de-vs
mode.
* g10/encrypt.c (setup_symkey): Add extra compliance check.
(encrypt_simple): Avoid printing a second error oncplinace failure.
--

Because we used the RFC4880 mode as base for the de-vs mode we got
3DES as symmetric encryption algorithm.  With the default gnupg mode
that was already used.  The new extra compliance checks are added to
detect whether a --personal-cipher-preference or --cipher-algo option
tried to override the algorithms.  They are still possible but now
non-compliant algorithms will throw an error.

Manual testing can be done with commands like this:

  gpg --no-options --compliance=de-vs \
   --personal-cipher-preferences "S1 S7" \
   --pinentry-mode loopback -v --passphrase abc -ac </etc/motd

Here the command fails due to IDEA (S1) being the preferred cipher
algorithm.  Using "--s2k-digest-algo SHA1" instead of
--personal-cipher-preferences will also fail.

Signed-off-by: Werner Koch <wk@gnupg.org>
---
 g10/encrypt.c | 31 ++++++++++++++++++++++++++++---
 g10/gpg.c     |  4 +++-
 2 files changed, 31 insertions(+), 4 deletions(-)

diff --git a/g10/encrypt.c b/g10/encrypt.c
index 40169e1e5..a021c0e07 100644
--- a/g10/encrypt.c
+++ b/g10/encrypt.c
@@ -325,7 +325,11 @@ encrypt_simple (const char *filename, int mode, int use_seskey)
       if (rc)
         {
           iobuf_close (inp);
-          log_error (_("error creating passphrase: %s\n"), gpg_strerror (rc));
+          if (gpg_err_code (rc) == GPG_ERR_CIPHER_ALGO
+              || gpg_err_code (rc) == GPG_ERR_DIGEST_ALGO)
+            ; /* Error has already been printed.  */
+          else
+            log_error (_("error creating passphrase: %s\n"), gpg_strerror (rc));
           release_progress_context (pfx);
           return rc;
         }
@@ -530,12 +534,33 @@ gpg_error_t
 setup_symkey (STRING2KEY **symkey_s2k, DEK **symkey_dek)
 {
   int canceled;
+  int defcipher;
+  int s2kdigest;
+
+  defcipher = default_cipher_algo ();
+  if (!gnupg_cipher_is_allowed (opt.compliance, 1, defcipher,
+                                GCRY_CIPHER_MODE_CFB))
+    {
+      log_error (_("cipher algorithm '%s' may not be used in %s mode\n"),
+		 openpgp_cipher_algo_name (defcipher),
+		 gnupg_compliance_option_string (opt.compliance));
+      return gpg_error (GPG_ERR_CIPHER_ALGO);
+    }
+
+  s2kdigest = S2K_DIGEST_ALGO;
+  if (!gnupg_digest_is_allowed (opt.compliance, 1, s2kdigest))
+    {
+      log_error (_("digest algorithm '%s' may not be used in %s mode\n"),
+		 gcry_md_algo_name (s2kdigest),
+		 gnupg_compliance_option_string (opt.compliance));
+      return gpg_error (GPG_ERR_DIGEST_ALGO);
+    }
 
   *symkey_s2k = xmalloc_clear (sizeof **symkey_s2k);
   (*symkey_s2k)->mode = opt.s2k_mode;
-  (*symkey_s2k)->hash_algo = S2K_DIGEST_ALGO;
+  (*symkey_s2k)->hash_algo = s2kdigest;
 
-  *symkey_dek = passphrase_to_dek (default_cipher_algo (),
+  *symkey_dek = passphrase_to_dek (defcipher,
                                    *symkey_s2k, 1, 0, NULL, &canceled);
   if (!*symkey_dek || !(*symkey_dek)->keylen)
     {
diff --git a/g10/gpg.c b/g10/gpg.c
index ae890ca9e..79732abef 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -2239,7 +2239,9 @@ set_compliance_option (enum cmd_and_opt_values option)
       set_compliance_option (oOpenPGP);
       opt.compliance = CO_DE_VS;
       opt.def_aead_algo = 0;
-      /* Fixme: Change other options.  */
+      /* We divert here from the backward compatible rfc4880 algos.  */
+      opt.s2k_digest_algo = DIGEST_ALGO_SHA256;
+      opt.s2k_cipher_algo = CIPHER_ALGO_AES256;
       break;
 
     default: