diff options
| author | Werner Koch <[email protected]> | 2020-11-03 12:55:25 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2020-11-03 14:37:40 +0000 |
| commit | d1f2a6d9f71cf50318f4891c84aeedb975553896 (patch) | |
| tree | 4eb834d41464de4ad8288f7293d7f7ccb6af4dd0 /g10/gpg.c | |
| parent | gpg: Allow setting notations with the empty string as value. (diff) | |
| download | gnupg-d1f2a6d9f71cf50318f4891c84aeedb975553896.tar.gz gnupg-d1f2a6d9f71cf50318f4891c84aeedb975553896.zip | |
gpg: Switch to AES256 for symmetric encryption in de-vs mode.
* g10/gpg.c (set_compliance_option): For AES256 and SHA256 in de-vs
mode.
* g10/encrypt.c (setup_symkey): Add extra compliance check.
(encrypt_simple): Avoid printing a second error oncplinace failure.
--
Because we used the RFC4880 mode as base for the de-vs mode we got
3DES as symmetric encryption algorithm. With the default gnupg mode
that was already used. The new extra compliance checks are added to
detect whether a --personal-cipher-preference or --cipher-algo option
tried to override the algorithms. They are still possible but now
non-compliant algorithms will throw an error.
Manual testing can be done with commands like this:
gpg --no-options --compliance=de-vs \
--personal-cipher-preferences "S1 S7" \
--pinentry-mode loopback -v --passphrase abc -ac </etc/motd
Here the command fails due to IDEA (S1) being the preferred cipher
algorithm. Using "--s2k-digest-algo SHA1" instead of
--personal-cipher-preferences will also fail.
Signed-off-by: Werner Koch <[email protected]>
Diffstat (limited to 'g10/gpg.c')
| -rw-r--r-- | g10/gpg.c | 4 |
1 files changed, 3 insertions, 1 deletions
@@ -2239,7 +2239,9 @@ set_compliance_option (enum cmd_and_opt_values option) set_compliance_option (oOpenPGP); opt.compliance = CO_DE_VS; opt.def_aead_algo = 0; - /* Fixme: Change other options. */ + /* We divert here from the backward compatible rfc4880 algos. */ + opt.s2k_digest_algo = DIGEST_ALGO_SHA256; + opt.s2k_cipher_algo = CIPHER_ALGO_AES256; break; default: |