Diffusion GnuPG d1f2a6d9f71c

gpg: Switch to AES256 for symmetric encryption in de-vs mode.

Description

gpg: Switch to AES256 for symmetric encryption in de-vs mode.

* g10/gpg.c (set_compliance_option): For AES256 and SHA256 in de-vs
mode.
* g10/encrypt.c (setup_symkey): Add extra compliance check.
(encrypt_simple): Avoid printing a second error on compliance failure.

Because we used the RFC4880 mode as base for the de-vs mode we got
3DES as symmetric encryption algorithm. With the default gnupg mode
that was already used. The new extra compliance checks are added to
detect whether a --personal-cipher-preference or --cipher-algo option
tried to override the algorithms. They are still possible but now
non-compliant algorithms will throw an error.

Manual testing can be done with commands like this:

  gpg --no-options --compliance=de-vs \
    --personal-cipher-preferences "S1 S7" \
    --pinentry-mode loopback -v --passphrase abc -ac </etc/motd

Here the command fails due to IDEA (S1) being the preferred cipher
algorithm. Using "--s2k-digest-algo SHA1" instead of
--personal-cipher-preferences will also fail.

  • Signed-off-by: Werner Koch <wk@gnupg.org>
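
The manual test above, wrapped into a small repeatable check. This is an added example, not part of the commit or of GnuPG's test suite; the function names devs_case and devs_suite and the GPG variable are made up here, and the expectation that the run without overrides succeeds is an assumption drawn from the message's statement that de-vs mode now selects AES256 and SHA256.

```shell
#!/bin/sh
# Added example: repeatable version of the manual de-vs test.
# GPG selects the binary under test (assumption: "gpg" on PATH by default).
GPG=${GPG:-gpg}

# devs_case EXPECT [GPG-OPTIONS...]
#   EXPECT is "ok" or "fail". Symmetrically encrypts a constructed plaintext
#   in de-vs mode with the extra options and returns 0 when gpg's exit
#   status matches EXPECT. On a mismatch gpg's diagnostics go to stderr.
devs_case() {
    expect=$1; shift
    if err=$(printf 'constructed test plaintext\n' |
             "$GPG" --no-options --compliance=de-vs \
                    --pinentry-mode loopback --passphrase abc \
                    "$@" -ac 2>&1 >/dev/null)
    then got=ok
    else got=fail
    fi
    [ "$got" = "$expect" ] || printf '    %s\n' "$err" >&2
    [ "$got" = "$expect" ]
}

# devs_suite
#   Runs the two overrides the commit message says must now fail, plus a
#   baseline without overrides. Returns non-zero if any case misbehaves.
devs_suite() {
    rc=0
    devs_case ok ||
        { echo "FAIL: de-vs baseline was rejected" >&2; rc=1; }
    devs_case fail --personal-cipher-preferences "S1 S7" ||
        { echo "FAIL: IDEA (S1) preference was accepted" >&2; rc=1; }
    devs_case fail --s2k-digest-algo SHA1 ||
        { echo "FAIL: SHA1 S2K digest was accepted" >&2; rc=1; }
    return $rc
}
```

Source the file and call devs_suite; set GPG to the path of a freshly built binary to check it instead of the installed one.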

Details

Provenance
werner Authored on Nov 3 2020, 1:55 PM
Parents
rGe1bafa3574cc: gpg: Allow setting notations with the empty string as value.