author | Werner Koch <wk@gnupg.org> | 2021-02-10 14:31:34 +0100 |
---|---|---|
committer | Werner Koch <wk@gnupg.org> | 2021-02-10 14:40:02 +0100 |
commit | 825dd7220ff6079cbe2d0df7fde93526c077fb6d (patch) | |
tree | 8326478d78d1c32eebe440eaa99298dca77e11e4 /g10/encrypt.c | |
parent | Remove obsolete M4 macros. (diff) | |
gpg: Do not allow old cipher algorithms for encryption.
* g10/gpg.c: New option --allow-old-cipher-algos.
(set_compliance_option): Set --rfc4880bis explicitly to SHA256 and
AES256. Allow old cipher algos for OpenPGP, rfc4880, and rfc2440.
* g10/options.h (opt): Add flags.allow_old_cipher_algos.
* g10/misc.c (print_sha1_keysig_rejected_note): Always print the note
unless in --quiet mode.
* g10/encrypt.c (setup_symkey): Disallow by default algos with a
blocklength < 128.
(encrypt_crypt): Ditto. Fallback by default to AES instead of 3DES.
* g10/pkclist.c (algo_available): Take care of old cipher also.
(select_algo_from_prefs): Use AES as implicit algorithm by default.
* tests/openpgp/defs.scm (create-gpghome): Set allow-old-cipher-algos.
--
GnuPG-bug-id: 3415
Diffstat (limited to 'g10/encrypt.c')
-rw-r--r-- | g10/encrypt.c | 35 |
1 files changed, 33 insertions, 2 deletions
diff --git a/g10/encrypt.c b/g10/encrypt.c index a021c0e07..388c3db74 100644 --- a/g10/encrypt.c +++ b/g10/encrypt.c @@ -538,6 +538,17 @@ setup_symkey (STRING2KEY **symkey_s2k, DEK **symkey_dek) int s2kdigest; defcipher = default_cipher_algo (); + if (openpgp_cipher_blocklen (defcipher) < 16 + && !opt.flags.allow_old_cipher_algos) + { + log_error (_("cipher algorithm '%s' may not be used for encryption\n"), + openpgp_cipher_algo_name (defcipher)); + if (!opt.quiet) + log_info (_("(use option \"%s\" to override)\n"), + "--allow-old-cipher-algos"); + return gpg_error (GPG_ERR_CIPHER_ALGO); + } + if (!gnupg_cipher_is_allowed (opt.compliance, 1, defcipher, GCRY_CIPHER_MODE_CFB)) { @@ -741,10 +752,18 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename, entry for 3DES, and the pk_list cannot be empty. In this case, use 3DES anyway as it's the safest choice - perhaps the v3 key is being used in an OpenPGP implementation and we know - that the implementation behind any v4 key can handle 3DES. */ + that the implementation behind any v4 key can handle 3DES. + Note that we do not support v3 keys since version 2.2 so the + above description gives only historical background. */ if (cfx.dek->algo == -1) { - cfx.dek->algo = CIPHER_ALGO_3DES; + /* If does not make sense to fallback to the rfc4880 + * required 3DES if we will reject that algo later. Thus we + * fallback to AES anticipating RFC4880bis rules. */ + if (opt.flags.allow_old_cipher_algos) + cfx.dek->algo = CIPHER_ALGO_3DES; + else + cfx.dek->algo = CIPHER_ALGO_AES; } /* In case 3DES has been selected, print a warning if any key 
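Review bot: The block-length guard added in setup_symkey (`openpgp_cipher_blocklen (defcipher) < 16 && !opt.flags.allow_old_cipher_algos` plus the two log calls) is repeated verbatim in the encrypt_crypt hunk at -770, so the policy and its messages can drift apart. A small static helper that takes the algorithm, prints the diagnostics and reports whether it is rejected would keep both call sites in step. Its comment can also record why 16 is the threshold: ciphers with a 64-bit block run into birthday-bound collisions after a moderate amount of data under one key. Both functions continue outside their hunks, so only the helper and the setup_symkey call site are shown.

```c
/* Return true if ALGO has a block length below 128 bits and the user
 * has not set --allow-old-cipher-algos; print the diagnostics then.  */
static int
old_cipher_algo_rejected (int algo)
{
  if (openpgp_cipher_blocklen (algo) >= 16
      || opt.flags.allow_old_cipher_algos)
    return 0;

  log_error (_("cipher algorithm '%s' may not be used for encryption\n"),
             openpgp_cipher_algo_name (algo));
  if (!opt.quiet)
    log_info (_("(use option \"%s\" to override)\n"),
              "--allow-old-cipher-algos");
  return 1;
}

/* … unchanged: setup_symkey declarations … */
  defcipher = default_cipher_algo ();
  if (old_cipher_algo_rejected (defcipher))
    return gpg_error (GPG_ERR_CIPHER_ALGO);
```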
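Review bot: The comment above the fallback in encrypt_crypt still says `use 3DES anyway as it's the safest choice`, but the default branch now assigns `CIPHER_ALGO_AES`, so the paragraph and the code disagree until the reader reaches the appended note. I would rewrite it to state the current rule first (AES unless `opt.flags.allow_old_cipher_algos` is set) and keep the v3-key explanation as a trailing historical remark. The new inner comment also has a typo and should start `/* It does not make sense to fall back to the rfc4880 required 3DES`. The warning that begins on the last context line mentions only 3DES and continues outside the hunk, so it presumably does not cover the AES fallback. A verbose-mode note for the implicit AES choice would help diagnose a recipient who cannot decrypt.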
@@ -770,6 +789,18 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename, cfx.dek->algo = opt.def_cipher_algo; } + if (openpgp_cipher_blocklen (cfx.dek->algo) < 16 + && !opt.flags.allow_old_cipher_algos) + { + log_error (_("cipher algorithm '%s' may not be used for encryption\n"), + openpgp_cipher_algo_name (cfx.dek->algo)); + if (!opt.quiet) + log_info (_("(use option \"%s\" to override)\n"), + "--allow-old-cipher-algos"); + rc = gpg_error (GPG_ERR_CIPHER_ALGO); + goto leave; + } + /* Check compliance. */ if (! gnupg_cipher_is_allowed (opt.compliance, 1, cfx.dek->algo, GCRY_CIPHER_MODE_CFB)) |
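Review bot: The rejection path added here (`rc = gpg_error (GPG_ERR_CIPHER_ALGO); goto leave;`) looks untested in its default state. The commit message says tests/openpgp/defs.scm sets allow-old-cipher-algos in create-gpghome, which would switch the guard off for the whole suite; that file is not part of this diff, so please confirm. A test that encrypts without the option while forcing a 64-bit-block cipher, and expects failure, would pin the new default. The guard sits after the `cfx.dek->algo = opt.def_cipher_algo;` context line, so it also catches a user-forced cipher; a one-line comment such as `/* Also covers a cipher forced via opt.def_cipher_algo. */` would keep a later refactor from moving it above the override. encrypt_crypt starts and ends outside the hunk.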