[PATCH GnuPG STABLE-BRANCH-2-4] gpg: Sync compliance mode cleanup with master

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Feb 4 05:52:59 CET 2025 

* g10/gpg.c (set_compliance_option): Clean up option settings for
compliance modes.
* doc/gpg.texi: note that --allow-old-cipher-algos must come after any
compliance setting.

--

This makes it possible to reset all options affected by any non-gnupg
compliance mode to their default values by using --compliance=gnupg.

This synchronizes the compliance mode behaviors with the master
branch, including commits:

- 54a8770aeb20eb9e18b5e95e51c376ec7820f8f6
- 0bdf5859935e3db15baaf5d0d96b723ddbd2acd5
- 04d58ff8475575f22a5ee1fb8c4f2c2dca0b5522
- aa46ba28ba75fc479b407c572c723b51b22d4a73
- 4b2729b983bf3c6c1186ebdf1962f64d8cb1b3a1
- c2ff47d5bcd2953fc2095ef2242af2c7e9cd4420

GnuPG-Bug-id: 7501
Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
---
 doc/gpg.texi |  4 +++-
 g10/gpg.c    | 51 +++++++++++++++++++++++++++++----------------------
 2 files changed, 32 insertions(+), 23 deletions(-)

diff --git a/doc/gpg.texi b/doc/gpg.texi
index 7e80a293a..474ed66ac 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -3691,7 +3691,9 @@ blocks of 64 bits; modern algorithms use blocks of 128 bit instead.
 To avoid certain attack on these old algorithms it is suggested not to
 encrypt more than 150 MiByte using the same key.  For this reason gpg
 does not allow the use of 64 bit block size algorithms for encryption
-unless this option is specified.
+unless this option is specified.  Some compliance modes already set or
+clear this flag and thus this flag should be used after a compliance
+mode setting.
 
 @item --allow-weak-digest-algos
 @opindex allow-weak-digest-algos
diff --git a/g10/gpg.c b/g10/gpg.c
index 1a96db989..d9daade72 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -2265,17 +2265,14 @@ set_compliance_option (enum cmd_and_opt_values option)
 {
   switch (option)
     {
-    case oOpenPGP:
-    case oRFC4880:
-      /* This is effectively the same as RFC2440, but with
-         "--enable-dsa2 --no-rfc2440-text --escape-from-lines
-         --require-cross-certification". */
-      opt.compliance = CO_RFC4880;
-      opt.flags.dsa2 = 1;
+    case oGnuPG:
+      /* set up default options affected by policy compliance: */
+      opt.compliance = CO_GNUPG;
+      opt.flags.dsa2 = 0;
       opt.flags.require_cross_cert = 1;
       opt.rfc2440_text = 0;
-      opt.allow_non_selfsigned_uid = 1;
-      opt.allow_freeform_uid = 1;
+      opt.allow_non_selfsigned_uid = 0;
+      opt.allow_freeform_uid = 0;
       opt.escape_from = 1;
       opt.not_dash_escaped = 0;
       opt.def_cipher_algo = 0;
@@ -2283,35 +2280,45 @@ set_compliance_option (enum cmd_and_opt_values option)
       opt.cert_digest_algo = 0;
       opt.compress_algo = -1;
       opt.s2k_mode = 3; /* iterated+salted */
+      opt.s2k_digest_algo = 0;
+      opt.s2k_cipher_algo = DEFAULT_CIPHER_ALGO;
+      break;
+    case oOpenPGP:
+    case oRFC4880:
+      set_compliance_option (oGnuPG);
+      /* This is effectively the same as RFC2440, but with
+         "--enable-dsa2 --no-rfc2440-text --escape-from-lines
+         --require-cross-certification". */
+      opt.compliance = CO_RFC4880;
+      opt.flags.dsa2 = 1;
+      opt.allow_non_selfsigned_uid = 1;
+      opt.allow_freeform_uid = 1;
       opt.s2k_digest_algo = DIGEST_ALGO_SHA1;
       opt.s2k_cipher_algo = CIPHER_ALGO_3DES;
       opt.flags.allow_old_cipher_algos = 1;
       break;
     case oRFC2440:
+      set_compliance_option (oGnuPG);
       opt.compliance = CO_RFC2440;
-      opt.flags.dsa2 = 0;
+      opt.flags.require_cross_cert = 0;
       opt.rfc2440_text = 1;
       opt.allow_non_selfsigned_uid = 1;
       opt.allow_freeform_uid = 1;
       opt.escape_from = 0;
-      opt.not_dash_escaped = 0;
-      opt.def_cipher_algo = 0;
-      opt.def_digest_algo = 0;
-      opt.cert_digest_algo = 0;
-      opt.compress_algo = -1;
-      opt.s2k_mode = 3; /* iterated+salted */
       opt.s2k_digest_algo = DIGEST_ALGO_SHA1;
       opt.s2k_cipher_algo = CIPHER_ALGO_3DES;
       opt.flags.allow_old_cipher_algos = 1;
       break;
-    case oPGP7:  opt.compliance = CO_PGP7;  break;
-    case oPGP8:  opt.compliance = CO_PGP8;  break;
-    case oGnuPG:
-      opt.compliance = CO_GNUPG;
+    case oPGP7:
+      set_compliance_option (oGnuPG);
+      opt.compliance = CO_PGP7;
+      break;
+    case oPGP8:
+      set_compliance_option (oGnuPG);
+      opt.compliance = CO_PGP8;
       break;
-
     case oDE_VS:
-      set_compliance_option (oOpenPGP);
+      set_compliance_option (oGnuPG);
       opt.compliance = CO_DE_VS;
       /* We divert here from the backward compatible rfc4880 algos.  */
       opt.s2k_digest_algo = DIGEST_ALGO_SHA256;
-- 
2.47.2

More information about the Gnupg-devel mailing list