* keygen.c (get_parameter_algo): Never allow generation of the

deprecated RSA-E or RSA-S flavors of PGP RSA. (ask_algo): Allow generation of RSA sign and encrypt in expert mode. Don't allow ElGamal S+E unless in expert mode. * helptext.c: Added entry keygen.algo.rsa_se.
2024-11-04 20:38:50 +01:00 · 2002-05-07 07:24:29 +00:00 · 2002-05-07 07:24:29 +00:00 · 0295445a4c
commit 0295445a4c
parent 2e56b988c8
3 changed files with 34 additions and 4 deletions
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@ -1,3 +1,11 @@
+2002-05-07  Werner Koch  <wk@gnupg.org>
+
+	* keygen.c (get_parameter_algo): Never allow generation of the
+	deprecated RSA-E or RSA-S flavors of PGP RSA.
+	(ask_algo): Allow generation of RSA sign and encrypt in expert
+	mode.  Don't allow ElGamal S+E unless in expert mode.
+	* helptext.c: Added entry keygen.algo.rsa_se.
+
 2002-05-07  David Shaw  <dshaw@jabberwocky.com>

 	* keyedit.c (sign_uids): If --expert it set, allow re-signing a
--- a/g10/helptext.c
+++ b/g10/helptext.c
@ -94,6 +94,12 @@ static struct helptexts { const char *key; const char *help; } helptexts[] = {
 "with them are quite large and very slow to verify."
 )},

+{ "keygen.algo.rsa_se", N_(
+"In general it is not a good idea to use the same key for signing and\n"
+"encryption.  This algorithm should only be used in certain domains.\n"
+"Please consult your security expert first."
+)},
+

 { "keygen.size", N_(
 "Enter the size of the key"
--- a/g10/keygen.c
+++ b/g10/keygen.c
@ -780,10 +780,13 @@ ask_algo (int addmode, unsigned int *r_usage)
    tty_printf(    _("   (%d) DSA (sign only)\n"), 2 );
    if( addmode )
 	tty_printf(    _("   (%d) ElGamal (encrypt only)\n"), 3 );
-    tty_printf(    _("   (%d) ElGamal (sign and encrypt)\n"), 4 );
+    if (opt.expert)
+        tty_printf(    _("   (%d) ElGamal (sign and encrypt)\n"), 4 );
    tty_printf(    _("   (%d) RSA (sign only)\n"), 5 );
    if (addmode)
        tty_printf(    _("   (%d) RSA (encrypt only)\n"), 6 );
+    if (opt.expert)
+      tty_printf(    _("   (%d) RSA (sign and encrypt)\n"), 7 );

    for(;;) {
 	answer = cpr_get("keygen.algo",_("Your selection? "));
@ -794,6 +797,14 @@ ask_algo (int addmode, unsigned int *r_usage)
 	    algo = 0;	/* create both keys */
 	    break;
 	}
+	else if( algo == 7 && opt.expert ) {
+	    if (cpr_get_answer_is_yes ("keygen.algo.rsa_se",_(
+		"The use of this algorithm is deprecated - create anyway? "))){
+              algo = PUBKEY_ALGO_RSA;
+              *r_usage = PUBKEY_USAGE_ENC | PUBKEY_USAGE_SIG;
+              break;
+            }
+	}
 	else if( algo == 6 && addmode ) {
 	    algo = PUBKEY_ALGO_RSA;
            *r_usage = PUBKEY_USAGE_ENC;
@ -804,7 +815,7 @@ ask_algo (int addmode, unsigned int *r_usage)
            *r_usage = PUBKEY_USAGE_SIG;
 	    break;
 	}
-	else if( algo == 4 ) {
+	else if( algo == 4 && opt.expert) {
 	    if( cpr_get_answer_is_yes("keygen.algo.elg_se",_(
 		"The use of this algorithm is deprecated - create anyway? "))){
 		algo = PUBKEY_ALGO_ELGAMAL;
@ -1329,12 +1340,17 @@ get_parameter_value( struct para_data_s *para, enum para_name key )
 static int
 get_parameter_algo( struct para_data_s *para, enum para_name key )
 {
+    int i;
    struct para_data_s *r = get_parameter( para, key );
    if( !r )
 	return -1;
    if( isdigit( *r->u.value ) )
-	return atoi( r->u.value );
-    return string_to_pubkey_algo( r->u.value );
+	i = atoi( r->u.value );
+    else
+        i = string_to_pubkey_algo( r->u.value );
+    if (i == PUBKEY_ALGO_RSA_E || i == PUBKEY_ALGO_RSA_S)
+      i = 0; /* we don't want to allow generation of these algorithms */
+    return i;
 }

 /*