security-and-privacy/gnupg
security-and-privacy
/
gnupg
mirror of git://git.gnupg.org/gnupg.git
1
0
Fork 0
Code Releases Activity

gpg: Remove options --pgp2 and --rfc1991. 

* g10/gpg.c (oRFC1991, oPGP2): Remove
(opts): Remove --pgp2 and --rfc1991.
* g10/options.h (CO_PGP2, CO_RFC1991): Remove.  Remove all users.
(RFC2440, PGP2): Remove.  Remove all code only enabled by these
conditions.
* tests/openpgp/clearsig.test: Remove --rfc1991 test.
--

The use of PGP 2.c is considered insecure for quite some time
now (e.g. due to the use of MD5).  Thus we remove all support for
_creating_ PGP 2 compatible messages.
This commit is contained in:
Werner Koch 2014-08-12 10:36:30 +02:00
parent 49c9a958e0
commit 2b8d8369d5
14 changed files with 51 additions and 249 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
NEWS
View File

@ -1,6 +1,9 @@
Noteworthy changes in version 2.1.0-betaxxx (unreleased)
--------------------------------------------------------
* gpg: Removed the option --pgp2 and --rfc1991 and the ability to
create PGP-2 compatible messages.
Noteworthy changes in version 2.1.0-beta751 (2014-07-03)
--------------------------------------------------------

12
doc/gpg.texi
View File

@ -1476,7 +1476,7 @@ Set what trust model GnuPG should follow. The models are:
@item classic
@opindex trust-mode:classic
This is the standard Web of Trust as used in PGP 2.x and earlier.
This is the standard Web of Trust as introduced by PGP 2.
@item direct
@opindex trust-mode:direct
@ -2342,9 +2342,11 @@ behavior. Note that this is currently the same thing as
Reset all packet, cipher and digest options to strict RFC-2440
behavior.
@ifclear gpgtowone
@item --rfc1991
@opindex rfc1991
Try to be more RFC-1991 (PGP 2.x) compliant.
Try to be more RFC-1991 (PGP 2.x) compliant. This option is
deprecated will be removed in GnuPG 2.1.
@item --pgp2
@opindex pgp2
@ -2367,6 +2369,12 @@ This option implies
@end ifclear
It also disables @option{--textmode} when encrypting.
This option is deprecated will be removed in GnuPG 2.1. The reason
for dropping PGP-2 support is that the PGP 2 format is not anymore
considered safe (for example due to the use of the broken MD5 algorithm).
Note that the decryption of PGP-2 created messages will continue to work.
@end ifclear
@item --pgp6
@opindex pgp6
Set up all options to be as PGP 6 compliant as possible. This

2
g10/cipher.c
View File

@ -56,7 +56,7 @@ write_header( cipher_filter_context_t *cfx, IOBUF a )
memset( &ed, 0, sizeof ed );
ed.len = cfx->datalen;
ed.extralen = blocksize+2;
ed.new_ctb = !ed.len && !RFC1991;
ed.new_ctb = !ed.len;
if( cfx->dek->use_mdc ) {
ed.mdc_method = DIGEST_ALGO_SHA1;
gcry_md_open (&cfx->mdc_hash, DIGEST_ALGO_SHA1, 0);

46
g10/encrypt.c
View File

@ -104,8 +104,8 @@ encrypt_seskey (DEK *dek, DEK **seskey, byte *enckey)
static int
use_mdc(PK_LIST pk_list,int algo)
{
/* RFC-1991 and 2440 don't have MDC */
if(RFC1991 || RFC2440)
/* RFC-2440 don't has MDC */
if (RFC2440)
return 0;
/* --force-mdc overrides --disable-mdc */
@ -174,7 +174,7 @@ encrypt_simple (const char *filename, int mode, int use_seskey)
compress_filter_context_t zfx;
text_filter_context_t tfx;
progress_filter_context_t *pfx;
int do_compress = !RFC1991 && default_compress_algo();
int do_compress = !!default_compress_algo();
pfx = new_progress_context ();
memset( &cfx, 0, sizeof cfx);
@ -206,19 +206,13 @@ encrypt_simple (const char *filename, int mode, int use_seskey)
if (opt.textmode)
iobuf_push_filter( inp, text_filter, &tfx );
/* Due the the fact that we use don't use an IV to encrypt the
session key we can't use the new mode with RFC1991 because it has
no S2K salt. RFC1991 always uses simple S2K. */
if ( RFC1991 && use_seskey )
use_seskey = 0;
cfx.dek = NULL;
if ( mode )
{
int canceled;
s2k = xmalloc_clear( sizeof *s2k );
s2k->mode = RFC1991? 0:opt.s2k_mode;
s2k->mode = opt.s2k_mode;
s2k->hash_algo = S2K_DIGEST_ALGO;
cfx.dek = passphrase_to_dek (NULL, 0,
default_cipher_algo(), s2k, 4,
@ -279,7 +273,7 @@ encrypt_simple (const char *filename, int mode, int use_seskey)
push_armor_filter (afx, out);
}
if ( s2k && !RFC1991 )
if ( s2k )
{
PKT_symkey_enc *enc = xmalloc_clear( sizeof *enc + seskeylen + 1 );
enc->version = 4;
@ -335,7 +329,7 @@ encrypt_simple (const char *filename, int mode, int use_seskey)
pt->timestamp = make_timestamp();
pt->mode = opt.textmode? 't' : 'b';
pt->len = filesize;
pt->new_ctb = !pt->len && !RFC1991;
pt->new_ctb = !pt->len;
pt->buf = inp;
pkt.pkttype = PKT_PLAINTEXT;
pkt.pkt.plaintext = pt;
@ -478,13 +472,13 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
compress_filter_context_t zfx;
text_filter_context_t tfx;
progress_filter_context_t *pfx;
PK_LIST pk_list, work_list;
PK_LIST pk_list;
int do_compress;
if (filefd != -1 && filename)
return gpg_error (GPG_ERR_INV_ARG);
do_compress = opt.compress_algo && !RFC1991;
do_compress = !!opt.compress_algo;
pfx = new_progress_context ();
memset( &cfx, 0, sizeof cfx);
@ -510,19 +504,6 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
}
}
if(PGP2)
{
for (work_list=pk_list; work_list; work_list=work_list->next)
if (!(is_RSA (work_list->pk->pubkey_algo)
&& nbits_from_pk (work_list->pk) <= 2048))
{
log_info(_("you can only encrypt to RSA keys of 2048 bits or "
"less in --pgp2 mode\n"));
compliance_failure();
break;
}
}
/* Prepare iobufs. */
#ifdef HAVE_W32_SYSTEM
if (filefd == -1)
@ -592,13 +573,6 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
if (cfx.dek->algo == -1)
{
cfx.dek->algo = CIPHER_ALGO_3DES;
if (PGP2)
{
log_info(_("unable to use the IDEA cipher for all of the keys "
"you are encrypting to.\n"));
compliance_failure();
}
}
/* In case 3DES has been selected, print a warning if any key
@ -687,7 +661,7 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
pt->timestamp = make_timestamp();
pt->mode = opt.textmode ? 't' : 'b';
pt->len = filesize;
pt->new_ctb = !pt->len && !RFC1991;
pt->new_ctb = !pt->len;
pt->buf = inp;
pkt.pkttype = PKT_PLAINTEXT;
pkt.pkt.plaintext = pt;
@ -895,7 +869,7 @@ write_pubkey_enc_from_list (PK_LIST pk_list, DEK *dek, iobuf_t out)
keyid_from_pk( pk, enc->keyid );
enc->throw_keyid = (opt.throw_keyid || (pk_list->flags&1));
if (opt.throw_keyid && (PGP2 || PGP6 || PGP7 || PGP8))
if (opt.throw_keyid && (PGP6 || PGP7 || PGP8))
{
log_info(_("you may not use %s while in %s mode\n"),
"--throw-keyid",compliance_option_string());

87
g10/gpg.c
View File

@ -205,11 +205,9 @@ enum cmd_and_opt_values
oMaxCertDepth,
oLoadExtension,
oGnuPG,
oRFC1991,
oRFC2440,
oRFC4880,
oOpenPGP,
oPGP2,
oPGP6,
oPGP7,
oPGP8,
@ -573,11 +571,9 @@ static ARGPARSE_OPTS opts[] = {
ARGPARSE_s_n (oGnuPG, "no-pgp6", "@"),
ARGPARSE_s_n (oGnuPG, "no-pgp7", "@"),
ARGPARSE_s_n (oGnuPG, "no-pgp8", "@"),
ARGPARSE_s_n (oRFC1991, "rfc1991", "@"),
ARGPARSE_s_n (oRFC2440, "rfc2440", "@"),
ARGPARSE_s_n (oRFC4880, "rfc4880", "@"),
ARGPARSE_s_n (oOpenPGP, "openpgp", N_("use strict OpenPGP behavior")),
ARGPARSE_s_n (oPGP2, "pgp2", "@"),
ARGPARSE_s_n (oPGP6, "pgp6", "@"),
ARGPARSE_s_n (oPGP7, "pgp7", "@"),
ARGPARSE_s_n (oPGP8, "pgp8", "@"),
@ -2484,11 +2480,6 @@ main (int argc, char **argv)
/* Dummy so that gpg 1.4 conf files can work. Should
eventually be removed. */
break;
case oRFC1991:
opt.compliance = CO_RFC1991;
opt.force_v4_certs = 0;
opt.escape_from = 1;
break;
case oOpenPGP:
case oRFC4880:
/* This is effectively the same as RFC2440, but with
@ -2530,7 +2521,6 @@ main (int argc, char **argv)
opt.s2k_digest_algo = DIGEST_ALGO_SHA1;
opt.s2k_cipher_algo = CIPHER_ALGO_3DES;
break;
case oPGP2: opt.compliance = CO_PGP2; break;
case oPGP6: opt.compliance = CO_PGP6; break;
case oPGP7: opt.compliance = CO_PGP7; break;
case oPGP8: opt.compliance = CO_PGP8; break;
@ -3238,78 +3228,7 @@ main (int argc, char **argv)
log_clock ("start");
/* Do these after the switch(), so they can override settings. */
if(PGP2)
{
int unusable=0;
if(cmd==aSign && !detached_sig)
{
log_info(_("you can only make detached or clear signatures "
"while in --pgp2 mode\n"));
unusable=1;
}
else if(cmd==aSignEncr || cmd==aSignSym)
{
log_info(_("you can't sign and encrypt at the "
"same time while in --pgp2 mode\n"));
unusable=1;
}
else if(argc==0 && (cmd==aSign || cmd==aEncr || cmd==aSym))
{
log_info(_("you must use files (and not a pipe) when "
"working with --pgp2 enabled.\n"));
unusable=1;
}
else if(cmd==aEncr || cmd==aSym)
{
/* Everything else should work without IDEA (except using
a secret key encrypted with IDEA and setting an IDEA
preference, but those have their own error
messages). */
if (openpgp_cipher_test_algo(CIPHER_ALGO_IDEA))
{
log_info(_("encrypting a message in --pgp2 mode requires "
"the IDEA cipher\n"));
unusable=1;
}
else if(cmd==aSym)
{
/* This only sets IDEA for symmetric encryption
since it is set via select_algo_from_prefs for
pk encryption. */
xfree(def_cipher_string);
def_cipher_string = xstrdup("idea");
}
/* PGP2 can't handle the output from the textmode
filter, so we disable it for anything that could
create a literal packet (only encryption and
symmetric encryption, since we disable signing
above). */
if(!unusable)
opt.textmode=0;
}
if(unusable)
compliance_failure();
else
{
opt.force_v4_certs = 0;
opt.escape_from = 1;
opt.force_v3_sigs = 1;
opt.pgp2_workarounds = 1;
opt.ask_sig_expire = 0;
opt.ask_cert_expire = 0;
opt.flags.allow_weak_digest_algos = 1;
xfree(def_digest_string);
def_digest_string = xstrdup("md5");
xfree(s2k_digest_string);
s2k_digest_string = xstrdup("md5");
opt.compress_algo = COMPRESS_ALGO_ZIP;
}
}
else if(PGP6)
if(PGP6)
{
opt.disable_mdc=1;
opt.escape_from=1;
@ -3675,7 +3594,7 @@ main (int argc, char **argv)
else if(opt.s2k_mode==0)
log_error(_("you cannot use --symmetric --encrypt"
" with --s2k-mode 0\n"));
else if(PGP2 || PGP6 || PGP7 || RFC1991)
else if(PGP6 || PGP7)
log_error(_("you cannot use --symmetric --encrypt"
" while in %s mode\n"),compliance_option_string());
else
@ -3726,7 +3645,7 @@ main (int argc, char **argv)
else if(opt.s2k_mode==0)
log_error(_("you cannot use --symmetric --sign --encrypt"
" with --s2k-mode 0\n"));
else if(PGP2 || PGP6 || PGP7 || RFC1991)
else if(PGP6 || PGP7)
log_error(_("you cannot use --symmetric --sign --encrypt"
" while in %s mode\n"),compliance_option_string());
else

38
g10/keyedit.c
View File

@ -518,19 +518,6 @@ sign_uids (estream_t fp,
KBNODE node, uidnode;
PKT_public_key *primary_pk = NULL;
int select_all = !count_selected_uids (keyblock) || interactive;
int all_v3 = 1;
/* Are there any non-v3 sigs on this key already? */
if (PGP2)
{
for (node = keyblock; node; node = node->next)
if (node->pkt->pkttype == PKT_SIGNATURE &&
node->pkt->pkt.signature->version > 3)
{
all_v3 = 0;
break;
}
}
/* Build a list of all signators.
*
@ -894,29 +881,6 @@ sign_uids (estream_t fp,
if (duration)
force_v4 = 1;
/* Is --pgp2 on, it's a v3 key, all the sigs on the key are
currently v3 and we're about to sign it with a v4 sig? If
so, danger! */
if (PGP2 && all_v3 &&
(pk->version > 3 || force_v4) && primary_pk->version <= 3)
{
tty_fprintf (fp, _("You may not make an OpenPGP signature on a "
"PGP 2.x key while in --pgp2 mode.\n"));
tty_fprintf (fp, _("This would make the key unusable in PGP 2.x.\n"));
if (opt.expert && !quick)
{
if (!cpr_get_answer_is_yes ("sign_uid.v4_on_v3_okay",
_("Are you sure you still "
"want to sign it? (y/N) ")))
continue;
all_v3 = 0;
}
else
continue;
}
if (selfsig)
;
else
@ -1773,7 +1737,7 @@ keyedit_menu (ctrl_t ctrl, const char *username, strlist_t locusr,
break;
case cmdADDPHOTO:
if (RFC2440 || RFC1991 || PGP2)
if (RFC2440)
{
tty_printf (_("This command is not allowed while in %s mode.\n"),
compliance_option_string ());

10
g10/keygen.c
View File

@ -341,16 +341,6 @@ keygen_set_std_prefs (const char *string,int personal)
if ( !openpgp_cipher_test_algo (CIPHER_ALGO_CAST5) )
strcat(dummy_string,"S3 ");
strcat(dummy_string,"S2 "); /* 3DES */
/* If we have it, IDEA goes *after* 3DES so it won't be
used unless we're encrypting along with a V3 key.
Ideally, we would only put the S1 preference in if the
key was RSA and <=2048 bits, as that is what won't
break PGP2, but that is difficult with the current
code, and not really worth checking as a non-RSA <=2048
bit key wouldn't be usable by PGP2 anyway. -dms */
if (PGP2 && !openpgp_cipher_test_algo (CIPHER_ALGO_IDEA) )
strcat(dummy_string,"S1 ");
/* The default hash algo order is:
SHA-256, SHA-1, SHA-384, SHA-512, SHA-224.

10
g10/misc.c
View File

@ -1191,8 +1191,6 @@ compliance_option_string(void)
case CO_GNUPG: return "--gnupg";
case CO_RFC4880: return "--openpgp";
case CO_RFC2440: return "--rfc2440";
case CO_RFC1991: return "--rfc1991";
case CO_PGP2: return "--pgp2";
case CO_PGP6: return "--pgp6";
case CO_PGP7: return "--pgp7";
case CO_PGP8: return "--pgp8";
@ -1220,14 +1218,6 @@ compliance_failure(void)
ver="OpenPGP (older)";
break;
case CO_RFC1991:
ver="old PGP";
break;
case CO_PGP2:
ver="PGP 2.x";
break;
case CO_PGP6:
ver="PGP 6.x";
break;

6
g10/options.h
View File

@ -121,7 +121,7 @@ struct
int force_ownertrust;
enum
{
CO_GNUPG, CO_RFC4880, CO_RFC2440, CO_RFC1991, CO_PGP2,
CO_GNUPG, CO_RFC4880, CO_RFC2440,
CO_PGP6, CO_PGP7, CO_PGP8
} compliance;
enum
@ -307,14 +307,12 @@ EXTERN_UNLESS_MAIN_MODULE int memory_stat_debug_mode;
/* Compatibility flags. */
#define GNUPG (opt.compliance==CO_GNUPG)
#define RFC1991 (opt.compliance==CO_RFC1991 || opt.compliance==CO_PGP2)
#define RFC2440 (opt.compliance==CO_RFC2440)
#define RFC4880 (opt.compliance==CO_RFC4880)
#define PGP2 (opt.compliance==CO_PGP2)
#define PGP6 (opt.compliance==CO_PGP6)
#define PGP7 (opt.compliance==CO_PGP7)
#define PGP8 (opt.compliance==CO_PGP8)
#define PGPX (PGP2 || PGP6 || PGP7 || PGP8)
#define PGPX (PGP6 || PGP7 || PGP8)
/* Various option flags. Note that there should be no common string
names between the IMPORT_ and EXPORT_ flags as they can be mixed in

16
g10/pkclist.c
View File

@ -928,7 +928,7 @@ build_pk_list (ctrl_t ctrl,
/* Hidden recipients are not allowed while in PGP mode,
issue a warning and switch into GnuPG mode. */
if ((rov->flags&2) && (PGP2 || PGP6 || PGP7 || PGP8))
if ((rov->flags&2) && (PGP6 || PGP7 || PGP8))
{
log_info(_("you may not use %s while in %s mode\n"),
"--hidden-recipient",
@ -978,7 +978,7 @@ build_pk_list (ctrl_t ctrl,
/* Hidden encrypt-to recipients are not allowed while
in PGP mode, issue a warning and switch into
GnuPG mode. */
if ((r->flags&1) && (PGP2 || PGP6 || PGP7 || PGP8))
if ((r->flags&1) && (PGP6 || PGP7 || PGP8))
{
log_info(_("you may not use %s while in %s mode\n"),
"--hidden-encrypt-to",
@ -1344,10 +1344,7 @@ select_algo_from_prefs(PK_LIST pk_list, int preftype,
dropped from 4880 but is still relevant to GPG's 1991
support. All this doesn't mean IDEA is actually
available, of course. */
if(PGP2 && pkr->pk->version<4 && pkr->pk->selfsigversion<4)
implicit=CIPHER_ALGO_IDEA;
else
implicit=CIPHER_ALGO_3DES;
implicit=CIPHER_ALGO_3DES;
break;
@ -1359,12 +1356,7 @@ select_algo_from_prefs(PK_LIST pk_list, int preftype,
mode, and that's the only time PREFTYPE_HASH is used
anyway. -dms */
/* MD5 is there for v3 keys with v3 selfsigs when --pgp2 is
on. */
if(PGP2 && pkr->pk->version<4 && pkr->pk->selfsigversion<4)
implicit=DIGEST_ALGO_MD5;
else
implicit=DIGEST_ALGO_SHA1;
implicit=DIGEST_ALGO_SHA1;
break;

2
g10/revoke.c
View File

@ -473,7 +473,7 @@ create_revocation (const char *filename,
goto leave;
}
if (keyblock && (PGP2 || PGP6 || PGP7 || PGP8))
if (keyblock && (PGP6 || PGP7 || PGP8))
{
/* Use a minimal pk for PGPx mode, since PGP can't import bare
revocation certificates. */

4
g10/server.c
View File

@ -320,10 +320,6 @@ cmd_encrypt (assuan_context_t ctx, char *line)
goto leave;
}
/* Fixme: Check that we are using real files and not pipes if in
PGP-2 mode. Do all the other checks we do in gpg.c for aEncr.
Maybe we should drop the PGP2 compatibility. */
/* FIXME: GPGSM does this here: Add all encrypt-to marked recipients
from the default list. */

51
g10/sign.c
View File

@ -509,11 +509,6 @@ hash_for (PKT_public_key *pk)
return DIGEST_ALGO_SHA1;
}
else if (PGP2 && pk->pubkey_algo == PUBKEY_ALGO_RSA && pk->version < 4 )
{
/* Old-style PGP only understands MD5 */
return DIGEST_ALGO_MD5;
}
else if (opt.personal_digest_prefs)
{
/* It's not DSA, so we can use whatever the first hash algorithm
@ -659,7 +654,7 @@ write_plaintext_packet (IOBUF out, IOBUF inp, const char *fname, int ptmode)
pt->timestamp = make_timestamp ();
pt->mode = ptmode;
pt->len = filesize;
pt->new_ctb = !pt->len && !RFC1991;
pt->new_ctb = !pt->len;
pt->buf = inp;
init_packet(&pkt);
pkt.pkttype = PKT_PLAINTEXT;
@ -710,7 +705,7 @@ write_signature_packets (SK_LIST sk_list, IOBUF out, gcry_md_hd_t hash,
/* Build the signature packet. */
sig = xmalloc_clear (sizeof *sig);
if (opt.force_v3_sigs || RFC1991)
if (opt.force_v3_sigs)
sig->version = 3;
else if (duration || opt.sig_policy_url
|| opt.sig_notations || opt.sig_keyserver_url)
@ -819,7 +814,7 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
&& (rc=setup_symkey(&efx.symkey_s2k,&efx.symkey_dek)))
goto leave;
if(!opt.force_v3_sigs && !RFC1991)
if(!opt.force_v3_sigs)
{
if(opt.ask_sig_expire && !opt.batch)
duration=ask_expire_interval(1,opt.def_sig_expire);
@ -832,13 +827,6 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
if( (rc = build_sk_list (locusr, &sk_list, PUBKEY_USAGE_SIG )) )
goto leave;
if(PGP2 && !only_old_style(sk_list))
{
log_info(_("you can only detach-sign with PGP 2.x style keys "
"while in --pgp2 mode\n"));
compliance_failure();
}
if (encryptflag
&& (rc=build_pk_list (ctrl, remusr, &pk_list, PUBKEY_USAGE_ENC)))
goto leave;
@ -986,7 +974,7 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
if( !multifile )
iobuf_push_filter( inp, md_filter, &mfx );
if( detached && !encryptflag && !RFC1991 )
if( detached && !encryptflag)
afx->what = 2;
if( opt.armor && !outfile )
@ -1029,7 +1017,7 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
}
/* Write the one-pass signature packets if needed */
if (!detached && !RFC1991) {
if (!detached) {
rc = write_onepass_sig_packets (sk_list, out,
opt.textmode && !outfile ? 0x01:0x00);
if (rc)
@ -1135,7 +1123,7 @@ clearsign_file( const char *fname, strlist_t locusr, const char *outfile )
int rc = 0;
SK_LIST sk_list = NULL;
SK_LIST sk_rover = NULL;
int old_style = RFC1991;
int old_style = 0;
int only_md5 = 0;
u32 duration=0;
@ -1143,7 +1131,7 @@ clearsign_file( const char *fname, strlist_t locusr, const char *outfile )
afx = new_armor_context ();
init_packet( &pkt );
if(!opt.force_v3_sigs && !RFC1991)
if(!opt.force_v3_sigs)
{
if(opt.ask_sig_expire && !opt.batch)
duration=ask_expire_interval(1,opt.def_sig_expire);
@ -1156,16 +1144,9 @@ clearsign_file( const char *fname, strlist_t locusr, const char *outfile )
if( (rc=build_sk_list( locusr, &sk_list, PUBKEY_USAGE_SIG )) )
goto leave;
if( !old_style && !duration )
if(!duration )
old_style = only_old_style( sk_list );
if(PGP2 && !only_old_style(sk_list))
{
log_info(_("you can only clearsign with PGP 2.x style keys "
"while in --pgp2 mode\n"));
compliance_failure();
}
/* prepare iobufs */
inp = iobuf_open(fname);
if (inp && is_secured_file (iobuf_get_fd (inp)))
@ -1311,7 +1292,7 @@ sign_symencrypt_file (const char *fname, strlist_t locusr)
memset( &cfx, 0, sizeof cfx);
init_packet( &pkt );
if(!opt.force_v3_sigs && !RFC1991)
if(!opt.force_v3_sigs)
{
if(opt.ask_sig_expire && !opt.batch)
duration=ask_expire_interval(1,opt.def_sig_expire);
@ -1343,7 +1324,7 @@ sign_symencrypt_file (const char *fname, strlist_t locusr)
/* prepare key */
s2k = xmalloc_clear( sizeof *s2k );
s2k->mode = RFC1991? 0:opt.s2k_mode;
s2k->mode = opt.s2k_mode;
s2k->hash_algo = S2K_DIGEST_ALGO;
algo = default_cipher_algo();
@ -1389,7 +1370,7 @@ sign_symencrypt_file (const char *fname, strlist_t locusr)
/* Write the symmetric key packet */
/*(current filters: armor)*/
if (!RFC1991) {
{
PKT_symkey_enc *enc = xmalloc_clear( sizeof *enc );
enc->version = 4;
enc->cipher_algo = cfx.dek->algo;
@ -1410,12 +1391,10 @@ sign_symencrypt_file (const char *fname, strlist_t locusr)
/* Write the one-pass signature packets */
/*(current filters: zip - encrypt - armor)*/
if (!RFC1991) {
rc = write_onepass_sig_packets (sk_list, out,
opt.textmode? 0x01:0x00);
if (rc)
goto leave;
}
rc = write_onepass_sig_packets (sk_list, out,
opt.textmode? 0x01:0x00);
if (rc)
goto leave;
write_status_begin_signing (mfx.md);

13
tests/openpgp/clearsig.test
View File

@ -23,17 +23,6 @@ for i in $plain_files plain-large ; do
done
# ======================================
# and once more to check rfc1991
# ======================================
if have_pubkey_algo "RSA"; then
for i in $plain_files plain-large ; do
$GPG -u $usrname3 --rfc1991 --digest-algo md5 --clearsign -o x --yes $i
$GPG --verify x
done
fi
# ======================================
# and one with long lines
# ======================================
@ -100,7 +89,7 @@ cat >y <<EOF
}
/* ask for file and hash it */
- if( c->sigs_only ) {
+ if( c->sigs_only )
+ if( c->sigs_only )
rc = hash_datafiles( c->mfx.md, NULL,
c->signed_data, c->sigfilename,
n1? (n1->pkt->pkt.onepass_sig->sig_class == 0x01):0 );