* configure.ac [W32]: Always set DISABLE_KEYSERVER_PATH.

* export.c (parse_export_options): New option
export-reset-subkey-passwd.
(do_export_stream): Implement it.

* misc.c (get_libexecdir): New.
* keyserver.c (keyserver_spawn): Use it

ChangeLog

@@ -1,3 +1,7 @@
+2005-07-19  Werner Koch  <wk@g10code.com>
+
+	* configure.ac [W32]: Always set DISABLE_KEYSERVER_PATH.
+
 2005-06-21  Werner Koch  <wk@g10code.com>
 
 	Released 1.4.2rc2.

NEWS

@@ -36,6 +36,8 @@ Noteworthy changes in version 1.4.2
       replace the import-unusable-sigs/export-unusable-sigs options
       from version 1.4.1.
 
+    * New export option export-reset-subkey-passwd.
+
 
 Noteworthy changes in version 1.4.1 (2005-03-15)
 ------------------------------------------------

TODO

@@ -74,3 +74,5 @@
   * Add the NEWSIG status.
 
   * Delete a card key as well as a wiping.
+
+  * Make 2 strings translatable in export.c after releasing 1.4.2.

configure.ac

@@ -153,6 +153,7 @@ use_bzip2=yes
 use_exec=yes
 card_support=yes
 agent_support=yes
+disable_keyserver_path=no
 
 AC_ARG_ENABLE(minimal,
    AC_HELP_STRING([--enable-minimal],[build the smallest gpg binary possible]),
@@ -371,7 +372,7 @@ dnl LDAP is defined only after we confirm the library is available later
       AC_HELP_STRING([--disable-keyserver-path],
         [disable the exec-path option for keyserver helpers]),
       [if test "$enableval" = no ; then
-  	 AC_DEFINE(DISABLE_KEYSERVER_PATH,1,[define to disable exec-path for keyserver helpers])
+         disable_keyserver_path=yes
       fi],enableval=yes)
     AC_MSG_RESULT($enableval)
   fi
@@ -483,6 +484,7 @@ case "${host}" in
                    we use a simplified version of gettext])
         AC_DEFINE(HAVE_W32_SYSTEM,1,
                   [Defined if we run on a W32 API based system])
+        disable_keyserver_path=yes
         have_dosish_system=yes
         need_dlopen=no
         try_gettext="no"
@@ -547,6 +549,11 @@ if test "$have_dosish_system" = yes; then
 fi
 AM_CONDITIONAL(HAVE_DOSISH_SYSTEM, test "$have_dosish_system" = yes)
 
+if test "$disable_keyserver_path" = yes; then
+    AC_DEFINE(DISABLE_KEYSERVER_PATH,1,
+              [define to disable exec-path for keyserver helpers])
+fi
+
 AC_SUBST(MPI_OPT_FLAGS)
 GNUPG_SYS_SYMBOL_UNDERSCORE
 

doc/README.W32

@@ -19,6 +19,9 @@ Directory".  The installer does not change the PATH environment
 variable to include this directory.  You might want to do this
 manually.
 
+Note, that this registry entry is also used to locate the keyserver
+helper programs (e.g. gpgkeys_ldap).
+
 Below the Installation directory, you will find directories named
 "Doc", "gnupg.nls" and "Src".  The latter will be used for distributed
 patched, if any, and to store the source file if they have been

doc/gpg.sgml

@@ -1478,6 +1478,15 @@ exported if the user IDs are not usable.  This is the same as running
 the --edit-key command "clean uids" before export.  Defaults to no.
 </para></listitem></varlistentry>
 
+<varlistentry>
+<term>export-reset-subkey-passwd</term>
+<listitem><para>
+When using the "--export-secret-subkeys" command, this option resets
+the passphrases for all exported subkeys to empty.  This is useful
+when the exported subkey is to be used on an unattended amchine where
+a passphrase won't make sense. Defaults to no.
+</para></listitem></varlistentry>
+
 </variablelist>
 </para></listitem></varlistentry>
 
@@ -1657,6 +1666,8 @@ Sets a list of directories to search for photo viewers and keyserver
 helpers.  If not provided, keyserver helpers use the compiled-in
 default directory, and photo viewers use the $PATH environment
 variable.
+Note, that on W32 system this value is ignored when searching for
+keyserver helpers.
 </para></listitem></varlistentry>
 
 <varlistentry>

g10/ChangeLog

@@ -1,3 +1,12 @@
+2005-07-19  Werner Koch  <wk@g10code.com>
+
+	* export.c (parse_export_options): New option
+	export-reset-subkey-passwd.
+	(do_export_stream): Implement it.
+
+	* misc.c (get_libexecdir): New.
+	* keyserver.c (keyserver_spawn): Use it
+
 2005-07-18  Werner Koch  <wk@g10code.com>
 
 	* tdbio.c (open_db): Check for EROFS.  Suggested by Bryce Nichols.

g10/export.c

@@ -54,6 +54,9 @@ parse_export_options(char *str,unsigned int *options,int noisy)
       {"export-clean",EXPORT_CLEAN_SIGS|EXPORT_CLEAN_UIDS,NULL},
       {"export-clean-sigs",EXPORT_CLEAN_SIGS,NULL},
       {"export-clean-uids",EXPORT_CLEAN_UIDS,NULL},
+
+      {"export-reset-subkey-passwd", EXPORT_RESET_SUBKEY_PASSWD, NULL},
+
       /* Aliases for backward compatibility */
       {"include-local-sigs",EXPORT_LOCAL_SIGS,NULL},
       {"include-attributes",EXPORT_ATTRIBUTES,NULL},
@@ -382,7 +385,7 @@ do_export_stream( IOBUF out, STRLIST users, int secret,
 
 	    if( secret == 2 && node->pkt->pkttype == PKT_SECRET_KEY )
 	      {
-		/* we don't want to export the secret parts of the
+		/* We don't want to export the secret parts of the
 		 * primary key, this is done by using GNU protection mode 1001
 		 */
 		int save_mode = node->pkt->pkt.secret_key->protect.s2k.mode;
@@ -390,6 +393,53 @@ do_export_stream( IOBUF out, STRLIST users, int secret,
 		rc = build_packet( out, node->pkt );
 		node->pkt->pkt.secret_key->protect.s2k.mode = save_mode;
 	      }
+	    else if (secret == 2 && node->pkt->pkttype == PKT_SECRET_SUBKEY
+                     && (opt.export_options&EXPORT_RESET_SUBKEY_PASSWD))
+              {
+                /* If the subkey is protected reset the passphrase to
+                   export an unprotected subkey.  This feature is
+                   useful in cases of a subkey copied to an unattended
+                   machine where a passphrase is not required. */
+                PKT_secret_key *sk_save, *sk;
+
+                sk_save = node->pkt->pkt.secret_key;
+                sk = copy_secret_key (NULL, sk_save);
+                node->pkt->pkt.secret_key = sk;
+
+                log_info ("about to export an unprotected subkey\n");
+                switch (is_secret_key_protected (sk))
+                  {
+                  case -1:
+                    rc = G10ERR_PUBKEY_ALGO;
+                    break;
+                  case 0:
+                    break;
+                  default:
+                    if (sk->protect.s2k.mode == 1001)
+                      ; /* No secret parts. */
+                    else if( sk->protect.s2k.mode == 1002 ) 
+                      ; /* Card key stub. */
+                    else 
+                      {
+                        rc = check_secret_key( sk, 0 );
+                      }
+                    break;
+                  }
+                if (rc)
+                  {
+                    node->pkt->pkt.secret_key = sk_save;
+                    free_secret_key (sk);
+                    /* FIXME: Make translatable after releasing 1.4.2 */
+                    log_error ("failed to unprotect the subkey: %s\n",
+                               g10_errstr (rc));
+                    goto leave;
+                  }
+
+		rc = build_packet (out, node->pkt);
+
+                node->pkt->pkt.secret_key = sk_save;
+                free_secret_key (sk);
+              }
 	    else
 	      {
 		/* Warn the user if the secret key or any of the secret

g10/keyserver.c

@@ -865,6 +865,7 @@ keyserver_spawn(int action,STRLIST list,KEYDB_SEARCH_DESC *desc,
   struct parse_options *kopts;
   struct exec_info *spawn;
   const char *scheme;
+  const char *libexecdir = get_libexecdir ();
 
   assert(keyserver);
 
@@ -886,7 +887,7 @@ keyserver_spawn(int action,STRLIST list,KEYDB_SEARCH_DESC *desc,
      Unix-like systems (since we're going to give a full path to
      gpgkeys_foo), but on W32 it prevents loading any DLLs from
      directories in %PATH%. */
-  set_exec_path(GNUPG_LIBEXECDIR);
+  set_exec_path(libexecdir);
 #else
   if(opt.exec_path_set)
     {
@@ -900,9 +901,9 @@ keyserver_spawn(int action,STRLIST list,KEYDB_SEARCH_DESC *desc,
 #endif
     {
       /* Specify a full path to gpgkeys_foo. */
-      command=m_alloc(strlen(GNUPG_LIBEXECDIR)+strlen(DIRSEP_S)+
+      command=m_alloc(strlen(libexecdir)+strlen(DIRSEP_S)+
 		      strlen(GPGKEYS_PREFIX)+strlen(scheme)+1);
-      strcpy(command,GNUPG_LIBEXECDIR);
+      strcpy(command,libexecdir);
       strcat(command,DIRSEP_S);
     }
 
@@ -1324,8 +1325,9 @@ keyserver_spawn(int action,STRLIST list,KEYDB_SEARCH_DESC *desc,
       }
 
  fail:
-  m_free(line);
-  m_free(searchstr);
+  xfree(line);
+  xfree(searchstr);
+
 
   *prog=exec_finish(spawn);
 

g10/main.h

@@ -126,6 +126,7 @@ int parse_options(char *str,unsigned int *options,
 		  struct parse_options *opts,int noisy);
 char *unescape_percent_string (const unsigned char *s);
 char *default_homedir (void);
+const char *get_libexecdir (void);
 
 
 /*-- helptext.c --*/

g10/misc.c

@@ -1146,3 +1146,36 @@ default_homedir (void)
 
   return dir;
 }
+
+
+/* Return the name of the libexec directory.  The name is allocated in
+   a static area on the first use.  This function won't fail. */
+const char *
+get_libexecdir (void)
+{
+#ifdef HAVE_W32_SYSTEM
+  static int got_dir;
+  static char *dir;
+
+  if (!got_dir)
+    {
+      dir = read_w32_registry_string ("HKEY_LOCAL_MACHINE",
+                                      "Software\\GNU\\GnuPG",
+                                      "Install Directory");
+      if (dir && !*dir)
+        {
+          /* To avoid problems with using an empty dir we don't allow
+             for that. */
+          free (dir);
+          dir = NULL;
+        }
+      got_dir = 1;
+    }
+
+  if (dir)
+    return dir;
+  /* Fallback to the hardwired value. */
+#endif /*HAVE_W32_SYSTEM*/
+
+  return GNUPG_LIBEXECDIR;
+}

g10/options.h

@@ -261,6 +261,7 @@ struct {
 #define EXPORT_MINIMAL                   (1<<3)
 #define EXPORT_CLEAN_SIGS                (1<<4)
 #define EXPORT_CLEAN_UIDS                (1<<5)
+#define EXPORT_RESET_SUBKEY_PASSWD       (1<<6)
 
 #define LIST_SHOW_PHOTOS                 (1<<0)
 #define LIST_SHOW_POLICY_URLS            (1<<1)