From 91ae3e7fb66271691f6fe507262a62fc7e2663a3 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Wed, 6 Mar 2019 17:58:39 +0100
Subject: [PATCH] agent: Re-introduce --enable-extended-key-format.

* agent/gpg-agent.c (oEnableExtendedKeyFormat): Re-introduce.
(parse_rereadable_options): Handle it in a special way.
* agent/protect.c (agent_protect): Be safe and set use_ocb only to 1 or 0.
* tools/gpgconf-comp.c: Add --enable-extended-key-format again.
--

This is required for backward compatible with profiles.

Signed-off-by: Werner Koch
---
 agent/agent.h | 6 +++++-
 agent/gpg-agent.c | 11 +++++++++--
 agent/protect.c | 2 +-
 doc/gpg-agent.texi | 15 +++++++++------
 tools/gpgconf-comp.c | 3 +++
 5 files changed, 27 insertions(+), 10 deletions(-)

diff --git a/agent/agent.h b/agent/agent.h
index 3a29dc817..0f804cd8b 100644
--- a/agent/agent.h
+++ b/agent/agent.h
@@ -124,7 +124,11 @@ struct
      passphrase change. */
   int enable_passphrase_history;
 
-  /* If set the extended key format is used for new keys. */
+  /* If set the extended key format is used for new keys. Note that
+   * this may vave the value 2 in which case
+   * --disable-extended-key-format won't have any effect and thus
+   * effectivley locking it. This is required to support existing
+   * profiles which lock the use of --enable-extended-key-format. */
   int enable_extended_key_format;
 
   int running_detached; /* We are running detached from the tty. */
diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
index 27a3f7135..d9e2bbf25 100644
--- a/agent/gpg-agent.c
+++ b/agent/gpg-agent.c
@@ -113,6 +113,7 @@ enum cmd_and_opt_values
   oMaxPassphraseDays,
   oEnablePassphraseHistory,
   oDisableExtendedKeyFormat,
+  oEnableExtendedKeyFormat,
   oUseStandardSocket,
   oNoUseStandardSocket,
   oExtraSocket,
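Review bot: The new comment on `enable_extended_key_format` in agent/agent.h has two typos and leaves the field's encoding implicit: `vave` should be `have`, `effectivley` should be `effectively`, and the values 0/1/2 are only described in prose. A compact value table on the declaration would make the lock state explicit, e.g. `/* 0 = off, 1 = on (default), 2 = on and locked by --enable-extended-key-format; a later --disable-extended-key-format is then ignored. */`. It is also worth stating that the lock applies only to option parsing and that consumers must treat the field as a boolean, which is what the protect.c hunk does with `!!`. The enclosing `struct` starts and ends outside the hunk.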
@@ -254,6 +255,7 @@ static ARGPARSE_OPTS opts[] = {
 #endif
                 ),
   ARGPARSE_s_n (oDisableExtendedKeyFormat, "disable-extended-key-format", "@"),
+  ARGPARSE_s_n (oEnableExtendedKeyFormat, "enable-extended-key-format", "@"),
   ARGPARSE_s_u (oS2KCount, "s2k-count", "@"),
   ARGPARSE_s_u (oS2KCalibration, "s2k-calibration", "@"),
 
@@ -268,7 +270,6 @@ static ARGPARSE_OPTS opts[] = {
   ARGPARSE_s_n (oNoUseStandardSocket, "no-use-standard-socket", "@"),
 
   /* Dummy options. */
-  ARGPARSE_s_n (oNoop, "enable-extended-key-format", "@"),
 
   ARGPARSE_end () /* End of list */
 
@@ -906,7 +907,13 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
       opt.enable_passphrase_history = 1;
       break;
 
-    case oDisableExtendedKeyFormat: opt.enable_extended_key_format = 0; break;
+    case oEnableExtendedKeyFormat:
+      opt.enable_extended_key_format = 2;
+      break;
+    case oDisableExtendedKeyFormat:
+      if (opt.enable_extended_key_format != 2)
+        opt.enable_extended_key_format = 0;
+      break;
 
     case oIgnoreCacheForSigning: opt.ignore_cache_for_signing = 1; break;
 
diff --git a/agent/protect.c b/agent/protect.c
index eda247f27..61fb8f45d 100644
--- a/agent/protect.c
+++ b/agent/protect.c
@@ -623,7 +623,7 @@ agent_protect (const unsigned char *plainkey, const char *passphrase,
   int have_curve = 0;
 
   if (use_ocb == -1)
-    use_ocb = opt.enable_extended_key_format;
+    use_ocb = !!opt.enable_extended_key_format;
 
   /* Create an S-expression with the protected-at timestamp. */
   memcpy (timestamp_exp, "(12:protected-at15:", 19);
diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi
index 770da17b0..d518c246b 100644
--- a/doc/gpg-agent.texi
+++ b/doc/gpg-agent.texi
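Review bot: The lock in the new `case oDisableExtendedKeyFormat` of parse_rereadable_options relies on the bare magic value 2, and nothing in the hunk records that `--enable-extended-key-format` is meant to win regardless of where it appears relative to `--disable-extended-key-format`, so a disable line silently becoming a no-op will surprise anyone reading a config file. A comment on the enable case, `/* 2 = enabled and locked: a later --disable-extended-key-format is ignored (profile compatibility). */`, plus a named constant in place of the literal 2 in both cases would make the intent visible where the check lives. The same undocumented tri-state is the reason for the `!!` in the protect.c hunk, which would benefit from a one-line note such as `/* Field may be 2 (locked on); use_ocb must be 0 or 1. */`. Any other reader of `opt.enable_extended_key_format` that compares against 1 instead of testing truthiness would now see 2; the commit normalizes only `agent_protect`, so other consumers of the field are worth checking. parse_rereadable_options and agent_protect both start and end outside their hunks.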
@@ -585,16 +585,19 @@ local gpg-agent and use its private keys. This enables decrypting or
 signing data on a remote machine without exposing the private keys to the remote machine.
 
-@item --disable-extended-key-format
+@item --enable-extended-key-format
+@itemx --disable-extended-key-format
+@opindex enable-extended-key-format
 @opindex disable-extended-key-format
 Since version 2.3 keys are created in the extended private key format. Changing the passphrase of a key will also convert the key to that new format. This new key format is supported since GnuPG version 2.1.12
-and thus there should be no need to disable it. However, this options
-allows to revert to the old behaviour for new keys; be aware that keys
-are never migrated back to the old format. The advantage of the
-extended private key format is that it is text based and can carry
-additional meta data.
+and thus there should be no need to disable it. The disable option
+allows to revert to the old behavior for new keys; be aware that keys
+are never migrated back to the old format. However if the enable
+option has been used the disable option won't have an effect. The
+advantage of the extended private key format is that it is text based
+and can carry additional meta data.
 
 @anchor{option --enable-ssh-support}
 @item --enable-ssh-support
diff --git a/tools/gpgconf-comp.c b/tools/gpgconf-comp.c
index 83283940c..2ae79d91d 100644
--- a/tools/gpgconf-comp.c
+++ b/tools/gpgconf-comp.c
@@ -508,6 +508,9 @@ static gc_option_t gc_options_gpg_agent[] =
    { "enable-putty-support", GC_OPT_FLAG_NONE, GC_LEVEL_BASIC,
      "gnupg", "enable putty support",
      GC_ARG_TYPE_NONE, GC_BACKEND_GPG_AGENT },
+   { "enable-extended-key-format", GC_OPT_FLAG_RUNTIME, GC_LEVEL_INVISIBLE,
+     NULL, NULL,
+     GC_ARG_TYPE_NONE, GC_BACKEND_GPG_AGENT },
    { "Debug", GC_OPT_FLAG_GROUP, GC_LEVEL_ADVANCED,