gpg: New option --forbid-gen-key.

* g10/gpg.c (oForbidGenKey, opts): New option.
(mopt): New local struct
(gen_key_forbidden): New.
(main): Set and handle the option.
--

In large system installation it is sometimes useful to make it a bit
harder for users to generate their own keys.  An example is a policy
to not use on-disk keys.

g10/gpg.c

@@ -440,6 +440,7 @@ enum cmd_and_opt_values
     oNoIncludeKeyBlock,
     oChUid,
     oForceSignKey,
+    oForbidGenKey,
 
     oNoop
   };
@@ -907,6 +908,7 @@ static gpgrt_opt_t opts[] = {
   ARGPARSE_s_s (oChUid,      "chuid",      "@"),
   ARGPARSE_s_n (oNoAutostart, "no-autostart", "@"),
   ARGPARSE_s_n (oUseKeyboxd,    "use-keyboxd", "@"),
+  ARGPARSE_s_n (oForbidGenKey,  "forbid-gen-key", "@"),
   /* Options which can be used in special circumstances. They are not
    * published and we hope they are never required.  */
   ARGPARSE_s_n (oUseOnlyOpenPGPCard, "use-only-openpgp-card", "@"),
@@ -1025,6 +1027,12 @@ static int maybe_setuid = 1;
 static unsigned int opt_set_iobuf_size;
 static unsigned int opt_set_iobuf_size_used;
 
+/* Collection of options used only in this module.  */
+static struct {
+  unsigned int forbid_gen_key;
+} mopt;
+
+
 static char *build_list( const char *text, char letter,
 			 const char *(*mapf)(int), int (*chkf)(int) );
 static void set_cmd( enum cmd_and_opt_values *ret_cmd,
@@ -1036,6 +1044,8 @@ static void add_keyserver_url( const char *string, int which );
 static void emergency_cleanup (void);
 static void read_sessionkey_from_fd (int fd);
 
+
+
 /* NPth wrapper function definitions. */
 ASSUAN_SYSTEM_NPTH_IMPL;
 
@@ -2292,8 +2302,13 @@ set_compliance_option (enum cmd_and_opt_values option)
 }
 
 
-
-
+static void
+gen_key_forbidden (void)
+{
+  write_status_failure ("gen-key", gpg_error (GPG_ERR_NOT_ENABLED));
+  log_error (_("This command is not allowed while in %s mode.\n"),
+             "forbid-gen-key");
+}
 
 
 /* This function called to initialized a new control object.  It is
@@ -3703,6 +3718,10 @@ main (int argc, char **argv)
             opt.flags.full_timestrings = 1;
             break;
 
+          case oForbidGenKey:
+            mopt.forbid_gen_key = 1;
+            break;
+
 	  case oNoop: break;
 
 	  default:
@@ -4683,18 +4702,25 @@ main (int argc, char **argv)
                     }
                 }
             }
-          quick_generate_keypair (ctrl, username, x_algo, x_usage, x_expire);
+          if (mopt.forbid_gen_key)
+            gen_key_forbidden ();
+          else
+            quick_generate_keypair (ctrl, username, x_algo, x_usage, x_expire);
           xfree (username);
         }
         break;
 
       case aKeygen: /* generate a key */
-	if( opt.batch ) {
+        if (mopt.forbid_gen_key)
+          gen_key_forbidden ();
+	else if( opt.batch )
+          {
 	    if( argc > 1 )
 		wrong_args("--generate-key [parameterfile]");
 	    generate_keypair (ctrl, 0, argc? *argv : NULL, NULL, 0);
-	}
-	else {
+          }
+	else
+          {
             if (opt.command_fd != -1 && argc)
               {
                 if( argc > 1 )
@@ -4707,11 +4733,13 @@ main (int argc, char **argv)
               wrong_args ("--generate-key");
             else
               generate_keypair (ctrl, 0, NULL, NULL, 0);
-	}
+          }
 	break;
 
       case aFullKeygen: /* Generate a key with all options. */
-	if (opt.batch)
+        if (mopt.forbid_gen_key)
+          gen_key_forbidden ();
+	else if (opt.batch)
           {
 	    if (argc > 1)
               wrong_args ("--full-generate-key [parameterfile]");
@@ -4759,7 +4787,10 @@ main (int argc, char **argv)
                    }
                 }
             }
-          keyedit_quick_addkey (ctrl, x_fpr, x_algo, x_usage, x_expire);
+          if (mopt.forbid_gen_key)
+            gen_key_forbidden ();
+          else
+            keyedit_quick_addkey (ctrl, x_fpr, x_algo, x_usage, x_expire);
         }
 	break;