From c5d7a332c8401e24263f0e235824f5862e37433a Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 4 Apr 2024 16:39:14 +0200 Subject: [PATCH] gpg: Do not allow to accidently set the RENC usage. * g10/keygen.c (print_key_flags): Print "RENC" if set. (ask_key_flags_with_mask): Remove RENC from the possible set of usages. Add a direct way to set it iff the key is encryption capable. -- This could be done by using "set your own capabilities" for an RSA key. In fact it was always set in this case. GnuPG-bug-id: 7072 --- g10/keygen.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/g10/keygen.c b/g10/keygen.c index c2acf74c3..763d23ee4 100644 --- a/g10/keygen.c +++ b/g10/keygen.c @@ -2177,6 +2177,9 @@ print_key_flags(int flags) if(flags&PUBKEY_USAGE_AUTH) tty_printf("%s ",_("Authenticate")); + + if(flags&PUBKEY_USAGE_RENC) + tty_printf("%s ", "RENC"); } @@ -2209,10 +2212,14 @@ ask_key_flags_with_mask (int algo, int subkey, unsigned int current, togglers = "11223300"; } + /* restrict the mask to the actual useful bits. */ + /* Mask the possible usage flags. This is for example used for a * card based key. For ECDH we need to allows additional usages if - * they are provided. */ + * they are provided. RENC is not directly poissible here but see + * below for a workaround. */ possible = (openpgp_pk_algo_usage (algo) & mask); + possible &= ~PUBKEY_USAGE_RENC; if (algo == PUBKEY_ALGO_ECDH) possible |= (current & (PUBKEY_USAGE_ENC |PUBKEY_USAGE_CERT @@ -2281,6 +2288,12 @@ ask_key_flags_with_mask (int algo, int subkey, unsigned int current, want to experiment with a cert-only primary key. */ current |= PUBKEY_USAGE_CERT; } + else if ((*s == 'r' || *s == 'R') && (possible&PUBKEY_USAGE_ENC)) + { + /* Allow to set RENC or an encryption capable key. + * This is on purpose not shown in the menu. */ + current |= PUBKEY_USAGE_RENC; + } } break; }