agent: Use OCB for key protection with --enable-extended-key-format.

* agent/protect.c (PROT_DEFAULT_TO_OCB): Remove macro. (agent_protect): Make the default protection mode depend on the extend key format option. Signed-off-by: Werner Koch <wk@gnupg.org>
2024-12-22 10:19:57 +01:00 · 2017-04-02 20:02:55 +02:00 · 2017-04-02 20:02:55 +02:00 · d24375271b
commit d24375271b
parent 0039d7107b
2 changed files with 3 additions and 7 deletions
--- a/agent/protect.c
+++ b/agent/protect.c
@ -42,11 +42,6 @@
 #include "../common/sexp-parse.h"


-/* To use the openpgp-s2k3-ocb-aes scheme by default set the value of
- * this macro to 1.  Note that the caller of agent_protect may
- * override this default.  */
-#define PROT_DEFAULT_TO_OCB 0
-
 /* The protection mode for encryption.  The supported modes for
   decryption are listed in agent_unprotect().  */
 #define PROT_CIPHER        GCRY_CIPHER_AES128
@ -580,7 +575,7 @@ agent_protect (const unsigned char *plainkey, const char *passphrase,
  int have_curve = 0;

  if (use_ocb == -1)
-    use_ocb = PROT_DEFAULT_TO_OCB;
+    use_ocb = opt.enable_extended_key_format;

  /* Create an S-expression with the protected-at timestamp.  */
  memcpy (timestamp_exp, "(12:protected-at15:", 19);
--- a/doc/gpg-agent.texi
+++ b/doc/gpg-agent.texi
@ -579,7 +579,8 @@ the passphrase of a key will also convert the key to that new format.
 Using this option makes the private keys unreadable for gpg-agent
 versions before 2.1.12.  The advantage of the extended private key
 format is that it is text based and can carry additional meta data.
-
+Note that this option also changes the key protection format to use
+OCB mode.

@anchor{option --enable-ssh-support}
@item --enable-ssh-support