1
0
mirror of git://git.gnupg.org/gnupg.git synced 2025-01-18 14:17:03 +01:00

agent: Use OCB for key protection with --enable-extended-key-format.

* agent/protect.c (PROT_DEFAULT_TO_OCB): Remove macro.
(agent_protect): Make the default protection mode depend on the extend
key format option.

Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2017-04-02 20:02:55 +02:00
parent 0039d7107b
commit d24375271b
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
2 changed files with 3 additions and 7 deletions

View File

@ -42,11 +42,6 @@
#include "../common/sexp-parse.h" #include "../common/sexp-parse.h"
/* To use the openpgp-s2k3-ocb-aes scheme by default set the value of
* this macro to 1. Note that the caller of agent_protect may
* override this default. */
#define PROT_DEFAULT_TO_OCB 0
/* The protection mode for encryption. The supported modes for /* The protection mode for encryption. The supported modes for
decryption are listed in agent_unprotect(). */ decryption are listed in agent_unprotect(). */
#define PROT_CIPHER GCRY_CIPHER_AES128 #define PROT_CIPHER GCRY_CIPHER_AES128
@ -580,7 +575,7 @@ agent_protect (const unsigned char *plainkey, const char *passphrase,
int have_curve = 0; int have_curve = 0;
if (use_ocb == -1) if (use_ocb == -1)
use_ocb = PROT_DEFAULT_TO_OCB; use_ocb = opt.enable_extended_key_format;
/* Create an S-expression with the protected-at timestamp. */ /* Create an S-expression with the protected-at timestamp. */
memcpy (timestamp_exp, "(12:protected-at15:", 19); memcpy (timestamp_exp, "(12:protected-at15:", 19);

View File

@ -579,7 +579,8 @@ the passphrase of a key will also convert the key to that new format.
Using this option makes the private keys unreadable for gpg-agent Using this option makes the private keys unreadable for gpg-agent
versions before 2.1.12. The advantage of the extended private key versions before 2.1.12. The advantage of the extended private key
format is that it is text based and can carry additional meta data. format is that it is text based and can carry additional meta data.
Note that this option also changes the key protection format to use
OCB mode.
@anchor{option --enable-ssh-support} @anchor{option --enable-ssh-support}
@item --enable-ssh-support @item --enable-ssh-support