mirror of
git://git.gnupg.org/gnupg.git
synced 2025-01-10 13:04:23 +01:00
* export.c (do_export_stream): Warn the user when exporting a secret key
if it or any of its secret subkeys are protected with SHA1 while simple_sk_checksum is set. * parse-packet.c (parse_key): Show when the SHA1 protection is used in --list-packets. * options.h, build-packet.c (do_comment), g10.c (main): Rename --no-comment as --sk-comments/--no-sk-comments (--no-comment still works) and make the default be --no-sk-comments.
parent
7d217ecd7a
commit
d5d974536e
@ -1,3 +1,16 @@
|
||||
2002-05-07 David Shaw <dshaw@jabberwocky.com>
|
||||
|
||||
* export.c (do_export_stream): Warn the user when exporting a
|
||||
secret key if it or any of its secret subkeys are protected with
|
||||
SHA1 while simple_sk_checksum is set.
|
||||
|
||||
* parse-packet.c (parse_key): Show when the SHA1 protection is
|
||||
used in --list-packets.
|
||||
|
||||
* options.h, build-packet.c (do_comment), g10.c (main): Rename
|
||||
--no-comment as --sk-comments/--no-sk-comments (--no-comment still
|
||||
works) and make the default be --no-sk-comments.
|
||||
|
||||
2002-05-07 Werner Koch <wk@gnupg.org>
|
||||
|
||||
* keygen.c (get_parameter_algo): Never allow generation of the
|
||||
@ -8,7 +21,7 @@
|
||||
|
||||
2002-05-07 David Shaw <dshaw@jabberwocky.com>
|
||||
|
||||
* keyedit.c (sign_uids): If --expert it set, allow re-signing a
|
||||
* keyedit.c (sign_uids): If --expert is set, allow re-signing a
|
||||
uid to promote a v3 self-sig to a v4 one. This essentially
|
||||
deletes the old v3 self-sig and replaces it with a v4 one.
|
||||
|
||||
|
@ -196,7 +196,7 @@ write_fake_data( IOBUF out, MPI a )
|
||||
static int
|
||||
do_comment( IOBUF out, int ctb, PKT_comment *rem )
|
||||
{
|
||||
if( !opt.no_comment ) {
|
||||
if( opt.sk_comments ) {
|
||||
write_header(out, ctb, rem->len);
|
||||
if( iobuf_write( out, rem->data, rem->len ) )
|
||||
return G10ERR_WRITE_FILE;
|
||||
|
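Review bot: `do_comment` accepts any `PKT_comment`, yet the gate is now `opt.sk_comments`, and nothing in the hunk explains why an option named for secret keys decides whether a comment packet is written. A one-line comment above the test, for example `/* Write the comment packet only if --sk-comments is set. */`, would record the intent. The function body continues past the hunk, so what is returned when the option is off is not visible here and should be covered by the same comment.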
56
g10/export.c
56
g10/export.c
@ -152,6 +152,9 @@ do_export_stream( IOBUF out, STRLIST users, int secret, int onlyrfc, int *any )
|
||||
|
||||
|
||||
while (!(rc = keydb_search (kdbhd, desc, ndesc))) {
|
||||
int sha1_warned=0;
|
||||
u32 sk_keyid[2];
|
||||
|
||||
if (!users)
|
||||
desc[0].mode = KEYDB_SEARCH_MODE_NEXT;
|
||||
|
||||
@ -172,23 +175,29 @@ do_export_stream( IOBUF out, STRLIST users, int secret, int onlyrfc, int *any )
|
||||
}
|
||||
}
|
||||
|
||||
/* we can't apply GNU mode 1001 on an unprotected key */
|
||||
if( secret == 2
|
||||
&& (node = find_kbnode( keyblock, PKT_SECRET_KEY ))
|
||||
&& !node->pkt->pkt.secret_key->is_protected )
|
||||
{
|
||||
log_info(_("key %08lX: not protected - skipped\n"),
|
||||
(ulong)keyid_from_sk( node->pkt->pkt.secret_key, NULL) );
|
||||
continue;
|
||||
}
|
||||
node=find_kbnode( keyblock, PKT_SECRET_KEY );
|
||||
if(node)
|
||||
{
|
||||
PKT_secret_key *sk=node->pkt->pkt.secret_key;
|
||||
|
||||
/* no v3 keys with GNU mode 1001 */
|
||||
if( secret == 2 && node->pkt->pkt.secret_key->version == 3 )
|
||||
{
|
||||
log_info(_("key %08lX: PGP 2.x style key - skipped\n"),
|
||||
(ulong)keyid_from_sk( node->pkt->pkt.secret_key, NULL) );
|
||||
continue;
|
||||
}
|
||||
keyid_from_sk(sk,sk_keyid);
|
||||
|
||||
/* we can't apply GNU mode 1001 on an unprotected key */
|
||||
if( secret == 2 && !sk->is_protected )
|
||||
{
|
||||
log_info(_("key %08lX: not protected - skipped\n"),
|
||||
(ulong)sk_keyid[1]);
|
||||
continue;
|
||||
}
|
||||
|
||||
/* no v3 keys with GNU mode 1001 */
|
||||
if( secret == 2 && sk->version == 3 )
|
||||
{
|
||||
log_info(_("key %08lX: PGP 2.x style key - skipped\n"),
|
||||
(ulong)sk_keyid[1]);
|
||||
continue;
|
||||
}
|
||||
}
|
||||
|
||||
/* and write it */
|
||||
for( kbctx=NULL; (node = walk_kbnode( keyblock, &kbctx, 0 )); ) {
|
||||
@ -232,6 +241,21 @@ do_export_stream( IOBUF out, STRLIST users, int secret, int onlyrfc, int *any )
|
||||
node->pkt->pkt.secret_key->protect.s2k.mode = save_mode;
|
||||
}
|
||||
else {
|
||||
/* Warn the user if the secret key or any of the secret
|
||||
subkeys are protected with SHA1 and we have
|
||||
simple_sk_checksum set. */
|
||||
if(!sha1_warned && opt.simple_sk_checksum &&
|
||||
(node->pkt->pkttype==PKT_SECRET_KEY ||
|
||||
node->pkt->pkttype==PKT_SECRET_SUBKEY) &&
|
||||
node->pkt->pkt.secret_key->protect.sha1chk)
|
||||
{
|
||||
/* I hope this warning doesn't confuse people. */
|
||||
log_info("Warning: secret key %08lX does not have a "
|
||||
"simple SK checksum\n",(ulong)sk_keyid[1]);
|
||||
|
||||
sha1_warned=1;
|
||||
}
|
||||
|
||||
rc = build_packet( out, node->pkt );
|
||||
}
|
||||
|
||||
|
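Review bot: `sk_keyid` is declared without an initialiser at the top of the search loop and is filled only inside `if(node)`, yet the new warning in the last hunk prints `sk_keyid[1]` for any PKT_SECRET_KEY or PKT_SECRET_SUBKEY packet. If a keyblock ever reaches the write loop with a secret subkey but no PKT_SECRET_KEY node, that is a read of an indeterminate value; declaring it as `u32 sk_keyid[2]={0,0};` removes the dependency. The warning is also the only `log_info` string in these hunks not wrapped in `_()`, so it will not be translated. It prints the primary key ID even when the SHA1-protected packet is a subkey, which a short comment could state. The loop body starts and ends outside the visible hunks.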
16
g10/g10.c
16
g10/g10.c
@ -150,7 +150,8 @@ enum cmd_and_opt_values { aNull = 0,
|
||||
#ifdef __riscos__
|
||||
oStatusFile,
|
||||
#endif /* __riscos__ */
|
||||
oNoComment,
|
||||
oSKComments,
|
||||
oNoSKComments,
|
||||
oNoVersion,
|
||||
oEmitVersion,
|
||||
oCompletesNeeded,
|
||||
@ -405,7 +406,9 @@ static ARGPARSE_OPTS opts[] = {
|
||||
#ifdef __riscos__
|
||||
{ oStatusFile, "status-file" ,2, N_("|[file]|write status info to file") },
|
||||
#endif /* __riscos__ */
|
||||
{ oNoComment, "no-comment", 0, "@"},
|
||||
{ oNoSKComments, "no-comment", 0, "@"},
|
||||
{ oNoSKComments, "no-sk-comments", 0, "@"},
|
||||
{ oSKComments, "sk-comments", 0, "@"},
|
||||
{ oCompletesNeeded, "completes-needed", 1, "@"},
|
||||
{ oMarginalsNeeded, "marginals-needed", 1, "@"},
|
||||
{ oMaxCertDepth, "max-cert-depth", 1, "@" },
|
||||
@ -1045,7 +1048,8 @@ main( int argc, char **argv )
|
||||
case oNoVerbose: g10_opt_verbose = 0;
|
||||
opt.verbose = 0; opt.list_sigs=0; break;
|
||||
case oQuickRandom: quick_random_gen(1); break;
|
||||
case oNoComment: opt.no_comment=1; break;
|
||||
case oSKComments: opt.sk_comments=1; break;
|
||||
case oNoSKComments: opt.sk_comments=0; break;
|
||||
case oNoVersion: opt.no_version=1; break;
|
||||
case oEmitVersion: opt.no_version=0; break;
|
||||
case oCompletesNeeded: opt.completes_needed = pargs.r.ret_int; break;
|
||||
@ -1089,7 +1093,7 @@ main( int argc, char **argv )
|
||||
opt.rfc1991 = 1;
|
||||
opt.rfc2440 = 0;
|
||||
opt.force_v4_certs = 0;
|
||||
opt.no_comment = 1;
|
||||
opt.sk_comments = 0;
|
||||
opt.escape_from = 1;
|
||||
break;
|
||||
case oOpenPGP:
|
||||
@ -1447,7 +1451,7 @@ main( int argc, char **argv )
|
||||
opt.force_mdc = 0;
|
||||
opt.disable_mdc = 1;
|
||||
opt.force_v4_certs = 0;
|
||||
opt.no_comment = 1;
|
||||
opt.sk_comments = 0;
|
||||
opt.escape_from = 1;
|
||||
opt.force_v3_sigs = 1;
|
||||
opt.pgp2_workarounds = 1;
|
||||
@ -1463,7 +1467,7 @@ main( int argc, char **argv )
|
||||
{
|
||||
opt.force_mdc=0;
|
||||
opt.disable_mdc=1;
|
||||
opt.no_comment=1;
|
||||
opt.sk_comments=0;
|
||||
opt.escape_from=1;
|
||||
opt.force_v3_sigs=1;
|
||||
opt.ask_sig_expire=0;
|
||||
|
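Review bot: The option table now has two spellings for `oNoSKComments`, and nothing marks `"no-comment"` as the legacy one. A trailing comment on that entry, for example `/* old name, kept for compatibility */`, would stop a later cleanup from dropping it or documenting it as current. The new default of not writing comments appears to rely on `opt` being zero-initialised, since no visible hunk sets `opt.sk_comments` at start-up; if that is intended, a one-line comment where the option defaults are set would make it explicit. main() continues outside these hunks.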
@ -69,7 +69,7 @@ struct {
|
||||
char *def_recipient;
|
||||
int def_recipient_self;
|
||||
int def_cert_check_level;
|
||||
int no_comment;
|
||||
int sk_comments;
|
||||
int no_version;
|
||||
int marginals_needed;
|
||||
int completes_needed;
|
||||
|
@ -1561,7 +1561,7 @@ parse_key( IOBUF inp, int pkttype, unsigned long pktlen,
|
||||
if( list_mode ) {
|
||||
printf(", algo: %d,%s hash: %d",
|
||||
sk->protect.algo,
|
||||
sk->protect.sha1chk? ""
|
||||
sk->protect.sha1chk?" SHA1 protection,"
|
||||
:" simple checksum,",
|
||||
sk->protect.s2k.hash_algo );
|
||||
if( sk->protect.s2k.mode == 1
|
||||
|