
* export.c (do_export_stream): Warn the user when exporting a secret key

if it or any of its secret subkeys are protected with SHA1 while
simple_sk_checksum is set.

* parse-packet.c (parse_key): Show when the SHA1 protection is used in
--list-packets.

* options.h, build-packet.c (do_comment), g10.c (main): Rename
--no-comment as --sk-comments/--no-sk-comments (--no-comment still works)
and make the default be --no-sk-comments.
David Shaw 2002-05-07 15:21:57 +00:00
parent 7d217ecd7a
commit d5d974536e
6 changed files with 67 additions and 26 deletions


@ -1,3 +1,16 @@
2002-05-07 David Shaw <dshaw@jabberwocky.com>
* export.c (do_export_stream): Warn the user when exporting a
secret key if it or any of its secret subkeys are protected with
SHA1 while simple_sk_checksum is set.
* parse-packet.c (parse_key): Show when the SHA1 protection is
used in --list-packets.
* options.h, build-packet.c (do_comment), g10.c (main): Rename
--no-comment as --sk-comments/--no-sk-comments (--no-comment still
works) and make the default be --no-sk-comments.
2002-05-07 Werner Koch <wk@gnupg.org>
* keygen.c (get_parameter_algo): Never allow generation of the
@ -8,7 +21,7 @@
2002-05-07 David Shaw <dshaw@jabberwocky.com>
* keyedit.c (sign_uids): If --expert it set, allow re-signing a
* keyedit.c (sign_uids): If --expert is set, allow re-signing a
uid to promote a v3 self-sig to a v4 one. This essentially
deletes the old v3 self-sig and replaces it with a v4 one.


@ -196,7 +196,7 @@ write_fake_data( IOBUF out, MPI a )
static int
do_comment( IOBUF out, int ctb, PKT_comment *rem )
{
if( !opt.no_comment ) {
if( opt.sk_comments ) {
write_header(out, ctb, rem->len);
if( iobuf_write( out, rem->data, rem->len ) )
return G10ERR_WRITE_FILE;
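Review bot: The new guard `if( opt.sk_comments ) {` silently inverts the previous default — a comment packet is now written only when the option is set, whereas `!opt.no_comment` wrote it unless the user opted out — but nothing in do_comment records this, and a reader has to go to g10.c to learn what the default is. A one-line comment above the guard would carry that: `/* Comment packets are emitted only with --sk-comments; the default (and the old --no-comment) skips them. */`. The remainder of do_comment, including what is returned when the packet is skipped, lies outside the hunk.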


@ -152,6 +152,9 @@ do_export_stream( IOBUF out, STRLIST users, int secret, int onlyrfc, int *any )
while (!(rc = keydb_search (kdbhd, desc, ndesc))) {
int sha1_warned=0;
u32 sk_keyid[2];
if (!users)
desc[0].mode = KEYDB_SEARCH_MODE_NEXT;
@ -172,23 +175,29 @@ do_export_stream( IOBUF out, STRLIST users, int secret, int onlyrfc, int *any )
}
}
/* we can't apply GNU mode 1001 on an unprotected key */
if( secret == 2
&& (node = find_kbnode( keyblock, PKT_SECRET_KEY ))
&& !node->pkt->pkt.secret_key->is_protected )
{
log_info(_("key %08lX: not protected - skipped\n"),
(ulong)keyid_from_sk( node->pkt->pkt.secret_key, NULL) );
continue;
}
node=find_kbnode( keyblock, PKT_SECRET_KEY );
if(node)
{
PKT_secret_key *sk=node->pkt->pkt.secret_key;
/* no v3 keys with GNU mode 1001 */
if( secret == 2 && node->pkt->pkt.secret_key->version == 3 )
{
log_info(_("key %08lX: PGP 2.x style key - skipped\n"),
(ulong)keyid_from_sk( node->pkt->pkt.secret_key, NULL) );
continue;
}
keyid_from_sk(sk,sk_keyid);
/* we can't apply GNU mode 1001 on an unprotected key */
if( secret == 2 && !sk->is_protected )
{
log_info(_("key %08lX: not protected - skipped\n"),
(ulong)sk_keyid[1]);
continue;
}
/* no v3 keys with GNU mode 1001 */
if( secret == 2 && sk->version == 3 )
{
log_info(_("key %08lX: PGP 2.x style key - skipped\n"),
(ulong)sk_keyid[1]);
continue;
}
}
/* and write it */
for( kbctx=NULL; (node = walk_kbnode( keyblock, &kbctx, 0 )); ) {
@ -232,6 +241,21 @@ do_export_stream( IOBUF out, STRLIST users, int secret, int onlyrfc, int *any )
node->pkt->pkt.secret_key->protect.s2k.mode = save_mode;
}
else {
/* Warn the user if the secret key or any of the secret
subkeys are protected with SHA1 and we have
simple_sk_checksum set. */
if(!sha1_warned && opt.simple_sk_checksum &&
(node->pkt->pkttype==PKT_SECRET_KEY ||
node->pkt->pkttype==PKT_SECRET_SUBKEY) &&
node->pkt->pkt.secret_key->protect.sha1chk)
{
/* I hope this warning doesn't confuse people. */
log_info("Warning: secret key %08lX does not have a "
"simple SK checksum\n",(ulong)sk_keyid[1]);
sha1_warned=1;
}
rc = build_packet( out, node->pkt );
}
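Review bot: `sk_keyid`, declared uninitialised at the top of the search loop in the first hunk, is only filled by `keyid_from_sk(sk,sk_keyid);` inside the `if(node)` branch of the second hunk, yet the new warning in the third hunk reads `sk_keyid[1]` for any PKT_SECRET_KEY or PKT_SECRET_SUBKEY node; that is well-defined only if such a node is always preceded by a primary PKT_SECRET_KEY in the keyblock, which holds for a well-formed secret keyblock but is not checked here. Initialising at the declaration, `u32 sk_keyid[2]={0,0};`, keeps the message defined should that assumption ever fail and costs nothing. The warning text is also the only log_info in this section not wrapped in `_()`, so it will not be translated; `log_info(_("Warning: secret key %08lX does not have a simple SK checksum\n"),(ulong)sk_keyid[1]);` matches the neighbouring messages. The comment "I hope this warning doesn't confuse people" would serve the next maintainer better if it stated the condition, e.g. `/* The key or one of its subkeys carries the SHA1 protection check while opt.simple_sk_checksum is set. */`. do_export_stream begins before the first hunk and ends after the last one.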


@ -150,7 +150,8 @@ enum cmd_and_opt_values { aNull = 0,
#ifdef __riscos__
oStatusFile,
#endif /* __riscos__ */
oNoComment,
oSKComments,
oNoSKComments,
oNoVersion,
oEmitVersion,
oCompletesNeeded,
@ -405,7 +406,9 @@ static ARGPARSE_OPTS opts[] = {
#ifdef __riscos__
{ oStatusFile, "status-file" ,2, N_("|[file]|write status info to file") },
#endif /* __riscos__ */
{ oNoComment, "no-comment", 0, "@"},
{ oNoSKComments, "no-comment", 0, "@"},
{ oNoSKComments, "no-sk-comments", 0, "@"},
{ oSKComments, "sk-comments", 0, "@"},
{ oCompletesNeeded, "completes-needed", 1, "@"},
{ oMarginalsNeeded, "marginals-needed", 1, "@"},
{ oMaxCertDepth, "max-cert-depth", 1, "@" },
@ -1045,7 +1048,8 @@ main( int argc, char **argv )
case oNoVerbose: g10_opt_verbose = 0;
opt.verbose = 0; opt.list_sigs=0; break;
case oQuickRandom: quick_random_gen(1); break;
case oNoComment: opt.no_comment=1; break;
case oSKComments: opt.sk_comments=1; break;
case oNoSKComments: opt.sk_comments=0; break;
case oNoVersion: opt.no_version=1; break;
case oEmitVersion: opt.no_version=0; break;
case oCompletesNeeded: opt.completes_needed = pargs.r.ret_int; break;
@ -1089,7 +1093,7 @@ main( int argc, char **argv )
opt.rfc1991 = 1;
opt.rfc2440 = 0;
opt.force_v4_certs = 0;
opt.no_comment = 1;
opt.sk_comments = 0;
opt.escape_from = 1;
break;
case oOpenPGP:
@ -1447,7 +1451,7 @@ main( int argc, char **argv )
opt.force_mdc = 0;
opt.disable_mdc = 1;
opt.force_v4_certs = 0;
opt.no_comment = 1;
opt.sk_comments = 0;
opt.escape_from = 1;
opt.force_v3_sigs = 1;
opt.pgp2_workarounds = 1;
@ -1463,7 +1467,7 @@ main( int argc, char **argv )
{
opt.force_mdc=0;
opt.disable_mdc=1;
opt.no_comment=1;
opt.sk_comments=0;
opt.escape_from=1;
opt.force_v3_sigs=1;
opt.ask_sig_expire=0;


@ -69,7 +69,7 @@ struct {
char *def_recipient;
int def_recipient_self;
int def_cert_check_level;
int no_comment;
int sk_comments;
int no_version;
int marginals_needed;
int completes_needed;


@ -1561,7 +1561,7 @@ parse_key( IOBUF inp, int pkttype, unsigned long pktlen,
if( list_mode ) {
printf(", algo: %d,%s hash: %d",
sk->protect.algo,
sk->protect.sha1chk? ""
sk->protect.sha1chk?" SHA1 protection,"
:" simple checksum,",
sk->protect.s2k.hash_algo );
if( sk->protect.s2k.mode == 1