[git] GnuPG - branch, STABLE-BRANCH-2-2, updated. gnupg-2.2.4-10-ge1e35db
by Werner Koch
cvs at cvs.gnupg.org
Thu Jan 18 13:45:10 CET 2018
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".
The branch, STABLE-BRANCH-2-2 has been updated
via e1e35db510c9222e7a7dc208c2e49df556954170 (commit)
from 6fb5713f4a6976900cc70c140e61043b6ef688d1 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit e1e35db510c9222e7a7dc208c2e49df556954170
Author: Werner Koch <wk at gnupg.org>
Date: Thu Jan 18 13:38:23 2018 +0100
gpg: Fix the use of future-default with --quick-add-key.
* g10/keygen.c (parse_key_parameter_part): Add arg clear_cert.
(parse_key_parameter_string): Add arg suggested_use and implement
fallback. Change callers to pass 0 for new arg.
(parse_algo_usage_expire): Pass the parsed USAGESTR to
parse_key_parameter_string so that it can use it in case a subkey is
to be created.
--
The problem here was that future-default gives the primary and subkey
algorithm. However, when using future-default for adding a key, the
second part was always used which is for encryption. If the caller
now wanted to create a signing subkey using the future-default
parameters this did not worked.
gpg --batch --passphrase "" --quick-add-key FPR future-default encr
aready worked as did
gpg --batch --passphrase "" --quick-add-key FPR ed25519 sign
but
gpg --batch --passphrase "" --quick-add-key FPR future-default sign
does only work with this fix.
GnuPG-bug-id: 3747
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/g10/keygen.c b/g10/keygen.c
index 01f3de0..8de6538 100644
--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -2895,9 +2895,11 @@ generate_user_id (KBNODE keyblock, const char *uidstr)
* success is returned. On error an error code is returned. Note
* that STRING may be modified by this function. NULL may be passed
* for any parameter. FOR_SUBKEY shall be true if this is used as a
+ * subkey. If CLEAR_CERT is set a default CERT usage will be cleared;
+ * this is useful if for example the default algorithm is used for a
* subkey. */
static gpg_error_t
-parse_key_parameter_part (char *string, int for_subkey,
+parse_key_parameter_part (char *string, int for_subkey, int clear_cert,
int *r_algo, unsigned int *r_size,
unsigned int *r_keyuse,
char const **r_curve)
@@ -3048,6 +3050,10 @@ parse_key_parameter_part (char *string, int for_subkey,
if (!for_subkey)
keyuse |= PUBKEY_USAGE_CERT;
+ /* But if requested remove th cert usage. */
+ if (clear_cert)
+ keyuse &= ~PUBKEY_USAGE_CERT;
+
/* Check that usage is actually possible. */
if (/**/((keyuse & (PUBKEY_USAGE_SIG|PUBKEY_USAGE_AUTH|PUBKEY_USAGE_CERT))
&& !pubkey_get_nsig (algo))
@@ -3119,14 +3125,16 @@ parse_key_parameter_part (char *string, int for_subkey,
* -1 := Both parts
* 0 := Only the part of the primary key
* 1 := If there is one part parse that one, if there are
- * two parts parse the second part. Always return
- * in the args for the primary key (R_ALGO,....).
+ * two parts parse the part which best matches the
+ * SUGGESTED_USE or in case that can't be evaluated the second part.
+ * Always return using the args for the primary key (R_ALGO,....).
*
*/
gpg_error_t
parse_key_parameter_string (const char *string, int part,
+ unsigned int suggested_use,
int *r_algo, unsigned int *r_size,
- unsigned *r_keyuse,
+ unsigned int *r_keyuse,
char const **r_curve,
int *r_subalgo, unsigned int *r_subsize,
unsigned *r_subkeyuse,
@@ -3165,18 +3173,31 @@ parse_key_parameter_string (const char *string, int part,
*secondary++ = 0;
if (part == -1 || part == 0)
{
- err = parse_key_parameter_part (primary, 0, r_algo, r_size,
+ err = parse_key_parameter_part (primary, 0, 0, r_algo, r_size,
r_keyuse, r_curve);
if (!err && part == -1)
- err = parse_key_parameter_part (secondary, 1, r_subalgo, r_subsize,
+ err = parse_key_parameter_part (secondary, 1, 0, r_subalgo, r_subsize,
r_subkeyuse, r_subcurve);
}
else if (part == 1)
{
/* If we have SECONDARY, use that part. If there is only one
- * part consider this to be the subkey algo. */
- err = parse_key_parameter_part (secondary? secondary : primary, 1,
- r_algo, r_size, r_keyuse, r_curve);
+ * part consider this to be the subkey algo. In case a
+ * SUGGESTED_USE has been given and the usage of the secondary
+ * part does not match SUGGESTED_USE try again using the primary
+ * part. Noet thar when falling back to the primary key we need
+ * to force clearing the cert usage. */
+ if (secondary)
+ {
+ err = parse_key_parameter_part (secondary, 1, 0,
+ r_algo, r_size, r_keyuse, r_curve);
+ if (!err && suggested_use && r_keyuse && !(suggested_use & *r_keyuse))
+ err = parse_key_parameter_part (primary, 1, 1 /*(clear cert)*/,
+ r_algo, r_size, r_keyuse, r_curve);
+ }
+ else
+ err = parse_key_parameter_part (primary, 1, 0,
+ r_algo, r_size, r_keyuse, r_curve);
}
xfree (primary);
@@ -3263,7 +3284,7 @@ get_parameter_algo( struct para_data_s *para, enum para_name key,
* for the curve etc. That is a ugly but demanded for backward
* compatibility with the batch key generation. It would be
* better to make full use of parse_key_parameter_string. */
- parse_key_parameter_string (NULL, 0,
+ parse_key_parameter_string (NULL, 0, 0,
&i, NULL, NULL, NULL,
NULL, NULL, NULL, NULL);
@@ -3997,7 +4018,7 @@ quick_generate_keypair (ctrl_t ctrl, const char *uid, const char *algostr,
unsigned int keyuse, subkeyuse;
const char *curve, *subcurve;
- err = parse_key_parameter_string (algostr, -1,
+ err = parse_key_parameter_string (algostr, -1, 0,
&algo, &size, &keyuse, &curve,
&subalgo, &subsize, &subkeyuse,
&subcurve);
@@ -4376,7 +4397,7 @@ generate_keypair (ctrl_t ctrl, int full, const char *fname,
#endif
, "--full-generate-key" );
- err = parse_key_parameter_string (NULL, -1,
+ err = parse_key_parameter_string (NULL, -1, 0,
&algo, &size, &keyuse, &curve,
&subalgo, &subsize,
&subkeyuse, &subcurve);
@@ -4923,6 +4944,7 @@ parse_algo_usage_expire (ctrl_t ctrl, int for_subkey,
}
err = parse_key_parameter_string (algostr, for_subkey? 1 : 0,
+ usagestr? parse_usagestr (usagestr):0,
&algo, &nbits, &use, &curve,
NULL, NULL, NULL, NULL);
if (err)
-----------------------------------------------------------------------
Summary of changes:
g10/keygen.c | 46 ++++++++++++++++++++++++++++++++++------------
1 file changed, 34 insertions(+), 12 deletions(-)
hooks/post-receive
--
The GNU Privacy Guard
http://git.gnupg.org
More information about the Gnupg-commits
mailing list