authorWerner Koch <[email protected]>2002-05-07 07:24:29 +0000
committerWerner Koch <[email protected]>2002-05-07 07:24:29 +0000
commit0295445a4c7e655f08535e213fcf329fa51e4aca (patch)
tree9fb2013fd9dd9fc8eb2f0010e748acdbd82ef3d7
parent* keyedit.c (sign_uids): If --expert it set, allow re-signing a uid to (diff)
* keygen.c (get_parameter_algo): Never allow generation of the
deprecated RSA-E or RSA-S flavors of PGP RSA. (ask_algo): Allow generation of RSA sign and encrypt in expert mode. Don't allow ElGamal S+E unless in expert mode. * helptext.c: Added entry keygen.algo.rsa_se.
-rw-r--r--g10/ChangeLog8
-rw-r--r--g10/helptext.c6
-rw-r--r--g10/keygen.c24
3 files changed, 34 insertions, 4 deletions
diff --git a/g10/ChangeLog b/g10/ChangeLog
index f649f0793..c181ec7c7 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,3 +1,11 @@
+2002-05-07 Werner Koch <[email protected]>
+
+ * keygen.c (get_parameter_algo): Never allow generation of the
+ deprecated RSA-E or RSA-S flavors of PGP RSA.
+ (ask_algo): Allow generation of RSA sign and encrypt in expert
+ mode. Don't allow ElGamal S+E unless in expert mode.
+ * helptext.c: Added entry keygen.algo.rsa_se.
+
2002-05-07 David Shaw <[email protected]>
* keyedit.c (sign_uids): If --expert it set, allow re-signing a
diff --git a/g10/helptext.c b/g10/helptext.c
index d94bf85de..0150c549c 100644
--- a/g10/helptext.c
+++ b/g10/helptext.c
@@ -94,6 +94,12 @@ static struct helptexts { const char *key; const char *help; } helptexts[] = {
"with them are quite large and very slow to verify."
)},
+{ "keygen.algo.rsa_se", N_(
+"In general it is not a good idea to use the same key for signing and\n"
+"encryption. This algorithm should only be used in certain domains.\n"
+"Please consult your security expert first."
+)},
+
{ "keygen.size", N_(
"Enter the size of the key"
diff --git a/g10/keygen.c b/g10/keygen.c
index 4f8b49e6d..d5b647314 100644
--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -780,10 +780,13 @@ ask_algo (int addmode, unsigned int *r_usage)
tty_printf( _(" (%d) DSA (sign only)\n"), 2 );
if( addmode )
tty_printf( _(" (%d) ElGamal (encrypt only)\n"), 3 );
- tty_printf( _(" (%d) ElGamal (sign and encrypt)\n"), 4 );
+ if (opt.expert)
+ tty_printf( _(" (%d) ElGamal (sign and encrypt)\n"), 4 );
tty_printf( _(" (%d) RSA (sign only)\n"), 5 );
if (addmode)
tty_printf( _(" (%d) RSA (encrypt only)\n"), 6 );
+ if (opt.expert)
+ tty_printf( _(" (%d) RSA (sign and encrypt)\n"), 7 );
for(;;) {
answer = cpr_get("keygen.algo",_("Your selection? "));
@@ -794,6 +797,14 @@ ask_algo (int addmode, unsigned int *r_usage)
algo = 0; /* create both keys */
break;
}
+ else if( algo == 7 && opt.expert ) {
+ if (cpr_get_answer_is_yes ("keygen.algo.rsa_se",_(
+ "The use of this algorithm is deprecated - create anyway? "))){
+ algo = PUBKEY_ALGO_RSA;
+ *r_usage = PUBKEY_USAGE_ENC | PUBKEY_USAGE_SIG;
+ break;
+ }
+ }
else if( algo == 6 && addmode ) {
algo = PUBKEY_ALGO_RSA;
*r_usage = PUBKEY_USAGE_ENC;
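Review bot: The confirmation prompt added for selection 7 calls plain RSA sign+encrypt "deprecated", which contradicts the keygen.algo.rsa_se help text this same commit adds (that text says using one key for both purposes is generally unwise, not that the algorithm is deprecated) and the commit message, which reserves "deprecated" for the RSA-E/RSA-S flavors. The prompt is the only line a user sees before asking for help, so it should agree with it, e.g. `"The use of this algorithm is not recommended - create anyway? "`. Declining the prompt leaves the new branch without a break, which appears to re-prompt, matching the elg_se branch below. The for loop and whatever handles answers that are not listed (such as 4 or 7 typed outside expert mode) lie outside the hunk.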
@@ -804,7 +815,7 @@ ask_algo (int addmode, unsigned int *r_usage)
*r_usage = PUBKEY_USAGE_SIG;
break;
}
- else if( algo == 4 ) {
+ else if( algo == 4 && opt.expert) {
if( cpr_get_answer_is_yes("keygen.algo.elg_se",_(
"The use of this algorithm is deprecated - create anyway? "))){
algo = PUBKEY_ALGO_ELGAMAL;
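Review bot: The new condition `else if( algo == 4 && opt.expert) {` drops the space before the closing parenthesis that the equivalent test for algo 7 earlier in this function keeps (`else if( algo == 7 && opt.expert ) {`); pick one form for both. With this gate a non-expert who types 4 now falls through the else-if chain to whatever handles unlisted answers, which is outside the hunk; worth confirming that path reports an invalid selection rather than silently looping, since the menu no longer shows the option.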
@@ -1329,12 +1340,17 @@ get_parameter_value( struct para_data_s *para, enum para_name key )
static int
get_parameter_algo( struct para_data_s *para, enum para_name key )
{
+ int i;
struct para_data_s *r = get_parameter( para, key );
if( !r )
return -1;
if( isdigit( *r->u.value ) )
- return atoi( r->u.value );
- return string_to_pubkey_algo( r->u.value );
+ i = atoi( r->u.value );
+ else
+ i = string_to_pubkey_algo( r->u.value );
+ if (i == PUBKEY_ALGO_RSA_E || i == PUBKEY_ALGO_RSA_S)
+ i = 0; /* we don't want to allow generation of these algorithms */
+ return i;
}
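Review bot: The new RSA-E/RSA-S rejection returns 0 from get_parameter_algo with no diagnostic, so a batch parameter file naming one of them becomes indistinguishable from one naming an unknown algorithm (assuming string_to_pubkey_algo also yields 0 for unrecognised names, which the shared return path suggests) and the user never learns why the key was refused. The caller of this value is outside the hunk; at minimum the comment on the new line should say what callers observe, e.g. `i = 0; /* RSA-E/RSA-S are deprecated (RFC 2440); reported to the caller as an unknown algorithm */`, and a log line naming the rejected algorithm would make batch failures debuggable. Separately, the unchanged `isdigit( *r->u.value )` passes a plain char that may be negative to a ctype function; casting to unsigned char would be safer.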
/*