summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorWerner Koch <wk@gnupg.org>2023-03-27 11:37:49 +0200
committerWerner Koch <wk@gnupg.org>2023-03-27 11:47:28 +0200
commitab35d756d86438db124fa68aa633fe528ff8be50 (patch)
treec4d3ea165d795b897a0ac0df1fdd3144fefba1eb
parentgpg: New command --quick-add-adsk (diff)
downloadgnupg2-ab35d756d86438db124fa68aa633fe528ff8be50.tar.xz
gnupg2-ab35d756d86438db124fa68aa633fe528ff8be50.zip
agent: New option --restricted for PRESET_PASSPHRASE.
* agent/command.c (cmd_preset_passphrase): Add option. * agent/preset-passphrase.c (oRestricted): New. (opts): Add option --restricted. (main): Set option. (preset_passphrase): Use option. -- We use a different cache for connections from the extra-socket. However, with gpg-preset-passphrase is only able to preset a passphrase into the regular cache. Further, a restricted connection may not use PRESET_PASSPHRASE. To solve this we add an new option to preset the passphrase into the "restricted" cache. For the gpg-preset-passphrase tool we also add the option --restricted. Note that this does not yet work with gpg-preset-passphrase --forget.
-rw-r--r--agent/command.c13
-rw-r--r--agent/preset-passphrase.c9
2 files changed, 19 insertions, 3 deletions
diff --git a/agent/command.c b/agent/command.c
index 2e996d096..9481f47c3 100644
--- a/agent/command.c
+++ b/agent/command.c
@@ -2491,14 +2491,17 @@ cmd_passwd (assuan_context_t ctx, char *line)
static const char hlp_preset_passphrase[] =
- "PRESET_PASSPHRASE [--inquire] <string_or_keygrip> <timeout> [<hexstring>]\n"
+ "PRESET_PASSPHRASE [--inquire] [--restricted] \\\n"
+ " <string_or_keygrip> <timeout> [<hexstring>]\n"
"\n"
"Set the cached passphrase/PIN for the key identified by the keygrip\n"
"to passwd for the given time, where -1 means infinite and 0 means\n"
"the default (currently only a timeout of -1 is allowed, which means\n"
"to never expire it). If passwd is not provided, ask for it via the\n"
"pinentry module unless --inquire is passed in which case the passphrase\n"
- "is retrieved from the client via a server inquire.\n";
+ "is retrieved from the client via a server inquire. The option\n"
+ "--restricted can be used to put the passphrase into the cache used\n"
+ "by restricted connections.";
static gpg_error_t
cmd_preset_passphrase (assuan_context_t ctx, char *line)
{
@@ -2509,6 +2512,7 @@ cmd_preset_passphrase (assuan_context_t ctx, char *line)
int ttl;
size_t len;
int opt_inquire;
+ int opt_restricted;
if (ctrl->restricted)
return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN));
@@ -2517,6 +2521,7 @@ cmd_preset_passphrase (assuan_context_t ctx, char *line)
return set_error (GPG_ERR_NOT_SUPPORTED, "no --allow-preset-passphrase");
opt_inquire = has_option (line, "--inquire");
+ opt_restricted = has_option (line, "--restricted");
line = skip_options (line);
grip_clear = line;
while (*line && (*line != ' ' && *line != '\t'))
@@ -2579,7 +2584,11 @@ cmd_preset_passphrase (assuan_context_t ctx, char *line)
if (!rc)
{
+ int save_restricted = ctrl->restricted;
+ if (opt_restricted)
+ ctrl->restricted = 1;
rc = agent_put_cache (ctrl, grip_clear, CACHE_MODE_ANY, passphrase, ttl);
+ ctrl->restricted = save_restricted;
if (opt_inquire)
{
wipememory (passphrase, len);
diff --git a/agent/preset-passphrase.c b/agent/preset-passphrase.c
index df6da00e3..4cf624462 100644
--- a/agent/preset-passphrase.c
+++ b/agent/preset-passphrase.c
@@ -63,11 +63,13 @@ enum cmd_and_opt_values
oNoVerbose = 500,
oHomedir,
+ oRestricted,
aTest };
static const char *opt_passphrase;
+static int opt_restricted;
static gpgrt_opt_t opts[] = {
@@ -79,6 +81,7 @@ static gpgrt_opt_t opts[] = {
{ oForget, "forget", 256, "forget passphrase"},
{ oHomedir, "homedir", 2, "@" },
+ { oRestricted, "restricted", 0, "put into the restricted cache"},
ARGPARSE_end ()
};
@@ -156,7 +159,9 @@ preset_passphrase (const char *keygrip)
return;
}
- rc = asprintf (&line, "PRESET_PASSPHRASE %s -1 %s\n", keygrip,
+ rc = asprintf (&line, "PRESET_PASSPHRASE %s%s -1 %s\n",
+ opt_restricted? "--restricted ":"",
+ keygrip,
passphrase_esc);
wipememory (passphrase_esc, strlen (passphrase_esc));
xfree (passphrase_esc);
@@ -232,6 +237,8 @@ main (int argc, char **argv)
case oForget: cmd = oForget; break;
case oPassphrase: opt_passphrase = pargs.r.ret_str; break;
+ case oRestricted: opt_restricted = 1; break;
+
default : pargs.err = 2; break;
}
}