author | Werner Koch <wk@gnupg.org> | 2023-03-27 11:37:49 +0200 |
---|---|---|
committer | Werner Koch <wk@gnupg.org> | 2023-03-27 11:47:28 +0200 |
commit | ab35d756d86438db124fa68aa633fe528ff8be50 (patch) | |
tree | c4d3ea165d795b897a0ac0df1fdd3144fefba1eb | |
parent | gpg: New command --quick-add-adsk (diff) | |
agent: New option --restricted for PRESET_PASSPHRASE.
* agent/command.c (cmd_preset_passphrase): Add option.
* agent/preset-passphrase.c (oRestricted): New.
(opts): Add option --restricted.
(main): Set option.
(preset_passphrase): Use option.
--
We use a different cache for connections from the extra-socket.
However, gpg-preset-passphrase is only able to preset a
passphrase into the regular cache. Further, a restricted connection
may not use PRESET_PASSPHRASE. To solve this we add a new option to
preset the passphrase into the "restricted" cache. For the
gpg-preset-passphrase tool we also add the option --restricted.
Note that this does not yet work with gpg-preset-passphrase --forget.
-rw-r--r-- | agent/command.c | 13 | ||||
-rw-r--r-- | agent/preset-passphrase.c | 9 |
2 files changed, 19 insertions, 3 deletions
diff --git a/agent/command.c b/agent/command.c
index 2e996d096..9481f47c3 100644
--- a/agent/command.c
+++ b/agent/command.c
@@ -2491,14 +2491,17 @@ cmd_passwd (assuan_context_t ctx, char *line)
 static const char hlp_preset_passphrase[] =
- "PRESET_PASSPHRASE [--inquire] <string_or_keygrip> <timeout> [<hexstring>]\n"
+ "PRESET_PASSPHRASE [--inquire] [--restricted] \\\n"
+ " <string_or_keygrip> <timeout> [<hexstring>]\n"
 "\n"
 "Set the cached passphrase/PIN for the key identified by the keygrip\n"
 "to passwd for the given time, where -1 means infinite and 0 means\n"
 "the default (currently only a timeout of -1 is allowed, which means\n"
 "to never expire it). If passwd is not provided, ask for it via the\n"
 "pinentry module unless --inquire is passed in which case the passphrase\n"
- "is retrieved from the client via a server inquire.\n";
+ "is retrieved from the client via a server inquire. The option\n"
+ "--restricted can be used to put the passphrase into the cache used\n"
+ "by restricted connections.";
 static gpg_error_t
 cmd_preset_passphrase (assuan_context_t ctx, char *line)
 {
@@ -2509,6 +2512,7 @@ cmd_preset_passphrase (assuan_context_t ctx, char *line)
 int ttl;
 size_t len;
 int opt_inquire;
+ int opt_restricted;
 if (ctrl->restricted)
 return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN));
@@ -2517,6 +2521,7 @@ cmd_preset_passphrase (assuan_context_t ctx, char *line)
 return set_error (GPG_ERR_NOT_SUPPORTED, "no --allow-preset-passphrase");
 opt_inquire = has_option (line, "--inquire");
+ opt_restricted = has_option (line, "--restricted");
 line = skip_options (line);
 grip_clear = line;
 while (*line && (*line != ' ' && *line != '\t'))
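Review bot: The new help text for PRESET_PASSPHRASE documents --restricted but not that the command is refused outright on restricted connections, which the check `if (ctrl->restricted) return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN));` in the following hunk enforces before the options are even parsed; a client on the extra socket therefore cannot use --restricted to fill its own cache, and the help should say so, e.g. by appending `"This command, including --restricted, is only available on\n" "unrestricted connections."`. The replacement also drops the trailing newline the removed line carried (`...inquire.\n";` became `...connections.";`), which is worth checking against the other hlp_ strings in the file. cmd_preset_passphrase's body continues outside these hunks.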
@@ -2579,7 +2584,11 @@ cmd_preset_passphrase (assuan_context_t ctx, char *line)
 if (!rc)
 {
+ int save_restricted = ctrl->restricted;
+ if (opt_restricted)
+ ctrl->restricted = 1;
 rc = agent_put_cache (ctrl, grip_clear, CACHE_MODE_ANY, passphrase, ttl);
+ ctrl->restricted = save_restricted;
 if (opt_inquire)
 {
 wipememory (passphrase, len);
diff --git a/agent/preset-passphrase.c b/agent/preset-passphrase.c
index df6da00e3..4cf624462 100644
--- a/agent/preset-passphrase.c
+++ b/agent/preset-passphrase.c
@@ -63,11 +63,13 @@ enum cmd_and_opt_values
 oNoVerbose = 500,
 oHomedir,
+ oRestricted,
 aTest
 };
 static const char *opt_passphrase;
+static int opt_restricted;
 static gpgrt_opt_t opts[] = {
@@ -79,6 +81,7 @@ static gpgrt_opt_t opts[] = {
 { oForget, "forget", 256, "forget passphrase"},
 { oHomedir, "homedir", 2, "@" },
+ { oRestricted, "restricted", 0, "put into the restricted cache"},
 ARGPARSE_end ()
 };
@@ -156,7 +159,9 @@ preset_passphrase (const char *keygrip)
 return;
 }
- rc = asprintf (&line, "PRESET_PASSPHRASE %s -1 %s\n", keygrip,
+ rc = asprintf (&line, "PRESET_PASSPHRASE %s%s -1 %s\n",
+ opt_restricted? "--restricted ":"",
+ keygrip,
 passphrase_esc);
 wipememory (passphrase_esc, strlen (passphrase_esc));
 xfree (passphrase_esc);
@@ -232,6 +237,8 @@ main (int argc, char **argv)
 case oForget: cmd = oForget; break;
 case oPassphrase: opt_passphrase = pargs.r.ret_str; break;
+ case oRestricted: opt_restricted = 1; break;
+
 default : pargs.err = 2; break;
 }
 }
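Review bot: Toggling `ctrl->restricted` around `agent_put_cache` reuses the connection's authorization state as a cache selector, so any check inside agent_put_cache or its callees that consults ctrl->restricted for a different purpose now sees this connection as restricted for the duration of that call; the flag is restored on the straight-line path shown, but nothing states the intent. At minimum a comment before `int save_restricted = ctrl->restricted;` should say `/* Temporarily mark the connection as restricted so that agent_put_cache stores the passphrase into the cache used by restricted connections; the flag is restored right after the call.  */`. A cleaner shape would be an explicit cache-selection argument to agent_put_cache rather than flipping connection state, though that is wider than this hunk. Since the FORBIDDEN check earlier in cmd_preset_passphrase appears to guarantee ctrl->restricted is 0 by this point, save_restricted is presumably always 0 and the save/restore is defensive, which the comment could also note; the function's body continues outside the hunk.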
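Review bot: `--restricted` is accepted together with `--forget` even though the commit message says that combination does not work yet; the new `case oRestricted: opt_restricted = 1; break;` sets the flag regardless of cmd and nothing visible rejects the pair, so a user running the tool with both options gets no error and the forget presumably still operates on the regular cache. After the argument loop that the hunk's closing braces end, add a check such as `if (opt_restricted && cmd == oForget) log_error ("--restricted is not supported with --forget\n");` followed by the tool's usual failure exit, or at least state the limitation in the option's description in hunk `@@ -79,6 +81,7 @@`. The option only takes effect in preset_passphrase (hunk `@@ -156,7 +159,9 @@`), which is consistent with the forget path ignoring it.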