diff options
| author | Мирослав Николић <wk@gnupg.org> | 2014-11-27 20:41:37 +0100 |
|---|---|---|
| committer | Werner Koch <wk@gnupg.org> | 2014-11-27 20:41:37 +0100 |
| commit | f173cdcdfbfd083b035516a406c2c754f38a0ace (patch) | |
| tree | b1f162fcb7e39ade104379129f6731aacdce2344 /common | |
| parent | agent: Make auditing of the option list easier. (diff) | |
| download | gnupg2-f173cdcdfbfd083b035516a406c2c754f38a0ace.tar.xz gnupg2-f173cdcdfbfd083b035516a406c2c754f38a0ace.zip | |
gpg-agent: Add restricted connection feature.
* agent/agent.h (opt): Add field extra_socket.
(server_control_s): Add field restricted.
* agent/command.c: Check restricted flag on many commands.
* agent/gpg-agent.c (oExtraSocket): New.
(opts): Add option --extra-socket.
(socket_name_extra): New.
(cleanup): Cleanup that socket name.
(main): Implement oExtraSocket.
(create_socket_name): Add arg homedir and change all callers.
(create_server_socket): Rename arg is_ssh to primary and change
callers.
(start_connection_thread): Take ctrl as arg.
(start_connection_thread_std): New.
(start_connection_thread_extra): New.
(handle_connections): Add arg listen_fd_extra and replace the
connection starting code by parameterized loop.
* common/asshelp.c (start_new_gpg_agent): Detect the use of the
restricted mode and don't fail on sending the pinentry environment.
* common/util.h (GPG_ERR_FORBIDDEN): New.
Diffstat (limited to 'common')
| -rw-r--r-- | common/asshelp.c | 20 | ||||
| -rw-r--r-- | common/util.h | 6 |
2 files changed, 23 insertions, 3 deletions
diff --git a/common/asshelp.c b/common/asshelp.c index e675fdad8..51ef17227 100644 --- a/common/asshelp.c +++ b/common/asshelp.c @@ -504,9 +504,23 @@ start_new_gpg_agent (assuan_context_t *r_ctx, err = assuan_transact (ctx, "RESET", NULL, NULL, NULL, NULL, NULL, NULL); if (!err) - err = send_pinentry_environment (ctx, errsource, - opt_lc_ctype, opt_lc_messages, - session_env); + { + err = send_pinentry_environment (ctx, errsource, + opt_lc_ctype, opt_lc_messages, + session_env); + if (gpg_err_code (err) == GPG_ERR_FORBIDDEN + && gpg_err_source (err) == GPG_ERR_SOURCE_GPGAGENT) + { + /* Check whether we are in restricted mode. */ + if (!assuan_transact (ctx, "GETINFO restricted", + NULL, NULL, NULL, NULL, NULL, NULL)) + { + if (verbose) + log_info (_("connection to agent is in restricted mode\n")); + err = 0; + } + } + } if (err) { assuan_release (ctx); diff --git a/common/util.h b/common/util.h index dd5fdb14c..a6f86069a 100644 --- a/common/util.h +++ b/common/util.h @@ -35,6 +35,12 @@ #include <errno.h> /* We need errno. */ #include <gpg-error.h> /* We need gpg_error_t and estream. */ +/* These error codes are used but not defined in the required + libgpg-error version. Define them here. */ +#if GPG_ERROR_VERSION_NUMBER < 0x011200 /* 1.18 */ +# define GPG_ERR_FORBIDDEN 251 +#endif + /* Hash function used with libksba. */ #define HASH_FNC ((void (*)(void *, const void*,size_t))gcry_md_write) |