diff options
| author | Werner Koch <wk@gnupg.org> | 2014-09-17 15:12:08 +0200 |
|---|---|---|
| committer | Werner Koch <wk@gnupg.org> | 2014-09-17 15:12:08 +0200 |
| commit | 457bce5cd39146df047e4740162125c32c738789 (patch) | |
| tree | 915fe264027c168e0c0610c983ef9d72c6e90a72 /g10/revoke.c | |
| parent | gpg: Use algorithm id 22 for EdDSA. (diff) | |
| download | gnupg2-457bce5cd39146df047e4740162125c32c738789.tar.xz gnupg2-457bce5cd39146df047e4740162125c32c738789.zip | |
gpg: Improve passphrase caching.
* agent/cache.c (last_stored_cache_key): New.
(agent_get_cache): Allow NULL for KEY.
(agent_store_cache_hit): New.
* agent/findkey.c (unprotect): Call new function and try to use the
last stored key.
* g10/revoke.c (create_revocation): Add arg CACHE_NONCE and pass to
make_keysig_packet.
(gen_standard_revoke): Add arg CACHE_NONCE and pass to
create_revocation.
* g10/keygen.c (do_generate_keypair): Call gen_standard_revoke with
cache nonce.
--
This patch adds two features:
1. The key for the last passphrase successfully used for unprotecting
a key is stored away. On a cache miss the stored away passphrase is
tried as well. This helps for the common GPG use case of having a
signing and encryption (sub)key with the same passphrase. See the
code for more comments.
2. The now auto-generated revocation certificate does not anymore
popup a passphrase prompt. Thus for standard key generation the
passphrase needs to be given only once (well, two with the
confirmation).
Diffstat (limited to 'g10/revoke.c')
| -rw-r--r-- | g10/revoke.c | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/g10/revoke.c b/g10/revoke.c index 67f62e5cc..019c62c0a 100644 --- a/g10/revoke.c +++ b/g10/revoke.c @@ -443,7 +443,8 @@ create_revocation (const char *filename, struct revocation_reason_info *reason, PKT_public_key *psk, kbnode_t keyblock, - const char *leadintext, int suffix) + const char *leadintext, int suffix, + const char *cache_nonce) { int rc; iobuf_t out = NULL; @@ -466,7 +467,7 @@ create_revocation (const char *filename, rc = make_keysig_packet (&sig, psk, NULL, NULL, psk, 0x20, 0, opt.force_v4_certs? 4:0, 0, 0, - revocation_reason_build_cb, reason, NULL); + revocation_reason_build_cb, reason, cache_nonce); if (rc) { log_error (_("make_keysig_packet failed: %s\n"), g10_errstr (rc)); @@ -511,9 +512,10 @@ create_revocation (const char *filename, by gpg's interactive key generation function. The certificate is stored at a dedicated place in a slightly modified form to avoid an accidental import. PSK is the primary key; a corresponding secret - key must be available. */ + key must be available. CACHE_NONCE is optional but can be used to + help gpg-agent to avoid an extra passphrase prompt. */ int -gen_standard_revoke (PKT_public_key *psk) +gen_standard_revoke (PKT_public_key *psk, const char *cache_nonce) { int rc; estream_t memfp; @@ -573,7 +575,7 @@ gen_standard_revoke (PKT_public_key *psk) reason.code = 0x00; /* No particular reason. */ reason.desc = NULL; - rc = create_revocation (fname, &reason, psk, NULL, leadin, 3); + rc = create_revocation (fname, &reason, psk, NULL, leadin, 3, cache_nonce); xfree (leadin); xfree (fname); @@ -662,7 +664,7 @@ gen_revoke (const char *uname) if (!opt.armor) tty_printf (_("ASCII armored output forced.\n")); - rc = create_revocation (NULL, reason, psk, keyblock, NULL, 0); + rc = create_revocation (NULL, reason, psk, keyblock, NULL, 0, NULL); if (rc) goto leave; |