From ab35d756d86438db124fa68aa633fe528ff8be50 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Mon, 27 Mar 2023 11:37:49 +0200 Subject: agent: New option --restricted for PRESET_PASSPHRASE. * agent/command.c (cmd_preset_passphrase): Add option. * agent/preset-passphrase.c (oRestricted): New. (opts): Add option --restricted. (main): Set option. (preset_passphrase): Use option. -- We use a different cache for connections from the extra-socket. However, with gpg-preset-passphrase is only able to preset a passphrase into the regular cache. Further, a restricted connection may not use PRESET_PASSPHRASE. To solve this we add an new option to preset the passphrase into the "restricted" cache. For the gpg-preset-passphrase tool we also add the option --restricted. Note that this does not yet work with gpg-preset-passphrase --forget. --- agent/command.c | 13 +++++++++++-- agent/preset-passphrase.c | 9 ++++++++- 2 files changed, 19 insertions(+), 3 deletions(-) (limited to 'agent') diff --git a/agent/command.c b/agent/command.c index 2e996d096..9481f47c3 100644 --- a/agent/command.c +++ b/agent/command.c @@ -2491,14 +2491,17 @@ cmd_passwd (assuan_context_t ctx, char *line) static const char hlp_preset_passphrase[] = - "PRESET_PASSPHRASE [--inquire] []\n" + "PRESET_PASSPHRASE [--inquire] [--restricted] \\\n" + " []\n" "\n" "Set the cached passphrase/PIN for the key identified by the keygrip\n" "to passwd for the given time, where -1 means infinite and 0 means\n" "the default (currently only a timeout of -1 is allowed, which means\n" "to never expire it). If passwd is not provided, ask for it via the\n" "pinentry module unless --inquire is passed in which case the passphrase\n" - "is retrieved from the client via a server inquire.\n"; + "is retrieved from the client via a server inquire. The option\n" + "--restricted can be used to put the passphrase into the cache used\n" + "by restricted connections."; static gpg_error_t cmd_preset_passphrase (assuan_context_t ctx, char *line) { @@ -2509,6 +2512,7 @@ cmd_preset_passphrase (assuan_context_t ctx, char *line) int ttl; size_t len; int opt_inquire; + int opt_restricted; if (ctrl->restricted) return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN)); @@ -2517,6 +2521,7 @@ cmd_preset_passphrase (assuan_context_t ctx, char *line) return set_error (GPG_ERR_NOT_SUPPORTED, "no --allow-preset-passphrase"); opt_inquire = has_option (line, "--inquire"); + opt_restricted = has_option (line, "--restricted"); line = skip_options (line); grip_clear = line; while (*line && (*line != ' ' && *line != '\t')) @@ -2579,7 +2584,11 @@ cmd_preset_passphrase (assuan_context_t ctx, char *line) if (!rc) { + int save_restricted = ctrl->restricted; + if (opt_restricted) + ctrl->restricted = 1; rc = agent_put_cache (ctrl, grip_clear, CACHE_MODE_ANY, passphrase, ttl); + ctrl->restricted = save_restricted; if (opt_inquire) { wipememory (passphrase, len); diff --git a/agent/preset-passphrase.c b/agent/preset-passphrase.c index df6da00e3..4cf624462 100644 --- a/agent/preset-passphrase.c +++ b/agent/preset-passphrase.c @@ -63,11 +63,13 @@ enum cmd_and_opt_values oNoVerbose = 500, oHomedir, + oRestricted, aTest }; static const char *opt_passphrase; +static int opt_restricted; static gpgrt_opt_t opts[] = { @@ -79,6 +81,7 @@ static gpgrt_opt_t opts[] = { { oForget, "forget", 256, "forget passphrase"}, { oHomedir, "homedir", 2, "@" }, + { oRestricted, "restricted", 0, "put into the restricted cache"}, ARGPARSE_end () }; @@ -156,7 +159,9 @@ preset_passphrase (const char *keygrip) return; } - rc = asprintf (&line, "PRESET_PASSPHRASE %s -1 %s\n", keygrip, + rc = asprintf (&line, "PRESET_PASSPHRASE %s%s -1 %s\n", + opt_restricted? "--restricted ":"", + keygrip, passphrase_esc); wipememory (passphrase_esc, strlen (passphrase_esc)); xfree (passphrase_esc); @@ -232,6 +237,8 @@ main (int argc, char **argv) case oForget: cmd = oForget; break; case oPassphrase: opt_passphrase = pargs.r.ret_str; break; + case oRestricted: opt_restricted = 1; break; + default : pargs.err = 2; break; } } -- cgit v1.2.3