On Sat, 25 Mar 2023 18:56, xeyrion--- said:

> The difference seems to be that normal socket uses ".0" as cache key while
> extra socket uses ".1" and therefore misses?

You are right.  I forgot about this.

You need to wait for the next version or apply the attached patch and
run gpg-preset-passphrase with the option --restricted to address the
other cache.


Shalom-Salam,

   Werner


-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
From ab35d756d86438db124fa68aa633fe528ff8be50 Mon Sep 17 00:00:00 2001
From: Werner Koch <w...@gnupg.org>
Date: Mon, 27 Mar 2023 11:37:49 +0200
Subject: [PATCH GnuPG] agent: New option --restricted for PRESET_PASSPHRASE.

* agent/command.c (cmd_preset_passphrase): Add option.

* agent/preset-passphrase.c (oRestricted): New.
(opts): Add option --restricted.
(main): Set option.
(preset_passphrase): Use option.
--

We use a different cache for connections from the extra-socket.
However, gpg-preset-passphrase is only able to preset a
passphrase into the regular cache.  Further, a restricted connection
may not use PRESET_PASSPHRASE.  To solve this we add a new option to
preset the passphrase into the "restricted" cache.  For the
gpg-preset-passphrase tool we also add the option --restricted.

Note that this does not yet work with gpg-preset-passphrase --forget.
---
 agent/command.c           | 13 +++++++++++--
 agent/preset-passphrase.c |  9 ++++++++-
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/agent/command.c b/agent/command.c
index 2e996d096..9481f47c3 100644
--- a/agent/command.c
+++ b/agent/command.c
@@ -2491,14 +2491,17 @@ cmd_passwd (assuan_context_t ctx, char *line)
 
 
 static const char hlp_preset_passphrase[] =
-  "PRESET_PASSPHRASE [--inquire] <string_or_keygrip> <timeout> [<hexstring>]\n"
+  "PRESET_PASSPHRASE [--inquire] [--restricted] \\\n"
+  "                  <string_or_keygrip> <timeout> [<hexstring>]\n"
   "\n"
   "Set the cached passphrase/PIN for the key identified by the keygrip\n"
   "to passwd for the given time, where -1 means infinite and 0 means\n"
   "the default (currently only a timeout of -1 is allowed, which means\n"
   "to never expire it).  If passwd is not provided, ask for it via the\n"
   "pinentry module unless --inquire is passed in which case the passphrase\n"
-  "is retrieved from the client via a server inquire.\n";
+  "is retrieved from the client via a server inquire.  The option\n"
+  "--restricted can be used to put the passphrase into the cache used\n"
+  "by restricted connections.";
 static gpg_error_t
 cmd_preset_passphrase (assuan_context_t ctx, char *line)
 {
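Review bot: the rewritten tail of the help text drops the trailing "\n" that the old last line ("...via a server inquire.\n") carried, so the string now ends with "by restricted connections." and no newline; check that this matches the other hlp_* strings in command.c and that the help printer does not rely on it. The text could also state the precondition visible a few lines further down, namely that --restricted is only honoured on the regular socket because a restricted connection gets GPG_ERR_FORBIDDEN.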
@@ -2509,6 +2512,7 @@ cmd_preset_passphrase (assuan_context_t ctx, char *line)
   int ttl;
   size_t len;
   int opt_inquire;
+  int opt_restricted;
 
   if (ctrl->restricted)
     return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN));
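Review bot: opt_restricted is declared without an initialiser and is only assigned after the two early returns (the GPG_ERR_FORBIDDEN check in this hunk and the --allow-preset-passphrase check); that is safe as the code stands, but `int opt_restricted = 0;` would keep a future early use from reading an indeterminate value. Keep the ctrl->restricted check exactly where it is, ahead of option parsing, so a restricted client can never reach the --restricted handling.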
@@ -2517,6 +2521,7 @@ cmd_preset_passphrase (assuan_context_t ctx, char *line)
     return set_error (GPG_ERR_NOT_SUPPORTED, "no --allow-preset-passphrase");
 
   opt_inquire = has_option (line, "--inquire");
+  opt_restricted = has_option (line, "--restricted");
   line = skip_options (line);
   grip_clear = line;
   while (*line && (*line != ' ' && *line != '\t'))
@@ -2579,7 +2584,11 @@ cmd_preset_passphrase (assuan_context_t ctx, char *line)
 
   if (!rc)
     {
+      int save_restricted = ctrl->restricted;
+      if (opt_restricted)
+        ctrl->restricted = 1;
       rc = agent_put_cache (ctrl, grip_clear, CACHE_MODE_ANY, passphrase, ttl);
+      ctrl->restricted = save_restricted;
       if (opt_inquire)
         {
 	  wipememory (passphrase, len);
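Review bot: temporarily setting ctrl->restricted to 1 around agent_put_cache reuses a per-connection policy flag to select the cache, which is fragile: if agent_put_cache or anything it calls consults ctrl->restricted for something other than cache-key selection, it will treat the call as coming from a restricted client, and any error return added between the assignment and the restore would leave the connection marked restricted. Because the FORBIDDEN check earlier in the function guarantees ctrl->restricted is 0 here, save_restricted is always 0; consider passing the restricted flag explicitly (a parameter or a dedicated cache helper) rather than mutating ctrl, and keep the restore either way.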
diff --git a/agent/preset-passphrase.c b/agent/preset-passphrase.c
index df6da00e3..4cf624462 100644
--- a/agent/preset-passphrase.c
+++ b/agent/preset-passphrase.c
@@ -63,11 +63,13 @@ enum cmd_and_opt_values
   oNoVerbose = 500,
 
   oHomedir,
+  oRestricted,
 
 aTest };
 
 
 static const char *opt_passphrase;
+static int opt_restricted;
 
 static gpgrt_opt_t opts[] = {
 
@@ -79,6 +81,7 @@ static gpgrt_opt_t opts[] = {
   { oForget,  "forget",  256, "forget passphrase"},
 
   { oHomedir, "homedir", 2, "@" },
+  { oRestricted,  "restricted", 0, "put into the restricted cache"},
 
   ARGPARSE_end ()
 };
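Review bot: the option help "put into the restricted cache" does not say what is put; suggest "preset the passphrase into the restricted cache". The double space after oRestricted also differs from the neighbouring entries in the table.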
@@ -156,7 +159,9 @@ preset_passphrase (const char *keygrip)
       return;
     }
 
-  rc = asprintf (&line, "PRESET_PASSPHRASE %s -1 %s\n", keygrip,
+  rc = asprintf (&line, "PRESET_PASSPHRASE %s%s -1 %s\n",
+                 opt_restricted? "--restricted ":"",
+                 keygrip,
 		 passphrase_esc);
   wipememory (passphrase_esc, strlen (passphrase_esc));
   xfree (passphrase_esc);
@@ -232,6 +237,8 @@ main (int argc, char **argv)
         case oForget: cmd = oForget; break;
         case oPassphrase: opt_passphrase = pargs.r.ret_str; break;
 
+        case oRestricted: opt_restricted = 1; break;
+
         default : pargs.err = 2; break;
 	}
     }
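Review bot: --restricted is accepted here regardless of which command is selected, but the commit message says it does not yet work with --forget, so `--forget --restricted` silently clears only the regular cache while the restricted entry survives. Until the forget path supports it, reject the combination after option parsing (e.g. `if (cmd == oForget && opt_restricted)` followed by a log_error and exit) or at least warn, so a user does not assume the restricted cache was cleared.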
-- 
2.32.0
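As an added example, not part of Werner's mail or of the GnuPG sources: a POSIX shell helper that presets one passphrase into both gpg-agent caches, the regular one and the restricted one the patched gpg-preset-passphrase can reach with --restricted, plus a builder for the raw PRESET_PASSPHRASE line. It assumes gpg-preset-passphrase is on PATH, reads the passphrase from stdin, and that gpg-agent.conf contains allow-preset-passphrase; the function names are my own.

```shell
# Added example, not from the mail or the GnuPG sources.  Presets one
# passphrase into both gpg-agent caches: the regular one and, with the patched
# gpg-preset-passphrase, the "restricted" one used by extra-socket clients.
# Assumes gpg-preset-passphrase is on PATH and that gpg-agent.conf contains
# "allow-preset-passphrase" (otherwise the agent answers NOT_SUPPORTED).

# Hex-encode a string as gpg-preset-passphrase does for the <hexstring>
# argument of PRESET_PASSPHRASE (lower case, no separators).
hex_encode() {
  printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# A keygrip is exactly 40 hex digits; reject anything else so a typo does not
# become a cache entry that nothing will ever look up.
is_keygrip() {
  case "$1" in
    *[!0-9A-Fa-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# Build the Assuan line the patched tool sends (see the asprintf hunk):
# "PRESET_PASSPHRASE [--restricted ]<keygrip> -1 <hex>".  Useful when driving
# the agent through gpg-connect-agent instead of the tool.
preset_line() {
  grip=$1; pass=$2; restricted=${3:-0}
  opt=""
  [ "$restricted" -eq 1 ] && opt="--restricted "
  printf 'PRESET_PASSPHRASE %s%s -1 %s\n' "$opt" "$grip" "$(hex_encode "$pass")"
}

# Read the passphrase from stdin and preset it into both caches.  Stops at the
# first failure so the caller never assumes both caches are primed.
preset_both_caches() {
  grip=$1
  is_keygrip "$grip" || { echo "bad keygrip: $grip" >&2; return 2; }
  pass=$(cat)
  printf '%s' "$pass" | gpg-preset-passphrase --preset "$grip" || return 1
  printf '%s' "$pass" | gpg-preset-passphrase --preset --restricted "$grip" || return 1
  unset pass
}
```

Run as `printf '%s' "$PASSPHRASE" | preset_both_caches <KEYGRIP>`; without the patch the second call fails with an unknown-option error and the function returns 1, which is the signal that the extra socket still has an empty cache.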


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users