agent: Show "no secret key" instead of "card removed".

* agent/findkey.c (agent_key_from_file): Check the error of read_key_file again. * agent/pkdecrypt.c (agent_pkdecrypt): Restore error if no card was found. Also remove useless condition. -- The first patch fixes a likely merge error. The second is about the actual return code: If we have no smardcard but simply try to decrypt with the current smartcard we should return the originla error code. GnuPG-bug-id: 5170 Fixes-commit: eda3c688fc2e85c7cd63029cb9caf06552d203b4
2025-01-02 12:01:32 +01:00 · 2023-03-01 16:49:40 +01:00 · 2023-03-01 16:49:40 +01:00 · 1aaadede76
commit 1aaadede76
parent 523b3e1773
2 changed files with 20 additions and 4 deletions
--- a/agent/findkey.c
+++ b/agent/findkey.c
@ -1186,6 +1186,15 @@ agent_key_from_file (ctrl_t ctrl, const char *cache_nonce,
    return gpg_error (GPG_ERR_NO_SECKEY);

  err = read_key_file (grip? grip : ctrl->keygrip, &s_skey, &keymeta);
+  if (err)
+    {
+      if (gpg_err_code (err) == GPG_ERR_ENOENT)
+        err = gpg_error (GPG_ERR_NO_SECKEY);
+      else
+        log_error ("findkey: error reading key file: %s\n",
+                   gpg_strerror (err));
+      return err;
+    }

  /* For use with the protection functions we also need the key as an
     canonical encoded S-expression in a buffer.  Create this buffer
--- a/agent/pkdecrypt.c
+++ b/agent/pkdecrypt.c
@ -74,8 +74,7 @@ agent_pkdecrypt (ctrl_t ctrl, const char *desc_text,
    no_shadow_info = 1;
  else if (err)
    {
-      if (gpg_err_code (err) != GPG_ERR_NO_SECKEY)
-        log_error ("failed to read the secret key\n");
+      log_error ("failed to read the secret key\n");
      goto leave;
    }

@ -88,7 +87,7 @@ agent_pkdecrypt (ctrl_t ctrl, const char *desc_text,
          goto leave;
        }

-      if (agent_is_tpm2_key (s_skey))
+      if (s_skey && agent_is_tpm2_key (s_skey))
 	err = divert_tpm2_pkdecrypt (ctrl, ciphertext, shadow_info,
                                     &buf, &len, r_padding);
      else
@ -96,7 +95,15 @@ agent_pkdecrypt (ctrl_t ctrl, const char *desc_text,
                                &buf, &len, r_padding);
      if (err)
        {
-          log_error ("smartcard decryption failed: %s\n", gpg_strerror (err));
+          /* We restore the original error (ie. no seckey) is no card
+           * has been found and we have no shadow key.  This avoids a
+           * surprising "card removed" error code.  */
+          if ((gpg_err_code (err) == GPG_ERR_CARD_REMOVED
+               || gpg_err_code (err) == GPG_ERR_CARD_NOT_PRESENT)
+              && no_shadow_info)
+            err = gpg_error (GPG_ERR_NO_SECKEY);
+          else
+            log_error ("smartcard decryption failed: %s\n", gpg_strerror (err));
          goto leave;
        }