
gpgsm: Add command option "offline".

* sm/server.c (option_handler): Add "offline".
(cmd_getinfo): Ditto.
* sm/certchain.c (is_cert_still_valid):
(do_validate_chain):
* sm/gpgsm.c (gpgsm_init_default_ctrl): Default "offline" to the value
of --disable-dirmngr.
* sm/call-dirmngr.c (start_dirmngr_ext): Better also check for
ctrl->offline.
--

Adding this option makes it easier to implement the corresponding
feature in gpgme.

Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch 2015-06-29 11:03:58 +02:00
parent d2fdf2e1b6
commit 2c9c46e2a2
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
6 changed files with 151 additions and 8 deletions


@ -462,6 +462,7 @@ will not have on your local keybox), the operator can tell both your IP
address and the time when you verified the signature. address and the time when you verified the signature.
@anchor{gpgsm-option --validation-model}
@item --validation-model @var{name} @item --validation-model @var{name}
@opindex validation-model @opindex validation-model
This option changes the default validation model. The only possible This option changes the default validation model. The only possible
@ -554,6 +555,7 @@ may be given (@pxref{how-to-specify-a-user-id}).
Write output to @var{file}. The default is to write it to stdout. Write output to @var{file}. The default is to write it to stdout.
@anchor{gpgsm-option --with-key-data}
@item --with-key-data @item --with-key-data
@opindex with-key-data @opindex with-key-data
Displays extra information with the @code{--list-keys} commands. Especially Displays extra information with the @code{--list-keys} commands. Especially
@ -561,6 +563,7 @@ a line tagged @code{grp} is printed which tells you the keygrip of a
key. This string is for example used as the file name of the key. This string is for example used as the file name of the
secret key. secret key.
@anchor{gpgsm-option --with-validation}
@item --with-validation @item --with-validation
@opindex with-validation @opindex with-validation
When doing a key listing, do a full validation check for each key and When doing a key listing, do a full validation check for each key and
@ -1152,7 +1155,9 @@ Assuan manual for details.
* GPGSM EXPORT:: Export certificates. * GPGSM EXPORT:: Export certificates.
* GPGSM IMPORT:: Import certificates. * GPGSM IMPORT:: Import certificates.
* GPGSM DELETE:: Delete certificates. * GPGSM DELETE:: Delete certificates.
* GPGSM GETAUDITLOG:: Retrieve an audit log.
* GPGSM GETINFO:: Information about the process * GPGSM GETINFO:: Information about the process
* GPGSM OPTION:: Session options.
@end menu @end menu
@ -1342,6 +1347,7 @@ may be issued as a progress indicator.
@node GPGSM LISTKEYS @node GPGSM LISTKEYS
@subsection List available keys @subsection List available keys
@anchor{gpgsm-cmd listkeys}
To list the keys in the internal database or using an external key To list the keys in the internal database or using an external key
provider, the command: provider, the command:
@ -1441,6 +1447,23 @@ this requires that the usual escape quoting rules are done.
The certificates must be specified unambiguously otherwise an error is The certificates must be specified unambiguously otherwise an error is
returned. returned.
@node GPGSM GETAUDITLOG
@subsection Retrieve an audit log.
@anchor{gpgsm-cmd getauditlog}
This command is used to retrieve an audit log.
@example
GETAUDITLOG [--data] [--html]
@end example
If @option{--data} is used, the audit log is send using D-lines
instead of being sent to the file descriptor given by an OUTPUT
command. If @option{--html} is used, the output is formated as an
XHTML block. This is designed to be incorporated into a HTML
document.
@node GPGSM GETINFO @node GPGSM GETINFO
@subsection Return information about the process @subsection Return information about the process
@ -1457,10 +1480,113 @@ Return the version of the program.
@item pid @item pid
Return the process id of the process. Return the process id of the process.
@item agent-check @item agent-check
Return success if the agent is running. Return OK if the agent is running.
@item cmd_has_option @var{cmd} @var{opt} @item cmd_has_option @var{cmd} @var{opt}
Return success if the command @var{cmd} implements the option @var{opt}. Return OK if the command @var{cmd} implements the option @var{opt}.
The leading two dashes usually used with @var{opt} shall not be given. The leading two dashes usually used with @var{opt} shall not be given.
@item offline
Return OK if the connection is in offline mode. This may be either
due to a @code{OPTION offline=1} or due to @command{gpgsm} being
started with option @option{--disable-dirmngr}.
@end table
@node GPGSM OPTION
@subsection Session options.
The standard Assuan option handler supports these options.
@example
OPTION @var{name}[=@var{value}]
@end example
These @var{name}s are recognized:
@table @code
@item putenv
Change the session's environment to be passed via gpg-agent to
Pinentry. @var{value} is a string of the form
@code{<KEY>[=[<STRING>]]}. If only @code{<KEY>} is given the
environment variable @code{<KEY>} is removed from the session
environment, if @code{<KEY>=} is given that environment variable is
set to the empty string, and if @code{<STRING>} is given it is set to
that string.
@item display
Set the session environment variable @code{DISPLAY} is set to @var{value}.
@item ttyname
Set the session environment variable @code{GPG_TTY} is set to @var{value}.
@item ttytype
Set the session environment variable @code{TERM} is set to @var{value}.
@item lc-ctype
Set the session environment variable @code{LC_CTYPE} is set to @var{value}.
@item lc-messages
Set the session environment variable @code{LC_MESSAGES} is set to @var{value}.
@item xauthority
Set the session environment variable @code{XAUTHORITY} is set to @var{value}.
@item pinentry-user-data
Set the session environment variable @code{PINENTRY_USER_DATA} is set
to @var{value}.
@item include-certs
This option overrides the command line option
@option{--include-certs}. A @var{value} of -2 includes all
certificates except for the root certificate, -1 includes all
certicates, 0 does not include any certicates, 1 includes only the
signers certicate and all other positive values include up to
@var{value} certificates starting with the signer cert.
@item list-mode
@xref{gpgsm-cmd listkeys}.
@item list-to-output
If @var{value} is true the output of the list commands
(@pxref{gpgsm-cmd listkeys}) is written to the file descriptor set
with the last OUTPUT command. If @var{value} is false the output is
written via data lines; this is the default.
@item with-validation
If @var{value} is true for each listed certificate the validation
status is printed. This may result in the download of a CRL or the
user being asked about the trustworthiness of a root certificate. The
default is given by a command line option (@pxref{gpgsm-option
--with-validation}).
@item with-secret
If @var{value} is true certificates with a corresponding private key
are marked by the list commands.
@item validation-model
This option overrides the command line option
@option{validation-model} for the session.
(@pxref{gpgsm-option --validation-model}.)
@item with-key-data
This option globally enables the command line option
@option{--with-key-data}. (@pxref{gpgsm-option --with-key-data}.)
@item enable-audit-log
If @var{value} is true data to write an audit log is gathered.
(@pxref{gpgsm-cmd getauditlog}.)
@item allow-pinentry-notify
If this option is used notifications about the launch of a Pinentry
are passed back to the client.
@item with-ephemeral-keys
If @var{value} is true ephemeral certificates are included in the
output of the list commands.
@item no-encrypt-to
If this option is used all keys set by the command line option
@option{--encrypt-to} are ignored.
@item offline
If @var{value} is true or @var{value} is not given all network access
is disabled for this session. This is the same as the command line
option @option{--disable-dirmngr}.
@end table @end table
@mansect see also @mansect see also


@ -198,7 +198,7 @@ start_dirmngr_ext (ctrl_t ctrl, assuan_context_t *ctx_r)
gpg_error_t err; gpg_error_t err;
assuan_context_t ctx; assuan_context_t ctx;
if (opt.disable_dirmngr) if (opt.disable_dirmngr || ctrl->offline)
return gpg_error (GPG_ERR_NO_DIRMNGR); return gpg_error (GPG_ERR_NO_DIRMNGR);
if (*ctx_r) if (*ctx_r)


@ -957,7 +957,7 @@ is_cert_still_valid (ctrl_t ctrl, int force_ocsp, int lm, estream_t fp,
{ {
gpg_error_t err; gpg_error_t err;
if (opt.no_crl_check && !ctrl->use_ocsp) if (ctrl->offline || (opt.no_crl_check && !ctrl->use_ocsp))
{ {
audit_log_ok (ctrl->audit, AUDIT_CRL_CHECK, audit_log_ok (ctrl->audit, AUDIT_CRL_CHECK,
gpg_error (GPG_ERR_NOT_ENABLED)); gpg_error (GPG_ERR_NOT_ENABLED));
@ -1749,9 +1749,9 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
if (opt.no_policy_check) if (opt.no_policy_check)
log_info ("policies not checked due to %s option\n", log_info ("policies not checked due to %s option\n",
"--disable-policy-checks"); "--disable-policy-checks");
if (opt.no_crl_check && !ctrl->use_ocsp) if (ctrl->offline || (opt.no_crl_check && !ctrl->use_ocsp))
log_info ("CRLs not checked due to %s option\n", log_info ("CRLs not checked due to %s option\n",
"--disable-crl-checks"); ctrl->offline ? "offline" : "--disable-crl-checks");
} }
if (!rc) if (!rc)
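Review bot: With ctrl->offline set, the new condition in is_cert_still_valid skips CRL and OCSP checking entirely and records the outcome only as AUDIT_CRL_CHECK with GPG_ERR_NOT_ENABLED, so a session that merely sends `OPTION offline` gets its chains accepted with revocation status unknown, exactly as under --disable-crl-checks, and nothing in the hunk lets the caller or the audit log tell the two cases apart. That trade-off belongs in a comment at the new condition, e.g. `/* Offline mode implies no revocation checking at all (CRL and OCSP); the chain is accepted with revocation status unknown, the same as under --disable-crl-checks.  */`. The log line in the second hunk also reports "CRLs not checked" even when ctrl->use_ocsp is set and it was OCSP that was skipped, which may be worth rewording if that message is not relied upon elsewhere. Note that is_cert_still_valid's body continues beyond the first hunk and do_validate_chain begins before the second.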


@ -2067,6 +2067,7 @@ gpgsm_init_default_ctrl (struct server_control_s *ctrl)
ctrl->include_certs = default_include_certs; ctrl->include_certs = default_include_certs;
ctrl->use_ocsp = opt.enable_ocsp; ctrl->use_ocsp = opt.enable_ocsp;
ctrl->validation_model = default_validation_model; ctrl->validation_model = default_validation_model;
ctrl->offline = opt.disable_dirmngr;
} }


@ -201,6 +201,7 @@ struct server_control_s
int validation_model; /* 0 := standard model (shell), int validation_model; /* 0 := standard model (shell),
1 := chain model, 1 := chain model,
2 := STEED model. */ 2 := STEED model. */
int offline; /* If true gpgsm won't do any network access. */
}; };


@ -309,6 +309,16 @@ option_handler (assuan_context_t ctx, const char *key, const char *value)
{ {
ctrl->server_local->no_encrypt_to = 1; ctrl->server_local->no_encrypt_to = 1;
} }
else if (!strcmp (key, "offline"))
{
/* We ignore this option if gpgsm has been started with
--disable-dirmngr (which also sets offline). */
if (!opt.disable_dirmngr)
{
int i = *value? !!atoi (value) : 1;
ctrl->offline = i;
}
}
else else
err = gpg_error (GPG_ERR_UNKNOWN_OPTION); err = gpg_error (GPG_ERR_UNKNOWN_OPTION);
@ -1093,10 +1103,12 @@ static const char hlp_getinfo[] =
" pid - Return the process id of the server.\n" " pid - Return the process id of the server.\n"
" agent-check - Return success if the agent is running.\n" " agent-check - Return success if the agent is running.\n"
" cmd_has_option CMD OPT\n" " cmd_has_option CMD OPT\n"
" - Returns OK if the command CMD implements the option OPT."; " - Returns OK if the command CMD implements the option OPT.\n"
" offline - Returns OK if the conenction is in offline mode.";
static gpg_error_t static gpg_error_t
cmd_getinfo (assuan_context_t ctx, char *line) cmd_getinfo (assuan_context_t ctx, char *line)
{ {
ctrl_t ctrl = assuan_get_pointer (ctx);
int rc = 0; int rc = 0;
if (!strcmp (line, "version")) if (!strcmp (line, "version"))
@ -1113,7 +1125,6 @@ cmd_getinfo (assuan_context_t ctx, char *line)
} }
else if (!strcmp (line, "agent-check")) else if (!strcmp (line, "agent-check"))
{ {
ctrl_t ctrl = assuan_get_pointer (ctx);
rc = gpgsm_agent_send_nop (ctrl); rc = gpgsm_agent_send_nop (ctrl);
} }
else if (!strncmp (line, "cmd_has_option", 14) else if (!strncmp (line, "cmd_has_option", 14)
@ -1148,6 +1159,10 @@ cmd_getinfo (assuan_context_t ctx, char *line)
} }
} }
} }
else if (!strcmp (line, "offline"))
{
rc = ctrl->offline? 0 : gpg_error (GPG_ERR_GENERAL);
}
else else
rc = set_error (GPG_ERR_ASS_PARAMETER, "unknown value for WHAT"); rc = set_error (GPG_ERR_ASS_PARAMETER, "unknown value for WHAT");
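Review bot: The new "offline" branch in option_handler parses value with atoi, so any non-numeric value such as `OPTION offline=yes` evaluates to 0 and silently switches offline mode off, the opposite of what the client asked for and a fail-open result for a setting whose whole purpose is to suppress network access. Values that are not an integer should be rejected through `err` (declared above the hunk) so that gpgme sees the mistake rather than a silently different security posture; a strtol-based version is below. Whether the other option branches of this function use the same atoi idiom is not visible here; if they do, aligning at least this security-relevant one is still worthwhile. Separately, the hlp_getinfo string in the second hunk misspells "connection" as `conenction`, and GPG_ERR_GENERAL for "not offline" in cmd_getinfo is coarse but consistent with the boolean-query style of agent-check.

```c
  else if (!strcmp (key, "offline"))
    {
      /* Ignored if gpgsm was started with --disable-dirmngr: that
         already forces offline and a session must not be able to
         undo it.  */
      if (!opt.disable_dirmngr)
        {
          if (!*value)
            ctrl->offline = 1;
          else
            {
              char *endp;
              long v = strtol (value, &endp, 10);

              /* Fail closed: a value we cannot parse is an error, not
                 an implicit "0" that would re-enable network access.  */
              if (endp == value || *endp)
                err = gpg_error (GPG_ERR_INV_VALUE);
              else
                ctrl->offline = !!v;
            }
        }
    }
```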