security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-01-03 12:11:33 +01:00
Code Activity

gpgsm: Add command option "offline".

Browse Source 
* sm/server.c (option_handler): Add "offline".
(cmd_getinfo): Ditto.
* sm/certchain.c (is_cert_still_valid):
(do_validate_chain):
* sm/gpgsm.c (gpgsm_init_default_ctrl): Default "offline" to the value
of --disable-dirmngr.
* sm/call-dirmngr.c (start_dirmngr_ext): Better also check for
ctrl->offline.
--

Adding this option makes it easier to implement the corresponding
feature in gpgme.

Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2015-06-29 11:03:58 +02:00
parent d2fdf2e1b6
commit 2c9c46e2a2
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
6 changed files with 151 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

130
doc/gpgsm.texi
View File

@ -462,6 +462,7 @@ will not have on your local keybox), the operator can tell both your IP
address and the time when you verified the signature.
@anchor{gpgsm-option --validation-model}
@item --validation-model @var{name}
@opindex validation-model
This option changes the default validation model. The only possible
@ -554,6 +555,7 @@ may be given (@pxref{how-to-specify-a-user-id}).
Write output to @var{file}. The default is to write it to stdout.
@anchor{gpgsm-option --with-key-data}
@item --with-key-data
@opindex with-key-data
Displays extra information with the @code{--list-keys} commands. Especially
@ -561,6 +563,7 @@ a line tagged @code{grp} is printed which tells you the keygrip of a
key. This string is for example used as the file name of the
secret key.
@anchor{gpgsm-option --with-validation}
@item --with-validation
@opindex with-validation
When doing a key listing, do a full validation check for each key and
@ -1152,7 +1155,9 @@ Assuan manual for details.
* GPGSM EXPORT:: Export certificates.
* GPGSM IMPORT:: Import certificates.
* GPGSM DELETE:: Delete certificates.
* GPGSM GETAUDITLOG:: Retrieve an audit log.
* GPGSM GETINFO:: Information about the process
* GPGSM OPTION:: Session options.
@end menu
@ -1342,6 +1347,7 @@ may be issued as a progress indicator.
@node GPGSM LISTKEYS
@subsection List available keys
@anchor{gpgsm-cmd listkeys}
To list the keys in the internal database or using an external key
provider, the command:
@ -1441,6 +1447,23 @@ this requires that the usual escape quoting rules are done.
The certificates must be specified unambiguously otherwise an error is
returned.
@node GPGSM GETAUDITLOG
@subsection Retrieve an audit log.
@anchor{gpgsm-cmd getauditlog}
This command is used to retrieve an audit log.
@example
GETAUDITLOG [--data] [--html]
@end example
If @option{--data} is used, the audit log is send using D-lines
instead of being sent to the file descriptor given by an OUTPUT
command. If @option{--html} is used, the output is formated as an
XHTML block. This is designed to be incorporated into a HTML
document.
@node GPGSM GETINFO
@subsection Return information about the process
@ -1457,10 +1480,113 @@ Return the version of the program.
@item pid
Return the process id of the process.
@item agent-check
Return success if the agent is running.
Return OK if the agent is running.
@item cmd_has_option @var{cmd} @var{opt}
Return success if the command @var{cmd} implements the option @var{opt}.
Return OK if the command @var{cmd} implements the option @var{opt}.
The leading two dashes usually used with @var{opt} shall not be given.
@item offline
Return OK if the connection is in offline mode. This may be either
due to a @code{OPTION offline=1} or due to @command{gpgsm} being
started with option @option{--disable-dirmngr}.
@end table
@node GPGSM OPTION
@subsection Session options.
The standard Assuan option handler supports these options.
@example
OPTION @var{name}[=@var{value}]
@end example
These @var{name}s are recognized:
@table @code
@item putenv
Change the session's environment to be passed via gpg-agent to
Pinentry. @var{value} is a string of the form
@code{<KEY>[=[<STRING>]]}. If only @code{<KEY>} is given the
environment variable @code{<KEY>} is removed from the session
environment, if @code{<KEY>=} is given that environment variable is
set to the empty string, and if @code{<STRING>} is given it is set to
that string.
@item display
Set the session environment variable @code{DISPLAY} is set to @var{value}.
@item ttyname
Set the session environment variable @code{GPG_TTY} is set to @var{value}.
@item ttytype
Set the session environment variable @code{TERM} is set to @var{value}.
@item lc-ctype
Set the session environment variable @code{LC_CTYPE} is set to @var{value}.
@item lc-messages
Set the session environment variable @code{LC_MESSAGES} is set to @var{value}.
@item xauthority
Set the session environment variable @code{XAUTHORITY} is set to @var{value}.
@item pinentry-user-data
Set the session environment variable @code{PINENTRY_USER_DATA} is set
to @var{value}.
@item include-certs
This option overrides the command line option
@option{--include-certs}. A @var{value} of -2 includes all
certificates except for the root certificate, -1 includes all
certicates, 0 does not include any certicates, 1 includes only the
signers certicate and all other positive values include up to
@var{value} certificates starting with the signer cert.
@item list-mode
@xref{gpgsm-cmd listkeys}.
@item list-to-output
If @var{value} is true the output of the list commands
(@pxref{gpgsm-cmd listkeys}) is written to the file descriptor set
with the last OUTPUT command. If @var{value} is false the output is
written via data lines; this is the default.
@item with-validation
If @var{value} is true for each listed certificate the validation
status is printed. This may result in the download of a CRL or the
user being asked about the trustworthiness of a root certificate. The
default is given by a command line option (@pxref{gpgsm-option
--with-validation}).
@item with-secret
If @var{value} is true certificates with a corresponding private key
are marked by the list commands.
@item validation-model
This option overrides the command line option
@option{validation-model} for the session.
(@pxref{gpgsm-option --validation-model}.)
@item with-key-data
This option globally enables the command line option
@option{--with-key-data}. (@pxref{gpgsm-option --with-key-data}.)
@item enable-audit-log
If @var{value} is true data to write an audit log is gathered.
(@pxref{gpgsm-cmd getauditlog}.)
@item allow-pinentry-notify
If this option is used notifications about the launch of a Pinentry
are passed back to the client.
@item with-ephemeral-keys
If @var{value} is true ephemeral certificates are included in the
output of the list commands.
@item no-encrypt-to
If this option is used all keys set by the command line option
@option{--encrypt-to} are ignored.
@item offline
If @var{value} is true or @var{value} is not given all network access
is disabled for this session. This is the same as the command line
option @option{--disable-dirmngr}.
@end table
@mansect see also

2
sm/call-dirmngr.c
View File

@ -198,7 +198,7 @@ start_dirmngr_ext (ctrl_t ctrl, assuan_context_t *ctx_r)
gpg_error_t err;
assuan_context_t ctx;
if (opt.disable_dirmngr)
if (opt.disable_dirmngr || ctrl->offline)
return gpg_error (GPG_ERR_NO_DIRMNGR);
if (*ctx_r)

6
sm/certchain.c
View File

@ -957,7 +957,7 @@ is_cert_still_valid (ctrl_t ctrl, int force_ocsp, int lm, estream_t fp,
{
gpg_error_t err;
if (opt.no_crl_check && !ctrl->use_ocsp)
if (ctrl->offline || (opt.no_crl_check && !ctrl->use_ocsp))
{
audit_log_ok (ctrl->audit, AUDIT_CRL_CHECK,
gpg_error (GPG_ERR_NOT_ENABLED));
@ -1749,9 +1749,9 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
if (opt.no_policy_check)
log_info ("policies not checked due to %s option\n",
"--disable-policy-checks");
if (opt.no_crl_check && !ctrl->use_ocsp)
if (ctrl->offline || (opt.no_crl_check && !ctrl->use_ocsp))
log_info ("CRLs not checked due to %s option\n",
"--disable-crl-checks");
ctrl->offline ? "offline" : "--disable-crl-checks");
}
if (!rc)

1
sm/gpgsm.c
View File

@ -2067,6 +2067,7 @@ gpgsm_init_default_ctrl (struct server_control_s *ctrl)
ctrl->include_certs = default_include_certs;
ctrl->use_ocsp = opt.enable_ocsp;
ctrl->validation_model = default_validation_model;
ctrl->offline = opt.disable_dirmngr;
}

1
sm/gpgsm.h
View File

@ -201,6 +201,7 @@ struct server_control_s
int validation_model; /* 0 := standard model (shell),
1 := chain model,
2 := STEED model. */
int offline; /* If true gpgsm won't do any network access. */
};

19
sm/server.c
View File

@ -309,6 +309,16 @@ option_handler (assuan_context_t ctx, const char *key, const char *value)
{
ctrl->server_local->no_encrypt_to = 1;
}
else if (!strcmp (key, "offline"))
{
/* We ignore this option if gpgsm has been started with
--disable-dirmngr (which also sets offline). */
if (!opt.disable_dirmngr)
{
int i = *value? !!atoi (value) : 1;
ctrl->offline = i;
}
}
else
err = gpg_error (GPG_ERR_UNKNOWN_OPTION);
@ -1093,10 +1103,12 @@ static const char hlp_getinfo[] =
" pid - Return the process id of the server.\n"
" agent-check - Return success if the agent is running.\n"
" cmd_has_option CMD OPT\n"
" - Returns OK if the command CMD implements the option OPT.";
" - Returns OK if the command CMD implements the option OPT.\n"
" offline - Returns OK if the conenction is in offline mode.";
static gpg_error_t
cmd_getinfo (assuan_context_t ctx, char *line)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
int rc = 0;
if (!strcmp (line, "version"))
@ -1113,7 +1125,6 @@ cmd_getinfo (assuan_context_t ctx, char *line)
}
else if (!strcmp (line, "agent-check"))
{
ctrl_t ctrl = assuan_get_pointer (ctx);
rc = gpgsm_agent_send_nop (ctrl);
}
else if (!strncmp (line, "cmd_has_option", 14)
@ -1148,6 +1159,10 @@ cmd_getinfo (assuan_context_t ctx, char *line)
}
}
}
else if (!strcmp (line, "offline"))
{
rc = ctrl->offline? 0 : gpg_error (GPG_ERR_GENERAL);
}
else
rc = set_error (GPG_ERR_ASS_PARAMETER, "unknown value for WHAT");