gpg: Fix leftover unprotected card backup key.

* agent/command.c (cmd_learn): Add option --reallyforce. * agent/findkey.c (agent_write_private_key): Implement reallyforce. Also add arg reallyforce and pass it along the call chain. * g10/call-agent.c (agent_scd_learn): Pass --reallyforce with a special force value. * g10/keygen.c (card_store_key_with_backup): Use that force value. -- This was a regression in 2.2.42. We took the easy path to fix it by getting the behaviour back to what we did prior to 2.2.42. With GnuPG 2.4.4 we use an entire different and safer approach by introducing an ephemeral private key store. GnuPG-bug-id: 6944
2025-07-03 22:56:33 +02:00 · 2024-01-24 11:29:24 +01:00 · 2024-01-24 11:29:24 +01:00 · 3b69d8bf71
commit 3b69d8bf71
parent 9938e8d3f4
10 changed files with 51 additions and 27 deletions
--- a/agent/findkey.c
+++ b/agent/findkey.c
@ -82,7 +82,8 @@ fname_from_keygrip (const unsigned char *grip, int for_new)
 * recorded as creation date.  */
 int
 agent_write_private_key (const unsigned char *grip,
-                         const void *buffer, size_t length, int force,
+                         const void *buffer, size_t length,
+                         int force, int reallyforce,
                         const char *serialno, const char *keyref,
                         const char *dispserialno,
                         time_t timestamp)
@ -165,10 +166,13 @@ agent_write_private_key (const unsigned char *grip,
  /* Check that we do not update a regular key with a shadow key.  */
  if (is_regular && gpg_err_code (is_shadowed_key (key)) == GPG_ERR_TRUE)
    {
-      log_info ("updating regular key file '%s'"
-                " by a shadow key inhibited\n", oldfname);
-      err = 0;  /* Simply ignore the error.  */
-      goto leave;
+      if (!reallyforce)
+        {
+          log_info ("updating regular key file '%s'"
+                    " by a shadow key inhibited\n", oldfname);
+          err = 0;  /* Simply ignore the error.  */
+          goto leave;
+        }
    }
  /* Check that we update a regular key only in force mode.  */
  if (is_regular && !force)
@ -1704,12 +1708,13 @@ agent_delete_key (ctrl_t ctrl, const char *desc_text,
 * Shadow key is created by an S-expression public key in PKBUF and
 * card's SERIALNO and the IDSTRING.  With FORCE passed as true an
 * existing key with the given GRIP will get overwritten. If
- * DISPSERIALNO is not NULL the human readable s/n will also be
- * recorded in the key file.   */
+ * REALLYFORCE is also true, even a private key will be overwritten by
+ * a shadown key.  If DISPSERIALNO is not NULL the human readable s/n
+ * will also be recorded in the key file.  */
 gpg_error_t
 agent_write_shadow_key (const unsigned char *grip,
                        const char *serialno, const char *keyid,
-                        const unsigned char *pkbuf, int force,
+                        const unsigned char *pkbuf, int force, int reallyforce,
                        const char *dispserialno)
 {
  gpg_error_t err;
@ -1737,7 +1742,7 @@ agent_write_shadow_key (const unsigned char *grip,
    }

  len = gcry_sexp_canon_len (shdkey, 0, NULL, NULL);
-  err = agent_write_private_key (grip, shdkey, len, force,
+  err = agent_write_private_key (grip, shdkey, len, force, reallyforce,
                                 serialno, keyid, dispserialno, 0);
  xfree (shdkey);
  if (err)