mirror of
git://git.gnupg.org/gnupg.git
synced 2025-01-18 14:17:03 +01:00
gpg: Fix leftover unprotected card backup key.
* agent/command.c (cmd_learn): Add option --reallyforce. * agent/findkey.c (agent_write_private_key): Implement reallyforce. Also add arg reallyforce and pass it along the call chain. * g10/call-agent.c (agent_scd_learn): Pass --reallyforce with a special force value. * g10/keygen.c (card_store_key_with_backup): Use that force value. -- This was a regression in 2.2.42. We took the easy path to fix it by getting the behaviour back to what we did prior to 2.2.42. With GnuPG 2.4.4 we use an entire different and safer approach by introducing an ephemeral private key store. GnuPG-bug-id: 6944
This commit is contained in:
parent
9938e8d3f4
commit
3b69d8bf71
@ -422,7 +422,8 @@ void start_command_handler_ssh (ctrl_t, gnupg_fd_t);
|
|||||||
gpg_error_t agent_modify_description (const char *in, const char *comment,
|
gpg_error_t agent_modify_description (const char *in, const char *comment,
|
||||||
const gcry_sexp_t key, char **result);
|
const gcry_sexp_t key, char **result);
|
||||||
int agent_write_private_key (const unsigned char *grip,
|
int agent_write_private_key (const unsigned char *grip,
|
||||||
const void *buffer, size_t length, int force,
|
const void *buffer, size_t length,
|
||||||
|
int force, int reallyforce,
|
||||||
const char *serialno, const char *keyref,
|
const char *serialno, const char *keyref,
|
||||||
const char *dispserialno, time_t timestamp);
|
const char *dispserialno, time_t timestamp);
|
||||||
gpg_error_t agent_key_from_file (ctrl_t ctrl,
|
gpg_error_t agent_key_from_file (ctrl_t ctrl,
|
||||||
@ -548,6 +549,7 @@ gpg_error_t s2k_hash_passphrase (const char *passphrase, int hashalgo,
|
|||||||
gpg_error_t agent_write_shadow_key (const unsigned char *grip,
|
gpg_error_t agent_write_shadow_key (const unsigned char *grip,
|
||||||
const char *serialno, const char *keyid,
|
const char *serialno, const char *keyid,
|
||||||
const unsigned char *pkbuf, int force,
|
const unsigned char *pkbuf, int force,
|
||||||
|
int reallyforce,
|
||||||
const char *dispserialno);
|
const char *dispserialno);
|
||||||
|
|
||||||
|
|
||||||
@ -628,7 +630,8 @@ void agent_card_killscd (void);
|
|||||||
|
|
||||||
|
|
||||||
/*-- learncard.c --*/
|
/*-- learncard.c --*/
|
||||||
int agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, int force);
|
int agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context,
|
||||||
|
int force, int reallyforce);
|
||||||
|
|
||||||
|
|
||||||
/*-- cvt-openpgp.c --*/
|
/*-- cvt-openpgp.c --*/
|
||||||
|
@ -2499,7 +2499,7 @@ card_key_available (ctrl_t ctrl, gcry_sexp_t *r_pk, char **cardsn)
|
|||||||
|
|
||||||
/* (Shadow)-key is not available in our key storage. */
|
/* (Shadow)-key is not available in our key storage. */
|
||||||
agent_card_getattr (ctrl, "$DISPSERIALNO", &dispserialno);
|
agent_card_getattr (ctrl, "$DISPSERIALNO", &dispserialno);
|
||||||
err = agent_write_shadow_key (grip, serialno, authkeyid, pkbuf, 0,
|
err = agent_write_shadow_key (grip, serialno, authkeyid, pkbuf, 0, 0,
|
||||||
dispserialno);
|
dispserialno);
|
||||||
xfree (dispserialno);
|
xfree (dispserialno);
|
||||||
if (err)
|
if (err)
|
||||||
@ -3159,7 +3159,7 @@ ssh_identity_register (ctrl_t ctrl, ssh_key_type_spec_t *spec,
|
|||||||
|
|
||||||
/* Store this key to our key storage. We do not store a creation
|
/* Store this key to our key storage. We do not store a creation
|
||||||
* timestamp because we simply do not know. */
|
* timestamp because we simply do not know. */
|
||||||
err = agent_write_private_key (key_grip_raw, buffer, buffer_n, 0,
|
err = agent_write_private_key (key_grip_raw, buffer, buffer_n, 0, 0,
|
||||||
NULL, NULL, NULL, 0);
|
NULL, NULL, NULL, 0);
|
||||||
if (err)
|
if (err)
|
||||||
goto out;
|
goto out;
|
||||||
|
@ -1042,7 +1042,7 @@ cmd_readkey (assuan_context_t ctx, char *line)
|
|||||||
/* Shadow-key is or is not available in our key storage. In
|
/* Shadow-key is or is not available in our key storage. In
|
||||||
* any case we need to check whether we need to update with
|
* any case we need to check whether we need to update with
|
||||||
* a new display-s/n or whatever. */
|
* a new display-s/n or whatever. */
|
||||||
rc = agent_write_shadow_key (grip, serialno, keyid, pkbuf, 0,
|
rc = agent_write_shadow_key (grip, serialno, keyid, pkbuf, 0, 0,
|
||||||
dispserialno);
|
dispserialno);
|
||||||
if (rc)
|
if (rc)
|
||||||
goto leave;
|
goto leave;
|
||||||
@ -1855,16 +1855,18 @@ cmd_learn (assuan_context_t ctx, char *line)
|
|||||||
{
|
{
|
||||||
ctrl_t ctrl = assuan_get_pointer (ctx);
|
ctrl_t ctrl = assuan_get_pointer (ctx);
|
||||||
gpg_error_t err;
|
gpg_error_t err;
|
||||||
int send, sendinfo, force;
|
int send, sendinfo, force, reallyforce;
|
||||||
|
|
||||||
send = has_option (line, "--send");
|
send = has_option (line, "--send");
|
||||||
sendinfo = send? 1 : has_option (line, "--sendinfo");
|
sendinfo = send? 1 : has_option (line, "--sendinfo");
|
||||||
force = has_option (line, "--force");
|
force = has_option (line, "--force");
|
||||||
|
reallyforce = has_option (line, "--reallyforce");
|
||||||
|
|
||||||
if (ctrl->restricted)
|
if (ctrl->restricted)
|
||||||
return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN));
|
return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN));
|
||||||
|
|
||||||
err = agent_handle_learn (ctrl, send, sendinfo? ctx : NULL, force);
|
err = agent_handle_learn (ctrl, send, sendinfo? ctx : NULL,
|
||||||
|
force, reallyforce);
|
||||||
return leave_cmd (ctx, err);
|
return leave_cmd (ctx, err);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2427,11 +2429,11 @@ cmd_import_key (assuan_context_t ctx, char *line)
|
|||||||
err = agent_protect (key, passphrase, &finalkey, &finalkeylen,
|
err = agent_protect (key, passphrase, &finalkey, &finalkeylen,
|
||||||
ctrl->s2k_count);
|
ctrl->s2k_count);
|
||||||
if (!err)
|
if (!err)
|
||||||
err = agent_write_private_key (grip, finalkey, finalkeylen, force,
|
err = agent_write_private_key (grip, finalkey, finalkeylen, force, 0,
|
||||||
NULL, NULL, NULL, opt_timestamp);
|
NULL, NULL, NULL, opt_timestamp);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
err = agent_write_private_key (grip, key, realkeylen, force,
|
err = agent_write_private_key (grip, key, realkeylen, force, 0,
|
||||||
NULL, NULL, NULL, opt_timestamp);
|
NULL, NULL, NULL, opt_timestamp);
|
||||||
|
|
||||||
leave:
|
leave:
|
||||||
|
@ -1070,7 +1070,7 @@ convert_from_openpgp_native (ctrl_t ctrl,
|
|||||||
&protectedkey, &protectedkeylen,
|
&protectedkey, &protectedkeylen,
|
||||||
ctrl->s2k_count))
|
ctrl->s2k_count))
|
||||||
agent_write_private_key (grip, protectedkey, protectedkeylen,
|
agent_write_private_key (grip, protectedkey, protectedkeylen,
|
||||||
1/*force*/, NULL, NULL, NULL, 0);
|
1/*force*/, 0, NULL, NULL, NULL, 0);
|
||||||
xfree (protectedkey);
|
xfree (protectedkey);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
@ -1079,7 +1079,7 @@ convert_from_openpgp_native (ctrl_t ctrl,
|
|||||||
agent_write_private_key (grip,
|
agent_write_private_key (grip,
|
||||||
*r_key,
|
*r_key,
|
||||||
gcry_sexp_canon_len (*r_key, 0, NULL,NULL),
|
gcry_sexp_canon_len (*r_key, 0, NULL,NULL),
|
||||||
1/*force*/, NULL, NULL, NULL, 0);
|
1/*force*/, 0, NULL, NULL, NULL, 0);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -82,7 +82,8 @@ fname_from_keygrip (const unsigned char *grip, int for_new)
|
|||||||
* recorded as creation date. */
|
* recorded as creation date. */
|
||||||
int
|
int
|
||||||
agent_write_private_key (const unsigned char *grip,
|
agent_write_private_key (const unsigned char *grip,
|
||||||
const void *buffer, size_t length, int force,
|
const void *buffer, size_t length,
|
||||||
|
int force, int reallyforce,
|
||||||
const char *serialno, const char *keyref,
|
const char *serialno, const char *keyref,
|
||||||
const char *dispserialno,
|
const char *dispserialno,
|
||||||
time_t timestamp)
|
time_t timestamp)
|
||||||
@ -165,10 +166,13 @@ agent_write_private_key (const unsigned char *grip,
|
|||||||
/* Check that we do not update a regular key with a shadow key. */
|
/* Check that we do not update a regular key with a shadow key. */
|
||||||
if (is_regular && gpg_err_code (is_shadowed_key (key)) == GPG_ERR_TRUE)
|
if (is_regular && gpg_err_code (is_shadowed_key (key)) == GPG_ERR_TRUE)
|
||||||
{
|
{
|
||||||
log_info ("updating regular key file '%s'"
|
if (!reallyforce)
|
||||||
" by a shadow key inhibited\n", oldfname);
|
{
|
||||||
err = 0; /* Simply ignore the error. */
|
log_info ("updating regular key file '%s'"
|
||||||
goto leave;
|
" by a shadow key inhibited\n", oldfname);
|
||||||
|
err = 0; /* Simply ignore the error. */
|
||||||
|
goto leave;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
/* Check that we update a regular key only in force mode. */
|
/* Check that we update a regular key only in force mode. */
|
||||||
if (is_regular && !force)
|
if (is_regular && !force)
|
||||||
@ -1704,12 +1708,13 @@ agent_delete_key (ctrl_t ctrl, const char *desc_text,
|
|||||||
* Shadow key is created by an S-expression public key in PKBUF and
|
* Shadow key is created by an S-expression public key in PKBUF and
|
||||||
* card's SERIALNO and the IDSTRING. With FORCE passed as true an
|
* card's SERIALNO and the IDSTRING. With FORCE passed as true an
|
||||||
* existing key with the given GRIP will get overwritten. If
|
* existing key with the given GRIP will get overwritten. If
|
||||||
* DISPSERIALNO is not NULL the human readable s/n will also be
|
* REALLYFORCE is also true, even a private key will be overwritten by
|
||||||
* recorded in the key file. */
|
* a shadown key. If DISPSERIALNO is not NULL the human readable s/n
|
||||||
|
* will also be recorded in the key file. */
|
||||||
gpg_error_t
|
gpg_error_t
|
||||||
agent_write_shadow_key (const unsigned char *grip,
|
agent_write_shadow_key (const unsigned char *grip,
|
||||||
const char *serialno, const char *keyid,
|
const char *serialno, const char *keyid,
|
||||||
const unsigned char *pkbuf, int force,
|
const unsigned char *pkbuf, int force, int reallyforce,
|
||||||
const char *dispserialno)
|
const char *dispserialno)
|
||||||
{
|
{
|
||||||
gpg_error_t err;
|
gpg_error_t err;
|
||||||
@ -1737,7 +1742,7 @@ agent_write_shadow_key (const unsigned char *grip,
|
|||||||
}
|
}
|
||||||
|
|
||||||
len = gcry_sexp_canon_len (shdkey, 0, NULL, NULL);
|
len = gcry_sexp_canon_len (shdkey, 0, NULL, NULL);
|
||||||
err = agent_write_private_key (grip, shdkey, len, force,
|
err = agent_write_private_key (grip, shdkey, len, force, reallyforce,
|
||||||
serialno, keyid, dispserialno, 0);
|
serialno, keyid, dispserialno, 0);
|
||||||
xfree (shdkey);
|
xfree (shdkey);
|
||||||
if (err)
|
if (err)
|
||||||
|
@ -69,7 +69,7 @@ store_key (gcry_sexp_t private, const char *passphrase, int force,
|
|||||||
buf = p;
|
buf = p;
|
||||||
}
|
}
|
||||||
|
|
||||||
rc = agent_write_private_key (grip, buf, len, force,
|
rc = agent_write_private_key (grip, buf, len, force, 0,
|
||||||
NULL, NULL, NULL, timestamp);
|
NULL, NULL, NULL, timestamp);
|
||||||
xfree (buf);
|
xfree (buf);
|
||||||
return rc;
|
return rc;
|
||||||
|
@ -297,9 +297,12 @@ send_cert_back (ctrl_t ctrl, const char *id, void *assuan_context)
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Perform the learn operation. If ASSUAN_CONTEXT is not NULL and
|
/* Perform the learn operation. If ASSUAN_CONTEXT is not NULL and
|
||||||
SEND is true all new certificates are send back via Assuan. */
|
SEND is true all new certificates are send back via Assuan. If
|
||||||
|
REALLYFORCE is true a private key will be overwritten by a stub
|
||||||
|
key. */
|
||||||
int
|
int
|
||||||
agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, int force)
|
agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context,
|
||||||
|
int force, int reallyforce)
|
||||||
{
|
{
|
||||||
int rc;
|
int rc;
|
||||||
struct kpinfo_cb_parm_s parm;
|
struct kpinfo_cb_parm_s parm;
|
||||||
@ -414,7 +417,7 @@ agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, int force)
|
|||||||
|
|
||||||
agent_card_getattr (ctrl, "$DISPSERIALNO", &dispserialno);
|
agent_card_getattr (ctrl, "$DISPSERIALNO", &dispserialno);
|
||||||
rc = agent_write_shadow_key (grip, serialno, item->id, pubkey,
|
rc = agent_write_shadow_key (grip, serialno, item->id, pubkey,
|
||||||
force, dispserialno);
|
force, reallyforce, dispserialno);
|
||||||
xfree (dispserialno);
|
xfree (dispserialno);
|
||||||
}
|
}
|
||||||
xfree (pubkey);
|
xfree (pubkey);
|
||||||
|
@ -807,13 +807,15 @@ agent_askpin (ctrl_t ctrl,
|
|||||||
* to stdout. */
|
* to stdout. */
|
||||||
int
|
int
|
||||||
agent_write_private_key (const unsigned char *grip,
|
agent_write_private_key (const unsigned char *grip,
|
||||||
const void *buffer, size_t length, int force,
|
const void *buffer, size_t length,
|
||||||
|
int force, int reallyforce,
|
||||||
const char *serialno, const char *keyref,
|
const char *serialno, const char *keyref,
|
||||||
const char *dispserialno, time_t timestamp)
|
const char *dispserialno, time_t timestamp)
|
||||||
{
|
{
|
||||||
char hexgrip[40+4+1];
|
char hexgrip[40+4+1];
|
||||||
char *p;
|
char *p;
|
||||||
|
|
||||||
|
(void)reallyforce;
|
||||||
(void)force;
|
(void)force;
|
||||||
(void)timestamp;
|
(void)timestamp;
|
||||||
(void)serialno;
|
(void)serialno;
|
||||||
|
@ -745,6 +745,11 @@ learn_status_cb (void *opaque, const char *line)
|
|||||||
* card-util.c
|
* card-util.c
|
||||||
* keyedit_menu
|
* keyedit_menu
|
||||||
* card_store_key_with_backup (Woth force to remove secret key data)
|
* card_store_key_with_backup (Woth force to remove secret key data)
|
||||||
|
*
|
||||||
|
* If force has the value 2 the --reallyforce option is also used.
|
||||||
|
* This is to make sure the sshadow key overwrites the private key.
|
||||||
|
* Note that this option is gnupg 2.2 specific because since 2.4.4 an
|
||||||
|
* ephemeral private key store is used instead.
|
||||||
*/
|
*/
|
||||||
int
|
int
|
||||||
agent_scd_learn (struct agent_card_info_s *info, int force)
|
agent_scd_learn (struct agent_card_info_s *info, int force)
|
||||||
@ -764,6 +769,7 @@ agent_scd_learn (struct agent_card_info_s *info, int force)
|
|||||||
|
|
||||||
parm.ctx = agent_ctx;
|
parm.ctx = agent_ctx;
|
||||||
rc = assuan_transact (agent_ctx,
|
rc = assuan_transact (agent_ctx,
|
||||||
|
force == 2? "LEARN --sendinfo --force --reallyforce" :
|
||||||
force ? "LEARN --sendinfo --force" : "LEARN --sendinfo",
|
force ? "LEARN --sendinfo --force" : "LEARN --sendinfo",
|
||||||
dummy_data_cb, NULL, default_inq_cb, &parm,
|
dummy_data_cb, NULL, default_inq_cb, &parm,
|
||||||
learn_status_cb, info);
|
learn_status_cb, info);
|
||||||
|
@ -5201,8 +5201,11 @@ card_store_key_with_backup (ctrl_t ctrl, PKT_public_key *sub_psk,
|
|||||||
if (err)
|
if (err)
|
||||||
log_error ("writing card key to backup file: %s\n", gpg_strerror (err));
|
log_error ("writing card key to backup file: %s\n", gpg_strerror (err));
|
||||||
else
|
else
|
||||||
/* Remove secret key data in agent side. */
|
{
|
||||||
agent_scd_learn (NULL, 1);
|
/* Remove secret key data in agent side. We use force 2 here to
|
||||||
|
* allow overwriting of the temporary private key. */
|
||||||
|
agent_scd_learn (NULL, 2);
|
||||||
|
}
|
||||||
|
|
||||||
leave:
|
leave:
|
||||||
xfree (ecdh_param_str);
|
xfree (ecdh_param_str);
|
||||||
|
Loading…
x
Reference in New Issue
Block a user