mirror of
git://git.gnupg.org/gnupg.git
synced 2025-01-20 14:37:08 +01:00
* minip12.c (parse_bag_encrypted_data): Print error if a bad
passphrase has been given. * gpg-agent.texi (Invoking GPG-AGENT): Add a few words about the expected pinentry filename. * import.c (parse_p12): Write an error status line for bad passphrases. Add new arg CTRL and changed caller. * export.c (export_p12): Likewise.
This commit is contained in:
parent
4604ae8e99
commit
530a0a91c4
3
TODO
3
TODO
@ -86,7 +86,8 @@ might want to have an agent context for each service request
|
|||||||
* doc/
|
* doc/
|
||||||
** Explain how to setup a root CA key as trusted
|
** Explain how to setup a root CA key as trusted
|
||||||
** Explain how trustlist.txt might be managed.
|
** Explain how trustlist.txt might be managed.
|
||||||
|
** Document watchgnupg
|
||||||
|
** Write a script to generate man pages from texi.
|
||||||
|
|
||||||
* Requirements by the BSI
|
* Requirements by the BSI
|
||||||
** Support authorityKeyIdentifier.keyIdentifier
|
** Support authorityKeyIdentifier.keyIdentifier
|
||||||
|
@ -1,3 +1,8 @@
|
|||||||
|
2004-09-29 Werner Koch <wk@g10code.com>
|
||||||
|
|
||||||
|
* minip12.c (parse_bag_encrypted_data): Print error if a bad
|
||||||
|
passphrase has been given.
|
||||||
|
|
||||||
2004-09-28 Werner Koch <wk@g10code.com>
|
2004-09-28 Werner Koch <wk@g10code.com>
|
||||||
|
|
||||||
* protect.c (agent_unprotect): Fixed wiping of CLEARTEXT. Thanks
|
* protect.c (agent_unprotect): Fixed wiping of CLEARTEXT. Thanks
|
||||||
|
@ -379,7 +379,6 @@ crypt_block (unsigned char *buffer, size_t length, char *salt, int iter,
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
parse_bag_encrypted_data (const unsigned char *buffer, size_t length,
|
parse_bag_encrypted_data (const unsigned char *buffer, size_t length,
|
||||||
int startoffset, const char *pw,
|
int startoffset, const char *pw,
|
||||||
@ -393,7 +392,7 @@ parse_bag_encrypted_data (const unsigned char *buffer, size_t length,
|
|||||||
char salt[8];
|
char salt[8];
|
||||||
unsigned int iter;
|
unsigned int iter;
|
||||||
unsigned char *plain = NULL;
|
unsigned char *plain = NULL;
|
||||||
|
int bad_pass = 0;
|
||||||
|
|
||||||
where = "start";
|
where = "start";
|
||||||
if (parse_tag (&p, &n, &ti))
|
if (parse_tag (&p, &n, &ti))
|
||||||
@ -495,12 +494,21 @@ parse_bag_encrypted_data (const unsigned char *buffer, size_t length,
|
|||||||
|
|
||||||
where = "outer.outer.seq";
|
where = "outer.outer.seq";
|
||||||
if (parse_tag (&p, &n, &ti))
|
if (parse_tag (&p, &n, &ti))
|
||||||
|
{
|
||||||
|
bad_pass = 1;
|
||||||
goto bailout;
|
goto bailout;
|
||||||
|
}
|
||||||
if (ti.class || ti.tag != TAG_SEQUENCE)
|
if (ti.class || ti.tag != TAG_SEQUENCE)
|
||||||
|
{
|
||||||
|
bad_pass = 1;
|
||||||
goto bailout;
|
goto bailout;
|
||||||
|
}
|
||||||
|
|
||||||
if (parse_tag (&p, &n, &ti))
|
if (parse_tag (&p, &n, &ti))
|
||||||
|
{
|
||||||
|
bad_pass = 1;
|
||||||
goto bailout;
|
goto bailout;
|
||||||
|
}
|
||||||
|
|
||||||
/* Loop over all certificates inside the bab. */
|
/* Loop over all certificates inside the bab. */
|
||||||
while (n)
|
while (n)
|
||||||
@ -611,6 +619,13 @@ parse_bag_encrypted_data (const unsigned char *buffer, size_t length,
|
|||||||
gcry_free (plain);
|
gcry_free (plain);
|
||||||
log_error ("encryptedData error at \"%s\", offset %u\n",
|
log_error ("encryptedData error at \"%s\", offset %u\n",
|
||||||
where, (p - buffer)+startoffset);
|
where, (p - buffer)+startoffset);
|
||||||
|
if (bad_pass)
|
||||||
|
{
|
||||||
|
/* Note, that the following string might be used by other programs
|
||||||
|
to check for a bad passphrase; it should therefore not be
|
||||||
|
translated or changed. */
|
||||||
|
log_error ("possibly bad passphrase given\n");
|
||||||
|
}
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -882,6 +882,8 @@ export_p12_file (const char *fname)
|
|||||||
release_passphrase (pw);
|
release_passphrase (pw);
|
||||||
if (rc)
|
if (rc)
|
||||||
{
|
{
|
||||||
|
if (opt_status_msg && gpg_err_code (rc) == GPG_ERR_BAD_PASSPHRASE )
|
||||||
|
log_info ("[PROTECT-TOOL:] bad-passphrase\n");
|
||||||
log_error ("unprotecting key `%s' failed: %s\n",
|
log_error ("unprotecting key `%s' failed: %s\n",
|
||||||
fname, gpg_strerror (rc));
|
fname, gpg_strerror (rc));
|
||||||
xfree (key);
|
xfree (key);
|
||||||
|
@ -1,5 +1,8 @@
|
|||||||
2004-09-29 Werner Koch <wk@g10code.com>
|
2004-09-29 Werner Koch <wk@g10code.com>
|
||||||
|
|
||||||
|
* gpg-agent.texi (Invoking GPG-AGENT): Add a few words about the
|
||||||
|
expected pinentry filename.
|
||||||
|
|
||||||
Changed license of the manual stuff to GPL.
|
Changed license of the manual stuff to GPL.
|
||||||
|
|
||||||
* gnupg.texi (Top): New menu item Helper Tools.
|
* gnupg.texi (Top): New menu item Helper Tools.
|
||||||
|
@ -52,9 +52,17 @@ GPG_TTY=`tty`
|
|||||||
export GPG_TTY
|
export GPG_TTY
|
||||||
@end smallexample
|
@end smallexample
|
||||||
|
|
||||||
|
@noindent
|
||||||
It is important that this environment variable always reflects the
|
It is important that this environment variable always reflects the
|
||||||
output of the @code{tty} command.
|
output of the @code{tty} command.
|
||||||
|
|
||||||
|
Please make sure that a proper pinentry program has been installed
|
||||||
|
under the default filename (which is system dependant) or use the
|
||||||
|
option @code{pinentry-pgm} to specify the full name of that program.
|
||||||
|
It is often useful to install a symbolic link from the actual used
|
||||||
|
pinentry (e.g. @file{/usr/bin/pinentry-gtk}) to the expected
|
||||||
|
one (e.g. @file{/usr/bin/pinentry}).
|
||||||
|
|
||||||
@c man end
|
@c man end
|
||||||
|
|
||||||
@noindent
|
@noindent
|
||||||
|
@ -1,3 +1,9 @@
|
|||||||
|
2004-09-29 Werner Koch <wk@g10code.com>
|
||||||
|
|
||||||
|
* import.c (parse_p12): Write an error status line for bad
|
||||||
|
passphrases. Add new arg CTRL and changed caller.
|
||||||
|
* export.c (export_p12): Likewise.
|
||||||
|
|
||||||
2004-09-14 Werner Koch <wk@g10code.com>
|
2004-09-14 Werner Koch <wk@g10code.com>
|
||||||
|
|
||||||
* certchain.c (gpgsm_validate_chain): Give expired certificates a
|
* certchain.c (gpgsm_validate_chain): Give expired certificates a
|
||||||
|
31
sm/export.c
31
sm/export.c
@ -65,7 +65,8 @@ typedef struct duptable_s *duptable_t;
|
|||||||
|
|
||||||
|
|
||||||
static void print_short_info (ksba_cert_t cert, FILE *fp);
|
static void print_short_info (ksba_cert_t cert, FILE *fp);
|
||||||
static gpg_error_t export_p12 (const unsigned char *certimg, size_t certimglen,
|
static gpg_error_t export_p12 (ctrl_t ctrl,
|
||||||
|
const unsigned char *certimg, size_t certimglen,
|
||||||
const char *prompt, const char *keygrip,
|
const char *prompt, const char *keygrip,
|
||||||
FILE **retfp);
|
FILE **retfp);
|
||||||
|
|
||||||
@ -423,7 +424,7 @@ gpgsm_p12_export (ctrl_t ctrl, const char *name, FILE *fp)
|
|||||||
|
|
||||||
|
|
||||||
prompt = gpgsm_format_keydesc (cert);
|
prompt = gpgsm_format_keydesc (cert);
|
||||||
rc = export_p12 (image, imagelen, prompt, keygrip, &datafp);
|
rc = export_p12 (ctrl, image, imagelen, prompt, keygrip, &datafp);
|
||||||
xfree (prompt);
|
xfree (prompt);
|
||||||
if (rc)
|
if (rc)
|
||||||
goto leave;
|
goto leave;
|
||||||
@ -587,6 +588,7 @@ popen_protect_tool (const char *pgmname,
|
|||||||
"--homedir", opt.homedir,
|
"--homedir", opt.homedir,
|
||||||
"--p12-export",
|
"--p12-export",
|
||||||
"--prompt", prompt?prompt:"",
|
"--prompt", prompt?prompt:"",
|
||||||
|
"--enable-status-msg",
|
||||||
"--",
|
"--",
|
||||||
keygrip,
|
keygrip,
|
||||||
NULL);
|
NULL);
|
||||||
@ -610,7 +612,7 @@ popen_protect_tool (const char *pgmname,
|
|||||||
|
|
||||||
|
|
||||||
static gpg_error_t
|
static gpg_error_t
|
||||||
export_p12 (const unsigned char *certimg, size_t certimglen,
|
export_p12 (ctrl_t ctrl, const unsigned char *certimg, size_t certimglen,
|
||||||
const char *prompt, const char *keygrip,
|
const char *prompt, const char *keygrip,
|
||||||
FILE **retfp)
|
FILE **retfp)
|
||||||
{
|
{
|
||||||
@ -621,6 +623,7 @@ export_p12 (const unsigned char *certimg, size_t certimglen,
|
|||||||
FILE *infp = NULL, *outfp = NULL, *fp = NULL;
|
FILE *infp = NULL, *outfp = NULL, *fp = NULL;
|
||||||
char buffer[1024];
|
char buffer[1024];
|
||||||
pid_t pid = -1;
|
pid_t pid = -1;
|
||||||
|
int bad_pass = 0;
|
||||||
|
|
||||||
if (!opt.protect_tool_program || !*opt.protect_tool_program)
|
if (!opt.protect_tool_program || !*opt.protect_tool_program)
|
||||||
pgmname = GNUPG_DEFAULT_PROTECT_TOOL;
|
pgmname = GNUPG_DEFAULT_PROTECT_TOOL;
|
||||||
@ -674,8 +677,22 @@ export_p12 (const unsigned char *certimg, size_t certimglen,
|
|||||||
buffer[pos - (c == '\n')] = 0;
|
buffer[pos - (c == '\n')] = 0;
|
||||||
if (cont_line)
|
if (cont_line)
|
||||||
log_printf ("%s", buffer);
|
log_printf ("%s", buffer);
|
||||||
|
else
|
||||||
|
{
|
||||||
|
if (!strncmp (buffer, "gpg-protect-tool: [PROTECT-TOOL:] ",34))
|
||||||
|
{
|
||||||
|
char *p, *pend;
|
||||||
|
|
||||||
|
p = buffer + 34;
|
||||||
|
pend = strchr (p, ' ');
|
||||||
|
if (pend)
|
||||||
|
*pend = 0;
|
||||||
|
if ( !strcmp (p, "bad-passphrase"))
|
||||||
|
bad_pass++;
|
||||||
|
}
|
||||||
else
|
else
|
||||||
log_info ("%s", buffer);
|
log_info ("%s", buffer);
|
||||||
|
}
|
||||||
pos = 0;
|
pos = 0;
|
||||||
cont_line = (c != '\n');
|
cont_line = (c != '\n');
|
||||||
}
|
}
|
||||||
@ -731,6 +748,14 @@ export_p12 (const unsigned char *certimg, size_t certimglen,
|
|||||||
}
|
}
|
||||||
else
|
else
|
||||||
*retfp = outfp;
|
*retfp = outfp;
|
||||||
|
if (bad_pass)
|
||||||
|
{
|
||||||
|
/* During export this is the passphrase used to unprotect the
|
||||||
|
key and not the pkcs#12 thing as in export. Therefore we can
|
||||||
|
issue the regular passphrase status. FIXME: replace the all
|
||||||
|
zero keyid by a regular one. */
|
||||||
|
gpgsm_status (ctrl, STATUS_BAD_PASSPHRASE, "0000000000000000");
|
||||||
|
}
|
||||||
return err;
|
return err;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
28
sm/import.c
28
sm/import.c
@ -55,7 +55,7 @@ struct stats_s {
|
|||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
static gpg_error_t parse_p12 (ksba_reader_t reader, FILE **retfp,
|
static gpg_error_t parse_p12 (ctrl_t ctrl, ksba_reader_t reader, FILE **retfp,
|
||||||
struct stats_s *stats);
|
struct stats_s *stats);
|
||||||
|
|
||||||
|
|
||||||
@ -341,7 +341,7 @@ import_one (CTRL ctrl, struct stats_s *stats, int in_fd)
|
|||||||
Base64Context b64p12rdr;
|
Base64Context b64p12rdr;
|
||||||
ksba_reader_t p12rdr;
|
ksba_reader_t p12rdr;
|
||||||
|
|
||||||
rc = parse_p12 (reader, &certfp, stats);
|
rc = parse_p12 (ctrl, reader, &certfp, stats);
|
||||||
if (!rc)
|
if (!rc)
|
||||||
{
|
{
|
||||||
any = 1;
|
any = 1;
|
||||||
@ -572,13 +572,14 @@ popen_protect_tool (const char *pgmname,
|
|||||||
|
|
||||||
|
|
||||||
/* Assume that the reader is at a pkcs#12 message and try to import
|
/* Assume that the reader is at a pkcs#12 message and try to import
|
||||||
certificates from that stupid format. We will alos store secret
|
certificates from that stupid format. We will also store secret
|
||||||
keys. All of the pkcs#12 parsing and key storing is handled by the
|
keys. All of the pkcs#12 parsing and key storing is handled by the
|
||||||
gpg-protect-tool, we merely have to take care of receiving the
|
gpg-protect-tool, we merely have to take care of receiving the
|
||||||
certificates. On success RETFP returns a temporary file with
|
certificates. On success RETFP returns a temporary file with
|
||||||
certificates. */
|
certificates. */
|
||||||
static gpg_error_t
|
static gpg_error_t
|
||||||
parse_p12 (ksba_reader_t reader, FILE **retfp, struct stats_s *stats)
|
parse_p12 (ctrl_t ctrl, ksba_reader_t reader,
|
||||||
|
FILE **retfp, struct stats_s *stats)
|
||||||
{
|
{
|
||||||
const char *pgmname;
|
const char *pgmname;
|
||||||
gpg_error_t err = 0, child_err = 0;
|
gpg_error_t err = 0, child_err = 0;
|
||||||
@ -588,6 +589,7 @@ parse_p12 (ksba_reader_t reader, FILE **retfp, struct stats_s *stats)
|
|||||||
char buffer[1024];
|
char buffer[1024];
|
||||||
size_t nread;
|
size_t nread;
|
||||||
pid_t pid = -1;
|
pid_t pid = -1;
|
||||||
|
int bad_pass = 0;
|
||||||
|
|
||||||
if (!opt.protect_tool_program || !*opt.protect_tool_program)
|
if (!opt.protect_tool_program || !*opt.protect_tool_program)
|
||||||
pgmname = GNUPG_DEFAULT_PROTECT_TOOL;
|
pgmname = GNUPG_DEFAULT_PROTECT_TOOL;
|
||||||
@ -682,7 +684,12 @@ parse_p12 (ksba_reader_t reader, FILE **retfp, struct stats_s *stats)
|
|||||||
;
|
;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
|
{
|
||||||
log_info ("%s", buffer);
|
log_info ("%s", buffer);
|
||||||
|
if (!strncmp (buffer, "gpg-protect-tool: "
|
||||||
|
"possibly bad passphrase given",46))
|
||||||
|
bad_pass++;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
pos = 0;
|
pos = 0;
|
||||||
cont_line = (c != '\n');
|
cont_line = (c != '\n');
|
||||||
@ -698,6 +705,7 @@ parse_p12 (ksba_reader_t reader, FILE **retfp, struct stats_s *stats)
|
|||||||
log_info ("%s\n", buffer);
|
log_info ("%s\n", buffer);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/* If we found no error in the output of the cild, setup a suitable
|
/* If we found no error in the output of the cild, setup a suitable
|
||||||
error code, which will later be reset if the exit status of the
|
error code, which will later be reset if the exit status of the
|
||||||
child is 0. */
|
child is 0. */
|
||||||
@ -738,5 +746,17 @@ parse_p12 (ksba_reader_t reader, FILE **retfp, struct stats_s *stats)
|
|||||||
}
|
}
|
||||||
else
|
else
|
||||||
*retfp = certfp;
|
*retfp = certfp;
|
||||||
|
|
||||||
|
if (bad_pass)
|
||||||
|
{
|
||||||
|
/* We only write a plain error code and not direct
|
||||||
|
BAD_PASSPHRASE because the pkcs12 parser might issue this
|
||||||
|
message multiple times, BAd_PASSPHRASE in general requires a
|
||||||
|
keyID and parts of the import might actually succeed so that
|
||||||
|
IMPORT_PROBLEM is also not appropriate. */
|
||||||
|
gpgsm_status_with_err_code (ctrl, STATUS_ERROR,
|
||||||
|
"import.parsep12", GPG_ERR_BAD_PASSPHRASE);
|
||||||
|
}
|
||||||
|
|
||||||
return err;
|
return err;
|
||||||
}
|
}
|
||||||
|
Loading…
x
Reference in New Issue
Block a user