1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

agent: Use the sysconfdir for a pattern file.

* agent/genkey.c (do_check_passphrase_pattern): Use make_filename.
This commit is contained in:
Werner Koch 2021-08-20 16:22:05 +02:00
parent db5dc7a91a
commit 5ed8e598fa
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
2 changed files with 35 additions and 5 deletions

View File

@ -25,6 +25,7 @@
#include <string.h> #include <string.h>
#include <ctype.h> #include <ctype.h>
#include <assert.h> #include <assert.h>
#include <unistd.h>
#include "agent.h" #include "agent.h"
#include "../common/i18n.h" #include "../common/i18n.h"
@ -103,6 +104,7 @@ do_check_passphrase_pattern (ctrl_t ctrl, const char *pw, unsigned int flags)
pid_t pid; pid_t pid;
int result, i; int result, i;
const char *pattern; const char *pattern;
char *patternfname;
(void)ctrl; (void)ctrl;
@ -113,11 +115,34 @@ do_check_passphrase_pattern (ctrl_t ctrl, const char *pw, unsigned int flags)
if (!pattern) if (!pattern)
return 1; /* Oops - Assume password should not be used */ return 1; /* Oops - Assume password should not be used */
if (strchr (pattern, '/') || strchr (pattern, '\\')
|| (*pattern == '~' && pattern[1] == '/'))
patternfname = make_absfilename_try (pattern, NULL);
else
patternfname = make_filename_try (gnupg_sysconfdir (), pattern, NULL);
if (!patternfname)
{
log_error ("error making filename from '%s': %s\n",
pattern, gpg_strerror (gpg_error_from_syserror ()));
return 1; /* Do not pass the check. */
}
/* Make debugging a broken config easier by printing a useful error
* message. */
if (gnupg_access (patternfname, F_OK))
{
log_error ("error accessing '%s': %s\n",
patternfname, gpg_strerror (gpg_error_from_syserror ()));
xfree (patternfname);
return 1; /* Do not pass the check. */
}
infp = gnupg_tmpfile (); infp = gnupg_tmpfile ();
if (!infp) if (!infp)
{ {
err = gpg_error_from_syserror (); err = gpg_error_from_syserror ();
log_error (_("error creating temporary file: %s\n"), gpg_strerror (err)); log_error (_("error creating temporary file: %s\n"), gpg_strerror (err));
xfree (patternfname);
return 1; /* Error - assume password should not be used. */ return 1; /* Error - assume password should not be used. */
} }
@ -127,6 +152,7 @@ do_check_passphrase_pattern (ctrl_t ctrl, const char *pw, unsigned int flags)
log_error (_("error writing to temporary file: %s\n"), log_error (_("error writing to temporary file: %s\n"),
gpg_strerror (err)); gpg_strerror (err));
fclose (infp); fclose (infp);
xfree (patternfname);
return 1; /* Error - assume password should not be used. */ return 1; /* Error - assume password should not be used. */
} }
fseek (infp, 0, SEEK_SET); fseek (infp, 0, SEEK_SET);
@ -135,7 +161,7 @@ do_check_passphrase_pattern (ctrl_t ctrl, const char *pw, unsigned int flags)
i = 0; i = 0;
argv[i++] = "--null"; argv[i++] = "--null";
argv[i++] = "--", argv[i++] = "--",
argv[i++] = pattern, argv[i++] = patternfname,
argv[i] = NULL; argv[i] = NULL;
assert (i < sizeof argv); assert (i < sizeof argv);
@ -154,6 +180,8 @@ do_check_passphrase_pattern (ctrl_t ctrl, const char *pw, unsigned int flags)
putc ('\xff', infp); putc ('\xff', infp);
fflush (infp); fflush (infp);
fclose (infp); fclose (infp);
xfree (patternfname);
return result; return result;
} }

View File

@ -453,10 +453,12 @@ to 1.
@opindex check-sym-passphrase-pattern @opindex check-sym-passphrase-pattern
Check the passphrase against the pattern given in @var{file}. When Check the passphrase against the pattern given in @var{file}. When
entering a new passphrase matching one of these pattern a warning will entering a new passphrase matching one of these pattern a warning will
be displayed. @var{file} should be an absolute filename. The default be displayed. If @var{file} does not contain any slashes and does not
is not to use any pattern file. The second version of this option is start with "~/" it is searched in the system configuration directory
only used when creating a new symmetric key to allow the use of (@file{@value{SYSCONFDIR}}). The default is not to use any
different patterns for such passphrases. pattern file. The second version of this option is only used when
creating a new symmetric key to allow the use of different patterns
for such passphrases.
Security note: It is known that checking a passphrase against a list of Security note: It is known that checking a passphrase against a list of
pattern or even against a complete dictionary is not very effective to pattern or even against a complete dictionary is not very effective to