agent: Use the sysconfdir for a pattern file.

* agent/genkey.c (do_check_passphrase_pattern): Use make_filename.
Werner Koch 2021-08-18 19:21:22 +02:00
parent b89b1f35c2
commit 661c2ae966
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
2 changed files with 34 additions and 5 deletions


@ -102,6 +102,7 @@ do_check_passphrase_pattern (ctrl_t ctrl, const char *pw, unsigned int flags)
pid_t pid;
int result, i;
const char *pattern;
char *patternfname;
(void)ctrl;
@ -112,11 +113,34 @@ do_check_passphrase_pattern (ctrl_t ctrl, const char *pw, unsigned int flags)
if (!pattern)
return 1; /* Oops - Assume password should not be used */
if (strchr (pattern, '/') || strchr (pattern, '\\')
|| (*pattern == '~' && pattern[1] == '/'))
patternfname = make_absfilename_try (pattern, NULL);
else
patternfname = make_filename_try (gnupg_sysconfdir (), pattern, NULL);
if (!patternfname)
{
log_error ("error making filename from '%s': %s\n",
pattern, gpg_strerror (gpg_error_from_syserror ()));
return 1; /* Do not pass the check. */
}
/* Make debugging a broken config easier by printing a useful error
* message. */
if (gnupg_access (patternfname, F_OK))
{
log_error ("error accessing '%s': %s\n",
patternfname, gpg_strerror (gpg_error_from_syserror ()));
xfree (patternfname);
return 1; /* Do not pass the check. */
}
infp = gnupg_tmpfile ();
if (!infp)
{
err = gpg_error_from_syserror ();
log_error (_("error creating temporary file: %s\n"), gpg_strerror (err));
xfree (patternfname);
return 1; /* Error - assume password should not be used. */
}
@ -126,6 +150,7 @@ do_check_passphrase_pattern (ctrl_t ctrl, const char *pw, unsigned int flags)
log_error (_("error writing to temporary file: %s\n"),
gpg_strerror (err));
fclose (infp);
xfree (patternfname);
return 1; /* Error - assume password should not be used. */
}
fseek (infp, 0, SEEK_SET);
@ -134,7 +159,7 @@ do_check_passphrase_pattern (ctrl_t ctrl, const char *pw, unsigned int flags)
i = 0;
argv[i++] = "--null";
argv[i++] = "--",
argv[i++] = pattern,
argv[i++] = patternfname,
argv[i] = NULL;
log_assert (i < sizeof argv);
@ -153,6 +178,8 @@ do_check_passphrase_pattern (ctrl_t ctrl, const char *pw, unsigned int flags)
putc ('\xff', infp);
fflush (infp);
fclose (infp);
xfree (patternfname);
return result;
}
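Review bot: The new pre-flight test `if (gnupg_access (patternfname, F_OK))` only proves that the path exists, so a pattern file the agent cannot read still passes it, and the broken configuration the comment wants to surface is left for the helper to trip over. Using `gnupg_access (patternfname, R_OK)` would report that case through the same log_error; the fail-closed `return 1` should stay either way. Separately, the `(*pattern == '~' && pattern[1] == '/')` term can never decide the branch, because `strchr (pattern, '/')` already matches any such string; it could be dropped, or kept with a short comment saying it is there for readability only. The function begins outside the visible hunks and the spawn/wait code between them is not shown, so how a helper failure is reported is inferred.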


@ -434,10 +434,12 @@ to 1.
@opindex check-sym-passphrase-pattern
Check the passphrase against the pattern given in @var{file}. When
entering a new passphrase matching one of these pattern a warning will
be displayed. @var{file} should be an absolute filename. The default
is not to use any pattern file. The second version of this option is
only used when creating a new symmetric key to allow the use of
different patterns for such passphrases.
be displayed. If @var{file} does not contain any slashes and does not
start with "~/" it is searched in the system configuration directory
(@file{@value{SYSCONFDIR}}). The default is not to use any
pattern file. The second version of this option is only used when
creating a new symmetric key to allow the use of different patterns
for such passphrases.
Security note: It is known that checking a passphrase against a list of
pattern or even against a complete dictionary is not very effective to