agent: New option --check-sym-passphrase-pattern.

* agent/gpg-agent.c (oCheckSymPassphrasePattern): New. (opts): Add --check-sym-passphrase-pattern. (parse_rereadable_options): Set option. (main): Return option info. * tools/gpgconf-comp.c: Add new option. * agent/agent.h (opt): Add var check_sym_passphrase_pattern. (struct pin_entry_info_s): Add var constraints_flags. (CHECK_CONSTRAINTS_NOT_EMPTY): New to replace a hardwired 1. (CHECK_CONSTRAINTS_NEW_SYMKEY): New. * agent/genkey.c (check_passphrase_pattern): Rename to ... (do_check_passphrase_pattern): this to make code reading easier. Handle the --check-sym-passphrase-pattern option. (check_passphrase_constraints): Replace arg no_empty by a generic flags arg. Also handle --check-sym-passphrase-pattern here. * agent/command.c (cmd_get_passphrase): In --newsymkey mode pass CHECK_CONSTRAINTS_NEW_SYMKEY flag. * agent/call-pinentry.c (struct entry_parm_s): Add constraints_flags. (struct inq_cb_parm_s): New. (inq_cb): Use new struct for parameter passing. Pass flags to teh constraints checking. (do_getpin): Pass constraints flag down. (agent_askpin): Take constrainst flag from the supplied pinentry struct. -- Requirements for a passphrase to protect a private key and for a passphrase used for symmetric encryption are different. Thus a the use of a different pattern file will be useful. Note that a pattern file can be used to replace the other passphrase constraints options and thus we don't need to duplicate them for symmetric encryption. GnuPG-bug-id: 5517 Signed-off-by: Werner Koch <wk@gnupg.org>
2025-07-02 22:46:30 +02:00 · 2021-08-13 13:42:31 +02:00 · 2021-08-13 13:42:31 +02:00 · 7c45a69eb9
commit 7c45a69eb9
parent 22c5461b4a
7 changed files with 89 additions and 29 deletions
--- a/agent/call-pinentry.c
+++ b/agent/call-pinentry.c
@ -91,6 +91,7 @@ struct entry_parm_s
  size_t size;
  unsigned char *buffer;
  int status;
+  unsigned int constraints_flags;
 };


@ -865,10 +866,17 @@ generate_pin (void)


 /* Handle inquiries. */
+struct inq_cb_parm_s
+{
+  assuan_context_t ctx;
+  unsigned int flags;  /* CHECK_CONSTRAINTS_... */
+};
+
+
 static gpg_error_t
 inq_cb (void *opaque, const char *line)
 {
-  assuan_context_t ctx = opaque;
+  struct inq_cb_parm_s *parm = opaque;
  gpg_error_t err;
  const char *s;
  char *pin;
@ -884,10 +892,10 @@ inq_cb (void *opaque, const char *line)
      else
        {
          percent = estimate_passphrase_quality (pin);
-          if (check_passphrase_constraints (NULL, pin, 0, NULL))
+          if (check_passphrase_constraints (NULL, pin, parm->flags, NULL))
            percent = -percent;
          snprintf (numbuf, sizeof numbuf, "%d", percent);
-          err = assuan_send_data (ctx, numbuf, strlen (numbuf));
+          err = assuan_send_data (parm->ctx, numbuf, strlen (numbuf));
          xfree (pin);
        }
    }
@ -909,14 +917,14 @@ inq_cb (void *opaque, const char *line)
        err = gpg_error_from_syserror ();
      else
        {
-          if (check_passphrase_constraints (NULL, pin, 0, &errtext))
+          if (check_passphrase_constraints (NULL, pin, parm->flags, &errtext))
            {
              if (errtext)
                {
                  /* Unescape the percent-escaped errtext because
                     assuan_send_data escapes it again. */
                  errtextlen = percent_unescape_inplace (errtext, 0);
-                  err = assuan_send_data (ctx, errtext, errtextlen);
+                  err = assuan_send_data (parm->ctx, errtext, errtextlen);
                }
              else
                {
@ -926,7 +934,7 @@ inq_cb (void *opaque, const char *line)
            }
          else
            {
-              err = assuan_send_data (ctx, NULL, 0);
+              err = assuan_send_data (parm->ctx, NULL, 0);
            }
          xfree (errtext);
          xfree (pin);
@ -945,11 +953,11 @@ inq_cb (void *opaque, const char *line)
              err = gpg_error (GPG_ERR_GENERAL);
              goto leave;
            }
-          if (!check_passphrase_constraints (NULL, pin, 0, NULL))
+          if (!check_passphrase_constraints (NULL, pin, parm->flags, NULL))
            {
-              assuan_begin_confidential (ctx);
-              err = assuan_send_data (ctx, pin, strlen (pin));
-              assuan_end_confidential (ctx);
+              assuan_begin_confidential (parm->ctx);
+              err = assuan_send_data (parm->ctx, pin, strlen (pin));
+              assuan_end_confidential (parm->ctx);
              xfree (pin);
              goto leave;
            }
@ -1333,14 +1341,18 @@ do_getpin (ctrl_t ctrl, struct entry_parm_s *parm)
  int saveflag = assuan_get_flag (entry_ctx, ASSUAN_CONFIDENTIAL);
  gnupg_fd_t sock_watched = ctrl->thread_startup.fd;
  npth_t thread;
+  struct inq_cb_parm_s inq_cb_parm;

  rc = watch_sock_start (&sock_watched, &thread);
  if (rc)
    return rc;

+  inq_cb_parm.ctx = entry_ctx;
+  inq_cb_parm.flags = parm->constraints_flags;
+
  assuan_begin_confidential (entry_ctx);
  rc = assuan_transact (entry_ctx, "GETPIN", getpin_cb, parm,
-                        inq_cb, entry_ctx,
+                        inq_cb, &inq_cb_parm,
                        pinentry_status_cb, &parm->status);
  assuan_set_flag (entry_ctx, ASSUAN_CONFIDENTIAL, saveflag);
  /* Most pinentries out in the wild return the old Assuan error code
@ -1493,6 +1505,7 @@ agent_askpin (ctrl_t ctrl,
      parm.size = pininfo->max_length;
      *pininfo->pin = 0; /* Reset the PIN. */
      parm.buffer = (unsigned char*)pininfo->pin;
+      parm.constraints_flags = pininfo->constraints_flags;

      if (errtext)
        {