agent: New option --check-sym-passphrase-pattern.
* agent/gpg-agent.c (oCheckSymPassphrasePattern): New. (opts): Add --check-sym-passphrase-pattern. (parse_rereadable_options): Set option. (main): Return option info. * tools/gpgconf-comp.c: Add new option. * agent/agent.h (opt): Add var check_sym_passphrase_pattern. (struct pin_entry_info_s): Add var constraints_flags. (CHECK_CONSTRAINTS_NOT_EMPTY): New to replace a hardwired 1. (CHECK_CONSTRAINTS_NEW_SYMKEY): New. * agent/genkey.c (check_passphrase_pattern): Rename to ... (do_check_passphrase_pattern): this to make code reading easier. Handle the --check-sym-passphrase-pattern option. (check_passphrase_constraints): Replace arg no_empty by a generic flags arg. Also handle --check-sym-passphrase-pattern here. * agent/command.c (cmd_get_passphrase): In --newsymkey mode pass CHECK_CONSTRAINTS_NEW_SYMKEY flag. * agent/call-pinentry.c (struct entry_parm_s): Add constraints_flags. (struct inq_cb_parm_s): New. (inq_cb): Use new struct for parameter passing. Pass flags to the constraints checking. (do_getpin): Pass constraints flag down. (agent_askpin): Take constraints flag from the supplied pinentry struct. -- Requirements for a passphrase to protect a private key and for a passphrase used for symmetric encryption are different. Thus the use of a different pattern file will be useful. Note that a pattern file can be used to replace the other passphrase constraints options and thus we don't need to duplicate them for symmetric encryption. GnuPG-bug-id: 5517 Signed-off-by: Werner Koch <wk@gnupg.org>
parent
22c5461b4a
commit
7c45a69eb9
7 changed files with 89 additions and 29 deletions
|
@ -89,9 +89,11 @@ nonalpha_count (const char *s)
|
|||
|
||||
|
||||
/* Check PW against a list of pattern. Return 0 if PW does not match
|
||||
these pattern. */
|
||||
these pattern. If CHECK_CONSTRAINTS_NEW_SYMKEY is set in flags and
|
||||
--check-sym-passphrase-pattern has been configured, use the pattern
|
||||
file from that option. */
|
||||
static int
|
||||
check_passphrase_pattern (ctrl_t ctrl, const char *pw)
|
||||
do_check_passphrase_pattern (ctrl_t ctrl, const char *pw, unsigned int flags)
|
||||
{
|
||||
gpg_error_t err = 0;
|
||||
const char *pgmname = gnupg_module_name (GNUPG_MODULE_NAME_CHECK_PATTERN);
|
||||
|
@ -99,9 +101,17 @@ check_passphrase_pattern (ctrl_t ctrl, const char *pw)
|
|||
const char *argv[10];
|
||||
pid_t pid;
|
||||
int result, i;
|
||||
const char *pattern;
|
||||
|
||||
(void)ctrl;
|
||||
|
||||
pattern = opt.check_passphrase_pattern;
|
||||
if ((flags & CHECK_CONSTRAINTS_NEW_SYMKEY)
|
||||
&& opt.check_sym_passphrase_pattern)
|
||||
pattern = opt.check_sym_passphrase_pattern;
|
||||
if (!pattern)
|
||||
return 1; /* Oops - Assume password should not be used */
|
||||
|
||||
infp = gnupg_tmpfile ();
|
||||
if (!infp)
|
||||
{
|
||||
|
@ -124,7 +134,7 @@ check_passphrase_pattern (ctrl_t ctrl, const char *pw)
|
|||
i = 0;
|
||||
argv[i++] = "--null";
|
||||
argv[i++] = "--",
|
||||
argv[i++] = opt.check_passphrase_pattern,
|
||||
argv[i++] = pattern,
|
||||
argv[i] = NULL;
|
||||
log_assert (i < sizeof argv);
|
||||
|
||||
|
@ -156,12 +166,17 @@ take_this_one_anyway (ctrl_t ctrl, const char *desc, const char *anyway_btn)
|
|||
|
||||
|
||||
/* Check whether the passphrase PW is suitable. Returns 0 if the
|
||||
passphrase is suitable and true if it is not and the user should be
|
||||
asked to provide a different one. If FAILED_CONSTRAINT is set, a
|
||||
message describing the problem is returned in
|
||||
*FAILED_CONSTRAINT. */
|
||||
* passphrase is suitable and true if it is not and the user should be
|
||||
* asked to provide a different one. If FAILED_CONSTRAINT is set, a
|
||||
* message describing the problem is returned at FAILED_CONSTRAINT.
|
||||
* The FLAGS are:
|
||||
* CHECK_CONSTRAINTS_NOT_EMPTY
|
||||
* Do not allow an empty passphrase
|
||||
* CHECK_CONSTRAINTS_NEW_SYMKEY
|
||||
* Hint that the passphrase is used for a new symmetric key.
|
||||
*/
|
||||
int
|
||||
check_passphrase_constraints (ctrl_t ctrl, const char *pw, int no_empty,
|
||||
check_passphrase_constraints (ctrl_t ctrl, const char *pw, unsigned int flags,
|
||||
char **failed_constraint)
|
||||
{
|
||||
gpg_error_t err = 0;
|
||||
|
@ -170,6 +185,7 @@ check_passphrase_constraints (ctrl_t ctrl, const char *pw, int no_empty,
|
|||
char *msg1 = NULL;
|
||||
char *msg2 = NULL;
|
||||
char *msg3 = NULL;
|
||||
int no_empty = !!(flags & CHECK_CONSTRAINTS_NOT_EMPTY);
|
||||
|
||||
if (ctrl && ctrl->pinentry_mode == PINENTRY_MODE_LOOPBACK)
|
||||
return 0;
|
||||
|
@ -247,8 +263,9 @@ check_passphrase_constraints (ctrl_t ctrl, const char *pw, int no_empty,
|
|||
and pattern. The actual test is done by an external program.
|
||||
The warning message is generic to give the user no hint on how to
|
||||
circumvent this list. */
|
||||
if (*pw && opt.check_passphrase_pattern &&
|
||||
check_passphrase_pattern (ctrl, pw))
|
||||
if (*pw
|
||||
&& (opt.check_passphrase_pattern || opt.check_sym_passphrase_pattern)
|
||||
&& do_check_passphrase_pattern (ctrl, pw, flags))
|
||||
{
|
||||
if (!failed_constraint)
|
||||
{
|
||||
|
|
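Review bot: The guard in check_passphrase_constraints and the pattern selection in do_check_passphrase_pattern disagree when only --check-sym-passphrase-pattern is configured: for a passphrase checked without CHECK_CONSTRAINTS_NEW_SYMKEY the caller's `opt.check_passphrase_pattern || opt.check_sym_passphrase_pattern` test passes, `pattern` stays NULL, and `return 1` reports the passphrase as matching a forbidden pattern. That fails closed, but it means such passphrases trip the generic pattern warning although no pattern file applies to them. If that is not intended, make the guard follow the selection, e.g. `&& (opt.check_passphrase_pattern || ((flags & CHECK_CONSTRAINTS_NEW_SYMKEY) && opt.check_sym_passphrase_pattern))`, and add a comment on `if (!pattern)` saying it is then only a defensive fallback. Both function bodies continue outside the visible hunks, so confirm nothing there already covers this case. Separately, the context line `log_assert (i < sizeof argv)` bounds `i` by the byte size of the array rather than its element count; `DIM (argv)` would make the assertion meaningful.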