Merge branch 'master' into gniibe/t6275

2025-07-03 22:56:33 +02:00 · 2022-12-05 12:01:06 +09:00 · 2022-12-05 12:01:06 +09:00 · ac87fc1a9b
commit ac87fc1a9b
parent 97cbb507fa 1a85ee9a43
50 changed files with 1123 additions and 292 deletions
--- a/agent/all-tests.scm
+++ b/agent/all-tests.scm
@ -27,9 +27,10 @@
   (parse-makefile-expand filename expander key))

 (map (lambda (name)
-	(test::binary #f
-		      (path-join "agent" name)
-		      (path-join (getenv "objdir") "agent" name)))
+        (let ((name-ext (string-append name (getenv "EXEEXT"))))
+	  (test::binary #f
+		        (path-join "agent" name-ext)
+		        (path-join (getenv "objdir") "agent" name-ext))))
      (parse-makefile-expand (in-srcdir "agent" "Makefile.am")
 			     (lambda (filename port key) (parse-makefile port key))
 			     "module_tests")))
--- a/agent/command.c
+++ b/agent/command.c
@ -2935,7 +2935,7 @@ cmd_import_key (assuan_context_t ctx, char *line)


 static const char hlp_export_key[] =
-  "EXPORT_KEY [--cache-nonce=<nonce>] [--openpgp] <hexstring_with_keygrip>\n"
+  "EXPORT_KEY [--cache-nonce=<nonce>] [--openpgp|--mode1003] <hexkeygrip>\n"
  "\n"
  "Export a secret key from the key store.  The key will be encrypted\n"
  "using the current session's key wrapping key (cf. command KEYWRAP_KEY)\n"
@ -2943,9 +2943,10 @@ static const char hlp_export_key[] =
  "prior to using this command.  The function takes the keygrip as argument.\n"
  "\n"
  "If --openpgp is used, the secret key material will be exported in RFC 4880\n"
-  "compatible passphrase-protected form.  Without --openpgp, the secret key\n"
-  "material will be exported in the clear (after prompting the user to unlock\n"
-  "it, if needed).\n";
+  "compatible passphrase-protected form.  If --mode1003 is use the secret key\n"
+  "is exported as s-expression as storred locally.  Without those options,\n"
+  "the secret key material will be exported in the clear (after prompting\n"
+  "the user to unlock it, if needed).\n";
 static gpg_error_t
 cmd_export_key (assuan_context_t ctx, char *line)
 {
@ -2958,7 +2959,7 @@ cmd_export_key (assuan_context_t ctx, char *line)
  gcry_cipher_hd_t cipherhd = NULL;
  unsigned char *wrappedkey = NULL;
  size_t wrappedkeylen;
-  int openpgp;
+  int openpgp, mode1003;
  char *cache_nonce;
  char *passphrase = NULL;
  unsigned char *shadow_info = NULL;
@ -2969,6 +2970,10 @@ cmd_export_key (assuan_context_t ctx, char *line)
    return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN));

  openpgp = has_option (line, "--openpgp");
+  mode1003 = has_option (line, "--mode1003");
+  if (mode1003)
+    openpgp = 0;
+
  cache_nonce = option_value (line, "--cache-nonce");
  if (cache_nonce)
    {
@ -3003,11 +3008,17 @@ cmd_export_key (assuan_context_t ctx, char *line)
    }

  /* Get the key from the file.  With the openpgp flag we also ask for
-     the passphrase so that we can use it to re-encrypt it.  */
-  err = agent_key_from_file (ctrl, cache_nonce,
-                             ctrl->server_local->keydesc, grip,
-                             &shadow_info, CACHE_MODE_IGNORE, NULL, &s_skey,
-                             openpgp ? &passphrase : NULL, NULL);
+   * the passphrase so that we can use it to re-encrypt it.  In
+   * mode1003 we return the key as-is.  FIXME: if the key is still in
+   * OpenPGP-native mode we should first convert it to our internal
+   * protection.  */
+  if (mode1003)
+    err = agent_raw_key_from_file (ctrl, grip, &s_skey, NULL);
+  else
+    err = agent_key_from_file (ctrl, cache_nonce,
+                               ctrl->server_local->keydesc, grip,
+                               &shadow_info, CACHE_MODE_IGNORE, NULL, &s_skey,
+                               openpgp ? &passphrase : NULL, NULL);
  if (err)
    goto leave;
  if (shadow_info)
@ -4150,6 +4161,11 @@ command_has_option (const char *cmd, const char *cmdopt)
      if (!strcmp (cmdopt, "newsymkey"))
        return 1;
    }
+  else if (!strcmp (cmd, "EXPORT_KEY"))
+    {
+      if (!strcmp (cmdopt, "mode1003"))
+        return 1;
+    }

  return 0;
 }
--- a/agent/cvt-openpgp.c
+++ b/agent/cvt-openpgp.c
@ -802,9 +802,10 @@ convert_from_openpgp_main (ctrl_t ctrl, gcry_sexp_t s_pgp, int dontcare_exist,
  if (!list)
    goto bad_seckey;
  value = gcry_sexp_nth_data (list, 1, &valuelen);
-  if (!value || valuelen != 1 || !(value[0] == '3' || value[0] == '4'))
+  if (!value || valuelen != 1
+      || !(value[0] == '3' || value[0] == '4' || value[0] == '5'))
    goto bad_seckey;
-  is_v4 = (value[0] == '4');
+  is_v4 = (value[0] == '4' || value[0] == '5');

  gcry_sexp_release (list);
  list = gcry_sexp_find_token (top_list, "protection", 0);
@ -948,7 +949,7 @@ convert_from_openpgp_main (ctrl_t ctrl, gcry_sexp_t s_pgp, int dontcare_exist,
  gcry_sexp_release (top_list); top_list = NULL;

 #if 0
-  log_debug ("XXX is_v4=%d\n", is_v4);
+  log_debug ("XXX is v4_or_later=%d\n", is_v4);
  log_debug ("XXX pubkey_algo=%d\n", pubkey_algo);
  log_debug ("XXX is_protected=%d\n", is_protected);
  log_debug ("XXX protect_algo=%d\n", protect_algo);