mirror of
git://git.gnupg.org/gnupg.git
synced 2025-07-03 22:56:33 +02:00
agent: New option --check-sym-passphrase-pattern.
* agent/gpg-agent.c (oCheckSymPassphrasePattern): New.
(opts): Add --check-sym-passphrase-pattern.
(parse_rereadable_options): Set option.
(main): Return option info.
* tools/gpgconf-comp.c: Add new option.
* agent/agent.h (opt): Add var check_sym_passphrase_pattern.
(struct pin_entry_info_s): Add var constraints_flags.
(CHECK_CONSTRAINTS_NOT_EMPTY): New to replace a hardwired 1.
(CHECK_CONSTRAINTS_NEW_SYMKEY): New.
* agent/genkey.c (check_passphrase_pattern): Rename to ...
(do_check_passphrase_pattern): this to make code reading
easier. Handle the --check-sym-passphrase-pattern option.
(check_passphrase_constraints): Replace arg no_empty by a generic
flags arg. Also handle --check-sym-passphrase-pattern here.
* agent/command.c (cmd_get_passphrase): In --newsymkey mode pass
CHECK_CONSTRAINTS_NEW_SYMKEY flag.
* agent/call-pinentry.c (struct entry_parm_s): Add constraints_flags.
(struct inq_cb_parm_s): New.
(inq_cb): Use new struct for parameter passing. Pass flags to teh
constraints checking.
(do_getpin): Pass constraints flag down.
(agent_askpin): Take constraints flag from the supplied pinentry
struct.
--
Requirements for a passphrase to protect a private key and for a
passphrase used for symmetric encryption are different. Thus a
the use of a different pattern file will be useful. Note that a
pattern file can be used to replace the other passphrase constraints
options and thus we don't need to duplicate them for symmetric
encryption.
GnuPG-bug-id: 5517
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 7c45a69eb9
agent: New option --check-sym-passphrase-pattern.
This commit is contained in:
Werner Koch
parent
9832566e45
commit
c6a4a660fd
6 changed files with 88 additions and 30 deletions
|
|
@ -90,9 +90,11 @@ nonalpha_count (const char *s)
|
|||
|
||||
|
||||
/* Check PW against a list of pattern. Return 0 if PW does not match
|
||||
these pattern. */
|
||||
these pattern. If CHECK_CONSTRAINTS_NEW_SYMKEY is set in flags and
|
||||
--check-sym-passphrase-pattern has been configured, use the pattern
|
||||
file from that option. */
|
||||
static int
|
||||
check_passphrase_pattern (ctrl_t ctrl, const char *pw)
|
||||
do_check_passphrase_pattern (ctrl_t ctrl, const char *pw, unsigned int flags)
|
||||
{
|
||||
gpg_error_t err = 0;
|
||||
const char *pgmname = gnupg_module_name (GNUPG_MODULE_NAME_CHECK_PATTERN);
|
||||
|
|
@ -100,9 +102,17 @@ check_passphrase_pattern (ctrl_t ctrl, const char *pw)
|
|||
const char *argv[10];
|
||||
pid_t pid;
|
||||
int result, i;
|
||||
const char *pattern;
|
||||
|
||||
(void)ctrl;
|
||||
|
||||
pattern = opt.check_passphrase_pattern;
|
||||
if ((flags & CHECK_CONSTRAINTS_NEW_SYMKEY)
|
||||
&& opt.check_sym_passphrase_pattern)
|
||||
pattern = opt.check_sym_passphrase_pattern;
|
||||
if (!pattern)
|
||||
return 1; /* Oops - Assume password should not be used */
|
||||
|
||||
infp = gnupg_tmpfile ();
|
||||
if (!infp)
|
||||
{
|
||||
|
|
@ -125,7 +135,7 @@ check_passphrase_pattern (ctrl_t ctrl, const char *pw)
|
|||
i = 0;
|
||||
argv[i++] = "--null";
|
||||
argv[i++] = "--",
|
||||
argv[i++] = opt.check_passphrase_pattern,
|
||||
argv[i++] = pattern,
|
||||
argv[i] = NULL;
|
||||
assert (i < sizeof argv);
|
||||
|
||||
|
|
@ -174,12 +184,17 @@ take_this_one_anyway (ctrl_t ctrl, const char *desc)
|
|||
|
||||
|
||||
/* Check whether the passphrase PW is suitable. Returns 0 if the
|
||||
passphrase is suitable and true if it is not and the user should be
|
||||
asked to provide a different one. If FAILED_CONSTRAINT is set, a
|
||||
message describing the problem is returned in
|
||||
*FAILED_CONSTRAINT. */
|
||||
* passphrase is suitable and true if it is not and the user should be
|
||||
* asked to provide a different one. If FAILED_CONSTRAINT is set, a
|
||||
* message describing the problem is returned at FAILED_CONSTRAINT.
|
||||
* The FLAGS are:
|
||||
* CHECK_CONSTRAINTS_NOT_EMPTY
|
||||
* Do not allow an empty passphrase
|
||||
* CHECK_CONSTRAINTS_NEW_SYMKEY
|
||||
* Hint that the passphrase is used for a new symmetric key.
|
||||
*/
|
||||
int
|
||||
check_passphrase_constraints (ctrl_t ctrl, const char *pw, int no_empty,
|
||||
check_passphrase_constraints (ctrl_t ctrl, const char *pw, unsigned int flags,
|
||||
char **failed_constraint)
|
||||
{
|
||||
gpg_error_t err = 0;
|
||||
|
|
@ -188,6 +203,7 @@ check_passphrase_constraints (ctrl_t ctrl, const char *pw, int no_empty,
|
|||
char *msg1 = NULL;
|
||||
char *msg2 = NULL;
|
||||
char *msg3 = NULL;
|
||||
int no_empty = !!(flags & CHECK_CONSTRAINTS_NOT_EMPTY);
|
||||
|
||||
if (ctrl && ctrl->pinentry_mode == PINENTRY_MODE_LOOPBACK)
|
||||
return 0;
|
||||
|
|
@ -265,8 +281,9 @@ check_passphrase_constraints (ctrl_t ctrl, const char *pw, int no_empty,
|
|||
and pattern. The actual test is done by an external program.
|
||||
The warning message is generic to give the user no hint on how to
|
||||
circumvent this list. */
|
||||
if (*pw && opt.check_passphrase_pattern &&
|
||||
check_passphrase_pattern (ctrl, pw))
|
||||
if (*pw
|
||||
&& (opt.check_passphrase_pattern || opt.check_sym_passphrase_pattern)
|
||||
&& do_check_passphrase_pattern (ctrl, pw, flags))
|
||||
{
|
||||
if (!failed_constraint)
|
||||
{
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue