diff --git a/agent/agent.h b/agent/agent.h
index 4d28effa4..45f71eb19 100644
--- a/agent/agent.h
+++ b/agent/agent.h
@@ -128,6 +128,11 @@ struct
     pinentry-mode=loopback is allowed. */
   int allow_loopback_pinentry;
+  /* Allow the use of an external password cache. If this option is
+     enabled (which is the default) we send an option to Pinentry
+     to allow it to enable such a cache. */
+  int allow_external_cache;
+
   int keep_tty;      /* Don't switch the TTY (for pinentry) on request */
   int keep_display;  /* Don't switch the DISPLAY (for pinentry) on request */
diff --git a/agent/call-pinentry.c b/agent/call-pinentry.c
index 64c64a957..5c3743aa4 100644
--- a/agent/call-pinentry.c
+++ b/agent/call-pinentry.c
@@ -408,23 +408,26 @@ start_pinentry (ctrl_t ctrl)
     }
-  /* Indicate to the pinentry that it may read from an external cache.
+  if (opt.allow_external_cache)
+    {
+      /* Indicate to the pinentry that it may read from an external cache.
-     It is essential that the pinentry respect this. If the cached
-     password is not up to date and retry == 1, then, using a version
-     of GPG Agent that doesn't support this, won't issue another pin
-     request and the user won't get a chance to correct the
-     password. */
-  rc = assuan_transact (entry_ctx, "OPTION allow-external-password-cache",
-                        NULL, NULL, NULL, NULL, NULL, NULL);
-  if (rc && gpg_err_code (rc) != GPG_ERR_UNKNOWN_OPTION)
-    return unlock_pinentry (rc);
+         It is essential that the pinentry respect this. If the
+         cached password is not up to date and retry == 1, then, using
+         a version of GPG Agent that doesn't support this, won't issue
+         another pin request and the user won't get a chance to
+         correct the password. */
+      rc = assuan_transact (entry_ctx, "OPTION allow-external-password-cache",
+                            NULL, NULL, NULL, NULL, NULL, NULL);
+      if (rc && gpg_err_code (rc) != GPG_ERR_UNKNOWN_OPTION)
+        return unlock_pinentry (rc);
+    }
   {
     /* Provide a few default strings for use by the pinentries. This
        may help a pinentry to avoid implementing localization code. */
-    static struct { const char *key, *value; int mode; } tbl[] = {
+    static struct { const char *key, *value; int what; } tbl[] = {
       /* TRANSLATORS: These are labels for buttons etc used in
          Pinentries. An underscore indicates that the next letter
          should be used as an accelerator. Double the underscore for
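Review bot: The `what` member added to `tbl[]` at the bottom of this hunk is compared against a bare `1` in the @@ -435 and @@ -448 hunks of this file, and nothing records what the values mean; a one-line comment on the struct, `/* what: 0 = always sent to the pinentry, 1 = only sent when an external password cache is allowed */`, or a small enum in place of the literal would keep the three places in step. The new `if (opt.allow_external_cache)` block only withholds the OPTION; the existing comment says the pinentry must respect it, so it is worth stating next to it that a pinentry which caches regardless is not prevented by anything on the agent side, i.e. the setting is advisory. start_pinentry begins before and ends after this hunk.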
@@ -435,7 +438,7 @@ start_pinentry (ctrl_t ctrl)
       { "yes", N_("|pinentry-label|_Yes") },
       { "no", N_("|pinentry-label|_No") },
       { "prompt", N_("|pinentry-label|PIN:") },
-      { "pwmngr", N_("|pinentry-label|_Save in password manager") },
+      { "pwmngr", N_("|pinentry-label|_Save in password manager"), 1 },
       { "cf-visi",N_("Do you really want to make your "
                      "passphrase visible on the screen?") },
       { "tt-visi",N_("|pinentry-tt|Make passphrase visible") },
@@ -448,6 +451,8 @@ start_pinentry (ctrl_t ctrl)
     for (idx=0; tbl[idx].key; idx++)
       {
+        if (!opt.allow_external_cache && tbl[idx].what == 1)
+          continue; /* No need for it. */
         s = _(tbl[idx].value);
         if (*s == '|' && (s2=strchr (s+1,'|')))
           s = s2+1;
diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
index c846ab494..659aa2c29 100644
--- a/agent/gpg-agent.c
+++ b/agent/gpg-agent.c
@@ -119,6 +119,7 @@ enum cmd_and_opt_values
   oNoAllowMarkTrusted,
   oAllowPresetPassphrase,
   oAllowLoopbackPinentry,
+  oNoAllowExternalCache,
   oKeepTTY,
   oKeepDISPLAY,
   oSSHSupport,
@@ -168,6 +169,10 @@ static ARGPARSE_OPTS opts[] = {
   ARGPARSE_s_n (oDisableScdaemon, "disable-scdaemon",
                 /* */ N_("do not use the SCdaemon") ),
   ARGPARSE_s_n (oDisableCheckOwnSocket, "disable-check-own-socket", "@"),
+
+  ARGPARSE_s_s (oExtraSocket, "extra-socket",
+                /* */ N_("|NAME|accept some commands via NAME")),
+
+
   ARGPARSE_s_s (oFakedSystemTime, "faked-system-time", "@"),
   ARGPARSE_s_n (oBatch, "batch", "@"),
@@ -200,6 +205,8 @@ static ARGPARSE_OPTS opts[] = {
   ARGPARSE_s_n (oIgnoreCacheForSigning, "ignore-cache-for-signing",
                 /* */ N_("do not use the PIN cache when signing")),
+  ARGPARSE_s_n (oNoAllowExternalCache, "no-allow-external-cache",
+                /* */ N_("disallow the use of an external password cache")),
   ARGPARSE_s_n (oNoAllowMarkTrusted, "no-allow-mark-trusted",
                 /* */ N_("disallow clients to mark keys as \"trusted\"")),
   ARGPARSE_s_n (oAllowMarkTrusted, "allow-mark-trusted", "@"),
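Review bot: The `extra-socket` entry given a help string in the @@ -168 hunk (with its hidden `"@"` form removed in the @@ -215 hunk of this file) is unrelated to the external-cache option the rest of the commit introduces; as a separate commit both changes would be easier to bisect and to cherry-pick. If it stays here, a sentence in the commit message saying that `--extra-socket` is now advertised in `--help` would save the next reader from looking for a connection. The `opts[]` table continues outside the hunk.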
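Review bot: `no-allow-external-cache` in the @@ -200 hunk gets no positive counterpart, whereas the neighbouring `allow-mark-trusted`/`no-allow-mark-trusted` pair in the same hunk shows the file's convention of a hidden `"@"` form that lets a later configuration line re-enable a feature; a matching `ARGPARSE_s_n (oAllowExternalCache, "allow-external-cache", "@"),` (name to be chosen) plus a `case` in parse_rereadable_options would keep that symmetry. Because the reread path in the @@ -557 hunk resets the flag to 1 before parsing, the omission is an inconsistency rather than a functional bug.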
@@ -207,6 +214,7 @@ static ARGPARSE_OPTS opts[] = {
                 /* */ N_("allow presetting passphrase")),
   ARGPARSE_s_n (oAllowLoopbackPinentry, "allow-loopback-pinentry",
                 N_("allow caller to override the pinentry")),
+
   ARGPARSE_s_n (oSSHSupport, "enable-ssh-support", N_("enable ssh support")),
   ARGPARSE_s_n (oPuttySupport, "enable-putty-support",
 #ifdef HAVE_W32_SYSTEM
@@ -215,7 +223,6 @@ static ARGPARSE_OPTS opts[] = {
                 /* */ "@"
 #endif
                ),
-  ARGPARSE_s_s (oExtraSocket, "extra-socket", "@"),
   /* Dummy options for backward compatibility. */
   ARGPARSE_o_s (oWriteEnvFile, "write-env-file", "@"),
@@ -557,6 +564,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
       opt.enable_passhrase_history = 0;
       opt.ignore_cache_for_signing = 0;
       opt.allow_mark_trusted = 1;
+      opt.allow_external_cache = 1;
       opt.disable_scdaemon = 0;
       disable_check_own_socket = 0;
       return 1;
@@ -623,6 +631,9 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
     case oAllowLoopbackPinentry: opt.allow_loopback_pinentry = 1;
       break;
+    case oNoAllowExternalCache: opt.allow_external_cache = 0;
+      break;
+
     default:
       return 0; /* not handled */
     }
@@ -1056,6 +1067,8 @@ main (int argc, char **argv )
                 GC_OPT_FLAG_NONE|GC_OPT_FLAG_RUNTIME);
       es_printf ("ignore-cache-for-signing:%lu:\n",
                 GC_OPT_FLAG_NONE|GC_OPT_FLAG_RUNTIME);
+      es_printf ("no-allow-external-cache:%lu:\n",
+                GC_OPT_FLAG_NONE|GC_OPT_FLAG_RUNTIME);
       es_printf ("no-allow-mark-trusted:%lu:\n",
                 GC_OPT_FLAG_NONE|GC_OPT_FLAG_RUNTIME);
       es_printf ("disable-scdaemon:%lu:\n",
diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi
index 469c76203..dea462e0d 100644
--- a/doc/gpg-agent.texi
+++ b/doc/gpg-agent.texi
@@ -377,6 +377,19 @@ Allow clients to use the loopback pinentry features; see the option
 @option{pinentry-mode} for details.
 @end ifset
+@ifset gpgtwoone
+@item --no-allow-external-cache
+@opindex no-allow-external-cache
+Tell Pinentry not to enable features which use an external cache for
+passphrases.
+
+Some desktop environments prefer to unlock all
+credentials with one master password and may have installed a Pinentry
+which employs an additional external cache to implement such a policy.
+By using this option the Pinentry is advised not to make use of such a
+cache and instead always ask the user for the requested passphrase.
+@end ifset
+
 @item --ignore-cache-for-signing
 @opindex ignore-cache-for-signing
 This option will let @command{gpg-agent} bypass the passphrase cache for all
@@ -762,6 +775,7 @@ again. Only certain options are honored: @code{quiet},
 @code{debug-pinentry},
 @code{no-grab}, @code{pinentry-program},
 @code{default-cache-ttl}, @code{max-cache-ttl}, @code{ignore-cache-for-signing},
+@code{no-allow-external-cache},
 @code{no-allow-mark-trusted}, @code{disable-scdaemon}, and
 @code{disable-check-own-socket}. @code{scdaemon-program} is also supported but
 due to the current implementation, which calls the
diff --git a/tools/gpgconf-comp.c b/tools/gpgconf-comp.c
index d0d938f25..cf2d18845 100644
--- a/tools/gpgconf-comp.c
+++ b/tools/gpgconf-comp.c
@@ -538,6 +538,9 @@ static gc_option_t gc_options_gpg_agent[] =
    { "ignore-cache-for-signing", GC_OPT_FLAG_RUNTIME, GC_LEVEL_BASIC,
      "gnupg", "do not use the PIN cache when signing",
      GC_ARG_TYPE_NONE, GC_BACKEND_GPG_AGENT },
+   { "no-allow-external-cache", GC_OPT_FLAG_RUNTIME,
+     GC_LEVEL_BASIC, "gnupg", "disallow the use of an external password cache",
+     GC_ARG_TYPE_NONE, GC_BACKEND_GPG_AGENT },
    { "no-allow-mark-trusted", GC_OPT_FLAG_RUNTIME, GC_LEVEL_ADVANCED,
      "gnupg", "disallow clients to mark keys as \"trusted\"",
      GC_ARG_TYPE_NONE, GC_BACKEND_GPG_AGENT },