agent: Add option --no-allow-external-cache.

* agent/agent.h (opt): Add field allow_external_cache. * agent/call-pinentry.c (start_pinentry): Act upon new var. * agent/gpg-agent.c (oNoAllowExternalCache): New. (opts): Add option --no-allow-external-cache. (parse_rereadable_options): Set this option. -- Pinentry 0.9.2 may be build with libsecret support and thus an extra checkbox is displayed to allow the user to get passwords out of an libsecret maintained cache. Security aware user may want to avoid this feature and may do this at runtime by enabling this option. Signed-off-by: Werner Koch <wk@gnupg.org>
2025-07-02 22:46:30 +02:00 · 2015-05-11 18:08:44 +02:00 · 2015-05-11 18:08:44 +02:00 · d7293cb317
commit d7293cb317
parent 02d5e12054
5 changed files with 53 additions and 13 deletions
--- a/agent/agent.h
+++ b/agent/agent.h
@ -128,6 +128,11 @@ struct
     pinentry-mode=loopback is allowed.  */
  int allow_loopback_pinentry;

+  /* Allow the use of an external password cache.  If this option is
+     enabled (which is the default) we send an option to Pinentry
+     to allow it to enable such a cache.  */
+  int allow_external_cache;
+
  int keep_tty;      /* Don't switch the TTY (for pinentry) on request */
  int keep_display;  /* Don't switch the DISPLAY (for pinentry) on request */

--- a/agent/call-pinentry.c
+++ b/agent/call-pinentry.c
@ -408,23 +408,26 @@ start_pinentry (ctrl_t ctrl)
    }


-  /* Indicate to the pinentry that it may read from an external cache.
+  if (opt.allow_external_cache)
+    {
+      /* Indicate to the pinentry that it may read from an external cache.

-     It is essential that the pinentry respect this.  If the cached
-     password is not up to date and retry == 1, then, using a version
-     of GPG Agent that doesn't support this, won't issue another pin
-     request and the user won't get a chance to correct the
-     password.  */
-  rc = assuan_transact (entry_ctx, "OPTION allow-external-password-cache",
-			NULL, NULL, NULL, NULL, NULL, NULL);
-  if (rc && gpg_err_code (rc) != GPG_ERR_UNKNOWN_OPTION)
-    return unlock_pinentry (rc);
+         It is essential that the pinentry respect this.  If the
+         cached password is not up to date and retry == 1, then, using
+         a version of GPG Agent that doesn't support this, won't issue
+         another pin request and the user won't get a chance to
+         correct the password.  */
+      rc = assuan_transact (entry_ctx, "OPTION allow-external-password-cache",
+                            NULL, NULL, NULL, NULL, NULL, NULL);
+      if (rc && gpg_err_code (rc) != GPG_ERR_UNKNOWN_OPTION)
+        return unlock_pinentry (rc);
+    }


  {
    /* Provide a few default strings for use by the pinentries.  This
       may help a pinentry to avoid implementing localization code.  */
-    static struct { const char *key, *value; int mode; } tbl[] = {
+    static struct { const char *key, *value; int what; } tbl[] = {
      /* TRANSLATORS: These are labels for buttons etc used in
         Pinentries.  An underscore indicates that the next letter
         should be used as an accelerator.  Double the underscore for
@ -435,7 +438,7 @@ start_pinentry (ctrl_t ctrl)
      { "yes",    N_("|pinentry-label|_Yes") },
      { "no",     N_("|pinentry-label|_No") },
      { "prompt", N_("|pinentry-label|PIN:") },
-      { "pwmngr", N_("|pinentry-label|_Save in password manager") },
+      { "pwmngr", N_("|pinentry-label|_Save in password manager"), 1 },
      { "cf-visi",N_("Do you really want to make your "
                     "passphrase visible on the screen?") },
      { "tt-visi",N_("|pinentry-tt|Make passphrase visible") },
@ -448,6 +451,8 @@ start_pinentry (ctrl_t ctrl)

    for (idx=0; tbl[idx].key; idx++)
      {
+        if (!opt.allow_external_cache && tbl[idx].what == 1)
+          continue;  /* No need for it.  */
        s = _(tbl[idx].value);
        if (*s == '|' && (s2=strchr (s+1,'|')))
          s = s2+1;
--- a/agent/gpg-agent.c
+++ b/agent/gpg-agent.c
@ -119,6 +119,7 @@ enum cmd_and_opt_values
  oNoAllowMarkTrusted,
  oAllowPresetPassphrase,
  oAllowLoopbackPinentry,
+  oNoAllowExternalCache,
  oKeepTTY,
  oKeepDISPLAY,
  oSSHSupport,
@ -168,6 +169,10 @@ static ARGPARSE_OPTS opts[] = {
  ARGPARSE_s_n (oDisableScdaemon, "disable-scdaemon",
                /* */             N_("do not use the SCdaemon") ),
  ARGPARSE_s_n (oDisableCheckOwnSocket, "disable-check-own-socket", "@"),
+
+  ARGPARSE_s_s (oExtraSocket, "extra-socket",
+                /* */       N_("|NAME|accept some commands via NAME")),
+
  ARGPARSE_s_s (oFakedSystemTime, "faked-system-time", "@"),

  ARGPARSE_s_n (oBatch,      "batch",        "@"),
@ -200,6 +205,8 @@ static ARGPARSE_OPTS opts[] = {

  ARGPARSE_s_n (oIgnoreCacheForSigning, "ignore-cache-for-signing",
                /* */    N_("do not use the PIN cache when signing")),
+  ARGPARSE_s_n (oNoAllowExternalCache,  "no-allow-external-cache",
+                /* */    N_("disallow the use of an external password cache")),
  ARGPARSE_s_n (oNoAllowMarkTrusted, "no-allow-mark-trusted",
                /* */    N_("disallow clients to mark keys as \"trusted\"")),
  ARGPARSE_s_n (oAllowMarkTrusted,   "allow-mark-trusted", "@"),
@ -207,6 +214,7 @@ static ARGPARSE_OPTS opts[] = {
                /* */                    N_("allow presetting passphrase")),
  ARGPARSE_s_n (oAllowLoopbackPinentry, "allow-loopback-pinentry",
                                   N_("allow caller to override the pinentry")),
+
  ARGPARSE_s_n (oSSHSupport,   "enable-ssh-support", N_("enable ssh support")),
  ARGPARSE_s_n (oPuttySupport, "enable-putty-support",
 #ifdef HAVE_W32_SYSTEM
@ -215,7 +223,6 @@ static ARGPARSE_OPTS opts[] = {
                /* */           "@"
 #endif
                ),
-  ARGPARSE_s_s (oExtraSocket, "extra-socket", "@"),

  /* Dummy options for backward compatibility.  */
  ARGPARSE_o_s (oWriteEnvFile, "write-env-file", "@"),
@ -557,6 +564,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
      opt.enable_passhrase_history = 0;
      opt.ignore_cache_for_signing = 0;
      opt.allow_mark_trusted = 1;
+      opt.allow_external_cache = 1;
      opt.disable_scdaemon = 0;
      disable_check_own_socket = 0;
      return 1;
@ -623,6 +631,9 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)

    case oAllowLoopbackPinentry: opt.allow_loopback_pinentry = 1; break;

+    case oNoAllowExternalCache: opt.allow_external_cache = 0;
+      break;
+
    default:
      return 0; /* not handled */
    }
@ -1056,6 +1067,8 @@ main (int argc, char **argv )
              GC_OPT_FLAG_NONE|GC_OPT_FLAG_RUNTIME);
      es_printf ("ignore-cache-for-signing:%lu:\n",
              GC_OPT_FLAG_NONE|GC_OPT_FLAG_RUNTIME);
+      es_printf ("no-allow-external-cache:%lu:\n",
+              GC_OPT_FLAG_NONE|GC_OPT_FLAG_RUNTIME);
      es_printf ("no-allow-mark-trusted:%lu:\n",
              GC_OPT_FLAG_NONE|GC_OPT_FLAG_RUNTIME);
      es_printf ("disable-scdaemon:%lu:\n",