security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-02-01 16:33:02 +01:00
Code Activity

gpg: Avoid extra pinentries for each subkey in --export-secret-keys.

Browse Source 
* agent/command.c (cmd_export_key): Actually implement the cache_nonce
feature.
* g10/export.c (do_export_stream): Make use of a cache_nonce.

Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2014-11-02 17:51:30 +01:00
parent d95f05c314
commit f8c993fbe2
3 changed files with 35 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
agent/command.c
View File

@ -2127,16 +2127,19 @@ cmd_export_key (assuan_context_t ctx, char *line)
char *cache_nonce; char *cache_nonce;
char *passphrase = NULL; char *passphrase = NULL;
unsigned char *shadow_info = NULL; unsigned char *shadow_info = NULL;
char *pend;
int c;
openpgp = has_option (line, "--openpgp"); openpgp = has_option (line, "--openpgp");
cache_nonce = option_value (line, "--cache-nonce"); cache_nonce = option_value (line, "--cache-nonce");
if (cache_nonce) if (cache_nonce)
{ {
for (; *line && !spacep (line); line++) for (pend = cache_nonce; *pend && !spacep (pend); pend++)
; ;
if (*line) c = *pend;
*line++ = '\0'; *pend = '\0';
cache_nonce = xtrystrdup (cache_nonce); cache_nonce = xtrystrdup (cache_nonce);
*pend = c;
if (!cache_nonce) if (!cache_nonce)
{ {
err = gpg_error_from_syserror (); err = gpg_error_from_syserror ();
@ -2163,7 +2166,8 @@ cmd_export_key (assuan_context_t ctx, char *line)
/* Get the key from the file. With the openpgp flag we also ask for /* Get the key from the file. With the openpgp flag we also ask for
the passphrase so that we can use it to re-encrypt it. */ the passphrase so that we can use it to re-encrypt it. */
err = agent_key_from_file (ctrl, NULL, ctrl->server_local->keydesc, grip, err = agent_key_from_file (ctrl, cache_nonce,
ctrl->server_local->keydesc, grip,
&shadow_info, CACHE_MODE_IGNORE, NULL, &s_skey, &shadow_info, CACHE_MODE_IGNORE, NULL, &s_skey,
openpgp ? &passphrase : NULL); openpgp ? &passphrase : NULL);
if (err) if (err)
@ -2190,6 +2194,24 @@ cmd_export_key (assuan_context_t ctx, char *line)
goto leave; goto leave;
} }
err = convert_to_openpgp (ctrl, s_skey, passphrase, &key, &keylen); err = convert_to_openpgp (ctrl, s_skey, passphrase, &key, &keylen);
if (!err && passphrase)
{
if (!cache_nonce)
{
char buf[12];
gcry_create_nonce (buf, 12);
cache_nonce = bin2hex (buf, 12, NULL);
}
if (cache_nonce
&& !agent_put_cache (cache_nonce, CACHE_MODE_NONCE,
passphrase, CACHE_TTL_NONCE))
{
assuan_write_status (ctx, "CACHE_NONCE", cache_nonce);
xfree (ctrl->server_local->last_cache_nonce);
ctrl->server_local->last_cache_nonce = cache_nonce;
cache_nonce = NULL;
}
}
} }
else else
{ {

6
g10/call-agent.c
View File

@ -2152,8 +2152,10 @@ agent_import_key (ctrl_t ctrl, const char *desc, char **cache_nonce_addr,
/* Receive a secret key from the agent. HEXKEYGRIP is the hexified /* Receive a secret key from the agent. HEXKEYGRIP is the hexified
keygrip, DESC a prompt to be displayed with the agent's passphrase keygrip, DESC a prompt to be displayed with the agent's passphrase
question (needs to be plus+percent escaped). On success the key is question (needs to be plus+percent escaped). If CACHE_NONCE_ADDR
stored as a canonical S-expression at R_RESULT and R_RESULTLEN. */ is not NULL the agent is advised to first try a passphrase
associated with that nonce. On success the key is stored as a
canonical S-expression at R_RESULT and R_RESULTLEN. */
gpg_error_t gpg_error_t
agent_export_key (ctrl_t ctrl, const char *hexkeygrip, const char *desc, agent_export_key (ctrl_t ctrl, const char *hexkeygrip, const char *desc,
char **cache_nonce_addr, char **cache_nonce_addr,

6
g10/export.c
View File

@ -777,6 +777,7 @@ do_export_stream (ctrl_t ctrl, iobuf_t out, strlist_t users, int secret,
strlist_t sl; strlist_t sl;
int indent = 0; int indent = 0;
gcry_cipher_hd_t cipherhd = NULL; gcry_cipher_hd_t cipherhd = NULL;
char *cache_nonce = NULL;
*any = 0; *any = 0;
init_packet (&pkt); init_packet (&pkt);
@ -914,6 +915,8 @@ do_export_stream (ctrl_t ctrl, iobuf_t out, strlist_t users, int secret,
clean_key (keyblock, opt.verbose, (options&EXPORT_MINIMAL), NULL, NULL); clean_key (keyblock, opt.verbose, (options&EXPORT_MINIMAL), NULL, NULL);
/* And write it. */ /* And write it. */
xfree (cache_nonce);
cache_nonce = NULL;
for (kbctx=NULL; (node = walk_kbnode (keyblock, &kbctx, 0)); ) for (kbctx=NULL; (node = walk_kbnode (keyblock, &kbctx, 0)); )
{ {
if (skip_until_subkey) if (skip_until_subkey)
@ -1124,7 +1127,7 @@ do_export_stream (ctrl_t ctrl, iobuf_t out, strlist_t users, int secret,
{ {
char *prompt = gpg_format_keydesc (pk, char *prompt = gpg_format_keydesc (pk,
FORMAT_KEYDESC_EXPORT,1); FORMAT_KEYDESC_EXPORT,1);
err = agent_export_key (ctrl, hexgrip, prompt, NULL, err = agent_export_key (ctrl, hexgrip, prompt, &cache_nonce,
&wrappedkey, &wrappedkeylen); &wrappedkey, &wrappedkeylen);
xfree (prompt); xfree (prompt);
} }
@ -1246,6 +1249,7 @@ do_export_stream (ctrl_t ctrl, iobuf_t out, strlist_t users, int secret,
keydb_release (kdbhd); keydb_release (kdbhd);
if (err || !keyblock_out) if (err || !keyblock_out)
release_kbnode( keyblock ); release_kbnode( keyblock );
xfree (cache_nonce);
if( !*any ) if( !*any )
log_info(_("WARNING: nothing exported\n")); log_info(_("WARNING: nothing exported\n"));
return err; return err;