agent: Use the sysconfdir for a pattern file.

* agent/genkey.c (do_check_passphrase_pattern): Use make_filename.

2 files changed, 35 insertions, 5 deletions

diff --git a/agent/genkey.c b/agent/genkey.c
index b36c26550..877717c2e 100644
--- a/agent/genkey.c
+++ b/agent/genkey.c
@@ -25,6 +25,7 @@
 #include <string.h>
 #include <ctype.h>
 #include <assert.h>
+#include <unistd.h>
 
 #include "agent.h"
 #include "../common/i18n.h"
@@ -103,6 +104,7 @@ do_check_passphrase_pattern (ctrl_t ctrl, const char *pw, unsigned int flags)
   pid_t pid;
   int result, i;
   const char *pattern;
+  char *patternfname;
 
   (void)ctrl;
 
@@ -113,11 +115,34 @@ do_check_passphrase_pattern (ctrl_t ctrl, const char *pw, unsigned int flags)
   if (!pattern)
     return 1; /* Oops - Assume password should not be used  */
 
+  if (strchr (pattern, '/') || strchr (pattern, '\\')
+      || (*pattern == '~' && pattern[1] == '/'))
+    patternfname = make_absfilename_try (pattern, NULL);
+  else
+    patternfname = make_filename_try (gnupg_sysconfdir (), pattern, NULL);
+  if (!patternfname)
+    {
+      log_error ("error making filename from '%s': %s\n",
+                 pattern, gpg_strerror (gpg_error_from_syserror ()));
+      return 1; /* Do not pass the check.  */
+    }
+
+  /* Make debugging a broken config easier by printing a useful error
+   * message.  */
+  if (gnupg_access (patternfname, F_OK))
+    {
+      log_error ("error accessing '%s': %s\n",
+                 patternfname, gpg_strerror (gpg_error_from_syserror ()));
+      xfree (patternfname);
+      return 1; /* Do not pass the check.  */
+    }
+
   infp = gnupg_tmpfile ();
   if (!infp)
     {
       err = gpg_error_from_syserror ();
       log_error (_("error creating temporary file: %s\n"), gpg_strerror (err));
+      xfree (patternfname);
       return 1; /* Error - assume password should not be used.  */
     }
 
@@ -127,6 +152,7 @@ do_check_passphrase_pattern (ctrl_t ctrl, const char *pw, unsigned int flags)
       log_error (_("error writing to temporary file: %s\n"),
                  gpg_strerror (err));
       fclose (infp);
+      xfree (patternfname);
       return 1; /* Error - assume password should not be used.  */
     }
   fseek (infp, 0, SEEK_SET);
@@ -135,7 +161,7 @@ do_check_passphrase_pattern (ctrl_t ctrl, const char *pw, unsigned int flags)
   i = 0;
   argv[i++] = "--null";
   argv[i++] = "--",
-  argv[i++] = pattern,
+  argv[i++] = patternfname,
   argv[i] = NULL;
   assert (i < sizeof argv);
 
@@ -154,6 +180,8 @@ do_check_passphrase_pattern (ctrl_t ctrl, const char *pw, unsigned int flags)
     putc ('\xff', infp);
   fflush (infp);
   fclose (infp);
+
+  xfree (patternfname);
   return result;
 }
 
diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi
index c1bdfdb2e..78adf8f2b 100644
--- a/doc/gpg-agent.texi
+++ b/doc/gpg-agent.texi
@@ -453,10 +453,12 @@ to 1.
 @opindex check-sym-passphrase-pattern
 Check the passphrase against the pattern given in @var{file}.  When
 entering a new passphrase matching one of these pattern a warning will
-be displayed. @var{file} should be an absolute filename.  The default
-is not to use any pattern file.  The second version of this option is
-only used when creating a new symmetric key to allow the use of
-different patterns for such passphrases.
+be displayed.  If @var{file} does not contain any slashes and does not
+start with "~/" it is searched in the system configuration directory
+(@file{@value{SYSCONFDIR}}).  The default is not to use any
+pattern file.  The second version of this option is only used when
+creating a new symmetric key to allow the use of different patterns
+for such passphrases.
 
 Security note: It is known that checking a passphrase against a list of
 pattern or even against a complete dictionary is not very effective to