From 457bce5cd39146df047e4740162125c32c738789 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Wed, 17 Sep 2014 15:12:08 +0200 Subject: gpg: Improve passphrase caching. * agent/cache.c (last_stored_cache_key): New. (agent_get_cache): Allow NULL for KEY. (agent_store_cache_hit): New. * agent/findkey.c (unprotect): Call new function and try to use the last stored key. * g10/revoke.c (create_revocation): Add arg CACHE_NONCE and pass to make_keysig_packet. (gen_standard_revoke): Add arg CACHE_NONCE and pass to create_revocation. * g10/keygen.c (do_generate_keypair): Call gen_standard_revoke with cache nonce. -- This patch adds two features: 1. The key for the last passphrase successfully used for unprotecting a key is stored away. On a cache miss the stored away passphrase is tried as well. This helps for the common GPG use case of having a signing and encryption (sub)key with the same passphrase. See the code for more comments. 2. The now auto-generated revocation certificate does not anymore popup a passphrase prompt. Thus for standard key generation the passphrase needs to be given only once (well, two with the confirmation). --- g10/revoke.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'g10/revoke.c') diff --git a/g10/revoke.c b/g10/revoke.c index 67f62e5cc..019c62c0a 100644 --- a/g10/revoke.c +++ b/g10/revoke.c @@ -443,7 +443,8 @@ create_revocation (const char *filename, struct revocation_reason_info *reason, PKT_public_key *psk, kbnode_t keyblock, - const char *leadintext, int suffix) + const char *leadintext, int suffix, + const char *cache_nonce) { int rc; iobuf_t out = NULL; @@ -466,7 +467,7 @@ create_revocation (const char *filename, rc = make_keysig_packet (&sig, psk, NULL, NULL, psk, 0x20, 0, opt.force_v4_certs? 4:0, 0, 0, - revocation_reason_build_cb, reason, NULL); + revocation_reason_build_cb, reason, cache_nonce); if (rc) { log_error (_("make_keysig_packet failed: %s\n"), g10_errstr (rc)); 
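Review bot: The new `cache_nonce` parameter of create_revocation (hunk at -443) is not documented in the visible lines, although it changes what the call in the hunk at -466 does, where it replaces the former `NULL` last argument of make_keysig_packet. According to the commit message, a non-NULL nonce lets the revocation signature be made without a passphrase prompt, so the function's header comment (which lies outside these hunks) should say so, for example `CACHE_NONCE may be NULL; if set it is passed to make_keysig_packet so that gpg-agent can use the passphrase cached under that nonce instead of prompting.` The comment should also state that callers pass only a nonce obtained for PSK during the current operation. Whether the agent itself enforces that binding cannot be seen from this file.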
@@ -511,9 +512,10 @@ create_revocation (const char *filename, by gpg's interactive key generation function. The certificate is stored at a dedicated place in a slightly modified form to avoid an accidental import. PSK is the primary key; a corresponding secret - key must be available. */ + key must be available. CACHE_NONCE is optional but can be used to + help gpg-agent to avoid an extra passphrase prompt. */ int -gen_standard_revoke (PKT_public_key *psk) +gen_standard_revoke (PKT_public_key *psk, const char *cache_nonce) { int rc; estream_t memfp; @@ -573,7 +575,7 @@ gen_standard_revoke (PKT_public_key *psk) reason.code = 0x00; /* No particular reason. */ reason.desc = NULL; - rc = create_revocation (fname, &reason, psk, NULL, leadin, 3); + rc = create_revocation (fname, &reason, psk, NULL, leadin, 3, cache_nonce); xfree (leadin); xfree (fname); @@ -662,7 +664,7 @@ gen_revoke (const char *uname) if (!opt.armor) tty_printf (_("ASCII armored output forced.\n")); - rc = create_revocation (NULL, reason, psk, keyblock, NULL, 0); + rc = create_revocation (NULL, reason, psk, keyblock, NULL, 0, NULL); if (rc) goto leave; -- cgit v1.2.3
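Review bot: The added comment text in the hunk at -511 calls CACHE_NONCE "optional" without naming the value that means "absent" or saying who owns the string. I would word it as `CACHE_NONCE may be NULL; if given it is forwarded to gpg-agent, which may then skip the passphrase prompt for the revocation signature. The string remains owned by the caller.` The ownership part is inferred from the `const char *` type and from the absence of an xfree in the visible lines (the hunk at -573 only forwards it), so please confirm it against the rest of the body, which lies outside these hunks. Since this changes the signature of a non-static function, the prototype and every caller must change in the same commit; this page is limited to g10/revoke.c, so that cannot be checked here.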
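Review bot: In the hunk at -662, gen_revoke passes a bare `NULL` as the seventh positional argument of create_revocation with nothing to say that this is deliberate. A one-line comment above the call would stop a later change from wiring a nonce into the user-initiated revocation path by mistake, for example `/* No cache nonce: an explicitly requested revocation uses gpg-agent's regular passphrase handling. */`. That intent is inferred from the commit message, which describes the prompt-free behaviour only for the auto-generated certificate, so adjust the wording if it is wrong. The body of gen_revoke continues outside the hunk.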