agent: Add option --no-allow-external-cache.

* agent/agent.h (opt): Add field allow_external_cache.
* agent/call-pinentry.c (start_pinentry): Act upon new var.
* agent/gpg-agent.c (oNoAllowExternalCache): New.
(opts): Add option --no-allow-external-cache.
(parse_rereadable_options): Set this option.
--

Pinentry 0.9.2 may be build with libsecret support and thus an extra
checkbox is displayed to allow the user to get passwords out of an
libsecret maintained cache.  Security aware user may want to avoid
this feature and may do this at runtime by enabling this option.

Signed-off-by: Werner Koch <[email protected]>

5 files changed, 54 insertions, 14 deletions

diff --git a/agent/agent.h b/agent/agent.h
index 4d28effa4..45f71eb19 100644
--- a/agent/agent.h
+++ b/agent/agent.h
@@ -128,6 +128,11 @@ struct
      pinentry-mode=loopback is allowed.  */
   int allow_loopback_pinentry;
 
+  /* Allow the use of an external password cache.  If this option is
+     enabled (which is the default) we send an option to Pinentry
+     to allow it to enable such a cache.  */
+  int allow_external_cache;
+
   int keep_tty;      /* Don't switch the TTY (for pinentry) on request */
   int keep_display;  /* Don't switch the DISPLAY (for pinentry) on request */
 
diff --git a/agent/call-pinentry.c b/agent/call-pinentry.c
index 64c64a957..5c3743aa4 100644
--- a/agent/call-pinentry.c
+++ b/agent/call-pinentry.c
@@ -408,23 +408,26 @@ start_pinentry (ctrl_t ctrl)
     }
 
 
-  /* Indicate to the pinentry that it may read from an external cache.
-
-     It is essential that the pinentry respect this.  If the cached
-     password is not up to date and retry == 1, then, using a version
-     of GPG Agent that doesn't support this, won't issue another pin
-     request and the user won't get a chance to correct the
-     password.  */
-  rc = assuan_transact (entry_ctx, "OPTION allow-external-password-cache",
-			NULL, NULL, NULL, NULL, NULL, NULL);
-  if (rc && gpg_err_code (rc) != GPG_ERR_UNKNOWN_OPTION)
-    return unlock_pinentry (rc);
+  if (opt.allow_external_cache)
+    {
+      /* Indicate to the pinentry that it may read from an external cache.
+
+         It is essential that the pinentry respect this.  If the
+         cached password is not up to date and retry == 1, then, using
+         a version of GPG Agent that doesn't support this, won't issue
+         another pin request and the user won't get a chance to
+         correct the password.  */
+      rc = assuan_transact (entry_ctx, "OPTION allow-external-password-cache",
+                            NULL, NULL, NULL, NULL, NULL, NULL);
+      if (rc && gpg_err_code (rc) != GPG_ERR_UNKNOWN_OPTION)
+        return unlock_pinentry (rc);
+    }
 
 
   {
     /* Provide a few default strings for use by the pinentries.  This
        may help a pinentry to avoid implementing localization code.  */
-    static struct { const char *key, *value; int mode; } tbl[] = {
+    static struct { const char *key, *value; int what; } tbl[] = {
       /* TRANSLATORS: These are labels for buttons etc used in
          Pinentries.  An underscore indicates that the next letter
          should be used as an accelerator.  Double the underscore for
@@ -435,7 +438,7 @@ start_pinentry (ctrl_t ctrl)
       { "yes",    N_("|pinentry-label|_Yes") },
       { "no",     N_("|pinentry-label|_No") },
       { "prompt", N_("|pinentry-label|PIN:") },
-      { "pwmngr", N_("|pinentry-label|_Save in password manager") },
+      { "pwmngr", N_("|pinentry-label|_Save in password manager"), 1 },
       { "cf-visi",N_("Do you really want to make your "
                      "passphrase visible on the screen?") },
       { "tt-visi",N_("|pinentry-tt|Make passphrase visible") },
@@ -448,6 +451,8 @@ start_pinentry (ctrl_t ctrl)
 
     for (idx=0; tbl[idx].key; idx++)
       {
+        if (!opt.allow_external_cache && tbl[idx].what == 1)
+          continue;  /* No need for it.  */
         s = _(tbl[idx].value);
         if (*s == '|' && (s2=strchr (s+1,'|')))
           s = s2+1;
diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
index c846ab494..659aa2c29 100644
--- a/agent/gpg-agent.c
+++ b/agent/gpg-agent.c
@@ -119,6 +119,7 @@ enum cmd_and_opt_values
   oNoAllowMarkTrusted,
   oAllowPresetPassphrase,
   oAllowLoopbackPinentry,
+  oNoAllowExternalCache,
   oKeepTTY,
   oKeepDISPLAY,
   oSSHSupport,
@@ -168,6 +169,10 @@ static ARGPARSE_OPTS opts[] = {
   ARGPARSE_s_n (oDisableScdaemon, "disable-scdaemon",
                 /* */             N_("do not use the SCdaemon") ),
   ARGPARSE_s_n (oDisableCheckOwnSocket, "disable-check-own-socket", "@"),
+
+  ARGPARSE_s_s (oExtraSocket, "extra-socket",
+                /* */       N_("|NAME|accept some commands via NAME")),
+
   ARGPARSE_s_s (oFakedSystemTime, "faked-system-time", "@"),
 
   ARGPARSE_s_n (oBatch,      "batch",        "@"),
@@ -200,6 +205,8 @@ static ARGPARSE_OPTS opts[] = {
 
   ARGPARSE_s_n (oIgnoreCacheForSigning, "ignore-cache-for-signing",
                 /* */    N_("do not use the PIN cache when signing")),
+  ARGPARSE_s_n (oNoAllowExternalCache,  "no-allow-external-cache",
+                /* */    N_("disallow the use of an external password cache")),
   ARGPARSE_s_n (oNoAllowMarkTrusted, "no-allow-mark-trusted",
                 /* */    N_("disallow clients to mark keys as \"trusted\"")),
   ARGPARSE_s_n (oAllowMarkTrusted,   "allow-mark-trusted", "@"),
@@ -207,6 +214,7 @@ static ARGPARSE_OPTS opts[] = {
                 /* */                    N_("allow presetting passphrase")),
   ARGPARSE_s_n (oAllowLoopbackPinentry, "allow-loopback-pinentry",
                                    N_("allow caller to override the pinentry")),
+
   ARGPARSE_s_n (oSSHSupport,   "enable-ssh-support", N_("enable ssh support")),
   ARGPARSE_s_n (oPuttySupport, "enable-putty-support",
 #ifdef HAVE_W32_SYSTEM
@@ -215,7 +223,6 @@ static ARGPARSE_OPTS opts[] = {
                 /* */           "@"
 #endif
                 ),
-  ARGPARSE_s_s (oExtraSocket, "extra-socket", "@"),
 
   /* Dummy options for backward compatibility.  */
   ARGPARSE_o_s (oWriteEnvFile, "write-env-file", "@"),
@@ -557,6 +564,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
       opt.enable_passhrase_history = 0;
       opt.ignore_cache_for_signing = 0;
       opt.allow_mark_trusted = 1;
+      opt.allow_external_cache = 1;
       opt.disable_scdaemon = 0;
       disable_check_own_socket = 0;
       return 1;
@@ -623,6 +631,9 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
 
     case oAllowLoopbackPinentry: opt.allow_loopback_pinentry = 1; break;
 
+    case oNoAllowExternalCache: opt.allow_external_cache = 0;
+      break;
+
     default:
       return 0; /* not handled */
     }
@@ -1056,6 +1067,8 @@ main (int argc, char **argv )
               GC_OPT_FLAG_NONE|GC_OPT_FLAG_RUNTIME);
       es_printf ("ignore-cache-for-signing:%lu:\n",
               GC_OPT_FLAG_NONE|GC_OPT_FLAG_RUNTIME);
+      es_printf ("no-allow-external-cache:%lu:\n",
+              GC_OPT_FLAG_NONE|GC_OPT_FLAG_RUNTIME);
       es_printf ("no-allow-mark-trusted:%lu:\n",
               GC_OPT_FLAG_NONE|GC_OPT_FLAG_RUNTIME);
       es_printf ("disable-scdaemon:%lu:\n",
diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi
index 469c76203..dea462e0d 100644
--- a/doc/gpg-agent.texi
+++ b/doc/gpg-agent.texi
@@ -377,6 +377,19 @@ Allow clients to use the loopback pinentry features; see the option
 @option{pinentry-mode} for details.
 @end ifset
 
+@ifset gpgtwoone
+@item --no-allow-external-cache
+@opindex no-allow-external-cache
+Tell Pinentry not to enable features which use an external cache for
+passphrases.
+
+Some desktop environments prefer to unlock all
+credentials with one master password and may have installed a Pinentry
+which employs an additional external cache to implement such a policy.
+By using this option the Pinentry is advised not to make use of such a
+cache and instead always ask the user for the requested passphrase.
+@end ifset
+
 @item --ignore-cache-for-signing
 @opindex ignore-cache-for-signing
 This option will let @command{gpg-agent} bypass the passphrase cache for all
@@ -762,6 +775,7 @@ again.  Only certain options are honored: @code{quiet},
 @code{debug-pinentry},
 @code{no-grab}, @code{pinentry-program}, @code{default-cache-ttl},
 @code{max-cache-ttl}, @code{ignore-cache-for-signing},
+@code{no-allow-external-cache},
 @code{no-allow-mark-trusted}, @code{disable-scdaemon}, and
 @code{disable-check-own-socket}.  @code{scdaemon-program} is also
 supported but due to the current implementation, which calls the
diff --git a/tools/gpgconf-comp.c b/tools/gpgconf-comp.c
index d0d938f25..cf2d18845 100644
--- a/tools/gpgconf-comp.c
+++ b/tools/gpgconf-comp.c
@@ -538,6 +538,9 @@ static gc_option_t gc_options_gpg_agent[] =
    { "ignore-cache-for-signing", GC_OPT_FLAG_RUNTIME,
      GC_LEVEL_BASIC, "gnupg", "do not use the PIN cache when signing",
      GC_ARG_TYPE_NONE, GC_BACKEND_GPG_AGENT },
+   { "no-allow-external-cache", GC_OPT_FLAG_RUNTIME,
+     GC_LEVEL_BASIC, "gnupg", "disallow the use of an external password cache",
+     GC_ARG_TYPE_NONE, GC_BACKEND_GPG_AGENT },
    { "no-allow-mark-trusted", GC_OPT_FLAG_RUNTIME,
      GC_LEVEL_ADVANCED, "gnupg", "disallow clients to mark keys as \"trusted\"",
      GC_ARG_TYPE_NONE, GC_BACKEND_GPG_AGENT },