agent: New option --check-sym-passphrase-pattern.

* agent/gpg-agent.c (oCheckSymPassphrasePattern): New. (opts): Add --check-sym-passphrase-pattern. (parse_rereadable_options): Set option. (main): Return option info. * tools/gpgconf-comp.c: Add new option. * agent/agent.h (opt): Add var check_sym_passphrase_pattern. (struct pin_entry_info_s): Add var constraints_flags. (CHECK_CONSTRAINTS_NOT_EMPTY): New to replace a hardwired 1. (CHECK_CONSTRAINTS_NEW_SYMKEY): New. * agent/genkey.c (check_passphrase_pattern): Rename to ... (do_check_passphrase_pattern): this to make code reading easier. Handle the --check-sym-passphrase-pattern option. (check_passphrase_constraints): Replace arg no_empty by a generic flags arg. Also handle --check-sym-passphrase-pattern here. * agent/command.c (cmd_get_passphrase): In --newsymkey mode pass CHECK_CONSTRAINTS_NEW_SYMKEY flag. * agent/call-pinentry.c (struct entry_parm_s): Add constraints_flags. (struct inq_cb_parm_s): New. (inq_cb): Use new struct for parameter passing. Pass flags to teh constraints checking. (do_getpin): Pass constraints flag down. (agent_askpin): Take constrainst flag from the supplied pinentry struct. -- Requirements for a passphrase to protect a private key and for a passphrase used for symmetric encryption are different. Thus a the use of a different pattern file will be useful. Note that a pattern file can be used to replace the other passphrase constraints options and thus we don't need to duplicate them for symmetric encryption. GnuPG-bug-id: 5517 Signed-off-by: Werner Koch <[email protected]>
author: Werner Koch <[email protected]> 2021-08-13 11:42:31 +0000
committer: Werner Koch <[email protected]> 2021-08-13 11:42:31 +0000
commit: 7c45a69eb988e9c0329d75900af0c5b1e47291b7 (patch)
tree: 96ced8bfada21a95699d862e4b44ad8025c43573 /agent/genkey.c
parent: indent: Add a git blame ignore file (diff)
download: gnupg-7c45a69eb988e9c0329d75900af0c5b1e47291b7.tar.gz
gnupg-7c45a69eb988e9c0329d75900af0c5b1e47291b7.zip
1 files changed, 27 insertions, 10 deletions
diff --git a/agent/genkey.c b/agent/genkey.c
index c7cfc6910..3ed63f663 100644
--- a/agent/genkey.c
+++ b/agent/genkey.c
@@ -89,9 +89,11 @@ nonalpha_count (const char *s)
 
 
 /* Check PW against a list of pattern.  Return 0 if PW does not match
-   these pattern.  */
+   these pattern.  If CHECK_CONSTRAINTS_NEW_SYMKEY is set in flags and
+   --check-sym-passphrase-pattern has been configured, use the pattern
+   file from that option.  */
 static int
-check_passphrase_pattern (ctrl_t ctrl, const char *pw)
+do_check_passphrase_pattern (ctrl_t ctrl, const char *pw, unsigned int flags)
 {
   gpg_error_t err = 0;
   const char *pgmname = gnupg_module_name (GNUPG_MODULE_NAME_CHECK_PATTERN);
@@ -99,9 +101,17 @@ check_passphrase_pattern (ctrl_t ctrl, const char *pw)
   const char *argv[10];
   pid_t pid;
   int result, i;
+  const char *pattern;
 
   (void)ctrl;
 
+  pattern = opt.check_passphrase_pattern;
+  if ((flags & CHECK_CONSTRAINTS_NEW_SYMKEY)
+      && opt.check_sym_passphrase_pattern)
+    pattern = opt.check_sym_passphrase_pattern;
+  if (!pattern)
+    return 1; /* Oops - Assume password should not be used  */
+
   infp = gnupg_tmpfile ();
   if (!infp)
     {
@@ -124,7 +134,7 @@ check_passphrase_pattern (ctrl_t ctrl, const char *pw)
   i = 0;
   argv[i++] = "--null";
   argv[i++] = "--",
-  argv[i++] = opt.check_passphrase_pattern,
+  argv[i++] = pattern,
   argv[i] = NULL;
   log_assert (i < sizeof argv);
 
@@ -156,12 +166,17 @@ take_this_one_anyway (ctrl_t ctrl, const char *desc, const char *anyway_btn)
 
 
 /* Check whether the passphrase PW is suitable. Returns 0 if the
-   passphrase is suitable and true if it is not and the user should be
-   asked to provide a different one.  If FAILED_CONSTRAINT is set, a
-   message describing the problem is returned in
-   *FAILED_CONSTRAINT.  */
+ * passphrase is suitable and true if it is not and the user should be
+ * asked to provide a different one.  If FAILED_CONSTRAINT is set, a
+ * message describing the problem is returned at FAILED_CONSTRAINT.
+ * The FLAGS are:
+ *   CHECK_CONSTRAINTS_NOT_EMPTY
+ *       Do not allow an empty passphrase
+ *   CHECK_CONSTRAINTS_NEW_SYMKEY
+ *       Hint that the passphrase is used for a new symmetric key.
+ */
 int
-check_passphrase_constraints (ctrl_t ctrl, const char *pw, int no_empty,
+check_passphrase_constraints (ctrl_t ctrl, const char *pw, unsigned int flags,
 			      char **failed_constraint)
 {
   gpg_error_t err = 0;
@@ -170,6 +185,7 @@ check_passphrase_constraints (ctrl_t ctrl, const char *pw, int no_empty,
   char *msg1 = NULL;
   char *msg2 = NULL;
   char *msg3 = NULL;
+  int no_empty = !!(flags & CHECK_CONSTRAINTS_NOT_EMPTY);
 
   if (ctrl && ctrl->pinentry_mode == PINENTRY_MODE_LOOPBACK)
     return 0;
@@ -247,8 +263,9 @@ check_passphrase_constraints (ctrl_t ctrl, const char *pw, int no_empty,
      and pattern.  The actual test is done by an external program.
      The warning message is generic to give the user no hint on how to
      circumvent this list.  */
-  if (*pw && opt.check_passphrase_pattern &&
-      check_passphrase_pattern (ctrl, pw))
+  if (*pw
+      && (opt.check_passphrase_pattern || opt.check_sym_passphrase_pattern)
+      && do_check_passphrase_pattern (ctrl, pw, flags))
     {
       if (!failed_constraint)
         {
author	Werner Koch <[email protected]>	2021-08-13 11:42:31 +0000
committer	Werner Koch <[email protected]>	2021-08-13 11:42:31 +0000
commit	7c45a69eb988e9c0329d75900af0c5b1e47291b7 (patch)
tree	96ced8bfada21a95699d862e4b44ad8025c43573 /agent/genkey.c
parent	indent: Add a git blame ignore file (diff)
download	gnupg-7c45a69eb988e9c0329d75900af0c5b1e47291b7.tar.gz gnupg-7c45a69eb988e9c0329d75900af0c5b1e47291b7.zip