Re: symmetric passphrase with remote (extra, restricted) gpg-agent

Mon, 26 Feb 2024 06:15:37 -0800 

Hi again!

you may want to try the attached patch.  It is against the current 2.4
head but should apply also to somewhat older versions.  If this solves
your problem, it can go into 2.4.5 soon.


Shalom-Salam,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein

From 4025da324903093736f238329274f5e234f5339e Mon Sep 17 00:00:00 2001
From: Werner Koch <w...@gnupg.org>
Date: Sun, 25 Feb 2024 15:55:14 +0100
Subject: [PATCH GnuPG] agent: Allow GET_PASSPHRASE in restricted mode.

* agent/command.c (cmd_get_passphrase): Allow use in restricted mode
but ignore the cacheid.
--

The use case is symmetric encryption via the extra-socket.  To avoid
that the gpg running on the server has access to the cache we set the
cache id to NULL so that the cache is not used at all.
---
 agent/command.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/agent/command.c b/agent/command.c
index 20ae08e9f..100b97f57 100644
--- a/agent/command.c
+++ b/agent/command.c
@@ -1988,9 +1988,6 @@ cmd_get_passphrase (assuan_context_t ctx, char *line)
   struct pin_entry_info_s *pi2 = NULL;
   int is_generated;
 
-  if (ctrl->restricted)
-    return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN));
-
   opt_data = has_option (line, "--data");
   opt_check = has_option (line, "--check");
   opt_no_ask = has_option (line, "--no-ask");
@@ -2039,7 +2036,9 @@ cmd_get_passphrase (assuan_context_t ctx, char *line)
   if (!desc)
     return set_error (GPG_ERR_ASS_PARAMETER, "no description given");
 
-  if (!strcmp (cacheid, "X"))
+  /* The only limitation in restricted mode is that we don't considere
+   * the cache.  */
+  if (ctrl->restricted || !strcmp (cacheid, "X"))
     cacheid = NULL;
   if (!strcmp (errtext, "X"))
     errtext = NULL;
@@ -2121,7 +2120,7 @@ cmd_get_passphrase (assuan_context_t ctx, char *line)
           entry_errtext = NULL;
           is_generated = !!(pi->status & PINENTRY_STATUS_PASSWORD_GENERATED);
 
-          /* We don't allow an empty passpharse in this mode.  */
+          /* We don't allow an empty passphrase in this mode.  */
           if (!is_generated
               && check_passphrase_constraints (ctrl, pi->pin,
                                                pi->constraints_flags,
-- 
2.39.2

Attachment: openpgp-digital-signature.asc
Description: PGP signature

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Reply via email to