[PATCH 7/8] g10: add cleartext parameter to receive_seckey_from_agent()
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Sat May 21 01:41:10 CEST 2016
* g10/export.c, g10/main.h (receive_seckey_from_agent): add cleartext
parameter, enabling retrieval of the secret key, unlocked.
* g10/export.c (do_export_stream): send cleartext as 0
* g10/keygen.c (card_store_key_with_backup): use cleartext=0 to ensure
that smartcard backups are all passphrase-locked.
---
g10/export.c | 15 ++++++++++++---
g10/keygen.c | 2 +-
g10/main.h | 1 +
3 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/g10/export.c b/g10/export.c
index 695bbef..54c72a2 100644
--- a/g10/export.c
+++ b/g10/export.c
@@ -1042,10 +1042,15 @@ print_status_exported (PKT_public_key *pk)
* Then, parse the decrypted key data in transfer format, and put
* secret papameters into PK.
*
+ * if CLEARTEXT is 0, store the secret key material
+ * passphrase-protected. otherwise, store secret key material in the
+ * clear.
+ *
* CACHE_NONCE_ADDR is used to share nonce for multple key retrievals.
*/
gpg_error_t
receive_seckey_from_agent (ctrl_t ctrl, gcry_cipher_hd_t cipherhd,
+ int cleartext,
char **cache_nonce_addr, const char *hexgrip,
PKT_public_key *pk)
{
@@ -1061,7 +1066,7 @@ receive_seckey_from_agent (ctrl_t ctrl, gcry_cipher_hd_t cipherhd,
log_info ("key %s: asking agent for the secret parts\n", hexgrip);
prompt = gpg_format_keydesc (pk, FORMAT_KEYDESC_EXPORT,1);
- err = agent_export_key (ctrl, hexgrip, prompt, 1, cache_nonce_addr,
+ err = agent_export_key (ctrl, hexgrip, prompt, !cleartext, cache_nonce_addr,
&wrappedkey, &wrappedkeylen);
xfree (prompt);
@@ -1089,7 +1094,10 @@ receive_seckey_from_agent (ctrl_t ctrl, gcry_cipher_hd_t cipherhd,
err = gcry_sexp_sscan (&s_skey, NULL, key, realkeylen);
if (!err)
{
- err = transfer_format_to_openpgp (s_skey, pk);
+ if (cleartext)
+ err = cleartext_secret_key_to_openpgp (s_skey, pk);
+ else
+ err = transfer_format_to_openpgp (s_skey, pk);
gcry_sexp_release (s_skey);
}
@@ -1485,7 +1493,8 @@ do_export_stream (ctrl_t ctrl, iobuf_t out, strlist_t users, int secret,
}
else if (!err)
{
- err = receive_seckey_from_agent (ctrl, cipherhd, &cache_nonce,
+ err = receive_seckey_from_agent (ctrl, cipherhd,
+ 0, &cache_nonce,
hexgrip, pk);
if (err)
{
diff --git a/g10/keygen.c b/g10/keygen.c
index 7a07109..83962c2 100644
--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -3957,7 +3957,7 @@ card_store_key_with_backup (ctrl_t ctrl, PKT_public_key *sub_psk,
goto leave;
}
- err = receive_seckey_from_agent (ctrl, cipherhd, &cache_nonce, hexgrip, sk);
+ err = receive_seckey_from_agent (ctrl, cipherhd, 0, &cache_nonce, hexgrip, sk);
if (err)
{
log_error ("error getting secret key from agent: %s\n", gpg_strerror (err));
diff --git a/g10/main.h b/g10/main.h
index 5b5947e..99ba164 100644
--- a/g10/main.h
+++ b/g10/main.h
@@ -383,6 +383,7 @@ gpg_error_t export_pubkey_buffer (ctrl_t ctrl, const char *keyspec,
void **r_data, size_t *r_datalen);
gpg_error_t receive_seckey_from_agent (ctrl_t ctrl, gcry_cipher_hd_t cipherhd,
+ int cleartext,
char **cache_nonce_addr, const char *hexgrip,
PKT_public_key *pk);
--
2.8.1
More information about the Gnupg-devel
mailing list