1 /* call-pinentry.c - Spawn the pinentry to query stuff from the user
2 * Copyright (C) 2001, 2002, 2004, 2007, 2008,
3 * 2010 Free Software Foundation, Inc.
5 * This file is part of GnuPG.
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <https://www.gnu.org/licenses/>.
30 #ifndef HAVE_W32_SYSTEM
31 # include <sys/wait.h>
32 # include <sys/types.h>
42 #ifdef _POSIX_OPEN_MAX
43 #define MAX_OPEN_FDS _POSIX_OPEN_MAX
45 #define MAX_OPEN_FDS 20
49 /* Because access to the pinentry must be serialized (it is and shall
50 be a global mutually exclusive dialog) we better timeout pending
51 requests after some time. 1 minute seem to be a reasonable
53 #define LOCK_TIMEOUT (1*60)
55 /* The assuan context of the current pinentry. */
56 static assuan_context_t entry_ctx;
58 /* The control variable of the connection owning the current pinentry.
59 This is only valid if ENTRY_CTX is not NULL. Note, that we care
60 only about the value of the pointer and that it should never be
62 static ctrl_t entry_owner;
64 /* A mutex used to serialize access to the pinentry. */
65 static npth_mutex_t entry_lock;
67 /* The thread ID of the popup working thread. */
68 static npth_t popup_tid;
70 /* A flag used in communication between the popup working thread and
72 static int popup_finished;
76 /* Data to be passed to our callbacks, */
81 unsigned char *buffer;
87 /* This function must be called once to initialize this module. This
88 has to be done before a second thread is spawned. We can't do the
89 static initialization because Pth emulation code might not be able
90 to do a static init; in particular, it is not possible for W32. */
92 initialize_module_call_pinentry (void)
94 static int initialized;
98 if (npth_mutex_init (&entry_lock, NULL))
105 /* This function may be called to print infromation pertaining to the
106 current state of this module to the log. */
108 agent_query_dump_state (void)
110 log_info ("agent_query_dump_state: entry_ctx=%p pid=%ld popup_tid=%p\n",
111 entry_ctx, (long)assuan_get_pid (entry_ctx), (void*)popup_tid);
114 /* Called to make sure that a popup window owned by the current
115 connection gets closed. */
117 agent_reset_query (ctrl_t ctrl)
119 if (entry_ctx && popup_tid && entry_owner == ctrl)
121 agent_popup_message_stop (ctrl);
126 /* Unlock the pinentry so that another thread can start one and
127 disconnect that pinentry - we do this after the unlock so that a
128 stalled pinentry does not block other threads. Fixme: We should
129 have a timeout in Assuan for the disconnect operation. */
131 unlock_pinentry (gpg_error_t rc)
133 assuan_context_t ctx = entry_ctx;
139 log_debug ("error calling pinentry: %s <%s>\n",
140 gpg_strerror (rc), gpg_strsource (rc));
142 /* Change the source of the error to pinentry so that the final
143 consumer of the error code knows that the problem is with
144 pinentry. For backward compatibility we do not do that for
145 some common error codes. */
146 switch (gpg_err_code (rc))
148 case GPG_ERR_NO_PIN_ENTRY:
149 case GPG_ERR_CANCELED:
150 case GPG_ERR_FULLY_CANCELED:
151 case GPG_ERR_ASS_UNKNOWN_INQUIRE:
152 case GPG_ERR_ASS_TOO_MUCH_DATA:
153 case GPG_ERR_NO_PASSPHRASE:
154 case GPG_ERR_BAD_PASSPHRASE:
155 case GPG_ERR_BAD_PIN:
159 rc = gpg_err_make (GPG_ERR_SOURCE_PINENTRY, gpg_err_code (rc));
165 err = npth_mutex_unlock (&entry_lock);
168 log_error ("failed to release the entry lock: %s\n", strerror (err));
170 rc = gpg_error_from_errno (err);
172 assuan_release (ctx);
177 /* To make sure we leave no secrets in our image after forking of the
178 pinentry, we use this callback. */
180 atfork_cb (void *opaque, int where)
182 ctrl_t ctrl = opaque;
187 const char *name, *assname, *value;
189 gcry_control (GCRYCTL_TERM_SECMEM);
191 while ((name = session_env_list_stdenvnames (&iterator, &assname)))
193 /* For all new envvars (!ASSNAME) and the two medium old
194 ones which do have an assuan name but are conveyed using
195 environment variables, update the environment of the
198 || !strcmp (name, "XAUTHORITY")
199 || !strcmp (name, "PINENTRY_USER_DATA"))
201 value = session_env_getenv (ctrl->session_env, name);
203 gnupg_setenv (name, value, 1);
211 getinfo_pid_cb (void *opaque, const void *buffer, size_t length)
213 unsigned long *pid = opaque;
216 /* There is only the pid in the server's response. */
217 if (length >= sizeof pidbuf)
218 length = sizeof pidbuf -1;
221 strncpy (pidbuf, buffer, length);
223 *pid = strtoul (pidbuf, NULL, 10);
229 /* Fork off the pin entry if this has not already been done. Note,
230 that this function must always be used to acquire the lock for the
231 pinentry - we will serialize _all_ pinentry calls.
234 start_pinentry (ctrl_t ctrl)
237 const char *full_pgmname;
239 assuan_context_t ctx;
241 assuan_fd_t no_close_list[3];
244 unsigned long pinentry_pid;
246 struct timespec abstime;
247 char *flavor_version;
250 npth_clock_gettime (&abstime);
251 abstime.tv_sec += LOCK_TIMEOUT;
252 err = npth_mutex_timedlock (&entry_lock, &abstime);
255 if (err == ETIMEDOUT)
256 rc = gpg_error (GPG_ERR_TIMEOUT);
258 rc = gpg_error_from_errno (rc);
259 log_error (_("failed to acquire the pinentry lock: %s\n"),
270 log_info ("starting a new PIN Entry\n");
272 #ifdef HAVE_W32_SYSTEM
278 #ifndef HAVE_W32_SYSTEM
279 gpg_error_t tmperr = gpg_error (gpg_err_code_from_errno (errno));
281 log_error ("error flushing pending output: %s\n", strerror (errno));
282 /* At least Windows XP fails here with EBADF. According to docs
283 and Wine an fflush(NULL) is the same as _flushall. However
284 the Wine implementaion does not flush stdin,stdout and stderr
285 - see above. Let's try to ignore the error. */
286 #ifndef HAVE_W32_SYSTEM
287 return unlock_pinentry (tmperr);
291 full_pgmname = opt.pinentry_program;
292 if (!full_pgmname || !*full_pgmname)
293 full_pgmname = gnupg_module_name (GNUPG_MODULE_NAME_PINENTRY);
294 if ( !(pgmname = strrchr (full_pgmname, '/')))
295 pgmname = full_pgmname;
299 /* OS X needs the entire file name in argv[0], so that it can locate
300 the resource bundle. For other systems we stick to the usual
301 convention of supplying only the name of the program. */
303 argv[0] = full_pgmname;
308 if (!opt.keep_display
309 && (value = session_env_getenv (ctrl->session_env, "DISPLAY")))
311 argv[1] = "--display";
319 if (!opt.running_detached)
321 if (log_get_fd () != -1)
322 no_close_list[i++] = assuan_fd_from_posix_fd (log_get_fd ());
323 no_close_list[i++] = assuan_fd_from_posix_fd (fileno (stderr));
325 no_close_list[i] = ASSUAN_INVALID_FD;
327 rc = assuan_new (&ctx);
330 log_error ("can't allocate assuan context: %s\n", gpg_strerror (rc));
333 /* We don't want to log the pinentry communication to make the logs
334 easier to read. We might want to add a new debug option to enable
336 #ifdef ASSUAN_NO_LOGGING
337 assuan_set_flag (ctx, ASSUAN_NO_LOGGING, !opt.debug_pinentry);
340 /* Connect to the pinentry and perform initial handshaking. Note
341 that atfork is used to change the environment for pinentry. We
342 start the server in detached mode to suppress the console window
344 rc = assuan_pipe_connect (ctx, full_pgmname, argv,
345 no_close_list, atfork_cb, ctrl,
346 ASSUAN_PIPE_CONNECT_DETACHED);
349 log_error ("can't connect to the PIN entry module '%s': %s\n",
350 full_pgmname, gpg_strerror (rc));
351 assuan_release (ctx);
352 return unlock_pinentry (gpg_error (GPG_ERR_NO_PIN_ENTRY));
357 log_debug ("connection to PIN entry established\n");
359 value = session_env_getenv (ctrl->session_env, "PINENTRY_USER_DATA");
363 if (asprintf (&optstr, "OPTION pinentry-user-data=%s", value) < 0 )
364 return unlock_pinentry (out_of_core ());
365 rc = assuan_transact (entry_ctx, optstr, NULL, NULL, NULL, NULL, NULL,
368 if (rc && gpg_err_code (rc) != GPG_ERR_UNKNOWN_OPTION)
369 return unlock_pinentry (rc);
372 rc = assuan_transact (entry_ctx,
373 opt.no_grab? "OPTION no-grab":"OPTION grab",
374 NULL, NULL, NULL, NULL, NULL, NULL);
376 return unlock_pinentry (rc);
378 value = session_env_getenv (ctrl->session_env, "GPG_TTY");
382 if (asprintf (&optstr, "OPTION ttyname=%s", value) < 0 )
383 return unlock_pinentry (out_of_core ());
384 rc = assuan_transact (entry_ctx, optstr, NULL, NULL, NULL, NULL, NULL,
388 return unlock_pinentry (rc);
390 value = session_env_getenv (ctrl->session_env, "TERM");
394 if (asprintf (&optstr, "OPTION ttytype=%s", value) < 0 )
395 return unlock_pinentry (out_of_core ());
396 rc = assuan_transact (entry_ctx, optstr, NULL, NULL, NULL, NULL, NULL,
400 return unlock_pinentry (rc);
405 if (asprintf (&optstr, "OPTION lc-ctype=%s", ctrl->lc_ctype) < 0 )
406 return unlock_pinentry (out_of_core ());
407 rc = assuan_transact (entry_ctx, optstr, NULL, NULL, NULL, NULL, NULL,
411 return unlock_pinentry (rc);
413 if (ctrl->lc_messages)
416 if (asprintf (&optstr, "OPTION lc-messages=%s", ctrl->lc_messages) < 0 )
417 return unlock_pinentry (out_of_core ());
418 rc = assuan_transact (entry_ctx, optstr, NULL, NULL, NULL, NULL, NULL,
422 return unlock_pinentry (rc);
426 if (opt.allow_external_cache)
428 /* Indicate to the pinentry that it may read from an external cache.
430 It is essential that the pinentry respect this. If the
431 cached password is not up to date and retry == 1, then, using
432 a version of GPG Agent that doesn't support this, won't issue
433 another pin request and the user won't get a chance to
434 correct the password. */
435 rc = assuan_transact (entry_ctx, "OPTION allow-external-password-cache",
436 NULL, NULL, NULL, NULL, NULL, NULL);
437 if (rc && gpg_err_code (rc) != GPG_ERR_UNKNOWN_OPTION)
438 return unlock_pinentry (rc);
441 if (opt.allow_emacs_pinentry)
443 /* Indicate to the pinentry that it may read passphrase through
444 Emacs minibuffer, if possible. */
445 rc = assuan_transact (entry_ctx, "OPTION allow-emacs-prompt",
446 NULL, NULL, NULL, NULL, NULL, NULL);
447 if (rc && gpg_err_code (rc) != GPG_ERR_UNKNOWN_OPTION)
448 return unlock_pinentry (rc);
453 /* Provide a few default strings for use by the pinentries. This
454 may help a pinentry to avoid implementing localization code. */
455 static struct { const char *key, *value; int what; } tbl[] = {
456 /* TRANSLATORS: These are labels for buttons etc used in
457 Pinentries. An underscore indicates that the next letter
458 should be used as an accelerator. Double the underscore for
459 a literal one. The actual to be translated text starts after
460 the second vertical bar. Note that gpg-agent has been set to
461 utf-8 so that the strings are in the expected encoding. */
462 { "ok", N_("|pinentry-label|_OK") },
463 { "cancel", N_("|pinentry-label|_Cancel") },
464 { "yes", N_("|pinentry-label|_Yes") },
465 { "no", N_("|pinentry-label|_No") },
466 { "prompt", N_("|pinentry-label|PIN:") },
467 { "pwmngr", N_("|pinentry-label|_Save in password manager"), 1 },
468 { "cf-visi",N_("Do you really want to make your "
469 "passphrase visible on the screen?") },
470 { "tt-visi",N_("|pinentry-tt|Make passphrase visible") },
471 { "tt-hide",N_("|pinentry-tt|Hide passphrase") },
478 for (idx=0; tbl[idx].key; idx++)
480 if (!opt.allow_external_cache && tbl[idx].what == 1)
481 continue; /* No need for it. */
482 s = L_(tbl[idx].value);
483 if (*s == '|' && (s2=strchr (s+1,'|')))
485 if (asprintf (&optstr, "OPTION default-%s=%s", tbl[idx].key, s) < 0 )
486 return unlock_pinentry (out_of_core ());
487 assuan_transact (entry_ctx, optstr, NULL, NULL, NULL, NULL, NULL,
493 /* Tell the pinentry that we would prefer that the given character
494 is used as the invisible character by the entry widget. */
495 if (opt.pinentry_invisible_char)
498 if ((optstr = xtryasprintf ("OPTION invisible-char=%s",
499 opt.pinentry_invisible_char)))
501 assuan_transact (entry_ctx, optstr, NULL, NULL, NULL, NULL, NULL,
503 /* We ignore errors because this is just a fancy thing and
504 older pinentries do not support this feature. */
509 if (opt.pinentry_timeout)
512 if ((optstr = xtryasprintf ("SETTIMEOUT %lu", opt.pinentry_timeout)))
514 assuan_transact (entry_ctx, optstr, NULL, NULL, NULL, NULL, NULL,
516 /* We ignore errors because this is just a fancy thing. */
521 /* Tell the pinentry the name of a file it shall touch after having
522 messed with the tty. This is optional and only supported by
523 newer pinentries and thus we do no error checking. */
524 tmpstr = opt.pinentry_touch_file;
525 if (tmpstr && !strcmp (tmpstr, "/dev/null"))
528 tmpstr = get_agent_socket_name ();
533 if (asprintf (&optstr, "OPTION touch-file=%s", tmpstr ) < 0 )
537 assuan_transact (entry_ctx, optstr, NULL, NULL, NULL, NULL, NULL,
544 /* Ask the pinentry for its version and flavor and streo that as a
545 * string in MB. This information is useful for helping users to
546 * figure out Pinentry problems. */
550 init_membuf (&mb, 256);
551 if (assuan_transact (entry_ctx, "GETINFO flavor",
552 put_membuf_cb, &mb, NULL, NULL, NULL, NULL))
553 put_membuf_str (&mb, "unknown");
554 put_membuf_str (&mb, " ");
555 if (assuan_transact (entry_ctx, "GETINFO version",
556 put_membuf_cb, &mb, NULL, NULL, NULL, NULL))
557 put_membuf_str (&mb, "unknown");
558 put_membuf (&mb, "", 1);
559 flavor_version = get_membuf (&mb, NULL);
563 /* Now ask the Pinentry for its PID. If the Pinentry is new enough
564 it will send the pid back and we will use an inquire to notify
565 our client. The client may answer the inquiry either with END or
566 with CAN to cancel the pinentry. */
567 rc = assuan_transact (entry_ctx, "GETINFO pid",
568 getinfo_pid_cb, &pinentry_pid,
569 NULL, NULL, NULL, NULL);
572 log_info ("You may want to update to a newer pinentry\n");
575 else if (!rc && (pid_t)pinentry_pid == (pid_t)(-1))
576 log_error ("pinentry did not return a PID\n");
579 rc = agent_inq_pinentry_launched (ctrl, pinentry_pid, flavor_version);
580 if (gpg_err_code (rc) == GPG_ERR_CANCELED
581 || gpg_err_code (rc) == GPG_ERR_FULLY_CANCELED)
582 return unlock_pinentry (gpg_err_make (GPG_ERR_SOURCE_DEFAULT,
587 xfree (flavor_version);
593 /* Returns True if the pinentry is currently active. If WAITSECONDS is
594 greater than zero the function will wait for this many seconds
597 pinentry_active_p (ctrl_t ctrl, int waitseconds)
604 struct timespec abstime;
607 npth_clock_gettime (&abstime);
608 abstime.tv_sec += waitseconds;
609 err = npth_mutex_timedlock (&entry_lock, &abstime);
612 if (err == ETIMEDOUT)
613 rc = gpg_error (GPG_ERR_TIMEOUT);
615 rc = gpg_error (GPG_ERR_INTERNAL);
621 err = npth_mutex_trylock (&entry_lock);
623 return gpg_error (GPG_ERR_LOCKED);
626 err = npth_mutex_unlock (&entry_lock);
628 log_error ("failed to release the entry lock at %d: %s\n", __LINE__,
635 getpin_cb (void *opaque, const void *buffer, size_t length)
637 struct entry_parm_s *parm = opaque;
642 /* we expect the pin to fit on one line */
643 if (parm->lines || length >= parm->size)
644 return gpg_error (GPG_ERR_ASS_TOO_MUCH_DATA);
646 /* fixme: we should make sure that the assuan buffer is allocated in
647 secure memory or read the response byte by byte */
648 memcpy (parm->buffer, buffer, length);
649 parm->buffer[length] = 0;
656 all_digitsp( const char *s)
658 for (; *s && *s >= '0' && *s <= '9'; s++)
664 /* Return a new malloced string by unescaping the string S. Escaping
665 is percent escaping and '+'/space mapping. A binary Nul will
666 silently be replaced by a 0xFF. Function returns NULL to indicate
667 an out of memory status. Parsing stops at the end of the string or
668 a white space character. */
670 unescape_passphrase_string (const unsigned char *s)
674 buffer = d = xtrymalloc_secure (strlen ((const char*)s)+1);
677 while (*s && !spacep (s))
679 if (*s == '%' && s[1] && s[2])
701 /* Estimate the quality of the passphrase PW and return a value in the
704 estimate_passphrase_quality (const char *pw)
706 int goodlength = opt.min_passphrase_len + opt.min_passphrase_len/3;
713 for (length = 0, s = pw; *s; s++)
717 if (length > goodlength)
719 return ((length*10) / goodlength)*10;
723 /* Handle the QUALITY inquiry. */
725 inq_quality (void *opaque, const char *line)
727 assuan_context_t ctx = opaque;
734 if ((s = has_leading_keyword (line, "QUALITY")))
736 pin = unescape_passphrase_string (s);
738 rc = gpg_error_from_syserror ();
741 percent = estimate_passphrase_quality (pin);
742 if (check_passphrase_constraints (NULL, pin, NULL))
744 snprintf (numbuf, sizeof numbuf, "%d", percent);
745 rc = assuan_send_data (ctx, numbuf, strlen (numbuf));
751 log_error ("unsupported inquiry '%s' from pinentry\n", line);
752 rc = gpg_error (GPG_ERR_ASS_UNKNOWN_INQUIRE);
759 /* Helper for agent_askpin and agent_get_passphrase. */
761 setup_qualitybar (ctrl_t ctrl)
764 char line[ASSUAN_LINELENGTH];
765 char *tmpstr, *tmpstr2;
770 /* TRANSLATORS: This string is displayed by Pinentry as the label
771 for the quality bar. */
772 tmpstr = try_percent_escape (L_("Quality:"), "\t\r\n\f\v");
773 snprintf (line, DIM(line), "SETQUALITYBAR %s", tmpstr? tmpstr:"");
775 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
776 if (rc == 103 /*(Old assuan error code)*/
777 || gpg_err_code (rc) == GPG_ERR_ASS_UNKNOWN_CMD)
778 ; /* Ignore Unknown Command from old Pinentry versions. */
782 tmpstr2 = gnupg_get_help_string ("pinentry.qualitybar.tooltip", 0);
787 /* TRANSLATORS: This string is a tooltip, shown by pinentry when
788 hovering over the quality bar. Please use an appropriate
789 string to describe what this is about. The length of the
790 tooltip is limited to about 900 characters. If you do not
791 translate this entry, a default english text (see source)
793 tooltip = L_("pinentry.qualitybar.tooltip");
794 if (!strcmp ("pinentry.qualitybar.tooltip", tooltip))
795 tooltip = ("The quality of the text entered above.\n"
796 "Please ask your administrator for "
797 "details about the criteria.");
799 tmpstr = try_percent_escape (tooltip, "\t\r\n\f\v");
801 snprintf (line, DIM(line), "SETQUALITYBAR_TT %s", tmpstr? tmpstr:"");
803 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
804 if (rc == 103 /*(Old assuan error code)*/
805 || gpg_err_code (rc) == GPG_ERR_ASS_UNKNOWN_CMD)
806 ; /* Ignore Unknown Command from old pinentry versions. */
815 PINENTRY_STATUS_CLOSE_BUTTON = 1 << 0,
816 PINENTRY_STATUS_PIN_REPEATED = 1 << 8,
817 PINENTRY_STATUS_PASSWORD_FROM_CACHE = 1 << 9
820 /* Check the button_info line for a close action. Also check for the
821 PIN_REPEATED flag. */
823 pinentry_status_cb (void *opaque, const char *line)
825 unsigned int *flag = opaque;
828 if ((args = has_leading_keyword (line, "BUTTON_INFO")))
830 if (!strcmp (args, "close"))
831 *flag |= PINENTRY_STATUS_CLOSE_BUTTON;
833 else if (has_leading_keyword (line, "PIN_REPEATED"))
835 *flag |= PINENTRY_STATUS_PIN_REPEATED;
837 else if (has_leading_keyword (line, "PASSWORD_FROM_CACHE"))
839 *flag |= PINENTRY_STATUS_PASSWORD_FROM_CACHE;
848 /* Call the Entry and ask for the PIN. We do check for a valid PIN
849 number here and repeat it as long as we have invalid formed
850 numbers. KEYINFO and CACHE_MODE are used to tell pinentry something
853 agent_askpin (ctrl_t ctrl,
854 const char *desc_text, const char *prompt_text,
855 const char *initial_errtext,
856 struct pin_entry_info_s *pininfo,
857 const char *keyinfo, cache_mode_t cache_mode)
860 char line[ASSUAN_LINELENGTH];
861 struct entry_parm_s parm;
862 const char *errtext = NULL;
865 unsigned int pinentry_status;
868 return 0; /* fixme: we should return BAD PIN */
870 if (ctrl->pinentry_mode != PINENTRY_MODE_ASK)
872 if (ctrl->pinentry_mode == PINENTRY_MODE_CANCEL)
873 return gpg_error (GPG_ERR_CANCELED);
874 if (ctrl->pinentry_mode == PINENTRY_MODE_LOOPBACK)
876 unsigned char *passphrase;
879 *pininfo->pin = 0; /* Reset the PIN. */
880 rc = pinentry_loopback(ctrl, "PASSPHRASE", &passphrase, &size,
881 pininfo->max_length - 1);
885 memcpy(&pininfo->pin, passphrase, size);
887 pininfo->pin[size] = 0;
888 if (pininfo->check_cb)
890 /* More checks by utilizing the optional callback. */
891 pininfo->cb_errtext = NULL;
892 rc = pininfo->check_cb (pininfo);
896 return gpg_error(GPG_ERR_NO_PIN_ENTRY);
899 if (!pininfo || pininfo->max_length < 1)
900 return gpg_error (GPG_ERR_INV_VALUE);
901 if (!desc_text && pininfo->min_digits)
902 desc_text = L_("Please enter your PIN, so that the secret key "
903 "can be unlocked for this session");
905 desc_text = L_("Please enter your passphrase, so that the secret key "
906 "can be unlocked for this session");
909 is_pin = !!strstr (prompt_text, "PIN");
911 is_pin = desc_text && strstr (desc_text, "PIN");
913 rc = start_pinentry (ctrl);
917 /* If we have a KEYINFO string and are normal, user, or ssh cache
918 mode, we tell that the Pinentry so it may use it for own caching
919 purposes. Most pinentries won't have this implemented and thus
920 we do not error out in this case. */
921 if (keyinfo && (cache_mode == CACHE_MODE_NORMAL
922 || cache_mode == CACHE_MODE_USER
923 || cache_mode == CACHE_MODE_SSH))
924 snprintf (line, DIM(line), "SETKEYINFO %c/%s",
925 cache_mode == CACHE_MODE_USER? 'u' :
926 cache_mode == CACHE_MODE_SSH? 's' : 'n',
929 snprintf (line, DIM(line), "SETKEYINFO --clear");
931 rc = assuan_transact (entry_ctx, line,
932 NULL, NULL, NULL, NULL, NULL, NULL);
933 if (rc && gpg_err_code (rc) != GPG_ERR_ASS_UNKNOWN_CMD)
934 return unlock_pinentry (rc);
936 snprintf (line, DIM(line), "SETDESC %s", desc_text);
937 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
939 return unlock_pinentry (rc);
941 snprintf (line, DIM(line), "SETPROMPT %s",
942 prompt_text? prompt_text : is_pin? L_("PIN:") : L_("Passphrase:"));
943 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
945 return unlock_pinentry (rc);
947 /* If a passphrase quality indicator has been requested and a
948 minimum passphrase length has not been disabled, send the command
950 if (pininfo->with_qualitybar && opt.min_passphrase_len )
952 rc = setup_qualitybar (ctrl);
954 return unlock_pinentry (rc);
959 snprintf (line, DIM(line), "SETERROR %s", initial_errtext);
960 rc = assuan_transact (entry_ctx, line,
961 NULL, NULL, NULL, NULL, NULL, NULL);
963 return unlock_pinentry (rc);
966 if (pininfo->with_repeat)
968 snprintf (line, DIM(line), "SETREPEATERROR %s",
969 L_("does not match - try again"));
970 rc = assuan_transact (entry_ctx, line,
971 NULL, NULL, NULL, NULL, NULL, NULL);
973 pininfo->with_repeat = 0; /* Pinentry does not support it. */
975 pininfo->repeat_okay = 0;
977 for (;pininfo->failed_tries < pininfo->max_tries; pininfo->failed_tries++)
979 memset (&parm, 0, sizeof parm);
980 parm.size = pininfo->max_length;
981 *pininfo->pin = 0; /* Reset the PIN. */
982 parm.buffer = (unsigned char*)pininfo->pin;
986 /* TRANSLATORS: The string is appended to an error message in
987 the pinentry. The %s is the actual error message, the
988 two %d give the current and maximum number of tries. */
989 snprintf (line, DIM(line), L_("SETERROR %s (try %d of %d)"),
990 errtext, pininfo->failed_tries+1, pininfo->max_tries);
991 rc = assuan_transact (entry_ctx, line,
992 NULL, NULL, NULL, NULL, NULL, NULL);
994 return unlock_pinentry (rc);
998 if (pininfo->with_repeat)
1000 snprintf (line, DIM(line), "SETREPEAT %s", L_("Repeat:"));
1001 rc = assuan_transact (entry_ctx, line,
1002 NULL, NULL, NULL, NULL, NULL, NULL);
1004 return unlock_pinentry (rc);
1007 saveflag = assuan_get_flag (entry_ctx, ASSUAN_CONFIDENTIAL);
1008 assuan_begin_confidential (entry_ctx);
1009 pinentry_status = 0;
1010 rc = assuan_transact (entry_ctx, "GETPIN", getpin_cb, &parm,
1011 inq_quality, entry_ctx,
1012 pinentry_status_cb, &pinentry_status);
1013 assuan_set_flag (entry_ctx, ASSUAN_CONFIDENTIAL, saveflag);
1014 /* Most pinentries out in the wild return the old Assuan error code
1015 for canceled which gets translated to an assuan Cancel error and
1016 not to the code for a user cancel. Fix this here. */
1017 if (rc && gpg_err_source (rc)
1018 && gpg_err_code (rc) == GPG_ERR_ASS_CANCELED)
1019 rc = gpg_err_make (gpg_err_source (rc), GPG_ERR_CANCELED);
1022 /* Change error code in case the window close button was clicked
1023 to cancel the operation. */
1024 if ((pinentry_status & PINENTRY_STATUS_CLOSE_BUTTON)
1025 && gpg_err_code (rc) == GPG_ERR_CANCELED)
1026 rc = gpg_err_make (gpg_err_source (rc), GPG_ERR_FULLY_CANCELED);
1028 if (gpg_err_code (rc) == GPG_ERR_ASS_TOO_MUCH_DATA)
1029 errtext = is_pin? L_("PIN too long")
1030 : L_("Passphrase too long");
1032 return unlock_pinentry (rc);
1034 if (!errtext && pininfo->min_digits)
1036 /* do some basic checks on the entered PIN. */
1037 if (!all_digitsp (pininfo->pin))
1038 errtext = L_("Invalid characters in PIN");
1039 else if (pininfo->max_digits
1040 && strlen (pininfo->pin) > pininfo->max_digits)
1041 errtext = L_("PIN too long");
1042 else if (strlen (pininfo->pin) < pininfo->min_digits)
1043 errtext = L_("PIN too short");
1046 if (!errtext && pininfo->check_cb)
1048 /* More checks by utilizing the optional callback. */
1049 pininfo->cb_errtext = NULL;
1050 rc = pininfo->check_cb (pininfo);
1051 if (gpg_err_code (rc) == GPG_ERR_BAD_PASSPHRASE
1052 && pininfo->cb_errtext)
1053 errtext = pininfo->cb_errtext;
1054 else if (gpg_err_code (rc) == GPG_ERR_BAD_PASSPHRASE
1055 || gpg_err_code (rc) == GPG_ERR_BAD_PIN)
1056 errtext = (is_pin? L_("Bad PIN") : L_("Bad Passphrase"));
1058 return unlock_pinentry (rc);
1063 if (pininfo->with_repeat
1064 && (pinentry_status & PINENTRY_STATUS_PIN_REPEATED))
1065 pininfo->repeat_okay = 1;
1066 return unlock_pinentry (0); /* okay, got a PIN or passphrase */
1069 if ((pinentry_status & PINENTRY_STATUS_PASSWORD_FROM_CACHE))
1070 /* The password was read from the cache. Don't count this
1071 against the retry count. */
1072 pininfo->failed_tries --;
1075 return unlock_pinentry (gpg_error (pininfo->min_digits? GPG_ERR_BAD_PIN
1076 : GPG_ERR_BAD_PASSPHRASE));
1081 /* Ask for the passphrase using the supplied arguments. The returned
1082 passphrase needs to be freed by the caller. */
1084 agent_get_passphrase (ctrl_t ctrl,
1085 char **retpass, const char *desc, const char *prompt,
1086 const char *errtext, int with_qualitybar,
1087 const char *keyinfo, cache_mode_t cache_mode)
1091 char line[ASSUAN_LINELENGTH];
1092 struct entry_parm_s parm;
1094 unsigned int pinentry_status;
1098 return gpg_error (GPG_ERR_BAD_PASSPHRASE);
1100 if (ctrl->pinentry_mode != PINENTRY_MODE_ASK)
1102 if (ctrl->pinentry_mode == PINENTRY_MODE_CANCEL)
1103 return gpg_error (GPG_ERR_CANCELED);
1105 if (ctrl->pinentry_mode == PINENTRY_MODE_LOOPBACK)
1108 size_t len = ASSUAN_LINELENGTH/2;
1110 return pinentry_loopback (ctrl, "PASSPHRASE",
1111 (unsigned char **)retpass, &size, len);
1113 return gpg_error (GPG_ERR_NO_PIN_ENTRY);
1116 rc = start_pinentry (ctrl);
1121 prompt = desc && strstr (desc, "PIN")? L_("PIN:"): L_("Passphrase:");
1124 /* If we have a KEYINFO string and are normal, user, or ssh cache
1125 mode, we tell that the Pinentry so it may use it for own caching
1126 purposes. Most pinentries won't have this implemented and thus
1127 we do not error out in this case. */
1128 if (keyinfo && (cache_mode == CACHE_MODE_NORMAL
1129 || cache_mode == CACHE_MODE_USER
1130 || cache_mode == CACHE_MODE_SSH))
1131 snprintf (line, DIM(line), "SETKEYINFO %c/%s",
1132 cache_mode == CACHE_MODE_USER? 'u' :
1133 cache_mode == CACHE_MODE_SSH? 's' : 'n',
1136 snprintf (line, DIM(line), "SETKEYINFO --clear");
1138 rc = assuan_transact (entry_ctx, line,
1139 NULL, NULL, NULL, NULL, NULL, NULL);
1140 if (rc && gpg_err_code (rc) != GPG_ERR_ASS_UNKNOWN_CMD)
1141 return unlock_pinentry (rc);
1145 snprintf (line, DIM(line), "SETDESC %s", desc);
1147 snprintf (line, DIM(line), "RESET");
1148 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
1150 return unlock_pinentry (rc);
1152 snprintf (line, DIM(line), "SETPROMPT %s", prompt);
1153 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
1155 return unlock_pinentry (rc);
1157 if (with_qualitybar && opt.min_passphrase_len)
1159 rc = setup_qualitybar (ctrl);
1161 return unlock_pinentry (rc);
1166 snprintf (line, DIM(line), "SETERROR %s", errtext);
1167 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
1169 return unlock_pinentry (rc);
1172 memset (&parm, 0, sizeof parm);
1173 parm.size = ASSUAN_LINELENGTH/2 - 5;
1174 parm.buffer = gcry_malloc_secure (parm.size+10);
1176 return unlock_pinentry (out_of_core ());
1178 saveflag = assuan_get_flag (entry_ctx, ASSUAN_CONFIDENTIAL);
1179 assuan_begin_confidential (entry_ctx);
1180 pinentry_status = 0;
1181 rc = assuan_transact (entry_ctx, "GETPIN", getpin_cb, &parm,
1182 inq_quality, entry_ctx,
1183 pinentry_status_cb, &pinentry_status);
1184 assuan_set_flag (entry_ctx, ASSUAN_CONFIDENTIAL, saveflag);
1185 /* Most pinentries out in the wild return the old Assuan error code
1186 for canceled which gets translated to an assuan Cancel error and
1187 not to the code for a user cancel. Fix this here. */
1188 if (rc && gpg_err_source (rc) && gpg_err_code (rc) == GPG_ERR_ASS_CANCELED)
1189 rc = gpg_err_make (gpg_err_source (rc), GPG_ERR_CANCELED);
1190 /* Change error code in case the window close button was clicked
1191 to cancel the operation. */
1192 if ((pinentry_status & PINENTRY_STATUS_CLOSE_BUTTON)
1193 && gpg_err_code (rc) == GPG_ERR_CANCELED)
1194 rc = gpg_err_make (gpg_err_source (rc), GPG_ERR_FULLY_CANCELED);
1197 xfree (parm.buffer);
1199 *retpass = parm.buffer;
1200 return unlock_pinentry (rc);
1205 /* Pop up the PIN-entry, display the text and the prompt and ask the
1206 user to confirm this. We return 0 for success, ie. the user
1207 confirmed it, GPG_ERR_NOT_CONFIRMED for what the text says or an
1208 other error. If WITH_CANCEL it true an extra cancel button is
1209 displayed to allow the user to easily return a GPG_ERR_CANCELED.
1210 if the Pinentry does not support this, the user can still cancel by
1211 closing the Pinentry window. */
1213 agent_get_confirmation (ctrl_t ctrl,
1214 const char *desc, const char *ok,
1215 const char *notok, int with_cancel)
1218 char line[ASSUAN_LINELENGTH];
1220 if (ctrl->pinentry_mode != PINENTRY_MODE_ASK)
1222 if (ctrl->pinentry_mode == PINENTRY_MODE_CANCEL)
1223 return gpg_error (GPG_ERR_CANCELED);
1225 return gpg_error (GPG_ERR_NO_PIN_ENTRY);
1228 rc = start_pinentry (ctrl);
1233 snprintf (line, DIM(line), "SETDESC %s", desc);
1235 snprintf (line, DIM(line), "RESET");
1236 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
1237 /* Most pinentries out in the wild return the old Assuan error code
1238 for canceled which gets translated to an assuan Cancel error and
1239 not to the code for a user cancel. Fix this here. */
1240 if (rc && gpg_err_source (rc) && gpg_err_code (rc) == GPG_ERR_ASS_CANCELED)
1241 rc = gpg_err_make (gpg_err_source (rc), GPG_ERR_CANCELED);
1244 return unlock_pinentry (rc);
1248 snprintf (line, DIM(line), "SETOK %s", ok);
1249 rc = assuan_transact (entry_ctx,
1250 line, NULL, NULL, NULL, NULL, NULL, NULL);
1252 return unlock_pinentry (rc);
1256 /* Try to use the newer NOTOK feature if a cancel button is
1257 requested. If no cancel button is requested we keep on using
1258 the standard cancel. */
1261 snprintf (line, DIM(line), "SETNOTOK %s", notok);
1262 rc = assuan_transact (entry_ctx,
1263 line, NULL, NULL, NULL, NULL, NULL, NULL);
1266 rc = GPG_ERR_ASS_UNKNOWN_CMD;
1268 if (gpg_err_code (rc) == GPG_ERR_ASS_UNKNOWN_CMD)
1270 snprintf (line, DIM(line), "SETCANCEL %s", notok);
1271 rc = assuan_transact (entry_ctx, line,
1272 NULL, NULL, NULL, NULL, NULL, NULL);
1275 return unlock_pinentry (rc);
1278 rc = assuan_transact (entry_ctx, "CONFIRM",
1279 NULL, NULL, NULL, NULL, NULL, NULL);
1280 if (rc && gpg_err_source (rc) && gpg_err_code (rc) == GPG_ERR_ASS_CANCELED)
1281 rc = gpg_err_make (gpg_err_source (rc), GPG_ERR_CANCELED);
1283 return unlock_pinentry (rc);
1288 /* Pop up the PINentry, display the text DESC and a button with the
1289 text OK_BTN (which may be NULL to use the default of "OK") and wait
1290 for the user to hit this button. The return value is not
1293 agent_show_message (ctrl_t ctrl, const char *desc, const char *ok_btn)
1296 char line[ASSUAN_LINELENGTH];
1298 if (ctrl->pinentry_mode != PINENTRY_MODE_ASK)
1299 return gpg_error (GPG_ERR_CANCELED);
1301 rc = start_pinentry (ctrl);
1306 snprintf (line, DIM(line), "SETDESC %s", desc);
1308 snprintf (line, DIM(line), "RESET");
1309 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
1310 /* Most pinentries out in the wild return the old Assuan error code
1311 for canceled which gets translated to an assuan Cancel error and
1312 not to the code for a user cancel. Fix this here. */
1313 if (rc && gpg_err_source (rc) && gpg_err_code (rc) == GPG_ERR_ASS_CANCELED)
1314 rc = gpg_err_make (gpg_err_source (rc), GPG_ERR_CANCELED);
1317 return unlock_pinentry (rc);
1321 snprintf (line, DIM(line), "SETOK %s", ok_btn);
1322 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL,
1325 return unlock_pinentry (rc);
1328 rc = assuan_transact (entry_ctx, "CONFIRM --one-button", NULL, NULL, NULL,
1330 if (rc && gpg_err_source (rc) && gpg_err_code (rc) == GPG_ERR_ASS_CANCELED)
1331 rc = gpg_err_make (gpg_err_source (rc), GPG_ERR_CANCELED);
1333 return unlock_pinentry (rc);
1337 /* The thread running the popup message. */
1339 popup_message_thread (void *arg)
1343 /* We use the --one-button hack instead of the MESSAGE command to
1344 allow the use of old Pinentries. Those old Pinentries will then
1345 show an additional Cancel button but that is mostly a visual
1347 assuan_transact (entry_ctx, "CONFIRM --one-button",
1348 NULL, NULL, NULL, NULL, NULL, NULL);
1354 /* Pop up a message window similar to the confirm one but keep it open
1355 until agent_popup_message_stop has been called. It is crucial for
1356 the caller to make sure that the stop function gets called as soon
1357 as the message is not anymore required because the message is
1358 system modal and all other attempts to use the pinentry will fail
1359 (after a timeout). */
1361 agent_popup_message_start (ctrl_t ctrl, const char *desc, const char *ok_btn)
1364 char line[ASSUAN_LINELENGTH];
1368 if (ctrl->pinentry_mode != PINENTRY_MODE_ASK)
1369 return gpg_error (GPG_ERR_CANCELED);
1371 rc = start_pinentry (ctrl);
1376 snprintf (line, DIM(line), "SETDESC %s", desc);
1378 snprintf (line, DIM(line), "RESET");
1379 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
1381 return unlock_pinentry (rc);
1385 snprintf (line, DIM(line), "SETOK %s", ok_btn);
1386 rc = assuan_transact (entry_ctx, line, NULL,NULL,NULL,NULL,NULL,NULL);
1388 return unlock_pinentry (rc);
1391 err = npth_attr_init (&tattr);
1393 return unlock_pinentry (gpg_error_from_errno (err));
1394 npth_attr_setdetachstate (&tattr, NPTH_CREATE_JOINABLE);
1397 err = npth_create (&popup_tid, &tattr, popup_message_thread, NULL);
1398 npth_attr_destroy (&tattr);
1401 rc = gpg_error_from_errno (err);
1402 log_error ("error spawning popup message handler: %s\n",
1404 return unlock_pinentry (rc);
1406 npth_setname_np (popup_tid, "popup-message");
1411 /* Close a popup window. */
1413 agent_popup_message_stop (ctrl_t ctrl)
1420 if (!popup_tid || !entry_ctx)
1422 log_debug ("agent_popup_message_stop called with no active popup\n");
1426 pid = assuan_get_pid (entry_ctx);
1427 if (pid == (pid_t)(-1))
1428 ; /* No pid available can't send a kill. */
1429 else if (popup_finished)
1430 ; /* Already finished and ready for joining. */
1431 #ifdef HAVE_W32_SYSTEM
1432 /* Older versions of assuan set PID to 0 on Windows to indicate an
1434 else if (pid != (pid_t) INVALID_HANDLE_VALUE
1437 HANDLE process = (HANDLE) pid;
1439 /* Arbitrary error code. */
1440 TerminateProcess (process, 1);
1443 else if (pid && ((rc=waitpid (pid, NULL, WNOHANG))==-1 || (rc == pid)) )
1444 { /* The daemon already died. No need to send a kill. However
1445 because we already waited for the process, we need to tell
1446 assuan that it should not wait again (done by
1447 unlock_pinentry). */
1449 assuan_set_flag (entry_ctx, ASSUAN_NO_WAITPID, 1);
1455 /* Now wait for the thread to terminate. */
1456 rc = npth_join (popup_tid, NULL);
1458 log_debug ("agent_popup_message_stop: pth_join failed: %s\n",
1460 /* Thread IDs are opaque, but we try our best here by resetting it
1461 to the same content that a static global variable has. */
1462 memset (&popup_tid, '\0', sizeof (popup_tid));
1465 /* Now we can close the connection. */
1466 unlock_pinentry (0);
1470 agent_clear_passphrase (ctrl_t ctrl,
1471 const char *keyinfo, cache_mode_t cache_mode)
1474 char line[ASSUAN_LINELENGTH];
1476 if (! (keyinfo && (cache_mode == CACHE_MODE_NORMAL
1477 || cache_mode == CACHE_MODE_USER
1478 || cache_mode == CACHE_MODE_SSH)))
1479 return gpg_error (GPG_ERR_NOT_SUPPORTED);
1481 rc = start_pinentry (ctrl);
1485 snprintf (line, DIM(line), "CLEARPASSPHRASE %c/%s",
1486 cache_mode == CACHE_MODE_USER? 'u' :
1487 cache_mode == CACHE_MODE_SSH? 's' : 'n',
1489 rc = assuan_transact (entry_ctx, line,
1490 NULL, NULL, NULL, NULL, NULL, NULL);
1492 return unlock_pinentry (rc);