1 /* call-pinentry.c - Spawn the pinentry to query stuff from the user
2 * Copyright (C) 2001, 2002, 2004, 2007, 2008,
3 * 2010 Free Software Foundation, Inc.
5 * This file is part of GnuPG.
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <https://www.gnu.org/licenses/>.
30 #ifndef HAVE_W32_SYSTEM
31 # include <sys/wait.h>
32 # include <sys/types.h>
42 #ifdef _POSIX_OPEN_MAX
43 #define MAX_OPEN_FDS _POSIX_OPEN_MAX
45 #define MAX_OPEN_FDS 20
49 /* Because access to the pinentry must be serialized (it is and shall
50 be a global mutually exclusive dialog) we better timeout pending
51 requests after some time. 1 minute seem to be a reasonable
53 #define LOCK_TIMEOUT (1*60)
55 /* The assuan context of the current pinentry. */
56 static assuan_context_t entry_ctx;
58 /* The control variable of the connection owning the current pinentry.
59 This is only valid if ENTRY_CTX is not NULL. Note, that we care
60 only about the value of the pointer and that it should never be
62 static ctrl_t entry_owner;
64 /* A mutex used to serialize access to the pinentry. */
65 static npth_mutex_t entry_lock;
67 /* The thread ID of the popup working thread. */
68 static npth_t popup_tid;
70 /* A flag used in communication between the popup working thread and
72 static int popup_finished;
76 /* Data to be passed to our callbacks, */
81 unsigned char *buffer;
87 /* This function must be called once to initialize this module. This
88 has to be done before a second thread is spawned. We can't do the
89 static initialization because Pth emulation code might not be able
90 to do a static init; in particular, it is not possible for W32. */
92 initialize_module_call_pinentry (void)
94 static int initialized;
98 if (npth_mutex_init (&entry_lock, NULL))
105 /* This function may be called to print infromation pertaining to the
106 current state of this module to the log. */
108 agent_query_dump_state (void)
110 log_info ("agent_query_dump_state: entry_ctx=%p pid=%ld popup_tid=%p\n",
111 entry_ctx, (long)assuan_get_pid (entry_ctx), (void*)popup_tid);
114 /* Called to make sure that a popup window owned by the current
115 connection gets closed. */
117 agent_reset_query (ctrl_t ctrl)
119 if (entry_ctx && popup_tid && entry_owner == ctrl)
121 agent_popup_message_stop (ctrl);
126 /* Unlock the pinentry so that another thread can start one and
127 disconnect that pinentry - we do this after the unlock so that a
128 stalled pinentry does not block other threads. Fixme: We should
129 have a timeout in Assuan for the disconnect operation. */
131 unlock_pinentry (gpg_error_t rc)
133 assuan_context_t ctx = entry_ctx;
139 log_debug ("error calling pinentry: %s <%s>\n",
140 gpg_strerror (rc), gpg_strsource (rc));
142 /* Change the source of the error to pinentry so that the final
143 consumer of the error code knows that the problem is with
144 pinentry. For backward compatibility we do not do that for
145 some common error codes. */
146 switch (gpg_err_code (rc))
148 case GPG_ERR_NO_PIN_ENTRY:
149 case GPG_ERR_CANCELED:
150 case GPG_ERR_FULLY_CANCELED:
151 case GPG_ERR_ASS_UNKNOWN_INQUIRE:
152 case GPG_ERR_ASS_TOO_MUCH_DATA:
153 case GPG_ERR_NO_PASSPHRASE:
154 case GPG_ERR_BAD_PASSPHRASE:
155 case GPG_ERR_BAD_PIN:
159 rc = gpg_err_make (GPG_ERR_SOURCE_PINENTRY, gpg_err_code (rc));
165 err = npth_mutex_unlock (&entry_lock);
168 log_error ("failed to release the entry lock: %s\n", strerror (err));
170 rc = gpg_error_from_errno (err);
172 assuan_release (ctx);
177 /* To make sure we leave no secrets in our image after forking of the
178 pinentry, we use this callback. */
180 atfork_cb (void *opaque, int where)
182 ctrl_t ctrl = opaque;
187 const char *name, *assname, *value;
189 gcry_control (GCRYCTL_TERM_SECMEM);
191 while ((name = session_env_list_stdenvnames (&iterator, &assname)))
193 /* For all new envvars (!ASSNAME) and the two medium old
194 ones which do have an assuan name but are conveyed using
195 environment variables, update the environment of the
198 || !strcmp (name, "XAUTHORITY")
199 || !strcmp (name, "PINENTRY_USER_DATA"))
201 value = session_env_getenv (ctrl->session_env, name);
203 gnupg_setenv (name, value, 1);
211 getinfo_pid_cb (void *opaque, const void *buffer, size_t length)
213 unsigned long *pid = opaque;
216 /* There is only the pid in the server's response. */
217 if (length >= sizeof pidbuf)
218 length = sizeof pidbuf -1;
221 strncpy (pidbuf, buffer, length);
223 *pid = strtoul (pidbuf, NULL, 10);
229 /* Fork off the pin entry if this has not already been done. Note,
230 that this function must always be used to acquire the lock for the
231 pinentry - we will serialize _all_ pinentry calls.
234 start_pinentry (ctrl_t ctrl)
237 const char *full_pgmname;
239 assuan_context_t ctx;
241 assuan_fd_t no_close_list[3];
244 unsigned long pinentry_pid;
246 struct timespec abstime;
247 char *flavor_version;
250 npth_clock_gettime (&abstime);
251 abstime.tv_sec += LOCK_TIMEOUT;
252 err = npth_mutex_timedlock (&entry_lock, &abstime);
255 if (err == ETIMEDOUT)
256 rc = gpg_error (GPG_ERR_TIMEOUT);
258 rc = gpg_error_from_errno (rc);
259 log_error (_("failed to acquire the pinentry lock: %s\n"),
270 log_info ("starting a new PIN Entry\n");
272 #ifdef HAVE_W32_SYSTEM
278 #ifndef HAVE_W32_SYSTEM
279 gpg_error_t tmperr = gpg_error (gpg_err_code_from_errno (errno));
281 log_error ("error flushing pending output: %s\n", strerror (errno));
282 /* At least Windows XP fails here with EBADF. According to docs
283 and Wine an fflush(NULL) is the same as _flushall. However
284 the Wine implementaion does not flush stdin,stdout and stderr
285 - see above. Let's try to ignore the error. */
286 #ifndef HAVE_W32_SYSTEM
287 return unlock_pinentry (tmperr);
291 full_pgmname = opt.pinentry_program;
292 if (!full_pgmname || !*full_pgmname)
293 full_pgmname = gnupg_module_name (GNUPG_MODULE_NAME_PINENTRY);
294 if ( !(pgmname = strrchr (full_pgmname, '/')))
295 pgmname = full_pgmname;
299 /* OS X needs the entire file name in argv[0], so that it can locate
300 the resource bundle. For other systems we stick to the usual
301 convention of supplying only the name of the program. */
303 argv[0] = full_pgmname;
308 if (!opt.keep_display
309 && (value = session_env_getenv (ctrl->session_env, "DISPLAY")))
311 argv[1] = "--display";
319 if (!opt.running_detached)
321 if (log_get_fd () != -1)
322 no_close_list[i++] = assuan_fd_from_posix_fd (log_get_fd ());
323 no_close_list[i++] = assuan_fd_from_posix_fd (fileno (stderr));
325 no_close_list[i] = ASSUAN_INVALID_FD;
327 rc = assuan_new (&ctx);
330 log_error ("can't allocate assuan context: %s\n", gpg_strerror (rc));
333 /* We don't want to log the pinentry communication to make the logs
334 easier to read. We might want to add a new debug option to enable
336 #ifdef ASSUAN_NO_LOGGING
337 assuan_set_flag (ctx, ASSUAN_NO_LOGGING, !opt.debug_pinentry);
340 /* Connect to the pinentry and perform initial handshaking. Note
341 that atfork is used to change the environment for pinentry. We
342 start the server in detached mode to suppress the console window
344 rc = assuan_pipe_connect (ctx, full_pgmname, argv,
345 no_close_list, atfork_cb, ctrl,
346 ASSUAN_PIPE_CONNECT_DETACHED);
349 log_error ("can't connect to the PIN entry module '%s': %s\n",
350 full_pgmname, gpg_strerror (rc));
351 assuan_release (ctx);
352 return unlock_pinentry (gpg_error (GPG_ERR_NO_PIN_ENTRY));
357 log_debug ("connection to PIN entry established\n");
359 value = session_env_getenv (ctrl->session_env, "PINENTRY_USER_DATA");
363 if (asprintf (&optstr, "OPTION pinentry-user-data=%s", value) < 0 )
364 return unlock_pinentry (out_of_core ());
365 rc = assuan_transact (entry_ctx, optstr, NULL, NULL, NULL, NULL, NULL,
368 if (rc && gpg_err_code (rc) != GPG_ERR_UNKNOWN_OPTION)
369 return unlock_pinentry (rc);
372 rc = assuan_transact (entry_ctx,
373 opt.no_grab? "OPTION no-grab":"OPTION grab",
374 NULL, NULL, NULL, NULL, NULL, NULL);
376 return unlock_pinentry (rc);
378 value = session_env_getenv (ctrl->session_env, "GPG_TTY");
382 if (asprintf (&optstr, "OPTION ttyname=%s", value) < 0 )
383 return unlock_pinentry (out_of_core ());
384 rc = assuan_transact (entry_ctx, optstr, NULL, NULL, NULL, NULL, NULL,
388 return unlock_pinentry (rc);
390 value = session_env_getenv (ctrl->session_env, "TERM");
394 if (asprintf (&optstr, "OPTION ttytype=%s", value) < 0 )
395 return unlock_pinentry (out_of_core ());
396 rc = assuan_transact (entry_ctx, optstr, NULL, NULL, NULL, NULL, NULL,
400 return unlock_pinentry (rc);
405 if (asprintf (&optstr, "OPTION lc-ctype=%s", ctrl->lc_ctype) < 0 )
406 return unlock_pinentry (out_of_core ());
407 rc = assuan_transact (entry_ctx, optstr, NULL, NULL, NULL, NULL, NULL,
411 return unlock_pinentry (rc);
413 if (ctrl->lc_messages)
416 if (asprintf (&optstr, "OPTION lc-messages=%s", ctrl->lc_messages) < 0 )
417 return unlock_pinentry (out_of_core ());
418 rc = assuan_transact (entry_ctx, optstr, NULL, NULL, NULL, NULL, NULL,
422 return unlock_pinentry (rc);
426 if (opt.allow_external_cache)
428 /* Indicate to the pinentry that it may read from an external cache.
430 It is essential that the pinentry respect this. If the
431 cached password is not up to date and retry == 1, then, using
432 a version of GPG Agent that doesn't support this, won't issue
433 another pin request and the user won't get a chance to
434 correct the password. */
435 rc = assuan_transact (entry_ctx, "OPTION allow-external-password-cache",
436 NULL, NULL, NULL, NULL, NULL, NULL);
437 if (rc && gpg_err_code (rc) != GPG_ERR_UNKNOWN_OPTION)
438 return unlock_pinentry (rc);
441 if (opt.allow_emacs_pinentry)
443 /* Indicate to the pinentry that it may read passphrase through
444 Emacs minibuffer, if possible. */
445 rc = assuan_transact (entry_ctx, "OPTION allow-emacs-prompt",
446 NULL, NULL, NULL, NULL, NULL, NULL);
447 if (rc && gpg_err_code (rc) != GPG_ERR_UNKNOWN_OPTION)
448 return unlock_pinentry (rc);
453 /* Provide a few default strings for use by the pinentries. This
454 may help a pinentry to avoid implementing localization code. */
455 static struct { const char *key, *value; int what; } tbl[] = {
456 /* TRANSLATORS: These are labels for buttons etc used in
457 Pinentries. An underscore indicates that the next letter
458 should be used as an accelerator. Double the underscore for
459 a literal one. The actual to be translated text starts after
460 the second vertical bar. Note that gpg-agent has been set to
461 utf-8 so that the strings are in the expected encoding. */
462 { "ok", N_("|pinentry-label|_OK") },
463 { "cancel", N_("|pinentry-label|_Cancel") },
464 { "yes", N_("|pinentry-label|_Yes") },
465 { "no", N_("|pinentry-label|_No") },
466 { "prompt", N_("|pinentry-label|PIN:") },
467 { "pwmngr", N_("|pinentry-label|_Save in password manager"), 1 },
468 { "cf-visi",N_("Do you really want to make your "
469 "passphrase visible on the screen?") },
470 { "tt-visi",N_("|pinentry-tt|Make passphrase visible") },
471 { "tt-hide",N_("|pinentry-tt|Hide passphrase") },
478 for (idx=0; tbl[idx].key; idx++)
480 if (!opt.allow_external_cache && tbl[idx].what == 1)
481 continue; /* No need for it. */
482 s = L_(tbl[idx].value);
483 if (*s == '|' && (s2=strchr (s+1,'|')))
485 if (asprintf (&optstr, "OPTION default-%s=%s", tbl[idx].key, s) < 0 )
486 return unlock_pinentry (out_of_core ());
487 assuan_transact (entry_ctx, optstr, NULL, NULL, NULL, NULL, NULL,
493 /* Tell the pinentry that we would prefer that the given character
494 is used as the invisible character by the entry widget. */
495 if (opt.pinentry_invisible_char)
498 if ((optstr = xtryasprintf ("OPTION invisible-char=%s",
499 opt.pinentry_invisible_char)))
501 assuan_transact (entry_ctx, optstr, NULL, NULL, NULL, NULL, NULL,
503 /* We ignore errors because this is just a fancy thing and
504 older pinentries do not support this feature. */
509 if (opt.pinentry_timeout)
512 if ((optstr = xtryasprintf ("SETTIMEOUT %lu", opt.pinentry_timeout)))
514 assuan_transact (entry_ctx, optstr, NULL, NULL, NULL, NULL, NULL,
516 /* We ignore errors because this is just a fancy thing. */
521 /* Tell the pinentry the name of a file it shall touch after having
522 messed with the tty. This is optional and only supported by
523 newer pinentries and thus we do no error checking. */
524 tmpstr = opt.pinentry_touch_file;
525 if (tmpstr && !strcmp (tmpstr, "/dev/null"))
528 tmpstr = get_agent_socket_name ();
533 if (asprintf (&optstr, "OPTION touch-file=%s", tmpstr ) < 0 )
537 assuan_transact (entry_ctx, optstr, NULL, NULL, NULL, NULL, NULL,
544 /* Ask the pinentry for its version and flavor and store that as a
545 * string in MB. This information is useful for helping users to
546 * figure out Pinentry problems. */
550 init_membuf (&mb, 256);
551 if (assuan_transact (entry_ctx, "GETINFO flavor",
552 put_membuf_cb, &mb, NULL, NULL, NULL, NULL))
553 put_membuf_str (&mb, "unknown");
554 put_membuf_str (&mb, " ");
555 if (assuan_transact (entry_ctx, "GETINFO version",
556 put_membuf_cb, &mb, NULL, NULL, NULL, NULL))
557 put_membuf_str (&mb, "unknown");
558 put_membuf_str (&mb, " ");
559 if (assuan_transact (entry_ctx, "GETINFO ttyinfo",
560 put_membuf_cb, &mb, NULL, NULL, NULL, NULL))
561 put_membuf_str (&mb, "? ? ?");
562 put_membuf (&mb, "", 1);
563 flavor_version = get_membuf (&mb, NULL);
567 /* Now ask the Pinentry for its PID. If the Pinentry is new enough
568 it will send the pid back and we will use an inquire to notify
569 our client. The client may answer the inquiry either with END or
570 with CAN to cancel the pinentry. */
571 rc = assuan_transact (entry_ctx, "GETINFO pid",
572 getinfo_pid_cb, &pinentry_pid,
573 NULL, NULL, NULL, NULL);
576 log_info ("You may want to update to a newer pinentry\n");
579 else if (!rc && (pid_t)pinentry_pid == (pid_t)(-1))
580 log_error ("pinentry did not return a PID\n");
583 rc = agent_inq_pinentry_launched (ctrl, pinentry_pid, flavor_version);
584 if (gpg_err_code (rc) == GPG_ERR_CANCELED
585 || gpg_err_code (rc) == GPG_ERR_FULLY_CANCELED)
586 return unlock_pinentry (gpg_err_make (GPG_ERR_SOURCE_DEFAULT,
591 xfree (flavor_version);
597 /* Returns True if the pinentry is currently active. If WAITSECONDS is
598 greater than zero the function will wait for this many seconds
601 pinentry_active_p (ctrl_t ctrl, int waitseconds)
608 struct timespec abstime;
611 npth_clock_gettime (&abstime);
612 abstime.tv_sec += waitseconds;
613 err = npth_mutex_timedlock (&entry_lock, &abstime);
616 if (err == ETIMEDOUT)
617 rc = gpg_error (GPG_ERR_TIMEOUT);
619 rc = gpg_error (GPG_ERR_INTERNAL);
625 err = npth_mutex_trylock (&entry_lock);
627 return gpg_error (GPG_ERR_LOCKED);
630 err = npth_mutex_unlock (&entry_lock);
632 log_error ("failed to release the entry lock at %d: %s\n", __LINE__,
639 getpin_cb (void *opaque, const void *buffer, size_t length)
641 struct entry_parm_s *parm = opaque;
646 /* we expect the pin to fit on one line */
647 if (parm->lines || length >= parm->size)
648 return gpg_error (GPG_ERR_ASS_TOO_MUCH_DATA);
650 /* fixme: we should make sure that the assuan buffer is allocated in
651 secure memory or read the response byte by byte */
652 memcpy (parm->buffer, buffer, length);
653 parm->buffer[length] = 0;
660 all_digitsp( const char *s)
662 for (; *s && *s >= '0' && *s <= '9'; s++)
668 /* Return a new malloced string by unescaping the string S. Escaping
669 is percent escaping and '+'/space mapping. A binary Nul will
670 silently be replaced by a 0xFF. Function returns NULL to indicate
671 an out of memory status. Parsing stops at the end of the string or
672 a white space character. */
674 unescape_passphrase_string (const unsigned char *s)
678 buffer = d = xtrymalloc_secure (strlen ((const char*)s)+1);
681 while (*s && !spacep (s))
683 if (*s == '%' && s[1] && s[2])
705 /* Estimate the quality of the passphrase PW and return a value in the
708 estimate_passphrase_quality (const char *pw)
710 int goodlength = opt.min_passphrase_len + opt.min_passphrase_len/3;
717 for (length = 0, s = pw; *s; s++)
721 if (length > goodlength)
723 return ((length*10) / goodlength)*10;
727 /* Handle the QUALITY inquiry. */
729 inq_quality (void *opaque, const char *line)
731 assuan_context_t ctx = opaque;
738 if ((s = has_leading_keyword (line, "QUALITY")))
740 pin = unescape_passphrase_string (s);
742 rc = gpg_error_from_syserror ();
745 percent = estimate_passphrase_quality (pin);
746 if (check_passphrase_constraints (NULL, pin, NULL))
748 snprintf (numbuf, sizeof numbuf, "%d", percent);
749 rc = assuan_send_data (ctx, numbuf, strlen (numbuf));
755 log_error ("unsupported inquiry '%s' from pinentry\n", line);
756 rc = gpg_error (GPG_ERR_ASS_UNKNOWN_INQUIRE);
763 /* Helper for agent_askpin and agent_get_passphrase. */
765 setup_qualitybar (ctrl_t ctrl)
768 char line[ASSUAN_LINELENGTH];
769 char *tmpstr, *tmpstr2;
774 /* TRANSLATORS: This string is displayed by Pinentry as the label
775 for the quality bar. */
776 tmpstr = try_percent_escape (L_("Quality:"), "\t\r\n\f\v");
777 snprintf (line, DIM(line), "SETQUALITYBAR %s", tmpstr? tmpstr:"");
779 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
780 if (rc == 103 /*(Old assuan error code)*/
781 || gpg_err_code (rc) == GPG_ERR_ASS_UNKNOWN_CMD)
782 ; /* Ignore Unknown Command from old Pinentry versions. */
786 tmpstr2 = gnupg_get_help_string ("pinentry.qualitybar.tooltip", 0);
791 /* TRANSLATORS: This string is a tooltip, shown by pinentry when
792 hovering over the quality bar. Please use an appropriate
793 string to describe what this is about. The length of the
794 tooltip is limited to about 900 characters. If you do not
795 translate this entry, a default english text (see source)
797 tooltip = L_("pinentry.qualitybar.tooltip");
798 if (!strcmp ("pinentry.qualitybar.tooltip", tooltip))
799 tooltip = ("The quality of the text entered above.\n"
800 "Please ask your administrator for "
801 "details about the criteria.");
803 tmpstr = try_percent_escape (tooltip, "\t\r\n\f\v");
805 snprintf (line, DIM(line), "SETQUALITYBAR_TT %s", tmpstr? tmpstr:"");
807 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
808 if (rc == 103 /*(Old assuan error code)*/
809 || gpg_err_code (rc) == GPG_ERR_ASS_UNKNOWN_CMD)
810 ; /* Ignore Unknown Command from old pinentry versions. */
819 PINENTRY_STATUS_CLOSE_BUTTON = 1 << 0,
820 PINENTRY_STATUS_PIN_REPEATED = 1 << 8,
821 PINENTRY_STATUS_PASSWORD_FROM_CACHE = 1 << 9
824 /* Check the button_info line for a close action. Also check for the
825 PIN_REPEATED flag. */
827 pinentry_status_cb (void *opaque, const char *line)
829 unsigned int *flag = opaque;
832 if ((args = has_leading_keyword (line, "BUTTON_INFO")))
834 if (!strcmp (args, "close"))
835 *flag |= PINENTRY_STATUS_CLOSE_BUTTON;
837 else if (has_leading_keyword (line, "PIN_REPEATED"))
839 *flag |= PINENTRY_STATUS_PIN_REPEATED;
841 else if (has_leading_keyword (line, "PASSWORD_FROM_CACHE"))
843 *flag |= PINENTRY_STATUS_PASSWORD_FROM_CACHE;
852 /* Call the Entry and ask for the PIN. We do check for a valid PIN
853 number here and repeat it as long as we have invalid formed
854 numbers. KEYINFO and CACHE_MODE are used to tell pinentry something
857 agent_askpin (ctrl_t ctrl,
858 const char *desc_text, const char *prompt_text,
859 const char *initial_errtext,
860 struct pin_entry_info_s *pininfo,
861 const char *keyinfo, cache_mode_t cache_mode)
864 char line[ASSUAN_LINELENGTH];
865 struct entry_parm_s parm;
866 const char *errtext = NULL;
869 unsigned int pinentry_status;
872 return 0; /* fixme: we should return BAD PIN */
874 if (ctrl->pinentry_mode != PINENTRY_MODE_ASK)
876 if (ctrl->pinentry_mode == PINENTRY_MODE_CANCEL)
877 return gpg_error (GPG_ERR_CANCELED);
878 if (ctrl->pinentry_mode == PINENTRY_MODE_LOOPBACK)
880 unsigned char *passphrase;
883 *pininfo->pin = 0; /* Reset the PIN. */
884 rc = pinentry_loopback(ctrl, "PASSPHRASE", &passphrase, &size,
885 pininfo->max_length - 1);
889 memcpy(&pininfo->pin, passphrase, size);
891 pininfo->pin[size] = 0;
892 if (pininfo->check_cb)
894 /* More checks by utilizing the optional callback. */
895 pininfo->cb_errtext = NULL;
896 rc = pininfo->check_cb (pininfo);
900 return gpg_error(GPG_ERR_NO_PIN_ENTRY);
903 if (!pininfo || pininfo->max_length < 1)
904 return gpg_error (GPG_ERR_INV_VALUE);
905 if (!desc_text && pininfo->min_digits)
906 desc_text = L_("Please enter your PIN, so that the secret key "
907 "can be unlocked for this session");
909 desc_text = L_("Please enter your passphrase, so that the secret key "
910 "can be unlocked for this session");
913 is_pin = !!strstr (prompt_text, "PIN");
915 is_pin = desc_text && strstr (desc_text, "PIN");
917 rc = start_pinentry (ctrl);
921 /* If we have a KEYINFO string and are normal, user, or ssh cache
922 mode, we tell that the Pinentry so it may use it for own caching
923 purposes. Most pinentries won't have this implemented and thus
924 we do not error out in this case. */
925 if (keyinfo && (cache_mode == CACHE_MODE_NORMAL
926 || cache_mode == CACHE_MODE_USER
927 || cache_mode == CACHE_MODE_SSH))
928 snprintf (line, DIM(line), "SETKEYINFO %c/%s",
929 cache_mode == CACHE_MODE_USER? 'u' :
930 cache_mode == CACHE_MODE_SSH? 's' : 'n',
933 snprintf (line, DIM(line), "SETKEYINFO --clear");
935 rc = assuan_transact (entry_ctx, line,
936 NULL, NULL, NULL, NULL, NULL, NULL);
937 if (rc && gpg_err_code (rc) != GPG_ERR_ASS_UNKNOWN_CMD)
938 return unlock_pinentry (rc);
940 snprintf (line, DIM(line), "SETDESC %s", desc_text);
941 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
943 return unlock_pinentry (rc);
945 snprintf (line, DIM(line), "SETPROMPT %s",
946 prompt_text? prompt_text : is_pin? L_("PIN:") : L_("Passphrase:"));
947 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
949 return unlock_pinentry (rc);
951 /* If a passphrase quality indicator has been requested and a
952 minimum passphrase length has not been disabled, send the command
954 if (pininfo->with_qualitybar && opt.min_passphrase_len )
956 rc = setup_qualitybar (ctrl);
958 return unlock_pinentry (rc);
963 snprintf (line, DIM(line), "SETERROR %s", initial_errtext);
964 rc = assuan_transact (entry_ctx, line,
965 NULL, NULL, NULL, NULL, NULL, NULL);
967 return unlock_pinentry (rc);
970 if (pininfo->with_repeat)
972 snprintf (line, DIM(line), "SETREPEATERROR %s",
973 L_("does not match - try again"));
974 rc = assuan_transact (entry_ctx, line,
975 NULL, NULL, NULL, NULL, NULL, NULL);
977 pininfo->with_repeat = 0; /* Pinentry does not support it. */
979 pininfo->repeat_okay = 0;
981 for (;pininfo->failed_tries < pininfo->max_tries; pininfo->failed_tries++)
983 memset (&parm, 0, sizeof parm);
984 parm.size = pininfo->max_length;
985 *pininfo->pin = 0; /* Reset the PIN. */
986 parm.buffer = (unsigned char*)pininfo->pin;
990 /* TRANSLATORS: The string is appended to an error message in
991 the pinentry. The %s is the actual error message, the
992 two %d give the current and maximum number of tries. */
993 snprintf (line, DIM(line), L_("SETERROR %s (try %d of %d)"),
994 errtext, pininfo->failed_tries+1, pininfo->max_tries);
995 rc = assuan_transact (entry_ctx, line,
996 NULL, NULL, NULL, NULL, NULL, NULL);
998 return unlock_pinentry (rc);
1002 if (pininfo->with_repeat)
1004 snprintf (line, DIM(line), "SETREPEAT %s", L_("Repeat:"));
1005 rc = assuan_transact (entry_ctx, line,
1006 NULL, NULL, NULL, NULL, NULL, NULL);
1008 return unlock_pinentry (rc);
1011 saveflag = assuan_get_flag (entry_ctx, ASSUAN_CONFIDENTIAL);
1012 assuan_begin_confidential (entry_ctx);
1013 pinentry_status = 0;
1014 rc = assuan_transact (entry_ctx, "GETPIN", getpin_cb, &parm,
1015 inq_quality, entry_ctx,
1016 pinentry_status_cb, &pinentry_status);
1017 assuan_set_flag (entry_ctx, ASSUAN_CONFIDENTIAL, saveflag);
1018 /* Most pinentries out in the wild return the old Assuan error code
1019 for canceled which gets translated to an assuan Cancel error and
1020 not to the code for a user cancel. Fix this here. */
1021 if (rc && gpg_err_source (rc)
1022 && gpg_err_code (rc) == GPG_ERR_ASS_CANCELED)
1023 rc = gpg_err_make (gpg_err_source (rc), GPG_ERR_CANCELED);
1026 /* Change error code in case the window close button was clicked
1027 to cancel the operation. */
1028 if ((pinentry_status & PINENTRY_STATUS_CLOSE_BUTTON)
1029 && gpg_err_code (rc) == GPG_ERR_CANCELED)
1030 rc = gpg_err_make (gpg_err_source (rc), GPG_ERR_FULLY_CANCELED);
1032 if (gpg_err_code (rc) == GPG_ERR_ASS_TOO_MUCH_DATA)
1033 errtext = is_pin? L_("PIN too long")
1034 : L_("Passphrase too long");
1036 return unlock_pinentry (rc);
1038 if (!errtext && pininfo->min_digits)
1040 /* do some basic checks on the entered PIN. */
1041 if (!all_digitsp (pininfo->pin))
1042 errtext = L_("Invalid characters in PIN");
1043 else if (pininfo->max_digits
1044 && strlen (pininfo->pin) > pininfo->max_digits)
1045 errtext = L_("PIN too long");
1046 else if (strlen (pininfo->pin) < pininfo->min_digits)
1047 errtext = L_("PIN too short");
1050 if (!errtext && pininfo->check_cb)
1052 /* More checks by utilizing the optional callback. */
1053 pininfo->cb_errtext = NULL;
1054 rc = pininfo->check_cb (pininfo);
1055 if (gpg_err_code (rc) == GPG_ERR_BAD_PASSPHRASE
1056 && pininfo->cb_errtext)
1057 errtext = pininfo->cb_errtext;
1058 else if (gpg_err_code (rc) == GPG_ERR_BAD_PASSPHRASE
1059 || gpg_err_code (rc) == GPG_ERR_BAD_PIN)
1060 errtext = (is_pin? L_("Bad PIN") : L_("Bad Passphrase"));
1062 return unlock_pinentry (rc);
1067 if (pininfo->with_repeat
1068 && (pinentry_status & PINENTRY_STATUS_PIN_REPEATED))
1069 pininfo->repeat_okay = 1;
1070 return unlock_pinentry (0); /* okay, got a PIN or passphrase */
1073 if ((pinentry_status & PINENTRY_STATUS_PASSWORD_FROM_CACHE))
1074 /* The password was read from the cache. Don't count this
1075 against the retry count. */
1076 pininfo->failed_tries --;
1079 return unlock_pinentry (gpg_error (pininfo->min_digits? GPG_ERR_BAD_PIN
1080 : GPG_ERR_BAD_PASSPHRASE));
1085 /* Ask for the passphrase using the supplied arguments. The returned
1086 passphrase needs to be freed by the caller. */
1088 agent_get_passphrase (ctrl_t ctrl,
1089 char **retpass, const char *desc, const char *prompt,
1090 const char *errtext, int with_qualitybar,
1091 const char *keyinfo, cache_mode_t cache_mode)
1095 char line[ASSUAN_LINELENGTH];
1096 struct entry_parm_s parm;
1098 unsigned int pinentry_status;
1102 return gpg_error (GPG_ERR_BAD_PASSPHRASE);
1104 if (ctrl->pinentry_mode != PINENTRY_MODE_ASK)
1106 if (ctrl->pinentry_mode == PINENTRY_MODE_CANCEL)
1107 return gpg_error (GPG_ERR_CANCELED);
1109 if (ctrl->pinentry_mode == PINENTRY_MODE_LOOPBACK)
1112 size_t len = ASSUAN_LINELENGTH/2;
1114 return pinentry_loopback (ctrl, "PASSPHRASE",
1115 (unsigned char **)retpass, &size, len);
1117 return gpg_error (GPG_ERR_NO_PIN_ENTRY);
1120 rc = start_pinentry (ctrl);
1125 prompt = desc && strstr (desc, "PIN")? L_("PIN:"): L_("Passphrase:");
1128 /* If we have a KEYINFO string and are normal, user, or ssh cache
1129 mode, we tell that the Pinentry so it may use it for own caching
1130 purposes. Most pinentries won't have this implemented and thus
1131 we do not error out in this case. */
1132 if (keyinfo && (cache_mode == CACHE_MODE_NORMAL
1133 || cache_mode == CACHE_MODE_USER
1134 || cache_mode == CACHE_MODE_SSH))
1135 snprintf (line, DIM(line), "SETKEYINFO %c/%s",
1136 cache_mode == CACHE_MODE_USER? 'u' :
1137 cache_mode == CACHE_MODE_SSH? 's' : 'n',
1140 snprintf (line, DIM(line), "SETKEYINFO --clear");
1142 rc = assuan_transact (entry_ctx, line,
1143 NULL, NULL, NULL, NULL, NULL, NULL);
1144 if (rc && gpg_err_code (rc) != GPG_ERR_ASS_UNKNOWN_CMD)
1145 return unlock_pinentry (rc);
1149 snprintf (line, DIM(line), "SETDESC %s", desc);
1151 snprintf (line, DIM(line), "RESET");
1152 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
1154 return unlock_pinentry (rc);
1156 snprintf (line, DIM(line), "SETPROMPT %s", prompt);
1157 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
1159 return unlock_pinentry (rc);
1161 if (with_qualitybar && opt.min_passphrase_len)
1163 rc = setup_qualitybar (ctrl);
1165 return unlock_pinentry (rc);
1170 snprintf (line, DIM(line), "SETERROR %s", errtext);
1171 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
1173 return unlock_pinentry (rc);
1176 memset (&parm, 0, sizeof parm);
1177 parm.size = ASSUAN_LINELENGTH/2 - 5;
1178 parm.buffer = gcry_malloc_secure (parm.size+10);
1180 return unlock_pinentry (out_of_core ());
1182 saveflag = assuan_get_flag (entry_ctx, ASSUAN_CONFIDENTIAL);
1183 assuan_begin_confidential (entry_ctx);
1184 pinentry_status = 0;
1185 rc = assuan_transact (entry_ctx, "GETPIN", getpin_cb, &parm,
1186 inq_quality, entry_ctx,
1187 pinentry_status_cb, &pinentry_status);
1188 assuan_set_flag (entry_ctx, ASSUAN_CONFIDENTIAL, saveflag);
1189 /* Most pinentries out in the wild return the old Assuan error code
1190 for canceled which gets translated to an assuan Cancel error and
1191 not to the code for a user cancel. Fix this here. */
1192 if (rc && gpg_err_source (rc) && gpg_err_code (rc) == GPG_ERR_ASS_CANCELED)
1193 rc = gpg_err_make (gpg_err_source (rc), GPG_ERR_CANCELED);
1194 /* Change error code in case the window close button was clicked
1195 to cancel the operation. */
1196 if ((pinentry_status & PINENTRY_STATUS_CLOSE_BUTTON)
1197 && gpg_err_code (rc) == GPG_ERR_CANCELED)
1198 rc = gpg_err_make (gpg_err_source (rc), GPG_ERR_FULLY_CANCELED);
1201 xfree (parm.buffer);
1203 *retpass = parm.buffer;
1204 return unlock_pinentry (rc);
1209 /* Pop up the PIN-entry, display the text and the prompt and ask the
1210 user to confirm this. We return 0 for success, ie. the user
1211 confirmed it, GPG_ERR_NOT_CONFIRMED for what the text says or an
1212 other error. If WITH_CANCEL it true an extra cancel button is
1213 displayed to allow the user to easily return a GPG_ERR_CANCELED.
1214 if the Pinentry does not support this, the user can still cancel by
1215 closing the Pinentry window. */
1217 agent_get_confirmation (ctrl_t ctrl,
1218 const char *desc, const char *ok,
1219 const char *notok, int with_cancel)
1222 char line[ASSUAN_LINELENGTH];
1224 if (ctrl->pinentry_mode != PINENTRY_MODE_ASK)
1226 if (ctrl->pinentry_mode == PINENTRY_MODE_CANCEL)
1227 return gpg_error (GPG_ERR_CANCELED);
1229 return gpg_error (GPG_ERR_NO_PIN_ENTRY);
1232 rc = start_pinentry (ctrl);
1237 snprintf (line, DIM(line), "SETDESC %s", desc);
1239 snprintf (line, DIM(line), "RESET");
1240 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
1241 /* Most pinentries out in the wild return the old Assuan error code
1242 for canceled which gets translated to an assuan Cancel error and
1243 not to the code for a user cancel. Fix this here. */
1244 if (rc && gpg_err_source (rc) && gpg_err_code (rc) == GPG_ERR_ASS_CANCELED)
1245 rc = gpg_err_make (gpg_err_source (rc), GPG_ERR_CANCELED);
1248 return unlock_pinentry (rc);
1252 snprintf (line, DIM(line), "SETOK %s", ok);
1253 rc = assuan_transact (entry_ctx,
1254 line, NULL, NULL, NULL, NULL, NULL, NULL);
1256 return unlock_pinentry (rc);
1260 /* Try to use the newer NOTOK feature if a cancel button is
1261 requested. If no cancel button is requested we keep on using
1262 the standard cancel. */
1265 snprintf (line, DIM(line), "SETNOTOK %s", notok);
1266 rc = assuan_transact (entry_ctx,
1267 line, NULL, NULL, NULL, NULL, NULL, NULL);
1270 rc = GPG_ERR_ASS_UNKNOWN_CMD;
1272 if (gpg_err_code (rc) == GPG_ERR_ASS_UNKNOWN_CMD)
1274 snprintf (line, DIM(line), "SETCANCEL %s", notok);
1275 rc = assuan_transact (entry_ctx, line,
1276 NULL, NULL, NULL, NULL, NULL, NULL);
1279 return unlock_pinentry (rc);
1282 rc = assuan_transact (entry_ctx, "CONFIRM",
1283 NULL, NULL, NULL, NULL, NULL, NULL);
1284 if (rc && gpg_err_source (rc) && gpg_err_code (rc) == GPG_ERR_ASS_CANCELED)
1285 rc = gpg_err_make (gpg_err_source (rc), GPG_ERR_CANCELED);
1287 return unlock_pinentry (rc);
1292 /* Pop up the PINentry, display the text DESC and a button with the
1293 text OK_BTN (which may be NULL to use the default of "OK") and wait
1294 for the user to hit this button. The return value is not
1297 agent_show_message (ctrl_t ctrl, const char *desc, const char *ok_btn)
1300 char line[ASSUAN_LINELENGTH];
1302 if (ctrl->pinentry_mode != PINENTRY_MODE_ASK)
1303 return gpg_error (GPG_ERR_CANCELED);
1305 rc = start_pinentry (ctrl);
1310 snprintf (line, DIM(line), "SETDESC %s", desc);
1312 snprintf (line, DIM(line), "RESET");
1313 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
1314 /* Most pinentries out in the wild return the old Assuan error code
1315 for canceled which gets translated to an assuan Cancel error and
1316 not to the code for a user cancel. Fix this here. */
1317 if (rc && gpg_err_source (rc) && gpg_err_code (rc) == GPG_ERR_ASS_CANCELED)
1318 rc = gpg_err_make (gpg_err_source (rc), GPG_ERR_CANCELED);
1321 return unlock_pinentry (rc);
1325 snprintf (line, DIM(line), "SETOK %s", ok_btn);
1326 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL,
1329 return unlock_pinentry (rc);
1332 rc = assuan_transact (entry_ctx, "CONFIRM --one-button", NULL, NULL, NULL,
1334 if (rc && gpg_err_source (rc) && gpg_err_code (rc) == GPG_ERR_ASS_CANCELED)
1335 rc = gpg_err_make (gpg_err_source (rc), GPG_ERR_CANCELED);
1337 return unlock_pinentry (rc);
1341 /* The thread running the popup message. */
1343 popup_message_thread (void *arg)
1347 /* We use the --one-button hack instead of the MESSAGE command to
1348 allow the use of old Pinentries. Those old Pinentries will then
1349 show an additional Cancel button but that is mostly a visual
1351 assuan_transact (entry_ctx, "CONFIRM --one-button",
1352 NULL, NULL, NULL, NULL, NULL, NULL);
1358 /* Pop up a message window similar to the confirm one but keep it open
1359 until agent_popup_message_stop has been called. It is crucial for
1360 the caller to make sure that the stop function gets called as soon
1361 as the message is not anymore required because the message is
1362 system modal and all other attempts to use the pinentry will fail
1363 (after a timeout). */
1365 agent_popup_message_start (ctrl_t ctrl, const char *desc, const char *ok_btn)
1368 char line[ASSUAN_LINELENGTH];
1372 if (ctrl->pinentry_mode != PINENTRY_MODE_ASK)
1373 return gpg_error (GPG_ERR_CANCELED);
1375 rc = start_pinentry (ctrl);
1380 snprintf (line, DIM(line), "SETDESC %s", desc);
1382 snprintf (line, DIM(line), "RESET");
1383 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
1385 return unlock_pinentry (rc);
1389 snprintf (line, DIM(line), "SETOK %s", ok_btn);
1390 rc = assuan_transact (entry_ctx, line, NULL,NULL,NULL,NULL,NULL,NULL);
1392 return unlock_pinentry (rc);
1395 err = npth_attr_init (&tattr);
1397 return unlock_pinentry (gpg_error_from_errno (err));
1398 npth_attr_setdetachstate (&tattr, NPTH_CREATE_JOINABLE);
1401 err = npth_create (&popup_tid, &tattr, popup_message_thread, NULL);
1402 npth_attr_destroy (&tattr);
1405 rc = gpg_error_from_errno (err);
1406 log_error ("error spawning popup message handler: %s\n",
1408 return unlock_pinentry (rc);
1410 npth_setname_np (popup_tid, "popup-message");
1415 /* Close a popup window. */
1417 agent_popup_message_stop (ctrl_t ctrl)
1424 if (!popup_tid || !entry_ctx)
1426 log_debug ("agent_popup_message_stop called with no active popup\n");
1430 pid = assuan_get_pid (entry_ctx);
1431 if (pid == (pid_t)(-1))
1432 ; /* No pid available can't send a kill. */
1433 else if (popup_finished)
1434 ; /* Already finished and ready for joining. */
1435 #ifdef HAVE_W32_SYSTEM
1436 /* Older versions of assuan set PID to 0 on Windows to indicate an
1438 else if (pid != (pid_t) INVALID_HANDLE_VALUE
1441 HANDLE process = (HANDLE) pid;
1443 /* Arbitrary error code. */
1444 TerminateProcess (process, 1);
1447 else if (pid && ((rc=waitpid (pid, NULL, WNOHANG))==-1 || (rc == pid)) )
1448 { /* The daemon already died. No need to send a kill. However
1449 because we already waited for the process, we need to tell
1450 assuan that it should not wait again (done by
1451 unlock_pinentry). */
1453 assuan_set_flag (entry_ctx, ASSUAN_NO_WAITPID, 1);
1459 /* Now wait for the thread to terminate. */
1460 rc = npth_join (popup_tid, NULL);
1462 log_debug ("agent_popup_message_stop: pth_join failed: %s\n",
1464 /* Thread IDs are opaque, but we try our best here by resetting it
1465 to the same content that a static global variable has. */
1466 memset (&popup_tid, '\0', sizeof (popup_tid));
1469 /* Now we can close the connection. */
1470 unlock_pinentry (0);
1474 agent_clear_passphrase (ctrl_t ctrl,
1475 const char *keyinfo, cache_mode_t cache_mode)
1478 char line[ASSUAN_LINELENGTH];
1480 if (! (keyinfo && (cache_mode == CACHE_MODE_NORMAL
1481 || cache_mode == CACHE_MODE_USER
1482 || cache_mode == CACHE_MODE_SSH)))
1483 return gpg_error (GPG_ERR_NOT_SUPPORTED);
1485 rc = start_pinentry (ctrl);
1489 snprintf (line, DIM(line), "CLEARPASSPHRASE %c/%s",
1490 cache_mode == CACHE_MODE_USER? 'u' :
1491 cache_mode == CACHE_MODE_SSH? 's' : 'n',
1493 rc = assuan_transact (entry_ctx, line,
1494 NULL, NULL, NULL, NULL, NULL, NULL);
1496 return unlock_pinentry (rc);