1 /* call-pinentry.c - Spawn the pinentry to query stuff from the user
2 * Copyright (C) 2001, 2002, 2004, 2007, 2008,
3 * 2010 Free Software Foundation, Inc.
5 * This file is part of GnuPG.
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
30 #ifndef HAVE_W32_SYSTEM
31 # include <sys/wait.h>
32 # include <sys/types.h>
42 #ifdef _POSIX_OPEN_MAX
43 #define MAX_OPEN_FDS _POSIX_OPEN_MAX
45 #define MAX_OPEN_FDS 20
49 /* Because access to the pinentry must be serialized (it is and shall
50 be a global mutually exclusive dialog) we better timeout pending
51 requests after some time. 1 minute seem to be a reasonable
53 #define LOCK_TIMEOUT (1*60)
55 /* The assuan context of the current pinentry. */
56 static assuan_context_t entry_ctx;
58 /* The control variable of the connection owning the current pinentry.
59 This is only valid if ENTRY_CTX is not NULL. Note, that we care
60 only about the value of the pointer and that it should never be
62 static ctrl_t entry_owner;
64 /* A mutex used to serialize access to the pinentry. */
65 static npth_mutex_t entry_lock;
67 /* The thread ID of the popup working thread. */
68 static npth_t popup_tid;
70 /* A flag used in communication between the popup working thread and
72 static int popup_finished;
76 /* Data to be passed to our callbacks, */
81 unsigned char *buffer;
87 /* This function must be called once to initialize this module. This
88 has to be done before a second thread is spawned. We can't do the
89 static initialization because Pth emulation code might not be able
90 to do a static init; in particular, it is not possible for W32. */
92 initialize_module_call_pinentry (void)
94 static int initialized;
98 if (npth_mutex_init (&entry_lock, NULL))
105 /* This function may be called to print infromation pertaining to the
106 current state of this module to the log. */
108 agent_query_dump_state (void)
110 log_info ("agent_query_dump_state: entry_ctx=%p pid=%ld popup_tid=%p\n",
111 entry_ctx, (long)assuan_get_pid (entry_ctx), (void*)popup_tid);
114 /* Called to make sure that a popup window owned by the current
115 connection gets closed. */
117 agent_reset_query (ctrl_t ctrl)
119 if (entry_ctx && popup_tid && entry_owner == ctrl)
121 agent_popup_message_stop (ctrl);
126 /* Unlock the pinentry so that another thread can start one and
127 disconnect that pinentry - we do this after the unlock so that a
128 stalled pinentry does not block other threads. Fixme: We should
129 have a timeout in Assuan for the disconnect operation. */
131 unlock_pinentry (gpg_error_t rc)
133 assuan_context_t ctx = entry_ctx;
139 log_debug ("error calling pinentry: %s <%s>\n",
140 gpg_strerror (rc), gpg_strsource (rc));
142 /* Change the source of the error to pinentry so that the final
143 consumer of the error code knows that the problem is with
144 pinentry. For backward compatibility we do not do that for
145 some common error codes. */
146 switch (gpg_err_code (rc))
148 case GPG_ERR_NO_PIN_ENTRY:
149 case GPG_ERR_CANCELED:
150 case GPG_ERR_FULLY_CANCELED:
151 case GPG_ERR_ASS_UNKNOWN_INQUIRE:
152 case GPG_ERR_ASS_TOO_MUCH_DATA:
153 case GPG_ERR_NO_PASSPHRASE:
154 case GPG_ERR_BAD_PASSPHRASE:
155 case GPG_ERR_BAD_PIN:
159 rc = gpg_err_make (GPG_ERR_SOURCE_PINENTRY, gpg_err_code (rc));
165 err = npth_mutex_unlock (&entry_lock);
168 log_error ("failed to release the entry lock: %s\n", strerror (err));
170 rc = gpg_error_from_errno (err);
172 assuan_release (ctx);
177 /* To make sure we leave no secrets in our image after forking of the
178 pinentry, we use this callback. */
180 atfork_cb (void *opaque, int where)
182 ctrl_t ctrl = opaque;
187 const char *name, *assname, *value;
189 gcry_control (GCRYCTL_TERM_SECMEM);
191 while ((name = session_env_list_stdenvnames (&iterator, &assname)))
193 /* For all new envvars (!ASSNAME) and the two medium old
194 ones which do have an assuan name but are conveyed using
195 environment variables, update the environment of the
198 || !strcmp (name, "XAUTHORITY")
199 || !strcmp (name, "PINENTRY_USER_DATA"))
201 value = session_env_getenv (ctrl->session_env, name);
203 gnupg_setenv (name, value, 1);
211 getinfo_pid_cb (void *opaque, const void *buffer, size_t length)
213 unsigned long *pid = opaque;
216 /* There is only the pid in the server's response. */
217 if (length >= sizeof pidbuf)
218 length = sizeof pidbuf -1;
221 strncpy (pidbuf, buffer, length);
223 *pid = strtoul (pidbuf, NULL, 10);
228 /* Fork off the pin entry if this has not already been done. Note,
229 that this function must always be used to acquire the lock for the
230 pinentry - we will serialize _all_ pinentry calls.
233 start_pinentry (ctrl_t ctrl)
236 const char *full_pgmname;
238 assuan_context_t ctx;
240 assuan_fd_t no_close_list[3];
243 unsigned long pinentry_pid;
245 struct timespec abstime;
248 npth_clock_gettime (&abstime);
249 abstime.tv_sec += LOCK_TIMEOUT;
250 err = npth_mutex_timedlock (&entry_lock, &abstime);
253 if (err == ETIMEDOUT)
254 rc = gpg_error (GPG_ERR_TIMEOUT);
256 rc = gpg_error_from_errno (rc);
257 log_error (_("failed to acquire the pinentry lock: %s\n"),
268 log_info ("starting a new PIN Entry\n");
270 #ifdef HAVE_W32_SYSTEM
276 #ifndef HAVE_W32_SYSTEM
277 gpg_error_t tmperr = gpg_error (gpg_err_code_from_errno (errno));
279 log_error ("error flushing pending output: %s\n", strerror (errno));
280 /* At least Windows XP fails here with EBADF. According to docs
281 and Wine an fflush(NULL) is the same as _flushall. However
282 the Wine implementaion does not flush stdin,stdout and stderr
283 - see above. Let's try to ignore the error. */
284 #ifndef HAVE_W32_SYSTEM
285 return unlock_pinentry (tmperr);
289 full_pgmname = opt.pinentry_program;
290 if (!full_pgmname || !*full_pgmname)
291 full_pgmname = gnupg_module_name (GNUPG_MODULE_NAME_PINENTRY);
292 if ( !(pgmname = strrchr (full_pgmname, '/')))
293 pgmname = full_pgmname;
297 /* OS X needs the entire file name in argv[0], so that it can locate
298 the resource bundle. For other systems we stick to the usual
299 convention of supplying only the name of the program. */
301 argv[0] = full_pgmname;
306 if (!opt.keep_display
307 && (value = session_env_getenv (ctrl->session_env, "DISPLAY")))
309 argv[1] = "--display";
317 if (!opt.running_detached)
319 if (log_get_fd () != -1)
320 no_close_list[i++] = assuan_fd_from_posix_fd (log_get_fd ());
321 no_close_list[i++] = assuan_fd_from_posix_fd (fileno (stderr));
323 no_close_list[i] = ASSUAN_INVALID_FD;
325 rc = assuan_new (&ctx);
328 log_error ("can't allocate assuan context: %s\n", gpg_strerror (rc));
331 /* We don't want to log the pinentry communication to make the logs
332 easier to read. We might want to add a new debug option to enable
334 #ifdef ASSUAN_NO_LOGGING
335 assuan_set_flag (ctx, ASSUAN_NO_LOGGING, !opt.debug_pinentry);
338 /* Connect to the pinentry and perform initial handshaking. Note
339 that atfork is used to change the environment for pinentry. We
340 start the server in detached mode to suppress the console window
342 rc = assuan_pipe_connect (ctx, full_pgmname, argv,
343 no_close_list, atfork_cb, ctrl,
344 ASSUAN_PIPE_CONNECT_DETACHED);
347 log_error ("can't connect to the PIN entry module '%s': %s\n",
348 full_pgmname, gpg_strerror (rc));
349 assuan_release (ctx);
350 return unlock_pinentry (gpg_error (GPG_ERR_NO_PIN_ENTRY));
355 log_debug ("connection to PIN entry established\n");
357 rc = assuan_transact (entry_ctx,
358 opt.no_grab? "OPTION no-grab":"OPTION grab",
359 NULL, NULL, NULL, NULL, NULL, NULL);
361 return unlock_pinentry (rc);
363 value = session_env_getenv (ctrl->session_env, "GPG_TTY");
367 if (asprintf (&optstr, "OPTION ttyname=%s", value) < 0 )
368 return unlock_pinentry (out_of_core ());
369 rc = assuan_transact (entry_ctx, optstr, NULL, NULL, NULL, NULL, NULL,
373 return unlock_pinentry (rc);
375 value = session_env_getenv (ctrl->session_env, "TERM");
379 if (asprintf (&optstr, "OPTION ttytype=%s", value) < 0 )
380 return unlock_pinentry (out_of_core ());
381 rc = assuan_transact (entry_ctx, optstr, NULL, NULL, NULL, NULL, NULL,
385 return unlock_pinentry (rc);
390 if (asprintf (&optstr, "OPTION lc-ctype=%s", ctrl->lc_ctype) < 0 )
391 return unlock_pinentry (out_of_core ());
392 rc = assuan_transact (entry_ctx, optstr, NULL, NULL, NULL, NULL, NULL,
396 return unlock_pinentry (rc);
398 if (ctrl->lc_messages)
401 if (asprintf (&optstr, "OPTION lc-messages=%s", ctrl->lc_messages) < 0 )
402 return unlock_pinentry (out_of_core ());
403 rc = assuan_transact (entry_ctx, optstr, NULL, NULL, NULL, NULL, NULL,
407 return unlock_pinentry (rc);
411 if (opt.allow_external_cache)
413 /* Indicate to the pinentry that it may read from an external cache.
415 It is essential that the pinentry respect this. If the
416 cached password is not up to date and retry == 1, then, using
417 a version of GPG Agent that doesn't support this, won't issue
418 another pin request and the user won't get a chance to
419 correct the password. */
420 rc = assuan_transact (entry_ctx, "OPTION allow-external-password-cache",
421 NULL, NULL, NULL, NULL, NULL, NULL);
422 if (rc && gpg_err_code (rc) != GPG_ERR_UNKNOWN_OPTION)
423 return unlock_pinentry (rc);
426 if (opt.allow_emacs_pinentry)
428 /* Indicate to the pinentry that it may read passphrase through
429 Emacs minibuffer, if possible. */
430 rc = assuan_transact (entry_ctx, "OPTION allow-emacs-prompt",
431 NULL, NULL, NULL, NULL, NULL, NULL);
432 if (rc && gpg_err_code (rc) != GPG_ERR_UNKNOWN_OPTION)
433 return unlock_pinentry (rc);
438 /* Provide a few default strings for use by the pinentries. This
439 may help a pinentry to avoid implementing localization code. */
440 static struct { const char *key, *value; int what; } tbl[] = {
441 /* TRANSLATORS: These are labels for buttons etc used in
442 Pinentries. An underscore indicates that the next letter
443 should be used as an accelerator. Double the underscore for
444 a literal one. The actual to be translated text starts after
445 the second vertical bar. Note that gpg-agent has been set to
446 utf-8 so that the strings are in the expected encoding. */
447 { "ok", N_("|pinentry-label|_OK") },
448 { "cancel", N_("|pinentry-label|_Cancel") },
449 { "yes", N_("|pinentry-label|_Yes") },
450 { "no", N_("|pinentry-label|_No") },
451 { "prompt", N_("|pinentry-label|PIN:") },
452 { "pwmngr", N_("|pinentry-label|_Save in password manager"), 1 },
453 { "cf-visi",N_("Do you really want to make your "
454 "passphrase visible on the screen?") },
455 { "tt-visi",N_("|pinentry-tt|Make passphrase visible") },
456 { "tt-hide",N_("|pinentry-tt|Hide passphrase") },
463 for (idx=0; tbl[idx].key; idx++)
465 if (!opt.allow_external_cache && tbl[idx].what == 1)
466 continue; /* No need for it. */
467 s = L_(tbl[idx].value);
468 if (*s == '|' && (s2=strchr (s+1,'|')))
470 if (asprintf (&optstr, "OPTION default-%s=%s", tbl[idx].key, s) < 0 )
471 return unlock_pinentry (out_of_core ());
472 assuan_transact (entry_ctx, optstr, NULL, NULL, NULL, NULL, NULL,
478 /* Tell the pinentry that we would prefer that the given character
479 is used as the invisible character by the entry widget. */
480 if (opt.pinentry_invisible_char)
483 if ((optstr = xtryasprintf ("OPTION invisible-char=%s",
484 opt.pinentry_invisible_char)))
486 assuan_transact (entry_ctx, optstr, NULL, NULL, NULL, NULL, NULL,
488 /* We ignore errors because this is just a fancy thing and
489 older pinentries do not support this feature. */
494 if (opt.pinentry_timeout)
497 if ((optstr = xtryasprintf ("SETTIMEOUT %lu", opt.pinentry_timeout)))
499 assuan_transact (entry_ctx, optstr, NULL, NULL, NULL, NULL, NULL,
501 /* We ignore errors because this is just a fancy thing. */
506 /* Tell the pinentry the name of a file it shall touch after having
507 messed with the tty. This is optional and only supported by
508 newer pinentries and thus we do no error checking. */
509 tmpstr = opt.pinentry_touch_file;
510 if (tmpstr && !strcmp (tmpstr, "/dev/null"))
513 tmpstr = get_agent_socket_name ();
518 if (asprintf (&optstr, "OPTION touch-file=%s", tmpstr ) < 0 )
522 assuan_transact (entry_ctx, optstr, NULL, NULL, NULL, NULL, NULL,
529 /* Now ask the Pinentry for its PID. If the Pinentry is new enough
530 it will send the pid back and we will use an inquire to notify
531 our client. The client may answer the inquiry either with END or
532 with CAN to cancel the pinentry. */
533 rc = assuan_transact (entry_ctx, "GETINFO pid",
534 getinfo_pid_cb, &pinentry_pid,
535 NULL, NULL, NULL, NULL);
538 log_info ("You may want to update to a newer pinentry\n");
541 else if (!rc && (pid_t)pinentry_pid == (pid_t)(-1))
542 log_error ("pinentry did not return a PID\n");
545 rc = agent_inq_pinentry_launched (ctrl, pinentry_pid);
546 if (gpg_err_code (rc) == GPG_ERR_CANCELED
547 || gpg_err_code (rc) == GPG_ERR_FULLY_CANCELED)
548 return unlock_pinentry (gpg_err_make (GPG_ERR_SOURCE_DEFAULT,
557 /* Returns True if the pinentry is currently active. If WAITSECONDS is
558 greater than zero the function will wait for this many seconds
561 pinentry_active_p (ctrl_t ctrl, int waitseconds)
568 struct timespec abstime;
571 npth_clock_gettime (&abstime);
572 abstime.tv_sec += waitseconds;
573 err = npth_mutex_timedlock (&entry_lock, &abstime);
576 if (err == ETIMEDOUT)
577 rc = gpg_error (GPG_ERR_TIMEOUT);
579 rc = gpg_error (GPG_ERR_INTERNAL);
585 err = npth_mutex_trylock (&entry_lock);
587 return gpg_error (GPG_ERR_LOCKED);
590 err = npth_mutex_unlock (&entry_lock);
592 log_error ("failed to release the entry lock at %d: %s\n", __LINE__,
599 getpin_cb (void *opaque, const void *buffer, size_t length)
601 struct entry_parm_s *parm = opaque;
606 /* we expect the pin to fit on one line */
607 if (parm->lines || length >= parm->size)
608 return gpg_error (GPG_ERR_ASS_TOO_MUCH_DATA);
610 /* fixme: we should make sure that the assuan buffer is allocated in
611 secure memory or read the response byte by byte */
612 memcpy (parm->buffer, buffer, length);
613 parm->buffer[length] = 0;
620 all_digitsp( const char *s)
622 for (; *s && *s >= '0' && *s <= '9'; s++)
628 /* Return a new malloced string by unescaping the string S. Escaping
629 is percent escaping and '+'/space mapping. A binary Nul will
630 silently be replaced by a 0xFF. Function returns NULL to indicate
631 an out of memory status. Parsing stops at the end of the string or
632 a white space character. */
634 unescape_passphrase_string (const unsigned char *s)
638 buffer = d = xtrymalloc_secure (strlen ((const char*)s)+1);
641 while (*s && !spacep (s))
643 if (*s == '%' && s[1] && s[2])
665 /* Estimate the quality of the passphrase PW and return a value in the
668 estimate_passphrase_quality (const char *pw)
670 int goodlength = opt.min_passphrase_len + opt.min_passphrase_len/3;
677 for (length = 0, s = pw; *s; s++)
681 if (length > goodlength)
683 return ((length*10) / goodlength)*10;
687 /* Handle the QUALITY inquiry. */
689 inq_quality (void *opaque, const char *line)
691 assuan_context_t ctx = opaque;
698 if ((s = has_leading_keyword (line, "QUALITY")))
700 pin = unescape_passphrase_string (s);
702 rc = gpg_error_from_syserror ();
705 percent = estimate_passphrase_quality (pin);
706 if (check_passphrase_constraints (NULL, pin, NULL))
708 snprintf (numbuf, sizeof numbuf, "%d", percent);
709 rc = assuan_send_data (ctx, numbuf, strlen (numbuf));
715 log_error ("unsupported inquiry '%s' from pinentry\n", line);
716 rc = gpg_error (GPG_ERR_ASS_UNKNOWN_INQUIRE);
723 /* Helper for agent_askpin and agent_get_passphrase. */
725 setup_qualitybar (ctrl_t ctrl)
728 char line[ASSUAN_LINELENGTH];
729 char *tmpstr, *tmpstr2;
734 /* TRANSLATORS: This string is displayed by Pinentry as the label
735 for the quality bar. */
736 tmpstr = try_percent_escape (L_("Quality:"), "\t\r\n\f\v");
737 snprintf (line, DIM(line)-1, "SETQUALITYBAR %s", tmpstr? tmpstr:"");
738 line[DIM(line)-1] = 0;
740 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
741 if (rc == 103 /*(Old assuan error code)*/
742 || gpg_err_code (rc) == GPG_ERR_ASS_UNKNOWN_CMD)
743 ; /* Ignore Unknown Command from old Pinentry versions. */
747 tmpstr2 = gnupg_get_help_string ("pinentry.qualitybar.tooltip", 0);
752 /* TRANSLATORS: This string is a tooltip, shown by pinentry when
753 hovering over the quality bar. Please use an appropriate
754 string to describe what this is about. The length of the
755 tooltip is limited to about 900 characters. If you do not
756 translate this entry, a default english text (see source)
758 tooltip = L_("pinentry.qualitybar.tooltip");
759 if (!strcmp ("pinentry.qualitybar.tooltip", tooltip))
760 tooltip = ("The quality of the text entered above.\n"
761 "Please ask your administrator for "
762 "details about the criteria.");
764 tmpstr = try_percent_escape (tooltip, "\t\r\n\f\v");
766 snprintf (line, DIM(line)-1, "SETQUALITYBAR_TT %s", tmpstr? tmpstr:"");
767 line[DIM(line)-1] = 0;
769 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
770 if (rc == 103 /*(Old assuan error code)*/
771 || gpg_err_code (rc) == GPG_ERR_ASS_UNKNOWN_CMD)
772 ; /* Ignore Unknown Command from old pinentry versions. */
781 PINENTRY_STATUS_CLOSE_BUTTON = 1 << 0,
782 PINENTRY_STATUS_PIN_REPEATED = 1 << 8,
783 PINENTRY_STATUS_PASSWORD_FROM_CACHE = 1 << 9
786 /* Check the button_info line for a close action. Also check for the
787 PIN_REPEATED flag. */
789 pinentry_status_cb (void *opaque, const char *line)
791 unsigned int *flag = opaque;
794 if ((args = has_leading_keyword (line, "BUTTON_INFO")))
796 if (!strcmp (args, "close"))
797 *flag |= PINENTRY_STATUS_CLOSE_BUTTON;
799 else if (has_leading_keyword (line, "PIN_REPEATED"))
801 *flag |= PINENTRY_STATUS_PIN_REPEATED;
803 else if (has_leading_keyword (line, "PASSWORD_FROM_CACHE"))
805 *flag |= PINENTRY_STATUS_PASSWORD_FROM_CACHE;
814 /* Call the Entry and ask for the PIN. We do check for a valid PIN
815 number here and repeat it as long as we have invalid formed
816 numbers. KEYINFO and CACHE_MODE are used to tell pinentry something
819 agent_askpin (ctrl_t ctrl,
820 const char *desc_text, const char *prompt_text,
821 const char *initial_errtext,
822 struct pin_entry_info_s *pininfo,
823 const char *keyinfo, cache_mode_t cache_mode)
826 char line[ASSUAN_LINELENGTH];
827 struct entry_parm_s parm;
828 const char *errtext = NULL;
831 unsigned int pinentry_status;
834 return 0; /* fixme: we should return BAD PIN */
836 if (ctrl->pinentry_mode != PINENTRY_MODE_ASK)
838 if (ctrl->pinentry_mode == PINENTRY_MODE_CANCEL)
839 return gpg_error (GPG_ERR_CANCELED);
840 if (ctrl->pinentry_mode == PINENTRY_MODE_LOOPBACK)
842 unsigned char *passphrase;
845 *pininfo->pin = 0; /* Reset the PIN. */
846 rc = pinentry_loopback(ctrl, "PASSPHRASE", &passphrase, &size,
847 pininfo->max_length - 1);
851 memcpy(&pininfo->pin, passphrase, size);
853 pininfo->pin[size] = 0;
854 if (pininfo->check_cb)
856 /* More checks by utilizing the optional callback. */
857 pininfo->cb_errtext = NULL;
858 rc = pininfo->check_cb (pininfo);
862 return gpg_error(GPG_ERR_NO_PIN_ENTRY);
865 if (!pininfo || pininfo->max_length < 1)
866 return gpg_error (GPG_ERR_INV_VALUE);
867 if (!desc_text && pininfo->min_digits)
868 desc_text = L_("Please enter your PIN, so that the secret key "
869 "can be unlocked for this session");
871 desc_text = L_("Please enter your passphrase, so that the secret key "
872 "can be unlocked for this session");
875 is_pin = !!strstr (prompt_text, "PIN");
877 is_pin = desc_text && strstr (desc_text, "PIN");
879 rc = start_pinentry (ctrl);
883 /* If we have a KEYINFO string and are normal, user, or ssh cache
884 mode, we tell that the Pinentry so it may use it for own caching
885 purposes. Most pinentries won't have this implemented and thus
886 we do not error out in this case. */
887 if (keyinfo && (cache_mode == CACHE_MODE_NORMAL
888 || cache_mode == CACHE_MODE_USER
889 || cache_mode == CACHE_MODE_SSH))
890 snprintf (line, DIM(line)-1, "SETKEYINFO %c/%s",
891 cache_mode == CACHE_MODE_USER? 'u' :
892 cache_mode == CACHE_MODE_SSH? 's' : 'n',
895 snprintf (line, DIM(line)-1, "SETKEYINFO --clear");
897 rc = assuan_transact (entry_ctx, line,
898 NULL, NULL, NULL, NULL, NULL, NULL);
899 if (rc && gpg_err_code (rc) != GPG_ERR_ASS_UNKNOWN_CMD)
900 return unlock_pinentry (rc);
902 snprintf (line, DIM(line)-1, "SETDESC %s", desc_text);
903 line[DIM(line)-1] = 0;
904 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
906 return unlock_pinentry (rc);
908 snprintf (line, DIM(line)-1, "SETPROMPT %s",
909 prompt_text? prompt_text : is_pin? L_("PIN:") : L_("Passphrase:"));
910 line[DIM(line)-1] = 0;
911 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
913 return unlock_pinentry (rc);
915 /* If a passphrase quality indicator has been requested and a
916 minimum passphrase length has not been disabled, send the command
918 if (pininfo->with_qualitybar && opt.min_passphrase_len )
920 rc = setup_qualitybar (ctrl);
922 return unlock_pinentry (rc);
927 snprintf (line, DIM(line)-1, "SETERROR %s", initial_errtext);
928 line[DIM(line)-1] = 0;
929 rc = assuan_transact (entry_ctx, line,
930 NULL, NULL, NULL, NULL, NULL, NULL);
932 return unlock_pinentry (rc);
935 if (pininfo->with_repeat)
937 snprintf (line, DIM(line)-1, "SETREPEATERROR %s",
938 L_("does not match - try again"));
939 line[DIM(line)-1] = 0;
940 rc = assuan_transact (entry_ctx, line,
941 NULL, NULL, NULL, NULL, NULL, NULL);
943 pininfo->with_repeat = 0; /* Pinentry does not support it. */
945 pininfo->repeat_okay = 0;
947 for (;pininfo->failed_tries < pininfo->max_tries; pininfo->failed_tries++)
949 memset (&parm, 0, sizeof parm);
950 parm.size = pininfo->max_length;
951 *pininfo->pin = 0; /* Reset the PIN. */
952 parm.buffer = (unsigned char*)pininfo->pin;
956 /* TRANSLATORS: The string is appended to an error message in
957 the pinentry. The %s is the actual error message, the
958 two %d give the current and maximum number of tries. */
959 snprintf (line, DIM(line)-1, L_("SETERROR %s (try %d of %d)"),
960 errtext, pininfo->failed_tries+1, pininfo->max_tries);
961 line[DIM(line)-1] = 0;
962 rc = assuan_transact (entry_ctx, line,
963 NULL, NULL, NULL, NULL, NULL, NULL);
965 return unlock_pinentry (rc);
969 if (pininfo->with_repeat)
971 snprintf (line, DIM(line)-1, "SETREPEAT %s", L_("Repeat:"));
972 line[DIM(line)-1] = 0;
973 rc = assuan_transact (entry_ctx, line,
974 NULL, NULL, NULL, NULL, NULL, NULL);
976 return unlock_pinentry (rc);
979 saveflag = assuan_get_flag (entry_ctx, ASSUAN_CONFIDENTIAL);
980 assuan_begin_confidential (entry_ctx);
982 rc = assuan_transact (entry_ctx, "GETPIN", getpin_cb, &parm,
983 inq_quality, entry_ctx,
984 pinentry_status_cb, &pinentry_status);
985 assuan_set_flag (entry_ctx, ASSUAN_CONFIDENTIAL, saveflag);
986 /* Most pinentries out in the wild return the old Assuan error code
987 for canceled which gets translated to an assuan Cancel error and
988 not to the code for a user cancel. Fix this here. */
989 if (rc && gpg_err_source (rc)
990 && gpg_err_code (rc) == GPG_ERR_ASS_CANCELED)
991 rc = gpg_err_make (gpg_err_source (rc), GPG_ERR_CANCELED);
994 /* Change error code in case the window close button was clicked
995 to cancel the operation. */
996 if ((pinentry_status & PINENTRY_STATUS_CLOSE_BUTTON)
997 && gpg_err_code (rc) == GPG_ERR_CANCELED)
998 rc = gpg_err_make (gpg_err_source (rc), GPG_ERR_FULLY_CANCELED);
1000 if (gpg_err_code (rc) == GPG_ERR_ASS_TOO_MUCH_DATA)
1001 errtext = is_pin? L_("PIN too long")
1002 : L_("Passphrase too long");
1004 return unlock_pinentry (rc);
1006 if (!errtext && pininfo->min_digits)
1008 /* do some basic checks on the entered PIN. */
1009 if (!all_digitsp (pininfo->pin))
1010 errtext = L_("Invalid characters in PIN");
1011 else if (pininfo->max_digits
1012 && strlen (pininfo->pin) > pininfo->max_digits)
1013 errtext = L_("PIN too long");
1014 else if (strlen (pininfo->pin) < pininfo->min_digits)
1015 errtext = L_("PIN too short");
1018 if (!errtext && pininfo->check_cb)
1020 /* More checks by utilizing the optional callback. */
1021 pininfo->cb_errtext = NULL;
1022 rc = pininfo->check_cb (pininfo);
1023 if (gpg_err_code (rc) == GPG_ERR_BAD_PASSPHRASE
1024 && pininfo->cb_errtext)
1025 errtext = pininfo->cb_errtext;
1026 else if (gpg_err_code (rc) == GPG_ERR_BAD_PASSPHRASE
1027 || gpg_err_code (rc) == GPG_ERR_BAD_PIN)
1028 errtext = (is_pin? L_("Bad PIN") : L_("Bad Passphrase"));
1030 return unlock_pinentry (rc);
1035 if (pininfo->with_repeat
1036 && (pinentry_status & PINENTRY_STATUS_PIN_REPEATED))
1037 pininfo->repeat_okay = 1;
1038 return unlock_pinentry (0); /* okay, got a PIN or passphrase */
1041 if ((pinentry_status & PINENTRY_STATUS_PASSWORD_FROM_CACHE))
1042 /* The password was read from the cache. Don't count this
1043 against the retry count. */
1044 pininfo->failed_tries --;
1047 return unlock_pinentry (gpg_error (pininfo->min_digits? GPG_ERR_BAD_PIN
1048 : GPG_ERR_BAD_PASSPHRASE));
1053 /* Ask for the passphrase using the supplied arguments. The returned
1054 passphrase needs to be freed by the caller. */
1056 agent_get_passphrase (ctrl_t ctrl,
1057 char **retpass, const char *desc, const char *prompt,
1058 const char *errtext, int with_qualitybar,
1059 const char *keyinfo, cache_mode_t cache_mode)
1063 char line[ASSUAN_LINELENGTH];
1064 struct entry_parm_s parm;
1066 unsigned int pinentry_status;
1070 return gpg_error (GPG_ERR_BAD_PASSPHRASE);
1072 if (ctrl->pinentry_mode != PINENTRY_MODE_ASK)
1074 if (ctrl->pinentry_mode == PINENTRY_MODE_CANCEL)
1075 return gpg_error (GPG_ERR_CANCELED);
1077 if (ctrl->pinentry_mode == PINENTRY_MODE_LOOPBACK)
1080 size_t len = ASSUAN_LINELENGTH/2;
1082 return pinentry_loopback (ctrl, "PASSPHRASE",
1083 (unsigned char **)retpass, &size, len);
1085 return gpg_error (GPG_ERR_NO_PIN_ENTRY);
1088 rc = start_pinentry (ctrl);
1093 prompt = desc && strstr (desc, "PIN")? L_("PIN:"): L_("Passphrase:");
1096 /* If we have a KEYINFO string and are normal, user, or ssh cache
1097 mode, we tell that the Pinentry so it may use it for own caching
1098 purposes. Most pinentries won't have this implemented and thus
1099 we do not error out in this case. */
1100 if (keyinfo && (cache_mode == CACHE_MODE_NORMAL
1101 || cache_mode == CACHE_MODE_USER
1102 || cache_mode == CACHE_MODE_SSH))
1103 snprintf (line, DIM(line)-1, "SETKEYINFO %c/%s",
1104 cache_mode == CACHE_MODE_USER? 'u' :
1105 cache_mode == CACHE_MODE_SSH? 's' : 'n',
1108 snprintf (line, DIM(line)-1, "SETKEYINFO --clear");
1110 rc = assuan_transact (entry_ctx, line,
1111 NULL, NULL, NULL, NULL, NULL, NULL);
1112 if (rc && gpg_err_code (rc) != GPG_ERR_ASS_UNKNOWN_CMD)
1113 return unlock_pinentry (rc);
1117 snprintf (line, DIM(line)-1, "SETDESC %s", desc);
1119 snprintf (line, DIM(line)-1, "RESET");
1120 line[DIM(line)-1] = 0;
1121 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
1123 return unlock_pinentry (rc);
1125 snprintf (line, DIM(line)-1, "SETPROMPT %s", prompt);
1126 line[DIM(line)-1] = 0;
1127 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
1129 return unlock_pinentry (rc);
1131 if (with_qualitybar && opt.min_passphrase_len)
1133 rc = setup_qualitybar (ctrl);
1135 return unlock_pinentry (rc);
1140 snprintf (line, DIM(line)-1, "SETERROR %s", errtext);
1141 line[DIM(line)-1] = 0;
1142 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
1144 return unlock_pinentry (rc);
1147 memset (&parm, 0, sizeof parm);
1148 parm.size = ASSUAN_LINELENGTH/2 - 5;
1149 parm.buffer = gcry_malloc_secure (parm.size+10);
1151 return unlock_pinentry (out_of_core ());
1153 saveflag = assuan_get_flag (entry_ctx, ASSUAN_CONFIDENTIAL);
1154 assuan_begin_confidential (entry_ctx);
1155 pinentry_status = 0;
1156 rc = assuan_transact (entry_ctx, "GETPIN", getpin_cb, &parm,
1157 inq_quality, entry_ctx,
1158 pinentry_status_cb, &pinentry_status);
1159 assuan_set_flag (entry_ctx, ASSUAN_CONFIDENTIAL, saveflag);
1160 /* Most pinentries out in the wild return the old Assuan error code
1161 for canceled which gets translated to an assuan Cancel error and
1162 not to the code for a user cancel. Fix this here. */
1163 if (rc && gpg_err_source (rc) && gpg_err_code (rc) == GPG_ERR_ASS_CANCELED)
1164 rc = gpg_err_make (gpg_err_source (rc), GPG_ERR_CANCELED);
1165 /* Change error code in case the window close button was clicked
1166 to cancel the operation. */
1167 if ((pinentry_status & PINENTRY_STATUS_CLOSE_BUTTON)
1168 && gpg_err_code (rc) == GPG_ERR_CANCELED)
1169 rc = gpg_err_make (gpg_err_source (rc), GPG_ERR_FULLY_CANCELED);
1172 xfree (parm.buffer);
1174 *retpass = parm.buffer;
1175 return unlock_pinentry (rc);
1180 /* Pop up the PIN-entry, display the text and the prompt and ask the
1181 user to confirm this. We return 0 for success, ie. the user
1182 confirmed it, GPG_ERR_NOT_CONFIRMED for what the text says or an
1183 other error. If WITH_CANCEL it true an extra cancel button is
1184 displayed to allow the user to easily return a GPG_ERR_CANCELED.
1185 if the Pinentry does not support this, the user can still cancel by
1186 closing the Pinentry window. */
1188 agent_get_confirmation (ctrl_t ctrl,
1189 const char *desc, const char *ok,
1190 const char *notok, int with_cancel)
1193 char line[ASSUAN_LINELENGTH];
1195 if (ctrl->pinentry_mode != PINENTRY_MODE_ASK)
1197 if (ctrl->pinentry_mode == PINENTRY_MODE_CANCEL)
1198 return gpg_error (GPG_ERR_CANCELED);
1200 return gpg_error (GPG_ERR_NO_PIN_ENTRY);
1203 rc = start_pinentry (ctrl);
1208 snprintf (line, DIM(line)-1, "SETDESC %s", desc);
1210 snprintf (line, DIM(line)-1, "RESET");
1211 line[DIM(line)-1] = 0;
1212 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
1213 /* Most pinentries out in the wild return the old Assuan error code
1214 for canceled which gets translated to an assuan Cancel error and
1215 not to the code for a user cancel. Fix this here. */
1216 if (rc && gpg_err_source (rc) && gpg_err_code (rc) == GPG_ERR_ASS_CANCELED)
1217 rc = gpg_err_make (gpg_err_source (rc), GPG_ERR_CANCELED);
1220 return unlock_pinentry (rc);
1224 snprintf (line, DIM(line)-1, "SETOK %s", ok);
1225 line[DIM(line)-1] = 0;
1226 rc = assuan_transact (entry_ctx,
1227 line, NULL, NULL, NULL, NULL, NULL, NULL);
1229 return unlock_pinentry (rc);
1233 /* Try to use the newer NOTOK feature if a cancel button is
1234 requested. If no cancel button is requested we keep on using
1235 the standard cancel. */
1238 snprintf (line, DIM(line)-1, "SETNOTOK %s", notok);
1239 line[DIM(line)-1] = 0;
1240 rc = assuan_transact (entry_ctx,
1241 line, NULL, NULL, NULL, NULL, NULL, NULL);
1244 rc = GPG_ERR_ASS_UNKNOWN_CMD;
1246 if (gpg_err_code (rc) == GPG_ERR_ASS_UNKNOWN_CMD)
1248 snprintf (line, DIM(line)-1, "SETCANCEL %s", notok);
1249 line[DIM(line)-1] = 0;
1250 rc = assuan_transact (entry_ctx, line,
1251 NULL, NULL, NULL, NULL, NULL, NULL);
1254 return unlock_pinentry (rc);
1257 rc = assuan_transact (entry_ctx, "CONFIRM",
1258 NULL, NULL, NULL, NULL, NULL, NULL);
1259 if (rc && gpg_err_source (rc) && gpg_err_code (rc) == GPG_ERR_ASS_CANCELED)
1260 rc = gpg_err_make (gpg_err_source (rc), GPG_ERR_CANCELED);
1262 return unlock_pinentry (rc);
1267 /* Pop up the PINentry, display the text DESC and a button with the
1268 text OK_BTN (which may be NULL to use the default of "OK") and wait
1269 for the user to hit this button. The return value is not
1272 agent_show_message (ctrl_t ctrl, const char *desc, const char *ok_btn)
1275 char line[ASSUAN_LINELENGTH];
1277 if (ctrl->pinentry_mode != PINENTRY_MODE_ASK)
1278 return gpg_error (GPG_ERR_CANCELED);
1280 rc = start_pinentry (ctrl);
1285 snprintf (line, DIM(line)-1, "SETDESC %s", desc);
1287 snprintf (line, DIM(line)-1, "RESET");
1288 line[DIM(line)-1] = 0;
1289 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
1290 /* Most pinentries out in the wild return the old Assuan error code
1291 for canceled which gets translated to an assuan Cancel error and
1292 not to the code for a user cancel. Fix this here. */
1293 if (rc && gpg_err_source (rc) && gpg_err_code (rc) == GPG_ERR_ASS_CANCELED)
1294 rc = gpg_err_make (gpg_err_source (rc), GPG_ERR_CANCELED);
1297 return unlock_pinentry (rc);
1301 snprintf (line, DIM(line)-1, "SETOK %s", ok_btn);
1302 line[DIM(line)-1] = 0;
1303 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL,
1306 return unlock_pinentry (rc);
1309 rc = assuan_transact (entry_ctx, "CONFIRM --one-button", NULL, NULL, NULL,
1311 if (rc && gpg_err_source (rc) && gpg_err_code (rc) == GPG_ERR_ASS_CANCELED)
1312 rc = gpg_err_make (gpg_err_source (rc), GPG_ERR_CANCELED);
1314 return unlock_pinentry (rc);
1318 /* The thread running the popup message. */
1320 popup_message_thread (void *arg)
1324 /* We use the --one-button hack instead of the MESSAGE command to
1325 allow the use of old Pinentries. Those old Pinentries will then
1326 show an additional Cancel button but that is mostly a visual
1328 assuan_transact (entry_ctx, "CONFIRM --one-button",
1329 NULL, NULL, NULL, NULL, NULL, NULL);
1335 /* Pop up a message window similar to the confirm one but keep it open
1336 until agent_popup_message_stop has been called. It is crucial for
1337 the caller to make sure that the stop function gets called as soon
1338 as the message is not anymore required because the message is
1339 system modal and all other attempts to use the pinentry will fail
1340 (after a timeout). */
1342 agent_popup_message_start (ctrl_t ctrl, const char *desc, const char *ok_btn)
1345 char line[ASSUAN_LINELENGTH];
1349 if (ctrl->pinentry_mode != PINENTRY_MODE_ASK)
1350 return gpg_error (GPG_ERR_CANCELED);
1352 rc = start_pinentry (ctrl);
1357 snprintf (line, DIM(line)-1, "SETDESC %s", desc);
1359 snprintf (line, DIM(line)-1, "RESET");
1360 line[DIM(line)-1] = 0;
1361 rc = assuan_transact (entry_ctx, line, NULL, NULL, NULL, NULL, NULL, NULL);
1363 return unlock_pinentry (rc);
1367 snprintf (line, DIM(line)-1, "SETOK %s", ok_btn);
1368 line[DIM(line)-1] = 0;
1369 rc = assuan_transact (entry_ctx, line, NULL,NULL,NULL,NULL,NULL,NULL);
1371 return unlock_pinentry (rc);
1374 err = npth_attr_init (&tattr);
1376 return unlock_pinentry (gpg_error_from_errno (err));
1377 npth_attr_setdetachstate (&tattr, NPTH_CREATE_JOINABLE);
1380 err = npth_create (&popup_tid, &tattr, popup_message_thread, NULL);
1381 npth_attr_destroy (&tattr);
1384 rc = gpg_error_from_errno (err);
1385 log_error ("error spawning popup message handler: %s\n",
1387 return unlock_pinentry (rc);
1389 npth_setname_np (popup_tid, "popup-message");
1394 /* Close a popup window. */
1396 agent_popup_message_stop (ctrl_t ctrl)
1403 if (!popup_tid || !entry_ctx)
1405 log_debug ("agent_popup_message_stop called with no active popup\n");
1409 pid = assuan_get_pid (entry_ctx);
1410 if (pid == (pid_t)(-1))
1411 ; /* No pid available can't send a kill. */
1412 else if (popup_finished)
1413 ; /* Already finished and ready for joining. */
1414 #ifdef HAVE_W32_SYSTEM
1415 /* Older versions of assuan set PID to 0 on Windows to indicate an
1417 else if (pid != (pid_t) INVALID_HANDLE_VALUE
1420 HANDLE process = (HANDLE) pid;
1422 /* Arbitrary error code. */
1423 TerminateProcess (process, 1);
1426 else if (pid && ((rc=waitpid (pid, NULL, WNOHANG))==-1 || (rc == pid)) )
1427 { /* The daemon already died. No need to send a kill. However
1428 because we already waited for the process, we need to tell
1429 assuan that it should not wait again (done by
1430 unlock_pinentry). */
1432 assuan_set_flag (entry_ctx, ASSUAN_NO_WAITPID, 1);
1438 /* Now wait for the thread to terminate. */
1439 rc = npth_join (popup_tid, NULL);
1441 log_debug ("agent_popup_message_stop: pth_join failed: %s\n",
1443 /* Thread IDs are opaque, but we try our best here by resetting it
1444 to the same content that a static global variable has. */
1445 memset (&popup_tid, '\0', sizeof (popup_tid));
1448 /* Now we can close the connection. */
1449 unlock_pinentry (0);
1453 agent_clear_passphrase (ctrl_t ctrl,
1454 const char *keyinfo, cache_mode_t cache_mode)
1457 char line[ASSUAN_LINELENGTH];
1459 if (! (keyinfo && (cache_mode == CACHE_MODE_NORMAL
1460 || cache_mode == CACHE_MODE_USER
1461 || cache_mode == CACHE_MODE_SSH)))
1462 return gpg_error (GPG_ERR_NOT_SUPPORTED);
1464 rc = start_pinentry (ctrl);
1468 snprintf (line, DIM(line)-1, "CLEARPASSPHRASE %c/%s",
1469 cache_mode == CACHE_MODE_USER? 'u' :
1470 cache_mode == CACHE_MODE_SSH? 's' : 'n',
1472 rc = assuan_transact (entry_ctx, line,
1473 NULL, NULL, NULL, NULL, NULL, NULL);
1475 return unlock_pinentry (rc);