diff options
Diffstat (limited to 'lib')
-rw-r--r-- | lib/GnuPGAgent.hs | 41 | ||||
-rw-r--r-- | lib/KeyRing.hs | 157 | ||||
-rw-r--r-- | lib/Kiki.hs | 17 |
3 files changed, 165 insertions, 50 deletions
diff --git a/lib/GnuPGAgent.hs b/lib/GnuPGAgent.hs index 8bffd1b..165fdf2 100644 --- a/lib/GnuPGAgent.hs +++ b/lib/GnuPGAgent.hs | |||
@@ -3,6 +3,8 @@ | |||
3 | {-# LANGUAGE PatternGuards #-} | 3 | {-# LANGUAGE PatternGuards #-} |
4 | module GnuPGAgent | 4 | module GnuPGAgent |
5 | ( session | 5 | ( session |
6 | , Query(..) | ||
7 | , QueryMode(..) | ||
6 | , getPassphrase | 8 | , getPassphrase |
7 | , clearPassphrase | 9 | , clearPassphrase |
8 | , quit ) where | 10 | , quit ) where |
@@ -44,6 +46,12 @@ session = do | |||
44 | connect sock (SockAddrUnix (gpghome ++ "/S.gpg-agent")) | 46 | connect sock (SockAddrUnix (gpghome ++ "/S.gpg-agent")) |
45 | agent <- socketToHandle sock ReadWriteMode | 47 | agent <- socketToHandle sock ReadWriteMode |
46 | hSetBuffering agent LineBuffering | 48 | hSetBuffering agent LineBuffering |
49 | lookupEnv "DISPLAY" >>= \case | ||
50 | Just display -> do hPutStrLn agent ("option putenv DISPLAY="++display) | ||
51 | _ <- hGetLine agent | ||
52 | return () | ||
53 | Nothing -> return () | ||
54 | -- TODO: GPG_TTY | ||
47 | return $ Just $ GnuPGAgent agent | 55 | return $ Just $ GnuPGAgent agent |
48 | Nothing -> do | 56 | Nothing -> do |
49 | hPutStrLn stderr "Unable to find home directory." | 57 | hPutStrLn stderr "Unable to find home directory." |
@@ -64,23 +72,42 @@ clearPassphrase agent key = do | |||
64 | let cmd = "clear_passphrase "++fingerprint key | 72 | let cmd = "clear_passphrase "++fingerprint key |
65 | hPutStrLn (agentHandle agent) cmd | 73 | hPutStrLn (agentHandle agent) cmd |
66 | 74 | ||
67 | getPassphrase :: GnuPGAgent -> Bool -> Packet -> String -> Maybe Packet -> IO (Maybe String) | 75 | data Query = Query |
68 | getPassphrase agent ask key uid masterkey = do | 76 | { queryPacket :: Packet |
69 | let askopt = if ask then "" else "--no-ask " | 77 | , queryUID :: String |
70 | (er,pr,desc) = prompts key uid masterkey | 78 | , queryMainKey :: Maybe Packet |
79 | } | ||
80 | deriving Show | ||
81 | |||
82 | data QueryMode = AskNot | AskAgain String | Ask | ||
83 | deriving (Show,Eq,Ord) | ||
84 | |||
85 | getPassphrase :: GnuPGAgent -> QueryMode -> Query -> IO (Maybe String) | ||
86 | getPassphrase agent ask (Query key uid masterkey) = do | ||
87 | let (er0,pr,desc) = prompts key uid masterkey | ||
88 | (er,askopt) = case ask of | ||
89 | AskNot -> (er0,"--no-ask") | ||
90 | AskAgain ermsg -> (ermsg,"") | ||
91 | Ask -> (er0,"") | ||
71 | cmd = "get_passphrase "++askopt++fingerprint key++" "++unwords (map percentPlusEscape [er,pr,desc]) | 92 | cmd = "get_passphrase "++askopt++fingerprint key++" "++unwords (map percentPlusEscape [er,pr,desc]) |
72 | putStrLn cmd | 93 | -- putStrLn cmd |
73 | hPutStrLn (agentHandle agent) cmd | 94 | hPutStrLn (agentHandle agent) cmd |
74 | r0 <- hGetLine (agentHandle agent) | 95 | r0 <- hGetLine (agentHandle agent) |
96 | -- putStrLn $ "agent says: " ++ r0 | ||
75 | case takeWhile (/=' ') r0 of | 97 | case takeWhile (/=' ') r0 of |
76 | "OK" -> hGetLine (agentHandle agent) >>= unhex . drop 3 | 98 | "OK" -> hGetLine (agentHandle agent) >>= unhex . drop 3 |
77 | where | 99 | where |
78 | #if defined(VERSION_memory) | 100 | #if defined(VERSION_memory) |
79 | unhex hx = case convertFromBase Base16 (S8.pack hx) of | 101 | unhex hx = case convertFromBase Base16 (S8.pack hx) of |
80 | Left e -> return Nothing | 102 | Left e -> do |
103 | -- Useful for debugging but insecure generally ;) | ||
104 | -- putStrLn $ "convertFromBase error for input "++show hx++": "++show e | ||
105 | return Nothing | ||
81 | Right bs -> return $ Just $ S8.unpack bs | 106 | Right bs -> return $ Just $ S8.unpack bs |
82 | #elif defined(VERSION_dataenc) | 107 | #elif defined(VERSION_dataenc) |
83 | unhex hx = return $ fmap (map $ chr . fromIntegral) $ Base16.decode hx | 108 | unhex hx = maybe (return () {- putStrLn $ "dataenc error for input "++show hx -}) |
109 | return | ||
110 | $ fmap (map $ chr . fromIntegral) $ Base16.decode hx | ||
84 | #endif | 111 | #endif |
85 | "ERR" -> return Nothing | 112 | "ERR" -> return Nothing |
86 | 113 | ||
diff --git a/lib/KeyRing.hs b/lib/KeyRing.hs index ae2d14d..a055dad 100644 --- a/lib/KeyRing.hs +++ b/lib/KeyRing.hs | |||
@@ -47,7 +47,8 @@ module KeyRing | |||
47 | , KeyFilter(..) | 47 | , KeyFilter(..) |
48 | -- * Results of a KeyRing Operation | 48 | -- * Results of a KeyRing Operation |
49 | , KeyRingRuntime(..) | 49 | , KeyRingRuntime(..) |
50 | , MappedPacket(..) | 50 | , OriginMapped(..) |
51 | , MappedPacket | ||
51 | , KeyDB | 52 | , KeyDB |
52 | , KeyData(..) | 53 | , KeyData(..) |
53 | , SubKey(..) | 54 | , SubKey(..) |
@@ -209,6 +210,7 @@ import Base58 | |||
209 | import FunctorToMaybe | 210 | import FunctorToMaybe |
210 | import DotLock | 211 | import DotLock |
211 | import ProcessUtils (systemEnv, ExitCode(ExitFailure, ExitSuccess) ) | 212 | import ProcessUtils (systemEnv, ExitCode(ExitFailure, ExitSuccess) ) |
213 | import GnuPGAgent as Agent | ||
212 | 214 | ||
213 | -- DER-encoded elliptic curve ids | 215 | -- DER-encoded elliptic curve ids |
214 | -- nistp256_id = 0x2a8648ce3d030107 | 216 | -- nistp256_id = 0x2a8648ce3d030107 |
@@ -429,6 +431,7 @@ data PassphraseSpec = PassphraseSpec | |||
429 | } | 431 | } |
430 | -- | Use this to carry pasphrases from a previous run. | 432 | -- | Use this to carry pasphrases from a previous run. |
431 | | PassphraseMemoizer PacketTranscoder | 433 | | PassphraseMemoizer PacketTranscoder |
434 | | PassphraseAgent | ||
432 | 435 | ||
433 | instance Show PassphraseSpec where | 436 | instance Show PassphraseSpec where |
434 | show (PassphraseSpec a b c) = "PassphraseSpec "++show (a,b,c) | 437 | show (PassphraseSpec a b c) = "PassphraseSpec "++show (a,b,c) |
@@ -1433,6 +1436,9 @@ doesInputFileExist ctx f = do | |||
1433 | -} | 1436 | -} |
1434 | 1437 | ||
1435 | 1438 | ||
1439 | -- | Reads contents of an 'InputFile' or returns the cached content from a prior call. | ||
1440 | -- An optional prompt is provided and will be printed on stdout only in the case that | ||
1441 | -- the provided 'InputFile' is 'FileDesc' 0 (i.e. stdin). | ||
1436 | cachedContents :: Maybe S.ByteString -> InputFileContext -> InputFile -> IO (IO S.ByteString) | 1442 | cachedContents :: Maybe S.ByteString -> InputFileContext -> InputFile -> IO (IO S.ByteString) |
1437 | cachedContents maybePrompt ctx fd = do | 1443 | cachedContents maybePrompt ctx fd = do |
1438 | ref <- newIORef Nothing | 1444 | ref <- newIORef Nothing |
@@ -1637,7 +1643,7 @@ buildKeyDB ctx grip0 keyring = do | |||
1637 | readw wk n = fmap (n,) (readPacketsFromWallet wk (ArgFile n)) | 1643 | readw wk n = fmap (n,) (readPacketsFromWallet wk (ArgFile n)) |
1638 | 1644 | ||
1639 | -- KeyRings (todo: KikiCondition reporting?) | 1645 | -- KeyRings (todo: KikiCondition reporting?) |
1640 | (spilled,mwk,grip,accs,keys,unspilled) <- do | 1646 | (spilled,mwk,grip,accs,keyqs,unspilled) <- do |
1641 | #if MIN_VERSION_containers(0,5,0) | 1647 | #if MIN_VERSION_containers(0,5,0) |
1642 | ringPackets <- Map.traverseWithKey readp ringMap | 1648 | ringPackets <- Map.traverseWithKey readp ringMap |
1643 | #else | 1649 | #else |
@@ -1660,32 +1666,69 @@ buildKeyDB ctx grip0 keyring = do | |||
1660 | -- | keys | 1666 | -- | keys |
1661 | -- process ringPackets, and get a map of fingerprint info to | 1667 | -- process ringPackets, and get a map of fingerprint info to |
1662 | -- to a packet, remembering it's original file, access. | 1668 | -- to a packet, remembering it's original file, access. |
1663 | keys :: Map.Map KeyKey MappedPacket | 1669 | keys :: Map.Map KeyKey (MappedPacket,Map.Map String [Packet]) |
1664 | keys = Map.foldl slurpkeys Map.empty | 1670 | keys = Map.foldl slurpkeys Map.empty |
1665 | $ Map.mapWithKey filterSecrets ringPackets | 1671 | $ Map.mapWithKey filterSecrets ringPackets |
1666 | where | 1672 | where |
1667 | filterSecrets f (_,Message ps) = | 1673 | filterSecrets :: InputFile -> (a,Message) -> [[MappedPacket]] |
1668 | filter (isSecretKey . packet) | 1674 | filterSecrets f (_,Message ps) = keygroups |
1669 | $ zipWith (mappedPacketWithHint fname) ps [1..] | 1675 | -- filter (isSecretKey . packet) mps |
1670 | where fname = resolveForReport (Just ctx) f | 1676 | where |
1671 | slurpkeys m ps = m `Map.union` Map.fromList ps' | 1677 | mps = zipWith (mappedPacketWithHint fname) ps [1..] |
1672 | where ps' = zip (map (keykey . packet) ps) ps | 1678 | fname = resolveForReport (Just ctx) f |
1679 | keygroups = dropWhile (not . isSecretKey . packet . head) | ||
1680 | $ groupBy (const $ not . isSecretKey . packet) mps | ||
1681 | slurpkeys :: (Map.Map KeyKey (MappedPacket,Map.Map String [Packet])) | ||
1682 | -> [[MappedPacket]] | ||
1683 | -> (Map.Map KeyKey (MappedPacket,Map.Map String [Packet])) | ||
1684 | slurpkeys m pss = Map.unionWith combineKeyKey m m2 | ||
1685 | where | ||
1686 | m2 :: Map.Map KeyKey (MappedPacket, (Map.Map String [Packet])) | ||
1687 | m2 = Map.fromList $ map build pss | ||
1688 | where | ||
1689 | build ps = (kk,(kp,uidmap ps')) | ||
1690 | where | ||
1691 | (kpkt,ps') = splitAt 1 ps | ||
1692 | kp = head kpkt | ||
1693 | kk = keykey . packet $ kp | ||
1694 | combineKeyKey (mp,um) (mp2,um2) = (mp,Map.unionWith (++) um um2) | ||
1695 | uidmap ps = um2 | ||
1696 | where | ||
1697 | ugs = dropWhile (not . isUserID . packet .head) $ groupBy (const $ not . isUserID . packet) ps | ||
1698 | um2 = Map.fromList | ||
1699 | $ map (\(MappedPacket (UserIDPacket s) _:sigs)->(s,takeWhile isSignaturePacket $ map packet sigs)) ugs | ||
1673 | -- | mwk | 1700 | -- | mwk |
1674 | -- first master key matching the provided grip | 1701 | -- first master key matching the provided grip |
1675 | -- (the m is for "MappedPacket", wk for working key) | 1702 | -- (the m is for "MappedPacket", wk for working key) |
1676 | mwk :: Maybe MappedPacket | 1703 | mwk = fst <$> mwkq |
1677 | mwk = listToMaybe $ do | 1704 | |
1705 | main_query = fromMaybe (Query MarkerPacket "anonymous1" Nothing) $ snd <$> mwkq | ||
1706 | |||
1707 | keyqs :: Map.Map KeyKey (OriginMapped Query) | ||
1708 | keyqs = fmap (\(mp,us) -> mp { packet = main_query { queryPacket = packet mp} }) keys | ||
1709 | |||
1710 | mwkq :: Maybe (MappedPacket,Query) | ||
1711 | mwkq = listToMaybe $ do | ||
1678 | fp <- maybeToList grip | 1712 | fp <- maybeToList grip |
1679 | let matchfp mp = not (is_subkey p) && matchpr fp p == fp | 1713 | let matchfp (mp,us) |
1714 | | not (is_subkey p) && matchpr fp p == fp = Just (mp,query p us) | ||
1715 | | otherwise = Nothing | ||
1680 | where p = packet mp | 1716 | where p = packet mp |
1681 | Map.elems $ Map.filter matchfp keys | 1717 | -- TODO: check signature on UID packet? |
1718 | -- TODO: custom queries for subkeys? | ||
1719 | query p us = Query p | ||
1720 | (fromMaybe "" $ listToMaybe $ Map.keys us) | ||
1721 | Nothing -- No subkey queries for now. | ||
1722 | Map.elems $ Map.mapMaybe matchfp keys | ||
1723 | |||
1682 | -- | accs | 1724 | -- | accs |
1683 | -- file access(Sec | Pub) lookup table | 1725 | -- file access(Sec | Pub) lookup table |
1684 | accs :: Map.Map InputFile Access | 1726 | accs :: Map.Map InputFile Access |
1685 | accs = fmap (access . fst) ringPackets | 1727 | accs = fmap (access . fst) ringPackets |
1686 | return (spilled,mwk,grip,accs,keys,fmap snd unspilled) | 1728 | return (spilled,mwk,grip,accs,keyqs,fmap snd unspilled) |
1687 | 1729 | ||
1688 | transcode <- makeMemoizingDecrypter keyring ctx keys | 1730 | putStrLn $ ppShow keyqs |
1731 | transcode <- makeMemoizingDecrypter keyring ctx keyqs | ||
1689 | let doDecrypt = transcode (Unencrypted,S2K 100 "") | 1732 | let doDecrypt = transcode (Unencrypted,S2K 100 "") |
1690 | 1733 | ||
1691 | let wk = fmap packet mwk | 1734 | let wk = fmap packet mwk |
@@ -1707,6 +1750,9 @@ buildKeyDB ctx grip0 keyring = do | |||
1707 | r <- performManipulations doDecrypt rt1 mwk manip | 1750 | r <- performManipulations doDecrypt rt1 mwk manip |
1708 | try r $ \(rt2,report) -> do | 1751 | try r $ \(rt2,report) -> do |
1709 | return $ KikiSuccess (report,rtKeyDB rt2) | 1752 | return $ KikiSuccess (report,rtKeyDB rt2) |
1753 | -- XXX: Unspilled keys are not obtainable from rtKeyDB. | ||
1754 | -- If the working key is marked non spillable, then how | ||
1755 | -- would we look up it's UID and such? | ||
1710 | #if MIN_VERSION_containers(0,5,0) | 1756 | #if MIN_VERSION_containers(0,5,0) |
1711 | in fmap sequenceA $ Map.traverseWithKey trans spilled | 1757 | in fmap sequenceA $ Map.traverseWithKey trans spilled |
1712 | #else | 1758 | #else |
@@ -2544,7 +2590,7 @@ writePEMKeys doDecrypt db exports = do | |||
2544 | return $ KikiSuccess (fname,stream,pun) | 2590 | return $ KikiSuccess (fname,stream,pun) |
2545 | 2591 | ||
2546 | makeMemoizingDecrypter :: KeyRingOperation -> InputFileContext | 2592 | makeMemoizingDecrypter :: KeyRingOperation -> InputFileContext |
2547 | -> Map.Map KeyKey MappedPacket | 2593 | -> Map.Map KeyKey (OriginMapped Query) |
2548 | -> IO PacketTranscoder | 2594 | -> IO PacketTranscoder |
2549 | makeMemoizingDecrypter operation ctx keys = do | 2595 | makeMemoizingDecrypter operation ctx keys = do |
2550 | if null chains then do | 2596 | if null chains then do |
@@ -2555,12 +2601,14 @@ makeMemoizingDecrypter operation ctx keys = do | |||
2555 | -- FilePath? | 2601 | -- FilePath? |
2556 | -- pws :: Map.Map FilePath (IO S.ByteString) | 2602 | -- pws :: Map.Map FilePath (IO S.ByteString) |
2557 | {- | 2603 | {- |
2604 | -- This disabled code obtained password sources from StreamInfo records. | ||
2558 | pws <- | 2605 | pws <- |
2559 | Traversable.mapM (cachedContents ctx . fromJust . pwfile . typ) | 2606 | Traversable.mapM (cachedContents ctx . fromJust . pwfile . typ) |
2560 | (Map.mapKeys (resolveForReport Nothing) -- see note (*) note above | 2607 | (Map.mapKeys (resolveForReport Nothing) -- see note (*) note above |
2561 | $ Map.filter (isJust . pwfile . typ) $ opFiles operation) | 2608 | $ Map.filter (isJust . pwfile . typ) $ opFiles operation) |
2562 | -} | 2609 | -} |
2563 | let prompt = Just "Enter possibly multi-line passphrase (Press CTRL-D when finished):\n" | 2610 | let prompt = Just "Enter possibly multi-line passphrase (Press CTRL-D when finished):\n" |
2611 | -- List of file-specific password sources. | ||
2564 | pws2 <- | 2612 | pws2 <- |
2565 | Traversable.mapM (cachedContents prompt ctx) | 2613 | Traversable.mapM (cachedContents prompt ctx) |
2566 | $ Map.fromList $ mapMaybe | 2614 | $ Map.fromList $ mapMaybe |
@@ -2568,55 +2616,80 @@ makeMemoizingDecrypter operation ctx keys = do | |||
2568 | guard $ isNothing $ passSpecKeySpec spec | 2616 | guard $ isNothing $ passSpecKeySpec spec |
2569 | passSpecRingFile spec) | 2617 | passSpecRingFile spec) |
2570 | passspecs | 2618 | passspecs |
2619 | -- List of general password sources. | ||
2571 | defpw <- do | 2620 | defpw <- do |
2572 | Traversable.mapM (cachedContents prompt ctx . passSpecPassFile) | 2621 | Traversable.mapM (cachedContents prompt ctx . passSpecPassFile) |
2573 | $ listToMaybe $ filter (\sp -> isNothing (passSpecRingFile sp) | 2622 | $ listToMaybe $ filter (\sp -> isNothing (passSpecRingFile sp) |
2574 | && isNothing (passSpecKeySpec sp)) | 2623 | && isNothing (passSpecKeySpec sp)) |
2575 | $ opPassphrases operation | 2624 | $ passspecs |
2576 | unkeysRef <- newIORef (Map.empty :: Map.Map KeyKey Packet) | 2625 | unkeysRef <- newIORef (Map.empty :: Map.Map KeyKey Packet) |
2577 | return $ doDecrypt unkeysRef ({- pws `Map.union` -} pws2) defpw | 2626 | return $ doDecrypt unkeysRef ({- pws `Map.union` -} pws2) defpw (not $ null agentspec) |
2578 | else let PassphraseMemoizer f = head chains | 2627 | else let PassphraseMemoizer f = head chains |
2579 | in return f | 2628 | in return f |
2580 | where | 2629 | where |
2581 | (chains,passspecs) = partition isChain $ opPassphrases operation | 2630 | (chains,passspecs0) = partition isChain $ opPassphrases operation |
2582 | where isChain (PassphraseMemoizer {}) = True | 2631 | where isChain (PassphraseMemoizer {}) = True |
2583 | isChain _ = False | 2632 | isChain _ = False |
2633 | (agentspec,passspecs) = partition isAgent $ opPassphrases operation | ||
2634 | where isAgent PassphraseAgent = True | ||
2635 | isAgent _ = False | ||
2584 | doDecrypt :: IORef (Map.Map KeyKey Packet) | 2636 | doDecrypt :: IORef (Map.Map KeyKey Packet) |
2585 | -> Map.Map FilePath (IO S.ByteString) | 2637 | -> Map.Map FilePath (IO S.ByteString) |
2586 | -> Maybe (IO S.ByteString) | 2638 | -> Maybe (IO S.ByteString) |
2639 | -> Bool | ||
2587 | -> (SymmetricAlgorithm,S2K) | 2640 | -> (SymmetricAlgorithm,S2K) |
2588 | -> MappedPacket | 2641 | -> MappedPacket |
2589 | -> IO (KikiCondition Packet) | 2642 | -> IO (KikiCondition Packet) |
2590 | doDecrypt unkeysRef pws defpw (dest_alg,dest_s2k) mp0 = do | 2643 | doDecrypt unkeysRef pws defpw agent_requested (dest_alg,dest_s2k) mp0 = do |
2591 | unkeys <- readIORef unkeysRef | 2644 | unkeys <- readIORef unkeysRef |
2592 | let mp = fromMaybe mp0 $ do | 2645 | let (mp,qry) = fromMaybe (mp0,Query (packet mp0) "anonymous2" Nothing) $ do |
2593 | k <- Map.lookup kk keys | 2646 | k <- Map.lookup kk keys |
2594 | return $ mergeKeyPacket "decrypt" mp0 k | 2647 | return (mergeKeyPacket "decrypt" mp0 (fmap queryPacket k), packet k) |
2595 | wk = packet mp0 | 2648 | wk = packet mp0 |
2596 | kk = keykey wk | 2649 | kk = keykey wk |
2597 | fs = Map.keys $ locations mp | 2650 | fs = Map.keys $ locations mp |
2598 | 2651 | ||
2599 | decryptIt [] = return BadPassphrase | 2652 | decryptIt [] = return BadPassphrase |
2600 | decryptIt (getpw:getpws) = do | 2653 | decryptIt (getpw:getpws) = tries 1 getpw (decryptIt getpws) |
2601 | -- TODO: This function should use mergeKeyPacket to | 2654 | where |
2655 | tries count getpw recurse = do | ||
2656 | -- TODO: This function should use mergeKeyPacket to | ||
2602 | -- combine the packet with it's unspilled version before | 2657 | -- combine the packet with it's unspilled version before |
2603 | -- attempting to decrypt it. | 2658 | -- attempting to decrypt it. Note: We are uninterested |
2604 | pw <- getpw | 2659 | -- in the 'locations' field, so this would effectively |
2660 | -- allow you to run 'decryptIt' on an unencrypted public key | ||
2661 | -- to obtain it's secret key. | ||
2662 | (pw,wants_retry) <- getpw (if count>1 then AskAgain "Bad pasphrase." else Ask,qry) | ||
2605 | let wkun = fromMaybe wk $ do | 2663 | let wkun = fromMaybe wk $ do |
2606 | guard $ symmetric_algorithm (packet mp) /= Unencrypted | 2664 | guard $ symmetric_algorithm (packet mp) /= Unencrypted |
2607 | decryptSecretKey pw (packet mp) | 2665 | decryptSecretKey pw (packet mp) |
2666 | |||
2608 | case symmetric_algorithm wkun of | 2667 | case symmetric_algorithm wkun of |
2668 | |||
2609 | Unencrypted -> do | 2669 | Unencrypted -> do |
2610 | writeIORef unkeysRef (Map.insert kk wkun unkeys) | 2670 | writeIORef unkeysRef (Map.insert kk wkun unkeys) |
2611 | ek <- if dest_alg==Unencrypted | 2671 | ek <- if dest_alg==Unencrypted |
2612 | then return $ Just wkun | 2672 | then return $ Just wkun |
2613 | else encryptSecretKey pw dest_s2k dest_alg wkun | 2673 | else encryptSecretKey pw dest_s2k dest_alg wkun |
2614 | case ek of | 2674 | case ek of |
2615 | Nothing -> return $ BadPassphrase | 2675 | Nothing | wants_retry && count<3 -> tries (count+1) getpw recurse |
2616 | Just wken -> return $ KikiSuccess wken | 2676 | Nothing -> recurse |
2617 | _ -> decryptIt getpws | 2677 | Just wken -> return $ KikiSuccess wken |
2678 | |||
2679 | _ -> recurse | ||
2618 | 2680 | ||
2619 | getpws = mapMaybe (`Map.lookup` pws) fs ++ maybeToList defpw | 2681 | getpws = (map (const . fmap (,False)) $ mapMaybe (`Map.lookup` pws) fs ++ maybeToList defpw) ++ [ agentpw | agent_requested ] |
2682 | |||
2683 | agentpw (ask,qry) = do | ||
2684 | s <- session | ||
2685 | fromMaybe (return ("",False)) $ do | ||
2686 | s <- s | ||
2687 | Just $ do | ||
2688 | case ask of AskAgain _ -> clearPassphrase s (queryPacket qry) | ||
2689 | _ -> return () | ||
2690 | mbpw <- getPassphrase s ask qry | ||
2691 | quit s | ||
2692 | return ( maybe "" S8.pack mbpw, True) | ||
2620 | 2693 | ||
2621 | if symmetric_algorithm wk == dest_alg | 2694 | if symmetric_algorithm wk == dest_alg |
2622 | && ( symmetric_algorithm wk == Unencrypted || s2k wk == dest_s2k ) | 2695 | && ( symmetric_algorithm wk == Unencrypted || s2k wk == dest_s2k ) |
@@ -3434,10 +3507,13 @@ data OriginFlags = OriginFlags | |||
3434 | 3507 | ||
3435 | type OriginMap = Map.Map FilePath OriginFlags | 3508 | type OriginMap = Map.Map FilePath OriginFlags |
3436 | 3509 | ||
3437 | data MappedPacket = MappedPacket | 3510 | type MappedPacket = OriginMapped Packet |
3438 | { packet :: Packet | 3511 | data OriginMapped a = MappedPacket |
3512 | { packet :: a | ||
3439 | , locations :: OriginMap | 3513 | , locations :: OriginMap |
3440 | } deriving Show | 3514 | } deriving Show |
3515 | instance Functor OriginMapped where | ||
3516 | fmap f (MappedPacket x ls) = MappedPacket (f x) ls | ||
3441 | 3517 | ||
3442 | type TrustMap = Map.Map FilePath Packet | 3518 | type TrustMap = Map.Map FilePath Packet |
3443 | type SigAndTrust = ( MappedPacket | 3519 | type SigAndTrust = ( MappedPacket |
@@ -3521,19 +3597,26 @@ onionName kd = (addr,name) | |||
3521 | where | 3597 | where |
3522 | (addr,(name:_,_)) = getHostnames kd | 3598 | (addr,(name:_,_)) = getHostnames kd |
3523 | -} | 3599 | -} |
3600 | |||
3601 | -- | Compare different versions if the same key pair. Public versions | ||
3602 | -- are considered greater. If the two packets do not represent the same | ||
3603 | -- key or the packets are not keys at all, an error will result that | ||
3604 | -- includes the context provided as the first argument. | ||
3524 | keyCompare :: String -> Packet -> Packet -> Ordering | 3605 | keyCompare :: String -> Packet -> Packet -> Ordering |
3525 | keyCompare what (SecretKeyPacket {}) (PublicKeyPacket {}) = LT | 3606 | keyCompare what (SecretKeyPacket {}) (PublicKeyPacket {}) = LT |
3526 | keyCompare what (PublicKeyPacket {}) (SecretKeyPacket {}) = GT | 3607 | keyCompare what (PublicKeyPacket {}) (SecretKeyPacket {}) = GT |
3527 | keyCompare what a b | keykey a==keykey b = EQ | 3608 | keyCompare what a b | keykey a==keykey b = EQ |
3528 | keyCompare what a b = error $ unlines ["Unable to merge "++what++":" | 3609 | keyCompare what a b = error $ unlines ["Unable to merge "++what++":" |
3529 | , fingerprint a | 3610 | , if isKey a then fingerprint a else "" |
3530 | , PP.ppShow a | 3611 | , PP.ppShow a |
3531 | , fingerprint b | 3612 | , if isKey b then fingerprint b else "" |
3532 | , PP.ppShow b | 3613 | , PP.ppShow b |
3533 | ] | 3614 | ] |
3534 | 3615 | ||
3616 | -- | Merge two representations of the same key, prefering secret version | ||
3617 | -- because they have more information. | ||
3535 | mergeKeyPacket :: String -> MappedPacket -> MappedPacket -> MappedPacket | 3618 | mergeKeyPacket :: String -> MappedPacket -> MappedPacket -> MappedPacket |
3536 | mergeKeyPacket what key p = | 3619 | mergeKeyPacket what key p = |
3537 | key { packet = minimumBy (keyCompare what) [packet key,packet p] | 3620 | key { packet = minimumBy (keyCompare what) [packet key,packet p] |
3538 | , locations = Map.union (locations key) (locations p) | 3621 | , locations = Map.union (locations key) (locations p) |
3539 | } | 3622 | } |
diff --git a/lib/Kiki.hs b/lib/Kiki.hs index a134680..25c98e2 100644 --- a/lib/Kiki.hs +++ b/lib/Kiki.hs | |||
@@ -41,6 +41,10 @@ import CommandLine | |||
41 | import KeyRing | 41 | import KeyRing |
42 | import DotLock | 42 | import DotLock |
43 | 43 | ||
44 | withAgent :: [PassphraseSpec] -> [PassphraseSpec] | ||
45 | withAgent [] = [PassphraseAgent] | ||
46 | withAgent ps = ps | ||
47 | |||
44 | ciphername Unencrypted = "-" | 48 | ciphername Unencrypted = "-" |
45 | ciphername TripleDES = "3des" | 49 | ciphername TripleDES = "3des" |
46 | ciphername (SymmetricAlgorithm w8) = "cipher-"++show w8 | 50 | ciphername (SymmetricAlgorithm w8) = "cipher-"++show w8 |
@@ -87,8 +91,8 @@ minimalOp cap = op | |||
87 | [ ( HomeSec, streaminfo { access = Sec }) | 91 | [ ( HomeSec, streaminfo { access = Sec }) |
88 | , ( HomePub, streaminfo { access = Pub }) | 92 | , ( HomePub, streaminfo { access = Pub }) |
89 | ] | 93 | ] |
90 | , opPassphrases = do pfile <- maybeToList (cap_passfd cap) | 94 | , opPassphrases = withAgent $ do pfile <- maybeToList (cap_passfd cap) |
91 | return $ PassphraseSpec Nothing Nothing pfile | 95 | return $ PassphraseSpec Nothing Nothing pfile |
92 | , opTransforms = [] | 96 | , opTransforms = [] |
93 | , opHome = cap_homespec cap | 97 | , opHome = cap_homespec cap |
94 | } | 98 | } |
@@ -155,6 +159,7 @@ importAndRefresh root cmn = do | |||
155 | ctx = InputFileContext secring pubring | 159 | ctx = InputFileContext secring pubring |
156 | passwordop = KeyRingOperation | 160 | passwordop = KeyRingOperation |
157 | { opFiles = Map.empty | 161 | { opFiles = Map.empty |
162 | -- TODO: ask agent for new passphrase | ||
158 | , opPassphrases = do pfd <- maybeToList passfd | 163 | , opPassphrases = do pfd <- maybeToList passfd |
159 | return $ PassphraseSpec Nothing Nothing pfd | 164 | return $ PassphraseSpec Nothing Nothing pfd |
160 | , opHome = homespec | 165 | , opHome = homespec |
@@ -233,16 +238,16 @@ importAndRefresh root cmn = do | |||
233 | , ( ArgFile sshcpath, (peminfo 2048 "ssh-client") ) | 238 | , ( ArgFile sshcpath, (peminfo 2048 "ssh-client") ) |
234 | , ( ArgFile sshspath, (peminfo 2048 "ssh-server") ) | 239 | , ( ArgFile sshspath, (peminfo 2048 "ssh-server") ) |
235 | ] | 240 | ] |
236 | , opPassphrases = pwds ++ do pfd <- maybeToList passfd | 241 | , opPassphrases = withAgent $ pwds ++ do pfd <- maybeToList passfd |
237 | return $ PassphraseSpec Nothing Nothing pfd | 242 | return $ PassphraseSpec Nothing Nothing pfd |
238 | , opHome = homespec | 243 | , opHome = homespec |
239 | , opTransforms = [] | 244 | , opTransforms = [] |
240 | } | 245 | } |
241 | -- doNothing = return () | 246 | -- doNothing = return () |
242 | nop = KeyRingOperation | 247 | nop = KeyRingOperation |
243 | { opFiles = Map.empty | 248 | { opFiles = Map.empty |
244 | , opPassphrases = do pfd <- maybeToList passfd | 249 | , opPassphrases = withAgent $ do pfd <- maybeToList passfd |
245 | return $ PassphraseSpec Nothing Nothing pfd | 250 | return $ PassphraseSpec Nothing Nothing pfd |
246 | , opHome=homespec, opTransforms = [] | 251 | , opHome=homespec, opTransforms = [] |
247 | } | 252 | } |
248 | -- if bUnprivileged then doNothing else mkdirFor torpath | 253 | -- if bUnprivileged then doNothing else mkdirFor torpath |