pinentry-1.1.1/doc/pinentry.texi

\input texinfo                      @c -*-texinfo-*-
@c %**start of header
@setfilename pinentry.info

@include version.texi

@macro copyrightnotice
Copyright @copyright{} 2002, 2005, 2015 g10 Code GmbH
@end macro
@macro permissionnotice
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version. The text of the license can be found in the
section entitled ``Copying''.
@end macro

@macro pinentry
@sc{pinentry}
@end macro

@settitle Using the PIN-Entry

@c Create a separate index for command line options.
@defcodeindex op
@c Merge the standard indexes into a single one.
@syncodeindex fn cp
@syncodeindex vr cp
@syncodeindex ky cp
@syncodeindex pg cp
@syncodeindex tp cp

@c printing stuff taken from gcc.
@macro gnupgtabopt{body}
@code{\body\}
@end macro
@macro gnupgoptlist{body}
@smallexample
\body\
@end smallexample
@end macro
@c Makeinfo handles the above macro OK, TeX needs manual line breaks;
@c they get lost at some point in handling the macro.  But if @macro is
@c used here rather than @alias, it produces double line breaks.
@iftex
@alias gol = *
@end iftex
@ifnottex
@macro gol
@end macro
@end ifnottex


@c %**end of header

@ifnottex
@dircategory GNU Utilities
@direntry
* pinentry: (pinentry).    Securely ask for a passphrase or PIN.
@end direntry
This file documents the use and the internals of the @pinentry{}.

This is edition @value{EDITION}, last updated @value{UPDATED}, of
@cite{The `PINEntry' Manual}, for version @value{VERSION}.
@sp 1
Published by g10 Code GmbH@*
Hüttenstr. 61@*
40699 Erkrath, Germany
@sp 1
@copyrightnotice{}
@sp 1
@permissionnotice{}
@end ifnottex

@setchapternewpage odd

@titlepage
@title Using the PIN-Entry
@subtitle Version @value{VERSION}
@subtitle @value{UPDATED}
@author Werner Koch @code{(wk@@gnupg.org)}

@page
@vskip 0pt plus 1filll
@copyrightnotice{}
@sp 2
@permissionnotice{}
@end titlepage
@summarycontents
@contents
@page


@node Top
@top Introduction
@cindex introduction

This manual documents how to use the @pinentry{} and its protocol.

The @pinentry{} is a small GUI application used to enter PINs or
passphrases. It is usually invoked by @sc{gpg-agent}
(@pxref{Invoking GPG-AGENT, ,Invoking the gpg-agent, gnupg,
    The `GNU Privacy Guard' Manual}, for details).

@pinentry{} comes in several flavors to fit the look and feel of the
used GUI toolkit: A @sc{GTK+} based one named @code{pinentry-gtk}; a
@sc{Qt} based one named @code{pinentry-qt}; and, two non-graphical
ones @code{pinentry-curses}, which uses curses, and
@code{pinentry-tty}, which doesn't require anything more than a simple
terminal.  Not all of them are necessarily available on your
installation.  If curses is supported on your system, the GUI-based
flavors fall back to curses when the @code{DISPLAY} variable is not
set.


@menu
* Using pinentry::      How to use the beast.
* Front ends::          Description and comparison of the front ends

Developer information

* Protocol::            The Assuan protocol description.
* Implementation Details:: For those extending or writing a new pinentry.

Miscellaneous

* Copying::             GNU General Public License says
                        how you can copy and share PIN-Entry
                        as well as this manual.

Indices

* Option Index::        Index to command line options.
* Index::	        Index of concepts and symbol names.
@end menu

@node Using pinentry
@chapter How to use the @pinentry{}

@c man begin DESCRIPTION

You may run @pinentry{} directly from the command line and pass the
commands according to the Assuan protocol via stdin/stdout.


@c man end

@c man begin OPTIONS

Here is a list of options supported by all flavors of pinentry:

@table @gnupgtabopt
@item --version
@opindex version
Print the program version and licensing information.

@item --help
@opindex help
Print a usage message summarizing the most useful command line options.

@item --debug
@itemx -d
@opindex debug
@opindex d
Turn on some debugging.  Mostly useful for the maintainers.  Note that
this may reveal sensitive information like the entered passphrase.

@c @item --enhanced
@c @itemx -e
@c @opindex enhanced
@c @opindex e
@c Ask for timeouts and insurance, too.  Note that this is currently not
@c fully supported.

@item --no-global-grab
@itemx -g
@opindex no-global-grab
@opindex g
Grab the keyboard only when the window is focused.  Use this option if
you are debugging software using the @pinentry{}; otherwise you may
not be able to to access your X session anymore (unless you have other
means to connect to the machine to kill the @pinentry{}).

@item --parent-wid @var{n}
@opindex parent-wid
Use window ID @var{n} as the parent window for positioning the window.
Note, that this is not fully supported by all flavors of @pinentry{}.

@item --timeout @var{seconds}
@opindex timeout
Give up waiting for input from the user after the specified number of
seconds and return an error. The error returned is the same as if the
Cancel button was selected. To disable the timeout and wait
indefinitely, set this to 0, which is the default.

@item --display @var{string}
@itemx --ttyname @var{string}
@itemx --ttytype @var{string}
@itemx --lc-ctype @var{string}
@itemx --lc-messages @var{string}
@opindex display
@opindex ttyname
@opindex ttytype
@opindex lc-ctype
@opindex lc-messa
These options are used to pass localization information to
@pinentry{}.  They are required because @pinentry{} is usually called
by some background process which does not have any information about
the locale and terminal to use.  It is also possible to pass these
options using Assuan protocol options.
@end table

@node Front ends
@chapter Front Ends

There are several different flavors of @pinentry{}.  Concretely, there
are Gtk+2, Qt@tie{}4, TQt, EFL, FLTK, Gnome@tie{}3, Emacs, curses and
tty variants.  These different implementations provide higher levels
of integration with a specific environment.  For instance, the
Gnome@tie{}3 @pinentry{} uses Gnome@tie{}3 widgets to display the
prompts.  For Gnome@tie{}3 users, this higher level of integration
provides a more consistent aesthetic.  However, this comes at a cost.
Because this @pinentry{} uses so many components, there is a larger
chance of a failure.  In particular, there is a larger chance that the
passphrase is saved in memory and that memory is exposed to an
attacker (consider the OpenSSL Heartbeat vulnerability).

To understand how many components touch the passphrase, consider again
the Gnome@tie{}3 implementation.  When a user presses a button on the
keyboard, the key is passed from the kernel to the X@tie{}server to
the toolkit (Gtk+) and to the actual text entry widget.  Along the
way, the key is saved in memory and processed.  In fact, the key
presses are probably read using standard C library functions, which
buffer the input.  None of this code is careful to make sure the
contents of the memory are not leaked by keeping the data in unpagable
memory and wiping it when the buffer is freed.  However, even if they
did, there is still the problem that when a computer hibernates, the
system writes unpagable memory to disk anyway.  Further, many
installations are virtualized (e.g., running on Xen) and have little
control over their actual environment.

The curses variant uses a significant smaller software stack and the
tty variant uses an even smaller one.  However, if they are run in an
X@tie{}terminal, then a similar number of components are handling the
passphrase as in the Gnome@tie{}3 case!  Thus, to be most secure, you
need to direct GPG@tie{}Agent to use a fixed virtual console.  Since
you need to remain logged in for GPG@tie{}Agent to use that console,
you should run there and have @code{screen} or @code{tmux} lock the
tty.

The Emacs pinentry implementation interacts with a running Emacs
session and directs the Emacs instance to display the passphrase
prompt.  Since this doesn't work very well if there is no Emacs
running, the generic @pinentry{} backend checks if a
@pinentry{}-enabled Emacs should be used.  Specifically, it looks to
see if the @code{INSIDE_EMACS} variable is set and then attempts to
establish a connection to the specified address.  If this is the case,
then instead of, e.g., @code{pinentry-gtk2} displaying a Gtk+2
pinentry, it interacts with the Emacs session.  This functionality can
be explicitly disabled by passing @code{--disable-inside-emacs} to
@code{configure} when building @pinentry{}.

Having Emacs get the passphrase is convenient, however, it is a
significant security risk.  Emacs is a huge program, which doesn't
provide any process isolation to speak of.  As such, having it handle
the passphrase adds a huge chunk of code to the user's trusted computing
base.  Because of this concern, Emacs doesn't enable this by default,
unless the @code{allow-emacs-pinentry} option is explicitly set in his
or her @code{.gnupg/gpg-agent.conf} file.

Similar to the inside-emacs check, the @pinentry{} frontends check
whether the @code{DISPLAY} variable is set and a working X server is
available.  If this is not the case, then they fallback to the curses
front end.  This can also be disabled by passing
@code{--disable-fallback-curses} to @code{configure} at build time.

@c
@c  Assuan Protocol
@c
@node Protocol
@chapter @pinentry{}'s Assuan Protocol

The @pinentry{} should never service more than one connection at once.
It is reasonable to exec the @pinentry{} prior to a request.

The @pinentry{} does not need to stay in memory because the
@sc{gpg-agent} has the ability to cache passphrases.  The usual way to
run the @pinentry{} is by setting up a pipe (not a socket) and then
fork/exec the @pinentry{}.  The communication is then done by means of
the protocol described here until the client is satisfied with the
result.

Although it is called a @pinentry{}, it allows entering reasonably
long strings (strings that are up to 2048 characters long are
supported by every pinentry).  The client using the @pinentry{} has to
check for correctness.

Note that all strings are expected to be encoded as UTF-8; @pinentry{}
takes care of converting it to the locally used codeset.  To include
linefeeds or other special characters, you may percent-escape them
(e.g., a line feed is encoded as @code{%0A}, the percent sign itself
is encoded as @code{%25}, etc.).

The following is a list of supported commands:

@table @gnupgtabopt

@item Set the timeout before returning an error
@example
  C: SETTIMEOUT 30
  S: OK
@end example

@item Set the descriptive text to display
@example
  C: SETDESC Enter PIN for Richard Nixon <nobody@@trickydicky.gov>
  S: OK
@end example

@item Set the prompt to show
When asking for a PIN, set the text just before the widget for
passphrase entry.
@example
  C: SETPROMPT PIN:
  S: OK
@end example

You should use an underscore in the text only if you know that a
modern version of pinentry is used.  Modern versions underline the
next character after the underscore and use the first such underlined
character as a keyboard accelerator.  Use a double underscore to
escape an underscore.

@item Set the window title
This command may be used to change the default window title.  When
using this feature you should take care that the window is still
identifiable as the pinentry.
@example
  C: SETTITLE Tape Recorder Room
  S: OK
@end example

@item Set the button texts
There are three texts which should be used to override the English
defaults:

To set the text for the button signaling confirmation (in UTF-8).
See SETPROMPT on how to use an keyboard accelerator.
@example
  C: SETOK Yes
  S: OK
@end example


To set the text for the button signaling cancellation or disagreement
(in UTF-8).  See SETPROMPT on how to use an keyboard accelerator.
@example
  C: SETCANCEL No
  S: OK
@end example


In case three buttons are required, use the following command to set
the text (UTF-8) for the non-affirmative response button.  The
affirmative button text is still set using SETOK and the CANCEL button
text with SETCANCEL.  See SETPROMPT on how to use an keyboard
accelerator.
@example
  C: SETNOTOK Do not do this
  S: OK
@end example


@item Set the Error text
This is used by the client to display an error message.  In contrast
to the other commands, the error message is automatically reset with
a GETPIN or CONFIRM, and is only displayed when asking for a PIN.
@example
  C: SETERROR Invalid PIN entered - please try again
  S: OK
@end example

@item Enable a passphrase quality indicator
Adds a quality indicator to the GETPIN window.  This indicator is
updated as the passphrase is typed.  The clients needs to implement an
inquiry named "QUALITY" which gets passed the current passphrase
(percent-plus escaped) and should send back a string with a single
numerical value between -100 and 100.  Negative values will be
displayed in red.
@example
  C: SETQUALITYBAR
  S: OK
@end example

If a custom label for the quality bar is required, just add that label
as an argument as a percent-escaped string.  You will need this
feature to translate the label because @pinentry{} has no internal
gettext except for stock strings from the toolkit library.

If you want to show a tooltip for the quality bar, you may use
@example
  C: SETQUALITYBAR_TT string
  S: OK
@end example

@noindent
With STRING being a percent escaped string shown as the tooltip.


@item Ask for a PIN
The meat of this tool is to ask for a passphrase of PIN, it is done with
this command:
@example
  C: GETPIN
  S: D no more tapes
  S: OK
@end example
Note that the passphrase is transmitted in clear using standard data
responses.  Expect it to be in UTF-8.

@item Ask for confirmation
To ask for a confirmation (yes or no), you can use this command:
@example
  C: CONFIRM
  S: OK
@end example
The client should use SETDESC to set an appropriate text before
issuing this command, and may use SETPROMPT to set the button texts.
The value returned is either OK for YES or the error code
@code{ASSUAN_Not_Confirmed}.

@item Show a message
To show a message, you can use this command:
@example
  C: MESSAGE
  S: OK
@end example
alternatively you may add an option to confirm:
@example
  C: CONFIRM --one-button
  S: OK
@end example
The client should use SETDESC to set an appropriate text before issuing
this command, and may use SETOK to set the text for the dismiss button.
The value returned is OK or an error message.

@item Set the output device
When using X, the @pinentry{} program must be invoked with an
appropriate @code{DISPLAY} environment variable or the
@code{--display} option.

When using a text terminal:
@example
  C: OPTION ttyname=/dev/tty3
  S: OK
  C: OPTION ttytype=vt100
  S: OK
  C: OPTION lc-ctype=de_DE.UTF-8
  S: OK
@end example
The client should use the @code{ttyname} option to set the output TTY
file name, the @code{ttytype} option to the @code{TERM} variable
appropriate for this tty and @code{lc-ctype} to the locale which
defines the character set to use for this terminal.

@item Set the default strings
To avoid having translations in Pinentry proper, the caller may set
certain translated strings which are used by @pinentry{} as default
strings.

@example
  C: OPTION default-ok=_Korrekt
  S: OK
  C: OPTION default-cancel=Abbruch
  S: OK
  C: OPTION default-prompt=PIN eingeben:
  S: OK
@end example
The strings are subject to accelerator marking, see SETPROMPT for
details.

@item Passphrase caching

Some environments, such as GNOME, cache passwords and passphrases.
The @pinentry{} should only use an external cache if the
@code{allow-external-password-cache} option was set and a stable key
identifier (using SETKEYINFO) was provided.  In this case, if the
passphrase was read from the cache, the @pinentry{} should send the
@code{PASSWORD_FROM_CACHE} status message before returning the
passphrase.  This indicates to GPG Agent that it should not increment
the passphrase retry counter.

@example
  C: OPTION allow-external-password-cache
  S: OK
  C: SETKEYINFO key-grip
  S: OK
  C: getpin
  S: S PASSWORD_FROM_CACHE
  S: D 1234
  S: OK
@end example

Note: if @code{allow-external-password-cache} is not specified, an
external password cache must not be used: this can lead to subtle
bugs.  In particular, if this option is not specified, then GPG Agent
does not recognize the @code{PASSWORD_FROM_CACHE} status message and
will count trying a cached password against the password retry count.
If the password retry count is 1, then the user will never have the
opportunity to correct the cached password.

Note: it is strongly recommended that a pinentry supporting this
feature provide the user an option to enable it manually.  That is,
saving a passphrase in an external password manager should be opt-in.

The key identifier provided SETKEYINFO must be considered opaque and
may change in the future.  It currently has the form
@code{X/HEXSTRING} where @code{X} is either @code{n}, @code{s}, or
@code{u}.  In the former two cases, the HEXSTRING corresponds to the
key grip.  The key grip is not the OpenPGP Key ID, but it can be
mapped to the key using the following:

@example
  # gpg2 --with-keygrip --list-secret-keys
@end example

@noindent
and searching the output for the key grip.  The same command-line
options can also be used with gpgsm.

@end table

@node Implementation Details
@chapter Implementation Details

The pinentry source code can be divided into three categories.  There
is a backend module, which lives in @code{pinentry/}, there are
utility functions, e.g., in @code{secmem/}, and there are various
frontends.

All of the low-level logic lives in the backend.  This frees the
frontends from having to implement, e.g., the Assuan protocol.  When
the backend receives an option, it updates the state in a
@code{pinentry_t} struct.  The frontend is called when the client
either calls @code{GETPIN}, @code{CONFIRM} or @code{MESSAGE}.  In
these cases, the backend invokes the @code{pinentry_cmd_handler},
which is passed the @code{pinentry_t} struct.

When the callback is invoked, the frontend should create a window
based on the state in the @code{pinentry_t} struct.  For instance, the
title to use for the dialog's window (if any) is stored in the
@code{title} field.  If the is @code{NULL}, the frontend should choose
a reasonable default value.  (Default is not always provided, because
different tool kits and environments have different reasonable
defaults.)

The widget needs to support a number of different interactions with
the user.  Each of them is described below.

@table @gnupgtabopt
@item Passphrase Confirmation

When creating a new key, the passphrase should be entered twice.  The
client (typically GPG Agent) indicates this to the @pinentry{} by
invoking @code{SETREPEAT}.  In this case, the backend sets the
@code{repeat_passphrase} field to a copy of the passed string.  The
value of this field should be used to label a second text input.

It is the frontend's responsibility to check that the passwords match.
If they don't match, the frontend should display an error message and
continue to prompt the user.

If the passwords do match, then, when the user presses the okay
button, the @code{repeat_okay} field should be set to @code{1} (this
causes the backend to emit the @code{S PIN_REPEATED} status message).

@item Message Box

Sometimes GPG Agent needs to display a message.  In this case, the
@code{pin} variable is @code{NULL}.

At the Assuan level, this mode is selected by using either the
@code{MESSAGE} or the @code{CONFIRM} command instead of the
@code{GETPIN} command.  The @code{MESSAGE} command never shows the
cancel or an other button.  The same holds for @code{CONFIRM} if it
was passed the ``--one-button'' argument.  If @code{CONFIRM} was not
passed this argument, the dialog for @code{CONFIRM} should show both
the @code{ok} and the @code{cancel} buttons and optionally the
@code{notok} button.  The frontend can determine whether the dialog is
a one-button dialog by inspecting the @code{one_button} variable.

@item Passphrase Entry

If neither of the above cases holds, then GPG Agent is simply
requesting the passphrase.  In this case, the @code{ok} and
@code{cancel} buttons should be displayed.

@end table

The layout of the three variants is quite similar.  Here are the
relevant elements that describe the layout:

@table @gnupgtabopt
@item @code{title}
The window's title.

@item @code{description}
The reason for the dialog.  When requesting a passphrase, this
describes the key.  When showing a message box, this is the message to
show.

@item @code{error}
If GPG Agent determines that the passphrase was incorrect, it will
call @code{GETPIN} again (up to a configurable number of times) to
again prompt the user.  In this case, this variable contains a
description of the error message.  This text should typically be
highlighted in someway.

@item @code{prompt}, @code{default-prompt}
The string to associate with the passphrase entry box.

There is a subtle difference between @code{prompt} and
@code{default-prompt}.  @code{default-prompt} means that a stylized
prompt (e.g., an icon suggesting a prompt) may be used.  @code{prompt}
means that the entry's meaning is not consistent with such a style
and, as such, no icon should be used.

If both variables are set, the @code{prompt} variant takes precedence.

@item @code{repeat_passphrase}
The string to associate with the second passphrase entry box.  The
second passphrase entry box should only be shown if this is not
@code{NULL}.

@item @code{ok}, @code{default-ok}
The string to show in the @code{ok} button.

If there are any @code{_} characters, the following character should
be used as an accelerator.  (A double underscore means a plain
underscore should be shown.)  If the frontend does not support
accelerators, then the underscores should be removed manually.

There is a subtle difference between @code{ok} and @code{default-ok}.
@code{default-ok} means that a stylized OK button should be used.  For
instance, it could include a check mark.  @code{ok} means that the
button's meaning is not consistent with such an icon and, as such, no
icon should be used.  Thus, if the @code{ok} button should have the
text ``No password required'' then @code{ok} should be used because a
check mark icon doesn't make sense.

If this variable is @code{NULL}, the frontend should choose a
reasonable default.

If both variables are set, the @code{ok} variant takes precedence.

@item @code{cancel}, @code{default-cancel}
Like the @code{ok} and @code{default-ok} buttons except these strings
are used for the cancel button.

This button should not be shown if @code{one_button} is set.

@code{default-notok}
Like the @code{default-ok} button except this string is used for the
other button.

This button should only be displayed when showing a message box.  If
these variables are @code{NULL} or @code{one_button} is set, this
button should not be displayed.

@item @code{quality_bar}
If this is set, a widget should be used to show the password's
quality.  The value of this field is a label for the widget.

Note: to update the password quality, whenever the password changes,
call the @code{pinentry_inq_quality} function and then update the
password quality widget correspondingly.

@item @code{quality_bar_tt}
A tooltip for the quality bar.

@item @code{default_pwmngr}
If @code{may_cache_password} and @code{keyinfo} are set and the user
consents, then the @pinentry{} may cache the password with an external
manager.  Note: getting the user's consent is essential, because
password managers often provide a different level of security.  If the
above condition is true and @code{tried_password_cache} is false, then
a check box with the specified string should be displayed.  The check
box must default to off.

@item @code{default-cf-visi}
The string to show with a question if you want to confirm that
the user wants to change the visibility of the password.

@item @code{default-tt-visi}
Tooltip for an action that would reveal the entered password.

@item @code{default-tt-hide}
Tooltip for an action that would hide the password revealed
by the action labeld with @code{default-tt-visi}

@end table

When the handler is done, it should store the passphrase in
@code{pin}, if appropriate.  This variable is allocated in secure
memory.  Use @code{pinentry_setbufferlen} to size the buffer.

The actual return code is dependent on whether the dialog is in
message mode or in passphrase mode.

If the dialog is in message mode and the user pressed ok, return 1.
Otherwise, return 0.  If an error occurred, indicate this by setting it
in @code{specific_err} or setting @code{locale_err} to @code{1} (for
locale specific errors).  If the dialog was canceled, then the handler
should set the @code{canceled} variable to @code{1}.  If the not ok
button was pressed, don't do anything else.

If the dialog is in passphrase mode return @code{1} if the user
entered a password and pressed ok.  If an error occurred, return
@code{-1} and set @code{specific_err} or @code{locale_err}, as above.
If the user canceled the dialog box, return @code{-1}.

If the window was closed, then the handler should set the
@code{close_button} variable and otherwise act as if the cancel button
was pressed.


@c ---------------------------------------------------------------------
@c Legal Blurbs
@c ---------------------------------------------------------------------

@include gpl.texi

@c ---------------------------------------------------------------------
@c Indexes
@c ---------------------------------------------------------------------

@node Option Index
@unnumbered Option Index

@printindex op

@node Index
@unnumbered Index

@printindex cp

@c ---------------------------------------------------------------------
@c Epilogue
@c ---------------------------------------------------------------------

@bye