agent: Defer passphrase quality check to external tool.
Needs ReviewPublic

Authored by gouttegd on Aug 6 2017, 5:41 PM.
This revision needs review, but there are no reviewers specified.


  • agent/call-pinentry.c (estimate_passphrase_quality): Call external program to evaluate passphrase if requested.
  • agent/agent.h (struct opt): New field passphrase_quality_checker.
  • agent/gpg-agent.c (oPassphraseChecker): New const.

(opts): New option --passphrase-checker.

(parse_rereadable_options): Handle the new option.

This is a proposal to allow deferring the evaluation of a
passphrase's quality to an external program. The program is
expected to accept the passphrase to its standard input and
to write the quality value on its standard output (this is
the behavior of the pwscore program, part of the libpwquality

GnuPG-bug-id: 2103
Signed-off-by: Damien Goutte-Gattat <>

Test Plan

Install pwscore (libpwquality-tools in Debian) and run the following commands:

GNUPGHOME=$(mktemp -d /tmp/gnupg.XXXXXX)
gpg-agent --daemon --passphrase-checker /usr/bin/pwscore --pinentry-program /usr/bin/pinentry-gtk-2
gpg2 --quick-gen-key 'Alice <>'

When pinentry prompts for the new passphrase, check that for a given passphrase, the quality indicator gives the same value than the one returned by pwscore for the same passphrase.

Redo without the --passphrase-checker option and check that the quality indicator behaves as usual (10% per character).

Diff Detail

rG GnuPG
Lint Skipped
Unit Tests Skipped
gouttegd created this revision.Aug 6 2017, 5:41 PM
gouttegd updated this revision to Diff 1302.Aug 7 2017, 10:35 PM

Free the memory allocated by the gnupg_exec_tool call (sorry about that...).