From 07c19981da0607dc442fadc4079b1d71fbef8f83 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor
Date: Sun, 23 Sep 2018 14:10:17 -0400
Subject: gpg: add --passphrase-env VARNAME to read passphrase from environment
* g10/keydb.h: declare set_passphrase_from_environment_variable()
* g10/passphrase.c: set_passphrase_from_environment_variable() new function
* g10/gpg.c: add new --passphrase-env argument, handle it.
--
There are problems or difficulties (to varying degrees) with all of the techniques available for sending a passphrase directly to the GnuPG process when --pinentry-mode=loopback:
* Passphrases on the command line often leak into the process table.
* Passphrases in a file often leak into the disk.
* Using an extra file descriptor to send a passphrase works well on platforms that make it easy to allocate and use extra file descriptors, but is pretty awkward on platforms that don't facilitate this.
So this patch adds a new form of passphrase-passing, using an environment variable. In POSIX shell, this looks like (for example):
mypass="IUuKctdEhH8' gpg --batch --pinentry-mode=loopback\
--passphrase-env=mypass --decrypt < message.txt
Hopefully, this is easier to use than --passphrase-fd on platforms or language toolkits that don't facilitate file descriptor manipulation.
Signed-off-by: Daniel Kahn Gillmor
---
g10/passphrase.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
(limited to 'g10/passphrase.c')
diff --git a/g10/passphrase.c b/g10/passphrase.c
index 10574ec6a..17e259695 100644
--- a/g10/passphrase.c
+++ b/g10/passphrase.c
@@ -159,6 +159,19 @@ set_passphrase_from_string(const char *pass)
 strcpy (fd_passwd, pass);
 }
+void
+set_passphrase_from_environment_variable(const char *envvar)
+{
+ const char *val = getenv(envvar);
+ if (val == NULL)
+ val = "";
+ xfree (fd_passwd);
+ fd_passwd = xmalloc_secure(strlen(val)+1);
+ strcpy (fd_passwd, val);
+ /* clean up sensitive environment variable to avoid accidental
+ propagation: */
+ unsetenv(envvar);
+}
 void
 read_passphrase_from_fd( int fd )
-- cgit v1.2.3
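Review bot: The comment above `unsetenv(envvar)` promises more than that call delivers: `unsetenv` only removes the entry from `environ`, the NAME=value string itself stays in process memory (the C standard forbids the program from modifying the buffer `getenv` returned, so it is never scrubbed), and on Linux `/proc/PID/environ` keeps exposing the initial environment block for the life of the process, which is the same exposure class the commit message cites for command-line passphrases. I would reword it to `/* Drop the variable from environ so child processes do not inherit it; this does not erase the value from memory or from /proc/PID/environ. */` and record that limitation in the --passphrase-env option documentation so users do not assume the variable is wiped. Separately, an unset variable is silently treated as an empty passphrase, so a typo in VARNAME surfaces only as a confusing bad-passphrase failure; emitting a diagnostic in the `val == NULL` branch (presumably via the g10 log_info convention, to be confirmed against the rest of the file) would make that visible. The ignored return value of `unsetenv` also hides the EINVAL case for an empty name or one containing `=`. set_passphrase_from_environment_variable is fully contained in this hunk.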