gpgme/src
Werner Koch 085cdeddef
core: Blank out the plaintext after decryption failure.
* src/data.h (data_prop_t): New enum.
(struct gpgme_data): Add field propidx.
* src/data.c (property_t): New.
(property_table, property_table_size, property_table_lock): New.
(insert_into_property_table): New.
(remove_from_property_table): New.
(_gpgme_data_get_dserial): New.
(_gpgme_data_set_prop): New.
(_gpgme_data_get_prop): New.
(_gpgme_data_new): Connect new object to property_table.
(_gpgme_data_release): Remove from property_table.
(gpgme_data_read): With DATA_PROP_BLANKOUT set don't fill the buffer.
* src/data-mem.c (gpgme_data_release_and_get_mem): Likewise.
* src/decrypt.c (struct op_data): Add field plaintext_dserial.
(_gpgme_op_decrypt_init_result): Add arg plaintext and init new field.
(_gpgme_decrypt_status_handler): Set DATA_PROP_BLANKOUT on decryption
failure.
(_gpgme_decrypt_start): Pass PLAIN to the init function.
* src/decrypt-verify.c (decrypt_verify_start): Ditto.
* configure.ac: Check for stdint.h and bail out if uint64_t is not
available.
--

This is a best effort feature to not output plaintext after a
decryption failure (e.g. due to no or broken authenticated
encryption).  It always works when using a memory object and reading it
after the decryption but it can't work reliably when the user is
reading from the data object while the decryption process is still
running.

This is quite a large change because the data objects and the context
objects are allowed to be owned by different threads.  Thus a
synchronization is needed and we do this with a global table of all
data objects to which the context objects can do soft-linking via a
unique data object serial number.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-07-19 17:39:09 +02:00
.gitignore .gitignore: flesh out rules and add subdirectory-.gitignores. 2012-04-20 16:05:11 +02:00
argparse.c doc: Replace http: by https: in core source files. 2016-11-16 13:27:00 +01:00
argparse.h doc: Replace http: by https: in core source files. 2016-11-16 13:27:00 +01:00
assuan-support.c w32: Silence some warnings about unused parameters. 2016-09-22 12:58:23 +02:00
ath.c core: Use gpgrt locking for thread safeness 2016-11-10 13:33:13 +01:00
ath.h core: Use gpgrt locking for thread safeness 2016-11-10 13:33:13 +01:00
b64dec.c doc: Replace http: by https: in core source files. 2016-11-16 13:27:00 +01:00
ChangeLog-2011 Generate the ChangeLog from commit logs. 2011-12-02 11:36:37 +01:00
cJSON.c json: Minor cleanups in cJSON.c 2018-07-16 14:42:30 +02:00
cJSON.h json: Add a new function to cJSON. 2018-03-23 11:26:36 +01:00
cJSON.readme core: Import cJSON code from the payproc project. 2018-03-14 11:10:12 +01:00
context.h Add ctx flag for auto-key-locate 2018-07-09 10:58:04 +02:00
conversion.c core: Extend decryption result with symkey_algo. 2018-04-17 13:48:56 +02:00
data-compat.c core: Un-deprecate gpgme_data_rewind. 2017-02-02 09:53:48 +01:00
data-estream.c core: New interface gpgme_data_new_from_estream. 2018-07-19 09:51:45 +02:00
data-fd.c Make definition of off_t robust against misbehaving w32 toolchains. 2013-05-16 17:48:50 +02:00
data-identify.c doc: Replace http: by https: in core source files. 2016-11-16 13:27:00 +01:00
data-mem.c core: Blank out the plaintext after decryption failure. 2018-07-19 17:39:09 +02:00
data-stream.c Make definition of off_t robust against misbehaving w32 toolchains. 2013-05-16 17:48:50 +02:00
data-user.c Make definition of off_t robust against misbehaving w32 toolchains. 2013-05-16 17:48:50 +02:00
data.c core: Blank out the plaintext after decryption failure. 2018-07-19 17:39:09 +02:00
data.h core: Blank out the plaintext after decryption failure. 2018-07-19 17:39:09 +02:00
debug.c Spelling fixes for comments and doc 2017-12-08 05:59:11 +01:00
debug.h Fix compiler warnings about unused value in TRACE macros. 2015-06-08 11:08:08 +02:00
decrypt-verify.c core: Blank out the plaintext after decryption failure. 2018-07-19 17:39:09 +02:00
decrypt.c core: Blank out the plaintext after decryption failure. 2018-07-19 17:39:09 +02:00
delete.c g10: Add new delete operations that allow more flags. 2017-08-11 19:13:44 +02:00
dirinfo.c core: Extend gpgme_get_dirinfo to return the gpg-wks-client name. 2017-03-21 11:16:16 +01:00
edit.c core: Remove cruft from the engine-gpg code. 2018-06-01 00:13:53 +02:00
encrypt-sign.c core: Remove cruft from the engine-gpg code. 2018-06-01 00:13:53 +02:00
encrypt.c core: Remove cruft from the engine-gpg code. 2018-06-01 00:13:53 +02:00
engine-assuan.c core: New gpgme_set_ctx_flag "request-origin". 2018-03-23 15:27:32 +01:00
engine-backend.h core: Remove cruft from the engine-gpg code. 2018-06-01 00:13:53 +02:00
engine-g13.c core: New gpgme_set_ctx_flag "request-origin". 2018-03-23 15:27:32 +01:00
engine-gpg.c Add ctx flag for auto-key-locate 2018-07-09 10:58:04 +02:00
engine-gpgconf.c core: New gpgme_set_ctx_flag "request-origin". 2018-03-23 15:27:32 +01:00
engine-gpgsm.c core: Add gpg auditlog to get diagnostics 2018-07-05 11:29:36 +02:00
engine-spawn.c core: New gpgme_set_ctx_flag "request-origin". 2018-03-23 15:27:32 +01:00
engine-uiserver.c core: Add extended versions of the encrypt functions. 2018-04-17 08:45:00 +02:00
engine.c core: Remove cruft from the engine-gpg code. 2018-06-01 00:13:53 +02:00
engine.h core: Remove cruft from the engine-gpg code. 2018-06-01 00:13:53 +02:00
error.c Revert "core: Fix error types." 2017-03-02 14:47:51 +01:00
export.c doc: Replace http: by https: in core source files. 2016-11-16 13:27:00 +01:00
genkey.c core: Remove cruft from the engine-gpg code. 2018-06-01 00:13:53 +02:00
get-env.c core: Support non-thread-safe getenv. 2018-02-27 18:43:40 +09:00
getauditlog.c core: Add gpg auditlog to get diagnostics 2018-07-05 11:29:36 +02:00
gpgconf.c gpgconf: Add access to --list-dirs for non-default engine. 2017-08-15 19:52:29 +02:00
gpgme-config.in core: Use gpgrt locking for thread safeness 2016-11-10 13:33:13 +01:00
gpgme-json.c json: Don't use strdup but the xtrystrdup wrapper. 2018-07-19 09:53:37 +02:00
gpgme-tool.c IDENTIFY 2018-03-05 09:40:41 +11:00
gpgme-w32spawn.c core, w32: Enable spawning GUI applications 2018-02-09 16:11:32 +01:00
gpgme.c Add ctx flag for auto-key-locate 2018-07-09 10:58:04 +02:00
gpgme.def core: Add extended versions of the encrypt functions. 2018-04-17 08:45:00 +02:00
gpgme.h.in core: New interface gpgme_data_new_from_estream. 2018-07-19 09:51:45 +02:00
gpgme.m4 build: Implement SYSROOT feature. 2014-10-02 15:57:50 +02:00
import.c core: Parse skipped_v3_keys 2018-03-15 16:23:18 +01:00
isascii.c 008-11-03 Marcus Brinkmann <marcus@g10code.com> 2008-11-03 17:24:09 +00:00
key.c Fix a couple of bugs pointed out by clang compiler warnings. 2017-08-23 15:38:11 +02:00
keylist.c core: Initialize key return value in gpgme_get_key 2018-03-27 11:24:55 +02:00
keysign.c core: Remove cruft from the engine-gpg code. 2018-06-01 00:13:53 +02:00
libgpgme.vers core: Add extended versions of the encrypt functions. 2018-04-17 08:45:00 +02:00
Makefile.am core: New interface gpgme_data_new_from_estream. 2018-07-19 09:51:45 +02:00
mbox-util.c doc: Replace http: by https: in core source files. 2016-11-16 13:27:00 +01:00
mbox-util.h doc: Replace http: by https: in core source files. 2016-11-16 13:27:00 +01:00
op-support.c core: Do not modify args for ignored failures 2018-04-20 14:30:53 +02:00
opassuan.c doc: Replace http: by https: in core source files. 2016-11-16 13:27:00 +01:00
ops.h core: Blank out the plaintext after decryption failure. 2018-07-19 17:39:09 +02:00
parsetlv.c doc: Replace http: by https: in core source files. 2016-11-16 13:27:00 +01:00
parsetlv.h Spelling fixes for comments and doc 2017-12-08 05:59:11 +01:00
passphrase.c api: Add new function gpgme_set_ctx_flag. 2016-05-19 17:04:54 +02:00
passwd.c core: Remove cruft from the engine-gpg code. 2018-06-01 00:13:53 +02:00
posix-io.c core: use getdents64 syscall on linux instead of getdents. 2017-10-12 09:00:09 +02:00
posix-util.c core: Mark unused function args. 2016-09-13 20:53:49 +02:00
priv-io.h core, w32: Enable spawning GUI applications 2018-02-09 16:11:32 +01:00
progress.c core: Add new context flag "redraw". 2017-01-31 09:44:29 +01:00
putc_unlocked.c Remove all trailing whitespace from source files 2012-09-25 15:29:49 +02:00
queryswdb.c doc: Replace http: by https: in core source files. 2016-11-16 13:27:00 +01:00
sema.h core: Use gpgrt locking for thread safeness 2016-11-10 13:33:13 +01:00
setenv.c More include guards. 2010-11-03 09:56:27 +00:00
sig-notation.c Use gpg_error_from_syserror instead of directly accessing errno. 2013-02-06 17:35:40 +01:00
sign.c core: Remove cruft from the engine-gpg code. 2018-06-01 00:13:53 +02:00
signers.c Fix potential crash in trace macro. 2015-03-16 13:40:34 +01:00
spawn.c Actually implement flags for gpgme_op_spawn. 2014-04-10 14:17:19 +02:00
status-table.c Add flag 'is_de_vs' to decryption results and signatures. 2017-06-01 14:16:11 +02:00
stpcpy.c 008-11-03 Marcus Brinkmann <marcus@g10code.com> 2008-11-03 17:24:09 +00:00
sys-util.h doc: Replace http: by https: in core source files. 2016-11-16 13:27:00 +01:00
tofupolicy.c doc: Replace http: by https: in core source files. 2016-11-16 13:27:00 +01:00
trust-item.c Use gpg_error_from_syserror instead of directly accessing errno. 2013-02-06 17:35:40 +01:00
trustlist.c Spelling fixes for comments and doc 2017-12-08 05:59:11 +01:00
ttyname_r.c doc: Replace http: by https: in core source files. 2016-11-16 13:27:00 +01:00
util.h core: Extend decryption result with symkey_algo. 2018-04-17 13:48:56 +02:00
verify.c core: Remove leftover debug output. 2018-04-19 10:34:32 +02:00
version.c core: Use gpgrt locking for thread safeness 2016-11-10 13:33:13 +01:00
versioninfo.rc.in doc: Update copyright years and change two URLs. 2018-04-18 19:30:50 +02:00
vfs-create.c core: Replace all calls to *sprintf by gpgrt_*sprintf. 2017-02-02 12:35:59 +01:00
vfs-mount.c core: Replace all calls to *sprintf by gpgrt_*sprintf. 2017-02-02 12:35:59 +01:00
w32-ce.c doc: Replace http: by https: in core source files. 2016-11-16 13:27:00 +01:00
w32-ce.h Remove all trailing whitespace from source files 2012-09-25 15:29:49 +02:00
w32-glib-io.c Fix typos found by codespell. 2015-12-02 11:28:07 +01:00
w32-io.c core, w32: Fix flags passing to gpgme-w32-spawn 2018-02-09 16:11:03 +01:00
w32-util.c core, w32: Add w64 handling for regkeys 2018-05-17 17:46:12 +02:00
wait-global.c Fix typos found by codespell. 2015-12-02 11:28:07 +01:00
wait-private.c Fix typos found by codespell. 2015-12-02 11:28:07 +01:00
wait-user.c core: Mark unused function args. 2016-09-13 20:53:49 +02:00
wait.c Use gpg_error_from_syserror instead of directly accessing errno. 2013-02-06 17:35:40 +01:00
wait.h Remove all trailing whitespace from source files 2012-09-25 15:29:49 +02:00