authorWerner Koch <[email protected]>2016-11-16 09:12:19 +0000
committerWerner Koch <[email protected]>2016-11-16 09:15:31 +0000
commit9fc92a15bd0a30437a39d0eb28b6f40edc22e6e8 (patch)
tree74981725e9d4761ca6cb9c497e5af2241e0ae2e9
parentdoc,tests: Require use of ctx_flag before use of session_key. (diff)
core: Do not leak the override session key to ps(1).
* src/engine-gpg.c (struct engine_gpg): New field override_session_key. (gpg_release): Free that field. (gpg_decrypt): With gnupg 2.1.16 use --override-session-key-fd. * tests/run-decrypt.c (main): Fix setting of the override key. -- Note that this works only with gnupg 2.1.16 and later. Signed-off-by: Werner Koch <[email protected]>
-rw-r--r--doc/gpgme.texi4
-rw-r--r--src/engine-gpg.c32
-rw-r--r--tests/run-decrypt.c3
3 files changed, 34 insertions, 5 deletions
diff --git a/doc/gpgme.texi b/doc/gpgme.texi
index 4f899a9e..32e08618 100644
--- a/doc/gpgme.texi
+++ b/doc/gpgme.texi
@@ -2910,7 +2910,9 @@ not exported.
The string given in @var{value} is passed to the GnuPG engine to override
the session key for decryption. The format of that session key is
specific to GnuPG and can be retrieved during a decrypt operation when
-the context flag "export-session-key" is enabled.
+the context flag "export-session-key" is enabled. Please be aware that
+using this feature with GnuPG < 2.1.16 will leak the session key on
+many platforms via ps(1).
@end table
diff --git a/src/engine-gpg.c b/src/engine-gpg.c
index 21ed5bc3..7afeb5ce 100644
--- a/src/engine-gpg.c
+++ b/src/engine-gpg.c
@@ -139,6 +139,9 @@ struct engine_gpg
struct gpgme_io_cbs io_cbs;
gpgme_pinentry_mode_t pinentry_mode;
+
+ /* NULL or the data object fed to --override_session_key-fd. */
+ gpgme_data_t override_session_key;
};
typedef struct engine_gpg *engine_gpg_t;
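Review bot: The comment on the new override_session_key field names the option as `--override_session_key-fd`, but the flag actually passed in gpg_decrypt is `--override-session-key-fd` (all hyphens), so the underscore will mislead anyone grepping for where the option is built. Suggest `/* NULL or the data object fed to --override-session-key-fd. */`. The struct engine_gpg definition begins outside the hunk.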
@@ -441,6 +444,8 @@ gpg_release (void *engine)
if (gpg->cmd.keyword)
free (gpg->cmd.keyword);
+ gpgme_data_release (gpg->override_session_key);
+
free (gpg);
}
@@ -1563,9 +1568,30 @@ gpg_decrypt (void *engine, gpgme_data_t ciph, gpgme_data_t plain,
if (!err && override_session_key && *override_session_key)
{
- err = add_arg (gpg, "--override-session-key");
- if (!err)
- err = add_arg (gpg, override_session_key);
+ if (have_gpg_version (gpg, "2.1.16"))
+ {
+ gpgme_data_release (gpg->override_session_key);
+ TRACE2 (DEBUG_ENGINE, "override", gpg, "seskey='%s' len=%zu\n",
+ override_session_key,
+ strlen (override_session_key));
+
+ err = gpgme_data_new_from_mem (&gpg->override_session_key,
+ override_session_key,
+ strlen (override_session_key), 1);
+ if (!err)
+ {
+ err = add_arg (gpg, "--override-session-key-fd");
+ if (!err)
+ err = add_data (gpg, gpg->override_session_key, -2, 0);
+ }
+ }
+ else
+ {
+ /* Using that option may leak the session key via ps(1). */
+ err = add_arg (gpg, "--override-session-key");
+ if (!err)
+ err = add_arg (gpg, override_session_key);
+ }
}
/* Tell the gpg object about the data. */
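Review bot: The TRACE2 call at the top of the new 2.1.16 branch writes the override session key itself into the debug trace (`seskey='%s'`), so the secret this commit keeps out of ps(1) still lands in plaintext in any GPGME debug log, and such logs are routinely attached to bug reports; trace only the length, e.g. `TRACE1 (DEBUG_ENGINE, "override", gpg, "seskey len=%zu\n", strlen (override_session_key));` (assuming the one-argument trace variant exists alongside TRACE2). The trace is presumably emitted only when debugging is enabled, but a secret should never be logged at any level. Separately, gpgme_data_new_from_mem with copy=1 leaves a second copy of the key on the heap that gpgme_data_release is unlikely to zeroize before freeing; a comment such as `/* NB: the copied key is freed but not wiped by gpgme_data_release. */` would make that residual-exposure caveat visible to the next maintainer. gpg_decrypt's body continues outside the hunk on both sides.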
diff --git a/tests/run-decrypt.c b/tests/run-decrypt.c
index 07a8747f..d8ff00f4 100644
--- a/tests/run-decrypt.c
+++ b/tests/run-decrypt.c
@@ -185,7 +185,8 @@ main (int argc, char **argv)
}
if (override_session_key)
{
- err = gpgme_set_ctx_flag (ctx, "overrride-session-key", "1");
+ err = gpgme_set_ctx_flag (ctx, "override-session-key",
+ override_session_key);
if (err)
{
fprintf (stderr, PGM ": error overriding session key: %s\n",