[Pkg-gnupg-commit] [gpgme] 48/62: core: Do not leak the override session key to ps(1).
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Sat Nov 19 04:03:37 UTC 2016
This is an automated email from the git hooks/post-receive script.
dkg pushed a commit to branch experimental
in repository gpgme.
commit 9fc92a15bd0a30437a39d0eb28b6f40edc22e6e8
Author: Werner Koch <wk at gnupg.org>
Date: Wed Nov 16 10:12:19 2016 +0100
core: Do not leak the override session key to ps(1).
* src/engine-gpg.c (struct engine_gpg): New field
override_session_key.
(gpg_release): Free that field.
(gpg_decrypt): With gnupg 2.1.16 use --override-session-key-fd.
* tests/run-decrypt.c (main): Fix setting over the override key.
--
Note that this works only with gnupg 2.1.16 and later.
Signed-off-by: Werner Koch <wk at gnupg.org>
---
doc/gpgme.texi | 4 +++-
src/engine-gpg.c | 32 +++++++++++++++++++++++++++++---
tests/run-decrypt.c | 3 ++-
3 files changed, 34 insertions(+), 5 deletions(-)
diff --git a/doc/gpgme.texi b/doc/gpgme.texi
index 4f899a9..32e0861 100644
--- a/doc/gpgme.texi
+++ b/doc/gpgme.texi
@@ -2910,7 +2910,9 @@ not exported.
The string given in @var{value} is passed to the GnuPG engine to override
the session key for decryption. The format of that session key is
specific to GnuPG and can be retrieved during a decrypt operation when
-the context flag "export-session-key" is enabled.
+the context flag "export-session-key" is enabled. Please be aware that
+using this feature with GnuPG < 2.1.16 will leak the session key on
+many platforms via ps(1).
@end table
diff --git a/src/engine-gpg.c b/src/engine-gpg.c
index 21ed5bc..7afeb5c 100644
--- a/src/engine-gpg.c
+++ b/src/engine-gpg.c
@@ -139,6 +139,9 @@ struct engine_gpg
struct gpgme_io_cbs io_cbs;
gpgme_pinentry_mode_t pinentry_mode;
+
+ /* NULL or the data object fed to --override_session_key-fd. */
+ gpgme_data_t override_session_key;
};
typedef struct engine_gpg *engine_gpg_t;
@@ -441,6 +444,8 @@ gpg_release (void *engine)
if (gpg->cmd.keyword)
free (gpg->cmd.keyword);
+ gpgme_data_release (gpg->override_session_key);
+
free (gpg);
}
@@ -1563,9 +1568,30 @@ gpg_decrypt (void *engine, gpgme_data_t ciph, gpgme_data_t plain,
if (!err && override_session_key && *override_session_key)
{
- err = add_arg (gpg, "--override-session-key");
- if (!err)
- err = add_arg (gpg, override_session_key);
+ if (have_gpg_version (gpg, "2.1.16"))
+ {
+ gpgme_data_release (gpg->override_session_key);
+ TRACE2 (DEBUG_ENGINE, "override", gpg, "seskey='%s' len=%zu\n",
+ override_session_key,
+ strlen (override_session_key));
+
+ err = gpgme_data_new_from_mem (&gpg->override_session_key,
+ override_session_key,
+ strlen (override_session_key), 1);
+ if (!err)
+ {
+ err = add_arg (gpg, "--override-session-key-fd");
+ if (!err)
+ err = add_data (gpg, gpg->override_session_key, -2, 0);
+ }
+ }
+ else
+ {
+ /* Using that option may leak the session key via ps(1). */
+ err = add_arg (gpg, "--override-session-key");
+ if (!err)
+ err = add_arg (gpg, override_session_key);
+ }
}
/* Tell the gpg object about the data. */
diff --git a/tests/run-decrypt.c b/tests/run-decrypt.c
index 07a8747..d8ff00f 100644
--- a/tests/run-decrypt.c
+++ b/tests/run-decrypt.c
@@ -185,7 +185,8 @@ main (int argc, char **argv)
}
if (override_session_key)
{
- err = gpgme_set_ctx_flag (ctx, "overrride-session-key", "1");
+ err = gpgme_set_ctx_flag (ctx, "override-session-key",
+ override_session_key);
if (err)
{
fprintf (stderr, PGM ": error overriding session key: %s\n",
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gpgme.git
More information about the Pkg-gnupg-commit
mailing list