Trivial patch for showing session keys of incomplete files

Alejo Sanchez lists at alejosanchez.com
Thu Feb 27 21:37:49 CET 2014


Hello,

For a simple backup system for very sensitive information we needed to
avoid uploading private keys to the servers. The workaround I found
was to get to a trusted computer the first 400 bytes of the files to
decrypt, get the session keys out of those, and then do a decrypt on
the server with those session keys.

For some reason the current GnuPG version has the print statement for
the file's session key below error check. Just moving the code block
up does the trick.

Posting here in case this is useful for the project or anybody else.
Hope this is the right place.

Thanks a lot for such a great project,


Alejo


--- gnupg-2.0.22/g10/mainproc.c 2013-10-04 10:00:22.000000000 -0300
+++ Sft/gnupg-2.0.22/g10/mainproc.c 2013-12-03 12:10:06.748530302 -0300
@@ -572,6 +572,18 @@
     if( !result )
  result = decrypt_data( c, pkt->pkt.encrypted, c->dek );

+ /* XXX show session key, even for broken files */
+ if(opt.show_session_key)
+  {
+    int i;
+    char *buf = xmalloc ( c->dek->keylen*2 + 20 );
+    sprintf ( buf, "%d:", c->dek->algo );
+    for(i=0; i < c->dek->keylen; i++ )
+      sprintf(buf+strlen(buf), "%02X", c->dek->key[i] );
+    log_info( "session key: `%s'\n", buf );
+    write_status_text ( STATUS_SESSION_KEY, buf );
+  }
+
     if( result == -1 )
  ;
     else if( !result || (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE
@@ -583,16 +595,6 @@
     write_status( STATUS_GOODMDC );
  else if(!opt.no_mdc_warn)
     log_info (_("WARNING: message was not integrity protected\n"));
- if(opt.show_session_key)
-  {
-    int i;
-    char *buf = xmalloc ( c->dek->keylen*2 + 20 );
-    sprintf ( buf, "%d:", c->dek->algo );
-    for(i=0; i < c->dek->keylen; i++ )
-      sprintf(buf+strlen(buf), "%02X", c->dek->key[i] );
-    log_info( "session key: `%s'\n", buf );
-    write_status_text ( STATUS_SESSION_KEY, buf );
-  }
     }
     else if( result == G10ERR_BAD_SIGN ) {
  log_error(_("WARNING: encrypted message has been manipulated!\n"));



More information about the Gcrypt-devel mailing list