[git] GPGME - branch, master, updated. gpgme-1.7.1-48-g9fc92a1
by Werner Koch
cvs at cvs.gnupg.org
Wed Nov 16 10:20:27 CET 2016
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GnuPG Made Easy".
The branch, master has been updated
via 9fc92a15bd0a30437a39d0eb28b6f40edc22e6e8 (commit)
via 573064742145aa5f9bf04baa88af918c0c4d5e12 (commit)
from b2c07bd47bd608afa5cc819b60a7b5bb8c9dd96a (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 9fc92a15bd0a30437a39d0eb28b6f40edc22e6e8
Author: Werner Koch <wk at gnupg.org>
Date: Wed Nov 16 10:12:19 2016 +0100
core: Do not leak the override session key to ps(1).
* src/engine-gpg.c (struct engine_gpg): New field
override_session_key.
(gpg_release): Free that field.
(gpg_decrypt): With gnupg 2.1.16 use --override-session-key-fd.
* tests/run-decrypt.c (main): Fix setting of the override key.
--
Note that this works only with gnupg 2.1.16 and later.
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/doc/gpgme.texi b/doc/gpgme.texi
index 4f899a9..32e0861 100644
--- a/doc/gpgme.texi
+++ b/doc/gpgme.texi
@@ -2910,7 +2910,9 @@ not exported.
The string given in @var{value} is passed to the GnuPG engine to override
the session key for decryption. The format of that session key is
specific to GnuPG and can be retrieved during a decrypt operation when
-the context flag "export-session-key" is enabled.
+the context flag "export-session-key" is enabled. Please be aware that
+using this feature with GnuPG < 2.1.16 will leak the session key on
+many platforms via ps(1).
@end table
diff --git a/src/engine-gpg.c b/src/engine-gpg.c
index 21ed5bc..7afeb5c 100644
--- a/src/engine-gpg.c
+++ b/src/engine-gpg.c
@@ -139,6 +139,9 @@ struct engine_gpg
struct gpgme_io_cbs io_cbs;
gpgme_pinentry_mode_t pinentry_mode;
+
+ /* NULL or the data object fed to --override_session_key-fd. */
+ gpgme_data_t override_session_key;
};
typedef struct engine_gpg *engine_gpg_t;
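Review bot: The comment on the new field spells the option `--override_session_key-fd`, while the option gpg_decrypt actually passes is `--override-session-key-fd`, so a search for the option name will not find this field. Since the object carries key material, the comment should also state who owns it, for example `/* NULL or the data object fed to --override-session-key-fd; owned by the engine and released in gpg_release. */`. The struct definition begins outside this hunk.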
@@ -441,6 +444,8 @@ gpg_release (void *engine)
if (gpg->cmd.keyword)
free (gpg->cmd.keyword);
+ gpgme_data_release (gpg->override_session_key);
+
free (gpg);
}
@@ -1563,9 +1568,30 @@ gpg_decrypt (void *engine, gpgme_data_t ciph, gpgme_data_t plain,
if (!err && override_session_key && *override_session_key)
{
- err = add_arg (gpg, "--override-session-key");
- if (!err)
- err = add_arg (gpg, override_session_key);
+ if (have_gpg_version (gpg, "2.1.16"))
+ {
+ gpgme_data_release (gpg->override_session_key);
+ TRACE2 (DEBUG_ENGINE, "override", gpg, "seskey='%s' len=%zu\n",
+ override_session_key,
+ strlen (override_session_key));
+
+ err = gpgme_data_new_from_mem (&gpg->override_session_key,
+ override_session_key,
+ strlen (override_session_key), 1);
+ if (!err)
+ {
+ err = add_arg (gpg, "--override-session-key-fd");
+ if (!err)
+ err = add_data (gpg, gpg->override_session_key, -2, 0);
+ }
+ }
+ else
+ {
+ /* Using that option may leak the session key via ps(1). */
+ err = add_arg (gpg, "--override-session-key");
+ if (!err)
+ err = add_arg (gpg, override_session_key);
+ }
}
/* Tell the gpg object about the data. */
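Review bot: The added TRACE2 call in the 2.1.16 branch prints the session key itself (`seskey='%s'`) to the engine debug trace, so the key this commit keeps out of ps(1) ends up in the trace output whenever engine-level tracing is enabled. Logging only the length keeps the diagnostic without the secret: `TRACE1 (DEBUG_ENGINE, "override", gpg, "seskey len=%zu\n", strlen (override_session_key));`. Separately, `gpg->override_session_key` is released but not reset before `gpgme_data_new_from_mem`. If that call can fail without writing its out-parameter (not visible here), gpg_release would release the stale pointer a second time, and adding `gpg->override_session_key = NULL;` right after the release rules that out. The body of gpg_decrypt continues outside this hunk.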
diff --git a/tests/run-decrypt.c b/tests/run-decrypt.c
index 07a8747..d8ff00f 100644
--- a/tests/run-decrypt.c
+++ b/tests/run-decrypt.c
@@ -185,7 +185,8 @@ main (int argc, char **argv)
}
if (override_session_key)
{
- err = gpgme_set_ctx_flag (ctx, "overrride-session-key", "1");
+ err = gpgme_set_ctx_flag (ctx, "override-session-key",
+ override_session_key);
if (err)
{
fprintf (stderr, PGM ": error overriding session key: %s\n",
commit 573064742145aa5f9bf04baa88af918c0c4d5e12
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Wed Nov 16 14:10:22 2016 +0900
doc,tests: Require use of ctx_flag before use of session_key.
* doc/gpgme.texi: Document requirements of verifying that it is OK to
use session_key.
* tests/run-decrypt.c: Ensure that we fail if we're unable to access
the session key, so that we do not violate the guidance above.
Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Changed the description
- at code{gpgme_set_ctx_flag (ctx, "export-session-key")} returns
- at code{GPG_ERR_NO_ERROR} or @code{gpgme_get_ctx_flag (ctx,
-"export-session-key")} returns @code{"1"}.
+ at code{gpgme_set_ctx_flag (ctx, "export-session-key")} returns success
+or @code{gpgme_get_ctx_flag (ctx, "export-session-key")} returns true
+(non-empty string).
to get gpgme_get_ctx_flag for boolean values in sync with its own
description.
Note that I don't agree with the above suggestion but it does not
really harm to have it in the man page.
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/doc/gpgme.texi b/doc/gpgme.texi
index fd396e0..4f899a9 100644
--- a/doc/gpgme.texi
+++ b/doc/gpgme.texi
@@ -4814,6 +4814,11 @@ set to export session keys (see @code{gpgme_set_ctx_flag,
"export-session-key"}), and a session key was available for the most
recent decryption operation. Otherwise, this is a null pointer.
+You must not try to access this member of the struct unless
+ at code{gpgme_set_ctx_flag (ctx, "export-session-key")} returns success
+or @code{gpgme_get_ctx_flag (ctx, "export-session-key")} returns true
+(non-empty string).
+
@end table
@end deftp
diff --git a/tests/run-decrypt.c b/tests/run-decrypt.c
index 65624d0..07a8747 100644
--- a/tests/run-decrypt.c
+++ b/tests/run-decrypt.c
@@ -174,9 +174,25 @@ main (int argc, char **argv)
gpgme_set_ctx_flag (ctx, "full-status", "1");
}
if (export_session_key)
- gpgme_set_ctx_flag (ctx, "export-session-key", "1");
+ {
+ err = gpgme_set_ctx_flag (ctx, "export-session-key", "1");
+ if (err)
+ {
+ fprintf (stderr, PGM ": error requesting exported session key: %s\n",
+ gpgme_strerror (err));
+ exit (1);
+ }
+ }
if (override_session_key)
- gpgme_set_ctx_flag (ctx, "override-session-key", override_session_key);
+ {
+ err = gpgme_set_ctx_flag (ctx, "overrride-session-key", "1");
+ if (err)
+ {
+ fprintf (stderr, PGM ": error overriding session key: %s\n",
+ gpgme_strerror (err));
+ exit (1);
+ }
+ }
err = gpgme_data_new_from_stream (&in, fp_in);
if (err)
@@ -201,10 +217,11 @@ main (int argc, char **argv)
fprintf (stderr, PGM ": decrypt failed: %s\n", gpgme_strerror (err));
exit (1);
}
- if (result) {
- print_result (result);
- print_data (out);
- }
+ if (result)
+ {
+ print_result (result);
+ print_data (out);
+ }
gpgme_data_release (out);
gpgme_data_release (in);
-----------------------------------------------------------------------
Summary of changes:
doc/gpgme.texi | 9 ++++++++-
src/engine-gpg.c | 32 +++++++++++++++++++++++++++++---
tests/run-decrypt.c | 30 ++++++++++++++++++++++++------
3 files changed, 61 insertions(+), 10 deletions(-)
hooks/post-receive
--
GnuPG Made Easy
http://git.gnupg.org