[PATCH] Re: --passphrase and command line
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Jan 14 19:24:11 CET 2015
On Wed 2015-01-14 11:09:09 -0500, Werner Koch wrote:
> On Wed, 14 Jan 2015 15:39, hymie at lactose.homelinux.net said:
>> Can this feature be added to the "--passphrase" option of gpg? It's my
going from "gpg --passphrase password" to "gpg --passphrase xxxxxxxx" in
the process table in a C program is usually done by writing to the
contents of main()'s argv argument.
It's clear to me that this rewrite of the process table isn't fully
safe, for a number of reasons, including at least:
0) There are some operating systems where writing to argv doesn't
change how the process appears in the process table.
1) Even on OSes where this is possible, there is still a window of time
between when the process starts and when it manages to rewrite
argv. Anyone reading the process table at that time can see the
2) It still leaks the length of the password, since there is one x per
However, the fact that this is not perfectly safe does not mean that gpg
should necessarily avoid the practice (--passphrase itself isn't
perfectly safe, and we don't avoid it).
Put more positively, maybe it's worth considering taking this step for
gpg in spite of its various failure modes. Having extra insecurity
everywhere seems marginally worse.
It would be bad if this encouraged the use of the --passphrase option
*anywhere*, though, since it really is the worst way to use the tools.
Anyway, if this is desirable, the following patch (tested only on Debian
GNU/Linux) provides this minor/dubious improvement:
diff --git a/g10/gpg.c b/g10/gpg.c
index 12fe7b2..589d6c8 100644
@@ -2713,6 +2713,11 @@ main (int argc, char **argv)
case oBZ2DecompressLowmem: opt.bz2_decompress_lowmem=1; break;
+ size_t i, l = strlen(pargs.r.ret_str);
+ for (i=0; i < l; i++)
+ pargs.r.ret_str[i] = 'x';
pwfd = translate_sys2libc_fd_int (pargs.r.ret_int, 0);
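Review bot: the scrub runs before anything saves the passphrase, so as quoted it destroys the only copy: between `case oBZ2DecompressLowmem:` and the `pwfd = translate_sys2libc_fd_int` line the loop turns `pargs.r.ret_str` into `xxxx...`, but no line in the hunk stores the string into `opt` first, and the `case oPassphrase:` label these lines belong to is not shown either (the `@@ -2713,6 +2713,11 @@` header implies five added lines, the hunk shows three), so the patch as pasted does not apply cleanly. Move the overwrite after the existing assignment that records the passphrase, and make that assignment a heap copy (e.g. `xstrdup (pargs.r.ret_str)`) rather than the raw pointer, since a pointer would now reference the masked bytes. Also wrap `size_t i, l = strlen(pargs.r.ret_str);` in its own `{ }` block: a declaration directly after a `case` label is not valid C before C23, and `gpg.c` is compiled as C. Finally, this only helps if `ret_str` points into the `argv` storage; if the option parser hands back a copy, the loop changes nothing in the process table, which is worth confirming on each platform before relying on it.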
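The argv-rewriting technique the message describes, and two of its failure modes, as an added stand-alone example that is not part of the original thread or of GnuPG: the program takes a secret from `argv`, copies it to the heap first, then overwrites the argv bytes in place. On Linux it reads back `/proc/self/cmdline` to show what the process table now contains; on other OSes that check is skipped, since, as the message notes, rewriting argv does not change the process table everywhere. The mask is the same length as the secret, so the length still leaks. The function names `take_secret_and_scrub`, `is_masked` and `cmdline_has_arg` are hypothetical helpers chosen here, not GnuPG API.

```c
/* Added example (not GnuPG code): mask a secret passed in argv after
 * copying it out. Helper names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy the secret out of `arg`, then overwrite every byte of `arg` with 'x'.
 * Returns the heap copy (caller frees) or NULL if allocation fails, in which
 * case `arg` is left untouched. Writing through a volatile pointer keeps the
 * compiler from treating the overwrite as a dead store. */
char *take_secret_and_scrub(char *arg)
{
    size_t len = strlen(arg);
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, arg, len + 1);
    volatile char *p = arg;
    for (size_t i = 0; i < len; i++)
        p[i] = 'x';
    return copy;
}

/* Returns 1 if `s` is exactly `len` bytes of 'x', else 0. The mask keeps the
 * original length: that is the length leak the message points out. */
int is_masked(const char *s, size_t len)
{
    if (strlen(s) != len)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (s[i] != 'x')
            return 0;
    return 1;
}

/* Linux-only view of the process table: scan the NUL-separated
 * /proc/self/cmdline for an argument equal to `needle`.
 * Returns 1 if present, 0 if absent, -1 if /proc/self/cmdline is unreadable. */
int cmdline_has_arg(const char *needle)
{
    FILE *f = fopen("/proc/self/cmdline", "rb");
    if (f == NULL)
        return -1;
    char buf[4096];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    size_t start = 0;
    for (size_t i = 0; i < n; i++) {
        if (buf[i] == '\0') {
            if (strcmp(buf + start, needle) == 0)
                return 1;
            start = i + 1;
        }
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 3 || strcmp(argv[1], "--passphrase") != 0) {
        fprintf(stderr, "usage: %s --passphrase SECRET\n", argv[0]);
        return 2;
    }
    char *secret = take_secret_and_scrub(argv[2]);
    if (secret == NULL)
        return 1;
    printf("argv[2] after scrub: %s\n", argv[2]);
    int seen = cmdline_has_arg(secret);
    if (seen < 0)
        printf("no /proc/self/cmdline here; cannot confirm what ps shows\n");
    else
        printf("/proc/self/cmdline %s the secret\n",
               seen ? "still shows" : "no longer shows");
    /* Wipe the private copy before freeing it. */
    size_t len = strlen(secret);
    volatile char *p = secret;
    for (size_t i = 0; i < len; i++)
        p[i] = 0;
    free(secret);
    return 0;
}
```

Run it as `./a.out --passphrase hunter2` and, from another terminal, `ps -o args -p $(pidof a.out)` (or read `/proc/<pid>/cmdline`) while it runs to see the masked form; the window between exec and the overwrite that the message mentions is still there, the program just closes it as early as it can.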