gpg: add --passphrase-env VARNAME to read passphrase from environment

* g10/keydb.h: declare set_passphrase_from_environment_variable() * g10/passphrase.c: set_passphrase_from_environment_variable() new function * g10/gpg.c: add new --passphrase-env argument, handle it. -- There are problems or difficulties (to varying degrees) with all of the techniques available for sending a passphrase directly to the GnuPG process when --pinentry-mode=loopback: * Passphrases on the command line often leak into the process table. * Passphrases in a file often leak into the disk. * Using an extra file descriptor to send a passphrase works well on platforms that make it easy to allocate and use extra file descriptors, but is pretty awkward on platforms that don't facilitate this. So this patch adds a new form of passphrase-passing, using an environment variable. In POSIX shell, this looks like (for example): mypass="IUuKctdEhH8' gpg --batch --pinentry-mode=loopback\ --passphrase-env=mypass --decrypt < message.txt Hopefully, this is easier to use than --passphrase-fd on platforms or language toolkits that don't facilitate file descriptor manipulation. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2018-09-23 14:10:17 -04:00 · 2018-09-23 14:10:17 -04:00 · 07c19981da
parent fe8b633954
commit 07c19981da
4 changed files with 29 additions and 1 deletions
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@ -670,7 +670,8 @@ used for no expiration date.
 If this command is used with @option{--batch},
@option{--pinentry-mode} has been set to @code{loopback}, and one of
 the passphrase options (@option{--passphrase},
-@option{--passphrase-fd}, or @option{passphrase-file}) is used, the
+@option{--passphrase-fd}, @option{--passphrase-env}, or
+@option{passphrase-file}) is used, the
 supplied passphrase is used for the new key and the agent does not ask
 for it.  To create a key without any protection @code{--passphrase ''}
 may be used.
@ -3172,6 +3173,14 @@ Note that since Version 2.0 this passphrase is only used if the
 option @option{--batch} has also been given. Since Version 2.1
 the @option{--pinentry-mode} also needs to be set to @code{loopback}.

+@item --passphrase-env @var{string}
+@opindex passphrase-env
+Use the value of the environment variable @var{string} as the passphrase.
+This can only be used if only one passphrase is supplied.
+
+This passphrase is only used if the option @option{--batch} has also
+been given, and if @option{--pinentry-mode} is set to @code{loopback}.
+
@item --pinentry-mode @var{mode}
@opindex pinentry-mode
 Set the pinentry mode to @var{mode}.  Allowed values for @var{mode}
--- a/g10/gpg.c
+++ b/g10/gpg.c
@ -257,6 +257,7 @@ enum cmd_and_opt_values
    oBZ2CompressLevel,
    oBZ2DecompressLowmem,
    oPassphrase,
+    oPassphraseEnv,
    oPassphraseFD,
    oPassphraseFile,
    oPassphraseRepeat,
@ -709,6 +710,7 @@ static ARGPARSE_OPTS opts[] = {
  ARGPARSE_c (aRebuildKeydbCaches, "rebuild-keydb-caches", "@"),

  ARGPARSE_s_s (oPassphrase,      "passphrase", "@"),
+  ARGPARSE_s_s (oPassphraseEnv,   "passphrase-env", "@"),
  ARGPARSE_s_i (oPassphraseFD,    "passphrase-fd", "@"),
  ARGPARSE_s_s (oPassphraseFile,  "passphrase-file", "@"),
  ARGPARSE_s_i (oPassphraseRepeat,"passphrase-repeat", "@"),
@ -3151,6 +3153,9 @@ main (int argc, char **argv)
 	  case oPassphrase:
 	    set_passphrase_from_string(pargs.r.ret_str);
 	    break;
+	  case oPassphraseEnv:
+	    set_passphrase_from_environment_variable(pargs.r.ret_str);
+	    break;
 	  case oPassphraseFD:
            pwfd = translate_sys2libc_fd_int (pargs.r.ret_int, 0);
            break;
--- a/g10/keydb.h
+++ b/g10/keydb.h
@ -279,6 +279,7 @@ gpg_error_t build_sk_list (ctrl_t ctrl, strlist_t locusr,
 unsigned char encode_s2k_iterations (int iterations);
 int  have_static_passphrase(void);
 const char *get_static_passphrase (void);
+void set_passphrase_from_environment_variable(const char *envvar);
 void set_passphrase_from_string(const char *pass);
 void read_passphrase_from_fd( int fd );
 void passphrase_clear_cache (const char *cacheid);
--- a/g10/passphrase.c
+++ b/g10/passphrase.c
@ -159,6 +159,19 @@ set_passphrase_from_string(const char *pass)
  strcpy (fd_passwd, pass);
 }

+void
+set_passphrase_from_environment_variable(const char *envvar)
+{
+  const char *val = getenv(envvar);
+  if (val == NULL)
+    val = "";
+  xfree (fd_passwd);
+  fd_passwd = xmalloc_secure(strlen(val)+1);
+  strcpy (fd_passwd, val);
+  /* clean up sensitive environment variable to avoid accidental
+     propagation: */
+  unsetenv(envvar);
+}

 void
 read_passphrase_from_fd( int fd )