gpg: New option --show-only-session-key

* g10/options.h (opt): Add show_only_session_key and turn show_session_key into a bit flag. * g10/gpg.c (oShowOnlySessionKey): New. (opts): Add "show-only-session-key". (main): Set flag. * g10/mainproc.c (proc_encrypted): Handle the new option. * g10/decrypt-data.c (decrypt_data): Ditto. Add compliance error flag to the DECRYPTION_INFO status line. -- This new option is somehow related to GnuPG-bug-id: 1825
2025-07-03 22:56:33 +02:00 · 2024-06-24 16:31:24 +02:00 · 2024-06-24 16:31:24 +02:00 · 1695cf267e
commit 1695cf267e
parent 4c65dfeb28
6 changed files with 42 additions and 13 deletions
--- a/g10/decrypt-data.c
+++ b/g10/decrypt-data.c
@ -263,11 +263,13 @@ decrypt_data (ctrl_t ctrl, void *procctx, PKT_encrypted *ed, DEK *dek,
  /* Check compliance.  */
  if (!gnupg_cipher_is_allowed (opt.compliance, 0, dek->algo, ciphermode))
    {
-      log_error (_("cipher algorithm '%s' may not be used in %s mode\n"),
+      gpgrt_log (opt.show_only_session_key? GPGRT_LOGLVL_INFO
+                 /*                     */: GPGRT_LOGLVL_ERROR,
+                 _("cipher algorithm '%s' may not be used in %s mode\n"),
 		 openpgp_cipher_algo_mode_name (dek->algo,ed->aead_algo),
 		 gnupg_compliance_option_string (opt.compliance));
      *compliance_error = 1;
-      if (opt.flags.require_compliance)
+      if (opt.flags.require_compliance && !opt.show_only_session_key)
        {
          /* We fail early in this case because it does not make sense
           * to first decrypt everything.  */
@ -276,8 +278,9 @@ decrypt_data (ctrl_t ctrl, void *procctx, PKT_encrypted *ed, DEK *dek,
        }
    }

-  write_status_printf (STATUS_DECRYPTION_INFO, "%d %d %d",
-                       ed->mdc_method, dek->algo, ed->aead_algo);
+  write_status_printf (STATUS_DECRYPTION_INFO, "%d %d %d %d",
+                       ed->mdc_method, dek->algo, ed->aead_algo,
+                       *compliance_error);

  if (opt.show_session_key)
    {
@ -297,6 +300,11 @@ decrypt_data (ctrl_t ctrl, void *procctx, PKT_encrypted *ed, DEK *dek,
      log_info ("session key: '%s%s'\n", numbuf, hexbuf);
      write_status_strings (STATUS_SESSION_KEY, numbuf, hexbuf, NULL);
      xfree (hexbuf);
+      if (opt.show_only_session_key)
+        {
+          rc = 0;
+          goto leave;
+        }
    }

  rc = openpgp_cipher_test_algo (dek->algo);
--- a/g10/gpg.c
+++ b/g10/gpg.c
@ -367,6 +367,7 @@ enum cmd_and_opt_values
    oIgnoreCrcError,
    oIgnoreMDCError,
    oShowSessionKey,
+    oShowOnlySessionKey,
    oOverrideSessionKey,
    oOverrideSessionKeyFD,
    oNoRandomSeedFile,
@ -770,6 +771,7 @@ static gpgrt_opt_t opts[] = {
  ARGPARSE_s_n (oShowNotation,      "show-notation", "@"),
  ARGPARSE_s_n (oNoShowNotation, "no-show-notation", "@"),
  ARGPARSE_s_n (oShowSessionKey, "show-session-key", "@"),
+  ARGPARSE_s_n (oShowOnlySessionKey, "show-only-session-key", "@"),
  ARGPARSE_s_n (oUseEmbeddedFilename,      "use-embedded-filename", "@"),
  ARGPARSE_s_n (oNoUseEmbeddedFilename, "no-use-embedded-filename", "@"),
  ARGPARSE_s_n (oUnwrap, "unwrap", "@"),
@ -3564,7 +3566,13 @@ main (int argc, char **argv)
            opt.keyserver_options.options &= ~KEYSERVER_AUTO_KEY_RETRIEVE;
            break;

-	  case oShowSessionKey: opt.show_session_key = 1; break;
+	  case oShowOnlySessionKey:
+            opt.show_only_session_key = 1;
+            /* fallthru */
+	  case oShowSessionKey:
+            opt.show_session_key = 1;
+            break;
+
 	  case oOverrideSessionKey:
 		opt.override_session_key = pargs.r.ret_str;
 		break;
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@ -664,7 +664,8 @@ proc_encrypted (CTX c, PACKET *pkt)
  if (c->dek && opt.verbose > 1)
    log_info (_("public key encrypted data: good DEK\n"));

-  write_status (STATUS_BEGIN_DECRYPTION);
+  if (!opt.show_only_session_key)
+    write_status (STATUS_BEGIN_DECRYPTION);

  /*log_debug("dat: %sencrypted data\n", c->dek?"":"conventional ");*/
  if (opt.list_only)
@ -794,6 +795,8 @@ proc_encrypted (CTX c, PACKET *pkt)
   * log_error printed in the cry_cipher_checktag never gets ignored.  */
  if (!result && early_plaintext)
    result = gpg_error (GPG_ERR_BAD_DATA);
+  else if (!result && opt.show_only_session_key)
+    result = -1;
  else if (!result && pkt->pkt.encrypted->aead_algo
           && log_get_errorcount (0))
    result = gpg_error (GPG_ERR_BAD_SIGNATURE);
@ -903,7 +906,9 @@ proc_encrypted (CTX c, PACKET *pkt)
  c->dek = NULL;
  free_packet (pkt, NULL);
  c->last_was_session_key = 0;
-  write_status (STATUS_END_DECRYPTION);
+
+  if (!opt.show_only_session_key)
+    write_status (STATUS_END_DECRYPTION);

  /* Bump the counter even if we have not seen a literal data packet
   * inside an encryption container.  This acts as a sentinel in case
@ -915,7 +920,8 @@ proc_encrypted (CTX c, PACKET *pkt)
   * de-vs compliance mode by just looking at the exit status.  */
  if (opt.flags.require_compliance
      && opt.compliance == CO_DE_VS
-      && compliance_de_vs != (4|2|1))
+      && compliance_de_vs != (4|2|1)
+      && !opt.show_only_session_key)
    {
      log_error (_("operation forced to fail due to"
                   " unfulfilled compliance rules\n"));
@ -2203,7 +2209,7 @@ check_sig_and_print (CTX c, kbnode_t node)
        }
    }

-  /* Do do something with the result of the signature checking.  */
+  /* Do something with the result of the signature checking.  */
  if (!rc || gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE)
    {
      /* We have checked the signature and the result is either a good
--- a/g10/options.h
+++ b/g10/options.h
@ -234,7 +234,8 @@ struct
  int ignore_expiration;
  int command_fd;
  const char *override_session_key;
-  int show_session_key;
+  unsigned int show_session_key:1;
+  unsigned int show_only_session_key:1;

  const char *gpg_agent_info;
  int try_all_secrets;