From 43bfaf2c5417ede621c0a07721952ea549a7a139 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Wed, 16 Nov 2016 09:02:53 +0100
Subject: [PATCH] gpg: New option --override-session-key-fd.
* g10/gpg.c (oOverrideSessionKeyFD): New.
(opts): Add option --override-session-key-fd.
(main): Handle that option.
(read_sessionkey_from_fd): New.
--
The override-session-key feature was designed to mitigate the effect of the British RIP act by allowing to keep the private key private and hand out only a session key. For that use case the leaking of the session key would not be a problem. However there are other use cases, for example fast re-decryption after an initial decryption, which would benefit from concealing the session key from other users.
Signed-off-by: Werner Koch
---
 doc/gpg.texi | 16 ++++++++++------
 g10/gpg.c | 45 +++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 53 insertions(+), 8 deletions(-)
diff --git a/doc/gpg.texi b/doc/gpg.texi
index aff3aebbc..c69e512d5 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -3118,13 +3118,17 @@ inappropriate plaintext so they can take action against the offending user.
 @item --override-session-key @code{string}
+@itemx --override-session-key-fd @code{fd}
 @opindex override-session-key
-Don't use the public key but the session key @code{string}. The format
-of this string is the same as the one printed by
-@option{--show-session-key}. This option is normally not used but comes
-handy in case someone forces you to reveal the content of an encrypted
-message; using this option you can do this without handing out the
-secret key.
+Don't use the public key but the session key @code{string} respective
+the session key taken from the first line read from file descriptor
+@code{fd}. The format of this string is the same as the one printed
+by @option{--show-session-key}. This option is normally not used but
+comes handy in case someone forces you to reveal the content of an
+encrypted message; using this option you can do this without handing
+out the secret key. Note that using @option{--override-session-key}
+may reveal the session key to all local users via the global process
+table.
 @item --ask-sig-expire
 @itemx --no-ask-sig-expire
diff --git a/g10/gpg.c b/g10/gpg.c
index 495356c3e..c54facb23 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -343,6 +343,7 @@ enum cmd_and_opt_values
 oIgnoreMDCError,
 oShowSessionKey,
 oOverrideSessionKey,
+ oOverrideSessionKeyFD,
 oNoRandomSeedFile,
 oAutoKeyRetrieve,
 oNoAutoKeyRetrieve,
@@ -776,6 +777,7 @@ static ARGPARSE_OPTS opts[] = {
 ARGPARSE_s_n (oIgnoreMDCError, "ignore-mdc-error", "@"),
 ARGPARSE_s_n (oShowSessionKey, "show-session-key", "@"),
 ARGPARSE_s_s (oOverrideSessionKey, "override-session-key", "@"),
+ ARGPARSE_s_i (oOverrideSessionKeyFD, "override-session-key-fd", "@"),
 ARGPARSE_s_n (oNoRandomSeedFile, "no-random-seed-file", "@"),
 ARGPARSE_s_n (oAutoKeyRetrieve, "auto-key-retrieve", "@"),
 ARGPARSE_s_n (oNoAutoKeyRetrieve, "no-auto-key-retrieve", "@"),
@@ -919,6 +921,7 @@ static void add_notation_data( const char *string, int which );
 static void add_policy_url( const char *string, int which );
 static void add_keyserver_url( const char *string, int which );
 static void emergency_cleanup (void);
+static void read_sessionkey_from_fd (int fd);
 static char *
@@ -2262,6 +2265,7 @@ main (int argc, char **argv)
 int eyes_only=0;
 int multifile=0;
 int pwfd = -1;
+ int ovrseskeyfd = -1;
 int fpr_maybe_cmd = 0; /* --fingerprint maybe a command. */
 int any_explicit_recipient = 0;
 int require_secmem = 0;
@@ -3289,6 +3293,9 @@ main (int argc, char **argv)
 case oOverrideSessionKey:
 opt.override_session_key = pargs.r.ret_str;
 break;
+ case oOverrideSessionKeyFD:
+ ovrseskeyfd = translate_sys2libc_fd_int (pargs.r.ret_int, 0);
+ break;
 case oMergeOnly:
 deprecated_warning(configname,configlineno,"--merge-only", "--import-options ","merge-only");
@@ -3856,8 +3863,11 @@ main (int argc, char **argv)
 g10_exit(0);
- if( pwfd != -1 ) /* Read the passphrase now. */
- read_passphrase_from_fd( pwfd );
+ if (pwfd != -1) /* Read the passphrase now. */
+ read_passphrase_from_fd (pwfd);
+
+ if (ovrseskeyfd != -1 ) /* Read the sessionkey now. */
+ read_sessionkey_from_fd (ovrseskeyfd);
 fname = argc? *argv : NULL;
@@ -5212,3 +5222,34 @@ add_keyserver_url( const char *string, int which )
 if(critical)
 sl->flags |= 1;
 }
+
+
+static void
+read_sessionkey_from_fd (int fd)
+{
+ int i, len;
+ char *line;
+
+ for (line = NULL, i = len = 100; ; i++ )
+ {
+ if (i >= len-1 )
+ {
+ char *tmp = line;
+ len += 100;
+ line = xmalloc_secure (len);
+ if (tmp)
+ {
+ memcpy (line, tmp, i);
+ xfree (tmp);
+ }
+ else
+ i=0;
+ }
+ if (read (fd, line + i, 1) != 1 || line[i] == '\n')
+ break;
+ }
+ line[i] = 0;
+ log_debug ("seskey: %s\n", line);
+ gpgrt_annotate_leaked_object (line);
+ opt.override_session_key = line;
+}
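Review bot: In the `case oOverrideSessionKeyFD:` hunk of main, nothing says what happens when both `--override-session-key` and `--override-session-key-fd` are given. As written the fd value silently wins, because `case oOverrideSessionKey` stores `pargs.r.ret_str` in `opt.override_session_key` and the later call to read_sessionkey_from_fd overwrites it. I would either reject the combination or document it on the new case, e.g. `/* Read after option parsing; replaces any --override-session-key value. */`. The later `ovrseskeyfd != -1` test also cannot tell "option not given" from a user-supplied -1, assuming translate_sys2libc_fd_int passes that value through unchanged. main begins and ends outside this hunk.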
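Review bot: The `log_debug ("seskey: %s\n", line);` call near the end of read_sessionkey_from_fd writes the session key itself to the log stream, and nothing in this hunk guards it with a debug-flag test. That copies a value just placed in an `xmalloc_secure` buffer into ordinary log output, which works against the commit's stated aim of concealing the session key from other users. I would delete the line, or log only that a key was read, e.g. `log_debug ("seskey: read from fd %d\n", fd);`. Separately, `read (fd, line + i, 1) != 1` treats a read error the same as end of input, so a failed or interrupted read yields a truncated or empty key with no diagnostic. A short comment saying whether that is intended, or an explicit error path, would help the next reader.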