author | Nora Widdecke <nora@sequoia-pgp.org> | 2022-06-09 16:42:20 +0200 |
---|---|---|
committer | Nora Widdecke <nora@sequoia-pgp.org> | 2022-06-29 19:19:28 +0200 |
commit | 51facecb580cd536313ded0cb0a108fa73cb3bf2 (patch) | |
tree | 6c0c16c94ad3db38437d63ef4d596328c0e1a4cb /sq | |
parent | 74478161cd7d7a46fd96b1037659903358283f3d (diff) |
sq: Print CliSessionKey session key securely.
- Printing a SessionKey requires explicit use of the display_sensitive
function, to prevent accidental leaks.
Diffstat (limited to 'sq')
-rw-r--r-- | sq/src/commands/decrypt.rs | 2 | ||||
-rw-r--r-- | sq/src/sq_cli.rs | 36 |
2 files changed, 33 insertions, 5 deletions
diff --git a/sq/src/commands/decrypt.rs b/sq/src/commands/decrypt.rs
index d9b6811c..312b4a40 100644
--- a/sq/src/commands/decrypt.rs
+++ b/sq/src/commands/decrypt.rs
@@ -226,7 +226,7 @@ impl<'a> DecryptionHelper for Helper<'a> {
 })
 };
 if let Some(d) = decrypted_with {
- eprintln!("Encrypted with Session Key {}", d);
+ eprintln!("Encrypted with Session Key {}", d.display_sensitive());
 return Ok(None);
 }
 }
diff --git a/sq/src/sq_cli.rs b/sq/src/sq_cli.rs
index a652810e..9d6dfb86 100644
--- a/sq/src/sq_cli.rs
+++ b/sq/src/sq_cli.rs
@@ -2491,6 +2491,13 @@ pub struct DecryptCommand {
 /// Holds a session key as parsed from the command line, with an optional
 /// algorithm specifier.
+///
+/// This struct does not implement [`Display`] to prevent accidental leaking
+/// of key material. If you are sure you want to print a session key, use
+/// [`display_sensitive`].
+///
+/// [`Display`]: std::fmt::Display
+/// [`display_sensitive`]: CliSessionKey::display_sensitive
 #[derive(Debug, Clone)]
 pub struct CliSessionKey {
 pub session_key: SessionKey,
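Review bot: The `#[derive(Debug, Clone)]` context line right under the new doc comment in the sq_cli.rs hunk leaves a second formatting path to the key material: `{:?}` on `CliSessionKey`, or on any type that derives `Debug` and contains one, formats `session_key` without going through `display_sensitive`, and `Debug` output is exactly what tends to land in `dbg!` calls and logs — the leak the doc comment says the opt-in is meant to prevent. Whether that output is actually redacted depends on `SessionKey`'s own `Debug` impl in the library, which this diff does not show. A manual `Debug` impl that redacts the field would make the documented guarantee hold regardless of the library's behaviour; the struct definition continues past the hunk, and the other field, `symmetric_algo`, is referenced by the `Display` impl in the second sq_cli.rs hunk (assuming its type implements `Debug`). If the derive is kept on purpose, the doc comment should say so, e.g. `/// The derived `Debug` impl also formats `session_key`; treat `{:?}` output as sensitive.`
```rust
#[derive(Clone)]
pub struct CliSessionKey {
    pub session_key: SessionKey,
    // … unchanged: remaining fields of CliSessionKey …

/// Debug output of a session key must never expose the key bytes, so the
/// derived impl is replaced by one that redacts `session_key`.
impl std::fmt::Debug for CliSessionKey {
    fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
        f.debug_struct("CliSessionKey")
            .field("session_key", &"<redacted>")
            .field("symmetric_algo", &self.symmetric_algo)
            .finish()
    }
}
```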
@@ -2522,13 +2529,34 @@ impl std::str::FromStr for CliSessionKey {
 }
 }
-impl std::fmt::Display for CliSessionKey {
+impl CliSessionKey {
+
+ /// Returns an object that implements Display for explicitly opting into
+ /// printing a `SessionKey`.
+ pub fn display_sensitive(&self) -> CliSessionKeyDisplay {
+ CliSessionKeyDisplay { csk: self }
+ }
+}
+
+/// Helper struct for intentionally printing session keys with format! and {}.
+///
+/// This struct implements the `Display` trait to print the session key. This
+/// construct requires the user to explicitly call
+/// [`CliSessionKey::display_sensitive`]. By requiring the user to opt-in, this
+/// will hopefully reduce that the chance that the session key is inadvertently
+/// leaked, e.g., in a log that may be publicly posted.
+pub struct CliSessionKeyDisplay<'a> {
+ csk: &'a CliSessionKey,
+}
+
+impl<'a> std::fmt::Display for CliSessionKeyDisplay<'a> {
 fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
- match self.symmetric_algo {
+ let sk = self.csk;
+ match sk.symmetric_algo {
 Some(sa) => {
- write!(f, "{}:{}", <u8>::from(sa), hex::encode(&self.session_key))
+ write!(f, "{}:{}", <u8>::from(sa), hex::encode(&sk.session_key))
 }
- None => write!(f, "{}", hex::encode(&self.session_key)),
+ None => write!(f, "{}", hex::encode(&sk.session_key)),
 }
 }
 } |
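Review bot: The new doc comment on `CliSessionKeyDisplay` has a typo in the line `+/// will hopefully reduce that the chance that the session key is inadvertently`; it should read `/// will hopefully reduce the chance that the session key is inadvertently`. Two style nits in the same hunk: the empty line added directly after `impl CliSessionKey {` is not what rustfmt produces, and the lifetime on the trait impl can be elided as `impl std::fmt::Display for CliSessionKeyDisplay<'_> {`. Leaving `Debug` off `CliSessionKeyDisplay` is the right call, since it means `{:?}` on the wrapper fails to compile rather than printing the key; a one-line doc note such as `/// Deliberately does not implement `Debug`: the only way to format the key is `{}` on this wrapper.` would record that this is intentional.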