core: Blank out the plaintext after decryption failure.
* src/data.h (data_prop_t): New enum. (struct gpgme_data): Add field propidx. * src/data.c (property_t): New. (property_table, property_table_size, property_table_lock): New. (insert_into_property_table): New. (remove_from_property_table): New. (_gpgme_data_get_dserial): New. (_gpgme_data_set_prop): New. (_gpgme_data_get_prop): New. (_gpgme_data_new): Connect new object to property_table. (_gpgme_data_release): Remove from property_table. (gpgme_data_read): With DATA_PROP_BLANKOUT set don't fill the buffer. * src/data-mem.c (gpgme_data_release_and_get_mem): Likewise. * src/decrypt.c (struct op_data): Add field plaintext_dserial. (_gpgme_op_decrypt_init_result): Add arg plaintext and init new field. (_gpgme_decrypt_status_handler): Set DATA_PROP_BLANKOUT on decryption failure. (_gpgme_decrypt_start): Pass PLAIN to the init function. * src/decrypt-verify.c (decrypt_verify_start): Ditto. * configure.ac: Check for stdint.h and bail out if uint64_t is not available.
This is a best effort feature to not output plaintext after a
decryption failure (e.g. due to no or broken authenticated
encryption). It always work when using a memory object and reading it
after the decryption but it can't work reliable when the user is
reading from the data object while the decryption process is still
running.
This is quite a large change because the data objects and the context
objects are allowed to be owned by different threads. Thus a
synchronization is needed and we do this with a global table of all
data objects to which the context objects can do soft-linking via a
unique data object serial number.
- Signed-off-by: Werner Koch <wk@gnupg.org>