added option -X

2025-12-17 03:50:57 +01:00 · 2015-05-30 11:11:20 +02:00
parent d1bc54de01
commit 65d039501d
20 changed files with 755 additions and 549 deletions
--- a/2
+++ b/2
@@ -46,6 +46,8 @@ NEXT
 	to older pcp versions, but is more portable and
 	removes to burden to keep this code up to date.
 	added option -X (read passphrase from file).
 0.2.4	fixed compiler macro misplacement (github#4).
 	fixed invalid free (github#5).
--- a/56
+++ b/56
@@ -2,3 +2,59 @@
 ./configure --disable-debug
 make LDFLAGS="-all-static -s"
 = choosing a strong passphrase =
 A passphrase like Ahc<e3% is not really secure. First
 it's difficult to memorize, second it's easy for a computer
 to compute. The better aproach is to use a passphrase 
 you can easily momorize and which is hard for a computer
 to compute (i.e. to guess) like: Phantom orchestra boredom popcorn.
 Read [1] to learn more.
 Pcp doesn't enforce a password policy nor does it check
 the password quality. Use something like pwqcheck [2].
 = supply password non-interactively without blocking stdin =
 Sometimes (e.g. for tests) there's no controlling terminal from
 which pcp could request a passphrase if needed. In such cases
 you can use the option -X <file> so that it reads the passphrase
 from that file.
 However if you call -X - then it will read the passphrase from
 stdin. But what if the data to be processed shall be read from
 stdin as well?
 Use a pipe:
 mkfifo /tmp/pwpipe
 chmod 600 /tmp/pwpipe
 export HISTIGNORE=printf
 printf "%s\n", "password" > /tmp/pwpipe &
 cat cleartext | pcp1 -e -O output -X /tmp/pwpipe
 rm -f /tmp/pwpipe
 So, what happens here? We create a named pipe in /tmp/pwpipe and
 print the passphrase into it. We use printf, because this is a
 shell built-in and does not appear in any process listing or
 process accounting. But note the '&' after the printf command:
 we're sending it into the background. Why? Because a named pipe
 is a real simple device. It blocks writing if there's no reader
 and it blocks reading if there's no writer. So in our case we
 put the passphrase into it, but the printf command will be blocked
 until some other process reads it from the pipe, which is precisely
 what happens in the next line. Pcp uses the pipe (because of -X),
 reads the passphrase from there and proceeds with it's normal
 business. Meanwhile the printf command exits.
 [1]
 https://firstlook.org/theintercept/2015/03/26/passphrases-can-memorize-attackers-cant-guess/
 [2]
 http://www.openwall.com/passwdqc/
--- a/33
+++ b/33
@@ -65,7 +65,38 @@ QUICKSTART
    just sick of Alice and Bob. We're running NSA-free, so we're using other
    sample names as well.
-INSTALLATION
+FILES AND PIPES
    Pcp behaves like any other unix tool. If not otherwise specified it will
    read input from standard input (STDIN) and print output to standard
    output (STDOUT). For instance:
     pcp1 -e -O output
    will read the text to be encrypted from standard input, because -I has
    not been specified. It works the same with -O:
     pcp1 -e -I myfile
    In this case the encrypted result will be written to standard output.
    Therefore it is possible to use pcp within pipes. Another more realistic
    example:
     ssh remote cat file | pcp1 -ez | mailx -s 'as requested' bob@somewhere
    here we encrypt a file symmetrically without downloading it from a
    remote ssh server and sending the encrypted result via email to someone.
    The behavior is the same with any other functionality where files are
    involved like importing or exporting keys. However, there's one
    exception: If the option -X (--password-file) has been used and is set
    to -, then this will take precedence over any other possible use of
    standard input. So if you want to encrypt something and don't specify an
    input file you cannot use -X -, and vice versa. IF you use -X - the
    passphrase will be read from standard input, which then can't be used
    further for input files elsewhere. Pcp will exit with an error in such a
    case. =head1 INSTALLATION
    There are currently no packages available, so pcp has to be compiled
    from source. Follow these steps:
--- a/README.pod
+++ b/README.pod
@@ -69,6 +69,39 @@ Oh - and if you're wondering why I named them Alicia and Bobby:
 I was just sick of Alice and Bob. We're running NSA-free, so we're
 using other sample names as well.
 =head1 FILES AND PIPES
 Pcp behaves like any other unix tool. If not otherwise specified
 it will read input from standard input (STDIN) and print output
 to standard output (STDOUT). For instance:
 pcp1 -e -O output
 will read the text to be encrypted from standard input, because B<-I>
 has not been specified. It works the same with B<-O>:
 pcp1 -e -I myfile
 In this case the encrypted result will be written to standard output.
 Therefore it is possible to use pcp within pipes. Another more
 realistic example:
 ssh remote cat file | pcp1 -ez | mailx -s 'as requested' bob@somewhere
 here we encrypt a file symmetrically without downloading it from a
 remote ssh server and sending the encrypted result via email to
 someone.
 The behavior is the same with any other functionality where files are involved
 like importing or exporting keys. However, there's one exception:
 If the option B<-X> (B<--password-file>) has been used and is set
 to B<->, then this will take precedence over any other possible use
 of standard input. So if you want to encrypt something and don't 
 specify an input file you cannot use B<-X ->, and vice versa. IF
 you use B<-X -> the passphrase will be read from standard input, which
 then can't be used further for input files elsewhere. Pcp will exit
 with an error in such a case.
 =head1 INSTALLATION
 There are currently no packages available, so B<pcp> has to be
--- a/autogen.sh
+++ b/autogen.sh
@@ -60,8 +60,7 @@ Pretty Curved Privacy - File encryption using eliptic curve cryptography.
    (cd src && ./usage.sh)
    # generate pypcp types
-    cd bindings/py
+    bindings/py/gencffi.pl include/pcp/defines.h include/pcp/structs.h include/pcp/key.h \
    ./gencffi.pl include/pcp/defines.h include/pcp/structs.h include/pcp/key.h \
 	                   include/pcp/buffer.h include/pcp/context.h \
 	                   include/pcp/ed.h include/pcp/crypto.h include/pcp/vault.h \
 	                   include/pcp/mgmt.h include/pcp/keyhash.h \
--- a/bindings/py/pypcp/raw.py
+++ b/bindings/py/pypcp/raw.py
--- a/include/pcp.h
+++ b/include/pcp.h
@@ -7,6 +7,7 @@ extern "C" {
 #include "pcp/config.h"
 #include "pcp/buffer.h"
 #include "pcp/config.h"
 #include "pcp/context.h"
 #include "pcp/crypto.h"
 #include "pcp/defines.h"
--- a/libpcp/pcpstream.c
+++ b/libpcp/pcpstream.c
@@ -1,7 +1,7 @@
 /*
    This file is part of Pretty Curved Privacy (pcp1).
-    Copyright (C) 2013-2014 T.v.Dein.
+    Copyright (C) 2013-2015 T.v.Dein.
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -39,7 +39,10 @@ Pcpstream *ps_init(void) {
 Pcpstream *ps_new_file(FILE *backendfd) {
  Pcpstream *stream = ps_init();
-  stream->fd = backendfd;
+  if(backendfd == NULL)
    stream->err = 1;
  else
    stream->fd = backendfd;
  return stream;
 }
--- a/man/options.pod
+++ b/man/options.pod
@@ -9,6 +9,10 @@
                           will be used.
 -I --infile <file>        Input file. If not specified, stdin
                           will be used.
 -X --password-file <file> Read passphrase from <file>. If <file>
                           is -, read from stdin. This takes
                           precedence over other uses of stdin
                           elsewhere, see below for more details.
 -i --keyid <id>           Specify a key id to import/export.
 -r --recipient <string>   Specify a recpipient, used for public
                           key export and encryption.
--- a/man/pcp.pod
+++ b/man/pcp.pod
@@ -69,3 +69,36 @@ Oh - and if you're wondering why I named them Alicia and Bobby:
 I was just sick of Alice and Bob. We're running NSA-free, so we're
 using other sample names as well.
 =head1 FILES AND PIPES
 Pcp behaves like any other unix tool. If not otherwise specified
 it will read input from standard input (STDIN) and print output
 to standard output (STDOUT). For instance:
 pcp1 -e -O output
 will read the text to be encrypted from standard input, because B<-I>
 has not been specified. It works the same with B<-O>:
 pcp1 -e -I myfile
 In this case the encrypted result will be written to standard output.
 Therefore it is possible to use pcp within pipes. Another more
 realistic example:
 ssh remote cat file | pcp1 -ez | mailx -s 'as requested' bob@somewhere
 here we encrypt a file symmetrically without downloading it from a
 remote ssh server and sending the encrypted result via email to
 someone.
 The behavior is the same with any other functionality where files are involved
 like importing or exporting keys. However, there's one exception:
 If the option B<-X> (B<--password-file>) has been used and is set
 to B<->, then this will take precedence over any other possible use
 of standard input. So if you want to encrypt something and don't 
 specify an input file you cannot use B<-X ->, and vice versa. IF
 you use B<-X -> the passphrase will be read from standard input, which
 then can't be used further for input files elsewhere. Pcp will exit
 with an error in such a case.
--- a/man/pcp1.1
+++ b/man/pcp1.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "PCP1 1"
-.TH PCP1 1 "2015-04-19" "PCP 0.2.6" "USER CONTRIBUTED DOCUMENTATION"
+.TH PCP1 1 "2015-05-30" "PCP 0.2.6" "USER CONTRIBUTED DOCUMENTATION"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -149,6 +149,7 @@ Pretty Curved Privacy \- File encryption using eliptic curve cryptography.
 \&  \-V \-\-vault <vaultfile>    Specify an alternate vault file.
 \&  \-O \-\-outfile <file>       Output file. STDOUT if unspecified.
 \&  \-I \-\-infile <file>        Input file. STDIN if unspecified.
 \&  \-X \-\-password\-file <file> Read passphrase from <file>.
 \&  \-i \-\-keyid <id>           Specify a key id for various operations.
 \&  \-r \-\-recipient <string>   Specify a recpipient, multiple allowed.
 \&  \-t \-\-text                 Print textual representation of ojects.
@@ -195,6 +196,10 @@ Pretty Curved Privacy \- File encryption using eliptic curve cryptography.
 \&                           will be used.
 \& \-I \-\-infile <file>        Input file. If not specified, stdin
 \&                           will be used.
 \& \-X \-\-password\-file <file> Read passphrase from <file>. If <file>
 \&                           is \-, read from stdin. This takes
 \&                           precedence over other uses of stdin
 \&                           elsewhere, see below for more details.
 \& \-i \-\-keyid <id>           Specify a key id to import/export.
 \& \-r \-\-recipient <string>   Specify a recpipient, used for public
 \&                           key export and encryption.
@@ -392,6 +397,45 @@ to actually decrypt the message.
 Oh \- and if you're wondering why I named them Alicia and Bobby:
 I was just sick of Alice and Bob. We're running NSA-free, so we're
 using other sample names as well.
 .SH "FILES AND PIPES"
 .IX Header "FILES AND PIPES"
 Pcp behaves like any other unix tool. If not otherwise specified
 it will read input from standard input (\s-1STDIN\s0) and print output
 to standard output (\s-1STDOUT\s0). For instance:
 .PP
 .Vb 1
 \& pcp1 \-e \-O output
 .Ve
 .PP
 will read the text to be encrypted from standard input, because \fB\-I\fR
 has not been specified. It works the same with \fB\-O\fR:
 .PP
 .Vb 1
 \& pcp1 \-e \-I myfile
 .Ve
 .PP
 In this case the encrypted result will be written to standard output.
 .PP
 Therefore it is possible to use pcp within pipes. Another more
 realistic example:
 .PP
 .Vb 1
 \& ssh remote cat file | pcp1 \-ez | mailx \-s \*(Aqas requested\*(Aq bob@somewhere
 .Ve
 .PP
 here we encrypt a file symmetrically without downloading it from a
 remote ssh server and sending the encrypted result via email to
 someone.
 .PP
 The behavior is the same with any other functionality where files are involved
 like importing or exporting keys. However, there's one exception:
 If the option \fB\-X\fR (\fB\-\-password\-file\fR) has been used and is set
 to \fB\-\fR, then this will take precedence over any other possible use
 of standard input. So if you want to encrypt something and don't 
 specify an input file you cannot use \fB\-X \-\fR, and vice versa. \s-1IF\s0
 you use \fB\-X \-\fR the passphrase will be read from standard input, which
 then can't be used further for input files elsewhere. Pcp will exit
 with an error in such a case.
 .SH "PCP1 KEYS"
 .IX Header "PCP1 KEYS"
 \&\fBpcp1\fR keys are stored in a binary file, called \fBthe vault\fR.
--- a/man/pcp1.pod
+++ b/man/pcp1.pod
@@ -21,6 +21,7 @@ Pretty Curved Privacy - File encryption using eliptic curve cryptography.
  -V --vault <vaultfile>    Specify an alternate vault file.
  -O --outfile <file>       Output file. STDOUT if unspecified.
  -I --infile <file>        Input file. STDIN if unspecified.
  -X --password-file <file> Read passphrase from <file>.
  -i --keyid <id>           Specify a key id for various operations.
  -r --recipient <string>   Specify a recpipient, multiple allowed.
  -t --text                 Print textual representation of ojects.
@@ -66,6 +67,10 @@ Pretty Curved Privacy - File encryption using eliptic curve cryptography.
                           will be used.
 -I --infile <file>        Input file. If not specified, stdin
                           will be used.
 -X --password-file <file> Read passphrase from <file>. If <file>
                           is -, read from stdin. This takes
                           precedence over other uses of stdin
                           elsewhere, see below for more details.
 -i --keyid <id>           Specify a key id to import/export.
 -r --recipient <string>   Specify a recpipient, used for public
                           key export and encryption.
@@ -257,6 +262,39 @@ Oh - and if you're wondering why I named them Alicia and Bobby:
 I was just sick of Alice and Bob. We're running NSA-free, so we're
 using other sample names as well.
 =head1 FILES AND PIPES
 Pcp behaves like any other unix tool. If not otherwise specified
 it will read input from standard input (STDIN) and print output
 to standard output (STDOUT). For instance:
 pcp1 -e -O output
 will read the text to be encrypted from standard input, because B<-I>
 has not been specified. It works the same with B<-O>:
 pcp1 -e -I myfile
 In this case the encrypted result will be written to standard output.
 Therefore it is possible to use pcp within pipes. Another more
 realistic example:
 ssh remote cat file | pcp1 -ez | mailx -s 'as requested' bob@somewhere
 here we encrypt a file symmetrically without downloading it from a
 remote ssh server and sending the encrypted result via email to
 someone.
 The behavior is the same with any other functionality where files are involved
 like importing or exporting keys. However, there's one exception:
 If the option B<-X> (B<--password-file>) has been used and is set
 to B<->, then this will take precedence over any other possible use
 of standard input. So if you want to encrypt something and don't 
 specify an input file you cannot use B<-X ->, and vice versa. IF
 you use B<-X -> the passphrase will be read from standard input, which
 then can't be used further for input files elsewhere. Pcp will exit
 with an error in such a case.
 =head1 PCP1 KEYS
--- a/src/encryption.c
+++ b/src/encryption.c
@@ -1,7 +1,7 @@
 /*
    This file is part of Pretty Curved Privacy (pcp1).
-    Copyright (C) 2013-2014 T.v.Dein.
+    Copyright (C) 2013-2015 T.v.Dein.
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -67,7 +67,7 @@ int pcpdecrypt(char *id, int useid, char *infile, char *outfile, char *passwd, i
      char *passphrase;
      if(passwd == NULL) {
 	pcp_readpass(&passphrase,
-		     "Enter passphrase for symetric decryption", NULL, 1);
+		     "Enter passphrase for symetric decryption", NULL, 1, NULL);
      }
      else {
 	passphrase = smalloc(strlen(passwd)+1);
@@ -100,7 +100,7 @@ int pcpdecrypt(char *id, int useid, char *infile, char *outfile, char *passwd, i
 	char *passphrase;
 	if(passwd == NULL) {
 	  pcp_readpass(&passphrase,
-		       "Enter passphrase to decrypt your secret key", NULL, 1);
+		       "Enter passphrase to decrypt your secret key", NULL, 1, NULL);
 	}
 	else {
 	  passphrase = smalloc(strlen(passwd)+1);
@@ -174,7 +174,7 @@ int pcpencrypt(char *id, char *infile, char *outfile, char *passwd, plist_t *rec
    char *passphrase;
    if(passwd == NULL) {
      pcp_readpass(&passphrase,
-                   "Enter passphrase for symetric encryption", "Repeat passphrase", 1);
+                   "Enter passphrase for symetric encryption", "Repeat passphrase", 1, NULL);
    }
    else {
      passphrase = smalloc(strlen(passwd)+1);
@@ -268,7 +268,7 @@ int pcpencrypt(char *id, char *infile, char *outfile, char *passwd, plist_t *rec
        char *passphrase;
 	if(passwd == NULL) {
          pcp_readpass(&passphrase,
-		     "Enter passphrase to decrypt your secret key", NULL, 1);
+		       "Enter passphrase to decrypt your secret key", NULL, 1, NULL);
        }
 	else {
          passphrase = smalloc(strlen(passwd)+1);
--- a/src/keymgmt.c
+++ b/src/keymgmt.c
@@ -1,7 +1,7 @@
 /*
    This file is part of Pretty Curved Privacy (pcp1).
-    Copyright (C) 2013 T.Linden.
+    Copyright (C) 2013-2015 T.Linden.
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -79,7 +79,7 @@ void pcp_keygen(char *passwd) {
  if(passwd == NULL) {
    pcp_readpass(&passphrase,
 		 "Enter passphrase for key encryption",
-		 "Enter the passphrase again", 1);
+		 "Enter the passphrase again", 1, NULL);
  }
  else {
    passphrase = ucmalloc(strlen(passwd)+1);
@@ -231,7 +231,7 @@ void pcp_exportsecret(char *keyid, int useid, char *outfile, int armor, char *pa
      if(passwd == NULL) {
 	char *passphrase;
 	pcp_readpass(&passphrase,
-		     "Enter passphrase to decrypt your secret key", NULL, 1);
+		     "Enter passphrase to decrypt your secret key", NULL, 1, NULL);
 	key = pcpkey_decrypt(ptx, key, passphrase);
 	if(key == NULL) {
 	  sfree(passphrase);
@@ -255,7 +255,8 @@ void pcp_exportsecret(char *keyid, int useid, char *outfile, int armor, char *pa
    else {
      char *passphrase;
      pcp_readpass(&passphrase,
-                  "Enter passphrase to encrypt the exported secret key", "Repeat passphrase", 1);
+                  "Enter passphrase to encrypt the exported secret key",
 		   "Repeat passphrase", 1, NULL);
      exported_sk = pcp_export_secret(ptx, key, passphrase);
      sfree(passphrase);
    }
@@ -344,7 +345,7 @@ void pcp_exportpublic(char *keyid, char *passwd, char *outfile, int format, int
    else {
      char *passphrase;
      pcp_readpass(&passphrase,
-		   "Enter passphrase to decrypt your secret key", NULL, 1);
+		   "Enter passphrase to decrypt your secret key", NULL, 1, NULL);
      sk = pcpkey_decrypt(ptx, sk, passphrase);
      sfree(passphrase);
    }
@@ -448,7 +449,7 @@ void pcpedit_key(char *keyid) {
  if(key != NULL) {
    if(key->secret[0] == 0) {
      char *passphrase;
-      pcp_readpass(&passphrase, "Enter passphrase to decrypt the key", NULL, 1);
+      pcp_readpass(&passphrase, "Enter passphrase to decrypt the key", NULL, 1, NULL);
      key = pcpkey_decrypt(ptx, key, passphrase);
      sfree(passphrase);
    }
@@ -501,7 +502,7 @@ void pcpedit_key(char *keyid) {
      char *passphrase;
      pcp_readpass(&passphrase,
 		   "Enter new passphrase for key encryption (press enter to keep current)",
-		   "Enter the passphrase again", 1);
+		   "Enter the passphrase again", 1, NULL);
      if(strnlen(passphrase, 1024) > 0) {
 	key = pcpkey_encrypt(ptx, key, passphrase);
@@ -610,7 +611,7 @@ int pcp_import (vault_t *vault, FILE *in, char *passwd) {
    else {
      char *passphrase;
      pcp_readpass(&passphrase,
-		   "Enter passphrase to decrypt the secret key file", NULL, 1);
+		   "Enter passphrase to decrypt the secret key file", NULL, 1, NULL);
      sk = pcp_import_secret(ptx, buf, bufsize, passphrase);
      sfree(passphrase);
    }
@@ -636,7 +637,7 @@ int pcp_import (vault_t *vault, FILE *in, char *passwd) {
      char *passphrase;
      pcp_readpass(&passphrase,
 		   "Enter passphrase for key encryption",
-		   "Enter the passphrase again", 1);
+		   "Enter the passphrase again", 1, NULL);
      if(strnlen(passphrase, 1024) > 0) {
 	/* encrypt the key */
--- a/src/pcp.c
+++ b/src/pcp.c
@@ -1,7 +1,7 @@
 /*
    This file is part of Pretty Curved Privacy (pcp1).
-    Copyright (C) 2013 T.Linden.
+    Copyright (C) 2013-2015 T.Linden.
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -45,8 +45,17 @@ char *default_vault() {
  return path; 
 }
 char *altin(char *infile, int stdinused) {
  if(infile == NULL && stdinused == 1) {
    fprintf(stderr, "Error: cannot use <stdin> because -X had precedence!\n");
    exit(1);
  }
  return infile;
 }
 int main (int argc, char **argv)  {
-  int opt, mode, usevault, useid, userec, lo, armor, detach, signcrypt, exportformat, anon;
+  int opt, mode, usevault, useid, userec, lo, armor, detach, \
    signcrypt, exportformat, anon, xpf;
  char *vaultfile = default_vault();
  char *outfile = NULL;
  char *infile = NULL;
@@ -54,6 +63,7 @@ int main (int argc, char **argv)  {
  char *keyid = NULL;
  char *id = NULL;
  char *xpass = NULL;
  char *xpassfile = NULL;
  char *extra = NULL;
  plist_t *recipient = NULL;
  FILE *in;
@@ -69,6 +79,7 @@ int main (int argc, char **argv)  {
  detach = 0;
  signcrypt = 0;
  anon = 0;
  xpf = 0;
  exportformat = EXP_FORMAT_NATIVE;
  ptx = ptx_new();
@@ -81,6 +92,7 @@ int main (int argc, char **argv)  {
    { "keyid",           required_argument, NULL,           'i' },
    { "text",            required_argument, NULL,           't' },
    { "xpass",           required_argument, NULL,           'x' },
    { "password-file",   required_argument, NULL,           'X' },
    { "recipient",       required_argument, NULL,           'r' },
    /*  key management */
@@ -123,7 +135,7 @@ int main (int argc, char **argv)  {
    { NULL,              0,                 NULL,            0 }
  };
-  while ((opt = getopt_long(argc, argv, "klLV:vdehsO:i:I:pSPRtEx:DzaZr:gcymf:b1F:0KAM",
+  while ((opt = getopt_long(argc, argv, "klLV:vdehsO:i:I:pSPRtEx:DzaZr:gcymf:b1F:0KAMX:",
 			    longopts, NULL)) != -1) {
    switch (opt)  {
@@ -251,13 +263,18 @@ int main (int argc, char **argv)  {
 	  strncpy(infile, optarg, strlen(optarg)+1);
 	}
 	break;
      case 'X':
 	xpassfile = ucmalloc(strlen(optarg)+1);
 	strncpy(xpassfile, optarg, strlen(optarg)+1);
 	xpf = 1;
 	break;
      case 'i':
 	keyid = ucmalloc(19);
 	strncpy(keyid, optarg, 19);
 	useid = 1;
 	break;
      case 'x':
-	xpass = ucmalloc(strlen(optarg)+1);
+	xpass = smalloc(strlen(optarg)+1);
 	strncpy(xpass, optarg, strlen(optarg)+1);
 	if(strncmp(xpass, "n/a", 3) == 0)
 	  xpass[0] = '\0';
@@ -405,6 +422,13 @@ int main (int argc, char **argv)  {
      free(extra);
  }
  if(xpassfile != NULL) {
    pcp_readpass(&xpass, "passphrase", NULL, 0, xpassfile);
    if(xpassfile[0] != '-')
      xpf = 0; 
    free(xpassfile);
  }
  /* check if there's some enviroment we could use */
  if(usevault == 1) {
    char *_vaultfile = getenv("PCP_VAULT");
@@ -453,8 +477,10 @@ int main (int argc, char **argv)  {
 	break;
      case PCP_MODE_IMPORT:
-	if(infile == NULL)
+	if(infile == NULL) {
 	  altin(NULL, xpf);
 	  in = stdin;
 	}
 	else {
 	  if((in = fopen(infile, "rb")) == NULL) {
 	    fatal(ptx, "Could not open input file %s\n", infile);
@@ -492,11 +518,11 @@ int main (int argc, char **argv)  {
 	if(useid == 1 && userec == 0) {
 	  /*  one dst, FIXME: make id a list as well */
 	  id = pcp_normalize_id(keyid);
-	  pcpencrypt(id, infile, outfile, xpass, NULL, signcrypt, armor, anon);
+	  pcpencrypt(id, altin(infile, xpf), outfile, xpass, NULL, signcrypt, armor, anon);
 	}
 	else if(useid == 0 && userec == 1) {
 	  /*  multiple dst */
-	  pcpencrypt(NULL, infile, outfile, xpass, recipient, signcrypt, armor, anon);
+	  pcpencrypt(NULL, altin(infile, xpf), outfile, xpass, recipient, signcrypt, armor, anon);
 	}
 	else {
 	  /*  -i and -r specified */
@@ -509,11 +535,11 @@ int main (int argc, char **argv)  {
 	if(useid) {
 	  id = pcp_normalize_id(keyid);
 	  if(id != NULL) {
-	    pcpdecrypt(id, useid, infile, outfile, xpass, signcrypt);
+	    pcpdecrypt(id, useid, altin(infile, xpf), outfile, xpass, signcrypt);
 	  }
 	}
 	else {
-	  pcpdecrypt(NULL, useid, infile, outfile, xpass, signcrypt);
+	  pcpdecrypt(NULL, useid, altin(infile, xpf), outfile, xpass, signcrypt);
 	}
 	break;	
@@ -522,21 +548,21 @@ int main (int argc, char **argv)  {
 	  if(outfile != NULL && sigfile != NULL)
 	    fatal(ptx, "You can't both specify -O and -f, use -O for std signatures and -f for detached ones\n");
 	  else
-	    pcpsign(infile, sigfile, xpass, armor, detach);
+	    pcpsign(altin(infile, xpf), sigfile, xpass, armor, detach);
 	}
 	else
-	  pcpsign(infile, outfile, xpass, armor, detach);
+	  pcpsign(altin(infile, xpf), outfile, xpass, armor, detach);
 	break;
      case PCP_MODE_VERIFY:
 	if(useid) {
 	  id = pcp_normalize_id(keyid);
 	  if(id != NULL) {
-	    pcpverify(infile, sigfile, id, detach);
+	    pcpverify(altin(infile, xpf), sigfile, id, detach);
 	  }
 	}
 	else {
-	  pcpverify(infile, sigfile, NULL, detach);
+	  pcpverify(altin(infile, xpf), sigfile, NULL, detach);
 	}
 	break;
@@ -564,7 +590,7 @@ int main (int argc, char **argv)  {
      break;
    case PCP_MODE_ENCRYPT_ME:
-      pcpencrypt(NULL, infile, outfile, xpass, NULL, 0, armor, 0);
+      pcpencrypt(NULL, altin(infile, xpf), outfile, xpass, NULL, 0, armor, 0);
      break;
    case PCP_MODE_TEXT:
@@ -606,7 +632,7 @@ int main (int argc, char **argv)  {
  if(sigfile != NULL)
    free(sigfile);
  if(xpass != NULL)
-    ucfree(xpass, strlen(xpass));
+    sfree(xpass);
  if(recipient != NULL)
    p_clean(recipient);
  if(id != NULL)
--- a/src/readpass.c
+++ b/src/readpass.c
@@ -40,7 +40,7 @@
 */
 int
 pcp_readpass(char ** passwd, const char * prompt,
-    const char * confirmprompt, int devtty)
+	     const char * confirmprompt, int devtty, char *readfromfile)
 {
 	FILE * readfrom;
 	char passbuf[MAXPASSLEN];
@@ -51,9 +51,27 @@ pcp_readpass(char ** passwd, const char * prompt,
 	/*
 	 * If devtty != 0, try to open /dev/tty; if that fails, or if devtty
 	 * is zero, we'll read the password from stdin instead.
 	 *
 	 * Added by tlinden: however, if readfromfile is defined, we'll
 	 * read the password from there, but if it is '-' we'll use stdin
 	 * as well.
 	 */
-	if ((devtty == 0) || ((readfrom = fopen("/dev/tty", "r")) == NULL))
+	if ((devtty == 0) || ((readfrom = fopen("/dev/tty", "r")) == NULL)) {
-		readfrom = stdin;
+	  if(readfromfile != NULL) {
 	    if(readfromfile[0] == '-') {
 	      readfrom = stdin;
 	    }
 	    else {
 	      if((readfrom = fopen(readfromfile, "r")) == NULL) {
 		fatal(ptx, "Could not open password file '%s'\n", readfromfile);
 		goto err1;
 	      }
 	    }
 	  }
 	  else {
 	    readfrom = stdin;
 	  }
 	}
 	/* If we're reading from a terminal, try to disable echo. */
 	if ((usingtty = isatty(fileno(readfrom))) != 0) {
@@ -102,20 +120,20 @@ retry:
 	if (usingtty)
 		tcsetattr(fileno(readfrom), TCSANOW, &term_old);
-	/* Close /dev/tty if we opened it. */
+	/* Close /dev/tty if we opened it.
-	if (readfrom != stdin)
+	   if readfromfile is defined and set to -, disable stdin */
-		fclose(readfrom);
+	if (readfrom != stdin) {
 	  fclose(readfrom);
 	}
 	else {
 	  if(readfromfile != NULL)
 	    stdin = NULL;
 	}
 	/* Copy the password out. */
 	char *p = smalloc(strlen(passbuf) + 1);
 	memcpy(p, passbuf, strlen(passbuf) + 1 );
 	*passwd = p;
 	/*
 	if ((*passwd = strdup(passbuf)) == NULL) {
 		fatal(ptx, "Cannot allocate memory\n");
 		goto err1;
 	}
 	*/
 	/* Zero any stored passwords. */
 	memset(passbuf, 0, MAXPASSLEN);
--- a/src/readpass.h
+++ b/src/readpass.h
@@ -52,6 +52,6 @@
 * ${passwd}.  The obscure name is to avoid namespace collisions due to the
 * getpass / readpass / readpassphrase / etc. functions in various libraries.
 */
-int pcp_readpass(char **, const char *, const char *, int);
+int pcp_readpass(char **, const char *, const char *, int, char *);
 #endif /* !_READPASS_H_ */
--- a/src/signature.c
+++ b/src/signature.c
@@ -1,7 +1,7 @@
 /*
    This file is part of Pretty Curved Privacy (pcp1).
-    Copyright (C) 2013 T.Linden.
+    Copyright (C) 2013-2015 T.Linden.
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -59,7 +59,7 @@ int pcpsign(char *infile, char *outfile, char *passwd, int z85, int detach) {
    char *passphrase;
    if(passwd == NULL) {
      pcp_readpass(&passphrase,
-		   "Enter passphrase to decrypt your secret key", NULL, 1);
+		   "Enter passphrase to decrypt your secret key", NULL, 1, NULL);
    }
    else {
      passphrase = smalloc(strlen(passwd)+1);
--- a/src/usage.h
+++ b/src/usage.h
@@ -16,6 +16,7 @@
 "-V --vault <vaultfile>    Specify an alternate vault file.\n" \
 "-O --outfile <file>       Output file. STDOUT if unspecified.\n" \
 "-I --infile <file>        Input file. STDIN if unspecified.\n" \
 "-X --password-file <file> Read passphrase from <file>.\n" \
 "-i --keyid <id>           Specify a key id for various operations.\n" \
 "-r --recipient <string>   Specify a recpipient, multiple allowed.\n" \
 "-t --text                 Print textual representation of ojects.\n" \
--- a/src/usage.txt
+++ b/src/usage.txt
@@ -14,6 +14,7 @@ General Options:
 -V --vault <vaultfile>    Specify an alternate vault file.
 -O --outfile <file>       Output file. STDOUT if unspecified.
 -I --infile <file>        Input file. STDIN if unspecified.
 -X --password-file <file> Read passphrase from <file>.
 -i --keyid <id>           Specify a key id for various operations.
 -r --recipient <string>   Specify a recpipient, multiple allowed.
 -t --text                 Print textual representation of ojects.