search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fixed EOF detection for encrypted packets.
[gnupg.git] / g10 / encr-data.c
blobde26d0a4b4f0f66cccda1640036d12da9953ce49
1 /* encr-data.c - process an encrypted data packet
2 * Copyright (C) 1998, 1999, 2000, 2001, 2005,
3 * 2006, 2009 Free Software Foundation, Inc.
4 *
5 * This file is part of GnuPG.
6 *
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include <config.h>
22 #include <stdio.h>
23 #include <stdlib.h>
24 #include <string.h>
25 #include <assert.h>
26
27 #include "gpg.h"
28 #include "util.h"
29 #include "packet.h"
30 #include "cipher.h"
31 #include "options.h"
32 #include "i18n.h"
33
34
35 static int mdc_decode_filter ( void *opaque, int control, IOBUF a,
36 byte *buf, size_t *ret_len);
37 static int decode_filter ( void *opaque, int control, IOBUF a,
38 byte *buf, size_t *ret_len);
39
40 typedef struct decode_filter_context_s
41 {
42 gcry_cipher_hd_t cipher_hd;
43 gcry_md_hd_t mdc_hash;
44 char defer[22];
45 int defer_filled;
46 int eof_seen;
47 int refcount;
48 int partial; /* Working on a partial length packet. */
49 size_t length; /* If !partial: Remaining bytes in the packet. */
50 } *decode_filter_ctx_t;
51
52
53 /* Helper to release the decode context. */
54 static void
55 release_dfx_context (decode_filter_ctx_t dfx)
56 {
57 if (!dfx)
58 return;
59
60 assert (dfx->refcount);
61 if ( !--dfx->refcount )
62 {
63 gcry_cipher_close (dfx->cipher_hd);
64 dfx->cipher_hd = NULL;
65 gcry_md_close (dfx->mdc_hash);
66 dfx->mdc_hash = NULL;
67 xfree (dfx);
68 }
69 }
70
71
72
73 /****************
74 * Decrypt the data, specified by ED with the key DEK.
75 */
76 int
77 decrypt_data( void *procctx, PKT_encrypted *ed, DEK *dek )
78 {
79 decode_filter_ctx_t dfx;
80 byte *p;
81 int rc=0, c, i;
82 byte temp[32];
83 unsigned blocksize;
84 unsigned nprefix;
85
86 dfx = xtrycalloc (1, sizeof *dfx);
87 if (!dfx)
88 return gpg_error_from_syserror ();
89 dfx->refcount = 1;
90
91 if ( opt.verbose && !dek->algo_info_printed )
92 {
93 if (!openpgp_cipher_test_algo (dek->algo))
94 log_info (_("%s encrypted data\n"),
95 openpgp_cipher_algo_name (dek->algo));
96 else
97 log_info (_("encrypted with unknown algorithm %d\n"), dek->algo );
98 dek->algo_info_printed = 1;
99 }
100 rc = openpgp_cipher_test_algo (dek->algo);
101 if (rc)
102 goto leave;
103 blocksize = openpgp_cipher_get_algo_blklen (dek->algo);
104 if ( !blocksize || blocksize > 16 )
105 log_fatal ("unsupported blocksize %u\n", blocksize );
106 nprefix = blocksize;
107 if ( ed->len && ed->len < (nprefix+2) )
108 BUG();
109
110 if ( ed->mdc_method )
111 {
112 if (gcry_md_open (&dfx->mdc_hash, ed->mdc_method, 0 ))
113 BUG ();
114 if ( DBG_HASHING )
115 gcry_md_start_debug (dfx->mdc_hash, "checkmdc");
116 }
117
118 rc = openpgp_cipher_open (&dfx->cipher_hd, dek->algo,
119 GCRY_CIPHER_MODE_CFB,
120 (GCRY_CIPHER_SECURE
121 | ((ed->mdc_method || dek->algo >= 100)?
122 0 : GCRY_CIPHER_ENABLE_SYNC)));
123 if (rc)
124 {
125 /* We should never get an error here cause we already checked
126 * that the algorithm is available. */
127 BUG();
128 }
129
130
131 /* log_hexdump( "thekey", dek->key, dek->keylen );*/
132 rc = gcry_cipher_setkey (dfx->cipher_hd, dek->key, dek->keylen);
133 if ( gpg_err_code (rc) == GPG_ERR_WEAK_KEY )
134 {
135 log_info(_("WARNING: message was encrypted with"
136 " a weak key in the symmetric cipher.\n"));
137 rc=0;
138 }
139 else if( rc )
140 {
141 log_error("key setup failed: %s\n", g10_errstr(rc) );
142 goto leave;
143 }
144
145 if (!ed->buf)
146 {
147 log_error(_("problem handling encrypted packet\n"));
148 goto leave;
149 }
150
151 gcry_cipher_setiv (dfx->cipher_hd, NULL, 0);
152
153 if ( ed->len )
154 {
155 for (i=0; i < (nprefix+2) && ed->len; i++, ed->len-- )
156 {
157 if ( (c=iobuf_get(ed->buf)) == -1 )
158 break;
159 else
160 temp[i] = c;
161 }
162 }
163 else
164 {
165 for (i=0; i < (nprefix+2); i++ )
166 if ( (c=iobuf_get(ed->buf)) == -1 )
167 break;
168 else
169 temp[i] = c;
170 }
171
172 gcry_cipher_decrypt (dfx->cipher_hd, temp, nprefix+2, NULL, 0);
173 gcry_cipher_sync (dfx->cipher_hd);
174 p = temp;
175 /* log_hexdump( "prefix", temp, nprefix+2 ); */
176 if (dek->symmetric
177 && (p[nprefix-2] != p[nprefix] || p[nprefix-1] != p[nprefix+1]) )
178 {
179 rc = gpg_error (GPG_ERR_BAD_KEY);
180 goto leave;
181 }
182
183 if ( dfx->mdc_hash )
184 gcry_md_write (dfx->mdc_hash, temp, nprefix+2);
185
186 dfx->refcount++;
187 dfx->partial = ed->is_partial;
188 dfx->length = ed->len;
189 if ( ed->mdc_method )
190 iobuf_push_filter ( ed->buf, mdc_decode_filter, dfx );
191 else
192 iobuf_push_filter ( ed->buf, decode_filter, dfx );
193
194 proc_packets ( procctx, ed->buf );
195 ed->buf = NULL;
196 if (dfx->eof_seen > 1 )
197 rc = gpg_error (GPG_ERR_INV_PACKET);
198 else if ( ed->mdc_method )
199 {
200 /* We used to let parse-packet.c handle the MDC packet but this
201 turned out to be a problem with compressed packets: With old
202 style packets there is no length information available and
203 the decompressor uses an implicit end. However we can't know
204 this implicit end beforehand (:-) and thus may feed the
205 decompressor with more bytes than actually needed. It would
206 be possible to unread the extra bytes but due to our weird
207 iobuf system any unread is non reliable due to filters
208 already popped off. The easy and sane solution is to care
209 about the MDC packet only here and never pass it to the
210 packet parser. Fortunatley the OpenPGP spec requires a
211 strict format for the MDC packet so that we know that 22
212 bytes are appended. */
213 int datalen = gcry_md_get_algo_dlen (ed->mdc_method);
214
215 assert (dfx->cipher_hd);
216 assert (dfx->mdc_hash);
217 gcry_cipher_decrypt (dfx->cipher_hd, dfx->defer, 22, NULL, 0);
218 gcry_md_write (dfx->mdc_hash, dfx->defer, 2);
219 gcry_md_final (dfx->mdc_hash);
220
221 if (dfx->defer[0] != '\xd3' || dfx->defer[1] != '\x14' )
222 {
223 log_error("mdc_packet with invalid encoding\n");
224 rc = gpg_error (GPG_ERR_INV_PACKET);
225 }
226 else if (datalen != 20
227 || memcmp (gcry_md_read (dfx->mdc_hash, 0),
228 dfx->defer+2,datalen ))
229 rc = gpg_error (GPG_ERR_BAD_SIGNATURE);
230 /* log_printhex("MDC message:", dfx->defer, 22); */
231 /* log_printhex("MDC calc:", gcry_md_read (dfx->mdc_hash,0), datalen); */
232 }
233
234
235 leave:
236 release_dfx_context (dfx);
237 return rc;
238 }
239
240
241
242 static int
243 mdc_decode_filter (void *opaque, int control, IOBUF a,
244 byte *buf, size_t *ret_len)
245 {
246 decode_filter_ctx_t dfx = opaque;
247 size_t n, size = *ret_len;
248 int rc = 0;
249 int c;
250
251 /* Note: We need to distinguish between a partial and a fixed length
252 packet. The first is the usual case as created by GPG. However
253 for short messages the format degrades to a fixed length packet
254 and other implementations might use fixed length as well. Only
255 looking for the EOF on fixed data works only if the encrypted
256 packet is not followed by other data. This used to be a long
257 standing bug which was fixed on 2009-10-02. */
258
259 if ( control == IOBUFCTRL_UNDERFLOW && dfx->eof_seen )
260 {
261 *ret_len = 0;
262 rc = -1;
263 }
264 else if( control == IOBUFCTRL_UNDERFLOW )
265 {
266 assert (a);
267 assert (size > 44); /* Our code requires at least this size. */
268
269 /* Get at least 22 bytes and put it ahead in the buffer. */
270 if (dfx->partial)
271 {
272 for (n=22; n < 44; n++)
273 {
274 if ( (c = iobuf_get(a)) == -1 )
275 break;
276 buf[n] = c;
277 }
278 }
279 else
280 {
281 for (n=22; n < 44 && dfx->length; n++, dfx->length--)
282 {
283 c = iobuf_get (a);
284 if (c == -1)
285 break; /* Premature EOF. */
286 buf[n] = c;
287 }
288 }
289 if (n == 44)
290 {
291 /* We have enough stuff - flush the deferred stuff. */
292 if ( !dfx->defer_filled ) /* First time. */
293 {
294 memcpy (buf, buf+22, 22);
295 n = 22;
296 }
297 else
298 {
299 memcpy (buf, dfx->defer, 22);
300 }
301 /* Fill up the buffer. */
302 if (dfx->partial)
303 {
304 for (; n < size; n++ )
305 {
306 if ( (c = iobuf_get(a)) == -1 )
307 {
308 dfx->eof_seen = 1; /* Normal EOF. */
309 break;
310 }
311 buf[n] = c;
312 }
313 }
314 else
315 {
316 for (; n < size && dfx->length; n++, dfx->length--)
317 {
318 c = iobuf_get(a);
319 if (c == -1)
320 {
321 dfx->eof_seen = 3; /* Premature EOF. */
322 break;
323 }
324 buf[n] = c;
325 }
326 if (!dfx->length)
327 dfx->eof_seen = 1; /* Normal EOF. */
328 }
329
330 /* Move the trailing 22 bytes back to the defer buffer. We
331 have at least 44 bytes thus a memmove is not needed. */
332 n -= 22;
333 memcpy (dfx->defer, buf+n, 22 );
334 dfx->defer_filled = 1;
335 }
336 else if ( !dfx->defer_filled ) /* EOF seen but empty defer buffer. */
337 {
338 /* This is bad because it means an incomplete hash. */
339 n -= 22;
340 memcpy (buf, buf+22, n );
341 dfx->eof_seen = 2; /* EOF with incomplete hash. */
342 }
343 else /* EOF seen (i.e. read less than 22 bytes). */
344 {
345 memcpy (buf, dfx->defer, 22 );
346 n -= 22;
347 memcpy (dfx->defer, buf+n, 22 );
348 dfx->eof_seen = 1; /* Normal EOF. */
349 }
350
351 if ( n )
352 {
353 if ( dfx->cipher_hd )
354 gcry_cipher_decrypt (dfx->cipher_hd, buf, n, NULL, 0);
355 if ( dfx->mdc_hash )
356 gcry_md_write (dfx->mdc_hash, buf, n);
357 }
358 else
359 {
360 assert ( dfx->eof_seen );
361 rc = -1; /* Return EOF. */
362 }
363 *ret_len = n;
364 }
365 else if ( control == IOBUFCTRL_FREE )
366 {
367 release_dfx_context (dfx);
368 }
369 else if ( control == IOBUFCTRL_DESC )
370 {
371 *(char**)buf = "mdc_decode_filter";
372 }
373 return rc;
374 }
375
376
377 static int
378 decode_filter( void *opaque, int control, IOBUF a, byte *buf, size_t *ret_len)
379 {
380 decode_filter_ctx_t fc = opaque;
381 size_t size = *ret_len;
382 size_t n;
383 int c, rc = 0;
384
385
386 if ( control == IOBUFCTRL_UNDERFLOW && fc->eof_seen )
387 {
388 *ret_len = 0;
389 rc = -1;
390 }
391 else if ( control == IOBUFCTRL_UNDERFLOW )
392 {
393 assert(a);
394
395 if (fc->partial)
396 {
397 for (n=0; n < size; n++ )
398 {
399 c = iobuf_get(a);
400 if (c == -1)
401 {
402 fc->eof_seen = 1; /* Normal EOF. */
403 break;
404 }
405 buf[n] = c;
406 }
407 }
408 else
409 {
410 for (n=0; n < size && fc->length; n++, fc->length--)
411 {
412 c = iobuf_get(a);
413 if (c == -1)
414 {
415 fc->eof_seen = 3; /* Premature EOF. */
416 break;
417 }
418 buf[n] = c;
419 }
420 if (!fc->length)
421 fc->eof_seen = 1; /* Normal EOF. */
422 }
423 if (n)
424 {
425 if (fc->cipher_hd)
426 gcry_cipher_decrypt (fc->cipher_hd, buf, n, NULL, 0);
427 }
428 else
429 {
430 if (!fc->eof_seen)
431 fc->eof_seen = 1;
432 rc = -1; /* Return EOF. */
433 }
434 *ret_len = n;
435 }
436 else if ( control == IOBUFCTRL_FREE )
437 {
438 release_dfx_context (fc);
439 }
440 else if ( control == IOBUFCTRL_DESC )
441 {
442 *(char**)buf = "decode_filter";
443 }
444 return rc;
445 }
446
gnupg svn clone