1 /* decrypt-data.c - Decrypt an encrypted data packet
2 * Copyright (C) 1998, 1999, 2000, 2001, 2005,
3 * 2006, 2009 Free Software Foundation, Inc.
5 * This file is part of GnuPG.
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <https://www.gnu.org/licenses/>.
34 static int mdc_decode_filter ( void *opaque, int control, IOBUF a,
35 byte *buf, size_t *ret_len);
36 static int decode_filter ( void *opaque, int control, IOBUF a,
37 byte *buf, size_t *ret_len);
39 typedef struct decode_filter_context_s
41 gcry_cipher_hd_t cipher_hd;
42 gcry_md_hd_t mdc_hash;
47 int partial; /* Working on a partial length packet. */
48 size_t length; /* If !partial: Remaining bytes in the packet. */
49 } *decode_filter_ctx_t;
52 /* Helper to release the decode context. */
54 release_dfx_context (decode_filter_ctx_t dfx)
59 log_assert (dfx->refcount);
60 if ( !--dfx->refcount )
62 gcry_cipher_close (dfx->cipher_hd);
63 dfx->cipher_hd = NULL;
64 gcry_md_close (dfx->mdc_hash);
73 * Decrypt the data, specified by ED with the key DEK.
76 decrypt_data (ctrl_t ctrl, void *procctx, PKT_encrypted *ed, DEK *dek)
78 decode_filter_ctx_t dfx;
85 dfx = xtrycalloc (1, sizeof *dfx);
87 return gpg_error_from_syserror ();
90 if ( opt.verbose && !dek->algo_info_printed )
92 if (!openpgp_cipher_test_algo (dek->algo))
93 log_info (_("%s encrypted data\n"),
94 openpgp_cipher_algo_name (dek->algo));
96 log_info (_("encrypted with unknown algorithm %d\n"), dek->algo );
97 dek->algo_info_printed = 1;
103 snprintf (buf, sizeof buf, "%d %d", ed->mdc_method, dek->algo);
104 write_status_text (STATUS_DECRYPTION_INFO, buf);
107 if (opt.show_session_key)
112 snprintf (numbuf, sizeof numbuf, "%d:", dek->algo);
113 hexbuf = bin2hex (dek->key, dek->keylen, NULL);
116 rc = gpg_error_from_syserror ();
119 log_info ("session key: '%s%s'\n", numbuf, hexbuf);
120 write_status_strings (STATUS_SESSION_KEY, numbuf, hexbuf, NULL);
124 rc = openpgp_cipher_test_algo (dek->algo);
127 blocksize = openpgp_cipher_get_algo_blklen (dek->algo);
128 if ( !blocksize || blocksize > 16 )
129 log_fatal ("unsupported blocksize %u\n", blocksize );
131 if ( ed->len && ed->len < (nprefix+2) )
133 /* An invalid message. We can't check that during parsing
134 because we may not know the used cipher then. */
135 rc = gpg_error (GPG_ERR_INV_PACKET);
139 if ( ed->mdc_method )
141 if (gcry_md_open (&dfx->mdc_hash, ed->mdc_method, 0 ))
144 gcry_md_debug (dfx->mdc_hash, "checkmdc");
147 rc = openpgp_cipher_open (&dfx->cipher_hd, dek->algo,
148 GCRY_CIPHER_MODE_CFB,
150 | ((ed->mdc_method || dek->algo >= 100)?
151 0 : GCRY_CIPHER_ENABLE_SYNC)));
154 /* We should never get an error here cause we already checked
155 * that the algorithm is available. */
160 /* log_hexdump( "thekey", dek->key, dek->keylen );*/
161 rc = gcry_cipher_setkey (dfx->cipher_hd, dek->key, dek->keylen);
162 if ( gpg_err_code (rc) == GPG_ERR_WEAK_KEY )
164 log_info(_("WARNING: message was encrypted with"
165 " a weak key in the symmetric cipher.\n"));
170 log_error("key setup failed: %s\n", gpg_strerror (rc) );
176 log_error(_("problem handling encrypted packet\n"));
180 gcry_cipher_setiv (dfx->cipher_hd, NULL, 0);
184 for (i=0; i < (nprefix+2) && ed->len; i++, ed->len-- )
186 if ( (c=iobuf_get(ed->buf)) == -1 )
194 for (i=0; i < (nprefix+2); i++ )
195 if ( (c=iobuf_get(ed->buf)) == -1 )
201 gcry_cipher_decrypt (dfx->cipher_hd, temp, nprefix+2, NULL, 0);
202 gcry_cipher_sync (dfx->cipher_hd);
204 /* log_hexdump( "prefix", temp, nprefix+2 ); */
206 && (p[nprefix-2] != p[nprefix] || p[nprefix-1] != p[nprefix+1]) )
208 rc = gpg_error (GPG_ERR_BAD_KEY);
213 gcry_md_write (dfx->mdc_hash, temp, nprefix+2);
216 dfx->partial = ed->is_partial;
217 dfx->length = ed->len;
218 if ( ed->mdc_method )
219 iobuf_push_filter ( ed->buf, mdc_decode_filter, dfx );
221 iobuf_push_filter ( ed->buf, decode_filter, dfx );
223 if (opt.unwrap_encryption)
227 rc = get_output_file ("", 0, ed->buf, &filename, &fp);
230 iobuf_t output = iobuf_esopen (fp, "w", 0);
231 armor_filter_context_t *afx = NULL;
235 afx = new_armor_context ();
236 push_armor_filter (afx, output);
239 iobuf_copy (output, ed->buf);
240 if ((rc = iobuf_error (ed->buf)))
241 log_error (_("error reading '%s': %s\n"),
242 filename, gpg_strerror (rc));
243 else if ((rc = iobuf_error (output)))
244 log_error (_("error writing '%s': %s\n"),
245 filename, gpg_strerror (rc));
247 iobuf_close (output);
249 release_armor_context (afx);
253 proc_packets (ctrl, procctx, ed->buf );
256 if (dfx->eof_seen > 1 )
257 rc = gpg_error (GPG_ERR_INV_PACKET);
258 else if ( ed->mdc_method )
260 /* We used to let parse-packet.c handle the MDC packet but this
261 turned out to be a problem with compressed packets: With old
262 style packets there is no length information available and
263 the decompressor uses an implicit end. However we can't know
264 this implicit end beforehand (:-) and thus may feed the
265 decompressor with more bytes than actually needed. It would
266 be possible to unread the extra bytes but due to our weird
267 iobuf system any unread is non reliable due to filters
268 already popped off. The easy and sane solution is to care
269 about the MDC packet only here and never pass it to the
270 packet parser. Fortunatley the OpenPGP spec requires a
271 strict format for the MDC packet so that we know that 22
272 bytes are appended. */
273 int datalen = gcry_md_get_algo_dlen (ed->mdc_method);
275 log_assert (dfx->cipher_hd);
276 log_assert (dfx->mdc_hash);
277 gcry_cipher_decrypt (dfx->cipher_hd, dfx->defer, 22, NULL, 0);
278 gcry_md_write (dfx->mdc_hash, dfx->defer, 2);
279 gcry_md_final (dfx->mdc_hash);
281 if ( dfx->defer[0] != '\xd3'
282 || dfx->defer[1] != '\x14'
284 || memcmp (gcry_md_read (dfx->mdc_hash, 0), dfx->defer+2, datalen))
285 rc = gpg_error (GPG_ERR_BAD_SIGNATURE);
286 /* log_printhex("MDC message:", dfx->defer, 22); */
287 /* log_printhex("MDC calc:", gcry_md_read (dfx->mdc_hash,0), datalen); */
292 release_dfx_context (dfx);
299 mdc_decode_filter (void *opaque, int control, IOBUF a,
300 byte *buf, size_t *ret_len)
302 decode_filter_ctx_t dfx = opaque;
303 size_t n, size = *ret_len;
307 /* Note: We need to distinguish between a partial and a fixed length
308 packet. The first is the usual case as created by GPG. However
309 for short messages the format degrades to a fixed length packet
310 and other implementations might use fixed length as well. Only
311 looking for the EOF on fixed data works only if the encrypted
312 packet is not followed by other data. This used to be a long
313 standing bug which was fixed on 2009-10-02. */
315 if ( control == IOBUFCTRL_UNDERFLOW && dfx->eof_seen )
320 else if( control == IOBUFCTRL_UNDERFLOW )
323 log_assert (size > 44); /* Our code requires at least this size. */
325 /* Get at least 22 bytes and put it ahead in the buffer. */
328 for (n=22; n < 44; n++)
330 if ( (c = iobuf_get(a)) == -1 )
337 for (n=22; n < 44 && dfx->length; n++, dfx->length--)
341 break; /* Premature EOF. */
347 /* We have enough stuff - flush the deferred stuff. */
348 if ( !dfx->defer_filled ) /* First time. */
350 memcpy (buf, buf+22, 22);
355 memcpy (buf, dfx->defer, 22);
357 /* Fill up the buffer. */
360 for (; n < size; n++ )
362 if ( (c = iobuf_get(a)) == -1 )
364 dfx->eof_seen = 1; /* Normal EOF. */
372 for (; n < size && dfx->length; n++, dfx->length--)
377 dfx->eof_seen = 3; /* Premature EOF. */
383 dfx->eof_seen = 1; /* Normal EOF. */
386 /* Move the trailing 22 bytes back to the defer buffer. We
387 have at least 44 bytes thus a memmove is not needed. */
389 memcpy (dfx->defer, buf+n, 22 );
390 dfx->defer_filled = 1;
392 else if ( !dfx->defer_filled ) /* EOF seen but empty defer buffer. */
394 /* This is bad because it means an incomplete hash. */
396 memcpy (buf, buf+22, n );
397 dfx->eof_seen = 2; /* EOF with incomplete hash. */
399 else /* EOF seen (i.e. read less than 22 bytes). */
401 memcpy (buf, dfx->defer, 22 );
403 memcpy (dfx->defer, buf+n, 22 );
404 dfx->eof_seen = 1; /* Normal EOF. */
409 if ( dfx->cipher_hd )
410 gcry_cipher_decrypt (dfx->cipher_hd, buf, n, NULL, 0);
412 gcry_md_write (dfx->mdc_hash, buf, n);
416 log_assert ( dfx->eof_seen );
417 rc = -1; /* Return EOF. */
421 else if ( control == IOBUFCTRL_FREE )
423 release_dfx_context (dfx);
425 else if ( control == IOBUFCTRL_DESC )
427 mem2str (buf, "mdc_decode_filter", *ret_len);
434 decode_filter( void *opaque, int control, IOBUF a, byte *buf, size_t *ret_len)
436 decode_filter_ctx_t fc = opaque;
437 size_t size = *ret_len;
442 if ( control == IOBUFCTRL_UNDERFLOW && fc->eof_seen )
447 else if ( control == IOBUFCTRL_UNDERFLOW )
453 for (n=0; n < size; n++ )
458 fc->eof_seen = 1; /* Normal EOF. */
466 for (n=0; n < size && fc->length; n++, fc->length--)
471 fc->eof_seen = 3; /* Premature EOF. */
477 fc->eof_seen = 1; /* Normal EOF. */
482 gcry_cipher_decrypt (fc->cipher_hd, buf, n, NULL, 0);
488 rc = -1; /* Return EOF. */
492 else if ( control == IOBUFCTRL_FREE )
494 release_dfx_context (fc);
496 else if ( control == IOBUFCTRL_DESC )
498 mem2str (buf, "decode_filter", *ret_len);