1 /* decrypt-data.c - Decrypt an encrypted data packet
2 * Copyright (C) 1998, 1999, 2000, 2001, 2005,
3 * 2006, 2009 Free Software Foundation, Inc.
5 * This file is part of GnuPG.
7 * GnuPG is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * GnuPG is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <https://www.gnu.org/licenses/>.
34 static int mdc_decode_filter ( void *opaque, int control, IOBUF a,
35 byte *buf, size_t *ret_len);
36 static int decode_filter ( void *opaque, int control, IOBUF a,
37 byte *buf, size_t *ret_len);
39 typedef struct decode_filter_context_s
41 gcry_cipher_hd_t cipher_hd;
42 gcry_md_hd_t mdc_hash;
47 int partial; /* Working on a partial length packet. */
48 size_t length; /* If !partial: Remaining bytes in the packet. */
49 } *decode_filter_ctx_t;
52 /* Helper to release the decode context. */
54 release_dfx_context (decode_filter_ctx_t dfx)
59 log_assert (dfx->refcount);
60 if ( !--dfx->refcount )
62 gcry_cipher_close (dfx->cipher_hd);
63 dfx->cipher_hd = NULL;
64 gcry_md_close (dfx->mdc_hash);
73 * Decrypt the data, specified by ED with the key DEK.
76 decrypt_data (ctrl_t ctrl, void *procctx, PKT_encrypted *ed, DEK *dek)
78 decode_filter_ctx_t dfx;
85 dfx = xtrycalloc (1, sizeof *dfx);
87 return gpg_error_from_syserror ();
90 if ( opt.verbose && !dek->algo_info_printed )
92 if (!openpgp_cipher_test_algo (dek->algo))
93 log_info (_("%s encrypted data\n"),
94 openpgp_cipher_algo_name (dek->algo));
96 log_info (_("encrypted with unknown algorithm %d\n"), dek->algo );
97 dek->algo_info_printed = 1;
103 snprintf (buf, sizeof buf, "%d %d", ed->mdc_method, dek->algo);
104 write_status_text (STATUS_DECRYPTION_INFO, buf);
107 if (opt.show_session_key)
112 snprintf (numbuf, sizeof numbuf, "%d:", dek->algo);
113 hexbuf = bin2hex (dek->key, dek->keylen, NULL);
116 rc = gpg_error_from_syserror ();
119 log_info ("session key: '%s%s'\n", numbuf, hexbuf);
120 write_status_strings (STATUS_SESSION_KEY, numbuf, hexbuf, NULL);
124 rc = openpgp_cipher_test_algo (dek->algo);
127 blocksize = openpgp_cipher_get_algo_blklen (dek->algo);
128 if ( !blocksize || blocksize > 16 )
129 log_fatal ("unsupported blocksize %u\n", blocksize );
131 if ( ed->len && ed->len < (nprefix+2) )
133 /* An invalid message. We can't check that during parsing
134 because we may not know the used cipher then. */
135 rc = gpg_error (GPG_ERR_INV_PACKET);
139 if ( ed->mdc_method )
141 if (gcry_md_open (&dfx->mdc_hash, ed->mdc_method, 0 ))
144 gcry_md_debug (dfx->mdc_hash, "checkmdc");
147 rc = openpgp_cipher_open (&dfx->cipher_hd, dek->algo,
148 GCRY_CIPHER_MODE_CFB,
150 | ((ed->mdc_method || dek->algo >= 100)?
151 0 : GCRY_CIPHER_ENABLE_SYNC)));
154 /* We should never get an error here cause we already checked
155 * that the algorithm is available. */
160 /* log_hexdump( "thekey", dek->key, dek->keylen );*/
161 rc = gcry_cipher_setkey (dfx->cipher_hd, dek->key, dek->keylen);
162 if ( gpg_err_code (rc) == GPG_ERR_WEAK_KEY )
164 log_info(_("WARNING: message was encrypted with"
165 " a weak key in the symmetric cipher.\n"));
170 log_error("key setup failed: %s\n", gpg_strerror (rc) );
176 log_error(_("problem handling encrypted packet\n"));
180 gcry_cipher_setiv (dfx->cipher_hd, NULL, 0);
184 for (i=0; i < (nprefix+2) && ed->len; i++, ed->len-- )
186 if ( (c=iobuf_get(ed->buf)) == -1 )
194 for (i=0; i < (nprefix+2); i++ )
195 if ( (c=iobuf_get(ed->buf)) == -1 )
201 gcry_cipher_decrypt (dfx->cipher_hd, temp, nprefix+2, NULL, 0);
202 gcry_cipher_sync (dfx->cipher_hd);
204 /* log_hexdump( "prefix", temp, nprefix+2 ); */
206 && (p[nprefix-2] != p[nprefix] || p[nprefix-1] != p[nprefix+1]) )
208 rc = gpg_error (GPG_ERR_BAD_KEY);
213 gcry_md_write (dfx->mdc_hash, temp, nprefix+2);
216 dfx->partial = ed->is_partial;
217 dfx->length = ed->len;
218 if ( ed->mdc_method )
219 iobuf_push_filter ( ed->buf, mdc_decode_filter, dfx );
221 iobuf_push_filter ( ed->buf, decode_filter, dfx );
223 if (opt.unwrap_encryption)
225 char *filename = NULL;
227 rc = get_output_file ("", 0, ed->buf, &filename, &fp);
230 iobuf_t output = iobuf_esopen (fp, "w", 0);
231 armor_filter_context_t *afx = NULL;
235 afx = new_armor_context ();
236 push_armor_filter (afx, output);
239 iobuf_copy (output, ed->buf);
240 if ((rc = iobuf_error (ed->buf)))
241 log_error (_("error reading '%s': %s\n"),
242 filename, gpg_strerror (rc));
243 else if ((rc = iobuf_error (output)))
244 log_error (_("error writing '%s': %s\n"),
245 filename, gpg_strerror (rc));
247 iobuf_close (output);
249 release_armor_context (afx);
254 proc_packets (ctrl, procctx, ed->buf );
257 if (dfx->eof_seen > 1 )
258 rc = gpg_error (GPG_ERR_INV_PACKET);
259 else if ( ed->mdc_method )
261 /* We used to let parse-packet.c handle the MDC packet but this
262 turned out to be a problem with compressed packets: With old
263 style packets there is no length information available and
264 the decompressor uses an implicit end. However we can't know
265 this implicit end beforehand (:-) and thus may feed the
266 decompressor with more bytes than actually needed. It would
267 be possible to unread the extra bytes but due to our weird
268 iobuf system any unread is non reliable due to filters
269 already popped off. The easy and sane solution is to care
270 about the MDC packet only here and never pass it to the
271 packet parser. Fortunatley the OpenPGP spec requires a
272 strict format for the MDC packet so that we know that 22
273 bytes are appended. */
274 int datalen = gcry_md_get_algo_dlen (ed->mdc_method);
276 log_assert (dfx->cipher_hd);
277 log_assert (dfx->mdc_hash);
278 gcry_cipher_decrypt (dfx->cipher_hd, dfx->defer, 22, NULL, 0);
279 gcry_md_write (dfx->mdc_hash, dfx->defer, 2);
280 gcry_md_final (dfx->mdc_hash);
282 if ( dfx->defer[0] != '\xd3'
283 || dfx->defer[1] != '\x14'
285 || memcmp (gcry_md_read (dfx->mdc_hash, 0), dfx->defer+2, datalen))
286 rc = gpg_error (GPG_ERR_BAD_SIGNATURE);
287 /* log_printhex("MDC message:", dfx->defer, 22); */
288 /* log_printhex("MDC calc:", gcry_md_read (dfx->mdc_hash,0), datalen); */
293 release_dfx_context (dfx);
300 mdc_decode_filter (void *opaque, int control, IOBUF a,
301 byte *buf, size_t *ret_len)
303 decode_filter_ctx_t dfx = opaque;
304 size_t n, size = *ret_len;
308 /* Note: We need to distinguish between a partial and a fixed length
309 packet. The first is the usual case as created by GPG. However
310 for short messages the format degrades to a fixed length packet
311 and other implementations might use fixed length as well. Only
312 looking for the EOF on fixed data works only if the encrypted
313 packet is not followed by other data. This used to be a long
314 standing bug which was fixed on 2009-10-02. */
316 if ( control == IOBUFCTRL_UNDERFLOW && dfx->eof_seen )
321 else if( control == IOBUFCTRL_UNDERFLOW )
324 log_assert (size > 44); /* Our code requires at least this size. */
326 /* Get at least 22 bytes and put it ahead in the buffer. */
329 for (n=22; n < 44; n++)
331 if ( (c = iobuf_get(a)) == -1 )
338 for (n=22; n < 44 && dfx->length; n++, dfx->length--)
342 break; /* Premature EOF. */
348 /* We have enough stuff - flush the deferred stuff. */
349 if ( !dfx->defer_filled ) /* First time. */
351 memcpy (buf, buf+22, 22);
356 memcpy (buf, dfx->defer, 22);
358 /* Fill up the buffer. */
361 for (; n < size; n++ )
363 if ( (c = iobuf_get(a)) == -1 )
365 dfx->eof_seen = 1; /* Normal EOF. */
373 for (; n < size && dfx->length; n++, dfx->length--)
378 dfx->eof_seen = 3; /* Premature EOF. */
384 dfx->eof_seen = 1; /* Normal EOF. */
387 /* Move the trailing 22 bytes back to the defer buffer. We
388 have at least 44 bytes thus a memmove is not needed. */
390 memcpy (dfx->defer, buf+n, 22 );
391 dfx->defer_filled = 1;
393 else if ( !dfx->defer_filled ) /* EOF seen but empty defer buffer. */
395 /* This is bad because it means an incomplete hash. */
397 memcpy (buf, buf+22, n );
398 dfx->eof_seen = 2; /* EOF with incomplete hash. */
400 else /* EOF seen (i.e. read less than 22 bytes). */
402 memcpy (buf, dfx->defer, 22 );
404 memcpy (dfx->defer, buf+n, 22 );
405 dfx->eof_seen = 1; /* Normal EOF. */
410 if ( dfx->cipher_hd )
411 gcry_cipher_decrypt (dfx->cipher_hd, buf, n, NULL, 0);
413 gcry_md_write (dfx->mdc_hash, buf, n);
417 log_assert ( dfx->eof_seen );
418 rc = -1; /* Return EOF. */
422 else if ( control == IOBUFCTRL_FREE )
424 release_dfx_context (dfx);
426 else if ( control == IOBUFCTRL_DESC )
428 mem2str (buf, "mdc_decode_filter", *ret_len);
435 decode_filter( void *opaque, int control, IOBUF a, byte *buf, size_t *ret_len)
437 decode_filter_ctx_t fc = opaque;
438 size_t size = *ret_len;
443 if ( control == IOBUFCTRL_UNDERFLOW && fc->eof_seen )
448 else if ( control == IOBUFCTRL_UNDERFLOW )
454 for (n=0; n < size; n++ )
459 fc->eof_seen = 1; /* Normal EOF. */
467 for (n=0; n < size && fc->length; n++, fc->length--)
472 fc->eof_seen = 3; /* Premature EOF. */
478 fc->eof_seen = 1; /* Normal EOF. */
483 gcry_cipher_decrypt (fc->cipher_hd, buf, n, NULL, 0);
489 rc = -1; /* Return EOF. */
493 else if ( control == IOBUFCTRL_FREE )
495 release_dfx_context (fc);
497 else if ( control == IOBUFCTRL_DESC )
499 mem2str (buf, "decode_filter", *ret_len);