1 /* decrypt.c - Decrypt a message
2 * Copyright (C) 2001, 2003, 2010 Free Software Foundation, Inc.
4 * This file is part of GnuPG.
6 * GnuPG is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * GnuPG is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <https://www.gnu.org/licenses/>.
36 struct decrypt_filter_parm_s
44 int any_data; /* dod we push anything through the filter at all? */
45 unsigned char lastblock[16]; /* to strip the padding we have to
47 char helpblock[16]; /* needed because there is no block buffering in
54 /* Decrypt the session key and fill in the parm structure. The
55 algo and the IV is expected to be already in PARM. */
57 prepare_decryption (ctrl_t ctrl, const char *hexkeygrip, const char *desc,
58 ksba_const_sexp_t enc_val,
59 struct decrypt_filter_parm_s *parm)
65 rc = gpgsm_agent_pkdecrypt (ctrl, hexkeygrip, desc, enc_val,
69 log_error ("error decrypting session key: %s\n", gpg_strerror (rc));
74 log_printhex ("pkcs1 encoded session key:", seskey, seskeylen);
77 if (seskeylen == 24 || seskeylen == 16)
79 /* Smells like a 3-DES or AES-128 key. This might happen
80 * because a SC has already done the unpacking. A better
81 * solution would be to test for this only after we triggered
82 * the GPG_ERR_INV_SESSION_KEY. */
86 if (n + 7 > seskeylen )
88 rc = gpg_error (GPG_ERR_INV_SESSION_KEY);
92 /* FIXME: Actually the leading zero is required but due to the way
93 we encode the output in libgcrypt as an MPI we are not able to
94 encode that leading zero. However, when using a Smartcard we are
95 doing it the right way and therefore we have to skip the zero. This
96 should be fixed in gpg-agent of course. */
100 if (seskey[n] != 2 ) /* Wrong block type version. */
102 rc = gpg_error (GPG_ERR_INV_SESSION_KEY);
106 for (n++; n < seskeylen && seskey[n]; n++) /* Skip the random bytes. */
108 n++; /* and the zero byte */
111 rc = gpg_error (GPG_ERR_INV_SESSION_KEY);
117 log_printhex ("session key:", seskey+n, seskeylen-n);
119 rc = gcry_cipher_open (&parm->hd, parm->algo, parm->mode, 0);
122 log_error ("error creating decryptor: %s\n", gpg_strerror (rc));
126 rc = gcry_cipher_setkey (parm->hd, seskey+n, seskeylen-n);
127 if (gpg_err_code (rc) == GPG_ERR_WEAK_KEY)
129 log_info (_("WARNING: message was encrypted with "
130 "a weak key in the symmetric cipher.\n"));
135 log_error("key setup failed: %s\n", gpg_strerror(rc) );
139 gcry_cipher_setiv (parm->hd, parm->iv, parm->ivlen);
147 /* This function is called by the KSBA writer just before the actual
148 write is done. The function must take INLEN bytes from INBUF,
149 decrypt it and store it inoutbuf which has a maximum size of
150 maxoutlen. The valid bytes in outbuf should be return in outlen.
151 Due to different buffer sizes or different length of input and
152 output, it may happen that fewer bytes are processed or fewer bytes
155 decrypt_filter (void *arg,
156 const void *inbuf, size_t inlen, size_t *inused,
157 void *outbuf, size_t maxoutlen, size_t *outlen)
159 struct decrypt_filter_parm_s *parm = arg;
160 int blklen = parm->blklen;
161 size_t orig_inlen = inlen;
163 /* fixme: Should we issue an error when we have not seen one full block? */
165 return gpg_error (GPG_ERR_BUG);
167 if (maxoutlen < 2*parm->blklen)
168 return gpg_error (GPG_ERR_BUG);
169 /* Make some space because we will later need an extra block at the end. */
172 if (parm->helpblocklen)
176 for (i=parm->helpblocklen,j=0; i < blklen && j < inlen; i++, j++)
177 parm->helpblock[i] = ((const char*)inbuf)[j];
179 if (blklen > maxoutlen)
180 return gpg_error (GPG_ERR_BUG);
183 parm->helpblocklen = i;
188 parm->helpblocklen = 0;
191 memcpy (outbuf, parm->lastblock, blklen);
196 gcry_cipher_decrypt (parm->hd, parm->lastblock, blklen,
197 parm->helpblock, blklen);
200 *inused = orig_inlen - inlen;
205 if (inlen > maxoutlen)
208 { /* store the remainder away */
209 parm->helpblocklen = inlen%blklen;
210 inlen = inlen/blklen*blklen;
211 memcpy (parm->helpblock, (const char*)inbuf+inlen, parm->helpblocklen);
214 *inused = inlen + parm->helpblocklen;
217 assert (inlen >= blklen);
220 gcry_cipher_decrypt (parm->hd, (char*)outbuf+blklen, inlen,
222 memcpy (outbuf, parm->lastblock, blklen);
223 memcpy (parm->lastblock,(char*)outbuf+inlen, blklen);
228 gcry_cipher_decrypt (parm->hd, outbuf, inlen, inbuf, inlen);
229 memcpy (parm->lastblock, (char*)outbuf+inlen-blklen, blklen);
230 *outlen = inlen - blklen;
241 /* Perform a decrypt operation. */
243 gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
246 Base64Context b64reader = NULL;
247 Base64Context b64writer = NULL;
248 ksba_reader_t reader;
249 ksba_writer_t writer;
250 ksba_cms_t cms = NULL;
251 ksba_stop_reason_t stopreason;
254 estream_t in_fp = NULL;
255 struct decrypt_filter_parm_s dfparm;
257 memset (&dfparm, 0, sizeof dfparm);
259 audit_set_type (ctrl->audit, AUDIT_TYPE_DECRYPT);
264 log_error (_("failed to allocate keyDB handle\n"));
265 rc = gpg_error (GPG_ERR_GENERAL);
269 in_fp = es_fdopen_nc (in_fd, "rb");
272 rc = gpg_error_from_syserror ();
273 log_error ("fdopen() failed: %s\n", strerror (errno));
277 rc = gpgsm_create_reader (&b64reader, ctrl, in_fp, 0, &reader);
280 log_error ("can't create reader: %s\n", gpg_strerror (rc));
284 rc = gpgsm_create_writer (&b64writer, ctrl, out_fp, &writer);
287 log_error ("can't create writer: %s\n", gpg_strerror (rc));
291 rc = ksba_cms_new (&cms);
295 rc = ksba_cms_set_reader_writer (cms, reader, writer);
298 log_debug ("ksba_cms_set_reader_writer failed: %s\n",
303 audit_log (ctrl->audit, AUDIT_SETUP_READY);
308 rc = ksba_cms_parse (cms, &stopreason);
311 log_debug ("ksba_cms_parse failed: %s\n", gpg_strerror (rc));
315 if (stopreason == KSBA_SR_BEGIN_DATA
316 || stopreason == KSBA_SR_DETACHED_DATA)
322 audit_log (ctrl->audit, AUDIT_GOT_DATA);
324 algoid = ksba_cms_get_content_oid (cms, 2/* encryption algo*/);
325 algo = gcry_cipher_map_name (algoid);
326 mode = gcry_cipher_mode_from_oid (algoid);
329 rc = gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM);
330 log_error ("unsupported algorithm '%s'\n", algoid? algoid:"?");
331 if (algoid && !strcmp (algoid, "1.2.840.113549.3.2"))
332 log_info (_("(this is the RC2 algorithm)\n"));
334 log_info (_("(this does not seem to be an encrypted"
338 sprintf (numbuf, "%d", rc);
339 gpgsm_status2 (ctrl, STATUS_ERROR, "decrypt.algorithm",
340 numbuf, algoid?algoid:"?", NULL);
341 audit_log_s (ctrl->audit, AUDIT_BAD_DATA_CIPHER_ALGO, algoid);
344 /* If it seems that this is not an encrypted message we
345 return a more sensible error code. */
347 rc = gpg_error (GPG_ERR_NO_DATA);
352 audit_log_i (ctrl->audit, AUDIT_DATA_CIPHER_ALGO, algo);
355 dfparm.blklen = gcry_cipher_get_algo_blklen (algo);
356 if (dfparm.blklen > sizeof (dfparm.helpblock))
357 return gpg_error (GPG_ERR_BUG);
359 rc = ksba_cms_get_content_enc_iv (cms,
365 log_error ("error getting IV: %s\n", gpg_strerror (rc));
369 for (recp=0; !any_key; recp++)
374 char *hexkeygrip = NULL;
380 rc = ksba_cms_get_issuer_serial (cms, recp, &issuer, &serial);
381 if (rc == -1 && recp)
382 break; /* no more recipients */
383 audit_log_i (ctrl->audit, AUDIT_NEW_RECP, recp);
385 log_error ("recp %d - error getting info: %s\n",
386 recp, gpg_strerror (rc));
389 ksba_cert_t cert = NULL;
391 log_debug ("recp %d - issuer: '%s'\n",
392 recp, issuer? issuer:"[NONE]");
393 log_debug ("recp %d - serial: ", recp);
394 gpgsm_dump_serial (serial);
399 char *tmpstr = gpgsm_format_sn_issuer (serial, issuer);
400 audit_log_s (ctrl->audit, AUDIT_RECP_NAME, tmpstr);
404 keydb_search_reset (kh);
405 rc = keydb_search_issuer_sn (ctrl, kh, issuer, serial);
408 log_error ("failed to find the certificate: %s\n",
413 rc = keydb_get_cert (kh, &cert);
416 log_error ("failed to get cert: %s\n", gpg_strerror (rc));
420 /* Print the ENC_TO status line. Note that we can
421 do so only if we have the certificate. This is
422 in contrast to gpg where the keyID is commonly
423 included in the encrypted messages. It is too
424 cumbersome to retrieve the used algorithm, thus
425 we don't print it for now. We also record the
426 keyid for later use. */
428 unsigned long kid[2];
430 kid[0] = gpgsm_get_short_fingerprint (cert, kid+1);
431 snprintf (kidbuf, sizeof kidbuf, "%08lX%08lX",
433 gpgsm_status2 (ctrl, STATUS_ENC_TO,
434 kidbuf, "0", "0", NULL);
437 /* Put the certificate into the audit log. */
438 audit_log_cert (ctrl->audit, AUDIT_SAVE_CERT, cert, 0);
440 /* Just in case there is a problem with the own
441 certificate we print this message - should never
443 rc = gpgsm_cert_use_decrypt_p (cert);
447 sprintf (numbuf, "%d", rc);
448 gpgsm_status2 (ctrl, STATUS_ERROR, "decrypt.keyusage",
453 hexkeygrip = gpgsm_get_keygrip_hexstring (cert);
454 desc = gpgsm_format_keydesc (cert);
459 ksba_cert_release (cert);
464 else if (!(enc_val = ksba_cms_get_enc_val (cms, recp)))
465 log_error ("recp %d - error getting encrypted session key\n",
469 rc = prepare_decryption (ctrl,
470 hexkeygrip, desc, enc_val, &dfparm);
474 log_info ("decrypting session key failed: %s\n",
476 if (gpg_err_code (rc) == GPG_ERR_NO_SECKEY && *kidbuf)
477 gpgsm_status2 (ctrl, STATUS_NO_SECKEY, kidbuf, NULL);
480 { /* setup the bulk decrypter */
482 ksba_writer_set_filter (writer,
486 audit_log_ok (ctrl->audit, AUDIT_RECP_RESULT, rc);
492 /* If we write an audit log add the unused recipients to the
494 if (ctrl->audit && any_key)
502 tmp_rc = ksba_cms_get_issuer_serial (cms, recp,
505 break; /* no more recipients */
506 audit_log_i (ctrl->audit, AUDIT_NEW_RECP, recp);
508 log_error ("recp %d - error getting info: %s\n",
509 recp, gpg_strerror (rc));
512 char *tmpstr = gpgsm_format_sn_issuer (serial, issuer);
513 audit_log_s (ctrl->audit, AUDIT_RECP_NAME, tmpstr);
523 rc = gpg_error (GPG_ERR_NO_SECKEY);
527 else if (stopreason == KSBA_SR_END_DATA)
529 ksba_writer_set_filter (writer, NULL, NULL);
531 { /* write the last block with padding removed */
532 int i, npadding = dfparm.lastblock[dfparm.blklen-1];
533 if (!npadding || npadding > dfparm.blklen)
535 log_error ("invalid padding with value %d\n", npadding);
536 rc = gpg_error (GPG_ERR_INV_DATA);
539 rc = ksba_writer_write (writer,
541 dfparm.blklen - npadding);
545 for (i=dfparm.blklen - npadding; i < dfparm.blklen; i++)
547 if (dfparm.lastblock[i] != npadding)
549 log_error ("inconsistent padding\n");
550 rc = gpg_error (GPG_ERR_INV_DATA);
558 while (stopreason != KSBA_SR_READY);
560 rc = gpgsm_finish_writer (b64writer);
563 log_error ("write failed: %s\n", gpg_strerror (rc));
566 gpgsm_status (ctrl, STATUS_DECRYPTION_OKAY, NULL);
570 audit_log_ok (ctrl->audit, AUDIT_DECRYPTION_RESULT, rc);
573 gpgsm_status (ctrl, STATUS_DECRYPTION_FAILED, NULL);
574 log_error ("message decryption failed: %s <%s>\n",
575 gpg_strerror (rc), gpg_strsource (rc));
577 ksba_cms_release (cms);
578 gpgsm_destroy_reader (b64reader);
579 gpgsm_destroy_writer (b64writer);
583 gcry_cipher_close (dfparm.hd);