1 /*
2 * pgp-decrypt.c
3 * OpenPGP decrypt.
4 *
5 * Copyright (c) 2005 Marko Kreen
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 * contrib/pgcrypto/pgp-decrypt.c
30 */
31
32 #include "postgres.h"
33
34 #include "px.h"
35 #include "mbuf.h"
36 #include "pgp.h"
37
38 #define NO_CTX_SIZE 0
39 #define ALLOW_CTX_SIZE 1
40 #define NO_COMPR 0
41 #define ALLOW_COMPR 1
42 #define NO_MDC 0
43 #define NEED_MDC 1
44
45 #define PKT_NORMAL 1
46 #define PKT_STREAM 2
47 #define PKT_CONTEXT 3
48
49 #define MAX_CHUNK (16*1024*1024)
50
51 static int
parse_new_len(PullFilter * src,int * len_p)52 parse_new_len(PullFilter *src, int *len_p)
53 {
54 uint8 b;
55 int len;
56 int pkttype = PKT_NORMAL;
57
58 GETBYTE(src, b);
59 if (b <= 191)
60 len = b;
61 else if (b >= 192 && b <= 223)
62 {
63 len = ((unsigned) (b) - 192) << 8;
64 GETBYTE(src, b);
65 len += 192 + b;
66 }
67 else if (b == 255)
68 {
69 GETBYTE(src, b);
70 len = b;
71 GETBYTE(src, b);
72 len = (len << 8) | b;
73 GETBYTE(src, b);
74 len = (len << 8) | b;
75 GETBYTE(src, b);
76 len = (len << 8) | b;
77 }
78 else
79 {
80 len = 1 << (b & 0x1F);
81 pkttype = PKT_STREAM;
82 }
83
84 if (len < 0 || len > MAX_CHUNK)
85 {
86 px_debug("parse_new_len: weird length");
87 return PXE_PGP_CORRUPT_DATA;
88 }
89
90 *len_p = len;
91 return pkttype;
92 }
93
94 static int
parse_old_len(PullFilter * src,int * len_p,int lentype)95 parse_old_len(PullFilter *src, int *len_p, int lentype)
96 {
97 uint8 b;
98 int len;
99
100 GETBYTE(src, b);
101 len = b;
102
103 if (lentype == 1)
104 {
105 GETBYTE(src, b);
106 len = (len << 8) | b;
107 }
108 else if (lentype == 2)
109 {
110 GETBYTE(src, b);
111 len = (len << 8) | b;
112 GETBYTE(src, b);
113 len = (len << 8) | b;
114 GETBYTE(src, b);
115 len = (len << 8) | b;
116 }
117
118 if (len < 0 || len > MAX_CHUNK)
119 {
120 px_debug("parse_old_len: weird length");
121 return PXE_PGP_CORRUPT_DATA;
122 }
123 *len_p = len;
124 return PKT_NORMAL;
125 }
126
127 /* returns pkttype or 0 on eof */
128 int
pgp_parse_pkt_hdr(PullFilter * src,uint8 * tag,int * len_p,int allow_ctx)129 pgp_parse_pkt_hdr(PullFilter *src, uint8 *tag, int *len_p, int allow_ctx)
130 {
131 int lentype;
132 int res;
133 uint8 *p;
134
135 /* EOF is normal here, thus we don't use GETBYTE */
136 res = pullf_read(src, 1, &p);
137 if (res < 0)
138 return res;
139 if (res == 0)
140 return 0;
141
142 if ((*p & 0x80) == 0)
143 {
144 px_debug("pgp_parse_pkt_hdr: not pkt hdr");
145 return PXE_PGP_CORRUPT_DATA;
146 }
147
148 if (*p & 0x40)
149 {
150 *tag = *p & 0x3f;
151 res = parse_new_len(src, len_p);
152 }
153 else
154 {
155 lentype = *p & 3;
156 *tag = (*p >> 2) & 0x0F;
157 if (lentype == 3)
158 res = allow_ctx ? PKT_CONTEXT : PXE_PGP_CORRUPT_DATA;
159 else
160 res = parse_old_len(src, len_p, lentype);
161 }
162 return res;
163 }
164
165 /*
166 * Packet reader
167 */
168 struct PktData
169 {
170 int type;
171 int len;
172 };
173
174 static int
pktreader_pull(void * priv,PullFilter * src,int len,uint8 ** data_p,uint8 * buf,int buflen)175 pktreader_pull(void *priv, PullFilter *src, int len,
176 uint8 **data_p, uint8 *buf, int buflen)
177 {
178 int res;
179 struct PktData *pkt = priv;
180
181 /* PKT_CONTEXT means: whatever there is */
182 if (pkt->type == PKT_CONTEXT)
183 return pullf_read(src, len, data_p);
184
185 while (pkt->len == 0)
186 {
187 /* this was last chunk in stream */
188 if (pkt->type == PKT_NORMAL)
189 return 0;
190
191 /* next chunk in stream */
192 res = parse_new_len(src, &pkt->len);
193 if (res < 0)
194 return res;
195 pkt->type = res;
196 }
197
198 if (len > pkt->len)
199 len = pkt->len;
200
201 res = pullf_read(src, len, data_p);
202 if (res > 0)
203 pkt->len -= res;
204
205 return res;
206 }
207
208 static void
pktreader_free(void * priv)209 pktreader_free(void *priv)
210 {
211 struct PktData *pkt = priv;
212
213 px_memset(pkt, 0, sizeof(*pkt));
214 px_free(pkt);
215 }
216
217 static struct PullFilterOps pktreader_filter = {
218 NULL, pktreader_pull, pktreader_free
219 };
220
221 /* needs helper function to pass several parameters */
222 int
pgp_create_pkt_reader(PullFilter ** pf_p,PullFilter * src,int len,int pkttype,PGP_Context * ctx)223 pgp_create_pkt_reader(PullFilter **pf_p, PullFilter *src, int len,
224 int pkttype, PGP_Context *ctx)
225 {
226 int res;
227 struct PktData *pkt = px_alloc(sizeof(*pkt));
228
229 pkt->type = pkttype;
230 pkt->len = len;
231 res = pullf_create(pf_p, &pktreader_filter, pkt, src);
232 if (res < 0)
233 px_free(pkt);
234 return res;
235 }
236
237 /*
238 * Prefix check filter
239 * https://tools.ietf.org/html/rfc4880#section-5.7
240 * https://tools.ietf.org/html/rfc4880#section-5.13
241 */
242
243 static int
prefix_init(void ** priv_p,void * arg,PullFilter * src)244 prefix_init(void **priv_p, void *arg, PullFilter *src)
245 {
246 PGP_Context *ctx = arg;
247 int len;
248 int res;
249 uint8 *buf;
250 uint8 tmpbuf[PGP_MAX_BLOCK + 2];
251
252 len = pgp_get_cipher_block_size(ctx->cipher_algo);
253 if (len > sizeof(tmpbuf))
254 return PXE_BUG;
255
256 res = pullf_read_max(src, len + 2, &buf, tmpbuf);
257 if (res < 0)
258 return res;
259 if (res != len + 2)
260 {
261 px_debug("prefix_init: short read");
262 px_memset(tmpbuf, 0, sizeof(tmpbuf));
263 return PXE_PGP_CORRUPT_DATA;
264 }
265
266 if (buf[len - 2] != buf[len] || buf[len - 1] != buf[len + 1])
267 {
268 px_debug("prefix_init: corrupt prefix");
269 /* report error in pgp_decrypt() */
270 ctx->corrupt_prefix = 1;
271 }
272 px_memset(tmpbuf, 0, sizeof(tmpbuf));
273 return 0;
274 }
275
276 static struct PullFilterOps prefix_filter = {
277 prefix_init, NULL, NULL
278 };
279
280
281 /*
282 * Decrypt filter
283 */
284
285 static int
decrypt_init(void ** priv_p,void * arg,PullFilter * src)286 decrypt_init(void **priv_p, void *arg, PullFilter *src)
287 {
288 PGP_CFB *cfb = arg;
289
290 *priv_p = cfb;
291
292 /* we need to write somewhere, so ask for a buffer */
293 return 4096;
294 }
295
296 static int
decrypt_read(void * priv,PullFilter * src,int len,uint8 ** data_p,uint8 * buf,int buflen)297 decrypt_read(void *priv, PullFilter *src, int len,
298 uint8 **data_p, uint8 *buf, int buflen)
299 {
300 PGP_CFB *cfb = priv;
301 uint8 *tmp;
302 int res;
303
304 res = pullf_read(src, len, &tmp);
305 if (res > 0)
306 {
307 pgp_cfb_decrypt(cfb, tmp, res, buf);
308 *data_p = buf;
309 }
310 return res;
311 }
312
313 struct PullFilterOps pgp_decrypt_filter = {
314 decrypt_init, decrypt_read, NULL
315 };
316
317
318 /*
319 * MDC hasher filter
320 */
321
322 static int
mdc_init(void ** priv_p,void * arg,PullFilter * src)323 mdc_init(void **priv_p, void *arg, PullFilter *src)
324 {
325 PGP_Context *ctx = arg;
326
327 *priv_p = ctx;
328 return pgp_load_digest(PGP_DIGEST_SHA1, &ctx->mdc_ctx);
329 }
330
331 static void
mdc_free(void * priv)332 mdc_free(void *priv)
333 {
334 PGP_Context *ctx = priv;
335
336 if (ctx->use_mdcbuf_filter)
337 return;
338 px_md_free(ctx->mdc_ctx);
339 ctx->mdc_ctx = NULL;
340 }
341
342 static int
mdc_finish(PGP_Context * ctx,PullFilter * src,int len)343 mdc_finish(PGP_Context *ctx, PullFilter *src, int len)
344 {
345 int res;
346 uint8 hash[20];
347 uint8 tmpbuf[20];
348 uint8 *data;
349
350 /* should not happen */
351 if (ctx->use_mdcbuf_filter)
352 return PXE_BUG;
353
354 /* It's SHA1 */
355 if (len != 20)
356 return PXE_PGP_CORRUPT_DATA;
357
358 /* mdc_read should not call md_update */
359 ctx->in_mdc_pkt = 1;
360
361 /* read data */
362 res = pullf_read_max(src, len, &data, tmpbuf);
363 if (res < 0)
364 return res;
365 if (res == 0)
366 {
367 px_debug("no mdc");
368 return PXE_PGP_CORRUPT_DATA;
369 }
370
371 /* is the packet sane? */
372 if (res != 20)
373 {
374 px_debug("mdc_finish: read failed, res=%d", res);
375 return PXE_PGP_CORRUPT_DATA;
376 }
377
378 /*
379 * ok, we got the hash, now check
380 */
381 px_md_finish(ctx->mdc_ctx, hash);
382 res = memcmp(hash, data, 20);
383 px_memset(hash, 0, 20);
384 px_memset(tmpbuf, 0, sizeof(tmpbuf));
385 if (res != 0)
386 {
387 px_debug("mdc_finish: mdc failed");
388 return PXE_PGP_CORRUPT_DATA;
389 }
390 ctx->mdc_checked = 1;
391 return 0;
392 }
393
394 static int
mdc_read(void * priv,PullFilter * src,int len,uint8 ** data_p,uint8 * buf,int buflen)395 mdc_read(void *priv, PullFilter *src, int len,
396 uint8 **data_p, uint8 *buf, int buflen)
397 {
398 int res;
399 PGP_Context *ctx = priv;
400
401 /* skip this filter? */
402 if (ctx->use_mdcbuf_filter || ctx->in_mdc_pkt)
403 return pullf_read(src, len, data_p);
404
405 res = pullf_read(src, len, data_p);
406 if (res < 0)
407 return res;
408 if (res == 0)
409 {
410 px_debug("mdc_read: unexpected eof");
411 return PXE_PGP_CORRUPT_DATA;
412 }
413 px_md_update(ctx->mdc_ctx, *data_p, res);
414
415 return res;
416 }
417
418 static struct PullFilterOps mdc_filter = {
419 mdc_init, mdc_read, mdc_free
420 };
421
422
423 /*
424 * Combined Pkt reader and MDC hasher.
425 *
426 * For the case of SYMENCRYPTED_MDC packet, where
427 * the data part has 'context length', which means
428 * that data packet ends 22 bytes before end of parent
429 * packet, which is silly.
430 */
431 #define MDCBUF_LEN 8192
432 struct MDCBufData
433 {
434 PGP_Context *ctx;
435 int eof;
436 int buflen;
437 int avail;
438 uint8 *pos;
439 int mdc_avail;
440 uint8 mdc_buf[22];
441 uint8 buf[MDCBUF_LEN];
442 };
443
444 static int
mdcbuf_init(void ** priv_p,void * arg,PullFilter * src)445 mdcbuf_init(void **priv_p, void *arg, PullFilter *src)
446 {
447 PGP_Context *ctx = arg;
448 struct MDCBufData *st;
449
450 st = px_alloc(sizeof(*st));
451 memset(st, 0, sizeof(*st));
452 st->buflen = sizeof(st->buf);
453 st->ctx = ctx;
454 *priv_p = st;
455
456 /* take over the work of mdc_filter */
457 ctx->use_mdcbuf_filter = 1;
458
459 return 0;
460 }
461
462 static int
mdcbuf_finish(struct MDCBufData * st)463 mdcbuf_finish(struct MDCBufData *st)
464 {
465 uint8 hash[20];
466 int res;
467
468 st->eof = 1;
469
470 if (st->mdc_buf[0] != 0xD3 || st->mdc_buf[1] != 0x14)
471 {
472 px_debug("mdcbuf_finish: bad MDC pkt hdr");
473 return PXE_PGP_CORRUPT_DATA;
474 }
475 px_md_update(st->ctx->mdc_ctx, st->mdc_buf, 2);
476 px_md_finish(st->ctx->mdc_ctx, hash);
477 res = memcmp(hash, st->mdc_buf + 2, 20);
478 px_memset(hash, 0, 20);
479 if (res)
480 {
481 px_debug("mdcbuf_finish: MDC does not match");
482 res = PXE_PGP_CORRUPT_DATA;
483 }
484 return res;
485 }
486
487 static void
mdcbuf_load_data(struct MDCBufData * st,uint8 * src,int len)488 mdcbuf_load_data(struct MDCBufData *st, uint8 *src, int len)
489 {
490 uint8 *dst = st->pos + st->avail;
491
492 memcpy(dst, src, len);
493 px_md_update(st->ctx->mdc_ctx, src, len);
494 st->avail += len;
495 }
496
497 static void
mdcbuf_load_mdc(struct MDCBufData * st,uint8 * src,int len)498 mdcbuf_load_mdc(struct MDCBufData *st, uint8 *src, int len)
499 {
500 memmove(st->mdc_buf + st->mdc_avail, src, len);
501 st->mdc_avail += len;
502 }
503
504 static int
mdcbuf_refill(struct MDCBufData * st,PullFilter * src)505 mdcbuf_refill(struct MDCBufData *st, PullFilter *src)
506 {
507 uint8 *data;
508 int res;
509 int need;
510
511 /* put avail data in start */
512 if (st->avail > 0 && st->pos != st->buf)
513 memmove(st->buf, st->pos, st->avail);
514 st->pos = st->buf;
515
516 /* read new data */
517 need = st->buflen + 22 - st->avail - st->mdc_avail;
518 res = pullf_read(src, need, &data);
519 if (res < 0)
520 return res;
521 if (res == 0)
522 return mdcbuf_finish(st);
523
524 /* add to buffer */
525 if (res >= 22)
526 {
527 mdcbuf_load_data(st, st->mdc_buf, st->mdc_avail);
528 st->mdc_avail = 0;
529
530 mdcbuf_load_data(st, data, res - 22);
531 mdcbuf_load_mdc(st, data + res - 22, 22);
532 }
533 else
534 {
535 int canmove = st->mdc_avail + res - 22;
536
537 if (canmove > 0)
538 {
539 mdcbuf_load_data(st, st->mdc_buf, canmove);
540 st->mdc_avail -= canmove;
541 memmove(st->mdc_buf, st->mdc_buf + canmove, st->mdc_avail);
542 }
543 mdcbuf_load_mdc(st, data, res);
544 }
545 return 0;
546 }
547
548 static int
mdcbuf_read(void * priv,PullFilter * src,int len,uint8 ** data_p,uint8 * buf,int buflen)549 mdcbuf_read(void *priv, PullFilter *src, int len,
550 uint8 **data_p, uint8 *buf, int buflen)
551 {
552 struct MDCBufData *st = priv;
553 int res;
554
555 if (!st->eof && len > st->avail)
556 {
557 res = mdcbuf_refill(st, src);
558 if (res < 0)
559 return res;
560 }
561
562 if (len > st->avail)
563 len = st->avail;
564
565 *data_p = st->pos;
566 st->pos += len;
567 st->avail -= len;
568 return len;
569 }
570
571 static void
mdcbuf_free(void * priv)572 mdcbuf_free(void *priv)
573 {
574 struct MDCBufData *st = priv;
575
576 px_md_free(st->ctx->mdc_ctx);
577 st->ctx->mdc_ctx = NULL;
578 px_memset(st, 0, sizeof(*st));
579 px_free(st);
580 }
581
582 static struct PullFilterOps mdcbuf_filter = {
583 mdcbuf_init, mdcbuf_read, mdcbuf_free
584 };
585
586
587 /*
588 * Decrypt separate session key
589 */
590 static int
decrypt_key(PGP_Context * ctx,const uint8 * src,int len)591 decrypt_key(PGP_Context *ctx, const uint8 *src, int len)
592 {
593 int res;
594 uint8 algo;
595 PGP_CFB *cfb;
596
597 res = pgp_cfb_create(&cfb, ctx->s2k_cipher_algo,
598 ctx->s2k.key, ctx->s2k.key_len, 0, NULL);
599 if (res < 0)
600 return res;
601
602 pgp_cfb_decrypt(cfb, src, 1, &algo);
603 src++;
604 len--;
605
606 pgp_cfb_decrypt(cfb, src, len, ctx->sess_key);
607 pgp_cfb_free(cfb);
608 ctx->sess_key_len = len;
609 ctx->cipher_algo = algo;
610
611 if (pgp_get_cipher_key_size(algo) != len)
612 {
613 px_debug("sesskey bad len: algo=%d, expected=%d, got=%d",
614 algo, pgp_get_cipher_key_size(algo), len);
615 return PXE_PGP_CORRUPT_DATA;
616 }
617 return 0;
618 }
619
620 /*
621 * Handle key packet
622 */
623 static int
parse_symenc_sesskey(PGP_Context * ctx,PullFilter * src)624 parse_symenc_sesskey(PGP_Context *ctx, PullFilter *src)
625 {
626 uint8 *p;
627 int res;
628 uint8 tmpbuf[PGP_MAX_KEY + 2];
629 uint8 ver;
630
631 GETBYTE(src, ver);
632 GETBYTE(src, ctx->s2k_cipher_algo);
633 if (ver != 4)
634 {
635 px_debug("bad key pkt ver");
636 return PXE_PGP_CORRUPT_DATA;
637 }
638
639 /*
640 * read S2K info
641 */
642 res = pgp_s2k_read(src, &ctx->s2k);
643 if (res < 0)
644 return res;
645 ctx->s2k_mode = ctx->s2k.mode;
646 ctx->s2k_count = s2k_decode_count(ctx->s2k.iter);
647 ctx->s2k_digest_algo = ctx->s2k.digest_algo;
648
649 /*
650 * generate key from password
651 */
652 res = pgp_s2k_process(&ctx->s2k, ctx->s2k_cipher_algo,
653 ctx->sym_key, ctx->sym_key_len);
654 if (res < 0)
655 return res;
656
657 /*
658 * do we have separate session key?
659 */
660 res = pullf_read_max(src, PGP_MAX_KEY + 2, &p, tmpbuf);
661 if (res < 0)
662 return res;
663
664 if (res == 0)
665 {
666 /*
667 * no, s2k key is session key
668 */
669 memcpy(ctx->sess_key, ctx->s2k.key, ctx->s2k.key_len);
670 ctx->sess_key_len = ctx->s2k.key_len;
671 ctx->cipher_algo = ctx->s2k_cipher_algo;
672 res = 0;
673 ctx->use_sess_key = 0;
674 }
675 else
676 {
677 /*
678 * yes, decrypt it
679 */
680 if (res < 17 || res > PGP_MAX_KEY + 1)
681 {
682 px_debug("expect key, but bad data");
683 return PXE_PGP_CORRUPT_DATA;
684 }
685 ctx->use_sess_key = 1;
686 res = decrypt_key(ctx, p, res);
687 }
688
689 px_memset(tmpbuf, 0, sizeof(tmpbuf));
690 return res;
691 }
692
693 static int
copy_crlf(MBuf * dst,uint8 * data,int len,int * got_cr)694 copy_crlf(MBuf *dst, uint8 *data, int len, int *got_cr)
695 {
696 uint8 *data_end = data + len;
697 uint8 tmpbuf[1024];
698 uint8 *tmp_end = tmpbuf + sizeof(tmpbuf);
699 uint8 *p;
700 int res;
701
702 p = tmpbuf;
703 if (*got_cr)
704 {
705 if (*data != '\n')
706 *p++ = '\r';
707 *got_cr = 0;
708 }
709 while (data < data_end)
710 {
711 if (*data == '\r')
712 {
713 if (data + 1 < data_end)
714 {
715 if (*(data + 1) == '\n')
716 data++;
717 }
718 else
719 {
720 *got_cr = 1;
721 break;
722 }
723 }
724 *p++ = *data++;
725 if (p >= tmp_end)
726 {
727 res = mbuf_append(dst, tmpbuf, p - tmpbuf);
728 if (res < 0)
729 return res;
730 p = tmpbuf;
731 }
732 }
733 if (p - tmpbuf > 0)
734 {
735 res = mbuf_append(dst, tmpbuf, p - tmpbuf);
736 if (res < 0)
737 return res;
738 }
739 px_memset(tmpbuf, 0, sizeof(tmpbuf));
740 return 0;
741 }
742
743 static int
parse_literal_data(PGP_Context * ctx,MBuf * dst,PullFilter * pkt)744 parse_literal_data(PGP_Context *ctx, MBuf *dst, PullFilter *pkt)
745 {
746 int type;
747 int name_len;
748 int res;
749 uint8 *buf;
750 uint8 tmpbuf[4];
751 int got_cr = 0;
752
753 GETBYTE(pkt, type);
754 GETBYTE(pkt, name_len);
755
756 /* skip name */
757 while (name_len > 0)
758 {
759 res = pullf_read(pkt, name_len, &buf);
760 if (res < 0)
761 return res;
762 if (res == 0)
763 break;
764 name_len -= res;
765 }
766 if (name_len > 0)
767 {
768 px_debug("parse_literal_data: unexpected eof");
769 return PXE_PGP_CORRUPT_DATA;
770 }
771
772 /* skip date */
773 res = pullf_read_max(pkt, 4, &buf, tmpbuf);
774 if (res != 4)
775 {
776 px_debug("parse_literal_data: unexpected eof");
777 return PXE_PGP_CORRUPT_DATA;
778 }
779 px_memset(tmpbuf, 0, 4);
780
781 /*
782 * If called from an SQL function that returns text, pgp_decrypt() rejects
783 * inputs not self-identifying as text.
784 */
785 if (ctx->text_mode)
786 if (type != 't' && type != 'u')
787 {
788 px_debug("parse_literal_data: data type=%c", type);
789 ctx->unexpected_binary = true;
790 }
791
792 ctx->unicode_mode = (type == 'u') ? 1 : 0;
793
794 /* read data */
795 while (1)
796 {
797 res = pullf_read(pkt, 32 * 1024, &buf);
798 if (res <= 0)
799 break;
800
801 if (ctx->text_mode && ctx->convert_crlf)
802 res = copy_crlf(dst, buf, res, &got_cr);
803 else
804 res = mbuf_append(dst, buf, res);
805 if (res < 0)
806 break;
807 }
808 if (res >= 0 && got_cr)
809 res = mbuf_append(dst, (const uint8 *) "\r", 1);
810 return res;
811 }
812
813 /* process_data_packets and parse_compressed_data call each other */
814 static int process_data_packets(PGP_Context *ctx, MBuf *dst,
815 PullFilter *src, int allow_compr, int need_mdc);
816
817 static int
parse_compressed_data(PGP_Context * ctx,MBuf * dst,PullFilter * pkt)818 parse_compressed_data(PGP_Context *ctx, MBuf *dst, PullFilter *pkt)
819 {
820 int res;
821 uint8 type;
822 PullFilter *pf_decompr;
823 uint8 *discard_buf;
824
825 GETBYTE(pkt, type);
826
827 ctx->compress_algo = type;
828 switch (type)
829 {
830 case PGP_COMPR_NONE:
831 res = process_data_packets(ctx, dst, pkt, NO_COMPR, NO_MDC);
832 break;
833
834 case PGP_COMPR_ZIP:
835 case PGP_COMPR_ZLIB:
836 res = pgp_decompress_filter(&pf_decompr, ctx, pkt);
837 if (res >= 0)
838 {
839 res = process_data_packets(ctx, dst, pf_decompr,
840 NO_COMPR, NO_MDC);
841 pullf_free(pf_decompr);
842 }
843 break;
844
845 case PGP_COMPR_BZIP2:
846 px_debug("parse_compressed_data: bzip2 unsupported");
847 /* report error in pgp_decrypt() */
848 ctx->unsupported_compr = 1;
849
850 /*
851 * Discard the compressed data, allowing it to first affect any
852 * MDC digest computation.
853 */
854 while (1)
855 {
856 res = pullf_read(pkt, 32 * 1024, &discard_buf);
857 if (res <= 0)
858 break;
859 }
860
861 break;
862
863 default:
864 px_debug("parse_compressed_data: unknown compr type");
865 res = PXE_PGP_CORRUPT_DATA;
866 }
867
868 return res;
869 }
870
871 static int
process_data_packets(PGP_Context * ctx,MBuf * dst,PullFilter * src,int allow_compr,int need_mdc)872 process_data_packets(PGP_Context *ctx, MBuf *dst, PullFilter *src,
873 int allow_compr, int need_mdc)
874 {
875 uint8 tag;
876 int len,
877 res;
878 int got_data = 0;
879 int got_mdc = 0;
880 PullFilter *pkt = NULL;
881
882 while (1)
883 {
884 res = pgp_parse_pkt_hdr(src, &tag, &len, ALLOW_CTX_SIZE);
885 if (res <= 0)
886 break;
887
888
889 /* mdc packet should be last */
890 if (got_mdc)
891 {
892 px_debug("process_data_packets: data after mdc");
893 res = PXE_PGP_CORRUPT_DATA;
894 break;
895 }
896
897 /* context length inside SYMENC_MDC needs special handling */
898 if (need_mdc && res == PKT_CONTEXT)
899 res = pullf_create(&pkt, &mdcbuf_filter, ctx, src);
900 else
901 res = pgp_create_pkt_reader(&pkt, src, len, res, ctx);
902 if (res < 0)
903 break;
904
905 switch (tag)
906 {
907 case PGP_PKT_LITERAL_DATA:
908 got_data = 1;
909 res = parse_literal_data(ctx, dst, pkt);
910 break;
911 case PGP_PKT_COMPRESSED_DATA:
912 if (allow_compr == 0)
913 {
914 px_debug("process_data_packets: unexpected compression");
915 res = PXE_PGP_CORRUPT_DATA;
916 }
917 else if (got_data)
918 {
919 /*
920 * compr data must be alone
921 */
922 px_debug("process_data_packets: only one cmpr pkt allowed");
923 res = PXE_PGP_CORRUPT_DATA;
924 }
925 else
926 {
927 got_data = 1;
928 res = parse_compressed_data(ctx, dst, pkt);
929 }
930 break;
931 case PGP_PKT_MDC:
932 if (need_mdc == NO_MDC)
933 {
934 px_debug("process_data_packets: unexpected MDC");
935 res = PXE_PGP_CORRUPT_DATA;
936 break;
937 }
938
939 res = mdc_finish(ctx, pkt, len);
940 if (res >= 0)
941 got_mdc = 1;
942 break;
943 default:
944 px_debug("process_data_packets: unexpected pkt tag=%d", tag);
945 res = PXE_PGP_CORRUPT_DATA;
946 }
947
948 pullf_free(pkt);
949 pkt = NULL;
950
951 if (res < 0)
952 break;
953 }
954
955 if (pkt)
956 pullf_free(pkt);
957
958 if (res < 0)
959 return res;
960
961 if (!got_data)
962 {
963 px_debug("process_data_packets: no data");
964 res = PXE_PGP_CORRUPT_DATA;
965 }
966 if (need_mdc && !got_mdc && !ctx->use_mdcbuf_filter)
967 {
968 px_debug("process_data_packets: got no mdc");
969 res = PXE_PGP_CORRUPT_DATA;
970 }
971 return res;
972 }
973
974 static int
parse_symenc_data(PGP_Context * ctx,PullFilter * pkt,MBuf * dst)975 parse_symenc_data(PGP_Context *ctx, PullFilter *pkt, MBuf *dst)
976 {
977 int res;
978 PGP_CFB *cfb = NULL;
979 PullFilter *pf_decrypt = NULL;
980 PullFilter *pf_prefix = NULL;
981
982 res = pgp_cfb_create(&cfb, ctx->cipher_algo,
983 ctx->sess_key, ctx->sess_key_len, 1, NULL);
984 if (res < 0)
985 goto out;
986
987 res = pullf_create(&pf_decrypt, &pgp_decrypt_filter, cfb, pkt);
988 if (res < 0)
989 goto out;
990
991 res = pullf_create(&pf_prefix, &prefix_filter, ctx, pf_decrypt);
992 if (res < 0)
993 goto out;
994
995 res = process_data_packets(ctx, dst, pf_prefix, ALLOW_COMPR, NO_MDC);
996
997 out:
998 if (pf_prefix)
999 pullf_free(pf_prefix);
1000 if (pf_decrypt)
1001 pullf_free(pf_decrypt);
1002 if (cfb)
1003 pgp_cfb_free(cfb);
1004
1005 return res;
1006 }
1007
1008 static int
parse_symenc_mdc_data(PGP_Context * ctx,PullFilter * pkt,MBuf * dst)1009 parse_symenc_mdc_data(PGP_Context *ctx, PullFilter *pkt, MBuf *dst)
1010 {
1011 int res;
1012 PGP_CFB *cfb = NULL;
1013 PullFilter *pf_decrypt = NULL;
1014 PullFilter *pf_prefix = NULL;
1015 PullFilter *pf_mdc = NULL;
1016 uint8 ver;
1017
1018 GETBYTE(pkt, ver);
1019 if (ver != 1)
1020 {
1021 px_debug("parse_symenc_mdc_data: pkt ver != 1");
1022 return PXE_PGP_CORRUPT_DATA;
1023 }
1024
1025 res = pgp_cfb_create(&cfb, ctx->cipher_algo,
1026 ctx->sess_key, ctx->sess_key_len, 0, NULL);
1027 if (res < 0)
1028 goto out;
1029
1030 res = pullf_create(&pf_decrypt, &pgp_decrypt_filter, cfb, pkt);
1031 if (res < 0)
1032 goto out;
1033
1034 res = pullf_create(&pf_mdc, &mdc_filter, ctx, pf_decrypt);
1035 if (res < 0)
1036 goto out;
1037
1038 res = pullf_create(&pf_prefix, &prefix_filter, ctx, pf_mdc);
1039 if (res < 0)
1040 goto out;
1041
1042 res = process_data_packets(ctx, dst, pf_prefix, ALLOW_COMPR, NEED_MDC);
1043
1044 out:
1045 if (pf_prefix)
1046 pullf_free(pf_prefix);
1047 if (pf_mdc)
1048 pullf_free(pf_mdc);
1049 if (pf_decrypt)
1050 pullf_free(pf_decrypt);
1051 if (cfb)
1052 pgp_cfb_free(cfb);
1053
1054 return res;
1055 }
1056
1057 /*
1058 * skip over packet contents
1059 */
1060 int
pgp_skip_packet(PullFilter * pkt)1061 pgp_skip_packet(PullFilter *pkt)
1062 {
1063 int res = 1;
1064 uint8 *tmp;
1065
1066 while (res > 0)
1067 res = pullf_read(pkt, 32 * 1024, &tmp);
1068 return res;
1069 }
1070
1071 /*
1072 * expect to be at packet end, any data is error
1073 */
1074 int
pgp_expect_packet_end(PullFilter * pkt)1075 pgp_expect_packet_end(PullFilter *pkt)
1076 {
1077 int res;
1078 uint8 *tmp;
1079
1080 res = pullf_read(pkt, 32 * 1024, &tmp);
1081 if (res > 0)
1082 {
1083 px_debug("pgp_expect_packet_end: got data");
1084 return PXE_PGP_CORRUPT_DATA;
1085 }
1086 return res;
1087 }
1088
1089 int
pgp_decrypt(PGP_Context * ctx,MBuf * msrc,MBuf * mdst)1090 pgp_decrypt(PGP_Context *ctx, MBuf *msrc, MBuf *mdst)
1091 {
1092 int res;
1093 PullFilter *src = NULL;
1094 PullFilter *pkt = NULL;
1095 uint8 tag;
1096 int len;
1097 int got_key = 0;
1098 int got_data = 0;
1099
1100 res = pullf_create_mbuf_reader(&src, msrc);
1101
1102 while (res >= 0)
1103 {
1104 res = pgp_parse_pkt_hdr(src, &tag, &len, NO_CTX_SIZE);
1105 if (res <= 0)
1106 break;
1107
1108 res = pgp_create_pkt_reader(&pkt, src, len, res, ctx);
1109 if (res < 0)
1110 break;
1111
1112 res = PXE_PGP_CORRUPT_DATA;
1113 switch (tag)
1114 {
1115 case PGP_PKT_MARKER:
1116 res = pgp_skip_packet(pkt);
1117 break;
1118 case PGP_PKT_PUBENCRYPTED_SESSKEY:
1119 /* fixme: skip those */
1120 res = pgp_parse_pubenc_sesskey(ctx, pkt);
1121 got_key = 1;
1122 break;
1123 case PGP_PKT_SYMENCRYPTED_SESSKEY:
1124 if (got_key)
1125
1126 /*
1127 * Theoretically, there could be several keys, both public
1128 * and symmetric, all of which encrypt same session key.
1129 * Decrypt should try with each one, before failing.
1130 */
1131 px_debug("pgp_decrypt: using first of several keys");
1132 else
1133 {
1134 got_key = 1;
1135 res = parse_symenc_sesskey(ctx, pkt);
1136 }
1137 break;
1138 case PGP_PKT_SYMENCRYPTED_DATA:
1139 if (!got_key)
1140 px_debug("pgp_decrypt: have data but no key");
1141 else if (got_data)
1142 px_debug("pgp_decrypt: got second data packet");
1143 else
1144 {
1145 got_data = 1;
1146 ctx->disable_mdc = 1;
1147 res = parse_symenc_data(ctx, pkt, mdst);
1148 }
1149 break;
1150 case PGP_PKT_SYMENCRYPTED_DATA_MDC:
1151 if (!got_key)
1152 px_debug("pgp_decrypt: have data but no key");
1153 else if (got_data)
1154 px_debug("pgp_decrypt: several data pkts not supported");
1155 else
1156 {
1157 got_data = 1;
1158 ctx->disable_mdc = 0;
1159 res = parse_symenc_mdc_data(ctx, pkt, mdst);
1160 }
1161 break;
1162 default:
1163 px_debug("pgp_decrypt: unknown tag: 0x%02x", tag);
1164 }
1165 pullf_free(pkt);
1166 pkt = NULL;
1167 }
1168
1169 if (pkt)
1170 pullf_free(pkt);
1171
1172 if (src)
1173 pullf_free(src);
1174
1175 if (res < 0)
1176 return res;
1177
1178 /*
1179 * Report a failure of the prefix_init() "quick check" now, rather than
1180 * upon detection, to hinder timing attacks. pgcrypto is not generally
1181 * secure against timing attacks, but this helps.
1182 */
1183 if (!got_data || ctx->corrupt_prefix)
1184 return PXE_PGP_CORRUPT_DATA;
1185
1186 /*
1187 * Code interpreting purportedly-decrypted data prior to this stage shall
1188 * report no error other than PXE_PGP_CORRUPT_DATA. (PXE_BUG is okay so
1189 * long as it remains unreachable.) This ensures that an attacker able to
1190 * choose a ciphertext and receive a corresponding decryption error
1191 * message cannot use that oracle to gather clues about the decryption
1192 * key. See "An Attack on CFB Mode Encryption As Used By OpenPGP" by
1193 * Serge Mister and Robert Zuccherato.
1194 *
1195 * A problematic value in the first octet of a Literal Data or Compressed
1196 * Data packet may indicate a simple user error, such as the need to call
1197 * pgp_sym_decrypt_bytea instead of pgp_sym_decrypt. Occasionally,
1198 * though, it is the first symptom of the encryption key not matching the
1199 * decryption key. When this was the only problem encountered, report a
1200 * specific error to guide the user; otherwise, we will have reported
1201 * PXE_PGP_CORRUPT_DATA before now. A key mismatch makes the other errors
1202 * into red herrings, and this avoids leaking clues to attackers.
1203 */
1204 if (ctx->unsupported_compr)
1205 return PXE_PGP_UNSUPPORTED_COMPR;
1206 if (ctx->unexpected_binary)
1207 return PXE_PGP_NOT_TEXT;
1208
1209 return res;
1210 }
1211