PostgreSQL Source Code  git master
pgp-decrypt.c
Go to the documentation of this file.
1 /*
2  * pgp-decrypt.c
3  * OpenPGP decrypt.
4  *
5  * Copyright (c) 2005 Marko Kreen
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  * notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  * notice, this list of conditions and the following disclaimer in the
15  * documentation and/or other materials provided with the distribution.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27  * SUCH DAMAGE.
28  *
29  * contrib/pgcrypto/pgp-decrypt.c
30  */
31 
32 #include "postgres.h"
33 
34 #include "px.h"
35 #include "mbuf.h"
36 #include "pgp.h"
37 
38 #define NO_CTX_SIZE 0
39 #define ALLOW_CTX_SIZE 1
40 #define NO_COMPR 0
41 #define ALLOW_COMPR 1
42 #define NO_MDC 0
43 #define NEED_MDC 1
44 
45 #define PKT_NORMAL 1
46 #define PKT_STREAM 2
47 #define PKT_CONTEXT 3
48 
49 #define MAX_CHUNK (16*1024*1024)
50 
51 static int
52 parse_new_len(PullFilter *src, int *len_p)
53 {
54  uint8 b;
55  int len;
56  int pkttype = PKT_NORMAL;
57 
58  GETBYTE(src, b);
59  if (b <= 191)
60  len = b;
61  else if (b >= 192 && b <= 223)
62  {
63  len = ((unsigned) (b) - 192) << 8;
64  GETBYTE(src, b);
65  len += 192 + b;
66  }
67  else if (b == 255)
68  {
69  GETBYTE(src, b);
70  len = b;
71  GETBYTE(src, b);
72  len = (len << 8) | b;
73  GETBYTE(src, b);
74  len = (len << 8) | b;
75  GETBYTE(src, b);
76  len = (len << 8) | b;
77  }
78  else
79  {
80  len = 1 << (b & 0x1F);
81  pkttype = PKT_STREAM;
82  }
83 
84  if (len < 0 || len > MAX_CHUNK)
85  {
86  px_debug("parse_new_len: weird length");
87  return PXE_PGP_CORRUPT_DATA;
88  }
89 
90  *len_p = len;
91  return pkttype;
92 }
93 
94 static int
95 parse_old_len(PullFilter *src, int *len_p, int lentype)
96 {
97  uint8 b;
98  int len;
99 
100  GETBYTE(src, b);
101  len = b;
102 
103  if (lentype == 1)
104  {
105  GETBYTE(src, b);
106  len = (len << 8) | b;
107  }
108  else if (lentype == 2)
109  {
110  GETBYTE(src, b);
111  len = (len << 8) | b;
112  GETBYTE(src, b);
113  len = (len << 8) | b;
114  GETBYTE(src, b);
115  len = (len << 8) | b;
116  }
117 
118  if (len < 0 || len > MAX_CHUNK)
119  {
120  px_debug("parse_old_len: weird length");
121  return PXE_PGP_CORRUPT_DATA;
122  }
123  *len_p = len;
124  return PKT_NORMAL;
125 }
126 
127 /* returns pkttype or 0 on eof */
128 int
129 pgp_parse_pkt_hdr(PullFilter *src, uint8 *tag, int *len_p, int allow_ctx)
130 {
131  int lentype;
132  int res;
133  uint8 *p;
134 
135  /* EOF is normal here, thus we don't use GETBYTE */
136  res = pullf_read(src, 1, &p);
137  if (res < 0)
138  return res;
139  if (res == 0)
140  return 0;
141 
142  if ((*p & 0x80) == 0)
143  {
144  px_debug("pgp_parse_pkt_hdr: not pkt hdr");
145  return PXE_PGP_CORRUPT_DATA;
146  }
147 
148  if (*p & 0x40)
149  {
150  *tag = *p & 0x3f;
151  res = parse_new_len(src, len_p);
152  }
153  else
154  {
155  lentype = *p & 3;
156  *tag = (*p >> 2) & 0x0F;
157  if (lentype == 3)
158  res = allow_ctx ? PKT_CONTEXT : PXE_PGP_CORRUPT_DATA;
159  else
160  res = parse_old_len(src, len_p, lentype);
161  }
162  return res;
163 }
164 
165 /*
166  * Packet reader
167  */
168 struct PktData
169 {
170  int type;
171  int len;
172 };
173 
174 static int
175 pktreader_pull(void *priv, PullFilter *src, int len,
176  uint8 **data_p, uint8 *buf, int buflen)
177 {
178  int res;
179  struct PktData *pkt = priv;
180 
181  /* PKT_CONTEXT means: whatever there is */
182  if (pkt->type == PKT_CONTEXT)
183  return pullf_read(src, len, data_p);
184 
185  while (pkt->len == 0)
186  {
187  /* this was last chunk in stream */
188  if (pkt->type == PKT_NORMAL)
189  return 0;
190 
191  /* next chunk in stream */
192  res = parse_new_len(src, &pkt->len);
193  if (res < 0)
194  return res;
195  pkt->type = res;
196  }
197 
198  if (len > pkt->len)
199  len = pkt->len;
200 
201  res = pullf_read(src, len, data_p);
202  if (res > 0)
203  pkt->len -= res;
204 
205  return res;
206 }
207 
208 static void
209 pktreader_free(void *priv)
210 {
211  struct PktData *pkt = priv;
212 
213  px_memset(pkt, 0, sizeof(*pkt));
214  px_free(pkt);
215 }
216 
219 };
220 
221 /* needs helper function to pass several parameters */
222 int
224  int pkttype, PGP_Context *ctx)
225 {
226  int res;
227  struct PktData *pkt = px_alloc(sizeof(*pkt));
228 
229  pkt->type = pkttype;
230  pkt->len = len;
231  res = pullf_create(pf_p, &pktreader_filter, pkt, src);
232  if (res < 0)
233  px_free(pkt);
234  return res;
235 }
236 
237 /*
238  * Prefix check filter
239  * https://tools.ietf.org/html/rfc4880#section-5.7
240  * https://tools.ietf.org/html/rfc4880#section-5.13
241  */
242 
243 static int
244 prefix_init(void **priv_p, void *arg, PullFilter *src)
245 {
246  PGP_Context *ctx = arg;
247  int len;
248  int res;
249  uint8 *buf;
251 
253  if (len > sizeof(tmpbuf))
254  return PXE_BUG;
255 
256  res = pullf_read_max(src, len + 2, &buf, tmpbuf);
257  if (res < 0)
258  return res;
259  if (res != len + 2)
260  {
261  px_debug("prefix_init: short read");
262  px_memset(tmpbuf, 0, sizeof(tmpbuf));
263  return PXE_PGP_CORRUPT_DATA;
264  }
265 
266  if (buf[len - 2] != buf[len] || buf[len - 1] != buf[len + 1])
267  {
268  px_debug("prefix_init: corrupt prefix");
269  /* report error in pgp_decrypt() */
270  ctx->corrupt_prefix = 1;
271  }
272  px_memset(tmpbuf, 0, sizeof(tmpbuf));
273  return 0;
274 }
275 
276 static struct PullFilterOps prefix_filter = {
277  prefix_init, NULL, NULL
278 };
279 
280 
281 /*
282  * Decrypt filter
283  */
284 
285 static int
286 decrypt_init(void **priv_p, void *arg, PullFilter *src)
287 {
288  PGP_CFB *cfb = arg;
289 
290  *priv_p = cfb;
291 
292  /* we need to write somewhere, so ask for a buffer */
293  return 4096;
294 }
295 
296 static int
297 decrypt_read(void *priv, PullFilter *src, int len,
298  uint8 **data_p, uint8 *buf, int buflen)
299 {
300  PGP_CFB *cfb = priv;
301  uint8 *tmp;
302  int res;
303 
304  res = pullf_read(src, len, &tmp);
305  if (res > 0)
306  {
307  pgp_cfb_decrypt(cfb, tmp, res, buf);
308  *data_p = buf;
309  }
310  return res;
311 }
312 
315 };
316 
317 
318 /*
319  * MDC hasher filter
320  */
321 
322 static int
323 mdc_init(void **priv_p, void *arg, PullFilter *src)
324 {
325  PGP_Context *ctx = arg;
326 
327  *priv_p = ctx;
328  return pgp_load_digest(PGP_DIGEST_SHA1, &ctx->mdc_ctx);
329 }
330 
331 static void
332 mdc_free(void *priv)
333 {
334  PGP_Context *ctx = priv;
335 
336  if (ctx->use_mdcbuf_filter)
337  return;
338  px_md_free(ctx->mdc_ctx);
339  ctx->mdc_ctx = NULL;
340 }
341 
342 static int
344 {
345  int res;
346  uint8 hash[20];
347  uint8 tmpbuf[20];
348  uint8 *data;
349 
350  /* should not happen */
351  if (ctx->use_mdcbuf_filter)
352  return PXE_BUG;
353 
354  /* It's SHA1 */
355  if (len != 20)
356  return PXE_PGP_CORRUPT_DATA;
357 
358  /* mdc_read should not call px_md_update */
359  ctx->in_mdc_pkt = 1;
360 
361  /* read data */
362  res = pullf_read_max(src, len, &data, tmpbuf);
363  if (res < 0)
364  return res;
365  if (res == 0)
366  {
367  px_debug("no mdc");
368  return PXE_PGP_CORRUPT_DATA;
369  }
370 
371  /* is the packet sane? */
372  if (res != 20)
373  {
374  px_debug("mdc_finish: read failed, res=%d", res);
375  return PXE_PGP_CORRUPT_DATA;
376  }
377 
378  /*
379  * ok, we got the hash, now check
380  */
381  px_md_finish(ctx->mdc_ctx, hash);
382  res = memcmp(hash, data, 20);
383  px_memset(hash, 0, 20);
384  px_memset(tmpbuf, 0, sizeof(tmpbuf));
385  if (res != 0)
386  {
387  px_debug("mdc_finish: mdc failed");
388  return PXE_PGP_CORRUPT_DATA;
389  }
390  ctx->mdc_checked = 1;
391  return 0;
392 }
393 
394 static int
395 mdc_read(void *priv, PullFilter *src, int len,
396  uint8 **data_p, uint8 *buf, int buflen)
397 {
398  int res;
399  PGP_Context *ctx = priv;
400 
401  /* skip this filter? */
402  if (ctx->use_mdcbuf_filter || ctx->in_mdc_pkt)
403  return pullf_read(src, len, data_p);
404 
405  res = pullf_read(src, len, data_p);
406  if (res < 0)
407  return res;
408  if (res == 0)
409  {
410  px_debug("mdc_read: unexpected eof");
411  return PXE_PGP_CORRUPT_DATA;
412  }
413  px_md_update(ctx->mdc_ctx, *data_p, res);
414 
415  return res;
416 }
417 
418 static struct PullFilterOps mdc_filter = {
420 };
421 
422 
423 /*
424  * Combined Pkt reader and MDC hasher.
425  *
426  * For the case of SYMENCRYPTED_DATA_MDC packet, where
427  * the data part has 'context length', which means
428  * that data packet ends 22 bytes before end of parent
429  * packet, which is silly.
430  */
431 #define MDCBUF_LEN 8192
433 {
435  int eof;
436  int buflen;
437  int avail;
440  uint8 mdc_buf[22];
442 };
443 
444 static int
445 mdcbuf_init(void **priv_p, void *arg, PullFilter *src)
446 {
447  PGP_Context *ctx = arg;
448  struct MDCBufData *st;
449 
450  st = px_alloc(sizeof(*st));
451  memset(st, 0, sizeof(*st));
452  st->buflen = sizeof(st->buf);
453  st->ctx = ctx;
454  *priv_p = st;
455 
456  /* take over the work of mdc_filter */
457  ctx->use_mdcbuf_filter = 1;
458 
459  return 0;
460 }
461 
462 static int
464 {
465  uint8 hash[20];
466  int res;
467 
468  st->eof = 1;
469 
470  if (st->mdc_buf[0] != 0xD3 || st->mdc_buf[1] != 0x14)
471  {
472  px_debug("mdcbuf_finish: bad MDC pkt hdr");
473  return PXE_PGP_CORRUPT_DATA;
474  }
475  px_md_update(st->ctx->mdc_ctx, st->mdc_buf, 2);
476  px_md_finish(st->ctx->mdc_ctx, hash);
477  res = memcmp(hash, st->mdc_buf + 2, 20);
478  px_memset(hash, 0, 20);
479  if (res)
480  {
481  px_debug("mdcbuf_finish: MDC does not match");
482  res = PXE_PGP_CORRUPT_DATA;
483  }
484  return res;
485 }
486 
487 static void
488 mdcbuf_load_data(struct MDCBufData *st, uint8 *src, int len)
489 {
490  uint8 *dst = st->pos + st->avail;
491 
492  memcpy(dst, src, len);
493  px_md_update(st->ctx->mdc_ctx, src, len);
494  st->avail += len;
495 }
496 
497 static void
498 mdcbuf_load_mdc(struct MDCBufData *st, uint8 *src, int len)
499 {
500  memmove(st->mdc_buf + st->mdc_avail, src, len);
501  st->mdc_avail += len;
502 }
503 
504 static int
506 {
507  uint8 *data;
508  int res;
509  int need;
510 
511  /* put avail data in start */
512  if (st->avail > 0 && st->pos != st->buf)
513  memmove(st->buf, st->pos, st->avail);
514  st->pos = st->buf;
515 
516  /* read new data */
517  need = st->buflen + 22 - st->avail - st->mdc_avail;
518  res = pullf_read(src, need, &data);
519  if (res < 0)
520  return res;
521  if (res == 0)
522  return mdcbuf_finish(st);
523 
524  /* add to buffer */
525  if (res >= 22)
526  {
527  mdcbuf_load_data(st, st->mdc_buf, st->mdc_avail);
528  st->mdc_avail = 0;
529 
530  mdcbuf_load_data(st, data, res - 22);
531  mdcbuf_load_mdc(st, data + res - 22, 22);
532  }
533  else
534  {
535  int canmove = st->mdc_avail + res - 22;
536 
537  if (canmove > 0)
538  {
539  mdcbuf_load_data(st, st->mdc_buf, canmove);
540  st->mdc_avail -= canmove;
541  memmove(st->mdc_buf, st->mdc_buf + canmove, st->mdc_avail);
542  }
543  mdcbuf_load_mdc(st, data, res);
544  }
545  return 0;
546 }
547 
548 static int
549 mdcbuf_read(void *priv, PullFilter *src, int len,
550  uint8 **data_p, uint8 *buf, int buflen)
551 {
552  struct MDCBufData *st = priv;
553  int res;
554 
555  if (!st->eof && len > st->avail)
556  {
557  res = mdcbuf_refill(st, src);
558  if (res < 0)
559  return res;
560  }
561 
562  if (len > st->avail)
563  len = st->avail;
564 
565  *data_p = st->pos;
566  st->pos += len;
567  st->avail -= len;
568  return len;
569 }
570 
571 static void
572 mdcbuf_free(void *priv)
573 {
574  struct MDCBufData *st = priv;
575 
576  px_md_free(st->ctx->mdc_ctx);
577  st->ctx->mdc_ctx = NULL;
578  px_memset(st, 0, sizeof(*st));
579  px_free(st);
580 }
581 
582 static struct PullFilterOps mdcbuf_filter = {
584 };
585 
586 
587 /*
588  * Decrypt separate session key
589  */
590 static int
591 decrypt_key(PGP_Context *ctx, const uint8 *src, int len)
592 {
593  int res;
594  uint8 algo;
595  PGP_CFB *cfb;
596 
597  res = pgp_cfb_create(&cfb, ctx->s2k_cipher_algo,
598  ctx->s2k.key, ctx->s2k.key_len, 0, NULL);
599  if (res < 0)
600  return res;
601 
602  pgp_cfb_decrypt(cfb, src, 1, &algo);
603  src++;
604  len--;
605 
606  pgp_cfb_decrypt(cfb, src, len, ctx->sess_key);
607  pgp_cfb_free(cfb);
608  ctx->sess_key_len = len;
609  ctx->cipher_algo = algo;
610 
611  if (pgp_get_cipher_key_size(algo) != len)
612  {
613  px_debug("sesskey bad len: algo=%d, expected=%d, got=%d",
614  algo, pgp_get_cipher_key_size(algo), len);
615  return PXE_PGP_CORRUPT_DATA;
616  }
617  return 0;
618 }
619 
620 /*
621  * Handle key packet
622  */
623 static int
625 {
626  uint8 *p;
627  int res;
628  uint8 tmpbuf[PGP_MAX_KEY + 2];
629  uint8 ver;
630 
631  GETBYTE(src, ver);
632  GETBYTE(src, ctx->s2k_cipher_algo);
633  if (ver != 4)
634  {
635  px_debug("bad key pkt ver");
636  return PXE_PGP_CORRUPT_DATA;
637  }
638 
639  /*
640  * read S2K info
641  */
642  res = pgp_s2k_read(src, &ctx->s2k);
643  if (res < 0)
644  return res;
645  ctx->s2k_mode = ctx->s2k.mode;
646  ctx->s2k_count = s2k_decode_count(ctx->s2k.iter);
647  ctx->s2k_digest_algo = ctx->s2k.digest_algo;
648 
649  /*
650  * generate key from password
651  */
652  res = pgp_s2k_process(&ctx->s2k, ctx->s2k_cipher_algo,
653  ctx->sym_key, ctx->sym_key_len);
654  if (res < 0)
655  return res;
656 
657  /*
658  * do we have separate session key?
659  */
660  res = pullf_read_max(src, PGP_MAX_KEY + 2, &p, tmpbuf);
661  if (res < 0)
662  return res;
663 
664  if (res == 0)
665  {
666  /*
667  * no, s2k key is session key
668  */
669  memcpy(ctx->sess_key, ctx->s2k.key, ctx->s2k.key_len);
670  ctx->sess_key_len = ctx->s2k.key_len;
671  ctx->cipher_algo = ctx->s2k_cipher_algo;
672  res = 0;
673  ctx->use_sess_key = 0;
674  }
675  else
676  {
677  /*
678  * yes, decrypt it
679  */
680  if (res < 17 || res > PGP_MAX_KEY + 1)
681  {
682  px_debug("expect key, but bad data");
683  return PXE_PGP_CORRUPT_DATA;
684  }
685  ctx->use_sess_key = 1;
686  res = decrypt_key(ctx, p, res);
687  }
688 
689  px_memset(tmpbuf, 0, sizeof(tmpbuf));
690  return res;
691 }
692 
693 static int
694 copy_crlf(MBuf *dst, uint8 *data, int len, int *got_cr)
695 {
696  uint8 *data_end = data + len;
697  uint8 tmpbuf[1024];
698  uint8 *tmp_end = tmpbuf + sizeof(tmpbuf);
699  uint8 *p;
700  int res;
701 
702  p = tmpbuf;
703  if (*got_cr)
704  {
705  if (*data != '\n')
706  *p++ = '\r';
707  *got_cr = 0;
708  }
709  while (data < data_end)
710  {
711  if (*data == '\r')
712  {
713  if (data + 1 < data_end)
714  {
715  if (*(data + 1) == '\n')
716  data++;
717  }
718  else
719  {
720  *got_cr = 1;
721  break;
722  }
723  }
724  *p++ = *data++;
725  if (p >= tmp_end)
726  {
727  res = mbuf_append(dst, tmpbuf, p - tmpbuf);
728  if (res < 0)
729  return res;
730  p = tmpbuf;
731  }
732  }
733  if (p - tmpbuf > 0)
734  {
735  res = mbuf_append(dst, tmpbuf, p - tmpbuf);
736  if (res < 0)
737  return res;
738  }
739  px_memset(tmpbuf, 0, sizeof(tmpbuf));
740  return 0;
741 }
742 
743 static int
745 {
746  int type;
747  int name_len;
748  int res;
749  uint8 *buf;
750  uint8 tmpbuf[4];
751  int got_cr = 0;
752 
753  GETBYTE(pkt, type);
754  GETBYTE(pkt, name_len);
755 
756  /* skip name */
757  while (name_len > 0)
758  {
759  res = pullf_read(pkt, name_len, &buf);
760  if (res < 0)
761  return res;
762  if (res == 0)
763  break;
764  name_len -= res;
765  }
766  if (name_len > 0)
767  {
768  px_debug("parse_literal_data: unexpected eof");
769  return PXE_PGP_CORRUPT_DATA;
770  }
771 
772  /* skip date */
773  res = pullf_read_max(pkt, 4, &buf, tmpbuf);
774  if (res != 4)
775  {
776  px_debug("parse_literal_data: unexpected eof");
777  return PXE_PGP_CORRUPT_DATA;
778  }
779  px_memset(tmpbuf, 0, 4);
780 
781  /*
782  * If called from an SQL function that returns text, pgp_decrypt() rejects
783  * inputs not self-identifying as text.
784  */
785  if (ctx->text_mode)
786  if (type != 't' && type != 'u')
787  {
788  px_debug("parse_literal_data: data type=%c", type);
789  ctx->unexpected_binary = true;
790  }
791 
792  ctx->unicode_mode = (type == 'u') ? 1 : 0;
793 
794  /* read data */
795  while (1)
796  {
797  res = pullf_read(pkt, 32 * 1024, &buf);
798  if (res <= 0)
799  break;
800 
801  if (ctx->text_mode && ctx->convert_crlf)
802  res = copy_crlf(dst, buf, res, &got_cr);
803  else
804  res = mbuf_append(dst, buf, res);
805  if (res < 0)
806  break;
807  }
808  if (res >= 0 && got_cr)
809  res = mbuf_append(dst, (const uint8 *) "\r", 1);
810  return res;
811 }
812 
813 /* process_data_packets and parse_compressed_data call each other */
814 static int process_data_packets(PGP_Context *ctx, MBuf *dst,
815  PullFilter *src, int allow_compr, int need_mdc);
816 
817 static int
819 {
820  int res;
821  uint8 type;
822  PullFilter *pf_decompr;
823  uint8 *discard_buf;
824 
825  GETBYTE(pkt, type);
826 
827  ctx->compress_algo = type;
828  switch (type)
829  {
830  case PGP_COMPR_NONE:
831  res = process_data_packets(ctx, dst, pkt, NO_COMPR, NO_MDC);
832  break;
833 
834  case PGP_COMPR_ZIP:
835  case PGP_COMPR_ZLIB:
836  res = pgp_decompress_filter(&pf_decompr, ctx, pkt);
837  if (res >= 0)
838  {
839  res = process_data_packets(ctx, dst, pf_decompr,
840  NO_COMPR, NO_MDC);
841  pullf_free(pf_decompr);
842  }
843  break;
844 
845  case PGP_COMPR_BZIP2:
846  px_debug("parse_compressed_data: bzip2 unsupported");
847  /* report error in pgp_decrypt() */
848  ctx->unsupported_compr = 1;
849 
850  /*
851  * Discard the compressed data, allowing it to first affect any
852  * MDC digest computation.
853  */
854  while (1)
855  {
856  res = pullf_read(pkt, 32 * 1024, &discard_buf);
857  if (res <= 0)
858  break;
859  }
860 
861  break;
862 
863  default:
864  px_debug("parse_compressed_data: unknown compr type");
865  res = PXE_PGP_CORRUPT_DATA;
866  }
867 
868  return res;
869 }
870 
871 static int
873  int allow_compr, int need_mdc)
874 {
875  uint8 tag;
876  int len,
877  res;
878  int got_data = 0;
879  int got_mdc = 0;
880  PullFilter *pkt = NULL;
881 
882  while (1)
883  {
884  res = pgp_parse_pkt_hdr(src, &tag, &len, ALLOW_CTX_SIZE);
885  if (res <= 0)
886  break;
887 
888 
889  /* mdc packet should be last */
890  if (got_mdc)
891  {
892  px_debug("process_data_packets: data after mdc");
893  res = PXE_PGP_CORRUPT_DATA;
894  break;
895  }
896 
897  /*
898  * Context length inside SYMENCRYPTED_DATA_MDC packet needs special
899  * handling.
900  */
901  if (need_mdc && res == PKT_CONTEXT)
902  res = pullf_create(&pkt, &mdcbuf_filter, ctx, src);
903  else
904  res = pgp_create_pkt_reader(&pkt, src, len, res, ctx);
905  if (res < 0)
906  break;
907 
908  switch (tag)
909  {
911  got_data = 1;
912  res = parse_literal_data(ctx, dst, pkt);
913  break;
915  if (allow_compr == 0)
916  {
917  px_debug("process_data_packets: unexpected compression");
918  res = PXE_PGP_CORRUPT_DATA;
919  }
920  else if (got_data)
921  {
922  /*
923  * compr data must be alone
924  */
925  px_debug("process_data_packets: only one cmpr pkt allowed");
926  res = PXE_PGP_CORRUPT_DATA;
927  }
928  else
929  {
930  got_data = 1;
931  res = parse_compressed_data(ctx, dst, pkt);
932  }
933  break;
934  case PGP_PKT_MDC:
935  if (need_mdc == NO_MDC)
936  {
937  px_debug("process_data_packets: unexpected MDC");
938  res = PXE_PGP_CORRUPT_DATA;
939  break;
940  }
941 
942  res = mdc_finish(ctx, pkt, len);
943  if (res >= 0)
944  got_mdc = 1;
945  break;
946  default:
947  px_debug("process_data_packets: unexpected pkt tag=%d", tag);
948  res = PXE_PGP_CORRUPT_DATA;
949  }
950 
951  pullf_free(pkt);
952  pkt = NULL;
953 
954  if (res < 0)
955  break;
956  }
957 
958  if (pkt)
959  pullf_free(pkt);
960 
961  if (res < 0)
962  return res;
963 
964  if (!got_data)
965  {
966  px_debug("process_data_packets: no data");
967  res = PXE_PGP_CORRUPT_DATA;
968  }
969  if (need_mdc && !got_mdc && !ctx->use_mdcbuf_filter)
970  {
971  px_debug("process_data_packets: got no mdc");
972  res = PXE_PGP_CORRUPT_DATA;
973  }
974  return res;
975 }
976 
977 static int
979 {
980  int res;
981  PGP_CFB *cfb = NULL;
982  PullFilter *pf_decrypt = NULL;
983  PullFilter *pf_prefix = NULL;
984 
985  res = pgp_cfb_create(&cfb, ctx->cipher_algo,
986  ctx->sess_key, ctx->sess_key_len, 1, NULL);
987  if (res < 0)
988  goto out;
989 
990  res = pullf_create(&pf_decrypt, &pgp_decrypt_filter, cfb, pkt);
991  if (res < 0)
992  goto out;
993 
994  res = pullf_create(&pf_prefix, &prefix_filter, ctx, pf_decrypt);
995  if (res < 0)
996  goto out;
997 
998  res = process_data_packets(ctx, dst, pf_prefix, ALLOW_COMPR, NO_MDC);
999 
1000 out:
1001  if (pf_prefix)
1002  pullf_free(pf_prefix);
1003  if (pf_decrypt)
1004  pullf_free(pf_decrypt);
1005  if (cfb)
1006  pgp_cfb_free(cfb);
1007 
1008  return res;
1009 }
1010 
1011 static int
1013 {
1014  int res;
1015  PGP_CFB *cfb = NULL;
1016  PullFilter *pf_decrypt = NULL;
1017  PullFilter *pf_prefix = NULL;
1018  PullFilter *pf_mdc = NULL;
1019  uint8 ver;
1020 
1021  GETBYTE(pkt, ver);
1022  if (ver != 1)
1023  {
1024  px_debug("parse_symenc_mdc_data: pkt ver != 1");
1025  return PXE_PGP_CORRUPT_DATA;
1026  }
1027 
1028  res = pgp_cfb_create(&cfb, ctx->cipher_algo,
1029  ctx->sess_key, ctx->sess_key_len, 0, NULL);
1030  if (res < 0)
1031  goto out;
1032 
1033  res = pullf_create(&pf_decrypt, &pgp_decrypt_filter, cfb, pkt);
1034  if (res < 0)
1035  goto out;
1036 
1037  res = pullf_create(&pf_mdc, &mdc_filter, ctx, pf_decrypt);
1038  if (res < 0)
1039  goto out;
1040 
1041  res = pullf_create(&pf_prefix, &prefix_filter, ctx, pf_mdc);
1042  if (res < 0)
1043  goto out;
1044 
1045  res = process_data_packets(ctx, dst, pf_prefix, ALLOW_COMPR, NEED_MDC);
1046 
1047 out:
1048  if (pf_prefix)
1049  pullf_free(pf_prefix);
1050  if (pf_mdc)
1051  pullf_free(pf_mdc);
1052  if (pf_decrypt)
1053  pullf_free(pf_decrypt);
1054  if (cfb)
1055  pgp_cfb_free(cfb);
1056 
1057  return res;
1058 }
1059 
1060 /*
1061  * skip over packet contents
1062  */
1063 int
1065 {
1066  int res = 1;
1067  uint8 *tmp;
1068 
1069  while (res > 0)
1070  res = pullf_read(pkt, 32 * 1024, &tmp);
1071  return res;
1072 }
1073 
1074 /*
1075  * expect to be at packet end, any data is error
1076  */
1077 int
1079 {
1080  int res;
1081  uint8 *tmp;
1082 
1083  res = pullf_read(pkt, 32 * 1024, &tmp);
1084  if (res > 0)
1085  {
1086  px_debug("pgp_expect_packet_end: got data");
1087  return PXE_PGP_CORRUPT_DATA;
1088  }
1089  return res;
1090 }
1091 
1092 int
1093 pgp_decrypt(PGP_Context *ctx, MBuf *msrc, MBuf *mdst)
1094 {
1095  int res;
1096  PullFilter *src = NULL;
1097  PullFilter *pkt = NULL;
1098  uint8 tag;
1099  int len;
1100  int got_key = 0;
1101  int got_data = 0;
1102 
1103  res = pullf_create_mbuf_reader(&src, msrc);
1104 
1105  while (res >= 0)
1106  {
1107  res = pgp_parse_pkt_hdr(src, &tag, &len, NO_CTX_SIZE);
1108  if (res <= 0)
1109  break;
1110 
1111  res = pgp_create_pkt_reader(&pkt, src, len, res, ctx);
1112  if (res < 0)
1113  break;
1114 
1115  res = PXE_PGP_CORRUPT_DATA;
1116  switch (tag)
1117  {
1118  case PGP_PKT_MARKER:
1119  res = pgp_skip_packet(pkt);
1120  break;
1122  /* fixme: skip those */
1123  res = pgp_parse_pubenc_sesskey(ctx, pkt);
1124  got_key = 1;
1125  break;
1127  if (got_key)
1128 
1129  /*
1130  * Theoretically, there could be several keys, both public
1131  * and symmetric, all of which encrypt same session key.
1132  * Decrypt should try with each one, before failing.
1133  */
1134  px_debug("pgp_decrypt: using first of several keys");
1135  else
1136  {
1137  got_key = 1;
1138  res = parse_symenc_sesskey(ctx, pkt);
1139  }
1140  break;
1142  if (!got_key)
1143  px_debug("pgp_decrypt: have data but no key");
1144  else if (got_data)
1145  px_debug("pgp_decrypt: got second data packet");
1146  else
1147  {
1148  got_data = 1;
1149  ctx->disable_mdc = 1;
1150  res = parse_symenc_data(ctx, pkt, mdst);
1151  }
1152  break;
1154  if (!got_key)
1155  px_debug("pgp_decrypt: have data but no key");
1156  else if (got_data)
1157  px_debug("pgp_decrypt: several data pkts not supported");
1158  else
1159  {
1160  got_data = 1;
1161  ctx->disable_mdc = 0;
1162  res = parse_symenc_mdc_data(ctx, pkt, mdst);
1163  }
1164  break;
1165  default:
1166  px_debug("pgp_decrypt: unknown tag: 0x%02x", tag);
1167  }
1168  pullf_free(pkt);
1169  pkt = NULL;
1170  }
1171 
1172  if (pkt)
1173  pullf_free(pkt);
1174 
1175  if (src)
1176  pullf_free(src);
1177 
1178  if (res < 0)
1179  return res;
1180 
1181  /*
1182  * Report a failure of the prefix_init() "quick check" now, rather than
1183  * upon detection, to hinder timing attacks. pgcrypto is not generally
1184  * secure against timing attacks, but this helps.
1185  */
1186  if (!got_data || ctx->corrupt_prefix)
1187  return PXE_PGP_CORRUPT_DATA;
1188 
1189  /*
1190  * Code interpreting purportedly-decrypted data prior to this stage shall
1191  * report no error other than PXE_PGP_CORRUPT_DATA. (PXE_BUG is okay so
1192  * long as it remains unreachable.) This ensures that an attacker able to
1193  * choose a ciphertext and receive a corresponding decryption error
1194  * message cannot use that oracle to gather clues about the decryption
1195  * key. See "An Attack on CFB Mode Encryption As Used By OpenPGP" by
1196  * Serge Mister and Robert Zuccherato.
1197  *
1198  * A problematic value in the first octet of a Literal Data or Compressed
1199  * Data packet may indicate a simple user error, such as the need to call
1200  * pgp_sym_decrypt_bytea instead of pgp_sym_decrypt. Occasionally,
1201  * though, it is the first symptom of the encryption key not matching the
1202  * decryption key. When this was the only problem encountered, report a
1203  * specific error to guide the user; otherwise, we will have reported
1204  * PXE_PGP_CORRUPT_DATA before now. A key mismatch makes the other errors
1205  * into red herrings, and this avoids leaking clues to attackers.
1206  */
1207  if (ctx->unsupported_compr)
1209  if (ctx->unexpected_binary)
1210  return PXE_PGP_NOT_TEXT;
1211 
1212  return res;
1213 }
static int copy_crlf(MBuf *dst, uint8 *data, int len, int *got_cr)
Definition: pgp-decrypt.c:694
uint8 mode
Definition: pgp.h:124
static int parse_new_len(PullFilter *src, int *len_p)
Definition: pgp-decrypt.c:52
int use_mdcbuf_filter
Definition: pgp.h:161
static int decrypt_key(PGP_Context *ctx, const uint8 *src, int len)
Definition: pgp-decrypt.c:591
uint8 mdc_buf[22]
Definition: pgp-decrypt.c:440
#define PXE_PGP_CORRUPT_DATA
Definition: px.h:78
int sym_key_len
Definition: pgp.h:166
int pullf_read(PullFilter *pf, int len, uint8 **data_p)
Definition: mbuf.c:262
int in_mdc_pkt
Definition: pgp.h:160
int cipher_algo
Definition: pgp.h:144
static int parse_literal_data(PGP_Context *ctx, MBuf *dst, PullFilter *pkt)
Definition: pgp-decrypt.c:744
void pullf_free(PullFilter *pf)
Definition: mbuf.c:245
static struct PullFilterOps prefix_filter
Definition: pgp-decrypt.c:276
int pullf_create(PullFilter **pf_p, const PullFilterOps *op, void *init_arg, PullFilter *src)
Definition: mbuf.c:206
static int mdcbuf_finish(struct MDCBufData *st)
Definition: pgp-decrypt.c:463
#define NO_MDC
Definition: pgp-decrypt.c:42
int unexpected_binary
Definition: pgp.h:159
int pgp_parse_pkt_hdr(PullFilter *src, uint8 *tag, int *len_p, int allow_ctx)
Definition: pgp-decrypt.c:129
int unicode_mode
Definition: pgp.h:151
#define px_free(p)
Definition: px.h:46
#define px_md_update(md, data, dlen)
Definition: px.h:205
const uint8 * sym_key
Definition: pgp.h:165
unsigned char uint8
Definition: c.h:356
static int prefix_init(void **priv_p, void *arg, PullFilter *src)
Definition: pgp-decrypt.c:244
int pgp_cfb_decrypt(PGP_CFB *ctx, const uint8 *data, int len, uint8 *dst)
Definition: pgp-cfb.c:259
static int decrypt_read(void *priv, PullFilter *src, int len, uint8 **data_p, uint8 *buf, int buflen)
Definition: pgp-decrypt.c:297
static void mdcbuf_load_data(struct MDCBufData *st, uint8 *src, int len)
Definition: pgp-decrypt.c:488
static int parse_symenc_mdc_data(PGP_Context *ctx, PullFilter *pkt, MBuf *dst)
Definition: pgp-decrypt.c:1012
int pullf_create_mbuf_reader(PullFilter **mp_p, MBuf *src)
Definition: mbuf.c:352
int pgp_skip_packet(PullFilter *pkt)
Definition: pgp-decrypt.c:1064
int unsupported_compr
Definition: pgp.h:158
int pgp_parse_pubenc_sesskey(PGP_Context *ctx, PullFilter *pkt)
Definition: pgp-pubdec.c:150
#define px_md_finish(md, buf)
Definition: px.h:206
int disable_mdc
Definition: pgp.h:147
#define PGP_MAX_BLOCK
Definition: pgp.h:113
uint8 digest_algo
Definition: pgp.h:125
int use_sess_key
Definition: pgp.h:148
uint8 buf[MDCBUF_LEN]
Definition: pgp-decrypt.c:441
#define NO_CTX_SIZE
Definition: pgp-decrypt.c:38
#define PXE_PGP_UNSUPPORTED_COMPR
Definition: px.h:80
#define MDCBUF_LEN
Definition: pgp-decrypt.c:431
uint8 sess_key[PGP_MAX_KEY]
Definition: pgp.h:171
#define GETBYTE(x, i)
Definition: hstore_gist.c:29
#define PGP_MAX_KEY
Definition: pgp.h:112
#define NEED_MDC
Definition: pgp-decrypt.c:43
#define ALLOW_COMPR
Definition: pgp-decrypt.c:41
int pgp_create_pkt_reader(PullFilter **pf_p, PullFilter *src, int len, int pkttype, PGP_Context *ctx)
Definition: pgp-decrypt.c:223
static void mdc_free(void *priv)
Definition: pgp-decrypt.c:332
static char * buf
Definition: pg_test_fsync.c:68
#define PXE_PGP_NOT_TEXT
Definition: px.h:84
#define PKT_STREAM
Definition: pgp-decrypt.c:46
PGP_Context * ctx
Definition: pgp-decrypt.c:434
#define memmove(d, s, c)
Definition: c.h:1238
static int parse_old_len(PullFilter *src, int *len_p, int lentype)
Definition: pgp-decrypt.c:95
static void mdcbuf_free(void *priv)
Definition: pgp-decrypt.c:572
uint8 key[PGP_MAX_KEY]
Definition: pgp.h:129
int compress_algo
Definition: pgp.h:145
#define PKT_CONTEXT
Definition: pgp-decrypt.c:47
PX_MD * mdc_ctx
Definition: pgp.h:162
static void pktreader_free(void *priv)
Definition: pgp-decrypt.c:209
static int mdc_read(void *priv, PullFilter *src, int len, uint8 **data_p, uint8 *buf, int buflen)
Definition: pgp-decrypt.c:395
int pgp_get_cipher_key_size(int code)
Definition: pgp.c:147
#define PXE_BUG
Definition: px.h:70
int pgp_expect_packet_end(PullFilter *pkt)
Definition: pgp-decrypt.c:1078
int corrupt_prefix
Definition: pgp.h:157
static int parse_symenc_sesskey(PGP_Context *ctx, PullFilter *src)
Definition: pgp-decrypt.c:624
int pgp_s2k_process(PGP_S2K *s2k, int cipher, const uint8 *key, int key_len)
Definition: pgp-s2k.c:280
int mbuf_append(MBuf *dst, const uint8 *buf, int len)
Definition: mbuf.c:102
struct PullFilterOps pgp_decrypt_filter
Definition: pgp-decrypt.c:313
#define px_md_free(md)
Definition: px.h:207
void pgp_cfb_free(PGP_CFB *ctx)
Definition: pgp-cfb.c:84
static int mdc_init(void **priv_p, void *arg, PullFilter *src)
Definition: pgp-decrypt.c:323
int type
Definition: pgp-decrypt.c:170
int pgp_decompress_filter(PullFilter **res, PGP_Context *ctx, PullFilter *src)
Definition: pgp-compress.c:323
int pgp_load_digest(int code, PX_MD **res)
Definition: pgp.c:183
int pgp_decrypt(PGP_Context *ctx, MBuf *msrc, MBuf *mdst)
Definition: pgp-decrypt.c:1093
#define NO_COMPR
Definition: pgp-decrypt.c:40
int mdc_checked
Definition: pgp.h:156
unsigned sess_key_len
Definition: pgp.h:172
static int mdcbuf_read(void *priv, PullFilter *src, int len, uint8 **data_p, uint8 *buf, int buflen)
Definition: pgp-decrypt.c:549
static int pktreader_pull(void *priv, PullFilter *src, int len, uint8 **data_p, uint8 *buf, int buflen)
Definition: pgp-decrypt.c:175
uint8 iter
Definition: pgp.h:127
int pgp_s2k_read(PullFilter *src, PGP_S2K *s2k)
Definition: pgp-s2k.c:254
void px_debug(const char *fmt,...)
Definition: px.c:152
int pgp_get_cipher_block_size(int code)
Definition: pgp.c:157
Definition: mbuf.c:39
static int mdc_finish(PGP_Context *ctx, PullFilter *src, int len)
Definition: pgp-decrypt.c:343
int s2k_cipher_algo
Definition: pgp.h:143
uint8 key_len
Definition: pgp.h:130
int convert_crlf
Definition: pgp.h:150
int pgp_cfb_create(PGP_CFB **ctx_p, int algo, const uint8 *key, int key_len, int resync, uint8 *iv)
Definition: pgp-cfb.c:52
uint8 * pos
Definition: pgp-decrypt.c:438
static StringInfoData tmpbuf
Definition: walsender.c:154
#define px_alloc(s)
Definition: px.h:44
static int mdcbuf_init(void **priv_p, void *arg, PullFilter *src)
Definition: pgp-decrypt.c:445
static struct PullFilterOps mdcbuf_filter
Definition: pgp-decrypt.c:582
int s2k_mode
Definition: pgp.h:140
static int process_data_packets(PGP_Context *ctx, MBuf *dst, PullFilter *src, int allow_compr, int need_mdc)
Definition: pgp-decrypt.c:872
int s2k_digest_algo
Definition: pgp.h:142
static int parse_compressed_data(PGP_Context *ctx, MBuf *dst, PullFilter *pkt)
Definition: pgp-decrypt.c:818
#define ALLOW_CTX_SIZE
Definition: pgp-decrypt.c:39
#define PKT_NORMAL
Definition: pgp-decrypt.c:45
void * arg
static int decrypt_init(void **priv_p, void *arg, PullFilter *src)
Definition: pgp-decrypt.c:286
static struct PullFilterOps pktreader_filter
Definition: pgp-decrypt.c:217
int text_mode
Definition: pgp.h:149
static int mdcbuf_refill(struct MDCBufData *st, PullFilter *src)
Definition: pgp-decrypt.c:505
static int parse_symenc_data(PGP_Context *ctx, PullFilter *pkt, MBuf *dst)
Definition: pgp-decrypt.c:978
PGP_S2K s2k
Definition: pgp.h:139
#define s2k_decode_count(cval)
Definition: pgp.h:176
static unsigned hash(unsigned *uv, int n)
Definition: rege_dfa.c:541
int s2k_count
Definition: pgp.h:141
void px_memset(void *ptr, int c, size_t len)
Definition: px.c:126
static void mdcbuf_load_mdc(struct MDCBufData *st, uint8 *src, int len)
Definition: pgp-decrypt.c:498
int pullf_read_max(PullFilter *pf, int len, uint8 **data_p, uint8 *tmpbuf)
Definition: mbuf.c:279
static struct PullFilterOps mdc_filter
Definition: pgp-decrypt.c:418
#define MAX_CHUNK
Definition: pgp-decrypt.c:49