Disable the "quick check" bytes for PK decryptions. This is in

regards to the Mister and Zuccherato attack on OpenPGP CFB mode.
2024-12-22 10:19:57 +01:00 · 2005-02-10 04:11:35 +00:00 · 2005-02-10 04:11:35 +00:00 · 4df22ba030
commit 4df22ba030
parent 658d1e7302
5 changed files with 25 additions and 6 deletions
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@ -1,3 +1,12 @@
+2005-02-09  David Shaw  <dshaw@jabberwocky.com>
+
+	* mainproc.c (proc_symkey_enc): Set a flag to indicate that a
+	particular session key came from a passphrase and not a PK.
+
+	* encr-data.c (decrypt_data): Use it here to turn off the "quick
+	check" bytes for PK decryptions.  This is in regards to the Mister
+	and Zuccherato attack on OpenPGP CFB mode.
+
 2004-11-29  David Shaw  <dshaw@jabberwocky.com>

 	* getkey.c (parse_key_usage): New function to parse out key usage
--- a/g10/encr-data.c
+++ b/g10/encr-data.c
@ -1,5 +1,5 @@
 /* encr-data.c -  process an encrypted data packet
- * Copyright (C) 1998, 1999, 2000, 2001 Free Software Foundation, Inc.
+ * Copyright (C) 1998, 1999, 2000, 2001, 2005 Free Software Foundation, Inc.
 *
 * This file is part of GnuPG.
 *
@ -120,7 +120,9 @@ decrypt_data( void *procctx, PKT_encrypted *ed, DEK *dek )
    cipher_sync( dfx.cipher_hd );
    p = temp;
 /* log_hexdump( "prefix", temp, nprefix+2 ); */
-    if( p[nprefix-2] != p[nprefix] || p[nprefix-1] != p[nprefix+1] ) {
+    if( dek->symmetric
+	&& (p[nprefix-2] != p[nprefix] || p[nprefix-1] != p[nprefix+1]) )
+      {
 	rc = G10ERR_BAD_KEY;
 	goto leave;
      }
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@ -1,6 +1,6 @@
 /* mainproc.c - handle packets
- * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003,
- *               2004 Free Software Foundation, Inc.
+ * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004,
+ *               2005 Free Software Foundation, Inc.
 *
 * This file is part of GnuPG.
 *
@ -317,6 +317,8 @@ proc_symkey_enc( CTX c, PACKET *pkt )
 	c->dek = passphrase_to_dek( NULL, 0, algo, &enc->s2k, 0, NULL, NULL );
 	if(c->dek)
 	  {
+	    c->dek->symmetric=1;
+
 	    /* FIXME: This doesn't work perfectly if a symmetric key
 	       comes before a public key in the message - if the user
 	       doesn't know the passphrase, then there is a chance
--- a/include/ChangeLog
+++ b/include/ChangeLog
@ -1,3 +1,7 @@
+2005-02-09  David Shaw  <dshaw@jabberwocky.com>
+
+	* cipher.h: Add a flag for a symmetric DEK.
+
 2004-11-29  David Shaw  <dshaw@jabberwocky.com>

 	* cipher.h: Add PUBKEY_USAGE_UNKNOWN.
--- a/include/cipher.h
+++ b/include/cipher.h
@ -1,5 +1,6 @@
 /* cipher.h
- * Copyright (C) 1998, 1999, 2000, 2001, 2003 Free Software Foundation, Inc.
+ * Copyright (C) 1998, 1999, 2000, 2001, 2003,
+ *               2005 Free Software Foundation, Inc.
 *
 * This file is part of GNUPG.
 *
@ -76,6 +77,7 @@ typedef struct {
    int keylen;
    int algo_info_printed;
    int use_mdc;
+    int symmetric;
    byte key[32]; /* this is the largest used keylen (256 bit) */
 } DEK;