security-and-privacy/gnupg
security-and-privacy
/
gnupg
mirror of git://git.gnupg.org/gnupg.git
1
0
Fork 0
Code Releases Activity

gpg: Make sure a DECRYPTION_OKAY is never issued for a bad OCB tag. 

* g10/mainproc.c (proc_encrypted): Force a decryption failure if any
error has been seen.
* g10/decrypt-data.c (aead_checktag): Issue an ERROR line.
--

GnuPG-bug-id: 7042

Note that gpg in any case returns a failure exit code but due to
double forking GPGME would not see it.
This commit is contained in:
Werner Koch 2024-03-14 21:41:15 +01:00
parent f78501c545
commit 50e81ad38d
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
2 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
g10/decrypt-data.c
View File

@ -205,6 +205,7 @@ aead_checktag (decode_filter_ctx_t dfx, int final, const void *tagbuf)
{
log_error ("gcry_cipher_checktag%s failed: %s\n",
final? " (final)":"", gpg_strerror (err));
write_status_error ("aead_checktag", err);
return err;
}
if (DBG_FILTER)

6
g10/mainproc.c
View File

@ -781,9 +781,13 @@ proc_encrypted (CTX c, PACKET *pkt)
compliance_de_vs |= 2;
}
/* Trigger the deferred error. */
/* Trigger the deferred error. The second condition makes sure that a
* log_error printed in the cry_cipher_checktag never gets ignored. */
if (!result && early_plaintext)
result = gpg_error (GPG_ERR_BAD_DATA);
else if (!result && pkt->pkt.encrypted->aead_algo
&& log_get_errorcount (0))
result = gpg_error (GPG_ERR_BAD_SIGNATURE);
if (result == -1)
;