gpg: Fail decryption for AES etc message w/o MDC.

* g10/mainproc.c (proc_encrypted): Fail for modern messages w/o MDC. -- This change turns the missing MDC warning into an error if the message has been encrypted using a cipher with a non-64 bit block length cipher and it is not Twofish. We can assume that such messages are created by code which should have been able to create MDC packets. AES was introduced with 1.0.3 on 2000-09-18 shortly after MDC (1.0.2 on 2000-07-12). We need to exclude Twofish because that might have been used before MDC. Signed-off-by: Werner Koch <wk@gnupg.org>
2024-05-27 21:41:23 +02:00 · 2015-10-06 09:40:57 +02:00 · 2015-10-06 09:40:57 +02:00 · 625e292108
commit 625e292108
parent 4a5bd1720f
1 changed files with 16 additions and 0 deletions
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@ -607,6 +607,22 @@ proc_encrypted (CTX c, PACKET *pkt)

  if (result == -1)
    ;
+  else if (!result
+           && !opt.ignore_mdc_error
+           && !pkt->pkt.encrypted->mdc_method
+           && openpgp_cipher_get_algo_blklen (c->dek->algo) != 8
+           && c->dek->algo != CIPHER_ALGO_TWOFISH)
+    {
+      /* The message has been decrypted but has no MDC despite that a
+         modern cipher (blocklength != 64 bit, except for Twofish) is
+         used and the option to ignore MDC errors is not used: To
+         avoid attacks changing an MDC message to a non-MDC message,
+         we fail here.  */
+      log_error (_("WARNING: message was not integrity protected\n"));
+      if (opt.verbose > 1)
+        log_info ("decryption forced to fail\n");
+      write_status (STATUS_DECRYPTION_FAILED);
+    }
  else if (!result || (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE
                       && opt.ignore_mdc_error))
    {