From 625e292108cc0fd9077769587a8c22abe7805e33 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Tue, 6 Oct 2015 09:40:57 +0200 Subject: [PATCH] gpg: Fail decryption for AES etc message w/o MDC. * g10/mainproc.c (proc_encrypted): Fail for modern messages w/o MDC. -- This change turns the missing MDC warning into an error if the message has been encrypted using a cipher with a non-64 bit block length cipher and it is not Twofish. We can assume that such messages are created by code which should have been able to create MDC packets. AES was introduced with 1.0.3 on 2000-09-18 shortly after MDC (1.0.2 on 2000-07-12). We need to exclude Twofish because that might have been used before MDC. Signed-off-by: Werner Koch --- g10/mainproc.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/g10/mainproc.c b/g10/mainproc.c index f7b7c6b2c..9f02b1555 100644 --- a/g10/mainproc.c +++ b/g10/mainproc.c @@ -607,6 +607,22 @@ proc_encrypted (CTX c, PACKET *pkt) if (result == -1) ; + else if (!result + && !opt.ignore_mdc_error + && !pkt->pkt.encrypted->mdc_method + && openpgp_cipher_get_algo_blklen (c->dek->algo) != 8 + && c->dek->algo != CIPHER_ALGO_TWOFISH) + { + /* The message has been decrypted but has no MDC despite that a + modern cipher (blocklength != 64 bit, except for Twofish) is + used and the option to ignore MDC errors is not used: To + avoid attacks changing an MDC message to a non-MDC message, + we fail here. */ + log_error (_("WARNING: message was not integrity protected\n")); + if (opt.verbose > 1) + log_info ("decryption forced to fail\n"); + write_status (STATUS_DECRYPTION_FAILED); + } else if (!result || (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE && opt.ignore_mdc_error)) {