From a3ea9626797ecf9ce5dba230c9617db84c159e5a Mon Sep 17 00:00:00 2001
From: David Shaw
Date: Thu, 10 Feb 2005 04:06:30 +0000
Subject: [PATCH] Disable the "quick check" bytes for PK decryptions. This is in regards to the Mister and Zuccherato attack on OpenPGP CFB mode.

---
 g10/ChangeLog | 9 +++++++++
 g10/encr-data.c | 8 +++++---
 g10/mainproc.c | 6 ++++--
 include/ChangeLog | 4 ++++
 include/cipher.h | 18 ++++++++++--------
 5 files changed, 32 insertions(+), 13 deletions(-)

diff --git a/g10/ChangeLog b/g10/ChangeLog
index e3ed14642..c3cf99e2c 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,3 +1,12 @@
+2005-02-09 David Shaw
+
+ * encr-data.c (decrypt_data): Use it here to turn off the "quick
+ check" bytes for PK decryptions. This is in regards to the Mister
+ and Zuccherato attack on OpenPGP CFB mode.
+
+ * mainproc.c (proc_symkey_enc): Set a flag to indicate that a
+ particular session key came from a passphrase and not a PK.
+
 2005-02-06 David Shaw
 
 * trustdb.h, trustdb.c (trustdb_check_or_update): New. If the
diff --git a/g10/encr-data.c b/g10/encr-data.c
index e05994535..f9fabc8f0 100644
--- a/g10/encr-data.c
+++ b/g10/encr-data.c
@@ -1,5 +1,5 @@
 /* encr-data.c - process an encrypted data packet
- * Copyright (C) 1998, 1999, 2000, 2001 Free Software Foundation, Inc.
+ * Copyright (C) 1998, 1999, 2000, 2001, 2005 Free Software Foundation, Inc.
 *
 * This file is part of GnuPG.
 *
@@ -125,10 +125,12 @@ decrypt_data( void *procctx, PKT_encrypted *ed, DEK *dek )
 cipher_sync( dfx.cipher_hd );
 p = temp;
 /* log_hexdump( "prefix", temp, nprefix+2 ); */
- if( p[nprefix-2] != p[nprefix] || p[nprefix-1] != p[nprefix+1] ) {
+if(dek->symmetric
+ && (p[nprefix-2] != p[nprefix] || p[nprefix-1] != p[nprefix+1]) )
+ {
 rc = G10ERR_BAD_KEY;
 goto leave;
- }
+ }
 if( dfx.mdc_hash )
 md_write( dfx.mdc_hash, temp, nprefix+2 );
 
diff --git a/g10/mainproc.c b/g10/mainproc.c
index 8db7e45be..83bb5d811 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
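Review bot: The new `dek->symmetric` gate on the prefix comparison has no comment at the read site, so a later reader cannot tell why a mismatch is now tolerated for some keys; I would add above the `if`: `/* The repeated-bytes "quick check" is a decryption oracle for PK-encrypted session keys (Mister & Zuccherato, OpenPGP CFB); only run it for passphrase-derived keys. */`. The same comment should record the consequence: a wrong PK session key no longer fails here with G10ERR_BAD_KEY, so unless a later MDC check (`dfx.mdc_hash` below) catches it, the caller presumably sees garbage plaintext rather than an early error. The gate is only as reliable as the `symmetric` field, which must be zero in every DEK that did not pass through proc_symkey_enc; see the mainproc.c hunk. As a style point, the added `{` on its own indented line and the matching `}` diverge from the `if( ... ) {` layout used by the surrounding lines of this function. decrypt_data begins before this hunk.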
@@ -1,6 +1,6 @@ /* mainproc.c - handle packets - * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, - * 2004 Free Software Foundation, Inc. + * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, + * 2005 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -330,6 +330,8 @@ proc_symkey_enc( CTX c, PACKET *pkt ) if(c->dek) { + c->dek->symmetric=1; + /* FIXME: This doesn't work perfectly if a symmetric key comes before a public key in the message - if the user doesn't know the passphrase, then there is diff --git a/include/ChangeLog b/include/ChangeLog index 2f1c6e4a3..dcd72c1b3 100644 --- a/include/ChangeLog +++ b/include/ChangeLog @@ -1,3 +1,7 @@ +2005-02-09 David Shaw + + * cipher.h: Add a flag for a symmetric DEK. + 2004-12-16 David Shaw * memory.h: Return a flag to indicate whether we got the lock. diff --git a/include/cipher.h b/include/cipher.h index 41271eba6..da3a7d8f3 100644 --- a/include/cipher.h +++ b/include/cipher.h @@ -1,6 +1,6 @@ /* cipher.h - * Copyright (C) 1998, 1999, 2000, 2001, 2003, - * 2004 Free Software Foundation, Inc. + * Copyright (C) 1998, 1999, 2000, 2001, 2003, 2004, + * 2005 Free Software Foundation, Inc. * * This file is part of GNUPG. * @@ -70,12 +70,14 @@ #define is_ELGAMAL(a) ((a)==PUBKEY_ALGO_ELGAMAL_E) #define is_DSA(a) ((a)==PUBKEY_ALGO_DSA) -typedef struct { - int algo; - int keylen; - int algo_info_printed; - int use_mdc; - byte key[32]; /* this is the largest used keylen (256 bit) */ +typedef struct +{ + int algo; + int keylen; + int algo_info_printed; + int use_mdc; + int symmetric; + byte key[32]; /* this is the largest used keylen (256 bit) */ } DEK; struct cipher_handle_s;
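Review bot: `c->dek->symmetric=1;` is the only assignment to the flag in this patch, so a DEK produced by the public-key path is treated as PK-derived only if its `symmetric` member is reliably zero; nothing in the hunk shows the DEK being allocated with a zeroing allocator, so if any producer uses plain malloc the value is indeterminate and the quick-check gate in decrypt_data becomes unpredictable. Setting `c->dek->symmetric=0;` explicitly where the PK session key is decrypted, or zeroing the whole DEK at allocation, would make the invariant visible. I would also comment the assignment: `/* Passphrase-derived key: decrypt_data() runs the CFB quick check only for these. */`. proc_symkey_enc begins before this hunk, and the FIXME that follows it still applies: if a later PK packet replaces c->dek, the flag presumably goes away with the old DEK, which is worth stating there.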
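Review bot: The new `symmetric` member carries no comment, unlike `key` beside it, and its name is misleading: every DEK holds a symmetric cipher key, so `symmetric` reads as a property of the algorithm rather than of where the key came from. I would write `int symmetric; /* 1 if the key was derived from a passphrase, 0 if it arrived in a PK-encrypted session key packet */`, which also documents that the zero default means "PK". The rebracing of the whole typedef turns a one-line addition into an eight-line hunk; keeping the existing `typedef struct {` layout would leave only the new member to review.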