5 * Copyright (c) 2005 Marko Kreen
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * contrib/pgcrypto/pgp-decrypt.c
39 #define ALLOW_CTX_SIZE 1
49 #define MAX_CHUNK (16*1024*1024)
52 parse_new_len(PullFilter
*src
, int *len_p
)
56 int pkttype
= PKT_NORMAL
;
61 else if (b
>= 192 && b
<= 223)
63 len
= ((unsigned) (b
) - 192) << 8;
80 len
= 1 << (b
& 0x1F);
84 if (len
< 0 || len
> MAX_CHUNK
)
86 px_debug("parse_new_len: weird length");
87 return PXE_PGP_CORRUPT_DATA
;
95 parse_old_len(PullFilter
*src
, int *len_p
, int lentype
)
106 len
= (len
<< 8) | b
;
108 else if (lentype
== 2)
111 len
= (len
<< 8) | b
;
113 len
= (len
<< 8) | b
;
115 len
= (len
<< 8) | b
;
118 if (len
< 0 || len
> MAX_CHUNK
)
120 px_debug("parse_old_len: weird length");
121 return PXE_PGP_CORRUPT_DATA
;
127 /* returns pkttype or 0 on eof */
129 pgp_parse_pkt_hdr(PullFilter
*src
, uint8
*tag
, int *len_p
, int allow_ctx
)
135 /* EOF is normal here, thus we don't use GETBYTE */
136 res
= pullf_read(src
, 1, &p
);
142 if ((*p
& 0x80) == 0)
144 px_debug("pgp_parse_pkt_hdr: not pkt hdr");
145 return PXE_PGP_CORRUPT_DATA
;
151 res
= parse_new_len(src
, len_p
);
156 *tag
= (*p
>> 2) & 0x0F;
158 res
= allow_ctx
? PKT_CONTEXT
: PXE_PGP_CORRUPT_DATA
;
160 res
= parse_old_len(src
, len_p
, lentype
);
175 pktreader_pull(void *priv
, PullFilter
*src
, int len
,
176 uint8
**data_p
, uint8
*buf
, int buflen
)
179 struct PktData
*pkt
= priv
;
181 /* PKT_CONTEXT means: whatever there is */
182 if (pkt
->type
== PKT_CONTEXT
)
183 return pullf_read(src
, len
, data_p
);
185 while (pkt
->len
== 0)
187 /* this was last chunk in stream */
188 if (pkt
->type
== PKT_NORMAL
)
191 /* next chunk in stream */
192 res
= parse_new_len(src
, &pkt
->len
);
201 res
= pullf_read(src
, len
, data_p
);
209 pktreader_free(void *priv
)
211 struct PktData
*pkt
= priv
;
213 px_memset(pkt
, 0, sizeof(*pkt
));
217 static struct PullFilterOps pktreader_filter
= {
218 NULL
, pktreader_pull
, pktreader_free
221 /* needs helper function to pass several parameters */
223 pgp_create_pkt_reader(PullFilter
**pf_p
, PullFilter
*src
, int len
,
224 int pkttype
, PGP_Context
*ctx
)
227 struct PktData
*pkt
= palloc(sizeof(*pkt
));
231 res
= pullf_create(pf_p
, &pktreader_filter
, pkt
, src
);
238 * Prefix check filter
239 * https://tools.ietf.org/html/rfc4880#section-5.7
240 * https://tools.ietf.org/html/rfc4880#section-5.13
244 prefix_init(void **priv_p
, void *arg
, PullFilter
*src
)
246 PGP_Context
*ctx
= arg
;
250 uint8 tmpbuf
[PGP_MAX_BLOCK
+ 2];
252 len
= pgp_get_cipher_block_size(ctx
->cipher_algo
);
253 if (len
> sizeof(tmpbuf
))
256 res
= pullf_read_max(src
, len
+ 2, &buf
, tmpbuf
);
261 px_debug("prefix_init: short read");
262 px_memset(tmpbuf
, 0, sizeof(tmpbuf
));
263 return PXE_PGP_CORRUPT_DATA
;
266 if (buf
[len
- 2] != buf
[len
] || buf
[len
- 1] != buf
[len
+ 1])
268 px_debug("prefix_init: corrupt prefix");
269 /* report error in pgp_decrypt() */
270 ctx
->corrupt_prefix
= 1;
272 px_memset(tmpbuf
, 0, sizeof(tmpbuf
));
276 static struct PullFilterOps prefix_filter
= {
277 prefix_init
, NULL
, NULL
286 decrypt_init(void **priv_p
, void *arg
, PullFilter
*src
)
292 /* we need to write somewhere, so ask for a buffer */
297 decrypt_read(void *priv
, PullFilter
*src
, int len
,
298 uint8
**data_p
, uint8
*buf
, int buflen
)
304 res
= pullf_read(src
, len
, &tmp
);
307 pgp_cfb_decrypt(cfb
, tmp
, res
, buf
);
313 struct PullFilterOps pgp_decrypt_filter
= {
314 decrypt_init
, decrypt_read
, NULL
323 mdc_init(void **priv_p
, void *arg
, PullFilter
*src
)
325 PGP_Context
*ctx
= arg
;
328 return pgp_load_digest(PGP_DIGEST_SHA1
, &ctx
->mdc_ctx
);
334 PGP_Context
*ctx
= priv
;
336 if (ctx
->use_mdcbuf_filter
)
338 px_md_free(ctx
->mdc_ctx
);
343 mdc_finish(PGP_Context
*ctx
, PullFilter
*src
, int len
)
350 /* should not happen */
351 if (ctx
->use_mdcbuf_filter
)
356 return PXE_PGP_CORRUPT_DATA
;
358 /* mdc_read should not call px_md_update */
362 res
= pullf_read_max(src
, len
, &data
, tmpbuf
);
368 return PXE_PGP_CORRUPT_DATA
;
371 /* is the packet sane? */
374 px_debug("mdc_finish: read failed, res=%d", res
);
375 return PXE_PGP_CORRUPT_DATA
;
379 * ok, we got the hash, now check
381 px_md_finish(ctx
->mdc_ctx
, hash
);
382 res
= memcmp(hash
, data
, 20);
383 px_memset(hash
, 0, 20);
384 px_memset(tmpbuf
, 0, sizeof(tmpbuf
));
387 px_debug("mdc_finish: mdc failed");
388 return PXE_PGP_CORRUPT_DATA
;
390 ctx
->mdc_checked
= 1;
395 mdc_read(void *priv
, PullFilter
*src
, int len
,
396 uint8
**data_p
, uint8
*buf
, int buflen
)
399 PGP_Context
*ctx
= priv
;
401 /* skip this filter? */
402 if (ctx
->use_mdcbuf_filter
|| ctx
->in_mdc_pkt
)
403 return pullf_read(src
, len
, data_p
);
405 res
= pullf_read(src
, len
, data_p
);
410 px_debug("mdc_read: unexpected eof");
411 return PXE_PGP_CORRUPT_DATA
;
413 px_md_update(ctx
->mdc_ctx
, *data_p
, res
);
418 static struct PullFilterOps mdc_filter
= {
419 mdc_init
, mdc_read
, mdc_free
424 * Combined Pkt reader and MDC hasher.
426 * For the case of SYMENCRYPTED_DATA_MDC packet, where
427 * the data part has 'context length', which means
428 * that data packet ends 22 bytes before end of parent
429 * packet, which is silly.
431 #define MDCBUF_LEN 8192
441 uint8 buf
[MDCBUF_LEN
];
445 mdcbuf_init(void **priv_p
, void *arg
, PullFilter
*src
)
447 PGP_Context
*ctx
= arg
;
448 struct MDCBufData
*st
;
450 st
= palloc0(sizeof(*st
));
451 st
->buflen
= sizeof(st
->buf
);
455 /* take over the work of mdc_filter */
456 ctx
->use_mdcbuf_filter
= 1;
462 mdcbuf_finish(struct MDCBufData
*st
)
469 if (st
->mdc_buf
[0] != 0xD3 || st
->mdc_buf
[1] != 0x14)
471 px_debug("mdcbuf_finish: bad MDC pkt hdr");
472 return PXE_PGP_CORRUPT_DATA
;
474 px_md_update(st
->ctx
->mdc_ctx
, st
->mdc_buf
, 2);
475 px_md_finish(st
->ctx
->mdc_ctx
, hash
);
476 res
= memcmp(hash
, st
->mdc_buf
+ 2, 20);
477 px_memset(hash
, 0, 20);
480 px_debug("mdcbuf_finish: MDC does not match");
481 res
= PXE_PGP_CORRUPT_DATA
;
487 mdcbuf_load_data(struct MDCBufData
*st
, uint8
*src
, int len
)
489 uint8
*dst
= st
->pos
+ st
->avail
;
491 memcpy(dst
, src
, len
);
492 px_md_update(st
->ctx
->mdc_ctx
, src
, len
);
497 mdcbuf_load_mdc(struct MDCBufData
*st
, uint8
*src
, int len
)
499 memmove(st
->mdc_buf
+ st
->mdc_avail
, src
, len
);
500 st
->mdc_avail
+= len
;
504 mdcbuf_refill(struct MDCBufData
*st
, PullFilter
*src
)
510 /* put avail data in start */
511 if (st
->avail
> 0 && st
->pos
!= st
->buf
)
512 memmove(st
->buf
, st
->pos
, st
->avail
);
516 need
= st
->buflen
+ 22 - st
->avail
- st
->mdc_avail
;
517 res
= pullf_read(src
, need
, &data
);
521 return mdcbuf_finish(st
);
526 mdcbuf_load_data(st
, st
->mdc_buf
, st
->mdc_avail
);
529 mdcbuf_load_data(st
, data
, res
- 22);
530 mdcbuf_load_mdc(st
, data
+ res
- 22, 22);
534 int canmove
= st
->mdc_avail
+ res
- 22;
538 mdcbuf_load_data(st
, st
->mdc_buf
, canmove
);
539 st
->mdc_avail
-= canmove
;
540 memmove(st
->mdc_buf
, st
->mdc_buf
+ canmove
, st
->mdc_avail
);
542 mdcbuf_load_mdc(st
, data
, res
);
548 mdcbuf_read(void *priv
, PullFilter
*src
, int len
,
549 uint8
**data_p
, uint8
*buf
, int buflen
)
551 struct MDCBufData
*st
= priv
;
554 if (!st
->eof
&& len
> st
->avail
)
556 res
= mdcbuf_refill(st
, src
);
571 mdcbuf_free(void *priv
)
573 struct MDCBufData
*st
= priv
;
575 px_md_free(st
->ctx
->mdc_ctx
);
576 st
->ctx
->mdc_ctx
= NULL
;
577 px_memset(st
, 0, sizeof(*st
));
581 static struct PullFilterOps mdcbuf_filter
= {
582 mdcbuf_init
, mdcbuf_read
, mdcbuf_free
587 * Decrypt separate session key
590 decrypt_key(PGP_Context
*ctx
, const uint8
*src
, int len
)
596 res
= pgp_cfb_create(&cfb
, ctx
->s2k_cipher_algo
,
597 ctx
->s2k
.key
, ctx
->s2k
.key_len
, 0, NULL
);
601 pgp_cfb_decrypt(cfb
, src
, 1, &algo
);
605 pgp_cfb_decrypt(cfb
, src
, len
, ctx
->sess_key
);
607 ctx
->sess_key_len
= len
;
608 ctx
->cipher_algo
= algo
;
610 if (pgp_get_cipher_key_size(algo
) != len
)
612 px_debug("sesskey bad len: algo=%d, expected=%d, got=%d",
613 algo
, pgp_get_cipher_key_size(algo
), len
);
614 return PXE_PGP_CORRUPT_DATA
;
623 parse_symenc_sesskey(PGP_Context
*ctx
, PullFilter
*src
)
627 uint8 tmpbuf
[PGP_MAX_KEY
+ 2];
631 GETBYTE(src
, ctx
->s2k_cipher_algo
);
634 px_debug("bad key pkt ver");
635 return PXE_PGP_CORRUPT_DATA
;
641 res
= pgp_s2k_read(src
, &ctx
->s2k
);
644 ctx
->s2k_mode
= ctx
->s2k
.mode
;
645 ctx
->s2k_count
= s2k_decode_count(ctx
->s2k
.iter
);
646 ctx
->s2k_digest_algo
= ctx
->s2k
.digest_algo
;
649 * generate key from password
651 res
= pgp_s2k_process(&ctx
->s2k
, ctx
->s2k_cipher_algo
,
652 ctx
->sym_key
, ctx
->sym_key_len
);
657 * do we have separate session key?
659 res
= pullf_read_max(src
, PGP_MAX_KEY
+ 2, &p
, tmpbuf
);
666 * no, s2k key is session key
668 memcpy(ctx
->sess_key
, ctx
->s2k
.key
, ctx
->s2k
.key_len
);
669 ctx
->sess_key_len
= ctx
->s2k
.key_len
;
670 ctx
->cipher_algo
= ctx
->s2k_cipher_algo
;
672 ctx
->use_sess_key
= 0;
679 if (res
< 17 || res
> PGP_MAX_KEY
+ 1)
681 px_debug("expect key, but bad data");
682 return PXE_PGP_CORRUPT_DATA
;
684 ctx
->use_sess_key
= 1;
685 res
= decrypt_key(ctx
, p
, res
);
688 px_memset(tmpbuf
, 0, sizeof(tmpbuf
));
693 copy_crlf(MBuf
*dst
, uint8
*data
, int len
, int *got_cr
)
695 uint8
*data_end
= data
+ len
;
697 uint8
*tmp_end
= tmpbuf
+ sizeof(tmpbuf
);
708 while (data
< data_end
)
712 if (data
+ 1 < data_end
)
714 if (*(data
+ 1) == '\n')
726 res
= mbuf_append(dst
, tmpbuf
, p
- tmpbuf
);
734 res
= mbuf_append(dst
, tmpbuf
, p
- tmpbuf
);
738 px_memset(tmpbuf
, 0, sizeof(tmpbuf
));
743 parse_literal_data(PGP_Context
*ctx
, MBuf
*dst
, PullFilter
*pkt
)
753 GETBYTE(pkt
, name_len
);
758 res
= pullf_read(pkt
, name_len
, &buf
);
767 px_debug("parse_literal_data: unexpected eof");
768 return PXE_PGP_CORRUPT_DATA
;
772 res
= pullf_read_max(pkt
, 4, &buf
, tmpbuf
);
775 px_debug("parse_literal_data: unexpected eof");
776 return PXE_PGP_CORRUPT_DATA
;
778 px_memset(tmpbuf
, 0, 4);
781 * If called from an SQL function that returns text, pgp_decrypt() rejects
782 * inputs not self-identifying as text.
785 if (type
!= 't' && type
!= 'u')
787 px_debug("parse_literal_data: data type=%c", type
);
788 ctx
->unexpected_binary
= true;
791 ctx
->unicode_mode
= (type
== 'u') ? 1 : 0;
796 res
= pullf_read(pkt
, 32 * 1024, &buf
);
800 if (ctx
->text_mode
&& ctx
->convert_crlf
)
801 res
= copy_crlf(dst
, buf
, res
, &got_cr
);
803 res
= mbuf_append(dst
, buf
, res
);
807 if (res
>= 0 && got_cr
)
808 res
= mbuf_append(dst
, (const uint8
*) "\r", 1);
812 /* process_data_packets and parse_compressed_data call each other */
813 static int process_data_packets(PGP_Context
*ctx
, MBuf
*dst
,
814 PullFilter
*src
, int allow_compr
, int need_mdc
);
817 parse_compressed_data(PGP_Context
*ctx
, MBuf
*dst
, PullFilter
*pkt
)
821 PullFilter
*pf_decompr
;
826 ctx
->compress_algo
= type
;
830 res
= process_data_packets(ctx
, dst
, pkt
, NO_COMPR
, NO_MDC
);
835 res
= pgp_decompress_filter(&pf_decompr
, ctx
, pkt
);
838 res
= process_data_packets(ctx
, dst
, pf_decompr
,
840 pullf_free(pf_decompr
);
844 case PGP_COMPR_BZIP2
:
845 px_debug("parse_compressed_data: bzip2 unsupported");
846 /* report error in pgp_decrypt() */
847 ctx
->unsupported_compr
= 1;
850 * Discard the compressed data, allowing it to first affect any
851 * MDC digest computation.
855 res
= pullf_read(pkt
, 32 * 1024, &discard_buf
);
863 px_debug("parse_compressed_data: unknown compr type");
864 res
= PXE_PGP_CORRUPT_DATA
;
871 process_data_packets(PGP_Context
*ctx
, MBuf
*dst
, PullFilter
*src
,
872 int allow_compr
, int need_mdc
)
879 PullFilter
*pkt
= NULL
;
883 res
= pgp_parse_pkt_hdr(src
, &tag
, &len
, ALLOW_CTX_SIZE
);
888 /* mdc packet should be last */
891 px_debug("process_data_packets: data after mdc");
892 res
= PXE_PGP_CORRUPT_DATA
;
897 * Context length inside SYMENCRYPTED_DATA_MDC packet needs special
900 if (need_mdc
&& res
== PKT_CONTEXT
)
901 res
= pullf_create(&pkt
, &mdcbuf_filter
, ctx
, src
);
903 res
= pgp_create_pkt_reader(&pkt
, src
, len
, res
, ctx
);
909 case PGP_PKT_LITERAL_DATA
:
911 res
= parse_literal_data(ctx
, dst
, pkt
);
913 case PGP_PKT_COMPRESSED_DATA
:
914 if (allow_compr
== 0)
916 px_debug("process_data_packets: unexpected compression");
917 res
= PXE_PGP_CORRUPT_DATA
;
922 * compr data must be alone
924 px_debug("process_data_packets: only one cmpr pkt allowed");
925 res
= PXE_PGP_CORRUPT_DATA
;
930 res
= parse_compressed_data(ctx
, dst
, pkt
);
934 if (need_mdc
== NO_MDC
)
936 px_debug("process_data_packets: unexpected MDC");
937 res
= PXE_PGP_CORRUPT_DATA
;
941 res
= mdc_finish(ctx
, pkt
, len
);
946 px_debug("process_data_packets: unexpected pkt tag=%d", tag
);
947 res
= PXE_PGP_CORRUPT_DATA
;
965 px_debug("process_data_packets: no data");
966 res
= PXE_PGP_CORRUPT_DATA
;
968 if (need_mdc
&& !got_mdc
&& !ctx
->use_mdcbuf_filter
)
970 px_debug("process_data_packets: got no mdc");
971 res
= PXE_PGP_CORRUPT_DATA
;
977 parse_symenc_data(PGP_Context
*ctx
, PullFilter
*pkt
, MBuf
*dst
)
981 PullFilter
*pf_decrypt
= NULL
;
982 PullFilter
*pf_prefix
= NULL
;
984 res
= pgp_cfb_create(&cfb
, ctx
->cipher_algo
,
985 ctx
->sess_key
, ctx
->sess_key_len
, 1, NULL
);
989 res
= pullf_create(&pf_decrypt
, &pgp_decrypt_filter
, cfb
, pkt
);
993 res
= pullf_create(&pf_prefix
, &prefix_filter
, ctx
, pf_decrypt
);
997 res
= process_data_packets(ctx
, dst
, pf_prefix
, ALLOW_COMPR
, NO_MDC
);
1001 pullf_free(pf_prefix
);
1003 pullf_free(pf_decrypt
);
1011 parse_symenc_mdc_data(PGP_Context
*ctx
, PullFilter
*pkt
, MBuf
*dst
)
1014 PGP_CFB
*cfb
= NULL
;
1015 PullFilter
*pf_decrypt
= NULL
;
1016 PullFilter
*pf_prefix
= NULL
;
1017 PullFilter
*pf_mdc
= NULL
;
1023 px_debug("parse_symenc_mdc_data: pkt ver != 1");
1024 return PXE_PGP_CORRUPT_DATA
;
1027 res
= pgp_cfb_create(&cfb
, ctx
->cipher_algo
,
1028 ctx
->sess_key
, ctx
->sess_key_len
, 0, NULL
);
1032 res
= pullf_create(&pf_decrypt
, &pgp_decrypt_filter
, cfb
, pkt
);
1036 res
= pullf_create(&pf_mdc
, &mdc_filter
, ctx
, pf_decrypt
);
1040 res
= pullf_create(&pf_prefix
, &prefix_filter
, ctx
, pf_mdc
);
1044 res
= process_data_packets(ctx
, dst
, pf_prefix
, ALLOW_COMPR
, NEED_MDC
);
1048 pullf_free(pf_prefix
);
1052 pullf_free(pf_decrypt
);
1060 * skip over packet contents
1063 pgp_skip_packet(PullFilter
*pkt
)
1069 res
= pullf_read(pkt
, 32 * 1024, &tmp
);
1074 * expect to be at packet end, any data is error
1077 pgp_expect_packet_end(PullFilter
*pkt
)
1082 res
= pullf_read(pkt
, 32 * 1024, &tmp
);
1085 px_debug("pgp_expect_packet_end: got data");
1086 return PXE_PGP_CORRUPT_DATA
;
1092 pgp_decrypt(PGP_Context
*ctx
, MBuf
*msrc
, MBuf
*mdst
)
1095 PullFilter
*src
= NULL
;
1096 PullFilter
*pkt
= NULL
;
1102 res
= pullf_create_mbuf_reader(&src
, msrc
);
1106 res
= pgp_parse_pkt_hdr(src
, &tag
, &len
, NO_CTX_SIZE
);
1110 res
= pgp_create_pkt_reader(&pkt
, src
, len
, res
, ctx
);
1114 res
= PXE_PGP_CORRUPT_DATA
;
1117 case PGP_PKT_MARKER
:
1118 res
= pgp_skip_packet(pkt
);
1120 case PGP_PKT_PUBENCRYPTED_SESSKEY
:
1121 /* fixme: skip those */
1122 res
= pgp_parse_pubenc_sesskey(ctx
, pkt
);
1125 case PGP_PKT_SYMENCRYPTED_SESSKEY
:
1129 * Theoretically, there could be several keys, both public
1130 * and symmetric, all of which encrypt same session key.
1131 * Decrypt should try with each one, before failing.
1133 px_debug("pgp_decrypt: using first of several keys");
1137 res
= parse_symenc_sesskey(ctx
, pkt
);
1140 case PGP_PKT_SYMENCRYPTED_DATA
:
1142 px_debug("pgp_decrypt: have data but no key");
1144 px_debug("pgp_decrypt: got second data packet");
1148 ctx
->disable_mdc
= 1;
1149 res
= parse_symenc_data(ctx
, pkt
, mdst
);
1152 case PGP_PKT_SYMENCRYPTED_DATA_MDC
:
1154 px_debug("pgp_decrypt: have data but no key");
1156 px_debug("pgp_decrypt: several data pkts not supported");
1160 ctx
->disable_mdc
= 0;
1161 res
= parse_symenc_mdc_data(ctx
, pkt
, mdst
);
1165 px_debug("pgp_decrypt: unknown tag: 0x%02x", tag
);
1181 * Report a failure of the prefix_init() "quick check" now, rather than
1182 * upon detection, to hinder timing attacks. pgcrypto is not generally
1183 * secure against timing attacks, but this helps.
1185 if (!got_data
|| ctx
->corrupt_prefix
)
1186 return PXE_PGP_CORRUPT_DATA
;
1189 * Code interpreting purportedly-decrypted data prior to this stage shall
1190 * report no error other than PXE_PGP_CORRUPT_DATA. (PXE_BUG is okay so
1191 * long as it remains unreachable.) This ensures that an attacker able to
1192 * choose a ciphertext and receive a corresponding decryption error
1193 * message cannot use that oracle to gather clues about the decryption
1194 * key. See "An Attack on CFB Mode Encryption As Used By OpenPGP" by
1195 * Serge Mister and Robert Zuccherato.
1197 * A problematic value in the first octet of a Literal Data or Compressed
1198 * Data packet may indicate a simple user error, such as the need to call
1199 * pgp_sym_decrypt_bytea instead of pgp_sym_decrypt. Occasionally,
1200 * though, it is the first symptom of the encryption key not matching the
1201 * decryption key. When this was the only problem encountered, report a
1202 * specific error to guide the user; otherwise, we will have reported
1203 * PXE_PGP_CORRUPT_DATA before now. A key mismatch makes the other errors
1204 * into red herrings, and this avoids leaking clues to attackers.
1206 if (ctx
->unsupported_compr
)
1207 return PXE_PGP_UNSUPPORTED_COMPR
;
1208 if (ctx
->unexpected_binary
)
1209 return PXE_PGP_NOT_TEXT
;