1 /* decrypt.c - Decrypt a message
2 * Copyright (C) 2001, 2003, 2010 Free Software Foundation, Inc.
3 * Copyright (C) 2001-2019 Werner Koch
4 * Copyright (C) 2015-2020 g10 Code GmbH
6 * This file is part of GnuPG.
8 * GnuPG is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * GnuPG is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <https://www.gnu.org/licenses/>.
20 * SPDX-License-Identifier: GPL-3.0-or-later
36 #include "../common/i18n.h"
37 #include "../common/tlv.h"
38 #include "../common/compliance.h"
40 struct decrypt_filter_parm_s
48 int any_data; /* did we push anything through the filter at all? */
49 unsigned char lastblock[16]; /* to strip the padding we have to
51 char helpblock[16]; /* needed because there is no block buffering in
57 /* Return the hash algorithm's algo id from its name given in the
58 * non-null termnated string in (buffer,buflen). Returns 0 on failure
59 * or if the algo is not known. */
61 string_from_gcry_buffer (gcry_buffer_t *buffer)
65 string = xtrymalloc (buffer->len + 1);
68 memcpy (string, buffer->data, buffer->len);
69 string[buffer->len] = 0;
74 /* Helper to construct and hash the
75 * ECC-CMS-SharedInfo ::= SEQUENCE {
76 * keyInfo AlgorithmIdentifier,
77 * entityUInfo [0] EXPLICIT OCTET STRING OPTIONAL,
78 * suppPubInfo [2] EXPLICIT OCTET STRING }
79 * as described in RFC-5753, 7.2. */
81 hash_ecc_cms_shared_info (gcry_md_hd_t hash_hd, const char *wrap_algo_str,
83 const void *ukm, unsigned int ukmlen)
88 size_t n, oidlen, toidlen, tkeyinfo, tukmlen, tsupppubinfo;
89 unsigned char keylenbuf[6];
90 membuf_t mb = MEMBUF_ZERO;
92 err = ksba_oid_from_str (wrap_algo_str, &oid, &oidlen);
95 toidlen = get_tlv_length (CLASS_UNIVERSAL, TAG_OBJECT_ID, 0, oidlen);
96 tkeyinfo = get_tlv_length (CLASS_UNIVERSAL, TAG_SEQUENCE, 1, toidlen);
98 tukmlen = ukm? get_tlv_length (CLASS_CONTEXT, 0, 1, ukmlen) : 0;
101 keylenbuf[0] = TAG_OCTET_STRING;
103 keylenbuf[2] = (keylen >> 24);
104 keylenbuf[3] = (keylen >> 16);
105 keylenbuf[4] = (keylen >> 8);
106 keylenbuf[5] = keylen;
108 tsupppubinfo = get_tlv_length (CLASS_CONTEXT, 2, 1, sizeof keylenbuf);
110 put_tlv_to_membuf (&mb, CLASS_UNIVERSAL, TAG_SEQUENCE, 1,
111 tkeyinfo + tukmlen + tsupppubinfo);
112 put_tlv_to_membuf (&mb, CLASS_UNIVERSAL, TAG_SEQUENCE, 1,
114 put_tlv_to_membuf (&mb, CLASS_UNIVERSAL, TAG_OBJECT_ID, 0, oidlen);
115 put_membuf (&mb, oid, oidlen);
120 put_tlv_to_membuf (&mb, CLASS_CONTEXT, 0, 1, ukmlen);
121 put_membuf (&mb, ukm, ukmlen);
124 put_tlv_to_membuf (&mb, CLASS_CONTEXT, 2, 1, sizeof keylenbuf);
125 put_membuf (&mb, keylenbuf, sizeof keylenbuf);
127 p = get_membuf (&mb, &n);
129 return gpg_error_from_syserror ();
131 gcry_md_write (hash_hd, p, n);
138 /* Derive a KEK (key wrapping key) using (SECRET,SECRETLEN), an
139 * optional (UKM,ULMLEN), the wrap algorithm WRAP_ALGO_STR in decimal
140 * dotted form, and the hash algorithm HASH_ALGO. On success a key of
141 * length KEYLEN is stored at KEY. */
143 ecdh_derive_kek (unsigned char *key, unsigned int keylen,
144 int hash_algo, const char *wrap_algo_str,
145 const void *secret, unsigned int secretlen,
146 const void *ukm, unsigned int ukmlen)
149 unsigned int hashlen;
150 gcry_md_hd_t hash_hd;
151 unsigned char counter;
152 unsigned int n, ncopy;
154 hashlen = gcry_md_get_algo_dlen (hash_algo);
156 return gpg_error (GPG_ERR_INV_ARG);
158 err = gcry_md_open (&hash_hd, hash_algo, 0);
162 /* According to SEC1 3.6.1 we should check that
163 * SECRETLEN + UKMLEN + 4 < maxhashlen
164 * However, we have no practical limit on the hash length and thus
165 * there is no point in checking this. The second check that
166 * KEYLEN < hashlen*(2^32-1)
167 * is obviously also not needed.
169 for (n=0, counter=1; n < keylen; counter++)
172 gcry_md_reset (hash_hd);
173 gcry_md_write (hash_hd, secret, secretlen);
174 gcry_md_write (hash_hd, "\x00\x00\x00", 3); /* MSBs of counter */
175 gcry_md_write (hash_hd, &counter, 1);
176 err = hash_ecc_cms_shared_info (hash_hd, wrap_algo_str, keylen,
180 gcry_md_final (hash_hd);
181 if (n + hashlen > keylen)
185 memcpy (key+n, gcry_md_read (hash_hd, 0), ncopy);
189 gcry_md_close (hash_hd);
194 /* This function will modify SECRET. NBITS is the size of the curve
195 * which which we took from the certificate. */
197 ecdh_decrypt (unsigned char *secret, size_t secretlen,
198 unsigned int nbits, gcry_sexp_t enc_val,
199 unsigned char **r_result, unsigned int *r_resultlen)
202 gcry_buffer_t ioarray[4] = { {0}, {0}, {0}, {0} };
203 char *encr_algo_str = NULL;
204 char *wrap_algo_str = NULL;
205 int hash_algo, cipher_algo;
206 const unsigned char *ukm; /* Alias for ioarray[2]. */
208 const unsigned char *data; /* Alias for ioarray[3]. */
209 unsigned int datalen;
211 unsigned char key[32];
212 gcry_cipher_hd_t cipher_hd = NULL;
213 unsigned char *result = NULL;
214 unsigned int resultlen;
219 /* Extract X from SECRET; this is the actual secret. Unless a
220 * smartcard diretcly returns X, it must be in the format of:
227 return gpg_error (GPG_ERR_BAD_DATA);
228 if (secretlen == (nbits+7)/8)
229 ; /* Matches curve length - this is already the X coordinate. */
230 else if (*secret == 0x04)
233 memmove (secret, secret+1, secretlen);
235 return gpg_error (GPG_ERR_BAD_DATA);
238 else if (*secret == 0x40 || *secret == 0x41)
241 memmove (secret, secret+1, secretlen);
244 return gpg_error (GPG_ERR_BAD_DATA);
246 return gpg_error (GPG_ERR_BAD_DATA);
249 log_printhex (secret, secretlen, "ECDH X ..:");
251 /* We have now the shared secret bytes in (SECRET,SECRETLEN). Now
252 * we will compute the KEK using a value dervied from the secret
254 err = gcry_sexp_extract_param (enc_val, "enc-val",
255 "&'encr-algo''wrap-algo''ukm'?s",
256 ioarray+0, ioarray+1,
257 ioarray+2, ioarray+3, NULL);
260 log_error ("extracting ECDH parameter failed: %s\n", gpg_strerror (err));
263 encr_algo_str = string_from_gcry_buffer (ioarray);
266 err = gpg_error_from_syserror ();
269 wrap_algo_str = string_from_gcry_buffer (ioarray+1);
272 err = gpg_error_from_syserror ();
275 ukm = ioarray[2].data;
276 ukmlen = ioarray[2].len;
277 data = ioarray[3].data;
278 datalen = ioarray[3].len;
280 /* Check parameters. */
283 log_debug ("encr_algo: %s\n", encr_algo_str);
284 log_debug ("wrap_algo: %s\n", wrap_algo_str);
285 log_printhex (ukm, ukmlen, "ukm .....:");
286 log_printhex (data, datalen, "data ....:");
289 if (!strcmp (encr_algo_str, "1.3.132.1.11.1"))
291 /* dhSinglePass-stdDH-sha256kdf-scheme */
292 hash_algo = GCRY_MD_SHA256;
294 else if (!strcmp (encr_algo_str, "1.3.132.1.11.2"))
296 /* dhSinglePass-stdDH-sha384kdf-scheme */
297 hash_algo = GCRY_MD_SHA384;
299 else if (!strcmp (encr_algo_str, "1.3.132.1.11.3"))
301 /* dhSinglePass-stdDH-sha512kdf-scheme */
302 hash_algo = GCRY_MD_SHA512;
304 else if (!strcmp (encr_algo_str, "1.3.133.16.840.63.0.2"))
306 /* dhSinglePass-stdDH-sha1kdf-scheme */
307 hash_algo = GCRY_MD_SHA1;
311 err = gpg_error (GPG_ERR_PUBKEY_ALGO);
315 if (!strcmp (wrap_algo_str, "2.16.840.1.101.3.4.1.5"))
317 cipher_algo = GCRY_CIPHER_AES128;
320 else if (!strcmp (wrap_algo_str, "2.16.840.1.101.3.4.1.25"))
322 cipher_algo = GCRY_CIPHER_AES192;
325 else if (!strcmp (wrap_algo_str, "2.16.840.1.101.3.4.1.45"))
327 cipher_algo = GCRY_CIPHER_AES256;
332 err = gpg_error (GPG_ERR_PUBKEY_ALGO);
336 err = ecdh_derive_kek (key, keylen, hash_algo, wrap_algo_str,
337 secret, secretlen, ukm, ukmlen);
342 log_printhex (key, keylen, "KEK .....:");
344 /* Unwrap the key. */
345 if ((datalen % 8) || datalen < 16)
347 log_error ("can't use a shared secret of %u bytes for ecdh\n", datalen);
348 err = gpg_error (GPG_ERR_BAD_DATA);
352 resultlen = datalen - 8;
353 result = xtrymalloc_secure (resultlen);
356 err = gpg_error_from_syserror ();
360 err = gcry_cipher_open (&cipher_hd, cipher_algo, GCRY_CIPHER_MODE_AESWRAP, 0);
363 log_error ("ecdh failed to initialize AESWRAP: %s\n", gpg_strerror (err));
367 err = gcry_cipher_setkey (cipher_hd, key, keylen);
368 wipememory (key, sizeof key);
371 log_error ("ecdh failed in gcry_cipher_setkey: %s\n", gpg_strerror (err));
375 err = gcry_cipher_decrypt (cipher_hd, result, resultlen, data, datalen);
378 log_error ("ecdh failed in gcry_cipher_decrypt: %s\n",gpg_strerror (err));
382 *r_resultlen = resultlen;
389 wipememory (result, resultlen);
392 gcry_cipher_close (cipher_hd);
393 xfree (encr_algo_str);
394 xfree (wrap_algo_str);
395 xfree (ioarray[0].data);
396 xfree (ioarray[1].data);
397 xfree (ioarray[2].data);
398 xfree (ioarray[3].data);
404 /* Decrypt the session key and fill in the parm structure. The
405 algo and the IV is expected to be already in PARM. */
407 prepare_decryption (ctrl_t ctrl, const char *hexkeygrip,
408 int pk_algo, unsigned int nbits, const char *desc,
409 ksba_const_sexp_t enc_val,
410 struct decrypt_filter_parm_s *parm)
417 log_printcanon ("decrypting:", enc_val, 0);
418 rc = gpgsm_agent_pkdecrypt (ctrl, hexkeygrip, desc, enc_val,
419 &seskey, &seskeylen);
422 log_error ("error decrypting session key: %s\n", gpg_strerror (rc));
427 log_printhex (seskey, seskeylen, "DEK frame:");
430 if (pk_algo == GCRY_PK_ECC)
432 gcry_sexp_t s_enc_val;
433 unsigned char *decrypted;
434 unsigned int decryptedlen;
436 rc = gcry_sexp_sscan (&s_enc_val, NULL, enc_val,
437 gcry_sexp_canon_len (enc_val, 0, NULL, NULL));
441 rc = ecdh_decrypt (seskey, seskeylen, nbits, s_enc_val,
442 &decrypted, &decryptedlen);
443 gcry_sexp_release (s_enc_val);
448 seskeylen = decryptedlen;
451 else if (seskeylen == 32 || seskeylen == 24 || seskeylen == 16)
453 /* Smells like an AES-128, 3-DES, or AES-256 key. This might
454 * happen because a SC has already done the unpacking. A better
455 * solution would be to test for this only after we triggered
456 * the GPG_ERR_INV_SESSION_KEY. */
460 if (n + 7 > seskeylen )
462 rc = gpg_error (GPG_ERR_INV_SESSION_KEY);
466 /* FIXME: Actually the leading zero is required but due to the way
467 we encode the output in libgcrypt as an MPI we are not able to
468 encode that leading zero. However, when using a Smartcard we are
469 doing it the right way and therefore we have to skip the zero. This
470 should be fixed in gpg-agent of course. */
474 if (seskey[n] != 2 ) /* Wrong block type version. */
476 rc = gpg_error (GPG_ERR_INV_SESSION_KEY);
480 for (n++; n < seskeylen && seskey[n]; n++) /* Skip the random bytes. */
482 n++; /* and the zero byte */
485 rc = gpg_error (GPG_ERR_INV_SESSION_KEY);
491 log_printhex (seskey+n, seskeylen-n, "CEK .....:");
494 log_info (_("%s.%s encrypted data\n"),
495 gcry_cipher_algo_name (parm->algo),
496 cipher_mode_to_string (parm->mode));
498 rc = gcry_cipher_open (&parm->hd, parm->algo, parm->mode, 0);
501 log_error ("error creating decryptor: %s\n", gpg_strerror (rc));
505 rc = gcry_cipher_setkey (parm->hd, seskey+n, seskeylen-n);
506 if (gpg_err_code (rc) == GPG_ERR_WEAK_KEY)
508 log_info (_("WARNING: message was encrypted with "
509 "a weak key in the symmetric cipher.\n"));
514 log_error("key setup failed: %s\n", gpg_strerror(rc) );
518 gcry_cipher_setiv (parm->hd, parm->iv, parm->ivlen);
526 /* This function is called by the KSBA writer just before the actual
527 write is done. The function must take INLEN bytes from INBUF,
528 decrypt it and store it inoutbuf which has a maximum size of
529 maxoutlen. The valid bytes in outbuf should be return in outlen.
530 Due to different buffer sizes or different length of input and
531 output, it may happen that fewer bytes are processed or fewer bytes
534 decrypt_filter (void *arg,
535 const void *inbuf, size_t inlen, size_t *inused,
536 void *outbuf, size_t maxoutlen, size_t *outlen)
538 struct decrypt_filter_parm_s *parm = arg;
539 int blklen = parm->blklen;
540 size_t orig_inlen = inlen;
542 /* fixme: Should we issue an error when we have not seen one full block? */
544 return gpg_error (GPG_ERR_BUG);
546 if (maxoutlen < 2*parm->blklen)
547 return gpg_error (GPG_ERR_BUG);
548 /* Make some space because we will later need an extra block at the end. */
551 if (parm->helpblocklen)
555 for (i=parm->helpblocklen,j=0; i < blklen && j < inlen; i++, j++)
556 parm->helpblock[i] = ((const char*)inbuf)[j];
558 if (blklen > maxoutlen)
559 return gpg_error (GPG_ERR_BUG);
562 parm->helpblocklen = i;
567 parm->helpblocklen = 0;
570 memcpy (outbuf, parm->lastblock, blklen);
575 gcry_cipher_decrypt (parm->hd, parm->lastblock, blklen,
576 parm->helpblock, blklen);
579 *inused = orig_inlen - inlen;
584 if (inlen > maxoutlen)
587 { /* store the remainder away */
588 parm->helpblocklen = inlen%blklen;
589 inlen = inlen/blklen*blklen;
590 memcpy (parm->helpblock, (const char*)inbuf+inlen, parm->helpblocklen);
593 *inused = inlen + parm->helpblocklen;
596 log_assert (inlen >= blklen);
599 gcry_cipher_decrypt (parm->hd, (char*)outbuf+blklen, inlen,
601 memcpy (outbuf, parm->lastblock, blklen);
602 memcpy (parm->lastblock,(char*)outbuf+inlen, blklen);
607 gcry_cipher_decrypt (parm->hd, outbuf, inlen, inbuf, inlen);
608 memcpy (parm->lastblock, (char*)outbuf+inlen-blklen, blklen);
609 *outlen = inlen - blklen;
620 /* Perform a decrypt operation. */
622 gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
625 gnupg_ksba_io_t b64reader = NULL;
626 gnupg_ksba_io_t b64writer = NULL;
627 ksba_reader_t reader;
628 ksba_writer_t writer;
629 ksba_cms_t cms = NULL;
630 ksba_stop_reason_t stopreason;
633 estream_t in_fp = NULL;
634 struct decrypt_filter_parm_s dfparm;
636 memset (&dfparm, 0, sizeof dfparm);
638 audit_set_type (ctrl->audit, AUDIT_TYPE_DECRYPT);
640 kh = keydb_new (ctrl);
643 log_error (_("failed to allocate keyDB handle\n"));
644 rc = gpg_error (GPG_ERR_GENERAL);
648 in_fp = es_fdopen_nc (in_fd, "rb");
651 rc = gpg_error_from_syserror ();
652 log_error ("fdopen() failed: %s\n", strerror (errno));
656 rc = gnupg_ksba_create_reader
657 (&b64reader, ((ctrl->is_pem? GNUPG_KSBA_IO_PEM : 0)
658 | (ctrl->is_base64? GNUPG_KSBA_IO_BASE64 : 0)
659 | (ctrl->autodetect_encoding? GNUPG_KSBA_IO_AUTODETECT : 0)),
663 log_error ("can't create reader: %s\n", gpg_strerror (rc));
667 rc = gnupg_ksba_create_writer
668 (&b64writer, ((ctrl->create_pem? GNUPG_KSBA_IO_PEM : 0)
669 | (ctrl->create_base64? GNUPG_KSBA_IO_BASE64 : 0)),
670 ctrl->pem_name, out_fp, &writer);
673 log_error ("can't create writer: %s\n", gpg_strerror (rc));
677 rc = ksba_cms_new (&cms);
681 rc = ksba_cms_set_reader_writer (cms, reader, writer);
684 log_error ("ksba_cms_set_reader_writer failed: %s\n",
689 audit_log (ctrl->audit, AUDIT_SETUP_READY);
694 rc = ksba_cms_parse (cms, &stopreason);
697 log_error ("ksba_cms_parse failed: %s\n", gpg_strerror (rc));
701 if (stopreason == KSBA_SR_BEGIN_DATA
702 || stopreason == KSBA_SR_DETACHED_DATA)
707 int is_de_vs; /* Computed compliance with CO_DE_VS. */
709 audit_log (ctrl->audit, AUDIT_GOT_DATA);
711 algoid = ksba_cms_get_content_oid (cms, 2/* encryption algo*/);
712 algo = gcry_cipher_map_name (algoid);
713 mode = gcry_cipher_mode_from_oid (algoid);
716 rc = gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM);
717 log_error ("unsupported algorithm '%s'\n", algoid? algoid:"?");
718 if (algoid && !strcmp (algoid, "1.2.840.113549.3.2"))
719 log_info (_("(this is the RC2 algorithm)\n"));
721 log_info (_("(this does not seem to be an encrypted"
725 sprintf (numbuf, "%d", rc);
726 gpgsm_status2 (ctrl, STATUS_ERROR, "decrypt.algorithm",
727 numbuf, algoid?algoid:"?", NULL);
728 audit_log_s (ctrl->audit, AUDIT_BAD_DATA_CIPHER_ALGO, algoid);
731 /* If it seems that this is not an encrypted message we
732 return a more sensible error code. */
734 rc = gpg_error (GPG_ERR_NO_DATA);
739 /* Check compliance. */
740 if (! gnupg_cipher_is_allowed (opt.compliance, 0, algo, mode))
742 log_error (_("cipher algorithm '%s'"
743 " may not be used in %s mode\n"),
744 gcry_cipher_algo_name (algo),
745 gnupg_compliance_option_string (opt.compliance));
746 rc = gpg_error (GPG_ERR_CIPHER_ALGO);
750 /* For CMS, CO_DE_VS demands CBC mode. */
751 is_de_vs = gnupg_cipher_is_compliant (CO_DE_VS, algo, mode);
753 audit_log_i (ctrl->audit, AUDIT_DATA_CIPHER_ALGO, algo);
756 dfparm.blklen = gcry_cipher_get_algo_blklen (algo);
757 if (dfparm.blklen > sizeof (dfparm.helpblock))
758 return gpg_error (GPG_ERR_BUG);
760 rc = ksba_cms_get_content_enc_iv (cms,
766 log_error ("error getting IV: %s\n", gpg_strerror (rc));
770 for (recp=0; !any_key; recp++)
775 char *hexkeygrip = NULL;
776 char *pkalgostr = NULL;
781 ksba_cert_t cert = NULL;
787 tmp_rc = ksba_cms_get_issuer_serial (cms, recp, &issuer, &serial);
788 if (tmp_rc == -1 && recp)
789 break; /* no more recipients */
790 audit_log_i (ctrl->audit, AUDIT_NEW_RECP, recp);
792 log_error ("recp %d - error getting info: %s\n",
793 recp, gpg_strerror (tmp_rc));
798 log_info ("recp %d - issuer: '%s'\n",
799 recp, issuer? issuer:"[NONE]");
800 log_info ("recp %d - serial: ", recp);
801 gpgsm_dump_serial (serial);
807 char *tmpstr = gpgsm_format_sn_issuer (serial, issuer);
808 audit_log_s (ctrl->audit, AUDIT_RECP_NAME, tmpstr);
812 keydb_search_reset (kh);
813 rc = keydb_search_issuer_sn (ctrl, kh, issuer, serial);
816 log_error ("failed to find the certificate: %s\n",
821 rc = keydb_get_cert (kh, &cert);
824 log_error ("failed to get cert: %s\n", gpg_strerror (rc));
828 /* Print the ENC_TO status line. Note that we can
829 do so only if we have the certificate. This is
830 in contrast to gpg where the keyID is commonly
831 included in the encrypted messages. It is too
832 cumbersome to retrieve the used algorithm, thus
833 we don't print it for now. We also record the
834 keyid for later use. */
836 unsigned long kid[2];
838 kid[0] = gpgsm_get_short_fingerprint (cert, kid+1);
839 snprintf (kidbuf, sizeof kidbuf, "%08lX%08lX",
841 gpgsm_status2 (ctrl, STATUS_ENC_TO,
842 kidbuf, "0", "0", NULL);
845 /* Put the certificate into the audit log. */
846 audit_log_cert (ctrl->audit, AUDIT_SAVE_CERT, cert, 0);
848 /* Just in case there is a problem with the own
849 certificate we print this message - should never
851 rc = gpgsm_cert_use_decrypt_p (cert);
855 sprintf (numbuf, "%d", rc);
856 gpgsm_status2 (ctrl, STATUS_ERROR, "decrypt.keyusage",
861 hexkeygrip = gpgsm_get_keygrip_hexstring (cert);
862 desc = gpgsm_format_keydesc (cert);
864 pkfpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
865 pkalgostr = gpgsm_pubkey_algo_string (cert, NULL);
866 pk_algo = gpgsm_get_key_algo_info (cert, &nbits);
868 log_info (_("encrypted to %s key %s\n"), pkalgostr, pkfpr);
870 /* Check compliance. */
871 if (!gnupg_pk_is_allowed (opt.compliance,
873 pk_algo, 0, NULL, nbits, NULL))
877 snprintf (kidstr, sizeof kidstr, "0x%08lX",
878 gpgsm_get_short_fingerprint (cert, NULL));
879 log_info (_("key %s is not suitable for decryption"
882 gnupg_compliance_option_string(opt.compliance));
883 rc = gpg_error (GPG_ERR_PUBKEY_ALGO);
887 /* Check that all certs are compliant with CO_DE_VS. */
889 && gnupg_pk_is_compliant (CO_DE_VS, pk_algo, 0,
895 /* We cannot check compliance of certs that we
901 ksba_cert_release (cert);
904 if (!hexkeygrip || !pk_algo)
906 else if (!(enc_val = ksba_cms_get_enc_val (cms, recp)))
907 log_error ("recp %d - error getting encrypted session key\n",
911 rc = prepare_decryption (ctrl, hexkeygrip, pk_algo, nbits,
912 desc, enc_val, &dfparm);
916 log_info ("decrypting session key failed: %s\n",
918 if (gpg_err_code (rc) == GPG_ERR_NO_SECKEY && *kidbuf)
919 gpgsm_status2 (ctrl, STATUS_NO_SECKEY, kidbuf, NULL);
922 { /* setup the bulk decrypter */
924 ksba_writer_set_filter (writer,
928 if (is_de_vs && gnupg_gcrypt_is_compliant (CO_DE_VS))
929 gpgsm_status (ctrl, STATUS_DECRYPTION_COMPLIANCE_MODE,
930 gnupg_status_compliance_flag (CO_DE_VS));
933 audit_log_ok (ctrl->audit, AUDIT_RECP_RESULT, rc);
941 /* If we write an audit log add the unused recipients to the
943 if (ctrl->audit && any_key)
951 tmp_rc = ksba_cms_get_issuer_serial (cms, recp,
954 break; /* no more recipients */
955 audit_log_i (ctrl->audit, AUDIT_NEW_RECP, recp);
957 log_error ("recp %d - error getting info: %s\n",
958 recp, gpg_strerror (tmp_rc));
961 char *tmpstr = gpgsm_format_sn_issuer (serial, issuer);
962 audit_log_s (ctrl->audit, AUDIT_RECP_NAME, tmpstr);
973 rc = gpg_error (GPG_ERR_NO_SECKEY);
977 else if (stopreason == KSBA_SR_END_DATA)
979 ksba_writer_set_filter (writer, NULL, NULL);
981 { /* write the last block with padding removed */
982 int i, npadding = dfparm.lastblock[dfparm.blklen-1];
983 if (!npadding || npadding > dfparm.blklen)
985 log_error ("invalid padding with value %d\n", npadding);
986 rc = gpg_error (GPG_ERR_INV_DATA);
989 rc = ksba_writer_write (writer,
991 dfparm.blklen - npadding);
995 for (i=dfparm.blklen - npadding; i < dfparm.blklen; i++)
997 if (dfparm.lastblock[i] != npadding)
999 log_error ("inconsistent padding\n");
1000 rc = gpg_error (GPG_ERR_INV_DATA);
1008 while (stopreason != KSBA_SR_READY);
1010 rc = gnupg_ksba_finish_writer (b64writer);
1013 log_error ("write failed: %s\n", gpg_strerror (rc));
1016 gpgsm_status (ctrl, STATUS_DECRYPTION_OKAY, NULL);
1020 audit_log_ok (ctrl->audit, AUDIT_DECRYPTION_RESULT, rc);
1023 gpgsm_status (ctrl, STATUS_DECRYPTION_FAILED, NULL);
1024 log_error ("message decryption failed: %s <%s>\n",
1025 gpg_strerror (rc), gpg_strsource (rc));
1027 ksba_cms_release (cms);
1028 gnupg_ksba_destroy_reader (b64reader);
1029 gnupg_ksba_destroy_writer (b64writer);
1033 gcry_cipher_close (dfparm.hd);