1 /* decrypt.c - Decrypt a message
2 * Copyright (C) 2001, 2003, 2010 Free Software Foundation, Inc.
4 * This file is part of GnuPG.
6 * GnuPG is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * GnuPG is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <https://www.gnu.org/licenses/>.
34 #include "../common/i18n.h"
36 struct decrypt_filter_parm_s
44 int any_data; /* dod we push anything through the filter at all? */
45 unsigned char lastblock[16]; /* to strip the padding we have to
47 char helpblock[16]; /* needed because there is no block buffering in
54 /* Decrypt the session key and fill in the parm structure. The
55 algo and the IV is expected to be already in PARM. */
57 prepare_decryption (ctrl_t ctrl, const char *hexkeygrip, const char *desc,
58 ksba_const_sexp_t enc_val,
59 struct decrypt_filter_parm_s *parm)
65 rc = gpgsm_agent_pkdecrypt (ctrl, hexkeygrip, desc, enc_val,
69 log_error ("error decrypting session key: %s\n", gpg_strerror (rc));
74 log_printhex ("pkcs1 encoded session key:", seskey, seskeylen);
77 if (seskeylen == 24 || seskeylen == 16)
79 /* Smells like a 3-DES or AES-128 key. This might happen
80 * because a SC has already done the unpacking. A better
81 * solution would be to test for this only after we triggered
82 * the GPG_ERR_INV_SESSION_KEY. */
86 if (n + 7 > seskeylen )
88 rc = gpg_error (GPG_ERR_INV_SESSION_KEY);
92 /* FIXME: Actually the leading zero is required but due to the way
93 we encode the output in libgcrypt as an MPI we are not able to
94 encode that leading zero. However, when using a Smartcard we are
95 doing it the right way and therefore we have to skip the zero. This
96 should be fixed in gpg-agent of course. */
100 if (seskey[n] != 2 ) /* Wrong block type version. */
102 rc = gpg_error (GPG_ERR_INV_SESSION_KEY);
106 for (n++; n < seskeylen && seskey[n]; n++) /* Skip the random bytes. */
108 n++; /* and the zero byte */
111 rc = gpg_error (GPG_ERR_INV_SESSION_KEY);
117 log_printhex ("session key:", seskey+n, seskeylen-n);
119 rc = gcry_cipher_open (&parm->hd, parm->algo, parm->mode, 0);
122 log_error ("error creating decryptor: %s\n", gpg_strerror (rc));
126 rc = gcry_cipher_setkey (parm->hd, seskey+n, seskeylen-n);
127 if (gpg_err_code (rc) == GPG_ERR_WEAK_KEY)
129 log_info (_("WARNING: message was encrypted with "
130 "a weak key in the symmetric cipher.\n"));
135 log_error("key setup failed: %s\n", gpg_strerror(rc) );
139 gcry_cipher_setiv (parm->hd, parm->iv, parm->ivlen);
147 /* This function is called by the KSBA writer just before the actual
148 write is done. The function must take INLEN bytes from INBUF,
149 decrypt it and store it inoutbuf which has a maximum size of
150 maxoutlen. The valid bytes in outbuf should be return in outlen.
151 Due to different buffer sizes or different length of input and
152 output, it may happen that fewer bytes are processed or fewer bytes
155 decrypt_filter (void *arg,
156 const void *inbuf, size_t inlen, size_t *inused,
157 void *outbuf, size_t maxoutlen, size_t *outlen)
159 struct decrypt_filter_parm_s *parm = arg;
160 int blklen = parm->blklen;
161 size_t orig_inlen = inlen;
163 /* fixme: Should we issue an error when we have not seen one full block? */
165 return gpg_error (GPG_ERR_BUG);
167 if (maxoutlen < 2*parm->blklen)
168 return gpg_error (GPG_ERR_BUG);
169 /* Make some space because we will later need an extra block at the end. */
172 if (parm->helpblocklen)
176 for (i=parm->helpblocklen,j=0; i < blklen && j < inlen; i++, j++)
177 parm->helpblock[i] = ((const char*)inbuf)[j];
179 if (blklen > maxoutlen)
180 return gpg_error (GPG_ERR_BUG);
183 parm->helpblocklen = i;
188 parm->helpblocklen = 0;
191 memcpy (outbuf, parm->lastblock, blklen);
196 gcry_cipher_decrypt (parm->hd, parm->lastblock, blklen,
197 parm->helpblock, blklen);
200 *inused = orig_inlen - inlen;
205 if (inlen > maxoutlen)
208 { /* store the remainder away */
209 parm->helpblocklen = inlen%blklen;
210 inlen = inlen/blklen*blklen;
211 memcpy (parm->helpblock, (const char*)inbuf+inlen, parm->helpblocklen);
214 *inused = inlen + parm->helpblocklen;
217 assert (inlen >= blklen);
220 gcry_cipher_decrypt (parm->hd, (char*)outbuf+blklen, inlen,
222 memcpy (outbuf, parm->lastblock, blklen);
223 memcpy (parm->lastblock,(char*)outbuf+inlen, blklen);
228 gcry_cipher_decrypt (parm->hd, outbuf, inlen, inbuf, inlen);
229 memcpy (parm->lastblock, (char*)outbuf+inlen-blklen, blklen);
230 *outlen = inlen - blklen;
241 /* Perform a decrypt operation. */
243 gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
246 gnupg_ksba_io_t b64reader = NULL;
247 gnupg_ksba_io_t b64writer = NULL;
248 ksba_reader_t reader;
249 ksba_writer_t writer;
250 ksba_cms_t cms = NULL;
251 ksba_stop_reason_t stopreason;
254 estream_t in_fp = NULL;
255 struct decrypt_filter_parm_s dfparm;
257 memset (&dfparm, 0, sizeof dfparm);
259 audit_set_type (ctrl->audit, AUDIT_TYPE_DECRYPT);
264 log_error (_("failed to allocate keyDB handle\n"));
265 rc = gpg_error (GPG_ERR_GENERAL);
269 in_fp = es_fdopen_nc (in_fd, "rb");
272 rc = gpg_error_from_syserror ();
273 log_error ("fdopen() failed: %s\n", strerror (errno));
277 rc = gnupg_ksba_create_reader
278 (&b64reader, ((ctrl->is_pem? GNUPG_KSBA_IO_PEM : 0)
279 | (ctrl->is_base64? GNUPG_KSBA_IO_BASE64 : 0)
280 | (ctrl->autodetect_encoding? GNUPG_KSBA_IO_AUTODETECT : 0)),
284 log_error ("can't create reader: %s\n", gpg_strerror (rc));
288 rc = gnupg_ksba_create_writer
289 (&b64writer, ((ctrl->create_pem? GNUPG_KSBA_IO_PEM : 0)
290 | (ctrl->create_base64? GNUPG_KSBA_IO_BASE64 : 0)),
291 ctrl->pem_name, out_fp, &writer);
294 log_error ("can't create writer: %s\n", gpg_strerror (rc));
298 rc = ksba_cms_new (&cms);
302 rc = ksba_cms_set_reader_writer (cms, reader, writer);
305 log_debug ("ksba_cms_set_reader_writer failed: %s\n",
310 audit_log (ctrl->audit, AUDIT_SETUP_READY);
315 rc = ksba_cms_parse (cms, &stopreason);
318 log_debug ("ksba_cms_parse failed: %s\n", gpg_strerror (rc));
322 if (stopreason == KSBA_SR_BEGIN_DATA
323 || stopreason == KSBA_SR_DETACHED_DATA)
329 audit_log (ctrl->audit, AUDIT_GOT_DATA);
331 algoid = ksba_cms_get_content_oid (cms, 2/* encryption algo*/);
332 algo = gcry_cipher_map_name (algoid);
333 mode = gcry_cipher_mode_from_oid (algoid);
336 rc = gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM);
337 log_error ("unsupported algorithm '%s'\n", algoid? algoid:"?");
338 if (algoid && !strcmp (algoid, "1.2.840.113549.3.2"))
339 log_info (_("(this is the RC2 algorithm)\n"));
341 log_info (_("(this does not seem to be an encrypted"
345 sprintf (numbuf, "%d", rc);
346 gpgsm_status2 (ctrl, STATUS_ERROR, "decrypt.algorithm",
347 numbuf, algoid?algoid:"?", NULL);
348 audit_log_s (ctrl->audit, AUDIT_BAD_DATA_CIPHER_ALGO, algoid);
351 /* If it seems that this is not an encrypted message we
352 return a more sensible error code. */
354 rc = gpg_error (GPG_ERR_NO_DATA);
359 audit_log_i (ctrl->audit, AUDIT_DATA_CIPHER_ALGO, algo);
362 dfparm.blklen = gcry_cipher_get_algo_blklen (algo);
363 if (dfparm.blklen > sizeof (dfparm.helpblock))
364 return gpg_error (GPG_ERR_BUG);
366 rc = ksba_cms_get_content_enc_iv (cms,
372 log_error ("error getting IV: %s\n", gpg_strerror (rc));
376 for (recp=0; !any_key; recp++)
381 char *hexkeygrip = NULL;
387 rc = ksba_cms_get_issuer_serial (cms, recp, &issuer, &serial);
388 if (rc == -1 && recp)
389 break; /* no more recipients */
390 audit_log_i (ctrl->audit, AUDIT_NEW_RECP, recp);
392 log_error ("recp %d - error getting info: %s\n",
393 recp, gpg_strerror (rc));
396 ksba_cert_t cert = NULL;
398 log_debug ("recp %d - issuer: '%s'\n",
399 recp, issuer? issuer:"[NONE]");
400 log_debug ("recp %d - serial: ", recp);
401 gpgsm_dump_serial (serial);
406 char *tmpstr = gpgsm_format_sn_issuer (serial, issuer);
407 audit_log_s (ctrl->audit, AUDIT_RECP_NAME, tmpstr);
411 keydb_search_reset (kh);
412 rc = keydb_search_issuer_sn (ctrl, kh, issuer, serial);
415 log_error ("failed to find the certificate: %s\n",
420 rc = keydb_get_cert (kh, &cert);
423 log_error ("failed to get cert: %s\n", gpg_strerror (rc));
427 /* Print the ENC_TO status line. Note that we can
428 do so only if we have the certificate. This is
429 in contrast to gpg where the keyID is commonly
430 included in the encrypted messages. It is too
431 cumbersome to retrieve the used algorithm, thus
432 we don't print it for now. We also record the
433 keyid for later use. */
435 unsigned long kid[2];
437 kid[0] = gpgsm_get_short_fingerprint (cert, kid+1);
438 snprintf (kidbuf, sizeof kidbuf, "%08lX%08lX",
440 gpgsm_status2 (ctrl, STATUS_ENC_TO,
441 kidbuf, "0", "0", NULL);
444 /* Put the certificate into the audit log. */
445 audit_log_cert (ctrl->audit, AUDIT_SAVE_CERT, cert, 0);
447 /* Just in case there is a problem with the own
448 certificate we print this message - should never
450 rc = gpgsm_cert_use_decrypt_p (cert);
454 sprintf (numbuf, "%d", rc);
455 gpgsm_status2 (ctrl, STATUS_ERROR, "decrypt.keyusage",
460 hexkeygrip = gpgsm_get_keygrip_hexstring (cert);
461 desc = gpgsm_format_keydesc (cert);
466 ksba_cert_release (cert);
471 else if (!(enc_val = ksba_cms_get_enc_val (cms, recp)))
472 log_error ("recp %d - error getting encrypted session key\n",
476 rc = prepare_decryption (ctrl,
477 hexkeygrip, desc, enc_val, &dfparm);
481 log_info ("decrypting session key failed: %s\n",
483 if (gpg_err_code (rc) == GPG_ERR_NO_SECKEY && *kidbuf)
484 gpgsm_status2 (ctrl, STATUS_NO_SECKEY, kidbuf, NULL);
487 { /* setup the bulk decrypter */
489 ksba_writer_set_filter (writer,
493 audit_log_ok (ctrl->audit, AUDIT_RECP_RESULT, rc);
499 /* If we write an audit log add the unused recipients to the
501 if (ctrl->audit && any_key)
509 tmp_rc = ksba_cms_get_issuer_serial (cms, recp,
512 break; /* no more recipients */
513 audit_log_i (ctrl->audit, AUDIT_NEW_RECP, recp);
515 log_error ("recp %d - error getting info: %s\n",
516 recp, gpg_strerror (rc));
519 char *tmpstr = gpgsm_format_sn_issuer (serial, issuer);
520 audit_log_s (ctrl->audit, AUDIT_RECP_NAME, tmpstr);
530 rc = gpg_error (GPG_ERR_NO_SECKEY);
534 else if (stopreason == KSBA_SR_END_DATA)
536 ksba_writer_set_filter (writer, NULL, NULL);
538 { /* write the last block with padding removed */
539 int i, npadding = dfparm.lastblock[dfparm.blklen-1];
540 if (!npadding || npadding > dfparm.blklen)
542 log_error ("invalid padding with value %d\n", npadding);
543 rc = gpg_error (GPG_ERR_INV_DATA);
546 rc = ksba_writer_write (writer,
548 dfparm.blklen - npadding);
552 for (i=dfparm.blklen - npadding; i < dfparm.blklen; i++)
554 if (dfparm.lastblock[i] != npadding)
556 log_error ("inconsistent padding\n");
557 rc = gpg_error (GPG_ERR_INV_DATA);
565 while (stopreason != KSBA_SR_READY);
567 rc = gnupg_ksba_finish_writer (b64writer);
570 log_error ("write failed: %s\n", gpg_strerror (rc));
573 gpgsm_status (ctrl, STATUS_DECRYPTION_OKAY, NULL);
577 audit_log_ok (ctrl->audit, AUDIT_DECRYPTION_RESULT, rc);
580 gpgsm_status (ctrl, STATUS_DECRYPTION_FAILED, NULL);
581 log_error ("message decryption failed: %s <%s>\n",
582 gpg_strerror (rc), gpg_strsource (rc));
584 ksba_cms_release (cms);
585 gnupg_ksba_destroy_reader (b64reader);
586 gnupg_ksba_destroy_writer (b64writer);
590 gcry_cipher_close (dfparm.hd);