authorDavid Shaw <[email protected]>2005-02-10 04:11:35 +0000
committerDavid Shaw <[email protected]>2005-02-10 04:11:35 +0000
commit4df22ba0308dbc6e2effcb83bd91334ac8932bb2 (patch)
tree366da2338dc45ce753d06aaccca989487cc1a5ab
parentMake --without-included-zlib work as (diff)
Disable the "quick check" bytes for PK decryptions. This is in
regard to the Mister and Zuccherato attack on OpenPGP CFB mode.
-rw-r--r--g10/ChangeLog9
-rw-r--r--g10/encr-data.c8
-rw-r--r--g10/mainproc.c6
-rw-r--r--include/ChangeLog4
-rw-r--r--include/cipher.h4
5 files changed, 25 insertions, 6 deletions
diff --git a/g10/ChangeLog b/g10/ChangeLog
index b268c1e45..ed26a2391 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,3 +1,12 @@
+2005-02-09 David Shaw <[email protected]>
+
+ * mainproc.c (proc_symkey_enc): Set a flag to indicate that a
+ particular session key came from a passphrase and not a PK.
+
+ * encr-data.c (decrypt_data): Use it here to turn off the "quick
+ check" bytes for PK decryptions. This is in regards to the Mister
+ and Zuccherato attack on OpenPGP CFB mode.
+
2004-11-29 David Shaw <[email protected]>
* getkey.c (parse_key_usage): New function to parse out key usage
diff --git a/g10/encr-data.c b/g10/encr-data.c
index c8a8c85db..fc76daf1d 100644
--- a/g10/encr-data.c
+++ b/g10/encr-data.c
@@ -1,5 +1,5 @@
/* encr-data.c - process an encrypted data packet
- * Copyright (C) 1998, 1999, 2000, 2001 Free Software Foundation, Inc.
+ * Copyright (C) 1998, 1999, 2000, 2001, 2005 Free Software Foundation, Inc.
*
* This file is part of GnuPG.
*
@@ -120,10 +120,12 @@ decrypt_data( void *procctx, PKT_encrypted *ed, DEK *dek )
cipher_sync( dfx.cipher_hd );
p = temp;
/* log_hexdump( "prefix", temp, nprefix+2 ); */
- if( p[nprefix-2] != p[nprefix] || p[nprefix-1] != p[nprefix+1] ) {
+ if( dek->symmetric
+ && (p[nprefix-2] != p[nprefix] || p[nprefix-1] != p[nprefix+1]) )
+ {
rc = G10ERR_BAD_KEY;
goto leave;
- }
+ }
if( dfx.mdc_hash )
md_write( dfx.mdc_hash, temp, nprefix+2 );
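Review bot: The new condition on `dek->symmetric` changes the failure mode for public-key sessions without saying so in the code: for a PK-encrypted session key a wrong DEK is no longer reported as G10ERR_BAD_KEY here, and when the packet carries no MDC (`dfx.mdc_hash` unset on the next line) the data will decrypt to garbage with no error raised at this point. That is the intended trade-off, but it deserves a comment above the `if`, e.g. `/* Verify the quick-check bytes only for passphrase-derived keys: for PK-encrypted session keys they would act as a decryption oracle (Mister & Zuccherato, OpenPGP CFB mode). */`. The branch also presumes that every path producing a DEK zero-fills the struct, since `symmetric` is read here for DEKs that proc_symkey_enc never touched; if any DEK allocation is not cleared, the field is uninitialized and this check becomes nondeterministic. decrypt_data begins and ends outside this hunk.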
diff --git a/g10/mainproc.c b/g10/mainproc.c
index 9b7a4ddc3..88211abf9 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@@ -1,6 +1,6 @@
/* mainproc.c - handle packets
- * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003,
- * 2004 Free Software Foundation, Inc.
+ * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004,
+ * 2005 Free Software Foundation, Inc.
*
* This file is part of GnuPG.
*
@@ -317,6 +317,8 @@ proc_symkey_enc( CTX c, PACKET *pkt )
c->dek = passphrase_to_dek( NULL, 0, algo, &enc->s2k, 0, NULL, NULL );
if(c->dek)
{
+ c->dek->symmetric=1;
+
/* FIXME: This doesn't work perfectly if a symmetric key
comes before a public key in the message - if the user
doesn't know the passphrase, then there is a chance
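Review bot: `c->dek->symmetric=1` is set only on the proc_symkey_enc path, so the quick check in decrypt_data now depends on this being the sole place a passphrase-derived DEK is created; if the code base also derives a DEK from a passphrase elsewhere (for example when an encrypted packet arrives with no preceding session-key packet), that DEK keeps `symmetric == 0` and silently loses the quick check. Consider setting the flag inside passphrase_to_dek itself, or auditing its other call sites. A short comment would also help a later reader: `/* Mark the key as passphrase-derived so decrypt_data keeps the quick-check bytes (see the Mister/Zuccherato CFB attack). */`. proc_symkey_enc continues outside the hunk.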
diff --git a/include/ChangeLog b/include/ChangeLog
index 7b5a8d88e..bbb1fdbfc 100644
--- a/include/ChangeLog
+++ b/include/ChangeLog
@@ -1,3 +1,7 @@
+2005-02-09 David Shaw <[email protected]>
+
+ * cipher.h: Add a flag for a symmetric DEK.
+
2004-11-29 David Shaw <[email protected]>
* cipher.h: Add PUBKEY_USAGE_UNKNOWN.
diff --git a/include/cipher.h b/include/cipher.h
index 3e7489e92..93d345689 100644
--- a/include/cipher.h
+++ b/include/cipher.h
@@ -1,5 +1,6 @@
/* cipher.h
- * Copyright (C) 1998, 1999, 2000, 2001, 2003 Free Software Foundation, Inc.
+ * Copyright (C) 1998, 1999, 2000, 2001, 2003,
+ * 2005 Free Software Foundation, Inc.
*
* This file is part of GNUPG.
*
@@ -76,6 +77,7 @@ typedef struct {
int keylen;
int algo_info_printed;
int use_mdc;
+ int symmetric;
byte key[32]; /* this is the largest used keylen (256 bit) */
} DEK;
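Review bot: The new `symmetric` member is undocumented, although its meaning and its safe default are what decrypt_data's quick-check decision now rests on; the neighbouring members are equally bare, but this one carries a security decision. Suggest `int symmetric; /* 1 if the key was derived from a passphrase (S2K), 0 if it arrived as a PK-encrypted session key; controls whether encr-data.c verifies the quick-check bytes. */`. Because 0 is the value that disables the check, the comment should also state that a DEK must be zero-initialised when allocated. The typedef opens above this hunk.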