diff options
Diffstat (limited to '')
-rw-r--r-- | g10/t-stutter.c | 613 |
1 files changed, 613 insertions, 0 deletions
diff --git a/g10/t-stutter.c b/g10/t-stutter.c new file mode 100644 index 0000000..503a920 --- /dev/null +++ b/g10/t-stutter.c @@ -0,0 +1,613 @@ +/* t-stutter.c - Test the stutter exploit. + * Copyright (C) 2016 g10 Code GmbH + * + * This file is part of GnuPG. + * + * GnuPG is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuPG is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <https://www.gnu.org/licenses/>. + */ + +/* This test is based on the paper: "An Attack on CFB Mode Encryption + * as Used by OpenPGP." This attack uses a padding oracle to decrypt + * the first two bytes of each block (which are normally 16 bytes + * large). Concretely, if an attacker can use this attack if it can + * sense whether the quick integrity check failed. See RFC 4880, + * Section 5.7 for an explanation of this quick check. + * + * The concrete attack, as described in the paper, only works for + * PKT_ENCRYPTED packets; it does not work for PKT_ENCRYPTED_MDC + * packets, which use a slightly different CFB mode (they don't + * include a sync after the IV). But, small modifications should + * allow the attack to work for PKT_ENCRYPTED_MDC packets. + * + * The cost of this attack is 2^15 + i * 2^15 oracle queries, where i + * is the number of blocks the attack wants to decrypt. This attack + * is completely unfeasible when gpg is used interactively, but it + * could work when used as a service. + * + * How to generate a test message: + * + * $ echo 0123456789abcdefghijklmnopqrstuvwxyz | \ + * gpg --disable-mdc -z 0 -c > msg.asc + * $ gpg --list-packets msg.asc + * # Make sure the encryption packet contains a literal packet (without + * # any nesting). + * $ gpgsplit msg.asc + * $ gpg --show-session-key -d msg.asc + * $ ./t-stutter --debug SESSION_KEY 000002-009.encrypted + */ + +#include <config.h> +#include <errno.h> +#include <ctype.h> + +#include "gpg.h" +#include "main.h" +#include "../common/types.h" +#include "../common/util.h" +#include "dek.h" +#include "../common/logging.h" + +#include "test.c" + +static void +log_hexdump (byte *buffer, int length) +{ + int written = 0; + + fprintf (stderr, "%d bytes:\n", length); + while (length > 0) + { + int have = length > 16 ? 16 : length; + int i; + char formatted[2 * 16 + 1]; + char text[16 + 1]; + + fprintf (stderr, "%-8d ", written); + bin2hex (buffer, have, formatted); + for (i = 0; i < 16; i ++) + { + if (i % 2 == 0) + fputc (' ', stderr); + if (i % 8 == 0) + fputc (' ', stderr); + + if (i < have) + fwrite (&formatted[2 * i], 2, 1, stderr); + else + fwrite (" ", 2, 1, stderr); + } + + for (i = 0; i < have; i ++) + { + if (isprint (buffer[i])) + text[i] = buffer[i]; + else + text[i] = '.'; + } + text[i] = 0; + + fprintf (stderr, " "); + if (strlen (text) > 8) + { + fwrite (text, 8, 1, stderr); + fputc (' ', stderr); + fwrite (&text[8], strlen (text) - 8, 1, stderr); + } + else + fwrite (text, strlen (text), 1, stderr); + fputc ('\n', stderr); + + buffer += have; + length -= have; + written += have; + } + + return; +} + +static char * +hexstr (const byte *bytes) +{ + static int i; + static char bufs[100][7]; + + i ++; + if (i == 100) + i = 0; + + sprintf (bufs[i], "0x%02X%02X", bytes[0], bytes[1]); + return bufs[i]; +} + +/* xor the two bytes starting at A with the two bytes starting at B + and return the result. */ +static byte * +bufxor2 (const byte *a, const byte *b) +{ + static int i; + static char bufs[100][2]; + + i ++; + if (i == 100) + i = 0; + + bufs[i][0] = a[0] ^ b[0]; + bufs[i][1] = a[1] ^ b[1]; + return bufs[i]; +} + +/* The session key stays constant. */ +static DEK dek; +int blocksize; + +/* Decode the session key, which is in the format output by gpg + --show-session-key. */ +static void +parse_session_key (char *session_key) +{ + char *tail; + char *p = session_key; + + errno = 0; + dek.algo = strtol (p, &tail, 10); + if (errno || (tail && *tail != ':')) + log_fatal ("Invalid session key specification. " + "Expected: cipher-id:HEXADECIMAL-CHRACTERS\n"); + + /* Skip the ':'. */ + p = tail + 1; + + if (strlen (p) % 2 != 0) + log_fatal ("Session key must consist of an even number of hexadecimal characters.\n"); + + dek.keylen = strlen (p) / 2; + log_assert (dek.keylen <= sizeof (dek.key)); + + if (hex2bin (p, dek.key, dek.keylen) == -1) + log_fatal ("Session key must only contain hexadecimal characters\n"); + + blocksize = openpgp_cipher_get_algo_blklen (dek.algo); + if ( !blocksize || blocksize > 16 ) + log_fatal ("unsupported blocksize %u\n", blocksize ); + + return; +} + +/* The ciphertext, the plaintext as decrypted by the good session key, + and the cfb stream (derived from the ciphertext and the + plaintext). */ +static int msg_len; +static byte *msg; +static byte *msg_plaintext; +static byte *msg_cfb; + +/* Whether we need to resynchronize the CFB after writing the random + data (this is the case for encrypted packets, but not encrypted and + integrity protected packets). */ +static int sync; + +static int +block_offset (int i) +{ + int extra = 0; + + log_assert (i >= 1); + /* Make sure blocksize has been initialized. */ + log_assert (blocksize); + + if (i > 2) + { + i -= 2; + extra = blocksize + 2; + } + return (i - 1) * blocksize + extra; +} + +/* Return the ith block from TEXT. The first block is labeled 1. + Note: consistent with the OpenPGP message format, the second block + (i=2) is just 2 bytes. */ +static byte * +block (byte *text, int len, int i) +{ + int offset = block_offset (i); + + log_assert (offset < len); + return &text[offset]; +} + +/* Return true if the quick integrity check passes. Also, if + PLAINTEXTP is not NULL, return the decrypted plaintext in + *PLAINTEXTP. If CFBP is not NULL, return the CFB byte stream in + *CFBP. */ +static int +oracle (int debug, byte *ciphertext, int len, byte **plaintextp, byte **cfbp) +{ + int rc = 0; + unsigned nprefix; + gcry_cipher_hd_t cipher_hd = NULL; + byte *plaintext = NULL; + byte *cfb = NULL; + + /* Make sure DEK was initialized. */ + log_assert (dek.algo); + log_assert (dek.keylen); + log_assert (blocksize); + + nprefix = blocksize; + if (len < nprefix + 2) + { + /* An invalid message. We can't check that during parsing + because we may not know the used cipher then. */ + rc = gpg_error (GPG_ERR_INV_PACKET); + goto leave; + } + + rc = openpgp_cipher_open (&cipher_hd, dek.algo, + GCRY_CIPHER_MODE_CFB, + (! sync /* ed->mdc_method || dek.algo >= 100 */ ? + 0 : GCRY_CIPHER_ENABLE_SYNC)); + if (rc) + log_fatal ("Failed to open cipher: %s\n", gpg_strerror (rc)); + + rc = gcry_cipher_setkey (cipher_hd, dek.key, dek.keylen); + if (gpg_err_code (rc) == GPG_ERR_WEAK_KEY) + { + log_info ("WARNING: message was encrypted with" + " a weak key in the symmetric cipher.\n"); + rc=0; + } + else if( rc ) + log_fatal ("key setup failed: %s\n", gpg_strerror (rc)); + + gcry_cipher_setiv (cipher_hd, NULL, 0); + + if (debug) + { + log_debug ("Encrypted data:\n"); + log_hexdump(ciphertext, len); + } + plaintext = xmalloc_clear (len); + gcry_cipher_decrypt (cipher_hd, plaintext, blocksize + 2, + ciphertext, blocksize + 2); + gcry_cipher_sync (cipher_hd); + if (len > blocksize+2) + gcry_cipher_decrypt (cipher_hd, + &plaintext[blocksize+2], len-(blocksize+2), + &ciphertext[blocksize+2], len-(blocksize+2)); + + if (debug) + { + log_debug ("Decrypted data:\n"); + log_hexdump (plaintext, len); + log_debug ("R_{b-1,b} = %s\n", hexstr (&plaintext[blocksize - 2])); + log_debug ("R_{b+1,b+2} = %s\n", hexstr (&plaintext[blocksize])); + } + + if (cfbp || debug) + { + int i; + cfb = xmalloc (len); + for (i = 0; i < len; i ++) + cfb[i] = plaintext[i] ^ ciphertext[i]; + + log_assert (len >= blocksize + 2); + + if (debug) + { + log_debug ("cfb:\n"); + log_hexdump (cfb, len); + + log_debug ("E_k([C_1]_{1,2}) = C_2 xor R (%s xor %s) = %s\n", + hexstr (&ciphertext[blocksize]), + hexstr (&plaintext[blocksize]), + hexstr (bufxor2 (&ciphertext[blocksize], + &plaintext[blocksize]))); + if (len >= blocksize + 4) + log_debug ("D = Ek([C1]_{3-b} || C_2)_{1-2} (%s) xor C2 (%s) xor E_k(0)_{b-1,b} (%s) = %s\n", + hexstr (&cfb[blocksize + 2]), + hexstr (&ciphertext[blocksize]), + hexstr (&cfb[blocksize - 2]), + hexstr (bufxor2 (bufxor2 (&cfb[blocksize + 2], + &ciphertext[blocksize]), + &cfb[blocksize - 2]))); + } + } + + if (plaintext[nprefix-2] != plaintext[nprefix] + || plaintext[nprefix-1] != plaintext[nprefix+1]) + { + rc = gpg_error (GPG_ERR_BAD_KEY); + goto leave; + } + + leave: + if (! rc && plaintextp) + *plaintextp = plaintext; + else + xfree (plaintext); + + if (! rc && cfbp) + *cfbp = cfb; + else + xfree (cfb); + + if (cipher_hd) + gcry_cipher_close (cipher_hd); + return rc; +} + +/* Query the oracle with D=D for block B. */ +static int +oracle_test (unsigned int d, int b, int debug) +{ + byte probe[32 + 2]; + + log_assert (blocksize + 2 <= sizeof probe); + log_assert (d < 256 * 256); + + if (b == 1) + memcpy (probe, &msg[2], blocksize); + else + memcpy (probe, block (msg, msg_len, b), blocksize); + + probe[blocksize] = d >> 8; + probe[blocksize + 1] = d & 0xff; + + if (debug) + log_debug ("oracle (0x%04X):\n", d); + + return oracle (debug, probe, blocksize + 2, NULL, NULL) == 0; +} + +static void +do_test (int argc, char *argv[]) +{ + int i; + int debug = 0; + char *filename = NULL; + int help = 0; + + byte *raw_data; + int raw_data_len; + + (void)current_test_group_failed; + for (i = 1; i < argc; i ++) + { + if (strcmp (argv[i], "--debug") == 0) + debug = 1; + else if (! blocksize) + parse_session_key (argv[i]); + else if (! filename) + filename = argv[i]; + else + { + help = 1; + break; + } + } + + if (! blocksize && ! filename && (filename = prepend_srcdir ("t-stutter-data.asc"))) + /* Try defaults. */ + { + parse_session_key ("9:9274A8EC128E850C6DDDF9EAC68BFA84FC7BC05F340DA41D78C93D0640C7C503"); + } + + if (help || ! blocksize || ! filename) + log_fatal ("Usage: %s [--debug] SESSION_KEY ENCRYPTED_PKT\n", argv[0]); + + /* Don't read more than a KB. */ + raw_data_len = 1024; + raw_data = xmalloc (raw_data_len); + + { + FILE *fp; + int r; + + fp = fopen (filename, "r"); + if (! fp) + log_fatal ("Opening %s: %s\n", filename, strerror (errno)); + r = fread (raw_data, 1, raw_data_len, fp); + fclose (fp); + + /* We need at least the random data, the encrypted and literal + packets' headers and some body. */ + if (r < (blocksize + 2 /* Random data. */ + + 2 * blocksize /* Header + some plaintext. */)) + log_fatal ("Not enough data (need at least %d bytes of plain text): %s.\n", + blocksize + 2, strerror (errno)); + raw_data_len = r; + + if (debug) + { + log_debug ("First few bytes of the raw data:\n"); + log_hexdump (raw_data, raw_data_len > 8 ? 8 : raw_data_len); + } + } + + /* Parse the packet's header. */ + { + int ctb = raw_data[0]; + int new_format = ctb & (1 << 7); + int pkttype = (ctb & ((1 << 5) - 1)) >> (new_format ? 0 : 2); + int hdrlen; + + if (new_format) + { + if (debug) + log_debug ("len encoded: 0x%x (%d)\n", raw_data[1], raw_data[1]); + if (raw_data[1] < 192) + hdrlen = 2; + else if (raw_data[1] < 224) + hdrlen = 3; + else if (raw_data[1] == 255) + hdrlen = 5; + else + hdrlen = 2; + } + else + { + int lentype = ctb & 0x3; + if (lentype == 0) + hdrlen = 2; + else if (lentype == 1) + hdrlen = 3; + else if (lentype == 2) + hdrlen = 5; + else + /* Indeterminate. */ + hdrlen = 1; + } + + if (debug) + log_debug ("ctb = %x; %s format, hdrlen: %d, packet: %s\n", + ctb, new_format ? "new" : "old", + hdrlen, + pkttype_str (pkttype)); + + if (! (pkttype == PKT_ENCRYPTED || pkttype == PKT_ENCRYPTED_MDC)) + log_fatal ("%s does not contain an encrypted packet, but a %s.\n", + filename, pkttype_str (pkttype)); + + if (pkttype == PKT_ENCRYPTED_MDC) + { + /* The first byte following the header is the version, which + is 1. */ + log_assert (raw_data[hdrlen] == 1); + hdrlen ++; + sync = 0; + } + else + sync = 1; + + msg = &raw_data[hdrlen]; + msg_len = raw_data_len - hdrlen; + } + + log_assert (msg_len >= blocksize + 2); + + { + /* This can at least partially be guessed. So we just assume that + it is known. */ + int d; + int found; + const byte *m1; + byte e_k_zero[2]; + + if (oracle (debug, msg, msg_len, &msg_plaintext, &msg_cfb) == 0) + { + if (debug) + log_debug ("Session key appears to be good.\n"); + } + else + log_fatal ("Session key is bad!\n"); + + m1 = &msg_plaintext[blocksize + 2]; + if (debug) + log_debug ("First two bytes of plaintext are: %02X (%c) %02X (%c)\n", + m1[0], isprint (m1[0]) ? m1[0] : '?', + m1[1], isprint (m1[1]) ? m1[1] : '?'); + + for (d = 0; d < 256 * 256; d ++) + if ((found = oracle_test (d, 1, 0))) + break; + + if (! found) + log_fatal ("Failed to find d!\n"); + + if (debug) + oracle_test (d, 1, 1); + + if (debug) + log_debug ("D = %d (%x) looks good.\n", d, d); + + { + byte *c2 = block (msg, msg_len, 2); + byte D[2] = { d >> 8, d & 0xFF }; + byte *c3 = block (msg, msg_len, 3); + + memcpy (e_k_zero, + bufxor2 (bufxor2 (c2, D), + bufxor2 (c3, m1)), + sizeof (e_k_zero)); + + if (debug) + { + log_debug ("C2 = %s\n", hexstr (c2)); + log_debug ("D = %s\n", hexstr (D)); + log_debug ("C3 = %s\n", hexstr (c3)); + log_debug ("M = %s\n", hexstr (m1)); + log_debug ("E_k([C1]_{3-b} || C_2) = C3 xor M1 = %s\n", + hexstr (bufxor2 (c3, m1))); + log_debug ("E_k(0)_{b-1,b} = %s\n", hexstr (e_k_zero)); + } + } + + /* Figure out the first 2 bytes of M2... (offset 16 & 17 of the + plain text assuming the blocksize == 16 or bytes 34 & 35 of the + decrypted cipher text, i.e., C4). */ + for (i = 1; block_offset (i + 3) + 2 <= msg_len; i ++) + { + byte e_k_prime[2]; + byte m[2]; + byte *ct = block (msg, msg_len, i + 2); + byte *pt = block (msg_plaintext, msg_len, 2 + i + 1); + + for (d = 0; d < 256 * 256; d ++) + if (oracle_test (d, i + 2, 0)) + { + found = 1; + break; + } + + if (! found) + log_fatal ("Failed to find a valid d for block %d\n", i); + + if (debug) + log_debug ("Block %d: oracle: D = %04X passes integrity check\n", + i, d); + + { + byte D[2] = { d >> 8, d & 0xFF }; + memcpy (e_k_prime, + bufxor2 (bufxor2 (&ct[blocksize - 2], D), e_k_zero), + sizeof (e_k_prime)); + + memcpy (m, bufxor2 (e_k_prime, block (msg, msg_len, i + 3)), + sizeof (m)); + } + + if (debug) + log_debug ("=> block %d starting at %zd starts with: " + "%s (%c%c)\n", + i, (size_t) pt - (size_t) msg_plaintext, + hexstr (m), + isprint (m[0]) ? m[0] : '?', isprint (m[1]) ? m[1] : '?'); + + if (m[0] != pt[0] || m[1] != pt[1]) + { + log_debug ("oracle attack failed! Expected %s (%c%c), got %s\n", + hexstr (pt), + isprint (pt[0]) ? pt[0] : '?', + isprint (pt[1]) ? pt[1] : '?', + hexstr (m)); + tests_failed++; + } + } + + if (i == 1) + log_fatal ("Message is too short, nothing to test.\n"); + } + + xfree (filename); +} |