Merge pull request #160 from ProtonMail/fix/split-message-aead

Add support for AEADMessages in PGPMessage.SeparateKeyAndData
2022-01-10 14:55:06 +01:00 · 2022-01-10 14:55:06 +01:00 · 14f558a276
commit 14f558a276
parent 3aafa3c549 a514e451c4
3 changed files with 96 additions and 56 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

+## Unreleased
+
+### Fixed
+- Fixed bug with `NewPGPSplitMessageFromArmored(armored)` and `PGPMessage.SeparateKeyAndData()`.
+Those functions didn't parse AEAD encrypted messages correctly (eg messages encrypted with the latest versions of gnupg), resulting in a nil `DataPacket`.
+
 ## [2.4.0] 2021-12-21

 ### Added
--- a/crypto/message.go
+++ b/crypto/message.go
@ -333,7 +333,6 @@ func (msg *PGPMessage) SeparateKeyAndData(estimatedLength, garbageCollector int)
 	// For info on each, see: https://golang.org/pkg/runtime/#MemStats
 	packets := packet.NewReader(bytes.NewReader(msg.Data))
 	outSplit = &PGPSplitMessage{}
-	gcCounter := 0

 	// Store encrypted key and symmetrically encrypted packet separately
 	var encryptedKey *packet.EncryptedKey
@ -345,68 +344,21 @@ func (msg *PGPMessage) SeparateKeyAndData(estimatedLength, garbageCollector int)
 		}
 		switch p := p.(type) {
 		case *packet.EncryptedKey:
+			// TODO: add support for multiple keypackets
 			if encryptedKey != nil && encryptedKey.Key != nil {
 				break
 			}
 			encryptedKey = p
-
 		case *packet.SymmetricallyEncrypted:
-			// TODO: add support for multiple keypackets
-			var b bytes.Buffer
-			// 2^16 is an estimation of the size difference between input and output, the size difference is most probably
-			// 16 bytes at a maximum though.
-			// We need to avoid triggering a grow from the system as this will allocate too much memory causing problems
-			// in low-memory environments
-			b.Grow(1<<16 + estimatedLength)
-			// empty encoded length + start byte
-			if _, err := b.Write(make([]byte, 6)); err != nil {
-				return nil, errors.Wrap(err, "gopenpgp: error in writing data packet header")
+			outSplit.DataPacket, err = readPacketContents(p.Contents, estimatedLength, garbageCollector)
+			if err != nil {
+				return nil, err
 			}
-
-			if err := b.WriteByte(byte(1)); err != nil {
-				return nil, errors.Wrap(err, "gopenpgp: error in writing data packet header")
+		case *packet.AEADEncrypted:
+			outSplit.DataPacket, err = readPacketContents(p.Contents, estimatedLength, garbageCollector)
+			if err != nil {
+				return nil, err
 			}
-
-			actualLength := 1
-			block := make([]byte, 128)
-			for {
-				n, err := p.Contents.Read(block)
-				if goerrors.Is(err, io.EOF) {
-					break
-				}
-				if _, err := b.Write(block[:n]); err != nil {
-					return nil, errors.Wrap(err, "gopenpgp: error in writing data packet body")
-				}
-				actualLength += n
-				gcCounter += n
-				if gcCounter > garbageCollector && garbageCollector > 0 {
-					runtime.GC()
-					gcCounter = 0
-				}
-			}
-
-			// quick encoding
-			symEncryptedData := b.Bytes()
-			switch {
-			case actualLength < 192:
-				symEncryptedData[4] = byte(210)
-				symEncryptedData[5] = byte(actualLength)
-				symEncryptedData = symEncryptedData[4:]
-			case actualLength < 8384:
-				actualLength -= 192
-				symEncryptedData[3] = byte(210)
-				symEncryptedData[4] = 192 + byte(actualLength>>8)
-				symEncryptedData[5] = byte(actualLength)
-				symEncryptedData = symEncryptedData[3:]
-			default:
-				symEncryptedData[0] = byte(210)
-				symEncryptedData[1] = byte(255)
-				symEncryptedData[2] = byte(actualLength >> 24)
-				symEncryptedData[3] = byte(actualLength >> 16)
-				symEncryptedData[4] = byte(actualLength >> 8)
-				symEncryptedData[5] = byte(actualLength)
-			}
-			outSplit.DataPacket = symEncryptedData
 		}
 	}
 	if encryptedKey == nil {
@ -422,6 +374,65 @@ func (msg *PGPMessage) SeparateKeyAndData(estimatedLength, garbageCollector int)
 	return outSplit, nil
 }

+func readPacketContents(contents io.Reader, estimatedLength int, garbageCollector int) ([]byte, error) {
+	gcCounter := 0
+	var b bytes.Buffer
+	// 2^16 is an estimation of the size difference between input and output, the size difference is most probably
+	// 16 bytes at a maximum though.
+	// We need to avoid triggering a grow from the system as this will allocate too much memory causing problems
+	// in low-memory environments
+	b.Grow(1<<16 + estimatedLength)
+	// empty encoded length + start byte
+	if _, err := b.Write(make([]byte, 6)); err != nil {
+		return nil, errors.Wrap(err, "gopenpgp: error in writing data packet header")
+	}
+
+	if err := b.WriteByte(byte(1)); err != nil {
+		return nil, errors.Wrap(err, "gopenpgp: error in writing data packet header")
+	}
+
+	actualLength := 1
+	block := make([]byte, 128)
+	for {
+		n, err := contents.Read(block)
+		if goerrors.Is(err, io.EOF) {
+			break
+		}
+		if _, err := b.Write(block[:n]); err != nil {
+			return nil, errors.Wrap(err, "gopenpgp: error in writing data packet body")
+		}
+		actualLength += n
+		gcCounter += n
+		if gcCounter > garbageCollector && garbageCollector > 0 {
+			runtime.GC()
+			gcCounter = 0
+		}
+	}
+
+	// quick encoding
+	symEncryptedData := b.Bytes()
+	switch {
+	case actualLength < 192:
+		symEncryptedData[4] = byte(210)
+		symEncryptedData[5] = byte(actualLength)
+		symEncryptedData = symEncryptedData[4:]
+	case actualLength < 8384:
+		actualLength -= 192
+		symEncryptedData[3] = byte(210)
+		symEncryptedData[4] = 192 + byte(actualLength>>8)
+		symEncryptedData[5] = byte(actualLength)
+		symEncryptedData = symEncryptedData[3:]
+	default:
+		symEncryptedData[0] = byte(210)
+		symEncryptedData[1] = byte(255)
+		symEncryptedData[2] = byte(actualLength >> 24)
+		symEncryptedData[3] = byte(actualLength >> 16)
+		symEncryptedData[4] = byte(actualLength >> 8)
+		symEncryptedData[5] = byte(actualLength)
+	}
+	return symEncryptedData, nil
+}
+
 // GetBinary returns the unarmored binary content of the signature as a []byte.
 func (sig *PGPSignature) GetBinary() []byte {
 	return sig.Data
--- a/crypto/message_test.go
+++ b/crypto/message_test.go
@ -439,3 +439,26 @@ func TestMessageGetArmoredWithEmptyHeaders(t *testing.T) {
 	assert.NotContains(t, armored, "Version")
 	assert.NotContains(t, armored, "Comment")
 }
+
+func TestPGPSplitMessageFromArmoredWithAEAD(t *testing.T) {
+	var message = `-----BEGIN PGP MESSAGE-----
+
+hF4DJDxTg/yg6TkSAQdA3Ogzuxwz7IdSRCh81gdYuB0bKqkYDs7EksOkYJ7eUnMw
+FsRNg+X3KbCj9j747An4J7V8trghOIN00dlpuR77wELS79XHoP55qmyVyPzmTXdx
+1F8BCQIQyGCAxAA1ppydoBVp7ithTEl2bU72tbOsLCFY8TBamG6t3jfqJpO2lz+G
+M0xNgvwIDrAQsN35VGw72I/FvWJ0VG3rpBKgFp5nPK0NblRomXTRRfoNgSoVUcxU
+vA==
+=YNf2
+-----END PGP MESSAGE-----
+`
+	split, err := NewPGPSplitMessageFromArmored(message)
+	if err != nil {
+		t.Errorf("Couldn't parse split message: %v", err)
+	}
+	if split.KeyPacket == nil {
+		t.Error("Key packet was nil")
+	}
+	if split.DataPacket == nil {
+		t.Error("Data packet was nil")
+	}
+}