Handle missing integrity protection MDC packet as if integrity check would have failed.

An attacker could strip the MDC on its way to the receiver...
Dominik Schürmann 2014-08-10 20:59:13 +02:00
parent b0821a3ddd
commit c981902aba


@ -399,8 +399,7 @@ public class PgpDecryptVerify {
signingKey = signingRing.getPublicKey(sigKeyId); signingKey = signingRing.getPublicKey(sigKeyId);
signatureIndex = i; signatureIndex = i;
} catch (ProviderHelper.NotFoundException e) { } catch (ProviderHelper.NotFoundException e) {
Log.d(Constants.TAG, "key not found!"); Log.d(Constants.TAG, "key not found, trying next signature…");
// try next one...
} }
} }
@ -537,8 +536,10 @@ public class PgpDecryptVerify {
} }
} else { } else {
// no integrity check // no integrity check
Log.e(Constants.TAG, "Encrypted data was not integrity protected!"); Log.d(Constants.TAG, "Encrypted data was not integrity protected! MDC packet is missing!");
// TODO: inform user? // Handle missing integrity protection like failed integrity protection!
// The MDC packet can be stripped by an attacker!
throw new IntegrityCheckFailedException();
} }
updateProgress(R.string.progress_done, 100, 100); updateProgress(R.string.progress_done, 100, 100);
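Review bot: The missing-MDC rejection in the `else` branch of the second hunk is now logged with `Log.d`, where the old code used `Log.e`. A stripped MDC is a possible tampering indicator and debug-level output is often filtered out of release builds, so I would keep `Log.e(Constants.TAG, "Encrypted data was not integrity protected! MDC packet is missing!");`. The throw also sits just before `updateProgress(R.string.progress_done, 100, 100)`, so the data has presumably already been decrypted and written out by this point. The hunk does not show whether the caller discards that output when `IntegrityCheckFailedException` is raised; this should be confirmed, since unauthenticated plaintext should not reach the user. The enclosing method starts and ends outside the hunk.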