mirror of
https://git.postgresql.org/git/postgresql.git
synced 2026-02-23 23:07:15 +08:00
379695d3cc
pgp_pub_decrypt_bytea() was missing a safeguard for the session key length read from the message data, that can be given in input of pgp_pub_decrypt_bytea(). This can result in the possibility of a buffer overflow for the session key data, when the length specified is longer than PGP_MAX_KEY, which is the maximum size of the buffer where the session data is copied to. A script able to rebuild the message and key data that can trigger the overflow is included in this commit, based on some contents provided by the reporter, heavily editted by me. A SQL test is added, based on the data generated by the script. Reported-by: Team Xint Code as part of zeroday.cloud Author: Michael Paquier <michael@paquier.xyz> Reviewed-by: Noah Misch <noah@leadboat.com> Security: CVE-2026-2005 Backpatch-through: 14
492 lines
16 KiB
Python
492 lines
16 KiB
Python
#!/usr/bin/python
|
|
# -*- coding: utf-8 -*-
|
|
#
|
|
# Generate PGP data to check the session key length of the input data provided
|
|
# to pgp_pub_decrypt_bytea().
|
|
#
|
|
# First, the crafted data is generated from valid RSA data, freshly generated
|
|
# by this script each time it is run, see generate_rsa_keypair().
|
|
# Second, the crafted PGP data is built, see build_message_data() and
|
|
# build_key_data(). Finally, the resulting SQL script is generated.
|
|
#
|
|
# This script generates in stdout the SQL file that is used in the regression
|
|
# tests of pgcrypto. The following command can be used to regenerate the file
|
|
# which should never be manually manipulated:
|
|
# python3 scripts/pgp_session_data.py > sql/pgp-pubkey-session.sql
|
|
|
|
import os
|
|
import re
|
|
import struct
|
|
import secrets
|
|
import sys
|
|
import time
|
|
|
|
# pwn for binary manipulation (p32, p64)
|
|
from pwn import *
|
|
|
|
# Cryptographic libraries, to craft the PGP data.
|
|
from Crypto.Cipher import AES
|
|
from Crypto.PublicKey import RSA
|
|
from Crypto.Util.number import inverse
|
|
|
|
# AES key used for session key encryption (16 bytes for AES-128)
|
|
AES_KEY = b'\x01' * 16
|
|
|
|
def generate_rsa_keypair(key_size: int = 2048) -> dict:
|
|
"""
|
|
Generate a fresh RSA key pair.
|
|
|
|
The generated key includes all components needed for PGP operations:
|
|
- n: public modulus (p * q)
|
|
- e: public exponent (typically 65537)
|
|
- d: private exponent (e^-1 mod phi(n))
|
|
- p, q: prime factors of n
|
|
- u: coefficient (p^-1 mod q) for CRT optimization
|
|
|
|
The caller can pass the wanted key size in input, for a default of 2048
|
|
bytes. This function returns the RSA key components, after performing
|
|
some validation on them.
|
|
"""
|
|
|
|
start_time = time.time()
|
|
|
|
# Generate RSA key
|
|
key = RSA.generate(key_size)
|
|
|
|
# Extract all key components
|
|
rsa_components = {
|
|
'n': key.n, # Public modulus (p * q)
|
|
'e': key.e, # Public exponent (typically 65537)
|
|
'd': key.d, # Private exponent (e^-1 mod phi(n))
|
|
'p': key.p, # First prime factor
|
|
'q': key.q, # Second prime factor
|
|
'u': inverse(key.p, key.q) # Coefficient for CRT: p^-1 mod q
|
|
}
|
|
|
|
# Validate key components for correctness
|
|
validate_rsa_key(rsa_components)
|
|
|
|
return rsa_components
|
|
|
|
def validate_rsa_key(rsa: dict) -> None:
|
|
"""
|
|
Validate a generated RSA key.
|
|
|
|
This function performs basic validation to ensure the RSA key is properly
|
|
constructed and all components are consistent, at least mathematically.
|
|
|
|
Validations performed:
|
|
1. n = p * q (modulus is product of primes)
|
|
2. gcd(e, phi(n)) = 1 (public exponent is coprime to phi(n))
|
|
3. (d * e) mod(phi(n)) = 1 (private exponent is multiplicative inverse)
|
|
4. (u * p) (mod q) = 1 (coefficient is correct for CRT)
|
|
"""
|
|
|
|
n, e, d, p, q, u = rsa['n'], rsa['e'], rsa['d'], rsa['p'], rsa['q'], rsa['u']
|
|
|
|
# Check that n = p * q
|
|
if n != p * q:
|
|
raise ValueError("RSA validation failed: n <> p * q")
|
|
|
|
# Check that p and q are different
|
|
if p == q:
|
|
raise ValueError("RSA validation failed: p = q (not allowed)")
|
|
|
|
# Calculate phi(n) = (p-1)(q-1)
|
|
phi_n = (p - 1) * (q - 1)
|
|
|
|
# Check that gcd(e, phi(n)) = 1
|
|
def gcd(a, b):
|
|
while b:
|
|
a, b = b, a % b
|
|
return a
|
|
|
|
if gcd(e, phi_n) != 1:
|
|
raise ValueError("RSA validation failed: gcd(e, phi(n)) <> 1")
|
|
|
|
# Check that (d * e) mod(phi(n)) = 1
|
|
if (d * e) % phi_n != 1:
|
|
raise ValueError("RSA validation failed: d * e <> 1 (mod phi(n))")
|
|
|
|
# Check that (u * p) (mod q) = 1
|
|
if (u * p) % q != 1:
|
|
raise ValueError("RSA validation failed: u * p <> 1 (mod q)")
|
|
|
|
def mpi_encode(x: int) -> bytes:
|
|
"""
|
|
Encode an integer as an OpenPGP Multi-Precision Integer (MPI).
|
|
|
|
Format (RFC 4880, Section 3.2):
|
|
- 2 bytes: bit length of the integer (big-endian)
|
|
- N bytes: the integer in big-endian format
|
|
|
|
This is used to encode RSA key components (n, e, d, p, q, u) in PGP
|
|
packets.
|
|
|
|
The integer to encode is given in input, returning an MPI-encoded
|
|
integer.
|
|
|
|
For example:
|
|
mpi_encode(65537) -> b'\x00\x11\x01\x00\x01'
|
|
(17 bits, value 0x010001)
|
|
"""
|
|
if x < 0:
|
|
raise ValueError("MPI cannot encode negative integers")
|
|
|
|
if x == 0:
|
|
# Special case: zero has 0 bits and empty magnitude
|
|
bits = 0
|
|
mag = b""
|
|
else:
|
|
# Calculate bit length and convert to bytes
|
|
bits = x.bit_length()
|
|
mag = x.to_bytes((bits + 7) // 8, 'big')
|
|
|
|
# Pack: 2-byte bit length + magnitude bytes
|
|
return struct.pack('>H', bits) + mag
|
|
|
|
def new_packet(tag: int, payload: bytes) -> bytes:
|
|
"""
|
|
Create a new OpenPGP packet with a proper header.
|
|
|
|
OpenPGP packet format (RFC 4880, Section 4.2):
|
|
- New packet format: 0xC0 | tag
|
|
- Length encoding depends on payload size:
|
|
* 0-191: single byte
|
|
* 192-8383: two bytes (192 + ((length - 192) >> 8), (length - 192) & 0xFF)
|
|
* 8384+: five bytes (0xFF + 4-byte big-endian length)
|
|
|
|
The packet is built from a "tag" (1-63) and some "payload" data. The
|
|
result generated is a complete OpenPGP packet.
|
|
|
|
For example:
|
|
new_packet(1, b'data') -> b'\xC1\x04data'
|
|
(Tag 1, length 4, payload 'data')
|
|
"""
|
|
# New packet format: set bit 7 and 6, clear bit 5, tag in bits 0-5
|
|
first = 0xC0 | (tag & 0x3F)
|
|
ln = len(payload)
|
|
|
|
# Encode length according to OpenPGP specification
|
|
if ln <= 191:
|
|
# Single byte length for small packets
|
|
llen = bytes([ln])
|
|
elif ln <= 8383:
|
|
# Two-byte length for medium packets
|
|
ln2 = ln - 192
|
|
llen = bytes([192 + (ln2 >> 8), ln2 & 0xFF])
|
|
else:
|
|
# Five-byte length for large packets
|
|
llen = bytes([255]) + struct.pack('>I', ln)
|
|
|
|
return bytes([first]) + llen + payload
|
|
|
|
def build_key_data(rsa: dict) -> bytes:
|
|
"""
|
|
Build the key data, containing an RSA private key.
|
|
|
|
The RSA contents should have been generated previously.
|
|
|
|
Format (see RFC 4880, Section 5.5.3):
|
|
- 1 byte: version (4)
|
|
- 4 bytes: creation time (current Unix timestamp)
|
|
- 1 byte: public key algorithm (2 = RSA encrypt)
|
|
- MPI: RSA public modulus n
|
|
- MPI: RSA public exponent e
|
|
- 1 byte: string-to-key usage (0 = no encryption)
|
|
- MPI: RSA private exponent d
|
|
- MPI: RSA prime p
|
|
- MPI: RSA prime q
|
|
- MPI: RSA coefficient u = p^-1 mod q
|
|
- 2 bytes: checksum of private key material
|
|
|
|
This function takes a set of RSA key components in input (n, e, d, p, q, u)
|
|
and returns a secret key packet.
|
|
"""
|
|
|
|
# Public key portion
|
|
ver = bytes([4]) # Version 4 key
|
|
ctime = struct.pack('>I', int(time.time())) # Current Unix timestamp
|
|
algo = bytes([2]) # RSA encrypt algorithm
|
|
n_mpi = mpi_encode(rsa['n']) # Public modulus
|
|
e_mpi = mpi_encode(rsa['e']) # Public exponent
|
|
pub = ver + ctime + algo + n_mpi + e_mpi
|
|
|
|
# Private key portion
|
|
hide_type = bytes([0]) # No string-to-key encryption
|
|
d_mpi = mpi_encode(rsa['d']) # Private exponent
|
|
p_mpi = mpi_encode(rsa['p']) # Prime p
|
|
q_mpi = mpi_encode(rsa['q']) # Prime q
|
|
u_mpi = mpi_encode(rsa['u']) # Coefficient u = p^-1 mod q
|
|
|
|
# Calculate checksum of private key material (simple sum mod 65536)
|
|
private_data = d_mpi + p_mpi + q_mpi + u_mpi
|
|
cksum = sum(private_data) & 0xFFFF
|
|
|
|
secret = hide_type + private_data + struct.pack('>H', cksum)
|
|
payload = pub + secret
|
|
|
|
return new_packet(7, payload)
|
|
|
|
def pgp_cfb_encrypt_resync(key, plaintext):
|
|
"""
|
|
Implement OpenPGP CFB mode with resync.
|
|
|
|
OpenPGP CFB mode is a variant of standard CFB with a resync operation
|
|
after the first two blocks.
|
|
|
|
Algorithm (RFC 4880, Section 13.9):
|
|
1. Block 1: FR=zeros, encrypt full block_size bytes
|
|
2. Block 2: FR=block1, encrypt only 2 bytes
|
|
3. Resync: FR = block1[2:] + block2
|
|
4. Remaining blocks: standard CFB mode
|
|
|
|
This function uses the following arguments:
|
|
- key: AES encryption key (16 bytes for AES-128)
|
|
- plaintext: Data to encrypt
|
|
"""
|
|
block_size = 16 # AES block size
|
|
cipher = AES.new(key[:16], AES.MODE_ECB) # Use ECB for manual CFB
|
|
ciphertext = b''
|
|
|
|
# Block 1: FR=zeros, encrypt full 16 bytes
|
|
FR = b'\x00' * block_size
|
|
FRE = cipher.encrypt(FR) # Encrypt the feedback register
|
|
block1 = bytes(a ^ b for a, b in zip(FRE, plaintext[0:16]))
|
|
ciphertext += block1
|
|
|
|
# Block 2: FR=block1, encrypt only 2 bytes
|
|
FR = block1
|
|
FRE = cipher.encrypt(FR)
|
|
block2 = bytes(a ^ b for a, b in zip(FRE[0:2], plaintext[16:18]))
|
|
ciphertext += block2
|
|
|
|
# Resync: FR = block1[2:16] + block2[0:2]
|
|
# This is the key difference from standard CFB mode
|
|
FR = block1[2:] + block2
|
|
|
|
# Block 3+: Continue with standard CFB mode
|
|
pos = 18
|
|
while pos < len(plaintext):
|
|
FRE = cipher.encrypt(FR)
|
|
chunk_len = min(block_size, len(plaintext) - pos)
|
|
chunk = plaintext[pos:pos+chunk_len]
|
|
enc_chunk = bytes(a ^ b for a, b in zip(FRE[:chunk_len], chunk))
|
|
ciphertext += enc_chunk
|
|
|
|
# Update feedback register for next iteration
|
|
if chunk_len == block_size:
|
|
FR = enc_chunk
|
|
else:
|
|
# Partial block: pad with old FR bytes
|
|
FR = enc_chunk + FR[chunk_len:]
|
|
pos += chunk_len
|
|
|
|
return ciphertext
|
|
|
|
def build_literal_data_packet(data: bytes) -> bytes:
|
|
"""
|
|
Build a literal data packet containing a message.
|
|
|
|
Format (RFC 4880, Section 5.9):
|
|
- 1 byte: data format ('b' = binary, 't' = text, 'u' = UTF-8 text)
|
|
- 1 byte: filename length (0 = no filename)
|
|
- N bytes: filename (empty in this case)
|
|
- 4 bytes: date (current Unix timestamp)
|
|
- M bytes: literal data
|
|
|
|
The data used to build the packet is given in input, with the generated
|
|
result returned.
|
|
"""
|
|
body = bytes([
|
|
ord('b'), # Binary data format
|
|
0, # Filename length (0 = no filename)
|
|
]) + struct.pack('>I', int(time.time())) + data # Current timestamp + data
|
|
|
|
return new_packet(11, body)
|
|
|
|
def build_symenc_data_packet(sess_key: bytes, cipher_algo: int, payload: bytes) -> bytes:
|
|
"""
|
|
Build a symmetrically-encrypted data packet using AES-128-CFB.
|
|
|
|
This packet contains encrypted data using the session key. The format
|
|
includes a random prefix, for security (see RFC 4880, Section 5.7).
|
|
|
|
Packet structure:
|
|
- Random prefix (block_size bytes)
|
|
- Prefix repeat (last 2 bytes of prefix repeated)
|
|
- Encrypted literal data packet
|
|
|
|
This function uses the following set of arguments:
|
|
- sess_key: Session key for encryption
|
|
- cipher_algo: Cipher algorithm identifier (7 = AES-128)
|
|
- payload: Data to encrypt (wrapped in literal data packet)
|
|
"""
|
|
block_size = 16 # AES-128 block size
|
|
key = sess_key[:16] # Use first 16 bytes for AES-128
|
|
|
|
# Create random prefix + repeat last 2 bytes (total 18 bytes)
|
|
# This is required by OpenPGP for integrity checking
|
|
prefix_random = secrets.token_bytes(block_size)
|
|
prefix = prefix_random + prefix_random[-2:] # 18 bytes total
|
|
|
|
# Wrap payload in literal data packet
|
|
literal_pkt = build_literal_data_packet(payload)
|
|
|
|
# Plaintext = prefix + literal data packet
|
|
plaintext = prefix + literal_pkt
|
|
|
|
# Encrypt using OpenPGP CFB mode with resync
|
|
ciphertext = pgp_cfb_encrypt_resync(key, plaintext)
|
|
|
|
return new_packet(9, ciphertext)
|
|
|
|
def build_tag1_packet(rsa: dict, sess_key: bytes) -> bytes:
|
|
"""
|
|
Build a public-key encrypted key.
|
|
|
|
This is a very important function, as it is able to create the packet
|
|
triggering the overflow check. This function can also be used to create
|
|
"legit" packet data.
|
|
|
|
Format (RFC 4880, Section 5.1):
|
|
- 1 byte: version (3)
|
|
- 8 bytes: key ID (0 = any key accepted)
|
|
- 1 byte: public key algorithm (2 = RSA encrypt)
|
|
- MPI: RSA-encrypted session key
|
|
|
|
This uses in arguments the generated RSA key pair, and the session key
|
|
to encrypt. The latter is manipulated to trigger the overflow.
|
|
|
|
This function returns a complete packet encrypted by a session key.
|
|
"""
|
|
|
|
# Calculate RSA modulus size in bytes
|
|
n_bytes = (rsa['n'].bit_length() + 7) // 8
|
|
|
|
# Session key message format:
|
|
# - 1 byte: symmetric cipher algorithm (7 = AES-128)
|
|
# - N bytes: session key
|
|
# - 2 bytes: checksum (simple sum of session key bytes)
|
|
algo_byte = bytes([7]) # AES-128 algorithm identifier
|
|
cksum = sum(sess_key) & 0xFFFF # 16-bit checksum
|
|
M = algo_byte + sess_key + struct.pack('>H', cksum)
|
|
|
|
# PKCS#1 v1.5 padding construction
|
|
# Format: 0x02 || PS || 0x00 || M
|
|
# Total padded message must be exactly n_bytes long.
|
|
total_len = n_bytes # Total length must equal modulus size in bytes
|
|
ps_len = total_len - len(M) - 2 # Subtract 2 for 0x02 and 0x00 bytes
|
|
|
|
if ps_len < 8:
|
|
raise ValueError(f"Padding string too short ({ps_len} bytes); need at least 8 bytes. "
|
|
f"Message length: {len(M)}, Modulus size: {n_bytes} bytes")
|
|
|
|
# Create padding string with *ALL* bytes being 0xFF (no zero separator!)
|
|
PS = bytes([0xFF]) * ps_len
|
|
|
|
# Construct the complete padded message
|
|
# Normal PKCS#1 v1.5 padding: 0x02 || PS || 0x00 || M
|
|
padded = bytes([0x02]) + PS + bytes([0x00]) + M
|
|
|
|
# Verify padding construction
|
|
if len(padded) != n_bytes:
|
|
raise ValueError(f"Padded message length ({len(padded)}) doesn't match RSA modulus size ({n_bytes})")
|
|
|
|
# Convert padded message to integer and encrypt with RSA
|
|
m_int = int.from_bytes(padded, 'big')
|
|
|
|
# Ensure message is smaller than modulus (required for RSA)
|
|
if m_int >= rsa['n']:
|
|
raise ValueError("Padded message is larger than RSA modulus")
|
|
|
|
# RSA encryption: c = m^e mod n
|
|
c_int = pow(m_int, rsa['e'], rsa['n'])
|
|
|
|
# Encode encrypted result as MPI
|
|
c_mpi = mpi_encode(c_int)
|
|
|
|
# Build complete packet
|
|
ver = bytes([3]) # Version 3 packet
|
|
key_id = b"\x00" * 8 # Key ID (0 = any key accepted)
|
|
algo = bytes([2]) # RSA encrypt algorithm
|
|
payload = ver + key_id + algo + c_mpi
|
|
|
|
return new_packet(1, payload)
|
|
|
|
def build_message_data(rsa: dict) -> bytes:
|
|
"""
|
|
This function creates a crafted message, with a long session key
|
|
length.
|
|
|
|
This takes in input the RSA key components generated previously,
|
|
returning a concatenated set of PGP packets crafted for the purpose
|
|
of this test.
|
|
"""
|
|
|
|
# Base prefix for session key (AES key + padding + size).
|
|
# Note that the crafted size is the important part for this test.
|
|
prefix = AES_KEY + b"\x00" * 16 + p32(0x10)
|
|
|
|
# Build encrypted data packet, legit.
|
|
sedata = build_symenc_data_packet(AES_KEY, cipher_algo=7, payload=b"\x0a\x00")
|
|
|
|
# Build multiple packets
|
|
packets = [
|
|
# First packet, legit.
|
|
build_tag1_packet(rsa, prefix),
|
|
|
|
# Encrypted data packet, legit.
|
|
sedata,
|
|
|
|
# Second packet: information payload.
|
|
#
|
|
# This packet contains a longer-crafted session key, able to trigger
|
|
# the overflow check in pgcrypto. This is the critical part, and
|
|
# and you are right to pay a lot of attention here if you are
|
|
# reading this code.
|
|
build_tag1_packet(rsa, prefix)
|
|
]
|
|
|
|
return b"".join(packets)
|
|
|
|
def main():
|
|
# Default key size.
|
|
# This number can be set to a higher number if wanted, like 4096. We
|
|
# just do not need to do that here.
|
|
key_size = 2048
|
|
|
|
# Generate fresh RSA key pair
|
|
rsa = generate_rsa_keypair(key_size)
|
|
|
|
# Generate the message data.
|
|
print("### Building message data", file=sys.stderr)
|
|
message_data = build_message_data(rsa)
|
|
|
|
# Build the key containing the RSA private key
|
|
print("### Building key data", file=sys.stderr)
|
|
key_data = build_key_data(rsa)
|
|
|
|
# Convert to hexadecimal, for the bytea used in the SQL file.
|
|
message_data = message_data.hex()
|
|
key_data = key_data.hex()
|
|
|
|
# Split each value into lines of 72 characters, for readability.
|
|
message_data = re.sub("(.{72})", "\\1\n", message_data, 0, re.DOTALL)
|
|
key_data = re.sub("(.{72})", "\\1\n", key_data, 0, re.DOTALL)
|
|
|
|
# Get the script filename for documentation
|
|
file_basename = os.path.basename(__file__)
|
|
|
|
# Output the SQL test case
|
|
print(f'''-- Test for overflow with session key at decrypt.
|
|
-- Data automatically generated by scripts/{file_basename}.
|
|
-- See this file for details explaining how this data is generated.
|
|
SELECT pgp_pub_decrypt_bytea(
|
|
'\\x{message_data}'::bytea,
|
|
'\\x{key_data}'::bytea);''',
|
|
file=sys.stdout)
|
|
|
|
if __name__ == "__main__":
|
|
main()
|