sequoia_openpgp/parse.rs
1//! Packet parsing infrastructure.
2//!
3//! OpenPGP defines a binary representation suitable for storing and
4//! communicating OpenPGP data structures (see [Section 3 ff. of RFC
5//! 9580]). Parsing is the process of interpreting the binary
6//! representation.
7//!
8//! [Section 3 ff. of RFC 9580]: https://www.rfc-editor.org/rfc/rfc9580.html#section-3
9//!
10//! An OpenPGP stream represents a sequence of packets. Some of the
11//! packets contain other packets. These so-called containers include
12//! encrypted data packets (the SED and [SEIP] packets), and
13//! [compressed data] packets. This structure results in a tree,
14//! which is laid out in depth-first order.
15//!
16//! [SEIP]: crate::packet::SEIP
17//! [compressed data]: crate::packet::CompressedData
18//!
19//! OpenPGP defines objects consisting of several packets with a
20//! specific structure. These objects are [`Message`]s, [`Cert`]s and
21//! sequences of [`Cert`]s ("keyrings"). Verifying the structure of
22//! these objects is also an act of parsing.
23//!
24//! [`Message`]: super::Message
25//! [`Cert`]: crate::cert::Cert
26//!
27//! This crate provides several interfaces to parse OpenPGP data.
28//! They fall in roughly three categories:
29//!
30//! - First, most data structures in this crate implement the
31//! [`Parse`] trait. It provides a uniform interface to parse data
32//! from an [`io::Read`]er, a file identified by its [`Path`], or
33//! simply a byte slice.
34//!
35//! - Second, there is a convenient interface to decrypt and/or
36//! verify OpenPGP messages in a streaming fashion. Encrypted
37//! and/or signed data is read using the [`Parse`] interface, and
38//! decrypted and/or verified data can be read using [`io::Read`].
39//!
40//! - Finally, we expose the low-level [`PacketParser`], allowing
41//! fine-grained control over the parsing.
42//!
43//! [`io::Read`]: std::io::Read
44//! [`Path`]: std::path::Path
45//!
46//! The choice of interface depends on the specific use case. In many
47//! circumstances, OpenPGP data can not be trusted until it has been
48//! authenticated. Therefore, it has to be treated as attacker
49//! controlled data, and it has to be treated with great care. See
50//! the section [Security Considerations] below.
51//!
52//! [Security Considerations]: #security-considerations
53//!
54//! # Common Operations
55//!
56//! - *Decrypt a message*: Use a [streaming `Decryptor`].
57//! - *Verify a message*: Use a [streaming `Verifier`].
58//! - *Verify a detached signature*: Use a [`DetachedVerifier`].
59//! - *Parse a [`Cert`]*: Use [`Cert`]'s [`Parse`] interface.
60//! - *Parse a keyring*: Use [`CertParser`]'s [`Parse`] interface.
61//! - *Parse an unstructured sequence of small packets from a trusted
62//! source*: Use [`PacketPile`]s [`Parse`] interface (e.g.
63//! [`PacketPile::from_file`]).
64//! - *Parse an unstructured sequence of packets*: Use the
65//! [`PacketPileParser`].
66//! - *Parse an unstructured sequence of packets with full control
67//! over the parser*: Use a [`PacketParser`].
68//! - *Customize the parser behavior even more*: Use a
69//! [`PacketParserBuilder`].
70//!
71//! [`CertParser`]: crate::cert::CertParser
72//! [streaming `Decryptor`]: stream::Decryptor
73//! [streaming `Verifier`]: stream::Verifier
74//! [`DetachedVerifier`]: stream::DetachedVerifier
75//! [`PacketPile`]: crate::PacketPile
76//! [`PacketPile::from_file`]: super::PacketPile::from_file()
77//!
78//! # Data Structures and Interfaces
79//!
80//! This crate provides several interfaces for parsing OpenPGP
81//! streams, ordered from the most convenient but least flexible to
82//! the least convenient but most flexible:
83//!
84//! - The streaming [`Verifier`], [`DetachedVerifier`], and
85//! [`Decryptor`] are the most convenient way to parse OpenPGP
86//! messages.
87//!
88//! - The [`PacketPile::from_file`] (and related methods) is the
89//! most convenient, but least flexible way to parse an arbitrary
90//! sequence of OpenPGP packets. Whereas a [`PacketPileParser`]
91//! allows the caller to determine how to handle individual
92//! packets, the [`PacketPile::from_file`] parses the whole stream
93//! at once and returns a [`PacketPile`].
94//!
95//! - The [`PacketPileParser`] abstraction builds on the
96//! [`PacketParser`] abstraction and provides a similar interface.
97//! However, after each iteration, the [`PacketPileParser`] adds the
98//! packet to a [`PacketPile`], which is returned once the packets are
99//! completely processed.
100//!
101//! This interface should only be used if the caller actually
102//! wants a [`PacketPile`]; if the OpenPGP stream is parsed in place,
103//! then using a [`PacketParser`] is better.
104//!
105//! This interface should only be used if the caller is certain
106//! that the parsed stream will fit in memory.
107//!
108//! - The [`PacketParser`] abstraction produces one packet at a
109//! time. What is done with those packets is completely up to the
110//! caller.
111//!
112//! The behavior of the [`PacketParser`] can be configured using a
113//! [`PacketParserBuilder`].
114//!
115//! [`Decryptor`]: stream::Decryptor
116//! [`Verifier`]: stream::Verifier
117//!
118//! # ASCII armored data
119//!
120//! The [`PacketParser`] will by default automatically detect and
121//! remove any ASCII armor encoding (see [Section 6 of RFC 9580]).
122//! This automatism can be disabled and fine-tuned using
123//! [`PacketParserBuilder::dearmor`].
124//!
125//! [Section 6 of RFC 9580]: https://www.rfc-editor.org/rfc/rfc9580.html#section-6
126//! [`PacketParserBuilder::dearmor`]: PacketParserBuilder::dearmor()
127//!
128//! # Security Considerations
129//!
130//! In general, OpenPGP data must be considered attacker controlled
131//! and thus treated with great care. Even though we use a
132//! memory-safe language, there are several aspects to be aware of:
133//!
134//! - OpenPGP messages may be compressed. Therefore, one cannot
135//! predict the uncompressed size of a message by looking at the
136//! compressed representation. Operations that parse OpenPGP
137//! streams and buffer the packet data (like using the
138//! [`PacketPile`]'s [`Parse`] interface) are inherently unsafe and
139//! must only be used on trusted data.
140//!
141//! - The authenticity of an OpenPGP message can only be checked once
142//! it has been fully processed. Therefore, the plaintext must be
143//! buffered and not be trusted until the whole message is
144//! processed and signatures and/or ciphertext integrity are
145//! verified. On the other hand, buffering an unbounded amount of
146//! data is problematic and can lead to out-of-memory situations
147//! resulting in denial of service. The streaming message
148//! processing interfaces address this problem by buffering a
149//! configurable amount of data before releasing any data to the
150//! caller, and only revert to streaming unverified data if the
151//! message exceeds the buffer. See [`DEFAULT_BUFFER_SIZE`] for
152//! more information.
153//!
154//! - Not all parts of signed-then-encrypted OpenPGP messages are
155//! authenticated. Notably, all packets outside the encryption
156//! container (any [`PKESK`] and [`SKESK`] packets, as well as the
157//! encryption container itself), the [`Literal`] packet's headers,
158//! as well as parts of the [`Signature`] are not covered by the
159//! signatures.
160//!
161//! - Ciphertext integrity is provided by the [version 2 SEIP]
162//! packet's use of authenticated encryption.
163//!
164//! - In messages compatible with [RFC 4880], ciphertext integrity is
165//! provided by the [`version 1 SEIP`] packet's [`MDC`] mechanism,
166//! but the integrity can only be checked after decrypting the whole
167//! container.
168//!
169//! [`DEFAULT_BUFFER_SIZE`]: stream::DEFAULT_BUFFER_SIZE
170//! [`PKESK`]: crate::packet::PKESK
171//! [`SKESK`]: crate::packet::PKESK
172//! [`Literal`]: crate::packet::Literal
173//! [`Signature`]: crate::packet::Signature
174//! [`version 2 SEIP`]: crate::packet::seip::SEIP2
175//! [RFC 4880]: https://datatracker.ietf.org/doc/html/rfc4880
176//! [`version 1 SEIP`]: crate::packet::seip::SEIP1
177//! [`SEIP`]: crate::packet::SEIP
178//! [`MDC`]: crate::packet::MDC
179
180use std::io;
181use std::io::prelude::*;
182use std::convert::TryFrom;
183use std::cmp;
184use std::str;
185use std::mem;
186use std::fmt;
187use std::path::Path;
188use std::result::Result as StdResult;
189
190use xxhash_rust::xxh3::Xxh3;
191
192// Re-export buffered_reader.
193//
194// We use this in our API, and re-exporting it here makes it easy to
195// use the correct version of the crate in downstream code without
196// having to explicitly depend on it.
197pub use buffered_reader;
198use ::buffered_reader::*;
199
200use crate::{
201 cert::CertValidator,
202 cert::CertValidity,
203 cert::KeyringValidator,
204 cert::KeyringValidity,
205 crypto::{aead, hash::Hash},
206 Result,
207 packet::header::{
208 CTB,
209 BodyLength,
210 PacketLengthType,
211 },
212 crypto::S2K,
213 Error,
214 packet::{
215 Container,
216 Header,
217 },
218 packet::signature::Signature3,
219 packet::signature::Signature4,
220 packet::signature::Signature6,
221 packet::prelude::*,
222 Packet,
223 Fingerprint,
224 KeyID,
225 crypto::SessionKey,
226};
227use crate::types::{
228 AEADAlgorithm,
229 CompressionAlgorithm,
230 Features,
231 HashAlgorithm,
232 KeyFlags,
233 KeyServerPreferences,
234 PublicKeyAlgorithm,
235 RevocationKey,
236 SignatureType,
237 SymmetricAlgorithm,
238 Timestamp,
239};
240use crate::crypto::{self, mpi::{PublicKey, MPI, ProtectedMPI}};
241use crate::crypto::symmetric::{Decryptor, InternalDecryptor};
242use crate::message;
243use crate::message::MessageValidator;
244
245mod partial_body;
246use self::partial_body::BufferedReaderPartialBodyFilter;
247
248use crate::packet::signature::subpacket::{
249 NotationData,
250 NotationDataFlags,
251 Subpacket,
252 SubpacketArea,
253 SubpacketLength,
254 SubpacketTag,
255 SubpacketValue,
256};
257
258use crate::serialize::MarshalInto;
259
260mod packet_pile_parser;
261pub use self::packet_pile_parser::PacketPileParser;
262
263mod hashed_reader;
264pub(crate) use self::hashed_reader::{
265 HashingMode,
266 HashedReader,
267};
268
269mod packet_parser_builder;
270pub use self::packet_parser_builder::{Dearmor, PacketParserBuilder};
271use packet_parser_builder::ARMOR_READER_LEVEL;
272
273pub mod map;
274mod mpis;
275pub mod stream;
276
277// Whether to trace execution by default (on stderr).
278const TRACE : bool = false;
279
280// How much junk the packet parser is willing to skip when recovering.
281// This is an internal implementation detail and hence not exported.
282pub(crate) const RECOVERY_THRESHOLD: usize = 32 * 1024;
283
284/// Parsing of packets and related structures.
285///
286/// This is a uniform interface to parse packets, messages, keys, and
287/// related data structures.
288///
289/// # Sealed trait
290///
291/// This trait is [sealed] and cannot be implemented for types outside this crate.
292/// Therefore it can be extended in a non-breaking way.
293/// If you want to implement the trait inside the crate
294/// you also need to implement the `seal::Sealed` marker trait.
295///
296/// [sealed]: https://rust-lang.github.io/api-guidelines/future-proofing.html#sealed-traits-protect-against-downstream-implementations-c-sealed
297pub trait Parse<'a, T>: crate::seal::Sealed {
298 /// Reads from the given buffered reader.
299 ///
300 /// Implementations of this function should be short. Ideally,
301 /// they should hand of the reader to a private function erasing
302 /// the readers type by invoking [`BufferedReader::into_boxed`].
303 fn from_buffered_reader<R>(reader: R) -> Result<T>
304 where
305 R: BufferedReader<Cookie> + 'a;
306
307 /// Reads from the given reader.
308 ///
309 /// The default implementation just uses
310 /// [`Parse::from_buffered_reader`], but implementations can
311 /// provide their own specialized version.
312 fn from_reader<R: 'a + Read + Send + Sync>(reader: R) -> Result<T> {
313 Self::from_buffered_reader(
314 buffered_reader::Generic::with_cookie(reader,
315 None,
316 Default::default())
317 .into_boxed())
318 }
319
320 /// Reads from the given file.
321 ///
322 /// The default implementation just uses
323 /// [`Parse::from_buffered_reader`], but implementations can
324 /// provide their own specialized version.
325 fn from_file<P: AsRef<Path>>(path: P) -> Result<T>
326 {
327 Self::from_buffered_reader(
328 buffered_reader::File::with_cookie(path.as_ref(),
329 Default::default())?
330 .into_boxed())
331 }
332
333 /// Reads from the given slice.
334 ///
335 /// The default implementation just uses
336 /// [`Parse::from_buffered_reader`], but implementations can
337 /// provide their own specialized version.
338 fn from_bytes<D: AsRef<[u8]> + ?Sized + Send + Sync>(data: &'a D) -> Result<T> {
339 Self::from_buffered_reader(
340 buffered_reader::Memory::with_cookie(data.as_ref(), Default::default())
341 .into_boxed())
342 }
343}
344
345// Implement type::from_buffered_reader and the Parse trait in terms
346// of type::from_buffered_reader for a particular packet type. If the
347// generic from_buffered_reader implementation is inappropriate, then
348// it can be overridden.
349macro_rules! impl_parse_with_buffered_reader {
350 ($typ: ident) => {
351 impl_parse_with_buffered_reader!($typ, $typ);
352 };
353
354 ($typ_in: ident, $typ_out: ident) => {
355 impl_parse_with_buffered_reader!(
356 $typ_in,
357 $typ_out,
358 |br: Box<dyn BufferedReader<Cookie>>| -> Result<$typ_out> {
359 let parser = PacketHeaderParser::new_naked(br);
360
361 let mut pp = Self::parse(parser)?;
362 pp.buffer_unread_content()?;
363
364 match pp.next()? {
365 #[allow(deprecated)]
366 (Packet::$typ_out(o), PacketParserResult::EOF(_))
367 => Ok(o),
368 (Packet::Unknown(u), PacketParserResult::EOF(_)) =>
369 Err(u.into_error()),
370 (p, PacketParserResult::EOF(_)) =>
371 Err(Error::InvalidOperation(
372 format!("Not a {} packet: {:?}", stringify!($typ_out),
373 p)).into()),
374 (_, PacketParserResult::Some(_)) =>
375 Err(Error::InvalidOperation(
376 "Excess data after packet".into()).into()),
377 }
378 });
379 };
380
381 ($typ: ident, $from_buffered_reader: expr) => {
382 impl_parse_with_buffered_reader!($typ, $typ, $from_buffered_reader);
383 };
384
385 // from_buffered_reader should be a closure that takes a
386 // BufferedReader and returns a Result<Self>.
387 ($typ_in: ident, $typ_out: ident, $from_buffered_reader: expr) => {
388 impl<'a> Parse<'a, $typ_out> for $typ_in {
389 fn from_buffered_reader<R>(reader: R) -> Result<$typ_out>
390 where
391 R: BufferedReader<Cookie> + 'a,
392 {
393 Ok($from_buffered_reader(reader.into_boxed())?)
394 }
395 }
396 }
397}
398
399/// The default amount of acceptable nesting.
400///
401/// The default is `16`.
402///
403/// Typically, we expect a message to look like:
404///
405/// ```text
406/// [ encryption container: [ compression container: [ signature: [ literal data ]]]]
407/// ```
408///
409/// So, this should be more than enough.
410///
411/// To change the maximum recursion depth, use
412/// [`PacketParserBuilder::max_recursion_depth`].
413///
414/// [`PacketParserBuilder::max_recursion_depth`]: PacketParserBuilder::max_recursion_depth()
415pub const DEFAULT_MAX_RECURSION_DEPTH : u8 = 16;
416
417/// The default maximum size of non-container packets.
418///
419/// The default is `1 MiB`.
420///
421/// Packets that exceed this limit will be returned as
422/// `Packet::Unknown`, with the error set to `Error::PacketTooLarge`.
423///
424/// This limit applies to any packet type that is *not* a container
425/// packet, i.e. any packet that is not a literal data packet, a
426/// compressed data packet, a symmetrically encrypted data packet, or
427/// an AEAD encrypted data packet.
428///
429/// To change the maximum recursion depth, use
430/// [`PacketParserBuilder::max_packet_size`].
431///
432/// [`PacketParserBuilder::max_packet_size`]: PacketParserBuilder::max_packet_size()
433pub const DEFAULT_MAX_PACKET_SIZE: u32 = 1 << 20; // 1 MiB
434
435// Used to parse an OpenPGP packet's header (note: in this case, the
436// header means a Packet's fixed data, not the OpenPGP framing
437// information, such as the CTB, and length information).
438//
439// This struct is not exposed to the user. Instead, when a header has
440// been successfully parsed, a `PacketParser` is returned.
441pub(crate) struct PacketHeaderParser<'a> {
442 // The reader stack wrapped in a buffered_reader::Dup so that if
443 // there is a parse error, we can abort and still return an
444 // Unknown packet.
445 reader: buffered_reader::Dup<Box<dyn BufferedReader<Cookie> + 'a>, Cookie>,
446
447 // The current packet's header.
448 header: Header,
449 header_bytes: Vec<u8>,
450
451 // This packet's path.
452 path: Vec<usize>,
453
454 // The `PacketParser`'s state.
455 state: PacketParserState,
456
457 /// A map of this packet.
458 map: Option<map::Map>,
459}
460
461/// Creates a local marco called php_try! that returns an Unknown
462/// packet instead of an Error like try! on parsing-related errors.
463/// (Errors like read errors are still returned as usual.)
464///
465/// If you want to fail like this in a non-try! context, use
466/// php.fail("reason").
467macro_rules! make_php_try {
468 ($parser:expr) => {
469 macro_rules! php_try {
470 ($e:expr) => {
471 match $e {
472 Ok(b) => {
473 Ok(b)
474 },
475 Err(e) => {
476 t!("parsing failed at {}:{}: {}", file!(), line!(), e);
477 let e = match e.downcast::<io::Error>() {
478 Ok(e) =>
479 if let io::ErrorKind::UnexpectedEof = e.kind() {
480 return $parser.error(e.into());
481 } else {
482 e.into()
483 },
484 Err(e) => e,
485 };
486 let e = match e.downcast::<Error>() {
487 Ok(e) => return $parser.error(e.into()),
488 Err(e) => e,
489 };
490
491 Err(e)
492 },
493 }?
494 };
495 }
496 };
497}
498
499impl std::fmt::Debug for PacketHeaderParser<'_> {
500 fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
501 f.debug_struct("PacketHeaderParser")
502 .field("header", &self.header)
503 .field("path", &self.path)
504 .field("reader", &self.reader)
505 .field("state", &self.state)
506 .field("map", &self.map)
507 .finish()
508 }
509}
510
511impl<'a> PacketHeaderParser<'a> {
512 // Returns a `PacketHeaderParser` to parse an OpenPGP packet.
513 // `inner` points to the start of the OpenPGP framing information,
514 // i.e., the CTB.
515 fn new(inner: Box<dyn BufferedReader<Cookie> + 'a>,
516 state: PacketParserState,
517 path: Vec<usize>, header: Header,
518 header_bytes: Vec<u8>) -> Self
519 {
520 assert!(!path.is_empty());
521
522 let cookie = Cookie {
523 level: inner.cookie_ref().level,
524 ..Default::default()
525 };
526 let map = if state.settings.map {
527 Some(map::Map::new(header_bytes.clone()))
528 } else {
529 None
530 };
531 PacketHeaderParser {
532 reader: buffered_reader::Dup::with_cookie(inner, cookie),
533 header,
534 header_bytes,
535 path,
536 state,
537 map,
538 }
539 }
540
541 // Returns a `PacketHeaderParser` that parses a bare packet. That
542 // is, `inner` points to the start of the packet; the OpenPGP
543 // framing has already been processed, and `inner` already
544 // includes any required filters (e.g., a
545 // `BufferedReaderPartialBodyFilter`, etc.).
546 fn new_naked(inner: Box<dyn BufferedReader<Cookie> + 'a>) -> Self {
547 PacketHeaderParser::new(inner,
548 PacketParserState::new(Default::default()),
549 vec![ 0 ],
550 Header::new(CTB::new(Tag::Reserved),
551 BodyLength::Full(0)),
552 Vec::new())
553 }
554
555 // Consumes the bytes belonging to the packet's header (i.e., the
556 // number of bytes read) from the reader, and returns a
557 // `PacketParser` that can be returned to the user.
558 //
559 // Only call this function if the packet's header has been
560 // completely and correctly parsed. If a failure occurs while
561 // parsing the header, use `fail()` instead.
562 fn ok(mut self, packet: Packet) -> Result<PacketParser<'a>> {
563 tracer!(TRACE, "PacketHeaderParser::ok",
564 self.reader.cookie_ref().level.unwrap_or(0));
565 let total_out = self.reader.total_out();
566 t!("total_out = {}", total_out);
567
568 if self.state.settings.map {
569 // Steal the body for the map.
570 self.reader.rewind();
571 let body = if self.state.settings.buffer_unread_content {
572 self.reader.steal_eof()?
573 } else {
574 self.reader.steal(total_out)?
575 };
576 t!("got {} bytes of body for the map", body.len());
577 if body.len() > total_out {
578 self.field("body", body.len() - total_out);
579 }
580 self.map.as_mut().unwrap().finalize(body);
581 }
582
583 // This is a buffered_reader::Dup, so this always has an
584 // inner.
585 let mut reader = Box::new(self.reader).into_inner().unwrap();
586
587 if total_out > 0 {
588 // We know the data has been read, so this cannot fail.
589 reader.data_consume_hard(total_out).unwrap();
590 }
591
592 Ok(PacketParser {
593 header: self.header,
594 packet,
595 path: self.path,
596 last_path: vec![],
597 reader,
598 content_was_read: false,
599 processed: true,
600 finished: false,
601 map: self.map,
602 body_hash: Some(Container::make_body_hash()),
603 state: self.state,
604 })
605 }
606
607 // Something went wrong while parsing the packet's header. Aborts
608 // and returns an Unknown packet instead.
609 fn fail(self, reason: &'static str) -> Result<PacketParser<'a>> {
610 self.error(Error::MalformedPacket(reason.into()).into())
611 }
612
613 fn error(mut self, error: anyhow::Error) -> Result<PacketParser<'a>> {
614 // Rewind the dup reader, so that the caller has a chance to
615 // buffer the whole body of the unknown packet.
616 self.reader.rewind();
617 Unknown::parse(self, error)
618 }
619
620 fn field(&mut self, name: &'static str, size: usize) {
621 if let Some(ref mut map) = self.map {
622 map.add(name, size)
623 }
624 }
625
626 fn parse_u8(&mut self, name: &'static str) -> Result<u8> {
627 let r = self.reader.data_consume_hard(1)?[0];
628 self.field(name, 1);
629 Ok(r)
630 }
631
632 fn parse_u8_len(&mut self, name: &'static str) -> Result<usize> {
633 self.parse_u8(name).map(Into::into)
634 }
635
636 fn parse_be_u16(&mut self, name: &'static str) -> Result<u16> {
637 let r = self.reader.read_be_u16()?;
638 self.field(name, 2);
639 Ok(r)
640 }
641
642 fn parse_be_u32(&mut self, name: &'static str) -> Result<u32> {
643 let r = self.reader.read_be_u32()?;
644 self.field(name, 4);
645 Ok(r)
646 }
647
648 fn parse_bool(&mut self, name: &'static str) -> Result<bool> {
649 let v = self.reader.data_consume_hard(1)?[0];
650 self.field(name, 1);
651 match v {
652 0 => Ok(false),
653 1 => Ok(true),
654 n => Err(Error::MalformedPacket(
655 format!("Invalid value for bool: {}", n)).into()),
656 }
657 }
658
659 fn parse_bytes(&mut self, name: &'static str, amount: usize)
660 -> Result<Vec<u8>> {
661 let r = self.reader.steal(amount)?;
662 self.field(name, amount);
663 Ok(r)
664 }
665
666 fn parse_bytes_into(&mut self, name: &'static str, buf: &mut [u8])
667 -> Result<()> {
668 self.reader.read_exact(buf)?;
669 self.field(name, buf.len());
670 Ok(())
671 }
672
673 fn parse_bytes_eof(&mut self, name: &'static str) -> Result<Vec<u8>> {
674 let r = self.reader.steal_eof()?;
675 self.field(name, r.len());
676 Ok(r)
677 }
678
679 fn recursion_depth(&self) -> isize {
680 self.path.len() as isize - 1
681 }
682
683 /// Marks the start of a variable-sized field `name` of length
684 /// `len`.
685 ///
686 /// After parsing the variable-sized field, hand the returned
687 /// object to [`PacketHeaderParser::variable_sized_field_end`].
688 fn variable_sized_field_start<L>(&self, name: &'static str, len: L)
689 -> VariableSizedField
690 where
691 L: Into<u32>,
692 {
693 VariableSizedField {
694 name,
695 start: self.reader.total_out().try_into()
696 .expect("offsets in packet headers cannot exceed u32"),
697 length: len.into(),
698 }
699 }
700
701 /// Returns the remaining bytes in a variable-sized field.
702 fn variable_sized_field_remaining(&self, f: &VariableSizedField) -> usize {
703 let current: u32 = self.reader.total_out().try_into()
704 .expect("offsets in packet headers cannot exceed u32");
705 f.length.saturating_sub(current - f.start) as usize
706 }
707
708 /// Marks the start of a variable-sized field and checks whether
709 /// the correct amount of data has been consumed.
710 fn variable_sized_field_end(&self, f: VariableSizedField) -> Result<()>
711 {
712 let l = u32::try_from(self.reader.total_out())
713 .expect("offsets in packet headers cannot exceed u32")
714 - f.start;
715
716 use std::cmp::Ordering;
717 match l.cmp(&f.length) {
718 Ordering::Less => Err(Error::MalformedPacket(format!(
719 "{}: length {} but only consumed {} bytes",
720 f.name, f.length, l)).into()),
721 Ordering::Equal => Ok(()),
722 Ordering::Greater => Err(Error::MalformedPacket(format!(
723 "{}: length {} but consumed {} bytes",
724 f.name, f.length, l)).into()),
725 }
726 }
727}
728
729/// Represents a variable-sized field in a packet header.
730#[must_use]
731struct VariableSizedField {
732 /// Name of the field.
733 name: &'static str,
734
735 /// The amount of bytes consumed in self.reader at the start of
736 /// the field.
737 start: u32,
738
739 /// The expected length of the variable-sized field.
740 length: u32,
741}
742
743/// What the hash in the Cookie is for.
744#[derive(Copy, Clone, PartialEq, Debug)]
745pub(crate) enum HashesFor {
746 Nothing,
747 MDC,
748 Signature,
749 CleartextSignature,
750}
751
752/// Controls whether a hashed reader hashes data.
753#[derive(Copy, Clone, PartialEq, Debug)]
754enum Hashing {
755 /// Hashing is enabled.
756 Enabled,
757 /// Hashing is enabled for notarized signatures.
758 Notarized,
759 /// Hashing is disabled.
760 Disabled,
761}
762
763/// Private state used by the `PacketParser`.
764///
765/// This is not intended to be used. It is possible to explicitly
766/// create `Cookie` instances using its `Default` implementation for
767/// low-level interfacing with parsing code.
768#[derive(Debug)]
769pub struct Cookie {
770 // `BufferedReader`s managed by a `PacketParser` have
771 // `Some(level)`; an external `BufferedReader` (i.e., the
772 // underlying `BufferedReader`) has no level.
773 //
774 // Before parsing a top-level packet, we may push a
775 // `buffered_reader::Limitor` in front of the external
776 // `BufferedReader`. Such `BufferedReader`s are assigned a level
777 // of 0.
778 //
779 // When a top-level packet (i.e., a packet with a recursion depth
780 // of 0) reads from the `BufferedReader` stack, the top
781 // `BufferedReader` will have a level of at most 0.
782 //
783 // If the top-level packet is a container, say, a `CompressedData`
784 // packet, then it pushes a decompression filter with a level of 0
785 // onto the `BufferedReader` stack, and it recursively invokes the
786 // parser.
787 //
788 // When the parser encounters the `CompressedData`'s first child,
789 // say, a `Literal` packet, it pushes a `buffered_reader::Limitor` on
790 // the `BufferedReader` stack with a level of 1. Then, a
791 // `PacketParser` for the `Literal` data packet is created with a
792 // recursion depth of 1.
793 //
794 // There are several things to note:
795 //
796 // - When a `PacketParser` with a recursion depth of N reads
797 // from the `BufferedReader` stack, the top `BufferedReader`'s
798 // level is (at most) N.
799 //
800 // - Because we sometimes don't need to push a limitor
801 // (specifically, when the length is indeterminate), the
802 // `BufferedReader` at the top of the stack may have a level
803 // less than the current `PacketParser`'s recursion depth.
804 //
805 // - When a packet at depth N is a container that filters the
806 // data, it pushes a `BufferedReader` at level N onto the
807 // `BufferedReader` stack.
808 //
809 // - When we finish parsing a packet at depth N, we pop all
810 // `BufferedReader`s from the `BufferedReader` stack that are
811 // at level N. The intuition is: the `BufferedReaders` at
812 // level N are associated with the packet at depth N.
813 //
814 // - If a OnePassSig packet occurs at the top level, then we
815 // need to push a HashedReader above the current level. The
816 // top level is level 0, thus we push the HashedReader at
817 // level -1.
818 level: Option<isize>,
819
820 hashes_for: HashesFor,
821 hashing: Hashing,
822
823 /// Keeps track of whether the last one pass signature packet had
824 /// the last flag set.
825 saw_last: bool,
826 sig_groups: Vec<SignatureGroup>,
827 /// Keep track of the maximal size of sig_groups to compute
828 /// signature levels.
829 sig_groups_max_len: usize,
830
831 /// Stashed bytes that need to be hashed.
832 ///
833 /// When checking nested signatures, we need to hash the framing.
834 /// However, at the time we know that we want to hash it, it has
835 /// already been consumed. Deferring the consumption of headers
836 /// failed due to complications with the partial body decoder
837 /// eagerly consuming data. I (Justus) decided that doing the
838 /// right thing is not worth the trouble, at least for now. Also,
839 /// hash stash sounds funny.
840 hash_stash: Option<Vec<u8>>,
841
842 /// Whether this `BufferedReader` is actually an interior EOF in a
843 /// container.
844 ///
845 /// This is used by the SEIP parser to prevent a child packet from
846 /// accidentally swallowing the trailing MDC packet. This can
847 /// happen when there is a compressed data packet with an
848 /// indeterminate body length encoding. In this case, due to
849 /// buffering, the decompressor consumes data beyond the end of
850 /// the compressed data.
851 ///
852 /// When set, buffered_reader_stack_pop will return early when it
853 /// encounters a fake EOF at the level it is popping to.
854 fake_eof: bool,
855
856 /// Indicates that this is the top-level armor reader that is
857 /// doing a transformation of a message using the cleartext
858 /// signature framework into a signed message.
859 csf_transformation: bool,
860}
861assert_send_and_sync!(Cookie);
862
863/// Contains hashes for consecutive one pass signature packets ending
864/// in one with the last flag set.
865#[derive(Default)]
866pub(crate) struct SignatureGroup {
867 /// Counts the number of one pass signature packets this group is
868 /// for. Once this drops to zero, we pop the group from the
869 /// stack.
870 ops_count: usize,
871
872 /// The hash contexts.
873 ///
874 /// We store a salt and the hash context as tuples.
875 ///
876 /// In v6, the hash is salted. We store the salt here so that we
877 /// can find the right hash context again when we encounter the
878 /// signature packet.
879 ///
880 /// In v4, the hash is not salted. Hence, salt is the zero-length
881 /// vector. The fact that the hash is not salted allows for an
882 /// optimization: to verify two signatures using the same hash
883 /// algorithm, the hash must be computed just once. We implement
884 /// this optimization for v4 signatures.
885 pub(crate) hashes: Vec<HashingMode<crypto::hash::Context>>,
886}
887
888impl fmt::Debug for SignatureGroup {
889 fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
890 let algos = self.hashes.iter()
891 .map(|mode| mode.map(|ctx| ctx.algo()))
892 .collect::<Vec<_>>();
893
894 f.debug_struct("Cookie")
895 .field("ops_count", &self.ops_count)
896 .field("hashes", &algos)
897 .finish()
898 }
899}
900
901impl SignatureGroup {
902 /// Clears the signature group.
903 fn clear(&mut self) {
904 self.ops_count = 0;
905 self.hashes.clear();
906 }
907}
908
909impl Default for Cookie {
910 fn default() -> Self {
911 Cookie {
912 level: None,
913 hashing: Hashing::Enabled,
914 hashes_for: HashesFor::Nothing,
915 saw_last: false,
916 sig_groups: vec![Default::default()],
917 sig_groups_max_len: 1,
918 hash_stash: None,
919 fake_eof: false,
920 csf_transformation: false,
921 }
922 }
923}
924
925impl Cookie {
926 fn new(level: isize) -> Cookie {
927 Cookie {
928 level: Some(level),
929 hashing: Hashing::Enabled,
930 hashes_for: HashesFor::Nothing,
931 saw_last: false,
932 sig_groups: vec![Default::default()],
933 sig_groups_max_len: 1,
934 hash_stash: None,
935 fake_eof: false,
936 csf_transformation: false,
937 }
938 }
939
940 /// Returns a reference to the topmost signature group.
941 pub(crate) fn sig_group(&self) -> &SignatureGroup {
942 assert!(!self.sig_groups.is_empty());
943 &self.sig_groups[self.sig_groups.len() - 1]
944 }
945
946 /// Returns a mutable reference to the topmost signature group.
947 pub(crate) fn sig_group_mut(&mut self) -> &mut SignatureGroup {
948 assert!(!self.sig_groups.is_empty());
949 let len = self.sig_groups.len();
950 &mut self.sig_groups[len - 1]
951 }
952
953 /// Returns the level of the currently parsed signature.
954 fn signature_level(&self) -> usize {
955 // The signature with the deepest "nesting" is closest to the
956 // data, and hence level 0.
957 self.sig_groups_max_len - self.sig_groups.len()
958 }
959
960 /// Tests whether the topmost signature group is no longer used.
961 fn sig_group_unused(&self) -> bool {
962 assert!(!self.sig_groups.is_empty());
963 self.sig_groups[self.sig_groups.len() - 1].ops_count == 0
964 }
965
966 /// Pushes a new signature group to the stack.
967 fn sig_group_push(&mut self) {
968 self.sig_groups.push(Default::default());
969 self.sig_groups_max_len += 1;
970 }
971
972 /// Pops a signature group from the stack.
973 fn sig_group_pop(&mut self) {
974 if self.sig_groups.len() == 1 {
975 // Don't pop the last one, just clear it.
976 self.sig_groups[0].clear();
977 self.hashes_for = HashesFor::Nothing;
978 } else {
979 self.sig_groups.pop();
980 }
981 }
982}
983
984impl Cookie {
985 // Enables or disables signature hashers (HashesFor::Signature) at
986 // level `level`.
987 //
988 // Thus to disable the hashing of a level 3 literal packet's
989 // meta-data, we disable hashing at level 2.
990 fn hashing(reader: &mut dyn BufferedReader<Cookie>,
991 how: Hashing, level: isize) {
992 let mut reader : Option<&mut dyn BufferedReader<Cookie>>
993 = Some(reader);
994 while let Some(r) = reader {
995 {
996 let cookie = r.cookie_mut();
997 if let Some(br_level) = cookie.level {
998 if br_level < level {
999 break;
1000 }
1001 if br_level == level
1002 && (cookie.hashes_for == HashesFor::Signature
1003 || cookie.hashes_for == HashesFor::CleartextSignature)
1004 {
1005 cookie.hashing = how;
1006 }
1007 } else {
1008 break;
1009 }
1010 }
1011 reader = r.get_mut();
1012 }
1013 }
1014
1015 /// Signals that we are processing a message using the Cleartext
1016 /// Signature Framework.
1017 ///
1018 /// This is used by the armor reader to signal that it has
1019 /// encountered such a message and is transforming it into an
1020 /// inline signed message.
1021 pub(crate) fn set_processing_csf_message(&mut self) {
1022 tracer!(TRACE, "set_processing_csf_message", self.level.unwrap_or(0));
1023 t!("Enabling CSF Transformation mode");
1024 self.csf_transformation = true;
1025 }
1026
1027 /// Checks if we are processing a signed message using the
1028 /// Cleartext Signature Framework.
1029 fn processing_csf_message(reader: &dyn BufferedReader<Cookie>)
1030 -> bool {
1031 let mut reader: Option<&dyn BufferedReader<Cookie>>
1032 = Some(reader);
1033 while let Some(r) = reader {
1034 if r.cookie_ref().level == Some(ARMOR_READER_LEVEL) {
1035 return r.cookie_ref().csf_transformation;
1036 } else {
1037 reader = r.get_ref();
1038 }
1039 }
1040 false
1041 }
1042}
1043
1044// Pops readers from a buffered reader stack at the specified level.
1045fn buffered_reader_stack_pop<'a>(
1046 mut reader: Box<dyn BufferedReader<Cookie> + 'a>, depth: isize)
1047 -> Result<(bool, Box<dyn BufferedReader<Cookie> + 'a>)>
1048{
1049 tracer!(TRACE, "buffered_reader_stack_pop", depth);
1050 t!("(reader level: {:?}, pop through: {})",
1051 reader.cookie_ref().level, depth);
1052
1053 while let Some(level) = reader.cookie_ref().level {
1054 assert!(level <= depth // Peel off exactly one level.
1055 || depth < 0); // Except for the topmost filters.
1056
1057 if level >= depth {
1058 let fake_eof = reader.cookie_ref().fake_eof;
1059
1060 t!("top reader at level {:?} (fake eof: {}), pop through: {}",
1061 reader.cookie_ref().level, fake_eof, depth);
1062
1063 t!("popping level {:?} reader, reader: {:?}",
1064 reader.cookie_ref().level,
1065 reader);
1066
1067 if reader.eof() && ! reader.consummated() {
1068 return Err(Error::MalformedPacket("Truncated packet".into())
1069 .into());
1070 }
1071 reader.drop_eof()?;
1072 reader = reader.into_inner().unwrap();
1073
1074 if level == depth && fake_eof {
1075 t!("Popped a fake EOF reader at level {}, stopping.", depth);
1076 return Ok((true, reader));
1077 }
1078
1079 t!("now at level {:?} reader: {:?}",
1080 reader.cookie_ref().level, reader);
1081 } else {
1082 break;
1083 }
1084 }
1085
1086 Ok((false, reader))
1087}
1088
1089
1090// A `PacketParser`'s settings.
1091#[derive(Clone, Debug)]
1092struct PacketParserSettings {
1093 // The maximum allowed recursion depth.
1094 //
1095 // There is absolutely no reason that this should be more than
1096 // 255. (GnuPG defaults to 32.) Moreover, if it is too large,
1097 // then a read from the reader pipeline could blow the stack.
1098 max_recursion_depth: u8,
1099
1100 // The maximum size of non-container packets.
1101 //
1102 // Packets that exceed this limit will be returned as
1103 // `Packet::Unknown`, with the error set to
1104 // `Error::PacketTooLarge`.
1105 //
1106 // This limit applies to any packet type that is *not* a
1107 // container packet, i.e. any packet that is not a literal data
1108 // packet, a compressed data packet, a symmetrically encrypted
1109 // data packet, or an AEAD encrypted data packet.
1110 max_packet_size: u32,
1111
1112 // Whether a packet's contents should be buffered or dropped when
1113 // the next packet is retrieved.
1114 buffer_unread_content: bool,
1115
1116 // Whether to create a map.
1117 map: bool,
1118
1119 // Whether to implicitly start hashing upon parsing OnePassSig
1120 // packets.
1121 automatic_hashing: bool,
1122}
1123
1124// The default `PacketParser` settings.
1125impl Default for PacketParserSettings {
1126 fn default() -> Self {
1127 PacketParserSettings {
1128 max_recursion_depth: DEFAULT_MAX_RECURSION_DEPTH,
1129 max_packet_size: DEFAULT_MAX_PACKET_SIZE,
1130 buffer_unread_content: false,
1131 map: false,
1132 automatic_hashing: true,
1133 }
1134 }
1135}
1136
1137impl S2K {
1138 /// Reads an S2K from `php`.
1139 fn parse_v4(php: &mut PacketHeaderParser<'_>)
1140 -> Result<Self> {
1141 Self::parse_common(php, None)
1142 }
1143
1144 /// Reads an S2K from `php` with explicit S2K length.
1145 fn parse_v6(php: &mut PacketHeaderParser, s2k_len: u8) -> Result<Self> {
1146 Self::parse_common(php, Some(s2k_len))
1147 }
1148
1149 /// Reads an S2K from `php` with optional explicit S2K length.
1150 fn parse_common(php: &mut PacketHeaderParser<'_>,
1151 s2k_len: Option<u8>)
1152 -> Result<Self>
1153 {
1154 if s2k_len == Some(0) {
1155 return Err(Error::MalformedPacket(
1156 "Invalid size for S2K object: 0 octets".into()).into());
1157 }
1158
1159 let check_size = |expected| {
1160 if let Some(got) = s2k_len {
1161 if got != expected {
1162 return Err(Error::MalformedPacket(format!(
1163 "Invalid size for S2K object: {} octets, expected {}",
1164 got, expected)));
1165 }
1166 }
1167 Ok(())
1168 };
1169
1170 let s2k = php.parse_u8("s2k_type")?;
1171 #[allow(deprecated)]
1172 let ret = match s2k {
1173 0 => {
1174 check_size(2)?;
1175 S2K::Simple {
1176 hash: HashAlgorithm::from(php.parse_u8("s2k_hash_algo")?),
1177 }
1178 },
1179 1 => {
1180 check_size(10)?;
1181 S2K::Salted {
1182 hash: HashAlgorithm::from(php.parse_u8("s2k_hash_algo")?),
1183 salt: Self::read_salt(php)?,
1184 }
1185 },
1186 3 => {
1187 check_size(11)?;
1188 S2K::Iterated {
1189 hash: HashAlgorithm::from(php.parse_u8("s2k_hash_algo")?),
1190 salt: Self::read_salt(php)?,
1191 hash_bytes: S2K::decode_count(php.parse_u8("s2k_count")?),
1192 }
1193 },
1194 4 => S2K::Argon2 {
1195 salt: {
1196 let mut b = [0u8; 16];
1197 let b_len = b.len();
1198 b.copy_from_slice(
1199 &php.parse_bytes("argon2_salt", b_len)?);
1200 b
1201 },
1202 t: php.parse_u8("argon2_t")?,
1203 p: php.parse_u8("argon2_p")?,
1204 m: php.parse_u8("argon2_m")?,
1205 },
1206 100..=110 => S2K::Private {
1207 tag: s2k,
1208 parameters: if let Some(l) = s2k_len {
1209 Some(
1210 php.parse_bytes("parameters", l as usize - 1 /* Tag */)?
1211 .into())
1212 } else {
1213 None
1214 },
1215 },
1216 u => S2K::Unknown {
1217 tag: u,
1218 parameters: if let Some(l) = s2k_len {
1219 Some(
1220 php.parse_bytes("parameters", l as usize - 1 /* Tag */)?
1221 .into())
1222 } else {
1223 None
1224 },
1225 },
1226 };
1227
1228 Ok(ret)
1229 }
1230
1231 fn read_salt(php: &mut PacketHeaderParser<'_>) -> Result<[u8; 8]> {
1232 let mut b = [0u8; 8];
1233 b.copy_from_slice(&php.parse_bytes("s2k_salt", 8)?);
1234
1235 Ok(b)
1236 }
1237}
1238
1239impl_parse_with_buffered_reader!(
1240 S2K,
1241 |bio: Box<dyn BufferedReader<Cookie>>| -> Result<Self> {
1242 let mut parser = PacketHeaderParser::new_naked(bio.into_boxed());
1243 Self::parse_v4(&mut parser)
1244 });
1245
1246impl Header {
1247 pub(crate) fn parse<R: BufferedReader<C>, C: fmt::Debug + Send + Sync> (bio: &mut R)
1248 -> Result<Header>
1249 {
1250 let ctb = CTB::try_from(bio.data_consume_hard(1)?[0])?;
1251 let length = match ctb {
1252 CTB::New(_) => BodyLength::parse_new_format(bio)?,
1253 CTB::Old(ref ctb) =>
1254 BodyLength::parse_old_format(bio, ctb.length_type())?,
1255 };
1256 Ok(Header::new(ctb, length))
1257 }
1258}
1259
1260impl_parse_with_buffered_reader!(
1261 Header,
1262 |mut reader| -> Result<Self> {
1263 Header::parse(&mut reader)
1264 });
1265
1266impl BodyLength {
1267 /// Decodes a new format body length as described in [Section
1268 /// 4.2.1 of RFC 9580].
1269 ///
1270 /// [Section 4.2.1 of RFC 9580]: https://www.rfc-editor.org/rfc/rfc9580.html#section-4.2.1
1271 pub(crate) fn parse_new_format<T: BufferedReader<C>, C: fmt::Debug + Send + Sync> (bio: &mut T)
1272 -> io::Result<BodyLength>
1273 {
1274 let octet1 : u8 = bio.data_consume_hard(1)?[0];
1275 match octet1 {
1276 0..=191 => // One octet.
1277 Ok(BodyLength::Full(octet1 as u32)),
1278 192..=223 => { // Two octets length.
1279 let octet2 = bio.data_consume_hard(1)?[0];
1280 Ok(BodyLength::Full(((octet1 as u32 - 192) << 8)
1281 + octet2 as u32 + 192))
1282 },
1283 224..=254 => // Partial body length.
1284 Ok(BodyLength::Partial(1 << (octet1 & 0x1F))),
1285 255 => // Five octets.
1286 Ok(BodyLength::Full(bio.read_be_u32()?)),
1287 }
1288 }
1289
1290 /// Decodes an old format body length as described in [Section
1291 /// 4.2.2 of RFC 9580].
1292 ///
1293 /// [Section 4.2.2 of RFC 9580]: https://www.rfc-editor.org/rfc/rfc9580.html#section-4.2.2
1294 pub(crate) fn parse_old_format<T: BufferedReader<C>, C: fmt::Debug + Send + Sync>
1295 (bio: &mut T, length_type: PacketLengthType)
1296 -> Result<BodyLength>
1297 {
1298 match length_type {
1299 PacketLengthType::OneOctet =>
1300 Ok(BodyLength::Full(bio.data_consume_hard(1)?[0] as u32)),
1301 PacketLengthType::TwoOctets =>
1302 Ok(BodyLength::Full(bio.read_be_u16()? as u32)),
1303 PacketLengthType::FourOctets =>
1304 Ok(BodyLength::Full(bio.read_be_u32()? as u32)),
1305 PacketLengthType::Indeterminate =>
1306 Ok(BodyLength::Indeterminate),
1307 }
1308 }
1309}
1310
1311#[test]
1312fn body_length_new_format() {
1313 fn test(input: &[u8], expected_result: BodyLength) {
1314 assert_eq!(
1315 BodyLength::parse_new_format(
1316 &mut buffered_reader::Memory::new(input)).unwrap(),
1317 expected_result);
1318 }
1319
1320 // Examples from Section 4.2.3 of RFC4880.
1321
1322 // Example #1.
1323 test(&[0x64][..], BodyLength::Full(100));
1324
1325 // Example #2.
1326 test(&[0xC5, 0xFB][..], BodyLength::Full(1723));
1327
1328 // Example #3.
1329 test(&[0xFF, 0x00, 0x01, 0x86, 0xA0][..], BodyLength::Full(100000));
1330
1331 // Example #4.
1332 test(&[0xEF][..], BodyLength::Partial(32768));
1333 test(&[0xE1][..], BodyLength::Partial(2));
1334 test(&[0xF0][..], BodyLength::Partial(65536));
1335 test(&[0xC5, 0xDD][..], BodyLength::Full(1693));
1336}
1337
1338#[test]
1339fn body_length_old_format() {
1340 fn test(input: &[u8], plt: PacketLengthType,
1341 expected_result: BodyLength, expected_rest: &[u8]) {
1342 let mut bio = buffered_reader::Memory::new(input);
1343 assert_eq!(BodyLength::parse_old_format(&mut bio, plt).unwrap(),
1344 expected_result);
1345 let rest = bio.data_eof();
1346 assert_eq!(rest.unwrap(), expected_rest);
1347 }
1348
1349 test(&[1], PacketLengthType::OneOctet, BodyLength::Full(1), &b""[..]);
1350 test(&[1, 2], PacketLengthType::TwoOctets,
1351 BodyLength::Full((1 << 8) + 2), &b""[..]);
1352 test(&[1, 2, 3, 4], PacketLengthType::FourOctets,
1353 BodyLength::Full((1 << 24) + (2 << 16) + (3 << 8) + 4), &b""[..]);
1354 test(&[1, 2, 3, 4, 5, 6], PacketLengthType::FourOctets,
1355 BodyLength::Full((1 << 24) + (2 << 16) + (3 << 8) + 4), &[5, 6][..]);
1356 test(&[1, 2, 3, 4], PacketLengthType::Indeterminate,
1357 BodyLength::Indeterminate, &[1, 2, 3, 4][..]);
1358}
1359
1360impl Unknown {
1361 /// Parses the body of any packet and returns an Unknown.
1362 fn parse(php: PacketHeaderParser, error: anyhow::Error)
1363 -> Result<PacketParser>
1364 {
1365 let tag = php.header.ctb().tag();
1366 php.ok(Packet::Unknown(Unknown::new(tag, error)))
1367 }
1368}
1369
1370// Read the next packet as an unknown packet.
1371//
1372// The `reader` must point to the packet's header, i.e., the CTB.
1373// This buffers the packet's contents.
1374//
1375// Note: we only need this function for testing purposes in a
1376// different module.
1377#[cfg(test)]
1378pub(crate) fn to_unknown_packet<R: Read + Send + Sync>(reader: R) -> Result<Unknown>
1379{
1380 let mut reader = buffered_reader::Generic::with_cookie(
1381 reader, None, Cookie::default());
1382 let header = Header::parse(&mut reader)?;
1383
1384 let reader : Box<dyn BufferedReader<Cookie>>
1385 = match header.length() {
1386 &BodyLength::Full(len) =>
1387 Box::new(buffered_reader::Limitor::with_cookie(
1388 reader, len as u64, Cookie::default())),
1389 &BodyLength::Partial(len) =>
1390 Box::new(BufferedReaderPartialBodyFilter::with_cookie(
1391 reader, len, true, Cookie::default())),
1392 _ => Box::new(reader),
1393 };
1394
1395 let parser = PacketHeaderParser::new(
1396 reader, PacketParserState::new(Default::default()), vec![ 0 ], header, Vec::new());
1397 let mut pp =
1398 Unknown::parse(parser,
1399 anyhow::anyhow!("explicit conversion to unknown"))?;
1400 pp.buffer_unread_content()?;
1401 pp.finish()?;
1402
1403 if let Packet::Unknown(packet) = pp.packet {
1404 Ok(packet)
1405 } else {
1406 panic!("Internal inconsistency.");
1407 }
1408}
1409
1410/// A parser for embedded signatures.
1411///
1412/// An embedded signature is parsed just like a normal signature, but
1413/// has the restriction that it cannot contain an embedded signature.
1414/// If it does, then it fails and returns `Error::MalformedPacket`.
1415///
1416/// This type is internal to this module.
1417struct EmbeddedSignature;
1418
1419impl crate::seal::Sealed for EmbeddedSignature {}
1420
1421impl EmbeddedSignature {
1422 // Parses a signature packet.
1423 fn parse(php: PacketHeaderParser)
1424 -> Result<PacketParser>
1425 {
1426 Signature::parse_internal(php, true)
1427 }
1428}
1429
1430impl_parse_with_buffered_reader!(EmbeddedSignature, Signature);
1431
1432impl Signature {
1433 // Parses a signature packet.
1434 fn parse(php: PacketHeaderParser)
1435 -> Result<PacketParser>
1436 {
1437 Signature::parse_internal(php, false)
1438 }
1439
1440 // Parses a signature packet.
1441 //
1442 // If `from_embedded_signature` is `true`, then any embedded
1443 // signature subpackets will make the signature invalid, as nested
1444 // embedded signatures are not allowed.
1445 fn parse_internal(mut php: PacketHeaderParser,
1446 from_embedded_signature: bool)
1447 -> Result<PacketParser>
1448 {
1449 let indent = php.recursion_depth();
1450 tracer!(TRACE, "Signature::parse", indent);
1451
1452 make_php_try!(php);
1453
1454 let version = php_try!(php.parse_u8("version"));
1455
1456 match version {
1457 3 => Signature3::parse(php),
1458 4 => Signature4::parse(php, from_embedded_signature),
1459 6 => Signature6::parse(php, from_embedded_signature),
1460 _ => {
1461 t!("Ignoring version {} packet.", version);
1462 php.fail("unknown version")
1463 },
1464 }
1465 }
1466
1467 /// Returns whether the data appears to be a signature (no promises).
1468 fn plausible(bio: &mut dyn BufferedReader<Cookie>, header: &Header)
1469 -> Result<()>
1470 {
1471 // XXX: Support other versions.
1472 Signature4::plausible(bio, header)
1473 }
1474
1475 /// When parsing an inline-signed message, attaches the digest to
1476 /// the signature.
1477 fn parse_finish(indent: isize, mut pp: PacketParser,
1478 hash_algo: HashAlgorithm)
1479 -> Result<PacketParser>
1480 {
1481 tracer!(TRACE, "Signature::parse_finish", indent);
1482
1483 let sig: &Signature = pp.packet.downcast_ref()
1484 .ok_or_else(
1485 || Error::InvalidOperation(
1486 format!("Called Signature::parse_finish on a {:?}",
1487 pp.packet)))?;
1488
1489 // If we are not parsing an inline-signed message, we are
1490 // done.
1491 if sig.typ() != SignatureType::Binary
1492 && sig.typ() != SignatureType::Text
1493 {
1494 return Ok(pp);
1495 }
1496
1497 let need_hash = HashingMode::for_signature(hash_algo, sig);
1498 t!("Need a {:?}", need_hash);
1499 if TRACE {
1500 pp.reader.dump(&mut std::io::stderr())?;
1501 }
1502
1503 // Locate the corresponding HashedReader and extract the
1504 // computed hash.
1505 let mut computed_digest = None;
1506 {
1507 let recursion_depth = pp.recursion_depth();
1508
1509 // We know that the top reader is not a HashedReader (it's
1510 // a buffered_reader::Dup). So, start with its child.
1511 let mut r = (&mut pp.reader).get_mut();
1512 while let Some(tmp) = r {
1513 {
1514 let cookie = tmp.cookie_mut();
1515
1516 assert!(cookie.level.unwrap_or(-1)
1517 <= recursion_depth);
1518 // The HashedReader has to be at level
1519 // 'recursion_depth - 1'.
1520 if cookie.level.is_none()
1521 || cookie.level.unwrap() < recursion_depth - 1 {
1522 t!("Abandoning search for suitable \
1523 hashed reader at {:?}.", cookie.level);
1524 break
1525 }
1526
1527 if cookie.hashes_for == HashesFor::Signature {
1528 // When verifying cleartext signed messages,
1529 // we may have more signatures than
1530 // one-pass-signature packets, but are
1531 // guaranteed to only have one signature
1532 // group.
1533 //
1534 // Only decrement the count when hashing for
1535 // signatures, not when hashing for cleartext
1536 // signatures.
1537 cookie.sig_group_mut().ops_count -= 1;
1538 }
1539
1540 if cookie.hashes_for == HashesFor::Signature
1541 || cookie.hashes_for == HashesFor::CleartextSignature
1542 {
1543 t!("Have: {:?}",
1544 cookie.sig_group().hashes.iter()
1545 .map(|h| h.map(|h| h.algo()))
1546 .collect::<Vec<_>>());
1547 if let Some(hash) =
1548 cookie.sig_group().hashes.iter().find_map(
1549 |mode|
1550 if mode.map(|ctx| ctx.algo()) == need_hash
1551 {
1552 Some(mode.as_ref())
1553 } else {
1554 None
1555 })
1556 {
1557 t!("found a {:?} HashedReader", need_hash);
1558 computed_digest = Some((cookie.signature_level(),
1559 hash.clone()));
1560 }
1561
1562 if cookie.sig_group_unused() {
1563 cookie.sig_group_pop();
1564 }
1565 break;
1566 }
1567 }
1568
1569 r = tmp.get_mut();
1570 }
1571 }
1572
1573 if let Some((level, mut hash)) = computed_digest {
1574 if let Packet::Signature(ref mut sig) = pp.packet {
1575 sig.hash(&mut hash)?;
1576
1577 let mut digest = vec![0u8; hash.digest_size()];
1578 let _ = hash.digest(&mut digest);
1579
1580 sig.set_computed_digest(Some(digest));
1581 sig.set_level(level);
1582 } else {
1583 unreachable!()
1584 }
1585 }
1586
1587 Ok(pp)
1588 }
1589}
1590
1591impl Signature6 {
1592 // Parses a signature packet.
1593 //
1594 // If `from_embedded_signature` is `true`, then any embedded
1595 // signature subpackets will make the signature invalid, as nested
1596 // embedded signatures are not allowed.
1597 fn parse(mut php: PacketHeaderParser,
1598 from_embedded_signature: bool)
1599 -> Result<PacketParser>
1600 {
1601 let indent = php.recursion_depth();
1602 tracer!(TRACE, "Signature6::parse", indent);
1603
1604 make_php_try!(php);
1605
1606 let typ = php_try!(php.parse_u8("type"));
1607 let pk_algo: PublicKeyAlgorithm = php_try!(php.parse_u8("pk_algo")).into();
1608 let hash_algo: HashAlgorithm =
1609 php_try!(php.parse_u8("hash_algo")).into();
1610 let hashed_area_len = php_try!(php.parse_be_u32("hashed_area_len"));
1611 let hashed_area
1612 = php_try!(SubpacketArea::parse(&mut php,
1613 hashed_area_len as usize,
1614 hash_algo,
1615 from_embedded_signature));
1616 let unhashed_area_len = php_try!(php.parse_be_u32("unhashed_area_len"));
1617 let unhashed_area
1618 = php_try!(SubpacketArea::parse(&mut php,
1619 unhashed_area_len as usize,
1620 hash_algo,
1621 from_embedded_signature));
1622 let digest_prefix1 = php_try!(php.parse_u8("digest_prefix1"));
1623 let digest_prefix2 = php_try!(php.parse_u8("digest_prefix2"));
1624 if ! pk_algo.for_signing() {
1625 return php.fail("not a signature algorithm");
1626 }
1627 let salt_len = php_try!(php.parse_u8("salt_len")) as usize;
1628 let salt = php_try!(php.parse_bytes("salt", salt_len));
1629 let mpis = php_try!(
1630 crypto::mpi::Signature::_parse(pk_algo, &mut php));
1631
1632 let typ = typ.into();
1633 let sig = php_try!(Signature6::new(
1634 typ, pk_algo, hash_algo,
1635 hashed_area,
1636 unhashed_area,
1637 [digest_prefix1, digest_prefix2],
1638 salt,
1639 mpis));
1640 let pp = php.ok(sig.into())?;
1641
1642 Signature::parse_finish(indent, pp, hash_algo)
1643 }
1644}
1645
1646impl Signature4 {
1647 // Parses a signature packet.
1648 //
1649 // If `from_embedded_signature` is `true`, then any embedded
1650 // signature subpackets will make the signature invalid, as nested
1651 // embedded signatures are not allowed.
1652 fn parse(mut php: PacketHeaderParser,
1653 from_embedded_signature: bool)
1654 -> Result<PacketParser>
1655 {
1656 let indent = php.recursion_depth();
1657 tracer!(TRACE, "Signature4::parse", indent);
1658
1659 make_php_try!(php);
1660
1661 let typ = php_try!(php.parse_u8("type"));
1662 let pk_algo: PublicKeyAlgorithm = php_try!(php.parse_u8("pk_algo")).into();
1663 let hash_algo: HashAlgorithm =
1664 php_try!(php.parse_u8("hash_algo")).into();
1665 let hashed_area_len = php_try!(php.parse_be_u16("hashed_area_len"));
1666 let hashed_area
1667 = php_try!(SubpacketArea::parse(&mut php,
1668 hashed_area_len as usize,
1669 hash_algo,
1670 from_embedded_signature));
1671 let unhashed_area_len = php_try!(php.parse_be_u16("unhashed_area_len"));
1672 let unhashed_area
1673 = php_try!(SubpacketArea::parse(&mut php,
1674 unhashed_area_len as usize,
1675 hash_algo,
1676 from_embedded_signature));
1677 let digest_prefix1 = php_try!(php.parse_u8("digest_prefix1"));
1678 let digest_prefix2 = php_try!(php.parse_u8("digest_prefix2"));
1679 if ! pk_algo.for_signing() {
1680 return php.fail("not a signature algorithm");
1681 }
1682 let mpis = php_try!(
1683 crypto::mpi::Signature::_parse(pk_algo, &mut php));
1684
1685 let typ = typ.into();
1686 let pp = php.ok(Packet::Signature(Signature4::new(
1687 typ, pk_algo, hash_algo,
1688 hashed_area,
1689 unhashed_area,
1690 [digest_prefix1, digest_prefix2],
1691 mpis).into()))?;
1692
1693 Signature::parse_finish(indent, pp, hash_algo)
1694 }
1695
1696 /// Returns whether the data appears to be a signature (no promises).
1697 fn plausible(bio: &mut dyn BufferedReader<Cookie>, header: &Header)
1698 -> Result<()>
1699 {
1700 // The absolute minimum size for the header is 11 bytes (this
1701 // doesn't include the signature MPIs).
1702
1703 if let BodyLength::Full(len) = header.length() {
1704 if *len < 11 {
1705 // Much too short.
1706 return Err(
1707 Error::MalformedPacket("Packet too short".into()).into());
1708 }
1709 } else {
1710 return Err(
1711 Error::MalformedPacket(
1712 format!("Unexpected body length encoding: {:?}",
1713 header.length())).into());
1714 }
1715
1716 // Make sure we have a minimum header.
1717 let data = bio.data(11)?;
1718 if data.len() < 11 {
1719 return Err(
1720 Error::MalformedPacket("Short read".into()).into());
1721 }
1722
1723 // Assume unknown == bad.
1724 let version = data[0];
1725 let typ : SignatureType = data[1].into();
1726 let pk_algo : PublicKeyAlgorithm = data[2].into();
1727 let hash_algo : HashAlgorithm = data[3].into();
1728
1729 if version == 4
1730 && !matches!(typ, SignatureType::Unknown(_))
1731 && !matches!(pk_algo, PublicKeyAlgorithm::Unknown(_))
1732 && !matches!(hash_algo, HashAlgorithm::Unknown(_))
1733 {
1734 Ok(())
1735 } else {
1736 Err(Error::MalformedPacket("Invalid or unsupported data".into())
1737 .into())
1738 }
1739 }
1740}
1741
1742impl Signature3 {
1743 // Parses a v3 signature packet.
1744 fn parse(mut php: PacketHeaderParser)
1745 -> Result<PacketParser>
1746 {
1747 let indent = php.recursion_depth();
1748 tracer!(TRACE, "Signature3::parse", indent);
1749
1750 make_php_try!(php);
1751
1752 let len = php_try!(php.parse_u8("hashed length"));
1753 if len != 5 {
1754 return php.fail("invalid length \
1755 (a v3 sig has 5 bytes of hashed data)");
1756 }
1757 let typ = php_try!(php.parse_u8("type"));
1758 let creation_time: Timestamp
1759 = php_try!(php.parse_be_u32("creation_time")).into();
1760 let issuer: KeyID
1761 = KeyID::from_bytes(&php_try!(php.parse_bytes("issuer", 8))[..]);
1762 let pk_algo: PublicKeyAlgorithm
1763 = php_try!(php.parse_u8("pk_algo")).into();
1764 let hash_algo: HashAlgorithm =
1765 php_try!(php.parse_u8("hash_algo")).into();
1766 let digest_prefix1 = php_try!(php.parse_u8("digest_prefix1"));
1767 let digest_prefix2 = php_try!(php.parse_u8("digest_prefix2"));
1768 if ! pk_algo.for_signing() {
1769 return php.fail("not a signature algorithm");
1770 }
1771 let mpis = php_try!(
1772 crypto::mpi::Signature::_parse(pk_algo, &mut php));
1773
1774 let typ = typ.into();
1775 let pp = php.ok(Packet::Signature(Signature3::new(
1776 typ, creation_time, issuer, pk_algo, hash_algo,
1777 [digest_prefix1, digest_prefix2],
1778 mpis).into()))?;
1779
1780 Signature::parse_finish(indent, pp, hash_algo)
1781 }
1782}
1783
1784impl_parse_with_buffered_reader!(Signature);
1785
1786#[test]
1787fn signature_parser_test () {
1788 use crate::serialize::MarshalInto;
1789 let data = crate::tests::message("sig.pgp");
1790
1791 {
1792 let pp = PacketParser::from_bytes(data).unwrap().unwrap();
1793 assert_eq!(pp.header.length(), &BodyLength::Full(307));
1794 if let Packet::Signature(ref p) = pp.packet {
1795 assert_eq!(p.version(), 4);
1796 assert_eq!(p.typ(), SignatureType::Binary);
1797 assert_eq!(p.pk_algo(), PublicKeyAlgorithm::RSAEncryptSign);
1798 assert_eq!(p.hash_algo(), HashAlgorithm::SHA512);
1799 assert_eq!(p.hashed_area().iter().count(), 2);
1800 assert_eq!(p.unhashed_area().iter().count(), 1);
1801 assert_eq!(p.digest_prefix(), &[0x65u8, 0x74]);
1802 assert_eq!(p.mpis().serialized_len(), 258);
1803 } else {
1804 panic!("Wrong packet!");
1805 }
1806 }
1807}
1808
1809impl SubpacketArea {
1810 // Parses a subpacket area.
1811 fn parse(php: &mut PacketHeaderParser,
1812 mut limit: usize,
1813 hash_algo: HashAlgorithm,
1814 from_embedded_signature: bool)
1815 -> Result<Self>
1816 {
1817 let indent = php.recursion_depth();
1818 tracer!(TRACE, "SubpacketArea::parse", indent);
1819
1820 let mut packets = Vec::new();
1821 while limit > 0 {
1822 let r = Subpacket::parse(
1823 php, limit, hash_algo, from_embedded_signature);
1824 t!("Subpacket::parse(_, {}, {:?}) => {:?}",
1825 limit, hash_algo, r);
1826 let p = r?;
1827 assert!(limit >= p.length.len() + p.length.serialized_len());
1828 limit -= p.length.len() + p.length.serialized_len();
1829 packets.push(p);
1830 }
1831 assert!(limit == 0);
1832 Self::new(packets)
1833 }
1834}
1835
1836impl Subpacket {
1837 // Parses a raw subpacket.
1838 fn parse(php: &mut PacketHeaderParser,
1839 limit: usize,
1840 hash_algo: HashAlgorithm,
1841 from_embedded_signature: bool)
1842 -> Result<Self>
1843 {
1844 let length = SubpacketLength::parse(&mut php.reader)?;
1845 php.field("subpacket length", length.serialized_len());
1846 let len = length.len() as usize;
1847
1848 if limit < length.serialized_len() + len {
1849 return Err(Error::MalformedPacket(
1850 "Subpacket extends beyond the end of the subpacket area".into())
1851 .into());
1852 }
1853
1854 if len == 0 {
1855 return Err(Error::MalformedPacket("Zero-length subpacket".into())
1856 .into());
1857 }
1858
1859 let tag = php.parse_u8("subpacket tag")?;
1860 let len = len - 1;
1861
1862 // Remember our position in the reader to check subpacket boundaries.
1863 let total_out_before = php.reader.total_out();
1864
1865 // The critical bit is the high bit. Extract it.
1866 let critical = tag & (1 << 7) != 0;
1867 // Then clear it from the type and convert it.
1868 let tag: SubpacketTag = (tag & !(1 << 7)).into();
1869
1870 #[allow(deprecated)]
1871 let value = match tag {
1872 SubpacketTag::SignatureCreationTime =>
1873 SubpacketValue::SignatureCreationTime(
1874 php.parse_be_u32("sig creation time")?.into()),
1875 SubpacketTag::SignatureExpirationTime =>
1876 SubpacketValue::SignatureExpirationTime(
1877 php.parse_be_u32("sig expiry time")?.into()),
1878 SubpacketTag::ExportableCertification =>
1879 SubpacketValue::ExportableCertification(
1880 php.parse_bool("exportable")?),
1881 SubpacketTag::TrustSignature =>
1882 SubpacketValue::TrustSignature {
1883 level: php.parse_u8("trust level")?,
1884 trust: php.parse_u8("trust value")?,
1885 },
1886 SubpacketTag::RegularExpression => {
1887 let mut v = php.parse_bytes("regular expr", len)?;
1888 if v.is_empty() || v[v.len() - 1] != 0 {
1889 return Err(Error::MalformedPacket(
1890 "Regular expression not 0-terminated".into())
1891 .into());
1892 }
1893 v.pop();
1894 SubpacketValue::RegularExpression(v)
1895 },
1896 SubpacketTag::Revocable =>
1897 SubpacketValue::Revocable(php.parse_bool("revocable")?),
1898 SubpacketTag::KeyExpirationTime =>
1899 SubpacketValue::KeyExpirationTime(
1900 php.parse_be_u32("key expiry time")?.into()),
1901 SubpacketTag::PreferredSymmetricAlgorithms =>
1902 SubpacketValue::PreferredSymmetricAlgorithms(
1903 php.parse_bytes("pref sym algos", len)?
1904 .iter().map(|o| (*o).into()).collect()),
1905 SubpacketTag::RevocationKey => {
1906 // 1 octet of class, 1 octet of pk algorithm, 20 bytes
1907 // for a v4 fingerprint and 32 bytes for a v6
1908 // fingerprint.
1909 if len < 22 {
1910 return Err(Error::MalformedPacket(
1911 "Short revocation key subpacket".into())
1912 .into());
1913 }
1914 let class = php.parse_u8("class")?;
1915 let pk_algo = php.parse_u8("pk algo")?.into();
1916 let fp = Fingerprint::from_bytes_intern(
1917 None,
1918 &php.parse_bytes("fingerprint", len - 2)?)?;
1919 SubpacketValue::RevocationKey(
1920 RevocationKey::from_bits(pk_algo, fp, class)?)
1921 },
1922 SubpacketTag::Issuer =>
1923 SubpacketValue::Issuer(
1924 KeyID::from_bytes(&php.parse_bytes("issuer", len)?)),
1925 SubpacketTag::NotationData => {
1926 let flags = php.parse_bytes("flags", 4)?;
1927 let name_len = php.parse_be_u16("name len")? as usize;
1928 let value_len = php.parse_be_u16("value len")? as usize;
1929
1930 if len != 8 + name_len + value_len {
1931 return Err(Error::MalformedPacket(
1932 format!("Malformed notation data subpacket: \
1933 expected {} bytes, got {}",
1934 8 + name_len + value_len,
1935 len)).into());
1936 }
1937 SubpacketValue::NotationData(
1938 NotationData::new(
1939 std::str::from_utf8(
1940 &php.parse_bytes("notation name", name_len)?)
1941 .map_err(|e| anyhow::Error::from(
1942 Error::MalformedPacket(
1943 format!("Malformed notation name: {}", e)))
1944 )?,
1945 &php.parse_bytes("notation value", value_len)?,
1946 Some(NotationDataFlags::new(&flags)?)))
1947 },
1948 SubpacketTag::PreferredHashAlgorithms =>
1949 SubpacketValue::PreferredHashAlgorithms(
1950 php.parse_bytes("pref hash algos", len)?
1951 .iter().map(|o| (*o).into()).collect()),
1952 SubpacketTag::PreferredCompressionAlgorithms =>
1953 SubpacketValue::PreferredCompressionAlgorithms(
1954 php.parse_bytes("pref compression algos", len)?
1955 .iter().map(|o| (*o).into()).collect()),
1956 SubpacketTag::KeyServerPreferences =>
1957 SubpacketValue::KeyServerPreferences(
1958 KeyServerPreferences::new(
1959 &php.parse_bytes("key server pref", len)?
1960 )),
1961 SubpacketTag::PreferredKeyServer =>
1962 SubpacketValue::PreferredKeyServer(
1963 php.parse_bytes("pref key server", len)?),
1964 SubpacketTag::PrimaryUserID =>
1965 SubpacketValue::PrimaryUserID(
1966 php.parse_bool("primary user id")?),
1967 SubpacketTag::PolicyURI =>
1968 SubpacketValue::PolicyURI(php.parse_bytes("policy URI", len)?),
1969 SubpacketTag::KeyFlags =>
1970 SubpacketValue::KeyFlags(KeyFlags::new(
1971 &php.parse_bytes("key flags", len)?)),
1972 SubpacketTag::SignersUserID =>
1973 SubpacketValue::SignersUserID(
1974 php.parse_bytes("signers user id", len)?),
1975 SubpacketTag::ReasonForRevocation => {
1976 if len == 0 {
1977 return Err(Error::MalformedPacket(
1978 "Short reason for revocation subpacket".into()).into());
1979 }
1980 SubpacketValue::ReasonForRevocation {
1981 code: php.parse_u8("revocation reason")?.into(),
1982 reason: php.parse_bytes("human-readable", len - 1)?,
1983 }
1984 },
1985 SubpacketTag::Features =>
1986 SubpacketValue::Features(Features::new(
1987 &php.parse_bytes("features", len)?)),
1988 SubpacketTag::SignatureTarget => {
1989 if len < 2 {
1990 return Err(Error::MalformedPacket(
1991 "Short reason for revocation subpacket".into()).into());
1992 }
1993 SubpacketValue::SignatureTarget {
1994 pk_algo: php.parse_u8("pk algo")?.into(),
1995 hash_algo: php.parse_u8("hash algo")?.into(),
1996 digest: php.parse_bytes("digest", len - 2)?,
1997 }
1998 },
1999 SubpacketTag::EmbeddedSignature => {
2000 if from_embedded_signature {
2001 return Err(Error::MalformedPacket(
2002 "Nested embedded signatures are not allowed".into())
2003 .into());
2004 } else {
2005 SubpacketValue::EmbeddedSignature(
2006 EmbeddedSignature::from_bytes(
2007 &php.parse_bytes("embedded sig", len)?)?)
2008 }
2009 }
2010 SubpacketTag::IssuerFingerprint => {
2011 if len == 0 {
2012 return Err(Error::MalformedPacket(
2013 "Short issuer fingerprint subpacket".into()).into());
2014 }
2015 let version = php.parse_u8("version")?;
2016 if let Some(expect_len) = match version {
2017 4 => Some(1 + 20),
2018 6 => Some(1 + 32),
2019 _ => None,
2020 } {
2021 if len != expect_len {
2022 return Err(Error::MalformedPacket(
2023 format!("Malformed issuer fingerprint subpacket: \
2024 expected {} bytes, got {}",
2025 expect_len, len)).into());
2026 }
2027 }
2028 let bytes = php.parse_bytes("issuer fp", len - 1)?;
2029 SubpacketValue::IssuerFingerprint(
2030 Fingerprint::from_bytes(version, &bytes)?)
2031 },
2032 SubpacketTag::IntendedRecipient => {
2033 if len == 0 {
2034 return Err(Error::MalformedPacket(
2035 "Short intended recipient subpacket".into()).into());
2036 }
2037 let version = php.parse_u8("version")?;
2038 if let Some(expect_len) = match version {
2039 4 => Some(1 + 20),
2040 6 => Some(1 + 32),
2041 _ => None,
2042 } {
2043 if len != expect_len {
2044 return Err(Error::MalformedPacket(
2045 format!("Malformed intended recipient subpacket: \
2046 expected {} bytes, got {}",
2047 expect_len, len)).into());
2048 }
2049 }
2050 let bytes = php.parse_bytes("intended rcpt", len - 1)?;
2051 SubpacketValue::IntendedRecipient(
2052 Fingerprint::from_bytes(version, &bytes)?)
2053 },
2054 SubpacketTag::ApprovedCertifications => {
2055 // If we don't know the hash algorithm, put all digest
2056 // into one bucket. That way, at least it will
2057 // roundtrip. It will never verify, because we don't
2058 // know the hash.
2059 let digest_size =
2060 hash_algo.context().map(|c| c.for_digest().digest_size())
2061 .unwrap_or(len);
2062
2063 if digest_size == 0 {
2064 // Empty body with unknown hash algorithm.
2065 SubpacketValue::ApprovedCertifications(
2066 Vec::with_capacity(0))
2067 } else {
2068 if len % digest_size != 0 {
2069 return Err(Error::BadSignature(
2070 "Wrong number of bytes in certification subpacket"
2071 .into()).into());
2072 }
2073 let bytes = php.parse_bytes("attested crts", len)?;
2074 SubpacketValue::ApprovedCertifications(
2075 bytes.chunks(digest_size).map(Into::into).collect())
2076 }
2077 },
2078
2079 SubpacketTag::PreferredAEADCiphersuites => {
2080 if len % 2 != 0 {
2081 return Err(Error::BadSignature(
2082 "Wrong number of bytes in preferred AEAD \
2083 Ciphersuites subpacket"
2084 .into()).into());
2085 }
2086
2087 SubpacketValue::PreferredAEADCiphersuites(
2088 php.parse_bytes("pref aead ciphersuites", len)?
2089 .chunks(2).map(|o| (o[0].into(),
2090 o[1].into())).collect())
2091 },
2092
2093 SubpacketTag::Reserved(_)
2094 | SubpacketTag::PlaceholderForBackwardCompatibility
2095 | SubpacketTag::PreferredAEADAlgorithms
2096 | SubpacketTag::Private(_)
2097 | SubpacketTag::Unknown(_) =>
2098 SubpacketValue::Unknown {
2099 tag,
2100 body: php.parse_bytes("unknown subpacket", len)?,
2101 },
2102 };
2103
2104 let total_out = php.reader.total_out();
2105 if total_out_before + len != total_out {
2106 return Err(Error::MalformedPacket(
2107 format!("Malformed subpacket: \
2108 body length is {} bytes, but read {}",
2109 len, total_out - total_out_before)).into());
2110 }
2111
2112 Ok(Subpacket::with_length(
2113 length,
2114 value,
2115 critical,
2116 ))
2117 }
2118}
2119
2120impl SubpacketLength {
2121 /// Parses a subpacket length.
2122 fn parse<R: BufferedReader<C>, C: fmt::Debug + Send + Sync>(bio: &mut R) -> Result<Self> {
2123 let octet1 = bio.data_consume_hard(1)?[0];
2124 if octet1 < 192 {
2125 // One octet.
2126 Ok(Self::new(
2127 octet1 as u32,
2128 // Unambiguous.
2129 None))
2130 } else if (192..255).contains(&octet1) {
2131 // Two octets length.
2132 let octet2 = bio.data_consume_hard(1)?[0];
2133 let len = ((octet1 as u32 - 192) << 8) + octet2 as u32 + 192;
2134 Ok(Self::new(
2135 len,
2136 if Self::len_optimal_encoding(len) == 2 {
2137 None
2138 } else {
2139 Some(vec![octet1, octet2])
2140 }))
2141 } else {
2142 // Five octets.
2143 assert_eq!(octet1, 255);
2144 let len = bio.read_be_u32()?;
2145 Ok(Self::new(
2146 len,
2147 if Self::len_optimal_encoding(len) == 5 {
2148 None
2149 } else {
2150 let mut out = Vec::with_capacity(5);
2151 out.push(octet1);
2152 out.extend_from_slice(&len.to_be_bytes());
2153 Some(out)
2154 }))
2155 }
2156 }
2157}
2158
2159#[cfg(test)]
2160quickcheck! {
2161 fn length_roundtrip(l: u32) -> bool {
2162 use crate::serialize::Marshal;
2163
2164 let length = SubpacketLength::from(l);
2165 let mut encoded = Vec::new();
2166 length.serialize(&mut encoded).unwrap();
2167 assert_eq!(encoded.len(), length.serialized_len());
2168 let mut reader = buffered_reader::Memory::new(&encoded);
2169 SubpacketLength::parse(&mut reader).unwrap().len() == l as usize
2170 }
2171}
2172
2173impl OnePassSig {
2174 fn parse(mut php: PacketHeaderParser) -> Result<PacketParser> {
2175 let indent = php.recursion_depth();
2176 tracer!(TRACE, "OnePassSig", indent);
2177
2178 make_php_try!(php);
2179
2180 let version = php_try!(php.parse_u8("version"));
2181 match version {
2182 3 => OnePassSig3::parse(php),
2183 6 => OnePassSig6::parse(php),
2184 _ => {
2185 t!("Ignoring version {} packet", version);
2186
2187 // Unknown version. Return an unknown packet.
2188 php.fail("unknown version")
2189 },
2190 }
2191 }
2192}
2193
2194impl_parse_with_buffered_reader!(OnePassSig);
2195
2196impl OnePassSig3 {
2197 fn parse(mut php: PacketHeaderParser) -> Result<PacketParser> {
2198 let indent = php.recursion_depth();
2199 tracer!(TRACE, "OnePassSig3", indent);
2200
2201 make_php_try!(php);
2202
2203 let typ = php_try!(php.parse_u8("type"));
2204 let hash_algo = php_try!(php.parse_u8("hash_algo"));
2205 let pk_algo = php_try!(php.parse_u8("pk_algo"));
2206 let mut issuer = [0u8; 8];
2207 issuer.copy_from_slice(&php_try!(php.parse_bytes("issuer", 8)));
2208 let last = php_try!(php.parse_u8("last"));
2209
2210 let hash_algo = hash_algo.into();
2211 let typ = typ.into();
2212 let mut sig = OnePassSig3::new(typ);
2213 sig.set_hash_algo(hash_algo);
2214 sig.set_pk_algo(pk_algo.into());
2215 sig.set_issuer(KeyID::from_bytes(&issuer));
2216 sig.set_last_raw(last);
2217 let need_hash = HashingMode::for_salt_and_type(hash_algo, &[], typ);
2218
2219 let recursion_depth = php.recursion_depth();
2220
2221 // Check if we are processing a cleartext signed message.
2222 let want_hashes_for = if Cookie::processing_csf_message(&php.reader) {
2223 HashesFor::CleartextSignature
2224 } else {
2225 HashesFor::Signature
2226 };
2227
2228 // Walk up the reader chain to see if there is already a
2229 // hashed reader on level recursion_depth - 1.
2230 let done = {
2231 let mut done = false;
2232 let mut reader : Option<&mut dyn BufferedReader<Cookie>>
2233 = Some(&mut php.reader);
2234 while let Some(r) = reader {
2235 {
2236 let cookie = r.cookie_mut();
2237 if let Some(br_level) = cookie.level {
2238 if br_level < recursion_depth - 1 {
2239 break;
2240 }
2241 if br_level == recursion_depth - 1
2242 && cookie.hashes_for == want_hashes_for {
2243 // We found a suitable hashed reader.
2244 if cookie.saw_last {
2245 cookie.sig_group_push();
2246 cookie.saw_last = false;
2247 cookie.hash_stash =
2248 Some(php.header_bytes.clone());
2249 }
2250
2251 // Make sure that it uses the required
2252 // hash algorithm.
2253 if php.state.settings.automatic_hashing
2254 && ! cookie.sig_group().hashes.iter()
2255 .any(|mode| {
2256 mode.map(|ctx| ctx.algo()) == need_hash
2257 })
2258 {
2259 if let Ok(ctx) = hash_algo.context() {
2260 let ctx = ctx.for_signature(4);
2261 cookie.sig_group_mut().hashes.push(
2262 HashingMode::for_salt_and_type(
2263 ctx, &[], typ)
2264 );
2265 }
2266 }
2267
2268 // Account for this OPS packet.
2269 cookie.sig_group_mut().ops_count += 1;
2270
2271 // Keep track of the last flag.
2272 cookie.saw_last = last > 0;
2273
2274 // We're done.
2275 done = true;
2276 break;
2277 }
2278 } else {
2279 break;
2280 }
2281 }
2282 reader = r.get_mut();
2283 }
2284 done
2285 };
2286 // Commit here after potentially pushing a signature group.
2287 let mut pp = php.ok(Packet::OnePassSig(sig.into()))?;
2288 if done {
2289 return Ok(pp);
2290 }
2291
2292 // We create an empty hashed reader even if we don't support
2293 // the hash algorithm so that we have something to match
2294 // against when we get to the Signature packet. Or, automatic
2295 // hashing may be disabled, and we want to be able to enable
2296 // it explicitly.
2297 let mut algos = Vec::new();
2298 if pp.state.settings.automatic_hashing && hash_algo.is_supported() {
2299 algos.push(HashingMode::for_salt_and_type(hash_algo, &[], typ));
2300 }
2301
2302 // We can't push the HashedReader on the BufferedReader stack:
2303 // when we finish processing this OnePassSig packet, it will
2304 // be popped. Instead, we need to insert it at the next
2305 // higher level. Unfortunately, this isn't possible. But,
2306 // since we're done reading the current packet, we can pop the
2307 // readers associated with it, and then push the HashedReader.
2308 // This is a bit of a layering violation, but I (Neal) can't
2309 // think of a more elegant solution.
2310
2311 assert!(pp.reader.cookie_ref().level <= Some(recursion_depth));
2312 let (fake_eof, reader)
2313 = buffered_reader_stack_pop(Box::new(pp.take_reader()),
2314 recursion_depth)?;
2315 // We only pop the buffered readers for the OPS, and we
2316 // (currently) never use a fake eof for OPS packets.
2317 assert!(! fake_eof);
2318
2319 let mut reader = HashedReader::new(
2320 reader, want_hashes_for, algos)?;
2321 reader.cookie_mut().level = Some(recursion_depth - 1);
2322 // Account for this OPS packet.
2323 reader.cookie_mut().sig_group_mut().ops_count += 1;
2324 // Keep track of the last flag.
2325 reader.cookie_mut().saw_last = last > 0;
2326
2327 t!("Pushed a hashed reader, level {:?}", reader.cookie_mut().level);
2328
2329 // We add an empty limitor on top of the hashed reader,
2330 // because when we are done processing a packet,
2331 // PacketParser::finish discards any unread data from the top
2332 // reader. Since the top reader is the HashedReader, this
2333 // discards any following packets. To prevent this, we push a
2334 // Limitor on the reader stack.
2335 let mut reader = buffered_reader::Limitor::with_cookie(
2336 reader, 0, Cookie::default());
2337 reader.cookie_mut().level = Some(recursion_depth);
2338
2339 pp.reader = Box::new(reader);
2340
2341 Ok(pp)
2342 }
2343}
2344
2345impl PacketParser<'_> {
2346 /// Starts hashing for the current [`OnePassSig`] packet.
2347 ///
2348 /// If automatic hashing is disabled using
2349 /// [`PacketParserBuilder::automatic_hashing`], then hashing can
2350 /// be explicitly enabled while parsing a [`OnePassSig`] packet.
2351 ///
2352 /// If this function is called on a packet other than a
2353 /// [`OnePassSig`] packet, it returns [`Error::InvalidOperation`].
2354 ///
2355 /// [`Error::InvalidOperation`]: crate::Error::InvalidOperation
2356 ///
2357 /// # Examples
2358 ///
2359 /// ```rust
2360 /// # fn main() -> sequoia_openpgp::Result<()> {
2361 /// # use sequoia_openpgp as openpgp;
2362 /// # use openpgp::{Cert, Packet};
2363 /// # use openpgp::parse::{Parse, PacketParserResult, PacketParserBuilder};
2364 /// // Parse a signed message, verify using the signer's key.
2365 /// let message_data: &[u8] = // ...
2366 /// # include_bytes!("../tests/data/messages/signed-1-eddsa-ed25519.pgp");
2367 /// # let cert: Cert = // ...
2368 /// # Cert::from_bytes(include_bytes!("../tests/data/keys/emmelie-dorothea-dina-samantha-awina-ed25519.pgp"))?;
2369 /// let signer = // ...
2370 /// # cert.primary_key().key();
2371 /// let mut good = false;
2372 /// let mut ppr = PacketParserBuilder::from_bytes(message_data)?
2373 /// .automatic_hashing(false)
2374 /// .build()?;
2375 /// while let PacketParserResult::Some(mut pp) = ppr {
2376 /// if let Packet::OnePassSig(_) = &pp.packet {
2377 /// pp.start_hashing()?;
2378 /// }
2379 /// if let Packet::Signature(sig) = &mut pp.packet {
2380 /// good |= sig.verify_document(signer).is_ok();
2381 /// }
2382 /// // Start parsing the next packet, recursing.
2383 /// ppr = pp.recurse()?.1;
2384 /// }
2385 /// assert!(good);
2386 /// # Ok(()) }
2387 /// ```
2388 pub fn start_hashing(&mut self) -> Result<()> {
2389 let ops: &OnePassSig = self.packet.downcast_ref()
2390 .ok_or_else(|| Error::InvalidOperation(
2391 "Must only be invoked on one-pass-signature packets".into())
2392 )?;
2393
2394 let sig_version = match ops.version() {
2395 3 => 4,
2396 n => return Err(Error::InvalidOperation(
2397 format!("don't know how to hash for v{} one pass sig",
2398 n)).into()),
2399 };
2400
2401 let hash_algo = ops.hash_algo();
2402 let typ = ops.typ();
2403 let salt = ops.salt().unwrap_or(&[]);
2404 let need_hash = HashingMode::for_salt_and_type(hash_algo, salt, typ);
2405 let recursion_depth = self.recursion_depth();
2406 let want_hashes_for = if Cookie::processing_csf_message(&self.reader) {
2407 HashesFor::CleartextSignature
2408 } else {
2409 HashesFor::Signature
2410 };
2411
2412 // Walk up the reader chain to find the hashed reader on level
2413 // recursion_depth - 1.
2414 let mut reader : Option<&mut dyn BufferedReader<Cookie>>
2415 = Some(&mut self.reader);
2416 while let Some(r) = reader {
2417 {
2418 let cookie = r.cookie_mut();
2419 if let Some(br_level) = cookie.level {
2420 if br_level < recursion_depth - 1 {
2421 break;
2422 }
2423 if br_level == recursion_depth - 1
2424 && cookie.hashes_for == want_hashes_for {
2425 // We found a suitable hashed reader.
2426 // Make sure that it uses the required
2427 // hash algorithm.
2428 if ! cookie.sig_group().hashes.iter()
2429 .any(|mode| {
2430 mode.map(|ctx| ctx.algo()) == need_hash
2431 })
2432 {
2433 let mut ctx = hash_algo.context()?
2434 .for_signature(sig_version);
2435
2436 ctx.update(&salt);
2437 cookie.sig_group_mut().hashes.push(
2438 HashingMode::for_salt_and_type(
2439 ctx, salt, typ));
2440 }
2441 break;
2442 }
2443 } else {
2444 break;
2445 }
2446 }
2447 reader = r.get_mut();
2448 }
2449
2450 Ok(())
2451 }
2452}
2453
2454#[test]
2455fn one_pass_sig3_parser_test () {
2456 use crate::SignatureType;
2457 use crate::PublicKeyAlgorithm;
2458
2459 // This test assumes that the first packet is a OnePassSig packet.
2460 let data = crate::tests::message("signed-1.pgp");
2461 let mut pp = PacketParser::from_bytes(data).unwrap().unwrap();
2462 let p = pp.finish().unwrap();
2463 // eprintln!("packet: {:?}", p);
2464
2465 if let &Packet::OnePassSig(ref p) = p {
2466 assert_eq!(p.version(), 3);
2467 assert_eq!(p.typ(), SignatureType::Binary);
2468 assert_eq!(p.hash_algo(), HashAlgorithm::SHA512);
2469 assert_eq!(p.pk_algo(), PublicKeyAlgorithm::RSAEncryptSign);
2470 assert_eq!(format!("{:X}", p.issuer()), "7223B56678E02528");
2471 assert_eq!(p.last_raw(), 1);
2472 } else {
2473 panic!("Wrong packet!");
2474 }
2475}
2476
2477impl_parse_with_buffered_reader!(
2478 OnePassSig3,
2479 |reader| -> Result<Self> {
2480 OnePassSig::from_buffered_reader(reader).and_then(|p| match p {
2481 OnePassSig::V3(p) => Ok(p),
2482 p => Err(Error::InvalidOperation(
2483 format!("Not a OnePassSig::V3 packet: {:?}", p)).into()),
2484 })
2485 });
2486
2487impl OnePassSig6 {
2488 #[allow(clippy::blocks_in_conditions)]
2489 fn parse(mut php: PacketHeaderParser) -> Result<PacketParser> {
2490 let indent = php.recursion_depth();
2491 tracer!(TRACE, "OnePassSig6", indent);
2492
2493 make_php_try!(php);
2494
2495 let typ = php_try!(php.parse_u8("type"));
2496 let hash_algo = php_try!(php.parse_u8("hash_algo"));
2497 let pk_algo = php_try!(php.parse_u8("pk_algo"));
2498 let salt_len = php_try!(php.parse_u8("salt_len"));
2499 let salt = php_try!(php.parse_bytes("salt", salt_len.into()));
2500 let mut issuer = [0u8; 32];
2501 issuer.copy_from_slice(&php_try!(php.parse_bytes("issuer", 32)));
2502 let last = php_try!(php.parse_u8("last"));
2503
2504 let hash_algo = hash_algo.into();
2505 let typ = typ.into();
2506 let mut sig =
2507 OnePassSig6::new(typ, Fingerprint::from_bytes(6, &issuer)?);
2508 sig.set_salt(salt.clone());
2509 sig.set_hash_algo(hash_algo);
2510 sig.set_pk_algo(pk_algo.into());
2511 sig.set_last_raw(last);
2512 let need_hash = HashingMode::for_salt_and_type(hash_algo, &salt, typ);
2513
2514 let recursion_depth = php.recursion_depth();
2515
2516 // Check if we are processing a cleartext signed message.
2517 let want_hashes_for = if Cookie::processing_csf_message(&php.reader) {
2518 HashesFor::CleartextSignature
2519 } else {
2520 HashesFor::Signature
2521 };
2522
2523 // Walk up the reader chain to see if there is already a
2524 // hashed reader on level recursion_depth - 1.
2525 let done = {
2526 let mut done = false;
2527 let mut reader : Option<&mut dyn BufferedReader<Cookie>>
2528 = Some(&mut php.reader);
2529 while let Some(r) = reader {
2530 {
2531 let cookie = r.cookie_mut();
2532 if let Some(br_level) = cookie.level {
2533 if br_level < recursion_depth - 1 {
2534 break;
2535 }
2536 if br_level == recursion_depth - 1
2537 && cookie.hashes_for == want_hashes_for {
2538 // We found a suitable hashed reader.
2539 if cookie.saw_last {
2540 cookie.sig_group_push();
2541 cookie.saw_last = false;
2542 cookie.hash_stash =
2543 Some(php.header_bytes.clone());
2544 }
2545
2546 // Make sure that it uses the required
2547 // hash algorithm.
2548 if php.state.settings.automatic_hashing
2549 && ! cookie.sig_group().hashes.iter()
2550 .any(|mode| {
2551 mode.map(|ctx| ctx.algo()) == need_hash
2552 })
2553 {
2554 if let Ok(ctx) = hash_algo.context() {
2555 let mut ctx = ctx.for_signature(6);
2556 ctx.update(&salt);
2557 cookie.sig_group_mut().hashes.push(
2558 HashingMode::for_salt_and_type(
2559 ctx, &salt, typ)
2560 );
2561 }
2562 }
2563
2564 // Account for this OPS packet.
2565 cookie.sig_group_mut().ops_count += 1;
2566
2567 // Keep track of the last flag.
2568 cookie.saw_last = last > 0;
2569
2570 // We're done.
2571 done = true;
2572 break;
2573 }
2574 } else {
2575 break;
2576 }
2577 }
2578 reader = r.get_mut();
2579 }
2580 done
2581 };
2582 // Commit here after potentially pushing a signature group.
2583 let mut pp = php.ok(Packet::OnePassSig(sig.into()))?;
2584 if done {
2585 return Ok(pp);
2586 }
2587
2588 // We create an empty hashed reader even if we don't support
2589 // the hash algorithm so that we have something to match
2590 // against when we get to the Signature packet.
2591 let mut algos = Vec::new();
2592 if pp.state.settings.automatic_hashing && hash_algo.is_supported() {
2593 algos.push(HashingMode::for_salt_and_type(hash_algo, &salt, typ));
2594 }
2595
2596 // We can't push the HashedReader on the BufferedReader stack:
2597 // when we finish processing this OnePassSig packet, it will
2598 // be popped. Instead, we need to insert it at the next
2599 // higher level. Unfortunately, this isn't possible. But,
2600 // since we're done reading the current packet, we can pop the
2601 // readers associated with it, and then push the HashedReader.
2602 // This is a bit of a layering violation, but I (Neal) can't
2603 // think of a more elegant solution.
2604
2605 assert!(pp.reader.cookie_ref().level <= Some(recursion_depth));
2606 let (fake_eof, reader)
2607 = buffered_reader_stack_pop(Box::new(pp.take_reader()),
2608 recursion_depth)?;
2609 // We only pop the buffered readers for the OPS, and we
2610 // (currently) never use a fake eof for OPS packets.
2611 assert!(! fake_eof);
2612
2613 let mut reader = HashedReader::new(
2614 reader, want_hashes_for, algos)?;
2615 reader.cookie_mut().level = Some(recursion_depth - 1);
2616 // Account for this OPS packet.
2617 reader.cookie_mut().sig_group_mut().ops_count += 1;
2618 // Keep track of the last flag.
2619 reader.cookie_mut().saw_last = last > 0;
2620
2621 t!("Pushed a hashed reader, level {:?}", reader.cookie_mut().level);
2622
2623 // We add an empty limitor on top of the hashed reader,
2624 // because when we are done processing a packet,
2625 // PacketParser::finish discards any unread data from the top
2626 // reader. Since the top reader is the HashedReader, this
2627 // discards any following packets. To prevent this, we push a
2628 // Limitor on the reader stack.
2629 let mut reader = buffered_reader::Limitor::with_cookie(
2630 reader, 0, Cookie::default());
2631 reader.cookie_mut().level = Some(recursion_depth);
2632
2633 pp.reader = Box::new(reader);
2634
2635 Ok(pp)
2636 }
2637}
2638
2639impl_parse_with_buffered_reader!(
2640 OnePassSig6,
2641 |reader| -> Result<Self> {
2642 OnePassSig::from_buffered_reader(reader).and_then(|p| match p {
2643 OnePassSig::V6(p) => Ok(p),
2644 p => Err(Error::InvalidOperation(
2645 format!("Not a OnePassSig::V6 packet: {:?}", p)).into()),
2646 })
2647 });
2648
2649#[test]
2650fn one_pass_sig_test () {
2651 struct Test<'a> {
2652 filename: &'a str,
2653 digest_prefix: Vec<[u8; 2]>,
2654 }
2655
2656 let tests = [
2657 Test {
2658 filename: "signed-1.pgp",
2659 digest_prefix: vec![ [ 0x83, 0xF5 ] ],
2660 },
2661 Test {
2662 filename: "signed-2-partial-body.pgp",
2663 digest_prefix: vec![ [ 0x2F, 0xBE ] ],
2664 },
2665 Test {
2666 filename: "signed-3-partial-body-multiple-sigs.pgp",
2667 digest_prefix: vec![ [ 0x29, 0x64 ], [ 0xff, 0x7d ] ],
2668 },
2669 ];
2670
2671 for test in tests.iter() {
2672 eprintln!("Trying {}...", test.filename);
2673 let mut ppr = PacketParserBuilder::from_bytes(
2674 crate::tests::message(test.filename))
2675 .unwrap_or_else(|_| panic!("Error reading {}", test.filename))
2676 .build().unwrap();
2677
2678 let mut one_pass_sigs = 0;
2679 let mut sigs = 0;
2680
2681 while let PacketParserResult::Some(pp) = ppr {
2682 if let Packet::OnePassSig(_) = pp.packet {
2683 one_pass_sigs += 1;
2684 } else if let Packet::Signature(ref sig) = pp.packet {
2685 eprintln!(" {}:\n prefix: expected: {}, in sig: {}",
2686 test.filename,
2687 crate::fmt::to_hex(&test.digest_prefix[sigs][..], false),
2688 crate::fmt::to_hex(sig.digest_prefix(), false));
2689 eprintln!(" computed hash: {}",
2690 crate::fmt::to_hex(sig.computed_digest().unwrap(),
2691 false));
2692
2693 assert_eq!(&test.digest_prefix[sigs], sig.digest_prefix());
2694 assert_eq!(&test.digest_prefix[sigs][..],
2695 &sig.computed_digest().unwrap()[..2]);
2696
2697 sigs += 1;
2698 } else if one_pass_sigs > 0 {
2699 assert_eq!(one_pass_sigs, test.digest_prefix.len(),
2700 "Number of OnePassSig packets does not match \
2701 number of expected OnePassSig packets.");
2702 }
2703
2704 ppr = pp.recurse().expect("Parsing message").1;
2705 }
2706 assert_eq!(one_pass_sigs, sigs,
2707 "Number of OnePassSig packets does not match \
2708 number of signature packets.");
2709
2710 eprintln!("done.");
2711 }
2712}
2713
2714// Key::parse doesn't actually use the Key type parameters. So, we
2715// can just set them to anything. This avoids the caller having to
2716// set them to something.
2717impl Key<key::UnspecifiedParts, key::UnspecifiedRole>
2718{
2719 /// Parses the body of a public key, public subkey, secret key or
2720 /// secret subkey packet.
2721 fn parse(mut php: PacketHeaderParser) -> Result<PacketParser> {
2722 tracer!(TRACE, "Key::parse", php.recursion_depth());
2723 make_php_try!(php);
2724 let tag = php.header.ctb().tag();
2725 assert!(tag == Tag::Reserved
2726 || tag == Tag::PublicKey
2727 || tag == Tag::PublicSubkey
2728 || tag == Tag::SecretKey
2729 || tag == Tag::SecretSubkey);
2730 let version = php_try!(php.parse_u8("version"));
2731
2732 match version {
2733 4 => Key4::parse(php),
2734 6 => Key6::parse(php),
2735 _ => php.fail("unknown version"),
2736 }
2737 }
2738
2739 /// Returns whether the data appears to be a key (no promises).
2740 fn plausible(bio: &mut dyn BufferedReader<Cookie>, header: &Header)
2741 -> Result<()>
2742 {
2743 // The packet's header is 6 bytes.
2744 if let BodyLength::Full(len) = header.length() {
2745 if *len < 6 {
2746 // Much too short.
2747 return Err(Error::MalformedPacket(
2748 format!("Packet too short ({} bytes)", len)).into());
2749 }
2750 } else {
2751 return Err(
2752 Error::MalformedPacket(
2753 format!("Unexpected body length encoding: {:?}",
2754 header.length())).into());
2755 }
2756
2757 // Make sure we have a minimum header.
2758 let data = bio.data(6)?;
2759 if data.len() < 6 {
2760 return Err(
2761 Error::MalformedPacket("Short read".into()).into());
2762 }
2763
2764 // Assume unknown == bad.
2765 let version = data[0];
2766 match version {
2767 4 => Key4::plausible(bio, header),
2768 6 => Key6::plausible(bio, header),
2769 n => Err(Error::MalformedPacket(
2770 format!("Unknown version {}", n)).into()),
2771 }
2772 }
2773}
2774
2775// Key4::parse doesn't actually use the Key4 type parameters. So, we
2776// can just set them to anything. This avoids the caller having to
2777// set them to something.
2778impl Key4<key::UnspecifiedParts, key::UnspecifiedRole>
2779{
2780 /// Parses the body of a public key, public subkey, secret key or
2781 /// secret subkey packet.
2782 fn parse(mut php: PacketHeaderParser) -> Result<PacketParser> {
2783 tracer!(TRACE, "Key4::parse", php.recursion_depth());
2784 make_php_try!(php);
2785 let tag = php.header.ctb().tag();
2786 assert!(tag == Tag::Reserved
2787 || tag == Tag::PublicKey
2788 || tag == Tag::PublicSubkey
2789 || tag == Tag::SecretKey
2790 || tag == Tag::SecretSubkey);
2791
2792 let creation_time = php_try!(php.parse_be_u32("creation_time"));
2793 let pk_algo: PublicKeyAlgorithm = php_try!(php.parse_u8("pk_algo")).into();
2794 let mpis = php_try!(PublicKey::_parse(pk_algo, &mut php));
2795 let secret = if let Ok(s2k_usage) = php.parse_u8("s2k_usage") {
2796 use crypto::mpi;
2797 let sec = match s2k_usage {
2798 // Unencrypted
2799 0 => {
2800 let sec = php_try!(
2801 mpi::SecretKeyMaterial::_parse(
2802 pk_algo, &mut php,
2803 Some(mpi::SecretKeyChecksum::Sum16)));
2804 sec.into()
2805 }
2806
2807 // AEAD encrypted secrets.
2808 253 => {
2809 let sym_algo: SymmetricAlgorithm =
2810 php_try!(php.parse_u8("sym_algo")).into();
2811
2812 let aead_algo: AEADAlgorithm =
2813 php_try!(php.parse_u8("aead_algo")).into();
2814
2815 let s2k = php_try!(S2K::parse_v4(&mut php));
2816
2817 let aead_iv = php_try!(php.parse_bytes(
2818 "aead_iv",
2819 // If we don't know the AEAD mode, we won't
2820 // know the nonce size, and all the IV will
2821 // end up in the ciphertext. This is an
2822 // inherent limitation of the v4 packet
2823 // format.
2824 aead_algo.nonce_size().unwrap_or(0)))
2825 .into();
2826
2827 let cipher =
2828 php_try!(php.parse_bytes_eof("encrypted_mpis"))
2829 .into_boxed_slice();
2830
2831 crate::packet::key::Encrypted::new_aead(
2832 s2k, sym_algo, aead_algo, aead_iv, cipher).into()
2833 },
2834
2835 // Encrypted, whether we support the S2K method or not.
2836 _ => {
2837 let sk: SymmetricAlgorithm = match s2k_usage {
2838 254 | 255 =>
2839 php_try!(php.parse_u8("sym_algo")).into(),
2840 _ => s2k_usage.into(),
2841 };
2842 let s2k = match s2k_usage {
2843 254 | 255 => php_try!(S2K::parse_v4(&mut php)),
2844 _ => {
2845 #[allow(deprecated)] S2K::Implicit
2846 },
2847 };
2848 let s2k_supported = s2k.is_supported();
2849 let cipher =
2850 php_try!(php.parse_bytes_eof("encrypted_mpis"))
2851 .into_boxed_slice();
2852
2853 crate::packet::key::Encrypted::new_raw(
2854 s2k, sk,
2855 match s2k_usage {
2856 254 => Some(mpi::SecretKeyChecksum::SHA1),
2857 255 => Some(mpi::SecretKeyChecksum::Sum16),
2858 _ => Some(mpi::SecretKeyChecksum::Sum16),
2859 },
2860 if s2k_supported {
2861 Ok((0, cipher))
2862 } else {
2863 Err(cipher)
2864 },
2865 ).into()
2866 }
2867 };
2868
2869 Some(sec)
2870 } else {
2871 None
2872 };
2873
2874 let have_secret = secret.is_some();
2875 if have_secret {
2876 if tag == Tag::PublicKey || tag == Tag::PublicSubkey {
2877 return php.error(Error::MalformedPacket(
2878 format!("Unexpected secret key found in {:?} packet", tag)
2879 ).into());
2880 }
2881 } else if tag == Tag::SecretKey || tag == Tag::SecretSubkey {
2882 return php.error(Error::MalformedPacket(
2883 format!("Expected secret key in {:?} packet", tag)
2884 ).into());
2885 }
2886
2887 fn k<R>(creation_time: u32,
2888 pk_algo: PublicKeyAlgorithm,
2889 mpis: PublicKey)
2890 -> Result<Key4<key::PublicParts, R>>
2891 where R: key::KeyRole
2892 {
2893 Key4::make(creation_time.into(), pk_algo, mpis, None)
2894 }
2895 fn s<R>(creation_time: u32,
2896 pk_algo: PublicKeyAlgorithm,
2897 mpis: PublicKey,
2898 secret: SecretKeyMaterial)
2899 -> Result<Key4<key::SecretParts, R>>
2900 where R: key::KeyRole
2901 {
2902 Key4::make(creation_time.into(), pk_algo, mpis, Some(secret))
2903 }
2904
2905 let tag = php.header.ctb().tag();
2906
2907 let p : Packet = match tag {
2908 // For the benefit of Key::from_bytes.
2909 Tag::Reserved => if have_secret {
2910 Packet::SecretKey(
2911 php_try!(s(creation_time, pk_algo, mpis, secret.unwrap()))
2912 .into())
2913 } else {
2914 Packet::PublicKey(
2915 php_try!(k(creation_time, pk_algo, mpis)).into())
2916 },
2917 Tag::PublicKey => Packet::PublicKey(
2918 php_try!(k(creation_time, pk_algo, mpis)).into()),
2919 Tag::PublicSubkey => Packet::PublicSubkey(
2920 php_try!(k(creation_time, pk_algo, mpis)).into()),
2921 Tag::SecretKey => Packet::SecretKey(
2922 php_try!(s(creation_time, pk_algo, mpis, secret.unwrap()))
2923 .into()),
2924 Tag::SecretSubkey => Packet::SecretSubkey(
2925 php_try!(s(creation_time, pk_algo, mpis, secret.unwrap()))
2926 .into()),
2927 _ => unreachable!(),
2928 };
2929
2930 php.ok(p)
2931 }
2932
2933 /// Returns whether the data appears to be a version 4 key (no
2934 /// promises).
2935 fn plausible<C>(bio: &mut dyn BufferedReader<C>, _: &Header)
2936 -> Result<()>
2937 where
2938 C: fmt::Debug + Send + Sync,
2939 {
2940 // Make sure we have a minimum header.
2941 let data = bio.data(6)?;
2942 if data.len() < 6 {
2943 return Err(
2944 Error::MalformedPacket("Short read".into()).into());
2945 }
2946
2947 // Assume unknown == bad.
2948 let version = data[0];
2949 let pk_algo : PublicKeyAlgorithm = data[5].into();
2950
2951 if version == 4 && !matches!(pk_algo, PublicKeyAlgorithm::Unknown(_)) {
2952 Ok(())
2953 } else {
2954 Err(Error::MalformedPacket("Invalid or unsupported data".into())
2955 .into())
2956 }
2957 }
2958}
2959
2960// Key6::parse doesn't actually use the Key6 type parameters. So, we
2961// can just set them to anything. This avoids the caller having to
2962// set them to something.
2963impl Key6<key::UnspecifiedParts, key::UnspecifiedRole>
2964{
2965 /// Parses the body of a public key, public subkey, secret key or
2966 /// secret subkey packet.
2967 fn parse(mut php: PacketHeaderParser) -> Result<PacketParser> {
2968 tracer!(TRACE, "Key6::parse", php.recursion_depth());
2969 make_php_try!(php);
2970 let tag = php.header.ctb().tag();
2971 assert!(tag == Tag::Reserved
2972 || tag == Tag::PublicKey
2973 || tag == Tag::PublicSubkey
2974 || tag == Tag::SecretKey
2975 || tag == Tag::SecretSubkey);
2976
2977 let creation_time = php_try!(php.parse_be_u32("creation_time"));
2978 let pk_algo: PublicKeyAlgorithm = php_try!(php.parse_u8("pk_algo")).into();
2979
2980 let public_len = php_try!(php.parse_be_u32("public_len"));
2981 let public_mpis =
2982 php.variable_sized_field_start("public_mpis", public_len);
2983 let mpis = php_try!(PublicKey::_parse(pk_algo, &mut php));
2984 php_try!(php.variable_sized_field_end(public_mpis));
2985
2986 let secret = if let Ok(s2k_usage) = php.parse_u8("s2k_usage") {
2987 use crypto::mpi;
2988 let sec = match s2k_usage {
2989 // Unencrypted secrets.
2990 0 => {
2991 let sec = php_try!(
2992 mpi::SecretKeyMaterial::_parse(
2993 pk_algo, &mut php, None));
2994 sec.into()
2995 },
2996
2997 // Encrypted & MD5 for key derivation: unsupported.
2998 //
2999 // XXX: Technically, we could/should parse them, then
3000 // fail later. But, this limitation has been with us
3001 // since the beginning, and no-one complained.
3002 1..=252 => {
3003 return php.fail("unsupported secret key encryption");
3004 },
3005
3006 // AEAD encrypted secrets.
3007 253 => {
3008 let parameters_len =
3009 php_try!(php.parse_u8("parameters_len"));
3010 let parameters =
3011 php.variable_sized_field_start("parameters",
3012 parameters_len);
3013 let sym_algo: SymmetricAlgorithm =
3014 php_try!(php.parse_u8("sym_algo")).into();
3015
3016 let aead_algo: AEADAlgorithm =
3017 php_try!(php.parse_u8("aead_algo")).into();
3018
3019 let s2k_len = php_try!(php.parse_u8("s2k_len"));
3020 let s2k_params =
3021 php.variable_sized_field_start("s2k_params", s2k_len);
3022 let s2k = php_try!(S2K::parse_v6(&mut php, s2k_len as _));
3023 php_try!(php.variable_sized_field_end(s2k_params));
3024
3025 let aead_iv = php_try!(php.parse_bytes(
3026 "aead_iv",
3027 php.variable_sized_field_remaining(¶meters)))
3028 .into();
3029 php_try!(php.variable_sized_field_end(parameters));
3030
3031 let cipher =
3032 php_try!(php.parse_bytes_eof("encrypted_mpis"))
3033 .into_boxed_slice();
3034
3035 crate::packet::key::Encrypted::new_aead(
3036 s2k, sym_algo, aead_algo, aead_iv, cipher).into()
3037 },
3038
3039 // Encrypted secrets.
3040 254 | 255 => {
3041 let parameters_len =
3042 php_try!(php.parse_u8("parameters_len"));
3043 let parameters =
3044 php.variable_sized_field_start("parameters",
3045 parameters_len);
3046 let sym_algo: SymmetricAlgorithm =
3047 php_try!(php.parse_u8("sym_algo")).into();
3048
3049 let s2k_len = php_try!(php.parse_u8("s2k_len"));
3050 let s2k_params =
3051 php.variable_sized_field_start("s2k_params", s2k_len);
3052 let s2k = php_try!(S2K::parse_v6(&mut php, s2k_len as _));
3053 php_try!(php.variable_sized_field_end(s2k_params));
3054
3055 // The "IV" is part of the sized parameter field.
3056 let cfb_iv = php_try!(php.parse_bytes(
3057 "cfb_iv",
3058 php.variable_sized_field_remaining(¶meters)));
3059 php_try!(php.variable_sized_field_end(parameters));
3060
3061 let cipher =
3062 php_try!(php.parse_bytes_eof("encrypted_mpis"));
3063
3064 // But we store "IV" and ciphertext as one.
3065 let cfb_iv_len = cfb_iv.len();
3066 let mut combined_ciphertext = cfb_iv;
3067 combined_ciphertext.extend_from_slice(&cipher);
3068
3069 crate::packet::key::Encrypted::new_raw(
3070 s2k, sym_algo,
3071 if s2k_usage == 254 {
3072 Some(mpi::SecretKeyChecksum::SHA1)
3073 } else {
3074 Some(mpi::SecretKeyChecksum::Sum16)
3075 },
3076 Ok((cfb_iv_len, combined_ciphertext.into())))
3077 .into()
3078 },
3079 };
3080
3081 Some(sec)
3082 } else {
3083 None
3084 };
3085
3086 let have_secret = secret.is_some();
3087 if have_secret {
3088 if tag == Tag::PublicKey || tag == Tag::PublicSubkey {
3089 return php.error(Error::MalformedPacket(
3090 format!("Unexpected secret key found in {:?} packet", tag)
3091 ).into());
3092 }
3093 } else if tag == Tag::SecretKey || tag == Tag::SecretSubkey {
3094 return php.error(Error::MalformedPacket(
3095 format!("Expected secret key in {:?} packet", tag)
3096 ).into());
3097 }
3098
3099 fn k<R>(creation_time: u32,
3100 pk_algo: PublicKeyAlgorithm,
3101 mpis: PublicKey)
3102 -> Result<Key6<key::PublicParts, R>>
3103 where R: key::KeyRole
3104 {
3105 Key6::make(creation_time.into(), pk_algo, mpis, None)
3106 }
3107 fn s<R>(creation_time: u32,
3108 pk_algo: PublicKeyAlgorithm,
3109 mpis: PublicKey,
3110 secret: SecretKeyMaterial)
3111 -> Result<Key6<key::SecretParts, R>>
3112 where R: key::KeyRole
3113 {
3114 Key6::make(creation_time.into(), pk_algo, mpis, Some(secret))
3115 }
3116
3117 let tag = php.header.ctb().tag();
3118
3119 let p : Packet = match tag {
3120 // For the benefit of Key::from_bytes.
3121 Tag::Reserved => if have_secret {
3122 Packet::SecretKey(
3123 php_try!(s(creation_time, pk_algo, mpis, secret.unwrap()))
3124 .into())
3125 } else {
3126 Packet::PublicKey(
3127 php_try!(k(creation_time, pk_algo, mpis)).into())
3128 },
3129 Tag::PublicKey => Packet::PublicKey(
3130 php_try!(k(creation_time, pk_algo, mpis)).into()),
3131 Tag::PublicSubkey => Packet::PublicSubkey(
3132 php_try!(k(creation_time, pk_algo, mpis)).into()),
3133 Tag::SecretKey => Packet::SecretKey(
3134 php_try!(s(creation_time, pk_algo, mpis, secret.unwrap()))
3135 .into()),
3136 Tag::SecretSubkey => Packet::SecretSubkey(
3137 php_try!(s(creation_time, pk_algo, mpis, secret.unwrap()))
3138 .into()),
3139 _ => unreachable!(),
3140 };
3141
3142 php.ok(p)
3143 }
3144
3145 /// Returns whether the data appears to be a version 6 key (no
3146 /// promises).
3147 fn plausible<C>(bio: &mut dyn BufferedReader<C>, header: &Header)
3148 -> Result<()>
3149 where
3150 C: fmt::Debug + Send + Sync,
3151 {
3152 // Make sure we have a minimum header.
3153 const MIN: usize = 10;
3154 let data = bio.data(MIN)?;
3155 if data.len() < MIN {
3156 return Err(
3157 Error::MalformedPacket("Short read".into()).into());
3158 }
3159
3160 // Assume unknown == bad.
3161 let version = data[0];
3162 let creation_time =
3163 u32::from_be_bytes(data[1..5].try_into().unwrap());
3164 let pk_algo: PublicKeyAlgorithm = data[5].into();
3165 let public_len =
3166 u32::from_be_bytes(data[6..10].try_into().unwrap());
3167
3168 /// The unix time at which RFC9580 was published, 2024-07-31.
3169 const RFC9580_PUBLICATION_TIME: u32 = 1722376800;
3170
3171 if version == 6
3172 && !matches!(pk_algo, PublicKeyAlgorithm::Unknown(_))
3173 && creation_time >= RFC9580_PUBLICATION_TIME
3174 && match header.length() {
3175 BodyLength::Full(len) => public_len < *len,
3176 _ => false,
3177 }
3178 {
3179 Ok(())
3180 } else {
3181 Err(Error::MalformedPacket("Invalid or unsupported data".into())
3182 .into())
3183 }
3184 }
3185}
3186
3187use key::UnspecifiedKey;
3188impl_parse_with_buffered_reader!(
3189 UnspecifiedKey,
3190 |br| -> Result<Self> {
3191 let parser = PacketHeaderParser::new_naked(br);
3192
3193 let mut pp = Self::parse(parser)?;
3194 pp.buffer_unread_content()?;
3195
3196 match pp.next()? {
3197 (Packet::PublicKey(o), PacketParserResult::EOF(_)) => Ok(o.into()),
3198 (Packet::PublicSubkey(o), PacketParserResult::EOF(_)) => Ok(o.into()),
3199 (Packet::SecretKey(o), PacketParserResult::EOF(_)) => Ok(o.into()),
3200 (Packet::SecretSubkey(o), PacketParserResult::EOF(_)) => Ok(o.into()),
3201 (Packet::Unknown(u), PacketParserResult::EOF(_)) =>
3202 Err(u.into_error()),
3203 (p, PacketParserResult::EOF(_)) =>
3204 Err(Error::InvalidOperation(
3205 format!("Not a Key packet: {:?}", p)).into()),
3206 (_, PacketParserResult::Some(_)) =>
3207 Err(Error::InvalidOperation(
3208 "Excess data after packet".into()).into()),
3209 }
3210 });
3211
3212impl Trust {
3213 /// Parses the body of a trust packet.
3214 fn parse(mut php: PacketHeaderParser) -> Result<PacketParser> {
3215 tracer!(TRACE, "Trust::parse", php.recursion_depth());
3216 make_php_try!(php);
3217 let value = php_try!(php.parse_bytes_eof("value"));
3218 php.ok(Packet::Trust(Trust::from(value)))
3219 }
3220}
3221
3222impl_parse_with_buffered_reader!(Trust);
3223
3224impl UserID {
3225 /// Parses the body of a user id packet.
3226 fn parse(mut php: PacketHeaderParser) -> Result<PacketParser> {
3227 tracer!(TRACE, "UserID::parse", php.recursion_depth());
3228 make_php_try!(php);
3229
3230 let value = php_try!(php.parse_bytes_eof("value"));
3231
3232 php.ok(Packet::UserID(UserID::from(value)))
3233 }
3234}
3235
3236impl_parse_with_buffered_reader!(UserID);
3237
3238impl UserAttribute {
3239 /// Parses the body of a user attribute packet.
3240 fn parse(mut php: PacketHeaderParser) -> Result<PacketParser> {
3241 tracer!(TRACE, "UserAttribute::parse", php.recursion_depth());
3242 make_php_try!(php);
3243
3244 let value = php_try!(php.parse_bytes_eof("value"));
3245
3246 php.ok(Packet::UserAttribute(UserAttribute::from(value)))
3247 }
3248}
3249
3250impl_parse_with_buffered_reader!(UserAttribute);
3251
3252impl Marker {
3253 /// Parses the body of a marker packet.
3254 fn parse(mut php: PacketHeaderParser) -> Result<PacketParser>
3255 {
3256 tracer!(TRACE, "Marker::parse", php.recursion_depth());
3257 make_php_try!(php);
3258 let marker = php_try!(php.parse_bytes("marker", Marker::BODY.len()));
3259 if &marker[..] == Marker::BODY {
3260 php.ok(Marker::default().into())
3261 } else {
3262 php.fail("invalid marker")
3263 }
3264 }
3265
3266 /// Returns whether the data is a marker packet.
3267 fn plausible(bio: &mut dyn BufferedReader<Cookie>, header: &Header)
3268 -> Result<()>
3269 {
3270 if let BodyLength::Full(len) = header.length() {
3271 let len = *len;
3272 if len as usize != Marker::BODY.len() {
3273 return Err(Error::MalformedPacket(
3274 format!("Unexpected packet length {}", len)).into());
3275 }
3276 } else {
3277 return Err(Error::MalformedPacket(
3278 format!("Unexpected body length encoding: {:?}",
3279 header.length())).into());
3280 }
3281
3282 // Check the body.
3283 let data = bio.data(Marker::BODY.len())?;
3284 if data.len() < Marker::BODY.len() {
3285 return Err(Error::MalformedPacket("Short read".into()).into());
3286 }
3287
3288 if data == Marker::BODY {
3289 Ok(())
3290 } else {
3291 Err(Error::MalformedPacket("Invalid or unsupported data".into())
3292 .into())
3293 }
3294 }
3295}
3296
3297impl_parse_with_buffered_reader!(Marker);
3298
3299impl Literal {
3300 /// Parses the body of a literal packet.
3301 ///
3302 /// Condition: Hashing has been disabled by the callee.
3303 fn parse(mut php: PacketHeaderParser) -> Result<PacketParser>
3304 {
3305 tracer!(TRACE, "Literal::parse", php.recursion_depth());
3306 make_php_try!(php);
3307
3308 // Directly hashing a literal data packet is... strange.
3309 // Neither the packet's header, the packet's meta-data nor the
3310 // length encoding information is included in the hash.
3311
3312 let format = php_try!(php.parse_u8("format"));
3313 let filename_len = php_try!(php.parse_u8("filename_len"));
3314
3315 let filename = if filename_len > 0 {
3316 Some(php_try!(php.parse_bytes("filename", filename_len as usize)))
3317 } else {
3318 None
3319 };
3320
3321 let date = php_try!(php.parse_be_u32("date"));
3322
3323 // The header is consumed while hashing is disabled.
3324 let recursion_depth = php.recursion_depth();
3325
3326 let mut literal = Literal::new(format.into());
3327 if let Some(filename) = filename {
3328 literal.set_filename(&filename)
3329 .expect("length checked above");
3330 }
3331 literal.set_date(
3332 Some(std::time::SystemTime::from(Timestamp::from(date))))?;
3333 let mut pp = php.ok(Packet::Literal(literal))?;
3334
3335 // Enable hashing of the body.
3336 Cookie::hashing(pp.mut_reader(), Hashing::Enabled,
3337 recursion_depth - 1);
3338
3339 Ok(pp)
3340 }
3341}
3342
3343impl_parse_with_buffered_reader!(Literal);
3344
3345#[test]
3346fn literal_parser_test () {
3347 use crate::types::DataFormat;
3348 {
3349 let data = crate::tests::message("literal-mode-b.pgp");
3350 let mut pp = PacketParser::from_bytes(data).unwrap().unwrap();
3351 assert_eq!(pp.header.length(), &BodyLength::Full(18));
3352 let content = pp.steal_eof().unwrap();
3353 let p = pp.finish().unwrap();
3354 // eprintln!("{:?}", p);
3355 if let &Packet::Literal(ref p) = p {
3356 assert_eq!(p.format(), DataFormat::Binary);
3357 assert_eq!(p.filename().unwrap()[..], b"foobar"[..]);
3358 assert_eq!(p.date().unwrap(), Timestamp::from(1507458744).into());
3359 assert_eq!(content, b"FOOBAR");
3360 } else {
3361 panic!("Wrong packet!");
3362 }
3363 }
3364
3365 {
3366 let data = crate::tests::message("literal-mode-t-partial-body.pgp");
3367 let mut pp = PacketParser::from_bytes(data).unwrap().unwrap();
3368 assert_eq!(pp.header.length(), &BodyLength::Partial(4096));
3369 let content = pp.steal_eof().unwrap();
3370 let p = pp.finish().unwrap();
3371 if let &Packet::Literal(ref p) = p {
3372 #[allow(deprecated)] {
3373 assert_eq!(p.format(), DataFormat::Text);
3374 }
3375 assert_eq!(p.filename().unwrap()[..],
3376 b"manifesto.txt"[..]);
3377 assert_eq!(p.date().unwrap(), Timestamp::from(1508000649).into());
3378
3379 let expected = crate::tests::manifesto();
3380
3381 assert_eq!(&content[..], expected);
3382 } else {
3383 panic!("Wrong packet!");
3384 }
3385 }
3386}
3387
3388impl CompressedData {
3389 /// Parses the body of a compressed data packet.
3390 fn parse(mut php: PacketHeaderParser) -> Result<PacketParser> {
3391 let recursion_depth = php.recursion_depth();
3392 tracer!(TRACE, "CompressedData::parse", recursion_depth);
3393
3394 make_php_try!(php);
3395 let algo: CompressionAlgorithm =
3396 php_try!(php.parse_u8("algo")).into();
3397
3398 let recursion_depth = php.recursion_depth();
3399 let mut pp = php.ok(Packet::CompressedData(CompressedData::new(algo)))?;
3400
3401 #[allow(unreachable_patterns)]
3402 match algo {
3403 CompressionAlgorithm::Uncompressed => (),
3404 #[cfg(feature = "compression-deflate")]
3405 CompressionAlgorithm::Zip
3406 | CompressionAlgorithm::Zlib => (),
3407 #[cfg(feature = "compression-bzip2")]
3408 CompressionAlgorithm::BZip2 => (),
3409 _ => {
3410 // We don't know or support this algorithm. Return a
3411 // CompressedData packet without pushing a filter, so
3412 // that it has an opaque body.
3413 t!("Algorithm {} unknown or unsupported.", algo);
3414 return Ok(pp.set_processed(false));
3415 },
3416 }
3417
3418 t!("Pushing a decompressor for {}, recursion depth = {:?}.",
3419 algo, recursion_depth);
3420
3421 let reader = pp.take_reader();
3422 let reader = match algo {
3423 CompressionAlgorithm::Uncompressed => {
3424 if TRACE {
3425 eprintln!("CompressedData::parse(): Actually, no need \
3426 for a compression filter: this is an \
3427 \"uncompressed compression packet\".");
3428 }
3429 let _ = recursion_depth;
3430 reader
3431 },
3432 #[cfg(feature = "compression-deflate")]
3433 CompressionAlgorithm::Zip =>
3434 Box::new(buffered_reader::Deflate::with_cookie(
3435 reader, Cookie::new(recursion_depth))),
3436 #[cfg(feature = "compression-deflate")]
3437 CompressionAlgorithm::Zlib =>
3438 Box::new(buffered_reader::Zlib::with_cookie(
3439 reader, Cookie::new(recursion_depth))),
3440 #[cfg(feature = "compression-bzip2")]
3441 CompressionAlgorithm::BZip2 =>
3442 Box::new(buffered_reader::Bzip::with_cookie(
3443 reader, Cookie::new(recursion_depth))),
3444 _ => unreachable!(), // Validated above.
3445 };
3446 pp.set_reader(reader);
3447
3448 Ok(pp)
3449 }
3450}
3451
3452impl_parse_with_buffered_reader!(CompressedData);
3453
3454#[cfg(any(feature = "compression-deflate", feature = "compression-bzip2"))]
3455#[test]
3456fn compressed_data_parser_test () {
3457 use crate::types::DataFormat;
3458
3459 let expected = crate::tests::manifesto();
3460
3461 for i in 1..4 {
3462 match CompressionAlgorithm::from(i) {
3463 #[cfg(feature = "compression-deflate")]
3464 CompressionAlgorithm::Zip | CompressionAlgorithm::Zlib => (),
3465 #[cfg(feature = "compression-bzip2")]
3466 CompressionAlgorithm::BZip2 => (),
3467 _ => continue,
3468 }
3469 let pp = PacketParser::from_bytes(crate::tests::message(
3470 &format!("compressed-data-algo-{}.pgp", i))).unwrap().unwrap();
3471
3472 // We expect a compressed packet containing a literal data
3473 // packet, and that is it.
3474 if let Packet::CompressedData(ref compressed) = pp.packet {
3475 assert_eq!(compressed.algo(), i.into());
3476 } else {
3477 panic!("Wrong packet!");
3478 }
3479
3480 let ppr = pp.recurse().unwrap().1;
3481
3482 // ppr should be the literal data packet.
3483 let mut pp = ppr.unwrap();
3484
3485 // It is a child.
3486 assert_eq!(pp.recursion_depth(), 1);
3487
3488 let content = pp.steal_eof().unwrap();
3489
3490 let (literal, ppr) = pp.recurse().unwrap();
3491
3492 if let Packet::Literal(literal) = literal {
3493 assert_eq!(literal.filename(), None);
3494 assert_eq!(literal.format(), DataFormat::Binary);
3495 assert_eq!(literal.date().unwrap(),
3496 Timestamp::from(1509219866).into());
3497 assert_eq!(content, expected.to_vec());
3498 } else {
3499 panic!("Wrong packet!");
3500 }
3501
3502 // And, we're done...
3503 assert!(ppr.is_eof());
3504 }
3505}
3506
3507impl SKESK {
3508 /// Parses the body of an SK-ESK packet.
3509 fn parse(mut php: PacketHeaderParser)
3510 -> Result<PacketParser>
3511 {
3512 tracer!(TRACE, "SKESK::parse", php.recursion_depth());
3513 make_php_try!(php);
3514 let version = php_try!(php.parse_u8("version"));
3515 match version {
3516 4 => SKESK4::parse(php),
3517 6 => SKESK6::parse(php),
3518 _ => php.fail("unknown version"),
3519 }
3520 }
3521}
3522
3523impl SKESK4 {
3524 /// Parses the body of an SK-ESK packet.
3525 fn parse(mut php: PacketHeaderParser)
3526 -> Result<PacketParser>
3527 {
3528 tracer!(TRACE, "SKESK4::parse", php.recursion_depth());
3529 make_php_try!(php);
3530 let sym_algo = php_try!(php.parse_u8("sym_algo"));
3531 let s2k = php_try!(S2K::parse_v4(&mut php));
3532 let s2k_supported = s2k.is_supported();
3533 let esk = php_try!(php.parse_bytes_eof("esk"));
3534
3535 let skesk = php_try!(SKESK4::new_raw(
3536 sym_algo.into(),
3537 s2k,
3538 if s2k_supported || esk.is_empty() {
3539 Ok(if ! esk.is_empty() {
3540 Some(esk.into())
3541 } else {
3542 None
3543 })
3544 } else {
3545 Err(esk.into())
3546 },
3547 ));
3548
3549 php.ok(skesk.into())
3550 }
3551}
3552
3553impl SKESK6 {
3554 /// Parses the body of an SK-ESK packet.
3555 fn parse(mut php: PacketHeaderParser)
3556 -> Result<PacketParser>
3557 {
3558 tracer!(TRACE, "SKESK6::parse", php.recursion_depth());
3559 make_php_try!(php);
3560
3561 // Octet count of the following 5 fields.
3562 let parameter_len = php_try!(php.parse_u8_len("parameter_len"));
3563 if parameter_len < 1 + 1 + 1 + 1 /* S2K */ + 12 /* IV */ {
3564 return php.fail("expected at least 16 parameter octets");
3565 }
3566
3567 let sym_algo: SymmetricAlgorithm =
3568 php_try!(php.parse_u8("sym_algo")).into();
3569 let aead_algo: AEADAlgorithm =
3570 php_try!(php.parse_u8("aead_algo")).into();
3571
3572 // The S2K object's length and the S2K.
3573 let s2k_len = php_try!(php.parse_u8_len("s2k_len"));
3574 if parameter_len < 1 + 1 + 1 + s2k_len + 12 /* IV */ {
3575 return php.fail("S2K overflows parameter count");
3576 }
3577
3578 let s2k = php_try!(S2K::parse_v6(&mut php, s2k_len as u8));
3579
3580 // And the IV.
3581 let iv =
3582 if let Some(iv_len) = parameter_len.checked_sub(1 + 1 + 1 + s2k_len) {
3583 php_try!(php.parse_bytes("iv", iv_len as usize)).into()
3584 } else {
3585 return php.fail("IV overflows parameter count");
3586 };
3587
3588 // Finally, the ESK including the AEAD tag.
3589 let esk = php_try!(php.parse_bytes_eof("esk")).into();
3590
3591 let skesk = php_try!(SKESK6::new(
3592 sym_algo,
3593 aead_algo,
3594 s2k,
3595 iv,
3596 esk,
3597 ));
3598
3599 php.ok(skesk.into())
3600 }
3601}
3602
3603impl_parse_with_buffered_reader!(SKESK);
3604
3605#[test]
3606fn skesk_parser_test() {
3607 use crate::crypto::Password;
3608 struct Test<'a> {
3609 filename: &'a str,
3610 s2k: S2K,
3611 cipher_algo: SymmetricAlgorithm,
3612 password: Password,
3613 key_hex: &'a str,
3614 }
3615
3616 let tests = [
3617 Test {
3618 filename: "s2k/mode-3-encrypted-key-password-bgtyhn.pgp",
3619 cipher_algo: SymmetricAlgorithm::AES128,
3620 s2k: S2K::Iterated {
3621 hash: HashAlgorithm::SHA1,
3622 salt: [0x82, 0x59, 0xa0, 0x6e, 0x98, 0xda, 0x94, 0x1c],
3623 hash_bytes: S2K::decode_count(238),
3624 },
3625 password: "bgtyhn".into(),
3626 key_hex: "474E5C373BA18AF0A499FCAFE6093F131DF636F6A3812B9A8AE707F1F0214AE9",
3627 },
3628 ];
3629
3630 for test in tests.iter() {
3631 let pp = PacketParser::from_bytes(
3632 crate::tests::message(test.filename)).unwrap().unwrap();
3633 if let Packet::SKESK(SKESK::V4(ref skesk)) = pp.packet {
3634 eprintln!("{:?}", skesk);
3635
3636 assert_eq!(skesk.symmetric_algo(), test.cipher_algo);
3637 assert_eq!(skesk.s2k(), &test.s2k);
3638
3639 match skesk.decrypt(&test.password) {
3640 Ok((_sym_algo, key)) => {
3641 let key = crate::fmt::to_hex(&key[..], false);
3642 assert_eq!(&key[..], test.key_hex);
3643 }
3644 Err(e) => {
3645 panic!("No session key, got: {:?}", e);
3646 }
3647 }
3648 } else {
3649 panic!("Wrong packet!");
3650 }
3651 }
3652}
3653
3654impl SEIP {
3655 /// Parses the body of a SEIP packet.
3656 fn parse(mut php: PacketHeaderParser) -> Result<PacketParser> {
3657 tracer!(TRACE, "SEIP::parse", php.recursion_depth());
3658 make_php_try!(php);
3659 let version = php_try!(php.parse_u8("version"));
3660 match version {
3661 1 => SEIP1::parse(php),
3662 2 => SEIP2::parse(php),
3663 _ => php.fail("unknown version"),
3664 }
3665 }
3666}
3667
3668impl_parse_with_buffered_reader!(SEIP);
3669
3670impl SEIP1 {
3671 /// Parses the body of a SEIP1 packet.
3672 fn parse(php: PacketHeaderParser) -> Result<PacketParser> {
3673 php.ok(SEIP1::new().into())
3674 .map(|pp| pp.set_processed(false))
3675 }
3676}
3677
3678impl SEIP2 {
3679 /// Parses the body of a SEIP2 packet.
3680 fn parse(mut php: PacketHeaderParser) -> Result<PacketParser> {
3681 tracer!(TRACE, "SEIP2::parse", php.recursion_depth());
3682 make_php_try!(php);
3683 let cipher: SymmetricAlgorithm =
3684 php_try!(php.parse_u8("sym_algo")).into();
3685 let aead: AEADAlgorithm =
3686 php_try!(php.parse_u8("aead_algo")).into();
3687 let chunk_size = php_try!(php.parse_u8("chunk_size"));
3688
3689 // An implementation MUST accept chunk size octets with values
3690 // from 0 to 16. An implementation MUST NOT create data with a
3691 // chunk size octet value larger than 16 (4 MiB chunks).
3692 if chunk_size > 16 {
3693 return php.fail("unsupported chunk size");
3694 }
3695 let chunk_size: u64 = 1 << (chunk_size + 6);
3696 let salt_v = php_try!(php.parse_bytes("salt", 32));
3697 let mut salt = [0u8; 32];
3698 salt.copy_from_slice(&salt_v);
3699
3700 let seip2 = php_try!(Self::new(cipher, aead, chunk_size, salt));
3701 php.ok(seip2.into()).map(|pp| pp.set_processed(false))
3702 }
3703}
3704
3705impl MDC {
3706 /// Parses the body of an MDC packet.
3707 fn parse(mut php: PacketHeaderParser) -> Result<PacketParser> {
3708 tracer!(TRACE, "MDC::parse", php.recursion_depth());
3709 make_php_try!(php);
3710
3711 // Find the HashedReader pushed by the containing SEIP packet.
3712 // In a well-formed message, this will be the outermost
3713 // HashedReader on the BufferedReader stack: we pushed it
3714 // there when we started decrypting the SEIP packet, and an
3715 // MDC packet is the last packet in a SEIP container.
3716 // Nevertheless, we take some basic precautions to check
3717 // whether it is really the matching HashedReader.
3718
3719 let mut computed_digest : [u8; 20] = Default::default();
3720 {
3721 let mut r : Option<&mut dyn BufferedReader<Cookie>>
3722 = Some(&mut php.reader);
3723 while let Some(bio) = r {
3724 {
3725 let state = bio.cookie_mut();
3726 if state.hashes_for == HashesFor::MDC {
3727 if !state.sig_group().hashes.is_empty() {
3728 let h = state.sig_group_mut().hashes
3729 .iter_mut().find_map(
3730 |mode|
3731 if matches!(mode.map(|ctx| ctx.algo()),
3732 HashingMode::Binary(_, HashAlgorithm::SHA1))
3733 {
3734 Some(mode.as_mut())
3735 } else {
3736 None
3737 }).unwrap();
3738 let _ = h.digest(&mut computed_digest);
3739 }
3740
3741 // If the outermost HashedReader is not the
3742 // matching HashedReader, then the message is
3743 // malformed.
3744 break;
3745 }
3746 }
3747
3748 r = bio.get_mut();
3749 }
3750 }
3751
3752 let mut digest: [u8; 20] = Default::default();
3753 digest.copy_from_slice(&php_try!(php.parse_bytes("digest", 20)));
3754
3755 #[allow(deprecated)]
3756 php.ok(Packet::MDC(MDC::new(digest, computed_digest)))
3757 }
3758}
3759
3760impl_parse_with_buffered_reader!(MDC);
3761
3762impl Padding {
3763 /// Parses the body of a padding packet.
3764 fn parse(mut php: PacketHeaderParser) -> Result<PacketParser> {
3765 tracer!(TRACE, "Padding::parse", php.recursion_depth());
3766 make_php_try!(php);
3767 // XXX: I don't think we should capture the body.
3768 let value = php_try!(php.parse_bytes_eof("value"));
3769 php.ok(Packet::Padding(Padding::from(value)))
3770 }
3771}
3772
3773impl_parse_with_buffered_reader!(Padding);
3774
3775impl MPI {
3776 /// Parses an OpenPGP MPI.
3777 ///
3778 /// See [Section 3.2 of RFC 9580] for details.
3779 ///
3780 /// [Section 3.2 of RFC 9580]: https://www.rfc-editor.org/rfc/rfc9580.html#section-3.2
3781 fn parse(name_len: &'static str,
3782 name: &'static str,
3783 php: &mut PacketHeaderParser<'_>) -> Result<Self> {
3784 Ok(MPI::parse_common(name_len, name, false, false, php)?.into())
3785 }
3786
3787 /// Parses an OpenPGP MPI.
3788 ///
3789 /// If `parsing_secrets` is `true`, errors are normalized as not
3790 /// to reveal parts of the plaintext to the caller.
3791 ///
3792 /// If `lenient_parsing` is `true`, this function will accept MPIs
3793 /// that are not well-formed (notably, issues related to leading
3794 /// zeros).
3795 fn parse_common(
3796 name_len: &'static str,
3797 name: &'static str,
3798 parsing_secrets: bool,
3799 lenient_parsing: bool,
3800 php: &mut PacketHeaderParser<'_>)
3801 -> Result<Vec<u8>> {
3802 // When we are parsing secrets, we don't want to leak it
3803 // accidentally by revealing it in error messages, or indeed
3804 // by the kind of error.
3805 //
3806 // All errors returned by this function that are depend on
3807 // secret data must be uniform and return the following error.
3808 // We make an exception for i/o errors, which may reveal
3809 // truncation, because swallowing i/o errors may be very
3810 // confusing when diagnosing errors, and we don't consider the
3811 // length of the value to be confidential as it can also be
3812 // inferred from the size of the ciphertext.
3813 let uniform_error_for_secrets = |e: Error| {
3814 if parsing_secrets {
3815 Err(Error::MalformedMPI("Details omitted, \
3816 parsing secret".into()).into())
3817 } else {
3818 Err(e.into())
3819 }
3820 };
3821
3822 // This function is used to parse MPIs from unknown
3823 // algorithms, which may use an encoding unknown to us.
3824 // Therefore, we need to be extra careful only to consume the
3825 // data once we found a well-formed MPI.
3826 let bits = {
3827 let buf = php.reader.data_hard(2)?;
3828 u16::from_be_bytes([buf[0], buf[1]]) as usize
3829 };
3830 if bits == 0 {
3831 // Now consume the data.
3832 php.parse_be_u16(name_len).expect("worked before");
3833 return Ok(vec![]);
3834 }
3835
3836 let bytes = (bits + 7) / 8;
3837 let value = {
3838 let buf = php.reader.data_hard(2 + bytes)?;
3839 Vec::from(&buf[2..2 + bytes])
3840 };
3841
3842 let unused_bits = bytes * 8 - bits;
3843 assert_eq!(bytes * 8 - unused_bits, bits);
3844
3845 // Make sure the unused bits are zeroed.
3846 if unused_bits > 0 {
3847 let mask = !((1 << (8 - unused_bits)) - 1);
3848 let unused_value = value[0] & mask;
3849
3850 if unused_value != 0 && ! lenient_parsing {
3851 return uniform_error_for_secrets(
3852 Error::MalformedMPI(
3853 format!("{} unused bits not zeroed: ({:x})",
3854 unused_bits, unused_value)
3855 ));
3856 }
3857 }
3858
3859 let first_used_bit = 8 - unused_bits;
3860 if value[0] & (1 << (first_used_bit - 1)) == 0 && ! lenient_parsing {
3861 return uniform_error_for_secrets(
3862 Error::MalformedMPI(
3863 format!("leading bit is not set: \
3864 expected bit {} to be set in {:8b} ({:x})",
3865 first_used_bit, value[0], value[0])
3866 ));
3867 }
3868
3869 // Now consume the data. Note: we avoid using parse_bytes
3870 // here because MPIs may contain secrets, and we don't want to
3871 // casually leak them into the heap. Also, we avoid doing a
3872 // heap allocation.
3873 php.reader.consume(2 + bytes);
3874 // Now fix the map.
3875 php.field(name_len, 2);
3876 php.field(name, bytes);
3877
3878 Ok(value)
3879 }
3880}
3881
3882impl_parse_with_buffered_reader!(
3883 MPI,
3884 |bio: Box<dyn BufferedReader<Cookie>>| -> Result<Self> {
3885 let mut parser = PacketHeaderParser::new_naked(bio.into_boxed());
3886 Self::parse("(none_len)", "(none)", &mut parser)
3887 });
3888
3889impl ProtectedMPI {
3890 /// Parses an OpenPGP MPI containing secrets.
3891 ///
3892 /// See [Section 3.2 of RFC 9580] for details.
3893 ///
3894 /// [Section 3.2 of RFC 9580]: https://www.rfc-editor.org/rfc/rfc9580.html#section-3.2
3895 fn parse(name_len: &'static str,
3896 name: &'static str,
3897 php: &mut PacketHeaderParser<'_>) -> Result<Self> {
3898 // XXX: While lenient parsing seemed like the right thing to
3899 // do, this breaks equality and round-tripping: we normalize
3900 // the non-canonical encoding, so two distinct wire
3901 // representations are folded into one in-core representation.
3902 Ok(MPI::parse_common(name_len, name, true, false, php)?.into())
3903 }
3904}
3905impl PKESK {
3906 /// Parses the body of an PK-ESK packet.
3907 fn parse(mut php: PacketHeaderParser) -> Result<PacketParser> {
3908 tracer!(TRACE, "PKESK::parse", php.recursion_depth());
3909 make_php_try!(php);
3910 let version = php_try!(php.parse_u8("version"));
3911 match version {
3912 3 => PKESK3::parse(php),
3913 6 => PKESK6::parse(php),
3914 _ => php.fail("unknown version"),
3915 }
3916 }
3917}
3918
3919impl_parse_with_buffered_reader!(PKESK);
3920
3921impl PKESK3 {
3922 /// Parses the body of an PK-ESK packet.
3923 fn parse(mut php: PacketHeaderParser) -> Result<PacketParser> {
3924 tracer!(TRACE, "PKESK3::parse", php.recursion_depth());
3925 make_php_try!(php);
3926
3927 let keyid = {
3928 let mut keyid = [0u8; 8];
3929 keyid.copy_from_slice(&php_try!(php.parse_bytes("keyid", 8)));
3930
3931 let keyid = KeyID::from_bytes(&keyid);
3932 if keyid.is_wildcard() {
3933 None
3934 } else {
3935 Some(keyid)
3936 }
3937 };
3938
3939 let pk_algo: PublicKeyAlgorithm = php_try!(php.parse_u8("pk_algo")).into();
3940 if ! pk_algo.for_encryption() {
3941 return php.fail("not an encryption algorithm");
3942 }
3943 let mpis = crypto::mpi::Ciphertext::_parse(pk_algo, &mut php)?;
3944
3945 let pkesk = php_try!(PKESK3::new(keyid, pk_algo, mpis));
3946 php.ok(pkesk.into())
3947 }
3948}
3949
3950impl_parse_with_buffered_reader!(
3951 PKESK3,
3952 |reader| -> Result<Self> {
3953 PKESK::from_buffered_reader(reader).and_then(|p| match p {
3954 PKESK::V3(p) => Ok(p),
3955 p => Err(Error::InvalidOperation(
3956 format!("Not a PKESKv3 packet: {:?}", p)).into()),
3957 })
3958 });
3959
3960impl PKESK6 {
3961 /// Parses the body of an PKESKv6 packet.
3962 fn parse(mut php: PacketHeaderParser) -> Result<PacketParser> {
3963 tracer!(TRACE, "PKESK6::parse", php.recursion_depth());
3964 make_php_try!(php);
3965 let fp_len = php_try!(php.parse_u8("recipient_len"));
3966 let fingerprint = if fp_len == 0 {
3967 None
3968 } else {
3969 // Get the version and sanity check the length.
3970 let fp_version = php_try!(php.parse_u8("recipient_version"));
3971 if let Some(expected_length) = match fp_version {
3972 4 => Some(20),
3973 6 => Some(32),
3974 _ => None,
3975 } {
3976 if fp_len - 1 != expected_length {
3977 return php.fail("bad fingerprint length");
3978 }
3979 }
3980 Some(Fingerprint::from_bytes(
3981 fp_version,
3982 &php_try!(php.parse_bytes("recipient", (fp_len - 1).into())))?)
3983 };
3984
3985 let pk_algo: PublicKeyAlgorithm =
3986 php_try!(php.parse_u8("pk_algo")).into();
3987 if ! pk_algo.for_encryption() { // XXX
3988 return php.fail("not an encryption algorithm");
3989 }
3990 let mpis = crypto::mpi::Ciphertext::_parse(pk_algo, &mut php)?;
3991
3992 let pkesk = php_try!(PKESK6::new(fingerprint, pk_algo, mpis));
3993 php.ok(pkesk.into())
3994 }
3995}
3996
3997impl_parse_with_buffered_reader!(
3998 PKESK6,
3999 |reader| -> Result<Self> {
4000 PKESK::from_buffered_reader(reader).and_then(|p| match p {
4001 PKESK::V6(p) => Ok(p),
4002 p => Err(Error::InvalidOperation(
4003 format!("Not a PKESKv6 packet: {:?}", p)).into()),
4004 })
4005 });
4006
4007impl_parse_with_buffered_reader!(
4008 Packet,
4009 |br| -> Result<Self> {
4010 let ppr =
4011 PacketParserBuilder::from_buffered_reader(br)
4012 ?.buffer_unread_content().build()?;
4013
4014 let (p, ppr) = match ppr {
4015 PacketParserResult::Some(pp) => {
4016 pp.next()?
4017 },
4018 PacketParserResult::EOF(_) =>
4019 return Err(Error::InvalidOperation(
4020 "Unexpected EOF".into()).into()),
4021 };
4022
4023 match (p, ppr) {
4024 (p, PacketParserResult::EOF(_)) =>
4025 Ok(p),
4026 (_, PacketParserResult::Some(_)) =>
4027 Err(Error::InvalidOperation(
4028 "Excess data after packet".into()).into()),
4029 }
4030 });
4031
4032// State that lives for the life of the packet parser, not the life of
4033// an individual packet.
4034#[derive(Debug)]
4035struct PacketParserState {
4036 // The `PacketParser`'s settings
4037 settings: PacketParserSettings,
4038
4039 /// Whether the packet sequence is a valid OpenPGP Message.
4040 message_validator: MessageValidator,
4041
4042 /// Whether the packet sequence is a valid OpenPGP keyring.
4043 keyring_validator: KeyringValidator,
4044
4045 /// Whether the packet sequence is a valid OpenPGP Cert.
4046 cert_validator: CertValidator,
4047
4048 // Whether this is the first packet in the packet sequence.
4049 first_packet: bool,
4050
4051 // Whether PacketParser::parse encountered an unrecoverable error.
4052 pending_error: Option<anyhow::Error>,
4053}
4054
4055impl PacketParserState {
4056 fn new(settings: PacketParserSettings) -> Self {
4057 PacketParserState {
4058 settings,
4059 message_validator: Default::default(),
4060 keyring_validator: Default::default(),
4061 cert_validator: Default::default(),
4062 first_packet: true,
4063 pending_error: None,
4064 }
4065 }
4066}
4067
4068/// A low-level OpenPGP message parser.
4069///
4070/// A `PacketParser` provides a low-level, iterator-like interface to
4071/// parse OpenPGP messages.
4072///
4073/// For each iteration, the user is presented with a [`Packet`]
4074/// corresponding to the last packet, a `PacketParser` for the next
4075/// packet, and their positions within the message.
4076///
4077/// Using the `PacketParser`, the user is able to configure how the
4078/// new packet will be parsed. For instance, it is possible to stream
4079/// the packet's contents (a `PacketParser` implements the
4080/// [`std::io::Read`] and the [`BufferedReader`] traits), buffer them
4081/// within the [`Packet`], or drop them. The user can also decide to
4082/// recurse into the packet, if it is a container, instead of getting
4083/// the following packet.
4084///
4085/// See the [`PacketParser::next`] and [`PacketParser::recurse`]
4086/// methods for more details.
4087///
4088/// [`Packet`]: super::Packet
4089/// [`BufferedReader`]: https://docs.rs/buffered-reader/*/buffered_reader/trait.BufferedReader.html
4090/// [`PacketParser::next`]: PacketParser::next()
4091/// [`PacketParser::recurse`]: PacketParser::recurse()
4092///
4093/// # Examples
4094///
4095/// These examples demonstrate how to process packet bodies by parsing
4096/// the simplest possible OpenPGP message containing just a single
4097/// literal data packet with the body "Hello world.". There are three
4098/// options. First, the body can be dropped. Second, it can be
4099/// buffered. Lastly, the body can be streamed. In general,
4100/// streaming should be preferred, because it avoids buffering in
4101/// Sequoia.
4102///
4103/// This example demonstrates simply ignoring the packet body:
4104///
4105/// ```rust
4106/// # fn main() -> sequoia_openpgp::Result<()> {
4107/// use sequoia_openpgp as openpgp;
4108/// use openpgp::Packet;
4109/// use openpgp::parse::{Parse, PacketParserResult, PacketParser};
4110///
4111/// // By default, the `PacketParser` will drop packet bodies.
4112/// let mut ppr =
4113/// PacketParser::from_bytes(b"\xcb\x12b\x00\x00\x00\x00\x00Hello world.")?;
4114/// while let PacketParserResult::Some(pp) = ppr {
4115/// // Get the packet out of the parser and start parsing the next
4116/// // packet, recursing.
4117/// let (packet, next_ppr) = pp.recurse()?;
4118/// ppr = next_ppr;
4119///
4120/// // Process the packet.
4121/// if let Packet::Literal(literal) = packet {
4122/// // The body was dropped.
4123/// assert_eq!(literal.body(), b"");
4124/// } else {
4125/// unreachable!("We know it is a literal packet.");
4126/// }
4127/// }
4128/// # Ok(()) }
4129/// ```
4130///
4131/// This example demonstrates how the body can be buffered by
4132/// configuring the `PacketParser` to buffer all packet bodies:
4133///
4134/// ```rust
4135/// # fn main() -> sequoia_openpgp::Result<()> {
4136/// use sequoia_openpgp as openpgp;
4137/// use openpgp::Packet;
4138/// use openpgp::parse::{Parse, PacketParserResult, PacketParserBuilder};
4139///
4140/// // By default, the `PacketParser` will drop packet bodies. Use a
4141/// // `PacketParserBuilder` to change that.
4142/// let mut ppr =
4143/// PacketParserBuilder::from_bytes(
4144/// b"\xcb\x12b\x00\x00\x00\x00\x00Hello world.")?
4145/// .buffer_unread_content()
4146/// .build()?;
4147/// while let PacketParserResult::Some(pp) = ppr {
4148/// // Get the packet out of the parser and start parsing the next
4149/// // packet, recursing.
4150/// let (packet, next_ppr) = pp.recurse()?;
4151/// ppr = next_ppr;
4152///
4153/// // Process the packet.
4154/// if let Packet::Literal(literal) = packet {
4155/// // The body was buffered.
4156/// assert_eq!(literal.body(), b"Hello world.");
4157/// } else {
4158/// unreachable!("We know it is a literal packet.");
4159/// }
4160/// }
4161/// # Ok(()) }
4162/// ```
4163///
4164/// This example demonstrates how the body can be buffered by
4165/// buffering an individual packet:
4166///
4167/// ```rust
4168/// # fn main() -> sequoia_openpgp::Result<()> {
4169/// use sequoia_openpgp as openpgp;
4170/// use openpgp::Packet;
4171/// use openpgp::parse::{Parse, PacketParserResult, PacketParser};
4172///
4173/// // By default, the `PacketParser` will drop packet bodies.
4174/// let mut ppr =
4175/// PacketParser::from_bytes(b"\xcb\x12b\x00\x00\x00\x00\x00Hello world.")?;
4176/// while let PacketParserResult::Some(mut pp) = ppr {
4177/// if let Packet::Literal(_) = pp.packet {
4178/// // Buffer this packet's body.
4179/// pp.buffer_unread_content()?;
4180/// }
4181///
4182/// // Get the packet out of the parser and start parsing the next
4183/// // packet, recursing.
4184/// let (packet, next_ppr) = pp.recurse()?;
4185/// ppr = next_ppr;
4186///
4187/// // Process the packet.
4188/// if let Packet::Literal(literal) = packet {
4189/// // The body was buffered.
4190/// assert_eq!(literal.body(), b"Hello world.");
4191/// } else {
4192/// unreachable!("We know it is a literal packet.");
4193/// }
4194/// }
4195/// # Ok(()) }
4196/// ```
4197///
4198/// This example demonstrates how to stream the packet body:
4199///
4200/// ```rust
4201/// # fn main() -> sequoia_openpgp::Result<()> {
4202/// use std::io::Read;
4203///
4204/// use sequoia_openpgp as openpgp;
4205/// use openpgp::Packet;
4206/// use openpgp::parse::{Parse, PacketParserResult, PacketParser};
4207///
4208/// let mut ppr =
4209/// PacketParser::from_bytes(b"\xcb\x12b\x00\x00\x00\x00\x00Hello world.")?;
4210/// while let PacketParserResult::Some(mut pp) = ppr {
4211/// if let Packet::Literal(_) = pp.packet {
4212/// // Stream the body.
4213/// let mut buf = Vec::new();
4214/// pp.read_to_end(&mut buf)?;
4215/// assert_eq!(buf, b"Hello world.");
4216/// } else {
4217/// unreachable!("We know it is a literal packet.");
4218/// }
4219///
4220/// // Get the packet out of the parser and start parsing the next
4221/// // packet, recursing.
4222/// let (packet, next_ppr) = pp.recurse()?;
4223/// ppr = next_ppr;
4224///
4225/// // Process the packet.
4226/// if let Packet::Literal(literal) = packet {
4227/// // The body was streamed, not buffered.
4228/// assert_eq!(literal.body(), b"");
4229/// } else {
4230/// unreachable!("We know it is a literal packet.");
4231/// }
4232/// }
4233/// # Ok(()) }
4234/// ```
4235///
4236/// # Packet Parser Design
4237///
4238/// There are two major concerns that inform the design of the parsing
4239/// API.
4240///
4241/// First, when processing a container, it is possible to either
4242/// recurse into the container, and process its children, or treat the
4243/// contents of the container as an opaque byte stream, and process
4244/// the packet following the container. The low-level
4245/// [`PacketParser`] and mid-level [`PacketPileParser`] abstractions
4246/// allow the caller to choose the behavior by either calling the
4247/// [`PacketParser::recurse`] method or the [`PacketParser::next`]
4248/// method, as appropriate. OpenPGP doesn't impose any restrictions
4249/// on the amount of nesting. So, to prevent a denial-of-service
4250/// attack, the parsers don't recurse more than
4251/// [`DEFAULT_MAX_RECURSION_DEPTH`] times, by default.
4252///
4253///
4254/// Second, packets can contain an effectively unbounded amount of
4255/// data. To avoid errors due to memory exhaustion, the
4256/// `PacketParser` and [`PacketPileParser`] abstractions support
4257/// parsing packets in a streaming manner, i.e., never buffering more
4258/// than O(1) bytes of data. To do this, the parsers initially only
4259/// parse a packet's header (which is rarely more than a few kilobytes
4260/// of data), and return control to the caller. After inspecting that
4261/// data, the caller can decide how to handle the packet's contents.
4262/// If the content is deemed interesting, it can be streamed or
4263/// buffered. Otherwise, it can be dropped. Streaming is possible
4264/// not only for literal data packets, but also containers (other
4265/// packets also support the interface, but just return EOF). For
4266/// instance, encryption can be stripped by saving the decrypted
4267/// content of an encryption packet, which is just an OpenPGP message.
4268///
4269/// ## Iterator Design
4270///
4271/// We explicitly chose to not use a callback-based API, but something
4272/// that is closer to Rust's iterator API. Unfortunately, because a
4273/// `PacketParser` needs mutable access to the input stream (so that
4274/// the content can be streamed), only a single `PacketParser` item
4275/// can be live at a time (without a fair amount of unsafe nastiness).
4276/// This is incompatible with Rust's iterator concept, which allows
4277/// any number of items to be live at any time. For instance:
4278///
4279/// ```rust
4280/// let mut v = vec![1, 2, 3, 4];
4281/// let mut iter = v.iter_mut();
4282///
4283/// let x = iter.next().unwrap();
4284/// let y = iter.next().unwrap();
4285///
4286/// *x += 10; // This does not cause an error!
4287/// *y += 10;
4288/// ```
4289pub struct PacketParser<'a> {
4290 /// The current packet's header.
4291 header: Header,
4292
4293 /// The packet that is being parsed.
4294 pub packet: Packet,
4295
4296 // The path of the packet that is currently being parsed.
4297 path: Vec<usize>,
4298 // The path of the packet that was most recently returned by
4299 // `next()` or `recurse()`.
4300 last_path: Vec<usize>,
4301
4302 reader: Box<dyn BufferedReader<Cookie> + 'a>,
4303
4304 // Whether the caller read the packet's content. If so, then we
4305 // can't recurse, because we're missing some of the packet!
4306 content_was_read: bool,
4307
4308 // Whether PacketParser::finish has been called.
4309 finished: bool,
4310
4311 // Whether the content has been processed.
4312 processed: bool,
4313
4314 /// A map of this packet.
4315 map: Option<map::Map>,
4316
4317 /// We compute a hashsum over the body to implement comparison on
4318 /// containers that have been streamed.
4319 body_hash: Option<Box<Xxh3>>,
4320
4321 state: PacketParserState,
4322}
4323assert_send_and_sync!(PacketParser<'_>);
4324
4325impl<'a> std::fmt::Display for PacketParser<'a> {
4326 fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
4327 write!(f, "PacketParser")
4328 }
4329}
4330
4331impl<'a> std::fmt::Debug for PacketParser<'a> {
4332 fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
4333 f.debug_struct("PacketParser")
4334 .field("header", &self.header)
4335 .field("packet", &self.packet)
4336 .field("path", &self.path)
4337 .field("last_path", &self.last_path)
4338 .field("processed", &self.processed)
4339 .field("content_was_read", &self.content_was_read)
4340 .field("settings", &self.state.settings)
4341 .field("map", &self.map)
4342 .finish()
4343 }
4344}
4345
4346/// The return value of PacketParser::parse.
4347enum ParserResult<'a> {
4348 Success(PacketParser<'a>),
4349 EOF((Box<dyn BufferedReader<Cookie> + 'a>, PacketParserState, Vec<usize>)),
4350}
4351
4352/// Information about the stream of packets parsed by the
4353/// `PacketParser`.
4354///
4355/// Once the [`PacketParser`] reaches the end of the input stream, it
4356/// returns a [`PacketParserResult::EOF`] with a `PacketParserEOF`.
4357/// This object provides information about the parsed stream, notably
4358/// whether the packet stream was a well-formed [`Message`],
4359/// [`Cert`] or keyring.
4360///
4361/// [`Message`]: super::Message
4362/// [`Cert`]: crate::cert::Cert
4363///
4364/// # Examples
4365///
4366/// Parse some OpenPGP stream using a [`PacketParser`] and detects the
4367/// kind of data:
4368///
4369/// ```rust
4370/// # fn main() -> sequoia_openpgp::Result<()> {
4371/// use sequoia_openpgp as openpgp;
4372/// use openpgp::Packet;
4373/// use openpgp::parse::{Parse, PacketParserResult, PacketParser};
4374///
4375/// let openpgp_data: &[u8] = // ...
4376/// # include_bytes!("../tests/data/keys/public-key.pgp");
4377/// let mut ppr = PacketParser::from_bytes(openpgp_data)?;
4378/// while let PacketParserResult::Some(mut pp) = ppr {
4379/// // Start parsing the next packet, recursing.
4380/// ppr = pp.recurse()?.1;
4381/// }
4382///
4383/// if let PacketParserResult::EOF(eof) = ppr {
4384/// if eof.is_message().is_ok() {
4385/// // ...
4386/// } else if eof.is_cert().is_ok() {
4387/// // ...
4388/// } else if eof.is_keyring().is_ok() {
4389/// // ...
4390/// } else {
4391/// // ...
4392/// }
4393/// }
4394/// # Ok(()) }
4395/// ```
4396#[derive(Debug)]
4397pub struct PacketParserEOF<'a> {
4398 state: PacketParserState,
4399 reader: Box<dyn BufferedReader<Cookie> + 'a>,
4400 last_path: Vec<usize>,
4401}
4402assert_send_and_sync!(PacketParserEOF<'_>);
4403
4404impl<'a> PacketParserEOF<'a> {
4405 /// Copies the important information in `pp` into a new
4406 /// `PacketParserEOF` instance.
4407 fn new(mut state: PacketParserState,
4408 reader: Box<dyn BufferedReader<Cookie> + 'a>)
4409 -> Self {
4410 state.message_validator.finish();
4411 state.keyring_validator.finish();
4412 state.cert_validator.finish();
4413
4414 PacketParserEOF {
4415 state,
4416 reader,
4417 last_path: vec![],
4418 }
4419 }
4420
4421 /// Creates a placeholder instance for PacketParserResult::take.
4422 fn empty() -> Self {
4423 Self::new(
4424 PacketParserState::new(Default::default()),
4425 buffered_reader::Memory::with_cookie(b"", Default::default())
4426 .into_boxed())
4427 }
4428
4429 /// Returns whether the stream is an OpenPGP Message.
4430 ///
4431 /// A [`Message`] has a very specific structure. Returns `true`
4432 /// if the stream is of that form, as opposed to a [`Cert`] or
4433 /// just a bunch of packets.
4434 ///
4435 /// [`Message`]: super::Message
4436 /// [`Cert`]: crate::cert::Cert
4437 ///
4438 /// # Examples
4439 ///
4440 /// Parse some OpenPGP stream using a [`PacketParser`] and detects the
4441 /// kind of data:
4442 ///
4443 ///
4444 /// ```rust
4445 /// # fn main() -> sequoia_openpgp::Result<()> {
4446 /// use sequoia_openpgp as openpgp;
4447 /// use openpgp::Packet;
4448 /// use openpgp::parse::{Parse, PacketParserResult, PacketParser};
4449 ///
4450 /// let openpgp_data: &[u8] = // ...
4451 /// # include_bytes!("../tests/data/keys/public-key.pgp");
4452 /// let mut ppr = PacketParser::from_bytes(openpgp_data)?;
4453 /// while let PacketParserResult::Some(mut pp) = ppr {
4454 /// // Start parsing the next packet, recursing.
4455 /// ppr = pp.recurse()?.1;
4456 /// }
4457 ///
4458 /// if let PacketParserResult::EOF(eof) = ppr {
4459 /// if eof.is_message().is_ok() {
4460 /// // ...
4461 /// }
4462 /// }
4463 /// # Ok(()) }
4464 /// ```
4465 pub fn is_message(&self) -> Result<()> {
4466 use crate::message::MessageValidity;
4467
4468 match self.state.message_validator.check() {
4469 MessageValidity::Message => Ok(()),
4470 MessageValidity::MessagePrefix => unreachable!(),
4471 MessageValidity::Error(err) => Err(err),
4472 }
4473 }
4474
4475 /// Returns whether the message is an OpenPGP keyring.
4476 ///
4477 /// A keyring has a very specific structure. Returns `true` if
4478 /// the stream is of that form, as opposed to a [`Message`] or
4479 /// just a bunch of packets.
4480 ///
4481 /// [`Message`]: super::Message
4482 ///
4483 /// # Examples
4484 ///
4485 /// Parse some OpenPGP stream using a [`PacketParser`] and detects the
4486 /// kind of data:
4487 ///
4488 ///
4489 /// ```rust
4490 /// # fn main() -> sequoia_openpgp::Result<()> {
4491 /// use sequoia_openpgp as openpgp;
4492 /// use openpgp::Packet;
4493 /// use openpgp::parse::{Parse, PacketParserResult, PacketParser};
4494 ///
4495 /// let openpgp_data: &[u8] = // ...
4496 /// # include_bytes!("../tests/data/keys/public-key.pgp");
4497 /// let mut ppr = PacketParser::from_bytes(openpgp_data)?;
4498 /// while let PacketParserResult::Some(mut pp) = ppr {
4499 /// // Start parsing the next packet, recursing.
4500 /// ppr = pp.recurse()?.1;
4501 /// }
4502 ///
4503 /// if let PacketParserResult::EOF(eof) = ppr {
4504 /// if eof.is_keyring().is_ok() {
4505 /// // ...
4506 /// }
4507 /// }
4508 /// # Ok(()) }
4509 /// ```
4510 pub fn is_keyring(&self) -> Result<()> {
4511 match self.state.keyring_validator.check() {
4512 KeyringValidity::Keyring => Ok(()),
4513 KeyringValidity::KeyringPrefix => unreachable!(),
4514 KeyringValidity::Error(err) => Err(err),
4515 }
4516 }
4517
4518 /// Returns whether the message is an OpenPGP Cert.
4519 ///
4520 /// A [`Cert`] has a very specific structure. Returns `true` if
4521 /// the stream is of that form, as opposed to a [`Message`] or
4522 /// just a bunch of packets.
4523 ///
4524 /// [`Message`]: super::Message
4525 /// [`Cert`]: crate::cert::Cert
4526 ///
4527 /// # Examples
4528 ///
4529 /// Parse some OpenPGP stream using a [`PacketParser`] and detects the
4530 /// kind of data:
4531 ///
4532 ///
4533 /// ```rust
4534 /// # fn main() -> sequoia_openpgp::Result<()> {
4535 /// use sequoia_openpgp as openpgp;
4536 /// use openpgp::Packet;
4537 /// use openpgp::parse::{Parse, PacketParserResult, PacketParser};
4538 ///
4539 /// let openpgp_data: &[u8] = // ...
4540 /// # include_bytes!("../tests/data/keys/public-key.pgp");
4541 /// let mut ppr = PacketParser::from_bytes(openpgp_data)?;
4542 /// while let PacketParserResult::Some(mut pp) = ppr {
4543 /// // Start parsing the next packet, recursing.
4544 /// ppr = pp.recurse()?.1;
4545 /// }
4546 ///
4547 /// if let PacketParserResult::EOF(eof) = ppr {
4548 /// if eof.is_cert().is_ok() {
4549 /// // ...
4550 /// }
4551 /// }
4552 /// # Ok(()) }
4553 /// ```
4554 pub fn is_cert(&self) -> Result<()> {
4555 match self.state.cert_validator.check() {
4556 CertValidity::Cert => Ok(()),
4557 CertValidity::CertPrefix => unreachable!(),
4558 CertValidity::Error(err) => Err(err),
4559 }
4560 }
4561
4562 /// Returns the path of the last packet.
4563 ///
4564 /// # Examples
4565 ///
4566 /// Parse some OpenPGP stream using a [`PacketParser`] and returns
4567 /// the path (see [`PacketPile::path_ref`]) of the last packet:
4568 ///
4569 /// [`PacketPile::path_ref`]: super::PacketPile::path_ref()
4570 ///
4571 /// ```rust
4572 /// # fn main() -> sequoia_openpgp::Result<()> {
4573 /// use sequoia_openpgp as openpgp;
4574 /// use openpgp::Packet;
4575 /// use openpgp::parse::{Parse, PacketParserResult, PacketParser};
4576 ///
4577 /// let openpgp_data: &[u8] = // ...
4578 /// # include_bytes!("../tests/data/keys/public-key.pgp");
4579 /// let mut ppr = PacketParser::from_bytes(openpgp_data)?;
4580 /// while let PacketParserResult::Some(mut pp) = ppr {
4581 /// // Start parsing the next packet, recursing.
4582 /// ppr = pp.recurse()?.1;
4583 /// }
4584 ///
4585 /// if let PacketParserResult::EOF(eof) = ppr {
4586 /// let _ = eof.last_path();
4587 /// }
4588 /// # Ok(()) }
4589 /// ```
4590 pub fn last_path(&self) -> &[usize] {
4591 &self.last_path[..]
4592 }
4593
4594 /// The last packet's recursion depth.
4595 ///
4596 /// A top-level packet has a recursion depth of 0. Packets in a
4597 /// top-level container have a recursion depth of 1, etc.
4598 ///
4599 /// # Examples
4600 ///
4601 /// Parse some OpenPGP stream using a [`PacketParser`] and returns
4602 /// the recursion depth of the last packet:
4603 ///
4604 ///
4605 /// ```rust
4606 /// # fn main() -> sequoia_openpgp::Result<()> {
4607 /// use sequoia_openpgp as openpgp;
4608 /// use openpgp::Packet;
4609 /// use openpgp::parse::{Parse, PacketParserResult, PacketParser};
4610 ///
4611 /// let openpgp_data: &[u8] = // ...
4612 /// # include_bytes!("../tests/data/keys/public-key.pgp");
4613 /// let mut ppr = PacketParser::from_bytes(openpgp_data)?;
4614 /// while let PacketParserResult::Some(mut pp) = ppr {
4615 /// // Start parsing the next packet, recursing.
4616 /// ppr = pp.recurse()?.1;
4617 /// }
4618 ///
4619 /// if let PacketParserResult::EOF(eof) = ppr {
4620 /// let _ = eof.last_recursion_depth();
4621 /// }
4622 /// # Ok(()) }
4623 /// ```
4624 pub fn last_recursion_depth(&self) -> Option<isize> {
4625 if self.last_path.is_empty() {
4626 None
4627 } else {
4628 Some(self.last_path.len() as isize - 1)
4629 }
4630 }
4631
4632 /// Returns the exhausted reader.
4633 pub fn into_reader(self) -> Box<dyn BufferedReader<Cookie> + 'a> {
4634 self.reader
4635 }
4636}
4637
4638/// The result of parsing a packet.
4639///
4640/// This type is returned by [`PacketParser::next`],
4641/// [`PacketParser::recurse`], [`PacketParserBuilder::build`], and the
4642/// implementation of [`PacketParser`]'s [`Parse` trait]. The result
4643/// is either `Some(PacketParser)`, indicating successful parsing of a
4644/// packet, or `EOF(PacketParserEOF)` if the end of the input stream
4645/// has been reached.
4646///
4647/// [`PacketParser::next`]: PacketParser::next()
4648/// [`PacketParser::recurse`]: PacketParser::recurse()
4649/// [`PacketParserBuilder::build`]: PacketParserBuilder::build()
4650/// [`Parse` trait]: struct.PacketParser.html#impl-Parse%3C%27a%2C%20PacketParserResult%3C%27a%3E%3E
4651#[derive(Debug)]
4652pub enum PacketParserResult<'a> {
4653 /// A `PacketParser` for the next packet.
4654 Some(PacketParser<'a>),
4655 /// Information about a fully parsed packet sequence.
4656 EOF(PacketParserEOF<'a>),
4657}
4658assert_send_and_sync!(PacketParserResult<'_>);
4659
4660impl<'a> PacketParserResult<'a> {
4661 /// Returns `true` if the result is `EOF`.
4662 pub fn is_eof(&self) -> bool {
4663 matches!(self, PacketParserResult::EOF(_))
4664 }
4665
4666 /// Returns `true` if the result is `Some`.
4667 pub fn is_some(&self) -> bool {
4668 ! Self::is_eof(self)
4669 }
4670
4671 /// Unwraps a result, yielding the content of an `Some`.
4672 ///
4673 /// # Panics
4674 ///
4675 /// Panics if the value is an `EOF`, with a panic message
4676 /// including the passed message, and the information in the
4677 /// [`PacketParserEOF`] object.
4678 ///
4679 pub fn expect(self, msg: &str) -> PacketParser<'a> {
4680 if let PacketParserResult::Some(pp) = self {
4681 pp
4682 } else {
4683 panic!("{}", msg);
4684 }
4685 }
4686
4687 /// Unwraps a result, yielding the content of an `Some`.
4688 ///
4689 /// # Panics
4690 ///
4691 /// Panics if the value is an `EOF`, with a panic message
4692 /// including the information in the [`PacketParserEOF`] object.
4693 ///
4694 pub fn unwrap(self) -> PacketParser<'a> {
4695 self.expect("called `PacketParserResult::unwrap()` on a \
4696 `PacketParserResult::PacketParserEOF` value")
4697 }
4698
4699 /// Converts from `PacketParserResult` to `Result<&PacketParser,
4700 /// &PacketParserEOF>`.
4701 ///
4702 /// Produces a new `Result`, containing references into the
4703 /// original `PacketParserResult`, leaving the original in place.
4704 pub fn as_ref(&self)
4705 -> StdResult<&PacketParser<'a>, &PacketParserEOF<'a>> {
4706 match self {
4707 PacketParserResult::Some(pp) => Ok(pp),
4708 PacketParserResult::EOF(eof) => Err(eof),
4709 }
4710 }
4711
4712 /// Converts from `PacketParserResult` to `Result<&mut
4713 /// PacketParser, &mut PacketParserEOF>`.
4714 ///
4715 /// Produces a new `Result`, containing mutable references into the
4716 /// original `PacketParserResult`, leaving the original in place.
4717 pub fn as_mut(&mut self)
4718 -> StdResult<&mut PacketParser<'a>, &mut PacketParserEOF<'a>>
4719 {
4720 match self {
4721 PacketParserResult::Some(pp) => Ok(pp),
4722 PacketParserResult::EOF(eof) => Err(eof),
4723 }
4724 }
4725
4726 /// Takes the value out of the `PacketParserResult`, leaving a
4727 /// `EOF` in its place.
4728 ///
4729 /// The `EOF` left in place carries a [`PacketParserEOF`] with
4730 /// default values.
4731 ///
4732 pub fn take(&mut self) -> Self {
4733 mem::replace(
4734 self,
4735 PacketParserResult::EOF(PacketParserEOF::empty()))
4736 }
4737
4738 /// Maps a `PacketParserResult` to `Result<PacketParser,
4739 /// PacketParserEOF>` by applying a function to a contained `Some`
4740 /// value, leaving an `EOF` value untouched.
4741 pub fn map<U, F>(self, f: F) -> StdResult<U, PacketParserEOF<'a>>
4742 where F: FnOnce(PacketParser<'a>) -> U
4743 {
4744 match self {
4745 PacketParserResult::Some(x) => Ok(f(x)),
4746 PacketParserResult::EOF(e) => Err(e),
4747 }
4748 }
4749}
4750
4751impl<'a> Parse<'a, PacketParserResult<'a>> for PacketParser<'a> {
4752 /// Starts parsing an OpenPGP object stored in a `BufferedReader` object.
4753 ///
4754 /// This function returns a `PacketParser` for the first packet in
4755 /// the stream.
4756 fn from_buffered_reader<R>(reader: R) -> Result<PacketParserResult<'a>>
4757 where
4758 R: BufferedReader<Cookie> + 'a,
4759 {
4760 PacketParserBuilder::from_buffered_reader(reader.into_boxed())?.build()
4761 }
4762}
4763
4764impl<'a> crate::seal::Sealed for PacketParser<'a> {}
4765
4766impl <'a> PacketParser<'a> {
4767 /// Starts parsing an OpenPGP message stored in a `BufferedReader`
4768 /// object.
4769 ///
4770 /// This function returns a `PacketParser` for the first packet in
4771 /// the stream.
4772 pub(crate) fn from_cookie_reader(bio: Box<dyn BufferedReader<Cookie> + 'a>)
4773 -> Result<PacketParserResult<'a>> {
4774 PacketParserBuilder::from_cookie_reader(bio)?.build()
4775 }
4776
4777 /// Returns the reader stack, replacing it with a
4778 /// `buffered_reader::EOF` reader.
4779 ///
4780 /// This function may only be called when the `PacketParser` is in
4781 /// State::Body.
4782 fn take_reader(&mut self) -> Box<dyn BufferedReader<Cookie> + 'a> {
4783 self.set_reader(
4784 Box::new(buffered_reader::EOF::with_cookie(Default::default())))
4785 }
4786
4787 /// Replaces the reader stack.
4788 ///
4789 /// This function may only be called when the `PacketParser` is in
4790 /// State::Body.
4791 fn set_reader(&mut self, reader: Box<dyn BufferedReader<Cookie> + 'a>)
4792 -> Box<dyn BufferedReader<Cookie> + 'a>
4793 {
4794 mem::replace(&mut self.reader, reader)
4795 }
4796
4797 /// Returns a mutable reference to the reader stack.
4798 fn mut_reader(&mut self) -> &mut dyn BufferedReader<Cookie> {
4799 &mut self.reader
4800 }
4801
4802 /// Marks the packet's contents as processed or not.
4803 fn set_processed(mut self, v: bool) -> Self {
4804 self.processed = v;
4805 self
4806 }
4807
4808 /// Returns whether the packet's contents have been processed.
4809 ///
4810 /// This function returns `true` while processing an encryption
4811 /// container before it is decrypted using
4812 /// [`PacketParser::decrypt`]. Once successfully decrypted, it
4813 /// returns `false`.
4814 ///
4815 /// [`PacketParser::decrypt`]: PacketParser::decrypt()
4816 ///
4817 /// # Examples
4818 ///
4819 /// ```rust
4820 /// # fn main() -> sequoia_openpgp::Result<()> {
4821 /// use sequoia_openpgp as openpgp;
4822 /// use openpgp::Packet;
4823 /// use openpgp::fmt::hex;
4824 /// use openpgp::types::SymmetricAlgorithm;
4825 /// use openpgp::parse::{Parse, PacketParserResult, PacketParser};
4826 ///
4827 /// // Parse an encrypted message.
4828 /// let message_data: &[u8] = // ...
4829 /// # include_bytes!("../tests/data/messages/encrypted-aes256-password-123.pgp");
4830 /// let mut ppr = PacketParser::from_bytes(message_data)?;
4831 /// while let PacketParserResult::Some(mut pp) = ppr {
4832 /// if let Packet::SEIP(_) = pp.packet {
4833 /// assert!(!pp.processed());
4834 /// pp.decrypt(SymmetricAlgorithm::AES256,
4835 /// &hex::decode("7EF4F08C44F780BEA866961423306166\
4836 /// B8912C43352F3D9617F745E4E3939710")?
4837 /// .into())?;
4838 /// assert!(pp.processed());
4839 /// }
4840 ///
4841 /// // Start parsing the next packet, recursing.
4842 /// ppr = pp.recurse()?.1;
4843 /// }
4844 /// # Ok(()) }
4845 /// ```
4846 pub fn processed(&self) -> bool {
4847 self.processed
4848 }
4849
4850 /// Returns the path of the last packet.
4851 ///
4852 /// This function returns the path (see [`PacketPile::path_ref`]
4853 /// for a description of paths) of the packet last returned by a
4854 /// call to [`PacketParser::recurse`] or [`PacketParser::next`].
4855 /// If no packet has been returned (i.e. the current packet is the
4856 /// first packet), this returns the empty slice.
4857 ///
4858 /// [`PacketPile::path_ref`]: super::PacketPile::path_ref()
4859 /// [`PacketParser::recurse`]: PacketParser::recurse()
4860 /// [`PacketParser::next`]: PacketParser::next()
4861 ///
4862 /// # Examples
4863 ///
4864 /// ```rust
4865 /// # fn main() -> sequoia_openpgp::Result<()> {
4866 /// use sequoia_openpgp as openpgp;
4867 /// use openpgp::Packet;
4868 /// use openpgp::parse::{Parse, PacketParserResult, PacketParser};
4869 ///
4870 /// // Parse a compressed message.
4871 /// let message_data: &[u8] = // ...
4872 /// # include_bytes!("../tests/data/messages/compressed-data-algo-0.pgp");
4873 /// let mut ppr = PacketParser::from_bytes(message_data)?;
4874 /// while let PacketParserResult::Some(mut pp) = ppr {
4875 /// match pp.packet {
4876 /// Packet::CompressedData(_) => assert_eq!(pp.last_path(), &[] as &[usize]),
4877 /// Packet::Literal(_) => assert_eq!(pp.last_path(), &[0usize]),
4878 /// _ => (),
4879 /// }
4880 ///
4881 /// // Start parsing the next packet, recursing.
4882 /// ppr = pp.recurse()?.1;
4883 /// }
4884 /// # Ok(()) }
4885 /// ```
4886 pub fn last_path(&self) -> &[usize] {
4887 &self.last_path[..]
4888 }
4889
4890 /// Returns the path of the current packet.
4891 ///
4892 /// This function returns the path (see [`PacketPile::path_ref`]
4893 /// for a description of paths) of the packet currently being
4894 /// processed (see [`PacketParser::packet`]).
4895 ///
4896 /// [`PacketPile::path_ref`]: super::PacketPile::path_ref()
4897 ///
4898 /// # Examples
4899 ///
4900 /// ```rust
4901 /// # fn main() -> sequoia_openpgp::Result<()> {
4902 /// use sequoia_openpgp as openpgp;
4903 /// use openpgp::Packet;
4904 /// use openpgp::parse::{Parse, PacketParserResult, PacketParser};
4905 ///
4906 /// // Parse a compressed message.
4907 /// let message_data: &[u8] = // ...
4908 /// # include_bytes!("../tests/data/messages/compressed-data-algo-0.pgp");
4909 /// let mut ppr = PacketParser::from_bytes(message_data)?;
4910 /// while let PacketParserResult::Some(mut pp) = ppr {
4911 /// match pp.packet {
4912 /// Packet::CompressedData(_) => assert_eq!(pp.path(), &[0]),
4913 /// Packet::Literal(_) => assert_eq!(pp.path(), &[0, 0]),
4914 /// _ => (),
4915 /// }
4916 ///
4917 /// // Start parsing the next packet, recursing.
4918 /// ppr = pp.recurse()?.1;
4919 /// }
4920 /// # Ok(()) }
4921 /// ```
4922 pub fn path(&self) -> &[usize] {
4923 &self.path[..]
4924 }
4925
4926 /// The current packet's recursion depth.
4927 ///
4928 /// A top-level packet has a recursion depth of 0. Packets in a
4929 /// top-level container have a recursion depth of 1, etc.
4930 ///
4931 /// # Examples
4932 ///
4933 /// ```rust
4934 /// # fn main() -> sequoia_openpgp::Result<()> {
4935 /// use sequoia_openpgp as openpgp;
4936 /// use openpgp::Packet;
4937 /// use openpgp::parse::{Parse, PacketParserResult, PacketParser};
4938 ///
4939 /// // Parse a compressed message.
4940 /// let message_data: &[u8] = // ...
4941 /// # include_bytes!("../tests/data/messages/compressed-data-algo-0.pgp");
4942 /// let mut ppr = PacketParser::from_bytes(message_data)?;
4943 /// while let PacketParserResult::Some(mut pp) = ppr {
4944 /// match pp.packet {
4945 /// Packet::CompressedData(_) => assert_eq!(pp.recursion_depth(), 0),
4946 /// Packet::Literal(_) => assert_eq!(pp.recursion_depth(), 1),
4947 /// _ => (),
4948 /// }
4949 ///
4950 /// // Start parsing the next packet, recursing.
4951 /// ppr = pp.recurse()?.1;
4952 /// }
4953 /// # Ok(()) }
4954 /// ```
4955 pub fn recursion_depth(&self) -> isize {
4956 self.path.len() as isize - 1
4957 }
4958
4959 /// The last packet's recursion depth.
4960 ///
4961 /// A top-level packet has a recursion depth of 0. Packets in a
4962 /// top-level container have a recursion depth of 1, etc.
4963 ///
4964 /// Note: if no packet has been returned yet, this returns None.
4965 ///
4966 /// # Examples
4967 ///
4968 /// ```rust
4969 /// # fn main() -> sequoia_openpgp::Result<()> {
4970 /// use sequoia_openpgp as openpgp;
4971 /// use openpgp::Packet;
4972 /// use openpgp::parse::{Parse, PacketParserResult, PacketParser};
4973 ///
4974 /// // Parse a compressed message.
4975 /// let message_data: &[u8] = // ...
4976 /// # include_bytes!("../tests/data/messages/compressed-data-algo-0.pgp");
4977 /// let mut ppr = PacketParser::from_bytes(message_data)?;
4978 /// while let PacketParserResult::Some(mut pp) = ppr {
4979 /// match pp.packet {
4980 /// Packet::CompressedData(_) => assert_eq!(pp.last_recursion_depth(), None),
4981 /// Packet::Literal(_) => assert_eq!(pp.last_recursion_depth(), Some(0)),
4982 /// _ => (),
4983 /// }
4984 ///
4985 /// // Start parsing the next packet, recursing.
4986 /// ppr = pp.recurse()?.1;
4987 /// }
4988 /// # Ok(()) }
4989 /// ```
4990 pub fn last_recursion_depth(&self) -> Option<isize> {
4991 if self.last_path.is_empty() {
4992 assert_eq!(&self.path[..], &[ 0 ]);
4993 None
4994 } else {
4995 Some(self.last_path.len() as isize - 1)
4996 }
4997 }
4998
4999 /// Returns whether the message appears to be an OpenPGP Message.
5000 ///
5001 /// Only when the whole message has been processed is it possible
5002 /// to say whether the message is definitely an OpenPGP Message.
5003 /// Before that, it is only possible to say that the message is a
5004 /// valid prefix or definitely not an OpenPGP message (see
5005 /// [`PacketParserEOF::is_message`]).
5006 ///
5007 /// [`PacketParserEOF::is_message`]: PacketParserEOF::is_message()
5008 ///
5009 /// # Examples
5010 ///
5011 /// ```rust
5012 /// # fn main() -> sequoia_openpgp::Result<()> {
5013 /// use sequoia_openpgp as openpgp;
5014 /// use openpgp::Packet;
5015 /// use openpgp::parse::{Parse, PacketParserResult, PacketParser};
5016 ///
5017 /// // Parse a compressed message.
5018 /// let message_data: &[u8] = // ...
5019 /// # include_bytes!("../tests/data/messages/compressed-data-algo-0.pgp");
5020 /// let mut ppr = PacketParser::from_bytes(message_data)?;
5021 /// while let PacketParserResult::Some(mut pp) = ppr {
5022 /// pp.possible_message()?;
5023 ///
5024 /// // Start parsing the next packet, recursing.
5025 /// ppr = pp.recurse()?.1;
5026 /// }
5027 /// # Ok(()) }
5028 /// ```
5029 pub fn possible_message(&self) -> Result<()> {
5030 use crate::message::MessageValidity;
5031
5032 match self.state.message_validator.check() {
5033 MessageValidity::Message => unreachable!(),
5034 MessageValidity::MessagePrefix => Ok(()),
5035 MessageValidity::Error(err) => Err(err),
5036 }
5037 }
5038
5039 /// Returns whether the message appears to be an OpenPGP keyring.
5040 ///
5041 /// Only when the whole message has been processed is it possible
5042 /// to say whether the message is definitely an OpenPGP keyring.
5043 /// Before that, it is only possible to say that the message is a
5044 /// valid prefix or definitely not an OpenPGP keyring (see
5045 /// [`PacketParserEOF::is_keyring`]).
5046 ///
5047 /// [`PacketParserEOF::is_keyring`]: PacketParserEOF::is_keyring()
5048 ///
5049 /// # Examples
5050 ///
5051 /// ```rust
5052 /// # fn main() -> sequoia_openpgp::Result<()> {
5053 /// use sequoia_openpgp as openpgp;
5054 /// use openpgp::Packet;
5055 /// use openpgp::parse::{Parse, PacketParserResult, PacketParser};
5056 ///
5057 /// // Parse a certificate.
5058 /// let message_data: &[u8] = // ...
5059 /// # include_bytes!("../tests/data/keys/testy.pgp");
5060 /// let mut ppr = PacketParser::from_bytes(message_data)?;
5061 /// while let PacketParserResult::Some(mut pp) = ppr {
5062 /// pp.possible_keyring()?;
5063 ///
5064 /// // Start parsing the next packet, recursing.
5065 /// ppr = pp.recurse()?.1;
5066 /// }
5067 /// # Ok(()) }
5068 /// ```
5069 pub fn possible_keyring(&self) -> Result<()> {
5070 match self.state.keyring_validator.check() {
5071 KeyringValidity::Keyring => unreachable!(),
5072 KeyringValidity::KeyringPrefix => Ok(()),
5073 KeyringValidity::Error(err) => Err(err),
5074 }
5075 }
5076
5077 /// Returns whether the message appears to be an OpenPGP Cert.
5078 ///
5079 /// Only when the whole message has been processed is it possible
5080 /// to say whether the message is definitely an OpenPGP Cert.
5081 /// Before that, it is only possible to say that the message is a
5082 /// valid prefix or definitely not an OpenPGP Cert (see
5083 /// [`PacketParserEOF::is_cert`]).
5084 ///
5085 /// [`PacketParserEOF::is_cert`]: PacketParserEOF::is_cert()
5086 ///
5087 /// # Examples
5088 ///
5089 /// ```rust
5090 /// # fn main() -> sequoia_openpgp::Result<()> {
5091 /// use sequoia_openpgp as openpgp;
5092 /// use openpgp::Packet;
5093 /// use openpgp::parse::{Parse, PacketParserResult, PacketParser};
5094 ///
5095 /// // Parse a certificate.
5096 /// let message_data: &[u8] = // ...
5097 /// # include_bytes!("../tests/data/keys/testy.pgp");
5098 /// let mut ppr = PacketParser::from_bytes(message_data)?;
5099 /// while let PacketParserResult::Some(mut pp) = ppr {
5100 /// pp.possible_cert()?;
5101 ///
5102 /// // Start parsing the next packet, recursing.
5103 /// ppr = pp.recurse()?.1;
5104 /// }
5105 /// # Ok(()) }
5106 /// ```
5107 pub fn possible_cert(&self) -> Result<()> {
5108 match self.state.cert_validator.check() {
5109 CertValidity::Cert => unreachable!(),
5110 CertValidity::CertPrefix => Ok(()),
5111 CertValidity::Error(err) => Err(err),
5112 }
5113 }
5114
5115 /// Tests whether the data appears to be a legal cert packet.
5116 ///
5117 /// This is just a heuristic. It can be used for recovering from
5118 /// garbage.
5119 ///
5120 /// Successfully reading the header only means that the top bit of
5121 /// the ptag is 1. Assuming a uniform distribution, there's a 50%
5122 /// chance that that is the case.
5123 ///
5124 /// To improve our chances of a correct recovery, we make sure the
5125 /// tag is known (for new format CTBs, there are 64 possible tags,
5126 /// but only a third of them are reasonable; for old format
5127 /// packets, there are only 16 and nearly all are plausible), and
5128 /// we make sure the packet contents are reasonable.
5129 ///
5130 /// Currently, we only try to recover the most interesting
5131 /// packets.
5132 pub(crate) fn plausible_cert(bio: &mut dyn BufferedReader<Cookie>,
5133 header: &Header)
5134 -> Result<()>
5135 {
5136 let bad = Err(
5137 Error::MalformedPacket("Can't make an educated case".into()).into());
5138
5139 match header.ctb().tag() {
5140 Tag::Reserved
5141 | Tag::Unknown(_) | Tag::Private(_) =>
5142 Err(Error::MalformedPacket("Looks like garbage".into()).into()),
5143
5144 Tag::Marker => Marker::plausible(bio, header),
5145 Tag::Padding => {
5146 // Even though a padding packet may occur here, it has
5147 // so little structure, that we're likely better off
5148 // trying to find the next packet.
5149 //
5150 // XXX: We could optimize that though, by using the
5151 // potential padding packet's length to see if the
5152 // next packet is plausible.
5153 bad
5154 },
5155 Tag::Signature => Signature::plausible(bio, header),
5156
5157 Tag::SecretKey => Key::plausible(bio, header),
5158 Tag::PublicKey => Key::plausible(bio, header),
5159 Tag::SecretSubkey => Key::plausible(bio, header),
5160 Tag::PublicSubkey => Key::plausible(bio, header),
5161
5162 Tag::UserID => bad,
5163 Tag::UserAttribute => bad,
5164
5165 // It is reasonable to try and ignore garbage in Certs,
5166 // because who knows what the keyservers return, etc.
5167 // But, if we have what appears to be an OpenPGP message,
5168 // then, ignore.
5169 Tag::PKESK => bad,
5170 Tag::SKESK => bad,
5171 Tag::OnePassSig => bad,
5172 Tag::CompressedData => bad,
5173 Tag::SED => bad,
5174 Tag::Literal => bad,
5175 Tag::Trust => bad,
5176 Tag::SEIP => bad,
5177 Tag::MDC => bad,
5178 Tag::AED => bad,
5179 }
5180 }
5181
5182 /// Returns a `PacketParser` for the next OpenPGP packet in the
5183 /// stream. If there are no packets left, this function returns
5184 /// `bio`.
5185 fn parse(mut bio: Box<dyn BufferedReader<Cookie> + 'a>,
5186 mut state: PacketParserState,
5187 path: Vec<usize>)
5188 -> Result<ParserResult<'a>>
5189 {
5190 assert!(!path.is_empty());
5191
5192 let indent = path.len() as isize - 1;
5193 tracer!(TRACE, "PacketParser::parse", indent);
5194
5195 if let Some(err) = state.pending_error.take() {
5196 t!("Returning pending error: {}", err);
5197 return Err(err);
5198 }
5199 t!("Parsing packet at {:?}", path);
5200
5201 let recursion_depth = path.len() as isize - 1;
5202
5203 // When header encounters an EOF, it returns an error. But,
5204 // we want to return None. Try a one byte read.
5205 if bio.data(1)?.is_empty() {
5206 t!("No packet at {:?} (EOF).", path);
5207 return Ok(ParserResult::EOF((bio, state, path)));
5208 }
5209
5210 // When computing a hash for a signature, most of the
5211 // signature packet should not be included in the hash. That
5212 // is:
5213 //
5214 // [ one pass sig ] [ ... message ... ] [ sig ]
5215 // ^^^^^^^^^^^^^^^^^^^
5216 // hash only this
5217 //
5218 // (The special logic for the Signature packet is in
5219 // Signature::parse.)
5220 //
5221 // To avoid this, we use a Dup reader to figure out if the
5222 // next packet is a sig packet without consuming the headers,
5223 // which would cause the headers to be hashed. If so, we
5224 // extract the hash context.
5225
5226 let mut bio = buffered_reader::Dup::with_cookie(bio, Cookie::default());
5227 let header;
5228
5229 // Read the header.
5230 let mut skip = 0;
5231 let mut orig_error : Option<anyhow::Error> = None;
5232 loop {
5233 bio.rewind();
5234 if let Err(_err) = bio.data_consume_hard(skip) {
5235 // EOF. We checked for EOF above when skip was 0, so
5236 // we must have skipped something.
5237 assert!(skip > 0);
5238
5239 // Fabricate a header.
5240 header = Header::new(CTB::new(Tag::Reserved),
5241 BodyLength::Full(skip as u32));
5242
5243 break;
5244 }
5245
5246 match Header::parse(&mut bio) {
5247 Ok(header_) => {
5248 if skip == 0 {
5249 header = header_;
5250 break;
5251 }
5252
5253 match Self::plausible_cert(&mut bio, &header_) {
5254 Ok(()) => {
5255 header = Header::new(CTB::new(Tag::Reserved),
5256 BodyLength::Full(skip as u32));
5257 break;
5258 }
5259 Err(err_) => {
5260 t!("{} not plausible @ {}: {}",
5261 header_.ctb().tag(), skip, err_);
5262 },
5263 }
5264 }
5265 Err(err) => {
5266 t!("Failed to read a header after skipping {} bytes: {}",
5267 skip, err);
5268 if orig_error.is_none() {
5269 orig_error = Some(err);
5270 }
5271
5272 if state.first_packet {
5273 // We don't try to recover if we haven't seen
5274 // any packets.
5275 return Err(orig_error.unwrap());
5276 }
5277
5278 if skip > RECOVERY_THRESHOLD {
5279 // Limit the search space. This should be
5280 // enough to find a reasonable recovery point
5281 // in a Cert.
5282 state.pending_error = orig_error;
5283
5284 // Fabricate a header.
5285 header = Header::new(CTB::new(Tag::Reserved),
5286 BodyLength::Full(skip as u32));
5287 break;
5288 }
5289 }
5290 }
5291
5292 skip += 1;
5293 }
5294
5295 // Prepare to actually consume the header or garbage.
5296 let consumed = if skip == 0 {
5297 bio.total_out()
5298 } else {
5299 t!("turning {} bytes of junk into an Unknown packet", skip);
5300 bio.rewind();
5301 0
5302 };
5303
5304 let tag = header.ctb().tag();
5305 t!("Packet's tag is {}", tag);
5306
5307 // A buffered_reader::Dup always has an inner.
5308 let mut bio = Box::new(bio).into_inner().unwrap();
5309
5310 // Disable hashing for literal packets, Literal::parse will
5311 // enable it for the body. Signatures and OnePassSig packets
5312 // are only hashed by notarizing signatures.
5313 if tag == Tag::Literal {
5314 Cookie::hashing(
5315 &mut bio, Hashing::Disabled, recursion_depth - 1);
5316 } else if tag == Tag::OnePassSig || tag == Tag::Signature {
5317 if Cookie::processing_csf_message(&bio) {
5318 // When processing a CSF message, the hashing reader
5319 // is not peeled off, because the number of signature
5320 // packets cannot be known from the number of OPS
5321 // packets. Instead, we simply disable hashing.
5322 //
5323 // XXX: It would be nice to peel off the hashing
5324 // reader and drop this workaround.
5325 Cookie::hashing(
5326 &mut bio, Hashing::Disabled, recursion_depth - 1);
5327 } else {
5328 Cookie::hashing(
5329 &mut bio, Hashing::Notarized, recursion_depth - 1);
5330 }
5331 }
5332
5333 // Save header for the map or nested signatures.
5334 let header_bytes =
5335 Vec::from(&bio.data_consume_hard(consumed)?[..consumed]);
5336
5337 let bio : Box<dyn BufferedReader<Cookie>>
5338 = match header.length() {
5339 &BodyLength::Full(len) => {
5340 t!("Pushing a limitor ({} bytes), level: {}.",
5341 len, recursion_depth);
5342 Box::new(buffered_reader::Limitor::with_cookie(
5343 bio, len as u64,
5344 Cookie::new(recursion_depth)))
5345 },
5346 &BodyLength::Partial(len) => {
5347 t!("Pushing a partial body chunk decoder, level: {}.",
5348 recursion_depth);
5349 Box::new(BufferedReaderPartialBodyFilter::with_cookie(
5350 bio, len,
5351 // When hashing a literal data packet, we only
5352 // hash the packet's contents; we don't hash
5353 // the literal data packet's meta-data or the
5354 // length information, which includes the
5355 // partial body headers.
5356 tag != Tag::Literal,
5357 Cookie::new(recursion_depth)))
5358 },
5359 BodyLength::Indeterminate => {
5360 t!("Indeterminate length packet, not adding a limitor.");
5361 bio
5362 },
5363 };
5364
5365 // Our parser should not accept packets that fail our header
5366 // syntax check. Doing so breaks roundtripping, and seems
5367 // like a bad idea anyway.
5368 let mut header_syntax_error = header.valid(true).err();
5369
5370 // Check packet size.
5371 if header_syntax_error.is_none() {
5372 let max_size = state.settings.max_packet_size;
5373 match tag {
5374 // Don't check the size for container packets, those
5375 // can be safely streamed.
5376 Tag::Literal | Tag::CompressedData | Tag::SED | Tag::SEIP
5377 | Tag::AED => (),
5378 _ => match header.length() {
5379 BodyLength::Full(l) => if *l > max_size {
5380 header_syntax_error = Some(
5381 Error::PacketTooLarge(tag, *l, max_size).into());
5382 },
5383 _ => unreachable!("non-data packets have full length, \
5384 syntax check above"),
5385 }
5386 }
5387 }
5388
5389 let parser = PacketHeaderParser::new(bio, state, path,
5390 header, header_bytes);
5391
5392 let mut result = match tag {
5393 Tag::Reserved if skip > 0 => Unknown::parse(
5394 parser, Error::MalformedPacket(format!(
5395 "Skipped {} bytes of junk", skip)).into()),
5396 _ if header_syntax_error.is_some() =>
5397 Unknown::parse(parser, header_syntax_error.unwrap()),
5398 Tag::Signature => Signature::parse(parser),
5399 Tag::OnePassSig => OnePassSig::parse(parser),
5400 Tag::PublicSubkey => Key::parse(parser),
5401 Tag::PublicKey => Key::parse(parser),
5402 Tag::SecretKey => Key::parse(parser),
5403 Tag::SecretSubkey => Key::parse(parser),
5404 Tag::Trust => Trust::parse(parser),
5405 Tag::UserID => UserID::parse(parser),
5406 Tag::UserAttribute => UserAttribute::parse(parser),
5407 Tag::Marker => Marker::parse(parser),
5408 Tag::Literal => Literal::parse(parser),
5409 Tag::CompressedData => CompressedData::parse(parser),
5410 Tag::SKESK => SKESK::parse(parser),
5411 Tag::SEIP => SEIP::parse(parser),
5412 Tag::MDC => MDC::parse(parser),
5413 Tag::PKESK => PKESK::parse(parser),
5414 Tag::Padding => Padding::parse(parser),
5415 _ => Unknown::parse(parser,
5416 Error::UnsupportedPacketType(tag).into()),
5417 }?;
5418
5419 if tag == Tag::OnePassSig {
5420 Cookie::hashing(
5421 &mut result, Hashing::Enabled, recursion_depth - 1);
5422 }
5423
5424 result.state.first_packet = false;
5425
5426 t!(" -> {:?}, path: {:?}, level: {:?}.",
5427 result.packet.tag(), result.path, result.cookie_ref().level);
5428
5429 return Ok(ParserResult::Success(result));
5430 }
5431
5432 /// Finishes parsing the current packet and starts parsing the
5433 /// next one.
5434 ///
5435 /// This function finishes parsing the current packet. By
5436 /// default, any unread content is dropped. (See
5437 /// [`PacketParsererBuilder`] for how to configure this.) It then
5438 /// creates a new packet parser for the next packet. If the
5439 /// current packet is a container, this function does *not*
5440 /// recurse into the container, but skips any packets it contains.
5441 /// To recurse into the container, use the [`recurse()`] method.
5442 ///
5443 /// [`PacketParsererBuilder`]: PacketParserBuilder
5444 /// [`recurse()`]: PacketParser::recurse()
5445 ///
5446 /// The return value is a tuple containing:
5447 ///
5448 /// - A `Packet` holding the fully processed old packet;
5449 ///
5450 /// - A `PacketParser` holding the new packet;
5451 ///
5452 /// To determine the two packet's position within the parse tree,
5453 /// you can use `last_path()` and `path()`, respectively. To
5454 /// determine their depth, you can use `last_recursion_depth()`
5455 /// and `recursion_depth()`, respectively.
5456 ///
5457 /// Note: A recursion depth of 0 means that the packet is a
5458 /// top-level packet, a recursion depth of 1 means that the packet
5459 /// is an immediate child of a top-level-packet, etc.
5460 ///
5461 /// Since the packets are serialized in depth-first order and all
5462 /// interior nodes are visited, we know that if the recursion
5463 /// depth is the same, then the packets are siblings (they have a
5464 /// common parent) and not, e.g., cousins (they have a common
5465 /// grandparent). This is because, if we move up the tree, the
5466 /// only way to move back down is to first visit a new container
5467 /// (e.g., an aunt).
5468 ///
5469 /// Using the two positions, we can compute the change in depth as
5470 /// new_depth - old_depth. Thus, if the change in depth is 0, the
5471 /// two packets are siblings. If the value is 1, the old packet
5472 /// is a container, and the new packet is its first child. And,
5473 /// if the value is -1, the new packet is contained in the old
5474 /// packet's grandparent. The idea is illustrated below:
5475 ///
5476 /// ```text
5477 /// ancestor
5478 /// | \
5479 /// ... -n
5480 /// |
5481 /// grandparent
5482 /// | \
5483 /// parent -1
5484 /// | \
5485 /// packet 0
5486 /// |
5487 /// 1
5488 /// ```
5489 ///
5490 /// Note: since this function does not automatically recurse into
5491 /// a container, the change in depth will always be non-positive.
5492 /// If the current container is empty, this function DOES pop that
5493 /// container off the container stack, and returns the following
5494 /// packet in the parent container.
5495 ///
5496 /// # Examples
5497 ///
5498 /// ```rust
5499 /// # fn main() -> sequoia_openpgp::Result<()> {
5500 /// use sequoia_openpgp as openpgp;
5501 /// use openpgp::Packet;
5502 /// use openpgp::parse::{Parse, PacketParserResult, PacketParser};
5503 ///
5504 /// // Parse a message.
5505 /// let message_data: &[u8] = // ...
5506 /// # include_bytes!("../tests/data/messages/compressed-data-algo-0.pgp");
5507 /// let mut ppr = PacketParser::from_bytes(message_data)?;
5508 /// while let PacketParserResult::Some(mut pp) = ppr {
5509 /// // Start parsing the next packet.
5510 /// ppr = pp.next()?.1;
5511 /// }
5512 /// # Ok(()) }
5513 /// ```
5514 pub fn next(mut self)
5515 -> Result<(Packet, PacketParserResult<'a>)>
5516 {
5517 let indent = self.recursion_depth();
5518 tracer!(TRACE, "PacketParser::next", indent);
5519 t!("({:?}, path: {:?}, level: {:?}).",
5520 self.packet.tag(), self.path, self.cookie_ref().level);
5521
5522 self.finish()?;
5523
5524 let (mut fake_eof, mut reader) = buffered_reader_stack_pop(
5525 mem::replace(&mut self.reader,
5526 Box::new(buffered_reader::EOF::with_cookie(
5527 Default::default()))),
5528 self.recursion_depth())?;
5529
5530 self.last_path.clear();
5531 self.last_path.extend_from_slice(&self.path[..]);
5532
5533 // Assume that we succeed in parsing the next packet. If not,
5534 // then we'll adjust the path.
5535 *self.path.last_mut().expect("A path is never empty") += 1;
5536
5537 // Now read the next packet.
5538 loop {
5539 // Parse the next packet.
5540 t!("Reading packet at {:?}", self.path);
5541
5542 let recursion_depth = self.recursion_depth();
5543
5544 let ppr = PacketParser::parse(reader, self.state, self.path)?;
5545 match ppr {
5546 ParserResult::EOF((reader_, state_, path_)) => {
5547 // We got EOF on the current container. The
5548 // container at recursion depth n is empty. Pop
5549 // it and any filters for it, i.e., those at level
5550 // n (e.g., the limitor that caused us to hit
5551 // EOF), and then try again.
5552
5553 t!("depth: {}, got EOF trying to read the next packet",
5554 recursion_depth);
5555
5556 self.path = path_;
5557
5558 if ! fake_eof && recursion_depth == 0 {
5559 t!("Popped top-level container, done reading message.");
5560 // Pop topmost filters (e.g. the armor::Reader).
5561 let (_, reader_) = buffered_reader_stack_pop(
5562 reader_, ARMOR_READER_LEVEL)?;
5563 let mut eof = PacketParserEOF::new(state_, reader_);
5564 eof.last_path = self.last_path;
5565 return Ok((self.packet,
5566 PacketParserResult::EOF(eof)));
5567 } else {
5568 self.state = state_;
5569 self.finish()?;
5570 let (fake_eof_, reader_) = buffered_reader_stack_pop(
5571 reader_, recursion_depth - 1)?;
5572 fake_eof = fake_eof_;
5573 if ! fake_eof {
5574 self.path.pop().unwrap();
5575 *self.path.last_mut()
5576 .expect("A path is never empty") += 1;
5577 }
5578 reader = reader_;
5579 }
5580 },
5581 ParserResult::Success(mut pp) => {
5582 let path = pp.path().to_vec();
5583 pp.state.message_validator.push(
5584 pp.packet.tag(), pp.packet.version(),
5585 &path);
5586 pp.state.keyring_validator.push(pp.packet.tag());
5587 pp.state.cert_validator.push(pp.packet.tag());
5588
5589 pp.last_path = self.last_path;
5590
5591 return Ok((self.packet, PacketParserResult::Some(pp)));
5592 }
5593 }
5594 }
5595 }
5596
5597 /// Finishes parsing the current packet and starts parsing the
5598 /// next one, recursing if possible.
5599 ///
5600 /// This method is similar to the [`next()`] method (see that
5601 /// method for more details), but if the current packet is a
5602 /// container (and we haven't reached the maximum recursion depth,
5603 /// and the user hasn't started reading the packet's contents), we
5604 /// recurse into the container, and return a `PacketParser` for
5605 /// its first child. Otherwise, we return the next packet in the
5606 /// packet stream. If this function recurses, then the new
5607 /// packet's recursion depth will be `last_recursion_depth() + 1`;
5608 /// because we always visit interior nodes, we can't recurse more
5609 /// than one level at a time.
5610 ///
5611 /// [`next()`]: PacketParser::next()
5612 ///
5613 /// # Examples
5614 ///
5615 /// ```rust
5616 /// # fn main() -> sequoia_openpgp::Result<()> {
5617 /// use sequoia_openpgp as openpgp;
5618 /// use openpgp::Packet;
5619 /// use openpgp::parse::{Parse, PacketParserResult, PacketParser};
5620 ///
5621 /// // Parse a message.
5622 /// let message_data: &[u8] = // ...
5623 /// # include_bytes!("../tests/data/messages/compressed-data-algo-0.pgp");
5624 /// let mut ppr = PacketParser::from_bytes(message_data)?;
5625 /// while let PacketParserResult::Some(mut pp) = ppr {
5626 /// // Start parsing the next packet, recursing.
5627 /// ppr = pp.recurse()?.1;
5628 /// }
5629 /// # Ok(()) }
5630 /// ```
5631 pub fn recurse(self) -> Result<(Packet, PacketParserResult<'a>)> {
5632 let indent = self.recursion_depth();
5633 tracer!(TRACE, "PacketParser::recurse", indent);
5634 t!("({:?}, path: {:?}, level: {:?})",
5635 self.packet.tag(), self.path, self.cookie_ref().level);
5636
5637 match self.packet {
5638 // Packets that recurse.
5639 Packet::CompressedData(_) | Packet::SEIP(_)
5640 if self.processed =>
5641 {
5642 if self.recursion_depth() as u8
5643 >= self.state.settings.max_recursion_depth
5644 {
5645 t!("Not recursing into the {:?} packet, maximum recursion \
5646 depth ({}) reached.",
5647 self.packet.tag(),
5648 self.state.settings.max_recursion_depth);
5649
5650 // Drop through.
5651 } else if self.content_was_read {
5652 t!("Not recursing into the {:?} packet, some data was \
5653 already read.",
5654 self.packet.tag());
5655
5656 // Drop through.
5657 } else {
5658 let mut last_path = self.last_path;
5659 last_path.clear();
5660 last_path.extend_from_slice(&self.path[..]);
5661
5662 let mut path = self.path;
5663 path.push(0);
5664
5665 match PacketParser::parse(self.reader, self.state,
5666 path.clone())?
5667 {
5668 ParserResult::Success(mut pp) => {
5669 t!("Recursed into the {:?} packet, got a {:?}.",
5670 self.packet.tag(), pp.packet.tag());
5671
5672 pp.state.message_validator.push(
5673 pp.packet.tag(),
5674 pp.packet.version(),
5675 &path);
5676 pp.state.keyring_validator.push(pp.packet.tag());
5677 pp.state.cert_validator.push(pp.packet.tag());
5678
5679 pp.last_path = last_path;
5680
5681 return Ok((self.packet,
5682 PacketParserResult::Some(pp)));
5683 },
5684 ParserResult::EOF(_) => {
5685 return Err(Error::MalformedPacket(
5686 "Container is truncated".into()).into());
5687 },
5688 }
5689 }
5690 },
5691 // Packets that don't recurse.
5692 #[allow(deprecated)]
5693 Packet::Unknown(_) | Packet::Signature(_) | Packet::OnePassSig(_)
5694 | Packet::PublicKey(_) | Packet::PublicSubkey(_)
5695 | Packet::SecretKey(_) | Packet::SecretSubkey(_)
5696 | Packet::Marker(_) | Packet::Trust(_)
5697 | Packet::UserID(_) | Packet::UserAttribute(_)
5698 | Packet::Literal(_) | Packet::PKESK(_) | Packet::SKESK(_)
5699 | Packet::SEIP(_) | Packet::MDC(_)
5700 | Packet::CompressedData(_)
5701 | Packet::Padding(_) => {
5702 // Drop through.
5703 t!("A {:?} packet is not a container, not recursing.",
5704 self.packet.tag());
5705 },
5706 }
5707
5708 // No recursion.
5709 self.next()
5710 }
5711
5712 /// Causes the PacketParser to buffer the packet's contents.
5713 ///
5714 /// The packet's contents can be retrieved using
5715 /// e.g. [`Container::body`]. In general, you should avoid
5716 /// buffering a packet's content and prefer streaming its content
5717 /// unless you are certain that the content is small.
5718 ///
5719 /// [`Container::body`]: crate::packet::Container::body()
5720 ///
5721 /// ```rust
5722 /// # fn main() -> sequoia_openpgp::Result<()> {
5723 /// use sequoia_openpgp as openpgp;
5724 /// use openpgp::Packet;
5725 /// use openpgp::parse::{Parse, PacketParserResult, PacketParser};
5726 ///
5727 /// // Parse a message.
5728 /// let message_data: &[u8] = // ...
5729 /// # include_bytes!("../tests/data/messages/literal-mode-t-partial-body.pgp");
5730 /// let mut ppr = PacketParser::from_bytes(message_data)?;
5731 /// while let PacketParserResult::Some(mut pp) = ppr {
5732 /// // Process the packet.
5733 ///
5734 /// if let Packet::Literal(_) = pp.packet {
5735 /// assert!(pp.buffer_unread_content()?
5736 /// .starts_with(b"A Cypherpunk's Manifesto"));
5737 /// # assert!(pp.buffer_unread_content()?
5738 /// # .starts_with(b"A Cypherpunk's Manifesto"));
5739 /// if let Packet::Literal(l) = &pp.packet {
5740 /// assert!(l.body().starts_with(b"A Cypherpunk's Manifesto"));
5741 /// assert_eq!(l.body().len(), 5158);
5742 /// } else {
5743 /// unreachable!();
5744 /// }
5745 /// }
5746 ///
5747 /// // Start parsing the next packet, recursing.
5748 /// ppr = pp.recurse()?.1;
5749 /// }
5750 /// # Ok(()) }
5751 /// ```
5752 pub fn buffer_unread_content(&mut self) -> Result<&[u8]> {
5753 let rest = self.steal_eof()?;
5754
5755 fn set_or_extend(rest: Vec<u8>, c: &mut Container, processed: bool)
5756 -> Result<&[u8]> {
5757 if !rest.is_empty() {
5758 let current = match c.body() {
5759 Body::Unprocessed(bytes) => &bytes[..],
5760 Body::Processed(bytes) => &bytes[..],
5761 Body::Structured(packets) if packets.is_empty() => &[][..],
5762 Body::Structured(_) => return Err(Error::InvalidOperation(
5763 "cannot append unread bytes to parsed packets"
5764 .into()).into()),
5765 };
5766 let rest = if !current.is_empty() {
5767 let mut new =
5768 Vec::with_capacity(current.len() + rest.len());
5769 new.extend_from_slice(current);
5770 new.extend_from_slice(&rest);
5771 new
5772 } else {
5773 rest
5774 };
5775
5776 c.set_body(if processed {
5777 Body::Processed(rest)
5778 } else {
5779 Body::Unprocessed(rest)
5780 });
5781 }
5782
5783 match c.body() {
5784 Body::Unprocessed(bytes) => Ok(bytes),
5785 Body::Processed(bytes) => Ok(bytes),
5786 Body::Structured(packets) if packets.is_empty() => Ok(&[][..]),
5787 Body::Structured(_) => Err(Error::InvalidOperation(
5788 "cannot append unread bytes to parsed packets"
5789 .into()).into()),
5790 }
5791 }
5792
5793 match &mut self.packet {
5794 Packet::Literal(p) => set_or_extend(rest, p.container_mut(), false),
5795 Packet::Unknown(p) => set_or_extend(rest, p.container_mut(), false),
5796 Packet::CompressedData(p) =>
5797 set_or_extend(rest, p.container_mut(), self.processed),
5798 Packet::SEIP(SEIP::V1(p)) =>
5799 set_or_extend(rest, p.container_mut(), self.processed),
5800 Packet::SEIP(SEIP::V2(p)) =>
5801 set_or_extend(rest, p.container_mut(), self.processed),
5802 p => {
5803 if !rest.is_empty() {
5804 Err(Error::MalformedPacket(
5805 format!("Unexpected body data for {:?}: {}",
5806 p, crate::fmt::hex::encode_pretty(rest)))
5807 .into())
5808 } else {
5809 Ok(&b""[..])
5810 }
5811 },
5812 }
5813 }
5814
5815 /// Finishes parsing the current packet.
5816 ///
5817 /// By default, this drops any unread content. Use, for instance,
5818 /// [`PacketParserBuilder`] to customize the default behavior.
5819 ///
5820 ///
5821 /// # Examples
5822 ///
5823 /// ```rust
5824 /// # fn main() -> sequoia_openpgp::Result<()> {
5825 /// use sequoia_openpgp as openpgp;
5826 /// use openpgp::Packet;
5827 /// use openpgp::parse::{Parse, PacketParserResult, PacketParser};
5828 ///
5829 /// // Parse a message.
5830 /// let message_data: &[u8] = // ...
5831 /// # include_bytes!("../tests/data/messages/compressed-data-algo-0.pgp");
5832 /// let mut ppr = PacketParser::from_bytes(message_data)?;
5833 /// while let PacketParserResult::Some(mut pp) = ppr {
5834 /// let p = pp.finish()?;
5835 /// # let _ = p;
5836 ///
5837 /// // Start parsing the next packet, recursing.
5838 /// ppr = pp.recurse()?.1;
5839 /// }
5840 /// # Ok(()) }
5841 // Note: this function is public and may be called multiple times!
5842 pub fn finish(&mut self) -> Result<&Packet> {
5843 let indent = self.recursion_depth();
5844 tracer!(TRACE, "PacketParser::finish", indent);
5845
5846 if self.finished {
5847 return Ok(&self.packet);
5848 }
5849
5850 let recursion_depth = self.recursion_depth();
5851
5852 let unread_content = if self.state.settings.buffer_unread_content {
5853 t!("({:?} at depth {}): buffering {} bytes of unread content",
5854 self.packet.tag(), recursion_depth,
5855 self.data_eof().unwrap_or(&[]).len());
5856
5857 !self.buffer_unread_content()?.is_empty()
5858 } else {
5859 t!("({:?} at depth {}): dropping {} bytes of unread content",
5860 self.packet.tag(), recursion_depth,
5861 self.data_eof().unwrap_or(&[]).len());
5862
5863 self.drop_eof()?
5864 };
5865
5866 if unread_content {
5867 match self.packet.tag() {
5868 Tag::SEIP | Tag::AED | Tag::SED | Tag::CompressedData => {
5869 // We didn't (fully) process a container's content. Add
5870 // this as opaque content to the message validator.
5871 let mut path = self.path().to_vec();
5872 path.push(0);
5873 self.state.message_validator.push_token(
5874 message::Token::OpaqueContent, &path);
5875 }
5876 _ => {},
5877 }
5878 }
5879
5880 if let Some(c) = self.packet.container_mut() {
5881 let h = self.body_hash.take()
5882 .expect("body_hash is Some");
5883 c.set_body_hash(h);
5884 }
5885
5886 self.finished = true;
5887
5888 Ok(&self.packet)
5889 }
5890
5891 /// Hashes content that has been streamed.
5892 fn hash_read_content(&mut self, b: &[u8]) {
5893 if !b.is_empty() {
5894 assert!(self.body_hash.is_some());
5895 if let Some(h) = self.body_hash.as_mut() {
5896 h.update(b);
5897 }
5898 self.content_was_read = true;
5899 }
5900 }
5901
5902 /// Returns a reference to the current packet's header.
5903 ///
5904 /// # Examples
5905 ///
5906 /// ```rust
5907 /// # fn main() -> sequoia_openpgp::Result<()> {
5908 /// use sequoia_openpgp as openpgp;
5909 /// use openpgp::Packet;
5910 /// use openpgp::parse::{Parse, PacketParserResult, PacketParser};
5911 ///
5912 /// // Parse a message.
5913 /// let message_data: &[u8] = // ...
5914 /// # include_bytes!("../tests/data/messages/compressed-data-algo-0.pgp");
5915 /// let mut ppr = PacketParser::from_bytes(message_data)?;
5916 /// while let PacketParserResult::Some(mut pp) = ppr {
5917 /// pp.header().valid(false)?;
5918 ///
5919 /// // Start parsing the next packet, recursing.
5920 /// ppr = pp.recurse()?.1;
5921 /// }
5922 /// # Ok(()) }
5923 /// ```
5924 pub fn header(&self) -> &Header {
5925 &self.header
5926 }
5927
5928 /// Returns a reference to the map (if any is written).
5929 ///
5930 /// # Examples
5931 ///
5932 /// ```
5933 /// # fn main() -> sequoia_openpgp::Result<()> {
5934 /// use sequoia_openpgp as openpgp;
5935 /// use openpgp::parse::{Parse, PacketParserBuilder};
5936 ///
5937 /// let message_data = b"\xcb\x12t\x00\x00\x00\x00\x00Hello world.";
5938 /// let pp = PacketParserBuilder::from_bytes(message_data)?
5939 /// .map(true) // Enable mapping.
5940 /// .build()?
5941 /// .expect("One packet, not EOF");
5942 /// let map = pp.map().expect("Mapping is enabled");
5943 ///
5944 /// assert_eq!(map.iter().nth(0).unwrap().name(), "CTB");
5945 /// assert_eq!(map.iter().nth(0).unwrap().offset(), 0);
5946 /// assert_eq!(map.iter().nth(0).unwrap().as_bytes(), &[0xcb]);
5947 /// # Ok(()) }
5948 /// ```
5949 pub fn map(&self) -> Option<&map::Map> {
5950 self.map.as_ref()
5951 }
5952
5953 /// Takes the map (if any is written).
5954 ///
5955 /// # Examples
5956 ///
5957 /// ```
5958 /// # fn main() -> sequoia_openpgp::Result<()> {
5959 /// use sequoia_openpgp as openpgp;
5960 /// use openpgp::parse::{Parse, PacketParserBuilder};
5961 ///
5962 /// let message_data = b"\xcb\x12t\x00\x00\x00\x00\x00Hello world.";
5963 /// let mut pp = PacketParserBuilder::from_bytes(message_data)?
5964 /// .map(true) // Enable mapping.
5965 /// .build()?
5966 /// .expect("One packet, not EOF");
5967 /// let map = pp.take_map().expect("Mapping is enabled");
5968 ///
5969 /// assert_eq!(map.iter().nth(0).unwrap().name(), "CTB");
5970 /// assert_eq!(map.iter().nth(0).unwrap().offset(), 0);
5971 /// assert_eq!(map.iter().nth(0).unwrap().as_bytes(), &[0xcb]);
5972 /// # Ok(()) }
5973 /// ```
5974 pub fn take_map(&mut self) -> Option<map::Map> {
5975 self.map.take()
5976 }
5977
5978 /// Checks if we are processing a signed message using the
5979 /// Cleartext Signature Framework.
5980 pub(crate) fn processing_csf_message(&self) -> bool {
5981 Cookie::processing_csf_message(&self.reader)
5982 }
5983}
5984
5985/// This interface allows a caller to read the content of a
5986/// `PacketParser` using the `Read` interface. This is essential to
5987/// supporting streaming operation.
5988///
5989/// Note: it is safe to mix the use of the `std::io::Read` and
5990/// `BufferedReader` interfaces.
5991impl<'a> io::Read for PacketParser<'a> {
5992 fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
5993 // The BufferedReader interface takes care of hashing the read
5994 // values.
5995 buffered_reader_generic_read_impl(self, buf)
5996 }
5997}
5998
5999/// This interface allows a caller to read the content of a
6000/// `PacketParser` using the `BufferedReader` interface. This is
6001/// essential to supporting streaming operation.
6002///
6003/// Note: it is safe to mix the use of the `std::io::Read` and
6004/// `BufferedReader` interfaces.
6005impl<'a> BufferedReader<Cookie> for PacketParser<'a> {
6006 fn buffer(&self) -> &[u8] {
6007 self.reader.buffer()
6008 }
6009
6010 fn data(&mut self, amount: usize) -> io::Result<&[u8]> {
6011 // There is no need to set `content_was_read`, because this
6012 // doesn't actually consume any data.
6013 self.reader.data(amount)
6014 }
6015
6016 fn data_hard(&mut self, amount: usize) -> io::Result<&[u8]> {
6017 // There is no need to set `content_was_read`, because this
6018 // doesn't actually consume any data.
6019 self.reader.data_hard(amount)
6020 }
6021
6022 fn data_eof(&mut self) -> io::Result<&[u8]> {
6023 // There is no need to set `content_was_read`, because this
6024 // doesn't actually consume any data.
6025 self.reader.data_eof()
6026 }
6027
6028 fn consume(&mut self, amount: usize) -> &[u8] {
6029 // This is awkward. Juggle mutable references around.
6030 if let Some(mut body_hash) = self.body_hash.take() {
6031 let data = self.data_hard(amount)
6032 .expect("It is an error to consume more than data returns");
6033 body_hash.update(&data[..amount]);
6034 self.body_hash = Some(body_hash);
6035 self.content_was_read |= amount > 0;
6036 } else {
6037 panic!("body_hash is None");
6038 }
6039
6040 self.reader.consume(amount)
6041 }
6042
6043 fn data_consume(&mut self, mut amount: usize) -> io::Result<&[u8]> {
6044 // This is awkward. Juggle mutable references around.
6045 if let Some(mut body_hash) = self.body_hash.take() {
6046 let data = self.data(amount)?;
6047 amount = cmp::min(data.len(), amount);
6048 body_hash.update(&data[..amount]);
6049 self.body_hash = Some(body_hash);
6050 self.content_was_read |= amount > 0;
6051 } else {
6052 panic!("body_hash is None");
6053 }
6054
6055 self.reader.data_consume(amount)
6056 }
6057
6058 fn data_consume_hard(&mut self, amount: usize) -> io::Result<&[u8]> {
6059 // This is awkward. Juggle mutable references around.
6060 if let Some(mut body_hash) = self.body_hash.take() {
6061 let data = self.data_hard(amount)?;
6062 body_hash.update(&data[..amount]);
6063 self.body_hash = Some(body_hash);
6064 self.content_was_read |= amount > 0;
6065 } else {
6066 panic!("body_hash is None");
6067 }
6068
6069 self.reader.data_consume_hard(amount)
6070 }
6071
6072 fn steal(&mut self, amount: usize) -> io::Result<Vec<u8>> {
6073 let v = self.reader.steal(amount)?;
6074 self.hash_read_content(&v);
6075 Ok(v)
6076 }
6077
6078 fn steal_eof(&mut self) -> io::Result<Vec<u8>> {
6079 let v = self.reader.steal_eof()?;
6080 self.hash_read_content(&v);
6081 Ok(v)
6082 }
6083
6084 fn get_mut(&mut self) -> Option<&mut dyn BufferedReader<Cookie>> {
6085 None
6086 }
6087
6088 fn get_ref(&self) -> Option<&dyn BufferedReader<Cookie>> {
6089 None
6090 }
6091
6092 fn into_inner<'b>(self: Box<Self>)
6093 -> Option<Box<dyn BufferedReader<Cookie> + 'b>>
6094 where Self: 'b {
6095 None
6096 }
6097
6098 fn cookie_set(&mut self, cookie: Cookie)
6099 -> Cookie {
6100 self.reader.cookie_set(cookie)
6101 }
6102
6103 fn cookie_ref(&self) -> &Cookie {
6104 self.reader.cookie_ref()
6105 }
6106
6107 fn cookie_mut(&mut self) -> &mut Cookie {
6108 self.reader.cookie_mut()
6109 }
6110}
6111
6112// Check that we can use the read interface to stream the contents of
6113// a packet.
6114#[cfg(feature = "compression-deflate")]
6115#[test]
6116fn packet_parser_reader_interface() {
6117 // We need the Read trait.
6118 use std::io::Read;
6119
6120 let expected = crate::tests::manifesto();
6121
6122 // A message containing a compressed packet that contains a
6123 // literal packet.
6124 let pp = PacketParser::from_bytes(
6125 crate::tests::message("compressed-data-algo-1.pgp")).unwrap().unwrap();
6126
6127 // The message has the form:
6128 //
6129 // [ compressed data [ literal data ] ]
6130 //
6131 // packet is the compressed data packet; ppo is the literal data
6132 // packet.
6133 let packet_depth = pp.recursion_depth();
6134 let (packet, ppr) = pp.recurse().unwrap();
6135 let pp_depth = ppr.as_ref().unwrap().recursion_depth();
6136 if let Packet::CompressedData(_) = packet {
6137 } else {
6138 panic!("Expected a compressed data packet.");
6139 }
6140
6141 let relative_position = pp_depth - packet_depth;
6142 assert_eq!(relative_position, 1);
6143
6144 let mut pp = ppr.unwrap();
6145
6146 if let Packet::Literal(_) = pp.packet {
6147 } else {
6148 panic!("Expected a literal data packet.");
6149 }
6150
6151 // Check that we can read the packet's contents. We do this one
6152 // byte at a time to exercise the cursor implementation.
6153 for i in 0..expected.len() {
6154 let mut buf = [0u8; 1];
6155 let r = pp.read(&mut buf).unwrap();
6156 assert_eq!(r, 1);
6157 assert_eq!(buf[0], expected[i]);
6158 }
6159 // And, now an EOF.
6160 let mut buf = [0u8; 1];
6161 let r = pp.read(&mut buf).unwrap();
6162 assert_eq!(r, 0);
6163
6164 // Make sure we can still get the next packet (which in this case
6165 // is just EOF).
6166 let (packet, ppr) = pp.recurse().unwrap();
6167 assert!(ppr.is_eof());
6168 // Since we read all the data, we expect content to be None.
6169 assert_eq!(packet.unprocessed_body().unwrap().len(), 0);
6170}
6171
6172impl<'a> PacketParser<'a> {
6173 /// Tries to decrypt the current packet.
6174 ///
6175 /// On success, this function pushes one or more readers onto the
6176 /// `PacketParser`'s reader stack, and sets the packet parser's
6177 /// `processed` flag (see [`PacketParser::processed`]).
6178 ///
6179 /// [`PacketParser::processed`]: PacketParser::processed()
6180 ///
6181 /// If this function is called on a packet that does not contain
6182 /// encrypted data, or some of the data was already read, then it
6183 /// returns [`Error::InvalidOperation`].
6184 ///
6185 /// [`Error::InvalidOperation`]: super::Error::InvalidOperation
6186 ///
6187 /// # Examples
6188 ///
6189 /// ```rust
6190 /// # fn main() -> sequoia_openpgp::Result<()> {
6191 /// use sequoia_openpgp as openpgp;
6192 /// use openpgp::Packet;
6193 /// use openpgp::fmt::hex;
6194 /// use openpgp::types::SymmetricAlgorithm;
6195 /// use openpgp::parse::{Parse, PacketParserResult, PacketParser};
6196 ///
6197 /// // Parse an encrypted message.
6198 /// let message_data: &[u8] = // ...
6199 /// # include_bytes!("../tests/data/messages/encrypted-aes256-password-123.pgp");
6200 /// let mut ppr = PacketParser::from_bytes(message_data)?;
6201 /// while let PacketParserResult::Some(mut pp) = ppr {
6202 /// if let Packet::SEIP(_) = pp.packet {
6203 /// pp.decrypt(SymmetricAlgorithm::AES256,
6204 /// &hex::decode("7EF4F08C44F780BEA866961423306166\
6205 /// B8912C43352F3D9617F745E4E3939710")?
6206 /// .into())?;
6207 /// }
6208 ///
6209 /// // Start parsing the next packet, recursing.
6210 /// ppr = pp.recurse()?.1;
6211 /// }
6212 /// # Ok(()) }
6213 /// ```
6214 ///
6215 /// # Security Considerations
6216 ///
6217 /// This functions returns rich errors in case the decryption
6218 /// fails. In combination with certain asymmetric algorithms
6219 /// (RSA), this may lead to compromise of secret key material or
6220 /// (partial) recovery of the message's plain text. See [Section
6221 /// 13 of RFC 9580].
6222 ///
6223 /// [Section 13 of RFC 9580]: https://www.rfc-editor.org/rfc/rfc9580.html#section-13
6224 ///
6225 /// DO NOT relay these errors in situations where an attacker can
6226 /// request decryption of messages in an automated fashion. The
6227 /// API of the streaming [`Decryptor`] prevents leaking rich
6228 /// decryption errors.
6229 ///
6230 /// [`Decryptor`]: stream::Decryptor
6231 ///
6232 /// Nevertheless, decrypting messages that do not use an
6233 /// authenticated encryption mode in an automated fashion that
6234 /// relays or leaks information to a third party is NEVER SAFE due
6235 /// to unavoidable format oracles, see [Format Oracles on
6236 /// OpenPGP].
6237 ///
6238 /// [Format Oracles on OpenPGP]: https://www.ssi.gouv.fr/uploads/2015/05/format-Oracles-on-OpenPGP.pdf
6239 pub fn decrypt<A>(&mut self, algo: A, key: &SessionKey)
6240 -> Result<()>
6241 where
6242 A: Into<Option<SymmetricAlgorithm>>,
6243 {
6244 self.decrypt_(algo.into(), key)
6245 }
6246
6247 fn decrypt_(&mut self,
6248 algo: Option<SymmetricAlgorithm>,
6249 key: &SessionKey)
6250 -> Result<()>
6251 {
6252 let indent = self.recursion_depth();
6253 tracer!(TRACE, "PacketParser::decrypt", indent);
6254
6255 if self.content_was_read {
6256 return Err(Error::InvalidOperation(
6257 "Packet's content has already been read.".to_string()).into());
6258 }
6259 if self.processed {
6260 return Err(Error::InvalidOperation(
6261 "Packet not encrypted.".to_string()).into());
6262 }
6263
6264 match self.packet.clone() {
6265 Packet::SEIP(SEIP::V1(_)) => {
6266 use crate::crypto::symmetric::{
6267 BlockCipherMode,
6268 UnpaddingMode,
6269 };
6270
6271 let algo = if let Some(a) = algo {
6272 a
6273 } else {
6274 return Err(Error::InvalidOperation(
6275 "Trying to decrypt a SEIPDv1 packet: \
6276 no symmetric algorithm given".into()).into());
6277 };
6278
6279 if algo.key_size()? != key.len () {
6280 return Err(Error::InvalidOperation(
6281 format!("Bad key size: {} expected: {}",
6282 key.len(), algo.key_size()?)).into());
6283 }
6284
6285 // Get the first blocksize plus two bytes and check
6286 // whether we can decrypt them using the provided key.
6287 // Don't actually consume them in case we can't.
6288 let bl = algo.block_size()?;
6289
6290 {
6291 let cur = buffered_reader::Memory::with_cookie(
6292 &self.data_hard(bl + 2)?[..bl + 2],
6293 Default::default());
6294 let mut dec = InternalDecryptor::new(
6295 algo, BlockCipherMode::CFB, UnpaddingMode::None,
6296 key, None, cur)?;
6297 let mut header = vec![ 0u8; bl + 2 ];
6298 dec.read_exact(&mut header)?;
6299
6300 if !(header[bl - 2] == header[bl]
6301 && header[bl - 1] == header[bl + 1]) {
6302 return Err(Error::InvalidSessionKey(
6303 "Decryption failed".into()).into());
6304 }
6305 }
6306
6307 // Ok, we can decrypt the data. Push a Decryptor and
6308 // a HashedReader on the `BufferedReader` stack.
6309
6310 // This can't fail, because we create a decryptor
6311 // above with the same parameters.
6312 let reader = self.take_reader();
6313 let mut reader = Decryptor::with_cookie(
6314 algo, BlockCipherMode::CFB, UnpaddingMode::None,
6315 key, None, reader, Cookie::default())?;
6316 reader.cookie_mut().level = Some(self.recursion_depth());
6317
6318 t!("Pushing Decryptor, level {:?}.", reader.cookie_ref().level);
6319
6320 // And the hasher.
6321 let mut reader = HashedReader::new(
6322 reader, HashesFor::MDC,
6323 vec![HashingMode::Binary(vec![], HashAlgorithm::SHA1)])?;
6324 reader.cookie_mut().level = Some(self.recursion_depth());
6325
6326 t!("Pushing HashedReader, level {:?}.",
6327 reader.cookie_ref().level);
6328
6329 // A SEIP packet is a container that always ends with
6330 // an MDC packet. But, if the packet preceding the
6331 // MDC packet uses an indeterminate length encoding
6332 // (gpg generates these for compressed data packets,
6333 // for instance), the parser has to detect the EOF and
6334 // be careful to not read any further. Unfortunately,
6335 // our decompressor buffers the data. To stop the
6336 // decompressor from buffering the MDC packet, we use
6337 // a buffered_reader::Reserve. Note: we do this
6338 // unconditionally, since it doesn't otherwise
6339 // interfere with parsing.
6340
6341 // An MDC consists of a 1-byte CTB, a 1-byte length
6342 // encoding, and a 20-byte hash.
6343 let mut reader = buffered_reader::Reserve::with_cookie(
6344 reader, 1 + 1 + 20,
6345 Cookie::new(self.recursion_depth()));
6346 reader.cookie_mut().fake_eof = true;
6347
6348 t!("Pushing buffered_reader::Reserve, level: {}.",
6349 self.recursion_depth());
6350
6351 // Consume the header. This shouldn't fail, because
6352 // it worked when reading the header.
6353 reader.data_consume_hard(bl + 2).unwrap();
6354
6355 self.reader = Box::new(reader);
6356 self.processed = true;
6357
6358 Ok(())
6359 },
6360
6361 Packet::SEIP(SEIP::V2(seip)) => {
6362 let chunk_size =
6363 aead::chunk_size_usize(seip.chunk_size())?;
6364
6365 let schedule = aead::SEIPv2Schedule::new(
6366 key,
6367 seip.symmetric_algo(),
6368 seip.aead(),
6369 chunk_size,
6370 seip.salt())?;
6371
6372 // Read the first chunk and check whether we can
6373 // decrypt it using the provided key. Don't actually
6374 // consume them in case we can't.
6375 {
6376 // We need a bit more than one chunk so that
6377 // `aead::Decryptor` won't see EOF and think that
6378 // it has a partial block and it needs to verify
6379 // the final chunk.
6380 let amount = aead::chunk_size_usize(
6381 seip.chunk_digest_size()?
6382 + seip.aead().digest_size()? as u64)?;
6383
6384 let data = self.data(amount)?;
6385 let cur = buffered_reader::Memory::with_cookie(
6386 &data[..cmp::min(data.len(), amount)],
6387 Default::default());
6388
6389 let dec = aead::InternalDecryptor::new(
6390 seip.symmetric_algo(), seip.aead(), chunk_size,
6391 schedule.clone(),
6392 cur)?;
6393 let mut chunk = Vec::new();
6394 dec.take(seip.chunk_size() as u64).read_to_end(&mut chunk)?;
6395 }
6396
6397 // Ok, we can decrypt the data. Push a Decryptor and
6398 // a HashedReader on the `BufferedReader` stack.
6399
6400 let reader = self.take_reader();
6401 let mut reader = aead::Decryptor::with_cookie(
6402 seip.symmetric_algo(), seip.aead(), chunk_size,
6403 schedule, reader, Cookie::default()).unwrap();
6404 reader.cookie_mut().level = Some(self.recursion_depth());
6405
6406 t!("Pushing aead::Decryptor, level {:?}.",
6407 reader.cookie_ref().level);
6408
6409 self.reader = Box::new(reader);
6410 self.processed = true;
6411
6412 Ok(())
6413 },
6414
6415 _ =>
6416 Err(Error::InvalidOperation(
6417 format!("Can't decrypt {:?} packets.",
6418 self.packet.tag())).into())
6419 }
6420 }
6421}
6422
6423#[cfg(test)]
6424mod test {
6425 use super::*;
6426 use crate::serialize::Serialize;
6427
6428 enum Data<'a> {
6429 File(&'a str),
6430 String(&'a [u8]),
6431 }
6432
6433 impl<'a> Data<'a> {
6434 fn content(&self) -> Vec<u8> {
6435 match self {
6436 Data::File(filename) => crate::tests::message(filename).to_vec(),
6437 Data::String(data) => data.to_vec(),
6438 }
6439 }
6440 }
6441
6442 struct DecryptTest<'a> {
6443 filename: &'a str,
6444 algo: SymmetricAlgorithm,
6445 aead_algo: Option<AEADAlgorithm>,
6446 key_hex: &'a str,
6447 plaintext: Data<'a>,
6448 paths: &'a[ (Tag, &'a[ usize ] ) ],
6449 }
6450 const DECRYPT_TESTS: &[DecryptTest] = &[
6451 // Messages with a relatively simple structure:
6452 //
6453 // [ SKESK SEIP [ Literal MDC ] ].
6454 //
6455 // And simple length encodings (no indeterminate length
6456 // encodings).
6457 DecryptTest {
6458 filename: "encrypted-aes256-password-123.pgp",
6459 algo: SymmetricAlgorithm::AES256,
6460 aead_algo: None,
6461 key_hex: "7EF4F08C44F780BEA866961423306166B8912C43352F3D9617F745E4E3939710",
6462 plaintext: Data::File("a-cypherpunks-manifesto.txt"),
6463 paths: &[
6464 (Tag::SKESK, &[ 0 ]),
6465 (Tag::SEIP, &[ 1 ]),
6466 (Tag::Literal, &[ 1, 0 ]),
6467 (Tag::MDC, &[ 1, 1 ]),
6468 ],
6469 },
6470 DecryptTest {
6471 filename: "encrypted-aes192-password-123456.pgp",
6472 algo: SymmetricAlgorithm::AES192,
6473 aead_algo: None,
6474 key_hex: "B2F747F207EFF198A6C826F1D398DE037986218ED468DB61",
6475 plaintext: Data::File("a-cypherpunks-manifesto.txt"),
6476 paths: &[
6477 (Tag::SKESK, &[ 0 ]),
6478 (Tag::SEIP, &[ 1 ]),
6479 (Tag::Literal, &[ 1, 0 ]),
6480 (Tag::MDC, &[ 1, 1 ]),
6481 ],
6482 },
6483 DecryptTest {
6484 filename: "encrypted-aes128-password-123456789.pgp",
6485 algo: SymmetricAlgorithm::AES128,
6486 aead_algo: None,
6487 key_hex: "AC0553096429260B4A90B1CEC842D6A0",
6488 plaintext: Data::File("a-cypherpunks-manifesto.txt"),
6489 paths: &[
6490 (Tag::SKESK, &[ 0 ]),
6491 (Tag::SEIP, &[ 1 ]),
6492 (Tag::Literal, &[ 1, 0 ]),
6493 (Tag::MDC, &[ 1, 1 ]),
6494 ],
6495 },
6496
6497 // Created using:
6498 //
6499 // gpg --compression-algo none \
6500 // --s2k-digest-algo sha256 \
6501 // --cipher-algo camellia256 \
6502 // --s2k-cipher-algo camellia256 \
6503 // --encrypt --symmetric \
6504 // -o encrypted-camellia256-password-123.pgp \
6505 // a-cypherpunks-manifesto.txt
6506 DecryptTest {
6507 filename: "encrypted-camellia256-password-123.pgp",
6508 algo: SymmetricAlgorithm::Camellia256,
6509 aead_algo: None,
6510 key_hex: "FC9644B500B9D0540880CB44B40F8C89\
6511 A7D817F2EF7EF9DA0D34A574377E300A",
6512 plaintext: Data::File("a-cypherpunks-manifesto.txt"),
6513 paths: &[
6514 (Tag::SKESK, &[ 0 ]),
6515 (Tag::SEIP, &[ 1 ]),
6516 (Tag::Literal, &[ 1, 0 ]),
6517 (Tag::MDC, &[ 1, 1 ]),
6518 ],
6519 },
6520 DecryptTest {
6521 filename: "encrypted-camellia192-password-123.pgp",
6522 algo: SymmetricAlgorithm::Camellia192,
6523 aead_algo: None,
6524 key_hex: "EC941DB1C5F4D3605E3F3C10B30888DA3287256E55CC978B",
6525 plaintext: Data::File("a-cypherpunks-manifesto.txt"),
6526 paths: &[
6527 (Tag::SKESK, &[ 0 ]),
6528 (Tag::SEIP, &[ 1 ]),
6529 (Tag::Literal, &[ 1, 0 ]),
6530 (Tag::MDC, &[ 1, 1 ]),
6531 ],
6532 },
6533 DecryptTest {
6534 filename: "encrypted-camellia128-password-123.pgp",
6535 algo: SymmetricAlgorithm::Camellia128,
6536 aead_algo: None,
6537 key_hex: "E1CF87BF2E030CC89CBC0F03EC2B7DF5",
6538 plaintext: Data::File("a-cypherpunks-manifesto.txt"),
6539 paths: &[
6540 (Tag::SKESK, &[ 0 ]),
6541 (Tag::SEIP, &[ 1 ]),
6542 (Tag::Literal, &[ 1, 0 ]),
6543 (Tag::MDC, &[ 1, 1 ]),
6544 ],
6545 },
6546
6547 DecryptTest {
6548 filename: "encrypted-twofish-password-red-fish-blue-fish.pgp",
6549 algo: SymmetricAlgorithm::Twofish,
6550 aead_algo: None,
6551 key_hex: "96AFE1EDFA7C9CB7E8B23484C718015E5159CFA268594180D4DB68B2543393CB",
6552 plaintext: Data::File("a-cypherpunks-manifesto.txt"),
6553 paths: &[
6554 (Tag::SKESK, &[ 0 ]),
6555 (Tag::SEIP, &[ 1 ]),
6556 (Tag::Literal, &[ 1, 0 ]),
6557 (Tag::MDC, &[ 1, 1 ]),
6558 ],
6559 },
6560
6561 // More complex messages. In particular, some of these
6562 // messages include compressed data packets, and some are
6563 // signed. But what makes these particularly complex is the
6564 // use of an indeterminate length encoding, which checks the
6565 // buffered_reader::Reserve hack.
6566 #[cfg(feature = "compression-deflate")]
6567 DecryptTest {
6568 filename: "seip/msg-compression-not-signed-password-123.pgp",
6569 algo: SymmetricAlgorithm::AES128,
6570 aead_algo: None,
6571 key_hex: "86A8C1C7961F55A3BE181A990D0ABB2A",
6572 plaintext: Data::String(b"compression, not signed\n"),
6573 paths: &[
6574 (Tag::SKESK, &[ 0 ]),
6575 (Tag::SEIP, &[ 1 ]),
6576 (Tag::CompressedData, &[ 1, 0 ]),
6577 (Tag::Literal, &[ 1, 0, 0 ]),
6578 (Tag::MDC, &[ 1, 1 ]),
6579 ],
6580 },
6581 #[cfg(feature = "compression-deflate")]
6582 DecryptTest {
6583 filename: "seip/msg-compression-signed-password-123.pgp",
6584 algo: SymmetricAlgorithm::AES128,
6585 aead_algo: None,
6586 key_hex: "1B195CD35CAD4A99D9399B4CDA4CDA4E",
6587 plaintext: Data::String(b"compression, signed\n"),
6588 paths: &[
6589 (Tag::SKESK, &[ 0 ]),
6590 (Tag::SEIP, &[ 1 ]),
6591 (Tag::CompressedData, &[ 1, 0 ]),
6592 (Tag::OnePassSig, &[ 1, 0, 0 ]),
6593 (Tag::Literal, &[ 1, 0, 1 ]),
6594 (Tag::Signature, &[ 1, 0, 2 ]),
6595 (Tag::MDC, &[ 1, 1 ]),
6596 ],
6597 },
6598 DecryptTest {
6599 filename: "seip/msg-no-compression-not-signed-password-123.pgp",
6600 algo: SymmetricAlgorithm::AES128,
6601 aead_algo: None,
6602 key_hex: "AFB43B83A4B9D971E4B4A4C53749076A",
6603 plaintext: Data::String(b"no compression, not signed\n"),
6604 paths: &[
6605 (Tag::SKESK, &[ 0 ]),
6606 (Tag::SEIP, &[ 1 ]),
6607 (Tag::Literal, &[ 1, 0 ]),
6608 (Tag::MDC, &[ 1, 1 ]),
6609 ],
6610 },
6611 DecryptTest {
6612 filename: "seip/msg-no-compression-signed-password-123.pgp",
6613 algo: SymmetricAlgorithm::AES128,
6614 aead_algo: None,
6615 key_hex: "9D5DB92F77F0E4A356EE53813EF2C3DC",
6616 plaintext: Data::String(b"no compression, signed\n"),
6617 paths: &[
6618 (Tag::SKESK, &[ 0 ]),
6619 (Tag::SEIP, &[ 1 ]),
6620 (Tag::OnePassSig, &[ 1, 0 ]),
6621 (Tag::Literal, &[ 1, 1 ]),
6622 (Tag::Signature, &[ 1, 2 ]),
6623 (Tag::MDC, &[ 1, 3 ]),
6624 ],
6625 },
6626 ];
6627
6628 // Consume packets until we get to one in `keep`.
6629 fn consume_until<'a>(mut ppr: PacketParserResult<'a>,
6630 ignore_first: bool, keep: &[Tag], skip: &[Tag])
6631 -> PacketParserResult<'a>
6632 {
6633 if ignore_first {
6634 ppr = ppr.unwrap().recurse().unwrap().1;
6635 }
6636
6637 while let PacketParserResult::Some(pp) = ppr {
6638 let tag = pp.packet.tag();
6639 for t in keep.iter() {
6640 if *t == tag {
6641 return PacketParserResult::Some(pp);
6642 }
6643 }
6644
6645 let mut ok = false;
6646 for t in skip.iter() {
6647 if *t == tag {
6648 ok = true;
6649 }
6650 }
6651 if !ok {
6652 panic!("Packet not in keep ({:?}) or skip ({:?}) set: {:?}",
6653 keep, skip, pp.packet);
6654 }
6655
6656 ppr = pp.recurse().unwrap().1;
6657 }
6658 ppr
6659 }
6660
6661 #[test]
6662 fn decrypt_test() {
6663 decrypt_test_common(false);
6664 }
6665
6666 #[test]
6667 fn decrypt_test_stream() {
6668 decrypt_test_common(true);
6669 }
6670
6671 #[allow(deprecated)]
6672 fn decrypt_test_common(stream: bool) {
6673 for test in DECRYPT_TESTS.iter() {
6674 if !test.algo.is_supported() {
6675 eprintln!("Algorithm {} unsupported, skipping", test.algo);
6676 continue;
6677 }
6678
6679 if let Some(aead_algo) = test.aead_algo {
6680 if !aead_algo.is_supported() {
6681 eprintln!("AEAD algorithm {} unsupported by
6682 selected crypto backend, skipping", aead_algo);
6683 continue;
6684 }
6685 }
6686
6687 eprintln!("Decrypting {}, streaming content: {}",
6688 test.filename, stream);
6689
6690 let ppr = PacketParserBuilder::from_bytes(
6691 crate::tests::message(test.filename)).unwrap()
6692 .buffer_unread_content()
6693 .build()
6694 .unwrap_or_else(|_| panic!("Error reading {}", test.filename));
6695
6696 let mut ppr = consume_until(
6697 ppr, false, &[ Tag::SEIP, Tag::AED ][..],
6698 &[ Tag::SKESK, Tag::PKESK ][..] );
6699 if let PacketParserResult::Some(ref mut pp) = ppr {
6700 let key = crate::fmt::from_hex(test.key_hex, false)
6701 .unwrap().into();
6702
6703 pp.decrypt(Some(test.algo), &key).unwrap();
6704 } else {
6705 panic!("Expected a SEIP packet. Got: {:?}", ppr);
6706 }
6707
6708 let mut ppr = consume_until(
6709 ppr, true, &[ Tag::Literal ][..],
6710 &[ Tag::OnePassSig, Tag::CompressedData ][..]);
6711 if let PacketParserResult::Some(ref mut pp) = ppr {
6712 if stream {
6713 let mut body = Vec::new();
6714 loop {
6715 let mut b = [0];
6716 if pp.read(&mut b).unwrap() == 0 {
6717 break;
6718 }
6719 body.push(b[0]);
6720 }
6721
6722 assert_eq!(&body[..],
6723 &test.plaintext.content()[..],
6724 "{:?}", pp.packet);
6725 } else {
6726 pp.buffer_unread_content().unwrap();
6727 if let Packet::Literal(l) = &pp.packet {
6728 assert_eq!(l.body(), &test.plaintext.content()[..],
6729 "{:?}", pp.packet);
6730 } else {
6731 panic!("Expected literal, got: {:?}", pp.packet);
6732 }
6733 }
6734 } else {
6735 panic!("Expected a Literal packet. Got: {:?}", ppr);
6736 }
6737
6738 let ppr = consume_until(
6739 ppr, true, &[ Tag::MDC ][..], &[ Tag::Signature ][..]);
6740 if let PacketParserResult::Some(
6741 PacketParser { packet: Packet::MDC(ref mdc), .. }) = ppr
6742 {
6743 assert_eq!(mdc.computed_digest(), mdc.digest(),
6744 "MDC doesn't match");
6745 }
6746
6747 if ppr.is_eof() {
6748 // AED packets don't have an MDC packet.
6749 continue;
6750 }
6751 let ppr = consume_until(
6752 ppr, true, &[][..], &[][..]);
6753 assert!(ppr.is_eof());
6754 }
6755 }
6756
6757 #[test]
6758 fn message_validator() {
6759 for marker in 0..4 {
6760 let marker_before = marker & 1 > 0;
6761 let marker_after = marker & 2 > 0;
6762
6763 for test in DECRYPT_TESTS.iter() {
6764 if !test.algo.is_supported() {
6765 eprintln!("Algorithm {} unsupported, skipping", test.algo);
6766 continue;
6767 }
6768
6769 if let Some(aead_algo) = test.aead_algo {
6770 if !aead_algo.is_supported() {
6771 eprintln!("AEAD algorithm {} unsupported by
6772 selected crypto backend, skipping", aead_algo);
6773 continue;
6774 }
6775 }
6776
6777 let mut buf = Vec::new();
6778 if marker_before {
6779 Packet::Marker(Default::default()).serialize(&mut buf).unwrap();
6780 }
6781 buf.extend_from_slice(crate::tests::message(test.filename));
6782 if marker_after {
6783 Packet::Marker(Default::default()).serialize(&mut buf).unwrap();
6784 }
6785
6786 let mut ppr = PacketParserBuilder::from_bytes(&buf)
6787 .unwrap()
6788 .build()
6789 .unwrap_or_else(|_| panic!("Error reading {}", test.filename));
6790
6791 // Make sure we actually decrypted...
6792 let mut saw_literal = false;
6793 while let PacketParserResult::Some(mut pp) = ppr {
6794 pp.possible_message().unwrap();
6795
6796 match pp.packet {
6797 Packet::SEIP(_) => {
6798 let key = crate::fmt::from_hex(test.key_hex, false)
6799 .unwrap().into();
6800 pp.decrypt(Some(test.algo), &key).unwrap();
6801 },
6802 Packet::Literal(_) => {
6803 assert!(! saw_literal);
6804 saw_literal = true;
6805 },
6806 _ => {},
6807 }
6808
6809 ppr = pp.recurse().unwrap().1;
6810 }
6811 assert!(saw_literal);
6812 if let PacketParserResult::EOF(eof) = ppr {
6813 eof.is_message().unwrap();
6814 } else {
6815 unreachable!();
6816 }
6817 }
6818 }
6819 }
6820
6821 #[test]
6822 fn keyring_validator() {
6823 for marker in 0..4 {
6824 let marker_before = marker & 1 > 0;
6825 let marker_after = marker & 2 > 0;
6826
6827 for test in &["testy.pgp",
6828 "lutz.pgp",
6829 "testy-new.pgp",
6830 "neal.pgp"]
6831 {
6832 let mut buf = Vec::new();
6833 if marker_before {
6834 Packet::Marker(Default::default()).serialize(&mut buf).unwrap();
6835 }
6836 buf.extend_from_slice(crate::tests::key("testy.pgp"));
6837 buf.extend_from_slice(crate::tests::key(test));
6838 if marker_after {
6839 Packet::Marker(Default::default()).serialize(&mut buf).unwrap();
6840 }
6841
6842 let mut ppr = PacketParserBuilder::from_bytes(&buf)
6843 .unwrap()
6844 .build()
6845 .unwrap_or_else(|_| panic!("Error reading {:?}", test));
6846
6847 while let PacketParserResult::Some(pp) = ppr {
6848 assert!(pp.possible_keyring().is_ok());
6849 ppr = pp.recurse().unwrap().1;
6850 }
6851 if let PacketParserResult::EOF(eof) = ppr {
6852 assert!(eof.is_keyring().is_ok());
6853 assert!(eof.is_cert().is_err());
6854 } else {
6855 unreachable!();
6856 }
6857 }
6858 }
6859 }
6860
6861 #[test]
6862 fn cert_validator() {
6863 for marker in 0..4 {
6864 let marker_before = marker & 1 > 0;
6865 let marker_after = marker & 2 > 0;
6866
6867 for test in &["testy.pgp",
6868 "lutz.pgp",
6869 "testy-new.pgp",
6870 "neal.pgp"]
6871 {
6872 let mut buf = Vec::new();
6873 if marker_before {
6874 Packet::Marker(Default::default()).serialize(&mut buf).unwrap();
6875 }
6876 buf.extend_from_slice(crate::tests::key(test));
6877 if marker_after {
6878 Packet::Marker(Default::default()).serialize(&mut buf).unwrap();
6879 }
6880
6881 let mut ppr = PacketParserBuilder::from_bytes(&buf)
6882 .unwrap()
6883 .build()
6884 .unwrap_or_else(|_| panic!("Error reading {:?}", test));
6885
6886 while let PacketParserResult::Some(pp) = ppr {
6887 assert!(pp.possible_keyring().is_ok());
6888 assert!(pp.possible_cert().is_ok());
6889 ppr = pp.recurse().unwrap().1;
6890 }
6891 if let PacketParserResult::EOF(eof) = ppr {
6892 assert!(eof.is_keyring().is_ok());
6893 assert!(eof.is_cert().is_ok());
6894 } else {
6895 unreachable!();
6896 }
6897 }
6898 }
6899 }
6900
6901 // If we don't decrypt the SEIP packet, it shows up as opaque
6902 // content.
6903 #[test]
6904 fn message_validator_opaque_content() {
6905 for test in DECRYPT_TESTS.iter() {
6906 let mut ppr = PacketParserBuilder::from_bytes(
6907 crate::tests::message(test.filename)).unwrap()
6908 .build()
6909 .unwrap_or_else(|_| panic!("Error reading {}", test.filename));
6910
6911 let mut saw_literal = false;
6912 while let PacketParserResult::Some(pp) = ppr {
6913 assert!(pp.possible_message().is_ok());
6914
6915 match pp.packet {
6916 Packet::Literal(_) => {
6917 assert!(! saw_literal);
6918 saw_literal = true;
6919 },
6920 _ => {},
6921 }
6922
6923 ppr = pp.recurse().unwrap().1;
6924 }
6925 assert!(! saw_literal);
6926 if let PacketParserResult::EOF(eof) = ppr {
6927 eprintln!("eof: {:?}; message: {:?}", eof, eof.is_message());
6928 assert!(eof.is_message().is_ok());
6929 } else {
6930 unreachable!();
6931 }
6932 }
6933 }
6934
6935 #[test]
6936 fn path() {
6937 for test in DECRYPT_TESTS.iter() {
6938 if !test.algo.is_supported() {
6939 eprintln!("Algorithm {} unsupported, skipping", test.algo);
6940 continue;
6941 }
6942
6943 if let Some(aead_algo) = test.aead_algo {
6944 if !aead_algo.is_supported() {
6945 eprintln!("AEAD algorithm {} unsupported, skipping", aead_algo);
6946 continue;
6947 }
6948 }
6949
6950 eprintln!("Decrypting {}", test.filename);
6951
6952 let mut ppr = PacketParserBuilder::from_bytes(
6953 crate::tests::message(test.filename)).unwrap()
6954 .build()
6955 .unwrap_or_else(|_| panic!("Error reading {}", test.filename));
6956
6957 let mut last_path = vec![];
6958
6959 let mut paths = test.paths.to_vec();
6960 // We pop from the end.
6961 paths.reverse();
6962
6963 while let PacketParserResult::Some(mut pp) = ppr {
6964 let path = paths.pop().expect("Message longer than expect");
6965 assert_eq!(path.0, pp.packet.tag());
6966 assert_eq!(path.1, pp.path());
6967
6968 assert_eq!(last_path, pp.last_path());
6969 last_path = pp.path.to_vec();
6970
6971 eprintln!(" {}: {:?}", pp.packet.tag(), pp.path());
6972
6973 match pp.packet {
6974 Packet::SEIP(_) => {
6975 let key = crate::fmt::from_hex(test.key_hex, false)
6976 .unwrap().into();
6977
6978 pp.decrypt(test.algo, &key).unwrap();
6979 }
6980 _ => (),
6981 }
6982
6983 ppr = pp.recurse().unwrap().1;
6984 }
6985 paths.reverse();
6986 assert_eq!(paths.len(), 0,
6987 "Message shorter than expected (expecting: {:?})",
6988 paths);
6989
6990 if let PacketParserResult::EOF(eof) = ppr {
6991 assert_eq!(last_path, eof.last_path());
6992 } else {
6993 panic!("Expect an EOF");
6994 }
6995 }
6996 }
6997
6998 #[test]
6999 fn corrupted_cert() {
7000 use crate::armor::{Reader, ReaderMode, Kind};
7001
7002 // The following Cert is corrupted about a third the way
7003 // through. Make sure we can recover.
7004 let mut ppr = PacketParser::from_reader(
7005 Reader::from_bytes(crate::tests::key("corrupted.pgp"),
7006 ReaderMode::Tolerant(Some(Kind::PublicKey))))
7007 .unwrap();
7008
7009 let mut sigs = 0;
7010 let mut subkeys = 0;
7011 let mut userids = 0;
7012 let mut uas = 0;
7013 let mut unknown = 0;
7014 while let PacketParserResult::Some(pp) = ppr {
7015 match pp.packet {
7016 Packet::Signature(_) => sigs += 1,
7017 Packet::PublicSubkey(_) => subkeys += 1,
7018 Packet::UserID(_) => userids += 1,
7019 Packet::UserAttribute(_) => uas += 1,
7020 Packet::Unknown(ref p) => {
7021 dbg!(p);
7022 unknown += 1;
7023 },
7024 _ => (),
7025 }
7026
7027 ppr = pp.next().unwrap().1;
7028 }
7029
7030 assert_eq!(sigs, 53);
7031 assert_eq!(subkeys, 3);
7032 assert_eq!(userids, 5);
7033 assert_eq!(uas, 0);
7034 assert_eq!(unknown, 2);
7035 }
7036
7037 #[test]
7038 fn junk_prefix() {
7039 // Make sure we can read the first packet.
7040 let msg = crate::tests::message("sig.pgp");
7041
7042 let ppr = PacketParserBuilder::from_bytes(msg).unwrap()
7043 .dearmor(packet_parser_builder::Dearmor::Disabled)
7044 .build();
7045 assert_match!(Ok(PacketParserResult::Some(ref _pp)) = ppr);
7046
7047
7048 // Prepend an invalid byte and make sure we fail. Note: we
7049 // have a mechanism to skip corruption, however, that is only
7050 // activated once we've seen a good packet. This test checks
7051 // that we don't try to recover.
7052 let mut msg2 = Vec::new();
7053 msg2.push(0);
7054 msg2.extend_from_slice(msg);
7055
7056 let ppr = PacketParserBuilder::from_bytes(&msg2[..]).unwrap()
7057 .dearmor(packet_parser_builder::Dearmor::Disabled)
7058 .build();
7059 assert_match!(Err(_) = ppr);
7060 }
7061
7062 /// Issue #141.
7063 #[test]
7064 fn truncated_packet() {
7065 for msg in &[crate::tests::message("literal-mode-b.pgp"),
7066 crate::tests::message("literal-mode-t-partial-body.pgp"),
7067 ] {
7068 // Make sure we can read the first packet.
7069 let ppr = PacketParserBuilder::from_bytes(msg).unwrap()
7070 .dearmor(packet_parser_builder::Dearmor::Disabled)
7071 .build();
7072 assert_match!(Ok(PacketParserResult::Some(ref _pp)) = ppr);
7073
7074 // Now truncate the packet.
7075 let msg2 = &msg[..msg.len() - 1];
7076 let ppr = PacketParserBuilder::from_bytes(msg2).unwrap()
7077 .dearmor(packet_parser_builder::Dearmor::Disabled)
7078 .build().unwrap();
7079 if let PacketParserResult::Some(pp) = ppr {
7080 let err = pp.next().err().unwrap();
7081 assert_match!(Some(&Error::MalformedPacket(_))
7082 = err.downcast_ref());
7083 } else {
7084 panic!("No packet!?");
7085 }
7086 }
7087 }
7088
7089 #[test]
7090 fn max_packet_size() {
7091 use crate::serialize::Serialize;
7092 let uid = Packet::UserID("foobar".into());
7093 let mut buf = Vec::new();
7094 uid.serialize(&mut buf).unwrap();
7095
7096 // Make sure we can read it.
7097 let ppr = PacketParserBuilder::from_bytes(&buf).unwrap()
7098 .build().unwrap();
7099 if let PacketParserResult::Some(pp) = ppr {
7100 assert_eq!(Packet::UserID("foobar".into()), pp.packet);
7101 } else {
7102 panic!("failed to parse userid");
7103 }
7104
7105 // But if we set the maximum packet size too low, it is parsed
7106 // into an unknown packet.
7107 let ppr = PacketParserBuilder::from_bytes(&buf).unwrap()
7108 .max_packet_size(5)
7109 .build().unwrap();
7110 if let PacketParserResult::Some(pp) = ppr {
7111 if let Packet::Unknown(ref u) = pp.packet {
7112 assert_eq!(u.tag(), Tag::UserID);
7113 assert_match!(Some(&Error::PacketTooLarge(_, _, _))
7114 = u.error().downcast_ref());
7115 } else {
7116 panic!("expected an unknown packet, got {:?}", pp.packet);
7117 }
7118 } else {
7119 panic!("failed to parse userid");
7120 }
7121
7122 }
7123
7124 /// We erroneously assumed that when BufferedReader::next() is
7125 /// called, a SEIP container be opaque and hence there cannot be a
7126 /// buffered_reader::Reserve on the stack with Cookie::fake_eof
7127 /// set. But, we could simply call BufferedReader::next() after
7128 /// the SEIP packet is decrypted, or buffer a SEIP packet's body,
7129 /// then call BufferedReader::recurse(), which falls back to
7130 /// BufferedReader::next() because some data has been read.
7131 #[test]
7132 fn issue_455() -> Result<()> {
7133 let sk: SessionKey =
7134 crate::fmt::hex::decode("3E99593760EE241488462BAFAE4FA268\
7135 260B14B82D310D196DCEC82FD4F67678")?.into();
7136 let algo = SymmetricAlgorithm::AES256;
7137
7138 // Decrypt, then call BufferedReader::next().
7139 eprintln!("Decrypt, then next():\n");
7140 let mut ppr = PacketParser::from_bytes(
7141 crate::tests::message("encrypted-to-testy.pgp"))?;
7142 while let PacketParserResult::Some(mut pp) = ppr {
7143 match &pp.packet {
7144 Packet::SEIP(_) => {
7145 pp.decrypt(algo, &sk)?;
7146 },
7147 _ => (),
7148 }
7149 // Used to trigger the assertion failure on the SEIP
7150 // packet:
7151 ppr = pp.next()?.1;
7152 }
7153
7154 // Decrypt, buffer, then call BufferedReader::recurse().
7155 eprintln!("\nDecrypt, buffer, then recurse():\n");
7156 let mut ppr = PacketParser::from_bytes(
7157 crate::tests::message("encrypted-to-testy.pgp"))?;
7158 while let PacketParserResult::Some(mut pp) = ppr {
7159 match &pp.packet {
7160 Packet::SEIP(_) => {
7161 pp.decrypt(algo, &sk)?;
7162 pp.buffer_unread_content()?;
7163 },
7164 _ => (),
7165 }
7166 // Used to trigger the assertion failure on the SEIP
7167 // packet:
7168 ppr = pp.recurse()?.1;
7169 }
7170 Ok(())
7171 }
7172
7173 /// Crash in the AED parser due to missing chunk size validation.
7174 #[test]
7175 fn issue_514() -> Result<()> {
7176 let data = &[212, 43, 1, 0, 0, 125, 212, 0, 10, 10, 10];
7177 let ppr = PacketParser::from_bytes(&data)?;
7178 let packet = &ppr.unwrap().packet;
7179 if let Packet::Unknown(_) = packet {
7180 Ok(())
7181 } else {
7182 panic!("expected unknown packet, got: {:?}", packet);
7183 }
7184 }
7185
7186 /// Malformed subpackets must not cause a hard parsing error.
7187 #[test]
7188 fn malformed_embedded_signature() -> Result<()> {
7189 let ppr = PacketParser::from_bytes(
7190 crate::tests::file("edge-cases/malformed-embedded-sig.pgp"))?;
7191 let packet = &ppr.unwrap().packet;
7192 if let Packet::Unknown(_) = packet {
7193 Ok(())
7194 } else {
7195 panic!("expected unknown packet, got: {:?}", packet);
7196 }
7197 }
7198
7199 /// Malformed notation names must not cause hard parsing errors.
7200 #[test]
7201 fn malformed_notation_name() -> Result<()> {
7202 let ppr = PacketParser::from_bytes(
7203 crate::tests::file("edge-cases/malformed-notation-name.pgp"))?;
7204 let packet = &ppr.unwrap().packet;
7205 if let Packet::Unknown(_) = packet {
7206 Ok(())
7207 } else {
7208 panic!("expected unknown packet, got: {:?}", packet);
7209 }
7210 }
7211
7212 /// Checks that the content hash is correctly computed whether
7213 /// the content has been (fully) read.
7214 #[test]
7215 fn issue_537() -> Result<()> {
7216 // Buffer unread content.
7217 let ppr0 = PacketParserBuilder::from_bytes(
7218 crate::tests::message("literal-mode-b.pgp"))?
7219 .buffer_unread_content()
7220 .build()?;
7221 let pp0 = ppr0.unwrap();
7222 let (packet0, _) = pp0.recurse()?;
7223
7224 // Drop unread content.
7225 let ppr1 = PacketParser::from_bytes(
7226 crate::tests::message("literal-mode-b.pgp"))?;
7227 let pp1 = ppr1.unwrap();
7228 let (packet1, _) = pp1.recurse()?;
7229
7230 // Read content.
7231 let ppr2 = PacketParser::from_bytes(
7232 crate::tests::message("literal-mode-b.pgp"))?;
7233 let mut pp2 = ppr2.unwrap();
7234 io::copy(&mut pp2, &mut io::sink())?;
7235 let (packet2, _) = pp2.recurse()?;
7236
7237 // Partially read content.
7238 let ppr3 = PacketParser::from_bytes(
7239 crate::tests::message("literal-mode-b.pgp"))?;
7240 let mut pp3 = ppr3.unwrap();
7241 let mut buf = [0];
7242 let nread = pp3.read(&mut buf)?;
7243 assert_eq!(buf.len(), nread);
7244 let (packet3, _) = pp3.recurse()?;
7245
7246 assert_eq!(packet0, packet1);
7247 assert_eq!(packet1, packet2);
7248 assert_eq!(packet2, packet3);
7249 Ok(())
7250 }
7251
7252 /// Checks that newlines are properly normalized when verifying
7253 /// text signatures.
7254 #[test]
7255 fn issue_530_verifying() -> Result<()> {
7256 use std::io::Write;
7257 use crate::*;
7258 use crate::packet::signature;
7259 use crate::serialize::stream::{Message, Signer};
7260
7261 use crate::policy::StandardPolicy;
7262 use crate::{Result, Cert};
7263 use crate::parse::Parse;
7264 use crate::parse::stream::*;
7265
7266 let data = b"one\r\ntwo\r\nthree";
7267
7268 let p = &StandardPolicy::new();
7269 let cert: Cert =
7270 Cert::from_bytes(crate::tests::key("testy-new-private.pgp"))?;
7271 let signing_keypair = cert.keys().secret()
7272 .with_policy(p, None).alive().revoked(false).for_signing().next().unwrap()
7273 .key().clone().into_keypair()?;
7274 let mut signature = vec![];
7275 {
7276 let message = Message::new(&mut signature);
7277 let mut message = Signer::with_template(
7278 message, signing_keypair,
7279 signature::SignatureBuilder::new(SignatureType::Text)
7280 )?.detached().build()?;
7281 message.write_all(data)?;
7282 message.finalize()?;
7283 }
7284
7285 struct Helper {}
7286 impl VerificationHelper for Helper {
7287 fn get_certs(&mut self, _ids: &[KeyHandle]) -> Result<Vec<Cert>> {
7288 Ok(vec![Cert::from_bytes(crate::tests::key("testy-new.pgp"))?])
7289 }
7290 fn check(&mut self, structure: MessageStructure) -> Result<()> {
7291 let [layer]: [&MessageLayer; 1] = structure
7292 .iter().collect::<Vec<_>>().try_into().unwrap();
7293 let MessageLayer::SignatureGroup { results } = layer else {
7294 unreachable!();
7295 };
7296 assert_eq!(results.len(), 1);
7297 results[0].as_ref().unwrap();
7298 assert!(results[0].is_ok());
7299 return Ok(());
7300 }
7301 }
7302
7303 let h = Helper {};
7304 let mut v = DetachedVerifierBuilder::from_bytes(&signature)?
7305 .with_policy(p, None, h)?;
7306
7307 for data in &[
7308 &b"one\r\ntwo\r\nthree"[..], // dos
7309 b"one\ntwo\nthree", // unix
7310 b"one\ntwo\r\nthree", // mixed
7311 b"one\r\ntwo\nthree",
7312 b"one\rtwo\rthree", // classic mac
7313 ] {
7314 v.verify_bytes(data)?;
7315 }
7316
7317 Ok(())
7318 }
7319
7320 /// Tests for a panic in the SKESK parser.
7321 #[test]
7322 fn issue_588() -> Result<()> {
7323 let data = vec![0x8c, 0x34, 0x05, 0x12, 0x02, 0x00, 0xaf, 0x0d,
7324 0xff, 0xff, 0x65];
7325 let _ = PacketParser::from_bytes(&data);
7326 Ok(())
7327 }
7328
7329 /// Tests for a panic in the packet parser.
7330 #[test]
7331 fn packet_parser_on_mangled_cert() -> Result<()> {
7332 // The armored input cert is mangled. Currently, Sequoia
7333 // doesn't grok the mangled armor, but it should not panic.
7334 let mut ppr = match PacketParser::from_bytes(
7335 crate::tests::key("bobs-cert-badly-mangled.asc")) {
7336 Ok(ppr) => ppr,
7337 Err(_) => return Ok(()),
7338 };
7339 while let PacketParserResult::Some(pp) = ppr {
7340 dbg!(&pp.packet);
7341 if let Ok((_, tmp)) = pp.recurse() {
7342 ppr = tmp;
7343 } else {
7344 break;
7345 }
7346 }
7347 Ok(())
7348 }
7349
7350 // Issue 967.
7351 #[test]
7352 fn packet_before_junk_emitted() -> Result<()> {
7353 let bytes = crate::tests::key("testy-new.pgp");
7354
7355 let mut ppr = match PacketParser::from_bytes(bytes) {
7356 Ok(ppr) => ppr,
7357 Err(_) => panic!("valid"),
7358 };
7359 let mut packets_ok = Vec::new();
7360 while let PacketParserResult::Some(pp) = ppr {
7361 if let Ok((packet, tmp)) = pp.recurse() {
7362 packets_ok.push(packet);
7363 ppr = tmp;
7364 } else {
7365 break;
7366 }
7367 }
7368
7369 let mut bytes = bytes.to_vec();
7370 // Add some junk.
7371 bytes.push(0);
7372 let mut ppr = match PacketParser::from_bytes(&bytes[..]) {
7373 Ok(ppr) => ppr,
7374 Err(_) => panic!("valid"),
7375 };
7376 let mut packets_mangled = Vec::new();
7377 while let PacketParserResult::Some(pp) = ppr {
7378 if let Ok((packet, tmp)) = pp.recurse() {
7379 packets_mangled.push(packet);
7380 ppr = tmp;
7381 } else {
7382 break;
7383 }
7384 }
7385
7386 assert_eq!(packets_ok.len(), packets_mangled.len());
7387 assert_eq!(packets_ok, packets_mangled);
7388
7389 Ok(())
7390 }
7391
7392 /// Tests for a panic in the packet parser.
7393 fn parse_message(message: &str) {
7394 eprintln!("parsing {:?}", message);
7395 let mut ppr = match PacketParser::from_bytes(message) {
7396 Ok(ppr) => ppr,
7397 Err(_) => return,
7398 };
7399 while let PacketParserResult::Some(pp) = ppr {
7400 dbg!(&pp.packet);
7401 if let Ok((_, tmp)) = pp.recurse() {
7402 ppr = tmp;
7403 } else {
7404 break;
7405 }
7406 }
7407 }
7408
7409 /// Tests issue 1005.
7410 #[test]
7411 fn panic_on_short_zip() {
7412 parse_message("-----BEGIN PGP SIGNATURE-----
7413
7414owGjAA0=
7415zXvj
7416-----END PGP SIGNATURE-----
7417");
7418 }
7419
7420 /// Tests issue 957.
7421 #[test]
7422 fn panic_on_malformed_armor() {
7423 parse_message("-----BEGIN PGP MESSAGE-----
7424
7425heLBX8Pq0kUBwQz2iFAzRwOdgTBvH5KsDU9lmE
7426
7427-----END PGP MESSAGE-----
7428");
7429 }
7430
7431 /// Tests issue 1024.
7432 #[test]
7433 // XXX: While lenient parsing seemed like the right thing to do,
7434 // this breaks equality and round-tripping: we normalize the
7435 // non-canonical encoding, so two distinct wire representations
7436 // are folded into one in-core representation.
7437 #[ignore]
7438 fn parse_secret_with_leading_zeros() -> Result<()> {
7439 crate::Cert::from_bytes(
7440 crate::tests::key("leading-zeros-private.pgp"))?
7441 .primary_key().key().clone()
7442 .parts_into_secret()?
7443 .decrypt_secret(&("hunter22"[..]).into())?
7444 .into_keypair()?;
7445 Ok(())
7446 }
7447
7448 /// Tests that junk pseudo-packets have a proper map when
7449 /// buffering is turned on.
7450 #[test]
7451 #[cfg(feature = "compression-deflate")]
7452 fn parse_junk_with_mapping() -> Result<()> {
7453 let silly = "-----BEGIN PGP MESSAGE-----
7454
7455yCsBO81bKqlfklugX5yRX5qTopuXX6KbWpFZXKJXUlGSetb4dXm+gYFBCRcA
7456=IHpt
7457-----END PGP MESSAGE-----
7458";
7459 let mut ppr = PacketParserBuilder::from_bytes(silly)?
7460 .map(true).buffer_unread_content().build()?;
7461 let mut i = 0;
7462 while let PacketParserResult::Some(pp) = ppr {
7463 assert!(pp.map().unwrap().iter().count() > 0);
7464 for f in pp.map().unwrap().iter() {
7465 eprintln!("{:?}", f);
7466 }
7467 ppr = match pp.recurse() {
7468 Ok((_, ppr)) => {
7469 i += 1;
7470 ppr
7471 },
7472 Err(_) => {
7473 // The third packet is a junk pseudo-packet, and
7474 // recursing will fail.
7475 assert_eq!(i, 2);
7476 break;
7477 },
7478 }
7479 }
7480 Ok(())
7481 }
7482
7483 /// Tests for issue 1095, parsing a secret key packet with an
7484 /// unknown S2K mechanism.
7485 #[test]
7486 fn key_unknown_s2k() -> Result<()> {
7487 let mut ppr = PacketParser::from_bytes(
7488 crate::tests::key("hardware-backed-secret.pgp"))?;
7489 let mut i = 0;
7490 while let PacketParserResult::Some(pp) = ppr {
7491 if i == 0 {
7492 assert!(matches!(&pp.packet, Packet::SecretKey(_)));
7493 }
7494 if i == 3 {
7495 assert!(matches!(&pp.packet, Packet::SecretSubkey(_)));
7496 }
7497
7498 // Make sure it roundtrips.
7499 let p = &pp.packet;
7500 let v = p.to_vec()?;
7501 let q = Packet::from_bytes(&v)?;
7502 assert_eq!(p, &q);
7503
7504 ppr = pp.recurse()?.1;
7505 i += 1;
7506 }
7507 Ok(())
7508 }
7509
7510 #[test]
7511 fn nested_embedded_signatures() {
7512 // Builds a crafted OpenPGP certificate (~44 KB) that crashes any process
7513 // parsing it. The certificate contains a signature with 3000 nested
7514 // EmbeddedSignature subpackets - enough to overflow the default 8 MB stack.
7515 // This is the same path triggered by keyserver fetches (Cert::from_bytes),
7516 // RPM signature verification, Autocrypt header parsing, etc.
7517
7518 use crate::Cert;
7519
7520 let dummy_rsa_sig = [0x00, 0x01, 0x01]; // MPI: 1-bit value 1
7521
7522 // Innermost signature: minimal valid v4 body plus one RSA signature MPI.
7523 let mut sig = vec![
7524 0x04, 0x00, 0x01, 0x08, // v4, Binary, RSA, SHA256
7525 0x00, 0x00, // hashed subpacket area: 0 bytes
7526 0x00, 0x00, // unhashed subpacket area: 0 bytes
7527 0x00, 0x00, // hash prefix
7528 ];
7529 sig.extend_from_slice(&dummy_rsa_sig);
7530
7531 // Nest 3000 times: each layer wraps the previous signature as an
7532 // EmbeddedSignature subpacket (tag 32) in the unhashed area.
7533 for _ in 0..3000 {
7534 let c_len = 1 + sig.len();
7535 let len_enc = if c_len < 192 {
7536 vec![c_len as u8]
7537 } else if c_len < 16320 {
7538 let a = c_len - 192;
7539 vec![((a >> 8) as u8) + 192, (a & 0xFF) as u8]
7540 } else {
7541 let l = c_len as u32;
7542 vec![0xFF, (l >> 24) as u8, (l >> 16) as u8, (l >> 8) as u8, l as u8]
7543 };
7544
7545 let mut sub = len_enc;
7546 sub.push(32); // EmbeddedSignature subpacket tag
7547 sub.extend(&sig);
7548 if sub.len() > 65535 { break; } // SubpacketArea max size
7549
7550 let ulen = sub.len();
7551 let mut outer = vec![
7552 0x04, 0x00, 0x01, 0x08, 0x00, 0x00,
7553 (ulen >> 8) as u8, (ulen & 0xFF) as u8,
7554 ];
7555 outer.extend(&sub);
7556 outer.extend(&[0x00, 0x00]); // hash prefix
7557 outer.extend_from_slice(&dummy_rsa_sig);
7558 sig = outer;
7559 }
7560
7561 // Wrap in a minimal OpenPGP certificate so the payload matches
7562 // real-world delivery: keyserver fetch, RPM package, Autocrypt header.
7563 sig[1] = 0x10; // patch signature type -> Generic Certification
7564
7565 if let Err(err) = Signature::from_bytes(&sig) {
7566 let err = err.downcast::<Error>();
7567 assert!(matches!(err, Ok(Error::MalformedPacket(_))));
7568 } else {
7569 panic!("Failed to rejected nested embedded signatures");
7570 }
7571
7572 // Minimal v4 RSA public key body
7573 let mut pk = vec![0x04, 0x00, 0x00, 0x00, 0x00, 0x01]; // v4, time=0, RSA
7574 pk.extend(&[0x02, 0x00]); // 512-bit modulus
7575 pk.extend(&[0xFF; 64]); // dummy modulus
7576 pk.extend(&[0x00, 0x11]); // 17-bit exponent
7577 pk.extend(&[0x01, 0x00, 0x01]); // e = 65537
7578
7579 let uid = b"Test <test@test.com>";
7580
7581 // Assemble: Public Key (tag 6) + UserID (tag 13) + Signature (tag 2)
7582 let mut cert_data = Vec::new();
7583 let header = |tag: u8, len: usize| {
7584 let mut h = vec![0xC0 | tag];
7585 if len < 192 { h.push(len as u8); }
7586 else {
7587 let l = len as u32;
7588 h.extend([0xFF, (l >> 24) as u8, (l >> 16) as u8, (l >> 8) as u8, l as u8]);
7589 }
7590 h
7591 };
7592 cert_data.extend(header(6, pk.len()));
7593 cert_data.extend(&pk);
7594 cert_data.extend(header(13, uid.len()));
7595 cert_data.extend(uid);
7596 cert_data.extend(header(2, sig.len()));
7597 cert_data.extend(&sig);
7598
7599 // We should be able to parse the certificate by rejecting the
7600 // invalid signature. If we parse the nested signatures, then
7601 // we'll probably exhaust the stack and crash.
7602 eprintln!("{} bytes ({:.1} KB), calling Cert::from_bytes()...",
7603 cert_data.len(), cert_data.len() as f64 / 1024.0);
7604 let _ = Cert::from_bytes(&cert_data);
7605 eprintln!("no crash (stack may be larger than default)");
7606 }
7607}