Do not treat a PGP message with a missing or bad MDC like a non-clear-signed PGP message

lukele · lukele · commit 39485738a2f5 · 2018-04-29T22:57:55.000+02:00
- If a bad or missing MDC is detected, don’t display the decrypted content.
- Display a proper error message for MDC errors.

[#980 state:fixed] [fix]
diff --git a/Resources/de.lproj/GPGMail.strings b/Resources/de.lproj/GPGMail.strings
@@ -244,7 +244,8 @@ NO_DEFAULTS_MESSAGE = "GPGMail funktioniert nicht wie erwartet.\n\nLade und inst
 "UNENCRYPTED_FORWARD_OF_ENCRYPTED_MESSAGE_BUTTON_SEND_ANYWAY" = "Trotzdem weiterleiten";
 "UNENCRYPTED_FORWARD_OF_ENCRYPTED_MESSAGE_BUTTON_CANCEL" = "Abbrechen";
 
-
+"MESSAGE_BANNER_PGP_DECRYPT_MDC_ERROR_TITLE" = "Es ist schädlich diese Nachricht zu entschlüsseln.";
+"MESSAGE_BANNER_PGP_DECRYPT_MDC_ERROR_MESSAGE" = "Der Code zum Erkennen von Änderungen (MDC) dieser verschlüsselten Nachricht ist nicht vorhanden oder wurde abgeändert.\n\nDas könnte ein Zeichen dafür sein, dass der Inhalt der verschlüsselten Nachricht von einem Angreifer verändert wurde.\n\nBitte lassen Sie sich die Nachricht erneut zusenden und lassen Sie den Absender wissen, dass deren Nachricht keinen Code zum Erkennen von Änderungen enthielt.";
 
 /* Accessibility */
 ACCESSIBILITY_SECURITY_METHOD_POPUP_LABEL = "Sicherheitstechnik: %@";
diff --git a/Resources/en.lproj/GPGMail.strings b/Resources/en.lproj/GPGMail.strings
@@ -235,6 +235,8 @@ NO_DEFAULTS_MESSAGE = "GPGMail is not working as expected.\n\nPlease download an
 "UNENCRYPTED_REPLY_TO_ENCRYPTED_MESSAGE_BUTTON_SEND_ANYWAY" = "Send Anyway";
 "UNENCRYPTED_REPLY_TO_ENCRYPTED_MESSAGE_BUTTON_CANCEL" = "Cancel";
 
+"MESSAGE_BANNER_PGP_DECRYPT_MDC_ERROR_TITLE" = "It is not safe to decrypt this message.";
+"MESSAGE_BANNER_PGP_DECRYPT_MDC_ERROR_MESSAGE" = "The modification detection code (MDC) for this encrypted message is missing or has been modified.\n\nThis could mean that an attacker has been trying to modify the contents within the encrypted message.\n\nPlease have the message re-sent to you and tell the sender, that their encrypted message didn't include a modification detection code.";
 
 /* Accessibility */
 ACCESSIBILITY_SECURITY_METHOD_POPUP_LABEL = "Security method: %@";
diff --git a/Source/MimePart+GPGMail.m b/Source/MimePart+GPGMail.m
@@ -838,11 +838,18 @@ - (id)decryptData:(NSData *)encryptedData {
 	// Sometimes decryption okay is issued even though a NODATA error occured.
 	BOOL success = gpgc.decryptionOkay && !error;
 	
-    // Check if this is a non-clear-signed message.
-    // Conditions: decryptionOkay == false and encrypted data has signature packets.
-    // If decryptedData length != 0 && !decryptionOkay signature packets are expected.
-    BOOL nonClearSigned = !gpgc.decryptionOkay && [decryptedData hasSignaturePacketsWithSignaturePacketsExpected:[decryptedData length] != 0 && !gpgc.decryptionOkay];
-    
+	// Bug #980: If the message doesn't contain a MDC or contains a modified MDC,
+	//           GPGMail currently believes that the message is non-clear-signed and
+	//           ignores the failed decryption.
+	//
+	// Libmacgpg has since been patched to no longer return the decrypted content
+	// if no MDC or a modified MDC is detected, so if data is returned and no DECRYPTION_OKAY
+	// status line is issued, there's a high chance, that the message was non-clear-signed instead of
+	// encrypted. In addition a check is added, to see if BEGIN_DECRYPTION wasn't issued either.
+	BOOL nonClearSigned = ![gpgc.statusDict objectForKey:@"BEGIN_DECRYPTION"] &&
+						  ![gpgc.statusDict objectForKey:@"DECRYPTION_OKAY"] &&
+						  [decryptedData length] != 0;
+
 	// Let's reset the error if the message is not clear-signed,
 	// since error will be general error.
 	if (nonClearSigned)
@@ -973,6 +980,14 @@ - (MFError *)errorForDecryptionError:(NSException *)operationError status:(NSDic
 		titleKey = [NSString stringWithFormat:@"%@_DECRYPT_ERROR_XPC_DAMAGED_TITLE", prefix];
 		messageKey = [NSString stringWithFormat:@"%@_DECRYPT_ERROR_XPC_DAMAGED_MESSAGE", prefix];
 		
+		title = GMLocalizedString(titleKey);
+		message = GMLocalizedString(messageKey);
+	}
+	else if(((GPGException *)operationError).errorCode == GPGErrorNoMDC ||
+			((GPGException *)operationError).errorCode == GPGErrorBadMDC) {
+		titleKey = [NSString stringWithFormat:@"%@_DECRYPT_MDC_ERROR_TITLE", prefix];
+		messageKey = [NSString stringWithFormat:@"%@_DECRYPT_MDC_ERROR_MESSAGE", prefix];
+
 		title = GMLocalizedString(titleKey);
 		message = GMLocalizedString(messageKey);
 	}
