BUG #16476: pgp_sym_encrypt_bytea with compress-level=6 : Wrong key or corrupt data

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
11 messages Options
Reply | Threaded
Open this post in threaded view
|

BUG #16476: pgp_sym_encrypt_bytea with compress-level=6 : Wrong key or corrupt data

PG Doc comments form
The following bug has been logged on the website:

Bug reference:      16476
Logged by:          Frank Gagnepain
Email address:      [hidden email]
PostgreSQL version: 10.13
Operating system:   Debian 10
Description:        

Hello to the support team,

I already sent a bug report for this issue, but PostgreSQL version was
9.4.21 which isnt supported anymore
So we tested this bug with a 10.13 PostgreSQL version this time and we got
the exact same issue.

I get "ERROR:  Wrong key or corrupt data" when using successively function
pgp_sym_encrypt_bytea and pgp_sym_decrypt_bytea on only some bytea data in
db with those options :
compress-algo=1 (ZIP algo)
cipher-algo=aes256
compress-level=6 (which is the default compress-level)
With any other value for compress-level (0,1,2,3,4,5,7,8,9) for
pgp_sym_encrypt_bytea, i get no error with pgp_sym_decrypt_bytea...


Here is what i do to test this error :


create or replace function bytea_import(p_path text, p_result out bytea)
language plpgsql as $$
declare
l_oid oid;
r record;
begin
p_result := '';
select lo_import(p_path) into l_oid;
for r in ( select data
from pg_largeobject
where loid = l_oid
order by pageno ) loop
p_result = p_result || r.data;
end loop;
perform lo_unlink(l_oid);
end;$$;


select
pgp_sym_decrypt_bytea(pgp_sym_encrypt_bytea(bytea_import(DATA),'password','compress-algo=1,
cipher-algo=aes256, compress-level=6'),'password','compress-algo=1,
cipher-algo=aes256');


ERROR:  Wrong key or corrupt data


Unfortunately i cant post any example of DATA since those are supposed to
be
sensitive data.
Nevertheless, does this kind of error rings a bell to anyone ?

Reply | Threaded
Open this post in threaded view
|

Re: BUG #16476: pgp_sym_encrypt_bytea with compress-level=6 : Wrong key or corrupt data

Jeff Janes
 
select
pgp_sym_decrypt_bytea(pgp_sym_encrypt_bytea(bytea_import(DATA),'password','compress-algo=1,
cipher-algo=aes256, compress-level=6'),'password','compress-algo=1,
cipher-algo=aes256');


decryption reads the settings from the encrypted message header, there is no need to specify them again. 

I can reproduce this at any compression level if the data is random (not compressible) and exactly 16365 bytes long.  If the data is compressible, then you need a longer length of message to reproduce it and it depends on the random content and compression level.

I'm attaching the reproducer as a Perl script.  I have not investigated the C code of pgcrypto itself.

Cheers,

Jeff

pgcrypto_zip.pl (1K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

RE: BUG #16476: pgp_sym_encrypt_bytea with compress-level=6 : Wrong key or corrupt data

Frank Gagnepain
Hello again,

Thank you for this script ,

We managed to get you an example of data that triggers the error message (with compress-level=6) in attachments.
You would have to unzip first and then test it (I mean it hasnt been zipped by pgcrypto).

Cheers,

Frank GAGNEPAIN





De : Jeff Janes <[hidden email]>
Envoyé : mercredi 3 juin 2020 14:35
À : Frank Gagnepain <[hidden email]>; pgsql-bugs <[hidden email]>
Objet : Re: BUG #16476: pgp_sym_encrypt_bytea with compress-level=6 : Wrong key or corrupt data
 
 
select
pgp_sym_decrypt_bytea(pgp_sym_encrypt_bytea(bytea_import(DATA),'password','compress-algo=1,
cipher-algo=aes256, compress-level=6'),'password','compress-algo=1,
cipher-algo=aes256');


decryption reads the settings from the encrypted message header, there is no need to specify them again. 

I can reproduce this at any compression level if the data is random (not compressible) and exactly 16365 bytes long.  If the data is compressible, then you need a longer length of message to reproduce it and it depends on the random content and compression level.

I'm attaching the reproducer as a Perl script.  I have not investigated the C code of pgcrypto itself.

Cheers,

Jeff

CP04003072_PART2_SANS_ENTETE.zip (925K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: BUG #16476: pgp_sym_encrypt_bytea with compress-level=6 : Wrong key or corrupt data

Kyotaro Horiguchi-4
In reply to this post by Jeff Janes
At Wed, 3 Jun 2020 08:35:02 -0400, Jeff Janes <[hidden email]> wrote in
> I can reproduce this at any compression level if the data is random (not
> compressible) and exactly 16365 bytes long.  If the data is compressible,
> then you need a longer length of message to reproduce it and it depends on
> the random content and compression level.
>
> I'm attaching the reproducer as a Perl script.  I have not investigated the
> C code of pgcrypto itself.

Thanks for the reproducer.

Compressed stream must end with a normal packet. If a stream ends with
a complete stream packet, deflator adds a zero-length normal packet at
the end.  decompress_read forgets to read such a terminating packet
when EOF comes at just at the end of the last stream packet. An extra
call to pullf_read at EOF correctly consumes such an extra packet.
The extra call doesn't harm if a stream ends with partial normal
packet.

The reproducer becomes not to fail with the attached patch.

regards.

--
Kyotaro Horiguchi
NTT Open Source Software Center

From f4a8997ec08c0aaec8326b0f0dda9f3a001d5865 Mon Sep 17 00:00:00 2001
From: Kyotaro Horiguchi <[hidden email]>
Date: Thu, 11 Jun 2020 20:29:23 +0900
Subject: [PATCH] Make sure to consume stream-terminating packet

When compressed stream is ended with a full stream packet, it must be
followed by a terminating normal packet with zero-length.  Make sure
consume such terminating packet at the end of stream.
---
 contrib/pgcrypto/pgp-compress.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/contrib/pgcrypto/pgp-compress.c b/contrib/pgcrypto/pgp-compress.c
index 0505bdee92..69a8d6c577 100644
--- a/contrib/pgcrypto/pgp-compress.c
+++ b/contrib/pgcrypto/pgp-compress.c
@@ -286,7 +286,20 @@ restart:
 
  dec->buf_data = dec->buf_len - dec->stream.avail_out;
  if (res == Z_STREAM_END)
+ {
+ uint8 *tmp;
+
+ /*
+ * If source stream ends with a full stream packet, it is followed by
+ * an extra normal zero-length packet, which should be consumed before
+ * reading further. If we have already seen a terminating packet,
+ * nothing happen by this call.
+ */
+ res = pullf_read(src, 1, &tmp);
+ Assert(res == 0);
+
  dec->eof = 1;
+ }
  goto restart;
 }
 
--
2.18.2

Reply | Threaded
Open this post in threaded view
|

Re: BUG #16476: pgp_sym_encrypt_bytea with compress-level=6 : Wrong key or corrupt data

Kyotaro Horiguchi-4
The reproducer becomes not to fail with the attached patch.

I put an assertion in the patch, but that is not appropriare. It shoud be an ereport instead. I’ll fix that later.

regards.
-- 
Kyotaro Horiguchi

Reply | Threaded
Open this post in threaded view
|

Re: BUG #16476: pgp_sym_encrypt_bytea with compress-level=6 : Wrong key or corrupt data

Kyotaro Horiguchi-4
At Thu, 11 Jun 2020 22:17:26 +0900, Kyotaro Horiguchi <[hidden email]> wrote in
> >
> > The reproducer becomes not to fail with the attached patch.
>
>
> I put an assertion in the patch, but that is not appropriare. It shoud be
> an ereport instead. I’ll fix that later.

Fixed.

regards.

--
Kyotaro Horiguchi
NTT Open Source Software Center

From 1f5003c164cf529a79d1f56e4c43d5867c3a345e Mon Sep 17 00:00:00 2001
From: Kyotaro Horiguchi <[hidden email]>
Date: Thu, 11 Jun 2020 20:29:23 +0900
Subject: [PATCH v2] Make sure to consume stream-terminating packet

When a compressed stream ends with a full packet, it must be
terminated by a normal empty packet.  Make sure to consume such
packets.
---
 contrib/pgcrypto/pgp-compress.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/contrib/pgcrypto/pgp-compress.c b/contrib/pgcrypto/pgp-compress.c
index 0505bdee92..296afb3324 100644
--- a/contrib/pgcrypto/pgp-compress.c
+++ b/contrib/pgcrypto/pgp-compress.c
@@ -286,7 +286,29 @@ restart:
 
  dec->buf_data = dec->buf_len - dec->stream.avail_out;
  if (res == Z_STREAM_END)
+ {
+ uint8 *tmp;
+
+ /*
+ * A stream must be terminated by a normal packet. If the last stream
+ * packet in the source stream is a full packet, a normal empty packet
+ * must follow. Since the underlying packet reader doesn't know that
+ * the compressed stream has been ended, we need to to consume the
+ * terminating packet here. This read doesn't harm even if the stream
+ * has already ended.
+ */
+ res = pullf_read(src, 1, &tmp);
+
+ if (res < 0)
+ return res;
+ else if (res > 0)
+ {
+ px_debug("decompress_read: extra bytes after end of stream");
+ return PXE_PGP_CORRUPT_DATA;
+ }
+
  dec->eof = 1;
+ }
  goto restart;
 }
 
--
2.18.2

Reply | Threaded
Open this post in threaded view
|

Re: BUG #16476: pgp_sym_encrypt_bytea with compress-level=6 : Wrong key or corrupt data

Tom Lane-2
Kyotaro Horiguchi <[hidden email]> writes:
>> I put an assertion in the patch, but that is not appropriare. It shoud be
>> an ereport instead. I¢ll fix that later.
> Fixed.

Hm, should we add a test case exercising this code?

                        regards, tom lane


Reply | Threaded
Open this post in threaded view
|

Re: BUG #16476: pgp_sym_encrypt_bytea with compress-level=6 : Wrong key or corrupt data

Kyotaro Horiguchi-4
At Thu, 11 Jun 2020 21:57:25 -0400, Tom Lane <[hidden email]> wrote in
> Kyotaro Horiguchi <[hidden email]> writes:
> >> I put an assertion in the patch, but that is not appropriare. It shoud be
> >> an ereport instead. I¢ll fix that later.
> > Fixed.
>
> Hm, should we add a test case exercising this code?

Agrred.  As far as I found, there is another point where a stream ends
with an empty-packet at 16318 bytes, but he stream is not a compressed
data stream.

In the attached, generates a source bytes using random(). To make sure
to stabilize the result, it does setseed(0) just before.  One concern
of the test is there's not means to find if the test gets stale.
Concretely if somehow the data length to cause the issue moved, the
check would silently get no longer effective.

regards.

--
Kyotaro Horiguchi
NTT Open Source Software Center

From bfbe165af79dbe90e6152f738921311a483ff663 Mon Sep 17 00:00:00 2001
From: Kyotaro Horiguchi <[hidden email]>
Date: Thu, 11 Jun 2020 20:29:23 +0900
Subject: [PATCH v3] Make sure to consume stream-terminating packet

A compressed stream may end with an empty packet.  In this case
decompression finishes before reading the empty packet and the
remaining stream packet causes a failure in reading the following
data. Make sure to consume such packets after compression finishes.
---
 contrib/pgcrypto/expected/pgp-compression.out | 21 ++++++++++++++++++
 contrib/pgcrypto/pgp-compress.c               | 22 +++++++++++++++++++
 contrib/pgcrypto/sql/pgp-compression.sql      | 12 ++++++++++
 3 files changed, 55 insertions(+)

diff --git a/contrib/pgcrypto/expected/pgp-compression.out b/contrib/pgcrypto/expected/pgp-compression.out
index 32b350b8fe..84d0956070 100644
--- a/contrib/pgcrypto/expected/pgp-compression.out
+++ b/contrib/pgcrypto/expected/pgp-compression.out
@@ -48,3 +48,24 @@ select pgp_sym_decrypt(
  Secret message
 (1 row)
 
+-- check if trailing empty-packet of compressed stream is correctly read
+select setseed(0);
+ setseed
+---------
+
+(1 row)
+
+select bytes =
+ pgp_sym_decrypt_bytea(
+ pgp_sym_encrypt_bytea(bytes, E'\\x12345678',
+ 'compress-algo=1,compress-level=1'),
+ E'\\x12345678') from
+ (select -- generate incompressible source data with 16385 bytes
+     string_agg(decode(lpad(to_hex((random()*256)::int),2,'0'), 'hex'), '')
+ as bytes
+ from generate_series(0, 16365)) t;
+ ?column?
+----------
+ t
+(1 row)
+
diff --git a/contrib/pgcrypto/pgp-compress.c b/contrib/pgcrypto/pgp-compress.c
index 0505bdee92..296afb3324 100644
--- a/contrib/pgcrypto/pgp-compress.c
+++ b/contrib/pgcrypto/pgp-compress.c
@@ -286,7 +286,29 @@ restart:
 
  dec->buf_data = dec->buf_len - dec->stream.avail_out;
  if (res == Z_STREAM_END)
+ {
+ uint8 *tmp;
+
+ /*
+ * A stream must be terminated by a normal packet. If the last stream
+ * packet in the source stream is a full packet, a normal empty packet
+ * must follow. Since the underlying packet reader doesn't know that
+ * the compressed stream has been ended, we need to to consume the
+ * terminating packet here. This read doesn't harm even if the stream
+ * has already ended.
+ */
+ res = pullf_read(src, 1, &tmp);
+
+ if (res < 0)
+ return res;
+ else if (res > 0)
+ {
+ px_debug("decompress_read: extra bytes after end of stream");
+ return PXE_PGP_CORRUPT_DATA;
+ }
+
  dec->eof = 1;
+ }
  goto restart;
 }
 
diff --git a/contrib/pgcrypto/sql/pgp-compression.sql b/contrib/pgcrypto/sql/pgp-compression.sql
index ca9ee1fc00..7eb65048dd 100644
--- a/contrib/pgcrypto/sql/pgp-compression.sql
+++ b/contrib/pgcrypto/sql/pgp-compression.sql
@@ -28,3 +28,15 @@ select pgp_sym_decrypt(
  pgp_sym_encrypt('Secret message', 'key',
  'compress-algo=2, compress-level=0'),
  'key', 'expect-compress-algo=0');
+
+-- check if trailing empty-packet of compressed stream is correctly read
+select setseed(0);
+select bytes =
+ pgp_sym_decrypt_bytea(
+ pgp_sym_encrypt_bytea(bytes, E'\\x12345678',
+ 'compress-algo=1,compress-level=1'),
+ E'\\x12345678') from
+ (select -- generate incompressible source data with 16385 bytes
+     string_agg(decode(lpad(to_hex((random()*256)::int),2,'0'), 'hex'), '')
+ as bytes
+ from generate_series(0, 16365)) t;
--
2.18.2

Reply | Threaded
Open this post in threaded view
|

Re: BUG #16476: pgp_sym_encrypt_bytea with compress-level=6 : Wrong key or corrupt data

Michael Paquier-2
On Fri, Jun 12, 2020 at 02:54:12PM +0900, Kyotaro Horiguchi wrote:
> Agrred.  As far as I found, there is another point where a stream ends
> with an empty-packet at 16318 bytes, but he stream is not a compressed
> data stream.
>
> In the attached, generates a source bytes using random(). To make sure
> to stabilize the result, it does setseed(0) just before.  One concern
> of the test is there's not means to find if the test gets stale.
> Concretely if somehow the data length to cause the issue moved, the
> check would silently get no longer effective.

FYI, I have begun looking at this report, and I am reviewing the
proposed patch.
--
Michael

signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: BUG #16476: pgp_sym_encrypt_bytea with compress-level=6 : Wrong key or corrupt data

Michael Paquier-2
On Wed, Jun 24, 2020 at 04:59:21PM +0900, Michael Paquier wrote:
> FYI, I have begun looking at this report, and I am reviewing the
> proposed patch.

Okay.  First I found the test case you added a bit hard to parse, so I
have refactored it with a CTE in charge of building the random string,
with the main query doing the compression/decompression and a check
making sure that the original string and the result match.  I quite
liked the logic with lpad() to append zeros if the computation with
random()*256 returned a result less than 16, as well as the use of
string_agg() for that purpose to build the string.  I have also
switched the second arguments of the functions to just use 'key', for
readability.  Using a random string sounds good to me here.  It could
always be possible that we finish with something less random, causing
it to to become compressed but I'll believe in the rule of chaos
here.

Then, the fix you are proposing is to simply make sure that all the
input from the source stream is properly consumed even after the zlib
stream has ended in this corner case thanks to pullf_read(), and that
sounds good to me.  However, I had an idea slightly different than
yours, consisting of simply reading the contents of the source before
checking if there is any available in the decompressed buffer (the
check on buf_data before the goto restart step).  That makes the fix a
bit simpler, without changing the logic.

I am also attaching an extra script I used to validate this stuff
based on the regression test of the patch, that has allowed me to
check the logic for random strings up to 33kB, like that for example
(this one took 8 mins on my laptop):
select count(test_crypto(len)) from generate_series(0, 33000) as len;

The inputs and outputs perfectly matched in all my tests, with the
16kB string being the only one failing in the range I have tested on
HEAD, test passing with the patch of course.  One or more extra pairs
of eyes is welcome, so please feel free to look at the version
attached.

Thanks,
--
Michael

crypto.sql (940 bytes) Download Attachment
pgcrypto-zlib-v4.patch (3K) Download Attachment
signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: BUG #16476: pgp_sym_encrypt_bytea with compress-level=6 : Wrong key or corrupt data

Michael Paquier-2
On Thu, Jun 25, 2020 at 03:45:41PM +0900, Michael Paquier wrote:
> The inputs and outputs perfectly matched in all my tests, with the
> 16kB string being the only one failing in the range I have tested on
> HEAD, test passing with the patch of course.  One or more extra pairs
> of eyes is welcome, so please feel free to look at the version
> attached.

Horiguchi-san, as you looked at this thread, would you like to look at
what I sent previously?  There is still time until the next minor
release, but this thread has been idle for close to two weeks now.
--
Michael

signature.asc (849 bytes) Download Attachment