Check for insecure hash and symmetric encryption algos on decrypt

3 files changed, 34 insertions, 0 deletions

diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java
index 54cd9b1b4..a96cec8cf 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/OperationResult.java
@@ -626,6 +626,7 @@ public abstract class OperationResult implements Parcelable {
         MSG_DC_ERROR_NO_DATA (LogLevel.ERROR, R.string.msg_dc_error_no_data),
         MSG_DC_ERROR_NO_KEY (LogLevel.ERROR, R.string.msg_dc_error_no_key),
         MSG_DC_ERROR_PGP_EXCEPTION (LogLevel.ERROR, R.string.msg_dc_error_pgp_exception),
+        MSG_DC_ERROR_UNSUPPORTED_HASH_ALGO (LogLevel.ERROR, R.string.msg_dc_error_unsupported_hash_algo),
         MSG_DC_INTEGRITY_CHECK_OK (LogLevel.INFO, R.string.msg_dc_integrity_check_ok),
         MSG_DC_OK_META_ONLY (LogLevel.OK, R.string.msg_dc_ok_meta_only),
         MSG_DC_OK (LogLevel.OK, R.string.msg_dc_ok),
@@ -640,6 +641,7 @@ public abstract class OperationResult implements Parcelable {
         MSG_DC_TRAIL_SYM (LogLevel.DEBUG, R.string.msg_dc_trail_sym),
         MSG_DC_TRAIL_UNKNOWN (LogLevel.DEBUG, R.string.msg_dc_trail_unknown),
         MSG_DC_UNLOCKING (LogLevel.INFO, R.string.msg_dc_unlocking),
+        MSG_DC_OLD_SYMMETRIC_ENCRYPTION_ALGO (LogLevel.WARN, R.string.msg_dc_old_symmetric_encryption_algo),
 
         // verify signed literal data
         MSG_VL (LogLevel.INFO, R.string.msg_vl),
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpDecryptVerify.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpDecryptVerify.java
index 2ba0b6231..14bc56538 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpDecryptVerify.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpDecryptVerify.java
@@ -563,6 +563,7 @@ public class PgpDecryptVerify extends BaseOperation {
         log.add(LogType.MSG_DC_PREP_STREAMS, indent);
 
         // we made sure above one of these two would be true
+        int symmetricEncryptionAlgo;
         if (symmetricPacketFound) {
             currentProgress += 2;
             updateProgress(R.string.progress_preparing_streams, currentProgress, 100);
@@ -576,6 +577,7 @@ public class PgpDecryptVerify extends BaseOperation {
             clear = encryptedDataSymmetric.getDataStream(decryptorFactory);
             encryptedData = encryptedDataSymmetric;
 
+            symmetricEncryptionAlgo = encryptedDataSymmetric.getSymmetricAlgorithm(decryptorFactory);
         } else if (asymmetricPacketFound) {
             currentProgress += 2;
             updateProgress(R.string.progress_extracting_key, currentProgress, 100);
@@ -598,6 +600,8 @@ public class PgpDecryptVerify extends BaseOperation {
                 PublicKeyDataDecryptorFactory decryptorFactory
                         = secretEncryptionKey.getDecryptorFactory(mDecryptedSessionKey);
                 clear = encryptedDataAsymmetric.getDataStream(decryptorFactory);
+
+                symmetricEncryptionAlgo = encryptedDataAsymmetric.getSymmetricAlgorithm(decryptorFactory);
             } catch (NfcSyncPublicKeyDataDecryptorFactoryBuilder.NfcInteractionNeeded e) {
                 log.add(LogType.MSG_DC_PENDING_NFC, indent + 1);
                 DecryptVerifyResult result =
@@ -614,6 +618,11 @@ public class PgpDecryptVerify extends BaseOperation {
             return new DecryptVerifyResult(DecryptVerifyResult.RESULT_ERROR, log);
         }
 
+        // Warn about old encryption algorithms!
+        if (!PgpConstants.sPreferredSymmetricAlgorithms.contains(symmetricEncryptionAlgo)) {
+            log.add(LogType.MSG_DC_OLD_SYMMETRIC_ENCRYPTION_ALGO, indent + 1);
+        }
+
         JcaPGPObjectFactory plainFact = new JcaPGPObjectFactory(clear);
         Object dataChunk = plainFact.nextObject();
         OpenPgpSignatureResultBuilder signatureResultBuilder = new OpenPgpSignatureResultBuilder();
@@ -811,6 +820,13 @@ public class PgpDecryptVerify extends BaseOperation {
                 } else {
                     log.add(LogType.MSG_DC_CLEAR_SIGNATURE_BAD, indent + 1);
                 }
+
+                // Don't allow verification of old hash algorithms!
+                if (!PgpConstants.sPreferredHashAlgorithms.contains(signature.getHashAlgorithm())) {
+                    validSignature = false;
+                    log.add(LogType.MSG_DC_ERROR_UNSUPPORTED_HASH_ALGO, indent + 1);
+                }
+
                 signatureResultBuilder.setValidSignature(validSignature);
             }
 
@@ -936,6 +952,13 @@ public class PgpDecryptVerify extends BaseOperation {
                 } else {
                     log.add(LogType.MSG_DC_CLEAR_SIGNATURE_BAD, indent + 1);
                 }
+
+                // Don't allow verification of old hash algorithms!
+                if (!PgpConstants.sPreferredHashAlgorithms.contains(signature.getHashAlgorithm())) {
+                    validSignature = false;
+                    log.add(LogType.MSG_DC_ERROR_UNSUPPORTED_HASH_ALGO, indent + 1);
+                }
+
                 signatureResultBuilder.setValidSignature(validSignature);
 
             } catch (SignatureException e) {
@@ -1024,6 +1047,13 @@ public class PgpDecryptVerify extends BaseOperation {
             } else {
                 log.add(LogType.MSG_DC_CLEAR_SIGNATURE_BAD, indent + 1);
             }
+
+            // Don't allow verification of old hash algorithms!
+            if (!PgpConstants.sPreferredHashAlgorithms.contains(signature.getHashAlgorithm())) {
+                validSignature = false;
+                log.add(LogType.MSG_DC_ERROR_UNSUPPORTED_HASH_ALGO, indent + 1);
+            }
+
             signatureResultBuilder.setValidSignature(validSignature);
         }
 
diff --git a/OpenKeychain/src/main/res/values/strings.xml b/OpenKeychain/src/main/res/values/strings.xml
index 147201bc4..d9460882c 100644
--- a/OpenKeychain/src/main/res/values/strings.xml
+++ b/OpenKeychain/src/main/res/values/strings.xml
@@ -988,6 +988,7 @@
     <string name="msg_dc_clear_meta_size_unknown">"File size is unknown"</string>
     <string name="msg_dc_clear_meta_time">"Modification time: %s"</string>
     <string name="msg_dc_clear_signature_bad">"Signature check NOT OK!"</string>
+    <string name="msg_dc_error_unsupported_hash_algo">"Unsupported and potentially insecure hash algorithm!"</string>
     <string name="msg_dc_clear_signature_check">"Verifying signature data"</string>
     <string name="msg_dc_clear_signature_ok">"Signature check OK"</string>
     <string name="msg_dc_clear_signature">"Saving signature data for later"</string>
@@ -1015,6 +1016,7 @@
     <string name="msg_dc_trail_sym">"Encountered trailing, symmetrically encrypted data"</string>
     <string name="msg_dc_trail_unknown">"Encountered trailing data of unknown type"</string>
     <string name="msg_dc_unlocking">"Unlocking secret key"</string>
+    <string name="msg_dc_old_symmetric_encryption_algo">"Potentially insecure encryption algorithm has been used!"</string>
 
     <!-- Messages for VerifySignedLiteralData operation -->
     <string name="msg_vl">"Starting signature check"</string>