View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0000147||file||General||public||2020-02-23 04:55||2020-06-07 19:22|
|Priority||normal||Severity||minor||Reproducibility||have not tried|
|Summary||0000147: Some PGP files encrypted with RSA keys are not recognized|
|Description||Magdir/pgp includes rules like:|
# 2048b RSA encrypted data
0 string \x85\x01\x0c\x03 PGP RSA encrypted session key -
>13 string \x07\xfa
>13 string \x07\xf9
>271 byte 0xd2 .
I have some files that are encrypted to a 2048b RSA key where the third byte is 0x0b instead of 0x0c, and where the 13-14th bytes are 0x07 0xf8, one off the end of the above list of recognized values.
I believe the patterns for 3072bit, and 4096bit RSA should be similarly expanded.
Also, the last byte of 0xd2 is not always at the specified offset (271 for RSA2048, 527 for RSA4096, etc.). Sometimes it is one byte sooner. I think bytes 2&3 are actually a length, which is why if byte 3 is off-by-one, then the location of the 0xd2 byte is also off by one.
|Steps To Reproduce||I have not managed to create such files on demand. And I cannot share the existing artifacts I have.|
Probably a sufficiently careful reading of gnupg source would add certainty, but... ow.
|Additional Information||I can't figure out the right way to say "expect either 0x0b or 0x0c here" without duplicating the entire pattern set into a new stanza, or unintended consequences like matching other files that are not intended. So, no patch this time.|
|Tags||No tags attached.|
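Added example (not part of the original report or the file project's code): the byte values in the report line up with OpenPGP packet framing in RFC 4880, where 0x85 is an old-format header for a tag 1 packet with a two-octet length, and offset 13 holds the bit count of the RSA MPI. The Python sketch below derives the position of the following 0xd2 packet from that length instead of from a fixed offset; the function names and the sample packets are constructed for illustration.

```python
# Added example: walks the OpenPGP packet framing (RFC 4880) that the
# Magdir/pgp offsets hard-code. Sample packets are constructed, not real data.
PKESK_TAG, SEIPD_TAG = 1, 18      # 0x85 -> old-format tag 1; 0xd2 -> new-format tag 18
RSA_ALGOS = (1, 2)                # RSA encrypt-or-sign, RSA encrypt-only


def parse_old_header(buf, off=0):
    """Return (tag, body_offset, body_length) of an old-format packet header."""
    ctb = buf[off]
    if ctb & 0xC0 != 0x80:
        raise ValueError("not an old-format packet header")
    ltype = ctb & 0x03
    if ltype == 3:
        raise ValueError("indeterminate length, cannot locate next packet")
    nlen = 1 << ltype             # 1, 2 or 4 length octets
    length = int.from_bytes(buf[off + 1:off + 1 + nlen], "big")
    return (ctb >> 2) & 0x0F, off + 1 + nlen, length


def inspect_rsa_pkesk(buf):
    """Describe a leading v3 RSA PKESK packet, or return None if it is not one."""
    try:
        tag, body, length = parse_old_header(buf)
    except (ValueError, IndexError):
        return None
    if len(buf) <= body + length or tag != PKESK_TAG:
        return None
    if buf[body] != 3 or buf[body + 9] not in RSA_ALGOS:
        return None
    mpi_bits = int.from_bytes(buf[body + 10:body + 12], "big")
    # version(1) + key ID(8) + algorithm(1) + MPI bit count(2) + MPI octets
    if length != 12 + (mpi_bits + 7) // 8:
        return None
    nxt = body + length           # derived from the header, not a fixed 271
    nb = buf[nxt]
    next_tag = nb & 0x3F if nb & 0x40 else (nb >> 2) & 0x0F
    return {"mpi_bits": mpi_bits, "next_offset": nxt, "next_tag": next_tag}


def make_sample(mpi_bits):
    """Constructed packet: PKESK with one MPI of mpi_bits, then a 0xd2 octet."""
    mpi = (1 << (mpi_bits - 1)).to_bytes((mpi_bits + 7) // 8, "big")
    body = b"\x03" + bytes(8) + b"\x01" + mpi_bits.to_bytes(2, "big") + mpi
    return b"\x85" + len(body).to_bytes(2, "big") + body + b"\xd2"


if __name__ == "__main__":
    for bits in (2042, 2040):
        s = make_sample(bits)
        print(s[:4].hex(), s[13:15].hex(), inspect_rsa_pkesk(s))
```

With a 2042-bit MPI (0x07fa) the length field is 0x010c and the next packet starts at offset 271; with a 2040-bit MPI (0x07f8) the length is 0x010b and the next packet starts at 270, which is the one-byte shift described in the report.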
I made a pass at changing the magic based on your description.
The h in the indirect offset could be H, but it should be close.
Can you test the change?
|2020-02-23 04:55||hlein||New Issue|
|2020-03-20 16:38||christos||Note Added: 0003397|
|2020-06-07 19:22||christos||Assigned To||=> christos|
|2020-06-07 19:22||christos||Status||new => assigned|
|2020-06-07 19:22||christos||Status||assigned => feedback|
|2020-06-07 19:22||christos||Note Added: 0003427|