[gnutls-devel] gnutls_openpgp_keyring_import() doesn't report the proper error if incorrect armor is used
Ramkumar Chinchani
ramkumar.chinchani at gmail.com
Mon Mar 3 06:43:44 CET 2014
If the "data" argument to gnutls_openpgp_keyring_import() is really in RAW
format and "format" is incorrectly specified as BASE64, then the following
snippet of code fails silently with "err" = EOF in the very first iteration
and it falls through.
So the caller cannot detect this and retry a different armor/format.
    do {
        err =
            cdk_stream_read(input, raw_data + written,
                            raw_len - written);

        if (err > 0)
            written += err;
    }
    while (written < raw_len && err != EOF && err > 0);
Suggesting the following patch.
diff --git a/lib/openpgp/extras.c b/lib/openpgp/extras.c
index 65bb488..d2a854f 100644
--- a/lib/openpgp/extras.c
+++ b/lib/openpgp/extras.c
@@ -177,6 +177,11 @@ gnutls_openpgp_keyring_import(gnutls_openpgp_keyring_t
keyring,
while (written < raw_len && err != EOF && err > 0);
raw_len = written;
+ if (raw_len == 0) {
+ gnutls_assert();
+ err = GNUTLS_E_BASE64_DECODING_ERROR;
+ goto error;
+ }
} else { /* RAW */
raw_len = data->size;
raw_data = data->data;
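Review bot: The added raw_len == 0 test only catches a stream that yields nothing at all. The loop above it also stops when cdk_stream_read returns a non-positive value other than EOF after some bytes were already written, and that case still falls through with a short raw_data. Consider checking the final err for a negative value other than EOF as well. Since the new branch jumps to error, please confirm that label releases raw_data if it was allocated before the loop; the visible context does not show this. A one-line comment saying that an empty decode is treated as wrong armor would also explain why GNUTLS_E_BASE64_DECODING_ERROR is the code chosen here.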
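The following is an added example, not part of the original message and not GnuTLS code: a self-contained model of the read loop quoted above, showing the silent success on unarmored input and how the patch's raw_len == 0 test lets a caller retry as RAW. The demo_* names, the stream stub and DEMO_E_DECODE are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define DEMO_E_DECODE (-1000)   /* constructed placeholder, not a GnuTLS code */
/* Hypothetical dearmoring stream: on input without armor the first read is EOF. */
struct demo_stream { const unsigned char *buf; size_t len, pos; int armored; };

static int demo_read(struct demo_stream *s, unsigned char *out, size_t n)
{
    size_t left = s->len - s->pos;
    if (!s->armored || left == 0) return EOF;
    if (n > left) n = left;
    memcpy(out, s->buf + s->pos, n);
    s->pos += n;
    return (int) n;
}

/* Read loop from the post; checked != 0 adds the patch's raw_len == 0 test. */
static int demo_drain(struct demo_stream *s, unsigned char *raw, size_t raw_len,
                      int checked, size_t *out_len)
{
    size_t written = 0;
    int err;
    do {
        err = demo_read(s, raw + written, raw_len - written);
        if (err > 0) written += (size_t) err;
    } while (written < raw_len && err != EOF && err > 0);
    *out_len = written;
    return (checked && written == 0) ? DEMO_E_DECODE : 0;
}

/* Caller: try the armored path first, retry as RAW only on a decode error. */
static int demo_import(const unsigned char *data, size_t len, int armored,
                       int checked, size_t *out_len)
{
    unsigned char raw[64];
    struct demo_stream s = { data, len, 0, armored };
    int rc = demo_drain(&s, raw, sizeof raw, checked, out_len);
    if (rc != DEMO_E_DECODE)
        return rc;
    *out_len = len;             /* wrong format detected: take data as RAW */
    return 0;
}

int main(void)
{
    size_t n;
    int rc = demo_import((const unsigned char *) "constructed", 11, 0, 1, &n);
    return printf("rc=%d bytes=%zu\n", rc, n) < 0;
}
```

With checked set to 0 the same call returns success with zero bytes, which is the silent failure the message describes.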