Fix symmetric v6 message encryption

Commits 7d95b08 and ea31631 introduced an error where the plain session key was passed in the wrong format causing the session-key wrapper to fail due to an invalid block size.
bcgit · Dec 3, 2024 · c83aa87 · c83aa87
1 parent 9fb27b7
commit c83aa87
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 3 deletions.
diff --git a/pg/src/main/java/org/bouncycastle/openpgp/PGPEncryptedDataGenerator.java b/pg/src/main/java/org/bouncycastle/openpgp/PGPEncryptedDataGenerator.java
@@ -230,10 +230,13 @@ private OutputStream open(
 
         boolean directS2K = !forceSessionKey && methods.size() == 1 &&
             methods.get(0) instanceof PBEKeyEncryptionMethodGenerator; // not public key
+
         boolean isV5StyleAEAD = dataEncryptorBuilder.isV5StyleAEAD(); //v5
-        if (dataEncryptorBuilder.getAeadAlgorithm() != -1 && !isV5StyleAEAD)
+        boolean isSeipdV2 = dataEncryptorBuilder.getAeadAlgorithm() != -1 && !isV5StyleAEAD;
+        if (isSeipdV2)
         {
             sessionKey = PGPUtil.makeRandomKey(defAlgorithm, rand);
+            sessionInfo = createSessionInfo(defAlgorithm, sessionKey);
             // In OpenPGP v6, we need an additional step to derive a message key and IV from the session info.
             // Since we cannot inject the IV into the data encryptor, we append it to the message key.
             byte[] info = SymmetricEncIntegrityPacket.createAAData(
@@ -282,7 +285,7 @@ else if (directS2K)
                 {
                     //https://www.rfc-editor.org/rfc/rfc9580.html#section-3.7.2.1 Table 2
                     //AEAD(HKDF(S2K(passphrase), info), secrets, packetprefix)
-                    writeOpenPGPv6ESKPacket(method, aeadDataEncryptor.getAEADAlgorithm(), sessionKey);
+                    writeOpenPGPv6ESKPacket(method, aeadDataEncryptor.getAEADAlgorithm(), sessionInfo);
                 }
             }
             // OpenPGP v4

diff --git a/pg/src/main/java/org/bouncycastle/openpgp/operator/PBEKeyEncryptionMethodGenerator.java b/pg/src/main/java/org/bouncycastle/openpgp/operator/PBEKeyEncryptionMethodGenerator.java
@@ -201,7 +201,7 @@ private ContainedPacket generateV5ESK(int kekAlgorithm, int aeadAlgorithm, byte[
         return SymmetricKeyEncSessionPacket.createV5Packet(kekAlgorithm, aeadAlgorithm, iv, s2k, esk, tag);
     }
 
-    private ContainedPacket generateV6ESK(int kekAlgorithm, int aeadAlgorithm, byte[] sessionKey)
+    private ContainedPacket generateV6ESK(int kekAlgorithm, int aeadAlgorithm, byte[] sessionInfo)
         throws PGPException
     {
         byte[] ikm = getKey(kekAlgorithm);
@@ -217,6 +217,7 @@ private ContainedPacket generateV6ESK(int kekAlgorithm, int aeadAlgorithm, byte[
         random.nextBytes(iv);
 
         int tagLen = AEADUtils.getAuthTagLength(aeadAlgorithm);
+        byte[] sessionKey = getSessionKey(sessionInfo);
         byte[] eskAndTag = getEskAndTag(kekAlgorithm, aeadAlgorithm, sessionKey, kek, iv, info);
         byte[] esk = Arrays.copyOfRange(eskAndTag, 0, eskAndTag.length - tagLen);
         byte[] tag = Arrays.copyOfRange(eskAndTag, esk.length, eskAndTag.length);