From fba1fb4efba51587cd0a9817af1f3e629caf157a Mon Sep 17 00:00:00 2001
From: Noah Misch <noah@leadboat.com>
Date: Mon, 18 May 2015 10:02:31 -0400
Subject: pgcrypto: Report errant decryption as "Wrong key or corrupt data".

This has been the predominant outcome.  When the output of decrypting
with a wrong key coincidentally resembled an OpenPGP packet header,
pgcrypto could instead report "Corrupt data", "Not text data" or
"Unsupported compression algorithm".  The distinct "Corrupt data"
message added no value.  The latter two error messages misled when the
decrypted payload also exhibited fundamental integrity problems.  Worse,
error message variance in other systems has enabled cryptologic attacks;
see RFC 4880 section "14. Security Considerations".  Whether these
pgcrypto behaviors are likewise exploitable is unknown.

In passing, document that pgcrypto does not resist side-channel attacks.
Back-patch to 9.0 (all supported versions).

Security: CVE-2015-3167
---
 doc/src/sgml/pgcrypto.sgml | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'doc/src')

diff --git a/doc/src/sgml/pgcrypto.sgml b/doc/src/sgml/pgcrypto.sgml
index b0ee4c1e734..b6be0a7e345 100644
--- a/doc/src/sgml/pgcrypto.sgml
+++ b/doc/src/sgml/pgcrypto.sgml
@@ -1244,6 +1244,14 @@ gen_random_uuid() returns uuid
    <para>
     If you cannot, then better do crypto inside client application.
    </para>
+
+   <para>
+    The implementation does not resist
+    <ulink url="http://en.wikipedia.org/wiki/Side-channel_attack">side-channel
+    attacks</ulink>.  For example, the time required for
+    a <filename>pgcrypto</> decryption function to complete varies among
+    ciphertexts of a given size.
+   </para>
   </sect3>
 
   <sect3>
-- 
cgit v1.2.3