postgresql/contrib/pgcrypto/scripts/pgp_session_data.py

#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Generate PGP data to check the session key length of the input data provided
# to pgp_pub_decrypt_bytea().
#
# First, the crafted data is generated from valid RSA data, freshly generated
# by this script each time it is run, see generate_rsa_keypair().
# Second, the crafted PGP data is built, see build_message_data() and
# build_key_data().  Finally, the resulting SQL script is generated.
#
# This script generates in stdout the SQL file that is used in the regression
# tests of pgcrypto.  The following command can be used to regenerate the file
# which should never be manually manipulated:
# python3 scripts/pgp_session_data.py > sql/pgp-pubkey-session.sql

import os
import re
import struct
import secrets
import sys
import time

# pwn for binary manipulation (p32, p64)
from pwn import *

# Cryptographic libraries, to craft the PGP data.
from Crypto.Cipher import AES
from Crypto.PublicKey import RSA
from Crypto.Util.number import inverse

# AES key used for session key encryption (16 bytes for AES-128)
AES_KEY = b'\x01' * 16

def generate_rsa_keypair(key_size: int = 2048) -> dict:
    """
    Generate a fresh RSA key pair.

    The generated key includes all components needed for PGP operations:
    - n: public modulus (p * q)
    - e: public exponent (typically 65537)
    - d: private exponent (e^-1 mod phi(n))
    - p, q: prime factors of n
    - u: coefficient (p^-1 mod q) for CRT optimization

    The caller can pass the wanted key size in input, for a default of 2048
    bytes.  This function returns the RSA key components, after performing
    some validation on them.
    """

    start_time = time.time()

    # Generate RSA key
    key = RSA.generate(key_size)

    # Extract all key components
    rsa_components = {
        'n': key.n,      # Public modulus (p * q)
        'e': key.e,      # Public exponent (typically 65537)
        'd': key.d,      # Private exponent (e^-1 mod phi(n))
        'p': key.p,      # First prime factor
        'q': key.q,      # Second prime factor
        'u': inverse(key.p, key.q)  # Coefficient for CRT: p^-1 mod q
    }

    # Validate key components for correctness
    validate_rsa_key(rsa_components)

    return rsa_components

def validate_rsa_key(rsa: dict) -> None:
    """
    Validate a generated RSA key.

    This function performs basic validation to ensure the RSA key is properly
    constructed and all components are consistent, at least mathematically.

    Validations performed:
    1. n = p * q (modulus is product of primes)
    2. gcd(e, phi(n)) = 1 (public exponent is coprime to phi(n))
    3. (d * e) mod(phi(n)) = 1 (private exponent is multiplicative inverse)
    4. (u * p) (mod q) = 1 (coefficient is correct for CRT)
    """

    n, e, d, p, q, u = rsa['n'], rsa['e'], rsa['d'], rsa['p'], rsa['q'], rsa['u']

    # Check that n = p * q
    if n != p * q:
        raise ValueError("RSA validation failed: n <> p * q")

    # Check that p and q are different
    if p == q:
        raise ValueError("RSA validation failed: p = q (not allowed)")

    # Calculate phi(n) = (p-1)(q-1)
    phi_n = (p - 1) * (q - 1)

    # Check that gcd(e, phi(n)) = 1
    def gcd(a, b):
        while b:
            a, b = b, a % b
        return a

    if gcd(e, phi_n) != 1:
        raise ValueError("RSA validation failed: gcd(e, phi(n)) <> 1")

    # Check that (d * e) mod(phi(n)) = 1
    if (d * e) % phi_n != 1:
        raise ValueError("RSA validation failed: d * e <> 1 (mod phi(n))")

    # Check that (u * p) (mod q) = 1
    if (u * p) % q != 1:
        raise ValueError("RSA validation failed: u * p <> 1 (mod q)")

def mpi_encode(x: int) -> bytes:
    """
    Encode an integer as an OpenPGP Multi-Precision Integer (MPI).

    Format (RFC 4880, Section 3.2):
    - 2 bytes: bit length of the integer (big-endian)
    - N bytes: the integer in big-endian format

    This is used to encode RSA key components (n, e, d, p, q, u) in PGP
    packets.

    The integer to encode is given in input, returning an MPI-encoded
    integer.

    For example:
        mpi_encode(65537) -> b'\x00\x11\x01\x00\x01'
        (17 bits, value 0x010001)
    """
    if x < 0:
        raise ValueError("MPI cannot encode negative integers")

    if x == 0:
        # Special case: zero has 0 bits and empty magnitude
        bits = 0
        mag = b""
    else:
        # Calculate bit length and convert to bytes
        bits = x.bit_length()
        mag = x.to_bytes((bits + 7) // 8, 'big')

    # Pack: 2-byte bit length + magnitude bytes
    return struct.pack('>H', bits) + mag

def new_packet(tag: int, payload: bytes) -> bytes:
    """
    Create a new OpenPGP packet with a proper header.

    OpenPGP packet format (RFC 4880, Section 4.2):
    - New packet format: 0xC0 | tag
    - Length encoding depends on payload size:
      * 0-191: single byte
      * 192-8383: two bytes (192 + ((length - 192) >> 8), (length - 192) & 0xFF)
      * 8384+: five bytes (0xFF + 4-byte big-endian length)

    The packet is built from a "tag" (1-63) and some "payload" data.  The
    result generated is a complete OpenPGP packet.

    For example:
        new_packet(1, b'data') -> b'\xC1\x04data'
        (Tag 1, length 4, payload 'data')
    """
    # New packet format: set bit 7 and 6, clear bit 5, tag in bits 0-5
    first = 0xC0 | (tag & 0x3F)
    ln = len(payload)

    # Encode length according to OpenPGP specification
    if ln <= 191:
        # Single byte length for small packets
        llen = bytes([ln])
    elif ln <= 8383:
        # Two-byte length for medium packets
        ln2 = ln - 192
        llen = bytes([192 + (ln2 >> 8), ln2 & 0xFF])
    else:
        # Five-byte length for large packets
        llen = bytes([255]) + struct.pack('>I', ln)

    return bytes([first]) + llen + payload

def build_key_data(rsa: dict) -> bytes:
    """
    Build the key data, containing an RSA private key.

    The RSA contents should have been generated previously.

    Format (see RFC 4880, Section 5.5.3):
    - 1 byte: version (4)
    - 4 bytes: creation time (current Unix timestamp)
    - 1 byte: public key algorithm (2 = RSA encrypt)
    - MPI: RSA public modulus n
    - MPI: RSA public exponent e
    - 1 byte: string-to-key usage (0 = no encryption)
    - MPI: RSA private exponent d
    - MPI: RSA prime p
    - MPI: RSA prime q
    - MPI: RSA coefficient u = p^-1 mod q
    - 2 bytes: checksum of private key material

    This function takes a set of RSA key components in input (n, e, d, p, q, u)
    and returns a secret key packet.
    """

    # Public key portion
    ver = bytes([4])                           # Version 4 key
    ctime = struct.pack('>I', int(time.time())) # Current Unix timestamp
    algo = bytes([2])                          # RSA encrypt algorithm
    n_mpi = mpi_encode(rsa['n'])               # Public modulus
    e_mpi = mpi_encode(rsa['e'])               # Public exponent
    pub = ver + ctime + algo + n_mpi + e_mpi

    # Private key portion
    hide_type = bytes([0])              # No string-to-key encryption
    d_mpi = mpi_encode(rsa['d'])        # Private exponent
    p_mpi = mpi_encode(rsa['p'])        # Prime p
    q_mpi = mpi_encode(rsa['q'])        # Prime q
    u_mpi = mpi_encode(rsa['u'])        # Coefficient u = p^-1 mod q

    # Calculate checksum of private key material (simple sum mod 65536)
    private_data = d_mpi + p_mpi + q_mpi + u_mpi
    cksum = sum(private_data) & 0xFFFF

    secret = hide_type + private_data + struct.pack('>H', cksum)
    payload = pub + secret

    return new_packet(7, payload)

def pgp_cfb_encrypt_resync(key, plaintext):
    """
    Implement OpenPGP CFB mode with resync.

    OpenPGP CFB mode is a variant of standard CFB with a resync operation
    after the first two blocks.

    Algorithm (RFC 4880, Section 13.9):
    1. Block 1: FR=zeros, encrypt full block_size bytes
    2. Block 2: FR=block1, encrypt only 2 bytes
    3. Resync: FR = block1[2:] + block2
    4. Remaining blocks: standard CFB mode

    This function uses the following arguments:
    - key: AES encryption key (16 bytes for AES-128)
    - plaintext: Data to encrypt
    """
    block_size = 16  # AES block size
    cipher = AES.new(key[:16], AES.MODE_ECB)  # Use ECB for manual CFB
    ciphertext = b''

    # Block 1: FR=zeros, encrypt full 16 bytes
    FR = b'\x00' * block_size
    FRE = cipher.encrypt(FR)  # Encrypt the feedback register
    block1 = bytes(a ^ b for a, b in zip(FRE, plaintext[0:16]))
    ciphertext += block1

    # Block 2: FR=block1, encrypt only 2 bytes
    FR = block1
    FRE = cipher.encrypt(FR)
    block2 = bytes(a ^ b for a, b in zip(FRE[0:2], plaintext[16:18]))
    ciphertext += block2

    # Resync: FR = block1[2:16] + block2[0:2]
    # This is the key difference from standard CFB mode
    FR = block1[2:] + block2

    # Block 3+: Continue with standard CFB mode
    pos = 18
    while pos < len(plaintext):
        FRE = cipher.encrypt(FR)
        chunk_len = min(block_size, len(plaintext) - pos)
        chunk = plaintext[pos:pos+chunk_len]
        enc_chunk = bytes(a ^ b for a, b in zip(FRE[:chunk_len], chunk))
        ciphertext += enc_chunk

        # Update feedback register for next iteration
        if chunk_len == block_size:
            FR = enc_chunk
        else:
            # Partial block: pad with old FR bytes
            FR = enc_chunk + FR[chunk_len:]
        pos += chunk_len

    return ciphertext

def build_literal_data_packet(data: bytes) -> bytes:
    """
    Build a literal data packet containing a message.

    Format (RFC 4880, Section 5.9):
    - 1 byte: data format ('b' = binary, 't' = text, 'u' = UTF-8 text)
    - 1 byte: filename length (0 = no filename)
    - N bytes: filename (empty in this case)
    - 4 bytes: date (current Unix timestamp)
    - M bytes: literal data

    The data used to build the packet is given in input, with the generated
    result returned.
    """
    body = bytes([
        ord('b'),                              # Binary data format
        0,                                     # Filename length (0 = no filename)
    ]) + struct.pack('>I', int(time.time())) + data  # Current timestamp + data

    return new_packet(11, body)

def build_symenc_data_packet(sess_key: bytes, cipher_algo: int, payload: bytes) -> bytes:
    """
    Build a symmetrically-encrypted data packet using AES-128-CFB.

    This packet contains encrypted data using the session key. The format
    includes a random prefix, for security (see RFC 4880, Section 5.7).

    Packet structure:
    - Random prefix (block_size bytes)
    - Prefix repeat (last 2 bytes of prefix repeated)
    - Encrypted literal data packet

    This function uses the following set of arguments:
    - sess_key: Session key for encryption
    - cipher_algo: Cipher algorithm identifier (7 = AES-128)
    - payload: Data to encrypt (wrapped in literal data packet)
    """
    block_size = 16  # AES-128 block size
    key = sess_key[:16]  # Use first 16 bytes for AES-128

    # Create random prefix + repeat last 2 bytes (total 18 bytes)
    # This is required by OpenPGP for integrity checking
    prefix_random = secrets.token_bytes(block_size)
    prefix = prefix_random + prefix_random[-2:]  # 18 bytes total

    # Wrap payload in literal data packet
    literal_pkt = build_literal_data_packet(payload)

    # Plaintext = prefix + literal data packet
    plaintext = prefix + literal_pkt

    # Encrypt using OpenPGP CFB mode with resync
    ciphertext = pgp_cfb_encrypt_resync(key, plaintext)

    return new_packet(9, ciphertext)

def build_tag1_packet(rsa: dict, sess_key: bytes) -> bytes:
    """
    Build a public-key encrypted key.

    This is a very important function, as it is able to create the packet
    triggering the overflow check.  This function can also be used to create
    "legit" packet data.

    Format (RFC 4880, Section 5.1):
    - 1 byte: version (3)
    - 8 bytes: key ID (0 = any key accepted)
    - 1 byte: public key algorithm (2 = RSA encrypt)
    - MPI: RSA-encrypted session key

    This uses in arguments the generated RSA key pair, and the session key
    to encrypt.  The latter is manipulated to trigger the overflow.

    This function returns a complete packet encrypted by a session key.
    """

    # Calculate RSA modulus size in bytes
    n_bytes = (rsa['n'].bit_length() + 7) // 8

    # Session key message format:
    # - 1 byte: symmetric cipher algorithm (7 = AES-128)
    # - N bytes: session key
    # - 2 bytes: checksum (simple sum of session key bytes)
    algo_byte = bytes([7])  # AES-128 algorithm identifier
    cksum = sum(sess_key) & 0xFFFF  # 16-bit checksum
    M = algo_byte + sess_key + struct.pack('>H', cksum)

    # PKCS#1 v1.5 padding construction
    # Format: 0x02 || PS || 0x00 || M
    # Total padded message must be exactly n_bytes long.
    total_len = n_bytes  # Total length must equal modulus size in bytes
    ps_len = total_len - len(M) - 2  # Subtract 2 for 0x02 and 0x00 bytes

    if ps_len < 8:
        raise ValueError(f"Padding string too short ({ps_len} bytes); need at least 8 bytes. "
                        f"Message length: {len(M)}, Modulus size: {n_bytes} bytes")

    # Create padding string with *ALL* bytes being 0xFF (no zero separator!)
    PS = bytes([0xFF]) * ps_len

    # Construct the complete padded message
    # Normal PKCS#1 v1.5 padding: 0x02 || PS || 0x00 || M
    padded = bytes([0x02]) + PS + bytes([0x00]) + M

    # Verify padding construction
    if len(padded) != n_bytes:
        raise ValueError(f"Padded message length ({len(padded)}) doesn't match RSA modulus size ({n_bytes})")

    # Convert padded message to integer and encrypt with RSA
    m_int = int.from_bytes(padded, 'big')

    # Ensure message is smaller than modulus (required for RSA)
    if m_int >= rsa['n']:
        raise ValueError("Padded message is larger than RSA modulus")

    # RSA encryption: c = m^e mod n
    c_int = pow(m_int, rsa['e'], rsa['n'])

    # Encode encrypted result as MPI
    c_mpi = mpi_encode(c_int)

    # Build complete packet
    ver = bytes([3])           # Version 3 packet
    key_id = b"\x00" * 8      # Key ID (0 = any key accepted)
    algo = bytes([2])         # RSA encrypt algorithm
    payload = ver + key_id + algo + c_mpi

    return new_packet(1, payload)

def build_message_data(rsa: dict) -> bytes:
    """
    This function creates a crafted message, with a long session key
    length.

    This takes in input the RSA key components generated previously,
    returning a concatenated set of PGP packets crafted for the purpose
    of this test.
    """

    # Base prefix for session key (AES key + padding + size).
    # Note that the crafted size is the important part for this test.
    prefix = AES_KEY + b"\x00" * 16 + p32(0x10)

    # Build encrypted data packet, legit.
    sedata = build_symenc_data_packet(AES_KEY, cipher_algo=7, payload=b"\x0a\x00")

    # Build multiple packets
    packets = [
        # First packet, legit.
        build_tag1_packet(rsa, prefix),

        # Encrypted data packet, legit.
        sedata,

        # Second packet: information payload.
        #
        # This packet contains a longer-crafted session key, able to trigger
        # the overflow check in pgcrypto.  This is the critical part, and
        # and you are right to pay a lot of attention here if you are
        # reading this code.
        build_tag1_packet(rsa, prefix)
    ]

    return b"".join(packets)

def main():
    # Default key size.
    # This number can be set to a higher number if wanted, like 4096.  We
    # just do not need to do that here.
    key_size = 2048

    # Generate fresh RSA key pair
    rsa = generate_rsa_keypair(key_size)

    # Generate the message data.
    print("### Building message data", file=sys.stderr)
    message_data = build_message_data(rsa)

    # Build the key containing the RSA private key
    print("### Building key data", file=sys.stderr)
    key_data = build_key_data(rsa)

    # Convert to hexadecimal, for the bytea used in the SQL file.
    message_data = message_data.hex()
    key_data = key_data.hex()

    # Split each value into lines of 72 characters, for readability.
    message_data = re.sub("(.{72})", "\\1\n", message_data, 0, re.DOTALL)
    key_data = re.sub("(.{72})", "\\1\n", key_data, 0, re.DOTALL)

    # Get the script filename for documentation
    file_basename = os.path.basename(__file__)

    # Output the SQL test case
    print(f'''-- Test for overflow with session key at decrypt.
-- Data automatically generated by scripts/{file_basename}.
-- See this file for details explaining how this data is generated.
SELECT pgp_pub_decrypt_bytea(
'\\x{message_data}'::bytea,
'\\x{key_data}'::bytea);''',
          file=sys.stdout)

if __name__ == "__main__":
    main()
pgcrypto: Fix buffer overflow in pgp_pub_decrypt_bytea() pgp_pub_decrypt_bytea() was missing a safeguard for the session key length read from the message data, that can be given in input of pgp_pub_decrypt_bytea(). This can result in the possibility of a buffer overflow for the session key data, when the length specified is longer than PGP_MAX_KEY, which is the maximum size of the buffer where the session data is copied to. A script able to rebuild the message and key data that can trigger the overflow is included in this commit, based on some contents provided by the reporter, heavily editted by me. A SQL test is added, based on the data generated by the script. Reported-by: Team Xint Code as part of zeroday.cloud Author: Michael Paquier <michael@paquier.xyz> Reviewed-by: Noah Misch <noah@leadboat.com> Security: CVE-2026-2005 Backpatch-through: 14 2026-02-08 18:00:59 -05:00			`#!/usr/bin/python`
			`# -- coding: utf-8 --`
			`#`
			`# Generate PGP data to check the session key length of the input data provided`
			`# to pgp_pub_decrypt_bytea().`
			`#`
			`# First, the crafted data is generated from valid RSA data, freshly generated`
			`# by this script each time it is run, see generate_rsa_keypair().`
			`# Second, the crafted PGP data is built, see build_message_data() and`
			`# build_key_data(). Finally, the resulting SQL script is generated.`
			`#`
			`# This script generates in stdout the SQL file that is used in the regression`
			`# tests of pgcrypto. The following command can be used to regenerate the file`
			`# which should never be manually manipulated:`
			`# python3 scripts/pgp_session_data.py > sql/pgp-pubkey-session.sql`

			`import os`
			`import re`
			`import struct`
			`import secrets`
			`import sys`
			`import time`

			`# pwn for binary manipulation (p32, p64)`
			`from pwn import *`

			`# Cryptographic libraries, to craft the PGP data.`
			`from Crypto.Cipher import AES`
			`from Crypto.PublicKey import RSA`
			`from Crypto.Util.number import inverse`

			`# AES key used for session key encryption (16 bytes for AES-128)`
			`AES_KEY = b'\x01' * 16`

			`def generate_rsa_keypair(key_size: int = 2048) -> dict:`
			`"""`
			`Generate a fresh RSA key pair.`

			`The generated key includes all components needed for PGP operations:`
			`- n: public modulus (p * q)`
			`- e: public exponent (typically 65537)`
			`- d: private exponent (e^-1 mod phi(n))`
			`- p, q: prime factors of n`
			`- u: coefficient (p^-1 mod q) for CRT optimization`

			`The caller can pass the wanted key size in input, for a default of 2048`
			`bytes. This function returns the RSA key components, after performing`
			`some validation on them.`
			`"""`

			`start_time = time.time()`

			`# Generate RSA key`
			`key = RSA.generate(key_size)`

			`# Extract all key components`
			`rsa_components = {`
			`'n': key.n, # Public modulus (p * q)`
			`'e': key.e, # Public exponent (typically 65537)`
			`'d': key.d, # Private exponent (e^-1 mod phi(n))`
			`'p': key.p, # First prime factor`
			`'q': key.q, # Second prime factor`
			`'u': inverse(key.p, key.q) # Coefficient for CRT: p^-1 mod q`
			`}`

			`# Validate key components for correctness`
			`validate_rsa_key(rsa_components)`

			`return rsa_components`

			`def validate_rsa_key(rsa: dict) -> None:`
			`"""`
			`Validate a generated RSA key.`

			`This function performs basic validation to ensure the RSA key is properly`
			`constructed and all components are consistent, at least mathematically.`

			`Validations performed:`
			`1. n = p * q (modulus is product of primes)`
			`2. gcd(e, phi(n)) = 1 (public exponent is coprime to phi(n))`
			`3. (d * e) mod(phi(n)) = 1 (private exponent is multiplicative inverse)`
			`4. (u * p) (mod q) = 1 (coefficient is correct for CRT)`
			`"""`

			`n, e, d, p, q, u = rsa['n'], rsa['e'], rsa['d'], rsa['p'], rsa['q'], rsa['u']`

			`# Check that n = p * q`
			`if n != p * q:`
			`raise ValueError("RSA validation failed: n <> p * q")`

			`# Check that p and q are different`
			`if p == q:`
			`raise ValueError("RSA validation failed: p = q (not allowed)")`

			`# Calculate phi(n) = (p-1)(q-1)`
			`phi_n = (p - 1) * (q - 1)`

			`# Check that gcd(e, phi(n)) = 1`
			`def gcd(a, b):`
			`while b:`
			`a, b = b, a % b`
			`return a`

			`if gcd(e, phi_n) != 1:`
			`raise ValueError("RSA validation failed: gcd(e, phi(n)) <> 1")`

			`# Check that (d * e) mod(phi(n)) = 1`
			`if (d * e) % phi_n != 1:`
			`raise ValueError("RSA validation failed: d * e <> 1 (mod phi(n))")`

			`# Check that (u * p) (mod q) = 1`
			`if (u * p) % q != 1:`
			`raise ValueError("RSA validation failed: u * p <> 1 (mod q)")`

			`def mpi_encode(x: int) -> bytes:`
			`"""`
			`Encode an integer as an OpenPGP Multi-Precision Integer (MPI).`

			`Format (RFC 4880, Section 3.2):`
			`- 2 bytes: bit length of the integer (big-endian)`
			`- N bytes: the integer in big-endian format`

			`This is used to encode RSA key components (n, e, d, p, q, u) in PGP`
			`packets.`

			`The integer to encode is given in input, returning an MPI-encoded`
			`integer.`

			`For example:`
			`mpi_encode(65537) -> b'\x00\x11\x01\x00\x01'`
			`(17 bits, value 0x010001)`
			`"""`
			`if x < 0:`
			`raise ValueError("MPI cannot encode negative integers")`

			`if x == 0:`
			`# Special case: zero has 0 bits and empty magnitude`
			`bits = 0`
			`mag = b""`
			`else:`
			`# Calculate bit length and convert to bytes`
			`bits = x.bit_length()`
			`mag = x.to_bytes((bits + 7) // 8, 'big')`

			`# Pack: 2-byte bit length + magnitude bytes`
			`return struct.pack('>H', bits) + mag`

			`def new_packet(tag: int, payload: bytes) -> bytes:`
			`"""`
			`Create a new OpenPGP packet with a proper header.`

			`OpenPGP packet format (RFC 4880, Section 4.2):`
			`- New packet format: 0xC0 \| tag`
			`- Length encoding depends on payload size:`
			`* 0-191: single byte`
			`* 192-8383: two bytes (192 + ((length - 192) >> 8), (length - 192) & 0xFF)`
			`* 8384+: five bytes (0xFF + 4-byte big-endian length)`

			`The packet is built from a "tag" (1-63) and some "payload" data. The`
			`result generated is a complete OpenPGP packet.`

			`For example:`
			`new_packet(1, b'data') -> b'\xC1\x04data'`
			`(Tag 1, length 4, payload 'data')`
			`"""`
			`# New packet format: set bit 7 and 6, clear bit 5, tag in bits 0-5`
			`first = 0xC0 \| (tag & 0x3F)`
			`ln = len(payload)`

			`# Encode length according to OpenPGP specification`
			`if ln <= 191:`
			`# Single byte length for small packets`
			`llen = bytes([ln])`
			`elif ln <= 8383:`
			`# Two-byte length for medium packets`
			`ln2 = ln - 192`
			`llen = bytes([192 + (ln2 >> 8), ln2 & 0xFF])`
			`else:`
			`# Five-byte length for large packets`
			`llen = bytes([255]) + struct.pack('>I', ln)`

			`return bytes([first]) + llen + payload`

			`def build_key_data(rsa: dict) -> bytes:`
			`"""`
			`Build the key data, containing an RSA private key.`

			`The RSA contents should have been generated previously.`

			`Format (see RFC 4880, Section 5.5.3):`
			`- 1 byte: version (4)`
			`- 4 bytes: creation time (current Unix timestamp)`
			`- 1 byte: public key algorithm (2 = RSA encrypt)`
			`- MPI: RSA public modulus n`
			`- MPI: RSA public exponent e`
			`- 1 byte: string-to-key usage (0 = no encryption)`
			`- MPI: RSA private exponent d`
			`- MPI: RSA prime p`
			`- MPI: RSA prime q`
			`- MPI: RSA coefficient u = p^-1 mod q`
			`- 2 bytes: checksum of private key material`

			`This function takes a set of RSA key components in input (n, e, d, p, q, u)`
			`and returns a secret key packet.`
			`"""`

			`# Public key portion`
			`ver = bytes([4]) # Version 4 key`
			`ctime = struct.pack('>I', int(time.time())) # Current Unix timestamp`
			`algo = bytes([2]) # RSA encrypt algorithm`
			`n_mpi = mpi_encode(rsa['n']) # Public modulus`
			`e_mpi = mpi_encode(rsa['e']) # Public exponent`
			`pub = ver + ctime + algo + n_mpi + e_mpi`

			`# Private key portion`
			`hide_type = bytes([0]) # No string-to-key encryption`
			`d_mpi = mpi_encode(rsa['d']) # Private exponent`
			`p_mpi = mpi_encode(rsa['p']) # Prime p`
			`q_mpi = mpi_encode(rsa['q']) # Prime q`
			`u_mpi = mpi_encode(rsa['u']) # Coefficient u = p^-1 mod q`

			`# Calculate checksum of private key material (simple sum mod 65536)`
			`private_data = d_mpi + p_mpi + q_mpi + u_mpi`
			`cksum = sum(private_data) & 0xFFFF`

			`secret = hide_type + private_data + struct.pack('>H', cksum)`
			`payload = pub + secret`

			`return new_packet(7, payload)`

			`def pgp_cfb_encrypt_resync(key, plaintext):`
			`"""`
			`Implement OpenPGP CFB mode with resync.`

			`OpenPGP CFB mode is a variant of standard CFB with a resync operation`
			`after the first two blocks.`

			`Algorithm (RFC 4880, Section 13.9):`
			`1. Block 1: FR=zeros, encrypt full block_size bytes`
			`2. Block 2: FR=block1, encrypt only 2 bytes`
			`3. Resync: FR = block1[2:] + block2`
			`4. Remaining blocks: standard CFB mode`

			`This function uses the following arguments:`
			`- key: AES encryption key (16 bytes for AES-128)`
			`- plaintext: Data to encrypt`
			`"""`
			`block_size = 16 # AES block size`
			`cipher = AES.new(key[:16], AES.MODE_ECB) # Use ECB for manual CFB`
			`ciphertext = b''`

			`# Block 1: FR=zeros, encrypt full 16 bytes`
			`FR = b'\x00' * block_size`
			`FRE = cipher.encrypt(FR) # Encrypt the feedback register`
			`block1 = bytes(a ^ b for a, b in zip(FRE, plaintext[0:16]))`
			`ciphertext += block1`

			`# Block 2: FR=block1, encrypt only 2 bytes`
			`FR = block1`
			`FRE = cipher.encrypt(FR)`
			`block2 = bytes(a ^ b for a, b in zip(FRE[0:2], plaintext[16:18]))`
			`ciphertext += block2`

			`# Resync: FR = block1[2:16] + block2[0:2]`
			`# This is the key difference from standard CFB mode`
			`FR = block1[2:] + block2`

			`# Block 3+: Continue with standard CFB mode`
			`pos = 18`
			`while pos < len(plaintext):`
			`FRE = cipher.encrypt(FR)`
			`chunk_len = min(block_size, len(plaintext) - pos)`
			`chunk = plaintext[pos:pos+chunk_len]`
			`enc_chunk = bytes(a ^ b for a, b in zip(FRE[:chunk_len], chunk))`
			`ciphertext += enc_chunk`

			`# Update feedback register for next iteration`
			`if chunk_len == block_size:`
			`FR = enc_chunk`
			`else:`
			`# Partial block: pad with old FR bytes`
			`FR = enc_chunk + FR[chunk_len:]`
			`pos += chunk_len`

			`return ciphertext`

			`def build_literal_data_packet(data: bytes) -> bytes:`
			`"""`
			`Build a literal data packet containing a message.`

			`Format (RFC 4880, Section 5.9):`
			`- 1 byte: data format ('b' = binary, 't' = text, 'u' = UTF-8 text)`
			`- 1 byte: filename length (0 = no filename)`
			`- N bytes: filename (empty in this case)`
			`- 4 bytes: date (current Unix timestamp)`
			`- M bytes: literal data`

			`The data used to build the packet is given in input, with the generated`
			`result returned.`
			`"""`
			`body = bytes([`
			`ord('b'), # Binary data format`
			`0, # Filename length (0 = no filename)`
			`]) + struct.pack('>I', int(time.time())) + data # Current timestamp + data`

			`return new_packet(11, body)`

			`def build_symenc_data_packet(sess_key: bytes, cipher_algo: int, payload: bytes) -> bytes:`
			`"""`
			`Build a symmetrically-encrypted data packet using AES-128-CFB.`

			`This packet contains encrypted data using the session key. The format`
			`includes a random prefix, for security (see RFC 4880, Section 5.7).`

			`Packet structure:`
			`- Random prefix (block_size bytes)`
			`- Prefix repeat (last 2 bytes of prefix repeated)`
			`- Encrypted literal data packet`

			`This function uses the following set of arguments:`
			`- sess_key: Session key for encryption`
			`- cipher_algo: Cipher algorithm identifier (7 = AES-128)`
			`- payload: Data to encrypt (wrapped in literal data packet)`
			`"""`
			`block_size = 16 # AES-128 block size`
			`key = sess_key[:16] # Use first 16 bytes for AES-128`

			`# Create random prefix + repeat last 2 bytes (total 18 bytes)`
			`# This is required by OpenPGP for integrity checking`
			`prefix_random = secrets.token_bytes(block_size)`
			`prefix = prefix_random + prefix_random[-2:] # 18 bytes total`

			`# Wrap payload in literal data packet`
			`literal_pkt = build_literal_data_packet(payload)`

			`# Plaintext = prefix + literal data packet`
			`plaintext = prefix + literal_pkt`

			`# Encrypt using OpenPGP CFB mode with resync`
			`ciphertext = pgp_cfb_encrypt_resync(key, plaintext)`

			`return new_packet(9, ciphertext)`

			`def build_tag1_packet(rsa: dict, sess_key: bytes) -> bytes:`
			`"""`
			`Build a public-key encrypted key.`

			`This is a very important function, as it is able to create the packet`
			`triggering the overflow check. This function can also be used to create`
			`"legit" packet data.`

			`Format (RFC 4880, Section 5.1):`
			`- 1 byte: version (3)`
			`- 8 bytes: key ID (0 = any key accepted)`
			`- 1 byte: public key algorithm (2 = RSA encrypt)`
			`- MPI: RSA-encrypted session key`

			`This uses in arguments the generated RSA key pair, and the session key`
			`to encrypt. The latter is manipulated to trigger the overflow.`

			`This function returns a complete packet encrypted by a session key.`
			`"""`

			`# Calculate RSA modulus size in bytes`
			`n_bytes = (rsa['n'].bit_length() + 7) // 8`

			`# Session key message format:`
			`# - 1 byte: symmetric cipher algorithm (7 = AES-128)`
			`# - N bytes: session key`
			`# - 2 bytes: checksum (simple sum of session key bytes)`
			`algo_byte = bytes([7]) # AES-128 algorithm identifier`
			`cksum = sum(sess_key) & 0xFFFF # 16-bit checksum`
			`M = algo_byte + sess_key + struct.pack('>H', cksum)`

			`# PKCS#1 v1.5 padding construction`
			`# Format: 0x02 \|\| PS \|\| 0x00 \|\| M`
			`# Total padded message must be exactly n_bytes long.`
			`total_len = n_bytes # Total length must equal modulus size in bytes`
			`ps_len = total_len - len(M) - 2 # Subtract 2 for 0x02 and 0x00 bytes`

			`if ps_len < 8:`
			`raise ValueError(f"Padding string too short ({ps_len} bytes); need at least 8 bytes. "`
			`f"Message length: {len(M)}, Modulus size: {n_bytes} bytes")`

			`# Create padding string with ALL bytes being 0xFF (no zero separator!)`
			`PS = bytes([0xFF]) * ps_len`

			`# Construct the complete padded message`
			`# Normal PKCS#1 v1.5 padding: 0x02 \|\| PS \|\| 0x00 \|\| M`
			`padded = bytes([0x02]) + PS + bytes([0x00]) + M`

			`# Verify padding construction`
			`if len(padded) != n_bytes:`
			`raise ValueError(f"Padded message length ({len(padded)}) doesn't match RSA modulus size ({n_bytes})")`

			`# Convert padded message to integer and encrypt with RSA`
			`m_int = int.from_bytes(padded, 'big')`

			`# Ensure message is smaller than modulus (required for RSA)`
			`if m_int >= rsa['n']:`
			`raise ValueError("Padded message is larger than RSA modulus")`

			`# RSA encryption: c = m^e mod n`
			`c_int = pow(m_int, rsa['e'], rsa['n'])`

			`# Encode encrypted result as MPI`
			`c_mpi = mpi_encode(c_int)`

			`# Build complete packet`
			`ver = bytes([3]) # Version 3 packet`
			`key_id = b"\x00" * 8 # Key ID (0 = any key accepted)`
			`algo = bytes([2]) # RSA encrypt algorithm`
			`payload = ver + key_id + algo + c_mpi`

			`return new_packet(1, payload)`

			`def build_message_data(rsa: dict) -> bytes:`
			`"""`
			`This function creates a crafted message, with a long session key`
			`length.`

			`This takes in input the RSA key components generated previously,`
			`returning a concatenated set of PGP packets crafted for the purpose`
			`of this test.`
			`"""`

			`# Base prefix for session key (AES key + padding + size).`
			`# Note that the crafted size is the important part for this test.`
			`prefix = AES_KEY + b"\x00" * 16 + p32(0x10)`

			`# Build encrypted data packet, legit.`
			`sedata = build_symenc_data_packet(AES_KEY, cipher_algo=7, payload=b"\x0a\x00")`

			`# Build multiple packets`
			`packets = [`
			`# First packet, legit.`
			`build_tag1_packet(rsa, prefix),`

			`# Encrypted data packet, legit.`
			`sedata,`

			`# Second packet: information payload.`
			`#`
			`# This packet contains a longer-crafted session key, able to trigger`
			`# the overflow check in pgcrypto. This is the critical part, and`
			`# and you are right to pay a lot of attention here if you are`
			`# reading this code.`
			`build_tag1_packet(rsa, prefix)`
			`]`

			`return b"".join(packets)`

			`def main():`
			`# Default key size.`
			`# This number can be set to a higher number if wanted, like 4096. We`
			`# just do not need to do that here.`
			`key_size = 2048`

			`# Generate fresh RSA key pair`
			`rsa = generate_rsa_keypair(key_size)`

			`# Generate the message data.`
			`print("### Building message data", file=sys.stderr)`
			`message_data = build_message_data(rsa)`

			`# Build the key containing the RSA private key`
			`print("### Building key data", file=sys.stderr)`
			`key_data = build_key_data(rsa)`

			`# Convert to hexadecimal, for the bytea used in the SQL file.`
			`message_data = message_data.hex()`
			`key_data = key_data.hex()`

			`# Split each value into lines of 72 characters, for readability.`
			`message_data = re.sub("(.{72})", "\\1\n", message_data, 0, re.DOTALL)`
			`key_data = re.sub("(.{72})", "\\1\n", key_data, 0, re.DOTALL)`

			`# Get the script filename for documentation`
			`file_basename = os.path.basename(__file__)`

			`# Output the SQL test case`
			`print(f'''-- Test for overflow with session key at decrypt.`
			`-- Data automatically generated by scripts/{file_basename}.`
			`-- See this file for details explaining how this data is generated.`
			`SELECT pgp_pub_decrypt_bytea(`
			`'\\x{message_data}'::bytea,`
			`'\\x{key_data}'::bytea);''',`
			`file=sys.stdout)`

			`if __name__ == "__main__":`
			`main()`