When encrypting as follows:
$ gpg2 -c -e -r neal@walfield.org > msg.asc
The passphrase for the symmetric key is initially cached and attempts to decrypt
it succeed immediately. We can trivially ignore this by using a different
gpg-agent:
$ GNUPGHOME=/tmp/foo gpg2 -d msg.asc
Now, if we enter the wrong passphrase, we see something along the lines of:
gpg: AES encrypted session key
gpg: WARNING: server 'gpg-agent' is older than us (2.1.10-beta68 < 2.1.12-beta44)
gpg: encrypted with 1 passphrase
gpg: encrypted with RSA key, ID 6C652598
gpg: decryption failed: Invalid cipher algorithm
Running the above command again doesn't prompt for the password, but again tries
the bad passphrase.
Note: this does not occur if we only use symmetric encryption; there has to be
at least one public key recipient.
Relatedly, in mainproc.c, there is this comment when decrypting the session key:
/* FIXME: This doesn't work perfectly if a symmetric key comes
   before a public key in the message - if the user doesn't know
   the passphrase, then there is a chance that the "decrypted"
   algorithm will happen to be a valid one, which will make the
   returned dek appear valid, so we won't try any public keys
   that come later. */
But we don't actually check that the algorithm is valid. This would be a simple
way to check with about 90% probability that the password is correct.
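
The validity check suggested above, sketched as an added example (this is not GnuPG's code; the function names are hypothetical). It assumes the cipher ID set of RFC 4880 and RFC 5581 and the RFC 4880 layout of the decrypted field (one algorithm octet followed by the session key), and also shows the stricter variant that requires the key length to fit the algorithm; the fraction of wrong passphrases caught depends on which algorithms an implementation accepts.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Key length in bytes per OpenPGP symmetric algorithm ID (RFC 4880 sec. 9.2,
   RFC 5581); 0 = not a usable cipher. Assumed set, not GnuPG's own table. */
static size_t cipher_keylen(uint8_t algo)
{
    switch (algo) {
    case 1: case 3: case 4: case 7: case 11: return 16; /* IDEA, CAST5, Blowfish, AES-128, Camellia-128 */
    case 2: case 8: case 12:                 return 24; /* TripleDES, AES-192, Camellia-192 */
    case 9: case 10: case 13:                return 32; /* AES-256, Twofish, Camellia-256 */
    default:                                 return 0;  /* plaintext, reserved, unknown */
    }
}

/* buf: passphrase-decrypted session key field = algorithm octet + key.
   check_len additionally requires the key length to fit the algorithm.
   Returns 1 if plausible, 0 if the passphrase is almost certainly wrong. */
int skesk_plausible(const uint8_t *buf, size_t len, int check_len)
{
    size_t want = (buf && len >= 2) ? cipher_keylen(buf[0]) : 0;
    if (want == 0)
        return 0;
    return !check_len || want == len - 1;
}

/* How many of the 256 possible first octets are rejected for a field of len bytes. */
int rejected_first_octets(size_t len, int check_len)
{
    uint8_t buf[33] = {0};
    int rejected = 0;
    if (len > sizeof buf)
        return -1;
    for (int a = 0; a < 256; a++) {
        buf[0] = (uint8_t)a;
        rejected += !skesk_plausible(buf, len, check_len);
    }
    return rejected;
}

int main(void)
{
    printf("33-byte field: algo check rejects %d/256, algo+length rejects %d/256\n",
           rejected_first_octets(33, 0), rejected_first_octets(33, 1));
    return 0;
}
```

A field that fails this check should be treated as "wrong passphrase" so that later public-key packets in the message are still tried; a field that passes is only plausible, not proven correct.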