Page MenuHome GnuPG
Create Task
Maniphest T2953

scdaemon fails to decrypt if unusual key-size is chosen
Open, NormalPublic
Actions

Details

External Link
https://lists.gnupg.org/pipermail/gnupg-users/2017-February/057637.html

Event Timeline

bslbckr set External Link to https://lists.gnupg.org/pipermail/gnupg-users/2017-February/057637.html.Feb 9 2017, 8:42 PM
bslbckr added a subscriber: bslbckr.

950_scdaemon-fail.log3 KBDownload

bslbckr added projects: scd, gnupg, Bug Report.Feb 9 2017, 8:42 PM

951_scdaemon-success.log3 KBDownload

bslbckr added a comment.Feb 9 2017, 8:46 PM

I'm having trouble decrypting some mails. I use an encryption sub-key with a
unusual length of 3104 bits. I described my problem in the gnupg-users mailing
list and there the following problem was identified:
<quote>
I think that it is deterministic; The cause is that the RSA keysize is
not the one in the set of: 1024, 1536, 2048, 3072, 4096. When data to
be decrypted is padded, scdaemon can't decrypt, I suppose.

I am not sure the exact reason why scdaemon only supports limited set of
keysize for encryption. But we have this handling of padding in the
current code:




https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=scd/app-openpgp.c;h=71c9e1b83003af07b0984688ba1ec5e9013b877c;hb=refs/heads/master#l4334



       /* We might encounter a couple of leading zeroes in the
          cryptogram.  Due to internal use of MPIs these leading zeroes
          are stripped.  However the OpenPGP card expects exactly 128
          bytes for the cryptogram (for a 1k key).  Thus we need to fix
          it up.  We do this for up to 16 leading zero bytes; a
          cryptogram with more than this is with a very high
          probability anyway broken.  If a signed conversion was used
          we may also encounter one leading zero followed by the correct
          length.  We fix that as well.  */
       if (indatalen >= (128-16) && indatalen < 128)      /* 1024 bit key.  */
         fixuplen = 128 - indatalen;
       else if (indatalen >= (192-16) && indatalen < 192) /* 1536 bit key.  */
         fixuplen = 192 - indatalen;
       else if (indatalen >= (256-16) && indatalen < 256) /* 2048 bit key.  */
         fixuplen = 256 - indatalen;
       else if (indatalen >= (384-16) && indatalen < 384) /* 3072 bit key.  */
         fixuplen = 384 - indatalen;
       else if (indatalen >= (512-16) && indatalen < 512) /* 4096 bit key.  */
         fixuplen = 512 - indatalen;
       else if (!*(const char *)indata && (indatalen == 129
                                           || indatalen == 193
                                           || indatalen == 257
                                           || indatalen == 385
                                           || indatalen == 513))
         fixuplen = -1;
       else
         fixuplen = 0;



Perhaps, it was due to support all existing OpenPGP card

implementations, I mean, somehow historical, and it was easier to list

up specific keysizes.



This should be fixed.

</quote>



I also attached to log-files of the scdaemon. One for a successful and one for a

failed decryption attempt.



Please let me know if you need any additional information.
 werner lowered the priority of this task from High to Normal.Feb 13 2017, 12:34 PM
 gniibe claimed this task.Mar 1 2017, 1:05 AM
 gniibe added a subscriber:  gniibe.