Page MenuHome GnuPG

Decrypting a message that has multiple SKESK packets sometimes fails
Open, WishlistPublic

Description

Hey,
On bouncycastle I ran into an issue where sometimes messages encrypted with two or more passphrases would fail to decrypt.
As I used GnuPG to verify that the message is apparently broken, it took me a while to come to the conclusion that the error did not happen during encryption, but instead during the decryption phase.

Consider this message:

-----BEGIN PGP MESSAGE-----
Version: BCPG v1.68

jC4ECQMCtL4bq5btiMJgL6wPT4kDozGheHZa1fmAUpp3CIBeLXw4B3IUZ05QSPRF
jC4ECQMC5nZ8aoh9uYpgtDeGdkTLP+obVSiMvs99ibpcFm60vJY7feYNTiSk2StJ
0kgB9vDAT0vUdXz1sPTEv2YIK2zeNyoA7pD9BDd68VgFVj61vSQ6Ovf6Uidv2v0M
5cfawfKpjRn0Ku3JEzDv3TuYioRWzuzxptc=
=9QAC
-----END PGP MESSAGE-----

It was encrypted using password "password1" and "password2" (in that order).
Decrypting it with "password1" succeeds as expected and reveals the secret message.
Decryption with "password2" however fails.

The message was encrypted using AES-256 (algorithm 0x09), but gpg --decrypt --show-session-key reveals the following apparent session key:

4:658DB33BD267FBA8A2CBB86297FA30EDF24CB2D21D44E770D8E1B899B706BEF2'

Apparently GnuPG does not try the correct SKESK (the second one in this case) and fails after decryption of the SEIP with the first SKESK session key failed.

Details

Version
2.2.20

Event Timeline

With GnuPG in master (to be 2.3), it can handle the second SKESK when the first one fails.

werner triaged this task as Normal priority.Feb 23 2021, 9:17 AM
werner added a project: gnupg (gpg22).
werner added a subscriber: werner.

With 2.2 the second works if the first passphrase prompt was canceled. Test invocation:

gpg -vd --no-symkey-cache <in >out
werner lowered the priority of this task from Normal to Wishlist.Tue, Sep 14, 1:58 PM

Currently I see no need to fix this for 2.2