Page MenuHome GnuPG

Decrypting OCB encrypted file fails...
Closed, ResolvedPublic



While testing optimizations for OCB performance, I noticed that decrypting some OCB encrypted files fail with master. I create encrypted file enc_065515.gpg with command (input file being 65515 byte long):

gpg --batch --symmetric --passphrase=bug --output=enc_065515.gpg --rfc4880bis --force-aead --cipher-algo AES128 --compress-algo none plain_065515

Decrypting file fails:

gpg --batch --decrypt --passphrase=bug enc_065515.gpg
gpg: AES.OCB encrypted session key
gpg: encrypted with 1 passphrase
gpg: gcry_cipher_checktag failed: Checksum error
gpg: problem reading source (16 bytes remaining)
gpg: handle plaintext failed: System error w/o errno

Same problem can be seen with 131049 bytes long file. 65514, 65516, 131048 and 131050 bytes sized files do not have this issue.

Revisions and Commits

Event Timeline

I tested the fix. It appears to break OCB encrypting files shorter than 65515 bytes:

$ gpg --batch --symmetric --passphrase=bug --output=enc_065514.gpg --rfc4880bis --force-aead --cipher-algo AES128 --compress-algo none plain_065514
$ ls -laF *065514*
-rw-rw-r-- 1 jussi jussi   100 Feb  22 18:51 enc_065514.gpg
-rw-rw-r-- 1 jussi jussi 65514 Feb  22 18:42 plain_065514
$ sha256sum plain_065514
5711955703f4d96f510ad5a660c3ccd0d01f0b2dd2561ba6586159ad941cbcde  plain_065514
$ gpg --batch --decrypt --passphrase=bug --output=- enc_065514.gpg | sha256sum
gpg: AES.OCB encrypted session key
gpg: encrypted with 1 passphrase
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  -

Just more background what I'm doing with these tests. I started testing with set of different sized test files (generated from urandom) to detect any bugs in my changes, which try to reduce amount of memory copies in iobuf_read/iobuf_write. Size ranges for these test-files are 0...17408, 32256...66560 and 130560...132096 bytes. These files are encrypted with different settings (public key/symmetric/cfb/ocb/different algos) and then decrypted and decrypted file compared to original.

gniibe triaged this task as High priority.Feb 23 2022, 1:17 AM

Sorry for pushing immature fix. I located the cause, but I didn't have enough concentration for fix.

Right fix will be in rGfb007d93de7b: Fix the previous commit..

It was the bug of generating AEAD packet, which does:

  • Packet layer: AEAD packet generation is done by chunk by chunk (4MB default)
    • each chunk has a tag at the end
  • Buffer layer: AEAD packet generation is done using IOBUF (65536 byte buffer size)

The problem was:

  • When the size of data (with header of OpenPGP (creation time, file name) is on the buffer boundary and not at chunk boundary,
  • generation of a tag for the last chunk was skipped wrongly

Thanks. All my tests work now.

gniibe changed the task status from Open to Testing.Mar 1 2022, 5:04 AM