Page MenuHome GnuPG

Decrypting OCB encrypted file fails...
Closed, ResolvedPublic



While testing optimizations for OCB performance, I noticed that decrypting some OCB encrypted files fail with master. I create encrypted file enc_065515.gpg with command (input file being 65515 byte long):

gpg --batch --symmetric --passphrase=bug --output=enc_065515.gpg --rfc4880bis --force-aead --cipher-algo AES128 --compress-algo none plain_065515

Decrypting file fails:

gpg --batch --decrypt --passphrase=bug enc_065515.gpg
gpg: AES.OCB encrypted session key
gpg: encrypted with 1 passphrase
gpg: gcry_cipher_checktag failed: Checksum error
gpg: problem reading source (16 bytes remaining)
gpg: handle plaintext failed: System error w/o errno

Same problem can be seen with 131049 bytes long file. 65514, 65516, 131048 and 131050 bytes sized files do not have this issue.

Revisions and Commits

Related Objects

Event Timeline

I tested the fix. It appears to break OCB encrypting files shorter than 65515 bytes:

$ gpg --batch --symmetric --passphrase=bug --output=enc_065514.gpg --rfc4880bis --force-aead --cipher-algo AES128 --compress-algo none plain_065514
$ ls -laF *065514*
-rw-rw-r-- 1 jussi jussi   100 Feb  22 18:51 enc_065514.gpg
-rw-rw-r-- 1 jussi jussi 65514 Feb  22 18:42 plain_065514
$ sha256sum plain_065514
5711955703f4d96f510ad5a660c3ccd0d01f0b2dd2561ba6586159ad941cbcde  plain_065514
$ gpg --batch --decrypt --passphrase=bug --output=- enc_065514.gpg | sha256sum
gpg: AES.OCB encrypted session key
gpg: encrypted with 1 passphrase
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  -

Just more background what I'm doing with these tests. I started testing with set of different sized test files (generated from urandom) to detect any bugs in my changes, which try to reduce amount of memory copies in iobuf_read/iobuf_write. Size ranges for these test-files are 0...17408, 32256...66560 and 130560...132096 bytes. These files are encrypted with different settings (public key/symmetric/cfb/ocb/different algos) and then decrypted and decrypted file compared to original.

Sorry for pushing immature fix. I located the cause, but I didn't have enough concentration for fix.

Right fix will be in rGfb007d93de7b: Fix the previous commit..

It was the bug of generating AEAD packet, which does:

  • Packet layer: AEAD packet generation is done by chunk by chunk (4MB default)
    • each chunk has a tag at the end
  • Buffer layer: AEAD packet generation is done using IOBUF (65536 byte buffer size)

The problem was:

  • When the size of data (with header of OpenPGP (creation time, file name) is on the buffer boundary and not at chunk boundary,
  • generation of a tag for the last chunk was skipped wrongly

Thanks. All my tests work now.

gniibe changed the task status from Open to Testing.Mar 1 2022, 5:04 AM