Page MenuHome GnuPG

Forcing aead when creating sign & encrypted files creates inconsistent results
Closed, ResolvedPublic


Originally reported as a Fedora bug

Encrypting&signing file with forced aead (--force-aead) prints the OCB modes will be used, but decrypting claims the CFB mode is used:

$ gpg -u testkey --force-aead -vsc foo 
gpg: AES256.OCB encryption will be used

$ gpg -vd foo.gpg
gpg: AES256.CFB encrypted data

After some digging into the code, it turns out the symkey packets created by the function sign_symencrypt_file() are a bit different than the ones created with encrypt_simple() (v4 only, no information about aead). After changing the function to use v5 and propagate the aead the tools report correct modes:

gpg2 -v -d the_file.enc
gpg: AES256.OCB encrypted data

Otherwise, the --list-packets shows even with the old version that the AEAD encrypted packet is correctly used:

# off=15 ctb=d4 tag=20 hlen=3 plen=194 new-ctb
:aead encrypted packet: cipher=9 aead=2 cb=16
	length: 194

and the decryption looks like working just fine regardless the claims in the verbose logs.

Proposed patch:

I am not sure if there are more places where such packets are constructed that are worth checking or if there would be a good place to write some sanity/regression test to make sure this works as expected, but I can have a look into that later.


Revisions and Commits

Related Objects

Event Timeline

Jakuje updated the task description. (Show Details)
werner triaged this task as High priority.Feb 24 2022, 10:34 AM

Thank you for the report.

Please note that OpenPGP specification for v5 is still in flux, specifically for AEAD.
So, I wonder how we fix the code for --force-aead. It will take time.

Sorry. While v5 things in the specification is still in flux, from the viewpoint of the implementation, this patch is 100% valid and it makes sense.

So, I applied and pushed.

gniibe changed the task status from Open to Testing.Mar 9 2022, 3:13 AM
gniibe lowered the priority of this task from High to Normal.


Reagarding the OpenPGP specs: there is a new draft with LOTS of changes to already agreed upon formats and conducted interop tests. Almost everything we implemented in GnuPG and RNP has had rough consensus in the WG. Minor things like AEAD chunk size were the contested pieces. However, now they want to change everything with the possible outcome of discretization the long established trust in the stability and durability of the PGP data and key format.

Note that the latest I-D still carries my name as editor but in reality I have not attended a meeting of the DT or read the notes for months.