Page MenuHome GnuPG
Create Task
Maniphest T5856

Forcing aead when creating sign & encrypted files creates inconsistent results
Closed, ResolvedPublic
Actions

Description

Originally reported as a Fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=2054964

Encrypting&signing file with forced aead (--force-aead) prints the OCB modes will be used, but decrypting claims the CFB mode is used:

$ gpg -u testkey --force-aead -vsc foo 
gpg: AES256.OCB encryption will be used

$ gpg -vd foo.gpg
gpg: AES256.CFB encrypted data

After some digging into the code, it turns out the symkey packets created by the function sign_symencrypt_file() are a bit different than the ones created with encrypt_simple() (v4 only, no information about aead). After changing the function to use v5 and propagate the aead the tools report correct modes:

gpg2 -v -d the_file.enc
gpg: AES256.OCB encrypted data

Otherwise, the --list-packets shows even with the old version that the AEAD encrypted packet is correctly used:

# off=15 ctb=d4 tag=20 hlen=3 plen=194 new-ctb
:aead encrypted packet: cipher=9 aead=2 cb=16
	length: 194

and the decryption looks like working just fine regardless the claims in the verbose logs.

Proposed patch:

gnupg2-aead.patch946 BDownload

I am not sure if there are more places where such packets are constructed that are worth checking or if there would be a good place to write some sanity/regression test to make sure this works as expected, but I can have a look into that later.

Details

External Link
https://bugzilla.redhat.com/show_bug.cgi?id=2054964
Version
master

Revisions and Commits

rG GnuPG
rGeadf12a52c2e sign: Construct valid AEAD packets.

Related Objects

Event Timeline

Jakuje created this task.Feb 24 2022, 9:10 AM
Jakuje updated the task description. (Show Details)
werner triaged this task as High priority.Feb 24 2022, 10:34 AM
wqk added a subscriber: wqk.Feb 25 2022, 11:40 PM
gniibe claimed this task.Mar 7 2022, 11:23 AM
gniibe added a comment.Mar 8 2022, 10:40 AM

Thank you for the report.

Please note that OpenPGP specification for v5 is still in flux, specifically for AEAD.
So, I wonder how we fix the code for --force-aead. It will take time.

gniibe added a comment.Mar 9 2022, 3:12 AM

Sorry. While v5 things in the specification is still in flux, from the viewpoint of the implementation, this patch is 100% valid and it makes sense.

So, I applied and pushed.

gniibe added a commit: rGeadf12a52c2e: sign: Construct valid AEAD packets..Mar 9 2022, 3:12 AM
gniibe changed the task status from Open to Testing.Mar 9 2022, 3:13 AM
gniibe lowered the priority of this task from High to Normal.
werner added a subscriber: werner.Mar 9 2022, 2:19 PM

Thanks.

Reagarding the OpenPGP specs: there is a new draft with LOTS of changes to already agreed upon formats and conducted interop tests. Almost everything we implemented in GnuPG and RNP has had rough consensus in the WG. Minor things like AEAD chunk size were the contested pieces. However, now they want to change everything with the possible outcome of discretization the long established trust in the stability and durability of the PGP data and key format.

Note that the latest I-D still carries my name as editor but in reality I have not attended a meeting of the DT or read the notes for months.

werner mentioned this in T5743: Release GnuPG 2.3.5.Apr 21 2022, 5:59 PM
werner closed this task as Resolved.Apr 28 2022, 8:52 AM