Page MenuHome GnuPG

Kleopatra: Better error for wrong password in symmetric decryption
Closed, ResolvedPublic

Description

When decrypting a symmetric file kleopatra only says "decryption failed" only in the details / audit log a user can see that it was because "wrong session key" which is a complicated error.

We should catch this and say "Wrong Password" as the error. So "decryption failed: Wrong Password". Or something like that.

To reproduce: Encrypt a file with password. Kill gpg-agent. Decrypt it and enter a wrong password.

Event Timeline

aheinecke created this task.

The error

gpg: decryption failed: Bad session key

is only logged if the sanity check "algo given in decrypted session key is a valid OpenPGP algo" passes even though a wrong password was given (which happens with a chance of 11:256). If the sanity check detects a bad algo then gpg logs

gpg: decryption of the symmetrically encrypted session key failed: Checksum error

If AEAD is used, then other logging will happen.

ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Apr 22 2022, 5:38 PM
ikloecker changed the task status from Open to Testing.Apr 22 2022, 5:53 PM
ikloecker removed ikloecker as the assignee of this task.
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker added projects: Restricted Project, gpgme.
ikloecker added a subscriber: ikloecker.

I have added the check for a possibly wrong symmetric password to QGpgMEDecryptVerifyJob because it relies on logging messages emitted by gpg which are not part of gpg's status API.

You should not use log messages because they are subject to change and they are translated. Let us return an ERROR status instead.

ikloecker changed the task status from Testing to Open.EditedApr 25 2022, 9:16 AM
ikloecker claimed this task.
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker removed a project: Restricted Project.

You should not use log messages because they are subject to change and they are translated. Let us return an ERROR status instead.

Yeah. I should have done this. I have created T5943: gpg: Report details about failed symmetric decrypt with ERROR status for adding/returning some ERROR status.

In this case it works, because the error messages are not translatable.

ikloecker changed the task status from Open to Testing.Apr 25 2022, 12:22 PM
ikloecker removed ikloecker as the assignee of this task.
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker added a project: Restricted Project.
ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Apr 5 2023, 2:54 PM