
When encrypting, gpg claims DE_VS compliance with non-compliant gcrypt
Status: Closed, Resolved (Public)

Description

In contrast, --decrypt honors gcrypt not claiming compliance:

% gpg --quick-generate-key 'rsa' default default never
gpg: keybox '/tmp/tmp.aDPFCt4wI2/pubring.kbx' created
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /tmp/tmp.aDPFCt4wI2/trustdb.gpg: trustdb created
gpg: directory '/tmp/tmp.aDPFCt4wI2/openpgp-revocs.d' created
gpg: revocation certificate stored as '/tmp/tmp.aDPFCt4wI2/openpgp-revocs.d/D3F6ACB7B660B54779727A5F514BBADC83BBF12F.rev'
public and secret key created and signed.

pub   rsa3072 2022-09-28 [SC]
      D3F6ACB7B660B54779727A5F514BBADC83BBF12F
uid                      rsa
sub   rsa3072 2022-09-28 [E]

% echo huch | gpg --status-fd=1 --always-trust --encrypt --recipient D3F6ACB7B660B54779727A5F514BBADC83BBF12F --output cyphertext.pgp
[GNUPG:] KEY_CONSIDERED D3F6ACB7B660B54779727A5F514BBADC83BBF12F 0
[GNUPG:] ENCRYPTION_COMPLIANCE_MODE 23
[GNUPG:] BEGIN_ENCRYPTION 2 9
[GNUPG:] END_ENCRYPTION
% gpg --status-fd=1 --decrypt --output /dev/null cyphertext.pgp
[GNUPG:] ENC_TO B6CFBECFADDEB0C7 1 0
[GNUPG:] KEY_CONSIDERED D3F6ACB7B660B54779727A5F514BBADC83BBF12F 0
[GNUPG:] KEY_CONSIDERED D3F6ACB7B660B54779727A5F514BBADC83BBF12F 0
[GNUPG:] DECRYPTION_KEY 1144D2BBE4438F40699D2008B6CFBECFADDEB0C7 D3F6ACB7B660B54779727A5F514BBADC83BBF12F u
[GNUPG:] KEY_CONSIDERED D3F6ACB7B660B54779727A5F514BBADC83BBF12F 0
gpg: encrypted with 3072-bit RSA key, ID B6CFBECFADDEB0C7, created 2022-09-28
      "rsa"
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_INFO 2 9 0
[GNUPG:] PLAINTEXT 62 1664364604
[GNUPG:] PLAINTEXT_LENGTH 5
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION

Details

Version
2.2.39

Event Timeline

werner added a subscriber: werner.

Justus, you should know how to write a proper bug report. Please do that and don't just paste some more or less random output here with just a hint that Libgcrypt is not compliant. tia.

aheinecke added a subscriber: aheinecke.

With a gcrypt not claiming compliance, you should not get the status line at all (compliant or not); GnuPG should error out with Forbidden.

I have tested both the master and stable branches with gcrypt master, and there I get:

gpg --version
gpg (GnuPG) 2.2.40-beta3
libgcrypt 1.9.4-unknown

echo foof | gpg --status-fd=1 --always-trust --homedir ~/.gnupg-vsd/ -ear 9B59924B537B62D14D7AB286ACDFDADC6A8E3756
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
[GNUPG:] KEY_CONSIDERED 9B59924B537B62D14D7AB286ACDFDADC6A8E3756 0
gpg: RNG is not compliant with --compliance=de-vs mode
[GNUPG:] ERROR random-compliance 33554683
[GNUPG:] FAILURE encrypt 33554683
gpg: [stdin]: encryption failed: Forbidden
gpg --version
gpg (GnuPG) 2.3.8-beta32
libgcrypt 1.9.4-unknown

echo foo | gpg --homedir ~/.gnupg-vsd/ -ear 9B59924B537B62D14D7AB286ACDFDADC6A8E3756
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
gpg: RNG is not compliant with --compliance=de-vs mode
gpg: [stdin]: encryption failed: Forbidden

So this begs the question: which libgcrypt version are you using, and how are you sure that it is not compliant? Because in your case it looks like GnuPG thinks that it has a compliant gcrypt.

What is the output of:

gpgconf --list-options gpg  | grep compliance

I am giving this low priority at least until we can reproduce this issue.
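The two runs quoted in this ticket show the two status-fd outcomes a caller has to tell apart: the 2.2.39 run emits ENCRYPTION_COMPLIANCE_MODE 23 and completes, while the 2.2.40-beta3 run emits ERROR random-compliance and FAILURE encrypt with the libgpg-error value 33554683 and never reaches END_ENCRYPTION. The following parser is an added example, not GnuPG project code; the status lines it parses are copied from the runs above as constructed samples, and the decision logic, the outcome labels and the helper names are the editor's own. It assumes that flag value 23 is CO_DE_VS as documented in GnuPG's doc/DETAILS, and that a gpg-error number carries the error source in bits 24..30 and the error code in the low 16 bits (251 being GPG_ERR_FORBIDDEN, matching the "Forbidden" text gpg prints).

```python
"""Classify a gpg --status-fd transcript for a de-vs encryption run.

Added example, not GnuPG code. The sample transcripts are copied from the
ticket; decision labels and helper names are assumptions of this example.
"""
from dataclasses import dataclass, field

# Constructed sample: the 2.2.39 run from the report. It claims compliance
# (flag 23) and completes, although libgcrypt is not in a compliant mode.
STATUS_CLAIMS_COMPLIANCE = """\
[GNUPG:] KEY_CONSIDERED D3F6ACB7B660B54779727A5F514BBADC83BBF12F 0
[GNUPG:] ENCRYPTION_COMPLIANCE_MODE 23
[GNUPG:] BEGIN_ENCRYPTION 2 9
[GNUPG:] END_ENCRYPTION
"""

# Constructed sample: the 2.2.40-beta3 run, which refuses to encrypt.
STATUS_FORBIDDEN = """\
[GNUPG:] KEY_CONSIDERED 9B59924B537B62D14D7AB286ACDFDADC6A8E3756 0
[GNUPG:] ERROR random-compliance 33554683
[GNUPG:] FAILURE encrypt 33554683
"""

CO_DE_VS = 23               # flag value in *_COMPLIANCE_MODE lines (doc/DETAILS)
GPG_ERR_SOURCE_GPG = 2      # libgpg-error source id of gpg itself
GPG_ERR_FORBIDDEN = 251     # libgpg-error code printed as "Forbidden"
ERR_CODE_MASK = (1 << 16) - 1
ERR_SOURCE_SHIFT = 24
ERR_SOURCE_MASK = (1 << 7) - 1


def split_gpg_error(err: int) -> tuple[int, int]:
    """Return (source, code) of a numeric libgpg-error value."""
    return (err >> ERR_SOURCE_SHIFT) & ERR_SOURCE_MASK, err & ERR_CODE_MASK


@dataclass
class EncryptionResult:
    completed: bool = False                       # END_ENCRYPTION seen
    compliance_flags: set = field(default_factory=set)
    errors: list = field(default_factory=list)    # (location, source, code)
    failures: list = field(default_factory=list)  # (location, source, code)


def parse_status(text: str) -> EncryptionResult:
    """Collect the status keywords relevant to a compliance decision."""
    result = EncryptionResult()
    for line in text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable diagnostics are not status lines
        fields = line.split()
        keyword, args = fields[1], fields[2:]
        if keyword == "ENCRYPTION_COMPLIANCE_MODE":
            result.compliance_flags.update(int(a) for a in args)
        elif keyword == "END_ENCRYPTION":
            result.completed = True
        elif keyword == "ERROR" and len(args) >= 2:
            src, code = split_gpg_error(int(args[1]))
            result.errors.append((args[0], src, code))
        elif keyword == "FAILURE" and len(args) >= 2:
            src, code = split_gpg_error(int(args[1]))
            result.failures.append((args[0], src, code))
    return result


def de_vs_outcome(result: EncryptionResult) -> str:
    """Map the parsed transcript to one of three outcome labels (assumed names).

    'refused-non-compliant-rng': gpg reported ERROR random-compliance and
        failed the encrypt operation with Forbidden (the expected behaviour).
    'claims-de-vs': encryption completed and flag 23 was emitted; on the
        affected 2.2.39 build this claim is unreliable, as the ticket shows.
    'no-compliance-claim': anything else.
    """
    rng_error = any(loc == "random-compliance" for loc, _, _ in result.errors)
    forbidden = any(loc == "encrypt" and code == GPG_ERR_FORBIDDEN
                    for loc, _, code in result.failures)
    if rng_error and forbidden:
        return "refused-non-compliant-rng"
    if result.completed and CO_DE_VS in result.compliance_flags:
        return "claims-de-vs"
    return "no-compliance-claim"


if __name__ == "__main__":
    for name, sample in (("2.2.39", STATUS_CLAIMS_COMPLIANCE),
                         ("2.2.40-beta3", STATUS_FORBIDDEN)):
        print(name, de_vs_outcome(parse_status(sample)))
```

The point for a caller is that a bare ENCRYPTION_COMPLIANCE_MODE 23 cannot be taken as proof of a compliant libgcrypt on the version reported here; the thread's conclusion is that the line should not have been emitted at all, so the refusal path (ERROR random-compliance plus FAILURE encrypt with Forbidden) is the only outcome that unambiguously reflects a non-compliant RNG.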

% gpgconf --list-options gpg  | grep compliance
compliance:16:2::1:1::"gnupg::
compliance_de_vs:144:3::2:2::0::
% dpkg --list libgcrypt20 | cat
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name              Version      Architecture Description
+++-=================-============-============-=====================================
ii  libgcrypt20:amd64 1.10.1-2     amd64        LGPL Crypto library - runtime library
% gpg --version
gpg (GnuPG) 2.2.39
libgcrypt 1.10.1
Copyright (C) 2022 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/teythoon/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

This is on Debian testing.

werner changed the task status from Open to Testing. Sep 29 2022, 2:17 PM

Indeed, the status line should not be emitted in this case. Thanks.

werner claimed this task.