x/crypto/openpgp: decryption fails when using cipher AES-192 #17060

Closed
leonklingele opened this issue Sep 11, 2016 · 5 comments

@leonklingele
Contributor

Please see this script to reproduce the problem:
https://play.golang.org/p/vk58yYArMh

In line 17, set cipher := "aes128" / cipher := "aes256" and decryption will work fine.
However, when using cipher := "aes192", decryption will fail.

Decrypting the message via $ gpg --decrypt works fine for all three AES sizes, so the decryption routine of Go's openpgp package has an issue.

leonklingele added a commit to leonklingele/pick that referenced this issue Sep 11, 2016
OpenPGP messages encrypted with AES-192 can't be decrypted with the Go OpenPGP library.
See this bug report @upstream: golang/go#17060
@odeke-em changed the title from "OpenPGP: Decryption fails when using AES-192" to "x/crypto/openpgp: decryption fails when using cipher AES-192" Sep 11, 2016
@bradfitz bradfitz added this to the Unreleased milestone Sep 11, 2016
@odeke-em
Member

/cc @agl

@leonklingele
Contributor Author

Issue is caused by this check: https://github.com/golang/crypto/blob/9477e0b78b9ac3d0b03822fd95422e2fe07627cd/openpgp/packet/symmetric_key_encrypted.go#L91-L93
len(plaintextKey) returns 24 for CipherAES192 (and Cipher3DES as well) which is not a multiple of AES' block size (16).

@mdp

mdp commented Jan 26, 2017

As far as I can tell, the RFC doesn't have an answer here. Other libraries implementing this don't seem to check the keysize output of the Encrypted Session Key.

The Encrypted Session Key decrypts to a message with the following makeup:
[cipher algorithm octet][Session Key]

There are three things that can happen here:

  1. the decrypted message specifies a cipher algo with a keysize larger than the SK
  2. the decrypted message specifies a cipher algo with a keysize that is the same length as the SK
  3. the decrypted message specifies a cipher algo with a keysize smaller than the SK

I think any case other than (2) should throw an error. But I'm not sure about the history on this one, maybe there was a reason for checking if it was a multiple of the blocksize.

@gopherbot

CL https://golang.org/cl/35848 mentions this issue.

@mdp

mdp commented Jan 28, 2017

There's probably a good reason for allowing session key sizes that are a multiple of the blocksize vs just checking if it's the same length as cipher keysize. I've updated the CL to check Session Key size is either equal to cipher key size OR is a multiple of cipher block size.

Deferring to @agl, as he implemented this code originally and I'm sure has a better understanding of it.

@golang golang locked and limited conversation to collaborators Aug 3, 2018
zapu pushed a commit to keybase/go-crypto that referenced this issue Aug 6, 2018
The existing implementation checks to see if the session key size is a
multiple of the cipher blocksize. This fails for AES-192, which has a
keysize of 24 bytes and a 16 byte block size. Instead it should simply
check to ensure that the Session Key length is equal to the cipher
KeySize.

Fixes golang/go#17060

Change-Id: I1dc78129f7fb2ca5ec71b650a2adcb3752dca885
Reviewed-on: https://go-review.googlesource.com/35848
Reviewed-by: Adam Langley <agl@golang.org>
Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
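
The two length rules discussed in this thread, side by side, as an added example (not the x/crypto/openpgp code or the CL): `blockMultiple` is the check the issue reports and `exactKeySize` is the one the commit message describes. All function names are hypothetical, the payloads are constructed, and the key and block sizes are the standard ones for RFC 4880 algorithm octets 2, 7, 8 and 9.

```go
package main

import (
	"errors"
	"fmt"
)

// params: key and block size in bytes for one OpenPGP symmetric cipher.
type params struct{ keySize, blockSize int }

// Algorithm octets per RFC 4880 section 9.2 (subset).
var ciphers = map[byte]params{
	2: {24, 8},  // TripleDES
	7: {16, 16}, // AES-128
	8: {24, 16}, // AES-192
	9: {32, 16}, // AES-256
}

var errBadKey = errors.New("session key rejected")

// blockMultiple is the rule the issue reports as failing for AES-192.
func blockMultiple(n int, p params) bool { return n > 0 && n%p.blockSize == 0 }

// exactKeySize is the rule described in the fix's commit message.
func exactKeySize(n int, p params) bool { return n == p.keySize }

// validate splits [cipher algorithm octet][session key] and applies rule
// to the session key length.
func validate(payload []byte, rule func(int, params) bool) error {
	if len(payload) < 1 {
		return errBadKey
	}
	p, ok := ciphers[payload[0]]
	if !ok || !rule(len(payload)-1, p) {
		return errBadKey
	}
	return nil
}

// sample builds a constructed payload: algorithm octet plus n zero bytes.
func sample(algo byte, n int) []byte { return append([]byte{algo}, make([]byte, n)...) }

func main() {
	for _, c := range [][2]int{{7, 16}, {8, 24}, {9, 32}, {2, 24}, {7, 32}, {9, 16}} {
		pl := sample(byte(c[0]), c[1])
		fmt.Printf("algo=%d keylen=%d blockMultiple=%v exactKeySize=%v\n", c[0], c[1],
			validate(pl, blockMultiple) == nil, validate(pl, exactKeySize) == nil)
	}
}
```

The last two sample rows are cases (3) and (1) from the list in the Jan 26, 2017 comment: the block-multiple rule accepts both, the exact-size rule rejects both.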
chintanparikh pushed a commit to opendoor-labs/openpgp that referenced this issue Dec 11, 2019
c-expert-zigbee pushed a commit to c-expert-zigbee/crypto_go that referenced this issue Mar 28, 2022
c-expert-zigbee pushed a commit to c-expert-zigbee/crypto_go that referenced this issue Mar 29, 2022
LewiGoddard pushed a commit to LewiGoddard/crypto that referenced this issue Feb 16, 2023
BiiChris pushed a commit to BiiChris/crypto that referenced this issue Sep 15, 2023