gpg-2.3 rsa decryption has wrong size ciphertext

James Bottomley James.Bottomley at HansenPartnership.com
Mon Mar 8 01:43:20 CET 2021


I finally got around to implementing unit tests for the TPM code and
I'm seeing periodic failures in the test that checks rsa
encryption/decryption.

What I'm seeing is that, occasionally (about once every 10 or so
times), for an rsa2048 key (the only size most TPMs do) a ciphertext of
length 257 is provided as input to pkdecrypt.  This causes an immediate
failure because the TPM is pre-programmed to accept only encrypted
messages of size 256 for rsa2048 keys.

When I look at the contents of the wrong length messages, they have a
leading zero byte and simply stripping this off to reduce the length to
256 bytes causes the decryption to succeed.

Is this expected behaviour from gcrypt?  I can simply code the TPM
routines to cope with the misbehaving length, but it looks like a
symptom of a truncation problem elsewhere in the code.

James
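
An added example, not part of the original post and not GnuPG or libgcrypt code: one way a caller of a fixed-width RSA engine could handle the 257-byte input described above, by treating the ciphertext as a big-endian integer and re-encoding it to exactly the key length. It goes beyond the reported case by also left-padding shorter inputs and rejecting values with more significant bytes than the key; the function names are hypothetical and the sample buffers are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not a GnuPG or libgcrypt function).
 * Re-encodes a big-endian unsigned integer of any encoded length into the
 * fixed width a fixed-size RSA engine expects (klen = modulus size in
 * bytes, 256 for rsa2048). out must hold klen bytes.
 * Returns 0 on success, -1 if the value cannot fit in klen bytes. */
int rsa_ct_to_fixed(const unsigned char *in, size_t inlen,
                    unsigned char *out, size_t klen)
{
    /* Leading zero bytes carry no value in a big-endian integer. */
    while (inlen > 0 && *in == 0) {
        in++;
        inlen--;
    }
    /* The significant bytes must fit the key size; never truncate them. */
    if (inlen > klen)
        return -1;
    /* Left-pad with zeros so the output is always exactly klen bytes. */
    memset(out, 0, klen - inlen);
    memcpy(out + (klen - inlen), in, inlen);
    return 0;
}

/* Self-check on constructed buffers (filler bytes, not real ciphertext).
 * Returns 0 if every case behaves as expected. */
int rsa_ct_selftest(void)
{
    unsigned char in[257], out[256];
    memset(in, 0xAB, sizeof in);

    in[0] = 0x00;   /* 257 bytes with one leading zero, as in the report */
    if (rsa_ct_to_fixed(in, 257, out, 256) != 0 || out[0] != 0xAB)
        return 1;
    /* 255 bytes: a leading zero was dropped upstream, so pad it back */
    if (rsa_ct_to_fixed(in + 1, 255, out, 256) != 0
        || out[0] != 0x00 || out[1] != 0xAB)
        return 2;
    in[0] = 0x01;   /* 257 significant bytes: larger than the key allows */
    if (rsa_ct_to_fixed(in, 257, out, 256) != -1)
        return 3;
    return 0;
}

int main(void) { return rsa_ct_selftest(); }
```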




