gpg-2.3 rsa decryption has wrong size ciphertext

James Bottomley James.Bottomley at
Mon Mar 8 01:43:20 CET 2021

I finally got around to implementing unit tests for the TPM code and
I'm seeing periodic failures in the test that checks rsa

What I'm seeing is that, occasionally (about once every 10 or so
times), for an rsa2048 key (the only size most TPMs do) a ciphertext of
length 257 is provided as input to pkdecrypt.  This causes an immediate
failure because the TPM is pre-programmed to accept only encrypted
messages of size 256 for rsa2048 keys.

When I look at the contents of the wrong length messages, they have a
leading zero byte and simply stripping this off to reduce the length to
256 bytes causes the decryption to succeed.

Is this expected behaviour from gcrypt?  I can simply code the TPM
routines to cope with the misbehaving length, but it looks like a
symptom of a truncation problem elsewhere in the code.


More information about the Gnupg-devel mailing list