Bug 637414 - gpg-agent fails to encode "iteration count" into private keys, thus never unprotects secret key
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: gnupg2
Version: 13
Hardware: All
OS: Linux
Priority: low
Severity: high
Target Milestone: ---
Assignee: Rex Dieter
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-09-25 16:50 UTC by Eric Gerney
Modified: 2014-05-20 08:58 UTC (History)

Fixed In Version: gnupg2-2.0.14-7.fc13
Doc Type: Bug Fix
Doc Text:
Previously, the secret key management daemon for GnuPG, gpg-agent, failed to encode a new iteration count value when it created a new protected key or changed an existing key. As a consequence, the key could not be unprotected and gpg-agent thus did not properly interact with a number of programs that use key decryption, such as KMail or Kleopatra. With this update, the new iteration count is encoded properly and the decryption of keys created or modified by gpg-agent no longer fails.
Clone Of:
Clones: 638635
Environment:
Last Closed: 2010-10-08 20:51:41 UTC



Description Eric Gerney 2010-09-25 16:50:04 UTC
Description of problem:
gnupg2 2.0.14 has a known regression bug: in all cases where gpg-agent creates a new protected key or changes the protection, it fails to encode a new iteration count into the file.  Instead the old constant value of 65536 (encoded as 96) is written to the file.  If you then try to use the key and enter the passphrase, gpg-agent uses the wrong iteration count from the file (65536) and thus can't unprotect the key.

The end result is that one is unable to properly interact with gpg-agent.  Specifically KMail cannot S/MIME-sign email, Kleopatra cannot decrypt previously encrypted files, and gpgsm decryption fails.

Described by Werner Koch (developer) @:
http://marc.info/?l=gnupg-users&m=126451730710129&w=2
Patch provided @:
ftp://ftp.gnupg.org/gcrypt/gnupg/patches/gnupg-2.0.14-encode-s2k.patch

Version-Release number of selected component (if applicable):
Fedora 13
gnupg2-2.0.14-6.fc13.i686
gnupg2-smime-2.0.14-6.fc13.i686

How reproducible:
Always
According to above post, happens whenever gpg-agent (version 2.0.14) is used.

Steps to Reproduce:
Assuming you have an existing gpgsm certificate pair.
1. Create random text file - trash.txt
2. gpgsm -r <your key id> -o trast.txt.gpg -e trash.txt
3. gpgsm -d trast.txt.gpg
  
Actual results:
passphrase input fails, secret key decryption failure, contents of trast.txt.gpg cannot be seen

Expected results:
contents of trast.txt.gpg decrypted

Additional info:
Applying provided vendor patch to 2.0.14-6 src rpm, rebuilding (via specfile updates), and upgrading gnupg2 installation corrects this issue.
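The report above hinges on the OpenPGP S2K count encoding (RFC 4880 section 3.7.1.3): the iteration count is stored as a single octet, and 96 (0x60) expands to exactly 65536, the old constant. The following is an added illustration, not code from this bug report or from GnuPG. It assumes a simplified iterated+salted S2K (one SHA-1 context, the gnupg 2.0 default hash), models key protection with a stand-in check value instead of the real AES wrapping, and uses a constructed passphrase and a constructed "calibrated" count of 1,000,000. The point it demonstrates is the failure mode described: when the agent derives the key-encryption key with one count but records 96 in the file, re-deriving from the recorded count can never reproduce the check and the key stays locked.

```python
import hashlib
import os


def s2k_decode_count(coded: int) -> int:
    # RFC 4880 3.7.1.3: expand the one-octet coded count into the number of
    # bytes that are hashed. 96 (0x60) -> (16 + 0) << (6 + 6) = 65536.
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k_encode_count(count: int) -> int:
    # Inverse mapping: the smallest coded octet whose expansion is >= count
    # (the expansion table is monotonic in the coded value).
    for coded in range(256):
        if s2k_decode_count(coded) >= count:
            return coded
    return 255


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded: int,
                        key_len: int = 16) -> bytes:
    # Simplified iterated+salted S2K with a single SHA-1 context: feed `count`
    # bytes of the repeated (salt || passphrase) stream into the hash.
    data = salt + passphrase
    count = max(s2k_decode_count(coded), len(data))  # at least one full copy
    h = hashlib.sha1()
    full, rem = divmod(count, len(data))
    for _ in range(full):
        h.update(data)
    h.update(data[:rem])
    return h.digest()[:key_len]


# The value gnupg 2.0.14 kept writing regardless of the count it actually used.
OLD_CONSTANT_CODED = 96


def protect(passphrase: bytes, used_coded: int, written_coded: int) -> dict:
    # Stand-in for writing a protected key (constructed model, not GnuPG's file
    # format): derive the KEK with `used_coded`, store a check value, and record
    # `written_coded` as the S2K count. The bug is modelled by passing
    # written_coded=96 while used_coded is the calibrated value.
    salt = os.urandom(8)
    kek = s2k_iterated_salted(passphrase, salt, used_coded)
    return {"salt": salt, "coded_count": written_coded,
            "check": hashlib.sha1(b"kek-check" + kek).digest()}


def unprotect(protected: dict, passphrase: bytes) -> bool:
    # On read, the agent can only re-derive from the count recorded in the file.
    kek = s2k_iterated_salted(passphrase, protected["salt"],
                              protected["coded_count"])
    return hashlib.sha1(b"kek-check" + kek).digest() == protected["check"]


def demo(passphrase: bytes = b"correct horse",  # constructed sample passphrase
         calibrated_count: int = 1_000_000):    # constructed calibrated count
    # Returns (buggy_result, fixed_result): whether the key unprotects when the
    # file records the stale constant vs. the count that was really used.
    coded = s2k_encode_count(calibrated_count)
    buggy = protect(passphrase, used_coded=coded, written_coded=OLD_CONSTANT_CODED)
    fixed = protect(passphrase, used_coded=coded, written_coded=coded)
    return unprotect(buggy, passphrase), unprotect(fixed, passphrase)


if __name__ == "__main__":
    print("coded 96 expands to", s2k_decode_count(96))
    print("(buggy unprotects, fixed unprotects) =", demo())
```

Running the script shows the stale-constant file failing and the correctly encoded one succeeding; the same decode function is a quick way to sanity-check the count octet in any S2K-protected blob against the count a tool claims to have used.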

Comment 1 Rex Dieter 2010-09-25 16:56:02 UTC
Thanks for the detailed report!

Comment 2 Tomas Mraz 2010-09-29 07:04:21 UTC
Re

Comment 3 Fedora Update System 2010-09-29 15:02:57 UTC
gnupg2-2.0.14-7.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/gnupg2-2.0.14-7.fc13

Comment 4 Fedora Update System 2010-09-30 10:27:29 UTC
gnupg2-2.0.14-7.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update gnupg2'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/gnupg2-2.0.14-7.fc13

Comment 5 Fedora Update System 2010-10-08 20:51:36 UTC
gnupg2-2.0.14-7.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

