GnuPG 2.5.17's tpm2daemon fails to decrypt RSA 4096 pubkey-encrypted
packets when the encrypted data is exactly 4096 bits. Decryption
succeeds when the data happens to be 4095 bits. GnuPG 2.4.9 handles
both cases correctly.
Environment:
- GnuPG: 2.5.17 (fails) / 2.4.9 (works)
- libgcrypt: 1.11.2-r1
- tpm2-tss: 4.1.3-r2
- TPM: STMicro STM0925 (tpm_tis driver), firmware device-id 0x3
- Platform: Lenovo ThinkPad, Gentoo Linux
- Key type: RSA 4096, encryption subkey bound to TPM via tpm2daemon
Steps to reproduce:
1. Generate an RSA 4096 key with an encryption subkey stored in TPM
   (managed by tpm2daemon)
2. Encrypt a file using the public key:
   gpg --encrypt --recipient <KEY_ID> file.txt
3. Attempt to decrypt:
   gpg --decrypt file.txt.gpg

Decryption intermittently fails when the bit length of the
encrypted session key in the pubkey enc packet is 4096.
With 2.5.17:
```
$ gpgconf --kill gpg-agent tpm2daemon
$ gpg --list-packets ~/.password-store/hskim/mutt\@google.gpg
gpg: encrypted with rsa4096 key, ID 4898C1982AD755AE, created 2025-08-17
"Hee-Suk Kim <[email protected]>"
gpg: public key decryption failed: Provided object is too large
gpg: decryption failed: Provided object is too large
# off=0 ctb=85 tag=1 hlen=3 plen=524
:pubkey enc packet: version 3, algo 1, keyid 4898C1982AD755AE
data: [4096 bits]
# off=527 ctb=d4 tag=20 hlen=2 plen=107 new-ctb
:aead encrypted packet: cipher=9 aead=2 cb=16
length: 107
$ gpg --list-packets ~/.password-store/hskim/github.com.gpg
gpg: encrypted with rsa4096 key, ID 4898C1982AD755AE, created 2025-08-17
"Hee-Suk Kim <[email protected]>"
# off=0 ctb=85 tag=1 hlen=3 plen=524
:pubkey enc packet: version 3, algo 1, keyid 4898C1982AD755AE
data: [4095 bits]
# off=527 ctb=d4 tag=20 hlen=3 plen=204 new-ctb
:aead encrypted packet: cipher=9 aead=2 cb=16
length: 204
# off=549 ctb=ac tag=11 hlen=2 plen=151
:literal data packet:
mode b (62), created 1769092097, name="ixdX8b-hskim-github.com.txt",
raw data: 118 bytes
$ gpg --list-packets ~/.password-store/hskim/naver.com.gpg
gpg: encrypted with rsa4096 key, ID 4898C1982AD755AE, created 2025-08-17
"Hee-Suk Kim <[email protected]>"
gpg: public key decryption failed: Provided object is too large
gpg: decryption failed: Provided object is too large
# off=0 ctb=85 tag=1 hlen=3 plen=524
:pubkey enc packet: version 3, algo 1, keyid 4898C1982AD755AE
data: [4096 bits]
# off=527 ctb=d2 tag=18 hlen=2 plen=126 new-ctb
:encrypted data packet:
length: 126
mdc_method: 2
$ gpg --version
gpg (GnuPG) 2.5.17
libgcrypt 1.11.2-unknown
Copyright (C) 2025 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /home/hskim/.gnupg
Supported algorithms:
Pubkey: RSA, Kyber, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
```
Same with 2.4.9:
```
$ gpgconf --kill gpg-agent tpm2daemon
$ gpg --list-packets ~/.password-store/hskim/mutt\@google.gpg
gpg: encrypted with rsa4096 key, ID 99A8DC6DA49AB13C, created 2025-08-17
"Hee-Suk Kim <[email protected]>"
# off=0 ctb=85 tag=1 hlen=3 plen=524
:pubkey enc packet: version 3, algo 1, keyid 4898C1982AD755AE
data: [4096 bits]
# off=527 ctb=d4 tag=20 hlen=2 plen=107 new-ctb
:aead encrypted packet: cipher=9 aead=2 cb=16
length: 107
# off=548 ctb=ac tag=11 hlen=2 plen=54
:literal data packet:
mode b (62), created 1758650396, name="[email protected]",
raw data: 20 bytes
$ gpg --list-packets ~/.password-store/hskim/github.com.gpg
gpg: encrypted with rsa4096 key, ID 99A8DC6DA49AB13C, created 2025-08-17
"Hee-Suk Kim <[email protected]>"
# off=0 ctb=85 tag=1 hlen=3 plen=524
:pubkey enc packet: version 3, algo 1, keyid 4898C1982AD755AE
data: [4095 bits]
# off=527 ctb=d4 tag=20 hlen=3 plen=204 new-ctb
:aead encrypted packet: cipher=9 aead=2 cb=16
length: 204
# off=549 ctb=ac tag=11 hlen=2 plen=151
:literal data packet:
mode b (62), created 1769092097, name="ixdX8b-hskim-github.com.txt",
raw data: 118 bytes
$ gpg --list-packets ~/.password-store/hskim/naver.com.gpg
gpg: encrypted with rsa4096 key, ID 99A8DC6DA49AB13C, created 2025-08-17
"Hee-Suk Kim <[email protected]>"
# off=0 ctb=85 tag=1 hlen=3 plen=524
:pubkey enc packet: version 3, algo 1, keyid 4898C1982AD755AE
data: [4096 bits]
# off=527 ctb=d2 tag=18 hlen=2 plen=126 new-ctb
:encrypted data packet:
length: 126
mdc_method: 2
# off=548 ctb=ac tag=11 hlen=2 plen=83
:literal data packet:
mode b (62), created 1755451993, name="LhBS6D-hskim-naver.com.txt",
raw data: 51 bytes
$ gpg --version
gpg (GnuPG) 2.4.9
libgcrypt 1.11.2-unknown
Copyright (C) 2025 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /home/hskim/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
```
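
To find which files in a store hit the reported condition without decrypting them, the MPI bit count can be read straight from the leading pubkey enc packet. This is an added example, not part of the original report or of GnuPG; the function names are hypothetical, the sample packets are constructed to mirror the listing (ctb=85, plen=524), and it assumes binary (non-armored) input with a single v3 RSA recipient packet first.

```python
import struct

def read_header(buf, off=0):
    """Return (tag, body_offset, body_len) for the OpenPGP packet at off."""
    ctb = buf[off]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if ctb & 0x40:                               # new-format header
        tag, first = ctb & 0x3F, buf[off + 1]
        if first < 192:
            return tag, off + 2, first
        if first < 224:
            return tag, off + 3, ((first - 192) << 8) + buf[off + 2] + 192
        if first == 255:
            return tag, off + 6, struct.unpack(">I", buf[off + 2:off + 6])[0]
        raise ValueError("partial body length not expected for this packet")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03   # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    n = 1 << ltype                               # 1, 2 or 4 length octets
    return tag, off + 1 + n, int.from_bytes(buf[off + 1:off + 1 + n], "big")

def pkesk_rsa_bits(buf):
    """Return (keyid_hex, mpi_bits) for a leading v3 RSA pubkey enc packet."""
    tag, body, _ = read_header(buf)
    # Body layout: version(1) | keyid(8) | algo(1) | MPI bit count(2) | MPI
    if tag != 1 or buf[body] != 3 or buf[body + 9] != 1:
        raise ValueError("first packet is not a v3 RSA pubkey enc packet")
    keyid = buf[body + 1:body + 9].hex().upper()
    return keyid, int.from_bytes(buf[body + 10:body + 12], "big")

def sample_pkesk(mpi_bits, top_byte):
    # Constructed sample, not real ciphertext: 512-byte MPI, key ID from the listing.
    mpi = struct.pack(">H", mpi_bits) + bytes([top_byte]) + bytes(511)
    body = b"\x03" + bytes.fromhex("4898C1982AD755AE") + b"\x01" + mpi
    return b"\x85" + struct.pack(">H", len(body)) + body

def triage(buf, modulus_bits=4096):
    """Flag packets whose MPI is as wide as the modulus (the failing case)."""
    keyid, bits = pkesk_rsa_bits(buf)
    return {"keyid": keyid, "bits": bits, "full_width": bits == modulus_bits}

if __name__ == "__main__":
    for bits, top in ((4096, 0x80), (4095, 0x40)):
        print(triage(sample_pkesk(bits, top)))
```

Both sample packets have plen=524 because a 4095-bit and a 4096-bit MPI each occupy 512 bytes; only the two-octet bit count differs, which is why the packet length alone does not distinguish the failing files.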