path: root/cipher/random.c
Commit message | Author | Date | Files | Lines
* Use blinding for the RSA secret operation.
  (Werner Koch, 2013-12-03, 1 file, -0/+12)
  * cipher/random.c (randomize_mpi): New.
  * g10/gpgv.c (randomize_mpi): New stub.
  * cipher/rsa.c (USE_BLINDING): Define macro.
  (secret): Implement blinding.
  --
  GPG 1.x has never used any protection against timing attacks on the RSA secret operation. The rationale for this has been that there was no way to mount a remote timing attack on GnuPG. With the turning up of Acoustic Cryptanalysis (http://cs.tau.ac.il/~tromer/acoustic) this assumption no longer holds true and thus we need to do something about it. Blinding seems to be a suitable mitigation to the threat of key extraction. It does not help against distinguishing used keys, though.
  Note that GPG 2.x uses Libgcrypt which does blinding by default.
  The performance penalty is negligible: Modifying the core pubkey_sign or pubkey_decrypt function to run 100 times in a loop, the entire execution times for signing or decrypting a small message using a 4K RSA key on a Thinkpad X220 are
    Without blinding: 5.2s (8.9s)
    With blinding:    5.6s (9.3s)
  The numbers in parentheses give the values without the recently implemented k-ary exponentiation code. Thus for the next release the user will actually experience faster signing and decryption.
  A drawback of blinding is that we need random numbers even for decryption (albeit at low quality).
  Signed-off-by: Werner Koch <[email protected]>
  CVE-id: CVE-2013-4576
* Improve handling of random_seed read errors.
  (Werner Koch, 2012-11-07, 1 file, -1/+25)
  * cipher/random.c (read_seed_file): Distinguish between errors and short reads.
  --
  This should help to avoid program aborts due to races. Nevertheless a better and cross-platform locking would be a more solid solution.
  GnuPG-bug-id: 1439
* Remove trailing white space from one file
  (Werner Koch, 2012-11-07, 1 file, -10/+10)
  --
* Fix typos in comments.
  (Werner Koch, 2012-01-24, 1 file, -2/+2)
  --
  Fixes provided by Gilles Espinasse.
* Minor changes to help the VMS port
  (Werner Koch, 2010-09-28, 1 file, -3/+48)
* Switched to GPLv3.
  (Werner Koch, 2007-10-23, 1 file, -4/+2)
  Updated gettext.
* Preparing an RC
  (Werner Koch, 2006-11-29, 1 file, -1/+1)
* about to release 1.4.3rc1 [tag: gnupg-1.4.3rc1]
  (Werner Koch, 2006-02-14, 1 file, -2/+2)
* Lock random seed file
  (Werner Koch, 2006-02-09, 1 file, -1/+86)
* Converted all m_free to xfree etc.
  (Werner Koch, 2005-07-27, 1 file, -10/+10)
* * random.c: Fix prototype of the fast random gatherer. Noted by Joe Vender.
  (David Shaw, 2005-06-07, 1 file, -2/+2)
* Updated FSF street address and preparations for a release candidate.
  (Werner Koch, 2005-05-31, 1 file, -1/+2)
* * idea-stub.c, random.c; s/__MINGW32__/_WIN32/ to help building on native Windows compilers.
  (David Shaw, 2003-08-28, 1 file, -2/+5)
  Requested by Brian Gladman. From Werner on stable branch.
* * random.c (getfnc_gather_random): Don't check NAME_OF_DEV_RANDOM twice.
  (David Shaw, 2003-08-21, 1 file, -1/+1)
  Use NAME_OF_DEV_URANDOM.
* * bithelp.h, des.c, random.c, rndlinux.c, sha1.c, blowfish.c, elgamal.c, rijndael.c, rndunix.c, sha256.c, cast5.c, idea-stub.c, rmd160.c, rndw32.c, sha512.c, md5.c, rmd160test.c, rsa.c, tiger.c: Edit all preprocessor instructions to remove whitespace before the '#'.
  (David Shaw, 2003-05-24, 1 file, -32/+30)
  This is not required by C89, but there are some compilers out there that don't like it.
* * cipher.c (setup_cipher_table): #ifdef IDEA.
  (David Shaw, 2003-05-15, 1 file, -5/+7)
  * random.c (fast_random_poll): Only use times() if we HAVE_TIMES.
  * sha512.c, tiger.c: Use the U64_C() macro to specify 64-bit constants. U64_C is defined in include/types.h and uses the correct suffix depending on the underlying type of u64.
  * idea-stub.c (load_module): Catch an error if the idea module file is unloadable for some reason (unreadable, bad permissions, etc.)
  * md.c (string_to_digest_algo): Give a warning about TIGER192 not being part of OpenPGP.
* * rndw32.c [__CYGWIN32__]: Don't include winioctl.h - it is not required anymore. (From Werner)
  (David Shaw, 2002-11-06, 1 file, -11/+11)
  * random.c (read_seed_file,update_random_seed_file): Use binary mode for __CYGWIN__. (From Werner)
  * blowfish.c (burn_stack), cast5.c (burn_stack), des.c (burn_stack), md5.c (burn_stack), random.c (burn_stack, read_pool, fast_random_poll), rijndael.c (burn_stack), rmd160.c (burn_stack), rndegd.c (rndegd_gather_random), rndlinux.c (rndlinux_gather_random), sha1.c (burn_stack), tiger.c (burn_stack), twofish.c (burn_stack): Replace various calls to memset() with the more secure wipememory().
* * random.c: Automagically detect the entropy gatherer when configured so.
  (Werner Koch, 2002-08-30, 1 file, -9/+38)
  * rndegd.c (rndegd_connect_socket): New. Factored out from ..
  (rndegd_gather_random): here and call it.
  (do_read): Update the counter variables correctly. This was not a problem due to the way EGD works. Bug found by Christian Biere.
* RISC OS changes due to dynload removal
  (Stefan Bellon, 2002-08-03, 1 file, -0/+3)
* The big extension module removal.
  (Werner Koch, 2002-08-03, 1 file, -6/+36)
* * random.c: "warning" -> "WARNING"
  (David Shaw, 2002-07-25, 1 file, -1/+1)
* Update head to match stable 1.0
  (David Shaw, 2002-06-29, 1 file, -0/+687)
* Removed files from the HEAD revision, because they are now in another repository
  (Werner Koch, 2000-12-19, 1 file, -690/+0)
* See ChangeLog: Mon Sep 18 16:35:45 CEST 2000 Werner Koch
  (Werner Koch, 2000-09-18, 1 file, -1/+3)
* See ChangeLog: Mon Jul 17 16:35:47 CEST 2000 Werner Koch
  (Werner Koch, 2000-07-17, 1 file, -2/+2)
* See ChangeLog: Fri Jul 14 19:38:23 CEST 2000 Werner Koch
  (Werner Koch, 2000-07-14, 1 file, -5/+199)
* See ChangeLog: Wed Dec 8 21:58:32 CET 1999 Werner Koch
  (Werner Koch, 1999-12-08, 1 file, -1/+0)
* See ChangeLog: Fri Nov 19 17:15:20 CET 1999 Werner Koch
  (Werner Koch, 1999-11-19, 1 file, -3/+8)
* See ChangeLog: Mon Nov 15 21:36:02 CET 1999 Werner Koch
  (Werner Koch, 1999-11-15, 1 file, -1/+0)
* See ChangeLog: Sat Nov 13 17:44:23 CET 1999 Werner Koch
  (Werner Koch, 1999-11-13, 1 file, -13/+27)
* See ChangeLog: Fri Jul 2 11:45:54 CEST 1999 Werner Koch
  (Werner Koch, 1999-07-02, 1 file, -6/+46)
* See ChangeLog: Sun May 23 14:20:22 CEST 1999 Werner Koch
  (Werner Koch, 1999-05-23, 1 file, -0/+2)
* See ChangeLog: Mon May 17 21:54:43 CEST 1999 Werner Koch
  (Werner Koch, 1999-05-17, 1 file, -1/+3)
* See ChangeLog: Sun Apr 18 10:11:28 CEST 1999 Werner Koch
  (Werner Koch, 1999-04-18, 1 file, -1/+1)
* See ChangeLog: Tue Apr 6 19:58:12 CEST 1999 Werner Koch
  (Werner Koch, 1999-04-06, 1 file, -2/+7)
* See ChangeLog: Tue Feb 16 14:10:02 CET 1999 Werner Koch
  (Werner Koch, 1999-02-16, 1 file, -1/+1)
* See ChangeLog: Wed Feb 10 17:15:39 CET 1999 Werner Koch
  (Werner Koch, 1999-02-10, 1 file, -10/+1)
* See ChangeLog: Tue Jan 12 11:17:18 CET 1999 Werner Koch
  (Werner Koch, 1999-01-12, 1 file, -0/+7)
* See ChangeLog: Sat Jan 9 18:54:57 CET 1999 Werner Koch
  (Werner Koch, 1999-01-09, 1 file, -3/+0)
* See ChangeLog: Sat Jan 9 16:02:23 CET 1999 Werner Koch
  (Werner Koch, 1999-01-09, 1 file, -4/+0)
* See ChangeLog: Tue Dec 29 14:41:47 CET 1998 Werner Koch
  (Werner Koch, 1998-12-29, 1 file, -0/+6)
* See ChangeLog: Wed Dec 23 13:34:22 CET 1998 Werner Koch
  (Werner Koch, 1998-12-23, 1 file, -3/+3)
* See ChangeLog: Mon Dec 14 21:18:49 CET 1998 Werner Koch
  (Werner Koch, 1998-12-14, 1 file, -32/+28)
* See ChangeLog: Sat Dec 12 18:40:32 CET 1998 Werner Koch
  (Werner Koch, 1998-12-12, 1 file, -0/+2)
* See ChangeLog: Thu Dec 10 20:15:36 CET 1998 Werner Koch
  (Werner Koch, 1998-12-10, 1 file, -13/+44)
* Restructured the RNG source and add support for loadable random modules.
  (Werner Koch, 1998-11-25, 1 file, -7/+136)
* bug fix release [tag: V0-3-4]
  (Werner Koch, 1998-08-11, 1 file, -0/+2)
* changes done at the train
  (Werner Koch, 1998-08-07, 1 file, -33/+5)
* sync
  (Werner Koch, 1998-07-14, 1 file, -2/+2)
* nearly ready for 0.3.0
  (Werner Koch, 1998-06-25, 1 file, -26/+34)