path: root/cipher

Commit log (each entry: commit message, author, date, files changed, lines -/+)
* Obsolete option --no-sig-create-check. (Werner Koch, 2015-09-01, 1 file, -1/+12)
  * cipher/rsa.c (rsa_sign): Verify after sign.
  * g10/gpg.c (opts): Make --no-sig-create-check a NOP.
  * g10/options.h (opt): Remove field "no_sig_create_check".
  * g10/sign.c (do_sign): Do check only for DSA.
  Signed-off-by: Werner Koch <[email protected]>
* Add convenience function to hash a buffer. (Werner Koch, 2015-02-26, 1 file, -1/+18)
  * cipher/sha1.c (sha1_hash_buffer): New.
  Signed-off-by: Werner Koch <[email protected]>
* Use ciphertext blinding for Elgamal decryption. (Werner Koch, 2015-02-11, 1 file, -14/+49)
  * cipher/elgamal.c (USE_BLINDING): New.
  (decrypt): Rewrite to use ciphertext blinding.
  --
  CVE-id: CVE-2014-3591
  As a countermeasure to new side-channel attacks on sliding windows exponentiation we blind the ciphertext for Elgamal decryption. This is similar to what we are doing with RSA.
  Unfortunately, the performance impact of Elgamal blinding is quite noticeable: For a 3072 bit Elgamal key the decryption used to take 13ms; with the blinding it takes 24ms. This has been measured using time(1), calling gpg with a 100 byte message, and having gpg modified to run the pubkey_decrypt function 100 times and finally scale the result (using an i5-2410M CPU @ 2.30GHz TP 220).
* Fix a problem with select and high fds. (Werner Koch, 2015-01-19, 2 files, -15/+22)
  * cipher/rndlinux.c (rndlinux_gather_random): Check fd before using FD_SET.
  --
  If on systems where the maximum number of fds may be dynamically configured to a value of FD_MAXSIZE or higher and the RNG is first used after more than FD_SETSIZE-1 descriptors are in use, we disable the progress messages from the RNG. A better solution would be to use poll but that requires more tests.
  The same problem exists in rndunix.c - however this rng is only used on old Unices and I assume that they don't feature dynamically configured maximum fd sizes.
  (from Libgcrypt commit 9487099071af4478d2882e633a0ade805801d6fa)
  This may fix GnuPG-bug-id: 1818
* Fix strict-alias warnings for rijndael.c (Werner Koch, 2014-08-20, 1 file, -19/+19)
  * cipher/rijndael.c (do_setkey, prepare_decryption): Use u32_a_t cast.
  --
  This extends commit 0ad1458f827c7602ef7f1a4652af05641fd02b62
* Normalize the MPIs used as input to secret key functions. (Werner Koch, 2013-12-03, 3 files, -6/+25)
  * cipher/rsa.c (secret): Normalize the INPUT.
  (rsa_decrypt): Pass reduced data to secret.
  * cipher/elgamal.c (decrypt): Normalize A and B.
  * cipher/dsa.c (sign): Normalize HASH.
  --
  mpi_normalize is in general not required because extra leading zeroes do not harm the computation. However, adding extra all zero limbs or padding with multiples of N may be useful in side-channel attacks. In particular they are used by the acoustic cryptanalysis. This is an extra precaution which alone would not be sufficient to mitigate the described attack.
  CVE-id: CVE-2013-4576
  Signed-off-by: Werner Koch <[email protected]>
* Use blinding for the RSA secret operation. (Werner Koch, 2013-12-03, 3 files, -17/+54)
  * cipher/random.c (randomize_mpi): New.
  * g10/gpgv.c (randomize_mpi): New stub.
  * cipher/rsa.c (USE_BLINDING): Define macro.
  (secret): Implement blinding.
  --
  GPG 1.x has never used any protection against timing attacks on the RSA secret operation. The rationale for this has been that there was no way to mount a remote timing attack on GnuPG. With the turning up of Acoustic Cryptanalysis (http://cs.tau.ac.il/~tromer/acoustic) this assumption no longer holds true and thus we need to do something about it. Blinding seems to be a suitable mitigation to the threat of key extraction. It does not help against distinguishing used keys, though.
  Note that GPG 2.x uses Libgcrypt which does blinding by default.
  The performance penalty is negligible: Modifying the core pubkey_sign or pubkey_decrypt function to run 100 times in a loop, the entire execution times for signing or decrypting a small message using a 4K RSA key on a Thinkpad X220 are
    Without blinding: 5.2s (8.9s)
    With blinding:    5.6s (9.3s)
  The numbers in parentheses give the values without the recently implemented k-ary exponentiation code. Thus for the next release the user will actually experience faster signing and decryption.
  A drawback of blinding is that we need random numbers even for decryption (albeit at low quality).
  Signed-off-by: Werner Koch <[email protected]>
  CVE-id: CVE-2013-4576
* Fix idea.c for big endian CPUs. (Werner Koch, 2013-01-11, 1 file, -7/+7)
  * cipher/idea.c: Replace use of WORDS_BIGENDIAN by BIG_ENDIAN_HOST.
  --
  GnuPG-bug-id: 1461
* Support the not anymore patented IDEA cipher algorithm. (Werner Koch, 2012-11-08, 3 files, -188/+414)
  * cipher/idea.c: New. Take from Libgcrypt master and adjust for direct use in GnuPG.
  * cipher/idea-stub.c: Remove.
  * cipher/Makefile.am: Add idea.c and remove idea-stub.c rules.
  * configure.ac: Remove idea-stub code.
  * g10/gpg.c (check_permissions): Remove code path for ITEM==2.
  (main): Make --load-extension a dummy option.
  * g10/keygen.c (keygen_set_std_prefs): Include IDEA only in PGP2 compatibility mode.
  * g10/misc.c (idea_cipher_warn): Remove. Also remove all callers.
  * g10/seckey-cert.c (do_check): Remove emitting of STATUS_RSA_OR_IDEA.
  * g10/status.c (get_status_string): Remove STATUS_RSA_OR_IDEA.
  * g10/status.h (STATUS_RSA_OR_IDEA): Remove.
  --
  To keep the number of actually used algorithms low, we support IDEA only in a basically read-only way (unless --pgp2 is used during key generation). It does not make sense to suggest the use of this old 64 bit blocksize algorithm. However, there is old data available where it might be helpful to have IDEA available.
* Fix usage of dlerror to conform to POSIX. (Werner Koch, 2012-11-07, 1 file, -6/+8)
  * cipher/idea-stub.c: Clear last error before dlsym.
  --
  This is required for NetBSD.
  Reported-by: Thomas Klausner
* Improve handling of random_seed read errors. (Werner Koch, 2012-11-07, 1 file, -1/+25)
  * cipher/random.c (read_seed_file): Distinguish between errors and short reads.
  --
  This should help to avoid program aborts due to races. Nevertheless a better and cross-platform locking would be a more solid solution.
  GnuPG-bug-id: 1439
* Remove trailing white space from one file (Werner Koch, 2012-11-07, 1 file, -10/+10)
* Fix typos in comments. (Werner Koch, 2012-01-24, 2 files, -3/+3)
  --
  Fixes provided by Gilles Espinasse.
* Typo fixes and comment re-formatting. (Werner Koch, 2012-01-12, 1 file, -5/+6)
* Use gcc pragmas to suppress some warnings. (Werner Koch, 2012-01-10, 1 file, -11/+15)
  * configure.ac (AH_BOTTOM): Add GNUPG_GCC_VERSION macro.
  * util/estream-printf.c (pr_float): Use new gcc pragma to ignore a warning about a non-literal format.
  * util/miscutil.c (asctimestamp): Ditto.
  * cipher/md.c (md_stop_debug): Use new gcc pragma to ignore a warning about a set but unused variable.
* Rename all ChangeLog files to ChangeLog-2011. (Werner Koch, 2011-12-02, 1 file, -2/+9)
  * ChangeLog: New file.
* Removed some set but unused vars. (Werner Koch, 2011-08-09, 2 files, -12/+19)
* Fix aliasing problem. (Werner Koch, 2011-08-09, 1 file, -1035/+1043)
* Add a minor feature for w32. (tag: gnupg-1.4.11) (Werner Koch, 2010-10-18, 2 files, -3/+14)
* The rest of the VMS changes. (Werner Koch, 2010-09-28, 1 file, -0/+2)
* Minor changes to help the VMS port (Werner Koch, 2010-09-28, 2 files, -3/+60)
* Minor fixes (Werner Koch, 2010-08-31, 1 file, -0/+4)
* Revert that last stupid setuid detection fix. (Werner Koch, 2008-07-17, 2 files, -2/+2)
* Add Camellia-192. (David Shaw, 2008-04-17, 3 files, -4/+43)
* Improved AES performance. (Werner Koch, 2008-03-22, 4 files, -240/+369)
* Updated ZH po file. (Werner Koch, 2007-12-12, 2 files, -0/+14)
  Allow de/encryption using legacy type 20 keys.
  Updated config.{sub,guess}
* Allow decryption using type 20 key. (Werner Koch, 2007-12-11, 2 files, -0/+11)
* Add 128-bit variant of Camellia. (David Shaw, 2007-11-29, 3 files, -13/+53)
* * sha256.c (sha224_get_info): 4880 has an error in the SHA-224 OID and we inherited it. Fixing. (David Shaw, 2007-11-28, 2 files, -2/+7)
* Switched to GPLv3. (Werner Koch, 2007-10-23, 40 files, -153/+80)
  Updated gettext.
* Add an extra warning for Camellia. (Werner Koch, 2007-07-09, 3 files, -2/+8)
  Minor W32 fix
  Address change.
* Add Camellia. Do not enable this if you are not doing interop testing. It is not (yet) legal OpenPGP, is not interop tested yet (obviously), and it's a great way to lose your data. Just don't do it. (David Shaw, 2007-06-13, 7 files, -4/+1727)
* Removed the use of g10defs.h. (Werner Koch, 2006-12-11, 6 files, -27/+48)
  This required some code cleanups and the introduction of a few accessor functions in mpi.
* Preparing an RC (Werner Koch, 2006-11-29, 2 files, -1/+6)
* * rsa.c (generate): Use e=65537 for new RSA keys. (David Shaw, 2006-06-28, 2 files, -13/+13)
* (generate): Tweak to allow keys larger than 1024 bits. Enforce that the q size doesn't end between byte boundaries. (David Shaw, 2006-04-20, 2 files, -1/+4)
* The plumbing necessary to create DSA keys with variable sized q. (David Shaw, 2006-04-20, 2 files, -9/+28)
  Not yet used (q==160).
* Add SHA-224 support (David Shaw, 2006-04-20, 4 files, -5/+83)
* * blowfish.c, md5.c, rmd160.c, sha1.c, sha256.c, sha512.c: Revert previous change. It's now all done in configure. (David Shaw, 2006-03-20, 7 files, -13/+18)
* * blowfish.c, md5.c, rmd160.c, sha1.c, sha256.c, sha512.c: Use '#if' rather than '#ifdef' BIG_ENDIAN_HOST. Harmless as we explicitly define BIG_ENDIAN_HOST to 1 when we need it, but needed for OSX fat builds when we define BIG_ENDIAN_HOST to another macro. (David Shaw, 2006-03-20, 7 files, -13/+21)
* about to release 1.4.3rc1 (tag: gnupg-1.4.3rc1) (Werner Koch, 2006-02-14, 2 files, -2/+6)
* Lock random seed file (Werner Koch, 2006-02-09, 3 files, -1/+93)
* * idea-stub.c (load_module): Not legal to return a void * as a function pointer. (David Shaw, 2005-12-06, 6 files, -24/+8)
* * Makefile.am: Some cleanup so we don't build files that are completely ifdeffed out. This causes a warning on Sun's cc. Do sha512.c as well for consistency. (David Shaw, 2005-12-06, 2 files, -8/+30)
* Experimental code to improve AES performance. Got about 25% on ia32. (Werner Koch, 2005-08-11, 3 files, -1/+76)
* Converted all m_free to xfree etc. (Werner Koch, 2005-07-27, 11 files, -64/+64)
* * random.c: Fix prototype of the fast random gatherer. Noted by Joe Vender. (David Shaw, 2005-06-07, 2 files, -2/+7)
* Updated FSF street address and preparations for a release candidate. (Werner Koch, 2005-05-31, 36 files, -36/+70)
* (rndw32_gather_random_fast): While adding data use the size of the object and not the one of its address. Bug reported by Sascha Kiefer. (Werner Koch, 2005-03-23, 2 files, -5/+12)
* * primegen.c (is_prime): Free A2. Noted by [email protected]. (Werner Koch, 2005-03-07, 2 files, -8/+15)
  Fixes #423.
  * DETAILS: Document new status codes.
  * cardglue.c (agent_scd_pkdecrypt, agent_scd_pksign) (agent_scd_genkey, agent_scd_setattr, agent_scd_change_pin) (agent_scd_checkpin, agent_openpgp_storekey): Make sure to send a SC_OP_FAILURE after card operations which might change data.
  * card-util.c (change_pin): Send a SC_OP_SUCCESS after a PIN has been changed.
  (change_name): Removed a debug output.
  * status.h, status.c: New codes BAD_PASSPHRASE_PIN, SC_OP_FAILURE and SC_OP_SUCCESS.
  * de.po: Updated. Translation is still in the works, though.