mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

273 Commits

Author SHA1 Message Date
Werner Koch
c6dbfe8990
random: Hash continuous areas in the csprng pool.
* cipher/random.c (mix_pool): Store the first hash at the end of the
pool.
--

This fixes a long standing bug (since 1998) in Libgcrypt and GnuPG.
An attacker who obtains 580 bytes of the random number from the
standard RNG can trivially predict the next 20 bytes of output.

This bug does not affect the default generation of
keys because running gpg for key creation creates at most 2 keys from
the pool: For a single 4096 bit RSA key 512 bytes of random are
required and thus for the second key (encryption subkey), 20 bytes
could be predicted from the first key.  However, the security of
an OpenPGP key depends on the primary key (which was generated first)
and thus the 20 predictable bytes should not be a problem.  For the
default key length of 2048 bit nothing will be predictable.

For the former default of DSA+Elgamal key it is complicated to give an
answer: For 2048 bit keys a pool of 30 non-secret candidate primes of
about 300 bits each are first created.  This reads at least 1140 bytes
from the pool and thus parts could be predicted.  At some point a 256
bit secret is read from the pool; which in the worst case might be
partly predictable.

The bug was found and reported by Felix Dörre and Vladimir Klebanov,
Karlsruhe Institute of Technology.  A paper describing the problem in
detail will shortly be published.

CVE-id: CVE-2016-6313
Signed-off-by: Werner Koch <wk@gnupg.org>
2016-08-17 11:15:50 +02:00
Werner Koch
e23eec8c9a
cipher: Improve readability by using a macro.
* cipher/random.c (mix_pool): Use DIGESTLEN instead of 20.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-08-17 11:03:07 +02:00
Daniel Kahn Gillmor
15d1327234 Clean up "allow to"
* README, cipher/cipher.c, cipher/pubkey.c, doc/gpg.texi: replace
  "allow to" with clearer text

In standard English, the normal construction is "${XXX} allows ${YYY}
to" -- that is, the subject (${XXX}) of the sentence is allowing the
object (${YYY}) to do something.  When the object is missing, the
phrasing sounds awkward, even if the object is implied by context.
There's almost always a better construction that isn't as awkward.

These changes should make the language a bit clearer.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-08-04 12:37:41 +02:00
Daniel Kahn Gillmor
1820889e3c Fix spelling: "occured" should be "occurred"
* checks/armor.test, cipher/des.c, g10/ccid-driver.c, g10/pkclist.c,
  util/regcomp.c, util/regex_internal.c: correct the spelling of
  "occured" to "occurred"

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-08-04 12:37:34 +02:00
Werner Koch
22caa5c2d4
Fix possible sign extension problem with newer compilers.
* cipher/des.c (READ_64BIT_DATA): Cast to u32 before shifting by 24.
* cipher/blowfish.c (do_encrypt_block): Ditto.
(do_decrypt_block): Ditto.
* cipher/camellia.c (CAMELLIA_RR8): Ditto.
* cipher/cast5.c (do_encrypt_block): Ditto.
(do_decrypt_block): Ditto.
(do_cast_setkey): Ditto.
* cipher/twofish.c (INPACK): Ditto.
* util/iobuf.c (block_filter): Ditto.
--

For cipher/des.c
Reported-by: Balint Reczey <balint@balintreczey.hu>

See commit 57af33d9e7c9b20b413b96882e670e75a67a5e65 for details.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-02-01 18:15:28 +01:00
Werner Koch
a38dffde7b
Fix possible AIX problem with sysconf in rndunix.
* cipher/rndunix.c [HAVE_STDINT_H]: Include stdint.h.
(start_gatherer): Detect misbehaving sysconf.
--

See
GnuPG-bug-id: 1778
for the reason of this patch. There is no concrete bug report but this
change should not harm.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-01-15 15:52:11 +01:00
Werner Koch
ae61f01523
Obsolete option --no-sig-create-check.
* cipher/rsa.c (rsa_sign): Verify after sign.
* g10/gpg.c (opts): Make --no-sig-create-check a NOP.
* g10/options.h (opt): Remove field "no_sig_create_check".
* g10/sign.c (do_sign): Do check only for DSA.

Signed-off-by: Werner Koch <wk@gnupg.org>
2015-09-01 07:47:14 +02:00
Werner Koch
2e7a3ed390
Add convenience function to hash a buffer.
* cipher/sha1.c (sha1_hash_buffer): New.

Signed-off-by: Werner Koch <wk@gnupg.org>
2015-02-26 15:35:49 +01:00
Werner Koch
ff53cf06e9 Use ciphertext blinding for Elgamal decryption.
* cipher/elgamal.c (USE_BLINDING): New.
(decrypt): Rewrite to use ciphertext blinding.
--

CVE-id: CVE-2014-3591

As a countermeasure to new side-channel attacks on sliding windows
exponentiation we blind the ciphertext for Elgamal decryption.  This
is similar to what we are doing with RSA.

Unfortunately, the performance impact of Elgamal blinding is quite
noticeable: For a 3072 bit Elgamal key the decryption used to take
13ms; with the blinding it takes 24ms.  This has been measured using
time(1), calling gpg with a 100 byte message, and having gpg modified
to run the pubkey_decrypt function 100 times and finally scale the
result (using an i5-2410M CPU @ 2.30GHz TP 220).
2015-02-11 20:04:58 +01:00
Werner Koch
8adb5ff260 Fix a problem with select and high fds.
* cipher/rndlinux.c (rndlinux_gather_random): Check fd before using
FD_SET.
--

If on systems where the maximum number of fds may be dynamically
configured to a value of FD_MAXSIZE or higher and the RNG is first
used after more than FD_SETSIZE-1 descriptors are in use, we disable
the progress messages from the RNG.  A better solution would be to
use poll but that requires more tests.

The same problem exists in rndunix.c - however this rng is only used
on old Unices and I assume that they don't feature dynamically
configured maximum fd sizes.

(from Libgcrypt commit 9487099071af4478d2882e633a0ade805801d6fa)

This may fix
GnuPG-bug-id: 1818
2015-01-19 16:46:05 +01:00
Werner Koch
ecf2728230 Fix strict-alias warnings for rijndael.c
* cipher/rijndael.c (do_setkey, prepare_decryption): Use u32_a_t cast.
--

This extends commit 0ad1458f827c7602ef7f1a4652af05641fd02b62
2014-08-20 12:22:35 +02:00
Werner Koch
d0d72d98f3 Normalize the MPIs used as input to secret key functions.
* cipher/rsa.c (secret): Normalize the INPUT.
(rsa_decrypt): Pass reduced data to secret.
* cipher/elgamal.c (decrypt): Normalize A and B.
* cipher/dsa.c (sign): Normalize HASH.
--

mpi_normalize is in general not required because extra leading zeroes
do not harm the computation.  However, adding extra all zero limbs or
padding with multiples of N may be useful in side-channel attacks. In
particular they are used by the acoustic cryptanalysis.  This is an
extra precaution which alone would not be sufficient to mitigate the
described attack.

CVE-id: CVE-2013-4576

Signed-off-by: Werner Koch <wk@gnupg.org>
2013-12-03 09:26:04 +01:00
Werner Koch
93a96e3c0c Use blinding for the RSA secret operation.
* cipher/random.c (randomize_mpi): New.
* g10/gpgv.c (randomize_mpi): New stub.
* cipher/rsa.c (USE_BLINDING): Define macro.
(secret): Implement blinding.
--

GPG 1.x has never used any protection against timing attacks on the
RSA secret operation.  The rationale for this has been that there was
no way to mount a remote timing attack on GnuPG.  With the turning up
of Acoustic Cryptanalysis (http://cs.tau.ac.il/~tromer/acoustic) this
assumption no longer holds true and thus we need to do something
about it.  Blinding seems to be a suitable mitigation to the threat of
key extraction.  It does not help against distinguishing used keys,
though.

Note that GPG 2.x uses Libgcrypt which does blinding by default.

The performance penalty is negligible: Modifying the core pubkey_sign
or pubkey_decrypt function to run 100 times in a loop, the entire
execution times for signing or decrypting a small message using a 4K
RSA key on a Thinkpad X220 are

  Without blinding:  5.2s  (8.9s)
  With blinding:     5.6s  (9.3s)

The numbers in parentheses give the values without the recently
implemented k-ary exponentiation code.  Thus for the next release the
user will actually experience faster signing and decryption.  A
drawback of blinding is that we need random numbers even for
decryption (albeit at low quality).

Signed-off-by: Werner Koch <wk@gnupg.org>

CVE-id: CVE-2013-4576
2013-12-03 09:25:57 +01:00
Werner Koch
37f1a42744 Fix idea.c for big endian CPUs.
* cipher/idea.c: Replace use of WORDS_BIGENDIAN by BIG_ENDIAN_HOST.
--
GnuPG-bug-id: 1461
2013-01-11 15:10:38 +01:00
Werner Koch
b1eac93431 Support the not anymore patented IDEA cipher algorithm.
* cipher/idea.c: New.  Take from Libgcrypt master and adjust for
direct use in GnuPG.
* cipher/idea-stub.c: Remove.
* cipher/Makefile.am: Add idea.c and remove idea-stub.c rules.
* configure.ac: Remove idea-stub code.
* g10/gpg.c (check_permissions): Remove code path for ITEM==2.
(main): Make --load-extension a dummy option.
* g10/keygen.c (keygen_set_std_prefs): Include IDEA only in PGP2
compatibility mode.
* g10/misc.c (idea_cipher_warn): Remove.  Also remove all callers.
* g10/seckey-cert.c (do_check): Remove emitting of STATUS_RSA_OR_IDEA.
* g10/status.c (get_status_string): Remove STATUS_RSA_OR_IDEA.
* g10/status.h (STATUS_RSA_OR_IDEA): Remove.

--

To keep the number of actually used algorithms low, we support IDEA
only in a basically read-only way (unless --pgp2 is used during key
generation).  It does not make sense to suggest the use of this old 64
bit blocksize algorithm.  However, there is old data available where
it might be helpful to have IDEA available.
2012-11-08 13:25:02 +01:00
Werner Koch
c3a5448379 Fix usage of dlerror to conform to POSIX.
* cipher/idea-stub.c: Clear last error before dlsym.
--

This is required for NetBSD.

Reported-by: Thomas Klausner
2012-11-07 21:38:27 +01:00
Werner Koch
b1abc01d4a Improve handling of random_seed read errors.
* cipher/random.c (read_seed_file): Distinguish between errors and
short reads.
--

This should help to avoid program aborts due to races.  Nevertheless a
better and cross-platform locking would be a more solid solution.

GnuPG-bug-id: 1439
2012-11-07 18:06:27 +01:00
Werner Koch
a74f05c32d Remove trailing white space from one file
--
2012-11-07 18:00:45 +01:00
Werner Koch
86a32a4b06 Fix typos in comments.
--
Fixes provided by Gilles Espinasse.
2012-01-24 09:48:17 +01:00
Werner Koch
16c90b2175 Typo fixes and comment re-formatting. 2012-01-12 11:47:35 +01:00
Werner Koch
667ba59ec5 Use gcc pragmas to suppress some warnings.
* configure.ac (AH_BOTTOM): Add GNUPG_GCC_VERSION macro.
* util/estream-printf.c (pr_float): Use new gcc pragma to ignore a
warning about a non-literal format.
* util/miscutil.c (asctimestamp): Ditto.
* cipher/md.c (md_stop_debug): Use new gcc pragma to ignore a warning
about a set but unused variable.
2012-01-10 11:31:00 +01:00
Werner Koch
76b73caf91 Rename all ChangeLog files to ChangeLog-2011.
* ChangeLog: New file.
2011-12-02 19:42:56 +01:00
Werner Koch
a95143e225 Removed some set but unused vars. 2011-08-09 10:54:22 +02:00
Werner Koch
0ad1458f82 Fix aliasing problem. 2011-08-09 10:54:02 +02:00
Werner Koch
05febd5860 Add a minor feature for w32. 2010-10-18 10:02:29 +00:00
Werner Koch
6764837956 The rest of the VMS changes. 2010-09-28 15:55:24 +00:00
Werner Koch
aa29ba1689 Minor changes to help the VMS port 2010-09-28 10:07:30 +00:00
Werner Koch
690dc98c6f Minor fixes 2010-08-31 08:42:38 +00:00
Werner Koch
d9527051eb Revert that last stupid setuid detection fix. 2008-07-17 19:47:19 +00:00
David Shaw
18f6e7e5d8 Add Camellia-192. 2008-04-17 17:40:30 +00:00
Werner Koch
537cada38e Improved AES performance. 2008-03-22 17:01:37 +00:00
Werner Koch
81685cc799 Updated ZH po file.
Allow de/encryption using legacy type 20 keys.
Updated config.{sub,guess}
2007-12-12 18:26:25 +00:00
Werner Koch
a45ad0eba1 Allow decryption using type 20 key. 2007-12-11 17:14:05 +00:00
David Shaw
bc15e25d7a Add 128-bit variant of Camellia. 2007-11-29 14:51:08 +00:00
David Shaw
154407fd38 * sha256.c (sha224_get_info): 4880 has an error in the SHA-224 OID and
we inherited it.  Fixing.
2007-11-28 23:00:11 +00:00
Werner Koch
9a2a818887 Switched to GPLv3.
Updated gettext.
2007-10-23 10:48:09 +00:00
Werner Koch
66c5c46b95 Add an extra warning for Camellia.
Minor W32 fix
Address change.
2007-07-09 17:26:51 +00:00
David Shaw
7cf79c128a Add Camellia. Do not enable this if you are not doing interop
testing.  It is not (yet) legal OpenPGP, is not interop tested yet
(obviously), and it's a great way to lose your data.  Just don't do
it.
2007-06-13 15:28:11 +00:00
Werner Koch
9f433cccca Removed the use of g10defs.h.
This required some code cleanups and the introduction of
a few accessor functions in mpi.
2006-12-11 19:54:53 +00:00
Werner Koch
29f48b5fdc Preparing an RC 2006-11-29 15:42:28 +00:00
David Shaw
04376627a6 * rsa.c (generate): Use e=65537 for new RSA keys. 2006-06-28 22:29:25 +00:00
David Shaw
b625a6d1a9 (generate): Tweak to allow keys larger than 1024 bits. Enforce that the q
size doesn't end between byte boundaries.
2006-04-20 21:11:56 +00:00
David Shaw
2f94329422 The plumbing necessary to create DSA keys with variable sized q.
Not yet used (q==160).
2006-04-20 18:40:37 +00:00
David Shaw
f0902a6aef Add SHA-224 support 2006-04-20 02:05:32 +00:00
David Shaw
70f1c32ffd * blowfish.c, md5.c, rmd160.c, sha1.c, sha256.c, sha512.c: Revert previous
change.  It's now all done in configure.
2006-03-20 16:40:28 +00:00
David Shaw
0f4f660d5f * blowfish.c, md5.c, rmd160.c, sha1.c, sha256.c, sha512.c: Use '#if'
rather than '#ifdef' BIG_ENDIAN_HOST.  Harmless as we explicitly
define BIG_ENDIAN_HOST to 1 when we need it, but needed for OSX fat
builds when we define BIG_ENDIAN_HOST to another macro.
2006-03-20 00:39:44 +00:00
Werner Koch
b121d029b5 about to release 1.4.3rc1 2006-02-14 16:28:34 +00:00
Werner Koch
2410941461 Lock random seed file 2006-02-09 12:54:41 +00:00
David Shaw
8a0cf1d2a3 * idea-stub.c (load_module): Not legal to return a void * as a function
pointer.
2005-12-06 20:27:43 +00:00
David Shaw
c0d7fa368e * Makefile.am: Some cleanup so we don't build files that are completely
ifdeffed out.  This causes a warning on Sun's cc.  Do sha512.c as well for
consistency.
2005-12-06 17:13:44 +00:00