1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-11-11 21:48:50 +01:00
Commit Graph

26 Commits

Author SHA1 Message Date
Dario Niedermann
877e3073d7
Do not use C99 feature.
* cipher/rsa.c (secret): Move var decl to the beginning.
--

Trivial patch; ChangeLog written by wk.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-11-10 15:45:59 +01:00
NIIBE Yutaka
1b1f44846b rsa: Reduce secmem pressure.
* cipher/rsa.c (secret): Don't keep secmem.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-07-07 21:51:42 +09:00
NIIBE Yutaka
994d5b7075 rsa: Allow different build directory.
* cipher/Makefile.am (AM_CPPFLAGS): Add mpi dirs.
* cipher/rsa.c: Change include file.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-07-07 21:20:56 +09:00
Marcus Brinkmann
8fd9f72e1b rsa: Add exponent blinding.
* cipher/rsa.c (secret_core_crt): Blind secret D with randomized
nonce R for mpi_powm computation.

--

Backport of libgcrypt 8725c99ffa41778f382ca97233183bcd687bb0ce.

Signed-off-by: Marcus Brinkmann <mb@g10code.com>
2017-07-07 21:03:10 +09:00
Werner Koch
ae61f01523
Obsolete option --no-sig-create-check.
* cipher/rsa.c (rsa_sign): Verify after sign.
* g10/gpg.c (opts): Make --no-sig-create-check a NOP.
* g10/options.h (opt): Remove field "no_sig_create_check".
* g10/sign.c (do_sign): Do check only for DSA.

Signed-off-by: Werner Koch <wk@gnupg.org>
2015-09-01 07:47:14 +02:00
Werner Koch
d0d72d98f3 Normalize the MPIs used as input to secret key functions.
* cipher/rsa.c (secret): Normalize the INPUT.
(rsa_decrypt): Pass reduced data to secret.
* cipher/elgamal.c (decrypt): Normalize A and B.
* cipher/dsa.c (sign): Normalize HASH.
--

mpi_normalize is in general not required because extra leading zeroes
do not harm the computation.  However, adding extra all zero limbs or
padding with multiples of N may be useful in side-channel attacks. In
particular they are used by the acoustic crypt-analysis.  This is an
extra pre-caution which alone would not be sufficient to mitigate the
described attack.

CVE-id: CVE-2013-4576

Signed-off-by: Werner Koch <wk@gnupg.org>
2013-12-03 09:26:04 +01:00
Werner Koch
93a96e3c0c Use blinding for the RSA secret operation.
* cipher/random.c (randomize_mpi): New.
* g10/gpgv.c (randomize_mpi): New stub.
* cipher/rsa.c (USE_BLINDING): Define macro.
(secret): Implement blinding.
--

GPG 1.x has never used any protection against timing attacks on the
RSA secret operation.  The rationale for this has been that there was
no way to mount a remote timing attack on GnuPG.  With the turning up
of Acoustic Cryptanalysis (http://cs.tau.ac.il/~tromer/acoustic) this
assumption no longer holds true and thus we need to do do something
about it.  Blinding seems to be a suitable mitigation to the threat of
key extraction.  It does not help against distinguishing used keys,
though.

Note that GPG 2.x uses Libgcrypt which does blinding by default.

The performance penalty is negligible: Modifying the core pubkey_sign
or pubkey_decrypt function to run 100 times in a loop, the entire
execution times for signing or decrypting a small message using a 4K
RSA key on a Thinkpad X220 are

  Without blinding:  5.2s  (8.9s)
  With blinding:     5.6s  (9.3s)

The numbers in parentheses give the values without the recently
implemented k-ary exponentiation code.  Thus for the next release the
user will actually experience faster signing and decryption.  A
drawback of blinding is that we need random numbers even for
decryption (albeit at low quality).

Signed-off-by: Werner Koch <wk@gnupg.org>

CVE-id: CVE-2013-4576
2013-12-03 09:25:57 +01:00
Werner Koch
9a2a818887 Switched to GPLv3.
Updated gettext.
2007-10-23 10:48:09 +00:00
Werner Koch
9f433cccca Removed the use of g10defs.h.
This required some code cleanups and the introduction of
a few accessor ducntions in mpi.
2006-12-11 19:54:53 +00:00
David Shaw
04376627a6 * rsa.c (generate): Use e=65537 for new RSA keys. 2006-06-28 22:29:25 +00:00
Werner Koch
a1cdf3c75f Converted all m_free to xfree etc. 2005-07-27 18:10:56 +00:00
Werner Koch
7d4043ca57 Updated FSF street address and preparations for a release candidate. 2005-05-31 08:39:18 +00:00
Werner Koch
f36154535e Note: I have not fully tested the new key creation due to a pc/sc
error.  However the backupfile has been created successfully.

* rsa.c (rsa_generate): Return the dummy list of factors only if
the caller asked for it.

* card_util.c (generate_card_keys): ask whether backup should be
created.
(card_store_subkey): Factored some code out to ..
* keygen.c (save_unprotected_key_to_card): .. new function.
(gen_card_key_with_backup): New.
(generate_raw_key): New.
(generate_keypair): New arg BACKUP_ENCRYPTION_DIR.  Changed all
callers.
(do_generate_keypair): Divert to gen_card_key_with_backup when
desired.
2004-09-23 19:34:45 +00:00
David Shaw
68b3e412f4 * dsa.h, dsa.c (dsa_verify), elgamal.h, elgamal.c (elg_verify), rsa.h,
rsa.c (rsa_verify), pubkey.c (dummy_verify, pubkey_verify): Remove old
unused code.
2003-12-17 19:05:23 +00:00
David Shaw
29e6411a7b * bithelp.h, des.c, random.c, rndlinux.c, sha1.c, blowfish.c, elgamal.c,
rijndael.c, rndunix.c, sha256.c, cast5.c, idea-stub.c, rmd160.c, rndw32.c,
sha512.c, md5.c, rmd160test.c, rsa.c, tiger.c: Edit all preprocessor
instructions to remove whitespace before the '#'.  This is not required by
C89, but there are some compilers out there that don't like it.
2003-05-24 18:31:33 +00:00
David Shaw
151ee2f47b Update head to match stable 1.0 2002-06-29 13:31:13 +00:00
Werner Koch
07ca4eaa9d Removed files from the HEAD revision, because they are now in another
repository
2000-12-19 17:20:22 +00:00
Werner Koch
986649bea0 Some configuration changes 2000-11-14 16:04:16 +00:00
Werner Koch
9c20f65cbe See ChangeLog: Wed Oct 4 13:16:18 CEST 2000 Werner Koch 2000-10-04 11:16:19 +00:00
Werner Koch
986d928ce2 See ChangeLog: Mon Sep 18 16:35:45 CEST 2000 Werner Koch 2000-09-18 14:35:34 +00:00
Werner Koch
92cd255508 See ChangeLog: Fri Jul 14 19:38:23 CEST 2000 Werner Koch 2000-07-14 17:34:53 +00:00
Werner Koch
68ea0f4353 added option file handling 1997-12-12 12:03:58 +00:00
Werner Koch
935965049d fingerprints and self signatures added 1997-12-09 12:46:23 +00:00
Werner Koch
46900fbd43 ElGamal funktioniert und ist default 1997-11-24 22:24:04 +00:00
Werner Koch
25c8f1a3d7 Output armor works, RSA keygen works. 1997-11-19 13:12:23 +00:00
Werner Koch
5393dd53c5 initially checkin 1997-11-18 14:06:00 +00:00