* cipher/random.c (randomize_mpi): New.
* g10/gpgv.c (randomize_mpi): New stub.
* cipher/rsa.c (USE_BLINDING): Define macro.
(secret): Implement blinding.
--
GPG 1.x has never used any protection against timing attacks on the
RSA secret operation. The rationale for this has been that there was
no way to mount a remote timing attack on GnuPG. With the turning up
of Acoustic Cryptanalysis (http://cs.tau.ac.il/~tromer/acoustic) this
assumption no longer holds true and thus we need to do something
about it. Blinding seems to be a suitable mitigation to the threat of
key extraction. It does not help against distinguishing used keys,
though.
Note that GPG 2.x uses Libgcrypt which does blinding by default.
The performance penalty is negligible: Modifying the core pubkey_sign
or pubkey_decrypt function to run 100 times in a loop, the entire
execution times for signing or decrypting a small message using a 4K
RSA key on a Thinkpad X220 are
Without blinding: 5.2s (8.9s)
With blinding: 5.6s (9.3s)
The numbers in parentheses give the values without the recently
implemented k-ary exponentiation code. Thus for the next release the
user will actually experience faster signing and decryption. A
drawback of blinding is that we need random numbers even for
decryption (albeit at low quality).
Signed-off-by: Werner Koch <wk@gnupg.org>
CVE-id: CVE-2013-4576
* cipher/random.c (read_seed_file): Distinguish between errors and
short reads.
--
This should help to avoid program aborts due to races. Nevertheless a
better and cross-platform locking would be a more solid solution.
GnuPG-bug-id: 1439
rijndael.c, rndunix.c, sha256.c, cast5.c, idea-stub.c, rmd160.c, rndw32.c,
sha512.c, md5.c, rmd160test.c, rsa.c, tiger.c: Edit all preprocessor
instructions to remove whitespace before the '#'. This is not required by
C89, but there are some compilers out there that don't like it.
* random.c (fast_random_poll): Only use times() if we HAVE_TIMES.
* sha512.c, tiger.c: Use the U64_C() macro to specify 64-bit constants.
U64_C is defined in include/types.h and uses the correct suffix depending
on the underlying type of u64.
* idea-stub.c (load_module): Catch an error if the idea module file is
unloadable for some reason (unreadable, bad permissions, etc.)
* md.c (string_to_digest_algo): Give a warning about TIGER192 not being
part of OpenPGP.
configure so.
* rndegd.c (rndegd_connect_socket): New. Factored out from ..
(rndegd_gather_random): here and call it.
(do_read): Update the counter variables correctly. This was not a
problem due to the way EGD works. Bug found by Christian Biere.