* scd/app-openpgp.c (get_public_key): correctly close 'fp' upon use.
--
Inside the get_public_key function, 'fp' was opened using popen, but
incorrectly closed using fclose.
Debian-Bug-Id: 773474
* g10/keygen.c (generate_subkeypair): Release DEK soon.
--
This fixes the out_of_core error in the test case of adding
RSA-4096 subkey to RSA-4096 primary key with configuration:
s2k-cipher-algo S10
Debian-bug-id: 772780
* g10/parse-packet.c (dump_sig_subpkt): Print regex subpacket
sanitized.
--
We may not use "%s" to print an arbitrary buffer. At least "%.*s"
should have been used. However, it is in general preferable to escape
control characters while printf user data.
Reported-by: Hanno Böck
Signed-off-by: Werner Koch <wk@gnupg.org>
(backported from commit 596ae9f543)
* g10/parse-packet.c (parse_attribute_subpkts): Check that the
attribute packet is large enough for the subpacket type.
--
Reported-by: Hanno Böck
Signed-off-by: Werner Koch <wk@gnupg.org>
(backported from commit 0988764397)
* g10/mainproc.c (proc_encrypted): Take care of canceled passpharse
entry.
--
GnuPG-bug-id: 1761
Signed-off-by: Werner Koch <wk@gnupg.org>
(backported from commit 32e85668b8)
* g10/openfile.c (open_sigfile): Factor some code out to ...
(get_matching_datafile): new function.
* g10/plaintext.c (hash_datafiles): Do not try to find matching file
in batch mode.
* g10/mainproc.c (check_sig_and_print): Print a warning if a possibly
matching data file is not used by a standard signatures.
--
Allowing to use the abbreviated form for detached signatures is a long
standing bug which has only been noticed by the public with the
release of 2.1.0. :-(
What we do is to remove the ability to check detached signature in
--batch using the one file abbreviated mode. This should exhibit
problems in scripts which use this insecure practice. We also print a
warning if a matching data file exists but was not considered because
the detached signature was actually a standard signature:
gpgv: Good signature from "Werner Koch (dist sig)"
gpgv: WARNING: not a detached signature; \
file 'gnupg-2.1.0.tar.bz2' was NOT verified!
We can only print a warning because it is possible that a standard
signature is indeed to be verified but by coincidence a file with a
matching name is stored alongside the standard signature.
Reported-by: Simon Nicolussi (to gnupg-users on Nov 7)
Signed-off-by: Werner Koch <wk@gnupg.org>
(backported from commit 69384568f6)
Updated doc/gpg.texi.
* g10/options.h (IMPORT_KEEP_OWNERTTRUST): New.
* g10/import.c (parse_import_options): Add "keep-ownertrust".
(import_one): Act upon new option.
--
This option is in particular useful to convert from a pubring.gpg to
the new pubring.kbx in GnuPG 2.1 or vice versa:
gpg1 --export | gpg2 --import-options keep-ownertrust --import
(cherry-picked from commit da95d0d378)
* configure.ac: Added --enable-large-secmem option.
* g10/options.h: Add opt.flags.large_rsa.
* g10/gpg.c: Contingent on configure option: adjust secmem size,
add gpg --enable-large-rsa, bound to opt.flags.large_rsa.
* g10/keygen.c: Adjust max RSA size based on opt.flags.large_rsa
* doc/gpg.texi: Document --enable-large-rsa.
--
Some older implementations built and used RSA keys up to 16Kib, but
the larger secret keys now fail when used by more recent GnuPG, due to
secure memory limitations.
Building with ./configure --enable-large-secmem will make gpg
capable of working with those secret keys, as well as permitting the
use of a new gpg option --enable-large-rsa, which let gpg generate RSA
keys up to 8Kib when used with --batch --gen-key.
Debian-bug-id: 739424
Minor edits by wk.
GnuPG-bug-id: 1732
* doc/Makefile.am (sources_from_trunk): Remove.
(update-source): Make it a dummy.
* doc/gpg.texi: Update.
* doc/yat2m.c: Update.
--
Maintaining 3 versions in of the gpg manual in one file is getting
more complicated with 2.1. Thus we stop this now and keep the manual
for 1.4 separate.
* mpi/mpi-inv.c (mpi_invm): Return 0 for bad input.
--
Without this patch the function may enter an endless loop. This is a
backport from libgcrypt.
GnuPG-bug-id: 1713
* include/types.h (GNUPG_GCC_ATTR_UNUSED): Define for gcc >= 3.5.
* mpi/mpih-div.c (mpihelp_divmod_1, mpihelp_mod_1): Mark dummy as
unused.
* mpi/mpi-internal.h (UDIV_QRNND_PREINV): Mark _ql as unused.
--
Due to the use of macros and longlong.h, we use variables which are
only used by some architectures. At least gcc 4.7.2 prints new
warnings about set but not used variables. This patch silences them.
* g10/mainproc.c (proc_compressed): Remove superfluous check for
an algorithm number of 0.
--
(backport from commit 88633bf3d4)
GnuPG-bug-id: 1326, 1684
* g10/keygen.c (gen_elg): Enforce keysize 1024 to 4096.
(gen_rsa): Enforce keysize 1024 to 4096.
(gen_dsa): Enforce keysize 768 to 3072.
--
It was possible to create 16k RSA keys in batch mode. In addition to
the silliness of such keys, they have the major drawback that GnuPG,
with its limited amount of specially secured memory areas, the use of
such keys may lead to an "out of secure memory" condition.
* g10/keyserver.c (ks_retrieval_filter_arg_s): new.
(keyserver_retrieval_filter): Use new struct and check all
descriptions.
(keyserver_spawn): Pass filter arg suing the new struct.
--
This is a fix for commit 52303043.
The old code did only work for a single key. It failed as soon as
several keys are specified ("gpg --refresh-keys" or "gpg --recv-key A
B C").
* g10/main.h: Typedef import_filter for filter callbacks.
* g10/import.c (import): Add filter callbacks to param list.
(import_one): Ditto.
(import_secret_one): Ditto.
(import_keys_internal): Ditto.
(import_keys_stream): Ditto.
* g10/keyserver.c (keyserver_retrieval_filter): New.
(keyserver_spawn): Pass filter to import_keys_stream()
--
These changes introduces import functions that apply a constraining
filter to imported keys. These filters can verify the fingerprints of
the keys returned before importing them into the keyring, ensuring that
the keys fetched from the keyserver are in fact those selected by the
user beforehand.
Signed-off-by: Stefan Tomanek <tomanek@internet-sicherheit.de>
Re-indention and minor changes by wk.
* g10/keylist.c (list_keyblock_colon): Print field 16.
--
We have this info already in gnupg-2 and it is easy to add it to 1.4.
Debian-bug-id: 672658
Patch written and tested by Daniel Leidert. See above.
* g10/encr-data.c (decrypt_data): Do not distinguish between a bad MDC
packet header and a bad MDC.
--
The separate diagnostic was introduced for debugging a problems. For
explaining an MDC error a single error message is easier to understand.
* g10/apdu.c (pcsc_dword_t): New. It was named as DWORD (double-word)
when a word was 16-bit.
(struct reader_table_s): Fixes for types.
(struct pcsc_readerstate_s) [__APPLE__]: Enable #pragma pack(1).
Throughout: Fixes for types.
--
GnuPG-bug-id: 1358
This is a backport of commit ae22d629b6.
* g10/pkclist.c (build_pk_list): Use more specific reasons codes for
INV_RECP.
--
GnuPG-bug-id: 1650
Note that this patch is a bit more limited than the one in 2.1.
* configure.ac (DOCBOOK_TO_MAN): Remove.
* doc/gpg.ru.sgml: Remove.
* doc/Makefile.am: Remove all gpg.ru related code.
--
The man page is outdated and we do not use docbook for a long time
now. If someone wants to revive such a man page, it would be best to
translate the respective parts of the GnuPG manual in git master.
GnuPG-bug-id: 1652
* g10/compress.c (do_uncompress): Limit the number of extra FF bytes.
--
A packet like (a3 01 5b ff) leads to an infinite loop. Using
--max-output won't help if it is a partial packet. This patch
actually fixes a regression introduced on 1999-05-31 (c34c6769).
Actually it would be sufficient to stuff just one extra 0xff byte.
Given that this problem popped up only after 15 years, I feel safer to
allow for a very few FF bytes.
Thanks to Olivier Levillain and Florian Maury for their detailed
report.
* g10/trustdb.c (clear_ownertrusts): Init trustdb.
--
This is actually a hack to fix a bug introduced with commit 2528178.
Debian uses it and thus we should do too.
GnuPG-bug-id: 1622
* acinclude.m4 (GNUPG_SYS_SYMBOL_UNDERSCORE): Change mingw detection.
--
From: Stephen Kitt <skitt@debian.org>
All MinGW targets require underscores when linking. This patch fixes
acinclude.m4 and the resulting configure so they don't limit the use
of underscores to the old mingw32msvc targets.
Debian-bug-id: 730271
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/mainproc.c (proc_encrypted): Move show_session_key code to ...
* g10/decrypt-data.c (decrypt_data): here.
--
This feature can be used to return the session key for just a part of
a file. For example to downloading just the first 32k of a huge file,
decrypting that incomplete part and while ignoring all the errors
break out the session key. The session key may then be used on the
server to decrypt the entire file without the need to have the private
key on the server.
This is the same feature as
commit 101a54add3 for 2.1 and
commit 3ae90ff28c for 2.0.
GnuPG-bug-id: 1389
Signed-off-by: Werner Koch <wk@gnupg.org>
* checks/Makefile.am: Add a list of test dependencies.
--
We want to keep the tests in a specific order because that helps to
compare tests and some tests rely on others anyway.
Signed-off-by: Werner Koch <wk@gnupg.org>
* cipher/rsa.c (secret): Normalize the INPUT.
(rsa_decrypt): Pass reduced data to secret.
* cipher/elgamal.c (decrypt): Normalize A and B.
* cipher/dsa.c (sign): Normalize HASH.
--
mpi_normalize is in general not required because extra leading zeroes
do not harm the computation. However, adding extra all zero limbs or
padding with multiples of N may be useful in side-channel attacks. In
particular they are used by the acoustic crypt-analysis. This is an
extra pre-caution which alone would not be sufficient to mitigate the
described attack.
CVE-id: CVE-2013-4576
Signed-off-by: Werner Koch <wk@gnupg.org>
* cipher/random.c (randomize_mpi): New.
* g10/gpgv.c (randomize_mpi): New stub.
* cipher/rsa.c (USE_BLINDING): Define macro.
(secret): Implement blinding.
--
GPG 1.x has never used any protection against timing attacks on the
RSA secret operation. The rationale for this has been that there was
no way to mount a remote timing attack on GnuPG. With the turning up
of Acoustic Cryptanalysis (http://cs.tau.ac.il/~tromer/acoustic) this
assumption no longer holds true and thus we need to do do something
about it. Blinding seems to be a suitable mitigation to the threat of
key extraction. It does not help against distinguishing used keys,
though.
Note that GPG 2.x uses Libgcrypt which does blinding by default.
The performance penalty is negligible: Modifying the core pubkey_sign
or pubkey_decrypt function to run 100 times in a loop, the entire
execution times for signing or decrypting a small message using a 4K
RSA key on a Thinkpad X220 are
Without blinding: 5.2s (8.9s)
With blinding: 5.6s (9.3s)
The numbers in parentheses give the values without the recently
implemented k-ary exponentiation code. Thus for the next release the
user will actually experience faster signing and decryption. A
drawback of blinding is that we need random numbers even for
decryption (albeit at low quality).
Signed-off-by: Werner Koch <wk@gnupg.org>
CVE-id: CVE-2013-4576
* mpi/mpi-pow.c (USE_ALGORITHM_SIMPLE_EXPONENTIATION): New.
(mul_mod) [!USE_ALGORITHM_SIMPLE_EXPONENTIATION]: New.
(mpi_powm) [!USE_ALGORITHM_SIMPLE_EXPONENTIATION]: New implementation
of left-to-right k-ary exponentiation.
--
This is a backport from Libgcrypt commit
45aa6131e93fac89d46733b3436d960f35fb99b2
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
For the Yarom/Falkner flush+reload cache side-channel attack, we
changed the code so that it always calls the multiplication
routine (even if we can skip it to get result). This results some
performance regression.
This change is for recovering performance with efficient
algorithm.
Signed-off-by: Werner Koch <wk@gnupg.org>
