1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-23 10:29:58 +01:00

2696 Commits

Author SHA1 Message Date
Daniel Kahn Gillmor
534e2876ac gpg: Add build and runtime support for larger RSA keys
* configure.ac: Added --enable-large-secmem option.
* g10/options.h: Add opt.flags.large_rsa.
* g10/gpg.c: Contingent on configure option: adjust secmem size,
add gpg --enable-large-rsa, bound to opt.flags.large_rsa.
* g10/keygen.c: Adjust max RSA size based on opt.flags.large_rsa
* doc/gpg.texi: Document --enable-large-rsa.

--

Some older implementations built and used RSA keys up to 16Kib, but
the larger secret keys now fail when used by more recent GnuPG, due to
secure memory limitations.

Building with ./configure --enable-large-secmem will make gpg
capable of working with those secret keys, as well as permitting the
use of a new gpg option --enable-large-rsa, which let gpg generate RSA
keys up to 8Kib when used with --batch --gen-key.

Debian-bug-id: 739424

Minor edits by wk.

GnuPG-bug-id: 1732
2014-10-03 18:27:28 +02:00
Werner Koch
2889a70c10 doc: Cleanup gpg.texi.
--

We don't need the gpgone and gpgtwoone macros anymore.
2014-09-29 11:30:03 +02:00
Werner Koch
3209f270d2 doc: Final update from master (gnupg 2.1)
* doc/Makefile.am (sources_from_trunk): Remove.
(update-source): Make it a dummy.
* doc/gpg.texi: Update.
* doc/yat2m.c: Update.
--

Maintaining 3 versions in of the gpg manual in one file is getting
more complicated with 2.1.  Thus we stop this now and keep the manual
for 1.4 separate.
2014-09-29 11:29:59 +02:00
Werner Koch
ad30b2a4ae Allow use of --debug-level=LEVEL without '='.
* g10/gpg.c (opts): Fix "debug-level".
2014-09-29 11:29:52 +02:00
Werner Koch
cd53cdbc37 mpi: Improve mpi_invm to detect bad input.
* mpi/mpi-inv.c (mpi_invm): Return 0 for bad input.
--

Without this patch the function may enter an endless loop.  This is a
backport from libgcrypt.

GnuPG-bug-id: 1713
2014-09-11 17:06:22 +02:00
Werner Koch
b89f57fe5d mpi: Suppress set-but-unused-variables warnings.
* include/types.h (GNUPG_GCC_ATTR_UNUSED): Define for gcc >= 3.5.
* mpi/mpih-div.c (mpihelp_divmod_1, mpihelp_mod_1): Mark dummy as
 unused.
* mpi/mpi-internal.h (UDIV_QRNND_PREINV): Mark _ql as unused.
--

Due to the use of macros and longlong.h, we use variables which are
only used by some architectures.  At least gcc 4.7.2 prints new
warnings about set but not used variables.  This patch silences them.
2014-08-20 13:25:17 +02:00
Werner Koch
ecf2728230 Fix strict-alias warnings for rijndael.c
* cipher/rijndael.c (do_setkey, prepare_decryption): Use u32_a_t cast.
--

This extends commit 0ad1458f827c7602ef7f1a4652af05641fd02b62
2014-08-20 12:22:35 +02:00
Werner Koch
45e3b81114 gpg: Allow compressed data with algorithm 0.
* g10/mainproc.c (proc_compressed): Remove superfluous check for
an algorithm number of 0.
--

(backport from commit 88633bf3d417aeb5ea0f75508aba8e32adc8acef)

GnuPG-bug-id: 1326, 1684
2014-08-20 12:05:16 +02:00
Werner Koch
d58552760b gpg: Fix regression due to the keyserver import filter.
* g10/keyserver.c (keyserver_retrieval_filter): Change args.  Rewrite
to take subpakets in account.
* g10/import.c (import_one, import_secret_one): Pass keyblock to
filter.
--

GnuPG-bug-id: 1680

Resolved conflicts:
	g10/main.h - s/import_filter/import_filter_t/g
2014-08-06 18:43:40 +02:00
Werner Koch
dcf58b3471 Add kbnode_t for easier backporting.
* g10/global.h (kbnode_t): New.
2014-08-06 18:33:21 +02:00
Werner Koch
c05918c1b9 Post release updates
--
2014-06-30 20:24:38 +02:00
Werner Koch
6a7b763e05 Release 1.4.18 gnupg-1.4.18 2014-06-30 19:52:28 +02:00
Werner Koch
aae7ec516b Limit keysize for unattended key generation to useful values.
* g10/keygen.c (gen_elg): Enforce keysize 1024 to 4096.
(gen_rsa): Enforce keysize 1024 to 4096.
(gen_dsa): Enforce keysize 768 to 3072.
--

It was possible to create 16k RSA keys in batch mode. In addition to
the silliness of such keys, they have the major drawback that GnuPG,
with its limited amount of specially secured memory areas, the use of
such keys may lead to an "out of secure memory" condition.
2014-06-30 19:40:58 +02:00
Werner Koch
955524f435 Make screening of keyserver result work with multi-key commands.
* g10/keyserver.c (ks_retrieval_filter_arg_s): new.
(keyserver_retrieval_filter): Use new struct and check all
descriptions.
(keyserver_spawn): Pass filter arg suing the new struct.
--

This is a fix for commit 52303043.

The old code did only work for a single key.  It failed as soon as
several keys are specified ("gpg --refresh-keys" or "gpg --recv-key A
B C").
2014-06-30 19:40:44 +02:00
Werner Koch
574b9ed28d Add CVE number
--
2014-06-30 18:48:27 +02:00
Werner Koch
ba50a00630 Post release changes.
--
2014-06-23 17:42:21 +02:00
Werner Koch
297f2ac645 Release 1.4.17 gnupg-1.4.17 2014-06-23 17:15:09 +02:00
Werner Koch
8d5f493ba4 po: Auto-update
--
2014-06-23 17:15:02 +02:00
Werner Koch
bfc7893bda doc: Update from master. 2014-06-23 17:15:00 +02:00
Werner Koch
0d0961c483 Fix syntax error introduced with 60bd6488
* g10/apdu.c (pcsc_dword_t): Fix syntax error.
2014-06-23 17:14:55 +02:00
Stefan Tomanek
5230304349 Screen keyserver responses.
* g10/main.h: Typedef import_filter for filter callbacks.
* g10/import.c (import): Add filter callbacks to param list.
(import_one): Ditto.
(import_secret_one): Ditto.
(import_keys_internal): Ditto.
(import_keys_stream): Ditto.
* g10/keyserver.c (keyserver_retrieval_filter): New.
(keyserver_spawn): Pass filter to import_keys_stream()

--
These changes introduces import functions that apply a constraining
filter to imported keys. These filters can verify the fingerprints of
the keys returned before importing them into the keyring, ensuring that
the keys fetched from the keyserver are in fact those selected by the
user beforehand.

Signed-off-by: Stefan Tomanek <tomanek@internet-sicherheit.de>

Re-indention and minor changes by wk.
2014-06-23 15:34:36 +02:00
Werner Koch
8eab483a1c Print hash algorithm in sig records
* g10/keylist.c (list_keyblock_colon): Print field 16.
--

We have this info already in gnupg-2 and it is easy to add it to 1.4.

Debian-bug-id: 672658

Patch written and tested by Daniel Leidert.  See above.
2014-06-23 14:57:32 +02:00
Werner Koch
01bd0558dd Remove useless diagnostic in MDC verification.
* g10/encr-data.c (decrypt_data): Do not distinguish between a bad MDC
packet header and a bad MDC.
--

The separate diagnostic was introduced for debugging a problems.  For
explaining an MDC error a single error message is easier to understand.
2014-06-23 13:24:43 +02:00
Werner Koch
ab644b1eff w32: Fix typo in README.W32.
--
GnuPG-bug-id: 1488
2014-06-23 10:43:22 +02:00
Werner Koch
bb4d5c2d5f intl: Fix for uClibc.
* intl/localename.c (gl_locale_name_thread_unsafe): Take care of
uCLIBC.
--

Patch provided by "vriera".

GnuPG-bug-id: 1642
2014-06-23 10:24:01 +02:00
Werner Koch
60bd6488c0 PC/SC cleanup.
* g10/apdu.c (pcsc_dword_t): New.  It was named as DWORD (double-word)
when a word was 16-bit.
(struct reader_table_s): Fixes for types.
(struct pcsc_readerstate_s) [__APPLE__]: Enable #pragma pack(1).
Throughout: Fixes for types.
--

GnuPG-bug-id: 1358

This is a backport of commit ae22d629b6028aa994ff09f012e1cb029575eeae.
2014-06-23 09:58:34 +02:00
Werner Koch
4239780d5a gpg: Use more specific reason codes for INV_RECP.
* g10/pkclist.c (build_pk_list): Use more specific reasons codes for
INV_RECP.
--

GnuPG-bug-id: 1650

Note that this patch is a bit more limited than the one in 2.1.
2014-06-23 09:25:45 +02:00
Werner Koch
e28cbdc559 doc: Remove outdated Russian man page.
* configure.ac (DOCBOOK_TO_MAN): Remove.
* doc/gpg.ru.sgml: Remove.
* doc/Makefile.am: Remove all gpg.ru related code.
--

The man page is outdated and we do not use docbook for a long time
now.  If someone wants to revive such a man page, it would be best to
translate the respective parts of the GnuPG manual in git master.

GnuPG-bug-id: 1652
2014-06-23 08:52:29 +02:00
Werner Koch
11fdfcf82b gpg: Avoid infinite loop in uncompressing garbled packets.
* g10/compress.c (do_uncompress): Limit the number of extra FF bytes.
--

A packet like (a3 01 5b ff) leads to an infinite loop.  Using
--max-output won't help if it is a partial packet.  This patch
actually fixes a regression introduced on 1999-05-31 (c34c6769).
Actually it would be sufficient to stuff just one extra 0xff byte.
Given that this problem popped up only after 15 years, I feel safer to
allow for a very few FF bytes.

Thanks to Olivier Levillain and Florian Maury for their detailed
report.
2014-06-20 20:23:19 +02:00
Werner Koch
23191d7851 gpg: Need to init the trustdb for import.
* g10/trustdb.c (clear_ownertrusts): Init trustdb.
--

This is actually a hack to fix a bug introduced with commit 2528178.
Debian uses it and thus we should do too.

GnuPG-bug-id: 1622
2014-03-06 16:11:34 +01:00
Werner Koch
24ba0ce932 Support building using the latest mingw-w64 toolchain.
* acinclude.m4 (GNUPG_SYS_SYMBOL_UNDERSCORE): Change mingw detection.
--

  From: Stephen Kitt <skitt@debian.org>

  All MinGW targets require underscores when linking. This patch fixes
  acinclude.m4 and the resulting configure so they don't limit the use
  of underscores to the old mingw32msvc targets.

Debian-bug-id: 730271
Signed-off-by: Werner Koch <wk@gnupg.org>
2014-01-23 15:19:35 +01:00
Werner Koch
9df639b684 Post release version number bump.
--
2013-12-13 10:03:19 +01:00
Werner Koch
7cdb86e0ad Release 1.4.16 gnupg-1.4.16 2013-12-13 09:07:11 +01:00
Werner Koch
fa3f555d75 Change --show-session-key to print the session key earlier.
* g10/mainproc.c (proc_encrypted): Move show_session_key code to ...
* g10/decrypt-data.c (decrypt_data): here.
--

This feature can be used to return the session key for just a part of
a file.  For example to downloading just the first 32k of a huge file,
decrypting that incomplete part and while ignoring all the errors
break out the session key.  The session key may then be used on the
server to decrypt the entire file without the need to have the private
key on the server.

This is the same feature as
commit 101a54add351ff62793cbfbf3877787c4791f833 for 2.1 and
commit 3ae90ff28c500967cb90b1176299d2ca01ef450f for 2.0.

GnuPG-bug-id: 1389
Signed-off-by: Werner Koch <wk@gnupg.org>
2013-12-11 10:50:55 +01:00
Werner Koch
4466fdba7b Update config.{guess,sub} and some copyright notices.
* scripts/config.guess, scripts/config.sub: Update to version
2013-11-29.

Signed-off-by: Werner Koch <wk@gnupg.org>
2013-12-10 20:33:48 +01:00
Werner Koch
9b516323d7 Prepare for newer automakes which default to parallel tests.
* checks/Makefile.am: Add a list of test dependencies.
--

We want to keep the tests in a specific order because that helps to
compare tests and some tests rely on others anyway.

Signed-off-by: Werner Koch <wk@gnupg.org>
2013-12-05 10:50:27 +01:00
Werner Koch
d0d72d98f3 Normalize the MPIs used as input to secret key functions.
* cipher/rsa.c (secret): Normalize the INPUT.
(rsa_decrypt): Pass reduced data to secret.
* cipher/elgamal.c (decrypt): Normalize A and B.
* cipher/dsa.c (sign): Normalize HASH.
--

mpi_normalize is in general not required because extra leading zeroes
do not harm the computation.  However, adding extra all zero limbs or
padding with multiples of N may be useful in side-channel attacks. In
particular they are used by the acoustic crypt-analysis.  This is an
extra pre-caution which alone would not be sufficient to mitigate the
described attack.

CVE-id: CVE-2013-4576

Signed-off-by: Werner Koch <wk@gnupg.org>
2013-12-03 09:26:04 +01:00
Werner Koch
93a96e3c0c Use blinding for the RSA secret operation.
* cipher/random.c (randomize_mpi): New.
* g10/gpgv.c (randomize_mpi): New stub.
* cipher/rsa.c (USE_BLINDING): Define macro.
(secret): Implement blinding.
--

GPG 1.x has never used any protection against timing attacks on the
RSA secret operation.  The rationale for this has been that there was
no way to mount a remote timing attack on GnuPG.  With the turning up
of Acoustic Cryptanalysis (http://cs.tau.ac.il/~tromer/acoustic) this
assumption no longer holds true and thus we need to do do something
about it.  Blinding seems to be a suitable mitigation to the threat of
key extraction.  It does not help against distinguishing used keys,
though.

Note that GPG 2.x uses Libgcrypt which does blinding by default.

The performance penalty is negligible: Modifying the core pubkey_sign
or pubkey_decrypt function to run 100 times in a loop, the entire
execution times for signing or decrypting a small message using a 4K
RSA key on a Thinkpad X220 are

  Without blinding:  5.2s  (8.9s)
  With blinding:     5.6s  (9.3s)

The numbers in parentheses give the values without the recently
implemented k-ary exponentiation code.  Thus for the next release the
user will actually experience faster signing and decryption.  A
drawback of blinding is that we need random numbers even for
decryption (albeit at low quality).

Signed-off-by: Werner Koch <wk@gnupg.org>

CVE-id: CVE-2013-4576
2013-12-03 09:25:57 +01:00
Werner Koch
b135372176 gpg: Change armor Version header to emit only the major version.
* g10/options.h (opt): Rename field no_version to emit_version.
* g10/gpg.c (main): Init opt.emit_vesion to 1.  Change --emit-version
to bump up opt.emit_version.
* g10/armor.c (armor_filter): Implement different --emit-version
values.
--

GnuPG-bug-id: 1572
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit e951782e937ce290be0d89d83e84b3daea997587)

Resolved conflicts:
	NEWS
	g10/armor.c
	g10/gpg.c
2013-11-27 11:00:55 +01:00
Werner Koch
cad8216f9a mpi: mpi-pow improvements
* mpi/mpi-pow.c (USE_ALGORITHM_SIMPLE_EXPONENTIATION): New.
(mul_mod) [!USE_ALGORITHM_SIMPLE_EXPONENTIATION]: New.
(mpi_powm) [!USE_ALGORITHM_SIMPLE_EXPONENTIATION]: New implementation
of left-to-right k-ary exponentiation.
--

This is a backport from Libgcrypt commit
45aa6131e93fac89d46733b3436d960f35fb99b2

    Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>

    For the Yarom/Falkner flush+reload cache side-channel attack, we
    changed the code so that it always calls the multiplication
    routine (even if we can skip it to get result).  This results some
    performance regression.

    This change is for recovering performance with efficient
    algorithm.

Signed-off-by: Werner Koch <wk@gnupg.org>
2013-10-18 10:54:55 +02:00
Werner Koch
0bdf121d1d Print the keyid for key packets with --list-packets.
* g10/parse-packet.c (parse_key): Add keyid printing.
--

This is backport from GnuPG-2.  Note that the --list-packets command
is for debugging only and not part iof the stable API.

Signed-off-by: Werner Koch <wk@gnupg.org>
2013-10-18 10:24:32 +02:00
Werner Koch
9d89564a42 mpi: Fix syntax error for mips64 and gcc < 4.4
* mpi/longlong.h [__mips && gcc < 4.4]: Fix cpp syntax error.
--

GnuPG-bug-id: 1465
2013-10-11 14:11:43 +02:00
Werner Koch
2528178e7e gpg: Do not require a trustdb with --always-trust.
* g10/tdbio.c (tdbio_set_dbname): Add arg R_NOFILE.
* g10/trustdb.c (trustdb_args): Add field no_trustdb.
(init_trustdb): Set that field.
(revalidation_mark):  Take care of a nonexistent trustdb file.
(read_trust_options): Ditto.
(get_ownertrust): Ditto.
(get_min_ownertrust): Ditto.
(update_ownertrust): Ditto.
(update_min_ownertrust): Ditto.
(clear_ownertrusts): Ditto.
(cache_disabled_value): Ditto.
(check_trustdb_stale): Ditto.
(get_validity): Ditto.
* g10/gpg.c (main): Do not create a trustdb with most commands for
trust-model always.
--

This slightly changes the semantics of most commands in that they
won't create a trustdb if --trust-model=always is used.  It just does
not make sense to create a trustdb if there is no need for it.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 1a0eeaacd1bf09fe5125dbc3f56016bc20f3512e)

Resolved conflicts:
	g10/gpg.c
	g10/tdbio.h
	g10/trustdb.c
 (indentation fixes)
2013-10-11 09:35:01 +02:00
Werner Koch
0a10f1f91e Post release updates.
--
2013-10-04 21:29:50 +02:00
Werner Koch
8707657fe6 Release 1.4.15 gnupg-1.4.15 2013-10-04 21:10:52 +02:00
Werner Koch
ffa1ef4c84 po: Autoupdate due to changed order of strings.
--
2013-10-04 21:03:40 +02:00
Werner Koch
f5c32bd1c6 doc: Update from master. 2013-10-04 21:01:16 +02:00
Werner Koch
4a06d9a600 gpg: Print a "not found" message for an unknown key in --key-edit.
* g10/keyedit.c (keyedit_menu): Print message.
--

GnuPG-bug-id: 1420
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 0bf54e60d31389812d05c3fd29bece876204561d)
2013-10-04 20:59:45 +02:00
Werner Koch
d74dd36c11 gpg: Protect against rogue keyservers sending secret keys.
* g10/options.h (IMPORT_NO_SECKEY): New.
* g10/keyserver.c (keyserver_spawn, keyserver_import_cert): Set new
flag.
* g10/import.c (import_secret_one): Deny import if flag is set.
--

By modifying a keyserver or a DNS record to send a secret key, an
attacker could trick a user into signing using a different key and
user id.  The trust model should protect against such rogue keys but
we better make sure that secret keys are never received from remote
sources.

Suggested-by: Stefan Tomanek
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit e7abed3448c1c1a4e756c12f95b665b517d22ebe)

Resolved conflicts:
	g10/options.h
2013-10-04 20:58:51 +02:00
Daniel Kahn Gillmor
fe0fb5e6b0 gpg: Allow setting of all zero key flags
* g10/keygen.c (do_add_key_flags): Do not check for empty key flags.
(cherry picked from commit b693ec02c467696bf9d7324dd081e279f9965151)
(cherry picked from commit dd868acb0d13a9f119c0536777350a6c237a66a1)
2013-10-04 20:54:10 +02:00