1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-11-10 21:38:50 +01:00
Commit Graph

265 Commits

Author SHA1 Message Date
Werner Koch
ff53cf06e9 Use ciphertext blinding for Elgamal decryption.
* cipher/elgamal.c (USE_BLINDING): New.
(decrypt): Rewrite to use ciphertext blinding.
--

CVE-id: CVE-2014-3591

As a countermeasure to a new side-channel attacks on sliding windows
exponentiation we blind the ciphertext for Elgamal decryption.  This
is similar to what we are doing with RSA.

Unfortunately, the performance impact of Elgamal blinding is quite
noticeable: For a 3072 bit Elgamal key the decryption used to take
13ms; with the blinding it takes 24ms.  This has been measured using
time(1), calling gpg with a 100 byte message, and having gpg modified
to run the pubkey_decrypt function 100 times and finally scale the
result (using an i5-2410M CPU @ 2.30GHz TP 220).
2015-02-11 20:04:58 +01:00
Werner Koch
8adb5ff260 Fix a problem with select and high fds.
* cipher/rndlinux.c (rndlinux_gather_random): Check fd before using
FD_SET.
--

If on systems where the maximum number of fds may be dynamically
configured to a value of FD_MAXSIZE or higher and the RNG is first
used after more than FD_SETSIZE-1 descriptors are in use, we disable
the progress messages from the RNG.  A better solution would be too
use poll but that requires more tests.

The same problem exists in rndunix.c - however this rng is only used
on old Unices and I assume that they don't feature dynamically
configured maximum fd sizes.

(from Libgcrypt commit 9487099071af4478d2882e633a0ade805801d6fa)

This may fix
GnuPG-bug-id: 1818
2015-01-19 16:46:05 +01:00
Werner Koch
ecf2728230 Fix strict-alias warnings for rijndael.c
* cipher/rijndael.c (do_setkey, prepare_decryption): Use u32_a_t cast.
--

This extends commit 0ad1458f82
2014-08-20 12:22:35 +02:00
Werner Koch
d0d72d98f3 Normalize the MPIs used as input to secret key functions.
* cipher/rsa.c (secret): Normalize the INPUT.
(rsa_decrypt): Pass reduced data to secret.
* cipher/elgamal.c (decrypt): Normalize A and B.
* cipher/dsa.c (sign): Normalize HASH.
--

mpi_normalize is in general not required because extra leading zeroes
do not harm the computation.  However, adding extra all zero limbs or
padding with multiples of N may be useful in side-channel attacks. In
particular they are used by the acoustic crypt-analysis.  This is an
extra pre-caution which alone would not be sufficient to mitigate the
described attack.

CVE-id: CVE-2013-4576

Signed-off-by: Werner Koch <wk@gnupg.org>
2013-12-03 09:26:04 +01:00
Werner Koch
93a96e3c0c Use blinding for the RSA secret operation.
* cipher/random.c (randomize_mpi): New.
* g10/gpgv.c (randomize_mpi): New stub.
* cipher/rsa.c (USE_BLINDING): Define macro.
(secret): Implement blinding.
--

GPG 1.x has never used any protection against timing attacks on the
RSA secret operation.  The rationale for this has been that there was
no way to mount a remote timing attack on GnuPG.  With the turning up
of Acoustic Cryptanalysis (http://cs.tau.ac.il/~tromer/acoustic) this
assumption no longer holds true and thus we need to do do something
about it.  Blinding seems to be a suitable mitigation to the threat of
key extraction.  It does not help against distinguishing used keys,
though.

Note that GPG 2.x uses Libgcrypt which does blinding by default.

The performance penalty is negligible: Modifying the core pubkey_sign
or pubkey_decrypt function to run 100 times in a loop, the entire
execution times for signing or decrypting a small message using a 4K
RSA key on a Thinkpad X220 are

  Without blinding:  5.2s  (8.9s)
  With blinding:     5.6s  (9.3s)

The numbers in parentheses give the values without the recently
implemented k-ary exponentiation code.  Thus for the next release the
user will actually experience faster signing and decryption.  A
drawback of blinding is that we need random numbers even for
decryption (albeit at low quality).

Signed-off-by: Werner Koch <wk@gnupg.org>

CVE-id: CVE-2013-4576
2013-12-03 09:25:57 +01:00
Werner Koch
37f1a42744 Fix idea.c for big endian CPUs.
* cipher/idea.c: Replace use of WORDS_BIGENDIAN by BIG_ENDIAN_HOST.
--
GnuPG-bug-id: 1461
2013-01-11 15:10:38 +01:00
Werner Koch
b1eac93431 Support the not anymore patented IDEA cipher algorithm.
* cipher/idea.c: New.  Take from Libgcrypt master and adjust for
direct use in GnuPG.
* cipher/idea-stub.c: Remove.
* cipher/Makefile.am: Add idea.c and remove idea-stub.c rules.
* configure.ac: Remove idea-stub code.
* g10/gpg.c (check_permissions): Remove code path for ITEM==2.
(main): Make --load-extension a dummy option.
* g10/keygen.c (keygen_set_std_prefs): Include IDEA only in PGP2
compatibility mode.
* g10/misc.c (idea_cipher_warn): Remove.  Also remove all callers.
* g10/seckey-cert.c (do_check): Remove emitting of STATUS_RSA_OR_IDEA.
* g10/status.c (get_status_string): Remove STATUS_RSA_OR_IDEA.
* g10/status.h (STATUS_RSA_OR_IDEA): Remove.

--

To keep the number of actually used algorithms low, we support IDEA
only in a basically read-only way (unless --pgp2 is used during key
generation).  It does not make sense to suggest the use of this old 64
bit blocksize algorithm.  However, there is old data available where
it might be helpful to have IDEA available.
2012-11-08 13:25:02 +01:00
Werner Koch
c3a5448379 Fix usage of dlerror to conform to POSIX.
* cipher/idea-stub.c: Clear last error before dlsym.
--

This is required for NetBSD.

Reported-by: Thomas Klausner
2012-11-07 21:38:27 +01:00
Werner Koch
b1abc01d4a Improve handling of random_seed read errors.
* cipher/random.c (read_seed_file): Distinguish between errors and
short reads.
--

This should help to avoid program aborts due to races.  Nevertheless a
better and cross-platform locking would be a more solid solution.

GnuPG-bug-id: 1439
2012-11-07 18:06:27 +01:00
Werner Koch
a74f05c32d Remove trailing white space from one file
--
2012-11-07 18:00:45 +01:00
Werner Koch
86a32a4b06 Fix typos in comments.
--
Fixes provided by Gilles Espinasse.
2012-01-24 09:48:17 +01:00
Werner Koch
16c90b2175 Typo fixes and comment re-formatting. 2012-01-12 11:47:35 +01:00
Werner Koch
667ba59ec5 Use gcc pragmas to suppress some warnings.
* configure.ac (AH_BOTTOM): Add GNUPG_GCC_VERSION macro.
* util/estream-printf.c (pr_float): Use new gcc pragma to ignore a
warning about a non-literal format.
* util/miscutil.c (asctimestamp): Ditto.
* cipher/md.c (md_stop_debug): Use new gcc pragme to ignore a warning
* about a set but unused variable.
2012-01-10 11:31:00 +01:00
Werner Koch
76b73caf91 Rename all ChangeLog files to ChangeLog-2011.
* ChangeLog: New file.
2011-12-02 19:42:56 +01:00
Werner Koch
a95143e225 Removed some set but unused vars. 2011-08-09 10:54:22 +02:00
Werner Koch
0ad1458f82 Fix aliasing problem. 2011-08-09 10:54:02 +02:00
Werner Koch
05febd5860 Add a minor feature for w32. 2010-10-18 10:02:29 +00:00
Werner Koch
6764837956 The rest of the VMS changes. 2010-09-28 15:55:24 +00:00
Werner Koch
aa29ba1689 Minor changes to help the VMS port 2010-09-28 10:07:30 +00:00
Werner Koch
690dc98c6f Minor fixes 2010-08-31 08:42:38 +00:00
Werner Koch
d9527051eb Revert that last stupid setuid detection fix. 2008-07-17 19:47:19 +00:00
David Shaw
18f6e7e5d8 Add Camellia-192. 2008-04-17 17:40:30 +00:00
Werner Koch
537cada38e Improved AES performance. 2008-03-22 17:01:37 +00:00
Werner Koch
81685cc799 Updated ZH po file.
Allow de/encryption using legacy type 20 keys.
Updated config.{sub,guess}
2007-12-12 18:26:25 +00:00
Werner Koch
a45ad0eba1 Allow decryption using type 20 key. 2007-12-11 17:14:05 +00:00
David Shaw
bc15e25d7a Add 128-bit variant of Camellia. 2007-11-29 14:51:08 +00:00
David Shaw
154407fd38 * sha256.c (sha224_get_info): 4880 has an error in the SHA-224 OID and
we inherited it.  Fixing.
2007-11-28 23:00:11 +00:00
Werner Koch
9a2a818887 Switched to GPLv3.
Updated gettext.
2007-10-23 10:48:09 +00:00
Werner Koch
66c5c46b95 Add an extra warning for Camellia.
Minor W32 fix
Address change.
2007-07-09 17:26:51 +00:00
David Shaw
7cf79c128a Add Camellia. Do not enable this if you are not doing interop
testing.  It is not (yet) legal OpenPGP, is not interop tested yet
(obviously), and it's a great way to lose your data.  Just don't do
it.
2007-06-13 15:28:11 +00:00
Werner Koch
9f433cccca Removed the use of g10defs.h.
This required some code cleanups and the introduction of
a few accessor ducntions in mpi.
2006-12-11 19:54:53 +00:00
Werner Koch
29f48b5fdc Preparing an RC 2006-11-29 15:42:28 +00:00
David Shaw
04376627a6 * rsa.c (generate): Use e=65537 for new RSA keys. 2006-06-28 22:29:25 +00:00
David Shaw
b625a6d1a9 (generate): Tweak to allow keys larger than 1024 bits. Enforce that the q
size doesn't end between byte boundaries.
2006-04-20 21:11:56 +00:00
David Shaw
2f94329422 The plumbing necessary to create DSA keys with variable sized q.
Not yet used (q==160).
2006-04-20 18:40:37 +00:00
David Shaw
f0902a6aef Add SHA-224 support 2006-04-20 02:05:32 +00:00
David Shaw
70f1c32ffd * blowfish.c, md5.c, rmd160.c, sha1.c, sha256.c, sha512.c: Revert previous
change.  It's now all done in configure.
2006-03-20 16:40:28 +00:00
David Shaw
0f4f660d5f * blowfish.c, md5.c, rmd160.c, sha1.c, sha256.c, sha512.c: Use '#if'
rather than '#ifdef' BIG_ENDIAN_HOST.  Harmless as we explicitly
define BIG_ENDIAN_HOST to 1 when we need it, but needed for OSX fat
builds when we define BIG_ENDIAN_HOST to another macro.
2006-03-20 00:39:44 +00:00
Werner Koch
b121d029b5 about to release 1.4.3rc1 2006-02-14 16:28:34 +00:00
Werner Koch
2410941461 Lock random seed file 2006-02-09 12:54:41 +00:00
David Shaw
8a0cf1d2a3 * idea-stub.c (load_module): Not legal to return a void * as a function
pointer.
2005-12-06 20:27:43 +00:00
David Shaw
c0d7fa368e * Makefile.am: Some cleanup so we don't build files that are completely
ifdeffed out.  This causes a warning on Sun's cc.  Do sha512.c as well for
consistency.
2005-12-06 17:13:44 +00:00
Werner Koch
0a3eda24ee Experimental code to improve AES performance. Got about 25% on ia32. 2005-08-11 16:57:29 +00:00
Werner Koch
a1cdf3c75f Converted all m_free to xfree etc. 2005-07-27 18:10:56 +00:00
David Shaw
33f81c5bb6 * random.c: Fix prototype of the fast random gatherer. Noted by Joe
Vender.
2005-06-07 18:03:19 +00:00
Werner Koch
7d4043ca57 Updated FSF street address and preparations for a release candidate. 2005-05-31 08:39:18 +00:00
Werner Koch
4d5285ee87 (rndw32_gather_random_fast): While adding data use the
size of the object and not the one of its address.  Bug reported by
Sascha Kiefer.
2005-03-23 08:50:27 +00:00
Werner Koch
c91e30fda4 * primegen.c (is_prime): Free A2. Noted by pmike2001@mail.ru.
Fixes #423.

* DETAILS: Document new status codes.

* cardglue.c (agent_scd_pkdecrypt, agent_scd_pksign)
(agent_scd_genkey, agent_scd_setattr, agent_scd_change_pin)
(agent_scd_checkpin, agent_openpgp_storekey): Make sure to send a
SC_OP_FAILURE after card operations which might change data.
* card-util.c (change_pin): Send a SC_OP_SUCCESS after a PIN has
been changed.
(change_name): Removed a debug output.
* status.h, status.c: New codes BAD_PASSPHRASE_PIN, SC_OP_FAILURE
and SC_OP_SUCCESS.

* de.po: Updated. Translation is still in the works, though.
2005-03-07 13:59:59 +00:00
Werner Koch
fa284bae3f Minor changes 2005-01-20 11:42:48 +00:00
David Shaw
93ec34cc7a * md.c (string_to_digest_algo): Allow read/write SHA384 and SHA512. 2004-12-01 04:01:16 +00:00