* g10/encr-data.c (decrypt_data): Do not distinguish between a bad MDC
packet header and a bad MDC.
--
The separate diagnostic was introduced for debugging a problems. For
explaining an MDC error a single error message is easier to understand.
* g10/apdu.c (pcsc_dword_t): New. It was named as DWORD (double-word)
when a word was 16-bit.
(struct reader_table_s): Fixes for types.
(struct pcsc_readerstate_s) [__APPLE__]: Enable #pragma pack(1).
Throughout: Fixes for types.
--
GnuPG-bug-id: 1358
This is a backport of commit ae22d629b6.
* g10/pkclist.c (build_pk_list): Use more specific reasons codes for
INV_RECP.
--
GnuPG-bug-id: 1650
Note that this patch is a bit more limited than the one in 2.1.
* g10/compress.c (do_uncompress): Limit the number of extra FF bytes.
--
A packet like (a3 01 5b ff) leads to an infinite loop. Using
--max-output won't help if it is a partial packet. This patch
actually fixes a regression introduced on 1999-05-31 (c34c6769).
Actually it would be sufficient to stuff just one extra 0xff byte.
Given that this problem popped up only after 15 years, I feel safer to
allow for a very few FF bytes.
Thanks to Olivier Levillain and Florian Maury for their detailed
report.
* g10/trustdb.c (clear_ownertrusts): Init trustdb.
--
This is actually a hack to fix a bug introduced with commit 2528178.
Debian uses it and thus we should do too.
GnuPG-bug-id: 1622
* g10/mainproc.c (proc_encrypted): Move show_session_key code to ...
* g10/decrypt-data.c (decrypt_data): here.
--
This feature can be used to return the session key for just a part of
a file. For example to downloading just the first 32k of a huge file,
decrypting that incomplete part and while ignoring all the errors
break out the session key. The session key may then be used on the
server to decrypt the entire file without the need to have the private
key on the server.
This is the same feature as
commit 101a54add3 for 2.1 and
commit 3ae90ff28c for 2.0.
GnuPG-bug-id: 1389
Signed-off-by: Werner Koch <wk@gnupg.org>
* cipher/random.c (randomize_mpi): New.
* g10/gpgv.c (randomize_mpi): New stub.
* cipher/rsa.c (USE_BLINDING): Define macro.
(secret): Implement blinding.
--
GPG 1.x has never used any protection against timing attacks on the
RSA secret operation. The rationale for this has been that there was
no way to mount a remote timing attack on GnuPG. With the turning up
of Acoustic Cryptanalysis (http://cs.tau.ac.il/~tromer/acoustic) this
assumption no longer holds true and thus we need to do do something
about it. Blinding seems to be a suitable mitigation to the threat of
key extraction. It does not help against distinguishing used keys,
though.
Note that GPG 2.x uses Libgcrypt which does blinding by default.
The performance penalty is negligible: Modifying the core pubkey_sign
or pubkey_decrypt function to run 100 times in a loop, the entire
execution times for signing or decrypting a small message using a 4K
RSA key on a Thinkpad X220 are
Without blinding: 5.2s (8.9s)
With blinding: 5.6s (9.3s)
The numbers in parentheses give the values without the recently
implemented k-ary exponentiation code. Thus for the next release the
user will actually experience faster signing and decryption. A
drawback of blinding is that we need random numbers even for
decryption (albeit at low quality).
Signed-off-by: Werner Koch <wk@gnupg.org>
CVE-id: CVE-2013-4576
* g10/parse-packet.c (parse_key): Add keyid printing.
--
This is backport from GnuPG-2. Note that the --list-packets command
is for debugging only and not part iof the stable API.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/tdbio.c (tdbio_set_dbname): Add arg R_NOFILE.
* g10/trustdb.c (trustdb_args): Add field no_trustdb.
(init_trustdb): Set that field.
(revalidation_mark): Take care of a nonexistent trustdb file.
(read_trust_options): Ditto.
(get_ownertrust): Ditto.
(get_min_ownertrust): Ditto.
(update_ownertrust): Ditto.
(update_min_ownertrust): Ditto.
(clear_ownertrusts): Ditto.
(cache_disabled_value): Ditto.
(check_trustdb_stale): Ditto.
(get_validity): Ditto.
* g10/gpg.c (main): Do not create a trustdb with most commands for
trust-model always.
--
This slightly changes the semantics of most commands in that they
won't create a trustdb if --trust-model=always is used. It just does
not make sense to create a trustdb if there is no need for it.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 1a0eeaacd1)
Resolved conflicts:
g10/gpg.c
g10/tdbio.h
g10/trustdb.c
(indentation fixes)
* g10/options.h (IMPORT_NO_SECKEY): New.
* g10/keyserver.c (keyserver_spawn, keyserver_import_cert): Set new
flag.
* g10/import.c (import_secret_one): Deny import if flag is set.
--
By modifying a keyserver or a DNS record to send a secret key, an
attacker could trick a user into signing using a different key and
user id. The trust model should protect against such rogue keys but
we better make sure that secret keys are never received from remote
sources.
Suggested-by: Stefan Tomanek
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit e7abed3448)
Resolved conflicts:
g10/options.h
* include/cipher.h (PUBKEY_USAGE_NONE): New.
* g10/getkey.c (parse_key_usage): Set new flag.
--
We do not want to use the default capabilities (derived from the
algorithm) if any key flags are given in a signature. Thus if key
flags are used in any way, the default key capabilities are never
used.
This allows to create a key with key flags set to all zero so it can't
be used. This better reflects common sense.
(cherry picked from commit 4bde12206c)
(cherry picked from commit 0a805ed160)
Resolved conflicts:
include/cipher.h
* include/cipher.h (PUBKEY_ALGO_ECC): New.
* g10/keyid.c (pubkey_letter): Add letter 'C'.
--
ID 22 will be used for generic ECC, i.e. one which can be used for
ECDSA and ECDH. The only support in 1.4 will pretty printing the
algorithm id.
* include/dotlock.h (dotlock_remove_lockfiles_reclaim): New.
(dotlock_destroy, dotlock_remove_lockfiles): Add a flag to reclaim
memory or not.
* util/dotlock.c (dotlock_create): Use
dotlock_remove_lockfiles_reclaim for atexit.
(dotlock_destroy_unix, dotlock_destroy)
(dotlock_remove_lockfiles): Add a reclaim flag.
(dotlock_remove_lockfiles_reclaim): New.
* g10/signal.c (got_fatal_signal): Disable flag of reclaim memory to
avoid non-async-face call.
* g10/keydb.c (maybe_create_keyring): Follow the API change.
* g10/gpgv.c: Follow the API change.
--
signal handler got_fatal_signal should not call non-async-signal-safe
functions. When malloc is interrupted by a signal, it screws up.
This issue is reported:
https://bugs.g10code.com/gnupg/issue1515http://bugs.debian.org/399904
* g10/import.c (valid_keyblock_packet): New.
(read_block): Store only valid packets.
--
A corrupted key, which for example included a mangled public key
encrypted packet, used to corrupt the keyring. This change skips all
packets which are not allowed in a keyblock.
GnuPG-bug-id: 1455
* g10/gpg.c (build_list): Rewrite to cope with buffer overflow in
certain locales.
* util/membuf.c (put_membuf_str): New.
(get_membuf): Make LEN optional.
--
This fixes an obvious bug in locales where the translated string is
longer than the original. The bug could be exhibited by using
LANG=ru_RU.utf8 gpg -v --version.
En passant we also removed the trailing white space on continued
lines.
Reported-by: Dmitry V. Levin" <ldv at altlinux.org>
* keyserver.c (print_keyrec): Honor --keyid-format when getting back
full fingerprints from the keyserver (the comment in the code was
correct, the code was not).
* g10/keygen.c (gen_card_key_with_backup): Get the size of the key
from the card.
--
Formerly the off-line encryption key was created with a fixed length
of 1024 bit. With this change the key is created as expected.
GnuPG-bug-id: 1230
* cipher/idea.c: New. Take from Libgcrypt master and adjust for
direct use in GnuPG.
* cipher/idea-stub.c: Remove.
* cipher/Makefile.am: Add idea.c and remove idea-stub.c rules.
* configure.ac: Remove idea-stub code.
* g10/gpg.c (check_permissions): Remove code path for ITEM==2.
(main): Make --load-extension a dummy option.
* g10/keygen.c (keygen_set_std_prefs): Include IDEA only in PGP2
compatibility mode.
* g10/misc.c (idea_cipher_warn): Remove. Also remove all callers.
* g10/seckey-cert.c (do_check): Remove emitting of STATUS_RSA_OR_IDEA.
* g10/status.c (get_status_string): Remove STATUS_RSA_OR_IDEA.
* g10/status.h (STATUS_RSA_OR_IDEA): Remove.
--
To keep the number of actually used algorithms low, we support IDEA
only in a basically read-only way (unless --pgp2 is used during key
generation). It does not make sense to suggest the use of this old 64
bit blocksize algorithm. However, there is old data available where
it might be helpful to have IDEA available.
* g10/sign.c (update_keysig_packet): Honor --cert-digest-algo when
recreating a cert.
This is used by various things in --edit-key like setpref, primary,
etc. Suggested by Christian Aistleitner.
* g10/gpgv.c, g10/trustdb.c (read_trust_options): Add min_cert_level
* g10/trustdb.c (check_trustdb_stale): Request a rebuild if
pending_check_trustdb is true (set when we detect a trustdb
parameter has changed).
* g10/keylist.c (public_key_list): Use 'l' in the "tru" with-colons
listing for min_cert_level not matching.
* g10/tdbio.c (tdbio_update_version_record, create_version_record,
tdbio_db_matches_options, tdbio_dump_record, tdbio_read_record,
tdbio_write_record): Add a byte for min_cert_level in the tdbio
version record.
* g10/status.h (STATUS_DECRYPTION_INFO): New.
* g10/status.c (get_status_string): Add new status string.
* g10/encr-data.c: Include status.h.
(decrypt_data): Print STATUS_DECRYPTION_INFO.
--
This is backport of commit 5667e33.
DECRYPTION_INFO <mdc_method> <sym_algo>
Print information about the symmetric encryption algorithm and
the MDC method. This will be emitted even if the decryption
fails.
The functions tdbio_read_record and tdbio_write_record control the
actual on-disk format. Thus there is no need to keep reserved fields
in the internal data structure.
* g10/tdbio.h (struct trust_record): Remove reserved fields.
We allow a single or a double space in the middle of the fingerprint
to help with c+p fingerprints from an HTML pages which are not being
enclosed in a "pre" tag.
* g10/getkey.c (classify_user_id): Check for space separated GPG
fingerprint.
--
This is a backport of commit 957fe72 and 372fb4f.
* include/dotlock.h: New. From current gnupg master.
* util/dotlock.c: Ditto. Include util.h. The major changes done in
master are: Factor Unix and W32 specific code out into specific
functions. Define HAVE_POSIX_SYSTEM. Rearrange some functions.
(disable_dotlock): Rename to dotlock_disable.
(create_dotlock): Rename to dotlock_create and add a dummy arg.
(destroy_dotlock): Rename to dotlock_destroy.
(make_dotlock): Rename to dotlock_take.
(release_dotlock): Rename to dotlock_release.
(remove_lockfiles): Rename to dotlock_remove_lockfiles.
This problem was identified and solved by Steven M. Schweda.
Note that the vms specific code is not part of this repository.
See http://antinode.info/dec/sw/gnupg.html for the VMS port.
This does not mean we have any kind of ECC support now. It is merely
to avoid printing a question mark for the algorithm.
Trailing white space changes as usual.
MD5 in preference lists. Instead of replacing MD5 with SHA-1, just
remove MD5 from the list altogether, and let the next-highest ranked
algorithm be chosen.
overflow when picking an algorithm (not a security issue since we
can't pick something not present in all preference lists, but we might
pick something that isn't scored first choice).
For compatibility reasons a few new files had to be added.
Also added estream-printf as this is now used in app-openpgp.c and provides
a better and generic asprintf implementation than the hack we used for the
W32 code in ttyio.c. Card code is not yet finished.