mirror of git://git.gnupg.org/gnupg.git synced 2024-11-13 22:08:52 +01:00
Commit Graph

2709 Commits

Author SHA1 Message Date
Werner Koch
93a96e3c0c Use blinding for the RSA secret operation.
* cipher/random.c (randomize_mpi): New.
* g10/gpgv.c (randomize_mpi): New stub.
* cipher/rsa.c (USE_BLINDING): Define macro.
(secret): Implement blinding.
--

GPG 1.x has never used any protection against timing attacks on the
RSA secret operation.  The rationale for this has been that there was
no way to mount a remote timing attack on GnuPG.  With the turning up
of Acoustic Cryptanalysis (http://cs.tau.ac.il/~tromer/acoustic) this
assumption no longer holds true and thus we need to do something
about it.  Blinding seems to be a suitable mitigation to the threat of
key extraction.  It does not help against distinguishing used keys,
though.

Note that GPG 2.x uses Libgcrypt which does blinding by default.

The performance penalty is negligible: Modifying the core pubkey_sign
or pubkey_decrypt function to run 100 times in a loop, the entire
execution times for signing or decrypting a small message using a 4K
RSA key on a Thinkpad X220 are

  Without blinding:  5.2s  (8.9s)
  With blinding:     5.6s  (9.3s)

The numbers in parentheses give the values without the recently
implemented k-ary exponentiation code.  Thus for the next release the
user will actually experience faster signing and decryption.  A
drawback of blinding is that we need random numbers even for
decryption (albeit at low quality).

Signed-off-by: Werner Koch <wk@gnupg.org>

CVE-id: CVE-2013-4576
2013-12-03 09:25:57 +01:00
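An added illustration of the blinding this commit describes, written for this page and not taken from GnuPG: a constructed textbook-sized key and Python's built-in pow stand in for the mpi routines. The secret exponentiation only ever sees x·r^e mod n, a fresh random value per call, so its timing and cache footprint no longer correlate with the attacker-chosen input x; the result is recovered by multiplying with r^-1.

```python
"""RSA secret operation with base blinding (constructed example)."""
import math
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RsaKey:
    n: int  # modulus
    e: int  # public exponent
    d: int  # secret exponent


def toy_key() -> RsaKey:
    # Constructed key (p=61, q=53): far too small for real use, chosen so the
    # arithmetic can be followed by hand.
    p, q = 61, 53
    n = p * q
    phi = (p - 1) * (q - 1)
    e = 17
    d = pow(e, -1, phi)  # modular inverse (Python >= 3.8)
    return RsaKey(n=n, e=e, d=d)


def secret_op_unblinded(x: int, key: RsaKey) -> int:
    """Unprotected operation: the exponent loop runs directly on x, so its
    timing / cache behaviour is a function of the input the caller chose."""
    return pow(x, key.d, key.n)


def pick_blinding_factor(n: int, rng=secrets.randbelow) -> int:
    """Random r in [2, n-1] with gcd(r, n) == 1 so that r^-1 mod n exists.
    This is the drawback the commit mentions: a random number is needed
    even for decryption."""
    while True:
        r = rng(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r


def blind(x: int, key: RsaKey, r: int) -> int:
    """The value the secret exponentiation actually sees: x * r^e mod n."""
    return (x * pow(r, key.e, key.n)) % key.n


def secret_op_blinded(x: int, key: RsaKey, r: Optional[int] = None) -> int:
    """Blinded secret operation: (x * r^e)^d * r^-1 == x^d (mod n).

    r may be supplied for reproducible tests; production code always draws
    a fresh r per operation."""
    if r is None:
        r = pick_blinding_factor(key.n)
    x_blind = blind(x, key, r)                    # blind with r^e
    y_blind = pow(x_blind, key.d, key.n)          # secret exponentiation
    return (y_blind * pow(r, -1, key.n)) % key.n  # unblind with r^-1


if __name__ == "__main__":
    key = toy_key()
    for _ in range(3):
        r = pick_blinding_factor(key.n)
        print(f"r={r:4d} exponentiation sees {blind(65, key, r):4d}, "
              f"result {secret_op_blinded(65, key, r)} "
              f"(unblinded {secret_op_unblinded(65, key)})")
```

Blinding hides which input the exponent loop processes; it does not hide which key is in use, which is the limitation the commit message notes.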
Werner Koch
b135372176 gpg: Change armor Version header to emit only the major version.
* g10/options.h (opt): Rename field no_version to emit_version.
* g10/gpg.c (main): Init opt.emit_version to 1.  Change --emit-version
to bump up opt.emit_version.
* g10/armor.c (armor_filter): Implement different --emit-version
values.
--

GnuPG-bug-id: 1572
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit e951782e93)

Resolved conflicts:
	NEWS
	g10/armor.c
	g10/gpg.c
2013-11-27 11:00:55 +01:00
Werner Koch
cad8216f9a mpi: mpi-pow improvements
* mpi/mpi-pow.c (USE_ALGORITHM_SIMPLE_EXPONENTIATION): New.
(mul_mod) [!USE_ALGORITHM_SIMPLE_EXPONENTIATION]: New.
(mpi_powm) [!USE_ALGORITHM_SIMPLE_EXPONENTIATION]: New implementation
of left-to-right k-ary exponentiation.
--

This is a backport from Libgcrypt commit
45aa6131e93fac89d46733b3436d960f35fb99b2

    Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>

    For the Yarom/Falkner flush+reload cache side-channel attack, we
    changed the code so that it always calls the multiplication
    routine (even if we could skip it to get the result).  This results in
    some performance regression.

    This change is for recovering performance with an efficient
    algorithm.

Signed-off-by: Werner Koch <wk@gnupg.org>
2013-10-18 10:54:55 +02:00
Werner Koch
0bdf121d1d Print the keyid for key packets with --list-packets.
* g10/parse-packet.c (parse_key): Add keyid printing.
--

This is a backport from GnuPG-2.  Note that the --list-packets command
is for debugging only and not part of the stable API.

Signed-off-by: Werner Koch <wk@gnupg.org>
2013-10-18 10:24:32 +02:00
Werner Koch
9d89564a42 mpi: Fix syntax error for mips64 and gcc < 4.4
* mpi/longlong.h [__mips && gcc < 4.4]: Fix cpp syntax error.
--

GnuPG-bug-id: 1465
2013-10-11 14:11:43 +02:00
Werner Koch
2528178e7e gpg: Do not require a trustdb with --always-trust.
* g10/tdbio.c (tdbio_set_dbname): Add arg R_NOFILE.
* g10/trustdb.c (trustdb_args): Add field no_trustdb.
(init_trustdb): Set that field.
(revalidation_mark):  Take care of a nonexistent trustdb file.
(read_trust_options): Ditto.
(get_ownertrust): Ditto.
(get_min_ownertrust): Ditto.
(update_ownertrust): Ditto.
(update_min_ownertrust): Ditto.
(clear_ownertrusts): Ditto.
(cache_disabled_value): Ditto.
(check_trustdb_stale): Ditto.
(get_validity): Ditto.
* g10/gpg.c (main): Do not create a trustdb with most commands for
trust-model always.
--

This slightly changes the semantics of most commands in that they
won't create a trustdb if --trust-model=always is used.  It just does
not make sense to create a trustdb if there is no need for it.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 1a0eeaacd1)

Resolved conflicts:
	g10/gpg.c
	g10/tdbio.h
	g10/trustdb.c
 (indentation fixes)
2013-10-11 09:35:01 +02:00
Werner Koch
0a10f1f91e Post release updates.
--
2013-10-04 21:29:50 +02:00
Werner Koch
8707657fe6 Release 1.4.15
2013-10-04 21:10:52 +02:00
Werner Koch
ffa1ef4c84 po: Autoupdate due to changed order of strings.
--
2013-10-04 21:03:40 +02:00
Werner Koch
f5c32bd1c6 doc: Update from master.
2013-10-04 21:01:16 +02:00
Werner Koch
4a06d9a600 gpg: Print a "not found" message for an unknown key in --key-edit.
* g10/keyedit.c (keyedit_menu): Print message.
--

GnuPG-bug-id: 1420
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 0bf54e60d3)
2013-10-04 20:59:45 +02:00
Werner Koch
d74dd36c11 gpg: Protect against rogue keyservers sending secret keys.
* g10/options.h (IMPORT_NO_SECKEY): New.
* g10/keyserver.c (keyserver_spawn, keyserver_import_cert): Set new
flag.
* g10/import.c (import_secret_one): Deny import if flag is set.
--

By modifying a keyserver or a DNS record to send a secret key, an
attacker could trick a user into signing using a different key and
user id.  The trust model should protect against such rogue keys but
we better make sure that secret keys are never received from remote
sources.

Suggested-by: Stefan Tomanek
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit e7abed3448)

Resolved conflicts:
	g10/options.h
2013-10-04 20:58:51 +02:00
Daniel Kahn Gillmor
fe0fb5e6b0 gpg: Allow setting of all zero key flags
* g10/keygen.c (do_add_key_flags): Do not check for empty key flags.
(cherry picked from commit b693ec02c4)
(cherry picked from commit dd868acb0d)
2013-10-04 20:54:10 +02:00
Werner Koch
27d0f32f77 gpg: Distinguish between missing and cleared key flags.
* include/cipher.h (PUBKEY_USAGE_NONE): New.
* g10/getkey.c (parse_key_usage): Set new flag.
--

We do not want to use the default capabilities (derived from the
algorithm) if any key flags are given in a signature.  Thus if key
flags are used in any way, the default key capabilities are never
used.

This allows creating a key with key flags set to all zero so it can't
be used.  This better reflects common sense.
(cherry picked from commit 4bde12206c)
(cherry picked from commit 0a805ed160)

Resolved conflicts:
	include/cipher.h
2013-10-04 20:53:51 +02:00
Werner Koch
69088ac76f keyserver: Allow use of cURL's default CA store.
* keyserver/gpgkeys_curl.c (main): Set CURLOPT_CAINFO only if a file
has been given.
* keyserver/gpgkeys_hkp.c (main): Ditto.
--

GnuPG-bug-id: 1542
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit e957b9b3f4)
2013-10-04 20:47:48 +02:00
Werner Koch
f10b184e48 gpg: Limit the nesting level of I/O filters.
* util/iobuf.c (MAX_NESTING_FILTER): New.
(iobuf_push_filter2): Limit the nesting level.
--

This is a more general fix for the nested compression packet bug.  In
particular this helps g10/import.c:read_block to stop pushing
compression filters onto an iobuf stream.

Signed-off-by: Werner Koch <wk@gnupg.org>
2013-10-04 20:45:49 +02:00
Werner Koch
d90a1d2340 gpg: Fix bug with deeply nested compressed packets.
* g10/mainproc.c (MAX_NESTING_DEPTH): New.
(proc_compressed): Return an error code.
(check_nesting): New.
(do_proc_packets): Check packet nesting depth.  Handle errors from
check_compressed.

Signed-off-by: Werner Koch <wk@gnupg.org>
2013-10-02 09:29:47 +02:00
Werner Koch
9dc6dd0572 Fix bug in mpi_tdiv_q_2exp.
* mpi/mpi-internal.h (MPN_COPY_INCR): Make it work.
--

This bug has been with us since the version 0.0.0 of GnuPG.
Fortunately it only affects an optimized code path which is rarely
used in practice: If the shift size matches the size of a
limb (i.e. 32 or 64); this is is_prime in primegen.c.  Over there the
Rabin-Miller test may fail with a probability of 2^-31 (that is, if the
prime to be tested minus 1 has the low 32 bits cleared).  In practice the
probability is even much less because we first do a Fermat test on the
randomly generated candidates which sorts out the majority of
composite numbers.

The bug in MPN_COPY_INCR was found by Sven Bjorn.

Signed-off-by: Werner Koch <wk@gnupg.org>

(back ported from Libgcrypt
 commit 7f7a5ef59962ae1a819b5060f9b781469bfe27d5)
2013-09-16 15:57:01 +02:00
Werner Koch
45efde9557 mpicalc: Change copyright notice.
--

Except for a minor change by David Shaw, all code has been written by
me.  After termination of my copyright assignment, I change that
notice to reflect the new legal state.

Signed-off-by: Werner Koch <wk@gnupg.org>
2013-09-04 15:25:50 +02:00
Werner Koch
6ed7056197 gpg: Use 2048 as the default keysize in batch mode.
* g10/keygen.c (gen_elg, gen_dsa, gen_rsa): Set default keysize to
2048.

Signed-off-by: Werner Koch <wk@gnupg.org>
2013-08-30 10:19:14 +02:00
Werner Koch
a1a59e6a53 gpg: No need to create a trustdb when encrypting with --always-trust.
* g10/gpg.c (main): Special case setup_trustdb for --encrypt.
--

(back ported from commit 498b9a95dc)

Signed-off-by: Werner Koch <wk@gnupg.org>
2013-08-02 09:17:52 +02:00
Werner Koch
6f634b0e08 Post release updates.
--
2013-07-25 11:00:04 +02:00
Werner Koch
fb5c9deaa5 Release 1.4.14.
2013-07-25 10:44:26 +02:00
Werner Koch
a0ee4fc730 Autoupdate a translation.
--
2013-07-25 10:44:22 +02:00
Jedi Lin
beb6a51df7 Update Chinese translation.
2013-07-25 10:37:41 +02:00
Werner Koch
439999da11 Update to modern beta release numbering scheme.
* configure.ac: s/my_/mym4_/.  Add new release building code.
2013-07-25 10:37:41 +02:00
Werner Koch
801803ab6e Prepare for a forthcoming new algorithm id.
* include/cipher.h (PUBKEY_ALGO_ECC): New.
* g10/keyid.c (pubkey_letter): Add letter 'C'.
--

ID 22 will be used for generic ECC, i.e. one which can be used for
ECDSA and ECDH.  The only support in 1.4 will be pretty printing the
algorithm id.
2013-07-25 10:37:41 +02:00
Werner Koch
35646689f4 Mitigate a flush+reload cache attack on RSA secret exponents.
* mpi/mpi-pow.c (mpi_powm): Always perform the mpi_mul for exponents
held in secure memory.
--

The attack is described in a paper to be published at eprint.iacr.org:

Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel
Attack by Yuval Yarom and Katrina Falkner. 18 July 2013.

  Flush+Reload is a cache side-channel attack that monitors access to
  data in shared pages. In this paper we demonstrate how to use the
  attack to extract private encryption keys from GnuPG.  The high
  resolution and low noise of the Flush+Reload attack enables a spy
  program to recover over 98% of the bits of the private key in a
  single decryption or signing round. Unlike previous attacks, the
  attack targets the last level L3 cache. Consequently, the spy
  program and the victim do not need to share the execution core of
  the CPU. The attack is not limited to a traditional OS and can be
  used in a virtualised environment, where it can attack programs
  executing in a different VM.

Signed-off-by: Werner Koch <wk@gnupg.org>
2013-07-25 10:37:40 +02:00
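An added illustration of the trade-off behind this commit and the later mpi-pow backport (cad8216f9a): the square-and-multiply loop that skips the multiply on zero bits leaks the exponent through which routine is executed, always performing the multiply removes that dependency at a cost, and left-to-right k-ary exponentiation recovers the speed. This is constructed plain-Python code written for this page, not GnuPG's mpi-pow.c or Libgcrypt's implementation; the window handling is the textbook fixed-window form, and the operation counters are there only to make the cost visible.

```python
"""Three ways to compute base^exp mod m, counting modular multiplications.

Constructed illustration, not GnuPG's mpi-pow.c."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class OpCount:
    squarings: int = 0
    multiplies: int = 0


def _bits_msb_first(exp: int) -> List[int]:
    return [(exp >> i) & 1 for i in range(exp.bit_length() - 1, -1, -1)]


def powm_binary_skip(base: int, exp: int, mod: int,
                     ops: Optional[OpCount] = None) -> Tuple[int, OpCount]:
    """Square-and-multiply that skips the multiply on 0 bits.  The sequence
    of squarings and multiplies mirrors the exponent bits, which is exactly
    what a cache probe on the multiply routine can observe."""
    ops = ops if ops is not None else OpCount()
    result = 1
    for bit in _bits_msb_first(exp):
        result = result * result % mod; ops.squarings += 1
        if bit:
            result = result * base % mod; ops.multiplies += 1
    return result, ops


def powm_binary_always(base: int, exp: int, mod: int,
                       ops: Optional[OpCount] = None) -> Tuple[int, OpCount]:
    """The mitigation in this commit: multiply on every bit and only select
    whether to keep the product, so the operation sequence no longer
    depends on the exponent.  (Real code must also make the selection
    branch-free; this illustration only fixes the operation sequence.)"""
    ops = ops if ops is not None else OpCount()
    result = 1
    for bit in _bits_msb_first(exp):
        result = result * result % mod; ops.squarings += 1
        candidate = result * base % mod; ops.multiplies += 1
        result = candidate if bit else result
    return result, ops


def powm_kary(base: int, exp: int, mod: int, k: int = 4,
              ops: Optional[OpCount] = None) -> Tuple[int, OpCount]:
    """Left-to-right fixed-window (k-ary) exponentiation: precompute
    base^0 .. base^(2^k - 1), then per k-bit window do k squarings and one
    table multiply.  Every window multiplies (a zero window hits table[0]
    == 1), so the sequence stays exponent-independent while needing one
    multiply per k bits instead of one per bit."""
    ops = ops if ops is not None else OpCount()
    table = [1, base % mod]
    for _ in range(2, 1 << k):
        table.append(table[-1] * base % mod); ops.multiplies += 1
    nwin = max(1, -(-exp.bit_length() // k))  # ceil(bits / k)
    result = 1
    for w in range(nwin - 1, -1, -1):
        for _ in range(k):
            result = result * result % mod; ops.squarings += 1
        window = (exp >> (w * k)) & ((1 << k) - 1)
        result = result * table[window] % mod; ops.multiplies += 1
    return result, ops


if __name__ == "__main__":
    # Constructed 2048-bit exponent and odd modulus, just to show the counts.
    e, m = (1 << 2047) | 12345, (1 << 2048) - 159
    for name, fn in (("skip", powm_binary_skip),
                     ("always", powm_binary_always),
                     ("k-ary", powm_kary)):
        _, c = fn(3, e, m)
        print(f"{name:7s} squarings={c.squarings} multiplies={c.multiplies}")
```

For a 2048-bit exponent the always-multiply loop does 2048 multiplies where the skipping loop did roughly half that, and the 4-bit window brings it down to 512 plus the 14 table entries. Note that the table lookup itself is now indexed by secret exponent bits, a data-dependent memory access that a real implementation has to protect as well.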
Werner Koch
fd86f30311 Fix git revision parsing.
* configure.ac: Use git rev-parse to retrieve the revision.

Signed-off-by: Werner Koch <wk@gnupg.org>
2013-07-25 10:37:40 +02:00
NIIBE Yutaka
f61d8fa5a7 gpg: fix previous change
* g10/gpgv.c: Fix void dotlock_remove_lockfiles.
2013-07-16 09:21:54 +09:00
NIIBE Yutaka
212a325d42 gpg: signal handling fix
* include/dotlock.h (dotlock_remove_lockfiles_reclaim): New.
  (dotlock_destroy, dotlock_remove_lockfiles): Add a flag to reclaim
  memory or not.
* util/dotlock.c (dotlock_create): Use
  dotlock_remove_lockfiles_reclaim for atexit.
  (dotlock_destroy_unix, dotlock_destroy)
  (dotlock_remove_lockfiles): Add a reclaim flag.
  (dotlock_remove_lockfiles_reclaim): New.
* g10/signal.c (got_fatal_signal): Disable flag of reclaim memory to
  avoid a non-async-signal-safe call.
* g10/keydb.c (maybe_create_keyring): Follow the API change.
* g10/gpgv.c: Follow the API change.

--

The signal handler got_fatal_signal should not call non-async-signal-safe
functions.  When malloc is interrupted by a signal, it screws up.

This issue was reported at:
https://bugs.g10code.com/gnupg/issue1515
http://bugs.debian.org/399904
2013-07-12 17:26:55 +09:00
David Shaw
6f0ec6ab48 Differentiate between success (full or partial), not-found, and failure.
* keyserver/gpgkeys_hkp.c (get_key): Use curl_easy_getinfo to get the
  HTTP status code so we can tell the difference between a successful
  retrieval, a partial retrieval, a not-found, or a server failed.
2013-03-02 20:39:48 -05:00
David Shaw
ca0b94d4d4 Emulate curl_easy_getinfo and CURLINFO_RESPONSE_CODE in curl-shim.
* keyserver/curl-shim.h, keyserver/curl-shim.c (curl_easy_getinfo):
  New. Return the HTTP status code for the last transfer.
2013-03-02 20:39:22 -05:00
David Shaw
1edc1b3751 Fix DNS check for recent OS X releases
* configure.ac: OS X now needs BIND_8_COMPAT and -lresolv
2013-01-29 20:31:01 -05:00
Werner Koch
b4d4acf491 Automake 1.13 compatibility fix.
* configure.ac: s/AM_CONFIG_HEADER/AC_CONFIG_HEADERS/.
--
GnuPG-bug-id: 1459
2013-01-11 15:42:32 +01:00
Werner Koch
37f1a42744 Fix idea.c for big endian CPUs.
* cipher/idea.c: Replace use of WORDS_BIGENDIAN by BIG_ENDIAN_HOST.
--
GnuPG-bug-id: 1461
2013-01-11 15:10:38 +01:00
Christian Aistleitner
ff5cfadc2c Fix honoring --cert-digest-algo when recreating a cert
* g10/sign.c (update_keysig_packet): Override original signature's
digest algo in hashed data.
2013-01-11 13:33:44 +01:00
Werner Koch
faf2174979 Post release updates
--
2012-12-20 21:25:07 +01:00
Werner Koch
0bd168bf8e Release 1.4.13.
2012-12-20 20:30:15 +01:00
Werner Koch
2812ab7d6a Last fix for the SRV record patches.
* keyserver/gpgkeys_hkp.c (srv_replace): Make sure SRVCOUNT is
always initialized.
--

See commit 5c557a51.
2012-12-20 20:29:53 +01:00
Werner Koch
65d6da865c Update manuals from master
* doc/Makefile.am (update-source): Copy from Git master.
(update-source-from-gnupg-2): Remove.
* doc/gpg.texi: Fix minor typos and grammar bugs.
* doc/yat2m.c: Change diagnostics to updated coding standards.
2012-12-20 20:12:50 +01:00
Werner Koch
cb5f640420 Update config.{guess,sub} to version 2012-07-31.
* scripts/config.guess, scripts/config.sub: Update.
2012-12-20 19:53:58 +01:00
Joe Hansen
f464a3d3a8 po: Update Danish translation.
* po/da.po: Update.
2012-12-20 19:07:08 +01:00
Werner Koch
3cccf09d65 po: Update zh_TW.po.
--

Applied changes from Jedi Lin as received in May and fixed fuzzies due
to English typo corrections.
2012-12-20 18:36:27 +01:00
Werner Koch
3a4b96e665 gpg: Suppress "public key already present" in quiet mode.
* g10/pkclist.c (build_pk_list): Print two diagnostics only in
non-quiet mode.
--

(back-ported from commit 8325d61659)
2012-12-20 09:44:09 +01:00
Werner Koch
f795a0d59e Import only packets which are allowed in a keyblock.
* g10/import.c (valid_keyblock_packet): New.
(read_block): Store only valid packets.
--

A corrupted key, which for example included a mangled public key
encrypted packet, used to corrupt the keyring.  This change skips all
packets which are not allowed in a keyblock.

GnuPG-bug-id: 1455
2012-12-20 09:43:41 +01:00
David Shaw
5c557a51cd Issue 1447: Pass proper Host header and SNI when SRV is used with curl.
* configure.ac: Check for inet_ntop.

* m4/libcurl.m4: Provide a #define for the version of the curl
  library.

* keyserver/gpgkeys_hkp.c (main, srv_replace): Call getaddrinfo() on
  each target.  Once we find one that resolves to an address (whether
  IPv4 or IPv6), pass it into libcurl via CURLOPT_RESOLVE using the
  SRV name as the "host".  Force the HTTP Host header to be the same.

Backported from 6b1f71055e

* keyserver/gpgkeys_hkp.c (main): Only default try-dns-srv to on if we
  have SRV support in the first place.

Backported from 732f3d1d47
2012-12-19 13:54:27 -05:00
David Shaw
6c3a76cca0 Part of issue 1447: Pass proper Host header when SRV is used.
* common/http.c (send_request, connect_server): Set proper Host header
  (no :port, host is that of the SRV) when SRV is used in the
  curl-shim.

Backported from cbe98b2cb1
2012-12-19 11:43:28 -05:00
Werner Koch
3d56d486e1 Remove trailing white space from some files
--
2012-12-19 14:05:56 +01:00
Werner Koch
550983f8fb Adjust to GNU coding standards
--

A variable definition with initialization shall have only one variable
per type.
2012-12-19 14:03:25 +01:00