-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | THANKS | 1 | ||||
-rw-r--r-- | cipher/ChangeLog | 9 | ||||
-rw-r--r-- | cipher/pubkey.c | 8 | ||||
-rw-r--r-- | cipher/random.c | 6 | ||||
-rw-r--r-- | cipher/sha256.c | 2 | ||||
-rw-r--r-- | doc/ChangeLog | 10 | ||||
-rw-r--r-- | doc/gcrypt.texi | 59 |
8 files changed, 68 insertions, 29 deletions
@@ -1,6 +1,8 @@ Noteworthy changes in version 1.4.1 ------------------------------------------------ + * Fixed a bug introduced by 1.3.1 led to the comsumption of far too + much entropy for the intial seeding. Noteworthy changes in version 1.4.0 (2007-12-10) @@ -27,6 +27,7 @@ Detlef Lannert lannert@lannert.rz.uni-duesseldorf.de Dirk Lattermann dlatt@t-online.de Dirk Stoecker gcrypt@dstoecker.de Ed Boraas ecxjo@esperanto.org +Elie De Brauwer elie@de-brauwer.be Enzo Michelangeli em@MailAndNews.com Ernst Molitor ernst.molitor@uni-bonn.de Fabio Coatti cova@felix.unife.it diff --git a/cipher/ChangeLog b/cipher/ChangeLog index e8cd0a1a..3dec8a95 100644 --- a/cipher/ChangeLog +++ b/cipher/ChangeLog @@ -1,3 +1,12 @@ +2008-01-08 Werner Koch <wk@g10code.com> + + * random.c (add_randomness): Do not just increment + POOL_FILLED_COUNTER but update it by the actual amount of data. + +2007-12-13 Werner Koch <wk@g10code.com> + + * pubkey.c (sexp_data_to_mpi): Support SHA-224. + 2007-12-05 Werner Koch <wk@g10code.com> * rijndael.c (USE_PADLOCK): Depend on ENABLE_PADLOCK_SUPPORT. diff --git a/cipher/pubkey.c b/cipher/pubkey.c index fc57b40a..5a39f3e7 100644 --- a/cipher/pubkey.c +++ b/cipher/pubkey.c @@ -1097,7 +1097,7 @@ sexp_to_sig (gcry_sexp_t sexp, gcry_mpi_t **retarray, * Take sexp and return an array of MPI as used for our internal decrypt * function. * s_data = (enc-val - * [(flags [pkcs1]) + * [(flags [pkcs1])] * (<algo> * (<param_name1> <mpi>) * ... @@ -1403,6 +1403,7 @@ sexp_data_to_mpi (gcry_sexp_t input, unsigned int nbits, gcry_mpi_t *ret_mpi, { "rmd160", GCRY_MD_RMD160 }, { "sha384", GCRY_MD_SHA384 }, { "sha512", GCRY_MD_SHA512 }, + { "sha224", GCRY_MD_SHA224 }, { "md2", GCRY_MD_MD2 }, { "md4", GCRY_MD_MD4 }, { "tiger", GCRY_MD_TIGER }, 
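Review bot: The new `{ "sha224", GCRY_MD_SHA224 }` entry lets sexp_data_to_mpi accept "sha224" as a hash name, but whether the PKCS#1 encoding path this table feeds also carries a DER prefix for SHA-224 is not visible in this hunk; that should be confirmed, since a name accepted here without a matching ASN.1 entry would presumably fail later rather than at parse time. As a point of style, placing the entry beside `{ "sha384", GCRY_MD_SHA384 }` rather than between "sha512" and "md2" would keep the table grouped by hash family. sexp_data_to_mpi begins and ends outside the hunk.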
@@ -1764,7 +1765,10 @@ gcry_pk_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t s_skey) (<algo> (<param_name1> <mpi>) ... - (<param_namen> <mpi>))) + (<param_namen> <mpi>)) + [(hash algo)]) + + Note that (hash algo) in R_SIG is not used. */ gcry_error_t gcry_pk_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_hash, gcry_sexp_t s_skey) diff --git a/cipher/random.c b/cipher/random.c index c5469805..f145116f 100644 --- a/cipher/random.c +++ b/cipher/random.c @@ -1115,6 +1115,7 @@ static void add_randomness (const void *buffer, size_t length, enum random_origins origin) { const unsigned char *p = buffer; + size_t count = 0; assert (pool_is_locked); @@ -1123,6 +1124,7 @@ add_randomness (const void *buffer, size_t length, enum random_origins origin) while (length-- ) { rndpool[pool_writepos++] ^= *p++; + count++; if (pool_writepos >= POOLSIZE ) { /* It is possible that we are invoked before the pool is @@ -1132,7 +1134,9 @@ add_randomness (const void *buffer, size_t length, enum random_origins origin) separately. See also the remarks about the seed file. */ if (origin >= RANDOM_ORIGIN_SLOWPOLL && !pool_filled) { - if (++pool_filled_counter >= POOLSIZE) + pool_filled_counter += count; + count = 0; + if (pool_filled_counter >= POOLSIZE) pool_filled = 1; } pool_writepos = 0; diff --git a/cipher/sha256.c b/cipher/sha256.c index 9d47b837..bc439c3d 100644 --- a/cipher/sha256.c +++ b/cipher/sha256.c @@ -333,7 +333,7 @@ static byte asn256[19] = /* Object ID is 2.16.840.1.101.3.4.2.1 */ static gcry_md_oid_spec_t oid_spec_sha256[] = { - /* According to the OpenPGG draft rfc2440-bis06 */ + /* According to the OpenPGP draft rfc2440-bis06 */ { "2.16.840.1.101.3.4.2.1" }, /* PKCS#1 sha256WithRSAEncryption */ { "1.2.840.113549.1.1.11" }, diff --git a/doc/ChangeLog b/doc/ChangeLog index ad3644e0..b9cb198d 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog 
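Review bot: `count` is a per-call local that is only folded into `pool_filled_counter` when `pool_writepos` wraps, so the bytes written after the last wrap in a call (and every byte of a call that never wraps) are never credited, because the function returns with `count` still holding them. This is conservative — it can only delay setting `pool_filled`, never set it early — which is the safe direction for the initial-seeding check, but nothing in the hunk says whether the undercount is intended. A comment next to `count = 0;` such as `/* Bytes added after the last wrap of this call are not credited to pool_filled_counter; this only delays pool_filled.  */` would record the intent, or, if all slow-poll bytes should count, the accumulation would have to move out of the wrap branch while keeping the origin check. Of the three random.c hunks only this one changes behaviour; the first two declare and increment `count`. add_randomness's body continues past the end of this hunk.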
@@ -1,3 +1,13 @@ +2008-01-04 Werner Koch <wk@g10code.com> + + * gcrypt.texi (Controlling the library): Add remark that the + theoritical attack on a seed file is not feasible under Linux. + +2007-12-11 Werner Koch <wk@g10code.com> + + * gcrypt.texi: Various minor corrections as reported by Elie De + Brauer more than a year ago. + 2007-06-15 Werner Koch <wk@g10code.com> * gcrypt.texi (Controlling the library): Clarified the use of diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi index 0cb78750..b6d36214 100644 --- a/doc/gcrypt.texi +++ b/doc/gcrypt.texi @@ -563,7 +563,13 @@ This command disables the use of secure memory and drops the priviliges of the current process. FIXME. @item GCRYCTL_DISABLE_SECMEM -This command disables the use of secure memory. FIXME. +This command disables the use of secure memory. + +Many applications do not require secure memory, so they should disable +it right away. There won't be a problem if not disabling it unless one +makes use of a feature which requires secure memory - in that case the +process will abort because the secmem is not initialized. + @item GCRYCTL_INIT_SECMEM @item GCRYCTL_TERM_SECMEM 
@@ -596,13 +602,16 @@ pool and then race for updating it (the last update overwrites earlier updates). They will differentiate only by the weak entropy that is added in read_seed_file based on the PID and clock, and up to 16 bytes of weak random non-blockingly. The consequence is that the output of -these different instances is correlated to some extent. In the perfect -scenario, the attacker can control (or at least guess) the PID and clock -of the application, and drain the system's entropy pool to reduce the -"up to 16 bytes" above to 0. Then the dependencies of the inital states -of the pools are completely known. Note that this is not an issue if -random of @code{GCRY_VERY_STRONG_RANDOM} quality is requested as in this -case enough extra entropy gets mixed. +these different instances is correlated to some extent. In a perfect +attack scenario, the attacker can control (or at least guess) the PID +and clock of the application, and drain the system's entropy pool to +reduce the "up to 16 bytes" above to 0. Then the dependencies of the +inital states of the pools are completely known. Note that this is not +an issue if random of @code{GCRY_VERY_STRONG_RANDOM} quality is +requested as in this case enough extra entropy gets mixed. It is also +not an issue when using Linux (rndlinux driver), because this one +guarantees to read full 16 bytes from /dev/urandom and thus there is no +way for an attacker without kernel access to conrol these 16 bytes. @item GCRYCTL_SET_VERBOSITY 
@@ -2178,10 +2187,10 @@ interface allows to add more algorithms in the future. @node Used S-expressions @section Used S-expressions -Libgcrypt's API for asymmetric cryptography is based on data -structures called S-expressions (see XXXX) and does not work with -contexts as most of the other building blocks of Libgcrypt -do. +Libgcrypt's API for asymmetric cryptography is based on data structures +called S-expressions (see +@uref{http://people.csail.mit.edu/@/rivest/@/sexp.html}) and does not work +with contexts as most of the other building blocks of Libgcrypt do. The following information are stored in S-expressions: @@ -3095,9 +3104,9 @@ Destroys the data set @var{data}. @deftypefun gcry_error_t gcry_ac_data_set (gcry_ac_data_t @var{data}, unsigned int @var{flags}, char *@var{name}, gcry_mpi_t @var{mpi}) Add the value @var{mpi} to @var{data} with the label @var{name}. If -@var{flags} contains GCRY_AC_FLAG_DATA_COPY, the data set will contain +@var{flags} contains GCRY_AC_FLAG_COPY, the data set will contain copies of @var{name} and @var{mpi}. If @var{flags} contains -GCRY_AC_FLAG_DATA_DEALLOC or GCRY_AC_FLAG_DATA_COPY, the values +GCRY_AC_FLAG_DEALLOC or GCRY_AC_FLAG_COPY, the values contained in the data set will be deallocated when they are to be removed from the data set. @end deftypefun 
@@ -3241,10 +3250,10 @@ Creates a new handle for the algorithm @var{algorithm} and stores it in @var{handle}. @var{flags} is not used currently. @var{algorithm} must be a valid algorithm ID, see @xref{Available -algorithms}, for a list of supported algorithms and the according -constants. Besides using the listed constants directly, the functions -@code{gcry_pk_name_to_id} may be used to convert the textual name of -an algorithm into the according numeric ID. +asymmetric algorithms}, for a list of supported algorithms and the +according constants. Besides using the listed constants directly, the +functions @code{gcry_pk_name_to_id} may be used to convert the textual +name of an algorithm into the according numeric ID. @end deftypefun @deftypefun void gcry_ac_close (gcry_ac_handle_t @var{handle}) @@ -3258,9 +3267,9 @@ Destroys the handle @var{handle}. Defined constants: @table @code -@item GCRY_AC_KEY_TYPE_SECRET +@item GCRY_AC_KEY_SECRET Specifies a secret key. -@item GCRY_AC_KEY_TYPE_PUBLIC +@item GCRY_AC_KEY_PUBLIC Specifies a public key. @end table @end deftp @@ -3320,15 +3329,15 @@ Example code: @example @{ gcry_ac_key_pair_t key_pair; - gcry_ac_key_spec_rsa_t rsa_spec; + gcry_ac_key_spec_rsa_t rsa_spec; rsa_spec.e = gcry_mpi_new (0); - gcry_mpi_set_ui (rsa_spec.e, 1) + gcry_mpi_set_ui (rsa_spec.e, 1); err = gcry_ac_open (&handle, GCRY_AC_RSA, 0); assert (! err); - err = gcry_ac_key_pair_generate (handle, &key_pair, 1024, (void *) &rsa_spec); + err = gcry_ac_key_pair_generate (handle, 1024, &rsa_spec, &key_pair, NULL); assert (! err); @} @end example 
@@ -3394,7 +3403,7 @@ through schemes. What follows is a description of the cryptographic primitives. -@deftypefun gcry_error_t gcry_ac_data_encrypt (gcry_ac_handle_t @var{handle}, unsigned int @var{flags}, gcry_ac_key_t @var{key}, gcry_mpi_t @var{data_plain}, gcry_ac_data_t **@var{data_encrypted}) +@deftypefun gcry_error_t gcry_ac_data_encrypt (gcry_ac_handle_t @var{handle}, unsigned int @var{flags}, gcry_ac_key_t @var{key}, gcry_mpi_t @var{data_plain}, gcry_ac_data_t *@var{data_encrypted}) Encrypts the plain text MPI value @var{data_plain} with the key public @var{key} under the control of the flags @var{flags} and stores the resulting data set into @var{data_encrypted}. @@ -3964,7 +3973,7 @@ representation of an MPI and the internal one of Libgcrypt. Convert the external representation of an integer stored in @var{buffer} with a length of @var{buflen} into a newly created MPI returned which will be stored at the address of @var{r_mpi}. For certain formats the -length argument is not required and may be passed as @code{0}. After a +length argument is not required and should be passed as @code{0}. After a successful operation the variable @var{nscanned} receives the number of bytes actually scanned unless @var{nscanned} was given as @code{NULL}. @var{format} describes the format of the MPI as stored in |