diff options
Diffstat (limited to 'app-crypt/gnupg')
-rw-r--r-- | app-crypt/gnupg/files/gnupg-1.2.3-disable-elgamal.diff | 353 | ||||
-rw-r--r-- | app-crypt/gnupg/files/gnupg-1.2.3-hkp-format-string.diff | 30 |
2 files changed, 0 insertions, 383 deletions
diff --git a/app-crypt/gnupg/files/gnupg-1.2.3-disable-elgamal.diff b/app-crypt/gnupg/files/gnupg-1.2.3-disable-elgamal.diff deleted file mode 100644 index d0053bea601c..000000000000 --- a/app-crypt/gnupg/files/gnupg-1.2.3-disable-elgamal.diff +++ /dev/null @@ -1,353 +0,0 @@ -From: wk@gnupg.org (Werner Koch) -Newsgroups: mailing.unix.bugtraq -Subject: GnuPG's ElGamal signing keys compromised -Date: Thu, 27 Nov 2003 18:31:32 +0000 (UTC) -Organization: NCTU CSIE FreeBSD Server -Lines: 338 -Sender: nobody@FreeBSD.csie.NCTU.edu.tw -Message-ID: <bq5fu4$65h$1@FreeBSD.csie.NCTU.edu.tw> -NNTP-Posting-Host: freebsd.csie.nctu.edu.tw -X-Trace: FreeBSD.csie.NCTU.edu.tw 1069957892 6322 140.113.17.209 (27 Nov 2003 18:31:32 GMT) -X-Complaints-To: usenet@FreeBSD.csie.NCTU.edu.tw -NNTP-Posting-Date: Thu, 27 Nov 2003 18:31:32 +0000 (UTC) - - - ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA1 - - GnuPG's ElGamal signing keys compromised - ========================================== - -Summary -======= - -Phong Nguyen identified a severe bug in the way GnuPG creates and uses -ElGamal keys for signing. This is a significant security failure -which can lead to a compromise of almost all ElGamal keys used for -signing. Note that this is a real world vulnerability which will -reveal your private key within a few seconds. - -Please *take immediate action and revoke your ElGamal signing keys*. -Furthermore you should take whatever measures necessary to limit the -damage done for signed or encrypted documents using that key. - -Please do not send private mail in response to this message as I won't -have the time to catch up with all the messages. The mailing list -gnupg-users@gnupg.org is the best place to discuss this problem -(please subscribe first so you don't need moderator approval [2]). - -Note that the standard keys as generated by GnuPG (DSA and ElGamal -encryption) as well as RSA keys are NOT vulnerable. Note also that -ElGamal signing keys cannot be generated without the use of a special -flag to enable hidden options and even then overriding a warning -message about this key type. See below for details on how to identify -vulnerable keys. - -This message is signed using the usual GnuPG distribution key[1]. I -apologize for this severe bug and all the problems resulting from it. - - -Background: -=========== - -For historic reasons [3], GnuPG permits creating ElGamal keys which -are usable for both encryption and signing. It is even possible to -have one key (the primary one) used for both operations. This is not -considered good cryptographic practice, but is permitted by the -OpenPGP standard. - -It was not anticipated that these keys would still be used for signing -because they have several disadvantages: The signature is much larger -than a RSA or DSA signature, verification and creation takes far -longer and the use of ElGamal for signing has always been problematic -due to a couple of cryptographic weaknesses when not done properly. -Thus I have always dissuaded people from using ElGamal keys for -signing; however they are still used and about 200 keys per year are -generated and uploaded to the keyservers. - -In January 2000, as part of version 1.0.2, the GnuPG code was changed -to create ElGamal keys which work more efficiently for encryption -(selecting a smaller x secret exponent and using a smaller k for -encryption). While making this change the problem with signing keys -was accidentally introduced: the same small k for encryption was also -used for signing. This can be used for a cryptographic attack to -reveal the private key (i.e. the secret exponent x) if a signature -made using that key is available. Such a signature is always -available for primary ElGamal keys because signatures created with -that key are used to bind the user ID and other material to the -primary key (self-signatures). Even if the key was never used for -signing documents it should be considered compromised. - -Note that this weakness does not apply to the far more common -encrypt-only (type 16) ElGamal key as GnuPG does not permit signatures -to be issued by this key type. Only the ElGamal sign+encrypt key -(type 20) is affected and then only when used to make a signature with -a GnuPG version 1.0.2 or later. - - -Impact: -======= - -All ElGamal sign+encrypt keys (type 20) generated with GnuPG 1.0.2 or -later must be considered compromised. Keys generated and used only -with prior versions might still be safe but should ideally be revoked -too. Note that even if an ElGamal sign+encrypt key was generated -before GnuPG 1.0.2, using that key in GnuPG 1.0.2 or later to issue -signatures will still compromise the key. - -Again, ElGamal encrypt-only keys (type 16) from any version of GnuPG -are *not* affected. - - -Solution: -========= - -Do not use *ElGamal sign+encrypt keys (type 20)*. Revoke all those -keys immediately. Consider all material signed or encrypted with such -a key as compromised. - -Forthcoming GnuPG versions will remove the ability to create such keys -and the ability create ElGamal signatures. - - -How to detect ElGamal type 20 keys: -=================================== - -We have to distinguish between two cases: The primary key is ElGamal -sign+encrypt versus just a subkey is ElGamal sign+encrypt. - -The first case requires immediate attention, like this one: - - $ gpg --list-keys xxxxxxxx - pub 2048G/xxxxxxxx 2001-xx-xx Mallory <mallory@example.net> - -such a key might be followed with additional "uid", "sig" or "sub" -lines. Here an ElGamal sign+encrypt key is used and very likely -created with GnuPG >= 1.0.2. The capital letter "G" indicates a -ElGamal sign+encrypt key. REVOKE such a key immediately. - -The second case is about subkeys. Here is an example: - - $ gpg --list-keys 621CC013 - pub 1024D/621CC013 1998-07-07 Werner Koch <wk@gnupg.org> - uid Werner Koch <werner.koch@guug.de> - uid Werner Koch <wk@g10code.com> - sub 1536g/ADF6A6E1 1999-02-20 [expires: 2002-11-01] - sub 1536G/B5A18FF4 1998-07-07 [expires: 2002-07-06] - sub 1536R/23D2A63D 2002-07-30 [expires: 2003-12-31] - -This my usual working key, which is a standard GnuPG key with some -additional subkeys added over time. It is a good example because one -subkey was created as type 20 signing and encrypt ElGamal key. It is -the second subkey: - - sub 1536G/B5A18FF4 1998-07-07 [expires: 2002-07-06] - -The capital letter "G" denotes such an possible compromised subkey -whereas the first subkey: - - sub 1536g/ADF6A6E1 1999-02-20 [expires: 2002-11-01] - -is a standard encryption-only subkey as indicated by the small letter -"g". That key is not affected. - -The keys denoted with this capital letter "G" should be REVOKED unless -you are definitely sure those subkeys were never used to create a -signatures with GnuPG >= 1.0.2. - - -How to revoke a key: -==================== - -To create a revocation certificate for the entire key (primary and -all subkeys), you do: - - gpg --gen-revoke your_keyid >foo.rev - -If you have lost access to your passphrase, hopefully you have a -pre-manufactured revocation certificate (either on a floppy or printed -on a sheet of paper) which you may the use instead of the above -command. - -This revocation certificate should then be imported into -GnuPG using: - - gpg --import <foo.rev - -now export your key to a file and distribute it to the keyservers. - - gpg --export -a your_keyid >mykey.asc - - gpg --keyserver subkeys.pgp.net --send-keys your_keyid - - -If your primary key is not an ElGamal key, you might need to revoke a -subkey. Note again that only type 20 ElGamal keys (denoted by a -capital letter "G") require revocation - the standard ElGamal -encrypt-only key (small g) is perfectly fine. Use gpg's edit command -like this: - - $ gpg --edit-key xyzxyzxy - -The key listing will be shown. Select the subkey you want to revoke, -using the command "key 2" (or whatever subkey it is) and then enter -the command "revkey" and follow the prompts. Continue then with an -export as described above. - - -How many keys are affected? -=========================== - -I can't tell for sure. According to the keyserver statistics, there -are 848 primary ElGamal signing keys which are affected. These are a -mere 0.04 percent of all primary keys on the keyservers. There are -324 vulnerable subkeys on the keyservers, too. - -Some of the subkeys might have never been used for signing because for -some time in the past GnuPG created the encryption subkey as type 20 -but didn't used it for signing because the DSA primary key was used -instead. It is better to revoke such keys nevertheless. - -Note again that the standard configuration of GnuPG does not allow -creating the vulnerable sign+encrypt ElGamal keys and that neither DSA -(type 17), RSA (type 1) nor ElGamal encrypt-only keys (type 16) are -affected. - - -Thanks -====== - -Phong Nguyen [4] analyzed the implementation of GnuPG's cryptographic -parts and found this vulnerability. He also developed actual code to -mount the attack and was so kind to give me enough time to have a look -at his paper and to gather a list of known type 20 keys owners. - - -I am really sorry for this, - - Werner - - -[1] To get a fresh key you might want to consult the keyservers or get - it from using "finger wk@g10code.com" or "finger dd9jn@gnu.org". -[2] See http://lists.gnupg.org/mailman/listinfo/gnupg-users . -[3] The patent status of DSA was not clear when I started to write - GnuPG back in 1997. -[4] Working at the French National Center for Scientific Research and - the Ecole normale superieure: http://www.di.ens.fr/~pnguyen/ . ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.2.3 (GNU/Linux) - -iD8DBQE/xavwaLeriVdUjc0RAquhAJ9crSJ2j8EbqaAnbJGoXBsgERPLaACePwcP -70laYWsyhXkzVgqL2X4ELVk= -=xGWG ------END PGP SIGNATURE----- - - - ---=-=-= -Content-Type: text/x-patch -Content-Disposition: attachment; filename=elgamal.patch - ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA1 -NotDashEscaped: You need GnuPG to verify this message - -Hi, - -David Shaw wrote a patch against GnuPG 1.2.3 to disable the ability to -create signatures using the ElGamal sign+encrypt (type 20) keys as -well as to remove the option to create such keys. - -This patch will go into the next release; if you feel better with -those flawed features disabled, you may want to apply this patch. - - -Thanks, - - Werner - - -Index: getkey.c -=================================================================== -RCS file: /cvs/gnupg/gnupg/g10/getkey.c,v -retrieving revision 1.78.2.20 -diff -u -r1.78.2.20 getkey.c ---- getkey.c 21 Jul 2003 14:55:00 -0000 1.78.2.20 -+++ getkey.c 27 Nov 2003 00:32:30 -0000 -@@ -1655,6 +1655,11 @@ - if ( x ) /* mask it down to the actual allowed usage */ - key_usage &= x; - } -+ -+ /* Type 20 Elgamal keys are not usable. */ -+ if(pk->pubkey_algo==PUBKEY_ALGO_ELGAMAL) -+ key_usage=0; -+ - pk->pubkey_usage = key_usage; - - if ( !key_expire_seen ) { -@@ -1869,6 +1874,13 @@ - if ( x ) /* mask it down to the actual allowed usage */ - key_usage &= x; - } -+ -+ /* Type 20 Elgamal subkeys or any subkey on a type 20 primary are -+ not usable. */ -+ if(mainpk->pubkey_algo==PUBKEY_ALGO_ELGAMAL -+ || subpk->pubkey_algo==PUBKEY_ALGO_ELGAMAL) -+ key_usage=0; -+ - subpk->pubkey_usage = key_usage; - - p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_KEY_EXPIRE, NULL); -Index: keygen.c -=================================================================== -RCS file: /cvs/gnupg/gnupg/g10/keygen.c,v -retrieving revision 1.90.2.11 -diff -u -r1.90.2.11 keygen.c ---- keygen.c 16 Jul 2003 03:09:15 -0000 1.90.2.11 -+++ keygen.c 27 Nov 2003 00:32:31 -0000 -@@ -958,8 +958,6 @@ - tty_printf( _(" (%d) DSA (sign only)\n"), 2 ); - if( addmode ) - tty_printf( _(" (%d) ElGamal (encrypt only)\n"), 3 ); -- if (opt.expert) -- tty_printf( _(" (%d) ElGamal (sign and encrypt)\n"), 4 ); - tty_printf( _(" (%d) RSA (sign only)\n"), 5 ); - if (addmode) - tty_printf( _(" (%d) RSA (encrypt only)\n"), 6 ); -@@ -989,21 +987,6 @@ - algo = PUBKEY_ALGO_RSA; - *r_usage = PUBKEY_USAGE_SIG; - break; -- } -- else if( algo == 4 && opt.expert) -- { -- tty_printf(_( --"The use of this algorithm is only supported by GnuPG. You will not be\n" --"able to use this key to communicate with PGP users. This algorithm is also\n" --"very slow, and may not be as secure as the other choices.\n")); -- -- if( cpr_get_answer_is_yes("keygen.algo.elg_se", -- _("Create anyway? "))) -- { -- algo = PUBKEY_ALGO_ELGAMAL; -- *r_usage = PUBKEY_USAGE_ENC | PUBKEY_USAGE_SIG; -- break; -- } - } - else if( algo == 3 && addmode ) { - algo = PUBKEY_ALGO_ELGAMAL_E; ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.2.3 (GNU/Linux) - -iD8DBQE/xa20aLeriVdUjc0RAvXcAKCIxQR0JbaxfX/EFpI4NLcb4vUI2ACZAQTx -zfX4QUrn7HnluPP4Pfoofdk= -=OtPO ------END PGP SIGNATURE----- - ---=-=-=-- - - diff --git a/app-crypt/gnupg/files/gnupg-1.2.3-hkp-format-string.diff b/app-crypt/gnupg/files/gnupg-1.2.3-hkp-format-string.diff deleted file mode 100644 index efb98bf6a680..000000000000 --- a/app-crypt/gnupg/files/gnupg-1.2.3-hkp-format-string.diff +++ /dev/null @@ -1,30 +0,0 @@ -######################### -# http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/gnupg/keyserver/gpgkeys_hkp.c.diff?r1=text&tr1=1.15.2.7&r2=text&tr2=1.15.2.8&diff_format=u -# -# - taviso@gentoo.org 03/12/2003. -# -################################### -=================================================================== -RCS file: /cvs/gnupg/gnupg/keyserver/gpgkeys_hkp.c,v -retrieving revision 1.15.2.7 -retrieving revision 1.15.2.8 -diff -u -r1.15.2.7 -r1.15.2.8 ---- gnupg/keyserver/gpgkeys_hkp.c 2003/05/30 04:00:26 1.15.2.7 -+++ gnupg/keyserver/gpgkeys_hkp.c 2003/11/27 12:18:20 1.15.2.8 -@@ -268,14 +268,14 @@ - - if(gotit) - { -- fprintf(output,line); -+ fputs (line, output); - if(strcmp(line,"-----END PGP PUBLIC KEY BLOCK-----\n")==0) - break; - } - else - if(strcmp(line,"-----BEGIN PGP PUBLIC KEY BLOCK-----\n")==0) - { -- fprintf(output,line); -+ fputs (line, output); - gotit=1; - } - } |