Hi!

While preparing a new release of Gpg4win we found a regression in GnuPG
2.0.14.  The problem is due to this change:

 * New and changed passphrases are now created with an iteration count
   requiring about 100ms of CPU work.

I don't know how it slipped through my tests, but somehow it happened.
The bug occurs in all cases where gpg-agent creates a new protected key
or changes the protection.  For example:

 - You import a new private key with GPGSM from a PKCS#12 file.

 - You change the passphrase of an X.509 key (gpgsm --passwd)

 - You create or import a new on-disk Secure Shell key.

It does not affect keys or passphrases related to GPG (OpenPGP keys).

The bug is that the new iteration count is not encoded in the file.
Instead the old constant value of 65536 (encoded as 96) is written to
the file.  If you now try to use the key and enter the passphrase,
gpg-agent uses the wrong iteration count from the file (65536) and thus
can't unprotect the key.

A patch against 2.0.14 is attached.

It is possible to fixup the wrong iteration counts but before I add such
a feature, I would like to know whether this is really needed.

 - If you imported a p12 file you may simply re-import that file after
   deleting the old file.  To find the respective file with the private
   key, you use this command

     gpgsm --dump-cert KEYID | grep keygrip:

   The hex-string you see is the basename of the private key.  For example:

     $ gpgsm --dump-cert 0x036A1456 | grep keygrip:
         keygrip: 25268070E915E1E3DCCBD9EBEF18BCEF9B0AB289

     $ ls -l private-keys-v1.d/25268070E915E1E3DCCBD9EBEF18BCEF9B0AB289.key

   You had better delete this file before importing the p12 file again:

     $ rm private-keys-v1.d/25268070E915E1E3DCCBD9EBEF18BCEF9B0AB289.key

 - If you changed the passphrase and you have a backup of the private
   key, it will be easier to use the backup.

 - If you did not change the passphrase, you don't have any problem.

 - If there is no other way to restore it, please complain and I will
   write a tool to fixup the mess.


I am sorry for the possible trouble.


Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
#! /bin/sh
patch -p0 -f $* < $0
exit $?

agent/
2010-01-26  Werner Koch  <w...@g10code.com>

	* protect.c (do_encryption): Encode the s2kcount and do not use a
	static value of 96.

--- agent/protect.c	(revision 5231)
+++ agent/protect.c	(working copy)
@@ -360,19 +360,25 @@
        
      in canoncical format of course.  We use asprintf and %n modifier
      and dummy values as placeholders.  */
-  p = xtryasprintf
-    ("(9:protected%d:%s((4:sha18:%n_8bytes_2:96)%d:%n%*s)%d:%n%*s)",
-     (int)strlen (modestr), modestr,
-     &saltpos, 
-     blklen, &ivpos, blklen, "",
-     enclen, &encpos, enclen, "");
-  if (!p)
-    {
-      gpg_error_t tmperr = out_of_core ();
-      xfree (iv);
-      xfree (outbuf);
-      return tmperr;
-    }
+  {
+    char countbuf[35];
+
+    snprintf (countbuf, sizeof countbuf, "%lu", get_standard_s2k_count ());
+    p = xtryasprintf
+      ("(9:protected%d:%s((4:sha18:%n_8bytes_%u:%s)%d:%n%*s)%d:%n%*s)",
+       (int)strlen (modestr), modestr,
+       &saltpos, 
+       (unsigned int)strlen (countbuf), countbuf,
+       blklen, &ivpos, blklen, "",
+       enclen, &encpos, enclen, "");
+    if (!p)
+      {
+        gpg_error_t tmperr = out_of_core ();
+        xfree (iv);
+        xfree (outbuf);
+        return tmperr;
+      }
+  }
   *resultlen = strlen (p);
   *result = (unsigned char*)p;
   memcpy (p+saltpos, iv+2*blklen, 8);
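Review bot: the count written into the S-expression comes from a fresh call to get_standard_s2k_count() in the snprintf at the top of the new block, not from the count actually handed to the key-derivation step earlier in do_encryption (which this hunk does not show); if those two values can ever differ, for example because the count is calibrated per call, the file would again carry a count that does not match the one used to derive the key, which is exactly the failure this patch fixes. Suggest computing it once into a local (`unsigned long s2kcount = get_standard_s2k_count ();`), passing that same variable to the derivation, and formatting it with `snprintf (countbuf, sizeof countbuf, "%lu", s2kcount);`. Minor: the block-local scope exists only to declare countbuf; declaring it with the other locals would keep the diff smaller and leave the indentation of the existing error path unchanged.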


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users