Hi! While preparing a new release of Gpg4win we found a regression in GnuPG 2.0.14. The problem is due to this change:
* New and changed passphrases are now created with an iteration count requiring about 100ms of CPU work.

I don't know how it slipped through my tests, but somehow it happened. The bug occurs in all cases where gpg-agent creates a new protected key or changes the protection. For example:

- You import a new private key with GPGSM from a PKCS#12 file.
- You change the passphrase of an X.509 key (gpgsm --passwd)
- You create or import a new on-disk Secure Shell key.

It does not affect keys or passphrases related to GPG (OpenPGP keys).

The bug is that the new iteration count is not encoded in the file. Instead the old constant value of 65536 (encoded as 96) is written to the file. If you now try to use the key and enter the passphrase, gpg-agent uses the wrong iteration count from the file (65536) and thus can't unprotect the key.

A patch against 2.0.14 is attached.

It is possible to fixup the wrong iteration counts but before I add such a feature, I would like to know whether this is really needed.

- If you imported a p12 file you may simply re-import that file after deleting the old file. To find the respective file with the private key, you use this command

      gpgsm --dump-cert KEYID | grep keygrip:

  The hex-string you see is the basename of the private key. For example:

      $ gpgsm --dump-cert 0x036A1456 | grep keygrip:
      keygrip: 25268070E915E1E3DCCBD9EBEF18BCEF9B0AB289
      $ ls -l private-keys-v1.d/25268070E915E1E3DCCBD9EBEF18BCEF9B0AB289.key

  You better delete this file before importing the p12 file again:

      $ rm private-keys-v1.d/25268070E915E1E3DCCBD9EBEF18BCEF9B0AB289.key

- If you changed the passphrase and you have a backup of the private key, it will be easier to use the backup.

- If you did not change the passphrase, you don't have any problem.

- If there is no other way to restore it, please complain and I will write a tool to fixup the mess.

I am sorry for the possible trouble.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
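The mismatch described in this message, as an added example that is not part of the original mail or of GnuPG's code: it parses an S2K parameter list in the layout of the attached patch's format string, decodes the stored 96 with the RFC 4880 coded-count formula, and derives the key with OpenPGP iterated+salted SHA-1 S2K under both counts. The salt, the passphrase, the calibrated count of 3,000,000 and the 16-byte key length are constructed assumptions.

```python
import hashlib

def parse_flat_sexp(buf):
    """Parse one flat canonical S-expression list: (LEN:DATA LEN:DATA ...)."""
    if not (buf.startswith(b"(") and buf.endswith(b")")):
        raise ValueError("not a canonical S-expression list")
    items, i = [], 1
    while i < len(buf) - 1:
        colon = buf.index(b":", i)
        n = int(buf[i:colon])
        items.append(buf[colon + 1:colon + 1 + n])
        i = colon + 1 + n
    return items

def decode_coded_count(c):
    """RFC 4880 one-octet coded count -> number of octets to hash."""
    return (16 + (c & 15)) << ((c >> 4) + 6)

def s2k_iterated_salted_sha1(passphrase, salt, count, keylen=16):
    """OpenPGP iterated+salted S2K with SHA-1; keylen=16 is an assumption."""
    data = salt + passphrase
    count = max(count, len(data))  # salt+passphrase is hashed at least once
    full, rest = divmod(count, len(data))
    key, preload = b"", 0
    while len(key) < keylen:
        # Each further hash context is preloaded with one more zero octet.
        h = hashlib.sha1(b"\x00" * preload)
        h.update(data * full + data[:rest])
        key += h.digest()
        preload += 1
    return key[:keylen]

# Constructed sample values, not taken from a real key file.
SALT = bytes.fromhex("0102030405060708")
PASSPHRASE = b"correct horse"
CALIBRATED_COUNT = 3_000_000  # stand-in for the "about 100ms" count
STORED_S2K = b"(4:sha18:" + SALT + b"2:96)"  # what unpatched 2.0.14 writes

def demo():
    _algo, salt, count_field = parse_flat_sexp(STORED_S2K)
    count_from_file = decode_coded_count(int(count_field))
    key_protect = s2k_iterated_salted_sha1(PASSPHRASE, salt, CALIBRATED_COUNT)
    key_unprotect = s2k_iterated_salted_sha1(PASSPHRASE, salt, count_from_file)
    return count_from_file, key_protect == key_unprotect

if __name__ == "__main__":
    print(demo())
```

Because the stored field is identical to what earlier versions wrote for a real count of 65536, inspecting the file alone cannot tell an affected key from an unaffected one.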
#! /bin/sh patch -p0 -f $* < $0 exit $? agent/ 2010-01-26 Werner Koch <w...@g10code.com> * protect.c (do_encryption): Encode the s2kcount and do not use a static value of 96. --- agent/protect.c (revision 5231) +++ agent/protect.c (working copy) @@ -360,19 +360,25 @@ in canoncical format of course. We use asprintf and %n modifier and dummy values as placeholders. */ - p = xtryasprintf - ("(9:protected%d:%s((4:sha18:%n_8bytes_2:96)%d:%n%*s)%d:%n%*s)", - (int)strlen (modestr), modestr, - &saltpos, - blklen, &ivpos, blklen, "", - enclen, &encpos, enclen, ""); - if (!p) - { - gpg_error_t tmperr = out_of_core (); - xfree (iv); - xfree (outbuf); - return tmperr; - } + { + char countbuf[35]; + + snprintf (countbuf, sizeof countbuf, "%lu", get_standard_s2k_count ()); + p = xtryasprintf + ("(9:protected%d:%s((4:sha18:%n_8bytes_%u:%s)%d:%n%*s)%d:%n%*s)", + (int)strlen (modestr), modestr, + &saltpos, + (unsigned int)strlen (countbuf), countbuf, + blklen, &ivpos, blklen, "", + enclen, &encpos, enclen, ""); + if (!p) + { + gpg_error_t tmperr = out_of_core (); + xfree (iv); + xfree (outbuf); + return tmperr; + } + } *resultlen = strlen (p); *result = (unsigned char*)p; memcpy (p+saltpos, iv+2*blklen, 8);
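Review bot: In the new block in do_encryption, the count field changes from the fixed "2:96" to the decimal text of get_standard_s2k_count (), but the comment above the call still only mentions dummy values as placeholders, and nothing states whether the number written is the coded octet (as 96 was) or the raw iteration count. A short comment on the representation, and on what the unprotect code expects to parse, would help, since this hunk does not show the reader side. The "%lu" conversion also relies on get_standard_s2k_count () returning unsigned long, which is not visible here; an explicit (unsigned long) cast on that argument would keep the snprintf call correct regardless of the declared return type.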
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users