Commits (12)
gnupg2 (2.1.18-8~deb9u2) stretch-security; urgency=high
* Non-maintainer upload by the Security Team.
* gpg: Sanitize diagnostic with the original file name (CVE-2018-12020)
-- Salvatore Bonaccorso <carnil@debian.org> Fri, 08 Jun 2018 20:12:24 +0200
gnupg2 (2.1.18-8~deb9u1) stretch; urgency=medium
* Bugfix update for debian stretch point release.
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 18 Sep 2017 16:41:12 -0400
gnupg2 (2.1.18-8) unstable; urgency=medium
* updated scdaemon fix from gniibe (Closes: #862032)
@@ -41,8 +41,8 @@ Build-Depends-Indep:
libnpth-mingw-w64-dev,
libz-mingw-w64-dev,
mingw-w64,
Vcs-Git: https://anonscm.debian.org/git/pkg-gnupg/gnupg2.git
Vcs-Browser: https://anonscm.debian.org/git/pkg-gnupg/gnupg2.git
Vcs-Git: https://salsa.debian.org/debian/gnupg2.git -b debian/stretch
Vcs-Browser: https://salsa.debian.org/debian/gnupg2
Homepage: https://www.gnupg.org/
Package: gnupg-agent
[DEFAULT]
pristine-tar = True
upstream-vcs-tag = gnupg-%(version)s
debian-branch = debian/stretch
[buildpackage]
compression = bzip2
[import-orig]
filter = [
@@ -31,3 +35,6 @@ filter = [
'po/stamp-po',
]
filter-pristine-tar = False
[pq]
abbrev = 9
From: Werner Koch <wk@gnupg.org>
Date: Fri, 8 Jun 2018 10:45:21 +0200
Subject: gpg: Sanitize diagnostic with the original file name.
Origin: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=210e402acd3e284b32db1901e43bf1470e659e49
Bug: https://dev.gnupg.org/T4012
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-12020
* g10/mainproc.c (proc_plaintext): Sanitize verbose output.
--
This fixes a forgotten sanitation of user supplied data in a verbose
mode diagnostic. The mentioned CVE is about using this to inject
status-fd lines into the stderr output. Other harm could as well be
done. Note that GPGME based applications are not affected because
GPGME does not fold status output into stderr.
CVE-id: CVE-2018-12020
GnuPG-bug-id: 4012
(cherry picked from commit 13f135c7a252cc46cff96e75968d92b6dc8dce1b)
---
g10/mainproc.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/g10/mainproc.c b/g10/mainproc.c
index 116b72a6b..72b0dd828 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@@ -758,7 +758,14 @@ proc_plaintext( CTX c, PACKET *pkt )
if (pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8))
log_info (_("Note: sender requested \"for-your-eyes-only\"\n"));
else if (opt.verbose)
- log_info (_("original file name='%.*s'\n"), pt->namelen, pt->name);
+ {
+ /* We don't use print_utf8_buffer because that would require a
+ * string change which we don't want in 2.2. It is also not
+ * clear whether the filename is always utf-8 encoded. */
+ char *tmp = make_printable_string (pt->name, pt->namelen, 0);
+ log_info (_("original file name='%.*s'\n"), (int)strlen (tmp), tmp);
+ xfree (tmp);
+ }
free_md_filter_context (&c->mfx);
if (gcry_md_open (&c->mfx.md, 0, 0))
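Review bot: `(int)strlen (tmp)` together with `%.*s` is redundant once `tmp` is the NUL-terminated result of make_printable_string; the in-hunk comment explains that the msgid must stay unchanged for 2.2, so it should also say that the width argument exists only to keep `%.*s` in the translatable string, otherwise a reader will wonder why `%s` was not used. The security property rests entirely on make_printable_string escaping `\n` and `\r`, which is outside this diff; a regression test that decrypts a message whose literal-data filename contains a newline followed by `[GNUPG:] ` under `--verbose --status-fd 2`, and checks that stderr carries exactly one `[GNUPG:]`-prefixed line per real status event, would pin that down.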
--
2.17.1
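The injection the commit message describes, as an added example in C that is not GnuPG's code: make_printable() is a hypothetical approximation of make_printable_string() (control bytes and backslashes rewritten as C escapes), render_diag() reproduces the diagnostic line before and after the fix, and count_status_lines() stands in for a status-fd consumer that parses stderr when gpg runs with --status-fd 2. The filename, key ID and user ID in the sample are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical approximation of GnuPG's make_printable_string(): control
 * bytes and backslashes become C escapes, so the result never contains a
 * raw line break.  The caller frees the returned string. */
char *make_printable(const unsigned char *p, size_t n)
{
    char *out = malloc(n * 4 + 1);   /* worst case: "\xNN" per input byte */
    size_t o = 0;
    if (!out)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = p[i];
        if (c == '\\')
            o += (size_t)sprintf(out + o, "\\\\");
        else if (c == '\n')
            o += (size_t)sprintf(out + o, "\\n");
        else if (c == '\r')
            o += (size_t)sprintf(out + o, "\\r");
        else if (c < 0x20 || c == 0x7f)
            o += (size_t)sprintf(out + o, "\\x%02x", c);
        else
            out[o++] = (char)c;
    }
    out[o] = '\0';
    return out;
}

/* Returns 1 when make_printable(in, n) yields exactly `expect`. */
int printable_equals(const char *in, size_t n, const char *expect)
{
    char *s = make_printable((const unsigned char *)in, n);
    int eq = s != NULL && strcmp(s, expect) == 0;
    free(s);
    return eq;
}

/* Render the "original file name" diagnostic into dst, either the pre-fix
 * way (raw %.*s of attacker-controlled bytes) or the post-fix way. */
int render_diag(char *dst, size_t dstlen, const unsigned char *name,
                size_t namelen, int sanitize)
{
    int len;
    if (!sanitize) {
        len = snprintf(dst, dstlen, "gpg: original file name='%.*s'\n",
                       (int)namelen, (const char *)name);
    } else {
        char *tmp = make_printable(name, namelen);
        if (!tmp)
            return -1;
        len = snprintf(dst, dstlen, "gpg: original file name='%.*s'\n",
                       (int)strlen(tmp), tmp);
        free(tmp);
    }
    return len;
}

/* A naive --status-fd consumer: with --status-fd 2, status lines and
 * diagnostics share stderr, so it trusts any line starting "[GNUPG:] ". */
int count_status_lines(const char *buf)
{
    static const char prefix[] = "[GNUPG:] ";
    int n = 0;
    const char *line = buf;
    while (line && *line) {
        if (strncmp(line, prefix, sizeof prefix - 1) == 0)
            n++;
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return n;
}

/* Constructed sample: a literal-data filename that embeds a newline and a
 * forged GOODSIG status line (placeholder key ID and user ID). */
static const unsigned char evil_name[] =
    "report.txt\n[GNUPG:] GOODSIG 0000000000000000 Someone <someone@example.org>";

/* Number of forged status lines the consumer would accept for the sample. */
int fake_status_lines(int sanitize)
{
    char out[512];
    if (render_diag(out, sizeof out, evil_name, sizeof evil_name - 1, sanitize) < 0)
        return -1;
    return count_status_lines(out);
}

int main(void)
{
    char out[512];
    render_diag(out, sizeof out, evil_name, sizeof evil_name - 1, 0);
    printf("unsanitized -> %d forged status line(s):\n%s", count_status_lines(out), out);
    render_diag(out, sizeof out, evil_name, sizeof evil_name - 1, 1);
    printf("sanitized   -> %d forged status line(s):\n%s", count_status_lines(out), out);
    return 0;
}
```

The unsanitized rendering yields a second stderr line that begins with the status prefix; after escaping, the whole diagnostic stays on one line and the consumer sees nothing. The same check is worth running against any consumer that merges stderr and status output rather than using a dedicated status fd, which is what the commit message means by GPGME not being affected.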
From: Justus Winter <justus@g10code.com>
Date: Tue, 13 Jun 2017 11:33:06 +0200
Subject: dirmngr: Implement querying nameservers over IPv6.
* dirmngr/dns.c (dns_so_check): Reinitialize sockets on address family
mismatch.
(enum dns_res_state): New states for querying over IPv6.
(dns_res_exec): Implement the new states by copying and modifying the
IPv4 variants. Branch to their respective counterparts if the current
list of resolvers using the current address family is exhausted.
--
This allows dirmngr to resolve names on systems where the nameservers
are only reachable via IPv6.
GnuPG-bug-id: 2990
Signed-off-by: Justus Winter <justus@g10code.com>
(cherry picked from commit 15d2a009931f44a60b9df6325f837add208459d6)
---
dirmngr/dns.c | 180 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 179 insertions(+), 1 deletion(-)
diff --git a/dirmngr/dns.c b/dirmngr/dns.c
index 866f69dd5..c473e5a6a 100644
--- a/dirmngr/dns.c
+++ b/dirmngr/dns.c
@@ -7567,6 +7567,22 @@ int dns_so_check(struct dns_socket *so) {
retry:
switch (so->state) {
case DNS_SO_UDP_INIT:
+ if (so->remote.ss_family != so->local.ss_family) {
+ /* Family mismatch. Reinitialize. */
+ if ((error = dns_so_closefd(so, &so->udp)))
+ goto error;
+ if ((error = dns_so_closefd(so, &so->tcp)))
+ goto error;
+
+ /* If the user supplied an interface
+ statement, that is gone now. Sorry. */
+ memset(&so->local, 0, sizeof so->local);
+ so->local.ss_family = so->remote.ss_family;
+
+ if (-1 == (so->udp = dns_socket((struct sockaddr *)&so->local, SOCK_DGRAM, &error)))
+ goto error;
+ }
+
so->state++;
case DNS_SO_UDP_CONN:
error = dns_connect(so->udp, (struct sockaddr *)&so->remote, dns_sa_len(&so->remote));
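Review bot: the mismatch branch in DNS_SO_UDP_INIT closes both so->udp and so->tcp, zeroes so->local (dropping any user-configured interface binding, as the comment concedes) and reopens only the UDP socket; the identical close-and-zero sequence is repeated verbatim in DNS_SO_TCP_INIT below. Pull it into a small static helper (e.g. a `dns_so_reset_family(so)`) so the two copies cannot drift, and replace the "Sorry" comment with a statement of exactly what is lost (source-interface binding and any bound local port) so the behaviour is documented rather than apologised for.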
@@ -7605,6 +7621,19 @@ retry:
so->state++;
case DNS_SO_TCP_INIT:
+ if (so->remote.ss_family != so->local.ss_family) {
+ /* Family mismatch. Reinitialize. */
+ if ((error = dns_so_closefd(so, &so->udp)))
+ goto error;
+ if ((error = dns_so_closefd(so, &so->tcp)))
+ goto error;
+
+ /* If the user supplied an interface
+ statement, that is gone now. Sorry. */
+ memset(&so->local, 0, sizeof so->local);
+ so->local.ss_family = so->remote.ss_family;
+ }
+
if (dns_so_tcp_keep(so)) {
so->state = DNS_SO_TCP_SEND;
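Review bot: unlike the UDP branch above, this TCP_INIT variant closes both descriptors but opens nothing; if the TCP connect state that follows creates so->tcp on demand that is fine, but it is not visible from the hunk and the duplicated comment reads as copy-paste. Either reopen the socket here symmetrically with the UDP branch, or add a one-line comment naming the state that creates so->tcp, so the asymmetry is clearly deliberate.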
@@ -8056,6 +8085,8 @@ enum dns_res_state {
DNS_R_RESOLV1_NS, /* Epilog: Inspect answer */
DNS_R_FOREACH_A,
DNS_R_QUERY_A,
+ DNS_R_FOREACH_AAAA,
+ DNS_R_QUERY_AAAA,
DNS_R_CNAME0_A,
DNS_R_CNAME1_A,
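Review bot: DNS_R_FOREACH_AAAA and DNS_R_QUERY_AAAA are inserted into the middle of enum dns_res_state; that is safe for the `F->state++` fall-through from FOREACH to QUERY used below, but if dns.c keeps a state-name table indexed by this enum for its debug output, it needs the two new entries in the same position, otherwise every later state's name is off by two. Worth a grep before merging.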
@@ -8715,8 +8746,22 @@ exec:
F->hints_j.section = DNS_S_ALL & ~DNS_S_QD;
if (!dns_rr_grep(&rr, 1, &F->hints_j, F->hints, &error)) {
- if (!dns_rr_i_count(&F->hints_j))
+ if (!dns_rr_i_count(&F->hints_j)) {
+ /* Check if we have in fact servers
+ with an IPv6 address. */
+ dns_rr_i_init(&F->hints_j, F->hints);
+ F->hints_j.name = u.ns.host;
+ F->hints_j.type = DNS_T_AAAA;
+ F->hints_j.section = DNS_S_ALL & ~DNS_S_QD;
+ if (dns_rr_grep(&rr, 1, &F->hints_j, F->hints, &error)) {
+ /* We do. Reinitialize
+ iterator and handle it. */
+ dns_rr_i_init(&F->hints_j, F->hints);
+ dgoto(R->sp, DNS_R_FOREACH_AAAA);
+ }
+
dgoto(R->sp, DNS_R_RESOLV0_NS);
+ }
dgoto(R->sp, DNS_R_FOREACH_NS);
}
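Review bot: the IPv6 fallback fires only when the nameserver has no A record at all (`!dns_rr_i_count(&F->hints_j)`); when a server has both A and AAAA records and every A address times out in DNS_R_QUERY_A, control goes to DNS_R_FOREACH_NS and that server's AAAA addresses are never tried (the mirror case in DNS_R_FOREACH_AAAA has the same gap). For the stated goal, nameservers reachable only via IPv6, that is acceptable, but the limitation belongs in the commit message. Also, the AAAA probe ignores `error` from the inner dns_rr_grep, mirroring the surrounding code, and repeats the iterator setup; a helper taking (host, rrtype) would shorten this block and its mirror.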
@@ -8817,6 +8862,139 @@ exec:
/* XXX: Should we copy F->answer to R->nodata? */
dgoto(R->sp, DNS_R_FOREACH_A);
+ case DNS_R_FOREACH_AAAA: {
+ struct dns_aaaa aaaa;
+ struct sockaddr_in6 sin6;
+
+ /*
+ * NOTE: Iterator initialized in DNS_R_FOREACH_NS because
+ * this state is re-entrant, but we need to reset
+ * .name to a valid pointer each time.
+ */
+ if ((error = dns_ns_parse(&u.ns, &F->hints_ns, F->hints)))
+ goto error;
+
+ F->hints_j.name = u.ns.host;
+ F->hints_j.type = DNS_T_AAAA;
+ F->hints_j.section = DNS_S_ALL & ~DNS_S_QD;
+
+ if (!dns_rr_grep(&rr, 1, &F->hints_j, F->hints, &error)) {
+ if (!dns_rr_i_count(&F->hints_j)) {
+ /* Check if we have in fact servers
+ with an IPv4 address. */
+ dns_rr_i_init(&F->hints_j, F->hints);
+ F->hints_j.name = u.ns.host;
+ F->hints_j.type = DNS_T_A;
+ F->hints_j.section = DNS_S_ALL & ~DNS_S_QD;
+ if (dns_rr_grep(&rr, 1, &F->hints_j, F->hints, &error)) {
+ /* We do. Reinitialize
+ iterator and handle it. */
+ dns_rr_i_init(&F->hints_j, F->hints);
+ dgoto(R->sp, DNS_R_FOREACH_A);
+ }
+
+ dgoto(R->sp, DNS_R_RESOLV0_NS);
+ }
+
+ dgoto(R->sp, DNS_R_FOREACH_NS);
+ }
+
+ if ((error = dns_aaaa_parse(&aaaa, &rr, F->hints)))
+ goto error;
+
+ memset(&sin6, '\0', sizeof sin6); /* NB: silence valgrind */
+ sin6.sin6_family = AF_INET6;
+ sin6.sin6_addr = aaaa.addr;
+ if (R->sp == 0)
+ sin6.sin6_port = dns_hints_port(R->hints, AF_INET, &sin6.sin6_addr);
+ else
+ sin6.sin6_port = htons(53);
+
+ if (DNS_DEBUG) {
+ char addr[INET6_ADDRSTRLEN + 1];
+ dns_aaaa_print(addr, sizeof addr, &aaaa);
+ dns_header(F->query)->qid = dns_so_mkqid(&R->so);
+ DNS_SHOW(F->query, "ASKING: %s/%s @ DEPTH: %u)", u.ns.host, addr, R->sp);
+ }
+
+ dns_trace_setcname(R->trace, u.ns.host, (struct sockaddr *)&sin6);
+
+ if ((error = dns_so_submit(&R->so, F->query, (struct sockaddr *)&sin6)))
+ goto error;
+
+ F->state++;
+ }
+ case DNS_R_QUERY_AAAA:
+ if (dns_so_elapsed(&R->so) >= dns_resconf_timeout(R->resconf))
+ dgoto(R->sp, DNS_R_FOREACH_AAAA);
+
+ if ((error = dns_so_check(&R->so)))
+ goto error;
+
+ if (!dns_p_setptr(&F->answer, dns_so_fetch(&R->so, &error)))
+ goto error;
+
+ if (DNS_DEBUG) {
+ DNS_SHOW(F->answer, "ANSWER @ DEPTH: %u)", R->sp);
+ }
+
+ if (dns_p_rcode(F->answer) == DNS_RC_FORMERR ||
+ dns_p_rcode(F->answer) == DNS_RC_NOTIMP ||
+ dns_p_rcode(F->answer) == DNS_RC_BADVERS) {
+ /* Temporarily disable EDNS0 and try again. */
+ if (F->qflags & DNS_Q_EDNS0) {
+ F->qflags &= ~DNS_Q_EDNS0;
+ if ((error = dns_q_remake(&F->query, F->qflags)))
+ goto error;
+
+ dgoto(R->sp, DNS_R_FOREACH_AAAA);
+ }
+ }
+
+ if ((error = dns_rr_parse(&rr, 12, F->query)))
+ goto error;
+
+ if (!(len = dns_d_expand(u.name, sizeof u.name, rr.dn.p, F->query, &error)))
+ goto error;
+ else if (len >= sizeof u.name)
+ goto toolong;
+
+ dns_rr_foreach(&rr, F->answer, .section = DNS_S_AN, .name = u.name, .type = rr.type) {
+ dgoto(R->sp, DNS_R_FINISH); /* Found */
+ }
+
+ dns_rr_foreach(&rr, F->answer, .section = DNS_S_AN, .name = u.name, .type = DNS_T_CNAME) {
+ F->ans_cname = rr;
+
+ dgoto(R->sp, DNS_R_CNAME0_A);
+ }
+
+ /*
+ * XXX: The condition here should probably check whether
+ * R->sp == 0, because DNS_R_SEARCH runs regardless of
+ * options.recurse. See DNS_R_BIND.
+ */
+ if (!R->resconf->options.recurse) {
+ /* Make first answer our tentative answer */
+ if (!R->nodata)
+ dns_p_movptr(&R->nodata, &F->answer);
+
+ dgoto(R->sp, DNS_R_SEARCH);
+ }
+
+ dns_rr_foreach(&rr, F->answer, .section = DNS_S_NS, .type = DNS_T_NS) {
+ dns_p_movptr(&F->hints, &F->answer);
+
+ dgoto(R->sp, DNS_R_ITERATE);
+ }
+
+ /* XXX: Should this go further up? */
+ if (dns_header(F->answer)->aa)
+ dgoto(R->sp, DNS_R_FINISH);
+
+ /* XXX: Should we copy F->answer to R->nodata? */
+
+ dgoto(R->sp, DNS_R_FOREACH_AAAA);
case DNS_R_CNAME0_A:
if (&F[1] >= endof(R->stack))
dgoto(R->sp, DNS_R_FINISH);
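Review bot: `sin6.sin6_port = dns_hints_port(R->hints, AF_INET, &sin6.sin6_addr)` passes AF_INET together with an IPv6 address; it should be AF_INET6 so the per-server port lookup interprets the address with the right family. Two smaller points in the same block: sin6_scope_id is left at zero by the memset, so a link-local (fe80::/10) nameserver address from the hints cannot be used, and the magic `12` in `dns_rr_parse(&rr, 12, F->query)` (the DNS header length) is copied from the A variant and deserves a named constant. The rest is a faithful copy of DNS_R_FOREACH_A/DNS_R_QUERY_A, XXX comments included; since the two now have to be kept in sync by hand, consider parameterising the address family instead of duplicating well over a hundred lines.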
From: Justus Winter <justus@g10code.com>
Date: Tue, 13 Jun 2017 15:35:01 +0200
Subject: gpg: Check and fix keys on import.
* doc/gpg.texi: Document the new import option.
* g10/gpg.c (main): Make the new option default to yes.
* g10/import.c (parse_import_options): Parse the new option.
(import_one): Act on the new option.
* g10/options.h (IMPORT_REPAIR_KEYS): New macro.
GnuPG-bug-id: 2236
Signed-off-by: Justus Winter <justus@g10code.com>
(cherry picked from commit 9b12b45aa5e67d4d422bf75a3879df1d52dbe67f)
---
doc/gpg.texi | 4 ++++
g10/gpg.c | 5 +++--
g10/import.c | 10 +++++++++-
g10/options.h | 1 +
4 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/doc/gpg.texi b/doc/gpg.texi
index a7d78c4..1cb754e 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -2287,6 +2287,10 @@ opposite meaning. The options are:
on the keyring. This option is the same as running the @option{--edit-key}
command "clean" after import. Defaults to no.
+ @item repair-keys. After import, fix various problems with the
+ keys. For example, this reorders signatures, and strips duplicate
+ signatures. Defaults to yes.
+
@item import-minimal
Import the smallest key possible. This removes all signatures except
the most recent self-signature on each user ID. This option is the
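Review bot: `@item repair-keys.` carries a trailing period that the neighbouring entries (`@item import-minimal`) do not, so the rendered option name will read "repair-keys."; drop it. It would also help to say which problems are fixed beyond reordering and duplicate stripping, or to point at the `--edit-key` command that does the same, as the preceding `import-clean` entry does for "clean".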
diff --git a/g10/gpg.c b/g10/gpg.c
index 5a880fd..a6a2e05 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -2364,9 +2364,10 @@ main (int argc, char **argv)
opt.max_cert_depth = 5;
opt.escape_from = 1;
opt.flags.require_cross_cert = 1;
- opt.import_options = 0;
+ opt.import_options = IMPORT_REPAIR_KEYS;
opt.export_options = EXPORT_ATTRIBUTES;
- opt.keyserver_options.import_options = IMPORT_REPAIR_PKS_SUBKEY_BUG;
+ opt.keyserver_options.import_options = (IMPORT_REPAIR_KEYS
+ | IMPORT_REPAIR_PKS_SUBKEY_BUG);
opt.keyserver_options.export_options = EXPORT_ATTRIBUTES;
opt.keyserver_options.options = KEYSERVER_HONOR_PKA_RECORD;
opt.verify_options = (LIST_SHOW_UID_VALIDITY
diff --git a/g10/import.c b/g10/import.c
index 125b994..762b02c 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -41,6 +41,7 @@
#include "../common/membuf.h"
#include "../common/init.h"
#include "../common/mbox-util.h"
+#include "key-check.h"
struct import_stats_s
@@ -179,6 +180,9 @@ parse_import_options(char *str,unsigned int *options,int noisy)
N_("assume the GnuPG key backup format")},
{"import-restore", IMPORT_RESTORE, NULL, NULL},
+ {"repair-keys", IMPORT_REPAIR_KEYS, NULL,
+ N_("repair keys on import")},
+
/* Aliases for backward compatibility */
{"allow-local-sigs",IMPORT_LOCAL_SIGS,NULL,NULL},
{"repair-hkp-subkey-bug",IMPORT_REPAIR_PKS_SUBKEY_BUG,NULL,NULL},
@@ -1434,7 +1438,11 @@ import_one (ctrl_t ctrl,
log_info (_("key %s: PKS subkey corruption repaired\n"),
keystr_from_pk(pk));
- if (chk_self_sigs (keyblock, keyid, &non_self))
+ if ((options & IMPORT_REPAIR_KEYS))
+ key_check_all_keysigs (ctrl, keyblock, 0, 0);
+
+// if (chk_self_sigs (keyblock, keyid, &non_self))
+ if (chk_self_sigs (ctrl, keyblock, keyid, &non_self))
return 0; /* Invalid keyblock - error already printed. */
/* If we allow such a thing, mark unsigned uids as valid */
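Review bot: the added `// if (chk_self_sigs (keyblock, keyid, &non_self))` line is commented-out dead code with a C++-style comment; drop it rather than commit it. The change of chk_self_sigs to take `ctrl` is not mentioned in the commit message, which lists only the import-option plumbing, and presumably comes from the preceding "Refactor key checking and fixing" patch in the series; the cherry-pick message should say so. key_check_all_keysigs is called for its side effects with its result discarded; if it can report a failure, that should at least be logged in verbose mode.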
diff --git a/g10/options.h b/g10/options.h
index 88a8f32..ff09709 100644
--- a/g10/options.h
+++ b/g10/options.h
@@ -350,6 +350,7 @@ EXTERN_UNLESS_MAIN_MODULE int memory_stat_debug_mode;
#define IMPORT_KEEP_OWNERTTRUST (1<<8)
#define IMPORT_EXPORT (1<<9)
#define IMPORT_RESTORE (1<<10)
+#define IMPORT_REPAIR_KEYS (1<<11)
#define EXPORT_LOCAL_SIGS (1<<0)
#define EXPORT_ATTRIBUTES (1<<1)
@@ -2,26 +2,29 @@ From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Tue, 11 Aug 2015 20:28:26 -0400
Subject: Avoid simple memory dumps via ptrace
This avoids needing to setgid gpg-agent. It probably doesn't defend
against all possible attacks, but it defends against one specific (and
easy) one. If there are other protections we should do them too.
This avoids needing to setgid gpg-agent or scdaemon. It probably
doesn't defend against all possible attacks, but it defends against
one specific (and easy) one. If there are other protections we should
do them too.
This will make it slightly harder to debug the agent because the
normal user won't be able to attach gdb to it directly while it runs.
This will make it slightly harder to debug the agent or scdaemon
because the normal user won't be able to attach gdb to it directly
while it runs.
The remaining options for debugging are:
* launch the agent from gdb directly
* connect gdb to a running agent as the superuser
* launch gpg-agent or scdaemon from gdb directly
* connect gdb to a running gpg-agent or scdaemon as the superuser
Upstream bug: https://bugs.gnupg.org/gnupg/issue1211
---
agent/gpg-agent.c | 8 ++++++++
configure.ac | 1 +
2 files changed, 9 insertions(+)
scd/scdaemon.c | 9 +++++++++
3 files changed, 18 insertions(+)
diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
index c0208cc88..31bf3370a 100644
index c0208cc..31bf337 100644
--- a/agent/gpg-agent.c
+++ b/agent/gpg-agent.c
@@ -48,6 +48,9 @@
@@ -47,7 +50,7 @@ index c0208cc88..31bf3370a 100644
file descriptors and the signal mask. This info is required to
do the exec call properly. We don't need it on Windows. */
diff --git a/configure.ac b/configure.ac
index f929cb60f..f2b6a70d2 100644
index f929cb6..f2b6a70 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1335,6 +1335,7 @@ AC_CHECK_FUNCS([strerror strlwr tcgetattr mmap canonicalize_file_name])
@@ -58,3 +61,30 @@ index f929cb60f..f2b6a70d2 100644
AC_CHECK_FUNCS([gettimeofday getrusage getrlimit setrlimit clock_gettime])
AC_CHECK_FUNCS([atexit raise getpagesize strftime nl_langinfo setlocale])
AC_CHECK_FUNCS([waitpid wait4 sigaction sigprocmask pipe getaddrinfo])
diff --git a/scd/scdaemon.c b/scd/scdaemon.c
index 74fed44..4d011c4 100644
--- a/scd/scdaemon.c
+++ b/scd/scdaemon.c
@@ -36,6 +36,9 @@
#include <unistd.h>
#include <signal.h>
#include <npth.h>
+#ifdef HAVE_PRCTL
+# include <sys/prctl.h>
+#endif
#define GNUPG_COMMON_NEED_AFLOCAL
#include "scdaemon.h"
@@ -409,6 +412,12 @@ main (int argc, char **argv )
npth_t pipecon_handler;
early_system_init ();
+
+#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
+ /* Disable ptrace on Linux without sgid bit */
+ prctl(PR_SET_DUMPABLE, 0);
+#endif
+
set_strusage (my_strusage);
gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
/* Please note that we may running SUID(ROOT), so be very CAREFUL
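Review bot: prctl(PR_SET_DUMPABLE, 0) is called without checking its return value; it rarely fails, but a warning when it does would tell an operator the protection is absent. The comment should also state the side effects: with dumpable cleared the kernel suppresses core dumps for the process and makes its /proc/<pid> entries root-owned, so the process's own user can no longer read /proc/<pid>/maps or environ either, and the only debugging routes are the two listed in the patch header (start under gdb, or attach as root). Since gpg-agent and scdaemon now carry the same three-line block, keep its placement (immediately after early_system_init, before anything sensitive is loaded) identical in both.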
debian-packaging/0001-avoid-beta-warning.patch
block-ptrace-on-agent/0002-Avoid-simple-memory-dumps-via-ptrace.patch
block-ptrace-on-sensitive-daemons/0002-Avoid-simple-memory-dumps-via-ptrace.patch
debian-packaging/0003-avoid-regenerating-defsincdate-use-shipped-file.patch
dirmngr-idling/0001-dirmngr-hkp-Avoid-potential-race-condition-when-some.patch
dirmngr-idling/0002-dimrngr-Avoid-need-for-hkp-housekeeping.patch
@@ -76,3 +76,10 @@ gpg-agent-idling/0004-agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch
skip-missing-signing-keys/0076-g10-Skip-signing-keys-where-no-secret-key-is-availab.patch
skel-file-removal/0077-g10-remove-skeleton-options-files.patch
avoid-spurious-warnings/0078-gpg-Avoid-spurious-warnings-about-trust-packets.patch
0079-gpg-Sanitize-diagnostic-with-the-original-file-name.patch
update-crypto-defaults/0080-gpgsm-default-to-3072-bit-keys.patch
update-crypto-defaults/0081-gpg-default-to-3072-bit-RSA-keys.patch
update-crypto-defaults/0082-gpg-default-to-AES-256.patch
0083-dirmngr-Implement-querying-nameservers-over-IPv6.patch
0084-gpg-Refactor-key-checking-and-fixing.patch
0085-gpg-Check-and-fix-keys-on-import.patch
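Review bot: the new entries 0079, 0083, 0084 and 0085 sit at the top level of debian/patches while every neighbouring patch is grouped under a topic directory (update-crypto-defaults/, avoid-spurious-warnings/, ...); put the CVE fix under a directory of its own and the three dirmngr/key-import backports under theirs so the series stays consistent and the related patches travel together.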
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Thu, 7 Sep 2017 18:39:37 -0400
Subject: gpgsm: default to 3072-bit keys.
* doc/gpgsm.texi, doc/howto-create-a-server-cert.texi: : update
default to 3072 bits.
* sm/certreqgen-ui.c (gpgsm_gencertreq_tty): update default to
3072 bits.
* sm/certreqgen.c (proc_parameters): update default to 3072 bits.
* sm/gpgsm.c (main): print correct default_pubkey_algo.
--
3072-bit RSA is widely considered to be 128-bit-equivalent security.
This is a sensible default in 2017.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
(cherry picked from commit 7955262151a5c755814dd23414e6804f79125355)
---
doc/gpgsm.texi | 2 +-
doc/howto-create-a-server-cert.texi | 14 +++++++-------
sm/certreqgen-ui.c | 2 +-
sm/certreqgen.c | 4 ++--
sm/gpgsm.c | 2 +-
5 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi
index b92eaea..b5f23a2 100644
--- a/doc/gpgsm.texi
+++ b/doc/gpgsm.texi
@@ -1076,7 +1076,7 @@ key. The algorithm must be capable of signing. This is a required
parameter. The only supported value for @var{algo} is @samp{rsa}.
@item Key-Length: @var{nbits}
-The requested length of a generated key in bits. Defaults to 2048.
+The requested length of a generated key in bits. Defaults to 3072.
@item Key-Grip: @var{hexstring}
This is optional and used to generate a CSR or certificate for an
diff --git a/doc/howto-create-a-server-cert.texi b/doc/howto-create-a-server-cert.texi
index 55f1a91..30e28bd 100644
--- a/doc/howto-create-a-server-cert.texi
+++ b/doc/howto-create-a-server-cert.texi
@@ -31,14 +31,14 @@ Let's continue:
@cartouche
@example
- What keysize do you want? (2048)
- Requested keysize is 2048 bits
+ What keysize do you want? (3072)
+ Requested keysize is 3072 bits
@end example
@end cartouche
-Hitting enter chooses the default RSA key size of 2048 bits. Smaller
-keys are too weak on the modern Internet. If you choose a larger
-(stronger) key, your server will need to do more work.
+Hitting enter chooses the default RSA key size of 3072 bits. Keys
+smaller than 2048 bits are too weak on the modern Internet. If you
+choose a larger (stronger) key, your server will need to do more work.
@cartouche
@example
@@ -124,7 +124,7 @@ request:
@example
These parameters are used:
Key-Type: RSA
- Key-Length: 2048
+ Key-Length: 3072
Key-Usage: sign, encrypt
Name-DN: CN=example.com
Name-DNS: example.com
@@ -224,7 +224,7 @@ To see the content of your certificate, you may now enter:
aka: (dns-name example.com)
aka: (dns-name www.example.com)
validity: 2015-07-01 16:20:51 through 2016-07-01 16:20:51
- key type: 2048 bit RSA
+ key type: 3072 bit RSA
key usage: digitalSignature keyEncipherment
ext key usage: clientAuth (suggested), serverAuth (suggested), [...]
fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:D8:19:E9:65:B9:4F:BD:B1:98:CC:57
diff --git a/sm/certreqgen-ui.c b/sm/certreqgen-ui.c
index b50d338..b8f7912 100644
--- a/sm/certreqgen-ui.c
+++ b/sm/certreqgen-ui.c
@@ -138,7 +138,7 @@ gpgsm_gencertreq_tty (ctrl_t ctrl, estream_t output_stream)
unsigned int nbits;
int minbits = 1024;
int maxbits = 4096;
- int defbits = 2048;
+ int defbits = 3072;
const char *keyusage;
char *subject_name;
membuf_t mb_email, mb_dns, mb_uri, mb_result;
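Review bot: defbits moves to 3072 but `minbits = 1024` stays, while the howto text in this same commit now says keys smaller than 2048 bits are too weak; either raise minbits to 2048 (with the matching check in proc_parameters) or keep 1024 and word the documentation to match. Silently accepting a 1024-bit answer at the prompt contradicts the doc.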
diff --git a/sm/certreqgen.c b/sm/certreqgen.c
index 9b4ffc9..9802d23 100644
--- a/sm/certreqgen.c
+++ b/sm/certreqgen.c
@@ -26,7 +26,7 @@
$ cat >foo <<EOF
%echo Generating a standard key
Key-Type: RSA
- Key-Length: 2048
+ Key-Length: 3072
Name-DN: CN=test cert 1,OU=Aegypten Project,O=g10 Code GmbH,L=Ddorf,C=DE
Name-Email: joe@foo.bar
# Do a commit here, so that we can later print a "done"
@@ -468,7 +468,7 @@ proc_parameters (ctrl_t ctrl, struct para_data_s *para,
/* Check the keylength. NOTE: If you change this make sure that it
macthes the gpgconflist item in gpgsm.c */
if (!get_parameter (para, pKEYLENGTH, 0))
- nbits = 2048;
+ nbits = 3072;
else
nbits = get_parameter_uint (para, pKEYLENGTH);
if ((nbits < 1024 || nbits > 4096) && !cardkeyid)
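Review bot: same point as in certreqgen-ui.c: the accepted range stays 1024..4096 while the default and the documentation move up, so the two should be reconciled in one place and the comment's reminder to keep gpgsm.c's gpgconflist item in sync (which this commit does honour) extended to the UI's minbits. While touching the comment, fix "macthes".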
diff --git a/sm/gpgsm.c b/sm/gpgsm.c
index 34a9b96..a58334b 100644
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@@ -1731,7 +1731,7 @@ main ( int argc, char **argv)
/* The next one is an info only item and should match what
proc_parameters actually implements. */
es_printf ("default_pubkey_algo:%lu:\"%s:\n", GC_OPT_FLAG_DEFAULT,
- "RSA-2048");
+ "RSA-3072");
}
break;
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Thu, 7 Sep 2017 18:41:10 -0400
Subject: gpg: default to 3072-bit RSA keys.
* agent/command.c (hlp_genkey): update help text to suggest the use of
3072 bits.
* doc/wks.texi: Make example match default generation.
* g10/keygen.c (DEFAULT_STD_KEY_PARAM): update to
rsa3072/cert,sign+rsa3072/encr, and fix neighboring comment,
(gen_rsa, get_keysize_range): update default from 2048 to 3072).
* g10/keyid.c (pubkey_string): update comment so that first example
is the default 3072-bit RSA.
--
3072-bit RSA is widely considered to be 128-bit-equivalent security.
This is a sensible default in 2017.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
(cherry picked from commit 909fbca19678e6e36968607e8a2348381da39d8c)
---
agent/command.c | 2 +-
g10/keygen.c | 9 ++++-----
g10/keyid.c | 4 ++--
3 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/agent/command.c b/agent/command.c
index a2d4931..a857e5d 100644
--- a/agent/command.c
+++ b/agent/command.c
@@ -875,7 +875,7 @@ static const char hlp_genkey[] =
"\n"
" C: GENKEY\n"
" S: INQUIRE KEYPARAM\n"
- " C: D (genkey (rsa (nbits 2048)))\n"
+ " C: D (genkey (rsa (nbits 3072)))\n"
" C: END\n"
" S: D (public-key\n"
" S: D (rsa (n 326487324683264) (e 10001)))\n"
diff --git a/g10/keygen.c b/g10/keygen.c
index 0180581..f14bbbe 100644
--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -46,11 +46,10 @@
#include "mbox-util.h"
-/* The default algorithms. If you change them remember to change them
- also in gpg.c:gpgconf_list. You should also check that the value
+/* The default algorithms. If you change them, you should ensure the value
is inside the bounds enforced by ask_keysize and gen_xxx. See also
get_keysize_range which encodes the allowed ranges. */
-#define DEFAULT_STD_KEY_PARAM "rsa2048/cert,sign+rsa2048/encr"
+#define DEFAULT_STD_KEY_PARAM "rsa3072/cert,sign+rsa3072/encr"
#define FUTURE_STD_KEY_PARAM "ed25519/cert,sign+cv25519/encr"
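Review bot: the comment's cross-reference to gpg.c:gpgconf_list is removed, yet no change to gpg.c appears in this patch's diffstat; the gpgsm counterpart in this series had to update its "RSA-2048" gpgconf string to "RSA-3072" for exactly that reason. Either the cross-reference was stale and its removal should be explained in the message, or gpg.c's gpgconf listing still reports the old default and needs the same fix.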
/* When generating keys using the streamlined key generation dialog,
@@ -1620,7 +1619,7 @@ gen_rsa (int algo, unsigned int nbits, KBNODE pub_root,
if (nbits < 1024)
{
- nbits = 2048;
+ nbits = 3072;
log_info (_("keysize invalid; using %u bits\n"), nbits );
}
else if (nbits > maxsize)
@@ -2089,7 +2088,7 @@ get_keysize_range (int algo, unsigned int *min, unsigned int *max)
default:
*min = opt.compliance == CO_DE_VS ? 2048: 1024;
*max = 4096;
- def = 2048;
+ def = 3072;
break;
}
diff --git a/g10/keyid.c b/g10/keyid.c
index dd098fd..9507beb 100644
--- a/g10/keyid.c
+++ b/g10/keyid.c
@@ -73,7 +73,7 @@ pubkey_letter( int algo )
is copied to the supplied buffer up a length of BUFSIZE-1.
Examples for the output are:
- "rsa2048" - RSA with 2048 bit
+ "rsa3072" - RSA with 3072 bit
"elg1024" - Elgamal with 1024 bit
"ed25519" - ECC using the curve Ed25519.
"E_1.2.3.4" - ECC using the unsupported curve with OID "1.2.3.4".
@@ -83,7 +83,7 @@ pubkey_letter( int algo )
If the option --legacy-list-mode is active, the output use the
legacy format:
- "2048R" - RSA with 2048 bit
+ "3072R" - RSA with 3072 bit
"1024g" - Elgamal with 1024 bit
"256E" - ECDSA using a curve with 256 bit
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Thu, 7 Sep 2017 19:04:00 -0400
Subject: gpg: default to AES-256.
* g10/main.h (DEFAULT_CIPHER_ALGO): Prefer AES256 by default.
--
It's 2017, and pretty much everyone has AES-256 available. Symmetric
crypto is also rarely the bottleneck (asymmetric crypto is much more
expensive). AES-256 provides some level of protection against
large-scale decryption efforts, and longer key lengths provide a hedge
against unforeseen cryptanalysis.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
(cherry picked from commit 73ff075204df09db5248170a049f06498cdbb7aa)
---
g10/main.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/g10/main.h b/g10/main.h
index 6837e98..edee027 100644
--- a/g10/main.h
+++ b/g10/main.h
@@ -30,7 +30,9 @@
(i.e. uncompressed) rather than 1 (zip). However, the real world
issues of speed and size come into play here. */
-#if GPG_USE_AES128
+#if GPG_USE_AES256
+# define DEFAULT_CIPHER_ALGO CIPHER_ALGO_AES256
+#elif GPG_USE_AES128
# define DEFAULT_CIPHER_ALGO CIPHER_ALGO_AES
#elif GPG_USE_CAST5
# define DEFAULT_CIPHER_ALGO CIPHER_ALGO_CAST5
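Review bot: DEFAULT_CIPHER_ALGO governs --symmetric and the case where no preferences constrain the choice; for public-key encryption gpg picks the cipher from the recipients' preference lists in their self-signatures, which this patch does not touch, so "default to AES-256" only holds for symmetric encryption and for keys whose preferences already rank AES256 first. State that limitation in the commit message or pair this with the matching change to the default preference list in keygen. It is also worth noting that --cipher-algo and --personal-cipher-preferences still override this for users who pinned AES128 for interoperability.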