diff -uNrp gnupg-1.4.21/cipher/Makefile.am gnupg-1.4.22/cipher/Makefile.am --- gnupg-1.4.21/cipher/Makefile.am 2016-04-22 03:30:18.000000000 -0400 +++ gnupg-1.4.22/cipher/Makefile.am 2017-07-10 04:48:39.000000000 -0400 @@ -17,7 +17,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. ## Process this file with automake to produce Makefile.in -AM_CPPFLAGS = -I.. -I$(top_srcdir)/include -I$(top_srcdir)/intl +AM_CPPFLAGS = -I.. -I$(top_srcdir)/include -I$(top_srcdir)/intl -I$(top_srcdir)/mpi -I../mpi if ! HAVE_DOSISH_SYSTEM AM_CPPFLAGS += -DGNUPG_LIBDIR="\"$(libdir)/@PACKAGE@\"" diff -uNrp gnupg-1.4.21/cipher/Makefile.in gnupg-1.4.22/cipher/Makefile.in --- gnupg-1.4.21/cipher/Makefile.in 2016-08-17 09:20:24.000000000 -0400 +++ gnupg-1.4.22/cipher/Makefile.in 2017-07-19 05:20:16.000000000 -0400 @@ -402,7 +402,7 @@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AM_CPPFLAGS = -I.. -I$(top_srcdir)/include -I$(top_srcdir)/intl \ - $(am__append_1) + -I$(top_srcdir)/mpi -I../mpi $(am__append_1) noinst_LIBRARIES = libcipher.a libcipher_a_SOURCES = cipher.c pubkey.c md.c dynload.c bithelp.h des.c \ twofish.c blowfish.c cast5.c rijndael.c camellia.c camellia.h \ diff -uNrp gnupg-1.4.21/cipher/rsa.c gnupg-1.4.22/cipher/rsa.c --- gnupg-1.4.21/cipher/rsa.c 2016-04-22 03:30:18.000000000 -0400 +++ gnupg-1.4.22/cipher/rsa.c 2017-07-10 04:48:39.000000000 -0400 @@ -29,6 +29,7 @@ #include <string.h> #include "util.h" #include "mpi.h" +#include "mpi-internal.h" #include "cipher.h" #include "rsa.h" 
@@ -325,14 +326,45 @@ secret(MPI output, MPI input, RSA_secret # endif /* USE_BLINDING */ /* RSA secret operation: */ - /* m1 = c ^ (d mod (p-1)) mod p */ + MPI D_blind = mpi_alloc_secure (nlimbs); + MPI rr; + unsigned int rr_nbits; + + rr_nbits = mpi_get_nbits (skey->p) / 4; + if (rr_nbits < 96) + rr_nbits = 96; + rr = mpi_alloc_secure ( (rr_nbits + BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB ); + + /* d_blind = (d mod (p-1)) + (p-1) * r */ + /* m1 = c ^ d_blind mod p */ + randomize_mpi (rr, rr_nbits, 0); + mpi_set_highbit (rr, rr_nbits - 1); mpi_sub_ui( h, skey->p, 1 ); + mpi_mul ( D_blind, h, rr ); + mpi_free ( rr ); mpi_fdiv_r( h, skey->d, h ); - mpi_powm( m1, input, h, skey->p ); - /* m2 = c ^ (d mod (q-1)) mod q */ + mpi_add ( D_blind, D_blind, h ); + mpi_free ( h ); + mpi_powm ( m1, input, D_blind, skey->p ); + + h = mpi_alloc_secure (nlimbs); + rr = mpi_alloc_secure ( (rr_nbits + BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB ); + + /* d_blind = (d mod (q-1)) + (q-1) * r */ + /* m2 = c ^ d_blind mod q */ + randomize_mpi (rr, rr_nbits, 0); + mpi_set_highbit (rr, rr_nbits - 1); mpi_sub_ui( h, skey->q, 1 ); + mpi_mul ( D_blind, h, rr ); + mpi_free ( rr ); mpi_fdiv_r( h, skey->d, h ); - mpi_powm( m2, input, h, skey->q ); + mpi_add ( D_blind, D_blind, h ); + mpi_free ( h ); + mpi_powm ( m2, input, D_blind, skey->q ); + + mpi_free ( D_blind ); + h = mpi_alloc_secure (nlimbs); + /* h = u * ( m2 - m1 ) mod q */ mpi_sub( h, m2, m1 ); if ( mpi_is_neg( h ) ) diff -uNrp gnupg-1.4.21/g10/build-packet.c gnupg-1.4.22/g10/build-packet.c --- gnupg-1.4.21/g10/build-packet.c 2016-04-22 03:30:18.000000000 -0400 +++ gnupg-1.4.22/g10/build-packet.c 2017-03-30 04:52:33.000000000 -0400 
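Review bot: The blinding value `rr` is produced by `randomize_mpi (rr, rr_nbits, 0)`, and I read the trailing 0 as the lowest random-quality level; since this value is the only thing hiding `d mod (p-1)` and `d mod (q-1)` from a side-channel observer of the two exponentiations, the choice needs a justification next to the call, e.g. `/* Quick randomness suffices: the blinding factor must only be unpredictable per operation, not cryptographically strong. */`, or a stronger level if that argument does not hold for this generator. `h` is also freed and then re-created with `mpi_alloc_secure (nlimbs)` twice although the following `mpi_sub_ui (h, ...)` overwrites its contents anyway, which is allocation churn in secure memory that a maintainer will read as meaningful; either keep `h` alive across both CRT branches or comment on why it is released. `MPI D_blind = mpi_alloc_secure (nlimbs);` appears to follow executable statements, which is C99 mixed-declaration style in a file that otherwise declares at block top. `secret()` begins before and ends after this hunk.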
@@ -204,7 +204,12 @@ do_user_id( IOBUF out, int ctb, PKT_user { if( uid->attrib_data ) { - write_header(out, ctb, uid->attrib_len); + /* We need to take special care of a user ID with a length of 0: + * Without forcing HDRLEN to 2 in this case an indeterminate length + * packet would be written which is not allowed. Note that we are + * always called with a CTB indicating an old packet header format, + * so that forcing a 2 octet header works. */ + write_header2(out, ctb, uid->attrib_len, (uid->attrib_len? 0 : 2)); if( iobuf_write( out, uid->attrib_data, uid->attrib_len ) ) return G10ERR_WRITE_FILE; } diff -uNrp gnupg-1.4.21/g10/keygen.c gnupg-1.4.22/g10/keygen.c --- gnupg-1.4.21/g10/keygen.c 2016-08-17 05:00:11.000000000 -0400 +++ gnupg-1.4.22/g10/keygen.c 2017-07-10 04:48:39.000000000 -0400 @@ -2329,8 +2329,8 @@ proc_parameter_file( struct para_data_s r = xmalloc_clear(sizeof(*r)); r->key = pKEYUSAGE; r->u.usage = openpgp_pk_algo_usage(algo); - r->next = para; - para = r; + r->next = para->next; + para->next = r; } else if (err == -1) return -1; @@ -2363,8 +2363,8 @@ proc_parameter_file( struct para_data_s r = xmalloc_clear (sizeof(*r)); r->key = pSUBKEYUSAGE; r->u.usage = openpgp_pk_algo_usage (algo); - r->next = para; - para = r; + r->next = para->next; + para->next = r; } else if (err == -1) return -1; @@ -2400,8 +2400,8 @@ proc_parameter_file( struct para_data_s p = stpcpy(stpcpy(stpcpy(p," ("), s2 ),")"); if( s3 ) p = stpcpy(stpcpy(stpcpy(p," <"), s3 ),">"); - r->next = para; - para = r; + r->next = para->next; + para->next = r; have_user_id=1; } } @@ -2460,13 +2460,13 @@ proc_parameter_file( struct para_data_s r = xmalloc_clear( sizeof *r ); r->key = pPASSPHRASE_S2K; r->u.s2k = s2k; - r->next = para; - para = r; + r->next = para->next; + para->next = r; r = xmalloc_clear( sizeof *r ); r->key = pPASSPHRASE_DEK; r->u.dek = dek; - r->next = para; - para = r; + r->next = para->next; + para->next = r; } /* Make KEYCREATIONDATE from Creation-Date. */ 
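Review bot: The new `write_header2` call relies on `ctb` denoting an old-format packet header, but that precondition lives only in the comment; a forced 2-octet header presumably means a different length encoding on the new-format path, so the assumption should be enforced, e.g. `assert (!(ctb & 0x40));` if the file already uses assert, or a defensive fallback otherwise. The zero-length handling is added only for `attrib_data`; if the plain user-ID branch of `do_user_id` (outside this hunk) still calls `write_header` with `uid->len`, a zero-length user ID would hit the same indeterminate-length header and deserves the same treatment or a comment on why it cannot occur. `do_user_id` starts before and ends after the hunk.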
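Review bot: The replacement `r->next = para->next; para->next = r;` dereferences `para` and so assumes the parameter list is non-empty; that holds if `proc_parameter_file` has already rejected a list without a key-type entry earlier (outside this hunk), but nothing here records it, and the reason for the change is equally undocumented — presumably the node is inserted behind the head so it stays reachable from the caller's list, which owns and frees it, whereas the old prepend onto the local copy of `para` left the node unreachable to the caller. Suggested comment at the first occurrence: `/* Insert behind the head: PARA is the caller's list, so a node prepended to our local copy would be lost to it. */`. The same two-line pattern is repeated in five hunks of this file; a small static helper taking `para` and `r` would make the invariant hard to get wrong.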
@@ -2504,8 +2504,8 @@ proc_parameter_file( struct para_data_s r = xmalloc_clear( sizeof *r + 20 ); r->key = pSUBKEYEXPIRE; r->u.expire = seconds; - r->next = para; - para = r; + r->next = para->next; + para->next = r; } if( !!outctrl->pub.newfname ^ !!outctrl->sec.newfname ) { diff -uNrp gnupg-1.4.21/g10/Makefile.am gnupg-1.4.22/g10/Makefile.am --- gnupg-1.4.21/g10/Makefile.am 2016-04-22 03:30:18.000000000 -0400 +++ gnupg-1.4.22/g10/Makefile.am 2017-07-19 04:32:06.000000000 -0400 @@ -32,7 +32,16 @@ endif needed_libs = ../cipher/libcipher.a ../mpi/libmpi.a ../util/libutil.a other_libs = $(LIBICONV) $(DNSLIBS) $(LIBINTL) $(CAPLIBS) + bin_PROGRAMS = gpg gpgv + +# "make distcheck" runs "gpg --version" which unfortunately may print +# warnings about unsupported options to stderr which make distcheck +# rejects. I am not sure on how to pass the envvar GNUPGHOME to that +# gpg invocation to make sure that a gpg.conf from gnupg 2 is not +# used. The easiest way to avoid that is to not run this extra test. +AM_INSTALLCHECK_STD_OPTIONS_EXEMPT = gpg$(EXEEXT) + dist_pkgdata_DATA = options.skel if ENABLE_BZIP2_SUPPORT diff -uNrp gnupg-1.4.21/g10/Makefile.in gnupg-1.4.22/g10/Makefile.in --- gnupg-1.4.21/g10/Makefile.in 2016-08-17 09:20:24.000000000 -0400 +++ gnupg-1.4.22/g10/Makefile.in 2017-07-19 05:20:16.000000000 -0400 
@@ -465,6 +465,13 @@ AM_CPPFLAGS = -I$(top_srcdir)/include -I @LIBUSB_CPPFLAGS@ $(am__append_1) needed_libs = ../cipher/libcipher.a ../mpi/libmpi.a ../util/libutil.a other_libs = $(LIBICONV) $(DNSLIBS) $(LIBINTL) $(CAPLIBS) + +# "make distcheck" runs "gpg --version" which unfortunately may print +# warnings about unsupported options to stderr which make distcheck +# rejects. I am not sure on how to pass the envvar GNUPGHOME to that +# gpg invocation to make sure that a gpg.conf from gnupg 2 is not +# used. The easiest way to avoid that is to not run this extra test. +AM_INSTALLCHECK_STD_OPTIONS_EXEMPT = gpg$(EXEEXT) dist_pkgdata_DATA = options.skel @ENABLE_BZIP2_SUPPORT_FALSE@bzip2_source = @ENABLE_BZIP2_SUPPORT_TRUE@bzip2_source = compress-bz2.c diff -uNrp gnupg-1.4.21/g10/textfilter.c gnupg-1.4.22/g10/textfilter.c --- gnupg-1.4.21/g10/textfilter.c 2016-04-22 03:30:18.000000000 -0400 +++ gnupg-1.4.22/g10/textfilter.c 2017-07-10 04:48:39.000000000 -0400 @@ -245,5 +245,6 @@ copy_clearsig_text( IOBUF out, IOBUF inp if( truncated ) log_info(_("input line longer than %d characters\n"), MAX_LINELEN ); + xfree (buffer); return 0; /* okay */ } diff -uNrp gnupg-1.4.21/mpi/longlong.h gnupg-1.4.22/mpi/longlong.h --- gnupg-1.4.21/mpi/longlong.h 2016-04-22 03:30:18.000000000 -0400 +++ gnupg-1.4.22/mpi/longlong.h 2017-07-10 04:48:39.000000000 -0400 @@ -189,7 +189,7 @@ extern UDItype __udiv_qrnnd (); : "%r" ((USItype)(ah)), \ "rI" ((USItype)(bh)), \ "%r" ((USItype)(al)), \ - "rI" ((USItype)(bl))) + "rI" ((USItype)(bl)) __CLOBBER_CC) #define sub_ddmmss(sh, sl, ah, al, bh, bl) \ __asm__ ("subs %1, %4, %5\n" \ "sbc %0, %2, %3" \ @@ -198,7 +198,7 @@ extern UDItype __udiv_qrnnd (); : "r" ((USItype)(ah)), \ "rI" ((USItype)(bh)), \ "r" ((USItype)(al)), \ - "rI" ((USItype)(bl))) + "rI" ((USItype)(bl)) __CLOBBER_CC) #if defined __ARM_ARCH_2__ || defined __ARM_ARCH_3__ #define umul_ppmm(xh, xl, a, b) \ __asm__ ("%@ Inlined umul_ppmm\n" \ 
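Review bot: The added `xfree (buffer)` releases the line buffer only on the normal exit of `copy_clearsig_text`; if the function has any earlier `return` after the read loop has allocated `buffer` (the body starts before this hunk), those paths still leak. Either release on every exit or, if there is a single exit, state it so the next edit does not break it: `/* Single exit point: BUFFER is released here only. */`.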
@@ -218,7 +218,7 @@ extern UDItype __udiv_qrnnd (); "=r" ((USItype)(xl)) \ : "r" ((USItype)(a)), \ "r" ((USItype)(b)) \ - : "r0", "r1", "r2") + : "r0", "r1", "r2" __AND_CLOBBER_CC) #else #define umul_ppmm(xh, xl, a, b) \ __asm__ ("%@ Inlined umul_ppmm\n" \ diff -uNrp gnupg-1.4.21/mpi/mpi-pow.c gnupg-1.4.22/mpi/mpi-pow.c --- gnupg-1.4.21/mpi/mpi-pow.c 2016-04-22 03:30:18.000000000 -0400 +++ gnupg-1.4.22/mpi/mpi-pow.c 2017-07-10 04:48:39.000000000 -0400 @@ -162,7 +162,7 @@ mpi_powm( MPI res, MPI base, MPI exponen { mpi_size_t i; - mpi_ptr_t xp = xp_marker = mpi_alloc_limb_space( 2 * (msize + 1), msec ); + mpi_ptr_t xp = xp_marker = mpi_alloc_limb_space( size, msec ); int c; mpi_limb_t e; mpi_limb_t carry_limb; @@ -387,6 +387,9 @@ mpi_powm (MPI res, MPI base, MPI expo, M size = 2 * msize; msign = mod->sign; + ep = expo->d; + MPN_NORMALIZE(ep, esize); + if (esize * BITS_PER_MPI_LIMB > 512) W = 5; else if (esize * BITS_PER_MPI_LIMB > 256) @@ -403,10 +406,9 @@ mpi_powm (MPI res, MPI base, MPI expo, M bsec = mpi_is_secure(base); rp = res->d; - ep = expo->d; if (!msize) - msize = 1 / msize; /* provoke a signal */ + msize = 1 / msize; /* provoke a signal */ if (!esize) { @@ -463,7 +465,8 @@ mpi_powm (MPI res, MPI base, MPI expo, M } - /* Make BASE, EXPO and MOD not overlap with RES. */ + /* Make BASE, EXPO not overlap with RES. We don't need to check MOD + because that has already been copied to the MP var. */ if ( rp == bp ) { /* RES and BASE are identical. Allocate temp. space for BASE. */ @@ -477,13 +480,6 @@ mpi_powm (MPI res, MPI base, MPI expo, M ep = ep_marker = mpi_alloc_limb_space( esize, esec ); MPN_COPY(ep, rp, esize); } - if ( rp == mp ) - { - /* RES and MOD are identical. Allocate temporary space for MOD.*/ - assert (!mp_marker); - mp = mp_marker = mpi_alloc_limb_space( msize, msec ); - MPN_COPY(mp, rp, msize); - } /* Copy base to the result. */ if (res->alloced < size) 
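Review bot: Only the three inline-asm statements in these hunks gain `__CLOBBER_CC` / `__AND_CLOBBER_CC`; the sibling `umul_ppmm` in the `#else` branch that follows and any other flag-setting ARM asm in this section should be checked the same way, since without a declared condition-code clobber the compiler may keep a comparison result live across the asm. The two macros must already be defined for every ARM configuration that reaches these definitions; if they are only provided under a compiler-version guard, an empty fallback `#define __CLOBBER_CC` is needed. The surrounding preprocessor section begins and ends outside the hunk.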
@@ -503,7 +499,7 @@ mpi_powm (MPI res, MPI base, MPI expo, M struct karatsuba_ctx karactx; mpi_ptr_t tp; - xp = xp_marker = mpi_alloc_limb_space( 2 * (msize + 1), msec ); + xp = xp_marker = mpi_alloc_limb_space( size, msec ); memset( &karactx, 0, sizeof karactx ); negative_result = (ep[0] & 1) && bsign; @@ -529,7 +525,10 @@ mpi_powm (MPI res, MPI base, MPI expo, M MPN_COPY (precomp[i], rp, rsize); } + if (msize > max_u_size) + max_u_size = msize; base_u = mpi_alloc_limb_space (max_u_size, esec); + MPN_ZERO (base_u, max_u_size); i = esize - 1; @@ -564,12 +563,8 @@ mpi_powm (MPI res, MPI base, MPI expo, M if (e == 0) { j += c; - i--; - if ( i < 0 ) - { - c = 0; - break; - } + if ( --i < 0 ) + break; e = ep[i]; c = BITS_PER_MPI_LIMB; 
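Review bot: The scratch buffer `xp` shrinks from `2 * (msize + 1)` to `size` limbs (`size = 2 * msize` in the earlier hunk), which is only safe if every operand pair handed to `mul_mod` has been reduced to at most `msize` limbs each and the reduction inside `mul_mod` never needs the two extra limbs; that invariant is not stated near either allocation. Suggest `/* SIZE = 2*MSIZE limbs suffices: both mul_mod operands are always reduced mod M. */` above both changed allocations. `base_u` now also receives a copy of the running result, hence `max_u_size` is raised to at least `msize` and the buffer is zero-filled; a comment at `MPN_ZERO (base_u, max_u_size)` explaining that the upper limbs must be deterministic because the conditional copy presumably writes only `nlimbs` limbs would save the next reader the deduction. `mpi_powm` begins before and ends after this hunk.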
@@ -578,80 +573,78 @@ mpi_powm (MPI res, MPI base, MPI expo, M { int c0; mpi_limb_t e0; + struct gcry_mpi w, u; + w.sign = u.sign = 0; + w.flags = u.flags = 0; + w.d = base_u; count_leading_zeros (c0, e); e = (e << c0); c -= c0; j += c0; + e0 = (e >> (BITS_PER_MPI_LIMB - W)); if (c >= W) - { - e0 = (e >> (BITS_PER_MPI_LIMB - W)); - e = (e << W); - c -= W; - } + c0 = 0; else { - i--; - if ( i < 0 ) + if ( --i < 0 ) { - e = (e >> (BITS_PER_MPI_LIMB - c)); - break; + e0 = (e >> (BITS_PER_MPI_LIMB - c)); + j += c - W; + goto last_step; } - - c0 = c; - e0 = (e >> (BITS_PER_MPI_LIMB - W)) - | (ep[i] >> (BITS_PER_MPI_LIMB - W + c0)); - e = (ep[i] << (W - c0)); - c = BITS_PER_MPI_LIMB - W + c0; + else + { + c0 = c; + e = ep[i]; + c = BITS_PER_MPI_LIMB; + e0 |= (e >> (BITS_PER_MPI_LIMB - (W - c0))); + } } + e = e << (W - c0); + c -= (W - c0); + + last_step: count_trailing_zeros (c0, e0); e0 = (e0 >> c0) >> 1; - for (j += W - c0; j; j--) + for (j += W - c0; j >= 0; j--) { - mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx); - tp = rp; rp = xp; xp = tp; - rsize = xsize; - } - /* - * base_u <= precomp[e0] - * base_u_size <= precomp_size[e0]; - */ - base_u_size = 0; - for (k = 0; k < (1<< (W - 1)); k++) - { - struct gcry_mpi w, u; - w.alloced = w.nlimbs = precomp_size[k]; - u.alloced = u.nlimbs = precomp_size[k]; - w.nbits = w.nlimbs * BITS_PER_MPI_LIMB; - u.nbits = u.nlimbs * BITS_PER_MPI_LIMB; - w.sign = u.sign = 0; - w.flags = u.flags = 0; - w.d = base_u; - u.d = precomp[k]; + /* + * base_u <= precomp[e0] + * base_u_size <= precomp_size[e0] + */ + base_u_size = 0; + for (k = 0; k < (1<< (W - 1)); k++) + { + w.alloced = w.nlimbs = precomp_size[k]; + u.alloced = u.nlimbs = precomp_size[k]; + u.d = precomp[k]; + + mpi_set_cond (&w, &u, k == e0); + base_u_size |= ( precomp_size[k] & (0UL - (k == e0)) ); + } - mpi_set_cond (&w, &u, k == e0); - base_u_size |= (precomp_size[k] & ((mpi_size_t)0 - (k == e0)) ); + w.alloced = w.nlimbs = rsize; + u.alloced = u.nlimbs = 
rsize; + u.d = rp; + mpi_set_cond (&w, &u, j != 0); + base_u_size ^= ((base_u_size ^ rsize) & (0UL - (j != 0))); + + mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size, + mp, msize, &karactx); + tp = rp; rp = xp; xp = tp; + rsize = xsize; } - mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size, - mp, msize, &karactx); - tp = rp; rp = xp; xp = tp; - rsize = xsize; j = c0; + if ( i < 0 ) + break; } - if (c != 0) - { - j += c; - count_trailing_zeros (c, e); - e = (e >> c); - j -= c; - } - while (j--) { mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx); @@ -659,38 +652,6 @@ mpi_powm (MPI res, MPI base, MPI expo, M rsize = xsize; } - if (e != 0) - { - base_u_size = 0; - for (k = 0; k < (1<< (W - 1)); k++) - { - struct gcry_mpi w, u; - w.alloced = w.nlimbs = precomp_size[k]; - u.alloced = u.nlimbs = precomp_size[k]; - w.nbits = w.nlimbs * BITS_PER_MPI_LIMB; - u.nbits = u.nlimbs * BITS_PER_MPI_LIMB; - w.sign = u.sign = 0; - w.flags = u.flags = 0; - w.d = base_u; - u.d = precomp[k]; - - mpi_set_cond (&w, &u, k == (e>>1)); - base_u_size |= (precomp_size[k] & ((mpi_size_t)0 - (k == (e>>1))) ); - } - - mul_mod (xp, &xsize, rp, rsize, base_u, base_u_size, - mp, msize, &karactx); - tp = rp; rp = xp; xp = tp; - rsize = xsize; - - for (; c; c--) - { - mul_mod (xp, &xsize, rp, rsize, rp, rsize, mp, msize, &karactx); - tp = rp; rp = xp; xp = tp; - rsize = xsize; - } - } - /* We shifted MOD, the modulo reduction argument, left MOD_SHIFT_CNT steps. Adjust the result by reducing it with the original MOD. diff -uNrp gnupg-1.4.21/tools/gpg-zip.in gnupg-1.4.22/tools/gpg-zip.in --- gnupg-1.4.21/tools/gpg-zip.in 2016-04-22 03:30:18.000000000 -0400 +++ gnupg-1.4.22/tools/gpg-zip.in 2017-03-30 04:50:12.000000000 -0400 @@ -94,7 +94,8 @@ while test $# -gt 0 ; do exit 0 ;; --gpg) - GPG=$1 + GPG=$2 + shift shift ;; --gpg-args) @@ -103,7 +104,8 @@ while test $# -gt 0 ; do shift ;; --tar) - TAR=$1 + TAR=$2 + shift shift ;; --tar-args) 
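Review bot: The rewritten window loop `for (j += W - c0; j >= 0; j--)` does not document the invariant that justifies its complexity — every iteration performs exactly one `mul_mod`, with `mpi_set_cond` choosing the second operand between the running value `rp` (a squaring while `j != 0`) and `precomp[e0]` (the window multiply at `j == 0`), so the operation sequence no longer depends on the exponent bits — and without that comment a later cleanup could turn the `j == 0` case back into a branch. Suggest above the loop: `/* Uniform sequence: J squarings then one multiply by PRECOMP[E0]; the operand is selected with mpi_set_cond so no branch depends on the exponent. */`. The masks also mix types: `0UL - (k == e0)` and `0UL - (j != 0)` are unsigned long while `base_u_size` and `precomp_size[]` are `mpi_size_t`, and the removed code used `(mpi_size_t)0 - ...`; one consistently typed mask avoids implicit conversions and reads as intentional. `base_u_size` still takes the limb count of the selected entry, so if the precomputed powers differ in size the multiplication cost still varies slightly with `e0`; if that is an accepted residual, say so in the comment. `mpi_powm` begins before and ends after this hunk.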
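Review bot: `GPG=$2` followed by two `shift`s has no check that the option actually carries a value; `--gpg` as the last argument yields an empty `GPG` and the second `shift` runs with no positional parameters left, which in a POSIX sh aborts the script with a shell error instead of a usage message. Add a guard before the assignment, e.g. `test $# -ge 2 || { echo "$0: --gpg requires an argument" 1>&2; exit 1; }`, and the same for `--tar` in the next hunk. The value is later expanded unquoted as `$GPG ...`, so a path containing spaces is word-split; that is pre-existing, but a comment stating the argument is deliberately treated as a command word list would prevent a well-meant quoting fix from breaking the `--gpg "gpg2 --batch"` style of use.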
@@ -126,8 +128,8 @@ while test $# -gt 0 ; do done if test x$create = xyes ; then -# echo "$TAR -cf - "$@" | $GPG --set-filename x.tar $gpg_args" 1>&2 - $TAR -cf - "$@" | $GPG --set-filename x.tar $gpg_args +# echo "$TAR $tar_args -cf - "$@" | $GPG --set-filename x.tar $gpg_args" 1>&2 + $TAR $tar_args -cf - "$@" | $GPG --set-filename x.tar $gpg_args elif test x$list = xyes ; then # echo "cat \"$1\" | $GPG $gpg_args | $TAR $tar_args -tf -" 1>&2 cat "$1" | $GPG $gpg_args | $TAR $tar_args -tf -
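Review bot: `$TAR $tar_args -cf - "$@" | $GPG --set-filename x.tar $gpg_args` exposes only gpg's exit status, so a tar failure (unreadable member, permission denied) produces a truncated stream that is still encrypted or signed and the pipeline reports success; the archive step's status should be checked. Plain sh has no `pipefail`, so either archive to a temporary file and test tar's status before invoking gpg, or at least document the limitation: `# NOTE: only gpg's exit status is visible here; a tar error yields a truncated but valid-looking output.` The newly applied `$tar_args` is intentionally unquoted so that several flags can be passed, which means individual arguments containing spaces cannot be; a comment saying so would stop a later quoting cleanup from changing behaviour.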