Broken ECDSA in gnupg 2.0.23

Anatol Pomozov anatol.pomozov at gmail.com
Sat Jun 21 15:14:55 CEST 2014


Hi

On Sat, Jun 21, 2014 at 2:32 AM, Werner Koch <wk at gnupg.org> wrote:
> On Sat, 21 Jun 2014 06:22, anatol.pomozov at gmail.com said:
>
>> Our users claim that this started since libgcrypt 1.6.0 update. With
>> libgcrypt 1.5+ gpg-agent worked without a problem. Some people tried
>
> Which Libgcrypt version is that? 1.6.0 or 1.6.1 ?

The latest stable i.e. 1.6.1.

I looked at the list of API changes for libgcrypt 1.6.0
http://upstream-tracker.org/changelogs/libgcrypt/1.6.0/changelog.html
and see "The algorithm ids GCRY_PK_ECDSA and GCRY_PK_ECDH are now
deprecated. Use GCRY_PK_ECC if you need an algorithm id.".

The libgcrypt functions such as gcry_pk_map_name() return GCRY_PK_ECC
instead of GCRY_PK_ECDSA. So I modified gnupg 2.0.23 sources with this
patch:

diff --git a/common/ssh-utils.c b/common/ssh-utils.c
index d8f057d..987966f 100644
--- a/common/ssh-utils.c
+++ b/common/ssh-utils.c
@@ -89,7 +89,7 @@ get_fingerprint (gcry_sexp_t key, void **r_fpr, size_t *r_len,
elems = "pqgy";
gcry_md_write (md, "\0\0\0\x07ssh-dss", 11);
break;
- case GCRY_PK_ECDSA:
+ case GCRY_PK_ECC:
/* We only support the 3 standard curves for now. It is just a
quick hack. */
elems = "q";
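
Review bot: In get_fingerprint the `case GCRY_PK_ECDSA:` label is replaced rather than supplemented, so a build against a libgcrypt that still reports GCRY_PK_ECDSA would no longer reach this branch. Keeping both labels (`case GCRY_PK_ECDSA:` directly above `case GCRY_PK_ECC:`, with a guard if the older header lacks GCRY_PK_ECC) would cover both library versions. The changelog quoted above says GCRY_PK_ECC also replaces GCRY_PK_ECDH, so this branch now matches more than ECDSA keys; given the comment "We only support the 3 standard curves", it is worth confirming that the code following the hunk rejects any other curve or key type with an error instead of hashing it as an ECDSA fingerprint.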



Now I am able to add an ECDSA key via ssh-add:

[anatol at foo gnupg]$ ps ax | grep agent
8921 ? Ss 0:00 gpg-agent --daemon --enable-ssh-support
[anatol at foo gnupg]$ echo $SSH_AUTH_SOCK
/tmp/gpg-MQPevx/S.gpg-agent.ssh
[anatol at foo gnupg]$ echo $SSH_AGENT_PID
8921
[anatol at foo gnupg]$ ssh-add -l
2048 f4:a7:bd:43:fc:aa:ab:f2:f2:ff:6b:f3:9b:37:96:be /home/anatol/.ssh/id_rsa (RSA)
521 87:e8:e1:f6:1b:64:aa:58:ff:97:1a:20:5d:91:46:d7 /home/anatol/.ssh/id_ecdsa (ECDSA)

I do not know if there are other libgcrypt 1.6 related problems. But
at least I can 'ssh' into my machine without typing the passphrase
now.


>> http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=21dab64030c95a909767bf6d8f99e8476f9df8a2
>> that fixes ECC for libgcrypt 1.6. gnupg developers, do you think that
>
> That is not related.  The ssh-agent support is implemented in gpg-agent
> and thus not affected by this patch.
>
>
> Salam-Shalom,
>
>    Werner
>
>
> --
> Thoughts are free.  Exceptions are regulated by a federal law.
>


