[Assword] [PATCH] use ENCRYPT_NO_COMPRESS if available
Jameson Graef Rollins
jrollins at finestructure.net
Fri May 9 14:20:05 EDT 2014
On Thu, May 08 2014, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> The CRIME attacks on TLS showed that repeated compression of a message
> with a variant component can leak some information about the plaintext
> if an attacker knows something about the variant.
>
> While it seems unlikely that such an attack applies directly to
> assword, it's possible that some use of assword in an automated
> situation could fit this attack profile.
>
> Upcoming versions of gpgme should support a GPGME_ENCRYPT_NO_COMPRESS
> option. python-gpgme should add support for it once gpgme exposes the
> flag. The use of this flag should invalidate any CRIME-style attacks.
>
> See the IETF OpenPGP WG list for discussion about how CRIME might or
> might not apply to:
>
> https://www.ietf.org/mail-archive/web/openpgp/current/msg07252.html
>
> Note that this fix will only take effect once the dependent libraries
> are themselves updated to document and support the ENCRYPT_NO_COMPRESS
> flag during encrypt() and encrypt_sign() functions.
> ---
> assword.py | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/assword.py b/assword.py
> index 28af9f5..61bf664 100644
> --- a/assword.py
> +++ b/assword.py
> @@ -120,11 +120,16 @@ class Database():
> signer = self._gpg.get_key(keyid or self._keyid)
> except:
> raise DatabaseError('Could not retrieve GPG encryption key.')
> + flags = gpgme.ENCRYPT_ALWAYS_TRUST
> + try:
> + flags |= gpgme.ENCRYPT_NO_COMPRESS
> + except AttributeError:
> + pass
> self._gpg.signers = [signer]
> encdata = io.BytesIO()
> data.seek(0)
> sigs = self._gpg.encrypt_sign([recipient],
> - gpgme.ENCRYPT_ALWAYS_TRUST,
> + flags,
> data,
> encdata)
> encdata.seek(0)
> --
> 2.0.0.rc0
pushed. thanks.
jamie.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 818 bytes
Desc: not available
URL: <https://lists.mayfirst.org/mailman/private/assword/attachments/20140509/2ec7f09c/attachment.pgp>
More information about the Assword
mailing list