mirror of
https://git.yoctoproject.org/poky
synced 2026-06-02 13:29:49 +00:00
libgcrypt: Security fix CVE-2021-33560
Source: https://sources.debian.org/patches/libgcrypt20/1.8.4-5+deb10u1 MR: 111591 Type: Security Fix Disposition: Backport from https://sources.debian.org/data/main/libg/libgcrypt20/1.8.4-5%2Bdeb10u1/debian/patches/31_cipher-Fix-ElGamal-encryption-for-other-implementati.patch ChangeID: d066a9baacc0d967dd80ac54c684cde031ac686e Description: Affects before 1.8.8 and 1.9.x before 1.9.3 (From OE-Core rev: 7de5e19a668f268f0cc56617a9f5760054acb5f5) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Armin Kuster
committed by
Richard Purdie
Richard Purdie
parent
2bd92c7e47
commit
6038399048
@@ -0,0 +1,109 @@
|
||||
From 707c3c5c511ee70ad0e39ec613471f665305fbea Mon Sep 17 00:00:00 2001
|
||||
From: NIIBE Yutaka <gniibe@fsij.org>
|
||||
Date: Fri, 21 May 2021 11:15:07 +0900
|
||||
Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations.
|
||||
|
||||
* cipher/elgamal.c (gen_k): Remove support of smaller K.
|
||||
(do_encrypt): Never use smaller K.
|
||||
(sign): Folllow the change of gen_k.
|
||||
|
||||
--
|
||||
|
||||
Cherry-pick master commit of:
|
||||
632d80ef30e13de6926d503aa697f92b5dbfbc5e
|
||||
|
||||
This change basically reverts encryption changes in two commits:
|
||||
|
||||
74386120dad6b3da62db37f7044267c8ef34689b
|
||||
78531373a342aeb847950f404343a05e36022065
|
||||
|
||||
Use of smaller K for ephemeral key in ElGamal encryption is only good,
|
||||
when we can guarantee that recipient's key is generated by our
|
||||
implementation (or compatible).
|
||||
|
||||
For detail, please see:
|
||||
|
||||
Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
|
||||
"On the (in)security of ElGamal in OpenPGP";
|
||||
in the proceedings of CCS'2021.
|
||||
|
||||
CVE-id: CVE-2021-33560
|
||||
GnuPG-bug-id: 5328
|
||||
Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
|
||||
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
||||
|
||||
Upstream-Status: Backport
|
||||
CVE: CVE-2021-33560
|
||||
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
||||
---
|
||||
cipher/elgamal.c | 24 ++++++------------------
|
||||
1 file changed, 6 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/cipher/elgamal.c b/cipher/elgamal.c
|
||||
index 4eb52d62..ae7a631e 100644
|
||||
--- a/cipher/elgamal.c
|
||||
+++ b/cipher/elgamal.c
|
||||
@@ -66,7 +66,7 @@ static const char *elg_names[] =
|
||||
|
||||
|
||||
static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
|
||||
-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
|
||||
+static gcry_mpi_t gen_k (gcry_mpi_t p);
|
||||
static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
|
||||
gcry_mpi_t **factors);
|
||||
static int check_secret_key (ELG_secret_key *sk);
|
||||
@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
|
||||
|
||||
/****************
|
||||
* Generate a random secret exponent k from prime p, so that k is
|
||||
- * relatively prime to p-1. With SMALL_K set, k will be selected for
|
||||
- * better encryption performance - this must never be used signing!
|
||||
+ * relatively prime to p-1.
|
||||
*/
|
||||
static gcry_mpi_t
|
||||
-gen_k( gcry_mpi_t p, int small_k )
|
||||
+gen_k( gcry_mpi_t p )
|
||||
{
|
||||
gcry_mpi_t k = mpi_alloc_secure( 0 );
|
||||
gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
|
||||
@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
|
||||
unsigned int nbits, nbytes;
|
||||
char *rndbuf = NULL;
|
||||
|
||||
- if (small_k)
|
||||
- {
|
||||
- /* Using a k much lesser than p is sufficient for encryption and
|
||||
- * it greatly improves the encryption performance. We use
|
||||
- * Wiener's table and add a large safety margin. */
|
||||
- nbits = wiener_map( orig_nbits ) * 3 / 2;
|
||||
- if( nbits >= orig_nbits )
|
||||
- BUG();
|
||||
- }
|
||||
- else
|
||||
- nbits = orig_nbits;
|
||||
-
|
||||
+ nbits = orig_nbits;
|
||||
|
||||
nbytes = (nbits+7)/8;
|
||||
if( DBG_CIPHER )
|
||||
@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
|
||||
* error code.
|
||||
*/
|
||||
|
||||
- k = gen_k( pkey->p, 1 );
|
||||
+ k = gen_k( pkey->p );
|
||||
mpi_powm (a, pkey->g, k, pkey->p);
|
||||
|
||||
/* b = (y^k * input) mod p
|
||||
@@ -594,7 +582,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
|
||||
*
|
||||
*/
|
||||
mpi_sub_ui(p_1, p_1, 1);
|
||||
- k = gen_k( skey->p, 0 /* no small K ! */ );
|
||||
+ k = gen_k( skey->p );
|
||||
mpi_powm( a, skey->g, k, skey->p );
|
||||
mpi_mul(t, skey->x, a );
|
||||
mpi_subm(t, input, t, p_1 );
|
||||
--
|
||||
2.30.2
|
||||
|
||||
@@ -28,6 +28,7 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
|
||||
file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \
|
||||
file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \
|
||||
file://determinism.patch \
|
||||
file://CVE-2021-33560.patch \
|
||||
"
|
||||
SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743"
|
||||
SRC_URI[sha256sum] = "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3"
|
||||
|
||||
Reference in New Issue
Block a user