import libgcrypt-1.8.5-6.el8

2021-06-29 17:55:29 +00:00 · 2021-06-29 17:55:29 +00:00 · 560d09fcdf
commit 560d09fcdf
parent 5898546e10
4 changed files with 3649 additions and 1 deletions
--- a/SOURCES/libgcrypt-1.8.5-fips-hwfeatures.patch
+++ b/SOURCES/libgcrypt-1.8.5-fips-hwfeatures.patch
@ -0,0 +1,13 @@
 diff -up libgcrypt-1.8.5/src/hwfeatures.c.hw-fips libgcrypt-1.8.5/src/hwfeatures.c
 --- libgcrypt-1.8.5/src/hwfeatures.c.hw-fips	2021-06-25 11:55:55.843819137 +0200
 +++ libgcrypt-1.8.5/src/hwfeatures.c	2021-06-25 11:56:00.925895390 +0200
@@ -205,9 +205,6 @@ _gcry_detect_hw_features (void)
 {
   hw_features = 0;
 -  if (fips_mode ())
 -    return; /* Hardware support is not to be evaluated.  */
 -
   parse_hwf_deny_file ();
 #if defined (HAVE_CPU_ARCH_X86)
--- a/SOURCES/libgcrypt-1.8.5-ppc-chacha20-poly1305.patch
+++ b/SOURCES/libgcrypt-1.8.5-ppc-chacha20-poly1305.patch
--- a/SOURCES/libgcrypt-1.9.3-CVE-2021-33560.patch
+++ b/SOURCES/libgcrypt-1.9.3-CVE-2021-33560.patch
@ -0,0 +1,100 @@
 commit 3462280f2e23e16adf3ed5176e0f2413d8861320
 Author: NIIBE Yutaka <gniibe@fsij.org>
 Date:   Fri May 21 11:15:07 2021 +0900
    cipher: Fix ElGamal encryption for other implementations.
    * cipher/elgamal.c (gen_k): Remove support of smaller K.
    (do_encrypt): Never use smaller K.
    (sign): Folllow the change of gen_k.
    --
    Cherry-pick master commit of:
            632d80ef30e13de6926d503aa697f92b5dbfbc5e
    This change basically reverts encryption changes in two commits:
            74386120dad6b3da62db37f7044267c8ef34689b
            78531373a342aeb847950f404343a05e36022065
    Use of smaller K for ephemeral key in ElGamal encryption is only good,
    when we can guarantee that recipient's key is generated by our
    implementation (or compatible).
    For detail, please see:
        Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
        "On the (in)security of ElGamal in OpenPGP";
        in the proceedings of  CCS'2021.
    CVE-id: CVE-2021-33560
    GnuPG-bug-id: 5328
    Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
    Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 diff --git a/cipher/elgamal.c b/cipher/elgamal.c
 index 9835122f..eead4502 100644
 --- a/cipher/elgamal.c
 +++ b/cipher/elgamal.c
@@ -66,7 +66,7 @@ static const char *elg_names[] =
 static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
 -static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
 +static gcry_mpi_t gen_k (gcry_mpi_t p);
 static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
                                  gcry_mpi_t **factors);
 static int  check_secret_key (ELG_secret_key *sk);
@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
 /****************
  * Generate a random secret exponent k from prime p, so that k is
 - * relatively prime to p-1.  With SMALL_K set, k will be selected for
 - * better encryption performance - this must never be used signing!
 + * relatively prime to p-1.
  */
 static gcry_mpi_t
 -gen_k( gcry_mpi_t p, int small_k )
 +gen_k( gcry_mpi_t p )
 {
   gcry_mpi_t k = mpi_alloc_secure( 0 );
   gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
   unsigned int nbits, nbytes;
   char *rndbuf = NULL;
 -  if (small_k)
 -    {
 -      /* Using a k much lesser than p is sufficient for encryption and
 -       * it greatly improves the encryption performance.  We use
 -       * Wiener's table and add a large safety margin. */
 -      nbits = wiener_map( orig_nbits ) * 3 / 2;
 -      if( nbits >= orig_nbits )
 -        BUG();
 -    }
 -  else
 -    nbits = orig_nbits;
 -
 +  nbits = orig_nbits;
   nbytes = (nbits+7)/8;
   if( DBG_CIPHER )
@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
    * error code.
    */
 -  k = gen_k( pkey->p, 1 );
 +  k = gen_k( pkey->p );
   mpi_powm (a, pkey->g, k, pkey->p);
   /* b = (y^k * input) mod p
@@ -608,7 +596,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
     *
     */
     mpi_sub_ui(p_1, p_1, 1);
 -    k = gen_k( skey->p, 0 /* no small K ! */ );
 +    k = gen_k( skey->p );
     mpi_powm( a, skey->g, k, skey->p );
     mpi_mul(t, skey->x, a );
     mpi_subm(t, input, t, p_1 );
--- a/SPECS/libgcrypt.spec
+++ b/SPECS/libgcrypt.spec
@ -1,6 +1,6 @@
 Name: libgcrypt
 Version: 1.8.5
-Release: 5%{?dist}
+Release: 6%{?dist}
 URL: http://www.gnupg.org/
 Source0: libgcrypt-%{version}-hobbled.tar.xz
 # The original libgcrypt sources now contain potentially patented ECC
@ -61,6 +61,12 @@ Patch34: libgcrypt-1.8.5-ppc-crc32.patch
 Patch35: libgcrypt-1.8.5-ppc-bugfix.patch
 # ppc64 performance AES-GCM (#1855231)
 Patch36: libgcrypt-1.8.5-ppc-aes-gcm.patch
 # ppc64 performance AES-GCM (#1855231)
 Patch37: libgcrypt-1.9.3-CVE-2021-33560.patch
 # We can use HW optimizations in FIPS (#1976137)
 Patch38: libgcrypt-1.8.5-fips-hwfeatures.patch
 # ppc64 performance chacha20 and poly1305 (#1855231)
 Patch39: libgcrypt-1.8.5-ppc-chacha20-poly1305.patch
 %define gcrylibdir %{_libdir}
@ -118,6 +124,9 @@ applications using libgcrypt.
 %patch34 -p1 -b .ppc-crc32
 %patch35 -p1 -b .ppc-bugfix
 %patch36 -p1 -b .ppc-aes-gcm
 %patch37 -p1 -b .CVE-2021-33560
 %patch38 -p1 -b .hw-fips
 %patch39 -p1 -b .ppc-chacha
 cp %{SOURCE4} cipher/
 cp %{SOURCE5} %{SOURCE6} tests/
@ -233,6 +242,11 @@ exit 0
 %license COPYING
 %changelog
 * Mon Jun 28 2021 Jakub Jelen <jjelen@redhat.com> - 1.8.5-6
 - Fix for CVE-2021-33560 (#1971421)
 - Enable HW optimizations in FIPS (#1976137)
 - Performance enchancements for ChaCha20 and Poly1305 (#1855231)
 * Thu May 13 2021 Jakub Jelen <jjelen@redhat.com> - 1.8.5-5
 - Performance enchancements for AES-GCM, CRC32 and SHA2 (#1855231)