Fix for CVE-2021-33560
Resolves: rhbz#1971422
This commit is contained in:
parent
b117db4efa
commit
a9a8b1b181
100
libgcrypt-1.9.3-CVE-2021-33560.patch
Normal file
100
libgcrypt-1.9.3-CVE-2021-33560.patch
Normal file
@ -0,0 +1,100 @@
|
|||||||
|
commit 3462280f2e23e16adf3ed5176e0f2413d8861320
|
||||||
|
Author: NIIBE Yutaka <gniibe@fsij.org>
|
||||||
|
Date: Fri May 21 11:15:07 2021 +0900
|
||||||
|
|
||||||
|
cipher: Fix ElGamal encryption for other implementations.
|
||||||
|
|
||||||
|
* cipher/elgamal.c (gen_k): Remove support of smaller K.
|
||||||
|
(do_encrypt): Never use smaller K.
|
||||||
|
(sign): Folllow the change of gen_k.
|
||||||
|
|
||||||
|
--
|
||||||
|
|
||||||
|
Cherry-pick master commit of:
|
||||||
|
632d80ef30e13de6926d503aa697f92b5dbfbc5e
|
||||||
|
|
||||||
|
This change basically reverts encryption changes in two commits:
|
||||||
|
|
||||||
|
74386120dad6b3da62db37f7044267c8ef34689b
|
||||||
|
78531373a342aeb847950f404343a05e36022065
|
||||||
|
|
||||||
|
Use of smaller K for ephemeral key in ElGamal encryption is only good,
|
||||||
|
when we can guarantee that recipient's key is generated by our
|
||||||
|
implementation (or compatible).
|
||||||
|
|
||||||
|
For detail, please see:
|
||||||
|
|
||||||
|
Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
|
||||||
|
"On the (in)security of ElGamal in OpenPGP";
|
||||||
|
in the proceedings of CCS'2021.
|
||||||
|
|
||||||
|
CVE-id: CVE-2021-33560
|
||||||
|
GnuPG-bug-id: 5328
|
||||||
|
Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
|
||||||
|
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
||||||
|
|
||||||
|
diff --git a/cipher/elgamal.c b/cipher/elgamal.c
|
||||||
|
index 9835122f..eead4502 100644
|
||||||
|
--- a/cipher/elgamal.c
|
||||||
|
+++ b/cipher/elgamal.c
|
||||||
|
@@ -66,7 +66,7 @@ static const char *elg_names[] =
|
||||||
|
|
||||||
|
|
||||||
|
static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
|
||||||
|
-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
|
||||||
|
+static gcry_mpi_t gen_k (gcry_mpi_t p);
|
||||||
|
static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
|
||||||
|
gcry_mpi_t **factors);
|
||||||
|
static int check_secret_key (ELG_secret_key *sk);
|
||||||
|
@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
|
||||||
|
|
||||||
|
/****************
|
||||||
|
* Generate a random secret exponent k from prime p, so that k is
|
||||||
|
- * relatively prime to p-1. With SMALL_K set, k will be selected for
|
||||||
|
- * better encryption performance - this must never be used signing!
|
||||||
|
+ * relatively prime to p-1.
|
||||||
|
*/
|
||||||
|
static gcry_mpi_t
|
||||||
|
-gen_k( gcry_mpi_t p, int small_k )
|
||||||
|
+gen_k( gcry_mpi_t p )
|
||||||
|
{
|
||||||
|
gcry_mpi_t k = mpi_alloc_secure( 0 );
|
||||||
|
gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
|
||||||
|
@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
|
||||||
|
unsigned int nbits, nbytes;
|
||||||
|
char *rndbuf = NULL;
|
||||||
|
|
||||||
|
- if (small_k)
|
||||||
|
- {
|
||||||
|
- /* Using a k much lesser than p is sufficient for encryption and
|
||||||
|
- * it greatly improves the encryption performance. We use
|
||||||
|
- * Wiener's table and add a large safety margin. */
|
||||||
|
- nbits = wiener_map( orig_nbits ) * 3 / 2;
|
||||||
|
- if( nbits >= orig_nbits )
|
||||||
|
- BUG();
|
||||||
|
- }
|
||||||
|
- else
|
||||||
|
- nbits = orig_nbits;
|
||||||
|
-
|
||||||
|
+ nbits = orig_nbits;
|
||||||
|
|
||||||
|
nbytes = (nbits+7)/8;
|
||||||
|
if( DBG_CIPHER )
|
||||||
|
@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
|
||||||
|
* error code.
|
||||||
|
*/
|
||||||
|
|
||||||
|
- k = gen_k( pkey->p, 1 );
|
||||||
|
+ k = gen_k( pkey->p );
|
||||||
|
mpi_powm (a, pkey->g, k, pkey->p);
|
||||||
|
|
||||||
|
/* b = (y^k * input) mod p
|
||||||
|
@@ -608,7 +596,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
mpi_sub_ui(p_1, p_1, 1);
|
||||||
|
- k = gen_k( skey->p, 0 /* no small K ! */ );
|
||||||
|
+ k = gen_k( skey->p );
|
||||||
|
mpi_powm( a, skey->g, k, skey->p );
|
||||||
|
mpi_mul(t, skey->x, a );
|
||||||
|
mpi_subm(t, input, t, p_1 );
|
@ -48,6 +48,8 @@ Patch27: libgcrypt-1.8.3-md-fips-enforce.patch
|
|||||||
Patch28: libgcrypt-1.8.5-intel-cet.patch
|
Patch28: libgcrypt-1.8.5-intel-cet.patch
|
||||||
# FIPS module is redefined a little bit (implicit by kernel FIPS mode)
|
# FIPS module is redefined a little bit (implicit by kernel FIPS mode)
|
||||||
Patch30: libgcrypt-1.8.5-fips-module.patch
|
Patch30: libgcrypt-1.8.5-fips-module.patch
|
||||||
|
# Fix for CVE-2021-33560
|
||||||
|
Patch31: libgcrypt-1.9.3-CVE-2021-33560.patch
|
||||||
|
|
||||||
%global gcrylibdir %{_libdir}
|
%global gcrylibdir %{_libdir}
|
||||||
%global gcrysoname libgcrypt.so.20
|
%global gcrysoname libgcrypt.so.20
|
||||||
@ -97,6 +99,7 @@ applications using libgcrypt.
|
|||||||
%patch27 -p1 -b .fips-enforce
|
%patch27 -p1 -b .fips-enforce
|
||||||
%patch28 -p1 -b .intel-cet
|
%patch28 -p1 -b .intel-cet
|
||||||
%patch30 -p1 -b .fips-module
|
%patch30 -p1 -b .fips-module
|
||||||
|
%patch31 -p1 -b .CVE-2021-33560
|
||||||
|
|
||||||
cp %{SOURCE4} cipher/
|
cp %{SOURCE4} cipher/
|
||||||
cp %{SOURCE5} %{SOURCE6} %{SOURCE8} tests/
|
cp %{SOURCE5} %{SOURCE6} %{SOURCE8} tests/
|
||||||
|
Loading…
Reference in New Issue
Block a user