import libgcrypt-1.8.5-7.el8_6
This commit is contained in:
parent
77016c323b
commit
baf5f31474
67
SOURCES/libgcrypt-1.8.5-elgamal-blinding.patch
Normal file
67
SOURCES/libgcrypt-1.8.5-elgamal-blinding.patch
Normal file
@ -0,0 +1,67 @@
|
|||||||
|
commit e8b7f10be275bcedb5fc05ed4837a89bfd605c61
|
||||||
|
Author: NIIBE Yutaka <gniibe@fsij.org>
|
||||||
|
Date: Tue Apr 13 10:00:00 2021 +0900
|
||||||
|
|
||||||
|
cipher: Hardening ElGamal by introducing exponent blinding too.
|
||||||
|
|
||||||
|
* cipher/elgamal.c (do_encrypt): Also do exponent blinding.
|
||||||
|
|
||||||
|
--
|
||||||
|
|
||||||
|
Base blinding had been introduced with USE_BLINDING. This patch add
|
||||||
|
exponent blinding as well to mitigate side-channel attack on mpi_powm.
|
||||||
|
|
||||||
|
GnuPG-bug-id: 5328
|
||||||
|
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
|
||||||
|
|
||||||
|
diff --git a/cipher/elgamal.c b/cipher/elgamal.c
|
||||||
|
index 4eb52d62..9835122f 100644
|
||||||
|
--- a/cipher/elgamal.c
|
||||||
|
+++ b/cipher/elgamal.c
|
||||||
|
@@ -522,8 +522,9 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
|
||||||
|
static void
|
||||||
|
decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey )
|
||||||
|
{
|
||||||
|
- gcry_mpi_t t1, t2, r;
|
||||||
|
+ gcry_mpi_t t1, t2, r, r1, h;
|
||||||
|
unsigned int nbits = mpi_get_nbits (skey->p);
|
||||||
|
+ gcry_mpi_t x_blind;
|
||||||
|
|
||||||
|
mpi_normalize (a);
|
||||||
|
mpi_normalize (b);
|
||||||
|
@@ -534,20 +535,33 @@ decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey )
|
||||||
|
|
||||||
|
t2 = mpi_snew (nbits);
|
||||||
|
r = mpi_new (nbits);
|
||||||
|
+ r1 = mpi_new (nbits);
|
||||||
|
+ h = mpi_new (nbits);
|
||||||
|
+ x_blind = mpi_snew (nbits);
|
||||||
|
|
||||||
|
/* We need a random number of about the prime size. The random
|
||||||
|
number merely needs to be unpredictable; thus we use level 0. */
|
||||||
|
_gcry_mpi_randomize (r, nbits, GCRY_WEAK_RANDOM);
|
||||||
|
|
||||||
|
+ /* Also, exponent blinding: x_blind = x + (p-1)*r1 */
|
||||||
|
+ _gcry_mpi_randomize (r1, nbits, GCRY_WEAK_RANDOM);
|
||||||
|
+ mpi_set_highbit (r1, nbits - 1);
|
||||||
|
+ mpi_sub_ui (h, skey->p, 1);
|
||||||
|
+ mpi_mul (x_blind, h, r1);
|
||||||
|
+ mpi_add (x_blind, skey->x, x_blind);
|
||||||
|
+
|
||||||
|
/* t1 = r^x mod p */
|
||||||
|
- mpi_powm (t1, r, skey->x, skey->p);
|
||||||
|
+ mpi_powm (t1, r, x_blind, skey->p);
|
||||||
|
/* t2 = (a * r)^-x mod p */
|
||||||
|
mpi_mulm (t2, a, r, skey->p);
|
||||||
|
- mpi_powm (t2, t2, skey->x, skey->p);
|
||||||
|
+ mpi_powm (t2, t2, x_blind, skey->p);
|
||||||
|
mpi_invm (t2, t2, skey->p);
|
||||||
|
/* t1 = (t1 * t2) mod p*/
|
||||||
|
mpi_mulm (t1, t1, t2, skey->p);
|
||||||
|
|
||||||
|
+ mpi_free (x_blind);
|
||||||
|
+ mpi_free (h);
|
||||||
|
+ mpi_free (r1);
|
||||||
|
mpi_free (r);
|
||||||
|
mpi_free (t2);
|
||||||
|
|
@ -1,6 +1,6 @@
|
|||||||
Name: libgcrypt
|
Name: libgcrypt
|
||||||
Version: 1.8.5
|
Version: 1.8.5
|
||||||
Release: 6%{?dist}
|
Release: 7%{?dist}
|
||||||
URL: http://www.gnupg.org/
|
URL: http://www.gnupg.org/
|
||||||
Source0: libgcrypt-%{version}-hobbled.tar.xz
|
Source0: libgcrypt-%{version}-hobbled.tar.xz
|
||||||
# The original libgcrypt sources now contain potentially patented ECC
|
# The original libgcrypt sources now contain potentially patented ECC
|
||||||
@ -61,12 +61,14 @@ Patch34: libgcrypt-1.8.5-ppc-crc32.patch
|
|||||||
Patch35: libgcrypt-1.8.5-ppc-bugfix.patch
|
Patch35: libgcrypt-1.8.5-ppc-bugfix.patch
|
||||||
# ppc64 performance AES-GCM (#1855231)
|
# ppc64 performance AES-GCM (#1855231)
|
||||||
Patch36: libgcrypt-1.8.5-ppc-aes-gcm.patch
|
Patch36: libgcrypt-1.8.5-ppc-aes-gcm.patch
|
||||||
# ppc64 performance AES-GCM (#1855231)
|
# Fix elgamal cross-configuration (CVE-2021-40528)
|
||||||
Patch37: libgcrypt-1.9.3-CVE-2021-33560.patch
|
Patch37: libgcrypt-1.9.3-CVE-2021-40528.patch
|
||||||
# We can use HW optimizations in FIPS (#1976137)
|
# We can use HW optimizations in FIPS (#1976137)
|
||||||
Patch38: libgcrypt-1.8.5-fips-hwfeatures.patch
|
Patch38: libgcrypt-1.8.5-fips-hwfeatures.patch
|
||||||
# ppc64 performance chacha20 and poly1305 (#1855231)
|
# ppc64 performance chacha20 and poly1305 (#1855231)
|
||||||
Patch39: libgcrypt-1.8.5-ppc-chacha20-poly1305.patch
|
Patch39: libgcrypt-1.8.5-ppc-chacha20-poly1305.patch
|
||||||
|
# Fix CVE-2021-33560 (elgamal blinding)
|
||||||
|
Patch40: libgcrypt-1.8.5-elgamal-blinding.patch
|
||||||
|
|
||||||
%define gcrylibdir %{_libdir}
|
%define gcrylibdir %{_libdir}
|
||||||
|
|
||||||
@ -124,9 +126,10 @@ applications using libgcrypt.
|
|||||||
%patch34 -p1 -b .ppc-crc32
|
%patch34 -p1 -b .ppc-crc32
|
||||||
%patch35 -p1 -b .ppc-bugfix
|
%patch35 -p1 -b .ppc-bugfix
|
||||||
%patch36 -p1 -b .ppc-aes-gcm
|
%patch36 -p1 -b .ppc-aes-gcm
|
||||||
%patch37 -p1 -b .CVE-2021-33560
|
%patch37 -p1 -b .CVE-2021-40528
|
||||||
%patch38 -p1 -b .hw-fips
|
%patch38 -p1 -b .hw-fips
|
||||||
%patch39 -p1 -b .ppc-chacha
|
%patch39 -p1 -b .ppc-chacha
|
||||||
|
%patch40 -p1 -b .elgamal-blinding
|
||||||
|
|
||||||
cp %{SOURCE4} cipher/
|
cp %{SOURCE4} cipher/
|
||||||
cp %{SOURCE5} %{SOURCE6} tests/
|
cp %{SOURCE5} %{SOURCE6} tests/
|
||||||
@ -242,8 +245,11 @@ exit 0
|
|||||||
%license COPYING
|
%license COPYING
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Apr 05 2022 Jakub Jelen <jjelen@redhat.com> - 1.8.5-7
|
||||||
|
- Fix CVE-2021-33560 (#2018525)
|
||||||
|
|
||||||
* Mon Jun 28 2021 Jakub Jelen <jjelen@redhat.com> - 1.8.5-6
|
* Mon Jun 28 2021 Jakub Jelen <jjelen@redhat.com> - 1.8.5-6
|
||||||
- Fix for CVE-2021-33560 (#1971421)
|
- Fix for CVE-2021-40528 (#1971421)
|
||||||
- Enable HW optimizations in FIPS (#1976137)
|
- Enable HW optimizations in FIPS (#1976137)
|
||||||
- Performance enchancements for ChaCha20 and Poly1305 (#1855231)
|
- Performance enchancements for ChaCha20 and Poly1305 (#1855231)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user