From e211638c1f8a6e6983a32a72432384c55d337702 Mon Sep 17 00:00:00 2001 From: James Antill Date: Mon, 27 Feb 2023 13:59:44 -0500 Subject: [PATCH] Import rpm: c8s --- .gitignore | 1 + libgcrypt-1.8.5-elgamal-blinding.patch | 67 +++++++++++++++++ libgcrypt-1.9.3-CVE-2021-40528.patch | 100 +++++++++++++++++++++++++ libgcrypt.spec | 16 ++-- 4 files changed, 179 insertions(+), 5 deletions(-) create mode 100644 libgcrypt-1.8.5-elgamal-blinding.patch create mode 100644 libgcrypt-1.9.3-CVE-2021-40528.patch diff --git a/.gitignore b/.gitignore index 5d38f46..06917fd 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ +SOURCES/libgcrypt-1.8.5-hobbled.tar.xz /libgcrypt-1.8.5-hobbled.tar.xz diff --git a/libgcrypt-1.8.5-elgamal-blinding.patch b/libgcrypt-1.8.5-elgamal-blinding.patch new file mode 100644 index 0000000..ea4496b --- /dev/null +++ b/libgcrypt-1.8.5-elgamal-blinding.patch @@ -0,0 +1,67 @@ +commit e8b7f10be275bcedb5fc05ed4837a89bfd605c61 +Author: NIIBE Yutaka +Date: Tue Apr 13 10:00:00 2021 +0900 + + cipher: Hardening ElGamal by introducing exponent blinding too. + + * cipher/elgamal.c (do_encrypt): Also do exponent blinding. + + -- + + Base blinding had been introduced with USE_BLINDING. This patch add + exponent blinding as well to mitigate side-channel attack on mpi_powm. + + GnuPG-bug-id: 5328 + Signed-off-by: NIIBE Yutaka + +diff --git a/cipher/elgamal.c b/cipher/elgamal.c +index 4eb52d62..9835122f 100644 +--- a/cipher/elgamal.c ++++ b/cipher/elgamal.c +@@ -522,8 +522,9 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey ) + static void + decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey ) + { +- gcry_mpi_t t1, t2, r; ++ gcry_mpi_t t1, t2, r, r1, h; + unsigned int nbits = mpi_get_nbits (skey->p); ++ gcry_mpi_t x_blind; + + mpi_normalize (a); + mpi_normalize (b); +@@ -534,20 +535,33 @@ decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey ) + + t2 = mpi_snew (nbits); + r = mpi_new (nbits); ++ r1 = mpi_new (nbits); ++ h = mpi_new (nbits); ++ x_blind = mpi_snew (nbits); + + /* We need a random number of about the prime size. The random + number merely needs to be unpredictable; thus we use level 0. */ + _gcry_mpi_randomize (r, nbits, GCRY_WEAK_RANDOM); + ++ /* Also, exponent blinding: x_blind = x + (p-1)*r1 */ ++ _gcry_mpi_randomize (r1, nbits, GCRY_WEAK_RANDOM); ++ mpi_set_highbit (r1, nbits - 1); ++ mpi_sub_ui (h, skey->p, 1); ++ mpi_mul (x_blind, h, r1); ++ mpi_add (x_blind, skey->x, x_blind); ++ + /* t1 = r^x mod p */ +- mpi_powm (t1, r, skey->x, skey->p); ++ mpi_powm (t1, r, x_blind, skey->p); + /* t2 = (a * r)^-x mod p */ + mpi_mulm (t2, a, r, skey->p); +- mpi_powm (t2, t2, skey->x, skey->p); ++ mpi_powm (t2, t2, x_blind, skey->p); + mpi_invm (t2, t2, skey->p); + /* t1 = (t1 * t2) mod p*/ + mpi_mulm (t1, t1, t2, skey->p); + ++ mpi_free (x_blind); ++ mpi_free (h); ++ mpi_free (r1); + mpi_free (r); + mpi_free (t2); + diff --git a/libgcrypt-1.9.3-CVE-2021-40528.patch b/libgcrypt-1.9.3-CVE-2021-40528.patch new file mode 100644 index 0000000..2161840 --- /dev/null +++ b/libgcrypt-1.9.3-CVE-2021-40528.patch @@ -0,0 +1,100 @@ +commit 3462280f2e23e16adf3ed5176e0f2413d8861320 +Author: NIIBE Yutaka +Date: Fri May 21 11:15:07 2021 +0900 + + cipher: Fix ElGamal encryption for other implementations. + + * cipher/elgamal.c (gen_k): Remove support of smaller K. + (do_encrypt): Never use smaller K. + (sign): Folllow the change of gen_k. + + -- + + Cherry-pick master commit of: + 632d80ef30e13de6926d503aa697f92b5dbfbc5e + + This change basically reverts encryption changes in two commits: + + 74386120dad6b3da62db37f7044267c8ef34689b + 78531373a342aeb847950f404343a05e36022065 + + Use of smaller K for ephemeral key in ElGamal encryption is only good, + when we can guarantee that recipient's key is generated by our + implementation (or compatible). + + For detail, please see: + + Luca De Feo, Bertram Poettering, Alessandro Sorniotti, + "On the (in)security of ElGamal in OpenPGP"; + in the proceedings of CCS'2021. + + CVE-id: CVE-2021-33560 + GnuPG-bug-id: 5328 + Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti + Signed-off-by: NIIBE Yutaka + +diff --git a/cipher/elgamal.c b/cipher/elgamal.c +index 9835122f..eead4502 100644 +--- a/cipher/elgamal.c ++++ b/cipher/elgamal.c +@@ -66,7 +66,7 @@ static const char *elg_names[] = + + + static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie); +-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k); ++static gcry_mpi_t gen_k (gcry_mpi_t p); + static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits, + gcry_mpi_t **factors); + static int check_secret_key (ELG_secret_key *sk); +@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie ) + + /**************** + * Generate a random secret exponent k from prime p, so that k is +- * relatively prime to p-1. With SMALL_K set, k will be selected for +- * better encryption performance - this must never be used signing! ++ * relatively prime to p-1. + */ + static gcry_mpi_t +-gen_k( gcry_mpi_t p, int small_k ) ++gen_k( gcry_mpi_t p ) + { + gcry_mpi_t k = mpi_alloc_secure( 0 ); + gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) ); +@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k ) + unsigned int nbits, nbytes; + char *rndbuf = NULL; + +- if (small_k) +- { +- /* Using a k much lesser than p is sufficient for encryption and +- * it greatly improves the encryption performance. We use +- * Wiener's table and add a large safety margin. */ +- nbits = wiener_map( orig_nbits ) * 3 / 2; +- if( nbits >= orig_nbits ) +- BUG(); +- } +- else +- nbits = orig_nbits; +- ++ nbits = orig_nbits; + + nbytes = (nbits+7)/8; + if( DBG_CIPHER ) +@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey ) + * error code. + */ + +- k = gen_k( pkey->p, 1 ); ++ k = gen_k( pkey->p ); + mpi_powm (a, pkey->g, k, pkey->p); + + /* b = (y^k * input) mod p +@@ -608,7 +596,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey ) + * + */ + mpi_sub_ui(p_1, p_1, 1); +- k = gen_k( skey->p, 0 /* no small K ! */ ); ++ k = gen_k( skey->p ); + mpi_powm( a, skey->g, k, skey->p ); + mpi_mul(t, skey->x, a ); + mpi_subm(t, input, t, p_1 ); diff --git a/libgcrypt.spec b/libgcrypt.spec index 52437c7..7c5de9f 100644 --- a/libgcrypt.spec +++ b/libgcrypt.spec @@ -1,6 +1,6 @@ Name: libgcrypt Version: 1.8.5 -Release: 6%{?dist} +Release: 7%{?dist} URL: http://www.gnupg.org/ Source0: libgcrypt-%{version}-hobbled.tar.xz # The original libgcrypt sources now contain potentially patented ECC @@ -61,12 +61,14 @@ Patch34: libgcrypt-1.8.5-ppc-crc32.patch Patch35: libgcrypt-1.8.5-ppc-bugfix.patch # ppc64 performance AES-GCM (#1855231) Patch36: libgcrypt-1.8.5-ppc-aes-gcm.patch -# ppc64 performance AES-GCM (#1855231) -Patch37: libgcrypt-1.9.3-CVE-2021-33560.patch +# Fix elgamal cross-configuration (CVE-2021-40528) +Patch37: libgcrypt-1.9.3-CVE-2021-40528.patch # We can use HW optimizations in FIPS (#1976137) Patch38: libgcrypt-1.8.5-fips-hwfeatures.patch # ppc64 performance chacha20 and poly1305 (#1855231) Patch39: libgcrypt-1.8.5-ppc-chacha20-poly1305.patch +# Fix CVE-2021-33560 (elgamal blinding) +Patch40: libgcrypt-1.8.5-elgamal-blinding.patch %define gcrylibdir %{_libdir} @@ -124,9 +126,10 @@ applications using libgcrypt. %patch34 -p1 -b .ppc-crc32 %patch35 -p1 -b .ppc-bugfix %patch36 -p1 -b .ppc-aes-gcm -%patch37 -p1 -b .CVE-2021-33560 +%patch37 -p1 -b .CVE-2021-40528 %patch38 -p1 -b .hw-fips %patch39 -p1 -b .ppc-chacha +%patch40 -p1 -b .elgamal-blinding cp %{SOURCE4} cipher/ cp %{SOURCE5} %{SOURCE6} tests/ @@ -242,8 +245,11 @@ exit 0 %license COPYING %changelog +* Tue Apr 05 2022 Jakub Jelen - 1.8.5-7 +- Fix CVE-2021-33560 (#2018525) + * Mon Jun 28 2021 Jakub Jelen - 1.8.5-6 -- Fix for CVE-2021-33560 (#1971421) +- Fix for CVE-2021-40528 (#1971421) - Enable HW optimizations in FIPS (#1976137) - Performance enchancements for ChaCha20 and Poly1305 (#1855231)