libgcrypt-1.9.4-1

This commit is contained in:
Jakub Jelen 2021-08-23 14:03:10 +02:00
parent 21fe8b5f71
commit ef01d2c6d0
8 changed files with 178 additions and 1345 deletions

1
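--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,4 @@ libgcrypt-1.4.5-hobbled.tar.bz2
 /libgcrypt-1.9.1-hobbled.tar.xz
 /libgcrypt-1.9.2-hobbled.tar.xz
 /libgcrypt-1.9.3-hobbled.tar.xz
+/libgcrypt-1.9.4-hobbled.tar.xz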

133
curves.c

@ -33,7 +33,7 @@
#include "t-common.h"
/* Number of curves defined in ../cipger/ecc-curves.c */
#define N_CURVES 19
#define N_CURVES 20
/* A real world sample public key. */
static char const sample_key_1[] =
@ -99,6 +99,119 @@ check_matching (void)
static void
check_get_params (void)
{
static struct {
int algo;
const char *name;
int error_expected;
} tv[] =
{
{ GCRY_PK_ECC, "Ed25519" },
{ GCRY_PK_ECC, "1.3.6.1.4.1.11591.15.1" },
{ GCRY_PK_ECC, "1.3.101.112" },
{ GCRY_PK_ECC, "Curve25519" },
{ GCRY_PK_ECC, "1.3.6.1.4.1.3029.1.5.1" },
{ GCRY_PK_ECC, "1.3.101.110" },
{ GCRY_PK_ECC, "X25519" },
{ GCRY_PK_ECC, "Ed448" },
{ GCRY_PK_ECC, "X448" },
{ GCRY_PK_ECC, "1.3.101.113" },
{ GCRY_PK_ECC, "1.3.101.111" },
{ GCRY_PK_ECC, "NIST P-192" },
{ GCRY_PK_ECC, "1.2.840.10045.3.1.1" },
{ GCRY_PK_ECC, "prime192v1" },
{ GCRY_PK_ECC, "secp192r1" },
{ GCRY_PK_ECC, "nistp192" },
{ GCRY_PK_ECC, "NIST P-224" },
{ GCRY_PK_ECC, "secp224r1" },
{ GCRY_PK_ECC, "1.3.132.0.33" },
{ GCRY_PK_ECC, "nistp224" },
{ GCRY_PK_ECC, "NIST P-256" },
{ GCRY_PK_ECC, "1.2.840.10045.3.1.7" },
{ GCRY_PK_ECC, "prime256v1" },
{ GCRY_PK_ECC, "secp256r1" },
{ GCRY_PK_ECC, "nistp256" },
{ GCRY_PK_ECC, "NIST P-384" },
{ GCRY_PK_ECC, "secp384r1" },
{ GCRY_PK_ECC, "1.3.132.0.34" },
{ GCRY_PK_ECC, "nistp384" },
{ GCRY_PK_ECC, "NIST P-521" },
{ GCRY_PK_ECC, "secp521r1" },
{ GCRY_PK_ECC, "1.3.132.0.35" },
{ GCRY_PK_ECC, "nistp521" },
{ GCRY_PK_ECC, "GOST2001-test" },
{ GCRY_PK_ECC, "1.2.643.2.2.35.0" },
{ GCRY_PK_ECC, "GOST2001-CryptoPro-A" },
{ GCRY_PK_ECC, "1.2.643.2.2.35.1" },
{ GCRY_PK_ECC, "GOST2001-CryptoPro-B" },
{ GCRY_PK_ECC, "1.2.643.2.2.35.2" },
{ GCRY_PK_ECC, "GOST2001-CryptoPro-C" },
{ GCRY_PK_ECC, "1.2.643.2.2.35.3" },
{ GCRY_PK_ECC, "GOST2001-CryptoPro-A" },
{ GCRY_PK_ECC, "GOST2001-CryptoPro-XchA" },
{ GCRY_PK_ECC, "GOST2001-CryptoPro-C" },
{ GCRY_PK_ECC, "GOST2001-CryptoPro-XchB" },
{ GCRY_PK_ECC, "GOST2001-CryptoPro-A" },
{ GCRY_PK_ECC, "1.2.643.2.2.36.0" },
{ GCRY_PK_ECC, "GOST2001-CryptoPro-C" },
{ GCRY_PK_ECC, "1.2.643.2.2.36.1" },
/* Noet that GOST2012-256-tc26-A" is only in the curve alias
* list but has no parameter entry. */
{ GCRY_PK_ECC, "GOST2001-CryptoPro-A" },
{ GCRY_PK_ECC, "1.2.643.7.1.2.1.1.2" },
{ GCRY_PK_ECC, "GOST2001-CryptoPro-A" },
{ GCRY_PK_ECC, "GOST2012-256-tc26-B" },
{ GCRY_PK_ECC, "GOST2001-CryptoPro-B" },
{ GCRY_PK_ECC, "1.2.643.7.1.2.1.1.3" },
{ GCRY_PK_ECC, "GOST2001-CryptoPro-B" },
{ GCRY_PK_ECC, "GOST2012-256-tc26-C" },
{ GCRY_PK_ECC, "GOST2001-CryptoPro-C" },
{ GCRY_PK_ECC, "1.2.643.7.1.2.1.1.4" },
{ GCRY_PK_ECC, "GOST2001-CryptoPro-C" },
{ GCRY_PK_ECC, "GOST2012-256-tc26-D" },
{ GCRY_PK_ECC, "GOST2012-512-test" },
{ GCRY_PK_ECC, "GOST2012-test" },
{ GCRY_PK_ECC, "GOST2012-512-test" },
{ GCRY_PK_ECC, "1.2.643.7.1.2.1.2.0" },
{ GCRY_PK_ECC, "GOST2012-512-tc26-A" },
{ GCRY_PK_ECC, "GOST2012-tc26-A" },
{ GCRY_PK_ECC, "GOST2012-512-tc26-B" },
{ GCRY_PK_ECC, "GOST2012-tc26-B" },
{ GCRY_PK_ECC, "GOST2012-512-tc26-A" },
{ GCRY_PK_ECC, "1.2.643.7.1.2.1.2.1" },
{ GCRY_PK_ECC, "GOST2012-512-tc26-B" },
{ GCRY_PK_ECC, "1.2.643.7.1.2.1.2.2" },
{ GCRY_PK_ECC, "GOST2012-512-tc26-C" },
{ GCRY_PK_ECC, "1.2.643.7.1.2.1.2.3" },
{ GCRY_PK_ECC, "secp256k1" },
{ GCRY_PK_ECC, "1.3.132.0.10" },
{ GCRY_PK_ECC, "sm2p256v1" },
{ GCRY_PK_ECC, "1.2.156.10197.1.301" },
/* Check also the ECC algo mapping. */
{ GCRY_PK_ECDSA, "Ed25519" },
{ GCRY_PK_EDDSA, "Ed25519" },
{ GCRY_PK_ECDH, "Ed25519" },
{ GCRY_PK_ECDSA, "Curve25519" },
{ GCRY_PK_EDDSA, "Curve25519" },
{ GCRY_PK_ECDH, "Curve25519" },
{ GCRY_PK_ECC, "NoSuchCurve", 1 },
{ GCRY_PK_RSA, "rsa", 1 },
{ GCRY_PK_ELG, "elg", 1 },
{ GCRY_PK_DSA, "dsa", 1 }
};
int idx;
gcry_sexp_t param;
const char *name;
@ -114,6 +227,24 @@ check_get_params (void)
sample_key_1_curve, name);
gcry_sexp_release (param);
/* Some simple tests */
for (idx=0; idx < DIM (tv); idx++)
{
param = gcry_pk_get_param (tv[idx].algo, tv[idx].name);
if (!param)
{
if (!tv[idx].error_expected)
fail ("get_param: test %d (%s) failed\n", idx, tv[idx].name);
}
else
{
if (tv[idx].error_expected)
fail ("get_param: test %d (%s) failed (error expected)\n",
idx, tv[idx].name);
}
gcry_sexp_release (param);
}
}
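Review bot: The comment added with the GOST2012 rows of `tv[]` reads `Noet that GOST2012-256-tc26-A" is only in the curve alias` — a typo plus an unbalanced quote; suggest `/* Note that "GOST2012-256-tc26-A" is only in the curve alias list but has no parameter entry. */`. The `#define N_CURVES 20` bump in the first hunk appears to track the NIST P-192 entry this commit adds to the hobbled `domain_parms[]`, but that coupling is only visible by reading both files; a comment such as `/* Must equal the number of entries in the hobbled ../cipher/ecc-curves.c domain_parms[] */` next to the define would make the next rebase less error-prone (the unchanged comment above it also misspells the directory as `cipger`). `check_get_params` starts in the second hunk and its body is cut between the second and third hunk; in the loop added at the end, `gcry_sexp_release (param)` runs on both branches including when `param` is NULL, which is fine because libgcrypt's release is NULL-safe, so no change is needed there.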


@ -55,6 +55,11 @@ static const struct
{ "Ed448", "1.3.101.113" }, /* rfc8410 */
{ "X448", "1.3.101.111" }, /* rfc8410 */
{ "NIST P-192", "1.2.840.10045.3.1.1" }, /* X9.62 OID */
{ "NIST P-192", "prime192v1" }, /* X9.62 name. */
{ "NIST P-192", "secp192r1" }, /* SECP name. */
{ "NIST P-192", "nistp192" }, /* rfc5656. */
{ "NIST P-224", "secp224r1" },
{ "NIST P-224", "1.3.132.0.33" }, /* SECP OID. */
{ "NIST P-224", "nistp224" }, /* rfc5656. */
@ -194,6 +199,35 @@ static const ecc_domain_parms_t domain_parms[] =
"8DF3F6EDB8027E2346430D211312C4B150677AF76FD7223D457B5B1A",
4,
},
#if 0 /* No real specs yet found. */
{
/* x^2 + y^2 = 1 + 3617x^2y^2 mod 2^414 - 17 */
"Curve3617",
"0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEF",
MPI_EC_EDWARDS, 0,
"0x01",
"0x0e21",
"0x07FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEB3CC92414CF"
"706022B36F1C0338AD63CF181B0E71A5E106AF79",
"0x1A334905141443300218C0631C326E5FCD46369F44C03EC7F57FF35498A4AB4D"
"6D6BA111301A73FAA8537C64C4FD3812F3CBC595",
"0x22",
8
},
#endif /*0*/
{
"NIST P-192", 192, 0,
MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD,
"0xfffffffffffffffffffffffffffffffeffffffffffffffff",
"0xfffffffffffffffffffffffffffffffefffffffffffffffc",
"0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1",
"0xffffffffffffffffffffffff99def836146bc9b1b4d22831",
"0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012",
"0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811",
1
},
{
"NIST P-224", 224, 1,
MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD,
@ -1243,45 +1277,27 @@ _gcry_mpi_ec_new (gcry_ctx_t *r_ctx,
gcry_sexp_t
_gcry_ecc_get_param_sexp (const char *name)
{
unsigned int nbits;
elliptic_curve_t E;
mpi_ec_t ctx;
gcry_mpi_t g_x, g_y;
gcry_mpi_t pkey[5];
gcry_sexp_t result;
int i;
memset (&E, 0, sizeof E);
if (_gcry_ecc_fill_in_curve (0, name, &E, &nbits))
if (_gcry_ecc_fill_in_curve (0, name, &E, NULL))
return NULL;
g_x = mpi_new (0);
g_y = mpi_new (0);
ctx = _gcry_mpi_ec_p_internal_new (E.model,
E.dialect,
0,
E.p, E.a, E.b);
if (_gcry_mpi_ec_get_affine (g_x, g_y, &E.G, ctx))
log_fatal ("ecc get param: Failed to get affine coordinates\n");
_gcry_mpi_ec_free (ctx);
_gcry_mpi_point_free_parts (&E.G);
pkey[0] = E.p;
pkey[1] = E.a;
pkey[2] = E.b;
pkey[3] = _gcry_ecc_ec2os (g_x, g_y, E.p);
pkey[3] = _gcry_ecc_ec2os (E.G.x, E.G.y, E.p);
pkey[4] = E.n;
mpi_free (g_x);
mpi_free (g_y);
if (sexp_build (&result, NULL,
"(public-key(ecc(p%m)(a%m)(b%m)(g%m)(n%m)(h%u)))",
pkey[0], pkey[1], pkey[2], pkey[3], pkey[4], E.h))
result = NULL;
for (i=0; i < DIM (pkey); i++)
_gcry_mpi_release (pkey[i]);
_gcry_ecc_curve_free (&E);
_gcry_mpi_release (pkey[3]);
return result;
}
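Review bot: The new `pkey[3] = _gcry_ecc_ec2os (E.G.x, E.G.y, E.p);` encodes the generator straight from the curve struct, whereas the removed code first converted it to affine coordinates through `_gcry_mpi_ec_get_affine`; this is only correct if `_gcry_ecc_fill_in_curve` always leaves `E.G` in affine form, which the hunk does not show. A one-line comment would make that precondition explicit, e.g. `/* E.G is affine (z == 1) after fill_in_curve, so it can be encoded directly. */`. The same call now passes `NULL` for the nbits out-parameter, so it also relies on `_gcry_ecc_fill_in_curve` accepting NULL there — worth stating in the same comment. In the earlier hunk the `#if 0` Curve3617 block is dead code carried into this hobbled copy; if it is kept only to ease diffing against upstream, say so in its comment, otherwise drop it. The added NIST P-192 entry also widens the set of curves this hobbled table accepts, and NIST SP 800-57 places curves under 224 bits in its 80-bit security class, below the 112-bit minimum now required, so a comment noting it is present for interoperability rather than recommended use would help downstream policy reviewers.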


@ -8,5 +8,4 @@ set -e -x
rm -f cipher/ecc-curves.c
rm -f tests/curves.c
rm -f tests/t-mpi-point.c
rm -f tests/keygrip.c


@ -1,100 +0,0 @@
commit 3462280f2e23e16adf3ed5176e0f2413d8861320
Author: NIIBE Yutaka <gniibe@fsij.org>
Date: Fri May 21 11:15:07 2021 +0900
cipher: Fix ElGamal encryption for other implementations.
* cipher/elgamal.c (gen_k): Remove support of smaller K.
(do_encrypt): Never use smaller K.
(sign): Folllow the change of gen_k.
--
Cherry-pick master commit of:
632d80ef30e13de6926d503aa697f92b5dbfbc5e
This change basically reverts encryption changes in two commits:
74386120dad6b3da62db37f7044267c8ef34689b
78531373a342aeb847950f404343a05e36022065
Use of smaller K for ephemeral key in ElGamal encryption is only good,
when we can guarantee that recipient's key is generated by our
implementation (or compatible).
For detail, please see:
Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
"On the (in)security of ElGamal in OpenPGP";
in the proceedings of CCS'2021.
CVE-id: CVE-2021-33560
GnuPG-bug-id: 5328
Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
diff --git a/cipher/elgamal.c b/cipher/elgamal.c
index 9835122f..eead4502 100644
--- a/cipher/elgamal.c
+++ b/cipher/elgamal.c
@@ -66,7 +66,7 @@ static const char *elg_names[] =
static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
+static gcry_mpi_t gen_k (gcry_mpi_t p);
static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
gcry_mpi_t **factors);
static int check_secret_key (ELG_secret_key *sk);
@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
/****************
* Generate a random secret exponent k from prime p, so that k is
- * relatively prime to p-1. With SMALL_K set, k will be selected for
- * better encryption performance - this must never be used signing!
+ * relatively prime to p-1.
*/
static gcry_mpi_t
-gen_k( gcry_mpi_t p, int small_k )
+gen_k( gcry_mpi_t p )
{
gcry_mpi_t k = mpi_alloc_secure( 0 );
gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
unsigned int nbits, nbytes;
char *rndbuf = NULL;
- if (small_k)
- {
- /* Using a k much lesser than p is sufficient for encryption and
- * it greatly improves the encryption performance. We use
- * Wiener's table and add a large safety margin. */
- nbits = wiener_map( orig_nbits ) * 3 / 2;
- if( nbits >= orig_nbits )
- BUG();
- }
- else
- nbits = orig_nbits;
-
+ nbits = orig_nbits;
nbytes = (nbits+7)/8;
if( DBG_CIPHER )
@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
* error code.
*/
- k = gen_k( pkey->p, 1 );
+ k = gen_k( pkey->p );
mpi_powm (a, pkey->g, k, pkey->p);
/* b = (y^k * input) mod p
@@ -608,7 +596,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
*
*/
mpi_sub_ui(p_1, p_1, 1);
- k = gen_k( skey->p, 0 /* no small K ! */ );
+ k = gen_k( skey->p );
mpi_powm( a, skey->g, k, skey->p );
mpi_mul(t, skey->x, a );
mpi_subm(t, input, t, p_1 );


@ -1,6 +1,6 @@
Name: libgcrypt
Version: 1.9.3
Release: 4%{?dist}
Version: 1.9.4
Release: 1%{?dist}
URL: https://www.gnupg.org/
Source0: libgcrypt-%{version}-hobbled.tar.xz
# The original libgcrypt sources now contain potentially patented ECC
@ -18,7 +18,6 @@ Source3: hobble-libgcrypt
# Approved ECC support
Source4: ecc-curves.c
Source5: curves.c
Source6: t-mpi-point.c
Source7: random.conf
Source8: keygrip.c
# make FIPS hmac compatible with fipscheck - non upstreamable
@ -46,8 +45,6 @@ Patch27: libgcrypt-1.8.3-md-fips-enforce.patch
Patch28: libgcrypt-1.8.5-intel-cet.patch
# FIPS module is redefined a little bit (implicit by kernel FIPS mode)
Patch30: libgcrypt-1.8.5-fips-module.patch
# Fix for CVE-2021-33560
Patch31: libgcrypt-1.9.3-CVE-2021-33560.patch
%global gcrylibdir %{_libdir}
%global gcrysoname libgcrypt.so.20
@ -96,10 +93,9 @@ applications using libgcrypt.
%patch27 -p1 -b .fips-enforce
%patch28 -p1 -b .intel-cet
%patch30 -p1 -b .fips-module
%patch31 -p1 -b .CVE-2021-33560
cp %{SOURCE4} cipher/
cp %{SOURCE5} %{SOURCE6} %{SOURCE8} tests/
cp %{SOURCE5} %{SOURCE8} tests/
%build
# This package has a configure test which uses ASMs, but does not link the
@ -206,6 +202,9 @@ install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/gcrypt/random.conf
%license COPYING
%changelog
* Mon Aug 23 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.4-1
- New upstream release (#1996467)
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
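Review bot: Dropping `Patch31: libgcrypt-1.9.3-CVE-2021-33560.patch` together with its `%patch31` line is justified only if the 1.9.4 tarball carries the ElGamal fix upstream, presumably the reason for the removal, but nothing in the spec records that; the changelog entry `- New upstream release (#1996467)` would serve a security auditor better as `- New upstream release (#1996467), drop CVE-2021-33560 patch now included upstream`. The same section also drops `Source6: t-mpi-point.c` and the `cp` line no longer copies it into tests/, so, together with the hobble script change, the build appears to run upstream's t-mpi-point.c unmodified from now on. A short comment next to `Source5`/`Source8` saying why curves.c and keygrip.c still need hobbled copies would save the next rebase the same question.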


@ -1 +1 @@
SHA512 (libgcrypt-1.9.3-hobbled.tar.xz) = 5c6f3ee57ec496af6d82000979a79d220a5b9be7a3a9d064d727ff7e54cf107e5b398d9ec8d822594a7fe53bc0d4324e96a5b41d55a77f103109620b88c61f1a
SHA512 (libgcrypt-1.9.4-hobbled.tar.xz) = 80b1b2159ec3c7795450037d76d81b737f2734f1cff72c8aa6ac8c1a5654ece4fce0aabfbed0cce99d123747831db135df0d040f67081052cb2363bf52f5d4e6
