libgcrypt-1.9.4-1

.gitignore

@@ -27,3 +27,4 @@ libgcrypt-1.4.5-hobbled.tar.bz2
 /libgcrypt-1.9.1-hobbled.tar.xz
 /libgcrypt-1.9.2-hobbled.tar.xz
 /libgcrypt-1.9.3-hobbled.tar.xz
+/libgcrypt-1.9.4-hobbled.tar.xz

curves.c

@@ -33,7 +33,7 @@
 #include "t-common.h"
 
 /* Number of curves defined in ../cipger/ecc-curves.c */
-#define N_CURVES 19
+#define N_CURVES 20
 
 /* A real world sample public key.  */
 static char const sample_key_1[] =
@@ -99,6 +99,119 @@ check_matching (void)
 static void
 check_get_params (void)
 {
+  static struct {
+    int algo;
+    const char *name;
+    int error_expected;
+  } tv[] =
+      {
+       { GCRY_PK_ECC, "Ed25519" },
+       { GCRY_PK_ECC, "1.3.6.1.4.1.11591.15.1" },
+       { GCRY_PK_ECC, "1.3.101.112" },
+
+       { GCRY_PK_ECC, "Curve25519" },
+       { GCRY_PK_ECC, "1.3.6.1.4.1.3029.1.5.1" },
+       { GCRY_PK_ECC, "1.3.101.110" },
+       { GCRY_PK_ECC, "X25519" },
+
+       { GCRY_PK_ECC, "Ed448" },
+       { GCRY_PK_ECC, "X448"  },
+       { GCRY_PK_ECC, "1.3.101.113" },
+       { GCRY_PK_ECC, "1.3.101.111" },
+
+       { GCRY_PK_ECC, "NIST P-192" },
+       { GCRY_PK_ECC, "1.2.840.10045.3.1.1" },
+       { GCRY_PK_ECC,  "prime192v1" },
+       { GCRY_PK_ECC,  "secp192r1"  },
+       { GCRY_PK_ECC,  "nistp192"   },
+
+       { GCRY_PK_ECC, "NIST P-224" },
+       { GCRY_PK_ECC, "secp224r1"  },
+       { GCRY_PK_ECC, "1.3.132.0.33" },
+       { GCRY_PK_ECC, "nistp224"   },
+
+       { GCRY_PK_ECC, "NIST P-256" },
+       { GCRY_PK_ECC, "1.2.840.10045.3.1.7" },
+       { GCRY_PK_ECC, "prime256v1" },
+       { GCRY_PK_ECC, "secp256r1" },
+       { GCRY_PK_ECC, "nistp256"  },
+
+       { GCRY_PK_ECC, "NIST P-384" },
+       { GCRY_PK_ECC, "secp384r1" },
+       { GCRY_PK_ECC, "1.3.132.0.34" },
+       { GCRY_PK_ECC, "nistp384"   },
+
+       { GCRY_PK_ECC, "NIST P-521" },
+       { GCRY_PK_ECC, "secp521r1" },
+       { GCRY_PK_ECC, "1.3.132.0.35" },
+       { GCRY_PK_ECC, "nistp521"   },
+
+       { GCRY_PK_ECC, "GOST2001-test" },
+       { GCRY_PK_ECC, "1.2.643.2.2.35.0" },
+       { GCRY_PK_ECC, "GOST2001-CryptoPro-A" },
+       { GCRY_PK_ECC, "1.2.643.2.2.35.1" },
+       { GCRY_PK_ECC, "GOST2001-CryptoPro-B" },
+       { GCRY_PK_ECC, "1.2.643.2.2.35.2" },
+       { GCRY_PK_ECC, "GOST2001-CryptoPro-C" },
+       { GCRY_PK_ECC, "1.2.643.2.2.35.3" },
+       { GCRY_PK_ECC, "GOST2001-CryptoPro-A" },
+       { GCRY_PK_ECC, "GOST2001-CryptoPro-XchA" },
+       { GCRY_PK_ECC, "GOST2001-CryptoPro-C" },
+       { GCRY_PK_ECC, "GOST2001-CryptoPro-XchB" },
+       { GCRY_PK_ECC, "GOST2001-CryptoPro-A" },
+       { GCRY_PK_ECC, "1.2.643.2.2.36.0" },
+       { GCRY_PK_ECC, "GOST2001-CryptoPro-C" },
+       { GCRY_PK_ECC, "1.2.643.2.2.36.1" },
+
+       /* Noet that GOST2012-256-tc26-A" is only in the curve alias
+        * list but has no parameter entry.  */
+       { GCRY_PK_ECC, "GOST2001-CryptoPro-A" },
+       { GCRY_PK_ECC, "1.2.643.7.1.2.1.1.2" },
+       { GCRY_PK_ECC, "GOST2001-CryptoPro-A" },
+       { GCRY_PK_ECC, "GOST2012-256-tc26-B" },
+       { GCRY_PK_ECC, "GOST2001-CryptoPro-B" },
+       { GCRY_PK_ECC, "1.2.643.7.1.2.1.1.3" },
+       { GCRY_PK_ECC, "GOST2001-CryptoPro-B" },
+       { GCRY_PK_ECC, "GOST2012-256-tc26-C" },
+       { GCRY_PK_ECC, "GOST2001-CryptoPro-C" },
+       { GCRY_PK_ECC, "1.2.643.7.1.2.1.1.4" },
+       { GCRY_PK_ECC, "GOST2001-CryptoPro-C" },
+       { GCRY_PK_ECC, "GOST2012-256-tc26-D" },
+
+       { GCRY_PK_ECC, "GOST2012-512-test" },
+       { GCRY_PK_ECC, "GOST2012-test" },
+       { GCRY_PK_ECC, "GOST2012-512-test" },
+       { GCRY_PK_ECC, "1.2.643.7.1.2.1.2.0" },
+       { GCRY_PK_ECC, "GOST2012-512-tc26-A" },
+       { GCRY_PK_ECC, "GOST2012-tc26-A" },
+       { GCRY_PK_ECC, "GOST2012-512-tc26-B" },
+       { GCRY_PK_ECC, "GOST2012-tc26-B" },
+       { GCRY_PK_ECC, "GOST2012-512-tc26-A" },
+       { GCRY_PK_ECC, "1.2.643.7.1.2.1.2.1" },
+       { GCRY_PK_ECC, "GOST2012-512-tc26-B" },
+       { GCRY_PK_ECC, "1.2.643.7.1.2.1.2.2" },
+       { GCRY_PK_ECC, "GOST2012-512-tc26-C" },
+       { GCRY_PK_ECC, "1.2.643.7.1.2.1.2.3" },
+
+       { GCRY_PK_ECC, "secp256k1" },
+       { GCRY_PK_ECC, "1.3.132.0.10" },
+
+       { GCRY_PK_ECC, "sm2p256v1" },
+       { GCRY_PK_ECC, "1.2.156.10197.1.301" },
+
+       /* Check also the ECC algo mapping.  */
+       { GCRY_PK_ECDSA, "Ed25519" },
+       { GCRY_PK_EDDSA, "Ed25519" },
+       { GCRY_PK_ECDH,  "Ed25519" },
+       { GCRY_PK_ECDSA, "Curve25519" },
+       { GCRY_PK_EDDSA, "Curve25519" },
+       { GCRY_PK_ECDH,  "Curve25519" },
+       { GCRY_PK_ECC,   "NoSuchCurve", 1 },
+       { GCRY_PK_RSA,   "rsa", 1 },
+       { GCRY_PK_ELG,   "elg", 1 },
+       { GCRY_PK_DSA,   "dsa", 1 }
+      };
+  int idx;
   gcry_sexp_t param;
   const char *name;
 
@@ -114,6 +227,24 @@ check_get_params (void)
           sample_key_1_curve, name);
 
   gcry_sexp_release (param);
+
+  /* Some simple tests */
+  for (idx=0; idx < DIM (tv); idx++)
+    {
+      param = gcry_pk_get_param (tv[idx].algo, tv[idx].name);
+      if (!param)
+        {
+          if (!tv[idx].error_expected)
+            fail ("get_param: test %d (%s) failed\n", idx, tv[idx].name);
+        }
+      else
+        {
+          if (tv[idx].error_expected)
+            fail ("get_param: test %d (%s) failed (error expected)\n",
+                  idx, tv[idx].name);
+        }
+      gcry_sexp_release (param);
+    }
 }
 
 

ecc-curves.c

@@ -55,6 +55,11 @@ static const struct
     { "Ed448",      "1.3.101.113" },         /* rfc8410 */
     { "X448",       "1.3.101.111" },         /* rfc8410 */
 
+    { "NIST P-192", "1.2.840.10045.3.1.1" }, /* X9.62 OID  */
+    { "NIST P-192", "prime192v1" },          /* X9.62 name.  */
+    { "NIST P-192", "secp192r1"  },          /* SECP name.  */
+    { "NIST P-192", "nistp192"   },          /* rfc5656.  */
+
     { "NIST P-224", "secp224r1" },
     { "NIST P-224", "1.3.132.0.33" },        /* SECP OID.  */
     { "NIST P-224", "nistp224"   },          /* rfc5656.  */
@@ -194,6 +199,35 @@ static const ecc_domain_parms_t domain_parms[] =
       "8DF3F6EDB8027E2346430D211312C4B150677AF76FD7223D457B5B1A",
       4,
     },
+#if 0 /* No real specs yet found.  */
+    {
+      /* x^2 + y^2 = 1 + 3617x^2y^2 mod 2^414 - 17 */
+      "Curve3617",
+      "0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+      "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEF",
+      MPI_EC_EDWARDS, 0,
+      "0x01",
+      "0x0e21",
+      "0x07FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEB3CC92414CF"
+      "706022B36F1C0338AD63CF181B0E71A5E106AF79",
+      "0x1A334905141443300218C0631C326E5FCD46369F44C03EC7F57FF35498A4AB4D"
+      "6D6BA111301A73FAA8537C64C4FD3812F3CBC595",
+      "0x22",
+      8
+    },
+#endif /*0*/
+    {
+      "NIST P-192", 192, 0,
+      MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD,
+      "0xfffffffffffffffffffffffffffffffeffffffffffffffff",
+      "0xfffffffffffffffffffffffffffffffefffffffffffffffc",
+      "0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1",
+      "0xffffffffffffffffffffffff99def836146bc9b1b4d22831",
+
+      "0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012",
+      "0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811",
+      1
+    },
     {
       "NIST P-224", 224, 1,
       MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD,
@@ -1243,45 +1277,27 @@ _gcry_mpi_ec_new (gcry_ctx_t *r_ctx,
 gcry_sexp_t
 _gcry_ecc_get_param_sexp (const char *name)
 {
-  unsigned int nbits;
   elliptic_curve_t E;
-  mpi_ec_t ctx;
-  gcry_mpi_t g_x, g_y;
   gcry_mpi_t pkey[5];
   gcry_sexp_t result;
-  int i;
 
   memset (&E, 0, sizeof E);
-  if (_gcry_ecc_fill_in_curve (0, name, &E, &nbits))
+  if (_gcry_ecc_fill_in_curve (0, name, &E, NULL))
     return NULL;
 
-  g_x = mpi_new (0);
-  g_y = mpi_new (0);
-  ctx = _gcry_mpi_ec_p_internal_new (E.model,
-                                     E.dialect,
-                                     0,
-                                     E.p, E.a, E.b);
-  if (_gcry_mpi_ec_get_affine (g_x, g_y, &E.G, ctx))
-    log_fatal ("ecc get param: Failed to get affine coordinates\n");
-  _gcry_mpi_ec_free (ctx);
-  _gcry_mpi_point_free_parts (&E.G);
-
   pkey[0] = E.p;
   pkey[1] = E.a;
   pkey[2] = E.b;
-  pkey[3] = _gcry_ecc_ec2os (g_x, g_y, E.p);
+  pkey[3] = _gcry_ecc_ec2os (E.G.x, E.G.y, E.p);
   pkey[4] = E.n;
 
-  mpi_free (g_x);
-  mpi_free (g_y);
-
   if (sexp_build (&result, NULL,
                   "(public-key(ecc(p%m)(a%m)(b%m)(g%m)(n%m)(h%u)))",
                   pkey[0], pkey[1], pkey[2], pkey[3], pkey[4], E.h))
     result = NULL;
 
-  for (i=0; i < DIM (pkey); i++)
-    _gcry_mpi_release (pkey[i]);
+  _gcry_ecc_curve_free (&E);
+  _gcry_mpi_release (pkey[3]);
 
   return result;
 }

hobble-libgcrypt

@@ -8,5 +8,4 @@ set -e -x
 
 rm -f cipher/ecc-curves.c
 rm -f tests/curves.c
-rm -f tests/t-mpi-point.c
 rm -f tests/keygrip.c

libgcrypt-1.9.3-CVE-2021-33560.patch

@@ -1,100 +0,0 @@
-commit 3462280f2e23e16adf3ed5176e0f2413d8861320
-Author: NIIBE Yutaka <gniibe@fsij.org>
-Date:   Fri May 21 11:15:07 2021 +0900
-
-    cipher: Fix ElGamal encryption for other implementations.
-    
-    * cipher/elgamal.c (gen_k): Remove support of smaller K.
-    (do_encrypt): Never use smaller K.
-    (sign): Folllow the change of gen_k.
-    
-    --
-    
-    Cherry-pick master commit of:
-            632d80ef30e13de6926d503aa697f92b5dbfbc5e
-    
-    This change basically reverts encryption changes in two commits:
-    
-            74386120dad6b3da62db37f7044267c8ef34689b
-            78531373a342aeb847950f404343a05e36022065
-    
-    Use of smaller K for ephemeral key in ElGamal encryption is only good,
-    when we can guarantee that recipient's key is generated by our
-    implementation (or compatible).
-    
-    For detail, please see:
-    
-        Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
-        "On the (in)security of ElGamal in OpenPGP";
-        in the proceedings of  CCS'2021.
-    
-    CVE-id: CVE-2021-33560
-    GnuPG-bug-id: 5328
-    Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
-    Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
-
-diff --git a/cipher/elgamal.c b/cipher/elgamal.c
-index 9835122f..eead4502 100644
---- a/cipher/elgamal.c
-+++ b/cipher/elgamal.c
-@@ -66,7 +66,7 @@ static const char *elg_names[] =
- 
- 
- static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
--static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
-+static gcry_mpi_t gen_k (gcry_mpi_t p);
- static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
-                                  gcry_mpi_t **factors);
- static int  check_secret_key (ELG_secret_key *sk);
-@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
- 
- /****************
-  * Generate a random secret exponent k from prime p, so that k is
-- * relatively prime to p-1.  With SMALL_K set, k will be selected for
-- * better encryption performance - this must never be used signing!
-+ * relatively prime to p-1.
-  */
- static gcry_mpi_t
--gen_k( gcry_mpi_t p, int small_k )
-+gen_k( gcry_mpi_t p )
- {
-   gcry_mpi_t k = mpi_alloc_secure( 0 );
-   gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
-@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
-   unsigned int nbits, nbytes;
-   char *rndbuf = NULL;
- 
--  if (small_k)
--    {
--      /* Using a k much lesser than p is sufficient for encryption and
--       * it greatly improves the encryption performance.  We use
--       * Wiener's table and add a large safety margin. */
--      nbits = wiener_map( orig_nbits ) * 3 / 2;
--      if( nbits >= orig_nbits )
--        BUG();
--    }
--  else
--    nbits = orig_nbits;
--
-+  nbits = orig_nbits;
- 
-   nbytes = (nbits+7)/8;
-   if( DBG_CIPHER )
-@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
-    * error code.
-    */
- 
--  k = gen_k( pkey->p, 1 );
-+  k = gen_k( pkey->p );
-   mpi_powm (a, pkey->g, k, pkey->p);
- 
-   /* b = (y^k * input) mod p
-@@ -608,7 +596,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
-     *
-     */
-     mpi_sub_ui(p_1, p_1, 1);
--    k = gen_k( skey->p, 0 /* no small K ! */ );
-+    k = gen_k( skey->p );
-     mpi_powm( a, skey->g, k, skey->p );
-     mpi_mul(t, skey->x, a );
-     mpi_subm(t, input, t, p_1 );

libgcrypt.spec

@@ -1,6 +1,6 @@
 Name: libgcrypt
-Version: 1.9.3
-Release: 4%{?dist}
+Version: 1.9.4
+Release: 1%{?dist}
 URL: https://www.gnupg.org/
 Source0: libgcrypt-%{version}-hobbled.tar.xz
 # The original libgcrypt sources now contain potentially patented ECC
@@ -18,7 +18,6 @@ Source3: hobble-libgcrypt
 # Approved ECC support
 Source4: ecc-curves.c
 Source5: curves.c
-Source6: t-mpi-point.c
 Source7: random.conf
 Source8: keygrip.c
 # make FIPS hmac compatible with fipscheck - non upstreamable
@@ -46,8 +45,6 @@ Patch27: libgcrypt-1.8.3-md-fips-enforce.patch
 Patch28: libgcrypt-1.8.5-intel-cet.patch
 # FIPS module is redefined a little bit (implicit by kernel FIPS mode)
 Patch30: libgcrypt-1.8.5-fips-module.patch
-# Fix for CVE-2021-33560
-Patch31: libgcrypt-1.9.3-CVE-2021-33560.patch
 
 %global gcrylibdir %{_libdir}
 %global gcrysoname libgcrypt.so.20
@@ -96,10 +93,9 @@ applications using libgcrypt.
 %patch27 -p1 -b .fips-enforce
 %patch28 -p1 -b .intel-cet
 %patch30 -p1 -b .fips-module
-%patch31 -p1 -b .CVE-2021-33560
 
 cp %{SOURCE4} cipher/
-cp %{SOURCE5} %{SOURCE6} %{SOURCE8} tests/
+cp %{SOURCE5} %{SOURCE8} tests/
 
 %build
 # This package has a configure test which uses ASMs, but does not link the
@@ -206,6 +202,9 @@ install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/gcrypt/random.conf
 %license COPYING
 
 %changelog
+* Mon Aug 23 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.4-1
+- New upstream release (#1996467)
+
 * Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.3-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
 

sources

@@ -1 +1 @@
-SHA512 (libgcrypt-1.9.3-hobbled.tar.xz) = 5c6f3ee57ec496af6d82000979a79d220a5b9be7a3a9d064d727ff7e54cf107e5b398d9ec8d822594a7fe53bc0d4324e96a5b41d55a77f103109620b88c61f1a
+SHA512 (libgcrypt-1.9.4-hobbled.tar.xz) = 80b1b2159ec3c7795450037d76d81b737f2734f1cff72c8aa6ac8c1a5654ece4fce0aabfbed0cce99d123747831db135df0d040f67081052cb2363bf52f5d4e6