Accepting request 899923 from home:pmonrealgonzalez:branches:devel:libraries:c_c++

- Security fix: [bsc#1187212, CVE-2021-33560] * cipher: Fix ElGamal encryption for other implementations. * Exponent blinding was added in version 1.9.3. This patch fixes ElGamal encryption, see: https://dev.gnupg.org/T5328 - Add libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch OBS-URL: https://build.opensuse.org/request/show/899923 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=148
2021-06-15 09:30:21 +00:00 · 2021-06-15 09:30:21 +00:00 · 79c721ab6b
commit 79c721ab6b
parent c47eb17c1d
3 changed files with 112 additions and 4 deletions
--- a/libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch
+++ b/libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch
@ -0,0 +1,99 @@
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Fri, 21 May 2021 02:15:07 +0000 (+0900)
+Subject: cipher: Fix ElGamal encryption for other implementations.
+X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff_plain;h=632d80ef30e13de6926d503aa697f92b5dbfbc5e
+
+cipher: Fix ElGamal encryption for other implementations.
+
+* cipher/elgamal.c (gen_k): Remove support of smaller K.
+(do_encrypt): Never use smaller K.
+(sign): Folllow the change of gen_k.
+
+--
+
+This change basically reverts encryption changes in two commits:
+
+	74386120dad6b3da62db37f7044267c8ef34689b
+	78531373a342aeb847950f404343a05e36022065
+
+Use of smaller K for ephemeral key in ElGamal encryption is only good,
+when we can guarantee that recipient's key is generated by our
+implementation (or compatible).
+
+For detail, please see:
+
+    Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
+    "On the (in)security of ElGamal in OpenPGP";
+    in the proceedings of  CCS'2021.
+
+CVE-id: CVE-2021-33560
+GnuPG-bug-id: 5328
+Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+---
+
+diff --git a/cipher/elgamal.c b/cipher/elgamal.c
+index 9835122f..eead4502 100644
+--- a/cipher/elgamal.c
+++ b/cipher/elgamal.c
+@@ -66,7 +66,7 @@ static const char *elg_names[] =
+ 
+ 
+ static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
+-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
+static gcry_mpi_t gen_k (gcry_mpi_t p);
+ static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
+                                  gcry_mpi_t **factors);
+ static int  check_secret_key (ELG_secret_key *sk);
+@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
+ 
+ /****************
+  * Generate a random secret exponent k from prime p, so that k is
+- * relatively prime to p-1.  With SMALL_K set, k will be selected for
+- * better encryption performance - this must never be used signing!
+ * relatively prime to p-1.
+  */
+ static gcry_mpi_t
+-gen_k( gcry_mpi_t p, int small_k )
+gen_k( gcry_mpi_t p )
+ {
+   gcry_mpi_t k = mpi_alloc_secure( 0 );
+   gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
+@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
+   unsigned int nbits, nbytes;
+   char *rndbuf = NULL;
+ 
+-  if (small_k)
+-    {
+-      /* Using a k much lesser than p is sufficient for encryption and
+-       * it greatly improves the encryption performance.  We use
+-       * Wiener's table and add a large safety margin. */
+-      nbits = wiener_map( orig_nbits ) * 3 / 2;
+-      if( nbits >= orig_nbits )
+-        BUG();
+-    }
+-  else
+-    nbits = orig_nbits;
+-
+  nbits = orig_nbits;
+ 
+   nbytes = (nbits+7)/8;
+   if( DBG_CIPHER )
+@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
+    * error code.
+    */
+ 
+-  k = gen_k( pkey->p, 1 );
+  k = gen_k( pkey->p );
+   mpi_powm (a, pkey->g, k, pkey->p);
+ 
+   /* b = (y^k * input) mod p
+@@ -608,7 +596,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
+     *
+     */
+     mpi_sub_ui(p_1, p_1, 1);
+-    k = gen_k( skey->p, 0 /* no small K ! */ );
+    k = gen_k( skey->p );
+     mpi_powm( a, skey->g, k, skey->p );
+     mpi_mul(t, skey->x, a );
+     mpi_subm(t, input, t, p_1 );
--- a/libgcrypt.changes
+++ b/libgcrypt.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Fri Jun 11 13:17:54 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Security fix: [bsc#1187212, CVE-2021-33560]
+  * cipher: Fix ElGamal encryption for other implementations.
+  * Exponent blinding was added in version 1.9.3. This patch
+    fixes ElGamal encryption, see: https://dev.gnupg.org/T5328
+- Add libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch
+
 -------------------------------------------------------------------
 Tue Apr 20 08:46:11 UTC 2021 - Paolo Stivanin <info@paolostivanin.com>

--- a/libgcrypt.spec
+++ b/libgcrypt.spec
@ -31,16 +31,15 @@ URL:            https://directory.fsf.org/wiki/Libgcrypt
 Source:         https://gnupg.org/ftp/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2
 Source1:        https://gnupg.org/ftp/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2.sig
 Source2:        baselibs.conf
+Source3:        random.conf
 # https://www.gnupg.org/signature_key.en.html
 Source4:        libgcrypt.keyring
 # cavs test framework
 Source5:        cavs-test.sh
 Source6:        cavs_driver.pl
-Source7:        random.conf
 Source99:       libgcrypt.changes
 Patch1:         libgcrypt-1.4.1-rijndael_no_strict_aliasing.patch
 Patch2:         libgcrypt-sparcv9.diff
-#PATCH-FIX-SUSE: N/A
 Patch3:         libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff
 Patch4:         libgcrypt-1.6.1-use-fipscheck.patch
 Patch5:         libgcrypt-1.6.1-fips-cavs.patch
@ -77,6 +76,8 @@ Patch26:        libgcrypt-PCT-RSA.patch
 Patch27:        libgcrypt-PCT-DSA.patch
 Patch28:        libgcrypt-PCT-ECC.patch
 Patch29:        libgcrypt-fips_selftest_trigger_file.patch
+#PATCH-FIX-UPSTREAM bsc#1187212 CVE-2021-33560 ElGamal encryption lacks exponent blinding
+Patch30:        libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch
 BuildRequires:  automake >= 1.14
 BuildRequires:  fipscheck
 BuildRequires:  libgpg-error-devel >= 1.27
@ -150,7 +151,6 @@ Libgcrypt is a general purpose library of cryptographic building
 blocks.  It is originally based on code used by GnuPG.  It does not
 provide any implementation of OpenPGP or other protocols.  Thorough
 understanding of applied cryptography is required to use Libgcrypt.
-
 %endif

 %prep
@ -211,7 +211,7 @@ touch %{buildroot}/%{_libdir}/.%{name}.so.%{libsover}.fips

 # Create /etc/gcrypt directory and install random.conf
 mkdir -p -m 0755 %{buildroot}%{_sysconfdir}/gcrypt
-install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/gcrypt/random.conf
+install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/gcrypt/random.conf

 %post -n %{libsoname} -p /sbin/ldconfig
 %postun -n %{libsoname} -p /sbin/ldconfig