pool/libgcrypt
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 899923 from home:pmonrealgonzalez:branches:devel:libraries:c_c++

Browse Source 
- Security fix: [bsc#1187212, CVE-2021-33560]
  * cipher: Fix ElGamal encryption for other implementations.
  * Exponent blinding was added in version 1.9.3. This patch
    fixes ElGamal encryption, see: https://dev.gnupg.org/T5328
- Add libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch

OBS-URL: https://build.opensuse.org/request/show/899923
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=148
This commit is contained in:
Dirk Mueller 2021-06-15 09:30:21 +00:00 committed by Git OBS Bridge
parent c47eb17c1d
commit 79c721ab6b
3 changed files with 112 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

99
libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch Normal file
View File

@ -0,0 +1,99 @@
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Fri, 21 May 2021 02:15:07 +0000 (+0900)
Subject: cipher: Fix ElGamal encryption for other implementations.
X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff_plain;h=632d80ef30e13de6926d503aa697f92b5dbfbc5e
cipher: Fix ElGamal encryption for other implementations.
* cipher/elgamal.c (gen_k): Remove support of smaller K.
(do_encrypt): Never use smaller K.
(sign): Folllow the change of gen_k.
--
This change basically reverts encryption changes in two commits:
74386120dad6b3da62db37f7044267c8ef34689b
78531373a342aeb847950f404343a05e36022065
Use of smaller K for ephemeral key in ElGamal encryption is only good,
when we can guarantee that recipient's key is generated by our
implementation (or compatible).
For detail, please see:
Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
"On the (in)security of ElGamal in OpenPGP";
in the proceedings of CCS'2021.
CVE-id: CVE-2021-33560
GnuPG-bug-id: 5328
Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
diff --git a/cipher/elgamal.c b/cipher/elgamal.c
index 9835122f..eead4502 100644
--- a/cipher/elgamal.c
+++ b/cipher/elgamal.c
@@ -66,7 +66,7 @@ static const char *elg_names[] =
static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
+static gcry_mpi_t gen_k (gcry_mpi_t p);
static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
gcry_mpi_t **factors);
static int check_secret_key (ELG_secret_key *sk);
@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
/****************
* Generate a random secret exponent k from prime p, so that k is
- * relatively prime to p-1. With SMALL_K set, k will be selected for
- * better encryption performance - this must never be used signing!
+ * relatively prime to p-1.
*/
static gcry_mpi_t
-gen_k( gcry_mpi_t p, int small_k )
+gen_k( gcry_mpi_t p )
{
gcry_mpi_t k = mpi_alloc_secure( 0 );
gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
unsigned int nbits, nbytes;
char *rndbuf = NULL;
- if (small_k)
- {
- /* Using a k much lesser than p is sufficient for encryption and
- * it greatly improves the encryption performance. We use
- * Wiener's table and add a large safety margin. */
- nbits = wiener_map( orig_nbits ) * 3 / 2;
- if( nbits >= orig_nbits )
- BUG();
- }
- else
- nbits = orig_nbits;
-
+ nbits = orig_nbits;
nbytes = (nbits+7)/8;
if( DBG_CIPHER )
@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
* error code.
*/
- k = gen_k( pkey->p, 1 );
+ k = gen_k( pkey->p );
mpi_powm (a, pkey->g, k, pkey->p);
/* b = (y^k * input) mod p
@@ -608,7 +596,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
*
*/
mpi_sub_ui(p_1, p_1, 1);
- k = gen_k( skey->p, 0 /* no small K ! */ );
+ k = gen_k( skey->p );
mpi_powm( a, skey->g, k, skey->p );
mpi_mul(t, skey->x, a );
mpi_subm(t, input, t, p_1 );

9
libgcrypt.changes
View File

@ -1,3 +1,12 @@
-------------------------------------------------------------------
Fri Jun 11 13:17:54 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
- Security fix: [bsc#1187212, CVE-2021-33560]
* cipher: Fix ElGamal encryption for other implementations.
* Exponent blinding was added in version 1.9.3. This patch
fixes ElGamal encryption, see: https://dev.gnupg.org/T5328
- Add libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Apr 20 08:46:11 UTC 2021 - Paolo Stivanin <info@paolostivanin.com> Tue Apr 20 08:46:11 UTC 2021 - Paolo Stivanin <info@paolostivanin.com>

8
libgcrypt.spec
View File

@ -31,16 +31,15 @@ URL: https://directory.fsf.org/wiki/Libgcrypt
Source: https://gnupg.org/ftp/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2 Source: https://gnupg.org/ftp/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2
Source1: https://gnupg.org/ftp/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2.sig Source1: https://gnupg.org/ftp/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2.sig
Source2: baselibs.conf Source2: baselibs.conf
Source3: random.conf
# https://www.gnupg.org/signature_key.en.html # https://www.gnupg.org/signature_key.en.html
Source4: libgcrypt.keyring Source4: libgcrypt.keyring
# cavs test framework # cavs test framework
Source5: cavs-test.sh Source5: cavs-test.sh
Source6: cavs_driver.pl Source6: cavs_driver.pl
Source7: random.conf
Source99: libgcrypt.changes Source99: libgcrypt.changes
Patch1: libgcrypt-1.4.1-rijndael_no_strict_aliasing.patch Patch1: libgcrypt-1.4.1-rijndael_no_strict_aliasing.patch
Patch2: libgcrypt-sparcv9.diff Patch2: libgcrypt-sparcv9.diff
#PATCH-FIX-SUSE: N/A
Patch3: libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff Patch3: libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff
Patch4: libgcrypt-1.6.1-use-fipscheck.patch Patch4: libgcrypt-1.6.1-use-fipscheck.patch
Patch5: libgcrypt-1.6.1-fips-cavs.patch Patch5: libgcrypt-1.6.1-fips-cavs.patch
@ -77,6 +76,8 @@ Patch26: libgcrypt-PCT-RSA.patch
Patch27: libgcrypt-PCT-DSA.patch Patch27: libgcrypt-PCT-DSA.patch
Patch28: libgcrypt-PCT-ECC.patch Patch28: libgcrypt-PCT-ECC.patch
Patch29: libgcrypt-fips_selftest_trigger_file.patch Patch29: libgcrypt-fips_selftest_trigger_file.patch
#PATCH-FIX-UPSTREAM bsc#1187212 CVE-2021-33560 ElGamal encryption lacks exponent blinding
Patch30: libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch
BuildRequires: automake >= 1.14 BuildRequires: automake >= 1.14
BuildRequires: fipscheck BuildRequires: fipscheck
BuildRequires: libgpg-error-devel >= 1.27 BuildRequires: libgpg-error-devel >= 1.27
@ -150,7 +151,6 @@ Libgcrypt is a general purpose library of cryptographic building
blocks. It is originally based on code used by GnuPG. It does not blocks. It is originally based on code used by GnuPG. It does not
provide any implementation of OpenPGP or other protocols. Thorough provide any implementation of OpenPGP or other protocols. Thorough
understanding of applied cryptography is required to use Libgcrypt. understanding of applied cryptography is required to use Libgcrypt.
%endif %endif
%prep %prep
@ -211,7 +211,7 @@ touch %{buildroot}/%{_libdir}/.%{name}.so.%{libsover}.fips
# Create /etc/gcrypt directory and install random.conf # Create /etc/gcrypt directory and install random.conf
mkdir -p -m 0755 %{buildroot}%{_sysconfdir}/gcrypt mkdir -p -m 0755 %{buildroot}%{_sysconfdir}/gcrypt
install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/gcrypt/random.conf install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/gcrypt/random.conf
%post -n %{libsoname} -p /sbin/ldconfig %post -n %{libsoname} -p /sbin/ldconfig
%postun -n %{libsoname} -p /sbin/ldconfig %postun -n %{libsoname} -p /sbin/ldconfig