From 79c721ab6b6a5a1d1de14221086a29f60ff9e32962e1c7dfa09dbf0e9f4bfb0f Mon Sep 17 00:00:00 2001
From: Dirk Mueller
Date: Tue, 15 Jun 2021 09:30:21 +0000
Subject: [PATCH] Accepting request 899923 from home:pmonrealgonzalez:branches:devel:libraries:c_c++

- Security fix: [bsc#1187212, CVE-2021-33560]
* cipher: Fix ElGamal encryption for other implementations.
* Exponent blinding was added in version 1.9.3. This patch
fixes ElGamal encryption, see: https://dev.gnupg.org/T5328
- Add libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch

OBS-URL: https://build.opensuse.org/request/show/899923
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libgcrypt?expand=0&rev=148
---
 ...crypt-CVE-2021-33560-fix-ElGamal-enc.patch | 99 +++++++++++++++++++
 libgcrypt.changes | 9 ++
 libgcrypt.spec | 8 +-
 3 files changed, 112 insertions(+), 4 deletions(-)
 create mode 100644 libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch

diff --git a/libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch b/libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch
new file mode 100644
index 0000000..bc435d0
--- /dev/null
+++ b/libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch
@@ -0,0 +1,99 @@
+From: NIIBE Yutaka
+Date: Fri, 21 May 2021 02:15:07 +0000 (+0900)
+Subject: cipher: Fix ElGamal encryption for other implementations.
+X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff_plain;h=632d80ef30e13de6926d503aa697f92b5dbfbc5e
+
+cipher: Fix ElGamal encryption for other implementations.
+
+* cipher/elgamal.c (gen_k): Remove support of smaller K.
+(do_encrypt): Never use smaller K.
+(sign): Folllow the change of gen_k.
+
+--
+
+This change basically reverts encryption changes in two commits:
+
+ 74386120dad6b3da62db37f7044267c8ef34689b
+ 78531373a342aeb847950f404343a05e36022065
+
+Use of smaller K for ephemeral key in ElGamal encryption is only good,
+when we can guarantee that recipient's key is generated by our
+implementation (or compatible).
+
+For detail, please see:
+
+ Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
+ "On the (in)security of ElGamal in OpenPGP";
+ in the proceedings of CCS'2021.
+
+CVE-id: CVE-2021-33560
+GnuPG-bug-id: 5328
+Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
+Signed-off-by: NIIBE Yutaka
+---
+
+diff --git a/cipher/elgamal.c b/cipher/elgamal.c
+index 9835122f..eead4502 100644
+--- a/cipher/elgamal.c
++++ b/cipher/elgamal.c
+@@ -66,7 +66,7 @@ static const char *elg_names[] =
+
+
+ static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
+-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
++static gcry_mpi_t gen_k (gcry_mpi_t p);
+ static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
+ gcry_mpi_t **factors);
+ static int check_secret_key (ELG_secret_key *sk);
+@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
+
+ /****************
+ * Generate a random secret exponent k from prime p, so that k is
+- * relatively prime to p-1. With SMALL_K set, k will be selected for
+- * better encryption performance - this must never be used signing!
++ * relatively prime to p-1.
+ */
+ static gcry_mpi_t
+-gen_k( gcry_mpi_t p, int small_k )
++gen_k( gcry_mpi_t p )
+ {
+ gcry_mpi_t k = mpi_alloc_secure( 0 );
+ gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
+@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
+ unsigned int nbits, nbytes;
+ char *rndbuf = NULL;
+
+- if (small_k)
+- {
+- /* Using a k much lesser than p is sufficient for encryption and
+- * it greatly improves the encryption performance. We use
+- * Wiener's table and add a large safety margin. */
+- nbits = wiener_map( orig_nbits ) * 3 / 2;
+- if( nbits >= orig_nbits )
+- BUG();
+- }
+- else
+- nbits = orig_nbits;
+-
++ nbits = orig_nbits;
+
+ nbytes = (nbits+7)/8;
+ if( DBG_CIPHER )
+@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
+ * error code.
+ */
+
+- k = gen_k( pkey->p, 1 );
++ k = gen_k( pkey->p );
+ mpi_powm (a, pkey->g, k, pkey->p);
+
+ /* b = (y^k * input) mod p
+@@ -608,7 +596,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
+ *
+ */
+ mpi_sub_ui(p_1, p_1, 1);
+- k = gen_k( skey->p, 0 /* no small K ! */ );
++ k = gen_k( skey->p );
+ mpi_powm( a, skey->g, k, skey->p );
+ mpi_mul(t, skey->x, a );
+ mpi_subm(t, input, t, p_1 );
diff --git a/libgcrypt.changes b/libgcrypt.changes
index f404859..cf0c2b9 100644
--- a/libgcrypt.changes
+++ b/libgcrypt.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Fri Jun 11 13:17:54 UTC 2021 - Pedro Monreal
+
+- Security fix: [bsc#1187212, CVE-2021-33560]
+ * cipher: Fix ElGamal encryption for other implementations.
+ * Exponent blinding was added in version 1.9.3. This patch
+ fixes ElGamal encryption, see: https://dev.gnupg.org/T5328
+- Add libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch
+
 -------------------------------------------------------------------
 Tue Apr 20 08:46:11 UTC 2021 - Paolo Stivanin

diff --git a/libgcrypt.spec b/libgcrypt.spec
index 9fa1aa3..0f2c861 100644
--- a/libgcrypt.spec
+++ b/libgcrypt.spec
@@ -31,16 +31,15 @@ URL: https://directory.fsf.org/wiki/Libgcrypt
 Source: https://gnupg.org/ftp/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2
 Source1: https://gnupg.org/ftp/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2.sig
 Source2: baselibs.conf
+Source3: random.conf
 # https://www.gnupg.org/signature_key.en.html
 Source4: libgcrypt.keyring
 # cavs test framework
 Source5: cavs-test.sh
 Source6: cavs_driver.pl
-Source7: random.conf
 Source99: libgcrypt.changes
 Patch1: libgcrypt-1.4.1-rijndael_no_strict_aliasing.patch
 Patch2: libgcrypt-sparcv9.diff
-#PATCH-FIX-SUSE: N/A
 Patch3: libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff
 Patch4: libgcrypt-1.6.1-use-fipscheck.patch
 Patch5: libgcrypt-1.6.1-fips-cavs.patch
@@ -77,6 +76,8 @@ Patch26: libgcrypt-PCT-RSA.patch
 Patch27: libgcrypt-PCT-DSA.patch
 Patch28: libgcrypt-PCT-ECC.patch
 Patch29: libgcrypt-fips_selftest_trigger_file.patch
+#PATCH-FIX-UPSTREAM bsc#1187212 CVE-2021-33560 ElGamal encryption lacks exponent blinding
+Patch30: libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch
 BuildRequires: automake >= 1.14
 BuildRequires: fipscheck
 BuildRequires: libgpg-error-devel >= 1.27
@@ -150,7 +151,6 @@ Libgcrypt is a general purpose library of cryptographic building blocks.
 It is originally based on code used by GnuPG. It does not provide any
 implementation of OpenPGP or other protocols. Thorough understanding of
 applied cryptography is required to use Libgcrypt.
-
 %endif

 %prep
@@ -211,7 +211,7 @@ touch %{buildroot}/%{_libdir}/.%{name}.so.%{libsover}.fips

 # Create /etc/gcrypt directory and install random.conf
 mkdir -p -m 0755 %{buildroot}%{_sysconfdir}/gcrypt
-install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/gcrypt/random.conf
+install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/gcrypt/random.conf

 %post -n %{libsoname} -p /sbin/ldconfig
 %postun -n %{libsoname} -p /sbin/ldconfig
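Review bot: Patch30 is declared in the `@@ -77,6 +76,8 @@` hunk, but no hunk in this commit adds a matching `%patch30` application, and the `%prep` body lies outside the hunks shown; unless the spec applies patches via `%autosetup`/`%autopatch`, the CVE fix would be declared but never applied to the build, so this is worth confirming in `%prep` before merging. The new `#PATCH-FIX-UPSTREAM` comment also misdescribes the patch: the backported upstream change (632d80ef, shown in the first file) removes the small-k path from `gen_k` and makes `do_encrypt` use a full-size ephemeral exponent, with `sign` following the signature change — it does not add exponent blinding. I'd reword it to match what is actually carried, e.g. `#PATCH-FIX-UPSTREAM bsc#1187212 CVE-2021-33560 ElGamal: never use a short ephemeral k for encryption`. Whether the exponent-blinding half of the upstream 1.9.3 fix is already in the packaged version is not visible in this commit (the changelog only states it was added in 1.9.3), so the built `%{version}` should be checked before the bug is closed.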