libgcrypt: Security fix CVE-2021-33560

Source: https://sources.debian.org/patches/libgcrypt20/1.8.4-5+deb10u1 MR: 111591 Type: Security Fix Disposition: Backport from https://sources.debian.org/data/main/libg/libgcrypt20/1.8.4-5%2Bdeb10u1/debian/patches/31_cipher-Fix-ElGamal-encryption-for-other-implementati.patch ChangeID: d066a9baacc0d967dd80ac54c684cde031ac686e Description: Affects before 1.8.8 and 1.9.x before 1.9.3 (From OE-Core rev: 7de5e19a668f268f0cc56617a9f5760054acb5f5) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2021-09-10 15:57:19 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-09-30 00:02:22 +0100
commit: 60383990481408e0b4c131102aa9e2905ac5d1d1 (patch)
tree: 8f3ac67c47779806606a17ee3fae47bd57b87f8f
parent: 2bd92c7e47727e9370359857cd32f1d28345ac2b (diff)
download: poky-60383990481408e0b4c131102aa9e2905ac5d1d1.tar.gz
2 files changed, 110 insertions, 0 deletions
diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
new file mode 100644
index 0000000000..c0d00485e6
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
@@ -0,0 +1,109 @@
+From 707c3c5c511ee70ad0e39ec613471f665305fbea Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Fri, 21 May 2021 11:15:07 +0900
+Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations.
+* cipher/elgamal.c (gen_k): Remove support of smaller K.
+(do_encrypt): Never use smaller K.
+(sign): Folllow the change of gen_k.
+--
+Cherry-pick master commit of:
+        632d80ef30e13de6926d503aa697f92b5dbfbc5e
+This change basically reverts encryption changes in two commits:
+        74386120dad6b3da62db37f7044267c8ef34689b
+        78531373a342aeb847950f404343a05e36022065
+Use of smaller K for ephemeral key in ElGamal encryption is only good,
+when we can guarantee that recipient's key is generated by our
+implementation (or compatible).
+For detail, please see:
+    Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
+    "On the (in)security of ElGamal in OpenPGP";
+    in the proceedings of  CCS'2021.
+CVE-id: CVE-2021-33560
+GnuPG-bug-id: 5328
+Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+Upstream-Status: Backport
+CVE: CVE-2021-33560
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ cipher/elgamal.c | 24 ++++++------------------
+ 1 file changed, 6 insertions(+), 18 deletions(-)
+diff --git a/cipher/elgamal.c b/cipher/elgamal.c
+index 4eb52d62..ae7a631e 100644
+--- a/cipher/elgamal.c
+++ b/cipher/elgamal.c
+@@ -66,7 +66,7 @@ static const char *elg_names[] =
+ 
+ 
+ static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
+-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
+static gcry_mpi_t gen_k (gcry_mpi_t p);
+ static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
+                                  gcry_mpi_t **factors);
+ static int  check_secret_key (ELG_secret_key *sk);
+@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
+ 
+ /****************
+  * Generate a random secret exponent k from prime p, so that k is
+- * relatively prime to p-1.  With SMALL_K set, k will be selected for
+- * better encryption performance - this must never be used signing!
+ * relatively prime to p-1.
+  */
+ static gcry_mpi_t
+-gen_k( gcry_mpi_t p, int small_k )
+gen_k( gcry_mpi_t p )
+ {
+   gcry_mpi_t k = mpi_alloc_secure( 0 );
+   gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
+@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
+   unsigned int nbits, nbytes;
+   char *rndbuf = NULL;
+ 
+-  if (small_k)
+-    {
+-      /* Using a k much lesser than p is sufficient for encryption and
+-       * it greatly improves the encryption performance.  We use
+-       * Wiener's table and add a large safety margin. */
+-      nbits = wiener_map( orig_nbits ) * 3 / 2;
+-      if( nbits >= orig_nbits )
+-        BUG();
+-    }
+-  else
+-    nbits = orig_nbits;
+-
+  nbits = orig_nbits;
+ 
+   nbytes = (nbits+7)/8;
+   if( DBG_CIPHER )
+@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
+    * error code.
+    */
+ 
+-  k = gen_k( pkey->p, 1 );
+  k = gen_k( pkey->p );
+   mpi_powm (a, pkey->g, k, pkey->p);
+ 
+   /* b = (y^k * input) mod p
+@@ -594,7 +582,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
+     *
+     */
+     mpi_sub_ui(p_1, p_1, 1);
+-    k = gen_k( skey->p, 0 /* no small K ! */ );
+    k = gen_k( skey->p );
+     mpi_powm( a, skey->g, k, skey->p );
+     mpi_mul(t, skey->x, a );
+     mpi_subm(t, input, t, p_1 );
+-- 
+2.30.2
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
index 16a58ad9b8..174b087b24 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
@@ -28,6 +28,7 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
           file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \
           file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \
           file://determinism.patch \
+           file://CVE-2021-33560.patch \
 "
 SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743"
 SRC_URI[sha256sum] = "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3"
author	Armin Kuster <akuster@mvista.com>	2021-09-10 15:57:19 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-09-30 00:02:22 +0100
commit	60383990481408e0b4c131102aa9e2905ac5d1d1 (patch)
tree	8f3ac67c47779806606a17ee3fae47bd57b87f8f
parent	2bd92c7e47727e9370359857cd32f1d28345ac2b (diff)
download	poky-60383990481408e0b4c131102aa9e2905ac5d1d1.tar.gz

diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch new file mode 100644 index 0000000000..c0d00485e6 --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
@@ -0,0 +1,109 @@
		1	From 707c3c5c511ee70ad0e39ec613471f665305fbea Mon Sep 17 00:00:00 2001
		2	From: NIIBE Yutaka <gniibe@fsij.org>
		3	Date: Fri, 21 May 2021 11:15:07 +0900
		4	Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations.
		5
		6	* cipher/elgamal.c (gen_k): Remove support of smaller K.
		7	(do_encrypt): Never use smaller K.
		8	(sign): Folllow the change of gen_k.
		9
		10	--
		11
		12	Cherry-pick master commit of:
		13	632d80ef30e13de6926d503aa697f92b5dbfbc5e
		14
		15	This change basically reverts encryption changes in two commits:
		16
		17	74386120dad6b3da62db37f7044267c8ef34689b
		18	78531373a342aeb847950f404343a05e36022065
		19
		20	Use of smaller K for ephemeral key in ElGamal encryption is only good,
		21	when we can guarantee that recipient's key is generated by our
		22	implementation (or compatible).
		23
		24	For detail, please see:
		25
		26	Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
		27	"On the (in)security of ElGamal in OpenPGP";
		28	in the proceedings of CCS'2021.
		29
		30	CVE-id: CVE-2021-33560
		31	GnuPG-bug-id: 5328
		32	Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
		33	Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
		34
		35	Upstream-Status: Backport
		36	CVE: CVE-2021-33560
		37	Signed-off-by: Armin Kuster <akuster@mvista.com>
		38	---
		39	cipher/elgamal.c \| 24 ++++++------------------
		40	1 file changed, 6 insertions(+), 18 deletions(-)
		41
		42	diff --git a/cipher/elgamal.c b/cipher/elgamal.c
		43	index 4eb52d62..ae7a631e 100644
		44	--- a/cipher/elgamal.c
		45	+++ b/cipher/elgamal.c
		46	@@ -66,7 +66,7 @@ static const char *elg_names[] =
		47
		48
		49	static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
		50	-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
		51	+static gcry_mpi_t gen_k (gcry_mpi_t p);
		52	static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
		53	gcry_mpi_t **factors);
		54	static int check_secret_key (ELG_secret_key *sk);
		55	@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
		56
		57	/****************
		58	* Generate a random secret exponent k from prime p, so that k is
		59	- * relatively prime to p-1. With SMALL_K set, k will be selected for
		60	- * better encryption performance - this must never be used signing!
		61	+ * relatively prime to p-1.
		62	*/
		63	static gcry_mpi_t
		64	-gen_k( gcry_mpi_t p, int small_k )
		65	+gen_k( gcry_mpi_t p )
		66	{
		67	gcry_mpi_t k = mpi_alloc_secure( 0 );
		68	gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
		69	@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
		70	unsigned int nbits, nbytes;
		71	char *rndbuf = NULL;
		72
		73	- if (small_k)
		74	- {
		75	- /* Using a k much lesser than p is sufficient for encryption and
		76	- * it greatly improves the encryption performance. We use
		77	- * Wiener's table and add a large safety margin. */
		78	- nbits = wiener_map( orig_nbits ) * 3 / 2;
		79	- if( nbits >= orig_nbits )
		80	- BUG();
		81	- }
		82	- else
		83	- nbits = orig_nbits;
		84	-
		85	+ nbits = orig_nbits;
		86
		87	nbytes = (nbits+7)/8;
		88	if( DBG_CIPHER )
		89	@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
		90	* error code.
		91	*/
		92
		93	- k = gen_k( pkey->p, 1 );
		94	+ k = gen_k( pkey->p );
		95	mpi_powm (a, pkey->g, k, pkey->p);
		96
		97	/* b = (y^k * input) mod p
		98	@@ -594,7 +582,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
		99	*
		100	*/
		101	mpi_sub_ui(p_1, p_1, 1);
		102	- k = gen_k( skey->p, 0 /* no small K ! */ );
		103	+ k = gen_k( skey->p );
		104	mpi_powm( a, skey->g, k, skey->p );
		105	mpi_mul(t, skey->x, a );
		106	mpi_subm(t, input, t, p_1 );
		107	--
		108	2.30.2
		109


diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb index 16a58ad9b8..174b087b24 100644 --- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb +++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
@@ -28,6 +28,7 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
28	file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \	28	file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \
29	file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \	29	file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \
30	file://determinism.patch \	30	file://determinism.patch \
		31	file://CVE-2021-33560.patch \
31	"	32	"
32	SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743"	33	SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743"
33	SRC_URI[sha256sum] = "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3"	34	SRC_URI[sha256sum] = "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3"