diff options
author | Armin Kuster <akuster@mvista.com> | 2021-09-10 15:57:19 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-09-30 00:02:22 +0100 |
commit | 60383990481408e0b4c131102aa9e2905ac5d1d1 (patch) | |
tree | 8f3ac67c47779806606a17ee3fae47bd57b87f8f | |
parent | 2bd92c7e47727e9370359857cd32f1d28345ac2b (diff) | |
download | poky-60383990481408e0b4c131102aa9e2905ac5d1d1.tar.gz |
libgcrypt: Security fix CVE-2021-33560
Source: https://sources.debian.org/patches/libgcrypt20/1.8.4-5+deb10u1
MR: 111591
Type: Security Fix
Disposition: Backport from https://sources.debian.org/data/main/libg/libgcrypt20/1.8.4-5%2Bdeb10u1/debian/patches/31_cipher-Fix-ElGamal-encryption-for-other-implementati.patch
ChangeID: d066a9baacc0d967dd80ac54c684cde031ac686e
Description:
Affects before 1.8.8 and 1.9.x before 1.9.3
(From OE-Core rev: 7de5e19a668f268f0cc56617a9f5760054acb5f5)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch | 109 | ||||
-rw-r--r-- | meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb | 1 |
2 files changed, 110 insertions, 0 deletions
diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch new file mode 100644 index 0000000000..c0d00485e6 --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch | |||
@@ -0,0 +1,109 @@ | |||
1 | From 707c3c5c511ee70ad0e39ec613471f665305fbea Mon Sep 17 00:00:00 2001 | ||
2 | From: NIIBE Yutaka <gniibe@fsij.org> | ||
3 | Date: Fri, 21 May 2021 11:15:07 +0900 | ||
4 | Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations. | ||
5 | |||
6 | * cipher/elgamal.c (gen_k): Remove support of smaller K. | ||
7 | (do_encrypt): Never use smaller K. | ||
8 | (sign): Folllow the change of gen_k. | ||
9 | |||
10 | -- | ||
11 | |||
12 | Cherry-pick master commit of: | ||
13 | 632d80ef30e13de6926d503aa697f92b5dbfbc5e | ||
14 | |||
15 | This change basically reverts encryption changes in two commits: | ||
16 | |||
17 | 74386120dad6b3da62db37f7044267c8ef34689b | ||
18 | 78531373a342aeb847950f404343a05e36022065 | ||
19 | |||
20 | Use of smaller K for ephemeral key in ElGamal encryption is only good, | ||
21 | when we can guarantee that recipient's key is generated by our | ||
22 | implementation (or compatible). | ||
23 | |||
24 | For detail, please see: | ||
25 | |||
26 | Luca De Feo, Bertram Poettering, Alessandro Sorniotti, | ||
27 | "On the (in)security of ElGamal in OpenPGP"; | ||
28 | in the proceedings of CCS'2021. | ||
29 | |||
30 | CVE-id: CVE-2021-33560 | ||
31 | GnuPG-bug-id: 5328 | ||
32 | Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti | ||
33 | Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> | ||
34 | |||
35 | Upstream-Status: Backport | ||
36 | CVE: CVE-2021-33560 | ||
37 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
38 | --- | ||
39 | cipher/elgamal.c | 24 ++++++------------------ | ||
40 | 1 file changed, 6 insertions(+), 18 deletions(-) | ||
41 | |||
42 | diff --git a/cipher/elgamal.c b/cipher/elgamal.c | ||
43 | index 4eb52d62..ae7a631e 100644 | ||
44 | --- a/cipher/elgamal.c | ||
45 | +++ b/cipher/elgamal.c | ||
46 | @@ -66,7 +66,7 @@ static const char *elg_names[] = | ||
47 | |||
48 | |||
49 | static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie); | ||
50 | -static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k); | ||
51 | +static gcry_mpi_t gen_k (gcry_mpi_t p); | ||
52 | static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits, | ||
53 | gcry_mpi_t **factors); | ||
54 | static int check_secret_key (ELG_secret_key *sk); | ||
55 | @@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie ) | ||
56 | |||
57 | /**************** | ||
58 | * Generate a random secret exponent k from prime p, so that k is | ||
59 | - * relatively prime to p-1. With SMALL_K set, k will be selected for | ||
60 | - * better encryption performance - this must never be used signing! | ||
61 | + * relatively prime to p-1. | ||
62 | */ | ||
63 | static gcry_mpi_t | ||
64 | -gen_k( gcry_mpi_t p, int small_k ) | ||
65 | +gen_k( gcry_mpi_t p ) | ||
66 | { | ||
67 | gcry_mpi_t k = mpi_alloc_secure( 0 ); | ||
68 | gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) ); | ||
69 | @@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k ) | ||
70 | unsigned int nbits, nbytes; | ||
71 | char *rndbuf = NULL; | ||
72 | |||
73 | - if (small_k) | ||
74 | - { | ||
75 | - /* Using a k much lesser than p is sufficient for encryption and | ||
76 | - * it greatly improves the encryption performance. We use | ||
77 | - * Wiener's table and add a large safety margin. */ | ||
78 | - nbits = wiener_map( orig_nbits ) * 3 / 2; | ||
79 | - if( nbits >= orig_nbits ) | ||
80 | - BUG(); | ||
81 | - } | ||
82 | - else | ||
83 | - nbits = orig_nbits; | ||
84 | - | ||
85 | + nbits = orig_nbits; | ||
86 | |||
87 | nbytes = (nbits+7)/8; | ||
88 | if( DBG_CIPHER ) | ||
89 | @@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey ) | ||
90 | * error code. | ||
91 | */ | ||
92 | |||
93 | - k = gen_k( pkey->p, 1 ); | ||
94 | + k = gen_k( pkey->p ); | ||
95 | mpi_powm (a, pkey->g, k, pkey->p); | ||
96 | |||
97 | /* b = (y^k * input) mod p | ||
98 | @@ -594,7 +582,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey ) | ||
99 | * | ||
100 | */ | ||
101 | mpi_sub_ui(p_1, p_1, 1); | ||
102 | - k = gen_k( skey->p, 0 /* no small K ! */ ); | ||
103 | + k = gen_k( skey->p ); | ||
104 | mpi_powm( a, skey->g, k, skey->p ); | ||
105 | mpi_mul(t, skey->x, a ); | ||
106 | mpi_subm(t, input, t, p_1 ); | ||
107 | -- | ||
108 | 2.30.2 | ||
109 | |||
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb index 16a58ad9b8..174b087b24 100644 --- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb +++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb | |||
@@ -28,6 +28,7 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \ | |||
28 | file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \ | 28 | file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \ |
29 | file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \ | 29 | file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \ |
30 | file://determinism.patch \ | 30 | file://determinism.patch \ |
31 | file://CVE-2021-33560.patch \ | ||
31 | " | 32 | " |
32 | SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743" | 33 | SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743" |
33 | SRC_URI[sha256sum] = "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3" | 34 | SRC_URI[sha256sum] = "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3" |