libgcrypt: solve CVE-2021-33560 and CVE-2021-40528

This change fixes patches for two issues reported in a research paper [1]: a side channel attack (*) and a cross-configuration attack (**). In this commit we add a fix for (*) that wasn't marked as a CVE initially upstream. A fix of (**) previosly available in OE backports is in fact fixing CVE-2021-40528, not CVE-2021-33560 as marked in the commit message. We commit the accual fix for CVE-2021-33560 and rename the existing fix with the correct CVE-2021-40528. For details of the mismatch and the timeline see [2] (fix of the documentation) and [3] (the related ticket upstream). [1] https://eprint.iacr.org/2021/923.pdf [2] https://dev.gnupg.org/rCb118681ebc4c9ea4b9da79b0f9541405a64f4c13 [3] https://dev.gnupg.org/T5328#149606 (From OE-Core rev: 0ce5c68933b52d2cfe9eea967d24d57ac82250c3) Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Marta Rybczynska <rybczynska@gmail.com> 2021-12-06 08:15:43 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-12-14 22:49:22 +0000
commit: ec21b227cdd2508717f7c9d50b7fd6046a7fc1b0 (patch)
tree: f4ed15c199abd666e0a6118128bdd38dc540c208
parent: 947e5ff11c56e1a8d0d7e7c4b6bad6ce913fd22b (diff)
download: poky-ec21b227cdd2508717f7c9d50b7fd6046a7fc1b0.tar.gz
3 files changed, 163 insertions, 85 deletions
diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
index c0d00485e6..bf26486d8b 100644
--- a/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
+++ b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
@@ -1,109 +1,77 @@
-From 707c3c5c511ee70ad0e39ec613471f665305fbea Mon Sep 17 00:00:00 2001
+From e8b7f10be275bcedb5fc05ed4837a89bfd605c61 Mon Sep 17 00:00:00 2001
 From: NIIBE Yutaka <gniibe@fsij.org>
-Date: Fri, 21 May 2021 11:15:07 +0900
+Date: Tue, 13 Apr 2021 10:00:00 +0900
-Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations.
+Subject: [PATCH] cipher: Hardening ElGamal by introducing exponent blinding
+ too.
-* cipher/elgamal.c (gen_k): Remove support of smaller K.
+* cipher/elgamal.c (do_encrypt): Also do exponent blinding.
-(do_encrypt): Never use smaller K.
-(sign): Folllow the change of gen_k.
 --
-Cherry-pick master commit of:
+Base blinding had been introduced with USE_BLINDING.  This patch add
-        632d80ef30e13de6926d503aa697f92b5dbfbc5e
+exponent blinding as well to mitigate side-channel attack on mpi_powm.
-This change basically reverts encryption changes in two commits:
-        74386120dad6b3da62db37f7044267c8ef34689b
-        78531373a342aeb847950f404343a05e36022065
-Use of smaller K for ephemeral key in ElGamal encryption is only good,
-when we can guarantee that recipient's key is generated by our
-implementation (or compatible).
-For detail, please see:
-    Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
-    "On the (in)security of ElGamal in OpenPGP";
-    in the proceedings of  CCS'2021.
-CVE-id: CVE-2021-33560
 GnuPG-bug-id: 5328
-Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 Upstream-Status: Backport
 CVE: CVE-2021-33560
-Signed-off-by: Armin Kuster <akuster@mvista.com>
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
 ---
- cipher/elgamal.c | 24 ++++++------------------
+ cipher/elgamal.c | 20 +++++++++++++++++---
- 1 file changed, 6 insertions(+), 18 deletions(-)
+ 1 file changed, 17 insertions(+), 3 deletions(-)
 diff --git a/cipher/elgamal.c b/cipher/elgamal.c
-index 4eb52d62..ae7a631e 100644
+index 4eb52d62..9835122f 100644
 --- a/cipher/elgamal.c
 +++ b/cipher/elgamal.c
-@@ -66,7 +66,7 @@ static const char *elg_names[] =
+@@ -522,8 +522,9 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
- 
+ static void
+ decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey )
+ {
+-  gcry_mpi_t t1, t2, r;
+  gcry_mpi_t t1, t2, r, r1, h;
+   unsigned int nbits = mpi_get_nbits (skey->p);
+  gcry_mpi_t x_blind;
 
- static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
+   mpi_normalize (a);
-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
+   mpi_normalize (b);
-+static gcry_mpi_t gen_k (gcry_mpi_t p);
+@@ -534,20 +535,33 @@ decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey )
- static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
-                                  gcry_mpi_t **factors);
- static int  check_secret_key (ELG_secret_key *sk);
-@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
 
- /****************
+   t2 = mpi_snew (nbits);
-  * Generate a random secret exponent k from prime p, so that k is
+   r  = mpi_new (nbits);
- * relatively prime to p-1.  With SMALL_K set, k will be selected for
+  r1 = mpi_new (nbits);
- * better encryption performance - this must never be used signing!
+  h  = mpi_new (nbits);
-+ * relatively prime to p-1.
+  x_blind = mpi_snew (nbits);
-  */
- static gcry_mpi_t
-gen_k( gcry_mpi_t p, int small_k )
-+gen_k( gcry_mpi_t p )
- {
-   gcry_mpi_t k = mpi_alloc_secure( 0 );
-   gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
-@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
-   unsigned int nbits, nbytes;
-   char *rndbuf = NULL;
 
-  if (small_k)
+   /* We need a random number of about the prime size.  The random
-    {
+      number merely needs to be unpredictable; thus we use level 0.  */
-      /* Using a k much lesser than p is sufficient for encryption and
+   _gcry_mpi_randomize (r, nbits, GCRY_WEAK_RANDOM);
-       * it greatly improves the encryption performance.  We use
-       * Wiener's table and add a large safety margin. */
-      nbits = wiener_map( orig_nbits ) * 3 / 2;
-      if( nbits >= orig_nbits )
-        BUG();
-    }
-  else
-    nbits = orig_nbits;
-
-+  nbits = orig_nbits;
 
-   nbytes = (nbits+7)/8;
+  /* Also, exponent blinding: x_blind = x + (p-1)*r1 */
-   if( DBG_CIPHER )
+  _gcry_mpi_randomize (r1, nbits, GCRY_WEAK_RANDOM);
-@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
+  mpi_set_highbit (r1, nbits - 1);
-    * error code.
+  mpi_sub_ui (h, skey->p, 1);
-    */
+  mpi_mul (x_blind, h, r1);
+  mpi_add (x_blind, skey->x, x_blind);
+
+   /* t1 = r^x mod p */
+-  mpi_powm (t1, r, skey->x, skey->p);
+  mpi_powm (t1, r, x_blind, skey->p);
+   /* t2 = (a * r)^-x mod p */
+   mpi_mulm (t2, a, r, skey->p);
+-  mpi_powm (t2, t2, skey->x, skey->p);
+  mpi_powm (t2, t2, x_blind, skey->p);
+   mpi_invm (t2, t2, skey->p);
+   /* t1 = (t1 * t2) mod p*/
+   mpi_mulm (t1, t1, t2, skey->p);
 
-  k = gen_k( pkey->p, 1 );
+  mpi_free (x_blind);
-+  k = gen_k( pkey->p );
+  mpi_free (h);
-   mpi_powm (a, pkey->g, k, pkey->p);
+  mpi_free (r1);
+   mpi_free (r);
+   mpi_free (t2);
 
-   /* b = (y^k * input) mod p
-@@ -594,7 +582,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
-     *
-     */
-     mpi_sub_ui(p_1, p_1, 1);
-    k = gen_k( skey->p, 0 /* no small K ! */ );
-+    k = gen_k( skey->p );
-     mpi_powm( a, skey->g, k, skey->p );
-     mpi_mul(t, skey->x, a );
-     mpi_subm(t, input, t, p_1 );
 -- 
-2.30.2
+2.11.0
diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch b/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch
new file mode 100644
index 0000000000..b3a18bc5aa
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch
@@ -0,0 +1,109 @@
+From 707c3c5c511ee70ad0e39ec613471f665305fbea Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Fri, 21 May 2021 11:15:07 +0900
+Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations.
+* cipher/elgamal.c (gen_k): Remove support of smaller K.
+(do_encrypt): Never use smaller K.
+(sign): Folllow the change of gen_k.
+--
+Cherry-pick master commit of:
+        632d80ef30e13de6926d503aa697f92b5dbfbc5e
+This change basically reverts encryption changes in two commits:
+        74386120dad6b3da62db37f7044267c8ef34689b
+        78531373a342aeb847950f404343a05e36022065
+Use of smaller K for ephemeral key in ElGamal encryption is only good,
+when we can guarantee that recipient's key is generated by our
+implementation (or compatible).
+For detail, please see:
+    Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
+    "On the (in)security of ElGamal in OpenPGP";
+    in the proceedings of  CCS'2021.
+CVE-id: CVE-2021-33560
+GnuPG-bug-id: 5328
+Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+Upstream-Status: Backport
+CVE: CVE-2021-40528
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ cipher/elgamal.c | 24 ++++++------------------
+ 1 file changed, 6 insertions(+), 18 deletions(-)
+diff --git a/cipher/elgamal.c b/cipher/elgamal.c
+index 4eb52d62..ae7a631e 100644
+--- a/cipher/elgamal.c
+++ b/cipher/elgamal.c
+@@ -66,7 +66,7 @@ static const char *elg_names[] =
+ 
+ 
+ static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
+-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
+static gcry_mpi_t gen_k (gcry_mpi_t p);
+ static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
+                                  gcry_mpi_t **factors);
+ static int  check_secret_key (ELG_secret_key *sk);
+@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
+ 
+ /****************
+  * Generate a random secret exponent k from prime p, so that k is
+- * relatively prime to p-1.  With SMALL_K set, k will be selected for
+- * better encryption performance - this must never be used signing!
+ * relatively prime to p-1.
+  */
+ static gcry_mpi_t
+-gen_k( gcry_mpi_t p, int small_k )
+gen_k( gcry_mpi_t p )
+ {
+   gcry_mpi_t k = mpi_alloc_secure( 0 );
+   gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
+@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
+   unsigned int nbits, nbytes;
+   char *rndbuf = NULL;
+ 
+-  if (small_k)
+-    {
+-      /* Using a k much lesser than p is sufficient for encryption and
+-       * it greatly improves the encryption performance.  We use
+-       * Wiener's table and add a large safety margin. */
+-      nbits = wiener_map( orig_nbits ) * 3 / 2;
+-      if( nbits >= orig_nbits )
+-        BUG();
+-    }
+-  else
+-    nbits = orig_nbits;
+-
+  nbits = orig_nbits;
+ 
+   nbytes = (nbits+7)/8;
+   if( DBG_CIPHER )
+@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
+    * error code.
+    */
+ 
+-  k = gen_k( pkey->p, 1 );
+  k = gen_k( pkey->p );
+   mpi_powm (a, pkey->g, k, pkey->p);
+ 
+   /* b = (y^k * input) mod p
+@@ -594,7 +582,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
+     *
+     */
+     mpi_sub_ui(p_1, p_1, 1);
+-    k = gen_k( skey->p, 0 /* no small K ! */ );
+    k = gen_k( skey->p );
+     mpi_powm( a, skey->g, k, skey->p );
+     mpi_mul(t, skey->x, a );
+     mpi_subm(t, input, t, p_1 );
+-- 
+2.30.2
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
index 174b087b24..8045bab9ed 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
@@ -29,6 +29,7 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
           file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \
           file://determinism.patch \
           file://CVE-2021-33560.patch \
+           file://CVE-2021-40528.patch \
 "
 SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743"
 SRC_URI[sha256sum] = "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3"
author	Marta Rybczynska <rybczynska@gmail.com>	2021-12-06 08:15:43 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-12-14 22:49:22 +0000
commit	ec21b227cdd2508717f7c9d50b7fd6046a7fc1b0 (patch)
tree	f4ed15c199abd666e0a6118128bdd38dc540c208
parent	947e5ff11c56e1a8d0d7e7c4b6bad6ce913fd22b (diff)
download	poky-ec21b227cdd2508717f7c9d50b7fd6046a7fc1b0.tar.gz

diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch index c0d00485e6..bf26486d8b 100644 --- a/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch +++ b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
@@ -1,109 +1,77 @@
1	From 707c3c5c511ee70ad0e39ec613471f665305fbea Mon Sep 17 00:00:00 2001	1	From e8b7f10be275bcedb5fc05ed4837a89bfd605c61 Mon Sep 17 00:00:00 2001
2	From: NIIBE Yutaka <gniibe@fsij.org>	2	From: NIIBE Yutaka <gniibe@fsij.org>
3	Date: Fri, 21 May 2021 11:15:07 +0900	3	Date: Tue, 13 Apr 2021 10:00:00 +0900
4	Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations.	4	Subject: [PATCH] cipher: Hardening ElGamal by introducing exponent blinding
		5	too.
5		6
6	* cipher/elgamal.c (gen_k): Remove support of smaller K.	7	* cipher/elgamal.c (do_encrypt): Also do exponent blinding.
7	(do_encrypt): Never use smaller K.
8	(sign): Folllow the change of gen_k.
9		8
10	--	9	--
11		10
12	Cherry-pick master commit of:	11	Base blinding had been introduced with USE_BLINDING. This patch add
13	632d80ef30e13de6926d503aa697f92b5dbfbc5e	12	exponent blinding as well to mitigate side-channel attack on mpi_powm.
14		13
15	This change basically reverts encryption changes in two commits:
16
17	74386120dad6b3da62db37f7044267c8ef34689b
18	78531373a342aeb847950f404343a05e36022065
19
20	Use of smaller K for ephemeral key in ElGamal encryption is only good,
21	when we can guarantee that recipient's key is generated by our
22	implementation (or compatible).
23
24	For detail, please see:
25
26	Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
27	"On the (in)security of ElGamal in OpenPGP";
28	in the proceedings of CCS'2021.
29
30	CVE-id: CVE-2021-33560
31	GnuPG-bug-id: 5328	14	GnuPG-bug-id: 5328
32	Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
33	Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>	15	Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
34		16
35	Upstream-Status: Backport	17	Upstream-Status: Backport
36	CVE: CVE-2021-33560	18	CVE: CVE-2021-33560
37	Signed-off-by: Armin Kuster <akuster@mvista.com>	19	Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
38	---	20	---
39	cipher/elgamal.c \| 24 ++++++------------------	21	cipher/elgamal.c \| 20 +++++++++++++++++---
40	1 file changed, 6 insertions(+), 18 deletions(-)	22	1 file changed, 17 insertions(+), 3 deletions(-)
41		23
42	diff --git a/cipher/elgamal.c b/cipher/elgamal.c	24	diff --git a/cipher/elgamal.c b/cipher/elgamal.c
43	index 4eb52d62..ae7a631e 100644	25	index 4eb52d62..9835122f 100644
44	--- a/cipher/elgamal.c	26	--- a/cipher/elgamal.c
45	+++ b/cipher/elgamal.c	27	+++ b/cipher/elgamal.c
46	@@ -66,7 +66,7 @@ static const char *elg_names[] =	28	@@ -522,8 +522,9 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
47		29	static void
		30	decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey )
		31	{
		32	- gcry_mpi_t t1, t2, r;
		33	+ gcry_mpi_t t1, t2, r, r1, h;
		34	unsigned int nbits = mpi_get_nbits (skey->p);
		35	+ gcry_mpi_t x_blind;
48		36
49	static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);	37	mpi_normalize (a);
50	-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);	38	mpi_normalize (b);
51	+static gcry_mpi_t gen_k (gcry_mpi_t p);	39	@@ -534,20 +535,33 @@ decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey )
52	static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
53	gcry_mpi_t **factors);
54	static int check_secret_key (ELG_secret_key *sk);
55	@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
56		40
57	/****************	41	t2 = mpi_snew (nbits);
58	* Generate a random secret exponent k from prime p, so that k is	42	r = mpi_new (nbits);
59	- * relatively prime to p-1. With SMALL_K set, k will be selected for	43	+ r1 = mpi_new (nbits);
60	- * better encryption performance - this must never be used signing!	44	+ h = mpi_new (nbits);
61	+ * relatively prime to p-1.	45	+ x_blind = mpi_snew (nbits);
62	*/
63	static gcry_mpi_t
64	-gen_k( gcry_mpi_t p, int small_k )
65	+gen_k( gcry_mpi_t p )
66	{
67	gcry_mpi_t k = mpi_alloc_secure( 0 );
68	gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
69	@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
70	unsigned int nbits, nbytes;
71	char *rndbuf = NULL;
72		46
73	- if (small_k)	47	/* We need a random number of about the prime size. The random
74	- {	48	number merely needs to be unpredictable; thus we use level 0. */
75	- /* Using a k much lesser than p is sufficient for encryption and	49	_gcry_mpi_randomize (r, nbits, GCRY_WEAK_RANDOM);
76	- * it greatly improves the encryption performance. We use
77	- * Wiener's table and add a large safety margin. */
78	- nbits = wiener_map( orig_nbits ) * 3 / 2;
79	- if( nbits >= orig_nbits )
80	- BUG();
81	- }
82	- else
83	- nbits = orig_nbits;
84	-
85	+ nbits = orig_nbits;
86		50
87	nbytes = (nbits+7)/8;	51	+ /* Also, exponent blinding: x_blind = x + (p-1)r1 /
88	if( DBG_CIPHER )	52	+ _gcry_mpi_randomize (r1, nbits, GCRY_WEAK_RANDOM);
89	@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )	53	+ mpi_set_highbit (r1, nbits - 1);
90	* error code.	54	+ mpi_sub_ui (h, skey->p, 1);
91	*/	55	+ mpi_mul (x_blind, h, r1);
		56	+ mpi_add (x_blind, skey->x, x_blind);
		57	+
		58	/* t1 = r^x mod p */
		59	- mpi_powm (t1, r, skey->x, skey->p);
		60	+ mpi_powm (t1, r, x_blind, skey->p);
		61	/* t2 = (a * r)^-x mod p */
		62	mpi_mulm (t2, a, r, skey->p);
		63	- mpi_powm (t2, t2, skey->x, skey->p);
		64	+ mpi_powm (t2, t2, x_blind, skey->p);
		65	mpi_invm (t2, t2, skey->p);
		66	/* t1 = (t1 * t2) mod p*/
		67	mpi_mulm (t1, t1, t2, skey->p);
92		68
93	- k = gen_k( pkey->p, 1 );	69	+ mpi_free (x_blind);
94	+ k = gen_k( pkey->p );	70	+ mpi_free (h);
95	mpi_powm (a, pkey->g, k, pkey->p);	71	+ mpi_free (r1);
		72	mpi_free (r);
		73	mpi_free (t2);
96		74
97	/* b = (y^k * input) mod p
98	@@ -594,7 +582,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
99	*
100	*/
101	mpi_sub_ui(p_1, p_1, 1);
102	- k = gen_k( skey->p, 0 /* no small K ! */ );
103	+ k = gen_k( skey->p );
104	mpi_powm( a, skey->g, k, skey->p );
105	mpi_mul(t, skey->x, a );
106	mpi_subm(t, input, t, p_1 );
107	--	75	--
108	2.30.2	76	2.11.0
109		77


diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch b/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch new file mode 100644 index 0000000000..b3a18bc5aa --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch
@@ -0,0 +1,109 @@
		1	From 707c3c5c511ee70ad0e39ec613471f665305fbea Mon Sep 17 00:00:00 2001
		2	From: NIIBE Yutaka <gniibe@fsij.org>
		3	Date: Fri, 21 May 2021 11:15:07 +0900
		4	Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations.
		5
		6	* cipher/elgamal.c (gen_k): Remove support of smaller K.
		7	(do_encrypt): Never use smaller K.
		8	(sign): Folllow the change of gen_k.
		9
		10	--
		11
		12	Cherry-pick master commit of:
		13	632d80ef30e13de6926d503aa697f92b5dbfbc5e
		14
		15	This change basically reverts encryption changes in two commits:
		16
		17	74386120dad6b3da62db37f7044267c8ef34689b
		18	78531373a342aeb847950f404343a05e36022065
		19
		20	Use of smaller K for ephemeral key in ElGamal encryption is only good,
		21	when we can guarantee that recipient's key is generated by our
		22	implementation (or compatible).
		23
		24	For detail, please see:
		25
		26	Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
		27	"On the (in)security of ElGamal in OpenPGP";
		28	in the proceedings of CCS'2021.
		29
		30	CVE-id: CVE-2021-33560
		31	GnuPG-bug-id: 5328
		32	Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
		33	Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
		34
		35	Upstream-Status: Backport
		36	CVE: CVE-2021-40528
		37	Signed-off-by: Armin Kuster <akuster@mvista.com>
		38	---
		39	cipher/elgamal.c \| 24 ++++++------------------
		40	1 file changed, 6 insertions(+), 18 deletions(-)
		41
		42	diff --git a/cipher/elgamal.c b/cipher/elgamal.c
		43	index 4eb52d62..ae7a631e 100644
		44	--- a/cipher/elgamal.c
		45	+++ b/cipher/elgamal.c
		46	@@ -66,7 +66,7 @@ static const char *elg_names[] =
		47
		48
		49	static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
		50	-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
		51	+static gcry_mpi_t gen_k (gcry_mpi_t p);
		52	static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
		53	gcry_mpi_t **factors);
		54	static int check_secret_key (ELG_secret_key *sk);
		55	@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
		56
		57	/****************
		58	* Generate a random secret exponent k from prime p, so that k is
		59	- * relatively prime to p-1. With SMALL_K set, k will be selected for
		60	- * better encryption performance - this must never be used signing!
		61	+ * relatively prime to p-1.
		62	*/
		63	static gcry_mpi_t
		64	-gen_k( gcry_mpi_t p, int small_k )
		65	+gen_k( gcry_mpi_t p )
		66	{
		67	gcry_mpi_t k = mpi_alloc_secure( 0 );
		68	gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
		69	@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
		70	unsigned int nbits, nbytes;
		71	char *rndbuf = NULL;
		72
		73	- if (small_k)
		74	- {
		75	- /* Using a k much lesser than p is sufficient for encryption and
		76	- * it greatly improves the encryption performance. We use
		77	- * Wiener's table and add a large safety margin. */
		78	- nbits = wiener_map( orig_nbits ) * 3 / 2;
		79	- if( nbits >= orig_nbits )
		80	- BUG();
		81	- }
		82	- else
		83	- nbits = orig_nbits;
		84	-
		85	+ nbits = orig_nbits;
		86
		87	nbytes = (nbits+7)/8;
		88	if( DBG_CIPHER )
		89	@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
		90	* error code.
		91	*/
		92
		93	- k = gen_k( pkey->p, 1 );
		94	+ k = gen_k( pkey->p );
		95	mpi_powm (a, pkey->g, k, pkey->p);
		96
		97	/* b = (y^k * input) mod p
		98	@@ -594,7 +582,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
		99	*
		100	*/
		101	mpi_sub_ui(p_1, p_1, 1);
		102	- k = gen_k( skey->p, 0 /* no small K ! */ );
		103	+ k = gen_k( skey->p );
		104	mpi_powm( a, skey->g, k, skey->p );
		105	mpi_mul(t, skey->x, a );
		106	mpi_subm(t, input, t, p_1 );
		107	--
		108	2.30.2
		109


diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb index 174b087b24..8045bab9ed 100644 --- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb +++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
@@ -29,6 +29,7 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
29	file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \	29	file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \
30	file://determinism.patch \	30	file://determinism.patch \
31	file://CVE-2021-33560.patch \	31	file://CVE-2021-33560.patch \
		32	file://CVE-2021-40528.patch \
32	"	33	"
33	SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743"	34	SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743"
34	SRC_URI[sha256sum] = "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3"	35	SRC_URI[sha256sum] = "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3"