diff options
author | Marta Rybczynska <rybczynska@gmail.com> | 2021-12-06 08:15:43 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-12-14 22:49:22 +0000 |
commit | ec21b227cdd2508717f7c9d50b7fd6046a7fc1b0 (patch) | |
tree | f4ed15c199abd666e0a6118128bdd38dc540c208 | |
parent | 947e5ff11c56e1a8d0d7e7c4b6bad6ce913fd22b (diff) | |
download | poky-ec21b227cdd2508717f7c9d50b7fd6046a7fc1b0.tar.gz |
libgcrypt: solve CVE-2021-33560 and CVE-2021-40528
This change fixes patches for two issues reported in a research
paper [1]: a side channel attack (*) and a cross-configuration
attack (**).
In this commit we add a fix for (*) that wasn't marked as a CVE
initially upstream. A fix of (**) previosly available in OE
backports is in fact fixing CVE-2021-40528, not CVE-2021-33560
as marked in the commit message.
We commit the accual fix for CVE-2021-33560 and rename the
existing fix with the correct CVE-2021-40528.
For details of the mismatch and the timeline see [2] (fix of the
documentation) and [3] (the related ticket upstream).
[1] https://eprint.iacr.org/2021/923.pdf
[2] https://dev.gnupg.org/rCb118681ebc4c9ea4b9da79b0f9541405a64f4c13
[3] https://dev.gnupg.org/T5328#149606
(From OE-Core rev: 0ce5c68933b52d2cfe9eea967d24d57ac82250c3)
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
3 files changed, 163 insertions, 85 deletions
diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch index c0d00485e6..bf26486d8b 100644 --- a/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch +++ b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch | |||
@@ -1,109 +1,77 @@ | |||
1 | From 707c3c5c511ee70ad0e39ec613471f665305fbea Mon Sep 17 00:00:00 2001 | 1 | From e8b7f10be275bcedb5fc05ed4837a89bfd605c61 Mon Sep 17 00:00:00 2001 |
2 | From: NIIBE Yutaka <gniibe@fsij.org> | 2 | From: NIIBE Yutaka <gniibe@fsij.org> |
3 | Date: Fri, 21 May 2021 11:15:07 +0900 | 3 | Date: Tue, 13 Apr 2021 10:00:00 +0900 |
4 | Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations. | 4 | Subject: [PATCH] cipher: Hardening ElGamal by introducing exponent blinding |
5 | too. | ||
5 | 6 | ||
6 | * cipher/elgamal.c (gen_k): Remove support of smaller K. | 7 | * cipher/elgamal.c (do_encrypt): Also do exponent blinding. |
7 | (do_encrypt): Never use smaller K. | ||
8 | (sign): Folllow the change of gen_k. | ||
9 | 8 | ||
10 | -- | 9 | -- |
11 | 10 | ||
12 | Cherry-pick master commit of: | 11 | Base blinding had been introduced with USE_BLINDING. This patch add |
13 | 632d80ef30e13de6926d503aa697f92b5dbfbc5e | 12 | exponent blinding as well to mitigate side-channel attack on mpi_powm. |
14 | 13 | ||
15 | This change basically reverts encryption changes in two commits: | ||
16 | |||
17 | 74386120dad6b3da62db37f7044267c8ef34689b | ||
18 | 78531373a342aeb847950f404343a05e36022065 | ||
19 | |||
20 | Use of smaller K for ephemeral key in ElGamal encryption is only good, | ||
21 | when we can guarantee that recipient's key is generated by our | ||
22 | implementation (or compatible). | ||
23 | |||
24 | For detail, please see: | ||
25 | |||
26 | Luca De Feo, Bertram Poettering, Alessandro Sorniotti, | ||
27 | "On the (in)security of ElGamal in OpenPGP"; | ||
28 | in the proceedings of CCS'2021. | ||
29 | |||
30 | CVE-id: CVE-2021-33560 | ||
31 | GnuPG-bug-id: 5328 | 14 | GnuPG-bug-id: 5328 |
32 | Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti | ||
33 | Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> | 15 | Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> |
34 | 16 | ||
35 | Upstream-Status: Backport | 17 | Upstream-Status: Backport |
36 | CVE: CVE-2021-33560 | 18 | CVE: CVE-2021-33560 |
37 | Signed-off-by: Armin Kuster <akuster@mvista.com> | 19 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> |
38 | --- | 20 | --- |
39 | cipher/elgamal.c | 24 ++++++------------------ | 21 | cipher/elgamal.c | 20 +++++++++++++++++--- |
40 | 1 file changed, 6 insertions(+), 18 deletions(-) | 22 | 1 file changed, 17 insertions(+), 3 deletions(-) |
41 | 23 | ||
42 | diff --git a/cipher/elgamal.c b/cipher/elgamal.c | 24 | diff --git a/cipher/elgamal.c b/cipher/elgamal.c |
43 | index 4eb52d62..ae7a631e 100644 | 25 | index 4eb52d62..9835122f 100644 |
44 | --- a/cipher/elgamal.c | 26 | --- a/cipher/elgamal.c |
45 | +++ b/cipher/elgamal.c | 27 | +++ b/cipher/elgamal.c |
46 | @@ -66,7 +66,7 @@ static const char *elg_names[] = | 28 | @@ -522,8 +522,9 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey ) |
47 | 29 | static void | |
30 | decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey ) | ||
31 | { | ||
32 | - gcry_mpi_t t1, t2, r; | ||
33 | + gcry_mpi_t t1, t2, r, r1, h; | ||
34 | unsigned int nbits = mpi_get_nbits (skey->p); | ||
35 | + gcry_mpi_t x_blind; | ||
48 | 36 | ||
49 | static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie); | 37 | mpi_normalize (a); |
50 | -static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k); | 38 | mpi_normalize (b); |
51 | +static gcry_mpi_t gen_k (gcry_mpi_t p); | 39 | @@ -534,20 +535,33 @@ decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey ) |
52 | static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits, | ||
53 | gcry_mpi_t **factors); | ||
54 | static int check_secret_key (ELG_secret_key *sk); | ||
55 | @@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie ) | ||
56 | 40 | ||
57 | /**************** | 41 | t2 = mpi_snew (nbits); |
58 | * Generate a random secret exponent k from prime p, so that k is | 42 | r = mpi_new (nbits); |
59 | - * relatively prime to p-1. With SMALL_K set, k will be selected for | 43 | + r1 = mpi_new (nbits); |
60 | - * better encryption performance - this must never be used signing! | 44 | + h = mpi_new (nbits); |
61 | + * relatively prime to p-1. | 45 | + x_blind = mpi_snew (nbits); |
62 | */ | ||
63 | static gcry_mpi_t | ||
64 | -gen_k( gcry_mpi_t p, int small_k ) | ||
65 | +gen_k( gcry_mpi_t p ) | ||
66 | { | ||
67 | gcry_mpi_t k = mpi_alloc_secure( 0 ); | ||
68 | gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) ); | ||
69 | @@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k ) | ||
70 | unsigned int nbits, nbytes; | ||
71 | char *rndbuf = NULL; | ||
72 | 46 | ||
73 | - if (small_k) | 47 | /* We need a random number of about the prime size. The random |
74 | - { | 48 | number merely needs to be unpredictable; thus we use level 0. */ |
75 | - /* Using a k much lesser than p is sufficient for encryption and | 49 | _gcry_mpi_randomize (r, nbits, GCRY_WEAK_RANDOM); |
76 | - * it greatly improves the encryption performance. We use | ||
77 | - * Wiener's table and add a large safety margin. */ | ||
78 | - nbits = wiener_map( orig_nbits ) * 3 / 2; | ||
79 | - if( nbits >= orig_nbits ) | ||
80 | - BUG(); | ||
81 | - } | ||
82 | - else | ||
83 | - nbits = orig_nbits; | ||
84 | - | ||
85 | + nbits = orig_nbits; | ||
86 | 50 | ||
87 | nbytes = (nbits+7)/8; | 51 | + /* Also, exponent blinding: x_blind = x + (p-1)*r1 */ |
88 | if( DBG_CIPHER ) | 52 | + _gcry_mpi_randomize (r1, nbits, GCRY_WEAK_RANDOM); |
89 | @@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey ) | 53 | + mpi_set_highbit (r1, nbits - 1); |
90 | * error code. | 54 | + mpi_sub_ui (h, skey->p, 1); |
91 | */ | 55 | + mpi_mul (x_blind, h, r1); |
56 | + mpi_add (x_blind, skey->x, x_blind); | ||
57 | + | ||
58 | /* t1 = r^x mod p */ | ||
59 | - mpi_powm (t1, r, skey->x, skey->p); | ||
60 | + mpi_powm (t1, r, x_blind, skey->p); | ||
61 | /* t2 = (a * r)^-x mod p */ | ||
62 | mpi_mulm (t2, a, r, skey->p); | ||
63 | - mpi_powm (t2, t2, skey->x, skey->p); | ||
64 | + mpi_powm (t2, t2, x_blind, skey->p); | ||
65 | mpi_invm (t2, t2, skey->p); | ||
66 | /* t1 = (t1 * t2) mod p*/ | ||
67 | mpi_mulm (t1, t1, t2, skey->p); | ||
92 | 68 | ||
93 | - k = gen_k( pkey->p, 1 ); | 69 | + mpi_free (x_blind); |
94 | + k = gen_k( pkey->p ); | 70 | + mpi_free (h); |
95 | mpi_powm (a, pkey->g, k, pkey->p); | 71 | + mpi_free (r1); |
72 | mpi_free (r); | ||
73 | mpi_free (t2); | ||
96 | 74 | ||
97 | /* b = (y^k * input) mod p | ||
98 | @@ -594,7 +582,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey ) | ||
99 | * | ||
100 | */ | ||
101 | mpi_sub_ui(p_1, p_1, 1); | ||
102 | - k = gen_k( skey->p, 0 /* no small K ! */ ); | ||
103 | + k = gen_k( skey->p ); | ||
104 | mpi_powm( a, skey->g, k, skey->p ); | ||
105 | mpi_mul(t, skey->x, a ); | ||
106 | mpi_subm(t, input, t, p_1 ); | ||
107 | -- | 75 | -- |
108 | 2.30.2 | 76 | 2.11.0 |
109 | 77 | ||
diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch b/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch new file mode 100644 index 0000000000..b3a18bc5aa --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch | |||
@@ -0,0 +1,109 @@ | |||
1 | From 707c3c5c511ee70ad0e39ec613471f665305fbea Mon Sep 17 00:00:00 2001 | ||
2 | From: NIIBE Yutaka <gniibe@fsij.org> | ||
3 | Date: Fri, 21 May 2021 11:15:07 +0900 | ||
4 | Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations. | ||
5 | |||
6 | * cipher/elgamal.c (gen_k): Remove support of smaller K. | ||
7 | (do_encrypt): Never use smaller K. | ||
8 | (sign): Folllow the change of gen_k. | ||
9 | |||
10 | -- | ||
11 | |||
12 | Cherry-pick master commit of: | ||
13 | 632d80ef30e13de6926d503aa697f92b5dbfbc5e | ||
14 | |||
15 | This change basically reverts encryption changes in two commits: | ||
16 | |||
17 | 74386120dad6b3da62db37f7044267c8ef34689b | ||
18 | 78531373a342aeb847950f404343a05e36022065 | ||
19 | |||
20 | Use of smaller K for ephemeral key in ElGamal encryption is only good, | ||
21 | when we can guarantee that recipient's key is generated by our | ||
22 | implementation (or compatible). | ||
23 | |||
24 | For detail, please see: | ||
25 | |||
26 | Luca De Feo, Bertram Poettering, Alessandro Sorniotti, | ||
27 | "On the (in)security of ElGamal in OpenPGP"; | ||
28 | in the proceedings of CCS'2021. | ||
29 | |||
30 | CVE-id: CVE-2021-33560 | ||
31 | GnuPG-bug-id: 5328 | ||
32 | Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti | ||
33 | Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> | ||
34 | |||
35 | Upstream-Status: Backport | ||
36 | CVE: CVE-2021-40528 | ||
37 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
38 | --- | ||
39 | cipher/elgamal.c | 24 ++++++------------------ | ||
40 | 1 file changed, 6 insertions(+), 18 deletions(-) | ||
41 | |||
42 | diff --git a/cipher/elgamal.c b/cipher/elgamal.c | ||
43 | index 4eb52d62..ae7a631e 100644 | ||
44 | --- a/cipher/elgamal.c | ||
45 | +++ b/cipher/elgamal.c | ||
46 | @@ -66,7 +66,7 @@ static const char *elg_names[] = | ||
47 | |||
48 | |||
49 | static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie); | ||
50 | -static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k); | ||
51 | +static gcry_mpi_t gen_k (gcry_mpi_t p); | ||
52 | static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits, | ||
53 | gcry_mpi_t **factors); | ||
54 | static int check_secret_key (ELG_secret_key *sk); | ||
55 | @@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie ) | ||
56 | |||
57 | /**************** | ||
58 | * Generate a random secret exponent k from prime p, so that k is | ||
59 | - * relatively prime to p-1. With SMALL_K set, k will be selected for | ||
60 | - * better encryption performance - this must never be used signing! | ||
61 | + * relatively prime to p-1. | ||
62 | */ | ||
63 | static gcry_mpi_t | ||
64 | -gen_k( gcry_mpi_t p, int small_k ) | ||
65 | +gen_k( gcry_mpi_t p ) | ||
66 | { | ||
67 | gcry_mpi_t k = mpi_alloc_secure( 0 ); | ||
68 | gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) ); | ||
69 | @@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k ) | ||
70 | unsigned int nbits, nbytes; | ||
71 | char *rndbuf = NULL; | ||
72 | |||
73 | - if (small_k) | ||
74 | - { | ||
75 | - /* Using a k much lesser than p is sufficient for encryption and | ||
76 | - * it greatly improves the encryption performance. We use | ||
77 | - * Wiener's table and add a large safety margin. */ | ||
78 | - nbits = wiener_map( orig_nbits ) * 3 / 2; | ||
79 | - if( nbits >= orig_nbits ) | ||
80 | - BUG(); | ||
81 | - } | ||
82 | - else | ||
83 | - nbits = orig_nbits; | ||
84 | - | ||
85 | + nbits = orig_nbits; | ||
86 | |||
87 | nbytes = (nbits+7)/8; | ||
88 | if( DBG_CIPHER ) | ||
89 | @@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey ) | ||
90 | * error code. | ||
91 | */ | ||
92 | |||
93 | - k = gen_k( pkey->p, 1 ); | ||
94 | + k = gen_k( pkey->p ); | ||
95 | mpi_powm (a, pkey->g, k, pkey->p); | ||
96 | |||
97 | /* b = (y^k * input) mod p | ||
98 | @@ -594,7 +582,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey ) | ||
99 | * | ||
100 | */ | ||
101 | mpi_sub_ui(p_1, p_1, 1); | ||
102 | - k = gen_k( skey->p, 0 /* no small K ! */ ); | ||
103 | + k = gen_k( skey->p ); | ||
104 | mpi_powm( a, skey->g, k, skey->p ); | ||
105 | mpi_mul(t, skey->x, a ); | ||
106 | mpi_subm(t, input, t, p_1 ); | ||
107 | -- | ||
108 | 2.30.2 | ||
109 | |||
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb index 174b087b24..8045bab9ed 100644 --- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb +++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb | |||
@@ -29,6 +29,7 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \ | |||
29 | file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \ | 29 | file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \ |
30 | file://determinism.patch \ | 30 | file://determinism.patch \ |
31 | file://CVE-2021-33560.patch \ | 31 | file://CVE-2021-33560.patch \ |
32 | file://CVE-2021-40528.patch \ | ||
32 | " | 33 | " |
33 | SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743" | 34 | SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743" |
34 | SRC_URI[sha256sum] = "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3" | 35 | SRC_URI[sha256sum] = "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3" |