diff options
Diffstat (limited to 'meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch')
-rw-r--r-- | meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch | 109 |
1 files changed, 109 insertions, 0 deletions
diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch b/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch new file mode 100644 index 0000000000..b3a18bc5aa --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch | |||
@@ -0,0 +1,109 @@ | |||
1 | From 707c3c5c511ee70ad0e39ec613471f665305fbea Mon Sep 17 00:00:00 2001 | ||
2 | From: NIIBE Yutaka <gniibe@fsij.org> | ||
3 | Date: Fri, 21 May 2021 11:15:07 +0900 | ||
4 | Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations. | ||
5 | |||
6 | * cipher/elgamal.c (gen_k): Remove support of smaller K. | ||
7 | (do_encrypt): Never use smaller K. | ||
8 | (sign): Folllow the change of gen_k. | ||
9 | |||
10 | -- | ||
11 | |||
12 | Cherry-pick master commit of: | ||
13 | 632d80ef30e13de6926d503aa697f92b5dbfbc5e | ||
14 | |||
15 | This change basically reverts encryption changes in two commits: | ||
16 | |||
17 | 74386120dad6b3da62db37f7044267c8ef34689b | ||
18 | 78531373a342aeb847950f404343a05e36022065 | ||
19 | |||
20 | Use of smaller K for ephemeral key in ElGamal encryption is only good, | ||
21 | when we can guarantee that recipient's key is generated by our | ||
22 | implementation (or compatible). | ||
23 | |||
24 | For detail, please see: | ||
25 | |||
26 | Luca De Feo, Bertram Poettering, Alessandro Sorniotti, | ||
27 | "On the (in)security of ElGamal in OpenPGP"; | ||
28 | in the proceedings of CCS'2021. | ||
29 | |||
30 | CVE-id: CVE-2021-33560 | ||
31 | GnuPG-bug-id: 5328 | ||
32 | Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti | ||
33 | Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> | ||
34 | |||
35 | Upstream-Status: Backport | ||
36 | CVE: CVE-2021-40528 | ||
37 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
38 | --- | ||
39 | cipher/elgamal.c | 24 ++++++------------------ | ||
40 | 1 file changed, 6 insertions(+), 18 deletions(-) | ||
41 | |||
42 | diff --git a/cipher/elgamal.c b/cipher/elgamal.c | ||
43 | index 4eb52d62..ae7a631e 100644 | ||
44 | --- a/cipher/elgamal.c | ||
45 | +++ b/cipher/elgamal.c | ||
46 | @@ -66,7 +66,7 @@ static const char *elg_names[] = | ||
47 | |||
48 | |||
49 | static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie); | ||
50 | -static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k); | ||
51 | +static gcry_mpi_t gen_k (gcry_mpi_t p); | ||
52 | static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits, | ||
53 | gcry_mpi_t **factors); | ||
54 | static int check_secret_key (ELG_secret_key *sk); | ||
55 | @@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie ) | ||
56 | |||
57 | /**************** | ||
58 | * Generate a random secret exponent k from prime p, so that k is | ||
59 | - * relatively prime to p-1. With SMALL_K set, k will be selected for | ||
60 | - * better encryption performance - this must never be used signing! | ||
61 | + * relatively prime to p-1. | ||
62 | */ | ||
63 | static gcry_mpi_t | ||
64 | -gen_k( gcry_mpi_t p, int small_k ) | ||
65 | +gen_k( gcry_mpi_t p ) | ||
66 | { | ||
67 | gcry_mpi_t k = mpi_alloc_secure( 0 ); | ||
68 | gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) ); | ||
69 | @@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k ) | ||
70 | unsigned int nbits, nbytes; | ||
71 | char *rndbuf = NULL; | ||
72 | |||
73 | - if (small_k) | ||
74 | - { | ||
75 | - /* Using a k much lesser than p is sufficient for encryption and | ||
76 | - * it greatly improves the encryption performance. We use | ||
77 | - * Wiener's table and add a large safety margin. */ | ||
78 | - nbits = wiener_map( orig_nbits ) * 3 / 2; | ||
79 | - if( nbits >= orig_nbits ) | ||
80 | - BUG(); | ||
81 | - } | ||
82 | - else | ||
83 | - nbits = orig_nbits; | ||
84 | - | ||
85 | + nbits = orig_nbits; | ||
86 | |||
87 | nbytes = (nbits+7)/8; | ||
88 | if( DBG_CIPHER ) | ||
89 | @@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey ) | ||
90 | * error code. | ||
91 | */ | ||
92 | |||
93 | - k = gen_k( pkey->p, 1 ); | ||
94 | + k = gen_k( pkey->p ); | ||
95 | mpi_powm (a, pkey->g, k, pkey->p); | ||
96 | |||
97 | /* b = (y^k * input) mod p | ||
98 | @@ -594,7 +582,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey ) | ||
99 | * | ||
100 | */ | ||
101 | mpi_sub_ui(p_1, p_1, 1); | ||
102 | - k = gen_k( skey->p, 0 /* no small K ! */ ); | ||
103 | + k = gen_k( skey->p ); | ||
104 | mpi_powm( a, skey->g, k, skey->p ); | ||
105 | mpi_mul(t, skey->x, a ); | ||
106 | mpi_subm(t, input, t, p_1 ); | ||
107 | -- | ||
108 | 2.30.2 | ||
109 | |||