3 files changed, 191 insertions, 0 deletions
diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
new file mode 100644
index 0000000000..bf26486d8b
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
@@ -0,0 +1,77 @@
+From e8b7f10be275bcedb5fc05ed4837a89bfd605c61 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Tue, 13 Apr 2021 10:00:00 +0900
+Subject: [PATCH] cipher: Hardening ElGamal by introducing exponent blinding
+ too.
+* cipher/elgamal.c (do_encrypt): Also do exponent blinding.
+--
+Base blinding had been introduced with USE_BLINDING.  This patch add
+exponent blinding as well to mitigate side-channel attack on mpi_powm.
+GnuPG-bug-id: 5328
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+Upstream-Status: Backport
+CVE: CVE-2021-33560
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ cipher/elgamal.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+diff --git a/cipher/elgamal.c b/cipher/elgamal.c
+index 4eb52d62..9835122f 100644
+--- a/cipher/elgamal.c
+++ b/cipher/elgamal.c
+@@ -522,8 +522,9 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
+ static void
+ decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey )
+ {
+-  gcry_mpi_t t1, t2, r;
+  gcry_mpi_t t1, t2, r, r1, h;
+   unsigned int nbits = mpi_get_nbits (skey->p);
+  gcry_mpi_t x_blind;
+ 
+   mpi_normalize (a);
+   mpi_normalize (b);
+@@ -534,20 +535,33 @@ decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey )
+ 
+   t2 = mpi_snew (nbits);
+   r  = mpi_new (nbits);
+  r1 = mpi_new (nbits);
+  h  = mpi_new (nbits);
+  x_blind = mpi_snew (nbits);
+ 
+   /* We need a random number of about the prime size.  The random
+      number merely needs to be unpredictable; thus we use level 0.  */
+   _gcry_mpi_randomize (r, nbits, GCRY_WEAK_RANDOM);
+ 
+  /* Also, exponent blinding: x_blind = x + (p-1)*r1 */
+  _gcry_mpi_randomize (r1, nbits, GCRY_WEAK_RANDOM);
+  mpi_set_highbit (r1, nbits - 1);
+  mpi_sub_ui (h, skey->p, 1);
+  mpi_mul (x_blind, h, r1);
+  mpi_add (x_blind, skey->x, x_blind);
+
+   /* t1 = r^x mod p */
+-  mpi_powm (t1, r, skey->x, skey->p);
+  mpi_powm (t1, r, x_blind, skey->p);
+   /* t2 = (a * r)^-x mod p */
+   mpi_mulm (t2, a, r, skey->p);
+-  mpi_powm (t2, t2, skey->x, skey->p);
+  mpi_powm (t2, t2, x_blind, skey->p);
+   mpi_invm (t2, t2, skey->p);
+   /* t1 = (t1 * t2) mod p*/
+   mpi_mulm (t1, t1, t2, skey->p);
+ 
+  mpi_free (x_blind);
+  mpi_free (h);
+  mpi_free (r1);
+   mpi_free (r);
+   mpi_free (t2);
+ 
+-- 
+2.11.0
diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch b/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch
new file mode 100644
index 0000000000..b3a18bc5aa
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch
@@ -0,0 +1,109 @@
+From 707c3c5c511ee70ad0e39ec613471f665305fbea Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Fri, 21 May 2021 11:15:07 +0900
+Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations.
+* cipher/elgamal.c (gen_k): Remove support of smaller K.
+(do_encrypt): Never use smaller K.
+(sign): Folllow the change of gen_k.
+--
+Cherry-pick master commit of:
+        632d80ef30e13de6926d503aa697f92b5dbfbc5e
+This change basically reverts encryption changes in two commits:
+        74386120dad6b3da62db37f7044267c8ef34689b
+        78531373a342aeb847950f404343a05e36022065
+Use of smaller K for ephemeral key in ElGamal encryption is only good,
+when we can guarantee that recipient's key is generated by our
+implementation (or compatible).
+For detail, please see:
+    Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
+    "On the (in)security of ElGamal in OpenPGP";
+    in the proceedings of  CCS'2021.
+CVE-id: CVE-2021-33560
+GnuPG-bug-id: 5328
+Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+Upstream-Status: Backport
+CVE: CVE-2021-40528
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ cipher/elgamal.c | 24 ++++++------------------
+ 1 file changed, 6 insertions(+), 18 deletions(-)
+diff --git a/cipher/elgamal.c b/cipher/elgamal.c
+index 4eb52d62..ae7a631e 100644
+--- a/cipher/elgamal.c
+++ b/cipher/elgamal.c
+@@ -66,7 +66,7 @@ static const char *elg_names[] =
+ 
+ 
+ static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
+-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
+static gcry_mpi_t gen_k (gcry_mpi_t p);
+ static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
+                                  gcry_mpi_t **factors);
+ static int  check_secret_key (ELG_secret_key *sk);
+@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
+ 
+ /****************
+  * Generate a random secret exponent k from prime p, so that k is
+- * relatively prime to p-1.  With SMALL_K set, k will be selected for
+- * better encryption performance - this must never be used signing!
+ * relatively prime to p-1.
+  */
+ static gcry_mpi_t
+-gen_k( gcry_mpi_t p, int small_k )
+gen_k( gcry_mpi_t p )
+ {
+   gcry_mpi_t k = mpi_alloc_secure( 0 );
+   gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
+@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
+   unsigned int nbits, nbytes;
+   char *rndbuf = NULL;
+ 
+-  if (small_k)
+-    {
+-      /* Using a k much lesser than p is sufficient for encryption and
+-       * it greatly improves the encryption performance.  We use
+-       * Wiener's table and add a large safety margin. */
+-      nbits = wiener_map( orig_nbits ) * 3 / 2;
+-      if( nbits >= orig_nbits )
+-        BUG();
+-    }
+-  else
+-    nbits = orig_nbits;
+-
+  nbits = orig_nbits;
+ 
+   nbytes = (nbits+7)/8;
+   if( DBG_CIPHER )
+@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
+    * error code.
+    */
+ 
+-  k = gen_k( pkey->p, 1 );
+  k = gen_k( pkey->p );
+   mpi_powm (a, pkey->g, k, pkey->p);
+ 
+   /* b = (y^k * input) mod p
+@@ -594,7 +582,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
+     *
+     */
+     mpi_sub_ui(p_1, p_1, 1);
+-    k = gen_k( skey->p, 0 /* no small K ! */ );
+    k = gen_k( skey->p );
+     mpi_powm( a, skey->g, k, skey->p );
+     mpi_mul(t, skey->x, a );
+     mpi_subm(t, input, t, p_1 );
+-- 
+2.30.2
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
index 9fd3b7c8c9..8045bab9ed 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
@@ -1,4 +1,7 @@
 SUMMARY = "General purpose cryptographic library based on the code from GnuPG"
+DESCRIPTION = "A cryptography library developed as a separated module of GnuPG. \
+It can also be used independently of GnuPG, but depends on its error-reporting \
+library Libgpg-error."
 HOMEPAGE = "http://directory.fsf.org/project/libgcrypt/"
 BUGTRACKER = "https://bugs.g10code.com/gnupg/index"
 SECTION = "libs"
@@ -25,6 +28,8 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
           file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \
           file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \
           file://determinism.patch \
+           file://CVE-2021-33560.patch \
+           file://CVE-2021-40528.patch \
 "
 SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743"
 SRC_URI[sha256sum] = "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3"

diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch new file mode 100644 index 0000000000..bf26486d8b --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
@@ -0,0 +1,77 @@
		1	From e8b7f10be275bcedb5fc05ed4837a89bfd605c61 Mon Sep 17 00:00:00 2001
		2	From: NIIBE Yutaka <gniibe@fsij.org>
		3	Date: Tue, 13 Apr 2021 10:00:00 +0900
		4	Subject: [PATCH] cipher: Hardening ElGamal by introducing exponent blinding
		5	too.
		6
		7	* cipher/elgamal.c (do_encrypt): Also do exponent blinding.
		8
		9	--
		10
		11	Base blinding had been introduced with USE_BLINDING. This patch add
		12	exponent blinding as well to mitigate side-channel attack on mpi_powm.
		13
		14	GnuPG-bug-id: 5328
		15	Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
		16
		17	Upstream-Status: Backport
		18	CVE: CVE-2021-33560
		19	Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
		20	---
		21	cipher/elgamal.c \| 20 +++++++++++++++++---
		22	1 file changed, 17 insertions(+), 3 deletions(-)
		23
		24	diff --git a/cipher/elgamal.c b/cipher/elgamal.c
		25	index 4eb52d62..9835122f 100644
		26	--- a/cipher/elgamal.c
		27	+++ b/cipher/elgamal.c
		28	@@ -522,8 +522,9 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
		29	static void
		30	decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey )
		31	{
		32	- gcry_mpi_t t1, t2, r;
		33	+ gcry_mpi_t t1, t2, r, r1, h;
		34	unsigned int nbits = mpi_get_nbits (skey->p);
		35	+ gcry_mpi_t x_blind;
		36
		37	mpi_normalize (a);
		38	mpi_normalize (b);
		39	@@ -534,20 +535,33 @@ decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey )
		40
		41	t2 = mpi_snew (nbits);
		42	r = mpi_new (nbits);
		43	+ r1 = mpi_new (nbits);
		44	+ h = mpi_new (nbits);
		45	+ x_blind = mpi_snew (nbits);
		46
		47	/* We need a random number of about the prime size. The random
		48	number merely needs to be unpredictable; thus we use level 0. */
		49	_gcry_mpi_randomize (r, nbits, GCRY_WEAK_RANDOM);
		50
		51	+ /* Also, exponent blinding: x_blind = x + (p-1)r1 /
		52	+ _gcry_mpi_randomize (r1, nbits, GCRY_WEAK_RANDOM);
		53	+ mpi_set_highbit (r1, nbits - 1);
		54	+ mpi_sub_ui (h, skey->p, 1);
		55	+ mpi_mul (x_blind, h, r1);
		56	+ mpi_add (x_blind, skey->x, x_blind);
		57	+
		58	/* t1 = r^x mod p */
		59	- mpi_powm (t1, r, skey->x, skey->p);
		60	+ mpi_powm (t1, r, x_blind, skey->p);
		61	/* t2 = (a * r)^-x mod p */
		62	mpi_mulm (t2, a, r, skey->p);
		63	- mpi_powm (t2, t2, skey->x, skey->p);
		64	+ mpi_powm (t2, t2, x_blind, skey->p);
		65	mpi_invm (t2, t2, skey->p);
		66	/* t1 = (t1 * t2) mod p*/
		67	mpi_mulm (t1, t1, t2, skey->p);
		68
		69	+ mpi_free (x_blind);
		70	+ mpi_free (h);
		71	+ mpi_free (r1);
		72	mpi_free (r);
		73	mpi_free (t2);
		74
		75	--
		76	2.11.0
		77


diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch b/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch new file mode 100644 index 0000000000..b3a18bc5aa --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch
@@ -0,0 +1,109 @@
		1	From 707c3c5c511ee70ad0e39ec613471f665305fbea Mon Sep 17 00:00:00 2001
		2	From: NIIBE Yutaka <gniibe@fsij.org>
		3	Date: Fri, 21 May 2021 11:15:07 +0900
		4	Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations.
		5
		6	* cipher/elgamal.c (gen_k): Remove support of smaller K.
		7	(do_encrypt): Never use smaller K.
		8	(sign): Folllow the change of gen_k.
		9
		10	--
		11
		12	Cherry-pick master commit of:
		13	632d80ef30e13de6926d503aa697f92b5dbfbc5e
		14
		15	This change basically reverts encryption changes in two commits:
		16
		17	74386120dad6b3da62db37f7044267c8ef34689b
		18	78531373a342aeb847950f404343a05e36022065
		19
		20	Use of smaller K for ephemeral key in ElGamal encryption is only good,
		21	when we can guarantee that recipient's key is generated by our
		22	implementation (or compatible).
		23
		24	For detail, please see:
		25
		26	Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
		27	"On the (in)security of ElGamal in OpenPGP";
		28	in the proceedings of CCS'2021.
		29
		30	CVE-id: CVE-2021-33560
		31	GnuPG-bug-id: 5328
		32	Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
		33	Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
		34
		35	Upstream-Status: Backport
		36	CVE: CVE-2021-40528
		37	Signed-off-by: Armin Kuster <akuster@mvista.com>
		38	---
		39	cipher/elgamal.c \| 24 ++++++------------------
		40	1 file changed, 6 insertions(+), 18 deletions(-)
		41
		42	diff --git a/cipher/elgamal.c b/cipher/elgamal.c
		43	index 4eb52d62..ae7a631e 100644
		44	--- a/cipher/elgamal.c
		45	+++ b/cipher/elgamal.c
		46	@@ -66,7 +66,7 @@ static const char *elg_names[] =
		47
		48
		49	static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
		50	-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
		51	+static gcry_mpi_t gen_k (gcry_mpi_t p);
		52	static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
		53	gcry_mpi_t **factors);
		54	static int check_secret_key (ELG_secret_key *sk);
		55	@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
		56
		57	/****************
		58	* Generate a random secret exponent k from prime p, so that k is
		59	- * relatively prime to p-1. With SMALL_K set, k will be selected for
		60	- * better encryption performance - this must never be used signing!
		61	+ * relatively prime to p-1.
		62	*/
		63	static gcry_mpi_t
		64	-gen_k( gcry_mpi_t p, int small_k )
		65	+gen_k( gcry_mpi_t p )
		66	{
		67	gcry_mpi_t k = mpi_alloc_secure( 0 );
		68	gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
		69	@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
		70	unsigned int nbits, nbytes;
		71	char *rndbuf = NULL;
		72
		73	- if (small_k)
		74	- {
		75	- /* Using a k much lesser than p is sufficient for encryption and
		76	- * it greatly improves the encryption performance. We use
		77	- * Wiener's table and add a large safety margin. */
		78	- nbits = wiener_map( orig_nbits ) * 3 / 2;
		79	- if( nbits >= orig_nbits )
		80	- BUG();
		81	- }
		82	- else
		83	- nbits = orig_nbits;
		84	-
		85	+ nbits = orig_nbits;
		86
		87	nbytes = (nbits+7)/8;
		88	if( DBG_CIPHER )
		89	@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
		90	* error code.
		91	*/
		92
		93	- k = gen_k( pkey->p, 1 );
		94	+ k = gen_k( pkey->p );
		95	mpi_powm (a, pkey->g, k, pkey->p);
		96
		97	/* b = (y^k * input) mod p
		98	@@ -594,7 +582,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
		99	*
		100	*/
		101	mpi_sub_ui(p_1, p_1, 1);
		102	- k = gen_k( skey->p, 0 /* no small K ! */ );
		103	+ k = gen_k( skey->p );
		104	mpi_powm( a, skey->g, k, skey->p );
		105	mpi_mul(t, skey->x, a );
		106	mpi_subm(t, input, t, p_1 );
		107	--
		108	2.30.2
		109


diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb index 9fd3b7c8c9..8045bab9ed 100644 --- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb +++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
@@ -1,4 +1,7 @@
1	SUMMARY = "General purpose cryptographic library based on the code from GnuPG"	1	SUMMARY = "General purpose cryptographic library based on the code from GnuPG"
		2	DESCRIPTION = "A cryptography library developed as a separated module of GnuPG. \
		3	It can also be used independently of GnuPG, but depends on its error-reporting \
		4	library Libgpg-error."
2	HOMEPAGE = "http://directory.fsf.org/project/libgcrypt/"	5	HOMEPAGE = "http://directory.fsf.org/project/libgcrypt/"
3	BUGTRACKER = "https://bugs.g10code.com/gnupg/index"	6	BUGTRACKER = "https://bugs.g10code.com/gnupg/index"
4	SECTION = "libs"	7	SECTION = "libs"
@@ -25,6 +28,8 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
25	file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \	28	file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \
26	file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \	29	file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \
27	file://determinism.patch \	30	file://determinism.patch \
		31	file://CVE-2021-33560.patch \
		32	file://CVE-2021-40528.patch \
28	"	33	"
29	SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743"	34	SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743"
30	SRC_URI[sha256sum] = "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3"	35	SRC_URI[sha256sum] = "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3"