diff options
Diffstat (limited to 'meta/recipes-support/libgcrypt')
3 files changed, 191 insertions, 0 deletions
diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch new file mode 100644 index 0000000000..bf26486d8b --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch | |||
@@ -0,0 +1,77 @@ | |||
1 | From e8b7f10be275bcedb5fc05ed4837a89bfd605c61 Mon Sep 17 00:00:00 2001 | ||
2 | From: NIIBE Yutaka <gniibe@fsij.org> | ||
3 | Date: Tue, 13 Apr 2021 10:00:00 +0900 | ||
4 | Subject: [PATCH] cipher: Hardening ElGamal by introducing exponent blinding | ||
5 | too. | ||
6 | |||
7 | * cipher/elgamal.c (do_encrypt): Also do exponent blinding. | ||
8 | |||
9 | -- | ||
10 | |||
11 | Base blinding had been introduced with USE_BLINDING. This patch add | ||
12 | exponent blinding as well to mitigate side-channel attack on mpi_powm. | ||
13 | |||
14 | GnuPG-bug-id: 5328 | ||
15 | Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> | ||
16 | |||
17 | Upstream-Status: Backport | ||
18 | CVE: CVE-2021-33560 | ||
19 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
20 | --- | ||
21 | cipher/elgamal.c | 20 +++++++++++++++++--- | ||
22 | 1 file changed, 17 insertions(+), 3 deletions(-) | ||
23 | |||
24 | diff --git a/cipher/elgamal.c b/cipher/elgamal.c | ||
25 | index 4eb52d62..9835122f 100644 | ||
26 | --- a/cipher/elgamal.c | ||
27 | +++ b/cipher/elgamal.c | ||
28 | @@ -522,8 +522,9 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey ) | ||
29 | static void | ||
30 | decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey ) | ||
31 | { | ||
32 | - gcry_mpi_t t1, t2, r; | ||
33 | + gcry_mpi_t t1, t2, r, r1, h; | ||
34 | unsigned int nbits = mpi_get_nbits (skey->p); | ||
35 | + gcry_mpi_t x_blind; | ||
36 | |||
37 | mpi_normalize (a); | ||
38 | mpi_normalize (b); | ||
39 | @@ -534,20 +535,33 @@ decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey ) | ||
40 | |||
41 | t2 = mpi_snew (nbits); | ||
42 | r = mpi_new (nbits); | ||
43 | + r1 = mpi_new (nbits); | ||
44 | + h = mpi_new (nbits); | ||
45 | + x_blind = mpi_snew (nbits); | ||
46 | |||
47 | /* We need a random number of about the prime size. The random | ||
48 | number merely needs to be unpredictable; thus we use level 0. */ | ||
49 | _gcry_mpi_randomize (r, nbits, GCRY_WEAK_RANDOM); | ||
50 | |||
51 | + /* Also, exponent blinding: x_blind = x + (p-1)*r1 */ | ||
52 | + _gcry_mpi_randomize (r1, nbits, GCRY_WEAK_RANDOM); | ||
53 | + mpi_set_highbit (r1, nbits - 1); | ||
54 | + mpi_sub_ui (h, skey->p, 1); | ||
55 | + mpi_mul (x_blind, h, r1); | ||
56 | + mpi_add (x_blind, skey->x, x_blind); | ||
57 | + | ||
58 | /* t1 = r^x mod p */ | ||
59 | - mpi_powm (t1, r, skey->x, skey->p); | ||
60 | + mpi_powm (t1, r, x_blind, skey->p); | ||
61 | /* t2 = (a * r)^-x mod p */ | ||
62 | mpi_mulm (t2, a, r, skey->p); | ||
63 | - mpi_powm (t2, t2, skey->x, skey->p); | ||
64 | + mpi_powm (t2, t2, x_blind, skey->p); | ||
65 | mpi_invm (t2, t2, skey->p); | ||
66 | /* t1 = (t1 * t2) mod p*/ | ||
67 | mpi_mulm (t1, t1, t2, skey->p); | ||
68 | |||
69 | + mpi_free (x_blind); | ||
70 | + mpi_free (h); | ||
71 | + mpi_free (r1); | ||
72 | mpi_free (r); | ||
73 | mpi_free (t2); | ||
74 | |||
75 | -- | ||
76 | 2.11.0 | ||
77 | |||
diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch b/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch new file mode 100644 index 0000000000..b3a18bc5aa --- /dev/null +++ b/meta/recipes-support/libgcrypt/files/CVE-2021-40528.patch | |||
@@ -0,0 +1,109 @@ | |||
1 | From 707c3c5c511ee70ad0e39ec613471f665305fbea Mon Sep 17 00:00:00 2001 | ||
2 | From: NIIBE Yutaka <gniibe@fsij.org> | ||
3 | Date: Fri, 21 May 2021 11:15:07 +0900 | ||
4 | Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations. | ||
5 | |||
6 | * cipher/elgamal.c (gen_k): Remove support of smaller K. | ||
7 | (do_encrypt): Never use smaller K. | ||
8 | (sign): Folllow the change of gen_k. | ||
9 | |||
10 | -- | ||
11 | |||
12 | Cherry-pick master commit of: | ||
13 | 632d80ef30e13de6926d503aa697f92b5dbfbc5e | ||
14 | |||
15 | This change basically reverts encryption changes in two commits: | ||
16 | |||
17 | 74386120dad6b3da62db37f7044267c8ef34689b | ||
18 | 78531373a342aeb847950f404343a05e36022065 | ||
19 | |||
20 | Use of smaller K for ephemeral key in ElGamal encryption is only good, | ||
21 | when we can guarantee that recipient's key is generated by our | ||
22 | implementation (or compatible). | ||
23 | |||
24 | For detail, please see: | ||
25 | |||
26 | Luca De Feo, Bertram Poettering, Alessandro Sorniotti, | ||
27 | "On the (in)security of ElGamal in OpenPGP"; | ||
28 | in the proceedings of CCS'2021. | ||
29 | |||
30 | CVE-id: CVE-2021-33560 | ||
31 | GnuPG-bug-id: 5328 | ||
32 | Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti | ||
33 | Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> | ||
34 | |||
35 | Upstream-Status: Backport | ||
36 | CVE: CVE-2021-40528 | ||
37 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
38 | --- | ||
39 | cipher/elgamal.c | 24 ++++++------------------ | ||
40 | 1 file changed, 6 insertions(+), 18 deletions(-) | ||
41 | |||
42 | diff --git a/cipher/elgamal.c b/cipher/elgamal.c | ||
43 | index 4eb52d62..ae7a631e 100644 | ||
44 | --- a/cipher/elgamal.c | ||
45 | +++ b/cipher/elgamal.c | ||
46 | @@ -66,7 +66,7 @@ static const char *elg_names[] = | ||
47 | |||
48 | |||
49 | static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie); | ||
50 | -static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k); | ||
51 | +static gcry_mpi_t gen_k (gcry_mpi_t p); | ||
52 | static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits, | ||
53 | gcry_mpi_t **factors); | ||
54 | static int check_secret_key (ELG_secret_key *sk); | ||
55 | @@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie ) | ||
56 | |||
57 | /**************** | ||
58 | * Generate a random secret exponent k from prime p, so that k is | ||
59 | - * relatively prime to p-1. With SMALL_K set, k will be selected for | ||
60 | - * better encryption performance - this must never be used signing! | ||
61 | + * relatively prime to p-1. | ||
62 | */ | ||
63 | static gcry_mpi_t | ||
64 | -gen_k( gcry_mpi_t p, int small_k ) | ||
65 | +gen_k( gcry_mpi_t p ) | ||
66 | { | ||
67 | gcry_mpi_t k = mpi_alloc_secure( 0 ); | ||
68 | gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) ); | ||
69 | @@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k ) | ||
70 | unsigned int nbits, nbytes; | ||
71 | char *rndbuf = NULL; | ||
72 | |||
73 | - if (small_k) | ||
74 | - { | ||
75 | - /* Using a k much lesser than p is sufficient for encryption and | ||
76 | - * it greatly improves the encryption performance. We use | ||
77 | - * Wiener's table and add a large safety margin. */ | ||
78 | - nbits = wiener_map( orig_nbits ) * 3 / 2; | ||
79 | - if( nbits >= orig_nbits ) | ||
80 | - BUG(); | ||
81 | - } | ||
82 | - else | ||
83 | - nbits = orig_nbits; | ||
84 | - | ||
85 | + nbits = orig_nbits; | ||
86 | |||
87 | nbytes = (nbits+7)/8; | ||
88 | if( DBG_CIPHER ) | ||
89 | @@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey ) | ||
90 | * error code. | ||
91 | */ | ||
92 | |||
93 | - k = gen_k( pkey->p, 1 ); | ||
94 | + k = gen_k( pkey->p ); | ||
95 | mpi_powm (a, pkey->g, k, pkey->p); | ||
96 | |||
97 | /* b = (y^k * input) mod p | ||
98 | @@ -594,7 +582,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey ) | ||
99 | * | ||
100 | */ | ||
101 | mpi_sub_ui(p_1, p_1, 1); | ||
102 | - k = gen_k( skey->p, 0 /* no small K ! */ ); | ||
103 | + k = gen_k( skey->p ); | ||
104 | mpi_powm( a, skey->g, k, skey->p ); | ||
105 | mpi_mul(t, skey->x, a ); | ||
106 | mpi_subm(t, input, t, p_1 ); | ||
107 | -- | ||
108 | 2.30.2 | ||
109 | |||
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb index 9fd3b7c8c9..8045bab9ed 100644 --- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb +++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb | |||
@@ -1,4 +1,7 @@ | |||
1 | SUMMARY = "General purpose cryptographic library based on the code from GnuPG" | 1 | SUMMARY = "General purpose cryptographic library based on the code from GnuPG" |
2 | DESCRIPTION = "A cryptography library developed as a separated module of GnuPG. \ | ||
3 | It can also be used independently of GnuPG, but depends on its error-reporting \ | ||
4 | library Libgpg-error." | ||
2 | HOMEPAGE = "http://directory.fsf.org/project/libgcrypt/" | 5 | HOMEPAGE = "http://directory.fsf.org/project/libgcrypt/" |
3 | BUGTRACKER = "https://bugs.g10code.com/gnupg/index" | 6 | BUGTRACKER = "https://bugs.g10code.com/gnupg/index" |
4 | SECTION = "libs" | 7 | SECTION = "libs" |
@@ -25,6 +28,8 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \ | |||
25 | file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \ | 28 | file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \ |
26 | file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \ | 29 | file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \ |
27 | file://determinism.patch \ | 30 | file://determinism.patch \ |
31 | file://CVE-2021-33560.patch \ | ||
32 | file://CVE-2021-40528.patch \ | ||
28 | " | 33 | " |
29 | SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743" | 34 | SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743" |
30 | SRC_URI[sha256sum] = "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3" | 35 | SRC_URI[sha256sum] = "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3" |