Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libgcrypt for openSUSE:Factory checked in at 2021-06-18 10:13:11 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libgcrypt (Old) and /work/SRC/openSUSE:Factory/.libgcrypt.new.2625 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libgcrypt" Fri Jun 18 10:13:11 2021 rev:87 rq:900114 version:1.9.3 Changes: -------- --- /work/SRC/openSUSE:Factory/libgcrypt/libgcrypt.changes 2021-04-26 16:38:13.701942305 +0200 +++ /work/SRC/openSUSE:Factory/.libgcrypt.new.2625/libgcrypt.changes 2021-06-18 10:13:18.329956114 +0200 @@ -1,0 +2,9 @@ +Fri Jun 11 13:17:54 UTC 2021 - Pedro Monreal <[email protected]> + +- Security fix: [bsc#1187212, CVE-2021-33560] + * cipher: Fix ElGamal encryption for other implementations. + * Exponent blinding was added in version 1.9.3. This patch + fixes ElGamal encryption, see: https://dev.gnupg.org/T5328 +- Add libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch + +------------------------------------------------------------------- New: ---- libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libgcrypt.spec ++++++ --- /var/tmp/diff_new_pack.J2oKMi/_old 2021-06-18 10:13:19.005957008 +0200 +++ /var/tmp/diff_new_pack.J2oKMi/_new 2021-06-18 10:13:19.009957013 +0200 @@ -31,16 +31,15 @@ Source: https://gnupg.org/ftp/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2 Source1: https://gnupg.org/ftp/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2.sig Source2: baselibs.conf +Source3: random.conf # https://www.gnupg.org/signature_key.en.html Source4: libgcrypt.keyring # cavs test framework Source5: cavs-test.sh Source6: cavs_driver.pl -Source7: random.conf Source99: libgcrypt.changes Patch1: libgcrypt-1.4.1-rijndael_no_strict_aliasing.patch Patch2: libgcrypt-sparcv9.diff -#PATCH-FIX-SUSE: N/A Patch3: libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff Patch4: libgcrypt-1.6.1-use-fipscheck.patch Patch5: libgcrypt-1.6.1-fips-cavs.patch @@ -77,6 +76,8 @@ Patch27: libgcrypt-PCT-DSA.patch Patch28: libgcrypt-PCT-ECC.patch Patch29: libgcrypt-fips_selftest_trigger_file.patch +#PATCH-FIX-UPSTREAM bsc#1187212 CVE-2021-33560 ElGamal encryption lacks exponent blinding +Patch30: libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch BuildRequires: automake >= 1.14 BuildRequires: fipscheck BuildRequires: libgpg-error-devel >= 1.27 @@ -150,7 +151,6 @@ blocks. It is originally based on code used by GnuPG. It does not provide any implementation of OpenPGP or other protocols. Thorough understanding of applied cryptography is required to use Libgcrypt. - %endif %prep @@ -211,7 +211,7 @@ # Create /etc/gcrypt directory and install random.conf mkdir -p -m 0755 %{buildroot}%{_sysconfdir}/gcrypt -install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/gcrypt/random.conf +install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/gcrypt/random.conf %post -n %{libsoname} -p /sbin/ldconfig %postun -n %{libsoname} -p /sbin/ldconfig ++++++ libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch ++++++ From: NIIBE Yutaka <[email protected]> Date: Fri, 21 May 2021 02:15:07 +0000 (+0900) Subject: cipher: Fix ElGamal encryption for other implementations. X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff_plain;h=632d80ef30e13de6926d503aa697f92b5dbfbc5e cipher: Fix ElGamal encryption for other implementations. * cipher/elgamal.c (gen_k): Remove support of smaller K. (do_encrypt): Never use smaller K. (sign): Folllow the change of gen_k. -- This change basically reverts encryption changes in two commits: 74386120dad6b3da62db37f7044267c8ef34689b 78531373a342aeb847950f404343a05e36022065 Use of smaller K for ephemeral key in ElGamal encryption is only good, when we can guarantee that recipient's key is generated by our implementation (or compatible). For detail, please see: Luca De Feo, Bertram Poettering, Alessandro Sorniotti, "On the (in)security of ElGamal in OpenPGP"; in the proceedings of CCS'2021. CVE-id: CVE-2021-33560 GnuPG-bug-id: 5328 Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti Signed-off-by: NIIBE Yutaka <[email protected]> --- diff --git a/cipher/elgamal.c b/cipher/elgamal.c index 9835122f..eead4502 100644 --- a/cipher/elgamal.c +++ b/cipher/elgamal.c @@ -66,7 +66,7 @@ static const char *elg_names[] = static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie); -static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k); +static gcry_mpi_t gen_k (gcry_mpi_t p); static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits, gcry_mpi_t **factors); static int check_secret_key (ELG_secret_key *sk); @@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie ) /**************** * Generate a random secret exponent k from prime p, so that k is - * relatively prime to p-1. With SMALL_K set, k will be selected for - * better encryption performance - this must never be used signing! + * relatively prime to p-1. */ static gcry_mpi_t -gen_k( gcry_mpi_t p, int small_k ) +gen_k( gcry_mpi_t p ) { gcry_mpi_t k = mpi_alloc_secure( 0 ); gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) ); @@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k ) unsigned int nbits, nbytes; char *rndbuf = NULL; - if (small_k) - { - /* Using a k much lesser than p is sufficient for encryption and - * it greatly improves the encryption performance. We use - * Wiener's table and add a large safety margin. */ - nbits = wiener_map( orig_nbits ) * 3 / 2; - if( nbits >= orig_nbits ) - BUG(); - } - else - nbits = orig_nbits; - + nbits = orig_nbits; nbytes = (nbits+7)/8; if( DBG_CIPHER ) @@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey ) * error code. */ - k = gen_k( pkey->p, 1 ); + k = gen_k( pkey->p ); mpi_powm (a, pkey->g, k, pkey->p); /* b = (y^k * input) mod p @@ -608,7 +596,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey ) * */ mpi_sub_ui(p_1, p_1, 1); - k = gen_k( skey->p, 0 /* no small K ! */ ); + k = gen_k( skey->p ); mpi_powm( a, skey->g, k, skey->p ); mpi_mul(t, skey->x, a ); mpi_subm(t, input, t, p_1 );
