On Mon, Sep 13, 2021 at 3:16 AM Saloni Jain <jainsaloni0...@gmail.com> wrote:
>
> From: Saloni Jain <salo...@kpit.com>
>
> Add fix for below CVE:
> CVE-2021-33560

Armin submitted a patch for this CVE last week:

https://lists.openembedded.org/g/openembedded-core/message/155935

Thanks for helping with CVEs though, I appreciate the effort!

Steve

> Link: 
> [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=3462280f2e23e16adf3ed5176e0f2413d8861320]
>
> Signed-off-by: Saloni Jain<jainsaloni0...@gmail.com>
> ---
>  .../libgcrypt/files/CVE-2021-33560.patch      | 108 ++++++++++++++++++
>  .../libgcrypt/libgcrypt_1.8.5.bb              |   1 +
>  2 files changed, 109 insertions(+)
>  create mode 100644 meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
>
> diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch 
> b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
> new file mode 100644
> index 0000000000..ba51af46b3
> --- /dev/null
> +++ b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
> @@ -0,0 +1,108 @@
> +From 3462280f2e23e16adf3ed5176e0f2413d8861320 Mon Sep 17 00:00:00 2001
> +From: NIIBE Yutaka <gni...@fsij.org>
> +Date: Fri, 21 May 2021 11:15:07 +0900
> +Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations.
> +
> +* cipher/elgamal.c (gen_k): Remove support of smaller K.
> +(do_encrypt): Never use smaller K.
> +(sign): Folllow the change of gen_k.
> +
> +--
> +
> +Cherry-pick master commit of:
> +       632d80ef30e13de6926d503aa697f92b5dbfbc5e
> +
> +This change basically reverts encryption changes in two commits:
> +
> +       74386120dad6b3da62db37f7044267c8ef34689b
> +       78531373a342aeb847950f404343a05e36022065
> +
> +Use of smaller K for ephemeral key in ElGamal encryption is only good,
> +when we can guarantee that recipient's key is generated by our
> +implementation (or compatible).
> +
> +For detail, please see:
> +
> +    Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
> +    "On the (in)security of ElGamal in OpenPGP";
> +    in the proceedings of  CCS'2021.
> +
> +CVE: CVE-2021-33560
> +GnuPG-bug-id: 5328
> +Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
> +Signed-off-by: NIIBE Yutaka <gni...@fsij.org>
> +Signed-off-by: Saloni Jain <jainsaloni0...@gmail.com>
> +
> +Upstream-Status: Backport 
> [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=3462280f2e23e16adf3ed5176e0f2413d8861320]
> +Comment: No changes/refreshing done.
> +---
> + cipher/elgamal.c | 24 ++++++------------------
> + 1 file changed, 6 insertions(+), 18 deletions(-)
> +
> +diff --git a/cipher/elgamal.c b/cipher/elgamal.c
> +index 9835122f..eead4502 100644
> +--- a/cipher/elgamal.c
> ++++ b/cipher/elgamal.c
> +@@ -66,7 +66,7 @@ static const char *elg_names[] =
> +
> +
> + static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
> +-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
> ++static gcry_mpi_t gen_k (gcry_mpi_t p);
> + static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
> +                                  gcry_mpi_t **factors);
> + static int  check_secret_key (ELG_secret_key *sk);
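Review bot: dropping the `small_k` parameter from the `gen_k` prototype is the right shape for the fix, since it makes the unsafe mode unrepresentable rather than merely unused; with only one calling convention left, the prototype (or `gen_k` itself) should carry a one-line comment saying k must be full-size because the recipient's group may come from another implementation, so the shortcut is not reintroduced later as a performance patch.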
> +@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, 
> int nodie )
> +
> + /****************
> +  * Generate a random secret exponent k from prime p, so that k is
> +- * relatively prime to p-1.  With SMALL_K set, k will be selected for
> +- * better encryption performance - this must never be used signing!
> ++ * relatively prime to p-1.
> +  */
> + static gcry_mpi_t
> +-gen_k( gcry_mpi_t p, int small_k )
> ++gen_k( gcry_mpi_t p )
> + {
> +   gcry_mpi_t k = mpi_alloc_secure( 0 );
> +   gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
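Review bot: the rewritten doc comment now says only that k is relatively prime to p-1, so the code no longer records anywhere why the SMALL_K mode went away; the comment should state the reason given in the commit message (a short k is only sound when the recipient's key is known to come from a compatible generator), otherwise the next reader sees a slower `gen_k` with no explanation. The old text's "must never be used signing" grammar slip disappears with the sentence, which is fine.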
> +@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
> +   unsigned int nbits, nbytes;
> +   char *rndbuf = NULL;
> +
> +-  if (small_k)
> +-    {
> +-      /* Using a k much lesser than p is sufficient for encryption and
> +-       * it greatly improves the encryption performance.  We use
> +-       * Wiener's table and add a large safety margin. */
> +-      nbits = wiener_map( orig_nbits ) * 3 / 2;
> +-      if( nbits >= orig_nbits )
> +-        BUG();
> +-    }
> +-  else
> +-    nbits = orig_nbits;
> +-
> ++  nbits = orig_nbits;
> +
> +   nbytes = (nbits+7)/8;
> +   if( DBG_CIPHER )
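Review bot: `nbits = orig_nbits;` is now the only assignment to `nbits`, so the separate variable is redundant and `orig_nbits` could be used directly; the more important observation is what the removed branch did: it sized k from `wiener_map( orig_nbits )`, i.e. from the bit length of p alone, which says nothing about the factorisation of p-1 or the order of g in a key produced by another implementation, and the `BUG()` guard only checked that the shortcut was shorter than p, not that it was safe. That is exactly the cross-implementation assumption the commit message calls out. Also confirm that `wiener_map` still has another caller in cipher/elgamal.c after this removal; if this was its last use, the compiler will warn about an unused static function.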
> +@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, 
> ELG_public_key *pkey )
> +    * error code.
> +    */
> +
> +-  k = gen_k( pkey->p, 1 );
> ++  k = gen_k( pkey->p );
> +   mpi_powm (a, pkey->g, k, pkey->p);
> +
> +   /* b = (y^k * input) mod p
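Review bot: `do_encrypt` now pays for a full-size exponent in both exponentiations (`g^k` in this hunk and the `y^k` described by the comment that follows it), so the performance cost of the fix lands here; a short comment above `k = gen_k( pkey->p );` referencing the CVE or GnuPG bug id would document that the cheaper k is intentionally gone. No functional concern: the call simply follows the new prototype.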
> +@@ -608,7 +596,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, 
> ELG_secret_key *skey )
> +     *
> +     */
> +     mpi_sub_ui(p_1, p_1, 1);
> +-    k = gen_k( skey->p, 0 /* no small K ! */ );
> ++    k = gen_k( skey->p );
> +     mpi_powm( a, skey->g, k, skey->p );
> +     mpi_mul(t, skey->x, a );
> +     mpi_subm(t, input, t, p_1 );
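Review bot: the signing call site loses the `/* no small K ! */` reminder, which is fine because there is no longer a parameter to get wrong; signing and encryption now share one k-generation path, which removes the asymmetry the old code had to warn about. Nothing else changes in this hunk.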
> +--
> +2.11.0
> diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb 
> b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
> index 16a58ad9b8..174b087b24 100644
> --- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
> +++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
> @@ -28,6 +28,7 @@ SRC_URI = 
> "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
>             
> file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \
>             
> file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \
>             file://determinism.patch \
> +           file://CVE-2021-33560.patch \
>  "
>  SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743"
>  SRC_URI[sha256sum] = 
> "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3"
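Review bot: the new `file://CVE-2021-33560.patch` entry follows the existing SRC_URI style and is appended after `determinism.patch`; the patch touches only cipher/elgamal.c (per its diffstat) while the 0002/0003 patches concern AES/GCM lookup tables, so ordering is not a concern. One thing to verify in the actual file: the header's `Upstream-Status: Backport` and its `[URL]` appear on separate lines in this mail; if that is not just mail wrapping, join them into a single `Upstream-Status: Backport [URL]` line so the OE patch-status checks parse it.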
> --
> 2.17.1
>
>
> 
>
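The point in the quoted commit message, that a short ephemeral k is only safe when the recipient's key is known to come from a compatible generator, can be made concrete with a toy model. The following is an added example written for this page, not libgcrypt code and not part of the patch: it constructs a recipient group whose order p-1 has one small prime factor q in which an attacker can afford to solve discrete logarithms, then shows that a sender using the old small_k-style k leaks k (and with it the message) through a = g^k, while a full-size k as in the patched `gen_k` leaves r candidates. The parameters, the 10-bit "short" k, the seed and the plaintext are all constructed assumptions; the attacks in the De Feo, Poettering and Sorniotti paper are more elaborate than this one-subgroup Pohlig-Hellman sketch, but this is the mechanism the cross-implementation assumption fails on.

```python
"""Toy model (constructed parameters; added example, not libgcrypt code) of the
cross-implementation hazard: a sender that picks a short ephemeral k is only
safe if the recipient's group has no cheap subgroups. Against a recipient
key whose p-1 has a small prime factor, the short k leaks through a = g^k."""
import math
import random


def is_prime(n):
    """Trial division; adequate for the ~2^31 toy modulus used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def next_prime(n):
    n += 1
    while not is_prime(n):
        n += 1
    return n


def make_recipient_group(q_min=1000, r_min=10**6):
    """Constructed 'foreign' key parameters: p = 2*q*r + 1 with q a small prime
    (a subgroup the attacker can brute-force) and r a larger prime (treated as
    out of reach), and g a generator of the full group of order p-1."""
    q = next_prime(q_min - 1)
    r = next_prime(r_min - 1)
    while not is_prime(2 * q * r + 1):
        r = next_prime(r)
    p = 2 * q * r + 1
    g = 2
    while any(pow(g, (p - 1) // f, p) == 1 for f in (2, q, r)):
        g += 1
    return p, q, r, g


def gen_k(p, nbits, rng):
    """Same contract as the patched gen_k: random k with gcd(k, p-1) == 1.
    Passing nbits < p.bit_length() reproduces the removed small_k shortcut."""
    while True:
        k = rng.getrandbits(nbits) | 1          # odd, hence coprime to the factor 2
        if 1 < k < p - 1 and math.gcd(k, p - 1) == 1:
            return k


def encrypt(p, g, y, m, k):
    """Textbook ElGamal as in do_encrypt: a = g^k, b = y^k * m (mod p)."""
    return pow(g, k, p), (pow(y, k, p) * m) % p


def crt(r1, m1, r2, m2):
    """Combine x = r1 (mod m1) and x = r2 (mod m2) for coprime m1, m2."""
    if m1 == 1:
        return r2 % m2, m2
    x = (r1 * m2 * pow(m2, -1, m1) + r2 * m1 * pow(m1, -1, m2)) % (m1 * m2)
    return x, m1 * m2


def partial_pohlig_hellman(p, g, a, cheap_factors):
    """Recover k modulo the product of the subgroup orders the attacker can
    afford to brute-force. Returns (residue, modulus)."""
    residue, modulus = 0, 1
    for f in cheap_factors:
        h = pow(g, (p - 1) // f, p)        # generator of the order-f subgroup
        target = pow(a, (p - 1) // f, p)   # equals h^(k mod f)
        t, e = 1, 0
        while t != target:                 # brute-force DLP in the small subgroup
            t, e = (t * h) % p, e + 1
        residue, modulus = crt(residue, modulus, e, f)
    return residue, modulus


def recover_k(p, g, a, cheap_factors, k_bound):
    """Return (k, 1) when the cheap residues pin down a unique k < k_bound,
    otherwise (None, number_of_candidates)."""
    residue, modulus = partial_pohlig_hellman(p, g, a, cheap_factors)
    candidates = range(residue, k_bound, modulus)
    return (candidates[0], 1) if len(candidates) == 1 else (None, len(candidates))


def demo(short_nbits=10, seed=1):
    rng = random.Random(seed)                  # deterministic on purpose
    p, q, r, g = make_recipient_group()
    x = rng.randrange(2, p - 1)                # recipient's secret
    y = pow(g, x, p)
    m = rng.randrange(2, p)                    # constructed plaintext
    cheap = (2, q)                             # attacker only solves these subgroups

    # Old small_k-style sender: k < 2^short_nbits <= 2q, so residues mod 2q fix k.
    k_short = gen_k(p, short_nbits, rng)
    a, b = encrypt(p, g, y, m, k_short)
    k_found, _ = recover_k(p, g, a, cheap, 1 << short_nbits)
    m_found = (b * pow(pow(y, k_found, p), -1, p)) % p

    # Patched sender: full-size k; the same residues leak but leave r candidates.
    k_full = gen_k(p, p.bit_length(), rng)
    a_full, _ = encrypt(p, g, y, m, k_full)
    _, leftover = recover_k(p, g, a_full, cheap, p)
    return {"k_short": k_short, "k_found": k_found, "m": m, "m_found": m_found,
            "r": r, "leftover_candidates": leftover}
```

Running `demo()` recovers the short k and the plaintext from the ciphertext alone, while for the full-size k the attacker is left with exactly r candidates, which in the real setting is the size of the subgroup they could not solve. Whether the factors of the recipient's p-1 are cheap is a property of how the recipient generated the key, which is the part the sender cannot know.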
View/Reply Online (#155982): https://lists.openembedded.org/g/openembedded-core/message/155982