[OE-core] [poky][dunfell][PATCH] libxcrypt: Add fix for CVE-2021-33560

2021-09-13 Thread Saloni Jain
From: Saloni Jain 

Add fix for below CVE:
CVE-2021-33560
Link: 
[https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=3462280f2e23e16adf3ed5176e0f2413d8861320]

Signed-off-by: Saloni Jain
---
 .../libgcrypt/files/CVE-2021-33560.patch  | 108 ++
 .../libgcrypt/libgcrypt_1.8.5.bb  |   1 +
 2 files changed, 109 insertions(+)
 create mode 100644 meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch

diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch 
b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
new file mode 100644
index 00..ba51af46b3
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
@@ -0,0 +1,108 @@
+From 3462280f2e23e16adf3ed5176e0f2413d8861320 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka 
+Date: Fri, 21 May 2021 11:15:07 +0900
+Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations.
+
+* cipher/elgamal.c (gen_k): Remove support of smaller K.
+(do_encrypt): Never use smaller K.
+(sign): Folllow the change of gen_k.
+
+--
+
+Cherry-pick master commit of:
+   632d80ef30e13de6926d503aa697f92b5dbfbc5e
+
+This change basically reverts encryption changes in two commits:
+
+   74386120dad6b3da62db37f7044267c8ef34689b
+   78531373a342aeb847950f404343a05e36022065
+
+Use of smaller K for ephemeral key in ElGamal encryption is only good,
+when we can guarantee that recipient's key is generated by our
+implementation (or compatible).
+
+For detail, please see:
+
+Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
+"On the (in)security of ElGamal in OpenPGP";
+in the proceedings of  CCS'2021.
+
+CVE: CVE-2021-33560
+GnuPG-bug-id: 5328
+Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
+Signed-off-by: NIIBE Yutaka 
+Signed-off-by: Saloni Jain 
+
+Upstream-Status: Backport 
[https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=3462280f2e23e16adf3ed5176e0f2413d8861320]
+Comment: No changes/refreshing done.
+---
+ cipher/elgamal.c | 24 ++--
+ 1 file changed, 6 insertions(+), 18 deletions(-)
+
+diff --git a/cipher/elgamal.c b/cipher/elgamal.c
+index 9835122f..eead4502 100644
+--- a/cipher/elgamal.c
 b/cipher/elgamal.c
+@@ -66,7 +66,7 @@ static const char *elg_names[] =
+ 
+ 
+ static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
+-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
++static gcry_mpi_t gen_k (gcry_mpi_t p);
+ static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
+  gcry_mpi_t **factors);
+ static int  check_secret_key (ELG_secret_key *sk);
+@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int 
nodie )
+ 
+ /
+  * Generate a random secret exponent k from prime p, so that k is
+- * relatively prime to p-1.  With SMALL_K set, k will be selected for
+- * better encryption performance - this must never be used signing!
++ * relatively prime to p-1.
+  */
+ static gcry_mpi_t
+-gen_k( gcry_mpi_t p, int small_k )
++gen_k( gcry_mpi_t p )
+ {
+   gcry_mpi_t k = mpi_alloc_secure( 0 );
+   gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
+@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
+   unsigned int nbits, nbytes;
+   char *rndbuf = NULL;
+ 
+-  if (small_k)
+-{
+-  /* Using a k much lesser than p is sufficient for encryption and
+-   * it greatly improves the encryption performance.  We use
+-   * Wiener's table and add a large safety margin. */
+-  nbits = wiener_map( orig_nbits ) * 3 / 2;
+-  if( nbits >= orig_nbits )
+-BUG();
+-}
+-  else
+-nbits = orig_nbits;
+-
++  nbits = orig_nbits;
+ 
+   nbytes = (nbits+7)/8;
+   if( DBG_CIPHER )
+@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, 
ELG_public_key *pkey )
+* error code.
+*/
+ 
+-  k = gen_k( pkey->p, 1 );
++  k = gen_k( pkey->p );
+   mpi_powm (a, pkey->g, k, pkey->p);
+ 
+   /* b = (y^k * input) mod p
+@@ -608,7 +596,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, 
ELG_secret_key *skey )
+ *
+ */
+ mpi_sub_ui(p_1, p_1, 1);
+-k = gen_k( skey->p, 0 /* no small K ! */ );
++k = gen_k( skey->p );
+ mpi_powm( a, skey->g, k, skey->p );
+ mpi_mul(t, skey->x, a );
+ mpi_subm(t, input, t, p_1 );
+-- 
+2.11.0
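
Review bot: The embedded patch is line-wrapped in several places and is unlikely to apply as posted. The Upstream-Status: Backport URL and the tails of the @@ headers for test_keys, do_encrypt and sign ("nodie )", "ELG_public_key *pkey )", "ELG_secret_key *skey )") sit on continuation lines with no leading "+". The inner file header also reads " b/cipher/elgamal.c" where "++++ b/cipher/elgamal.c" is expected. Since the header states "No changes/refreshing done", regenerate the file from the upstream commit, send it with git send-email so the mailer cannot rewrap it, and confirm do_patch succeeds against libgcrypt 1.8.5.
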
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb 
b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
index 16a58ad9b8..174b087b24 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
@@ -28,6 +28,7 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \

file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \

file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \
file://determinism.patch \
+   file://CVE-2021-33560.patch \
 "
 SRC_URI[md5sum] = "3
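
Review bot: The subject line names libxcrypt, but this hunk adds CVE-2021-33560.patch to SRC_URI in meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb; the subject prefix should read libgcrypt so the commit is found when searching the recipe's history. The commit message would also benefit from one sentence on what is fixed (ElGamal encryption no longer uses a smaller ephemeral K, per the upstream message) rather than only the CVE number and link.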

Re: [OE-core] [poky][dunfell][PATCH] libxcrypt: Add fix for CVE-2021-33560

2021-09-13 Thread Steve Sakoman
On Mon, Sep 13, 2021 at 3:16 AM Saloni Jain  wrote:
>
> From: Saloni Jain 
>
> Add fix for below CVE:
> CVE-2021-33560

Armin submitted a patch for this CVE last week:

https://lists.openembedded.org/g/openembedded-core/message/155935

Thanks for helping with CVE's though, I appreciate the effort!

Steve

> Link: 
> [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=3462280f2e23e16adf3ed5176e0f2413d8861320]
>
> Signed-off-by: Saloni Jain
> ---
>  .../libgcrypt/files/CVE-2021-33560.patch  | 108 ++
>  .../libgcrypt/libgcrypt_1.8.5.bb  |   1 +
>  2 files changed, 109 insertions(+)
>  create mode 100644 meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
>
> diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch 
> b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
> new file mode 100644
> index 00..ba51af46b3
> --- /dev/null
> +++ b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
> @@ -0,0 +1,108 @@
> +From 3462280f2e23e16adf3ed5176e0f2413d8861320 Mon Sep 17 00:00:00 2001
> +From: NIIBE Yutaka 
> +Date: Fri, 21 May 2021 11:15:07 +0900
> +Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations.
> +
> +* cipher/elgamal.c (gen_k): Remove support of smaller K.
> +(do_encrypt): Never use smaller K.
> +(sign): Folllow the change of gen_k.
> +
> +--
> +
> +Cherry-pick master commit of:
> +   632d80ef30e13de6926d503aa697f92b5dbfbc5e
> +
> +This change basically reverts encryption changes in two commits:
> +
> +   74386120dad6b3da62db37f7044267c8ef34689b
> +   78531373a342aeb847950f404343a05e36022065
> +
> +Use of smaller K for ephemeral key in ElGamal encryption is only good,
> +when we can guarantee that recipient's key is generated by our
> +implementation (or compatible).
> +
> +For detail, please see:
> +
> +Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
> +"On the (in)security of ElGamal in OpenPGP";
> +in the proceedings of  CCS'2021.
> +
> +CVE: CVE-2021-33560
> +GnuPG-bug-id: 5328
> +Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
> +Signed-off-by: NIIBE Yutaka 
> +Signed-off-by: Saloni Jain 
> +
> +Upstream-Status: Backport 
> [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=3462280f2e23e16adf3ed5176e0f2413d8861320]
> +Comment: No changes/refreshing done.
> +---
> + cipher/elgamal.c | 24 ++--
> + 1 file changed, 6 insertions(+), 18 deletions(-)
> +
> +diff --git a/cipher/elgamal.c b/cipher/elgamal.c
> +index 9835122f..eead4502 100644
> +--- a/cipher/elgamal.c
>  b/cipher/elgamal.c
> +@@ -66,7 +66,7 @@ static const char *elg_names[] =
> +
> +
> + static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
> +-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
> ++static gcry_mpi_t gen_k (gcry_mpi_t p);
> + static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
> +  gcry_mpi_t **factors);
> + static int  check_secret_key (ELG_secret_key *sk);
> +@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, 
> int nodie )
> +
> + /
> +  * Generate a random secret exponent k from prime p, so that k is
> +- * relatively prime to p-1.  With SMALL_K set, k will be selected for
> +- * better encryption performance - this must never be used signing!
> ++ * relatively prime to p-1.
> +  */
> + static gcry_mpi_t
> +-gen_k( gcry_mpi_t p, int small_k )
> ++gen_k( gcry_mpi_t p )
> + {
> +   gcry_mpi_t k = mpi_alloc_secure( 0 );
> +   gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
> +@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
> +   unsigned int nbits, nbytes;
> +   char *rndbuf = NULL;
> +
> +-  if (small_k)
> +-{
> +-  /* Using a k much lesser than p is sufficient for encryption and
> +-   * it greatly improves the encryption performance.  We use
> +-   * Wiener's table and add a large safety margin. */
> +-  nbits = wiener_map( orig_nbits ) * 3 / 2;
> +-  if( nbits >= orig_nbits )
> +-BUG();
> +-}
> +-  else
> +-nbits = orig_nbits;
> +-
> ++  nbits = orig_nbits;
> +
> +   nbytes = (nbits+7)/8;
> +   if( DBG_CIPHER )
> +@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, 
> ELG_public_key *pkey )
> +* error code.
> +*/
> +
> +-  k = gen_k( pkey->p, 1 );
> ++  k = gen_k( pkey->p );
> +   mpi_powm (a, pkey->g, k, pkey->p);
> +
> +   /* b = (y^k * input) mod p
> +@@ -608,7 +596,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, 
> ELG_secret_key *skey )
> + *
> + */
> + mpi_sub_ui(p_1, p_1, 1);
> +-k = gen_k( skey->p, 0 /* no small K ! */ );
> ++k = gen_k( skey->p );
> + mpi_powm( a, skey->g, k, skey->p );
> + mpi_mul(t, skey->x, a );
> + mpi_subm(t, input, t, p_1 );
> +--
> +2.11.0
> diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb 
> b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
> ind

Re: [OE-core] [poky][dunfell][PATCH] libxcrypt: Add fix for CVE-2021-33560

2021-09-13 Thread saloni
Happy to help! 🙂 🙂
I really appreciate you taking time to express gratitude.


Thanks & Regards,
Saloni Jain

From: Steve Sakoman
Sent: Monday, September 13, 2021 9:03 PM
To: Saloni Jain
Cc: Patches and discussions about the oe-core layer; Khem Raj; Nisha Parrakat; Saloni Jain
Subject: Re: [OE-core] [poky][dunfell][PATCH] libxcrypt: Add fix for CVE-2021-33560


On Mon, Sep 13, 2021 at 3:16 AM Saloni Jain  wrote:
>
> From: Saloni Jain 
>
> Add fix for below CVE:
> CVE-2021-33560

Armin submitted a patch for this CVE last week:

https://lists.openembedded.org/g/openembedded-core/message/155935

Thanks for helping with CVE's though, I appreciate the effort!

Steve

> Link: 
> [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=3462280f2e23e16adf3ed5176e0f2413d8861320]
>
> Signed-off-by: Saloni Jain
> ---
>  .../libgcrypt/files/CVE-2021-33560.patch  | 108 ++
>  .../libgcrypt/libgcrypt_1.8.5.bb  |   1 +
>  2 files changed, 109 insertions(+)
>  create mode 100644 meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
>
> diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch 
> b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
> new file mode 100644
> index 00..ba51af46b3
> --- /dev/null
> +++ b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
> @@ -0,0 +1,108 @@
> +From 3462280f2e23e16adf3ed5176e0f2413d8861320 Mon Sep 17 00:00:00 2001
> +From: NIIBE Yutaka 
> +Date: Fri, 21 May 2021 11:15:07 +0900
> +Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations.
> +
> +* cipher/elgamal.c (gen_k): Remove support of smaller K.
> +(do_encrypt): Never use smaller K.
> +(sign): Folllow the change of gen_k.
> +
> +--
> +
> +Cherry-pick master commit of:
> +   632d80ef30e13de6926d503aa697f92b5dbfbc5e
> +
> +This change basically reverts encryption changes in two commits:
> +
> +   74386120dad6b3da62db37f7044267c8ef34689b
> +   78531373a342aeb847950f404343a05e36022065
> +
> +Use of smaller K for ephemeral key in ElGamal encryption is only good,
> +when we can guarantee that recipient's key is generated by our
> +implementation (or compatible).
> +
> +For detail, please see:
> +
> +Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
> +"On the (in)security of ElGamal in OpenPGP";
> +in the proceedings of  CCS'2021.
> +
> +CVE: CVE-2021-33560
> +GnuPG-bug-id: 5328
> +Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
> +Signed-off-by: NIIBE Yutaka 
> +Signed-off-by: Saloni Jain 
> +
> +Upstream-Status: Backport 
> [https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgit.gnupg.org%2Fcgi-bin%2Fgitweb.cgi%3Fp%3Dlibgcrypt.git%3Ba%3Dpatch%3Bh%3D3462280f2e23e16adf3ed5176e0f2413d8861320&data=04%7C01%7CSaloni.Jain%40kpit.com%7Cab35b176f5054ba2760408d976cbd354%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637671440110090650%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=XEr2AaiwglyGxJRihsQJmNwA5jqW5mO%2FHHNOtWgoI1o%3D&reserved=0]
> +Comment: No changes/refreshing done.
> +---
> + cipher/elgamal.c | 24 ++--
> + 1 file changed, 6 insertions(+), 18 deletions(-)
> +
> +diff --git a/cipher/elgamal.c b/cipher/elgamal.c
> +index 9835122f..eead4502 100644
> +--- a/cipher/elgamal.c
>  b/cipher/elgamal.c
> +@@ -66,7 +66,7 @@ static const char *elg_names[] =
> +
> +
> + static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
> +-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
> ++static gcry_mpi_t gen_k (gcry_mpi_t p);
> + static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
> +  gcry_mpi_t **factors);
> + sta