From: "Steve Sakoman"
Date: Mon, 13 Sep 2021 05:33:10 -1000
Subject: Re: [OE-core] [poky][dunfell][PATCH] libxcrypt: Add fix for CVE-2021-33560
To: Saloni Jain
Cc: Patches and discussions about the oe-core layer, Khem Raj, Nisha Parrakat, Saloni Jain
In-Reply-To: <20210913131615.29285-1-jainsaloni0918@gmail.com>
References: <20210913131615.29285-1-jainsaloni0918@gmail.com>

On Mon, Sep 13, 2021 at 3:16 AM Saloni Jain wrote:
>
> From: Saloni Jain
>
> Add fix for below CVE:
> CVE-2021-33560

Armin submitted a patch for this CVE last week:

https://lists.openembedded.org/g/openembedded-core/message/155935

Thanks for helping with CVEs though, I appreciate the effort!

Steve

> Link: [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=3462280f2e23e16adf3ed5176e0f2413d8861320]
>
> Signed-off-by: Saloni Jain
> ---
>  .../libgcrypt/files/CVE-2021-33560.patch | 108 ++++++++++++++++++
>  .../libgcrypt/libgcrypt_1.8.5.bb         |   1 +
>  2 files changed, 109 insertions(+)
>  create mode 100644 meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
>
> diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch > new file mode 100644 > index 0000000000..ba51af46b3 > --- /dev/null > +++ b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
> @@ -0,0 +1,108 @@ > +From 3462280f2e23e16adf3ed5176e0f2413d8861320 Mon Sep 17 00:00:00 2001 > +From: NIIBE Yutaka > +Date: Fri, 21 May 2021 11:15:07 +0900 > +Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations. > + > +* cipher/elgamal.c (gen_k): Remove support of smaller K. > +(do_encrypt): Never use smaller K. > +(sign): Folllow the change of gen_k. > + > +-- > + > +Cherry-pick master commit of: > + 632d80ef30e13de6926d503aa697f92b5dbfbc5e > + > +This change basically reverts encryption changes in two commits: > + > + 74386120dad6b3da62db37f7044267c8ef34689b > + 78531373a342aeb847950f404343a05e36022065 > + > +Use of smaller K for ephemeral key in ElGamal encryption is only good, > +when we can guarantee that recipient's key is generated by our > +implementation (or compatible). > + > +For detail, please see: > + > + Luca De Feo, Bertram Poettering, Alessandro Sorniotti, > + "On the (in)security of ElGamal in OpenPGP"; > + in the proceedings of CCS'2021. > + > +CVE: CVE-2021-33560 > +GnuPG-bug-id: 5328 > +Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti > +Signed-off-by: NIIBE Yutaka > +Signed-off-by: Saloni Jain > + > +Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=3462280f2e23e16adf3ed5176e0f2413d8861320] > +Comment: No changes/refreshing done. 
> +--- > + cipher/elgamal.c | 24 ++++++------------------ > + 1 file changed, 6 insertions(+), 18 deletions(-) > + > +diff --git a/cipher/elgamal.c b/cipher/elgamal.c > +index 9835122f..eead4502 100644 > +--- a/cipher/elgamal.c > ++++ b/cipher/elgamal.c > +@@ -66,7 +66,7 @@ static const char *elg_names[] = > + > + > + static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie); > +-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k); > ++static gcry_mpi_t gen_k (gcry_mpi_t p); > + static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits, > + gcry_mpi_t **factors); > + static int check_secret_key (ELG_secret_key *sk); > +@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie ) > + > + /**************** > + * Generate a random secret exponent k from prime p, so that k is > +- * relatively prime to p-1. With SMALL_K set, k will be selected for > +- * better encryption performance - this must never be used signing! > ++ * relatively prime to p-1. > + */ > + static gcry_mpi_t > +-gen_k( gcry_mpi_t p, int small_k ) > ++gen_k( gcry_mpi_t p ) > + { > + gcry_mpi_t k = mpi_alloc_secure( 0 ); > + gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) ); > +@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k ) > + unsigned int nbits, nbytes; > + char *rndbuf = NULL; > + > +- if (small_k) > +- { > +- /* Using a k much lesser than p is sufficient for encryption and > +- * it greatly improves the encryption performance. We use > +- * Wiener's table and add a large safety margin. */ > +- nbits = wiener_map( orig_nbits ) * 3 / 2; > +- if( nbits >= orig_nbits ) > +- BUG(); > +- } > +- else > +- nbits = orig_nbits; > +- > ++ nbits = orig_nbits; > + > + nbytes = (nbits+7)/8; > + if( DBG_CIPHER ) > +@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey ) > + * error code. 
> + */ > + > +- k = gen_k( pkey->p, 1 ); > ++ k = gen_k( pkey->p ); > + mpi_powm (a, pkey->g, k, pkey->p); > + > + /* b = (y^k * input) mod p > +@@ -608,7 +596,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey ) > + * > + */ > + mpi_sub_ui(p_1, p_1, 1); > +- k = gen_k( skey->p, 0 /* no small K ! */ ); > ++ k = gen_k( skey->p ); > + mpi_powm( a, skey->g, k, skey->p ); > + mpi_mul(t, skey->x, a ); > + mpi_subm(t, input, t, p_1 ); > +-- > +2.11.0 > diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb > index 16a58ad9b8..174b087b24 100644 > --- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb > +++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb > @@ -28,6 +28,7 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \ > file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \ > file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \ > file://determinism.patch \ > + file://CVE-2021-33560.patch \ > " > SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743" > SRC_URI[sha256sum] = "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3" > -- > 2.17.1 > > > >
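Review bot: In the `gen_k` hunk (`@@ -202,18 +201,7 @@`) the encryption speed-up that the removed comment describes goes away together with the `if (small_k)` branch, so the recipe commit message should state that slower ElGamal encryption is expected and why (the header explains that a short k is only safe when the recipient's key came from a compatible generator). Also confirm that `wiener_map` is still referenced elsewhere in cipher/elgamal.c after this hunk removes its only call here, otherwise the build gains an unused-function warning. The rest looks right: `do_encrypt` now calls `gen_k( pkey->p )` exactly as `sign` does, and the header carries `Upstream-Status: Backport` with the 1.8-branch hash plus `CVE: CVE-2021-33560` above the `---` separator, so cve-check will match it.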
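Review bot: The file touched here is meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb, but the subject line reads "libxcrypt: Add fix for CVE-2021-33560"; the subject should name libgcrypt so git history attributes the fix to the right recipe. The `SRC_URI` change itself is fine: `file://CVE-2021-33560.patch \` is appended after `file://determinism.patch \` inside the existing continuation list, with the closing `"` kept as context. As the reply above notes, a patch for this CVE was already submitted (message 155935), so this one should be checked against it before a second copy of the fix lands.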