@@ -1,109 +1,77 @@
-From 707c3c5c511ee70ad0e39ec613471f665305fbea Mon Sep 17 00:00:00 2001
+From e8b7f10be275bcedb5fc05ed4837a89bfd605c61 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
-Date: Fri, 21 May 2021 11:15:07 +0900
-Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations.
+Date: Tue, 13 Apr 2021 10:00:00 +0900
+Subject: [PATCH] cipher: Hardening ElGamal by introducing exponent blinding
+ too.
-* cipher/elgamal.c (gen_k): Remove support of smaller K.
-(do_encrypt): Never use smaller K.
-(sign): Folllow the change of gen_k.
+* cipher/elgamal.c (do_encrypt): Also do exponent blinding.
--
-Cherry-pick master commit of:
- 632d80ef30e13de6926d503aa697f92b5dbfbc5e
+Base blinding had been introduced with USE_BLINDING. This patch add
+exponent blinding as well to mitigate side-channel attack on mpi_powm.
-This change basically reverts encryption changes in two commits:
-
- 74386120dad6b3da62db37f7044267c8ef34689b
- 78531373a342aeb847950f404343a05e36022065
-
-Use of smaller K for ephemeral key in ElGamal encryption is only good,
-when we can guarantee that recipient's key is generated by our
-implementation (or compatible).
-
-For detail, please see:
-
- Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
- "On the (in)security of ElGamal in OpenPGP";
- in the proceedings of CCS'2021.
-
-CVE-id: CVE-2021-33560
GnuPG-bug-id: 5328
-Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Upstream-Status: Backport
CVE: CVE-2021-33560
-Signed-off-by: Armin Kuster <akuster@mvista.com>
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
---
- cipher/elgamal.c | 24 ++++++------------------
- 1 file changed, 6 insertions(+), 18 deletions(-)
+ cipher/elgamal.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/cipher/elgamal.c b/cipher/elgamal.c
-index 4eb52d62..ae7a631e 100644
+index 4eb52d62..9835122f 100644
--- a/cipher/elgamal.c
+++ b/cipher/elgamal.c
-@@ -66,7 +66,7 @@ static const char *elg_names[] =
-
+@@ -522,8 +522,9 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
+ static void
+ decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey )
+ {
+- gcry_mpi_t t1, t2, r;
++ gcry_mpi_t t1, t2, r, r1, h;
+ unsigned int nbits = mpi_get_nbits (skey->p);
++ gcry_mpi_t x_blind;
- static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
--static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
-+static gcry_mpi_t gen_k (gcry_mpi_t p);
- static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
- gcry_mpi_t **factors);
- static int check_secret_key (ELG_secret_key *sk);
-@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
+ mpi_normalize (a);
+ mpi_normalize (b);
+@@ -534,20 +535,33 @@ decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey )
- /****************
- * Generate a random secret exponent k from prime p, so that k is
-- * relatively prime to p-1. With SMALL_K set, k will be selected for
-- * better encryption performance - this must never be used signing!
-+ * relatively prime to p-1.
- */
- static gcry_mpi_t
--gen_k( gcry_mpi_t p, int small_k )
-+gen_k( gcry_mpi_t p )
- {
- gcry_mpi_t k = mpi_alloc_secure( 0 );
- gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
-@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
- unsigned int nbits, nbytes;
- char *rndbuf = NULL;
+ t2 = mpi_snew (nbits);
+ r = mpi_new (nbits);
++ r1 = mpi_new (nbits);
++ h = mpi_new (nbits);
++ x_blind = mpi_snew (nbits);
-- if (small_k)
-- {
-- /* Using a k much lesser than p is sufficient for encryption and
-- * it greatly improves the encryption performance. We use
-- * Wiener's table and add a large safety margin. */
-- nbits = wiener_map( orig_nbits ) * 3 / 2;
-- if( nbits >= orig_nbits )
-- BUG();
-- }
-- else
-- nbits = orig_nbits;
--
-+ nbits = orig_nbits;
+ /* We need a random number of about the prime size. The random
+ number merely needs to be unpredictable; thus we use level 0. */
+ _gcry_mpi_randomize (r, nbits, GCRY_WEAK_RANDOM);
- nbytes = (nbits+7)/8;
- if( DBG_CIPHER )
-@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
- * error code.
- */
++ /* Also, exponent blinding: x_blind = x + (p-1)*r1 */
++ _gcry_mpi_randomize (r1, nbits, GCRY_WEAK_RANDOM);
++ mpi_set_highbit (r1, nbits - 1);
++ mpi_sub_ui (h, skey->p, 1);
++ mpi_mul (x_blind, h, r1);
++ mpi_add (x_blind, skey->x, x_blind);
++
+ /* t1 = r^x mod p */
+- mpi_powm (t1, r, skey->x, skey->p);
++ mpi_powm (t1, r, x_blind, skey->p);
+ /* t2 = (a * r)^-x mod p */
+ mpi_mulm (t2, a, r, skey->p);
+- mpi_powm (t2, t2, skey->x, skey->p);
++ mpi_powm (t2, t2, x_blind, skey->p);
+ mpi_invm (t2, t2, skey->p);
+ /* t1 = (t1 * t2) mod p*/
+ mpi_mulm (t1, t1, t2, skey->p);
-- k = gen_k( pkey->p, 1 );
-+ k = gen_k( pkey->p );
- mpi_powm (a, pkey->g, k, pkey->p);
++ mpi_free (x_blind);
++ mpi_free (h);
++ mpi_free (r1);
+ mpi_free (r);
+ mpi_free (t2);
- /* b = (y^k * input) mod p
-@@ -594,7 +582,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
- *
- */
- mpi_sub_ui(p_1, p_1, 1);
-- k = gen_k( skey->p, 0 /* no small K ! */ );
-+ k = gen_k( skey->p );
- mpi_powm( a, skey->g, k, skey->p );
- mpi_mul(t, skey->x, a );
- mpi_subm(t, input, t, p_1 );
--
-2.30.2
+2.11.0
new file mode 100644
@@ -0,0 +1,109 @@
+From 707c3c5c511ee70ad0e39ec613471f665305fbea Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Fri, 21 May 2021 11:15:07 +0900
+Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations.
+
+* cipher/elgamal.c (gen_k): Remove support of smaller K.
+(do_encrypt): Never use smaller K.
+(sign): Folllow the change of gen_k.
+
+--
+
+Cherry-pick master commit of:
+ 632d80ef30e13de6926d503aa697f92b5dbfbc5e
+
+This change basically reverts encryption changes in two commits:
+
+ 74386120dad6b3da62db37f7044267c8ef34689b
+ 78531373a342aeb847950f404343a05e36022065
+
+Use of smaller K for ephemeral key in ElGamal encryption is only good,
+when we can guarantee that recipient's key is generated by our
+implementation (or compatible).
+
+For detail, please see:
+
+ Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
+ "On the (in)security of ElGamal in OpenPGP";
+ in the proceedings of CCS'2021.
+
+CVE-id: CVE-2021-33560
+GnuPG-bug-id: 5328
+Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+
+Upstream-Status: Backport
+CVE: CVE-2021-40528
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ cipher/elgamal.c | 24 ++++++------------------
+ 1 file changed, 6 insertions(+), 18 deletions(-)
+
+diff --git a/cipher/elgamal.c b/cipher/elgamal.c
+index 4eb52d62..ae7a631e 100644
+--- a/cipher/elgamal.c
++++ b/cipher/elgamal.c
+@@ -66,7 +66,7 @@ static const char *elg_names[] =
+
+
+ static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
+-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
++static gcry_mpi_t gen_k (gcry_mpi_t p);
+ static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
+ gcry_mpi_t **factors);
+ static int check_secret_key (ELG_secret_key *sk);
+@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
+
+ /****************
+ * Generate a random secret exponent k from prime p, so that k is
+- * relatively prime to p-1. With SMALL_K set, k will be selected for
+- * better encryption performance - this must never be used signing!
++ * relatively prime to p-1.
+ */
+ static gcry_mpi_t
+-gen_k( gcry_mpi_t p, int small_k )
++gen_k( gcry_mpi_t p )
+ {
+ gcry_mpi_t k = mpi_alloc_secure( 0 );
+ gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
+@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
+ unsigned int nbits, nbytes;
+ char *rndbuf = NULL;
+
+- if (small_k)
+- {
+- /* Using a k much lesser than p is sufficient for encryption and
+- * it greatly improves the encryption performance. We use
+- * Wiener's table and add a large safety margin. */
+- nbits = wiener_map( orig_nbits ) * 3 / 2;
+- if( nbits >= orig_nbits )
+- BUG();
+- }
+- else
+- nbits = orig_nbits;
+-
++ nbits = orig_nbits;
+
+ nbytes = (nbits+7)/8;
+ if( DBG_CIPHER )
+@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
+ * error code.
+ */
+
+- k = gen_k( pkey->p, 1 );
++ k = gen_k( pkey->p );
+ mpi_powm (a, pkey->g, k, pkey->p);
+
+ /* b = (y^k * input) mod p
+@@ -594,7 +582,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
+ *
+ */
+ mpi_sub_ui(p_1, p_1, 1);
+- k = gen_k( skey->p, 0 /* no small K ! */ );
++ k = gen_k( skey->p );
+ mpi_powm( a, skey->g, k, skey->p );
+ mpi_mul(t, skey->x, a );
+ mpi_subm(t, input, t, p_1 );
+--
+2.30.2
+
@@ -29,6 +29,7 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \
file://determinism.patch \
file://CVE-2021-33560.patch \
+ file://CVE-2021-40528.patch \
"
SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743"
SRC_URI[sha256sum] = "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3"