Fix CVE-2021-33560 CVE-2021-40528

2021-09-24 10:30:32 +08:00 · 2021-09-24 10:30:32 +08:00 · 140d36da2f
commit 140d36da2f
parent a05aeff2e7
3 changed files with 165 additions and 85 deletions
--- a/CVE-2021-33560.patch
+++ b/CVE-2021-33560.patch
@ -1,105 +1,73 @@
-From 3462280f2e23e16adf3ed5176e0f2413d8861320 Mon Sep 17 00:00:00 2001
+From e8b7f10be275bcedb5fc05ed4837a89bfd605c61 Mon Sep 17 00:00:00 2001
 From: NIIBE Yutaka <gniibe@fsij.org>
-Date: Fri, 21 May 2021 11:15:07 +0900
+Date: Tue, 13 Apr 2021 10:00:00 +0900
-Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations.
+Subject: [PATCH] cipher: Hardening ElGamal by introducing exponent blinding
 too.
-* cipher/elgamal.c (gen_k): Remove support of smaller K.
+* cipher/elgamal.c (do_encrypt): Also do exponent blinding.
 (do_encrypt): Never use smaller K.
 (sign): Folllow the change of gen_k.
 --
-Cherry-pick master commit of:
+Base blinding had been introduced with USE_BLINDING.  This patch add
-	632d80ef30e13de6926d503aa697f92b5dbfbc5e
+exponent blinding as well to mitigate side-channel attack on mpi_powm.
 This change basically reverts encryption changes in two commits:
 	74386120dad6b3da62db37f7044267c8ef34689b
 	78531373a342aeb847950f404343a05e36022065
 Use of smaller K for ephemeral key in ElGamal encryption is only good,
 when we can guarantee that recipient's key is generated by our
 implementation (or compatible).
 For detail, please see:
    Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
    "On the (in)security of ElGamal in OpenPGP";
    in the proceedings of  CCS'2021.
 CVE-id: CVE-2021-33560
 GnuPG-bug-id: 5328
 Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 ---
- cipher/elgamal.c | 24 ++++++------------------
+ cipher/elgamal.c | 20 +++++++++++++++++---
- 1 file changed, 6 insertions(+), 18 deletions(-)
+ 1 file changed, 17 insertions(+), 3 deletions(-)
 diff --git a/cipher/elgamal.c b/cipher/elgamal.c
-index 9835122..eead450 100644
+index 4eb52d6..9835122 100644
 --- a/cipher/elgamal.c
 +++ b/cipher/elgamal.c
-@@ -66,7 +66,7 @@ static const char *elg_names[] =
+@@ -522,8 +522,9 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
- 
+ static void
- 
+ decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey )
 static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
 -static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
 +static gcry_mpi_t gen_k (gcry_mpi_t p);
 static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
                                  gcry_mpi_t **factors);
 static int  check_secret_key (ELG_secret_key *sk);
@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
 /****************
  * Generate a random secret exponent k from prime p, so that k is
 - * relatively prime to p-1.  With SMALL_K set, k will be selected for
 - * better encryption performance - this must never be used signing!
 + * relatively prime to p-1.
  */
 static gcry_mpi_t
 -gen_k( gcry_mpi_t p, int small_k )
 +gen_k( gcry_mpi_t p )
 {
-   gcry_mpi_t k = mpi_alloc_secure( 0 );
+-  gcry_mpi_t t1, t2, r;
-   gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
+  gcry_mpi_t t1, t2, r, r1, h;
-@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
+   unsigned int nbits = mpi_get_nbits (skey->p);
-   unsigned int nbits, nbytes;
+  gcry_mpi_t x_blind;
   char *rndbuf = NULL;
-  if (small_k)
+   mpi_normalize (a);
-    {
+   mpi_normalize (b);
-      /* Using a k much lesser than p is sufficient for encryption and
+@@ -534,20 +535,33 @@ decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey )
 -       * it greatly improves the encryption performance.  We use
 -       * Wiener's table and add a large safety margin. */
 -      nbits = wiener_map( orig_nbits ) * 3 / 2;
 -      if( nbits >= orig_nbits )
 -        BUG();
 -    }
 -  else
 -    nbits = orig_nbits;
 -
 +  nbits = orig_nbits;
-   nbytes = (nbits+7)/8;
+   t2 = mpi_snew (nbits);
-   if( DBG_CIPHER )
+   r  = mpi_new (nbits);
-@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
+  r1 = mpi_new (nbits);
-    * error code.
+  h  = mpi_new (nbits);
-    */
+  x_blind = mpi_snew (nbits);
-  k = gen_k( pkey->p, 1 );
+   /* We need a random number of about the prime size.  The random
-+  k = gen_k( pkey->p );
+      number merely needs to be unpredictable; thus we use level 0.  */
-   mpi_powm (a, pkey->g, k, pkey->p);
+   _gcry_mpi_randomize (r, nbits, GCRY_WEAK_RANDOM);
 +  /* Also, exponent blinding: x_blind = x + (p-1)*r1 */
 +  _gcry_mpi_randomize (r1, nbits, GCRY_WEAK_RANDOM);
 +  mpi_set_highbit (r1, nbits - 1);
 +  mpi_sub_ui (h, skey->p, 1);
 +  mpi_mul (x_blind, h, r1);
 +  mpi_add (x_blind, skey->x, x_blind);
 +
   /* t1 = r^x mod p */
 -  mpi_powm (t1, r, skey->x, skey->p);
 +  mpi_powm (t1, r, x_blind, skey->p);
   /* t2 = (a * r)^-x mod p */
   mpi_mulm (t2, a, r, skey->p);
 -  mpi_powm (t2, t2, skey->x, skey->p);
 +  mpi_powm (t2, t2, x_blind, skey->p);
   mpi_invm (t2, t2, skey->p);
   /* t1 = (t1 * t2) mod p*/
   mpi_mulm (t1, t1, t2, skey->p);
 +  mpi_free (x_blind);
 +  mpi_free (h);
 +  mpi_free (r1);
   mpi_free (r);
   mpi_free (t2);
   /* b = (y^k * input) mod p
@@ -608,7 +596,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
     *
     */
     mpi_sub_ui(p_1, p_1, 1);
 -    k = gen_k( skey->p, 0 /* no small K ! */ );
 +    k = gen_k( skey->p );
     mpi_powm( a, skey->g, k, skey->p );
     mpi_mul(t, skey->x, a );
     mpi_subm(t, input, t, p_1 );
 -- 
 1.8.3.1
--- a/CVE-2021-40528.patch
+++ b/CVE-2021-40528.patch
@ -0,0 +1,105 @@
 From 3462280f2e23e16adf3ed5176e0f2413d8861320 Mon Sep 17 00:00:00 2001
 From: NIIBE Yutaka <gniibe@fsij.org>
 Date: Fri, 21 May 2021 11:15:07 +0900
 Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations.
 * cipher/elgamal.c (gen_k): Remove support of smaller K.
 (do_encrypt): Never use smaller K.
 (sign): Folllow the change of gen_k.
 --
 Cherry-pick master commit of:
 	632d80ef30e13de6926d503aa697f92b5dbfbc5e
 This change basically reverts encryption changes in two commits:
 	74386120dad6b3da62db37f7044267c8ef34689b
 	78531373a342aeb847950f404343a05e36022065
 Use of smaller K for ephemeral key in ElGamal encryption is only good,
 when we can guarantee that recipient's key is generated by our
 implementation (or compatible).
 For detail, please see:
    Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
    "On the (in)security of ElGamal in OpenPGP";
    in the proceedings of  CCS'2021.
 CVE-id: CVE-2021-33560(This patch actually modifies CVE-2021-40528,see:https://dev.gnupg.org/T5328#149606)
 GnuPG-bug-id: 5328
 Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 ---
 cipher/elgamal.c | 24 ++++++------------------
 1 file changed, 6 insertions(+), 18 deletions(-)
 diff --git a/cipher/elgamal.c b/cipher/elgamal.c
 index 9835122..eead450 100644
 --- a/cipher/elgamal.c
 +++ b/cipher/elgamal.c
@@ -66,7 +66,7 @@ static const char *elg_names[] =
 static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
 -static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
 +static gcry_mpi_t gen_k (gcry_mpi_t p);
 static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
                                  gcry_mpi_t **factors);
 static int  check_secret_key (ELG_secret_key *sk);
@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
 /****************
  * Generate a random secret exponent k from prime p, so that k is
 - * relatively prime to p-1.  With SMALL_K set, k will be selected for
 - * better encryption performance - this must never be used signing!
 + * relatively prime to p-1.
  */
 static gcry_mpi_t
 -gen_k( gcry_mpi_t p, int small_k )
 +gen_k( gcry_mpi_t p )
 {
   gcry_mpi_t k = mpi_alloc_secure( 0 );
   gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
   unsigned int nbits, nbytes;
   char *rndbuf = NULL;
 -  if (small_k)
 -    {
 -      /* Using a k much lesser than p is sufficient for encryption and
 -       * it greatly improves the encryption performance.  We use
 -       * Wiener's table and add a large safety margin. */
 -      nbits = wiener_map( orig_nbits ) * 3 / 2;
 -      if( nbits >= orig_nbits )
 -        BUG();
 -    }
 -  else
 -    nbits = orig_nbits;
 -
 +  nbits = orig_nbits;
   nbytes = (nbits+7)/8;
   if( DBG_CIPHER )
@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
    * error code.
    */
 -  k = gen_k( pkey->p, 1 );
 +  k = gen_k( pkey->p );
   mpi_powm (a, pkey->g, k, pkey->p);
   /* b = (y^k * input) mod p
@@ -608,7 +596,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
     *
     */
     mpi_sub_ui(p_1, p_1, 1);
 -    k = gen_k( skey->p, 0 /* no small K ! */ );
 +    k = gen_k( skey->p );
     mpi_powm( a, skey->g, k, skey->p );
     mpi_mul(t, skey->x, a );
     mpi_subm(t, input, t, p_1 );
 -- 
 1.8.3.1
--- a/libgcrypt.spec
+++ b/libgcrypt.spec
@ -4,7 +4,7 @@
 Name:          libgcrypt
 Version:       1.8.7
-Release:       3
+Release:       4
 Summary:       A general-purpose cryptography library
 License:       LGPLv2+
 URL:           https://www.gnupg.org/
@ -31,6 +31,7 @@ Patch16:       CVE-2019-12904-1.patch
 Patch17:       CVE-2019-12904-2.patch
 Patch18:       CVE-2019-12904-3.patch
 Patch19:       CVE-2021-33560.patch
 Patch20:       CVE-2021-40528.patch
 BuildRequires: gcc texinfo autoconf automake libtool
 BuildRequires: gawk libgpg-error-devel >= 1.11 pkgconfig
@ -136,6 +137,12 @@ install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/gcrypt/random.conf
 %{_infodir}/gcrypt.info*
 %changelog
 * Fri Sep 24 2021 zoulin <zoulin13@huawei.com> - 1.8.7-4
 - Type:cves
 - ID:NA
 - SUG:NA
 - DESC:Fix CVE-2021-33560 CVE-2021-40528
 * Fri Jul 30 2021 chenyanpanHW <chenyanpan@huawei.com> - 1.8.7-3
 - DESC: delete -S git from %autosetup, and delete BuildRequires git