File libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch of Package libgcrypt.20076

Overview Repositories Revisions Requests Users Attributes Meta

File libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch of Package libgcrypt.20076

From: NIIBE Yutaka <gniibe@fsij.org>
Date: Fri, 21 May 2021 02:15:07 +0000 (+0900)
Subject: cipher: Fix ElGamal encryption for other implementations.
X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff_plain;h=632d80ef30e13de6926d503aa697f92b5dbfbc5e

cipher: Fix ElGamal encryption for other implementations.

* cipher/elgamal.c (gen_k): Remove support of smaller K.
(do_encrypt): Never use smaller K.
(sign): Folllow the change of gen_k.

This change basically reverts encryption changes in two commits:

74386120dad6b3da62db37f7044267c8ef34689b
	78531373a342aeb847950f404343a05e36022065

Use of smaller K for ephemeral key in ElGamal encryption is only good,
when we can guarantee that recipient's key is generated by our
implementation (or compatible).

For detail, please see:

Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
    "On the (in)security of ElGamal in OpenPGP";
    in the proceedings of  CCS'2021.

CVE-id: CVE-2021-33560
GnuPG-bug-id: 5328
Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---

Index: libgcrypt-1.6.1/cipher/elgamal.c
===================================================================
--- libgcrypt-1.6.1.orig/cipher/elgamal.c
+++ libgcrypt-1.6.1/cipher/elgamal.c
@@ -66,7 +66,7 @@ static const char *elg_names[] =
 
 
 static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
+static gcry_mpi_t gen_k (gcry_mpi_t p);
 static void generate (ELG_secret_key *sk, unsigned nbits, gcry_mpi_t **factors);
 static int  check_secret_key (ELG_secret_key *sk);
 static void do_encrypt (gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input,
@@ -188,11 +188,10 @@ test_keys ( ELG_secret_key *sk, unsigned
 
 /****************
  * Generate a random secret exponent k from prime p, so that k is
- * relatively prime to p-1.  With SMALL_K set, k will be selected for
- * better encryption performance - this must never be used signing!
+ * relatively prime to p-1.
  */
 static gcry_mpi_t
-gen_k( gcry_mpi_t p, int small_k )
+gen_k( gcry_mpi_t p )
 {
   gcry_mpi_t k = mpi_alloc_secure( 0 );
   gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
@@ -201,18 +200,7 @@ gen_k( gcry_mpi_t p, int small_k )
   unsigned int nbits, nbytes;
   char *rndbuf = NULL;
 
-  if (small_k)
-    {
-      /* Using a k much lesser than p is sufficient for encryption and
-       * it greatly improves the encryption performance.  We use
-       * Wiener's table and add a large safety margin. */
-      nbits = wiener_map( orig_nbits ) * 3 / 2;
-      if( nbits >= orig_nbits )
-        BUG();
-    }
-  else
-    nbits = orig_nbits;
-
+  nbits = orig_nbits;
 
   nbytes = (nbits+7)/8;
   if( DBG_CIPHER )
@@ -475,7 +463,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, g
    * error code.
    */
 
-  k = gen_k( pkey->p, 1 );
+  k = gen_k( pkey->p );
   mpi_powm (a, pkey->g, k, pkey->p);
 
   /* b = (y^k * input) mod p
@@ -591,7 +579,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mp
     *
     */
     mpi_sub_ui(p_1, p_1, 1);
-    k = gen_k( skey->p, 0 /* no small K ! */ );
+    k = gen_k( skey->p );
     mpi_powm( a, skey->g, k, skey->p );
     mpi_mul(t, skey->x, a );
     mpi_subm(t, input, t, p_1 );

Places

File libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch of Package libgcrypt.20076

Places