| Message ID | 20210918164248.20023-1-peter@korsgaard.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | package/botan: add upstream security fix for CVE-2021-40529 | expand |
Peter, All, On 2021-09-18 18:42 +0200, Peter Korsgaard spake thusly: > Fixes the following security issue: > > - CVE-2021-40529: The ElGamal implementation in Botan through 2.18.1, as > used in Thunderbird and other products, allows plaintext recovery because, > during interaction between two cryptographic libraries, a certain > dangerous combination of the prime defined by the receiver's public key, > the generator defined by the receiver's public key, and the sender's > ephemeral exponents can lead to a cross-configuration attack against > OpenPGP > > For more details, see the upstream bug and issue writeup: > - https://github.com/randombit/botan/pull/2790 > - https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1 > > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Applied to master, thanks. Note: I haven't received the mail for the erlang patch yet, so I can't reply to it; consider it applied to master anyway, thanks. Regards, Yann E. MORIN. > --- > ...d-using-short-exponents-with-ElGamal.patch | 38 +++++++++++++++++++ > package/botan/botan.mk | 3 ++ > 2 files changed, 41 insertions(+) > create mode 100644 package/botan/0001-Avoid-using-short-exponents-with-ElGamal.patch > > diff --git a/package/botan/0001-Avoid-using-short-exponents-with-ElGamal.patch b/package/botan/0001-Avoid-using-short-exponents-with-ElGamal.patch > new file mode 100644 > index 0000000000..e2570cd5ff > --- /dev/null > +++ b/package/botan/0001-Avoid-using-short-exponents-with-ElGamal.patch > @@ -0,0 +1,38 @@ > +From 9a23e4e3bc3966340531f2ff608fa9d33b5185a2 Mon Sep 17 00:00:00 2001 > +From: Jack Lloyd <jack@randombit.net> > +Date: Tue, 3 Aug 2021 18:20:29 -0400 > +Subject: [PATCH] Avoid using short exponents with ElGamal > + > +Some off-brand PGP implementation generates keys where p - 1 is > +smooth, as a result short exponents can leak enough information about > +k to allow decryption. > + > +Signed-off-by: Peter Korsgaard <peter@korsgaard.com> > +[Peter: Drop tests, CVE-2021-40529] > +--- > + src/lib/pubkey/elgamal/elgamal.cpp | 8 +++- > + 1 file changed, 1 insertions(+), 1 deletions(-) > + > +diff --git a/src/lib/pubkey/elgamal/elgamal.cpp b/src/lib/pubkey/elgamal/elgamal.cpp > +index b3ec6df2c..0e33c2ca5 100644 > +--- a/src/lib/pubkey/elgamal/elgamal.cpp > ++++ b/src/lib/pubkey/elgamal/elgamal.cpp > +@@ -113,8 +113,12 @@ ElGamal_Encryption_Operation::raw_encrypt(const uint8_t msg[], size_t msg_len, > + if(m >= m_group.get_p()) > + throw Invalid_Argument("ElGamal encryption: Input is too large"); > + > +- const size_t k_bits = m_group.exponent_bits(); > +- const BigInt k(rng, k_bits); > ++ /* > ++ Some ElGamal implementations foolishly use prime fields where p - 1 is > ++ smooth, as a result it is unsafe to use short exponents. > ++ */ > ++ const size_t k_bits = m_group.p_bits() - 1; > ++ const BigInt k(rng, k_bits, false); > + > + const BigInt a = m_group.power_g_p(k, k_bits); > + const BigInt b = m_group.multiply_mod_p(m, monty_execute(*m_monty_y_p, k, k_bits)); > +- > +-- > +2.20.1 > + > diff --git a/package/botan/botan.mk b/package/botan/botan.mk > index c23aba99dd..0ac528c990 100644 > --- a/package/botan/botan.mk > +++ b/package/botan/botan.mk > @@ -11,6 +11,9 @@ BOTAN_LICENSE = BSD-2-Clause > BOTAN_LICENSE_FILES = license.txt > BOTAN_CPE_ID_VENDOR = botan_project > > +# 0001-Avoid-using-short-exponents-with-ElGamal.patch > +BOTAN_IGNORE_CVES += CVE-2021-40529 > + > BOTAN_INSTALL_STAGING = YES > > BOTAN_CONF_OPTS = \ > -- > 2.20.1 > > _______________________________________________ > buildroot mailing list > buildroot@lists.buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes: > Fixes the following security issue: > - CVE-2021-40529: The ElGamal implementation in Botan through 2.18.1, as > used in Thunderbird and other products, allows plaintext recovery because, > during interaction between two cryptographic libraries, a certain > dangerous combination of the prime defined by the receiver's public key, > the generator defined by the receiver's public key, and the sender's > ephemeral exponents can lead to a cross-configuration attack against > OpenPGP > For more details, see the upstream bug and issue writeup: > - https://github.com/randombit/botan/pull/2790 > - https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Committed to 2021.02.x, 2021.05.x and 2021.08.x, thanks.
diff --git a/package/botan/0001-Avoid-using-short-exponents-with-ElGamal.patch b/package/botan/0001-Avoid-using-short-exponents-with-ElGamal.patch new file mode 100644 index 0000000000..e2570cd5ff --- /dev/null +++ b/package/botan/0001-Avoid-using-short-exponents-with-ElGamal.patch @@ -0,0 +1,38 @@ +From 9a23e4e3bc3966340531f2ff608fa9d33b5185a2 Mon Sep 17 00:00:00 2001 +From: Jack Lloyd <jack@randombit.net> +Date: Tue, 3 Aug 2021 18:20:29 -0400 +Subject: [PATCH] Avoid using short exponents with ElGamal + +Some off-brand PGP implementation generates keys where p - 1 is +smooth, as a result short exponents can leak enough information about +k to allow decryption. + +Signed-off-by: Peter Korsgaard <peter@korsgaard.com> +[Peter: Drop tests, CVE-2021-40529] +--- + src/lib/pubkey/elgamal/elgamal.cpp | 8 +++- + 1 file changed, 1 insertions(+), 1 deletions(-) + +diff --git a/src/lib/pubkey/elgamal/elgamal.cpp b/src/lib/pubkey/elgamal/elgamal.cpp +index b3ec6df2c..0e33c2ca5 100644 +--- a/src/lib/pubkey/elgamal/elgamal.cpp ++++ b/src/lib/pubkey/elgamal/elgamal.cpp +@@ -113,8 +113,12 @@ ElGamal_Encryption_Operation::raw_encrypt(const uint8_t msg[], size_t msg_len, + if(m >= m_group.get_p()) + throw Invalid_Argument("ElGamal encryption: Input is too large"); + +- const size_t k_bits = m_group.exponent_bits(); +- const BigInt k(rng, k_bits); ++ /* ++ Some ElGamal implementations foolishly use prime fields where p - 1 is ++ smooth, as a result it is unsafe to use short exponents. ++ */ ++ const size_t k_bits = m_group.p_bits() - 1; ++ const BigInt k(rng, k_bits, false); + + const BigInt a = m_group.power_g_p(k, k_bits); + const BigInt b = m_group.multiply_mod_p(m, monty_execute(*m_monty_y_p, k, k_bits)); +- +-- +2.20.1 + diff --git a/package/botan/botan.mk b/package/botan/botan.mk index c23aba99dd..0ac528c990 100644 --- a/package/botan/botan.mk +++ b/package/botan/botan.mk @@ -11,6 +11,9 @@ BOTAN_LICENSE = BSD-2-Clause BOTAN_LICENSE_FILES = license.txt BOTAN_CPE_ID_VENDOR = botan_project +# 0001-Avoid-using-short-exponents-with-ElGamal.patch +BOTAN_IGNORE_CVES += CVE-2021-40529 + BOTAN_INSTALL_STAGING = YES BOTAN_CONF_OPTS = \
Fixes the following security issue: - CVE-2021-40529: The ElGamal implementation in Botan through 2.18.1, as used in Thunderbird and other products, allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP For more details, see the upstream bug and issue writeup: - https://github.com/randombit/botan/pull/2790 - https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1 Signed-off-by: Peter Korsgaard <peter@korsgaard.com> --- ...d-using-short-exponents-with-ElGamal.patch | 38 +++++++++++++++++++ package/botan/botan.mk | 3 ++ 2 files changed, 41 insertions(+) create mode 100644 package/botan/0001-Avoid-using-short-exponents-with-ElGamal.patch