ec12f2cf |
From 2f6c124e127b5dd98723e7e75a9825c4ed8bd5c7 Mon Sep 17 00:00:00 2001
From: Paul Howarth <paul@city-fan.org>
Date: Fri, 23 Feb 2018 13:03:13 +0000
Subject: [PATCH] Backport of fix for CVE-2018-6594 from pycryptodome
When creating ElGamal keys, the generator wasn't a square residue: ElGamal
encryption done with those keys cannot be secure under the DDH assumption.
More details:
- https://github.com/TElgamal/attack-on-pycrypto-elgamal
- https://github.com/Legrandin/pycryptodome/issues/90
- https://github.com/dlitz/pycrypto/issues/253
This commit is a backport to pycrypto of Legrandin/pycryptodome@99c27a3b
Thanks to Weikeng Chen.
---
lib/Crypto/PublicKey/ElGamal.py | 30 +++++++++++++++---------------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/lib/Crypto/PublicKey/ElGamal.py b/lib/Crypto/PublicKey/ElGamal.py
index 0ab07fc8..064e42bf 100644
--- a/lib/Crypto/PublicKey/ElGamal.py
+++ b/lib/Crypto/PublicKey/ElGamal.py
@@ -154,33 +154,33 @@ def generate(bits, randfunc, progress_func=None):
if number.isPrime(obj.p, randfunc=randfunc):
break
# Generate generator g
- # See Algorithm 4.80 in Handbook of Applied Cryptography
- # Note that the order of the group is n=p-1=2q, where q is prime
if progress_func:
progress_func('g\n')
while 1:
+ # Choose a square residue; it will generate a cyclic group of order q.
+ obj.g = pow(number.getRandomRange(2, obj.p, randfunc), 2, obj.p)
+
# We must avoid g=2 because of Bleichenbacher's attack described
# in "Generating ElGamal signatures without knowning the secret key",
# 1996
- #
- obj.g = number.getRandomRange(3, obj.p, randfunc)
- safe = 1
- if pow(obj.g, 2, obj.p)==1:
- safe=0
- if safe and pow(obj.g, q, obj.p)==1:
- safe=0
+ if obj.g in (1, 2):
+ continue
+
# Discard g if it divides p-1 because of the attack described
# in Note 11.67 (iii) in HAC
- if safe and divmod(obj.p-1, obj.g)[1]==0:
- safe=0
+ if (obj.p - 1) % obj.g == 0:
+ continue
+
# g^{-1} must not divide p-1 because of Khadir's attack
# described in "Conditions of the generator for forging ElGamal
# signature", 2011
ginv = number.inverse(obj.g, obj.p)
- if safe and divmod(obj.p-1, ginv)[1]==0:
- safe=0
- if safe:
- break
+ if (obj.p - 1) % ginv == 0:
+ continue
+
+ # Found
+ break
+
# Generate private key x
if progress_func:
progress_func('x\n') |