new file mode 100644

@@ -0,0 +1,72 @@

+From 2f6c124e127b5dd98723e7e75a9825c4ed8bd5c7 Mon Sep 17 00:00:00 2001

+From: Paul Howarth <paul@city-fan.org>

+Date: Fri, 23 Feb 2018 13:03:13 +0000

+Subject: [PATCH] Backport of fix for CVE-2018-6594 from pycryptodome

+

+When creating ElGamal keys, the generator wasn't a square residue: ElGamal

+encryption done with those keys cannot be secure under the DDH assumption.

+

+More details:

+- https://github.com/TElgamal/attack-on-pycrypto-elgamal

+- https://github.com/Legrandin/pycryptodome/issues/90

+- https://github.com/dlitz/pycrypto/issues/253

+

+This commit is a backport to pycrypto of Legrandin/pycryptodome@99c27a3b

+Thanks to Weikeng Chen.

+---

+ lib/Crypto/PublicKey/ElGamal.py | 30 +++++++++++++++---------------

+ 1 file changed, 15 insertions(+), 15 deletions(-)

+

+diff --git a/lib/Crypto/PublicKey/ElGamal.py b/lib/Crypto/PublicKey/ElGamal.py

+index 0ab07fc8..064e42bf 100644

+--- a/lib/Crypto/PublicKey/ElGamal.py

+@@ -154,33 +154,33 @@ def generate(bits, randfunc, progress_func=None):

+         if number.isPrime(obj.p, randfunc=randfunc):

+             break

+     # Generate generator g

+-    # See Algorithm 4.80 in Handbook of Applied Cryptography

+-    # Note that the order of the group is n=p-1=2q, where q is prime

+     if progress_func:

+         progress_func('g\n')

+     while 1:

++        # Choose a square residue; it will generate a cyclic group of order q.

++        obj.g = pow(number.getRandomRange(2, obj.p, randfunc), 2, obj.p)

++

+         # We must avoid g=2 because of Bleichenbacher's attack described

+         # in "Generating ElGamal signatures without knowning the secret key",

+         # 1996

+-        #

+-        obj.g = number.getRandomRange(3, obj.p, randfunc)

+-        safe = 1

+-        if pow(obj.g, 2, obj.p)==1:

+-            safe=0

+-        if safe and pow(obj.g, q, obj.p)==1:

+-            safe=0

++        if obj.g in (1, 2):

++            continue

++

+         # Discard g if it divides p-1 because of the attack described

+         # in Note 11.67 (iii) in HAC

+-        if safe and divmod(obj.p-1, obj.g)[1]==0:

+-            safe=0

++        if (obj.p - 1) % obj.g == 0:

++            continue

++

+         # g^{-1} must not divide p-1 because of Khadir's attack

+         # described in "Conditions of the generator for forging ElGamal

+         # signature", 2011

+         ginv = number.inverse(obj.g, obj.p)

+-        if safe and divmod(obj.p-1, ginv)[1]==0:

+-            safe=0

+-        if safe:

+-            break

++        if (obj.p - 1) % ginv == 0:

++            continue

++

++        # Found

++        break

++

+     # Generate private key x

+     if progress_func:

+         progress_func('x\n')

@@ -4,12 +4,13 @@

 Summary:        The Python Cryptography Toolkit.

 Name:           pycrypto

 Version:        2.6.1

-Release:        3%{?dist}

+Release:        4%{?dist}

 License:        Public Domain and Python

 URL:            http://www.pycrypto.org/

 Source0:        https://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/%{name}-%{version}.tar.gz

 %define         sha1 pycrypto=aeda3ed41caf1766409d4efc689b9ca30ad6aeb2

 Patch0:         pycrypto-2.6.1-CVE-2013-7459.patch

+Patch1:         pycrypto-2.6.1-CVE-2018-6594.patch

 Group:          Development/Tools

 Vendor:         VMware, Inc.

 Distribution:   Photon

@@ -33,6 +34,7 @@ Python 3 version.

 %prep

 %setup -q

 %patch0 -p1

+%patch1 -p1

 %build

 python2 setup.py build

@@ -55,6 +57,8 @@ python3 setup.py test

 %{python3_sitelib}/*

 %changelog

+*   Tue Apr 17 2018 Xiaolin Li <xiaolinl@vmware.com> 2.6.1-4

+-   Apply patch for CVE-2018-6594

 *   Thu Jul 20 2017 Anish Swaminathan <anishs@vmware.com> 2.6.1-3

 -   Apply patch for CVE-2013-7459

 *   Thu Jul 13 2017 Divya Thaluru <dthaluru@vmware.com> 2.6.1-2