Browse code
Appy patch for CVE-2018-6594
Change-Id: Ie2043989e5f11a3ebfd87c648ef5116c1bc45ed8
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6259
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Sharath George
smaliakkal authored on 2018/11/30 10:04:37Showing 2 changed files
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,72 @@ |
| 0 |
+From 2f6c124e127b5dd98723e7e75a9825c4ed8bd5c7 Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: Paul Howarth <paul@city-fan.org> |
|
| 2 |
+Date: Fri, 23 Feb 2018 13:03:13 +0000 |
|
| 3 |
+Subject: [PATCH] Backport of fix for CVE-2018-6594 from pycryptodome |
|
| 4 |
+ |
|
| 5 |
+When creating ElGamal keys, the generator wasn't a square residue: ElGamal |
|
| 6 |
+encryption done with those keys cannot be secure under the DDH assumption. |
|
| 7 |
+ |
|
| 8 |
+More details: |
|
| 9 |
+- https://github.com/TElgamal/attack-on-pycrypto-elgamal |
|
| 10 |
+- https://github.com/Legrandin/pycryptodome/issues/90 |
|
| 11 |
+- https://github.com/dlitz/pycrypto/issues/253 |
|
| 12 |
+ |
|
| 13 |
+This commit is a backport to pycrypto of Legrandin/pycryptodome@99c27a3b |
|
| 14 |
+Thanks to Weikeng Chen. |
|
| 15 |
+--- |
|
| 16 |
+ lib/Crypto/PublicKey/ElGamal.py | 30 +++++++++++++++--------------- |
|
| 17 |
+ 1 file changed, 15 insertions(+), 15 deletions(-) |
|
| 18 |
+ |
|
| 19 |
+diff --git a/lib/Crypto/PublicKey/ElGamal.py b/lib/Crypto/PublicKey/ElGamal.py |
|
| 20 |
+index 0ab07fc8..064e42bf 100644 |
|
| 21 |
+--- a/lib/Crypto/PublicKey/ElGamal.py |
|
| 22 |
+@@ -154,33 +154,33 @@ def generate(bits, randfunc, progress_func=None): |
|
| 23 |
+ if number.isPrime(obj.p, randfunc=randfunc): |
|
| 24 |
+ break |
|
| 25 |
+ # Generate generator g |
|
| 26 |
+- # See Algorithm 4.80 in Handbook of Applied Cryptography |
|
| 27 |
+- # Note that the order of the group is n=p-1=2q, where q is prime |
|
| 28 |
+ if progress_func: |
|
| 29 |
+ progress_func('g\n')
|
|
| 30 |
+ while 1: |
|
| 31 |
++ # Choose a square residue; it will generate a cyclic group of order q. |
|
| 32 |
++ obj.g = pow(number.getRandomRange(2, obj.p, randfunc), 2, obj.p) |
|
| 33 |
++ |
|
| 34 |
+ # We must avoid g=2 because of Bleichenbacher's attack described |
|
| 35 |
+ # in "Generating ElGamal signatures without knowning the secret key", |
|
| 36 |
+ # 1996 |
|
| 37 |
+- # |
|
| 38 |
+- obj.g = number.getRandomRange(3, obj.p, randfunc) |
|
| 39 |
+- safe = 1 |
|
| 40 |
+- if pow(obj.g, 2, obj.p)==1: |
|
| 41 |
+- safe=0 |
|
| 42 |
+- if safe and pow(obj.g, q, obj.p)==1: |
|
| 43 |
+- safe=0 |
|
| 44 |
++ if obj.g in (1, 2): |
|
| 45 |
++ continue |
|
| 46 |
++ |
|
| 47 |
+ # Discard g if it divides p-1 because of the attack described |
|
| 48 |
+ # in Note 11.67 (iii) in HAC |
|
| 49 |
+- if safe and divmod(obj.p-1, obj.g)[1]==0: |
|
| 50 |
+- safe=0 |
|
| 51 |
++ if (obj.p - 1) % obj.g == 0: |
|
| 52 |
++ continue |
|
| 53 |
++ |
|
| 54 |
+ # g^{-1} must not divide p-1 because of Khadir's attack
|
|
| 55 |
+ # described in "Conditions of the generator for forging ElGamal |
|
| 56 |
+ # signature", 2011 |
|
| 57 |
+ ginv = number.inverse(obj.g, obj.p) |
|
| 58 |
+- if safe and divmod(obj.p-1, ginv)[1]==0: |
|
| 59 |
+- safe=0 |
|
| 60 |
+- if safe: |
|
| 61 |
+- break |
|
| 62 |
++ if (obj.p - 1) % ginv == 0: |
|
| 63 |
++ continue |
|
| 64 |
++ |
|
| 65 |
++ # Found |
|
| 66 |
++ break |
|
| 67 |
++ |
|
| 68 |
+ # Generate private key x |
|
| 69 |
+ if progress_func: |
|
| 70 |
+ progress_func('x\n')
|
| ... | ... |
@@ -4,12 +4,13 @@ |
| 4 | 4 |
Summary: The Python Cryptography Toolkit. |
| 5 | 5 |
Name: pycrypto |
| 6 | 6 |
Version: 2.6.1 |
| 7 |
-Release: 3%{?dist}
|
|
| 7 |
+Release: 4%{?dist}
|
|
| 8 | 8 |
License: Public Domain and Python |
| 9 | 9 |
URL: http://www.pycrypto.org/ |
| 10 | 10 |
Source0: https://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/%{name}-%{version}.tar.gz
|
| 11 | 11 |
%define sha1 pycrypto=aeda3ed41caf1766409d4efc689b9ca30ad6aeb2 |
| 12 | 12 |
Patch0: pycrypto-2.6.1-CVE-2013-7459.patch |
| 13 |
+Patch1: pycrypto-2.6.1-CVE-2018-6594.patch |
|
| 13 | 14 |
Group: Development/Tools |
| 14 | 15 |
Vendor: VMware, Inc. |
| 15 | 16 |
Distribution: Photon |
| ... | ... |
@@ -18,7 +19,7 @@ BuildRequires: python-setuptools |
| 18 | 18 |
BuildRequires: python2-devel |
| 19 | 19 |
Requires: python2 |
| 20 | 20 |
%description |
| 21 |
-This is a collection of both secure hash functions (such as SHA256 and RIPEMD160), and various encryption algorithms (AES, DES, RSA, ElGamal, etc.). |
|
| 21 |
+This is a collection of both secure hash functions (such as SHA256 and RIPEMD160), and various encryption algorithms (AES, DES, RSA, ElGamal, etc.). |
|
| 22 | 22 |
|
| 23 | 23 |
%package -n python3-pycrypto |
| 24 | 24 |
Summary: python3-pycrypto |
| ... | ... |
@@ -33,6 +34,7 @@ Python 3 version. |
| 33 | 33 |
%prep |
| 34 | 34 |
%setup -q |
| 35 | 35 |
%patch0 -p1 |
| 36 |
+%patch1 -p1 |
|
| 36 | 37 |
|
| 37 | 38 |
%build |
| 38 | 39 |
python2 setup.py build |
| ... | ... |
@@ -55,6 +57,8 @@ python3 setup.py test |
| 55 | 55 |
%{python3_sitelib}/*
|
| 56 | 56 |
|
| 57 | 57 |
%changelog |
| 58 |
+* Thu Nov 29 2018 Siju Maliakkal <smaliakkal@vmware.com> 2.6.1-4 |
|
| 59 |
+- Apply patch for CVE-2018-6594 |
|
| 58 | 60 |
* Thu Jul 20 2017 Anish Swaminathan <anishs@vmware.com> 2.6.1-3 |
| 59 | 61 |
- Apply patch for CVE-2013-7459 |
| 60 | 62 |
* Thu Jul 13 2017 Divya Thaluru <dthaluru@vmware.com> 2.6.1-2 |