Change-Id: Ie2043989e5f11a3ebfd87c648ef5116c1bc45ed8
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6259
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Sharath George
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,72 @@ |
0 |
+From 2f6c124e127b5dd98723e7e75a9825c4ed8bd5c7 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Paul Howarth <paul@city-fan.org> |
|
2 |
+Date: Fri, 23 Feb 2018 13:03:13 +0000 |
|
3 |
+Subject: [PATCH] Backport of fix for CVE-2018-6594 from pycryptodome |
|
4 |
+ |
|
5 |
+When creating ElGamal keys, the generator wasn't a square residue: ElGamal |
|
6 |
+encryption done with those keys cannot be secure under the DDH assumption. |
|
7 |
+ |
|
8 |
+More details: |
|
9 |
+- https://github.com/TElgamal/attack-on-pycrypto-elgamal |
|
10 |
+- https://github.com/Legrandin/pycryptodome/issues/90 |
|
11 |
+- https://github.com/dlitz/pycrypto/issues/253 |
|
12 |
+ |
|
13 |
+This commit is a backport to pycrypto of Legrandin/pycryptodome@99c27a3b |
|
14 |
+Thanks to Weikeng Chen. |
|
15 |
+--- |
|
16 |
+ lib/Crypto/PublicKey/ElGamal.py | 30 +++++++++++++++--------------- |
|
17 |
+ 1 file changed, 15 insertions(+), 15 deletions(-) |
|
18 |
+ |
|
19 |
+diff --git a/lib/Crypto/PublicKey/ElGamal.py b/lib/Crypto/PublicKey/ElGamal.py |
|
20 |
+index 0ab07fc8..064e42bf 100644 |
|
21 |
+--- a/lib/Crypto/PublicKey/ElGamal.py |
|
22 |
+@@ -154,33 +154,33 @@ def generate(bits, randfunc, progress_func=None): |
|
23 |
+ if number.isPrime(obj.p, randfunc=randfunc): |
|
24 |
+ break |
|
25 |
+ # Generate generator g |
|
26 |
+- # See Algorithm 4.80 in Handbook of Applied Cryptography |
|
27 |
+- # Note that the order of the group is n=p-1=2q, where q is prime |
|
28 |
+ if progress_func: |
|
29 |
+ progress_func('g\n') |
|
30 |
+ while 1: |
|
31 |
++ # Choose a square residue; it will generate a cyclic group of order q. |
|
32 |
++ obj.g = pow(number.getRandomRange(2, obj.p, randfunc), 2, obj.p) |
|
33 |
++ |
|
34 |
+ # We must avoid g=2 because of Bleichenbacher's attack described |
|
35 |
+ # in "Generating ElGamal signatures without knowning the secret key", |
|
36 |
+ # 1996 |
|
37 |
+- # |
|
38 |
+- obj.g = number.getRandomRange(3, obj.p, randfunc) |
|
39 |
+- safe = 1 |
|
40 |
+- if pow(obj.g, 2, obj.p)==1: |
|
41 |
+- safe=0 |
|
42 |
+- if safe and pow(obj.g, q, obj.p)==1: |
|
43 |
+- safe=0 |
|
44 |
++ if obj.g in (1, 2): |
|
45 |
++ continue |
|
46 |
++ |
|
47 |
+ # Discard g if it divides p-1 because of the attack described |
|
48 |
+ # in Note 11.67 (iii) in HAC |
|
49 |
+- if safe and divmod(obj.p-1, obj.g)[1]==0: |
|
50 |
+- safe=0 |
|
51 |
++ if (obj.p - 1) % obj.g == 0: |
|
52 |
++ continue |
|
53 |
++ |
|
54 |
+ # g^{-1} must not divide p-1 because of Khadir's attack |
|
55 |
+ # described in "Conditions of the generator for forging ElGamal |
|
56 |
+ # signature", 2011 |
|
57 |
+ ginv = number.inverse(obj.g, obj.p) |
|
58 |
+- if safe and divmod(obj.p-1, ginv)[1]==0: |
|
59 |
+- safe=0 |
|
60 |
+- if safe: |
|
61 |
+- break |
|
62 |
++ if (obj.p - 1) % ginv == 0: |
|
63 |
++ continue |
|
64 |
++ |
|
65 |
++ # Found |
|
66 |
++ break |
|
67 |
++ |
|
68 |
+ # Generate private key x |
|
69 |
+ if progress_func: |
|
70 |
+ progress_func('x\n') |
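Review bot: The new guard `if obj.g in (1, 2): continue` rejects g=1 as well as g=2, but the comment above it only explains the g=2 case (Bleichenbacher); a line such as `# g == 1 (e.g. the drawn value was p-1) generates only the trivial group` would make the check self-explanatory. Since g is now a square by construction, it should satisfy `pow(obj.g, q, obj.p) == 1` for the `q` that the removed lines used, and a key-generation test asserting exactly that would pin the CVE-2018-6594 fix against regressions. The change only affects keys generated after the patch is applied: ElGamal keys already produced by the unpatched generate() keep their old generator and need to be regenerated, which is worth saying in the release notes. The body of generate() starts and ends outside this hunk, so how `q` is derived is inferred from the removed lines.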
... | ... |
@@ -4,12 +4,13 @@ |
4 | 4 |
Summary: The Python Cryptography Toolkit. |
5 | 5 |
Name: pycrypto |
6 | 6 |
Version: 2.6.1 |
7 |
-Release: 3%{?dist} |
|
7 |
+Release: 4%{?dist} |
|
8 | 8 |
License: Public Domain and Python |
9 | 9 |
URL: http://www.pycrypto.org/ |
10 | 10 |
Source0: https://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/%{name}-%{version}.tar.gz |
11 | 11 |
%define sha1 pycrypto=aeda3ed41caf1766409d4efc689b9ca30ad6aeb2 |
12 | 12 |
Patch0: pycrypto-2.6.1-CVE-2013-7459.patch |
13 |
+Patch1: pycrypto-2.6.1-CVE-2018-6594.patch |
|
13 | 14 |
Group: Development/Tools |
14 | 15 |
Vendor: VMware, Inc. |
15 | 16 |
Distribution: Photon |
... | ... |
@@ -18,7 +19,7 @@ BuildRequires: python-setuptools |
18 | 18 |
BuildRequires: python2-devel |
19 | 19 |
Requires: python2 |
20 | 20 |
%description |
21 |
-This is a collection of both secure hash functions (such as SHA256 and RIPEMD160), and various encryption algorithms (AES, DES, RSA, ElGamal, etc.). |
|
21 |
+This is a collection of both secure hash functions (such as SHA256 and RIPEMD160), and various encryption algorithms (AES, DES, RSA, ElGamal, etc.). |
|
22 | 22 |
|
23 | 23 |
%package -n python3-pycrypto |
24 | 24 |
Summary: python3-pycrypto |
... | ... |
@@ -33,6 +34,7 @@ Python 3 version. |
33 | 33 |
%prep |
34 | 34 |
%setup -q |
35 | 35 |
%patch0 -p1 |
36 |
+%patch1 -p1 |
|
36 | 37 |
|
37 | 38 |
%build |
38 | 39 |
python2 setup.py build |
... | ... |
@@ -55,6 +57,8 @@ python3 setup.py test |
55 | 55 |
%{python3_sitelib}/* |
56 | 56 |
|
57 | 57 |
%changelog |
58 |
+* Thu Nov 29 2018 Siju Maliakkal <smaliakkal@vmware.com> 2.6.1-4 |
|
59 |
+- Apply patch for CVE-2018-6594 |
|
58 | 60 |
* Thu Jul 20 2017 Anish Swaminathan <anishs@vmware.com> 2.6.1-3 |
59 | 61 |
- Apply patch for CVE-2013-7459 |
60 | 62 |
* Thu Jul 13 2017 Divya Thaluru <dthaluru@vmware.com> 2.6.1-2 |