Backport of fix for CVE-2018-6594 from pycryptodome

When creating ElGamal keys, the generator wasn't a square residue: ElGamal encryption done with those keys cannot be secure under the DDH assumption - https://bugzilla.redhat.com/show_bug.cgi?id=1542313 (CVE-2018-6594) - https://github.com/TElgamal/attack-on-pycrypto-elgamal - https://github.com/Legrandin/pycryptodome/issues/90 - https://github.com/dlitz/pycrypto/issues/253 - https://github.com/dlitz/pycrypto/pull/256
7 years ago · cd23639643
parent bb64be5a65
commit cd23639643
2 changed files with 74 additions and 1 deletions
--- a/pycrypto-2.6.1-CVE-2018-6594.patch
+++ b/pycrypto-2.6.1-CVE-2018-6594.patch
@ -0,0 +1,51 @@
+--- lib/Crypto/PublicKey/ElGamal.py
+++ lib/Crypto/PublicKey/ElGamal.py
+@@ -153,33 +153,33 @@ def generate(bits, randfunc, progress_fu
+         if number.isPrime(obj.p, randfunc=randfunc):
+             break
+     # Generate generator g
+-    # See Algorithm 4.80 in Handbook of Applied Cryptography
+-    # Note that the order of the group is n=p-1=2q, where q is prime
+     if progress_func:
+         progress_func('g\n')
+     while 1:
+        # Choose a square residue; it will generate a cyclic group of order q.
+        obj.g = pow(number.getRandomRange(2, obj.p, randfunc), 2, obj.p)
+
+         # We must avoid g=2 because of Bleichenbacher's attack described
+         # in "Generating ElGamal signatures without knowning the secret key",
+         # 1996
+-        #
+-        obj.g = number.getRandomRange(3, obj.p, randfunc)
+-        safe = 1
+-        if pow(obj.g, 2, obj.p)==1:
+-            safe=0
+-        if safe and pow(obj.g, q, obj.p)==1:
+-            safe=0
+        if obj.g in (1, 2):
+            continue
+
+         # Discard g if it divides p-1 because of the attack described
+         # in Note 11.67 (iii) in HAC
+-        if safe and divmod(obj.p-1, obj.g)[1]==0:
+-            safe=0
+        if (obj.p - 1) % obj.g == 0:
+            continue
+
+         # g^{-1} must not divide p-1 because of Khadir's attack
+         # described in "Conditions of the generator for forging ElGamal
+         # signature", 2011
+         ginv = number.inverse(obj.g, obj.p)
+-        if safe and divmod(obj.p-1, ginv)[1]==0:
+-            safe=0
+-        if safe:
+-            break
+        if (obj.p - 1) % ginv == 0:
+            continue
+
+        # Found
+        break
+
+     # Generate private key x
+     if progress_func:
+         progress_func('x\n')
--- a/python-crypto.spec
+++ b/python-crypto.spec
@ -10,7 +10,7 @@
 Summary:	Cryptography library for Python
 Name:		python-crypto
 Version:	2.6.1
-Release:	21%{?dist}
+Release:	22%{?dist}
 # Mostly Public Domain apart from parts of HMAC.py and setup.py, which are Python
 License:	Public Domain and Python
 URL:		http://www.pycrypto.org/
@ -20,6 +20,7 @@ Patch1:		python-crypto-2.4-fix-pubkey-size-divisions.patch
 Patch2:		pycrypto-2.6.1-CVE-2013-7459.patch
 Patch3:		pycrypto-2.6.1-unbundle-libtomcrypt.patch
 Patch4:		python-crypto-2.6.1-link.patch
+Patch5:		pycrypto-2.6.1-CVE-2018-6594.patch
 BuildRequires:	coreutils
 BuildRequires:	findutils
 BuildRequires:	gcc
@ -75,6 +76,18 @@ rm -rf src/libtom
 # log() not available in libgmp, need libm too
 %patch4

+# When creating ElGamal keys, the generator wasn't a square residue: ElGamal
+# encryption done with those keys cannot be secure under the DDH assumption
+# https://bugzilla.redhat.com/show_bug.cgi?id=1542313 (CVE-2018-6594)
+# https://github.com/TElgamal/attack-on-pycrypto-elgamal
+# https://github.com/Legrandin/pycryptodome/issues/90
+# https://github.com/dlitz/pycrypto/issues/253
+# Patch based on this commit from cryptodome:
+# https://github.com/Legrandin/pycryptodome/commit/99c27a3b
+# Converted to pull request for pycrypto:
+# https://github.com/dlitz/pycrypto/pull/256
+%patch5
+
 # setup.py doesn't run 2to3 on pct-speedtest.py
 cp pct-speedtest.py pct-speedtest3.py
 2to3 -wn pct-speedtest3.py
@ -113,6 +126,15 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} pct-speedtest3.py
 %{python3_sitearch}/pycrypto-%{version}-py3.*.egg-info

 %changelog
+* Fri Feb 23 2018 Paul Howarth <paul@city-fan.org> - 2.6.1-22
+- When creating ElGamal keys, the generator wasn't a square residue: ElGamal
+  encryption done with those keys cannot be secure under the DDH assumption
+  https://bugzilla.redhat.com/show_bug.cgi?id=1542313 (CVE-2018-6594)
+  https://github.com/TElgamal/attack-on-pycrypto-elgamal
+  https://github.com/Legrandin/pycryptodome/issues/90
+  https://github.com/dlitz/pycrypto/issues/253
+  https://github.com/dlitz/pycrypto/pull/256
+
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-21
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild