From 5788e9a25cd35695a4fa5af4132632ddc0c92550 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Sep 27 2022 20:06:29 +0000
Subject: import libgcrypt-1.8.5-7.el8_6


---

diff --git a/SOURCES/libgcrypt-1.8.5-elgamal-blinding.patch b/SOURCES/libgcrypt-1.8.5-elgamal-blinding.patch
new file mode 100644
index 0000000..ea4496b
--- /dev/null
+++ b/SOURCES/libgcrypt-1.8.5-elgamal-blinding.patch
@@ -0,0 +1,67 @@
+commit e8b7f10be275bcedb5fc05ed4837a89bfd605c61
+Author: NIIBE Yutaka <gniibe@fsij.org>
+Date:   Tue Apr 13 10:00:00 2021 +0900
+
+    cipher: Hardening ElGamal by introducing exponent blinding too.
+    
+    * cipher/elgamal.c (do_encrypt): Also do exponent blinding.
+    
+    --
+    
+    Base blinding had been introduced with USE_BLINDING.  This patch add
+    exponent blinding as well to mitigate side-channel attack on mpi_powm.
+    
+    GnuPG-bug-id: 5328
+    Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+
+diff --git a/cipher/elgamal.c b/cipher/elgamal.c
+index 4eb52d62..9835122f 100644
+--- a/cipher/elgamal.c
++++ b/cipher/elgamal.c
+@@ -522,8 +522,9 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
+ static void
+ decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey )
+ {
+-  gcry_mpi_t t1, t2, r;
++  gcry_mpi_t t1, t2, r, r1, h;
+   unsigned int nbits = mpi_get_nbits (skey->p);
++  gcry_mpi_t x_blind;
+ 
+   mpi_normalize (a);
+   mpi_normalize (b);
+@@ -534,20 +535,33 @@ decrypt (gcry_mpi_t output, gcry_mpi_t a, gcry_mpi_t b, ELG_secret_key *skey )
+ 
+   t2 = mpi_snew (nbits);
+   r  = mpi_new (nbits);
++  r1 = mpi_new (nbits);
++  h  = mpi_new (nbits);
++  x_blind = mpi_snew (nbits);
+ 
+   /* We need a random number of about the prime size.  The random
+      number merely needs to be unpredictable; thus we use level 0.  */
+   _gcry_mpi_randomize (r, nbits, GCRY_WEAK_RANDOM);
+ 
++  /* Also, exponent blinding: x_blind = x + (p-1)*r1 */
++  _gcry_mpi_randomize (r1, nbits, GCRY_WEAK_RANDOM);
++  mpi_set_highbit (r1, nbits - 1);
++  mpi_sub_ui (h, skey->p, 1);
++  mpi_mul (x_blind, h, r1);
++  mpi_add (x_blind, skey->x, x_blind);
++
+   /* t1 = r^x mod p */
+-  mpi_powm (t1, r, skey->x, skey->p);
++  mpi_powm (t1, r, x_blind, skey->p);
+   /* t2 = (a * r)^-x mod p */
+   mpi_mulm (t2, a, r, skey->p);
+-  mpi_powm (t2, t2, skey->x, skey->p);
++  mpi_powm (t2, t2, x_blind, skey->p);
+   mpi_invm (t2, t2, skey->p);
+   /* t1 = (t1 * t2) mod p*/
+   mpi_mulm (t1, t1, t2, skey->p);
+ 
++  mpi_free (x_blind);
++  mpi_free (h);
++  mpi_free (r1);
+   mpi_free (r);
+   mpi_free (t2);
+ 
diff --git a/SOURCES/libgcrypt-1.9.3-CVE-2021-33560.patch b/SOURCES/libgcrypt-1.9.3-CVE-2021-33560.patch
deleted file mode 100644
index 2161840..0000000
--- a/SOURCES/libgcrypt-1.9.3-CVE-2021-33560.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-commit 3462280f2e23e16adf3ed5176e0f2413d8861320
-Author: NIIBE Yutaka <gniibe@fsij.org>
-Date:   Fri May 21 11:15:07 2021 +0900
-
-    cipher: Fix ElGamal encryption for other implementations.
-    
-    * cipher/elgamal.c (gen_k): Remove support of smaller K.
-    (do_encrypt): Never use smaller K.
-    (sign): Folllow the change of gen_k.
-    
-    --
-    
-    Cherry-pick master commit of:
-            632d80ef30e13de6926d503aa697f92b5dbfbc5e
-    
-    This change basically reverts encryption changes in two commits:
-    
-            74386120dad6b3da62db37f7044267c8ef34689b
-            78531373a342aeb847950f404343a05e36022065
-    
-    Use of smaller K for ephemeral key in ElGamal encryption is only good,
-    when we can guarantee that recipient's key is generated by our
-    implementation (or compatible).
-    
-    For detail, please see:
-    
-        Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
-        "On the (in)security of ElGamal in OpenPGP";
-        in the proceedings of  CCS'2021.
-    
-    CVE-id: CVE-2021-33560
-    GnuPG-bug-id: 5328
-    Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
-    Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
-
-diff --git a/cipher/elgamal.c b/cipher/elgamal.c
-index 9835122f..eead4502 100644
---- a/cipher/elgamal.c
-+++ b/cipher/elgamal.c
-@@ -66,7 +66,7 @@ static const char *elg_names[] =
- 
- 
- static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
--static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
-+static gcry_mpi_t gen_k (gcry_mpi_t p);
- static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
-                                  gcry_mpi_t **factors);
- static int  check_secret_key (ELG_secret_key *sk);
-@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
- 
- /****************
-  * Generate a random secret exponent k from prime p, so that k is
-- * relatively prime to p-1.  With SMALL_K set, k will be selected for
-- * better encryption performance - this must never be used signing!
-+ * relatively prime to p-1.
-  */
- static gcry_mpi_t
--gen_k( gcry_mpi_t p, int small_k )
-+gen_k( gcry_mpi_t p )
- {
-   gcry_mpi_t k = mpi_alloc_secure( 0 );
-   gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
-@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
-   unsigned int nbits, nbytes;
-   char *rndbuf = NULL;
- 
--  if (small_k)
--    {
--      /* Using a k much lesser than p is sufficient for encryption and
--       * it greatly improves the encryption performance.  We use
--       * Wiener's table and add a large safety margin. */
--      nbits = wiener_map( orig_nbits ) * 3 / 2;
--      if( nbits >= orig_nbits )
--        BUG();
--    }
--  else
--    nbits = orig_nbits;
--
-+  nbits = orig_nbits;
- 
-   nbytes = (nbits+7)/8;
-   if( DBG_CIPHER )
-@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
-    * error code.
-    */
- 
--  k = gen_k( pkey->p, 1 );
-+  k = gen_k( pkey->p );
-   mpi_powm (a, pkey->g, k, pkey->p);
- 
-   /* b = (y^k * input) mod p
-@@ -608,7 +596,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
-     *
-     */
-     mpi_sub_ui(p_1, p_1, 1);
--    k = gen_k( skey->p, 0 /* no small K ! */ );
-+    k = gen_k( skey->p );
-     mpi_powm( a, skey->g, k, skey->p );
-     mpi_mul(t, skey->x, a );
-     mpi_subm(t, input, t, p_1 );
diff --git a/SOURCES/libgcrypt-1.9.3-CVE-2021-40528.patch b/SOURCES/libgcrypt-1.9.3-CVE-2021-40528.patch
new file mode 100644
index 0000000..2161840
--- /dev/null
+++ b/SOURCES/libgcrypt-1.9.3-CVE-2021-40528.patch
@@ -0,0 +1,100 @@
+commit 3462280f2e23e16adf3ed5176e0f2413d8861320
+Author: NIIBE Yutaka <gniibe@fsij.org>
+Date:   Fri May 21 11:15:07 2021 +0900
+
+    cipher: Fix ElGamal encryption for other implementations.
+    
+    * cipher/elgamal.c (gen_k): Remove support of smaller K.
+    (do_encrypt): Never use smaller K.
+    (sign): Folllow the change of gen_k.
+    
+    --
+    
+    Cherry-pick master commit of:
+            632d80ef30e13de6926d503aa697f92b5dbfbc5e
+    
+    This change basically reverts encryption changes in two commits:
+    
+            74386120dad6b3da62db37f7044267c8ef34689b
+            78531373a342aeb847950f404343a05e36022065
+    
+    Use of smaller K for ephemeral key in ElGamal encryption is only good,
+    when we can guarantee that recipient's key is generated by our
+    implementation (or compatible).
+    
+    For detail, please see:
+    
+        Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
+        "On the (in)security of ElGamal in OpenPGP";
+        in the proceedings of  CCS'2021.
+    
+    CVE-id: CVE-2021-33560
+    GnuPG-bug-id: 5328
+    Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
+    Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+
+diff --git a/cipher/elgamal.c b/cipher/elgamal.c
+index 9835122f..eead4502 100644
+--- a/cipher/elgamal.c
++++ b/cipher/elgamal.c
+@@ -66,7 +66,7 @@ static const char *elg_names[] =
+ 
+ 
+ static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
+-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
++static gcry_mpi_t gen_k (gcry_mpi_t p);
+ static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
+                                  gcry_mpi_t **factors);
+ static int  check_secret_key (ELG_secret_key *sk);
+@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
+ 
+ /****************
+  * Generate a random secret exponent k from prime p, so that k is
+- * relatively prime to p-1.  With SMALL_K set, k will be selected for
+- * better encryption performance - this must never be used signing!
++ * relatively prime to p-1.
+  */
+ static gcry_mpi_t
+-gen_k( gcry_mpi_t p, int small_k )
++gen_k( gcry_mpi_t p )
+ {
+   gcry_mpi_t k = mpi_alloc_secure( 0 );
+   gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
+@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
+   unsigned int nbits, nbytes;
+   char *rndbuf = NULL;
+ 
+-  if (small_k)
+-    {
+-      /* Using a k much lesser than p is sufficient for encryption and
+-       * it greatly improves the encryption performance.  We use
+-       * Wiener's table and add a large safety margin. */
+-      nbits = wiener_map( orig_nbits ) * 3 / 2;
+-      if( nbits >= orig_nbits )
+-        BUG();
+-    }
+-  else
+-    nbits = orig_nbits;
+-
++  nbits = orig_nbits;
+ 
+   nbytes = (nbits+7)/8;
+   if( DBG_CIPHER )
+@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
+    * error code.
+    */
+ 
+-  k = gen_k( pkey->p, 1 );
++  k = gen_k( pkey->p );
+   mpi_powm (a, pkey->g, k, pkey->p);
+ 
+   /* b = (y^k * input) mod p
+@@ -608,7 +596,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
+     *
+     */
+     mpi_sub_ui(p_1, p_1, 1);
+-    k = gen_k( skey->p, 0 /* no small K ! */ );
++    k = gen_k( skey->p );
+     mpi_powm( a, skey->g, k, skey->p );
+     mpi_mul(t, skey->x, a );
+     mpi_subm(t, input, t, p_1 );
diff --git a/SPECS/libgcrypt.spec b/SPECS/libgcrypt.spec
index 52437c7..7c5de9f 100644
--- a/SPECS/libgcrypt.spec
+++ b/SPECS/libgcrypt.spec
@@ -1,6 +1,6 @@
 Name: libgcrypt
 Version: 1.8.5
-Release: 6%{?dist}
+Release: 7%{?dist}
 URL: http://www.gnupg.org/
 Source0: libgcrypt-%{version}-hobbled.tar.xz
 # The original libgcrypt sources now contain potentially patented ECC
@@ -61,12 +61,14 @@ Patch34: libgcrypt-1.8.5-ppc-crc32.patch
 Patch35: libgcrypt-1.8.5-ppc-bugfix.patch
 # ppc64 performance AES-GCM (#1855231)
 Patch36: libgcrypt-1.8.5-ppc-aes-gcm.patch
-# ppc64 performance AES-GCM (#1855231)
-Patch37: libgcrypt-1.9.3-CVE-2021-33560.patch
+# Fix elgamal cross-configuration (CVE-2021-40528)
+Patch37: libgcrypt-1.9.3-CVE-2021-40528.patch
 # We can use HW optimizations in FIPS (#1976137)
 Patch38: libgcrypt-1.8.5-fips-hwfeatures.patch
 # ppc64 performance chacha20 and poly1305 (#1855231)
 Patch39: libgcrypt-1.8.5-ppc-chacha20-poly1305.patch
+# Fix CVE-2021-33560 (elgamal blinding)
+Patch40: libgcrypt-1.8.5-elgamal-blinding.patch
 
 %define gcrylibdir %{_libdir}
 
@@ -124,9 +126,10 @@ applications using libgcrypt.
 %patch34 -p1 -b .ppc-crc32
 %patch35 -p1 -b .ppc-bugfix
 %patch36 -p1 -b .ppc-aes-gcm
-%patch37 -p1 -b .CVE-2021-33560
+%patch37 -p1 -b .CVE-2021-40528
 %patch38 -p1 -b .hw-fips
 %patch39 -p1 -b .ppc-chacha
+%patch40 -p1 -b .elgamal-blinding
 
 cp %{SOURCE4} cipher/
 cp %{SOURCE5} %{SOURCE6} tests/
@@ -242,8 +245,11 @@ exit 0
 %license COPYING
 
 %changelog
+* Tue Apr 05 2022 Jakub Jelen <jjelen@redhat.com> - 1.8.5-7
+- Fix CVE-2021-33560 (#2018525)
+
 * Mon Jun 28 2021 Jakub Jelen <jjelen@redhat.com> - 1.8.5-6
-- Fix for CVE-2021-33560 (#1971421)
+- Fix for CVE-2021-40528 (#1971421)
 - Enable HW optimizations in FIPS (#1976137)
 - Performance enchancements for ChaCha20 and Poly1305 (#1855231)