File: 0013-Backport-of-fix-for-CVE-2018-6594-from-pycryptodome.patch

package info (click to toggle)
python-crypto 2.6.1-9
  • links: PTS, VCS
  • area: main
  • in suites: buster
  • size: 3,052 kB
  • sloc: ansic: 12,466; python: 10,478; sh: 35; makefile: 14
file content (71 lines) | stat: -rw-r--r-- 2,569 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
 
From: Paul Howarth <paul@city-fan.org>
Date: Fri, 23 Feb 2018 13:03:13 +0000
Subject: Backport of fix for CVE-2018-6594 from pycryptodome

When creating ElGamal keys, the generator wasn't a square residue: ElGamal
encryption done with those keys cannot be secure under the DDH assumption.

More details:
- https://github.com/TElgamal/attack-on-pycrypto-elgamal
- https://github.com/Legrandin/pycryptodome/issues/90
- https://github.com/dlitz/pycrypto/issues/253

This commit is a backport to pycrypto of Legrandin/pycryptodome@99c27a3b
Thanks to Weikeng Chen.
---
 lib/Crypto/PublicKey/ElGamal.py | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/lib/Crypto/PublicKey/ElGamal.py b/lib/Crypto/PublicKey/ElGamal.py
index 99af71c..d10c368 100644
--- a/lib/Crypto/PublicKey/ElGamal.py
+++ b/lib/Crypto/PublicKey/ElGamal.py
@@ -153,33 +153,33 @@ def generate(bits, randfunc, progress_func=None):
         if number.isPrime(obj.p, randfunc=randfunc):
             break
     # Generate generator g
-    # See Algorithm 4.80 in Handbook of Applied Cryptography
-    # Note that the order of the group is n=p-1=2q, where q is prime
     if progress_func:
         progress_func('g\n')
     while 1:
+        # Choose a square residue; it will generate a cyclic group of order q.
+        obj.g = pow(number.getRandomRange(2, obj.p, randfunc), 2, obj.p)
+
         # We must avoid g=2 because of Bleichenbacher's attack described
         # in "Generating ElGamal signatures without knowning the secret key",
         # 1996
-        #
-        obj.g = number.getRandomRange(3, obj.p, randfunc)
-        safe = 1
-        if pow(obj.g, 2, obj.p)==1:
-            safe=0
-        if safe and pow(obj.g, q, obj.p)==1:
-            safe=0
+        if obj.g in (1, 2):
+            continue
+
         # Discard g if it divides p-1 because of the attack described
         # in Note 11.67 (iii) in HAC
-        if safe and divmod(obj.p-1, obj.g)[1]==0:
-            safe=0
+        if (obj.p - 1) % obj.g == 0:
+            continue
+
         # g^{-1} must not divide p-1 because of Khadir's attack
         # described in "Conditions of the generator for forging ElGamal
         # signature", 2011
         ginv = number.inverse(obj.g, obj.p)
-        if safe and divmod(obj.p-1, ginv)[1]==0:
-            safe=0
-        if safe:
-            break
+        if (obj.p - 1) % ginv == 0:
+            continue
+
+        # Found
+        break
+
     # Generate private key x
     if progress_func:
         progress_func('x\n')