[python-crypto/el5] Fix insecure ElGamal key generation (#825165, CVE-2012-2417)

Paul Howarth pghmcfc at fedoraproject.org
Fri May 25 15:00:02 UTC 2012 

commit 38bbfd9677fac0845e903abd200de1119b5558ee
Author: Paul Howarth <paul at city-fan.org>
Date:   Fri May 25 14:55:03 2012 +0100

    Fix insecure ElGamal key generation (#825165, CVE-2012-2417)
    
    - Fix LP#985164: insecure ElGamal key generation (#825165, CVE-2012-2417)
    - Update URL
    - Fix shellbangs and permissions of installed files

 .gitignore                         |    3 +-
 pycrypto-2.0.1-CVE-2012-2417.patch |   90 ++++++++++++++++++++++++++++++++++++
 python-crypto.spec                 |   39 ++++++++++++----
 3 files changed, 120 insertions(+), 12 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index bc34bf7..0452e1b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1 @@
-pycrypto-2.0.1.tar.gz
-/pycrypto-2.0.1-hobbled.tar.gz
+/pycrypto-[0-9.-]*.tar.gz
diff --git a/pycrypto-2.0.1-CVE-2012-2417.patch b/pycrypto-2.0.1-CVE-2012-2417.patch
new file mode 100644
index 0000000..364caa7
--- /dev/null
+++ b/pycrypto-2.0.1-CVE-2012-2417.patch
@@ -0,0 +1,90 @@
+--- PublicKey/ElGamal.py
++++ PublicKey/ElGamal.py
+@@ -25,39 +25,54 @@
+     Generate an ElGamal key of length 'bits', using 'randfunc' to get
+     random data and 'progress_func', if present, to display
+     the progress of the key generation.
++
++    The key will be safe for use for both encryption and signature
++    (although it should be used for **only one** purpose).
++
+     """
+     obj=ElGamalobj()
+-    # Generate prime p
++    # Generate a safe prime p
++    # See Algorithm 4.86 in Handbook of Applied Cryptography
+     if progress_func:
+         progress_func('p\n')
+-    obj.p=bignum(getPrime(bits, randfunc))
+-    # Generate random number g
++    while 1:
++        q = bignum(getPrime(bits-1, randfunc))
++        obj.p = 2*q+1
++        if number.isPrime(obj.p, randfunc=randfunc):
++            break
++    # Generate generator g
++    # See Algorithm 4.80 in Handbook of Applied Cryptography
++    # Note that the order of the group is n=p-1=2q, where q is prime
+     if progress_func:
+         progress_func('g\n')
+-    size=bits-1-(ord(randfunc(1)) & 63) # g will be from 1--64 bits smaller than p
+-    if size<1:
+-        size=bits-1
+-    while (1):
+-        obj.g=bignum(getPrime(size, randfunc))
+-        if obj.g < obj.p:
++    while 1:
++        # We must avoid g=2 because of Bleichenbacher's attack described
++        # in "Generating ElGamal signatures without knowning the secret key",
++        # 1996
++        #
++        obj.g = number.getRandomRange(3, obj.p, randfunc)
++        safe = 1
++        if pow(obj.g, 2, obj.p)==1:
++            safe=0
++        if safe and pow(obj.g, q, obj.p)==1:
++            safe=0
++        # Discard g if it divides p-1 because of the attack described
++        # in Note 11.67 (iii) in HAC
++        if safe and divmod(obj.p-1, obj.g)[1]==0:
++            safe=0
++        # g^{-1} must not divide p-1 because of Khadir's attack
++        # described in "Conditions of the generator for forging ElGamal
++        # signature", 2011
++        ginv = number.inverse(obj.g, obj.p)
++        if safe and divmod(obj.p-1, ginv)[1]==0:
++            safe=0
++        if safe:
+             break
+-        size=(size+1) % bits
+-        if size==0:
+-            size=4
+-    # Generate random number x
++    # Generate private key x
+     if progress_func:
+         progress_func('x\n')
+-    while (1):
+-        size=bits-1-ord(randfunc(1)) # x will be from 1 to 256 bits smaller than p
+-        if size>2:
+-            break
+-    while (1):
+-        obj.x=bignum(getPrime(size, randfunc))
+-        if obj.x < obj.p:
+-            break
+-        size = (size+1) % bits
+-        if size==0:
+-            size=4
++    obj.x=number.getRandomRange(2, obj.p-1, randfunc)
++    # Generate public key y
+     if progress_func:
+         progress_func('y\n')
+     obj.y = pow(obj.g, obj.x, obj.p)
+@@ -105,6 +120,8 @@
+         return (a, b)
+ 
+     def _verify(self, M, sig):
++        if sig[0]<1 or sig[0]>p-1:
++            return 0
+         v1=pow(self.y, sig[0], self.p)
+         v1=(v1*pow(sig[0], sig[1], self.p)) % self.p
+         v2=pow(self.g, M, self.p)
diff --git a/python-crypto.spec b/python-crypto.spec
index de3804e..a27dfe6 100644
--- a/python-crypto.spec
+++ b/python-crypto.spec
@@ -4,10 +4,10 @@
 Summary:	Cryptography library for Python
 Name:		python-crypto
 Version:	2.0.1
-Release:	4%{?dist}.2
+Release:	5%{?dist}
 License:	Public Domain
 Group:		Development/Libraries
-URL:		http://www.amk.ca/python/code/crypto.html
+URL:		http://www.pycrypto.org/
 
 # The original tarball:
 #  http://www.amk.ca/files/python/crypto/pycrypto-2.0.1.tar.gz
@@ -18,10 +18,14 @@ Source:		pycrypto-2.0.1-hobbled.tar.gz
 
 # patch taken from 
 # http://gitweb2.dlitz.net/?p=crypto/pycrypto-2.x.git;a=commitdiff;h=d1c4875e1f220652fe7ff8358f56dee3b2aba31b
-Patch0: 	%{name}-fix_buffer_overflow.patch
+Patch0:		%{name}-fix_buffer_overflow.patch
 
 # Remove references to IDEA and RC5:
-Patch1:         python-crypto-hobble.patch
+Patch1:		python-crypto-hobble.patch
+
+# Backport to pycrypto 2.0.1 of:
+# https://github.com/Legrandin/pycrypto/commit/9f912f13df99ad3421eff360d6a62d7dbec755c2
+Patch2:		pycrypto-2.0.1-CVE-2012-2417.patch
 
 BuildRequires:	python >= 2.2
 BuildRequires:	python-devel >= 2.2
@@ -38,19 +42,29 @@ SHA), and various encryption algorithms (AES, DES, RSA, ElGamal, etc.).
 
 %prep
 %setup -n pycrypto-%{version} -q
-sed -i s:/lib:/%_lib:g setup.py
+
+# C source should not be executable
+find . -name '*.c' | xargs chmod -c -x
+
+# Remove redundant shellbang
+sed -i -e '/#!\/usr\/local\/bin\/python/d' Util/RFC1751.py
+
+# Fix setup.py for lib64 if necessary
+sed -i -e 's|/lib|/%_lib|g' setup.py
+
 %patch0 -b .patch0 -p1
 %patch1 -p1
+%patch2
 
 %build
 CFLAGS="$RPM_OPT_FLAGS" %{__python} setup.py build
 
-
 %install
 rm -rf $RPM_BUILD_ROOT
 %{__python} setup.py install -O1 --skip-build --root $RPM_BUILD_ROOT
-find -name "*.py"|xargs %{__perl} -pi -e "s:/usr/local/bin/python:%{__python}:"
 
+# Remove group write permissions on shared objects
+find %{buildroot}%{python_sitearch} -name '*.so' -exec chmod -c g-w {} \;
 
 %check
 %{__python} test.py
@@ -81,15 +95,20 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Fri May 25 2012 Paul Howarth <paul at city-fan.org> - 2.0.1-5
+- Fix LP#985164: insecure ElGamal key generation (#825165, CVE-2012-2417)
+- Update URL
+- Fix shellbangs and permissions of installed files
+
 * Wed Sep 22 2010 David Malcolm <dmalcolm at redhat.com> - 2.0.1-4.2
 - remove IDEA and RC5 implementations
 - add %%check section
 
 * Fri Feb 13 2009 Thorsten Leemhuis <fedora[AT]leemhuis[DOT]info> - 2.0.1-4.1
 - some improvements from fedora branch
--- add patch to fix #485298 / CVE-2009-0544
--- provide pycrypto
--- drop patch0 and fix libdir handling so it works on more arches than x86_64
+  - add patch to fix #485298 / CVE-2009-0544
+  - provide pycrypto
+  - drop patch0 and fix libdir handling so it works on more arches than x86_64
 
 * Thu Sep 07 2006 Thorsten Leemhuis <fedora[AT]leemhuis.info> - 2.0.1-4
 - Don't ghost pyo files (#205408)

More information about the scm-commits mailing list