Use subgroup order in ElGamal encryption (GH #1059, CVE-2021-40530)

weidai11 · Sep 24, 2021 · bee8e8c · bee8e8c · noloader · Sep 25, 2021
1 parent 20962ba
commit bee8e8c
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 4 deletions.
diff --git a/elgamal.h b/elgamal.h
@@ -251,17 +251,21 @@ struct DL_PrivateKey_ElGamal : public BASE
 ///  If you need to <tt>Load</tt> an ElGamal key with the wrong OID then
 ///  see <A HREF="https://www.cryptopp.com/wiki/ElGamal">ElGamal</A> on
 ///  the Crypto++ wiki.
+/// \details At Crypto++ 8.6 ElGamalKeys were changed to use DL_CryptoKeys_ElGamal
+///  due to Issue 1069 and CVE-2021-40530. DL_CryptoKeys_ElGamal group parameters
+///  use the subgroup order, and not an estimated work factor.
 /// \sa <A HREF="https://github.com/weidai11/cryptopp/issues/876">Issue 876</A>,
-///  <A HREF="https://github.com/weidai11/cryptopp/issues/567">Issue 567</A>
+///  <A HREF="https://github.com/weidai11/cryptopp/issues/567">Issue 567</A>,
+///  <A HREF="https://github.com/weidai11/cryptopp/issues/1059">Issue 1059</A>
 /// \since Crypto++ 1.0
 struct ElGamalKeys
 {
 	/// \brief Implements DL_GroupParameters interface
-	typedef DL_CryptoKeys_GFP::GroupParameters GroupParameters;
+	typedef DL_CryptoKeys_ElGamal::GroupParameters GroupParameters;
 	/// \brief Implements DL_PrivateKey interface
-	typedef DL_PrivateKey_ElGamal<DL_CryptoKeys_GFP::PrivateKey> PrivateKey;
+	typedef DL_PrivateKey_ElGamal<DL_CryptoKeys_ElGamal::PrivateKey> PrivateKey;
 	/// \brief Implements DL_PublicKey interface
-	typedef DL_PublicKey_ElGamal<DL_CryptoKeys_GFP::PublicKey> PublicKey;
+	typedef DL_PublicKey_ElGamal<DL_CryptoKeys_ElGamal::PublicKey> PublicKey;
 };
 
 /// \brief ElGamal encryption scheme with non-standard padding

diff --git a/gfpcrypt.h b/gfpcrypt.h
@@ -282,6 +282,24 @@ class CRYPTOPP_DLL DL_GroupParameters_GFP_DefaultSafePrime : public DL_GroupPara
     unsigned int GetDefaultSubgroupOrderSize(unsigned int modulusSize) const {return modulusSize-1;}
 };
 
+/// ElGamal encryption due to due to ElGamal safe interop
+/// \sa <A HREF="https://eprint.iacr.org/2021/923.pdf">On the
+///  (in)security of ElGamal in OpenPGP</A>,
+///  <A HREF="https://github.com/weidai11/cryptopp/issues/1059">Issue 1059</A>,
+///  <A HREF="https://nvd.nist.gov/vuln/detail/CVE-2021-40530">CVE-2021-40530</A>
+class CRYPTOPP_DLL DL_GroupParameters_ElGamal : public DL_GroupParameters_GFP_DefaultSafePrime
+{
+public:
+    typedef NoCofactorMultiplication DefaultCofactorOption;
+
+    virtual ~DL_GroupParameters_ElGamal() {}
+
+	Integer GetMaxExponent() const
+	{
+		return GetSubgroupOrder()-1;
+	}
+};
+
 /// \brief GDSA algorithm
 /// \tparam T FieldElement type or class
 /// \details FieldElement <tt>T</tt> can be Integer, ECP or EC2N.
@@ -668,6 +686,18 @@ struct DL_CryptoKeys_GFP
     typedef DL_PrivateKey_GFP<GroupParameters> PrivateKey;
 };
 
+/// ElGamal encryption keys due to ElGamal safe interop
+/// \sa <A HREF="https://eprint.iacr.org/2021/923.pdf">On the
+///  (in)security of ElGamal in OpenPGP</A>,
+///  <A HREF="https://github.com/weidai11/cryptopp/issues/1059">Issue 1059</A>,
+///  <A HREF="https://nvd.nist.gov/vuln/detail/CVE-2021-40530">CVE-2021-40530</A>
+struct DL_CryptoKeys_ElGamal
+{
+    typedef DL_GroupParameters_ElGamal GroupParameters;
+    typedef DL_PublicKey_GFP<GroupParameters> PublicKey;
+    typedef DL_PrivateKey_GFP<GroupParameters> PrivateKey;
+};
+
 /// \brief DSA signature scheme
 /// \tparam H HashTransformation derived class
 /// \sa <a href="http://www.weidai.com/scan-mirror/sig.html#DSA-1363">DSA-1363</a>