summaryrefslogtreecommitdiffstats
path: root/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch
diff options
context:
space:
mode:
Diffstat (limited to 'recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch')
-rw-r--r--recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch63
1 files changed, 63 insertions, 0 deletions
diff --git a/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch b/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch
new file mode 100644
index 0000000..f066774
--- /dev/null
+++ b/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch
@@ -0,0 +1,63 @@
1From e2202ff2b704623efc6277fb5256e4e15bac5676 Mon Sep 17 00:00:00 2001
2From: Werner Koch <wk@gnupg.org>
3Date: Thu, 25 Jul 2013 11:17:52 +0200
4Subject: [PATCH] Mitigate a flush+reload cache attack on RSA secret
5 exponents.
6
7commit e2202ff2b704623efc6277fb5256e4e15bac5676 from
8git://git.gnupg.org/libgcrypt.git
9
10* mpi/mpi-pow.c (gcry_mpi_powm): Always perfrom the mpi_mul for
11exponents in secure memory.
12
13Upstream-Status: Backport
14CVE: CVE-2013-4242
15
16Signed-off-by: Kai Kang <kai.kang@windriver.com>
17--
18
19The attack is published as http://eprint.iacr.org/2013/448 :
20
21Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel
22Attack by Yuval Yarom and Katrina Falkner. 18 July 2013.
23
24 Flush+Reload is a cache side-channel attack that monitors access to
25 data in shared pages. In this paper we demonstrate how to use the
26 attack to extract private encryption keys from GnuPG. The high
27 resolution and low noise of the Flush+Reload attack enables a spy
28 program to recover over 98% of the bits of the private key in a
29 single decryption or signing round. Unlike previous attacks, the
30 attack targets the last level L3 cache. Consequently, the spy
31 program and the victim do not need to share the execution core of
32 the CPU. The attack is not limited to a traditional OS and can be
33 used in a virtualised environment, where it can attack programs
34 executing in a different VM.
35
36Index: gnupg-1.4.7/mpi/mpi-pow.c
37===================================================================
38--- gnupg-1.4.7.orig/mpi/mpi-pow.c
39+++ gnupg-1.4.7/mpi/mpi-pow.c
40@@ -212,7 +212,13 @@ mpi_powm( MPI res, MPI base, MPI exponen
41 tp = rp; rp = xp; xp = tp;
42 rsize = xsize;
43
44- if( (mpi_limb_signed_t)e < 0 ) {
45+ /* To mitigate the Yarom/Falkner flush+reload cache
46+ * side-channel attack on the RSA secret exponent, we do
47+ * the multiplication regardless of the value of the
48+ * high-bit of E. But to avoid this performance penalty
49+ * we do it only if the exponent has been stored in secure
50+ * memory and we can thus assume it is a secret exponent. */
51+ if (esec || (mpi_limb_signed_t)e < 0) {
52 /*mpihelp_mul( xp, rp, rsize, bp, bsize );*/
53 if( bsize < KARATSUBA_THRESHOLD ) {
54 mpihelp_mul( xp, rp, rsize, bp, bsize );
55@@ -227,6 +233,8 @@ mpi_powm( MPI res, MPI base, MPI exponen
56 mpihelp_divrem(xp + msize, 0, xp, xsize, mp, msize);
57 xsize = msize;
58 }
59+ }
60+ if ( (mpi_limb_signed_t)e < 0 ) {
61
62 tp = rp; rp = xp; xp = tp;
63 rsize = xsize;