diff options
| author | Kai Kang <kai.kang@windriver.com> | 2014-10-15 15:16:31 +0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-10-23 21:43:15 +0100 |
| commit | 313864bf528696a72c3ee6b3dec1a0c7b0b223f6 (patch) | |
| tree | 4dc453e8e80aad12a3c1f1b9b8542a92ea2dcf07 | |
| parent | e93f9a838260100ece7cac36f01e42e321e6414b (diff) | |
| download | poky-313864bf528696a72c3ee6b3dec1a0c7b0b223f6.tar.gz | |
gnupg: CVE-2013-4242
GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x
and possibly other products, allows local users to obtain private RSA
keys via a cache side-channel attack involving the L3 cache, aka
Flush+Reload.
Patch from commit e2202ff2b704623efc6277fb5256e4e15bac5676 in
git://git.gnupg.org/libgcrypt.git
(From OE-Core rev: 0692743b51f7daa0154fd4d8982236b4702ea2da)
Signed-off-by: Yong Zhang <yong.zhang@windriver.com>
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch | 62 | ||||
| -rw-r--r-- | meta/recipes-support/gnupg/gnupg_1.4.7.bb | 1 |
2 files changed, 63 insertions, 0 deletions
diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch new file mode 100644 index 0000000000..c9addca28e --- /dev/null +++ b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch | |||
| @@ -0,0 +1,62 @@ | |||
| 1 | From e2202ff2b704623efc6277fb5256e4e15bac5676 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Werner Koch <wk@gnupg.org> | ||
| 3 | Date: Thu, 25 Jul 2013 11:17:52 +0200 | ||
| 4 | Subject: [PATCH] Mitigate a flush+reload cache attack on RSA secret | ||
| 5 | exponents. | ||
| 6 | |||
| 7 | commit e2202ff2b704623efc6277fb5256e4e15bac5676 from | ||
| 8 | git://git.gnupg.org/libgcrypt.git | ||
| 9 | |||
| 10 | * mpi/mpi-pow.c (gcry_mpi_powm): Always perfrom the mpi_mul for | ||
| 11 | exponents in secure memory. | ||
| 12 | |||
| 13 | Upstream-Status: Backport | ||
| 14 | |||
| 15 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
| 16 | -- | ||
| 17 | |||
| 18 | The attack is published as http://eprint.iacr.org/2013/448 : | ||
| 19 | |||
| 20 | Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel | ||
| 21 | Attack by Yuval Yarom and Katrina Falkner. 18 July 2013. | ||
| 22 | |||
| 23 | Flush+Reload is a cache side-channel attack that monitors access to | ||
| 24 | data in shared pages. In this paper we demonstrate how to use the | ||
| 25 | attack to extract private encryption keys from GnuPG. The high | ||
| 26 | resolution and low noise of the Flush+Reload attack enables a spy | ||
| 27 | program to recover over 98% of the bits of the private key in a | ||
| 28 | single decryption or signing round. Unlike previous attacks, the | ||
| 29 | attack targets the last level L3 cache. Consequently, the spy | ||
| 30 | program and the victim do not need to share the execution core of | ||
| 31 | the CPU. The attack is not limited to a traditional OS and can be | ||
| 32 | used in a virtualised environment, where it can attack programs | ||
| 33 | executing in a different VM. | ||
| 34 | |||
| 35 | Index: gnupg-1.4.7/mpi/mpi-pow.c | ||
| 36 | =================================================================== | ||
| 37 | --- gnupg-1.4.7.orig/mpi/mpi-pow.c | ||
| 38 | +++ gnupg-1.4.7/mpi/mpi-pow.c | ||
| 39 | @@ -212,7 +212,13 @@ mpi_powm( MPI res, MPI base, MPI exponen | ||
| 40 | tp = rp; rp = xp; xp = tp; | ||
| 41 | rsize = xsize; | ||
| 42 | |||
| 43 | - if( (mpi_limb_signed_t)e < 0 ) { | ||
| 44 | + /* To mitigate the Yarom/Falkner flush+reload cache | ||
| 45 | + * side-channel attack on the RSA secret exponent, we do | ||
| 46 | + * the multiplication regardless of the value of the | ||
| 47 | + * high-bit of E. But to avoid this performance penalty | ||
| 48 | + * we do it only if the exponent has been stored in secure | ||
| 49 | + * memory and we can thus assume it is a secret exponent. */ | ||
| 50 | + if (esec || (mpi_limb_signed_t)e < 0) { | ||
| 51 | /*mpihelp_mul( xp, rp, rsize, bp, bsize );*/ | ||
| 52 | if( bsize < KARATSUBA_THRESHOLD ) { | ||
| 53 | mpihelp_mul( xp, rp, rsize, bp, bsize ); | ||
| 54 | @@ -227,6 +233,8 @@ mpi_powm( MPI res, MPI base, MPI exponen | ||
| 55 | mpihelp_divrem(xp + msize, 0, xp, xsize, mp, msize); | ||
| 56 | xsize = msize; | ||
| 57 | } | ||
| 58 | + } | ||
| 59 | + if ( (mpi_limb_signed_t)e < 0 ) { | ||
| 60 | |||
| 61 | tp = rp; rp = xp; xp = tp; | ||
| 62 | rsize = xsize; | ||
diff --git a/meta/recipes-support/gnupg/gnupg_1.4.7.bb b/meta/recipes-support/gnupg/gnupg_1.4.7.bb index e8f797d4f4..5791b91c1d 100644 --- a/meta/recipes-support/gnupg/gnupg_1.4.7.bb +++ b/meta/recipes-support/gnupg/gnupg_1.4.7.bb | |||
| @@ -17,6 +17,7 @@ SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-${PV}.tar.bz2 \ | |||
| 17 | file://curl_typeof_fix_backport.patch \ | 17 | file://curl_typeof_fix_backport.patch \ |
| 18 | file://CVE-2013-4351.patch \ | 18 | file://CVE-2013-4351.patch \ |
| 19 | file://CVE-2013-4576.patch \ | 19 | file://CVE-2013-4576.patch \ |
| 20 | file://CVE-2013-4242.patch \ | ||
| 20 | " | 21 | " |
| 21 | 22 | ||
| 22 | SRC_URI[md5sum] = "b06a141cca5cd1a55bbdd25ab833303c" | 23 | SRC_URI[md5sum] = "b06a141cca5cd1a55bbdd25ab833303c" |