File libgcrypt-CVE-2013-4242.patch of Package compat-libgcrypt11.3673

Overview Repositories Revisions Requests Users Attributes Meta

File libgcrypt-CVE-2013-4242.patch of Package compat-libgcrypt11.3673

From e2202ff2b704623efc6277fb5256e4e15bac5676 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Thu, 25 Jul 2013 11:17:52 +0200
Subject: [PATCH] Mitigate a flush+reload cache attack on RSA secret exponents.

* mpi/mpi-pow.c (gcry_mpi_powm): Always perfrom the mpi_mul for
exponents in secure memory.
--

The attack is published as http://eprint.iacr.org/2013/448 :

Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel
Attack by Yuval Yarom and Katrina Falkner. 18 July 2013.

Flush+Reload is a cache side-channel attack that monitors access to
  data in shared pages. In this paper we demonstrate how to use the
  attack to extract private encryption keys from GnuPG.  The high
  resolution and low noise of the Flush+Reload attack enables a spy
  program to recover over 98% of the bits of the private key in a
  single decryption or signing round. Unlike previous attacks, the
  attack targets the last level L3 cache. Consequently, the spy
  program and the victim do not need to share the execution core of
  the CPU. The attack is not limited to a traditional OS and can be
  used in a virtualised environment, where it can attack programs
  executing in a different VM.
---
 mpi/mpi-pow.c |   13 +++++++++++--
 1 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/mpi/mpi-pow.c b/mpi/mpi-pow.c
index f4aebdb..a63fc6d 100644
--- a/mpi/mpi-pow.c
+++ b/mpi/mpi-pow.c
@@ -1,6 +1,7 @@
 /* mpi-pow.c  -  MPI functions for exponentiation
  * Copyright (C) 1994, 1996, 1998, 2000, 2002
  *               2003  Free Software Foundation, Inc.
+ *               2013  g10 Code GmbH
  *
  * This file is part of Libgcrypt.
  *
@@ -235,7 +236,13 @@ gcry_mpi_powm (gcry_mpi_t res,
             tp = rp; rp = xp; xp = tp;
             rsize = xsize;
 
-            if ( (mpi_limb_signed_t)e < 0 )
+            /* To mitigate the Yarom/Falkner flush+reload cache
+             * side-channel attack on the RSA secret exponent, we do
+             * the multiplication regardless of the value of the
+             * high-bit of E.  But to avoid this performance penalty
+             * we do it only if the exponent has been stored in secure
+             * memory and we can thus assume it is a secret exponent.  */
+            if (esec || (mpi_limb_signed_t)e < 0)
               {
                 /*mpih_mul( xp, rp, rsize, bp, bsize );*/
                 if( bsize < KARATSUBA_THRESHOLD )
@@ -250,7 +257,9 @@ gcry_mpi_powm (gcry_mpi_t res,
                     _gcry_mpih_divrem(xp + msize, 0, xp, xsize, mp, msize);
                     xsize = msize;
                   }
-
+              }
+            if ( (mpi_limb_signed_t)e < 0 )
+              {
                 tp = rp; rp = xp; xp = tp;
                 rsize = xsize;
               }
-- 
1.7.2.5

Places

File libgcrypt-CVE-2013-4242.patch of Package compat-libgcrypt11.3673

Places