Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP4:GA
compat-libgcrypt11
libgcrypt-CVE-2013-4242.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File libgcrypt-CVE-2013-4242.patch of Package compat-libgcrypt11
From e2202ff2b704623efc6277fb5256e4e15bac5676 Mon Sep 17 00:00:00 2001 From: Werner Koch <wk@gnupg.org> Date: Thu, 25 Jul 2013 11:17:52 +0200 Subject: [PATCH] Mitigate a flush+reload cache attack on RSA secret exponents. * mpi/mpi-pow.c (gcry_mpi_powm): Always perfrom the mpi_mul for exponents in secure memory. -- The attack is published as http://eprint.iacr.org/2013/448 : Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack by Yuval Yarom and Katrina Falkner. 18 July 2013. Flush+Reload is a cache side-channel attack that monitors access to data in shared pages. In this paper we demonstrate how to use the attack to extract private encryption keys from GnuPG. The high resolution and low noise of the Flush+Reload attack enables a spy program to recover over 98% of the bits of the private key in a single decryption or signing round. Unlike previous attacks, the attack targets the last level L3 cache. Consequently, the spy program and the victim do not need to share the execution core of the CPU. The attack is not limited to a traditional OS and can be used in a virtualised environment, where it can attack programs executing in a different VM. --- mpi/mpi-pow.c | 13 +++++++++++-- 1 files changed, 11 insertions(+), 2 deletions(-) diff --git a/mpi/mpi-pow.c b/mpi/mpi-pow.c index f4aebdb..a63fc6d 100644 --- a/mpi/mpi-pow.c +++ b/mpi/mpi-pow.c @@ -1,6 +1,7 @@ /* mpi-pow.c - MPI functions for exponentiation * Copyright (C) 1994, 1996, 1998, 2000, 2002 * 2003 Free Software Foundation, Inc. + * 2013 g10 Code GmbH * * This file is part of Libgcrypt. * @@ -235,7 +236,13 @@ gcry_mpi_powm (gcry_mpi_t res, tp = rp; rp = xp; xp = tp; rsize = xsize; - if ( (mpi_limb_signed_t)e < 0 ) + /* To mitigate the Yarom/Falkner flush+reload cache + * side-channel attack on the RSA secret exponent, we do + * the multiplication regardless of the value of the + * high-bit of E. But to avoid this performance penalty + * we do it only if the exponent has been stored in secure + * memory and we can thus assume it is a secret exponent. */ + if (esec || (mpi_limb_signed_t)e < 0) { /*mpih_mul( xp, rp, rsize, bp, bsize );*/ if( bsize < KARATSUBA_THRESHOLD ) @@ -250,7 +257,9 @@ gcry_mpi_powm (gcry_mpi_t res, _gcry_mpih_divrem(xp + msize, 0, xp, xsize, mp, msize); xsize = msize; } - + } + if ( (mpi_limb_signed_t)e < 0 ) + { tp = rp; rp = xp; xp = tp; rsize = xsize; } -- 1.7.2.5
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor