diff options
author | Kai Kang <kai.kang@windriver.com> | 2014-10-15 15:16:31 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-10-18 16:12:56 +0200 |
commit | d1e0f3e71ce9978ff0fc94d71e67b528dad84c5c (patch) | |
tree | 00a18f11b0cd62b1b0671356422ac6e0c7b56ed3 /meta/recipes-support/gnupg | |
parent | b145374c0a498de0160a9b81f50ce0066ab14862 (diff) | |
download | openembedded-core-d1e0f3e71ce9978ff0fc94d71e67b528dad84c5c.tar.gz openembedded-core-d1e0f3e71ce9978ff0fc94d71e67b528dad84c5c.tar.bz2 openembedded-core-d1e0f3e71ce9978ff0fc94d71e67b528dad84c5c.zip |
gnupg: CVE-2013-4242
GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x
and possibly other products, allows local users to obtain private RSA
keys via a cache side-channel attack involving the L3 cache, aka
Flush+Reload.
Patch from commit e2202ff2b704623efc6277fb5256e4e15bac5676 in
git://git.gnupg.org/libgcrypt.git
Signed-off-by: Yong Zhang <yong.zhang@windriver.com>
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Diffstat (limited to 'meta/recipes-support/gnupg')
-rw-r--r-- | meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch | 62 | ||||
-rw-r--r-- | meta/recipes-support/gnupg/gnupg_1.4.7.bb | 1 |
2 files changed, 63 insertions, 0 deletions
diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch new file mode 100644 index 0000000000..c9addca28e --- /dev/null +++ b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch @@ -0,0 +1,62 @@ +From e2202ff2b704623efc6277fb5256e4e15bac5676 Mon Sep 17 00:00:00 2001 +From: Werner Koch <wk@gnupg.org> +Date: Thu, 25 Jul 2013 11:17:52 +0200 +Subject: [PATCH] Mitigate a flush+reload cache attack on RSA secret + exponents. + +commit e2202ff2b704623efc6277fb5256e4e15bac5676 from +git://git.gnupg.org/libgcrypt.git + +* mpi/mpi-pow.c (gcry_mpi_powm): Always perfrom the mpi_mul for +exponents in secure memory. + +Upstream-Status: Backport + +Signed-off-by: Kai Kang <kai.kang@windriver.com> +-- + +The attack is published as http://eprint.iacr.org/2013/448 : + +Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel +Attack by Yuval Yarom and Katrina Falkner. 18 July 2013. + + Flush+Reload is a cache side-channel attack that monitors access to + data in shared pages. In this paper we demonstrate how to use the + attack to extract private encryption keys from GnuPG. The high + resolution and low noise of the Flush+Reload attack enables a spy + program to recover over 98% of the bits of the private key in a + single decryption or signing round. Unlike previous attacks, the + attack targets the last level L3 cache. Consequently, the spy + program and the victim do not need to share the execution core of + the CPU. The attack is not limited to a traditional OS and can be + used in a virtualised environment, where it can attack programs + executing in a different VM. + +Index: gnupg-1.4.7/mpi/mpi-pow.c +=================================================================== +--- gnupg-1.4.7.orig/mpi/mpi-pow.c ++++ gnupg-1.4.7/mpi/mpi-pow.c +@@ -212,7 +212,13 @@ mpi_powm( MPI res, MPI base, MPI exponen + tp = rp; rp = xp; xp = tp; + rsize = xsize; + +- if( (mpi_limb_signed_t)e < 0 ) { ++ /* To mitigate the Yarom/Falkner flush+reload cache ++ * side-channel attack on the RSA secret exponent, we do ++ * the multiplication regardless of the value of the ++ * high-bit of E. But to avoid this performance penalty ++ * we do it only if the exponent has been stored in secure ++ * memory and we can thus assume it is a secret exponent. */ ++ if (esec || (mpi_limb_signed_t)e < 0) { + /*mpihelp_mul( xp, rp, rsize, bp, bsize );*/ + if( bsize < KARATSUBA_THRESHOLD ) { + mpihelp_mul( xp, rp, rsize, bp, bsize ); +@@ -227,6 +233,8 @@ mpi_powm( MPI res, MPI base, MPI exponen + mpihelp_divrem(xp + msize, 0, xp, xsize, mp, msize); + xsize = msize; + } ++ } ++ if ( (mpi_limb_signed_t)e < 0 ) { + + tp = rp; rp = xp; xp = tp; + rsize = xsize; diff --git a/meta/recipes-support/gnupg/gnupg_1.4.7.bb b/meta/recipes-support/gnupg/gnupg_1.4.7.bb index ddcc2c24fe..7be56fd7b5 100644 --- a/meta/recipes-support/gnupg/gnupg_1.4.7.bb +++ b/meta/recipes-support/gnupg/gnupg_1.4.7.bb @@ -17,6 +17,7 @@ SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-${PV}.tar.bz2 \ file://curl_typeof_fix_backport.patch \ file://CVE-2013-4351.patch \ file://CVE-2013-4576.patch \ + file://CVE-2013-4242.patch \ " SRC_URI[md5sum] = "b06a141cca5cd1a55bbdd25ab833303c" |