summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch62
-rw-r--r--meta/recipes-support/gnupg/gnupg_1.4.7.bb1
2 files changed, 63 insertions, 0 deletions
diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch
new file mode 100644
index 0000000000..c9addca28e
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch
@@ -0,0 +1,62 @@
+From e2202ff2b704623efc6277fb5256e4e15bac5676 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Thu, 25 Jul 2013 11:17:52 +0200
+Subject: [PATCH] Mitigate a flush+reload cache attack on RSA secret
+ exponents.
+
+commit e2202ff2b704623efc6277fb5256e4e15bac5676 from
+git://git.gnupg.org/libgcrypt.git
+
+* mpi/mpi-pow.c (gcry_mpi_powm): Always perfrom the mpi_mul for
+exponents in secure memory.
+
+Upstream-Status: Backport
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+--
+
+The attack is published as http://eprint.iacr.org/2013/448 :
+
+Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel
+Attack by Yuval Yarom and Katrina Falkner. 18 July 2013.
+
+ Flush+Reload is a cache side-channel attack that monitors access to
+ data in shared pages. In this paper we demonstrate how to use the
+ attack to extract private encryption keys from GnuPG. The high
+ resolution and low noise of the Flush+Reload attack enables a spy
+ program to recover over 98% of the bits of the private key in a
+ single decryption or signing round. Unlike previous attacks, the
+ attack targets the last level L3 cache. Consequently, the spy
+ program and the victim do not need to share the execution core of
+ the CPU. The attack is not limited to a traditional OS and can be
+ used in a virtualised environment, where it can attack programs
+ executing in a different VM.
+
+Index: gnupg-1.4.7/mpi/mpi-pow.c
+===================================================================
+--- gnupg-1.4.7.orig/mpi/mpi-pow.c
++++ gnupg-1.4.7/mpi/mpi-pow.c
+@@ -212,7 +212,13 @@ mpi_powm( MPI res, MPI base, MPI exponen
+ tp = rp; rp = xp; xp = tp;
+ rsize = xsize;
+
+- if( (mpi_limb_signed_t)e < 0 ) {
++ /* To mitigate the Yarom/Falkner flush+reload cache
++ * side-channel attack on the RSA secret exponent, we do
++ * the multiplication regardless of the value of the
++ * high-bit of E. But to avoid this performance penalty
++ * we do it only if the exponent has been stored in secure
++ * memory and we can thus assume it is a secret exponent. */
++ if (esec || (mpi_limb_signed_t)e < 0) {
+ /*mpihelp_mul( xp, rp, rsize, bp, bsize );*/
+ if( bsize < KARATSUBA_THRESHOLD ) {
+ mpihelp_mul( xp, rp, rsize, bp, bsize );
+@@ -227,6 +233,8 @@ mpi_powm( MPI res, MPI base, MPI exponen
+ mpihelp_divrem(xp + msize, 0, xp, xsize, mp, msize);
+ xsize = msize;
+ }
++ }
++ if ( (mpi_limb_signed_t)e < 0 ) {
+
+ tp = rp; rp = xp; xp = tp;
+ rsize = xsize;
diff --git a/meta/recipes-support/gnupg/gnupg_1.4.7.bb b/meta/recipes-support/gnupg/gnupg_1.4.7.bb
index ddcc2c24fe..7be56fd7b5 100644
--- a/meta/recipes-support/gnupg/gnupg_1.4.7.bb
+++ b/meta/recipes-support/gnupg/gnupg_1.4.7.bb
@@ -17,6 +17,7 @@ SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-${PV}.tar.bz2 \
file://curl_typeof_fix_backport.patch \
file://CVE-2013-4351.patch \
file://CVE-2013-4576.patch \
+ file://CVE-2013-4242.patch \
"
SRC_URI[md5sum] = "b06a141cca5cd1a55bbdd25ab833303c"