Age | Commit message | Author | Files | Lines
* mpi/mpi-pow.c (gcry_mpi_powm): Always perform the mpi_mul for
exponents in secure memory.
--
The attack is published as http://eprint.iacr.org/2013/448 :
Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel
Attack by Yuval Yarom and Katrina Falkner. 18 July 2013.
Flush+Reload is a cache side-channel attack that monitors access to
data in shared pages. In this paper we demonstrate how to use the
attack to extract private encryption keys from GnuPG. The high
resolution and low noise of the Flush+Reload attack enables a spy
program to recover over 98% of the bits of the private key in a
single decryption or signing round. Unlike previous attacks, the
attack targets the last level L3 cache. Consequently, the spy
program and the victim do not need to share the execution core of
the CPU. The attack is not limited to a traditional OS and can be
used in a virtualised environment, where it can attack programs
executing in a different VM.
(cherry picked from commit 55237c8f6920c6629debd23db65e90b42a3767de)
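To show the exponent-dependent multiply that Flush+Reload observes and the "always perform the multiplication" mitigation this commit applies, here is an added illustration on 64-bit integers; it is not libgcrypt's mpi-pow.c, and the names modmul, powm_leaky and powm_always_mul are assumed for the example:

```c
#include <stdint.h>

/* Added illustration, not libgcrypt's mpi-pow.c: 64-bit modular multiply
 * with a 128-bit intermediate (GCC/clang extension). */
static uint64_t modmul(uint64_t a, uint64_t b, uint64_t m)
{
    return (uint64_t)(((unsigned __int128)a * b) % m);
}

/* Leaky left-to-right square-and-multiply: the multiply runs only when
 * the exponent bit is set, so whether the multiply's code is touched in
 * each iteration reveals that bit of the (private) exponent. */
uint64_t powm_leaky(uint64_t base, uint64_t expo, uint64_t mod)
{
    uint64_t r = 1 % mod;
    for (int i = 63; i >= 0; i--) {
        r = modmul(r, r, mod);
        if ((expo >> i) & 1)            /* exponent-dependent branch */
            r = modmul(r, base, mod);
    }
    return r;
}

/* Hardened variant in the spirit of the commit above: the multiply is
 * performed in every iteration and its result is kept only when the bit
 * is set, chosen with an all-ones/all-zeros mask instead of a branch, so
 * the sequence of code executed no longer depends on the exponent. */
uint64_t powm_always_mul(uint64_t base, uint64_t expo, uint64_t mod)
{
    uint64_t r = 1 % mod;
    for (int i = 63; i >= 0; i--) {
        r = modmul(r, r, mod);
        uint64_t prod = modmul(r, base, mod);      /* always computed */
        uint64_t mask = 0 - ((expo >> i) & 1);     /* 0 or UINT64_MAX */
        r = (prod & mask) | (r & ~mask);           /* branch-free select */
    }
    return r;
}
```

The fixed 64-iteration loop also hides the exponent's bit length, which libgcrypt's limb-based loop does not by itself. This removes only the exponent-dependent code path; operand-dependent timing inside the multiply is a separate concern.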
* mpi/mpi-pow.c (gcry_mpi_powm): For a zero exponent, make sure that
the result has been allocated.
--
This code triggered the problem:

    #include <gcrypt.h>
    gcry_mpi_t modulus, generator, exponent, result;
    modulus = gcry_mpi_set_ui(NULL, 100);
    generator = gcry_mpi_set_ui(NULL, 3);
    exponent = gcry_mpi_set_ui(NULL, 0);
    result = gcry_mpi_new(0);   /* no limb space is allocated */
    gcry_mpi_powm(result, generator, exponent, modulus);

gcry_mpi_new(0) does not allocate the limb space, thus it is not
possible to write even into the first limb. The workaround was to use
gcry_mpi_new (1), but a real fix is better.
Reported-by: Ian Goldberg
Signed-off-by: Werner Koch <wk@gnupg.org>
* mpi/mpi-pow.c: Replace 1 / msize.
* mpi/mpih-div.c: Replace 1 / dsize.
* src/misc.c: Add _gcry_divide_by_zero.
--
1) Division by zero doesn't "provoke a signal" on architectures
like PowerPC.
2) C compilers like clang will optimize away these divisions, even
though the code tries "to make the compiler not remove" them.
This patch redirects these cases to _gcry_divide_by_zero.
Check and install the standard git pre-commit hook.
Add some code to allow standalone builds of some test programs.
Updated some tests.

Support for passphrase-generated Elgamal keys.
(struct karatsuba_ctx): Added TSPACE_NLIMBS and TP_NLIMBS.
* mpiutil.c (_gcry_mpi_free_limb_space): Add arg NLIMBS and wipe
out the memory. Changed all callers.
* mpih-mul.c (_gcry_mpih_mul_karatsuba_case): Keep track of
allocated limbs.
* mpi-div.c (_gcry_mpi_tdiv_qr): Keep track of allocated limbs.
* mpi-mul.c (gcry_mpi_mul): Ditto.
* mpi-pow.c (gcry_mpi_powm): Ditto.
* mpiutil.c (gcry_mpi_randomize): Use gcry_create_nonce if WEAK
random has been requested.
* configure.ac: Use it here instead of the generic lib test.
Bumped LT version to C9/A2/R0.
* dsa.c (verify): s/exp/ex/ due to shadowing of a builtin.
* elgamal.c (verify): Ditto.
* ac.c (gcry_ac_data_get_index): s/index/idx/
(gcry_ac_data_copy_internal): Remove the cast in _gcry_malloc.
(gcry_ac_data_add): Must use gcry_realloc instead of realloc.
* pubkey.c (sexp_elements_extract): s/index/idx/ as tribute to the
forehackers.
(gcry_pk_encrypt): Removed shadowed definition of I. Reordered
arguments to malloc for clarity.
(gcry_pk_sign, gcry_pk_genkey): Ditto.
* primegen.c (prime_generate_internal): s/random/randomlevel/.
* i386/mpih-rshift.S, i386/mpih-lshift.S: Use %dl and not %edx for
testb; this avoids an assembler warning.
* mpi-pow.c (gcry_mpi_powm): s/exp/expo/ to avoid shadowing warning.
* autogen.sh: Allow overriding the tool name. Do not run
libtoolize. Update required version numbers.
* libgcrypt.vers (_gcry_generate_elg_prime): Removed this symbol;
gnutls does not need it anymore.
* secmem.c (mb_get_new): s/pool/block/ due to global pool.
* misc.c (gcry_set_log_handler): s/logf/f/ to avoid shadowing
warning against a builtin.
* ath-pth-compat.c: Cast pth_connect to get rid of the const
prototype.
* basic.c (check_aes128_cbc_cts_cipher): Make it a prototype.
* ac.c (check_run): Comment unused variable.
* mpi-add.c: Replace last occurrences of old type names with newer
names (i.e. replace MPI with gcry_mpi_t).
* mpi-bit.c: Likewise.
* mpi-cmp.c: Likewise.
* mpi-div.c: Likewise.
* mpi-gcd.c: Likewise.
* mpi-internal.h: Likewise.
* mpi-inv.c: Likewise.
* mpi-mpow.c: Likewise.
* mpi-mul.c: Likewise.
* mpi-pow.c: Likewise.
* mpi-scan.c: Likewise.
* mpicoder.c: Likewise.
* mpiutil.c: Likewise.