1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-23 10:29:58 +01:00

19 Commits

Author SHA1 Message Date
NIIBE Yutaka
6cbc75e712 mpi: Avoid data-dependent timing variations in mpi_powm.
* include/mpi.h, mpi/mpiutils.c (mpi_set_cond): New.
* mpi/mpi-pow.c (SIZE_PRECOMP): Rename from SIZE_B_2I3.
(mpi_powm): Access all data in the table and use mpi_set_cond.

--

Access to the precomputed table was indexed by a portion of EXPO,
which could be mounted by a side channel attack.  This change fixes
this particular data-dependent access pattern.
2015-02-26 21:00:05 +09:00
Werner Koch
cad8216f9a mpi: mpi-pow improvements
* mpi/mpi-pow.c (USE_ALGORITHM_SIMPLE_EXPONENTIATION): New.
(mul_mod) [!USE_ALGORITHM_SIMPLE_EXPONENTIATION]: New.
(mpi_powm) [!USE_ALGORITHM_SIMPLE_EXPONENTIATION]: New implementation
of left-to-right k-ary exponentiation.
--

This is a backport from Libgcrypt commit
45aa6131e93fac89d46733b3436d960f35fb99b2

    Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>

    For the Yarom/Falkner flush+reload cache side-channel attack, we
    changed the code so that it always calls the multiplication
    routine (even if we can skip it to get result).  This results some
    performance regression.

    This change is for recovering performance with efficient
    algorithm.

Signed-off-by: Werner Koch <wk@gnupg.org>
2013-10-18 10:54:55 +02:00
Werner Koch
35646689f4 Mitigate a flush+reload cache attack on RSA secret exponents.
* mpi/mpi-pow.c (mpi_powm): Always perform the mpi_mul for exponents
hold in secure memory.
--

The attack is described in a paper to be pusblished at eprint.iacr.org:

Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel
Attack by Yuval Yarom and Katrina Falkner. 18 July 2013.

  Flush+Reload is a cache side-channel attack that monitors access to
  data in shared pages. In this paper we demonstrate how to use the
  attack to extract private encryption keys from GnuPG.  The high
  resolution and low noise of the Flush+Reload attack enables a spy
  program to recover over 98% of the bits of the private key in a
  single decryption or signing round. Unlike previous attacks, the
  attack targets the last level L3 cache. Consequently, the spy
  program and the victim do not need to share the execution core of
  the CPU. The attack is not limited to a traditional OS and can be
  used in a virtualised environment, where it can attack programs
  executing in a different VM.

Signed-off-by: Werner Koch <wk@gnupg.org>
2013-07-25 10:37:40 +02:00
Werner Koch
a95143e225 Removed some set but unused vars. 2011-08-09 10:54:22 +02:00
Werner Koch
9a2a818887 Switched to GPLv3.
Updated gettext.
2007-10-23 10:48:09 +00:00
Werner Koch
7d4043ca57 Updated FSF street address and preparations for a release candidate. 2005-05-31 08:39:18 +00:00
David Shaw
c19c728afa * longlong.h: Typo.
* mpi-pow.c (mpi_powm): s/exp/exponent/ to shutup a compiler warning.
From Werner on stable branch.
2004-05-20 17:34:00 +00:00
David Shaw
0ed6228293 Update head to match stable 1.0 2002-06-29 14:15:02 +00:00
Werner Koch
07ca4eaa9d Removed files from the HEAD revision, because they are now in another
repository
2000-12-19 17:20:22 +00:00
Werner Koch
0bf44b072c See ChangeLog: Mon Jul 17 16:35:47 CEST 2000 Werner Koch 2000-07-17 14:32:21 +00:00
Werner Koch
4555c0be94 See ChangeLog: Wed Dec 8 21:58:32 CET 1999 Werner Koch 1999-12-08 21:03:03 +00:00
Werner Koch
1feae2011c See ChangeLog: Sun Apr 18 10:11:28 CEST 1999 Werner Koch 1999-04-18 08:18:52 +00:00
Werner Koch
750d74333c See ChangeLog: Wed Dec 23 13:34:22 CET 1998 Werner Koch 1998-12-23 12:41:40 +00:00
Werner Koch
e6ac5acbbf some more internall structure changes 1998-06-16 15:13:28 +00:00
Werner Koch
5a05af2bca Renamed to GNUPG 1998-02-24 18:50:46 +00:00
Werner Koch
4ec1775f3e added some trust model stuff 1998-01-16 21:15:24 +00:00
Werner Koch
c351df1dc5 changed configuration stuff, replaced some Makefile.am by distfiles. 1997-12-23 17:30:18 +00:00
Werner Koch
e655f8de8d changed the dir layout 1997-11-26 21:06:44 +00:00
Werner Koch
5393dd53c5 initially checkin 1997-11-18 14:06:00 +00:00