mbedtls/ChangeLog.d/ecp-internal-rng.txt

Changes
   * The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on
     `MBEDTLS_CTR_DRBG_C`, `MBEDTLS_HMAC_DRBG_C`, `MBEDTLS_SHA512_C` or
     `MBEDTLS_SHA256_C` for some side-channel coutermeasures. If side channels
     are not a concern, this dependency can be avoided by enabling the new
     option `MBEDTLS_ECP_NO_INTERNAL_RNG`.

Security
   * Fix side channel in mbedtls_ecp_check_pub_priv() and
     mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a
     private key that didn't include the uncompressed public key), as well as
     mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL
     f_rng argument. An attacker with access to precise enough timing and
     memory access information (typically an untrusted operating system
     attacking a secure enclave) could fully recover the ECC private key.
     Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
Add config.h option MBEDTLS_ECP_NO_INTERNAL_RNG No effect so far, except on dependency checking, as the feature it's meant to disable isn't implemented yet (so the descriptions in config.h and the ChangeLog entry are anticipation for now). Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> 2020-05-19 10:38:31 +00:00			`Changes`
			* The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on
Remove SHA-1 as a fallback option - it's 2020, there shouldn't be too many systems out there where SHA-1 is the only available hash option, so its usefulness is limited - OTOH testing configurations without SHA-2 reveal bugs that are not easy to fix in a fully compatible way So overall, the benefit/cost ratio is not good enough to justify keeping SHA-1 as a fallback option here. Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> 2020-06-18 10:14:34 +00:00			`MBEDTLS_CTR_DRBG_C`, `MBEDTLS_HMAC_DRBG_C`, `MBEDTLS_SHA512_C` or
			`MBEDTLS_SHA256_C` for some side-channel coutermeasures. If side channels
			`are not a concern, this dependency can be avoided by enabling the new`
			option `MBEDTLS_ECP_NO_INTERNAL_RNG`.
Add Security ChangeLog entry for lack of blinding Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> 2020-06-04 08:31:06 +00:00
			`Security`
			`* Fix side channel in mbedtls_ecp_check_pub_priv() and`
			`mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a`
			`private key that didn't include the uncompressed public key), as well as`
			`mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL`
			`f_rng argument. An attacker with access to precise enough timing and`
			`memory access information (typically an untrusted operating system`
			`attacking a secure enclave) could fully recover the ECC private key.`
			`Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.`