Merge pull request #664 from ARMmbed/dev/yanesca/iotcrypt-958-ecdsa-side-channel-fix-2.7

Backport 2.7: ECDSA side channel fix
This commit is contained in:
Jaeden Amero 2019-11-12 10:37:27 +00:00 committed by GitHub
commit 10fcdd25d4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 0 deletions

View file

@ -2,6 +2,13 @@ mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS 2.7.x branch released xxxx-xx-xx
Security
* Fix side channel vulnerability in ECDSA. Our bignum implementation is not
constant time/constant trace, so side channel attacks can retrieve the
blinded value, factor it (as it is smaller than RSA keys and not guaranteed
to have only large prime factors), and then, by brute force, recover the
key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
Changes
* Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
from the cipher abstraction layer. Fixes #2198.

View file

@ -153,6 +153,7 @@ static int ecdsa_sign_internal( mbedtls_ecp_group *grp, mbedtls_mpi *r,
MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &e, &e, s ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &e, &e, &t ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &k, &k, &t ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &k, &k, &grp->N ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( s, &k, &grp->N ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, s, &e ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( s, s, &grp->N ) );