yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-01-22 15:30:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'development-restricted' into mbedtls-2.22.0r0

Browse source 
Signed-off-by: Janos Follath <janos.follath@arm.com>
This commit is contained in:
Janos Follath 2020-04-08 14:59:43 +01:00
parent 4500e83fe4 ea6af48b7e
commit dca973bbeb
2 changed files with 33 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
ChangeLog
View file

@ -13,6 +13,11 @@ Security
legitimate clients, resulting in a Denial of Service. This could only legitimate clients, resulting in a Denial of Service. This could only
happen when MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE was enabled in config.h happen when MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE was enabled in config.h
(which it is by default). (which it is by default).
* Fix side channel in ECC code that allowed an adversary with access to
precise enough timing and memory access information (typically an
untrusted operating system attacking a secure enclave) to fully recover
an ECDSA private key. Found and reported by Alejandro Cabrera Aldaya,
Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
Bugfix Bugfix
* Fix compilation failure when both MBEDTLS_SSL_PROTO_DTLS and * Fix compilation failure when both MBEDTLS_SSL_PROTO_DTLS and

28
library/ecp.c
View file

@ -2016,6 +2016,20 @@ static int ecp_mul_comb_after_precomp( const mbedtls_ecp_group *grp,
final_norm: final_norm:
#endif #endif
/*
* Knowledge of the jacobian coordinates may leak the last few bits of the
* scalar [1], and since our MPI implementation isn't constant-flow,
* inversion (used for coordinate normalization) may leak the full value
* of its input via side-channels [2].
*
* [1] https://eprint.iacr.org/2003/191
* [2] https://eprint.iacr.org/2020/055
*
* Avoid the leak by randomizing coordinates before we normalize them.
*/
if( f_rng != 0 )
MBEDTLS_MPI_CHK( ecp_randomize_jac( grp, RR, f_rng, p_rng ) );
MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV ); MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV );
MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, RR ) ); MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, RR ) );
@ -2388,6 +2402,20 @@ static int ecp_mul_mxz( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_swap( &R->Z, &RP.Z, b ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_swap( &R->Z, &RP.Z, b ) );
} }
/*
* Knowledge of the projective coordinates may leak the last few bits of the
* scalar [1], and since our MPI implementation isn't constant-flow,
* inversion (used for coordinate normalization) may leak the full value
* of its input via side-channels [2].
*
* [1] https://eprint.iacr.org/2003/191
* [2] https://eprint.iacr.org/2020/055
*
* Avoid the leak by randomizing coordinates before we normalize them.
*/
if( f_rng != NULL )
MBEDTLS_MPI_CHK( ecp_randomize_mxz( grp, R, f_rng, p_rng ) );
MBEDTLS_MPI_CHK( ecp_normalize_mxz( grp, R ) ); MBEDTLS_MPI_CHK( ecp_normalize_mxz( grp, R ) );
cleanup: cleanup: