mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-23 05:55:29 +00:00
Fix leakage of projective coordinates in ECC
See the comments in the code for how an attack would go, and the ChangeLog entry for an impact assessment. (For ECDSA, leaking a few bits of the scalar over several signatures translates to full private key recovery using a lattice attack.) Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
parent
bfa0f7d540
commit
f60041688c
|
@ -2,6 +2,13 @@ mbed TLS ChangeLog (Sorted per branch, date)
|
||||||
|
|
||||||
= mbed TLS x.x.x branch released xxxx-xx-xx
|
= mbed TLS x.x.x branch released xxxx-xx-xx
|
||||||
|
|
||||||
|
Security
|
||||||
|
* Fix side channel in ECC code that allowed an adversary with access to
|
||||||
|
precise enough timing and memory access information (typically an
|
||||||
|
untrusted operating system attacking a secure enclave) to fully recover
|
||||||
|
an ECDSA private key. Found and reported by Alejandro Cabrera Aldaya,
|
||||||
|
Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
|
||||||
|
|
||||||
Bugfix
|
Bugfix
|
||||||
* Fix compilation failure when both MBEDTLS_SSL_PROTO_DTLS and
|
* Fix compilation failure when both MBEDTLS_SSL_PROTO_DTLS and
|
||||||
MBEDTLS_SSL_HW_RECORD_ACCEL are enabled.
|
MBEDTLS_SSL_HW_RECORD_ACCEL are enabled.
|
||||||
|
|
|
@ -1938,6 +1938,20 @@ static int ecp_mul_comb_after_precomp( const mbedtls_ecp_group *grp,
|
||||||
|
|
||||||
final_norm:
|
final_norm:
|
||||||
#endif
|
#endif
|
||||||
|
/*
|
||||||
|
* Knowledge of the jacobian coordinates may leak the last few bits of the
|
||||||
|
* scalar [1], and since our MPI implementation isn't constant-flow,
|
||||||
|
* inversion (used for coordinate normalization) may leak the full value
|
||||||
|
* of its input via side-channels [2].
|
||||||
|
*
|
||||||
|
* [1] https://eprint.iacr.org/2003/191
|
||||||
|
* [2] https://eprint.iacr.org/2020/055
|
||||||
|
*
|
||||||
|
* Avoid the leak by randomizing coordinates before we normalize them.
|
||||||
|
*/
|
||||||
|
if( f_rng != 0 )
|
||||||
|
MBEDTLS_MPI_CHK( ecp_randomize_jac( grp, RR, f_rng, p_rng ) );
|
||||||
|
|
||||||
MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV );
|
MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV );
|
||||||
MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, RR ) );
|
MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, RR ) );
|
||||||
|
|
||||||
|
@ -2308,6 +2322,20 @@ static int ecp_mul_mxz( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_swap( &R->Z, &RP.Z, b ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_swap( &R->Z, &RP.Z, b ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Knowledge of the projective coordinates may leak the last few bits of the
|
||||||
|
* scalar [1], and since our MPI implementation isn't constant-flow,
|
||||||
|
* inversion (used for coordinate normalization) may leak the full value
|
||||||
|
* of its input via side-channels [2].
|
||||||
|
*
|
||||||
|
* [1] https://eprint.iacr.org/2003/191
|
||||||
|
* [2] https://eprint.iacr.org/2020/055
|
||||||
|
*
|
||||||
|
* Avoid the leak by randomizing coordinates before we normalize them.
|
||||||
|
*/
|
||||||
|
if( f_rng != NULL )
|
||||||
|
MBEDTLS_MPI_CHK( ecp_randomize_mxz( grp, R, f_rng, p_rng ) );
|
||||||
|
|
||||||
MBEDTLS_MPI_CHK( ecp_normalize_mxz( grp, R ) );
|
MBEDTLS_MPI_CHK( ecp_normalize_mxz( grp, R ) );
|
||||||
|
|
||||||
cleanup:
|
cleanup:
|
||||||
|
|
Loading…
Reference in a new issue