Merge pull request #700 from mpg/l13-hw-starts-finish-restricted
Lucky 13: just use starts/finish around calls to process()
This commit is contained in:
commit
1c7d54a209
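--- a/ChangeLog.d/l13-hw-accel.txt
+++ b/ChangeLog.d/l13-hw-accel.txt
@@ -0,0 +1,7 @@
+Security
+* Fix issue in Lucky 13 counter-measure that could make it ineffective when
+hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
+macros). This would cause the original Lucky 13 attack to be possible in
+those configurations, allowing an active network attacker to recover
+plaintext after repeated timing measurements under some conditions.
+Reported and fix suggested by Luc Perneel in #3246.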
@ -1578,6 +1578,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
|
|||||||
* linking an extra division function in some builds).
|
* linking an extra division function in some builds).
|
||||||
*/
|
*/
|
||||||
size_t j, extra_run = 0;
|
size_t j, extra_run = 0;
|
||||||
|
/* This size is enough to server either as input to
|
||||||
|
* md_process() or as output to md_finish() */
|
||||||
unsigned char tmp[MBEDTLS_MD_MAX_BLOCK_SIZE];
|
unsigned char tmp[MBEDTLS_MD_MAX_BLOCK_SIZE];
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -1633,10 +1635,15 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
|
|||||||
ssl_read_memory( data + rec->data_len, padlen );
|
ssl_read_memory( data + rec->data_len, padlen );
|
||||||
mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect );
|
mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect );
|
||||||
|
|
||||||
/* Call mbedtls_md_process at least once due to cache attacks
|
/* Dummy calls to compression function.
|
||||||
* that observe whether md_process() was called of not */
|
* Call mbedtls_md_process at least once due to cache attacks
|
||||||
|
* that observe whether md_process() was called of not.
|
||||||
|
* Respect the usual start-(process|update)-finish sequence for
|
||||||
|
* the sake of hardware accelerators that might require it. */
|
||||||
|
mbedtls_md_starts( &transform->md_ctx_dec );
|
||||||
for( j = 0; j < extra_run + 1; j++ )
|
for( j = 0; j < extra_run + 1; j++ )
|
||||||
mbedtls_md_process( &transform->md_ctx_dec, tmp );
|
mbedtls_md_process( &transform->md_ctx_dec, tmp );
|
||||||
|
mbedtls_md_finish( &transform->md_ctx_dec, tmp );
|
||||||
|
|
||||||
mbedtls_md_hmac_reset( &transform->md_ctx_dec );
|
mbedtls_md_hmac_reset( &transform->md_ctx_dec );
|
||||||
|
|
||||||
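Review bot: The comment added above the dummy calls has two typos — `of not` should be `or not`, and in the first hunk `enough to server` should be `enough to serve` — and it does not say why calling mbedtls_md_starts()/mbedtls_md_finish() directly on md_ctx_dec, which is an HMAC context, is safe. Since the dummy starts/finish discards whatever running state md_ctx_dec held, I would add `* Note: this clobbers the running state of md_ctx_dec; that is only safe because mbedtls_md_hmac_reset() below re-initialises it.` so nobody later moves or drops the reset. The return values of the new mbedtls_md_starts()/mbedtls_md_finish() calls are discarded like the existing md_process() one, which matches the surrounding style, but with an _ALT accelerator a failing call presumably means the dummy work took a different amount of time than the real HMAC path, which is worth noting in the comment. The comment on tmp claims the buffer is large enough for md_finish() output, which holds only if MBEDTLS_MD_MAX_BLOCK_SIZE is at least MBEDTLS_MD_MAX_SIZE — I cannot verify that from these hunks, and a compile-time check would pin the claim. mbedtls_ssl_decrypt_buf() starts and ends outside both hunks.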
|