Use starts/finish around Lucky 13 dummy compressions
Fixes #3246 Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
parent
efb669c280
commit
20cd85c6e1
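--- a/ChangeLog.d/l13-hw-accel.txt
+++ b/ChangeLog.d/l13-hw-accel.txt
@@ -0,0 +1,7 @@
+Security
+* Fix issue in Lucky 13 counter-measure that could make it ineffective when
+hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
+macros). This would cause the original Lucky 13 attack to be possible in
+those configurations, allowing an active network attacker to recover
+plaintext after repeated timing measurements under some conditions.
+Reported and fix suggested by Luc Perneel in #3246.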
@ -2269,10 +2269,20 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
|
|||||||
ssl_read_memory( ssl->in_msg + ssl->in_msglen, padlen );
|
ssl_read_memory( ssl->in_msg + ssl->in_msglen, padlen );
|
||||||
mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect );
|
mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect );
|
||||||
|
|
||||||
/* Call mbedtls_md_process at least once due to cache attacks
|
/* Dummy calls to compression function.
|
||||||
* that observe whether md_process() was called of not */
|
* Call mbedtls_md_process at least once due to cache attacks
|
||||||
|
* that observe whether md_process() was called of not.
|
||||||
|
* Respect the usual start-(process|update)-finish sequence for
|
||||||
|
* the sake of hardware accelerators that might require it. */
|
||||||
|
mbedtls_md_starts( &ssl->transform_in->md_ctx_dec );
|
||||||
for( j = 0; j < extra_run + 1; j++ )
|
for( j = 0; j < extra_run + 1; j++ )
|
||||||
mbedtls_md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
|
mbedtls_md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
|
||||||
|
{
|
||||||
|
/* The switch statement above already checks that we're using
|
||||||
|
* one of MD-5, SHA-1, SHA-256 or SHA-384. */
|
||||||
|
unsigned char tmp[384 / 8];
|
||||||
|
mbedtls_md_finish( &ssl->transform_in->md_ctx_dec, tmp );
|
||||||
|
}
|
||||||
|
|
||||||
mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );
|
mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );
|
||||||
|
|
||||||
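Review bot: The return values of the new mbedtls_md_starts, mbedtls_md_process and mbedtls_md_finish calls are discarded, so in precisely the MBEDTLS_SHAxxx_ALT configurations this fix targets, an accelerator that reports failure would silently skip the equalising work and the timing countermeasure would degrade with no error reaching the caller. The adjacent mbedtls_md_hmac_finish call on the same context is treated the same way, so this may be the file's deliberate pattern; if so, the intent deserves a comment on the starts line such as `/* Return codes intentionally ignored: a failure here only weakens the timing equalisation; mac_expect was already produced by the hmac_finish call above. */`, and otherwise the three calls should be checked and routed to the function's error path. The `unsigned char tmp[384 / 8]` sizing rests on a switch that is not in the hunk, as the added comment says, so that dependency should be kept in mind if more digests are ever admitted there. ssl_decrypt_buf begins and ends outside the hunk, and the loop variable j is declared outside it too.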
|