mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-29 10:14:17 +01:00
Merge pull request #676 from ARMmbed/ecc-projective-2.16-restricted
[backport 2.16] Fix leakage of projective coordinates in ECC
This commit is contained in:
commit
3a1b209f9e
@ -2,6 +2,13 @@ mbed TLS ChangeLog (Sorted per branch, date)
|
|||||||
|
|
||||||
= mbed TLS x.x.x branch released xxxx-xx-xx
|
= mbed TLS x.x.x branch released xxxx-xx-xx
|
||||||
|
|
||||||
|
Security
|
||||||
|
* Fix side channel in ECC code that allowed an adversary with access to
|
||||||
|
precise enough timing and memory access information (typically an
|
||||||
|
untrusted operating system attacking a secure enclave) to fully recover
|
||||||
|
an ECDSA private key. Found and reported by Alejandro Cabrera Aldaya,
|
||||||
|
Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
|
||||||
|
|
||||||
Bugfix
|
Bugfix
|
||||||
* Fix compilation failure when both MBEDTLS_SSL_PROTO_DTLS and
|
* Fix compilation failure when both MBEDTLS_SSL_PROTO_DTLS and
|
||||||
MBEDTLS_SSL_HW_RECORD_ACCEL are enabled.
|
MBEDTLS_SSL_HW_RECORD_ACCEL are enabled.
|
||||||
|
@ -1938,6 +1938,20 @@ static int ecp_mul_comb_after_precomp( const mbedtls_ecp_group *grp,
|
|||||||
|
|
||||||
final_norm:
|
final_norm:
|
||||||
#endif
|
#endif
|
||||||
|
/*
|
||||||
|
* Knowledge of the jacobian coordinates may leak the last few bits of the
|
||||||
|
* scalar [1], and since our MPI implementation isn't constant-flow,
|
||||||
|
* inversion (used for coordinate normalization) may leak the full value
|
||||||
|
* of its input via side-channels [2].
|
||||||
|
*
|
||||||
|
* [1] https://eprint.iacr.org/2003/191
|
||||||
|
* [2] https://eprint.iacr.org/2020/055
|
||||||
|
*
|
||||||
|
* Avoid the leak by randomizing coordinates before we normalize them.
|
||||||
|
*/
|
||||||
|
if( f_rng != 0 )
|
||||||
|
MBEDTLS_MPI_CHK( ecp_randomize_jac( grp, RR, f_rng, p_rng ) );
|
||||||
|
|
||||||
MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV );
|
MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV );
|
||||||
MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, RR ) );
|
MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, RR ) );
|
||||||
|
|
||||||
@ -2308,6 +2322,20 @@ static int ecp_mul_mxz( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
|
|||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_swap( &R->Z, &RP.Z, b ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_swap( &R->Z, &RP.Z, b ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Knowledge of the projective coordinates may leak the last few bits of the
|
||||||
|
* scalar [1], and since our MPI implementation isn't constant-flow,
|
||||||
|
* inversion (used for coordinate normalization) may leak the full value
|
||||||
|
* of its input via side-channels [2].
|
||||||
|
*
|
||||||
|
* [1] https://eprint.iacr.org/2003/191
|
||||||
|
* [2] https://eprint.iacr.org/2020/055
|
||||||
|
*
|
||||||
|
* Avoid the leak by randomizing coordinates before we normalize them.
|
||||||
|
*/
|
||||||
|
if( f_rng != NULL )
|
||||||
|
MBEDTLS_MPI_CHK( ecp_randomize_mxz( grp, R, f_rng, p_rng ) );
|
||||||
|
|
||||||
MBEDTLS_MPI_CHK( ecp_normalize_mxz( grp, R ) );
|
MBEDTLS_MPI_CHK( ecp_normalize_mxz( grp, R ) );
|
||||||
|
|
||||||
cleanup:
|
cleanup:
|
||||||
|
Loading…
Reference in New Issue
Block a user