mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-26 19:45:37 +01:00
Merge pull request #677 from ARMmbed/ecc-projective-2.7-restricted
[backport 2.7] Fix leakage of projective coordinates in ECC
This commit is contained in:
commit
e4ec3f7d1c
@ -2,6 +2,13 @@ mbed TLS ChangeLog (Sorted per branch, date)
|
||||
|
||||
= mbed TLS x.x.x branch released xxxx-xx-xx
|
||||
|
||||
Security
|
||||
* Fix side channel in ECC code that allowed an adversary with access to
|
||||
precise enough timing and memory access information (typically an
|
||||
untrusted operating system attacking a secure enclave) to fully recover
|
||||
an ECDSA private key. Found and reported by Alejandro Cabrera Aldaya,
|
||||
Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
|
||||
|
||||
Bugfix
|
||||
* Fix compilation failure when both MBEDTLS_SSL_PROTO_DTLS and
|
||||
MBEDTLS_SSL_HW_RECORD_ACCEL are enabled.
|
||||
|
@ -1444,6 +1444,20 @@ static int ecp_mul_comb( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
|
||||
* Now get m * P from M * P and normalize it
|
||||
*/
|
||||
MBEDTLS_MPI_CHK( ecp_safe_invert_jac( grp, R, ! m_is_odd ) );
|
||||
|
||||
/*
|
||||
* Knowledge of the jacobian coordinates may leak the last few bits of the
|
||||
* scalar [1], and since our MPI implementation isn't constant-flow,
|
||||
* inversion (used for coordinate normalization) may leak the full value
|
||||
* of its input via side-channels [2].
|
||||
*
|
||||
* [1] https://eprint.iacr.org/2003/191
|
||||
* [2] https://eprint.iacr.org/2020/055
|
||||
*
|
||||
* Avoid the leak by randomizing coordinates before we normalize them.
|
||||
*/
|
||||
if( f_rng != 0 )
|
||||
MBEDTLS_MPI_CHK( ecp_randomize_jac( grp, R, f_rng, p_rng ) );
|
||||
MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, R ) );
|
||||
|
||||
cleanup:
|
||||
@ -1664,6 +1678,20 @@ static int ecp_mul_mxz( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_swap( &R->Z, &RP.Z, b ) );
|
||||
}
|
||||
|
||||
/*
|
||||
* Knowledge of the projective coordinates may leak the last few bits of the
|
||||
* scalar [1], and since our MPI implementation isn't constant-flow,
|
||||
* inversion (used for coordinate normalization) may leak the full value
|
||||
* of its input via side-channels [2].
|
||||
*
|
||||
* [1] https://eprint.iacr.org/2003/191
|
||||
* [2] https://eprint.iacr.org/2020/055
|
||||
*
|
||||
* Avoid the leak by randomizing coordinates before we normalize them.
|
||||
*/
|
||||
if( f_rng != NULL )
|
||||
MBEDTLS_MPI_CHK( ecp_randomize_mxz( grp, R, f_rng, p_rng ) );
|
||||
|
||||
MBEDTLS_MPI_CHK( ecp_normalize_mxz( grp, R ) );
|
||||
|
||||
cleanup:
|
||||
|
Loading…
Reference in New Issue
Block a user