From 8352797c440e259f767193ac22c6472680becad1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Thu, 18 Jun 2020 11:30:40 +0200
Subject: [PATCH] Use starts/finish around Lucky 13 dummy compressions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes #3246
Signed-off-by: Manuel Pégourié-Gonnard
---
 ChangeLog.d/l13-hw-accel.txt | 7 +++++++
 library/ssl_tls.c | 14 ++++++++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 ChangeLog.d/l13-hw-accel.txt
diff --git a/ChangeLog.d/l13-hw-accel.txt b/ChangeLog.d/l13-hw-accel.txt
new file mode 100644
index 000000000..53c79243b
--- /dev/null
+++ b/ChangeLog.d/l13-hw-accel.txt
@@ -0,0 +1,7 @@
+Security
+ * Fix issue in Lucky 13 counter-measure that could make it ineffective when
+ hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
+ macros). This would cause the original Lucky 13 attack to be possible in
+ those configurations, allowing an active network attacker to recover
+ plaintext after repeated timing measurements under some conditions.
+ Reported and fix suggested by Luc Perneel in #3246.
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 60357e262..25a43bb38 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2092,10 +2092,20 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
 ssl_read_memory( ssl->in_msg + ssl->in_msglen, padlen );
 mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect );
- /* Call mbedtls_md_process at least once due to cache attacks
- * that observe whether md_process() was called of not */
+ /* Dummy calls to compression function.
+ * Call mbedtls_md_process at least once due to cache attacks
+ * that observe whether md_process() was called of not.
+ * Respect the usual start-(process|update)-finish sequence for
+ * the sake of hardware accelerators that might require it. */
+ mbedtls_md_starts( &ssl->transform_in->md_ctx_dec );
 for( j = 0; j < extra_run + 1; j++ )
 mbedtls_md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
+ {
+ /* The switch statement above already checks that we're using
+ * one of MD-5, SHA-1, SHA-256 or SHA-384. */
+ unsigned char tmp[384 / 8];
+ mbedtls_md_finish( &ssl->transform_in->md_ctx_dec, tmp );
+ }
 mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );
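Review bot: The three new md calls in this hunk — `mbedtls_md_starts`, the `mbedtls_md_process` loop and `mbedtls_md_finish` into `tmp` — all discard their return values, so on precisely the MBEDTLS_SHAxxx_ALT builds this commit targets, an accelerator that rejects `starts` or refuses `process` would silently skip the dummy work and the Lucky 13 timing gap would reappear with nothing logged. Because these compressions exist only to equalise timing, failing the record on a non-zero return is the safer failure mode, and the failure is not data-dependent, so an early return does not reopen the side channel. I would check each call as sketched below, which presumes `ret` and `MBEDTLS_SSL_DEBUG_RET` are available in ssl_decrypt_buf as they appear to be elsewhere in this file; both are declared outside the hunk, so confirm before applying. ssl_decrypt_buf begins and ends outside the hunk.
```c
            /* … unchanged: comment explaining the dummy compressions … */
            if( ( ret = mbedtls_md_starts( &ssl->transform_in->md_ctx_dec ) ) != 0 )
            {
                MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_starts", ret );
                return( ret );
            }
            for( j = 0; j < extra_run + 1; j++ )
            {
                if( ( ret = mbedtls_md_process( &ssl->transform_in->md_ctx_dec,
                                                ssl->in_msg ) ) != 0 )
                {
                    MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_process", ret );
                    return( ret );
                }
            }
            {
                /* The switch statement above already checks that we're using
                 * one of MD-5, SHA-1, SHA-256 or SHA-384. */
                unsigned char tmp[384 / 8];
                if( ( ret = mbedtls_md_finish( &ssl->transform_in->md_ctx_dec,
                                               tmp ) ) != 0 )
                {
                    MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_finish", ret );
                    return( ret );
                }
            }
            /* … unchanged: mbedtls_md_hmac_reset … */
```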