Merge pull request #705 from mpg/l13-hw-starts-finish-2.7-restricted

[backport 2.7] Use starts/finish around Lucky 13 dummy compressions

ChangeLog.d/l13-hw-accel.txt

@@ -0,0 +1,7 @@
+Security
+   * Fix issue in Lucky 13 counter-measure that could make it ineffective when
+     hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
+     macros). This would cause the original Lucky 13 attack to be possible in
+     those configurations, allowing an active network attacker to recover
+     plaintext after repeated timing measurements under some conditions.
+     Reported and fix suggested by Luc Perneel in #3246.

library/ssl_tls.c

@@ -2092,10 +2092,20 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
             ssl_read_memory( ssl->in_msg + ssl->in_msglen, padlen );
             mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect );
 
-            /* Call mbedtls_md_process at least once due to cache attacks
+            /* Dummy calls to compression function.
-             * that observe whether md_process() was called of not */
+             * Call mbedtls_md_process at least once due to cache attacks
+             * that observe whether md_process() was called of not.
+             * Respect the usual start-(process|update)-finish sequence for
+             * the sake of hardware accelerators that might require it. */
+            mbedtls_md_starts( &ssl->transform_in->md_ctx_dec );
             for( j = 0; j < extra_run + 1; j++ )
                 mbedtls_md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
+            {
+                /* The switch statement above already checks that we're using
+                 * one of MD-5, SHA-1, SHA-256 or SHA-384. */
+                unsigned char tmp[384 / 8];
+                mbedtls_md_finish( &ssl->transform_in->md_ctx_dec, tmp );
+            }
 
             mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );