mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-26 21:05:37 +01:00
Merge pull request #705 from mpg/l13-hw-starts-finish-2.7-restricted
[backport 2.7] Use starts/finish around Lucky 13 dummy compressions
This commit is contained in:
commit
f2027b5c46
7
ChangeLog.d/l13-hw-accel.txt
Normal file
7
ChangeLog.d/l13-hw-accel.txt
Normal file
@ -0,0 +1,7 @@
|
||||
Security
|
||||
* Fix issue in Lucky 13 counter-measure that could make it ineffective when
|
||||
hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
|
||||
macros). This would cause the original Lucky 13 attack to be possible in
|
||||
those configurations, allowing an active network attacker to recover
|
||||
plaintext after repeated timing measurements under some conditions.
|
||||
Reported and fix suggested by Luc Perneel in #3246.
|
@ -2092,10 +2092,20 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
|
||||
ssl_read_memory( ssl->in_msg + ssl->in_msglen, padlen );
|
||||
mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect );
|
||||
|
||||
/* Call mbedtls_md_process at least once due to cache attacks
|
||||
* that observe whether md_process() was called of not */
|
||||
/* Dummy calls to compression function.
|
||||
* Call mbedtls_md_process at least once due to cache attacks
|
||||
* that observe whether md_process() was called of not.
|
||||
* Respect the usual start-(process|update)-finish sequence for
|
||||
* the sake of hardware accelerators that might require it. */
|
||||
mbedtls_md_starts( &ssl->transform_in->md_ctx_dec );
|
||||
for( j = 0; j < extra_run + 1; j++ )
|
||||
mbedtls_md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
|
||||
{
|
||||
/* The switch statement above already checks that we're using
|
||||
* one of MD-5, SHA-1, SHA-256 or SHA-384. */
|
||||
unsigned char tmp[384 / 8];
|
||||
mbedtls_md_finish( &ssl->transform_in->md_ctx_dec, tmp );
|
||||
}
|
||||
|
||||
mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user