Use starts/finish around Lucky 13 dummy compressions

Fixes #3246 Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-11-22 16:55:42 +01:00 · 2020-06-12 11:14:35 +02:00 · 2020-06-12 11:14:35 +02:00 · f4e3fc9133
commit f4e3fc9133
parent 1fc09be3ea
2 changed files with 16 additions and 2 deletions
--- a/ChangeLog.d/l13-hw-accel.txt
+++ b/ChangeLog.d/l13-hw-accel.txt
@ -0,0 +1,7 @@
+Security
+   * Fix issue in Lucky 13 counter-measure that could make it ineffective when
+     hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
+     macros). This would cause the original Lucky 13 attack to be possible in
+     those configurations, allowing an active network attacker to recover
+     plaintext after repeated timing measurements under some conditions.
+     Reported and fix suggested by Luc Perneel in #3246.
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@ -1578,6 +1578,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
             * linking an extra division function in some builds).
             */
            size_t j, extra_run = 0;
+            /* This size is enough to server either as input to
+             * md_process() or as output to md_finish() */
            unsigned char tmp[MBEDTLS_MD_MAX_BLOCK_SIZE];

            /*
@ -1633,10 +1635,15 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
            ssl_read_memory( data + rec->data_len, padlen );
            mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect );

-            /* Call mbedtls_md_process at least once due to cache attacks
-             * that observe whether md_process() was called of not */
+            /* Dummy calls to compression function.
+             * Call mbedtls_md_process at least once due to cache attacks
+             * that observe whether md_process() was called of not.
+             * Respect the usual start-(process|update)-finish sequence for
+             * the sake of hardware accelerators that might require it. */
+            mbedtls_md_starts( &transform->md_ctx_dec );
            for( j = 0; j < extra_run + 1; j++ )
                mbedtls_md_process( &transform->md_ctx_dec, tmp );
+            mbedtls_md_finish( &transform->md_ctx_dec, tmp );

            mbedtls_md_hmac_reset( &transform->md_ctx_dec );