See the comments in the code for how an attack would go, and the ChangeLog
entry for an impact assessment. (For ECDSA, leaking a few bits of the scalar
over several signatures translates to full private key recovery using a
lattice attack.)
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This reverts commit 7550e857bf, reversing
changes made to d0c2575324.
stat() will never return S_IFLNK as the file type, as stat()
explicitly follows symlinks.
Fixes#3005.
* origin/mbedtls-2.16:
Fix some pylint warnings
Enable more test cases without MBEDTLS_MEMORY_DEBUG
More accurate test case description
Clarify that the "FATAL" message is expected
Note that mbedtls_ctr_drbg_seed() must not be called twice
Fix CTR_DRBG benchmark
Changelog entry for xxx_drbg_set_entropy_len before xxx_drbg_seed
CTR_DRBG: support set_entropy_len() before seed()
CTR_DRBG: Don't use functions before they're defined
HMAC_DRBG: support set_entropy_len() before seed()
The functions mbedtls_ctr_drbg_random() and
mbedtls_ctr_drbg_random_with_add() could return 0 if an AES function
failed. This could only happen with alternative AES
implementations (the built-in implementation of the AES functions
involved never fail), typically due to a failure in a hardware
accelerator.
Bug reported and fix proposed by Johan Uppman Bruce and Christoffer
Lauri, Sectra.
* restricted/pr/667: (24 commits)
Add ChangeLog entry
mpi_lt_mpi_ct: fix condition handling
mpi_lt_mpi_ct: Add further tests
mpi_lt_mpi_ct: Fix test numbering
mpi_lt_mpi_ct perform tests for both limb size
ct_lt_mpi_uint: cast the return value explicitely
mbedtls_mpi_lt_mpi_ct: add tests for 32 bit limbs
mbedtls_mpi_lt_mpi_ct: simplify condition
Rename variable for better readability
mbedtls_mpi_lt_mpi_ct: Improve documentation
Make mbedtls_mpi_lt_mpi_ct more portable
Bignum: Document assumptions about the sign field
Add more tests for mbedtls_mpi_lt_mpi_ct
mpi_lt_mpi_ct test: hardcode base 16
Document ct_lt_mpi_uint
mpi_lt_mpi_ct: make use of unsigned consistent
ct_lt_mpi_uint: make use of biL
Change mbedtls_mpi_cmp_mpi_ct to check less than
mbedtls_mpi_cmp_mpi_ct: remove multiplications
Remove excess vertical space
...
This issue has been reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
Grant Hernandez, and Kevin Butler (University of Florida) and
Dave Tian (Purdue University).
In AES encrypt and decrypt some variables were left on the stack. The value
of these variables can be used to recover the last round key. To follow best
practice and to limit the impact of buffer overread vulnerabilities (like
Heartbleed) we need to zeroize them before exiting the function.
* origin/pr/2860: (26 commits)
config.pl full: exclude MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
mbedtls_hmac_drbg_set_entropy_len() only matters when reseeding
mbedtls_ctr_drbg_set_entropy_len() only matters when reseeding
mbedtls_ctr_drbg_seed: correct maximum for len
Add a note about CTR_DRBG security strength to config.h
Move MBEDTLS_CTR_DRBG_USE_128_BIT_KEY to the correct section
CTR_DRBG: more consistent formatting and wording
CTR_DRBG documentation: further wording improvements
CTR_DRBG: Improve the explanation of security strength
CTR_DRBG: make it easier to understand the security strength
HMAC_DRBG: note that the initial seeding grabs entropy for the nonce
Use standard terminology to describe the personalization string
Do note that xxx_drbg_random functions reseed with PR enabled
Consistently use \c NULL and \c 0
Also mention HMAC_DRBG in the changelog entry
HMAC_DRBG: improve the documentation of the entropy length
HMAC_DRBG documentation improvements clarifications
More CTR_DRBG documentation improvements and clarifications
Fix wording
Remove warning that the previous expanded discussion has obsoleted
...
This is a documentation-only change, but one that users who care about
NIST compliance may be interested in, to review if they're using the
module in a compliant way.
* origin/mbedtls-2.16:
Changelog entry
Check for zero length and NULL buffer pointer
ssl-opt.sh: wait for proxy to start before running the script further
Adapt ChangeLog
Fix mpi_bigendian_to_host() on bigendian systems
This patch fixes an issue we encountered with more stringent compiler
warnings. The signature_is_good variable has a possibility of being
used uninitialized. This patch moves the use of the variable to a
place where it cannot be used while uninitialized.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
