Google Git
Sign in
fuchsia / third_party / github.com / ARMmbed / mbedtls / 816305b8f5581cfdd87dd92dbbad1d8d6dc14e63^1..816305b8f5581cfdd87dd92dbbad1d8d6dc14e63 / .
commit816305b8f5581cfdd87dd92dbbad1d8d6dc14e63[log] [tgz]
authorJanos Follath <janos.follath@arm.com>Wed Apr 08 15:09:26 2020 +0100
committerJanos Follath <janos.follath@arm.com>Wed Apr 08 15:12:15 2020 +0100
tree43ecb0b2eda5c17c66e3d6c083750c9f5a763744
parent84751ec1d449da294248f61a0b75abaa18f15c58 [diff]
parent3a1b209f9edaa0b3331b92d8d94b5c60a2ccae5a [diff]
Merge branch 'mbedtls-2.16-restricted' into mbedtls-2.16.6r0

Signed-off-by: Janos Follath <janos.follath@arm.com>

diff --git a/ChangeLog b/ChangeLog
index 6ec1e7ec..64c72a5 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -2,6 +2,13 @@
 
 = mbed TLS x.x.x branch released xxxx-xx-xx
 
+Security
+   * Fix side channel in ECC code that allowed an adversary with access to
+     precise enough timing and memory access information (typically an
+     untrusted operating system attacking a secure enclave) to fully recover
+     an ECDSA private key. Found and reported by Alejandro Cabrera Aldaya,
+     Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
+
 Bugfix
    * Fix compilation failure when both MBEDTLS_SSL_PROTO_DTLS and
      MBEDTLS_SSL_HW_RECORD_ACCEL are enabled.

diff --git a/library/ecp.c b/library/ecp.c
index 040c20b..725e176 100644
--- a/library/ecp.c
+++ b/library/ecp.c

@@ -1938,6 +1938,20 @@
 
 final_norm:
 #endif
+    /*
+     * Knowledge of the jacobian coordinates may leak the last few bits of the
+     * scalar [1], and since our MPI implementation isn't constant-flow,
+     * inversion (used for coordinate normalization) may leak the full value
+     * of its input via side-channels [2].
+     *
+     * [1] https://eprint.iacr.org/2003/191
+     * [2] https://eprint.iacr.org/2020/055
+     *
+     * Avoid the leak by randomizing coordinates before we normalize them.
+     */
+    if( f_rng != 0 )
+        MBEDTLS_MPI_CHK( ecp_randomize_jac( grp, RR, f_rng, p_rng ) );
+
     MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV );
     MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, RR ) );
 
@@ -2308,6 +2322,20 @@
         MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_swap( &R->Z, &RP.Z, b ) );
     }
 
+    /*
+     * Knowledge of the projective coordinates may leak the last few bits of the
+     * scalar [1], and since our MPI implementation isn't constant-flow,
+     * inversion (used for coordinate normalization) may leak the full value
+     * of its input via side-channels [2].
+     *
+     * [1] https://eprint.iacr.org/2003/191
+     * [2] https://eprint.iacr.org/2020/055
+     *
+     * Avoid the leak by randomizing coordinates before we normalize them.
+     */
+    if( f_rng != NULL )
+        MBEDTLS_MPI_CHK( ecp_randomize_mxz( grp, R, f_rng, p_rng ) );
+
     MBEDTLS_MPI_CHK( ecp_normalize_mxz( grp, R ) );
 
 cleanup: