author | Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> | 2020-06-23 10:43:13 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-06-23 10:43:13 +0200 |
commit | 1c7d54a209c8076f5fdb8b7c0f0aef9194d01a39 (patch) | |
tree | 956677d439ceb7752bff5ab2bfc5b2780cee0c58 | |
parent | 3b46f9e86478b5fb2c21d0228c58d66a578e19ed (diff) | |
parent | f4e3fc91336296f97ce89c7b144c28b3056550e4 (diff) | |
download | mbed-tls-1c7d54a209c8076f5fdb8b7c0f0aef9194d01a39.tar.gz |
Merge pull request #700 from mpg/l13-hw-starts-finish-restricted
Lucky 13: just use starts/finish around calls to process()
-rw-r--r-- | ChangeLog.d/l13-hw-accel.txt | 7 | ||||
-rw-r--r-- | library/ssl_msg.c | 11 |
2 files changed, 16 insertions, 2 deletions
diff --git a/ChangeLog.d/l13-hw-accel.txt b/ChangeLog.d/l13-hw-accel.txt
new file mode 100644
index 000000000..53c79243b
--- /dev/null
+++ b/ChangeLog.d/l13-hw-accel.txt
@@ -0,0 +1,7 @@
+Security
+ * Fix issue in Lucky 13 counter-measure that could make it ineffective when
+ hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
+ macros). This would cause the original Lucky 13 attack to be possible in
+ those configurations, allowing an active network attacker to recover
+ plaintext after repeated timing measurements under some conditions.
+ Reported and fix suggested by Luc Perneel in #3246.
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index ae8d07653..7fc4bf01d 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -1578,6 +1578,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
 * linking an extra division function in some builds). */
 size_t j, extra_run = 0;
+ /* This size is enough to server either as input to
+ * md_process() or as output to md_finish() */
 unsigned char tmp[MBEDTLS_MD_MAX_BLOCK_SIZE];
 /*
@@ -1633,10 +1635,15 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
 ssl_read_memory( data + rec->data_len, padlen );
 mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect );
- /* Call mbedtls_md_process at least once due to cache attacks
- * that observe whether md_process() was called of not */
+ /* Dummy calls to compression function.
+ * Call mbedtls_md_process at least once due to cache attacks
+ * that observe whether md_process() was called of not.
+ * Respect the usual start-(process|update)-finish sequence for
+ * the sake of hardware accelerators that might require it. */
+ mbedtls_md_starts( &transform->md_ctx_dec );
 for( j = 0; j < extra_run + 1; j++ )
 mbedtls_md_process( &transform->md_ctx_dec, tmp );
+ mbedtls_md_finish( &transform->md_ctx_dec, tmp );
 mbedtls_md_hmac_reset( &transform->md_ctx_dec ); |
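Review bot: The return values of the newly added `mbedtls_md_starts()` and `mbedtls_md_finish()` calls in the second ssl_msg.c hunk are discarded, as `mbedtls_md_process()`'s already was, so an `MBEDTLS_SHAxxx_ALT` accelerator whose starts/finish fails would leave the context in whatever state the driver left it and the decrypt path would silently go on to `mbedtls_md_hmac_reset()` it. Since this starts/process/finish sequence is the timing countermeasure the commit is restoring for exactly those accelerator builds, the failure should either be propagated, e.g. `if( ( ret = mbedtls_md_starts( &transform->md_ctx_dec ) ) != 0 ) return( ret );` if the function's usual `ret` is in scope (its declaration is outside the hunk), or at least be made explicit with a `(void)` cast and a comment stating that the dummy calls are best-effort and their result is intentionally ignored. Separately, the comment added in the first hunk has a typo and should read `/* This size is enough to serve either as input to`, and the pre-existing `of not` in the rewritten comment should be `or not`. mbedtls_ssl_decrypt_buf() starts and ends outside both hunks.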