authorManuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>2020-06-23 10:43:13 +0200
committerGitHub <noreply@github.com>2020-06-23 10:43:13 +0200
commit1c7d54a209c8076f5fdb8b7c0f0aef9194d01a39 (patch)
tree956677d439ceb7752bff5ab2bfc5b2780cee0c58
parent3b46f9e86478b5fb2c21d0228c58d66a578e19ed (diff)
parentf4e3fc91336296f97ce89c7b144c28b3056550e4 (diff)
downloadmbed-tls-1c7d54a209c8076f5fdb8b7c0f0aef9194d01a39.tar.gz
Merge pull request #700 from mpg/l13-hw-starts-finish-restricted
Lucky 13: just use starts/finish around calls to process()
-rw-r--r--ChangeLog.d/l13-hw-accel.txt7
-rw-r--r--library/ssl_msg.c11
2 files changed, 16 insertions, 2 deletions
diff --git a/ChangeLog.d/l13-hw-accel.txt b/ChangeLog.d/l13-hw-accel.txt
new file mode 100644
index 000000000..53c79243b
--- /dev/null
+++ b/ChangeLog.d/l13-hw-accel.txt
@@ -0,0 +1,7 @@
+Security
+ * Fix issue in Lucky 13 counter-measure that could make it ineffective when
+ hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
+ macros). This would cause the original Lucky 13 attack to be possible in
+ those configurations, allowing an active network attacker to recover
+ plaintext after repeated timing measurements under some conditions.
+ Reported and fix suggested by Luc Perneel in #3246.
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index ae8d07653..7fc4bf01d 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -1578,6 +1578,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
* linking an extra division function in some builds).
*/
size_t j, extra_run = 0;
+ /* This size is enough to server either as input to
+ * md_process() or as output to md_finish() */
unsigned char tmp[MBEDTLS_MD_MAX_BLOCK_SIZE];
/*
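Review bot: The new comment on `tmp` has a typo (`enough to server either` → `serve`) and would be more useful if it named the invariant it relies on, e.g. `/* Large enough to serve both as input to md_process() (one block) and as output of md_finish() (one digest; for the hashes supported here a digest is never larger than a block) */`. Separately, `tmp` is declared here but, as far as this hunk shows, never written before it is fed to `mbedtls_md_process` later in the function, so the dummy compression runs over indeterminate stack bytes; a `memset( tmp, 0, sizeof( tmp ) );` right after the declaration would keep MemorySanitizer/Valgrind quiet without changing the timing behaviour the countermeasure depends on. `mbedtls_ssl_decrypt_buf` starts and ends outside this hunk.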
@@ -1633,10 +1635,15 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
ssl_read_memory( data + rec->data_len, padlen );
mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect );
- /* Call mbedtls_md_process at least once due to cache attacks
- * that observe whether md_process() was called of not */
+ /* Dummy calls to compression function.
+ * Call mbedtls_md_process at least once due to cache attacks
+ * that observe whether md_process() was called of not.
+ * Respect the usual start-(process|update)-finish sequence for
+ * the sake of hardware accelerators that might require it. */
+ mbedtls_md_starts( &transform->md_ctx_dec );
for( j = 0; j < extra_run + 1; j++ )
mbedtls_md_process( &transform->md_ctx_dec, tmp );
+ mbedtls_md_finish( &transform->md_ctx_dec, tmp );
mbedtls_md_hmac_reset( &transform->md_ctx_dec );
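Review bot: The dummy `mbedtls_md_starts`, `mbedtls_md_process` and `mbedtls_md_finish` calls discard their return codes, so on an `MBEDTLS_SHAxxx_ALT` backend that reports a failure — precisely the configuration this commit is fixing — the padding-length-dependent work can be skipped silently and the Lucky 13 countermeasure degrades with no signal to the caller. The pre-existing `mbedtls_md_hmac_finish` call above has the same gap, so this matches the surrounding style, but given the accelerator motivation it seems worth checking each one, e.g. `if( mbedtls_md_starts( &transform->md_ctx_dec ) != 0 ) return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );` and likewise for the process loop and `mbedtls_md_finish`, using whatever error code the rest of `mbedtls_ssl_decrypt_buf` returns for internal failures. The rewritten comment also carries over the old typo `was called of not` → `or not`. `mbedtls_ssl_decrypt_buf` starts and ends outside this hunk.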