commit 10fcdd25d4a64c4ae3be875608cf53dfc723d233
author Jaeden Amero <jaeden.amero@arm.com> Tue Nov 12 10:37:27 2019 +0000
committer GitHub <noreply@github.com> Tue Nov 12 10:37:27 2019 +0000
tree ea2484b8310120fa52ea2945667935f18ca223dc
parent c87a54683bb520d2b91280457474e026bb56ba73
parent 5cf41f80a4cc7ce35ff64deb65a85d05ff275e02

Merge pull request #664 from ARMmbed/dev/yanesca/iotcrypt-958-ecdsa-side-channel-fix-2.7

Backport 2.7: ECDSA side channel fix

ChangeLog

diff --git a/ChangeLog b/ChangeLog
index 16982a0..d84a364 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,13 @@
 
 = mbed TLS 2.7.x branch released xxxx-xx-xx
 
+Security
+   * Fix side channel vulnerability in ECDSA. Our bignum implementation is not
+     constant time/constant trace, so side channel attacks can retrieve the
+     blinded value, factor it (as it is smaller than RSA keys and not guaranteed
+     to have only large prime factors), and then, by brute force, recover the
+     key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
+
 Changes
    * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
      from the cipher abstraction layer. Fixes #2198.

library/ecdsa.c

diff --git a/library/ecdsa.c b/library/ecdsa.c
index c635a50..24bf734 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -153,6 +153,7 @@
         MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &e, &e, s ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &e, &e, &t ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &k, &k, &t ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &k, &k, &grp->N ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( s, &k, &grp->N ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, s, &e ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( s, s, &grp->N ) );