Merge remote-tracking branch 'restricted/pr/666' into mbedtls-2.7-restricted

* restricted/pr/666: (24 commits)
  Add ChangeLog entry
  mpi_lt_mpi_ct: fix condition handling
  mpi_lt_mpi_ct: Add further tests
  mpi_lt_mpi_ct: Fix test numbering
  mpi_lt_mpi_ct perform tests for both limb size
  ct_lt_mpi_uint: cast the return value explicitely
  mbedtls_mpi_lt_mpi_ct: add tests for 32 bit limbs
  mbedtls_mpi_lt_mpi_ct: simplify condition
  Rename variable for better readability
  mbedtls_mpi_lt_mpi_ct: Improve documentation
  Make mbedtls_mpi_lt_mpi_ct more portable
  Bignum: Document assumptions about the sign field
  Add more tests for mbedtls_mpi_lt_mpi_ct
  mpi_lt_mpi_ct test: hardcode base 16
  Document ct_lt_mpi_uint
  mpi_lt_mpi_ct: make use of unsigned consistent
  ct_lt_mpi_uint: make use of biL
  Change mbedtls_mpi_cmp_mpi_ct to check less than
  mbedtls_mpi_cmp_mpi_ct: remove multiplications
  Remove excess vertical space
  ...
diff --git a/ChangeLog b/ChangeLog
index ee020ab..c958301 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,19 @@
 = mbed TLS 2.7.x branch released xxxx-xx-xx
 
 Security
+   * Fix side channel vulnerability in ECDSA. Our bignum implementation is not
+     constant time/constant trace, so side channel attacks can retrieve the
+     blinded value, factor it (as it is smaller than RSA keys and not guaranteed
+     to have only large prime factors), and then, by brute force, recover the
+     key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
+   * Zeroize local variables in mbedtls_internal_aes_encrypt() and
+     mbedtls_internal_aes_decrypt() before exiting the function. The value of
+     these variables can be used to recover the last round key. To follow best
+     practice and to limit the impact of buffer overread vulnerabilities (like
+     Heartbleed) we need to zeroize them before exiting the function.
+     Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
+     Grant Hernandez, and Kevin Butler (University of Florida) and
+     Dave Tian (Purdue University).
    * Fix side channel vulnerability in ECDSA key generation. Obtaining precise
      timings on the comparison in the key generation enabled the attacker to
      learn leading bits of the ephemeral key used during ECDSA signatures and to
diff --git a/library/aes.c b/library/aes.c
index 3d2eac8..beeecae 100644
--- a/library/aes.c
+++ b/library/aes.c
@@ -761,6 +761,18 @@
     PUT_UINT32_LE( X2, output,  8 );
     PUT_UINT32_LE( X3, output, 12 );
 
+    mbedtls_zeroize( &X0, sizeof( X0 ) );
+    mbedtls_zeroize( &X1, sizeof( X1 ) );
+    mbedtls_zeroize( &X2, sizeof( X2 ) );
+    mbedtls_zeroize( &X3, sizeof( X3 ) );
+
+    mbedtls_zeroize( &Y0, sizeof( Y0 ) );
+    mbedtls_zeroize( &Y1, sizeof( Y1 ) );
+    mbedtls_zeroize( &Y2, sizeof( Y2 ) );
+    mbedtls_zeroize( &Y3, sizeof( Y3 ) );
+
+    mbedtls_zeroize( &RK, sizeof( RK ) );
+
     return( 0 );
 }
 #endif /* !MBEDTLS_AES_ENCRYPT_ALT */
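Review bot: The nine `mbedtls_zeroize` calls added before `return( 0 )` clear only what reaches the stack: taking the address of each scalar forces a spill, but any copy the compiler kept in a register during the last round is untouched, so the scrub is best-effort rather than a guarantee (the same applies to the identical block in the decrypt hunk below). `RK`, which appears to be the pointer into the context's round-key schedule, is cleared as a pointer only; the key material it points to presumably stays in the context, which looks intended since the context owns it. A short why-comment would save the next reader from wondering why plain scalars are being scrubbed: `/* Scrub the round state so a later over-read of this stack frame cannot recover the last round key. */`. The enclosing functions start outside the hunks.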
@@ -829,6 +841,18 @@
     PUT_UINT32_LE( X2, output,  8 );
     PUT_UINT32_LE( X3, output, 12 );
 
+    mbedtls_zeroize( &X0, sizeof( X0 ) );
+    mbedtls_zeroize( &X1, sizeof( X1 ) );
+    mbedtls_zeroize( &X2, sizeof( X2 ) );
+    mbedtls_zeroize( &X3, sizeof( X3 ) );
+
+    mbedtls_zeroize( &Y0, sizeof( Y0 ) );
+    mbedtls_zeroize( &Y1, sizeof( Y1 ) );
+    mbedtls_zeroize( &Y2, sizeof( Y2 ) );
+    mbedtls_zeroize( &Y3, sizeof( Y3 ) );
+
+    mbedtls_zeroize( &RK, sizeof( RK ) );
+
     return( 0 );
 }
 #endif /* !MBEDTLS_AES_DECRYPT_ALT */
diff --git a/library/ecdsa.c b/library/ecdsa.c
index c635a50..24bf734 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -153,6 +153,7 @@
         MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &e, &e, s ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &e, &e, &t ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &k, &k, &t ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &k, &k, &grp->N ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( s, &k, &grp->N ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, s, &e ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( s, s, &grp->N ) );
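Review bot: The added `mbedtls_mpi_mod_mpi( &k, &k, &grp->N )` is the whole fix but carries no comment explaining why the reduction must sit between the blinding multiplication and `mbedtls_mpi_inv_mod()`; a later cleanup could easily drop it as redundant, since `mbedtls_mpi_inv_mod()` already works modulo N. Per the ChangeLog entry in this same commit, the bignum routines are not constant-time, so inverting the unreduced product k·t exposes a value whose structure can be factored to strip the blinding, whereas reducing first leaves only a value bounded by N. Suggest annotating the line: `/* Reduce k*t mod N before inverting: mbedtls_mpi_inv_mod() is not constant-time and must not operate on the factorable blinded product. */`. The enclosing function starts and ends outside the hunk.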