commit e170ee7e1823650dfe51d7ffc5ff01b2ac1ec476
author Janos Follath <janos.follath@arm.com> Wed Apr 08 15:17:20 2020 +0100
committer Janos Follath <janos.follath@arm.com> Wed Apr 08 15:17:55 2020 +0100
tree 5888d7a4cf5f160ccb5df02e0f3b7157e827f721
parent c8355101c904d65533dd20642f25a54669639dcd
parent e4ec3f7d1c7165650a24a750e7bc2d9593dda828

Merge branch 'mbedtls-2.7-restricted' into mbedtls-2.7.15r0

Signed-off-by: Janos Follath <janos.follath@arm.com>

ChangeLog

diff --git a/ChangeLog b/ChangeLog
index 9e0abd7..5da19e8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,11 @@
      could use that to obtain a Denial of Service. This could only happen when
      MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE was enabled in config.h (which it is
      by default).
+   * Fix side channel in ECC code that allowed an adversary with access to
+     precise enough timing and memory access information (typically an
+     untrusted operating system attacking a secure enclave) to fully recover
+     an ECDSA private key. Found and reported by Alejandro Cabrera Aldaya,
+     Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
 
 Bugfix
    * Fix compilation failure when both MBEDTLS_SSL_PROTO_DTLS and

library/ecp.c

diff --git a/library/ecp.c b/library/ecp.c
index d1ea748..108695b 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -1444,6 +1444,20 @@
      * Now get m * P from M * P and normalize it
      */
     MBEDTLS_MPI_CHK( ecp_safe_invert_jac( grp, R, ! m_is_odd ) );
+
+    /*
+     * Knowledge of the jacobian coordinates may leak the last few bits of the
+     * scalar [1], and since our MPI implementation isn't constant-flow,
+     * inversion (used for coordinate normalization) may leak the full value
+     * of its input via side-channels [2].
+     *
+     * [1] https://eprint.iacr.org/2003/191
+     * [2] https://eprint.iacr.org/2020/055
+     *
+     * Avoid the leak by randomizing coordinates before we normalize them.
+     */
+    if( f_rng != 0 )
+        MBEDTLS_MPI_CHK( ecp_randomize_jac( grp, R, f_rng, p_rng ) );
     MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, R ) );
 
 cleanup:
@@ -1664,6 +1678,20 @@
         MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_swap( &R->Z, &RP.Z, b ) );
     }
 
+    /*
+     * Knowledge of the projective coordinates may leak the last few bits of the
+     * scalar [1], and since our MPI implementation isn't constant-flow,
+     * inversion (used for coordinate normalization) may leak the full value
+     * of its input via side-channels [2].
+     *
+     * [1] https://eprint.iacr.org/2003/191
+     * [2] https://eprint.iacr.org/2020/055
+     *
+     * Avoid the leak by randomizing coordinates before we normalize them.
+     */
+    if( f_rng != NULL )
+        MBEDTLS_MPI_CHK( ecp_randomize_mxz( grp, R, f_rng, p_rng ) );
+
     MBEDTLS_MPI_CHK( ecp_normalize_mxz( grp, R ) );
 
 cleanup: