Fix leakage of projective coordinates in ECC

See the comments in the code for how an attack would go, and the ChangeLog
entry for an impact assessment. (For ECDSA, leaking a few bits of the scalar
over several signatures translates to full private key recovery using a
lattice attack.)

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/ChangeLog b/ChangeLog
index bcceebb..491b86a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,13 @@
    * Deprecate MBEDTLS_SSL_HW_RECORD_ACCEL that enables function hooks in the
      SSL module for hardware acceleration of individual records.
 
+Security
+   * Fix side channel in ECC code that allowed an adversary with access to
+     precise enough timing and memory access information (typically an
+     untrusted operating system attacking a secure enclave) to fully recover
+     an ECDSA private key. Found and reported by Alejandro Cabrera Aldaya,
+     Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
+
 Bugfix
    * Fix compilation failure when both MBEDTLS_SSL_PROTO_DTLS and
      MBEDTLS_SSL_HW_RECORD_ACCEL are enabled.
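
Review bot: the new Security entry states the impact only as recovery of "an ECDSA private key" and never says what leaks, whereas the commit title describes the fix as "leakage of projective coordinates in ECC" and the message brings up ECDSA only as a parenthetical case. Consider naming the leak (projective coordinates) in the entry and saying explicitly whether ECC users other than ECDSA signing are affected, so that someone reading only the ChangeLog can judge their exposure without going to the code comments. It would also help to spell out the threat model's second half: the entry says the adversary needs "precise enough timing and memory access information" but not that several signatures are required, which the commit message does say ("over several signatures"). Minor wording: "precise enough timing" reads more cleanly as "sufficiently precise timing".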