Use starts/finish around Lucky 13 dummy compressions
Fixes #3246
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/ChangeLog.d/l13-hw-accel.txt b/ChangeLog.d/l13-hw-accel.txt
new file mode 100644
index 0000000..53c7924
--- /dev/null
+++ b/ChangeLog.d/l13-hw-accel.txt
@@ -0,0 +1,7 @@
+Security
+ * Fix issue in Lucky 13 counter-measure that could make it ineffective when
+ hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
+ macros). This would cause the original Lucky 13 attack to be possible in
+ those configurations, allowing an active network attacker to recover
+ plaintext after repeated timing measurements under some conditions.
+ Reported and fix suggested by Luc Perneel in #3246.
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index ae8d076..7fc4bf0 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -1578,6 +1578,8 @@
* linking an extra division function in some builds).
*/
size_t j, extra_run = 0;
+ /* This size is enough to server either as input to
+ * md_process() or as output to md_finish() */
unsigned char tmp[MBEDTLS_MD_MAX_BLOCK_SIZE];
/*
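Review bot: The new comment on the `tmp` declaration has a typo (`server` → `serve`) and leaves the sizing argument implicit, so a reader has to work out why one buffer can be both a dummy input block and a digest; I would write it as `/* Used both as a dummy input block for md_process() and as the digest output of md_finish(); relies on the block size being at least the digest size for every supported hash. */`. If the md layer exposes a maximum-digest-size macro next to MBEDTLS_MD_MAX_BLOCK_SIZE, a compile-time check of that inequality would be stronger than prose, but I can't confirm such a macro from this hunk. Since the later hunk feeds this buffer to md_process() before anything writes to it, declaring it as `unsigned char tmp[MBEDTLS_MD_MAX_BLOCK_SIZE] = { 0 };` would avoid hashing indeterminate stack bytes (and the MemorySanitizer/Valgrind reports that come with them) without affecting the constant-time property. The enclosing function begins before this hunk.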
@@ -1633,10 +1635,15 @@
ssl_read_memory( data + rec->data_len, padlen );
mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect );
- /* Call mbedtls_md_process at least once due to cache attacks
- * that observe whether md_process() was called of not */
+ /* Dummy calls to compression function.
+ * Call mbedtls_md_process at least once due to cache attacks
+ * that observe whether md_process() was called of not.
+ * Respect the usual start-(process|update)-finish sequence for
+ * the sake of hardware accelerators that might require it. */
+ mbedtls_md_starts( &transform->md_ctx_dec );
for( j = 0; j < extra_run + 1; j++ )
mbedtls_md_process( &transform->md_ctx_dec, tmp );
+ mbedtls_md_finish( &transform->md_ctx_dec, tmp );
mbedtls_md_hmac_reset( &transform->md_ctx_dec );
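Review bot: The return values of the new `mbedtls_md_starts()` and `mbedtls_md_finish()` calls, like that of the `mbedtls_md_process()` call in the loop, are discarded, and with an `MBEDTLS_SHAxxx_ALT` backend — the very configuration this change targets — those are the calls most likely to report a failure (accelerator busy, driver error), which would then be invisible and could leave `md_ctx_dec` in a state the following `mbedtls_md_hmac_reset()` is not guaranteed to recover from. I would check each of the three and bail out in the function's usual way, e.g. `if( ( ret = mbedtls_md_starts( &transform->md_ctx_dec ) ) != 0 ) return( ret );`, with the same pattern on the process call inside the loop and on the finish call; the exact error variable and return path are a guess, since the enclosing function starts before this hunk and its error-return variable is not visible here. Aborting on a driver error does not reintroduce a padding-dependent timing difference, because the number of calls made before the error is still fixed by `extra_run` rather than by the error. It is also worth noting in the comment that the dummy `mbedtls_md_finish()` is needed for accelerators that hold state across the whole starts/process/finish sequence, so a future cleanup does not drop it as redundant.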