Merge remote-tracking branch 'upstream-restricted/pr/556' into mbedtls-2.16-restricted

commit: 33f66ba6fd234114aa37f0209dac031bb2870a9b [log] [tgz]
author: Gilles Peskine <Gilles.Peskine@arm.com> Wed Aug 14 16:37:16 2019 +0200
committer: Gilles Peskine <Gilles.Peskine@arm.com> Wed Aug 14 16:38:26 2019 +0200
tree: 5f6dbb6f006c75527668b654067c209bf7b2de3a
parent: 3a930650c8a2cbfda3649ec9646c06b4b9f62210 [diff] [blame]
parent: 7ffe827fca0a2bdc24b4708486f60f91762c6b19 [diff] [blame]
diff --git a/ChangeLog b/ChangeLog
index 5e89480..2a87665 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -6,6 +6,16 @@
    * Fix a missing error detection in ECJPAKE. This could have caused a
      predictable shared secret if a hardware accelerator failed and the other
      side of the key exchange had a similar bug.
+   * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
+     implement blinding. Because of this for the same key and message the same
+     blinding value was generated. This reduced the effectiveness of the
+     countermeasure and leaked information about the private key through side
+     channels. Reported by Jack Lloyd.
+
+API Changes
+   * The new function mbedtls_ecdsa_sign_det_ext() is similar to
+     mbedtls_ecdsa_sign_det() but allows passing an external RNG for the
+     purpose of blinding.
 
 Bugfix
    * Fix to allow building test suites with any warning that detects unused
commit	33f66ba6fd234114aa37f0209dac031bb2870a9b	[log] [tgz]
author	Gilles Peskine <Gilles.Peskine@arm.com>	Wed Aug 14 16:37:16 2019 +0200
committer	Gilles Peskine <Gilles.Peskine@arm.com>	Wed Aug 14 16:38:26 2019 +0200
tree	5f6dbb6f006c75527668b654067c209bf7b2de3a
parent	3a930650c8a2cbfda3649ec9646c06b4b9f62210 [diff] [blame]
parent	7ffe827fca0a2bdc24b4708486f60f91762c6b19 [diff] [blame]