Merge remote-tracking branch 'restricted/pr/669' into mbedtls-2.16-restricted
* restricted/pr/669:
Zeroize local AES variables before exiting the function
diff --git a/ChangeLog b/ChangeLog
index 71f927a..994e18d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,11 @@
= mbed TLS 2.16.x branch released xxxx-xx-xx
Security
+ * Fix side channel vulnerability in ECDSA. Our bignum implementation is not
+ constant time/constant trace, so side channel attacks can retrieve the
+ blinded value, factor it (as it is smaller than RSA keys and not guaranteed
+ to have only large prime factors), and then, by brute force, recover the
+ key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
* Zeroize local variables in mbedtls_internal_aes_encrypt() and
mbedtls_internal_aes_decrypt() before exiting the function. The value of
these variables can be used to recover the last round key. To follow best
diff --git a/library/ecdsa.c b/library/ecdsa.c
index 2b48006..3cf3d7c 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -363,6 +363,7 @@
MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &e, &e, s ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &e, &e, &t ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( pk, pk, &t ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pk, pk, &grp->N ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( s, pk, &grp->N ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, s, &e ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( s, s, &grp->N ) );