commit e70059df852b1f5bd39b35036a0c7e86384a5e88
author Jaeden Amero <jaeden.amero@arm.com> Tue Nov 12 10:42:45 2019 +0000
committer Jaeden Amero <jaeden.amero@arm.com> Tue Nov 12 10:42:45 2019 +0000
tree c7c7875f1bf3c0ef08f750e18ab2c8c68fd3f17f
parent 10fcdd25d4a64c4ae3be875608cf53dfc723d233
parent 07597365cdc4d5be0e2fe5dd8d2ead167da628ec

Merge remote-tracking branch 'restricted/pr/668' into mbedtls-2.7-restricted

* restricted/pr/668:
  Zeroize local AES variables before exiting the function

ChangeLog

diff --git a/ChangeLog b/ChangeLog
index ee94c6c..f2dc2e7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,11 @@
 = mbed TLS 2.7.x branch released xxxx-xx-xx
 
 Security
+   * Fix side channel vulnerability in ECDSA. Our bignum implementation is not
+     constant time/constant trace, so side channel attacks can retrieve the
+     blinded value, factor it (as it is smaller than RSA keys and not guaranteed
+     to have only large prime factors), and then, by brute force, recover the
+     key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
    * Zeroize local variables in mbedtls_internal_aes_encrypt() and
      mbedtls_internal_aes_decrypt() before exiting the function. The value of
      these variables can be used to recover the last round key. To follow best

library/ecdsa.c

diff --git a/library/ecdsa.c b/library/ecdsa.c
index c635a50..24bf734 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -153,6 +153,7 @@
         MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &e, &e, s ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &e, &e, &t ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &k, &k, &t ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &k, &k, &grp->N ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( s, &k, &grp->N ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, s, &e ) );
         MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( s, s, &grp->N ) );