Fix leakage of projective coordinates in ECC
See the comments in the code for how an attack would go, and the ChangeLog
entry for an impact assessment. (For ECDSA, leaking a few bits of the scalar
over several signatures translates to full private key recovery using a
lattice attack.)
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/ChangeLog b/ChangeLog
index 6ec1e7ec..64c72a5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,13 @@
= mbed TLS x.x.x branch released xxxx-xx-xx
+Security
+ * Fix side channel in ECC code that allowed an adversary with access to
+ precise enough timing and memory access information (typically an
+ untrusted operating system attacking a secure enclave) to fully recover
+ an ECDSA private key. Found and reported by Alejandro Cabrera Aldaya,
+ Billy Brumley and Cesar Pereida Garcia. CVE-2020-10932
+
Bugfix
* Fix compilation failure when both MBEDTLS_SSL_PROTO_DTLS and
MBEDTLS_SSL_HW_RECORD_ACCEL are enabled.