Merge pull request #665 from ARMmbed/dev/yanesca/iotcrypt-958-ecdsa-side-channel-fix-2.16

Backport 2.16: ECDSA side channel fix
2024-11-24 09:28:24 +00:00 · 2019-11-12 10:37:22 +00:00 · 2019-11-12 10:37:22 +00:00 · 3f1c68a1e2
commit 3f1c68a1e2
parent ec904e4b57 1baed82774
2 changed files with 8 additions and 0 deletions
--- a/7
+++ b/7
@ -2,6 +2,13 @@ mbed TLS ChangeLog (Sorted per branch, date)

 = mbed TLS 2.16.x branch released xxxx-xx-xx

+Security
+   * Fix side channel vulnerability in ECDSA. Our bignum implementation is not
+     constant time/constant trace, so side channel attacks can retrieve the
+     blinded value, factor it (as it is smaller than RSA keys and not guaranteed
+     to have only large prime factors), and then, by brute force, recover the
+     key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
+
 Bugfix
   * Remove redundant line for getting the bitlen of a bignum, since the variable
     holding the returned value is overwritten a line after.
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@ -363,6 +363,7 @@ modn:
        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &e, &e, s ) );
        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &e, &e, &t ) );
        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( pk, pk, &t ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pk, pk, &grp->N ) );
        MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( s, pk, &grp->N ) );
        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, s, &e ) );
        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( s, s, &grp->N ) );