Merge branch 'mbedtls-1.3' into development
* mbedtls-1.3: Add countermeasure against cache-based lucky 13 Conflicts: library/ssl_tls.c
This commit is contained in:
commit
8a81e84638
2 changed files with 4 additions and 1 deletions
|
@ -90,6 +90,8 @@ Security
|
||||||
* With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and
|
* With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and
|
||||||
extendedKeyUsage on the leaf certificate was lost (results not accessible
|
extendedKeyUsage on the leaf certificate was lost (results not accessible
|
||||||
via ssl_get_verify_results()).
|
via ssl_get_verify_results()).
|
||||||
|
* Add countermeasure against "Lucky 13 strikes back" cache-based attack,
|
||||||
|
https://dl.acm.org/citation.cfm?id=2714625
|
||||||
|
|
||||||
Features
|
Features
|
||||||
* Add x509_crt_verify_info() to display certificate verification results.
|
* Add x509_crt_verify_info() to display certificate verification results.
|
||||||
|
|
|
@ -1943,7 +1943,8 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
|
||||||
ssl->in_msglen );
|
ssl->in_msglen );
|
||||||
mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec,
|
mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec,
|
||||||
ssl->in_msg + ssl->in_msglen );
|
ssl->in_msg + ssl->in_msglen );
|
||||||
for( j = 0; j < extra_run; j++ )
|
/* Call md_process at least once due to cache attacks */
|
||||||
|
for( j = 0; j < extra_run + 1; j++ )
|
||||||
mbedtls_md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
|
mbedtls_md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
|
||||||
|
|
||||||
mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );
|
mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );
|
||||||
|
|
Loading…
Reference in a new issue