Use starts/finish around Lucky 13 dummy compressions

Fixes #3246

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
Manuel Pégourié-Gonnard 2020-06-12 11:14:35 +02:00
parent 1fc09be3ea
commit f4e3fc9133
2 changed files with 16 additions and 2 deletions

View file

@ -0,0 +1,7 @@
Security
* Fix issue in Lucky 13 counter-measure that could make it ineffective when
hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
macros). This would cause the original Lucky 13 attack to be possible in
those configurations, allowing an active network attacker to recover
plaintext after repeated timing measurements under some conditions.
Reported and fix suggested by Luc Perneel in #3246.

View file

@ -1578,6 +1578,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
* linking an extra division function in some builds).
*/
size_t j, extra_run = 0;
/* This size is enough to server either as input to
* md_process() or as output to md_finish() */
unsigned char tmp[MBEDTLS_MD_MAX_BLOCK_SIZE];
/*
@ -1633,10 +1635,15 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
ssl_read_memory( data + rec->data_len, padlen );
mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect );
/* Call mbedtls_md_process at least once due to cache attacks
* that observe whether md_process() was called of not */
/* Dummy calls to compression function.
* Call mbedtls_md_process at least once due to cache attacks
* that observe whether md_process() was called of not.
* Respect the usual start-(process|update)-finish sequence for
* the sake of hardware accelerators that might require it. */
mbedtls_md_starts( &transform->md_ctx_dec );
for( j = 0; j < extra_run + 1; j++ )
mbedtls_md_process( &transform->md_ctx_dec, tmp );
mbedtls_md_finish( &transform->md_ctx_dec, tmp );
mbedtls_md_hmac_reset( &transform->md_ctx_dec );