mbedtls/ChangeLog.d/ecp-internal-rng.txt
Manuel Pégourié-Gonnard c721178487 Add Security ChangeLog entry for lack of blinding
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-08 09:09:20 +02:00

15 lines
885 B
Text

Changes
* The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on
`MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel
coutermeasures. If side channels are not a concern, this dependency can
be avoided by enabling the new option `MBEDTLS_ECP_NO_INTERNAL_RNG`.
Security
* Fix side channel in mbedtls_ecp_check_pub_priv() and
mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a
private key that didn't include the uncompressed public key), as well as
mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL
f_rng argument. An attacker with access to precise enough timing and
memory access information (typically an untrusted operating system
attacking a secure enclave) could fully recover the ECC private key.
Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.