From 2f18490900db6bdcf34e162252ac0b88b0dacf2a Mon Sep 17 00:00:00 2001 From: Darryl Green Date: Thu, 5 Sep 2019 15:25:29 +0100 Subject: [PATCH 1/2] Update crypto submodule to include deterministic ECDSA RNG fix --- crypto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto b/crypto index f0716542c4..c7cde03fec 160000 --- a/crypto +++ b/crypto @@ -1 +1 @@ -Subproject commit f0716542c458a53106ae97788321b97a7910baef +Subproject commit c7cde03feca387ae32a29d9845dd28a3020f0d97 From 12fff1520d807c87959ac0bc5181fd98568c7dac Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 4 Jan 2019 16:18:46 +0000 Subject: [PATCH 2/2] Add ChangeLog entries --- ChangeLog | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/ChangeLog b/ChangeLog index e72579d4f3..3c64930952 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,11 @@ Security as an ASN.1 INTEGER, which caused the size of the key to leak about 1 bit of information on average and could cause the value to be 1 byte too large for the output buffer. + * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to + implement blinding. Because of this for the same key and message the same + blinding value was generated. This reduced the effectiveness of the + countermeasure and leaked information about the private key through side + channels. Reported by Jack Lloyd. Features * Add new API functions mbedtls_ssl_session_save() and 
@@ -40,6 +45,16 @@ API Changes just curves for which both are supported. Call mbedtls_ecdsa_can_do() or mbedtls_ecdh_can_do() on each result to check whether each algorithm is supported. + * The following function in the ECDSA module has been deprecated and replaced + as shown below. The new function can take an RNG function as an argument + which is necessary for adequate blinding. + mbedtls_ecdsa_sign_det() -> mbedtls_ecdsa_sign_det_ext() + +New deprecations + * Deprecate mbedtls_ecdsa_sign_det() in favor of a functions that can take an + RNG function as an input. + * Calling mbedtls_ecdsa_write_signature() with NULL as the f_rng argument + is now deprecated. Bugfix * Fix missing bounds checks in X.509 parsing functions that could
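Review bot: the submodule bump in PATCH 1/2 (f0716542 -> c7cde03f) gives no way to verify what it pulls in; the subject line says "deterministic ECDSA RNG fix" but neither the commit message nor the diff names the upstream crypto commit or PR, so a reader cannot confirm from this series that c7cde03f is the commit that adds mbedtls_ecdsa_sign_det_ext() described in PATCH 2/2. Suggest citing the crypto-repository commit or PR in the message, and confirming in the same commit that callers in this repository have been moved off mbedtls_ecdsa_sign_det() and off calling mbedtls_ecdsa_write_signature() with a NULL f_rng, since both become deprecated by this update.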
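Review bot: the new Security entry in the first ChangeLog hunk never names the affected API, so a user cannot grep for it; it should say that mbedtls_ecdsa_sign_det() (and mbedtls_ecdsa_write_signature() called with a NULL f_rng) is the code path that reused the HMAC-DRBG for blinding, rather than leaving the reader to infer it from the API Changes section further down. The sentence "Because of this for the same key and message the same blinding value was generated" also needs commas: "Because of this, for the same key and message, the same blinding value was generated." Finally, "leaked information about the private key through side channels" states the leak as a certainty; if what the weakened countermeasure did was make such a leak possible, say "could leak" so the severity is stated accurately.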
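Review bot: typo in the New deprecations entry of the second ChangeLog hunk: "in favor of a functions that can take an RNG function as an input" should read "in favor of a function that takes an RNG function as an input", and the replacement can be named, mbedtls_ecdsa_sign_det_ext(), as it already is two lines above. The deprecation of mbedtls_ecdsa_sign_det() is now recorded twice, once under API Changes ("has been deprecated and replaced as shown below") and again under New deprecations; keep the old-to-new mapping under API Changes and the deprecation notice under New deprecations instead of repeating both. The mbedtls_ecdsa_write_signature() entry is the one most callers will hit, since it is the public signing entry point; it should say why NULL f_rng is deprecated (an RNG is required for blinding) and point at the Security entry above.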