Merge remote-tracking branch 'upstream-restricted/pr/556' into mbedtls-2.16-restricted

2026-01-07 15:09:28 +01:00 · 2019-08-14 16:37:16 +02:00 · 2019-08-14 16:37:16 +02:00 · 33f66ba6fd
commit 33f66ba6fd
parent 3a930650c8 7ffe827fca
5 changed files with 220 additions and 15 deletions
--- a/10
+++ b/10
@ -6,6 +6,16 @@ Security
   * Fix a missing error detection in ECJPAKE. This could have caused a
     predictable shared secret if a hardware accelerator failed and the other
     side of the key exchange had a similar bug.
+   * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
+     implement blinding. Because of this for the same key and message the same
+     blinding value was generated. This reduced the effectiveness of the
+     countermeasure and leaked information about the private key through side
+     channels. Reported by Jack Lloyd.
+
+API Changes
+   * The new function mbedtls_ecdsa_sign_det_ext() is similar to
+     mbedtls_ecdsa_sign_det() but allows passing an external RNG for the
+     purpose of blinding.

 Bugfix
   * Fix to allow building test suites with any warning that detects unused