Merge remote-tracking branch 'upstream-restricted/pr/549' into mbedtls-2.7-restricted

2026-04-05 06:26:52 +00:00 · 2019-08-14 16:24:51 +02:00 · 2019-08-14 16:24:51 +02:00 · 298a43a77e
commit 298a43a77e
parent ab327dfec7 4bf65fb71f
7 changed files with 238 additions and 34 deletions
--- a/12
+++ b/12
@ -6,6 +6,18 @@ Security
   * Fix a missing error detection in ECJPAKE. This could have caused a
     predictable shared secret if a hardware accelerator failed and the other
     side of the key exchange had a similar bug.
+   * The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
+     implement blinding. Because of this for the same key and message the same
+     blinding value was generated. This reduced the effectiveness of the
+     countermeasure and leaked information about the private key through side
+     channels. Reported by Jack Lloyd.
+
+API Changes
+   * The new function mbedtls_ecdsa_sign_det_ext() is similar to
+     mbedtls_ecdsa_sign_det() but allows passing an external RNG for the
+     purpose of blinding.
+   * The new function mbedtls_ecp_gen_privkey() allows to generate a private
+     key without generating the public part of the pair.

 Bugfix
   * Fix to allow building test suites with any warning that detects unused