Fixes the following security vulnerabilities:
2.7.12:
- Fix a missing error detection in ECJPAKE. This could have caused a
predictable shared secret if a hardware accelerator failed and the other
side of the key exchange had a similar bug.
- When writing a private EC key, use a constant size for the private value,
as specified in RFC 5915. Previously, the value was written as an ASN.1
INTEGER, which caused the size of the key to leak about 1 bit of
information on average and could cause the value to be 1 byte too large
for the output buffer.
- The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
implement blinding. Because of this for the same key and message the same
blinding value was generated. This reduced the effectiveness of the
countermeasure and leaked information about the private key through side
channels. Reported by Jack Lloyd.
2.7.11:
- Make mbedtls_ecdh_get_params return an error if the second key belongs to
a different group from the first. Before, if an application passed keys
that belonged to different group, the first key's data was interpreted
according to the second group, which could lead to either an error or a
meaningless output from mbedtls_ecdh_get_params. In the latter case, this
could expose at most 5 bits of the private key.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
85596ae5f0