Add warning for alternative ECDSA implementations
Alternative implementations are often hardware accelerators and might not need an RNG for blinding. But if they do, then we make them misuse the RNG in the deterministic case.

There are several ways around this:
- Exposing a lower level function for replacement. This would be the optimal solution, but litters the API and is not backward compatible.
- Introducing a new compile time option for replacing the deterministic function. This would mostly cover the same code as MBEDTLS_ECDSA_DETERMINISTIC and would be yet another compile time flag.
- Reusing the existing MBEDTLS_ECDSA_DETERMINISTIC macro. This changes the algorithm used by the PK layer from deterministic to randomised if the alternative implementation is present.

This commit implements the third option. This is a temporary solution and should be fixed at the next device driver API change.
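The constraint the commit message is working around (the deterministic path hands an HMAC-DRBG seeded per RFC 6979 to mbedtls_ecdsa_sign() as its only RNG, so a replacement may use that RNG for the ephemeral key and nothing else) can be demonstrated without the library. The Python below is an added example and is not Mbed TLS code: it implements RFC 6979 nonce derivation and checks it against the RFC's P-256/SHA-256 "sample" vector, then models two hypothetical mbedtls_ecdsa_sign() replacements (sign_core_good and sign_core_bad are assumed names, reduced to how they consume the RNG). It shows that output drawn from the deterministic DRBG for blinding is a fixed function of key and message, so it repeats across signatures of the same message, and that drawing it before the ephemeral key moves the nonce away from the RFC 6979 value.

```python
# Added example (not Mbed TLS code): RFC 6979 nonce derivation, and what an
# alternative mbedtls_ecdsa_sign() gets wrong if it draws on the deterministic
# HMAC-DRBG for anything besides the ephemeral key.
import hashlib
import hmac

# P-256 group order and the RFC 6979 A.2.5 vector (private key, SHA-256, "sample").
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
X_RFC6979 = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721
K_SAMPLE = 0xA6E3C57DD01ABE90086538398355DD4C3B17AA873382B0F24D6129493D8AAD60


class HmacDrbg:
    """HMAC-DRBG over SHA-256, instantiated as in RFC 6979 section 3.2 (steps b-g).
    Models the static HMAC-DRBG the deterministic signing path passes as f_rng."""

    def __init__(self, seed: bytes):
        self.V = b"\x01" * 32
        self.K = b"\x00" * 32
        self.K = self._mac(self.V + b"\x00" + seed)
        self.V = self._mac(self.V)
        self.K = self._mac(self.V + b"\x01" + seed)
        self.V = self._mac(self.V)

    def _mac(self, data: bytes) -> bytes:
        return hmac.new(self.K, data, "sha256").digest()

    def generate(self, nbytes: int) -> bytes:
        """Step h: emit output blocks, then advance K and V (as on nonce rejection)."""
        out = b""
        while len(out) < nbytes:
            self.V = self._mac(self.V)
            out += self.V
        self.K = self._mac(self.V + b"\x00")
        self.V = self._mac(self.V)
        return out[:nbytes]


def rfc6979_seed(x: int, h1: bytes, q: int) -> bytes:
    """int2octets(x) || bits2octets(h1) from RFC 6979 section 2.3."""
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    z1 = int.from_bytes(h1, "big")
    if len(h1) * 8 > qlen:               # bits2int keeps only the leftmost qlen bits
        z1 >>= len(h1) * 8 - qlen
    return x.to_bytes(rlen, "big") + (z1 % q).to_bytes(rlen, "big")


def gen_privkey(drbg: HmacDrbg, q: int) -> int:
    """Rejection-sample an integer in [1, q-1] from the DRBG: the ephemeral-key
    step, which is the only use the RNG is meant to serve here."""
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    while True:
        t = int.from_bytes(drbg.generate(rlen), "big")
        if rlen * 8 > qlen:
            t >>= rlen * 8 - qlen
        if 1 <= t < q:
            return t


def det_nonce(x: int, msg: bytes, q: int = P256_N) -> int:
    """The nonce a conforming RFC 6979 signer must use for (x, msg)."""
    h1 = hashlib.sha256(msg).digest()
    return gen_privkey(HmacDrbg(rfc6979_seed(x, h1, q)), q)


# Two hypothetical replacements for mbedtls_ecdsa_sign(), reduced to how they
# consume f_rng. Each returns (ephemeral key, blinding value) so the effect shows.
def sign_core_good(drbg: HmacDrbg, q: int):
    """Uses the RNG for the ephemeral key first; any blinding comes afterwards."""
    k = gen_privkey(drbg, q)
    blind = gen_privkey(drbg, q)
    return k, blind


def sign_core_bad(drbg: HmacDrbg, q: int):
    """Draws a blinding value before the ephemeral key, shifting the DRBG stream."""
    blind = gen_privkey(drbg, q)
    k = gen_privkey(drbg, q)
    return k, blind


def sign_det(x: int, msg: bytes, core, q: int = P256_N):
    """Model of the deterministic entry point: seed the DRBG per RFC 6979 and hand
    it to the (possibly alternative) core as its only source of randomness."""
    h1 = hashlib.sha256(msg).digest()
    return core(HmacDrbg(rfc6979_seed(x, h1, q)), q)


if __name__ == "__main__":
    k_good, b1 = sign_det(X_RFC6979, b"sample", sign_core_good)
    k_bad, _ = sign_det(X_RFC6979, b"sample", sign_core_bad)
    _, b2 = sign_det(X_RFC6979, b"sample", sign_core_good)
    print("RFC 6979 nonce reproduced:", k_good == K_SAMPLE)
    print("nonce still RFC 6979 after misordered RNG use:", k_bad == K_SAMPLE)
    print("blinding identical across two signatures of one message:", b1 == b2)
```

Even the well-ordered core shows the problem the warning is about: its blinding value is the same on every signature of the same message, which is the opposite of what a blinding countermeasure needs, and it is also the next value any other consumer of the same stream would see. The misordered core additionally produces a nonce that no other RFC 6979 implementation will reproduce, so its signatures fail interoperability test vectors even though they remain valid.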
parent e65e0597a8
commit 1231d210e1
1 changed files with 10 additions and 0 deletions
@ -441,6 +441,16 @@
* dependencies on them, and considering stronger message digests
* and ciphers instead.
*
* \warning If both MBEDTLS_ECDSA_SIGN_ALT and MBEDTLS_ECDSA_DETERMINISTIC are
* enabled, then the deterministic ECDH signature functions pass the
* the static HMAC-DRBG as RNG to mbedtls_ecdsa_sign(). Therefore
* alternative implementations should use the RNG only for generating
* the ephemeral key and nothing else. If this is not possible, then
* MBEDTLS_ECDSA_DETERMINISTIC should be disabled and an alternative
* implementation should be provided for mbedtls_ecdsa_sign_det_ext()
* (and for mbedtls_ecdsa_sign_det() too if backward compatibility is
* desirable).
*
*/
//#define MBEDTLS_MD2_PROCESS_ALT
//#define MBEDTLS_MD4_PROCESS_ALT
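Review bot: The \warning text has two documentation errors: "deterministic ECDH signature functions" should read "deterministic ECDSA signature functions" (ECDH has no signing functions; the functions the same paragraph names, mbedtls_ecdsa_sign_det() and mbedtls_ecdsa_sign_det_ext(), are ECDSA), and "pass the the static HMAC-DRBG" repeats "the". It would also help a reader of config.h to say why the restriction exists: the HMAC-DRBG is seeded from the private key and message hash, so anything an alternative mbedtls_ecdsa_sign() draws from it besides the ephemeral key (blinding, for instance) is a fixed function of key and message, and drawing it before the ephemeral key changes the nonce away from the RFC 6979 value. Finally, the commit message says the PK layer switches from deterministic to randomised signing when the alternative implementation is present, but this hunk only documents the constraint on the alternative; the warning should state that behaviour change as well, since it is what a user who leaves MBEDTLS_ECDSA_DETERMINISTIC enabled will actually observe.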