Remove FORCE_VERIFICATION and FORCE_BLINDING

This commit is contained in:
Hanno Becker 2017-10-02 15:56:48 +01:00
parent 2fdffe0da0
commit 4e1be398f6
4 changed files with 5 additions and 134 deletions


@ -970,41 +970,6 @@
*/ */
#define MBEDTLS_PKCS1_V21 #define MBEDTLS_PKCS1_V21
/**
* \def MBEDTLS_RSA_FORCE_BLINDING
*
* Force the use of blinding in RSA private key operations.
* This makes these operations fail when the caller doesn't
* provide a PRNG.
*
* Comment this macro to allow RSA private key operations
* without blinding.
*
* \deprecated Disabling this option is deprecated and only
* disabled by default for backwards compatibility.
* Future versions of Mbed TLS will remove this
* option and enforce blinding unconditionally.
*
* \warning Disabling this can be a security risk!
* Blinding RSA private key operations is a way
* to prevent statistical timing attacks as in
* [P. Kocher ', Timing Attacks on Implementations
* of Diffie-Hellman, RSA, DSS, and Other Systems]
*
* \note Disabling this does not mean that blinding
* will never be used: if a PRNG is provided,
* blinding will be in place. Instead, disabling this
* option may result in private key operations being
* performed in a way potentially leaking sensitive
* information through side-channels when no PRNG
* is supplied by the user.
*
* \note For more on the use of blinding in RSA
* private key operations, see the documentation
* of \c mbedtls_rsa_private.
*/
//#define MBEDTLS_RSA_FORCE_BLINDING
/** /**
* \def MBEDTLS_RSA_NO_CRT * \def MBEDTLS_RSA_NO_CRT
* *
@ -1016,48 +981,6 @@
*/ */
//#define MBEDTLS_RSA_NO_CRT //#define MBEDTLS_RSA_NO_CRT
/**
* \def MBEDTLS_RSA_FORCE_CRT_VERIFICATION
*
* Force verification of results of RSA private key operations
* when RSA-CRT is used.
*
* Comment this macro to disable RSA-CRT verification.
*
* \warning Disabling this can be a security risk!
* Omitting verification makes the RSA-CRT
* signing vulnerable to the Bellcore
* glitch attack leading to private key
* compromise if an attacker can cause a
* glitch in a certain timeframe during
* the signing operation. Uncomment only
* if you're sure that glitches are out of
* your attack model.
*/
#define MBEDTLS_RSA_FORCE_CRT_VERIFICATION
/**
* \def MBEDTLS_RSA_FORCE_VERIFICATION
*
* Force verification of results of any RSA private key
* operation regardless of the algorithm used.
*
* Uncomment this to enable unconditional RSA verification.
*
* \note This is to prevent the RSA signing operation
* (regardless of the particular algorithm chosen)
* from potential future glitch attacks. We are
* currently not aware of any such for our default
* implementation, therefore disabling the option
* by default.
*
* \note Enabling it comes at the cost of roughly an
* additional public key operation at the end of
* signing (low compared to private key operations),
* as well as minor memory consumption.
*/
//#define MBEDTLS_RSA_FORCE_VERIFICATION
/** /**
* \def MBEDTLS_SELF_TEST * \def MBEDTLS_SELF_TEST
* *


@ -63,15 +63,6 @@
#define MBEDTLS_RSA_SALT_LEN_ANY -1 #define MBEDTLS_RSA_SALT_LEN_ANY -1
/*
* RSA configuration
*/
#if defined(MBEDTLS_RSA_FORCE_VERIFICATION) || \
( ! defined(MBEDTLS_RSA_NO_CRT) && \
defined(MBEDTLS_RSA_FORCE_CRT_VERIFICATION ) )
#define MBEDTLS_RSA_REQUIRE_VERIFICATION
#endif
/* /*
* The above constants may be used even if the RSA module is compile out, * The above constants may be used even if the RSA module is compile out,
* eg for alternative (PKCS#11) RSA implemenations in the PK layers. * eg for alternative (PKCS#11) RSA implemenations in the PK layers.
@ -239,28 +230,16 @@ int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
* \note The input and output buffers must be large * \note The input and output buffers must be large
* enough (eg. 128 bytes if RSA-1024 is used). * enough (eg. 128 bytes if RSA-1024 is used).
* *
* \note Enabling and disabling of blinding: * \note Blinding is used if and onlf if a PRNG is provided.
* - If f_rng is NULL and MBEDTLS_RSA_FORCE_BLINDING
* is disabled, blinding is disabled.
* - If f_rng is NULL and MBEDTLS_RSA_FORCE_BLINDING
* is enabled, the function fails.
* *
* \note If blinding is used, both the base of exponentation * \note If blinding is used, both the base of exponentation
* and the exponent are blinded, preventing both statistical * and the exponent are blinded, preventing both statistical
* timing and power analysis attacks. * timing and power analysis attacks.
* *
* \note Depending on the way RSA is implemented, a failure * \warning It is deprecated and a security risk to not provide
* in the computation can lead to disclosure of the private * a PRNG here and thereby prevent the use of blinding.
* key if the wrong result is passed to attacker - e.g., * Future versions of the library may enforce the presence
* implementing RSA through CRT is vulnerable to the * of a PRNG.
* Bellcore glitch attack.
*
* As a remedy, the user can force double checking the
* result of the private key operation through the option
* MBEDTLS_RSA_FORCE_VERIFICATION. If verification is
* to be enabled only when RSA-CRT is used (as controlled
* by the configuration option MBEDTLS_RSA_NO_CRT), the
* option MBEDTLS_RSA_FORCE_CRT_VERIFICATION can be used.
* *
*/ */
int mbedtls_rsa_private( mbedtls_rsa_context *ctx, int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
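Review bot: The new \note on mbedtls_rsa_private misspells "only" (`* \note Blinding is used if and only if a PRNG is provided.`), and the removed paragraph about Bellcore-style faults and result verification has no replacement, so the header no longer tells callers what happens to the computed result. The rsa.c side of this commit now re-computes the public operation on the result unconditionally and bails out with MBEDTLS_ERR_RSA_VERIFY_FAILED on mismatch, so that contract belongs here, e.g. `* \note The result is verified against the public key before being returned, so a faulted computation (e.g. a Bellcore-style glitch) yields an error rather than a leaked value.` The \warning could also state concretely that a NULL f_rng makes the private exponentiation run unblinded, since the FORCE_BLINDING compile-time check that used to reject it no longer exists. The mbedtls_rsa_private prototype begins on the last line of the hunk and continues outside it.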


@ -66,13 +66,6 @@
#define mbedtls_free free #define mbedtls_free free
#endif #endif
#if !defined(MBEDTLS_RSA_FORCE_BLINDING) && \
defined(MBEDTLS_DEPRECATED_WARNING)
#warning Not enforcing blinding checks for RSA private key operations\
is deprecated. Please uncomment MBEDTLS_RSA_FORCE_BLINDING\
in config.h to enforce blinding checks.
#endif
/* Implementation that should never be optimized out by the compiler */ /* Implementation that should never be optimized out by the compiler */
static void mbedtls_zeroize( void *v, size_t n ) { static void mbedtls_zeroize( void *v, size_t n ) {
volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
@ -434,16 +427,9 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
mbedtls_mpi *D = &ctx->D; mbedtls_mpi *D = &ctx->D;
#endif /* MBEDTLS_RSA_NO_CRT */ #endif /* MBEDTLS_RSA_NO_CRT */
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
/* Temporaries holding the initial input and the double /* Temporaries holding the initial input and the double
* checked result; should be the same in the end. */ * checked result; should be the same in the end. */
mbedtls_mpi I, C; mbedtls_mpi I, C;
#endif
#if defined(MBEDTLS_RSA_FORCE_BLINDING)
if( f_rng == NULL )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
#endif
/* Sanity-check that all relevant fields are at least set, /* Sanity-check that all relevant fields are at least set,
* but don't perform a full keycheck. */ * but don't perform a full keycheck. */
@ -496,10 +482,8 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
mbedtls_mpi_init( &TP ); mbedtls_mpi_init( &TQ ); mbedtls_mpi_init( &TP ); mbedtls_mpi_init( &TQ );
#endif #endif
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
mbedtls_mpi_init( &I ); mbedtls_mpi_init( &I );
mbedtls_mpi_init( &C ); mbedtls_mpi_init( &C );
#endif
/* End of MPI initialization */ /* End of MPI initialization */
@ -510,9 +494,7 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
goto cleanup; goto cleanup;
} }
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &I, &T ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &I, &T ) );
#endif
if( f_rng != NULL ) if( f_rng != NULL )
{ {
@ -604,14 +586,12 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
} }
/* If requested by the config, verify the result to prevent glitching attacks. */ /* If requested by the config, verify the result to prevent glitching attacks. */
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &C, &T, &ctx->E, &ctx->N, &ctx->RN ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &C, &T, &ctx->E, &ctx->N, &ctx->RN ) );
if( mbedtls_mpi_cmp_mpi( &C, &I ) != 0 ) if( mbedtls_mpi_cmp_mpi( &C, &I ) != 0 )
{ {
ret = MBEDTLS_ERR_RSA_VERIFY_FAILED; ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
goto cleanup; goto cleanup;
} }
#endif /* MBEDTLS_RSA_REQUIRE_VERIFICATION */
olen = ctx->len; olen = ctx->len;
MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
@ -642,10 +622,8 @@ cleanup:
mbedtls_mpi_free( &TP ); mbedtls_mpi_free( &TQ ); mbedtls_mpi_free( &TP ); mbedtls_mpi_free( &TQ );
#endif #endif
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
mbedtls_mpi_free( &C ); mbedtls_mpi_free( &C );
mbedtls_mpi_free( &I ); mbedtls_mpi_free( &I );
#endif
if( ret != 0 ) if( ret != 0 )
return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret ); return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );
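Review bot: The comment `/* If requested by the config, verify the result to prevent glitching attacks. */` is now stale: the `#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)` guard around it was dropped in this hunk, so the exp_mod of T with E and the comparison against I now run on every call. Suggest `/* Always verify the result to prevent glitching attacks (e.g. Bellcore): recompute the public operation and compare against the input. */`. Likewise, with the FORCE_BLINDING check that rejected a NULL f_rng removed, the `if( f_rng != NULL )` branch silently falls through to an unblinded exponentiation; a one-line comment there, `/* No PRNG supplied: the exponentiation below runs unblinded (deprecated, see rsa.h). */`, would make that visible, and if the library still wants to nudge callers some MBEDTLS_DEPRECATED_WARNING-style signal may be worth keeping. mbedtls_rsa_private starts before the first hunk and spans all of them, so its full control flow is not visible here.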


@ -345,18 +345,9 @@ static const char *features[] = {
#if defined(MBEDTLS_PKCS1_V21) #if defined(MBEDTLS_PKCS1_V21)
"MBEDTLS_PKCS1_V21", "MBEDTLS_PKCS1_V21",
#endif /* MBEDTLS_PKCS1_V21 */ #endif /* MBEDTLS_PKCS1_V21 */
#if defined(MBEDTLS_RSA_FORCE_BLINDING)
"MBEDTLS_RSA_FORCE_BLINDING",
#endif /* MBEDTLS_RSA_FORCE_BLINDING */
#if defined(MBEDTLS_RSA_NO_CRT) #if defined(MBEDTLS_RSA_NO_CRT)
"MBEDTLS_RSA_NO_CRT", "MBEDTLS_RSA_NO_CRT",
#endif /* MBEDTLS_RSA_NO_CRT */ #endif /* MBEDTLS_RSA_NO_CRT */
#if defined(MBEDTLS_RSA_FORCE_CRT_VERIFICATION)
"MBEDTLS_RSA_FORCE_CRT_VERIFICATION",
#endif /* MBEDTLS_RSA_FORCE_CRT_VERIFICATION */
#if defined(MBEDTLS_RSA_FORCE_VERIFICATION)
"MBEDTLS_RSA_FORCE_VERIFICATION",
#endif /* MBEDTLS_RSA_FORCE_VERIFICATION */
#if defined(MBEDTLS_SELF_TEST) #if defined(MBEDTLS_SELF_TEST)
"MBEDTLS_SELF_TEST", "MBEDTLS_SELF_TEST",
#endif /* MBEDTLS_SELF_TEST */ #endif /* MBEDTLS_SELF_TEST */