Remove FORCE_VERIFICATION and FORCE_BLINDING

This commit is contained in:
Hanno Becker 2017-10-02 15:56:48 +01:00
parent 2fdffe0da0
commit 4e1be398f6
4 changed files with 5 additions and 134 deletions


@ -970,41 +970,6 @@
*/
#define MBEDTLS_PKCS1_V21
/**
* \def MBEDTLS_RSA_FORCE_BLINDING
*
* Force the use of blinding in RSA private key operations.
* This makes these operations fail when the caller doesn't
* provide a PRNG.
*
* Comment this macro to allow RSA private key operations
* without blinding.
*
* \deprecated Disabling this option is deprecated and only
* disabled by default for backwards compatibility.
* Future versions of Mbed TLS will remove this
* option and enforce blinding unconditionally.
*
* \warning Disabling this can be a security risk!
* Blinding RSA private key operations is a way
* to prevent statistical timing attacks as in
* [P. Kocher ', Timing Attacks on Implementations
* of Diffie-Hellman, RSA, DSS, and Other Systems]
*
* \note Disabling this does not mean that blinding
* will never be used: if a PRNG is provided,
* blinding will be in place. Instead, disabling this
* option may result in private key operations being
* performed in a way potentially leaking sensitive
* information through side-channels when no PRNG
* is supplied by the user.
*
* \note For more on the use of blinding in RSA
* private key operations, see the documentation
* of \c mbedtls_rsa_private.
*/
//#define MBEDTLS_RSA_FORCE_BLINDING
/**
* \def MBEDTLS_RSA_NO_CRT
*
@ -1016,48 +981,6 @@
*/
//#define MBEDTLS_RSA_NO_CRT
/**
* \def MBEDTLS_RSA_FORCE_CRT_VERIFICATION
*
* Force verification of results of RSA private key operations
* when RSA-CRT is used.
*
* Comment this macro to disable RSA-CRT verification.
*
* \warning Disabling this can be a security risk!
* Omitting verification makes the RSA-CRT
* signing vulnerable to the Bellcore
* glitch attack leading to private key
* compromise if an attacker can cause a
* glitch in a certain timeframe during
* the signing operation. Uncomment only
* if you're sure that glitches are out of
* your attack model.
*/
#define MBEDTLS_RSA_FORCE_CRT_VERIFICATION
/**
* \def MBEDTLS_RSA_FORCE_VERIFICATION
*
* Force verification of results of any RSA private key
* operation regardless of the algorithm used.
*
* Uncomment this to enable unconditional RSA verification.
*
* \note This is to prevent the RSA signing operation
* (regardless of the particular algorithm chosen)
* from potential future glitch attacks. We are
* currently not aware of any such for our default
* implementation, therefore disabling the option
* by default.
*
* \note Enabling it comes at the cost of roughly an
* additional public key operation at the end of
* signing (low compared to private key operations),
* as well as minor memory consumption.
*/
//#define MBEDTLS_RSA_FORCE_VERIFICATION
/**
* \def MBEDTLS_SELF_TEST
*


@ -63,15 +63,6 @@
#define MBEDTLS_RSA_SALT_LEN_ANY -1
/*
* RSA configuration
*/
#if defined(MBEDTLS_RSA_FORCE_VERIFICATION) || \
( ! defined(MBEDTLS_RSA_NO_CRT) && \
defined(MBEDTLS_RSA_FORCE_CRT_VERIFICATION ) )
#define MBEDTLS_RSA_REQUIRE_VERIFICATION
#endif
/*
* The above constants may be used even if the RSA module is compile out,
* eg for alternative (PKCS#11) RSA implemenations in the PK layers.
@ -239,28 +230,16 @@ int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
* \note The input and output buffers must be large
* enough (eg. 128 bytes if RSA-1024 is used).
*
* \note Enabling and disabling of blinding:
* - If f_rng is NULL and MBEDTLS_RSA_FORCE_BLINDING
* is disabled, blinding is disabled.
* - If f_rng is NULL and MBEDTLS_RSA_FORCE_BLINDING
* is enabled, the function fails.
* \note Blinding is used if and onlf if a PRNG is provided.
*
* \note If blinding is used, both the base of exponentation
* and the exponent are blinded, preventing both statistical
* timing and power analysis attacks.
*
* \note Depending on the way RSA is implemented, a failure
* in the computation can lead to disclosure of the private
* key if the wrong result is passed to attacker - e.g.,
* implementing RSA through CRT is vulnerable to the
* Bellcore glitch attack.
*
* As a remedy, the user can force double checking the
* result of the private key operation through the option
* MBEDTLS_RSA_FORCE_VERIFICATION. If verification is
* to be enabled only when RSA-CRT is used (as controlled
* by the configuration option MBEDTLS_RSA_NO_CRT), the
* option MBEDTLS_RSA_FORCE_CRT_VERIFICATION can be used.
* \warning It is deprecated and a security risk to not provide
* a PRNG here and thereby prevent the use of blinding.
* Future versions of the library may enforce the presence
* of a PRNG.
*
*/
int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
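Review bot: The note added in the second hunk of this header has a typo: `* \note Blinding is used if and onlf if a PRNG is provided.` should read `* \note Blinding is used if and only if a PRNG is provided.`. The same hunk drops the paragraph describing the Bellcore glitch attack and the verification remedy, yet the rsa.c hunks in this commit appear to remove only the MBEDTLS_RSA_REQUIRE_VERIFICATION guards and keep the exp_mod/compare, so the result is presumably now verified on every call; the header should state that, since callers now pay an extra public-key operation and a mismatch fails the call via MBEDTLS_ERR_RSA_VERIFY_FAILED. A line such as `* \note The result is always verified against the input (one extra public-key operation) to defend against fault attacks; a mismatch makes the function fail with MBEDTLS_ERR_RSA_VERIFY_FAILED.` keeps that mitigation visible to API readers. The doc comment this hunk edits begins before the hunk.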


@ -66,13 +66,6 @@
#define mbedtls_free free
#endif
#if !defined(MBEDTLS_RSA_FORCE_BLINDING) && \
defined(MBEDTLS_DEPRECATED_WARNING)
#warning Not enforcing blinding checks for RSA private key operations\
is deprecated. Please uncomment MBEDTLS_RSA_FORCE_BLINDING\
in config.h to enforce blinding checks.
#endif
/* Implementation that should never be optimized out by the compiler */
static void mbedtls_zeroize( void *v, size_t n ) {
volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
@ -434,16 +427,9 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
mbedtls_mpi *D = &ctx->D;
#endif /* MBEDTLS_RSA_NO_CRT */
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
/* Temporaries holding the initial input and the double
* checked result; should be the same in the end. */
mbedtls_mpi I, C;
#endif
#if defined(MBEDTLS_RSA_FORCE_BLINDING)
if( f_rng == NULL )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
#endif
/* Sanity-check that all relevant fields are at least set,
* but don't perform a full keycheck. */
@ -496,10 +482,8 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
mbedtls_mpi_init( &TP ); mbedtls_mpi_init( &TQ );
#endif
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
mbedtls_mpi_init( &I );
mbedtls_mpi_init( &C );
#endif
/* End of MPI initialization */
@ -510,9 +494,7 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
goto cleanup;
}
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &I, &T ) );
#endif
if( f_rng != NULL )
{
@ -604,14 +586,12 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
}
/* If requested by the config, verify the result to prevent glitching attacks. */
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &C, &T, &ctx->E, &ctx->N, &ctx->RN ) );
if( mbedtls_mpi_cmp_mpi( &C, &I ) != 0 )
{
ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
goto cleanup;
}
#endif /* MBEDTLS_RSA_REQUIRE_VERIFICATION */
olen = ctx->len;
MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
@ -642,10 +622,8 @@ cleanup:
mbedtls_mpi_free( &TP ); mbedtls_mpi_free( &TQ );
#endif
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
mbedtls_mpi_free( &C );
mbedtls_mpi_free( &I );
#endif
if( ret != 0 )
return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );
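Review bot: The context comment `/* If requested by the config, verify the result to prevent glitching attacks. */` in the hunk at old line 604 is now stale: the `#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)` / `#endif` pair around the exp_mod and the comparison is gone, so the verification runs unconditionally and no config option is left to request it. Suggest `/* Always verify the result against the input to defend against fault (Bellcore-style) attacks on the private operation. */`. The remaining former uses of that macro in the earlier hunks (declaration and init of I and C, the copy of T into I, and the frees in cleanup) appear to become unconditional in the same way, which looks intended but is worth confirming against the hunk line counts. mbedtls_rsa_private starts and ends outside these hunks.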


@ -345,18 +345,9 @@ static const char *features[] = {
#if defined(MBEDTLS_PKCS1_V21)
"MBEDTLS_PKCS1_V21",
#endif /* MBEDTLS_PKCS1_V21 */
#if defined(MBEDTLS_RSA_FORCE_BLINDING)
"MBEDTLS_RSA_FORCE_BLINDING",
#endif /* MBEDTLS_RSA_FORCE_BLINDING */
#if defined(MBEDTLS_RSA_NO_CRT)
"MBEDTLS_RSA_NO_CRT",
#endif /* MBEDTLS_RSA_NO_CRT */
#if defined(MBEDTLS_RSA_FORCE_CRT_VERIFICATION)
"MBEDTLS_RSA_FORCE_CRT_VERIFICATION",
#endif /* MBEDTLS_RSA_FORCE_CRT_VERIFICATION */
#if defined(MBEDTLS_RSA_FORCE_VERIFICATION)
"MBEDTLS_RSA_FORCE_VERIFICATION",
#endif /* MBEDTLS_RSA_FORCE_VERIFICATION */
#if defined(MBEDTLS_SELF_TEST)
"MBEDTLS_SELF_TEST",
#endif /* MBEDTLS_SELF_TEST */