Add configuration options for verification and blinding
This commit defines some configuration options to control the mandatory use of blinding and verification in RSA private key operations.
This commit is contained in:
parent
c44c3c288d
commit
88ec2381d6
2 changed files with 105 additions and 2 deletions
|
@ -970,16 +970,86 @@
|
|||
*/
|
||||
#define MBEDTLS_PKCS1_V21
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_RSA_FORCE_BLINDING
|
||||
*
|
||||
* Force the use of blinding in RSA private key operations.
|
||||
* This makes these operations fail when the caller doesn't
|
||||
* provide a PRNG.
|
||||
*
|
||||
* Comment this macro to allow RSA private key operations
|
||||
* without blinding.
|
||||
*
|
||||
* \warning Disabling this can be a security risk!
|
||||
* Blinding RSA private key operations is a way
|
||||
* to prevent statistical timing attacks as in
|
||||
* [P. Kocher ', Timing Attacks on Implementations
|
||||
* of Diffie-Hellman, RSA, DSS, and Other Systems]
|
||||
*
|
||||
* \note Disabling this does not mean that blinding
|
||||
* will never be used, but instead makes private
|
||||
* key operations fail if, perhaps unintentionally,
|
||||
* the user failed to call them with a PRNG.
|
||||
*
|
||||
* \note For more on the use of blinding in RSA
|
||||
* private key operations, see the documentation
|
||||
* of \c mbedtls_rsa_private.
|
||||
*/
|
||||
#define MBEDTLS_RSA_FORCE_BLINDING
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_RSA_NO_CRT
|
||||
*
|
||||
* Do not use the Chinese Remainder Theorem for the RSA private operation.
|
||||
* Do not use the Chinese Remainder Theorem
|
||||
* for the RSA private operation.
|
||||
*
|
||||
* Uncomment this macro to disable the use of CRT in RSA.
|
||||
*
|
||||
*/
|
||||
//#define MBEDTLS_RSA_NO_CRT
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_RSA_FORCE_CRT_VERIFICATION
|
||||
*
|
||||
* Force verification of results of RSA private key operations
|
||||
* when RSA-CRT is used.
|
||||
*
|
||||
* Comment this macro to disable RSA-CRT verification.
|
||||
*
|
||||
* \warning Disabling this can be a security risk!
|
||||
* Omitting verification makes the RSA-CRT
|
||||
* signing vulnerable to the Bellcore
|
||||
* glitch attack leading to private key
|
||||
* compromise if an attacker can cause a
|
||||
* glitch in a certain timeframe during
|
||||
* the signing operation. Uncomment only
|
||||
* if you're sure that glitches are out of
|
||||
* your attack model.
|
||||
*/
|
||||
#define MBEDTLS_RSA_FORCE_CRT_VERIFICATION
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_RSA_FORCE_VERIFICATION
|
||||
*
|
||||
* Force verification of results of any RSA private key
|
||||
* operation regardless of the algorithm used.
|
||||
*
|
||||
* Uncomment this to enable unconditional RSA verification.
|
||||
*
|
||||
* \note This is to prevent the RSA signing operation
|
||||
* (regardless of the particular algorithm chosen)
|
||||
* from potential future glitch attacks. We are
|
||||
* currently not aware of any such for our default
|
||||
* implementation, therefore disabling the option
|
||||
* by default.
|
||||
*
|
||||
* \note Enabling it comes at the cost of roughly an
|
||||
* additional public key operation at the end of
|
||||
* signing (low compared to private key operations),
|
||||
* as well as minor memory consumption.
|
||||
*/
|
||||
//#define MBEDTLS_RSA_FORCE_VERIFICATION
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SELF_TEST
|
||||
*
|
||||
|
|
|
@ -63,6 +63,15 @@
|
|||
|
||||
#define MBEDTLS_RSA_SALT_LEN_ANY -1
|
||||
|
||||
/*
|
||||
* RSA configuration
|
||||
*/
|
||||
#if defined(MBEDTLS_RSA_FORCE_VERIFICATION) || \
|
||||
( ! defined(MBEDTLS_RSA_NO_CRT) && \
|
||||
defined(MBEDTLS_RSA_FORCE_CRT_VERIFICATION ) )
|
||||
#define MBEDTLS_RSA_REQUIRE_VERIFICATION
|
||||
#endif
|
||||
|
||||
/*
|
||||
* The above constants may be used even if the RSA module is compile out,
|
||||
* eg for alternative (PKCS#11) RSA implemenations in the PK layers.
|
||||
|
@ -220,7 +229,7 @@ int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
|
|||
* \brief Do an RSA private key operation
|
||||
*
|
||||
* \param ctx RSA context
|
||||
* \param f_rng RNG function (Needed for blinding)
|
||||
* \param f_rng RNG function (used for blinding)
|
||||
* \param p_rng RNG parameter
|
||||
* \param input input buffer
|
||||
* \param output output buffer
|
||||
|
@ -229,6 +238,30 @@ int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
|
|||
*
|
||||
* \note The input and output buffers must be large
|
||||
* enough (eg. 128 bytes if RSA-1024 is used).
|
||||
*
|
||||
* \note Enabling and disabling of blinding:
|
||||
* - If f_rng is NULL and MBEDTLS_RSA_FORCE_BLINDING
|
||||
* is disabled, blinding is disabled.
|
||||
* - If f_rng is NULL and MBEDTLS_RSA_FORCE_BLINDING
|
||||
* is enabled, the function fails.
|
||||
*
|
||||
* \note If blinding is used, both the base of exponentation
|
||||
* and the exponent are blinded, preventing both statistical
|
||||
* timing and power analysis attacks.
|
||||
*
|
||||
* \note Depending on the way RSA is implemented, a failure
|
||||
* in the computation can lead to disclosure of the private
|
||||
* key if the wrong result is passed to attacker - e.g.,
|
||||
* implementing RSA through CRT is vulnerable to the
|
||||
* Bellcore glitch attack.
|
||||
*
|
||||
* As a remedy, the user can force double checking the
|
||||
* result of the private key operation through the option
|
||||
* MBEDTLS_RSA_FORCE_VERIFICATION. If verification is
|
||||
* to be enabled only when RSA-CRT is used (as controlled
|
||||
* by the configuration option MBEDTLS_RSA_NO_CRT), the
|
||||
* option MBEDTLS_RSA_FORCE_CRT_VERIFICATION can be used.
|
||||
*
|
||||
*/
|
||||
int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
|
||||
int (*f_rng)(void *, unsigned char *, size_t),
|
||||
|
|
Loading…
Reference in a new issue