Remove FORCE_VERIFICATION and FORCE_BLINDING
This commit is contained in:
parent
2fdffe0da0
commit
4e1be398f6
@ -970,41 +970,6 @@
|
||||
*/
|
||||
#define MBEDTLS_PKCS1_V21
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_RSA_FORCE_BLINDING
|
||||
*
|
||||
* Force the use of blinding in RSA private key operations.
|
||||
* This makes these operations fail when the caller doesn't
|
||||
* provide a PRNG.
|
||||
*
|
||||
* Comment this macro to allow RSA private key operations
|
||||
* without blinding.
|
||||
*
|
||||
* \deprecated Disabling this option is deprecated and only
|
||||
* disabled by default for backwards compatibility.
|
||||
* Future versions of Mbed TLS will remove this
|
||||
* option and enforce blinding unconditionally.
|
||||
*
|
||||
* \warning Disabling this can be a security risk!
|
||||
* Blinding RSA private key operations is a way
|
||||
* to prevent statistical timing attacks as in
|
||||
* [P. Kocher ', Timing Attacks on Implementations
|
||||
* of Diffie-Hellman, RSA, DSS, and Other Systems]
|
||||
*
|
||||
* \note Disabling this does not mean that blinding
|
||||
* will never be used: if a PRNG is provided,
|
||||
* blinding will be in place. Instead, disabling this
|
||||
* option may result in private key operations being
|
||||
* performed in a way potentially leaking sensitive
|
||||
* information through side-channels when no PRNG
|
||||
* is supplied by the user.
|
||||
*
|
||||
* \note For more on the use of blinding in RSA
|
||||
* private key operations, see the documentation
|
||||
* of \c mbedtls_rsa_private.
|
||||
*/
|
||||
//#define MBEDTLS_RSA_FORCE_BLINDING
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_RSA_NO_CRT
|
||||
*
|
||||
@ -1016,48 +981,6 @@
|
||||
*/
|
||||
//#define MBEDTLS_RSA_NO_CRT
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_RSA_FORCE_CRT_VERIFICATION
|
||||
*
|
||||
* Force verification of results of RSA private key operations
|
||||
* when RSA-CRT is used.
|
||||
*
|
||||
* Comment this macro to disable RSA-CRT verification.
|
||||
*
|
||||
* \warning Disabling this can be a security risk!
|
||||
* Omitting verification makes the RSA-CRT
|
||||
* signing vulnerable to the Bellcore
|
||||
* glitch attack leading to private key
|
||||
* compromise if an attacker can cause a
|
||||
* glitch in a certain timeframe during
|
||||
* the signing operation. Uncomment only
|
||||
* if you're sure that glitches are out of
|
||||
* your attack model.
|
||||
*/
|
||||
#define MBEDTLS_RSA_FORCE_CRT_VERIFICATION
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_RSA_FORCE_VERIFICATION
|
||||
*
|
||||
* Force verification of results of any RSA private key
|
||||
* operation regardless of the algorithm used.
|
||||
*
|
||||
* Uncomment this to enable unconditional RSA verification.
|
||||
*
|
||||
* \note This is to prevent the RSA signing operation
|
||||
* (regardless of the particular algorithm chosen)
|
||||
* from potential future glitch attacks. We are
|
||||
* currently not aware of any such for our default
|
||||
* implementation, therefore disabling the option
|
||||
* by default.
|
||||
*
|
||||
* \note Enabling it comes at the cost of roughly an
|
||||
* additional public key operation at the end of
|
||||
* signing (low compared to private key operations),
|
||||
* as well as minor memory consumption.
|
||||
*/
|
||||
//#define MBEDTLS_RSA_FORCE_VERIFICATION
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SELF_TEST
|
||||
*
|
||||
|
@ -63,15 +63,6 @@
|
||||
|
||||
#define MBEDTLS_RSA_SALT_LEN_ANY -1
|
||||
|
||||
/*
|
||||
* RSA configuration
|
||||
*/
|
||||
#if defined(MBEDTLS_RSA_FORCE_VERIFICATION) || \
|
||||
( ! defined(MBEDTLS_RSA_NO_CRT) && \
|
||||
defined(MBEDTLS_RSA_FORCE_CRT_VERIFICATION ) )
|
||||
#define MBEDTLS_RSA_REQUIRE_VERIFICATION
|
||||
#endif
|
||||
|
||||
/*
|
||||
* The above constants may be used even if the RSA module is compile out,
|
||||
* eg for alternative (PKCS#11) RSA implemenations in the PK layers.
|
||||
@ -239,28 +230,16 @@ int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
|
||||
* \note The input and output buffers must be large
|
||||
* enough (eg. 128 bytes if RSA-1024 is used).
|
||||
*
|
||||
* \note Enabling and disabling of blinding:
|
||||
* - If f_rng is NULL and MBEDTLS_RSA_FORCE_BLINDING
|
||||
* is disabled, blinding is disabled.
|
||||
* - If f_rng is NULL and MBEDTLS_RSA_FORCE_BLINDING
|
||||
* is enabled, the function fails.
|
||||
* \note Blinding is used if and onlf if a PRNG is provided.
|
||||
*
|
||||
* \note If blinding is used, both the base of exponentation
|
||||
* and the exponent are blinded, preventing both statistical
|
||||
* timing and power analysis attacks.
|
||||
*
|
||||
* \note Depending on the way RSA is implemented, a failure
|
||||
* in the computation can lead to disclosure of the private
|
||||
* key if the wrong result is passed to attacker - e.g.,
|
||||
* implementing RSA through CRT is vulnerable to the
|
||||
* Bellcore glitch attack.
|
||||
*
|
||||
* As a remedy, the user can force double checking the
|
||||
* result of the private key operation through the option
|
||||
* MBEDTLS_RSA_FORCE_VERIFICATION. If verification is
|
||||
* to be enabled only when RSA-CRT is used (as controlled
|
||||
* by the configuration option MBEDTLS_RSA_NO_CRT), the
|
||||
* option MBEDTLS_RSA_FORCE_CRT_VERIFICATION can be used.
|
||||
* \warning It is deprecated and a security risk to not provide
|
||||
* a PRNG here and thereby prevent the use of blinding.
|
||||
* Future versions of the library may enforce the presence
|
||||
* of a PRNG.
|
||||
*
|
||||
*/
|
||||
int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
|
||||
|
@ -66,13 +66,6 @@
|
||||
#define mbedtls_free free
|
||||
#endif
|
||||
|
||||
#if !defined(MBEDTLS_RSA_FORCE_BLINDING) && \
|
||||
defined(MBEDTLS_DEPRECATED_WARNING)
|
||||
#warning Not enforcing blinding checks for RSA private key operations\
|
||||
is deprecated. Please uncomment MBEDTLS_RSA_FORCE_BLINDING\
|
||||
in config.h to enforce blinding checks.
|
||||
#endif
|
||||
|
||||
/* Implementation that should never be optimized out by the compiler */
|
||||
static void mbedtls_zeroize( void *v, size_t n ) {
|
||||
volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
|
||||
@ -434,16 +427,9 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
|
||||
mbedtls_mpi *D = &ctx->D;
|
||||
#endif /* MBEDTLS_RSA_NO_CRT */
|
||||
|
||||
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
|
||||
/* Temporaries holding the initial input and the double
|
||||
* checked result; should be the same in the end. */
|
||||
mbedtls_mpi I, C;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_RSA_FORCE_BLINDING)
|
||||
if( f_rng == NULL )
|
||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||
#endif
|
||||
|
||||
/* Sanity-check that all relevant fields are at least set,
|
||||
* but don't perform a full keycheck. */
|
||||
@ -496,10 +482,8 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
|
||||
mbedtls_mpi_init( &TP ); mbedtls_mpi_init( &TQ );
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
|
||||
mbedtls_mpi_init( &I );
|
||||
mbedtls_mpi_init( &C );
|
||||
#endif
|
||||
|
||||
/* End of MPI initialization */
|
||||
|
||||
@ -510,9 +494,7 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &I, &T ) );
|
||||
#endif
|
||||
|
||||
if( f_rng != NULL )
|
||||
{
|
||||
@ -604,14 +586,12 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
|
||||
}
|
||||
|
||||
/* If requested by the config, verify the result to prevent glitching attacks. */
|
||||
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &C, &T, &ctx->E, &ctx->N, &ctx->RN ) );
|
||||
if( mbedtls_mpi_cmp_mpi( &C, &I ) != 0 )
|
||||
{
|
||||
ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
|
||||
goto cleanup;
|
||||
}
|
||||
#endif /* MBEDTLS_RSA_REQUIRE_VERIFICATION */
|
||||
|
||||
olen = ctx->len;
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
|
||||
@ -642,10 +622,8 @@ cleanup:
|
||||
mbedtls_mpi_free( &TP ); mbedtls_mpi_free( &TQ );
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
|
||||
mbedtls_mpi_free( &C );
|
||||
mbedtls_mpi_free( &I );
|
||||
#endif
|
||||
|
||||
if( ret != 0 )
|
||||
return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );
|
||||
|
@ -345,18 +345,9 @@ static const char *features[] = {
|
||||
#if defined(MBEDTLS_PKCS1_V21)
|
||||
"MBEDTLS_PKCS1_V21",
|
||||
#endif /* MBEDTLS_PKCS1_V21 */
|
||||
#if defined(MBEDTLS_RSA_FORCE_BLINDING)
|
||||
"MBEDTLS_RSA_FORCE_BLINDING",
|
||||
#endif /* MBEDTLS_RSA_FORCE_BLINDING */
|
||||
#if defined(MBEDTLS_RSA_NO_CRT)
|
||||
"MBEDTLS_RSA_NO_CRT",
|
||||
#endif /* MBEDTLS_RSA_NO_CRT */
|
||||
#if defined(MBEDTLS_RSA_FORCE_CRT_VERIFICATION)
|
||||
"MBEDTLS_RSA_FORCE_CRT_VERIFICATION",
|
||||
#endif /* MBEDTLS_RSA_FORCE_CRT_VERIFICATION */
|
||||
#if defined(MBEDTLS_RSA_FORCE_VERIFICATION)
|
||||
"MBEDTLS_RSA_FORCE_VERIFICATION",
|
||||
#endif /* MBEDTLS_RSA_FORCE_VERIFICATION */
|
||||
#if defined(MBEDTLS_SELF_TEST)
|
||||
"MBEDTLS_SELF_TEST",
|
||||
#endif /* MBEDTLS_SELF_TEST */
|
||||
|
Loading…
Reference in New Issue
Block a user