Add configuration options for verification and blinding

This commit defines some configuration options to control the mandatory use of blinding and verification in RSA private key operations.
2017-05-03 13:51:16 +01:00 · 2017-05-03 13:51:16 +01:00 · 88ec2381d6
commit 88ec2381d6
parent c44c3c288d
2 changed files with 105 additions and 2 deletions
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@ -970,16 +970,86 @@
 */
 #define MBEDTLS_PKCS1_V21

+/**
+ * \def MBEDTLS_RSA_FORCE_BLINDING
+ *
+ * Force the use of blinding in RSA private key operations.
+ * This makes these operations fail when the caller doesn't
+ * provide a PRNG.
+ *
+ * Comment this macro to allow RSA private key operations
+ * without blinding.
+ *
+ * \warning   Disabling this can be a security risk!
+ *            Blinding RSA private key operations is a way
+ *            to prevent statistical timing attacks as in
+ *            [P. Kocher ', Timing Attacks on Implementations
+ *             of Diffie-Hellman, RSA, DSS, and Other Systems]
+ *
+ * \note      Disabling this does not mean that blinding
+ *            will never be used, but instead makes private
+ *            key operations fail if, perhaps unintentionally,
+ *            the user failed to call them with a PRNG.
+ *
+ * \note      For more on the use of blinding in RSA
+ *            private key operations, see the documentation
+ *            of \c mbedtls_rsa_private.
+ */
+#define MBEDTLS_RSA_FORCE_BLINDING
+
 /**
 * \def MBEDTLS_RSA_NO_CRT
 *
- * Do not use the Chinese Remainder Theorem for the RSA private operation.
+ * Do not use the Chinese Remainder Theorem
+ * for the RSA private operation.
 *
 * Uncomment this macro to disable the use of CRT in RSA.
 *
 */
 //#define MBEDTLS_RSA_NO_CRT

+/**
+ * \def MBEDTLS_RSA_FORCE_CRT_VERIFICATION
+ *
+ * Force verification of results of RSA private key operations
+ * when RSA-CRT is used.
+ *
+ * Comment this macro to disable RSA-CRT verification.
+ *
+ * \warning Disabling this can be a security risk!
+ *          Omitting verification makes the RSA-CRT
+ *          signing vulnerable to the Bellcore
+ *          glitch attack leading to private key
+ *          compromise if an attacker can cause a
+ *          glitch in a certain timeframe during
+ *          the signing operation. Uncomment only
+ *          if you're sure that glitches are out of
+ *          your attack model.
+ */
+#define MBEDTLS_RSA_FORCE_CRT_VERIFICATION
+
+/**
+ * \def MBEDTLS_RSA_FORCE_VERIFICATION
+ *
+ * Force verification of results of any RSA private key
+ * operation regardless of the algorithm used.
+ *
+ * Uncomment this to enable unconditional RSA verification.
+ *
+ * \note     This is to prevent the RSA signing operation
+ *           (regardless of the particular algorithm chosen)
+ *           from potential future glitch attacks. We are
+ *           currently not aware of any such for our default
+ *           implementation, therefore disabling the option
+ *           by default.
+ *
+ * \note     Enabling it comes at the cost of roughly an
+ *           additional public key operation at the end of
+ *           signing (low compared to private key operations),
+ *           as well as minor memory consumption.
+ */
+//#define MBEDTLS_RSA_FORCE_VERIFICATION
+
 /**
 * \def MBEDTLS_SELF_TEST
 *
--- a/include/mbedtls/rsa.h
+++ b/include/mbedtls/rsa.h
@ -63,6 +63,15 @@

 #define MBEDTLS_RSA_SALT_LEN_ANY    -1

+/*
+ * RSA configuration
+ */
+#if defined(MBEDTLS_RSA_FORCE_VERIFICATION)              || \
+    ( ! defined(MBEDTLS_RSA_NO_CRT)  &&                     \
+      defined(MBEDTLS_RSA_FORCE_CRT_VERIFICATION ) )
+#define MBEDTLS_RSA_REQUIRE_VERIFICATION
+#endif
+
 /*
 * The above constants may be used even if the RSA module is compile out,
 * eg for alternative (PKCS#11) RSA implemenations in the PK layers.
@ -220,7 +229,7 @@ int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
 * \brief          Do an RSA private key operation
 *
 * \param ctx      RSA context
- * \param f_rng    RNG function (Needed for blinding)
+ * \param f_rng    RNG function (used for blinding)
 * \param p_rng    RNG parameter
 * \param input    input buffer
 * \param output   output buffer
@ -229,6 +238,30 @@ int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
 *
 * \note           The input and output buffers must be large
 *                 enough (eg. 128 bytes if RSA-1024 is used).
+ *
+ * \note           Enabling and disabling of blinding:
+ *                 - If f_rng is NULL and MBEDTLS_RSA_FORCE_BLINDING
+ *                   is disabled, blinding is disabled.
+ *                 - If f_rng is NULL and MBEDTLS_RSA_FORCE_BLINDING
+ *                   is enabled, the function fails.
+ *
+ * \note           If blinding is used, both the base of exponentation
+ *                 and the exponent are blinded, preventing both statistical
+ *                 timing and power analysis attacks.
+ *
+ * \note           Depending on the way RSA is implemented, a failure
+ *                 in the computation can lead to disclosure of the private
+ *                 key if the wrong result is passed to attacker - e.g.,
+ *                 implementing RSA through CRT is vulnerable to the
+ *                 Bellcore glitch attack.
+ *
+ *                 As a remedy, the user can force double checking the
+ *                 result of the private key operation through the option
+ *                 MBEDTLS_RSA_FORCE_VERIFICATION. If verification is
+ *                 to be enabled only when RSA-CRT is used (as controlled
+ *                 by the configuration option MBEDTLS_RSA_NO_CRT), the
+ *                 option MBEDTLS_RSA_FORCE_CRT_VERIFICATION can be used.
+ *
 */
 int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
                 int (*f_rng)(void *, unsigned char *, size_t),