Add configuration options for verification and blinding

This commit defines some configuration options to control the mandatory use of blinding and verification in RSA private key operations.
2017-05-03 13:51:16 +01:00 · 2017-05-03 13:51:16 +01:00 · 88ec2381d6
commit 88ec2381d6
parent c44c3c288d
2 changed files with 105 additions and 2 deletions
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@ -970,16 +970,86 @@
 */
 #define MBEDTLS_PKCS1_V21

+/**
+ * \def MBEDTLS_RSA_FORCE_BLINDING
+ *
+ * Force the use of blinding in RSA private key operations.
+ * This makes these operations fail when the caller doesn't
+ * provide a PRNG.
+ *
+ * Comment this macro to allow RSA private key operations
+ * without blinding.
+ *
+ * \warning   Disabling this can be a security risk!
+ *            Blinding RSA private key operations is a way
+ *            to prevent statistical timing attacks as in
+ *            [P. Kocher ', Timing Attacks on Implementations
+ *             of Diffie-Hellman, RSA, DSS, and Other Systems]
+ *
+ * \note      Disabling this does not mean that blinding
+ *            will never be used, but instead makes private
+ *            key operations fail if, perhaps unintentionally,
+ *            the user failed to call them with a PRNG.
+ *
+ * \note      For more on the use of blinding in RSA
+ *            private key operations, see the documentation
+ *            of \c mbedtls_rsa_private.
+ */
+#define MBEDTLS_RSA_FORCE_BLINDING
+
 /**
 * \def MBEDTLS_RSA_NO_CRT
 *
- * Do not use the Chinese Remainder Theorem for the RSA private operation.
+ * Do not use the Chinese Remainder Theorem
+ * for the RSA private operation.
 *
 * Uncomment this macro to disable the use of CRT in RSA.
 *
 */
 //#define MBEDTLS_RSA_NO_CRT

+/**
+ * \def MBEDTLS_RSA_FORCE_CRT_VERIFICATION
+ *
+ * Force verification of results of RSA private key operations
+ * when RSA-CRT is used.
+ *
+ * Comment this macro to disable RSA-CRT verification.
+ *
+ * \warning Disabling this can be a security risk!
+ *          Omitting verification makes the RSA-CRT
+ *          signing vulnerable to the Bellcore
+ *          glitch attack leading to private key
+ *          compromise if an attacker can cause a
+ *          glitch in a certain timeframe during
+ *          the signing operation. Uncomment only
+ *          if you're sure that glitches are out of
+ *          your attack model.
+ */
+#define MBEDTLS_RSA_FORCE_CRT_VERIFICATION
+
+/**
+ * \def MBEDTLS_RSA_FORCE_VERIFICATION
+ *
+ * Force verification of results of any RSA private key
+ * operation regardless of the algorithm used.
+ *
+ * Uncomment this to enable unconditional RSA verification.
+ *
+ * \note     This is to prevent the RSA signing operation
+ *           (regardless of the particular algorithm chosen)
+ *           from potential future glitch attacks. We are
+ *           currently not aware of any such for our default
+ *           implementation, therefore disabling the option
+ *           by default.
+ *
+ * \note     Enabling it comes at the cost of roughly an
+ *           additional public key operation at the end of
+ *           signing (low compared to private key operations),
+ *           as well as minor memory consumption.
+ */
+//#define MBEDTLS_RSA_FORCE_VERIFICATION
+
 /**
 * \def MBEDTLS_SELF_TEST
 *