Add configuration options for verification and blinding
This commit defines some configuration options to control the
mandatory use of blinding and verification in RSA private key
operations.
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index c4b8995..1ce92c5 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -971,9 +971,37 @@
#define MBEDTLS_PKCS1_V21
/**
+ * \def MBEDTLS_RSA_FORCE_BLINDING
+ *
+ * Force the use of blinding in RSA private key operations.
+ * This makes these operations fail when the caller doesn't
+ * provide a PRNG.
+ *
+ * Comment this macro to allow RSA private key operations
+ * without blinding.
+ *
+ * \warning Disabling this can be a security risk!
+ * Blinding RSA private key operations is a way
+ * to prevent statistical timing attacks as in
+ * [P. Kocher ', Timing Attacks on Implementations
+ * of Diffie-Hellman, RSA, DSS, and Other Systems]
+ *
+ * \note Disabling this does not mean that blinding
+ * will never be used, but instead makes private
+ * key operations fail if, perhaps unintentionally,
+ * the user failed to call them with a PRNG.
+ *
+ * \note For more on the use of blinding in RSA
+ * private key operations, see the documentation
+ * of \c mbedtls_rsa_private.
+ */
+#define MBEDTLS_RSA_FORCE_BLINDING
+
+/**
* \def MBEDTLS_RSA_NO_CRT
*
- * Do not use the Chinese Remainder Theorem for the RSA private operation.
+ * Do not use the Chinese Remainder Theorem
+ * for the RSA private operation.
*
* Uncomment this macro to disable the use of CRT in RSA.
*
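Review bot: The second \note of MBEDTLS_RSA_FORCE_BLINDING contradicts itself: "Disabling this ... makes private key operations fail if ... the user failed to call them with a PRNG" describes the behaviour of the *enabled* option, while the first sentence talks about disabling it. Rewrite it so each clause names the right state, e.g. `\note Enabling this does not mean that blinding is always used; rather, private key operations fail if, perhaps unintentionally, the caller did not provide a PRNG. Disabling it lets such calls proceed without blinding.` The citation in the \warning also carries a stray apostrophe (`[P. Kocher ', Timing Attacks ...`) that should read `[P. Kocher, Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems]`.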
@@ -981,6 +1009,48 @@
//#define MBEDTLS_RSA_NO_CRT
/**
+ * \def MBEDTLS_RSA_FORCE_CRT_VERIFICATION
+ *
+ * Force verification of results of RSA private key operations
+ * when RSA-CRT is used.
+ *
+ * Comment this macro to disable RSA-CRT verification.
+ *
+ * \warning Disabling this can be a security risk!
+ * Omitting verification makes the RSA-CRT
+ * signing vulnerable to the Bellcore
+ * glitch attack leading to private key
+ * compromise if an attacker can cause a
+ * glitch in a certain timeframe during
+ * the signing operation. Uncomment only
+ * if you're sure that glitches are out of
+ * your attack model.
+ */
+#define MBEDTLS_RSA_FORCE_CRT_VERIFICATION
+
+/**
+ * \def MBEDTLS_RSA_FORCE_VERIFICATION
+ *
+ * Force verification of results of any RSA private key
+ * operation regardless of the algorithm used.
+ *
+ * Uncomment this to enable unconditional RSA verification.
+ *
+ * \note This is to prevent the RSA signing operation
+ * (regardless of the particular algorithm chosen)
+ * from potential future glitch attacks. We are
+ * currently not aware of any such for our default
+ * implementation, therefore disabling the option
+ * by default.
+ *
+ * \note Enabling it comes at the cost of roughly an
+ * additional public key operation at the end of
+ * signing (low compared to private key operations),
+ * as well as minor memory consumption.
+ */
+//#define MBEDTLS_RSA_FORCE_VERIFICATION
+
+/**
* \def MBEDTLS_SELF_TEST
*
* Enable the checkup functions (*_self_test).
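Review bot: The \warning for MBEDTLS_RSA_FORCE_CRT_VERIFICATION ends with "Uncomment only if you're sure that glitches are out of your attack model", but the macro is defined by default and the text two paragraphs up says to *comment* it to disable verification, so the instruction is inverted; it should read `Comment this out only if you're sure that glitches are out of your attack model.` It would also help readers to state how this option interacts with the neighbouring MBEDTLS_RSA_NO_CRT, since the description says it applies "when RSA-CRT is used" — presumably it has no effect when MBEDTLS_RSA_NO_CRT is defined, which a one-line `\note` could make explicit once confirmed against the rsa.c implementation (not part of this diff). The wording "low compared to private key operations" in the MBEDTLS_RSA_FORCE_VERIFICATION note would read more clearly as "cheap compared to the private key operation itself".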