Remove FORCE_VERIFICATION and FORCE_BLINDING
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 741ce41..5255626 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -971,41 +971,6 @@
#define MBEDTLS_PKCS1_V21
/**
- * \def MBEDTLS_RSA_FORCE_BLINDING
- *
- * Force the use of blinding in RSA private key operations.
- * This makes these operations fail when the caller doesn't
- * provide a PRNG.
- *
- * Comment this macro to allow RSA private key operations
- * without blinding.
- *
- * \deprecated Disabling this option is deprecated and only
- * disabled by default for backwards compatibility.
- * Future versions of Mbed TLS will remove this
- * option and enforce blinding unconditionally.
- *
- * \warning Disabling this can be a security risk!
- * Blinding RSA private key operations is a way
- * to prevent statistical timing attacks as in
- * [P. Kocher ', Timing Attacks on Implementations
- * of Diffie-Hellman, RSA, DSS, and Other Systems]
- *
- * \note Disabling this does not mean that blinding
- * will never be used: if a PRNG is provided,
- * blinding will be in place. Instead, disabling this
- * option may result in private key operations being
- * performed in a way potentially leaking sensitive
- * information through side-channels when no PRNG
- * is supplied by the user.
- *
- * \note For more on the use of blinding in RSA
- * private key operations, see the documentation
- * of \c mbedtls_rsa_private.
- */
-//#define MBEDTLS_RSA_FORCE_BLINDING
-
-/**
* \def MBEDTLS_RSA_NO_CRT
*
* Do not use the Chinese Remainder Theorem
@@ -1017,48 +982,6 @@
//#define MBEDTLS_RSA_NO_CRT
/**
- * \def MBEDTLS_RSA_FORCE_CRT_VERIFICATION
- *
- * Force verification of results of RSA private key operations
- * when RSA-CRT is used.
- *
- * Comment this macro to disable RSA-CRT verification.
- *
- * \warning Disabling this can be a security risk!
- * Omitting verification makes the RSA-CRT
- * signing vulnerable to the Bellcore
- * glitch attack leading to private key
- * compromise if an attacker can cause a
- * glitch in a certain timeframe during
- * the signing operation. Uncomment only
- * if you're sure that glitches are out of
- * your attack model.
- */
-#define MBEDTLS_RSA_FORCE_CRT_VERIFICATION
-
-/**
- * \def MBEDTLS_RSA_FORCE_VERIFICATION
- *
- * Force verification of results of any RSA private key
- * operation regardless of the algorithm used.
- *
- * Uncomment this to enable unconditional RSA verification.
- *
- * \note This is to prevent the RSA signing operation
- * (regardless of the particular algorithm chosen)
- * from potential future glitch attacks. We are
- * currently not aware of any such for our default
- * implementation, therefore disabling the option
- * by default.
- *
- * \note Enabling it comes at the cost of roughly an
- * additional public key operation at the end of
- * signing (low compared to private key operations),
- * as well as minor memory consumption.
- */
-//#define MBEDTLS_RSA_FORCE_VERIFICATION
-
-/**
* \def MBEDTLS_SELF_TEST
*
* Enable the checkup functions (*_self_test).
diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h
index e34fea0..bc2f810 100644
--- a/include/mbedtls/rsa.h
+++ b/include/mbedtls/rsa.h
@@ -64,15 +64,6 @@
#define MBEDTLS_RSA_SALT_LEN_ANY -1
/*
- * RSA configuration
- */
-#if defined(MBEDTLS_RSA_FORCE_VERIFICATION) || \
- ( ! defined(MBEDTLS_RSA_NO_CRT) && \
- defined(MBEDTLS_RSA_FORCE_CRT_VERIFICATION ) )
-#define MBEDTLS_RSA_REQUIRE_VERIFICATION
-#endif
-
-/*
* The above constants may be used even if the RSA module is compile out,
* eg for alternative (PKCS#11) RSA implemenations in the PK layers.
*/
@@ -239,28 +230,16 @@
* \note The input and output buffers must be large
* enough (eg. 128 bytes if RSA-1024 is used).
*
- * \note Enabling and disabling of blinding:
- * - If f_rng is NULL and MBEDTLS_RSA_FORCE_BLINDING
- * is disabled, blinding is disabled.
- * - If f_rng is NULL and MBEDTLS_RSA_FORCE_BLINDING
- * is enabled, the function fails.
+ * \note Blinding is used if and onlf if a PRNG is provided.
*
* \note If blinding is used, both the base of exponentation
* and the exponent are blinded, preventing both statistical
* timing and power analysis attacks.
*
- * \note Depending on the way RSA is implemented, a failure
- * in the computation can lead to disclosure of the private
- * key if the wrong result is passed to attacker - e.g.,
- * implementing RSA through CRT is vulnerable to the
- * Bellcore glitch attack.
- *
- * As a remedy, the user can force double checking the
- * result of the private key operation through the option
- * MBEDTLS_RSA_FORCE_VERIFICATION. If verification is
- * to be enabled only when RSA-CRT is used (as controlled
- * by the configuration option MBEDTLS_RSA_NO_CRT), the
- * option MBEDTLS_RSA_FORCE_CRT_VERIFICATION can be used.
+ * \warning It is deprecated and a security risk to not provide
+ * a PRNG here and thereby prevent the use of blinding.
+ * Future versions of the library may enforce the presence
+ * of a PRNG.
*
*/
int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
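Review bot: The new note on mbedtls_rsa_private misspells "only" as "onlf": `* \note Blinding is used if and only if a PRNG is provided.` Separately, the removed paragraph was the only place the header described result verification, and the library/rsa.c hunks in this commit make that check unconditional, so the documentation now says nothing about it; consider a note stating that the result of every private-key operation is re-checked with the public exponent and that a mismatch makes the call fail, so callers understand both the extra public-key operation and the failure mode. The documented declaration continues past the end of the hunk.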
diff --git a/library/rsa.c b/library/rsa.c
index d866c7a..de684b3 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -66,13 +66,6 @@
#define mbedtls_free free
#endif
-#if !defined(MBEDTLS_RSA_FORCE_BLINDING) && \
- defined(MBEDTLS_DEPRECATED_WARNING)
-#warning Not enforcing blinding checks for RSA private key operations\
- is deprecated. Please uncomment MBEDTLS_RSA_FORCE_BLINDING\
- in config.h to enforce blinding checks.
-#endif
-
/* Implementation that should never be optimized out by the compiler */
static void mbedtls_zeroize( void *v, size_t n ) {
volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
@@ -434,16 +427,9 @@
mbedtls_mpi *D = &ctx->D;
#endif /* MBEDTLS_RSA_NO_CRT */
-#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
/* Temporaries holding the initial input and the double
* checked result; should be the same in the end. */
mbedtls_mpi I, C;
-#endif
-
-#if defined(MBEDTLS_RSA_FORCE_BLINDING)
- if( f_rng == NULL )
- return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
-#endif
/* Sanity-check that all relevant fields are at least set,
* but don't perform a full keycheck. */
@@ -496,10 +482,8 @@
mbedtls_mpi_init( &TP ); mbedtls_mpi_init( &TQ );
#endif
-#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
mbedtls_mpi_init( &I );
mbedtls_mpi_init( &C );
-#endif
/* End of MPI initialization */
@@ -510,9 +494,7 @@
goto cleanup;
}
-#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &I, &T ) );
-#endif
if( f_rng != NULL )
{
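Review bot: A NULL f_rng now silently takes the unblinded path at `if( f_rng != NULL )` with nothing in the code marking it as the deprecated case, since the runtime check on f_rng was dropped from this function in an earlier hunk and the #warning at the top of the file is gone too. A short comment on the branch would keep the implementation in step with the warning added to rsa.h, e.g. `/* No PRNG supplied: the exponentiation runs without blinding. Deprecated, see the warning on mbedtls_rsa_private() in rsa.h. */`. The enclosing function starts and ends outside the hunk.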
@@ -604,14 +586,12 @@
}
/* If requested by the config, verify the result to prevent glitching attacks. */
-#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &C, &T, &ctx->E, &ctx->N, &ctx->RN ) );
if( mbedtls_mpi_cmp_mpi( &C, &I ) != 0 )
{
ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
goto cleanup;
}
-#endif /* MBEDTLS_RSA_REQUIRE_VERIFICATION */
olen = ctx->len;
MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
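Review bot: The comment `/* If requested by the config, verify the result to prevent glitching attacks. */` above the check is now stale, because this hunk removes the last #if around the verification and it runs unconditionally; it is a context line here, so it needs a follow-up edit, e.g. `/* Always verify the result against the public key so that a faulted private-key computation (e.g. the Bellcore attack on RSA-CRT) never reaches the caller. */`. The ordering is right: the comparison happens before mbedtls_mpi_write_binary(), so a failed check does not leak the faulty value into output. The enclosing function continues outside the hunk.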
@@ -642,10 +622,8 @@
mbedtls_mpi_free( &TP ); mbedtls_mpi_free( &TQ );
#endif
-#if defined(MBEDTLS_RSA_REQUIRE_VERIFICATION)
mbedtls_mpi_free( &C );
mbedtls_mpi_free( &I );
-#endif
if( ret != 0 )
return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );
diff --git a/library/version_features.c b/library/version_features.c
index f7fa041..9f97c7b 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -345,18 +345,9 @@
#if defined(MBEDTLS_PKCS1_V21)
"MBEDTLS_PKCS1_V21",
#endif /* MBEDTLS_PKCS1_V21 */
-#if defined(MBEDTLS_RSA_FORCE_BLINDING)
- "MBEDTLS_RSA_FORCE_BLINDING",
-#endif /* MBEDTLS_RSA_FORCE_BLINDING */
#if defined(MBEDTLS_RSA_NO_CRT)
"MBEDTLS_RSA_NO_CRT",
#endif /* MBEDTLS_RSA_NO_CRT */
-#if defined(MBEDTLS_RSA_FORCE_CRT_VERIFICATION)
- "MBEDTLS_RSA_FORCE_CRT_VERIFICATION",
-#endif /* MBEDTLS_RSA_FORCE_CRT_VERIFICATION */
-#if defined(MBEDTLS_RSA_FORCE_VERIFICATION)
- "MBEDTLS_RSA_FORCE_VERIFICATION",
-#endif /* MBEDTLS_RSA_FORCE_VERIFICATION */
#if defined(MBEDTLS_SELF_TEST)
"MBEDTLS_SELF_TEST",
#endif /* MBEDTLS_SELF_TEST */