Add configuration options for verification and blinding
This commit defines some configuration options to control the
mandatory use of blinding and verification in RSA private key
operations.
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index c4b8995..1ce92c5 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -971,9 +971,37 @@
#define MBEDTLS_PKCS1_V21
/**
+ * \def MBEDTLS_RSA_FORCE_BLINDING
+ *
+ * Force the use of blinding in RSA private key operations.
+ * This makes these operations fail when the caller doesn't
+ * provide a PRNG.
+ *
+ * Comment this macro to allow RSA private key operations
+ * without blinding.
+ *
+ * \warning Disabling this can be a security risk!
+ * Blinding RSA private key operations is a way
+ * to prevent statistical timing attacks as in
+ * [P. Kocher ', Timing Attacks on Implementations
+ * of Diffie-Hellman, RSA, DSS, and Other Systems]
+ *
+ * \note Disabling this does not mean that blinding
+ * will never be used, but instead makes private
+ * key operations fail if, perhaps unintentionally,
+ * the user failed to call them with a PRNG.
+ *
+ * \note For more on the use of blinding in RSA
+ * private key operations, see the documentation
+ * of \c mbedtls_rsa_private.
+ */
+#define MBEDTLS_RSA_FORCE_BLINDING
+
+/**
* \def MBEDTLS_RSA_NO_CRT
*
- * Do not use the Chinese Remainder Theorem for the RSA private operation.
+ * Do not use the Chinese Remainder Theorem
+ * for the RSA private operation.
*
* Uncomment this macro to disable the use of CRT in RSA.
*
@@ -981,6 +1009,48 @@
//#define MBEDTLS_RSA_NO_CRT
/**
+ * \def MBEDTLS_RSA_FORCE_CRT_VERIFICATION
+ *
+ * Force verification of results of RSA private key operations
+ * when RSA-CRT is used.
+ *
+ * Comment this macro to disable RSA-CRT verification.
+ *
+ * \warning Disabling this can be a security risk!
+ * Omitting verification makes the RSA-CRT
+ * signing vulnerable to the Bellcore
+ * glitch attack leading to private key
+ * compromise if an attacker can cause a
+ * glitch in a certain timeframe during
+ * the signing operation. Uncomment only
+ * if you're sure that glitches are out of
+ * your attack model.
+ */
+#define MBEDTLS_RSA_FORCE_CRT_VERIFICATION
+
+/**
+ * \def MBEDTLS_RSA_FORCE_VERIFICATION
+ *
+ * Force verification of results of any RSA private key
+ * operation regardless of the algorithm used.
+ *
+ * Uncomment this to enable unconditional RSA verification.
+ *
+ * \note This is to prevent the RSA signing operation
+ * (regardless of the particular algorithm chosen)
+ * from potential future glitch attacks. We are
+ * currently not aware of any such for our default
+ * implementation, therefore disabling the option
+ * by default.
+ *
+ * \note Enabling it comes at the cost of roughly an
+ * additional public key operation at the end of
+ * signing (low compared to private key operations),
+ * as well as minor memory consumption.
+ */
+//#define MBEDTLS_RSA_FORCE_VERIFICATION
+
+/**
* \def MBEDTLS_SELF_TEST
*
* Enable the checkup functions (*_self_test).
diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h
index 54653df..e34fea0 100644
--- a/include/mbedtls/rsa.h
+++ b/include/mbedtls/rsa.h
@@ -64,6 +64,15 @@
#define MBEDTLS_RSA_SALT_LEN_ANY -1
/*
+ * RSA configuration
+ */
+#if defined(MBEDTLS_RSA_FORCE_VERIFICATION) || \
+ ( ! defined(MBEDTLS_RSA_NO_CRT) && \
+ defined(MBEDTLS_RSA_FORCE_CRT_VERIFICATION ) )
+#define MBEDTLS_RSA_REQUIRE_VERIFICATION
+#endif
+
+/*
* The above constants may be used even if the RSA module is compile out,
* eg for alternative (PKCS#11) RSA implemenations in the PK layers.
*/
@@ -220,7 +229,7 @@
* \brief Do an RSA private key operation
*
* \param ctx RSA context
- * \param f_rng RNG function (Needed for blinding)
+ * \param f_rng RNG function (used for blinding)
* \param p_rng RNG parameter
* \param input input buffer
* \param output output buffer
@@ -229,6 +238,30 @@
*
* \note The input and output buffers must be large
* enough (eg. 128 bytes if RSA-1024 is used).
+ *
+ * \note Enabling and disabling of blinding:
+ * - If f_rng is NULL and MBEDTLS_RSA_FORCE_BLINDING
+ * is disabled, blinding is disabled.
+ * - If f_rng is NULL and MBEDTLS_RSA_FORCE_BLINDING
+ * is enabled, the function fails.
+ *
+ * \note If blinding is used, both the base of exponentation
+ * and the exponent are blinded, preventing both statistical
+ * timing and power analysis attacks.
+ *
+ * \note Depending on the way RSA is implemented, a failure
+ * in the computation can lead to disclosure of the private
+ * key if the wrong result is passed to attacker - e.g.,
+ * implementing RSA through CRT is vulnerable to the
+ * Bellcore glitch attack.
+ *
+ * As a remedy, the user can force double checking the
+ * result of the private key operation through the option
+ * MBEDTLS_RSA_FORCE_VERIFICATION. If verification is
+ * to be enabled only when RSA-CRT is used (as controlled
+ * by the configuration option MBEDTLS_RSA_NO_CRT), the
+ * option MBEDTLS_RSA_FORCE_CRT_VERIFICATION can be used.
+ *
*/
int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),