Add configuration options for verification and blinding
This commit introduces configuration options (MBEDTLS_RSA_FORCE_BLINDING,
MBEDTLS_RSA_FORCE_VERIFICATION and MBEDTLS_RSA_FORCE_CRT_VERIFICATION) that
make blinding and result verification mandatory in RSA private key
operations.
diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h
index 54653df..e34fea0 100644
--- a/include/mbedtls/rsa.h
+++ b/include/mbedtls/rsa.h
@@ -64,6 +64,15 @@
#define MBEDTLS_RSA_SALT_LEN_ANY -1
/*
+ * RSA configuration
+ */
+#if defined(MBEDTLS_RSA_FORCE_VERIFICATION) || \
+ ( ! defined(MBEDTLS_RSA_NO_CRT) && \
+ defined(MBEDTLS_RSA_FORCE_CRT_VERIFICATION ) )
+#define MBEDTLS_RSA_REQUIRE_VERIFICATION
+#endif
+
+/*
* The above constants may be used even if the RSA module is compile out,
* eg for alternative (PKCS#11) RSA implemenations in the PK layers.
*/
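Review bot: The derived macro MBEDTLS_RSA_REQUIRE_VERIFICATION is introduced at L17 with no comment saying what it stands for, so a reader of rsa.c has to reconstruct the rule from the #if; I'd put above it `/* Result verification is mandatory when MBEDTLS_RSA_FORCE_VERIFICATION is set, or when MBEDTLS_RSA_FORCE_CRT_VERIFICATION is set and CRT is in use (MBEDTLS_RSA_NO_CRT not defined). */`. The condition depends on MBEDTLS_RSA_NO_CRT, which is only correct if the configuration header has been included earlier in rsa.h — not visible in this hunk, worth confirming. The user-facing options MBEDTLS_RSA_FORCE_VERIFICATION, MBEDTLS_RSA_FORCE_CRT_VERIFICATION and MBEDTLS_RSA_FORCE_BLINDING are only referenced here; if this diff is the whole commit they still need config.h entries, and a check_config.h guard would be useful because defining MBEDTLS_RSA_FORCE_CRT_VERIFICATION together with MBEDTLS_RSA_NO_CRT silently has no effect. Minor: stray space in `MBEDTLS_RSA_FORCE_CRT_VERIFICATION )`.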
@@ -220,7 +229,7 @@
* \brief Do an RSA private key operation
*
* \param ctx RSA context
- * \param f_rng RNG function (Needed for blinding)
+ * \param f_rng RNG function (used for blinding)
* \param p_rng RNG parameter
* \param input input buffer
* \param output output buffer
@@ -229,6 +238,30 @@
*
* \note The input and output buffers must be large
* enough (eg. 128 bytes if RSA-1024 is used).
+ *
+ * \note Enabling and disabling of blinding:
+ * - If f_rng is NULL and MBEDTLS_RSA_FORCE_BLINDING
+ * is disabled, blinding is disabled.
+ * - If f_rng is NULL and MBEDTLS_RSA_FORCE_BLINDING
+ * is enabled, the function fails.
+ *
+ * \note If blinding is used, both the base of exponentation
+ * and the exponent are blinded, preventing both statistical
+ * timing and power analysis attacks.
+ *
+ * \note Depending on the way RSA is implemented, a failure
+ * in the computation can lead to disclosure of the private
+ * key if the wrong result is passed to attacker - e.g.,
+ * implementing RSA through CRT is vulnerable to the
+ * Bellcore glitch attack.
+ *
+ * As a remedy, the user can force double checking the
+ * result of the private key operation through the option
+ * MBEDTLS_RSA_FORCE_VERIFICATION. If verification is
+ * to be enabled only when RSA-CRT is used (as controlled
+ * by the configuration option MBEDTLS_RSA_NO_CRT), the
+ * option MBEDTLS_RSA_FORCE_CRT_VERIFICATION can be used.
+ *
*/
int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
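Review bot: The blinding note at L39-42 covers the NULL-f_rng case without stating the security consequence or the error returned, which is exactly what a caller deciding whether to pass NULL needs; I'd extend the first bullet with `Without blinding the operation leaks timing information that can recover the private key; pass NULL only where the operation is not exposed to untrusted timing measurements.` and have the second bullet name the MBEDTLS_ERR_RSA_* code the implementation returns instead of `the function fails`. The claim at L44-46 that blinding prevents power-analysis attacks overstates it — base and exponent blinding mitigate statistical timing and DPA-style attacks but do not prevent SPA or fault attacks, so `mitigating` is more accurate than `preventing`. The verification note at L54-59 should likewise say what happens on a mismatch — which error is returned and whether output is left untouched — since that is what makes the countermeasure effective against the Bellcore attack it cites. The \return documentation and the rest of the declaration lie outside this hunk. Typos: `exponentation` → `exponentiation`, `passed to attacker` → `passed to an attacker`.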