Merge remote-tracking branch 'hanno/iotssl-1241-backport-1.3' into mbedtls-1.3
* hanno/iotssl-1241-backport-1.3:
Remember suitable hash function for any signature algorithm.
diff --git a/ChangeLog b/ChangeLog
index 51fefe5..c647e0f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,13 @@
mbed TLS ChangeLog (Sorted per branch, date)
-mbed TLS 1.x.x branch released xxxx-xx-xx
+= mbed TLS 1.3.x branch released xxxx-xx-xx
+
+Security
+ * Add exponent blinding to RSA private operations as a countermeasure
+ against side-channel attacks like the cache attack described in
+ https://arxiv.org/abs/1702.08719v2.
+ Found and fix proposed by Michael Schwarz, Samuel Weiser, Daniel Gruss,
+ Clémentine Maurice and Stefan Mangard.
Bugfix
* Fix insufficient support for signature-hash-algorithm extension,
diff --git a/library/rsa.c b/library/rsa.c
index 79726c1..3bc05b3 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -24,6 +24,11 @@
*
* http://theory.lcs.mit.edu/~rivest/rsapaper.pdf
* http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf
+ * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
+ * Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
+ * Stefan Mangard
+ * https://arxiv.org/abs/1702.08719v2
+ *
*/
#if !defined(POLARSSL_CONFIG_FILE)
@@ -351,6 +356,27 @@
}
/*
+ * Exponent blinding supposed to prevent side-channel attacks using multiple
+ * traces of measurements to recover the RSA key. The more collisions are there,
+ * the more bits of the key can be recovered. See [3].
+ *
+ * Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
+ * observations on avarage.
+ *
+ * For example with 28 byte blinding to achieve 2 collisions the adversary has
+ * to make 2^112 observations on avarage.
+ *
+ * (With the currently (as of 2017 April) known best algorithms breaking 2048
+ * bit RSA requires approximately as much time as trying out 2^112 random keys.
+ * Thus in this sense with 28 byte blinding the security is not reduced by
+ * side-channel attacks like the one in [3])
+ *
+ * This countermeasure does not help if the key recovery is possible with a
+ * single trace.
+ */
+#define RSA_EXPONENT_BLINDING 28
+
+/*
* Do an RSA private key operation
*/
int rsa_private( rsa_context *ctx,
@@ -362,8 +388,28 @@
int ret;
size_t olen;
mpi T, T1, T2;
+ mpi P1, Q1, R;
+#if defined(POLARSSL_RSA_NO_CRT)
+ mpi D_blind;
+ mpi *D = &ctx->D;
+#else
+ mpi DP_blind, DQ_blind;
+ mpi *DP = &ctx->DP;
+ mpi *DQ = &ctx->DQ;
+#endif
mpi_init( &T ); mpi_init( &T1 ); mpi_init( &T2 );
+ mpi_init( &P1 ); mpi_init( &Q1 ); mpi_init( &R );
+
+ if( f_rng != NULL )
+ {
+#if defined(POLARSSL_RSA_NO_CRT)
+ mpi_init( &D_blind );
+#else
+ mpi_init( &DP_blind );
+ mpi_init( &DQ_blind );
+#endif
+ }
#if defined(POLARSSL_THREADING_C)
if( ( ret = polarssl_mutex_lock( &ctx->mutex ) ) != 0 )
@@ -386,19 +432,60 @@
MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
MPI_CHK( mpi_mul_mpi( &T, &T, &ctx->Vi ) );
MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
+
+ /*
+ * Exponent blinding
+ */
+ MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
+ MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
+
+#if defined(POLARSSL_RSA_NO_CRT)
+ /*
+ * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
+ */
+ MPI_CHK( mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
+ f_rng, p_rng ) );
+ MPI_CHK( mpi_mul_mpi( &D_blind, &P1, &Q1 ) );
+ MPI_CHK( mpi_mul_mpi( &D_blind, &D_blind, &R ) );
+ MPI_CHK( mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) );
+
+ D = &D_blind;
+#else
+ /*
+ * DP_blind = ( P - 1 ) * R + DP
+ */
+ MPI_CHK( mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
+ f_rng, p_rng ) );
+ MPI_CHK( mpi_mul_mpi( &DP_blind, &P1, &R ) );
+ MPI_CHK( mpi_add_mpi( &DP_blind, &DP_blind,
+ &ctx->DP ) );
+
+ DP = &DP_blind;
+
+ /*
+ * DQ_blind = ( Q - 1 ) * R + DQ
+ */
+ MPI_CHK( mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
+ f_rng, p_rng ) );
+ MPI_CHK( mpi_mul_mpi( &DQ_blind, &Q1, &R ) );
+ MPI_CHK( mpi_add_mpi( &DQ_blind, &DQ_blind,
+ &ctx->DQ ) );
+
+ DQ = &DQ_blind;
+#endif /* POLARSSL_RSA_NO_CRT */
}
#if defined(POLARSSL_RSA_NO_CRT)
- MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
+ MPI_CHK( mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) );
#else
/*
- * faster decryption using the CRT
+ * Faster decryption using the CRT
*
* T1 = input ^ dP mod P
* T2 = input ^ dQ mod Q
*/
- MPI_CHK( mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) );
- MPI_CHK( mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) );
+ MPI_CHK( mpi_exp_mod( &T1, &T, DP, &ctx->P, &ctx->RP ) );
+ MPI_CHK( mpi_exp_mod( &T2, &T, DQ, &ctx->Q, &ctx->RQ ) );
/*
* T = (T1 - T2) * (Q^-1 mod P) mod P
@@ -434,6 +521,17 @@
#endif
mpi_free( &T ); mpi_free( &T1 ); mpi_free( &T2 );
+ mpi_free( &P1 ); mpi_free( &Q1 ); mpi_free( &R );
+
+ if( f_rng != NULL )
+ {
+#if defined(POLARSSL_RSA_NO_CRT)
+ mpi_free( &D_blind );
+#else
+ mpi_free( &DP_blind );
+ mpi_free( &DQ_blind );
+#endif
+ }
if( ret != 0 )
return( POLARSSL_ERR_RSA_PRIVATE_FAILED + ret );