Merge branch 'iotssl-1272-fix-RSA-cache-attack-2.1-restricted' into mbedtls-2.1
* iotssl-1272-fix-RSA-cache-attack-2.1-restricted: Add Changelog entry for RSA exponent blinding Add exponent blinding to RSA with CRT Add exponent blinding to RSA without CRT
This commit is contained in:
commit
6820eba2bb
@ -2,6 +2,13 @@ mbed TLS ChangeLog (Sorted per branch, date)
|
||||||
|
|
||||||
= mbed TLS 2.1.x branch released xxxx-xx-xx
|
= mbed TLS 2.1.x branch released xxxx-xx-xx
|
||||||
|
|
||||||
|
Security
|
||||||
|
* Add exponent blinding to RSA private operations as a countermeasure
|
||||||
|
against side-channel attacks like the cache attack described in
|
||||||
|
https://arxiv.org/abs/1702.08719v2.
|
||||||
|
Found and fix proposed by Michael Schwarz, Samuel Weiser, Daniel Gruss,
|
||||||
|
Clémentine Maurice and Stefan Mangard.
|
||||||
|
|
||||||
Bugfix
|
Bugfix
|
||||||
* Remove macros from compat-1.3.h that correspond to deleted items from most
|
* Remove macros from compat-1.3.h that correspond to deleted items from most
|
||||||
recent versions of the library. Found by Kyle Keen.
|
recent versions of the library. Found by Kyle Keen.
|
||||||
|
|
108
library/rsa.c
108
library/rsa.c
|
@ -23,6 +23,11 @@
|
||||||
*
|
*
|
||||||
* http://theory.lcs.mit.edu/~rivest/rsapaper.pdf
|
* http://theory.lcs.mit.edu/~rivest/rsapaper.pdf
|
||||||
* http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf
|
* http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf
|
||||||
|
* [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
|
||||||
|
* Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
|
||||||
|
* Stefan Mangard
|
||||||
|
* https://arxiv.org/abs/1702.08719v2
|
||||||
|
*
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||||
|
@ -350,6 +355,27 @@ cleanup:
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Exponent blinding supposed to prevent side-channel attacks using multiple
|
||||||
|
* traces of measurements to recover the RSA key. The more collisions are there,
|
||||||
|
* the more bits of the key can be recovered. See [3].
|
||||||
|
*
|
||||||
|
* Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
|
||||||
|
* observations on avarage.
|
||||||
|
*
|
||||||
|
* For example with 28 byte blinding to achieve 2 collisions the adversary has
|
||||||
|
* to make 2^112 observations on avarage.
|
||||||
|
*
|
||||||
|
* (With the currently (as of 2017 April) known best algorithms breaking 2048
|
||||||
|
* bit RSA requires approximately as much time as trying out 2^112 random keys.
|
||||||
|
* Thus in this sense with 28 byte blinding the security is not reduced by
|
||||||
|
* side-channel attacks like the one in [3])
|
||||||
|
*
|
||||||
|
* This countermeasure does not help if the key recovery is possible with a
|
||||||
|
* single trace.
|
||||||
|
*/
|
||||||
|
#define RSA_EXPONENT_BLINDING 28
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Do an RSA private key operation
|
* Do an RSA private key operation
|
||||||
*/
|
*/
|
||||||
|
@ -362,12 +388,34 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
|
||||||
int ret;
|
int ret;
|
||||||
size_t olen;
|
size_t olen;
|
||||||
mbedtls_mpi T, T1, T2;
|
mbedtls_mpi T, T1, T2;
|
||||||
|
mbedtls_mpi P1, Q1, R;
|
||||||
|
#if defined(MBEDTLS_RSA_NO_CRT)
|
||||||
|
mbedtls_mpi D_blind;
|
||||||
|
mbedtls_mpi *D = &ctx->D;
|
||||||
|
#else
|
||||||
|
mbedtls_mpi DP_blind, DQ_blind;
|
||||||
|
mbedtls_mpi *DP = &ctx->DP;
|
||||||
|
mbedtls_mpi *DQ = &ctx->DQ;
|
||||||
|
#endif
|
||||||
|
|
||||||
/* Make sure we have private key info, prevent possible misuse */
|
/* Make sure we have private key info, prevent possible misuse */
|
||||||
if( ctx->P.p == NULL || ctx->Q.p == NULL || ctx->D.p == NULL )
|
if( ctx->P.p == NULL || ctx->Q.p == NULL || ctx->D.p == NULL )
|
||||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||||
|
|
||||||
mbedtls_mpi_init( &T ); mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 );
|
mbedtls_mpi_init( &T ); mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 );
|
||||||
|
mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); mbedtls_mpi_init( &R );
|
||||||
|
|
||||||
|
|
||||||
|
if( f_rng != NULL )
|
||||||
|
{
|
||||||
|
#if defined(MBEDTLS_RSA_NO_CRT)
|
||||||
|
mbedtls_mpi_init( &D_blind );
|
||||||
|
#else
|
||||||
|
mbedtls_mpi_init( &DP_blind );
|
||||||
|
mbedtls_mpi_init( &DQ_blind );
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
#if defined(MBEDTLS_THREADING_C)
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
|
if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
|
||||||
|
@ -390,19 +438,60 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
|
||||||
MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
|
MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) );
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Exponent blinding
|
||||||
|
*/
|
||||||
|
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
|
||||||
|
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_RSA_NO_CRT)
|
||||||
|
/*
|
||||||
|
* D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
|
||||||
|
*/
|
||||||
|
MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
|
||||||
|
f_rng, p_rng ) );
|
||||||
|
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &P1, &Q1 ) );
|
||||||
|
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &D_blind, &R ) );
|
||||||
|
MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) );
|
||||||
|
|
||||||
|
D = &D_blind;
|
||||||
|
#else
|
||||||
|
/*
|
||||||
|
* DP_blind = ( P - 1 ) * R + DP
|
||||||
|
*/
|
||||||
|
MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
|
||||||
|
f_rng, p_rng ) );
|
||||||
|
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind, &P1, &R ) );
|
||||||
|
MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind, &DP_blind,
|
||||||
|
&ctx->DP ) );
|
||||||
|
|
||||||
|
DP = &DP_blind;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* DQ_blind = ( Q - 1 ) * R + DQ
|
||||||
|
*/
|
||||||
|
MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
|
||||||
|
f_rng, p_rng ) );
|
||||||
|
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind, &Q1, &R ) );
|
||||||
|
MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind, &DQ_blind,
|
||||||
|
&ctx->DQ ) );
|
||||||
|
|
||||||
|
DQ = &DQ_blind;
|
||||||
|
#endif /* MBEDTLS_RSA_NO_CRT */
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_RSA_NO_CRT)
|
#if defined(MBEDTLS_RSA_NO_CRT)
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) );
|
||||||
#else
|
#else
|
||||||
/*
|
/*
|
||||||
* faster decryption using the CRT
|
* Faster decryption using the CRT
|
||||||
*
|
*
|
||||||
* T1 = input ^ dP mod P
|
* T1 = input ^ dP mod P
|
||||||
* T2 = input ^ dQ mod Q
|
* T2 = input ^ dQ mod Q
|
||||||
*/
|
*/
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T1, &T, DP, &ctx->P, &ctx->RP ) );
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T2, &T, DQ, &ctx->Q, &ctx->RQ ) );
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* T = (T1 - T2) * (Q^-1 mod P) mod P
|
* T = (T1 - T2) * (Q^-1 mod P) mod P
|
||||||
|
@ -438,6 +527,17 @@ cleanup:
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
mbedtls_mpi_free( &T ); mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 );
|
mbedtls_mpi_free( &T ); mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 );
|
||||||
|
mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &R );
|
||||||
|
|
||||||
|
if( f_rng != NULL )
|
||||||
|
{
|
||||||
|
#if defined(MBEDTLS_RSA_NO_CRT)
|
||||||
|
mbedtls_mpi_free( &D_blind );
|
||||||
|
#else
|
||||||
|
mbedtls_mpi_free( &DP_blind );
|
||||||
|
mbedtls_mpi_free( &DQ_blind );
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );
|
return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );
|
||||||
|
|
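Review bot: The exponent blinding added in the `@ -390,19 +438,60` hunk runs only inside the conditional that is closed by that hunk's trailing `}`; the opening of that conditional is outside the hunk, but the matching init and free guards in the neighbouring hunks make it evidently `if( f_rng != NULL )`, so a caller that passes a NULL `f_rng` still gets a private operation with neither base nor exponent blinding, and nothing in the new code or its comments records that degraded mode. I would state it in the new rationale comment above `RSA_EXPONENT_BLINDING`, e.g. `* Note: this (and the base blinding) is only applied when the caller supplies f_rng; with f_rng == NULL the private operation is unblinded.`, so the limitation is visible next to the security argument. That same comment reads `Exponent blinding supposed to prevent` and has `avarage` twice; `Exponent blinding is intended to prevent` and `on average` are the correct forms. It would also help to say in the macro's comment that the value is a byte count, since the three `mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING, ...)` calls pass it as a size in bytes, matching the `28 byte blinding` figure used in the rationale. `mbedtls_rsa_private` itself begins and ends outside these hunks.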