diff --git a/configure.ac b/configure.ac index 753457d48..bf5a27fbe 100644 --- a/configure.ac +++ b/configure.ac @@ -192,6 +192,18 @@ AC_ARG_ENABLE([maxstrength], [ENABLED_MAXSTRENGTH=no]) +# Harden, enable Timing Resistance and Blinding by default +AC_ARG_ENABLE([harden], + [AS_HELP_STRING([--enable-harden],[Enable Hardened build, Enables Timing Resistance and Blinding (default: enabled)])], + [ENABLED_HARDEN=$enableval], + [ENABLED_HARDEN=yes]) + +if test "$ENABLED_HARDEN" = "yes" +then + AM_CFLAGS="$AM_CFLAGS -DTFM_TIMING_RESISTANT -DECC_TIMING_RESISTANT -DWC_RSA_BLINDING" +fi + + # IPv6 Test Apps AC_ARG_ENABLE([ipv6], [ --enable-ipv6 Enable testing of IPV6 (default: disabled)], diff --git a/mcapi/crypto.c b/mcapi/crypto.c index b73ff2772..c8a99f579 100644 --- a/mcapi/crypto.c +++ b/mcapi/crypto.c @@ -536,7 +536,22 @@ int CRYPT_RSA_EncryptSizeGet(CRYPT_RSA_CTX* rsa) return BAD_FUNC_ARG; return RsaEncryptSize((RsaKey*)rsa->holder); -} +} + + +int CRYPT_RSA_SetRng(CRYPT_RSA_CTX* rsa, CRYPT_RNG_CTX* rng) +{ + if (rsa == NULL) + return BAD_FUNC_ARG; + +#ifdef WC_RSA_BLINDING + return wc_RsaSetRNG((RsaKey*)rsa->holder, (WC_RNG*)rng); +#else + (void)rng; + + return 0; +#endif +} /* ECC init */ diff --git a/mcapi/crypto.h b/mcapi/crypto.h index 36232a452..8fe323631 100644 --- a/mcapi/crypto.h +++ b/mcapi/crypto.h @@ -220,7 +220,8 @@ int CRYPT_RSA_PrivateDecrypt(CRYPT_RSA_CTX*, unsigned char*, unsigned int, const unsigned char*, unsigned int); /* helpers */ -int CRYPT_RSA_EncryptSizeGet(CRYPT_RSA_CTX*); +int CRYPT_RSA_EncryptSizeGet(CRYPT_RSA_CTX*); +int CRYPT_RSA_SetRng(CRYPT_RSA_CTX*, CRYPT_RNG_CTX*); diff --git a/mcapi/mcapi_test.c b/mcapi/mcapi_test.c index a34834d17..0a6d77e74 100644 --- a/mcapi/mcapi_test.c +++ b/mcapi/mcapi_test.c @@ -1296,6 +1296,12 @@ static int check_rsa(void) return -1; } + ret = CRYPT_RSA_SetRng(&mcRsa, &mcRng); + if (ret != 0) { + printf("mcapi rsa set rng failed\n"); + return -1; + } + ret = CRYPT_RSA_PublicEncrypt(&mcRsa, out1, sizeof(out1), ourData, RSA_TEST_SIZE, &mcRng); if (ret < 0) { diff --git a/wolfcrypt/user-crypto/include/user_rsa.h b/wolfcrypt/user-crypto/include/user_rsa.h index fbf9430fe..72d2c610e 100644 --- a/wolfcrypt/user-crypto/include/user_rsa.h +++ b/wolfcrypt/user-crypto/include/user_rsa.h @@ -105,6 +105,7 @@ WOLFSSL_API int wc_RsaPublicKeyDecodeRaw(const byte* n, word32 nSz, #endif WOLFSSL_API int wc_RsaFlattenPublicKey(RsaKey*, byte*, word32*, byte*, word32*); +WOLFSSL_API int wc_RsaSetRNG(RsaKey* key, WC_RNG* rng); #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN) diff --git a/wolfcrypt/user-crypto/src/rsa.c b/wolfcrypt/user-crypto/src/rsa.c index 748c420c4..974789ce7 100644 --- a/wolfcrypt/user-crypto/src/rsa.c +++ b/wolfcrypt/user-crypto/src/rsa.c @@ -2670,5 +2670,19 @@ int wc_RsaKeyToPublicDer(RsaKey* key, byte* output, word32 inLen) #endif /* WOLFSSL_KEY_GEN */ +#ifdef WC_RSA_BLINDING + +int wc_RsaSetRNG(RsaKey* key, WC_RNG* rng) +{ + if (key == NULL) + return USER_CRYPTO_ERROR; + + (void)rng; + + return 0; +} + +#endif /* WC_RSA_BLINDING */ + #endif /* NO_RSA */ diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index c2130f6a2..ad95b6137 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -155,6 +155,8 @@ /* make sure old RNG name is used with CTaoCrypt FIPS */ #ifdef HAVE_FIPS #define WC_RNG RNG + /* blinding adds API not available yet in FIPS mode */ + #undef WC_RSA_BLINDING #endif