Andres Amaya Garcia
698089e07e
Change RSA to use new MD API and check return code
2017-06-28 13:01:15 +01:00
Manuel Pégourié-Gonnard
b86b143030
Merge remote-tracking branch 'restricted/iotssl-1138-rsa-padding-check-restricted' into development-restricted
...
* restricted/iotssl-1138-rsa-padding-check-restricted:
RSA PKCS1v1.5 verification: check padding length
2017-06-08 20:31:06 +02:00
Manuel Pégourié-Gonnard
a0bf6ecfc3
Merge remote-tracking branch 'restricted/IOTSSL-1366/development-restricted' into development-restricted
...
* restricted/IOTSSL-1366/development-restricted:
More length checks in RSA PKCS1v15 verify
More length checks in RSA PKCS1v15 verify
2017-06-08 20:24:29 +02:00
Gilles Peskine
18ac716021
RSA: wipe more stack buffers
...
MGF mask and PSS salt are not highly sensitive, but wipe them anyway
for good hygiene.
2017-05-16 10:22:37 +01:00
Gilles Peskine
4a7f6a0ddb
RSA: wipe stack buffers
...
The RSA private key functions rsa_rsaes_pkcs1_v15_decrypt and
rsa_rsaes_oaep_decrypt put sensitive data (decryption results) on the
stack. Wipe it before returning.
Thanks to Laurent Simon for reporting this issue.
2017-05-16 10:22:37 +01:00
Janos Follath
f9203b4139
Add exponent blinding to RSA with CRT
...
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of different measurements.
This commit handles the case when the Chinese Remainder Theorem is used
to accelerate the computation.
2017-05-16 10:22:37 +01:00
Janos Follath
e81102e476
Add exponent blinding to RSA without CRT
...
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of fifferent measurements.
This commits handles the case when the Chinese Remainder Theorem is NOT
used to accelerate computations.
2017-05-16 10:22:37 +01:00
Manuel Pégourié-Gonnard
c1380de887
RSA PKCS1v1.5 verification: check padding length
...
The test case was generated by modifying our signature code so that it
produces a 7-byte long padding (which also means garbage at the end, so it is
essential in to check that the error that is detected first is indeed the
padding rather than the final length check).
2017-05-11 13:10:13 +02:00
Gilles Peskine
e7e7650480
More length checks in RSA PKCS1v15 verify
...
Added one check that I'd missed, and made the style more uniform.
2017-05-04 12:48:39 +02:00
Gilles Peskine
0e17eb05f8
More length checks in RSA PKCS1v15 verify
...
Tighten ASN.1 parsing of RSA PKCS#1 v1.5 signatures, to avoid a
potential Bleichenbacher-style attack.
2017-05-03 18:56:10 +02:00
Janos Follath
ef44178474
Restore P>Q in RSA key generation ( #558 )
...
The PKCS#1 standard says nothing about the relation between P and Q
but many libraries guarantee P>Q and mbed TLS did so too in earlier
versions.
This commit restores this behaviour.
2016-10-13 00:25:07 +01:00
Simon Butcher
ab069c6b46
Merge branch 'development' into development-restricted
2016-06-23 21:42:26 +01:00
Brian J Murray
e7be5bdb96
Fixed unchecked calls to mbedtls_md_setup in rsa.c ( #502 )
...
* Fixed unchecked calls to mbedtls_md_setup in rsa.c:
* style fixes
2016-06-23 20:57:03 +01:00
Simon Butcher
f991128d40
Revert accidental changes to file mode of rsa.c
2016-06-09 13:41:28 +01:00
Janos Follath
a338691b46
Merge branch 'development' into development-restricted
2016-06-07 09:24:41 +01:00
Simon Butcher
50cdede726
Revert accidental changes to file mode of rsa.c
2016-06-06 20:15:33 +01:00
Janos Follath
04b591ee79
Merge branch 'development' for weekly test report.
2016-05-31 10:18:41 +01:00
Simon Butcher
9c22e7311c
Merge branch 'development'
2016-05-24 13:25:46 +01:00
Simon Butcher
65b1fa6b07
Fixes warnings found by Clang static analyser
...
Also removes annotations in the code to avoid warnings which don't appear to
be needed.
2016-05-23 23:18:26 +01:00
Brian Murray
930a3701e7
fix indentation in output of selftest.c
2016-05-23 14:29:32 +01:00
Paul Bakker
38d188896c
Cleanup ifdef statements
2016-05-23 14:29:31 +01:00
Nicholas Wilson
e735303026
Shut up a few clang-analyze warnings about use of uninitialized variables
...
The functions are all safe, Clang just isn't clever enough to realise
it.
2016-05-23 14:29:28 +01:00
Simon Butcher
94bafdf834
Merge branch 'development'
2016-05-18 18:40:46 +01:00
Simon Butcher
c21bec8af4
Merge branch 'development'
2016-05-16 16:15:20 +01:00
Paul Bakker
21cc5741cf
Cleanup ifdef statements
2016-05-12 12:46:28 +01:00
Paul Bakker
f4743a6f5e
Merge pull request #457 from NWilson/clang-analyze-fixes
...
Clang analyze fixes
2016-05-11 20:20:42 +02:00
Simon Butcher
2300776816
Merge branch 'development'
2016-04-19 10:39:36 +01:00
Janos Follath
1ed9f99ef3
Fix null pointer dereference in the RSA module.
...
Introduced null pointer checks in mbedtls_rsa_rsaes_pkcs1_v15_encrypt
2016-04-19 10:16:31 +01:00
Simon Butcher
3f5c875654
Adds test for odd bit length RSA key size
...
Also tidy up ChangeLog following review.
2016-04-15 19:06:59 +01:00
Janos Follath
10c575be3e
Fix odd bitlength RSA key generation
...
Fix issue that caused a hang up when generating RSA keys of odd
bitlength.
2016-04-15 18:49:13 +01:00
Nicholas Wilson
409401c044
Shut up a few clang-analyze warnings about use of uninitialized variables
...
The functions are all safe, Clang just isn't clever enough to realise
it.
2016-04-13 11:56:22 +01:00
Simon Butcher
078bcdd6f6
Merge branch 'IOTSSL-628-BufferOverread'
2016-03-16 22:53:11 +00:00
Simon Butcher
0203745e23
Swap C++ comments to C for style consistency in rsa.c
2016-03-09 21:06:20 +00:00
Janos Follath
c69fa50d4c
Removing 'if' branch from the fix.
...
This new error shouldn't be distinguishable from other padding errors.
Updating 'bad' instead of adding a new 'if' branch.
2016-03-09 21:06:19 +00:00
Janos Follath
b6eb1ca01c
Length check added
2016-03-09 21:06:19 +00:00
Manuel Pégourié-Gonnard
370717b571
Add precision about exploitability in ChangeLog
...
Also fix some whitespace while at it.
2016-03-09 21:06:19 +00:00
Janos Follath
eddfe8f6f3
Included tests for the overflow
2016-03-09 21:06:19 +00:00
Janos Follath
c17cda1ab9
Moved underflow test to better reflect time constant behaviour.
2016-02-11 11:08:18 +00:00
Janos Follath
b8afe1bb2c
Included test for integer underflow.
2016-02-09 14:51:35 +00:00
Simon Butcher
bdae02ce90
Corrected references for RSA and DHM
...
The links in the references in rsa.c and dhm.c were no longer valid and needed
updating.
2016-01-20 00:44:42 +00:00
Simon Butcher
1285ab5dc2
Fix for memory leak in RSA-SSA signing
...
Fix in mbedtls_rsa_rsassa_pkcs1_v15_sign() in rsa.c
2016-01-01 21:42:47 +00:00
Manuel Pégourié-Gonnard
fb84d38b45
Try to prevent some misuse of RSA functions
...
fixes #331
2015-10-30 10:56:25 +01:00
Manuel Pégourié-Gonnard
5f50104c52
Add counter-measure against RSA-CRT attack
...
https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
2015-09-08 13:39:29 +02:00
Manuel Pégourié-Gonnard
37ff14062e
Change main license to Apache 2.0
2015-09-04 14:21:07 +02:00
Manuel Pégourié-Gonnard
4d04cdcd12
Fix RSA mutex fix
...
Once the mutex is acquired, we must goto cleanup rather that return.
Since cleanup adjusts the return value, adjust that in test cases.
Also, at cleanup we don't want to overwrite 'ret', or we'll loose track of
errors.
see #257
2015-08-31 09:31:55 +02:00
Manuel Pégourié-Gonnard
1385a289f4
Fix possible mutex lock/unlock mismatch
...
fixes #257
2015-08-27 11:30:58 +02:00
Manuel Pégourié-Gonnard
d1004f02e6
Fix printed output of some selftests
2015-08-07 10:57:41 +02:00
Manuel Pégourié-Gonnard
6fb8187279
Update date in copyright line
2015-07-28 17:11:58 +02:00
Manuel Pégourié-Gonnard
c0696c216b
Rename mbedtls_mpi_msb to mbedtls_mpi_bitlen
2015-06-18 16:49:37 +02:00
Manuel Pégourié-Gonnard
bdd7828ca0
Always check return status of mutex_(un)lock()
2015-04-24 14:43:24 +02:00