Hanno Becker
c36aab69b5
Swap D,E parameters in mbedtls_rsa_deduce_primes
2017-10-17 09:15:06 +01:00
Hanno Becker
ebd2c024dc
Don't require P,Q in rsa_private
if neither CRT nor blinding used
2017-10-12 10:57:39 +01:00
Hanno Becker
b82a5b554c
Fix typos and mixup related to RSA_NO_CRT
2017-10-11 19:12:00 +01:00
Hanno Becker
a565f54c4c
Introduce new files rsa_internal.[ch] for RSA helper functions
...
This commit splits off the RSA helper functions into separate headers and
compilation units to have a clearer separation of the public RSA interface,
intended to be used by end-users, and the helper functions which are publicly
provided only for the benefit of designers of alternative RSA implementations.
2017-10-11 11:00:19 +01:00
Hanno Becker
705fc68d72
Unify sanity checks for RSA private and public keys
2017-10-10 18:01:25 +01:00
Hanno Becker
e867489ff6
Remove outdated comments from mbedtls_rsa_complete
2017-10-10 17:56:14 +01:00
Hanno Becker
7f25f850ac
Adapt uses of mbedtls_rsa_complete
to removed PRNG argument
2017-10-10 16:56:22 +01:00
Hanno Becker
f9e184b9df
Remove PRNG argument from mbedtls_rsa_complete
2017-10-10 16:55:41 +01:00
Hanno Becker
68b4d58bd8
Remove PRNG argument from mbedtls_rsa_deduce_moduli
...
It is not necessary to pass a CSPRNG to `mbedtls_rsa_deduce_moduli`, as there
exist well-working static strategies, and even if a PRNG is preferred, a
non-secure one would be sufficient.
Further, the implementation is changed to use a static strategy for the choice
of candidates which according to some benchmarks even performs better than the
previous one using random candidate choices.
2017-10-10 16:39:10 +01:00
Hanno Becker
0f65e0ca03
Rename rsa_deduce_moduli
to rsa_deduce_primes
2017-10-03 14:40:44 +01:00
Hanno Becker
8ba6ce4f4f
Rename rsa_deduce_private
to rsa_deduce_private_exponent
2017-10-03 14:40:43 +01:00
Hanno Becker
45a0ef32d9
Correct memory leak in mbedtls_rsa_validate_crt
2017-10-03 14:32:56 +01:00
Hanno Becker
e58d38c66f
Minor improvements
2017-10-03 07:59:29 +01:00
Hanno Becker
2b2f898cbd
Streamline code-path in rsa_rsassa_pkcs1_v15_encode
2017-10-03 07:59:29 +01:00
Hanno Becker
64a8c0acd6
Verify PKCS1 v1.5 signature without parsing
...
This commit modifies the PKCS1 v1.5 signature verification function `mbedtls_rsa_rsassa_pkcs1_v15_verify` to prepare the
expected PKCS1-v1.5-encoded hash using the function also used by the signing routine `mbedtls_rsa_rsassa_pkcs1_v15_sign`
and comparing it to the provided byte-string afterwards. This comes at the benefits of (1) avoiding any error-prone
parsing, (2) removing the dependency of the RSA module on the ASN.1 parsing module, and (3) reducing code size.
2017-10-03 07:58:00 +01:00
Hanno Becker
fdf38030de
Outsource code for generating PKCS1 v1.5 encoding
...
This commit moves the code preparing PKCS1 v1.5 encoded hashes from `mbedtls_rsa_rsassa_pkcs1_v15_sign` to a separate
non-public function `rsa_rsassa_pkcs1_v15_encode`. This code-path will then be re-used by the signature verification function
`mbetls_rsa_rsassa_pkcs1_v15_verify` in a later commit.
2017-10-03 07:58:00 +01:00
Hanno Becker
171a8f1c95
Move constant time memcmp for signature verification
...
This commit replaces the ad-hoc code for constant-time double-checking the PKCS1 v1.5 RSA signature by an invocation of
`mbedtls_safer_memcmp`.
2017-10-03 07:58:00 +01:00
Hanno Becker
2dec5e8b00
Correct outdated comment
2017-10-03 07:49:52 +01:00
Hanno Becker
4e1be398f6
Remove FORCE_VERIFICATION and FORCE_BLINDING
2017-10-02 16:02:55 +01:00
Hanno Becker
b5beaa8995
Check that 1 < D, E < N in mbedtls_rsa_validate_params
2017-10-02 13:20:20 +01:00
Hanno Becker
c6fc878eda
Remove mbedtls_rsa_check_crt
...
This is no longer needed after the decision to not exhaustively validate private key material.
2017-10-02 13:20:15 +01:00
Hanno Becker
98838b04af
Minor improvements
2017-10-02 13:17:01 +01:00
Hanno Becker
7471631dde
Make input arguments to mbedtls_rsa_import_raw
constant
...
Original intention was to be allowed to perform in-place operations like changing the byte-order before importing
parameters into an HSM. Now a copy is needed in this case, but there's no more danger of a user expecting the arguments
to be left untouched.
2017-10-02 13:17:01 +01:00
Hanno Becker
bdefff1dde
Change signature of mbedtls_rsa_deduce_private
...
Make input arguments constant and adapt the implementation to use a temporary instead of in-place operations.
2017-10-02 09:59:48 +01:00
Hanno Becker
ba5b755f1a
Change signature and semantics of mbedtls_rsa_deduce_moduli
...
Input arguments are marked as constant. Further, no double-checking is performed when a factorization of the modulus has
been found.
2017-10-02 09:55:49 +01:00
Hanno Becker
56bae95e1d
Improve style and documentation, fix typo
2017-09-29 15:43:49 +01:00
Hanno Becker
2fdffe0da0
Check exactly for the RSA context fields required in rsa_private
...
Previously, the code was also checking for the presence of D for RSA-CRT, which
is not needed in this case.
2017-09-29 15:28:49 +01:00
Hanno Becker
bead71752e
Correct typo in rsa.c
2017-09-29 12:41:06 +01:00
Hanno Becker
ba1ba11a98
Check that length is properly set in mbedtls_rsa_check_pubkey
2017-09-29 11:54:05 +01:00
Hanno Becker
2f8f06aa25
Don't always recompute context length in mbedtls_rsa_get_len
...
This commit changes the implementation of `mbedtls_rsa_get_len` to return
`ctx->len` instead of always re-computing the modulus' byte-size via
`mbedtls_mpi_size`.
2017-09-29 11:54:05 +01:00
Hanno Becker
2cca6f3290
Always deduce N from P, Q in mbedtls_rsa_complete
...
Previously, a parameter set of (-, P, Q, -, E) was completed, but (-, P, Q, D,
E) wasn't - this is odd.
2017-09-29 11:54:05 +01:00
Hanno Becker
2c9f027e32
Don't require P,Q if CRT is not used
...
Previously, verification used P,Q regardless of whether CRT was used in the
computation, but this has changed in the meantime.
2017-09-28 11:04:13 +01:00
Hanno Becker
45037ceac5
Add check for presence of relevant parameters in mbedtls_rsa_private
...
If CRT is used, check for the presence N, P, Q, D, E, DP, DQ and QP. If CRT is
not used, check for N, P, Q, D, E only.
2017-09-14 08:02:14 +01:00
Hanno Becker
a988a2702a
Emit deprecation warning if MBEDTLS_RSA_FORCE_BLINDING is not set
2017-09-07 13:11:33 +01:00
Hanno Becker
cc209ca56d
Remove signature verification from rsa_rsassa_pkcs1_v15_sign
...
This verification path is redundant now that verification is uniformly done in
rsa_private.
2017-08-25 11:52:29 +01:00
Hanno Becker
43f94721ab
Add quick-check for presence of relevant parameters in rsa_private
2017-08-25 11:52:27 +01:00
Hanno Becker
c6075cc5ac
Don't use CRT for signature verification
...
If CRT is not used, the helper fields CRT are not assumed to be present in the
RSA context structure, so do the verification directly in this case. If CRT is
used, verification could be done using CRT, but we're sticking to ordinary
verification for uniformity.
2017-08-25 11:45:35 +01:00
Hanno Becker
b269a8584a
Change mbedtls_rsa_check_privkey to use new helper functions
2017-08-25 08:35:09 +01:00
Hanno Becker
d9431a7817
Minor comments improvement
2017-08-25 08:35:09 +01:00
Hanno Becker
d363799a9d
Add mbedtls_rsa_validate_crt
...
This commit adds the function mbedtls_rsa_validate_crt for validating a set of CRT parameters. The function
mbedtls_rsa_check_crt is simplified accordingly.
2017-08-25 08:35:09 +01:00
Hanno Becker
d56d83a7f3
Remove double-checking code from rsa_deduce_moduli and rsa_complete
2017-08-25 08:35:08 +01:00
Hanno Becker
750e8b4596
Rename rsa_check_params->rsa_validate_params and change error codes
2017-08-25 08:34:55 +01:00
Hanno Becker
fb81c0ec2e
Guard primality checks in RSA module by MBEDTLS_GENPRIME
...
Primality testing is guarded by the configuration flag MBEDTLS_GENPRIME and used in the new RSA helper functions. This
commit adds a corresponding preprocessor directive.
2017-08-24 06:55:11 +01:00
Hanno Becker
ab3773123c
Add support for alternative RSA implementations
...
Alternative RSA implementations can be provided by defining MBEDTLS_RSA_ALT in
config.h, defining an mbedtls_rsa_context struct in a new file rsa_alt.h and
re-implementing the RSA interface specified in rsa.h.
Through the previous reworkings, the adherence to the interface is the only
implementation obligation - in particular, implementors are free to use a
different layout for the RSA context structure.
2017-08-23 16:24:51 +01:00
Hanno Becker
6345dd33b9
Adapt rsa_check_privkey to deal with NO_CRT option
2017-08-23 16:17:28 +01:00
Hanno Becker
bee3aaeb50
Adapt rsa_gen_key to deal with RSA_NO_CRT option
2017-08-23 16:17:28 +01:00
Hanno Becker
dc95c890ad
Adapt rsa_deduce_crt to deal with RSA_NO_CRT option
2017-08-23 16:17:28 +01:00
Hanno Becker
33c30a0c7e
Adapt rsa_copy and rsa_free to deal with RSA_NO_CRT option
2017-08-23 16:17:28 +01:00
Hanno Becker
23344b5fcc
Adapt rsa_complete to deal with RSA_NO_CRT option
2017-08-23 16:17:28 +01:00
Hanno Becker
83aad1fa86
Adapt gen_key example program to new RSA interface
2017-08-23 16:17:27 +01:00
Hanno Becker
3a701161ff
Adapt RSA selftest to new RSA interface
...
This commit replaces direct manipulation of structure fields in the RSA selftest
by calls to the extended interface.
2017-08-23 15:07:40 +01:00
Hanno Becker
617c1aeb18
Implement new RSA interface functions
2017-08-23 14:47:22 +01:00
Hanno Becker
e2e8b8da1d
Implement RSA helper functions
2017-08-23 14:44:33 +01:00
Andres Amaya Garcia
c5c7d76bf5
Add goto exit; stmt in rsa.c for consistency
2017-07-20 14:42:16 +01:00
Andres Amaya Garcia
94682d1d7d
Fix use of unitialized ret in rsa.c
2017-07-20 14:26:37 +01:00
Andres Amaya Garcia
698089e07e
Change RSA to use new MD API and check return code
2017-06-28 13:01:15 +01:00
Hanno Becker
06811ced27
Put configuration options for RSA blinding and verification to work.
2017-06-09 13:29:53 +01:00
Hanno Becker
5bc8729b9e
Correct memory leak in RSA self test
...
The RSA self test didn't free the RSA context on failure.
2017-06-09 13:29:53 +01:00
Manuel Pégourié-Gonnard
b86b143030
Merge remote-tracking branch 'restricted/iotssl-1138-rsa-padding-check-restricted' into development-restricted
...
* restricted/iotssl-1138-rsa-padding-check-restricted:
RSA PKCS1v1.5 verification: check padding length
2017-06-08 20:31:06 +02:00
Manuel Pégourié-Gonnard
a0bf6ecfc3
Merge remote-tracking branch 'restricted/IOTSSL-1366/development-restricted' into development-restricted
...
* restricted/IOTSSL-1366/development-restricted:
More length checks in RSA PKCS1v15 verify
More length checks in RSA PKCS1v15 verify
2017-06-08 20:24:29 +02:00
Gilles Peskine
18ac716021
RSA: wipe more stack buffers
...
MGF mask and PSS salt are not highly sensitive, but wipe them anyway
for good hygiene.
2017-05-16 10:22:37 +01:00
Gilles Peskine
4a7f6a0ddb
RSA: wipe stack buffers
...
The RSA private key functions rsa_rsaes_pkcs1_v15_decrypt and
rsa_rsaes_oaep_decrypt put sensitive data (decryption results) on the
stack. Wipe it before returning.
Thanks to Laurent Simon for reporting this issue.
2017-05-16 10:22:37 +01:00
Janos Follath
f9203b4139
Add exponent blinding to RSA with CRT
...
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of different measurements.
This commit handles the case when the Chinese Remainder Theorem is used
to accelerate the computation.
2017-05-16 10:22:37 +01:00
Janos Follath
e81102e476
Add exponent blinding to RSA without CRT
...
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of fifferent measurements.
This commits handles the case when the Chinese Remainder Theorem is NOT
used to accelerate computations.
2017-05-16 10:22:37 +01:00
Manuel Pégourié-Gonnard
c1380de887
RSA PKCS1v1.5 verification: check padding length
...
The test case was generated by modifying our signature code so that it
produces a 7-byte long padding (which also means garbage at the end, so it is
essential in to check that the error that is detected first is indeed the
padding rather than the final length check).
2017-05-11 13:10:13 +02:00
Gilles Peskine
e7e7650480
More length checks in RSA PKCS1v15 verify
...
Added one check that I'd missed, and made the style more uniform.
2017-05-04 12:48:39 +02:00
Gilles Peskine
0e17eb05f8
More length checks in RSA PKCS1v15 verify
...
Tighten ASN.1 parsing of RSA PKCS#1 v1.5 signatures, to avoid a
potential Bleichenbacher-style attack.
2017-05-03 18:56:10 +02:00
Janos Follath
ef44178474
Restore P>Q in RSA key generation ( #558 )
...
The PKCS#1 standard says nothing about the relation between P and Q
but many libraries guarantee P>Q and mbed TLS did so too in earlier
versions.
This commit restores this behaviour.
2016-10-13 00:25:07 +01:00
Simon Butcher
ab069c6b46
Merge branch 'development' into development-restricted
2016-06-23 21:42:26 +01:00
Brian J Murray
e7be5bdb96
Fixed unchecked calls to mbedtls_md_setup in rsa.c ( #502 )
...
* Fixed unchecked calls to mbedtls_md_setup in rsa.c:
* style fixes
2016-06-23 20:57:03 +01:00
Simon Butcher
f991128d40
Revert accidental changes to file mode of rsa.c
2016-06-09 13:41:28 +01:00
Janos Follath
a338691b46
Merge branch 'development' into development-restricted
2016-06-07 09:24:41 +01:00
Simon Butcher
50cdede726
Revert accidental changes to file mode of rsa.c
2016-06-06 20:15:33 +01:00
Janos Follath
04b591ee79
Merge branch 'development' for weekly test report.
2016-05-31 10:18:41 +01:00
Simon Butcher
9c22e7311c
Merge branch 'development'
2016-05-24 13:25:46 +01:00
Simon Butcher
65b1fa6b07
Fixes warnings found by Clang static analyser
...
Also removes annotations in the code to avoid warnings which don't appear to
be needed.
2016-05-23 23:18:26 +01:00
Brian Murray
930a3701e7
fix indentation in output of selftest.c
2016-05-23 14:29:32 +01:00
Paul Bakker
38d188896c
Cleanup ifdef statements
2016-05-23 14:29:31 +01:00
Nicholas Wilson
e735303026
Shut up a few clang-analyze warnings about use of uninitialized variables
...
The functions are all safe, Clang just isn't clever enough to realise
it.
2016-05-23 14:29:28 +01:00
Simon Butcher
94bafdf834
Merge branch 'development'
2016-05-18 18:40:46 +01:00
Simon Butcher
c21bec8af4
Merge branch 'development'
2016-05-16 16:15:20 +01:00
Paul Bakker
21cc5741cf
Cleanup ifdef statements
2016-05-12 12:46:28 +01:00
Paul Bakker
f4743a6f5e
Merge pull request #457 from NWilson/clang-analyze-fixes
...
Clang analyze fixes
2016-05-11 20:20:42 +02:00
Simon Butcher
2300776816
Merge branch 'development'
2016-04-19 10:39:36 +01:00
Janos Follath
1ed9f99ef3
Fix null pointer dereference in the RSA module.
...
Introduced null pointer checks in mbedtls_rsa_rsaes_pkcs1_v15_encrypt
2016-04-19 10:16:31 +01:00
Simon Butcher
3f5c875654
Adds test for odd bit length RSA key size
...
Also tidy up ChangeLog following review.
2016-04-15 19:06:59 +01:00
Janos Follath
10c575be3e
Fix odd bitlength RSA key generation
...
Fix issue that caused a hang up when generating RSA keys of odd
bitlength.
2016-04-15 18:49:13 +01:00
Nicholas Wilson
409401c044
Shut up a few clang-analyze warnings about use of uninitialized variables
...
The functions are all safe, Clang just isn't clever enough to realise
it.
2016-04-13 11:56:22 +01:00
Simon Butcher
078bcdd6f6
Merge branch 'IOTSSL-628-BufferOverread'
2016-03-16 22:53:11 +00:00
Simon Butcher
0203745e23
Swap C++ comments to C for style consistency in rsa.c
2016-03-09 21:06:20 +00:00
Janos Follath
c69fa50d4c
Removing 'if' branch from the fix.
...
This new error shouldn't be distinguishable from other padding errors.
Updating 'bad' instead of adding a new 'if' branch.
2016-03-09 21:06:19 +00:00
Janos Follath
b6eb1ca01c
Length check added
2016-03-09 21:06:19 +00:00
Manuel Pégourié-Gonnard
370717b571
Add precision about exploitability in ChangeLog
...
Also fix some whitespace while at it.
2016-03-09 21:06:19 +00:00
Janos Follath
eddfe8f6f3
Included tests for the overflow
2016-03-09 21:06:19 +00:00
Janos Follath
c17cda1ab9
Moved underflow test to better reflect time constant behaviour.
2016-02-11 11:08:18 +00:00
Janos Follath
b8afe1bb2c
Included test for integer underflow.
2016-02-09 14:51:35 +00:00
Simon Butcher
bdae02ce90
Corrected references for RSA and DHM
...
The links in the references in rsa.c and dhm.c were no longer valid and needed
updating.
2016-01-20 00:44:42 +00:00
Simon Butcher
1285ab5dc2
Fix for memory leak in RSA-SSA signing
...
Fix in mbedtls_rsa_rsassa_pkcs1_v15_sign() in rsa.c
2016-01-01 21:42:47 +00:00
Manuel Pégourié-Gonnard
fb84d38b45
Try to prevent some misuse of RSA functions
...
fixes #331
2015-10-30 10:56:25 +01:00
Manuel Pégourié-Gonnard
5f50104c52
Add counter-measure against RSA-CRT attack
...
https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
2015-09-08 13:39:29 +02:00