Commit Graph

63 Commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
2bc4505f5d Add counter-measure against RSA-CRT attack
https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/

backport of a1cdcd2
2015-09-09 12:36:49 +02:00
Paul Bakker
530927b163 Update copyright line to 2015 2015-02-13 14:24:10 +01:00
Manuel Pégourié-Gonnard
e12abf90ce Fix url 2015-01-28 17:13:45 +00:00
Manuel Pégourié-Gonnard
0edee5e386 Update copyright notice 2015-01-26 15:29:40 +00:00
Manuel Pégourié-Gonnard
d730aa517a Use blinding for RSA even without CRT 2014-11-12 16:29:12 +01:00
Paul Bakker
95a11f8c16 On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings 2014-07-08 18:28:40 +02:00
Paul Bakker
b0af56334c rsa_check_pubkey() now allows an E up to N 2014-07-08 18:28:36 +02:00
Paul Bakker
7890e62a1f Added missing MPI_CHK around mpi functions 2014-07-08 18:28:29 +02:00
Manuel Pégourié-Gonnard
c675e4bde5 Fix bug in RSA PKCS#1 v1.5 "reversed" operations 2014-07-07 17:46:29 +02:00
Paul Bakker
7837026b91 Remove a few dead stores 2014-07-07 16:01:34 +02:00
Manuel Pégourié-Gonnard
9975c5d217 Check PKCS 1.5 padding in a more constant-time way
(Avoid branches that depend on secret data.)
2014-07-07 14:38:09 +02:00
Manuel Pégourié-Gonnard
d237d261e5 Check OAEP padding in a more constant-time way 2014-07-07 14:37:56 +02:00
Manuel Pégourié-Gonnard
3411464a64 RSA-OAEP decrypt: reorganise code 2014-07-07 14:37:39 +02:00
Paul Bakker
ff6e24710a RSA blinding: check highly unlikely cases 2014-07-07 13:34:41 +02:00
Paul Bakker
6b06502c4b Changed RSA blinding to a slower but thread-safe version 2013-10-07 12:06:29 +02:00
Paul Bakker
2f1481ec73 Additional fixed to rsa.c with regards to blinding 2013-10-04 16:46:21 +02:00
Paul Bakker
62087eed22 Fixed memory leak in rsa.c introduced in 43f9799 2013-10-04 10:57:12 +02:00
Paul Bakker
43f9799ce6 RSA blinding on CRT operations to counter timing attacks 2013-09-23 11:23:31 +02:00
Paul Bakker
8804f69d46 Removed timing differences due to bad padding from RSA decrypt for
PKCS#1 v1.5 operations
2013-03-06 18:01:03 +01:00
Paul Bakker
a43231c5a5 Added support for custom labels when using rsa_rsaes_oaep_encrypt() or rsa_rsaes_oaep_decrypt() 2013-03-06 18:01:02 +01:00
Paul Bakker
b386913f8b Split up the RSA PKCS#1 encrypt, decrypt, sign and verify functions
Split rsa_pkcs1_encrypt() into rsa_rsaes_oaep_encrypt() and
rsa_rsaes_pkcs1_v15_encrypt()
Split rsa_pkcs1_decrypt() into rsa_rsaes_oaep_decrypt() and
rsa_rsaes_pkcs1_v15_decrypt()
Split rsa_pkcs1_sign() into rsa_rsassa_pss_sign() and
rsa_rsassa_pkcs1_v15_sign()
Split rsa_pkcs1_verify() into rsa_rsassa_pss_verify() and
rsa_rsassa_pkcs1_v15_verify()

The original functions exist as generic wrappers to these functions.
2013-03-06 18:01:02 +01:00
Paul Bakker
02303e8be4 Moved md_init_ctx() calls around to minimize exit points 2013-01-03 11:08:31 +01:00
Paul Bakker
40628bad98 Memory leak when using RSA_PKCS_V21 operations fixed 2013-01-03 10:50:31 +01:00
Paul Bakker
9a73632fd9 - Merged changesets 1399 up to and including 1415 into 1.2 branch 2012-11-14 12:39:52 +00:00
Paul Bakker
0be82f20a9 - Updated rsa_pkcs1_verify() and rsa_pkcs1_sign() to use appropriate buffer size for max MPIs 2012-10-03 20:36:33 +00:00
Paul Bakker
321df6fb80 - Expanded rsa_check_privkey() to check DP, DQ and QP as well 2012-09-27 13:21:34 +00:00
Paul Bakker
bb51f0cb3d - Only include md.h if needed by POLARSSL_PKCS1_V21 2012-08-23 07:46:58 +00:00
Paul Bakker
3c16db9a10 - Fixed potential memory zeroization on miscrafted RSA key 2012-07-05 13:58:08 +00:00
Paul Bakker
e6ee41f932 - Added OpenSSL / PolarSSL compatibility script (tests/compat.sh) and example application (programs/ssl/o_p_test) (Requires OpenSSL)
- Handle encryption with private key and decryption with public key as per RFC 2313
2012-05-19 08:43:48 +00:00
Paul Bakker
56a7684023 - Added alternative for SHA1 signature structure to check for (without NULL) 2012-03-22 15:31:27 +00:00
Paul Bakker
ed375caa3b - Fixed signed status of ret 2012-01-14 18:10:38 +00:00
Paul Bakker
a3d195c41f - Changed the used random function pointer to more flexible format. Renamed havege_rand() to havege_random() to prevent mistakes. Lots of changes as a consequence in library code and programs 2011-11-27 21:07:34 +00:00
Paul Bakker
fe3256e54b - Introduced POLARSSL_MPI_MAX_SIZE and POLARSSL_MPI_MAX_BITS for MPI size management (Closes ticket #44) 2011-11-25 12:11:43 +00:00
Paul Bakker
1fe7d9baf9 - Fixed incorrect behaviour in case of RSASSA-PSS with a salt length smaller than the hash length. (Closes ticket #41) 2011-11-15 15:26:03 +00:00
Paul Bakker
b125ed8fc6 - Fixed typo in doxygen tag 2011-11-10 13:33:51 +00:00
Paul Bakker
684ddce18c - Minor fixer to remove compiler warnings for ARMCC 2011-07-01 09:25:54 +00:00
Paul Bakker
27fdf46d16 - Removed deprecated casts to int for now unsigned values 2011-06-09 13:55:13 +00:00
Paul Bakker
5690efccc4 - Fixed a whole bunch of dependencies on defines between files, examples and tests 2011-05-26 13:16:06 +00:00
Paul Bakker
9d781407bc - A error_strerror function() has been added to translate between error codes and their description.
- The error codes have been remapped and combining error codes is now done with a PLUS instead of an OR as error codes used are negative.
 - Descriptions to all error codes have been added.
 - Generation script for error.c has been created to automatically generate error.c from the available error definitions in the headers.
2011-05-09 16:17:09 +00:00
Paul Bakker
6c591fab72 - mpi_init() and mpi_free() only accept a single argument and do not accept variable arguments anymore. This prevents unexpected memory corruption in a number of use cases. 2011-05-05 11:49:20 +00:00
Paul Bakker
23986e5d5d - Major type rewrite of int to size_t for most variables and arguments used for buffer lengths and loops 2011-04-24 08:57:21 +00:00
Paul Bakker
0216cc1bee - Added flag to disable Chinese Remainder Theorem when using RSA private operation (POLARSSL_RSA_NO_CRT) 2011-03-26 13:40:23 +00:00
Paul Bakker
53019ae6f7 - RSASSA-PSS verification now properly handles salt lengths other than hlen 2011-03-25 13:58:48 +00:00
Paul Bakker
9dcc32236b - Added support for PKCS#1 v2.1 encoding and thus support for the RSAES-OAEP and RSASSA-PSS operations (enabled by POLARSSL_PKCS1_V21) 2011-03-08 14:16:06 +00:00
Paul Bakker
21eb2802fe - Changed origins of random function and pointer in rsa_pkcs1_encrypt, rsa_init, rsa_gen_key.
Moved to parameters of function instead of context pointers as within ssl_cli, context pointer cannot be set easily.
2010-08-16 11:10:02 +00:00
Paul Bakker
b96f154e51 - Fixed copyright message 2010-07-18 20:36:00 +00:00
Paul Bakker
84f12b76fc - Updated Copyright to correct entity 2010-07-18 10:13:04 +00:00
Paul Bakker
545570e208 - Added initialization for RSA where needed 2010-07-18 09:00:25 +00:00
Paul Bakker
b572adf5e6 - Removed dependency on rand() in rsa_pkcs1_encrypt(). Now using random fuction provided to context
- Expanded ssl_client2 arguments for more flexibility
 - rsa_check_private() now supports PKCS1v2 keys as well
 - Fixed deadlock in rsa_pkcs1_encrypt() on failing random generator
2010-07-18 08:29:32 +00:00
Paul Bakker
fc8c4360b8 - Updated copyright line to 2010 2010-03-21 17:37:16 +00:00