Commit Graph

188 Commits

Author SHA1 Message Date
Hanno Becker
45a0ef32d9 Correct memory leak in mbedtls_rsa_validate_crt 2017-10-03 14:32:56 +01:00
Hanno Becker
b5beaa8995 Check that 1 < D, E < N in mbedtls_rsa_validate_params 2017-10-02 13:20:20 +01:00
Hanno Becker
c6fc878eda Remove mbedtls_rsa_check_crt
This is no longer needed after the decision to not exhaustively validate private key material.
2017-10-02 13:20:15 +01:00
Hanno Becker
98838b04af Minor improvements 2017-10-02 13:17:01 +01:00
Hanno Becker
7471631dde Make input arguments to mbedtls_rsa_import_raw constant
Original intention was to be allowed to perform in-place operations like changing the byte-order before importing
parameters into an HSM. Now a copy is needed in this case, but there's no more danger of a user expecting the arguments
to be left untouched.
2017-10-02 13:17:01 +01:00
Hanno Becker
bdefff1dde Change signature of mbedtls_rsa_deduce_private
Make input arguments constant and adapt the implementation to use a temporary instead of in-place operations.
2017-10-02 09:59:48 +01:00
Hanno Becker
ba5b755f1a Change signature and semantics of mbedtls_rsa_deduce_moduli
Input arguments are marked as constant. Further, no double-checking is performed when a factorization of the modulus has
been found.
2017-10-02 09:55:49 +01:00
Hanno Becker
56bae95e1d Improve style and documentation, fix typo 2017-09-29 15:43:49 +01:00
Hanno Becker
bead71752e Correct typo in rsa.c 2017-09-29 12:41:06 +01:00
Hanno Becker
ba1ba11a98 Check that length is properly set in mbedtls_rsa_check_pubkey 2017-09-29 11:54:05 +01:00
Hanno Becker
2f8f06aa25 Don't always recompute context length in mbedtls_rsa_get_len
This commit changes the implementation of `mbedtls_rsa_get_len` to return
`ctx->len` instead of always re-computing the modulus' byte-size via
`mbedtls_mpi_size`.
2017-09-29 11:54:05 +01:00
Hanno Becker
2cca6f3290 Always deduce N from P, Q in mbedtls_rsa_complete
Previously, a parameter set of (-, P, Q, -, E) was completed, but (-, P, Q, D,
E) wasn't - this is odd.
2017-09-29 11:54:05 +01:00
Hanno Becker
45037ceac5 Add check for presence of relevant parameters in mbedtls_rsa_private
If CRT is used, check for the presence N, P, Q, D, E, DP, DQ and QP. If CRT is
not used, check for N, P, Q, D, E only.
2017-09-14 08:02:14 +01:00
Hanno Becker
b269a8584a Change mbedtls_rsa_check_privkey to use new helper functions 2017-08-25 08:35:09 +01:00
Hanno Becker
d9431a7817 Minor comments improvement 2017-08-25 08:35:09 +01:00
Hanno Becker
d363799a9d Add mbedtls_rsa_validate_crt
This commit adds the function mbedtls_rsa_validate_crt for validating a set of CRT parameters. The function
mbedtls_rsa_check_crt is simplified accordingly.
2017-08-25 08:35:09 +01:00
Hanno Becker
d56d83a7f3 Remove double-checking code from rsa_deduce_moduli and rsa_complete 2017-08-25 08:35:08 +01:00
Hanno Becker
750e8b4596 Rename rsa_check_params->rsa_validate_params and change error codes 2017-08-25 08:34:55 +01:00
Hanno Becker
fb81c0ec2e Guard primality checks in RSA module by MBEDTLS_GENPRIME
Primality testing is guarded by the configuration flag MBEDTLS_GENPRIME and used in the new RSA helper functions. This
commit adds a corresponding preprocessor directive.
2017-08-24 06:55:11 +01:00
Hanno Becker
ab3773123c Add support for alternative RSA implementations
Alternative RSA implementations can be provided by defining MBEDTLS_RSA_ALT in
config.h, defining an mbedtls_rsa_context struct in a new file rsa_alt.h and
re-implementing the RSA interface specified in rsa.h.

Through the previous reworkings, the adherence to the interface is the only
implementation obligation - in particular, implementors are free to use a
different layout for the RSA context structure.
2017-08-23 16:24:51 +01:00
Hanno Becker
6345dd33b9 Adapt rsa_check_privkey to deal with NO_CRT option 2017-08-23 16:17:28 +01:00
Hanno Becker
bee3aaeb50 Adapt rsa_gen_key to deal with RSA_NO_CRT option 2017-08-23 16:17:28 +01:00
Hanno Becker
dc95c890ad Adapt rsa_deduce_crt to deal with RSA_NO_CRT option 2017-08-23 16:17:28 +01:00
Hanno Becker
33c30a0c7e Adapt rsa_copy and rsa_free to deal with RSA_NO_CRT option 2017-08-23 16:17:28 +01:00
Hanno Becker
23344b5fcc Adapt rsa_complete to deal with RSA_NO_CRT option 2017-08-23 16:17:28 +01:00
Hanno Becker
83aad1fa86 Adapt gen_key example program to new RSA interface 2017-08-23 16:17:27 +01:00
Hanno Becker
3a701161ff Adapt RSA selftest to new RSA interface
This commit replaces direct manipulation of structure fields in the RSA selftest
by calls to the extended interface.
2017-08-23 15:07:40 +01:00
Hanno Becker
617c1aeb18 Implement new RSA interface functions 2017-08-23 14:47:22 +01:00
Hanno Becker
e2e8b8da1d Implement RSA helper functions 2017-08-23 14:44:33 +01:00
Manuel Pégourié-Gonnard
b86b143030 Merge remote-tracking branch 'restricted/iotssl-1138-rsa-padding-check-restricted' into development-restricted
* restricted/iotssl-1138-rsa-padding-check-restricted:
  RSA PKCS1v1.5 verification: check padding length
2017-06-08 20:31:06 +02:00
Manuel Pégourié-Gonnard
a0bf6ecfc3 Merge remote-tracking branch 'restricted/IOTSSL-1366/development-restricted' into development-restricted
* restricted/IOTSSL-1366/development-restricted:
  More length checks in RSA PKCS1v15 verify
  More length checks in RSA PKCS1v15 verify
2017-06-08 20:24:29 +02:00
Gilles Peskine
18ac716021 RSA: wipe more stack buffers
MGF mask and PSS salt are not highly sensitive, but wipe them anyway
for good hygiene.
2017-05-16 10:22:37 +01:00
Gilles Peskine
4a7f6a0ddb RSA: wipe stack buffers
The RSA private key functions rsa_rsaes_pkcs1_v15_decrypt and
rsa_rsaes_oaep_decrypt put sensitive data (decryption results) on the
stack. Wipe it before returning.

Thanks to Laurent Simon for reporting this issue.
2017-05-16 10:22:37 +01:00
Janos Follath
f9203b4139 Add exponent blinding to RSA with CRT
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of different measurements.

This commit handles the case when the Chinese Remainder Theorem is used
to accelerate the computation.
2017-05-16 10:22:37 +01:00
Janos Follath
e81102e476 Add exponent blinding to RSA without CRT
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of fifferent measurements.

This commits handles the case when the Chinese Remainder Theorem is NOT
used to accelerate computations.
2017-05-16 10:22:37 +01:00
Manuel Pégourié-Gonnard
c1380de887 RSA PKCS1v1.5 verification: check padding length
The test case was generated by modifying our signature code so that it
produces a 7-byte long padding (which also means garbage at the end, so it is
essential in to check that the error that is detected first is indeed the
padding rather than the final length check).
2017-05-11 13:10:13 +02:00
Gilles Peskine
e7e7650480 More length checks in RSA PKCS1v15 verify
Added one check that I'd missed, and made the style more uniform.
2017-05-04 12:48:39 +02:00
Gilles Peskine
0e17eb05f8 More length checks in RSA PKCS1v15 verify
Tighten ASN.1 parsing of RSA PKCS#1 v1.5 signatures, to avoid a
potential Bleichenbacher-style attack.
2017-05-03 18:56:10 +02:00
Janos Follath
ef44178474 Restore P>Q in RSA key generation (#558)
The PKCS#1 standard says nothing about the relation between P and Q
but many libraries guarantee P>Q and mbed TLS did so too in earlier
versions.

This commit restores this behaviour.
2016-10-13 00:25:07 +01:00
Simon Butcher
ab069c6b46 Merge branch 'development' into development-restricted 2016-06-23 21:42:26 +01:00
Brian J Murray
e7be5bdb96 Fixed unchecked calls to mbedtls_md_setup in rsa.c (#502)
* Fixed unchecked calls to mbedtls_md_setup in rsa.c:

* style fixes
2016-06-23 20:57:03 +01:00
Simon Butcher
f991128d40 Revert accidental changes to file mode of rsa.c 2016-06-09 13:41:28 +01:00
Janos Follath
a338691b46 Merge branch 'development' into development-restricted 2016-06-07 09:24:41 +01:00
Simon Butcher
50cdede726 Revert accidental changes to file mode of rsa.c 2016-06-06 20:15:33 +01:00
Janos Follath
04b591ee79 Merge branch 'development' for weekly test report. 2016-05-31 10:18:41 +01:00
Simon Butcher
9c22e7311c Merge branch 'development' 2016-05-24 13:25:46 +01:00
Simon Butcher
65b1fa6b07 Fixes warnings found by Clang static analyser
Also removes annotations in the code to avoid warnings which don't appear to
be needed.
2016-05-23 23:18:26 +01:00
Brian Murray
930a3701e7 fix indentation in output of selftest.c 2016-05-23 14:29:32 +01:00
Paul Bakker
38d188896c Cleanup ifdef statements 2016-05-23 14:29:31 +01:00
Nicholas Wilson
e735303026 Shut up a few clang-analyze warnings about use of uninitialized variables
The functions are all safe, Clang just isn't clever enough to realise
it.
2016-05-23 14:29:28 +01:00