Gilles Peskine
511bb84c60
RSA: Fix another buffer overflow in PSS signature verification
...
Fix buffer overflow in RSA-PSS signature verification when the masking
operation results in an all-zero buffer. This could happen at any key size.
2017-10-17 19:33:48 +02:00
Gilles Peskine
55db24ca50
RSA: Fix buffer overflow in PSS signature verification
...
Fix buffer overflow in RSA-PSS signature verification when the hash is
too large for the key size. Found by Seth Terashima, Qualcomm.
Added a non-regression test and a positive test with the smallest
permitted key size for a SHA-512 hash.
2017-10-17 19:30:12 +02:00
Manuel Pégourié-Gonnard
ce8f919a58
Merge remote-tracking branch 'restricted/iotssl-1138-rsa-padding-check-1.3-restricted' into mbedtls-1.3-restricted
...
* restricted/iotssl-1138-rsa-padding-check-1.3-restricted:
Fix backporting error
RSA PKCS1v1.5 verification: check padding length
2017-06-08 20:34:40 +02:00
Manuel Pégourié-Gonnard
9105b18f72
Merge remote-tracking branch 'restricted/IOTSSL-1366/mbedtls-1.3' into mbedtls-1.3-restricted
...
* restricted/IOTSSL-1366/mbedtls-1.3:
More length checks in RSA PKCS1v15 verify
More length checks in RSA PKCS1v15 verify
2017-06-08 20:27:19 +02:00
Manuel Pégourié-Gonnard
2634aa999d
Merge remote-tracking branch 'restricted/mbedtls-1.3' into mbedtls-1.3
...
* restricted/mbedtls-1.3:
RSA: wipe more stack buffers
RSA: wipe stack buffers
2017-06-06 18:26:32 +02:00
Gilles Peskine
73e7f4c0ee
RSA: wipe more stack buffers
...
MGF mask and PSS salt are not highly sensitive, but wipe them anyway
for good hygiene.
2017-05-15 13:58:45 +01:00
Gilles Peskine
213aec8688
RSA: wipe stack buffers
...
The RSA private key functions rsa_rsaes_pkcs1_v15_decrypt and
rsa_rsaes_oaep_decrypt put sensitive data (decryption results) on the
stack. Wipe it before returning.
Thanks to Laurent Simon for reporting this issue.
2017-05-15 13:58:45 +01:00
Manuel Pégourié-Gonnard
139708d105
Fix backporting errors
2017-05-11 15:10:32 +02:00
Manuel Pégourié-Gonnard
19c10e9984
RSA PKCS1v1.5 verification: check padding length
...
The test case was generated by modifying our signature code so that it
produces a 7-byte long padding (which also means garbage at the end, so it is
essential to check that the error that is detected first is indeed the
padding rather than the final length check).
2017-05-11 13:37:45 +02:00
Janos Follath
bb1e6888c9
Add exponent blinding to RSA with CRT
...
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of different measurements.
This commit handles the case when the Chinese Remainder Theorem is used
to accelerate the computation.
2017-05-11 11:22:51 +02:00
Janos Follath
5d392579c2
Add exponent blinding to RSA without CRT
...
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of different measurements.
This commits handles the case when the Chinese Remainder Theorem is NOT
used to accelerate computations.
2017-05-11 11:13:19 +02:00
Gilles Peskine
6e598a2065
More length checks in RSA PKCS1v15 verify
...
Added one check that I'd missed, and made the style more uniform.
Backport to 1.3.
2017-05-04 12:58:59 +02:00
Gilles Peskine
6de05fa058
More length checks in RSA PKCS1v15 verify
...
Tighten ASN.1 parsing of RSA PKCS#1 v1.5 signatures, to avoid a
potential Bleichenbacher-style attack.
Backport to 1.3
2017-05-03 18:49:35 +02:00
Simon Butcher
60371454bd
Merge branch for fix for #502 - Unchecked calls
2016-10-14 01:10:02 +01:00
Janos Follath
bfcd032f9d
Restore P>Q in RSA key generation ( #558 )
...
The PKCS#1 standard says nothing about the relation between P and Q
but many libraries guarantee P>Q and mbed TLS did so too in earlier
versions.
This commit restores this behaviour.
2016-10-13 12:54:33 +01:00
Brian J Murray
4556d205a3
Fixed unchecked calls to mbedtls_md_setup in rsa.c ( #502 )
...
* Fixed unchecked calls to mbedtls_md_setup in rsa.c:
* style fixes
2016-09-05 14:11:45 +01:00
Janos Follath
742783fe85
Included tests for the overflow
...
Conflicts:
library/rsa.c
2016-05-18 19:58:41 +01:00
Simon Butcher
d3253b018e
Fix for backprt of IOTSSL-628
...
Corrections to constand and function names changed between 1.3 and 2.1
2016-05-18 19:58:41 +01:00
Janos Follath
092f2c48c4
Move underflow test to make time constant
2016-05-18 19:58:41 +01:00
Janos Follath
3bed13df1c
Included test for integer underflow.
2016-05-18 19:58:40 +01:00
Janos Follath
f18263d78b
Removing 'if' branch from the fix.
...
This new error shouldn't be distinguishable from other padding errors.
Updating 'bad' instead of adding a new 'if' branch.
2016-05-18 19:58:40 +01:00
Janos Follath
f570f7f686
Length check added
2016-05-18 19:58:40 +01:00
Janos Follath
7ddc2cdfce
Fix null pointer dereference in the RSA module.
...
Introduced null pointer checks in mbedtls_rsa_rsaes_pkcs1_v15_encrypt
2016-04-19 10:28:24 +01:00
Simon Butcher
e9f842782b
Adds test for odd bit length RSA key size
...
Also tidy up ChangeLog following review.
2016-04-19 10:02:43 +01:00
Janos Follath
d61fc6881a
Fix odd bitlength RSA key generation
...
Fix issue that caused a hang up when generating RSA keys of odd
bitlength.
2016-04-19 09:42:17 +01:00
Simon Butcher
7d3f3a8ac8
Fix for memory leak in RSA-SSA signing
...
Fix in mbedtls_rsa_rsassa_pkcs1_v15_sign() in rsa.c. Resolves github issue #372
2016-01-02 00:03:39 +00:00
Manuel Pégourié-Gonnard
a1cdcd2364
Add counter-measure against RSA-CRT attack
...
https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
backport of 5f50104
2015-09-09 12:23:47 +02:00
Manuel Pégourié-Gonnard
5efed09c5f
Fix possible unlock before lock in RSA
...
Backport of 1385a28
and 4d04cdc
see #257
2015-08-31 10:21:10 +02:00
Manuel Pégourié-Gonnard
aac657a1d3
Merge remote-tracking branch 'pj/development' into mbedtls-1.3
...
* pj/development:
Added more constant-time code and removed biases in the prime number generation routines.
2015-04-15 14:12:59 +02:00
Manuel Pégourié-Gonnard
88fca3ef0e
Fix thread safety issue in RSA operations
...
The race was due to mpi_exp_mod storing a Montgomery coefficient in the
context (RM, RP, RQ).
The fix was verified with -fsanitize-thread using ssl_pthread_server and two
concurrent clients.
A more fine-grained fix should be possible, locking just enough time to check
if those values are OK and set them if not, rather than locking for the whole
mpi_exp_mod() operation, but it will be for later.
2015-03-27 15:12:05 +01:00
Pascal Junod
b99183dfc6
Added more constant-time code and removed biases in the prime number generation routines.
2015-03-11 16:49:45 +01:00
Manuel Pégourié-Gonnard
fe44643b0e
Rename website and repository
2015-03-06 13:17:10 +00:00
Manuel Pégourié-Gonnard
a273371fc4
Fix "int vs enum" warnings from armcc v5
...
enumerated type mixed with another type
2015-02-10 17:34:48 +01:00
Rich Evans
00ab47026b
cleanup library and some basic tests. Includes, add guards to includes
2015-02-10 11:28:46 +00:00
Manuel Pégourié-Gonnard
860b51642d
Fix url again
2015-01-28 17:12:07 +00:00
Manuel Pégourié-Gonnard
085ab040aa
Fix website url to use https.
2015-01-23 11:06:27 +00:00
Manuel Pégourié-Gonnard
9698f5852c
Remove maintainer line.
2015-01-23 10:59:00 +00:00
Manuel Pégourié-Gonnard
19f6b5dfaa
Remove redundant "all rights reserved"
2015-01-23 10:54:00 +00:00
Manuel Pégourié-Gonnard
a658a4051b
Update copyright
2015-01-23 09:55:24 +00:00
Manuel Pégourié-Gonnard
967a2a5f8c
Change name to mbed TLS in the copyright notice
2015-01-22 14:28:16 +00:00
Manuel Pégourié-Gonnard
2f8d1f9fc3
Add rsa_check_pub_priv()
2014-11-06 18:25:51 +01:00
Manuel Pégourié-Gonnard
e10e06d863
Blind RSA operations even without CRT
2014-11-06 18:25:44 +01:00
Paul Bakker
21e081b068
Prevent (incorrect) compiler warning
2014-07-24 10:38:01 +02:00
Paul Bakker
84bbeb58df
Adapt cipher and MD layer with _init() and _free()
2014-07-09 10:19:24 +02:00
Paul Bakker
66d5d076f7
Fix formatting in various code to match spacing from coding style
2014-06-17 17:06:47 +02:00
Paul Bakker
d8bb82665e
Fix code styling for return statements
2014-06-17 14:06:49 +02:00
Manuel Pégourié-Gonnard
88aa6e0b58
Fix potential memory leak in RSASSA-PSS verify
2014-06-06 16:32:22 +02:00
Manuel Pégourié-Gonnard
0eaa8beb36
Fix signedness warning
2014-06-06 16:32:22 +02:00
Manuel Pégourié-Gonnard
5ec628a2b9
Add rsa_rsassa_pss_verify_ext()
2014-06-05 14:02:05 +02:00
Manuel Pégourié-Gonnard
e6d1d82b66
Relax checks on RSA mode for public key operations
2014-06-04 12:09:08 +02:00