Commit Graph

119 Commits

Author SHA1 Message Date
Janos Follath
bb1e6888c9 Add exponent blinding to RSA with CRT
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of different measurements.

This commit handles the case when the Chinese Remainder Theorem is used
to accelerate the computation.
2017-05-11 11:22:51 +02:00
Janos Follath
5d392579c2 Add exponent blinding to RSA without CRT
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of different measurements.

This commits handles the case when the Chinese Remainder Theorem is NOT
used to accelerate computations.
2017-05-11 11:13:19 +02:00
Simon Butcher
60371454bd Merge branch for fix for #502 - Unchecked calls 2016-10-14 01:10:02 +01:00
Janos Follath
bfcd032f9d Restore P>Q in RSA key generation (#558)
The PKCS#1 standard says nothing about the relation between P and Q
but many libraries guarantee P>Q and mbed TLS did so too in earlier
versions.

This commit restores this behaviour.
2016-10-13 12:54:33 +01:00
Brian J Murray
4556d205a3 Fixed unchecked calls to mbedtls_md_setup in rsa.c (#502)
* Fixed unchecked calls to mbedtls_md_setup in rsa.c:

* style fixes
2016-09-05 14:11:45 +01:00
Janos Follath
742783fe85 Included tests for the overflow
Conflicts:
	library/rsa.c
2016-05-18 19:58:41 +01:00
Simon Butcher
d3253b018e Fix for backprt of IOTSSL-628
Corrections to constand and function names changed between 1.3 and 2.1
2016-05-18 19:58:41 +01:00
Janos Follath
092f2c48c4 Move underflow test to make time constant 2016-05-18 19:58:41 +01:00
Janos Follath
3bed13df1c Included test for integer underflow. 2016-05-18 19:58:40 +01:00
Janos Follath
f18263d78b Removing 'if' branch from the fix.
This new error shouldn't be distinguishable from other padding errors.
Updating 'bad' instead of adding a new 'if' branch.
2016-05-18 19:58:40 +01:00
Janos Follath
f570f7f686 Length check added 2016-05-18 19:58:40 +01:00
Janos Follath
7ddc2cdfce Fix null pointer dereference in the RSA module.
Introduced null pointer checks in mbedtls_rsa_rsaes_pkcs1_v15_encrypt
2016-04-19 10:28:24 +01:00
Simon Butcher
e9f842782b Adds test for odd bit length RSA key size
Also tidy up ChangeLog following review.
2016-04-19 10:02:43 +01:00
Janos Follath
d61fc6881a Fix odd bitlength RSA key generation
Fix issue that caused a hang up when generating RSA keys of odd
bitlength.
2016-04-19 09:42:17 +01:00
Simon Butcher
7d3f3a8ac8 Fix for memory leak in RSA-SSA signing
Fix in mbedtls_rsa_rsassa_pkcs1_v15_sign() in rsa.c. Resolves github issue #372
2016-01-02 00:03:39 +00:00
Manuel Pégourié-Gonnard
a1cdcd2364 Add counter-measure against RSA-CRT attack
https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/

backport of 5f50104
2015-09-09 12:23:47 +02:00
Manuel Pégourié-Gonnard
5efed09c5f Fix possible unlock before lock in RSA
Backport of 1385a28 and 4d04cdc

see #257
2015-08-31 10:21:10 +02:00
Manuel Pégourié-Gonnard
aac657a1d3 Merge remote-tracking branch 'pj/development' into mbedtls-1.3
* pj/development:
  Added more constant-time code and removed biases in the prime number generation routines.
2015-04-15 14:12:59 +02:00
Manuel Pégourié-Gonnard
88fca3ef0e Fix thread safety issue in RSA operations
The race was due to mpi_exp_mod storing a Montgomery coefficient in the
context (RM, RP, RQ).

The fix was verified with -fsanitize-thread using ssl_pthread_server and two
concurrent clients.

A more fine-grained fix should be possible, locking just enough time to check
if those values are OK and set them if not, rather than locking for the whole
mpi_exp_mod() operation, but it will be for later.
2015-03-27 15:12:05 +01:00
Pascal Junod
b99183dfc6 Added more constant-time code and removed biases in the prime number generation routines. 2015-03-11 16:49:45 +01:00
Manuel Pégourié-Gonnard
fe44643b0e Rename website and repository 2015-03-06 13:17:10 +00:00
Manuel Pégourié-Gonnard
a273371fc4 Fix "int vs enum" warnings from armcc v5
enumerated type mixed with another type
2015-02-10 17:34:48 +01:00
Rich Evans
00ab47026b cleanup library and some basic tests. Includes, add guards to includes 2015-02-10 11:28:46 +00:00
Manuel Pégourié-Gonnard
860b51642d Fix url again 2015-01-28 17:12:07 +00:00
Manuel Pégourié-Gonnard
085ab040aa Fix website url to use https. 2015-01-23 11:06:27 +00:00
Manuel Pégourié-Gonnard
9698f5852c Remove maintainer line. 2015-01-23 10:59:00 +00:00
Manuel Pégourié-Gonnard
19f6b5dfaa Remove redundant "all rights reserved" 2015-01-23 10:54:00 +00:00
Manuel Pégourié-Gonnard
a658a4051b Update copyright 2015-01-23 09:55:24 +00:00
Manuel Pégourié-Gonnard
967a2a5f8c Change name to mbed TLS in the copyright notice 2015-01-22 14:28:16 +00:00
Manuel Pégourié-Gonnard
2f8d1f9fc3 Add rsa_check_pub_priv() 2014-11-06 18:25:51 +01:00
Manuel Pégourié-Gonnard
e10e06d863 Blind RSA operations even without CRT 2014-11-06 18:25:44 +01:00
Paul Bakker
21e081b068 Prevent (incorrect) compiler warning 2014-07-24 10:38:01 +02:00
Paul Bakker
84bbeb58df Adapt cipher and MD layer with _init() and _free() 2014-07-09 10:19:24 +02:00
Paul Bakker
66d5d076f7 Fix formatting in various code to match spacing from coding style 2014-06-17 17:06:47 +02:00
Paul Bakker
d8bb82665e Fix code styling for return statements 2014-06-17 14:06:49 +02:00
Manuel Pégourié-Gonnard
88aa6e0b58 Fix potential memory leak in RSASSA-PSS verify 2014-06-06 16:32:22 +02:00
Manuel Pégourié-Gonnard
0eaa8beb36 Fix signedness warning 2014-06-06 16:32:22 +02:00
Manuel Pégourié-Gonnard
5ec628a2b9 Add rsa_rsassa_pss_verify_ext() 2014-06-05 14:02:05 +02:00
Manuel Pégourié-Gonnard
e6d1d82b66 Relax checks on RSA mode for public key operations 2014-06-04 12:09:08 +02:00
Paul Bakker
9af723cee7 Fix formatting: remove trailing spaces, #endif with comments (> 10 lines) 2014-05-01 13:03:14 +02:00
Manuel Pégourié-Gonnard
cef4ad2509 Adapt sources to configurable config.h name 2014-04-30 16:40:20 +02:00
Paul Bakker
f96f7b607a On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings 2014-04-30 16:02:38 +02:00
Paul Bakker
24f37ccaed rsa_check_pubkey() now allows an E up to N 2014-04-30 13:43:51 +02:00
Paul Bakker
3d8fb63e11 Added missing MPI_CHK around mpi functions 2014-04-17 12:42:41 +02:00
Manuel Pégourié-Gonnard
fdddac90a6 Fix stupid bug in rsa_copy() 2014-03-26 12:58:49 +01:00
Manuel Pégourié-Gonnard
844a4c0aef Fix RSASSA-PSS example programs 2014-03-13 19:25:06 +01:00
Paul Bakker
7dc4c44267 Library files moved to use platform layer 2014-02-06 13:20:16 +01:00
Manuel Pégourié-Gonnard
fbf0915404 Fix bug in RSA PKCS#1 v1.5 "reversed" operations 2014-02-05 17:01:24 +01:00
Paul Bakker
42099c3155 Revert "Add pk_rsa_set_padding() and rsa_set_padding()"
This reverts commit b4fae579e8.

Conflicts:
	library/pk.c
	tests/suites/test_suite_pk.data
	tests/suites/test_suite_pk.function
2014-01-27 11:59:29 +01:00
Manuel Pégourié-Gonnard
b4fae579e8 Add pk_rsa_set_padding() and rsa_set_padding() 2014-01-22 13:03:27 +01:00