mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-01-28 18:32:56 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
5,399 Commits 170 Branches 263 Tags
Commit Graph

162 Commits

Author SHA1 Message Date
Gilles Peskine
139108af94 RSA PSS: fix minimum length check for keys of size 8N+1 
The check introduced by the previous security fix was off by one. It
fixed the buffer overflow but was not compliant with the definition of
PSS which technically led to accepting some invalid signatures (but
not signatures made without the private key).
 2017-10-18 19:03:42 +02:00
Gilles Peskine
6a54b0240d RSA: Fix another buffer overflow in PSS signature verification 
Fix buffer overflow in RSA-PSS signature verification when the masking
operation results in an all-zero buffer. This could happen at any key size.
 2017-10-17 19:12:36 +02:00
Gilles Peskine
28a0c72795 RSA: Fix buffer overflow in PSS signature verification 
Fix buffer overflow in RSA-PSS signature verification when the hash is
too large for the key size. Found by Seth Terashima, Qualcomm.

Added a non-regression test and a positive test with the smallest
permitted key size for a SHA-512 hash.
 2017-10-17 19:01:38 +02:00
Manuel Pégourié-Gonnard
b86b143030 Merge remote-tracking branch 'restricted/iotssl-1138-rsa-padding-check-restricted' into development-restricted 
* restricted/iotssl-1138-rsa-padding-check-restricted:
  RSA PKCS1v1.5 verification: check padding length
 2017-06-08 20:31:06 +02:00
Manuel Pégourié-Gonnard
a0bf6ecfc3 Merge remote-tracking branch 'restricted/IOTSSL-1366/development-restricted' into development-restricted 
* restricted/IOTSSL-1366/development-restricted:
  More length checks in RSA PKCS1v15 verify
  More length checks in RSA PKCS1v15 verify
 2017-06-08 20:24:29 +02:00
Gilles Peskine
18ac716021 RSA: wipe more stack buffers 
MGF mask and PSS salt are not highly sensitive, but wipe them anyway
for good hygiene.
 2017-05-16 10:22:37 +01:00
Gilles Peskine
4a7f6a0ddb RSA: wipe stack buffers 
The RSA private key functions rsa_rsaes_pkcs1_v15_decrypt and
rsa_rsaes_oaep_decrypt put sensitive data (decryption results) on the
stack. Wipe it before returning.

Thanks to Laurent Simon for reporting this issue.
 2017-05-16 10:22:37 +01:00
Janos Follath
f9203b4139 Add exponent blinding to RSA with CRT 
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of different measurements.

This commit handles the case when the Chinese Remainder Theorem is used
to accelerate the computation.
 2017-05-16 10:22:37 +01:00
Janos Follath
e81102e476 Add exponent blinding to RSA without CRT 
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of fifferent measurements.

This commits handles the case when the Chinese Remainder Theorem is NOT
used to accelerate computations.
 2017-05-16 10:22:37 +01:00
Manuel Pégourié-Gonnard
c1380de887 RSA PKCS1v1.5 verification: check padding length 
The test case was generated by modifying our signature code so that it
produces a 7-byte long padding (which also means garbage at the end, so it is
essential in to check that the error that is detected first is indeed the
padding rather than the final length check).
 2017-05-11 13:10:13 +02:00
Gilles Peskine
e7e7650480 More length checks in RSA PKCS1v15 verify 
Added one check that I'd missed, and made the style more uniform.
 2017-05-04 12:48:39 +02:00
Gilles Peskine
0e17eb05f8 More length checks in RSA PKCS1v15 verify 
Tighten ASN.1 parsing of RSA PKCS#1 v1.5 signatures, to avoid a
potential Bleichenbacher-style attack.
 2017-05-03 18:56:10 +02:00
Janos Follath
ef44178474 Restore P>Q in RSA key generation (#558) 
The PKCS#1 standard says nothing about the relation between P and Q
but many libraries guarantee P>Q and mbed TLS did so too in earlier
versions.

This commit restores this behaviour.
 2016-10-13 00:25:07 +01:00
Simon Butcher
ab069c6b46 Merge branch 'development' into development-restricted 2016-06-23 21:42:26 +01:00
Brian J Murray
e7be5bdb96 Fixed unchecked calls to mbedtls_md_setup in rsa.c (#502) 
* Fixed unchecked calls to mbedtls_md_setup in rsa.c:

* style fixes
 2016-06-23 20:57:03 +01:00
Simon Butcher
f991128d40 Revert accidental changes to file mode of rsa.c 2016-06-09 13:41:28 +01:00
Janos Follath
a338691b46 Merge branch 'development' into development-restricted 2016-06-07 09:24:41 +01:00
Simon Butcher
50cdede726 Revert accidental changes to file mode of rsa.c 2016-06-06 20:15:33 +01:00
Janos Follath
04b591ee79 Merge branch 'development' for weekly test report. 2016-05-31 10:18:41 +01:00
Simon Butcher
9c22e7311c Merge branch 'development' 2016-05-24 13:25:46 +01:00
Simon Butcher
65b1fa6b07 Fixes warnings found by Clang static analyser 
Also removes annotations in the code to avoid warnings which don't appear to
be needed.
 2016-05-23 23:18:26 +01:00
Brian Murray
930a3701e7 fix indentation in output of selftest.c 2016-05-23 14:29:32 +01:00
Paul Bakker
38d188896c Cleanup ifdef statements 2016-05-23 14:29:31 +01:00
Nicholas Wilson
e735303026 Shut up a few clang-analyze warnings about use of uninitialized variables 
The functions are all safe, Clang just isn't clever enough to realise
it.
 2016-05-23 14:29:28 +01:00
Simon Butcher
94bafdf834 Merge branch 'development' 2016-05-18 18:40:46 +01:00
Simon Butcher
c21bec8af4 Merge branch 'development' 2016-05-16 16:15:20 +01:00
Paul Bakker
21cc5741cf Cleanup ifdef statements 2016-05-12 12:46:28 +01:00
Paul Bakker
f4743a6f5e Merge pull request #457 from NWilson/clang-analyze-fixes 
Clang analyze fixes
 2016-05-11 20:20:42 +02:00
Simon Butcher
2300776816 Merge branch 'development' 2016-04-19 10:39:36 +01:00
Janos Follath
1ed9f99ef3 Fix null pointer dereference in the RSA module. 
Introduced null pointer checks in mbedtls_rsa_rsaes_pkcs1_v15_encrypt
 2016-04-19 10:16:31 +01:00
Simon Butcher
3f5c875654 Adds test for odd bit length RSA key size 
Also tidy up ChangeLog following review.
 2016-04-15 19:06:59 +01:00
Janos Follath
10c575be3e Fix odd bitlength RSA key generation 
Fix issue that caused a hang up when generating RSA keys of odd
bitlength.
 2016-04-15 18:49:13 +01:00
Nicholas Wilson
409401c044 Shut up a few clang-analyze warnings about use of uninitialized variables 
The functions are all safe, Clang just isn't clever enough to realise
it.
 2016-04-13 11:56:22 +01:00
Simon Butcher
078bcdd6f6 Merge branch 'IOTSSL-628-BufferOverread' 2016-03-16 22:53:11 +00:00
Simon Butcher
0203745e23 Swap C++ comments to C for style consistency in rsa.c 2016-03-09 21:06:20 +00:00
Janos Follath
c69fa50d4c Removing 'if' branch from the fix. 
This new error shouldn't be distinguishable from other padding errors.
Updating 'bad' instead of adding a new 'if' branch.
 2016-03-09 21:06:19 +00:00
Janos Follath
b6eb1ca01c Length check added 2016-03-09 21:06:19 +00:00
Manuel Pégourié-Gonnard
370717b571 Add precision about exploitability in ChangeLog 
Also fix some whitespace while at it.
 2016-03-09 21:06:19 +00:00
Janos Follath
eddfe8f6f3 Included tests for the overflow 2016-03-09 21:06:19 +00:00
Janos Follath
c17cda1ab9 Moved underflow test to better reflect time constant behaviour. 2016-02-11 11:08:18 +00:00
Janos Follath
b8afe1bb2c Included test for integer underflow. 2016-02-09 14:51:35 +00:00
Simon Butcher
bdae02ce90 Corrected references for RSA and DHM 
The links in the references in rsa.c and dhm.c were no longer valid and needed
updating.
 2016-01-20 00:44:42 +00:00
Simon Butcher
1285ab5dc2 Fix for memory leak in RSA-SSA signing 
Fix in mbedtls_rsa_rsassa_pkcs1_v15_sign() in rsa.c
 2016-01-01 21:42:47 +00:00
Manuel Pégourié-Gonnard
fb84d38b45 Try to prevent some misuse of RSA functions 
fixes #331
 2015-10-30 10:56:25 +01:00
Manuel Pégourié-Gonnard
5f50104c52 Add counter-measure against RSA-CRT attack 
https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
 2015-09-08 13:39:29 +02:00
Manuel Pégourié-Gonnard
37ff14062e Change main license to Apache 2.0 2015-09-04 14:21:07 +02:00
Manuel Pégourié-Gonnard
4d04cdcd12 Fix RSA mutex fix 
Once the mutex is acquired, we must goto cleanup rather that return.
Since cleanup adjusts the return value, adjust that in test cases.

Also, at cleanup we don't want to overwrite 'ret', or we'll loose track of
errors.

see #257
 2015-08-31 09:31:55 +02:00
Manuel Pégourié-Gonnard
1385a289f4 Fix possible mutex lock/unlock mismatch 
fixes #257
 2015-08-27 11:30:58 +02:00
Manuel Pégourié-Gonnard
d1004f02e6 Fix printed output of some selftests 2015-08-07 10:57:41 +02:00
Manuel Pégourié-Gonnard
6fb8187279 Update date in copyright line 2015-07-28 17:11:58 +02:00