Hanno Becker
c6fc878eda
Remove mbedtls_rsa_check_crt
...
This is no longer needed after the decision to not exhaustively validate private key material.
2017-10-02 13:20:15 +01:00
Hanno Becker
98838b04af
Minor improvements
2017-10-02 13:17:01 +01:00
Hanno Becker
7471631dde
Make input arguments to mbedtls_rsa_import_raw
constant
...
Original intention was to be allowed to perform in-place operations like changing the byte-order before importing
parameters into an HSM. Now a copy is needed in this case, but there's no more danger of a user expecting the arguments
to be left untouched.
2017-10-02 13:17:01 +01:00
Hanno Becker
bdefff1dde
Change signature of mbedtls_rsa_deduce_private
...
Make input arguments constant and adapt the implementation to use a temporary instead of in-place operations.
2017-10-02 09:59:48 +01:00
Hanno Becker
ba5b755f1a
Change signature and semantics of mbedtls_rsa_deduce_moduli
...
Input arguments are marked as constant. Further, no double-checking is performed when a factorization of the modulus has
been found.
2017-10-02 09:55:49 +01:00
Hanno Becker
56bae95e1d
Improve style and documentation, fix typo
2017-09-29 15:43:49 +01:00
Hanno Becker
2fdffe0da0
Check exactly for the RSA context fields required in rsa_private
...
Previously, the code was also checking for the presence of D for RSA-CRT, which
is not needed in this case.
2017-09-29 15:28:49 +01:00
Hanno Becker
bead71752e
Correct typo in rsa.c
2017-09-29 12:41:06 +01:00
Hanno Becker
ba1ba11a98
Check that length is properly set in mbedtls_rsa_check_pubkey
2017-09-29 11:54:05 +01:00
Hanno Becker
2f8f06aa25
Don't always recompute context length in mbedtls_rsa_get_len
...
This commit changes the implementation of `mbedtls_rsa_get_len` to return
`ctx->len` instead of always re-computing the modulus' byte-size via
`mbedtls_mpi_size`.
2017-09-29 11:54:05 +01:00
Hanno Becker
2cca6f3290
Always deduce N from P, Q in mbedtls_rsa_complete
...
Previously, a parameter set of (-, P, Q, -, E) was completed, but (-, P, Q, D,
E) wasn't - this is odd.
2017-09-29 11:54:05 +01:00
Hanno Becker
2c9f027e32
Don't require P,Q if CRT is not used
...
Previously, verification used P,Q regardless of whether CRT was used in the
computation, but this has changed in the meantime.
2017-09-28 11:04:13 +01:00
Hanno Becker
45037ceac5
Add check for presence of relevant parameters in mbedtls_rsa_private
...
If CRT is used, check for the presence N, P, Q, D, E, DP, DQ and QP. If CRT is
not used, check for N, P, Q, D, E only.
2017-09-14 08:02:14 +01:00
Hanno Becker
a988a2702a
Emit deprecation warning if MBEDTLS_RSA_FORCE_BLINDING is not set
2017-09-07 13:11:33 +01:00
Hanno Becker
cc209ca56d
Remove signature verification from rsa_rsassa_pkcs1_v15_sign
...
This verification path is redundant now that verification is uniformly done in
rsa_private.
2017-08-25 11:52:29 +01:00
Hanno Becker
43f94721ab
Add quick-check for presence of relevant parameters in rsa_private
2017-08-25 11:52:27 +01:00
Hanno Becker
c6075cc5ac
Don't use CRT for signature verification
...
If CRT is not used, the helper fields CRT are not assumed to be present in the
RSA context structure, so do the verification directly in this case. If CRT is
used, verification could be done using CRT, but we're sticking to ordinary
verification for uniformity.
2017-08-25 11:45:35 +01:00
Hanno Becker
b269a8584a
Change mbedtls_rsa_check_privkey to use new helper functions
2017-08-25 08:35:09 +01:00
Hanno Becker
d9431a7817
Minor comments improvement
2017-08-25 08:35:09 +01:00
Hanno Becker
d363799a9d
Add mbedtls_rsa_validate_crt
...
This commit adds the function mbedtls_rsa_validate_crt for validating a set of CRT parameters. The function
mbedtls_rsa_check_crt is simplified accordingly.
2017-08-25 08:35:09 +01:00
Hanno Becker
d56d83a7f3
Remove double-checking code from rsa_deduce_moduli and rsa_complete
2017-08-25 08:35:08 +01:00
Hanno Becker
750e8b4596
Rename rsa_check_params->rsa_validate_params and change error codes
2017-08-25 08:34:55 +01:00
Hanno Becker
fb81c0ec2e
Guard primality checks in RSA module by MBEDTLS_GENPRIME
...
Primality testing is guarded by the configuration flag MBEDTLS_GENPRIME and used in the new RSA helper functions. This
commit adds a corresponding preprocessor directive.
2017-08-24 06:55:11 +01:00
Hanno Becker
ab3773123c
Add support for alternative RSA implementations
...
Alternative RSA implementations can be provided by defining MBEDTLS_RSA_ALT in
config.h, defining an mbedtls_rsa_context struct in a new file rsa_alt.h and
re-implementing the RSA interface specified in rsa.h.
Through the previous reworkings, the adherence to the interface is the only
implementation obligation - in particular, implementors are free to use a
different layout for the RSA context structure.
2017-08-23 16:24:51 +01:00
Hanno Becker
6345dd33b9
Adapt rsa_check_privkey to deal with NO_CRT option
2017-08-23 16:17:28 +01:00
Hanno Becker
bee3aaeb50
Adapt rsa_gen_key to deal with RSA_NO_CRT option
2017-08-23 16:17:28 +01:00
Hanno Becker
dc95c890ad
Adapt rsa_deduce_crt to deal with RSA_NO_CRT option
2017-08-23 16:17:28 +01:00
Hanno Becker
33c30a0c7e
Adapt rsa_copy and rsa_free to deal with RSA_NO_CRT option
2017-08-23 16:17:28 +01:00
Hanno Becker
23344b5fcc
Adapt rsa_complete to deal with RSA_NO_CRT option
2017-08-23 16:17:28 +01:00
Hanno Becker
83aad1fa86
Adapt gen_key example program to new RSA interface
2017-08-23 16:17:27 +01:00
Hanno Becker
3a701161ff
Adapt RSA selftest to new RSA interface
...
This commit replaces direct manipulation of structure fields in the RSA selftest
by calls to the extended interface.
2017-08-23 15:07:40 +01:00
Hanno Becker
617c1aeb18
Implement new RSA interface functions
2017-08-23 14:47:22 +01:00
Hanno Becker
e2e8b8da1d
Implement RSA helper functions
2017-08-23 14:44:33 +01:00
Andres Amaya Garcia
c5c7d76bf5
Add goto exit; stmt in rsa.c for consistency
2017-07-20 14:42:16 +01:00
Andres Amaya Garcia
94682d1d7d
Fix use of unitialized ret in rsa.c
2017-07-20 14:26:37 +01:00
Andres Amaya Garcia
698089e07e
Change RSA to use new MD API and check return code
2017-06-28 13:01:15 +01:00
Hanno Becker
06811ced27
Put configuration options for RSA blinding and verification to work.
2017-06-09 13:29:53 +01:00
Hanno Becker
5bc8729b9e
Correct memory leak in RSA self test
...
The RSA self test didn't free the RSA context on failure.
2017-06-09 13:29:53 +01:00
Manuel Pégourié-Gonnard
b86b143030
Merge remote-tracking branch 'restricted/iotssl-1138-rsa-padding-check-restricted' into development-restricted
...
* restricted/iotssl-1138-rsa-padding-check-restricted:
RSA PKCS1v1.5 verification: check padding length
2017-06-08 20:31:06 +02:00
Manuel Pégourié-Gonnard
a0bf6ecfc3
Merge remote-tracking branch 'restricted/IOTSSL-1366/development-restricted' into development-restricted
...
* restricted/IOTSSL-1366/development-restricted:
More length checks in RSA PKCS1v15 verify
More length checks in RSA PKCS1v15 verify
2017-06-08 20:24:29 +02:00
Gilles Peskine
18ac716021
RSA: wipe more stack buffers
...
MGF mask and PSS salt are not highly sensitive, but wipe them anyway
for good hygiene.
2017-05-16 10:22:37 +01:00
Gilles Peskine
4a7f6a0ddb
RSA: wipe stack buffers
...
The RSA private key functions rsa_rsaes_pkcs1_v15_decrypt and
rsa_rsaes_oaep_decrypt put sensitive data (decryption results) on the
stack. Wipe it before returning.
Thanks to Laurent Simon for reporting this issue.
2017-05-16 10:22:37 +01:00
Janos Follath
f9203b4139
Add exponent blinding to RSA with CRT
...
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of different measurements.
This commit handles the case when the Chinese Remainder Theorem is used
to accelerate the computation.
2017-05-16 10:22:37 +01:00
Janos Follath
e81102e476
Add exponent blinding to RSA without CRT
...
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of fifferent measurements.
This commits handles the case when the Chinese Remainder Theorem is NOT
used to accelerate computations.
2017-05-16 10:22:37 +01:00
Manuel Pégourié-Gonnard
c1380de887
RSA PKCS1v1.5 verification: check padding length
...
The test case was generated by modifying our signature code so that it
produces a 7-byte long padding (which also means garbage at the end, so it is
essential in to check that the error that is detected first is indeed the
padding rather than the final length check).
2017-05-11 13:10:13 +02:00
Gilles Peskine
e7e7650480
More length checks in RSA PKCS1v15 verify
...
Added one check that I'd missed, and made the style more uniform.
2017-05-04 12:48:39 +02:00
Gilles Peskine
0e17eb05f8
More length checks in RSA PKCS1v15 verify
...
Tighten ASN.1 parsing of RSA PKCS#1 v1.5 signatures, to avoid a
potential Bleichenbacher-style attack.
2017-05-03 18:56:10 +02:00
Janos Follath
ef44178474
Restore P>Q in RSA key generation ( #558 )
...
The PKCS#1 standard says nothing about the relation between P and Q
but many libraries guarantee P>Q and mbed TLS did so too in earlier
versions.
This commit restores this behaviour.
2016-10-13 00:25:07 +01:00
Simon Butcher
ab069c6b46
Merge branch 'development' into development-restricted
2016-06-23 21:42:26 +01:00
Brian J Murray
e7be5bdb96
Fixed unchecked calls to mbedtls_md_setup in rsa.c ( #502 )
...
* Fixed unchecked calls to mbedtls_md_setup in rsa.c:
* style fixes
2016-06-23 20:57:03 +01:00
Simon Butcher
f991128d40
Revert accidental changes to file mode of rsa.c
2016-06-09 13:41:28 +01:00
Janos Follath
a338691b46
Merge branch 'development' into development-restricted
2016-06-07 09:24:41 +01:00
Simon Butcher
50cdede726
Revert accidental changes to file mode of rsa.c
2016-06-06 20:15:33 +01:00
Janos Follath
04b591ee79
Merge branch 'development' for weekly test report.
2016-05-31 10:18:41 +01:00
Simon Butcher
9c22e7311c
Merge branch 'development'
2016-05-24 13:25:46 +01:00
Simon Butcher
65b1fa6b07
Fixes warnings found by Clang static analyser
...
Also removes annotations in the code to avoid warnings which don't appear to
be needed.
2016-05-23 23:18:26 +01:00
Brian Murray
930a3701e7
fix indentation in output of selftest.c
2016-05-23 14:29:32 +01:00
Paul Bakker
38d188896c
Cleanup ifdef statements
2016-05-23 14:29:31 +01:00
Nicholas Wilson
e735303026
Shut up a few clang-analyze warnings about use of uninitialized variables
...
The functions are all safe, Clang just isn't clever enough to realise
it.
2016-05-23 14:29:28 +01:00
Simon Butcher
94bafdf834
Merge branch 'development'
2016-05-18 18:40:46 +01:00
Simon Butcher
c21bec8af4
Merge branch 'development'
2016-05-16 16:15:20 +01:00
Paul Bakker
21cc5741cf
Cleanup ifdef statements
2016-05-12 12:46:28 +01:00
Paul Bakker
f4743a6f5e
Merge pull request #457 from NWilson/clang-analyze-fixes
...
Clang analyze fixes
2016-05-11 20:20:42 +02:00
Simon Butcher
2300776816
Merge branch 'development'
2016-04-19 10:39:36 +01:00
Janos Follath
1ed9f99ef3
Fix null pointer dereference in the RSA module.
...
Introduced null pointer checks in mbedtls_rsa_rsaes_pkcs1_v15_encrypt
2016-04-19 10:16:31 +01:00
Simon Butcher
3f5c875654
Adds test for odd bit length RSA key size
...
Also tidy up ChangeLog following review.
2016-04-15 19:06:59 +01:00
Janos Follath
10c575be3e
Fix odd bitlength RSA key generation
...
Fix issue that caused a hang up when generating RSA keys of odd
bitlength.
2016-04-15 18:49:13 +01:00
Nicholas Wilson
409401c044
Shut up a few clang-analyze warnings about use of uninitialized variables
...
The functions are all safe, Clang just isn't clever enough to realise
it.
2016-04-13 11:56:22 +01:00
Simon Butcher
078bcdd6f6
Merge branch 'IOTSSL-628-BufferOverread'
2016-03-16 22:53:11 +00:00
Simon Butcher
0203745e23
Swap C++ comments to C for style consistency in rsa.c
2016-03-09 21:06:20 +00:00
Janos Follath
c69fa50d4c
Removing 'if' branch from the fix.
...
This new error shouldn't be distinguishable from other padding errors.
Updating 'bad' instead of adding a new 'if' branch.
2016-03-09 21:06:19 +00:00
Janos Follath
b6eb1ca01c
Length check added
2016-03-09 21:06:19 +00:00
Manuel Pégourié-Gonnard
370717b571
Add precision about exploitability in ChangeLog
...
Also fix some whitespace while at it.
2016-03-09 21:06:19 +00:00
Janos Follath
eddfe8f6f3
Included tests for the overflow
2016-03-09 21:06:19 +00:00
Janos Follath
c17cda1ab9
Moved underflow test to better reflect time constant behaviour.
2016-02-11 11:08:18 +00:00
Janos Follath
b8afe1bb2c
Included test for integer underflow.
2016-02-09 14:51:35 +00:00
Simon Butcher
bdae02ce90
Corrected references for RSA and DHM
...
The links in the references in rsa.c and dhm.c were no longer valid and needed
updating.
2016-01-20 00:44:42 +00:00
Simon Butcher
1285ab5dc2
Fix for memory leak in RSA-SSA signing
...
Fix in mbedtls_rsa_rsassa_pkcs1_v15_sign() in rsa.c
2016-01-01 21:42:47 +00:00
Manuel Pégourié-Gonnard
fb84d38b45
Try to prevent some misuse of RSA functions
...
fixes #331
2015-10-30 10:56:25 +01:00
Manuel Pégourié-Gonnard
5f50104c52
Add counter-measure against RSA-CRT attack
...
https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
2015-09-08 13:39:29 +02:00
Manuel Pégourié-Gonnard
37ff14062e
Change main license to Apache 2.0
2015-09-04 14:21:07 +02:00
Manuel Pégourié-Gonnard
4d04cdcd12
Fix RSA mutex fix
...
Once the mutex is acquired, we must goto cleanup rather that return.
Since cleanup adjusts the return value, adjust that in test cases.
Also, at cleanup we don't want to overwrite 'ret', or we'll loose track of
errors.
see #257
2015-08-31 09:31:55 +02:00
Manuel Pégourié-Gonnard
1385a289f4
Fix possible mutex lock/unlock mismatch
...
fixes #257
2015-08-27 11:30:58 +02:00
Manuel Pégourié-Gonnard
d1004f02e6
Fix printed output of some selftests
2015-08-07 10:57:41 +02:00
Manuel Pégourié-Gonnard
6fb8187279
Update date in copyright line
2015-07-28 17:11:58 +02:00
Manuel Pégourié-Gonnard
c0696c216b
Rename mbedtls_mpi_msb to mbedtls_mpi_bitlen
2015-06-18 16:49:37 +02:00
Manuel Pégourié-Gonnard
bdd7828ca0
Always check return status of mutex_(un)lock()
2015-04-24 14:43:24 +02:00
Manuel Pégourié-Gonnard
53c76c07de
Merge branch 'mbedtls-1.3' into development
...
* commit 'ce60fbe':
Fix potential timing difference with RSA PMS
Update Changelog for recent merge
Added more constant-time code and removed biases in the prime number generation routines.
Conflicts:
library/bignum.c
library/ssl_srv.c
2015-04-17 20:19:32 +02:00
Manuel Pégourié-Gonnard
aac657a1d3
Merge remote-tracking branch 'pj/development' into mbedtls-1.3
...
* pj/development:
Added more constant-time code and removed biases in the prime number generation routines.
2015-04-15 14:12:59 +02:00
Manuel Pégourié-Gonnard
2cf5a7c98e
The Great Renaming
...
A simple execution of tmp/invoke-rename.pl
2015-04-08 13:25:31 +02:00
Manuel Pégourié-Gonnard
998930ae0d
Replace non-ascii characters in source files
2015-04-03 13:48:06 +02:00
Manuel Pégourié-Gonnard
26c9f90cae
Merge branch 'mbedtls-1.3' into development
...
* mbedtls-1.3:
Add missing depends in x509 programs
Simplify ifdef checks in programs/x509
Fix thread safety issue in RSA operations
Add test certificate for bitstring in DN
Add support for X.520 uniqueIdentifier
Accept bitstrings in X.509 names
2015-03-31 17:56:15 +02:00
Manuel Pégourié-Gonnard
88fca3ef0e
Fix thread safety issue in RSA operations
...
The race was due to mpi_exp_mod storing a Montgomery coefficient in the
context (RM, RP, RQ).
The fix was verified with -fsanitize-thread using ssl_pthread_server and two
concurrent clients.
A more fine-grained fix should be possible, locking just enough time to check
if those values are OK and set them if not, rather than locking for the whole
mpi_exp_mod() operation, but it will be for later.
2015-03-27 15:12:05 +01:00
Manuel Pégourié-Gonnard
abb674467b
Rename md_init_ctx() to md_setup()
2015-03-25 21:55:56 +01:00
Manuel Pégourié-Gonnard
4063ceb281
Make hmac_ctx optional
...
Note from future self: actually md_init_ctx will be re-introduced with the
same signature later, and a new function with the additional argument will be
added.
2015-03-25 21:55:56 +01:00
Manuel Pégourié-Gonnard
ca878dbaa5
Make md_info_t an opaque structure
...
- more freedom for us to change it in the future
- enforces hygiene
- performance impact of making accessors no longer inline should really be
negligible
2015-03-25 21:37:15 +01:00
Pascal Junod
b99183dfc6
Added more constant-time code and removed biases in the prime number generation routines.
2015-03-11 16:49:45 +01:00
Manuel Pégourié-Gonnard
7f8099773e
Rename include directory to mbedtls
2015-03-10 11:23:56 +00:00
Manuel Pégourié-Gonnard
fe44643b0e
Rename website and repository
2015-03-06 13:17:10 +00:00
Manuel Pégourié-Gonnard
a273371fc4
Fix "int vs enum" warnings from armcc v5
...
enumerated type mixed with another type
2015-02-10 17:34:48 +01:00
Rich Evans
00ab47026b
cleanup library and some basic tests. Includes, add guards to includes
2015-02-10 11:28:46 +00:00
Manuel Pégourié-Gonnard
860b51642d
Fix url again
2015-01-28 17:12:07 +00:00
Manuel Pégourié-Gonnard
085ab040aa
Fix website url to use https.
2015-01-23 11:06:27 +00:00
Manuel Pégourié-Gonnard
9698f5852c
Remove maintainer line.
2015-01-23 10:59:00 +00:00
Manuel Pégourié-Gonnard
19f6b5dfaa
Remove redundant "all rights reserved"
2015-01-23 10:54:00 +00:00
Manuel Pégourié-Gonnard
a658a4051b
Update copyright
2015-01-23 09:55:24 +00:00
Manuel Pégourié-Gonnard
967a2a5f8c
Change name to mbed TLS in the copyright notice
2015-01-22 14:28:16 +00:00
Manuel Pégourié-Gonnard
2f8d1f9fc3
Add rsa_check_pub_priv()
2014-11-06 18:25:51 +01:00
Manuel Pégourié-Gonnard
e10e06d863
Blind RSA operations even without CRT
2014-11-06 18:25:44 +01:00
Paul Bakker
21e081b068
Prevent (incorrect) compiler warning
2014-07-24 10:38:01 +02:00
Paul Bakker
84bbeb58df
Adapt cipher and MD layer with _init() and _free()
2014-07-09 10:19:24 +02:00
Paul Bakker
66d5d076f7
Fix formatting in various code to match spacing from coding style
2014-06-17 17:06:47 +02:00
Paul Bakker
d8bb82665e
Fix code styling for return statements
2014-06-17 14:06:49 +02:00
Manuel Pégourié-Gonnard
88aa6e0b58
Fix potential memory leak in RSASSA-PSS verify
2014-06-06 16:32:22 +02:00
Manuel Pégourié-Gonnard
0eaa8beb36
Fix signedness warning
2014-06-06 16:32:22 +02:00
Manuel Pégourié-Gonnard
5ec628a2b9
Add rsa_rsassa_pss_verify_ext()
2014-06-05 14:02:05 +02:00
Manuel Pégourié-Gonnard
e6d1d82b66
Relax checks on RSA mode for public key operations
2014-06-04 12:09:08 +02:00
Paul Bakker
9af723cee7
Fix formatting: remove trailing spaces, #endif with comments (> 10 lines)
2014-05-01 13:03:14 +02:00
Manuel Pégourié-Gonnard
cef4ad2509
Adapt sources to configurable config.h name
2014-04-30 16:40:20 +02:00
Paul Bakker
f96f7b607a
On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
2014-04-30 16:02:38 +02:00
Paul Bakker
24f37ccaed
rsa_check_pubkey() now allows an E up to N
2014-04-30 13:43:51 +02:00
Paul Bakker
3d8fb63e11
Added missing MPI_CHK around mpi functions
2014-04-17 12:42:41 +02:00
Manuel Pégourié-Gonnard
fdddac90a6
Fix stupid bug in rsa_copy()
2014-03-26 12:58:49 +01:00
Manuel Pégourié-Gonnard
844a4c0aef
Fix RSASSA-PSS example programs
2014-03-13 19:25:06 +01:00
Paul Bakker
7dc4c44267
Library files moved to use platform layer
2014-02-06 13:20:16 +01:00
Manuel Pégourié-Gonnard
fbf0915404
Fix bug in RSA PKCS#1 v1.5 "reversed" operations
2014-02-05 17:01:24 +01:00
Paul Bakker
42099c3155
Revert "Add pk_rsa_set_padding() and rsa_set_padding()"
...
This reverts commit b4fae579e8
.
Conflicts:
library/pk.c
tests/suites/test_suite_pk.data
tests/suites/test_suite_pk.function
2014-01-27 11:59:29 +01:00
Manuel Pégourié-Gonnard
b4fae579e8
Add pk_rsa_set_padding() and rsa_set_padding()
2014-01-22 13:03:27 +01:00
Manuel Pégourié-Gonnard
7c59363a85
Remove a few dead stores
2014-01-22 13:02:39 +01:00
Paul Bakker
4de44aa0ae
Rewrote check to prevent read of uninitialized data in
...
rsa_rsassa_pss_verify()
2013-12-31 11:43:01 +01:00
Paul Bakker
fef3c5a652
Fixed typo in POLARSSL_PKCS1_V15 in rsa.c
2013-12-11 13:36:30 +01:00
Manuel Pégourié-Gonnard
27290daf3b
Check PKCS 1.5 padding in a more constant-time way
...
(Avoid branches that depend on secret data.)
2013-11-30 13:36:53 +01:00
Manuel Pégourié-Gonnard
ab44d7ecc3
Check OAEP padding in a more constant-time way
2013-11-30 13:13:05 +01:00
Manuel Pégourié-Gonnard
a5cfc35db2
RSA-OAEP decrypt: reorganise code
2013-11-29 11:58:13 +01:00
Paul Bakker
b9cfaa0c7f
Explicit conversions and minor changes to prevent MSVC compiler warnings
2013-10-14 15:50:40 +02:00
Manuel Pégourié-Gonnard
ae102995a7
RSA blinding: lock for a smaller amount of time
2013-10-11 09:19:12 +02:00
Manuel Pégourié-Gonnard
4d89c7e184
RSA blinding: check highly unlikely cases
2013-10-11 09:18:27 +02:00
Manuel Pégourié-Gonnard
971f8b84bb
Fix compile errors with RSA_NO_CRT
2013-10-11 09:18:16 +02:00
Paul Bakker
c9965dca27
RSA blinding threading support
2013-09-29 15:02:11 +02:00
Paul Bakker
3e41fe8938
Remove printf when RSA selftest is skipped
2013-09-15 17:42:50 +02:00
Manuel Pégourié-Gonnard
735b8fcb0b
Fix blunder in 8a109f1
2013-09-13 12:57:23 +02:00
Paul Bakker
9013af76a3
Merged major refactoring of x509write module into development
...
This refactoring adds support for proper CSR writing and X509
certificate generation / signing
2013-09-12 11:58:04 +02:00
Manuel Pégourié-Gonnard
8a109f106d
Optimize RSA blinding by caching-updating values
2013-09-10 13:55:36 +02:00
Manuel Pégourié-Gonnard
ea53a55c0f
Refactor to prepare for RSA blinding optimisation
2013-09-10 13:55:35 +02:00
Paul Bakker
1c3853b953
oid_get_oid_by_*() now give back oid length as well
2013-09-10 11:43:44 +02:00
Paul Bakker
f451bac000
Blinding RSA only active when f_rng is provided
2013-08-30 15:48:53 +02:00
Paul Bakker
48377d9834
Configuration option to enable/disable POLARSSL_PKCS1_V15 operations
2013-08-30 13:41:14 +02:00
Paul Bakker
aab30c130c
RSA blinding added for CRT operations
2013-08-30 11:03:09 +02:00
Paul Bakker
548957dd49
Refactored RSA to have random generator in every RSA operation
...
Primarily so that rsa_private() receives an RNG for blinding purposes.
2013-08-30 10:30:02 +02:00
Manuel Pégourié-Gonnard
3053f5bcb4
Get rid of pk_wrap_rsa()
2013-08-20 20:46:04 +02:00
Manuel Pégourié-Gonnard
cc0a9d040d
Fix const-correctness of rsa_*_verify()
2013-08-20 20:46:03 +02:00
Paul Bakker
c70b982056
OID functionality moved to a separate module.
...
A new OID module has been created that contains the main OID searching
functionality based on type-dependent arrays. A base type is used to
contain the basic values (oid_descriptor_t) and that type is extended to
contain type specific information (like a pk_alg_t).
As a result the rsa sign and verify function prototypes have changed. They
now expect a md_type_t identifier instead of the removed RSA_SIG_XXX
defines.
All OID definitions have been moved to oid.h
All OID matching code is in the OID module.
The RSA PKCS#1 functions cleaned up as a result and adapted to use the
MD layer.
The SSL layer cleanup up as a result and adapted to use the MD layer.
The X509 parser cleaned up and matches OIDs in certificates with new
module and adapted to use the MD layer.
The X509 writer cleaned up and adapted to use the MD layer.
Apps and tests modified accordingly
2013-04-07 22:00:46 +02:00
Paul Bakker
8804f69d46
Removed timing differences due to bad padding from RSA decrypt for
...
PKCS#1 v1.5 operations
2013-03-06 18:01:03 +01:00
Paul Bakker
a43231c5a5
Added support for custom labels when using rsa_rsaes_oaep_encrypt() or rsa_rsaes_oaep_decrypt()
2013-03-06 18:01:02 +01:00
Paul Bakker
b386913f8b
Split up the RSA PKCS#1 encrypt, decrypt, sign and verify functions
...
Split rsa_pkcs1_encrypt() into rsa_rsaes_oaep_encrypt() and
rsa_rsaes_pkcs1_v15_encrypt()
Split rsa_pkcs1_decrypt() into rsa_rsaes_oaep_decrypt() and
rsa_rsaes_pkcs1_v15_decrypt()
Split rsa_pkcs1_sign() into rsa_rsassa_pss_sign() and
rsa_rsassa_pkcs1_v15_sign()
Split rsa_pkcs1_verify() into rsa_rsassa_pss_verify() and
rsa_rsassa_pkcs1_v15_verify()
The original functions exist as generic wrappers to these functions.
2013-03-06 18:01:02 +01:00
Paul Bakker
02303e8be4
Moved md_init_ctx() calls around to minimize exit points
2013-01-03 11:08:31 +01:00
Paul Bakker
40628bad98
Memory leak when using RSA_PKCS_V21 operations fixed
2013-01-03 10:50:31 +01:00
Paul Bakker
9a73632fd9
- Merged changesets 1399 up to and including 1415 into 1.2 branch
2012-11-14 12:39:52 +00:00
Paul Bakker
0be82f20a9
- Updated rsa_pkcs1_verify() and rsa_pkcs1_sign() to use appropriate buffer size for max MPIs
2012-10-03 20:36:33 +00:00
Paul Bakker
321df6fb80
- Expanded rsa_check_privkey() to check DP, DQ and QP as well
2012-09-27 13:21:34 +00:00
Paul Bakker
bb51f0cb3d
- Only include md.h if needed by POLARSSL_PKCS1_V21
2012-08-23 07:46:58 +00:00
Paul Bakker
3c16db9a10
- Fixed potential memory zeroization on miscrafted RSA key
2012-07-05 13:58:08 +00:00
Paul Bakker
e6ee41f932
- Added OpenSSL / PolarSSL compatibility script (tests/compat.sh) and example application (programs/ssl/o_p_test) (Requires OpenSSL)
...
- Handle encryption with private key and decryption with public key as per RFC 2313
2012-05-19 08:43:48 +00:00
Paul Bakker
56a7684023
- Added alternative for SHA1 signature structure to check for (without NULL)
2012-03-22 15:31:27 +00:00
Paul Bakker
ed375caa3b
- Fixed signed status of ret
2012-01-14 18:10:38 +00:00
Paul Bakker
a3d195c41f
- Changed the used random function pointer to more flexible format. Renamed havege_rand() to havege_random() to prevent mistakes. Lots of changes as a consequence in library code and programs
2011-11-27 21:07:34 +00:00
Paul Bakker
fe3256e54b
- Introduced POLARSSL_MPI_MAX_SIZE and POLARSSL_MPI_MAX_BITS for MPI size management (Closes ticket #44 )
2011-11-25 12:11:43 +00:00
Paul Bakker
1fe7d9baf9
- Fixed incorrect behaviour in case of RSASSA-PSS with a salt length smaller than the hash length. (Closes ticket #41 )
2011-11-15 15:26:03 +00:00
Paul Bakker
b125ed8fc6
- Fixed typo in doxygen tag
2011-11-10 13:33:51 +00:00
Paul Bakker
684ddce18c
- Minor fixer to remove compiler warnings for ARMCC
2011-07-01 09:25:54 +00:00
Paul Bakker
27fdf46d16
- Removed deprecated casts to int for now unsigned values
2011-06-09 13:55:13 +00:00
Paul Bakker
5690efccc4
- Fixed a whole bunch of dependencies on defines between files, examples and tests
2011-05-26 13:16:06 +00:00
Paul Bakker
9d781407bc
- A error_strerror function() has been added to translate between error codes and their description.
...
- The error codes have been remapped and combining error codes is now done with a PLUS instead of an OR as error codes used are negative.
- Descriptions to all error codes have been added.
- Generation script for error.c has been created to automatically generate error.c from the available error definitions in the headers.
2011-05-09 16:17:09 +00:00
Paul Bakker
6c591fab72
- mpi_init() and mpi_free() only accept a single argument and do not accept variable arguments anymore. This prevents unexpected memory corruption in a number of use cases.
2011-05-05 11:49:20 +00:00
Paul Bakker
23986e5d5d
- Major type rewrite of int to size_t for most variables and arguments used for buffer lengths and loops
2011-04-24 08:57:21 +00:00
Paul Bakker
0216cc1bee
- Added flag to disable Chinese Remainder Theorem when using RSA private operation (POLARSSL_RSA_NO_CRT)
2011-03-26 13:40:23 +00:00
Paul Bakker
53019ae6f7
- RSASSA-PSS verification now properly handles salt lengths other than hlen
2011-03-25 13:58:48 +00:00
Paul Bakker
9dcc32236b
- Added support for PKCS#1 v2.1 encoding and thus support for the RSAES-OAEP and RSASSA-PSS operations (enabled by POLARSSL_PKCS1_V21)
2011-03-08 14:16:06 +00:00
Paul Bakker
21eb2802fe
- Changed origins of random function and pointer in rsa_pkcs1_encrypt, rsa_init, rsa_gen_key.
...
Moved to parameters of function instead of context pointers as within ssl_cli, context pointer cannot be set easily.
2010-08-16 11:10:02 +00:00
Paul Bakker
b96f154e51
- Fixed copyright message
2010-07-18 20:36:00 +00:00
Paul Bakker
84f12b76fc
- Updated Copyright to correct entity
2010-07-18 10:13:04 +00:00
Paul Bakker
545570e208
- Added initialization for RSA where needed
2010-07-18 09:00:25 +00:00
Paul Bakker
b572adf5e6
- Removed dependency on rand() in rsa_pkcs1_encrypt(). Now using random fuction provided to context
...
- Expanded ssl_client2 arguments for more flexibility
- rsa_check_private() now supports PKCS1v2 keys as well
- Fixed deadlock in rsa_pkcs1_encrypt() on failing random generator
2010-07-18 08:29:32 +00:00
Paul Bakker
fc8c4360b8
- Updated copyright line to 2010
2010-03-21 17:37:16 +00:00
Paul Bakker
1f3c39c194
- Removed copyright line for Christophe Devine for clarity
2010-03-21 17:30:05 +00:00
Paul Bakker
ff60ee6c2a
- Added const-correctness to main codebase
2010-03-16 21:09:09 +00:00
Paul Bakker
77b385e91a
- Updated copyright messages on all relevant files
2009-07-28 17:23:11 +00:00
Paul Bakker
38e2b482ff
- Fixed typo in name of POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE.
2009-07-19 20:41:06 +00:00
Paul Bakker
fc22c441bc
- Renamed RSA_RAW to SIG_RSA_RAW for consistency in the code.
2009-07-19 20:36:27 +00:00
Paul Bakker
37940d9ff6
- Added test coverage for X509parse
...
- Fixed segfault in rsa_check_privkey() and rsa_check_pubkey() and added test
2009-07-10 22:38:58 +00:00
Paul Bakker
cde51572df
- Fixed missing support for SHA2 in rsa_pkcs1_sign()
2009-05-17 10:11:56 +00:00
Paul Bakker
4593aeadaf
- Added support for RFC4055 SHA2 and SHA4 signature algorithms for
...
use with PKCS#1 v1.5 signing and verification.
- Added extra certificates to test-ca and test code to further test
functionality of SHA2 and SHA4 signing and verification.
- Updated other program files accordingly
2009-02-09 22:32:35 +00:00
Paul Bakker
785a9eeece
- Added email address to header license information
2009-01-25 14:15:10 +00:00
Paul Bakker
060c56871c
- Fixed possible heap overflow in pkcs1_decrypt on data larger than output
...
buffer after padding. For instance the premaster decryption in
ssl_parse_client_key_exchange() in ssl_serv.c (Thanks to Christophe
Devine)
2009-01-12 21:48:39 +00:00
Paul Bakker
e0ccd0a7c3
- Updated Copyright notices
2009-01-04 16:27:10 +00:00
Paul Bakker
40e46940df
- First replacement of xyssl by polarssl where needed
2009-01-03 21:51:57 +00:00
Paul Bakker
5121ce5bdb
- Renamed include directory to polarssl
2009-01-03 21:22:43 +00:00