yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-10-18 18:01:11 +00:00
Code Issues Packages Projects Releases Wiki Activity
5379 commits 88 branches 205 tags 69 MiB
Commit graph

161 commits

Author SHA1 Message Date
Hanno Becker fdf38030de Outsource code for generating PKCS1 v1.5 encoding 
This commit moves the code preparing PKCS1 v1.5 encoded hashes from `mbedtls_rsa_rsassa_pkcs1_v15_sign` to a separate
non-public function `rsa_rsassa_pkcs1_v15_encode`. This code-path will then be re-used by the signature verification function
`mbetls_rsa_rsassa_pkcs1_v15_verify` in a later commit.
 2017-10-03 07:58:00 +01:00
Hanno Becker 171a8f1c95 Move constant time memcmp for signature verification 
This commit replaces the ad-hoc code for constant-time double-checking the PKCS1 v1.5 RSA signature by an invocation of
`mbedtls_safer_memcmp`.
 2017-10-03 07:58:00 +01:00
Manuel Pégourié-Gonnard b86b143030 Merge remote-tracking branch 'restricted/iotssl-1138-rsa-padding-check-restricted' into development-restricted 
* restricted/iotssl-1138-rsa-padding-check-restricted:
  RSA PKCS1v1.5 verification: check padding length
 2017-06-08 20:31:06 +02:00
Manuel Pégourié-Gonnard a0bf6ecfc3 Merge remote-tracking branch 'restricted/IOTSSL-1366/development-restricted' into development-restricted 
* restricted/IOTSSL-1366/development-restricted:
  More length checks in RSA PKCS1v15 verify
  More length checks in RSA PKCS1v15 verify
 2017-06-08 20:24:29 +02:00
Gilles Peskine 18ac716021 RSA: wipe more stack buffers 
MGF mask and PSS salt are not highly sensitive, but wipe them anyway
for good hygiene.
 2017-05-16 10:22:37 +01:00
Gilles Peskine 4a7f6a0ddb RSA: wipe stack buffers 
The RSA private key functions rsa_rsaes_pkcs1_v15_decrypt and
rsa_rsaes_oaep_decrypt put sensitive data (decryption results) on the
stack. Wipe it before returning.

Thanks to Laurent Simon for reporting this issue.
 2017-05-16 10:22:37 +01:00
Janos Follath f9203b4139 Add exponent blinding to RSA with CRT 
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of different measurements.

This commit handles the case when the Chinese Remainder Theorem is used
to accelerate the computation.
 2017-05-16 10:22:37 +01:00
Janos Follath e81102e476 Add exponent blinding to RSA without CRT 
The sliding window exponentiation algorithm is vulnerable to
side-channel attacks. As a countermeasure we add exponent blinding in
order to prevent combining the results of fifferent measurements.

This commits handles the case when the Chinese Remainder Theorem is NOT
used to accelerate computations.
 2017-05-16 10:22:37 +01:00
Manuel Pégourié-Gonnard c1380de887 RSA PKCS1v1.5 verification: check padding length 
The test case was generated by modifying our signature code so that it
produces a 7-byte long padding (which also means garbage at the end, so it is
essential in to check that the error that is detected first is indeed the
padding rather than the final length check).
 2017-05-11 13:10:13 +02:00
Gilles Peskine e7e7650480 More length checks in RSA PKCS1v15 verify 
Added one check that I'd missed, and made the style more uniform.
 2017-05-04 12:48:39 +02:00
Gilles Peskine 0e17eb05f8 More length checks in RSA PKCS1v15 verify 
Tighten ASN.1 parsing of RSA PKCS#1 v1.5 signatures, to avoid a
potential Bleichenbacher-style attack.
 2017-05-03 18:56:10 +02:00
Janos Follath ef44178474 Restore P>Q in RSA key generation (#558) 
The PKCS#1 standard says nothing about the relation between P and Q
but many libraries guarantee P>Q and mbed TLS did so too in earlier
versions.

This commit restores this behaviour.
 2016-10-13 00:25:07 +01:00
Simon Butcher ab069c6b46 Merge branch 'development' into development-restricted 2016-06-23 21:42:26 +01:00
Brian J Murray e7be5bdb96 Fixed unchecked calls to mbedtls_md_setup in rsa.c (#502) 
* Fixed unchecked calls to mbedtls_md_setup in rsa.c:

* style fixes
 2016-06-23 20:57:03 +01:00
Simon Butcher f991128d40 Revert accidental changes to file mode of rsa.c 2016-06-09 13:41:28 +01:00
Janos Follath a338691b46 Merge branch 'development' into development-restricted 2016-06-07 09:24:41 +01:00
Simon Butcher 50cdede726 Revert accidental changes to file mode of rsa.c 2016-06-06 20:15:33 +01:00
Janos Follath 04b591ee79 Merge branch 'development' for weekly test report. 2016-05-31 10:18:41 +01:00
Simon Butcher 9c22e7311c Merge branch 'development' 2016-05-24 13:25:46 +01:00
Simon Butcher 65b1fa6b07 Fixes warnings found by Clang static analyser 
Also removes annotations in the code to avoid warnings which don't appear to
be needed.
 2016-05-23 23:18:26 +01:00
Brian Murray 930a3701e7 fix indentation in output of selftest.c 2016-05-23 14:29:32 +01:00
Paul Bakker 38d188896c Cleanup ifdef statements 2016-05-23 14:29:31 +01:00
Nicholas Wilson e735303026 Shut up a few clang-analyze warnings about use of uninitialized variables 
The functions are all safe, Clang just isn't clever enough to realise
it.
 2016-05-23 14:29:28 +01:00
Simon Butcher 94bafdf834 Merge branch 'development' 2016-05-18 18:40:46 +01:00
Simon Butcher c21bec8af4 Merge branch 'development' 2016-05-16 16:15:20 +01:00
Paul Bakker 21cc5741cf Cleanup ifdef statements 2016-05-12 12:46:28 +01:00
Paul Bakker f4743a6f5e Merge pull request #457 from NWilson/clang-analyze-fixes 
Clang analyze fixes
 2016-05-11 20:20:42 +02:00
Simon Butcher 2300776816 Merge branch 'development' 2016-04-19 10:39:36 +01:00
Janos Follath 1ed9f99ef3 Fix null pointer dereference in the RSA module. 
Introduced null pointer checks in mbedtls_rsa_rsaes_pkcs1_v15_encrypt
 2016-04-19 10:16:31 +01:00
Simon Butcher 3f5c875654 Adds test for odd bit length RSA key size 
Also tidy up ChangeLog following review.
 2016-04-15 19:06:59 +01:00
Janos Follath 10c575be3e Fix odd bitlength RSA key generation 
Fix issue that caused a hang up when generating RSA keys of odd
bitlength.
 2016-04-15 18:49:13 +01:00
Nicholas Wilson 409401c044 Shut up a few clang-analyze warnings about use of uninitialized variables 
The functions are all safe, Clang just isn't clever enough to realise
it.
 2016-04-13 11:56:22 +01:00
Simon Butcher 078bcdd6f6 Merge branch 'IOTSSL-628-BufferOverread' 2016-03-16 22:53:11 +00:00
Simon Butcher 0203745e23 Swap C++ comments to C for style consistency in rsa.c 2016-03-09 21:06:20 +00:00
Janos Follath c69fa50d4c Removing 'if' branch from the fix. 
This new error shouldn't be distinguishable from other padding errors.
Updating 'bad' instead of adding a new 'if' branch.
 2016-03-09 21:06:19 +00:00
Janos Follath b6eb1ca01c Length check added 2016-03-09 21:06:19 +00:00
Manuel Pégourié-Gonnard 370717b571 Add precision about exploitability in ChangeLog 
Also fix some whitespace while at it.
 2016-03-09 21:06:19 +00:00
Janos Follath eddfe8f6f3 Included tests for the overflow 2016-03-09 21:06:19 +00:00
Janos Follath c17cda1ab9 Moved underflow test to better reflect time constant behaviour. 2016-02-11 11:08:18 +00:00
Janos Follath b8afe1bb2c Included test for integer underflow. 2016-02-09 14:51:35 +00:00
Simon Butcher bdae02ce90 Corrected references for RSA and DHM 
The links in the references in rsa.c and dhm.c were no longer valid and needed
updating.
 2016-01-20 00:44:42 +00:00
Simon Butcher 1285ab5dc2 Fix for memory leak in RSA-SSA signing 
Fix in mbedtls_rsa_rsassa_pkcs1_v15_sign() in rsa.c
 2016-01-01 21:42:47 +00:00
Manuel Pégourié-Gonnard fb84d38b45 Try to prevent some misuse of RSA functions 
fixes #331
 2015-10-30 10:56:25 +01:00
Manuel Pégourié-Gonnard 5f50104c52 Add counter-measure against RSA-CRT attack 
https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
 2015-09-08 13:39:29 +02:00
Manuel Pégourié-Gonnard 37ff14062e Change main license to Apache 2.0 2015-09-04 14:21:07 +02:00
Manuel Pégourié-Gonnard 4d04cdcd12 Fix RSA mutex fix 
Once the mutex is acquired, we must goto cleanup rather that return.
Since cleanup adjusts the return value, adjust that in test cases.

Also, at cleanup we don't want to overwrite 'ret', or we'll loose track of
errors.

see #257
 2015-08-31 09:31:55 +02:00
Manuel Pégourié-Gonnard 1385a289f4 Fix possible mutex lock/unlock mismatch 
fixes #257
 2015-08-27 11:30:58 +02:00
Manuel Pégourié-Gonnard d1004f02e6 Fix printed output of some selftests 2015-08-07 10:57:41 +02:00
Manuel Pégourié-Gonnard 6fb8187279 Update date in copyright line 2015-07-28 17:11:58 +02:00
Manuel Pégourié-Gonnard c0696c216b Rename mbedtls_mpi_msb to mbedtls_mpi_bitlen 2015-06-18 16:49:37 +02:00