commit a0bf6ecfc3
Author: Manuel Pégourié-Gonnard
Date:   2017-06-08 20:24:29 +02:00

    Merge remote-tracking branch 'restricted/IOTSSL-1366/development-restricted' into development-restricted

    * restricted/IOTSSL-1366/development-restricted:
      More length checks in RSA PKCS1v15 verify
      More length checks in RSA PKCS1v15 verify

commit 18ac716021
Author: Gilles Peskine
Date:   2017-05-16 10:22:37 +01:00

    RSA: wipe more stack buffers

    MGF mask and PSS salt are not highly sensitive, but wipe them anyway
    for good hygiene.

commit 4a7f6a0ddb
Author: Gilles Peskine
Date:   2017-05-16 10:22:37 +01:00

    RSA: wipe stack buffers

    The RSA private key functions rsa_rsaes_pkcs1_v15_decrypt and
    rsa_rsaes_oaep_decrypt put sensitive data (decryption results) on the
    stack. Wipe it before returning.

    Thanks to Laurent Simon for reporting this issue.

commit f9203b4139
Author: Janos Follath
Date:   2017-05-16 10:22:37 +01:00

    Add exponent blinding to RSA with CRT

    The sliding window exponentiation algorithm is vulnerable to
    side-channel attacks. As a countermeasure we add exponent blinding in
    order to prevent combining the results of different measurements.

    This commit handles the case when the Chinese Remainder Theorem is used
    to accelerate the computation.

commit e81102e476
Author: Janos Follath
Date:   2017-05-16 10:22:37 +01:00

    Add exponent blinding to RSA without CRT

    The sliding window exponentiation algorithm is vulnerable to
    side-channel attacks. As a countermeasure we add exponent blinding in
    order to prevent combining the results of different measurements.

    This commit handles the case when the Chinese Remainder Theorem is NOT
    used to accelerate computations.

commit c1380de887
Author: Manuel Pégourié-Gonnard
Date:   2017-05-11 13:10:13 +02:00

    RSA PKCS1v1.5 verification: check padding length

    The test case was generated by modifying our signature code so that it
    produces a 7-byte long padding (which also means garbage at the end, so it is
    essential to check that the error that is detected first is indeed the
    padding rather than the final length check).

commit e7e7650480
Author: Gilles Peskine
Date:   2017-05-04 12:48:39 +02:00

    More length checks in RSA PKCS1v15 verify

    Added one check that I'd missed, and made the style more uniform.

commit 0e17eb05f8
Author: Gilles Peskine
Date:   2017-05-03 18:56:10 +02:00

    More length checks in RSA PKCS1v15 verify

    Tighten ASN.1 parsing of RSA PKCS#1 v1.5 signatures, to avoid a
    potential Bleichenbacher-style attack.

commit ef44178474
Author: Janos Follath
Date:   2016-10-13 00:25:07 +01:00

    Restore P>Q in RSA key generation (#558)

    The PKCS#1 standard says nothing about the relation between P and Q
    but many libraries guarantee P>Q and mbed TLS did so too in earlier
    versions.

    This commit restores this behaviour.

commit ab069c6b46
Author: Simon Butcher
Date:   2016-06-23 21:42:26 +01:00

    Merge branch 'development' into development-restricted

commit e7be5bdb96
Author: Brian J Murray
Date:   2016-06-23 20:57:03 +01:00

    Fixed unchecked calls to mbedtls_md_setup in rsa.c (#502)

    * Fixed unchecked calls to mbedtls_md_setup in rsa.c:
    * style fixes

commit f991128d40
Author: Simon Butcher
Date:   2016-06-09 13:41:28 +01:00

    Revert accidental changes to file mode of rsa.c

commit a338691b46
Author: Janos Follath
Date:   2016-06-07 09:24:41 +01:00

    Merge branch 'development' into development-restricted

commit 50cdede726
Author: Simon Butcher
Date:   2016-06-06 20:15:33 +01:00

    Revert accidental changes to file mode of rsa.c

commit 04b591ee79
Author: Janos Follath
Date:   2016-05-31 10:18:41 +01:00

    Merge branch 'development' for weekly test report.

commit 9c22e7311c
Author: Simon Butcher
Date:   2016-05-24 13:25:46 +01:00

    Merge branch 'development'

commit 65b1fa6b07
Author: Simon Butcher
Date:   2016-05-23 23:18:26 +01:00

    Fixes warnings found by Clang static analyser

    Also removes annotations in the code to avoid warnings which don't appear to
    be needed.

commit 930a3701e7
Author: Brian Murray
Date:   2016-05-23 14:29:32 +01:00

    fix indentation in output of selftest.c

commit 38d188896c
Author: Paul Bakker
Date:   2016-05-23 14:29:31 +01:00

    Cleanup ifdef statements

commit e735303026
Author: Nicholas Wilson
Date:   2016-05-23 14:29:28 +01:00

    Shut up a few clang-analyze warnings about use of uninitialized variables

    The functions are all safe, Clang just isn't clever enough to realise
    it.

commit 94bafdf834
Author: Simon Butcher
Date:   2016-05-18 18:40:46 +01:00

    Merge branch 'development'

commit c21bec8af4
Author: Simon Butcher
Date:   2016-05-16 16:15:20 +01:00

    Merge branch 'development'

commit 21cc5741cf
Author: Paul Bakker
Date:   2016-05-12 12:46:28 +01:00

    Cleanup ifdef statements

commit f4743a6f5e
Author: Paul Bakker
Date:   2016-05-11 20:20:42 +02:00

    Merge pull request #457 from NWilson/clang-analyze-fixes

    Clang analyze fixes

commit 2300776816
Author: Simon Butcher
Date:   2016-04-19 10:39:36 +01:00

    Merge branch 'development'

commit 1ed9f99ef3
Author: Janos Follath
Date:   2016-04-19 10:16:31 +01:00

    Fix null pointer dereference in the RSA module.

    Introduced null pointer checks in mbedtls_rsa_rsaes_pkcs1_v15_encrypt

commit 3f5c875654
Author: Simon Butcher
Date:   2016-04-15 19:06:59 +01:00

    Adds test for odd bit length RSA key size

    Also tidy up ChangeLog following review.

commit 10c575be3e
Author: Janos Follath
Date:   2016-04-15 18:49:13 +01:00

    Fix odd bitlength RSA key generation

    Fix issue that caused a hang up when generating RSA keys of odd
    bitlength.

commit 409401c044
Author: Nicholas Wilson
Date:   2016-04-13 11:56:22 +01:00

    Shut up a few clang-analyze warnings about use of uninitialized variables

    The functions are all safe, Clang just isn't clever enough to realise
    it.

commit 078bcdd6f6
Author: Simon Butcher
Date:   2016-03-16 22:53:11 +00:00

    Merge branch 'IOTSSL-628-BufferOverread'

commit 0203745e23
Author: Simon Butcher
Date:   2016-03-09 21:06:20 +00:00

    Swap C++ comments to C for style consistency in rsa.c

commit c69fa50d4c
Author: Janos Follath
Date:   2016-03-09 21:06:19 +00:00

    Removing 'if' branch from the fix.

    This new error shouldn't be distinguishable from other padding errors.
    Updating 'bad' instead of adding a new 'if' branch.

commit b6eb1ca01c
Author: Janos Follath
Date:   2016-03-09 21:06:19 +00:00

    Length check added

commit 370717b571
Author: Manuel Pégourié-Gonnard
Date:   2016-03-09 21:06:19 +00:00

    Add precision about exploitability in ChangeLog

    Also fix some whitespace while at it.

commit eddfe8f6f3
Author: Janos Follath
Date:   2016-03-09 21:06:19 +00:00

    Included tests for the overflow

commit c17cda1ab9
Author: Janos Follath
Date:   2016-02-11 11:08:18 +00:00

    Moved underflow test to better reflect time constant behaviour.

commit b8afe1bb2c
Author: Janos Follath
Date:   2016-02-09 14:51:35 +00:00

    Included test for integer underflow.

commit bdae02ce90
Author: Simon Butcher
Date:   2016-01-20 00:44:42 +00:00

    Corrected references for RSA and DHM

    The links in the references in rsa.c and dhm.c were no longer valid and needed
    updating.

commit 1285ab5dc2
Author: Simon Butcher
Date:   2016-01-01 21:42:47 +00:00

    Fix for memory leak in RSA-SSA signing

    Fix in mbedtls_rsa_rsassa_pkcs1_v15_sign() in rsa.c

commit fb84d38b45
Author: Manuel Pégourié-Gonnard
Date:   2015-10-30 10:56:25 +01:00

    Try to prevent some misuse of RSA functions

    fixes #331

commit 5f50104c52
Author: Manuel Pégourié-Gonnard
Date:   2015-09-08 13:39:29 +02:00

    Add counter-measure against RSA-CRT attack

    https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/

commit 37ff14062e
Author: Manuel Pégourié-Gonnard
Date:   2015-09-04 14:21:07 +02:00

    Change main license to Apache 2.0

commit 4d04cdcd12
Author: Manuel Pégourié-Gonnard
Date:   2015-08-31 09:31:55 +02:00

    Fix RSA mutex fix

    Once the mutex is acquired, we must goto cleanup rather than return.
    Since cleanup adjusts the return value, adjust that in test cases.

    Also, at cleanup we don't want to overwrite 'ret', or we'll lose track of
    errors.

    see #257

commit 1385a289f4
Author: Manuel Pégourié-Gonnard
Date:   2015-08-27 11:30:58 +02:00

    Fix possible mutex lock/unlock mismatch

    fixes #257

commit d1004f02e6
Author: Manuel Pégourié-Gonnard
Date:   2015-08-07 10:57:41 +02:00

    Fix printed output of some selftests

commit 6fb8187279
Author: Manuel Pégourié-Gonnard
Date:   2015-07-28 17:11:58 +02:00

    Update date in copyright line

commit c0696c216b
Author: Manuel Pégourié-Gonnard
Date:   2015-06-18 16:49:37 +02:00

    Rename mbedtls_mpi_msb to mbedtls_mpi_bitlen

commit bdd7828ca0
Author: Manuel Pégourié-Gonnard
Date:   2015-04-24 14:43:24 +02:00

    Always check return status of mutex_(un)lock()

commit 53c76c07de
Author: Manuel Pégourié-Gonnard
Date:   2015-04-17 20:19:32 +02:00

    Merge branch 'mbedtls-1.3' into development

    * commit 'ce60fbe':
      Fix potential timing difference with RSA PMS
      Update Changelog for recent merge
      Added more constant-time code and removed biases in the prime number generation routines.

    Conflicts:
    	library/bignum.c
    	library/ssl_srv.c

commit aac657a1d3
Author: Manuel Pégourié-Gonnard
Date:   2015-04-15 14:12:59 +02:00

    Merge remote-tracking branch 'pj/development' into mbedtls-1.3

    * pj/development:
      Added more constant-time code and removed biases in the prime number generation routines.