boringssl/crypto/rsa
David Benjamin 3f5b43df07 Simplify RSA key exchange padding check.
This check was fixed a while ago, but it could have been much simpler.

In the RSA key exchange, the expected size of the output is known, making the
padding check much simpler. There isn't any use in exporting the more general
RSA_message_index_PKCS1_type_2. (Without knowing the expected size, any
integrity check or swap to randomness or other mitigation is basically doomed
to fail.)

Verified with the valgrind uninitialized memory trick that we're still
constant-time.

Also update rsa.h to recommend against using the PKCS#1 v1.5 schemes.

Thanks to Ryan Sleevi for the suggestion.

Change-Id: I4328076b1d2e5e06617dd8907cdaa702635c2651
Reviewed-on: https://boringssl-review.googlesource.com/6613
Reviewed-by: Adam Langley <agl@google.com>
2015-12-22 00:10:14 +00:00
blinding.c Constify more BN_MONT_CTX parameters. 2015-11-06 20:04:36 +00:00
CMakeLists.txt Add a run_tests target to run all tests. 2015-10-26 20:33:44 +00:00
internal.h Constify more BN_MONT_CTX parameters. 2015-11-06 20:04:36 +00:00
padding.c Simplify RSA key exchange padding check. 2015-12-22 00:10:14 +00:00
rsa_asn1.c Refuse to parse RSA pubkeys with invalid exponents. 2015-12-21 23:49:02 +00:00
rsa_impl.c Remove reference to removed |RSA_FLAG_NO_CONSTTIME| flag. 2015-11-20 19:59:29 +00:00
rsa_test.cc Refuse to parse RSA pubkeys with invalid exponents. 2015-12-21 23:49:02 +00:00
rsa.c Remove the CRYPTO_EX_new callback. 2015-12-15 21:29:46 +00:00