boringssl

842 Commits

61 Branches

23 Tags

511 MiB

Tag: Branch: Tree: 828b2d26ca

Commit Graph

Author	SHA1	Message	Date
David Benjamin	29507b8184	Validate RSA public keys more consistently. https://boringssl-review.googlesource.com/c/boringssl/+/42504 aligned RSA private key checks, but I missed the public key ones. We have two different sets of RSA public key checks right now. One in the parser just checks for e = 1 and even e. The other, when using the key, checks for overly large e and n. Align the two. Now parsing RSA public keys calls RSA_check_key and the extra checks on e are added to RSA_check_key. Note RSA private key parsing already called RSA_check_key. The consequences are: First, RSA public keys with large n, large e, or n < e will be rejected at parse time. Previously, they would be parsed but all operations on them would fail. This aligns with our existing behavior for parsing private keys. Second, operations on RSA public keys with even e will fail. They already failed to parse, but it was possible to manually construct such a key. Previously, operations wouldn't explicitly fail, but they wouldn't do anything useful because even exponents are not invertible. (Encrypting would produce something undecryptable and the private key would have a hard time reliably producing signatures we'd accept.) There is no change to RSA private keys with even e. Those would already fail the (e, d) consistency check and the fault check. Third, operations on RSA public keys with e = 1 will fail. They already failed to parse, but it was possible to manually construct such a key and "verify" signatures or "encrypt" messages. However, with e = 1, those operations are no-ops. Finally, RSA private keys with e = d = 1 will be rejected at parse and use. This is the only case that affects private keys because e = d = 1 are inverses, just pointless. Uses paired with RSA public key parsing (e.g. our TLS library checks consistency with a certificate public key) are not affected. Those already rejected such keys because we rejected them in the public key parser. This CL aligns the private half. This doesn't close https://crbug.com/boringssl/316, but we won't be able to resolve that without a consistent story for what keys are valid. Update-Note: See above. Bug: 316 Change-Id: Ic27df18c4f48e5e3e57a17d6fe39399e2f8d5c68 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47524 Reviewed-by: Adam Langley <agl@google.com>	4 years ago
Adam Langley	80e3f957e4	Support 4096-bit keys in FIPS mode. Change-Id: I9aa66109bd0f6acc0c30a505eef6d85b6972132d Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43624 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com>	4 years ago
Adam Langley	fb0c05cac2	acvp: add CMAC-AES support. Change by Dan Janni. Change-Id: I3f059e7b1a822c6f97128ca92a693499a3f7fa8f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/41984 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com>	5 years ago

Author

SHA1

Message

Date

David Benjamin

29507b8184

Validate RSA public keys more consistently.

https://boringssl-review.googlesource.com/c/boringssl/+/42504 aligned
RSA private key checks, but I missed the public key ones. We have two
different sets of RSA public key checks right now. One in the parser
just checks for e = 1 and even e. The other, when using the key, checks
for overly large e and n.

Align the two. Now parsing RSA public keys calls RSA_check_key and the
extra checks on e are added to RSA_check_key. Note RSA private key
parsing already called RSA_check_key. The consequences are:

First, RSA public keys with large n, large e, or n < e will be rejected
at parse time. Previously, they would be parsed but all operations on
them would fail. This aligns with our existing behavior for parsing
private keys.

Second, operations on RSA public keys with even e will fail. They
already failed to parse, but it was possible to manually construct such
a key. Previously, operations wouldn't explicitly fail, but they
wouldn't do anything useful because even exponents are not invertible.
(Encrypting would produce something undecryptable and the private key
would have a hard time reliably producing signatures we'd accept.) There
is no change to RSA private keys with even e. Those would already fail
the (e, d) consistency check and the fault check.

Third, operations on RSA public keys with e = 1 will fail. They already
failed to parse, but it was possible to manually construct such a key
and "verify" signatures or "encrypt" messages. However, with e = 1,
those operations are no-ops.

Finally, RSA private keys with e = d = 1 will be rejected at parse and
use. This is the only case that affects private keys because e = d = 1
are inverses, just pointless. Uses paired with RSA public key parsing
(e.g. our TLS library checks consistency with a certificate public key)
are not affected. Those already rejected such keys because we rejected
them in the public key parser. This CL aligns the private half.

This doesn't close https://crbug.com/boringssl/316, but we won't be able
to resolve that without a consistent story for what keys are valid.

Update-Note: See above.
Bug: 316
Change-Id: Ic27df18c4f48e5e3e57a17d6fe39399e2f8d5c68
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47524
Reviewed-by: Adam Langley <agl@google.com>

4 years ago

Adam Langley

80e3f957e4

Support 4096-bit keys in FIPS mode.

Change-Id: I9aa66109bd0f6acc0c30a505eef6d85b6972132d
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43624
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>

4 years ago

Adam Langley

fb0c05cac2

acvp: add CMAC-AES support.

Change by Dan Janni.

Change-Id: I3f059e7b1a822c6f97128ca92a693499a3f7fa8f
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/41984
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>

5 years ago

3 Commits (828b2d26caee0493fb4dce36aff6869625afe072)