| Commit message | Author | Age | Files | Lines |
| |
Differential Revision: https://phabricator.services.mozilla.com/D171581
| |
Differential Revision: https://phabricator.services.mozilla.com/D158323
| |
Added check for required fields
Differential Revision: https://phabricator.services.mozilla.com/D119046
| |
review comments. All the review comments pertained to actual code comments,
so this patch only affects the comments.
| |
This patch defeats Bleichenbacher by not trying to hide the size of the
decrypted text, but to hide if the text succeeded or failed. This is done
by generating a fake returned text that's based on the key and the ciphertext,
so the fake data is always the same for the same key and ciphertext. Both the
length and the plain text are generated with a PRF.
Here's the proposed spec the patch codes to:
1. Use SHA-256 to hash the private exponent encoded as a big-endian integer to a string the same length as the public modulus. Keep this value secret. (this is just an optimisation so that the implementation doesn't have to serialise the key over and over again)
2. Check the length of input according to step one of https://tools.ietf.org/html/rfc8017#section-7.2.2
3. When provided with a ciphertext, use SHA-256 HMAC(key=hash_from_step1, text=ciphertext) to generate the key derivation key
4. Use SHA-256 HMAC with key derivation key as the key and a two-byte big-endian iterator concatenated with byte string "length" with the big-endian representation of 2048 (0x0800) as the bit length of the generated string.
- Iterate this PRF 8 times to generate a 256 byte string
5. initialise the length of synthetic message to 0
6. split the PRF output into 2 byte strings, convert into big-endian integers, zero-out high-order bits so that they have the same bit length as the octet length of the maximum acceptable message size (k-11), select the last integer that is no larger than (k-11) or remain at 0 if no integer is smaller than (k-11); this selection needs to be performed using side-channel free operators
7. Use SHA-256 HMAC with key derivation key as the key and a two-byte big-endian iterator concatenated with byte string "message" with the big-endian representation of k*8
- use this PRF to generate k bytes of output (right-truncate last HMAC call if the number of generated bytes is not a multiple of SHA-256 output size)
8. perform the RSA decryption as described in step 2 of section 7.2.2 of rfc8017
9. Verify the EM message padding as described in step 3 of section 7.2.2 of rfc8017, but instead of outputting "decryption error", return the last l bytes of the "message" PRF, where l is the synthetic message length selected using the "length" PRF; make this decision and copy using side-channel free operations
Differential Revision: https://phabricator.services.mozilla.com/D99843
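The nine-step procedure in the commit message above, carried end to end as an added Python example. This is illustration code written for this page, not NSS code (which is C) and not the spec author's text. Assumed here: a constructed toy RSA key built from two Mersenne primes (far too small for real use), a two-byte encoding of k*8 in the "message" PRF (the message only fixes that width for "length", 0x0800), and helper names that are ours; the arithmetic selects mirror branch-free C, but CPython gives no side-channel guarantee, so treat them as a description of the intent rather than a constant-time implementation.

```python
"""Implicit rejection for RSAES-PKCS1-v1_5 decryption (added example).
Constructed toy key; 'message' PRF width and helper names are assumptions."""
import hashlib
import hmac


def i2osp(x: int, length: int) -> bytes:
    return x.to_bytes(length, "big")


def os2ip(b: bytes) -> int:
    return int.from_bytes(b, "big")


def _nonzero(x: int) -> int:
    """1 if 0 < x < 256 else 0, computed without a branch."""
    return 1 - (((x - 1) >> 8) & 1)


class ToyRsaKey:
    """Constructed toy key: p = 2^61-1, q = 2^89-1; e = 65537 is coprime to (p-1)(q-1)."""

    def __init__(self) -> None:
        p, q = (1 << 61) - 1, (1 << 89) - 1
        self.n, self.e = p * q, 65537
        self.d = pow(self.e, -1, (p - 1) * (q - 1))
        self.k = (self.n.bit_length() + 7) // 8          # octet length of n
        # Step 1: hash d encoded to modulus length, once; keep it secret.
        self.key_hash = hashlib.sha256(i2osp(self.d, self.k)).digest()


def prf(kdk: bytes, label: bytes, out_bits: int, out_len: int) -> bytes:
    """Steps 4 and 7: HMAC-SHA-256 counter mode.
    block_i = HMAC(kdk, counter(2 bytes BE) || label || out_bits(2 bytes BE, assumed))."""
    out, counter = b"", 0
    while len(out) < out_len:
        out += hmac.new(kdk, i2osp(counter, 2) + label + i2osp(out_bits, 2),
                        hashlib.sha256).digest()
        counter += 1
    return out[:out_len]                                # right-truncate last block


def synthetic_length(kdk: bytes, k: int) -> int:
    """Steps 5 and 6: last 2-byte candidate <= k-11 after masking to the bit
    length of k-11, or 0 if none qualifies; selection is branch-free."""
    max_len = k - 11
    mask = (1 << max_len.bit_length()) - 1
    candidates = prf(kdk, b"length", 2048, 256)        # 8 HMAC blocks = 256 bytes
    length = 0
    for i in range(0, 256, 2):
        cand = os2ip(candidates[i:i + 2]) & mask
        take = ((cand - max_len - 1) >> 16) & 1        # 1 iff cand <= max_len
        length ^= (length ^ cand) & -take
    return length


def check_padding(em: bytes):
    """Step 9 EM check accumulating into a flag instead of returning early.
    Returns (bad, msg_len); bad is 0 only for 00 02 PS(>=8 nonzero) 00 M."""
    k = len(em)
    bad = em[0] | (em[1] ^ 0x02)
    sep, found = 0, 0
    for i in range(2, k):
        is_zero = ((em[i] - 1) >> 8) & 1
        first = is_zero & (1 - found)                   # first 0x00 after PS
        sep ^= (sep ^ i) & -first
        found |= is_zero
    bad |= 1 - found                                    # no separator at all
    bad |= ((sep - 10) >> 31) & 1                       # PS shorter than 8 bytes
    return _nonzero(bad), k - sep - 1


def decrypt_implicit_reject(key: ToyRsaKey, ciphertext: bytes) -> bytes:
    k = key.k
    # Step 2: the only explicit error, RFC 8017 section 7.2.2 step 1.
    if len(ciphertext) != k or os2ip(ciphertext) >= key.n:
        raise ValueError("decryption error")
    # Step 3: per-ciphertext key derivation key.
    kdk = hmac.new(key.key_hash, ciphertext, hashlib.sha256).digest()
    syn_len = synthetic_length(kdk, k)                  # steps 4-6
    syn_msg = prf(kdk, b"message", k * 8, k)            # step 7
    em = i2osp(pow(os2ip(ciphertext), key.d, key.n), k)  # step 8: RSADP
    bad, real_len = check_padding(em)                   # step 9
    out_len = real_len ^ ((real_len ^ syn_len) & -bad)
    keep, swap = 0xFF * (1 - bad), 0xFF * bad
    out = bytes((em[i] & keep) | (syn_msg[i] & swap) for i in range(k))
    return out[k - out_len:]                            # last out_len bytes


def encrypt_pkcs1_v15(key: ToyRsaKey, msg: bytes) -> bytes:
    """RSAES-PKCS1-v1_5 with a constructed (non-random) PS so the run is
    reproducible; a real implementation must use random nonzero PS bytes."""
    ps_len = key.k - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long")
    ps = bytes(0x41 + (i % 26) for i in range(ps_len))
    return i2osp(pow(os2ip(b"\x00\x02" + ps + b"\x00" + msg), key.e, key.n), key.k)


if __name__ == "__main__":
    key = ToyRsaKey()
    c = encrypt_pkcs1_v15(key, b"dawn")
    print(decrypt_implicit_reject(key, c))              # b'dawn'
    # Bleichenbacher-style probe: multiply the plaintext by 2 mod n.
    c2 = i2osp(os2ip(c) * pow(2, key.e, key.n) % key.n, key.k)
    print(decrypt_implicit_reject(key, c2) == decrypt_implicit_reject(key, c2))  # True
```

Running it shows the property the message is after: the doubled ciphertext has broken padding, yet decryption returns a plaintext of PRF-chosen length, identical on every call for that key and ciphertext, so an oracle cannot distinguish "bad padding" from "some other message" by the output alone.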
| |
TestSuite r=bbeurdouche
grep -rl --exclude-dir=google_test INSTANTIATE_TEST_CASE_P gtests | xargs sed -i '' s/INSTANTIATE_TEST_CASE_P/INSTANTIATE_TEST_SUITE_P/g
grep -rl --exclude-dir=google_test SetUpTestCase gtests | xargs sed -i '' s/SetUpTestCase/SetUpTestSuite/g
Differential Revision: https://phabricator.services.mozilla.com/D98818
| |
Differential Revision: https://phabricator.services.mozilla.com/D86443
| |
Differential Revision: https://phabricator.services.mozilla.com/D36115
| |
Verify that when clamping, the upper 4 bytes of an `mp_digit` are checked.
Differential Revision: https://phabricator.services.mozilla.com/D58576
| |
Differential Revision: https://phabricator.services.mozilla.com/D62676
| |
and CMAC tests r=franziskus
This patch updates to the latest Wycheproof vectors and adds Wycheproof support for CBC, CMAC, and P256-ECDH:
ChaCha20: +141 tests
Curve25519: +431 tests
GCM: +39 tests
CBC (new): +183 tests
CMAC (new): +308 tests
P256 ECDH (new): +460 tests
Differential Revision: https://phabricator.services.mozilla.com/D57477
| |
Differential Revision: https://phabricator.services.mozilla.com/D40120
| |
Differential Revision: https://phabricator.services.mozilla.com/D41617
| |
r=jcj,kjacobs
Differential Revision: https://phabricator.services.mozilla.com/D40649
| |
--static), remove Test builds from taskcluster since we exercise pk11_gtest and mpi_gtests in non-static builds already. r=mt,jcj
Differential Revision: https://phabricator.services.mozilla.com/D30998
| |
Differential Revision: https://phabricator.services.mozilla.com/D31091
| |
Created a gtest for this functions. r=KevinJacobs
Differential Revision: https://phabricator.services.mozilla.com/D30870
| |
cross-compilation and gcc-4.8 support. r=jcj
Updated gyp files to add -msse2 GCC option, iff the compiler is gcc and target is x64 or ia32.
Root cause for the 4.8 failure is a gcc bug where the "#pragma GCC target("sse2")" option used in gcm.h doesn't work when compiling C++ code, as the gtests do.
Differential Revision: https://phabricator.services.mozilla.com/D29886
| |
cross-compilation. r=jcj
Differential Revision: https://phabricator.services.mozilla.com/D29581
| |
Differential Revision: https://phabricator.services.mozilla.com/D14843
| |
Differential Revision: https://phabricator.services.mozilla.com/D11722
| |
Differential Revision: https://phabricator.services.mozilla.com//D10357
| |
Differential Revision: https://phabricator.services.mozilla.com/D2719
Differential Revision: https://phabricator.services.mozilla.com/D2720
Differential Revision: https://phabricator.services.mozilla.com/D2861
| |
--build-flags. gyp builds with --enable-fips enable init tests. Enable cert_rsa_exponent test. Add Linux64 FIPS gyp build to taskcluster/CI. r=franziskus
| |
Summary: Patch for bug 1369091
Reviewers: franziskus
Reviewed By: franziskus
Bug #: 1369091
Differential Revision: https://phabricator.services.mozilla.com/D165
| |
Differential Revision: https://nss-review.dev.mozaws.net/D362
| |
Differential Revision: https://nss-review.dev.mozaws.net/D350
| |
Differential Revision: https://nss-review.dev.mozaws.net/D340
| |
With this patch we use AES-NI whenever possible. The compile time flag USE_HW_AES
does NOT disable this new code. NSS_DISABLE_HW_AES can be used as runtime
flag to disable AES-NI and fall back to the software implementation.
Differential Revision: https://nss-review.dev.mozaws.net/D323
| |
r=mt,ttaubert
Differential Revision: https://nss-review.dev.mozaws.net/D291
| |
Jacobian-affine coordinates, r=ttaubert
Differential Revision: https://nss-review.dev.mozaws.net/D333
| |
Differential Revision: https://nss-review.dev.mozaws.net/D325
| |
Differential Revision: https://nss-review.dev.mozaws.net/D320
| |
Summary: Fix DH_GenParam by repeating mpp_make_prime calls on failure
Differential Revision: https://nss-review.dev.mozaws.net/D308
| |
Differential Revision: https://nss-review.dev.mozaws.net/D284
| |
Differential Revision: https://nss-review.dev.mozaws.net/D237
| |
Differential Revision: https://nss-review.dev.mozaws.net/D145
| |
Differential Revision: https://nss-review.dev.mozaws.net/D170
| |
Differential Revision: https://nss-review.dev.mozaws.net/D149
| |
Differential Revision: https://nss-review.dev.mozaws.net/D75
| |
Differential Revision: https://nss-review.dev.mozaws.net/D68