authorlloyd <[email protected]>2012-05-25 23:56:05 +0000
committerlloyd <[email protected]>2012-05-25 23:56:05 +0000
commitd956f632061cb80f3d7a3ee2b6b4f384dcc73145 (patch)
treec045eeabc4f98c1eb9b5e3e20bcb23370087869a
parent12090a7148d9ee73572cc1a7268fc489504a8173 (diff)
Some post merge fixups.
Fix some bugs that triggered if DEFAULT_BUFFERSIZE was either too small or an odd size.
-rw-r--r--src/cert/x509/x509_ca.cpp3
-rw-r--r--src/cert/x509/x509_crl.cpp6
-rw-r--r--src/cert/x509/x509_obj.cpp2
-rw-r--r--src/cert/x509/x509path.cpp8
-rw-r--r--src/cert/x509/x509path.h5
-rw-r--r--src/credentials/credentials_manager.cpp40
-rw-r--r--src/credentials/info.txt3
-rw-r--r--src/filters/modes/mode_pad/mode_pad.cpp7
-rw-r--r--src/pbe/pbes1/pbes1.cpp9
-rw-r--r--src/pbe/pbes2/pbes2.cpp11
-rw-r--r--src/stream/arc4/arc4.cpp4
-rw-r--r--src/stream/wid_wake/wid_wake.cpp4
12 files changed, 33 insertions, 69 deletions
diff --git a/src/cert/x509/x509_ca.cpp b/src/cert/x509/x509_ca.cpp
index 9633d1466..486d769ef 100644
--- a/src/cert/x509/x509_ca.cpp
+++ b/src/cert/x509/x509_ca.cpp
@@ -13,7 +13,6 @@
#include <botan/parsing.h>
#include <botan/lookup.h>
#include <botan/oids.h>
-#include <botan/time.h>
#include <botan/key_constraint.h>
#include <algorithm>
#include <typeinfo>
@@ -58,7 +57,7 @@ X509_Certificate X509_CA::sign_request(const PKCS10_Request& req,
else
{
std::unique_ptr<Public_Key> key(req.subject_public_key());
- constraints = X509::find_constraints(*key, req.constraints());
+ constraints = find_constraints(*key, req.constraints());
}
Extensions extensions;
diff --git a/src/cert/x509/x509_crl.cpp b/src/cert/x509/x509_crl.cpp
index 1d6393470..29495a627 100644
--- a/src/cert/x509/x509_crl.cpp
+++ b/src/cert/x509/x509_crl.cpp
@@ -51,14 +51,14 @@ bool X509_CRL::is_revoked(const X509_Certificate& cert) const
if(cert.issuer_dn() != issuer_dn())
return false;
- MemoryVector<byte> crl_akid = authority_key_id();
- MemoryVector<byte> cert_akid = cert.authority_key_id();
+ std::vector<byte> crl_akid = authority_key_id();
+ std::vector<byte> cert_akid = cert.authority_key_id();
if(!crl_akid.empty() && !cert_akid.empty())
if(crl_akid != cert_akid)
return false;
- MemoryVector<byte> cert_serial = cert.serial_number();
+ std::vector<byte> cert_serial = cert.serial_number();
bool is_revoked = false;
diff --git a/src/cert/x509/x509_obj.cpp b/src/cert/x509/x509_obj.cpp
index af8be0384..4270dfec2 100644
--- a/src/cert/x509/x509_obj.cpp
+++ b/src/cert/x509/x509_obj.cpp
@@ -177,7 +177,7 @@ std::string X509_Object::hash_used_for_signature() const
*/
bool X509_Object::check_signature(const Public_Key* pub_key) const
{
- std::unique_ptr<Public_Key> key(pub_key);
+ std::unique_ptr<const Public_Key> key(pub_key);
return check_signature(*key);
}
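Review bot: `check_signature(const Public_Key*)` dereferences `pub_key` through `*key` without a null check, and the `std::unique_ptr<const Public_Key>` deletes the caller's key on return; neither is visible at a call site. A null key should fail closed before the dereference, e.g. `if(!pub_key) return false;` as the first statement, or a throw if that matches the project's convention. The ownership transfer deserves a line in the doc comment above, such as `Takes ownership of pub_key and deletes it before returning`. That comment's opening lines are outside the hunk, so it may already say this.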
diff --git a/src/cert/x509/x509path.cpp b/src/cert/x509/x509path.cpp
index 1d0667f85..159787800 100644
--- a/src/cert/x509/x509path.cpp
+++ b/src/cert/x509/x509path.cpp
@@ -33,7 +33,7 @@ X509_Certificate find_issuing_cert(const X509_Certificate& cert,
const std::vector<Certificate_Store*>& certstores)
{
const X509_DN issuer_dn = cert.issuer_dn();
- const MemoryVector<byte> auth_key_id = cert.authority_key_id();
+ const std::vector<byte> auth_key_id = cert.authority_key_id();
for(size_t i = 0; i != certstores.size(); ++i)
{
@@ -55,7 +55,7 @@ std::vector<X509_CRL> find_crls_from(const X509_Certificate& cert,
const std::vector<Certificate_Store*>& certstores)
{
const X509_DN issuer_dn = cert.subject_dn();
- const MemoryVector<byte> auth_key_id = cert.subject_key_id();
+ const std::vector<byte> auth_key_id = cert.subject_key_id();
for(size_t i = 0; i != certstores.size(); ++i)
{
@@ -143,7 +143,7 @@ std::string Path_Validation_Result::result_string() const
return "CA certificate not allowed to issue CRLs";
default:
- return "Unknown code " + to_string(m_result);
+ return "Unknown code " + std::to_string(m_result);
}
}
@@ -210,7 +210,7 @@ Path_Validation_Result x509_path_validate(
const bool self_signed_ee_cert = (cert_path.size() == 1);
- X509_Time current_time(system_time());
+ X509_Time current_time(std::chrono::system_clock::now());
for(size_t i = 0; i != cert_path.size(); ++i)
{
diff --git a/src/cert/x509/x509path.h b/src/cert/x509/x509path.h
index fc784d429..18129a236 100644
--- a/src/cert/x509/x509path.h
+++ b/src/cert/x509/x509path.h
@@ -10,12 +10,7 @@
#include <botan/x509cert.h>
#include <botan/certstor.h>
-<<<<<<< variant A
#include <set>
->>>>>>> variant B
-#include <functional>
-####### Ancestor
-======= end
namespace Botan {
diff --git a/src/credentials/credentials_manager.cpp b/src/credentials/credentials_manager.cpp
index adb3a64fc..a1f2c90df 100644
--- a/src/credentials/credentials_manager.cpp
+++ b/src/credentials/credentials_manager.cpp
@@ -6,7 +6,7 @@
*/
#include <botan/credentials_manager.h>
-#include <botan/x509stor.h>
+#include <botan/x509path.h>
namespace Botan {
@@ -104,46 +104,22 @@ void Credentials_Manager::verify_certificate_chain(
if(purported_hostname != "" && !cert_chain[0].matches_dns_name(purported_hostname))
throw std::runtime_error("Certificate did not match hostname");
-#if 1
- std::vector<X509_Certificate> CAs = trusted_certificate_authorities(type, purported_hostname);
+ auto trusted_CAs = trusted_certificate_authorities(type, purported_hostname);
- X509_Store store;
-
- for(size_t i = 0; i != CAs.size(); ++i)
- store.add_cert(CAs[i], true);
- for(size_t i = 0; i != cert_chain.size(); ++i)
- store.add_cert(cert_chain[i]);
-
- X509_Code result = store.validate_cert(cert_chain[0], X509_Store::TLS_SERVER);
-
- if(CAs.empty())
- {
- if(result == CERT_ISSUER_NOT_FOUND)
- return;
- if(result == CANNOT_ESTABLISH_TRUST)
- return;
- }
-
- if(result != VERIFIED)
- throw std::runtime_error("Certificate did not validate, code " +
- std::to_string(result));
-#else
-
- // New X.509 API
- const Certificate_Store& CAs =
- trusted_certificate_authorities(type, purported_hostname);
+ Certificate_Store_In_Memory CAs;
+ for(auto cert : trusted_CAs)
+ CAs.add_certificate(cert);
Path_Validation_Result result =
x509_path_validate(cert_chain,
Path_Validation_Restrictions(),
- store);
+ CAs);
if(!result.successful_validation())
- throw std::runtime_error("Certificate validation failure: " + result.as_string());
+ throw std::runtime_error("Certificate validation failure: " + result.result_string());
- if(!CAs.certificate_known(result.trust_root())
+ if(!CAs.certificate_known(result.trust_root()))
throw std::runtime_error("Certificate chain roots in unknown/untrusted CA");
-#endif
}
}
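Review bot: The new `x509_path_validate` call passes a default-constructed `Path_Validation_Restrictions()` and nothing derived from `type`, whereas the removed `store.validate_cert(cert_chain[0], X509_Store::TLS_SERVER)` named the intended usage, so a usage check may have been lost. Whether the default restrictions enforce a TLS-server usage constraint is not visible here and should be confirmed, or the usage passed explicitly. The removed `if(CAs.empty())` branch that accepted `CERT_ISSUER_NOT_FOUND` and `CANNOT_ESTABLISH_TRUST` is gone, so an empty trusted-CA list now appears to reject every chain; a comment such as `// An empty trusted CA list fails validation rather than being accepted` would record that this is deliberate. `for(auto cert : trusted_CAs)` copies each certificate and could be `for(const auto& cert : trusted_CAs)`. The function begins above the hunk, so any guard that `cert_chain` is non-empty before `cert_chain[0]` is used would sit outside what is shown.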
diff --git a/src/credentials/info.txt b/src/credentials/info.txt
index 689c4f1ae..529011585 100644
--- a/src/credentials/info.txt
+++ b/src/credentials/info.txt
@@ -1,6 +1,5 @@
define CREDENTIALS_MANAGER
<requires>
-x509cert
-x509store
+x509
</requires>
diff --git a/src/filters/modes/mode_pad/mode_pad.cpp b/src/filters/modes/mode_pad/mode_pad.cpp
index 495a0abe9..f5d544e92 100644
--- a/src/filters/modes/mode_pad/mode_pad.cpp
+++ b/src/filters/modes/mode_pad/mode_pad.cpp
@@ -40,11 +40,14 @@ void PKCS7_Padding::pad(byte block[], size_t size, size_t position) const
size_t PKCS7_Padding::unpad(const byte block[], size_t size) const
{
size_t position = block[size-1];
+
if(position > size)
- throw Decoding_Error(name());
+ throw Decoding_Error("Bad padding in " + name());
+
for(size_t j = size-position; j != size-1; ++j)
if(block[j] != position)
- throw Decoding_Error(name());
+ throw Decoding_Error("Bad padding in " + name());
+
return (size-position);
}
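Review bot: `unpad` does not reject a final byte of zero: with `position == 0` the loop starts at `j = size`, which already differs from `size-1`, so `block[size]` and beyond are read past the end of the block. The bounds check should be `if(position == 0 || position > size)`. `block[size-1]` also assumes `size > 0`, which nothing in the function enforces; the caller may guarantee it, but that is not visible in this hunk. Because this routine runs on decrypted input that may have been tampered with, a short comment stating the accepted range, e.g. `// valid pad length is 1..size`, would help.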
diff --git a/src/pbe/pbes1/pbes1.cpp b/src/pbe/pbes1/pbes1.cpp
index 0e5e8284c..41a793a24 100644
--- a/src/pbe/pbes1/pbes1.cpp
+++ b/src/pbe/pbes1/pbes1.cpp
@@ -19,13 +19,8 @@ namespace Botan {
*/
void PBE_PKCS5v15::write(const byte input[], size_t length)
{
- while(length)
- {
- size_t put = std::min(DEFAULT_BUFFERSIZE, length);
- pipe.write(input, length);
- flush_pipe(true);
- length -= put;
- }
+ pipe.write(input, length);
+ flush_pipe(true);
}
/*
diff --git a/src/pbe/pbes2/pbes2.cpp b/src/pbe/pbes2/pbes2.cpp
index 752a4fb6d..0036359cc 100644
--- a/src/pbe/pbes2/pbes2.cpp
+++ b/src/pbe/pbes2/pbes2.cpp
@@ -26,13 +26,8 @@ namespace Botan {
*/
void PBE_PKCS5v20::write(const byte input[], size_t length)
{
- while(length)
- {
- size_t put = std::min(DEFAULT_BUFFERSIZE, length);
- pipe.write(input, length);
- flush_pipe(true);
- length -= put;
- }
+ pipe.write(input, length);
+ flush_pipe(true);
}
/*
@@ -75,7 +70,7 @@ void PBE_PKCS5v20::flush_pipe(bool safe_to_skip)
secure_vector<byte> buffer(DEFAULT_BUFFERSIZE);
while(pipe.remaining())
{
- size_t got = pipe.read(&buffer[0], buffer.size());
+ const size_t got = pipe.read(&buffer[0], buffer.size());
send(buffer, got);
}
}
diff --git a/src/stream/arc4/arc4.cpp b/src/stream/arc4/arc4.cpp
index 13eb6ff9e..16c6058d2 100644
--- a/src/stream/arc4/arc4.cpp
+++ b/src/stream/arc4/arc4.cpp
@@ -7,7 +7,7 @@
#include <botan/arc4.h>
#include <botan/internal/xor_buf.h>
-#include <botan/parsing.h>
+#include <botan/internal/rounding.h>
namespace Botan {
@@ -62,7 +62,7 @@ void ARC4::generate()
void ARC4::key_schedule(const byte key[], size_t length)
{
state.resize(256);
- buffer.resize(DEFAULT_BUFFERSIZE);
+ buffer.resize(round_up<size_t>(DEFAULT_BUFFERSIZE, 4));
position = X = Y = 0;
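Review bot: `round_up<size_t>(DEFAULT_BUFFERSIZE, 4)` fixes the odd-size case but sets no minimum, unlike the `std::max<size_t>(8*4, DEFAULT_BUFFERSIZE)` used in the wid_wake.cpp hunk of this commit; if `round_up` maps 0 to 0, a zero `DEFAULT_BUFFERSIZE` would leave an empty keystream buffer. Something like `buffer.resize(round_up<size_t>(std::max<size_t>(4, DEFAULT_BUFFERSIZE), 4));` would make the two ciphers consistent. Both hunks also leave the constants unexplained. A comment such as `// generate() fills the buffer in 4-byte steps` (and the equivalent for `8*4` and `8` in wid_wake.cpp) would say why, assuming that is the reason, since `generate()` is not in the hunk. `key_schedule` continues below the hunk.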
diff --git a/src/stream/wid_wake/wid_wake.cpp b/src/stream/wid_wake/wid_wake.cpp
index e4ab6477f..0f56148a5 100644
--- a/src/stream/wid_wake/wid_wake.cpp
+++ b/src/stream/wid_wake/wid_wake.cpp
@@ -8,6 +8,7 @@
#include <botan/wid_wake.h>
#include <botan/loadstor.h>
#include <botan/internal/xor_buf.h>
+#include <botan/internal/rounding.h>
namespace Botan {
@@ -76,7 +77,8 @@ void WiderWake_41_BE::key_schedule(const byte key[], size_t)
{
t_key.resize(4);
state.resize(5);
- buffer.resize(DEFAULT_BUFFERSIZE);
+ buffer.resize(
+ round_up<size_t>(std::max<size_t>(8*4, DEFAULT_BUFFERSIZE), 8));
for(size_t i = 0; i != 4; ++i)
t_key[i] = load_be<u32bit>(key, i);