| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |\
| |
| | |
Add VS2015 jobs to Appveyor build
|
| | | |
|
| |/ |
|
| |
|
|
| |
[ci skip]
|
| |
|
|
|
|
| |
Removes a fair number of the power mod test cases for size and test time.
Would be better to add a randomized or fuzzer-based test. Otherwise no
change.
|
| |
|
|
|
|
|
|
|
| |
Not optimized and relies on asm support for const time word_add/word_sub
instructions.
Fix a bug introduced in 46e9a89 - unpoison needs to call the valgrind
API with the pointer rather than the reference. Caused values not to
be unpoisoned.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Later checks on the record length in CCS and record handling already
rejected a zero length record but when reading an empty record,
readbuf.size() == TLS_HEADER_SIZE and so creating the pointer
byte* record_contents = &readbuf[TLS_HEADER_SIZE];
would trigger when running under (at least) GCC'S iterator debugging,
and likely other iterator checkers also.
Since no completely empty record is defined, reject it immediately at
the record layer.
Found by Juraj Somorovsky
Also correct DTLS record handling for large messages: a zero length or
too-long packet should be dropped rather than an exception being thrown.
|
| |
|
|
|
|
|
|
|
|
| |
Previously MCEIES used KEM with a raw SHA-512 hash. When the KDF
oriented KEM interface was added in 72f0f0ad2a it switched to using
KDF1(SHA-512) since for a 64-byte output and no salt, the output
matches the original hash. This avoids breaking the format.
Prevents runtime failures when MCEIES is enabled in the build but KDF1
is not. GH #369
|
| |
|
|
|
|
|
|
|
|
| |
If malloc fails, don't save the size that was attempted. Otherwise a
failing malloc followed by a free(nullptr) would zero a block of
memory equal to the failed allocation starting from the null address.
It's not clear if zlib,bzip2,lzma expect the return of the malloc
function to be zero but LZMA at least seems to read from it before
writing. Zero it.
|
| | |
|
| |
|
|
|
|
|
|
| |
Initialize variables in constructor in gf2m_decomp_rootfind_state
Add asserts on the degree where a positive value was assumed. How
polyn_gf2m handles the degree needs some work but this should do for
now.
|
| |
|
|
|
|
| |
It somehow deduces an input that is both > 0 and for which high_bit
never finds a bit set and returns 0. In both cases that would lead to
block being 0 and a negative shift.
|
| |
|
|
|
|
| |
Unlikely to fail in this case but anything's possible.
Found by Coverity
|
| |
|
|
|
|
|
| |
Would be better to iterate over all of the key types for this type of
coverage.
Avoids Coverity dead code warning on the error-case throw.
|
| |
|
|
|
|
|
|
|
|
| |
Some tests only deallocated in the branch where some other test
on the object succeeded.
The ECDH FFI test didn't deallocate any of its objects, which was
missed by valgrind before now because the test was not being run.
Found by Coverity scanner
|
| |
|
|
|
|
|
|
| |
It assumes unpoison is expecting a pointer to T and sizeof(T), but the
sizeof is evaluated in unpoison but only in the case of building with
valgrind.
Just call the valgrind API again directly
|
| | |
|
| | |
|
| |\
| |
| | |
PVS-Studio fixes
|
| | |
| |
| |
| | |
value. asn1_time.cpp 159
|
| |/
|
|
| |
inside the body of a loop. test_compression.cpp 78
|
| |\
| |
| | |
Update iOS build instructions
|
| |/
|
| |
When building for iOS, you want to build for all three architectures, so you can run your app on an iOS device and on the simulator.
|
| |
|
|
|
|
|
|
| |
Remove SRP_SHA from the default policy, since normal applications do
not need it.
Removes nullptr initializers of unique_ptrs in the Server_Key_Exchange
constructor, that's the default unique_ptr already.
|
| |
|
|
| |
Was previously on hres_timer entropy source
|
| |
|
|
|
|
|
|
|
|
|
| |
Add OS functions get_process_id, get_processor_timestamp, and
get_system_timestamp_ns. HMAC_RNG uses the pid call to detect forks to
initiate a reseed. It also adds the output of all three functions (the
pid, the CPU cycle counter, and the system timestamp) into the PRF input.
Calls the new OS timer functions from hres_timer entropy source.
Removes the call to QPC in es_win32 which is mostly redundant with the
one in hres_timer.
|
| | |
|
| |\ |
|
| |/
|
|
|
| |
The signature of the alert callback remains unchanged to avoid
breaking applications, though now the buffer parameter is never set.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Thinking it over I've realized this was not a good move; XP may be EOLed but is
still widely used and even VS 2015 still supports targeting XP. It's not really
the same situation as going to extra efforts for supporting SunOS 5.1 or VAX/VMS,
instead it actively broke support for something which is still widely deployed.
And for those building for XP the options are patch out the call (GH #416) or
disable win32_stats altogether in their build. I'd like to prevent downstream
distributors from having to patch, because that can get messy. And while the
design of CryptGenRandom is not disclosed it apparently has changed over time
and at one point (IIRC) used RC4 to generate outputs, so if there is any OS that
could use some extra help generating seed material it is XP.
There may be future code that really makes use of APIs added after XP - CryptoNG,
TPM support, etc and then people targetting XP will have to compile out those
modules. But it doesn't make sense to break it here for this small gain.
|
| | |
|
| |
|
|
| |
[ci skip]
|
| |
|
|
|
|
| |
Consistent speed up of about ~5% on my machine.
Also tried moving all the A[] values to local registers, was slower.
|
| |
|
|
| |
[ci skip]
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The check on each individual size in curve_mul is too strict since
we rely on redc(x*1) during the on the curve computation.
Fix an off by one in ressol which caused it to occasionally reject
valid values.
Updating version 1.11.28 since existing 1.11.27 tag already pushed :(
Fix an off-by-one in ressol which would cause it to occasionly
give up too early.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
If affine coordinates larger than the prime modulus were given,
a later multiplication could overflow the size of an allocated
output buffer, which was sized based on the size of the prime.
This will cause an overflow into either the system heap or if the
mlock/mmap pool allocator is in use, then into the adjacent key
material stored in the pool.
Reported by Alex Gaynor who found it with AFL
Also fix a one word overwrite in P-521 reduction. Found with AFL
|
| |
|
|
|
|
|
| |
It first computed the first i for q**(2**i) == 1, then checked that i
was smaller than s. Given a composite modulus (for which the algorithm
does not work), the loop might do a very large amount of work before
returning the failure.
|
| | |
|
| |\ |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| |
| | |
As best I can tell it wasn't actually possible for the value to be
used uninitialized, since it was initialized if m_outer_summands > 1
and only used if m_outer_summands was at least 2.
|
