path: root/src/lib/pk_pad/eme_oaep
Commit log (message, author, date, files changed, lines removed/added):

* Fix clang-tidy performance warnings (Jack Lloyd, 2022-02-06, 1 file, -1/+1)

* Clarify some docstrings and comments (Philippe Lieser, 2021-09-14, 2 files, -3/+3)

* Fix a minor OAEP side channel (Jack Lloyd, 2021-09-14, 1 file, -3/+5)
  OAEP had some logic to handle how RSA used to work, but this was already fixed way back in b8966d0f8. Thanks to @lieser for pointing out this issue.

* EME (Jack Lloyd, 2021-04-05, 2 files, -11/+11)

* Remove deprecated headers, make more headers internal (Jack Lloyd, 2020-11-06, 2 files, -6/+4)
  Now modules default to internal headers instead of defaulting to public; making a new public API should be a visible and intentional choice. Brings the public header count from over 300 to around 150. Also removes the deprecated tls_blocking interface.

* Deprecate many publically available headers (Jack Lloyd, 2019-09-06, 1 file, -0/+2)

* Use consistent logic for OAEP and PKCS1v15 decoding (Jack Lloyd, 2018-12-21, 1 file, -12/+8)
  The decoding leaked some information about the delimiter index due to copying only exactly input_len - delim_idx bytes. I can't articulate a specific attack that would work here, but it is easy enough to fix this to run in const time instead, where all bytes are accessed regardless of the length of the padding. CT::copy_out is O(n^2) and thus terrible, but in practice it is only used with RSA decryption, and multiplication is also O(n^2) with the modulus size, so a few extra cycles here doesn't matter much.

* Add CT::Mask type (Jack Lloyd, 2018-11-28, 1 file, -11/+11)

* Add a fuzzer for OAEP unpadding (Jack Lloyd, 2018-09-22, 2 files, -10/+33)
  This tests the delim scanning section which must be const time.

* Mixed mode OAEP (Jack Lloyd, 2018-03-21, 3 files, -10/+27)

* Add note on OAEP version implemented [ci skip] (René Korthaus, 2018-01-04, 1 file, -0/+1)

* Header file cleanups (Jack Lloyd, 2017-09-21, 1 file, -0/+2)
  Some help from include-what-you-use.

* Change header guard format to BOTAN_FOO_H_ (Jack Lloyd, 2017-09-20, 1 file, -2/+2)
  ISO C++ reserves names with double underscores in them.
  Closes #512

* Add API stability annotations. (Jack Lloyd, 2017-09-19, 1 file, -1/+1)
  Defined in build.h, all equal to BOTAN_DLL so ties into existing system for exporting symbols.

* Use constant_time_compare instead of same_mem (Jack Lloyd, 2017-09-16, 1 file, -1/+1)
  New name, same great operation.

* Remove "Dirty hack" for multiple defines in lex_me_harder() (Simon Warta, 2017-04-02, 1 file, -1/+3)

* Convert to using standard uintN_t integer types (Jack Lloyd, 2016-12-18, 2 files, -18/+18)
  Renames a couple of functions for somewhat better name consistency, eg make_u32bit becomes make_uint32. The old typedefs remain for now since probably lots of application code uses them.

* Avoid timing channel in OAEP decoding (CVE-2016-8871) (Juraj Somorovsky, 2016-10-26, 1 file, -7/+12)

* Remove Algo_Registry (Jack Lloyd, 2016-10-21, 2 files, -17/+0)
  I repent my use of global constructors. I repent my use of global locks. Hopefully I will never touch this code again. :)

* Improve pk_pad doxygen [ci skip] (René Korthaus, 2016-10-19, 1 file, -1/+1)

* eme / pubkey test improvements (Daniel Neus, 2016-07-25, 1 file, -1/+3)
  - add test for EME::maximum_input_size()
  - additionally use maximum_input_size() before pad() in OAEP and PKCS1 (remove code duplication)
  - prevent C4800 MSVC warning

* Clean up PK decryption encoding. (Jack Lloyd, 2016-03-20, 2 files, -12/+8)
  Previously RSA and ElGamal stripped off leading zeros which were then assumed by the padding decoders. Instead have them produce ciphertexts with leading zeros. Changes EME_Raw to strip leading zeros to match existing behavior.

* Add PK_Decryptor::decrypt_or_random (Jack Lloyd, 2016-03-20, 2 files, -8/+17)
  Performs content checks on the value (expected length, expected bytes) and in constant time returns either the decrypted value or a random value.

* Add final attribute to many classes (Jack Lloyd, 2016-01-10, 1 file, -1/+1)
  In some cases this can offer better optimization, via devirtualization. And it lets the user know the class is not intended for derivation. Some discussion in GH #402.

* Make Montgomery reduction constant time. (Jack Lloyd, 2015-10-24, 1 file, -8/+8)
  It was already close, but the carry loop would break early and selecting which value to copy out was indexed on the borrow bit. Have the carry loop run through, and add a const-time conditional copy operation and use that to copy the output.
  Convert ct_utils to CT namespace. Templatize the utils, which I was hesitant to do initially but is pretty useful when dealing with arbitrary word sizes. Remove the poison macros, replace with inline funcs which reads cleaner at the call site.

* Cleanups in ct and oaep (Jack Lloyd, 2015-10-17, 1 file, -9/+11)
  In OAEP expand the const time block to cover MGF1 also.

* Make PKCS #1 and OAEP decoding constant time to avoid oracle attacks (Jack Lloyd, 2015-10-16, 1 file, -16/+16)
  via timing channels. Add annotations for checking constant-time code using ctgrind to PKCS #1 and OAEP, as well as IDEA and Curve25519 which were already written as constant time code.

* Remove use of lookup.h in favor of new T::create API. (Jack Lloyd, 2015-09-21, 1 file, -3/+2)

* Fix pbkdf, pk padding and ECDH registration for static linking. (Jack Lloyd, 2015-09-11, 1 file, -5/+1)
  With this change the tests pass when linked against a static library built in the normal (non-amalgamation) fashion. Remove the restriction in configure.py, and have circleci build the clang static build as a non-amalg.

* pk_pad: Add missing overrides (Daniel Seither, 2015-07-30, 1 file, -3/+3)

* Fix module combi: adler32,eme_oaep (Simon Warta, 2015-07-08, 1 file, -1/+0)

* lib/pk_pad: Convert &vec[0] to vec.data() (Daniel Seither, 2015-06-20, 1 file, -8/+8)

* Hide Algorithm_Factory and use the functions in lookup.h internally. (lloyd, 2015-03-04, 1 file, -3/+1)
  Fix two memory leaks (in TLS and modes) caused by calling get_foo and then cloning the result before saving it (leaking the original object), a holdover from the conversion between construction techniques in 1.11.14.

* Clean up root dir, remove some unneeded dependencies (lloyd, 2015-02-05, 1 file, -3/+0)

* Use registry also for KDF, EMSA, and EME (lloyd, 2015-01-31, 2 files, -0/+24)

* Ensure all files have copyright and license info. (lloyd, 2015-01-10, 2 files, -2/+2)
  Update license header line to specify the terms and refer to the file, neither of which it included before.

* Guess I won't be needing these (lloyd, 2014-01-18, 2 files, -2/+0)

* Rename the various pubkey padding schemes to match the common names. (lloyd, 2014-01-18, 3 files, -0/+184)
  Way back when, following IEEE 1363 naming seemed like a good idea. But not so much.