aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/pk_pad/eme_pkcs1
Commit message (Collapse)AuthorAgeFilesLines
* Use consistent logic for OAEP and PKCS1v15 decodingJack Lloyd2018-12-212-12/+19
| | | | | | | | | | | | The decoding leaked some information about the delimiter index due to copying only exactly input_len - delim_idx bytes. I can't articulate a specific attack that would work here, but it is easy enough to fix this to run in const time instead, where all bytes are accessed regardless of the length of the padding. CT::copy_out is O(n^2) and thus terrible, but in practice it is only used with RSA decryption, and multiplication is also O(n^2) with the modulus size, so a few extra cycles here doesn't matter much.
* Add CT::Mask typeJack Lloyd2018-11-281-10/+10
|
* Header file cleanupsJack Lloyd2017-09-211-0/+2
| | | | Some help from include-what-you-use
* Change header guard format to BOTAN_FOO_H_Jack Lloyd2017-09-201-2/+2
| | | | | | ISO C++ reserves names with double underscores in them Closes #512
* Add API stability annotations.Jack Lloyd2017-09-191-1/+1
| | | | | Defined in build.h, all equal to BOTAN_DLL so ties into existing system for exporting symbols.
* Remove "Dirty hack" for multiple defines in lex_me_harder()Simon Warta2017-04-021-1/+3
|
* Convert to using standard uintN_t integer typesJack Lloyd2016-12-182-16/+16
| | | | | | Renames a couple of functions for somewhat better name consistency, eg make_u32bit becomes make_uint32. The old typedefs remain for now since probably lots of application code uses them.
* Fix off by one in PKCS #1 v1.5 decryption decodingJack Lloyd2016-12-081-1/+1
| | | | | | | | | | | | When the code was changed in b8966d0f89e, the offset was not changed, so it would reject ciphertexts with exactly 8 bytes of random padding (the required minimum). Found by pkcs1 fuzzer which also had problems due to not having been updated at the same time. Add a test suite for decoding of PK decryption padding to cover the problem cases.
* Avoid crash in PKCS1v1.5 unpadding if input len <= 2Jack Lloyd2016-12-081-0/+6
| | | | Don't think this can't happen outside of a fuzzer test
* eme / pubkey test improvementsDaniel Neus2016-07-251-10/+10
| | | | | | - add test for EME::maximum_input_size() - additionally use maximum_input_size() before pad() in OAEP and PKCS1 (remove code duplication) - prevent C4800 MSVC warning
* Clean up PK decryption encoding.Jack Lloyd2016-03-202-12/+17
| | | | | | | Previously RSA and ElGamal stripped off leading zeros which were then assumed by the padding decoders. Instead have them produce ciphertexts with leading zeros. Changes EME_Raw to strip leading zeros to match existing behavior.
* Add PK_Decryptor::decrypt_or_randomJack Lloyd2016-03-202-8/+13
| | | | | Performs content checks on the value (expected length, expected bytes) and in constant time returns either the decrypted value or a random value.
* Add final attribute to many classesJack Lloyd2016-01-101-1/+1
| | | | | | | In some cases this can offer better optimization, via devirtualization. And it lets the user know the class is not intended for derivation. Some discussion in GH #402
* TLS improvementsJack Lloyd2015-10-251-2/+1
| | | | | | | | | | | | | | Use constant time operations when checking CBC padding in TLS decryption Fix a bug in decoding ClientHellos that prevented DTLS rehandshakes from working: on decode the session id and hello cookie would be swapped, causing confusion between client and server. Various changes in the service of finding the above DTLS bug that should have been done before now anyway - better control of handshake timeouts (via TLS::Policy), better reporting of handshake state in the case of an error, and finally expose the facility for per-message application callbacks.
* Make Montgomery reduction constant time.Jack Lloyd2015-10-241-8/+8
| | | | | | | | | | | | | | It was already close, but the carry loop would break early and selecting which value to copy out was indexed on the borrow bit. Have the carry loop run through, and add a const-time conditional copy operation and use that to copy the output. Convert ct_utils to CT namespace. Templatize the utils, which I was hesitant to do initially but is pretty useful when dealing with arbitrary word sizes. Remove the poison macros, replace with inline funcs which reads cleaner at the call site.
* Make PKCS #1 and OAEP decoding constant time to avoid oracle attacksJack Lloyd2015-10-161-14/+32
| | | | | | | | via timing channels. Add annotations for checking constant-time code using ctgrind to PKCS #1 and OAEP, as well as IDEA and Curve25519 which were already written as constant time code.
* Fix pbkdf, pk padding and ECDH registration for static linking.Jack Lloyd2015-09-111-3/+0
| | | | | | | | With this change the tests pass when linked against a static library built in the normal (non-amalgamation) fashion. Remove the restriction in configure.py, and have circleci build the clang static build as a non-amalg.
* pk_pad: Add missing overridesDaniel Seither2015-07-301-3/+3
|
* Fix typosSimon Warta2015-07-241-4/+4
| | | | Thanks to @vlajos https://github.com/vlajos/misspell_fixer
* Use registry also for KDF, EMSA, and EMElloyd2015-01-311-0/+3
|
* Ensure all files have copyright and license info.lloyd2015-01-102-2/+2
| | | | | Update license header line to specify the terms and refer to the file, neither of which it included before.
* Rename the various pubkey padding schemes to match the common names.lloyd2014-01-183-0/+101
Way back when, following IEEE 1363 naming seemed like a good idea. But not so much.
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-15 18:48:05 +0000