| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
| |
Renames a couple of functions for somewhat better name consistency,
eg make_u32bit becomes make_uint32. The old typedefs remain for now
since probably lots of application code uses them.
|
|\ |
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When the code was changed in b8966d0f89e, the offset was not changed,
so it would reject ciphertexts with exactly 8 bytes of random padding
(the required minimum).
Found by pkcs1 fuzzer which also had problems due to not having been
updated at the same time.
Add a test suite for decoding of PK decryption padding to cover the
problem cases.
|
|/
|
|
| |
Don't think this can't happen outside of a fuzzer test
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
This required taking a global lock and doing a map lookup each
time an algorithm was requested (and so many times during a TLS
handshake).
|
|
|
|
|
|
|
| |
I repent my use of global constructors.
I repent my use of global locks.
Hopefully I will never touch this code again.
:)
|
| |
|
| |
|
|\ |
|
| | |
|
|/
|
|
|
|
| |
- add test for EME::maximum_input_size()
- additionally use maximum_input_size() before pad() in OAEP and PKCS1 (remove code duplication)
- prevent C4800 MSVC warning
|
|\ |
|
| | |
|
| | |
|
|/ |
|
|
|
|
|
|
|
| |
Previously RSA and ElGamal stripped off leading zeros which were then
assumed by the padding decoders. Instead have them produce ciphertexts
with leading zeros. Changes EME_Raw to strip leading zeros to match
existing behavior.
|
|
|
|
|
| |
Performs content checks on the value (expected length, expected bytes)
and in constant time returns either the decrypted value or a random value.
|
|
|
|
| |
explicit.
|
|
|
|
|
|
|
| |
In some cases this can offer better optimization, via devirtualization.
And it lets the user know the class is not intended for derivation.
Some discussion in GH #402
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use constant time operations when checking CBC padding in TLS decryption
Fix a bug in decoding ClientHellos that prevented DTLS rehandshakes
from working: on decode the session id and hello cookie would be
swapped, causing confusion between client and server.
Various changes in the service of finding the above DTLS bug that
should have been done before now anyway - better control of handshake
timeouts (via TLS::Policy), better reporting of handshake state in the
case of an error, and finally expose the facility for per-message
application callbacks.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It was already close, but the carry loop would break early and
selecting which value to copy out was indexed on the borrow bit. Have
the carry loop run through, and add a const-time conditional copy
operation and use that to copy the output.
Convert ct_utils to CT namespace. Templatize the utils, which I was
hesitant to do initially but is pretty useful when dealing with
arbitrary word sizes.
Remove the poison macros, replace with inline funcs which reads
cleaner at the call site.
|
|
|
|
| |
In OAEP expand the const time block to cover MGF1 also
|
|
|
|
|
|
|
|
| |
via timing channels.
Add annotations for checking constant-time code using ctgrind to
PKCS #1 and OAEP, as well as IDEA and Curve25519 which were already
written as constant time code.
|
| |
|
|
|
|
| |
Only user-visible change is the removal of get_byte.h
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously we were hanging on the type destructors to pull in
the relevant objects. However that fails in many simple cases
where the object is never deleted.
For every type involved in the algo registry add static create
and providers functions to access the algo registry. Modify
lookup.h to be inline and call those functions, and move
a few to sub-headers (eg, get_pbkdf going to pbkdf.h). So
accessing the registry involves going through the same file
that handles the initialization, so there is no way to end up
with missing objs.
|
|
|
|
|
|
|
|
| |
With this change the tests pass when linked against a static library
built in the normal (non-amalgamation) fashion.
Remove the restriction in configure.py, and have circleci build the
clang static build as a non-amalg.
|
| |
|
| |
|
|
|
|
| |
Thanks to @vlajos https://github.com/vlajos/misspell_fixer
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
op to use a padding scheme outside of our knowledge or control, for
instance an OpenSSL RSA op which uses OpenSSL's padding code. Similar
change for key agreement and KDFs for the same reason.
Add an EME_Raw type; previously this operation was implicit in the
code in pubkey.cpp
|
|
|
|
|
|
| |
Fix two memory leaks (in TLS and modes) caused by calling get_foo and
then cloning the result before saving it (leaking the original object),
a holdover from the conversion between construction techniques in 1.11.14
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Convert all uses of Algorithm_Factory and the engines to using Algo_Registry
The shared pool of entropy sources remains but is moved to EntropySource.
With that and few remaining initializations (default OIDs and aliases)
moved elsewhere, the global state is empty and init and shutdown are no-ops.
Remove almost all of the headers and code for handling the global
state, except LibraryInitializer which remains as a compatability stub.
Update seeding for blinding so only one hacky almost-global RNG
instance needs to be setup instead of across all pubkey uses (it uses
either the system RNG or an AutoSeeded_RNG if the system RNG is not
available).
|
|
|
|
| |
Remove global PRNG.
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Update license header line to specify the terms and refer to the file,
neither of which it included before.
|