path: root/src/lib/pk_pad
Commit message  [Author, Date, Files, Lines]

* Correct the SHA-3 PKCSv1.5 IDs  [Jack Lloyd, 2017-10-05, 1 file, -4/+10]
    Thanks to @noloader for pointing me at draft-jivsov-openpgp-sha3-01 which has the correct values. Adds a test so this can't happen again.
* Make EMSA1 data private  [Jack Lloyd, 2017-10-02, 1 file, -6/+4]
    It was already final so leaving data as protected makes no sense...
* Further build/test fixes for restricted configurations  [Jack Lloyd, 2017-09-24, 1 file, -0/+1]
* Apply final annotations to the library also  [Jack Lloyd, 2017-09-22, 1 file, -1/+1]
    Done by a perl script which converted all classes to final, followed by selective reversion where it caused compilation failures.
* Header file cleanups  [Jack Lloyd, 2017-09-21, 14 files, -5/+23]
    Some help from include-what-you-use
* Merge GH #1212 Add support for 'raw' PSS signatures  [Jack Lloyd, 2017-09-20, 3 files, -51/+167]
|\
| * Clear return value, and verify 'raw' hash matches expected size  [Jack Lloyd, 2017-09-16, 1 file, -1/+7]
| * Support PSSR_Raw  [Jack Lloyd, 2017-09-16, 3 files, -51/+161]
|     Allows PSS-signing a raw hash while also still specifying the salt length. GH #1211
* | Change header guard format to BOTAN_FOO_H_  [Jack Lloyd, 2017-09-20, 13 files, -26/+26]
| |   ISO C++ reserves names with double underscores in them
| |   Closes #512
* | Add API stability annotations.  [Jack Lloyd, 2017-09-19, 13 files, -19/+19]
| |   Defined in build.h, all equal to BOTAN_DLL so ties into existing system for exporting symbols.
* | Use constant_time_compare instead of same_mem  [Jack Lloyd, 2017-09-16, 5 files, -5/+5]
| |   New name, same great operation
|/
* Added SHA3_XXX_PKCS OID  [Francis Dupont, 2017-09-04, 1 file, -0/+28]
* Fix a valgrind const-time error in ISO 9796 padding  [Jack Lloyd, 2017-08-29, 1 file, -2/+7]
    It didn't unpoison the output values.
* Allow signature using `Raw(hashname)`  [Jack Lloyd, 2017-08-15, 3 files, -7/+38]
    This confirms the message is exactly the size of the expected hash, and also causes RFC 6979 nonces to be generated using the specified hash. See also https://github.com/riboseinc/rnp/issues/367
* Add SM3 OIDs and PKCSv1.5 hash prefix  [Jack Lloyd, 2017-05-19, 1 file, -0/+8]
* Accept SHA1 and SHA-1 as aliases for hash_id  [Jack Lloyd, 2017-05-18, 1 file, -2/+3]
* Add botan_pkcs_hash_id to FFI  [Jack Lloyd, 2017-05-18, 3 files, -3/+35]
    Extend EMSA_PKCS1v15_Raw to optionally take a hash function for which the PKCS hash id is prefixed to the message as usual. This allows signing a message using PKCSv1.5 padding where the hash is provided externally.
* Content:  [Tomasz Frydrych, 2017-04-03, 3 files, -4/+2]
    - fixes for deprecated constructions in c++11 and later (explicit rule of 3/5 or implicit rule of 0 and other violations)
    - `default` specifier instead of `{}` in some places (probably all)
    - removal of unreachable code (for example `return` after `throw`)
    - removal of compilation unit only visible, but not used functions
    - fix for `throw()` specifier - used instead `BOTAN_NOEXCEPT`
    - removed not needed semicolons
* Remove "Dirty hack" for multiple defines in lex_me_harder()  [Simon Warta, 2017-04-02, 12 files, -12/+36]
* Avoid calling memmove with a null source in PKCSv1 signature encoding  [Jack Lloyd, 2017-03-03, 1 file, -1/+7]
    Only occurred with EMSA_Raw. Caught by GCC 7 warning
* fix possible iso9796 side channel and add length check  [Never, 2017-02-21, 1 file, -14/+26]
* ISO-9796-2 doxygen build fixes  [Daniel Neus, 2016-12-19, 1 file, -4/+4]
* Convert to using standard uintN_t integer types  [Jack Lloyd, 2016-12-18, 25 files, -216/+216]
    Renames a couple of functions for somewhat better name consistency, eg make_u32bit becomes make_uint32. The old typedefs remain for now since probably lots of application code uses them.
* Merge GH #759 Add ISO 9796-2 signature schemes  [Jack Lloyd, 2016-12-08, 4 files, -12/+414]
|\
| * ISO 9796: Change header guard format  [Never, 2016-12-06, 1 file, -2/+2]
| * Add ISO9796-2 Signature Schemes giving message recovery 2 and 3.  [Never, 2016-12-05, 4 files, -12/+414]
* | Fix off by one in PKCS #1 v1.5 decryption decoding  [Jack Lloyd, 2016-12-08, 1 file, -1/+1]
| |   When the code was changed in b8966d0f89e, the offset was not changed, so it would reject ciphertexts with exactly 8 bytes of random padding (the required minimum).
| |   Found by pkcs1 fuzzer which also had problems due to not having been updated at the same time.
| |   Add a test suite for decoding of PK decryption padding to cover the problem cases.
* | Avoid crash in PKCS1v1.5 unpadding if input len <= 2  [Jack Lloyd, 2016-12-08, 1 file, -0/+6]
| |   Don't think this can't happen outside of a fuzzer test
|/
* Simplify EMSA1 message recovery code  [Jack Lloyd, 2016-11-02, 1 file, -14/+12]
* Avoid timing channel in OAEP decoding (CVE-2016-8871)  [Juraj Somorovsky, 2016-10-26, 1 file, -7/+12]
* Fix PSSR  [Jack Lloyd, 2016-10-21, 1 file, -1/+1]
* Remove alias logic from SCAN_Name  [Jack Lloyd, 2016-10-21, 2 files, -30/+48]
    This required taking a global lock and doing a map lookup each time an algorithm was requested (and so many times during a TLS handshake).
* Remove Algo_Registry  [Jack Lloyd, 2016-10-21, 10 files, -105/+74]
    I repent my use of global constructors. I repent my use of global locks. Hopefully I will never touch this code again. :)
* Improve pk_pad doxygen [ci skip]  [René Korthaus, 2016-10-19, 6 files, -5/+13]
* Remove deprecated hashes MD2, HAS-160, and RIPEMD-128  [Jack Lloyd, 2016-09-02, 1 file, -17/+0]
* Merge GH #554 Add PKCS #1 v1.5 ID for SHA-512/256 signatures  [Jack Lloyd, 2016-07-27, 1 file, -0/+8]
|\
| * add SHA-512/256 PKCS#1 hash identifier  [Daniel Neus, 2016-07-25, 1 file, -0/+8]
* | eme / pubkey test improvements  [Daniel Neus, 2016-07-25, 2 files, -11/+13]
| |   - add test for EME::maximum_input_size()
| |   - additionally use maximum_input_size() before pad() in OAEP and PKCS1 (remove code duplication)
| |   - prevent C4800 MSVC warning
|/
* Merge GH #504 Add ECKCDSA  [Jack Lloyd, 2016-06-20, 8 files, -2/+46]
|\
| * Add ECKCDSA signature algorithm  [René Korthaus, 2016-06-14, 10 files, -2/+54]
* | remove all uses of EMSA1_BSI  [Daniel Neus, 2016-05-02, 1 file, -8/+0]
* | remove EMSA1_BSI (no longer recommended by BSI)  [Daniel Neus, 2016-04-30, 3 files, -69/+0]
|/
* Clean up PK decryption encoding.  [Jack Lloyd, 2016-03-20, 7 files, -36/+34]
    Previously RSA and ElGamal stripped off leading zeros which were then assumed by the padding decoders. Instead have them produce ciphertexts with leading zeros. Changes EME_Raw to strip leading zeros to match existing behavior.
* Add PK_Decryptor::decrypt_or_random  [Jack Lloyd, 2016-03-20, 8 files, -76/+59]
    Performs content checks on the value (expected length, expected bytes) and in constant time returns either the decrypted value or a random value.
* cppcheck fixes: Class 'X' has a constructor with 1 argument that is not explicit.  [Daniel Neus, 2016-03-05, 7 files, -7/+7]
* Add final attribute to many classes  [Jack Lloyd, 2016-01-10, 8 files, -9/+9]
    In some cases this can offer better optimization, via devirtualization. And it lets the user know the class is not intended for derivation. Some discussion in GH #402
* Mass-prefix member vars with m_  [René Korthaus, 2016-01-08, 6 files, -28/+28]
* Export mgf1_mask GH #380  [Jack Lloyd, 2015-12-25, 1 file, -3/+3]
* TLS improvements  [Jack Lloyd, 2015-10-25, 1 file, -2/+1]
    Use constant time operations when checking CBC padding in TLS decryption
    Fix a bug in decoding ClientHellos that prevented DTLS rehandshakes from working: on decode the session id and hello cookie would be swapped, causing confusion between client and server.
    Various changes in the service of finding the above DTLS bug that should have been done before now anyway - better control of handshake timeouts (via TLS::Policy), better reporting of handshake state in the case of an error, and finally expose the facility for per-message application callbacks.
* Make Montgomery reduction constant time.  [Jack Lloyd, 2015-10-24, 2 files, -16/+16]
    It was already close, but the carry loop would break early and selecting which value to copy out was indexed on the borrow bit. Have the carry loop run through, and add a const-time conditional copy operation and use that to copy the output.
    Convert ct_utils to CT namespace. Templatize the utils, which I was hesitant to do initially but is pretty useful when dealing with arbitrary word sizes.
    Remove the poison macros, replace with inline funcs which reads cleaner at the call site.