botan.git - Unnamed repository; edit this file 'description' to name the repository.

	Commit message (Collapse)	Author	Age	Files	Lines
*	Don't reject TLS packets with zero plaintext bytes	Jack Lloyd	2016-04-15	1	-0/+6
\| \| \| \| \| \| \| \|	OpenSSL sends an empty record before each new data record in TLS v1.0 to randomize the IV, as a countermeasure to the BEAST attack. Most implementations use 1/(n-1) splitting for this instead. Bug introduced with the const time changes in 1.11.23
*	Clean up PK decryption encoding.	Jack Lloyd	2016-03-20	1	-5/+9
\| \| \| \| \| \| \|	Previously RSA and ElGamal stripped off leading zeros which were then assumed by the padding decoders. Instead have them produce ciphertexts with leading zeros. Changes EME_Raw to strip leading zeros to match existing behavior.
*	Add PK_Decryptor::decrypt_or_random	Jack Lloyd	2016-03-20	1	-2/+24
\| \| \| \| \|	Performs content checks on the value (expected length, expected bytes) and in constant time returns either the decrypted value or a random value.
*	Add constant time conditional swap, add, sub for bigint words	Jack Lloyd	2016-02-17	1	-1/+1
\| \| \| \| \| \| \| \| \|	Not optimized and relies on asm support for const time word_add/word_sub instructions. Fix a bug introduced in 46e9a89 - unpoison needs to call the valgrind API with the pointer rather than the reference. Caused values not to be unpoisoned.
*	Avoid Coverity false positive	Jack Lloyd	2016-02-09	1	-1/+5
\| \| \| \| \| \| \| \|	It assumes unpoison is expecting a pointer to T and sizeof(T), but the sizeof is evaluated in unpoison but only in the case of building with valgrind. Just call the valgrind API again directly
*	Use valgrind's memcheck API for checking const time annotations	Jack Lloyd	2016-01-03	1	-14/+27
\| \| \| \| \| \| \|	Has the same effect as using ctgrind, but without requiring a custom-compiled valgrind binary. Add ct checking annotations to the SSSE3 AES code.
*	Missing include dependency	Jack Lloyd	2015-10-26	1	-1/+1
\|
*	Asan fix - referencing &vec[vec.size()] instead of vec.end()	Jack Lloyd	2015-10-26	1	-0/+16
\| \| \| \|	Convert to a const time algo
*	TLS improvements	Jack Lloyd	2015-10-25	1	-0/+36
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	Use constant time operations when checking CBC padding in TLS decryption Fix a bug in decoding ClientHellos that prevented DTLS rehandshakes from working: on decode the session id and hello cookie would be swapped, causing confusion between client and server. Various changes in the service of finding the above DTLS bug that should have been done before now anyway - better control of handshake timeouts (via TLS::Policy), better reporting of handshake state in the case of an error, and finally expose the facility for per-message application callbacks.
*	Make Montgomery reduction constant time.	Jack Lloyd	2015-10-24	1	-71/+48
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	It was already close, but the carry loop would break early and selecting which value to copy out was indexed on the borrow bit. Have the carry loop run through, and add a const-time conditional copy operation and use that to copy the output. Convert ct_utils to CT namespace. Templatize the utils, which I was hesitant to do initially but is pretty useful when dealing with arbitrary word sizes. Remove the poison macros, replace with inline funcs which reads cleaner at the call site.
*	Cleanups in ct and oaep	Jack Lloyd	2015-10-17	1	-87/+12
\| \| \| \|	In OAEP expand the const time block to cover MGF1 also
*	Make PKCS #1 and OAEP decoding constant time to avoid oracle attacks	Jack Lloyd	2015-10-16	1	-0/+207
	via timing channels. Add annotations for checking constant-time code using ctgrind to PKCS #1 and OAEP, as well as IDEA and Curve25519 which were already written as constant time code.