A set of carefully generated invalid signatures which are sometimes
accepted by implementations due to bugs in padding verification.
Remove test files for CVC as well as various tests which have
subsequently been rewritten.
All 76 of the NIST certificate tests use the same root certificate
and that issuer has an identical CRL for each test.
So, just have the one copy.
Add a long list of 'false' primes from Google's Wycheproof tests:
https://github.com/google/wycheproof/blob/master/java/com/google/security/wycheproof/testcases/BigIntegerTest.java
Split vector file format into Prime and NonPrime sections for easier reading.
GH #754 exposed a bug in the non-Montgomery exponentiation case.
It turned out that when the fixed window was picked to any value
> 1, the result would be incorrect due to an off-by-one. This is
the one-line fix in powm_fw.cpp.
Also fix a bug in bigint_mul which caused incorrect results,
because the output BigInt was not being zeroed out before use. This
is only exposed in rare cases, found (somewhat indirectly) in
OSS-Fuzz #287.
Add more modular exponentiation tests, which would have caught
these issues earlier.
When the code was changed in b8966d0f89e, the offset was not changed,
so it would reject ciphertexts with exactly 8 bytes of random padding
(the required minimum).
Found by pkcs1 fuzzer which also had problems due to not having been
updated at the same time.
Add a test suite for decoding of PK decryption padding to cover the
problem cases.
Two part commit with d44c00a as otherwise git assumes that ecb.vec
was renamed xtea.vec, because the imported vectors swamped the ones
that were previously being used in the bare block cipher tests.
Not a good thing to offer at this level. If you know what you
are doing for the strange special case where it is necessary,
the raw BlockCipher interface is available and probably more
convenient.
AEAD::output_length)
Fix a bug in CCM, GCM, and OCB decryption which caused `output_length(tag_size())`
to fail even though empty plaintexts are certainly defined for all three modes.
|
|\ \
| | |
| | |
| | |
| | |
| | | |
Splits up path validation into several sub-functions for easier testing
and creating customized validation code. Much improved OCSP handling
and OCSP tests.
Tests touching network are gated by --run-online-tests flag.
Nothing much but better than nothing.
Also add a useful arg check to OCSP::Request constructor.
[ci skip]
- Enables code for SHAKE support
- Creating a SHAKE hash function by name now allows selecting an output size
of 256 bit for SHAKE128 and 512 bit for SHAKE256.
- Adds *self-generated*, unverified test vectors for XMSS/SHAKE.
Expected results are just what it generated on my machine.
This required fixing some test vectors that previously
omitted the MAC, defaulting to HMAC, that used the SHA-1
alias to SHA-160, and fixing X942_PRF::name().
ESP padding is one of the recommended padding
methods from BSI-TR-02102-1.
Adds the full HKDF as class HKDF, renames the existing HKDF,
which only implemented the expansion step, to HKDF_Expand
and adds the extraction step as HKDF_Extract.
The latter two are usually only used separately in
protocols such as TLS. A normal user would go for the
full HKDF.
This prevents the test suite from globbing all the XMSS tests
together under "XMSS/Raw"; since XMSS ignores the padding anyway,
pretend the param string is the padding which causes the normal
logic in the signature test code to do the right thing.
[1] XMSS: Extended Hash-Based Signatures,
draft-irtf-cfrg-xmss-hash-based-signatures-06
Release: July 2016.
https://datatracker.ietf.org/doc/draft-irtf-cfrg-xmss-hash-based-signatures/?include_text=1
Provides XMSS_PublicKey and XMSS_PrivateKey classes as well as implementations
for the Botan interfaces PK_Ops::Signature and PK_Ops::Verification. XMSS has
been integrated into the Botan test bench; signature generation and verification
can be tested independently by invoking "botan-test xmss_sign" and
"botan-test xmss_verify".
- Some headers that are not required to be exposed to users of the library have
to be declared as public in `info.txt`. Declaring those headers private will
cause the amalgamation build to fail. The following headers have been
declared public inside `info.txt`, even though they are only intended for
internal use:
  * atomic.h
  * xmss_hash.h
  * xmss_index_registry.h
  * xmss_address.h
  * xmss_common_ops.h
  * xmss_tools.h
  * xmss_wots_parameters.h
  * xmss_wots_privatekey.h
  * xmss_wots_publickey.h
- XMSS_Verification_Operation requires the "randomness" parameter out of the
XMSS signature. "Randomness" is part of the prefix that is hashed *before*
the message. Since the signature is unknown till sign() is called, all
message content has to be buffered. For large messages this can be
inconvenient or impossible.
**Possible solution**: Change the PK_Ops::Verification interface to take
the signature as a constructor argument, and provide a setter method to be able
to update and reuse the instance on multiple signatures. Make sign a parameterless
member call. This solution requires interface changes in Botan.
**Suggested workaround** for signing large messages is to not sign the message
itself, but to precompute the message hash manually using Botan::HashFunctio
and sign the message hash instead of the message itself.
- Some of the available test vectors for the XMSS signature verification have
been commented out in order to reduce testbench runtime.
Vectors here are just whatever we spit out, but I can't find any
GOST vectors using the 'A' param set. Anyway, at least with this,
we are testing to have consistent behavior across platforms.
Limited to 1024 bit params by default to keep runtimes reasonable,
but test vectors for all sizes from FIPS 186-3 do pass.
GH #681
Change AutoSeeded_RNG to use SHA-384, SHA-256, SHA-3(256), or SHA-1,
whichever is available (in that order).
- Added GMAC class
- Integrated GMAC into the MAC class test bench. Run GMAC tests using
`./botan-test mac`
We were not previously hitting the 4 way unrolled loop in AES-NI in tests
Updates NewHope to use that instead of the hard-coded SHAKE-128,
and adds toggle for BoringSSL compat mode using AES-128/CTR + SHA-256.
Kind of a copy and paste of Keccak, but only a single copy of the
permutation at least. Keccak depends on SHA-3 instead of the reverse,
so that SHA-3 can be enabled without also bringing in an unapproved
hash function.
Updates newhope code and removes API function newhope_hash which was
an unofficial SHA-3-256.
TLS message parsing:
- CertificateVerify
- HelloVerify
- ClientHello (with extensions)
- ServerHello (with extensions)
- NewSessionTicket
- Alert
TLS message processing:
- HelloVerify
TLS Policy tests
Unit tests with TLS client authentication
Added test_throws method that checks the correct exception message.
When adding these to the .vec file, some unnecessary spaces were included.