| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |\ |
|
| | | |
|
| |/ |
|
| | |
|
| |
|
|
|
| |
If the input lengths are exact multiples of 16 bytes then no padding
should be added. Previously 16 bytes of zero padding were added instead.
|
| |
|
|
| |
Avoids the test vector contortions in RSA-KEM
|
| |\ |
|
| | | |
|
| | | |
|
| |/
|
|
|
| |
Could attempt to allocate (size_t)-1 words with predicably bad_alloc
results.
|
| |
|
|
|
| |
The result of fuzzing with AFL for a while, then running cmin on the
result.
|
| | |
|
| |
|
|
|
|
| |
Removes a fair number of the power mod test cases for size and test time.
Would be better to add a randomized or fuzzer-based test. Otherwise no
change.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The check on each individual size in curve_mul is too strict since
we rely on redc(x*1) during the on the curve computation.
Fix an off by one in ressol which caused it to occasionally reject
valid values.
Updating version 1.11.28 since existing 1.11.27 tag already pushed :(
Fix an off-by-one in ressol which would cause it to occasionly
give up too early.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
If affine coordinates larger than the prime modulus were given,
a later multiplication could overflow the size of an allocated
output buffer, which was sized based on the size of the prime.
This will cause an overflow into either the system heap or if the
mlock/mmap pool allocator is in use, then into the adjacent key
material stored in the pool.
Reported by Alex Gaynor who found it with AFL
Also fix a one word overwrite in P-521 reduction. Found with AFL
|
| |
|
|
|
|
|
| |
It first computed the first i for q**(2**i) == 1, then checked that i
was smaller than s. Given a composite modulus (for which the algorithm
does not work), the loop might do a very large amount of work before
returning the failure.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Expose provider param in PK_Key_Agreement API
Handle multiple providers in key agreement tests
Fix some funky formatting of P-521 EC points in ecdh.vec which was
being rejected by OpenSSL; for whatever reason the CAVS file had
the affine coords with far more leading zeros than necessary.
|
| | |
|
| |
|
|
| |
Only has vectors for NIST curves (data taken from NIST CAVS file)
|
| |
|
|
|
|
| |
There was a special case for small scalars which managed to forget
that the integer 3 also fits into two bits. Found by adding a new set
of ECC point mul tests for the NIST curves.
|
| |
|
|
|
|
| |
Convert McEliece KEM to use it
Add RSA-KEM
|
| |
|
|
| |
file
|
| |
|
|
|
|
|
|
| |
This adds tests for key length 192 and 256. Test vector source:
http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm
/gcm-spec.pdf
Closes: #344
|
| |
|
|
|
|
|
|
|
|
|
| |
The tests previously had used 4 to 6 different schemes internally (the vec file
reader framework, Catch, the old InSiTo Boost.Test tests, the PK/BigInt tests
which escaped the rewrite in 1.11.7, plus a number of one-offs). Converge on a
design that works everywhere, and update all the things.
Fix also a few bugs found by the test changes: SHA-512-256 name incorrect,
OpenSSL RC4 name incorrect, signature of FFI function botan_pubkey_destroy
was wrong.
|
| |
|
|
|
|
| |
These will need to be regen'ed with corrected values.
Fix for minimized builds.
|
| |
|
|
| |
Add test suite with certs from x509test
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove and consolidate various headers
Reduce memory usage of GF2m_Field by sharing the log and exponent
tables across all instances of a particular word size.
Remove McEliece_Public_Operation and McEliece_Private_Operation which
were difficult to use safely. Instead only the KEM operations are exposed.
Add McEliece_PublicKey::random_plaintext_element
Add command line `mce` tool and some McEliece documentation
Convert the speed program to check McEliece keys of the suggested size
Add McEliece KATs for both key generation and KEM
Fix HMAC_DRBG constructor which derefed a pointer before its time
|
| |
|
|
|
| |
One a read at 0 of an empty vector, the other causing allocation of an
arbitrary amount of memory.
|
| | |
|
| | |
|
| |
|
|
| |
higher level functions on interface handling returning a vector.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
ctypes Python wrapper that uses it. The API is intentionally designed
to have a very simple ABI (extern "C", all structs are opaque, no
memory ownership passing the FFI boundary, limited set of simple types
as args) so the ctypes wrapper is quite simple.
Currently ffi provides ciphers, hashes, MACs, RNGs, PBKDF, KDF,
bcrypt, and most public key operations.
Remove the old boost.python wrapper and all the build code for it.
|
| | |
|
| | |
|
| |
|
|
|
| |
Define some new functions for copying out arrays of words and use them
across hashes.
|
| | |
|
| |
|
|
|
| |
which we distinguish by the nonce size (always 64 bits in this format,
always 96 bits in the CFRG document).
|
| |
|
|
| |
draft-irtf-cfrg-chacha20-poly1305-03
|
| | |
|
| |
|
|
| |
draft-irtf-cfrg-chacha20-poly1305-03
|
| |
|
|
|
|
| |
This uses only the c64 version from curve25519-donna; on systems that
don't have a native uint128_t type, a donna128 type stands in for just
enough 128-bit operations to satisfy donna.cpp
|
| |
|
|
|
| |
Drop the GNU MP engine. Its implementations were potentially faster in
some scenarios but not well protected against side channels.
|
| | |
|
| | |
|
| |
|
|
| |
http://crypto.stackexchange.com/questions/784
|
| | |
|
| | |
|
| | |
|
