Commit message
And allow registering one-off functions as tests
Refactor areas where data was being shared
Needed for #1819 and unfortunately Windows does not allow thread local
data to be stored as a member of a DLL exported class. So hide it
behind an accessor function instead.
This slows down CPUID test somewhat and I would like to address that
but it seems hard without breaking the CPUID API, which is for better
or worse public.
Simplify the PKCS11 tests slightly, no real reason for PKCS11_Test here
Both about 33% faster on Skylake
No real bugs, but pointed out some odd constructs and duplicated logic
It occasionally fails on AppVeyor, probably due to QueryPerformanceCounter
using something other than the hardware cycle counter because <reasons>.
This is sometimes useful when debugging
Using phrase "timestamp" makes it sound like it has some relation
to wall clock which it does not.
Only used in one place, where const time doesn't matter, but can't hurt.
Remove low_bit, can be replaced by ctz.
The decoding leaked some information about the delimiter index
due to copying only exactly input_len - delim_idx bytes. I can't
articulate a specific attack that would work here, but it is easy
enough to fix this to run in const time instead, where all bytes
are accessed regardless of the length of the padding.
CT::copy_out is O(n^2) and thus terrible, but in practice it is only
used with RSA decryption, and multiplication is also O(n^2) with the
modulus size, so a few extra cycles here doesn't matter much.
It was only needed for one case which is easily hardcoded. Include
rotate.h in all the source files that actually use rotr/rotl but
implicitly picked it up via loadstor.h -> bswap.h -> rotate.h include
chain.
Add tests for is_power_of_2
See http://www.secg.org/sec1-v2.pdf section 4.1.6
Closes #664
I'm not sure this test is that useful, which is not itself a big problem,
but it is also flaky and occasionally fails, which is no good.
Unused outside of the test code and not really useful there either.
Header is internal so no API breakage.
Regression introduced in 007314c5
Found by OSS-Fuzz (bug id 11693)
Originally wrote it for div-by-word but that ends up requiring a dword
type which we don't always have. And uint8_t covers the most important
cases of n = 10 and n = 58 (whenever I get around to writing base58).
We could portably support up to div-by-uint32, but I don't think we need it.
Nicely for n = 10, this is actually faster than the variable time division.
It is stupid and slow (~50-100x slower than variable time version) but
still useful for protecting critical algorithms.
Not currently used, waiting for OSS-Fuzz to test it for a while before
we commit to it.
If one of the values had leading zero words, this could end up
calling bigint_sub with x_size < y_size.
OSS-Fuzz 11664 and 11656
Printing the output key makes it easier to find the offending test.
If reducing a negative number modulo a power of 2, an incorrect
result would be returned. This only affected the versions taking
a single word as the modulo.
Addition already has to handle negative numbers so make it do
double duty for subtraction.
Introduced in b13c0cc8590199d, it could only trigger if the block size
was more than 256 bytes. In that case an invalid padding could be accepted.
OSS-Fuzz 11608 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11608)
Avoid throwing base Botan::Exception type, as it is difficult to
determine what the error is in that case.
Add Exception::error_code and Exception::error_type which allows
(for error code) more information about the error and (for error type)
allows knowing the error type without requiring a sequence of catches.
See GH #1742
Prefer using wrappers in mem_utils for this.
Current exception is where memcpy is being used to convert between
two different types, since copy_mem requires input and output
pointers have the same type. There should be a new function to
handle conversion-via-memcpy operation.
Only the base provider uses blinding for RSA. So the test should
run exclusively for this provider. Also use base provider explicitly.
Also include <new> in mem_ops.cpp as apparently that header is
where bad_alloc is defined.
See #1726
This allows supporting SSE2, NEON and AltiVec in a single codebase,
so drop the NEON and SSE2 code.
This new impl avoids having to do shuffles with every round and so
is about 10% faster on Skylake.
Also, fix bugs in both baseline and AVX2 implementations when the
low counter overflowed. The SSE2 and NEON code were also buggy here.