Unused outside of the test code and not really useful there either.
Header is internal so no API breakage.
Regression introduced in 007314c5
Found by OSS-Fuzz (bug id 11693)
Originally wrote it for div-by-word but that ends up requiring a dword
type which we don't always have. And uint8_t covers the most important
cases of n = 10 and n = 58 (whenever I get around to writing base58).
We could portably support up to div-by-uint32, but I don't think we need it.
Nicely for n = 10, this is actually faster than the variable time division.
It is stupid and slow (~50-100x slower than variable time version) but
still useful for protecting critical algorithms.
Not currently used, waiting for OSS-Fuzz to test it for a while before
we commit to it.
If one of the values had leading zero words, this could end up
calling bigint_sub with x_size < y_size.
OSS-Fuzz 11664 and 11656
Printing the output key makes it easier to find the offending test.
If reducing a negative number modulo a power of 2, an incorrect
result would be returned. This only affected the versions taking
a single word as the modulo.
Addition already has to handle negative numbers so make it do
double duty for subtraction.
Introduced in b13c0cc8590199d, it could only trigger if the block size
was more than 256 bytes. In that case an invalid padding could be accepted.
OSS-Fuzz 11608 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11608)
Avoid throwing base Botan::Exception type, as it is difficult to
determine what the error is in that case.
Add Exception::error_code and Exception::error_type which allows
(for error code) more information about the error and (for error type)
allows knowing the error type without requiring a sequence of catches.
See GH #1742
Prefer using wrappers in mem_utils for this.
Current exception is where memcpy is being used to convert between
two different types, since copy_mem requires input and output
pointers have the same type. There should be a new function to
handle conversion-via-memcpy operation.
Only the base provider uses blinding for RSA. So the test should
run exclusively for this provider. Also use base provider explicitly.
Also include <new> in mem_ops.cpp as apparently that header is
where bad_alloc is defined.
See #1726
This allows supporting SSE2, NEON and AltiVec in a single codebase,
so drop the NEON and SSE2 code.
This new impl avoids having to do shuffles with every round and so
is about 10% faster on Skylake.
Also, fix bugs in both baseline and AVX2 implementations when the
low counter overflowed. The SSE2 and NEON code were also buggy here.
This was trying to test for issue in #1723 but was incorrect.
In some cases (EAX, GCM, ChaCha20Poly1305) the mode does not
handle this. However previously it handled it incorrectly by producing
incorrect output. Instead reject it with an exception.
Add a test that, if the mode accepts an AD before the nonce, then it
must process the message correctly. This is similar to the existing
test that if the mode accepts an AD before the key is set it must
do the right thing with it.
Fix a bug (bad length field), new APIs, etc
The test suite was not hitting the 4x unrolled Blowfish added in
f7a8bd2780c
GH #1708
Add tests from NIST that demonstrate the problem, as well as OpenSSL
generated tests for all input sizes 16...128 bytes.
Fixes GH #1706
This allows things to mostly work out of the box (#1702), and
allows us to write Emscripten specific code where required.
GH #1702
Using the standard SM2 and P-256 curves, instead of the SM2 test curve,
for both SM3 and SHA-256 hashes. All values generated with GmSSL
The code was using the 1.0 API incorrectly and causing a leak.
https://github.com/riboseinc/rnp/issues/757
Closes GH #1557
Fixes #1695
From NIST CAVP, OpenSSL test data, and elsewhere
Several problems in CBC found by adding tests:
- If you set a key, then set a nonce, then set a new key,
you could encrypt without setting a new nonce.
- It was possible to call CBC finish without setting a nonce,
which would crash.
- If you had a CBC decryption object, set a key, set a nonce, then
reset message state, it should throw because no nonce is set.
Instead it would carry on using an all-zero nonce.
Disable CommonCrypto with PKCS7 padding as it seems to have some
problem that I cannot figure out from the build logs.
This work sponsored by Ribose Inc
If a function returning variable length output was called with a
null output buffer but a non-zero output buffer length, FFI layer
would call memset(nullptr, 0, buffer_len) and crash.
Caught by Coverity.