| Commit message | Author | Age | Files | Lines |
--module-policy bsi
Adds support for probabilistic, aka the standard, DSA and ECDSA.
Can be enabled by disabling the rfc6979 module.
Includes test vectors from NIST CAVP.
Adds rfc6979 to the list of prohibited modules in BSI policy.
Using a struct here seems cleaner
GCM is defined as having a 32-bit counter, but CTR_BE incremented the
counter across the entire block. This caused incorrect results if
a very large message (2**39 bits) was processed, or if the GHASH
derived nonce ended up having a counter field near to 2**32.
Thanks to Juraj Somorovsky for the bug report and repro.
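The counter behaviour described in that commit, as an added illustration (not Botan's code): GCM's inc32 advances only the low 32 bits of the counter block and leaves the upper 96 bits alone, whereas a whole-block big-endian increment (what a generic CTR_BE does) lets the carry spill into the upper bits. The two only differ once the counter field wraps, which is why the bug needed either a 2**39-bit message (with a 96-bit IV the counter starts at 1) or a GHASH-derived J0 whose low 32 bits already sit near 2**32. The counter blocks below are constructed; the AES encryption of each block is omitted because the keystream differs exactly where the counter blocks differ.

```python
from typing import Callable, List, Optional

MASK32 = 0xFFFFFFFF


def inc32(block: bytes) -> bytes:
    """GCM's counter step (NIST SP 800-38D, inc32): only the rightmost
    32 bits advance, modulo 2**32; the leftmost 96 bits never change."""
    if len(block) != 16:
        raise ValueError("counter block must be 16 bytes")
    ctr = (int.from_bytes(block[12:], "big") + 1) & MASK32
    return block[:12] + ctr.to_bytes(4, "big")


def inc128(block: bytes) -> bytes:
    """Whole-block big-endian increment (generic CTR_BE behaviour): a carry
    out of the low 32 bits spills into the upper 96 bits."""
    if len(block) != 16:
        raise ValueError("counter block must be 16 bytes")
    n = (int.from_bytes(block, "big") + 1) & ((1 << 128) - 1)
    return n.to_bytes(16, "big")


def counter_blocks(j0: bytes, n_blocks: int,
                   step: Callable[[bytes], bytes]) -> List[bytes]:
    """Counter blocks for the first n_blocks of data. J0 itself is reserved
    for the tag, so the first data block is encrypted under step(J0)."""
    out = []
    cb = j0
    for _ in range(n_blocks):
        cb = step(cb)
        out.append(cb)
    return out


def first_divergence(j0: bytes, max_blocks: int) -> Optional[int]:
    """0-based index of the first data block whose keystream would differ
    between inc32 and inc128 within max_blocks, or None if they agree."""
    pairs = zip(counter_blocks(j0, max_blocks, inc32),
                counter_blocks(j0, max_blocks, inc128))
    for i, (a, b) in enumerate(pairs):
        if a != b:
            return i
    return None


def divergence_index(j0: bytes) -> int:
    """Closed form of first_divergence: the (2**32 - ctr0)-th increment
    carries out of the 32-bit field, so the schemes first differ at 0-based
    block 2**32 - ctr0 - 1, where ctr0 is J0's initial 32-bit counter."""
    ctr0 = int.from_bytes(j0[12:], "big")
    return (1 << 32) - ctr0 - 1


def j0_from_96bit_iv(iv: bytes) -> bytes:
    """J0 for the common 96-bit IV case: IV || 0x00000001 (no GHASH)."""
    if len(iv) != 12:
        raise ValueError("expected a 96-bit IV")
    return iv + b"\x00\x00\x00\x01"


if __name__ == "__main__":
    # Constructed J0 whose counter field is two steps from wrapping.
    near_wrap = b"\x00" * 12 + b"\xff\xff\xff\xfe"
    print("near-wrap J0 diverges at block", first_divergence(near_wrap, 4))
    std = j0_from_96bit_iv(b"\x01" * 12)
    print("96-bit IV diverges after", divergence_index(std) * 128, "bits")
```

With a 96-bit IV the closed form gives 2**32 - 2 blocks, i.e. just under 2**39 bits of plaintext before the two schemes disagree; with a GHASH-derived J0 the starting counter is effectively random, so the divergence can come arbitrarily early.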
With sufficient squinting, Transform provided an abstract base
interface that covered both cipher modes and compression algorithms.
However it mapped on neither of them particularly well. In addition
this API had the same problem that has made me dislike the Pipe/Filter
API: given a Transform&, what does it do when you put bits in? Maybe
it encrypts. Maybe it compresses. It's a floor wax and a dessert topping!
Currently the Cipher_Mode interface is left mostly unchanged, with the
APIs previously on Transform just moved down the type hierarchy. I
think there are some definite improvements possible here, wrt handling
of in-place encryption, but left for a later commit.
The compression API is split into two types, Compression_Algorithm and
Decompression_Algorithm. Compression_Algorithm's start() call takes
the compression level, allowing varying compressions with a single
object. And flushing the compression state is moved to a bool param on
`Compression_Algorithm::update`. All the nonsense WRT compression
algorithms having zero length nonces, input granularity rules, etc.
as a result of using the Transform interface goes away.
Cast std::streamsize to size_t since MSVC is worried gcount() might
return a negative number.
The entropy callbacks took the entropy estimate as a size_t instead of
a double, which causes some verbose warnings due to the conversion.
If the input lengths are exact multiples of 16 bytes then no padding
should be added. Previously 16 bytes of zero padding were added instead.
Previously RSA and ElGamal stripped off leading zeros which were then
assumed by the padding decoders. Instead have them produce ciphertexts
with leading zeros. Changes EME_Raw to strip leading zeros to match
existing behavior.
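Why the leading zeros matter, as an added illustration rather than Botan's own code: a PKCS#1 v1.5 decoder expects an encoded message of exactly the modulus length starting with 0x00 0x02. If the RSA primitive hands back the minimal big-endian encoding of the integer instead, that leading 0x00 is gone, the block is one byte short, and a strict decoder rejects a perfectly valid ciphertext. The fixed-length `i2osp`, the minimal `i2osp_minimal`, the `eme_pkcs1v15_unpad` decoder and the zero-stripping `eme_raw_unpad` below are all constructed for this example; the encoded message is likewise constructed (a real PS would be random nonzero bytes).

```python
from typing import Optional


def i2osp(x: int, k: int) -> bytes:
    """Fixed-length big-endian encoding: always k octets, leading zeros kept.
    This is what the commit makes RSA/ElGamal produce."""
    if x < 0 or x >= 256 ** k:
        raise ValueError("integer does not fit in k octets")
    return x.to_bytes(k, "big")


def i2osp_minimal(x: int) -> bytes:
    """Minimal encoding with leading zero octets stripped (the pre-fix
    behaviour the padding decoders silently depended on)."""
    return x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")


def eme_pkcs1v15_unpad(em: bytes, k: int) -> Optional[bytes]:
    """PKCS#1 v1.5 type 2 decoding of EM = 0x00 || 0x02 || PS || 0x00 || M.
    Returns M, or None on any format violation. (Constant-time behaviour,
    which a real decoder needs against Bleichenbacher-style oracles, is
    deliberately out of scope here.)"""
    if len(em) != k or em[0] != 0x00 or em[1] != 0x02:
        return None
    sep = em.find(b"\x00", 2)
    if sep < 0:
        return None
    if sep - 2 < 8:          # PS must be at least 8 octets
        return None
    return em[sep + 1:]


def eme_raw_unpad(em: bytes) -> bytes:
    """EME_Raw after the commit: strip leading zeros so that callers see the
    same bytes they did when the primitive itself stripped them."""
    return em.lstrip(b"\x00")


def demo() -> dict:
    """Same integer, two encodings, opposite decoder outcomes."""
    k = 16
    ps = bytes(range(1, 12))                     # 11 nonzero octets, constructed
    em = b"\x00\x02" + ps + b"\x00" + b"hi"     # 2 + 11 + 1 + 2 == 16
    x = int.from_bytes(em, "big")               # the "decrypted" integer m
    return {
        "fixed": eme_pkcs1v15_unpad(i2osp(x, k), k),
        "minimal": eme_pkcs1v15_unpad(i2osp_minimal(x), k),
        "raw": eme_raw_unpad(i2osp(x, k)),
    }


if __name__ == "__main__":
    print(demo())
```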
Avoids the test vector contortions in RSA-KEM
Could attempt to allocate (size_t)-1 words with predictably bad_alloc
results.
A module policy is a file specifying three types of modules: ones which
are required, ones which are prohibited, and ones which should be used
if otherwise available (this is mostly for platform specific modules).
Finally there are whatever modules which exist in the library of which
the policy makes no mention. These will be included if an explicit
dependency of some other module pulls them in (so there is no reason
to mention base, utils, ... in the file) but skipped otherwise.
For example, policy 'sane' does not mention 'utils' or 'twofish' either
way, since utils is a dependency of other modules which are included,
but Twofish is not. However, unlike an explicitly prohibited module, a
module not mentioned can still be requested as part of the build (here with
--enable-module=twofish).
Also fixes some test bugs noticed by compiling in different build
configs. DLIES test didn't check that the KDF and MAC existed. Adds a
typedef for MessageAuthenticationCode because typing it twice in a
single line in the DLIES test made me think it's way too long. :) Also
fix some fuzzer build problems. Due to a copy and paste bug the PKCS
certificate (it was not).
Inspired by GH #439
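The selection rule that commit describes, written out as an added example (not Botan's configure script, and not its policy file syntax): required modules are always in, prohibited ones are never in, if-available ones are in when the library has them, and an unmentioned module enters the build only by being a dependency of something already selected, or by an explicit enable request. The module names and dependency graph below are constructed for the example and do not reflect Botan's real module list; the policy is a plain dict standing in for the policy file.

```python
from typing import Dict, Iterable, List, Set

# Constructed dependency graph: module -> the modules it needs.
# Illustrative names only, not Botan's actual modules or dependencies.
MODULES: Dict[str, Set[str]] = {
    "base": set(),
    "utils": {"base"},
    "block": {"base"},
    "aes": {"block", "utils"},
    "twofish": {"block", "utils"},
    "sha2_32": {"base"},
    "gcm": {"aes"},
    "rfc6979": {"sha2_32"},
    "ecdsa": {"rfc6979"},   # constructed: this ecdsa needs rfc6979
}

# Constructed policy in the spirit of the commit: rfc6979 forbidden.
POLICY: Dict[str, List[str]] = {
    "required": ["gcm"],
    "prohibited": ["rfc6979"],
    "if_available": ["sha2_32", "some_platform_module"],  # latter absent
}


def resolve(policy: Dict[str, List[str]], modules: Dict[str, Set[str]],
            enable: Iterable[str] = ()) -> Set[str]:
    """Return the set of modules to build, or raise ValueError on conflict."""
    required = set(policy.get("required", []))
    prohibited = set(policy.get("prohibited", []))
    if_available = set(policy.get("if_available", []))

    missing = required - modules.keys()
    if missing:
        raise ValueError(f"required modules not present: {sorted(missing)}")

    selected = set(required)
    # "if available": silently skipped when the library lacks them.
    selected |= {m for m in if_available if m in modules}

    # Explicit --enable-module requests: fine for unmentioned modules,
    # rejected outright for prohibited ones.
    for m in enable:
        if m not in modules:
            raise ValueError(f"unknown module requested: {m}")
        if m in prohibited:
            raise ValueError(f"{m} is prohibited by policy")
        selected.add(m)

    # Transitive dependency closure: the only way an unmentioned module
    # gets in without being requested.
    todo = list(selected)
    while todo:
        m = todo.pop()
        for dep in modules[m]:
            if dep not in modules:
                raise ValueError(f"{m} depends on unknown module {dep}")
            if dep not in selected:
                selected.add(dep)
                todo.append(dep)

    pulled_in = selected & prohibited
    if pulled_in:
        raise ValueError(f"prohibited module(s) required by the selection: "
                         f"{sorted(pulled_in)}")
    return selected


def policy_rejects(policy: Dict[str, List[str]], modules: Dict[str, Set[str]],
                   enable: Iterable[str] = ()) -> bool:
    """True when the policy/module combination cannot be satisfied."""
    try:
        resolve(policy, modules, enable)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(sorted(resolve(POLICY, MODULES)))
    print(sorted(resolve(POLICY, MODULES, enable=["twofish"])))
    print(policy_rejects(POLICY, MODULES, enable=["rfc6979"]))
```

Two consequences worth noticing: a requirement that transitively needs a prohibited module is a policy conflict and fails the build rather than quietly re-admitting the module, and the if-available entry that the library lacks is dropped without error, which is the behaviour wanted for platform-specific modules.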
explicit.
Feels kind of nasty, but it sucks more to have CI builds break because
of random failures.
The result of fuzzing with AFL for a while, then running cmin on the
result.
Also adds a (not const time) implementation of almost Montgomery reduction.
Removes a fair number of the power mod test cases for size and test time.
Would be better to add a randomized or fuzzer-based test. Otherwise no
change.
Not optimized and relies on asm support for const time word_add/word_sub
instructions.
Fix a bug introduced in 46e9a89 - unpoison needs to call the valgrind
API with the pointer rather than the reference. Caused values not to
be unpoisoned.
Unlikely to fail in this case but anything's possible.
Found by Coverity
Would be better to iterate over all of the key types for this type of
coverage.
Avoids Coverity dead code warning on the error-case throw.
Some tests only deallocated in the branch where some other test
on the object succeeded.
The ECDH FFI test didn't deallocate any of its objects, which was
missed by valgrind before now because the test was not being run.
Found by Coverity scanner
value. asn1_time.cpp 159
inside the body of a loop. test_compression.cpp 78
The check on each individual size in curve_mul is too strict since
we rely on redc(x*1) during the on-the-curve computation.
Fix an off by one in ressol which caused it to occasionally reject
valid values.
Updating version 1.11.28 since existing 1.11.27 tag already pushed :(
Fix an off-by-one in ressol which would cause it to occasionally
give up too early.
If affine coordinates larger than the prime modulus were given,
a later multiplication could overflow the size of an allocated
output buffer, which was sized based on the size of the prime.
This will cause an overflow into either the system heap or if the
mlock/mmap pool allocator is in use, then into the adjacent key
material stored in the pool.
Reported by Alex Gaynor who found it with AFL
Also fix a one word overwrite in P-521 reduction. Found with AFL
It first computed the first i for q**(2**i) == 1, then checked that i
was smaller than s. Given a composite modulus (for which the algorithm
does not work), the loop might do a very large amount of work before
returning the failure.
GH #369
found by gcc with -Wsuggest-override
fix PVS-Studio performance warnings