path: root/src/regress/lib/libcrypto
Commit message | Author | Age | Files | Lines
* assembly regress: use make's MACHINE_ARCH rather than handrolling it | tb | 2026-01-25 | 1 | -4/+3
  discussed with jsing
* Fix tyo | jsing | 2026-01-25 | 1 | -2/+2
* Hook assembly regress | jsing | 2026-01-25 | 1 | -1/+2
* Add a regress test that ensures our pure assembly code builds with gcc | jsing | 2026-01-25 | 1 | -0/+36
  This requires egcc to be installed, if not we'll just skip the test.
  Discussed with tb@
* unusally -> unusually | tb | 2026-01-23 | 3 | -30/+30
* bn_ffdh: unifdef HAVE_SCAPY_SPECIAL | tb | 2026-01-23 | 1 | -7/+1
* bn_ffdh: unifdef HAVE_RFC7919_PRIMES | tb | 2026-01-23 | 1 | -8/+1
* bn regress: add test that double checks the RFC 2409 and 3526 primes | tb | 2026-01-23 | 2 | -1/+505
  Also has code to check the RFC 7919 primes and run DH_check() once that knows about these.
* wycheproof regress: wycheproof-testvectors was renamed to wycheproof | tb | 2026-01-22 | 1 | -2/+2
  Installed packages will update and pkg_add wycheproof-testvectors will continue to work.
* policy test: parital -> partial | tb | 2026-01-22 | 1 | -2/+2
* ML-KEM: unstub runMLKEMKeyGenTest() | tb | 2026-01-22 | 1 | -1/+50
  This adds coverage for MLKEM_private_key_from_seed(), which was previously only minimally tested from our regress.
* ML-KEM: improve the EncapsTest | tb | 2026-01-22 | 1 | -4/+46
  New testvectors want some more detailed handling, which brings these Wycheproof encapsulation tests about on par with our existing tests.
* ML-KEM: add handler stub for the new KeyGenTest | tb | 2026-01-22 | 1 | -1/+7
* ML_KEM: fix broken test: the encapsulated key is eK, not C... | tb | 2026-01-22 | 1 | -2/+2
* ML-KEM: don't treat API failure as test failure for invalid test cases | tb | 2026-01-22 | 1 | -5/+11
  An update to the test vectors adds tests which verify that the API correctly rejects some inputs.
* unusally -> unusually | tb | 2026-01-04 | 1 | -10/+10
* i2c_ASN1_BIT_STRING() vs ASN1_STRING_FLAG_BITS_LEFT | tb | 2026-01-04 | 1 | -3/+1
  A nasty quirk in the bit string handling is that the serialization produced by i2d_ASN1_BIT_STRING() depends on whether the magic ASN1_STRING_FLAG_BITS_LEFT is set.

  If ASN1_STRING_FLAG_BITS_LEFT is set, the number of unused bits is carried in a->flags & 0x07 and the remainder of the bit string is in a->data. This is terrible and undocumented but handled correctly.

  If ASN1_STRING_FLAG_BITS_LEFT is not set, all trailing zero bits are (intended to be) chopped off with all sorts of hilarious side effects. I broke this quite thoroughly when I incorrectly ported an overflow check from BoringSSL in:

  https://github.com/openbsd/src/commit/f81cc285d2aed8b36615119a306533696f3eb66c

  The result is that we currently return ret = a->length + 1 for both NULL and non-NULL pp. The calls to asn1_ex_i2c() in asn1_i2d_ex_primitive() thus report consistent lengths back, making it succeed.

  asn1_i2d_ex_primitive() therefore skips a->length + 1 bytes, while i2c_ASN1_BIT_STRING() only overwrites len + 1 bytes, which are possibly fewer. So a caller passing in an output buffer containing garbage (malloc) will get some of that garbage back in the encoding.

  Further, i2c_ASN1_BIT_STRING() also advances that pointer by the possibly reduced len + 1, but that fortunately doesn't matter since that's an effect local to asn1_ex_i2c(), the only caller of i2c_ASN1_BIT_STRING().

  The last bit is that the current behavior may set bogus unused bits coming from the scanning backward madness. I added such an example in the parent commit.

  The fix is simple: use len after the truncation effect was established, not the original a->length, turning this commit into what my backport should have been.

  This fixes the two currently failing regress tests, so remove expected failure marker again.

  ok jsing kenjiro
* asn1basic: add missing test from BoringSSL's test suite | tb | 2026-01-04 | 1 | -1/+32
  This is another test that fails due to the bug in i2c_ASN1_BIT_STRING().
* asn1basic: switch test to expect correct encoding | tb | 2026-01-04 | 2 | -4/+6
  This test fails, so mark the asn1basic test as an expected failure
* asn1basic: add example showing current bogus encoding | tb | 2026-01-04 | 1 | -1/+38
  There is a bug in i2c_ASN1_BIT_STRING() resulting in nonsense encoding of some BIT STRINGs with trailing zeroes if ASN1_STRING_FLAG_BITS_LEFT is not set (a rare corner case). This test currently passes when it shouldn't.
* check_complete: ASN1_LONG_UNDEF is now internal | tb | 2026-01-02 | 1 | -1/+0
* Rename RANK{768,1024} to MLKEM{768,1024}_RANK | tb | 2026-01-01 | 4 | -22/+22
  RANK768 and RANK1024 are awfully short and generic names for public constants. Before we make it worse with similarly named constants for ML-DSA, let's fix this. This follows the naming convention used by the other macros in the mlkem code.
  ok kenjiro jsing
* constaints -> constraints | tb | 2025-12-31 | 1 | -2/+2
* preprended -> prepended | tb | 2025-12-27 | 1 | -2/+2
* "SCREW_THE_PARITY is not ment to be defined." | tb | 2025-12-26 | 1 | -13/+1
  alright. go home.
* astrix -> asterisk | tb | 2025-12-25 | 1 | -2/+2
* wycheproof: add minimal glue for the decaps validation tests | tb | 2025-12-20 | 1 | -1/+8
* Port most of BoringSSL's TEST(ASN1Test, SetBit) | tb | 2025-12-18 | 1 | -1/+425
  Exercises the batshit crazy truncation behavior of ASN1_BIT_STRING_set_bit()
  Based on https://boringssl-review.googlesource.com/c/boringssl/+/48225 (still under ISC).
* ec_asn1_test: change a comma to a full stop | tb | 2025-12-07 | 1 | -2/+2
* asn1complex: use ASN1_STRING_get0_data() instead of ASN1_STRING_data() | tb | 2025-12-07 | 1 | -4/+4
* check_complete: remove the BN_*FMT1 macros as well | tb | 2025-12-05 | 1 | -4/+1
* check_complete: adjust for BN_ macro removal | tb | 2025-12-05 | 1 | -5/+2
  pointed out by kenjiro
* bn_word.c: include bn_local.h in preparation for an upcoming change | tb | 2025-12-05 | 1 | -1/+3
* bn_test: avoid last use of BN_HEX_FMT1 in libressl | tb | 2025-11-15 | 1 | -2/+4
* bn_test: remove dead code | tb | 2025-11-15 | 1 | -12/+1
  We haven't defined SIXTY_FOUR_BITS in a long time, if ever. The last #undef SIXTY_FOUR_BITS were removed when we cleaned up opensslconf.h. Code behind #ifdef SIXTY_FOUR_BITS is therefore dead.
* Avoid the use of _LP64 in libcrypto regress. | jsing | 2025-11-05 | 1 | -2/+2
  What the tests actually care about is the size of a BN_ULONG, hence condition on BN_BYTES instead.
  Discussed with tb@
* Revert previous. Let's deal with it when the portable release is out. | tb | 2025-10-07 | 1 | -7/+3
* test framework: allow overriding the "/tmp/" directory | tb | 2025-10-07 | 1 | -3/+7
  Windows is super picky when it comes to paths, so it needs some special massaging. Will let us avoid a patch or hack in portable.
* ec_asn1_test: add an example using BLS12-377 | tb | 2025-09-17 | 1 | -1/+80
  This exercises the cofactor guessing code with a large cofactor. Thanks to Daniel Bleichenbacher for pointing out this example. This contains a hack to use a bogus OID since this curve has none.
* wycheproof: provide PBKDF2 test harness | tb | 2025-09-16 | 1 | -2/+58
  Skip the tests for now since they increase the test's runtime by ~50%. A later commit will gate these tests behind REGRESS_SKIP_SLOW.
* wycheproof: run HMACSM3 tests against libcrypto | tb | 2025-09-15 | 1 | -4/+7
* wycheproof: run ML-KEM test vectors against libcrypto | tb | 2025-09-14 | 1 | -2/+139
* wycheproof: zap stray empty line | tb | 2025-09-09 | 1 | -2/+1
* wycheproof: rework test selection | tb | 2025-09-08 | 1 | -69/+82
  Since this has grown organically, the test selection has become a weird mix of globs, regexes and test variants and it is hard to reason about what is run and why. Instead, load all the json files from testvectors_v1/ and look at algorithm (almost always available) and test schema to figure out if we support it in libcrypto and the test harness. This separates the logic of the test runner better from the test selection. Also make it a fatal error if we don't explicitly skip an unknown algorithm.
* wycheproof: skip tests using curve448/edwards448 | tb | 2025-09-08 | 1 | -7/+12
* wycheproof: skip tests using SHAKE-128 and SHAKE-256 | tb | 2025-09-08 | 1 | -1/+17
* wycheproof: rename skipSmallCurve() into skipCurve() | tb | 2025-09-08 | 1 | -4/+6
  This prepares an upcoming change by not only skipping small curves but also binary curves that have test vectors.
* wycheproof: determine the test variant from the JSON schema | tb | 2025-09-08 | 1 | -30/+41
* wycheproof: retire the ECDSA webcrypto tests | tb | 2025-09-07 | 1 | -71/+2
  The webcrypto test files for P-256, P-384, and P-521 are identical to the P1363 test files for these curves with the hashes SHA-256, SHA-384, and SHA-512, respectively. The only real difference in the test paths is the Go glue code to translate to libcrypto, so they're pointless.
* wycheproof: go fmt | tb | 2025-09-06 | 1 | -4/+4