This was harmless as it would either fall through to an empty default statement (if CRYB_COVERAGE was defined) or out of the switch, but it's still bad style.
When cryb-test is used as a framework for another project, the compile-time test is useless since cryb-test itself will have been built with coverage disabled. Besides, it is not a reliable indicator of whether leak detection will work. Instead, check if the heap is already dirty when we first gain control.
Travis forces _FORTIFY_SOURCE, which enables warn_unused_result annotations in glibc. Some of those annotations are of dubious value; in the case of asprintf(3) and vasprintf(3), they flag code that doesn't check the return value as unsafe even if it checks the pointer instead (which is guaranteed to be NULL in case of failure, and arguably more useful than the return value). Unfortunately, gcc intentionally ignores (void) casts, so we have no choice but to quench the warning with -Wno-unused-result. However, some of the compilers we wish to support don't recognize it, so we move it from the developer flags to the Travis environment.
While there, switch Travis from Precious to Trusty.
The count we passed to memcmp() in mpi_eq() and mpi_eq_abs() was actually the number of significant words in the MPI, rather than the number of bytes we wanted to compare. Multiply by 4 to get the correct value.
To make the intent of the code more apparent, introduce a private MPI_MSW() macro which evaluates to the number of significant words (or 1-based index of the most significant word). This also comes in handy in mpi_{add,sub,mul}_abs().
Add a couple of test cases which not only demonstrate the bug we fixed here but also demonstrate why we must compare whole words: on a big-endian machine, we would be comparing the unused upper bytes of the first and only word instead of the lower bytes which actually hold a value...
In my eagerness to eliminate a branch which is taken once per 2^38 bytes of keystream, I forgot that the state words are in host order. Thus, the counter increment code worked fine on little-endian machines, but not on big-endian ones. Switch to a simpler (branchful) solution.
We failed to clear the negative flag when handling trivial cases, so if one of the terms was 0 and the other was negative, the result would be an exact copy of the non-zero term instead of its absolute value.
- Use the new vector byte-order conversion functions where appropriate.
- Use memset_s() instead of memset() where appropriate.
- Use consistent names and types for function arguments.
- Reindent, rename and reorganize to conform to Cryb style and idiom.
SHA224 and SHA256 were left mostly unchanged. MD2 and MD4 were completely rewritten as the previous versions (taken from XySSL) seem to have been copied from RSAREF.
This breaks the ABI as some context structures have grown or shrunk and some function arguments have been changed from int to size_t.
Single-DES is now a special case of triple-DES with all three keys being the same. This is significantly slower than a pure single-DES implementation, but that's fine since nobody should be using it anyway.
We now have separate encryption and decryption methods, and can process an arbitrary amount of plaintext or ciphertext per call, rounded down to the block size (if applicable). For stream ciphers, we also have a keystream method which fills the provided buffer with an arbitrary amount of keystream (once again, rounded down if applicable).
Not only is this a slightly more logical name, but it allows us to expose the verbose flag, previously private to cryb_t_main.c, as the equally logically named t_verbose.
If the key length is not a multiple of 40 bits, its base32 representation may be padded, and that padding will be encoded. We already decoded the label (which may contain spaces and other unsafe characters), but not the key. For the sake of simplicity and robustness, we now decode the name and value of every property.
This corresponds to OpenPAM r886.
The rk pointer in struct aes_ctx always pointed to the context's buffer and served no purpose whatsoever, but the compiler had no way of knowing that and could therefore not optimize away assignments to and from it.
Note that the removal of rk breaks the ABI, since it changes the size of struct aes_ctx, but we allow ourselves that because neither the API nor the ABI have been fixed yet.