author | Jack Lloyd <[email protected]> | 2016-11-16 12:05:34 -0500 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2016-11-17 13:56:25 -0500 |
commit | 74cf1686b727d9b41781df66f3f74d63b9c5cfe2 | |
tree | c5127473f7676763202cf79837bd4328c903a21d /src/lib/pubkey/cecpq1/cecpq1.h | |
parent | 97df0c27b878d77799353ccc9eda9705b1ec1fa4 | |
Add CECPQ1 TLS ciphersuites
Tested against BoringSSL (as client + server) and google.com (as client).
Fix a stupid crashing bug in NewHope's BoringSSL mode.
Remove unneeded error return from curve25519_donna - always returned 0.
Default policy prefers ChaChaPoly1305 over GCM and CECPQ1 over ECDH/DH, which
means the default no-extra-configuration ciphersuite (for Botan client speaking
to Botan server) is a ciphersuite which is both implemented in constant time
on all platforms and (hopefully) provides post quantum security. Good Things.
Diffstat (limited to 'src/lib/pubkey/cecpq1/cecpq1.h')
-rw-r--r-- | src/lib/pubkey/cecpq1/cecpq1.h | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/src/lib/pubkey/cecpq1/cecpq1.h b/src/lib/pubkey/cecpq1/cecpq1.h new file mode 100644 index 000000000..0bda0dd02 --- /dev/null +++ b/src/lib/pubkey/cecpq1/cecpq1.h @@ -0,0 +1,36 @@ +/* +* CECPQ1 (x25519 + NewHope) +* (C) 2016 Jack Lloyd +* +* Botan is released under the Simplified BSD License (see license.txt) +*/ + +#ifndef BOTAN_CECPQ1_H__ +#define BOTAN_CECPQ1_H__ + +#include <botan/secmem.h> +#include <botan/newhope.h> + +namespace Botan { + +struct CECPQ1_key { + secure_vector<uint8_t> m_x25519; + newhope_poly m_newhope; +}; + +void BOTAN_DLL CECPQ1_offer(uint8_t* offer_message, + CECPQ1_key* offer_key_output, + RandomNumberGenerator& rng); + +void BOTAN_DLL CECPQ1_accept(uint8_t* shared_key, + uint8_t* accept_message, + const uint8_t* offer_message, + RandomNumberGenerator& rng); + +void BOTAN_DLL CECPQ1_finish(uint8_t* shared_key, + const CECPQ1_key& offer_key, + const uint8_t* accept_message); + +} + +#endif |
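Review bot: The three functions declared in cecpq1.h (CECPQ1_offer, CECPQ1_accept, CECPQ1_finish) take raw uint8_t* buffers with no length parameters and no comments stating how many bytes each one reads or writes. For offer_message and accept_message that matters in a TLS handshake, because the bytes come from the peer and the callee cannot check that the caller's buffer is as long as it assumes; a short buffer becomes an out-of-bounds read or write. Please either document the exact sizes of offer_message, accept_message and shared_key in the header and expose them as named constants that callers can validate against before calling, or pass lengths and reject mismatches inside the functions. Two smaller points: the declarations use RandomNumberGenerator& while the header includes only botan/secmem.h and botan/newhope.h, so it appears to depend on a transitive include and would be more robust including the RNG header directly; and CECPQ1_key holds private key material but has no comment saying so or describing its lifetime between CECPQ1_offer and CECPQ1_finish.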