authorJack Lloyd <[email protected]>2016-11-16 12:05:34 -0500
committerJack Lloyd <[email protected]>2016-11-17 13:56:25 -0500
commit74cf1686b727d9b41781df66f3f74d63b9c5cfe2 (patch)
treec5127473f7676763202cf79837bd4328c903a21d /src/lib/pubkey/newhope
parent97df0c27b878d77799353ccc9eda9705b1ec1fa4 (diff)
Add CECPQ1 TLS ciphersuites
Tested against BoringSSL (as client + server) and google.com (as client). Fix a stupid crashing bug in NewHope's BoringSSL mode. Remove unneeded error return from curve25519_donna - always returned 0. Default policy prefers ChaChaPoly1305 over GCM and CECPQ1 over ECDH/DH, which means the default no-extra-configuration ciphersuite (for Botan client speaking to Botan server) is a ciphersuite which is both implemented in constant time on all platforms and (hopefully) provides post quantum security. Good Things.
Diffstat (limited to 'src/lib/pubkey/newhope')
-rw-r--r--src/lib/pubkey/newhope/newhope.cpp4
-rw-r--r--src/lib/pubkey/newhope/newhope.h31
2 files changed, 26 insertions, 9 deletions
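--- a/src/lib/pubkey/newhope/newhope.cpp
+++ b/src/lib/pubkey/newhope/newhope.cpp
@@ -666,13 +666,13 @@ void gen_a(poly *a, const uint8_t *seed, Newhope_Mode mode)
 if(mode == Newhope_Mode::BoringSSL)
 {
- xof = StreamCipher::create("CTR(AES-128)");
+ xof = StreamCipher::create_or_throw("CTR-BE(AES-128)");
 xof->set_key(seed, 16);
 xof->set_iv(seed + 16, 16);
 }
 else
 {
- xof = StreamCipher::create("SHAKE-128");
+ xof = StreamCipher::create_or_throw("SHAKE-128");
 xof->set_key(seed, NEWHOPE_SEED_BYTES);
 }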
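Review bot: Both branches still read the seed through a raw pointer with no length argument, and the BoringSSL branch consumes 32 bytes (16 for the key, 16 more for the IV via `seed + 16`) while the SHA3 branch consumes NEWHOPE_SEED_BYTES, so nothing in gen_a's signature tells a caller how large the buffer must be. A comment above the `if`, such as `// seed is assumed to be NEWHOPE_SEED_BYTES long; BoringSSL mode splits it as 16-byte AES key || 16-byte CTR IV`, would document this, and if NEWHOPE_SEED_BYTES is a compile-time constant a `static_assert(NEWHOPE_SEED_BYTES >= 32, "gen_a BoringSSL mode reads 32 seed bytes");` next to it would turn a short-buffer over-read into a build error rather than a runtime one. The two `16` literals on the set_key/set_iv lines could also be named constants so the split is visible at the call site. gen_a begins before the hunk and its body continues past it.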
diff --git a/src/lib/pubkey/newhope/newhope.h b/src/lib/pubkey/newhope/newhope.h
index 667f1c4cf..df18bc586 100644
--- a/src/lib/pubkey/newhope/newhope.h
+++ b/src/lib/pubkey/newhope/newhope.h
@@ -21,36 +21,53 @@ namespace Botan {
* Currently pubkey.h does not support a 2-phase KEM scheme of
* the sort NEWHOPE exports.
*/
-#define NEWHOPE_SENDABYTES 1824
-#define NEWHOPE_SENDBBYTES 2048
-typedef struct {
- uint16_t coeffs[1024];
-} newhope_poly;
+// TODO: change to just a secure_vector
+class newhope_poly
+ {
+ public:
+ uint16_t coeffs[1024];
+ ~newhope_poly() { secure_scrub_memory(coeffs, sizeof(coeffs)); }
+ };
+
+enum Newhope_Params {
+ NEWHOPE_SENDABYTES = 1824,
+ NEWHOPE_SENDBBYTES = 2048,
+
+ NEWHOPE_OFFER_BYTES = 1824,
+ NEWHOPE_ACCEPT_BYTES = 2048,
+ NEWHOPE_SHARED_KEY_BYTES = 32,
+
+ CECPQ1_OFFER_BYTES = NEWHOPE_OFFER_BYTES + 32,
+ CECPQ1_ACCEPT_BYTES = NEWHOPE_ACCEPT_BYTES + 32,
+ CECPQ1_SHARED_KEY_BYTES = NEWHOPE_SHARED_KEY_BYTES + 32
+};
/**
* This chooses the XOF + hash for NewHope
-
* The official NewHope specification and reference implementation use
* SHA-3 and SHAKE-128. BoringSSL instead uses SHA-256 and AES-128 in
-* CTR mode.
+* CTR mode. CECPQ1 (x25519+NewHope) always uses BoringSSL's mode
*/
enum class Newhope_Mode {
SHA3,
BoringSSL
};
+// offer
void BOTAN_DLL newhope_keygen(uint8_t *send,
newhope_poly *sk,
RandomNumberGenerator& rng,
Newhope_Mode = Newhope_Mode::SHA3);
+// accept
void BOTAN_DLL newhope_sharedb(uint8_t *sharedkey,
uint8_t *send,
const uint8_t *received,
RandomNumberGenerator& rng,
Newhope_Mode mode = Newhope_Mode::SHA3);
+// finish
void BOTAN_DLL newhope_shareda(uint8_t *sharedkey,
const newhope_poly *ska,
const uint8_t *received,