author | Jack Lloyd <[email protected]> | 2016-11-16 12:05:34 -0500 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2016-11-17 13:56:25 -0500 |
commit | 74cf1686b727d9b41781df66f3f74d63b9c5cfe2 (patch) | |
tree | c5127473f7676763202cf79837bd4328c903a21d /src/lib/pubkey/newhope | |
parent | 97df0c27b878d77799353ccc9eda9705b1ec1fa4 (diff) |
Add CECPQ1 TLS ciphersuites
Tested against BoringSSL (as client + server) and google.com (as client).
Fix a stupid crashing bug in NewHope's BoringSSL mode.
Remove unneeded error return from curve25519_donna - always returned 0.
Default policy prefers ChaChaPoly1305 over GCM and CECPQ1 over ECDH/DH, which
means the default no-extra-configuration ciphersuite (for Botan client speaking
to Botan server) is a ciphersuite which is both implemented in constant time
on all platforms and (hopefully) provides post quantum security. Good Things.
Diffstat (limited to 'src/lib/pubkey/newhope')
-rw-r--r-- | src/lib/pubkey/newhope/newhope.cpp | 4 | ||||
-rw-r--r-- | src/lib/pubkey/newhope/newhope.h | 31 |
2 files changed, 26 insertions, 9 deletions
diff --git a/src/lib/pubkey/newhope/newhope.cpp b/src/lib/pubkey/newhope/newhope.cpp
index 356fd416e..77194207e 100644
--- a/src/lib/pubkey/newhope/newhope.cpp
+++ b/src/lib/pubkey/newhope/newhope.cpp
@@ -666,13 +666,13 @@ void gen_a(poly *a, const uint8_t *seed, Newhope_Mode mode)
 if(mode == Newhope_Mode::BoringSSL)
 {
- xof = StreamCipher::create("CTR(AES-128)");
+ xof = StreamCipher::create_or_throw("CTR-BE(AES-128)");
 xof->set_key(seed, 16);
 xof->set_iv(seed + 16, 16);
 }
 else
 {
- xof = StreamCipher::create("SHAKE-128");
+ xof = StreamCipher::create_or_throw("SHAKE-128");
 xof->set_key(seed, NEWHOPE_SEED_BYTES);
 }
diff --git a/src/lib/pubkey/newhope/newhope.h b/src/lib/pubkey/newhope/newhope.h
index 667f1c4cf..df18bc586 100644
--- a/src/lib/pubkey/newhope/newhope.h
+++ b/src/lib/pubkey/newhope/newhope.h
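Review bot: The BoringSSL branch reads 32 bytes out of `seed` (`set_key(seed, 16)` then `set_iv(seed + 16, 16)`) while `gen_a` receives only a bare `const uint8_t *seed`, so the buffer length is an unchecked assumption of the caller and a shorter seed would be an out-of-bounds read. Since the SHA3 branch keys with `NEWHOPE_SEED_BYTES`, the assumption can be pinned at the split with `static_assert(NEWHOPE_SEED_BYTES >= 32, "BoringSSL mode splits the seed into a 16 byte AES key and a 16 byte IV");` placed before the `if`. The rename from `"CTR(AES-128)"` to `"CTR-BE(AES-128)"` is also silent; a comment above the `create_or_throw` line such as `// BoringSSL's NewHope uses AES-128 in standard (big-endian counter) CTR mode, which Botan names CTR-BE` records why the exact algorithm name matters, presumably the old name resolved to nothing and is the crash the commit message mentions. gen_a's body begins before and continues after this hunk.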
@@ -21,36 +21,53 @@ namespace Botan { * Currently pubkey.h does not support a 2-phase KEM scheme of * the sort NEWHOPE exports. */ -#define NEWHOPE_SENDABYTES 1824 -#define NEWHOPE_SENDBBYTES 2048 -typedef struct { - uint16_t coeffs[1024]; -} newhope_poly; +// TODO: change to just a secure_vector +class newhope_poly + { + public: + uint16_t coeffs[1024]; + ~newhope_poly() { secure_scrub_memory(coeffs, sizeof(coeffs)); } + }; + +enum Newhope_Params { + NEWHOPE_SENDABYTES = 1824, + NEWHOPE_SENDBBYTES = 2048, + + NEWHOPE_OFFER_BYTES = 1824, + NEWHOPE_ACCEPT_BYTES = 2048, + NEWHOPE_SHARED_KEY_BYTES = 32, + + CECPQ1_OFFER_BYTES = NEWHOPE_OFFER_BYTES + 32, + CECPQ1_ACCEPT_BYTES = NEWHOPE_ACCEPT_BYTES + 32, + CECPQ1_SHARED_KEY_BYTES = NEWHOPE_SHARED_KEY_BYTES + 32 +}; /** * This chooses the XOF + hash for NewHope - * The official NewHope specification and reference implementation use * SHA-3 and SHAKE-128. BoringSSL instead uses SHA-256 and AES-128 in -* CTR mode. +* CTR mode. CECPQ1 (x25519+NewHope) always uses BoringSSL's mode */ enum class Newhope_Mode { SHA3, BoringSSL }; +// offer void BOTAN_DLL newhope_keygen(uint8_t *send, newhope_poly *sk, RandomNumberGenerator& rng, Newhope_Mode = Newhope_Mode::SHA3); +// accept void BOTAN_DLL newhope_sharedb(uint8_t *sharedkey, uint8_t *send, const uint8_t *received, RandomNumberGenerator& rng, Newhope_Mode mode = Newhope_Mode::SHA3); +// finish void BOTAN_DLL newhope_shareda(uint8_t *sharedkey, const newhope_poly *ska, const uint8_t *received, |