aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2019-07-05 04:30:33 -0400
committerJack Lloyd <[email protected]>2019-07-05 04:30:33 -0400
commitece3587979b8b3c25645161acc0d4f280adbfc4c (patch)
tree288993597f725baf409c53b1f46e4bb9e2ff81be /src/lib
parentf95731602d83d4fd5686c98f1cfbf02f101a3652 (diff)
Remove BearSSL provider
BearSSL is much slower than Botan's builtins, and it is not commonly included in distributions so doesn't even have the advantage of ubiquity.
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/hash/hash.cpp17
-rw-r--r--src/lib/prov/bearssl/bearssl.h50
-rw-r--r--src/lib/prov/bearssl/bearssl_ec.cpp206
-rw-r--r--src/lib/prov/bearssl/bearssl_hash.cpp120
-rw-r--r--src/lib/prov/bearssl/info.txt17
-rw-r--r--src/lib/pubkey/ecdsa/ecdsa.cpp34
6 files changed, 1 insertions, 443 deletions
diff --git a/src/lib/hash/hash.cpp b/src/lib/hash/hash.cpp
index ab29e6772..63218006c 100644
--- a/src/lib/hash/hash.cpp
+++ b/src/lib/hash/hash.cpp
@@ -93,10 +93,6 @@
#include <botan/blake2b.h>
#endif
-#if defined(BOTAN_HAS_BEARSSL)
- #include <botan/internal/bearssl.h>
-#endif
-
#if defined(BOTAN_HAS_OPENSSL)
#include <botan/internal/openssl.h>
#endif
@@ -133,17 +129,6 @@ std::unique_ptr<HashFunction> HashFunction::create(const std::string& algo_spec,
}
#endif
-#if defined(BOTAN_HAS_BEARSSL)
- if(provider.empty() || provider == "bearssl")
- {
- if(auto hash = make_bearssl_hash(algo_spec))
- return hash;
-
- if(!provider.empty())
- return nullptr;
- }
-#endif
-
if(provider.empty() == false && provider != "base")
return nullptr; // unknown provider
@@ -368,7 +353,7 @@ HashFunction::create_or_throw(const std::string& algo,
std::vector<std::string> HashFunction::providers(const std::string& algo_spec)
{
- return probe_providers_of<HashFunction>(algo_spec, {"base", "bearssl", "openssl", "commoncrypto"});
+ return probe_providers_of<HashFunction>(algo_spec, {"base", "openssl", "commoncrypto"});
}
}
diff --git a/src/lib/prov/bearssl/bearssl.h b/src/lib/prov/bearssl/bearssl.h
deleted file mode 100644
index e6d77fcfa..000000000
--- a/src/lib/prov/bearssl/bearssl.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
-* Utils for calling BearSSL
-* (C) 2015,2016 Jack Lloyd
-* (C) 2017 Patrick Wildt
-*
-* Botan is released under the Simplified BSD License (see license.txt)
-*/
-
-#ifndef BOTAN_INTERNAL_BEARSSL_H_
-#define BOTAN_INTERNAL_BEARSSL_H_
-
-#include <botan/pk_ops_fwd.h>
-#include <botan/secmem.h>
-#include <botan/exceptn.h>
-#include <memory>
-#include <string>
-
-namespace Botan {
-
-class HashFunction;
-
-class BearSSL_Error final : public Exception
- {
- public:
- BearSSL_Error(const std::string& what) :
- Exception(what + " failed") {}
- };
-
-/* Hash */
-
-std::unique_ptr<HashFunction>
-make_bearssl_hash(const std::string& name);
-
-/* ECDSA */
-
-#if defined(BOTAN_HAS_ECDSA)
-
-class ECDSA_PublicKey;
-class ECDSA_PrivateKey;
-
-std::unique_ptr<PK_Ops::Verification>
-make_bearssl_ecdsa_ver_op(const ECDSA_PublicKey& key, const std::string& params);
-std::unique_ptr<PK_Ops::Signature>
-make_bearssl_ecdsa_sig_op(const ECDSA_PrivateKey& key, const std::string& params);
-
-#endif
-
-}
-
-#endif
diff --git a/src/lib/prov/bearssl/bearssl_ec.cpp b/src/lib/prov/bearssl/bearssl_ec.cpp
deleted file mode 100644
index 89f7773aa..000000000
--- a/src/lib/prov/bearssl/bearssl_ec.cpp
+++ /dev/null
@@ -1,206 +0,0 @@
-/*
-* ECDSA via BearSSL
-* (C) 2015,2016 Jack Lloyd
-* (C) 2017 Patrick Wildt
-*
-* Botan is released under the Simplified BSD License (see license.txt)
-*/
-
-#include <botan/exceptn.h>
-#include <botan/hash.h>
-#include <botan/scan_name.h>
-#include <botan/internal/bearssl.h>
-
-#if defined(BOTAN_HAS_ECC_PUBLIC_KEY_CRYPTO)
- #include <botan/der_enc.h>
- #include <botan/pkcs8.h>
- #include <botan/oids.h>
- #include <botan/internal/pk_ops_impl.h>
-#endif
-
-#if defined(BOTAN_HAS_ECDSA)
- #include <botan/ecdsa.h>
-#endif
-
-extern "C" {
- #include <bearssl_hash.h>
- #include <bearssl_ec.h>
-}
-
-namespace Botan {
-
-#if defined(BOTAN_HAS_ECC_PUBLIC_KEY_CRYPTO)
-
-namespace {
-
-int BearSSL_EC_curve_for(const OID& oid)
- {
- if(oid.empty())
- return -1;
-
- const std::string name = OIDS::lookup(oid);
-
- if(name == "secp256r1")
- return BR_EC_secp256r1;
- if(name == "secp384r1")
- return BR_EC_secp384r1;
- if(name == "secp521r1")
- return BR_EC_secp521r1;
-
- return -1;
- }
-
-const br_hash_class *BearSSL_hash_class_for(const std::string& emsa)
- {
- if (emsa == "EMSA1(SHA-1)")
- return &br_sha1_vtable;
- if (emsa == "EMSA1(SHA-224)")
- return &br_sha224_vtable;
- if (emsa == "EMSA1(SHA-256)")
- return &br_sha256_vtable;
- if (emsa == "EMSA1(SHA-384)")
- return &br_sha384_vtable;
- if (emsa == "EMSA1(SHA-512)")
- return &br_sha512_vtable;
-
- return nullptr;
- }
-}
-
-#endif
-
-#if defined(BOTAN_HAS_ECDSA)
-
-namespace {
-
-class BearSSL_ECDSA_Verification_Operation final : public PK_Ops::Verification
- {
- public:
- BearSSL_ECDSA_Verification_Operation(const ECDSA_PublicKey& ecdsa, const std::string& emsa) :
- m_order_bits(ecdsa.domain().get_order_bits())
- {
- const int curve = BearSSL_EC_curve_for(ecdsa.domain().get_oid());
- if (curve < 0)
- throw Lookup_Error("BearSSL ECDSA does not support this curve");
-
- m_hash = BearSSL_hash_class_for(emsa);
- if (m_hash == nullptr)
- throw Lookup_Error("BearSSL ECDSA does not support EMSA " + emsa);
-
- const SCAN_Name req(emsa);
- m_hf = make_bearssl_hash(req.arg(0));
- if (m_hf == nullptr)
- throw Lookup_Error("BearSSL ECDSA does not support hash " + req.arg(0));
-
- m_q_buf = ecdsa.public_point().encode(PointGFp::UNCOMPRESSED);
-
- m_key.qlen = m_q_buf.size();
- m_key.q = m_q_buf.data();
- m_key.curve = curve;
- }
-
- void update(const uint8_t msg[], size_t msg_len) override
- {
- m_hf->update(msg, msg_len);
- }
-
- bool is_valid_signature(const uint8_t sig[], size_t sig_len) override
- {
- const size_t order_bytes = (m_order_bits + 7) / 8;
- if (sig_len != 2 * order_bytes)
- return false;
- secure_vector<uint8_t> msg = m_hf->final();
-
- br_ecdsa_vrfy engine = br_ecdsa_vrfy_raw_get_default();
- if (!engine(&br_ec_prime_i31, msg.data(), msg.size(), &m_key, sig, sig_len))
- return false;
-
- return true;
- }
-
- size_t max_input_bits() const { return m_order_bits; }
-
- private:
- br_ec_public_key m_key;
- std::unique_ptr<HashFunction> m_hf;
- std::vector<uint8_t> m_q_buf;
- const br_hash_class *m_hash;
- size_t m_order_bits;
- };
-
-class BearSSL_ECDSA_Signing_Operation final : public PK_Ops::Signature
- {
- public:
- BearSSL_ECDSA_Signing_Operation(const ECDSA_PrivateKey& ecdsa, const std::string& emsa) :
- m_order_bits(ecdsa.domain().get_order_bits()),
- m_order_bytes(ecdsa.domain().get_order_bytes())
- {
- const int curve = BearSSL_EC_curve_for(ecdsa.domain().get_oid());
- if(curve < 0)
- throw Lookup_Error("BearSSL ECDSA does not support this curve");
-
- m_hash = BearSSL_hash_class_for(emsa);
- if (m_hash == nullptr)
- throw Lookup_Error("BearSSL ECDSA does not support EMSA " + emsa);
-
- const SCAN_Name req(emsa);
- m_hf = make_bearssl_hash(req.arg(0));
- if (m_hf == nullptr)
- throw Lookup_Error("BearSSL ECDSA does not support hash " + req.arg(0));
-
- m_x_buf = BigInt::encode_locked(ecdsa.private_value());
-
- m_key.xlen = m_x_buf.size();
- m_key.x = m_x_buf.data();
- m_key.curve = curve;
- }
-
- void update(const uint8_t msg[], size_t msg_len) override
- {
- m_hf->update(msg, msg_len);
- }
-
- secure_vector<uint8_t> sign(RandomNumberGenerator&) override
- {
- const size_t order_bytes = (m_order_bits + 7) / 8;
- secure_vector<uint8_t> sigval(2*order_bytes);
-
- br_ecdsa_sign engine = br_ecdsa_sign_raw_get_default();
- size_t sign_len = engine(&br_ec_prime_i31, m_hash, m_hf->final().data(), &m_key, sigval.data());
- if (sign_len == 0)
- throw BearSSL_Error("br_ecdsa_sign");
-
- sigval.resize(sign_len);
- return sigval;
- }
-
- size_t max_input_bits() const { return m_order_bits; }
-
- size_t signature_length() const override { return 2*m_order_bytes; }
-
- private:
- br_ec_private_key m_key;
- std::unique_ptr<HashFunction> m_hf;
- secure_vector<uint8_t> m_x_buf;
- const br_hash_class *m_hash;
- size_t m_order_bits;
- size_t m_order_bytes;
- };
-
-}
-
-std::unique_ptr<PK_Ops::Verification>
-make_bearssl_ecdsa_ver_op(const ECDSA_PublicKey& key, const std::string& params)
- {
- return std::unique_ptr<PK_Ops::Verification>(new BearSSL_ECDSA_Verification_Operation(key, params));
- }
-
-std::unique_ptr<PK_Ops::Signature>
-make_bearssl_ecdsa_sig_op(const ECDSA_PrivateKey& key, const std::string& params)
- {
- return std::unique_ptr<PK_Ops::Signature>(new BearSSL_ECDSA_Signing_Operation(key, params));
- }
-
-#endif
-
-}
diff --git a/src/lib/prov/bearssl/bearssl_hash.cpp b/src/lib/prov/bearssl/bearssl_hash.cpp
deleted file mode 100644
index 2b837bcf5..000000000
--- a/src/lib/prov/bearssl/bearssl_hash.cpp
+++ /dev/null
@@ -1,120 +0,0 @@
-/*
-* BearSSL Hash Functions
-* (C) 1999-2007,2015 Jack Lloyd
-* (C) 2017 Patrick Wildt
-*
-* Botan is released under the Simplified BSD License (see license.txt)
-*/
-
-#include <botan/hash.h>
-#include <botan/internal/bearssl.h>
-#include <unordered_map>
-
-extern "C" {
- #include <bearssl_hash.h>
-}
-
-namespace Botan {
-
-namespace {
-
-class BearSSL_HashFunction final : public HashFunction
- {
- public:
- void clear() override
- {
- m_ctx.vtable->init(&m_ctx.vtable);
- }
-
- std::string provider() const override { return "bearssl"; }
- std::string name() const override { return m_name; }
-
- HashFunction* clone() const override
- {
- return new BearSSL_HashFunction(m_ctx.vtable, m_name);
- }
-
- std::unique_ptr<HashFunction> copy_state() const override
- {
- std::unique_ptr<BearSSL_HashFunction> copy(new BearSSL_HashFunction(m_ctx.vtable, m_name));
- std::memcpy(&copy->m_ctx, &m_ctx, sizeof(m_ctx));
- return std::move(copy);
- }
-
- size_t output_length() const override
- {
- return (m_ctx.vtable->desc >> BR_HASHDESC_OUT_OFF) & BR_HASHDESC_OUT_MASK;
- }
-
- size_t hash_block_size() const override
- {
- return 1 << ((m_ctx.vtable->desc >> BR_HASHDESC_LBLEN_OFF) & BR_HASHDESC_LBLEN_MASK);
- }
-
- BearSSL_HashFunction(const br_hash_class *hash, const std::string name)
- {
- m_name = name;
- hash->init(&m_ctx.vtable);
- }
-
- ~BearSSL_HashFunction()
- {
- }
-
- private:
- void add_data(const uint8_t input[], size_t length) override
- {
- m_ctx.vtable->update(&m_ctx.vtable, input, length);
- }
-
- void final_result(uint8_t output[]) override
- {
- m_ctx.vtable->out(&m_ctx.vtable, output);
- m_ctx.vtable->init(&m_ctx.vtable);
- }
-
- std::string m_name;
- br_hash_compat_context m_ctx;
- };
-
-}
-
-std::unique_ptr<HashFunction>
-make_bearssl_hash(const std::string& name)
- {
-#define MAKE_BEARSSL_HASH(vtable) \
- std::unique_ptr<HashFunction>(new BearSSL_HashFunction(vtable, name))
-
-#if defined(BOTAN_HAS_SHA2_32)
- if(name == "SHA-224")
- return MAKE_BEARSSL_HASH(&br_sha224_vtable);
- if(name == "SHA-256")
- return MAKE_BEARSSL_HASH(&br_sha256_vtable);
-#endif
-
-#if defined(BOTAN_HAS_SHA2_64)
- if(name == "SHA-384")
- return MAKE_BEARSSL_HASH(&br_sha384_vtable);
- if(name == "SHA-512")
- return MAKE_BEARSSL_HASH(&br_sha512_vtable);
-#endif
-
-#if defined(BOTAN_HAS_SHA1)
- if(name == "SHA-160" || name == "SHA-1" || name == "SHA1")
- return MAKE_BEARSSL_HASH(&br_sha1_vtable);
-#endif
-
-#if defined(BOTAN_HAS_MD5)
- if(name == "MD5")
- return MAKE_BEARSSL_HASH(&br_md5_vtable);
-#endif
-
-#if defined(BOTAN_HAS_PARALLEL_HASH)
- if(name == "Parallel(MD5,SHA-160)")
- return MAKE_BEARSSL_HASH(&br_md5sha1_vtable);
-#endif
-
- return nullptr;
- }
-
-}
diff --git a/src/lib/prov/bearssl/info.txt b/src/lib/prov/bearssl/info.txt
deleted file mode 100644
index 67bdc157d..000000000
--- a/src/lib/prov/bearssl/info.txt
+++ /dev/null
@@ -1,17 +0,0 @@
-<defines>
-BEARSSL -> 20170628
-</defines>
-
-load_on vendor
-
-<header:internal>
-bearssl.h
-</header:internal>
-
-<libs>
-all!windows -> bearssl
-</libs>
-
-<requires>
-pubkey
-</requires>
diff --git a/src/lib/pubkey/ecdsa/ecdsa.cpp b/src/lib/pubkey/ecdsa/ecdsa.cpp
index fadf1dd10..ebe9268cc 100644
--- a/src/lib/pubkey/ecdsa/ecdsa.cpp
+++ b/src/lib/pubkey/ecdsa/ecdsa.cpp
@@ -19,10 +19,6 @@
#include <botan/rfc6979.h>
#endif
-#if defined(BOTAN_HAS_BEARSSL)
- #include <botan/internal/bearssl.h>
-#endif
-
#if defined(BOTAN_HAS_OPENSSL)
#include <botan/internal/openssl.h>
#endif
@@ -262,21 +258,6 @@ std::unique_ptr<PK_Ops::Verification>
ECDSA_PublicKey::create_verification_op(const std::string& params,
const std::string& provider) const
{
-#if defined(BOTAN_HAS_BEARSSL)
- if(provider == "bearssl" || provider.empty())
- {
- try
- {
- return make_bearssl_ecdsa_ver_op(*this, params);
- }
- catch(Lookup_Error& e)
- {
- if(provider == "bearssl")
- throw;
- }
- }
-#endif
-
#if defined(BOTAN_HAS_OPENSSL)
if(provider == "openssl" || provider.empty())
{
@@ -303,21 +284,6 @@ ECDSA_PrivateKey::create_signature_op(RandomNumberGenerator& rng,
const std::string& params,
const std::string& provider) const
{
-#if defined(BOTAN_HAS_BEARSSL)
- if(provider == "bearssl" || provider.empty())
- {
- try
- {
- return make_bearssl_ecdsa_sig_op(*this, params);
- }
- catch(Lookup_Error& e)
- {
- if(provider == "bearssl")
- throw;
- }
- }
-#endif
-
#if defined(BOTAN_HAS_OPENSSL)
if(provider == "openssl" || provider.empty())
{