-rwxr-xr-x | configure.py | 3 | ||||
-rw-r--r-- | doc/manual/ocsp.rst | 8 | ||||
-rw-r--r-- | src/cmd/apps.h | 1 | ||||
-rw-r--r-- | src/cmd/asn1.cpp | 5 | ||||
-rw-r--r-- | src/cmd/is_prime.cpp | 33 | ||||
-rw-r--r-- | src/cmd/main.cpp | 3 | ||||
-rw-r--r-- | src/cmd/tls_client.cpp | 25 | ||||
-rw-r--r-- | src/lib/alloc/locking_allocator/locking_allocator.cpp | 6 | ||||
-rw-r--r-- | src/lib/cert/x509/x509_ext.cpp | 2 | ||||
-rw-r--r-- | src/lib/cert/x509/x509path.h | 2 | ||||
-rw-r--r-- | src/lib/entropy/egd/es_egd.cpp | 4 | ||||
-rw-r--r-- | src/lib/entropy/proc_walk/proc_walk.cpp | 2 | ||||
-rw-r--r-- | src/lib/entropy/unix_procs/unix_procs.cpp | 25 | ||||
-rw-r--r-- | src/lib/kdf/info.txt | 1 | ||||
-rw-r--r-- | src/lib/rng/hmac_rng/hmac_rng.cpp | 10 | ||||
-rw-r--r-- | src/lib/tls/tls_messages.h | 8 | ||||
-rw-r--r-- | src/lib/utils/sqlite3/sqlite3.h | 2 | ||||
-rwxr-xr-x | src/scripts/dist.py | 1 | ||||
-rw-r--r-- | src/tests/data/mp_valid.dat | 9 | ||||
-rw-r--r-- | src/tests/test_pubkey.cpp | 4 |
20 files changed, 116 insertions, 38 deletions
diff --git a/configure.py b/configure.py index ab363a5ba..9d5b4304b 100755 --- a/configure.py +++ b/configure.py @@ -1641,8 +1641,7 @@ def setup_build(build_config, options, template_vars): portable_symlink(header_file, dir, link_method) except OSError as e: if e.errno != errno.EEXIST: - logging.error('Error linking %s into %s: %s' % ( - header_file, dir, e)) + raise Exception('Error linking %s into %s: %s' % (header_file, dir, e)) link_headers(build_config.public_headers, 'public', build_config.botan_include_dir) diff --git a/doc/manual/ocsp.rst b/doc/manual/ocsp.rst index 6c52cbe50..45858dfeb 100644 --- a/doc/manual/ocsp.rst +++ b/doc/manual/ocsp.rst @@ -37,3 +37,11 @@ OCSP requests is via HTTP, see :rfc:`2560` Appendix A for details. is signed correctly, and the response indicates that *subject* is not currently revoked. + +.. cpp:function:: OCSP::Response online_check(const X509_Certificate& issuer, \ + const X509_Certificate& subject, \ + const Certificate_Store* trusted_roots) + + Attempts to contact the OCSP responder specified in the subject certificate + and + diff --git a/src/cmd/apps.h b/src/cmd/apps.h index 0cb514aca..48f1f770e 100644 --- a/src/cmd/apps.h +++ b/src/cmd/apps.h @@ -25,6 +25,7 @@ DEFINE_APP(dsa_verify); DEFINE_APP(factor); DEFINE_APP(fpe); DEFINE_APP(hash); +DEFINE_APP(is_prime); DEFINE_APP(keygen); DEFINE_APP(ocsp_check); DEFINE_APP(pkcs10); diff --git a/src/cmd/asn1.cpp b/src/cmd/asn1.cpp index f9baae902..02b73e415 100644 --- a/src/cmd/asn1.cpp +++ b/src/cmd/asn1.cpp @@ -231,7 +231,10 @@ void decode(BER_Decoder& decoder, size_t level) for(size_t i = 0; i != bits.size(); ++i) for(size_t j = 0; j != 8; ++j) - bit_set.push_back((bool)((bits[bits.size()-i-1] >> (7-j)) & 1)); + { + const bool bit = static_cast<bool>((bits[bits.size()-i-1] >> (7-j)) & 1); + bit_set.push_back(bit); + } std::string bit_str; for(size_t i = 0; i != bit_set.size(); ++i) 
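Review bot: `raise Exception('Error linking %s into %s: %s' % (header_file, dir, e))` in the `except OSError` branch replaces the original exception with a bare `Exception`, so the errno and the OSError type are lost to any caller or wrapper that wants to distinguish a permissions or read-only-filesystem failure from a generic build error. A bare `raise` after logging, or `raise OSError(e.errno, 'Error linking %s into %s: %s' % (header_file, dir, e))`, keeps the type and traceback while still aborting the build as the commit intends. The enclosing helper inside `setup_build` starts and ends outside the hunk.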
diff --git a/src/cmd/is_prime.cpp b/src/cmd/is_prime.cpp new file mode 100644 index 000000000..658401690 --- /dev/null +++ b/src/cmd/is_prime.cpp @@ -0,0 +1,33 @@ +#include "apps.h" +#include <botan/numthry.h> + +int is_prime_main(int argc, char* argv[]) + { + if(argc != 2 && argc != 3) + { + std::cerr << "Usage: " << argv[0] << " n <prob>\n"; + return 2; + } + + BigInt n(argv[1]); + + size_t prob = 56; + + if(argc == 3) + prob = to_u32bit(argv[2]); + + AutoSeeded_RNG rng; + + const bool prime = is_prime(n, rng, prob); + + if(prime) + { + std::cout << n << " is prime\n"; + return 0; + } + else + { + std::cout << n << " is not prime\n"; + return 1; + } + } diff --git a/src/cmd/main.cpp b/src/cmd/main.cpp index 92ecc051e..f04c7daee 100644 --- a/src/cmd/main.cpp +++ b/src/cmd/main.cpp @@ -160,9 +160,10 @@ int main(int argc, char* argv[]) CALL_APP(factor); CALL_APP(fpe); CALL_APP(hash); + CALL_APP(is_prime); CALL_APP(keygen); - CALL_APP(rng); CALL_APP(read_ssh); + CALL_APP(rng); CALL_APP(speed); #if defined(BOTAN_HAS_TLS) diff --git a/src/cmd/tls_client.cpp b/src/cmd/tls_client.cpp index 9130cd085..5ab015c33 100644 --- a/src/cmd/tls_client.cpp +++ b/src/cmd/tls_client.cpp @@ -4,6 +4,11 @@ #include <botan/tls_client.h> #include <botan/pkcs8.h> #include <botan/hex.h> + +#if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER) + #include <botan/tls_session_manager_sqlite.h> +#endif + #include <string> #include <iostream> #include <memory> @@ -21,10 +26,6 @@ #define MSG_NOSIGNAL 0 #endif -#if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER) - #include <botan/tls_session_manager_sqlite.h> -#endif - #include "credentials.h" using namespace Botan; 
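Review bot: `BigInt n(argv[1])` and `to_u32bit(argv[2])` parse user-supplied strings with no try block, so a non-numeric argument most likely ends `is_prime_main` with an uncaught exception rather than the usage message and exit code 2 that the function otherwise promises; wrapping the two parses in a try/catch that prints the usage line and returns 2 keeps the exit-code contract stable for scripts that call this tool. The default `size_t prob = 56;` needs a one-line comment giving its unit (presumably the log2 of the accepted false-positive bound forwarded to `is_prime`; confirm against numthry.h), since a caller passing a small value weakens the test without any warning. The file uses `std::cerr` and `std::cout` and `AutoSeeded_RNG` but includes only `apps.h` and `numthry.h`; `#include <iostream>` (and the RNG header) would make the dependencies explicit instead of relying on transitive includes.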
@@ -147,9 +148,12 @@ int tls_client_main(int argc, char* argv[]) TLS::Policy policy; #if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER) - TLS::Session_Manager_SQLite session_manager("my secret passphrase", + const std::string passphrase = "correct horse battery staple"; + const std::string sessions_db = "sessions.db"; + + TLS::Session_Manager_SQLite session_manager(passphrase, rng, - "sessions.db"); + sessions_db); #else TLS::Session_Manager_In_Memory session_manager(rng); #endif @@ -188,7 +192,9 @@ int tls_client_main(int argc, char* argv[]) FD_SET(sockfd, &readfds); FD_SET(STDIN_FILENO, &readfds); - ::select(sockfd + 1, &readfds, nullptr, nullptr, nullptr); + struct timeval timeout = { 1, 0 }; + + ::select(sockfd + 1, &readfds, nullptr, nullptr, &timeout); if(FD_ISSET(sockfd, &readfds)) { @@ -247,6 +253,11 @@ int tls_client_main(int argc, char* argv[]) else client.send(buf, got); } + else + { + if(client.timeout_check()) + std::cerr << "Timeout detected\n"; + } } ::close(sockfd); diff --git a/src/lib/alloc/locking_allocator/locking_allocator.cpp b/src/lib/alloc/locking_allocator/locking_allocator.cpp index 4b66ea018..9ea1235e9 100644 --- a/src/lib/alloc/locking_allocator/locking_allocator.cpp +++ b/src/lib/alloc/locking_allocator/locking_allocator.cpp @@ -158,6 +158,12 @@ bool mlock_allocator::deallocate(void* p, size_t num_elems, size_t elem_size) if(!m_pool) return false; + /* + We do not have to zero the memory here, as + secure_allocator::deallocate does that for all arguments before + invoking the deallocator (us or delete[]) + */ + size_t n = num_elems * elem_size; /* diff --git a/src/lib/cert/x509/x509_ext.cpp b/src/lib/cert/x509/x509_ext.cpp index f56014ab7..db43ab175 100644 --- a/src/lib/cert/x509/x509_ext.cpp +++ b/src/lib/cert/x509/x509_ext.cpp 
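Review bot: The hard-coded `const std::string passphrase = "correct horse battery staple";` used for `Session_Manager_SQLite` means the `sessions.db` file written to the current directory, which presumably holds resumable TLS session state, is protected by a value that is public in the source tree; anyone who copies this sample client into a real program inherits an effectively unprotected session cache. Reading the passphrase from an environment variable or a command-line option, and tagging the constant with `// demo value only; a real client must supply its own passphrase`, would make the limitation explicit. `tls_client_main` starts and ends outside the hunk.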
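Review bot: The return value of `::select(sockfd + 1, &readfds, nullptr, nullptr, &timeout)` is still ignored after the switch to a 1-second `timeout`, and when select fails (for example with EINTR) the contents of `readfds` are unspecified, so the following `FD_ISSET` tests and the new timeout branch in the next hunk may act on stale descriptor state. Capturing the result, `const int rc = ::select(sockfd + 1, &readfds, nullptr, nullptr, &timeout);` followed by `if(rc < 0) { if(errno == EINTR) continue; break; }` (assuming the surrounding loop the context suggests), and treating only `rc == 0` as a timeout would keep `client.timeout_check()` from running on an error return. The `else` branch that prints `Timeout detected` only logs; if `timeout_check()` performs the retransmission itself that is fine, but a comment saying so would help since that is not visible here.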
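Review bot: The new comment in `mlock_allocator::deallocate` records an invariant that is enforced in a different translation unit (`secure_allocator::deallocate` zeroing the buffer before calling the deallocator), so a later change over there can silently leave locked pages un-scrubbed with nothing on this side to catch it. Naming the file in the comment and adding a matching note at the zeroing site, e.g. `// mlock_allocator::deallocate relies on this zeroing; keep it before the deallocator call`, ties the two halves together for the next maintainer. The function begins outside this hunk.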
@@ -63,6 +63,8 @@ Extensions& Extensions::operator=(const Extensions& other) std::make_pair(other.extensions[i].first->copy(), other.extensions[i].second)); + m_throw_on_unknown_critical = other.m_throw_on_unknown_critical; + return (*this); } diff --git a/src/lib/cert/x509/x509path.h b/src/lib/cert/x509/x509path.h index f7e57759e..05ed43a2e 100644 --- a/src/lib/cert/x509/x509path.h +++ b/src/lib/cert/x509/x509path.h @@ -122,7 +122,7 @@ class BOTAN_DLL Path_Validation_Result Path_Validation_Result(Certificate_Status_Code status) : m_overall(status) {} private: - friend Path_Validation_Result x509_path_validate( + friend Path_Validation_Result BOTAN_DLL x509_path_validate( const std::vector<X509_Certificate>& end_certs, const Path_Validation_Restrictions& restrictions, const std::vector<Certificate_Store*>& certstores); diff --git a/src/lib/entropy/egd/es_egd.cpp b/src/lib/entropy/egd/es_egd.cpp index c04acb4f3..e61d4ef82 100644 --- a/src/lib/entropy/egd/es_egd.cpp +++ b/src/lib/entropy/egd/es_egd.cpp @@ -43,7 +43,7 @@ int EGD_EntropySource::EGD_Socket::open_socket(const std::string& path) std::memset(&addr, 0, sizeof(addr)); addr.sun_family = PF_LOCAL; - if(sizeof(addr.sun_path) < path.length() + 1) + if(path.length() >= sizeof(addr.sun_path)) throw std::invalid_argument("EGD socket path is too long"); std::strncpy(addr.sun_path, path.c_str(), sizeof(addr.sun_path)); @@ -109,7 +109,7 @@ size_t EGD_EntropySource::EGD_Socket::read(byte outbuf[], size_t length) void EGD_EntropySource::EGD_Socket::close() { - if(m_fd > 0) + if(m_fd >= 0) { ::close(m_fd); m_fd = -1; diff --git a/src/lib/entropy/proc_walk/proc_walk.cpp b/src/lib/entropy/proc_walk/proc_walk.cpp index 5a72f46e5..f459a7e32 100644 --- a/src/lib/entropy/proc_walk/proc_walk.cpp +++ b/src/lib/entropy/proc_walk/proc_walk.cpp @@ -106,7 +106,7 @@ int Directory_Walker::next_fd() { int fd = ::open(full_path.c_str(), O_RDONLY | O_NOCTTY); - if(fd > 0) + if(fd >= 0) return fd; } } 
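Review bot: `Extensions::operator=` now copies `m_throw_on_unknown_critical`, but the copy constructor (not in this hunk) must do the same or copy-constructed `Extensions` objects will silently fall back to the default handling of unknown critical extensions, which is a validation-strictness setting; please confirm it is copied there too, or implement the copy constructor in terms of this operator so the member list lives in one place. A one-line comment above the assignment, `// policy flag must travel with the extension list`, would flag it for whoever adds the next member. The function starts outside the hunk.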
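Review bot: The rewritten bound in `EGD_Socket::open_socket`, `if(path.length() >= sizeof(addr.sun_path))`, is what guarantees the following `std::strncpy(addr.sun_path, path.c_str(), sizeof(addr.sun_path))` leaves at least one byte for the terminating NUL, but nothing in the code says so and a future reader may relax it to `>`; a comment such as `// strictly less than the buffer size so strncpy below always NUL-terminates` preserves the reasoning. The `m_fd >= 0` fix in `close()` in the second hunk is correct, since descriptor 0 is a valid return from socket(); the same `>= 0` convention could be stated once at the member declaration.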
diff --git a/src/lib/entropy/unix_procs/unix_procs.cpp b/src/lib/entropy/unix_procs/unix_procs.cpp index c36941f43..7925741bb 100644 --- a/src/lib/entropy/unix_procs/unix_procs.cpp +++ b/src/lib/entropy/unix_procs/unix_procs.cpp @@ -11,6 +11,7 @@ #include <botan/internal/unix_procs.h> #include <botan/parsing.h> #include <algorithm> +#include <atomic> #include <sys/time.h> #include <sys/stat.h> @@ -67,19 +68,25 @@ Unix_EntropySource::Unix_EntropySource(const std::vector<std::string>& trusted_p void UnixProcessInfo_EntropySource::poll(Entropy_Accumulator& accum) { - accum.add(::getpid(), 0.0); - accum.add(::getppid(), 0.0); - accum.add(::getuid(), 0.0); - accum.add(::getgid(), 0.0); - accum.add(::getsid(0), 0.0); - accum.add(::getpgrp(), 0.0); + static std::atomic<int> last_pid; + + int pid = ::getpid(); + + accum.add(pid, 0.0); + + if(pid != last_pid) + { + last_pid = pid; + accum.add(::getppid(), 0.0); + accum.add(::getuid(), 0.0); + accum.add(::getgid(), 0.0); + accum.add(::getsid(0), 0.0); + accum.add(::getpgrp(), 0.0); + } struct ::rusage usage; ::getrusage(RUSAGE_SELF, &usage); accum.add(usage, 0.0); - - ::getrusage(RUSAGE_CHILDREN, &usage); - accum.add(usage, 0.0); } namespace { diff --git a/src/lib/kdf/info.txt b/src/lib/kdf/info.txt index e9cbdeb1a..f33a4bc8d 100644 --- a/src/lib/kdf/info.txt +++ b/src/lib/kdf/info.txt @@ -2,4 +2,5 @@ define KDF_BASE 20131128 <requires> alloc +libstate </requires> diff --git a/src/lib/rng/hmac_rng/hmac_rng.cpp b/src/lib/rng/hmac_rng/hmac_rng.cpp index 7d8b54e84..153f85c80 100644 --- a/src/lib/rng/hmac_rng/hmac_rng.cpp +++ b/src/lib/rng/hmac_rng/hmac_rng.cpp @@ -95,6 +95,11 @@ void HMAC_RNG::randomize(byte out[], size_t length) const size_t max_per_prf_iter = m_prf->output_length() / 2; + m_output_since_reseed += length; + + if(m_output_since_reseed >= BOTAN_RNG_MAX_OUTPUT_BEFORE_RESEED) + reseed(BOTAN_RNG_RESEED_POLL_BITS); + /* HMAC KDF as described in E-t-E, using a CTXinfo of "rng" */ 
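Review bot: The `if(pid != last_pid)` / `last_pid = pid;` pair on the static `std::atomic<int> last_pid` in `UnixProcessInfo_EntropySource::poll` is a check-then-act that two threads polling concurrently can both pass, so both would add the identity values; the consequence is only redundant `accum.add` calls with a 0.0 estimate, but the block reads like a bug and needs a comment stating the intent: `// uid/gid/sid/pgrp are fixed for a process lifetime; a changed pid means we forked, so feed them again for the child`. `last_pid` at static storage should be zero-initialized, which is safe only because getpid() never returns 0, and that assumption is worth spelling out in the same comment. The `getrusage(RUSAGE_CHILDREN)` sample is dropped with no replacement; if that is deliberate (its estimate was 0.0 as well), a sentence in the commit message would save the next reader a search.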
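Review bot: In `HMAC_RNG::randomize` the new `m_output_since_reseed += length;` runs before the `reseed(BOTAN_RNG_RESEED_POLL_BITS)` check, so if `reseed()` resets `m_output_since_reseed` (its body is not visible here) the `length` bytes produced by this very call are not counted toward the next threshold, and a sequence of large requests can drift past the intended limit. Testing first and counting afterwards, `if(m_output_since_reseed + length >= BOTAN_RNG_MAX_OUTPUT_BEFORE_RESEED) reseed(BOTAN_RNG_RESEED_POLL_BITS);` then `m_output_since_reseed += length;`, keeps the accounting exact regardless of what reseed() does to the counter. The matching per-iteration check removed in the next hunk is the history side of this move and needs no separate note; the function continues outside both hunks.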
@@ -107,11 +112,6 @@ void HMAC_RNG::randomize(byte out[], size_t length) copy_mem(out, &m_K[0], copied); out += copied; length -= copied; - - m_output_since_reseed += copied; - - if(m_output_since_reseed >= BOTAN_RNG_MAX_OUTPUT_BEFORE_RESEED) - reseed(BOTAN_RNG_RESEED_POLL_BITS); } } diff --git a/src/lib/tls/tls_messages.h b/src/lib/tls/tls_messages.h index 626f6a1cf..a1634c8ad 100644 --- a/src/lib/tls/tls_messages.h +++ b/src/lib/tls/tls_messages.h @@ -210,7 +210,7 @@ class Server_Hello : public Handshake_Message bool secure_renegotiation() const { - return m_extensions.get<Renegotiation_Extension>(); + return m_extensions.has<Renegotiation_Extension>(); } std::vector<byte> renegotiation_info() const @@ -222,7 +222,7 @@ class Server_Hello : public Handshake_Message bool next_protocol_notification() const { - return m_extensions.get<Next_Protocol_Notification>(); + return m_extensions.has<Next_Protocol_Notification>(); } std::vector<std::string> next_protocols() const @@ -241,12 +241,12 @@ class Server_Hello : public Handshake_Message bool supports_session_ticket() const { - return m_extensions.get<Session_Ticket>(); + return m_extensions.has<Session_Ticket>(); } bool supports_heartbeats() const { - return m_extensions.get<Heartbeat_Support_Indicator>(); + return m_extensions.has<Heartbeat_Support_Indicator>(); } bool peer_can_send_heartbeats() const diff --git a/src/lib/utils/sqlite3/sqlite3.h b/src/lib/utils/sqlite3/sqlite3.h index aef04ab4d..3085ff0e3 100644 --- a/src/lib/utils/sqlite3/sqlite3.h +++ b/src/lib/utils/sqlite3/sqlite3.h @@ -56,8 +56,6 @@ class sqlite3_statement bool step(); - sqlite3_stmt* stmt() { return m_stmt; } - ~sqlite3_statement(); private: sqlite3_stmt* m_stmt; diff --git a/src/scripts/dist.py b/src/scripts/dist.py index 26da31d24..3929c9531 100755 --- a/src/scripts/dist.py +++ b/src/scripts/dist.py @@ -13,7 +13,6 @@ import logging import optparse import os import shlex -import StringIO import shutil import subprocess import sys 
diff --git a/src/tests/data/mp_valid.dat b/src/tests/data/mp_valid.dat index 1b45bf9bb..47a5df1f1 100644 --- a/src/tests/data/mp_valid.dat +++ b/src/tests/data/mp_valid.dat @@ -5419,6 +5419,10 @@ 2:1 3:1 4:0 +255:0 +257:1 +65517:0 +65521:1 65537:1 # This one passes Miller-Rabin with a base of 2, but not with most others @@ -5466,3 +5470,8 @@ 2701791887072337189992932234179329410389241899414841054215169960\ 1546741832617953638436279944072980418788682453341495300190580109\ 0622787969540076319408964006231:0 + +# Carmichael numbers +232250619601:0 +9746347772161:0 +340561:0 diff --git a/src/tests/test_pubkey.cpp b/src/tests/test_pubkey.cpp index 734ff1803..eec7e3bde 100644 --- a/src/tests/test_pubkey.cpp +++ b/src/tests/test_pubkey.cpp @@ -170,11 +170,11 @@ size_t validate_encryption(PK_Encryptor& e, PK_Decryptor& d, { std::vector<byte> message = hex_decode(input); std::vector<byte> expected = hex_decode(exp); - Fixed_Output_RNG rng(hex_decode(random)); + Fixed_Output_RNG kat_rng(hex_decode(random)); size_t fails = 0; - const std::vector<byte> ctext = e.encrypt(message, rng); + const std::vector<byte> ctext = e.encrypt(message, kat_rng); if(ctext != expected) { std::cout << "FAILED (encrypt): " << algo << std::endl; |