aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Pipe::reset's requirement that a message be completed meant thatlloyd2012-05-182-2/+5
| | | | | | exceptions thrown in end_msg (for instance in CBC decryption when the padding is bad) more or less screwed up the pipe completely. Allowing reset here at least allows an escape hatch.
* We were checking the wrong bit for rdrand support. Found using SDE'slloyd2012-05-102-1/+4
| | | | | | | | -ivb_rdrnd_cpuid option to toggle the bit off and on. Fortunately on Intel processors the bit we were actually checking is also enabled by Ivy Bridge. However it is also used on AMD Bulldozer processors to signal half-precision floating point support so we could false positive there.
* Markus Wanner pointed out on the mailing list that using rdrand opcodelloyd2012-05-071-3/+8
| | | | | | | didn't work on older GCC/binutils. Instead hardcode the expression for rdrand %eax, which should work everywhere. Also, avoid including immintrin.h unless we're going to use it, to avoid problems with older compilers that lack that header (this caused build failures under GCC 3.4.6).
* Padding wasn't set for DSA keys. Irrelevant for cert verify as thatlloyd2012-05-022-3/+3
| | | | isn't working here anyway, but also broke DSA servers.
* Partially roll back b2aef16225863cef27cdee4b91703966b3ed1458, itlloyd2012-04-281-2/+2
| | | | caused huge performance issues with DSA/ECDSA signing performance.
* A few additional Camellia test vectorslloyd2012-04-271-0/+37
|
* For all but the first and last rounds, use a set of 64 bit tables tolloyd2012-04-273-92/+669
| | | | implement Camellia's F function. Roughtly 60 - 80% speedup on Nehalem.
* Add support for the rdrand instruction, added in Intel's Ivy Bridgelloyd2012-04-265-0/+114
| | | | | | | processors. Tested using SDE on Linux with GCC 4.6, Intel C++ 11.1, and Clang 3.0, all using the inline asm variant. I do not know if current Visual C++ has the intrinsics available or not, so it's only marked as available for those compilers at the moment.
* Patrick Pelletier noted on the mailing list that the implementation oflloyd2012-04-244-109/+191
| | | | | | | | | Camellia exposed by the OpenSSL module is parameterized by the key length, much as AES is, while the version in the main source uses a single name/type for all variants. For consistency, convert to using a key length parameterized name in our version as well. In the future this might allow for better loop unrolling, etc but currently we don't make use of that.
* Patrick Pelletier pointed out the hook for Qt_Mutex in libstate.cpplloyd2012-04-235-83/+3
| | | | | | | was broken, and after fixing that and trying to compile the module it becamse clear that the Qt mutex did not work at all with recent Qt versions. Taking this as a clear indicator that it is not being used, remove it.
* Fix various typos, and remove an unused macro in checks/bench.cpplloyd2012-04-238-20/+8
| | | | All reported by Patrick Pelletier.
* merge of '18430eaa6fe25e978f72f25c0531dab0aba55894'lloyd2012-04-206-8/+18
|\ | | | | | | and '50fa70d871f837c3c3338fabf5fb45649669aabf'
| * Avoid a few maintainer mode flag warnings. Remove -Weffc++ from thelloyd2012-04-206-8/+18
| | | | | | | | | | list of maintainer mode flags. It produces some very useful warnings, but also a lot of noisy junk that I really don't care about.
* | Some fixes for very minimal builds (typically due to --no-autoload)lloyd2012-04-203-0/+14
|/
* merge of '058444ec216dd9690938c82922d911df2da535b4'lloyd2012-04-091-4/+4
|\ | | | | | | and 'bc49da394c675517b140a404c19094020d6e9d40'
| * The comments incorrectly described end as returning the last element,lloyd2012-04-091-4/+4
| | | | | | | | | | rather than one past the end. Reported by Stuart Maclean on the mailing list.
* | Use just 256 bits of secret exponent (recomended value in RFC 5054).lloyd2012-04-064-21/+22
| | | | | | | | | | | | | | Much faster, especially when using 8192 bit groups as OpenSSL does by default. Use BOTAN_DLL symbol visibility macros.
* | Remove the client SRP6 class, really free standing functions are finelloyd2012-04-053-47/+152
|/ | | | | | | | | | | for this. Add a new function that identifies a named SRP group from the N/g params - this is important as we need to verify the SRP groups, the easiest way to do that is to to force them to be a known/published value. Add the 1536, 3072, 4096, 6144, and 8192 bit groups from RFC 5054
* Add more comments explaining what is going on in dl_work_factorlloyd2012-03-302-28/+29
|
* Don't require a <source> entry in info.txt, if not set use *.cpplloyd2012-03-161-11/+13
|
* In Python 3 subprocess returns bytes instead of strings. We canlloyd2012-03-141-8/+22
| | | | | | | | | | | convert using bytes.decode, but that's not available in Python 2.5 and there doesn't seem to be a good way to test for it at runtime. Instead use a slight hack of calling subprocess with universal_newlines=True, which causes Py3k subprocess to assume the output is UTF-8 and decode accordingly (this should be fine in these cases since monotone will output a hex string and GCC will just output a version number). On Python 2 it's mostly ignored (especially as we call strip on the result anyway).
* Typo in commentlloyd2012-03-091-1/+1
|
* Allow the semi-standard but rarely used 1.3.132.1.12 OID for ECDH keyslloyd2012-02-211-1/+13
| | | | | on decoding by default, and add a comment showing how to enable it for encoding.
* The benchmark examples ran very slowly because they were passinglloyd2012-02-204-5/+5
| | | | | | | 16*1024 to an argument that treated those values as KiB, it took the RNG ~3 seconds to create 16 MiB of data to randomize the input. Change to 16. Also cap the value that can be passed to --buf-size to 1024, for a 1 MiB buffer.
* Avoid blocking more than 100 ms in the random device reader. Scale uplloyd2012-02-202-4/+8
| | | | | | | how much we ask for on the basis of how many bits we're counting each byte as contributing. Change /dev/*random estimate to 7 bits per byte. Small cleanup in HMAC_RNG.
* Avoid having more than one directory open at a time by just keeping alloyd2012-02-201-28/+49
| | | | | list of directory names (without the open DIRs) plus the one currently active dir.
* Be more conservative about entropy estimates. In particular, insteadlloyd2012-02-175-7/+7
| | | | | | | | | | | | | of giving /dev/random, EGD, and CryptoAPI a full 8 bits per byte of entropy, estimate at 6 bits. In the proc walker, allow more files to be read, read more of any particular file, and count each bit for 1/10 as much as before. Reading more of the file seems especially valuable, as some files are quite random, whereas others are very static, and this should ensure we read more of the actually unpredictable inputs. Prefer /dev/random over /dev/urandom
* Force a reseed in HMAC_RNG after 20 bytes have been added, rather thanlloyd2012-02-151-5/+12
| | | | | | waiting for a full kilobyte. This is for the benefit of DSA/ECDSA which want a call to add_entropy to update the state in some way, passing just a hash input which might be as small as 20 bytes.
* Support ECDH key creation in the key factory function. Patch from Seanlloyd2012-02-031-0/+14
| | | | Cassidy, sent to the mailing list.
* Whitespacelloyd2012-02-022-4/+3
|
* Disable this version of the SSL code by defaultlloyd2012-02-012-2/+10
|
* Remove debug printfs, stdio includeslloyd2012-01-303-11/+0
|
* Pointer writing seems cleanerlloyd2012-01-302-102/+102
|
* Partially de-unroll the loop to make changes easierlloyd2012-01-301-86/+41
|
* Add a slow but functional implementation of Camellialloyd2012-01-287-1/+428
|
* Fix lib suffixlloyd2012-01-252-3/+9
|
* Fix -Wreorder warninglloyd2012-01-251-1/+1
|
* Use initializer list, make destructor virtuallloyd2012-01-061-2/+2
|
* Remove the autheticator generation from the SRP code as it's not usedlloyd2011-12-314-52/+143
| | | | | by TLS (relies on the finished message check). Add a class for reading files created by GnuTLS's srptool.
* A bad decrypt on a TLS 1.0/1.1 message would cause a mostly infinitelloyd2011-12-311-1/+6
| | | | | loop (size_t overflow), likely causing a segfault. Not exploitable as far as I can tell, beyond the obvious crashing.
* Dirty hack to support multiple 'define' options in a module info file.lloyd2011-12-231-8/+16
| | | | | | | | If the default value is a list we will append to it instead of overwriting it. (Previouly, multiple define targets 'worked' with last one winning as the values were progressively overwritten). This might be useful for other things, compiler warning options maybe?
* Add code point for the SRP identifier extension and add a check for itlloyd2011-12-173-0/+13
| | | | | in the Client_Hello parser. Works, tested with GnuTLS command line client.
* Initial run at an SRP-6a implementation. Not entirely sure about thelloyd2011-12-175-0/+291
| | | | | interface but it's a plausible start. Will probably have more insights after adding TLS hooks.
* Add the 2048 bit SRP group from RFC 5054lloyd2011-12-171-0/+15
|
* Basic instructions for building the docslloyd2011-12-171-5/+17
|
* Make this exception somewhat more understandable. I think.lloyd2011-12-171-1/+1
|
* Add TCHead to list of userslloyd2011-12-171-0/+3
|
* Use LoadLibraryA instead of bare LoadLibrary so things work if used inlloyd2011-12-131-1/+1
| | | | an amalgamation and the app is compiled in Unicode mode.
* Fix readme URLslloyd2011-12-081-4/+4
|
* Fix PR 166lloyd2011-12-081-5/+9
|