| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|\
| |
| |
| | |
[ci skip]
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Moves x25519 to the front for best by-default side channel resistance,
and orders remaining NIST/BP curves by performance rather than size.
That means putting P-521 before P-384, since P-521 is much faster at
least in Botan (due to much simpler modular reduction for P-521 prime),
and Brainpools to the end due to being quite slow (no fast reductions).
All of the supported curves seem strong enough, and if someone can break
P-256 they can probably break P-384 as well so there doesn't seem much
advantage in preferring slower curves by default.
|
| |
| |
| |
| |
| | |
Recent Clang complains about forward decl as 'class X' when X was
actually declared as a struct.
|
|\ \ |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Tested against BoringSSL (as client + server) and google.com (as client).
Fix a stupid crashing bug in NewHope's BoringSSL mode.
Remove unneeded error return from curve25519_donna - always returned 0.
Default policy prefers ChaChaPoly1305 over GCM and CECPQ1 over ECDH/DH, which
means the default no-extra-configuration ciphersuite (for Botan client speaking
to Botan server) is a ciphersuite which is both implemented in constant time
on all platforms and (hopefully) provides post quantum security. Good Things.
|
| | |
| | |
| | |
| | | |
Add some try/catch blocks to the X.509 tests, and use create_private_key API
|
| | | |
|
| | |
| | |
| | |
| | |
| | | |
No need to strictly require it, and some applications may only want
system RNG or RDRAND.
|
|/ /
| |
| |
| |
| | |
It is allowable to request the maximum length, just not more than it.
Found after about 22K runs of the TLS tests.
|
| | |
|
| |
| |
| |
| |
| | |
Also CCM OIDS, and SHA-384/SHA-512 DSA OIDs. All from NIST:
http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/algorithms.html
|
| | |
|
|\ \ |
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | | |
This required fixing some test vectors that previously
omitted the MAC, defaulting to HMAC, that used the SHA-1
alias to SHA-160, and fixing X942_PRF::name().
|
|\ \ \
| | |/
| |/| |
|
| | | |
|
| | | |
|
| | |
| | |
| | |
| | | |
[ci skip]
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Several sites including oracle.com seem to send extension 11
(point format) even if we (the client) did not send it. Then the
handshake fails. To workaround this problem, simply always send this
extension as the client, instead of only sending it if we wished to
support compressed points.
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | | |
The current session established cb happens before the session is
activated, so it is not possible to send application data in
response to the connection being made.
|
| | | |
|
| | |
| | |
| | |
| | |
| | | |
Not really needed (don't have a cross python to run) and avoids
the unfortunate random test failures.
|
| | | |
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
There is a simple bit flip corruption test for the TLS stack: we
shouldn't negotiate correctly if any random bit gets flipped. But it
turns out this is not entirely true as the record layer version field
is effectively ignored except for distinguishing TLS vs DTLS. So a small
bitflip in that field is sometimes ignored, causing the test to fail.
Make sure we modify something in the body instead.
|
| |/
|/| |
|
|\ \ |
|
| | | |
|
| | | |
|
| | | |
|
| | |
| | |
| | |
| | |
| | | |
ESP padding is one of the recommended padding
methods from BSI-TR-02102-1.
|
|\ \ \ |
|
| | | | |
|
| |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Adds the full HKDF as class HKDF, renames the existing HKDF,
which only implemented the expansion step, to HKDF_Expand
and adds the extraction step as HKDF_Extract.
The latter two are usually only used seperately in
protocols such as TLS. A normal user would go for the
full HKDF.
|
| | |
| | |
| | |
| | | |
[ci skip]
|
| | |
| | |
| | |
| | |
| | |
| | | |
Previously ran inside of BuildConfigurationInformation's constructor
[ci skip]
|
|\ \ \
| |/ /
|/| | |
|
|/ / |
|
| |
| |
| |
| |
| |
| |
| | |
This prevents the test suite from globbing all the XMSS tests
together under "XMSS/Raw"; since XMSS ignores the padding anyway,
pretend the param string is the padding which causes the normal
logic in the signature test code to do the right thing.
|
| |
| |
| |
| | |
[ci skip]
|
| | |
|
| | |
|
| | |
|