path: root/doc/news.rst

Commit log (each entry: subject, author, date, files changed, lines -removed/+added):
* Update release notes (Jack Lloyd, 2016-08-24, 1 file changed, -6/+42)
  [ci skip]
* Add release notes for 1.8.15 which escaped news.rst (Jack Lloyd, 2016-08-24, 1 file changed, -0/+13)
  [ci skip]
* Doc/relnote updates (Jack Lloyd, 2016-08-20, 1 file changed, -26/+46)
  [ci skip]
* Deprecations (Jack Lloyd, 2016-08-17, 1 file changed, -0/+7)
  [ci skip]
* Update news (Jack Lloyd, 2016-07-18, 1 file changed, -2/+5)
  [ci skip]
* Merge GH #533 DLIES changes (Jack Lloyd, 2016-07-17, 1 file changed, -0/+11)
* DLIES rework (Daniel Neus, 2016-07-13, 1 file changed, -0/+11)
  With these fixes the implementation is now compatible with bouncycastle and it should operate as it is specified in "DHIES: An encryption scheme based on Diffie-Hellman Problem" or in BSI technical guideline TR-02102-1. In addition to the already present XOR-encryption/decryption mode it's now possible to use DLIES with a block cipher.

  Previously the input to the KDF was the concatenation of the (ephemeral) public key and the secret value derived by the key agreement operation:

  ```cpp
  // old behaviour: KDF input = own public key || shared secret
  secure_vector<byte> vz(m_my_key.begin(), m_my_key.end());
  vz += m_ka.derive_key(0, m_other_key).bits_of();
  const size_t K_LENGTH = length + m_mac_keylen;
  secure_vector<byte> K = m_kdf->derive_key(K_LENGTH, vz);
  ```

  I don't know why this was implemented like this. But now the input to the KDF is only the secret value obtained by the key agreement operation. Furthermore the order of the output was changed from {public key, tag, ciphertext} to {public key, ciphertext, tag}.

  Multiple test vectors added that were generated with bouncycastle and some with botan itself.
* Merge GH #534 Update changelog with X9.23 bug fix (Jack Lloyd, 2016-07-17, 1 file changed, -0/+3)
* Update changelog with ANSI X9.23 padding bugfix (René Korthaus, 2016-07-13, 1 file changed, -0/+3)
* Fix undefined behavior in donna128 type (Jack Lloyd, 2016-07-15, 1 file changed, -0/+4)
  Caused Curve25519 tests to fail when compiled by Clang on ARM, may have affected other 32-bit platforms. GH #532
* Deprecate EGD (Jack Lloyd, 2016-07-11, 1 file changed, -0/+4)
* Update news.rst with changes so far for 1.11.31 (Jack Lloyd, 2016-07-04, 1 file changed, -0/+11)
  [ci skip]
* Tick to 1.11.31 (Jack Lloyd, 2016-06-19, 1 file changed, -0/+3)
  [ci skip]
* Update for 1.11.30 release [tag 1.11.30] (Jack Lloyd, 2016-06-19, 1 file changed, -1/+1)
* Update release notes (Jack Lloyd, 2016-06-18, 1 file changed, -3/+12)
  [ci skip]
* Update release notes (Jack Lloyd, 2016-06-03, 1 file changed, -9/+40)
  [ci skip]
* Fix GCM counter increment (Jack Lloyd, 2016-05-23, 1 file changed, -1/+12)
  GCM is defined as having a 32-bit counter, but CTR_BE incremented the counter across the entire block. This caused incorrect results if a very large message (2**39 bits) was processed, or if the GHASH derived nonce ended up having a counter field near to 2**32.

  Thanks to Juraj Somorovsky for the bug report and repro.
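The two increment rules that commit contrasts, as an added example (not Botan's code): `inc32` touches only the last four bytes and wraps mod 2^32, while the whole-block increment carries into the nonce-derived bytes once the low 32 bits overflow, so the keystream diverges exactly when the counter field nears 2^32. The `Block` type, the helper names and the 96-bit prefix in `counter_block` are assumptions made for the example.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>

using std::size_t; using std::uint8_t; using std::uint32_t;
using Block = std::array<uint8_t, 16>;

// Whole-block increment: treats all 128 bits as one big-endian integer,
// so a carry out of the low 32 bits changes the nonce-derived bytes.
Block inc_full_block(Block b) {
    for (size_t i = b.size(); i-- > 0;) {
        if (++b[i] != 0) break;  // stop once there is no carry
    }
    return b;
}

// GCM inc32: only the last four bytes form the counter, wrapping mod 2^32;
// bytes 0..11 (the GHASH/nonce-derived part) are never touched.
Block inc32(Block b) {
    uint32_t ctr = (uint32_t(b[12]) << 24) | (uint32_t(b[13]) << 16) |
                   (uint32_t(b[14]) << 8) | uint32_t(b[15]);
    ctr += 1;  // unsigned wrap-around is well defined
    b[12] = uint8_t(ctr >> 24); b[13] = uint8_t(ctr >> 16);
    b[14] = uint8_t(ctr >> 8);  b[15] = uint8_t(ctr);
    return b;
}

// Constructed counter block (assumption, not a real test vector): a fixed
// 96-bit prefix standing in for the nonce-derived part, plus a chosen
// 32-bit counter value.
Block counter_block(uint32_t ctr) {
    Block b{};
    for (size_t i = 0; i < 12; ++i) b[i] = uint8_t(0xA0 + i);
    b[12] = uint8_t(ctr >> 24); b[13] = uint8_t(ctr >> 16);
    b[14] = uint8_t(ctr >> 8);  b[15] = uint8_t(ctr);
    return b;
}

// Step both rules from the same start; return the 1-based step at which
// they first produce different counter blocks (hence different keystream),
// or 0 if they agree for all `steps` increments.
size_t first_divergence(const Block& start, size_t steps) {
    Block a = start, c = start;
    for (size_t i = 1; i <= steps; ++i) {
        a = inc32(a);
        c = inc_full_block(c);
        if (a != c) return i;
    }
    return 0;
}
```

Starting three below the wrap point, the rules agree for two increments and split on the third; a low counter value never diverges within a short message.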
* Update with changes since 1.11.29 (Jack Lloyd, 2016-05-06, 1 file changed, -1/+30)
* Doc updates (Jack Lloyd, 2016-04-28, 1 file changed, -0/+4)
  [ci skip]
* Update for 1.10.13 release (Jack Lloyd, 2016-04-23, 1 file changed, -0/+12)
* Don't reject TLS packets with zero plaintext bytes (Jack Lloyd, 2016-04-15, 1 file changed, -0/+5)
  OpenSSL sends an empty record before each new data record in TLS v1.0 to randomize the IV, as a countermeasure to the BEAST attack. Most implementations use 1/(n-1) splitting for this instead.

  Bug introduced with the const time changes in 1.11.23.
* Update OCB ciphersuites to follow new nonce scheme from -04 draft (Jack Lloyd, 2016-04-04, 1 file changed, -0/+5)
* Add IETF standard ChaCha20Poly1305 ciphersuites to TLS (Jack Lloyd, 2016-03-23, 1 file changed, -0/+12)
* Typo fix (Jack Lloyd, 2016-03-22, 1 file changed, -1/+1)
  [ci skip]
* Release 1.11.29 [tag 1.11.29] (Jack Lloyd, 2016-03-20, 1 file changed, -9/+78)
* Deprecate Rabin-Williams (Jack Lloyd, 2016-03-16, 1 file changed, -0/+4)
* add support for VirtualLock/VirtualUnlock on Windows (Daniel Neus, 2016-03-07, 1 file changed, -0/+2)
  equivalent to mlock on Unix to prevent swapping out of memory
* Update release notes (Jack Lloyd, 2016-02-20, 1 file changed, -0/+31)
  [ci skip]
* Bump version to 1.11.29 pre (Jack Lloyd, 2016-02-06, 1 file changed, -0/+5)
* Add info for 1.10.12 release (Jack Lloyd, 2016-02-03, 1 file changed, -0/+25)
  [ci skip]
* Fix two bugs in 1.11.27 which caused test failures. [tag 1.11.28] (Jack Lloyd, 2016-02-01, 1 file changed, -0/+6)
  The check on each individual size in curve_mul is too strict since we rely on redc(x*1) during the on-the-curve computation.

  Fix an off-by-one in ressol which caused it to occasionally reject valid values.

  Updating version 1.11.28 since existing 1.11.27 tag already pushed :(

  Fix an off-by-one in ressol which would cause it to occasionally give up too early.
* Update news for 1.11.27 release [tag 1.11.27] (Jack Lloyd, 2016-02-01, 1 file changed, -1/+13)
* Bump version to 1.11.27 pre (Jack Lloyd, 2016-01-17, 1 file changed, -0/+15)
* Release 1.11.26 [tag 1.11.26] (Jack Lloyd, 2016-01-04, 1 file changed, -1/+1)
* Fix configure.py for CPython 2.6 (Jack Lloyd, 2016-01-04, 1 file changed, -0/+7)
  Based on GH #362 by emilymaier
* Add ECDH via OpenSSL (Jack Lloyd, 2016-01-04, 1 file changed, -0/+2)
  Expose provider param in PK_Key_Agreement API

  Handle multiple providers in key agreement tests

  Fix some funky formatting of P-521 EC points in ecdh.vec which was being rejected by OpenSSL; for whatever reason the CAVS file had the affine coords with far more leading zeros than necessary.
* Use valgrind's memcheck API for checking const time annotations (Jack Lloyd, 2016-01-03, 1 file changed, -5/+12)
  Has the same effect as using ctgrind, but without requiring a custom-compiled valgrind binary.

  Add ct checking annotations to the SSSE3 AES code.
* Add extended master secret extension (RFC 7627) to TLS (Jack Lloyd, 2016-01-03, 1 file changed, -0/+7)
  Interop tested with mbed TLS
* Fix PointGFp multiplication bug (Jack Lloyd, 2016-01-03, 1 file changed, -6/+19)
  There was a special case for small scalars which managed to forget that the integer 3 also fits into two bits.

  Found by adding a new set of ECC point mul tests for the NIST curves.
* Use memcpy instead of misaligned pointer casts for reading words. (Jack Lloyd, 2015-12-31, 1 file changed, -0/+9)
  It works on x86, but C says it is undefined and it makes UBSan unhappy.

  Happily, this memcpy approach probably also works fine under processors which previously used the byte-at-a-time approach such as ARM. But for right now using memcpy here is still gated under the processor alignment flags.

  In my tests recent GCC and Clang seemed to produce basically identical code for either approach when using -O3; I imagine most compilers these days are very good at analyzing/inlining/unrolling memcpys.

  Also remove the manually unrolled versions of xor_buf, which caused problems with GCC and -O3 due to it vectorizing the loads into (aligned) SSE2 loads, which would fail when a misaligned pointer was passed. Which always seemed kind of bogus to me, but I guess that's what undefined behavior is for.

  Enable -O3 for GCC. With this change the test suite is clean under GCC ASan+UBSan and Clang ASan+UBSan, with the exception of one failure due to a bug in libstdc++ (GCC bug 60734) when compiled by Clang.
* Add missing assignment in DataSource::discard_next (Jack Lloyd, 2015-12-31, 1 file changed, -0/+4)
  Reported on the mailing list by Falko
* Add generalized KEM interface (Jack Lloyd, 2015-12-26, 1 file changed, -0/+8)
  Convert McEliece KEM to use it

  Add RSA-KEM
* Export mgf1_mask GH #380 (Jack Lloyd, 2015-12-25, 1 file changed, -0/+2)
* Guard all std::mem* ops against any call with zero length. (Jack Lloyd, 2015-12-25, 1 file changed, -0/+11)
  Calling memset, memmove, memcpy with an undefined or null pointer, even with length zero, causes undefined behavior. Prevent that from happening within the functions that call these dangerous things since allowing a caller to pass length == 0 with null or just past the end and not have things explode is nice.

  Oh C, you so crazy.
* Add TPM v1.2 support (RSA keygen/signing, RNG) (Jack Lloyd, 2015-12-19, 1 file changed, -1/+5)
* Merge pull request #370 from neusdan/rdseed (Jack Lloyd, 2015-12-19, 1 file changed, -0/+2)
  Add support for Intel RdSeed instruction
* add support for Intel RdSeed (Daniel Neus, 2015-12-18, 1 file changed, -0/+2)
* CLI rewrite (Jack Lloyd, 2015-12-19, 1 file changed, -2/+6)
  The command line tools' origin as a collection of examples and test programs glued together led to some unfortunate problems; lots of hardcoded values, missing parameters, and obsolete crypto.

  Adds a small library for writing command line programs of the sort needed here (cli.h), which cuts the length of many of the commands in half and makes commands more pleasant to write and extend. Generalizes a lot of the commands also, eg previously only signing/verification with DSA/SHA-1 was included!

  Removes the fuzzer entry point since that's fairly useless outside of an instrumented build.

  Removes the in-library API for benchmarking.
* Enable RdRand on Windows/MSVC (Daniel Neus, 2015-12-16, 1 file changed, -0/+2)
* Bump version to 1.11.26-pre (Jack Lloyd, 2015-12-11, 1 file changed, -0/+8)