| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
[ci skip]
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Adds Stateful_RNG base class which handles reseeding after some
amount of output (configurable at instantiation time, defaults to
the build.h value) as well as detecting forks (just using pid
comparisons, so still vulnerable to pid wraparound). Implemented
by HMAC_RNG and HMAC_DRBG. I did not update X9.31 since its
underlying RNG should already be fork safe and handle reseeding
at the appropriate time, since a new block is taken from the
underlying RNG (for the datetime vector) for each block of
output.
Adds RNG::randomize_with_input which for most PRNGs is just a
call to add_entropy followed by randomize. However for HMAC_DRBG
it is used for additional input. Adds tests for HMAC_DRBG with AD
from the CAVS file.
RNG::add_entropy is implemented by System_RNG now, as both
CryptGenRandom and /dev/urandom support receiving application
provided data.
The AutoSeeded_RNG underlying type is currently selectable in
build.h and defaults to HMAC_DRBG(SHA-256). AutoSeeded_RNG
provides additional input with each output request, consisting of
the current pid, a counter, and timestamp (unless the application
explicitly calls randomize_with_input, in which case we just take
what they provided). This is the same hedge used in HMAC_RNGs
output PRF.
AutoSeeded_RNG is part of the base library now and cannot be
compiled out.
Removes Entropy_Accumulator type (which just served to bridge
between the RNG and the entropy source), instead the
Entropy_Source is passed a reference to the RNG being reseeded,
and it can call add_entropy on whatever it can come up with.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Handles fork checking for HMAC_RNG and HMAC_DRBG
AutoSeeded_RNG change - switch to HMAC_DRBG as default.
Start removing the io buffer from entropy poller.
Update default RNG poll bits to 256.
Fix McEliece test, was using wrong RNG API.
Update docs.
|
|\ \ |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
With these fixes the implementation is now compatible with bouncycastle and it should operate
as it is specified in "DHIES: An encryption scheme based on Diffie-Hellman Problem" or in BSI
technical guideline TR-02102-1.
In addition to the already present XOR-encrypion/decryption mode it's now possible to use DLIES with a block cipher.
Previously the input to the KDF was the concatenation of the (ephemeral) public key
and the secret value derived by the key agreement operation:
```
secure_vector<byte> vz(m_my_key.begin(), m_my_key.end());
vz += m_ka.derive_key(0, m_other_key).bits_of();
const size_t K_LENGTH = length + m_mac_keylen;
secure_vector<byte> K = m_kdf->derive_key(K_LENGTH, vz);
```
I don't know why this was implemented like this. But now the input to the KDF is only the secret value obtained by the key agreement operation.
Furthermore the order of the output was changed from {public key, tag, ciphertext} to {public key, ciphertext, tag}.
Multiple test vectors added that were generated with bouncycastle and some with botan itself.
|
|\ \ \
| |_|/
|/| | |
|
| |/ |
|
|/
|
|
|
|
|
| |
Caused Curve25519 tests to fail when compiled by Clang on ARM, may have
affected other 32-bit platforms.
GH #532
|
| |
|
|
|
|
| |
[ci skip]
|
|\ |
|
| | |
|
|\ \ |
|
| |\ \ |
|
| | | | |
|
| | | | |
|
| | | |
| | | |
| | | |
| | | | |
[ci skip]
|
| | | | |
|
| | | |
| | | |
| | | |
| | | | |
[ci skip]
|
|\ \ \ \
| | | | |
| | | | |
| | | | | |
Also adds ChaCha8 support
|
| | |_|/
| |/| |
| | | |
| | | | |
adding ChaCha8 support
|
|/ / / |
|
| |/
|/|
| |
| | |
[ci skip]
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
GCM is defined as having a 32-bit counter, but CTR_BE incremented the
counter across the entire block. This caused incorrect results if
a very large message (2**39 bits) was processed, or if the GHASH
derived nonce ended up having a counter field near to 2**32
Thanks to Juraj Somorovsky for the bug report and repro.
|
| | |
|
|/
|
|
| |
[ci skip]
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With sufficient squinting, Transform provided an abstract base
interface that covered both cipher modes and compression algorithms.
However it mapped on neither of them particularly well. In addition
this API had the same problem that has made me dislike the Pipe/Filter
API: given a Transform&, what does it do when you put bits in? Maybe
it encrypts. Maybe it compresses. It's a floor wax and a dessert topping!
Currently the Cipher_Mode interface is left mostly unchanged, with the
APIs previously on Transform just moved down the type hierarchy. I
think there are some definite improvements possible here, wrt handling
of in-place encryption, but left for a later commit.
The compression API is split into two types, Compression_Algorithm and
Decompression_Algorithm. Compression_Algorithm's start() call takes
the compression level, allowing varying compressions with a single
object. And flushing the compression state is moved to a bool param on
`Compression_Algorithm::update`. All the nonsense WRT compression
algorithms having zero length nonces, input granularity rules, etc
as a result of using the Transform interface goes away.
|
| |
|
|
|
|
|
|
|
|
| |
OpenSSL sends an empty record before each new data record in TLS v1.0
to randomize the IV, as a countermeasure to the BEAST attack. Most
implementations use 1/(n-1) splitting for this instead.
Bug introduced with the const time changes in 1.11.23
|
|
|
|
|
|
|
| |
Fixes GH #460
Closes GH #474
[ci skip]
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
[ci skip]
|
| |
|
|
|
|
|
|
|
|
|
| |
Remove support for weak ECC curves (anything under P-256) from TLS.
This includes secp256k1 since we don't take advantage of the special
form for any performance advantage; might as well use P-256.
The manual still mentioned that it was possible to use MD5 in
Policy::allowed_macs, but all HMAC-MD5 suites are already removed.
|
| |
|
|\ |
|
| | |
|
| |
| |
| |
| |
| |
| | |
Add flags --policy, --print-certs, --tls1.0, --tls1.1, --tls1.2
Update todo
|
|\ \ |
|
| | |
| | |
| | |
| | | |
equivalent to mlock on Unix to prevent swapping out of memory
|
|/ / |
|
|/
|
|
| |
New key is signed with my existing key.
|
|
|
|
| |
[ci skip]
|
|
|
|
| |
[ci skip]
|
|
|
| |
When building for iOS, you want to build for all three architectures, so you can run your app on an iOS device and on the simulator.
|
| |
|