aboutsummaryrefslogtreecommitdiffstats
path: root/doc
Commit message (Collapse)AuthorAgeFilesLines
* Update newsJack Lloyd2016-07-181-2/+5
| | | | [ci skip]
* Merge GH #520 RNG changesJack Lloyd2016-07-181-82/+51
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Adds Stateful_RNG base class which handles reseeding after some amount of output (configurable at instantiation time, defaults to the build.h value) as well as detecting forks (just using pid comparisons, so still vulnerable to pid wraparound). Implemented by HMAC_RNG and HMAC_DRBG. I did not update X9.31 since its underlying RNG should already be fork safe and handle reseeding at the appropriate time, since a new block is taken from the underlying RNG (for the datetime vector) for each block of output. Adds RNG::randomize_with_input which for most PRNGs is just a call to add_entropy followed by randomize. However for HMAC_DRBG it is used for additional input. Adds tests for HMAC_DRBG with AD from the CAVS file. RNG::add_entropy is implemented by System_RNG now, as both CryptGenRandom and /dev/urandom support receiving application provided data. The AutoSeeded_RNG underlying type is currently selectable in build.h and defaults to HMAC_DRBG(SHA-256). AutoSeeded_RNG provides additional input with each output request, consisting of the current pid, a counter, and timestamp (unless the application explicitly calls randomize_with_input, in which case we just take what they provided). This is the same hedge used in HMAC_RNGs output PRF. AutoSeeded_RNG is part of the base library now and cannot be compiled out. Removes Entropy_Accumulator type (which just served to bridge between the RNG and the entropy source), instead the Entropy_Source is passed a reference to the RNG being reseeded, and it can call add_entropy on whatever it can come up with.
| * Add Stateful_RNGJack Lloyd2016-07-171-82/+51
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Handles fork checking for HMAC_RNG and HMAC_DRBG AutoSeeded_RNG change - switch to HMAC_DRBG as default. Start removing the io buffer from entropy poller. Update default RNG poll bits to 256. Fix McEliece test, was using wrong RNG API. Update docs.
* | Merge GH #533 DLIES changesJack Lloyd2016-07-173-0/+18
|\ \
| * | DLIES reworkDaniel Neus2016-07-133-0/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | With these fixes the implementation is now compatible with bouncycastle and it should operate as it is specified in "DHIES: An encryption scheme based on Diffie-Hellman Problem" or in BSI technical guideline TR-02102-1. In addition to the already present XOR-encrypion/decryption mode it's now possible to use DLIES with a block cipher. Previously the input to the KDF was the concatenation of the (ephemeral) public key and the secret value derived by the key agreement operation: ``` secure_vector<byte> vz(m_my_key.begin(), m_my_key.end()); vz += m_ka.derive_key(0, m_other_key).bits_of(); const size_t K_LENGTH = length + m_mac_keylen; secure_vector<byte> K = m_kdf->derive_key(K_LENGTH, vz); ``` I don't know why this was implemented like this. But now the input to the KDF is only the secret value obtained by the key agreement operation. Furthermore the order of the output was changed from {public key, tag, ciphertext} to {public key, ciphertext, tag}. Multiple test vectors added that were generated with bouncycastle and some with botan itself.
* | | Merge GH #534 Update changelog with X9.23 bug fixJack Lloyd2016-07-171-0/+3
|\ \ \ | |_|/ |/| |
| * | Update changelog with ANSI X9.23 padding bugfixRené Korthaus2016-07-131-0/+3
| |/
* / Fix undefined behavior in donna128 typeJack Lloyd2016-07-151-0/+4
|/ | | | | | | Caused Curve25519 tests to fail when compiled by Clang on ARM, may have affected other 32-bit platforms. GH #532
* Deprecate EGDJack Lloyd2016-07-111-0/+4
|
* Update news.rst with changes so far for 1.11.31Jack Lloyd2016-07-041-0/+11
| | | | [ci skip]
* Merge GH #504 Add ECKCDSAJack Lloyd2016-06-201-0/+7
|\
| * Add entry to creditsRené Korthaus2016-06-141-0/+7
| |
* | Merge GH #483 Add ECIES and KDF1 from ISO 18033Jack Lloyd2016-06-201-6/+12
|\ \
| * \ Merge remote-tracking branch 'remotes/origin/master' into eciesPhilipp Weber2016-05-303-3/+50
| |\ \
| * | | add ecies implementation according to iso-18033Philipp Weber2016-04-271-1/+1
| | | |
| * | | add kdf1 implementation according to iso-18033 (preparation for ecies)Philipp Weber2016-04-271-0/+6
| | | |
* | | | Tick to 1.11.31Jack Lloyd2016-06-191-0/+3
| | | | | | | | | | | | | | | | [ci skip]
* | | | Update for 1.11.30 release1.11.30Jack Lloyd2016-06-191-1/+1
| | | |
* | | | Update release notesJack Lloyd2016-06-181-3/+12
| | | | | | | | | | | | | | | | [ci skip]
* | | | Merge GH #497 Add StreamCipher::seek and implementation for ChaChaJack Lloyd2016-06-182-0/+8
|\ \ \ \ | | | | | | | | | | | | | | | Also adds ChaCha8 support
| * | | | Adding StreamCipher::seek interface, supporting seek in ChaCha, and also ↵SimCog2016-06-182-0/+8
| | |_|/ | |/| | | | | | | | | | adding ChaCha8 support
* / | | Fix bug that prevents LaTeX documentation from being builtMouse2016-06-171-1/+1
|/ / /
* | / Update release notesJack Lloyd2016-06-032-9/+41
| |/ |/| | | | | [ci skip]
* | Fix GCM counter incrementJack Lloyd2016-05-231-1/+12
| | | | | | | | | | | | | | | | | | GCM is defined as having a 32-bit counter, but CTR_BE incremented the counter across the entire block. This caused incorrect results if a very large message (2**39 bits) was processed, or if the GHASH derived nonce ended up having a counter field near to 2**32 Thanks to Juraj Somorovsky for the bug report and repro.
* | Update with changes since 1.11.29Jack Lloyd2016-05-061-1/+30
| |
* | Doc updatesJack Lloyd2016-04-283-3/+10
|/ | | | [ci skip]
* Update for 1.10.13 releaseJack Lloyd2016-04-231-0/+12
|
* Remove Transform base classJack Lloyd2016-04-211-27/+63
| | | | | | | | | | | | | | | | | | | | | | With sufficient squinting, Transform provided an abstract base interface that covered both cipher modes and compression algorithms. However it mapped on neither of them particularly well. In addition this API had the same problem that has made me dislike the Pipe/Filter API: given a Transform&, what does it do when you put bits in? Maybe it encrypts. Maybe it compresses. It's a floor wax and a dessert topping! Currently the Cipher_Mode interface is left mostly unchanged, with the APIs previously on Transform just moved down the type hierarchy. I think there are some definite improvements possible here, wrt handling of in-place encryption, but left for a later commit. The compression API is split into two types, Compression_Algorithm and Decompression_Algorithm. Compression_Algorithm's start() call takes the compression level, allowing varying compressions with a single object. And flushing the compression state is moved to a bool param on `Compression_Algorithm::update`. All the nonsense WRT compression algorithms having zero length nonces, input granularity rules, etc as a result of using the Transform interface goes away.
* Specific ideas re PGP supportJack Lloyd2016-04-151-3/+15
|
* Don't reject TLS packets with zero plaintext bytesJack Lloyd2016-04-151-0/+5
| | | | | | | | OpenSSL sends an empty record before each new data record in TLS v1.0 to randomize the IV, as a countermeasure to the BEAST attack. Most implementations use 1/(n-1) splitting for this instead. Bug introduced with the const time changes in 1.11.23
* Fix formatting bugs in TLS docJack Lloyd2016-04-131-11/+6
| | | | | | | Fixes GH #460 Closes GH #474 [ci skip]
* Add support for ChaCha(12)Jack Lloyd2016-04-091-1/+0
|
* Update OCB ciphersuites to follow new nonce scheme from -04 draftJack Lloyd2016-04-041-0/+5
|
* More todosJack Lloyd2016-04-031-2/+8
|
* Add IETF standard ChaCha20Poly1305 ciphersuites to TLSJack Lloyd2016-03-232-1/+12
|
* Typo fixJack Lloyd2016-03-221-1/+1
| | | | [ci skip]
* Release 1.11.291.11.29Jack Lloyd2016-03-202-11/+103
|
* Remove support for TLS v1.2 MD5 and SHA-224 signatures.Jack Lloyd2016-03-171-7/+4
| | | | | | | | | Remove support for weak ECC curves (anything under P-256) from TLS. This includes secp256k1 since we don't take advantage of the special form for any performance advantage; might as well use P-256. The manual still mentioned that it was possible to use MD5 in Policy::allowed_macs, but all HMAC-MD5 suites are already removed.
* Deprecate Rabin-WilliamsJack Lloyd2016-03-161-0/+4
|
* Merge GH #454 X.509 name constraintsJack Lloyd2016-03-162-1/+1
|\
| * Changes from GH #454 reviewJack Lloyd2016-03-162-1/+1
| |
* | TLS client featuresJack Lloyd2016-03-161-3/+8
| | | | | | | | | | | | Add flags --policy, --print-certs, --tls1.0, --tls1.1, --tls1.2 Update todo
* | Merge GH #450 Add support for Windows VirtualLockJack Lloyd2016-03-102-1/+3
|\ \
| * | add support for VirtualLock/VirtualUnlock on WindowsDaniel Neus2016-03-072-1/+3
| | | | | | | | | | | | equivalent to mlock on Unix to prevent swapping out of memory
* | | Add section on fork safety to rng manualRené Korthaus2016-03-081-0/+19
|/ /
* / Use a distinct PGP for signing git commits.Jack Lloyd2016-03-031-1/+35
|/ | | | New key is signed with my existing key.
* Update release notesJack Lloyd2016-02-201-0/+31
| | | | [ci skip]
* Fix formatting GH #415Jack Lloyd2016-02-172-24/+32
| | | | [ci skip]
* Update iOS build instructionsRené Korthaus2016-02-071-16/+16
| | | When building for iOS, you want to build for all three architectures, so you can run your app on an iOS device and on the simulator.
* Bump version to 1.11.29 preJack Lloyd2016-02-061-0/+5
|