| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
| |
Gather entropy from system call getentropy(2). This is available
since in OpenBSD 5.6 and Solaris 11.3. It can provide up to 256
bytes entropy from the kernel without blocking. As a system call
it does not need a file descriptor and works in chroot(2) environments
without device nodes.
|
|
|
|
|
| |
Montgomery ladder with order.bits()/2 bit scalar blinding and point
randomization
|
|
|
|
|
|
| |
Already pkg-config had this, was missed in GH #802
See also GH #830
|
|
|
|
| |
these don't exist anymore
|
| |
|
|
|
|
|
|
|
|
| |
All this is just standard C that the user should not touch, so it doesn't
really make sense to have it in the build.h template file.
Remove BOTAN_TARGET_CPU_HAS_KNOWN_ENDIANESS - only used twice (in loadstor.h)
and that code is clearer without it.
|
| |
|
|
|
|
| |
Only works for GCC and Clang
|
|
|
|
|
|
| |
One additional, application-specific curve can be added
at compile time, using the new
configure.py --house-curve=curve.pem,funky311,1.2.3.4,FEFF.
|
|
|
|
|
|
|
| |
Have the /proc setting in build.h actually control the entropy source
configuration (!)
GH #708
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rarely expected and often causes performance problems, especially for private keys.
Instead applications should call check_key explicitly to validate keys when
necessary.
Note this removal doesn't apply to tests like ECDH on-the-curve tests, where a check
on the public key is required for security of our own key.
Updates most APIs to remove RNG calls, where they are no longer required. Exception
is PKCS8 interface, pending further work there (see GH #685) it just ignores the RNG
argument now.
|
|
|
|
|
|
|
|
|
|
|
| |
Originally from https://github.com/randombit/botan-fuzzers but
merging to the main tree (without the corpus files, since I suspect
the corpus files in that repo are not useful anymore)
Adds --unsafe-fuzzer-mode which can be used to selectively disable
cryptographic checks which get in the way of fuzzer testing. This
setting is reflected in build.h and in the version string. Right
now it doesn't actually disable anything.
|
|
|
|
|
| |
Change AutoSeeded_RNG to use SHA-384, SHA-256, SHA-3(256), or SHA-1,
whichever is available (in that order).
|
|
|
|
|
|
|
|
| |
Also emit `#pragma GCC target` in the ISA specific amalgamation files.
This allows compiling without any special compiler flags, at least
with GCC 6.2 and Clang 3.8. The ISA annotations are ignored in MSVC,
which just emits whatever instruction the intrinsic requires.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change reseed interval logic to count calls to `randomize` rather than
bytes, to match SP 800-90A
Changes RNG reseeding API: there is no implicit reference to the
global entropy sources within the RNGs anymore. The entropy sources
must be supplied with the API call. Adds support for reseding directly
from another RNG (such as a system or hardware RNG).
Stateful_RNG keeps optional references to both an RNG and a set of
entropy sources. During a reseed, both sources are used if set.
These can be provided to HMAC_DRBG constructor.
For HMAC_DRBG, SP800-90A requires we output no more than 2**16 bytes
per DRBG request. We treat requests longer than that as if the caller
had instead made several sequential maximum-length requests. This
means it is possible for one or more reseeds to trigger even in the
course of generating a single (long) output (generate a 256-bit key
and use ChaCha or HKDF if this is a problem).
Adds RNG::randomize_with_ts_input which takes timestamps and uses them
as the additional_data DRBG field. Stateful_RNG overrides this to also
include the process ID and the reseed counter. AutoSeeded_RNG's
`randomize` uses this.
Officially deprecates RNG::make_rng and the Serialized_RNG construtor
which creates an AutoSeeded_RNG. With these removed, it would be
possible to perform a build with no AutoSeeded_RNG/HMAC_DRBG at all
(eg, for applications which only use the system RNG).
Tests courtesy @cordney in GH PRs #598 and #600
|
|\
| |
| |
| | |
See also GH #587
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Removes user and hostname: as mentioned by a downstream maintainer, the
information should not be included in packages. In our projects, the
information is contained in the amalgamation check-in commit message.
Removes timestamp: this ensures that the header content is equal in two
equal configure runs.
Both changes together make it possible to effectively use compiler
caches for Botan (ccache on Unix, in direct mode; clcache on Windows).
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds a fast fail when trying to build Botan configured for 32 bit
using a 64 bit compiler or vice versa.
Check running
python configure.py --cpu="x86_32" && make
python configure.py --cpu="x86_64" && make
or
python configure.py && nmake
on 64 bit Windows in a 32 bit Command Prompt.
Closes #456.
|
|
|
|
|
|
| |
Fix BeOS stat reader - was calling wrong function on the rng.
Remove entropy estimate defines from build.h, no longer used.
|
|
|
|
|
|
|
|
|
| |
Use consistent naming for the max output before reseed
parameter. The constant (default) value is renamed to
BOTAN_RNG_DEFAULT_MAX_OUTPUT_BEFORE_RESEED, since without
the DEFAULT_ it reads like a compile time maximum instead.
Use uint8_t instead of byte.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Handles fork checking for HMAC_RNG and HMAC_DRBG
AutoSeeded_RNG change - switch to HMAC_DRBG as default.
Start removing the io buffer from entropy poller.
Update default RNG poll bits to 256.
Fix McEliece test, was using wrong RNG API.
Update docs.
|
|
|
|
| |
Add some missing overrides
|
|
|
|
|
|
| |
Move disabling C4250 and C4251 to cmd line instead of header pragma.
This means these warnings will show up in application code. But disabling
warnings inside a library header is probably not good form.
|
|\
| |
| |
| | |
The Intel RNG may fail if heavily contended, so retry as needed.
|
| |
| |
| |
| |
| |
| |
| |
| | |
* no spaces around if(), for() etc
* snake_case for plain functions
* anonymous namespace function instead private and static
* don't propagate failed poll to the calling application
* RdRand retires configurable in build.h
|
| |
| |
| |
| |
| | |
* Make it configurable how often RdRand and RdSeed is polled
* Make it configurable how many RdSeed retries are executed
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| | |
Has the same effect as using ctgrind, but without requiring a
custom-compiled valgrind binary.
Add ct checking annotations to the SSSE3 AES code.
|
|/ |
|
|
|
|
| |
GH #370 for background
|
| |
|
|
|
|
|
|
|
|
| |
Provide abstractions for the locking allocator (allocate and free
locked pages) to decouple it from the platform dependent code. Should
make it easy to write a Windows version using VirtualAlloc+VirtualLock.
Exposes max mlock limit as a build.h toggle
|
|
|
|
|
|
|
|
| |
Take the value from build.h if we have no way of getting it dynamically.
Fixes an infinite loop in AES on non-x86 introduced in ebf2164a,
as otherwise it does for(size_t i = 0; i != ...; i += 0) {}
while iterating over the TE tables.
|
|
|
|
| |
Defaults should be fine for everyone but it makes the values more transparent
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Provides an easier way for an application to configure a list of
entropy sources they'd like to use, or add a custom entropy source to
their seeding.
Exposes some toggles for the global/default entropy sources to build.h
Adds basic entropy tests which runs the polls and does sanity checking
on the results, including compression tests if available. These are
less useful for the CSPRNG outputs but a good check for the ones
producing plain ASCII like the /proc reader.
|
|
|
|
|
|
| |
sanitizers and coverage as all 4 are usefully set independently.
Use GCC 4.9 on CircleCI as it seems to be supported. Add ASan + UBSan test.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously a build had optimizations disabled completely when debug info was
emitted. But there are many reasons to use optimized builds with debug symbols
(running under valgrind, against afl, with Asan/Ubsan, in prod, etc).
And personally I find even debugging at -O2 or -O3 is fine most of the time and
worth it for the speed. Use the (now documented!) --no-optimizations flag if no
optimization is desired while debugging.
This also removes the distinction between library and application compile flags;
there is a single optimization level that is probably good enough for everything.
On Win32 it removes definding _CONSOLE for the application. This seems to be
some mythical value that may have been required at some point, but is not
documented anywhere I can find. Who knows what VC thinks, hoping I don't have to
add this back. It also drops defining `EBUG` which is what happens when you
tell cl.exe to '/DEBUG'. LOL.
|
|
|
|
|
|
|
|
| |
via timing channels.
Add annotations for checking constant-time code using ctgrind to
PKCS #1 and OAEP, as well as IDEA and Curve25519 which were already
written as constant time code.
|
|
|
|
| |
deriving it by squaring the previous value.
|
|
|
|
| |
Some tweaks for point multiplication using fixed windows.
|
| |
|
|
|
|
| |
GH #103
|
| |
|
| |
|