| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This OS has its own crypto API and does not support CryptGenRandom.
Splits System_RNG_Impl into distinct declarations one per implementation
type. Easier to read now that we are up to 4 distinct versions.
Removes the CryptoAPI entropy source, and replaces it with an entropy
source that calls the system RNG. This is nominally a bit less flexible
in that the entropy source allowed polling multiple providers (though
we didn't actually make use of that). Plus side is it works on all
systems.
Currently the dev_random entropy source is still there because we do
actually use it to poll both /dev/random and /dev/urandom, and it
might be useful (on certain systems) to also poll a HW RNG, which
are often assigned their own device node. This could debatably also
be removed in favor of just reading the system RNG.
|
|
|
|
|
|
| |
http_util is required by the x509 module to perform
online OCSP checks, which should be defaulted to ON.
Without being part of the policy, it would be disabled.
|
| |
|
| |
|
| |
|
|\ |
|
| |
| |
| |
| |
| |
| | |
From https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02
This is a contribution from Ribose Inc (@riboseinc).
|
|/
|
|
|
| |
Prohibit SM4 block cipher, ed25519 signature scheme
and NIST SP800-56A KDF.
|
| |
|
| |
|
| |
|
|\ |
|
| |
| |
| |
| | |
Just my best reckoning of what is NIST approved, may have errors.
|
|/ |
|
|
|
|
|
|
|
| |
Not a good thing to offer at this level. If you know what you
are doing for the strange special case where it is necessary,
the raw BlockCipher interface is available and probably more
convenient.
|
|
|
|
|
|
|
| |
- Moves SHAKE to prohibited algorithms
- Catches an error during XMSS private key generation when SHAKE is disabled.
This should not be reported as error by the test bench since [SHAKE is
optional in XMSS](https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-07#section-5)
|
|
|
|
|
|
| |
- Added GMAC to list of supported MAC algorithms in readme.rst
- Updated module policy to prevent CI crash
- Added myself to credits.rst
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[1] XMSS: Extended Hash-Based Signatures,
draft-itrf-cfrg-xmss-hash-based-signatures-06
Release: July 2016.
https://datatracker.ietf.org/doc/
draft-irtf-cfrg-xmss-hash-based-signatures/?include_text=1
Provides XMSS_PublicKey and XMSS_PrivateKey classes as well as implementations
for the Botan interfaces PK_Ops::Signature and PK_Ops::Verification. XMSS has
been integrated into the Botan test bench, signature generation and verification
can be tested independently by invoking "botan-test xmss_sign" and
"botan-test xmss_verify"
- Some headers that are not required to be exposed to users of the library have
to be declared as public in `info.txt`. Declaring those headers private will
cause the amalgamation build to fail. The following headers have been
declared public inside `info.txt`, even though they are only intended for
internal use:
* atomic.h
* xmss_hash.h
* xmss_index_registry.h
* xmss_address.h
* xmss_common_ops.h
* xmss_tools.h
* xmss_wots_parameters.h
* xmss_wots_privatekey.h
* xmss_wots_publickey.h
- XMSS_Verification_Operation Requires the "randomness" parameter out of the
XMSS signature. "Randomness" is part of the prefix that is hashed *before*
the message. Since the signature is unknown till sign() is called, all
message content has to be buffered. For large messages this can be
inconvenient or impossible.
**Possible solution**: Change PK_Ops::Verification interface to take
the signature as constructor argument, and provide a setter method to be able
to update reuse the instance on multiple signatures. Make sign a parameterless
member call. This solution requires interface changes in botan.
**Suggested workaround** for signing large messages is to not sign the message
itself, but to precompute the message hash manually using Botan::HashFunctio
and sign the message hash instead of the message itself.
- Some of the available test vectors for the XMSS signature verification have
been commented out in order to reduce testbench runtime.
|
|
|
|
|
| |
Change AutoSeeded_RNG to use SHA-384, SHA-256, SHA-3(256), or SHA-1,
whichever is available (in that order).
|
|\ |
|
| |
| |
| |
| |
| | |
Adds support for Galois Message Authentication Code calculation based on
GHASH, rather than GCM_Mode.
|
|/ |
|
|\ |
|
| |
| |
| |
| | |
BSI drops Keccak in favor of SHA-3. Modern adds SHA-3 and SHAKE-128.
|
|/
|
|
| |
So it shouldn't be prohibited in the module policy
|
| |
|
| |
|
|
|
|
|
| |
XTEA was also deprecated but has been spared, it does seem to be somewhat
common (eg, included in the Go x/crypto library)
|
|
|
|
|
|
| |
Fix policy files.
GH #614
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change reseed interval logic to count calls to `randomize` rather than
bytes, to match SP 800-90A
Changes RNG reseeding API: there is no implicit reference to the
global entropy sources within the RNGs anymore. The entropy sources
must be supplied with the API call. Adds support for reseding directly
from another RNG (such as a system or hardware RNG).
Stateful_RNG keeps optional references to both an RNG and a set of
entropy sources. During a reseed, both sources are used if set.
These can be provided to HMAC_DRBG constructor.
For HMAC_DRBG, SP800-90A requires we output no more than 2**16 bytes
per DRBG request. We treat requests longer than that as if the caller
had instead made several sequential maximum-length requests. This
means it is possible for one or more reseeds to trigger even in the
course of generating a single (long) output (generate a 256-bit key
and use ChaCha or HKDF if this is a problem).
Adds RNG::randomize_with_ts_input which takes timestamps and uses them
as the additional_data DRBG field. Stateful_RNG overrides this to also
include the process ID and the reseed counter. AutoSeeded_RNG's
`randomize` uses this.
Officially deprecates RNG::make_rng and the Serialized_RNG construtor
which creates an AutoSeeded_RNG. With these removed, it would be
possible to perform a build with no AutoSeeded_RNG/HMAC_DRBG at all
(eg, for applications which only use the system RNG).
Tests courtesy @cordney in GH PRs #598 and #600
|
|
|
|
|
|
|
|
| |
For those that are willing to trust uninspectible hardware. :)
Changes RDRAND entropy source to call RDRAND_RNG
Add --rdrand flag to rng cmdlet
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Handles fork checking for HMAC_RNG and HMAC_DRBG
AutoSeeded_RNG change - switch to HMAC_DRBG as default.
Start removing the io buffer from entropy poller.
Update default RNG poll bits to 256.
Fix McEliece test, was using wrong RNG API.
Update docs.
|
|
|
|
|
| |
Add RFC 6979 which became optional along the line. Also add bcrypt and compression,
and add TLS by default. Prohibit EGD.
|
| |
|
| |
|
|\ |
|
| | |
|
|/
|
|
|
|
|
| |
Adds support for probabilistic, aka the standard, DSA and ECDSA.
Can be enabled by disabling the rfc6979 module.
Includes test vectors from NIST CAVP.
Adds rfc6979 to the list of prohibited modules in BSI policy.
|
| |
|
|
|
|
| |
Prohibit unix_procs in BSI policy. See discussion in GH #446
|
| |
|
|
A module policy is a file specifying three types of modules: ones which
are required, ones which are prohibited, and ones which should be used
if otherwise available (this is mostly for platform specific modules).
Finally there are whatever modules which exist in the library of which
the policy makes no mention. These will be included if an explicit
dependency of some other module pulls them in (so there is no reason
to mention base, utils, ... in the file) but skipped otherwise.
For example policy 'sane' does not mention 'utils' or 'twofish' either
way. Since utils is a dependency of other modules which are included,
but Twofish does not. However unlike an explicitly prohibited module,
not mentioned can still be requested as part of the build (here with
--enable-module=twofish)
Also fixes some test bugs noticed by compiling in different build
configs. DLIES test didn't check that the KDF and MAC existed. Adds a
typedef for MessageAuthenticationCode because typing it twice in a
single line in the DLIES test made me think it's way too long. :) Also
fix some fuzzer build problems. Due to a copy and paste bug the PKCS
certificate (it was not).
Inspired by GH #439
|