| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
* fixes for deprecated constructions in c++11 and later (explicit rule of 3/5 or implicit rule of 0 and other violations)
* `default` specifier instead of `{}` in some places(probably all)
* removal of unreachable code (for example `return` after `throw`)
* removal of compilation unit only visible, but not used functions
* fix for `throw()` specifier - used instead `BOTAN_NOEXCEPT`
* removed not needed semicolons
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Failed to consider need for ISA flags (none required on x86-64 or
aarch64 which are my primary test targets) but handling this correctly
requires splitting up speed.cpp which requires a lot more refactoring
work than I want to take on. Anyway the additional complexity just for
this microbenchmark is not worth it so hide it behind a macro check.
Also add an ECC scalar perf test.
|
|
|
|
| |
Tests both short and full size exponents
|
|
|
|
| |
Add SIMD perf test
|
| |
|
| |
|
|
|
|
|
|
| |
Previously just throw an exception from map.at
Add an XMSS keygen test, and add default params for create_private_key
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Tested against BoringSSL (as client + server) and google.com (as client).
Fix a stupid crashing bug in NewHope's BoringSSL mode.
Remove unneeded error return from curve25519_donna - always returned 0.
Default policy prefers ChaChaPoly1305 over GCM and CECPQ1 over ECDH/DH, which
means the default no-extra-configuration ciphersuite (for Botan client speaking
to Botan server) is a ciphersuite which is both implemented in constant time
on all platforms and (hopefully) provides post quantum security. Good Things.
|
| |
|
| |
|
|\ |
|
| | |
|
|/ |
|
|
|
|
|
| |
Change AutoSeeded_RNG to use SHA-384, SHA-256, SHA-3(256), or SHA-1,
whichever is available (in that order).
|
| |
|
|
|
|
|
| |
Turns out decompressing a point is ~50x slower than checking (x,y)
is on the curve. Update relnote accordingly.
|
|
|
|
|
|
|
| |
Verification is deterministic and public, so really no RNG is ever needed.
Change provider handling - accepts "base", "openssl", or empty, otherwise
throws a Provider_Not_Found exception.
|
|
|
|
|
|
|
|
| |
Instead the key types exposes operations like `create_encryption_op`
which will return the relevant operation if the algorithm supports it.
Changes pubkey.h interface, now RNG is passed at init time.
Blinder previous created its own RNG, now it takes it from app.
|
|
|
|
| |
[ci skip]
|
|
|
|
|
|
| |
Mostly unused args and missing override notations.
Fix DH - load_check calls were commented out for debugging.
|
|\ |
|
| |
| |
| |
| | |
4x-8x overall speedup switching from HMAC_DRBG to ChaCha20
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Provides conjectured 200-bit security against a quantum attacker.
Based on the public domain reference implementation at
https://github.com/tpoeppelmann/newhope and bit-for-bit
compatible with that version.
Test vectors generated by the reference testvector.c
|
|/ |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change reseed interval logic to count calls to `randomize` rather than
bytes, to match SP 800-90A
Changes RNG reseeding API: there is no implicit reference to the
global entropy sources within the RNGs anymore. The entropy sources
must be supplied with the API call. Adds support for reseding directly
from another RNG (such as a system or hardware RNG).
Stateful_RNG keeps optional references to both an RNG and a set of
entropy sources. During a reseed, both sources are used if set.
These can be provided to HMAC_DRBG constructor.
For HMAC_DRBG, SP800-90A requires we output no more than 2**16 bytes
per DRBG request. We treat requests longer than that as if the caller
had instead made several sequential maximum-length requests. This
means it is possible for one or more reseeds to trigger even in the
course of generating a single (long) output (generate a 256-bit key
and use ChaCha or HKDF if this is a problem).
Adds RNG::randomize_with_ts_input which takes timestamps and uses them
as the additional_data DRBG field. Stateful_RNG overrides this to also
include the process ID and the reseed counter. AutoSeeded_RNG's
`randomize` uses this.
Officially deprecates RNG::make_rng and the Serialized_RNG construtor
which creates an AutoSeeded_RNG. With these removed, it would be
possible to perform a build with no AutoSeeded_RNG/HMAC_DRBG at all
(eg, for applications which only use the system RNG).
Tests courtesy @cordney in GH PRs #598 and #600
|
|
|
|
|
| |
Remove Entropy_Accumulator, instead have entropy sources directly
add entropy to the RNG.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Handles fork checking for HMAC_RNG and HMAC_DRBG
AutoSeeded_RNG change - switch to HMAC_DRBG as default.
Start removing the io buffer from entropy poller.
Update default RNG poll bits to 256.
Fix McEliece test, was using wrong RNG API.
Update docs.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With sufficient squinting, Transform provided an abstract base
interface that covered both cipher modes and compression algorithms.
However it mapped on neither of them particularly well. In addition
this API had the same problem that has made me dislike the Pipe/Filter
API: given a Transform&, what does it do when you put bits in? Maybe
it encrypts. Maybe it compresses. It's a floor wax and a dessert topping!
Currently the Cipher_Mode interface is left mostly unchanged, with the
APIs previously on Transform just moved down the type hierarchy. I
think there are some definite improvements possible here, wrt handling
of in-place encryption, but left for a later commit.
The compression API is split into two types, Compression_Algorithm and
Decompression_Algorithm. Compression_Algorithm's start() call takes
the compression level, allowing varying compressions with a single
object. And flushing the compression state is moved to a bool param on
`Compression_Algorithm::update`. All the nonsense WRT compression
algorithms having zero length nonces, input granularity rules, etc
as a result of using the Transform interface goes away.
|
|
|
|
|
|
|
|
| |
Cast std::streamsize to size_t since MSVC is worried gcount() might
return a negative number.
The entropy callbacks took the entropy estimate as a size_t instead of
a double, which causes some verbose warnings due to the conversion.
|
| |
|
|
|
|
|
|
|
| |
Previously RSA and ElGamal stripped off leading zeros which were then
assumed by the padding decoders. Instead have them produce ciphertexts
with leading zeros. Changes EME_Raw to strip leading zeros to match
existing behavior.
|
|
|
|
| |
explicit.
|
|
|
|
| |
Also adds a (not const time) implementation of almost Montgomery reduction.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The command line tools' origin as a collection of examples and test
programs glued together led to some unfortunate problems; lots of
hardcoded values, missing parameters, and obsolete crypto.
Adds a small library for writing command line programs of the sort
needed here (cli.h), which cuts the length of many of the commands in
half and makes commands more pleasant to write and extend.
Generalizes a lot of the commands also, eg previously only
signing/verification with DSA/SHA-1 was included!
Removes the fuzzer entry point since that's fairly useless outside of
an instrumented build.
Removes the in-library API for benchmarking.
|
|
|