| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
4x-8x overall speedup switching from HMAC_DRBG to ChaCha20
|
|
|
|
|
|
|
|
|
|
| |
Provides conjectured 200-bit security against a quantum attacker.
Based on the public domain reference implementation at
https://github.com/tpoeppelmann/newhope and bit-for-bit
compatible with that version.
Test vectors generated by the reference testvector.c
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change reseed interval logic to count calls to `randomize` rather than
bytes, to match SP 800-90A
Changes RNG reseeding API: there is no implicit reference to the
global entropy sources within the RNGs anymore. The entropy sources
must be supplied with the API call. Adds support for reseding directly
from another RNG (such as a system or hardware RNG).
Stateful_RNG keeps optional references to both an RNG and a set of
entropy sources. During a reseed, both sources are used if set.
These can be provided to HMAC_DRBG constructor.
For HMAC_DRBG, SP800-90A requires we output no more than 2**16 bytes
per DRBG request. We treat requests longer than that as if the caller
had instead made several sequential maximum-length requests. This
means it is possible for one or more reseeds to trigger even in the
course of generating a single (long) output (generate a 256-bit key
and use ChaCha or HKDF if this is a problem).
Adds RNG::randomize_with_ts_input which takes timestamps and uses them
as the additional_data DRBG field. Stateful_RNG overrides this to also
include the process ID and the reseed counter. AutoSeeded_RNG's
`randomize` uses this.
Officially deprecates RNG::make_rng and the Serialized_RNG construtor
which creates an AutoSeeded_RNG. With these removed, it would be
possible to perform a build with no AutoSeeded_RNG/HMAC_DRBG at all
(eg, for applications which only use the system RNG).
Tests courtesy @cordney in GH PRs #598 and #600
|
|
|
|
|
|
|
|
| |
For those that are willing to trust uninspectible hardware. :)
Changes RDRAND entropy source to call RDRAND_RNG
Add --rdrand flag to rng cmdlet
|
|
|
|
|
| |
Remove Entropy_Accumulator, instead have entropy sources directly
add entropy to the RNG.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Handles fork checking for HMAC_RNG and HMAC_DRBG
AutoSeeded_RNG change - switch to HMAC_DRBG as default.
Start removing the io buffer from entropy poller.
Update default RNG poll bits to 256.
Fix McEliece test, was using wrong RNG API.
Update docs.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With sufficient squinting, Transform provided an abstract base
interface that covered both cipher modes and compression algorithms.
However it mapped on neither of them particularly well. In addition
this API had the same problem that has made me dislike the Pipe/Filter
API: given a Transform&, what does it do when you put bits in? Maybe
it encrypts. Maybe it compresses. It's a floor wax and a dessert topping!
Currently the Cipher_Mode interface is left mostly unchanged, with the
APIs previously on Transform just moved down the type hierarchy. I
think there are some definite improvements possible here, wrt handling
of in-place encryption, but left for a later commit.
The compression API is split into two types, Compression_Algorithm and
Decompression_Algorithm. Compression_Algorithm's start() call takes
the compression level, allowing varying compressions with a single
object. And flushing the compression state is moved to a bool param on
`Compression_Algorithm::update`. All the nonsense WRT compression
algorithms having zero length nonces, input granularity rules, etc
as a result of using the Transform interface goes away.
|
|
|
|
|
|
| |
manifesting as broken sockets.
Leave the client socket open until the alert has been sent.
|
|
|
|
|
|
|
|
| |
Cast std::streamsize to size_t since MSVC is worried gcount() might
return a negative number.
The entropy callbacks took the entropy estimate as a size_t instead of
a double, which causes some verbose warnings due to the conversion.
|
| |
|
|
|
|
|
|
|
| |
Previously RSA and ElGamal stripped off leading zeros which were then
assumed by the padding decoders. Instead have them produce ciphertexts
with leading zeros. Changes EME_Raw to strip leading zeros to match
existing behavior.
|
|
|
|
|
|
| |
Add flags --policy, --print-certs, --tls1.0, --tls1.1, --tls1.2
Update todo
|
|
|
|
| |
explicit.
|
|
|
|
| |
Also adds a (not const time) implementation of almost Montgomery reduction.
|
| |
|
| |
|
|
|
|
|
| |
The signature of the alert callback remains unchanged to avoid
breaking applications, though now the buffer parameter is never set.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Remove -Wsuggest-attribute=noreturn from maintainer mode flags as it
seems like outside of the assertion failure macro any other suggestion
would always be a false positive (an unimplemented function or the like).
Or at least, if such a function needing noreturn to assist with static
analysis is added in the future it will be obvious, by virtue of the
static analyzer warnings which occur due to the missing noreturn
preventing the analyzer from understanding code flow.
|
| |
|
|\ |
|
| |
| |
| |
| |
| |
| |
| | |
In some cases this can offer better optimization, via devirtualization.
And it lets the user know the class is not intended for derivation.
Some discussion in GH #402
|
|/ |
|
|
|
|
| |
found by gcc with -Wsuggest-override
|
|
|
|
| |
fix PVS-Studio perfomance warnings
|
|
|
|
| |
Missing . in compression extension, wrong name for buf-size option
|
|
|
|
|
|
|
|
|
|
| |
Expose provider param in PK_Key_Agreement API
Handle multiple providers in key agreement tests
Fix some funky formatting of P-521 EC points in ecdh.vec which was
being rejected by OpenSSL; for whatever reason the CAVS file had
the affine coords with far more leading zeros than necessary.
|
|
|
|
| |
Avoids various static init and destruction hassles.
|
|
|
|
|
|
|
| |
for when a command wants an RNG but doesn't much care what kind.
This adds a place where a future --rng-type= option can be consulted
to eg use the system RNG or a user seeded DRBG.
|
| |
|
|\
| |
| | |
Some trivial compiler and PVS-Studio warning fixes
|
| | |
|
| | |
|
| | |
|
| | |
|
|/
|
|
| |
If no files are given on the command line to `hash`, default to stdin
|
|
|
|
|
|
|
| |
Understand using '-' on the command line to mean stdin
Fix last few unit tests that wanted to write to the filesystem; removes
outdata directory.
|
|
|
|
| |
See GH #340 and 6b9a3a5 for background
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The command line tools' origin as a collection of examples and test
programs glued together led to some unfortunate problems; lots of
hardcoded values, missing parameters, and obsolete crypto.
Adds a small library for writing command line programs of the sort
needed here (cli.h), which cuts the length of many of the commands in
half and makes commands more pleasant to write and extend.
Generalizes a lot of the commands also, eg previously only
signing/verification with DSA/SHA-1 was included!
Removes the fuzzer entry point since that's fairly useless outside of
an instrumented build.
Removes the in-library API for benchmarking.
|
|
|
|
| |
See also #354
|
| |
|
|
|