| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
| |
The OpenBSD system limit for getentropy(2) is 256 bytes. It does
not make sense to use the BOTAN_SYSTEM_RNG_POLL_REQUEST define here.
As it is only used in one place, another define would be overkill.
|
|
|
|
|
| |
The /proc file system was disabled for years. With OpenBSD 5.7 the
implementation has been removed from the kernel sources.
|
|
|
|
|
|
|
|
| |
Gather entropy from system call getentropy(2). This is available
since in OpenBSD 5.6 and Solaris 11.3. It can provide up to 256
bytes entropy from the kernel without blocking. As a system call
it does not need a file descriptor and works in chroot(2) environments
without device nodes.
|
| |
|
|\ |
|
| | |
|
| |
| |
| |
| | |
module doesn't exist anymore
|
|/ |
|
| |
|
|
|
|
|
|
| |
Renames a couple of functions for somewhat better name consistency,
eg make_u32bit becomes make_uint32. The old typedefs remain for now
since probably lots of application code uses them.
|
|
|
|
|
|
| |
Kind of a vestigial thing from an earlier iteration of the module
design, and never useful to specify anymore since taking all the cpp
files is what you want exactly 100% of the time.
|
| |
|
| |
|
|
|
|
|
|
|
| |
Have the /proc setting in build.h actually control the entropy source
configuration (!)
GH #708
|
|
|
|
|
| |
Change AutoSeeded_RNG to use SHA-384, SHA-256, SHA-3(256), or SHA-1,
whichever is available (in that order).
|
|
|
|
|
| |
If opening /dev/*random resulted in fd 0, we would both not use
that RNG and leak the file descriptor. Found with Coverity.
|
| |
|
|
|
|
|
|
|
|
| |
Also emit `#pragma GCC target` in the ISA specific amalgamation files.
This allows compiling without any special compiler flags, at least
with GCC 6.2 and Clang 3.8. The ISA annotations are ignored in MSVC,
which just emits whatever instruction the intrinsic requires.
|
| |
|
|
|
|
|
|
| |
With no provider specified, Win32_CAPI_EntropySource::poll does not call
::CryptGenRandom and returns 0, leading to subsequent PRNG_Unseeded
exceptions.
|
|
|
|
| |
Fixes GH #644
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Convert Travis build configuration to a single var instead of 4 tuple.
Makes it much easier to review the builds in the Travis web UI.
Adds sanitizer builds for Clang on both Linux and OS X. Clang is a different
compiler from GCC and its sanitizers may catch things GCC does not.
I have no idea if Apple's Clang has some magic sanitizer sauce stock
LLVM does not, so maybe sanitizer build on OS X can be skipped.
Adds Linux cross compile targets for ARM32, ARM64, PPC64, and MinGW x86
using the cross compiler available in Trusty. All of them build and are
set up to run through qemu/wine. All of the tests currently fail and
so are marked as expected fail in the Travis matrix.
The ARM test runs seem to have thread problems; ARM32 thread creation just fails
with an exception, as if pthreads was disabled. All other tests pass ok for ARM32.
On Aarch64, it looks like there is a hard crash the first time the library tries
creating a thread. Both of these might be due to statically linking the binary?
I have been unable to convince Ubuntu's qemu-ppc64 to execute binaries compiled by
Ubuntu's ppc64 cross compiler. I'm downloading an Ubuntu ISO to try this in a VM.
Running under Wine exposes several issues, both in Wine and Botan. Many functions are
stubs and it appears that entropy collection fails as a result. This triggers a bug
in the FFI tests which causes a crash there.
A pox on time zones; _mkgmtime is a MSVC extension and is not available on MinGW GCC.
Add a last resort call that just uses the localzone variant instead.
Adds valgrind target, remove a bogus poison in pubkey.cpp (it was effectively
asserting that all of RSA was const time which is sadly not true at all).
Moves -Wshadow to maintainer mode for GCC - GCC 4.8 has a noisy variant of -Wshadow
which warns if a parameter masks a function name, but this comes up all the time
in constructors. Later GCCs no longer warn about this (even with -Wshadow), so the
warnings are never fixed, but they cause noise in CI output and hide interesting
warnings like
warning: vec_lvsl is deprecated for little endian; use assignment for unaligned loads and stores [-Wdeprecated]
__vector unsigned char perm = vec_lvsl(0, static_cast<u32bit*>(nullptr));
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change reseed interval logic to count calls to `randomize` rather than
bytes, to match SP 800-90A
Changes RNG reseeding API: there is no implicit reference to the
global entropy sources within the RNGs anymore. The entropy sources
must be supplied with the API call. Adds support for reseding directly
from another RNG (such as a system or hardware RNG).
Stateful_RNG keeps optional references to both an RNG and a set of
entropy sources. During a reseed, both sources are used if set.
These can be provided to HMAC_DRBG constructor.
For HMAC_DRBG, SP800-90A requires we output no more than 2**16 bytes
per DRBG request. We treat requests longer than that as if the caller
had instead made several sequential maximum-length requests. This
means it is possible for one or more reseeds to trigger even in the
course of generating a single (long) output (generate a 256-bit key
and use ChaCha or HKDF if this is a problem).
Adds RNG::randomize_with_ts_input which takes timestamps and uses them
as the additional_data DRBG field. Stateful_RNG overrides this to also
include the process ID and the reseed counter. AutoSeeded_RNG's
`randomize` uses this.
Officially deprecates RNG::make_rng and the Serialized_RNG construtor
which creates an AutoSeeded_RNG. With these removed, it would be
possible to perform a build with no AutoSeeded_RNG/HMAC_DRBG at all
(eg, for applications which only use the system RNG).
Tests courtesy @cordney in GH PRs #598 and #600
|
|
|
|
|
|
|
|
| |
For those that are willing to trust uninspectible hardware. :)
Changes RDRAND entropy source to call RDRAND_RNG
Add --rdrand flag to rng cmdlet
|
| |
|
|
|
|
|
|
| |
Fix BeOS stat reader - was calling wrong function on the rng.
Remove entropy estimate defines from build.h, no longer used.
|
| |
|
|
|
|
|
| |
Remove Entropy_Accumulator, instead have entropy sources directly
add entropy to the RNG.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Handles fork checking for HMAC_RNG and HMAC_DRBG
AutoSeeded_RNG change - switch to HMAC_DRBG as default.
Start removing the io buffer from entropy poller.
Update default RNG poll bits to 256.
Fix McEliece test, was using wrong RNG API.
Update docs.
|
|
|
|
|
|
|
|
|
|
| |
In 10.8 (and presumably older) versions, the header for SecRandomCopyBytes
is SecRandom.h, and Security.h does not include SecRandom.h
With this change, the include of Security.h may be redundant for all versions,
but I have no way to test this.
GH #528
|
| |
|
|\
| |
| |
| | |
The Intel RNG may fail if heavily contended, so retry as needed.
|
| |
| |
| |
| | |
prevents filtering out any 0x00000000 outputs from RDRAND/RDSEED
|
| |
| |
| |
| |
| |
| |
| |
| | |
* no spaces around if(), for() etc
* snake_case for plain functions
* anonymous namespace function instead private and static
* don't propagate failed poll to the calling application
* RdRand retires configurable in build.h
|
| |
| |
| |
| |
| | |
* Make it configurable how often RdRand and RdSeed is polled
* Make it configurable how many RdSeed retries are executed
|
| | |
|
| |
| |
| |
| | |
explicit.
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add OS functions get_process_id, get_processor_timestamp, and
get_system_timestamp_ns. HMAC_RNG uses the pid call to detect forks to
initiate a reseed. It also adds the output of all three functions (the
pid, the CPU cycle counter, and the system timestamp) into the PRF input.
Calls the new OS timer functions from hres_timer entropy source.
Removes the call to QPC in es_win32 which is mostly redundant with the
one in hres_timer.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Thinking it over I've realized this was not a good move; XP may be EOLed but is
still widely used and even VS 2015 still supports targeting XP. It's not really
the same situation as going to extra efforts for supporting SunOS 5.1 or VAX/VMS,
instead it actively broke support for something which is still widely deployed.
And for those building for XP the options are patch out the call (GH #416) or
disable win32_stats altogether in their build. I'd like to prevent downstream
distributors from having to patch, because that can get messy. And while the
design of CryptGenRandom is not disclosed it apparently has changed over time
and at one point (IIRC) used RC4 to generate outputs, so if there is any OS that
could use some extra help generating seed material it is XP.
There may be future code that really makes use of APIs added after XP - CryptoNG,
TPM support, etc and then people targetting XP will have to compile out those
modules. But it doesn't make sense to break it here for this small gain.
|
| |
| |
| |
| | |
Remove bogus virtual destructor on Entropy_Accumulator (has no virtuals)
|
|\ \
| | |
| | |
| | |
| | |
| | | |
By adopting MemoryStatusEx, this drops support for XP and Server 2003
which do not implement this API. This is considered a feature as these
versions are already EOLed by Microsoft.
|
| | |
| | |
| | |
| | |
| | | |
* GetTickCount is replaced by GetTickCount64(): see https://msdn.microsoft.com/en-us/library/windows/desktop/ms724408(v=vs.85).aspx for details
* GlobalMemoryStatus is replaced by GlobalMemoryStatusEx: see https://msdn.microsoft.com/en-us/library/windows/desktop/aa366589(v=vs.85).aspx for details
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
In some cases this can offer better optimization, via devirtualization.
And it lets the user know the class is not intended for derivation.
Some discussion in GH #402
|
| |/
|/| |
|
| |
| |
| |
| | |
GH #370 for background
|
| | |
|