| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|\ |
|
| |
| |
| |
| |
| | |
Updates NewHope to use that instead of the hard-coded SHAKE-128,
and adds toggle for BoringSSL compat mode using AES-128/CTR + SHA-256.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Kind of a copy and paste of Keccak, but only a single copy of the
permutation at least. Keccak depends on SHA-3 instead of the reverse,
so that SHA-3 can be enabled without also bringing in an unapproved
hash function.
Updates newhope code and removes API function newhope_hash which was
an unofficial SHA-3-256.
|
| | |
|
| | |
|
|/ |
|
|
|
|
|
| |
Otherwise <future> is thrown into the top of botan_all.h which
causes problems on IncludeOS
|
| |
|
| |
|
| |
|
|
|
|
| |
GH #656
|
| |
|
|
|
|
| |
Some fixes for missing system_rng in ECIES and tests.
|
|
|
|
| |
Document that create_*_op is public but not for public consumption.
|
|
|
|
|
|
|
| |
Verification is deterministic and public, so really no RNG is ever needed.
Change provider handling - accepts "base", "openssl", or empty, otherwise
throws a Provider_Not_Found exception.
|
|
|
|
|
|
|
|
| |
Instead the key types exposes operations like `create_encryption_op`
which will return the relevant operation if the algorithm supports it.
Changes pubkey.h interface, now RNG is passed at init time.
Blinder previous created its own RNG, now it takes it from app.
|
|\ |
|
| | |
|
|/ |
|
|
|
|
|
|
| |
Mostly unused args and missing override notations.
Fix DH - load_check calls were commented out for debugging.
|
| |
|
|\ |
|
| | |
|
| |
| |
| |
| | |
Change to standard int types
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Provides conjectured 200-bit security against a quantum attacker.
Based on the public domain reference implementation at
https://github.com/tpoeppelmann/newhope and bit-for-bit
compatible with that version.
Test vectors generated by the reference testvector.c
|
| |
| |
| |
| |
| |
| | |
With the removal of Rabin-Williams, RSA is the only remaining subclass,
And it's very unlikely any new integer factorization based scheme would be
added in the future.
|
| | |
|
|\ \
| |/
|/| |
|
| |
| |
| |
| |
| |
| | |
- reduced number of parameters in various methods
- introduced structures and renamed variables to improve code
readability.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Convert Travis build configuration to a single var instead of 4 tuple.
Makes it much easier to review the builds in the Travis web UI.
Adds sanitizer builds for Clang on both Linux and OS X. Clang is a different
compiler from GCC and its sanitizers may catch things GCC does not.
I have no idea if Apple's Clang has some magic sanitizer sauce stock
LLVM does not, so maybe sanitizer build on OS X can be skipped.
Adds Linux cross compile targets for ARM32, ARM64, PPC64, and MinGW x86
using the cross compiler available in Trusty. All of them build and are
set up to run through qemu/wine. All of the tests currently fail and
so are marked as expected fail in the Travis matrix.
The ARM test runs seem to have thread problems; ARM32 thread creation just fails
with an exception, as if pthreads was disabled. All other tests pass ok for ARM32.
On Aarch64, it looks like there is a hard crash the first time the library tries
creating a thread. Both of these might be due to statically linking the binary?
I have been unable to convince Ubuntu's qemu-ppc64 to execute binaries compiled by
Ubuntu's ppc64 cross compiler. I'm downloading an Ubuntu ISO to try this in a VM.
Running under Wine exposes several issues, both in Wine and Botan. Many functions are
stubs and it appears that entropy collection fails as a result. This triggers a bug
in the FFI tests which causes a crash there.
A pox on time zones; _mkgmtime is a MSVC extension and is not available on MinGW GCC.
Add a last resort call that just uses the localzone variant instead.
Adds valgrind target, remove a bogus poison in pubkey.cpp (it was effectively
asserting that all of RSA was const time which is sadly not true at all).
Moves -Wshadow to maintainer mode for GCC - GCC 4.8 has a noisy variant of -Wshadow
which warns if a parameter masks a function name, but this comes up all the time
in constructors. Later GCCs no longer warn about this (even with -Wshadow), so the
warnings are never fixed, but they cause noise in CI output and hide interesting
warnings like
warning: vec_lvsl is deprecated for little endian; use assignment for unaligned loads and stores [-Wdeprecated]
__vector unsigned char perm = vec_lvsl(0, static_cast<u32bit*>(nullptr));
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Change reseed interval logic to count calls to `randomize` rather than
bytes, to match SP 800-90A
Changes RNG reseeding API: there is no implicit reference to the
global entropy sources within the RNGs anymore. The entropy sources
must be supplied with the API call. Adds support for reseding directly
from another RNG (such as a system or hardware RNG).
Stateful_RNG keeps optional references to both an RNG and a set of
entropy sources. During a reseed, both sources are used if set.
These can be provided to HMAC_DRBG constructor.
For HMAC_DRBG, SP800-90A requires we output no more than 2**16 bytes
per DRBG request. We treat requests longer than that as if the caller
had instead made several sequential maximum-length requests. This
means it is possible for one or more reseeds to trigger even in the
course of generating a single (long) output (generate a 256-bit key
and use ChaCha or HKDF if this is a problem).
Adds RNG::randomize_with_ts_input which takes timestamps and uses them
as the additional_data DRBG field. Stateful_RNG overrides this to also
include the process ID and the reseed counter. AutoSeeded_RNG's
`randomize` uses this.
Officially deprecates RNG::make_rng and the Serialized_RNG construtor
which creates an AutoSeeded_RNG. With these removed, it would be
possible to perform a build with no AutoSeeded_RNG/HMAC_DRBG at all
(eg, for applications which only use the system RNG).
Tests courtesy @cordney in GH PRs #598 and #600
|
|\ \
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Change behavior of default key usage encoding, default now omits
the key usage unless the user set a value.
Fix allowed_usage which could produce incorrect results.
More X.509 tests
|
| | | |
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| | |
should fix:
```
WARN: Invalid character encountered in file /home/travis/build/randombit/botan/src/tests/test_utils.cpp at line 381 for encoding UTF-8. Please fix file content or configure the encoding to be used using property 'sonar.sourceEncoding'.
WARN: Invalid character encountered in file /home/travis/build/randombit/botan/src/lib/pubkey/ecies/ecies.cpp at line 311 for encoding UTF-8. Please fix file content or configure the encoding to be used using property 'sonar.sourceEncoding'.
```
|
|\ \ |
|
| | |
| | |
| | |
| | | |
generation
|
|/ /
| |
| |
| |
| |
| | |
- Parameters available here: https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000024668816
- DER format according to the ANS1 syntax defined in ANSI X9.62 standard
available here: http://www.ssi.gouv.fr/agence/publication/publication-dun-parametrage-de-courbe-elliptique-visant-des-applications-de-passeport-electronique-et-de-ladministration-electronique-francaise/
|
|\ \ |
|
| | | |
|
|\ \ \
| |/ /
|/| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Adds Stateful_RNG base class which handles reseeding after some
amount of output (configurable at instantiation time, defaults to
the build.h value) as well as detecting forks (just using pid
comparisons, so still vulnerable to pid wraparound). Implemented
by HMAC_RNG and HMAC_DRBG. I did not update X9.31 since its
underlying RNG should already be fork safe and handle reseeding
at the appropriate time, since a new block is taken from the
underlying RNG (for the datetime vector) for each block of
output.
Adds RNG::randomize_with_input which for most PRNGs is just a
call to add_entropy followed by randomize. However for HMAC_DRBG
it is used for additional input. Adds tests for HMAC_DRBG with AD
from the CAVS file.
RNG::add_entropy is implemented by System_RNG now, as both
CryptGenRandom and /dev/urandom support receiving application
provided data.
The AutoSeeded_RNG underlying type is currently selectable in
build.h and defaults to HMAC_DRBG(SHA-256). AutoSeeded_RNG
provides additional input with each output request, consisting of
the current pid, a counter, and timestamp (unless the application
explicitly calls randomize_with_input, in which case we just take
what they provided). This is the same hedge used in HMAC_RNGs
output PRF.
AutoSeeded_RNG is part of the base library now and cannot be
compiled out.
Removes Entropy_Accumulator type (which just served to bridge
between the RNG and the entropy source), instead the
Entropy_Source is passed a reference to the RNG being reseeded,
and it can call add_entropy on whatever it can come up with.
|
| | |
| | |
| | |
| | |
| | | |
Remove Entropy_Accumulator, instead have entropy sources directly
add entropy to the RNG.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add support and tests for additional_data param to HMAC_DRBG
Add Stateful_RNG class which has fork detection and periodic reseeding.
AutoSeeded_RNG passes the current pid and time as additional_data
|
|\ \ \ |
|
| |/ / |
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
With these fixes the implementation is now compatible with bouncycastle and it should operate
as it is specified in "DHIES: An encryption scheme based on Diffie-Hellman Problem" or in BSI
technical guideline TR-02102-1.
In addition to the already present XOR-encrypion/decryption mode it's now possible to use DLIES with a block cipher.
Previously the input to the KDF was the concatenation of the (ephemeral) public key
and the secret value derived by the key agreement operation:
```
secure_vector<byte> vz(m_my_key.begin(), m_my_key.end());
vz += m_ka.derive_key(0, m_other_key).bits_of();
const size_t K_LENGTH = length + m_mac_keylen;
secure_vector<byte> K = m_kdf->derive_key(K_LENGTH, vz);
```
I don't know why this was implemented like this. But now the input to the KDF is only the secret value obtained by the key agreement operation.
Furthermore the order of the output was changed from {public key, tag, ciphertext} to {public key, ciphertext, tag}.
Multiple test vectors added that were generated with bouncycastle and some with botan itself.
|
| | |
|
|\ \ |
|
| | | |
|