aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/pubkey
Commit message (Collapse)AuthorAgeFilesLines
* Add create_private_key, expose key loading functions in pk_algs.hJack Lloyd2016-10-205-67/+189
|
* Merge GH #669 Add SHA-3, SHAKE-128, and BoringSSL-mode NewHopeJack Lloyd2016-10-203-117/+90
|\
| * Add SHAKE-128 as stream cipherJack Lloyd2016-10-193-105/+91
| | | | | | | | | | Updates NewHope to use that instead of the hard-coded SHAKE-128, and adds toggle for BoringSSL compat mode using AES-128/CTR + SHA-256.
| * Add proper SHA-3Jack Lloyd2016-10-193-24/+11
| | | | | | | | | | | | | | | | | | | | Kind of a copy and paste of Keccak, but only a single copy of the permutation at least. Keccak depends on SHA-3 instead of the reverse, so that SHA-3 can be enabled without also bringing in an unapproved hash function. Updates newhope code and removes API function newhope_hash which was an unofficial SHA-3-256.
* | Reorganize anon namespace code to fix last doxygen warn [ci skip]René Korthaus2016-10-201-8/+8
| |
* | Fix doxygen warnings [ci skip]René Korthaus2016-10-198-6/+33
| |
* | Improve pubkey doxygen [ci skip]René Korthaus2016-10-1915-17/+251
|/
* Indent include so amalgamation works correctlyJack Lloyd2016-10-171-2/+1
| | | | | Otherwise <future> is thrown into the top of botan_all.h which causes problems on IncludeOS
* Abstract out mutex type. Make threads optional.Jack Lloyd2016-10-122-2/+24
|
* Add IncludeOS target. Make filesystem support optional.Jack Lloyd2016-10-104-0/+9
|
* Fix Clang warningsJack Lloyd2016-10-091-2/+2
|
* OpenSSL EC: Correctly handle OpenSSL not supporting the curveJack Lloyd2016-10-092-6/+6
| | | | GH #656
* This happening is actually a user error (eg, wrong key type)Jack Lloyd2016-10-091-7/+14
|
* Make pk_ops.h internalJack Lloyd2016-10-088-31/+107
| | | | Some fixes for missing system_rng in ECIES and tests.
* Add missing try/catch blocks.Jack Lloyd2016-10-071-1/+27
| | | | Document that create_*_op is public but not for public consumption.
* Revert PK_Verifier change (don't require RNG there).Jack Lloyd2016-10-0722-119/+173
| | | | | | | Verification is deterministic and public, so really no RNG is ever needed. Change provider handling - accepts "base", "openssl", or empty, otherwise throws a Provider_Not_Found exception.
* Remove Algo_Registry usage from public key code.Jack Lloyd2016-10-0737-184/+785
| | | | | | | | Instead the key types exposes operations like `create_encryption_op` which will return the relevant operation if the algorithm supports it. Changes pubkey.h interface, now RNG is passed at init time. Blinder previous created its own RNG, now it takes it from app.
* Merge GH #645 TLS compressed pointsJack Lloyd2016-10-071-1/+10
|\
| * Support encoding of supported point formats extensionRené Korthaus2016-10-031-1/+10
| |
* | 2nd review roundseu2016-10-023-0/+32
|/
* Maintainer mode fixes.Jack Lloyd2016-09-211-2/+2
| | | | | | Mostly unused args and missing override notations. Fix DH - load_check calls were commented out for debugging.
* Change T::provider to return std::stringJack Lloyd2016-09-151-2/+2
|
* Merge GH #613 NewHope R-LWE key exchangeJack Lloyd2016-09-053-0/+652
|\
| * Fix tests on things that are not little endianJack Lloyd2016-08-301-12/+6
| |
| * Avoid requiring alignment (think this was just for the AVX2 version)Jack Lloyd2016-08-302-37/+35
| | | | | | | | Change to standard int types
| * Fix header guard, macro tidyJack Lloyd2016-08-302-5/+7
| |
| * Add NEWHOPE KEM schemeJack Lloyd2016-08-303-0/+658
| | | | | | | | | | | | | | | | | | | | Provides conjectured 200-bit security against a quantum attacker. Based on the public domain reference implementation at https://github.com/tpoeppelmann/newhope and bit-for-bit compatible with that version. Test vectors generated by the reference testvector.c
* | Remove IF_Scheme_{Public,Private}KeyJack Lloyd2016-09-026-283/+186
| | | | | | | | | | | | With the removal of Rabin-Williams, RSA is the only remaining subclass, And it's very unlikely any new integer factorization based scheme would be added in the future.
* | Remove deprecated Nyberg-Rueppel and Rabin-Williams signaturesJack Lloyd2016-09-027-535/+0
| |
* | Merge GH #567/GH #457 TLS refactoring and Callbacks interfaceJack Lloyd2016-08-311-30/+46
|\ \ | |/ |/|
| * Reduction of code complexity in MP & ECC classes.Matthias Gierlings2016-06-191-30/+46
| | | | | | | | | | | | - reduced number of parameters in various methods - introduced structures and renamed variables to improve code readability.
* | Travis CI additions and cleanupJack Lloyd2016-08-281-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Convert Travis build configuration to a single var instead of 4 tuple. Makes it much easier to review the builds in the Travis web UI. Adds sanitizer builds for Clang on both Linux and OS X. Clang is a different compiler from GCC and its sanitizers may catch things GCC does not. I have no idea if Apple's Clang has some magic sanitizer sauce stock LLVM does not, so maybe sanitizer build on OS X can be skipped. Adds Linux cross compile targets for ARM32, ARM64, PPC64, and MinGW x86 using the cross compiler available in Trusty. All of them build and are set up to run through qemu/wine. All of the tests currently fail and so are marked as expected fail in the Travis matrix. The ARM test runs seem to have thread problems; ARM32 thread creation just fails with an exception, as if pthreads was disabled. All other tests pass ok for ARM32. On Aarch64, it looks like there is a hard crash the first time the library tries creating a thread. Both of these might be due to statically linking the binary? I have been unable to convince Ubuntu's qemu-ppc64 to execute binaries compiled by Ubuntu's ppc64 cross compiler. I'm downloading an Ubuntu ISO to try this in a VM. Running under Wine exposes several issues, both in Wine and Botan. Many functions are stubs and it appears that entropy collection fails as a result. This triggers a bug in the FFI tests which causes a crash there. A pox on time zones; _mkgmtime is a MSVC extension and is not available on MinGW GCC. Add a last resort call that just uses the localzone variant instead. Adds valgrind target, remove a bogus poison in pubkey.cpp (it was effectively asserting that all of RSA was const time which is sadly not true at all). Moves -Wshadow to maintainer mode for GCC - GCC 4.8 has a noisy variant of -Wshadow which warns if a parameter masks a function name, but this comes up all the time in constructors. Later GCCs no longer warn about this (even with -Wshadow), so the warnings are never fixed, but they cause noise in CI output and hide interesting warnings like warning: vec_lvsl is deprecated for little endian; use assignment for unaligned loads and stores [-Wdeprecated] __vector unsigned char perm = vec_lvsl(0, static_cast<u32bit*>(nullptr));
* | RNG changes (GH #593)Jack Lloyd2016-08-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Change reseed interval logic to count calls to `randomize` rather than bytes, to match SP 800-90A Changes RNG reseeding API: there is no implicit reference to the global entropy sources within the RNGs anymore. The entropy sources must be supplied with the API call. Adds support for reseding directly from another RNG (such as a system or hardware RNG). Stateful_RNG keeps optional references to both an RNG and a set of entropy sources. During a reseed, both sources are used if set. These can be provided to HMAC_DRBG constructor. For HMAC_DRBG, SP800-90A requires we output no more than 2**16 bytes per DRBG request. We treat requests longer than that as if the caller had instead made several sequential maximum-length requests. This means it is possible for one or more reseeds to trigger even in the course of generating a single (long) output (generate a 256-bit key and use ChaCha or HKDF if this is a problem). Adds RNG::randomize_with_ts_input which takes timestamps and uses them as the additional_data DRBG field. Stateful_RNG overrides this to also include the process ID and the reseed counter. AutoSeeded_RNG's `randomize` uses this. Officially deprecates RNG::make_rng and the Serialized_RNG construtor which creates an AutoSeeded_RNG. With these removed, it would be possible to perform a build with no AutoSeeded_RNG/HMAC_DRBG at all (eg, for applications which only use the system RNG). Tests courtesy @cordney in GH PRs #598 and #600
* | Merge GH #591Jack Lloyd2016-08-194-16/+6
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | Change behavior of default key usage encoding, default now omits the key usage unless the user set a value. Fix allowed_usage which could produce incorrect results. More X.509 tests
| * | Fix leading zero bytes in DSA, ECDSA, ECGDSA and ECKCDSA signaturesRené Korthaus2016-08-174-16/+6
| | |
* | | fix source file encoding ANSI -> UTF-8Daniel Neus2016-08-171-1/+1
|/ / | | | | | | | | | | | | | | | | should fix: ``` WARN: Invalid character encountered in file /home/travis/build/randombit/botan/src/tests/test_utils.cpp at line 381 for encoding UTF-8. Please fix file content or configure the encoding to be used using property 'sonar.sourceEncoding'. WARN: Invalid character encountered in file /home/travis/build/randombit/botan/src/lib/pubkey/ecies/ecies.cpp at line 311 for encoding UTF-8. Please fix file content or configure the encoding to be used using property 'sonar.sourceEncoding'. ```
* | Merge branch 'master' into frp256v1Simon Cogliani2016-07-301-1/+8
|\ \
| * | fix: load_check() was called instead of gen_check() during DH private key ↵Daniel Neus2016-07-261-1/+8
| | | | | | | | | | | | generation
* | | ANSSI elliptic curve cryptography frp256v1Simon Cogliani2016-07-241-0/+10
|/ / | | | | | | | | | | - Parameters available here: https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000024668816 - DER format according to the ANS1 syntax defined in ANSI X9.62 standard available here: http://www.ssi.gouv.fr/agence/publication/publication-dun-parametrage-de-courbe-elliptique-visant-des-applications-de-passeport-electronique-et-de-ladministration-electronique-francaise/
* | Merge GH #541 More ECIES testsJack Lloyd2016-07-191-2/+2
|\ \
| * | add more ECIES testsDaniel Neus2016-07-191-2/+2
| | |
* | | Merge GH #520 RNG changesJack Lloyd2016-07-183-4/+12
|\ \ \ | |/ / |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Adds Stateful_RNG base class which handles reseeding after some amount of output (configurable at instantiation time, defaults to the build.h value) as well as detecting forks (just using pid comparisons, so still vulnerable to pid wraparound). Implemented by HMAC_RNG and HMAC_DRBG. I did not update X9.31 since its underlying RNG should already be fork safe and handle reseeding at the appropriate time, since a new block is taken from the underlying RNG (for the datetime vector) for each block of output. Adds RNG::randomize_with_input which for most PRNGs is just a call to add_entropy followed by randomize. However for HMAC_DRBG it is used for additional input. Adds tests for HMAC_DRBG with AD from the CAVS file. RNG::add_entropy is implemented by System_RNG now, as both CryptGenRandom and /dev/urandom support receiving application provided data. The AutoSeeded_RNG underlying type is currently selectable in build.h and defaults to HMAC_DRBG(SHA-256). AutoSeeded_RNG provides additional input with each output request, consisting of the current pid, a counter, and timestamp (unless the application explicitly calls randomize_with_input, in which case we just take what they provided). This is the same hedge used in HMAC_RNGs output PRF. AutoSeeded_RNG is part of the base library now and cannot be compiled out. Removes Entropy_Accumulator type (which just served to bridge between the RNG and the entropy source), instead the Entropy_Source is passed a reference to the RNG being reseeded, and it can call add_entropy on whatever it can come up with.
| * | Revamp entropy pollingJack Lloyd2016-07-171-0/+1
| | | | | | | | | | | | | | | Remove Entropy_Accumulator, instead have entropy sources directly add entropy to the RNG.
| * | Switch to HMAC_DRBG for all RNG generation.Jack Lloyd2016-07-172-4/+11
| | | | | | | | | | | | | | | | | | | | | | | | Add support and tests for additional_data param to HMAC_DRBG Add Stateful_RNG class which has fork detection and periodic reseeding. AutoSeeded_RNG passes the current pid and time as additional_data
* | | Merge GH #535 Use Cipher_Mode instead of Pipe in ECIESJack Lloyd2016-07-173-22/+20
|\ \ \
| * | | replace (deprecated) Pipe API with Cipher_Mode in ECIESDaniel Neus2016-07-133-22/+20
| |/ /
* / / DLIES reworkDaniel Neus2016-07-133-100/+261
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | With these fixes the implementation is now compatible with bouncycastle and it should operate as it is specified in "DHIES: An encryption scheme based on Diffie-Hellman Problem" or in BSI technical guideline TR-02102-1. In addition to the already present XOR-encrypion/decryption mode it's now possible to use DLIES with a block cipher. Previously the input to the KDF was the concatenation of the (ephemeral) public key and the secret value derived by the key agreement operation: ``` secure_vector<byte> vz(m_my_key.begin(), m_my_key.end()); vz += m_ka.derive_key(0, m_other_key).bits_of(); const size_t K_LENGTH = length + m_mac_keylen; secure_vector<byte> K = m_kdf->derive_key(K_LENGTH, vz); ``` I don't know why this was implemented like this. But now the input to the KDF is only the secret value obtained by the key agreement operation. Furthermore the order of the output was changed from {public key, tag, ciphertext} to {public key, ciphertext, tag}. Multiple test vectors added that were generated with bouncycastle and some with botan itself.
* | Add missing override annotation. Fix formatting in ECIES testsJack Lloyd2016-06-301-1/+1
| |
* | Merge GH #504 Add ECKCDSAJack Lloyd2016-06-2010-24/+382
|\ \
| * | Add ECKCDSA signature algorithmRené Korthaus2016-06-1410-24/+382
| | |