aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/pubkey
Commit message (Collapse)AuthorAgeFilesLines
* Fix remaining Wshadow warnings and enable on gcc and clangRené Korthaus2016-02-182-9/+9
|
* Add KDF1 as explicit dependency in MCEIESJack Lloyd2016-02-151-0/+1
| | | | | | | | | | Previously MCEIES used KEM with a raw SHA-512 hash. When the KDF oriented KEM interface was added in 72f0f0ad2a it switched to using KDF1(SHA-512) since for a 64-byte output and no salt, the output matches the original hash. This avoids breaking the format. Prevents runtime failures when MCEIES is enabled in the build but KDF1 is not. GH #369
* Fix Coverity findings in McEliece codeJack Lloyd2016-02-093-14/+20
| | | | | | | | Initialize variables in constructor in gf2m_decomp_rootfind_state Add asserts on the degree where a positive value was assumed. How polyn_gf2m handles the degree needs some work but this should do for now.
* Don't leave member variables uninitialized. Found by Coverity scanner.Jack Lloyd2016-02-091-1/+1
|
* V816 It is more efficient to catch exception by reference rather than by ↵Daniel Neus2016-02-084-4/+4
| | | | value. asn1_time.cpp 159
* Avoid -Wmaybe-uninitialized warning under GCC 5.3Jack Lloyd2016-01-291-4/+6
| | | | | | As best I can tell it wasn't actually possible for the value to be used uninitialized, since it was initialized if m_outer_summands > 1 and only used if m_outer_summands was at least 2.
* Prefix more member vars with m_ prefixRené Korthaus2016-01-111-8/+8
|
* Mass-prefix member vars with m_René Korthaus2016-01-0821-440/+445
|
* add missing overridesDaniel Neus2016-01-081-1/+1
| | | | found by gcc with -Wsuggest-override
* String comparision fixesDaniel Neus2016-01-042-4/+4
| | | | fix PVS-Studio perfomance warnings
* Add ECDH via OpenSSLJack Lloyd2016-01-042-3/+8
| | | | | | | | | | Expose provider param in PK_Key_Agreement API Handle multiple providers in key agreement tests Fix some funky formatting of P-521 EC points in ecdh.vec which was being rejected by OpenSSL; for whatever reason the CAVS file had the affine coords with far more leading zeros than necessary.
* Merge pull request #381 from cordney/fix-load-unencryped-key-from-berJack Lloyd2015-12-312-31/+99
|\ | | | | Fix loading of unencrypted, BER encoded private keys via PKCS8 api
| * Fix loading of unencrypted, BER encoded private keys via PKCS8 apiRené Korthaus2015-12-252-31/+99
| |
* | Move McEliece KEM operation into the same file as the key type.Jack Lloyd2015-12-262-74/+65
| | | | | | | | | | | | | | Otherwise we run into the old problem in the static non-amalgamation build of the operation not being loaded even though the key itself was referenced; since now the operation is loaded as a by-product of referencing the key type (as with other impls) everything works out.
* | Remove debug printsJack Lloyd2015-12-261-4/+0
| |
* | Add generalized KEM interfaceJack Lloyd2015-12-2611-102/+367
|/ | | | | | Convert McEliece KEM to use it Add RSA-KEM
* Merge the openssl code together.Jack Lloyd2015-12-192-496/+0
| | | | | | | Having the code diffused all over the place was ugly and would not scale well to multiple alternative providers. GH #368
* Remove all remaining uses of throwing a std:: exception directlyJack Lloyd2015-12-191-1/+2
| | | | See GH #340 and 6b9a3a5 for background
* Missing addsJack Lloyd2015-12-112-2/+1
|
* Reroot the exception hierarchy into a toplevel Exception classJack Lloyd2015-12-117-13/+13
| | | | | | | | As the alternatives are unfortunate for applications trying to catch all library errors, and it seems deriving from std::runtime_error causes problems with MSVC DLLs (GH #340) Effectively reverts 2837e915d82e43
* Remove support for broken 112 and 128 bit SECP ECC groups.Jack Lloyd2015-12-021-46/+0
|
* Add update overload taking std::string to PK_Verifier and PK_SignerJack Lloyd2015-12-021-1/+19
| | | | Because convenient
* Add more workfactor estimate helpers.Jack Lloyd2015-11-296-32/+53
| | | | | | | | | | Specifically a named one for integer factorization (despite using same formula as DL calc) which incorporates the k value from RFC 3766. Also adds dl_exponent_size which returns the exponent size, this one ignores k thus using a ~10 bit larger exponent than strictly necessary. Adding in k downgrades 1024 bit RSA to exactly 80 bits, which is probably about right.
* Update and consolidate the test framework.Jack Lloyd2015-11-111-0/+4
| | | | | | | | | | | The tests previously had used 4 to 6 different schemes internally (the vec file reader framework, Catch, the old InSiTo Boost.Test tests, the PK/BigInt tests which escaped the rewrite in 1.11.7, plus a number of one-offs). Converge on a design that works everywhere, and update all the things. Fix also a few bugs found by the test changes: SHA-512-256 name incorrect, OpenSSL RC4 name incorrect, signature of FFI function botan_pubkey_destroy was wrong.
* Fix McEliece key gen endian dependency.Jack Lloyd2015-10-273-20/+27
| | | | | | | | | | | The tests which generate McEliece keys using a deterministic RNG and fixed seed failed on PowerPC (or other big endian systems) because the vectors assumed we were creating elements little endian, which is what happend with rng.randomize(&u16, 2) on x86 Fix it to always be little endian. No particular reason to prefer one vs the other here (we're just trying for compatability with ourselves) and choosing little endian avoids having to regen the vectors.
* Compile fixJack Lloyd2015-10-261-1/+1
|
* Merge pull request #314 from randombit/ct-tls-cbc-paddingJack Lloyd2015-10-261-17/+3
|\ | | | | TLS improvements
| * Asan fix - referencing &vec[vec.size()] instead of vec.end()Jack Lloyd2015-10-261-17/+3
| | | | | | | | Convert to a const time algo
* | Add missing includeJack Lloyd2015-10-261-0/+1
|/
* Make Montgomery reduction constant time.Jack Lloyd2015-10-242-8/+8
| | | | | | | | | | | | | | It was already close, but the carry loop would break early and selecting which value to copy out was indexed on the borrow bit. Have the carry loop run through, and add a const-time conditional copy operation and use that to copy the output. Convert ct_utils to CT namespace. Templatize the utils, which I was hesitant to do initially but is pretty useful when dealing with arbitrary word sizes. Remove the poison macros, replace with inline funcs which reads cleaner at the call site.
* Break up openssl providerJack Lloyd2015-10-192-0/+510
| | | | | | For RSA, RC4, and ECDSA put the openssl versions in the same directory as the base version. They just rely on a macro check for the openssl module to test for the desire to use OpenSSL.
* Make PKCS #1 and OAEP decoding constant time to avoid oracle attacksJack Lloyd2015-10-161-0/+9
| | | | | | | | via timing channels. Add annotations for checking constant-time code using ctgrind to PKCS #1 and OAEP, as well as IDEA and Curve25519 which were already written as constant time code.
* MSVC build fixJack Lloyd2015-10-152-9/+10
|
* Prohibit creating a DL_Group smaller than 1024 bitsJack Lloyd2015-10-151-2/+2
|
* Periodically reinitialize the blinding sequence instead of alwaysJack Lloyd2015-10-152-13/+39
| | | | deriving it by squaring the previous value.
* Expose providers for public key operationsJack Lloyd2015-10-142-43/+61
| | | | | | | | For PK_Encryptor and company they are requested via a new provider param to the constructors. The speed command gets a --provider option so you can see benchmark results with the different versions.
* Move DataSource to utils and rewrite PEM encoding to avoid filtersJack Lloyd2015-10-141-1/+1
| | | | | Removes filters as as an internal dependency pretty much entirely (outside of some dusty corners in misc).
* Merge pull request #286 from randombit/mce-cleanupJack Lloyd2015-09-3025-1201/+986
|\ | | | | Cleanup and document McEliece implementation
| * McEliece cleanupsJack Lloyd2015-09-2925-1201/+986
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Remove and consolidate various headers Reduce memory usage of GF2m_Field by sharing the log and exponent tables across all instances of a particular word size. Remove McEliece_Public_Operation and McEliece_Private_Operation which were difficult to use safely. Instead only the KEM operations are exposed. Add McEliece_PublicKey::random_plaintext_element Add command line `mce` tool and some McEliece documentation Convert the speed program to check McEliece keys of the suggested size Add McEliece KATs for both key generation and KEM Fix HMAC_DRBG constructor which derefed a pointer before its time
* | Remove warning: assuming signed overflow does not occurSimon Warta2015-09-251-1/+1
|/ | | | | | warning: assuming signed overflow does not occur when reducing constant in comparison [-Wstrict-overflow] cond1 = r0.get_degree() <= break_deg - 1;
* Remove use of lookup.h in favor of new T::create API.Jack Lloyd2015-09-211-2/+2
|
* Internal header cleanupsJack Lloyd2015-09-193-3/+0
| | | | Only user-visible change is the removal of get_byte.h
* Fix pbkdf, pk padding and ECDH registration for static linking.Jack Lloyd2015-09-112-1/+3
| | | | | | | | With this change the tests pass when linked against a static library built in the normal (non-amalgamation) fashion. Remove the restriction in configure.py, and have circleci build the clang static build as a non-amalg.
* Remove alloc module; move secmem.h to base and locking_allocator to utilsJack Lloyd2015-08-294-4/+0
|
* Remove unused variableJack Lloyd2015-08-281-3/+0
|
* Missing addJack Lloyd2015-08-211-0/+1
|
* In RSA, check that the input is less than the modulus n before blindingJack Lloyd2015-08-211-5/+7
| | | | | | | | | | | | | rather than after. After blinding the value is always reduced mod n so the condition is never met. This may be the cause of RSA test failures described in GH #174 The scenario was that during randomized corruption tests we occasionally provide an input which was greater than the modulus. When that happened the value was effectively reduced mod n, so the self-check would later fail, because the decrypted result (reduced mod n) would be compared with the original (larger than n) input.
* Add power analysis countermeasures for ECC point multiplications.Jack Lloyd2015-08-212-35/+37
| | | | | | | | The plain PointGFp operator* now uses Montgomery ladder exclusively. Adds a blinded point multiply algorithm which uses exponent and point randomization, as well as a Montgomery ladder technique that takes a random walk of the possible addition chains for k.
* Remove unused pkcs8 includesSimon Warta2015-08-033-3/+0
| | | | Only botan-cli, botan-tests and the FFI module depend on PKCS8
* pubkey: Add missing overridesDaniel Seither2015-07-3025-86/+89
|