path: root/src/lib/pubkey
Commit message  (Author, Age, Files, Lines)
* Add support for probabilistic DSA & ECDSA  (René Korthaus, 2016-05-08, 4 files, -11/+23)
| Adds support for probabilistic, aka the standard, DSA and ECDSA. Can be enabled
| by disabling the rfc6979 module. Includes test vectors from NIST CAVP.
|
| Adds rfc6979 to the list of prohibited modules in BSI policy.
* Enable ECGDSA in default build  (René Korthaus, 2016-04-20, 1 file, -2/+0)
|
* Add ECGDSA  (René Korthaus, 2016-04-19, 7 files, -11/+306)
|
* Clean up PK decryption encoding.  (Jack Lloyd, 2016-03-20, 4 files, -10/+3)
| Previously RSA and ElGamal stripped off leading zeros which were then assumed
| by the padding decoders. Instead have them produce ciphertexts with leading
| zeros. Changes EME_Raw to strip leading zeros to match existing behavior.
* Add PK_Decryptor::decrypt_or_random  (Jack Lloyd, 2016-03-20, 7 files, -21/+148)
| Performs content checks on the value (expected length, expected bytes) and in
| constant time returns either the decrypted value or a random value.
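The decrypt_or_random pattern described in the commit above, as an added C++ example that is not Botan's code: the content checks (expected length, expected bytes at given offsets) produce a mask rather than a branch, and that mask selects between the decrypted value and a caller-supplied random replacement byte by byte, so a valid and an invalid decryption take the same path. The names (ct::mask_if_zero, decrypt_or_random_ct, ContentCheck) and the sample buffers are this example's assumptions; the decoded buffer is taken to have a public fixed capacity with a secret length and validity mask, as a constant-time unpadder would hand it back.

```cpp
// Added example, not Botan's code: the decrypt_or_random pattern. `decoded` is a
// fixed-capacity buffer (its size, the modulus length, is public); `decoded_len`
// and `decode_valid_mask` are secret. Every check is folded into one mask and
// the mask selects the output, so both outcomes do the same loads and stores.
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

namespace ct {

// All-ones (0xFFFFFFFF) iff x == 0, else 0; no data-dependent branch.
inline uint32_t mask_if_zero(uint32_t x) {
    const uint32_t nonzero = 0u - ((x | (0u - x)) >> 31);  // (x | -x) has its top bit set iff x != 0
    return ~nonzero;
}
inline uint32_t mask_if_equal(uint32_t a, uint32_t b) { return mask_if_zero(a ^ b); }
inline uint8_t mask8_if_equal(uint8_t a, uint8_t b) {
    return static_cast<uint8_t>(mask_if_equal(a, b));
}
// a if mask == 0xFF, b if mask == 0x00.
inline uint8_t select(uint8_t mask, uint8_t a, uint8_t b) {
    return static_cast<uint8_t>((mask & a) | (~mask & b));
}

}  // namespace ct

struct ContentCheck {
    size_t offset;  // position in the decrypted value (public)
    uint8_t value;  // byte required there (public, e.g. a protocol version)
};

// Assumed signature, not the library's API.
std::vector<uint8_t> decrypt_or_random_ct(const std::vector<uint8_t>& decoded,
                                          size_t decoded_len,
                                          uint8_t decode_valid_mask,
                                          const std::vector<uint8_t>& fallback,
                                          size_t expected_len,
                                          const std::vector<ContentCheck>& checks) {
    // Only public sizes are branched on.
    if (expected_len > decoded.size() || fallback.size() != expected_len)
        throw std::invalid_argument("expected_len must fit the decode buffer and fallback");

    uint8_t valid = decode_valid_mask;
    valid &= static_cast<uint8_t>(ct::mask_if_equal(static_cast<uint32_t>(decoded_len),
                                                    static_cast<uint32_t>(expected_len)));
    for (const ContentCheck& c : checks) {
        if (c.offset >= expected_len)
            throw std::invalid_argument("check offset outside the expected value");
        valid &= ct::mask8_if_equal(decoded[c.offset], c.value);
    }

    // Same loads, same stores, whichever way `valid` went.
    std::vector<uint8_t> out(expected_len);
    for (size_t i = 0; i != expected_len; ++i)
        out[i] = ct::select(valid, decoded[i], fallback[i]);
    return out;
}

// Constructed sample: an 8-byte TLS-style premaster value whose first two bytes
// must equal the version 0x03 0x03; capacity 16 stands in for the modulus size,
// and kFallback plays the role of the caller's random replacement.
static const std::vector<uint8_t> kDecoded  = {0x03, 0x03, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
                                               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
static const std::vector<uint8_t> kFallback = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88};
static const std::vector<ContentCheck> kChecks = {{0, 0x03}, {1, 0x03}};

int main() {
    const auto good = decrypt_or_random_ct(kDecoded, 8, 0xFF, kFallback, 8, kChecks);
    const auto bad  = decrypt_or_random_ct(kDecoded, 8, 0x00, kFallback, 8, kChecks);  // unpadder said no
    return (good[2] == 0xAA && bad[2] == 0x33) ? 0 : 1;
}
```

The caller must generate the fallback bytes before the decryption, so that drawing randomness cannot itself become a signal of failure; the function only ever reads indices below expected_len, which is public, so no access pattern depends on the secret length.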
* Merge GH #446 add --module-policy option  (Jack Lloyd, 2016-03-06, 1 file, -0/+2)
|\
| * Add option --module-policy  (Jack Lloyd, 2016-03-06, 1 file, -0/+2)
| | A module policy is a file specifying three types of modules: ones which are
| | required, ones which are prohibited, and ones which should be used if
| | otherwise available (this is mostly for platform specific modules).
| |
| | Finally there are whatever modules which exist in the library of which the
| | policy makes no mention. These will be included if an explicit dependency of
| | some other module pulls them in (so there is no reason to mention base,
| | utils, ... in the file) but skipped otherwise.
| |
| | For example policy 'sane' does not mention 'utils' or 'twofish' either way.
| | Since utils is a dependency of other modules which are included, but Twofish
| | does not. However unlike an explicitly prohibited module, not mentioned can
| | still be requested as part of the build (here with --enable-module=twofish)
| |
| | Also fixes some test bugs noticed by compiling in different build configs.
| | DLIES test didn't check that the KDF and MAC existed. Adds a typedef for
| | MessageAuthenticationCode because typing it twice in a single line in the
| | DLIES test made me think it's way too long. :)
| |
| | Also fix some fuzzer build problems. Due to a copy and paste bug the PKCS
| | certificate (it was not).
| |
| | Inspired by GH #439
* | Merge branch 'master' into clang-analyzer  (Daniel Neus, 2016-03-06, 14 files, -51/+35)
|\ \
| * | Remaining cppcheck fixes that are not covered by GH #444  (Daniel Neus, 2016-03-05, 6 files, -32/+16)
| |/
| * Remove explicit from DL_Group, EC_Group constructors taking std::string  (Jack Lloyd, 2016-03-05, 2 files, -2/+2)
| | I think we maybe want these to be converting constructors, and adding
| | explicit here breaks code like ECDSA_PrivateKey(rng, "secp256r1") which
| | seems like a reasonable thing to support IMO
| * cppcheck fixes: Class 'X' has a constructor with 1 argument that is not explicit.  (Daniel Neus, 2016-03-05, 9 files, -21/+21)
| |
* | fix dead assignment in mce/polyn_gf2m.cpp in polyn_gf2m() found by clang-analyzer  (Daniel Neus, 2016-03-02, 1 file, -3/+1)
|/
* Fix remaining Wshadow warnings and enable on gcc and clang  (René Korthaus, 2016-02-18, 2 files, -9/+9)
|
* Add KDF1 as explicit dependency in MCEIES  (Jack Lloyd, 2016-02-15, 1 file, -0/+1)
| Previously MCEIES used KEM with a raw SHA-512 hash. When the KDF oriented KEM
| interface was added in 72f0f0ad2a it switched to using KDF1(SHA-512) since for
| a 64-byte output and no salt, the output matches the original hash. This
| avoids breaking the format.
|
| Prevents runtime failures when MCEIES is enabled in the build but KDF1 is not.
|
| GH #369
* Fix Coverity findings in McEliece code  (Jack Lloyd, 2016-02-09, 3 files, -14/+20)
| Initialize variables in constructor in gf2m_decomp_rootfind_state
|
| Add asserts on the degree where a positive value was assumed. How polyn_gf2m
| handles the degree needs some work but this should do for now.
* Don't leave member variables uninitialized. Found by Coverity scanner.  (Jack Lloyd, 2016-02-09, 1 file, -1/+1)
|
* V816 It is more efficient to catch exception by reference rather than by value. asn1_time.cpp 159  (Daniel Neus, 2016-02-08, 4 files, -4/+4)
|
* Avoid -Wmaybe-uninitialized warning under GCC 5.3  (Jack Lloyd, 2016-01-29, 1 file, -4/+6)
| As best I can tell it wasn't actually possible for the value to be used
| uninitialized, since it was initialized if m_outer_summands > 1 and only used
| if m_outer_summands was at least 2.
* Prefix more member vars with m_ prefix  (René Korthaus, 2016-01-11, 1 file, -8/+8)
|
* Mass-prefix member vars with m_  (René Korthaus, 2016-01-08, 21 files, -440/+445)
|
* add missing overrides  (Daniel Neus, 2016-01-08, 1 file, -1/+1)
| found by gcc with -Wsuggest-override
* String comparison fixes  (Daniel Neus, 2016-01-04, 2 files, -4/+4)
| fix PVS-Studio performance warnings
* Add ECDH via OpenSSL  (Jack Lloyd, 2016-01-04, 2 files, -3/+8)
| Expose provider param in PK_Key_Agreement API
|
| Handle multiple providers in key agreement tests
|
| Fix some funky formatting of P-521 EC points in ecdh.vec which was being
| rejected by OpenSSL; for whatever reason the CAVS file had the affine coords
| with far more leading zeros than necessary.
* Merge pull request #381 from cordney/fix-load-unencryped-key-from-ber  (Jack Lloyd, 2015-12-31, 2 files, -31/+99)
|\
| | Fix loading of unencrypted, BER encoded private keys via PKCS8 api
| * Fix loading of unencrypted, BER encoded private keys via PKCS8 api  (René Korthaus, 2015-12-25, 2 files, -31/+99)
| |
* | Move McEliece KEM operation into the same file as the key type.  (Jack Lloyd, 2015-12-26, 2 files, -74/+65)
| | Otherwise we run into the old problem in the static non-amalgamation build of
| | the operation not being loaded even though the key itself was referenced;
| | since now the operation is loaded as a by-product of referencing the key type
| | (as with other impls) everything works out.
* | Remove debug prints  (Jack Lloyd, 2015-12-26, 1 file, -4/+0)
| |
* | Add generalized KEM interface  (Jack Lloyd, 2015-12-26, 11 files, -102/+367)
|/
| Convert McEliece KEM to use it
|
| Add RSA-KEM
* Merge the openssl code together.  (Jack Lloyd, 2015-12-19, 2 files, -496/+0)
| Having the code diffused all over the place was ugly and would not scale well
| to multiple alternative providers.
|
| GH #368
* Remove all remaining uses of throwing a std:: exception directly  (Jack Lloyd, 2015-12-19, 1 file, -1/+2)
| See GH #340 and 6b9a3a5 for background
* Missing adds  (Jack Lloyd, 2015-12-11, 2 files, -2/+1)
|
* Reroot the exception hierarchy into a toplevel Exception class  (Jack Lloyd, 2015-12-11, 7 files, -13/+13)
| As the alternatives are unfortunate for applications trying to catch all
| library errors, and it seems deriving from std::runtime_error causes problems
| with MSVC DLLs (GH #340)
|
| Effectively reverts 2837e915d82e43
* Remove support for broken 112 and 128 bit SECP ECC groups.  (Jack Lloyd, 2015-12-02, 1 file, -46/+0)
|
* Add update overload taking std::string to PK_Verifier and PK_Signer  (Jack Lloyd, 2015-12-02, 1 file, -1/+19)
| Because convenient
* Add more workfactor estimate helpers.  (Jack Lloyd, 2015-11-29, 6 files, -32/+53)
| Specifically a named one for integer factorization (despite using same formula
| as DL calc) which incorporates the k value from RFC 3766.
|
| Also adds dl_exponent_size which returns the exponent size, this one ignores k
| thus using a ~10 bit larger exponent than strictly necessary.
|
| Adding in k downgrades 1024 bit RSA to exactly 80 bits, which is probably
| about right.
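The work-factor estimate the commit above refers to, carried out as an added example (not Botan's code) in the L[1/3, 1.92] subexponential form RFC 3766 uses for the number field sieve, with the k = 0.02 adjustment folded in as log2(k) for factoring only, so the effect the message describes can be seen on 1024-, 2048- and 3072-bit sizes. The constants, the exponent-size rule and the function names are this example's assumptions, not the library's.

```cpp
// Added example, not Botan's code: NFS work-factor estimates in the form RFC 3766
// uses. Constants and the exponent-size rule are assumptions for this example.
#include <algorithm>
#include <cmath>
#include <cstddef>

// log2 of the NFS effort for an n-bit integer:
//   ln L ~= 1.92 * cbrt(ln N * (ln ln N)^2), with ln N ~= bits * ln 2
double nfs_log2_work(size_t bits) {
    const double ln_n = static_cast<double>(bits) * std::log(2.0);
    const double ln_ln_n = std::log(ln_n);
    const double ln_work = 1.92 * std::cbrt(ln_n * ln_ln_n * ln_ln_n);
    return ln_work / std::log(2.0);
}

// Integer factorization (RSA): apply RFC 3766's k = 0.02, which costs ~5.6 bits.
size_t if_work_factor(size_t bits) {
    return static_cast<size_t>(nfs_log2_work(bits) + std::log2(0.02));
}

// Discrete log in a prime field: same formula without k, as the commit notes.
size_t dl_work_factor(size_t bits) {
    return static_cast<size_t>(nfs_log2_work(bits));
}

// Exponent size for DL schemes: twice the (k-free) work factor, so generic
// square-root attacks on the subgroup cost at least as much as NFS, and never
// below 128 bits. The doubling and the floor are this example's choices.
size_t dl_exponent_size(size_t bits) {
    return 2 * std::max<size_t>(64, dl_work_factor(bits));
}

int main() {
    // 1024-bit RSA comes out near 80 bits, 2048 near 111, 3072 near 132.
    return (if_work_factor(2048) > if_work_factor(1024)) ? 0 : 1;
}
```

The difference between dl_work_factor and if_work_factor at a given size is exactly the -log2(0.02), roughly 5.6 bits, which is the "downgrade" the commit message mentions for 1024-bit RSA.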
* Update and consolidate the test framework.  (Jack Lloyd, 2015-11-11, 1 file, -0/+4)
| The tests previously had used 4 to 6 different schemes internally (the vec
| file reader framework, Catch, the old InSiTo Boost.Test tests, the PK/BigInt
| tests which escaped the rewrite in 1.11.7, plus a number of one-offs).
| Converge on a design that works everywhere, and update all the things.
|
| Fix also a few bugs found by the test changes: SHA-512-256 name incorrect,
| OpenSSL RC4 name incorrect, signature of FFI function botan_pubkey_destroy was
| wrong.
* Fix McEliece key gen endian dependency.  (Jack Lloyd, 2015-10-27, 3 files, -20/+27)
| The tests which generate McEliece keys using a deterministic RNG and fixed
| seed failed on PowerPC (or other big endian systems) because the vectors
| assumed we were creating elements little endian, which is what happened with
| rng.randomize(&u16, 2) on x86
|
| Fix it to always be little endian. No particular reason to prefer one vs the
| other here (we're just trying for compatibility with ourselves) and choosing
| little endian avoids having to regen the vectors.
* Compile fix  (Jack Lloyd, 2015-10-26, 1 file, -1/+1)
|
* Merge pull request #314 from randombit/ct-tls-cbc-padding  (Jack Lloyd, 2015-10-26, 1 file, -17/+3)
|\
| | TLS improvements
| * Asan fix - referencing &vec[vec.size()] instead of vec.end()  (Jack Lloyd, 2015-10-26, 1 file, -17/+3)
| | Convert to a const time algo
* | Add missing include  (Jack Lloyd, 2015-10-26, 1 file, -0/+1)
|/
* Make Montgomery reduction constant time.  (Jack Lloyd, 2015-10-24, 2 files, -8/+8)
| It was already close, but the carry loop would break early and selecting which
| value to copy out was indexed on the borrow bit. Have the carry loop run
| through, and add a const-time conditional copy operation and use that to copy
| the output.
|
| Convert ct_utils to CT namespace. Templatize the utils, which I was hesitant
| to do initially but is pretty useful when dealing with arbitrary word sizes.
|
| Remove the poison macros, replace with inline funcs which reads cleaner at the
| call site.
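The two changes the commit above describes, as an added example that is not Botan's code, on small fixed-width little-endian limb arrays: a carry loop that visits every limb instead of breaking out once the carry is gone (shown beside the leaky form it replaces), and a final reduction that picks x or x - p through a mask-driven conditional copy rather than indexing on the borrow bit. Carry and borrow are derived from bit arithmetic rather than comparisons. The names, the template style and the 4-limb sample values are this example's assumptions.

```cpp
// Added example, not Botan's code: constant-time carry propagation and the
// mask-selected final subtraction of a Montgomery-style reduction, on
// fixed-width little-endian limb arrays. Names and sample values are assumed.
#include <array>
#include <cstddef>
#include <cstdint>

namespace ct {

// 0/1 -> all-zeros/all-ones
template <typename T> inline T expand_mask(T bit) { return static_cast<T>(0) - (bit & 1); }

// out[i] = mask ? a[i] : b[i] for every i, with no branch on mask.
template <typename T, size_t N>
inline void conditional_copy(T mask, std::array<T, N>& out,
                             const std::array<T, N>& a, const std::array<T, N>& b) {
    for (size_t i = 0; i != N; ++i) out[i] = (mask & a[i]) | (~mask & b[i]);
}

// diff = x - p over all N limbs; returns the final borrow (1 iff x < p).
template <typename T, size_t N>
inline T sub_borrow(std::array<T, N>& diff, const std::array<T, N>& x, const std::array<T, N>& p) {
    constexpr unsigned top = sizeof(T) * 8 - 1;
    T borrow = 0;
    for (size_t i = 0; i != N; ++i) {
        const T t = x[i] - p[i] - borrow;
        // borrow-out of (x - p - borrow_in), from the operands' and result's top bits
        borrow = ((~x[i] & p[i]) | (~(x[i] ^ p[i]) & t)) >> top;
        diff[i] = t;
    }
    return borrow;
}

// The pattern the commit removed: the loop exits once the carry is zero, so
// the running time depends on how far the carry ripples through the limbs.
template <typename T, size_t N>
void propagate_carry_leaky(std::array<T, N>& x, typename std::array<T, N>::value_type carry) {
    for (size_t i = 0; i != N && carry != 0; ++i) {
        x[i] += carry;
        carry = (x[i] < carry) ? 1 : 0;
    }
}

// Constant-time replacement: always N iterations, carry-out from bit arithmetic.
template <typename T, size_t N>
void propagate_carry_ct(std::array<T, N>& x, typename std::array<T, N>::value_type carry) {
    constexpr unsigned top = sizeof(T) * 8 - 1;
    for (size_t i = 0; i != N; ++i) {
        const T t = x[i] + carry;
        carry = ((x[i] & carry) | ((x[i] | carry) & ~t)) >> top;
        x[i] = t;
    }
}

}  // namespace ct

// Final step of a Montgomery-style reduction: given x < 2p, return x mod p as
// either x or x - p, chosen by a mask rather than by `x < p ? x : diff`.
template <typename T, size_t N>
std::array<T, N> reduce_once(const std::array<T, N>& x, const std::array<T, N>& p) {
    std::array<T, N> diff{};
    const T borrow = ct::sub_borrow(diff, x, p);  // 1 iff x < p
    const T keep_x = ct::expand_mask(borrow);     // all-ones iff x < p
    std::array<T, N> out{};
    ct::conditional_copy(keep_x, out, x, diff);
    return out;
}

int main() {
    // Sample values (assumed): p = 2^64 + 5, x = 2*2^64 + 3, so x mod p = 2^64 - 2.
    const std::array<uint64_t, 4> p{5, 1, 0, 0};
    const std::array<uint64_t, 4> x{3, 2, 0, 0};
    const auto r = reduce_once(x, p);
    return (r[0] == 0xFFFFFFFFFFFFFFFEull && r[1] == 0) ? 0 : 1;
}
```

Both carry routines compute the same result; the point of the second one is that its instruction trace and memory accesses do not change with the value being carried, which is what a tool like ctgrind checks for.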
* Break up openssl provider  (Jack Lloyd, 2015-10-19, 2 files, -0/+510)
| For RSA, RC4, and ECDSA put the openssl versions in the same directory as the
| base version. They just rely on a macro check for the openssl module to test
| for the desire to use OpenSSL.
* Make PKCS #1 and OAEP decoding constant time to avoid oracle attacks  (Jack Lloyd, 2015-10-16, 1 file, -0/+9)
| via timing channels.
|
| Add annotations for checking constant-time code using ctgrind to PKCS #1 and
| OAEP, as well as IDEA and Curve25519 which were already written as constant
| time code.
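A constant-time EME-PKCS1-v1_5 unpadder in the spirit of the commit above, as an added example that is not the library's code: every condition becomes a mask, there is no early exit, and the message is extracted with a fixed-cost mask-selected shift, so a Bleichenbacher-style padding oracle gets no timing signal from the check. It expects the full k-byte RSA output with its leading zero, matching the 2016-03-20 encoding change listed above. The helper names, the Unpadded struct and the constructed sample block are assumptions.

```cpp
// Added example, not Botan's code: EME-PKCS1-v1_5 unpadding without branches on
// secret data. Each condition becomes a mask; the message is pulled out with a
// mask-selected shift whose cost depends only on the public block size k.
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

namespace ct {
constexpr size_t TOP = sizeof(size_t) * 8 - 1;
inline size_t mask_if_zero(size_t x) {            // all-ones iff x == 0
    return ~(static_cast<size_t>(0) - ((x | (static_cast<size_t>(0) - x)) >> TOP));
}
inline size_t mask_if_equal(size_t a, size_t b) { return mask_if_zero(a ^ b); }
inline size_t mask_if_less(size_t a, size_t b) {  // all-ones iff a < b (a, b below 2^(bits-1))
    return static_cast<size_t>(0) - ((a - b) >> TOP);
}
}  // namespace ct

struct Unpadded {
    std::vector<uint8_t> msg;  // k - 11 bytes: message left-aligned, zero after msg_len
    size_t msg_len;            // secret; meaningful only when valid_mask is 0xFF
    uint8_t valid_mask;        // 0xFF if the padding was well-formed, else 0x00
};

// Decode 0x00 || 0x02 || PS (>= 8 non-zero bytes) || 0x00 || M from the full
// k-byte RSA output. Only k, which is public, steers control flow.
Unpadded pkcs1_v15_unpad_ct(const std::vector<uint8_t>& in) {
    const size_t k = in.size();
    if (k < 11) throw std::invalid_argument("block too short for PKCS#1 v1.5");  // public size

    size_t bad = ~ct::mask_if_equal(in[0], 0x00);
    bad |= ~ct::mask_if_equal(in[1], 0x02);

    // First zero byte at or after index 2, found without branching.
    size_t seen = 0, delim = 0;
    for (size_t i = 2; i != k; ++i) {
        const size_t is_z = ct::mask_if_zero(in[i]);
        delim |= (is_z & ~seen) & i;  // latches i only on the first zero
        seen |= is_z;
    }
    bad |= ~seen;                           // no delimiter at all
    bad |= ct::mask_if_less(delim, 2 + 8);  // fewer than 8 padding bytes
    const size_t valid = ~bad;

    // M starts at delim + 1. Visit every legal delimiter position; only the
    // matching one contributes, and the work done is the same for all inputs.
    const size_t max_msg = k - 11;
    Unpadded out{std::vector<uint8_t>(max_msg, 0), 0, 0};
    for (size_t d = 10; d != k; ++d) {
        const size_t here = ct::mask_if_equal(d, delim) & valid;
        for (size_t j = 0; j + d + 1 < k; ++j)
            out.msg[j] |= static_cast<uint8_t>(here & in[j + d + 1]);
        out.msg_len |= here & (k - d - 1);
    }
    out.valid_mask = static_cast<uint8_t>(valid);
    return out;
}

// Constructed sample block, k = 32: 0x00 0x02, sixteen non-zero padding bytes,
// 0x00, then the 13-byte message. It is not a real RSA output.
std::vector<uint8_t> sample_block() {
    std::vector<uint8_t> b = {0x00, 0x02};
    for (uint8_t i = 1; i <= 16; ++i) b.push_back(static_cast<uint8_t>(0x10 + i));
    b.push_back(0x00);
    for (const char* p = "hello, botan!"; *p; ++p) b.push_back(static_cast<uint8_t>(*p));
    return b;
}

int main() {
    const Unpadded u = pkcs1_v15_unpad_ct(sample_block());
    return (u.valid_mask == 0xFF && u.msg_len == 13 && u.msg[0] == 'h') ? 0 : 1;
}
```

The quadratic extraction loop is the price of not indexing on the secret delimiter; for RSA block sizes it is a few thousand byte operations, negligible next to the modular exponentiation. The valid_mask and msg_len are still secret on return, and a caller that wants a public-size result should feed them into a decrypt_or_random style selection rather than branch on them.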
* MSVC build fix  (Jack Lloyd, 2015-10-15, 2 files, -9/+10)
|
* Prohibit creating a DL_Group smaller than 1024 bits  (Jack Lloyd, 2015-10-15, 1 file, -2/+2)
|
* Periodically reinitialize the blinding sequence instead of always  (Jack Lloyd, 2015-10-15, 2 files, -13/+39)
| deriving it by squaring the previous value.
* Expose providers for public key operations  (Jack Lloyd, 2015-10-14, 2 files, -43/+61)
| For PK_Encryptor and company they are requested via a new provider param to
| the constructors.
|
| The speed command gets a --provider option so you can see benchmark results
| with the different versions.
* Move DataSource to utils and rewrite PEM encoding to avoid filters  (Jack Lloyd, 2015-10-14, 1 file, -1/+1)
| Removes filters as an internal dependency pretty much entirely (outside of
| some dusty corners in misc).
* Merge pull request #286 from randombit/mce-cleanup  (Jack Lloyd, 2015-09-30, 25 files, -1201/+986)
|\
| | Cleanup and document McEliece implementation