| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
Adds support for probabilistic, aka the standard, DSA and ECDSA.
Can be enabled by disabling the rfc6979 module.
Includes test vectors from NIST CAVP.
Adds rfc6979 to the list of prohibited modules in BSI policy.
|
| |
|
| |
|
|
|
|
|
|
|
| |
Previously RSA and ElGamal stripped off leading zeros which were then
assumed by the padding decoders. Instead have them produce ciphertexts
with leading zeros. Changes EME_Raw to strip leading zeros to match
existing behavior.
|
|
|
|
|
| |
Performs content checks on the value (expected length, expected bytes)
and in constant time returns either the decrypted value or a random value.
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
A module policy is a file specifying three types of modules: ones which
are required, ones which are prohibited, and ones which should be used
if otherwise available (this is mostly for platform specific modules).
Finally there are whatever modules which exist in the library of which
the policy makes no mention. These will be included if an explicit
dependency of some other module pulls them in (so there is no reason
to mention base, utils, ... in the file) but skipped otherwise.
For example policy 'sane' does not mention 'utils' or 'twofish' either
way. Since utils is a dependency of other modules which are included,
but Twofish does not. However unlike an explicitly prohibited module,
not mentioned can still be requested as part of the build (here with
--enable-module=twofish)
Also fixes some test bugs noticed by compiling in different build
configs. DLIES test didn't check that the KDF and MAC existed. Adds a
typedef for MessageAuthenticationCode because typing it twice in a
single line in the DLIES test made me think it's way too long. :) Also
fix some fuzzer build problems. Due to a copy and paste bug the PKCS
certificate (it was not).
Inspired by GH #439
|
|\ \ |
|
| |/ |
|
| |
| |
| |
| |
| |
| | |
I think we maybe want these to be converting constructors, and adding
explicit here breaks code like ECDSA_PrivateKey(rng, "secp256r1")
which seems like a reasonable thing to support IMO
|
| |
| |
| |
| | |
explicit.
|
|/
|
|
| |
clang-analyzer
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Previously MCEIES used KEM with a raw SHA-512 hash. When the KDF
oriented KEM interface was added in 72f0f0ad2a it switched to using
KDF1(SHA-512) since for a 64-byte output and no salt, the output
matches the original hash. This avoids breaking the format.
Prevents runtime failures when MCEIES is enabled in the build but KDF1
is not. GH #369
|
|
|
|
|
|
|
|
| |
Initialize variables in constructor in gf2m_decomp_rootfind_state
Add asserts on the degree where a positive value was assumed. How
polyn_gf2m handles the degree needs some work but this should do for
now.
|
| |
|
|
|
|
| |
value. asn1_time.cpp 159
|
|
|
|
|
|
| |
As best I can tell it wasn't actually possible for the value to be
used uninitialized, since it was initialized if m_outer_summands > 1
and only used if m_outer_summands was at least 2.
|
| |
|
| |
|
|
|
|
| |
found by gcc with -Wsuggest-override
|
|
|
|
| |
fix PVS-Studio perfomance warnings
|
|
|
|
|
|
|
|
|
|
| |
Expose provider param in PK_Key_Agreement API
Handle multiple providers in key agreement tests
Fix some funky formatting of P-521 EC points in ecdh.vec which was
being rejected by OpenSSL; for whatever reason the CAVS file had
the affine coords with far more leading zeros than necessary.
|
|\
| |
| | |
Fix loading of unencrypted, BER encoded private keys via PKCS8 api
|
| | |
|
| |
| |
| |
| |
| |
| |
| | |
Otherwise we run into the old problem in the static non-amalgamation
build of the operation not being loaded even though the key itself was
referenced; since now the operation is loaded as a by-product of
referencing the key type (as with other impls) everything works out.
|
| | |
|
|/
|
|
|
|
| |
Convert McEliece KEM to use it
Add RSA-KEM
|
|
|
|
|
|
|
| |
Having the code diffused all over the place was ugly and would
not scale well to multiple alternative providers.
GH #368
|
|
|
|
| |
See GH #340 and 6b9a3a5 for background
|
| |
|
|
|
|
|
|
|
|
| |
As the alternatives are unfortunate for applications trying to catch
all library errors, and it seems deriving from std::runtime_error
causes problems with MSVC DLLs (GH #340)
Effectively reverts 2837e915d82e43
|
| |
|
|
|
|
| |
Because convenient
|
|
|
|
|
|
|
|
|
|
| |
Specifically a named one for integer factorization (despite using same
formula as DL calc) which incorporates the k value from RFC 3766. Also
adds dl_exponent_size which returns the exponent size, this one ignores
k thus using a ~10 bit larger exponent than strictly necessary.
Adding in k downgrades 1024 bit RSA to exactly 80 bits, which is probably
about right.
|
|
|
|
|
|
|
|
|
|
|
| |
The tests previously had used 4 to 6 different schemes internally (the vec file
reader framework, Catch, the old InSiTo Boost.Test tests, the PK/BigInt tests
which escaped the rewrite in 1.11.7, plus a number of one-offs). Converge on a
design that works everywhere, and update all the things.
Fix also a few bugs found by the test changes: SHA-512-256 name incorrect,
OpenSSL RC4 name incorrect, signature of FFI function botan_pubkey_destroy
was wrong.
|
|
|
|
|
|
|
|
|
|
|
| |
The tests which generate McEliece keys using a deterministic RNG and
fixed seed failed on PowerPC (or other big endian systems) because the
vectors assumed we were creating elements little endian, which is
what happend with rng.randomize(&u16, 2) on x86
Fix it to always be little endian. No particular reason to prefer one vs the
other here (we're just trying for compatability with ourselves) and choosing
little endian avoids having to regen the vectors.
|
| |
|
|\
| |
| | |
TLS improvements
|
| |
| |
| |
| | |
Convert to a const time algo
|
|/ |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It was already close, but the carry loop would break early and
selecting which value to copy out was indexed on the borrow bit. Have
the carry loop run through, and add a const-time conditional copy
operation and use that to copy the output.
Convert ct_utils to CT namespace. Templatize the utils, which I was
hesitant to do initially but is pretty useful when dealing with
arbitrary word sizes.
Remove the poison macros, replace with inline funcs which reads
cleaner at the call site.
|
|
|
|
|
|
| |
For RSA, RC4, and ECDSA put the openssl versions in the same directory
as the base version. They just rely on a macro check for the openssl
module to test for the desire to use OpenSSL.
|
|
|
|
|
|
|
|
| |
via timing channels.
Add annotations for checking constant-time code using ctgrind to
PKCS #1 and OAEP, as well as IDEA and Curve25519 which were already
written as constant time code.
|
| |
|
| |
|
|
|
|
| |
deriving it by squaring the previous value.
|
|
|
|
|
|
|
|
| |
For PK_Encryptor and company they are requested via a new provider param
to the constructors.
The speed command gets a --provider option so you can see benchmark results
with the different versions.
|
|
|
|
|
| |
Removes filters as as an internal dependency pretty much entirely
(outside of some dusty corners in misc).
|
|\
| |
| | |
Cleanup and document McEliece implementation
|