path: root/src/lib/pubkey
Commit message  (Author, Date, Files changed, Lines -/+)
* Add more workfactor estimate helpers.  (Jack Lloyd, 2015-11-29, 6 files, -32/+53)

    Specifically a named one for integer factorization (despite using same formula as DL calc) which incorporates the k value from RFC 3766. Also adds dl_exponent_size which returns the exponent size; this one ignores k, thus using a ~10 bit larger exponent than strictly necessary. Adding in k downgrades 1024 bit RSA to exactly 80 bits, which is probably about right.
* Update and consolidate the test framework.  (Jack Lloyd, 2015-11-11, 1 file, -0/+4)

    The tests previously had used 4 to 6 different schemes internally (the vec file reader framework, Catch, the old InSiTo Boost.Test tests, the PK/BigInt tests which escaped the rewrite in 1.11.7, plus a number of one-offs). Converge on a design that works everywhere, and update all the things.

    Fix also a few bugs found by the test changes: SHA-512-256 name incorrect, OpenSSL RC4 name incorrect, signature of FFI function botan_pubkey_destroy was wrong.
* Fix McEliece key gen endian dependency.  (Jack Lloyd, 2015-10-27, 3 files, -20/+27)

    The tests which generate McEliece keys using a deterministic RNG and fixed seed failed on PowerPC (or other big endian systems) because the vectors assumed we were creating elements little endian, which is what happened with rng.randomize(&u16, 2) on x86.

    Fix it to always be little endian. No particular reason to prefer one vs the other here (we're just trying for compatibility with ourselves) and choosing little endian avoids having to regen the vectors.
* Compile fix  (Jack Lloyd, 2015-10-26, 1 file, -1/+1)
* Merge pull request #314 from randombit/ct-tls-cbc-padding  (Jack Lloyd, 2015-10-26, 1 file, -17/+3)

    TLS improvements

  * Asan fix - referencing &vec[vec.size()] instead of vec.end()  (Jack Lloyd, 2015-10-26, 1 file, -17/+3)

      Convert to a const time algo

* Add missing include  (Jack Lloyd, 2015-10-26, 1 file, -0/+1)
* Make Montgomery reduction constant time.  (Jack Lloyd, 2015-10-24, 2 files, -8/+8)

    It was already close, but the carry loop would break early and selecting which value to copy out was indexed on the borrow bit. Have the carry loop run through, and add a const-time conditional copy operation and use that to copy the output.

    Convert ct_utils to CT namespace. Templatize the utils, which I was hesitant to do initially but is pretty useful when dealing with arbitrary word sizes. Remove the poison macros, replace with inline funcs which reads cleaner at the call site.
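The two fixes the message describes (let the borrow loop run over every word instead of breaking early, and choose the output with a conditional copy rather than indexing on the borrow bit) are easiest to see on the last step of a Montgomery reduction, where a value in [0, 2n) has to be brought below n. The code below is an added illustration written for this page, not Botan's CT namespace or its Montgomery code. It assumes little-endian word order (word 0 is least significant), equal-length inputs, and an input already below 2n. The helper names (ct_expand_mask, ct_select, ct_conditional_copy, word_sub3, ct_reduce_once) are this example's own. Whether a compiler keeps the mask arithmetic branch-free is a property of the build, which is why tools such as ctgrind are used to confirm it.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Expand a 0/1 bit into an all-zeros / all-ones word without a branch.
static inline uint64_t ct_expand_mask(uint64_t bit) { return 0 - (bit & 1); }

// mask ? a : b, computed arithmetically so the choice is not a branch.
static inline uint64_t ct_select(uint64_t mask, uint64_t a, uint64_t b) {
   return (mask & a) | (~mask & b);
}

// out[i] = mask ? a[i] : b[i] for every i. Every word is read and written
// regardless of mask, so the memory access pattern is input-independent.
static void ct_conditional_copy(uint64_t mask, uint64_t* out,
                                const uint64_t* a, const uint64_t* b, size_t n) {
   for(size_t i = 0; i != n; ++i)
      out[i] = ct_select(mask, a[i], b[i]);
}

// Borrow out of the subtraction d = a - b, derived from the sign bits only
// (no comparison operator, which a compiler is free to turn into a branch).
static inline uint64_t ct_borrow(uint64_t a, uint64_t b, uint64_t d) {
   return ((~a & b) | (~(a ^ b) & d)) >> 63;
}

// *r = a - b - borrow_in with borrow_in in {0, 1}; returns the borrow out.
static inline uint64_t word_sub3(uint64_t a, uint64_t b, uint64_t borrow_in, uint64_t* r) {
   const uint64_t d = a - b;
   const uint64_t e = d - borrow_in;
   *r = e;
   return ct_borrow(a, b, d) | ct_borrow(d, borrow_in, e);
}

// Final step of a Montgomery reduction: t is in [0, 2n); return t mod n.
// Both word arrays are little-endian and of equal length (assumption).
// The subtraction always runs over the full length (no early break on a
// borrow) and the result is selected with a conditional copy instead of
// indexing a table on the borrow bit.
static std::vector<uint64_t> ct_reduce_once(const std::vector<uint64_t>& t,
                                            const std::vector<uint64_t>& n) {
   const size_t words = t.size();
   std::vector<uint64_t> diff(words), out(words);

   uint64_t borrow = 0;
   for(size_t i = 0; i != words; ++i)
      borrow = word_sub3(t[i], n[i], borrow, &diff[i]);

   // borrow == 1 means t < n: keep t. Otherwise t >= n: take t - n.
   ct_conditional_copy(ct_expand_mask(borrow), out.data(), t.data(), diff.data(), words);
   return out;
}
```

The cross-word case matters: with t = 2^64 and n = 1 the borrow generated in word 0 must propagate into word 1, which only happens if the loop does not stop at the first word that produced one.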
* Break up openssl provider  (Jack Lloyd, 2015-10-19, 2 files, -0/+510)

    For RSA, RC4, and ECDSA put the openssl versions in the same directory as the base version. They just rely on a macro check for the openssl module to test for the desire to use OpenSSL.
* Make PKCS #1 and OAEP decoding constant time to avoid oracle attacks  (Jack Lloyd, 2015-10-16, 1 file, -0/+9)

    via timing channels. Add annotations for checking constant-time code using ctgrind to PKCS #1 and OAEP, as well as IDEA and Curve25519 which were already written as constant time code.
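The oracle the message refers to arises when an unpadding routine stops at the first malformed byte: the time (or error code) then tells an attacker which byte broke, which is the basis of Bleichenbacher-style attacks on PKCS #1 v1.5. As an added example written for this page (not Botan's EME_PKCS1v15 or OAEP code), here is a check of the v1.5 type 2 block layout 0x00 || 0x02 || PS || 0x00 || M with |PS| >= 8 and no zero bytes in PS, which visits every byte and tracks the separator position with masks, so a good block and a bad block cost the same. Only the block length is treated as public. The sample blocks are constructed. The struct and function names are this example's own, and copying the variable-length message out afterwards needs the same care, which is not shown here.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// 0xFF if x == 0, else 0x00, computed without a branch.
static inline uint8_t ct_is_zero8(uint8_t x) {
   return static_cast<uint8_t>((static_cast<uint16_t>(x) - 1) >> 8);
}
static inline uint8_t ct_is_equal8(uint8_t a, uint8_t b) { return ct_is_zero8(a ^ b); }

// 0xFF if x < bound, else 0x00, for small non-negative values (sign bit of x - bound).
static inline uint8_t ct_is_less(size_t x, size_t bound) {
   return static_cast<uint8_t>(0 - ((x - bound) >> (8 * sizeof(size_t) - 1)));
}

struct UnpadResult {
   bool valid;        // true iff em is a well-formed type 2 block
   size_t msg_start;  // index of the first message byte (meaningful only if valid)
};

// Checks EM = 0x00 || 0x02 || PS || 0x00 || M with |PS| >= 8 and PS free of zero
// bytes. The loop runs over every byte and the separator position is updated
// with masks, so the work done does not depend on where (or whether) the
// padding is broken; only the final verdict is computed from the accumulated flags.
static UnpadResult ct_pkcs1_v15_unpad(const std::vector<uint8_t>& em) {
   if(em.size() < 11)   // the block length is public: too short for header + 8-byte PS + separator
      return {false, 0};

   uint8_t bad = 0;
   bad |= static_cast<uint8_t>(~ct_is_equal8(em[0], 0x00));
   bad |= static_cast<uint8_t>(~ct_is_equal8(em[1], 0x02));

   uint8_t seen_zero = 0;   // becomes 0xFF once the first 0x00 after the header is passed
   size_t zero_pos = 0;
   for(size_t i = 2; i < em.size(); ++i) {
      const uint8_t is_zero = ct_is_zero8(em[i]);
      const uint8_t first = static_cast<uint8_t>(is_zero & ~seen_zero);
      const size_t m = 0 - static_cast<size_t>(first & 1);
      zero_pos = (m & i) | (~m & zero_pos);   // zero_pos = first ? i : zero_pos
      seen_zero |= is_zero;
   }
   bad |= static_cast<uint8_t>(~seen_zero);   // no separator at all
   bad |= ct_is_less(zero_pos, 10);           // PS occupies indices 2..9 at minimum

   return {bad == 0, zero_pos + 1};
}

// Constructed sample blocks (not real RSA output); each has a 13-byte layout.
static const std::vector<uint8_t> kGoodEM    = {0x00, 0x02, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x00, 'h', 'i'};
static const std::vector<uint8_t> kBadHeader = {0x00, 0x01, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x00, 'h', 'i'};
static const std::vector<uint8_t> kShortPS   = {0x00, 0x02, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x00, 'h', 'i', 0x01};
static const std::vector<uint8_t> kNoSep     = {0x00, 0x02, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 'h', 'i'};
```

The shape to notice is that `bad` is only ever OR-ed into: nothing returns early on a failed header byte, a short padding string, or a missing separator, so the three failure modes are indistinguishable by timing.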
* MSVC build fix  (Jack Lloyd, 2015-10-15, 2 files, -9/+10)
* Prohibit creating a DL_Group smaller than 1024 bits  (Jack Lloyd, 2015-10-15, 1 file, -2/+2)
* Periodically reinitialize the blinding sequence instead of always  (Jack Lloyd, 2015-10-15, 2 files, -13/+39)

    deriving it by squaring the previous value.
* Expose providers for public key operations  (Jack Lloyd, 2015-10-14, 2 files, -43/+61)

    For PK_Encryptor and company they are requested via a new provider param to the constructors. The speed command gets a --provider option so you can see benchmark results with the different versions.
* Move DataSource to utils and rewrite PEM encoding to avoid filters  (Jack Lloyd, 2015-10-14, 1 file, -1/+1)

    Removes filters as an internal dependency pretty much entirely (outside of some dusty corners in misc).
* Merge pull request #286 from randombit/mce-cleanup  (Jack Lloyd, 2015-09-30, 25 files, -1201/+986)

    Cleanup and document McEliece implementation

  * McEliece cleanups  (Jack Lloyd, 2015-09-29, 25 files, -1201/+986)

      Remove and consolidate various headers

      Reduce memory usage of GF2m_Field by sharing the log and exponent tables across all instances of a particular word size.

      Remove McEliece_Public_Operation and McEliece_Private_Operation which were difficult to use safely. Instead only the KEM operations are exposed.

      Add McEliece_PublicKey::random_plaintext_element

      Add command line `mce` tool and some McEliece documentation

      Convert the speed program to check McEliece keys of the suggested size

      Add McEliece KATs for both key generation and KEM

      Fix HMAC_DRBG constructor which derefed a pointer before its time

* Remove warning: assuming signed overflow does not occur  (Simon Warta, 2015-09-25, 1 file, -1/+1)

    warning: assuming signed overflow does not occur when reducing constant in comparison [-Wstrict-overflow]
    cond1 = r0.get_degree() <= break_deg - 1;
* Remove use of lookup.h in favor of new T::create API.  (Jack Lloyd, 2015-09-21, 1 file, -2/+2)
* Internal header cleanups  (Jack Lloyd, 2015-09-19, 3 files, -3/+0)

    Only user-visible change is the removal of get_byte.h
* Fix pbkdf, pk padding and ECDH registration for static linking.  (Jack Lloyd, 2015-09-11, 2 files, -1/+3)

    With this change the tests pass when linked against a static library built in the normal (non-amalgamation) fashion. Remove the restriction in configure.py, and have circleci build the clang static build as a non-amalg.
* Remove alloc module; move secmem.h to base and locking_allocator to utils  (Jack Lloyd, 2015-08-29, 4 files, -4/+0)
* Remove unused variable  (Jack Lloyd, 2015-08-28, 1 file, -3/+0)
* Missing add  (Jack Lloyd, 2015-08-21, 1 file, -0/+1)
* In RSA, check that the input is less than the modulus n before blinding  (Jack Lloyd, 2015-08-21, 1 file, -5/+7)

    rather than after. After blinding the value is always reduced mod n so the condition is never met. This may be the cause of RSA test failures described in GH #174

    The scenario was that during randomized corruption tests we occasionally provide an input which was greater than the modulus. When that happened the value was effectively reduced mod n, so the self-check would later fail, because the decrypted result (reduced mod n) would be compared with the original (larger than n) input.
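The ordering bug is easy to reproduce on a textbook-sized key. The code below is an added example written for this page, not Botan's RSA code: a blinded private-key operation with the range check placed either before blinding (the fix) or after it (the old behaviour), followed by the re-encrypt self-check the message mentions. The parameters p = 61, q = 53, n = 3233, e = 17, d = 2753 are constructed toy values, the blinding factor r is fixed rather than drawn from an RNG, and the names ToyRSA, blinded_private_op and verify_roundtrip are this example's own.

```cpp
#include <cstdint>
#include <optional>

// Textbook toy RSA parameters (constructed; far too small for real use). phi = (p-1)(q-1).
struct ToyRSA { uint64_t n, e, d, phi; };
static const ToyRSA KEY{3233, 17, 2753, 3120};

// n < 2^32, so a product of two residues fits in 64 bits.
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) { return (a * b) % m; }

static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m) {
   uint64_t result = 1 % m;
   base %= m;
   while(exp) {
      if(exp & 1) result = mulmod(result, base, m);
      base = mulmod(base, base, m);
      exp >>= 1;
   }
   return result;
}

// Blinded RSA private-key operation m = c^d mod n with blinding factor r
// (gcd(r, n) == 1 assumed). check_before_blinding selects where the
// "input < n" test is placed. Returns nullopt when the input is rejected.
static std::optional<uint64_t> blinded_private_op(uint64_t c, uint64_t r, bool check_before_blinding) {
   if(check_before_blinding && c >= KEY.n)
      return std::nullopt;   // fixed ordering: out-of-range input is rejected here

   // Blind: c' = c * r^e mod n. The reduction mod n swallows any c >= n.
   const uint64_t c_blind = mulmod(c, powmod(r, KEY.e, KEY.n), KEY.n);

   if(!check_before_blinding && c_blind >= KEY.n)
      return std::nullopt;   // old ordering: can never trigger, c_blind was just reduced

   const uint64_t m_blind = powmod(c_blind, KEY.d, KEY.n);     // (c r^e)^d = m * r mod n
   const uint64_t r_inv = powmod(r, KEY.phi - 1, KEY.n);       // r^-1 via Euler's theorem
   return mulmod(m_blind, r_inv, KEY.n);                        // unblind
}

// The self-check the tests perform: re-encrypt and compare with the original input.
static bool verify_roundtrip(uint64_t c, uint64_t m) { return powmod(m, KEY.e, KEY.n) == c; }
```

With c = 4000 (greater than n), the old ordering silently decrypts 4000 mod 3233 = 767 and the round-trip comparison against 4000 then fails, which is exactly the symptom the message attributes to the randomized corruption tests; the fixed ordering rejects the input up front.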
* Add power analysis countermeasures for ECC point multiplications.  (Jack Lloyd, 2015-08-21, 2 files, -35/+37)

    The plain PointGFp operator* now uses Montgomery ladder exclusively. Adds a blinded point multiply algorithm which uses exponent and point randomization, as well as a Montgomery ladder technique that takes a random walk of the possible addition chains for k.
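The Montgomery ladder and exponent randomization are the same idea in any group; the example below shows them on modular exponentiation rather than on elliptic-curve points, because the structure (one "add" and one "double" per bit, regardless of the bit's value, over a fixed number of bits) is identical and needs no curve arithmetic. This is added example code written for this page, not Botan's PointGFp or blinded-multiply implementation. It assumes a modulus below 2^32 so products fit in 64 bits, a prime modulus p and a base coprime to p for the blinding identity g^(p-1) = 1, and a caller-supplied r standing in for an RNG output; ct_swap, ladder_pow and blinded_pow are this example's names. The random-walk variant of the ladder mentioned in the message is not shown.

```cpp
#include <cstdint>

// Modulus below 2^32 assumed, so a*b fits in 64 bits.
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t p) { return (a * b) % p; }

// Swap a and b iff bit == 1, via a mask rather than a branch.
static void ct_swap(uint64_t& a, uint64_t& b, uint64_t bit) {
   const uint64_t mask = 0 - (bit & 1);
   const uint64_t t = mask & (a ^ b);
   a ^= t;
   b ^= t;
}

// Montgomery ladder for g^k mod p. Every iteration does exactly one multiply,
// one square and two conditional swaps, and the loop always runs kbits times,
// so neither the bit pattern nor the bit length of k changes the operation
// sequence. Invariant at the top of each iteration: r1 == r0 * g.
static uint64_t ladder_pow(uint64_t g, uint64_t k, unsigned kbits, uint64_t p) {
   uint64_t r0 = 1 % p;
   uint64_t r1 = g % p;
   for(unsigned i = kbits; i-- > 0; ) {
      const uint64_t bit = (k >> i) & 1;
      ct_swap(r0, r1, bit);          // bit == 1: work on (r1, r0) instead of (r0, r1)
      r1 = mulmod(r0, r1, p);        // "add"
      r0 = mulmod(r0, r0, p);        // "double"
      ct_swap(r0, r1, bit);          // undo the swap
   }
   return r0;
}

// Exponent blinding. For prime p and gcd(g, p) == 1, g^(p-1) == 1, so
// k' = k + r*(p-1) gives the same result for any r while the bits the ladder
// walks differ on every call. The width is pinned to 64 so k' does not leak
// its length. r would come from an RNG in practice (constructed here by the
// caller); the caller must keep k + r*(p-1) below 2^64.
static uint64_t blinded_pow(uint64_t g, uint64_t k, uint64_t p, uint64_t r) {
   const uint64_t k_blind = k + r * (p - 1);
   return ladder_pow(g, k_blind, 64, p);
}
```

The point-randomization half of the countermeasure (representing the base point in randomized projective coordinates) has no analogue in the multiplicative group and is omitted.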
* Remove unused pkcs8 includes  (Simon Warta, 2015-08-03, 3 files, -3/+0)

    Only botan-cli, botan-tests and the FFI module depend on PKCS8
* pubkey: Add missing overrides  (Daniel Seither, 2015-07-30, 25 files, -86/+89)
* Fix typos  (Simon Warta, 2015-07-24, 2 files, -2/+2)

    Thanks to @vlajos https://github.com/vlajos/misspell_fixer
* Silence some extra ';' warnings  (Simon Warta, 2015-07-22, 2 files, -2/+2)
* Fix module combi: adler32,mce  (Simon Warta, 2015-07-08, 2 files, -4/+9)
* The gf2m type is an unsigned 16-bit, so under C promotion rules a  (Jack Lloyd, 2015-07-05, 1 file, -1/+1)

    shift promotes to signed int rather than an unsigned value. However here we wish to use a large shift, which can cause a signed overflow. Add static_cast to force to the desired (unsigned) type.
* Make Botan compile when only some modules are enabled  (Simon Warta, 2015-07-03, 1 file, -0/+1)

    Fixes #146.
* Fix module dependencies of x509 and pubkey  (Simon Warta, 2015-06-30, 1 file, -1/+1)
* More changes for use with debug STL  (Simon Warta, 2015-06-30, 1 file, -3/+3)
* lib/pubkey: Convert &vec[0] to vec.data()  (Simon Warta, 2015-06-23, 16 files, -56/+56)
* Add missing headers fixing GCC 4.7 build  (lloyd, 2015-06-17, 1 file, -0/+1)
* Key agreement was missing the return check, add it to get_pk_op instead  (lloyd, 2015-03-29, 1 file, -17/+11)
* Move the signature padding schemes to the PK operation classes,  (lloyd, 2015-03-23, 13 files, -360/+390)

    as was previously done with encrypt/decrypt ops. One feature dropped on the floor here is previously PK_Signer by default did verification of signatures before releasing them as a measure against fault attacks. However in addition to being expensive this turned out to be difficult to implement with the new scheme.
* In PK encrypt/decrypt move pad calls to the operation. This allows an  (lloyd, 2015-03-14, 10 files, -154/+218)

    op to use a padding scheme outside of our knowledge or control, for instance an OpenSSL RSA op which uses OpenSSL's padding code. Similar change for key agreement and KDFs for the same reason. Add an EME_Raw type; previously this operation was implicit in the code in pubkey.cpp
* Externalize the state of a RFC 6979 nonce computation.  (lloyd, 2015-03-12, 2 files, -22/+55)

    This lets you amortize quite a few memory allocations (RNG, various BigInts, etc) over many nonce generations. Change generate_rfc6979_nonce to just instantiate one of these states, call the function once, and return. This doesn't have any additional overhead versus the previous implementation of this function.

    Fix HMAC_DRBG to correctly reset its state to its starting position when you call clear() on it.
* Avoid an ECC point multiplication in ECDSA signature verification by  (lloyd, 2015-03-12, 1 file, -14/+20)

    distributing w into the exponents. This is at least a 50% speedup across all keysizes on my laptop. Optimization pointed out by Dr. Falko Strenzke on the mailing list.
* Add BOTAN_DLL back to LibraryInitializer and move some of the implementation to  (lloyd, 2015-03-11, 1 file, -1/+1)

    a source file. Without BOTAN_DLL the LibraryInitializer was removed entirely from the list of symbols which is not desired. Add some casts to avoid scary sounding but (upon review) harmless warnings from MSVC
* Hide Algorithm_Factory and use the functions in lookup.h internally.  (lloyd, 2015-03-04, 1 file, -3/+2)

    Fix two memory leaks (in TLS and modes) caused by calling get_foo and then cloning the result before saving it (leaking the original object), a holdover from the conversion between construction techniques in 1.11.14
* Modify interfaces of KDF and PBKDF to write output to an array, with  (lloyd, 2015-02-18, 1 file, -8/+8)

    higher level functions on interface handling returning a vector.
* Add new module `ffi` which provides a plain C interface, plus a new  (lloyd, 2015-02-16, 2 files, -3/+2)

    ctypes Python wrapper that uses it. The API is intentionally designed to have a very simple ABI (extern "C", all structs are opaque, no memory ownership passing the FFI boundary, limited set of simple types as args) so the ctypes wrapper is quite simple.

    Currently ffi provides ciphers, hashes, MACs, RNGs, PBKDF, KDF, bcrypt, and most public key operations.

    Remove the old boost.python wrapper and all the build code for it.
* Remove static casts  (lloyd, 2015-02-06, 6 files, -34/+28)
* Clean up root dir, remove some unneeded dependencies  (lloyd, 2015-02-05, 1 file, -1/+0)
* Remove algo factory, engines, global RNG, global state, etc.  (lloyd, 2015-02-04, 28 files, -188/+131)

    Convert all uses of Algorithm_Factory and the engines to using Algo_Registry

    The shared pool of entropy sources remains but is moved to EntropySource. With that and few remaining initializations (default OIDs and aliases) moved elsewhere, the global state is empty and init and shutdown are no-ops. Remove almost all of the headers and code for handling the global state, except LibraryInitializer which remains as a compatibility stub.

    Update seeding for blinding so only one hacky almost-global RNG instance needs to be setup instead of across all pubkey uses (it uses either the system RNG or an AutoSeeded_RNG if the system RNG is not available).
* Convert PK operations to using Algo_Registry instead of Engine.  (lloyd, 2015-02-03, 25 files, -693/+806)

    Remove global PRNG.