aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/pubkey
Commit message (Collapse)AuthorAgeFilesLines
* Merge GH #613 NewHope R-LWE key exchangeJack Lloyd2016-09-053-0/+652
|\
| * Fix tests on things that are not little endianJack Lloyd2016-08-301-12/+6
| |
| * Avoid requiring alignment (think this was just for the AVX2 version)Jack Lloyd2016-08-302-37/+35
| | | | | | | | Change to standard int types
| * Fix header guard, macro tidyJack Lloyd2016-08-302-5/+7
| |
| * Add NEWHOPE KEM schemeJack Lloyd2016-08-303-0/+658
| | | | | | | | | | | | | | | | | | | | Provides conjectured 200-bit security against a quantum attacker. Based on the public domain reference implementation at https://github.com/tpoeppelmann/newhope and bit-for-bit compatible with that version. Test vectors generated by the reference testvector.c
* | Remove IF_Scheme_{Public,Private}KeyJack Lloyd2016-09-026-283/+186
| | | | | | | | | | | | With the removal of Rabin-Williams, RSA is the only remaining subclass, And it's very unlikely any new integer factorization based scheme would be added in the future.
* | Remove deprecated Nyberg-Rueppel and Rabin-Williams signaturesJack Lloyd2016-09-027-535/+0
| |
* | Merge GH #567/GH #457 TLS refactoring and Callbacks interfaceJack Lloyd2016-08-311-30/+46
|\ \ | |/ |/|
| * Reduction of code complexity in MP & ECC classes.Matthias Gierlings2016-06-191-30/+46
| | | | | | | | | | | | - reduced number of parameters in various methods - introduced structures and renamed variables to improve code readability.
* | Travis CI additions and cleanupJack Lloyd2016-08-281-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Convert Travis build configuration to a single var instead of 4 tuple. Makes it much easier to review the builds in the Travis web UI. Adds sanitizer builds for Clang on both Linux and OS X. Clang is a different compiler from GCC and its sanitizers may catch things GCC does not. I have no idea if Apple's Clang has some magic sanitizer sauce stock LLVM does not, so maybe sanitizer build on OS X can be skipped. Adds Linux cross compile targets for ARM32, ARM64, PPC64, and MinGW x86 using the cross compiler available in Trusty. All of them build and are set up to run through qemu/wine. All of the tests currently fail and so are marked as expected fail in the Travis matrix. The ARM test runs seem to have thread problems; ARM32 thread creation just fails with an exception, as if pthreads was disabled. All other tests pass ok for ARM32. On Aarch64, it looks like there is a hard crash the first time the library tries creating a thread. Both of these might be due to statically linking the binary? I have been unable to convince Ubuntu's qemu-ppc64 to execute binaries compiled by Ubuntu's ppc64 cross compiler. I'm downloading an Ubuntu ISO to try this in a VM. Running under Wine exposes several issues, both in Wine and Botan. Many functions are stubs and it appears that entropy collection fails as a result. This triggers a bug in the FFI tests which causes a crash there. A pox on time zones; _mkgmtime is a MSVC extension and is not available on MinGW GCC. Add a last resort call that just uses the localzone variant instead. Adds valgrind target, remove a bogus poison in pubkey.cpp (it was effectively asserting that all of RSA was const time which is sadly not true at all). Moves -Wshadow to maintainer mode for GCC - GCC 4.8 has a noisy variant of -Wshadow which warns if a parameter masks a function name, but this comes up all the time in constructors. Later GCCs no longer warn about this (even with -Wshadow), so the warnings are never fixed, but they cause noise in CI output and hide interesting warnings like warning: vec_lvsl is deprecated for little endian; use assignment for unaligned loads and stores [-Wdeprecated] __vector unsigned char perm = vec_lvsl(0, static_cast<u32bit*>(nullptr));
* | RNG changes (GH #593)Jack Lloyd2016-08-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Change reseed interval logic to count calls to `randomize` rather than bytes, to match SP 800-90A Changes RNG reseeding API: there is no implicit reference to the global entropy sources within the RNGs anymore. The entropy sources must be supplied with the API call. Adds support for reseding directly from another RNG (such as a system or hardware RNG). Stateful_RNG keeps optional references to both an RNG and a set of entropy sources. During a reseed, both sources are used if set. These can be provided to HMAC_DRBG constructor. For HMAC_DRBG, SP800-90A requires we output no more than 2**16 bytes per DRBG request. We treat requests longer than that as if the caller had instead made several sequential maximum-length requests. This means it is possible for one or more reseeds to trigger even in the course of generating a single (long) output (generate a 256-bit key and use ChaCha or HKDF if this is a problem). Adds RNG::randomize_with_ts_input which takes timestamps and uses them as the additional_data DRBG field. Stateful_RNG overrides this to also include the process ID and the reseed counter. AutoSeeded_RNG's `randomize` uses this. Officially deprecates RNG::make_rng and the Serialized_RNG construtor which creates an AutoSeeded_RNG. With these removed, it would be possible to perform a build with no AutoSeeded_RNG/HMAC_DRBG at all (eg, for applications which only use the system RNG). Tests courtesy @cordney in GH PRs #598 and #600
* | Merge GH #591Jack Lloyd2016-08-194-16/+6
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | Change behavior of default key usage encoding, default now omits the key usage unless the user set a value. Fix allowed_usage which could produce incorrect results. More X.509 tests
| * | Fix leading zero bytes in DSA, ECDSA, ECGDSA and ECKCDSA signaturesRené Korthaus2016-08-174-16/+6
| | |
* | | fix source file encoding ANSI -> UTF-8Daniel Neus2016-08-171-1/+1
|/ / | | | | | | | | | | | | | | | | should fix: ``` WARN: Invalid character encountered in file /home/travis/build/randombit/botan/src/tests/test_utils.cpp at line 381 for encoding UTF-8. Please fix file content or configure the encoding to be used using property 'sonar.sourceEncoding'. WARN: Invalid character encountered in file /home/travis/build/randombit/botan/src/lib/pubkey/ecies/ecies.cpp at line 311 for encoding UTF-8. Please fix file content or configure the encoding to be used using property 'sonar.sourceEncoding'. ```
* | Merge branch 'master' into frp256v1Simon Cogliani2016-07-301-1/+8
|\ \
| * | fix: load_check() was called instead of gen_check() during DH private key ↵Daniel Neus2016-07-261-1/+8
| | | | | | | | | | | | generation
* | | ANSSI elliptic curve cryptography frp256v1Simon Cogliani2016-07-241-0/+10
|/ / | | | | | | | | | | - Parameters available here: https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000024668816 - DER format according to the ANS1 syntax defined in ANSI X9.62 standard available here: http://www.ssi.gouv.fr/agence/publication/publication-dun-parametrage-de-courbe-elliptique-visant-des-applications-de-passeport-electronique-et-de-ladministration-electronique-francaise/
* | Merge GH #541 More ECIES testsJack Lloyd2016-07-191-2/+2
|\ \
| * | add more ECIES testsDaniel Neus2016-07-191-2/+2
| | |
* | | Merge GH #520 RNG changesJack Lloyd2016-07-183-4/+12
|\ \ \ | |/ / |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Adds Stateful_RNG base class which handles reseeding after some amount of output (configurable at instantiation time, defaults to the build.h value) as well as detecting forks (just using pid comparisons, so still vulnerable to pid wraparound). Implemented by HMAC_RNG and HMAC_DRBG. I did not update X9.31 since its underlying RNG should already be fork safe and handle reseeding at the appropriate time, since a new block is taken from the underlying RNG (for the datetime vector) for each block of output. Adds RNG::randomize_with_input which for most PRNGs is just a call to add_entropy followed by randomize. However for HMAC_DRBG it is used for additional input. Adds tests for HMAC_DRBG with AD from the CAVS file. RNG::add_entropy is implemented by System_RNG now, as both CryptGenRandom and /dev/urandom support receiving application provided data. The AutoSeeded_RNG underlying type is currently selectable in build.h and defaults to HMAC_DRBG(SHA-256). AutoSeeded_RNG provides additional input with each output request, consisting of the current pid, a counter, and timestamp (unless the application explicitly calls randomize_with_input, in which case we just take what they provided). This is the same hedge used in HMAC_RNGs output PRF. AutoSeeded_RNG is part of the base library now and cannot be compiled out. Removes Entropy_Accumulator type (which just served to bridge between the RNG and the entropy source), instead the Entropy_Source is passed a reference to the RNG being reseeded, and it can call add_entropy on whatever it can come up with.
| * | Revamp entropy pollingJack Lloyd2016-07-171-0/+1
| | | | | | | | | | | | | | | Remove Entropy_Accumulator, instead have entropy sources directly add entropy to the RNG.
| * | Switch to HMAC_DRBG for all RNG generation.Jack Lloyd2016-07-172-4/+11
| | | | | | | | | | | | | | | | | | | | | | | | Add support and tests for additional_data param to HMAC_DRBG Add Stateful_RNG class which has fork detection and periodic reseeding. AutoSeeded_RNG passes the current pid and time as additional_data
* | | Merge GH #535 Use Cipher_Mode instead of Pipe in ECIESJack Lloyd2016-07-173-22/+20
|\ \ \
| * | | replace (deprecated) Pipe API with Cipher_Mode in ECIESDaniel Neus2016-07-133-22/+20
| |/ /
* / / DLIES reworkDaniel Neus2016-07-133-100/+261
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | With these fixes the implementation is now compatible with bouncycastle and it should operate as it is specified in "DHIES: An encryption scheme based on Diffie-Hellman Problem" or in BSI technical guideline TR-02102-1. In addition to the already present XOR-encrypion/decryption mode it's now possible to use DLIES with a block cipher. Previously the input to the KDF was the concatenation of the (ephemeral) public key and the secret value derived by the key agreement operation: ``` secure_vector<byte> vz(m_my_key.begin(), m_my_key.end()); vz += m_ka.derive_key(0, m_other_key).bits_of(); const size_t K_LENGTH = length + m_mac_keylen; secure_vector<byte> K = m_kdf->derive_key(K_LENGTH, vz); ``` I don't know why this was implemented like this. But now the input to the KDF is only the secret value obtained by the key agreement operation. Furthermore the order of the output was changed from {public key, tag, ciphertext} to {public key, ciphertext, tag}. Multiple test vectors added that were generated with bouncycastle and some with botan itself.
* | Add missing override annotation. Fix formatting in ECIES testsJack Lloyd2016-06-301-1/+1
| |
* | Merge GH #504 Add ECKCDSAJack Lloyd2016-06-2010-24/+382
|\ \
| * | Add ECKCDSA signature algorithmRené Korthaus2016-06-1410-24/+382
| | |
* | | Merge GH #483 Add ECIES and KDF1 from ISO 18033Jack Lloyd2016-06-203-0/+701
|\ \ \ | |_|/ |/| |
| * | Merge remote-tracking branch 'remotes/origin/master' into eciesPhilipp Weber2016-05-301-1/+1
| |\ \
| * | | ecies review change: decrypt only if mac is correct and catch exceptions ↵Philipp Weber2016-05-231-11/+25
| | | | | | | | | | | | | | | | during decryption
| * | | add ecies implementation according to iso-18033Philipp Weber2016-04-273-0/+687
| | | |
* | | | fix test failures and seg faults when Botan is configured with ↵René Korthaus2016-06-178-4/+12
| |_|/ |/| | | | | | | | --module-policy bsi
* | | Merge GH #489 Add support probabilistic DSA & ECDSAJack Lloyd2016-06-074-11/+23
|\ \ \ | |_|/ |/| |
| * | Add support probabilistic DSA & ECDSARené Korthaus2016-05-084-11/+23
| |/ | | | | | | | | | | | | Adds support for probabilistic, aka the standard, DSA and ECDSA. Can be enabled by disabling the rfc6979 module. Includes test vectors from NIST CAVP. Adds rfc6979 to the list of prohibited modules in BSI policy.
* / Add explicit static_cast operations to eliminate implicit cast compiler ↵Dan Brown2016-04-271-1/+1
|/ | | | warnings.
* Enable ECGDSA in default buildRené Korthaus2016-04-201-2/+0
|
* Add ECGDSARené Korthaus2016-04-197-11/+306
|
* Clean up PK decryption encoding.Jack Lloyd2016-03-204-10/+3
| | | | | | | Previously RSA and ElGamal stripped off leading zeros which were then assumed by the padding decoders. Instead have them produce ciphertexts with leading zeros. Changes EME_Raw to strip leading zeros to match existing behavior.
* Add PK_Decryptor::decrypt_or_randomJack Lloyd2016-03-207-21/+148
| | | | | Performs content checks on the value (expected length, expected bytes) and in constant time returns either the decrypted value or a random value.
* Merge GH #446 add --module-policy optionJack Lloyd2016-03-061-0/+2
|\
| * Add option --module-policyJack Lloyd2016-03-061-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A module policy is a file specifying three types of modules: ones which are required, ones which are prohibited, and ones which should be used if otherwise available (this is mostly for platform specific modules). Finally there are whatever modules which exist in the library of which the policy makes no mention. These will be included if an explicit dependency of some other module pulls them in (so there is no reason to mention base, utils, ... in the file) but skipped otherwise. For example policy 'sane' does not mention 'utils' or 'twofish' either way. Since utils is a dependency of other modules which are included, but Twofish does not. However unlike an explicitly prohibited module, not mentioned can still be requested as part of the build (here with --enable-module=twofish) Also fixes some test bugs noticed by compiling in different build configs. DLIES test didn't check that the KDF and MAC existed. Adds a typedef for MessageAuthenticationCode because typing it twice in a single line in the DLIES test made me think it's way too long. :) Also fix some fuzzer build problems. Due to a copy and paste bug the PKCS certificate (it was not). Inspired by GH #439
* | Merge branch 'master' into clang-analyzerDaniel Neus2016-03-0614-51/+35
|\ \
| * | Remaining cppcheck fixes that are not covered by GH #444Daniel Neus2016-03-056-32/+16
| |/
| * Remove explicit from DL_Group, EC_Group constructors taking std::stringJack Lloyd2016-03-052-2/+2
| | | | | | | | | | | | I think we maybe want these to be converting constructors, and adding explicit here breaks code like ECDSA_PrivateKey(rng, "secp256r1") which seems like a reasonable thing to support IMO
| * cppcheck fixes: Class 'X' has a constructor with 1 argument that is not ↵Daniel Neus2016-03-059-21/+21
| | | | | | | | explicit.
* | fix dead assignment in mce/polyn_gf2m.cpp in polyn_gf2m() found by ↵Daniel Neus2016-03-021-3/+1
|/ | | | clang-analyzer
* Fix remaining Wshadow warnings and enable on gcc and clangRené Korthaus2016-02-182-9/+9
|
* Add KDF1 as explicit dependency in MCEIESJack Lloyd2016-02-151-0/+1
| | | | | | | | | | Previously MCEIES used KEM with a raw SHA-512 hash. When the KDF oriented KEM interface was added in 72f0f0ad2a it switched to using KDF1(SHA-512) since for a 64-byte output and no salt, the output matches the original hash. This avoids breaking the format. Prevents runtime failures when MCEIES is enabled in the build but KDF1 is not. GH #369
* Fix Coverity findings in McEliece codeJack Lloyd2016-02-093-14/+20
| | | | | | | | Initialize variables in constructor in gf2m_decomp_rootfind_state Add asserts on the degree where a positive value was assumed. How polyn_gf2m handles the degree needs some work but this should do for now.