| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Looking into SP808-90A, it mentions that the max
security strength is the security strength
of the hash function for pre-image resistance.
The current implementation however always only
uses half of the output length, therefore only providing
half of the security strength possible.
However, SP800-90A supports only up to 256 bit
security strength, so we fix it to this upper limit.
In a second change, add_entropy() now also resets
the reseed counter if enough entropy input provided.
|
| |
|
|
|
|
|
|
|
|
|
| |
OpenBSD provides the arc4random(3) function in libc for user land
programs that need good random data. Use this to implement the
Botan system random number generator. It has the advantage over
/dev/urandom that it works without file descriptors and in chroot(2)
environment. Internally libc is currently using a ChaCha20 cipher
as PRNG and getentropy(2) to reseed itself automatically.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Now let it return 0 if we have no hardware timestamp, and add
OS::get_high_resolution_clock for best available clock.
This is mainly because it's confusing for get_processor_timestamp to return
something that is not a processor timestamp and because it simplifies adding
cycles/byte output if we know that something is or is not a cycle counter.
Also adds Windows SEH version of run_cpu_instruction_probe. Untested, uncompiled.
|
|
|
|
|
|
| |
Renames a couple of functions for somewhat better name consistency,
eg make_u32bit becomes make_uint32. The old typedefs remain for now
since probably lots of application code uses them.
|
|
|
|
|
|
| |
GH #726
[ci skip]
|
|
|
|
|
|
|
|
| |
botan_rng_reseed: System_RNG write failed error 9
FFI ran 252 tests 1 FAILED
Failure 1: FFI botan_rng_reseed unexpectedly failed with error code -1
Signed-off-by: Alon Bar-Lev <[email protected]>
|
| |
|
| |
|
|
|
|
|
|
|
| |
This caused Doxygen to dump the copyright notices for those files into
the Botan namespace description, which is not helpful.
[ci skip]
|
|
|
|
|
| |
No need to strictly require it, and some applications may only want
system RNG or RDRAND.
|
|
|
|
|
| |
Change AutoSeeded_RNG to use SHA-384, SHA-256, SHA-3(256), or SHA-1,
whichever is available (in that order).
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
Also emit `#pragma GCC target` in the ISA specific amalgamation files.
This allows compiling without any special compiler flags, at least
with GCC 6.2 and Clang 3.8. The ISA annotations are ignored in MSVC,
which just emits whatever instruction the intrinsic requires.
|
| |
|
|
|
| |
Implement a backoff approach to opening the system RNG: if opening read-write fails, try to open read-only. This will allow the RNG to be used, but attempts to add entropy will fail. If opening as read-only also fails, only then throw an exception.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change reseed interval logic to count calls to `randomize` rather than
bytes, to match SP 800-90A
Changes RNG reseeding API: there is no implicit reference to the
global entropy sources within the RNGs anymore. The entropy sources
must be supplied with the API call. Adds support for reseding directly
from another RNG (such as a system or hardware RNG).
Stateful_RNG keeps optional references to both an RNG and a set of
entropy sources. During a reseed, both sources are used if set.
These can be provided to HMAC_DRBG constructor.
For HMAC_DRBG, SP800-90A requires we output no more than 2**16 bytes
per DRBG request. We treat requests longer than that as if the caller
had instead made several sequential maximum-length requests. This
means it is possible for one or more reseeds to trigger even in the
course of generating a single (long) output (generate a 256-bit key
and use ChaCha or HKDF if this is a problem).
Adds RNG::randomize_with_ts_input which takes timestamps and uses them
as the additional_data DRBG field. Stateful_RNG overrides this to also
include the process ID and the reseed counter. AutoSeeded_RNG's
`randomize` uses this.
Officially deprecates RNG::make_rng and the Serialized_RNG construtor
which creates an AutoSeeded_RNG. With these removed, it would be
possible to perform a build with no AutoSeeded_RNG/HMAC_DRBG at all
(eg, for applications which only use the system RNG).
Tests courtesy @cordney in GH PRs #598 and #600
|
|
|
|
|
| |
configure.py expects all header guards to match a specific form,
for finding them when generating the amalgamation file.
|
|
|
|
|
|
|
|
| |
For those that are willing to trust uninspectible hardware. :)
Changes RDRAND entropy source to call RDRAND_RNG
Add --rdrand flag to rng cmdlet
|
|
|
|
|
|
|
|
|
| |
Use consistent naming for the max output before reseed
parameter. The constant (default) value is renamed to
BOTAN_RNG_DEFAULT_MAX_OUTPUT_BEFORE_RESEED, since without
the DEFAULT_ it reads like a compile time maximum instead.
Use uint8_t instead of byte.
|
|
|
|
|
| |
Remove Entropy_Accumulator, instead have entropy sources directly
add entropy to the RNG.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Handles fork checking for HMAC_RNG and HMAC_DRBG
AutoSeeded_RNG change - switch to HMAC_DRBG as default.
Start removing the io buffer from entropy poller.
Update default RNG poll bits to 256.
Fix McEliece test, was using wrong RNG API.
Update docs.
|
|
|
|
| |
Add some missing overrides
|
|
|
|
|
|
|
|
|
| |
That failure seems like an explicit system policy decision, so accept
it as such. Versus say EBADF or EFAULT which would instead suggest a
library bug.
This return is seen on OS X Travis CI, unclear if this is a problem
with OS X or with how Travis does OS X containers.
|
|
|
|
|
|
|
|
| |
Add support and tests for additional_data param to HMAC_DRBG
Add Stateful_RNG class which has fork detection and periodic reseeding.
AutoSeeded_RNG passes the current pid and time as additional_data
|
|
|
|
| |
warnings.
|
|
|
|
| |
GH #451
|
|
|
|
| |
Avoids the test vector contortions in RSA-KEM
|
|
|
|
| |
explicit.
|
|
|
|
|
|
|
|
|
|
|
| |
Add OS functions get_process_id, get_processor_timestamp, and
get_system_timestamp_ns. HMAC_RNG uses the pid call to detect forks to
initiate a reseed. It also adds the output of all three functions (the
pid, the CPU cycle counter, and the system timestamp) into the PRF input.
Calls the new OS timer functions from hres_timer entropy source.
Removes the call to QPC in es_win32 which is mostly redundant with the
one in hres_timer.
|
|
|
|
|
|
|
|
|
|
| |
Bug found by Daniel Neus
The function wasn't being used anywhere in the library (and was only
added in 1.11.20) so it seems easier to remove than fix. And removing
it serves to put any user on notice that something bad happened;
Daniel tested this as returning just 0 when bits >= 32 with his
system's compiler.
|
|
|
|
|
|
|
|
| |
As the alternatives are unfortunate for applications trying to catch
all library errors, and it seems deriving from std::runtime_error
causes problems with MSVC DLLs (GH #340)
Effectively reverts 2837e915d82e43
|
|
|
|
| |
Defaults should be fine for everyone but it makes the values more transparent
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Provides an easier way for an application to configure a list of
entropy sources they'd like to use, or add a custom entropy source to
their seeding.
Exposes some toggles for the global/default entropy sources to build.h
Adds basic entropy tests which runs the polls and does sanity checking
on the results, including compression tests if available. These are
less useful for the CSPRNG outputs but a good check for the ones
producing plain ASCII like the /proc reader.
|
|
|
|
|
|
|
|
|
|
|
| |
The tests previously had used 4 to 6 different schemes internally (the vec file
reader framework, Catch, the old InSiTo Boost.Test tests, the PK/BigInt tests
which escaped the rewrite in 1.11.7, plus a number of one-offs). Converge on a
design that works everywhere, and update all the things.
Fix also a few bugs found by the test changes: SHA-512-256 name incorrect,
OpenSSL RC4 name incorrect, signature of FFI function botan_pubkey_destroy
was wrong.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use constant time operations when checking CBC padding in TLS decryption
Fix a bug in decoding ClientHellos that prevented DTLS rehandshakes
from working: on decode the session id and hello cookie would be
swapped, causing confusion between client and server.
Various changes in the service of finding the above DTLS bug that
should have been done before now anyway - better control of handshake
timeouts (via TLS::Policy), better reporting of handshake state in the
case of an error, and finally expose the facility for per-message
application callbacks.
|
|
|
|
|
|
| |
Previously you couldn't have an unique_ptr<RNG> that might point to
either a system rng or an autoseed rng depending on availability. That
was already needed in ffi and is useful elsewhere.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove and consolidate various headers
Reduce memory usage of GF2m_Field by sharing the log and exponent
tables across all instances of a particular word size.
Remove McEliece_Public_Operation and McEliece_Private_Operation which
were difficult to use safely. Instead only the KEM operations are exposed.
Add McEliece_PublicKey::random_plaintext_element
Add command line `mce` tool and some McEliece documentation
Convert the speed program to check McEliece keys of the suggested size
Add McEliece KATs for both key generation and KEM
Fix HMAC_DRBG constructor which derefed a pointer before its time
|
| |
|
| |
|
|
|
|
| |
Only user-visible change is the removal of get_byte.h
|
|
|
|
|
|
|
|
| |
The plain PointGFp operator* now uses Montgomery ladder exclusively.
Adds a blinded point multiply algorithm which uses exponent and point
randomization, as well as a Montgomery ladder technique that takes a
random walk of the possible addition chains for k.
|