path: root/src/lib/utils
Commit message | Author | Age | Files | Lines
* Travis CI additions and cleanup | Jack Lloyd | 2016-08-28 | 2 | -5/+8
  Convert Travis build configuration to a single var instead of 4 tuple. Makes it much easier to review the builds in the Travis web UI.

  Adds sanitizer builds for Clang on both Linux and OS X. Clang is a different compiler from GCC and its sanitizers may catch things GCC does not. I have no idea if Apple's Clang has some magic sanitizer sauce stock LLVM does not, so maybe sanitizer build on OS X can be skipped.

  Adds Linux cross compile targets for ARM32, ARM64, PPC64, and MinGW x86 using the cross compiler available in Trusty. All of them build and are set up to run through qemu/wine. All of the tests currently fail and so are marked as expected fail in the Travis matrix.

  The ARM test runs seem to have thread problems; ARM32 thread creation just fails with an exception, as if pthreads was disabled. All other tests pass ok for ARM32. On Aarch64, it looks like there is a hard crash the first time the library tries creating a thread. Both of these might be due to statically linking the binary?

  I have been unable to convince Ubuntu's qemu-ppc64 to execute binaries compiled by Ubuntu's ppc64 cross compiler. I'm downloading an Ubuntu ISO to try this in a VM.

  Running under Wine exposes several issues, both in Wine and Botan. Many functions are stubs and it appears that entropy collection fails as a result. This triggers a bug in the FFI tests which causes a crash there.

  A pox on time zones; _mkgmtime is a MSVC extension and is not available on MinGW GCC. Add a last resort call that just uses the localzone variant instead.

  Adds valgrind target, remove a bogus poison in pubkey.cpp (it was effectively asserting that all of RSA was const time which is sadly not true at all).

  Moves -Wshadow to maintainer mode for GCC - GCC 4.8 has a noisy variant of -Wshadow which warns if a parameter masks a function name, but this comes up all the time in constructors. Later GCCs no longer warn about this (even with -Wshadow), so the warnings are never fixed, but they cause noise in CI output and hide interesting warnings like

    warning: vec_lvsl is deprecated for little endian; use assignment for unaligned loads and stores [-Wdeprecated] __vector unsigned char perm = vec_lvsl(0, static_cast<u32bit*>(nullptr));
* RNG changes (GH #593) | Jack Lloyd | 2016-08-24 | 2 | -4/+4
  Change reseed interval logic to count calls to `randomize` rather than bytes, to match SP 800-90A

  Changes RNG reseeding API: there is no implicit reference to the global entropy sources within the RNGs anymore. The entropy sources must be supplied with the API call.

  Adds support for reseeding directly from another RNG (such as a system or hardware RNG). Stateful_RNG keeps optional references to both an RNG and a set of entropy sources. During a reseed, both sources are used if set. These can be provided to HMAC_DRBG constructor.

  For HMAC_DRBG, SP800-90A requires we output no more than 2**16 bytes per DRBG request. We treat requests longer than that as if the caller had instead made several sequential maximum-length requests. This means it is possible for one or more reseeds to trigger even in the course of generating a single (long) output (generate a 256-bit key and use ChaCha or HKDF if this is a problem).

  Adds RNG::randomize_with_ts_input which takes timestamps and uses them as the additional_data DRBG field. Stateful_RNG overrides this to also include the process ID and the reseed counter. AutoSeeded_RNG's `randomize` uses this.

  Officially deprecates RNG::make_rng and the Serialized_RNG constructor which creates an AutoSeeded_RNG. With these removed, it would be possible to perform a build with no AutoSeeded_RNG/HMAC_DRBG at all (eg, for applications which only use the system RNG).

  Tests courtesy @cordney in GH PRs #598 and #600
* Use stat instead of lstat in get_files_recursive. | Jack Lloyd | 2016-07-30 | 1 | -1/+1
  Otherwise symlinked files are ignored. GH #565
* Check for __SIZEOF_INT128__ before using TI mode | Jack Lloyd | 2016-07-30 | 1 | -6/+8
  Otherwise we run into problems on 64-bit CPUs with 32-bit userland. GH #563
* SSE2 had been disabled for testing, missed it on checkin of 6907e196 | Jack Lloyd | 2016-07-25 | 1 | -1/+1
* Merge asm into single mp_madd.h and mp_asmi.h files | Jack Lloyd | 2016-07-21 | 9 | -638/+462
  Avoids some cut and paste, also removes the need for special logic in configure.py for handling mp module specially.

  Merge SIMD classes into a single type SIMD_4x32
* Revamp entropy polling | Jack Lloyd | 2016-07-17 | 1 | -0/+7
  Remove Entropy_Accumulator, instead have entropy sources directly add entropy to the RNG.
* Fix undefined behavior in donna128 type | Jack Lloyd | 2016-07-15 | 1 | -6/+12
  Caused Curve25519 tests to fail when compiled by Clang on ARM, may have affected other 32-bit platforms. GH #532
* add PKCS#11 support | Daniel Neus | 2016-06-17 | 3 | -11/+6
* Add Not_Implemented exception | Jack Lloyd | 2016-06-07 | 1 | -0/+10
* Change calls to 'get_byte' to explicitly cast parameters and eliminate compiler warnings | Dan Brown | 2016-04-27 | 1 | -1/+1
* Don't reject TLS packets with zero plaintext bytes | Jack Lloyd | 2016-04-15 | 1 | -0/+6
  OpenSSL sends an empty record before each new data record in TLS v1.0 to randomize the IV, as a countermeasure to the BEAST attack. Most implementations use 1/(n-1) splitting for this instead.

  Bug introduced with the const time changes in 1.11.23
* Clean up PK decryption encoding. | Jack Lloyd | 2016-03-20 | 1 | -5/+9
  Previously RSA and ElGamal stripped off leading zeros which were then assumed by the padding decoders. Instead have them produce ciphertexts with leading zeros. Changes EME_Raw to strip leading zeros to match existing behavior.
* Add PK_Decryptor::decrypt_or_random | Jack Lloyd | 2016-03-20 | 1 | -2/+24
  Performs content checks on the value (expected length, expected bytes) and in constant time returns either the decrypted value or a random value.
* Merge GH #422 Use system_time instead of high_resolution_clock | Jack Lloyd | 2016-03-10 | 1 | -1/+1
  * Use chrono::system_clock instead of chrono::high_resolution_clock in get_system_timestamp_ns() | Daniel Neus | 2016-03-07 | 1 | -1/+1
    GH #422
* remove redundant return | Daniel Neus | 2016-03-08 | 1 | -1/+0
* add support for VirtualLock/VirtualUnlock on Windows | Daniel Neus | 2016-03-07 | 1 | -1/+51
  equivalent to mlock on Unix to prevent swapping out of memory
* Remaining cppcheck fixes that are not covered by GH #444 | Daniel Neus | 2016-03-05 | 1 | -2/+2
* cppcheck fixes: Class 'X' has a constructor with 1 argument that is not explicit. | Daniel Neus | 2016-03-05 | 5 | -36/+36
* fix a typo in os_utils that prevents retrieval of the current process id on windows | Daniel Neus | 2016-03-01 | 1 | -2/+2
* Avoid some Wshadows in GCC 4.8 | Jack Lloyd | 2016-02-20 | 1 | -7/+6
  In GCC 4.7 and 4.8, Wshadow also warns if a local variable conflicts with a member function. This was changed in GCC 4.9 (GCC bugzilla 57709) but causes a lot of warnings on Travis which is on 4.8. Clang's Wshadow behaves like GCC 4.9.

  The worst offender was Exception's constructor argument being named `what` which conflicts with the member function of the same name, being in a public header this causes so many warnings the Travis log files are truncated.

  This fixes Exception and a couple of others. Fixing all cases would be a slog that I'm not up for right at the moment.
* Add constant time conditional swap, add, sub for bigint words | Jack Lloyd | 2016-02-17 | 1 | -1/+1
  Not optimized and relies on asm support for const time word_add/word_sub instructions.

  Fix a bug introduced in 46e9a89 - unpoison needs to call the valgrind API with the pointer rather than the reference. Caused values not to be unpoisoned.
* Avoid Coverity false positive | Jack Lloyd | 2016-02-09 | 1 | -1/+5
  It assumes unpoison is expecting a pointer to T and sizeof(T), but the sizeof is evaluated in unpoison but only in the case of building with valgrind. Just call the valgrind API again directly
* Utils needs librt dependency due to calling clock_gettime | Jack Lloyd | 2016-02-07 | 1 | -0/+4
  Was previously on hres_timer entropy source
* Add explicit fork check to HMAC_RNG | Jack Lloyd | 2016-02-07 | 2 | -8/+104
  Add OS functions get_process_id, get_processor_timestamp, and get_system_timestamp_ns.

  HMAC_RNG uses the pid call to detect forks to initiate a reseed. It also adds the output of all three functions (the pid, the CPU cycle counter, and the system timestamp) into the PRF input.

  Calls the new OS timer functions from hres_timer entropy source. Removes the call to QPC in es_win32 which is mostly redundant with the one in hres_timer.
* Remove redundant initialization. Closes GH #399 | Jack Lloyd | 2016-02-07 | 1 | -1/+0
* Merge remote-tracking branch 'remotes/github/master' into noreturn | Daniel Neus | 2016-01-09 | 7 | -104/+104
  # Conflicts: # src/build-data/cc/gcc.txt
  * Mass-prefix member vars with m_ | René Korthaus | 2016-01-08 | 7 | -104/+104
* move noreturn before the function declaration | Daniel Neus | 2016-01-08 | 1 | -2/+2
* don't declare functions noreturn that are maybe implemented in the future | Daniel Neus | 2016-01-08 | 1 | -1/+1
  In addition don't declare virtual functions noreturn
* add BOTAN_NORETURN macro and mark those functions that do not return with it | Daniel Neus | 2016-01-08 | 2 | -2/+2
* String comparison fixes | Daniel Neus | 2016-01-04 | 3 | -11/+11
  fix PVS-Studio performance warnings
* Use valgrind's memcheck API for checking const time annotations | Jack Lloyd | 2016-01-03 | 1 | -14/+27
  Has the same effect as using ctgrind, but without requiring a custom-compiled valgrind binary.

  Add ct checking annotations to the SSSE3 AES code.
* Use memcpy instead of misaligned pointer casts for reading words. | Jack Lloyd | 2015-12-31 | 2 | -80/+44
  It works on x86, but C says it is undefined and it makes UBSan unhappy. Happily, this memcpy approach probably also works fine under processors which previously used the byte-at-a-time approach such as ARM. But for right now using memcpy here is still gated under the processor alignment flags.

  In my tests recent GCC and Clang seemed to produce basically identical code for either approach when using -O3; I imagine most compilers these days are very good at analyzing/inlining/unrolling memcpys.

  Also remove the manually unrolled versions of xor_buf, which caused problems with GCC and -O3 due to it vectorizing the loads into (aligned) SSE2 loads, which would fail when a misaligned pointer was passed. Which always seemed kind of bogus to me, but I guess that's what undefined behavior is for.

  Enable -O3 for GCC. With this change the test suite is clean under GCC ASan+UBSan and Clang ASan+UBSan, with the exception of one failure due to a bug in libstdc++ (GCC bug 60734) when compiled by Clang.
* Add missing assignment in DataSource::discard_next | Jack Lloyd | 2015-12-31 | 1 | -0/+1
  Reported on the mailing list by Falko
* Merge pull request #378 from neusdan/warning_fixes | Jack Lloyd | 2015-12-26 | 1 | -1/+0
  Some trivial compiler and PVS-Studio warning fixes
  * some trivial compiler/PVS-Studio warning fixes | Daniel Neus | 2015-12-22 | 1 | -1/+0
* Guard all std::mem* ops against any call with zero length. | Jack Lloyd | 2015-12-25 | 2 | -21/+36
  Calling memset, memmove, memcpy with an undefined or null pointer, even with length zero, causes undefined behavior. Prevent that from happening within the functions that call these dangerous things since allowing a caller to pass length == 0 with null or just past the end and not have things explode is nice.

  Oh C, you so crazy.
* Merge the openssl code together. | Jack Lloyd | 2015-12-19 | 2 | -51/+0
  Having the code diffused all over the place was ugly and would not scale well to multiple alternative providers. GH #368
* CLI rewrite | Jack Lloyd | 2015-12-19 | 3 | -2/+50
  The command line tools' origin as a collection of examples and test programs glued together led to some unfortunate problems; lots of hardcoded values, missing parameters, and obsolete crypto.

  Adds a small library for writing command line programs of the sort needed here (cli.h), which cuts the length of many of the commands in half and makes commands more pleasant to write and extend.

  Generalizes a lot of the commands also, eg previously only signing/verification with DSA/SHA-1 was included!

  Removes the fuzzer entry point since that's fairly useless outside of an instrumented build.

  Removes the in-library API for benchmarking.
* Add missing include in dyn_load.cpp | Simon Warta | 2015-12-12 | 1 | -0/+1
* Build fix. Add SQL_DB_Error exception type | Jack Lloyd | 2015-12-11 | 2 | -9/+18
* Disable asio serial port support to avoid Darwin braindamage. GH #350 | Jack Lloyd | 2015-12-11 | 1 | -1/+9
* Missing adds | Jack Lloyd | 2015-12-11 | 6 | -6/+4
* Reroot the exception hierarchy into a toplevel Exception class | Jack Lloyd | 2015-12-11 | 8 | -33/+44
  As the alternatives are unfortunate for applications trying to catch all library errors, and it seems deriving from std::runtime_error causes problems with MSVC DLLs (GH #340)

  Effectively reverts 2837e915d82e43
* Add OS utility header | Jack Lloyd | 2015-12-05 | 6 | -102/+191
  Provide abstractions for the locking allocator (allocate and free locked pages) to decouple it from the platform dependent code. Should make it easy to write a Windows version using VirtualAlloc+VirtualLock.

  Exposes max mlock limit as a build.h toggle
* Avoid ever returning 0 from CPUID::cache_line_size | Jack Lloyd | 2015-12-02 | 1 | -1/+1
  Take the value from build.h if we have no way of getting it dynamically.

  Fixes an infinite loop in AES on non-x86 introduced in ebf2164a, as otherwise it does for(size_t i = 0; i != ...; i += 0) {} while iterating over the TE tables.
* Improve side channel attack resistance of table based AES impl | Jack Lloyd | 2015-11-29 | 1 | -2/+17
* Remove bogus code from generic mp_madd header, noticed on PPC build. | Jack Lloyd | 2015-11-23 | 1 | -2/+2
  Also fix a few cast and zero-as-nullptr warnings in the AltiVec header