aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib
Commit message (Collapse)AuthorAgeFilesLines
* Merge GH #516 Cipher_Mode API improvementsJack Lloyd2016-09-2627-290/+242
|\
| * Cipher_Mode API improvementsJack Lloyd2016-09-0127-290/+242
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The Cipher_Mode::update API is more general than needed to just support ciphers (this is due to it previously being an API of Transform which before 8b85b780515 was Cipher_Mode's base class) Define a less general interface `process` which either processes the blocks in-place, producing exactly as much output as there was input, or (SIV/CCM case) saves the entire message for processing in `finish`. These two uses cover all current or anticipated cipher modes. Leaves `update` for compatability with existing callers; all that is needed is an inline function forwarding to `process`. Removes the return type from `start` - in all cipher implementations, this always returned an empty vector. Adds BOTAN_ARG_CHECK macro; right now BOTAN_ASSERT is being used for argument checking in some places, which is not right at all.
* | Merge GH #630 TLS server checks client signature_algorithmsJack Lloyd2016-09-245-31/+89
|\ \ | | | | | | | | | Only partially resolves GH #619 see both issues for discussion.
| * | TLS Server should respect client signature_algorithms. Stricter TLS hello ↵Jack Lloyd2016-09-215-31/+89
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | decoding. If the client sent a signature_algorithms extension, we should negotiate a ciphersuite in the shared union of the ciphersuite list and the extension, instead of ignoring it. Found by Juraj Somorovsky GH #619 The TLS v1.2 spec says that clients should only send the signature_algorithms extension in a hello for that version. Enforce that when decoding client hellos to prevent this extension from confusing a v1.0 negotiation. TLS v1.2 spec says ANON signature type is prohibited in the signature_algorithms extension in the client hello. Prohibit it. Reorder the TLS extensions in the client hello so there is no chance an empty extension is the last extension in the list. Some implementations apparently reject such hellos, even (perhaps especially) when they do not recognize the extension, this bug was mentioned on the ietf-tls mailing list a while back.
* | | Merge GH #634 Correctly detect self-signed certsJack Lloyd2016-09-242-2/+5
|\ \ \
| * | | Fix validation of self-issued certificates in chainsRené Korthaus2016-09-232-2/+5
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Self-issued certificates are certificates where subject_dn == issuer_dn, but the signature is from a different key (ca key). Chains with such a certificate could not be verified, because self-issued certificates (1) would be taken for a self-signed certificate and (2) find_issuing_cert() would find the same self-issued certificate that we want to verify, generating a signature error during signature verification. To fix, we now first identify a certificate as self-signed only if subject_dn == issuer_dn AND if we can verify the cert signature with it's own key. Verification will bring some extra costs, but we only do it once, in X509_Certificate's constructor. Second, we make sure find_issuing_cert() does not return the very same certificate we want to verify. This should be no problem, since path validation currently does not seem to support validating a self-signed certificate.
* / / Maintainer mode fixes.Jack Lloyd2016-09-212-3/+3
|/ / | | | | | | | | | | Mostly unused args and missing override notations. Fix DH - load_check calls were commented out for debugging.
* | Change T::provider to return std::stringJack Lloyd2016-09-1523-33/+28
| |
* | Add T::provider() to allow user to inquire about implementation usedJack Lloyd2016-09-1522-8/+147
| | | | | | | | | | For block ciphers, stream ciphers, hashes, MACs, and cipher modes. Cipher_Mode already had it, with a slightly different usage.
* | Add cpuid overload to test frameworkJack Lloyd2016-09-153-60/+89
| |
* | Merge optimized implementations into base classJack Lloyd2016-09-1532-708/+460
| | | | | | | | | | | | | | | | | | | | Various algorithms had an optimized implementation (for SSE2, AVX2, etc) which was offered alongside the 'base' implementation. This is admittedly very useful for testing, but it breaks user expectations in bad ways. See GH #477 for background. Now encrypting with `AES_128` (say) just runs whatever implementation is best on the current processor/build.
* | Prevent use of secure_vector with non-integer typesJack Lloyd2016-09-091-0/+3
| | | | | | | | | | If a non trival type was used, memory corruption could occur. Original issue reported by Matthias Gierlings.
* | These vectors can be constJack Lloyd2016-09-091-2/+2
| |
* | Remove bogus declJack Lloyd2016-09-051-2/+0
| |
* | Merge GH #613 NewHope R-LWE key exchangeJack Lloyd2016-09-056-7/+662
|\ \
| * | Fix tests on things that are not little endianJack Lloyd2016-08-301-12/+6
| | |
| * | Avoid requiring alignment (think this was just for the AVX2 version)Jack Lloyd2016-08-302-37/+35
| | | | | | | | | | | | Change to standard int types
| * | Fix header guard, macro tidyJack Lloyd2016-08-302-5/+7
| | |
| * | Add NEWHOPE KEM schemeJack Lloyd2016-08-306-7/+668
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Provides conjectured 200-bit security against a quantum attacker. Based on the public domain reference implementation at https://github.com/tpoeppelmann/newhope and bit-for-bit compatible with that version. Test vectors generated by the reference testvector.c
* | | Merge GH #616 ChaCha SSE2 optimizationsJack Lloyd2016-09-054-70/+360
|\ \ \
| * | | Avoid _mm_set_epi64x which is missing on 32-bit MSVC 12Jack Lloyd2016-09-021-8/+8
| | | |
| * | | Correct macro checkJack Lloyd2016-09-012-2/+2
| | | |
| * | | Missing increment in SSE2 version, broke ChaCha20Poly1305 testsJack Lloyd2016-09-011-0/+3
| | | | | | | | | | | | | | | | But not any ChaCha20 tests due to no long test inputs. Add one.
| * | | 4x interleaved SSE2Jack Lloyd2016-09-011-67/+225
| | | |
| * | | ChaCha 4 waysJack Lloyd2016-09-013-129/+153
| | | |
| * | | SSE2 ChaChaJack Lloyd2016-09-014-6/+111
| | |/ | |/|
* | | Make copy constructor and assignment defaultRené Korthaus2016-09-052-29/+2
| | |
* | | Call base class assignment operator in X509_CertificateRené Korthaus2016-09-041-0/+1
| | |
* | | Remove IF_Scheme_{Public,Private}KeyJack Lloyd2016-09-026-283/+186
| | | | | | | | | | | | | | | | | | With the removal of Rabin-Williams, RSA is the only remaining subclass, And it's very unlikely any new integer factorization based scheme would be added in the future.
* | | Remove XTEA SIMD implJack Lloyd2016-09-023-165/+0
| | | | | | | | | | | | | | | Testing showed no actual speedup on either i7 (SSE2) or POWER7 (Altivec), so it is just dead weight.
* | | Remove deprecated Nyberg-Rueppel and Rabin-Williams signaturesJack Lloyd2016-09-029-560/+1
| | |
* | | Remove deprecated hashes MD2, HAS-160, and RIPEMD-128Jack Lloyd2016-09-0213-622/+0
| | |
* | | Remove deprecated ciphers MARS, RC2, RC5, RC6, SAFER-SK and TEAJack Lloyd2016-09-0219-1478/+0
|/ / | | | | | | | | XTEA was also deprecated but has been spared, it does seem to be somewhat common (eg, included in the Go x/crypto library)
* | get_processor_timestamp should never return 0 if it can help it.Jack Lloyd2016-09-011-16/+59
| | | | | | | | | | | | | | For example it used to return 0 on Linux/ARM... If no QPC or asm version, use clock_gettime if available, or else std::chrono::high_resolution_clock as a fallback.
* | Merge GH #578/#492: TLS EtM extension and new policy togglesJack Lloyd2016-08-3120-112/+525
|\ \
| * \ Merge master into this branch, resolving conflicts with #457/#576Jack Lloyd2016-08-31266-7487/+17395
| |\ \ | | | | | | | | | | | | which recently landed on master.
| * | | Address some issues with PR 492Jack Lloyd2016-08-1313-58/+118
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Adds copyright notices for Juraj Somorovsky and Christian Mainka of Hackmanit for the changes in 7c7fcecbe6a and 6d327f879c Add Policy::check_peer_key_acceptable which lets the app set an arbitrary callback for examining keys - both the end entity signature keys from certificates and the peer PFS public keys. Default impl checks that the algorithm size matches the min keylength. This centralizes this logic and lets the application do interesting things. Adds a policy for ECDSA group size checks. Increases default policy minimums to 2048 RSA and 256 ECC. (Maybe I'm an optimist after all.)
| * | | Merge branch 'master' into Encrypt-then-MAC-with-policyJuraj Somorovsky2016-05-1221-64/+62
| |\ \ \ | | | | | | | | | | | | | | | Merged recent changes and resolved minor conflicts in tls record classes.
| * | | | Encrypt-then-MAC extension (RFC 7366)Juraj Somorovsky2016-05-1119-104/+329
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Introduced a countermeasure against the logjam attack Short TLS records (AES-CBC) now return BAD_RECORD_MAC Fixed a compatibility problem with OpenSSL and TLS 1.0 (BEAST countermeasure)
| * | | | TLS Policy supportChristian Mainka2016-05-036-24/+153
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * --policy works for TLS Server and TLS Client * Example policy BSI_TR-02102-2.txt * Fine granular configuration for TLS 1.0, 1.1, 1.2 and DTLS 1.0 and 1.2 * Minimum ecdh and rsa group size
* | | | | Fix TLS build with SRP6 disabledJack Lloyd2016-08-311-1/+1
| |_|/ / |/| | |
* | | | HMAC_RNG ignored its entropy_source argument :(Jack Lloyd2016-08-311-1/+1
| | | |
* | | | Move some Callback functions to a source file.Jack Lloyd2016-08-312-7/+17
| | | | | | | | | | | | | | | | | | | | | | | | Just to avoid the unused parameter warning (we want the parameter to be named in the header for documentation purposes, but in that case GCC warns that the param is unused).
* | | | Remove debug printfJack Lloyd2016-08-311-1/+0
| | | |
* | | | Merge GH #567/GH #457 TLS refactoring and Callbacks interfaceJack Lloyd2016-08-3129-788/+1361
|\ \ \ \
| * | | | Added doxygen function parameter comments to tls_callbacks.hDan Brown2016-08-191-12/+32
| | | | |
| * | | | Add a Callbacks function for ALPNJack Lloyd2016-08-163-14/+44
| | | | |
| * | | | Changes to TLS::Callbacks for GH PR #457Jack Lloyd2016-08-1614-151/+221
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Make TLS::Channel::m_callbacks a reference, so deriving from TLS::Callbacks works Split out the compat (std::function) based interface to Compat_Callbacks. This avoids the overhead of empty std::functions when using the virtual interface, and ensures the virtual interface works since there is no callback path that does not involve a vtable lookup. Rename the TLS::Callback functions. Since the idea is that often an owning class will pass *this as the callbacks argument, it is good to namespace the virtual functions so as not to conflict with other names chosen by the class. Specifically, prefixes all cb functions with tls_ Revert changes to use the old style alert callback (with no longer used data/len params) so no API changes are required for old code. The new Callbacks interface continues to just receive the alert code itself. Switch to virtual function interface in CLI tls_client for testing. Inline tls_server_handshake_state.h - only used in tls_server.cpp Fix tests - test looked like it was creating a new client object but it was not actually being used. And when enabled, it failed because the queues were not being emptied in between. So, fix that.
| * | | | Removed Handshake_Info class.Matthias Gierlings2016-06-198-56/+49
| | | | | | | | | | | | | | | | | | | | | | | | | - Undid changes replacing Hanshake_IO, Handshake_Hash with Handshake_Info.
| * | | | Removed TLS::Session::PropertiesMatthias Gierlings2016-06-197-197/+96
| | | | | | | | | | | | | | | | | | | | | | | | | - Removed proposed wrapper class to logically group TLS session properties.