| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Also fix a few cast and zero-as-nullptr warnings in the AltiVec header
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The only reason mul128.h was included in mp_types.h was for the
definition of dword. But dword is only needed by the generic version
of mp_madd, which is an internal header. So move both the inclusion
of the header and the dword definition to there.
Previously mul128.h was very public (mp_types.h to bigint.h to rsa.h,
for example) and use of __int128 causes problems in pedantic mode. So
additionally, prefer using the TI attribute version since GCC does not
complain about that. Clang's -Wpedantic does not seem to care about it
either way.
GH #330
|
|
|
|
|
|
| |
Re-encoding the server key exchange meant that any leading zeros
in the values for DHE (or SRP) would be stripped out. This would
cause the signature check to fail.
|
|
|
|
| |
DB::spin now returns the number of rows affected
|
| |
|
|
|
|
| |
since the primality tests are expensive in CPU time.
|
|
|
|
|
|
|
|
|
|
|
| |
Fix a bug which rejected any short server key exchanges. These can
occur with a plain PSK with short or empty identity hints.
Disable SHA-224 by default.
Remove some vestigal RC4 cruft.
Push more on the TLS corruption tests.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The tests previously had used 4 to 6 different schemes internally (the vec file
reader framework, Catch, the old InSiTo Boost.Test tests, the PK/BigInt tests
which escaped the rewrite in 1.11.7, plus a number of one-offs). Converge on a
design that works everywhere, and update all the things.
Fix also a few bugs found by the test changes: SHA-512-256 name incorrect,
OpenSSL RC4 name incorrect, signature of FFI function botan_pubkey_destroy
was wrong.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The tests which generate McEliece keys using a deterministic RNG and
fixed seed failed on PowerPC (or other big endian systems) because the
vectors assumed we were creating elements little endian, which is
what happend with rng.randomize(&u16, 2) on x86
Fix it to always be little endian. No particular reason to prefer one vs the
other here (we're just trying for compatability with ourselves) and choosing
little endian avoids having to regen the vectors.
|
| |
|
|\
| |
| | |
TLS improvements
|
| | |
|
| |
| |
| |
| | |
Convert to a const time algo
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Use constant time operations when checking CBC padding in TLS decryption
Fix a bug in decoding ClientHellos that prevented DTLS rehandshakes
from working: on decode the session id and hello cookie would be
swapped, causing confusion between client and server.
Various changes in the service of finding the above DTLS bug that
should have been done before now anyway - better control of handshake
timeouts (via TLS::Policy), better reporting of handshake state in the
case of an error, and finally expose the facility for per-message
application callbacks.
|
| | |
|
|\ \
| | |
| | | |
Fix cert validation bugs found by x509test.
|
| | |
| | |
| | |
| | | |
Add test suite with certs from x509test
|
|\ \ \
| |_|/
|/| | |
Update docs to avoid Shpinx errors and warnings
|
| | |
| | |
| | |
| | | |
[ci skip]
|
| |/
|/|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
It was already close, but the carry loop would break early and
selecting which value to copy out was indexed on the borrow bit. Have
the carry loop run through, and add a const-time conditional copy
operation and use that to copy the output.
Convert ct_utils to CT namespace. Templatize the utils, which I was
hesitant to do initially but is pretty useful when dealing with
arbitrary word sizes.
Remove the poison macros, replace with inline funcs which reads
cleaner at the call site.
|
|/
|
|
|
|
|
|
|
| |
Remove any need for callers to do version checks or encode values
specially to handle Python2 vs Python3 ctypes differences. API users
shouldn't have to care about that - encapsulate the differences in a
few functions for handling the conversions.
Add botan_cipher_query_keylen to ffi
|
| |
|
| |
|
|
|
|
|
|
| |
For RSA, RC4, and ECDSA put the openssl versions in the same directory
as the base version. They just rely on a macro check for the openssl
module to test for the desire to use OpenSSL.
|
|
|
|
| |
In OAEP expand the const time block to cover MGF1 also
|
|
|
|
|
|
|
|
| |
via timing channels.
Add annotations for checking constant-time code using ctgrind to
PKCS #1 and OAEP, as well as IDEA and Curve25519 which were already
written as constant time code.
|
|\
| |
| | |
Support for 64 bit ARM
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This adds support for 64 bit ARM cores as used in many high-end phones
such as all iPhones beginning with the 5s. While these newer phones
still run 32 bit ARM code, Apple doesn't allow apps to be submitted to
the app store if they don't provide a 64 bit build.
This commit adds a new arm64 arch and renames arm to arm32 to stay
consistent with the other architectures. The name arm can still be used
for configuring because it has been added as an alias for arm32.
Additionally, the one piece of ARM inline assembly that can be found in
Botan doesn't work on 64 bit ARM, so I use the solution that has been
proposed in #180: Use __builtin_bswap32 instead of inline assembly.
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| | |
Some cleanups in random_prime. Increase probability in prime tests from
1/2**64 to 1/2**128. Also break out of the sieve loop early if it has
failed.
|
| | |
|
| |
| |
| |
| | |
deriving it by squaring the previous value.
|
| |
| |
| |
| |
| |
| | |
Previously you couldn't have an unique_ptr<RNG> that might point to
either a system rng or an autoseed rng depending on availability. That
was already needed in ffi and is useful elsewhere.
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| | |
For PK_Encryptor and company they are requested via a new provider param
to the constructors.
The speed command gets a --provider option so you can see benchmark results
with the different versions.
|
| | |
|
| | |
|
|/
|
|
|
| |
Removes filters as as an internal dependency pretty much entirely
(outside of some dusty corners in misc).
|
| |
|
| |
|
| |
|
|
|
|
| |
Missing path validation, probably other things
|
|\
| |
| | |
Cleanup and document McEliece implementation
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Remove and consolidate various headers
Reduce memory usage of GF2m_Field by sharing the log and exponent
tables across all instances of a particular word size.
Remove McEliece_Public_Operation and McEliece_Private_Operation which
were difficult to use safely. Instead only the KEM operations are exposed.
Add McEliece_PublicKey::random_plaintext_element
Add command line `mce` tool and some McEliece documentation
Convert the speed program to check McEliece keys of the suggested size
Add McEliece KATs for both key generation and KEM
Fix HMAC_DRBG constructor which derefed a pointer before its time
|
|\ \
| | |
| | | |
Add the Darwin_SecRandom entropy source
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
It uses the SecRandomCopyBytes function from the Security framework of
OS X and iOS. We need this because it is the official way to get
cryptographically secure random numbers on iOS, where /dev/random is not
accessible due to sandboxing.
|