aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib
Commit message (Collapse)AuthorAgeFilesLines
* Remove bogus code from generic mp_madd header, noticed on PPC build.Jack Lloyd2015-11-232-5/+6
| | | | Also fix a few cast and zero-as-nullptr warnings in the AltiVec header
* Remove mul128.h header from public viewJack Lloyd2015-11-163-19/+27
| | | | | | | | | | | | | | | The only reason mul128.h was included in mp_types.h was for the definition of dword. But dword is only needed by the generic version of mp_madd, which is an internal header. So move both the inclusion of the header and the dword definition to there. Previously mul128.h was very public (mp_types.h to bigint.h to rsa.h, for example) and use of __int128 causes problems in pedantic mode. So additionally, prefer using the TI attribute version since GCC does not complain about that. Clang's -Wpedantic does not seem to care about it either way. GH #330
* Fix bug causing TLS client to sometimes reject DHE server kexJack Lloyd2015-11-132-35/+16
| | | | | | Re-encoding the server key exchange meant that any leading zeros in the values for DHE (or SRP) would be stripped out. This would cause the signature check to fail.
* Add remove_all to TLS session manager interfaceJack Lloyd2015-11-138-48/+67
| | | | DB::spin now returns the number of rows affected
* Remove call to abort on a zero point in PointGFp::get_affine_{x,y}Jack Lloyd2015-11-131-4/+0
|
* Drop the DH group check to a weaker version of the checksJack Lloyd2015-11-131-2/+3
| | | | since the primality tests are expensive in CPU time.
* Add TLS_PSK testsJack Lloyd2015-11-133-14/+5
| | | | | | | | | | | Fix a bug which rejected any short server key exchanges. These can occur with a plain PSK with short or empty identity hints. Disable SHA-224 by default. Remove some vestigal RC4 cruft. Push more on the TLS corruption tests.
* Add missing overridesJack Lloyd2015-11-112-2/+2
|
* Update and consolidate the test framework.Jack Lloyd2015-11-1110-11/+29
| | | | | | | | | | | The tests previously had used 4 to 6 different schemes internally (the vec file reader framework, Catch, the old InSiTo Boost.Test tests, the PK/BigInt tests which escaped the rewrite in 1.11.7, plus a number of one-offs). Converge on a design that works everywhere, and update all the things. Fix also a few bugs found by the test changes: SHA-512-256 name incorrect, OpenSSL RC4 name incorrect, signature of FFI function botan_pubkey_destroy was wrong.
* Add check for path validation result in Credentials_Manager. GH #324Jack Lloyd2015-11-043-6/+12
|
* Remove unused xor_buf.h (internal header merged into mem_ops.h)Jack Lloyd2015-10-271-144/+0
|
* Fix McEliece key gen endian dependency.Jack Lloyd2015-10-273-20/+27
| | | | | | | | | | | The tests which generate McEliece keys using a deterministic RNG and fixed seed failed on PowerPC (or other big endian systems) because the vectors assumed we were creating elements little endian, which is what happend with rng.randomize(&u16, 2) on x86 Fix it to always be little endian. No particular reason to prefer one vs the other here (we're just trying for compatability with ourselves) and choosing little endian avoids having to regen the vectors.
* Compile fixJack Lloyd2015-10-261-1/+1
|
* Merge pull request #314 from randombit/ct-tls-cbc-paddingJack Lloyd2015-10-2621-210/+447
|\ | | | | TLS improvements
| * Missing include dependencyJack Lloyd2015-10-261-1/+1
| |
| * Asan fix - referencing &vec[vec.size()] instead of vec.end()Jack Lloyd2015-10-263-39/+22
| | | | | | | | Convert to a const time algo
| * TLS improvementsJack Lloyd2015-10-2519-170/+424
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Use constant time operations when checking CBC padding in TLS decryption Fix a bug in decoding ClientHellos that prevented DTLS rehandshakes from working: on decode the session id and hello cookie would be swapped, causing confusion between client and server. Various changes in the service of finding the above DTLS bug that should have been done before now anyway - better control of handshake timeouts (via TLS::Policy), better reporting of handshake state in the case of an error, and finally expose the facility for per-message application callbacks.
* | Add missing includeJack Lloyd2015-10-261-0/+1
| |
* | Merge pull request #313 from randombit/path-validation-fixesJack Lloyd2015-10-2610-104/+186
|\ \ | | | | | | Fix cert validation bugs found by x509test.
| * | Fix cert validation bugs found by x509test.Jack Lloyd2015-10-2310-104/+186
| | | | | | | | | | | | Add test suite with certs from x509test
* | | Merge pull request #306 from webmaster128/update-docsSimon Warta2015-10-262-8/+2
|\ \ \ | |_|/ |/| | Update docs to avoid Shpinx errors and warnings
| * | Update doc for issuer_dn() and subject_dn()Simon Warta2015-10-202-8/+2
| | | | | | | | | | | | [ci skip]
* | | Make Montgomery reduction constant time.Jack Lloyd2015-10-248-121/+109
| |/ |/| | | | | | | | | | | | | | | | | | | | | | | | | It was already close, but the carry loop would break early and selecting which value to copy out was indexed on the borrow bit. Have the carry loop run through, and add a const-time conditional copy operation and use that to copy the output. Convert ct_utils to CT namespace. Templatize the utils, which I was hesitant to do initially but is pretty useful when dealing with arbitrary word sizes. Remove the poison macros, replace with inline funcs which reads cleaner at the call site.
* | Fix botan.py for Python3Jack Lloyd2015-10-203-1/+15
|/ | | | | | | | | Remove any need for callers to do version checks or encode values specially to handle Python2 vs Python3 ctypes differences. API users shouldn't have to care about that - encapsulate the differences in a few functions for handling the conversions. Add botan_cipher_query_keylen to ffi
* Make OpenSSL ECDSA and RSA request only until they can be testedJack Lloyd2015-10-191-2/+2
|
* Add missing BOTAN_DLL to Decompression_Filter. GH #304Jack Lloyd2015-10-191-1/+1
|
* Break up openssl providerJack Lloyd2015-10-1910-23/+46
| | | | | | For RSA, RC4, and ECDSA put the openssl versions in the same directory as the base version. They just rely on a macro check for the openssl module to test for the desire to use OpenSSL.
* Cleanups in ct and oaepJack Lloyd2015-10-172-96/+23
| | | | In OAEP expand the const time block to cover MGF1 also
* Make PKCS #1 and OAEP decoding constant time to avoid oracle attacksJack Lloyd2015-10-169-168/+300
| | | | | | | | via timing channels. Add annotations for checking constant-time code using ctgrind to PKCS #1 and OAEP, as well as IDEA and Curve25519 which were already written as constant time code.
* Merge pull request #298 from tiwoc/arm64Simon Warta2015-10-161-2/+2
|\ | | | | Support for 64 bit ARM
| * Initial support for 64 bit ARMDaniel Seither2015-10-131-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds support for 64 bit ARM cores as used in many high-end phones such as all iPhones beginning with the 5s. While these newer phones still run 32 bit ARM code, Apple doesn't allow apps to be submitted to the app store if they don't provide a 64 bit build. This commit adds a new arm64 arch and renames arm to arm32 to stay consistent with the other architectures. The name arm can still be used for configuring because it has been added as an alias for arm32. Additionally, the one piece of ARM inline assembly that can be found in Botan doesn't work on 64 bit ARM, so I use the solution that has been proposed in #180: Use __builtin_bswap32 instead of inline assembly.
* | Fix compile of ffi when tls is disabled. GH #300Jack Lloyd2015-10-151-3/+8
| |
* | MSVC build fixJack Lloyd2015-10-152-9/+10
| |
* | Add prime and dl_group command line tools.Jack Lloyd2015-10-151-14/+42
| | | | | | | | | | | | Some cleanups in random_prime. Increase probability in prime tests from 1/2**64 to 1/2**128. Also break out of the sieve loop early if it has failed.
* | Prohibit creating a DL_Group smaller than 1024 bitsJack Lloyd2015-10-151-2/+2
| |
* | Periodically reinitialize the blinding sequence instead of alwaysJack Lloyd2015-10-152-13/+39
| | | | | | | | deriving it by squaring the previous value.
* | Add System_RNG which is an instantiatable RNG that uses the system RNGJack Lloyd2015-10-153-25/+33
| | | | | | | | | | | | Previously you couldn't have an unique_ptr<RNG> that might point to either a system rng or an autoseed rng depending on availability. That was already needed in ffi and is useful elsewhere.
* | Add support for RSA signing and verification via OpenSSLJack Lloyd2015-10-141-13/+131
| |
* | Expose providers for public key operationsJack Lloyd2015-10-143-47/+66
| | | | | | | | | | | | | | | | For PK_Encryptor and company they are requested via a new provider param to the constructors. The speed command gets a --provider option so you can see benchmark results with the different versions.
* | Build fixJack Lloyd2015-10-142-2/+3
| |
* | Add null pointer check to pbes2_decrypt, fix message in pbes2_encryptJack Lloyd2015-10-141-1/+3
| |
* | Move DataSource to utils and rewrite PEM encoding to avoid filtersJack Lloyd2015-10-149-17/+33
|/ | | | | Removes filters as as an internal dependency pretty much entirely (outside of some dusty corners in misc).
* Add missing null pointer check to PBES2Jack Lloyd2015-10-111-0/+3
|
* Fix bcrypt testJack Lloyd2015-10-031-1/+3
|
* Add McEliece keygen and MCEIES to C89 API. Plus random fiddlingJack Lloyd2015-10-013-32/+212
|
* Export X.509 certificates to ffi and pythonJack Lloyd2015-10-014-15/+267
| | | | Missing path validation, probably other things
* Merge pull request #286 from randombit/mce-cleanupJack Lloyd2015-09-3026-1202/+987
|\ | | | | Cleanup and document McEliece implementation
| * McEliece cleanupsJack Lloyd2015-09-2926-1202/+987
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Remove and consolidate various headers Reduce memory usage of GF2m_Field by sharing the log and exponent tables across all instances of a particular word size. Remove McEliece_Public_Operation and McEliece_Private_Operation which were difficult to use safely. Instead only the KEM operations are exposed. Add McEliece_PublicKey::random_plaintext_element Add command line `mce` tool and some McEliece documentation Convert the speed program to check McEliece keys of the suggested size Add McEliece KATs for both key generation and KEM Fix HMAC_DRBG constructor which derefed a pointer before its time
* | Merge pull request #288 from tiwoc/darwin_secrandomJack Lloyd2015-09-254-0/+84
|\ \ | | | | | | Add the Darwin_SecRandom entropy source
| * | Add the Darwin_SecRandom entropy sourceDaniel Seither2015-09-254-0/+84
| | | | | | | | | | | | | | | | | | | | | It uses the SecRandomCopyBytes function from the Security framework of OS X and iOS. We need this because it is the official way to get cryptographically secure random numbers on iOS, where /dev/random is not accessible due to sandboxing.