aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib
Commit message (Collapse)AuthorAgeFilesLines
* fix test failures and seg faults when Botan is configured with ↵René Korthaus2016-06-178-4/+12
| | | | --module-policy bsi
* Merge GH #489 Add support probabilistic DSA & ECDSAJack Lloyd2016-06-074-11/+23
|\
| * Add support probabilistic DSA & ECDSARené Korthaus2016-05-084-11/+23
| | | | | | | | | | | | | | Adds support for probabilistic, aka the standard, DSA and ECDSA. Can be enabled by disabling the rfc6979 module. Includes test vectors from NIST CAVP. Adds rfc6979 to the list of prohibited modules in BSI policy.
* | Add Not_Implemented exceptionJack Lloyd2016-06-074-7/+17
| |
* | Remove DN field requirements on generating certs and PKCS #10Jack Lloyd2016-05-233-22/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | I have no idea why this is requiring the country code be set, but for many applications a country is not even meaningful. This change also allows CN to be empty/unset on the request or cert, since there is no actual requirement for any specific DN entry type and RFC 5280 specifically allows even an completely empty DN, with name information only in the subjectAltName extension. This change also allows generating a self-signed cert or cert request that expires before it starts. That could only happen with an explicit decision by the application to set it that way, and there is no harm in returning these non-secret bits. They will probably notice their problem as soon as the cert is rejected by any receiving system.
* | Fix GCM counter incrementJack Lloyd2016-05-233-3/+19
| | | | | | | | | | | | | | | | | | GCM is defined as having a 32-bit counter, but CTR_BE incremented the counter across the entire block. This caused incorrect results if a very large message (2**39 bits) was processed, or if the GHASH derived nonce ended up having a counter field near to 2**32 Thanks to Juraj Somorovsky for the bug report and repro.
* | Merge GH #484 use explicit casts to avoids MSVC warning C4267Jack Lloyd2016-05-0921-64/+62
|\ \ | |/ |/|
| * Add explicit static_cast operations to eliminate implicit cast compiler ↵Dan Brown2016-04-2718-36/+34
| | | | | | | | warnings.
| * Change calls to 'get_byte' to explicitly cast parameters and eliminate ↵Dan Brown2016-04-277-28/+28
| | | | | | | | compiler warnings
* | Add missing overrideJack Lloyd2016-04-281-1/+1
|/
* Merge GH #469 Generate error on unknown critical extension during path ↵Jack Lloyd2016-04-239-78/+241
|\ | | | | | | | | | | | | validation Previously an unknown extension would be rejected during parsing, which prevents examining such a cert at all
| * Move name constraints validation code to extension classRené Korthaus2016-04-173-101/+111
| |
| * Add Unknown_Critical_Extension typeRené Korthaus2016-04-103-16/+43
| |
| * Generate error on unknown critical extension during path validationRené Korthaus2016-04-069-19/+145
| | | | | | | | | | | | | | | | | | | | | | | | Previously unknown critical extensions were rejected during X509_Certificate constructor, which inhibited inspecting other parts of such a certificate. Refactored the certificate extensions code so that the path validation routine performs this check only. Additionally, added an interface for extensions to inspect the path during path validation. TODOs were added in places where existing path validation code can use the new interface. Fixes GH #449.
* | Fix return type of TLS_Reader::get_u32bitJack Lloyd2016-04-211-2/+2
| | | | | | | | | | | | Only affects decoding of session ticket lifetimes. GH #478
* | Merge GH #475 Remove Transform base classJack Lloyd2016-04-2130-579/+549
|\ \
| * | Remove Transform base classJack Lloyd2016-04-2130-579/+549
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | With sufficient squinting, Transform provided an abstract base interface that covered both cipher modes and compression algorithms. However it mapped on neither of them particularly well. In addition this API had the same problem that has made me dislike the Pipe/Filter API: given a Transform&, what does it do when you put bits in? Maybe it encrypts. Maybe it compresses. It's a floor wax and a dessert topping! Currently the Cipher_Mode interface is left mostly unchanged, with the APIs previously on Transform just moved down the type hierarchy. I think there are some definite improvements possible here, wrt handling of in-place encryption, but left for a later commit. The compression API is split into two types, Compression_Algorithm and Decompression_Algorithm. Compression_Algorithm's start() call takes the compression level, allowing varying compressions with a single object. And flushing the compression state is moved to a bool param on `Compression_Algorithm::update`. All the nonsense WRT compression algorithms having zero length nonces, input granularity rules, etc as a result of using the Transform interface goes away.
* | | Merge GH #481 Add NIST SP800-108 & 56c KDFsJack Lloyd2016-04-217-0/+351
|\ \ \
| * | | NIST SP800-108 & 56cKai Michaelis2016-04-207-0/+351
| |/ /
* | | Enable ECGDSA in default buildRené Korthaus2016-04-201-2/+0
| | |
* | | Add ECGDSARené Korthaus2016-04-1910-11/+341
|/ /
* | Don't reject TLS packets with zero plaintext bytesJack Lloyd2016-04-152-13/+19
| | | | | | | | | | | | | | | | OpenSSL sends an empty record before each new data record in TLS v1.0 to randomize the IV, as a countermeasure to the BEAST attack. Most implementations use 1/(n-1) splitting for this instead. Bug introduced with the const time changes in 1.11.23
* | Empty the key/tweak containers which is used to signal the key was setJack Lloyd2016-04-151-3/+3
| | | | | | | | Fix exception message
* | Add support for ChaCha(12)Jack Lloyd2016-04-093-9/+33
| |
* | fix linker error if compiling with `--module-policy bsi` on Windows. Fixes ↵Daniel Neus2016-04-081-1/+1
|/ | | | GH #451
* Update OCB ciphersuites to follow new nonce scheme from -04 draftJack Lloyd2016-04-041-37/+37
|
* Add IETF standard ChaCha20Poly1305 ciphersuites to TLSJack Lloyd2016-03-233-23/+83
|
* Fix bug in IETF version of ChaCha20Poly1305Jack Lloyd2016-03-231-11/+20
| | | | | If the input lengths are exact multiples of 16 bytes then no padding should be added. Previously 16 bytes of zero padding were added instead.
* Clean up PK decryption encoding.Jack Lloyd2016-03-2014-55/+57
| | | | | | | Previously RSA and ElGamal stripped off leading zeros which were then assumed by the padding decoders. Instead have them produce ciphertexts with leading zeros. Changes EME_Raw to strip leading zeros to match existing behavior.
* Add PK_Decryptor::decrypt_or_randomJack Lloyd2016-03-2017-129/+253
| | | | | Performs content checks on the value (expected length, expected bytes) and in constant time returns either the decrypted value or a random value.
* Remove support for TLS v1.2 MD5 and SHA-224 signatures.Jack Lloyd2016-03-172-53/+3
| | | | | | | | | Remove support for weak ECC curves (anything under P-256) from TLS. This includes secp256k1 since we don't take advantage of the special form for any performance advantage; might as well use P-256. The manual still mentioned that it was possible to use MD5 in Policy::allowed_macs, but all HMAC-MD5 suites are already removed.
* Client must verify that the server sent an ECC curve which policy accepts.Jack Lloyd2016-03-173-0/+13
| | | | | Otherwise a MITM who can in real time break any supported ECC curve can downgrade us.
* Use rejection sampling in BigInt::random_integerJack Lloyd2016-03-162-10/+10
| | | | Avoids the test vector contortions in RSA-KEM
* Merge GH #454 X.509 name constraintsJack Lloyd2016-03-1611-16/+726
|\
| * Changes from GH #454 reviewJack Lloyd2016-03-162-68/+72
| |
| * X.509 Name ConstraintsKai Michaelis2016-03-1011-16/+722
| |
* | TLS client featuresJack Lloyd2016-03-161-0/+3
| | | | | | | | | | | | Add flags --policy, --print-certs, --tls1.0, --tls1.1, --tls1.2 Update todo
* | Fix off by one in ressolJack Lloyd2016-03-151-1/+1
| | | | | | | | | | Could attempt to allocate (size_t)-1 words with predicably bad_alloc results.
* | Merge GH #422 Use system_time instead of high_resolution_clockJack Lloyd2016-03-101-1/+1
|\ \
| * | Use chrono::system_clock instead of chrono::high_resolution_clock in ↵Daniel Neus2016-03-071-1/+1
| | | | | | | | | | | | | | | | | | get_system_timestamp_ns() GH #422
* | | Merge GH #450 Add support for Windows VirtualLockJack Lloyd2016-03-101-1/+50
|\ \ \
| * | | remove redundant returnDaniel Neus2016-03-081-1/+0
| | | |
| * | | add support for VirtualLock/VirtualUnlock on WindowsDaniel Neus2016-03-071-1/+51
| |/ / | | | | | | | | | equivalent to mlock on Unix to prevent swapping out of memory
* / / Trivial warning fixesJack Lloyd2016-03-095-27/+37
|/ /
* | Merge GH #446 add --module-policy optionJack Lloyd2016-03-062-0/+4
|\ \
| * | Add option --module-policyJack Lloyd2016-03-062-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A module policy is a file specifying three types of modules: ones which are required, ones which are prohibited, and ones which should be used if otherwise available (this is mostly for platform specific modules). Finally there are whatever modules which exist in the library of which the policy makes no mention. These will be included if an explicit dependency of some other module pulls them in (so there is no reason to mention base, utils, ... in the file) but skipped otherwise. For example policy 'sane' does not mention 'utils' or 'twofish' either way. Since utils is a dependency of other modules which are included, but Twofish does not. However unlike an explicitly prohibited module, not mentioned can still be requested as part of the build (here with --enable-module=twofish) Also fixes some test bugs noticed by compiling in different build configs. DLIES test didn't check that the KDF and MAC existed. Adds a typedef for MessageAuthenticationCode because typing it twice in a single line in the DLIES test made me think it's way too long. :) Also fix some fuzzer build problems. Due to a copy and paste bug the PKCS certificate (it was not). Inspired by GH #439
* | | Merge GH #373 RDRAND/RDSEED logic changesJack Lloyd2016-03-062-34/+35
|\ \ \ | | | | | | | | | | | | The Intel RNG may fail if heavily contended, so retry as needed.
| * | | move logic back into poll()Daniel Neus2016-01-262-60/+36
| | | | | | | | | | | | | | | | prevents filtering out any 0x00000000 outputs from RDRAND/RDSEED
| * | | review changesDaniel Neus2015-12-214-37/+39
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * no spaces around if(), for() etc * snake_case for plain functions * anonymous namespace function instead private and static * don't propagate failed poll to the calling application * RdRand retires configurable in build.h
| * | | RdRand and RdSeed logic changesDaniel Neus2015-12-204-36/+59
| | | | | | | | | | | | | | | | | | | | * Make it configurable how often RdRand and RdSeed is polled * Make it configurable how many RdSeed retries are executed