aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib
Commit message (Collapse)AuthorAgeFilesLines
* Clean up PK decryption encoding.Jack Lloyd2016-03-2014-55/+57
| | | | | | | Previously RSA and ElGamal stripped off leading zeros which were then assumed by the padding decoders. Instead have them produce ciphertexts with leading zeros. Changes EME_Raw to strip leading zeros to match existing behavior.
* Add PK_Decryptor::decrypt_or_randomJack Lloyd2016-03-2017-129/+253
| | | | | Performs content checks on the value (expected length, expected bytes) and in constant time returns either the decrypted value or a random value.
* Remove support for TLS v1.2 MD5 and SHA-224 signatures.Jack Lloyd2016-03-172-53/+3
| | | | | | | | | Remove support for weak ECC curves (anything under P-256) from TLS. This includes secp256k1 since we don't take advantage of the special form for any performance advantage; might as well use P-256. The manual still mentioned that it was possible to use MD5 in Policy::allowed_macs, but all HMAC-MD5 suites are already removed.
* Client must verify that the server sent an ECC curve which policy accepts.Jack Lloyd2016-03-173-0/+13
| | | | | Otherwise a MITM who can in real time break any supported ECC curve can downgrade us.
* Use rejection sampling in BigInt::random_integerJack Lloyd2016-03-162-10/+10
| | | | Avoids the test vector contortions in RSA-KEM
* Merge GH #454 X.509 name constraintsJack Lloyd2016-03-1611-16/+726
|\
| * Changes from GH #454 reviewJack Lloyd2016-03-162-68/+72
| |
| * X.509 Name ConstraintsKai Michaelis2016-03-1011-16/+722
| |
* | TLS client featuresJack Lloyd2016-03-161-0/+3
| | | | | | | | | | | | Add flags --policy, --print-certs, --tls1.0, --tls1.1, --tls1.2 Update todo
* | Fix off by one in ressolJack Lloyd2016-03-151-1/+1
| | | | | | | | | | Could attempt to allocate (size_t)-1 words with predicably bad_alloc results.
* | Merge GH #422 Use system_time instead of high_resolution_clockJack Lloyd2016-03-101-1/+1
|\ \
| * | Use chrono::system_clock instead of chrono::high_resolution_clock in ↵Daniel Neus2016-03-071-1/+1
| | | | | | | | | | | | | | | | | | get_system_timestamp_ns() GH #422
* | | Merge GH #450 Add support for Windows VirtualLockJack Lloyd2016-03-101-1/+50
|\ \ \
| * | | remove redundant returnDaniel Neus2016-03-081-1/+0
| | | |
| * | | add support for VirtualLock/VirtualUnlock on WindowsDaniel Neus2016-03-071-1/+51
| |/ / | | | | | | | | | equivalent to mlock on Unix to prevent swapping out of memory
* / / Trivial warning fixesJack Lloyd2016-03-095-27/+37
|/ /
* | Merge GH #446 add --module-policy optionJack Lloyd2016-03-062-0/+4
|\ \
| * | Add option --module-policyJack Lloyd2016-03-062-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A module policy is a file specifying three types of modules: ones which are required, ones which are prohibited, and ones which should be used if otherwise available (this is mostly for platform specific modules). Finally there are whatever modules which exist in the library of which the policy makes no mention. These will be included if an explicit dependency of some other module pulls them in (so there is no reason to mention base, utils, ... in the file) but skipped otherwise. For example policy 'sane' does not mention 'utils' or 'twofish' either way. Since utils is a dependency of other modules which are included, but Twofish does not. However unlike an explicitly prohibited module, not mentioned can still be requested as part of the build (here with --enable-module=twofish) Also fixes some test bugs noticed by compiling in different build configs. DLIES test didn't check that the KDF and MAC existed. Adds a typedef for MessageAuthenticationCode because typing it twice in a single line in the DLIES test made me think it's way too long. :) Also fix some fuzzer build problems. Due to a copy and paste bug the PKCS certificate (it was not). Inspired by GH #439
* | | Merge GH #373 RDRAND/RDSEED logic changesJack Lloyd2016-03-062-34/+35
|\ \ \ | | | | | | | | | | | | The Intel RNG may fail if heavily contended, so retry as needed.
| * | | move logic back into poll()Daniel Neus2016-01-262-60/+36
| | | | | | | | | | | | | | | | prevents filtering out any 0x00000000 outputs from RDRAND/RDSEED
| * | | review changesDaniel Neus2015-12-214-37/+39
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * no spaces around if(), for() etc * snake_case for plain functions * anonymous namespace function instead private and static * don't propagate failed poll to the calling application * RdRand retires configurable in build.h
| * | | RdRand and RdSeed logic changesDaniel Neus2015-12-204-36/+59
| | | | | | | | | | | | | | | | | | | | * Make it configurable how often RdRand and RdSeed is polled * Make it configurable how many RdSeed retries are executed
* | | | Typos are easy to miss in code that is not compiled by default.Jack Lloyd2016-03-061-1/+1
| | | |
* | | | Merge GH #437 add X509_Certificate::v3_extensionsJack Lloyd2016-03-064-20/+35
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | Makes it possible for an application to interpret some extension not supported by the library.
| * | | | +added fields for custom x509 extensionsChristopher Bläsius2016-02-294-20/+33
| | |_|/ | |/| | | | | | | | | | +Extensions now uses std::unique_ptr
* | | | Merge GH #441 Clang analyzer fixesJack Lloyd2016-03-063-5/+7
|\ \ \ \
| * \ \ \ Merge branch 'master' into clang-analyzerDaniel Neus2016-03-06127-327/+272
| |\ \ \ \
| * | | | | added an assert for aes key length >= 4 in aes_key_schedule to prevent ↵Daniel Neus2016-03-021-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | division by zero found by clang-analyzer
| * | | | | fix dead assignment / redundant computation in block/aes_ssse3/aes_ssse3.cpp ↵Daniel Neus2016-03-021-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | in aes_schedule_transform found by clang-analyzer
| * | | | | fix dead assignment in mce/polyn_gf2m.cpp in polyn_gf2m() found by ↵Daniel Neus2016-03-021-3/+1
| | |/ / / | |/| | | | | | | | | | | | | clang-analyzer
* | | | | Check that TLS signature type is accepted by the policy.Jack Lloyd2016-03-069-38/+106
| |/ / / |/| | | | | | | | | | | | | | | | | | | Previously the signature hashes and algos info was used to set the v1.2 signature_algorithms extension, but if the counterparty ignored the extension and sent something else, we wouldn't notice.
* | | | Fix ordering of Charset::transcode argumentsJack Lloyd2016-03-062-2/+2
| | | | | | | | | | | | | | | | GH #438
* | | | Remaining cppcheck fixes that are not covered by GH #444Daniel Neus2016-03-0531-131/+75
| |_|/ |/| |
* | | Remove explicit from DL_Group, EC_Group constructors taking std::stringJack Lloyd2016-03-052-2/+2
| | | | | | | | | | | | | | | | | | I think we maybe want these to be converting constructors, and adding explicit here breaks code like ECDSA_PrivateKey(rng, "secp256r1") which seems like a reasonable thing to support IMO
* | | cppcheck fixes: Class 'X' has a constructor with 1 argument that is not ↵Daniel Neus2016-03-05100-197/+198
| | | | | | | | | | | | explicit.
* | | fix a typo in os_utils that prevents retrieval of the current process id on ↵Daniel Neus2016-03-011-2/+2
|/ / | | | | | | windows
* | Merge pull request #431 from cordney/python-improvementsJack Lloyd2016-02-211-1/+20
|\ \ | | | | | | Improvements in X.509 cert handling for python bindings. Add Python code coverage report.
| * | Improvements in X.509 cert handling for python bindingsRené Korthaus2016-02-201-1/+20
| | | | | | | | | | | | | | | | | | | | | | | | Add implementation for ffi botan_x509_cert_get_public_key(). Add subject_dn() function to python x509_cert class. Have python x509_cert constructor take a buffer alternatively. Have python x509_cert functions time_starts() and time_expires() return a python timestamp.
* | | Avoid some Wshadows in GCC 4.8Jack Lloyd2016-02-203-11/+10
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | In GCC 4.7 and 4.8, Wshadow also warns if a local variable conflicts with a member function. This was changed in GCC 4.9 (GCC bugzilla 57709) but causes a lot of warnings on Travis which is on 4.8. Clang's Wshadow behaves like GCC 4.9 The worst offendor was Exception's constructor argument being named `what` which conflicts with the member function of the same name, being in a public header this causes so many warnings the Travis log files are truncated. This fixes Exception and a couple of others. Fixing all cases would be a slog that I'm not up for right at the moment.
* | For odd moduli use a input-independent modular inverse algorithm.Jack Lloyd2016-02-204-56/+218
| | | | | | | | Also adds a (not const time) implementation of almost Montgomery reduction.
* | Add tests and timings for inverse_modJack Lloyd2016-02-202-5/+13
| |
* | Merge GH #427 Fix remaining Wshadow warningsJack Lloyd2016-02-2011-90/+95
|\ \
| * | Fix remaining Wshadow warnings and enable on gcc and clangRené Korthaus2016-02-1811-90/+95
| | |
* | | add missing include guardsDaniel Neus2016-02-192-0/+10
|/ /
* | Add constant time conditional swap, add, sub for bigint wordsJack Lloyd2016-02-173-2/+103
| | | | | | | | | | | | | | | | | | Not optimized and relies on asm support for const time word_add/word_sub instructions. Fix a bug introduced in 46e9a89 - unpoison needs to call the valgrind API with the pointer rather than the reference. Caused values not to be unpoisoned.
* | Reject zero length TLS records out of hand.Jack Lloyd2016-02-161-4/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Later checks on the record length in CCS and record handling already rejected a zero length record but when reading an empty record, readbuf.size() == TLS_HEADER_SIZE and so creating the pointer byte* record_contents = &readbuf[TLS_HEADER_SIZE]; would trigger when running under (at least) GCC'S iterator debugging, and likely other iterator checkers also. Since no completely empty record is defined, reject it immediately at the record layer. Found by Juraj Somorovsky Also correct DTLS record handling for large messages: a zero length or too-long packet should be dropped rather than an exception being thrown.
* | Add KDF1 as explicit dependency in MCEIESJack Lloyd2016-02-151-0/+1
| | | | | | | | | | | | | | | | | | | | Previously MCEIES used KEM with a raw SHA-512 hash. When the KDF oriented KEM interface was added in 72f0f0ad2a it switched to using KDF1(SHA-512) since for a 64-byte output and no salt, the output matches the original hash. This avoids breaking the format. Prevents runtime failures when MCEIES is enabled in the build but KDF1 is not. GH #369
* | In compression wrappers add an overflow check before calling mallocJack Lloyd2016-02-131-3/+21
| | | | | | | | | | | | | | | | | | | | If malloc fails, don't save the size that was attempted. Otherwise a failing malloc followed by a free(nullptr) would zero a block of memory equal to the failed allocation starting from the null address. It's not clear if zlib,bzip2,lzma expect the return of the malloc function to be zero but LZMA at least seems to read from it before writing. Zero it.
* | Fix Coverity findings in McEliece codeJack Lloyd2016-02-093-14/+20
| | | | | | | | | | | | | | | | Initialize variables in constructor in gf2m_decomp_rootfind_state Add asserts on the degree where a positive value was assumed. How polyn_gf2m handles the degree needs some work but this should do for now.
* | Add asserts to help out CoverityJack Lloyd2016-02-092-0/+4
| | | | | | | | | | | | It somehow deduces an input that is both > 0 and for which high_bit never finds a bit set and returns 0. In both cases that would lead to block being 0 and a negative shift.