path: root/src/lib
Commit message  [Author, Age, Files, Lines]
* Combine SM2 key types for signatures and encryption  [Jack Lloyd, 2018-08-01, 9 files, -190/+79]
|   It seems in practice the same key may end up being used for both operations, so maintaining a distinction at the type level just complicates things.
* Add OID for HMAC with SHA-512/256  [Jack Lloyd, 2018-08-01, 1 file, -1/+3]
* Add Lucas test from FIPS 186-4  [Jack Lloyd, 2018-07-31, 12 files, -147/+406]
|   This eliminates an issue identified in the paper "Prime and Prejudice: Primality Testing Under Adversarial Conditions" by Albrecht, Massimo, Paterson and Somorovsky where DL_Group::verify_group with strong=false would accept a composite q with probability 1/4096, which is exactly as the error bound is documented, but still unfortunate.
* Fix Doxygen comments for AutoSeeded_RNG [ci skip]  [Jack Lloyd, 2018-07-31, 1 file, -3/+7]
* Ensure values are fully reduced during ECDSA signature  [Jack Lloyd, 2018-07-30, 1 file, -3/+3]
|   It was possible that the Barrett reduction code would fall back to standard division due to getting an input that was >= order^2.
* Support calling Whirlpool in OpenSSL  [Jack Lloyd, 2018-07-26, 1 file, -0/+5]
|   Available since 1.0.0, not sure how this was missed.
* GHASH - use explicit function to check for key being set  [Jack Lloyd, 2018-07-25, 1 file, -1/+1]
* Add OID for SM2 with SM3 signatures  [Jack Lloyd, 2018-07-24, 1 file, -1/+3]
* Add include for getenv  [Jack Lloyd, 2018-07-24, 1 file, -0/+1]
* Only print FFI exceptions to stdout if an env var is set  [Jack Lloyd, 2018-07-24, 1 file, -1/+4]
|   So debugging is possible but the default is silent.
* Add botan_mac_query_keylen  [Jack Lloyd, 2018-07-24, 2 files, -1/+28]
* Add botan_block_cipher_query_keylen plus some new FFI error codes  [Jack Lloyd, 2018-07-24, 4 files, -5/+49]
* Use Alloc templates instead of overriding for specific vector types  [Jack Lloyd, 2018-07-24, 1 file, -16/+16]
* Fix bad assert in Goppa decoding  [Jack Lloyd, 2018-07-24, 1 file, -3/+4]
* Require SM2 ciphertexts be DER encoded  [Jack Lloyd, 2018-07-24, 1 file, -2/+18]
|   Previously the SM2 test would fail about 1 in a thousand times because we would corrupt the ciphertext such that the BER was still valid; it would change the length field to an indefinite length marker, which still decoded correctly.
* In ECC private key encoding, include the optional public key field  [Jack Lloyd, 2018-07-23, 1 file, -2/+4]
|   Otherwise GnuTLS refuses to parse the private key. Fixes #1634
* Merge GH #1628 In ECDSA verify, handle error seen with LibreSSL on non-x86  [Jack Lloyd, 2018-07-20, 1 file, -7/+16]
|\
| * Handle another possible OpenSSL error only seen on non-x86_64  [Jack Lloyd, 2018-07-17, 1 file, -7/+16]
| |   GH #1627
* | Add FFI funcs to get algo name from cipher, MAC and hash objs  [Jack Lloyd, 2018-07-19, 6 files, -10/+73]
* | Specialize code for BigInt right shift by 1  [Jack Lloyd, 2018-07-19, 1 file, -0/+22]
| |   Improves ECDSA by 2-3% due to improving the const time modular inversion algorithm (used for the mod-order inversions).
* | Fix error in CCM when L=8  [Jack Lloyd, 2018-07-18, 2 files, -6/+7]
| |   GH #1631
* | Support salts other than exactly 16 bytes for Blowfish key setup  [Jack Lloyd, 2018-07-18, 4 files, -36/+59]
| |   Bcrypt only needs 16 byte salts but unfortunately Bcrypt-PBKDF is defined to use 64 byte salts instead. So extend support to handle any salt that is a multiple of 4 bytes.
* | Correct comment on Hardware_RNG  [Jack Lloyd, 2018-07-17, 1 file, -2/+1]
|/
* Update password hashing default settings  [Jack Lloyd, 2018-07-13, 3 files, -3/+5]
|   Bcrypt work factor 10 is looking pretty low these days, as is 100K iterations of PBKDF2. Increase bcrypt to 12 and PBKDF2 to 150K, and also transition passhash9 to using SHA-512 instead of SHA-256. Also document bcrypt better, and add speed tests for bcrypt and passhash9.
* Remove RC2 related OIDs  [Jack Lloyd, 2018-07-13, 1 file, -5/+1]
|   Since RC2 was removed in 1c0bc3cc6b, there is no reason to have these around.
* Bump the FFI version  [Jack Lloyd, 2018-07-13, 2 files, -2/+6]
|   New FFI features added in #1621 and #1625
* Correct a comment in Camellia code, and align the 256 byte table  [Jack Lloyd, 2018-07-13, 1 file, -1/+3]
* Unroll SM4 encryption/decryption by 2  [Jack Lloyd, 2018-07-13, 1 file, -23/+105]
|   Interleaving operations improves SM4/CTR from 26 cpb to 18 cpb
* Add FPE1 to C API  [Jack Lloyd, 2018-07-13, 3 files, -1/+114]
|   GH #1612
* Make use of AlgorithmIdentifier::USE_EMPTY_PARAM  [Jack Lloyd, 2018-07-10, 3 files, -9/+3]
* Fix ARMv7 build  [Jack Lloyd, 2018-07-09, 1 file, -0/+3]
|   These hwcaps don't exist in 32-bit mode
* Add support for ARMv8 SM4 instructions  [Jack Lloyd, 2018-07-09, 7 files, -5/+291]
|   Tested in qemu
* Prefetch AES tables during the key schedule  [Jack Lloyd, 2018-07-06, 1 file, -8/+27]
|   Also prefetch SD during decryption since both TD and SD are used there. The need for prefetch in the key schedule was identified in the paper "Eliminating Timing Side-Channel Leaks using Program Repair" by Guo, Schaumont, Wang
* Document new flag for setting bcrypt version [ci skip]  [Jack Lloyd, 2018-07-05, 1 file, -1/+1]
* Small post-merge fixups of #1621  [Jack Lloyd, 2018-07-04, 3 files, -20/+20]
|   Formatting, and fix the API revision annotations. Adds pem as an explicit dependency to FFI; pubkey already pulls it in but good to be explicit.
* Merge GH #1621 Add PKCS#1 RSA load/store funcs to FFI  [Jack Lloyd, 2018-07-04, 2 files, -0/+57]
|\
| * Add RSA PKCS#1 key load and export functions to ffi  [René Korthaus, 2018-07-04, 2 files, -0/+57]
* | Add a couple of OIDs commonly seen in certificates  [Jack Lloyd, 2018-07-04, 1 file, -1/+5]
|/
* Correct Doxygen errors  [Jack Lloyd, 2018-07-02, 3 files, -6/+5]
* Add OID for ChaCha20Poly1305  [Jack Lloyd, 2018-07-01, 1 file, -1/+3]
|   From RFC 8103
* Rename Threefish-512 AVX2 file  [Jack Lloyd, 2018-06-30, 1 file, -0/+0]
* Support bcrypt 2b and 2y  [Jack Lloyd, 2018-06-29, 2 files, -12/+36]
|   Continue to default to 2a since older versions don't know about 2b. Both 2b and 2y are identical to our implementation of 2a since we never implemented the relevant bugs which necessitated the new formats.
* Fix handling of SHA instructions in tests  [Jack Lloyd, 2018-06-29, 1 file, -0/+2]
* Check arguments to BigInt::random_integer  [Jack Lloyd, 2018-06-29, 2 files, -2/+5]
* Fix Coverity false positive  [Jack Lloyd, 2018-06-29, 1 file, -0/+2]
|   It thinks a divide by zero can happen here
* Fix some -Wshadow warnings  [Jack Lloyd, 2018-06-29, 2 files, -6/+5]
* Move reduction mod q to DL_Group  [Jack Lloyd, 2018-06-28, 4 files, -31/+118]
|   Avoids computing Barrett params many times and gives the option for more optimizations in future.
* Expose reduction mod p in CurveGFp  [Jack Lloyd, 2018-06-28, 3 files, -16/+28]
|   This is slightly slower for Brainpool, but NIST curves are 5% faster.
* Correct computing of discriminant in EC_Group::verify_group  [Jack Lloyd, 2018-06-27, 1 file, -16/+34]
|   It was checking 4*a+27*b instead of 4*a^3 + 27*b^2
* Prohibit empty nonces with GCM  [Jack Lloyd, 2018-06-27, 2 files, -3/+9]
|   This is mostly harmless but not allowed by the specification. See for example SP800-38D section 5.2.1.1