path: root/src/pubkey
Commit log (newest first). Each entry: date, author, [files changed, -lines removed/+lines added], then the commit message.
* 2010-09-30 lloyd [1 file, -3/+4]: Tidy
* 2010-09-26 lloyd [7 files, -25/+33]: Use BOTAN_ASSERT in various places
* 2010-09-26 lloyd [1 file, -11/+13]: If we generate a k such that s or r is 0, don't fail, simply retry
  with a new k.
* 2010-09-22 lloyd [2 files, -11/+12]: In RSA and RW key generation, if we generate a key that isn't exactly
  the requested bitsize, simply repeat instead of failing immediately. The
  condition could actually occur in practice if a prime that was on the very
  low end of the specified range was chosen (eg q happened to be chosen as
  10000...001).
* 2010-09-15 lloyd [2 files, -4/+3]: Update all uses of MemoryRegion::append to use either push_back or operator+=
* 2010-09-14 lloyd [1 file, -4/+4]: Remove more implicit vector to pointer conversions
* 2010-09-14 lloyd [2 files, -3/+3]: More changes to avoid vector to pointer implicit conversions
* 2010-09-13 lloyd [1 file, -2/+4]: Remove constructors of MemoryVector and SecureVector that took two
  MemoryRegions and concatenated them.
* 2010-09-13 lloyd [3 files, -14/+14]: Remove more uses of vector to pointer implicit conversions
* 2010-09-13 lloyd [1 file, -4/+3]: More vector->pointer conversion removals.
  Add RandomNumberGenerator::random_vec, which takes a length n and returns a
  new SecureVector with randomized contents of that size. This nicely covers
  most of the cases where randomize was being called on a vector, and is a
  little cleaner in the code as well: instead of
  vec.resize(length); rng.randomize(&vec[0], vec.size());
  we just write
  vec = rng.random_vec(length);
* 2010-09-13 lloyd [3 files, -5/+6]: First set of changes for avoiding use of implicit vector->pointer conversions
* 2010-08-13 lloyd [1 file, -1/+1]: The changelog for 1.9.4 claimed that the default PKCS #8 encryption
  algorithm had changed to AES-256. This was wrong, it actually changed to
  AES-128. However in retrospect AES-256 is probably a reasonable move (in
  particular for the 4 extra rounds; the related key attacks possible against
  AES-256 are probably not viable since we generate the key using PBKDF2), so
  update the 1.9.4 changelog to correctly indicate the change made in that
  release, and also modify PKCS #8 to actually use AES-256.
* 2010-06-30 lloyd [3 files, -13/+15]: These functions are internal use only, and don't need to be exported with
  BOTAN_DLL
* 2010-06-21 lloyd [1 file, -0/+12]: Doxygen
* 2010-06-21 lloyd [1 file, -0/+3]: Doxygen
* 2010-06-16 lloyd [8 files, -44/+44]: Replace "@return a blah" and "@return the blah" with just "@return blah"
* 2010-06-16 lloyd [3 files, -5/+11]: Require all PK keys implement check_key. Add for ECC keys.
* 2010-06-16 lloyd [1 file, -3/+19]: Doxygen comments
* 2010-06-15 lloyd [2 files, -4/+9]: Use Doxygen deprecation warnings
* 2010-06-15 lloyd [12 files, -18/+75]: More Doxygen updates/fixes
* 2010-06-15 lloyd [7 files, -15/+19]: Fix a few hundred Doxygen warnings
* 2010-06-15 lloyd [6 files, -108/+122]: New BER encoding funcs for PKCS and X.509. Remove Private_Key dep here
* 2010-06-15 lloyd [1 file, -7/+1]: Simplify PKCS8::copy_key
* 2010-06-14 lloyd [3 files, -21/+19]: Some PKCS #8 simplifications
* 2010-06-11 lloyd [1 file, -0/+6]: Add typedefs for the named EME encryptor/decryptor classes so code
  using the 1.8 names continues to work.
* 2010-05-28 lloyd [1 file, -19/+20]: If you didn't specify a qbits for the DSA kosherizer, then it would
  choose 256 bits unless the pbits was exactly 1024. That would mean that for
  pbits = 512/768, the FIPS 186-3 size check would fail and it wouldn't work.
  Pointed out by Rickard Bellgrim.
* 2010-04-20 lloyd [1 file, -3/+10]: Expose public_value() in ECDH public key
* 2010-04-19 lloyd [2 files, -6/+16]: In the string constructor of EC_Domain_Params, check if the PEM decoding
  failed. If so, assume the input string was an OID and try that.
* 2010-03-21 lloyd [1 file, -10/+10]: Move class decls together
* 2010-03-21 lloyd [4 files, -5/+3]: Move where pk_ops is included, remove rng.h from dl_algo.h
* 2010-03-21 lloyd [9 files, -112/+75]: KeyPair::check_key's behavior of throwing an exception upon failure was
  not useful; in all cases, we immediately caught it and then returned false.
  Modify as follows:
  - Create the pubkey objects inside the checking code, so calling code
    doesn't need to do it.
  - Return true/false for pass/fail
  Also add consistency checking for ECDSA keys
* 2010-03-19 lloyd [4 files, -42/+12]: Replace PointGFp::check_invaraints, which would either return silently
  or throw an exception, with PointGFp::on_the_curve, which returns a bool.
  Update callers. This showed several cases where check_invaraints was being
  called multiple times, for instance when decoding a point with OS2ECP,
  check_invaraints was called; many callers of OS2ECP would then call
  check_invaraints again on the same object.
* 2010-03-19 lloyd [4 files, -43/+12]: Add a couple of new helper functions to BER_Decoder:
  decode_and_check takes an expected value; if the decoded value does not
  match, a Decoding_Error with a specified string is thrown. Useful for
  checking embedded version codes.
  decode_octet_string_bigint is for decoding INTEGER values that are stored
  as OCTET STRINGs. Totally obnoxious and useless, but common especially in
  the ECC standards.
* 2010-03-19 lloyd [1 file, -1/+1]: A number of changes to primality tests:
  Use 64 bit nonces in the Miller-Rabin test, instead of 40 bits.
  Rename check_prime to quick_check_prime and is_prime to check_prime
  Remove some internal functions which weren't used outside the primality
  test code, along with the prime products table.
  For quick checking, instead of doing Miller-Rabin with fixed base 2, do a
  small number of randomized tests. Always use random bases instead of the
  first n primes.
* 2010-03-19 lloyd [5 files, -37/+6]: There are some nasty API problems that are caused by having to pass a
  PRNG everywhere. The removal of the global PRNG was generated by a desire to
  remove the global library state entirely. However the real point of this was
  to remove the use of globally visible _mutable_ state; of the mutable state,
  the PRNG is probably the least important, and the most useful to share. And
  it seems unlikely that thread contention would be a major issue in the PRNG.
  Add back a global PRNG to Library_State. Use lazy initialization, so apps
  that don't ever use a PRNG don't need a seeding step. Then have
  AutoSeeded_RNG call that global PRNG.
  Offer once again RandomNumberGenerator& Library_State::global_rng(); which
  returns a reference to the global PRNG. This RNG object serializes access to
  itself with a mutex.
  Remove the hack known as Blinding::choose_nonce, replace with using the
  global PRNG to choose a blinding nonce
* 2010-03-19 lloyd [1 file, -3/+3]: Don't call get_eme or get_kdf with name "Raw" (returns NULL); ideally
  would like to replace these functions with generic engine code instead of
  hardcoded lookup, and NULL return value would be impossible to
  disambiguate.
* 2010-03-16 lloyd [1 file, -3/+16]: Add a couple of verification tests for GOST 34.10
  Generating the test vectors found yet another inane (and, of course,
  undocumented) behavior in the GOST implementation included in OpenSSL; it
  treats the hash inputs as little endian. Just out of curiosity, I checked
  RFC 5832, which supposedly specifies this algorithm; not a peep about endian
  conversions. The more I deal with standards coming out of the CryptoPro
  people, the less confidence I have in them.
* 2010-03-13 lloyd [1 file, -2/+0]: Remove stdio include
* 2010-03-13 lloyd [1 file, -3/+0]: Remove iostream/stdio includes
* 2010-03-13 lloyd [1 file, -6/+25]: Fix GOST 34.10 pub key loading (uses little endian format, what the fsck?)
* 2010-03-13 lloyd [2 files, -4/+4]: Fix GOST, wasn't getting found in engine
* 2010-03-13 lloyd [2 files, -6/+8]: Use a Modular_Reducer in ECDSA op
* 2010-03-13 lloyd [2 files, -6/+17]: Give PK_Signer users the option of disabling fault protection
* 2010-03-09 lloyd [2 files, -18/+24]: DSA and NR require certain parameters (which depend on the randomly
  chosen nonce) not be 0. Previously it would just check and throw an
  exception if this was the case. Change to generate a new nonce and retry if
  this happens.
* 2010-03-09 lloyd [1 file, -5/+0]: Remove decls of removed RSA encrypt/decrypt
* 2010-03-09 lloyd [2 files, -2/+2]: Oops. Secret nonce/seed for blinding for DH and ElGamal was 2^x mod p.
  However if the group generator is 2, that's precisely the public key, which
  is hardly secret at all. Instead use y^x mod p, which while a little dubious
  in terms of mathematical structure is probably OK after being hashed through
  SHA-512 with some high resolution timestamps.
* 2010-03-09 lloyd [1 file, -1/+1]: De-name unused rng arg
* 2010-03-09 lloyd [19 files, -101/+59]: Deconstify PK_Ops. It's quite reasonable that some op will want to
  precompute only as needed, or will want to access some other expensive
  resource or etc.
  Change how the secret for generating blinding is done in cases where a PRNG
  isn't available. Use the operations public op to hide the secret, for
  instance the seed for a DH blinding variable is 2^x mod p.
  Make use of being able to mutate internal structures in the RW signer, since
  that does have access to a PRNG, so use it to initialize the blinder on
  first call to sign().
* 2010-03-09 lloyd [2 files, -3/+8]: Add back RSA consistency checking (decrypt only)
* 2010-03-09 lloyd [2 files, -8/+52]: Have PK_Signer check the validity of all signatures before releasing.
  Should help against many forms of fault attacks.