| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
|
|
|
| |
with a new k.
|
|
|
|
|
|
|
| |
the requested bitsize, simply repeat instead of failing
immediately. The condition could actually occur in practice if a prime
that was on the very low end of the specified range was chosen (eg q
happened to be chosen as 10000...001).
|
| |
|
| |
|
| |
|
|
|
|
| |
MemoryRegions and concatenated them.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Add RandomNumberGenerator::random_vec, which takes an length n and
returns a new SecureVector with randomized contents of that size. This
nicely covers most of the cases where randomize was being called on a
vector, and is a little cleaner in the code as well, instead of
vec.resize(length);
rng.randomize(&vec[0], vec.size());
we just write
vec = rng.random_vec(length);
|
| |
|
|
|
|
|
|
|
|
|
|
| |
algorithm had changed to AES-256. This was wrong, it actually changed
to AES-128. However in retrospect AES-256 is probably a reasonable
move (in particular for the 4 extra rounds; the related key attacks
possible against AES-256 are probably not viable since we generate the
key using PBKDF2), so update the 1.9.4 changelog to correctly indicate
the change made in that release, and also modify PKCS #8 to actually
use AES-256.
|
|
|
|
| |
BOTAN_DLL
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
using the 1.8 names continues to work.
|
|
|
|
|
|
| |
choose 256 bits unless the pbits was exactly 1024. That would mean you
for pbits = 512/768, the FIPS 186-3 size check would fail and it
wouldn't work. Pointed out by Rickard Bellgrim.
|
| |
|
|
|
|
| |
failed. If so, assume the input string was an OID and try that.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
not useful; in all cases, we immediately caught it and then returned
false.
Modify as follows:
- Create the pubkey objects inside the checking code, so calling code
doesn't need to do it.
- Return true/false for pass/fail
Also add consistency checking for ECDSA keys
|
|
|
|
|
|
|
|
|
|
|
| |
or throw an exception, with PointGFp::on_the_curve, which returns a bool.
Update callers.
This showed several cases where check_invaraints was being called
multiple times, for instance when decoding a point with OS2ECP,
check_invaraints was called; many callers of OS2ECP would then call
check_invaraints again on the same object.
|
|
|
|
|
|
|
|
|
|
| |
decode_and_check takes an expected value; if the decoded value does
not match, a Decoding_Error with a specified string is thrown. Useful
for checking embedded version codes.
decode_octet_string_bigint is for decoding INTEGER values that are
stored as OCTET STRINGs. Totally obnoxious and useless, but common
especially in the ECC standards.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use 64 bit nonces in the Miller-Rabin test, instead of 40 bits.
Rename check_prime to quick_check_prime and is_prime to check_prime
Remove some internal functions which weren't used outside the
primality test code, along with the prime products table.
For quick checking, instead of doing Miller-Rabin with fixed base 2,
do a small number of randomized tests.
Always use random bases instead of the first n primes.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
PRNG everywhere. The removal of the global PRNG was generated by a
desire to remove the global library state entirely. However the real
point of this was to remove the use of globally visible _mutable_
state; of the mutable state, the PRNG is probably the least important,
and the most useful to share. And it seems unlikely that thread
contention would be a major issue in the PRNG.
Add back a global PRNG to Library_State. Use lazy initialization, so
apps that don't ever use a PRNG don't need a seeding step. Then have
AutoSeeded_RNG call that global PRNG.
Offer once again
RandomNumberGenerator& Library_State::global_rng();
which returns a reference to the global PRNG.
This RNG object serializes access to itself with a mutex.
Remove the hack known as Blinding::choose_nonce, replace with using
the global PRNG to choose a blinding nonce
|
|
|
|
|
|
| |
would like to replace these functions with generic engine code instead
of hardcoded lookup, and NULL return value would be impossible to
disambiguate.
|
|
|
|
|
|
|
|
|
|
|
| |
Generating the test vectors found yet another inane (and, of course,
undocumented) behavior in the GOST implementation included in OpenSSL;
it treats the hash inputs as little endian. Just out of curiousity, I
checked RFC 5832, which supposedly specifies this algorithm; not a
peep about endian conversions.
The more I deal with standards coming out of the CryptoPro people, the
less confidence I have in them.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
choosen nonce) not be 0. Previously it would just check and throw an
exception if this was the case. Change to generate a new nonce and
retry if this happens.
|
| |
|
|
|
|
|
|
|
|
|
| |
However if the group generator is 2, that's precisely the public key,
which is hardly secret at all.
Instead use y^x mod p, which while a little dubious in terms of
mathematical structure is probably OK after being hashed through
SHA-512 with some high resolution timestamps.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
precompute only as needed, or will want to access some other expensive
resource or etc.
Change how the secret for generating blinding is done in cases where a
PRNG isn't available. Use the operations public op to hide the secret,
for instance the seed for a DH blinding variable is 2^x mod p.
Make use of being able to mutate internal structures in the RW signer,
since that does have access to a PRNG, so use it to initialize the
blinder on first call to sign().
|
| |
|
|
|
|
| |
Should help against many forms of fault attacks.
|