| Commit message | Author | Age | Files | Lines |

using the 1.8 names continues to work.
|
choose 256 bits unless the pbits was exactly 1024. That would mean that
for pbits = 512/768, the FIPS 186-3 size check would fail and it
wouldn't work. Pointed out by Rickard Bellgrim.
|
failed. If so, assume the input string was an OID and try that.
|
not useful; in all cases, we immediately caught it and then returned
false.
Modify as follows:
- Create the pubkey objects inside the checking code, so calling code
doesn't need to do it.
- Return true/false for pass/fail
Also add consistency checking for ECDSA keys
|
or throw an exception, with PointGFp::on_the_curve, which returns a bool.
Update callers.
This showed several cases where check_invariants was being called
multiple times, for instance when decoding a point with OS2ECP,
check_invariants was called; many callers of OS2ECP would then call
check_invariants again on the same object.
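
The two changes above (a bool-returning on_the_curve check done once at decode time, and a key consistency check that returns pass/fail instead of throwing) are easy to get wrong at the encoding boundary. The following is an added Python example, not Botan's own code: a small affine short-Weierstrass implementation over secp256k1 (domain parameters as published in SEC 2) with an OS2ECP that validates the decoded point exactly once, so callers never need a second check, and a check_key that returns a bool. The names Point, OS2ECP, EC2OSP, decodes_ok, check_key and new_keypair are this example's own, chosen to mirror the commit message; the scalar multiplication is not constant time and is for illustration only.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# secp256k1 domain parameters (SEC 2); a realistic, well-known curve for the demo.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A = 0
B = 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
FIELD_BYTES = 32


@dataclass(frozen=True)
class Point:
    x: Optional[int]   # None encodes the point at infinity
    y: Optional[int]

    def is_zero(self) -> bool:
        return self.x is None

    def on_the_curve(self) -> bool:
        """bool replacement for a throwing check_invariants: True iff the
        coordinates are reduced and satisfy y^2 = x^3 + ax + b (mod p)."""
        if self.is_zero():
            return True
        if not (0 <= self.x < P and 0 <= self.y < P):
            return False
        return (self.y * self.y - (self.x ** 3 + A * self.x + B)) % P == 0


INF = Point(None, None)
G = Point(GX, GY)


def add(p1: Point, p2: Point) -> Point:
    """Affine addition; handles identity, doubling and p2 == -p1."""
    if p1.is_zero():
        return p2
    if p2.is_zero():
        return p1
    if p1.x == p2.x:
        if (p1.y + p2.y) % P == 0:
            return INF
        lam = (3 * p1.x * p1.x + A) * pow(2 * p1.y, -1, P) % P
    else:
        lam = (p2.y - p1.y) * pow((p2.x - p1.x) % P, -1, P) % P
    x3 = (lam * lam - p1.x - p2.x) % P
    return Point(x3, (lam * (p1.x - x3) - p1.y) % P)


def mul(k: int, pt: Point) -> Point:
    """Double-and-add scalar multiplication (not constant time)."""
    acc, addend = INF, pt
    while k > 0:
        if k & 1:
            acc = add(acc, addend)
        addend = add(addend, addend)
        k >>= 1
    return acc


def EC2OSP(pt: Point) -> bytes:
    """SEC 1 uncompressed encoding: 0x04 || X || Y."""
    if pt.is_zero():
        raise ValueError("cannot encode the point at infinity")
    return b"\x04" + pt.x.to_bytes(FIELD_BYTES, "big") + pt.y.to_bytes(FIELD_BYTES, "big")


def OS2ECP(octets: bytes) -> Point:
    """Decode an uncompressed point and validate it exactly once; the returned
    point is known to be on the curve, so callers do not check again."""
    if len(octets) != 1 + 2 * FIELD_BYTES or octets[0] != 0x04:
        raise ValueError("unsupported or malformed point encoding")
    pt = Point(int.from_bytes(octets[1:1 + FIELD_BYTES], "big"),
               int.from_bytes(octets[1 + FIELD_BYTES:], "big"))
    if not pt.on_the_curve():
        raise ValueError("decoded point is not on the curve")
    return pt


def decodes_ok(octets: bytes) -> bool:
    """Pass/fail wrapper around OS2ECP."""
    try:
        OS2ECP(octets)
        return True
    except ValueError:
        return False


def check_key(private_scalar: Optional[int], public_point: Point, strong: bool = True) -> bool:
    """Consistency check returning True/False instead of throwing. Cheap checks
    (on-curve, correct subgroup, scalar range) always run; the strong check
    recomputes the public point from the private scalar."""
    if public_point.is_zero() or not public_point.on_the_curve():
        return False
    if mul(N, public_point) != INF:   # secp256k1 has cofactor 1
        return False
    if private_scalar is None:        # public-key-only object
        return True
    if not (1 <= private_scalar < N):
        return False
    return (not strong) or mul(private_scalar, G) == public_point


def new_keypair(rng=secrets.randbelow):
    d = 1 + rng(N - 1)                # uniform in [1, N-1]
    return d, mul(d, G)
```

The strong=False path is what a verifier would run on an untrusted public key; the strong path is the owner's self-check after loading a private key, and it is the one that catches a public point that is on the curve but simply does not belong to the private scalar.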
|
decode_and_check takes an expected value; if the decoded value does
not match, a Decoding_Error with a specified string is thrown. Useful
for checking embedded version codes.
decode_octet_string_bigint is for decoding INTEGER values that are
stored as OCTET STRINGs. Totally obnoxious and useless, but common
especially in the ECC standards.
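
Both helpers are short but easy to get subtly wrong (two's-complement sign handling, DER minimal-length rules, trailing data). The following is an added Python sketch, not Botan's BER_Decoder, of what a decode_and_check / decode_octet_string_bigint pair looks like over a minimal DER reader. The helper names read_tlv, decode_integer, parse_key_blob and parse_result are this example's own, and the sample blobs are constructed for it: SEQUENCE { INTEGER version, OCTET STRING secret }, the shape SEC 1 uses for ECPrivateKey, where the secret is exactly an INTEGER stored as an OCTET STRING.

```python
class Decoding_Error(Exception):
    """Raised for malformed input or an unexpected embedded value."""


TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_SEQUENCE = 0x30


def read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at buf[pos] -> (tag, value, next_pos).
    Single-byte tags only; long-form lengths must be minimal, as DER requires."""
    if pos + 2 > len(buf):
        raise Decoding_Error("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise Decoding_Error("bad length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
        if length < 0x80 or buf[pos - nbytes] == 0:
            raise Decoding_Error("non-minimal length encoding")
    if pos + length > len(buf):
        raise Decoding_Error("truncated value")
    return tag, buf[pos:pos + length], pos + length


def decode_integer(value: bytes) -> int:
    """INTEGER contents are two's complement: a set high bit means negative,
    which is why a positive 0xDEADBEEF needs a leading 0x00 as an INTEGER."""
    if not value:
        raise Decoding_Error("empty INTEGER")
    if len(value) > 1 and ((value[0] == 0x00 and not value[1] & 0x80) or
                           (value[0] == 0xFF and value[1] & 0x80)):
        raise Decoding_Error("non-minimal INTEGER")
    return int.from_bytes(value, "big", signed=True)


def decode_and_check(buf: bytes, pos: int, expected: int, error_msg: str) -> int:
    """Decode an INTEGER and require it to equal `expected`, otherwise raise
    Decoding_Error(error_msg). Returns the position after the element."""
    tag, value, pos = read_tlv(buf, pos)
    if tag != TAG_INTEGER:
        raise Decoding_Error("expected INTEGER, got tag 0x%02X" % tag)
    if decode_integer(value) != expected:
        raise Decoding_Error(error_msg)
    return pos


def decode_octet_string_bigint(buf: bytes, pos: int):
    """Decode an OCTET STRING holding an unsigned big-endian integer.
    Unlike INTEGER there is no sign bit and no leading-zero rule."""
    tag, value, pos = read_tlv(buf, pos)
    if tag != TAG_OCTET_STRING:
        raise Decoding_Error("expected OCTET STRING, got tag 0x%02X" % tag)
    return int.from_bytes(value, "big"), pos


def parse_key_blob(der: bytes, expected_version: int = 1) -> int:
    """SEQUENCE { INTEGER version, OCTET STRING secret } -> secret as an int."""
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise Decoding_Error("expected SEQUENCE")
    if end != len(der):
        raise Decoding_Error("trailing data after SEQUENCE")
    pos = decode_and_check(body, 0, expected_version, "Unknown version code in key blob")
    secret, pos = decode_octet_string_bigint(body, pos)
    if pos != len(body):
        raise Decoding_Error("trailing data inside SEQUENCE")
    return secret


def parse_result(der: bytes):
    """(True, secret) on success, (False, message) on Decoding_Error."""
    try:
        return True, parse_key_blob(der)
    except Decoding_Error as e:
        return False, str(e)


# Constructed sample inputs for the example (not taken from any real key).
GOOD_BLOB = bytes.fromhex("3009" "020101" "0404DEADBEEF")
WRONG_VERSION = bytes.fromhex("3009" "020102" "0404DEADBEEF")
TRAILING = GOOD_BLOB + b"\x00"
```

Note the asymmetry the commit message complains about: the same four bytes DE AD BE EF decode to a negative number as an INTEGER but to 0xDEADBEEF as an OCTET STRING, so the two helpers cannot be interchanged.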
|
Use 64 bit nonces in the Miller-Rabin test, instead of 40 bits.
Rename check_prime to quick_check_prime and is_prime to check_prime
Remove some internal functions which weren't used outside the
primality test code, along with the prime products table.
For quick checking, instead of doing Miller-Rabin with fixed base 2,
do a small number of randomized tests.
Always use random bases instead of the first n primes.
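
The move from a fixed base 2 (or the first n primes) to random bases matters because there are composites that pass Miller-Rabin for every small fixed base. The following is an added Python example, not Botan's numbertheory code, with function names chosen to mirror the commit message: the witness test, a quick check with a few randomized rounds, a full check with enough rounds for a 2^-80 error bound, and a fixed-base variant kept only to show what it misses. It goes slightly beyond the commit in one respect: instead of 64-bit nonces it draws each base uniformly from [2, n-2], the textbook choice, which keeps the code short.

```python
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_witness(n: int, a: int) -> bool:
    """True if base a proves n composite. With n-1 = 2^s * d, n survives
    base a iff a^d == 1 or a^(2^r * d) == -1 for some 0 <= r < s."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x == 1 or x == n - 1:
        return False
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return False
    return True


def random_base(n: int, rng) -> int:
    """Uniform base in [2, n-2]; rng(k) must return a uniform int in [0, k)."""
    return 2 + rng(n - 3)


def miller_rabin(n: int, rounds: int, rng=secrets.randbelow) -> bool:
    """Trial division by small primes, then `rounds` random-base tests.
    A composite survives each round with probability at most 1/4."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n == p:
            return True
        if n % p == 0:
            return False
    for _ in range(rounds):
        if is_witness(n, random_base(n, rng)):
            return False
    return True


def quick_check_prime(n: int) -> bool:
    """Cheap filter for candidate generation: a few randomized rounds
    rather than one fixed-base round."""
    return miller_rabin(n, rounds=4)


def check_prime(n: int) -> bool:
    """Full check: 40 rounds bounds the error at 4^-40 = 2^-80 for any composite."""
    return miller_rabin(n, rounds=40)


def fixed_base_check(n: int, bases=(2,)) -> bool:
    """Miller-Rabin with fixed bases only, as the old code effectively did.
    Kept for contrast with the pseudoprimes below; do not use."""
    if n < 2 or n in bases:
        return n >= 2
    return not any(is_witness(n, a) for a in bases if a < n)


# Published strong pseudoprimes: liars for the listed fixed bases.
PSP_BASE_2 = 2047                  # 23 * 89, strong pseudoprime to base 2
PSP_BASES_2_3_5_7 = 3215031751     # 151 * 751 * 28351, passes bases 2, 3, 5, 7
```

An attacker who can influence a candidate prime (for example a DSA or DH parameter supplied from outside) can pick one of these composites deliberately; random bases make that attack a lottery rather than a lookup.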
|
PRNG everywhere. The removal of the global PRNG was generated by a
desire to remove the global library state entirely. However the real
point of this was to remove the use of globally visible _mutable_
state; of the mutable state, the PRNG is probably the least important,
and the most useful to share. And it seems unlikely that thread
contention would be a major issue in the PRNG.
Add back a global PRNG to Library_State. Use lazy initialization, so
apps that don't ever use a PRNG don't need a seeding step. Then have
AutoSeeded_RNG call that global PRNG.
Offer once again
RandomNumberGenerator& Library_State::global_rng();
which returns a reference to the global PRNG.
This RNG object serializes access to itself with a mutex.
Remove the hack known as Blinding::choose_nonce, replace with using
the global PRNG to choose a blinding nonce
|
would like to replace these functions with generic engine code instead
of hardcoded lookup, and NULL return value would be impossible to
disambiguate.
|
Generating the test vectors found yet another inane (and, of course,
undocumented) behavior in the GOST implementation included in OpenSSL;
it treats the hash inputs as little endian. Just out of curiosity, I
checked RFC 5832, which supposedly specifies this algorithm; not a
peep about endian conversions.
The more I deal with standards coming out of the CryptoPro people, the
less confidence I have in them.
|
chosen nonce) not be 0. Previously it would just check and throw an
exception if this was the case. Change to generate a new nonce and
retry if this happens.
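
The two commits above (a lazily initialized, mutex-guarded global PRNG that AutoSeeded_RNG and the blinder draw from, and the rule that a zero blinding nonce is redrawn rather than reported with an exception) fit together in one piece of code. The following is an added Python example, not Botan's Blinder or Library_State: global_rng(), GlobalRNG, Blinder, rsa_sign_blinded and make_test_key are this example's own names, the RSA key is a constructed toy built from two public, well-known 30-bit primes, and the RNG is injectable so the zero-nonce retry can be exercised deterministically. It also redraws a nonce that shares a factor with n, which the commit message does not mention; that case is a stand-in for the same "retry instead of throw" policy.

```python
import secrets
import threading
from dataclasses import dataclass


class GlobalRNG:
    """Process-wide PRNG; every call is serialized by the object's own mutex,
    mirroring the design in the commit message."""

    def __init__(self):
        self._lock = threading.Lock()

    def random_below(self, n: int) -> int:
        with self._lock:
            return secrets.randbelow(n)   # OS entropy; assumed adequate here


_global_rng = None
_init_lock = threading.Lock()


def global_rng() -> GlobalRNG:
    """Lazy initialization: programs that never need randomness never seed,
    and the first caller wins the race under _init_lock."""
    global _global_rng
    with _init_lock:
        if _global_rng is None:
            _global_rng = GlobalRNG()
    return _global_rng


@dataclass(frozen=True)
class RSAKey:
    n: int
    e: int
    d: int


class Blinder:
    """Multiplicative blinding for RSA private-key operations:
    blind m -> m * k^e mod n, unblind s' -> s' * k^-1 mod n.
    A zero (or non-invertible) nonce is redrawn, not raised to the caller."""

    def __init__(self, n: int, e: int, rng):
        self.n, self.e = n, e
        self._rng = rng                  # rng(n) -> uniform int in [0, n)
        self.rejected_nonces = 0
        self._k, self._k_inv = self._new_nonce()

    def _new_nonce(self):
        while True:
            k = self._rng(self.n)
            if k == 0:                   # previously: throw; now: retry
                self.rejected_nonces += 1
                continue
            try:
                k_inv = pow(k, -1, self.n)
            except ValueError:           # gcd(k, n) != 1, astronomically rare
                self.rejected_nonces += 1
                continue
            return k, k_inv

    def blind(self, m: int) -> int:
        return m * pow(self._k, self.e, self.n) % self.n

    def unblind(self, s: int) -> int:
        out = s * self._k_inv % self.n
        # Refresh by squaring: a new nonce per operation without a new
        # inversion, and k^2 is still a unit mod n.
        self._k = self._k * self._k % self.n
        self._k_inv = self._k_inv * self._k_inv % self.n
        return out


def rsa_sign_blinded(m: int, key: RSAKey, blinder: Blinder) -> int:
    """Textbook RSA with blinding: (m * k^e)^d * k^-1 = m^d mod n."""
    return blinder.unblind(pow(blinder.blind(m), key.d, key.n))


def make_test_key() -> RSAKey:
    """Constructed toy key from two well-known 30-bit primes; far too small
    for real use, present only so the example runs offline."""
    p, q, e = 1000000007, 998244353, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return RSAKey(p * q, e, d)
```

In production the blinder would take its nonces from global_rng().random_below, as the last lines of the test below do; the scripted RNG exists only to make the retry path observable.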
|
However if the group generator is 2, that's precisely the public key,
which is hardly secret at all.
Instead use y^x mod p, which while a little dubious in terms of
mathematical structure is probably OK after being hashed through
SHA-512 with some high resolution timestamps.
|
precompute only as needed, or will want to access some other expensive
resource or etc.
Change how the secret for generating blinding is done in cases where a
PRNG isn't available. Use the operation's public op to hide the secret,
for instance the seed for a DH blinding variable is 2^x mod p.
Make use of being able to mutate internal structures in the RW signer,
since that does have access to a PRNG, so use it to initialize the
blinder on first call to sign().
|
Should help against many forms of fault attacks.
|
instead of each byte once...
|
There are multiple unsatisfactory elements to the current solution,
as compared to how blinding was previously done:
Firstly, blinding is only used in the baseline implementations; the code
using OpenSSL and GMP is not protected by blinding at all.
Secondly, at the point we need to set up blinding, there is no access
to a PRNG. Currently I am going with a quite nasty solution, of using
a private key parameter to seed a simple PRNG constructed as:
SHA-512(TS1 || private_key_param || public_key_param || TS2)
I really want to fix both of these elements but I'm not sure how to do
so easily.
|
PK_Encryptor_EME and PK_Decryptor_EME; the message recovery is somewhat
implicit in the recovery of the plaintext.
|
Remove use of look_pk from the source and examples, instead
instantiate classes directly.
|
convert look_pk to simple forwarders.
|
PK_Decrypting_Key, PK_Signing_Key, PK_Verifying_with_MR_Key, and
PK_Verifying_wo_MR_Key.
|
Note: blinding is not currently being used for RSA, RW, DH or ElGamal,
which used to have them. This should be added back before release.
|
Rename PK_Ops::KA_Operation to PK_Ops::Key_Agreement