| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Self-generated vectors, just a basic smoke test right now.
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Provides conjectured 200-bit security against a quantum attacker.
Based on the public domain reference implementation at
https://github.com/tpoeppelmann/newhope and bit-for-bit
compatible with that version.
Test vectors generated by the reference testvector.c
|
| | |
|
|\ \ |
|
| |/
| |
| |
| | |
But not any ChaCha20 tests due to no long test inputs. Add one.
|
| | |
|
| | |
|
| |
| |
| |
| |
| | |
XTEA was also deprecated but has been spared, it does seem to be somewhat
common (eg, included in the Go x/crypto library)
|
|/
|
|
|
|
| |
If ommitted, assume an all zero input.
Remove some In = 0000... from test files.
|
|
|
|
|
| |
Use the group name instead of repeating 2048 bit prime N times.
Split up reporting by cipher type.
|
| |
|
| |
|
| |
|
| |
|
| |
|
|\ |
|
| |
| |
| |
| |
| |
| | |
- UCS-2 to ISO 8859-1
- UTF-8 to ISO 8859-1
- ISO 8859-1 to UTF-8
|
|/ |
|
|
|
|
|
|
|
| |
Avoids some cut and paste, also removes the need for special logic in
configure.py for handling mp module specially.
Merge SIMD classes into a single type SIMD_4x32
|
|
|
|
|
|
|
|
|
|
| |
- add one test with SHA-256,SHA-512
- test Parallel::clone()
- test Parallel ctor
- fix memory leak in Parallel::clone():
Currently Parallel::clone() calls hash->clone() (first heap allocation) and after this clone() calls
Parallel(const std::vector<HashFunction*>& in) which does another heap allocation. So its sufficient to pass the hash pointer to
the Parallel ctor instead of a clone
|
|\ |
|
| | |
|
|\ \
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Adds Stateful_RNG base class which handles reseeding after some
amount of output (configurable at instantiation time, defaults to
the build.h value) as well as detecting forks (just using pid
comparisons, so still vulnerable to pid wraparound). Implemented
by HMAC_RNG and HMAC_DRBG. I did not update X9.31 since its
underlying RNG should already be fork safe and handle reseeding
at the appropriate time, since a new block is taken from the
underlying RNG (for the datetime vector) for each block of
output.
Adds RNG::randomize_with_input which for most PRNGs is just a
call to add_entropy followed by randomize. However for HMAC_DRBG
it is used for additional input. Adds tests for HMAC_DRBG with AD
from the CAVS file.
RNG::add_entropy is implemented by System_RNG now, as both
CryptGenRandom and /dev/urandom support receiving application
provided data.
The AutoSeeded_RNG underlying type is currently selectable in
build.h and defaults to HMAC_DRBG(SHA-256). AutoSeeded_RNG
provides additional input with each output request, consisting of
the current pid, a counter, and timestamp (unless the application
explicitly calls randomize_with_input, in which case we just take
what they provided). This is the same hedge used in HMAC_RNGs
output PRF.
AutoSeeded_RNG is part of the base library now and cannot be
compiled out.
Removes Entropy_Accumulator type (which just served to bridge
between the RNG and the entropy source), instead the
Entropy_Source is passed a reference to the RNG being reseeded,
and it can call add_entropy on whatever it can come up with.
|
| | |
| | |
| | |
| | | |
Clean up test code
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add support and tests for additional_data param to HMAC_DRBG
Add Stateful_RNG class which has fork detection and periodic reseeding.
AutoSeeded_RNG passes the current pid and time as additional_data
|
| |/
|/|
| |
| |
| | |
Adds test vectors for RSA-KEM with KDF1 from ISO 18033-2 and
test vectors for KDF1 and KDF2 generated with BouncyCastle.
|
|\ \ |
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
With these fixes the implementation is now compatible with bouncycastle and it should operate
as it is specified in "DHIES: An encryption scheme based on Diffie-Hellman Problem" or in BSI
technical guideline TR-02102-1.
In addition to the already present XOR-encrypion/decryption mode it's now possible to use DLIES with a block cipher.
Previously the input to the KDF was the concatenation of the (ephemeral) public key
and the secret value derived by the key agreement operation:
```
secure_vector<byte> vz(m_my_key.begin(), m_my_key.end());
vz += m_ka.derive_key(0, m_other_key).bits_of();
const size_t K_LENGTH = length + m_mac_keylen;
secure_vector<byte> K = m_kdf->derive_key(K_LENGTH, vz);
```
I don't know why this was implemented like this. But now the input to the KDF is only the secret value obtained by the key agreement operation.
Furthermore the order of the output was changed from {public key, tag, ciphertext} to {public key, ciphertext, tag}.
Multiple test vectors added that were generated with bouncycastle and some with botan itself.
|
|/ |
|
|\ |
|
| |
| |
| |
| |
| |
| | |
Previously, CBC-CS3 only had tests with DES, but if DES
is not enabled in the module policy, then CBC-CS3 is not
tested at all.
|
|/
|
|
|
|
|
|
|
|
|
| |
Exports get_bc_pad() to be used from tests. Adds separate handcrafted
tests for block cipher padding modes. They were previously only tested
implicitly during the block cipher modes of operation tests, though not
all padding modes were covered. And in case a mode of operation is
not part of the enabled modules, the previously tested padding modes
are not covered at all. Fixes an off-by-one bug in the previously
untested ANSI X9.23 padding mode, where the number of zero bytes
in the pad was one more than allowed by the standard.
|
|\ |
|
| | |
|
|\ \ |
|
| |\ \ |
|
| | | | |
|
| | | | |
|
|\ \ \ \
| | | | |
| | | | |
| | | | | |
Also adds ChaCha8 support
|
| | |_|/
| |/| |
| | | |
| | | | |
adding ChaCha8 support
|
|\ \ \ \
| |/ / /
|/| | | |
|
| | | | |
|
| |/ / |
|
|\ \ \
| |_|/
|/| | |
|
| |/
| |
| |
| |
| |
| |
| | |
Adds support for probabilistic, aka the standard, DSA and ECDSA.
Can be enabled by disabling the rfc6979 module.
Includes test vectors from NIST CAVP.
Adds rfc6979 to the list of prohibited modules in BSI policy.
|
|/
|
|
|
|
|
|
|
| |
GCM is defined as having a 32-bit counter, but CTR_BE incremented the
counter across the entire block. This caused incorrect results if
a very large message (2**39 bits) was processed, or if the GHASH
derived nonce ended up having a counter field near to 2**32
Thanks to Juraj Somorovsky for the bug report and repro.
|
|\ |
|
| | |
|
|/ |
|