From 74cf1686b727d9b41781df66f3f74d63b9c5cfe2 Mon Sep 17 00:00:00 2001
From: Jack Lloyd <jack@randombit.net>
Date: Wed, 16 Nov 2016 12:05:34 -0500
Subject: Add CECPQ1 TLS ciphersuites

Tested against BoringSSL (as client + server) and google.com (as client).

Fix a stupid crashing bug in NewHope's BoringSSL mode.

Remove unneeded error return from curve25519_donna - always returned 0.

Default policy prefers ChaChaPoly1305 over GCM and CECPQ1 over ECDH/DH, which
means the default no-extra-configuration ciphersuite (for Botan client speaking
to Botan server) is a ciphersuite which is both implemented in constant time
on all platforms and (hopefully) provides post quantum security. Good Things.
---
 src/lib/pubkey/newhope/newhope.cpp |  4 ++--
 src/lib/pubkey/newhope/newhope.h   | 31 ++++++++++++++++++++++++-------
 2 files changed, 26 insertions(+), 9 deletions(-)

(limited to 'src/lib/pubkey/newhope')

diff --git a/src/lib/pubkey/newhope/newhope.cpp b/src/lib/pubkey/newhope/newhope.cpp
index 356fd416e..77194207e 100644
--- a/src/lib/pubkey/newhope/newhope.cpp
+++ b/src/lib/pubkey/newhope/newhope.cpp
@@ -666,13 +666,13 @@ void gen_a(poly *a, const uint8_t *seed, Newhope_Mode mode)
 
    if(mode == Newhope_Mode::BoringSSL)
       {
-      xof = StreamCipher::create("CTR(AES-128)");
+      xof = StreamCipher::create_or_throw("CTR-BE(AES-128)");
       xof->set_key(seed, 16);
       xof->set_iv(seed + 16, 16);
       }
    else
       {
-      xof = StreamCipher::create("SHAKE-128");
+      xof = StreamCipher::create_or_throw("SHAKE-128");
       xof->set_key(seed, NEWHOPE_SEED_BYTES);
       }
 
diff --git a/src/lib/pubkey/newhope/newhope.h b/src/lib/pubkey/newhope/newhope.h
index 667f1c4cf..df18bc586 100644
--- a/src/lib/pubkey/newhope/newhope.h
+++ b/src/lib/pubkey/newhope/newhope.h
@@ -21,36 +21,53 @@ namespace Botan {
 * Currently pubkey.h does not support a 2-phase KEM scheme of
 * the sort NEWHOPE exports.
 */
-#define NEWHOPE_SENDABYTES 1824
-#define NEWHOPE_SENDBBYTES 2048
 
-typedef struct {
-  uint16_t coeffs[1024];
-} newhope_poly;
+// TODO: change to just a secure_vector
+class newhope_poly
+   {
+   public:
+      uint16_t coeffs[1024];
+      ~newhope_poly() { secure_scrub_memory(coeffs, sizeof(coeffs)); }
+   };
+
+enum Newhope_Params {
+   NEWHOPE_SENDABYTES = 1824,
+   NEWHOPE_SENDBBYTES = 2048,
+
+   NEWHOPE_OFFER_BYTES  = 1824,
+   NEWHOPE_ACCEPT_BYTES = 2048,
+   NEWHOPE_SHARED_KEY_BYTES = 32,
+
+   CECPQ1_OFFER_BYTES   = NEWHOPE_OFFER_BYTES + 32,
+   CECPQ1_ACCEPT_BYTES  = NEWHOPE_ACCEPT_BYTES + 32,
+   CECPQ1_SHARED_KEY_BYTES = NEWHOPE_SHARED_KEY_BYTES + 32
+};
 
 /**
 * This chooses the XOF + hash for NewHope
-
 * The official NewHope specification and reference implementation use
 * SHA-3 and SHAKE-128. BoringSSL instead uses SHA-256 and AES-128 in
-* CTR mode.
+* CTR mode. CECPQ1 (x25519+NewHope) always uses BoringSSL's mode
 */
 enum class Newhope_Mode {
    SHA3,
    BoringSSL
 };
 
+// offer
 void BOTAN_DLL newhope_keygen(uint8_t *send,
                               newhope_poly *sk,
                               RandomNumberGenerator& rng,
                               Newhope_Mode = Newhope_Mode::SHA3);
 
+// accept
 void BOTAN_DLL newhope_sharedb(uint8_t *sharedkey,
                                uint8_t *send,
                                const uint8_t *received,
                                RandomNumberGenerator& rng,
                                Newhope_Mode mode = Newhope_Mode::SHA3);
 
+// finish
 void BOTAN_DLL newhope_shareda(uint8_t *sharedkey,
                                const newhope_poly *ska,
                                const uint8_t *received,
-- 
cgit v1.2.3