path: root/src/regress/lib
Commit message | Author | Age | Files | Lines
* ec_asn1_test: change a comma to a full stop | tb | 2025-12-07 | 1 | -2/+2
* asn1complex: use ASN1_STRING_get0_data() instead of ASN1_STRING_data() | tb | 2025-12-07 | 1 | -4/+4
* check_complete: remove the BN_*FMT1 macros as well | tb | 2025-12-05 | 1 | -4/+1
* check_complete: adjust for BN_ macro removal | tb | 2025-12-05 | 1 | -5/+2
  pointed out by kenjiro
* bn_word.c: include bn_local.h in preparation for an upcoming change | tb | 2025-12-05 | 1 | -1/+3
* Hook up X25519MLKEM768 to the TLS 1.3 handshake | beck | 2025-12-04 | 1 | -27/+333
  This does the following:
  1) Adds a second key share prediction to the TLS 1.3 handshake. We only add one as we are unlikely to want to send more than one PQ one, and one classical one and are unlikely to waste bytes on a second PQ algorithm (anything that wants something else that we support can HRR to get it)
  2) Adds X25519MLKEM768 (4588) to our list of supported groups. We add this to our preferred client and server key shares for TLS 1.3 and we now have a separate list for TLS 1.2 which does not do this, cleaning up the old "full list" from the comments.
  3) Updates the golden magic numbers in the regression tests to allow for the above two things changing the handshake, so the regress tests pass.
  With this you can successfully hybrid PQ with servers and clients that support it.
  ok tb@ kenjiro@
* Add a MLKEM768_X25519 hybrid key share. | beck | 2025-12-04 | 1 | -5/+5
  This implements the currently in use MLKEM768_X25519 hybrid key share as outlined in https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/
  This commit does not yet wire this up to anything, that is done in follow on changes.
  ok tb@ jsing@ kenjiro@
* bn_test: avoid last use of BN_HEX_FMT1 in libressl | tb | 2025-11-15 | 1 | -2/+4
* bn_test: remove dead code | tb | 2025-11-15 | 1 | -12/+1
  We haven't defined SIXTY_FOUR_BITS in a long time, if ever. The last #undef SIXTY_FOUR_BITS were removed when we cleaned up opensslconf.h. Code behind #ifdef SIXTY_FOUR_BITS is therefore dead.
* Let this compile on m88k. | miod | 2025-11-06 | 1 | -1/+3
* Avoid the use of _LP64 in libcrypto regress. | jsing | 2025-11-05 | 1 | -2/+2
  What the tests actually care about is the size of a BN_ULONG, hence condition on BN_BYTES instead.
  Discussed with tb@
* Needs <sys/param.h> for hppa. | miod | 2025-10-31 | 1 | -3/+3
* This test takes *days* to complete on older platforms, reduce the loop count | miod | 2025-10-26 | 1 | -2/+8
  for them.
* Add some regress coverage for SSL_SESSION_dup() | tb | 2025-10-24 | 1 | -2/+22
  ok kenjiro
* The ssl_verify_param.c test can now link dynamically against libcrypto | tb | 2025-10-24 | 1 | -3/+1
* Use X509_VERIFY_PARAM_get_hostflags() prototype from x509_vfy.h | tb | 2025-10-24 | 1 | -3/+2
* Give this test a chance to pass on 32-bit platforms. | miod | 2025-10-20 | 1 | -1/+2
* const correct X509_VERIFY_PARAM_get_hostflags() | tb | 2025-10-10 | 1 | -2/+2
  This is currently an internal helper only used by a regress test. We'll have to expose in the public API for Python 3.14: https://github.com/libressl/portable/issues/1202
* Revert previous. Let's deal with it when the portable release is out. | tb | 2025-10-07 | 1 | -7/+3
* test framework: allow overriding the "/tmp/" directory | tb | 2025-10-07 | 1 | -3/+7
  Windows is super picky when it comes to paths, so it needs some special massaging. Will let us avoid a patch or hack in portable.
* ec_asn1_test: add an example using BLS12-377 | tb | 2025-09-17 | 1 | -1/+80
  This exercises the cofactor guessing code with a large cofactor. Thanks to Daniel Bleichenbacher for pointing out this example. This contains a hack to use a bogus OID since this curve has none.
* wycheproof: provide PBKDF2 test harness | tb | 2025-09-16 | 1 | -2/+58
  Skip the tests for now since they increase the test's runtime by ~50%. A later commit will gate these tests behind REGRESS_SKIP_SLOW.
* wycheproof: run HMACSM3 tests against libcrypto | tb | 2025-09-15 | 1 | -4/+7
* wycheproof: run ML-KEM test vectors against libcrypto | tb | 2025-09-14 | 1 | -2/+139
* wycheproof: zap stray empty line | tb | 2025-09-09 | 1 | -2/+1
* wycheproof: rework test selection | tb | 2025-09-08 | 1 | -69/+82
  Since this has grown organically, the test selection has become a weird mix of globs, regexes and test variants and it is hard to reason about what is run and why. Instead, load all the json files from testvectors_v1/ and look at algorithm (almost always available) and test schema to figure out if we support it in libcrypto and the test harness. This separates the logic of the test runner better from the test selection. Also make it a fatal error if we don't explicitly skip an unknown algorithm.
* wycheproof: skip tests using curve448/edwards448 | tb | 2025-09-08 | 1 | -7/+12
* wycheproof: skip tests using SHAKE-128 and SHAKE-256 | tb | 2025-09-08 | 1 | -1/+17
* wycheproof: rename skipSmallCurve() into skipCurve() | tb | 2025-09-08 | 1 | -4/+6
  This prepares an upcoming change by not only skipping small curves but also binary curves that have test vectors.
* wycheproof: determine the test variant from the JSON schema | tb | 2025-09-08 | 1 | -30/+41
* wycheproof: retire the ECDSA webcrypto tests | tb | 2025-09-07 | 1 | -71/+2
  The webcrypto test files for P-256, P-384, and P-521 are identical to the P1363 test files for these curves with the hashes SHA-256, SHA-384, and SHA-512, respectively. The only real differences in the test paths is the Go glue code to translate to libcrypto, so they're pointless.
* wycheproof: go fmt | tb | 2025-09-06 | 1 | -4/+4
* wycheproof: use a cleaner way of dealing with P1363 signature length | tb | 2025-09-06 | 1 | -4/+12
* wycheproof: check for the v1 directory since v0 will go away | tb | 2025-09-05 | 1 | -2/+2
* wycheproof: port the MI primes check to v1 | tb | 2025-09-05 | 2 | -3/+24
* wycheproof: remove support for v0 test vectors | tb | 2025-09-05 | 1 | -68/+38
* wycheproof: drop JOSE tests | tb | 2025-09-05 | 1 | -2/+1
  These are no longer supported in v1 and we skipped them anyway.
* wycheproof: move AES key wrap tests to v1 | tb | 2025-09-05 | 1 | -4/+4
* wycheproof: add support for EcCurve tests | tb | 2025-09-05 | 1 | -1/+103
  This checks for a collection of prime order groups (secp, Brainpool, FRP) the curve parameters are correct. The collection is a superset of our built-in curves, so we get one more validation for essentially free.
* wycheproof: add custom JSON unmarshaler for big integers | tb | 2025-09-05 | 1 | -9/+58
  Since the wycheproof tests were written in Java, they inherited some of that language's weirdnesses. For example, the hex representation may have odd length, is 2-complement and needs zero-padding if the top bit of a nibble is set, similar to ASN.1 integers. This is needed for correctly decoding the Primality test cases, which worked nicely in v0 but no longer for v1. Convert the Primality test to use this.
* wycheproof: make RSA tests work | tb | 2025-09-05 | 1 | -43/+79
  There's more work needed here since some of the tests are designed to test the signing side of things, where we only verify. To be dealt with later.
* wycheproof: move ECDSA tests to v1 | tb | 2025-09-05 | 1 | -14/+15
  This excludes the bitcoin tests since our ECDSA_verify() doesn't have the logic to enforce s < order / 2 to avoid the well-known malleability issue with secp256k1 that (r, s) is valid if and only if (r, order - s) is valid.
  Moreover, add a workaround for overly picky P1363 tests where only correctly padded P1363 signatures are accepted. As the test authors say "To our knowledge no standard (i.e., IEEE P1363 or RFC 7515) requires any explicit checks of the signature size during signature verification." In fact, the problem really is in the test code, not in libcrypto and is a bit annoying to fix in a non-silly way.
* wycheproof: move ECDH tests to v1 (skip PEM for now) | tb | 2025-09-05 | 1 | -6/+5
* wycheproof: move AES to v1 and explicitly skip gmac test | tb | 2025-09-05 | 1 | -3/+3
* wycheproof: go fmt | tb | 2025-09-04 | 1 | -6/+6
* wycheproof: move HKDF to v1 | tb | 2025-09-04 | 1 | -2/+2
* wycheproof: move EdDSA to v1 | tb | 2025-09-04 | 1 | -7/+7
  eddsa_test.json is now ed25519_test.json and again key* was renamed to PublicKey*.
* wycheproof: move DSA to v1 | tb | 2025-09-04 | 1 | -6/+6
  key* are now called PublicKey*, so change the json tags accordingly.
* wycheproof: move x25519 to v1 | tb | 2025-09-04 | 1 | -5/+5
* wycheproof: migrate {,X}ChaCha20-Poly1305 to v1 | tb | 2025-09-04 | 1 | -3/+3