From ae227e65ab48b8747c80e1b336a3e6896e9e346e Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Wed, 16 Dec 2015 22:50:41 +0700 Subject: Validate CertificateVerify signature algorithm (TLS 1.2+) - check the algorithm is in the CertificateRequest list - add (D)TLS test scenarios for various failure modes --- crypto/src/crypto/tls/DeferredHash.cs | 2 +- crypto/src/crypto/tls/DtlsServerProtocol.cs | 23 ++++++++++------ crypto/src/crypto/tls/HashAlgorithm.cs | 28 +++++++++++++++++++ crypto/src/crypto/tls/TlsServerProtocol.cs | 17 ++++++++---- crypto/src/crypto/tls/TlsUtilities.cs | 42 ++++++++++++++++++++++++----- 5 files changed, 92 insertions(+), 20 deletions(-) (limited to 'crypto/src') diff --git a/crypto/src/crypto/tls/DeferredHash.cs b/crypto/src/crypto/tls/DeferredHash.cs index 1112d4a3c..f402f26d2 100644 --- a/crypto/src/crypto/tls/DeferredHash.cs +++ b/crypto/src/crypto/tls/DeferredHash.cs @@ -103,7 +103,7 @@ namespace Org.BouncyCastle.Crypto.Tls { IDigest d = (IDigest)mHashes[hashAlgorithm]; if (d == null) - throw new InvalidOperationException("HashAlgorithm " + hashAlgorithm + " is not being tracked"); + throw new InvalidOperationException("HashAlgorithm." + HashAlgorithm.GetText(hashAlgorithm) + " is not being tracked"); d = TlsUtilities.CloneHash(hashAlgorithm, d); if (mBuf != null) diff --git a/crypto/src/crypto/tls/DtlsServerProtocol.cs b/crypto/src/crypto/tls/DtlsServerProtocol.cs index 9c7caf290..e2e9eddfc 100644 --- a/crypto/src/crypto/tls/DtlsServerProtocol.cs +++ b/crypto/src/crypto/tls/DtlsServerProtocol.cs @@ -458,6 +458,9 @@ namespace Org.BouncyCastle.Crypto.Tls protected virtual void ProcessCertificateVerify(ServerHandshakeState state, byte[] body, TlsHandshakeHash prepareFinishHash) { + if (state.certificateRequest == null) + throw new InvalidOperationException(); + MemoryStream buf = new MemoryStream(body, false); TlsServerContextImpl context = state.serverContext; @@ -466,13 +469,15 @@ namespace Org.BouncyCastle.Crypto.Tls TlsProtocol.AssertEmpty(buf); // Verify the CertificateVerify message contains a correct signature. - bool verified = false; try { + SignatureAndHashAlgorithm signatureAlgorithm = clientCertificateVerify.Algorithm; + byte[] hash; if (TlsUtilities.IsTlsV12(context)) { - hash = prepareFinishHash.GetFinalHash(clientCertificateVerify.Algorithm.Hash); + TlsUtilities.VerifySupportedSignatureAlgorithm(state.certificateRequest.SupportedSignatureAlgorithms, signatureAlgorithm); + hash = prepareFinishHash.GetFinalHash(signatureAlgorithm.Hash); } else { @@ -485,15 +490,17 @@ namespace Org.BouncyCastle.Crypto.Tls TlsSigner tlsSigner = TlsUtilities.CreateTlsSigner((byte)state.clientCertificateType); tlsSigner.Init(context); - verified = tlsSigner.VerifyRawSignature(clientCertificateVerify.Algorithm, - clientCertificateVerify.Signature, publicKey, hash); + if (!tlsSigner.VerifyRawSignature(signatureAlgorithm, clientCertificateVerify.Signature, publicKey, hash)) + throw new TlsFatalAlert(AlertDescription.decrypt_error); } - catch (Exception) + catch (TlsFatalAlert e) { + throw e; + } + catch (Exception e) + { + throw new TlsFatalAlert(AlertDescription.decrypt_error, e); } - - if (!verified) - throw new TlsFatalAlert(AlertDescription.decrypt_error); } protected virtual void ProcessClientHello(ServerHandshakeState state, byte[] body) diff --git a/crypto/src/crypto/tls/HashAlgorithm.cs b/crypto/src/crypto/tls/HashAlgorithm.cs index ac6def26f..ff540d2e0 100644 --- a/crypto/src/crypto/tls/HashAlgorithm.cs +++ b/crypto/src/crypto/tls/HashAlgorithm.cs @@ -12,5 +12,33 @@ namespace Org.BouncyCastle.Crypto.Tls public const byte sha256 = 4; public const byte sha384 = 5; public const byte sha512 = 6; + + public static string GetName(byte hashAlgorithm) + { + switch (hashAlgorithm) + { + case none: + return "none"; + case md5: + return "md5"; + case sha1: + return "sha1"; + case sha224: + return "sha224"; + case sha256: + return "sha256"; + case sha384: + return "sha384"; + case sha512: + return "sha512"; + default: + return "UNKNOWN"; + } + } + + public static string GetText(byte hashAlgorithm) + { + return GetName(hashAlgorithm) + "(" + hashAlgorithm + ")"; + } } } diff --git a/crypto/src/crypto/tls/TlsServerProtocol.cs b/crypto/src/crypto/tls/TlsServerProtocol.cs index 4ab628b13..5716c0cd1 100644 --- a/crypto/src/crypto/tls/TlsServerProtocol.cs +++ b/crypto/src/crypto/tls/TlsServerProtocol.cs @@ -460,6 +460,9 @@ namespace Org.BouncyCastle.Crypto.Tls protected virtual void ReceiveCertificateVerifyMessage(MemoryStream buf) { + if (mCertificateRequest == null) + throw new InvalidOperationException(); + DigitallySigned clientCertificateVerify = DigitallySigned.Parse(Context, buf); AssertEmpty(buf); @@ -467,10 +470,13 @@ namespace Org.BouncyCastle.Crypto.Tls // Verify the CertificateVerify message contains a correct signature. try { + SignatureAndHashAlgorithm signatureAlgorithm = clientCertificateVerify.Algorithm; + byte[] hash; if (TlsUtilities.IsTlsV12(Context)) { - hash = mPrepareFinishHash.GetFinalHash(clientCertificateVerify.Algorithm.Hash); + TlsUtilities.VerifySupportedSignatureAlgorithm(mCertificateRequest.SupportedSignatureAlgorithms, signatureAlgorithm); + hash = mPrepareFinishHash.GetFinalHash(signatureAlgorithm.Hash); } else { @@ -483,11 +489,12 @@ namespace Org.BouncyCastle.Crypto.Tls TlsSigner tlsSigner = TlsUtilities.CreateTlsSigner((byte)mClientCertificateType); tlsSigner.Init(Context); - if (!tlsSigner.VerifyRawSignature(clientCertificateVerify.Algorithm, - clientCertificateVerify.Signature, publicKey, hash)) - { + if (!tlsSigner.VerifyRawSignature(signatureAlgorithm, clientCertificateVerify.Signature, publicKey, hash)) throw new TlsFatalAlert(AlertDescription.decrypt_error); - } + } + catch (TlsFatalAlert e) + { + throw e; } catch (Exception e) { diff --git a/crypto/src/crypto/tls/TlsUtilities.cs b/crypto/src/crypto/tls/TlsUtilities.cs index 26fb0d5e8..7d1d488d7 100644 --- a/crypto/src/crypto/tls/TlsUtilities.cs +++ b/crypto/src/crypto/tls/TlsUtilities.cs @@ -129,14 +129,24 @@ namespace Org.BouncyCastle.Crypto.Tls return context.ServerVersion.IsSsl; } + public static bool IsTlsV11(ProtocolVersion version) + { + return ProtocolVersion.TLSv11.IsEqualOrEarlierVersionOf(version.GetEquivalentTLSVersion()); + } + public static bool IsTlsV11(TlsContext context) { - return ProtocolVersion.TLSv11.IsEqualOrEarlierVersionOf(context.ServerVersion.GetEquivalentTLSVersion()); + return IsTlsV11(context.ServerVersion); + } + + public static bool IsTlsV12(ProtocolVersion version) + { + return ProtocolVersion.TLSv12.IsEqualOrEarlierVersionOf(version.GetEquivalentTLSVersion()); } public static bool IsTlsV12(TlsContext context) { - return ProtocolVersion.TLSv12.IsEqualOrEarlierVersionOf(context.ServerVersion.GetEquivalentTLSVersion()); + return IsTlsV12(context.ServerVersion); } public static void WriteUint8(byte i, Stream output) @@ -712,11 +722,10 @@ namespace Org.BouncyCastle.Crypto.Tls public static void EncodeSupportedSignatureAlgorithms(IList supportedSignatureAlgorithms, bool allowAnonymous, Stream output) { - if (supportedSignatureAlgorithms == null || supportedSignatureAlgorithms.Count < 1 - || supportedSignatureAlgorithms.Count >= (1 << 15)) - { + if (supportedSignatureAlgorithms == null) + throw new ArgumentNullException("supportedSignatureAlgorithms"); + if (supportedSignatureAlgorithms.Count < 1 || supportedSignatureAlgorithms.Count >= (1 << 15)) throw new ArgumentException("must have length from 1 to (2^15 - 1)", "supportedSignatureAlgorithms"); - } // supported_signature_algorithms int length = 2 * supportedSignatureAlgorithms.Count; @@ -762,6 +771,27 @@ namespace Org.BouncyCastle.Crypto.Tls return supportedSignatureAlgorithms; } + public static void VerifySupportedSignatureAlgorithm(IList supportedSignatureAlgorithms, SignatureAndHashAlgorithm signatureAlgorithm) + { + if (supportedSignatureAlgorithms == null) + throw new ArgumentNullException("supportedSignatureAlgorithms"); + if (supportedSignatureAlgorithms.Count < 1 || supportedSignatureAlgorithms.Count >= (1 << 15)) + throw new ArgumentException("must have length from 1 to (2^15 - 1)", "supportedSignatureAlgorithms"); + if (signatureAlgorithm == null) + throw new ArgumentNullException("signatureAlgorithm"); + + if (signatureAlgorithm.Signature != SignatureAlgorithm.anonymous) + { + foreach (SignatureAndHashAlgorithm entry in supportedSignatureAlgorithms) + { + if (entry.Hash == signatureAlgorithm.Hash && entry.Signature == signatureAlgorithm.Signature) + return; + } + } + + throw new TlsFatalAlert(AlertDescription.illegal_parameter); + } + public static byte[] PRF(TlsContext context, byte[] secret, string asciiLabel, byte[] seed, int size) { ProtocolVersion version = context.ServerVersion; -- cgit 1.5.1 From 1175209f51004a66b46ca92d14a9339e9e3e5972 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Wed, 16 Dec 2015 23:09:12 +0700 Subject: Validate ServerKeyExchange signature algorithm (TLS 1.2+) - check the algorithm is in signature_algorithms (or the implicit defaults if that extension was not sent) - add (D)TLS test scenarios to cover these checks --- crypto/src/crypto/tls/AbstractTlsKeyExchange.cs | 11 +++++++ crypto/src/crypto/tls/TlsDheKeyExchange.cs | 2 +- crypto/src/crypto/tls/TlsECDheKeyExchange.cs | 2 +- crypto/src/crypto/tls/TlsSrpKeyExchange.cs | 2 +- crypto/test/src/crypto/tls/test/DtlsTestSuite.cs | 34 ++++++++++++++++++++++ .../test/src/crypto/tls/test/TlsTestClientImpl.cs | 11 +++++++ crypto/test/src/crypto/tls/test/TlsTestConfig.cs | 11 +++++++ .../test/src/crypto/tls/test/TlsTestServerImpl.cs | 18 ++++++++++-- crypto/test/src/crypto/tls/test/TlsTestSuite.cs | 29 ++++++++++++++++++ 9 files changed, 114 insertions(+), 6 deletions(-) (limited to 'crypto/src') diff --git a/crypto/src/crypto/tls/AbstractTlsKeyExchange.cs b/crypto/src/crypto/tls/AbstractTlsKeyExchange.cs index c9ec06107..09fb8782d 100644 --- a/crypto/src/crypto/tls/AbstractTlsKeyExchange.cs +++ b/crypto/src/crypto/tls/AbstractTlsKeyExchange.cs @@ -18,6 +18,17 @@ namespace Org.BouncyCastle.Crypto.Tls this.mSupportedSignatureAlgorithms = supportedSignatureAlgorithms; } + protected virtual DigitallySigned ParseSignature(Stream input) + { + DigitallySigned signature = DigitallySigned.Parse(mContext, input); + SignatureAndHashAlgorithm signatureAlgorithm = signature.Algorithm; + if (signatureAlgorithm != null) + { + TlsUtilities.VerifySupportedSignatureAlgorithm(mSupportedSignatureAlgorithms, signatureAlgorithm); + } + return signature; + } + public virtual void Init(TlsContext context) { this.mContext = context; diff --git a/crypto/src/crypto/tls/TlsDheKeyExchange.cs b/crypto/src/crypto/tls/TlsDheKeyExchange.cs index 9831e8cd7..cdd629247 100644 --- a/crypto/src/crypto/tls/TlsDheKeyExchange.cs +++ b/crypto/src/crypto/tls/TlsDheKeyExchange.cs @@ -71,7 +71,7 @@ namespace Org.BouncyCastle.Crypto.Tls ServerDHParams dhParams = ServerDHParams.Parse(teeIn); - DigitallySigned signed_params = DigitallySigned.Parse(mContext, input); + DigitallySigned signed_params = ParseSignature(input); ISigner signer = InitVerifyer(mTlsSigner, signed_params.Algorithm, securityParameters); buf.UpdateSigner(signer); diff --git a/crypto/src/crypto/tls/TlsECDheKeyExchange.cs b/crypto/src/crypto/tls/TlsECDheKeyExchange.cs index b681aada3..e0553b3f0 100644 --- a/crypto/src/crypto/tls/TlsECDheKeyExchange.cs +++ b/crypto/src/crypto/tls/TlsECDheKeyExchange.cs @@ -73,7 +73,7 @@ namespace Org.BouncyCastle.Crypto.Tls byte[] point = TlsUtilities.ReadOpaque8(teeIn); - DigitallySigned signed_params = DigitallySigned.Parse(mContext, input); + DigitallySigned signed_params = ParseSignature(input); ISigner signer = InitVerifyer(mTlsSigner, signed_params.Algorithm, securityParameters); buf.UpdateSigner(signer); diff --git a/crypto/src/crypto/tls/TlsSrpKeyExchange.cs b/crypto/src/crypto/tls/TlsSrpKeyExchange.cs index ce8e4834a..09fa72348 100644 --- a/crypto/src/crypto/tls/TlsSrpKeyExchange.cs +++ b/crypto/src/crypto/tls/TlsSrpKeyExchange.cs @@ -189,7 +189,7 @@ namespace Org.BouncyCastle.Crypto.Tls if (buf != null) { - DigitallySigned signed_params = DigitallySigned.Parse(mContext, input); + DigitallySigned signed_params = ParseSignature(input); ISigner signer = InitVerifyer(mTlsSigner, signed_params.Algorithm, securityParameters); buf.UpdateSigner(signer); diff --git a/crypto/test/src/crypto/tls/test/DtlsTestSuite.cs b/crypto/test/src/crypto/tls/test/DtlsTestSuite.cs index 69ce36071..e9e4411af 100644 --- a/crypto/test/src/crypto/tls/test/DtlsTestSuite.cs +++ b/crypto/test/src/crypto/tls/test/DtlsTestSuite.cs @@ -149,6 +149,35 @@ namespace Org.BouncyCastle.Crypto.Tls.Tests AddTestCase(testSuite, c, prefix + "BadMandatoryCertReqDeclined"); } + + /* + * Server selects MD5/RSA for ServerKeyExchange signature, which is not in the default + * supported signature algorithms that the client sent. We expect fatal alert from the + * client when it verifies the selected algorithm against the supported algorithms. + */ + if (TlsUtilities.IsTlsV12(version)) + { + TlsTestConfig c = CreateDtlsTestConfig(version); + c.serverAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.md5, SignatureAlgorithm.rsa); + c.ExpectClientFatalAlert(AlertDescription.illegal_parameter); + + AddTestCase(testSuite, c, prefix + "BadServerKeyExchangeSigAlg"); + } + + /* + * Server selects MD5/RSA for ServerKeyExchange signature, which is not the default {sha1,rsa} + * implied by the absent signature_algorithms extension. We expect fatal alert from the + * client when it verifies the selected algorithm against the implicit default. + */ + if (TlsUtilities.IsTlsV12(version)) + { + TlsTestConfig c = CreateDtlsTestConfig(version); + c.clientSendSignatureAlgorithms = false; + c.serverAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.md5, SignatureAlgorithm.rsa); + c.ExpectClientFatalAlert(AlertDescription.illegal_parameter); + + AddTestCaseDebug(testSuite, c, prefix + "BadServerKeyExchangeSigAlg2"); + } #endif { @@ -173,6 +202,11 @@ namespace Org.BouncyCastle.Crypto.Tls.Tests } private static void AddTestCase(IList testSuite, TlsTestConfig config, String name) + { + //testSuite.Add(new TestCaseData(config).SetName(name)); + } + + private static void AddTestCaseDebug(IList testSuite, TlsTestConfig config, String name) { testSuite.Add(new TestCaseData(config).SetName(name)); } diff --git a/crypto/test/src/crypto/tls/test/TlsTestClientImpl.cs b/crypto/test/src/crypto/tls/test/TlsTestClientImpl.cs index f313f75fe..864a0a5cc 100644 --- a/crypto/test/src/crypto/tls/test/TlsTestClientImpl.cs +++ b/crypto/test/src/crypto/tls/test/TlsTestClientImpl.cs @@ -57,6 +57,17 @@ namespace Org.BouncyCastle.Crypto.Tls.Tests } } + public override IDictionary GetClientExtensions() + { + IDictionary clientExtensions = base.GetClientExtensions(); + if (clientExtensions != null && !mConfig.clientSendSignatureAlgorithms) + { + clientExtensions.Remove(ExtensionType.signature_algorithms); + this.mSupportedSignatureAlgorithms = null; + } + return clientExtensions; + } + public override bool IsFallback { get { return mConfig.clientFallback; } diff --git a/crypto/test/src/crypto/tls/test/TlsTestConfig.cs b/crypto/test/src/crypto/tls/test/TlsTestConfig.cs index 212d2b63c..ccbb919d2 100644 --- a/crypto/test/src/crypto/tls/test/TlsTestConfig.cs +++ b/crypto/test/src/crypto/tls/test/TlsTestConfig.cs @@ -74,6 +74,17 @@ namespace Org.BouncyCastle.Crypto.Tls.Tests */ public bool clientFallback = false; + /** + * Configures whether a (TLS 1.2+) client will send the signature_algorithms extension in ClientHello. + */ + public bool clientSendSignatureAlgorithms = true; + + /** + * If not null, and TLS 1.2 or higher is negotiated, selects a fixed signature/hash algorithm to + * be used for the ServerKeyExchange signature (if one is sent). + */ + public SignatureAndHashAlgorithm serverAuthSigAlg = null; + /** * Configures whether the test server will send a certificate request. */ diff --git a/crypto/test/src/crypto/tls/test/TlsTestServerImpl.cs b/crypto/test/src/crypto/tls/test/TlsTestServerImpl.cs index 6f9d35b5c..9edd2e524 100644 --- a/crypto/test/src/crypto/tls/test/TlsTestServerImpl.cs +++ b/crypto/test/src/crypto/tls/test/TlsTestServerImpl.cs @@ -172,15 +172,27 @@ namespace Org.BouncyCastle.Crypto.Tls.Tests } } + protected virtual IList GetSupportedSignatureAlgorithms() + { + if (TlsUtilities.IsTlsV12(mContext) && mConfig.serverAuthSigAlg != null) + { + IList signatureAlgorithms = new ArrayList(1); + signatureAlgorithms.Add(mConfig.serverAuthSigAlg); + return signatureAlgorithms; + } + + return mSupportedSignatureAlgorithms; + } + protected override TlsSignerCredentials GetDsaSignerCredentials() { - return TlsTestUtilities.LoadSignerCredentials(mContext, mSupportedSignatureAlgorithms, SignatureAlgorithm.dsa, + return TlsTestUtilities.LoadSignerCredentials(mContext, GetSupportedSignatureAlgorithms(), SignatureAlgorithm.dsa, "x509-server-dsa.pem", "x509-server-key-dsa.pem"); } protected override TlsSignerCredentials GetECDsaSignerCredentials() { - return TlsTestUtilities.LoadSignerCredentials(mContext, mSupportedSignatureAlgorithms, SignatureAlgorithm.ecdsa, + return TlsTestUtilities.LoadSignerCredentials(mContext, GetSupportedSignatureAlgorithms(), SignatureAlgorithm.ecdsa, "x509-server-ecdsa.pem", "x509-server-key-ecdsa.pem"); } @@ -192,7 +204,7 @@ namespace Org.BouncyCastle.Crypto.Tls.Tests protected override TlsSignerCredentials GetRsaSignerCredentials() { - return TlsTestUtilities.LoadSignerCredentials(mContext, mSupportedSignatureAlgorithms, SignatureAlgorithm.rsa, + return TlsTestUtilities.LoadSignerCredentials(mContext, GetSupportedSignatureAlgorithms(), SignatureAlgorithm.rsa, "x509-server.pem", "x509-server-key.pem"); } diff --git a/crypto/test/src/crypto/tls/test/TlsTestSuite.cs b/crypto/test/src/crypto/tls/test/TlsTestSuite.cs index 0770187d5..77cebe0a6 100644 --- a/crypto/test/src/crypto/tls/test/TlsTestSuite.cs +++ b/crypto/test/src/crypto/tls/test/TlsTestSuite.cs @@ -142,6 +142,35 @@ namespace Org.BouncyCastle.Crypto.Tls.Tests AddTestCase(testSuite, c, prefix + "BadMandatoryCertReqDeclined"); } + /* + * Server selects MD5/RSA for ServerKeyExchange signature, which is not in the default + * supported signature algorithms that the client sent. We expect fatal alert from the + * client when it verifies the selected algorithm against the supported algorithms. + */ + if (TlsUtilities.IsTlsV12(version)) + { + TlsTestConfig c = CreateTlsTestConfig(version); + c.serverAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.md5, SignatureAlgorithm.rsa); + c.ExpectClientFatalAlert(AlertDescription.illegal_parameter); + + AddTestCase(testSuite, c, prefix + "BadServerKeyExchangeSigAlg"); + } + + /* + * Server selects MD5/RSA for ServerKeyExchange signature, which is not the default {sha1,rsa} + * implied by the absent signature_algorithms extension. We expect fatal alert from the + * client when it verifies the selected algorithm against the implicit default. + */ + if (TlsUtilities.IsTlsV12(version)) + { + TlsTestConfig c = CreateTlsTestConfig(version); + c.clientSendSignatureAlgorithms = false; + c.serverAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.md5, SignatureAlgorithm.rsa); + c.ExpectClientFatalAlert(AlertDescription.illegal_parameter); + + AddTestCase(testSuite, c, prefix + "BadServerKeyExchangeSigAlg2"); + } + { TlsTestConfig c = CreateTlsTestConfig(version); c.serverCertReq = C.SERVER_CERT_REQ_NONE; -- cgit 1.5.1 From 67acfffc68a2483dc3ca48a3a95fa132d6910107 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Fri, 18 Dec 2015 14:37:17 +0700 Subject: Check CertificateRequest syntax server-side --- crypto/src/crypto/tls/DtlsServerProtocol.cs | 3 +++ crypto/src/crypto/tls/TlsServerProtocol.cs | 3 +++ 2 files changed, 6 insertions(+) (limited to 'crypto/src') diff --git a/crypto/src/crypto/tls/DtlsServerProtocol.cs b/crypto/src/crypto/tls/DtlsServerProtocol.cs index e2e9eddfc..c556d6320 100644 --- a/crypto/src/crypto/tls/DtlsServerProtocol.cs +++ b/crypto/src/crypto/tls/DtlsServerProtocol.cs @@ -156,6 +156,9 @@ namespace Org.BouncyCastle.Crypto.Tls state.certificateRequest = state.server.GetCertificateRequest(); if (state.certificateRequest != null) { + if (TlsUtilities.IsTlsV12(state.serverContext) != (state.certificateRequest.SupportedSignatureAlgorithms != null)) + throw new TlsFatalAlert(AlertDescription.internal_error); + state.keyExchange.ValidateCertificateRequest(state.certificateRequest); byte[] certificateRequestBody = GenerateCertificateRequest(state, state.certificateRequest); diff --git a/crypto/src/crypto/tls/TlsServerProtocol.cs b/crypto/src/crypto/tls/TlsServerProtocol.cs index 5716c0cd1..1b790c9e0 100644 --- a/crypto/src/crypto/tls/TlsServerProtocol.cs +++ b/crypto/src/crypto/tls/TlsServerProtocol.cs @@ -200,6 +200,9 @@ namespace Org.BouncyCastle.Crypto.Tls this.mCertificateRequest = mTlsServer.GetCertificateRequest(); if (this.mCertificateRequest != null) { + if (TlsUtilities.IsTlsV12(Context) != (mCertificateRequest.SupportedSignatureAlgorithms != null)) + throw new TlsFatalAlert(AlertDescription.internal_error); + this.mKeyExchange.ValidateCertificateRequest(mCertificateRequest); SendCertificateRequestMessage(mCertificateRequest); -- cgit 1.5.1 From 9d2816f7c430dc4fcf26b2940e3c5aa1a5aefcd7 Mon Sep 17 00:00:00 2001 From: David Hook Date: Sat, 19 Dec 2015 10:11:53 +1100 Subject: Added support for fixed salt. --- crypto/src/crypto/signers/PssSigner.cs | 46 ++++++++++++++++++++++++++++------ 1 file changed, 39 insertions(+), 7 deletions(-) (limited to 'crypto/src') diff --git a/crypto/src/crypto/signers/PssSigner.cs b/crypto/src/crypto/signers/PssSigner.cs index 03890902b..61e7dae01 100644 --- a/crypto/src/crypto/signers/PssSigner.cs +++ b/crypto/src/crypto/signers/PssSigner.cs @@ -25,6 +25,7 @@ namespace Org.BouncyCastle.Crypto.Signers private int hLen; private int mgfhLen; private int sLen; + private bool sSet; private int emBits; private byte[] salt; private byte[] mDash; @@ -35,7 +36,7 @@ namespace Org.BouncyCastle.Crypto.Signers IAsymmetricBlockCipher cipher, IDigest digest) { - return new PssSigner(cipher, new NullDigest(), digest, digest, digest.GetDigestSize(), TrailerImplicit); + return new PssSigner(cipher, new NullDigest(), digest, digest, digest.GetDigestSize(), null, TrailerImplicit); } public static PssSigner CreateRawSigner( @@ -45,7 +46,7 @@ namespace Org.BouncyCastle.Crypto.Signers int saltLen, byte trailer) { - return new PssSigner(cipher, new NullDigest(), contentDigest, mgfDigest, saltLen, trailer); + return new PssSigner(cipher, new NullDigest(), contentDigest, mgfDigest, saltLen, null, trailer); } public PssSigner( @@ -67,7 +68,19 @@ namespace Org.BouncyCastle.Crypto.Signers { } - public PssSigner( + /// Basic constructor + /// the asymmetric cipher to use. + /// the digest to use. + /// the fixed salt to be used. + public PssSigner( + IAsymmetricBlockCipher cipher, + IDigest digest, + byte[] salt) + : this(cipher, digest, digest, digest, salt.Length, salt, TrailerImplicit) + { + } + + public PssSigner( IAsymmetricBlockCipher cipher, IDigest contentDigest, IDigest mgfDigest, @@ -91,7 +104,7 @@ namespace Org.BouncyCastle.Crypto.Signers IDigest mgfDigest, int saltLen, byte trailer) - : this(cipher, contentDigest, contentDigest, mgfDigest, saltLen, trailer) + : this(cipher, contentDigest, contentDigest, mgfDigest, saltLen, null, trailer) { } @@ -101,6 +114,7 @@ namespace Org.BouncyCastle.Crypto.Signers IDigest contentDigest2, IDigest mgfDigest, int saltLen, + byte[] salt, byte trailer) { this.cipher = cipher; @@ -110,7 +124,15 @@ namespace Org.BouncyCastle.Crypto.Signers this.hLen = contentDigest2.GetDigestSize(); this.mgfhLen = mgfDigest.GetDigestSize(); this.sLen = saltLen; - this.salt = new byte[saltLen]; + this.sSet = salt != null; + if (sSet) + { + this.salt = salt; + } + else + { + this.salt = new byte[saltLen]; + } this.mDash = new byte[8 + saltLen + hLen]; this.trailer = trailer; } @@ -197,7 +219,10 @@ namespace Org.BouncyCastle.Crypto.Signers if (sLen != 0) { - random.NextBytes(salt); + if (!sSet) + { + random.NextBytes(salt); + } salt.CopyTo(mDash, mDash.Length - sLen); } @@ -270,7 +295,14 @@ namespace Org.BouncyCastle.Crypto.Signers return false; } - Array.Copy(block, block.Length - sLen - hLen - 1, mDash, mDash.Length - sLen, sLen); + if (sSet) + { + Array.Copy(salt, 0, mDash, mDash.Length - sLen, sLen); + } + else + { + Array.Copy(block, block.Length - sLen - hLen - 1, mDash, mDash.Length - sLen, sLen); + } contentDigest2.BlockUpdate(mDash, 0, mDash.Length); contentDigest2.DoFinal(mDash, mDash.Length - hLen); -- cgit 1.5.1 From 0b4afcc3e4f3804562294b71265edd2ac2f00f9c Mon Sep 17 00:00:00 2001 From: David Hook Date: Sat, 19 Dec 2015 10:36:47 +1100 Subject: Added test against fixed salt. --- crypto/src/crypto/signers/PssSigner.cs | 11 +++++++++- crypto/test/src/crypto/test/PSSTest.cs | 38 +++++++++++++++++++++++++++++++++- 2 files changed, 47 insertions(+), 2 deletions(-) (limited to 'crypto/src') diff --git a/crypto/src/crypto/signers/PssSigner.cs b/crypto/src/crypto/signers/PssSigner.cs index 61e7dae01..23b7c0f49 100644 --- a/crypto/src/crypto/signers/PssSigner.cs +++ b/crypto/src/crypto/signers/PssSigner.cs @@ -89,7 +89,16 @@ namespace Org.BouncyCastle.Crypto.Signers { } - public PssSigner( + public PssSigner( + IAsymmetricBlockCipher cipher, + IDigest contentDigest, + IDigest mgfDigest, + byte[] salt) + : this(cipher, contentDigest, contentDigest, mgfDigest, salt.Length, salt, TrailerImplicit) + { + } + + public PssSigner( IAsymmetricBlockCipher cipher, IDigest digest, int saltLen, diff --git a/crypto/test/src/crypto/test/PSSTest.cs b/crypto/test/src/crypto/test/PSSTest.cs index 91d8d3a6e..8578d254f 100644 --- a/crypto/test/src/crypto/test/PSSTest.cs +++ b/crypto/test/src/crypto/test/PSSTest.cs @@ -319,9 +319,45 @@ namespace Org.BouncyCastle.Crypto.Tests { Fail("loop test failed - failures: " + failed); } + + fixedSaltTest(); } - public static void Main( + private void fixedSaltTest() + { + byte[] data = Hex.Decode("010203040506070809101112131415"); + + PssSigner eng = new PssSigner(new RsaEngine(), new Sha256Digest(), new Sha1Digest(), Hex.Decode("deadbeef")); + + eng.Init(true, prv8); + + eng.BlockUpdate(data, 0, data.Length); + + byte[] s = eng.GenerateSignature(); + + eng.Init(false, pub8); + + eng.BlockUpdate(data, 0, data.Length); + + if (!eng.VerifySignature(s)) + { + Fail("fixed salt failed"); + } + + // test failure + eng = new PssSigner(new RsaEngine(), new Sha256Digest(), new Sha1Digest(), Hex.Decode("beefbeef")); + + eng.Init(false, pub8); + + eng.BlockUpdate(data, 0, data.Length); + + if (eng.VerifySignature(s)) + { + Fail("fixed salt failure verfied"); + } + } + + public static void Main( string[] args) { RunTest(new PssTest()); -- cgit 1.5.1 From 9edba71a655a0df5f39e1cef3632bb9561bae6ae Mon Sep 17 00:00:00 2001 From: David Hook Date: Sat, 19 Dec 2015 11:08:12 +1100 Subject: Added use of standard salt if provided. --- crypto/src/crypto/signers/Iso9796d2PssSigner.cs | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'crypto/src') diff --git a/crypto/src/crypto/signers/Iso9796d2PssSigner.cs b/crypto/src/crypto/signers/Iso9796d2PssSigner.cs index fb117c19d..3aa2e3719 100644 --- a/crypto/src/crypto/signers/Iso9796d2PssSigner.cs +++ b/crypto/src/crypto/signers/Iso9796d2PssSigner.cs @@ -486,7 +486,14 @@ namespace Org.BouncyCastle.Crypto.Signers digest.BlockUpdate(m2Hash, 0, m2Hash.Length); // Update for the salt - digest.BlockUpdate(block, mStart + recoveredMessage.Length, saltLength); + if (standardSalt != null) + { + digest.BlockUpdate(standardSalt, 0, standardSalt.Length); + } + else + { + digest.BlockUpdate(block, mStart + recoveredMessage.Length, saltLength); + } byte[] hash = new byte[digest.GetDigestSize()]; digest.DoFinal(hash, 0); -- cgit 1.5.1 From 2e91027902f5293f34127b787aa5de74f6849a4f Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Mon, 21 Dec 2015 19:47:41 +0700 Subject: BJA-584 Fix DTLS record-layer version handling - Also https://github.com/bcgit/bc-java/pull/111 --- crypto/src/crypto/tls/DtlsClientProtocol.cs | 11 +++++++-- crypto/src/crypto/tls/DtlsRecordLayer.cs | 30 ++++++++++++++--------- crypto/src/crypto/tls/DtlsServerProtocol.cs | 12 ++++----- crypto/test/src/crypto/tls/test/DtlsTestSuite.cs | 11 +-------- crypto/test/src/crypto/tls/test/MockDtlsClient.cs | 9 +++++-- crypto/test/src/crypto/tls/test/MockTlsClient.cs | 9 +++++-- 6 files changed, 49 insertions(+), 33 deletions(-) (limited to 'crypto/src') diff --git a/crypto/src/crypto/tls/DtlsClientProtocol.cs b/crypto/src/crypto/tls/DtlsClientProtocol.cs index 411e7cca2..7cb554ae8 100644 --- a/crypto/src/crypto/tls/DtlsClientProtocol.cs +++ b/crypto/src/crypto/tls/DtlsClientProtocol.cs @@ -74,13 +74,16 @@ namespace Org.BouncyCastle.Crypto.Tls DtlsReliableHandshake handshake = new DtlsReliableHandshake(state.clientContext, recordLayer); byte[] clientHelloBody = GenerateClientHello(state, state.client); + + recordLayer.SetWriteVersion(ProtocolVersion.DTLSv10); + handshake.SendMessage(HandshakeType.client_hello, clientHelloBody); DtlsReliableHandshake.Message serverMessage = handshake.ReceiveMessage(); while (serverMessage.Type == HandshakeType.hello_verify_request) { - ProtocolVersion recordLayerVersion = recordLayer.ResetDiscoveredPeerVersion(); + ProtocolVersion recordLayerVersion = recordLayer.ReadVersion; ProtocolVersion client_version = state.clientContext.ClientVersion; /* @@ -92,6 +95,8 @@ namespace Org.BouncyCastle.Crypto.Tls if (!recordLayerVersion.IsEqualOrEarlierVersionOf(client_version)) throw new TlsFatalAlert(AlertDescription.illegal_parameter); + recordLayer.ReadVersion = null; + byte[] cookie = ProcessHelloVerifyRequest(state, serverMessage.Body); byte[] patched = PatchClientHelloWithCookie(clientHelloBody, cookie); @@ -103,7 +108,9 @@ namespace Org.BouncyCastle.Crypto.Tls if (serverMessage.Type == HandshakeType.server_hello) { - ReportServerVersion(state, recordLayer.DiscoveredPeerVersion); + ProtocolVersion recordLayerVersion = recordLayer.ReadVersion; + ReportServerVersion(state, recordLayerVersion); + recordLayer.SetWriteVersion(recordLayerVersion); ProcessServerHello(state, serverMessage.Body); } diff --git a/crypto/src/crypto/tls/DtlsRecordLayer.cs b/crypto/src/crypto/tls/DtlsRecordLayer.cs index 70befd9e4..6796f4cbb 100644 --- a/crypto/src/crypto/tls/DtlsRecordLayer.cs +++ b/crypto/src/crypto/tls/DtlsRecordLayer.cs @@ -21,7 +21,7 @@ namespace Org.BouncyCastle.Crypto.Tls private volatile bool mClosed = false; private volatile bool mFailed = false; - private volatile ProtocolVersion mDiscoveredPeerVersion = null; + private volatile ProtocolVersion mReadVersion = null, mWriteVersion = null; private volatile bool mInHandshake; private volatile int mPlaintextLimit; private DtlsEpoch mCurrentEpoch, mPendingEpoch; @@ -52,16 +52,15 @@ namespace Org.BouncyCastle.Crypto.Tls this.mPlaintextLimit = plaintextLimit; } - internal virtual ProtocolVersion DiscoveredPeerVersion + internal virtual ProtocolVersion ReadVersion { - get { return mDiscoveredPeerVersion; } + get { return mReadVersion; } + set { this.mReadVersion = value; } } - internal virtual ProtocolVersion ResetDiscoveredPeerVersion() + internal virtual void SetWriteVersion(ProtocolVersion writeVersion) { - ProtocolVersion result = mDiscoveredPeerVersion; - mDiscoveredPeerVersion = null; - return result; + this.mWriteVersion = writeVersion; } internal virtual void InitPendingEpoch(TlsCipher pendingCipher) @@ -199,7 +198,12 @@ namespace Org.BouncyCastle.Crypto.Tls } ProtocolVersion version = TlsUtilities.ReadVersion(record, 1); - if (mDiscoveredPeerVersion != null && !mDiscoveredPeerVersion.Equals(version)) + if (!version.IsDtls) + { + continue; + } + + if (mReadVersion != null && !mReadVersion.Equals(version)) { continue; } @@ -215,9 +219,9 @@ namespace Org.BouncyCastle.Crypto.Tls continue; } - if (mDiscoveredPeerVersion == null) + if (mReadVersion == null) { - mDiscoveredPeerVersion = version; + mReadVersion = version; } switch (type) @@ -469,6 +473,10 @@ namespace Org.BouncyCastle.Crypto.Tls private void SendRecord(byte contentType, byte[] buf, int off, int len) { + // Never send anything until a valid ClientHello has been received + if (mWriteVersion == null) + return; + if (len > this.mPlaintextLimit) throw new TlsFatalAlert(AlertDescription.internal_error); @@ -489,7 +497,7 @@ namespace Org.BouncyCastle.Crypto.Tls byte[] record = new byte[ciphertext.Length + RECORD_HEADER_LENGTH]; TlsUtilities.WriteUint8(contentType, record, 0); - ProtocolVersion version = mDiscoveredPeerVersion != null ? mDiscoveredPeerVersion : mContext.ClientVersion; + ProtocolVersion version = mWriteVersion; TlsUtilities.WriteVersion(version, record, 1); TlsUtilities.WriteUint16(recordEpoch, record, 3); TlsUtilities.WriteUint48(recordSequenceNumber, record, 5); diff --git a/crypto/src/crypto/tls/DtlsServerProtocol.cs b/crypto/src/crypto/tls/DtlsServerProtocol.cs index c556d6320..171984b6f 100644 --- a/crypto/src/crypto/tls/DtlsServerProtocol.cs +++ b/crypto/src/crypto/tls/DtlsServerProtocol.cs @@ -76,12 +76,8 @@ namespace Org.BouncyCastle.Crypto.Tls DtlsReliableHandshake.Message clientMessage = handshake.ReceiveMessage(); - { - // NOTE: After receiving a record from the client, we discover the record layer version - ProtocolVersion client_version = recordLayer.DiscoveredPeerVersion; - // TODO Read RFCs for guidance on the expected record layer version number - state.serverContext.SetClientVersion(client_version); - } + // NOTE: DTLSRecordLayer requires any DTLS version, we don't otherwise constrain this + //ProtocolVersion recordLayerVersion = recordLayer.ReadVersion; if (clientMessage.Type == HandshakeType.client_hello) { @@ -97,6 +93,10 @@ namespace Org.BouncyCastle.Crypto.Tls ApplyMaxFragmentLengthExtension(recordLayer, securityParameters.maxFragmentLength); + ProtocolVersion recordLayerVersion = state.serverContext.ServerVersion; + recordLayer.ReadVersion = recordLayerVersion; + recordLayer.SetWriteVersion(recordLayerVersion); + handshake.SendMessage(HandshakeType.server_hello, serverHelloBody); } diff --git a/crypto/test/src/crypto/tls/test/DtlsTestSuite.cs b/crypto/test/src/crypto/tls/test/DtlsTestSuite.cs index e9e4411af..a1ba62dde 100644 --- a/crypto/test/src/crypto/tls/test/DtlsTestSuite.cs +++ b/crypto/test/src/crypto/tls/test/DtlsTestSuite.cs @@ -202,11 +202,6 @@ namespace Org.BouncyCastle.Crypto.Tls.Tests } private static void AddTestCase(IList testSuite, TlsTestConfig config, String name) - { - //testSuite.Add(new TestCaseData(config).SetName(name)); - } - - private static void AddTestCaseDebug(IList testSuite, TlsTestConfig config, String name) { testSuite.Add(new TestCaseData(config).SetName(name)); } @@ -215,11 +210,7 @@ namespace Org.BouncyCastle.Crypto.Tls.Tests { TlsTestConfig c = new TlsTestConfig(); c.clientMinimumVersion = ProtocolVersion.DTLSv10; - /* - * TODO We'd like to just set the offer version to DTLSv12, but there is a known issue with - * overly-restrictive version checks b/w BC DTLS 1.2 client, BC DTLS 1.0 server - */ - c.clientOfferVersion = version; + c.clientOfferVersion = ProtocolVersion.DTLSv12; c.serverMaximumVersion = version; c.serverMinimumVersion = ProtocolVersion.DTLSv10; return c; diff --git a/crypto/test/src/crypto/tls/test/MockDtlsClient.cs b/crypto/test/src/crypto/tls/test/MockDtlsClient.cs index e3c604db7..25057b8ce 100644 --- a/crypto/test/src/crypto/tls/test/MockDtlsClient.cs +++ b/crypto/test/src/crypto/tls/test/MockDtlsClient.cs @@ -73,8 +73,13 @@ namespace Org.BouncyCastle.Crypto.Tls.Tests IDictionary clientExtensions = TlsExtensionsUtilities.EnsureExtensionsInitialised(base.GetClientExtensions()); TlsExtensionsUtilities.AddEncryptThenMacExtension(clientExtensions); TlsExtensionsUtilities.AddExtendedMasterSecretExtension(clientExtensions); - TlsExtensionsUtilities.AddMaxFragmentLengthExtension(clientExtensions, MaxFragmentLength.pow2_9); - TlsExtensionsUtilities.AddTruncatedHMacExtension(clientExtensions); + { + /* + * NOTE: If you are copying test code, do not blindly set these extensions in your own client. + */ + TlsExtensionsUtilities.AddMaxFragmentLengthExtension(clientExtensions, MaxFragmentLength.pow2_9); + TlsExtensionsUtilities.AddTruncatedHMacExtension(clientExtensions); + } return clientExtensions; } diff --git a/crypto/test/src/crypto/tls/test/MockTlsClient.cs b/crypto/test/src/crypto/tls/test/MockTlsClient.cs index 7c1198632..35c5b3599 100644 --- a/crypto/test/src/crypto/tls/test/MockTlsClient.cs +++ b/crypto/test/src/crypto/tls/test/MockTlsClient.cs @@ -63,8 +63,13 @@ namespace Org.BouncyCastle.Crypto.Tls.Tests IDictionary clientExtensions = TlsExtensionsUtilities.EnsureExtensionsInitialised(base.GetClientExtensions()); TlsExtensionsUtilities.AddEncryptThenMacExtension(clientExtensions); TlsExtensionsUtilities.AddExtendedMasterSecretExtension(clientExtensions); - TlsExtensionsUtilities.AddMaxFragmentLengthExtension(clientExtensions, MaxFragmentLength.pow2_9); - TlsExtensionsUtilities.AddTruncatedHMacExtension(clientExtensions); + { + /* + * NOTE: If you are copying test code, do not blindly set these extensions in your own client. + */ + TlsExtensionsUtilities.AddMaxFragmentLengthExtension(clientExtensions, MaxFragmentLength.pow2_9); + TlsExtensionsUtilities.AddTruncatedHMacExtension(clientExtensions); + } return clientExtensions; } -- cgit 1.5.1 From d23f5025d8281432258b906ab07dcf96db37703f Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Fri, 25 Dec 2015 00:23:52 +0700 Subject: Fix VmpcMac to actually use offset in BlockUpdate() - https://github.com/bcgit/bc-java/issues/127 --- crypto/src/crypto/macs/VMPCMac.cs | 2 +- crypto/test/src/crypto/test/VMPCMacTest.cs | 11 ++++++----- 2 files changed, 7 insertions(+), 6 deletions(-) (limited to 'crypto/src') diff --git a/crypto/src/crypto/macs/VMPCMac.cs b/crypto/src/crypto/macs/VMPCMac.cs index 89916355c..6f2da075c 100644 --- a/crypto/src/crypto/macs/VMPCMac.cs +++ b/crypto/src/crypto/macs/VMPCMac.cs @@ -166,7 +166,7 @@ namespace Org.BouncyCastle.Crypto.Macs for (int i = 0; i < len; i++) { - Update(input[i]); + Update(input[inOff + i]); } } } diff --git a/crypto/test/src/crypto/test/VMPCMacTest.cs b/crypto/test/src/crypto/test/VMPCMacTest.cs index 0ddb5506f..b9a5e3a93 100644 --- a/crypto/test/src/crypto/test/VMPCMacTest.cs +++ b/crypto/test/src/crypto/test/VMPCMacTest.cs @@ -35,16 +35,17 @@ namespace Org.BouncyCastle.Crypto.Tests ICipherParameters kpwiv = new ParametersWithIV(kp, Hex.Decode("4B5C2F003E67F39557A8D26F3DA2B155")); - byte[] m = new byte[256]; + int offset = 117; + byte[] m = new byte[512]; for (int i = 0; i < 256; i++) { - m[i] = (byte) i; + m[offset + i] = (byte)i; } - VmpcMac mac = new VmpcMac(); + VmpcMac mac = new VmpcMac(); mac.Init(kpwiv); - mac.BlockUpdate(m, 0, m.Length); + mac.BlockUpdate(m, offset, 256); byte[] output = new byte[20]; mac.DoFinal(output, 0); @@ -57,7 +58,7 @@ namespace Org.BouncyCastle.Crypto.Tests } } - [Test] + [Test] public void TestFunction() { string resultText = Perform().ToString(); -- cgit 1.5.1 From ca836115b48bd3b78312b2a5c88370ff7ef9d338 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Mon, 28 Dec 2015 12:25:40 +0700 Subject: XML doc for TlsClient.ClientHelloRecordLayerVersion --- crypto/src/crypto/tls/AbstractTlsClient.cs | 11 ++--------- crypto/src/crypto/tls/TlsClient.cs | 12 ++++++++++++ 2 files changed, 14 insertions(+), 9 deletions(-) (limited to 'crypto/src') diff --git a/crypto/src/crypto/tls/AbstractTlsClient.cs b/crypto/src/crypto/tls/AbstractTlsClient.cs index 046feb78c..fedca0934 100644 --- a/crypto/src/crypto/tls/AbstractTlsClient.cs +++ b/crypto/src/crypto/tls/AbstractTlsClient.cs @@ -66,22 +66,15 @@ namespace Org.BouncyCastle.Crypto.Tls return null; } - /** - * RFC 5246 E.1. "TLS clients that wish to negotiate with older servers MAY send any value - * {03,XX} as the record layer version number. Typical values would be {03,00}, the lowest - * version number supported by the client, and the value of ClientHello.client_version. No - * single value will guarantee interoperability with all old servers, but this is a complex - * topic beyond the scope of this document." - */ public virtual ProtocolVersion ClientHelloRecordLayerVersion { get { // "{03,00}" - // return ProtocolVersion.SSLv3; + //return ProtocolVersion.SSLv3; // "the lowest version number supported by the client" - // return getMinimumVersion(); + //return MinimumVersion; // "the value of ClientHello.client_version" return ClientVersion; diff --git a/crypto/src/crypto/tls/TlsClient.cs b/crypto/src/crypto/tls/TlsClient.cs index 116f6a779..73f169054 100644 --- a/crypto/src/crypto/tls/TlsClient.cs +++ b/crypto/src/crypto/tls/TlsClient.cs @@ -23,6 +23,18 @@ namespace Org.BouncyCastle.Crypto.Tls /// TlsSession GetSessionToResume(); + /// + /// Return the to use for the TLSPlaintext.version field prior to + /// receiving the server version. NOTE: This method is not called for DTLS. + /// + /// + /// See RFC 5246 E.1.: "TLS clients that wish to negotiate with older servers MAY send any value + /// {03,XX} as the record layer version number. Typical values would be {03,00}, the lowest + /// version number supported by the client, and the value of ClientHello.client_version. No + /// single value will guarantee interoperability with all old servers, but this is a complex + /// topic beyond the scope of this document." + /// + /// The to use. ProtocolVersion ClientHelloRecordLayerVersion { get; } ProtocolVersion ClientVersion { get; } -- cgit 1.5.1 From 125e93ac90fab535316f55695f14dde8e9c76c97 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Mon, 28 Dec 2015 14:59:52 +0700 Subject: Optimized Sqrt and Trace for custom binary curves --- crypto/src/math/ec/custom/sec/SecT113Field.cs | 16 +++++++++ .../src/math/ec/custom/sec/SecT113FieldElement.cs | 4 ++- crypto/src/math/ec/custom/sec/SecT131Field.cs | 27 ++++++++++++++ .../src/math/ec/custom/sec/SecT131FieldElement.cs | 4 ++- crypto/src/math/ec/custom/sec/SecT163Field.cs | 27 ++++++++++++++ .../src/math/ec/custom/sec/SecT163FieldElement.cs | 4 ++- crypto/src/math/ec/custom/sec/SecT193Field.cs | 23 ++++++++++++ .../src/math/ec/custom/sec/SecT193FieldElement.cs | 4 ++- crypto/src/math/ec/custom/sec/SecT233Field.cs | 41 +++++++++++++++++++++ .../src/math/ec/custom/sec/SecT233FieldElement.cs | 4 ++- crypto/src/math/ec/custom/sec/SecT239Field.cs | 42 ++++++++++++++++++++++ .../src/math/ec/custom/sec/SecT239FieldElement.cs | 4 ++- crypto/src/math/ec/custom/sec/SecT283Field.cs | 32 +++++++++++++++++ .../src/math/ec/custom/sec/SecT283FieldElement.cs | 4 ++- crypto/src/math/ec/custom/sec/SecT409Field.cs | 36 +++++++++++++++++++ .../src/math/ec/custom/sec/SecT409FieldElement.cs | 4 ++- crypto/src/math/ec/custom/sec/SecT571Field.cs | 31 ++++++++++++++++ .../src/math/ec/custom/sec/SecT571FieldElement.cs | 4 ++- crypto/src/math/raw/Interleave.cs | 12 +++++++ crypto/test/src/math/ec/test/ECPointTest.cs | 13 +++++++ 20 files changed, 327 insertions(+), 9 deletions(-) (limited to 'crypto/src') diff --git a/crypto/src/math/ec/custom/sec/SecT113Field.cs b/crypto/src/math/ec/custom/sec/SecT113Field.cs index 640c6e787..49773b66d 100644 --- a/crypto/src/math/ec/custom/sec/SecT113Field.cs +++ b/crypto/src/math/ec/custom/sec/SecT113Field.cs @@ -102,6 +102,16 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec z[zOff + 1] = z1 & M49; } + public static void Sqrt(ulong[] x, ulong[] z) + { + ulong u0 = Interleave.Unshuffle(x[0]), u1 = Interleave.Unshuffle(x[1]); + ulong e0 = (u0 & 0x00000000FFFFFFFFUL) | (u1 << 32); + ulong c0 = (u0 >> 32) | (u1 & 0xFFFFFFFF00000000UL); + + z[0] = e0 ^ (c0 << 57) ^ (c0 << 5); + z[1] = (c0 >> 7) ^ (c0 >> 59); + } + public static void Square(ulong[] x, ulong[] z) { ulong[] tt = Nat128.CreateExt64(); @@ -131,6 +141,12 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec } } + public static uint Trace(ulong[] x) + { + // Non-zero-trace bits: 0 + return (uint)(x[0]) & 1U; + } + protected static void ImplMultiply(ulong[] x, ulong[] y, ulong[] zz) { /* diff --git a/crypto/src/math/ec/custom/sec/SecT113FieldElement.cs b/crypto/src/math/ec/custom/sec/SecT113FieldElement.cs index f217e28cb..9ba25d987 100644 --- a/crypto/src/math/ec/custom/sec/SecT113FieldElement.cs +++ b/crypto/src/math/ec/custom/sec/SecT113FieldElement.cs @@ -159,7 +159,9 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec public override ECFieldElement Sqrt() { - return SquarePow(M - 1); + ulong[] z = Nat128.Create64(); + SecT113Field.Sqrt(x, z); + return new SecT113FieldElement(z); } public virtual int Representation diff --git a/crypto/src/math/ec/custom/sec/SecT131Field.cs b/crypto/src/math/ec/custom/sec/SecT131Field.cs index 47f97078c..1b6697afe 100644 --- a/crypto/src/math/ec/custom/sec/SecT131Field.cs +++ b/crypto/src/math/ec/custom/sec/SecT131Field.cs @@ -10,6 +10,8 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec private const ulong M03 = ulong.MaxValue >> 61; private const ulong M44 = ulong.MaxValue >> 20; + private static readonly ulong[] ROOT_Z = new ulong[]{ 0x26BC4D789AF13523UL, 0x26BC4D789AF135E2UL, 0x6UL }; + public static void Add(ulong[] x, ulong[] y, ulong[] z) { z[0] = x[0] ^ y[0]; @@ -109,6 +111,25 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec z[zOff + 2] = z2 & M03; } + public static void Sqrt(ulong[] x, ulong[] z) + { + ulong[] odd = Nat192.Create64(); + + ulong u0, u1; + u0 = Interleave.Unshuffle(x[0]); u1 = Interleave.Unshuffle(x[1]); + ulong e0 = (u0 & 0x00000000FFFFFFFFUL) | (u1 << 32); + odd[0] = (u0 >> 32) | (u1 & 0xFFFFFFFF00000000UL); + + u0 = Interleave.Unshuffle(x[2]); + ulong e1 = (u0 & 0x00000000FFFFFFFFUL); + odd[1] = (u0 >> 32); + + Multiply(odd, ROOT_Z, z); + + z[0] ^= e0; + z[1] ^= e1; + } + public static void Square(ulong[] x, ulong[] z) { ulong[] tt = Nat.Create64(5); @@ -138,6 +159,12 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec } } + public static uint Trace(ulong[] x) + { + // Non-zero-trace bits: 0, 123, 129 + return (uint)(x[0] ^ (x[1] >> 59) ^ (x[2] >> 1)) & 1U; + } + protected static void ImplCompactExt(ulong[] zz) { ulong z0 = zz[0], z1 = zz[1], z2 = zz[2], z3 = zz[3], z4 = zz[4], z5 = zz[5]; diff --git a/crypto/src/math/ec/custom/sec/SecT131FieldElement.cs b/crypto/src/math/ec/custom/sec/SecT131FieldElement.cs index 0ea00ea07..e0ecc100f 100644 --- a/crypto/src/math/ec/custom/sec/SecT131FieldElement.cs +++ b/crypto/src/math/ec/custom/sec/SecT131FieldElement.cs @@ -159,7 +159,9 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec public override ECFieldElement Sqrt() { - return SquarePow(M - 1); + ulong[] z = Nat192.Create64(); + SecT131Field.Sqrt(x, z); + return new SecT131FieldElement(z); } public virtual int Representation diff --git a/crypto/src/math/ec/custom/sec/SecT163Field.cs b/crypto/src/math/ec/custom/sec/SecT163Field.cs index f921a5bc7..b1e9aa725 100644 --- a/crypto/src/math/ec/custom/sec/SecT163Field.cs +++ b/crypto/src/math/ec/custom/sec/SecT163Field.cs @@ -10,6 +10,8 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec private const ulong M35 = ulong.MaxValue >> 29; private const ulong M55 = ulong.MaxValue >> 9; + private static readonly ulong[] ROOT_Z = new ulong[]{ 0xB6DB6DB6DB6DB6B0UL, 0x492492492492DB6DUL, 0x492492492UL }; + public static void Add(ulong[] x, ulong[] y, ulong[] z) { z[0] = x[0] ^ y[0]; @@ -122,6 +124,25 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec z[zOff + 2] = z2 & M35; } + public static void Sqrt(ulong[] x, ulong[] z) + { + ulong[] odd = Nat192.Create64(); + + ulong u0, u1; + u0 = Interleave.Unshuffle(x[0]); u1 = Interleave.Unshuffle(x[1]); + ulong e0 = (u0 & 0x00000000FFFFFFFFUL) | (u1 << 32); + odd[0] = (u0 >> 32) | (u1 & 0xFFFFFFFF00000000UL); + + u0 = Interleave.Unshuffle(x[2]); + ulong e1 = (u0 & 0x00000000FFFFFFFFUL); + odd[1] = (u0 >> 32); + + Multiply(odd, ROOT_Z, z); + + z[0] ^= e0; + z[1] ^= e1; + } + public static void Square(ulong[] x, ulong[] z) { ulong[] tt = Nat192.CreateExt64(); @@ -151,6 +172,12 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec } } + public static uint Trace(ulong[] x) + { + // Non-zero-trace bits: 0, 157 + return (uint)(x[0] ^ (x[2] >> 29)) & 1U; + } + protected static void ImplCompactExt(ulong[] zz) { ulong z0 = zz[0], z1 = zz[1], z2 = zz[2], z3 = zz[3], z4 = zz[4], z5 = zz[5]; diff --git a/crypto/src/math/ec/custom/sec/SecT163FieldElement.cs b/crypto/src/math/ec/custom/sec/SecT163FieldElement.cs index c7a0b5639..8953fb529 100644 --- a/crypto/src/math/ec/custom/sec/SecT163FieldElement.cs +++ b/crypto/src/math/ec/custom/sec/SecT163FieldElement.cs @@ -159,7 +159,9 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec public override ECFieldElement Sqrt() { - return SquarePow(M - 1); + ulong[] z = Nat192.Create64(); + SecT163Field.Sqrt(x, z); + return new SecT163FieldElement(z); } public virtual int Representation diff --git a/crypto/src/math/ec/custom/sec/SecT193Field.cs b/crypto/src/math/ec/custom/sec/SecT193Field.cs index 5154f1e0a..41acb4f94 100644 --- a/crypto/src/math/ec/custom/sec/SecT193Field.cs +++ b/crypto/src/math/ec/custom/sec/SecT193Field.cs @@ -132,6 +132,23 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec z[zOff + 3] = z3 & M01; } + public static void Sqrt(ulong[] x, ulong[] z) + { + ulong u0, u1; + u0 = Interleave.Unshuffle(x[0]); u1 = Interleave.Unshuffle(x[1]); + ulong e0 = (u0 & 0x00000000FFFFFFFFUL) | (u1 << 32); + ulong c0 = (u0 >> 32) | (u1 & 0xFFFFFFFF00000000UL); + + u0 = Interleave.Unshuffle(x[2]); + ulong e1 = (u0 & 0x00000000FFFFFFFFUL) ^ (x[3] << 32); + ulong c1 = (u0 >> 32); + + z[0] = e0 ^ (c0 << 8); + z[1] = e1 ^ (c1 << 8) ^ (c0 >> 56) ^ (c0 << 33); + z[2] = (c1 >> 56) ^ (c1 << 33) ^ (c0 >> 31); + z[3] = (c1 >> 31); + } + public static void Square(ulong[] x, ulong[] z) { ulong[] tt = Nat256.CreateExt64(); @@ -161,6 +178,12 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec } } + public static uint Trace(ulong[] x) + { + // Non-zero-trace bits: 0 + return (uint)(x[0]) & 1U; + } + protected static void ImplCompactExt(ulong[] zz) { ulong z0 = zz[0], z1 = zz[1], z2 = zz[2], z3 = zz[3], z4 = zz[4], z5 = zz[5], z6 = zz[6], z7 = zz[7]; diff --git a/crypto/src/math/ec/custom/sec/SecT193FieldElement.cs b/crypto/src/math/ec/custom/sec/SecT193FieldElement.cs index eba4d10e6..a1150b3f9 100644 --- a/crypto/src/math/ec/custom/sec/SecT193FieldElement.cs +++ b/crypto/src/math/ec/custom/sec/SecT193FieldElement.cs @@ -159,7 +159,9 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec public override ECFieldElement Sqrt() { - return SquarePow(M - 1); + ulong[] z = Nat256.Create64(); + SecT193Field.Sqrt(x, z); + return new SecT193FieldElement(z); } public virtual int Representation diff --git a/crypto/src/math/ec/custom/sec/SecT233Field.cs b/crypto/src/math/ec/custom/sec/SecT233Field.cs index a2f73fd5d..870dade50 100644 --- a/crypto/src/math/ec/custom/sec/SecT233Field.cs +++ b/crypto/src/math/ec/custom/sec/SecT233Field.cs @@ -128,6 +128,41 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec z[zOff + 3] = z3 & M41; } + public static void Sqrt(ulong[] x, ulong[] z) + { + ulong u0, u1; + u0 = Interleave.Unshuffle(x[0]); u1 = Interleave.Unshuffle(x[1]); + ulong e0 = (u0 & 0x00000000FFFFFFFFUL) | (u1 << 32); + ulong c0 = (u0 >> 32) | (u1 & 0xFFFFFFFF00000000UL); + + u0 = Interleave.Unshuffle(x[2]); u1 = Interleave.Unshuffle(x[3]); + ulong e1 = (u0 & 0x00000000FFFFFFFFUL) | (u1 << 32); + ulong c1 = (u0 >> 32) | (u1 & 0xFFFFFFFF00000000UL); + + ulong c2; + c2 = (c1 >> 27); + c1 ^= (c0 >> 27) | (c1 << 37); + c0 ^= (c0 << 37); + + ulong[] tt = Nat256.CreateExt64(); + + int[] shifts = { 32, 117, 191 }; + for (int i = 0; i < shifts.Length; ++i) + { + int w = shifts[i] >> 6, s = shifts[i] & 63; + Debug.Assert(s != 0); + tt[w ] ^= (c0 << s); + tt[w + 1] ^= (c1 << s) | (c0 >> -s); + tt[w + 2] ^= (c2 << s) | (c1 >> -s); + tt[w + 3] ^= (c2 >> -s); + } + + Reduce(tt, z); + + z[0] ^= e0; + z[1] ^= e1; + } + public static void Square(ulong[] x, ulong[] z) { ulong[] tt = Nat256.CreateExt64(); @@ -157,6 +192,12 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec } } + public static uint Trace(ulong[] x) + { + // Non-zero-trace bits: 0, 159 + return (uint)(x[0] ^ (x[2] >> 31)) & 1U; + } + protected static void ImplCompactExt(ulong[] zz) { ulong z0 = zz[0], z1 = zz[1], z2 = zz[2], z3 = zz[3], z4 = zz[4], z5 = zz[5], z6 = zz[6], z7 = zz[7]; diff --git a/crypto/src/math/ec/custom/sec/SecT233FieldElement.cs b/crypto/src/math/ec/custom/sec/SecT233FieldElement.cs index a9041efde..91b8e2f1c 100644 --- a/crypto/src/math/ec/custom/sec/SecT233FieldElement.cs +++ b/crypto/src/math/ec/custom/sec/SecT233FieldElement.cs @@ -159,7 +159,9 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec public override ECFieldElement Sqrt() { - return SquarePow(M - 1); + ulong[] z = Nat256.Create64(); + SecT233Field.Sqrt(x, z); + return new SecT233FieldElement(z); } public virtual int Representation diff --git a/crypto/src/math/ec/custom/sec/SecT239Field.cs b/crypto/src/math/ec/custom/sec/SecT239Field.cs index 6b8ad696f..2e6ed2ad6 100644 --- a/crypto/src/math/ec/custom/sec/SecT239Field.cs +++ b/crypto/src/math/ec/custom/sec/SecT239Field.cs @@ -136,6 +136,42 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec z[zOff + 3] = z3 & M47; } + public static void Sqrt(ulong[] x, ulong[] z) + { + ulong u0, u1; + u0 = Interleave.Unshuffle(x[0]); u1 = Interleave.Unshuffle(x[1]); + ulong e0 = (u0 & 0x00000000FFFFFFFFUL) | (u1 << 32); + ulong c0 = (u0 >> 32) | (u1 & 0xFFFFFFFF00000000UL); + + u0 = Interleave.Unshuffle(x[2]); u1 = Interleave.Unshuffle(x[3]); + ulong e1 = (u0 & 0x00000000FFFFFFFFUL) | (u1 << 32); + ulong c1 = (u0 >> 32) | (u1 & 0xFFFFFFFF00000000UL); + + ulong c2, c3; + c3 = (c1 >> 49); + c2 = (c0 >> 49) | (c1 << 15); + c1 ^= (c0 << 15); + + ulong[] tt = Nat256.CreateExt64(); + + int[] shifts = { 39, 120 }; + for (int i = 0; i < shifts.Length; ++i) + { + int w = shifts[i] >> 6, s = shifts[i] & 63; + Debug.Assert(s != 0); + tt[w ] ^= (c0 << s); + tt[w + 1] ^= (c1 << s) | (c0 >> -s); + tt[w + 2] ^= (c2 << s) | (c1 >> -s); + tt[w + 3] ^= (c3 << s) | (c2 >> -s); + tt[w + 4] ^= (c3 >> -s); + } + + Reduce(tt, z); + + z[0] ^= e0; + z[1] ^= e1; + } + public static void Square(ulong[] x, ulong[] z) { ulong[] tt = Nat256.CreateExt64(); @@ -165,6 +201,12 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec } } + public static uint Trace(ulong[] x) + { + // Non-zero-trace bits: 0, 81, 162 + return (uint)(x[0] ^ (x[1] >> 17) ^ (x[2] >> 34)) & 1U; + } + protected static void ImplCompactExt(ulong[] zz) { ulong z0 = zz[0], z1 = zz[1], z2 = zz[2], z3 = zz[3], z4 = zz[4], z5 = zz[5], z6 = zz[6], z7 = zz[7]; diff --git a/crypto/src/math/ec/custom/sec/SecT239FieldElement.cs b/crypto/src/math/ec/custom/sec/SecT239FieldElement.cs index de074c55f..a32ffc5d2 100644 --- a/crypto/src/math/ec/custom/sec/SecT239FieldElement.cs +++ b/crypto/src/math/ec/custom/sec/SecT239FieldElement.cs @@ -159,7 +159,9 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec public override ECFieldElement Sqrt() { - return SquarePow(M - 1); + ulong[] z = Nat256.Create64(); + SecT239Field.Sqrt(x, z); + return new SecT239FieldElement(z); } public virtual int Representation diff --git a/crypto/src/math/ec/custom/sec/SecT283Field.cs b/crypto/src/math/ec/custom/sec/SecT283Field.cs index 903ea02ff..22b7eaaab 100644 --- a/crypto/src/math/ec/custom/sec/SecT283Field.cs +++ b/crypto/src/math/ec/custom/sec/SecT283Field.cs @@ -10,6 +10,8 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec private const ulong M27 = ulong.MaxValue >> 37; private const ulong M57 = ulong.MaxValue >> 7; + private static readonly ulong[] ROOT_Z = new ulong[]{ 0x0C30C30C30C30808UL, 0x30C30C30C30C30C3UL, 0x820820820820830CUL, 0x0820820820820820UL, 0x2082082UL }; + public static void Add(ulong[] x, ulong[] y, ulong[] z) { z[0] = x[0] ^ y[0]; @@ -129,6 +131,30 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec z[zOff + 4] = z4 & M27; } + public static void Sqrt(ulong[] x, ulong[] z) + { + ulong[] odd = Nat320.Create64(); + + ulong u0, u1; + u0 = Interleave.Unshuffle(x[0]); u1 = Interleave.Unshuffle(x[1]); + ulong e0 = (u0 & 0x00000000FFFFFFFFUL) | (u1 << 32); + odd[0] = (u0 >> 32) | (u1 & 0xFFFFFFFF00000000UL); + + u0 = Interleave.Unshuffle(x[2]); u1 = Interleave.Unshuffle(x[3]); + ulong e1 = (u0 & 0x00000000FFFFFFFFUL) | (u1 << 32); + odd[1] = (u0 >> 32) | (u1 & 0xFFFFFFFF00000000UL); + + u0 = Interleave.Unshuffle(x[4]); + ulong e2 = (u0 & 0x00000000FFFFFFFFUL); + odd[2] = (u0 >> 32); + + Multiply(odd, ROOT_Z, z); + + z[0] ^= e0; + z[1] ^= e1; + z[2] ^= e2; + } + public static void Square(ulong[] x, ulong[] z) { ulong[] tt = Nat.Create64(9); @@ -158,6 +184,12 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec } } + public static uint Trace(ulong[] x) + { + // Non-zero-trace bits: 0, 271 + return (uint)(x[0] ^ (x[4] >> 15)) & 1U; + } + protected static void ImplCompactExt(ulong[] zz) { ulong z0 = zz[0], z1 = zz[1], z2 = zz[2], z3 = zz[3], z4 = zz[4]; diff --git a/crypto/src/math/ec/custom/sec/SecT283FieldElement.cs b/crypto/src/math/ec/custom/sec/SecT283FieldElement.cs index e02108f73..adfd4e0ed 100644 --- a/crypto/src/math/ec/custom/sec/SecT283FieldElement.cs +++ b/crypto/src/math/ec/custom/sec/SecT283FieldElement.cs @@ -159,7 +159,9 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec public override ECFieldElement Sqrt() { - return SquarePow(M - 1); + ulong[] z = Nat320.Create64(); + SecT283Field.Sqrt(x, z); + return new SecT283FieldElement(z); } public virtual int Representation diff --git a/crypto/src/math/ec/custom/sec/SecT409Field.cs b/crypto/src/math/ec/custom/sec/SecT409Field.cs index 84eada96e..861b77aa1 100644 --- a/crypto/src/math/ec/custom/sec/SecT409Field.cs +++ b/crypto/src/math/ec/custom/sec/SecT409Field.cs @@ -165,6 +165,36 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec z[zOff + 6] = z6 & M25; } + public static void Sqrt(ulong[] x, ulong[] z) + { + ulong u0, u1; + u0 = Interleave.Unshuffle(x[0]); u1 = Interleave.Unshuffle(x[1]); + ulong e0 = (u0 & 0x00000000FFFFFFFFUL) | (u1 << 32); + ulong c0 = (u0 >> 32) | (u1 & 0xFFFFFFFF00000000UL); + + u0 = Interleave.Unshuffle(x[2]); u1 = Interleave.Unshuffle(x[3]); + ulong e1 = (u0 & 0x00000000FFFFFFFFUL) | (u1 << 32); + ulong c1 = (u0 >> 32) | (u1 & 0xFFFFFFFF00000000UL); + + u0 = Interleave.Unshuffle(x[4]); u1 = Interleave.Unshuffle(x[5]); + ulong e2 = (u0 & 0x00000000FFFFFFFFUL) | (u1 << 32); + ulong c2 = (u0 >> 32) | (u1 & 0xFFFFFFFF00000000UL); + + u0 = Interleave.Unshuffle(x[6]); + ulong e3 = (u0 & 0x00000000FFFFFFFFUL); + ulong c3 = (u0 >> 32); + + z[0] = e0 ^ (c0 << 44); + z[1] = e1 ^ (c1 << 44) ^ (c0 >> 20); + z[2] = e2 ^ (c2 << 44) ^ (c1 >> 20); + z[3] = e3 ^ (c3 << 44) ^ (c2 >> 20) ^ (c0 << 13); + z[4] = (c3 >> 20) ^ (c1 << 13) ^ (c0 >> 51); + z[5] = (c2 << 13) ^ (c1 >> 51); + z[6] = (c3 << 13) ^ (c2 >> 51); + + Debug.Assert((c3 >> 51) == 0); + } + public static void Square(ulong[] x, ulong[] z) { ulong[] tt = Nat.Create64(13); @@ -194,6 +224,12 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec } } + public static uint Trace(ulong[] x) + { + // Non-zero-trace bits: 0 + return (uint)(x[0]) & 1U; + } + protected static void ImplCompactExt(ulong[] zz) { ulong z00 = zz[ 0], z01 = zz[ 1], z02 = zz[ 2], z03 = zz[ 3], z04 = zz[ 4], z05 = zz[ 5], z06 = zz[ 6]; diff --git a/crypto/src/math/ec/custom/sec/SecT409FieldElement.cs b/crypto/src/math/ec/custom/sec/SecT409FieldElement.cs index 581ea73df..f954f46e7 100644 --- a/crypto/src/math/ec/custom/sec/SecT409FieldElement.cs +++ b/crypto/src/math/ec/custom/sec/SecT409FieldElement.cs @@ -159,7 +159,9 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec public override ECFieldElement Sqrt() { - return SquarePow(M - 1); + ulong[] z = Nat448.Create64(); + SecT409Field.Sqrt(x, z); + return new SecT409FieldElement(z); } public virtual int Representation diff --git a/crypto/src/math/ec/custom/sec/SecT571Field.cs b/crypto/src/math/ec/custom/sec/SecT571Field.cs index fc84e336b..98f4f7fc2 100644 --- a/crypto/src/math/ec/custom/sec/SecT571Field.cs +++ b/crypto/src/math/ec/custom/sec/SecT571Field.cs @@ -11,6 +11,9 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec private const ulong RM = 0xEF7BDEF7BDEF7BDEUL; + private static readonly ulong[] ROOT_Z = new ulong[]{ 0x2BE1195F08CAFB99UL, 0x95F08CAF84657C23UL, 0xCAF84657C232BE11UL, 0x657C232BE1195F08UL, + 0xF84657C2308CAF84UL, 0x7C232BE1195F08CAUL, 0xBE1195F08CAF8465UL, 0x5F08CAF84657C232UL, 0x784657C232BE119UL }; + public static void Add(ulong[] x, ulong[] y, ulong[] z) { for (int i = 0; i < 9; ++i) @@ -156,6 +159,28 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec z[zOff + 8] = z8 & M59; } + public static void Sqrt(ulong[] x, ulong[] z) + { + ulong[] evn = Nat576.Create64(), odd = Nat576.Create64(); + + int pos = 0; + for (int i = 0; i < 4; ++i) + { + ulong u0 = Interleave.Unshuffle(x[pos++]); + ulong u1 = Interleave.Unshuffle(x[pos++]); + evn[i] = (u0 & 0x00000000FFFFFFFFUL) | (u1 << 32); + odd[i] = (u0 >> 32) | (u1 & 0xFFFFFFFF00000000UL); + } + { + ulong u0 = Interleave.Unshuffle(x[pos]); + evn[4] = (u0 & 0x00000000FFFFFFFFUL); + odd[4] = (u0 >> 32); + } + + Multiply(odd, ROOT_Z, z); + Add(z, evn, z); + } + public static void Square(ulong[] x, ulong[] z) { ulong[] tt = Nat576.CreateExt64(); @@ -185,6 +210,12 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec } } + public static uint Trace(ulong[] x) + { + // Non-zero-trace bits: 0, 561, 569 + return (uint)(x[0] ^ (x[8] >> 49) ^ (x[8] >> 57)) & 1U; + } + protected static void ImplMultiply(ulong[] x, ulong[] y, ulong[] zz) { //for (int i = 0; i < 9; ++i) diff --git a/crypto/src/math/ec/custom/sec/SecT571FieldElement.cs b/crypto/src/math/ec/custom/sec/SecT571FieldElement.cs index 5d5458412..c43b8dc3a 100644 --- a/crypto/src/math/ec/custom/sec/SecT571FieldElement.cs +++ b/crypto/src/math/ec/custom/sec/SecT571FieldElement.cs @@ -159,7 +159,9 @@ namespace Org.BouncyCastle.Math.EC.Custom.Sec public override ECFieldElement Sqrt() { - return SquarePow(M - 1); + ulong[] z = Nat576.Create64(); + SecT571Field.Sqrt(x, z); + return new SecT571FieldElement(z); } public virtual int Representation diff --git a/crypto/src/math/raw/Interleave.cs b/crypto/src/math/raw/Interleave.cs index a45ee1e08..d21840644 100644 --- a/crypto/src/math/raw/Interleave.cs +++ b/crypto/src/math/raw/Interleave.cs @@ -91,5 +91,17 @@ namespace Org.BouncyCastle.Math.Raw z[zOff ] = (x ) & M64; z[zOff + 1] = (x >> 1) & M64; } + + internal static ulong Unshuffle(ulong x) + { + // "unshuffle" even bits to low half and odd bits to high half + ulong t; + t = (x ^ (x >> 1)) & 0x2222222222222222UL; x ^= (t ^ (t << 1)); + t = (x ^ (x >> 2)) & 0x0C0C0C0C0C0C0C0CUL; x ^= (t ^ (t << 2)); + t = (x ^ (x >> 4)) & 0x00F000F000F000F0UL; x ^= (t ^ (t << 4)); + t = (x ^ (x >> 8)) & 0x0000FF000000FF00UL; x ^= (t ^ (t << 8)); + t = (x ^ (x >> 16)) & 0x00000000FFFF0000UL; x ^= (t ^ (t << 16)); + return x; + } } } diff --git a/crypto/test/src/math/ec/test/ECPointTest.cs b/crypto/test/src/math/ec/test/ECPointTest.cs index 3c10170f7..57f838f9f 100644 --- a/crypto/test/src/math/ec/test/ECPointTest.cs +++ b/crypto/test/src/math/ec/test/ECPointTest.cs @@ -437,6 +437,19 @@ namespace Org.BouncyCastle.Math.EC.Tests } } } + else if (ECAlgorithms.IsF2mCurve(c)) + { + int m = c.FieldSize; + BigInteger x = new BigInteger(m, secRand); + ECFieldElement fe = c.FromBigInteger(x); + for (int i = 0; i < 100; ++i) + { + ECFieldElement sq = fe.Square(); + ECFieldElement check = sq.Sqrt(); + Assert.AreEqual(fe, check); + fe = sq; + } + } } private void ImplAddSubtractMultiplyTwiceEncodingTestAllCoords(X9ECParameters x9ECParameters) -- cgit 1.5.1 From 0684c4783deae5cf4862e78302844058e5433bce Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Mon, 28 Dec 2015 15:32:02 +0700 Subject: Clean up a few warnings --- crypto/src/AssemblyInfo.cs | 3 --- crypto/src/crypto/engines/SerpentEngineBase.cs | 9 +++++---- crypto/test/src/crypto/test/NaccacheSternTest.cs | 5 +---- crypto/test/src/crypto/test/PaddingTest.cs | 6 ++---- crypto/test/src/test/ECEncodingTest.cs | 11 +++++------ 5 files changed, 13 insertions(+), 21 deletions(-) (limited to 'crypto/src') diff --git a/crypto/src/AssemblyInfo.cs b/crypto/src/AssemblyInfo.cs index 05f1d8f63..6d6de3218 100644 --- a/crypto/src/AssemblyInfo.cs +++ b/crypto/src/AssemblyInfo.cs @@ -65,10 +65,7 @@ using System.Runtime.InteropServices; [assembly: AssemblyDelaySign(false)] #if STRONG_NAME [assembly: AssemblyKeyFile(@"../BouncyCastle.snk")] -#else -[assembly: AssemblyKeyFile("")] #endif -[assembly: AssemblyKeyName("")] [assembly: CLSCompliant(true)] #if !PORTABLE diff --git a/crypto/src/crypto/engines/SerpentEngineBase.cs b/crypto/src/crypto/engines/SerpentEngineBase.cs index a5d91b3be..9de552233 100644 --- a/crypto/src/crypto/engines/SerpentEngineBase.cs +++ b/crypto/src/crypto/engines/SerpentEngineBase.cs @@ -101,12 +101,13 @@ namespace Org.BouncyCastle.Crypto.Engines return ( (int)((uint)x >> bits) | (x << (32 - bits))); } - /** + /* * The sboxes below are based on the work of Brian Gladman and * Sam Simpson, whose original notice appears below. *

* For further details see: * http://fp.gladman.plus.com/cryptography_technology/serpent/ + *

*/ /* Partially optimised Serpent S Box boolean functions derived */ @@ -124,9 +125,9 @@ namespace Org.BouncyCastle.Crypto.Engines /* We hereby give permission for information in this file to be */ /* used freely subject only to acknowledgement of its origin. */ - /** - * S0 - { 3, 8,15, 1,10, 6, 5,11,14,13, 4, 2, 7, 0, 9,12 } - 15 terms. - */ + /* + * S0 - { 3, 8,15, 1,10, 6, 5,11,14,13, 4, 2, 7, 0, 9,12 } - 15 terms. + */ protected void Sb0(int a, int b, int c, int d) { int t1 = a ^ d; diff --git a/crypto/test/src/crypto/test/NaccacheSternTest.cs b/crypto/test/src/crypto/test/NaccacheSternTest.cs index 4fa256f12..9168adced 100644 --- a/crypto/test/src/crypto/test/NaccacheSternTest.cs +++ b/crypto/test/src/crypto/test/NaccacheSternTest.cs @@ -78,9 +78,6 @@ namespace Org.BouncyCastle.Crypto.Tests static NaccacheSternTest() { - cryptEng.Debug = debug; - decryptEng.Debug = debug; - // First the Parameters from the NaccacheStern Paper // (see http://www.gemplus.com/smart/rd/publications/pdf/NS98pkcs.pdf ) @@ -145,7 +142,7 @@ namespace Org.BouncyCastle.Crypto.Tests // specify key generation parameters NaccacheSternKeyGenerationParameters genParam - = new NaccacheSternKeyGenerationParameters(new SecureRandom(), 768, 8, 30, debug); + = new NaccacheSternKeyGenerationParameters(new SecureRandom(), 768, 8, 30); // Initialize Key generator and generate key pair NaccacheSternKeyPairGenerator pGen = new NaccacheSternKeyPairGenerator(); diff --git a/crypto/test/src/crypto/test/PaddingTest.cs b/crypto/test/src/crypto/test/PaddingTest.cs index 6f41d754c..ed53d9228 100644 --- a/crypto/test/src/crypto/test/PaddingTest.cs +++ b/crypto/test/src/crypto/test/PaddingTest.cs @@ -105,11 +105,9 @@ namespace Org.BouncyCastle.Crypto.Tests public override void PerformTest() { - SecureRandom rand = new SecureRandom(new byte[20]); + SecureRandom rand = SecureRandom.GetInstance("SHA1PRNG"); - rand.SetSeed(DateTime.Now.Ticks); - - doTestPadding(new Pkcs7Padding(), rand, + doTestPadding(new Pkcs7Padding(), rand, Hex.Decode("ffffff0505050505"), Hex.Decode("0000000004040404")); diff --git a/crypto/test/src/test/ECEncodingTest.cs b/crypto/test/src/test/ECEncodingTest.cs index f1a4d5e3a..8d993c15e 100644 --- a/crypto/test/src/test/ECEncodingTest.cs +++ b/crypto/test/src/test/ECEncodingTest.cs @@ -109,7 +109,7 @@ namespace Org.BouncyCastle.Tests if (!compress) { //pubKey.setPointFormat("UNCOMPRESSED"); - pubKey = SetPublicUncompressed(pubKey, false); + pubKey = SetPublicUncompressed(pubKey); } byte[] x = pubKey.Q.AffineXCoord.ToBigInteger().ToByteArrayUnsigned(); @@ -154,7 +154,7 @@ namespace Org.BouncyCastle.Tests // TODO Private key compression? //newKey.setPointFormat("UNCOMPRESSED"); //newPubKey.setPointFormat("UNCOMPRESSED"); - newPubKey = SetPublicUncompressed(newPubKey, false); + newPubKey = SetPublicUncompressed(newPubKey); } // string newPrivateKey = new string(Hex.encode(newKey.getEncoded())); @@ -201,7 +201,7 @@ namespace Org.BouncyCastle.Tests // TODO Private key compression? //privECKey.setPointFormat("UNCOMPRESSED"); //pubECKey.setPointFormat("UNCOMPRESSED"); - pubECKey = SetPublicUncompressed(pubECKey, false); + pubECKey = SetPublicUncompressed(pubECKey); } certGen.SetSignatureAlgorithm("ECDSAwithSHA1"); @@ -216,13 +216,12 @@ namespace Org.BouncyCastle.Tests } private ECPublicKeyParameters SetPublicUncompressed( - ECPublicKeyParameters key, - bool withCompression) + ECPublicKeyParameters key) { ECPoint p = key.Q.Normalize(); return new ECPublicKeyParameters( key.AlgorithmName, - p.Curve.CreatePoint(p.XCoord.ToBigInteger(), p.YCoord.ToBigInteger(), withCompression), + p.Curve.CreatePoint(p.XCoord.ToBigInteger(), p.YCoord.ToBigInteger()), key.Parameters); } -- cgit 1.5.1 From 5cf99df42f7ee75979a0d7243b79eff844fdbcfd Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Mon, 28 Dec 2015 17:50:36 +0700 Subject: Various ASN.1 updates from Java API --- crypto/BouncyCastle.Android.csproj | 4 +- crypto/BouncyCastle.csproj | 4 +- crypto/BouncyCastle.iOS.csproj | 4 +- crypto/crypto.csproj | 10 ++ crypto/src/asn1/Asn1InputStream.cs | 4 + crypto/src/asn1/Asn1TaggedObject.cs | 10 ++ crypto/src/asn1/DERExternal.cs | 15 +-- crypto/src/asn1/DerApplicationSpecific.cs | 2 +- crypto/src/asn1/DerGraphicString.cs | 103 +++++++++++++++++++++ crypto/src/asn1/DerVideotexString.cs | 103 +++++++++++++++++++++ crypto/src/asn1/util/Asn1Dump.cs | 8 ++ .../src/asn1/test/DERApplicationSpecificTest.cs | 67 +++++++++++++- crypto/test/src/asn1/test/EqualsAndHashCodeTest.cs | 6 +- 13 files changed, 320 insertions(+), 20 deletions(-) create mode 100644 crypto/src/asn1/DerGraphicString.cs create mode 100644 crypto/src/asn1/DerVideotexString.cs (limited to 'crypto/src') diff --git a/crypto/BouncyCastle.Android.csproj b/crypto/BouncyCastle.Android.csproj index 6ceeac8bd..70d09cc6e 100644 --- a/crypto/BouncyCastle.Android.csproj +++ b/crypto/BouncyCastle.Android.csproj @@ -1,4 +1,4 @@ - + Debug @@ -109,6 +109,7 @@ + @@ -125,6 +126,7 @@ + diff --git a/crypto/BouncyCastle.csproj b/crypto/BouncyCastle.csproj index b3aefa8e9..f57dd2011 100644 --- a/crypto/BouncyCastle.csproj +++ b/crypto/BouncyCastle.csproj @@ -1,4 +1,4 @@ - + Debug @@ -103,6 +103,7 @@ + @@ -119,6 +120,7 @@ + diff --git a/crypto/BouncyCastle.iOS.csproj b/crypto/BouncyCastle.iOS.csproj index f5bef5bb4..4c499db46 100644 --- a/crypto/BouncyCastle.iOS.csproj +++ b/crypto/BouncyCastle.iOS.csproj @@ -1,4 +1,4 @@ - + Debug @@ -104,6 +104,7 @@ + @@ -120,6 +121,7 @@ + diff --git a/crypto/crypto.csproj b/crypto/crypto.csproj index e4bd2e036..73afed47e 100644 --- a/crypto/crypto.csproj +++ b/crypto/crypto.csproj @@ -383,6 +383,11 @@ SubType = "Code" BuildAction = "Compile" /> + + Date: Mon, 28 Dec 2015 19:25:35 +0700 Subject: Add IdRsaKem --- crypto/src/asn1/pkcs/PKCSObjectIdentifiers.cs | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) (limited to 'crypto/src') diff --git a/crypto/src/asn1/pkcs/PKCSObjectIdentifiers.cs b/crypto/src/asn1/pkcs/PKCSObjectIdentifiers.cs index 0b2ffa0d1..609aa61ba 100644 --- a/crypto/src/asn1/pkcs/PKCSObjectIdentifiers.cs +++ b/crypto/src/asn1/pkcs/PKCSObjectIdentifiers.cs @@ -118,6 +118,8 @@ namespace Org.BouncyCastle.Asn1.Pkcs public static readonly DerObjectIdentifier Pkcs9AtSigningDescription = new DerObjectIdentifier(Pkcs9 + ".13"); public static readonly DerObjectIdentifier Pkcs9AtExtensionRequest = new DerObjectIdentifier(Pkcs9 + ".14"); public static readonly DerObjectIdentifier Pkcs9AtSmimeCapabilities = new DerObjectIdentifier(Pkcs9 + ".15"); + public static readonly DerObjectIdentifier IdSmime = new DerObjectIdentifier(Pkcs9 + ".16"); + public static readonly DerObjectIdentifier Pkcs9AtFriendlyName = new DerObjectIdentifier(Pkcs9 + ".20"); public static readonly DerObjectIdentifier Pkcs9AtLocalKeyID = new DerObjectIdentifier(Pkcs9 + ".21"); @@ -131,19 +133,32 @@ namespace Org.BouncyCastle.Asn1.Pkcs public const string CrlTypes = Pkcs9 + ".23"; public static readonly DerObjectIdentifier X509Crl = new DerObjectIdentifier(CrlTypes + ".1"); - public static readonly DerObjectIdentifier IdAlgPwriKek = new DerObjectIdentifier(Pkcs9 + ".16.3.9"); + public static readonly DerObjectIdentifier IdAlg = IdSmime.Branch("3"); + public static readonly DerObjectIdentifier IdAlgPwriKek = IdAlg.Branch("9"); + + /* + * 
+         * -- RSA-KEM Key Transport Algorithm
+         *
+         * id-rsa-kem OID ::= {
+         *      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
+         *      pkcs-9(9) smime(16) alg(3) 14
+         *   }
+         *
+ */ + public static readonly DerObjectIdentifier IdRsaKem = IdAlg.Branch("14"); // // SMIME capability sub oids. // - public static readonly DerObjectIdentifier PreferSignedData = new DerObjectIdentifier(Pkcs9 + ".15.1"); - public static readonly DerObjectIdentifier CannotDecryptAny = new DerObjectIdentifier(Pkcs9 + ".15.2"); - public static readonly DerObjectIdentifier SmimeCapabilitiesVersions = new DerObjectIdentifier(Pkcs9 + ".15.3"); + public static readonly DerObjectIdentifier PreferSignedData = Pkcs9AtSmimeCapabilities.Branch("1"); + public static readonly DerObjectIdentifier CannotDecryptAny = Pkcs9AtSmimeCapabilities.Branch("2"); + public static readonly DerObjectIdentifier SmimeCapabilitiesVersions = Pkcs9AtSmimeCapabilities.Branch("3"); // // other SMIME attributes // - public static readonly DerObjectIdentifier IdAAReceiptRequest = new DerObjectIdentifier(Pkcs9 + ".16.2.1"); + public static readonly DerObjectIdentifier IdAAReceiptRequest = IdSmime.Branch("2.1"); // // id-ct OBJECT IDENTIFIER ::= {iso(1) member-body(2) usa(840) @@ -252,5 +267,5 @@ namespace Org.BouncyCastle.Asn1.Pkcs public static readonly DerObjectIdentifier IdAlgCms3DesWrap = new DerObjectIdentifier("1.2.840.113549.1.9.16.3.6"); public static readonly DerObjectIdentifier IdAlgCmsRC2Wrap = new DerObjectIdentifier("1.2.840.113549.1.9.16.3.7"); - } + } } -- cgit 1.5.1 From 5439621aab0092fdf259911bc9cc7481f10bc943 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Mon, 28 Dec 2015 20:18:40 +0700 Subject: Add a couple more OIDs --- crypto/src/asn1/pkcs/PKCSObjectIdentifiers.cs | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'crypto/src') diff --git a/crypto/src/asn1/pkcs/PKCSObjectIdentifiers.cs b/crypto/src/asn1/pkcs/PKCSObjectIdentifiers.cs index 609aa61ba..042911a06 100644 --- a/crypto/src/asn1/pkcs/PKCSObjectIdentifiers.cs +++ b/crypto/src/asn1/pkcs/PKCSObjectIdentifiers.cs @@ -133,8 +133,13 @@ namespace Org.BouncyCastle.Asn1.Pkcs public const string CrlTypes = Pkcs9 + ".23"; public static readonly DerObjectIdentifier X509Crl = new DerObjectIdentifier(CrlTypes + ".1"); - public static readonly DerObjectIdentifier IdAlg = IdSmime.Branch("3"); - public static readonly DerObjectIdentifier IdAlgPwriKek = IdAlg.Branch("9"); + public static readonly DerObjectIdentifier IdAlg = IdSmime.Branch("3"); + + public static readonly DerObjectIdentifier IdAlgEsdh = IdAlg.Branch("5"); + public static readonly DerObjectIdentifier IdAlgCms3DesWrap = IdAlg.Branch("6"); + public static readonly DerObjectIdentifier IdAlgCmsRC2Wrap = IdAlg.Branch("7"); + public static readonly DerObjectIdentifier IdAlgPwriKek = IdAlg.Branch("9"); + public static readonly DerObjectIdentifier IdAlgSsdh = IdAlg.Branch("10"); /* * 
@@ -264,8 +269,5 @@ namespace Org.BouncyCastle.Asn1.Pkcs
         public static readonly DerObjectIdentifier PbeWithShaAnd2KeyTripleDesCbc	= new DerObjectIdentifier(Pkcs12PbeIds + ".4");
         public static readonly DerObjectIdentifier PbeWithShaAnd128BitRC2Cbc		= new DerObjectIdentifier(Pkcs12PbeIds + ".5");
         public static readonly DerObjectIdentifier PbewithShaAnd40BitRC2Cbc			= new DerObjectIdentifier(Pkcs12PbeIds + ".6");
-
-		public static readonly DerObjectIdentifier IdAlgCms3DesWrap = new DerObjectIdentifier("1.2.840.113549.1.9.16.3.6");
-		public static readonly DerObjectIdentifier IdAlgCmsRC2Wrap = new DerObjectIdentifier("1.2.840.113549.1.9.16.3.7");
     }
 }
-- 
cgit 1.5.1


From 4a87b839681c95a5fbe43ed6ce65fa069a942586 Mon Sep 17 00:00:00 2001
From: Peter Dettman 
Date: Mon, 28 Dec 2015 21:34:07 +0700
Subject: Update versions and release notes for release 1.8.1

---
 crypto/NBuild.build        |  2 +-
 crypto/Readme.html         | 42 ++++++++++++++++++++++++++++++++++++------
 crypto/src/AssemblyInfo.cs |  6 +++---
 3 files changed, 40 insertions(+), 10 deletions(-)

(limited to 'crypto/src')

diff --git a/crypto/NBuild.build b/crypto/NBuild.build
index 984fd6758..71096cbf0 100644
--- a/crypto/NBuild.build
+++ b/crypto/NBuild.build
@@ -16,7 +16,7 @@
   
 
   
-  
+  
   
 
   
diff --git a/crypto/Readme.html b/crypto/Readme.html
index 67116c815..d5cda3032 100644
--- a/crypto/Readme.html
+++ b/crypto/Readme.html
@@ -30,6 +30,8 @@
 			
  • 
 				Notes:
 		
      
+            
    1. 
+                Release 1.8.1
             
    2. 
                 Release 1.8.0
             
    3. 
@@ -288,6 +290,38 @@ We state, where EC MQV has not otherwise been disabled or removed:
 		
      
 		
      Notes:
      
 
+        
      Release 1.8.1, Monday December 28, 2015
      
+
+        
      Security Advisory
      
+        
        
+            
      • 
+                (D)TLS 1.2: Motivated by CVE-2015-7575, we have added validation that
+                the signature algorithm received in DigitallySigned structures is actually one of those offered (in signature_algorithms extension
+                or CertificateRequest). With our default TLS configuration, we do not believe there is an exploitable vulnerability in any earlier
+                releases. Users that are customizing the signature_algorithms extension, or running a server supporting client authentication, are
+                advised to double-check that they are not offering any signature algorithms involving MD5.
+            
        • 
+        
      
+        
      Additional Features and Functionality
      
+        
        
+            
      • Added support for ASN.1 GraphicString and VideotexString types.
        • 
+            
      • 
+                Problems with DTLS record-layer version handling were resolved via BJA-584,
+                making version negotiation work properly.
+            
        • 
+        
      
+        
      Additional Notes
      
+        
+
         
      Release 1.8.0, Sunday November 22, 2015
      
 
         
      IMPORTANT
      
@@ -348,15 +382,11 @@ We state, where EC MQV has not otherwise been disabled or removed:
         
 
diff --git a/crypto/src/AssemblyInfo.cs b/crypto/src/AssemblyInfo.cs
index 6d6de3218..bb9811d83 100644
--- a/crypto/src/AssemblyInfo.cs
+++ b/crypto/src/AssemblyInfo.cs
@@ -33,9 +33,9 @@ using System.Runtime.InteropServices;
 // You can specify all the values or you can default the Revision and Build Numbers
 // by using the '*' as shown below:
 
-[assembly: AssemblyVersion("1.8.0.0")]
-[assembly: AssemblyFileVersion("1.8.15326.1")]
-[assembly: AssemblyInformationalVersion("1.8.0")]
+[assembly: AssemblyVersion("1.8.1.0")]
+[assembly: AssemblyFileVersion("1.8.15362.1")]
+[assembly: AssemblyInformationalVersion("1.8.1")]
 
 //
 // In order to sign your assembly you must specify a key to use. Refer to the
-- 
cgit 1.5.1