debian/0000775000000000000000000000000012756167255007210 5ustar debian/gbp.conf0000664000000000000000000000026012115055317010605 0ustar [DEFAULT] debian-branch = debian-sid debian-tag = debian/%(version)s upstream-branch = upstream-sid upstream-tag = upstream/%(version)s pristine-tar = True [git-dch] meta = 1 debian/manpages/0000775000000000000000000000000012115055317010763 5ustar debian/manpages/botan-config-1.10.10000664000000000000000000000122612115055317013771 0ustar .TH BOTAN\-CONFIG\-1.10 1 2011\-08\-25 1.10.0 "Botan Configuration Query program" .SH NAME botan\-config\-1.10 \- Botan Configuration Query program .SH SYNOPSIS \fBbotan-config\-1.10\fR [\fB\-\-prefix[=DIR]\fR] [\fB\-\-version\fR] [\fB\-\-libs\fR] [\fB\-\-cflags\fR] .SH DESCRIPTION .PP \fBbase\-config\fR is used to access the configuration information of Botan. .SH HOMEPAGE More information about Botan Project can be found at <\fIhttp://botan.randombit.net/\fR>. .SH AUTHOR Botan was written by Jack Lloyd . .PP This manual page was written by Daniel Baumann , for the Debian project (but may be used by others). debian/libbotan1.10-dev.docs0000664000000000000000000000002512115055317012705 0ustar readme.txt doc/*.txt debian/libbotan1.10-dev.manpages0000664000000000000000000000002212115055317013545 0ustar debian/manpages/* debian/libbotan-1.10-0.docs0000664000000000000000000000003312115055317012342 0ustar readme.txt doc/credits.txt debian/rules0000775000000000000000000000241712115055317010254 0ustar #!/usr/bin/make -f DEB_HOST_GNU_CPU ?= $(shell dpkg-architecture -qDEB_HOST_GNU_CPU) CONFIGURE_FLAGS = --cpu=$(DEB_HOST_GNU_CPU) # SKIP_TESTS_ON_CPU="arm ia64 mips mipsel sparc sh4" # Because we used --cpu=generic before, 64bit arches did not use 64bit BigInt. # Using --cpu=$arch would enable it, and break ABI. 
# CONFIGURE_FLAGS += --disable-modules=mp_asm64,mp_amd64 %: DEB_BUILD_HARDENING=1 dh ${@} override_dh_auto_clean: dh_auto_clean rm -f Makefile check libbotan-*.so libbotan.a rm -rf build override_dh_auto_configure: DEB_BUILD_HARDENING=1 ./configure.py --prefix=/usr --cc=gcc --os=linux --with-bzip2 --with-gnump --with-openssl --with-zlib $(CONFIGURE_FLAGS) override_dh_auto_build: DEB_BUILD_HARDENING=1 $(MAKE) all override_dh_auto_test: ifeq (,$(findstring $(DEB_HOST_GNU_CPU),$(SKIP_TESTS_ON_CPU))) $(MAKE) check LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:$(CURDIR)" ./check --validate endif override_dh_auto_install: dh_auto_install -- DESTDIR=$(CURDIR)/debian/tmp/usr # Removing useless files rm -rf debian/tmp/usr/share/doc/botan-* override_dh_installchangelogs: dh_installchangelogs doc/log.txt override_dh_install: dh_install --fail-missing override_dh_strip: dh_strip --dbg-package=botan1.10-dbg override_dh_installdocs: dh_installdocs -Xlicense.txt debian/copyright0000664000000000000000000000577412115055317011140 0ustar Author: Jack Lloyd Download: http://botan.randombit.net/ Files: * Copyright: (C) 1999-2009 Jack Lloyd (C) 2001 Peter J Jones (C) 2004-2007 Justin Karneges (C) 2005 Matthew Gregan (C) 2005-2006 Matt Johnston (C) 2006 Luca Piccarreta (C) 2007 Yves Jerschow (C) 2007-2008 FlexSecure GmbH (C) 2007-2008 Technische Universitat Darmstadt (C) 2007-2008 Falko Strenzke (C) 2007-2008 Martin Doering (C) 2007 Manuel Hartl (C) 2007 Christoph Ludwig (C) 2007 Patrick Sona License: BSD Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: . 1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer. . 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution. . 
THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Files: debian/* Copyright: (C) 2007-2009 Daniel Baumann License: BSD Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: . 1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer. . 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution. . THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. debian/libbotan1.10-dev.examples0000664000000000000000000000001712115055317013574 0ustar doc/examples/* debian/changelog0000664000000000000000000005351212756167105011062 0ustar botan1.10 (1.10.5-1+deb7u1ubuntu0.14.04.1) trusty-security; urgency=medium * Security merge from Debian. -- Steve Beattie Sat, 20 Aug 2016 16:56:27 -0700 botan1.10 (1.10.5-1+deb7u1) wheezy-security; urgency=high * Non-maintainer upload by the LTS team. * CVE-2014-9742: Fix insufficient randomness in Miller-Rabin primality check. * CVE-2015-5726: Fix crash in BER decoder. * CVE-2015-5727: Fix excess memory allocation in BER decoder. * CVE-2015-7827: Fix PKCS #1 v1.5 decoding that was not constant time. * CVE-2016-2194: Fix infinite loop in modular square root algorithm. * CVE-2016-2195: Fix heap overflow on invalid ECC point. * CVE-2016-2849: Use constant time modular inverse algorithm to avoid possible side channel attack against ECDSA. -- Markus Koschany Sat, 30 Apr 2016 11:38:27 +0200 botan1.10 (1.10.5-1ubuntu1) trusty; urgency=medium * ppc64el-support.patch: Add powerpc64le support to the upstream build system and update ppc64/altivec support for power7+ and power8 CPUs. * arm64-support.patch: Add arm64 support to the upstream build system. -- Adam Conrad Sat, 15 Mar 2014 10:26:49 -0600 botan1.10 (1.10.5-1) unstable; urgency=low * Imported Upstream version 1.10.4 + Avoid a conditional operation in the power mod implementations on whether a nibble of the exponent was zero or not. 
This may help protect against certain forms of side channel attacks. + The SRP6 code was checking for invalid values as specified in RFC 5054, specifically values equal to zero mod p. However SRP would accept negative A/B values, or ones larger than p, neither of which should occur in a normal run of the protocol. These values are now rejected. Credits to Timothy Prepscius for pointing out these values are not normally used and probably signal something fishy. + The return value of version_string is now a compile time constant string, so version information can be more easily extracted from binaries. * Imported Upstream version 1.10.5 + A potential crash in the AES-NI implementation of the AES-192 key schedule (caused by misaligned loads) has been fixed. + A previously conditional operation in Montgomery multiplication and squaring is now always performed, removing a possible timing channel. + Use correct flags for creating a shared library on OS X under Clang. + Fix a compile time incompatibility with Visual C++ 2012. -- Ondřej Surý Mon, 04 Mar 2013 09:24:12 +0100 botan1.10 (1.10.3-1) unstable; urgency=high * Imported Upstream version 1.10.3 + A change in 1.10.2 accidentally broke ABI compatibility with 1.10.1 and earlier versions, causing programs compiled against 1.10.1 to crash if linked with 1.10.2 at runtime. (Closes: #681066) + Recent versions of OpenSSL include extra information in ECC private keys, the presence of which caused an exception when such a key was loaded by botan. The decoding of ECC private keys has been changed to ignore these fields if they are set. 
-- Ondřej Surý Tue, 10 Jul 2012 21:03:03 +0200 botan1.10 (1.10.2-1) unstable; urgency=low * Imported Upstream version 1.10.2 * Remove s390x patch as it was merged upstream -- Ondřej Surý Thu, 28 Jun 2012 11:08:11 +0200 botan1.10 (1.10.1-1) unstable; urgency=low * Imported Upstream version 1.10.1 -- Ondřej Surý Tue, 07 Feb 2012 20:03:56 +0100 botan1.10 (1.10.0-3) unstable; urgency=low * Don't canonicalize s390x to s390/s390 (Closes: #639564) -- Ondřej Surý Thu, 01 Sep 2011 09:45:13 +0200 botan1.10 (1.10.0-2) unstable; urgency=low * Rename manpage to botan-config-1.10 (Closes: #639264) -- Ondřej Surý Thu, 25 Aug 2011 15:41:02 +0200 botan1.10 (1.10.0-1) unstable; urgency=low * Imported Upstream version 1.10.0 * Don't Conflict with libbotan1.8-dev, it's no longer needed * Rename libbotan-1.9 to libbotan-1.10-0 to match its SONAME -- Ondřej Surý Tue, 21 Jun 2011 08:42:11 +0200 botan1.10 (1.10~1.9.18-1) unstable; urgency=low * Imported Upstream version 1.10~1.9.18 + Remove all local patches; merged upstream * Update Vcs-* links * Update *.install to reflect the versioning changes in upstream + botan-config is now botan-config-. 
+ headers are installed to /usr/include/botan-./botan + pkg-config is botan-..pc -- Ondřej Surý Fri, 03 Jun 2011 16:23:16 +0200 botan1.10 (1.10~1.9.17-1) unstable; urgency=low * Fork botan1.8 package to botan1.10 * Imported Upstream version 1.9.17 * Fix spelling error recieved vs received in library * Debian packaging: + Bump standards version to 3.9.2 + Adjust patches to the new release + Enable full build including the checks on all platforms + Update install and docs files to the new release + Rename library to libbotan-1.9.so to match SONAME + Exclude duplicate license.txt file from package -- Ondřej Surý Tue, 10 May 2011 12:12:27 +0200 botan1.8 (1.8.11-1) unstable; urgency=low * Imported Upstream version 1.8.11 -- Ondřej Surý Wed, 22 Dec 2010 11:56:33 +0100 botan1.8 (1.8.9-2) unstable; urgency=low * Add sh4 support (Closes: #594159) * Bump standards version to 3.9.1 -- Ondřej Surý Tue, 24 Aug 2010 09:30:33 +0200 botan1.8 (1.8.9-1) unstable; urgency=low * New upstream version * Add git-buildpackage config * Remove gmp_fix.patch; merged upstream -- Ondřej Surý Wed, 04 Aug 2010 16:59:58 +0200 botan1.8 (1.8.8-5) unstable; urgency=low * Add debian/watch file * Disable tests on sparc as well -- Ondřej Surý Sun, 18 Apr 2010 22:53:09 +0200 botan1.8 (1.8.8-4) unstable; urgency=low * Take ownership of the package; update maintainer -- Ondřej Surý Tue, 13 Apr 2010 12:15:57 +0200 botan1.8 (1.8.8-3) unstable; urgency=low * Skip tests, where we know they are broken -- Ondřej Surý Fri, 26 Mar 2010 19:48:02 +0100 botan1.8 (1.8.8-2) unstable; urgency=low * Convert to 3.0 (quilt) format * Add upstream patch to fix gmp memory allocator segfault in softhsm -- Ondřej Surý Sat, 23 Jan 2010 09:29:23 +0100 botan1.8 (1.8.8-1) unstable; urgency=low * New Upstream Version 1.8.8 * New Maintainer (Closes: #543832) * Enable hardening-wrapper -- Ondřej Surý Fri, 22 Jan 2010 10:22:34 +0100 botan1.8 (1.8.6-2) unstable; urgency=low * Removing vcs fields. * Orphaning package. 
-- Daniel Baumann Thu, 27 Aug 2009 06:59:15 +0200 botan1.8 (1.8.6-1) unstable; urgency=low * Merging upstream version 1.8.6. * Synchronising license text in copyright file with upstream. * Removing ftbfs-mips.patch, was part of the new upstream release. * Updating package to standards version 3.8.3. -- Daniel Baumann Wed, 26 Aug 2009 16:11:46 +0200 botan1.8 (1.8.5-5) unstable; urgency=low * Adding patch from upstream to fix FTBFS on mips and mipsel. -- Daniel Baumann Mon, 10 Aug 2009 09:06:50 +0200 botan1.8 (1.8.5-4) unstable; urgency=low * Setting --cpu configure flag by using deb host gnu cpu instead (Closes: #540495). -- Daniel Baumann Sat, 08 Aug 2009 14:14:09 +0200 botan1.8 (1.8.5-3) unstable; urgency=low * Setting --cpu configure flag by using deb build arch (Closes: #540013). -- Daniel Baumann Sat, 08 Aug 2009 10:33:58 +0200 botan1.8 (1.8.5-2) unstable; urgency=low * Only manually setting cpu flag on i386 (Closes: #539860). -- Daniel Baumann Tue, 04 Aug 2009 10:47:03 +0200 botan1.8 (1.8.5-1) unstable; urgency=low * Merging upstream version 1.8.5. * Adding old changelog entries for separately uploaded botan packages in the past. * Using correct rfc-2822 date formats in changelog. * Wrapping build depends. * Adding misc depends. * Renaming local manpages directory to common name. * Minimizing rules file. * Doing some minor cosmetical updates in the manpage. * Updating copyright file to reflect changes of upstream version 1.8.0. * Using new configure.py instread of configure.pl, updating necessary things to cope with that. * Updating. * Tidy debhelper install files. -- Daniel Baumann Tue, 04 Aug 2009 00:47:32 +0200 botan1.8 (1.8.4-2) unstable; urgency=low * Adding conflicts/replaces to libbotan1.8 (Closes: #537844). -- Daniel Baumann Tue, 21 Jul 2009 13:42:48 +0200 botan1.8 (1.8.4-1) unstable; urgency=low * Merging upstream version 1.8.4. * Updating rules file to current state of the art. * Using quilt rather than dpatch. 
-- Daniel Baumann Tue, 14 Jul 2009 20:48:50 +0200 botan1.8 (1.8.3-1) unstable; urgency=low * Merging upstream version 1.8.3. * Renaming source package to botan1.8 for consistency. * Updating standards to 3.8.2. * Renaming libbotan1.8 to libbotan-1.8.2 to match SONAME (Closes: #527461). * Updating section of the debug package. * Updating year in copyright file. * Removing botan1.8-dbg lintian overrides, not required anymore. * Using correct rfc-2822 date formats in changelog. -- Daniel Baumann Tue, 14 Jul 2009 11:31:24 +0200 botan-devel (1.8.2-1) unstable; urgency=low * Merging upstream version 1.8.2. -- Daniel Baumann Mon, 04 May 2009 10:16:00 +0200 botan-devel (1.8.1-1) unstable; urgency=low * Merging upstream version 1.8.1. -- Daniel Baumann Sun, 25 Jan 2009 01:50:00 +0100 botan-devel (1.8.0-1) unstable; urgency=low * Merging upstream version 1.8.0. * Replacing 1.7 with 1.8 in all debhelper files. * Correcting name of botan-config manpage. -- Daniel Baumann Sun, 14 Dec 2008 20:54:00 +0100 botan-devel (1.7.24-1) unstable; urgency=low * Merging upstream version 1.7.24. * Removing info.txt and todo.txt from libbotan1.7-dev.docs, file not available anymore. -- Daniel Baumann Wed, 03 Dec 2008 09:48:00 +0100 botan-devel (1.7.23-1) unstable; urgency=low * Merging upstream version 1.7.23. * Rediffing cpuinfo.dpatch. -- Daniel Baumann Tue, 25 Nov 2008 23:02:00 +0100 botan-devel (1.7.22-1) unstable; urgency=low * Merging upstream version 1.7.22. -- Daniel Baumann Sat, 22 Nov 2008 15:18:00 +0100 botan-devel (1.7.21-1) unstable; urgency=low * Merging upstream version 1.7.21. -- Daniel Baumann Sat, 15 Nov 2008 07:33:00 +0100 botan-devel (1.7.20-1) unstable; urgency=low * Merging upstream version 1.7.20. -- Daniel Baumann Sat, 15 Nov 2008 07:27:00 +0100 botan-devel (1.7.19-1) unstable; urgency=low * Merging upstream version 1.7.19. * Replacing obsolete dh_clean -k with dh_prep. * Updating cpuinfo.dpatch. 
-- Daniel Baumann Fri, 07 Nov 2008 21:32:00 +0100 botan-devel (1.7.18-1) unstable; urgency=low * Merging upstream version 1.7.18. * Updating libbotan-1.7-dev debhelper install file to cover pkg-config file. * Adding related libraries to depends of libbotan1.7-dev. -- Daniel Baumann Sun, 26 Oct 2008 16:42:00 +0100 botan-devel (1.7.17-1) unstable; urgency=low * Merging upstream version 1.7.17. -- Daniel Baumann Sun, 26 Oct 2008 16:23:00 +0100 botan-devel (1.7.16-1) unstable; urgency=low * Merging upstream version 1.7.16. -- Daniel Baumann Sun, 12 Oct 2008 19:10:00 +0200 botan-devel (1.7.15-1) unstable; urgency=low * Merging upstream version 1.7.15. * Rediffing cpuinfo.dpatch. * Updating rules to reflect upstreams Makefile changes. -- Daniel Baumann Wed, 08 Oct 2008 20:32:00 +0200 botan-devel (1.7.14-1) unstable; urgency=low * Merging upstream version 1.7.14. * Removing no longer required --modules parameter to configure call. -- Daniel Baumann Wed, 08 Oct 2008 19:40:00 +0200 botan-devel (1.7.13-1) unstable; urgency=low * Merging upstream version 1.7.13. -- Daniel Baumann Mon, 06 Oct 2008 21:27:00 +0200 botan-devel (1.7.12-1) unstable; urgency=low * Reverting previous temporary commit to make builds not fail when checks are failed, now that all architectures are working. * Using patch-stamp rather than patch in rules file. * Merging upstream version 1.7.12. * Removing bigint.dpatch, part of upstream version 1.7.12. * Removing deref_alias.dpatch, went upstream. * Rediffing cpuinfo.dpatch. -- Daniel Baumann Sat, 20 Sep 2008 18:24:00 +0200 botan-devel (1.7.11-2) unstable; urgency=low * Adding patch from upstream to fix bigint bug. -- Daniel Baumann Tue, 16 Sep 2008 08:52:00 +0200 botan-devel (1.7.11-1) unstable; urgency=low * Merging upstream version 1.7.11. * Rediffing cpuinfo.dpatch. -- Daniel Baumann Sun, 14 Sep 2008 13:28:00 +0200 botan-devel (1.7.10-3) unstable; urgency=low * Temporarily not aborting when checks failing. 
-- Daniel Baumann Sun, 14 Sep 2008 13:24:00 +0200 botan-devel (1.7.10-2) unstable; urgency=medium * Enabling checks. -- Daniel Baumann Sat, 13 Sep 2008 17:17:00 +0200 botan-devel (1.7.10-1) experimental; urgency=low * Merging upstream version 1.7.10. -- Daniel Baumann Wed, 10 Sep 2008 08:30:00 +0200 botan-devel (1.7.9-1) experimental; urgency=low * Merging upstream version 1.7.9. * Rediffing 01-cpuinfo.dpatch. -- Daniel Baumann Wed, 10 Sep 2008 08:01:00 +0200 botan-devel (1.7.8-4) unstable; urgency=high * Updating vcs fields in control file. * Moving botan-config from libbotan1.7 to libbotan1.7-dev (Closes: #496529). * Removing old conficts/replaces. -- Daniel Baumann Mon, 08 Sep 2008 13:16:00 +0200 botan-devel (1.7.8-3) unstable; urgency=medium * Manually installing build.h into the package (Closes: #494658). -- Daniel Baumann Sat, 23 Aug 2008 16:48:00 +0200 botan-devel (1.7.8-2) unstable; urgency=low * Moving botan-config from libbotan1.7 to libbotan1.7-dev. -- Daniel Baumann Sun, 03 Aug 2008 22:29:00 +0200 botan-devel (1.7.8-1) unstable; urgency=low * Adding patch to cleanup deref_alias removal. * Merging upstream version 1.7.8. -- Daniel Baumann Wed, 16 Jul 2008 10:22:00 +0200 botan-devel (1.7.7-1) unstable; urgency=low * Merging upstream version 1.7.7. * Updating to standards 3.8.0. -- Daniel Baumann Wed, 16 Jul 2008 00:03:00 +0200 botan-devel (1.7.6-1) unstable; urgency=low * Adding lintian overrides for botan-devel-dbg. * Removing non existant partial changelog files from libbotan1.7.docs file. * Updating dh_installchangelogs call in rules file to match new name of the changelog file. * Rediffing 01-cpuinfo.dpatch. * Merging upstream version 1.7.6. -- Daniel Baumann Sat, 10 May 2008 20:57:00 +0200 botan-devel (1.7.5-2) unstable; urgency=low * Adding debug package. -- Daniel Baumann Sat, 03 May 2008 09:06:00 +0200 botan-devel (1.7.5-1) unstable; urgency=low * Updating examples debhelper files to new upstream. * Updating docs debhelper file to new upstream. 
* Updating configure.pl call to new upstream version. * Rediffing 01-cpuinfo.dpatch. * Updating lintian overrides. * Reordering rules file. * Using lintian debhelper to install lintian overrides. * Rewriting copyright file in machine-interpretable format. * Adding vcs fields in control file. * Upgrading package to debhelper 7. * Merging upstream version 1.7.5. -- Daniel Baumann Sat, 03 May 2008 08:42:00 +0200 botan-devel (1.7.2-1) unstable; urgency=low * Botan development release, upload as new botan-devel source package. -- Daniel Baumann Sat, 12 Jan 2008 21:09:00 +0100 botan (1.6.5-4) unstable; urgency=low * Replacing obsolete dh_clean -k with dh_prep. * Updating conflicts for botan 1.8 (Closes: #512347). * Updating year in copyright file. -- Daniel Baumann Tue, 20 Jan 2009 01:46:00 +0100 botan (1.6.5-3) unstable; urgency=low * Using patch-stamp rather than patch in rules file. * Adding related libraries to depends of libbotan1.6-dev. -- Daniel Baumann Sun, 26 Oct 2008 16:57:00 +0100 botan (1.6.5-2) unstable; urgency=medium * Enabling checks. -- Daniel Baumann Sat, 13 Sep 2008 17:15:00 +0200 botan (1.6.5-1) unstable; urgency=low * Merging upstream version 1.6.5. -- Daniel Baumann Wed, 10 Sep 2008 07:50:00 +0200 botan (1.6.4-4) unstable; urgency=high * Updating vcs fields in control file. * Moving botan-config from libbotan1.6 to libbotan1.6-dev (Closes: #496529). * Removing old conficts/replaces. -- Daniel Baumann Mon, 08 Sep 2008 13:07:00 +0200 botan (1.6.4-3) unstable; urgency=low * Moving botan-config from libbotan1.6 to libbotan1.6-dev. * Updating to standards 3.8.0. -- Daniel Baumann Sun, 03 Aug 2008 22:27:00 +0200 botan (1.6.4-2) unstable; urgency=low * Adding debug package. -- Daniel Baumann Sat, 03 May 2008 07:43:00 +0200 botan (1.6.4-1) unstable; urgency=low * Updating lintian overrides. * Reordering rules file. * Using lintian debhelper to install lintian overrides. * Rewriting copyright file in machine-interpretable format. 
* Adding vcs fields in control file. * Upgrading package to debhelper 7. * Merging upstream version 1.6.4. -- Daniel Baumann Sat, 03 May 2008 07:31:00 +0200 botan (1.6.3-4) unstable; urgency=low * Botan is developed in a stable release branch and a development release branch. In the past, I was uploading as 'versioned' source packages, botan1.4 and botan1.5. To be a bit more consistent, the two source packages will be named 'botan' and 'botan-devel' now. * In preparation to the 'versioned' source packages, I'm renaming the libbotan-dev to libbotan1.6-dev, and adding conflicts/replaces to the libbotan1.7-dev (build from botan-devel). * The whole transition doesn't influence any other package, currently no package in Debian is depending (yet) on botan. * Overwriting bogus lintian warning about GPL-vs.OpenSSL, only debian/* is licensed under GPL. -- Daniel Baumann Sat, 12 Jan 2008 20:39:00 +0100 botan (1.6.3-3) unstable; urgency=low * Updated to new policy. * Using homepage field in control. * Added fail-missing to dh_install call in rules. * Added simple manpage for botan-config. -- Daniel Baumann Sun, 23 Dec 2007 11:43:00 +0100 botan (1.6.3-2) unstable; urgency=low * Compiling with -fpermissive (Closes: #431888). -- Daniel Baumann Thu, 11 Oct 2007 22:47:00 +0200 botan (1.6.3-1) unstable; urgency=low * New upstream release. * Dropping 02-includes; solved upstream. -- Daniel Baumann Sun, 29 Jul 2007 20:31:00 +0200 botan (1.6.2-3) unstable; urgency=low * Fixed clean: target in rules (Closes: #424148). * Removed old conflicts/replaces. -- Daniel Baumann Tue, 15 May 2007 22:09:00 +0200 botan (1.6.2-2) unstable; urgency=low * Added patch from Martin Michlmayr to add missing include required to build with GCC 4.3 (Closes: #417125). -- Daniel Baumann Sun, 01 Apr 2007 18:41:00 +0200 botan (1.6.2-1) unstable; urgency=low * New upstream release. -- Daniel Baumann Wed, 28 Mar 2007 22:09:00 +0200 botan (1.6.1-1) unstable; urgency=low * New upstream release. 
-- Daniel Baumann Thu, 08 Feb 2007 13:22:00 +0100 botan (1.6.0-2) unstable; urgency=low * Minor cleanups. -- Daniel Baumann Fri, 19 Jan 2007 10:46:00 +0100 botan (1.6.0-1) unstable; urgency=low * New upstream release: - botan 1.6.0 does replace both botan1.4 and botan1.5. -- Daniel Baumann Tue, 02 Jan 2007 00:01:00 +0100 botan1.5 (1.5.13-3) unstable; urgency=low * Using gcc-linux-generic for all archs/kernels, fixes FTBFS on mips. -- Daniel Baumann Thu, 14 Dec 2006 00:13:00 +0100 botan1.5 (1.5.13-2) unstable; urgency=low * Modified rules as suggested by Petr Salinger to make it build on kfreebsd (Closes: #402930). -- Daniel Baumann Wed, 13 Dec 2006 18:55:00 +0100 botan1.5 (1.5.13-1) unstable; urgency=low * New upstream release. * Disabled cpu detection based on /proc/cpuinfo (Closes: #402073). -- Daniel Baumann Wed, 13 Dec 2006 11:04:00 +0200 botan1.5 (1.5.11-1) unstable; urgency=low * Initial release. -- Daniel Baumann Sun, 08 Oct 2006 14:43:00 +0200 botan1.4 (1.4.12-4) unstable; urgency=low * Using gcc-linux-generic for all archs/kernels, fixes FTBFS on mips. -- Daniel Baumann Thu, 14 Dec 2006 00:13:00 +0100 botan1.4 (1.4.12-3) unstable; urgency=low * Modified rules as suggested by Petr Salinger to make it build on kfreebsd (Closes: #402933). -- Daniel Baumann Wed, 13 Dec 2006 18:55:00 +0100 botan1.4 (1.4.12-2) unstable; urgency=low * Disabled cpu detection based on /proc/cpuinfo (Closes: #402071). -- Daniel Baumann Wed, 13 Dec 2006 11:04:00 +0200 botan1.4 (1.4.12-1) unstable; urgency=low * Initial release (Closes: #391770). 
-- Daniel Baumann Sun, 08 Oct 2006 14:43:00 +0200 debian/libbotan-1.10-0.install0000664000000000000000000000003212115055317013057 0ustar usr/lib/libbotan-1.*.so.* debian/control0000664000000000000000000000364112311077605010601 0ustar Source: botan1.10 Section: libs Priority: optional Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Ondřej Surý Build-Depends: debhelper (>= 7.0.50~), libbz2-dev, libgmp3-dev, libssl-dev, python, zlib1g-dev, hardening-wrapper Standards-Version: 3.9.2 Homepage: http://botan.randombit.net/ Vcs-Browser: http://git.debian.org/?p=pkg-nlnetlabs/botan1.10.git Vcs-Git: git://git.debian.org/pkg-nlnetlabs/botan1.10.git Package: botan1.10-dbg Section: debug Priority: extra Architecture: any Depends: ${misc:Depends}, libbotan-1.10-0 (= ${binary:Version}), libbotan1.10-dev (= ${binary:Version}) Description: multiplatform crypto library (debug) Botan is a C++ library which provides support for many common cryptographic operations, including encryption, authentication, and X.509v3 certificates and CRLs. A wide variety of algorithms is supported, including RSA, DSA, DES, AES, MD5, and SHA-1. . This package contains the debugging symbols. Package: libbotan-1.10-0 Section: libs Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends} Description: multiplatform crypto library Botan is a C++ library which provides support for many common cryptographic operations, including encryption, authentication, and X.509v3 certificates and CRLs. A wide variety of algorithms is supported, including RSA, DSA, DES, AES, MD5, and SHA-1. Package: libbotan1.10-dev Section: libdevel Architecture: any Depends: ${misc:Depends}, libbotan-1.10-0 (= ${binary:Version}) Conflicts: libbotan1.6-dev Replaces: libbotan1.6-dev Description: multiplatform crypto library (development) Botan is a C++ library which provides support for many common cryptographic operations, including encryption, authentication, and X.509v3 certificates and CRLs. 
A wide variety of algorithms is supported, including RSA, DSA, DES, AES, MD5, and SHA-1. . This package contains the development files. debian/patches/0000775000000000000000000000000012756167017010633 5ustar debian/patches/series0000664000000000000000000000026012756166777012062 0ustar ppc64el-support.patch arm64-support.patch CVE-2014-9742.patch CVE-2015-5726-and-CVE-2015-5727.patch CVE-2016-2194-and-CVE-2016-2195.patch CVE-2015-7827-and-CVE-2016-2849.patch debian/patches/CVE-2016-2194-and-CVE-2016-2195.patch0000664000000000000000000001164312756166777015434 0ustar 
From: Markus Koschany Date: Mon, 25 Apr 2016 22:04:28 +0200 Subject: CVE-2016-2194 and CVE-2016-2195 Infinite loop in modular square root algorithm (CVE-2016-2194) The ressol function, which implements the Tonelli-Shanks algorithm for finding square roots, could be sent into a nearly infinite loop due to a misplaced conditional check. This could occur if a composite modulus is provided, as this algorithm is only defined for primes. This function is exposed to attacker controlled input via the OS2ECP function during ECC point decompression. Found by AFL Heap overflow on invalid ECC point (CVE-2016-2195) The PointGFp constructor did not check that the affine coordinate arguments were less than the prime, but then in curve multiplication assumed that both arguments if multiplied would fit into an integer twice the size of the prime. The bigint_mul and bigint_sqr functions received the size of the output buffer, but only used it to dispatch to a faster algorithm in cases where there was sufficient output space to call an unrolled multiplication function. The result is a heap overflow accessible via ECC point decoding, which accepted untrusted inputs. This is likely exploitable for remote code execution. On systems which use the mlock pool allocator, it would allow an attacker to overwrite memory held in secure_vector objects. After this point the write will hit the guard page at the end of the mmap’ed region so it probably could not be used for code execution directly, but would allow overwriting adjacent key material. Found by Alex Gaynor fuzzing with AFL Origin: https://github.com/randombit/botan/commit/43462f8d24880c42ce66ea45a76c7611fdab25cd --- src/math/ec_gfp/point_gfp.cpp | 12 ++++++++++-- src/math/mp/mp_karat.cpp | 5 +++++ src/math/numbertheory/ressol.cpp | 6 +++--- 3 files changed, 18 insertions(+), 5 deletions(-) diff --git a/src/math/ec_gfp/point_gfp.cpp index 7ac6b41..afd3b9d 100644 --- a/src/math/ec_gfp/point_gfp.cpp 
+++ b/src/math/ec_gfp/point_gfp.cpp @@ -11,6 +11,7 @@ #include #include #include +#include namespace Botan { @@ -25,6 +26,10 @@ PointGFp::PointGFp(const CurveGFp& curve) : PointGFp::PointGFp(const CurveGFp& curve, const BigInt& x, const BigInt& y) : curve(curve), ws(2 * (curve.get_p_words() + 2)) { + if(x <= 0 || x >= curve.get_p()) + throw Invalid_Argument("Invalid PointGFp x"); + if(x <= 0 || x >= curve.get_p()) + throw Invalid_Argument("Invalid PointGFp y"); coord_x = monty_mult(x, curve.get_r2()); coord_y = monty_mult(y, curve.get_r2()); coord_z = monty_mult(1, curve.get_r2()); @@ -68,15 +73,18 @@ void PointGFp::monty_sqr(BigInt& z, const BigInt& x) const } const BigInt& p = curve.get_p(); - const size_t p_size = curve.get_p_words(); const word p_dash = curve.get_p_dash(); + const size_t p_size = curve.get_p_words(); + + const size_t x_sw = x.sig_words(); + BOTAN_ASSERT(x_sw <= p_size, "x value in range"); SecureVector& z_reg = z.get_reg(); z_reg.resize(2*p_size+1); zeroise(z_reg); bigint_monty_sqr(&z_reg[0], z_reg.size(), - x.data(), x.size(), x.sig_words(), + x.data(), x.size(), x_sw, p.data(), p_size, p_dash, &ws[0]); } diff --git a/src/math/mp/mp_karat.cpp b/src/math/mp/mp_karat.cpp index 945b3b6..b25d606 100644 --- a/src/math/mp/mp_karat.cpp +++ b/src/math/mp/mp_karat.cpp @@ -7,6 +7,7 @@ #include #include +#include #include namespace Botan { @@ -249,6 +250,8 @@ void bigint_mul(word z[], size_t z_size, word workspace[], const word x[], size_t x_size, size_t x_sw, const word y[], size_t y_size, size_t y_sw) { + BOTAN_ASSERT(z_size > x_sw && z_size > y_sw && z_size - x_sw >= y_sw, "Sufficient output size"); + if(x_sw == 1) { bigint_linmul3(z, y, y_sw, x[0]); @@ -303,6 +306,8 @@ void bigint_mul(word z[], size_t z_size, word workspace[], void bigint_sqr(word z[], size_t z_size, word workspace[], const word x[], size_t x_size, size_t x_sw) { + BOTAN_ASSERT(z_size/2 >= x_sw, "Sufficient output size"); + if(x_sw == 1) { bigint_linmul3(z, x, x_sw, x[0]); 
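Review bot: The second range check added to the `PointGFp(const CurveGFp&, const BigInt& x, const BigInt& y)` constructor tests `x` a second time instead of `y`, so an out-of-range y coordinate still reaches `coord_y = monty_mult(y, curve.get_r2())` and the oversized-operand path this patch is meant to close stays reachable through the y argument; the line should read `if(y <= 0 || y >= curve.get_p())` before `throw Invalid_Argument("Invalid PointGFp y");`. Separately, rejecting zero with `<= 0` may refuse legitimate affine points, since x = 0 is a valid coordinate on a curve whenever b is a quadratic residue mod p; `x < 0` and `y < 0` are the bounds that match the stated intent of keeping both coordinates in [0, p). The constructor's body continues outside the hunk.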
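Review bot: The new `BOTAN_ASSERT` lines in `bigint_mul` and `bigint_sqr` are now the last check between the point-decoding path described in the patch header and the heap write, so the build should confirm that BOTAN_ASSERT stays active in release configurations; if it can be compiled out by some build flag, the overflow guard disappears with it. A failed assertion presumably also surfaces as an internal error rather than an Invalid_Argument, which is acceptable as defense in depth only because the PointGFp constructor in the point_gfp.cpp hunk is meant to reject out-of-range coordinates first. A comment on each assert, e.g. `// z must hold x_sw + y_sw words; sizes arrive from untrusted ECC point decoding`, would record why the checks are unconditional. Both functions continue outside their hunks.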
diff --git a/src/math/numbertheory/ressol.cpp b/src/math/numbertheory/ressol.cpp index 2e01406..adacd27 100644 --- a/src/math/numbertheory/ressol.cpp +++ b/src/math/numbertheory/ressol.cpp @@ -63,10 +63,10 @@ BigInt ressol(const BigInt& a, const BigInt& p) { q = mod_p.square(q); ++i; - } - if(s <= i) - return -BigInt(1); + if(i >= s) + return -BigInt(1); + } c = power_mod(c, BigInt(BigInt::Power2, s-i-1), p); r = mod_p.multiply(r, c); debian/patches/CVE-2015-5726-and-CVE-2015-5727.patch0000664000000000000000000001534312756166777015443 0ustar From: Markus Koschany Date: Mon, 25 Apr 2016 22:01:05 +0200 Subject: CVE-2015-5726 and CVE-2015-5727 CVE-2015-5726 The BER decoder would crash due to reading from offset 0 of an empty vector if it encountered a BIT STRING which did not contain any data at all. This can be used to easily crash applications reading untrusted ASN.1 data, but does not seem exploitable for code execution. Found with afl. CVE-2015-5727 The BER decoder would allocate a fairly arbitrary amount of memory in a length field, even if there was no chance the read request would succeed. This might cause the process to run out of memory or invoke the OOM killer. Found with afl. Origin: https://github.com/randombit/botan/commit/7c907db91bfc048b498c23baa2ec83d329947581 --- src/asn1/ber_dec.cpp | 7 ++++++- src/entropy/unix_procs/unix_cmd.cpp | 5 +++++ src/entropy/unix_procs/unix_cmd.h | 1 + src/filters/codec_filt/b64_filt.cpp | 5 +++++ src/filters/data_src.cpp | 14 ++++++++++++++ src/filters/data_src.h | 4 ++++ src/filters/pipe.h | 3 +++ src/filters/pipe_rw.cpp | 10 ++++++++++ src/filters/secqueue.h | 2 ++ 9 files changed, 50 insertions(+), 1 deletion(-) diff --git a/src/asn1/ber_dec.cpp b/src/asn1/ber_dec.cpp index b31c7b9..ad389b4 100644 --- a/src/asn1/ber_dec.cpp +++ b/src/asn1/ber_dec.cpp 
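Review bot: The loop in `ressol` now bails out with -1 once `i` reaches `s`, but nothing in the function records that `p` must be prime or that -1 is the value callers get for a composite modulus as well as for a non-residue, and the patch description says this path is fed untrusted input from OS2ECP. A comment above the loop such as `// p is assumed prime (Tonelli-Shanks); for a composite p, q may never reach 1, so return -1 once i reaches s instead of looping` would keep the reason for the relocated check from being lost in the next refactor. `ressol` begins and ends outside the hunk.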
@@ -205,7 +205,10 @@ BER_Object BER_Decoder::get_next_object() if(next.type_tag == NO_OBJECT) return next; - size_t length = decode_length(source); + const size_t length = decode_length(source); + if(!source->check_available(length)) + throw BER_Decoding_Error("Value truncated"); + next.value.resize(length); if(source->read(&next.value[0], length) != length) throw BER_Decoding_Error("Value truncated"); @@ -457,6 +460,8 @@ BER_Decoder& BER_Decoder::decode(MemoryRegion& buffer, buffer = obj.value; else { + if(obj.value.empty()) + throw BER_Decoding_Error("Invalid BIT STRING"); if(obj.value[0] >= 8) throw BER_Decoding_Error("Bad number of unused bits in BIT STRING"); diff --git a/src/entropy/unix_procs/unix_cmd.cpp b/src/entropy/unix_procs/unix_cmd.cpp index 9304440..c72f9c0 100644 --- a/src/entropy/unix_procs/unix_cmd.cpp +++ b/src/entropy/unix_procs/unix_cmd.cpp @@ -99,6 +99,11 @@ size_t DataSource_Command::peek(byte[], size_t, size_t) const throw Stream_IO_Error("Cannot peek/seek on a command pipe"); } +bool DataSource_Command::check_available(size_t) + { + throw Stream_IO_Error("Cannot check available bytes on a pipe"); + } + /** * Check if we reached EOF */ diff --git a/src/entropy/unix_procs/unix_cmd.h b/src/entropy/unix_procs/unix_cmd.h index 5185c1c..bdbcec3 100644 --- a/src/entropy/unix_procs/unix_cmd.h +++ b/src/entropy/unix_procs/unix_cmd.h @@ -51,6 +51,7 @@ class DataSource_Command : public DataSource public: size_t read(byte[], size_t); size_t peek(byte[], size_t, size_t) const; + bool check_available(size_t n); bool end_of_data() const; std::string id() const; diff --git a/src/filters/codec_filt/b64_filt.cpp b/src/filters/codec_filt/b64_filt.cpp index 9341571..34d00fd 100644 --- a/src/filters/codec_filt/b64_filt.cpp +++ b/src/filters/codec_filt/b64_filt.cpp 
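Review bot: `DataSource_Command::check_available` throws `Stream_IO_Error` unconditionally, and `BER_Decoder::get_next_object` in the first hunk now calls `source->check_available(length)` before every value read, so after this patch BER decoding from a command pipe fails on the first object rather than only on truncated input. That may be acceptable for an entropy-gathering source, but it is a behaviour change the patch description does not mention; a comment on the override such as `// A pipe cannot be probed for pending length; BER decoding from this source is unsupported` would record the decision. Whether any caller actually wraps a `DataSource_Command` in a `BER_Decoder` is not visible here.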
@@ -126,6 +126,11 @@ void Base64_Decoder::write(const byte input[], size_t length) while(length) { size_t to_copy = std::min(length, in.size() - position); + if(to_copy == 0) + { + in.resize(in.size()*2); + out.resize(out.size()*2); + } copy_mem(&in[position], input, to_copy); position += to_copy; diff --git a/src/filters/data_src.cpp b/src/filters/data_src.cpp index da67baa..b696013 100644 --- a/src/filters/data_src.cpp +++ b/src/filters/data_src.cpp @@ -101,6 +101,11 @@ DataSource_Memory::DataSource_Memory(const std::string& in) : offset = 0; } +bool DataSource_Memory::check_available(size_t n) + { + return (n <= (source.size() - offset)); + } + /* * Read from a stream */ @@ -115,6 +120,15 @@ size_t DataSource_Stream::read(byte out[], size_t length) return got; } +bool DataSource_Stream::check_available(size_t n) + { + const std::streampos orig_pos = source.tellg(); + source.seekg(0, std::ios::end); + const size_t avail = source.tellg() - orig_pos; + source.seekg(orig_pos); + return (avail >= n); + } + /* * Peek into a stream */ diff --git a/src/filters/data_src.h b/src/filters/data_src.h index a274de8..36d7057 100644 --- a/src/filters/data_src.h +++ b/src/filters/data_src.h @@ -56,6 +56,8 @@ class BOTAN_DLL DataSource */ virtual std::string id() const { return ""; } + virtual bool check_available(size_t n) = 0; + /** * Read one byte. * @param out the byte to read to @@ -94,6 +96,7 @@ class BOTAN_DLL DataSource_Memory : public DataSource public: size_t read(byte[], size_t); size_t peek(byte[], size_t, size_t) const; + bool check_available(size_t n); bool end_of_data() const; /** @@ -127,6 +130,7 @@ class BOTAN_DLL DataSource_Stream : public DataSource public: size_t read(byte[], size_t); size_t peek(byte[], size_t, size_t) const; + bool check_available(size_t n); bool end_of_data() const; std::string id() const; diff --git a/src/filters/pipe.h b/src/filters/pipe.h index e5cb5f4..3d9ffab 100644 --- a/src/filters/pipe.h +++ b/src/filters/pipe.h 
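Review bot: `DataSource_Stream::check_available` decides by seeking to the end of the stream, so on a non-seekable `std::istream` (a pipe or terminal behind `std::cin`) `seekg` fails and sets `failbit`, after which the following `read` also fails and `BER_Decoder` reports "Value truncated" for well-formed input; it also converts `source.tellg() - orig_pos` to `size_t` without checking that either `tellg` call succeeded. If the seek cannot be performed, restoring the stream with `source.clear()` and returning `false` keeps the failure explicit and the stream usable by the caller, and the header should state that seekable streams are required. Separately, the new `virtual bool check_available(size_t n) = 0;` in `data_src.h` is inserted between `id()` and `read_byte` in a `BOTAN_DLL` class, which shifts the vtable slots of the virtuals that follow it in an exported base; for a packaged shared library that deserves a check against the package's symbols/ABI tracking, or placement at the end of the virtual list.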
@@ -200,6 +200,9 @@ class BOTAN_DLL Pipe : public DataSource size_t peek(byte& output, size_t offset, message_id msg = DEFAULT_MESSAGE) const; + bool check_available(size_t n); + bool check_available_msg(size_t n, message_id msg); + /** * @return currently set default message */ diff --git a/src/filters/pipe_rw.cpp b/src/filters/pipe_rw.cpp index 90af9ed..145a7e3 100644 --- a/src/filters/pipe_rw.cpp +++ b/src/filters/pipe_rw.cpp @@ -140,6 +140,16 @@ size_t Pipe::remaining(message_id msg) const return outputs->remaining(get_message_no("remaining", msg)); } +bool Pipe::check_available(size_t n) + { + return (n <= remaining(DEFAULT_MESSAGE)); + } + +bool Pipe::check_available_msg(size_t n, message_id msg) + { + return (n <= remaining(msg)); + } + /* * Peek at some data in the pipe */ diff --git a/src/filters/secqueue.h b/src/filters/secqueue.h index 632ae85..15f336e 100644 --- a/src/filters/secqueue.h +++ b/src/filters/secqueue.h @@ -35,6 +35,8 @@ class BOTAN_DLL SecureQueue : public Fanout_Filter, public DataSource bool attachable() { return false; } + bool check_available(size_t n) { return n <= size(); } + /** * SecureQueue assignment * @param other the queue to copy debian/patches/CVE-2015-7827-and-CVE-2016-2849.patch0000664000000000000000000003161012756166777015445 0ustar 
From: Markus Koschany Date: Mon, 25 Apr 2016 22:06:42 +0200 Subject: CVE-2015-7827 and CVE-2016-2849 Use constant time modular inverse algorithm to avoid possible side channel attack against ECDSA (CVE-2016-2849) Use constant time PKCS #1 unpadding to avoid possible side channel attack against RSA decryption (CVE-2015-7827) Origin: https://github.com/randombit/botan/commit/bcf13fa153a11b3e0ad54e2af6962441cea3adf1 --- src/math/mp/mp_asm.cpp | 71 ++++++++++++++++++++ src/math/mp/mp_core.h | 26 ++++++++ src/math/numbertheory/numthry.cpp | 115 ++++++++++++++++++++++++++++++++ src/pk_pad/eme_pkcs/eme_pkcs.cpp | 40 +++++++---- src/utils/ct_utils.h | 137 ++++++++++++++++++++++++++++++++++++++ src/utils/info.txt | 1 + 6 files changed, 376 insertions(+), 14 deletions(-) create mode 100644 src/utils/ct_utils.h diff --git a/src/math/mp/mp_asm.cpp b/src/math/mp/mp_asm.cpp index 3ba52c4..523f939 100644 --- a/src/math/mp/mp_asm.cpp +++ b/src/math/mp/mp_asm.cpp @@ -9,6 +9,7 @@ #include #include #include +#include #include #include 
@@ -17,6 +18,76 @@ namespace Botan { extern "C" { /* +* If cond == 0, does nothing. +* If cond > 0, swaps x[0:size] with y[0:size] +* Runs in constant time +*/ +void bigint_cnd_swap(word cnd, word x[], word y[], size_t size) + { + const word mask = CT::expand_mask(cnd); + + for(size_t i = 0; i != size; ++i) + { + word a = x[i]; + word b = y[i]; + x[i] = CT::select(mask, b, a); + y[i] = CT::select(mask, a, b); + } + } + +/* +* If cond > 0 adds x[0:size] to y[0:size] and returns carry +* Runs in constant time +*/ +word bigint_cnd_add(word cnd, word x[], const word y[], size_t size) + { + const word mask = CT::expand_mask(cnd); + + word carry = 0; + for(size_t i = 0; i != size; ++i) + { + /* + Here we are relying on asm version of word_add being + a single addcl or equivalent. Fix this. + */ + const word z = word_add(x[i], y[i], &carry); + x[i] = CT::select(mask, z, x[i]); + } + + return carry & mask; + } + +/* +* If cond > 0 subs x[0:size] to y[0:size] and returns borrow +* Runs in constant time +*/ +word bigint_cnd_sub(word cnd, word x[], const word y[], size_t size) + { + const word mask = CT::expand_mask(cnd); + + word carry = 0; + for(size_t i = 0; i != size; ++i) + { + const word z = word_sub(x[i], y[i], &carry); + x[i] = CT::select(mask, z, x[i]); + } + + return carry & mask; + } + +void bigint_cnd_abs(word cnd, word x[], size_t size) + { + const word mask = CT::expand_mask(cnd); + + word carry = mask & 1; + for(size_t i = 0; i != size; ++i) + { + const word z = word_add(~x[i], 0, &carry); + x[i] = CT::select(mask, z, x[i]); + } + } + +/* * Two Operand Addition, No Carry */ word bigint_add2_nc(word x[], size_t x_size, const word y[], size_t y_size) diff --git a/src/math/mp/mp_core.h b/src/math/mp/mp_core.h index 82bdbad..ac3ef6c 100644 --- a/src/math/mp/mp_core.h +++ b/src/math/mp/mp_core.h 
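Review bot: The header comments on `bigint_cnd_add` and `bigint_cnd_sub` describe the operation backwards: each loop writes `x[i] = CT::select(mask, z, x[i])` with `z` computed from `x[i]` and `y[i]`, so `x` is the accumulator and `y` the read-only operand (`x += y` / `x -= y`), while the comment says "adds x[0:size] to y[0:size]". Suggest `* If cond > 0 adds y[0:size] to x[0:size] (x += y) and returns carry` and the analogous `x -= y` wording for the subtraction; the same comments are repeated in the `mp_core.h` hunk that follows and should change together. `bigint_cnd_abs` has no comment at all in the `.cpp`, although `mp_core.h` documents it as "2s complement absolute value / If cond > 0 sets x to ~x + 1" — copy that block above the definition. A one-line comment that `word_add`/`word_sub` are deliberately executed for every element regardless of `cnd` (only the store is masked) would also help, since the in-loop note already marks `word_add` as something to revisit.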
@@ -20,6 +20,32 @@ const size_t MP_WORD_BITS = BOTAN_MP_WORD_BITS; extern "C" { /* +* If cond == 0, does nothing. +* If cond > 0, swaps x[0:size] with y[0:size] +* Runs in constant time +*/ +void bigint_cnd_swap(word cnd, word x[], word y[], size_t size); + +/* +* If cond > 0 adds x[0:size] to y[0:size] and returns carry +* Runs in constant time +*/ +word bigint_cnd_add(word cnd, word x[], const word y[], size_t size); + +/* +* If cond > 0 subs x[0:size] to y[0:size] and returns borrow +* Runs in constant time +*/ +word bigint_cnd_sub(word cnd, word x[], const word y[], size_t size); + +/* +* 2s complement absolute value +* If cond > 0 sets x to ~x + 1 +* Runs in constant time +*/ +void bigint_cnd_abs(word cnd, word x[], size_t size); + +/* * Addition/Subtraction Operations */ void bigint_add2(word x[], size_t x_size, diff --git a/src/math/numbertheory/numthry.cpp b/src/math/numbertheory/numthry.cpp index 535ca67..4ffb9af 100644 --- a/src/math/numbertheory/numthry.cpp +++ b/src/math/numbertheory/numthry.cpp @@ -7,6 +7,7 @@ #include #include +#include #include #include 
@@ -196,6 +197,117 @@ BigInt lcm(const BigInt& a, const BigInt& b) return ((a * b) / gcd(a, b)); } +namespace { + +BigInt ct_inverse_mod_odd_modulus(const BigInt& n, const BigInt& mod) + { + if(n.is_negative() || mod.is_negative()) + throw Invalid_Argument("ct_inverse_mod_odd_modulus: arguments must be non-negative"); + if(mod < 3 || mod.is_even()) + throw Invalid_Argument("Bad modulus to ct_inverse_mod_odd_modulus"); + + /* + This uses a modular inversion algorithm designed by Niels Möller + and implemented in Nettle. The same algorithm was later also + adapted to GMP in mpn_sec_invert. + + It can be easily implemented in a way that does not depend on + secret branches or memory lookups, providing resistance against + some forms of side channel attack. + + There is also a description of the algorithm in Appendix 5 of "Fast + Software Polynomial Multiplication on ARM Processors using the NEON Engine" + by Danilo Câmara, Conrado P. L. Gouvêa, Julio López, and Ricardo + Dahab in LNCS 8182 + http://conradoplg.cryptoland.net/files/2010/12/mocrysen13.pdf + + Thanks to Niels for creating the algorithm, explaining some things + about it, and the reference to the paper. 
+ */ + + // todo allow this to be pre-calculated and passed in as arg + BigInt mp1o2 = (mod + 1) >> 1; + + const size_t mod_words = mod.sig_words(); + + BigInt a = n; + BigInt b = mod; + BigInt u = 1, v = 0; + + a.grow_to(mod_words); + u.grow_to(mod_words); + v.grow_to(mod_words); + mp1o2.grow_to(mod_words); + + SecureVector& a_w = a.get_reg(); + SecureVector& b_w = b.get_reg(); + SecureVector& u_w = u.get_reg(); + SecureVector& v_w = v.get_reg(); + + // Only n.bits() + mod.bits() iterations are required, but avoid leaking the size of n + size_t bits = 2 * mod.bits(); + + while(bits--) + { +#if 1 + const word odd = a.is_odd(); + a -= odd * b; + const word underflow = a.is_negative(); + b += a * underflow; + a.set_sign(BigInt::Positive); + + a >>= 1; + + if(underflow) + { + std::swap(u, v); + } + + u -= odd * v; + u += u.is_negative() * mod; + + const word odd_u = u.is_odd(); + + u >>= 1; + u += mp1o2 * odd_u; +#else + const word odd_a = a_w[0] & 1; + + //if(odd_a) a -= b + word underflow = bigint_cnd_sub(odd_a, a_w.begin(), b_w.begin(), mod_words); + + //if(underflow) { b -= a; a = abs(a); swap(u, v); } + bigint_cnd_add(underflow, b_w.begin(), a_w.begin(), mod_words); + bigint_cnd_abs(underflow, a_w.begin(), mod_words); + bigint_cnd_swap(underflow, u_w.begin(), v_w.begin(), mod_words); + + // a >>= 1 + bigint_shr1(a_w.begin(), mod_words, 0, 1); + + //if(odd_a) u -= v; + word borrow = bigint_cnd_sub(odd_a, u_w.begin(), v_w.begin(), mod_words); + + // if(borrow) u += p + bigint_cnd_add(borrow, u_w.begin(), mod.data(), mod_words); + + const word odd_u = u_w[0] & 1; + + // u >>= 1 + bigint_shr1(u_w.begin(), mod_words, 0, 1); + + //if(odd_u) u += mp1o2; + bigint_cnd_add(odd_u, u_w.begin(), mp1o2.data(), mod_words); +#endif + } + + if(b != 1) + return 0; + + return v; + } + +} + /* * Find the Modular Inverse */ 
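Review bot: The `#if 1` branch that is actually compiled in `ct_inverse_mod_odd_modulus` does not meet the constant-time goal stated in the patch header: it contains `if(underflow) { std::swap(u, v); }`, a branch on a value derived from the secret operand `a`, and the `a -= odd * b` / `b += a * underflow` / `u += u.is_negative() * mod` lines go through BigInt arithmetic whose cost may vary with the significant-word count of the intermediates. The word-level variant under `#else`, built on the new `bigint_cnd_sub`/`bigint_cnd_add`/`bigint_cnd_abs`/`bigint_cnd_swap`, is the one without secret-dependent control flow, yet it is dead code, and the `a_w`/`b_w`/`u_w`/`v_w` references declared above the loop are used only by it. Either flip the conditional so the `bigint_cnd_*` branch is compiled (with results checked against the existing `inverse_mod` path), or state in the comment block that the BigInt form is a reference implementation that is not yet constant time, so the CVE-2016-2849 description is not overstated.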
@@ -209,6 +321,9 @@ BigInt inverse_mod(const BigInt& n, const BigInt& mod) if(n.is_zero() || (n.is_even() && mod.is_even())) return 0; + if(mod.is_odd()) + return ct_inverse_mod_odd_modulus(n % mod, mod); + BigInt x = mod, y = n, u = mod, v = n; BigInt A = 1, B = 0, C = 0, D = 1; diff --git a/src/pk_pad/eme_pkcs/eme_pkcs.cpp b/src/pk_pad/eme_pkcs/eme_pkcs.cpp index c4d6838..7f0393e 100644 --- a/src/pk_pad/eme_pkcs/eme_pkcs.cpp +++ b/src/pk_pad/eme_pkcs/eme_pkcs.cpp @@ -6,6 +6,7 @@ */ #include +#include namespace Botan { @@ -40,20 +41,31 @@ SecureVector EME_PKCS1v15::pad(const byte in[], size_t inlen, SecureVector EME_PKCS1v15::unpad(const byte in[], size_t inlen, size_t key_len) const { - if(inlen != key_len / 8 || inlen < 10 || in[0] != 0x02) - throw Decoding_Error("PKCS1::unpad"); - - size_t seperator = 0; - for(size_t j = 0; j != inlen; ++j) - if(in[j] == 0) - { - seperator = j; - break; - } - if(seperator < 9) - throw Decoding_Error("PKCS1::unpad"); - - return SecureVector(in + seperator + 1, inlen - seperator - 1); + + byte bad_input_m = 0; + byte seen_zero_m = 0; + size_t delim_idx = 0; + + bad_input_m |= ~CT::is_equal(in[0], 2); + + for(size_t i = 1; i < inlen; ++i) + { + const byte is_zero_m = CT::is_zero(in[i]); + + delim_idx += CT::select(~seen_zero_m, 1, 0); + + bad_input_m |= is_zero_m & CT::expand_mask(i < 9); + seen_zero_m |= is_zero_m; + } + + bad_input_m |= ~seen_zero_m; + bad_input_m |= CT::is_less(delim_idx, 8); + + SecureVector output(&in[delim_idx + 1], inlen - (delim_idx + 1)); + + if(bad_input_m) + throw Decoding_Error("EME_PKCS1v15::unpad invalid ciphertext"); + return output; } /* diff --git a/src/utils/ct_utils.h b/src/utils/ct_utils.h new file mode 100644 index 0000000..0eab906 --- /dev/null +++ b/src/utils/ct_utils.h 
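Review bot: The rewritten `EME_PKCS1v15::unpad` drops the old `inlen != key_len / 8 || inlen < 10` guard without any replacement, so `in[0]` is read before anything establishes `inlen >= 1`, and for `inlen == 0` the size expression `inlen - (delim_idx + 1)` wraps before `bad_input_m` is ever consulted; `key_len` is now an unused parameter. At minimum keep `if(inlen == 0) throw Decoding_Error("PKCS1::unpad");` ahead of the masked scan; whether `inlen` itself can vary with the plaintext depends on how the caller encodes the decrypted value, which is not visible here, so a stricter length check should be justified in a comment. Constructing `output` before testing `bad_input_m` is what keeps the copy unconditional; a short comment saying so would stop a future tidy-up from reordering the two.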
@@ -0,0 +1,137 @@ +/* +* Functions for constant time operations on data and testing of +* constant time annotations using valgrind. +* +* For more information about constant time programming see +* Wagner, Molnar, et al "The Program Counter Security Model" +* +* (C) 2010 Falko Strenzke +* (C) 2015,2016 Jack Lloyd +* +* Botan is released under the Simplified BSD License (see license.txt) +*/ + +#ifndef BOTAN_TIMING_ATTACK_CM_H__ +#define BOTAN_TIMING_ATTACK_CM_H__ + +#include +#include + +namespace Botan { + +namespace CT { + +/* +* T should be an unsigned machine integer type +* Expand to a mask used for other operations +* @param in an integer +* @return If n is zero, returns zero. Otherwise +* returns a T with all bits set for use as a mask with +* select. +*/ +template +inline T expand_mask(T x) + { + T r = x; + // First fold r down to a single bit + for(size_t i = 1; i != sizeof(T)*8; i *= 2) + r |= r >> i; + r &= 1; + r = ~(r - 1); + return r; + } + +template +inline T select(T mask, T from0, T from1) + { + return (from0 & mask) | (from1 & ~mask); + } + +template +inline ValT val_or_zero(PredT pred_val, ValT val) + { + return select(CT::expand_mask(pred_val), val, static_cast(0)); + } + +template +inline T is_zero(T x) + { + return ~expand_mask(x); + } + +template +inline T is_equal(T x, T y) + { + return is_zero(x ^ y); + } + +template +inline T is_less(T x, T y) + { + /* + This expands to a constant time sequence with GCC 5.2.0 on x86-64 + but something more complicated may be needed for portable const time. 
+ */ + return expand_mask(x < y); + } + +template +inline T is_lte(T x, T y) + { + return expand_mask(x <= y); + } + +template +inline void conditional_copy_mem(T value, + T* to, + const T* from0, + const T* from1, + size_t elems) + { + const T mask = CT::expand_mask(value); + + for(size_t i = 0; i != elems; ++i) + { + to[i] = CT::select(mask, from0[i], from1[i]); + } + } + +template +inline void cond_zero_mem(T cond, + T* array, + size_t elems) + { + const T mask = CT::expand_mask(cond); + const T zero(0); + + for(size_t i = 0; i != elems; ++i) + { + array[i] = CT::select(mask, zero, array[i]); + } + } + +template +inline T expand_top_bit(T a) + { + return expand_mask(a >> (sizeof(T)*8-1)); + } + +template +inline T max(T a, T b) + { + const T a_larger = b - a; // negative if a is larger + return select(expand_top_bit(a), a, b); + } + +template +inline T min(T a, T b) + { + const T a_larger = b - a; // negative if a is larger + return select(expand_top_bit(b), b, a); + } + +} + +} + +#endif diff --git a/src/utils/info.txt b/src/utils/info.txt index fcf16bd..57b6a27 100644 --- a/src/utils/info.txt +++ b/src/utils/info.txt @@ -16,6 +16,7 @@ version.cpp assert.h bit_ops.h +ct_utils.h mlock.h prefetch.h rounding.h debian/patches/arm64-support.patch0000664000000000000000000000243212311102536014276 0ustar Description: Add support for arm64. Author: Adam Conrad Index: botan1.10-1.10.5/src/build-data/arch/aarch64.txt =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ botan1.10-1.10.5/src/build-data/arch/aarch64.txt 2014-03-15 10:52:05.448011048 -0600 @@ -0,0 +1,6 @@ +endian little + + +arm64 # For Debian + + Index: botan1.10-1.10.5/src/build-data/cc/gcc.txt =================================================================== --- botan1.10-1.10.5.orig/src/build-data/cc/gcc.txt 2014-03-15 10:52:05.452011048 -0600 +++ botan1.10-1.10.5/src/build-data/cc/gcc.txt 2014-03-15 10:52:05.448011048 -0600 
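Review bot: `CT::max` and `CT::min` at the end of the new header compute `a_larger = b - a` and then ignore it, selecting on `expand_top_bit(a)` and `expand_top_bit(b)` respectively, i.e. on the sign bit of an operand rather than of the difference, so for a byte `max(0x20, 0x10)` returns `0x10` and `min(0x20, 0x10)` returns `0x20`. The intended lines are `return select(expand_top_bit(a_larger), a, b);` in `max` and `return select(expand_top_bit(a_larger), b, a);` in `min`, and the comment should state the precondition that the operands differ by less than half the type's range, since that is what makes the top bit of `b - a` a sign. Nothing else in this patch calls either helper as far as the visible hunks show, so the fix is self-contained.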
@@ -74,6 +74,7 @@ alpha -> "-mcpu=SUBMODEL" alpha- arm -> "-march=SUBMODEL" +aarch64 -> "-mtune=generic" superh -> "-mSUBMODEL" sh hppa -> "-march=SUBMODEL" hppa ia64 -> "-mtune=SUBMODEL" Index: botan1.10-1.10.5/src/math/mp/mp_asm64/info.txt =================================================================== --- botan1.10-1.10.5.orig/src/math/mp/mp_asm64/info.txt 2014-03-15 10:52:05.452011048 -0600 +++ botan1.10-1.10.5/src/math/mp/mp_asm64/info.txt 2014-03-15 10:52:05.448011048 -0600 @@ -8,6 +8,7 @@ +aarch64 alpha ia64 mips64 debian/patches/ppc64el-support.patch0000664000000000000000000000623112311105377014631 0ustar Description: Add support for ppc64el. Author: Adam Conrad Index: botan1.10-1.10.5/src/build-data/arch/ppc64le.txt =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ botan1.10-1.10.5/src/build-data/arch/ppc64le.txt 2014-03-15 10:50:21.008012067 -0600 @@ -0,0 +1,21 @@ +endian little + +family ppc + + +powerpc64le +ppc64el + + + +power7 +power7p +power8 +power8e + + +# This should be enabled for all targets, but the Altivec code currently +# makes lots of endian assumptions that I don't have the time to fix up: +# +#altivec:all +# Index: botan1.10-1.10.5/src/build-data/cc/gcc.txt =================================================================== --- botan1.10-1.10.5.orig/src/build-data/cc/gcc.txt 2014-03-15 10:50:21.016012067 -0600 +++ botan1.10-1.10.5/src/build-data/cc/gcc.txt 2014-03-15 10:50:21.008012067 -0600 
@@ -82,6 +82,7 @@ mips64 -> "-mips3 -mcpu=SUBMODEL" mips64- ppc32 -> "-mcpu=SUBMODEL" ppc ppc64 -> "-mcpu=SUBMODEL" ppc +ppc64le -> "-mpcu=power7 -mtune=power8" ppc sparc32 -> "-mcpu=SUBMODEL -Wa,-xarch=v8plus" sparc32- sparc64 -> "-mcpu=v9 -mtune=SUBMODEL" x86_32 -> "-march=SUBMODEL -momit-leaf-frame-pointer" Index: botan1.10-1.10.5/src/math/mp/mp_asm64/info.txt =================================================================== --- botan1.10-1.10.5.orig/src/math/mp/mp_asm64/info.txt 2014-03-15 10:50:21.016012067 -0600 +++ botan1.10-1.10.5/src/math/mp/mp_asm64/info.txt 2014-03-15 10:50:21.008012067 -0600 @@ -12,6 +12,7 @@ ia64 mips64 ppc64 +ppc64le sparc64 Index: botan1.10-1.10.5/src/build-data/arch/ppc64.txt =================================================================== --- botan1.10-1.10.5.orig/src/build-data/arch/ppc64.txt 2014-03-15 10:50:21.016012067 -0600 +++ botan1.10-1.10.5/src/build-data/arch/ppc64.txt 2014-03-15 10:50:21.008012067 -0600 @@ -17,6 +17,9 @@ power5 power6 power7 +power7p +power8 +power8e cellppu @@ -25,5 +28,5 @@ -altivec:cellppu,ppc970,power6,power7 +altivec:cellppu,ppc970,power6,power7,power7p,power8,power8e Index: botan1.10-1.10.5/src/utils/cpuid.cpp =================================================================== --- botan1.10-1.10.5.orig/src/utils/cpuid.cpp 2014-03-15 10:50:21.016012067 -0600 +++ botan1.10-1.10.5/src/utils/cpuid.cpp 2014-03-15 10:50:21.012012067 -0600 @@ -157,6 +157,9 @@ const u16bit PVR_G5_970GX = 0x0045; const u16bit PVR_POWER6 = 0x003E; const u16bit PVR_POWER7 = 0x003F; + const u16bit PVR_POWER7p = 0x004A; + const u16bit PVR_POWER8 = 0x004D; + const u16bit PVR_POWER8E = 0x004B; const u16bit PVR_CELL_PPU = 0x0070; // Motorola produced G4s with PVR 0x800[0123C] (at least) 
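Review bot: The new `ppc64le` entry in `gcc.txt` passes `-mpcu=power7`, which is not a GCC option; the neighbouring `ppc32`/`ppc64` lines use `-mcpu=`, and GCC rejects unrecognized `-m` flags, so if `configure.py` emits this string for the chosen CPU the ppc64el build fails at the first compile, and if it does not the intended baseline is silently lost. Change the line to `ppc64le -> "-mcpu=power7 -mtune=power8" ppc`.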
@@ -177,6 +180,9 @@ altivec_capable |= (pvr == PVR_G5_970GX); altivec_capable |= (pvr == PVR_POWER6); altivec_capable |= (pvr == PVR_POWER7); + altivec_capable |= (pvr == PVR_POWER7p); + altivec_capable |= (pvr == PVR_POWER8); + altivec_capable |= (pvr == PVR_POWER8E); altivec_capable |= (pvr == PVR_CELL_PPU); #endif debian/patches/CVE-2014-9742.patch0000664000000000000000000000351112756166777013274 0ustar From: Markus Koschany Date: Mon, 25 Apr 2016 21:55:02 +0200 Subject: CVE-2014-9742 Fix a bug in Miller-Rabin primality testing introduced in 1.8.3 where we chose a single random nonce and tested it repeatedly, rather than choosing new nonces each time. Reported by Jeff Marrison. Also remove a pointless comparison (also pointed out by Jeff), add an initial test using a witness of 2, and increase the random nonces from 64 to 128 bits. Origin: https://github.com/randombit/botan/commit/16ce2413403979b7f64ecfaf37c12f529830d052 --- src/math/numbertheory/numthry.cpp | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/src/math/numbertheory/numthry.cpp b/src/math/numbertheory/numthry.cpp index c7896c1..535ca67 100644 --- a/src/math/numbertheory/numthry.cpp +++ b/src/math/numbertheory/numthry.cpp @@ -53,10 +53,8 @@ bool MillerRabin_Test::is_witness(const BigInt& a) return false; } - if(y != n_minus_1) // fails Fermat test - return true; - - return false; + // If we reached here then n fails the Fermat test + return true; } /* @@ -265,7 +263,7 @@ bool primality_test(const BigInt& n, RandomNumberGenerator& rng, size_t level) { - const size_t PREF_NONCE_BITS = 64; + const size_t PREF_NONCE_BITS = 128; if(n == 2) return true; 
@@ -295,17 +293,21 @@ bool primality_test(const BigInt& n, MillerRabin_Test mr(n); + if(mr.is_witness(2)) + return false; + const size_t tests = miller_rabin_test_iterations(n.bits(), level); - BigInt nonce; for(size_t i = 0; i != tests; ++i) { + BigInt nonce; while(nonce < 2 || nonce >= (n-1)) nonce.randomize(rng, NONCE_BITS); if(mr.is_witness(nonce)) return false; } + return true; } debian/watch0000664000000000000000000000010012115055317010210 0ustar version=3 http://files.randombit.net/botan/v1.8/Botan-(.*)\.tgz debian/compat0000664000000000000000000000000212115055317010366 0ustar 7 debian/libbotan1.10-dev.install0000664000000000000000000000016712115055317013432 0ustar /usr/bin/botan-config-1.* /usr/include/botan-1.* /usr/lib/*.a /usr/lib/libbotan-1.*.so /usr/lib/pkgconfig/botan-1.*.pc debian/source/0000775000000000000000000000000012115055317010470 5ustar debian/source/format0000664000000000000000000000001412115055317011676 0ustar 3.0 (quilt)
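Review bot: The added `if(mr.is_witness(2)) return false;` would benefit from a why-comment, since a fixed base next to the randomized loop looks like an oversight: `// A fixed witness of 2 cheaply rejects most composites before random nonces are spent`. With `BigInt nonce;` now declared inside the loop the `while(nonce < 2 || nonce >= (n-1))` rejection loop always runs at least once per iteration, which is the intended fix; note that for `n == 3` no nonce in [2, n-1) exists, so unless small n are filtered earlier in `primality_test` (that part lies outside the hunk) the loop cannot terminate — a pre-existing property, but worth confirming now that the nonce is regenerated every iteration.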