propagate from branch 'net.randombit.botan' (head fc8daa606ab7954eab48778d7236986747b719e4)

            to branch 'net.randombit.botan.c++0x' (head 2bf71b0a2e0e468d7eb3631e4ca284234f554729)

9 files changed, 83 insertions, 164 deletions

diff --git a/doc/api.tex b/doc/api.tex
index ffcc82c53..79c090c2a 100644
--- a/doc/api.tex
+++ b/doc/api.tex
@@ -2078,7 +2078,7 @@ additionally keyed. Both of these are derived from the base class
 \type{BufferedComputation}, which has the following functions.
 
 \noindent
-\type{size_t} \function{output\_length}()
+\type{size\_t} \function{output\_length}()
 
 Return the size of the output of this function.
 
diff --git a/doc/building.tex b/doc/building.tex
index 36a9f1140..7164f74eb 100644
--- a/doc/building.tex
+++ b/doc/building.tex
@@ -149,6 +149,19 @@ order for new shared libraries to be picked up by the linker. An
 alternative is to set your \texttt{LD\_LIBRARY\_PATH} shell variable
 to include the directory that the Botan libraries were installed into.
 
+\subsection{Mac OS X}
+
+In general the Unix instructions above should apply, however OS X does
+not support \texttt{LD\_LIBRARY\_PATH}. Thomas Keller suggests instead
+running \verb|install_name_tool| between building and running the
+self-test program:
+
+\begin{verbatim}
+  $ VERSION=1.9.10
+  $ install_name_tool -change $(otool -X -D libbotan-$VERSION.dylib) \
+       $PWD/libbotan-$VERSION.dylib check
+\end{verbatim}
+
 \subsection{MS Windows}
 
 If you don't want to deal with building botan on Windows, check the
diff --git a/doc/credits.txt b/doc/credits.txt
index 63ceae483..fde877e7b 100644
--- a/doc/credits.txt
+++ b/doc/credits.txt
@@ -1,20 +1,17 @@
-  This is the credits file of people that have contributed to Botan. It uses
-  the same format as the Linux credits file. Please keep it sorted by last
-  name.
-
-  The fields are:
-     N - name
-     E - email
-     W - web URL
-     P - PGP fingerprint
-     D - description
-     S - meatspace location
+This is at least a partial credits-file of people that have
+contributed to the Botan project. It is sorted by name and formatted
+to allow easy grepping and beautification by scripts. The fields are:
+name (N), email (E), web-address (W), PGP key ID and fingerprint (P),
+description (D), and snail-mail address (S).
+
+Thanks,
+  Jack Lloyd
 ----------
 
-N - Charles Brockman
-W - http://www.securitygenetics.com/
-D - documentation editing
-S - Oregon, USA
+N: Charles Brockman
+W: http://www.securitygenetics.com/
+D: documentation editing
+S: Oregon, USA
 
 N: Martin Doering
 E: [email protected]
diff --git a/doc/examples/dsa_kgen.cpp b/doc/examples/dsa_kgen.cpp
index e949ae54a..fe3157370 100644
--- a/doc/examples/dsa_kgen.cpp
+++ b/doc/examples/dsa_kgen.cpp
@@ -2,22 +2,10 @@
 * (C) 2009 Jack Lloyd
 *
 * Distributed under the terms of the Botan license
-*/
-
-
-/**
-Generate a 1024 bit DSA key and put it into a file. The public key
-format is that specified by X.509, while the private key format is
-PKCS #8.
-
-The domain parameters are the ones specified as the Java default DSA
-parameters. There is nothing special about these, it's just the only
-1024-bit DSA parameter set that's included in Botan at the time of
-this writing. The application always reads/writes all of the domain
-parameters to/from the file, so a new set could be used without any
-problems. We could generate a new set for each key, or read a set of
-DSA params from a file and use those, but they mostly seem like
-needless complications.
+*
+* Generate a 1024 bit DSA key and put it into a file. The public key
+* format is that specified by X.509, while the private key format is
+* PKCS #8.
 */
 
 #include <iostream>
diff --git a/doc/examples/new_engine.cpp b/doc/examples/new_engine.cpp
index 4a2339bef..42e5dbe33 100644
--- a/doc/examples/new_engine.cpp
+++ b/doc/examples/new_engine.cpp
@@ -39,7 +39,8 @@ class XOR_Cipher : public StreamCipher
 
       void key_schedule(const byte key[], size_t length)
          {
-         mask.set(key, length);
+         mask.resize(length);
+         copy_mem(&mask[0], key, length);
          }
 
       SecureVector<byte> mask;
diff --git a/doc/examples/tls_client.cpp b/doc/examples/tls_client.cpp
index 854cb3b28..10ead20cc 100644
--- a/doc/examples/tls_client.cpp
+++ b/doc/examples/tls_client.cpp
@@ -15,6 +15,22 @@ using namespace Botan;
 #include <iostream>
 #include <memory>
 
+class Client_TLS_Policy : public TLS_Policy
+   {
+   public:
+      bool check_cert(const std::vector<X509_Certificate>& certs) const
+         {
+         for(size_t i = 0; i != certs.size(); ++i)
+            {
+            std::cout << certs[i].to_string();
+            }
+
+         std::cout << "Warning: not checking cert signatures\n";
+
+         return true;
+         }
+   };
+
 int main(int argc, char* argv[])
    {
    if(argc != 2 && argc != 3)
@@ -37,7 +53,7 @@ int main(int argc, char* argv[])
       std::auto_ptr<Botan::RandomNumberGenerator> rng(
          Botan::RandomNumberGenerator::make_rng());
 
-      TLS_Policy policy;
+      Client_TLS_Policy policy;
 
       TLS_Client tls(std::tr1::bind(&Socket::read, std::tr1::ref(sock), _1, _2),
                      std::tr1::bind(&Socket::write, std::tr1::ref(sock), _1, _2),
diff --git a/doc/examples/tls_server.cpp b/doc/examples/tls_server.cpp
index e45a24759..91bb9ffbf 100644
--- a/doc/examples/tls_server.cpp
+++ b/doc/examples/tls_server.cpp
@@ -19,6 +19,21 @@ using namespace Botan;
 #include <iostream>
 #include <memory>
 
+class Server_TLS_Policy : public TLS_Policy
+   {
+   public:
+      bool check_cert(const std::vector<X509_Certificate>& certs) const
+         {
+         for(size_t i = 0; i != certs.size(); ++i)
+            {
+            std::cout << certs[i].to_string();
+            }
+
+         std::cout << "Warning: not checking cert signatures\n";
+
+         return true;
+         }
+   };
 int main(int argc, char* argv[])
    {
 
@@ -44,7 +59,7 @@ int main(int argc, char* argv[])
 
       Unix_Server_Socket listener(port);
 
-      TLS_Policy policy;
+      Server_TLS_Policy policy;
 
       while(true)
          {
diff --git a/doc/examples/x509info.cpp b/doc/examples/x509info.cpp
index 52cc4afbd..b22b4ebd8 100644
--- a/doc/examples/x509info.cpp
+++ b/doc/examples/x509info.cpp
@@ -7,48 +7,9 @@
 
 #include <botan/botan.h>
 #include <botan/x509cert.h>
-#include <botan/oids.h>
 using namespace Botan;
 
 #include <iostream>
-#include <iterator>
-#include <algorithm>
-
-namespace {
-
-std::string to_hex(const SecureVector<byte>& bin)
-   {
-   Pipe pipe(new Hex_Encoder);
-   pipe.process_msg(bin);
-   if(pipe.remaining())
-      return pipe.read_all_as_string();
-   else
-      return "(none)";
-   }
-
-void do_print(const std::string& what,
-              const std::vector<std::string>& vals)
-   {
-   if(vals.size() == 0)
-      return;
-
-   std::cout << "   " << what << ": ";
-   std::copy(vals.begin(), vals.end(),
-             std::ostream_iterator<std::string>(std::cout, " "));
-   std::cout << "\n";
-   }
-
-void do_subject(const X509_Certificate& cert, const std::string& what)
-   {
-   do_print(what, cert.subject_info(what));
-   }
-
-void do_issuer(const X509_Certificate& cert, const std::string& what)
-   {
-   do_print(what, cert.issuer_info(what));
-   }
-
-}
 
 int main(int argc, char* argv[])
    {
@@ -63,89 +24,7 @@ int main(int argc, char* argv[])
    try {
       X509_Certificate cert(argv[1]);
 
-      std::cout << "Version: " << cert.x509_version() << std::endl;
-
-      std::cout << "Subject" << std::endl;
-      do_subject(cert, "Name");
-      do_subject(cert, "Email");
-      do_subject(cert, "Organization");
-      do_subject(cert, "Organizational Unit");
-      do_subject(cert, "Locality");
-      do_subject(cert, "State");
-      do_subject(cert, "Country");
-      do_subject(cert, "IP");
-      do_subject(cert, "DNS");
-      do_subject(cert, "URI");
-      do_subject(cert, "PKIX.XMPPAddr");
-
-      std::cout << "Issuer" << std::endl;
-      do_issuer(cert, "Name");
-      do_issuer(cert, "Email");
-      do_issuer(cert, "Organization");
-      do_issuer(cert, "Organizational Unit");
-      do_issuer(cert, "Locality");
-      do_issuer(cert, "State");
-      do_issuer(cert, "Country");
-      do_issuer(cert, "IP");
-      do_issuer(cert, "DNS");
-      do_issuer(cert, "URI");
-
-      std::cout << "Validity" << std::endl;
-
-      std::cout << "   Not before: " << cert.start_time() << std::endl;
-      std::cout << "   Not after: " << cert.end_time() << std::endl;
-
-      std::cout << "Constraints" << std::endl;
-      Key_Constraints constraints = cert.constraints();
-      if(constraints == NO_CONSTRAINTS)
-         std::cout << "No constraints" << std::endl;
-      else
-         {
-         if(constraints & DIGITAL_SIGNATURE)
-            std::cout << "   Digital Signature\n";
-         if(constraints & NON_REPUDIATION)
-            std::cout << "   Non-Repuidation\n";
-         if(constraints & KEY_ENCIPHERMENT)
-            std::cout << "   Key Encipherment\n";
-         if(constraints & DATA_ENCIPHERMENT)
-            std::cout << "   Data Encipherment\n";
-         if(constraints & KEY_AGREEMENT)
-            std::cout << "   Key Agreement\n";
-         if(constraints & KEY_CERT_SIGN)
-            std::cout << "   Cert Sign\n";
-         if(constraints & CRL_SIGN)
-            std::cout << "   CRL Sign\n";
-         }
-
-      std::vector<std::string> policies = cert.policies();
-      if(policies.size())
-         {
-         std::cout << "Policies: " << std::endl;
-         for(u32bit j = 0; j != policies.size(); j++)
-            std::cout << "   " << policies[j] << std::endl;
-         }
-
-      std::vector<std::string> ex_constraints = cert.ex_constraints();
-      if(ex_constraints.size())
-         {
-         std::cout << "Extended Constraints: " << std::endl;
-         for(u32bit j = 0; j != ex_constraints.size(); j++)
-            std::cout << "   " << ex_constraints[j] << std::endl;
-         }
-
-      std::cout << "Signature algorithm: " <<
-         OIDS::lookup(cert.signature_algorithm().oid) << std::endl;
-
-      std::cout << "Serial: "
-                << to_hex(cert.serial_number()) << std::endl;
-      std::cout << "Authority keyid: "
-                << to_hex(cert.authority_key_id()) << std::endl;
-      std::cout << "Subject keyid: "
-                << to_hex(cert.subject_key_id()) << std::endl;
-
-      X509_PublicKey* pubkey = cert.subject_public_key();
-      std::cout << "Public Key:\n" << X509::PEM_encode(*pubkey);
-      delete pubkey;
+      std::cout << cert.to_string();
    }
    catch(std::exception& e)
       {
diff --git a/doc/log.txt b/doc/log.txt
index c8c9a477e..6ec755052 100644
--- a/doc/log.txt
+++ b/doc/log.txt
@@ -1,22 +1,32 @@
 
-* 1.9.11-dev, ????-??-??
- - Update Skein-512 to match the v1.3 specification
+* 1.9.11, 2010-11-29
+ - Many SSL/TLS APIs have changed. This API is still unstable.
+ - The SSL interface requires TR1 (uses std::tr1::function)
  - Fix SSL handshake failures when using RC4 ciphersuites
  - Fix a number of CRL encoding and decoding bugs
+ - Counter mode now always encrypts 256 blocks in parallel
+ - Code where u32bit was used to represent a length now uses size_t
  - Use small tables in the first round of AES
+ - Removed AES class: app must choose AES-128, AES-192, or AES-256
  - Add hex encoding/decoding functions that can be used without a Pipe
  - Add base64 encoding functions that can be used without a Pipe
+ - Add to_string function to X509_Certificate
  - Add support for dynamic engine loading on Windows
- - Allow using PBKDF2 with empty passphrases
- - Switch default PKCS #8 encryption algorithm from AES-128 to AES-256
- - Support use of HMAC(SHA-256) and CMAC(Blowfish) in passhash9
- - Use size_t instead of u32bit for length fields
  - Replace BlockCipher::BLOCK_SIZE attribute with function block_size()
  - Replace HashFunction::HASH_BLOCK_SIZE attribute with hash_block_size()
  - Changed semantics of MemoryRegion::resize and clear to match STL
  - Removed MemoryRegion::append, replaced by push_back and operator+=
+ - Move PBKDF lookup to engine system
+ - The IDEA key schedule has been changed to run in constant time
+ - Avoid a possible timing vulnerability in Montgomery reduction
+ - Add Algorithm and Key_Length_Specification classes
+ - Switch default PKCS #8 encryption algorithm from AES-128 to AES-256
+ - Update Skein-512 to match the v1.3 specification
+ - Allow using PBKDF2 with empty passphrases
+ - Add compile-time deprecation warnings for GCC, Clang, and MSVC
+ - Support use of HMAC(SHA-256) and CMAC(Blowfish) in passhash9
  - Improve support for Intel Atom processors
- - Fix compilation under Sun Studio
+ - Fix compilation problems under Sun Studio and Clang
 
 * 1.8.11, 2010-11-02
  - Fix a number of CRL encoding and decoding bugs