diff options
Diffstat (limited to 'doc')
71 files changed, 7061 insertions, 7377 deletions
diff --git a/doc/_templates/layout.html b/doc/_templates/layout.html new file mode 100644 index 000000000..c907c7597 --- /dev/null +++ b/doc/_templates/layout.html @@ -0,0 +1,9 @@ +{% extends "!layout.html" %} + +{% block header %} + <div class="header-wrapper"> + <div class="header"> + <h1>{{ shorttitle|e }}</h1> + </div> + </div> +{% endblock %} diff --git a/doc/algos.txt b/doc/algos.txt new file mode 100644 index 000000000..119b81a7f --- /dev/null +++ b/doc/algos.txt @@ -0,0 +1,90 @@ + +.. _algo_list: + +Algorithms +======================================== + +Supported Algorithms +---------------------------------------- + +Botan provides a number of different cryptographic algorithms and +primitives, including: + +* Public key cryptography + + * Encryption algorithms RSA, ElGamal, DLIES (padding schemes OAEP, + PKCS #1 v1.5) + * Signature algorithms RSA, DSA, ECDSA, GOST 34.10-2001, + Nyberg-Rueppel, Rabin-Williams (padding schemes PSS, PKCS #1 v1.5, + X9.31) + * Key agreement techniques Diffie-Hellman and ECDH + +* Hash functions + + * NIST hashes: SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 + * RIPE hashes: RIPEMD-160 and RIPEMD-128 + * SHA-3 candidates Skein-512, Keccak, and Blue Midnight Wish-512 + * Other common hash functions Whirlpool and Tiger + * National standard hashes HAS-160 and GOST 34.11 + * Obsolete or insecure hashes MD5, MD4, MD2 + * Non-cryptographic checksums Adler32, CRC24, CRC32 + +* Block ciphers + + * AES (Rijndael) and AES candidates Serpent, Twofish, MARS, CAST-256, RC6 + * DES, and variants 3DES and DESX + * National/telecom block ciphers SEED, KASUMI, MISTY1, GOST 28147, Skipjack + * Other block ciphers including Blowfish, CAST-128, IDEA, Noekeon, + TEA, XTEA, RC2, RC5, SAFER-SK, and Square + * Block cipher constructions Luby-Rackoff and Lion + * Block cipher modes ECB, CBC, CBC/CTS, CFB, OFB, CTR, XTS and + authenticated cipher mode EAX + +* Stream ciphers ARC4, Salsa20/XSalsa20, Turing, and WiderWake4+1 + +* Authentication codes HMAC, CMAC (aka OMAC1), CBC-MAC, ANSI X9.19 + DES-MAC, and the protocol-specific SSLv3 authentication code + +* Public Key Infrastructure + + * X.509 certificates (including generating new self-signed and CA + certs) and CRLs + * Certificate path validation + * PKCS #10 certificate requests (creation and certificate issue) + +* Other cryptographic utility functions including + + * Key derivation functions for passwords: PBKDF1 (PKCS #5 v1.5), + PBKDF2 (PKCS #5 v2.0), OpenPGP S2K (RFC 2440) + * General key derivation functions KDF1 and KDF2 from IEEE 1363 + * PRFs from ANSI X9.42, SSL v3.0, TLS v1.0 + +Recommended Algorithms +--------------------------------- + +This section is by no means the last word on selecting which +algorithms to use. However, botan includes a sometimes bewildering +array of possible algorithms, and unless you're familiar with the +latest developments in the field, it can be hard to know what is +secure and what is not. The following attributes of the algorithms +were evaluated when making this list: security, standardization, +patent status, support by other implementations, and efficiency (in +roughly that order). + +It is intended as a set of simple guidelines for developers, and +nothing more. It's entirely possible that there are algorithms that +will turn out to be more secure than the ones listed, but the +algorithms listed here are (currently) thought to be safe. + +* Block ciphers: AES or Serpent in CBC, CTR, or XTS mode + +* Hash functions: SHA-256, SHA-512 + +* MACs: HMAC with any recommended hash function + +* Public Key Encryption: RSA with "EME1(SHA-256)" + +* Public Key Signatures: RSA with EMSA4 and any recommended hash, or + DSA or ECDSA with "EMSA1(SHA-256)" + +* Key Agreement: Diffie-Hellman or ECDH, with "KDF2(SHA-256)" diff --git a/doc/api.tex b/doc/api.tex deleted file mode 100644 index 79c090c2a..000000000 --- a/doc/api.tex +++ /dev/null @@ -1,2964 +0,0 @@ -\documentclass{article} - -\setlength{\textwidth}{6.5in} -\setlength{\textheight}{9in} - -\setlength{\headheight}{0in} -\setlength{\topmargin}{0in} -\setlength{\headsep}{0in} - -\setlength{\oddsidemargin}{0in} -\setlength{\evensidemargin}{0in} - -\title{\textbf{Botan Reference Manual}} -\author{} -\date{2010/06/14} - -\newcommand{\filename}[1]{\texttt{#1}} -\newcommand{\manpage}[2]{\texttt{#1}(#2)} - -\newcommand{\macro}[1]{\texttt{#1}} - -\newcommand{\function}[1]{\textbf{#1}} -\newcommand{\keyword}[1]{\texttt{#1}} -\newcommand{\type}[1]{\texttt{#1}} -\renewcommand{\arg}[1]{\textsl{#1}} -\newcommand{\namespace}[1]{\texttt{#1}} - -\newcommand{\url}[1]{\texttt{#1}} - -\newcommand{\ie}[0]{\emph{i.e.}} -\newcommand{\eg}[0]{\emph{e.g.}} - -\begin{document} - -\maketitle - -\tableofcontents - -\parskip=5pt - -\pagebreak - -\section{Introduction} - -Botan is a C++ library that attempts to provide the most common -cryptographic algorithms and operations in an easy to use, efficient, -and portable way. It runs on a wide variety of systems, and can be -used with a number of different compilers. - -The base library is written in ISO C++, so it can be ported with -minimal fuss, but Botan also supports a modules system. This system -exposes system dependent code to the library through portable -interfaces, extending the set of services available to users. - -\subsection{Recommended Reading} - -It's a very good idea if you have some knowledge of cryptography prior -to trying to use this stuff. You really should read at least one and -ideally all of these books before seriously using the library. - -\setlength{\parskip}{5pt} - -\noindent -\textit{Cryptography Engineering}, Niels Ferguson, Bruce Schneier, and -Tadayoshi Kohno; Wiley - -\noindent -\textit{Security Engineering -- A Guide to Building Dependable - Distributed Systems}, Ross Anderson; Wiley - -\noindent -\textit{Handbook of Applied Cryptography}, Alfred J. Menezes, -Paul C. Van Oorschot, and Scott A. Vanstone; CRC Press (available -online at \url{http://www.cacr.math.uwaterloo.ca/hac/}) - -\subsection{Targets} - -Botan's primary targets (system-wise) are 32 and 64-bit CPUs, with a -flat memory address space of at least 32 bits. Given the choice -between optimizing for 32-bit systems and 64-bit systems, Botan is -written to prefer 64-bit, on the theory that where performance is a -real concern, modern 64-bit processors are the obvious choice. - -Smaller handhelds, set-top boxes, and the bigger smart phones and smart -cards, are also capable of using Botan. However, Botan uses a -large amount of code space (up to several megabytes, depending upon -the compiler and options used), which could be prohibitive in some -systems. Usage of RAM is modest, usually under 64K. - -Botan's design makes it quite easy to remove unused algorithms in such -a way that applications do not need to be recompiled to work, even -applications that use the algorithms in question. They can ask Botan -if the algorithm exists, and if Botan says yes, ask the library to -give them such an object for that algorithm. - -\section{Getting Started} - -\subsection{Basic Conventions} - -With a very small number of exceptions, declarations in the library -are contained within the namespace \namespace{Botan}. Botan declares -several \keyword{typedef}'ed types to help buffer it against changes -in machine architecture. These types are used extensively in the -interface, thus it would be often be convenient to use them without -the \namespace{Botan} prefix. You can do so by \keyword{using} the -namespace \namespace{Botan\_types} (this way you can use the type -names without the namespace prefix, but the remainder of the library -stays out of the global namespace). The included types are \type{byte} -and \type{u32bit}, which are unsigned integer types. - -The headers for Botan are usually available in the form -\filename{botan/headername.h}. For brevity in this documentation, -headers are always just called \filename{headername.h}, but they -should be used with the \filename{botan/} prefix in your actual code. - -\subsection{Initializing the Library} - -There is a set of core services that the library needs access to while -it is performing requests. To ensure these are set up, you must create -a \type{LibraryInitializer} object (usually called 'init' in Botan -example code; 'botan\_library' or 'botan\_init' may make more sense in -real applications) prior to making any calls to Botan. This object's -lifetime must exceed that of all other Botan objects your application -creates; for this reason the best place to create the -\type{LibraryInitializer} is at the start of your \function{main} -function, since this guarantees that it will be created first and -destroyed last (via standard C++ RAII rules). The initializer does -things like setting up the memory allocation system and algorithm -lookup tables, finding out if there is a high resolution timer -available to use, and similar such matters. With no arguments, the -library is initialized with various default settings. So (unless you -are writing threaded code; see below), all you need is: - -\texttt{Botan::LibraryInitializer init;} - -at the start of your \texttt{main}. - -The constructor takes an optional string that specifies arguments. -Currently the only possible argument is ``thread\_safe'', which must -have an boolean argument (for instance ``thread\_safe=false'' or -``thread\_safe=true''). If ``thread\_safe'' is specified as true the -library will attempt to register a mutex type to properly guard access -to shared resources. However these locks do not protect individual -Botan objects: explicit locking must be used if you wish to share a -single object between threads. - -If you do not create a \type{LibraryInitializer} object, all library -operations will fail, because it will be unable to do basic things -like allocate memory or get random bits. You should never create more -than one \type{LibraryInitializer}. - -It is not strictly necessary to create a \type{LibraryInitializer}; -the actual code performing the initialization and shutdown are in -static member functions of \type{LibraryInitializer}, called -\function{initialize} and \function{deinitialize}. A -\type{LibraryInitializer} merely provides a convenient RAII wrapper -for the operations (thus for the internal library state as well). - -\subsection{Pitfalls} - -There are a few things to watch out for to prevent problems when using Botan. - -Never allocate any kind of Botan object globally. The problem with -doing this is that the constructor for such an object will be called -before the library is initialized. Many Botan objects will, in their -constructor, make one or more calls into the library global state -object. Access to this object is checked, so an exception should be -thrown (rather than a memory access violation or undetected -uninitialized object access). A rough equivalent that will work is to -keep a global pointer to the object, initializing it after creating -your \type{LibraryInitializer}. Merely making the -\type{LibraryInitializer} also global will probably not help, because -C++ does not make very strong guarantees about the order that such -objects will be created. - -The same rule applies for making sure the destructors of all your -Botan objects are called before the \type{LibraryInitializer} is -destroyed. This implies you can't have static variables that are Botan -objects inside functions or classes; in many C++ runtimes, these -objects will be destroyed after main has returned. - -Botan's memory object classes (\type{MemoryRegion}, -\type{MemoryVector}, \type{SecureVector}) are extremely primitive, and -meant only for secure storage of potentially sensitive data like -keys. They do not meet the requirements for an STL container object -and you should not try to use them with STL algorithms. For a -general-purpose container, use \type{std::vector}. - -Use a \function{try}/\function{catch} block inside your -\function{main} function, and catch any \type{std::exception} throws -(remember to catch by reference, as \type{std::exception}'s -\function{what} method is polymorphic). This is not strictly required, -but if you don't, and Botan throws an exception, the runtime will call -\function{std::terminate}, which usually calls \function{abort} or -something like it, leaving you (or worse, a user of your application) -wondering what went wrong. - -\subsection{Information Flow: Pipes and Filters} - -Many common uses of cryptography involve processing one or more -streams of data. Botan provides services that make setting up data -flows through various operations, such as compression, encryption, and -base64 encoding. Each of these operations is implemented in what are -called \emph{filters} in Botan. A set of filters are created and -placed into a \emph{pipe}, and information ``flows'' through the pipe -until it reaches the end, where the output is collected for -retrieval. If you're familiar with the Unix shell environment, this -design will sound quite familiar. - -Here is an example that uses a pipe to base64 encode some strings: - -\begin{verbatim} - Pipe pipe(new Base64_Encoder); // pipe owns the pointer - pipe.start_msg(); - pipe.write(``message 1''); - pipe.end_msg(); // flushes buffers, increments message number - - // process_msg(x) is start_msg() && write(x) && end_msg() - pipe.process_msg(``message2''); - - std::string m1 = pipe.read_all_as_string(0); // ``message1'' - std::string m2 = pipe.read_all_as_string(1); // ``message2'' -\end{verbatim} - -Bytestreams in the pipe are grouped into messages; blocks of data that -are processed in an identical fashion (\ie, with the same sequence of -\type{Filter}s). Messages are delimited by calls to -\function{start\_msg} and \function{end\_msg}. Each message in a pipe -has its own identifier, which currently is an integer that increments -up from zero. - -As you can see, the \type{Base64\_Encoder} was allocated using -\keyword{new}; but where was it deallocated? When a filter object is -passed to a \type{Pipe}, the pipe takes ownership of the object, and -will deallocate it when it is no longer needed. - -There are two different ways to make use of messages. One is to send -several messages through a \type{Pipe} without changing the -\type{Pipe}'s configuration, so you end up with a sequence of -messages; one use of this would be to send a sequence of identically -encrypted UDP packets, for example (note that the \emph{data} need not -be identical; it is just that each is encrypted, encoded, signed, etc -in an identical fashion). Another is to change the filters that are -used in the \type{Pipe} between each message, by adding or removing -\type{Filter}s; functions that let you do this are documented in the -Pipe API section. - -Botan has about 40 filters that perform different operations on data. -Here's code that uses one of them to encrypt a string with AES: - -\begin{verbatim} - AutoSeeded_RNG rng, - SymmetricKey key(rng, 16); // a random 128-bit key - InitializationVector iv(rng, 16); // a random 128-bit IV - - // The algorithm we want is specified by a string - Pipe pipe(get_cipher(``AES-128/CBC'', key, iv, ENCRYPTION)); - - pipe.process_msg(``secrets''); - pipe.process_msg(``more secrets''); - - MemoryVector<byte> c1 = pipe.read_all(0); - - byte c2[4096] = { 0 }; - u32bit got_out = pipe.read(c2, sizeof(c2), 1); - // use c2[0...got_out] -\end{verbatim} - -Note the use of \type{AutoSeeded\_RNG}, which is a random number -generator. If you want to, you can explicitly set up the random number -generators and entropy sources you want to, however for 99\% of cases -\type{AutoSeeded\_RNG} is preferable. - -\type{Pipe} also has convenience methods for dealing with -\type{std::iostream}s. Here is an example of those, using the -\type{Bzip\_Compression} filter (included as a module; if you have -bzlib available, check \filename{building.pdf} for how to enable it) -to compress a file: - -\begin{verbatim} - std::ifstream in(``data.bin'', std::ios::binary) - std::ofstream out(``data.bin.bz2'', std::ios::binary) - - Pipe pipe(new Bzip_Compression); - - pipe.start_msg(); - in >> pipe; - pipe.end_msg(); - out << pipe; -\end{verbatim} - -However there is a hitch to the code above; the complete contents of -the compressed data will be held in memory until the entire message -has been compressed, at which time the statement \verb|out << pipe| is -executed, and the data is freed as it is read from the pipe and -written to the file. But if the file is very large, we might not have -enough physical memory (or even enough virtual memory!) for that to be -practical. So instead of storing the compressed data in the pipe for -reading it out later, we divert it directly to the file: - -\begin{verbatim} - std::ifstream in(``data.bin'', std::ios::binary) - std::ofstream out(``data.bin.bz2'', std::ios::binary) - - Pipe pipe(new Bzip_Compression, new DataSink_Stream(out)); - - pipe.start_msg(); - in >> pipe; - pipe.end_msg(); -\end{verbatim} - -This is the first code we've seen so far that uses more than one -filter in a pipe. The output of the compressor is sent to the -\type{DataSink\_Stream}. Anything written to a \type{DataSink\_Stream} -is written to a file; the filter produces no output. As soon as the -compression algorithm finishes up a block of data, it will send it along, -at which point it will immediately be written to disk; if you were to -call \verb|pipe.read_all()| after \verb|pipe.end_msg()|, you'd get an -empty vector out. - -Here's an example using two computational filters: - -\begin{verbatim} - AutoSeeded_RNG rng, - SymmetricKey key(rng, 32); - InitializationVector iv(rng, 16); - - Pipe encryptor(get_cipher("AES/CBC/PKCS7", key, iv, ENCRYPTION), - new Base64_Encoder); - - encryptor.start_msg(); - file >> encryptor; - encryptor.end_msg(); // flush buffers, complete computations - std::cout << encryptor; -\end{verbatim} - -\subsection{Fork} - -It is common that you might receive some data and want to -perform more than one operation on it (\ie, encrypt it with Serpent -and calculate the SHA-256 hash of the plaintext at the same -time). That's where \type{Fork} comes in. \type{Fork} is a filter that -takes input and passes it on to \emph{one or more} \type{Filter}s -that are attached to it. \type{Fork} changes the nature of the pipe -system completely. Instead of being a linked list, it becomes a tree. - -Each \type{Filter} in the fork is given its own output buffer, and -thus its own message. For example, if you had previously written two -messages into a \type{Pipe}, then you start a new one with a -\type{Fork} that has three paths of \type{Filter}'s inside it, you -add three new messages to the \type{Pipe}. The data you put into the -\type{Pipe} is duplicated and sent into each set of \type{Filter}s, -and the eventual output is placed into a dedicated message slot in the -\type{Pipe}. - -Messages in the \type{Pipe} are allocated in a depth-first manner. This is only -interesting if you are using more than one \type{Fork} in a single \type{Pipe}. -As an example, consider the following: - -\begin{verbatim} - Pipe pipe(new Fork( - new Fork( - new Base64_Encoder, - new Fork( - NULL, - new Base64_Encoder - ) - ), - new Hex_Encoder - ) - ); -\end{verbatim} - -In this case, message 0 will be the output of the first \type{Base64\_Encoder}, -message 1 will be a copy of the input (see below for how \type{Fork} interprets -NULL pointers), message 2 will be the output of the second -\type{Base64\_Encoder}, and message 3 will be the output of the -\type{Hex\_Encoder}. As you can see, this results in message numbers being -allocated in a top to bottom fashion, when looked at on the screen. However, -note that there could be potential for bugs if this is not anticipated. For -example, if your code is passed a \type{Filter}, and you assume it is a -``normal'' one that only uses one message, your message offsets would be -wrong, leading to some confusion during output. - -If Fork's first argument is a null pointer, but a later argument is -not, then Fork will feed a copy of its input directly through. Here's -a case where that is useful: - -\begin{verbatim} - // have std::string ciphertext, auth_code, key, iv, mac_key; - - Pipe pipe(new Base64_Decoder, - get_cipher(``AES-128'', key, iv, DECRYPTION), - new Fork( - 0 - new MAC_Filter(``HMAC(SHA-1)'', mac_key) - ) - ); - - pipe.process_msg(ciphertext); - std::string plaintext = pipe.read_all_as_string(0); - SecureVector<byte> mac = pipe.read_all(1); - - if(mac != auth_code) - error(); -\end{verbatim} - -Here we wanted to not only decrypt the message, but send the decrypted -text through an additional computation, in order to compute the -authentication code. - -Any \type{Filter}s that are attached to the \type{Pipe} after the -\type{Fork} are implicitly attached onto the first branch created by -the fork. For example, let's say you created this \type{Pipe}: - -\begin{verbatim} -Pipe pipe(new Fork(new Hash_Filter("MD5"), new Hash_Filter("SHA-1")), - new Hex_Encoder); -\end{verbatim} - -And then called \function{start\_msg}, inserted some data, then -\function{end\_msg}. Then \arg{pipe} would contain two messages. The -first one (message number 0) would contain the MD5 sum of the input in -hex encoded form, and the other would contain the SHA-1 sum of the -input in raw binary. However, it's much better to use a \type{Chain} -instead. - -\subsubsection{Chain} - -A \type{Chain} filter creates a chain of \type{Filter}s and -encapsulates them inside a single filter (itself). This allows a -sequence of filters to become a single filter, to be passed into or -out of a function, or to a \type{Fork} constructor. - -You can call \type{Chain}'s constructor with up to 4 \type{Filter*}s -(they will be added in order), or with an array of \type{Filter*}s and -a \type{u32bit} that tells \type{Chain} how many \type{Filter*}s are -in the array (again, they will be attached in order). Here's the -example from the last section, using chain instead of relying on the -obscure rule that version used. - -\begin{verbatim} - Pipe pipe(new Fork( - new Chain(new Hash_Filter("MD5"), new Hex_Encoder), - new Hash_Filter("SHA-1") - ) - ); -\end{verbatim} - -\subsection{The Pipe API} - -\subsubsection{Initializing Pipe} - -By default, \type{Pipe} will do nothing at all; any input placed into -the \type{Pipe} will be read back unchanged. Obviously, this has -limited utility, and presumably you want to use one or more -\type{Filter}s to somehow process the data. First, you can choose a -set of \type{Filter}s to initialize the \type{Pipe} via the -constructor. You can pass it either a set of up to 4 \type{Filter*}s, -or a pre-defined array and a length: - -\begin{verbatim} - Pipe pipe1(new Filter1(/*args*/), new Filter2(/*args*/), - new Filter3(/*args*/), new Filter4(/*args*/)); - Pipe pipe2(new Filter1(/*args*/), new Filter2(/*args*/)); - - Filter* filters[5] = { - new Filter1(/*args*/), new Filter2(/*args*/), new Filter3(/*args*/), - new Filter4(/*args*/), new Filter5(/*args*/) /* more if desired... */ - }; - Pipe pipe3(filters, 5); -\end{verbatim} - -This is by far the most common way to initialize a \type{Pipe}. However, -occasionally a more flexible initialization strategy is necessary; this is -supported by 4 member functions: \function{prepend}(\type{Filter*}), -\function{append}(\type{Filter*}), \function{pop}(), and \function{reset}(). -These functions may only be used while the \type{Pipe} in question is not in -use; that is, either before calling \function{start\_msg}, or after -\function{end\_msg} has been called (and no new calls to \function{start\_msg} -have been made yet). - -The function \function{reset}() removes all the \type{Filter}s that -the \type{Pipe} is currently using~--~it is reset to an initialize, -``empty'' state. Any data that is being retained by the \type{Pipe} -is retained after a \function{reset}(), and \function{reset}() does -not affect the message numbers (discussed later). - -Calling \function{prepend} and \function{append} will either prepend -or append the passed \type{Filter} object to the list of -transformations. For example, if you \function{prepend} a -\type{Filter} implementing encryption, and the \type{Pipe} already had -a \type{Filter} that hex encoded the input, then the next set of -input would be first encrypted, then hex encoded. Alternately, if you -called \function{append}, then the input would be first be hex -encoded, and then encrypted (which is not terribly useful in this -particular example). - -Finally, calling \function{pop}() will remove the first transformation -of the \type{Pipe}. Say we had called \function{prepend} to put an -encryption \type{Filter} into a \type{Pipe}; calling \function{pop}() -would remove this \type{Filter} and return the \type{Pipe} to its -state before we called \function{prepend}. - -\subsubsection{Giving Data to a Pipe} - -Input to a \type{Pipe} is delimited into messages, which can be read from -independently (\ie, you can read 5 bytes from one message, and then all of -another message, without either read affecting any other messages). The -messages are delimited by calls to \function{start\_msg} and -\function{end\_msg}. In between these two calls, you can write data into a -\type{Pipe}, and it will be processed by the \type{Filter}(s) that it -contains. Writes at any other time are invalid, and will result in an -exception. - -As to writing, you can call any of the functions called \function{write}(), -that can take any of: a \type{byte[]}/\type{u32bit} pair, a -\type{SecureVector<byte>}, a \type{std::string}, a \type{DataSource\&}, or a -single \type{byte}. - -Sometimes, you may want to do only a single write per message. In this case, -you can use the \function{process\_msg} series of functions, which start a -message, write their argument into the \type{Pipe}, and then end the -message. In this case you would not make any explicit calls to -\function{start\_msg}/\function{end\_msg}. The version of \function{write} -that takes a single \type{byte} is not supported by \function{process\_msg}, -but all the other variants are. - -\type{Pipe} can also be used with the \verb|>>| operator, and will accept a -\type{std::istream}, (or on Unix systems with the \verb|fd_unix| module), a -Unix file descriptor. In either case, the entire contents of the file will be -read into the \type{Pipe}. - -\subsubsection{Getting Output from a Pipe} - -Retrieving the processed data from a \type{Pipe} is a bit more complicated, for -various reasons. In particular, because \type{Pipe} will separate each message -into a separate buffer, you have to be able to retrieve data from each message -independently. Each of \type{Pipe}'s read functions has a final parameter that -specifies what message to read from (as a 32-bit integer). If this parameter is -set to \type{Pipe::DEFAULT\_MESSAGE}, it will read the current default message -(\type{DEFAULT\_MESSAGE} is also the default value of this parameter). The -parameter will not be mentioned in further discussion of the reading API, but -it is always there (unless otherwise noted). - -Reading is done with a variety of functions. The most basic are \type{u32bit} -\function{read}(\type{byte} \arg{out}[], \type{u32bit} \arg{len}) and -\type{u32bit} \function{read}(\type{byte\&} \arg{out}). Each reads into -\arg{out} (either up to \arg{len} bytes, or a single byte for the one taking a -\type{byte\&}), and returns the total number of bytes read. There is a variant -of these functions, all named \function{peek}, which performs the same -operations, but does not remove the bytes from the message (reading is a -destructive operation with a \type{Pipe}). - -There are also the functions \type{SecureVector<byte>} \function{read\_all}(), -and \type{std::string} \function{read\_all\_as\_string}(), which return the -entire contents of the message, either as a memory buffer, or a -\type{std::string} (which is generally only useful if the \type{Pipe} has -encoded the message into a text string, such as when a \type{Base64\_Encoder} -is used). - -To determine how many bytes are left in a message, call \type{u32bit} -\function{remaining}() (which can also take an optional message -number). Finally, there are some functions for managing the default message -number: \type{u32bit} \function{default\_msg}() will return the current default -message, \type{u32bit} \function{message\_count}() will return the total number -of messages (0...\function{message\_count}()-1), and -\function{set\_default\_msg}(\type{u32bit} \arg{msgno}) will set a new default -message number (which must be a valid message number for that \type{Pipe}). The -ability to set the default message number is particularly important in the case -of using the file output operations (\verb|<<| with a \type{std::ostream} or -Unix file descriptor), because there is no way to specify it explicitly when -using the output operator. - -\subsection{A Filter Example} - -Here is some code that takes one or more filenames in \arg{argv} and -calculates the result of several hash functions for each file. The complete -program can be found as \filename{hasher.cpp} in the Botan distribution. For -brevity, error checking has been removed. - -\begin{verbatim} - string name[3] = { "MD5", "SHA-1", "RIPEMD-160" }; - Botan::Filter* hash[3] = { - new Botan::Chain(new Botan::Hash_Filter(name[0]), - new Botan::Hex_Encoder), - new Botan::Chain(new Botan::Hash_Filter(name[1]), - new Botan::Hex_Encoder), - new Botan::Chain(new Botan::Hash_Filter(name[2]), - new Botan::Hex_Encoder) }; - - Botan::Pipe pipe(new Botan::Fork(hash, COUNT)); - - for(u32bit j = 1; argv[j] != 0; j++) - { - ifstream file(argv[j]); - pipe.start_msg(); - file >> pipe; - pipe.end_msg(); - file.close(); - for(u32bit k = 0; k != 3; k++) - { - pipe.set_default_msg(3*(j-1)+k); - cout << name[k] << "(" << argv[j] << ") = " << pipe << endl; - } - } -\end{verbatim} - - -\subsection{Filter Catalog} - -This section contains descriptions of every \type{Filter} included in -the portable sections of Botan. \type{Filter}s provided by modules -are documented elsewhere. - -\subsubsection{Keyed Filters} - -A few sections ago, it was mentioned that \type{Pipe} can process multiple -messages, treating each of them the same. Well, that was a bit of a -lie. There are some algorithms (in particular, block ciphers not in ECB mode, -and all stream ciphers) that change their state as data is put through them. - -Naturally, you might well want to reset the keys or (in the case of block -cipher modes) IVs used by such filters, so multiple messages can be processed -using completely different keys, or new IVs, or new keys and IVs, or whatever. -And in fact, even for a MAC or an ECB block cipher, you might well want to -change the key used from message to message. - -Enter \type{Keyed\_Filter}, which acts as an abstract interface for -any filter that is uses keys: block cipher modes, stream ciphers, -MACs, and so on. It has two functions, \function{set\_key} and -\function{set\_iv}. Calling \function{set\_key} will, naturally, set -(or reset) the key used by the algorithm. Setting the IV only makes -sense in certain algorithms -- a call to \function{set\_iv} on an -object that doesn't support IVs will be ignored. You \emph{must} call -\function{set\_key} before calling \function{set\_iv}: while not all -\type{Keyed\_Filter} objects require this, you should assume it is -required anytime you are using a \type{Keyed\_Filter}. - -Here's a example: - -\begin{verbatim} - Keyed_Filter *cast, *hmac; - Pipe pipe(new Base64_Decoder, - // Note the assignments to the cast and hmac variables - cast = new CBC_Decryption("CAST-128", "PKCS7", cast_key, iv), - new Fork( - 0, // Read the section 'Fork' to understand this - new Chain( - hmac = new MAC_Filter("HMAC(SHA-1)", mac_key, 12), - new Base64_Encoder - ) - ) - ); - pipe.start_msg(); - [use pipe for a while, decrypt some stuff, derive new keys and IVs] - pipe.end_msg(); - - cast->set_key(cast_key2); - cast->set_iv(iv2); - hmac->set_key(mac_key2); - - pipe.start_msg(); - [use pipe for some other things] - pipe.end_msg(); -\end{verbatim} - -There are some requirements to using \type{Keyed\_Filter} that you must -follow. If you call \function{set\_key} or \function{set\_iv} on a filter that -is owned by a \type{Pipe}, you must do so while the \type{Pipe} is -``unlocked''. This refers to the times when no messages are being processed by -\type{Pipe} -- either before \type{Pipe}'s \function{start\_msg} is called, or -after \function{end\_msg} is called (and no new call to \function{start\_msg} -has happened yet). Doing otherwise will result in undefined behavior, probably -silently getting invalid output. - -And remember: if you're resetting both values, reset the key \emph{first}. - -\subsubsection{Cipher Filters} - -Getting a hold of a \type{Filter} implementing a cipher is very -easy. Make sure you're including the header \filename{lookup.h}, and -then call \function{get\_cipher}. You will pass the return value -directly into a \type{Pipe}. There are a couple different functions -which do varying levels of initialization: - -\function{get\_cipher}(\type{std::string} \arg{cipher\_spec}, - \type{SymmetricKey} \arg{key}, - \type{InitializationVector} \arg{iv}, - \type{Cipher\_Dir} \arg{dir}); - -\function{get\_cipher}(\type{std::string} \arg{cipher\_spec}, - \type{SymmetricKey} \arg{key}, - \type{Cipher\_Dir} \arg{dir}); - -The version that doesn't take an IV is useful for things that don't -use them, like block ciphers in ECB mode, or most stream ciphers. If -you specify a \arg{cipher\_spec} that does want a IV, and you use the -version that doesn't take one, an exception will be thrown. The -\arg{dir} argument can be either \type{ENCRYPTION} or -\type{DECRYPTION}. - -The \arg{cipher\_spec} is a string that specifies what cipher is to be -used. The general syntax for \arg{cipher\_spec} is ``STREAM\_CIPHER'', -``BLOCK\_CIPHER/MODE'', or ``BLOCK\_CIPHER/MODE/PADDING''. In the case -of stream ciphers, no mode is necessary, so just the name is -sufficient. A block cipher requires a mode of some sort, which can be -``ECB'', ``CBC'', ``CFB(n)'', ``OFB'', ``CTR-BE'', or ``EAX(n)''. The -argument to CFB mode is how many bits of feedback should be used. If -you just use ``CFB'' with no argument, it will default to using a -feedback equal to the block size of the cipher. EAX mode also takes an -optional bit argument, which tells EAX how large a tag size to -use~--~generally this is the size of the block size of the cipher, -which is the default if you don't specify any argument. - -In the case of the ECB and CBC modes, a padding method can also be -specified. If it is not supplied, ECB defaults to not padding, and CBC -defaults to using PKCS \#5/\#7 compatible padding. The padding methods -currently available are ``NoPadding'', ``PKCS7'', ``OneAndZeros'', and -``CTS''. CTS padding is currently only available for CBC mode, but the -others can also be used in ECB mode. - -Some example \arg{cipher\_spec} arguments are: ``AES-128/CBC'', -``Blowfish/CTR-BE'', ``Serpent/XTS'', and ``AES-256/EAX''. - -``CTR-BE'' refers to counter mode where the counter is incremented as -if it were a big-endian encoded integer. This is compatible with most -other implementations, but it is possible some will use the -incompatible little endian convention. This version would be denoted -as ``CTR-LE'' if it were supported. - -``EAX'' is a new cipher mode designed by Wagner, Rogaway, and -Bellare. It is an authenticated cipher mode (that is, no separate -authentication is needed), has provable security, and is free from -patent entanglements. It runs about half as fast as most of the other -cipher modes (like CBC, OFB, or CTR), which is not bad considering you -don't need to use an authentication code. - -\subsubsection{Hashes and MACs} - -Hash functions and MACs don't need anything special when it comes to -filters. Both just take their input and produce no output until -\function{end\_msg()} is called, at which time they complete the hash or MAC -and send that as output. - -These \type{Filter}s take a string naming the type to be used. If for some -reason you name something that doesn't exist, an exception will be thrown. - -\noindent -\function{Hash\_Filter}(\type{std::string} \arg{hash}, - \type{u32bit} \arg{outlength}): - -This type hashes its input with \arg{hash}. When \function{end\_msg} is called -on the owning \type{Pipe}, the hash is completed and the digest is sent on to -the next thing in the pipe. The argument \arg{outlength} specifies how much of -the output of the hash will be passed along to the next filter when -\function{end\_msg} is called. By default, it will pass the entire hash. - -Examples of names for \function{Hash\_Filter} are ``SHA-1'' and ``Whirlpool''. - -\noindent -\function{MAC\_Filter}(\type{std::string} \arg{mac}, - \type{const SymmetricKey\&} \arg{key}, - \type{u32bit} \arg{outlength}): - -The constructor for a \type{MAC\_Filter} takes a key, used in calculating the -MAC, and a length parameter, which has semantics the same as the one -passed to \type{Hash\_Filter}s constructor. - -Examples for \arg{mac} are ``HMAC(SHA-1)'', ``CMAC(AES-128)'', and the -exceptionally long, strange, and probably useless name -``CMAC(Lion(Tiger(20,3),MARK-4,1024))''. - -\subsubsection{PK Filters} - -There are four classes in this category, \type{PK\_Encryptor\_Filter}, -\type{PK\_Decryptor\_Filter}, \type{PK\_Signer\_Filter}, and -\type{PK\_Verifier\_Filter}. Each takes a pointer to an object of the -appropriate type (\type{PK\_Encryptor}, \type{PK\_Decryptor}, etc) that is -deleted by the destructor. These classes are found in \filename{pk\_filts.h}. - -Three of these, for encryption, decryption, and signing are much the -same in terms of dataflow - ach of them buffers its input until the -end of the message is marked with a call to the \function{end\_msg} -function. Then they encrypt, decrypt, or sign the entire input as a -single blob and send the output (the ciphertext, the plaintext, or the -signature) into the next filter. - -Signature verification works a little differently, because it needs to -know what the signature is in order to check it. You can either pass -this in along with the constructor, or call the function -\function{set\_signature} -- with this second method, you need to keep -a pointer to the filter around so you can send it this command. In -either case, after \function{end\_msg} is called, it will try to -verify the signature (if the signature has not been set by either -method, an exception will be thrown here). It will then send a single -byte onto the next filter -- a 1 or a 0, which specifies whether the -signature verified or not (respectively). - -For more information about PK algorithms (including creating the -appropriate objects to pass to the constructors), read the section -``Public Key Cryptography'' in this manual. - -\subsubsection{Encoders} - -Often you want your data to be in some form of text (for sending over channels -that aren't 8-bit clean, printing it, etc). The filters \type{Hex\_Encoder} -and \type{Base64\_Encoder} will convert arbitrary binary data into hex or -base64 formats. Not surprisingly, you can use \type{Hex\_Decoder} and -\type{Base64\_Decoder} to convert it back into its original form. - -Both of the encoders can take a few options about how the data should be -formatted (all of which have defaults). The first is a \type{bool} which -says if the encoder should insert line breaks. This defaults to -false. Line breaks don't matter either way to the decoder, but it makes the -output a bit more appealing to the human eye, and a few transport mechanisms -(notably some email systems) limit the maximum line length. - -The second encoder option is an integer specifying how long such lines will be -(obviously this will be ignored if line-breaking isn't being used). The default -tends to be in the range of 60-80 characters, but is not specified. If -you want a specific value, set it. Otherwise the default should be fine. - -Lastly, \type{Hex\_Encoder} takes an argument of type \type{Case}, which can be -\type{Uppercase} or \type{Lowercase} (default is \type{Uppercase}). This -specifies what case the characters A-F should be output as. The base64 encoder -has no such option, because it uses both upper and lower case letters for its -output. - -The decoders both take a single option, which tells it how the object -should behave in the case of invalid input. The enum (called -\type{Decoder\_Checking}) can take on any of three values: -\type{NONE}, \type{IGNORE\_WS}, and \type{FULL\_CHECK}. With -\type{NONE} (the default, for compatibility with previous releases), -invalid input (for example, a ``z'' character in supposedly hex input) -will be ignored. With \type{IGNORE\_WS}, whitespace will be ignored by -the decoder, but receiving other non-valid data will raise an -exception. Finally, \type{FULL\_CHECK} will raise an exception for -\emph{any} characters not in the encoded character set, including -whitespace. - -You can find the declarations for these types in \filename{hex.h} and -\filename{base64.h}. - -\subsection{Rolling Your Own} - -The system of filters and pipes was designed in an attempt to make it -as simple as possible to write new \type{Filter} objects. There are -four functions that need to be implemented by an object deriving from -\type{Filter}: - -\noindent -\type{void} \function{write}(\type{byte} \arg{input}[], \type{u32bit} -\arg{length}): - -The \function{write} function is what is called when a filter receives input -for it to process. The filter is \emph{not} required to process it right away; -many filters buffer their input before producing any output. A filter will -usually have \function{write} called many times during its lifetime. - -\noindent -\type{void} \function{send}(\type{byte} \arg{output}[], \type{u32bit} -\arg{length}): - -Eventually, a filter will want to produce some output to send along to the next -filter in the pipeline. It does so by calling \function{send} with whatever it -wants to send along to the next filter. There is also a version of -\function{send} taking a single byte argument, as a convenience. - -\noindent -\type{void} \function{start\_msg()}: - -This function is optional. Implement it if your \type{Filter} would like to do -some processing or setup at the start of each message (for an example, see the -Zlib compression module). - -\noindent -\type{void} \function{end\_msg()}: - -Implementing the \function{end\_msg} function is optional. It is -called when it has been requested that filters finish up their -computations. The filter should finish up with whatever computation it -is working on (for example, a compressing filter would flush the -compressor and \function{send} the final block), and empty any buffers -in preparation for processing a fresh new set of input. - -Additionally, if necessary, filters can define a constructor that -takes any needed arguments, and a destructor to deal with deallocating -memory, closing files, etc. - -\section{Public Key Cryptography} - -Let's create a 1024-bit RSA private key, encode the public key as a -PKCS \#1 file with PEM encoding (which can be understood by many other -cryptographic programs) - -\begin{verbatim} -// everyone does: -AutoSeeded_RNG rng; - -// Alice -RSA_PrivateKey priv_rsa(rng, 1024 /* bits */); - -std::string alice_pem = X509::PEM_encode(priv_rsa); - -// send alice_pem to Bob, who does - -// Bob -std::auto_ptr<Public_Key> alice(load_key(alice_pem)); - -RSA_PublicKey* alice_rsa = dynamic_cast<RSA_PublicKey>(alice); -if(alice_rsa) - { - /* ... */ - } - -\end{verbatim} - -\subsection{Creating PK Algorithm Key Objects} - -The library has interfaces for encryption, signatures, etc that do not require -knowing the exact algorithm in use (for example RSA and Rabin-Williams -signatures are handled by the exact same code path). - -One place where we \emph{do} need to know exactly what kind of -algorithm is in use is when we are creating a key (\emph{But}: read -the section ``Importing and Exporting PK Keys'', later in this -manual). - -There are currently three kinds of public key algorithms in Botan: -ones based on integer factorization (RSA and Rabin-Williams), ones -based on the discrete logarithm problem in the integers modulo a prime -(DSA, Diffie-Hellman, Nyberg-Rueppel, and ElGamal), and ones based on -the discrete logarithm problem in an elliptic curve (ECDSA, ECDH, GOST -34.10). The systems based on discrete logarithms (in either regular -integers or elliptic curves) use a group (a mathematical term), which -can be shared among many keys. An elliptic curve group is represented -by the class \type{EC\_Domain\_Params}, while a modulo-prime group is -represented by a \type{DL\_Group}. - -There are two ways to create a DL private key (such as -\type{DSA\_PrivateKey}). One is to pass in just a \type{DL\_Group} -object -- a new key will automatically be generated. The other -involves passing in a group to use, along with both the public and -private values (private value first). - -Since in integer factorization algorithms, the modulus used isn't shared by -other keys, we don't use this notion. You can create a new key by passing in a -\type{u32bit} telling how long (in bits) the key should be, or you can copy an -pre-existing key by passing in the appropriate parameters (primes, exponents, -etc). For RSA and Rabin-Williams (the two IF schemes in Botan), the parameters -are all \type{BigInt}s: prime 1, prime 2, encryption exponent, decryption -exponent, modulus. The last two are optional, since they can easily be derived -from the first three. - -\subsubsection{Creating a DL\_Group} - -There are quite a few ways to get a \type{DL\_Group} object. The best is to use -the function \function{get\_dl\_group}, which takes a string naming a group; it -will either return that group, if it knows about it, or throw an -exception. Names it knows about include ``IETF-n'' where n is 768, 1024, 1536, -2048, 3072, or 4096, and ``DSA-n'', where n is 512, 768, or 1024. The IETF -groups are the ones specified for use with IPSec, and the DSA ones are the -default DSA parameters specified by Java's JCE. For DSA and Nyberg-Rueppel, you -should only use the ``DSA-n'' groups, while Diffie-Hellman and ElGamal can use -either type (keep in mind that some applications/standards require DH/ELG to -use DSA-style primes, while others require strong prime groups). - -You can also generate a new random group. This is not recommend, because it is -quite slow, especially for safe primes. - -\subsection{Key Checking} - -Most public key algorithms have limitations or restrictions on their -parameters. For example RSA requires an odd exponent, and algorithms based on -the discrete logarithm problem need a generator $> 1$. - -Each low-level public key type has a function named \function{check\_key} that -takes a \type{bool}. This function returns a Boolean value that declares -whether or not the key is valid (from an algorithmic standpoint). For example, -it will check to make sure that the prime parameters of a DSA key are, in fact, -prime. It does not have anything to do with the validity of the key for any -particular use, nor does it have anything to do with certificates that link a -key (which, after all, is just some numbers) with a user or other entity. If -\function{check\_key}'s argument is \type{true}, then it does ``strong'' -checking, which includes expensive operations like primality checking. - -Keys are always checked when they are loaded or generated, so typically there -is no reason to use this function directly. However, you can disable or reduce -the checks for particular cases (public keys, loaded private keys, generated -private keys) by setting the right config toggle (see the section on the -configuration subsystem for details). - -\subsection{Getting a PK algorithm object} - -The key types, like \type{RSA\_PrivateKey}, do not implement any kind -of padding or encoding (which is necessary for security). To get an -object that knows how to do padding, use the wrapper classes included -in \filename{pubkey.h}. These take a key, along with a string that -specifies what hashing and encoding method(s) to use. Examples of such -strings are ``EME1(SHA-256)'' for OAEP encryption and -``EMSA4(SHA-256)'' for PSS signatures (where the message is hashed -using SHA-256). - -Here are some basic examples (using an RSA key) to give you a feel for -the possibilities. These examples assume \type{rsakey} is an -\type{RSA\_PrivateKey}, since otherwise we would not be able to create -a decryption or signature object with it (you can create encryption or -signature verification objects with public keys, naturally). - -\begin{verbatim} - // PKCS #1 v2.0 / IEEE 1363 compatible encryption - PK_Encryptor_EME rsa_enc_pkcs1_v2(rsakey, "EME1(SHA-1)"); - // PKCS #1 v1.5 compatible encryption - PK_Encryptor_EME rsa_enc_pkcs1_v15(rsakey, "PKCS1v15") - - // This object can decrypt things encrypted by rsa_ - PK_Decryptor_EME rsa_dec_pkcs1_v2(rsakey, "EME1(SHA-1)"); - - // PKCS #1 v1.5 compatible signatures - PK_Signer rsa_sign_pkcs1_v15(rsakey, "EMSA3(MD5)"); - PK_Verifier rsa_verify_pkcs1_v15(rsakey, "EMSA3(MD5)"); - - // PKCS #1 v2.1 compatible signatures - PK_Signer rsa_sign_pkcs1_v2(rsakey, "EMSA4(SHA-1)"); - PK_Verifier rsa_verify_pkcs1_v2(rsakey, "EMSA4(SHA-1)"); -\end{verbatim} - -\subsection{Encryption} - -The \type{PK\_Encryptor} and \type{PK\_Decryptor} classes are the -interface for encryption and decryption, respectively. - -Calling \function{encrypt} with a \type{byte} array, a length -parameter, and an RNG object will return the input encrypted with -whatever scheme is being used. Calling the similar \function{decrypt} -will perform the inverse operation. You can also do these operations -with \type{SecureVector<byte>}s. In all cases, the output is returned -via a \type{SecureVector<byte>}. - -If you attempt an operation with a larger size than the key can -support (this limit varies based on the algorithm, the key size, and -the padding method used (if any)), an exception will be thrown. You -can call \function{maximum\_input\_size} to find out the maximum size -input (in bytes) that you can safely use with any particular key. - -Available public key encryption algorithms in Botan are RSA and -ElGamal. The encoding methods are EME1, denoted by ``EME1(HASHNAME)'', -PKCS \#1 v1.5, called ``PKCS1v15'' or ``EME-PKCS1-v1\_5'', and raw -encoding (``Raw''). - -For compatibility reasons, PKCS \#1 v1.5 is recommend for use with -ElGamal (most other implementations of ElGamal do not support any -other encoding format). RSA can also be used with PKCS \# 1 encoding, -but because of various possible attacks, EME1 is the preferred -encoding. EME1 requires the use of a hash function: unless a competent -applied cryptographer tells you otherwise, you should use SHA-256 or -SHA-512. - -Don't use ``Raw'' encoding unless you need it for backward -compatibility with old protocols. There are many possible attacks -against both ElGamal and RSA when they are used in this way. - -\subsection{Signatures} - -The signature algorithms look quite a bit like the hash functions. You -can repeatedly call \function{update}, giving more and more of a -message you wish to sign, and then call \function{signature}, which -will return a signature for that message. If you want to do it all in -one shot, call \function{sign\_message}, which will just call -\function{update} with its argument and then return whatever -\function{signature} returns. Generating a signature requires random -numbers with some schemes, so \function{signature} and -\function{sign\_message} both take a \type{RandomNumberGenerator\&}. - -You can validate a signature by updating the verifier class, and finally seeing -the if the value returned from \function{check\_signature} is true (you pass -the supposed signature to the \function{check\_signature} function as a byte -array and a length or as a \type{MemoryRegion<byte>}). There is another -function, \function{verify\_message}, which takes a pair of byte array/length -pairs (or a pair of \type{MemoryRegion<byte>} objects), the first of which is -the message, the second being the (supposed) signature. It returns true if the -signature is valid and false otherwise. - -Available public key signature algorithms in Botan are RSA, DSA, -ECDSA, GOST-34.11, Nyberg-Rueppel, and Rabin-Williams. Signature -encoding methods include EMSA1, EMSA2, EMSA3, EMSA4, and Raw. All of -them, except Raw, take a parameter naming a message digest function to -hash the message with. The Raw encoding signs the input directly; if -the message is too big, the signing operation will fail. Raw is not -useful except in very specialized applications. - -There are various interactions that make certain encoding schemes and -signing algorithms more or less useful. - -EMSA2 is the usual method for encoding Rabin-William signatures, so -for compatibility with other implementations you may have to use -that. EMSA4 (also called PSS), also works with Rabin-Williams. EMSA1 -and EMSA3 do \emph{not} work with Rabin-Williams. - -RSA can be used with any of the available encoding methods. EMSA4 is -by far the most secure, but is not (as of now) widely -implemented. EMSA3 (also called ``EMSA-PKCS1-v1\_5'') is commonly used -with RSA (for example in SSL). EMSA1 signs the message digest -directly, without any extra padding or encoding. This may be useful, -but is not as secure as either EMSA3 or EMSA4. EMSA2 may be used but -is not recommended. - -For DSA, ECDSA, GOST-34.11, and Nyberg-Rueppel, you should use -EMSA1. None of the other encoding methods are particularly useful for -these algorithms. - -\subsection{Key Agreement} - -You can get a hold of a \type{PK\_Key\_Agreement\_Scheme} object by -calling \function{get\_pk\_kas} with a key that is of a type that -supports key agreement (such as a Diffie-Hellman key stored in a -\type{DH\_PrivateKey} object), and the name of a key derivation -function. This can be ``Raw'', meaning the output of the primitive -itself is returned as the key, or ``KDF1(hash)'' or ``KDF2(hash)'' -where ``hash'' is any string you happen to like (hopefully you like -strings like ``SHA-256'' or ``RIPEMD-160''), or -``X9.42-PRF(keywrap)'', which uses the PRF specified in ANSI X9.42. It -takes the name or OID of the key wrap algorithm that will be used to -encrypt a content encryption key. - -How key agreement works is that you trade public values with some -other party, and then each of you runs a computation with the other's -value and your key (this should return the same result to both -parties). This computation can be called by using -\function{derive\_key} with either a byte array/length pair, or a -\type{SecureVector<byte>} than holds the public value of the other -party. The last argument to either call is a number that specifies how -long a key you want. - -Depending on the KDF you're using, you \emph{might not} get back a key -of the size you requested. In particular ``Raw'' will return a number -about the size of the Diffie-Hellman modulus, and KDF1 can only return -a key that is the same size as the output of the hash. KDF2, on the -other hand, will always give you a key exactly as long as you request, -regardless of the underlying hash used with it. The key returned is a -\type{SymmetricKey}, ready to pass to a block cipher, MAC, or other -symmetric algorithm. - -The public value that should be used can be obtained by calling -\function{public\_data}, which exists for any key that is associated with a -key agreement algorithm. It returns a \type{SecureVector<byte>}. - -``KDF2(SHA-256)'' is by far the preferred algorithm for key derivation -in new applications. The X9.42 algorithm may be useful in some -circumstances, but unless you need X9.42 compatibility, KDF2 is easier -to use. - -There is a Diffie-Hellman example included in the distribution, which you may -want to examine. - -\subsection{Importing and Exporting PK Keys} - -[This section mentions \type{Pipe} and \type{DataSource}, which is not covered -until later in the manual. Please read those sections for more about -\type{Pipe} and \type{DataSource} and their uses.] - -There are many, many different (often conflicting) standards surrounding public -key cryptography. There is, thankfully, only two major standards surrounding -the representation of a public or private key: X.509 (for public keys), and -PKCS \#8 (for private keys). Other crypto libraries, like OpenSSL and B-SAFE, -also support these formats, so you can easily exchange keys with software that -doesn't use Botan. - -In addition to ``plain'' public keys, Botan also supports X.509 certificates. -These are documented in the section ``Certificate Handling'', later in this -manual. - -\subsubsection{Public Keys} - -The interfaces for doing either of these are quite similar. Let's look at the -X.509 stuff first: -\begin{verbatim} -namespace X509 { - MemoryVector<byte> BER_encode(const Public_Key& key); - std::string PEM_encode(const Public_Key& out); - - Public_Key* load_key(DataSource& in); - Public_Key* load_key(const SecureVector<byte>& buffer); -} -\end{verbatim} - -The function \function{X509::BER\_encode} will take any -\type{Public\_Key} and return a standard binary structure representing -the key which can be read by many other crypto libraries. - -The function \function{X509::PEM\_encode} does the same, but -additionally formats it into a text format with headers and base64 -encoding. Using PEM is \emph{highly} recommended for many reasons, -including compatibility with other software, for transmission over -8-bit unclean channels, because it can be identified by a human -without special tools, and because it sometimes allows more sane -behavior of tools that process the data. - -For loading a public key, use one of the variants of -\function{load\_key}. This function will return a newly allocated key -based on the data from whatever source it is using (assuming, of -course, the source is in fact storing a representation of a public -key). The encoding used (PEM or BER) need not be specified; the format -will be detected automatically. The key is allocated with -\function{new}, and should be released with \function{delete} when you -are done with it. The first takes a generic \type{DataSource} that you -have to create~--~the others are simple wrapper functions that take -either a filename or a memory buffer. - -Here's an example of loading a public key and then encrypting with it: - -\begin{verbatim} - /* Might be RSA, might be ElGamal, might be ... */ - Public_Key* key = X509::load_key("pubkey.asc"); - - /* This might throw an exception if the key doesn't support any - encryption operations - */ - - PK_Encryptor_EME encryptor(*key, "EME1(SHA-1)"); - - SecureVector<byte> ciphertext = encryptor.encrypt(msg, size_of_msg); -\end{verbatim} - -\subsubsection{Private Keys} - -There are two different options for private key import/export. The first is a -plaintext version of the private key. This is supported by the following -functions: - -\begin{verbatim} -namespace PKCS8 { - SecureVector<byte> BER_encode(const Private_Key& key); - std::string PEM_encode(const Private_Key& key); -} -\end{verbatim} - -These functions are similiar to the X.509 functions described -previously. The only difference is that they take a -\type{Private\_Key} object instead. In most situations, using these is -a bad idea, because anyone can come along and grab the private key -without having to know any passwords or other secrets. Unless you have -very particular security requirements, always use the versions that -encrypt the key based on a passphrase. For importing, the same -functions can be used for encrypted and unencrypted keys. - -The other way to export a PKCS \#8 key is to first encode it in the -same manner as done above, then encrypt it using a passphrase, and -store the whole thing into another structure. This method is -definitely preferred, since otherwise the private key is -unprotected. The algorithms and structures used here are standardized -by PKCS \#5 and PKCS \#8, and can be read by many other crypto -libraries. - -\begin{verbatim} -namespace PKCS8 { - SecureVector<byte> BER_encode(const Private_Key& key, - RandomNumberGenerator& rng, - const std::string& pass, - const std::string& pbe_algo = ""); - - std::string PEM_encode(const Private_Key& key, - RandomNumberGenerator& rng, - const std::string& pass, - const std::string& pbe_algo = ""); -} -\end{verbatim} - -There are three new arguments needed here to support the encryption -process in addition to the private key itself. The first is a -\type{RandomNumberGenerator}, which is needed for various purposes -internally. The \arg{pass} argument is the passphrase that will be -used to encrypt the key. Both of these are required. The final -(optional) argument is \arg{pbe}; this specifies a particular password -based encryption (or PBE) algorithm. If you don't specify a PBE, -a compiled in default will be used; this should be fine. - -Last but not least, there are some functions that will load (and -decrypt, if necessary) a PKCS \#8 private key: - -\begin{verbatim} -namespace PKCS8 { - Private_Key* load_key( - DataSource& in, - RandomNumberGenerator& rng, - std::function<std::pair<bool, std::string> ()> get_passphrase); - - Private_Key* load_key( - const std::string& filename, - RandomNumberGenerator& rng, - std::function<std::pair<bool, std::string> ()> get_passphrase); - - Private_Key* load_key(DataSource& in, - RandomNumberGenerator& rng, - std::string passphrase = ""); - - Private_Key* load_key(const std::string& filename, - RandomNumberGenerator& rng, - const std::string& passphrase = ""); -} -\end{verbatim} - -The versions that take \type{std::string} \arg{passphrase}s are -primarily for compatibility, but they are useful in limited -circumstances. The versions using \type{std::function} callbacks are -how \function{load\_key} is implemented, and provides for much more -flexibility. If you use the versions that take just a single -passphrase, then if the passphrase passed in is not correct, then an -exception is thrown and that is that. However, if you pass in a -callback, then you can keep querying to the user until they get it -right (or they cancel the action). The first return value of the -callback is if the action should continue - if false, -\function{load_key} will bail out. Otherwise, it will use the second -return value as the supposed passphrase that was used to decrypt the -key. - -If you know (or want to assume) the key is not encrypted, just ignore -the passphrase/callback entirely, letting the third parameter default -to an empty string. The call will fail if the key was encrypted. - -All versions need access to a \type{RandomNumberGenerator} in order to -perform probabilistic tests on the loaded key material. - -After loading a key, you can use \function{dynamic\_cast} to find out -what operations it supports, and use it appropriately. Remember to -\function{delete} the object once you are done with it. - -\subsubsection{Limitations} - -As of now Nyberg-Rueppel and Rabin-Williams keys cannot be imported or -exported, because they have no official ASN.1 OID or definition. ElGamal keys -can (as of Botan 1.3.8) be imported and exported, but the only other -implementation that supports the format is Peter Gutmann's Cryptlib. If you -can help it, stick to RSA and DSA. - -\emph{Note}: Currently NR and RW are given basic ASN.1 key formats (which -mirror DSA and RSA, respectively), which means that, if they are assigned an -OID, they can be imported and exported just as easily as RSA and DSA. You can -assign them an OID by putting a line in a Botan configuration file, calling -\function{OIDS::add\_oid}, or editing \filename{src/policy.cpp}. Be warned that -it is possible that a future version will use a format that is different from -the current one (\ie, a newly standardized format). - -\section{Certificate Handling} - -A certificate is a binding between some identifying information -(called a \emph{subject}) and a public key. This binding is asserted -by a signature on the certificate, which is placed there by some -authority (the \emph{issuer}) that at least claims that it knows the -subject named in the certificate really ``owns'' the private key -corresponding to the public key in the certificate. - -The major certificate format in use today is X.509v3, designed by ISO and -further hacked on by dozens (hundreds?) of other organizations. - -When working with certificates, the main class to remember is -\type{X509\_Certificate}. You can read an object of this type, but you -can't create one on the fly; a CA object is necessary for making a new -certificate. So for the most part, you only have to worry about -reading them in, verifying the signatures, and getting the bits of -data in them (most commonly the public key, and the information about -the user of that key). An X.509v3 certificate can contain a literally -infinite number of items related to all kinds of things. Botan doesn't -support a lot of them, because nobody uses them and they're an -impossible mess to work with. This section only documents the most -commonly used ones of the ones that are supported; for the rest, read -\filename{x509cert.h} and \filename{asn1\_obj.h} (which has the -definitions of various common ASN.1 constructs used in X.509). - -\subsection{So what's in an X.509 certificate?} - -Obviously, you want to be able to get the public key. This is achieved -by calling the member function \function{subject\_public\_key}, which -will return a \type{Public\_Key*}. As to what to do with this, read -about \function{load\_key} in the section ``Importing and Exporting PK -Keys''. In the general case, this could be any kind of public key, -though 99\% of the time it will be an RSA key. However, Diffie-Hellman -and DSA keys are also supported, so be careful about how you treat -this. It is also a wise idea to examine the value returned by -\function{constraints}, to see what uses the public key is approved -for. - -The second major piece of information you'll want is the -name/email/etc of the person to whom this certificate is -assigned. Here is where things get a little nasty. X.509v3 has two -(well, mostly just two $\ldots$) different places where you can stick -information about the user: the \emph{subject} field, and in an -extension called \emph{subjectAlternativeName}. The \emph{subject} -field is supposed to only included the following information: country, -organization, an organizational sub-unit name, and a so-called common -name. The common name is usually the name of the person, or it could -be a title associated with a position of some sort in the -organization. It may also include fields for state/province and -locality. What a locality is, nobody knows, but it's usually given as -a city name. - -Botan doesn't currently support any of the Unicode variants used in -ASN.1 (UTF-8, UCS-2, and UCS-4), any of which could be used for the -fields in the DN. This could be problematic, particularly in Asia and -other areas where non-ASCII characters are needed for most names. The -UTF-8 and UCS-2 string types \emph{are} accepted (in fact, UTF-8 is -used when encoding much of the time), but if any of the characters -included in the string are not in ISO 8859-1 (\ie 0 \ldots 255), an -exception will get thrown. Currently the \type{ASN1\_String} type -holds its data as ISO 8859-1 internally (regardless of local character -set); this would have to be changed to hold UCS-2 or UCS-4 in order to -support Unicode (also, many interfaces in the X.509 code would have to -accept or return a \type{std::wstring} instead of a -\type{std::string}). - -Like the distinguished names, subject alternative names can contain a -lot of things that Botan will flat out ignore (most of which you would -likely never want to use). However, there are three very useful pieces -of information that this extension might hold: an email address -(``[email protected]''), a DNS name (``somehost.site2.com''), or a URI -(``http://www.site3.com''). - -So, how to get the information? Call \function{subject\_info} with the -name of the piece of information you want, and it will return a -\type{std::string} that is either empty (signifying that the -certificate doesn't have this information), or has the information -requested. There are several names for each possible item, but the -most easily readable ones are: ``Name'', ``Country'', -``Organization'', ``Organizational Unit'', ``Locality'', ``State'', -``RFC822'', ``URI'', and ``DNS''. These values are returned as a -\type{std::string}. - -You can also get information about the issuer of the certificate in the same -way, using \function{issuer\_info}. - -\subsubsection{X.509v3 Extensions} - -X.509v3 specifies a large number of possible extensions. Botan -supports some, but by no means all of them. This section lists which -ones are supported, and notes areas where there may be problems with -the handling. - -\begin{list}{$\cdot$} - \item Key Usage and Extended Key Usage: No problems known. - \item - - \item Basic Constraints: No problems known. The default for a v1/v2 - certificate is assume it's a CA if and only if the option - ``x509/default\_to\_ca'' is set. A v3 certificate is marked as a CA if - (and only if) the basic constraints extension is present and set for a - CA cert. - - \item Subject Alternative Names: Only the ``rfc822Name'', ``dNSName'', and - ``uniformResourceIdentifier'' fields will be stored; all others are - ignored. - - \item Issuer Alternative Names: Same restrictions as the Subject Alternative - Names extension. New certificates generated by Botan never include the - issuer alternative name. - - \item Authority Key Identifier: Only the version using KeyIdentifier is - supported. If the GeneralNames version is used and the extension is - critical, an exception is thrown. If both the KeyIdentifier and - GeneralNames versions are present, then the KeyIdentifier will be - used, and the GeneralNames ignored. - - \item Subject Key Identifier: No problems known. -\end{list} - -\subsubsection{Revocation Lists} - -It will occasionally happen that a certificate must be revoked before -its expiration date. Examples of this happening include the private -key being compromised, or the user to which it has been assigned -leaving an organization. Certificate revocation lists are an answer to -this problem (though online certificate validation techniques are -starting to become somewhat more popular). Every once in a while the -CA will release a new CRL, listing all certificates that have been -revoked. Also included is various pieces of information like what time -a particular certificate was revoked, and for what reason. In most -systems, it is wise to support some form of certificate revocation, -and CRLs handle this easily. - -For most users, processing a CRL is quite easy. All you have to do is call the -constructor, which will take a filename (or a \type{DataSource\&}). The CRLs -can either be in raw BER/DER, or in PEM format; the constructor will figure out -which format without any extra information. For example: - -\begin{verbatim} - X509_CRL crl1("crl1.der"); - - DataSource_Stream in("crl2.pem"); - X509_CRL crl2(in); -\end{verbatim} - -After that, pass the \type{X509\_CRL} object to a \type{X509\_Store} object -with \type{X509\_Code} \function{add\_crl}(\type{X509\_CRL}), and all future -verifications will take into account the certificates listed, assuming -\function{add\_crl} returns \type{VERIFIED}. If it doesn't return -\type{VERIFIED}, then the return value is an error code signifying that the CRL -could not be processed due to some problem (which could range from the issuing -certificate not being found, to the CRL having some format problem). For more -about the \type{X509\_Store} API, read the section later in this chapter. - -\subsection{Reading Certificates} - -\type{X509\_Certificate} has two constructors, each of which takes a source of -data; a filename to read, and a \type{DataSource\&}. - -\subsection{Storing and Using Certificates} - -If you read a certificate, you probably want to verify the signature on -it. However, consider that to do so, we may have to verify the signature on the -certificate that we used to verify the first certificate, and on and on until -we hit the top of the certificate tree somewhere. It would be a might huge pain -to have to handle all of that manually in every application, so there is -something that does it for you: \type{X509\_Store}. - -The basic operations are: put certificates and CRLs into it, search -for certificates, and attempt to verify certificates. That's about -it. In the future, there will be support for online retrieval of -certificates and CRLs (\eg with the HTTP cert-store interface -currently under consideration by PKIX). - -\subsubsection{Adding Certificates} - -You can add new certificates to a certificate store using any of these -functions: - -\function{add\_cert}(\type{const X509\_Certificate\&} \arg{cert}, - \type{bool} \arg{trusted} \type{= false}) - -\function{add\_certs}(\type{DataSource\&} \arg{source}) - -\function{add\_trusted\_certs}(\type{DataSource\&} \arg{source}) - -The versions that take a \type{DataSource\&} will add all the certificates -that it can find in that source. - -All of them add the cert(s) to the store. The 'trusted' certificates are the -ones that you have some reason to trust are genuine. For example, say your -application is working with certificates that are owned by employees of some -company, and all of their certificates are signed by the company CA, whose -certificate is in turned signed by a commercial root CA. What you would then do -is include the certificate of the commercial CA with your application, and read -it in as a trusted certificate. From there, you could verify the company CA's -certificate, and then use that to verify the end user's certificates. Only -self-signed certificates may be considered trusted. - -\subsubsection{Adding CRLs} - -\type{X509\_Code} \function{add\_crl}(\type{const X509\_CRL\&} \arg{crl}); - -This will process the CRL and mark the revoked certificates. This will also -work if a revoked certificate is added to the store sometime after the CRL is -processed. The function can return an error code (listed later), or will return -\type{VERIFIED} if everything completed successfully. - -\subsubsection{Storing Certificates} - -You can output a set of certificates by calling \function{PEM\_encode}, which -will return a \type{std::string} containing each of the certificates in the -store, PEM encoded and concatenated. This simple format can easily be read by -both Botan and other libraries/applications. - -\subsubsection{Searching for Certificates} - -You can find certificates in the store with a series of functions contained -in the \function{X509\_Store\_Search} namespace: - -\begin{verbatim} -namespace X509_Store_Search { -std::vector<X509_Certificate> by_email(const X509_Store& store, - const std::string& email_addr); -std::vector<X509_Certificate> by_name(const X509_Store& store, - const std::string& name); -std::vector<X509_Certificate> by_dns(const X509_Store&, - const std::string& dns_name); -} -\end{verbatim} - -These functions will return a (possibly empty) vector of certificates from -\arg{store} matching your search criteria. The email address and DNS name -searches are case-insensitive but are sensitive to extra whitespace and so -on. The name search will do case-insensitive substring matching, so, for -example, calling \function{X509\_Store\_Search::by\_name}(\arg{your\_store}, -``dob'') will return certificates for ``J.R. 'Bob' Dobbs'' and -``H. Dobbertin'', assuming both of those certificates are in \arg{your\_store}. - -You could then display the results to a user, and allow them to select the -appropriate one. Searching using an email address as the key is usually more -effective than the name, since email addresses are rarely shared. - -\subsubsection{Certificate Stores} - -An object of type \type{Certificate\_Store} is a generalized interface -to an external source for certificates (and CRLs). Examples of such a -store would be one that looked up the certificates in a SQL database, -or by contacting a CGI script running on a HTTP server. There are -currently three mechanisms for looking up a certificate, and one for -retrieving CRLs. By default, most of these mechanisms will return an -empty \type{std::vector} of \type{X509\_Certificate}. This storage -mechanism is \emph{only} queried when doing certificate validation: it -allows you to distribute only the root key with an application, and -let some online method handle getting all the other certificates that -are needed to validate an end entity certificate. In particular, the -search routines will not attempt to access the external database. - -The three certificate lookup methods are \function{by\_SKID} (Subject Key -Identifier), \function{by\_name} (the CommonName DN entry), and -\function{by\_email} (stored in either the distinguished name, or in a -subjectAlternativeName extension). The name and email versions take a -\type{std::string}, while the SKID version takes a \type{SecureVector<byte>} -containing the subject key identifier in raw binary. You can choose not to -implement \function{by\_name} or \function{by\_email}, but \function{by\_SKID} -is mandatory to implement, and, currently, is the only version that is used by -\type{X509\_Store}. - -Finally, there is a method for finding CRLs, called -\function{get\_crls\_for}, that takes an \type{X509\_Certificate} -object, and returns a \type{std::vector} of \type{X509\_CRL}. While -normally there will be only one CRL, the use of the vector makes it -easy to return no CRLs (\eg, if the certificate store doesn't support -retrieving them), or return multiple ones (for example, if the -certificate store can't determine precisely which key was used to sign -the certificate). Implementing the function is optional, and by -default will return no CRLs. If it is available, it will be used by -\type{X509\_CRL}. - -As for using such a store, you have to tell \type{X509\_Store} about -it, by calling the \type{X509\_Store} member function - -\function{add\_new\_certstore}(\type{Certificate\_Store}* \arg{new\_store}) - -The argument, \arg{new\_store}, will be deleted by \type{X509\_Store}'s -destructor, so make sure to allocate it with \function{new}. - -\subsubsection{Verifying Certificates} - -There is a single function in \type{X509\_Store} related to verifying a -certificate: - -\type{X509\_Code} -\function{validate\_cert}(\type{const X509\_Certificate\&} \arg{cert}, - \type{Cert\_Usage} \arg{usage} = \type{ANY}) - -This function will return \type{VERIFIED} if the certificate can -safely be considered valid for the usage(s) described by \arg{usage}, -and an error code if it is not. Naturally, things are a bit more -complicated than that. The enum \type{Cert\_Usage} is defined inside -the \type{X509\_Store} class, it (currently) can take on any of the -values \type{ANY} (any usage is OK), \type{TLS\_SERVER} (for SSL/TLS -server authentication), \type{TLS\_CLIENT} (for SSL/TLS client -authentication), \type{CODE\_SIGNING}, \type{EMAIL\_PROTECTION} (email -encryption, usually this means S/MIME), \type{TIME\_STAMPING} (in -theory any time stamp application, usually IETF PKIX's Time Stamp -Protocol), or \type{CRL\_SIGNING}. Note that Microsoft's code signing -system, certainly the most widely used, uses a completely different -(and mostly undocumented) method for marking certificates for code -signing. - -First, how does it know if a certificate is valid? A certificate is -valid if both of the following hold: a) the signature in the -certificate can be verified using the public key in the issuer's -certificate, and b) the issuer's certificate is a valid CA -certificate. Note that this definition is recursive. We get out of -this by ``bottoming out'' when we reach a certificate that we consider -trusted. In general this will either be a commercial root CA, or an -organization or application specific CA. - -There are a few other restrictions (validity periods, key usage -restrictions, etc), but the above summarizes the major points of the -validation algorithm. In theory, Botan implements the certificate path -validation algorithm given in RFC 2459, but in practice it does not -(yet), because we don't support the X.509v3 policy or name constraint -extensions. - -Possible values for \arg{usage} are \type{TLS\_SERVER}, -\type{TLS\_CLIENT}, \type{CODE\_SIGNING}, \type{EMAIL\_PROTECTION}, -\type{CRL\_SIGNING}, and \type{TIME\_STAMPING}, and \type{ANY}. The -default \type{ANY} does not mean valid for any use, it means ``is -valid for some usage''. This is usually what you want; requiring that -a random certificate support a particular usage will likely result in -a lot of failures, unless your application is very careful to always -issue certificates with the proper extensions, and you never use -certificates generated by other apps. - -Return values for \function{validate\_cert} (and \function{add\_crl}) include: - -\begin{list}{$\cdot$} - \item VERIFIED: The certificate is valid for the specified use. - \item - \item INVALID\_USAGE: The certificate cannot be used for the specified use. - - \item CANNOT\_ESTABLISH\_TRUST: The root certificate was not marked as - trusted. - \item CERT\_CHAIN\_TOO\_LONG: The certificate chain exceeded the length - allowed by a basicConstraints extension. - \item SIGNATURE\_ERROR: An invalid signature was found - \item POLICY\_ERROR: Some problem with the certificate policies was found. - - \item CERT\_FORMAT\_ERROR: Some format problem was found in a certificate. - \item CERT\_ISSUER\_NOT\_FOUND: The issuer of a certificate could not be - found. - \item CERT\_NOT\_YET\_VALID: The certificate is not yet valid. - \item CERT\_HAS\_EXPIRED: The certificate has expired. - \item CERT\_IS\_REVOKED: The certificate has been revoked. - - \item CRL\_FORMAT\_ERROR: Some format problem was found in a CRL. - \item CRL\_ISSUER\_NOT\_FOUND: The issuer of a CRL could not be found. - \item CRL\_NOT\_YET\_VALID: The CRL is not yet valid. - \item CRL\_HAS\_EXPIRED: The CRL has expired. - - \item CA\_CERT\_CANNOT\_SIGN: The CA certificate found does not have an - contain a public key that allows signature verification. - \item CA\_CERT\_NOT\_FOR\_CERT\_ISSUER: The CA cert found is not allowed to - issue certificates. - \item CA\_CERT\_NOT\_FOR\_CRL\_ISSUER: The CA cert found is not allowed to - issue CRLs. - - \item UNKNOWN\_X509\_ERROR: Some other error occurred. - -\end{list} - -\subsection{Certificate Authorities} - -Setting up a CA for X.509 certificates is perhaps the easiest thing to -do related to X.509. A CA is represented by the type \type{X509\_CA}, -which can be found in \filename{x509\_ca.h}. A CA always needs its own -certificate, which can either be a self-signed certificate (see below -on how to create one) or one issued by another CA (see the section on -PKCS \#10 requests). Creating a CA object is done by the following -constructor: - -\begin{verbatim} - X509_CA(const X509_Certificate& cert, const Private_Key& key); -\end{verbatim} - -The private key is the private key corresponding to the public key in the -CA's certificate. - -Requests for new certificates are supplied to a CA in the form on PKCS -\#10 certificate requests (called a \type{PKCS10\_Request} object in -Botan). These are decoded in a similar manner to -certificates/CRLs/etc. A request is vetted by humans (who somehow -verify that the name in the request corresponds to the name of the -entity who requested it), and then signed by a CA key, generating a -new certificate. - -\begin{verbatim} - X509_Certificate sign_request(const PKCS10_Request&) const; -\end{verbatim} - -\subsubsection{Generating CRLs} - -As mentioned previously, the ability to process CRLs is highly important in -many PKI systems. In fact, according to strict X.509 rules, you must not -validate any certificate if the appropriate CRLs are not available (though -hardly any systems are that strict). In any case, a CA should have a valid CRL -available at all times. - -Of course, you might be wondering what to do if no certificates have -been revoked. Never fear; empty CRLs, which revoke nothing at all, can -be issued. To generate a new, empty CRL, just call \type{X509\_CRL} -\function{X509\_CA::new\_crl}(\type{u32bit}~\arg{seconds}~=~0)~--~it -will create a new, empty, CRL. If \arg{seconds} is the default 0, then -the normal default CRL next update time (the value of the -``x509/crl/next\_update'') will be used. If not, then \arg{seconds} -specifies how long (in seconds) it will be until the CRL's next update -time (after this time, most clients will reject the CRL as too old). - -On the other hand, you may have issued a CRL before. In that case, you will -want to issue a new CRL that contains all previously revoked -certificates, along with any new ones. This is done by calling the -\type{X509\_CA} member function -\function{update\_crl}(\type{X509\_CRL}~\arg{old\_crl}, -\type{std::vector<CRL\_Entry>}~\arg{new\_revoked}, -\type{u32bit}~\arg{seconds}~=~0), where \type{X509\_CRL} is the last CRL this -CA issued, and \arg{new\_revoked} is a list of any newly revoked certificates. -The function returns a new \type{X509\_CRL} to make available for clients. The -semantics for the \arg{seconds} argument is the same as \function{new\_crl}. - -The \type{CRL\_Entry} type is a structure that contains, at a minimum, the -serial number of the revoked certificate. As serial numbers are never repeated, -the pairing of an issuer and a serial number (should) distinctly identify any -certificate. In this case, we represent the serial number as a -\type{SecureVector<byte>} called \arg{serial}. There are two additional -(optional) values, an enumeration called \type{CRL\_Code} that specifies the -reason for revocation (\arg{reason}), and an object that represents the time -that the certificate became invalid (if this information is known). - -If you wish to remove an old entry from the CRL, insert a new entry for the -same cert, with a \arg{reason} code of \type{DELETE\_CRL\_ENTRY}. For example, -if a revoked certificate has expired 'normally', there is no reason to continue -to explicitly revoke it, since clients will reject the cert as expired in any -case. - -\subsubsection{Self-Signed Certificates} - -Generating a new self-signed certificate can often be useful, for -example when setting up a new root CA, or for use in email -applications. The library provides a utility function for this: - -\begin{verbatim} -namespace X509 { - X509_Certificate create_self_signed_cert(const X509_Cert_Options& opts, - const Private_Key& key); -} -\end{verbatim} - -Where \arg{key} is obviously the private key you wish to use (the public key, -used in the certificate itself, is extracted from the private key), and -\arg{opts} is an structure that has various bits of information that will be -used in creating the certificate (this structure, and its use, is discussed -below). This function is found in the header \filename{x509self.h}. There is an -example of using this function in the \filename{self\_sig} example. - -\subsubsection{Creating PKCS \#10 Requests} - -Also in \filename{x509self.h}, there is a function for generating new PKCS \#10 -certificate requests. - -\begin{verbatim} -namespace X509 { - PKCS10_Request create_cert_req(const X509_Cert_Options&, - const Private_Key&); -} -\end{verbatim} - -This function acts quite similarly to \function{create\_self\_signed\_cert}, -except it instead returns a PKCS \#10 certificate request. After creating it, -one would typically transmit it to a CA, who signs it and returns a freshly -minted X.509 certificate. There is an example of using this function in the -\filename{pkcs10} example. - -\subsubsection{Certificate Options} - -What is this \type{X509\_Cert\_Options} thing we've been passing -around? It's a class representing a bunch of information that will end -up being stored into the certificate. This information comes in 3 -major flavors: information about the subject (CA or end-user), the -validity period of the certificate, and restrictions on the usage of -the certificate. - -First and foremost is a number of \type{std::string} members, which contains -various bits of information about the user: \arg{common\_name}, -\arg{serial\_number}, \arg{country}, \arg{organization}, \arg{org\_unit}, -\arg{locality}, \arg{state}, \arg{email}, \arg{dns\_name}, and \arg{uri}. As -many of these as possible should be filled it (especially an email address), -though the only required ones are \arg{common\_name} and \arg{country}. - -There is another value that is only useful when creating a PKCS \#10 request, -which is called \arg{challenge}. This is a challenge password, which you can -later use to request certificate revocation (\emph{if} the CA supports doing -revocations in this manner). - -Then there is the validity period; these are set with \function{not\_before} -and \function{not\_after}. Both of these functions also take a -\type{std::string}, which specifies when the certificate should start being -valid, and when it should stop being valid. If you don't set the starting -validity period, it will automatically choose the current time. If you don't -set the ending time, it will choose the starting time plus a default time -period. The arguments to these functions specify the time in the following -format: ``2002/11/27 1:50:14''. The time is in 24-hour format, and the date is -encoded as year/month/day. The date must be specified, but you can omit the -time or trailing parts of it, for example ``2002/11/27 1:50'' or -``2002/11/27''. - -Lastly, you can set constraints on a key. The one you're mostly likely to want -to use is to create (or request) a CA certificate, which can be done by calling -the member function \function{CA\_key}. This should only be used when needed. - -Other constraints can be set by calling the member functions -\function{add\_constraints} and \function{add\_ex\_constraints}. The -first takes a \type{Key\_Constraints} value, and replaces any -previously set value. If no value is set, then the certificate key is -marked as being valid for any usage. You can set it to any of the -following (for more than one usage, OR them together): -\type{DIGITAL\_SIGNATURE}, \type{NON\_REPUDIATION}, -\type{KEY\_ENCIPHERMENT}, \type{DATA\_ENCIPHERMENT}, -\type{KEY\_AGREEMENT}, \type{KEY\_CERT\_SIGN}, \type{CRL\_SIGN}, -\type{ENCIPHER\_ONLY}, \type{DECIPHER\_ONLY}. Many of these have quite -special semantics, so you should either consult the appropriate -standards document (such as RFC 3280), or just not call -\function{add\_constraints}, in which case the appropriate values will -be chosen for you. - -The second function, \function{add\_ex\_constraints}, allows you to specify an -OID that has some meaning with regards to restricting the key to particular -usages. You can, if you wish, specify any OID you like, but there is a set of -standard ones that other applications will be able to understand. These are -the ones specified by the PKIX standard, and are named ``PKIX.ServerAuth'' (for -TLS server authentication), ``PKIX.ClientAuth'' (for TLS client -authentication), ``PKIX.CodeSigning'', ``PKIX.EmailProtection'' (most likely -for use with S/MIME), ``PKIX.IPsecUser'', ``PKIX.IPsecTunnel'', -``PKIX.IPsecEndSystem'', and ``PKIX.TimeStamping''. You can call -\function{add\_ex\_constraints} any number of times~--~each new OID will be -added to the list to include in the certificate. - -\section{The Low-Level Interface} - -Botan has two different interfaces. The one documented in this section is meant -more for implementing higher-level types (see the section on filters, earlier in -this manual) than for use by applications. Using it safely requires a solid -knowledge of encryption techniques and best practices, so unless you know, for -example, what CBC mode and nonces are, and why PKCS \#1 padding is important, -you should avoid this interface in favor of something working at a higher level -(such as the CMS interface). - -\subsection{Basic Algorithm Abilities} - -There are a small handful of functions implemented by most of Botan's -algorithm objects. Among these are: - -\noindent -\type{std::string} \function{name}(): - -Returns a human-readable string of the name of this algorithm. Examples of -names returned are ``Blowfish'' and ``HMAC(MD5)''. You can turn names back into -algorithm objects using the functions in \filename{lookup.h}. - -\noindent -\type{void} \function{clear}(): - -Clear out the algorithm's internal state. A block cipher object will -``forget'' its key, a hash function will ``forget'' any data put into -it, etc. The object will look and behave as it did when you initially -allocated it. - -\noindent -\function{clone}(): - -This function is central to Botan's name-based interface. The \function{clone} -has many different return types, such as \type{BlockCipher*} and -\type{HashFunction*}, depending on what kind of object it is called on. Note -that unlike Java's clone, this returns a new object in a ``pristine'' state; -that is, operations done on the initial object before calling \function{clone} -do not affect the initial state of the new clone. - -Cloned objects can (and should) be deallocated with the C++ \texttt{delete} -operator. - -\subsection{Keys and IVs} - -Both symmetric keys and initialization values can be considered byte -(or octet) strings. These are represented by the classes -\type{SymmetricKey} and \type{InitializationVector}, which are -subclasses of \type{OctetString}. - -Since often it's hard to distinguish between a key and IV, many things (such as -key derivation mechanisms) return \type{OctetString} instead of -\type{SymmetricKey} to allow its use as a key or an IV. - -\noindent -\function{OctetString}(\type{u32bit} \arg{length}): - -This constructor creates a new random key of size \arg{length}. - -\noindent -\function{OctetString}(\type{std::string} \arg{str}): - -The argument \arg{str} is assumed to be a hex string; it is converted to binary -and stored. Whitespace is ignored. - -\noindent -\function{OctetString}(\type{const byte} \arg{input}[], \type{u32bit} -\arg{length}): - -This constructor copies its input. - -\subsection{Symmetrically Keyed Algorithms} - -Block ciphers, stream ciphers, and MACs are all keyed operations; to -be useful, they have to be set to use a particular key, which is a -randomly chosen string of bits of a specified length. The length -required by any particular algorithm may vary, depending on both the -algorithm specification and the implementation. You can query any -botan object to find out what key length(s) it supports. - -To make this similarity in terms of keying explicit, all algorithms of -those types are derived from the \type{SymmetricAlgorithm} base -class. This type has three functions: - -\noindent -\type{void} \function{set\_key}(\type{const byte} \arg{key}[], \type{u32bit} -\arg{length}): - -Most algorithms only accept keys of certain lengths. If you attempt to call -\function{set\_key} with a key length that is not supported, the exception -\type{Invalid\_Key\_Length} will be thrown. There is also another version of -\function{set\_key} that takes a \type{SymmetricKey} as an argument. - -\noindent -\type{bool} \function{valid\_keylength}(\type{u32bit} \arg{length}) const: - -This function returns true if a key of the given length will be accepted by -the cipher. - -There are also three constant data members of every -\type{SymmetricAlgorithm} object, which specify what limits there are -on keys which that object can accept: - -MAXIMUM\_KEYLENGTH: The maximum length of a key. Usually, this is at -most 32 (256 bits), even if the algorithm supports more. In a few rare -cases larger keys will be supported. - -MINIMUM\_KEYLENGTH: The minimum length of a key. This is at least 1. - -KEYLENGTH\_MULTIPLE: The length of the key must be a multiple of this value. - -In all cases, \function{set\_key} must be called on an object before any data -processing (encryption, decryption, etc) is done by that object. If this is not -done, the results are undefined -- that is to say, Botan reserves the right in -this situation to do anything from printing a nasty, insulting message on the -screen to dumping core. - -\subsection{Block Ciphers} - -Block ciphers implement the interface \type{BlockCipher}, found in -\filename{base.h}, as well as the \type{SymmetricAlgorithm} interface. - -\noindent -\type{void} \function{encrypt}(\type{const byte} \arg{in}[], - \type{byte} \arg{out}[]) const - -\noindent -\type{void} \function{encrypt}(\type{byte} \arg{block}[]) const - -These functions apply the block cipher transformation to \arg{in} and -place the result in \arg{out}, or encrypts \arg{block} in place -(\arg{in} may be the same as \arg{out}). Exactly one block will be -encrypted; you can find out the block size of the cipher you are -working with by calling the member function \function{block\_size}. -\type{BlockCipher}s have similar functions \function{decrypt}, which -perform the inverse operation. - -If you want to process multiple blocks in parallel, use -\function{encrypt\_n} and \function{decrypt\_n}. - -\begin{verbatim} -AES_128 cipher; -SymmetricKey key(cipher.MAXIMUM_KEYLENGTH); // randomly created -cipher.set_key(key); - -byte in[16] = { /* secrets */ }; -byte out[16]; -cipher.encrypt(in, out); -\end{verbatim} - -\subsection{Stream Ciphers} - -Stream ciphers are somewhat different from block ciphers, in that encrypting -data results in changing the internal state of the cipher. Also, you may -encrypt any length of data in one go (in byte amounts). - -\noindent -\type{void} \function{encrypt}(\type{const byte} \arg{in}[], \type{byte} -\arg{out}[], \type{u32bit} \arg{length}) - -\noindent -\type{void} \function{encrypt}(\type{byte} \arg{data}[], \type{u32bit} -\arg{length}): - -These functions encrypt the arbitrary length (well, less than 4 gigabyte long) -string \arg{in} and place it into \arg{out}, or encrypts it in place in -\arg{data}. The \function{decrypt} functions look just like -\function{encrypt}. - -Stream ciphers implement the \type{SymmetricAlgorithm} interface. - -Some stream ciphers support random access to any point in their cipher -stream. For such ciphers, calling \type{void} \function{seek}(\type{u32bit} -\arg{byte}) will change the cipher's state so that it is as if the cipher had been -keyed as normal, then encrypted \arg{byte} -- 1 bytes of data (so the next byte -in the cipher stream is byte number \arg{byte}). - -\subsection{Hash Functions / Message Authentication Codes} - -Hash functions take their input without producing any output, only producing -anything when all input has already taken place. MACs are very similar, but are -additionally keyed. Both of these are derived from the base class -\type{BufferedComputation}, which has the following functions. - -\noindent -\type{size\_t} \function{output\_length}() - -Return the size of the output of this function. - -\type{void} \function{update}(\type{const byte} \arg{input}[], \type{u32bit} -\arg{length}) - -\noindent -\type{void} \function{update}(\type{byte} \arg{input}) - -\noindent -\type{void} \function{update}(\type{const std::string \&} \arg{input}) - -Updates the hash/mac calculation with \arg{input}. - -\noindent -\type{void} \function{final}(\type{byte} \arg{out}[]) - -\noindent -\type{SecureVector<byte>} \function{final}(): - -Complete the hash/MAC calculation and place the result into \arg{out}. -For the argument taking an array, exactly \function{output\_length}() -bytes will be written. After you call \function{final}, the hash -function is reset to its initial state, so it may be reused -immediately. - -The second method of using final is to call it with no arguments at -all, as shown in the second prototype. It will return the hash/mac -value in a memory buffer. - -There is also a pair of functions called \function{process}. They are -a combination of a single \function{update}, and \function{final}. -Both versions return the final value, rather than placing it an -array. Calling \function{process} with a single byte value isn't -available, mostly because it would rarely be useful. - -A MAC can be viewed (in most cases) as a keyed hash function, so -classes that are derived from \type{MessageAuthenticationCode} have -\function{update} and \function{final} classes just like a -\type{HashFunction} (and like a \type{HashFunction}, after -\function{final} is called, it can be used to make a new MAC right -away; the key is kept around). - -A MAC has the \type{SymmetricAlgorithm} interface in addition to the -\type{BufferedComputation} interface. - -\section{Random Number Generators} - -The random number generators provided in Botan are meant for creating -keys, IVs, padding, nonces, and anything else that requires 'random' -data. It is important to remember that the output of these classes -will vary, even if they are supplied with ethe same seed (\ie, two -\type{Randpool} objects with similar initial states will not produce -the same output, because the value of high resolution timers is added -to the state at various points). - -To ensure good quality output, a PRNG needs to be seeded with truly random data -(such as that produced by a hardware RNG). Typically, you will use an -\type{EntropySource} (see below). To add entropy to a PRNG, you can use -\type{void} \function{add\_entropy}(\type{const byte} \arg{data}[], -\type{u32bit} \arg{length}) or (better), use the \type{EntropySource} -interface. - -Once a PRNG has been initialized, you can get a single byte of random data by -calling \type{byte} \function{random()}, or get a large block by calling -\type{void} \function{randomize}(\type{byte} \arg{data}[], \type{u32bit} -\arg{length}), which will put random bytes into each member of the array from -indexes 0 $\ldots$ \arg{length} -- 1. - -You can avoid all the problems inherent in seeding the PRNG by using the -globally shared PRNG, described later in this section. - -\subsection{Randpool} - -\type{Randpool} is the primary PRNG within Botan. In recent versions all uses -of it have been wrapped by an implementation of the X9.31 PRNG (see below). If -for some reason you should have cause to create a PRNG instead of using the -``global'' one owned by the library, it would be wise to consider the same on -the grounds of general caution; while \type{Randpool} is designed with known -attacks and PRNG weaknesses in mind, it is not an standard/official PRNG. The -remainder of this section is a (fairly technical, though high-level) description -of the algorithms used in this PRNG. Unless you have a specific interest in -this subject, the rest of this section might prove somewhat uninteresting. - -\type{Randpool} has an internal state called pool, which is 512 bytes -long. This is where entropy is mixed into and extracted from. There is also a -small output buffer (called buffer), which holds the data which has already -been generated but has just not been output yet. - -It is based around a MAC and a block cipher (which are currently HMAC(SHA-256) -and AES-256). Where a specific size is mentioned, it should be taken as a -multiple of the cipher's block size. For example, if a 256-bit block cipher -were used instead of AES, all the sizes internally would double. Every time -some new output is needed, we compute the MAC of a counter and a high -resolution timer. The resulting MAC is XORed into the output buffer (wrapping -as needed), and the output buffer is then encrypted with AES, producing 16 -bytes of output. - -After 8 blocks (or 128 bytes) have been produced, we mix the pool. To do this, -we first rekey both the MAC and the cipher; the new MAC key is the MAC of the -current pool under the old MAC key, while the new cipher key is the MAC of the -current pool under the just-chosen MAC key. We then encrypt the entire pool in -CBC mode, using the current (unused) output buffer as the IV. We then generate -a new output buffer, using the mechanism described in the previous paragraph. - -To add randomness to the PRNG, we compute the MAC of the input and XOR the -output into the start of the pool. Then we remix the pool and produce a new -output buffer. The initial MAC operation should make it very hard for chosen -inputs to harm the security of \type{Randpool}, and as HMAC should be able to -hold roughly 256 bits of state, it is unlikely that we are wasting much input -entropy (or, if we are, it doesn't matter, because we have a very abundant -supply). - -\subsection{ANSI X9.31} - -\type{ANSI\_X931\_PRNG} is the standard issue X9.31 Appendix A.2.4 PRNG, though -using AES-256 instead of 3DES as the block cipher. This PRNG implementation has -been checked against official X9.31 test vectors. - -Internally, the PRNG holds a pointer to another PRNG (typically -Randpool). This internal PRNG generates the key and seed used by the -X9.31 algorithm, as well as the date/time vectors. Each time an X9.31 -PRNG object receives entropy, it passes it along to the PRNG it is -holding, and then pulls out some random bits to generate a new key and -seed. This PRNG considers itself seeded as soon as the internal PRNG -is seeded. - -As of version 1.4.7, the X9.31 PRNG is by default used for all random number -generation. - -\subsection{Entropy Sources} - -An \type{EntropySource} is an abstract representation of some method of gather -``real'' entropy. This tends to be very system dependent. The \emph{only} way -you should use an \type{EntropySource} is to pass it to a PRNG that will -extract entropy from it -- never use the output directly for any kind of key or -nonce generation! - -\type{EntropySource} has a pair of functions for getting entropy from -some external source, called \function{fast\_poll} and -\function{slow\_poll}. These pass a buffer of bytes to be written; the -functions then return how many bytes of entropy were -gathered. \type{EntropySource}s are usually used to seed the global -PRNG using the functions found in the \namespace{Global\_RNG} -namespace. - -Note for writers of \type{EntropySource}s: it isn't necessary to use any kind -of cryptographic hash on your output. The data produced by an EntropySource is -only used by an application after it has been hashed by the -\type{RandomNumberGenerator} that asked for the entropy, thus any hashing -you do will be wasteful of both CPU cycles and entropy. - -\section{User Interfaces} - -Botan has recently changed some infrastructure to better accommodate -more complex user interfaces, in particular ones that are based on -event loops. Primary among these was the fact that when doing -something like loading a PKCS \#8 encoded private key, a passphrase -might be needed, but then again it might not (a PKCS \#8 key doesn't -have to be encrypted). Asking for a passphrase to decrypt an -unencrypted key is rather pointless. Not only that, but the way to -handle the user typing the wrong passphrase was complicated, -undocumented, and inefficient. - -So now Botan has an object called \type{UI}, which provides a simple -interface for the aspects of user interaction the library has to be -concerned with. Currently, this means getting a passphrase from the -user, and that's it (\type{UI} will probably be extended in the future -to support other operations as they are needed). The base \type{UI} -class is very stupid, because the library can't directly assume -anything about the environment that it's running under (for example, -if there will be someone sitting at the terminal, if the application -is even \emph{attached} to a terminal, and so on). But since you can -subclass \type{UI} to use whatever method happens to be appropriate -for your application, this isn't a big deal. - -\begin{verbatim} - std::string get_passphrase(const std::string& what, - const std::string& source, - UI_Result& result) const; -\end{verbatim} - -The \arg{what} argument specifies what the passphrase is needed for (for -example, PKCS \#8 key loading passes \arg{what} as ``PKCS \#8 private -key''). This lets you provide the user with some indication of \emph{why} your -application is asking for a passphrase; feel free to pass the string through -\function{gettext(3)} or moral equivalent for i18n purposes. Similarly, -\arg{source} specifies where the data in question came from, if available (for -example, a file name). If the source is not available for whatever reason, then -\arg{source} will be an empty string; be sure to account for this possibility -when writing a \type{UI} subclass. - -The function returns the passphrase as the return value, and a status code in -\arg{result} (either \type{OK} or \type{CANCEL\_ACTION}). If -\type{CANCEL\_ACTION} is returned in \arg{result}, then the return value will -be ignored, and the caller will take whatever action is necessary (typically, -throwing an exception stating that the passphrase couldn't be determined). In -the specific case of PKCS \#8 key decryption, a \type{Decoding\_Error} -exception will be thrown; your UI should assume this can happen, and provide -appropriate error handling (such as putting up a dialog box informing the user -of the situation, and canceling the operation in progress). - -There is an example \type{UI} that uses GTK+ available on the web site. The -\type{GTK\_UI} code is cleanly separated from the rest of the example, so if -you happen to be using GTK+, you can copy (and/or adapt) that code for your -application. If you write a \type{UI} object for another windowing system -(Win32, Qt, wxWidgets, FOX, etc), and would like to make it available to users -in general (ideally under a permissive license such as public domain or -MIT/BSD), feel free to send in a copy. - -\section{Botan's Modules} - -Botan comes with a variety of modules that can be compiled into the system. -These will not be available on all installations of the library, but you can -check for their availability based on whether or not certain macros are -defined. - -\subsection{Pipe I/O for Unix File Descriptors} - -This is a minor feature, but it comes in handy sometimes. In all -installations of the library, Botan's \type{Pipe} object overloads the -\keyword{<<} and \keyword{>>} operators for C++ iostream objects, -which is usually more than sufficient for doing I/O. - -However, there are cases where the iostream hierarchy does not map well to -local 'file types', so there is also the ability to do I/O directly with Unix -file descriptors. This is most useful when you want to read from or write to -something like a TCP or Unix-domain socket, or a pipe, since for simple file -access it's usually easier to just use C++'s file streams. - -If \macro{BOTAN\_EXT\_PIPE\_UNIXFD\_IO} is defined, then you can use the -overloaded I/O operators with Unix file descriptors. For an example of this, -check out the \filename{hash\_fd} example, included in the Botan distribution. - -\subsection{Entropy Sources} - -All of these are used by the \function{Global\_RNG::seed} function if -they are available. Since this function is called by the -\type{LibraryInitializer} class when it is created, it is rare -that you will need to deal with any of these classes directly. Even in -the case of a long-running server that needs to renew its entropy -poll, it is easier to call \function{Global\_RNG::seed} (see the -section entitled ``The Global PRNG'' for more details). - -\noindent -\type{EGD\_EntropySource}: Query an EGD socket. If the macro -\macro{BOTAN\_EXT\_ENTROPY\_SRC\_EGD} is defined, it can be found in -\filename{es\_egd.h}. The constructor takes a \type{std::vector<std::string>} -that specifies the paths to look for an EGD socket. - -\noindent -\type{Unix\_EntropySource}: This entropy source executes programs common on -Unix systems (such as \filename{uptime}, \filename{vmstat}, and \filename{df}) -and adds it to a buffer. It's quite slow due to process overhead, and (roughly) -1 bit of real entropy is in each byte that is output. It is declared in -\filename{es\_unix.h}, if \macro{BOTAN\_EXT\_ENTROPY\_SRC\_UNIX} is -defined. If you don't have \filename{/dev/urandom} \emph{or} EGD, this is -probably the thing to use. For a long-running process on Unix, keep on object -of this type around and run fast polls ever few minutes. - -\noindent -\type{FTW\_EntropySource}: Walk through a filesystem (the root to start -searching is passed as a string to the constructor), reading files. This tends -to only be useful on things like \filename{/proc} that have a great deal of -variability over time, and even then there is only a small amount of entropy -gathered: about 1 bit of entropy for every 16 bits of output (and many hundreds -of bits are read in order to get that 16 bits). It is declared in -\filename{es\_ftw.h}, if \macro{BOTAN\_EXT\_ENTROPY\_SRC\_FTW} is defined. Only -use this as a last resort. I don't really trust it, and neither should you. - -\noindent -\type{Win32\_CAPI\_EntropySource}: This routines gathers entropy from -a Win32 CAPI module. It takes an optional \type{std::string} that will -specify what type of CAPI provider to use. The CAPI RNG is usually a -default software-based PRNG, but there are a few providers that may -use a hardware RNG. By default it will use the first provider listed -in the option ``rng/ms\_capi\_prov\_type'' that is available on the -machine (currently the providers ``RSA\_FULL'', ``INTEL\_SEC'', -``FORTEZZA'', and ``RNG'' are recognized). - -\noindent -\type{BeOS\_EntropySource}: Query system statistics using various BeOS-specific -APIs. - -\noindent -\type{Pthread\_EntropySource}: Attempt to gather entropy based on jitter -between a number of threads competing for a single mutex. This entropy source -is \emph{very} slow, and highly questionable in terms of security. However, it -provides a worst-case fallback on systems that don't have Unix-like features, -but do support POSIX threads. This module is currently unavailable due to -problems on some systems. - -\subsection{Compressors} - -There are two compression algorithms supported by Botan, Zlib and Bzip2 (Gzip -and Zip encoding will be supported in future releases). Only lossless -compression algorithms are currently supported by Botan, because they tend to -be the most useful for cryptography. However, it is very reasonable to consider -supporting something like GSM speech encoding (which is lossy), for use in -encrypted voice applications. - -You should always compress \emph{before} you encrypt, because encryption seeks -to hide the redundancy that compression is supposed to try to find and remove. - -\subsubsection{Bzip2} - -To test for Bzip2, check to see if \macro{BOTAN\_EXT\_COMPRESSOR\_BZIP2} is -defined. If so, you can include \filename{bzip2.h}, which will declare a pair -of \type{Filter} objects: \type{Bzip2\_Compression} and -\type{Bzip2\_Decompression}. - -You should be prepared to take an exception when using the decompressing -filter, for if the input is not valid Bzip2 data, that is what you will -receive. You can specify the desired level of compression to -\type{Bzip2\_Compression}'s constructor as an integer between 1 and 9, 1 -meaning worst compression, and 9 meaning the best. The default is to use 9, -since small values take the same amount of time, just use a little less memory. - -The Bzip2 module was contributed by Peter J. Jones. - -\subsubsection{Zlib} - -Zlib compression works much like Bzip2 compression. The only -differences in this case are that the macro is -\macro{BOTAN\_EXT\_COMPRESSOR\_ZLIB}, the header you need to include -is called \filename{botan/zlib.h} (remember that you shouldn't just -\verb|#include <zlib.h>|, or you'll get the regular zlib API, which is -not what you want). The Botan classes for Zlib -compression/decompression are called \type{Zlib\_Compression} and -\type{Zlib\_Decompression}. - -Like Bzip2, a \type{Zlib\_Decompression} object will throw an exception if -invalid (in the sense of not being in the Zlib format) data is passed into it. - -In the case of zlib's algorithm, a worse compression level will be faster than -a very high compression ratio. For this reason, the Zlib compressor will -default to using a compression level of 6. This tends to give a good trade off -in terms of time spent to compression achieved. There are several factors you -need to consider in order to decide if you should use a higher compression -level: - -\begin{list}{$\cdot$} - \item Better security: the less redundancy in the source text, the harder it - is to attack your ciphertext. This is not too much of a concern, - because with decent algorithms using sufficiently long keys, it doesn't - really matter \emph{that} much (but it certainly can't hurt). - \item - - \item Decreasing returns. Some simple experiments by the author showed - minimal decreases in the size between level 6 and level 9 compression - with large (1 to 3 megabyte) files. There was some difference, but it - wasn't that much. - - \item CPU time. Level 9 zlib compression is often two to four times as slow - as level 6 compression. This can make a substantial difference in the - overall runtime of a program. -\end{list} - -While the zlib compression library uses the same compression algorithm as the -gzip and zip programs, the format is different. The zlib format is defined in -RFC 1950. - -\subsubsection{Data Sources} - -A \type{DataSource} is a simple abstraction for a thing that stores bytes. This -type is used heavily in the areas of the API related to ASN.1 -encoding/decoding. The following types are \type{DataSource}s: \type{Pipe}, -\type{SecureQueue}, and a couple of special purpose ones: -\type{DataSource\_Memory} and \type{DataSource\_Stream}. - -You can create a \type{DataSource\_Memory} with an array of bytes and a length -field. The object will make a copy of the data, so you don't have to worry -about keeping that memory allocated. This is mostly for internal use, but if it -comes in handy, feel free to use it. - -A \type{DataSource\_Stream} is probably more useful than the memory based -one. Its constructors take either a \type{std::istream} or a -\type{std::string}. If it's a stream, the data source will use the -\type{istream} to satisfy read requests (this is particularly useful to use -with \type{std::cin}). If the string version is used, it will attempt to open -up a file with that name and read from it. - -\subsubsection{Data Sinks} - -A \type{DataSink} (in \filename{data\_snk.h}) is a \type{Filter} that -takes arbitrary amounts of input, and produces no output. This means -it's doing something with the data outside the realm of what -\type{Filter}/\type{Pipe} can handle, for example, writing it to a -file (which is what the \type{DataSink\_Stream} does). There is no -need for \type{DataSink}s that write to a \type{std::string} or memory -buffer, because \type{Pipe} can handle that by itself. - -Here's a quick example of using a \type{DataSink}, which encrypts -\filename{in.txt} and sends the output to \filename{out.txt}. There is -no explicit output operation; the writing of \filename{out.txt} is -implicit. - -\begin{verbatim} - DataSource_Stream in("in.txt"); - Pipe pipe(new CBC_Encryption("Blowfish", "PKCS7", key, iv), - new DataSink_Stream("out.txt")); - pipe.process_msg(in); -\end{verbatim} - -A real advantage of this is that even if ``in.txt'' is large, only as -much memory is needed for internal I/O buffers will be used. - -\section{Miscellaneous} - -This section has documentation for anything that just didn't fit into -any of the major categories. Many of them (Timers, Allocators) will -rarely be used in actual application code, but others, like the PBKDF -algorithms, have a wide degree of applicability. - -\subsection{PBKDF Algorithms} - -There are various procedures (usually ad-hoc) for turning a -passphrase into a (mostly) arbitrary length key for a symmetric -cipher. A general interface for such algorithms is presented in -\filename{pbkdf.h}. The main function is \function{derive\_key}, which -takes a passphrase, a salt, an iteration count, and the desired length -of the output key, and returns a key of that length, deterministically -produced from the passphrase and salt. If an algorithm can't produce a -key of that size, it will throw an exception (most notably, PKCS \#5's -PBKDF1 can only produce strings between 1 and $n$ bytes, where $n$ is -the output size of the underlying hash function). - -The purpose of the iteration count is to make the algorithm take -longer to compute the final key (reducing the speed of brute-force -attacks of various kinds). Most standards recommend an iteration count -of at least 10000. Currently defined PBKDF algorithms are -``PBKDF1(digest)'', ``PBKDF2(digest)'', and ``OpenPGP-S2K(digest)''; -you can retrieve any of these using the \function{get\_pbkdf}, found in -\filename{lookup.h}. As of this writing, ``PBKDF2(SHA-256)'' with -10000 iterations and a 16 byte salt is recommend for new applications. - -\subsubsection{OpenPGP S2K} - -There are some oddities about OpenPGP's S2K algorithms that are -documented here. For one thing, it uses the iteration count in a -strange manner; instead of specifying how many times to iterate the -hash, it tells how many \emph{bytes} should be hashed in total -(including the salt). So the exact iteration count will depend on the -size of the salt (which is fixed at 8 bytes by the OpenPGP standard, -though the implementation will allow any salt size) and the size of -the passphrase. - -To get what OpenPGP calls ``Simple S2K'', set iterations to 0, and do -not specify a salt. To get ``Salted S2K'', again leave the iteration -count at 0, but give an 8-byte salt. ``Salted and Iterated S2K'' -requires an 8-byte salt and some iteration count (this should be -significantly larger than the size of the longest passphrase that -might reasonably be used; somewhere from 1024 to 65536 would probably -be about right). Using both a reasonably sized salt and a large -iteration count is highly recommended to prevent password guessing -attempts. - -\subsection{Password Hashing} - -Storing passwords for user authentication purposes in plaintext is the -simplest but least secure method; when an attacker compromises the -database in which the passwords are stored, they immediately gain -access to all of them. Often passwords are reused among multiple -services or machines, meaning once a password to a single service is -known an attacker has a substantial head start on attacking other -machines. - -The general approach is to store, instead of the password, the output -of a one way function of the password. Upon receiving an -authentication request, the authenticator can recompute the one way -function and compare the value just computed with the one that was -stored. If they match, then the authentication request succeeds. But -when an attacker gains access to the database, they only have the -output of the one way function, not the original password. - -Common hash functions such as SHA-256 are one way, but used alone they -have problems for this purpose. What an attacker can do, upon gaining -access to such a stored password database, is hash common dictionary -words and other possible passwords, storing them in a list. Then he -can search through his list; if a stored hash and an entry in his list -match, then he has found the password. Even worse, this can happen -\emph{offline}: an attacker can begin hashing common passwords days, -months, or years before ever gaining access to the database. In -addition, if two users choose the same password, the one way function -output will be the same for both of them, which will be visible upon -inspection of the database. - -There are two solutions to these problems: salting and -iteration. Salting refers to including, along with the password, a -randomly chosen value which perturbs the one way function. Salting can -reduce the effectivness of offline dictionary generation (because for -each potential password, an attacker would have to compute the one way -function output for all possible salts - with a large enough salt, -this can make the problem quite difficult). It also prevents the same -password from producing the same output, as long as the salts do not -collide. With a large salt (say 80 to 128 bits) this will be quite -unlikely. Iteration refers to the general technique of forcing -multiple one way function evaluations when computing the output, to -slow down the operation. For instance if hashing a single password -requires running SHA-256 100,000 times instead of just once, that will -slow down user authentication by a factor of 100,000, but user -authentication happens quite rarely, and usually there are more -expensive operations that need to occur anyway (network and database -I/O, etc). On the other hand, an attacker who is attempting to break a -database full of stolen password hashes will be seriously -inconvenienced by a factor of 100,000 slowdown; they will be able to -only test at a rate of .0001\% of what they would without iterations -(or, equivalently, will require 100,000 times as many zombie botnet -hosts). - -There are many different ways of doing this password hashing -operation, with common ones including Unix's crypt (which is based on -DES) and OpenBSD's bcrypt (based on Blowfish). Other variants using -MD5 or SHA-256 are also in use on various systems. - -Botan provides a technique called passhash9, in -\filename{passhash9.h}, which is based on PBKDF2. Two functions are -provided in this header, \function{generate\_passhash9} and -\function{check\_passhash9}. The generate function takes the password -to hash, a \type{RandomNumberGenerator}, and a work factor, which -tells how many iterations to compute. The default work factor is 10 -(which means 100,000 iterations), but any non-zero value is accepted. -The check function takes a password and a passhash9 output and checks -if the password is the same as the one that was used to generate the -passhash9 output, returning a boolean true (same) or false (not same). -An example can be found in \filename{doc/examples/passhash.cpp}. - -Passhash9 currently uses HMAC(SHA-1) for the underlying PBKDF2 -psuedo-random function, but can be extended to use different -algorithms in the future if necessary. For instance using a PRF based -on Blowfish (a block cipher that requires 4 KiB of RAM for efficient -execution) could be used to make hardware-based password cracking more -expensive (this was one motivation for Blowfish's use in the bcrypt -hashing scheme, in fact). - -\subsection{Checksums} - -Checksums are very similar to hash functions, and in fact share the same -interface. But there are some significant differences, the major ones being -that the output size is very small (usually in the range of 2 to 4 bytes), and -is not cryptographically secure. But for their intended purpose (error -checking), they perform very well. Some examples of checksums included in Botan -are the Adler32 and CRC32 checksums. - -\subsection{Exceptions} - -Sooner or later, something is going to go wrong. Botan's behavior when -something unusual occurs, like most C++ software, is to throw an exception. -Exceptions in Botan are derived from the \type{Exception} class. You can see -most of the major varieties of exceptions used in Botan by looking at -\filename{exceptn.h}. The only function you really need to concern yourself -with is \type{const char*} \function{what()}. This will return an error message -relevant to the error that occurred. For example: - -\begin{verbatim} -try { - // various Botan operations - } -catch(Botan::Exception& e) - { - cout << "Botan exception caught: " << e.what() << endl; - // error handling, or just abort - } -\end{verbatim} - -Botan's exceptions are derived from \type{std::exception}, so you don't need -to explicitly check for Botan exceptions if you're already catching the ISO -standard ones. - -\subsection{Threads and Mutexes} - -Botan includes a mutex system, which is used internally to lock some shared -data structures that must be kept shared for efficiency reasons (mostly, these -are in the allocation systems~--~handing out 1000 separate allocators hurts -performance and makes caching memory blocks useless). This system is supported -by the \texttt{mux\_pthr} module, implementing the \type{Mutex} interface for -systems that have POSIX threads. - -If your application is using threads, you \emph{must} add the option -``thread\_safe'' to the options string when you create the -\type{LibraryInitializer} object. If you specify this option and no mutex type -is available, an exception is thrown, since otherwise you would probably be -facing a nasty crash. - -\subsection{Secure Memory} - -A major concern with mixing modern multiuser OSes and cryptographic -code is that at any time the code (including secret keys) could be -swapped to disk, where it can later be read by an attacker. Botan -stores almost everything (and especially anything sensitive) in memory -buffers that a) clear out their contents when their destructors are -called, and b) have easy plugins for various memory locking functions, -such as the \function{mlock}(2) call on many Unix systems. - -Two of the allocation method used (``malloc'' and ``mmap'') don't -require any extra privileges on Unix, but locking memory does. At -startup, each allocator type will attempt to allocate a few blocks -(typically totaling 128k), so if you want, you can run your -application \texttt{setuid} \texttt{root}, and then drop privileges -immediately after creating your \type{LibraryInitializer}. If you end -up using more than what's been allocated, some of your sensitive data -might end up being swappable, but that beats running as \texttt{root} -all the time. - -These classes should also be used within your own code for storing -sensitive data. They are only meant for primitive data types (int, -long, etc): if you want a container of higher level Botan objects, you -can just use a \verb|std::vector|, since these objects know how to -clear themselves when they are destroyed. You cannot, however, have a -\verb|std::vector| (or any other container) of \type{Pipe}s or -\type{Filter}s, because these types have pointers to other -\type{Filter}s, and implementing copy constructors for these types -would be both hard and quite expensive (vectors of pointers to such -objects is fine, though). - -These types are not described in any great detail: for more information, -consult the definitive sources~--~the header files \filename{secmem.h} and -\filename{allocate.h}. - -\type{SecureBuffer} is a simple array type, whose size is specified at compile -time. It will automatically convert to a pointer of the appropriate type, and -has a number of useful functions, including \function{clear()}, and -\type{u32bit} \function{size()}, which returns the length of the array. It is a -template that takes as parameters a type, and a constant integer which is how -long the array is (for example: \verb|SecureBuffer<byte, 8> key;|). - -\type{SecureVector} is a variable length array. Its size can be increased or -decreased as need be, and it has a wide variety of functions useful for copying -data into its buffer. Like \type{SecureBuffer}, it implements \function{clear} -and \function{size}. - -\subsection{Allocators} - -The containers described above get their memory from allocators. As a -user of the library, you can add new allocator methods at run time for -containers, including the ones used internally by the library, to -use. The interface to this is in \filename{allocate.h}. Code needing -to allocate or deallocate memory calls \function{get\_allocator}, -which returns a pointer to an allocator object. This pointer should -not be freed: the caller does not own the allocator (it is shared -among multiple allocatore users, and uses a mutex to serialize access -internally if necessary). It is possible to call -\function{get\_allocator} with a specific name to request a particular -type of allocator, otherwise, a default allocator type is returned. - -At start time, the only allocator known is a \type{Default\_Allocator}, which -just allocates memory using \function{malloc}, and \function{memset}s it to 0 -when the memory is released. It is known by the name ``malloc''. If you ask for -another type of allocator (``locking'' and ``mmap'' are currently used), and it -is not available, some other allocator will be returned. - -You can add in a new allocator type using \function{add\_allocator\_type}. This -function takes a string and a pointer to an allocator. The string gives this -allocator type a name to which it can be referred when one is requesting it -with \function{get\_allocator}. If an error occurs (such as the name being -already registered), this function returns false. It will return true if the -allocator was successfully registered. If you ask it to, -\type{LibraryInitializer} will do this for you. - -Finally, you can set the default allocator type that will be returned using -the policy setting ``default\_alloc'' to the name of any previously registered -allocator. - -\subsection{BigInt} - -\type{BigInt} is Botan's implementation of a multiple-precision -integer. Thanks to C++'s operator overloading features, using \type{BigInt} is -often quite similar to using a native integer type. The number of functions -related to \type{BigInt} is quite large. You can find most of them in -\filename{bigint.h} and \filename{numthry.h}. - -Due to the sheer number of functions involved, only a few, which a regular user -of the library might have to deal with, are mentioned here. Fully documenting -the MPI library would take a significant while, so if you need to use it now, -the best way to learn is to look at the headers. - -Probably the most important are the encoding/decoding functions, which -transform the normal representation of a \type{BigInt} into some other form, -such as a decimal string. - -\type{SecureVector<byte>} \function{BigInt::encode}(\type{BigInt}, -\type{Encoding}) - -\noindent -and - -\type{BigInt} \function{BigInt::decode}(\type{SecureVector<byte>}, -\type{Encoding}) - -\type{Encoding} is an enum that has values \type{Binary}, \type{Octal}, -\type{Decimal}, and \type{Hexadecimal}. The parameter will default to -\type{Binary}. These functions are static member functions, so they would be -called like this: - -\begin{verbatim} - BigInt n1; // some number - SecureVector<byte> n1_encoded = BigInt::encode(n1); - BigInt n2 = BigInt::decode(n1_encoded); - // now n1 == n2 -\end{verbatim} - -There are also C++-style I/O operators defined for use with \type{BigInt}. The -input operator understands negative numbers, hexadecimal numbers (marked with a -leading ``0x''), and octal numbers (marked with a leading '0'). The '-' must -come before the ``0x'' or '0' marker. The output operator will never adorn the -output; for example, when printing a hexadecimal number, there will not be a -leading ``0x'' (though a leading '-' will be printed if the number is -negative). If you want such things, you'll have to do them yourself. - -\type{BigInt} has constructors that can create a \type{BigInt} from an unsigned -integer or a string. You can also decode a \type{byte}[] / length pair into a -BigInt. There are several other \type{BigInt} constructors, which I would -seriously recommend you avoid, as they are only intended for use internally by -the library, and may arbitrarily change, or be removed, in a future release. - -An random sampling of \type{BigInt} related functions: - -\type{u32bit} \function{BigInt::bytes}(): Return the size of this \type{BigInt} -in bytes. - -\type{BigInt} \function{random\_prime(\type{u32bit} \arg{b})}: Return a prime -number \arg{b} bits long. - -\type{BigInt} \function{gcd}(\type{BigInt} \arg{x}, \type{BigInt} \arg{y}): -Returns the greatest common divisor of \arg{x} and \arg{y}. Uses the binary -GCD algorithm. - -\type{bool} \function{is\_prime}(\type{BigInt} \arg{x}): Returns true if -\arg{x} is a (possible) prime number. Uses the Miller-Rabin probabilistic -primality test with fixed bases. For higher assurance, use -\function{verify\_prime}, which uses more rounds and randomized 48-bit bases. - -\subsubsection{Efficiency Hints} - -If you can, always use expressions of the form \verb|a += b| over -\verb|a = a + b|. The difference can be \emph{very} substantial, -because the first form prevents at least one needless memory -allocation, and possibly as many as three. - -If you're doing repeated modular exponentiations with the same modulus, create -a \type{BarrettReducer} ahead of time. If the exponent or base is a constant, -use the classes in \filename{mod\_exp.h}. This stuff is all handled for you by -the normal high-level interfaces, of course. - -Never use the low-level MPI functions (those that begin with -\texttt{bigint\_}). These are completely internal to the library, and -may make arbitrarily strange and undocumented assumptions about their -inputs, and don't check to see if they are true, on the assumption -that only the library itself calls them, and that the library knows -what the assumptions are. The interfaces for these functions can -change completely without notice. - -\section{Algorithms} - -\subsection{Recommended Algorithms} - -This section is by no means the last word on selecting which -algorithms to use. However, Botan includes a sometimes bewildering -array of possible algorithms, and unless you're familiar with the -latest developments in the field, it can be hard to know what is -secure and what is not. The following attributes of the algorithms -were evaluated when making this list: security, standardization, -patent status, support by other implementations, and efficiency (in -roughly that order). - -It is intended as a set of simple guidelines for developers, and -nothing more. It's entirely possible that there are algorithms in -Botan that will turn out to be more secure than the ones listed, but -the algorithms listed here are (currently) thought to be safe. - -\begin{list}{$\cdot$} - \item Block ciphers: AES or Serpent in CBC, CTR, or XTS mode - - \item Hash functions: SHA-256, SHA-512 - - \item MACs: HMAC with any recommended hash function - - \item Public Key Encryption: RSA with ``EME1(SHA-256)'' - - \item Public Key Signatures: RSA with EMSA4 and any recommended - hash, or DSA or ECDSA with ``EMSA1(SHA-256)'' - - \item Key Agreement: Diffie-Hellman or ECDH, with ``KDF2(SHA-256)'' -\end{list} - -\subsection{Algorithms Listing} - -Botan includes a very sizable number of cryptographic algorithms. In -nearly all cases, you never need to know the header file or type name -to use them. However, you do need to know what string (or strings) are -used to identify that algorithm. These names conform to those set out -by SCAN (Standard Cryptographic Algorithm Naming), which is a document -that specifies how strings are mapped onto algorithm objects, which is -useful for a wide variety of crypto APIs (SCAN is oriented towards -Java, but Botan and several other non-Java libraries also make at -least some use of it). For full details, read the SCAN document, which -can be found at -\url{http://www.users.zetnet.co.uk/hopwood/crypto/scan/} - -Many of these algorithms can take options (such as the number of -rounds in a block cipher, the output size of a hash function, -etc). These are shown in the following list; all of them default to -reasonable values. There are algorithm-specific limits on most of -them. When you see something like ``HASH'' or ``BLOCK'', that means -you should insert the name of some algorithm of that type. There are -no defaults for those options. - -A few very obscure algorithms are skipped; if you need one of them, -you'll know it, and you can look in the appropriate header to see what -that classes' \function{name} function returns (the names tend to -match that in SCAN, if it's defined there). - -\begin{list}{$\cdot$} - \item ROUNDS: The number of rounds in a block cipher. - \item - \item OUTSZ: The output size of a hash function or MAC -\end{list} - -\vskip .05in -\noindent -\textbf{Block Ciphers:} ``AES'' (and ``AES-128'', ``AES-192'', and -``AES-256''), ``Blowfish'', ``CAST-128'', ``CAST-256'', ``DES'', -``DESX'', ``TripleDES'', ``GOST-28147-89'', ``IDEA'', ``KASUMI'', -``MARS'', ``MISTY1(ROUNDS)'', ``Noekeon'', ``RC2'', ``RC5(ROUNDS)'', -``RC6'', ``SAFER-SK(ROUNDS)'', ``SEED'', ``Serpent'', ``Skipjack'', -``Square'', ``TEA'', ``Twofish'', ``XTEA'' - -\noindent -\textbf{Stream Ciphers:} ``ARC4'', ``MARK4'', ``Salsa20'', ``Turing'', -``WiderWake4+1-BE'' - -\noindent -\textbf{Hash Functions:} ``HAS-160'', ``GOST-34.11'', -``MD2'', ``MD4'', ``MD5'', ``RIPEMD-128'', ``RIPEMD-160'', -``SHA-160'', ``SHA-256'', ``SHA-384'', ``SHA-512'', ``Skein-512'', -``Tiger(OUTSZ)'', ``Whirlpool'' - -\noindent -\textbf{MACs:} ``HMAC(HASH)'', ``CMAC(BLOCK)'', ``X9.19-MAC'' - -\section{Support and Further Information} - -\subsection{Patents} - -Some of the algorithms implemented by Botan may be covered by patents in some -locations. Algorithms known to have patent claims on them in the United States -and that are not available in a license-free/royalty-free manner include: -IDEA, MISTY1, RC5, RC6, and Nyberg-Rueppel. - -You must not assume that, just because an algorithm is not listed here, it is -not encumbered by patents. If you have any concerns about the patent status of -any algorithm you are considering using in an application, please discuss it -with your attorney. - -\subsection{Support} - -Questions or problems you have with Botan can be directed to the -development mailing list. Joining this list is highly recommended if -you're going to be using Botan, since often advance notice of upcoming -changes is sent there. ``Philosophical'' bug reports, announcements of -programs using Botan, and anything else having to do with Botan are -also welcome. - -The lists can be found at -\url{http://lists.randombit.net/mailman/listinfo/}. - -\subsection{Contact Information} - -A PGP key with a fingerprint of -\verb|621D AF64 11E1 851C 4CF9 A2E1 6211 EBF1 EFBA DFBC| is used to sign all -Botan releases. This key can be found in the file \filename{doc/pgpkeys.asc}; -PGP keys for the developers are also stored there. - -\vskip 5pt \noindent -Web Site: \url{http://botan.randombit.net} - -\subsection{License} - -Copyright \copyright 2000-2010, Jack Lloyd - -Licensed under the same terms as the Botan source - -\end{document} diff --git a/doc/architecture.pdf b/doc/architecture.pdf Binary files differdeleted file mode 100644 index f0edc3fc1..000000000 --- a/doc/architecture.pdf +++ /dev/null diff --git a/doc/bigint.txt b/doc/bigint.txt new file mode 100644 index 000000000..7eb884039 --- /dev/null +++ b/doc/bigint.txt @@ -0,0 +1,104 @@ +BigInt +======================================== + +``BigInt`` is Botan's implementation of a multiple-precision +integer. Thanks to C++'s operator overloading features, using +``BigInt`` is often quite similar to using a native integer type. The +number of functions related to ``BigInt`` is quite large. You can find +most of them in ``botan/bigint.h`` and ``botan/numthry.h``. + +.. note:: + + If you can, always use expressions of the form ``a += b`` over ``a = + a + b``. The difference can be *very* substantial, because the first + form prevents at least one needless memory allocation, and possibly + as many as three. This will be less of an issue once the library + adopts use of C++0x's rvalue references. + +Encoding Functions +---------------------------------------- + +These transform the normal representation of a ``BigInt`` into some +other form, such as a decimal string: + +.. cpp:function:: SecureVector<byte> BigInt::encode(const BigInt& n, Encoding enc = Binary) + + This function encodes the BigInt n into a memory + vector. ``Encoding`` is an enum that has values ``Binary``, + ``Octal``, ``Decimal``, and ``Hexadecimal``. + +.. cpp:function:: BigInt BigInt::decode(const MemoryRegion<byte>& vec, Encoding enc) + + Decode the integer from ``vec`` using the encoding specified. + +These functions are static member functions, so they would be called +like this:: + + BigInt n1 = ...; // some number + SecureVector<byte> n1_encoded = BigInt::encode(n1); + BigInt n2 = BigInt::decode(n1_encoded); + assert(n1 == n2); + +There are also C++-style I/O operators defined for use with +``BigInt``. The input operator understands negative numbers, +hexadecimal numbers (marked with a leading "0x"), and octal numbers +(marked with a leading '0'). The '-' must come before the "0x" or '0' +marker. The output operator will never adorn the output; for example, +when printing a hexadecimal number, there will not be a leading "0x" +(though a leading '-' will be printed if the number is negative). If +you want such things, you'll have to do them yourself. + +``BigInt`` has constructors that can create a ``BigInt`` from an +unsigned integer or a string. You can also decode an array (a ``byte`` +pointer plus a length) into a ``BigInt`` using a constructor. + +Number Theory +---------------------------------------- + +Number theoretic functions available include: + +.. cpp:function:: BigInt gcd(BigInt x, BigInt y) + + Returns the greatest common divisor of x and y + +.. cpp:function:: BigInt lcm(BigInt x, BigInt y) + + Returns an integer z which is the smallest integer such that z % x + == 0 and z % y == 0 + +.. cpp:function:: BigInt inverse_mod(BigInt x, BigInt m) + + Returns the modular inverse of x modulo m, that is, an integer + y such that (x*y) % m == 1. If no such y exists, returns zero. + +.. cpp:function:: BigInt power_mod(BigInt b, BigInt x, BigInt m) + + Returns b to the xth power modulo m. If you are doing many + exponentiations with a single fixed modulus, it is faster to use a + ``Power_Mod`` implementation. + +.. cpp:function:: BigInt ressol(BigInt x, BigInt p) + + Returns the square root modulo a prime, that is, returns a number y + such that (y*y) % p == x. Returns -1 if no such integer exists. + +.. cpp:function:: bool quick_check_prime(BigInt n, RandomNumberGenerator& rng) + +.. cpp:function:: bool check_prime(BigInt n, RandomNumberGenerator& rng) + +.. cpp:function:: bool verify_prime(BigInt n, RandomNumberGenerator& rng) + + Three variations on primality testing. All take an integer to test along with + a random number generator, and return true if the integer seems like it might + be prime; there is a chance that this function will return true even with + a composite number. The probability decreases with the amount of work performed, + so it is much less likely that ``verify_prime`` will return a false positive + than ``check_prime`` will. + +.. cpp:function BigInt random_prime(RandomNumberGenerator& rng, \ + size_t bits, BigInt coprime = 1, size_t equiv = 1, size_t equiv_mod = 2) + + Return a random prime number of ``bits`` bits long that is + relatively prime to ``coprime``, and equivalent to ``equiv`` modulo + ``equiv_mod``. + diff --git a/doc/build_log.txt b/doc/build_log.txt new file mode 100644 index 000000000..2e92a6f90 --- /dev/null +++ b/doc/build_log.txt @@ -0,0 +1,231 @@ + +Build Log +======================================== + +To report build results (successful or not), email the `development +list <http://lists.randombit.net/mailman/listinfo/botan-devel/>`_ your +results and relevant system information (OS versions, compiler name +and version, CPU architecture and other hardware information, +configuration settings). + +Debian reports the build results for 1.8 on `a number of platforms +<http://buildd.debian.org/pkg.cgi?pkg=botan1.8>`_. + +=========== ======= =================== ======================== ============================ ======== +Date Version OS CPU Compiler Results +=========== ======= =================== ======================== ============================ ======== +2011-05-09 1.9.17 Debian 6.0 Intel Atom D510 GCC 4.4.5 OK +2010-05-09 1.9.17 Gentoo 10.0 PowerPC G5 GCC 4.4.5 OK +2011-05-02 1.9.17 FreeBSD 8.2 x86-64 GCC 4.2.1 OK +2011-04-25 1.9.16 Gentoo 10.0 Intel Core i7-860 Clang 2.9 Miscompiles SSE2 IDEA +2011-04-23 1.9.16 Gentoo 10.0 Intel Core i7-860 Sun C++ 5.10 OK +2011-04-22 1.9.16 Gentoo 10.0 Intel Core i7-860 Intel C++ 11.1 OK +2011-04-15 1.9.16 Haiku R1-alpha2 x86 GCC 4.3.3 OK +2011-04-15 1.9.16 Haiku R1-alpha2 x86 GCC 2.95.3 Can't compile +2011-04-15 1.9.16 Windows 7 x86-64 Visual C++ 16.00.30319.01 OK +2011-04-15 1.9.16 QNX 6.4.1 i386 GCC 4.3.3 OK +2011-03-29 1.9.15 Gentoo 10.0 Intel Core i5-520M GCC 4.5.2 OK +2011-03-21 1.9.15 Ark Linux x86-64 GCC 4.6.0-pre OK +2011-03-21 1.9.15 Ark Linux x86-32 GCC 4.6.0-pre OK +2011-03-21 1.9.15 Ark Linux ARM GCC 4.6.0-pre OK +2011-03-18 1.9.14 Debian 6.0 Intel Atom D510 GCC 4.4.5 OK +2011-03-01 1.9.14 OpenBSD 4.6 UltraSPARC IIIi GCC 4.2.4 OK +2011-03-01 1.9.14 OpenBSD 4.7 i386 GCC 4.2.4 OK +2011-03-01 1.9.14 Debian 6.0 Intel Madison IA-64 GCC 4.4.5 OK +2011-03-01 1.9.14 Ubuntu 9.10 ARM Cortex-A8 GCC 4.4.1 OK +2011-03-01 1.9.14 Debian 5.0 PowerPC G5/970 GCC 4.3.2 OK +2011-03-01 1.9.14 Windows 7 x64 Intel Core i5-520M Visual C++ 15.00.30729.01 OK (32/64) +2011-03-01 1.9.14 Gentoo 10.0 Intel Core i7-860 Open64 4.2.1 OK +2011-03-01 1.9.14 Gentoo 10.0 Intel Core i7-860 Sun C++ 5.10 OK +2011-03-01 1.9.14 Gentoo 10.0 Intel Core i7-860 Intel C++ 11.1 OK +2011-03-01 1.9.14 Gentoo 10.0 Intel Core i7-860 GCC 4.5.2 OK +2011-02-14 1.9.13 NetBSD 5.1 Intel Xeon P4 GNU GCC 4.1.3 OK +2011-01-14 1.9.12 FreeBSD 8.1 x86-64 Clang 2.9 OK +2010-11-29 1.9.11 Windows 7 x64 Intel Core i5-520M Visual C++ 15.00.30729.01 OK (32/64) +2010-11-29 1.9.11 Gentoo 10.0 Intel Core i7-860 GNU GCC 4.1.2, 4.4.5, 4.5.1 OK +2010-11-29 1.9.11 Debian 5.0 PowerPC G5/970 GCC 4.3.2 OK +2010-11-29 1.9.11 Gentoo 10.0 Intel Core i7-860 Intel C++ 11.1 OK +2010-11-29 1.9.11 Gentoo 10.0 Intel Core i7-860 Clang 2.8 Miscompiles SSE2 IDEA +2010-11-29 1.9.11 Debian 5.0 (32 bit) UltraSPARC T1 Niagra GCC 4.3.2 OK +2010-09-07 1.9.11 Gentoo 10.0 Intel Core i7-860 Sun C++ 5.10 OK +2010-08-12 1.9.10 Debian 5.0 Xeon X5450 Harpertown GCC 4.3.2 OK +2010-08-12 1.9.10 Ubuntu 9.04 Intel Atom N270 GCC 4.3.3 OK +2010-08-12 1.9.10 Debian 5.0 Intel Prescott GCC 4.3.2 OK +2010-08-08 1.9.10 Gentoo 10.0 Intel Core i7-860 GCC 3.4.6 OK +2010-08-08 1.9.10 Gentoo 10.0 Intel Core i7-860 GCC 4.1.2 OK +2010-08-08 1.9.10 Gentoo 10.0 Intel Core i7-860 GCC 4.3.5 OK +2010-08-08 1.9.10 Gentoo 10.0 Intel Core i7-860 GCC 4.4.4 OK +2010-08-08 1.9.10 Gentoo 10.0 Intel Core i7-860 GCC 4.5.1 OK +2010-08-08 1.9.10 Gentoo 10.0 Intel Core i7-860 Clang SVN Miscompiles Turing +2010-07-27 1.9.9 Debian 5.0 AMD Magny-Cours GCC 4.3.2, 4.5.0 OK +2010-06-16 1.9.8 Gentoo 10.0 Intel Core2 Q6600 Intel C++ 11.1 OK +2010-06-16 1.9.8 Debian 5.0 (32 bit) UltraSPARC T1 Niagra GCC 4.3.2 OK +2010-06-16 1.9.8 Debian 5.0 Intel Madison IA-64 GCC 4.3.2 OK +2010-06-16 1.9.8 Gentoo 10.0 IBM POWER5+ GCC 4.1.2, 4.2.4, 4.3.2 OK +2010-06-16 1.9.8 OpenBSD 4.6 UltraSPARC IIIi GCC 3.3.5, 4.2.4 OK +2010-06-16 1.9.8 FreeBSD 8.0 AMD Opteron 252 GCC 4.2.1 OK +2010-06-16 1.9.8 gNewSense MIPS Loongson-2 (64) GCC 4.3.2 OK +2010-06-16 1.9.8 Ubuntu 9.10 ARM Cortex-A8 GCC 4.4.1 OK +2010-06-11 1.9.8 Gentoo 10.0 Intel Core2 Q6600 GCC 3.4.6, 4.1.2 OK +2010-06-11 1.9.8 Windows 7 x64 Intel Core i5-520M Visual C++ 15.00.30729.01 OK (32 and 64 bit) +2010-06-11 1.9.8 Gentoo 10.0 Intel Core i5-520M GCC 4.5.0 OK +2010-06-01 1.9.8 OpenBSD 4.7 i386 GCC 3.3.5 OK +2010-05-03 1.9.7 Windows 7 x64 Intel Core i5-520M Visual C++ 15.00.30729.01 OK +2010-04-27 1.9.7 Gentoo 10.0 PPC 970FX (G5) GCC 4.3.4 OK +2010-04-27 1.9.7 Gentoo 10.0 Intel Core2 Q6600 GCC 4.4.3, 4.5.0 OK +2010-03-18 1.9.4 Gentoo 10.0 Intel Core2 Q6600 GCC 4.4.3 OK +2010-03-18 1.9.4 Debian 5.0 UltraSPARC II (64) GCC 4.3.2 OK +2010-03-18 1.9.4 Gentoo 10.0 PowerPC G5 GCC 4.3.4 OK +2010-03-18 1.9.4 Gentoo 10.0 IBM POWER5+ GCC 4.3.2 OK +2010-03-15 1.9.4 Windows XP x86 Visual C++ 15.00.30729.01 OK +2010-03-10 1.9.4 FreeBSD 8.0 AMD Opteron 252 GCC 4.2.1 OK, but missing includes +2009-12-29 1.9.4 Debian 4.0 PowerPC G4 7455 GCC 4.1.2 OK +2009-12-23 1.9.4 Debian 5.0 Xeon X5450 Harpertown GCC 4.3.2 OK +2009-11-13 1.9.3 Debian 5.0 UltraSPARC II GCC 4.3.2 OK +2009-11-10 1.9.2 Debian 4.0 PowerPC G4 GCC 4.1.2 OK +2009-11-03 1.9.2 Debian Linux 4.0 AMD Opteron 8354 GCC 4.4.1 OK +2009-10-27 1.9.2 Debian Linux 5.0 Xeon X5450 Harpertown GCC 4.3.2 OK +2009-10-23 1.9.1 Gentoo Linux Intel Core2 Q6600 GCC 4.4.1, Intel C++ 11.1 OK +2009-10-23 1.9.1 Gentoo Linux AMD Opteron 2212 GCC 4.3.4 OK +2009-09-24 1.9.0 Debian 4.0 AMD Opteron 8354 GCC 4.1.2, 4.4.1 OK +2010-07-01 1.8.9 OpenSUSE 10.3 Intel Core2 GCC 4.2.1 OK +2010-06-22 1.8.9 Slackware 13.1 Intel E5400 (64) GCC 4.4.4 OK +2010-06-22 1.8.9 Slackware 13.1 Pentium-M (32) GCC 4.4.4 OK +2010-06-16 1.8.9 Debian 5.0 (32 bit) UltraSPARC T1 Niagra GCC 4.3.2 (GCC TR1) Crashes in GF(p) tests +2010-03-18 1.8.8 Debian 5.0 UltraSPARC II (64) GCC 4.3.2 OK +2008-10-23 1.8.7 Gentoo 2008.0 PPC 970FX (G5) GCC 4.3.4 OK +2009-10-07 1.8.7 Debian GNU/Hurd 0.3 i686 GCC 4.3.4 OK +2009-09-08 1.8.7 Gentoo 2008.0 Intel Core2 Q6600 GCC 4.4.1 OK +2009-09-04 1.8.6 Gentoo 2008.0 PPC 970FX (G5) GCC 4.3.4 OK +2009-08-13 1.8.6 Gentoo 2008.0 Intel Core2 Q6600 GCC 4.3.3 OK +2009-08-13 1.8.6 Windows XP x86 Visual C++ 15.00.30729.01 OK (no TR1) +2009-08-03 1.8.5 openSuSE 10.3 x86 GCC 4.2.1 OK +2009-08-03 1.8.5 Gentoo 2008.0 Intel Core2 Q6600 Open64 4.2.1 BAD: Miscompiles several ciphers +2009-07-31 1.8.5 Solaris 11 x86 Sun C++ 5.9 OK, but minor build problems +2009-07-30 1.8.5 Gentoo 2006.1 UltraSPARC IIe (32) GCC 3.4.6 OK (no TR1) +2009-07-25 1.8.5 Debian 4.0 AMD Opteron 2212 GCC 4.1.2 OK +2009-07-23 1.8.5 Gentoo 2008.0 Marvel Feroceon 88FR131 GCC 4.1.2 OK +2009-07-23 1.8.5 Debian 5.0 Intel Xscale 80219 GCC 4.3.2 OK +2009-07-23 1.8.5 Debian 5.0 UltraSPARC II (64) GCC 4.3.2 OK +2009-07-23 1.8.5 Debian 5.0 UltraSPARC II (32) GCC 4.3.2 BAD: bus error in GF(p) +2009-07-23 1.8.5 Debian 5.0 UltraSPARC II (32) GCC 4.1.3 BAD: miscompiles BigInt code +2009-07-23 1.8.5 Debian 4.0 PowerPC G4 GCC 4.1.2 OK +2009-07-23 1.8.5 Debian 4.0 PowerPC G5 GCC 4.1.2 OK +2009-07-23 1.8.5 Debian 5.0 Intel Madison IA-64 GCC 4.1.3, 4.3.2 OK +2009-07-23 1.8.5 Debian 5.0 HP-PA PA8600 GCC 4.3.2 OK +2009-07-23 1.8.5 Mandriva 2008.1 MIPS Loongson-2 (32) GCC 4.2.3 OK +2009-07-23 1.8.5 gNewSense MIPS Loongson-2 (64) GCC 4.3.2 OK +2009-07-21 1.8.5 Windows XP x86 Visual C++ 15.00.30729.01 OK (no TR1) +2009-07-21 1.8.5 Gentoo 2008.0 Intel Core2 Q6600 GCC 4.1.2, 4.3.3 OK +2009-07-21 1.8.5 Gentoo 2008.0 Intel Core2 Q6600 Intel C++ 10.1 20080801 OK +2009-07-21 1.8.5 Gentoo 2008.0 AMD Opteron 2212 GCC 4.3.3 OK +2009-07-21 1.8.5 Ubuntu 8.04 Intel Xeon X5492 GCC 4.2.4 OK +2009-07-21 1.8.5 MacOS X 10.5.6 Intel Core 2 Duo T5600 GCC 4.0.1 OK +2009-07-21 1.8.5 Solaris 10 AMD Opteron GCC 3.4.3 OK (no TR1) +2008-07-11 1.8.3 Fedora 11 Intel Pentium E5200 GCC 4.4.0 OK +2008-07-10 1.8.3 Gentoo 2008.0 PPC 970FX (G5) GCC 4.3.1 OK +2008-07-10 1.8.3 Gentoo 2008.0 IBM POWER5+ GCC 4.2.2 OK +2009-07-10 1.8.3 Gentoo 2008.0 AMD Opteron 2212 GCC 4.3.3 OK +2009-07-10 1.8.3 Ubuntu 8.04 Intel Xeon X5492 GCC 4.2.4 OK +2009-07-10 1.8.3 MacOS X 10.5.6 Intel Core 2 Duo T5600 GCC 4.0.1 OK +2009-07-10 1.8.3 Debian 5.0.1 Intel Core 2 Duo T5600 GCC 4.3.2 OK +2009-07-10 1.8.3 Fedora 10 Intel Core 2 Duo T5600 GCC 4.3.2 OK +2009-07-10 1.8.3 Solaris 10 AMD Opteron GCC 3.4.3 OK (no TR1) +2009-07-09 1.8.3 Gentoo 2008.0 Intel Core2 Q6600 Intel C++ 10.1 20080801 OK +2009-07-02 1.8.3 Gentoo 2008.0 Intel Core2 Q6600 GCC 4.3.3 OK +2009-07-02 1.8.3 FreeBSD 7.0 x86-64 GCC 4.2.1 OK +2009-07-02 1.8.3 Windows XP x86 Visual C++ 15.00.30729.01 OK (no TR1) +2008-12-27 1.8.0 Ubuntu 8.04 Pentium 4-M GCC 4.2.3 OK +2008-12-14 1.8.0 FreeBSD 7.0 x86-64 GCC 4.2.1 OK +2008-12-10 1.8.0 Gentoo 2007.0 Intel Core2 Q6600 GCC 4.1.2, 4.2.4, 4.3.2 OK +2008-12-05 1.7.24 Gentoo 2007.0 Intel Core2 Q6600 GCC 4.1.2, 4.2.4, 4.3.2 OK +2008-12-04 1.7.24 Gentoo 2007.0 Intel Core2 Q6600 Intel 10.1-20080801 OK +2008-12-03 1.7.24 Solaris 10 x86 GCC 3.4.3 OK (small patch needed, fixed in 1.8.0) +2008-11-24 1.7.23 Gentoo 2007.0 Intel Core2 Q6600 GCC 4.1.2 OK +2008-11-24 1.7.23 Gentoo 2007.0 Intel Core2 Q6600 GCC 4.2.4 OK +2008-11-24 1.7.23 Gentoo 2007.0 Intel Core2 Q6600 GCC 4.3.2 OK +2008-11-24 1.7.23 Gentoo 2007.0 Intel Core2 Q6600 GCC 4.4-20081017 OK +2008-11-24 1.7.23 Gentoo 2007.0 Intel Core2 Q6600 (32) GCC 4.1.2, 4.2.4 OK +2008-11-24 1.7.23 Gentoo 2007.0 Intel Core2 Q6600 (32) GCC 4.3.2 OK (with Boost 1.35 TR1) +2008-11-24 1.7.23 Gentoo 2007.0 Intel Core2 Q6600 (32) GCC 4.3.2 Crashes (with libstdc++ TR1) +2008-11-24 1.7.23 Gentoo 2007.0 Intel Core2 Q6600 Intel C++ 9.1-20061101 OK +2008-11-24 1.7.23 Gentoo 2007.0 Intel Core2 Q6600 Intel C++ 10.1-20080801 OK +2008-11-24 1.7.23 Fedora 8 STI Cell PPU GCC 4.1.2 OK +2008-11-24 1.7.23 Fedora 8 STI Cell PPU IBM XLC for Cell 0.9 45 minute link. Miscompiles DES +2008-11-24 1.7.23 Gentoo 2007.0 IBM POWER5+ GCC 4.1.2, 4.2.2, 4.3.1 OK +2008-11-24 1.7.23 Gentoo 2007.0 AMD Opteron 2212 GCC 3.3.6, 4.1.2, 4.3.2 OK (no TR1 with 3.3.6) +2008-11-24 1.7.23 Windows XP x86 Visual C++ 15.00.30729.01 OK (no TR1) +2008-11-09 1.7.20 Gentoo 2007.0 IBM POWER5+ GCC 4.1.2 OK +2008-11-09 1.7.20 Gentoo 2007.0 Intel Core2 Q6600 GCC 4.3.2 OK +2008-11-09 1.7.20 Windows XP x86 Visual C++ 15.00.30729.01 OK +2008-11-06 1.7.19 Gentoo 2007.0 IBM POWER5+ GCC 4.1.2 OK +2008-11-06 1.7.19 Gentoo 2007.0 Intel Core2 Q6600 GCC 4.1.2, 4.3.1 OK +2008-11-06 1.7.19 Gentoo 2007.0 Intel Core2 Q6600 Intel C++ 9.1-20061101 OK +2008-11-06 1.7.19 Gentoo 2007.0 Intel Core2 Q6600 Intel C++ 10.1-20080801 OK +2008-11-06 1.7.19 Windows XP x86 Visual C++ 15.00.30729.01 OK +2008-11-03 1.7.19 FreeBSD 7.0 x86-64 GCC 4.2.1 OK +2008-10-24 1.7.18 Gentoo 2007.0 IBM POWER5+ GCC 4.2.2, 4.3.1 OK +2008-10-24 1.7.18 Fedora 8 STI Cell PPU GCC 4.1.2 OK +2008-10-22 1.7.18 Windows XP Pentium 4-M GCC 3.4.5 (MinGW) OK +2008-10-22 1.7.18 Windows XP Pentium 4-M Visual C++ 15.00.30729.01 OK +2008-10-22 1.7.18 Gentoo 2007.0 IBM POWER5+ GCC 4.1.2 OK +2008-10-22 1.7.18 Gentoo 2007.0 Intel Core2 Q6600 GCC 4.1.2, 4.2.4, 4.3.2 OK +2008-10-22 1.7.18 Gentoo 2007.0 Intel Core2 Q6600 Intel C++ 9.1-20061101 OK +2008-10-22 1.7.18 Gentoo 2007.0 Intel Core2 Q6600 Intel C++ 10.1-20080801 OK +2008-10-07 1.7.15 Gentoo 2007.0 IBM POWER5+ GCC 4.1.2 OK +2008-10-07 1.7.15 Gentoo 2007.0 Intel Core2 Q6600 GCC 4.3.1 OK +2008-09-30 1.7.14 Gentoo 2007.0 PPC 970FX (G5) GCC 4.3.1 OK +2008-09-30 1.7.14 Gentoo 2007.0 IBM POWER5+ GCC 4.1.2 OK +2008-09-30 1.7.14 Gentoo 2007.0 Intel Core2 Q6600 GCC 4.3.1 OK +2008-09-30 1.7.14 Gentoo 2007.0 Intel Core2 Q6600 Intel C++ 10.1.018 OK +2008-09-30 1.7.14 Windows XP Pentium 4-M Visual C++ 15.00.30729.01 OK +2008-09-30 1.7.14 Windows XP Pentium 4-M GCC 3.4.5 (MinGW) OK +2008-09-18 1.7.12 Gentoo 2007.0 IBM POWER5+ GCC 4.1.2, 4.2.2 OK +2008-09-18 1.7.12 Gentoo 2007.0 Intel Core2 Q6600 GCC 4.2.4, 4.3.1 OK +2008-09-18 1.7.12 Gentoo 2007.0 Intel Core2 Q6600 Intel C++ 10.1.018 OK +2008-09-18 1.7.12 Windows XP Pentium 4-M Visual C++ 15.00.30729.01 OK +2008-09-18 1.7.12 Windows XP Pentium 4-M GCC 3.4.5 (MinGW) OK +2008-09-16 1.7.12 Fedora 7 STI Cell PPU GCC 4.1.2 OK +2008-09-16 1.7.11 MacOS X 10.4 (32) Intel Core2 GCC 4.0.1 OK +2008-09-11 1.7.11 Gentoo 2007.0 Intel Core2 Q6600 GCC 4.3.1 OK +2008-09-11 1.7.11 Windows XP Pentium 4-M Visual C++ 15.00.30729.01 OK +2008-09-08 1.7.9 Gentoo 2007.0 Intel Core2 Q6600 Intel C++ 10.1.018 OK +2008-08-28 1.7.9 Gentoo 2007.0 IBM POWER5+ GCC 4.1.2 OK +2008-08-28 1.7.9 Gentoo 2007.0 IBM POWER5+ GCC 4.2.2 OK +2008-08-28 1.7.9 Gentoo 2007.0 IBM POWER5+ GCC 4.3.1 OK +2008-08-28 1.7.9 Gentoo STI Cell PPU GCC 4.1.2 OK +2008-08-27 1.7.9 Gentoo Intel Core2 Q6600 GCC 4.1.2 OK +2008-08-27 1.7.9 Gentoo Intel Core2 Q6600 GCC 4.2.4 OK +2008-08-27 1.7.9 Gentoo Intel Core2 Q6600 GCC 4.3.1 OK +2008-08-27 1.7.9 Gentoo Intel Core2 Q6600 GCC 4.4-20080822 OK +2008-08-27 1.7.9 Gentoo Intel Core2 Q6600 Intel C++ 9.1-20061101 OK +2008-08-27 1.7.9 Gentoo Intel Core2 Q6600 Intel C++ 10.1-20080602 OK +2008-08-27 1.7.9 Windows XP Pentium 4-M Visual C++ 2008 OK +2008-08-27 1.7.9 Windows XP Pentium 4-M GCC 3.4.5 (MinGW) OK +2008-08-18 1.7.8 Ubuntu 8.04 Pentium 4-M GCC 4.2.3 OK +2008-08-18 1.7.8 Windows XP Pentium 4-M Visual C++ 2008 OK +2008-08-18 1.7.8 Windows XP Pentium 4-M GCC 3.4.5 (MinGW) OK +2008-07-18 1.7.8 Gentoo IBM POWER5+ GCC 4.1.2 OK +2008-07-15 1.7.8 Gentoo Intel Core2 Q6600 GCC 4.3.1 OK +2008-07-06 1.7.7 Gentoo Intel Core2 Q6600 PGI 7.2 Miscompiles TEA, Turing, BigInt +2008-06-28 1.7.7 Gentoo Pentium 4-M GCC 4.1.2 OK +2008-06-28 1.7.7 Gentoo Intel Core2 Q6600 GCC 4.1.2, 4.2.4, 4.3.1 OK +2008-06-28 1.7.7 Gentoo Intel Core2 Q6600 Intel C++ 10.1 OK +2008-06-28 1.7.7 Gentoo IBM POWER5+ GCC 4.1.2, 4.2.2 OK +2008-06-25 1.7.6 Gentoo IBM POWER5+ GCC 4.1.2, 4.2.2 OK +2008-06-09 1.7.6 Gentoo PPC 970FX (G5) GCC 4.1.2 OK +2008-05-14 1.7.6 Gentoo Intel Core2 Q6600 Intel C++ 9.1 Builds, but link problems +2008-05-14 1.7.6 Gentoo Intel Core2 Q6600 GCC 4.2.3 OK +2008-04-21 1.7.5 Gentoo STI Cell PPU GCC 4.1.2 OK +2008-04-14 1.7.5 Debian Pentium 4 GCC 4.1.2 OK +2008-04-13 1.7.5 Gentoo 2006.1 UltraSPARC II (32) GCC 3.4.6 OK +2008-04-12 1.7.5 RHEL3 Pentium 4 Xeon GCC 3.2.3 OK +2008-04-12 1.7.5 Gentoo Intel Core2 Q6600 Intel C++ 10.1 OK +2008-04-12 1.7.5 Gentoo AMD Opteron 2212 GCC 4.1.2 OK +2008-04-12 1.7.5 Gentoo Intel Core2 Q6600 GCC 4.2.3 OK +2008-09-16 1.6.5 MacOS X 10.4 Intel Core2 (32) GCC 4.0.1 OK +2008-08-28 1.6.5 Gentoo 2007.0 IBM POWER5+ GCC 4.1.2, 4.2.2, 4.3.1 OK +2008-08-27 1.6.5 Gentoo Intel Core2 Q6600 GCC 4.3.1, 4.4-20080822 OK +2008-08-18 1.6.4 Windows XP Pentium 4-M Visual C++ 2008 OK +2008-07-02 1.6.4 Solaris 10 x86-64 Sun Forte 12 OK +=========== ======= =================== ======================== ============================ ======== diff --git a/doc/building.tex b/doc/building.tex deleted file mode 100644 index 7164f74eb..000000000 --- a/doc/building.tex +++ /dev/null @@ -1,444 +0,0 @@ -\documentclass{article} - -\setlength{\textwidth}{6.5in} -\setlength{\textheight}{9in} - -\setlength{\headheight}{0in} -\setlength{\topmargin}{0in} -\setlength{\headsep}{0in} - -\setlength{\oddsidemargin}{0in} -\setlength{\evensidemargin}{0in} - -\title{\textbf{Botan Build Guide}} -\author{Jack Lloyd \\ - \texttt{[email protected]}} -\date{2010-06-10} - -\newcommand{\filename}[1]{\texttt{#1}} -\newcommand{\module}[1]{\texttt{#1}} - -\newcommand{\type}[1]{\texttt{#1}} -\newcommand{\function}[1]{\textbf{#1}} -\newcommand{\macro}[1]{\texttt{#1}} - -\begin{document} - -\maketitle - -\tableofcontents - -\parskip=5pt -\pagebreak - -\section{Introduction} - -This document describes how to build Botan on Unix/POSIX and MS -Windows systems. The POSIX oriented descriptions should apply to most -common Unix systems (including MacOS X), along with POSIX-ish systems -like BeOS, QNX, and Plan 9. Currently, systems other than Windows and -POSIX (such as VMS, MacOS 9, OS/390, OS/400, ...) are not supported by -the build system, primarily due to lack of access. Please contact the -maintainer if you would like to build Botan on such a system. - -Botan's build is controlled by configure.py, which is a Python -script. Python 2.5 or later is required. If you want to use the -(incompatible) Python 3, you must first run the \texttt{2to3} script -on it. - -\section{For the Impatient} - -\begin{verbatim} -$ ./configure.py [--prefix=/some/directory] -$ make -$ make check -$ make install -\end{verbatim} - -Or using \verb|nmake|, if you're compiling on Windows with Visual -C++. On platforms that do not understand the '\#!' convention for -beginning script files, or that have Python installed in an unusual -spot, you might need to prefix the \texttt{configure.py} command with -\texttt{python} or \texttt{/path/to/python}. - -\section{Building the Library} - -The first step is to run \filename{configure.py}, which is a Python -script that creates various directories, config files, and a Makefile -for building everything. The script requires at least Python 2.5; any -later version of Python 2.x should also work. Python 3.1 will also -work but requires an extra step, see the section ``Using Python 3.1'', -later in this document. - -The script will attempt to guess what kind of system you are trying -to compile for (and will print messages telling you what it guessed). -You can override this process by passing the options \verb|--cc|, -\verb|--os|, and \verb|--cpu|. - -You can pass basically anything reasonable with \verb|--cpu|: the -script knows about a large number of different architectures, their -sub-models, and common aliases for them. You should only select the -64-bit version of a CPU (such as ``sparc64'' or ``mips64'') if your -operating system knows how to handle 64-bit object code -- a 32-bit -kernel on a 64-bit CPU will generally not like 64-bit code. - -By default the script tries to figure out what will work on your -system, and use that. It will print a display at the end showing which -algorithms have and have not been enabled. For instance on one system -we might see lines like: - -\begin{verbatim} - INFO: Skipping mod because CPU incompatible - asm_amd64 mp_amd64 mp_asm64 sha1_amd64 - INFO: Skipping mod because OS incompatible - cryptoapi_rng win32_stats - INFO: Skipping mod because compiler incompatible - mp_ia32_msvc - INFO: Skipping mod because loaded on request only - bzip2 gnump openssl qt_mutex zlib -\end{verbatim} - -The ones that are 'loaded on request only' have to be explicitly asked -for, because they rely on third party libraries which your system -might not have. For instance to enable zlib support, add -\verb|--with-zlib| to your invocation of \verb|configure.py|. - -You can control which algorithms and modules are built using the -options \verb|--enable-modules=MODS| and -\verb|--disable-modules=MODS|, for instance -\verb|--enable-modules=zlib| and \verb|--disable-modules=rc5,idea|. -Modules not listed on the command line will simply be loaded if needed -or if configured to load by default. If you use \verb|--no-autoload|, -only the most core modules will be included; you can then explicitly -enable things that you want to use with enable-modules. This is useful -for creating a minimal build targetted to a specific application. - -The script tries to guess what kind of makefile to generate, and it -almost always guesses correctly (basically, Visual C++ uses NMAKE with -Windows commands, and everything else uses Unix make with POSIX -commands). Just in case, you can override it with -\verb|--make-style=somestyle|. The styles Botan currently knows about -are 'unix' (normal Unix makefiles), and 'nmake', the make variant -commonly used by Windows compilers. To add a new variant (eg, a build -script for VMS), you will need to create a new template file in -\filename{src/build-data/makefile}. - -\subsection{POSIX / Unix} - -The basic build procedure on Unix and Unix-like systems is: - -\begin{verbatim} - $ ./configure.py [--enable-modules=<list>] [--cc=CC] - $ make - # You may need to set your LD_LIBRARY_PATH or equivalent for ./check to run - $ make check # optional, but a good idea - $ make install -\end{verbatim} - -On Unix systems the script will default to using GCC; use -\texttt{--cc} if you want something else. For instance use -\texttt{--cc=icc} for Intel C++ and \texttt{--cc=clang} for Clang. - -The \verb|make install| target has a default directory in which it -will install Botan (typically \verb|/usr/local|). You can override -this by using the \texttt{--prefix} argument to -\filename{configure.py}, like so: - -\verb|./configure.py --prefix=/opt <other arguments>| - -On some systems shared libraries might not be immediately visible to -the runtime linker. For example, on Linux you may have to edit -\filename{/etc/ld.so.conf} and run \texttt{ldconfig} (as root) in -order for new shared libraries to be picked up by the linker. An -alternative is to set your \texttt{LD\_LIBRARY\_PATH} shell variable -to include the directory that the Botan libraries were installed into. - -\subsection{Mac OS X} - -In general the Unix instructions above should apply, however OS X does -not support \texttt{LD\_LIBRARY\_PATH}. Thomas Keller suggests instead -running \verb|install_name_tool| between building and running the -self-test program: - -\begin{verbatim} - $ VERSION=1.9.10 - $ install_name_tool -change $(otool -X -D libbotan-$VERSION.dylib) \ - $PWD/libbotan-$VERSION.dylib check -\end{verbatim} - -\subsection{MS Windows} - -If you don't want to deal with building botan on Windows, check the -website; commonly prebuilt Windows binaries with installers are -available, especially for stable versions. - -You need to have a copy of Python installed, and have both Python and -your chosen compiler in your path. Open a command shell (or the SDK -shell), and run: - -\begin{verbatim} - > python configure.py --cc=msvc (or --cc=gcc for MinGW) [--cpu=CPU] - > nmake - > nmake check # optional, but recommended - > nmake install -\end{verbatim} - -For Win95 pre OSR2, the \verb|cryptoapi_rng| module will not work, -because CryptoAPI didn't exist. And all versions of NT4 lack the -ToolHelp32 interface, which is how \verb|win32_stats| does its slow -polls, so a version of the library built with that module will not -load under NT4. Later versions of Windows support both methods, so -this shouldn't be much of an issue anymore. - -By default the install target will be 'C:\textbackslash botan'; you -can modify this with the \texttt{--prefix} option. - -When building your applications, all you have to do is tell the -compiler to look for both include files and library files in -\verb|C:\botan|, and it will find both. Or you can move them to a -place where they will be in the default compiler search paths (consult -your documentation and/or local expert for details). - -\section{Trickier Things} - -\subsection{Modules Relying on Third Party Libraries} - -There are a fairly large number of modules included with Botan. Some -of these are extremely useful, while others are only necessary in very -unusual circumstances. Most are loaded (or not) automatically as -necessary, but some require external libraries are thus must be -enabled at build time; these include: - -\newcommand{\mod}[2]{\textbf{#1}: #2} - -\begin{list}{$\cdot$} - \item \mod{bzip2}{Enables an application to perform bzip2 - compression and decompression using the library. Available on any - system that has bzip2. To enable, use option \texttt{--with-bzip2}} - - \item \mod{zlib}{Enables an application to perform zlib compression - and decompression using the library. Available on any system that - has zlib. To enable, use option \texttt{--with-zlib}} - - \item \mod{gnump}{An engine that uses GNU MP to speed up PK - operations. GNU MP 4.1 or later is required. To enable, use - option \texttt{--with-gnump}} - - \item \mod{openssl}{An engine that uses OpenSSL to speed up public - key operations and some ciphers/hashes. OpenSSL 0.9.7 or later is - required. Note that, unlike GNU MP, OpenSSL's versions are not - always faster than the versions built into botan. To enable, use - option \texttt{--with-openssl}} - -\end{list} - -\subsection{Amalgamation} - -You can also configure Botan to be built using only a single source -file; this is quite convenient if you plan to embed the library into -another application. To do so, run \filename{configure.py} with -whatever arguments you would ordinarily use, along with the option -\texttt{--gen-amalgamation}. This will create two (rather large) -files, \filename{botan\_all.h} and \filename{botan\_all.cpp}. - -Whenever you would have included a botan header, you can then include -\filename{botan\_all.h}, and include \filename{botan\_all.cpp} along -with the rest of the source files in your build. If you want to be -able to easily switch between amalgamated and non-amalgamated versions -(for instance to take advantage of prepackaged versions of botan on -operating systems that support it), you can instead ignore -\filename{botan\_all.h} and use the headers from -\filename{build/include} as normal. - -\subsection{Multiple Builds} - -It may be useful to run multiple builds with different -configurations. Specify \verb|--build-dir=<dir>| to set up a build -environment in a different directory. - -\subsection{Using Python 3.1} - -The versions of Python begininning with 3 are (intentionally) -incompatible with the (currently more common) 2.x series. If you want -to use Python 3.1 to set up the build, you'll have to use the -\texttt{2to3} program (included in the Python distribution) on the -script; this will convert the script to the Python 3.x dialect: - -\begin{verbatim} - $ python ./configure.py - File "configure.py", line 860 - except KeyError, e: - ^ -SyntaxError: invalid syntax - $ # incompatible python version, let's fix it - $ 2to3 -w configure.py -[...] -RefactoringTool: Files that were modified: -RefactoringTool: configure.py - $ python ./configure.py -[...] -\end{verbatim} - -\subsection{Local Configuration} - -You may want to do something peculiar with the configuration; to -support this there is a flag to \filename{configure.py} called -\texttt{--with-local-config=<file>}. The contents of the file are -inserted into \filename{build/build.h} which is (indirectly) included -into every Botan header and source file. - -\subsection{Configuration Parameters} - -There are some configuration parameters which you may want to tweak -before building the library. These can be found in -\filename{config.h}. This file is overwritten every time the configure -script is run (and does not exist until after you run the script for -the first time). - -Also included in \filename{build/build.h} are macros which are defined -if one or more extensions are available. All of them begin with -\verb|BOTAN_HAS_|. For example, if \verb|BOTAN_HAS_COMPRESSOR_BZIP2| -is defined, then an application using Botan can include -\filename{<botan/bzip2.h>} and use the Bzip2 filters. - -\macro{BOTAN\_MP\_WORD\_BITS}: This macro controls the size of the -words used for calculations with the MPI implementation in Botan. You -can choose 8, 16, 32, or 64, with 32 being the default. You can use 8, -16, or 32 bit words on any CPU, but the value should be set to the -same size as the CPU's registers for best performance. You can only -use 64-bit words if an assembly module (such as \module{mp\_ia32} or -\module{mp\_asm64}) is used. If the appropriate module is available, -64 bits are used, otherwise this is set to 32. Unless you are building -for a 8 or 16-bit CPU, this isn't worth messing with. - -\macro{BOTAN\_VECTOR\_OVER\_ALLOCATE}: The memory container -\type{SecureVector} will over-allocate requests by this amount (in -elements). In several areas of the library, we grow a vector fairly often. By -over-allocating by a small amount, we don't have to do allocations as often -(which is good, because the allocators can be quite slow). If you \emph{really} -want to reduce memory usage, set it to 0. Otherwise, the default should be -perfectly fine. - -\macro{BOTAN\_DEFAULT\_BUFFER\_SIZE}: This constant is used as the size of -buffers throughout Botan. A good rule of thumb would be to use the page size of -your machine. The default should be fine for most, if not all, purposes. - -\section{Building Applications} - -\subsection{Unix} - -Botan usually links in several different system libraries (such as -\texttt{librt} and \texttt{libz}), depending on which modules are -configured at compile time. In many environments, particularly ones -using static libraries, an application has to link against the same -libraries as Botan for the linking step to succeed. But how does it -figure out what libraries it \emph{is} linked against? - -The answer is to ask the \filename{botan-config} script. This -basically solves the same problem all the other \filename{*-config} -scripts solve, and in basically the same manner. - -There are 4 options: - -\texttt{--prefix[=DIR]}: If no argument, print the prefix where Botan -is installed (such as \filename{/opt} or \filename{/usr/local}). If an -argument is specified, other options given with the same command will -execute as if Botan as actually installed at \filename{DIR} and not -where it really is; or at least where \filename{botan-config} thinks -it really is. I should mention that it - -\texttt{--version}: Print the Botan version number. - -\texttt{--cflags}: Print options that should be passed to the compiler -whenever a C++ file is compiled. Typically this is used for setting -include paths. - -\texttt{--libs}: Print options for which libraries to link to (this includes -\texttt{-lbotan}). - -Your \filename{Makefile} can run \filename{botan-config} and get the -options necessary for getting your application to compile and link, -regardless of whatever crazy libraries Botan might be linked against. - -Botan also by default installs a file for \texttt{pkg-config}, -namespaced by the major and minor versions. So it can be used, -for instance, as - -\begin{verbatim} -$ pkg-config botan-1.9 --modversion -1.9.8 -$ pkg-config botan-1.9 --cflags --I/usr/local/include -$ pkg-config botan-1.9 --libs --L/usr/local/lib -lbotan -lm -lbz2 -lpthread -lrt -\end{verbatim} - -\subsection{MS Windows} - -No special help exists for building applications on Windows. However, -given that typically Windows software is distributed as binaries, this -is less of a problem - only the developer needs to worry about it. As -long as they can remember where they installed Botan, they just have -to set the appropriate flags in their Makefile/project file. - -\section{Language Wrappers} - -\subsection{Building the Python wrappers} - -The Python wrappers for Botan use Boost.Python, so you must have Boost -installed. To build the wrappers, add the flag - -\verb|--with-boost-python| - -to \verb|configure.py|. This will create a second makefile, -\verb|Makefile.python|, with instructions for building the Python -module. After building the library, execute - -\begin{verbatim} -$ make -f Makefile.python -\end{verbatim} - -to build the module. Currently only Unix systems are supported, and -the Makefile assumes that the version of Python you want to build -against is the same one you used to run \verb|configure.py|. - -To install the module, use the \verb|install| target. - -Examples of using the Python module can be seen in \filename{doc/python} - -\subsection{Building the Perl XS wrappers} - -To build the Perl XS wrappers, change your directory to -\filename{src/wrap/perl-xs} and run \verb|perl Makefile.PL|, then run -\verb|make| to build the module and \verb|make test| to run the test -suite. - -\begin{verbatim} -$ perl Makefile.PL -Checking if your kit is complete... -Looks good -Writing Makefile for Botan -$ make -cp Botan.pm blib/lib/Botan.pm -AutoSplitting blib/lib/Botan.pm (blib/lib/auto/Botan) -/usr/bin/perl5.8.8 /usr/lib64/perl5/5.8.8/ExtUtils/xsubpp [...] -g++ -c -Wno-write-strings -fexceptions -g [...] -Running Mkbootstrap for Botan () -chmod 644 Botan.bs -rm -f blib/arch/auto/Botan/Botan.so -g++ -shared Botan.o -o blib/arch/auto/Botan/Botan.so \ - -lbotan -lbz2 -lpthread -lrt -lz \ - -chmod 755 blib/arch/auto/Botan/Botan.so -cp Botan.bs blib/arch/auto/Botan/Botan.bs -chmod 644 blib/arch/auto/Botan/Botan.bs -Manifying blib/man3/Botan.3pm -$ make test -PERL_DL_NONLAZY=1 /usr/bin/perl5.8.8 [...] -t/base64......ok -t/filt........ok -t/hex.........ok -t/oid.........ok -t/pipe........ok -t/x509cert....ok -All tests successful. -Files=6, Tests=83, 0 wallclock secs ( 0.08 cusr + 0.02 csys = 0.10 CPU) -\end{verbatim} - -\end{document} diff --git a/doc/building.txt b/doc/building.txt new file mode 100644 index 000000000..9e7be79a3 --- /dev/null +++ b/doc/building.txt @@ -0,0 +1,433 @@ + +Building The Library +================================= + +This document describes how to build Botan on Unix/POSIX and MS +Windows systems. The POSIX oriented descriptions should apply to most +common Unix systems (including MacOS X), along with POSIX-ish systems +like BeOS, QNX, and Plan 9. Currently, systems other than Windows and +POSIX (such as VMS, MacOS 9, OS/390, OS/400, ...) are not supported by +the build system, primarily due to lack of access. Please contact the +maintainer if you would like to build Botan on such a system. + +Botan's build is controlled by configure.py, which is a `Python +<http://www.python.org>`_ script. Python 2.5 or later is required. + +For the impatient, this works for most systems:: + + $ ./configure.py [--prefix=/some/directory] + $ make + $ make check + $ make install + +Or using ``nmake``, if you're compiling on Windows with Visual C++. On +platforms that do not understand the '#!' convention for beginning +script files, or that have Python installed in an unusual spot, you +might need to prefix the ``configure.py`` command with ``python`` or +``/path/to/python``:: + + $ python ./configure.py [arguments] + +Configuring the Build +--------------------------------- + +The first step is to run ``configure.py``, which is a Python script +that creates various directories, config files, and a Makefile for +building everything. The script requires at least Python 2.5; any +later version of Python 2.x should also work. Python 3.1 will also +work but requires an extra step; see :ref:`configure_with_python3` for +details. + +The script will attempt to guess what kind of system you are trying to +compile for (and will print messages telling you what it guessed). +You can override this process by passing the options ``--cc``, +``--os``, and ``--cpu``. + +You can pass basically anything reasonable with ``--cpu``: the script +knows about a large number of different architectures, their +sub-models, and common aliases for them. You should only select the +64-bit version of a CPU (such as "sparc64" or "mips64") if your +operating system knows how to handle 64-bit object code - a 32-bit +kernel on a 64-bit CPU will generally not like 64-bit code. + +By default the script tries to figure out what will work on your +system, and use that. It will print a display at the end showing which +algorithms have and have not been enabled. For instance on one system +we might see lines like:: + + INFO: Skipping, by request only - bzip2 gnump openssl qt_mutex zlib + INFO: Skipping, incompatible CPU - aes_intel aes_ssse3 asm_x86_64 mp_asm64 mp_x86_64 sha1_x86_64 + INFO: Skipping, incompatible OS - beos_stats cryptoapi_rng win32_crit_section win32_stats + INFO: Skipping, incompatible compiler - mp_msvc64 mp_x86_32_msvc + +The ones that are 'loaded on request only' have to be explicitly asked +for, because they rely on third party libraries which your system +might not have. For instance to enable zlib support, add +``--with-zlib`` to your invocation of ``configure.py``. + +You can control which algorithms and modules are built using the +options ``--enable-modules=MODS`` and ``--disable-modules=MODS``, for +instance ``--enable-modules=zlib`` and ``--disable-modules=rc5,idea``. +Modules not listed on the command line will simply be loaded if needed +or if configured to load by default. If you use ``--no-autoload``, +only the most core modules will be included; you can then explicitly +enable things that you want to use with ``--enable-modules``. This is +useful for creating a minimal build targeting to a specific +application, especially in conjunction with the amalgamation option; +see :ref:`amalgamation`. + +For instance:: + + $ ./configure.py --no-autoload --enable-modules=rsa,ecdsa,eme1,emsa1,emsa4 + +will set up a build that only includes RSA, ECDSA, and some padding +modes, along with their dependencies. A small subset of core features, +including AES, SHA-2, HMAC, and the multiple precision integer +library, are always loaded. + +The script tries to guess what kind of makefile to generate, and it +almost always guesses correctly (basically, Visual C++ uses NMAKE with +Windows commands, and everything else uses Unix make with POSIX +commands). Just in case, you can override it with +``--make-style=somestyle``. The styles Botan currently knows about are +'unix' (normal Unix makefiles), and 'nmake', the make variant commonly +used by Windows compilers. To add a new variant (eg, a build script +for VMS), you will need to create a new template file in +``src/build-data/makefile``. + +On Unix +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The basic build procedure on Unix and Unix-like systems is:: + + $ ./configure.py [--enable-modules=<list>] [--cc=CC] + $ make + # You may need to set your LD_LIBRARY_PATH or equivalent for ./check to run + $ make check # optional, but a good idea + $ make install + +On Unix systems the script will default to using GCC; use +``--cc`` if you want something else. For instance use +``--cc=icc`` for Intel C++ and ``--cc=clang`` for Clang. + +The ``make install`` target has a default directory in which it +will install Botan (typically ``/usr/local``). You can override +this by using the ``--prefix`` argument to +``configure.py``, like so: + +``./configure.py --prefix=/opt <other arguments>`` + +On some systems shared libraries might not be immediately visible to +the runtime linker. For example, on Linux you may have to edit +``/etc/ld.so.conf`` and run ``ldconfig`` (as root) in +order for new shared libraries to be picked up by the linker. An +alternative is to set your ``LD_LIBRARY_PATH`` shell variable +to include the directory that the Botan libraries were installed into. + +On Mac OS X +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +In general the Unix instructions above should apply, however OS X does +not support ``LD_LIBRARY_PATH``. Thomas Keller suggests instead +running ``install_name_tool`` between building and running the +self-test program:: + + $ VERSION=1.10.0 # or whatever the current version is + $ install_name_tool -change $(otool -X -D libbotan-$VERSION.dylib) \ + $PWD/libbotan-$VERSION.dylib check + +On MS Windows +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +If you don't want to deal with building botan on Windows, check the +website; commonly prebuilt Windows binaries with installers are +available, especially for stable versions. + +You need to have a copy of Python installed, and have both Python and +your chosen compiler in your path. Open a command shell (or the SDK +shell), and run:: + + > python configure.py --cc=msvc (or --cc=gcc for MinGW) [--cpu=CPU] + > nmake + > nmake check # optional, but recommended + > nmake install + +For Win95 pre OSR2, the ``cryptoapi_rng`` module will not work, +because CryptoAPI didn't exist. And all versions of NT4 lack the +ToolHelp32 interface, which is how ``win32_stats`` does its slow +polls, so a version of the library built with that module will not +load under NT4. Later versions of Windows support both methods, so +this shouldn't be much of an issue anymore. + +By default the install target will be ``C:\botan``; you can modify +this with the ``--prefix`` option. + +When building your applications, all you have to do is tell the +compiler to look for both include files and library files in +``C:\botan``, and it will find both. Or you can move them to a +place where they will be in the default compiler search paths (consult +your documentation and/or local expert for details). + +Other Build-Related Tasks +---------------------------------------- + +.. _amalgamation: + +The Amalgamation Build +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +You can also configure Botan to be built using only a single source +file; this is quite convenient if you plan to embed the library into +another application. To do so, run ``configure.py`` with whatever +arguments you would ordinarily use, along with the option +``--gen-amalgamation``. This will create two (rather large) files, +``botan_all.h`` and ``botan_all.cpp``. + +Whenever you would have included a botan header, you can then include +``botan_all.h``, and include ``botan_all.cpp`` along with the rest of +the source files in your build. If you want to be able to easily +switch between amalgamated and non-amalgamated versions (for instance +to take advantage of prepackaged versions of botan on operating +systems that support it), you can instead ignore ``botan_all.h`` and +use the headers from ``build/include`` as normal. + +You can also build the library as normal but using the amalgamation +instead of the individual source files using ``--via-amalgamation``. +This is essentially a very simple form of link time optimization; +because the entire library source is visible to the compiler, it has +more opportunities for interprocedural optimizations. + +Modules Relying on Third Party Libraries +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +There are a fairly large number of modules included with Botan. Some +of these are extremely useful, while others are only necessary in very +unusual circumstances. Most are loaded (or not) automatically as +necessary, but some require external libraries are thus must be +enabled at build time; these include: + + - ``--with-bzip2`` enables the filters providing bzip2 compression + and decompression. Requires the bzip2 development libraries to be + installed. + + - ``--with-zlib`` enables the filters providing zlib compression + and decompression. Requires the zlib development libraries to be + installed. + + - ``--with-gnump`` adds an alternative engine for public key + cryptography that uses the GNU MP library. GNU MP 4.1 or later is + required. + + - ``--with-openssl`` adds an engine that uses OpenSSL for some public + key operations and ciphers/hashes. OpenSSL 0.9.7 or later is + required. Note that OpenSSL's versions are not always faster than + the versions built into botan. + +Multiple Builds +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +It may be useful to run multiple builds with different +configurations. Specify ``--build-dir=<dir>`` to set up a build +environment in a different directory. + + +.. _configure_with_python3: + +Configuring the Build With Python 3.1 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The versions of Python beginning with 3 are (intentionally) +incompatible with the (currently more common) 2.x series. If you want +to use Python 3.1 to set up the build, you'll have to use the +``2to3`` program (included in the Python distribution) on the +script; this will convert the script to the Python 3.x dialect:: + + $ python ./configure.py + File "configure.py", line 860 + except KeyError, e: + ^ + SyntaxError: invalid syntax + $ # incompatible python version, let's fix it + $ 2to3 -w configure.py + [...] + RefactoringTool: Files that were modified: + RefactoringTool: configure.py + $ python ./configure.py + [...] + +Setting Distribution Info +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The build allows you to set some information about what distribution +this build of the library comes from. It is particularly relevant to +people packaging the library for wider distribution, to signify what +distribution this build is from. Applications can test this value by +checking the string value of the macro ``BOTAN_DISTRIBUTION_INFO``. It +can be set using the ``--distribution-info`` flag to ``configure.py``, +and otherwise defaults to "unspecified". For instance, a `Gentoo +<http://www.gentoo.org>`_ ebuild might set it with +``--distribution-info="Gentoo ${PVR}"`` where ``${PVR}`` is an ebuild +variable automatically set to a combination of the library and ebuild +versions. + +Local Configuration Settings +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +You may want to do something peculiar with the configuration; to +support this there is a flag to ``configure.py`` called +``--with-local-config=<file>``. The contents of the file are +inserted into ``build/build.h`` which is (indirectly) included +into every Botan header and source file. + +Configuration Parameters +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +There are some configuration parameters which you may want to tweak +before building the library. These can be found in ``config.h``. This +file is overwritten every time the configure script is run (and does +not exist until after you run the script for the first time). + +Also included in ``build/build.h`` are macros which let applications +check which features are included in the current version of the +library. All of them begin with ``BOTAN_HAS_``. For example, if +``BOTAN_HAS_BLOWFISH`` is defined, then an application can include +``<botan/blowfish.h>`` and use the Blowfish class. + +``BOTAN_MP_WORD_BITS``: This macro controls the size of the words used +for calculations with the MPI implementation in Botan. You can choose +8, 16, 32, or 64. Normally this defaults to either 32 or 64, depending +on the processor. Unless you are building for a 8 or 16-bit CPU, this +isn't worth messing with. + +``BOTAN_VECTOR_OVER_ALLOCATE``: The memory container ``SecureVector`` +will over-allocate requests by this amount (in elements). In several +areas of the library, we grow a vector fairly often. By +over-allocating by a small amount, we don't have to do allocations as +often (which is good, because the allocators can be quite slow). If +you *really* want to reduce memory usage, set it to 0. Otherwise, the +default should be perfectly fine. + +``BOTAN_DEFAULT_BUFFER_SIZE``: This constant is used as the size of +buffers throughout Botan. A good rule of thumb would be to use the +page size of your machine. The default should be fine for most +purposes. + +Building Applications +---------------------------------------- + +Unix +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Botan usually links in several different system libraries (such as +``librt`` and ``libz``), depending on which modules are +configured at compile time. In many environments, particularly ones +using static libraries, an application has to link against the same +libraries as Botan for the linking step to succeed. But how does it +figure out what libraries it *is* linked against? + +The answer is to ask the ``botan-config`` script. This +basically solves the same problem all the other ``*-config`` +scripts solve, and in basically the same manner. + +There are 4 options: + +``--prefix[=DIR]``: If no argument, print the prefix where Botan +is installed (such as ``/opt`` or ``/usr/local``). If an +argument is specified, other options given with the same command will +execute as if Botan as actually installed at ``DIR`` and not +where it really is; or at least where ``botan-config`` thinks +it really is. I should mention that it + +``--version``: Print the Botan version number. + +``--cflags``: Print options that should be passed to the compiler +whenever a C++ file is compiled. Typically this is used for setting +include paths. + +``--libs``: Print options for which libraries to link to (this includes +``-lbotan``). + +Your ``Makefile`` can run ``botan-config`` and get the +options necessary for getting your application to compile and link, +regardless of whatever crazy libraries Botan might be linked against. + +Botan also by default installs a file for ``pkg-config``, +namespaced by the major and minor versions. So it can be used, +for instance, as:: + + $ pkg-config botan-1.10 --modversion + 1.10.0 + $ pkg-config botan-1.10 --cflags + -I/usr/local/include + $ pkg-config botan-1.10 --libs + -L/usr/local/lib -lbotan -lm -lbz2 -lpthread -lrt + +MS Windows +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +No special help exists for building applications on Windows. However, +given that typically Windows software is distributed as binaries, this +is less of a problem - only the developer needs to worry about it. As +long as they can remember where they installed Botan, they just have +to set the appropriate flags in their Makefile/project file. + +Language Wrappers +---------------------------------------- + +Building the Python wrappers +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The Python wrappers for Botan use Boost.Python, so you must have Boost +installed. To build the wrappers, pass the flag +``--with-boost-python`` to ``configure.py``. This will create a second +makefile, ``Makefile.python``, with instructions for building the +Python module. After building the library, execute:: + + $ make -f Makefile.python + +to build the module. Currently only Unix systems are supported, and +the Makefile assumes that the version of Python you want to build +against is the same one you used to run ``configure.py``. + +To install the module, use the ``install`` target. + +Examples of using the Python module can be seen in +``doc/examples/python`` + +Building the Perl XS wrappers +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +To build the Perl XS wrappers, change your directory to +``src/wrap/perl-xs`` and run ``perl Makefile.PL``, then run +``make`` to build the module and ``make test`` to run the test +suite:: + + $ perl Makefile.PL + Checking if your kit is complete... + Looks good + Writing Makefile for Botan + $ make + cp Botan.pm blib/lib/Botan.pm + AutoSplitting blib/lib/Botan.pm (blib/lib/auto/Botan) + /usr/bin/perl5.8.8 /usr/lib64/perl5/5.8.8/ExtUtils/xsubpp [...] + g++ -c -Wno-write-strings -fexceptions -g [...] + Running Mkbootstrap for Botan () + chmod 644 Botan.bs + rm -f blib/arch/auto/Botan/Botan.so + g++ -shared Botan.o -o blib/arch/auto/Botan/Botan.so \ + -lbotan -lbz2 -lpthread -lrt -lz \ + + chmod 755 blib/arch/auto/Botan/Botan.so + cp Botan.bs blib/arch/auto/Botan/Botan.bs + chmod 644 blib/arch/auto/Botan/Botan.bs + Manifying blib/man3/Botan.3pm + $ make test + PERL_DL_NONLAZY=1 /usr/bin/perl5.8.8 [...] + t/base64......ok + t/filt........ok + t/hex.........ok + t/oid.........ok + t/pipe........ok + t/x509cert....ok + All tests successful. + Files=6, Tests=83, 0 wallclock secs ( 0.08 cusr + 0.02 csys = 0.10 CPU) diff --git a/doc/conf.py b/doc/conf.py new file mode 100644 index 000000000..65f40314a --- /dev/null +++ b/doc/conf.py @@ -0,0 +1,243 @@ +# -*- coding: utf-8 -*- +# +# botan documentation build configuration file, created by +# sphinx-quickstart on Sun Apr 3 11:41:06 2011. +# +# This file is execfile()d with the current directory set to its containing dir. +# +# Note that not all possible configuration values are present in this +# autogenerated file. +# +# All configuration values have a default; values that are commented out +# serve to show the default. + +import sys, os + +sys.path.insert(0, os.pardir) + +# Avoid useless botan_version.pyc (Python 2.6 or higher) +if 'dont_write_bytecode' in sys.__dict__: + sys.dont_write_bytecode = True + +import botan_version + +# If extensions (or modules to document with autodoc) are in another directory, +# add these directories to sys.path here. If the directory is relative to the +# documentation root, use os.path.abspath to make it absolute, like shown here. +#sys.path.insert(0, os.path.abspath('.')) + +# -- General configuration ----------------------------------------------------- + +# If your documentation needs a minimal Sphinx version, state it here. +needs_sphinx = '1.0' + +""" +Assert that we are running under Sphinx 1.0.7 or later. Earlier +versions have bugs in the C++ domain that cause crashes. And +needs_sphinx only allows us to assert needing a particular major/minor +version. +""" +def check_sphinx_version(): + import sphinx + + version = map(int, sphinx.__version__.split('.')) + if version[0] == 1 and version[1] == 0 and version[2] < 7: + # Exit rather than throwing to avoid a confusing backtrace + print "This Sphinx is too old - upgrade to at least 1.0.7" + import sys + sys.exit(1) + +check_sphinx_version() + +# Add any Sphinx extension module names here, as strings. They can be extensions +# coming with Sphinx (named 'sphinx.ext.*') or your custom ones. +extensions = [] + +# Add any paths that contain templates here, relative to this directory. +templates_path = ['_templates'] + +# The suffix of source filenames. +source_suffix = '.txt' + +# The encoding of source files. +#source_encoding = 'utf-8-sig' + +# The master toctree document. +master_doc = 'contents' + +# General information about the project. +project = u'botan' +copyright = u'2000-2011, Jack Lloyd' + +# The version info for the project you're documenting, acts as replacement for +# |version| and |release|, also used in various other places throughout the +# built documents. +# +# The short X.Y version. +version = '%d.%d' % (botan_version.release_major, botan_version.release_minor) +# The full version, including alpha/beta/rc tags. +release = '%d.%d.%d' % (botan_version.release_major, + botan_version.release_minor, + botan_version.release_patch) + +# The language for content autogenerated by Sphinx. Refer to documentation +# for a list of supported languages. +#language = None + +# There are two options for replacing |today|: either, you set today to some +# non-false value, then it is used: +#today = '' +# Else, today_fmt is used as the format for a strftime call. +today_fmt = '%Y-%m-%d' + +# List of patterns, relative to source directory, that match files and +# directories to ignore when looking for source files. +exclude_patterns = [] + +# The reST default role (used for this markup: `text`) to use for all documents. +#default_role = None + +# If true, '()' will be appended to :func: etc. cross-reference text. +add_function_parentheses = False + +# If true, the current module name will be prepended to all description +# unit titles (such as .. function::). +#add_module_names = True + +# If true, sectionauthor and moduleauthor directives will be shown in the +# output. They are ignored by default. +#show_authors = False + +highlight_language = 'cpp' + +# The name of the Pygments (syntax highlighting) style to use. +pygments_style = 'sphinx' + +# A list of ignored prefixes for module index sorting. +#modindex_common_prefix = [] + + +# -- Options for HTML output --------------------------------------------------- + +# The theme to use for HTML and HTML Help pages. See the documentation for +# a list of builtin themes. +html_theme = 'agogo' + +# Theme options are theme-specific and customize the look and feel of a theme +# further. For a list of options available for each theme, see the +# documentation. +html_theme_options = { + 'linkcolor': 'blue', + 'headerlinkcolor': 'blue', + 'headercolor1': 'darkblue', + 'headercolor2': 'darkblue', + 'textalign': 'left' + } + +# Add any paths that contain custom themes here, relative to this directory. +#html_theme_path = [] + +# The name for this set of Sphinx documents. If None, it defaults to +# "<project> v<release> documentation". +html_title = 'Botan' + +# A shorter title for the navigation bar. Default is the same as html_title. +#html_short_title = None + +# The name of an image file (relative to this directory) to place at the top +# of the sidebar. +#html_logo = None + +# The name of an image file (within the static path) to use as favicon of the +# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32 +# pixels large. +#html_favicon = None + +# Add any paths that contain custom static files (such as style sheets) here, +# relative to this directory. They are copied after the builtin static files, +# so a file named "default.css" will overwrite the builtin "default.css". +html_static_path = [] + +# If not '', a 'Last updated on:' timestamp is inserted at every page bottom, +# using the given strftime format. +#html_last_updated_fmt = '%b %d, %Y' + +# If true, SmartyPants will be used to convert quotes and dashes to +# typographically correct entities. +#html_use_smartypants = True + +# Custom sidebar templates, maps document names to template names. +#html_sidebars = {} + +# Additional templates that should be rendered to pages, maps page names to +# template names. +#html_additional_pages = {} + +# If false, no module index is generated. +#html_domain_indices = True + +# If false, no index is generated. +#html_use_index = True + +# If true, the index is split into individual pages for each letter. +#html_split_index = False + +# If true, links to the reST sources are added to the pages. +#html_show_sourcelink = True + +# If true, "Created using Sphinx" is shown in the HTML footer. Default is True. +#html_show_sphinx = True + +# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True. +#html_show_copyright = True + +# If true, an OpenSearch description file will be output, and all pages will +# contain a <link> tag referring to it. The value of this option must be the +# base URL from which the finished HTML is served. +#html_use_opensearch = '' + +# This is the file name suffix for HTML files (e.g. ".xhtml"). +#html_file_suffix = None + +# Output file base name for HTML help builder. +htmlhelp_basename = 'botandoc' + + +# -- Options for LaTeX output -------------------------------------------------- + +# The paper size ('letter' or 'a4'). +#latex_paper_size = 'letter' + +# The font size ('10pt', '11pt' or '12pt'). +#latex_font_size = '10pt' + +# Grouping the document tree into LaTeX files. List of tuples +# (source start file, target name, title, author, documentclass [howto/manual]). +latex_documents = [ + ('contents', 'botan.tex', u'botan Reference Manual', + u'Jack Lloyd', 'manual'), +] + +# The name of an image file (relative to this directory) to place at the top of +# the title page. +#latex_logo = None + +# For "manual" documents, if this is true, then toplevel headings are parts, +# not chapters. +#latex_use_parts = False + +# If true, show page references after internal links. +latex_show_pagerefs = False + +# If true, show URL addresses after external links. +latex_show_urls = False + +# Additional stuff for the LaTeX preamble. +#latex_preamble = '' + +# Documents to append as an appendix to all manuals. +#latex_appendices = [] + +# If false, no module index is generated. +#latex_domain_indices = True + diff --git a/doc/contents.txt b/doc/contents.txt new file mode 100644 index 000000000..633625e14 --- /dev/null +++ b/doc/contents.txt @@ -0,0 +1,42 @@ + +Contents +================================= + +.. toctree:: + :maxdepth: 2 + + index + building + firststep + filters + pubkey + x509 + ssl + bigint + lowlevel + secmem + kdf + pbkdf + passhash + rng + fpe + +.. toctree:: + :hidden: + + license + credits + faq + users + support + download + pgpkey + algos + log + build_log + +Indices and tables +================== + +* :ref:`genindex` +* :ref:`search` diff --git a/doc/credits.txt b/doc/credits.txt index fde877e7b..076498756 100644 --- a/doc/credits.txt +++ b/doc/credits.txt @@ -1,78 +1,80 @@ -This is at least a partial credits-file of people that have -contributed to the Botan project. It is sorted by name and formatted -to allow easy grepping and beautification by scripts. The fields are: -name (N), email (E), web-address (W), PGP key ID and fingerprint (P), -description (D), and snail-mail address (S). - -Thanks, - Jack Lloyd ----------- - -N: Charles Brockman -W: http://www.securitygenetics.com/ -D: documentation editing -S: Oregon, USA - -N: Martin Doering -D: GF(p) arithmetic - -N: Olivier de Gaalon -D: SQLite encryption codec (src/wrap/sqlite) - -N: Matthew Gregan -D: Binary file I/O support, allocator fixes - -N: Hany Greiss -D: Windows porting - -N: Manuel Hartl -W: http://www.flexsecure.de/ -D: ECDSA, ECDH - -N: Yves Jerschow -D: Optimizations for memory load/store and HMAC -D: Support for IPv4 addresses in X.509 alternative names -S: Germany - -N: Matt Johnston -D: Allocator fixes and optimizations, decompressor fixes - -N: Peter J. Jones -D: Bzip2 compression module -S: Colorado, USA - -N: Justin Karneges -D: Qt support modules (mutexes and types), X.509 API design - -N: Jack Lloyd -W: http://www.randombit.net/ -P: 3F69 2E64 6D92 3BBE E7AE 9258 5C0F 96E8 4EC1 6D6B -D: Original designer/author, maintainer 2001-current -S: Vermont, USA - -N: Joel Low -D: DLL symbol visibility - -N: Christoph Ludwig -D: GP(p) arithmetic - -N: Vaclav Ovsik -D: Perl XS module (src/wrap/perl-xs) - -N: Luca Piccarreta -D: x86/amd64 assembler, BigInt optimizations, Win32 mutex module -S: Italy - -N: Falko Strenzke -W: http://www.flexsecure.de/ -D: GF(p) arithmetic, CVC, Shanks-Tonelli algorithm -S: Darmstadt, Germany + +Credits +======================================== + +This is at least a partial credits-file of people that have contributed +to botan. It is sorted by name and formatted to allow easy grepping +and beautification by scripts. The fields are name (N), email (E), +web-address (W), PGP key ID and fingerprint (P), description (D), and +snail-mail address (S). + +:: + + N: Charles Brockman + W: http://www.securitygenetics.com/ + D: documentation editing + S: Oregon, USA + + N: Martin Doering + E: [email protected] + D: GF(p) arithmetic + + N: Olivier de Gaalon + D: SQLite encryption codec (src/wrap/sqlite) + + N: Matthew Gregan + D: Binary file I/O support, allocator fixes + + N: Hany Greiss + D: Windows porting + + N: Manuel Hartl + E: [email protected] + W: http://www.flexsecure.de/ + D: ECDSA, ECDH + + N: Yves Jerschow + E: [email protected] + D: Optimizations for memory load/store and HMAC + D: Support for IPv4 addresses in X.509 alternative names + S: Germany + + N: Matt Johnston + D: Allocator fixes and optimizations, decompressor fixes + + N: Peter J. Jones + E: [email protected] + D: Bzip2 compression module + S: Colorado, USA + + N: Justin Karneges + D: Qt support modules (mutexes and types), X.509 API design + + N: Jack Lloyd + E: [email protected] + W: http://www.randombit.net/ + P: 3F69 2E64 6D92 3BBE E7AE 9258 5C0F 96E8 4EC1 6D6B + D: Original designer/author, maintainer 2001-current + S: Vermont, USA + + N: Joel Low + D: DLL symbol visibility and Windows DLL support in general + + N: Christoph Ludwig + E: [email protected] + D: GP(p) arithmetic + + N: Vaclav Ovsik + E: [email protected] + D: Perl XS module (src/wrap/perl-xs) + + N: Luca Piccarreta + E: [email protected] + D: x86/amd64 assembler, BigInt optimizations, Win32 mutex module + S: Italy + + N: Falko Strenzke + E: [email protected] + W: http://www.flexsecure.de/ + D: GF(p) arithmetic, CVC, Shanks-Tonelli algorithm + S: Darmstadt, Germany diff --git a/doc/download.txt b/doc/download.txt new file mode 100644 index 000000000..7d189d10a --- /dev/null +++ b/doc/download.txt @@ -0,0 +1,100 @@ + +Getting The Latest Sources +======================================== + +All releases are signed with a :doc:`PGP key <pgpkey>`. + +Unsure which release you want? Check the :ref:`FAQ <devel_vs_stable>`. + +.. only:: not website + + .. note:: + + If you are viewing this documentation offline, a more recent + release `may be available <http://botan.randombit.net/download.html>`_ + +Current Stable Release (1.10) +---------------------------------------- + +The current stable release is `1.10.0 +<http://botan.randombit.net/news/releases/1_10_0.html>`_ which was +released on ?. + +Sources: + +`1.10.0 tar/gz <http://botan.randombit.net/files/Botan-1.10.0.tgz>`_ +(`1.10.0 tar/gz sig <http://botan.randombit.net/files/Botan-1.10.0.tgz.asc>`_), + +`1.10.0 tar/bzip <http://botan.randombit.net/files/Botan-1.10.0.tbz>`_ +(`1.10.0 tar/bzip sig <http://botan.randombit.net/files/Botan-1.10.0.tbz.asc>`_) + +Windows binary installer for use with Visual C++ 2010: + +`1.10.0 x86-32 installer +<http://botan.randombit.net/files/win32/botan-1.10.0_win32.exe>`_ + +`1.10.0 x86-64 installer +<http://botan.randombit.net/files/win32/botan-1.10.0_win64.exe>`_ + +Previous Stable Release (1.8) +---------------------------------------- + +The previous stable release is `1.8.11 +<http://botan.randombit.net/news/releases/1_8_11.html>`_ which was +released on 2010-11-02. + +Sources: + +`1.8.11 tar/gz <http://botan.randombit.net/files/Botan-1.8.11.tgz>`_ +(`1.8.11 tar/gz sig <http://botan.randombit.net/files/Botan-1.8.11.tgz.asc>`_), + +`1.8.11 tar/bzip <http://botan.randombit.net/files/Botan-1.8.11.tbz>`_ +(`1.8.11 tar/bzip sig <http://botan.randombit.net/files/Botan-1.8.11.tbz.asc>`_) + +Windows binary installer for use with Visual C++ 2008: + +`1.8.11 x86-32 installer +<http://botan.randombit.net/files/win32/botan-1.8.11_win32.exe>`_ + +`1.8.11 x86-64 installer +<http://botan.randombit.net/files/win32/botan-1.8.11_win64.exe>`_ + +Accessing Version Control +---------------------------------------- + +Botan's development occurs using a distributed version control system +called `Monotone <http://www.monotone.ca>`_. + +The main branch of development occurs on the branch named +``net.randombit.botan``; this is probably the branch you want. To +download that branch and set up a new workspace, run:: + + $ mtn db init --db=botan.mtn + $ mtn pull --db=botan.mtn randombit.net 'net.randombit.botan' + [...] + $ mtn checkout --db=botan.mtn --branch=net.randombit.botan + [...] + +By default the ``checkout`` command will place the workspace in a directory +with the same name as the branch you are checking out. If you want a +different directory name, just include it after the ``--branch`` option (you +can also rename this directory at any time). + +If this is the first time you've connected to the server, Monotone +will print:: + + mtn: first time connecting to server randombit.net + mtn: I'll assume it's really them, but you might want to double-check + mtn: their key's fingerprint: 8c0b868f2247215c63c96983b1c8ca0f0f0cfd9a + +The fingerprint shown above was the correct one as of September 21, 2010. + +To pull further changes, from anywhere in the workspace run these commands:: + + $ mtn pull + [...] + $ mtn update + [summary of changes] + +The ``mtn update`` command will give you a summary of which files changed; +to view the full changelog, run ``mtn log``. diff --git a/doc/examples/GNUmakefile b/doc/examples/GNUmakefile index a96e8d65d..6238512dc 100644 --- a/doc/examples/GNUmakefile +++ b/doc/examples/GNUmakefile @@ -3,7 +3,7 @@ BOTAN_CONFIG = botan-config CXX = g++-4.5-20091112 CFLAGS = -O2 -ansi -std=c++0x -W -Wall -I../../build/include -LIBS = -L../.. -lbotan +LIBS = -L../.. -lbotan-1.10 SRCS=$(wildcard *.cpp) diff --git a/doc/examples/asn1.cpp b/doc/examples/asn1.cpp index 11e283a64..866e57d75 100644 --- a/doc/examples/asn1.cpp +++ b/doc/examples/asn1.cpp @@ -1,37 +1,3 @@ -/* -* (C) 2009 Jack Lloyd -* -* Distributed under the terms of the Botan license -*/ - -/* - A simple ASN.1 parser, similiar to 'dumpasn1' or 'openssl asn1parse', though - without some of the bells and whistles of those. Primarily used for testing - the BER decoder. The output format is modeled loosely on 'asn1parse -i' - - The output is actually less precise than the other decoders named, because - the underlying BER_Decoder hides quite a bit from userspace, such as the use - of indefinite length encodings (and the EOC markers). At some point it will - also hide the constructed string types from the user, but right now you'll - seem them as-is. - - Written by Jack Lloyd, November 9-10, 2003 - - Nov 22: Updated to new BER_Object format (tag -> class_tag/type_tag) - - Nov 25: Much improved BIT STRING output - Can deal with non-constructed taggings - Can produce UTF-8 output -*/ - -// Set this if your terminal understands UTF-8; otherwise output is in Latin-1 -#define UTF8_TERMINAL 1 - -/* - What level the outermost layer of stuff is at. Probably 0 or 1; asn1parse - uses 0 as the outermost, while 1 makes more sense to me. 2+ doesn't make - much sense at all. -*/ -#define INITIAL_LEVEL 0 - #include <botan/botan.h> #include <botan/bigint.h> #include <botan/der_enc.h> @@ -45,8 +11,18 @@ using namespace Botan; #include <stdio.h> #include <ctype.h> -void decode(BER_Decoder&, u32bit); -void emit(const std::string&, u32bit, u32bit, const std::string& = ""); +// Set this if your terminal understands UTF-8; otherwise output is in Latin-1 +#define UTF8_TERMINAL 1 + +/* + What level the outermost layer of stuff is at. Probably 0 or 1; asn1parse + uses 0 as the outermost, while 1 makes more sense to me. 2+ doesn't make + much sense at all. +*/ +#define INITIAL_LEVEL 0 + +void decode(BER_Decoder&, size_t); +void emit(const std::string&, size_t, size_t, const std::string& = ""); std::string type_name(ASN1_Tag); int main(int argc, char* argv[]) @@ -57,7 +33,7 @@ int main(int argc, char* argv[]) return 1; } - Botan::LibraryInitializer init; + LibraryInitializer init; try { DataSource_Stream in(argv[1]); @@ -83,7 +59,7 @@ int main(int argc, char* argv[]) return 0; } -void decode(BER_Decoder& decoder, u32bit level) +void decode(BER_Decoder& decoder, size_t level) { BER_Object obj = decoder.get_next_object(); @@ -91,7 +67,7 @@ void decode(BER_Decoder& decoder, u32bit level) { const ASN1_Tag type_tag = obj.type_tag; const ASN1_Tag class_tag = obj.class_tag; - const u32bit length = obj.value.size(); + const size_t length = obj.value.size(); /* hack to insert the tag+length back in front of the stuff now that we've gotten the type info */ @@ -142,8 +118,8 @@ void decode(BER_Decoder& decoder, u32bit level) { bool not_text = false; - for(u32bit j = 0; j != bits.size(); j++) - if(!isgraph(bits[j]) && !isspace(bits[j])) + for(size_t i = 0; i != bits.size(); ++i) + if(!isgraph(bits[i]) && !isspace(bits[i])) not_text = true; Pipe pipe(((not_text) ? new Hex_Encoder : 0)); @@ -176,8 +152,8 @@ void decode(BER_Decoder& decoder, u32bit level) rep = BigInt::encode(number, BigInt::Hexadecimal); std::string str; - for(u32bit j = 0; j != rep.size(); j++) - str += (char)rep[j]; + for(size_t i = 0; i != rep.size(); ++i) + str += (char)rep[i]; emit(type_name(type_tag), level, length, str); } @@ -198,8 +174,8 @@ void decode(BER_Decoder& decoder, u32bit level) data.decode(bits, type_tag); bool not_text = false; - for(u32bit j = 0; j != bits.size(); j++) - if(!isgraph(bits[j]) && !isspace(bits[j])) + for(size_t i = 0; i != bits.size(); ++i) + if(!isgraph(bits[i]) && !isspace(bits[i])) not_text = true; Pipe pipe(((not_text) ? new Hex_Encoder : 0)); @@ -213,14 +189,14 @@ void decode(BER_Decoder& decoder, u32bit level) std::vector<bool> bit_set; - for(u32bit j = 0; j != bits.size(); j++) - for(u32bit k = 0; k != 8; k++) - bit_set.push_back((bool)((bits[bits.size()-j-1] >> (7-k)) & 1)); + for(size_t i = 0; i != bits.size(); ++i) + for(size_t j = 0; j != 8; ++j) + bit_set.push_back((bool)((bits[bits.size()-i-1] >> (7-j)) & 1)); std::string bit_str; - for(u32bit j = 0; j != bit_set.size(); j++) + for(size_t i = 0; i != bit_set.size(); ++i) { - bool the_bit = bit_set[bit_set.size()-j-1]; + bool the_bit = bit_set[bit_set.size()-i-1]; if(!the_bit && bit_str.size() == 0) continue; @@ -260,15 +236,15 @@ void decode(BER_Decoder& decoder, u32bit level) } } -void emit(const std::string& type, u32bit level, u32bit length, +void emit(const std::string& type, size_t level, size_t length, const std::string& value) { - const u32bit LIMIT = 128; - const u32bit BIN_LIMIT = 64; + const size_t LIMIT = 128; + const size_t BIN_LIMIT = 64; int written = 0; - written += printf(" d=%2d, l=%4d: ", level, length); - for(u32bit j = INITIAL_LEVEL; j != level; j++) + written += printf(" d=%2d, l=%4d: ", (int)level, (int)length); + for(size_t i = INITIAL_LEVEL; i != level; ++i) written += printf(" "); written += printf("%s ", type.c_str()); diff --git a/doc/examples/bcrypt.cpp b/doc/examples/bcrypt.cpp index 27a98cf33..4154b26ad 100644 --- a/doc/examples/bcrypt.cpp +++ b/doc/examples/bcrypt.cpp @@ -1,10 +1,3 @@ -/* -* Bcrypt example -* (C) 2011 Jack Lloyd -* -* Distributed under the terms of the Botan license -*/ - #include <botan/botan.h> #include <botan/bcrypt.h> #include <iostream> diff --git a/doc/examples/ca.cpp b/doc/examples/ca.cpp index 25a3b5a03..6fd2eb15b 100644 --- a/doc/examples/ca.cpp +++ b/doc/examples/ca.cpp @@ -1,20 +1,3 @@ -/* -* (C) 2009 Jack Lloyd -* -* Distributed under the terms of the Botan license -*/ - -/* - Implement the functionality of a simple CA: read in a CA certificate, - the associated private key, and a PKCS #10 certificate request. Sign the - request and print out the new certificate. - - File names are hardcoded for simplicity. - cacert.pem: The CA's certificate (perhaps created by self_sig) - caprivate.pem: The CA's private key - req.pem: The user's PKCS #10 certificate request -*/ - #include <botan/botan.h> #include <botan/x509_ca.h> using namespace Botan; diff --git a/doc/examples/dh.cpp b/doc/examples/dh.cpp index 652c7b136..8d163303a 100644 --- a/doc/examples/dh.cpp +++ b/doc/examples/dh.cpp @@ -1,9 +1,3 @@ -/* -* (C) 2009-2010 Jack Lloyd -* -* Distributed under the terms of the Botan license -*/ - #include <botan/botan.h> #include <botan/dh.h> #include <botan/pubkey.h> @@ -14,41 +8,36 @@ using namespace Botan; int main() { - Botan::LibraryInitializer init; - try { + LibraryInitializer init; + AutoSeeded_RNG rng; // Alice and Bob agree on a DH domain to use - DL_Group shared_domain("modp/ietf/1024"); + DL_Group shared_domain("modp/ietf/2048"); - // Alice creates a DH key and sends (the public part) to Bob + // Alice creates a DH key DH_PrivateKey private_a(rng, shared_domain); - // Alice sends to Bob her public key: - MemoryVector<byte> public_a = private_a.public_value(); - // Bob creates a key with a matching group DH_PrivateKey private_b(rng, shared_domain); + // Alice sends to Bob her public key and a session parameter + MemoryVector<byte> public_a = private_a.public_value(); + const std::string session_param = + "Alice and Bob's shared session parameter"; + // Bob sends his public key to Alice MemoryVector<byte> public_b = private_b.public_value(); - PK_Key_Agreement ka1(private_a, "KDF2(SHA-1)"); - PK_Key_Agreement ka2(private_b, "KDF2(SHA-1)"); - - /* - * Preferably, include some salt or parameter that binds this key - * generation to the current session (for instance a session - * identifier, if guaranteed unique, would be a good choice). Or - * anything else that both sides can agree on that will never - * repeat. - */ - const std::string ka_salt = "alice and bob agree on a key"; + // Now Alice performs the key agreement operation + PK_Key_Agreement ka_alice(private_a, "KDF2(SHA-256)"); + SymmetricKey alice_key = ka_alice.derive_key(32, public_b, session_param); - SymmetricKey alice_key = ka1.derive_key(32, public_b, ka_salt); - SymmetricKey bob_key = ka2.derive_key(32, public_a, ka_salt); + // Bob does the same: + PK_Key_Agreement ka_bob(private_b, "KDF2(SHA-256)"); + SymmetricKey bob_key = ka_bob.derive_key(32, public_a, session_param); if(alice_key == bob_key) { diff --git a/doc/examples/dsa_kgen.cpp b/doc/examples/dsa_kgen.cpp index fe3157370..fc5b7b501 100644 --- a/doc/examples/dsa_kgen.cpp +++ b/doc/examples/dsa_kgen.cpp @@ -1,13 +1,3 @@ -/* -* (C) 2009 Jack Lloyd -* -* Distributed under the terms of the Botan license -* -* Generate a 1024 bit DSA key and put it into a file. The public key -* format is that specified by X.509, while the private key format is -* PKCS #8. -*/ - #include <iostream> #include <fstream> #include <string> @@ -20,24 +10,24 @@ using namespace Botan; int main(int argc, char* argv[]) { - if(argc != 1 && argc != 2) - { - std::cout << "Usage: " << argv[0] << " [passphrase]" << std::endl; - return 1; - } - - Botan::LibraryInitializer init; - - std::ofstream priv("dsapriv.pem"); - std::ofstream pub("dsapub.pem"); - if(!priv || !pub) - { - std::cout << "Couldn't write output files" << std::endl; - return 1; - } - try { + if(argc != 1 && argc != 2) + { + std::cout << "Usage: " << argv[0] << " [passphrase]" << std::endl; + return 1; + } + + std::ofstream priv("dsapriv.pem"); + std::ofstream pub("dsapub.pem"); + if(!priv || !pub) + { + std::cout << "Couldn't write output files" << std::endl; + return 1; + } + + Botan::LibraryInitializer init; + AutoSeeded_RNG rng; DL_Group group(rng, DL_Group::DSA_Kosherizer, 2048, 256); diff --git a/doc/examples/dsa_sign.cpp b/doc/examples/dsa_sign.cpp index 5f02c0dc1..3511eacfa 100644 --- a/doc/examples/dsa_sign.cpp +++ b/doc/examples/dsa_sign.cpp @@ -1,10 +1,3 @@ -/* -* DSA signature generation example -* (C) 2009 Jack Lloyd -* -* Distributed under the terms of the Botan license -*/ - #include <iostream> #include <iomanip> #include <fstream> @@ -14,6 +7,7 @@ #include <botan/botan.h> #include <botan/pubkey.h> #include <botan/dsa.h> +#include <botan/base64.h> using namespace Botan; const std::string SUFFIX = ".sig"; @@ -66,12 +60,10 @@ int main(int argc, char* argv[]) DataSource_Stream in(message); byte buf[4096] = { 0 }; - while(u32bit got = in.read(buf, sizeof(buf))) + while(size_t got = in.read(buf, sizeof(buf))) signer.update(buf, got); - Pipe pipe(new Base64_Encoder); - pipe.process_msg(signer.signature(rng)); - sigfile << pipe.read_all_as_string() << std::endl; + sigfile << base64_encode(signer.signature(rng)) << "\n"; } catch(std::exception& e) { diff --git a/doc/examples/dsa_ver.cpp b/doc/examples/dsa_ver.cpp index a666259c1..9cb85740e 100644 --- a/doc/examples/dsa_ver.cpp +++ b/doc/examples/dsa_ver.cpp @@ -1,18 +1,3 @@ -/* -* (C) 2009 Jack Lloyd -* -* Distributed under the terms of the Botan license -*/ - -/* -Grab an DSA public key from the file given as an argument, grab a -signature from another file, and verify the message (which, suprise, -is also in a file). - -The signature format isn't particularly standard: take the IEEE 1363 -signature format, encoded into base64 with a trailing newline. -*/ - #include <iostream> #include <iomanip> #include <fstream> @@ -45,28 +30,30 @@ int main(int argc, char* argv[]) return 1; } - Botan::LibraryInitializer init; - std::ifstream message(argv[2], std::ios::binary); - if(!message) - { - std::cout << "Couldn't read the message file." << std::endl; - return 1; - } + try { + Botan::LibraryInitializer init; - std::ifstream sigfile(argv[3]); - if(!sigfile) - { - std::cout << "Couldn't read the signature file." << std::endl; - return 1; - } + std::ifstream message(argv[2], std::ios::binary); + if(!message) + { + std::cout << "Couldn't read the message file." << std::endl; + return 1; + } + + std::ifstream sigfile(argv[3]); + if(!sigfile) + { + std::cout << "Couldn't read the signature file." << std::endl; + return 1; + } - try { std::string sigstr; getline(sigfile, sigstr); std::auto_ptr<X509_PublicKey> key(X509::load_key(argv[1])); DSA_PublicKey* dsakey = dynamic_cast<DSA_PublicKey*>(key.get()); + if(!dsakey) { std::cout << "The loaded key is not a DSA key!\n"; @@ -79,10 +66,10 @@ int main(int argc, char* argv[]) DataSource_Stream in(message); byte buf[4096] = { 0 }; - while(u32bit got = in.read(buf, sizeof(buf))) + while(size_t got = in.read(buf, sizeof(buf))) ver.update(buf, got); - bool ok = ver.check_signature(sig); + const bool ok = ver.check_signature(sig); if(ok) std::cout << "Signature verified\n"; diff --git a/doc/examples/eax_tv.txt b/doc/examples/eax.vec index 95cd7c1ab..95cd7c1ab 100644 --- a/doc/examples/eax_tv.txt +++ b/doc/examples/eax.vec diff --git a/doc/examples/eax_test.cpp b/doc/examples/eax_test.cpp index 32311800d..b43861132 100644 --- a/doc/examples/eax_test.cpp +++ b/doc/examples/eax_test.cpp @@ -236,7 +236,7 @@ void run_tests(std::istream& in) int main() { - std::ifstream in("eax_tv.txt"); + std::ifstream in("eax.vec"); Botan::LibraryInitializer init; diff --git a/doc/examples/ecdsa.cpp b/doc/examples/ecdsa.cpp index df1e1b93a..1607107eb 100644 --- a/doc/examples/ecdsa.cpp +++ b/doc/examples/ecdsa.cpp @@ -21,7 +21,7 @@ int main() { AutoSeeded_RNG rng; - EC_Domain_Params params("1.3.132.0.8"); + EC_Domain_Params params("secp160r1"); ECDSA_PrivateKey ecdsa(rng, params); diff --git a/doc/examples/fpe.cpp b/doc/examples/fpe.cpp index 9b18d4879..029a761e7 100644 --- a/doc/examples/fpe.cpp +++ b/doc/examples/fpe.cpp @@ -1,17 +1,6 @@ -/* -* (C) 2009 Jack Lloyd -* -* Distributed under the terms of the Botan license -*/ - -/* -* Encrypt credit cards numbers with valid checksums into other credit -* card numbers with valid checksums using format preserving encryption. -*/ - -#include <botan/fpe.h> +#include <botan/botan.h> +#include <botan/fpe_fe1.h> #include <botan/sha160.h> -#include <botan/init.h> using namespace Botan; @@ -81,7 +70,7 @@ u64bit encrypt_cc_number(u64bit cc_number, u64bit cc_ranked = cc_rank(cc_number); - BigInt c = fpe_encrypt(n, cc_ranked, key, sha1(acct_name)); + BigInt c = FPE::fe1_encrypt(n, cc_ranked, key, sha1(acct_name)); if(c.bits() > 50) throw std::runtime_error("FPE produced a number too large"); @@ -100,7 +89,7 @@ u64bit decrypt_cc_number(u64bit enc_cc, u64bit cc_ranked = cc_rank(enc_cc); - BigInt c = fpe_decrypt(n, cc_ranked, key, sha1(acct_name)); + BigInt c = FPE::fe1_decrypt(n, cc_ranked, key, sha1(acct_name)); if(c.bits() > 50) throw std::runtime_error("FPE produced a number too large"); @@ -130,7 +119,7 @@ int main(int argc, char* argv[]) std::cout << "Input was: " << cc_number << ' ' << luhn_check(cc_number) << '\n'; - /** + /* * In practice something like PBKDF2 with a salt and high iteration * count would be a good idea. */ diff --git a/doc/examples/pkcs10.cpp b/doc/examples/pkcs10.cpp index 3f5ec8e05..b5ad1d1dd 100644 --- a/doc/examples/pkcs10.cpp +++ b/doc/examples/pkcs10.cpp @@ -1,9 +1,3 @@ -/* -* (C) 2003 Jack Lloyd -* -* Distributed under the terms of the Botan license -*/ - #include <botan/init.h> #include <botan/auto_rng.h> #include <botan/x509self.h> @@ -31,9 +25,6 @@ int main(int argc, char* argv[]) AutoSeeded_RNG rng; RSA_PrivateKey priv_key(rng, 1024); - // If you want a DSA key instead of RSA, comment out the above line and - // uncomment this one: - //DSA_PrivateKey priv_key(DL_Group("dsa/jce/1024")); std::ofstream key_file("private.pem"); key_file << PKCS8::PEM_encode(priv_key, rng, argv[1]); @@ -45,18 +36,8 @@ int main(int argc, char* argv[]) opts.organization = argv[4]; opts.email = argv[5]; - /* Some hard-coded options, just to give you an idea of what's there */ - opts.challenge = "a fixed challenge passphrase"; - opts.locality = "Baltimore"; - opts.state = "MD"; - opts.org_unit = "Testing"; - opts.add_ex_constraint("PKIX.ClientAuth"); - opts.add_ex_constraint("PKIX.IPsecUser"); - opts.add_ex_constraint("PKIX.EmailProtection"); - - opts.xmpp = "[email protected]"; - - PKCS10_Request req = X509::create_cert_req(opts, priv_key, "SHA-1", rng); + PKCS10_Request req = X509::create_cert_req(opts, priv_key, + "SHA-256", rng); std::ofstream req_file("req.pem"); req_file << req.PEM_encode(); diff --git a/doc/python/cipher.py b/doc/examples/python/cipher.py index 1be2759ae..1be2759ae 100755 --- a/doc/python/cipher.py +++ b/doc/examples/python/cipher.py diff --git a/doc/python/cryptobox.py b/doc/examples/python/cryptobox.py index f76ed6bc3..f76ed6bc3 100755 --- a/doc/python/cryptobox.py +++ b/doc/examples/python/cryptobox.py diff --git a/doc/python/nisttest.py b/doc/examples/python/nisttest.py index 3ea8fda0f..1260b1226 100755 --- a/doc/python/nisttest.py +++ b/doc/examples/python/nisttest.py @@ -47,7 +47,7 @@ def main(): results[test] = result return results - results = load_results('results.txt') + results = load_results('results.vec') for root, dirs, files in os.walk('../../checks/nist_tests/tests'): if files: diff --git a/doc/python/results.txt b/doc/examples/python/results.vec index 7a3824001..7a3824001 100644 --- a/doc/python/results.txt +++ b/doc/examples/python/results.vec diff --git a/doc/python/rng_test.py b/doc/examples/python/rng_test.py index 06c79b84e..06c79b84e 100755 --- a/doc/python/rng_test.py +++ b/doc/examples/python/rng_test.py diff --git a/doc/python/rsa.py b/doc/examples/python/rsa.py index 8ca95ff8b..8ca95ff8b 100755 --- a/doc/python/rsa.py +++ b/doc/examples/python/rsa.py diff --git a/doc/examples/readme.txt b/doc/examples/readme.txt deleted file mode 100644 index fb6a03ddf..000000000 --- a/doc/examples/readme.txt +++ /dev/null @@ -1,77 +0,0 @@ -This directory contains some simple example applications for the Botan crypto -library. If you want to see something a bit more complicated, check out the -stuff in the checks/ directory. Both it and the files in this directory are in -the public domain, and you may do with them however you please. - -The makefile assumes that you built the library with g++; you'll have to change -it if this assumption proves incorrect. - -Some of these examples will not build on all configurations of the library, -particularly 'bzip', 'encrypt', 'decrypt', and 'hash_fd', as they require -various extensions. - -The examples are fairly small (50-150 lines). And that's with argument -processing, I/O, error checking, etc (which counts for 40% or more of most of -them). This is partially to make them easy to understand, and partially because -I'm lazy. For the most part, the examples cover the stuff a 'regular' -application might need. - -Feel free to contribute new examples. You too can gain fame and fortune by -writing example apps for obscure libraries! - -The examples are: - -* X.509 examples --------- -ca: A (very) simple CA application - -x509info: Prints some information about an X.509 certificate - -pkcs10: Generates a PKCS #10 certificate request for a 1024 bit RSA key - -self_sig: Generates a self-signed X.509v3 certificate with a 1024 bit RSA key --------- - -* RSA examples (also uses X.509, PKCS #8, block ciphers, MACs, PBKDF algorithms) --------- -rsa_kgen: Generate an RSA key, encrypt the private key with a passphrase, - output the keys to a pair of files -rsa_enc: Take a public key (generated by rsa_kgen) and encrypt a file - using CAST-128, MAC it with HMAC(SHA-1) -rsa_dec: Decrypt a file encrypted by rsa_enc - -* DSA examples (also uses X.509, PKCS #8) --------- -dsa_kgen: Generates a DSA key, encrypts the private key with a passphrase - and stores it in PKCS #8 format. -dsa_sign: Produce a DSA signature for a file. Uses SHA-1 -dsa_ver: Verify a message signed with dsa_sign - -* Encryption examples --------- -encrypt: Encrypt a file in CBC mode with a block cipher of your choice. Adds - a MAC for authentication, and compresses the plaintext with Zlib. - -decrypt: Decrypt the result of 'encrypt' - -xor_ciph: Shows how to add a new algorithm from application code - -* Hash function examples (also shows different methods of using Pipe) --------- -hash: Print digests of files, using any chosen hash function - -hash_fd: Same as hash, except that it uses Unix file I/O. Requires the - pipe_unixfd extension - -hasher: Print MD5, SHA-1, and RIPEMD-160 digests of files - -hasher2: Same as hasher, just shows an alternate method - -stack: A demonstration of some more advanced Pipe functionality. Prints - MD5 hashes - -* Misc examples --------- -base64: Simple base64 encoding/decoding tool - -bzip: Bzip2 compression/decompression. diff --git a/doc/examples/rsa_kgen.cpp b/doc/examples/rsa_kgen.cpp index f4566263b..a1f0fe71d 100644 --- a/doc/examples/rsa_kgen.cpp +++ b/doc/examples/rsa_kgen.cpp @@ -1,15 +1,3 @@ -/* -* (C) 2002 Jack Lloyd -* -* Distributed under the terms of the Botan license -*/ - -/* -Generate an RSA key of a specified bitlength, and put it into a pair of key -files. One is the public key in X.509 format (PEM encoded), the private key is -in PKCS #8 format (also PEM encoded). -*/ - #include <iostream> #include <fstream> #include <string> @@ -29,25 +17,25 @@ int main(int argc, char* argv[]) return 1; } - u32bit bits = std::atoi(argv[1]); + const size_t bits = std::atoi(argv[1]); if(bits < 1024 || bits > 16384) { std::cout << "Invalid argument for bitsize" << std::endl; return 1; } - Botan::LibraryInitializer init; - - std::ofstream pub("rsapub.pem"); - std::ofstream priv("rsapriv.pem"); - if(!priv || !pub) - { - std::cout << "Couldn't write output files" << std::endl; - return 1; - } - try { + Botan::LibraryInitializer init; + + std::ofstream pub("rsapub.pem"); + std::ofstream priv("rsapriv.pem"); + if(!priv || !pub) + { + std::cout << "Couldn't write output files" << std::endl; + return 1; + } + AutoSeeded_RNG rng; RSA_PrivateKey key(rng, bits); diff --git a/doc/examples/self_sig.cpp b/doc/examples/self_sig.cpp index 6710cfb51..64b778b71 100644 --- a/doc/examples/self_sig.cpp +++ b/doc/examples/self_sig.cpp @@ -1,17 +1,3 @@ -/* -* (C) 2003 Jack Lloyd -* -* Distributed under the terms of the Botan license -*/ - -/* -Generate a 1024 bit RSA key, and then create a self-signed X.509v3 -certificate with that key. If the do_CA variable is set to true, then -it will be marked for CA use, otherwise it will get extensions -appropriate for use with a client certificate. The private key is -stored as an encrypted PKCS #8 object in another file. -*/ - #include <botan/botan.h> #include <botan/x509self.h> #include <botan/rsa.h> @@ -49,7 +35,7 @@ int main(int argc, char* argv[]) { AutoSeeded_RNG rng; - RSA_PrivateKey key(rng, 1024); + RSA_PrivateKey key(rng, 2048); std::ofstream priv_key("private.pem"); priv_key << PKCS8::PEM_encode(key, rng, argv[1]); diff --git a/doc/examples/socket.h b/doc/examples/socket.h new file mode 100644 index 000000000..f7ce98fea --- /dev/null +++ b/doc/examples/socket.h @@ -0,0 +1,257 @@ +/* +* Unix Socket +* (C) 2004-2010 Jack Lloyd +* +* Released under the terms of the Botan license +*/ + +#ifndef SOCKET_WRAPPER_H__ +#define SOCKET_WRAPPER_H__ + +#include <stdexcept> + +#if defined(_MSC_VER) + #define SOCKET_IS_WINSOCK 1 +#endif + +#if !defined(SOCKET_IS_WINSOCK) + #define SOCKET_IS_WINSOCK 0 +#endif + +#if SOCKET_IS_WINSOCK + #include <winsock.h> + + typedef SOCKET socket_t; + const socket_t invalid_socket = INVALID_SOCKET; + #define socket_error_code WSAGetLastError() + typedef int ssize_t; + + class SocketInitializer + { + public: + SocketInitializer() + { + WSADATA wsadata; + WSAStartup(MAKEWORD(2, 2), &wsadata); + } + + ~SocketInitializer() + { + WSACleanup(); + } + }; +#else + #include <sys/types.h> + #include <sys/socket.h> + #include <sys/time.h> + #include <netinet/in.h> + #include <netdb.h> + #include <unistd.h> + #include <errno.h> + + typedef int socket_t; + const socket_t invalid_socket = -1; + #define socket_error_code errno + #define closesocket close + + class SocketInitializer {}; +#endif + +#if !defined(MSG_NOSIGNAL) + #define MSG_NOSIGNAL 0 +#endif + +#include <string.h> + +class Socket + { + public: + size_t read(unsigned char[], size_t); + void write(const unsigned char[], size_t); + + std::string peer_id() const { return peer; } + + void close() + { + if(sockfd != invalid_socket) + { + if(::closesocket(sockfd) != 0) + throw std::runtime_error("Socket::close failed"); + sockfd = invalid_socket; + } + } + + Socket(socket_t fd, const std::string& peer_id = "") : + peer(peer_id), sockfd(fd) + { + } + + Socket(const std::string&, unsigned short); + ~Socket() { close(); } + private: + std::string peer; + socket_t sockfd; + }; + +class Server_Socket + { + public: + /** + * Accept a new connection + */ + Socket* accept() + { + socket_t retval = ::accept(sockfd, 0, 0); + if(retval == invalid_socket) + throw std::runtime_error("Server_Socket: accept failed"); + return new Socket(retval); + } + + void close() + { + if(sockfd != invalid_socket) + { + if(::closesocket(sockfd) != 0) + throw std::runtime_error("Server_Socket::close failed"); + sockfd = invalid_socket; + } + } + + Server_Socket(unsigned short); + ~Server_Socket() { close(); } + private: + socket_t sockfd; + }; + +/** +* Unix Socket Constructor +*/ +Socket::Socket(const std::string& host, unsigned short port) : peer(host) + { + sockfd = invalid_socket; + + hostent* host_addr = ::gethostbyname(host.c_str()); + + if(host_addr == 0) + throw std::runtime_error("Socket: gethostbyname failed for " + host); + if(host_addr->h_addrtype != AF_INET) // FIXME + throw std::runtime_error("Socket: " + host + " has IPv6 address"); + + socket_t fd = ::socket(PF_INET, SOCK_STREAM, 0); + if(fd == invalid_socket) + throw std::runtime_error("Socket: Unable to acquire socket"); + + sockaddr_in socket_info; + ::memset(&socket_info, 0, sizeof(socket_info)); + socket_info.sin_family = AF_INET; + socket_info.sin_port = htons(port); + + ::memcpy(&socket_info.sin_addr, + host_addr->h_addr, + host_addr->h_length); + + socket_info.sin_addr = *(struct in_addr*)host_addr->h_addr; // FIXME + + if(::connect(fd, (sockaddr*)&socket_info, sizeof(struct sockaddr)) != 0) + { + ::closesocket(fd); + throw std::runtime_error("Socket: connect failed"); + } + + sockfd = fd; + } + +/** +* Read from a Unix socket +*/ +size_t Socket::read(unsigned char buf[], size_t length) + { + if(sockfd == invalid_socket) + throw std::runtime_error("Socket::read: Socket not connected"); + + size_t got = 0; + + while(length) + { + ssize_t this_time = ::recv(sockfd, (char*)buf + got, + length, MSG_NOSIGNAL); + + if(this_time == 0) + break; + + if(this_time == -1) + { + if(socket_error_code == EINTR) + this_time = 0; + else + throw std::runtime_error("Socket::read: Socket read failed"); + } + + got += this_time; + length -= this_time; + } + return got; + } + +/** +* Write to a Unix socket +*/ +void Socket::write(const unsigned char buf[], size_t length) + { + if(sockfd == invalid_socket) + throw std::runtime_error("Socket::write: Socket not connected"); + + size_t offset = 0; + while(length) + { + ssize_t sent = ::send(sockfd, (const char*)buf + offset, + length, MSG_NOSIGNAL); + + if(sent == -1) + { + if(socket_error_code == EINTR) + sent = 0; + else + throw std::runtime_error("Socket::write: Socket write failed"); + } + + offset += sent; + length -= sent; + } + } + +/** +* Unix Server Socket Constructor +*/ +Server_Socket::Server_Socket(unsigned short port) + { + sockfd = invalid_socket; + + socket_t fd = ::socket(PF_INET, SOCK_STREAM, 0); + if(fd == invalid_socket) + throw std::runtime_error("Server_Socket: Unable to acquire socket"); + + sockaddr_in socket_info; + ::memset(&socket_info, 0, sizeof(socket_info)); + socket_info.sin_family = AF_INET; + socket_info.sin_port = htons(port); + + // FIXME: support limiting listeners + socket_info.sin_addr.s_addr = INADDR_ANY; + + if(::bind(fd, (sockaddr*)&socket_info, sizeof(struct sockaddr)) != 0) + { + ::closesocket(fd); + throw std::runtime_error("Server_Socket: bind failed"); + } + + if(::listen(fd, 100) != 0) // FIXME: totally arbitrary + { + ::closesocket(fd); + throw std::runtime_error("Server_Socket: listen failed"); + } + + sockfd = fd; + } + +#endif diff --git a/doc/examples/tls_client.cpp b/doc/examples/tls_client.cpp index 10ead20cc..cedfe1ca8 100644 --- a/doc/examples/tls_client.cpp +++ b/doc/examples/tls_client.cpp @@ -1,12 +1,6 @@ -/* -* (C) 2008 Jack Lloyd -* -* Distributed under the terms of the Botan license -*/ - -#include <botan/init.h> +#include <botan/botan.h> #include <botan/tls_client.h> -#include <botan/unx_sock.h> +#include "socket.h" using namespace Botan; @@ -41,23 +35,24 @@ int main(int argc, char* argv[]) try { - LibraryInitializer init; + LibraryInitializer botan_init; std::string host = argv[1]; u32bit port = argc == 3 ? Botan::to_u32bit(argv[2]) : 443; printf("Connecting to %s:%d...\n", host.c_str(), port); - Unix_Socket sock(argv[1], port); + SocketInitializer socket_init; + + Socket sock(argv[1], port); - std::auto_ptr<Botan::RandomNumberGenerator> rng( - Botan::RandomNumberGenerator::make_rng()); + AutoSeeded_RNG rng; Client_TLS_Policy policy; TLS_Client tls(std::tr1::bind(&Socket::read, std::tr1::ref(sock), _1, _2), std::tr1::bind(&Socket::write, std::tr1::ref(sock), _1, _2), - policy, *rng); + policy, rng); printf("Handshake extablished...\n"); @@ -68,17 +63,18 @@ int main(int argc, char* argv[]) std::string http_command = "GET / HTTP/1.0\r\n\r\n"; #endif - tls.write((const byte*)http_command.c_str(), http_command.length()); + tls.write((const Botan::byte*)http_command.c_str(), + http_command.length()); - u32bit total_got = 0; + size_t total_got = 0; while(true) { if(tls.is_closed()) break; - byte buf[16+1] = { 0 }; - u32bit got = tls.read(buf, sizeof(buf)-1); + Botan::byte buf[128+1] = { 0 }; + size_t got = tls.read(buf, sizeof(buf)-1); printf("%s", buf); fflush(0); diff --git a/doc/examples/tls_server.cpp b/doc/examples/tls_server.cpp index da13953f8..153b26d04 100644 --- a/doc/examples/tls_server.cpp +++ b/doc/examples/tls_server.cpp @@ -1,17 +1,12 @@ -/* -* (C) 2008-2010 Jack Lloyd -* -* Distributed under the terms of the Botan license -*/ - #include <botan/botan.h> #include <botan/tls_server.h> -#include <botan/unx_sock.h> #include <botan/rsa.h> #include <botan/dsa.h> #include <botan/x509self.h> +#include "socket.h" + using namespace Botan; #include <stdio.h> @@ -34,9 +29,9 @@ class Server_TLS_Policy : public TLS_Policy return true; } }; + int main(int argc, char* argv[]) { - int port = 4433; if(argc == 2) @@ -44,7 +39,8 @@ int main(int argc, char* argv[]) try { - LibraryInitializer init; + LibraryInitializer botan_init; + SocketInitializer socket_init; AutoSeeded_RNG rng; @@ -57,7 +53,7 @@ int main(int argc, char* argv[]) X509_Certificate cert = X509::create_self_signed_cert(options, key, "SHA-1", rng); - Unix_Server_Socket listener(port); + Server_Socket listener(port); Server_TLS_Policy policy; @@ -86,12 +82,12 @@ int main(int argc, char* argv[]) printf("Writing some text\n"); char msg[] = "Foo\nBar\nBaz\nQuux\n"; - tls.write((const byte*)msg, strlen(msg)); + tls.write((const Botan::byte*)msg, strlen(msg)); printf("Now trying a read...\n"); char buf[1024] = { 0 }; - u32bit got = tls.read((byte*)buf, sizeof(buf)-1); + u32bit got = tls.read((Botan::byte*)buf, sizeof(buf)-1); printf("%d: '%s'\n", got, buf); tls.close(); diff --git a/doc/examples/x509info.cpp b/doc/examples/x509info.cpp deleted file mode 100644 index b22b4ebd8..000000000 --- a/doc/examples/x509info.cpp +++ /dev/null @@ -1,35 +0,0 @@ -/* -* Read an X.509 certificate, and print various things about it -* (C) 2003 Jack Lloyd -* -* Distributed under the terms of the Botan license -*/ - -#include <botan/botan.h> -#include <botan/x509cert.h> -using namespace Botan; - -#include <iostream> - -int main(int argc, char* argv[]) - { - if(argc != 2) - { - std::cout << "Usage: " << argv[0] << " <x509cert>\n"; - return 1; - } - - Botan::LibraryInitializer init; - - try { - X509_Certificate cert(argv[1]); - - std::cout << cert.to_string(); - } - catch(std::exception& e) - { - std::cout << e.what() << std::endl; - return 1; - } - return 0; - } diff --git a/doc/faq.txt b/doc/faq.txt new file mode 100644 index 000000000..4ff5457bb --- /dev/null +++ b/doc/faq.txt @@ -0,0 +1,209 @@ + +Frequently Asked Questions +======================================== + +What is this thing? +---------------------------------------- + +Botan is a library written in C++ which provides a fairly high level +and C++-ish interface to a number of different crypto algorithms. In +addition to the bare algorithms there is also support for number of +standards and de-facto standards like X.509v3 certificates, and +various useful constructs like format-preserving encryption, all or +nothing transforms, and secret splitting. + +.. _devel_vs_stable: + +Which release should I use? +---------------------------------------- + +The library is normally released along two different trees, termed +stable and development. The stable tree is a branch off the main line, +and typically only sees bug fixes; almost all new development occurs +in the unstable/development releases. The primary issue is not +stability of the program (bugs of course do occur, and are more likely +to occur in code that is more in flux), but rather stability of API +and ABI. In particular, you should not expect any level of ABI +stability between releases on the development branch, and API changes +may be made without notice. Feel free to send comments on API changes, +or API problems, to the list. + +If you don't want to have to worry about tracking a moving target, and +just want something that works, you'll probably prefer using the +stable releases. If you want to get the latest features, the +development releases are the obvious choice. + +If you want to ship a binary that is usable out of the box on a Linux +distro that ships botan, you'll probably want to match versions with +that distro; as of this writing most ship with 1.8. + +If you're building an application that will embed botan into it +(without relying on a shared library), you want to use an amalgamation +build, which basically turns botan into a single header and a single +source file which you can easily include in your existing application +build. In this case you can pick which ever tree you prefer. + +The self-test program can't locate the library +----------------------------------------------- + +Are you sure either the current working directory ('.') or the +directory botan is building into are in the dynamic library path? On +many Unix systems this is controlled by the ``LD_LIBRARY_PATH`` +variable. You can add the currently directory to the list of +directories to search with this Bourne shell command:: + + $ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:. + +If you install the library into a well known location like +``/usr/local/lib``, then probably no particular +``LD_LIBRARY_PATH`` needs to be set. + +My program aborts with any message +---------------------------------------- + +Does your main function wrap all code inside a try/catch block? If an +exception is thrown and is not caught, many C++ runtimes simply crash +the process without providing any sort of diagnostic. + +Is the library thread-safe? +---------------------------------------- + +Yes, botan is thread safe. However, because mutual exclusion depends +on OS specific code, you must load a module to help. POSIX threads and +Win32 critical sections are both supported out of the box, other +thread libraries are very easy to add. To enable thread safe +operation, include "thread_safe" in the string you pass to +``Botan::LibraryInitializer`` constructor. If for whatever reason a +working mutex implementation cannot be found, LibraryInitializer will +throw an exception rather than continue operating in a bad state. + +How do I load this key generated by OpenSSL into botan? +-------------------------------------------------------- + +The encrypted key format used by the ``openssl`` command line tool is +undocumented and apparently specific to OpenSSL. The easiest approach +is to convert it to the (standard) PKCS #8 format, using:: + + openssl pkcs8 -topk8 -in my_key.pem + +Add ``-nocrypt`` to the command line if you want the resulting PKCS #8 +file to be unencrypted, otherwise it will ask you for a new password +to use. + +For unencrypted keys, you can also manually decode the parameters +using the existing PEM and BER support; see `this post +<http://lists.randombit.net/pipermail/botan-devel/2010-June/001156.html>`_ +to the dev list for an example. + +Is botan FIPS 140 certified? +---------------------------------------- + +No version of botan has been certified under FIPS 140. This is +unlikely to happen unless/until an organization is willing to fund and +shepherd the validation process, which typically requires several +months and many thousands of dollars. + +Is this thing safe to use? +---------------------------------------- + +The primary author/maintainer (Jack Lloyd) has 5+ years of experience +reviewing code for security flaws, and has additionally performed +several FIPS 140 validations of hardware and software crypto +implementations. However the library has never undergone an +*impartial* third-party security review, and thus it is entirely +possible/probable that a number of exploitable flaws remain in the +source. (If your company is interested in handling such a review, +please contact the maintainers). + +There has been one known security flaw. Between versions 0.7.8 +(released Feb 2002) and 1.3.7 (released Dec 2003), the ``es_unix`` +module, which runs Unix programs to gather entropy for seeding a +random number generator, ran programs by invoking the ``popen`` +library function with commands with no leading directory names. This +means setuid or setgid programs that used this entropy source could be +tricked into executing arbitrary programs via manipulation of the PATH +variable. Later versions will only search through specific (presumed +safe) directories like ``/usr/bin``; the list of directories to search +can be controlled by the application. + +Is botan vulnerable to timing attacks? +---------------------------------------- + +Botan's public key implementations do make some attempt to defend +against timing attacks; random blinding is used to protect all RSA, +Rabin-Williams, ElGamal, and Diffie-Hellman private key operations. + +Public key algorithms implemented using the Chinese Remainder Theorem +(RSA and Rabin-Williams) are subject to a catastrophic failure: if a +computational error (either induced by an attacker or merely +accidental) occurs during the private key operation, the private key +can be revealed. Other, more subtle, fault attacks are possible against +other schemes. For this reason, private key operations are checked +for consistency with the public key - if the results are not +consistent, then an exception is thrown indicating an error has +occurred rather than release information that might compromise the +key. + +AES implementations are usually quite vulnerable to timing attacks. +The table based implementation of AES included in botan uses small +tables in the first and last rounds which makes such attacks somewhat +more difficult. Alternate implementations of AES using SSSE3 and +AES-NI instruction sets are also included, and run in constant time, +but of course require a processor that supports these instruction +sets. + +I think I've found a security flaw. What should I do? +------------------------------------------------------------ + +You can do any combination of: + +* Contact the current lead maintainer personally; currently + `Jack Lloyd <http://www.randombit.net>`_ + (`personal PGP key` <http://www.randombit.net/pgpgkey.html`_) + +* Email the `development list + <http://lists.randombit.net/mailman/listinfo/botan-devel>`_ + +* File a bug in `Bugzilla <http://bugs.randombit.net/>`_ + +Does botan support SSL/TLS, SSH, S/MIME, OpenPGP... +------------------------------------------------------------ + +Support for SSL/TLS is included in version 1.9.4 and later. Currently +SSLv3 and TLS 1.0 and 1.1 are supported. + +`NetSieben SSH <http://netsieben.com/products/ssh/>`_ is an open +source SSHv2 implementation that uses botan. + +A preliminary and very incomplete implementation of CMS (the crypto +layer underlying S/MIME) is included in ``src/cms``, but it needs a +lot of love and attention before being truly useful. + +There is currently no support for OpenPGP. + +Will it work on my platform XYZ?? +---------------------------------------- + +The most common stumbling block is a compiler that is buggy or can't +handle modern C++ (specifically, C++98). Check out the `build list +<http://botan.randombit.net/builds.html>`_ for a sense of which +platforms are actively being tested. + +I'm not feeling this, what can I use instead? +------------------------------------------------------------ + +* `Crypto++ <http://www.cryptopp.com/>`_ is another C++ crypto + library. Its API is more heavily based on templates and in general + has a very different design philosophy from botan - so if you feel + botan's API is not a good match, you may well like Crypto++. + +* `OpenSSL <http://www.openssl.org>`_ is written in C and mostly + targeted to being an SSL/TLS implementation but there is a lot of + other stuff in there as well. + +* `XySSL <http://www.ohloh.net/projects/xyssl>`_ is a C library + providing a very small footprint crypto library and SSL + implementation. + +* `Adam Shostack <http://www.homeport.org/~adam/crypto/>`_ maintains a + (somewhat out of date) list of open source crypto libraries. diff --git a/doc/filters.txt b/doc/filters.txt new file mode 100644 index 000000000..2355005aa --- /dev/null +++ b/doc/filters.txt @@ -0,0 +1,780 @@ + +Information Flow: Pipes and Filters +======================================== + +Many common uses of cryptography involve processing one or more +streams of data. Botan provides services that make setting up data +flows through various operations, such as compression, encryption, and +base64 encoding. Each of these operations is implemented in what are +called *filters* in Botan. A set of filters are created and placed into +a *pipe*, and information "flows" through the pipe until it reaches +the end, where the output is collected for retrieval. If you're +familiar with the Unix shell environment, this design will sound quite +familiar. + +Here is an example that uses a pipe to base64 encode some strings:: + + Pipe pipe(new Base64_Encoder); // pipe owns the pointer + pipe.start_msg(); + pipe.write("message 1"); + pipe.end_msg(); // flushes buffers, increments message number + + // process_msg(x) is start_msg() && write(x) && end_msg() + pipe.process_msg("message2"); + + std::string m1 = pipe.read_all_as_string(0); // "message1" + std::string m2 = pipe.read_all_as_string(1); // "message2" + +Bytestreams in the pipe are grouped into messages; blocks of data that +are processed in an identical fashion (ie, with the same sequence of +filter operations). Messages are delimited by calls to ``start_msg`` +and ``end_msg``. Each message in a pipe has its own identifier, which +currently is an integer that increments up from zero. + +The ``Base64_Encoder`` was allocated using ``new``; but where was it +deallocated? When a filter object is passed to a ``Pipe``, the pipe +takes ownership of the object, and will deallocate it when it is no +longer needed. + +There are two different ways to make use of messages. One is to send +several messages through a ``Pipe`` without changing the ``Pipe`` +configuration, so you end up with a sequence of messages; one use of +this would be to send a sequence of identically encrypted UDP packets, +for example (note that the *data* need not be identical; it is just +that each is encrypted, encoded, signed, etc in an identical +fashion). Another is to change the filters that are used in the +``Pipe`` between each message, by adding or removing filters; +functions that let you do this are documented in the Pipe API section. + +Botan has about 40 filters that perform different operations on data. +Here's code that uses one of them to encrypt a string with AES:: + + AutoSeeded_RNG rng, + SymmetricKey key(rng, 16); // a random 128-bit key + InitializationVector iv(rng, 16); // a random 128-bit IV + + // The algorithm we want is specified by a string + Pipe pipe(get_cipher("AES-128/CBC", key, iv, ENCRYPTION)); + + pipe.process_msg("secrets"); + pipe.process_msg("more secrets"); + + MemoryVector<byte> c1 = pipe.read_all(0); + + byte c2[4096] = { 0 }; + size_t got_out = pipe.read(c2, sizeof(c2), 1); + // use c2[0...got_out] + +Note the use of ``AutoSeeded_RNG``, which is a random number +generator. If you want to, you can explicitly set up the random number +generators and entropy sources you want to, however for 99% of cases +``AutoSeeded_RNG`` is preferable. + +``Pipe`` also has convenience methods for dealing with +``std::iostream``. Here is an example of those, using the +``Bzip_Compression`` filter (included as a module; if you have bzlib +available, check the build instructions for how to enable it) to +compress a file:: + + std::ifstream in("data.bin", std::ios::binary) + std::ofstream out("data.bin.bz2", std::ios::binary) + + Pipe pipe(new Bzip_Compression); + + pipe.start_msg(); + in >> pipe; + pipe.end_msg(); + out << pipe; + +However there is a hitch to the code above; the complete contents of +the compressed data will be held in memory until the entire message +has been compressed, at which time the statement ``out << pipe`` is +executed, and the data is freed as it is read from the pipe and +written to the file. But if the file is very large, we might not have +enough physical memory (or even enough virtual memory!) for that to be +practical. So instead of storing the compressed data in the pipe for +reading it out later, we divert it directly to the file:: + + std::ifstream in("data.bin", std::ios::binary) + std::ofstream out("data.bin.bz2", std::ios::binary) + + Pipe pipe(new Bzip_Compression, new DataSink_Stream(out)); + + pipe.start_msg(); + in >> pipe; + pipe.end_msg(); + +This is the first code we've seen so far that uses more than one +filter in a pipe. The output of the compressor is sent to the +``DataSink_Stream``. Anything written to a ``DataSink_Stream`` is +written to a file; the filter produces no output. As soon as the +compression algorithm finishes up a block of data, it will send it +along to the sink filter, which will immediately write it to the +stream; if you were to call ``pipe.read_all()`` after +``pipe.end_msg()``, you'd get an empty vector out. This is +particularly useful for cases where you are processing a large amount +of data, as it means you don't have to store everything in memory at +once. + +Here's an example using two computational filters:: + + AutoSeeded_RNG rng, + SymmetricKey key(rng, 32); + InitializationVector iv(rng, 16); + + Pipe encryptor(get_cipher("AES/CBC/PKCS7", key, iv, ENCRYPTION), + new Base64_Encoder); + + encryptor.start_msg(); + file >> encryptor; + encryptor.end_msg(); // flush buffers, complete computations + std::cout << encryptor; + +You can read from a pipe while you are still writing to it, which +allows you to bound the amount of memory that is in use at any one +time. A common idiom for this is:: + + pipe.start_msg(); + SecureBuffer<byte, 4096> buffer; + while(infile.good()) + { + infile.read((char*)&buffer[0], buffer.size()); + const size_t got_from_infile = infile.gcount(); + pipe.write(buffer, got_from_infile); + + if(infile.eof()) + pipe.end_msg(); + + while(pipe.remaining() > 0) + { + const size_t buffered = pipe.read(buffer, buffer.size()); + outfile.write((const char*)&buffer[0], buffered); + } + } + if(infile.bad() || (infile.fail() && !infile.eof())) + throw Some_Exception(); + +Fork +--------------------------------- + +It is common that you might receive some data and want to perform more +than one operation on it (ie, encrypt it with Serpent and calculate +the SHA-256 hash of the plaintext at the same time). That's where +``Fork`` comes in. ``Fork`` is a filter that takes input and passes it +on to *one or more* filters that are attached to it. ``Fork`` changes +the nature of the pipe system completely: instead of being a linked +list, it becomes a tree or acyclic graph. + +Each filter in the fork is given its own output buffer, and thus its +own message. For example, if you had previously written two messages +into a pipe, then you start a new one with a fork that has three +paths of filter's inside it, you add three new messages to the +pipe. The data you put into the pipe is duplicated and sent +into each set of filter and the eventual output is placed into a +dedicated message slot in the pipe. + +Messages in the pipe are allocated in a depth-first manner. This is only +interesting if you are using more than one fork in a single pipe. +As an example, consider the following:: + + Pipe pipe(new Fork( + new Fork( + new Base64_Encoder, + new Fork( + NULL, + new Base64_Encoder + ) + ), + new Hex_Encoder + ) + ); + +In this case, message 0 will be the output of the first +``Base64_Encoder``, message 1 will be a copy of the input (see below +for how fork interprets NULL pointers), message 2 will be the output +of the second ``Base64_Encoder``, and message 3 will be the output of +the ``Hex_Encoder``. This results in message numbers being allocated +in a top to bottom fashion, when looked at on the screen. However, +note that there could be potential for bugs if this is not +anticipated. For example, if your code is passed a filter, and you +assume it is a "normal" one that only uses one message, your message +offsets would be wrong, leading to some confusion during output. + +If Fork's first argument is a null pointer, but a later argument is +not, then Fork will feed a copy of its input directly through. Here's +a case where that is useful:: + + // have std::string ciphertext, auth_code, key, iv, mac_key; + + Pipe pipe(new Base64_Decoder, + get_cipher("AES-128", key, iv, DECRYPTION), + new Fork( + 0, // this message gets ciphertext + new MAC_Filter("HMAC(SHA-1)", mac_key) + ) + ); + + pipe.process_msg(ciphertext); + std::string plaintext = pipe.read_all_as_string(0); + SecureVector<byte> mac = pipe.read_all(1); + + if(mac != auth_code) + error(); + +Here we wanted to not only decrypt the message, but send the decrypted +text through an additional computation, in order to compute the +authentication code. + +Any filters that are attached to the pipe after the fork are +implicitly attached onto the first branch created by the fork. For +example, let's say you created this pipe:: + + Pipe pipe(new Fork(new Hash_Filter("SHA-256"), + new Hash_Filter("SHA-512")), + new Hex_Encoder); + +And then called ``start_msg``, inserted some data, then +``end_msg``. Then ``pipe`` would contain two messages. The first one +(message number 0) would contain the SHA-256 sum of the input in hex +encoded form, and the other would contain the SHA-512 sum of the input +in raw binary. In many situations you'll want to perform a sequence of +operations on multiple branches of the fork; in which case, use +the filter described in :ref:`chain`. + +.. _chain: + +Chain +--------------------------------- + +A ``Chain`` filter creates a chain of filters and encapsulates them +inside a single filter (itself). This allows a sequence of filters to +become a single filter, to be passed into or out of a function, or to +a ``Fork`` constructor. + +You can call ``Chain``'s constructor with up to four ``Filter`` +pointers (they will be added in order), or with an array of filter +pointers and a ``size_t`` that tells ``Chain`` how many filters are in +the array (again, they will be attached in order). Here's the example +from the last section, using chain instead of relying on the implicit +passthrough the other version used:: + + Pipe pipe(new Fork( + new Chain(new Hash_Filter("SHA-256"), new Hex_Encoder), + new Hash_Filter("SHA-512") + ) + ); + +Sources and Sinks +---------------------------------------- + +Data Sources +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +A ``DataSource`` is a simple abstraction for a thing that stores +bytes. This type is used heavily in the areas of the API related to +ASN.1 encoding/decoding. The following types are ``DataSource``: +``Pipe``, ``SecureQueue``, and a couple of special purpose ones: +``DataSource_Memory`` and ``DataSource_Stream``. + +You can create a ``DataSource_Memory`` with an array of bytes and a +length field. The object will make a copy of the data, so you don't +have to worry about keeping that memory allocated. This is mostly for +internal use, but if it comes in handy, feel free to use it. + +A ``DataSource_Stream`` is probably more useful than the memory based +one. Its constructors take either a ``std::istream`` or a +``std::string``. If it's a stream, the data source will use the +``istream`` to satisfy read requests (this is particularly useful to +use with ``std::cin``). If the string version is used, it will attempt +to open up a file with that name and read from it. + +Data Sinks +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +A ``DataSink`` (in ``data_snk.h``) is a ``Filter`` that takes +arbitrary amounts of input, and produces no output. This means it's +doing something with the data outside the realm of what +``Filter``/``Pipe`` can handle, for example, writing it to a file +(which is what the ``DataSink_Stream`` does). There is no need for +``DataSink``s that write to a ``std::string`` or memory buffer, +because ``Pipe`` can handle that by itself. + +Here's a quick example of using a ``DataSink``, which encrypts +``in.txt`` and sends the output to ``out.txt``. There is +no explicit output operation; the writing of ``out.txt`` is +implicit:: + + DataSource_Stream in("in.txt"); + Pipe pipe(get_cipher("AES-128/CTR-BE", key, iv), + new DataSink_Stream("out.txt")); + pipe.process_msg(in); + +A real advantage of this is that even if "in.txt" is large, only as +much memory is needed for internal I/O buffers will be used. + +The Pipe API +--------------------------------- + +Initializing Pipe +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +By default, ``Pipe`` will do nothing at all; any input placed into the +``Pipe`` will be read back unchanged. Obviously, this has limited +utility, and presumably you want to use one or more filters to somehow +process the data. First, you can choose a set of filters to initialize +the ``Pipe`` via the constructor. You can pass it either a set of up +to four filter pointers, or a pre-defined array and a length:: + + Pipe pipe1(new Filter1(/*args*/), new Filter2(/*args*/), + new Filter3(/*args*/), new Filter4(/*args*/)); + Pipe pipe2(new Filter1(/*args*/), new Filter2(/*args*/)); + + Filter* filters[5] = { + new Filter1(/*args*/), new Filter2(/*args*/), new Filter3(/*args*/), + new Filter4(/*args*/), new Filter5(/*args*/) /* more if desired... */ + }; + Pipe pipe3(filters, 5); + +This is by far the most common way to initialize a ``Pipe``. However, +occasionally a more flexible initialization strategy is necessary; +this is supported by 4 member functions. These functions may only be +used while the pipe in question is not in use; that is, either before +calling ``start_msg``, or after ``end_msg`` has been called (and no +new calls to ``start_msg`` have been made yet). + +.. cpp:function:: void Pipe::prepend(Filter* filter) + + Calling ``prepend`` will put the passed filter first in the list of + transformations. For example, if you prepend a filter implementing + encryption, and the pipe already had a filter that hex encoded the + input, then the next message processed would be first encrypted, + and *then* hex encoded. + +.. cpp:function:: void Pipe::append(Filter* filter) + + Like ``prepend``, but places the filter at the end of the message + flow. This doesn't always do what you expect if there is a fork. + +.. cpp:function:: void Pipe::pop() + + Removes the first filter in the flow. + +.. cpp:function:: void Pipe::reset() + + Removes all the filters that the pipe currently holds - it is reset + to an empty/no-op state. Any data that is being retained by the + pipe is retained after a ``reset``, and ``reset`` does not affect + message numbers (discussed later). + +Giving Data to a Pipe +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Input to a ``Pipe`` is delimited into messages, which can be read from +independently (ie, you can read 5 bytes from one message, and then all of +another message, without either read affecting any other messages). + +.. cpp:function:: void Pipe::start_msg() + + Starts a new message; if a message was already running, an exception is + thrown. After this function returns, you can call ``write``. + +.. cpp:function:: void Pipe::write(const byte* input, size_t length) + +.. cpp:function:: void Pipe::write(const MemoryRegion<byte>& input) + +.. cpp:function:: void Pipe::write(const std::string& input) + +.. cpp:function:: void Pipe::write(DataSource& input) + +.. cpp:function:: void Pipe::write(byte input) + + All versions of ``write`` write the input into the filter sequence. + If a message is not currently active, an exception is thrown. + +.. cpp:function:: void Pipe::end_msg() + + End the currently active message + +Sometimes, you may want to do only a single write per message. In this +case, you can use the ``process_msg`` series of functions, which start +a message, write their argument into the pipe, and then end the +message. In this case you would not make any explicit calls to +``start_msg``/``end_msg``. + +Pipes can also be used with the ``>>`` operator, and will accept a +``std::istream``, or on Unix systems with the ``fd_unix`` module, a +Unix file descriptor. In either case, the entire contents of the file +will be read into the pipe. + +Getting Output from a Pipe +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Retrieving the processed data from a pipe is a bit more complicated, +for various reasons. The pipe will separate each message into a +separate buffer, and you have to retrieve data from each message +independently. Each of the reader functions has a final parameter that +specifies what message to read from. If this parameter is set to +``Pipe::DEFAULT_MESSAGE``, it will read the current default message +(``DEFAULT_MESSAGE`` is also the default value of this parameter). + +Functions in ``Pipe`` related to reading include: + +.. cpp:function:: size_t Pipe::read(byte* out, size_t len) + + Reads up to ``len`` bytes into ``out``, and returns the number of + bytes actually read. + +.. cpp:function:: size_t Pipe::peek(byte* out, size_t len) + + Acts exactly like `read`, except the data is not actually read; the + next read will return the same data. + +.. cpp:function:: SecureVector<byte> Pipe::read_all() + + Reads the entire message into a buffer and returns it + +.. cpp:function:: std::string Pipe::read_all_as_string() + + Like ``read_all``, but it returns the data as a ``std::string``. + No encoding is done; if the message contains raw binary, so will + the string. + +.. cpp:function:: size_t Pipe::remaining() + + Returns how many bytes are left in the message + +.. cpp:function:: Pipe::message_id Pipe::default_msg() + + Returns the current default message number + +.. cpp:function:: Pipe::message_id Pipe::message_count() + + Returns the total number of messages currently in the pipe + +.. cpp:function:: Pipe::set_default_msg(Pipe::message_id msgno) + + Sets the default message number (which must be a valid message + number for that pipe). The ability to set the default message number + is particularly important in the case of using the file output + operations (``<<`` with a ``std::ostream`` or Unix file descriptor), + because there is no way to specify the message explicitly when using + the output operator. + +Pipe I/O for Unix File Descriptors +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This is a minor feature, but it comes in handy sometimes. In all +installations of the library, Botan's ``Pipe`` object overloads the +``<<`` and ``>>`` operators for C++ iostream objects, +which is usually more than sufficient for doing I/O. + +However, there are cases where the iostream hierarchy does not map well to +local 'file types', so there is also the ability to do I/O directly with Unix +file descriptors. This is most useful when you want to read from or write to +something like a TCP or Unix-domain socket, or a pipe, since for simple file +access it's usually easier to just use C++'s file streams. + +If ``BOTAN_EXT_PIPE_UNIXFD_IO`` is defined, then you can use the +overloaded I/O operators with Unix file descriptors. For an example of this, +check out the ``hash_fd`` example, included in the Botan distribution. + +Filter Catalog +--------------------------------- + +This section documents most of the useful filters included in the +library. + +Keyed Filters +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +A few sections ago, it was mentioned that ``Pipe`` can process +multiple messages, treating each of them the same. Well, that was a +bit of a lie. There are some algorithms (in particular, block ciphers +not in ECB mode, and all stream ciphers) that change their state as +data is put through them. + +Naturally, you might well want to reset the keys or (in the case of +block cipher modes) IVs used by such filters, so multiple messages can +be processed using completely different keys, or new IVs, or new keys +and IVs, or whatever. And in fact, even for a MAC or an ECB block +cipher, you might well want to change the key used from message to +message. + +Enter ``Keyed_Filter``, which acts as an abstract interface for any +filter that is uses keys: block cipher modes, stream ciphers, MACs, +and so on. It has two functions, ``set_key`` and ``set_iv``. Calling +``set_key`` will set (or reset) the key used by the algorithm. Setting +the IV only makes sense in certain algorithms -- a call to ``set_iv`` +on an object that doesn't support IVs will cause an exception. You +must call ``set_key`` *before* calling ``set_iv``. + +Here's a example:: + + Keyed_Filter *aes, *hmac; + Pipe pipe(new Base64_Decoder, + // Note the assignments to the cast and hmac variables + aes = get_cipher("AES-128/CBC", aes_key, iv), + new Fork( + 0, // Read the section 'Fork' to understand this + new Chain( + hmac = new MAC_Filter("HMAC(SHA-1)", mac_key, 12), + new Base64_Encoder + ) + ) + ); + pipe.start_msg(); + // use pipe for a while, decrypt some stuff, derive new keys and IVs + pipe.end_msg(); + + aes->set_key(aes_key2); + aes->set_iv(iv2); + hmac->set_key(mac_key2); + + pipe.start_msg(); + // use pipe for some other things + pipe.end_msg(); + +There are some requirements to using ``Keyed_Filter`` that you must +follow. If you call ``set_key`` or ``set_iv`` on a filter that is +owned by a ``Pipe``, you must do so while the ``Pipe`` is +"unlocked". This refers to the times when no messages are being +processed by ``Pipe`` -- either before ``Pipe``'s ``start_msg`` is +called, or after ``end_msg`` is called (and no new call to +``start_msg`` has happened yet). Doing otherwise will result in +undefined behavior, probably silently getting invalid output. + +And remember: if you're resetting both values, reset the key *first*. + +Cipher Filters +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Getting a hold of a ``Filter`` implementing a cipher is very +easy. Make sure you're including the header ``lookup.h``, and +then call ``get_cipher``. You will pass the return value +directly into a ``Pipe``. There are a couple different functions +which do varying levels of initialization: + +.. cpp:function:: Keyed_Filter* get_cipher(std::string cipher_spec, \ + SymmetricKey key, InitializationVector iv, Cipher_Dir dir) + +.. cpp:function:: Keyed_Filter* get_cipher(std::string cipher_spec, \ + SymmetricKey key, Cipher_Dir dir) + +The version that doesn't take an IV is useful for things that don't +use them, like block ciphers in ECB mode, or most stream ciphers. If +you specify a cipher spec that does want a IV, and you use the version +that doesn't take one, an exception will be thrown. The ``dir`` +argument can be either ``ENCRYPTION`` or ``DECRYPTION``. + +The cipher_spec is a string that specifies what cipher is to be +used. The general syntax for "cipher_spec" is "STREAM_CIPHER", +"BLOCK_CIPHER/MODE", or "BLOCK_CIPHER/MODE/PADDING". In the case of +stream ciphers, no mode is necessary, so just the name is +sufficient. A block cipher requires a mode of some sort, which can be +"ECB", "CBC", "CFB(n)", "OFB", "CTR-BE", or "EAX(n)". The argument to +CFB mode is how many bits of feedback should be used. If you just use +"CFB" with no argument, it will default to using a feedback equal to +the block size of the cipher. EAX mode also takes an optional bit +argument, which tells EAX how large a tag size to use~--~generally +this is the size of the block size of the cipher, which is the default +if you don't specify any argument. + +In the case of the ECB and CBC modes, a padding method can also be +specified. If it is not supplied, ECB defaults to not padding, and CBC +defaults to using PKCS #5/#7 compatible padding. The padding methods +currently available are "NoPadding", "PKCS7", "OneAndZeros", and +"CTS". CTS padding is currently only available for CBC mode, but the +others can also be used in ECB mode. + +Some example "cipher_spec arguments are: "AES-128/CBC", +"Blowfish/CTR-BE", "Serpent/XTS", and "AES-256/EAX". + +"CTR-BE" refers to counter mode where the counter is incremented as if +it were a big-endian encoded integer. This is compatible with most +other implementations, but it is possible some will use the +incompatible little endian convention. This version would be denoted +as "CTR-LE" if it were supported. + +"EAX" is a new cipher mode designed by Wagner, Rogaway, and +Bellare. It is an authenticated cipher mode (that is, no separate +authentication is needed), has provable security, and is free from +patent entanglements. It runs about half as fast as most of the other +cipher modes (like CBC, OFB, or CTR), which is not bad considering you +don't need to use an authentication code. + +Hashes and MACs +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Hash functions and MACs don't need anything special when it comes to +filters. Both just take their input and produce no output until +``end_msg`` is called, at which time they complete the hash or MAC and +send that as output. + +These filters take a string naming the type to be used. If for some +reason you name something that doesn't exist, an exception will be thrown. + +.. cpp:function:: Hash_Filter::Hash_Filter(std::string hash, size_t outlen = 0) + + This constructor creates a filter that hashes its input with + ``hash``. When ``end_msg`` is called on the owning pipe, the hash is + completed and the digest is sent on to the next filter in the + pipeline. The parameter ``outlen`` specifies how many bytes of the + hash output will be passed along to the next filter when ``end_msg`` + is called. By default, it will pass the entire hash. + + Examples of names for ``Hash_Filter`` are "SHA-1" and "Whirlpool". + +.. cpp:function:: MAC_Filter::MAC_Filter(std::string mac, SymmetricKey key, size_t outlen = 0) + + This constructor takes a name for a mac, such as "HMAC(SHA-1)" or + "CMAC(AES-128)", along with a key to use. The optional ``outlen`` + works the same as in ``Hash_Filter``. + +PK Filters +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +There are four classes in this category, ``PK_Encryptor_Filter``, +``PK_Decryptor_Filter``, ``PK_Signer_Filter``, and +``PK_Verifier_Filter``. Each takes a pointer to an object of the +appropriate type (``PK_Encryptor``, ``PK_Decryptor``, etc) that is +deleted by the destructor. These classes are found in ``pk_filts.h``. + +Three of these, for encryption, decryption, and signing are much the +same in terms of dataflow - ach of them buffers its input until the +end of the message is marked with a call to the ``end_msg`` +function. Then they encrypt, decrypt, or sign the entire input as a +single blob and send the output (the ciphertext, the plaintext, or the +signature) into the next filter. + +Signature verification works a little differently, because it needs to +know what the signature is in order to check it. You can either pass +this in along with the constructor, or call the function +``set_signature`` -- with this second method, you need to keep +a pointer to the filter around so you can send it this command. In +either case, after ``end_msg`` is called, it will try to +verify the signature (if the signature has not been set by either +method, an exception will be thrown here). It will then send a single +byte onto the next filter -- a 1 or a 0, which specifies whether the +signature verified or not (respectively). + +For more information about PK algorithms (including creating the +appropriate objects to pass to the constructors), see :doc:`pubkey`. + +Encoders +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Often you want your data to be in some form of text (for sending over +channels that aren't 8-bit clean, printing it, etc). The filters +``Hex_Encoder`` and ``Base64_Encoder`` will convert arbitrary binary +data into hex or base64 formats. Not surprisingly, you can use +``Hex_Decoder`` and ``Base64_Decoder`` to convert it back into its +original form. + +Both of the encoders can take a few options about how the data should +be formatted (all of which have defaults). The first is a ``bool`` +which says if the encoder should insert line breaks. This defaults to +false. Line breaks don't matter either way to the decoder, but it +makes the output a bit more appealing to the human eye, and a few +transport mechanisms (notably some email systems) limit the maximum +line length. + +The second encoder option is an integer specifying how long such lines +will be (obviously this will be ignored if line-breaking isn't being +used). The default tends to be in the range of 60-80 characters, but +is not specified. If you want a specific value, set it. Otherwise the +default should be fine. + +Lastly, ``Hex_Encoder`` takes an argument of type ``Case``, which can +be ``Uppercase`` or ``Lowercase`` (default is ``Uppercase``). This +specifies what case the characters A-F should be output as. The base64 +encoder has no such option, because it uses both upper and lower case +letters for its output. + +You can find the declarations for these types in ``hex_filt.h`` and +``b64_filt.h``. + +Compressors +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +There are two compression algorithms supported by Botan, zlib and +bzip2. Only lossless compression algorithms are currently supported by +Botan, because they tend to be the most useful for +cryptography. However, it is very reasonable to consider supporting +something like GSM speech encoding (which is lossy), for use in +encrypted voice applications. + +You should always compress *before* you encrypt, because encryption seeks +to hide the redundancy that compression is supposed to try to find and remove. + +To test for Bzip2, check to see if ``BOTAN_HAS_COMPRESSOR_BZIP2`` is +defined. If so, you can include ``botan/bzip2.h``, which will declare +a pair of ``Filter`` objects: ``Bzip2_Compression`` and +``Bzip2_Decompression``. + +You should be prepared to take an exception when using the +decompressing filter, for if the input is not valid bzip2 data, that +is what you will receive. You can specify the desired level of +compression to ``Bzip2_Compression``'s constructor as an integer +between 1 and 9, 1 meaning worst compression, and 9 meaning the +best. The default is to use 9, since small values take the same amount +of time, just use a little less memory. + +Zlib compression works much like Bzip2 compression. The only +differences in this case are that the macro is +``BOTAN_HAS_COMPRESSOR_ZLIB``, the header you need to include is +called ``botan/zlib.h`` (remember that you shouldn't just ``#include +<zlib.h>``, or you'll get the regular zlib API, which is not what you +want). The Botan classes for zlib compression/decompression are called +``Zlib_Compression`` and ``Zlib_Decompression``. + +Like Bzip2, a ``Zlib_Decompression`` object will throw an exception if +invalid (in the sense of not being in the Zlib format) data is passed +into it. + +While the zlib compression library uses the same compression algorithm +as the gzip and zip programs, the format is different. The zlib format +is defined in RFC 1950. + +Writing New Filters +--------------------------------- + +The system of filters and pipes was designed in an attempt to make it +as simple as possible to write new filter types. There are four +functions that need to be implemented by a class deriving from +``Filter``: + +.. cpp:function:: void Filter::write(const byte* input, size_t length) + + This function is what is called when a filter receives input for it + to process. The filter is not required to process the data right + away; many filters buffer their input before producing any output. A + filter will usually have ``write`` called many times during its + lifetime. + +.. cpp:function:: void Filter::send(byte* output, size_t length) + + Eventually, a filter will want to produce some output to send along + to the next filter in the pipeline. It does so by calling ``send`` + with whatever it wants to send along to the next filter. There is + also a version of ``send`` taking a single byte argument, as a + convenience. + +.. cpp:function:: void Filter::start_msg() + + Implementing this function is optional. Implement it if your filter + would like to do some processing or setup at the start of each + message, such as allocating a data structure. + +.. cpp:function:: void Filter::end_msg() + + Implementing this function is optional. It is called when it has + been requested that filters finish up their computations. The filter + should finish up with whatever computation it is working on (for + example, a compressing filter would flush the compressor and + ``send`` the final block), and empty any buffers in preparation for + processing a fresh new set of input. + +Additionally, if necessary, filters can define a constructor that +takes any needed arguments, and a destructor to deal with deallocating +memory, closing files, etc. + diff --git a/doc/fips140.tex b/doc/fips140.tex deleted file mode 100644 index 8b2004508..000000000 --- a/doc/fips140.tex +++ /dev/null @@ -1,156 +0,0 @@ -\documentclass{article} - -\setlength{\textwidth}{6.5in} -\setlength{\textheight}{9in} - -\setlength{\headheight}{0in} -\setlength{\topmargin}{0in} -\setlength{\headsep}{0in} - -\setlength{\oddsidemargin}{0in} -\setlength{\evensidemargin}{0in} - -\title{\textbf{Botan FIPS 140-2 Security Policy}} -\author{Jack Lloyd \\ - \texttt{[email protected]}} -\date{} - -\newcommand{\filename}[1]{\texttt{#1}} -\newcommand{\module}[1]{\texttt{#1}} - -\newcommand{\type}[1]{\texttt{#1}} -\newcommand{\function}[1]{\textbf{#1}} -\newcommand{\macro}[1]{\texttt{#1}} - -\begin{document} - -\maketitle - -\tableofcontents - -\parskip=5pt -%\baselineskip=15pt - -\pagebreak - -\section{Introduction} - -\emph{Note that this is a draft, and almost certainly does not comply with what -FIPS 140-2 wants (also it's incomplete). In any case, there is no way for me to -afford paying the validation lab, so this is all theoretical.} - -\emph{I would welcome comments from people who are familiar with the FIPS 140 -process. I am currently basing this off a few dozen other security policies and -the FIPS itself.} - -\subsection{Purpose} - -This document is a security policy for the Botan C++ crypto library for use in -a FIPS 140-2 Level 1 validation process. It describes how to configure and use -the library to comply with the requirements of FIPS 140-2. - -This document is non-proprietary, and may be freely reproduced and distributed -in unmodified form. - -\subsection{Product Description} - -The Botan C++ crypto library (hereafter ``Botan'' or ``the library'') is an -open source C++ class library providing a general-purpose interface to a wide -variety of cryptographic algorithms and formats (such as X.509v3 and PKCS -\#10). It runs on most Win32 and POSIX-like systems, including Windows -NT/2000/XP, MacOS X, Linux, Solaris, FreeBSD, and QNX. However, only versions -running on \emph{(goal:)} Windows XP, Linux, and Solaris have been validated by -FIPS 140-2 at this time. - -\subsection{Algorithms} - -The library contains the following FIPS Approved algorithms: RSA, DSA, DES, -TripleDES, Skipjack, AES, SHA-1, HMAC, the X9.19 DES MAC, and the FIPS 186-2 -SHA-1 RNG. Other (non-Approved) algorithms, such as MD5 and Diffie-Hellman, are -also included. - -\section{Initialization} - -Certain tests are only performed if the flag ``fips140'' is passed as part of -the initialization process to the library (the argument to -\type{LibraryInitializer} or \function{Init::initialize}). Known answer tests -and key generation self-checks for RSA and DSA are always performed, regardless -of this setting. This flag must be passed by any application which desires -using the FIPS 140 mode of operation. - -\section{Roles and Services} - -Botan supports two roles, the User and the Crypto Officer. Authentication is -not performed by the module; all authentication is implicitly done by the -operating system. - -\subsection{User Role} - -The user has the ability to access the services of the module. This role is -implicitly selected whenever the module's services are accessed. - -\subsection{Crypto Officer Role} - -The crypto officer has all of the powers of the user, and in addition has the -power to install and uninstall the module and to configure the operating -system. This role is implicitly selected whenever these actions are performed. - -\section{Key Management} - -\subsection{Key Import/Export} - -Symmetric keys can be imported and exported in either unencrypted, encrypted, -or split-knowledge forms, as the application desires. Private keys for -asymmetric algorithms can be imported and exported as either encrypted or -unencrypted PKCS \#8 structures. The library natively supports PKCS \#5 -encryption with TripleDES for encrypting private keys. - -\subsection{Key Storage} - -In no case does the library itself import or export keys from/to an external -storage device; all such operations are done explicitly by the application. It -is the responsibly of the operator to ensure than any such operations comply -with the requirements of FIPS 140-2 Level 1. - -\subsection{Key Generation} - -Keys for symmetric algorithms (such as DES, AES, and HMAC) are generated by an -Approved RNG, by generating a random byte string of the appropriate size, and -using it as a key. - -DSA keys are generated as specified in FIPS 186-2 (or not?). RSA keys are -generated as specified in ANSI X9.31 (\emph{I think...}). Diffie-Hellman keys -are generated in a manner compatible with ANSI X9.42. All newly created DSA and -RSA keys are checked with a pairwise consistency test before being returned to -the caller. A pairwise consistency check can be performed on any RSA, DSA, or -Diffie-Hellman key by calling the \function{check\_key} member function with -an argument of \type{true}. - -\subsection{Key Establishment} - -Botan supports using RSA or Diffie-Hellman to establish keys. RSA can be used -with PKCS \#1 v1.5 or OAEP padding. None of these methods are FIPS Approved, -but Annex D of FIPS 140-2 allows for their use until such time as a FIPS -Approved asymmetric key establishment method is established. - -\subsection{Key Protection / Zeroization} - -Keys are protected against external access by the operating system's memory and -process protection mechanisms. If the library is used by multiple processes at -once, the OS virtual memory mechanisms ensure that each version will have it's -own data space (and thus, keys are not shared among multiple processes). - -All keys and other sensitive materials are zeroed in memory before being -released to the system. - -On Windows systems the \function{VirtualLock} system call is used to notify the -operating system that the memory containing potentially sensitive keying -material is not swapped to disk, preventing an attacker from applying disk -forenistics techniques to recovery data. - -On Unix systems, Botan allocates memory from file-backed memory mappings, which -are thoroughly erased when the memory is freed. - -\section{References} - -\end{document} diff --git a/doc/firststep.txt b/doc/firststep.txt new file mode 100644 index 000000000..fb4eb583e --- /dev/null +++ b/doc/firststep.txt @@ -0,0 +1,107 @@ + +Getting Started +======================================== + +All declarations in the library are contained within the namespace +``Botan``, so you need to either prefix types with ``Botan::`` or add +a ``using`` declaration in your code. All examples will assume a +``using`` declaration. + +All library headers are included like so:: + + #include <botan/botan.h> + +Initializing the Library +---------------------------------------- + +There is a set of core services that the library needs access to while +it is performing requests. To ensure these are set up, you must create +an object of type + +.. cpp:class:: LibraryInitializer + +prior to making any other library calls. Typically this will be named +something like ``init`` or ``botan_init``. The object lifetime must +exceed that of all other Botan objects your application creates; for +this reason the best place to create the ``LibraryInitializer`` is at +the start of your ``main`` function, since this guarantees that it +will be created first and destroyed last (via standard C++ RAII +rules). The initializer does things like setting up the memory +allocation system and algorithm lookup tables, finding out if there is +a high resolution timer available to use, and similar such +matters. With no arguments, the library is initialized with various +default settings. So (unless you are writing threaded code; see +below), all you need is:: + + Botan::LibraryInitializer init; + +at the start of your ``main``. + +The constructor takes an optional string that specifies arguments. +Currently the only possible argument is "thread_safe", which must have +an boolean argument (for instance "thread_safe=false" or +"thread_safe=true"). If "thread_safe" is specified as true the library +will attempt to register a mutex type to properly guard access to +shared resources. However these locks do not protect individual Botan +objects: explicit locking must be used if you wish to share a single +object between threads. + +If you do not create a ``LibraryInitializer`` object, all library +operations will fail, because it will be unable to do basic things +like allocate memory or get random bits. You should never create more +than one ``LibraryInitializer``. + +Pitfalls +---------------------------------------- + +There are a few things to watch out for to prevent problems when using +the library. + +Never allocate any kind of Botan object globally. The problem with +doing this is that the constructor for such an object will be called +before the library is initialized. Many Botan objects will, in their +constructor, make one or more calls into the library global state +object. Access to this object is checked, so an exception should be +thrown (rather than a memory access violation or undetected +uninitialized object access). A rough equivalent that will work is to +keep a global pointer to the object, initializing it after creating +your ``LibraryInitializer``. Merely making the +``LibraryInitializer`` also global will probably not help, because +C++ does not make very strong guarantees about the order that such +objects will be created. + +The same rule applies for making sure the destructors of all your +Botan objects are called before the ``LibraryInitializer`` is +destroyed. This implies you can't have static variables that are Botan +objects inside functions or classes; in many C++ runtimes, these +objects will be destroyed after main has returned. + +The memory object classes (``MemoryRegion``, ``MemoryVector``, +``SecureVector``) are extremely primitive, and meant only for +secure storage of potentially sensitive data like keys. They do not +meet the requirements for an STL container object and you should not +try to use them with STL algorithms. For a general-purpose container, +use ``std::vector``. + +Use a ``try``/``catch`` block inside your ``main`` function, and catch +any ``std::exception`` throws (remember to catch by reference, as +``std::exception::what`` is polymorphic):: + + int main() + { + try + { + LibraryInitializer init; + + // ... + } + catch(std::exception& e) + { + std::cerr << e.what() << "\n"; + } + } + +This is not strictly required, but if you don't, and Botan throws an +exception, the runtime will call ``std::terminate``, which usually +calls ``abort`` or something like it, leaving you (or worse, a user of +your application) wondering what went wrong. diff --git a/doc/fpe.txt b/doc/fpe.txt new file mode 100644 index 000000000..5c035f0b7 --- /dev/null +++ b/doc/fpe.txt @@ -0,0 +1,58 @@ + +Format Preserving Encryption +======================================== + +.. versionadded:: 1.9.17 + +Format preserving encryption (FPE) refers to a set of techniques for +encrypting data such that the ciphertext has the same format as the +plaintext. For instance, you can use FPE to encrypt credit card +numbers with valid checksums such that the ciphertext is also an +credit card number with a valid checksum, or similiarly for bank +account numbers, US Social Security numbers, or even more general +mappings like English words onto other English words. + +The scheme currently implemented in botan is called FE1, and described +in the paper `Format Preserving Encryption +<http://eprint.iacr.org/2009/251>`_ by Mihir Bellare, Thomas +Ristenpart, Phillip Rogaway, and Till Stegers. FPE is an area of +ongoing standardization and it is likely that other schemes will be +included in the future. + +To use FE1, use these functions, from ``fpe_fe1.h``: + +.. cpp:function:: BigInt FPE::fe1_encrypt(const BigInt& n, const BigInt& X, \ + const SymmetricKey& key, const MemoryRegion<byte>& tweak) + + Encrypts the value *X* modulo the value *n* using the *key* and + *tweak* specified. Returns an integer less than *n*. The *tweak* is + a value that does not need to be secret that parameterizes the + encryption function. For instance, if you were encrypting a + database column with a single key, you could use a per-row-unique + integer index value as the tweak. + + To encrypt an arbitrary value using FE1, you need to use a ranking + method. Basically, the idea is to assign an integer to every value + you might encrypt. For instance, a 16 digit credit card number + consists of a 15 digit code plus a 1 digit checksum. So to encrypt + a credit card number, you first remove the checksum, encrypt the 15 + digit value modulo 10\ :sup:`15`, and then calculate what the + checksum is for the new (ciphertext) number. + +.. cpp:function:: BigInt FPE::fe1_decrypt(const BigInt& n, const BigInt& X, \ + const SymmetricKey& key, const MemoryRegion<byte>& tweak) + + Decrypts an FE1 ciphertext produced by :cpp:func:`fe1_encrypt`; the + *n*, *key* and *tweak* should be the same as that provided to the + encryption function. Returns the plaintext. + + Note that there is not any implicit authentication or checking of + data, so if you provide an incorrect key or tweak the result is + simply a random integer. + +This example encrypts a credit card number with a valid +`Luhn checksum <http://en.wikipedia.org/wiki/Luhn_algorithm>`_ to +another number with the same format, including a correct checksum. + +.. literalinclude:: examples/fpe.cpp + diff --git a/doc/indent.el b/doc/indent.el index 9811bf848..7fa2540b0 100644 --- a/doc/indent.el +++ b/doc/indent.el @@ -2,19 +2,14 @@ ; get everything perfectly correct, but it's pretty close. Copy this code into ; your .emacs file, or use M-x eval-buffer. Make sure to also set ; indent-tabs-mode to nil so spaces are inserted instead. - +; ; This style is basically Whitesmiths style with 3 space indents (the Emacs ; "whitesmith" style seems more like a weird Whitesmiths/Allman mutant style). - +; ; To activate using this style, open the file you want to edit and run this: -; M-x c-set-style <RET> and then enter "botan". Alternately, put something -; like this in your .emacs file to make it the default style: +; M-x c-set-style <RET> and then enter "botan". -; (add-hook 'c++-mode-common-hook -; (function (lambda() -; (c-add-style "botan" botan t)))) - -(setq botan '( +(setq botan-style '( (c-basic-offset . 3) (c-comment-only-line-offset . 0) (c-offsets-alist @@ -55,3 +50,6 @@ (label . 0) ) )) + +(add-hook 'c++-mode-common-hook + (function (lambda () (c-add-style "botan" botan-style nil)))) diff --git a/doc/index.txt b/doc/index.txt new file mode 100644 index 000000000..430a71f20 --- /dev/null +++ b/doc/index.txt @@ -0,0 +1,90 @@ + +Welcome +======================================== + +Botan is a :doc:`BSD-licensed <license>` crypto library for C++. It +provides applications with most any :doc:`cryptographic algorithm +<algos>` you might be looking for, along with :doc:`SSL/TLS <ssl>`, +:doc:`X.509 certificates and CRLs <x509>`, a :doc:`pipeline-style +message processing system <filters>`, and a wide variety of other +features. A third party open source implementation of `SSHv2 +<http://www.netsieben.com/products/ssh/>`_ that uses botan is also +available. In addition to C++ you can use botan from Python or Perl, +though the current bindings only wrap portions of the library. + +See the :doc:`faq` for a list of common questions and answers. + +.. only:: html and website + + See :doc:`download` for information about getting the latest version. + +The core of botan is written in C++98 with no dependencies besides the +STL and the rest of the ISO standard library, but the library also +includes optional modules which make further assumptions about their +environment, providing features such as compression (using zlib or +bzip2), entropy gathering, and secure memory allocation. Assembly +implementations of key algorithms like SHA-1 and multiple precision +integer routines for x86 and x86-64 processors are also included. + +It runs on most common operating systems and can be used with a number +of different commercial and open source compilers. The :doc:`build log +<build_log>` contains information about recently tested targets. It is +already included in most major package distributions, including +\ +`Fedora <https://admin.fedoraproject.org/pkgdb/acls/name/botan>`_, +`EPEL <http://download.fedora.redhat.com/pub/epel/beta/6/SRPMS/repoview/botan.html>`_ (for RHEL/CentOS), +`Debian <http://packages.debian.org/search?keywords=libbotan>`_, +`Ubuntu <http://packages.ubuntu.com/search?keywords=botan>`_, +`Gentoo <http://packages.gentoo.org/package/botan>`_, +`Arch Linux <http://www.archlinux.org/packages/extra/x86_64/botan/>`_, +`Slackbuild <http://slackbuilds.org/result/?search=Botan>`_, +`FreeBSD <http://www.freshports.org/security/botan>`_, +`NetBSD <ftp://ftp.netbsd.org/pub/pkgsrc/current/pkgsrc/security/botan/README.html>`_, +`Cygwin <http://cygwin.com/packages/botan/>`_, +`MacPorts <http://www.macports.org/ports.php?by=name&substr=botan>`_, +`OpenPKG <http://www.openpkg.org/product/packages/?package=botan>`_, and +`T2 SDE <http://www.t2-project.org/packages/botan.html>`_ and has +more than a few :doc:`known users <users>`. + +It was started as a personal project by `Jack Lloyd +<http:://www.randombit.net>`_,who continues to be the maintainer and +release manager. Since the first release in 2001, a number of +:doc:`individuals and organizations <credits>` have contributed bug +fixes and new features. Check out the :doc:`release notes <log>` and +`news archive <http://botan.randombit.net/news>`_ for more project +history. + +If you need help or have questions, send a mail to the `development +mailing list +<http://lists.randombit.net/mailman/listinfo/botan-devel/>`_. +"Philosophical" bug reports, announcements of programs using the +library, and related topics are also welcome. :doc:`Commercial support +options <support>` are also available. If you find what you believe to +be a bug, please file a ticket in `Bugzilla +<http://bugs.randombit.net/>`_. + +A useful reference while reading this manual is the `Doxygen +documentation <http://botan.randombit.net/doxygen>`_. + +Recommended Reading +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +It's a very good idea if you have some knowledge of cryptography +*before* trying to use the library. This is an area where it is very +easy to make mistakes, and where things are often subtle and/or +counterintuitive. Obviously the library tries to provide things at a +high level precisely to minimize the number of ways things can go +wrong, but naive use will almost certainly not result in a secure +system. + +Especially recommended are: + +- *Cryptography Engineering* + Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno + +- *Security Engineering -- A Guide to Building Dependable Distributed Systems* + Ross Anderson + +- *Handbook of Applied Cryptography* + Alfred J. Menezes, Paul C. Van Oorschot, and Scott A. Vanstone + (`available online <http://www.cacr.math.uwaterloo.ca/hac/>`_) diff --git a/doc/insito_manual.pdf b/doc/insito_manual.pdf Binary files differdeleted file mode 100644 index b07146992..000000000 --- a/doc/insito_manual.pdf +++ /dev/null diff --git a/doc/internals.tex b/doc/internals.tex deleted file mode 100644 index 5b1650f6e..000000000 --- a/doc/internals.tex +++ /dev/null @@ -1,179 +0,0 @@ -\documentclass{article} - -\setlength{\textwidth}{6.75in} % 1 inch side margins -\setlength{\textheight}{9in} % ~1 inch top and bottom margins - -\setlength{\headheight}{0in} -\setlength{\topmargin}{0in} -\setlength{\headsep}{0in} - -\setlength{\oddsidemargin}{0in} -\setlength{\evensidemargin}{0in} - -\title{Botan Internals} -\author{Jack Lloyd ([email protected])} -\date{August 20, 2006} - -\newcommand{\filename}[1]{\texttt{#1}} -\newcommand{\manpage}[2]{\texttt{#1}(#2)} - -\newcommand{\function}[1]{\textbf{#1}} -\newcommand{\type}[1]{\texttt{#1}} -\renewcommand{\arg}[1]{\textsl{#1}} - -\begin{document} - -\maketitle - -\tableofcontents - -\parskip=5pt - -\section{Introduction} - -This document is intended to document some of the trickier and/or more -complicated parts of Botan. This is not going to be terribly useful if -you just want to use the library, but for people wishing to understand -how it works, or contribute new code to it, it will hopefully prove -helpful. - -I've realized that a lot of things Botan does internally are pretty -hard to understand, and that a lot of things are only inside my head, -which is a bad place for them to be (things tend to get lost in there, -not to mention the possibility that I'll get hit by a truck next -week). - -This document is currently very incomplete. I'll be working on it as I -have time. - -\pagebreak - -\section{Filter} - -\type{Filter} is one of the core abstractions of the library. It is -used to represent any sort of transformation. Nearly all -\type{Filter}s are linear; they take input from a single source and -send their output (if any) to another single \type{Filter}. The one -exception is \type{Fanout\_Filter}, which uses friend access to -\type{Filter} in order to allow for multiple \type{Filter}s to attach -to its output. This special access is used by the Chain and Fork -filters; Chain encapsulates one or more \type{Filter}s into a single -Filter, and Fork sends its input to a set of several \type{Filter} -objects. - -The majority of the relations between filters is maintained by the -\type{Pipe} object which ``owns'' the \type{Filter}s. - -\section{Pipe} - -\type{Pipe} is, conceptually, a tree structure of \type{Filter} -objects. There is a single unique top, and an arbitrary number of -leaves (which are \type{SecureQueue} objects). \type{SecureQueue} is a -simple \type{Filter} that buffers its input. - -Writing into the pipe writes into the top of the tree. The filter at -the top of the tree writes its output into the next \type{Filter}, and -so on until eventually data trickles down into the bottommost -\type{Filter}s, where the data is stored for later retrieval. - -When a new message is started, \type{Pipe} searches through the tree -of \type{Filter}s and finds places where the \arg{next} field of the -\type{Filter} is NULL. This implies that it was the lowest layer of -the \type{Filter} tree that the user added. It then adds -\type{SecureQueue} objects onto these \type{Filter}s. These queues are -also stored in an deque; this is so \type{Pipe} can read from them -later without doing a tree traversal each time. - -\type{Pipe} will, if asked, destroy the existing tree structure, in -order to create a new one. However, the queue objects are not deleted, -because \type{Pipe} might be asked to read from them later (while -\type{Pipe} could delete all the messages in this case, the principle -of least astonishment suggested keeping them). - -What I wrote about \type{Pipe} keeing the queues in a deque is a -lie. Sort of. It keeps them in an object called -\type{Output\_Buffers}, which keeps them in a -deque. \type{Output\_Buffers} is intended to abstract away how message -queues are stored from \type{Pipe}. After a queue has been added to -the output buffers object, \type{Pipe} keeps no references to it -whatsoever; all access is mediated by the \type{Output\_Buffers}. -This allows queues which have been read to be deleted, rather than -leaving empty queue objects all over the place. - -\section{Library Initialization} - -WRITEME - -\section{Lookup Mechanism} - -Most objects know their name, and they know how to create a new copy -of themselves. We build mapping tables that map from an algorithm name -into a single instance of that algorithm. The tables themselves can be -found in \filename{src/lookup.cpp}. - -There are a set of functions named \function{add\_algorithm} that can -be used to populate the tables. We get something out of the table with -\function{retrieve\_x}, where x is the name of a type -(\texttt{block\_cipher}, \texttt{hash}, etc). This returns a const -pointer to the single unique instance of the algorithm that the lookup -tables know about. If it doesn't know about it, it falls back on -calling a function called \function{try\_to\_get\_x}. These functions -live in \filename{src/algolist.cpp}. They are mostly used to handle -algorithms which need (or at least can have) arguments passed to them, -like \type{HMAC} and \type{SAFER\_SK}. It will return NULL if it can't -find the algorithm at all. - -When it's asked for an algorithm it doesn't know about (ie, isn't in -the mapping tables), the retrieval functions will ask the try-to-get -functions if \emph{they} know about it. If they do, then the object -returned will be stored into the table for later retrieval. - -The functions \function{get\_x} call the retrieval functions. If we -get back NULL, an exception is thrown. Otherwise it will call the -\function{clone} method to get a new copy of the algorithm, which it -returns. - -The various functions like \function{output\_length\_of} call the -retrieval function for each type of object that the parameter in -question (in this case, \texttt{OUTPUT\_LENGTH}) might be meaningful -for. If it manages to get back an object, it will return (in this -case) the \texttt{OUTPUT\_LENGTH} field of the object. No allocations -are required to call this function: all of its operations work -directly on the copies living in the lookup tables. - -\section{Allocators} - -A big (slow) mess. - -\section{BigInt} - -Read ``Handbook of Applied Cryptography''. - -\section{PEM/BER Identification} - -We have a specific algorithm for figuring out if something is PEM or -BER. Previous versions (everything before 1.3.0) requried that the -caller specify which one it was, and they had to be right. Now we use -a hueristic (aka, an algorithm that sometimes doesn't work right) to -figure it out. If the first character is not 0x30 (equal to ASCII -'0'), then it can't possibly be BER (because everything we care about -is enclosed in an ASN.1 SEQUENCE, which for BER/DER is encoded as -beginning with 0x30). Roughly 99.9% of PEM blocks \emph{won't} have a -random 0 character in front of them, so we are mostly safe (unless -someone does it on purpose, in which case, please hit them for me). -But to be sure, if there is a 0, then we search the first \emph{N} -bytes of the block for the string ``-----BEGIN ``, which marks the -typical start of a PEM block. The specific \emph{N} depends on the -variable ``base/pem\_search'', which defaults to 4 kilobytes. - -So, you can actually fool it either way: that a PEM file is really -BER, or that a BER file is actually PEM. To fool it that a BER file is -PEM, just have the string ``-----BEGIN `` somewhere (I can't imagine -this string shows up in certificates or CRLs too often, so if it is -there it means somebody is being a jerk). If a file starts with 0 and -has at least ``base/pem\_search'' byte more junk in the way, it won't -notice that its PEM at all. In either case, of course, the loading -will fail, and you'll get a nice exception saying that the decoding -failed. - -\end{document} diff --git a/doc/kdf.txt b/doc/kdf.txt new file mode 100644 index 000000000..da916dcb3 --- /dev/null +++ b/doc/kdf.txt @@ -0,0 +1,37 @@ + +.. _key_derivation_function: + +Key Derivation Functions +======================================== + +Key derivation functions are used to turn some amount of shared secret +material into uniform random keys suitable for use with symmetric +algorithms. An example of an input which is useful for a KDF is a +shared secret created using Diffie-Hellman key agreement. + +.. cpp:class:: KDF + + .. cpp:function:: SecureVector<byte> derive_key( \ + size_t key_len, const MemoryRegion<byte>& secret, \ + const std::string& salt = "") const + + .. cpp:function:: SecureVector<byte> derive_key( \ + size_t key_len, const MemoryRegion<byte>& secret, \ + const MemoryRegion<byte>& salt) const + + .. cpp:function:: SecureVector<byte> derive_key( \ + size_t key_len, const MemoryRegion<byte>& secret, \ + const byte* salt, size_t salt_len) const + + .. cpp:function:: SecureVector<byte> derive_key( \ + size_t key_len, const byte* secret, size_t secret_len, \ + const std::string& salt) const + + All variations on the same theme. Deterministically creates a + uniform random value from *secret* and *salt*. Typically *salt* is + a lable or identifier, such as a session id. + +You can create a :cpp:class:`KDF` using + +.. cpp:function:: KDF* get_kdf(const std::string& algo_spec) + diff --git a/doc/license.txt b/doc/license.txt index f1b261eab..aefcee395 100644 --- a/doc/license.txt +++ b/doc/license.txt @@ -1,42 +1,49 @@ -Botan (http://botan.randombit.net/) is distributed under these terms: - -Copyright (C) 1999-2011 Jack Lloyd - 2001 Peter J Jones - 2004-2007 Justin Karneges - 2004 Vaclav Ovsik - 2005 Matthew Gregan - 2005-2006 Matt Johnston - 2006 Luca Piccarreta - 2007 Yves Jerschow - 2007-2008 FlexSecure GmbH - 2007-2008 Technische Universitat Darmstadt - 2007-2008 Falko Strenzke - 2007-2008 Martin Doering - 2007 Manuel Hartl - 2007 Christoph Ludwig - 2007 Patrick Sona - 2010 Olivier de Gaalon -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are -met: - -1. Redistributions of source code must retain the above copyright -notice, this list of conditions, and the following disclaimer. - -2. Redistributions in binary form must reproduce the above copyright -notice, this list of conditions, and the following disclaimer in the -documentation and/or other materials provided with the distribution. - -THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) "AS IS" AND ANY EXPRESS OR -IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, -ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE -LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR -BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, -WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE -OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN -IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +.. _license: +.. highlight:: none + +License +======================================== + +Botan (http://botan.randombit.net/) is distributed under these terms:: + + Copyright (C) 1999-2011 Jack Lloyd + 2001 Peter J Jones + 2004-2007 Justin Karneges + 2004 Vaclav Ovsik + 2005 Matthew Gregan + 2005-2006 Matt Johnston + 2006 Luca Piccarreta + 2007 Yves Jerschow + 2007-2008 FlexSecure GmbH + 2007-2008 Technische Universitat Darmstadt + 2007-2008 Falko Strenzke + 2007-2008 Martin Doering + 2007 Manuel Hartl + 2007 Christoph Ludwig + 2007 Patrick Sona + 2010 Olivier de Gaalon + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions, and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions, and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) "AS IS" AND ANY EXPRESS OR + IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, + ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE + LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE + OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN + IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/doc/log.txt b/doc/log.txt index 9313ac2f6..b9c6c9230 100644 --- a/doc/log.txt +++ b/doc/log.txt @@ -1,1525 +1,2072 @@ -* 1.9.15-dev, ????-??-?? - - Pipe will delete empty output queues as soon as they are no longer - needed, even if earlier messages still have data unread. - -* 1.9.14, 2011-03-01 - - Add support for bcrypt, OpenBSD's password hashing scheme - - Add support for NIST's AES key wrapping algorithm - - Fix an infinite loop in zlib filters introduced in 1.9.11 (PR 142) - -* 1.9.13, 2011-02-19 - - Update Keccak to the round 3 variant - - Fix ordering in GOST 34.10 signatures to match DNSSEC specifications - - Use size_t instead of u32bit for small integers in DER/BER codecs - - Add new build option --distribution-info - - Fix problems in the amalgamation build - - Fix building under Clang 2.9 and Sun Studio 12 - -* 1.9.12, 2010-12-13 - - Add the Keccak hash function - - Fix compilation problems in Python wrappers - - Fix compilation problem in OpenSSL engine - - Update SQLite3 database encryption codec - -* 1.9.11, 2010-11-29 - - Many SSL/TLS APIs have changed. This API is still unstable. - - The SSL interface requires TR1 (uses std::tr1::function) - - Fix SSL handshake failures when using RC4 ciphersuites - - Fix a number of CRL encoding and decoding bugs - - Counter mode now always encrypts 256 blocks in parallel - - Code where u32bit was used to represent a length now uses size_t - - Use small tables in the first round of AES - - Removed AES class: app must choose AES-128, AES-192, or AES-256 - - Add hex encoding/decoding functions that can be used without a Pipe - - Add base64 encoding functions that can be used without a Pipe - - Add to_string function to X509_Certificate - - Add support for dynamic engine loading on Windows - - Replace BlockCipher::BLOCK_SIZE attribute with function block_size() - - Replace HashFunction::HASH_BLOCK_SIZE attribute with hash_block_size() - - Changed semantics of MemoryRegion::resize and clear to match STL - - Removed MemoryRegion::append, replaced by push_back and operator+= - - Move PBKDF lookup to engine system - - The IDEA key schedule has been changed to run in constant time - - Avoid a possible timing vulnerability in Montgomery reduction - - Add Algorithm and Key_Length_Specification classes - - Switch default PKCS #8 encryption algorithm from AES-128 to AES-256 - - Update Skein-512 to match the v1.3 specification - - Allow using PBKDF2 with empty passphrases - - Add compile-time deprecation warnings for GCC, Clang, and MSVC - - Support use of HMAC(SHA-256) and CMAC(Blowfish) in passhash9 - - Improve support for Intel Atom processors - - Fix compilation problems under Sun Studio and Clang - -* 1.8.11, 2010-11-02 - - Fix a number of CRL encoding and decoding bugs - - When building a debug library under VC++, use the debug runtime - - Fix compilation under Sun Studio on Linux and Solaris - - Add several functions for compatability with 1.9 - - In the examples, read most input files as binary - - The Perl build script has been removed in this release - -* 1.8.10, 2010-08-31 - - Switch default PKCS #8 encryption algorithm from 3DES to AES-256 - - Increase default hash iterations from 2048 to 10000 in PBES1 and PBES2 - - Use small tables in the first round of AES - - Add PBKDF typedef and get_pbkdf for better compatability with 1.9 - - Add version of S2K::derive_key taking salt and iteration count - - Enable the /proc-walking entropy source on NetBSD - - Fix the doxygen makefile target - -* 1.9.10, 2010-08-12 - - Add a constant time AES implementation using SSSE3 - - Add support for loading new Engines at runtime - - Use GCC byteswap intrinsics where possible - - Drop support for building with Python 2.4 - - Fix benchmarking of block ciphers in ECB mode - - Consolidate the two x86 assembly engines - - Rename S2K to PBKDF - -* 1.9.9, 2010-06-28 - - Add new X509::BER_encode and PKCS8::BER_encode - - Give all Filter objects a name() function - - Add Keyed_Filter::valid_iv_length - - Increase default iteration counts for private key encryption - - Fix compilation of mp_asm64 on 64-bit MIPS with GCC 4.4 and later - - Fix compilation under Apple's GCC 4.2 - - Expand and update the Doxygen documentation - -* 1.8.9, 2010-06-16 - - Use constant time multiplication in IDEA - - Avoid possible timing attack against OAEP decoding - - Add new X509::BER_encode and PKCS8::BER_encode - - Enable DLL builds under Windows - - Add Win32 installer support - - Add support for the Clang compiler - - Fix problem in semcem.h preventing build under Clang or GCC 3.4 - - Fix bug that prevented creation of DSA groups under 1024 bits - - Fix crash in GMP_Engine if library is shutdown and reinitialized - - Work around problem with recent binutils in x86-64 SHA-1 - - The Perl build script is no longer supported and refuses to run by default - -* 1.9.8, 2010-06-14 - - Add support for wide multiplications on 64-bit Windows - - Use constant time multiplication in IDEA - - Avoid possible timing attack against OAEP decoding - - Removed FORK-256; rarely used and it has been broken - - Rename --use-boost-python to --with-boost-python - - Skip building shared libraries on MinGW/Cygwin - - Fix creation of 512 and 768 bit DL groups using the DSA kosherizer - - Fix compilation on GCC versions before 4.3 (missing cpuid.h) - - Fix compilation under the Clang compiler - -* 1.9.7, 2010-04-27 - - TLS: Support reading SSLv2 client hellos - - TLS: Add support for SEED ciphersuites (RFC 4162) - - Add Comb4P hash combiner function - - Fix checking of EMSA_Raw signatures with leading 0 bytes - -* 1.9.6, 2010-04-09 - - TLS: Add support for TLS v1.1 - - TLS: Support server name indicator extension - - TLS: Fix server handshake - - TLS: Fix server using DSA certificates - - TLS: Avoid timing channel between CBC padding check and MAC verification - -* 1.9.5, 2010-03-29 - - Numerous ECC optimizations - - Fix GOST 34.10-2001 X.509 key loading - - Allow PK_Signer's fault protection checks to be toggled off - - Avoid using pool-based locking allocator if we can't mlock - - Remove all runtime options - - New BER_Decoder::{decode_and_check, decode_octet_string_bigint} - - Remove SecureBuffer in favor of SecureVector length parameter - - HMAC_RNG: Perform a poll along with user-supplied entropy - - Fix crash in MemoryRegion if Allocator::get failed - - Fix small compilation problem on FreeBSD - -* 1.9.4, 2010-03-09 - - Add the Ajisai SSLv3/TLSv1.0 implementation - - Add GOST 34.10-2001 public key signature scheme - - Add SIMD implementation of Noekeon - - Add SSE2 implementation of IDEA - - Extend Salsa20 to support longer IVs (XSalsa20) - - Perform XTS encryption and decryption in parallel where possible - - Perform CBC decryption in parallel where possible - - Add SQLite3 db encryption codec, contributed by Olivier de Gaalon - - Add a block cipher cascade construction - - Add support for password hashing for authentication (passhash9.h) - - Add support for Win32 high resolution system timers - - Major refactoring and API changes in the public key code - - Use consistency checking (anti-fault attack) for all signature schemes - - Changed S2K interface: derive_key now takes salt, iteration count - - Remove dependency on TR1 for ECC and CVC code - - Renamed ECKAEG to its more usual name, ECDH - - Fix crash in GMP_Engine if library is shutdown and reinitialized - - Fix an invalid memory read in MD4 - - Fix Visual C++ static builds - - Remove Timer class entirely - - Switch default PKCS #8 encryption algorithm from 3DES to AES-128 - - New option --gen-amalgamation for creating a SQLite-style amalgamation - - Many headers are now explicitly internal-use-only and are not installed - - Greatly improve the Win32 installer - - Several fixes for Visual C++ debug builds - -* 1.9.3, 2009-11-19 - - Add new AES implementation using Intel's AES instruction intrinsics - - Add an implementation of format preserving encryption - - Allow use of any hash function in X.509 certificate creation - - Optimizations for MARS, Skipjack, and AES - - Set macros for available SIMD instructions in build.h - - Add support for using InnoSetup to package Windows builds - - By default build a DLL on Windows - -* 1.9.2, 2009-11-03 - - Add SIMD version of XTEA - - Support both SSE2 and AltiVec SIMD for Serpent and XTEA - - Optimizations for SHA-1 and SHA-2 - - Add AltiVec runtime detection - - Fix x86 CPU identification with Intel C++ and Visual C++ - -* 1.8.8, 2009-11-03 - - Alter Skein-512 to match the tweaked 1.2 specification - - Fix use of inline asm for access to x86 bswap function - - Allow building the library without AES enabled - - Add 'powerpc64' alias to ppc64 arch for Gentoo ebuild - -* 1.9.1, 2009-10-23 - - Better support for Python and Perl wrappers - - Add an implementation of Blue Midnight Wish (Round 2 tweak version) - - Modify Skein-512 to match the tweaked 1.2 specification - - Add threshold secret sharing (draft-mcgrew-tss-02) - - Add runtime cpu feature detection for x86/x86-64 - - Add code for general runtime self testing for hashes, MACs, and ciphers - - Optimize XTEA; twice as fast as before on Core2 and Opteron - - Convert CTR_BE and OFB from filters to stream ciphers - - New parsing code for SCAN algorithm names - - Enable SSE2 optimizations under Visual C++ - - Remove all use of C++ exception specifications - - Add support for GNU/Hurd and Clang/LLVM - -* 1.9.0, 2009-09-09 - - Add support for parallel invocation of block ciphers where possible - - Add SSE2 implementation of Serpent - - Add Rivest's package transform (an all or nothing transform) - - Minor speedups to the Turing key schedule - - Fix processing multiple messages in XTS mode - - Add --no-autoload option to configure.py, for minimized builds - - The previously used configure.pl script is no longer supported - -* 1.8.7, 2009-09-09 - - Fix processing multiple messages in XTS mode - - Add --no-autoload option to configure.py, for minimized builds - -* 1.8.6, 2009-08-13 - - Add Cryptobox, a set of simple password-based encryption routines - - Only read world-readable files when walking /proc for entropy - - Fix building with TR1 disabled - - Fix x86 bswap support for Visual C++ - - Fixes for compilation under Sun C++ - - Add support for Dragonfly BSD (contributed by Patrick Georgi) - - Add support for the Open64 C++ compiler - - Build fixes for MIPS systems running Linux - - Minor changes to license, now equivalent to the FreeBSD/NetBSD license - -* 1.8.5, 2009-07-23 - - Change configure.py to work on stock Python 2.4 - - Avoid a crash in Skein_512::add_data processing a zero-length input - - Small build fixes for SPARC, ARM, and HP-PA processors - - The test suite now returns an error code from main() if any tests failed - -* 1.8.4, 2009-07-12 - - Fix a bug in nonce generation in the Miller-Rabin test - -* 1.8.3, 2009-07-11 - - Add a new Python configuration script - - Add the Skein-512 SHA-3 candidate hash function - - Add the XTS block cipher mode from IEEE P1619 - - Fix random_prime when generating a prime of less than 7 bits - - Improve handling of low-entropy situations during PRNG seeding - - Change random device polling to prefer /dev/urandom over /dev/random - - Use an input insensitive implementation of same_mem instead of memcmp - - Correct DataSource::discard_next to return the number of discarded bytes - - Provide a default value for AutoSeeded_RNG::reseed - - Fix Gentoo bug 272242 - -* 1.8.2, 2009-04-07 - - Make entropy polling more flexible and in most cases faster - - GOST 28147 now supports multiple sbox parameters - - Added the GOST 34.11 hash function - - Fix botan-config problems on MacOS X - -* 1.8.1, 2009-01-20 - - Avoid a valgrind warning in es_unix.cpp on 32-bit Linux - - Fix memory leak in PKCS8 load_key and encrypt_key - - Relicense api.tex from CC-By-SA 2.5 to BSD - - Fix botan-config on MacOS X, Solaris - -* 1.8.0, 2008-12-08 - - Fix compilation on Solaris with GCC - -* 1.7.24, 2008-12-01 - - Fix a compatibility problem with SHA-512/EMSA3 signature padding - - Fix bug preventing EGD/PRNGD entropy poller from working - - Fix integer overflow in Pooling_Allocator::get_more_core (bug id #27) - - Add EMSA3_Raw, a variant of EMSA3 called CKM_RSA_PKCS in PKCS #11 - - Add support for SHA-224 in EMSA2 and EMSA3 PK signature padding schemes - - Add many more test vectors for RSA with EMSA2, EMSA3, and EMSA4 - - Wrap private structs in SSE2 SHA-1 code in anonymous namespace - - Change configure.pl's CPU autodetection output to be more consistent - - Disable using OpenSSL's AES due to crashes of unknown cause - - Fix warning in /proc walking entropy poller - - Fix compilation with IBM XLC for Cell 0.9-200709 - -* 1.7.23, 2008-11-23 - - Change to use TR1 (thus enabling ECDSA) with GCC and ICC - - Optimize almost all hash functions, especially MD4 and Tiger - - Add configure.pl options --{with,without}-{bzip2,zlib,openssl,gnump} - - Change Timer to be pure virtual, and add ANSI_Clock_Timer - - Cache socket descriptors in the EGD entropy source - - Avoid bogging down startup in /proc walking entropy source - - Remove Buffered_EntropySource helper class - - Add a Default_Benchmark_Timer typedef in benchmark.h - - Add examples using benchmark.h and Algorithm_Factory - - Add ECC tests from InSiTo - - Minor documentation updates - -* 1.7.22, 2008-11-17 - - Add provider preferences to Algorithm_Factory - - Fix memory leaks in PBE_PKCS5v20 and get_pbe introduced in 1.7.21 - - Optimize AES encryption and decryption (about 10% faster) - - Enable SSE2 optimized SHA-1 implementation on Intel Prescott CPUs - - Fix nanoseconds overflow in benchmark code - - Remove Engine::add_engine - -* 1.7.21, 2008-11-11 - - Make algorithm lookup much more configuable - - Add facilities for runtime performance testing of algorithms - - Drop use of entropy estimation in the PRNGs - - Increase intervals between HMAC_RNG automatic reseeding - - Drop InitializerOptions class, all options but thread safety - -* 1.7.20, 2008-11-09 - - Namespace pkg-config file by major and minor versions - - Cache device descriptors in Device_EntropySource - - Split base.h into {block_cipher,stream_cipher,mac,hash}.h - - Removed get_mgf function from lookup.h - -* 1.7.19, 2008-11-06 - - Add HMAC_RNG, based on a design by Hugo Krawczyk - - Optimized the Turing stream cipher (about 20% faster on x86-64) - - Modify Randpool's reseeding algorithm to poll more sources - - Add a new AutoSeeded_RNG in auto_rng.h - - OpenPGP_S2K changed to take hash object instead of name - - Add automatic identification for Intel's Prescott processors - -* 1.7.18, 2008-10-22 - - Add Doxygen comments from InSiTo - - Add ECDSA and ECKAEG benchmarks - - Add configure.pl switch --with-tr1-implementation - - Fix configure.pl's --with-endian and --with-unaligned-mem options - - Added support for pkg-config - - Optimize byteswap with x86 inline asm for Visual C++ by Yves Jerschow - - Use const references to avoid copying overhead in CurveGFp, GFpModulus - -* 1.7.17, 2008-10-12 - - Add missing ECDSA object identifiers - - Fix error in x86 and x86-64 assembler affecting GF(p) math - - Remove Boost dependency from GF(p) math - - Modify botan-config to not print -L/usr/lib or -L/usr/local/lib - - Add BOTAN_DLL macro to over 30 classes missing it - - Rename the two SHA-2 base classes for consistency - -* 1.7.16, 2008-10-09 - - Add several missing pieces needed for ECDSA and ECKAEG - - Add Card Verifiable Certificates from InSiTo - - Add SHA-224 from InSiTo - - Add BSI variant of EMSA1 from InSiTo - - Add GF(p) and ECDSA tests from InSiTo - - Split ECDSA and ECKAEG into distinct modules - - Allow OpenSSL and GNU MP engines to be built with public key algos disabled - - Rename sha256.h to sha2_32.h and sha_64.h to sha2_64.h - -* 1.7.15, 2008-10-07 - - Add GF(p) arithmetic from InSiTo - - Add ECDSA and ECKAEG implementations from InSiTo - - Minimize internal dependencies, allowing for smaller build configurations - - Add new User Manual and Architecture Guide from FlexSecure GmbH - - Alter configure.pl options for better autotools compatibility - - Update build instructions for recent changes to configure.pl - - Fix CPU detection using /proc/cpuinfo - -* 1.7.14, 2008-09-30 - - Split library into parts allowing modular builds - - Add (very preliminary) CMS support to the main library - - Some constructors now require object pointers instead of names - - Support multiple implementations of the same algorithm - - Build support for Pentium-M processors, from Derek Scherger - - Build support for MinGW/MSYS, from Zbigniew Zagorski - - Use inline assembly for bswap on 32-bit x86 - -* 1.7.13, 2008-09-27 - - Add SSLv3 MAC, SSLv3 PRF, and TLS v1.0 PRF from Ajisai - - Allow all examples to compile even if compression not enabled - - Make CMAC's polynomial doubling operation a public class method - - Use the -m64 flag when compiling with Sun Forte on x86-64 - - Clean up and slightly optimize CMAC::final_result - -* 1.7.12, 2008-09-18 - - Add x86 assembly for Visual Studio C++, by Luca Piccarreta - - Add a Perl XS module, by Vaclav Ovsik - - Add SWIG-based wrapper for Botan - - Add SSE2 implementation of SHA-1, by Dean Gaudet - - Remove the BigInt::sig_words cache due to bugs - - Combined the 4 Blowfish sboxes, suggested by Yves Jerschow - - Changed BigInt::grow_by and BigInt::grow_to to be non-const - - Add private assignment operators to classes that don't support assignment - - Benchmark RSA encryption and signatures - - Added test programs for random_prime and ressol - - Add high resolution timers for IA-64, HP-PA, S390x - - Reduce use of the RNG during benchmarks - - Fix builds on STI Cell PPU - - Add support for IBM's XLC compiler - - Add IETF 8192 bit MODP group - -* 1.7.11, 2008-09-11 - - Added the Salsa20 stream cipher - - Optimized Montgomery reduction, Karatsuba squaring - - Added 16x16->32 word Comba multiplication and squaring - - Use a much larger Karatsuba cutoff point - - Remove bigint_mul_add_words - - Inlined several BigInt functions - - Add useful information to the generated build.h - - Rename alg_{ia32,amd64} modules to asm_{ia32,amd64} - - Fix the Windows build - -* 1.7.10, 2008-09-05 - - Public key benchmarks run using a selection of random keys - - New benchmark timer options are clock_gettime, gettimeofday, times, clock - - Including reinterpret_cast optimization for xor_buf in default header - - Split byte swapping and word rotation functions into distinct headers - - Add IETF modp 6144 group and 2048 and 3072 bit DSS groups - - Optimizes BigInt right shift - - Add aliases in DL_Group::Format enum - - BigInt now caches the significant word count - -* 1.7.9, 2008-08-27 - - Make clear() in most algorithm base classes a pure virtual - - Add noexec stack marker for GNU linker in assembly code - - Avoid string operations in ressol - - Compilation fixes for MinGW and Visual Studio C++ 2008 - - Some autoconfiguration fixes for Windows - -* 1.6.5, 2008-08-27 - - Add noexec stack marker for GNU linker in assembly code - - Fix autoconfiguration problem on x86 with GCC 4.2 and 4.3 - -* 1.7.8, 2008-07-15 - - Added the block cipher Noekeon - - Remove global deref_alias function - - X509_Store takes timeout options as constructor arguments - - Add Shanks-Tonelli algorithm, contributed by FlexSecure GmbH - - Extend random_prime() for generating primes of any bit length - - Remove Config class - - Allow adding new entropy via base RNG interface - - Reseeding a X9.31 PRNG also reseeds the underlying PRNG - -* 1.7.7, 2008-06-28 - - Remove the global PRNG object - - The PK filter objects were removed - - Add a test suite for the ANSI X9.31 PRNG - - Much cleaner and (mostly) thread-safe reimplementation of es_ftw - - Remove both default arguments to ANSI_X931_RNG's constructor - - Remove the randomizing version of OctetString::change - - Make the cipher and MAC to use in Randpool configurable - - Move RandomNumberGenerator declaration to rng.h - - RSA_PrivateKey will not generate keys smaller than 1024 bits - - Fix an error decoding BER UNIVERSAL types with special taggings - -* 1.7.6, 2008-05-05 - - Initial support for Windows DLLs, from Joel Low - - Reset the position pointer when a new block is generated in X9.32 PRNG - - Timer objects are now treated as entropy sources - - Moved several ASN.1-related enums from enums.h to an appropriate header - - Removed the AEP module, due to inability to test - - Removed Global_RNG and rng.h - - Removed system_clock - - Removed Library_State::UI and the pulse callback logic - -* 1.7.5, 2008-04-12 - - The API of X509_CA::sign_request was altered to avoid race conditions - - New type Pipe::message_id to represent the Pipe message number - - Remove the Named_Mutex_Holder for a small performance gain - - Removed several unused or rarely used functions from Config - - Ignore spaces inside of a decimal string in BigInt::decode - - Allow using a std::istream to initialize a DataSource_Stream object - - Fix compilation problem in zlib compression module - - The chunk sized used by Pooling_Allocator is now a compile time setting - - The size of random blinding factors is now a compile time setting - - The install target no longer tries to set a particular owner/group - -* 1.7.4, 2008-03-10 - - Use unaligned memory read/writes on systems that allow it, for performance - - Assembly for x86-64 for accessing the bswap instruction - - Use larger buffers in ARC4 and WiderWAKE for significant throughput increase - - Unroll loops in SHA-160 for a few percent increase in performance - - Fix compilation with GCC 3.2 in es_ftw and es_unix - - Build fix for NetBSD systems - - Prevent es_dev from being built except on Unix systems - -* 1.6.4, 2008-03-08 - - Fix a compilation problem with Visual Studio C++ 2003 - -* 1.7.3, 2008-01-23 - - New invocation syntax for configure.pl with several new options - - Support for IPv4 addresses in a subject alternative name - - New fast poll for the generic Unix entropy source (es_unix) - - The es_file entropy source has been replaced by the es_dev module - - The malloc allocator does not inherit from Pooling_Allocator anymore - - The path that es_unix will search in are now fully user-configurable - - Truncate X9.42 PRF output rather than allow counter overflow - - PowerPC is now assumed to be big-endian - -* 1.7.2, 2007-10-13 - - Initialize the global library state lazily - - Add plain CBC-MAC for backwards compatibility with old systems - - Clean up some of the self test code - - Throw a sensible exception if a DL_Group is not found - - Truncate KDF2 output rather than allowing counter overflow - - Add newly assigned OIDs for SHA-2 and DSA with SHA-224/256 - - Fix a Visual Studio compilation problem in x509stat.cpp - -* 1.7.1, 2007-07-23 - - Fix a race condition in the algorithm object cache - - HMAC key schedule optimization - - The build header sets a macro defining endianness, if known - - New word load/store abstraction allowing further optimization - - Modify most of the library to avoid use the C-style casts - - Use higher resolution timers in symmetric benchmarks - -* 1.6.3, 2007-07-23 - - Fix a race condition in the algorithm lookup cache - - Fix problems building the memory pool on some versions of Visual C++ - -* 1.7.0, 2007-05-19 - - DSA parameter generation now follows FIPS 186-3 - - Added OIDs for Rabin-Williams and Nyberg-Rueppel - - Somewhat better support for out of tree builds - - Minor optimizations for RC2 and Tiger - - Documentation updates - - Update the todo list - -* 1.6.2, 2007-03-24 - - Fix autodection on Athlon64s running Linux - - Fix builds on QNX and compilers using STLport - - Remove a call to abort() that crept into production - -* 1.6.1, 2007-01-20 - - Fix some base64 decoder bugs - - Add a new option to base64 encoding, to always append a newline - - Fix some build problems under Visual Studio with debug enabled - - Fix a bug in BER_Decoder that was triggered under some compilers - -* 1.6.0, 2006-12-17 - - Minor cleanups versus 1.5.13 - -* 1.5.13, 2006-12-10 - - Compilation fixes for the bzip2, zlib, and GNU MP modules - - Better support for Intel C++ and EKOpath C++ on x86-64 - -* 1.5.12, 2006-10-27 - - Cleanups in the initialization routines - - Add some x86-64 assembly for multiply-add - - Fix problems generating very small (below 384 bit) RSA keys - - Support out of tree builds - - Bring some of the documentation up to date - - More improvements to the Python bindings - -* 1.5.11, 2006-09-10 - - Removed the Algorithm base class - - Various cleanups in the public key inheritance hierarchy - - Major overhaul of the configure/build setup - - Added x86 assembler implementations of Serpent and low-level MPI code - - Optimizations for the SHA-1 x86 assembler - - Various improvements to the Python wrappers - - Work around a Visual Studio compiler bug - -* 1.5.10, 2006-08-13 - - Add x86 assembler versions of MD4, MD5, and SHA-1 - - Expand InitializerOptions' language to support on/off switches - - Fix definition of OID 2.5.4.8; was accidentally changed in 1.5.9 - - Fix possible resource leaks in the mmap allocator - - Slightly optimized buffering in MDx_HashFunction - - Initialization failures are dealt with somewhat better - - Add an example implementing Pollard's Rho algorithm - - Better option handling in the test/benchmark tool - - Expand the xor_ciph example to support longer keys - - Some updates to the documentation - -* 1.5.9, 2006-07-12 - - Fixed bitrot in the AEP engine - - Fix support for marking certificate/CRL extensions as critical - - Significant cleanups in the library state / initialization code - - LibraryInitializer takes an explicit InitializerOptions object - - Make Mutex_Factory an abstract class, add Default_Mutex_Factory - - Change configuration access to using global_state() - - Add support for global named mutexes throughout the library - - Add some STL wrappers for the delete operator - - Change how certificates are created to be more flexible and general - -* 1.5.8, 2006-06-23 - - Many internal cleanups to the X.509 cert/CRL code - - Allow for application code to support new X.509 extensions - - Change the return type of X509_Certificate::{subject,issuer}_info - - Allow for alternate character set handling mechanisms - - Fix a bug that was slowing squaring performance somewhat - - Fix a very hard to hit overflow bug in the C version of word3_muladd - - Minor cleanups to the assembler modules - - Disable es_unix module on FreeBSD due to build problem on FreeBSD 6.1 - - Support for GCC 2.95.x has been dropped in this release - -* 1.5.7, 2006-05-28 - - Further, major changes to the BER/DER coding system - - Updated the Qt mutex module to use Mutex_Factory - - Moved the library global state object into an anonymous namespace - - Drop the Visual C++ x86 assembly module due to bugs - -* 1.5.6, 2006-03-01 - - The low-level DER/BER coding system was redesigned and rewritten - - Portions of the certificate code were cleaned up internally - - Use macros to substantially clean up the GCC assembly code - - Added 32-bit x86 assembly for Visual C++ (by Luca Piccarreta) - - Avoid a couple of spurious warnings under Visual C++ - - Some slight cleanups in X509_PublicKey::key_id - -* 1.5.5, 2006-02-04 - - Fixed a potential infinite loop in the memory pool code (Matt Johnston) - - Made Pooling_Allocator::Memory_Block an actual class of sorts - - Some small optimizations to the division and modulo computations - - Cleaned up the implementation of some of the BigInt operators - - Reduced use of dynamic memory allocation in low-level BigInt functions - - A few simplifications in the Randpool mixing function - - Removed power(), as it was not particularly useful (or fast) - - Fixed some annoying bugs in the benchmark code - - Added a real credits file - -* 1.5.4, 2006-01-29 - - Integrated x86 and amd64 assembly code, contributed by Luca Piccarreta - - Fixed a memory access off-by-one in the Karatsuba code - - Changed Pooling_Allocator's free list search to a log(N) algorithm - - Merged ModularReducer with its only subclass, Barrett_Reducer - - Fixed sign-handling bugs in some of the division and modulo code - - Renamed the module description files to modinfo.txt - - Further cleanups in the initialization code - - Removed BigInt::add and BigInt::sub - - Merged all the division-related functions into just divide() - - Modified the <mp_asmi.h> functions to allow for better optimizations - - Made the number of bits polled from an EntropySource user configurable - - Avoid including <algorithm> in <botan/secmem.h> - - Fixed some build problems with Sun Forte - - Removed some dead code from bigint_modop - - Fix the definition of same_mem - -* 1.5.3, 2006-01-24 - - Many optimizations in the low-level multiple precision integer code - - Added hooks for assembly implementations of the MPI code - - Support for the X.509 issuer alternative name extension in new certs - - Fixed a bug in the decompression modules; found and patched by Matt Johnston - - New Windows mutex module (mux_win32), by Luca Piccarreta - - Changed the Windows timer module to use QueryPerformanceCounter - - mem_pool.cpp was using std::set iterators instead of std::multiset ones - - Fixed a bug in X509_CA preventing users from disabling particular extensions - - Fixed the mp_asm64 module, which was entirely broken in 1.5.2 - - Fixed some module build problems on FreeBSD and Tru64 - -* 1.5.2, 2006-01-15 - - Fixed an off-by-one memory read in MISTY1::key() - - Fixed a nasty memory leak in Output_Buffers::retire() - - Reimplemented the memory allocator from scratch - - Improved memory caching in Montgomery exponentiation - - Optimizations for multiple precision addition and subtraction - - Fixed a build problem in the hardware timer module on 64-bit PowerPC - - Changed default Karatsuba cutoff to 12 words (was 14) - - Removed MemoryRegion::bits(), which was unused and incorrect - - Changed maximum HMAC keylength to 1024 bits - - Various minor Makefile and build system changes - - Avoid using std::min in <secmem.h> to bypass Windows libc macro pollution - - Switched checks/clock.cpp back to using clock() by default - - Enabled the symmetric algorithm tests, which were accidentally off in 1.5.1 - - Removed the Default_Mutex's unused clone() member function - -* 1.4.12, 2006-01-15 - - Fixed an off-by-one memory read in MISTY1::key() - - Fixed a nasty memory leak in Output_Buffers::retire() - - Changed maximum HMAC keylength to 1024 bits - - Fixed a build problem in the hardware timer module on 64-bit PowerPC - -* 1.5.1, 2006-01-08 - - Implemented Montgomery exponentiation - - Implemented generalized Karatsuba multiplication and squaring - - Implemented Comba squaring for 4, 6, and 8 word inputs - - Added new Modular_Exponentiator and Power_Mod classes - - Removed FixedBase_Exp and FixedExponent_Exp - - Fixed a performance regression in get_allocator introduced in 1.5.0 - - Engines can now offer S2K algorithms and block cipher padding methods - - Merged the remaining global 'algolist' code into Default_Engine - - The low-level MPI code is linked as C again - - Replaced BigInt's get_nibble with the more general get_substring - - Some documentation updates - -* 1.5.0, 2006-01-01 - - Moved all global/shared library state into a single object - - Mutex objects are created through mutex factories instead of a global - - Removed ::get_mutex(), ::initialize_mutex(), and Mutex::clone() - - Removed the RNG_Quality enum entirely - - There is now only a single global-use PRNG - - Removed the no_aliases and no_oids options for LibraryInitializer - - Removed the deprecated algorithms SEAL, ISAAC, and HAVAL - - Change es_ftw to use unbuffered I/O - -* 1.4.11, 2005-12-31 - - Changed Whirlpool diffusion matrix to match updated algorithm spec - - Fixed several engine module build errors introduced in 1.4.10 - - Fixed two build problems in es_capi; reported by Matthew Gregan - - Added a constructor to DataSource_Memory taking a std::string - - Placing the same Filter in multiple Pipes triggers an exception - - The configure script accepts --docdir and --libdir - - Merged doc/rngs.txt into the main API document - - Thanks to Joel Low for several bug reports on early tarballs of 1.4.11 - -* 1.4.10, 2005-12-18 - - Added an implementation of KASUMI, the block cipher used in 3G phones - - Refactored Pipe; output queues are now managed by a distinct class - - Made certain Filter facilities only available to subclasses of Fanout_Filter - - There is no longer any overhead in Pipe for a message that has been read out - - It is now possible to generate RSA keys as small as 128 bits - - Changed some of the core classes to derive from Algorithm as a virtual base - - Changed Randpool to use HMAC instead of a plain hash as the mixing function - - Fixed a bug in the allocators; found and fixed by Matthew Gregan - - Enabled the use of binary file I/O, when requested by the application - - The OpenSSL engine's block cipher code was missing some deallocation calls - - Disabled the es_ftw module on NetBSD, due to header problems there - - Fixed a problem preventing tm_hard from building on MacOS X on PowerPC - - Some cleanups for the modules that use inline assembler - - config.h is now stored in build/ instead of build/include/botan/ - - The header util.h was split into bit_ops.h, parsing.h, and util.h - - Cleaned up some redundant include directives - -* 1.4.9, 2005-11-06 - - Added the IBM-created AES candidate algorithm MARS - - Added the South Korean block cipher SEED - - Added the stream cipher Turing - - Added the new hash function FORK-256 - - Deprecated the ISAAC stream cipher - - Twofish and RC6 are significantly faster with GCC - - Much better support for 64-bit PowerPC - - Added support for high-resolution PowerPC timers - - Fixed a bug in the configure script causing problems on FreeBSD - - Changed ANSI X9.31 to support arbitrary block ciphers - - Make the configure script a bit less noisy - - Added more test vectors for some algorithms, including all the AES finalists - - Various cosmetic source code cleanups - -* 1.4.8, 2005-10-16 - - Resolved a bad performance problem in the allocators; fix by Matt Johnston - - Worked around a Visual Studio 2003 compilation problem introduced in 1.4.7 - - Renamed OMAC to CMAC to match the official NIST naming - - Added single byte versions of update() to PK_Signer and PK_Verifier - - Removed the unused reverse_bits and reverse_bytes functions - -* 1.4.7, 2005-09-25 - - Fixed major performance problems with recent versions of GNU C++ - - Added an implementation of the X9.31 PRNG - - Removed the X9.17 and FIPS 186-2 PRNG algorithms - - Changed defaults to use X9.31 PRNGs as global PRNG objects - - Documentation updates to reflect the PRNG changes - - Some cleanups related to the engine code - - Removed two useless headers, base_eng.h and secalloc.h - - Removed PK_Verifier::valid_signature - - Fixed configure/build system bugs affecting MacOS X builds - - Added support for the EKOPath x86-64 compiler - - Added missing destructor for BlockCipherModePaddingMethod - - Fix some build problems with Visual C++ 2005 beta - - Fix some build problems with Visual C++ 2003 Workshop - -* 1.4.6, 2005-03-13 - - Fix an error in the shutdown code introduced in 1.4.5 - - Setting base/pkcs8_tries to 0 disables the builtin fail-out - - Support for XMPP identifiers in X.509 certificates - - Duplicate entries in X.509 DNs are removed - - More fixes for Borland C++, from Friedemann Kleint - - Add a workaround for buggy iostreams - -* 1.4.5, 2005-02-26 - - Add support for AES encryption of private keys - - Minor fixes for PBES2 parameter decoding - - Internal cleanups for global state variables - - GCC 3.x version detection was broken in non-English locales - - Work around a Sun Forte bug affecting mem_pool.h - - Several fixes for Borland C++ 5.5, from Friedemann Kleint - - Removed inclusion of init.h into base.h - - Fixed a major bug in reading from certificate stores - - Cleaned up a couple of mutex leaks - - Removed some left-over debugging code - - Removed SSL3_MAC, SSL3_PRF, and TLS_PRF - -* 1.4.4, 2004-12-02 - - Further tweaks to the pooling allocator - - Modified EMSA3 to support SSL/TLS signatures - - Changes to support Qt/QCA, from Justin Karneges - - Moved mux_qt module code into mod_qt - - Fixes for HP-UX from Mike Desjardins - -* 1.4.3, 2004-11-06 - - Split up SecureAllocator into Allocator and Pooling_Allocator - - Memory locking allocators are more likely to be used - - Fixed the placement of includes in some modules - - Fixed broken installation procedure - - Fixes in configure script to support alternate install programs - - Modules can specify the minimum version they support - -* 1.4.2, 2004-10-31 - - Fixed a major CRL handling bug - - Cipher and hash operations can be offloaded to engines - - Added support for cipher and hash offload in OpenSSL engine - - Improvements for 64-bit CPUs without a widening multiply instruction - - Support for SHA2-* and Whirlpool with EMSA2 - - Fixed a long-standing build problem with conflicting include files - - Fixed some examples that hadn't been updated for 1.4.x - - Portability fixes for Solaris, *BSD, HP-UX, and others - - Lots of fixes and cleanups in the configure script - - Updated the Gentoo ebuild file - -* 1.4.1, 2004-10-10 - - Fixed major errors in the X.509 and PKCS #8 copy_key functions - - Added a LAST_MESSAGE meta-message number for Pipe - - Added new aliases (3DES and DES-EDE) for Triple-DES - - Added some new functions to PK_Verifier - - Cleaned up the KDF interface - - Disabled tm_posix on *BSD due to header issues - - Fixed a build problem on PowerPC with GNU C++ pre-3.4 - -* 1.4.0, 2004-06-26 - - Added the FIPS 186 RNG back - - Added copy_key functions for X.509 public keys and PKCS #8 private keys - - Fixed PKCS #1 signatures with RIPEMD-128 - - Moved some code around to avoid warnings with Sun ONE compiler - - Fixed a bug in botan-config affecting OpenBSD - - Fixed some build problems on Tru64, HP-UX - - Fixed compile problems with Intel C++, Compaq C++ - -* 1.3.14, 2004-06-12 - - Added support for AEP's AEP1000/AEP2000 crypto cards - - Added a Mutex module using Qt, from Justin Karneges - - Added support for engine loading in LibraryInitializer - - Tweaked SecureAllocator, giving 20% better performance under heavy load - - Added timer and memory locking modules for Win32 (tm_win32, ml_win32) - - Renamed PK_Engine to Engine_Core - - Improved the Karatsuba cutoff points - - Fixes for compiling with GCC 3.4 and Sun C++ 5.5 - - Fixes for Linux/s390, OpenBSD, and Solaris - - Added support for Linux/s390x - - The configure script was totally broken for 'generic' OS - - Removed Montgomery reduction due to bugs - - Removed an unused header, pkcs8alg.h - - check --validate returns an error code if any tests failed - - Removed duplicate entry in Unix command list for es_unix - - Moved the Cert_Usage enumeration into X509_Store - - Added new timing methods for PK benchmarks, clock_gettime and RDTSC - - Fixed a few minor bugs in the configure script - - Removed some deprecated functions from x509cert.h and pkcs10.h - - Removed the 'minimal' module, has to be updated for Engine support - - Changed MP_WORD_BITS macro to BOTAN_MP_WORD_BITS to clean up namespace - - Documentation updates - -* 1.3.13, 2004-05-15 - - Major fixes for Cygwin builds - - Minor MacOS X install fixes - - The configure script is a little better at picking the right modules - - Removed ml_unix from the 'unix' module set for Cygwin compatibility - - Fixed a stupid compile problem in pkcs10.h - -* 1.3.12, 2004-05-02 - - Added ability to remove old entries from CRLs - - Swapped the first two arguments of X509_CA::update_crl() - - Added an < operator for MemoryRegion, so it can be used as a std::map key - - Changed X.509 searching by DNS name from substring to full string compares - - Renamed a few X509_Certificate and PKCS10_Request member functions - - Fixed a problem when decoding some PKCS #10 requests - - Hex_Decoder would not check inputs, reported by Vaclav Ovsik - - Changed default CRL expire time from 30 days to 7 days - - X509_CRL's default PEM header is now "X509 CRL", for OpenSSL compatibility - - Corrected errors in the API doc, fixes from Ken Perano - - More documentation about the Pipe/Filter code - -* 1.3.11, 2004-04-01 - - Fixed two show-stopping bugs in PKCS10_Request - - Added some sanity checks in Pipe/Filter - - The DNS and URI entries would get swapped in subjectAlternativeNames - - MAC_Filter is now willing to not take a key at creation time - - Setting the expiration times of certs and CRLs is more flexible - - Fixed problems building on AIX with GCC - - Fixed some problems in the tutorial pointed out by Dominik Vogt - - Documentation updates - -* 1.3.10, 2004-03-27 - - Added support for OpenPGP's ASCII armor format - - Cleaned up the RNG system; seeding is much more flexible - - Added simple autoconfiguration abilities to configure.pl - - Fixed a GCC 2.95.x compile problem - - Updated the example configuration file - - Documentation updates - -* 1.3.9, 2004-03-07 - - Added an engine using OpenSSL (requires 0.9.7 or later) - - X509_Certificate would lose email addresses stored in the DN - - Fixed a missing initialization in a BigInt constructor - - Fixed several Visual C++ compile problems - - Fixed some BeOS build problems - - Fixed the WiderWake benchmark - -* 1.3.8, 2003-12-30 - - Internal changes to PK algorithms to divide data and algorithms - - DSA/DH/NR/ElGamal constructors accept taking just the private key again - - ElGamal keys now support being imported/exported as ASN.1 objects - - Much more consistent and complete error checking in PK algorithms - - Support for arbitrary backends (engines) for PK operations - - Added Montgomery reductions - - Added an engine that uses GNU MP (requires 4.1 or later) - - Removed the obsolete mp_gmp module - - Moved several initialization/shutdown functions to init.h - - Major refactoring of the memory containers - - New non-locking container, MemoryVector - - Fixed 64-bit problems in BigInt::set_bit/clear_bit - - Renamed PK_Key::check_params() to check_key() - - Some incompatible changes to OctetString - - Added version checking macros in version.h - - Removed the fips140 module pending rewrite - - Added some functions and hooks to help GUIs - - Moved more shared code into MDx_HashFunction - - Added a policy hook for specifying the encoding of X.509 strings - -* 1.3.7, 2003-12-12 - - Fixed a big security problem in es_unix - - Fixed several stability problems in es_unix - - Expanded the list of programs es_unix will try to use - - SecureAllocator now only preallocates blocks in special cases - - Added a special case in Global_RNG::seed for forcing a full poll - - Removed the FIPS 186 RNG added in 1.3.5 pending further testing - - Configure updates for PowerPC CPUs - - Removed the (never tested) VAX support - - Added support for S/390 Linux - -* 1.3.6, 2003-12-07 - - Added a new module 'minimal', which disables most algorithms - - SecureAllocator allocates a few blocks at startup - - A few minor MPI cleanups - - RPM spec file cleanups and fixes - -* 1.3.5, 2003-11-30 - - Major improvements in ASN.1 string handling - - Added partial support for ASN.1 UTF8 STRINGs and BMP STRINGs - - Added partial support for the X.509v3 certificate policies extension - - Centralized the handling of character set information - - Added FIPS 140-2 startup self tests - - Added a module (fips140) for doing extra FIPS 140-2 tests - - Added FIPS 186-2 RNG - - Improved ASN.1 BIT STRING handling - - Removed a memory leak in PKCS10_Request - - The encoding of DirectoryString now follows PKIX guidelines - - Fixed some of the character set dependencies - - Fixed a DER encoding error for tags greater than 30 - - The BER decoder can now handle tags larger than 30 - - Fixed tm_hard.cpp to recognize SPARC on more systems - - Workarounds for a GCC 2.95.x bug in x509find.cpp - - RPM changed to install into /usr instead of /usr/local - - Added support for QNX - -* 1.2.8, 2003-11-21 - - Merged several important bug fixes from 1.3.x - -* 1.3.4, 2003-11-21 - - Added a module that does certain MPI operations using GNU MP - - Added the X9.42 Diffie-Hellman PRF - - The Zlib and Bzip2 objects now use custom allocators - - Added member functions for directly hashing/MACing SecureVectors - - Minor optimizations to the MPI addition and subtraction algorithms - - Some cleanups in the low-level MPI code - - Created separate AES-{128,192,256} objects - -* 1.3.3, 2003-11-17 - - The library can now be repeatedly initialized and shutdown without crashing - - Fixed an off-by-one error in the CTS code - - Fixed an error in the EMSA4 verification code - - Fixed a memory leak in mutex.cpp (pointed out by James Widener) - - Fixed a memory leak in Pthread_Mutex - - Fixed several memory leaks in the testing code - - Bulletproofed the EMSA/EME/KDF/MGF retrieval functions - - Minor cleanups in SecureAllocator - - Removed a needless mutex guarding the (stateless) global timer - - Fixed a piece of bash-specific code in botan-config - - X.509 objects report more information about decoding errors - - Cleaned up some of the exception handling - - Updated the example config file with new OIDSs - - Moved the build instructions into a separate document, building.tex - -* 1.3.2, 2003-11-13 - - Fixed a bug preventing DSA signatures from verifying on X.509 objects - - Made the X509_Store search routines more efficient and flexible - - Added a function to X509_PublicKey to do easy public/private key matching - - Added support for decoding indefinite length BER data - - Changed Pipe's peek() to take an offset - - Removed Filter::set_owns in favor of the new incr_owns function - - Removed BigInt::zero() and BigInt::one() - - Renamed the PEM related options from base/pem_* to pem/* - - Added an option to specify the line width when encoding PEM - - Removed the "rng/safe_longterm" option; it's always on now - - Changed the cipher used for RNG super-encryption from ARC4 to WiderWake4+1 - - Cleaned up the base64/hex encoders and decoders - - Added an ASN.1/BER decoder as an example - - AES had its internals marked 'public' in previous versions - - Changed the value of the ASN.1 NO_OBJECT enum - - Various new hacks in the configure script - - Removed the already nominal support for SunOS - -* 1.3.1, 2003-11-04 - - Generalized a few pieces of the DER encoder - - PKCS8::load_key would fail if handed an unencrypted key - - Added a failsafe so PKCS #8 key decoding can't go into an infinite loop - -* 1.3.0, 2003-11-02 - - Major redesign of the PKCS #8 private key import/export system - - Added a small amount of UI interface code for getting passphrases - - Added heuristics that tell if a key, cert, etc is stored as PEM or BER - - Removed CS-Cipher, SHARK, ThreeWay, MD5-MAC, and EMAC - - Removed certain deprecated constructors of RSA, DSA, DH, RW, NR - - Made PEM decoding more forgiving of extra text before the header - -* 1.2.7, 2003-10-31 - - Added support for reading configuration files - - Added constructors so NR and RW keys can be imported easily - - Fixed mp_asm64, which was completely broken in 1.2.6 - - Removed tm_hw_ia32 module; replaced by tm_hard - - Added support for loading certain oddly formed RSA certificates - - Fixed spelling of NON_REPUDIATION enum - - Renamed the option default_to_ca to v1_assume_ca - - Fixed a minor bug in X.509 certificate generation - - Fixed a latent bug in the OID lookup code - - Updated the RPM spec file - - Added to the tutorial - -* 1.2.6, 2003-07-04 - - Major performance increase for PK algorithms on most 64-bit systems - - Cleanups in the low-level MPI code to support asm implementations - - Fixed build problems with some versions of Compaq's C++ compiler - - Removed useless constructors for NR public and private keys - - Removed support for the patch_file directive in module files - - Removed several deprecated functions - -* 1.2.5, 2003-06-22 - - Fixed a tricky and long-standing memory leak in Pipe - - Major cleanups and fixes in the memory allocation system - - Removed alloc_mlock, which has been superseded by the ml_unix module - - Removed a denial of service vulnerability in X509_Store - - Fixed compilation problems with VS .NET 2003 and Codewarrior 8 - - Added another variant of PKCS8::load_key, taking a memory buffer - - Fixed various minor/obscure bugs which occurred when MP_WORD_BITS != 32 - - BigInt::operator%=(word) was a no-op if the input was a power of 2 - - Fixed portability problems in BigInt::to_u32bit - - Fixed major bugs in SSL3-MAC - - Cleaned up some messes in the PK algorithms - - Cleanups and extensions for OMAC and EAX - - Made changes to the entropy estimation function - - Added a 'beos' module set for use on BeOS - - Officially deprecated a few X509:: and PKCS8:: functions - - Moved the contents of primes.h to numthry.h - - Moved the contents of x509opt.h to x509self.h - - Removed the (empty) desx.h header - - Documentation updates - -* 1.2.4, 2003-05-29 - - Fixed a bug in EMSA1 affecting NR signature verification - - Fixed a few latent bugs in BigInt related to word size - - Removed an unused function, mp_add2_nc, from the MPI implementation - - Reorganized the core MPI files - -* 1.2.3, 2003-05-20 - - Fixed a bug that prevented DSA/NR key generation - - Fixed a bug that prevented importing some root CA certs - - Fixed a bug in the BER decoder when handing optional bit or byte strings - - Fixed the encoding of authorityKeyIdentifier in X509_CA - - Added a sanity check in PBKDF2 for zero length passphrases - - Added versions of X509::load_key and PKCS8::load_key that take a file name - - X509_CA generates 128 bit serial numbers now - - Added tests to check PK key generation - - Added a simplistic X.509 CA example - - Cleaned up some of the examples - -* 1.2.2, 2003-05-13 - - Add checks to prevent any BigInt bugs from revealing an RSA or RW key - - Changed the interface of Global_RNG::seed - - Major improvements for the es_unix module - - Added another Win32 entropy source, es_win32 - - The Win32 CryptoAPI entropy source can now poll multiple providers - - Improved the BeOS entropy source - - Renamed pipe_unixfd module to fd_unix - - Fixed a file descriptor leak in the EGD module - - Fixed a few locking bugs - -* 1.2.1, 2003-05-06 - - Added ANSI X9.23 compatible CBC padding - - Added an entropy source using Win32 CryptoAPI - - Removed the Pipe I/O operators taking a FILE* - - Moved the BigInt encoding/decoding functions into the BigInt class - - Integrated several fixes for VC++ 7 (from Hany Greiss) - - Fixed the configure.pl script for Windows builds - -* 1.2.0, 2003-04-28 - - Tweaked the Karatsuba cut-off points - - Increased the allowed keylength of HMAC and Blowfish - - Removed the 'mpi_ia32' module, pending rewrite - - Workaround a GCC 2.95.x bug in eme1.cpp - -* 1.1.13, 2003-04-22 - - Added OMAC - - Added EAX authenticated cipher mode - - Diffie-Hellman would not do blinding in some cases - - Optimized the OFB and CTR modes - - Corrected Skipjack's word ordering, as per NIST clarification - - Support for all subject/issuer attribute types required by RFC 3280 - - The removeFromCRL CRL reason code is now handled correctly - - Increased the flexibility of the allocators - - Renamed Rijndael to AES, created aes.h, deleted rijndael.h - - Removed support for the 'no_timer' LibraryInitializer option - - Removed 'es_pthr' module, pending further testing - - Cleaned up get_ciph.cpp - -* 1.1.12, 2003-04-15 - - Fixed a ASN.1 string encoding bug - - Fixed a pair of X509_DN encoding problems - - Base64_Decoder and Hex_Decoder can now validate input - - Removed support for the LibraryInitializer option 'egd_path' - - Added tests for DSA X.509 and PKCS #8 key formats - - Removed a long deprecated feature of DH_PrivateKey's constructor - - Updated the RPM .spec file - - Major documentation updates - -* 1.1.11, 2003-04-07 - - Added PKCS #10 certificate requests - - Changed X509_Store searching interface to be more flexible - - Added a generic Certificate_Store interface - - Added a function for generating self-signed X.509 certs - - Cleanups and changes to X509_CA - - New examples for PKCS #10 and self-signed certificates - - Some documentation updates - -* 1.1.10, 2003-04-03 - - X509_CA can now generate new X.509 CRLs - - Added blinding for RSA, RW, DH, and ElGamal to prevent timing attacks - - More certificate and CRL extensions/attributes are supported - - Better DN handling in X.509 certificates/CRLs - - Added a DataSink hierarchy (suggested by Jim Darby) - - Consolidated SecureAllocator and ManagedAllocator - - Many cleanups and generalizations - - Added a (slow) pthreads based EntropySource - - Fixed some threading bugs - -* 1.1.9, 2003-02-25 - - Added support for using X.509v2 CRLs - - Fixed several bugs in the path validation algorithm - - Certificates can be verified for a particular usage - - Algorithm for comparing distinguished names now follows X.509 - - Cleaned up the code for the es_beos, es_ftw, es_unix modules - - Documentation updates - -* 1.1.8, 2003-01-29 - - Fixes for the certificate path validation algorithm in X509_Store - - Fixed a bug affecting X509_Certificate::is_ca_cert() - - Added a general configuration interface for policy issues - - Cleanups and API changes in the X.509 CA, cert, and store code - - Made various options available for X509_CA users - - Changed X509_Time's interface to work around time_t problems - - Fixed a theoretical weakness in Randpool's entropy mixing function - - Fixed problems compiling with GCC 2.95.3 and GCC 2.96 - - Fixed a configure bug (reported by Jon Wilson) affecting MinGW - -* 1.1.7, 2003-01-12 - - Fixed an obscure but dangerous bug in SecureVector::swap - - Consolidated SHA-384 and SHA-512 to save code space - - Added SSL3-MAC and SSL3-PRF - - Documentation updates, including a new tutorial - -* 1.0.2, 2003-01-12 - - Fixed an obscure SEGFAULT causing bug in Pipe - - Fixed an obscure but dangerous bug in SecureVector::swap - -* 1.1.6, 2002-12-10 - - Initial support for X.509v3 certificates and CAs - - Major redesign/rewrite of the ASN.1 encoding/decoding code - - Added handling for DSA/NR signatures encoded as DER SEQUENCEs - - Documented the generic cipher lookup interface - - Added an (untested) entropy source for BeOS - - Various cleanups and bug fixes - -* 1.1.5, 2002-11-17 - - Added the discrete logarithm integrated encryption system (DLIES) - - Various optimizations for BigInt - - Added support for assembler optimizations in modules - - Added BigInt x86 optimizations module (mpi_ia32) - -* 1.1.4, 2002-11-10 - - Speedup of 15-30% for PK algorithms - - Implemented the PBES2 encryption scheme - - Fixed a potential bug in decoding RSA and RW private keys - - Changed the DL_Group class interface to handle different formats better - - Added support for PKCS #3 encoded DH parameters - - X9.42 DH parameters use a PEM label of 'X942 DH PARAMETERS' - - Added key pair consistency checking - - Fixed a compatibility problem with gcc 2.96 (pointed out by Hany Greiss) - - A botan-config script is generated at configure time - - Documentation updates - -* 1.1.3, 2002-11-03 - - Added a generic public/private key loading interface - - Fixed a small encoding bug in RSA, RW, and DH - - Changed the PK encryption/decryption interface classes - - ECB supports using padding methods - - Added a function-based interface for library initialization - - Added support for RIPEMD-128 and Tiger PKCS#1 v1.5 signatures - - The cipher mode benchmarks now use 128-bit AES instead of DES - - Removed some obsolete typedefs - - Removed OpenCL support (opencl.h, the OPENCL_* macros, etc) - - Added tests for PKCS #8 encoding/decoding - - Added more tests for ECB and CBC - -* 1.1.2, 2002-10-21 - - Support for PKCS #8 encoded RSA, DSA, and DH private keys - - Support for Diffie-Hellman X.509 public keys - - Major reorganization of how X.509 keys are handled - - Added PKCS #5 v2.0's PBES1 encryption scheme - - Added a generic cipher lookup interface - - Added the WiderWake4+1 stream cipher - - Added support for sync-able stream ciphers - - Added a 'paranoia level' option for the LibraryInitializer - - More security for RNG output meant for long term keys - - Added documentation for some of the new 1.1.x features - - CFB's feedback argument is now specified in bits - - Renamed CTR class to CTR_BE - - Updated the RSA and DSA examples to use X.509 and PKCS #8 key formats - -* 1.1.1, 2002-10-15 - - Added the Korean hash function HAS-160 - - Partial support for RSA and DSA X.509 public keys - - Added a mostly functional BER encoder/decoder - - Added support for non-deterministic MAC functions - - Initial support for PEM encoding/decoding - - Internal cleanups in the PK algorithms - - Several new convenience functions in Pipe - - Fixed two nasty bugs in Pipe - - Messed with the entropy sources for es_unix - - Discrete logarithm groups are checked for safety more closely now - - For compatibility with GnuPG, ElGamal now supports DSA-style groups - -* 1.1.0, 2002-09-14 - - Added entropy estimation to the RNGs - - Improved the overall design of both Randpool and ANSI_X917_RNG - - Added a separate RNG for nonce generation - - Added window exponentiation support in power_mod - - Added a get_s2k function and the PKCS #5 S2K algorithms - - Added the TLSv1 PRF - - Replaced BlockCipherModeIV typedef with InitializationVector class - - Renamed PK_Key_Agreement_Scheme to PK_Key_Agreement - - Renamed SHA1 -> SHA_160 and SHA2_x -> SHA_x - - Added support for RIPEMD-160 PKCS#1 v1.5 signatures - - Changed the key agreement scheme interface - - Changed the S2K and KDF interfaces - - Better SCAN compatibility for HAVAL, Tiger, MISTY1, SEAL, RC5, SAFER-SK - - Added support for variable-pass Tiger - - Major speedup for Rabin-Williams key generation - -* 1.0.1, 2002-09-14 - - Fixed a minor bug in Randpool::random() - - Added some new aliases and typedefs for 1.1.x compatibility - - The 4096-bit RSA benchmark key was decimal instead of hex - - EMAC was returning an incorrect name - -* 1.0.0, 2002-08-26 - - Octal I/O of BigInt is now supported - - Fixed portability problems in the es_egd module - - Generalized IV handling in the block cipher modes - - Added Karatsuba multiplication and k-ary exponentiation - - Fixed a problem in the multiplication routines - -* 0.9.2, 2002-08-18 - - DH_PrivateKey::public_value() was returning the wrong value - - Various BigInt optimizations - - The filters.h header now includes hex.h and base64.h - - Moved Counter mode to ctr.h - - Fixed a couple minor problems with VC++ 7 - - Fixed problems with the RPM spec file - -* 0.9.1, 2002-08-10 - - Grand rename from OpenCL to Botan - - Major optimizations for the PK algorithms - - Added ElGamal encryption - - Added Whirlpool - - Tweaked memory allocation parameters - - Improved the method of seeding the global RNG - - Moved pkcs1.h to eme_pkcs.h - - Added more test vectors for some algorithms - - Fixed error reporting in the BigInt tests - - Removed Default_Timer, it was pointless - - Added some new example applications - - Removed some old examples that weren't that interesting - - Documented the compression modules - -* 0.9.0, 2002-08-03 - - EMSA4 supports variable salt size - - PK_* can take a string naming the encoding method to use - - Started writing some internals documentation - -* 0.8.7, 2002-07-30 - - Fixed bugs in EME1 and EMSA4 - - Fixed a potential crash at shutdown - - Cipher modes returned an ill-formed name - - Removed various deprecated types and headers - - Cleaned up the Pipe interface a bit - - Minor additions to the documentation - - First stab at a Visual C++ makefile (doc/Makefile.vc7) - -* 0.8.6, 2002-07-25 - - Added EMSA4 (aka PSS) - - Brought the manual up to date; many corrections and additions - - Added a parallel hash function construction - - Lookup supports all available algorithms now - - Lazy initialization of the lookup tables - - Made more discrete logarithm groups available through get_dl_group() - - StreamCipher_Filter supports seeking (if the underlying cipher does) - - Minor optimization for GCD calculations - - Renamed SAFER_SK128 to SAFER_SK - - Removed many previously deprecated functions - - Some now-obsolete functions, headers, and types have been deprecated - - Fixed some bugs in DSA prime generation - - DL_Group had a constructor for DSA-style prime gen but it wasn't defined - - Reversed the ordering of the two arguments to SEAL's constructor - - Fixed a threading problem in the PK algorithms - - Fixed a minor memory leak in lookup.cpp - - Fixed pk_types.h (it was broken in 0.8.5) - - Made validation tests more verbose - - Updated the check and example applications - -* 0.8.5, 2002-07-21 - - Major changes to constructors for DL-based cryptosystems (DSA, NR, DH) - - Added a DL_Group class - - Reworking of the pubkey internals - - Support in lookup for aliases and PK algorithms - - Renamed CAST5 to CAST_128 and CAST256 to CAST_256 - - Added EMSA1 - - Reorganization of header files - - LibraryInitializer will install new allocator types if requested - - Fixed a bug in Diffie-Hellman key generation - - Did a workaround in pipe.cpp for GCC 2.95.x on Linux - - Removed some debugging code from init.cpp that made FTW ES useless - - Better checking for invalid arguments in the PK algorithms - - Reduced Base64 and Hex default line length (if line breaking is used) - - Fixes for HP's aCC compiler - - Cleanups in BigInt - -* 0.8.4, 2002-07-14 - - Added Nyberg-Rueppel signatures - - Added Diffie-Hellman key exchange (kex interface is subject to change) - - Added KDF2 - - Enhancements to the lookup API - - Many things formerly taking pointers to algorithms now take names - - Speedups for prime generation - - LibraryInitializer has support for seeding the global RNG - - Reduced SAFER-SK128 memory consumption - - Reversed the ordering of public and private key values in DSA constructor - - Fixed serious bugs in MemoryMapping_Allocator - - Fixed memory leak in Lion - - FTW_EntropySource was not closing the files it read - - Fixed line breaking problem in Hex_Encoder - -* 0.8.3, 2002-06-09 - - Added DSA and Rabin-Williams signature schemes - - Added EMSA3 - - Added PKCS#1 v1.5 encryption padding - - Added Filters for PK algorithms - - Added a Keyed_Filter class - - LibraryInitializer processes arguments now - - Major revamp of the PK interface classes - - Changed almost all of the Filters for non-template operation - - Changed HMAC, Lion, Luby-Rackoff to non-template classes - - Some fairly minor BigInt optimizations - - Added simple benchmarking for PK algorithms - - Added hooks for fixed base and fixed exponent modular exponentiation - - Added some examples for using RSA - - Numerous bugfixes and cleanups - - Documentation updates - -* 0.8.2, 2002-05-18 - - Added an (experimental) algorithm lookup interface - - Added code for directly testing BigInt - - Added SHA2-384 - - Optimized SHA2-512 - - Major optimization for Adler32 (thanks to Dan Nicolaescu) - - Various minor optimizations in BigInt and related areas - - Fixed two bugs in X9.19 MAC, both reported by Darren Starsmore - - Fixed a bug in BufferingFilter - - Made a few fixes for MacOS X - - Added a workaround in configure.pl for GCC 2.95.x - - Better support for PowerPC, ARM, and Alpha - - Some more cleanups - -* 0.8.1, 2002-05-06 - - Major code cleanup (check doc/deprecated.txt) - - Various bugs fixed, including several portability problems - - Renamed MessageAuthCode to MessageAuthenticationCode - - A replacement for X917 is in x917_rng.h - - Changed EMAC to non-template class - - Added ANSI X9.19 compatible CBC-MAC - - TripleDES now supports 128 bit keys - -* 0.8.0, 2002-04-24 - - Merged BigInt: many bugfixes and optimizations since alpha2 - - Added RSA (rsa.h) - - Added EMSA2 (emsa2.h) - - Lots of new interface code for public key algorithms (pk_base.h, pubkey.h) - - Changed some interfaces, including SymmetricKey, to support the global rng - - Fixed a serious bug in ManagedAllocator - - Renamed RIPEMD128 to RIPEMD_128 and RIPEMD160 to RIPEMD_160 - - Removed some deprecated stuff - - Added a global random number generator (rng.h) - - Added clone functions to most of the basic algorithms - - Added a library initializer class (init.h) - - Version macros in version.h - - Moved the base classes from opencl.h to base.h - - Renamed the bzip2 module to comp_bzip2 and zlib to comp_zlib - - Documentation updates for the new stuff (still incomplete) - - Many new deprecated things: check doc/deprecated.txt - -* 0.7.10, 2002-04-07 - - Added EGD_EntropySource module (es_egd) - - Added a file tree walking EntropySource (es_ftw) - - Added MemoryLocking_Allocator module (alloc_mlock) - - Renamed the pthr_mux, unix_rnd, and mmap_mem modules - - Changed timer mechanism; the clock method can be switched on the fly. - - Renamed MmapDisk_Allocator to MemoryMapping_Allocator - - Renamed ent_file.h to es_file.h (ent_file.h is around, but deprecated) - - Fixed several bugs in MemoryMapping_Allocator - - Added more default sources for Unix_EntropySource - - Changed SecureBuffer to use same allocation methods as SecureVector - - Added bigint_divcore into mp_core to support BigInt alpha2 release - - Removed some Pipe functions deprecated since 0.7.8 - - Some fixes for the configure program - -* 0.7.9, 2002-03-19 - - Memory allocation substantially revamped - - Added memory allocation method based on mmap(2) in the mmap_mem module - - Added ECB and CTS block cipher modes (ecb.h, cts.h) - - Added a Mutex interface (mutex.h) - - Added module pthr_mux, implementing the Mutex interface - - Added Threaded Filter interface (thr_filt.h) - - All algorithms can now by keyed with SymmetricKey objects - - More testing occurs with --validate (expected failures) - - Fixed two bugs reported by Hany Greiss, in Luby-Rackoff and RC6 - - Fixed a buffering bug in Bzip_Decompress and Zlib_Decompress - - Made X917 safer (and about 1/3 as fast) - - Documentation updates - -* 0.7.8, 2002-02-28 - - More capabilities for Pipe, inspired by SysV STREAMS, including peeking, - better buffering, and stack ops. NOT BACKWARDS COMPATIBLE: SEE DOCUMENTATION - - Added a BufferingFilter class - - Added popen() based EntropySource for generic Unix systems (unix_rnd) - - Moved 'devrand' module into main distribution (ent_file.h), renamed to - File_EntropySource, and changed interface somewhat. - - Made Randpool somewhat more conservative and also 25% faster - - Minor fixes and updates for the configure script - - Added some tweaks for memory allocation - - Documentation updates for the new Pipe interface - - Fixed various minor bugs - - Added a couple of new example programs (stack and hasher2) - -* 0.7.7, 2001-11-24 - - Filter::send now works in the constructor of a Filter subclass - - You may now have to include <opencl/pipe.h> explicitly in some code - - Added preliminary PK infrastructure classes in pubkey.h and pkbase.h - - Enhancements to SecureVector (append, destroy functions) - - New infrastructure for secure memory allocation - - Added IEEE P1363 primitives MGF1, EME1, KDF1 - - Rijndael optimizations and cleanups - - Changed CipherMode<B> to BlockCipherMode(B*) - - Fixed a nasty bug in pipe_unixfd - - Added portions of the BigInt code into the main library - - Support for VAX, SH, POWER, PowerPC-64, Intel C++ - -* 0.7.6, 2001-10-14 - - Fixed several serious bugs in SecureVector created in 0.7.5 - - Square optimizations - - Fixed shared objects on MacOS X and HP-UX - - Fixed static libs for KCC 4.0; works with KCC 3.4g as well - - Full support for Athlon and K6 processors using GCC - - Added a table of prime numbers < 2**16 (primes.h) - - Some minor documentation updates - -* 0.7.5, 2001-08-19 - - Split checksum.h into adler32.h, crc24.h, and crc32.h - - Split modes.h into cbc.h, cfb.h, and ofb.h - - CBC_wPadding* has been replaced by CBC_Encryption and CBC_Decryption - - Added OneAndZeros and NoPadding methods for CBC - - Added Lion, a very fast block cipher construction - - Added an S2K base class (s2k.h) and an OpenPGP_S2K class (pgp_s2k.h) - - Basic types (ciphers, hashes, etc) know their names now (call name()) - - Changed the EntropySource type somewhat - - Big speed-ups for ISAAC, Adler32, CRC24, and CRC32 - - Optimized CAST-256, DES, SAFER-SK, Serpent, SEAL, MD2, and RIPEMD-160 - - Some semantics of SecureVector have changed slightly - - The mlock module has been removed for the time being - - Added string handling functions for hashes and MACs - - Various non-user-visible cleanups - - Shared library soname is now set to the full version number - -* 0.7.4, 2001-07-15 - - New modules: Zlib, gettimeofday and x86 RTC timers, Unix I/O for Pipe - - Fixed a vast number of errors in the config script/makefile/specfile - - Pipe now has a stdio(3) interface as well as C++ iostreams - - ARC4 supports skipping the first N bytes of the cipher stream (ala MARK4) - - Bzip2 supports decompressing multiple concatenated streams, and flushing - - Added a simple 'overall average' score to the benchmarks - - Fixed a small bug in the POSIX timer module - - Removed a very-unlikely-to-occur bug in most of the hash functions - - filtbase.h now includes <iosfwd>, not <iostream> - - Minor documentation updates - -* 0.7.3, 2001-06-08 - - Fix build problems on Solaris/SPARC - - Fix build problems with Perl versions < 5.6 - - Fixed some stupid code that broke on a few compilers - - Added string handling functions to Pipe - - MISTY1 optimizations - -* 0.7.2, 2001-06-03 - - Build system supports modules - - Added modules for mlock, a /dev/random EntropySource, POSIX1.b timers - - Added Bzip2 compression filter, contributed by Peter Jones - - GNU make no longer required (tested with 4.4BSD pmake and Solaris make) - - Fixed minor bug in several of the hash functions - - Various other minor fixes and changes - - Updates to the documentation - -* 0.7.1, 2001-05-16 - - Rewrote configure script: more consistent and complete - - Made it easier to find out parameters of types at run time (opencl.h) - - New functions for finding the version being used (version.h) - - New SymmetricKey interface for Filters (symkey.h) - - InvalidKeyLength now records what the invalid key length was - - Optimized DES, CS-Cipher, MISTY1, Skipjack, XTEA - - Changed GOST to use correct S-box ordering (incompatible change) - - Benchmark code was almost totally rewritten - - Many more entries in the test vector file - - Fixed minor and idiotic bug in check.cpp - -* 0.7.0, 2001-03-01 - - First public release +.. _relnotes: + +Release Notes +======================================== + +Series 1.10 +---------------------------------------- + +Version 1.10.0, Not Yet Released +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + +Series 1.9 +---------------------------------------- + +Version 1.9.18, 2011-06-03 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fourth release candidate for 1.10.0 + +* The GOST 34.10 verification operation was not ensuring that s and r + were both greater than zero. This could potentially have meant it + would have accepted an invalid all-zero signature as valid for any + message. Due to how ECC points are internally represented it instead + resulted in an exception being thrown. + +* A simple multiexponentation algorithm is now used in ECDSA and + GOST-34.10 signature verification, leading to 20 to 25% improvements + in ECDSA and 25% to 40% improvements in GOST-34.10 verification + performance. + +* The internal representation of elliptic curve points has been + modified to use Montgomery representation exclusively, resulting in + reduced memory usage and a 10 to 20% performance improvement for + ECDSA and ECDH. + +* In OAEP decoding, scan for the delimiter bytes using a loop that is + written without conditionals so as to help avoid timing analysis. + Unfortunately GCC at least is 'smart' enough to compile it to + jumps anyway. + +* The SSE2 implementation of IDEA did not work correctly when compiled + by Clang, because the trick it used to emulate a 16 bit unsigned + compare in SSE (which doesn't contain one natively) relied on signed + overflow working in the 'usual' way. A different method that doesn't + rely on signed overflow is now used. + +* Add support for compiling SSL using Visual C++ 2010's TR1 + implementation. + +* Fix a bug under Visual C++ 2010 which would cause ``hex_encode`` to + crash if given a zero-sized input to encode. + +* A new build option ``--via-amalgamation`` will first generate the + single-file amalgamation, then build the library from that single + file. This option requires a lot of memory and does not parallelize, + but the resulting library is smaller and may be faster. + +* On Unix, the library and header paths have been changed to allow + parallel installation of different versions of the library. Headers + are installed into ``<prefix>/include/botan-1.9/botan``, libraries + are named ``libbotan-1.9``, and ``botan-config`` is now namespaced + (so in this release ``botan-config-1.9``). All of these embedded + versions will be 1.10 in the upcoming stable release. + +* The soname system has been modified. In this release the library + soname is ``libbotan-1.9.so.0``, with the full library being named + ``libbotan-1.9.so.0.18``. The ``0`` is the ABI version, and will be + incremented whenever a breaking ABI change is made. + +* TR1 support is not longer automatically assumed under older versions + of GCC + +* Functions for base64 decoding that work standalone (without needing + to use a pipe) have been added to ``base64.h`` + +* The function ``BigInt::to_u32bit`` was inadvertently removed in 1.9.11 + and has been added back. + +* The function ``BigInt::get_substring`` did not work correctly with a + *length* argument of 32. + +* The implementation of ``FD_ZERO`` on Solaris uses ``memset`` and + assumes the caller included ``string.h`` on its behalf. Do so to + fix compilation in the ``dev_random`` and ``unix_procs`` entropy + sources. Patch from Jeremy C. Reed. + +* Add two different configuration targets for Atom, since some are + 32-bit and some are 64-bit. The 'atom' target now refers to the + 64-bit implementations, use 'atom32' to target the 32-bit + processors. + +* The (incomplete) support for CMS and card verifiable certificates + are disabled by default; add ``--enable-modules=cms`` or + ``--enable-modules=cvc`` during configuration to turn them back on. + +Version 1.9.17, 2011-04-29 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Third release candidate for 1.10.0 + +* The format preserving encryption method currently available was + presented in the header ``fpe.h`` and the functions ``fpe_encrypt`` + and ``fpe_decrypt``. These were renamed as it is likely that other + FPE schemes will be included in the future. The header is now + ``fpe_fe1.h``, and the functions are named ``fe1_encrypt`` and + ``fe1_decrypt``. See :doc:`fpe` for more information. + +* New options to ``configure.py`` control what tools are used for + documentation generation. The ``--with-sphinx`` option enables using + Sphinx to convert ReST into HTML; otherwise the ReST sources are + installed directly. If ``--with-doxygen`` is used, Doxygen will run + as well. Documentation generation can be triggered via the ``docs`` + target in the makefile; it will also be installed by the install + target on Unix. + +* A bug in 1.9.16 effectively disabled support for runtime CPU feature + detection on x86 under GCC in that release. + +* A mostly internal change, all references to "ia32" and "amd64" have + been changed to the vendor neutral and probably easier to understand + "x86-32" and "x86-64". For instance, the "mp_amd64" module has been + renamed "mp_x86_64", and the macro indicating x86-32 has changed + from ``BOTAN_TARGET_ARCH_IS_IA32`` to + ``BOTAN_TARGET_ARCH_IS_X86_32``. The classes calling assembly have + also been renamed. + +* Similiarly to the above change, the AES implemenations using the + AES-NI instruction set have been renamed from AES_XXX_Intel to + AES_XXX_NI. + +* Systems that are identified as `sun4u` will default to compiling for + 32-bit SPARCv9 code rather than 64-bit. This matches the still + common convention for 32-bit SPARC userspaces. If you want 64-bit + code on such as system, use ``--cpu=sparc64``. + +* Some minor fixes for compiling botan under the BeOS + clone/continuation `Haiku <http://haiku-os.org>`_. + +* Further updates to the documentation + +Version 1.9.16, 2011-04-11 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Second release candidate for 1.10.0 + +* The documentation, previously written in LaTeX, is now in + reStructuredText suitable for processing by `Sphinx + <http://sphinx.pocoo.org>`_, which can generate nicely formatted + HTML and PDFs. The documentation has also been greatly updated and + expanded. + +* The class ``EC_Domain_Params`` has been renamed ``EC_Group``, with a + typedef for backwards compatability. + +* ``EC_Group``'s string constructor didn't understand the standard + names like "secp160r1", forcing use of the OIDs. + +* Two constructors for ECDSA private keys, the one that creates a new + random key, and the one that provides a preset private key as a + ``BigInt``, have been merged. This matches the existing interface + for DSA and DH keys. If you previously used the version taking a + ``BigInt`` private key, you'll have to additionally pass in a + ``RandomNumberGenerator`` object starting in this release. + +* It is now possible to create ECDH keys with a preset ``BigInt`` + private key; previously no method for this was available. + +* The overload of ``generate_passhash9`` that takes an explicit + algorithm identifier has been merged with the one that does not. + The algorithm identifier code has been moved from the second + parameter to the fourth. See :ref:`passhash9` for details. + +* Change shared library versioning to match the normal Unix + conventions. Instead of ``libbotan-X.Y.Z.so``, the shared lib is + named ``libbotan-X.Y.so.Z``; this allows the runtime linker to do + its runtime linky magic. It can be safely presumed that any change + in the major or minor version indicates ABI incompatability. + +* Remove the socket wrapper code; it was not actually used by anything + in the library, only in the examples, and you can use whatever kind + of (blocking) socket interface you like with the SSL/TLS code. It's + available as socket.h in the examples directory if you want to use + it. + +* Disable the by-default 'strong' checking of private keys that are + loaded from storage. You can always request key material sanity + checking using Private_Key::check_key. + +* Bring back removed functions ``min_keylength_of``, + ``max_keylength_of``, ``keylength_multiple_of`` in ``lookup.h`` to + avoid breaking applications written against 1.8 + +Version 1.9.15, 2011-03-21 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* First release candidate for 1.10.0 + +* Modify how message expansion is done in SHA-256 and SHA-512. + Instead of expanding the entire message at the start, compute them + in the minimum number of registers. Values are computed 15 rounds + before they are needed. On a Core i7-860, GCC 4.5.2, went from 143 + to 157 MiB/s in SHA-256, and 211 to 256 MiB/s in SHA-512. + +* Pipe will delete empty output queues as soon as they are no longer + needed, even if earlier messages still have data unread. However an + (empty) entry in a deque of pointers will remain until all prior + messages are completely emptied. + +* Avoid reading the SPARC ``%tick`` register on OpenBSD as unlike + Linux the kernel will not trap and emulate it for us, causing a + illegal instruction crash. + +* Improve detection and autoconfiguration for ARM processors. + +Version 1.9.14, 2011-03-01 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Add support for bcrypt, OpenBSD's password hashing scheme. It is + described in :ref:`bcrypt`. + +* Add support for NIST's AES key wrapping algorithm, as described in + :rfc:`3394`. It is available by including ``rfc3394.h``. + +* Fix an infinite loop in zlib filters introduced in 1.9.11 (PR 142) + +Version 1.9.13, 2011-02-19 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Update Keccak to the round 3 variant +* Fix ordering in GOST 34.10 signatures to match DNSSEC specifications +* Use ``size_t`` instead of ``u32bit`` for small integers in DER/BER codecs +* Add new build option ``--distribution-info`` +* Fix problems in the amalgamation build +* Fix building under Clang 2.9 and Sun Studio 12 + +Version 1.9.12, 2010-12-13 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Add the Keccak hash function +* Fix compilation problems in Python wrappers +* Fix compilation problem in OpenSSL engine +* Update SQLite3 database encryption codec + +Version 1.9.11, 2010-11-29 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Many SSL/TLS APIs have changed. This API is still unstable. +* The SSL interface requires TR1 (uses std::tr1::function) +* Fix SSL handshake failures when using RC4 ciphersuites +* Fix a number of CRL encoding and decoding bugs +* Counter mode now always encrypts 256 blocks in parallel +* Code where u32bit was used to represent a length now uses size_t +* Use small tables in the first round of AES +* Removed AES class: app must choose AES-128, AES-192, or AES-256 +* Add hex encoding/decoding functions that can be used without a Pipe +* Add base64 encoding functions that can be used without a Pipe +* Add to_string function to X509_Certificate +* Add support for dynamic engine loading on Windows +* Replace BlockCipher::BLOCK_SIZE attribute with function block_size() +* Replace HashFunction::HASH_BLOCK_SIZE attribute with hash_block_size() +* Changed semantics of MemoryRegion::resize and clear to match STL +* Removed MemoryRegion::append, replaced by push_back and operator+= +* Move PBKDF lookup to engine system +* The IDEA key schedule has been changed to run in constant time +* Avoid a possible timing vulnerability in Montgomery reduction +* Add Algorithm and Key_Length_Specification classes +* Switch default PKCS #8 encryption algorithm from AES-128 to AES-256 +* Update Skein-512 to match the v1.3 specification +* Allow using PBKDF2 with empty passphrases +* Add compile-time deprecation warnings for GCC, Clang, and MSVC +* Support use of HMAC(SHA-256) and CMAC(Blowfish) in passhash9 +* Improve support for Intel Atom processors +* Fix compilation problems under Sun Studio and Clang + +Version 1.9.10, 2010-08-12 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Add a constant time AES implementation using SSSE3 +* Add support for loading new Engines at runtime +* Use GCC byteswap intrinsics where possible +* Drop support for building with Python 2.4 +* Fix benchmarking of block ciphers in ECB mode +* Consolidate the two x86 assembly engines +* Rename S2K to PBKDF + +Version 1.9.9, 2010-06-28 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Add new X509::BER_encode and PKCS8::BER_encode +* Give all Filter objects a name() function +* Add Keyed_Filter::valid_iv_length +* Increase default iteration counts for private key encryption +* Fix compilation of mp_asm64 on 64-bit MIPS with GCC 4.4 and later +* Fix compilation under Apple's GCC 4.2 +* Expand and update the Doxygen documentation + +Version 1.9.8, 2010-06-14 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Add support for wide multiplications on 64-bit Windows +* Use constant time multiplication in IDEA +* Avoid possible timing attack against OAEP decoding +* Removed FORK-256; rarely used and it has been broken +* Rename ``--use-boost-python`` to ``--with-boost-python`` +* Skip building shared libraries on MinGW/Cygwin +* Fix creation of 512 and 768 bit DL groups using the DSA kosherizer +* Fix compilation on GCC versions before 4.3 (missing cpuid.h) +* Fix compilation under the Clang compiler + +Version 1.9.7, 2010-04-27 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* TLS: Support reading SSLv2 client hellos +* TLS: Add support for SEED ciphersuites (RFC 4162) +* Add Comb4P hash combiner function +* Fix checking of EMSA_Raw signatures with leading 0 bytes + +Version 1.9.6, 2010-04-09 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* TLS: Add support for TLS v1.1 +* TLS: Support server name indicator extension +* TLS: Fix server handshake +* TLS: Fix server using DSA certificates +* TLS: Avoid timing channel between CBC padding check and MAC verification + +Version 1.9.5, 2010-03-29 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Numerous ECC optimizations +* Fix GOST 34.10-2001 X.509 key loading +* Allow PK_Signer's fault protection checks to be toggled off +* Avoid using pool-based locking allocator if we can't mlock +* Remove all runtime options +* New BER_Decoder::{decode_and_check, decode_octet_string_bigint} +* Remove SecureBuffer in favor of SecureVector length parameter +* HMAC_RNG: Perform a poll along with user-supplied entropy +* Fix crash in MemoryRegion if Allocator::get failed +* Fix small compilation problem on FreeBSD + +Version 1.9.4, 2010-03-09 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Add the Ajisai SSLv3/TLSv1.0 implementation +* Add GOST 34.10-2001 public key signature scheme +* Add SIMD implementation of Noekeon +* Add SSE2 implementation of IDEA +* Extend Salsa20 to support longer IVs (XSalsa20) +* Perform XTS encryption and decryption in parallel where possible +* Perform CBC decryption in parallel where possible +* Add SQLite3 db encryption codec, contributed by Olivier de Gaalon +* Add a block cipher cascade construction +* Add support for password hashing for authentication (passhash9.h) +* Add support for Win32 high resolution system timers +* Major refactoring and API changes in the public key code +* Use consistency checking (anti-fault attack) for all signature schemes +* Changed S2K interface: derive_key now takes salt, iteration count +* Remove dependency on TR1 for ECC and CVC code +* Renamed ECKAEG to its more usual name, ECDH +* Fix crash in GMP_Engine if library is shutdown and reinitialized +* Fix an invalid memory read in MD4 +* Fix Visual C++ static builds +* Remove Timer class entirely +* Switch default PKCS #8 encryption algorithm from 3DES to AES-128 +* New option --gen-amalgamation for creating a SQLite-style amalgamation +* Many headers are now explicitly internal-use-only and are not installed +* Greatly improve the Win32 installer +* Several fixes for Visual C++ debug builds + +Version 1.9.3, 2009-11-19 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Add new AES implementation using Intel's AES instruction intrinsics +* Add an implementation of format preserving encryption +* Allow use of any hash function in X.509 certificate creation +* Optimizations for MARS, Skipjack, and AES +* Set macros for available SIMD instructions in build.h +* Add support for using InnoSetup to package Windows builds +* By default build a DLL on Windows + +Version 1.9.2, 2009-11-03 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Add SIMD version of XTEA +* Support both SSE2 and AltiVec SIMD for Serpent and XTEA +* Optimizations for SHA-1 and SHA-2 +* Add AltiVec runtime detection +* Fix x86 CPU identification with Intel C++ and Visual C++ + +Version 1.9.1, 2009-10-23 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Better support for Python and Perl wrappers +* Add an implementation of Blue Midnight Wish (Round 2 tweak version) +* Modify Skein-512 to match the tweaked 1.2 specification +* Add threshold secret sharing (draft-mcgrew-tss-02) +* Add runtime cpu feature detection for x86/x86-64 +* Add code for general runtime self testing for hashes, MACs, and ciphers +* Optimize XTEA; twice as fast as before on Core2 and Opteron +* Convert CTR_BE and OFB from filters to stream ciphers +* New parsing code for SCAN algorithm names +* Enable SSE2 optimizations under Visual C++ +* Remove all use of C++ exception specifications +* Add support for GNU/Hurd and Clang/LLVM + +Version 1.9.0, 2009-09-09 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Add support for parallel invocation of block ciphers where possible +* Add SSE2 implementation of Serpent +* Add Rivest's package transform (an all or nothing transform) +* Minor speedups to the Turing key schedule +* Fix processing multiple messages in XTS mode +* Add --no-autoload option to configure.py, for minimized builds +* The previously used configure.pl script is no longer supported + +Series 1.8 +---------------------------------------- + +Version 1.8.11, 2010-11-02 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fix a number of CRL encoding and decoding bugs +* When building a debug library under VC++, use the debug runtime +* Fix compilation under Sun Studio on Linux and Solaris +* Add several functions for compatability with 1.9 +* In the examples, read most input files as binary +* The Perl build script has been removed in this release + +Version 1.8.10, 2010-08-31 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Switch default PKCS #8 encryption algorithm from 3DES to AES-256 +* Increase default hash iterations from 2048 to 10000 in PBES1 and PBES2 +* Use small tables in the first round of AES +* Add PBKDF typedef and get_pbkdf for better compatability with 1.9 +* Add version of S2K::derive_key taking salt and iteration count +* Enable the /proc-walking entropy source on NetBSD +* Fix the doxygen makefile target + +Version 1.8.9, 2010-06-16 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Use constant time multiplication in IDEA +* Avoid possible timing attack against OAEP decoding +* Add new X509::BER_encode and PKCS8::BER_encode +* Enable DLL builds under Windows +* Add Win32 installer support +* Add support for the Clang compiler +* Fix problem in semcem.h preventing build under Clang or GCC 3.4 +* Fix bug that prevented creation of DSA groups under 1024 bits +* Fix crash in GMP_Engine if library is shutdown and reinitialized +* Work around problem with recent binutils in x86-64 SHA-1 +* The Perl build script is no longer supported and refuses to run by default + +Version 1.8.8, 2009-11-03 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Alter Skein-512 to match the tweaked 1.2 specification +* Fix use of inline asm for access to x86 bswap function +* Allow building the library without AES enabled +* Add 'powerpc64' alias to ppc64 arch for Gentoo ebuild + +Version 1.8.7, 2009-09-09 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fix processing multiple messages in XTS mode +* Add --no-autoload option to configure.py, for minimized builds + +Version 1.8.6, 2009-08-13 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Add Cryptobox, a set of simple password-based encryption routines +* Only read world-readable files when walking /proc for entropy +* Fix building with TR1 disabled +* Fix x86 bswap support for Visual C++ +* Fixes for compilation under Sun C++ +* Add support for Dragonfly BSD (contributed by Patrick Georgi) +* Add support for the Open64 C++ compiler +* Build fixes for MIPS systems running Linux +* Minor changes to license, now equivalent to the FreeBSD/NetBSD license + +Version 1.8.5, 2009-07-23 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Change configure.py to work on stock Python 2.4 +* Avoid a crash in Skein_512::add_data processing a zero-length input +* Small build fixes for SPARC, ARM, and HP-PA processors +* The test suite now returns an error code from main() if any tests failed + +Version 1.8.4, 2009-07-12 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fix a bug in nonce generation in the Miller-Rabin test + +Version 1.8.3, 2009-07-11 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Add a new Python configuration script +* Add the Skein-512 SHA-3 candidate hash function +* Add the XTS block cipher mode from IEEE P1619 +* Fix random_prime when generating a prime of less than 7 bits +* Improve handling of low-entropy situations during PRNG seeding +* Change random device polling to prefer /dev/urandom over /dev/random +* Use an input insensitive implementation of same_mem instead of memcmp +* Correct DataSource::discard_next to return the number of discarded bytes +* Provide a default value for AutoSeeded_RNG::reseed +* Fix Gentoo bug 272242 + +Version 1.8.2, 2009-04-07 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Make entropy polling more flexible and in most cases faster +* GOST 28147 now supports multiple sbox parameters +* Added the GOST 34.11 hash function +* Fix botan-config problems on MacOS X + +Version 1.8.1, 2009-01-20 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Avoid a valgrind warning in es_unix.cpp on 32-bit Linux +* Fix memory leak in PKCS8 load_key and encrypt_key +* Relicense api.tex from CC-By-SA 2.5 to BSD +* Fix botan-config on MacOS X, Solaris + +Version 1.8.0, 2008-12-08 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fix compilation on Solaris with GCC + +Series 1.7 +---------------------------------------- + +Version 1.7.24, 2008-12-01 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fix a compatibility problem with SHA-512/EMSA3 signature padding +* Fix bug preventing EGD/PRNGD entropy poller from working +* Fix integer overflow in Pooling_Allocator::get_more_core (bug id #27) +* Add EMSA3_Raw, a variant of EMSA3 called CKM_RSA_PKCS in PKCS #11 +* Add support for SHA-224 in EMSA2 and EMSA3 PK signature padding schemes +* Add many more test vectors for RSA with EMSA2, EMSA3, and EMSA4 +* Wrap private structs in SSE2 SHA-1 code in anonymous namespace +* Change configure.pl's CPU autodetection output to be more consistent +* Disable using OpenSSL's AES due to crashes of unknown cause +* Fix warning in /proc walking entropy poller +* Fix compilation with IBM XLC for Cell 0.9-200709 + +Version 1.7.23, 2008-11-23 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Change to use TR1 (thus enabling ECDSA) with GCC and ICC +* Optimize almost all hash functions, especially MD4 and Tiger +* Add configure.pl options --{with,without}-{bzip2,zlib,openssl,gnump} +* Change Timer to be pure virtual, and add ANSI_Clock_Timer +* Cache socket descriptors in the EGD entropy source +* Avoid bogging down startup in /proc walking entropy source +* Remove Buffered_EntropySource helper class +* Add a Default_Benchmark_Timer typedef in benchmark.h +* Add examples using benchmark.h and Algorithm_Factory +* Add ECC tests from InSiTo +* Minor documentation updates + +Version 1.7.22, 2008-11-17 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Add provider preferences to Algorithm_Factory +* Fix memory leaks in PBE_PKCS5v20 and get_pbe introduced in 1.7.21 +* Optimize AES encryption and decryption (about 10% faster) +* Enable SSE2 optimized SHA-1 implementation on Intel Prescott CPUs +* Fix nanoseconds overflow in benchmark code +* Remove Engine::add_engine + +Version 1.7.21, 2008-11-11 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Make algorithm lookup much more configuable +* Add facilities for runtime performance testing of algorithms +* Drop use of entropy estimation in the PRNGs +* Increase intervals between HMAC_RNG automatic reseeding +* Drop InitializerOptions class, all options but thread safety + +Version 1.7.20, 2008-11-09 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Namespace pkg-config file by major and minor versions +* Cache device descriptors in Device_EntropySource +* Split base.h into {block_cipher,stream_cipher,mac,hash}.h +* Removed get_mgf function from lookup.h + +Version 1.7.19, 2008-11-06 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Add HMAC_RNG, based on a design by Hugo Krawczyk +* Optimized the Turing stream cipher (about 20% faster on x86-64) +* Modify Randpool's reseeding algorithm to poll more sources +* Add a new AutoSeeded_RNG in auto_rng.h +* OpenPGP_S2K changed to take hash object instead of name +* Add automatic identification for Intel's Prescott processors + +Version 1.7.18, 2008-10-22 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Add Doxygen comments from InSiTo +* Add ECDSA and ECKAEG benchmarks +* Add configure.pl switch --with-tr1-implementation +* Fix configure.pl's --with-endian and --with-unaligned-mem options +* Added support for pkg-config +* Optimize byteswap with x86 inline asm for Visual C++ by Yves Jerschow +* Use const references to avoid copying overhead in CurveGFp, GFpModulus + +Version 1.7.17, 2008-10-12 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Add missing ECDSA object identifiers +* Fix error in x86 and x86-64 assembler affecting GF(p) math +* Remove Boost dependency from GF(p) math +* Modify botan-config to not print -L/usr/lib or -L/usr/local/lib +* Add BOTAN_DLL macro to over 30 classes missing it +* Rename the two SHA-2 base classes for consistency + +Version 1.7.16, 2008-10-09 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Add several missing pieces needed for ECDSA and ECKAEG +* Add Card Verifiable Certificates from InSiTo +* Add SHA-224 from InSiTo +* Add BSI variant of EMSA1 from InSiTo +* Add GF(p) and ECDSA tests from InSiTo +* Split ECDSA and ECKAEG into distinct modules +* Allow OpenSSL and GNU MP engines to be built with public key algos disabled +* Rename sha256.h to sha2_32.h and sha_64.h to sha2_64.h + +Version 1.7.15, 2008-10-07 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Add GF(p) arithmetic from InSiTo +* Add ECDSA and ECKAEG implementations from InSiTo +* Minimize internal dependencies, allowing for smaller build configurations +* Add new User Manual and Architecture Guide from FlexSecure GmbH +* Alter configure.pl options for better autotools compatibility +* Update build instructions for recent changes to configure.pl +* Fix CPU detection using /proc/cpuinfo + +Version 1.7.14, 2008-09-30 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Split library into parts allowing modular builds +* Add (very preliminary) CMS support to the main library +* Some constructors now require object pointers instead of names +* Support multiple implementations of the same algorithm +* Build support for Pentium-M processors, from Derek Scherger +* Build support for MinGW/MSYS, from Zbigniew Zagorski +* Use inline assembly for bswap on 32-bit x86 + +Version 1.7.13, 2008-09-27 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Add SSLv3 MAC, SSLv3 PRF, and TLS v1.0 PRF from Ajisai +* Allow all examples to compile even if compression not enabled +* Make CMAC's polynomial doubling operation a public class method +* Use the -m64 flag when compiling with Sun Forte on x86-64 +* Clean up and slightly optimize CMAC::final_result + +Version 1.7.12, 2008-09-18 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Add x86 assembly for Visual Studio C++, by Luca Piccarreta +* Add a Perl XS module, by Vaclav Ovsik +* Add SWIG-based wrapper for Botan +* Add SSE2 implementation of SHA-1, by Dean Gaudet +* Remove the BigInt::sig_words cache due to bugs +* Combined the 4 Blowfish sboxes, suggested by Yves Jerschow +* Changed BigInt::grow_by and BigInt::grow_to to be non-const +* Add private assignment operators to classes that don't support assignment +* Benchmark RSA encryption and signatures +* Added test programs for random_prime and ressol +* Add high resolution timers for IA-64, HP-PA, S390x +* Reduce use of the RNG during benchmarks +* Fix builds on STI Cell PPU +* Add support for IBM's XLC compiler +* Add IETF 8192 bit MODP group + +Version 1.7.11, 2008-09-11 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Added the Salsa20 stream cipher +* Optimized Montgomery reduction, Karatsuba squaring +* Added 16x16->32 word Comba multiplication and squaring +* Use a much larger Karatsuba cutoff point +* Remove bigint_mul_add_words +* Inlined several BigInt functions +* Add useful information to the generated build.h +* Rename alg_{ia32,amd64} modules to asm_{ia32,amd64} +* Fix the Windows build + +Version 1.7.10, 2008-09-05 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Public key benchmarks run using a selection of random keys +* New benchmark timer options are clock_gettime, gettimeofday, times, clock +* Including reinterpret_cast optimization for xor_buf in default header +* Split byte swapping and word rotation functions into distinct headers +* Add IETF modp 6144 group and 2048 and 3072 bit DSS groups +* Optimizes BigInt right shift +* Add aliases in DL_Group::Format enum +* BigInt now caches the significant word count + +Version 1.7.9, 2008-08-27 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Make clear() in most algorithm base classes a pure virtual +* Add noexec stack marker for GNU linker in assembly code +* Avoid string operations in ressol +* Compilation fixes for MinGW and Visual Studio C++ 2008 +* Some autoconfiguration fixes for Windows + +Version 1.7.8, 2008-07-15 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Added the block cipher Noekeon +* Remove global deref_alias function +* X509_Store takes timeout options as constructor arguments +* Add Shanks-Tonelli algorithm, contributed by FlexSecure GmbH +* Extend random_prime() for generating primes of any bit length +* Remove Config class +* Allow adding new entropy via base RNG interface +* Reseeding a X9.31 PRNG also reseeds the underlying PRNG + +Version 1.7.7, 2008-06-28 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Remove the global PRNG object +* The PK filter objects were removed +* Add a test suite for the ANSI X9.31 PRNG +* Much cleaner and (mostly) thread-safe reimplementation of es_ftw +* Remove both default arguments to ANSI_X931_RNG's constructor +* Remove the randomizing version of OctetString::change +* Make the cipher and MAC to use in Randpool configurable +* Move RandomNumberGenerator declaration to rng.h +* RSA_PrivateKey will not generate keys smaller than 1024 bits +* Fix an error decoding BER UNIVERSAL types with special taggings + +Version 1.7.6, 2008-05-05 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Initial support for Windows DLLs, from Joel Low +* Reset the position pointer when a new block is generated in X9.32 PRNG +* Timer objects are now treated as entropy sources +* Moved several ASN.1-related enums from enums.h to an appropriate header +* Removed the AEP module, due to inability to test +* Removed Global_RNG and rng.h +* Removed system_clock +* Removed Library_State::UI and the pulse callback logic + +Version 1.7.5, 2008-04-12 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* The API of X509_CA::sign_request was altered to avoid race conditions +* New type Pipe::message_id to represent the Pipe message number +* Remove the Named_Mutex_Holder for a small performance gain +* Removed several unused or rarely used functions from Config +* Ignore spaces inside of a decimal string in BigInt::decode +* Allow using a std::istream to initialize a DataSource_Stream object +* Fix compilation problem in zlib compression module +* The chunk sized used by Pooling_Allocator is now a compile time setting +* The size of random blinding factors is now a compile time setting +* The install target no longer tries to set a particular owner/group + +Version 1.7.4, 2008-03-10 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Use unaligned memory read/writes on systems that allow it, for performance +* Assembly for x86-64 for accessing the bswap instruction +* Use larger buffers in ARC4 and WiderWAKE for significant throughput increase +* Unroll loops in SHA-160 for a few percent increase in performance +* Fix compilation with GCC 3.2 in es_ftw and es_unix +* Build fix for NetBSD systems +* Prevent es_dev from being built except on Unix systems + +Version 1.7.3, 2008-01-23 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* New invocation syntax for configure.pl with several new options +* Support for IPv4 addresses in a subject alternative name +* New fast poll for the generic Unix entropy source (es_unix) +* The es_file entropy source has been replaced by the es_dev module +* The malloc allocator does not inherit from Pooling_Allocator anymore +* The path that es_unix will search in are now fully user-configurable +* Truncate X9.42 PRF output rather than allow counter overflow +* PowerPC is now assumed to be big-endian + +Version 1.7.2, 2007-10-13 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Initialize the global library state lazily +* Add plain CBC-MAC for backwards compatibility with old systems +* Clean up some of the self test code +* Throw a sensible exception if a DL_Group is not found +* Truncate KDF2 output rather than allowing counter overflow +* Add newly assigned OIDs for SHA-2 and DSA with SHA-224/256 +* Fix a Visual Studio compilation problem in x509stat.cpp + +Version 1.7.1, 2007-07-23 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fix a race condition in the algorithm object cache +* HMAC key schedule optimization +* The build header sets a macro defining endianness, if known +* New word load/store abstraction allowing further optimization +* Modify most of the library to avoid use the C-style casts +* Use higher resolution timers in symmetric benchmarks + +Version 1.7.0, 2007-05-19 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* DSA parameter generation now follows FIPS 186-3 +* Added OIDs for Rabin-Williams and Nyberg-Rueppel +* Somewhat better support for out of tree builds +* Minor optimizations for RC2 and Tiger +* Documentation updates +* Update the todo list + +Series 1.6 +---------------------------------------- + +Version 1.6.5, 2008-08-27 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Add noexec stack marker for GNU linker in assembly code +* Fix autoconfiguration problem on x86 with GCC 4.2 and 4.3 + +Version 1.6.4, 2008-03-08 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fix a compilation problem with Visual Studio C++ 2003 + +Version 1.6.3, 2007-07-23 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fix a race condition in the algorithm lookup cache +* Fix problems building the memory pool on some versions of Visual C++ + +Version 1.6.2, 2007-03-24 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fix autodection on Athlon64s running Linux +* Fix builds on QNX and compilers using STLport +* Remove a call to abort() that crept into production + +Version 1.6.1, 2007-01-20 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fix some base64 decoder bugs +* Add a new option to base64 encoding, to always append a newline +* Fix some build problems under Visual Studio with debug enabled +* Fix a bug in BER_Decoder that was triggered under some compilers + +Version 1.6.0, 2006-12-17 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Minor cleanups versus 1.5.13 + +Series 1.5 +---------------------------------------- + +Version 1.5.13, 2006-12-10 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Compilation fixes for the bzip2, zlib, and GNU MP modules +* Better support for Intel C++ and EKOpath C++ on x86-64 + +Version 1.5.12, 2006-10-27 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Cleanups in the initialization routines +* Add some x86-64 assembly for multiply-add +* Fix problems generating very small (below 384 bit) RSA keys +* Support out of tree builds +* Bring some of the documentation up to date +* More improvements to the Python bindings + +Version 1.5.11, 2006-09-10 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Removed the Algorithm base class +* Various cleanups in the public key inheritance hierarchy +* Major overhaul of the configure/build setup +* Added x86 assembler implementations of Serpent and low-level MPI code +* Optimizations for the SHA-1 x86 assembler +* Various improvements to the Python wrappers +* Work around a Visual Studio compiler bug + +Version 1.5.10, 2006-08-13 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Add x86 assembler versions of MD4, MD5, and SHA-1 +* Expand InitializerOptions' language to support on/off switches +* Fix definition of OID 2.5.4.8; was accidentally changed in 1.5.9 +* Fix possible resource leaks in the mmap allocator +* Slightly optimized buffering in MDx_HashFunction +* Initialization failures are dealt with somewhat better +* Add an example implementing Pollard's Rho algorithm +* Better option handling in the test/benchmark tool +* Expand the xor_ciph example to support longer keys +* Some updates to the documentation + +Version 1.5.9, 2006-07-12 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fixed bitrot in the AEP engine +* Fix support for marking certificate/CRL extensions as critical +* Significant cleanups in the library state / initialization code +* LibraryInitializer takes an explicit InitializerOptions object +* Make Mutex_Factory an abstract class, add Default_Mutex_Factory +* Change configuration access to using global_state() +* Add support for global named mutexes throughout the library +* Add some STL wrappers for the delete operator +* Change how certificates are created to be more flexible and general + +Version 1.5.8, 2006-06-23 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Many internal cleanups to the X.509 cert/CRL code +* Allow for application code to support new X.509 extensions +* Change the return type of X509_Certificate::{subject,issuer}_info +* Allow for alternate character set handling mechanisms +* Fix a bug that was slowing squaring performance somewhat +* Fix a very hard to hit overflow bug in the C version of word3_muladd +* Minor cleanups to the assembler modules +* Disable es_unix module on FreeBSD due to build problem on FreeBSD 6.1 +* Support for GCC 2.95.x has been dropped in this release + +Version 1.5.7, 2006-05-28 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Further, major changes to the BER/DER coding system +* Updated the Qt mutex module to use Mutex_Factory +* Moved the library global state object into an anonymous namespace +* Drop the Visual C++ x86 assembly module due to bugs + +Version 1.5.6, 2006-03-01 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* The low-level DER/BER coding system was redesigned and rewritten +* Portions of the certificate code were cleaned up internally +* Use macros to substantially clean up the GCC assembly code +* Added 32-bit x86 assembly for Visual C++ (by Luca Piccarreta) +* Avoid a couple of spurious warnings under Visual C++ +* Some slight cleanups in X509_PublicKey::key_id + +Version 1.5.5, 2006-02-04 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fixed a potential infinite loop in the memory pool code (Matt Johnston) +* Made Pooling_Allocator::Memory_Block an actual class of sorts +* Some small optimizations to the division and modulo computations +* Cleaned up the implementation of some of the BigInt operators +* Reduced use of dynamic memory allocation in low-level BigInt functions +* A few simplifications in the Randpool mixing function +* Removed power(), as it was not particularly useful (or fast) +* Fixed some annoying bugs in the benchmark code +* Added a real credits file + +Version 1.5.4, 2006-01-29 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Integrated x86 and amd64 assembly code, contributed by Luca Piccarreta +* Fixed a memory access off-by-one in the Karatsuba code +* Changed Pooling_Allocator's free list search to a log(N) algorithm +* Merged ModularReducer with its only subclass, Barrett_Reducer +* Fixed sign-handling bugs in some of the division and modulo code +* Renamed the module description files to modinfo.txt +* Further cleanups in the initialization code +* Removed BigInt::add and BigInt::sub +* Merged all the division-related functions into just divide() +* Modified the <mp_asmi.h> functions to allow for better optimizations +* Made the number of bits polled from an EntropySource user configurable +* Avoid including <algorithm> in <botan/secmem.h> +* Fixed some build problems with Sun Forte +* Removed some dead code from bigint_modop +* Fix the definition of same_mem + +Version 1.5.3, 2006-01-24 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Many optimizations in the low-level multiple precision integer code +* Added hooks for assembly implementations of the MPI code +* Support for the X.509 issuer alternative name extension in new certs +* Fixed a bug in the decompression modules; found and patched by Matt Johnston +* New Windows mutex module (mux_win32), by Luca Piccarreta +* Changed the Windows timer module to use QueryPerformanceCounter +* mem_pool.cpp was using std::set iterators instead of std::multiset ones +* Fixed a bug in X509_CA preventing users from disabling particular extensions +* Fixed the mp_asm64 module, which was entirely broken in 1.5.2 +* Fixed some module build problems on FreeBSD and Tru64 + +Version 1.5.2, 2006-01-15 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fixed an off-by-one memory read in MISTY1::key() +* Fixed a nasty memory leak in Output_Buffers::retire() +* Reimplemented the memory allocator from scratch +* Improved memory caching in Montgomery exponentiation +* Optimizations for multiple precision addition and subtraction +* Fixed a build problem in the hardware timer module on 64-bit PowerPC +* Changed default Karatsuba cutoff to 12 words (was 14) +* Removed MemoryRegion::bits(), which was unused and incorrect +* Changed maximum HMAC keylength to 1024 bits +* Various minor Makefile and build system changes +* Avoid using std::min in <secmem.h> to bypass Windows libc macro pollution +* Switched checks/clock.cpp back to using clock() by default +* Enabled the symmetric algorithm tests, which were accidentally off in 1.5.1 +* Removed the Default_Mutex's unused clone() member function + +Version 1.5.1, 2006-01-08 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Implemented Montgomery exponentiation +* Implemented generalized Karatsuba multiplication and squaring +* Implemented Comba squaring for 4, 6, and 8 word inputs +* Added new Modular_Exponentiator and Power_Mod classes +* Removed FixedBase_Exp and FixedExponent_Exp +* Fixed a performance regression in get_allocator introduced in 1.5.0 +* Engines can now offer S2K algorithms and block cipher padding methods +* Merged the remaining global 'algolist' code into Default_Engine +* The low-level MPI code is linked as C again +* Replaced BigInt's get_nibble with the more general get_substring +* Some documentation updates + +Version 1.5.0, 2006-01-01 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Moved all global/shared library state into a single object +* Mutex objects are created through mutex factories instead of a global +* Removed ::get_mutex(), ::initialize_mutex(), and Mutex::clone() +* Removed the RNG_Quality enum entirely +* There is now only a single global-use PRNG +* Removed the no_aliases and no_oids options for LibraryInitializer +* Removed the deprecated algorithms SEAL, ISAAC, and HAVAL +* Change es_ftw to use unbuffered I/O + +Series 1.4 +---------------------------------------- + +Version 1.4.12, 2006-01-15 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fixed an off-by-one memory read in MISTY1::key() +* Fixed a nasty memory leak in Output_Buffers::retire() +* Changed maximum HMAC keylength to 1024 bits +* Fixed a build problem in the hardware timer module on 64-bit PowerPC + +Version 1.4.11, 2005-12-31 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Changed Whirlpool diffusion matrix to match updated algorithm spec +* Fixed several engine module build errors introduced in 1.4.10 +* Fixed two build problems in es_capi; reported by Matthew Gregan +* Added a constructor to DataSource_Memory taking a std::string +* Placing the same Filter in multiple Pipes triggers an exception +* The configure script accepts --docdir and --libdir +* Merged doc/rngs.txt into the main API document +* Thanks to Joel Low for several bug reports on early tarballs of 1.4.11 + +Version 1.4.10, 2005-12-18 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Added an implementation of KASUMI, the block cipher used in 3G phones +* Refactored Pipe; output queues are now managed by a distinct class +* Made certain Filter facilities only available to subclasses of Fanout_Filter +* There is no longer any overhead in Pipe for a message that has been read out +* It is now possible to generate RSA keys as small as 128 bits +* Changed some of the core classes to derive from Algorithm as a virtual base +* Changed Randpool to use HMAC instead of a plain hash as the mixing function +* Fixed a bug in the allocators; found and fixed by Matthew Gregan +* Enabled the use of binary file I/O, when requested by the application +* The OpenSSL engine's block cipher code was missing some deallocation calls +* Disabled the es_ftw module on NetBSD, due to header problems there +* Fixed a problem preventing tm_hard from building on MacOS X on PowerPC +* Some cleanups for the modules that use inline assembler +* config.h is now stored in build/ instead of build/include/botan/ +* The header util.h was split into bit_ops.h, parsing.h, and util.h +* Cleaned up some redundant include directives + +Version 1.4.9, 2005-11-06 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Added the IBM-created AES candidate algorithm MARS +* Added the South Korean block cipher SEED +* Added the stream cipher Turing +* Added the new hash function FORK-256 +* Deprecated the ISAAC stream cipher +* Twofish and RC6 are significantly faster with GCC +* Much better support for 64-bit PowerPC +* Added support for high-resolution PowerPC timers +* Fixed a bug in the configure script causing problems on FreeBSD +* Changed ANSI X9.31 to support arbitrary block ciphers +* Make the configure script a bit less noisy +* Added more test vectors for some algorithms, including all the AES finalists +* Various cosmetic source code cleanups + +Version 1.4.8, 2005-10-16 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Resolved a bad performance problem in the allocators; fix by Matt Johnston +* Worked around a Visual Studio 2003 compilation problem introduced in 1.4.7 +* Renamed OMAC to CMAC to match the official NIST naming +* Added single byte versions of update() to PK_Signer and PK_Verifier +* Removed the unused reverse_bits and reverse_bytes functions + +Version 1.4.7, 2005-09-25 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fixed major performance problems with recent versions of GNU C++ +* Added an implementation of the X9.31 PRNG +* Removed the X9.17 and FIPS 186-2 PRNG algorithms +* Changed defaults to use X9.31 PRNGs as global PRNG objects +* Documentation updates to reflect the PRNG changes +* Some cleanups related to the engine code +* Removed two useless headers, base_eng.h and secalloc.h +* Removed PK_Verifier::valid_signature +* Fixed configure/build system bugs affecting MacOS X builds +* Added support for the EKOPath x86-64 compiler +* Added missing destructor for BlockCipherModePaddingMethod +* Fix some build problems with Visual C++ 2005 beta +* Fix some build problems with Visual C++ 2003 Workshop + +Version 1.4.6, 2005-03-13 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fix an error in the shutdown code introduced in 1.4.5 +* Setting base/pkcs8_tries to 0 disables the builtin fail-out +* Support for XMPP identifiers in X.509 certificates +* Duplicate entries in X.509 DNs are removed +* More fixes for Borland C++, from Friedemann Kleint +* Add a workaround for buggy iostreams + +Version 1.4.5, 2005-02-26 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Add support for AES encryption of private keys +* Minor fixes for PBES2 parameter decoding +* Internal cleanups for global state variables +* GCC 3.x version detection was broken in non-English locales +* Work around a Sun Forte bug affecting mem_pool.h +* Several fixes for Borland C++ 5.5, from Friedemann Kleint +* Removed inclusion of init.h into base.h +* Fixed a major bug in reading from certificate stores +* Cleaned up a couple of mutex leaks +* Removed some left-over debugging code +* Removed SSL3_MAC, SSL3_PRF, and TLS_PRF + +Version 1.4.4, 2004-12-02 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Further tweaks to the pooling allocator +* Modified EMSA3 to support SSL/TLS signatures +* Changes to support Qt/QCA, from Justin Karneges +* Moved mux_qt module code into mod_qt +* Fixes for HP-UX from Mike Desjardins + +Version 1.4.3, 2004-11-06 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Split up SecureAllocator into Allocator and Pooling_Allocator +* Memory locking allocators are more likely to be used +* Fixed the placement of includes in some modules +* Fixed broken installation procedure +* Fixes in configure script to support alternate install programs +* Modules can specify the minimum version they support + +Version 1.4.2, 2004-10-31 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fixed a major CRL handling bug +* Cipher and hash operations can be offloaded to engines +* Added support for cipher and hash offload in OpenSSL engine +* Improvements for 64-bit CPUs without a widening multiply instruction +* Support for SHA2-* and Whirlpool with EMSA2 +* Fixed a long-standing build problem with conflicting include files +* Fixed some examples that hadn't been updated for 1.4.x +* Portability fixes for Solaris, BSD, HP-UX, and others +* Lots of fixes and cleanups in the configure script +* Updated the Gentoo ebuild file + +Version 1.4.1, 2004-10-10 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fixed major errors in the X.509 and PKCS #8 copy_key functions +* Added a LAST_MESSAGE meta-message number for Pipe +* Added new aliases (3DES and DES-EDE) for Triple-DES +* Added some new functions to PK_Verifier +* Cleaned up the KDF interface +* Disabled tm_posix on BSD due to header issues +* Fixed a build problem on PowerPC with GNU C++ pre-3.4 + +Version 1.4.0, 2004-06-26 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Added the FIPS 186 RNG back +* Added copy_key functions for X.509 public keys and PKCS #8 private keys +* Fixed PKCS #1 signatures with RIPEMD-128 +* Moved some code around to avoid warnings with Sun ONE compiler +* Fixed a bug in botan-config affecting OpenBSD +* Fixed some build problems on Tru64, HP-UX +* Fixed compile problems with Intel C++, Compaq C++ + +Series 1.3 +---------------------------------------- + +Version 1.3.14, 2004-06-12 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Added support for AEP's AEP1000/AEP2000 crypto cards +* Added a Mutex module using Qt, from Justin Karneges +* Added support for engine loading in LibraryInitializer +* Tweaked SecureAllocator, giving 20% better performance under heavy load +* Added timer and memory locking modules for Win32 (tm_win32, ml_win32) +* Renamed PK_Engine to Engine_Core +* Improved the Karatsuba cutoff points +* Fixes for compiling with GCC 3.4 and Sun C++ 5.5 +* Fixes for Linux/s390, OpenBSD, and Solaris +* Added support for Linux/s390x +* The configure script was totally broken for 'generic' OS +* Removed Montgomery reduction due to bugs +* Removed an unused header, pkcs8alg.h +* check --validate returns an error code if any tests failed +* Removed duplicate entry in Unix command list for es_unix +* Moved the Cert_Usage enumeration into X509_Store +* Added new timing methods for PK benchmarks, clock_gettime and RDTSC +* Fixed a few minor bugs in the configure script +* Removed some deprecated functions from x509cert.h and pkcs10.h +* Removed the 'minimal' module, has to be updated for Engine support +* Changed MP_WORD_BITS macro to BOTAN_MP_WORD_BITS to clean up namespace +* Documentation updates + +Version 1.3.13, 2004-05-15 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Major fixes for Cygwin builds +* Minor MacOS X install fixes +* The configure script is a little better at picking the right modules +* Removed ml_unix from the 'unix' module set for Cygwin compatibility +* Fixed a stupid compile problem in pkcs10.h + +Version 1.3.12, 2004-05-02 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Added ability to remove old entries from CRLs +* Swapped the first two arguments of X509_CA::update_crl() +* Added an < operator for MemoryRegion, so it can be used as a std::map key +* Changed X.509 searching by DNS name from substring to full string compares +* Renamed a few X509_Certificate and PKCS10_Request member functions +* Fixed a problem when decoding some PKCS #10 requests +* Hex_Decoder would not check inputs, reported by Vaclav Ovsik +* Changed default CRL expire time from 30 days to 7 days +* X509_CRL's default PEM header is now "X509 CRL", for OpenSSL compatibility +* Corrected errors in the API doc, fixes from Ken Perano +* More documentation about the Pipe/Filter code + +Version 1.3.11, 2004-04-01 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fixed two show-stopping bugs in PKCS10_Request +* Added some sanity checks in Pipe/Filter +* The DNS and URI entries would get swapped in subjectAlternativeNames +* MAC_Filter is now willing to not take a key at creation time +* Setting the expiration times of certs and CRLs is more flexible +* Fixed problems building on AIX with GCC +* Fixed some problems in the tutorial pointed out by Dominik Vogt +* Documentation updates + +Version 1.3.10, 2004-03-27 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Added support for OpenPGP's ASCII armor format +* Cleaned up the RNG system; seeding is much more flexible +* Added simple autoconfiguration abilities to configure.pl +* Fixed a GCC 2.95.x compile problem +* Updated the example configuration file +* Documentation updates + +Version 1.3.9, 2004-03-07 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Added an engine using OpenSSL (requires 0.9.7 or later) +* X509_Certificate would lose email addresses stored in the DN +* Fixed a missing initialization in a BigInt constructor +* Fixed several Visual C++ compile problems +* Fixed some BeOS build problems +* Fixed the WiderWake benchmark + +Version 1.3.8, 2003-12-30 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Internal changes to PK algorithms to divide data and algorithms +* DSA/DH/NR/ElGamal constructors accept taking just the private key again +* ElGamal keys now support being imported/exported as ASN.1 objects +* Much more consistent and complete error checking in PK algorithms +* Support for arbitrary backends (engines) for PK operations +* Added Montgomery reductions +* Added an engine that uses GNU MP (requires 4.1 or later) +* Removed the obsolete mp_gmp module +* Moved several initialization/shutdown functions to init.h +* Major refactoring of the memory containers +* New non-locking container, MemoryVector +* Fixed 64-bit problems in BigInt::set_bit/clear_bit +* Renamed PK_Key::check_params() to check_key() +* Some incompatible changes to OctetString +* Added version checking macros in version.h +* Removed the fips140 module pending rewrite +* Added some functions and hooks to help GUIs +* Moved more shared code into MDx_HashFunction +* Added a policy hook for specifying the encoding of X.509 strings + +Version 1.3.7, 2003-12-12 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fixed a big security problem in es_unix +* Fixed several stability problems in es_unix +* Expanded the list of programs es_unix will try to use +* SecureAllocator now only preallocates blocks in special cases +* Added a special case in Global_RNG::seed for forcing a full poll +* Removed the FIPS 186 RNG added in 1.3.5 pending further testing +* Configure updates for PowerPC CPUs +* Removed the (never tested) VAX support +* Added support for S/390 Linux + +Version 1.3.6, 2003-12-07 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Added a new module 'minimal', which disables most algorithms +* SecureAllocator allocates a few blocks at startup +* A few minor MPI cleanups +* RPM spec file cleanups and fixes + +Version 1.3.5, 2003-11-30 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Major improvements in ASN.1 string handling +* Added partial support for ASN.1 UTF8 STRINGs and BMP STRINGs +* Added partial support for the X.509v3 certificate policies extension +* Centralized the handling of character set information +* Added FIPS 140-2 startup self tests +* Added a module (fips140) for doing extra FIPS 140-2 tests +* Added FIPS 186-2 RNG +* Improved ASN.1 BIT STRING handling +* Removed a memory leak in PKCS10_Request +* The encoding of DirectoryString now follows PKIX guidelines +* Fixed some of the character set dependencies +* Fixed a DER encoding error for tags greater than 30 +* The BER decoder can now handle tags larger than 30 +* Fixed tm_hard.cpp to recognize SPARC on more systems +* Workarounds for a GCC 2.95.x bug in x509find.cpp +* RPM changed to install into /usr instead of /usr/local +* Added support for QNX + +Version 1.3.4, 2003-11-21 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Added a module that does certain MPI operations using GNU MP +* Added the X9.42 Diffie-Hellman PRF +* The Zlib and Bzip2 objects now use custom allocators +* Added member functions for directly hashing/MACing SecureVectors +* Minor optimizations to the MPI addition and subtraction algorithms +* Some cleanups in the low-level MPI code +* Created separate AES-{128,192,256} objects + +Version 1.3.3, 2003-11-17 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* The library can now be repeatedly initialized and shutdown without crashing +* Fixed an off-by-one error in the CTS code +* Fixed an error in the EMSA4 verification code +* Fixed a memory leak in mutex.cpp (pointed out by James Widener) +* Fixed a memory leak in Pthread_Mutex +* Fixed several memory leaks in the testing code +* Bulletproofed the EMSA/EME/KDF/MGF retrieval functions +* Minor cleanups in SecureAllocator +* Removed a needless mutex guarding the (stateless) global timer +* Fixed a piece of bash-specific code in botan-config +* X.509 objects report more information about decoding errors +* Cleaned up some of the exception handling +* Updated the example config file with new OIDSs +* Moved the build instructions into a separate document, building.tex + +Version 1.3.2, 2003-11-13 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fixed a bug preventing DSA signatures from verifying on X.509 objects +* Made the X509_Store search routines more efficient and flexible +* Added a function to X509_PublicKey to do easy public/private key matching +* Added support for decoding indefinite length BER data +* Changed Pipe's peek() to take an offset +* Removed Filter::set_owns in favor of the new incr_owns function +* Removed BigInt::zero() and BigInt::one() +* Renamed the PEM related options from base/pem_* to pem/* +* Added an option to specify the line width when encoding PEM +* Removed the "rng/safe_longterm" option; it's always on now +* Changed the cipher used for RNG super-encryption from ARC4 to WiderWake4+1 +* Cleaned up the base64/hex encoders and decoders +* Added an ASN.1/BER decoder as an example +* AES had its internals marked 'public' in previous versions +* Changed the value of the ASN.1 NO_OBJECT enum +* Various new hacks in the configure script +* Removed the already nominal support for SunOS + +Version 1.3.1, 2003-11-04 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Generalized a few pieces of the DER encoder +* PKCS8::load_key would fail if handed an unencrypted key +* Added a failsafe so PKCS #8 key decoding can't go into an infinite loop + +Version 1.3.0, 2003-11-02 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Major redesign of the PKCS #8 private key import/export system +* Added a small amount of UI interface code for getting passphrases +* Added heuristics that tell if a key, cert, etc is stored as PEM or BER +* Removed CS-Cipher, SHARK, ThreeWay, MD5-MAC, and EMAC +* Removed certain deprecated constructors of RSA, DSA, DH, RW, NR +* Made PEM decoding more forgiving of extra text before the header + +Series 1.2 +---------------------------------------- + +Version 1.2.8, 2003-11-21 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Merged several important bug fixes from 1.3.x + +Version 1.2.7, 2003-10-31 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Added support for reading configuration files +* Added constructors so NR and RW keys can be imported easily +* Fixed mp_asm64, which was completely broken in 1.2.6 +* Removed tm_hw_ia32 module; replaced by tm_hard +* Added support for loading certain oddly formed RSA certificates +* Fixed spelling of NON_REPUDIATION enum +* Renamed the option default_to_ca to v1_assume_ca +* Fixed a minor bug in X.509 certificate generation +* Fixed a latent bug in the OID lookup code +* Updated the RPM spec file +* Added to the tutorial + +Version 1.2.6, 2003-07-04 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Major performance increase for PK algorithms on most 64-bit systems +* Cleanups in the low-level MPI code to support asm implementations +* Fixed build problems with some versions of Compaq's C++ compiler +* Removed useless constructors for NR public and private keys +* Removed support for the patch_file directive in module files +* Removed several deprecated functions + +Version 1.2.5, 2003-06-22 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fixed a tricky and long-standing memory leak in Pipe +* Major cleanups and fixes in the memory allocation system +* Removed alloc_mlock, which has been superseded by the ml_unix module +* Removed a denial of service vulnerability in X509_Store +* Fixed compilation problems with VS .NET 2003 and Codewarrior 8 +* Added another variant of PKCS8::load_key, taking a memory buffer +* Fixed various minor/obscure bugs which occurred when MP_WORD_BITS != 32 +* BigInt::operator%=(word) was a no-op if the input was a power of 2 +* Fixed portability problems in BigInt::to_u32bit +* Fixed major bugs in SSL3-MAC +* Cleaned up some messes in the PK algorithms +* Cleanups and extensions for OMAC and EAX +* Made changes to the entropy estimation function +* Added a 'beos' module set for use on BeOS +* Officially deprecated a few X509:: and PKCS8:: functions +* Moved the contents of primes.h to numthry.h +* Moved the contents of x509opt.h to x509self.h +* Removed the (empty) desx.h header +* Documentation updates + +Version 1.2.4, 2003-05-29 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fixed a bug in EMSA1 affecting NR signature verification +* Fixed a few latent bugs in BigInt related to word size +* Removed an unused function, mp_add2_nc, from the MPI implementation +* Reorganized the core MPI files + +Version 1.2.3, 2003-05-20 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fixed a bug that prevented DSA/NR key generation +* Fixed a bug that prevented importing some root CA certs +* Fixed a bug in the BER decoder when handing optional bit or byte strings +* Fixed the encoding of authorityKeyIdentifier in X509_CA +* Added a sanity check in PBKDF2 for zero length passphrases +* Added versions of X509::load_key and PKCS8::load_key that take a file name +* X509_CA generates 128 bit serial numbers now +* Added tests to check PK key generation +* Added a simplistic X.509 CA example +* Cleaned up some of the examples + +Version 1.2.2, 2003-05-13 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Add checks to prevent any BigInt bugs from revealing an RSA or RW key +* Changed the interface of Global_RNG::seed +* Major improvements for the es_unix module +* Added another Win32 entropy source, es_win32 +* The Win32 CryptoAPI entropy source can now poll multiple providers +* Improved the BeOS entropy source +* Renamed pipe_unixfd module to fd_unix +* Fixed a file descriptor leak in the EGD module +* Fixed a few locking bugs + +Version 1.2.1, 2003-05-06 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Added ANSI X9.23 compatible CBC padding +* Added an entropy source using Win32 CryptoAPI +* Removed the Pipe I/O operators taking a FILE* +* Moved the BigInt encoding/decoding functions into the BigInt class +* Integrated several fixes for VC++ 7 (from Hany Greiss) +* Fixed the configure.pl script for Windows builds + +Version 1.2.0, 2003-04-28 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Tweaked the Karatsuba cut-off points +* Increased the allowed keylength of HMAC and Blowfish +* Removed the 'mpi_ia32' module, pending rewrite +* Workaround a GCC 2.95.x bug in eme1.cpp + +Series 1.1 +---------------------------------------- + +Version 1.1.13, 2003-04-22 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Added OMAC +* Added EAX authenticated cipher mode +* Diffie-Hellman would not do blinding in some cases +* Optimized the OFB and CTR modes +* Corrected Skipjack's word ordering, as per NIST clarification +* Support for all subject/issuer attribute types required by RFC 3280 +* The removeFromCRL CRL reason code is now handled correctly +* Increased the flexibility of the allocators +* Renamed Rijndael to AES, created aes.h, deleted rijndael.h +* Removed support for the 'no_timer' LibraryInitializer option +* Removed 'es_pthr' module, pending further testing +* Cleaned up get_ciph.cpp + +Version 1.1.12, 2003-04-15 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fixed a ASN.1 string encoding bug +* Fixed a pair of X509_DN encoding problems +* Base64_Decoder and Hex_Decoder can now validate input +* Removed support for the LibraryInitializer option 'egd_path' +* Added tests for DSA X.509 and PKCS #8 key formats +* Removed a long deprecated feature of DH_PrivateKey's constructor +* Updated the RPM .spec file +* Major documentation updates + +Version 1.1.11, 2003-04-07 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Added PKCS #10 certificate requests +* Changed X509_Store searching interface to be more flexible +* Added a generic Certificate_Store interface +* Added a function for generating self-signed X.509 certs +* Cleanups and changes to X509_CA +* New examples for PKCS #10 and self-signed certificates +* Some documentation updates + +Version 1.1.10, 2003-04-03 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* X509_CA can now generate new X.509 CRLs +* Added blinding for RSA, RW, DH, and ElGamal to prevent timing attacks +* More certificate and CRL extensions/attributes are supported +* Better DN handling in X.509 certificates/CRLs +* Added a DataSink hierarchy (suggested by Jim Darby) +* Consolidated SecureAllocator and ManagedAllocator +* Many cleanups and generalizations +* Added a (slow) pthreads based EntropySource +* Fixed some threading bugs + +Version 1.1.9, 2003-02-25 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Added support for using X.509v2 CRLs +* Fixed several bugs in the path validation algorithm +* Certificates can be verified for a particular usage +* Algorithm for comparing distinguished names now follows X.509 +* Cleaned up the code for the es_beos, es_ftw, es_unix modules +* Documentation updates + +Version 1.1.8, 2003-01-29 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fixes for the certificate path validation algorithm in X509_Store +* Fixed a bug affecting X509_Certificate::is_ca_cert() +* Added a general configuration interface for policy issues +* Cleanups and API changes in the X.509 CA, cert, and store code +* Made various options available for X509_CA users +* Changed X509_Time's interface to work around time_t problems +* Fixed a theoretical weakness in Randpool's entropy mixing function +* Fixed problems compiling with GCC 2.95.3 and GCC 2.96 +* Fixed a configure bug (reported by Jon Wilson) affecting MinGW + +Version 1.1.7, 2003-01-12 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fixed an obscure but dangerous bug in SecureVector::swap +* Consolidated SHA-384 and SHA-512 to save code space +* Added SSL3-MAC and SSL3-PRF +* Documentation updates, including a new tutorial + +Version 1.1.6, 2002-12-10 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Initial support for X.509v3 certificates and CAs +* Major redesign/rewrite of the ASN.1 encoding/decoding code +* Added handling for DSA/NR signatures encoded as DER SEQUENCEs +* Documented the generic cipher lookup interface +* Added an (untested) entropy source for BeOS +* Various cleanups and bug fixes + +Version 1.1.5, 2002-11-17 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Added the discrete logarithm integrated encryption system (DLIES) +* Various optimizations for BigInt +* Added support for assembler optimizations in modules +* Added BigInt x86 optimizations module (mpi_ia32) + +Version 1.1.4, 2002-11-10 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Speedup of 15-30% for PK algorithms +* Implemented the PBES2 encryption scheme +* Fixed a potential bug in decoding RSA and RW private keys +* Changed the DL_Group class interface to handle different formats better +* Added support for PKCS #3 encoded DH parameters +* X9.42 DH parameters use a PEM label of 'X942 DH PARAMETERS' +* Added key pair consistency checking +* Fixed a compatibility problem with gcc 2.96 (pointed out by Hany Greiss) +* A botan-config script is generated at configure time +* Documentation updates + +Version 1.1.3, 2002-11-03 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Added a generic public/private key loading interface +* Fixed a small encoding bug in RSA, RW, and DH +* Changed the PK encryption/decryption interface classes +* ECB supports using padding methods +* Added a function-based interface for library initialization +* Added support for RIPEMD-128 and Tiger PKCS#1 v1.5 signatures +* The cipher mode benchmarks now use 128-bit AES instead of DES +* Removed some obsolete typedefs +* Removed OpenCL support (opencl.h, the OPENCL_* macros, etc) +* Added tests for PKCS #8 encoding/decoding +* Added more tests for ECB and CBC + +Version 1.1.2, 2002-10-21 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Support for PKCS #8 encoded RSA, DSA, and DH private keys +* Support for Diffie-Hellman X.509 public keys +* Major reorganization of how X.509 keys are handled +* Added PKCS #5 v2.0's PBES1 encryption scheme +* Added a generic cipher lookup interface +* Added the WiderWake4+1 stream cipher +* Added support for sync-able stream ciphers +* Added a 'paranoia level' option for the LibraryInitializer +* More security for RNG output meant for long term keys +* Added documentation for some of the new 1.1.x features +* CFB's feedback argument is now specified in bits +* Renamed CTR class to CTR_BE +* Updated the RSA and DSA examples to use X.509 and PKCS #8 key formats + +Version 1.1.1, 2002-10-15 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Added the Korean hash function HAS-160 +* Partial support for RSA and DSA X.509 public keys +* Added a mostly functional BER encoder/decoder +* Added support for non-deterministic MAC functions +* Initial support for PEM encoding/decoding +* Internal cleanups in the PK algorithms +* Several new convenience functions in Pipe +* Fixed two nasty bugs in Pipe +* Messed with the entropy sources for es_unix +* Discrete logarithm groups are checked for safety more closely now +* For compatibility with GnuPG, ElGamal now supports DSA-style groups + +Version 1.1.0, 2002-09-14 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Added entropy estimation to the RNGs +* Improved the overall design of both Randpool and ANSI_X917_RNG +* Added a separate RNG for nonce generation +* Added window exponentiation support in power_mod +* Added a get_s2k function and the PKCS #5 S2K algorithms +* Added the TLSv1 PRF +* Replaced BlockCipherModeIV typedef with InitializationVector class +* Renamed PK_Key_Agreement_Scheme to PK_Key_Agreement +* Renamed SHA1 -> SHA_160 and SHA2_x -> SHA_x +* Added support for RIPEMD-160 PKCS#1 v1.5 signatures +* Changed the key agreement scheme interface +* Changed the S2K and KDF interfaces +* Better SCAN compatibility for HAVAL, Tiger, MISTY1, SEAL, RC5, SAFER-SK +* Added support for variable-pass Tiger +* Major speedup for Rabin-Williams key generation + +Series 1.0 +---------------------------------------- + +Version 1.0.2, 2003-01-12 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fixed an obscure SEGFAULT causing bug in Pipe +* Fixed an obscure but dangerous bug in SecureVector::swap + +Version 1.0.1, 2002-09-14 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fixed a minor bug in Randpool::random() +* Added some new aliases and typedefs for 1.1.x compatibility +* The 4096-bit RSA benchmark key was decimal instead of hex +* EMAC was returning an incorrect name + +Version 1.0.0, 2002-08-26 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Octal I/O of BigInt is now supported +* Fixed portability problems in the es_egd module +* Generalized IV handling in the block cipher modes +* Added Karatsuba multiplication and k-ary exponentiation +* Fixed a problem in the multiplication routines + +Series 0.9 +---------------------------------------- + +Version 0.9.2, 2002-08-18 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* DH_PrivateKey::public_value() was returning the wrong value +* Various BigInt optimizations +* The filters.h header now includes hex.h and base64.h +* Moved Counter mode to ctr.h +* Fixed a couple minor problems with VC++ 7 +* Fixed problems with the RPM spec file + +Version 0.9.1, 2002-08-10 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Grand rename from OpenCL to Botan +* Major optimizations for the PK algorithms +* Added ElGamal encryption +* Added Whirlpool +* Tweaked memory allocation parameters +* Improved the method of seeding the global RNG +* Moved pkcs1.h to eme_pkcs.h +* Added more test vectors for some algorithms +* Fixed error reporting in the BigInt tests +* Removed Default_Timer, it was pointless +* Added some new example applications +* Removed some old examples that weren't that interesting +* Documented the compression modules + +Version 0.9.0, 2002-08-03 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* EMSA4 supports variable salt size +* PK_* can take a string naming the encoding method to use +* Started writing some internals documentation + +Series 0.8 +---------------------------------------- + +Version 0.8.7, 2002-07-30 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fixed bugs in EME1 and EMSA4 +* Fixed a potential crash at shutdown +* Cipher modes returned an ill-formed name +* Removed various deprecated types and headers +* Cleaned up the Pipe interface a bit +* Minor additions to the documentation +* First stab at a Visual C++ makefile (doc/Makefile.vc7) + +Version 0.8.6, 2002-07-25 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Added EMSA4 (aka PSS) +* Brought the manual up to date; many corrections and additions +* Added a parallel hash function construction +* Lookup supports all available algorithms now +* Lazy initialization of the lookup tables +* Made more discrete logarithm groups available through get_dl_group() +* StreamCipher_Filter supports seeking (if the underlying cipher does) +* Minor optimization for GCD calculations +* Renamed SAFER_SK128 to SAFER_SK +* Removed many previously deprecated functions +* Some now-obsolete functions, headers, and types have been deprecated +* Fixed some bugs in DSA prime generation +* DL_Group had a constructor for DSA-style prime gen but it wasn't defined +* Reversed the ordering of the two arguments to SEAL's constructor +* Fixed a threading problem in the PK algorithms +* Fixed a minor memory leak in lookup.cpp +* Fixed pk_types.h (it was broken in 0.8.5) +* Made validation tests more verbose +* Updated the check and example applications + +Version 0.8.5, 2002-07-21 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Major changes to constructors for DL-based cryptosystems (DSA, NR, DH) +* Added a DL_Group class +* Reworking of the pubkey internals +* Support in lookup for aliases and PK algorithms +* Renamed CAST5 to CAST_128 and CAST256 to CAST_256 +* Added EMSA1 +* Reorganization of header files +* LibraryInitializer will install new allocator types if requested +* Fixed a bug in Diffie-Hellman key generation +* Did a workaround in pipe.cpp for GCC 2.95.x on Linux +* Removed some debugging code from init.cpp that made FTW ES useless +* Better checking for invalid arguments in the PK algorithms +* Reduced Base64 and Hex default line length (if line breaking is used) +* Fixes for HP's aCC compiler +* Cleanups in BigInt + +Version 0.8.4, 2002-07-14 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Added Nyberg-Rueppel signatures +* Added Diffie-Hellman key exchange (kex interface is subject to change) +* Added KDF2 +* Enhancements to the lookup API +* Many things formerly taking pointers to algorithms now take names +* Speedups for prime generation +* LibraryInitializer has support for seeding the global RNG +* Reduced SAFER-SK128 memory consumption +* Reversed the ordering of public and private key values in DSA constructor +* Fixed serious bugs in MemoryMapping_Allocator +* Fixed memory leak in Lion +* FTW_EntropySource was not closing the files it read +* Fixed line breaking problem in Hex_Encoder + +Version 0.8.3, 2002-06-09 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Added DSA and Rabin-Williams signature schemes +* Added EMSA3 +* Added PKCS#1 v1.5 encryption padding +* Added Filters for PK algorithms +* Added a Keyed_Filter class +* LibraryInitializer processes arguments now +* Major revamp of the PK interface classes +* Changed almost all of the Filters for non-template operation +* Changed HMAC, Lion, Luby-Rackoff to non-template classes +* Some fairly minor BigInt optimizations +* Added simple benchmarking for PK algorithms +* Added hooks for fixed base and fixed exponent modular exponentiation +* Added some examples for using RSA +* Numerous bugfixes and cleanups +* Documentation updates + +Version 0.8.2, 2002-05-18 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Added an (experimental) algorithm lookup interface +* Added code for directly testing BigInt +* Added SHA2-384 +* Optimized SHA2-512 +* Major optimization for Adler32 (thanks to Dan Nicolaescu) +* Various minor optimizations in BigInt and related areas +* Fixed two bugs in X9.19 MAC, both reported by Darren Starsmore +* Fixed a bug in BufferingFilter +* Made a few fixes for MacOS X +* Added a workaround in configure.pl for GCC 2.95.x +* Better support for PowerPC, ARM, and Alpha +* Some more cleanups + +Version 0.8.1, 2002-05-06 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Major code cleanup (check doc/deprecated.txt) +* Various bugs fixed, including several portability problems +* Renamed MessageAuthCode to MessageAuthenticationCode +* A replacement for X917 is in x917_rng.h +* Changed EMAC to non-template class +* Added ANSI X9.19 compatible CBC-MAC +* TripleDES now supports 128 bit keys + +Version 0.8.0, 2002-04-24 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Merged BigInt: many bugfixes and optimizations since alpha2 +* Added RSA (rsa.h) +* Added EMSA2 (emsa2.h) +* Lots of new interface code for public key algorithms (pk_base.h, pubkey.h) +* Changed some interfaces, including SymmetricKey, to support the global rng +* Fixed a serious bug in ManagedAllocator +* Renamed RIPEMD128 to RIPEMD_128 and RIPEMD160 to RIPEMD_160 +* Removed some deprecated stuff +* Added a global random number generator (rng.h) +* Added clone functions to most of the basic algorithms +* Added a library initializer class (init.h) +* Version macros in version.h +* Moved the base classes from opencl.h to base.h +* Renamed the bzip2 module to comp_bzip2 and zlib to comp_zlib +* Documentation updates for the new stuff (still incomplete) +* Many new deprecated things: check doc/deprecated.txt + +Series 0.7 +---------------------------------------- + +Version 0.7.10, 2002-04-07 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Added EGD_EntropySource module (es_egd) +* Added a file tree walking EntropySource (es_ftw) +* Added MemoryLocking_Allocator module (alloc_mlock) +* Renamed the pthr_mux, unix_rnd, and mmap_mem modules +* Changed timer mechanism; the clock method can be switched on the fly. +* Renamed MmapDisk_Allocator to MemoryMapping_Allocator +* Renamed ent_file.h to es_file.h (ent_file.h is around, but deprecated) +* Fixed several bugs in MemoryMapping_Allocator +* Added more default sources for Unix_EntropySource +* Changed SecureBuffer to use same allocation methods as SecureVector +* Added bigint_divcore into mp_core to support BigInt alpha2 release +* Removed some Pipe functions deprecated since 0.7.8 +* Some fixes for the configure program + +Version 0.7.9, 2002-03-19 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Memory allocation substantially revamped +* Added memory allocation method based on mmap(2) in the mmap_mem module +* Added ECB and CTS block cipher modes (ecb.h, cts.h) +* Added a Mutex interface (mutex.h) +* Added module pthr_mux, implementing the Mutex interface +* Added Threaded Filter interface (thr_filt.h) +* All algorithms can now by keyed with SymmetricKey objects +* More testing occurs with --validate (expected failures) +* Fixed two bugs reported by Hany Greiss, in Luby-Rackoff and RC6 +* Fixed a buffering bug in Bzip_Decompress and Zlib_Decompress +* Made X917 safer (and about 1/3 as fast) +* Documentation updates + +Version 0.7.8, 2002-02-28 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* More capabilities for Pipe, inspired by SysV STREAMS, including peeking, + better buffering, and stack ops. NOT BACKWARDS COMPATIBLE: SEE DOCUMENTATION +* Added a BufferingFilter class +* Added popen() based EntropySource for generic Unix systems (unix_rnd) +* Moved 'devrand' module into main distribution (ent_file.h), renamed to + File_EntropySource, and changed interface somewhat. +* Made Randpool somewhat more conservative and also 25% faster +* Minor fixes and updates for the configure script +* Added some tweaks for memory allocation +* Documentation updates for the new Pipe interface +* Fixed various minor bugs +* Added a couple of new example programs (stack and hasher2) + +Version 0.7.7, 2001-11-24 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Filter::send now works in the constructor of a Filter subclass +* You may now have to include <opencl/pipe.h> explicitly in some code +* Added preliminary PK infrastructure classes in pubkey.h and pkbase.h +* Enhancements to SecureVector (append, destroy functions) +* New infrastructure for secure memory allocation +* Added IEEE P1363 primitives MGF1, EME1, KDF1 +* Rijndael optimizations and cleanups +* Changed CipherMode<B> to BlockCipherMode(B*) +* Fixed a nasty bug in pipe_unixfd +* Added portions of the BigInt code into the main library +* Support for VAX, SH, POWER, PowerPC-64, Intel C++ + +Version 0.7.6, 2001-10-14 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fixed several serious bugs in SecureVector created in 0.7.5 +* Square optimizations +* Fixed shared objects on MacOS X and HP-UX +* Fixed static libs for KCC 4.0; works with KCC 3.4g as well +* Full support for Athlon and K6 processors using GCC +* Added a table of prime numbers < 2**16 (primes.h) +* Some minor documentation updates + +Version 0.7.5, 2001-08-19 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Split checksum.h into adler32.h, crc24.h, and crc32.h +* Split modes.h into cbc.h, cfb.h, and ofb.h +* CBC_wPadding* has been replaced by CBC_Encryption and CBC_Decryption +* Added OneAndZeros and NoPadding methods for CBC +* Added Lion, a very fast block cipher construction +* Added an S2K base class (s2k.h) and an OpenPGP_S2K class (pgp_s2k.h) +* Basic types (ciphers, hashes, etc) know their names now (call name()) +* Changed the EntropySource type somewhat +* Big speed-ups for ISAAC, Adler32, CRC24, and CRC32 +* Optimized CAST-256, DES, SAFER-SK, Serpent, SEAL, MD2, and RIPEMD-160 +* Some semantics of SecureVector have changed slightly +* The mlock module has been removed for the time being +* Added string handling functions for hashes and MACs +* Various non-user-visible cleanups +* Shared library soname is now set to the full version number + +Version 0.7.4, 2001-07-15 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* New modules: Zlib, gettimeofday and x86 RTC timers, Unix I/O for Pipe +* Fixed a vast number of errors in the config script/makefile/specfile +* Pipe now has a stdio(3) interface as well as C++ iostreams +* ARC4 supports skipping the first N bytes of the cipher stream (ala MARK4) +* Bzip2 supports decompressing multiple concatenated streams, and flushing +* Added a simple 'overall average' score to the benchmarks +* Fixed a small bug in the POSIX timer module +* Removed a very-unlikely-to-occur bug in most of the hash functions +* filtbase.h now includes <iosfwd>, not <iostream> +* Minor documentation updates + +Version 0.7.3, 2001-06-08 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fix build problems on Solaris/SPARC +* Fix build problems with Perl versions < 5.6 +* Fixed some stupid code that broke on a few compilers +* Added string handling functions to Pipe +* MISTY1 optimizations + +Version 0.7.2, 2001-06-03 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Build system supports modules +* Added modules for mlock, a /dev/random EntropySource, POSIX1.b timers +* Added Bzip2 compression filter, contributed by Peter Jones +* GNU make no longer required (tested with 4.4BSD pmake and Solaris make) +* Fixed minor bug in several of the hash functions +* Various other minor fixes and changes +* Updates to the documentation + +Version 0.7.1, 2001-05-16 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Rewrote configure script: more consistent and complete +* Made it easier to find out parameters of types at run time (opencl.h) +* New functions for finding the version being used (version.h) +* New SymmetricKey interface for Filters (symkey.h) +* InvalidKeyLength now records what the invalid key length was +* Optimized DES, CS-Cipher, MISTY1, Skipjack, XTEA +* Changed GOST to use correct S-box ordering (incompatible change) +* Benchmark code was almost totally rewritten +* Many more entries in the test vector file +* Fixed minor and idiotic bug in check.cpp + +Version 0.7.0, 2001-03-01 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* First public release diff --git a/doc/lowlevel.txt b/doc/lowlevel.txt new file mode 100644 index 000000000..852d7eb43 --- /dev/null +++ b/doc/lowlevel.txt @@ -0,0 +1,236 @@ + +The Low-Level Interface +================================= + +Botan has two different interfaces. The one documented in this section +is meant more for implementing higher-level types (see the section on +filters, earlier in this manual) than for use by applications. Using +it safely requires a solid knowledge of encryption techniques and best +practices, so unless you know, for example, what CBC mode and nonces +are, and why PKCS #1 padding is important, you should avoid this +interface in favor of something working at a higher level. + +Basic Algorithm Abilities +--------------------------------- + +There are a small handful of functions implemented by most of Botan's +algorithm objects. Among these are: + +.. cpp:function:: std::string Algorithm::name() + +Returns a human-readable string of the name of this +algorithm. Examples of names returned are "AES-128" and +"HMAC(SHA-512)". You can turn names back into algorithm objects using +the functions in ``lookup.h``. + +.. cpp:function:: void Algorithm::clear() + +Clear out the algorithm's internal state. A block cipher object will +"forget" its key, a hash function will "forget" any data put into it, +etc. The object will look and behave as it did when you initially +allocated it. + +.. cpp:function:: T* Algorithm::clone() + +This function is central to Botan's name-based interface. The +``clone`` has many different return types, such as ``BlockCipher``\* +and ``HashFunction``\*, depending on what kind of object it is called +on. Note that unlike Java's clone, this returns a new object in a +"pristine" state; that is, operations done on the initial object +before calling ``clone`` do not affect the initial state of the new +clone. + +Cloned objects can (and should) be deallocated with the C++ ``delete`` +operator. + +Keys and IVs +--------------------------------- + +Both symmetric keys and initialization values can be considered byte +(or octet) strings. These are represented by + +.. cpp:class:: OctetString + + Also known as ``SymmetricKey`` and ``InitializationVector``, when + you want to express intent. + + .. cpp:function:: OctetString(RandomNumberGenerator& rng, size_t length) + + This constructor creates a new random key *length* bytes long + using the random number generator. + + .. cpp:function:: OctetString(std::string str) + + The argument *str* is assumed to be a hex string; it is + converted to binary and stored. Whitespace is ignored. + + .. cpp:function:: OctetString(const byte* input, size_t length) + + This constructor copies its input. + + .. cpp:function:: as_string() const + + Returns the hex representation of the key or IV + +Symmetrically Keyed Algorithms +--------------------------------- + +Block ciphers, stream ciphers, and MACs are all keyed operations; to +be useful, they have to be set to use a particular key, which is a +randomly chosen string of bits of a specified length. The length +required by any particular algorithm may vary, depending on both the +algorithm specification and the implementation. You can query any +botan object to find out what key length(s) it supports. + +To make this similarity in terms of keying explicit, all algorithms of +those types are derived from the :cpp:class`SymmetricAlgorithm` base. +This type provides functions for setting the key, and querying +restrictions on the size of the key. + +.. cpp:class:: SymmetricAlgorithm + + .. cpp:function:: void set_key(const byte* key, size_t length) + + .. cpp:function:: void set_key(const SymmetricKey& key) + + This sets the key to the value specified. Most algorithms only + accept keys of certain lengths. If you attempt to call + ``set_key`` with a key length that is not supported, the + exception ``Invalid_Key_Length`` will be thrown. + + In all cases, ``set_key`` must be called on an object before any + data processing (encryption, decryption, etc) is done by that + object. If this is not done, the results are undefined. + + .. cpp:function:: bool valid_keylength(size_t length) const + + This function returns true if and only if *length* is a valid + keylength for the algorithm. + + .. cpp:function:: size_t minimum_keylength() const + + Return the smallest key length (in bytes) that is acceptible for the + algorithm. + + .. cpp:function:: size_t maximum_keylength() const + + Return the largest key length (in bytes) that is acceptible for the + algorithm + +Block Ciphers +--------------------------------- + +All block ciphers classes in botan are subclasses of + +.. cpp:class:: BlockCipher + + Which subclasses the :cpp:class:`SymmetricAlgorithm` interface. + + .. cpp:function:: size_t block_size() const + + Returns the block size of the cipher in bytes + + .. cpp:function:: void encrypt_n(const byte* in, \ + byte* out, size_t n) const + + Encrypt *n* blocks of data, taking the input from the array *in* + and placing the ciphertext into *out*. The two pointers may be + identical, but should not overlap ranges. + + .. cpp:function:: void encrypt(const byte* in, byte* out) const + + Encrypt a single block, taking the input from *in* and placing + it in *out*. Acts like :cpp:func:`encrypt_n`\ (in, out, 1). + + .. cpp:function:: void encrypt(byte* block) const + + Identical to :cpp:func:`encrypt`\ (block, block) + + .. cpp:function:: void decrypt_n(const byte* in, byte out, size_t n) const + + Decrypt *n* blocks of data, taking the input from *in* and + placing the plaintext in *out*. The two pointers may be + identical, but should not overlap ranges. + + .. cpp:function:: void decrypt(const byte* in, byte* out) const + + Decrypt a single block, taking the input from *in* and placing it + in *out*. Acts like :cpp:func:`decrypt_n`\ (in, out, 1). + + .. cpp:function:: void decrypt(byte* block) const + + Identical to :cpp:func:`decrypt`\ (block, block) + +Stream Ciphers +--------------------------------- + +Stream ciphers are somewhat different from block ciphers, in that +encrypting data results in changing the internal state of the +cipher. Also, you may encrypt any length of data in one go (in byte +amounts). + +.. cpp:function:: void StreamCipher::encrypt(const byte* in, byte* out, size_t length) + +.. cpp:function:: void StreamCipher::encrypt(byte* data, size_t length) + +Stream ciphers implement the ``SymmetricAlgorithm`` interface. + +Hash Functions / Message Authentication Codes +---------------------------------------------- + +Hash functions take their input without producing any output, only +producing anything when all input has already taken place. MACs are +very similar, but are additionally keyed. Both of these are derived +from the base class ``BufferedComputation``, which has the following +functions. + +.. cpp:function:: size_t BufferedComputation::output_length() + +Return the size of the output of this function. + +.. cpp:function:: void BufferedComputation::update(const byte* input, size_t length) + +.. cpp:function:: void BufferedComputation::update(byte input) + +.. cpp:function:: void BufferedComputation::update(const std::string& input) + +Updates the hash/mac calculation with *input*. + +.. cpp:function:: void BufferedComputation::final(byte* out) + +.. cpp:function:: SecureVector<byte> BufferedComputation::final() + +Complete the hash/MAC calculation and place the result into ``out``. +For the argument taking an array, exactly ``output_length`` bytes will +be written. After you call ``final``, the hash function is reset to +its initial state, so it may be reused immediately. + +The second method of using final is to call it with no arguments at +all, as shown in the second prototype. It will return the hash/mac +value in a memory buffer. + +There is also a pair of functions called ``process``. They are a +combination of a single ``update``, and ``final``. Both versions +return the final value, rather than placing it an array. Calling +``process`` with a single byte value isn't available, mostly because +it would rarely be useful. + +A MAC can be viewed (in most cases) as a keyed hash function, so +classes that are derived from ``MessageAuthenticationCode`` have +``update`` and ``final`` classes just like a ``HashFunction`` (and +like a ``HashFunction``, after ``final`` is called, it can be used to +make a new MAC right away; the key is kept around). + +A MAC has the ``SymmetricAlgorithm`` interface in addition to the +``BufferedComputation`` interface. + +Checksums +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Checksums are very similar to hash functions, and in fact share the +same interface. But there are some significant differences, the major +ones being that the output size is very small (usually in the range of +2 to 4 bytes), and is not cryptographically secure. But for their +intended purpose (error checking), they perform very well. Some +examples of checksums included in Botan are the Adler32 and CRC32 +checksums. diff --git a/doc/old_tutorial.tex b/doc/old_tutorial.tex deleted file mode 100644 index f220d765a..000000000 --- a/doc/old_tutorial.tex +++ /dev/null @@ -1,880 +0,0 @@ -\documentclass{article} - -\setlength{\textwidth}{6.5in} % 1 inch side margins -\setlength{\textheight}{9in} % ~1 inch top and bottom margins - -\setlength{\headheight}{0in} -\setlength{\topmargin}{0in} -\setlength{\headsep}{0in} - -\setlength{\oddsidemargin}{0in} -\setlength{\evensidemargin}{0in} - -\title{\textbf{Botan Tutorial}} -\author{Jack Lloyd \\ - \texttt{[email protected]}} -\date{2009/07/08} - -\newcommand{\filename}[1]{\texttt{#1}} -\newcommand{\manpage}[2]{\texttt{#1}(#2)} - -\newcommand{\macro}[1]{\texttt{#1}} - -\newcommand{\function}[1]{\textbf{#1}} -\newcommand{\type}[1]{\texttt{#1}} -\renewcommand{\arg}[1]{\textsl{#1}} -\newcommand{\variable}[1]{\textsl{#1}} - -\begin{document} - -\maketitle - -\tableofcontents - -\parskip=5pt -\pagebreak - -\section{Introduction} - -This document essentially sets up various simple scenarios and then -shows how to solve the problems using Botan. It's fairly simple, and -doesn't cover many of the available APIs and algorithms, especially -the more obscure or unusual ones. It is a supplement to the API -documentation and the example applications, which are included in the -distribution. - -To quote the Perl man page: '``There's more than one way to do it.'' -Divining how many more is left as an exercise to the reader.' - -This is \emph{not} a general introduction to cryptography, and most simple -terms and ideas are not explained in any great detail. - -Finally, most of the code shown in this tutorial has not been tested, it was -just written down from memory. If you find errors, please let me know. - -\section{Initializing the Library} - -The first step to using Botan is to create a \type{LibraryInitializer} object, -which handles creating various internal structures, and also destroying them at -shutdown. Essentially: - -\begin{verbatim} -#include <botan/botan.h> -/* include other headers here */ - -int main() - { - LibraryInitializer init; - /* now do stuff */ - return 0; - } -\end{verbatim} - -\section{Hashing a File} - -\section{Symmetric Cryptography} - -\subsection{Encryption with a passphrase} - -Probably the most common crypto problem is encrypting a file (or some data that -is in-memory) using a passphrase. There are a million ways to do this, most of -them bad. In particular, you have to protect against weak passphrases, -people reusing a passphrase many times, accidental and deliberate modification, -and a dozen other potential problems. - -We'll start with a simple method that is commonly used, and show the problems -that can arise. Each subsequent solution will modify the previous one to -prevent one or more common problems, until we arrive at a good version. - -In these examples, we'll always use Serpent in Cipher-Block Chaining -(CBC) mode. Whenever we need a hash function, we'll use SHA-256, since -that is a common and well-known hash that is thought to be secure. - -In all examples, we choose to derive the Initialization Vector (IV) from the -passphrase. Another (probably more common) alternative is to generate the IV -randomly and include it at the beginning of the message. Either way is -acceptable, and can be secure. The method used here was chosen to make for more -interesting examples (because it's harder to get right), and may not be an -appropriate choice for some environments. - -First, some notation. The passphrase is stored as a \type{std::string} named -\variable{passphrase}. The input and output files (\variable{infile} and -\variable{outfile}) are of types \type{std::ifstream} and \type{std::ofstream} -(respectively). - -\subsubsection{First try} - -We hash the passphrase with SHA-256, and use the resulting hash to key -Serpent. To generate the IV, we prepend a single '0' character to the -passphrase, hash it, and truncate it to 16 bytes (which is Serpent's -block size). - -\begin{verbatim} - HashFunction* hash = get_hash("SHA-256"); - - SymmetricKey key = hash->process(passphrase); - SecureVector<byte> raw_iv = hash->process('0' + passphrase); - InitializationVector iv(raw_iv, 16); - - Pipe pipe(get_cipher("Serpent/CBC/PKCS7", key, iv, ENCRYPTION)); - - pipe.start_msg(); - infile >> pipe; - pipe.end_msg(); - outfile << pipe; -\end{verbatim} - -\subsubsection{Problem 1: Buffering} - -There is a problem with the above code, if the input file is fairly large as -compared to available memory. Specifically, all the encrypted data is stored -in memory, and then flushed to \variable{outfile} in a single go at the very -end. If the input file is big (say, a gigabyte), this will be most problematic. - -The solution is to use a \type{DataSink} to handle the output for us (writing -to \arg{outfile} will be implicit with writing to the \type{Pipe}). We can do -this by replacing the last few lines with: - -\begin{verbatim} - Pipe pipe(get_cipher("Serpent/CBC/PKCS7", key, iv, ENCRYPTION), - new DataSink_Stream(outfile)); - - pipe.start_msg(); - infile >> pipe; - pipe.end_msg(); -\end{verbatim} - -\subsubsection{Problem 2: Deriving the key and IV} - -Hash functions like SHA-256 are deterministic; if the same passphrase -is supplied twice, then the key (and in our case, the IV) will be the -same. This is very dangerous, and could easily open the whole system -up to attack. What we need to do is introduce a salt (or nonce) into -the generation of the key from the passphrase. This will mean that the -key will not be the same each time the same passphrase is typed in by -a user. - -There is another problem with using a bare hash function to derive -keys. While it's inconceivable (based on our current understanding of -thermodynamics and theories of computation) that an attacker could -brute-force a 256-bit key, it would be fairly simple for them to -compute the SHA-256 hashes of various common passwords ('password', -the name of the dog, the significant other's middle name, favorite -sports team) and try those as keys. So we want to slow the attacker -down if we can, and an easy way to do that is to iterate the hash -function a bunch of times (say, 1024 to 4096 times). This will involve -only a small amount of effort for a legitimate user (since they only -have to compute the hashes once, when they type in their passphrase), -but an attacker, trying out a large list of potential passphrases, -will be seriously annoyed (and slowed down) by this. - -In this iteration of the example, we'll kill these two birds with one -stone, and derive the key from the passphrase using a PBKDF -(Password-Based Key Derivation Function). In this example, we use -PBKDF2 with Hash Message Authentication Code (HMAC(SHA-256)), which is -specified in PKCS \#5. We replace the first four lines of code from -the first example with: - -\begin{verbatim} - PBKDF* pbkdf = get_pbkdf("PBKDF2(SHA-256)"); - // hard-coded iteration count for simplicity; should be sufficient - pbkdf->set_iterations(10000); - // 8 octets == 64-bit salt; again, good enough - pbkdf->new_random_salt(8); - SecureVector<byte> the_salt = pbkdf->current_salt(); - - // 48 octets == 32 for key + 16 for IV - SecureVector<byte> key_and_IV = pbkdf->derive_key(48, passphrase).bits_of(); - - SymmetricKey key(key_and_IV, 32); - InitializationVector iv(key_and_IV + 32, 16); -\end{verbatim} - -To complete the example, we have to remember to write out the salt (stored in -\variable{the\_salt}) at the beginning of the file. The receiving side needs to -know this value in order to restore it (by calling the \variable{pbkdf} object's -\function{change\_salt} function) so it can derive the same key and IV from the -passphrase. - -\subsubsection{Problem 3: Protecting against modification} - -As it is, an attacker can undetectably alter the message while it is -in transit. It is vital to remember that encryption does not imply -authentication (except when using special modes that are specifically -designed to provide authentication along with encryption, like OCB and -EAX). For this purpose, we will append a message authentication code -to the encrypted message. Specifically, we will generate an extra 256 -bits of key data, and use it to key the ``HMAC(SHA-256)'' MAC -function. We don't want to have the MAC and the cipher to share the -same key; that is very much a no-no. - -\begin{verbatim} - // 80 octets == 32 for cipher key + 16 for IV + 32 for hmac key - SecureVector<byte> keys_and_IV = pbkdf->derive_key(80, passphrase); - - SymmetricKey key(keys_and_IV, 32); - InitializationVector iv(keys_and_IV + 32, 16); - SymmetricKey mac_key(keys_and_IV + 32 + 16, 32); - - Pipe pipe(new Fork( - new Chain( - get_cipher("Serpent/CBC/PKCS7", key, iv, ENCRYPTION), - new DataSink_Stream(outfile) - ), - new MAC_Filter("HMAC(SHA-256)", mac_key) - ) - ); - - pipe.start_msg(); - infile >> pipe; - pipe.end_msg(); - - // now read the MAC from message #2. Message numbers start from 0 - SecureVector<byte> hmac = pipe.read_all(1); - outfile.write((const char*)&hmac[0], hmac.size()); -\end{verbatim} - -The receiver can check the size of the file (in bytes), and since it knows how -long the MAC is, can figure out how many bytes of ciphertext there are. Then it -reads in that many bytes, sending them to a Serpent/CBC decryption object -(which could be obtained by calling \verb|get_cipher| with an argument of -\type{DECRYPTION} instead of \type{ENCRYPTION}), and storing the final bytes to -authenticate the message with. - -\subsubsection{Problem 4: Cleaning up the key generation} - -The method used to derive the keys and IV is rather inelegant, and it would be -nice to clean that up a bit, algorithmically speaking. A nice solution for this -is to generate a master key from the passphrase and salt, and then generate the -two keys and the IV (the cryptovariables) from that. - -Starting from the master key, we derive the cryptovariables using a KDF -algorithm, which is designed, among other things, to ``separate'' keys so that -we can derive several different keys from the single master key. For this -purpose, we will use KDF2, which is a generally useful KDF function (defined in -IEEE 1363a, among other standards). The use of different labels (``cipher -key'', etc) makes sure that each of the three derived variables will have -different values. - -\begin{verbatim} - PBKDF* pbkdf = get_pbkdf("PBKDF2(SHA-256)"); - // hard-coded iteration count for simplicity; should be sufficient - pbkdf->set_iterations(10000); - // 8 octet == 64-bit salt; again, good enough - pbkdf->new_random_salt(8); - // store the salt so we can write it to a file later - SecureVector<byte> the_salt = pbkdf->current_salt(); - - SymmetricKey master_key = pbkdf->derive_key(48, passphrase); - - KDF* kdf = get_kdf("KDF2(SHA-256)"); - - SymmetricKey key = kdf->derive_key(32, master_key, "cipher key"); - SymmetricKey mac_key = kdf->derive_key(32, master_key, "hmac key"); - InitializationVector iv = kdf->derive_key(16, master_key, "cipher iv"); -\end{verbatim} - -\subsubsection{Final version} - -Here is the final version of the encryption code, with all the changes we've -made: - -\begin{verbatim} - PBKDF* pbkdf = get_pbkdf("PBKDF2(SHA-256)"); - pbkdf->set_iterations(10000); - pbkdf->new_random_salt(8); - SecureVector<byte> the_salt = pbkdf->current_salt(); - - SymmetricKey master_key = pbkdf->derive_key(48, passphrase); - - KDF* kdf = get_kdf("KDF2(SHA-256)"); - - SymmetricKey key = kdf->derive_key(32, master_key, "cipher key"); - SymmetricKey mac_key = kdf->derive_key(32, masterkey, "hmac key"); - InitializationVector iv = kdf->derive_key(16, masterkey, "cipher iv"); - - Pipe pipe(new Fork( - new Chain( - get_cipher("Serpent/CBC/PKCS7", key, iv, ENCRYPTION), - new DataSink_Stream(outfile) - ), - new MAC_Filter("HMAC(SHA-256)", mac_key) - ) - ); - - outfile.write((const char*)&the_salt[0], the_salt.size()); - - pipe.start_msg(); - infile >> pipe; - pipe.end_msg(); - - SecureVector<byte> hmac = pipe.read_all(1); - outfile.write((const char*)&hmac[0], hmac.size()); -\end{verbatim} - -\subsubsection{Another buffering technique} - -Sometimes the use of \type{DataSink\_Stream} is not practical for whatever -reason. In this case, an alternate buffering mechanism might be useful. Here is -some code which will write all the processed data as quickly as possible, so -that memory pressure is reduced in the case of large inputs. - -\begin{verbatim} - pipe.start_msg(); - SecureBuffer<byte, 1024> buffer; - while(infile.good()) - { - infile.read((char*)&buffer[0], buffer.size()); - u32bit got_from_infile = infile.gcount(); - pipe.write(buffer, got_from_infile); - - if(infile.eof()) - pipe.end_msg(); - - while(pipe.remaining() > 0) - { - u32bit buffered = pipe.read(buffer, buffer.size()); - outfile.write((const char*)&buffer[0], buffered); - } - } - if(infile.bad() || (infile.fail() && !infile.eof())) - throw Some_Exception(); -\end{verbatim} - -\pagebreak - -\subsection{Authentication} - -After doing the encryption routines, doing message authentication keyed off a -passphrase is not very difficult. In fact it's much easier than the encryption -case, for the following reasons: a) we only need one key, and b) we don't have -to store anything, so all the input can be done in a single step without -worrying about it taking up a lot of memory if the input file is large. - -In this case, we'll hex-encode the salt and the MAC, and output them both to -standard output (the salt followed by the MAC). - -\begin{verbatim} - PBKDF* pbkdf = get_pbkdf("PBKDF2(SHA-256)"); - pbkdf->set_iterations(10000); - pbkdf->new_random_salt(8); - OctetString the_salt = pbkdf->current_salt(); - - SymmetricKey hmac_key = pbkdf->derive_key(32, passphrase); - - Pipe pipe(new MAC_Filter("HMAC(SHA-256)", mac_key), - new Hex_Encoder - ); - - std::cout << the_salt.to_string(); // hex encoded - - pipe.start_msg(); - infile >> pipe; - pipe.end_msg(); - std::cout << pipe.read_all_as_string() << std::endl; -\end{verbatim} - -\subsection{User Authentication} - -Doing user authentication off a shared passphrase is fairly easy. Essentially, -a challenge-response protocol is used - the server sends a random challenge, -and the client responds with an appropriate response to the challenge. The idea -is that only someone who knows the passphrase can generate or check to see if a -response is valid. - -Let's say we use 160-bit (20 byte) challenges, which seems fairly -reasonable. We can create this challenge using the global random -number generator (RNG): - -\begin{verbatim} - byte challenge[20]; - Global_RNG::randomize(challenge, sizeof(challenge), Nonce); - // send challenge to client -\end{verbatim} - -After reading the challenge, the client generates a response based on -the challenge and the passphrase. In this case, we will do it by -repeatedly hashing the challenge, the passphrase, and (if applicable) -the previous digest. We iterate this construction 10000 times, to make -brute force attacks on the passphrase hard to do. Since we are already -using 160-bit challenges, a 160-bit response seems warranted, so we'll -use SHA-1. - -\begin{verbatim} - HashFunction* hash = get_hash("SHA-1"); - SecureVector<byte> digest; - for(u32bit j = 0; j != 10000; j++) - { - hash->update(digest, digest.size()); - hash->update(passphrase); - hash->update(challenge, challenge.size()); - digest = hash->final(); - } - delete hash; - // send value of digest to the server -\end{verbatim} - -Upon receiving the response from the client, the server computes what the -response should have been based on the challenge it sent out, and the -passphrase. If the two responses match, the client is authenticated. -Otherwise, it is not. - -An alternate method is to use PBKDF2 again, using the challenge as the salt. In -this case, the response could (for example) be the hash of the key produced by -PBKDF2. There is no reason to have an explicit iteration loop, as PBKDF2 is -designed to prevent dictionary attacks (assuming PBKDF2 is set up for a large -iteration count internally). - -\pagebreak - -\section{Public Key Cryptography} - -\subsection{Basic Operations} - -In this section, we'll assume we have a \type{X509\_PublicKey*} named -\arg{pubkey}, and, if necessary, a private key type (a -\type{PKCS8\_PrivateKey*}) named \arg{privkey}. A description of these types, -how to create them, and related details appears later in this tutorial. In this -section, we will use various functions that are defined in -\filename{look\_pk.h} -- you will have to include this header explicitly. - -\subsubsection{Encryption} - -Basically, pick an encoding method, create a \type{PK\_Encryptor} (with -\function{get\_pk\_encryptor}()), and use it. But first we have to make sure -the public key can actually be used for public key encryption. For encryption -(and decryption), the key could be RSA, ElGamal, or (in future versions) some -other public key encryption scheme, like Rabin or an elliptic curve scheme. - -\begin{verbatim} - PK_Encrypting_Key* key = dynamic_cast<PK_Encrypting_Key*>(pubkey); - if(!key) - error(); - PK_Encryptor* enc = get_pk_encryptor(*key, "EME1(SHA-256)"); - - byte msg[] = { /* ... */ }; - - // will also accept a SecureVector<byte> as input - SecureVector<byte> ciphertext = enc->encrypt(msg, sizeof(msg)); -\end{verbatim} - -\subsubsection{Decryption} - -This is essentially the same as the encryption operation, but using a private -key instead. One major difference is that the decryption operation can fail due -to the fact that the ciphertext was invalid (most common padding schemes, such -as ``EME1(SHA-256)'', include various pieces of redundancy, which are checked -after decryption). - -\begin{verbatim} - PK_Decrypting_Key* key = dynamic_cast<PK_Decrypting_Key*>(privkey); - if(!key) - error(); - PK_Decryptor* dec = get_pk_decryptor(*key, "EME1(SHA-256)"); - - byte msg[] = { /* ... */ }; - - SecureVector<byte> plaintext; - - try { - // will also accept a SecureVector<byte> as input - plaintext = dec->decrypt(msg, sizeof(msg)); - } - catch(Decoding_Error) - { - /* the ciphertext was invalid */ - } -\end{verbatim} - -\subsubsection{Signature Generation} - -There is one difficulty with signature generation that does not occur with -encryption or decryption. Specifically, there are various padding methods which -can be useful for different signature algorithms, and not all are appropriate -for all signature schemes. The following table breaks down what algorithms -support which encodings: - -\begin{tabular}{|c|c|c|} \hline -Signature Algorithm & Usable Encoding Methods & Preferred Encoding(s) \\ \hline -DSA / NR & EMSA1 & EMSA1 \\ \hline -RSA & EMSA1, EMSA2, EMSA3, EMSA4 & EMSA3, EMSA4 \\ \hline -Rabin-Williams & EMSA2, EMSA4 & EMSA2, EMSA4 \\ \hline -\end{tabular} - -For new applications, use EMSA4 with both RSA and Rabin-Williams, as it is -significantly more secure than the alternatives. However, most current -applications/libraries only support EMSA2 with Rabin-Williams and EMSA3 with -RSA. Given this, you may be forced to use less secure encoding methods for the -near future. In these examples, we punt on the problem, and hard-code using -EMSA1 with SHA-256. - -\begin{verbatim} - Public_Key* key = /* loaded or generated somehow */ - PK_Signer* signer = get_pk_signer(*key, "EMSA1(SHA-256)"); - - byte msg[] = { /* ... */ }; - - /* - You can also repeatedly call update(const byte[], u32bit), followed - by a call to signature(), which will return the final signature of - all the data that was passed through update(). sign_message() is - just a stub that calls update() once, and returns the value of - signature(). - */ - - SecureVector<byte> signature = signer->sign_message(msg, sizeof(msg)); -\end{verbatim} - -\pagebreak - -\subsubsection{Signature Verification} - -In addition to all the problems with choosing the correct padding method, -there is yet another complication with verifying a signature. Namely, there are -two varieties of signature algorithms - those providing message recovery (that -is, the value that was signed can be directly recovered by someone verifying -the signature), and those without message recovery (the verify operation simply -returns if the signature was valid, without telling you exactly what was -signed). This leads to two slightly different implementations of the -verification operation, which user code has to work with. As you can see -however, the implementation is still not at all difficult. - -\begin{verbatim} - PK_Verifier* verifier = 0; - - PK_Verifying_with_MR_Key* key1 = - dynamic_cast<PK_Verifying_with_MR_Key*>(pubkey); - PK_Verifying_wo_MR_Key* key2 = - dynamic_cast<PK_Verifying_wo_MR_Key*>(pubkey); - - if(key1) - verifier = get_pk_verifier(*key1, "EMSA1(SHA-256)"); - else if(key2) - verifier = get_pk_verifier(*key2, "EMSA1(SHA-256)"); - else - error(); - - byte msg[] = { /* ... */ }; - byte sig[] = { /* ... */ }; - - /* - Like PK_Signer, you can also do repeated calls to - void update(const byte some_data[], u32bit length) - followed by a call to - bool check_signature(const byte the_sig[], u32bit length) - which will return true (valid signature) or false (bad signature). - The function verify_message() is a simple wrapper around update() and - check_signature(). - - */ - bool is_valid = verifier->verify_message(msg, sizeof(msg), sig, sizeof(sig)); -\end{verbatim} - -\subsubsection{Key Agreement} - -WRITEME - -\pagebreak - -\subsection{Working with Keys} - -\subsubsection{Reading Public Keys (X.509 format)} - -There are two separate ways to read X.509 public keys. Remember that the X.509 -public keys are simply that: public keys. There is no associated information -(such as the owner of that key) included with the public key itself. If you -need that kind of information, you'll need to use X.509 certificates. - -However, there are surely times when a simple public key is sufficient. The -most obvious is when the key is implicitly trusted, for example if access -and/or modification of it is controlled by something else (like filesystem -ACLs). In other cases, it is a perfectly reasonable proposition to use them -over the network as an anonymous key exchange mechanism. This is, admittedly, -vulnerable to man-in-the-middle attacks, but it's simple enough that it's hard -to mess up (see, for example, Peter Guttman's paper ``Lessons Learned in -Implementing and Deploying Crypto Software'' in Usenix '02). - -The way to load a key is basically to set up a \type{DataSource} and then call -\function{X509::load\_key}, which will return a \type{X509\_PublicKey*}. For -example: - -\begin{verbatim} - DataSource_Stream somefile("somefile.pem"); // has 3 public keys - X509_PublicKey* key1 = X509::load_key(somefile); - X509_PublicKey* key2 = X509::load_key(somefile); - X509_PublicKey* key3 = X509::load_key(somefile); - // Now we have them all loaded. Huzah! -\end{verbatim} - -At this point you can use \function{dynamic\_cast} to find the operations the -key supports (by seeing if a cast to \type{PK\_Encrypting\_Key}, -\type{PK\_Verifying\_with\_MR\_Key}, or \type{PK\_Verifying\_wo\_MR\_Key} -succeeds). - -There is a variant of \function{X509::load\_key} (and of -\function{PKCS8::load\_key}, described in the next section) which take a -filename (as a \type{std::string}). These are just convenience functions which -create the appropriate \type{DataSource} for you and call the main -\function{X509::load\_key}. - -\subsubsection{Reading Private Keys (PKCS \#8 format)} - -This is very similar to reading raw public keys, with the difference that the -key may be encrypted with a user passphrase: - -\begin{verbatim} - // rng is a RandomNumberGenerator, like AutoSeeded_RNG - - DataSource_Stream somefile("somefile"); - std::string a_passphrase = /* get from the user */ - PKCS8_PrivateKey* key = PKCS8::load_key(somefile, rng, a_passphrase); -\end{verbatim} - -You can, by the way, convert a \type{PKCS8\_PrivateKey} to a -\type{X509\_PublicKey} simply by casting it (with \function{dynamic\_cast}), as -the private key type is derived from \type{X509\_PublicKey}. As with -\type{X509\_PublicKey}, you can use \function{dynamic\_cast} to figure out what -operations the private key is capable of; in particular, you can attempt to -cast it to \type{PK\_Decrypting\_Key}, \type{PK\_Signing\_Key}, or -\type{PK\_Key\_Agreement\_Key}. - -Sometimes you can get away with having a static passphrase passed to -\function{load\_key}. Typically, however, you'll have to do some user -interaction to get the appropriate passphrase. In that case you'll want to use -the \type{UI} related interface, which is fully described in the API -documentation. - -\subsubsection{Generating New Private Keys} - -Generate a new private key is the one operation which requires you to -explicitly name the type of key you are working with. There are (currently) two -kinds of public key algorithms in Botan: ones based on the integer -factorization (IF) problem (RSA and Rabin-Williams), and ones based on the -discrete logarithm (DL) problem (DSA, Diffie-Hellman, Nyberg-Rueppel, and -ElGamal). Since discrete logarithm parameters (primes and generators) can be -shared among many keys, there is the notion of these being a combined type -(called \type{DL\_Group}). - -To create a new DL-based private key, simply pass a desired \type{DL\_Group} to -the constructor of the private key - a new public/private key pair will be -generated. Since in IF-based algorithms, the modulus used isn't shared by other -keys, we don't use this notion. You can create a new key by passing in a -\type{u32bit} telling how long (in bits) the key should be. - -There are quite a few ways to get a \type{DL\_Group} object. The best is to use -the function \function{get\_dl\_group}, which takes a string naming a group; it -will either return that group, if it knows about it, or throw an -exception. Names it knows about include ``IETF-n'' where n is 768, 1024, 1536, -2048, 3072, or 4096, and ``DSA-n'', where n is 512, 768, or 1024. The IETF -groups are the ones specified for use with IPSec, and the DSA ones are the -default DSA parameters specified by Java's JCE. For DSA and Nyberg-Rueppel, use -the ``DSA-n'' groups, and for Diffie-Hellman and ElGamal, use the ``IETF-n'' -groups. - -You can also generate a new random group. This is not recommend, because it is -very slow, particularly for ``safe'' primes, which are needed for -Diffie-Hellman and ElGamal. - -Some examples: - -\begin{verbatim} - RSA_PrivateKey rsa1(512); // 512-bit RSA key - RSA_PrivateKey rsa2(2048); // 2048-bit RSA key - - RW_PrivateKey rw1(1024); // 1024-bit Rabin-Williams key - RW_PrivateKey rw2(1536); // 1536-bit Rabin-Williams key - - DSA_PrivateKey dsa(get_dl_group("DSA-512")); // 512-bit DSA key - DH_PrivateKey dh(get_dl_group("IETF-4096")); // 4096-bit DH key - NR_PrivateKey nr(get_dl_group("DSA-1024")); // 1024-bit NR key - ElGamal_PrivateKey elg(get_dl_group("IETF-1536")); // 1536-bit ElGamal key -\end{verbatim} - -To export your newly created private key, use the PKCS \#8 routines in -\filename{pkcs8.h}: - -\begin{verbatim} - std::string a_passphrase = /* get from the user */ - std::string the_key = PKCS8::PEM_encode(rsa2, a_passphrase); -\end{verbatim} - -You can read the key back in using \function{PKCS8::load\_key}, described in -the section ``Reading Private Keys (PKCS \#8 format)'', above. Unfortunately, -this only works with keys that have an assigned algorithm identifier and -standardized format. Currently this is only the RSA, DSA, DH, and ElGamal -algorithms, though RW and NR keys can also be imported and exported by -assigning them an OID (this can be done either through a configuration file, or -by calling the function \function{OIDS::add\_oid} in \filename{oids.h}). Be -aware that the OID and format for ElGamal keys is not exactly standard, but -there does exist at least one other crypto library which will accept the -format. - -The raw public can be exported using: - -\begin{verbatim} - std::string the_public_key = X509::PEM_encode(rsa2); -\end{verbatim} - -\pagebreak - -\section{X.509v3 Certificates} - -Using certificates is rather complicated, so only the very basic mechanisms are -going to be covered here. The section ``Setting up a CA'' goes into reasonable -detail about CRLs and certificate requests, but there is a lot that isn't -covered (else this section would get quite long and complicated). - -\subsection{Importing and Exporting Certificates} - -Importing and exporting X.509 certificates is easy. Simply call the constructor -with either a \type{DataSource\&}, or the name of a file: - -\begin{verbatim} - X509_Certificate cert1("cert1.pem"); - - /* This file contains two certificates, concatenated */ - DataSource_Stream in("certs2_and_3.pem"); - - X509_Certificate cert2(in); // read the first cert - X509_Certificate cert3(in); // read the second cert -\end{verbatim} - -Exporting the certificate is a simple matter of calling the member function -\function{PEM\_encode}(), which returns a \type{std::string} containing the -certificate in PEM encoding. - -\begin{verbatim} - std::cout << cert3.PEM_encode(); - some_ostream_object << cert1.PEM_encode(); - std::string cert2_str = cert2.PEM_encode(); -\end{verbatim} - -\subsection{Verifying Certificates} - -Verifying a certificate requires that we build up a chain of trust, starting -from the root (usually a commercial CA), down through some number of -intermediate CAs, and finally reaching the actual certificate in -question. Thus, to verify, we actually have to have all those certificates -on hand (or at the very least, know where we can get the ones we need). - -The class which handles both storing certificates, and verifying them, is -called \type{X509\_Store}. We'll start by assuming that we have all the -certificates we need, and just want to verify a cert. This is done by calling -the member function \function{validate\_cert}, which takes the -\type{X509\_Certificate} in question, and an optional argument of type -\type{Cert\_Usage} (which is ignored here; read the section in the API doc -titled ``Verifying Certificates for information). It returns an enum; -\type{X509\_Code}, which, for most purposes, is either \type{VERIFIED}, or -something else (which specifies what circumstance caused the certificate to be -considered invalid). Really, that's it. - -Now, how to let \type{X509\_Store} know about all those certificates and CRLs -we have lying around? The simplest method is to add them directly, using the -functions \function{add\_cert}, \function{add\_certs}, -\function{add\_trusted\_certs}, and \function{add\_crl}; for details, consult -the API doc or read the \filename{x509stor.h} header. There is also a much more -elegant and powerful method: \type{Certificate\_Store}s. A certificate store -refers to an object that knows how to retrieve certificates from some external -source (a file, an LDAP directory, a HTTP server, a SQL database, or anything -else). By calling the function \function{add\_new\_certstore}, you can register -a new certificate store, which \type{X509\_Store} will use to find certificates -it needs. Thus, you can get away with only adding whichever root CA cert(s) you -want to use, letting some online source handle the storage of all intermediate -X.509 certificates. The API documentation has a more complete discussion of -\type{Certificate\_Store}. - -\subsection{Setting up a CA} - -WRITEME - -\pagebreak - -\section{Special Topics} - -This chapter is for subjects that don't really fit into the API documentation -or into other chapters of the tutorial. - -\subsection{GUIs} - -There is nothing particularly special about using Botan in a GUI-based -application. However there are a few tricky spots, as well as a few ways to -take advantage of an event-based application. - -\subsubsection{Initialization} - -Generally you will create the \type{LibraryInitializer} somewhere in -\texttt{main}, before entering the event loop. One problem is that some GUI -libraries take over \texttt{main} and drop you right into the event loop; the -question then is how to initialize the library? The simplest way is probably to -have a static flag that marks if you have already initialized the library or -not. When you enter the event loop, check to see if this flag has not been set, -and if so, initialize the library using the function-based initializers. Using -\type{LibraryInitializer} obviously won't work in this case, since it would be -destroyed as soon as the current event handler finished. You then deinitialize -the library whenever your application is signaled to quit. - -\subsubsection{Interacting With the Library} - -In the simple case, the user will do stuff asynchronously, and then in response -your code will do things like encrypt a file or whatever, which can all be done -synchronously, since the data is right there for you. An application doing -something like this is basically going to look exactly like a command line -application that uses Botan, the only major difference being that the calls to -the library are inside event handlers. - -Much harder is something like an SSH client, where you're acting as a layer -between two asynchronous things (the user and the network). This actually isn't -restricted to GUIs at all (text-mode SSH clients have to deal with most of the -same problems), but it is probably more common with a GUI app. The following -discussion is fairly vague, but hopefully somewhat useful. - -There are a few facilities in Botan that are primarily designed to be used by -applications based on an event loop. See the section ``User Interfaces'' in the -main API doc for details. - -\subsubsection{Entropy} - -One nice advantage of using a GUI is opening a new method of gathering entropy -for the library. This is especially handy on Windows, where the available -sources of entropy are pretty questionable. In many versions, -\texttt{CryptGenRandom} is really rather poor, and the Toolhelp functions may -not provide much data on a small system (such as a handheld). For example, in -GTK+, you can use the following callback to get information about mouse -movements: - -\begin{verbatim} -static gint add_entropy(GtkWidget* widget, GdkEventMotion* event) - { - if(event) - Global_RNG::add_entropy(event, sizeof(GdkEventMotion)); - return FALSE; - } -\end{verbatim} - -And then register it with your main GTK window (presumably named -\variable{window}) as follows: - -\begin{verbatim} -gtk_signal_connect(GTK_OBJECT(window), "motion_notify_event", - GTK_SIGNAL_FUNC(add_entropy), NULL); - -gtk_widget_set_events(window, GDK_POINTER_MOTION_MASK); -\end{verbatim} - -Even though we're catching all mouse movements, and hashing the results into -the entropy pool, this doesn't use up more than a few percent of even a -relatively slow desktop CPU. Note that in the case of using X over a network, -catching all mouse events would cause large amounts of X traffic over the -network, which might make your application slow, or even unusable (I haven't -tried it, though). - -This could be made nicer if the collection function did something like -calculating deltas between each run, storing them into a buffer, and then when -enough of them have been added, hashing them and send them all to the PRNG in -one shot. This would not only reduce load, but also prevent the PRNG from -overestimating the amount of entropy it's getting, since its estimates don't -(can't) take history into account. For example, you could move the mouse back -and forth one pixel, and the PRNG would think it was getting a full load of -entropy each time, when actually it was getting (at best) a bit or two. - -\end{document} diff --git a/doc/passhash.txt b/doc/passhash.txt new file mode 100644 index 000000000..8ce3cf805 --- /dev/null +++ b/doc/passhash.txt @@ -0,0 +1,117 @@ + +Password Hashing +======================================== + +Storing passwords for user authentication purposes in plaintext is the +simplest but least secure method; when an attacker compromises the +database in which the passwords are stored, they immediately gain +access to all of them. Often passwords are reused among multiple +services or machines, meaning once a password to a single service is +known an attacker has a substantial head start on attacking other +machines. + +The general approach is to store, instead of the password, the output +of a one way function of the password. Upon receiving an +authentication request, the authenticator can recompute the one way +function and compare the value just computed with the one that was +stored. If they match, then the authentication request succeeds. But +when an attacker gains access to the database, they only have the +output of the one way function, not the original password. + +Common hash functions such as SHA-256 are one way, but used alone they +have problems for this purpose. What an attacker can do, upon gaining +access to such a stored password database, is hash common dictionary +words and other possible passwords, storing them in a list. Then he +can search through his list; if a stored hash and an entry in his list +match, then he has found the password. Even worse, this can happen +*offline*: an attacker can begin hashing common passwords days, +months, or years before ever gaining access to the database. In +addition, if two users choose the same password, the one way function +output will be the same for both of them, which will be visible upon +inspection of the database. + +There are two solutions to these problems: salting and +iteration. Salting refers to including, along with the password, a +randomly chosen value which perturbs the one way function. Salting can +reduce the effectivness of offline dictionary generation (because for +each potential password, an attacker would have to compute the one way +function output for all possible salts - with a large enough salt, +this can make the problem quite difficult). It also prevents the same +password from producing the same output, as long as the salts do not +collide. With a large salt (say 80 to 128 bits) this will be quite +unlikely. Iteration refers to the general technique of forcing +multiple one way function evaluations when computing the output, to +slow down the operation. For instance if hashing a single password +requires running SHA-256 100,000 times instead of just once, that will +slow down user authentication by a factor of 100,000, but user +authentication happens quite rarely, and usually there are more +expensive operations that need to occur anyway (network and database +I/O, etc). On the other hand, an attacker who is attempting to break a +database full of stolen password hashes will be seriously +inconvenienced by a factor of 100,000 slowdown; they will be able to +only test at a rate of .0001% of what they would without iterations +(or, equivalently, will require 100,000 times as many zombie botnet +hosts). + +Botan provides two techniques for password hashing, bcrypt and +passhash9. + +.. _bcrypt: + +Bcrypt Password Hashing +---------------------------------------- + +Bcrypt is a password hashing scheme originally designed for use in +OpenBSD, but numerous other implementations exist. It is made +available by including ``bcrypt.h``. Bcrypt provides outputs that +look like this:: + + "$2a$12$7KIYdyv8Bp32WAvc.7YvI.wvRlyVn0HP/EhPmmOyMQA4YKxINO0p2" + +.. cpp:function:: std::string generate_bcrypt(const std::string& password, \ + RandomNumberGenerator& rng, u16bit work_factor = 10) + + Takes the password to hash, a rng, and a work factor. Higher values + increase the amount of time the algorithm runs, increasing the cost + of cracking attempts. The resulting hash is returned as a string. + +.. cpp:function:: bool check_bcrypt(const std::string& password, \ + const std::string& hash) + + Takes a password and a bcrypt output and returns true if the + password is the same as the one that was used to generate the + bcrypt hash. + +Here is an example of using bcrypt: + +.. literalinclude:: examples/bcrypt.cpp + +.. _passhash9: + +Passhash9 +---------------------------------------- + +Botan also provides a password hashing technique called passhash9, in +``passhash9.h``, which is based on PBKDF2. Its outputs look like:: + + "$9$AAAKxwMGNPSdPkOKJS07Xutm3+1Cr3ytmbnkjO6LjHzCMcMQXvcT" + +.. cpp:function:: std::string generate_passhash9(const std::string& password, \ + RandomNumberGenerator& rng, u16bit work_factor = 10, byte alg_id = 0) + + Functions much like ``generate_bcrypt``. The last parameter, + ``alg_id``, specifies which PRF to use. Currently defined values + are + + ======= ============== + Value PRF algorithm + ======= ============== + 0 HMAC(SHA-1) + 1 HMAC(SHA-256) + 2 CMAC(Blowfish) + ======= ============== + +.. cpp:function:: bool check_passhash9(const std::string& password, \ + const std::string& hash) + + Functions much like ``check_bcrypt`` diff --git a/doc/pbkdf.txt b/doc/pbkdf.txt new file mode 100644 index 000000000..f24dcd188 --- /dev/null +++ b/doc/pbkdf.txt @@ -0,0 +1,76 @@ + +.. _pbkdf: + +PBKDF Algorithms +======================================== + +There are various procedures for turning a passphrase into a arbitrary +length key for use with a symmetric cipher. A general interface for +such algorithms is presented in ``pbkdf.h``. The main function is +``derive_key``, which takes a passphrase, a salt, an iteration count, +and the desired length of the output key, and returns a key of that +length, deterministically produced from the passphrase and salt. If an +algorithm can't produce a key of that size, it will throw an exception +(most notably, PKCS #5's PBKDF1 can only produce strings between 1 and +$n$ bytes, where $n$ is the output size of the underlying hash +function). + +The purpose of the iteration count is to make the algorithm take +longer to compute the final key (reducing the speed of brute-force +attacks of various kinds). Most standards recommend an iteration count +of at least 10000. Currently defined PBKDF algorithms are +"PBKDF1(digest)", "PBKDF2(digest)", and "OpenPGP-S2K(digest)"; you can +retrieve any of these using the ``get_pbkdf``, found in +``lookup.h``. As of this writing, "PBKDF2(SHA-256)" with 10000 +iterations and a 16 byte salt is recommend for new applications. + +.. cpp:function:: OctetString PBKDF::derive_key( \ + size_t output_len, const std::string& passphrase, \ + const byte* salt, size_t salt_len, \ + size_t iterations) const + + Computes a key from *passphrase* and the *salt* (of length + *salt_len* bytes) using an algorithm-specific interpretation of + *iterations*, producing a key of length *output_len*. + + Use an iteration count of at least 10000. The salt should be + randomly chosen by a good random number generator (see + :ref:`random_number_generators` for how), or at the very least + unique to this usage of the passphrase. + + If you call this function again with the same parameters, you will + get the same key. + +:: + + PBKDF* pbkdf = get_pbkdf("PBKDF2(SHA-256)"); + AutoSeeded_RNG rng; + + SecureVector<byte> salt = rng.random_vec(16); + OctetString aes256_key = pbkdf->derive_key(32, "password", + &salt[0], salt.size(), + 10000); + + +OpenPGP S2K +---------------------------------------- + +There are some oddities about OpenPGP's S2K algorithms that are +documented here. For one thing, it uses the iteration count in a +strange manner; instead of specifying how many times to iterate the +hash, it tells how many *bytes* should be hashed in total +(including the salt). So the exact iteration count will depend on the +size of the salt (which is fixed at 8 bytes by the OpenPGP standard, +though the implementation will allow any salt size) and the size of +the passphrase. + +To get what OpenPGP calls "Simple S2K", set iterations to 0, and do +not specify a salt. To get "Salted S2K", again leave the iteration +count at 0, but give an 8-byte salt. "Salted and Iterated S2K" +requires an 8-byte salt and some iteration count (this should be +significantly larger than the size of the longest passphrase that +might reasonably be used; somewhere from 1024 to 65536 would probably +be about right). Using both a reasonably sized salt and a large +iteration count is highly recommended to prevent password guessing +attempts. + diff --git a/doc/pgpkey.txt b/doc/pgpkey.txt new file mode 100644 index 000000000..ef8827835 --- /dev/null +++ b/doc/pgpkey.txt @@ -0,0 +1,43 @@ + +PGP Code Signing Key +======================================== + +.. highlight:: none + +The following PGP key is used to sign all releases:: + + pub 2048R/EFBADFBC 2004-10-30 + Key fingerprint = 621D AF64 11E1 851C 4CF9 A2E1 6211 EBF1 EFBA DFBC + uid Botan Distribution Key + + -----BEGIN PGP PUBLIC KEY BLOCK----- + Version: GnuPG v2.0.17 (GNU/Linux) + + mQELBEGD1j0BCADHxPJkPcjJE+4Dlisx2hVc0Dj6JI1MSLrkM8R+2bOhVUSferxP + T1EMPhfrAdOHTAloyvRThJztnZsNKqfLL49GGcBLdEGAVNks1pG37Teze5Lx1XIu + zJFrozL2sqBy5C6nHpFgd1tcD68Rah2wp0u2cR9owXf1IqKdEfuo661+MTv7wTB1 + 4hKV75nB7ZO6676SEZRILYM+7RJwKAKEmEPJc6hEf94VXn9ecNzaTlHgYkjhz9db + LOd3od9XvuUw+LMR1dwBqMxbvR90MiXjbedDEkbArcZB9YOAIvEX/lC3qaW4XJt4 + iwHWl/YVZEfALcvQywe2CDrH5hO794wd9MpBAAYptBZCb3RhbiBEaXN0cmlidXRp + b24gS2V5iQEqBBMBAgAUAhsDAh4BAheABQJKfFpnBBUKCQgACgkQYhHr8e+637xk + PQf/aOi78XenwwvFrwXOVIVTdZIf8rK1zJksf26h09UD8uVV6z5iiTcpn86+eN9p + 6Ar8IH3tD+JuFnPSwZ/r9MNC2XZwenYo4Gb14jqM6/9hBe328vmeM4Y1G7bD4HrL + kgV5WEyokqm3zbp3FBLr3Vh68TAC5JB9aHevra+cCA2u3vBNI3YUM5z4TdO150P3 + J00whkqImQEUni8bgxvllBLFM+uhucsX3HZWkoDEpotbg8yd0bqMkiPEyMr1OnJq + eDVDMrB5wnyLgLFfRAAw3mopM0C1PNOAHr/BIYiaDHX2OwnOfep8rMDoRVf2Ge0D + DBgsJJ6LduQHLeg403SHWL2F6YkCHAQTAQIABgUCQYPWUgAKCRBcD5boTsFta+r9 + EACWVis7YcaGkKKgRB/5ox8rM36XVhMXdh/hnnGHt5rapbbRRkRHRcWU8WIcFO1A + 59+TfwNNd8gN1MEt/5aX5KHWVKHBDexJgIxm6Dm1pisYHf/dnYQPM18hmqqwNlKY + 97hFkPpHd7enrtc/SvGbQhhLXYlpwBrdMl76e9xJLnnrRQksxegGPo8cr+C9HTs1 + Lwa8zzBxyBwYBYX+0moDkDShEhuXx6mEOXrGvQanJuIvpoIwGH+62E65MbJGlwWp + w/MAtm2jFhBIhGV0bqJCFp9zIgdNgfskBaPr0oilbuJQZqP0Iqe/6CCt4XkS51yW + ZqxjLAFpEpvDec4PGw3witKf/koGon9X8C035+nEjLBrWy18Q91vw2USyLI+mm9d + iMAS8pY2gomfxBO2VwYHJryZykjCYQkccRA1tHteRj4gqTObo0Ak47y5MnplTWwi + 40oP7K2cfhCRBmMioxmYES4xsHEupfRBo3xr1Jq9q0t688WTT1NXHPMPoueF9mKZ + Cf2pa9aHsqBmWTm3sCaNQKGubCDBEUmJUyndmSatJyYM7NVYoUp6EfqMACFuTNdB + sjKMh7aWVikQpbJDfA1BIU3lZeqgjgrghVAWkEOBfhG0IVZj+RVCJpsqoTJ8asY2 + VreArSCyr/VnLEnfuH/QpgvCiCbepo3E34DJt4SaAOO2ZohGBBARAgAGBQJMGVc1 + AAoJEKY/LL36AvvMgsoAn2G7kXd09BF7ffk1Sfh174SVrvM9AKC7+R7x0+yV3SCd + JkkUOo3xR5cOxw== + =1QuR + -----END PGP PUBLIC KEY BLOCK----- diff --git a/doc/pgpkeys.asc b/doc/pgpkeys.asc deleted file mode 100644 index 378230f32..000000000 --- a/doc/pgpkeys.asc +++ /dev/null @@ -1,83 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v2.0.9 (GNU/Linux) - -mQGiBDqZbS4RBACH3vOrWo72lWh/lbECfIfGdtl+YDgyGMB2BiGDJG7Kzbg9IB2e -no0Du+omligWpgWlYdkiJ+/wpCJlBxd/P3rEegp822aeV1eD3E03wxWUvhyWgy+8 -I8POrcCjC9RkrTGTl5RiFdaRVCG93vzmJFUJoI1Kt0F5AnTJXJm4VgNo0wCg4F/M -jN7YfhrUroE8ksTGPiCeNocD/R6wGZ0FFtYHdK5W19u/vM9JfAXxoK+OmDheFSVL -oIWVCXacwvbVQ15MfdQxaRyZmkWD9jgm2Omr8II6iK12B3WLRb96bkQzC0Sd25Xm -2tLKUDBwK0meG/8cRj3hE4WFF6VBdhWNtRhbby6Le9JHC+ylMrHwMy+HHXl5a2gf -ycCmA/9LU5GukTKfaBz9OPrVkMf2n0RbdBgn5hxtDeZ5iV6JMosEGobMnZ77n44M -VdGk6NWlMZqmwy6tJg2CdKPiQtjJaPuIR6qM0rtc8tpnhJSqq2c3KNOcaTennJsc -H3MNtT6FeZH1pZOhcmLjs7wb267NgR89vBQd2l46qWYSaBCASbQWQm90YW4gRGlz -dHJpYnV0aW9uIEtleYhiBBMRAgAaBQsHCgMEAxUDAgMWAgECF4ACGQEFAkkXKWoA -EgdlR1BHAAEBCRCmPyy9+gL7zKhdAKCfZvYBJeZaVW+Cq8S463bbw9vtJACg29tp -zrPhPtU4baw3ngVFUjUcLCyJAhwEEAECAAYFAkkq4q8ACgkQXA+W6E7BbWuJmg/+ -NTxLCg0I527bNowv/pEBrN26Aghwu3/Gn6QrRz2bFQ1A/8LNw2w8eKY0w/b5ieiC -kYy/DmkcDFkspmtaVvA0A+hK/NIIEbFqllKnTQ2BK5EdqQxS+OuBZN4BbJJ2XzKD -6bUcmIEpzymVah/r49D09VG7TQeBequcER9DumSuKhDM10Jt594tkjUo8E7BO8Np -54T2MXX3Nk839eZLihnSh5Cnj6pmLlr/4Tx8iXQTuk2CKkOWxCXaE1CJlUnaXTTy -T16na7PdWPKUR1x2cNY9uL+r5RwSRebV2iV3620MzFHYIAbFYrRdew8HnBnzrwgE -gk4z8fFFSDwIkkGVIkZMqchyWQySJ8UIQpUPVM0/EA+ejgMbLx/Xt6ONIZQiq9Cc -8AaPsoEXFlQHRFN65BB8GIYUdraw/yHwTWX4UNtyNNTq6zgwnsvik6ZJN7RNdgea -rZavW8svXsDZgwEVDI3ps19B1yD0AxC/IJ9uqxqTKn+dYciiZJCMBUTITb6lVs6b -SnMNqdllE2z591cQH02rInHH25WiMjoPeboUozLZ7tyWZtv7/CP4a+IcNqB7LmET -qNTWki3cAnLw5UfPVYrnunI5jHG2eFCjHk3cGAM/AcWRs+wqRfUAqzjs/rRUH8QD -n4vADnCuKHle3dRFq3Dy+fCZe/7yEmeAyJ8FbmSQRgOZAgsEQX8lLwEQALecnQ3J -k1iajTjKoUryWAs8orDTBxiOkYQuwD1g01Geu5XMcDx0ykqPPer1688QN2P/4Lc6 -zN4B0h3SNn8zmz9MI9afCaL3DPynogKX4/zPvSSAITiSytClKNbpSRoqjpdXeoUU -cW7gs8+d81bYJtgBtATtVHDZXzDO32wbPT1Zi+IdI+19R84tgWZBDgLYdQIaUa+G -+j14Gdubc4nFfP6h/UmWC7r6xo0TeQsNLUv2c9nyMeUUKeKZwBar0349sWKihjLf -ne9TXPgdEpg0C9fYAlxTOBa+hIbESVie/4BxtvSHk+wWFpRZtBkS43SDF5qZY0TX -uZJmt3YhiX/zlRut1nhLtqxzNVMIZtNZkD4MrMl7+mHManITkCMBS5NmpmXdlBES -Si+cPVMD91fEAuILczJj/VCUl1pn83kIlD9wxDNQcFdMzuicvFneEszW7UCdvPUC -3UcFQcsxAuYUEPr/H9Qraogm8/UE7+fTb8pTSt06KsZR3nMLLMKICcgLpraDQENZ -GCcK8js82FsB+6ccQ5WB1nMDfdDbYNyRKv/bgPmKxOw74jo24wSeio4zFHBzVXYQ -CLleO52H+w5jz4vEXhC3IEqoLhJHAIW41yl3pqx1qeZ0XwOfGP67nQzI+YhUn59+ -OBngAVQ8rdfWxopzVTI7oRlQafFbTyN/sReTAAYptC5KYWNrIExsb3lkIChTaWdu -aW5nIEtleSkgPGxsb3lkQHJhbmRvbWJpdC5uZXQ+iQIuBBMBAgAYAhsDAh4BAheA -BQJBgDp5AwsJAgQVAgMIAAoJEFwPluhOwW1roTQP+QFzRSVwJYzHUebr1nQSS65b -/9EeX3tSI8ZnKEMAIAYn3YvnYhZxKwdFvCWKZJXfPcaJqv+xWEvArsYEbj6n4AJw -73V27USLqvqNnBleeQluM1nm8AYvmukHXUDmTOCRhqL1rK70DKTRB3Q08sgnmuRF -8sMuG6TRPm8zk9N87zI8fYbT7hWxoO6E9wXPOr+4cYirmtbPY0Ni5bWvd/JrRzWa -2e/UVrpvoBE6kPaF6mxK8oDTGmRr+yKjEsxsTKYQJbguzDYtjEvjoDxScYfegk7n -5PdOGyhjDV/EjC/I7HcJNDVg72szmNLaNskoiHZaEiiTKD60gWFRwQJfNRYiZk0J -x1707wNZCzjKVkeD5U8x4uWchkWjXft0XdCYsKdZQ/GTepcIwz683wicdCVAMcUt -vy43i5DaPelOV22TqL6coLoelso1AURHAwfgBc/cqCsweUVotNA8SvsYMTaXuNMm -578Cs44AEXrWY0sLFCYEu6rA47HV7FXoaruK7Qjo/IopqsLd42g7HBR993tEl7j5 -3lK0VGHdFI0I4kw/tWSVXqH5vK12WLg0mc+21KGoLjkGSdPsKNUP2xhZaiK8fAB9 -2WonnGMAVUXwQ4Tu9gGzA4KzjZv5RLWvOnbRc8Vh1ppXXoSrlRkHJXT6wHfNDrvf -ZJuOruFauUJmw1CEQcKyiQEiBBABAgAMBQJBugFKBQMAEnUAAAoJEJcQuJvKV618 -KrcIAJ0f1Js973k2ednThL7Fy1B68KZ/DOpbWqB8R53oJ/aaIU0TpXqKFN+amy1N -qrC2lLh7DebBJkan+UNJ6l/uj6cR0q+D1VeDjrFKgS9D7WwjXthik6Ph/nMnd9jz -TH7+8CxN3h0BAlaysxbM/gXjPYd/z05yYdtMayE/hnUhG1ysKrWdVzZv68qBesi+ -h0Z5b7IsfdlTtBi+0Y/wNDiOl8dg7UIkNjYveNgv02yR6InQEnAW6ESEiJ5/p4fi -CPtyTk3Hz8biM4I7oTKPNYhnpp7LxVMQbeWck3mb9Yjr2uqjNMiFuBHslmAZvtBn -hj55BU0GwM7ukMNkQLWICfftXGmIRgQTEQIABgUCQjkXLAAKCRBG+5XZXjRWKC0P -AKCHLrGe1Lz/4sxvKhROPiGFAEOPoACfRYNAzEZJ2iqeb6JxQuu3gxH3XVuZAQsE -QYPWPQEIAMfE8mQ9yMkT7gOWKzHaFVzQOPokjUxIuuQzxH7Zs6FVRJ96vE9PUQw+ -F+sB04dMCWjK9FOEnO2dmw0qp8svj0YZwEt0QYBU2SzWkbftN7N7kvHVci7MkWuj -MvayoHLkLqcekWB3W1wPrxFqHbCnS7ZxH2jBd/Uiop0R+6jrrX4xO/vBMHXiEpXv -mcHtk7rrvpIRlEgtgz7tEnAoAoSYQ8lzqER/3hVef15w3NpOUeBiSOHP11ss53eh -31e+5TD4sxHV3AGozFu9H3QyJeNt50MSRsCtxkH1g4Ai8Rf+ULeppbhcm3iLAdaX -9hVkR8Aty9DLB7YIOsfmE7v3jB30ykEABim0FkJvdGFuIERpc3RyaWJ1dGlvbiBL -ZXmJATQEEwECAB4FAkGD1j0CGwMGCwkIBwMCAxUCAwMWAgECHgECF4AACgkQYhHr -8e+637yzmAf/VTzFHTY/JoehmaXmoQflhDT2gvHCRi1cWv0g1nxPMLAgN44KHRQp -ckgO8edO6QYI9zTxwa+WQxt+WqX8qv8/MAKjhqsLIB/XBF2+FwW6RXcO9t7gwKDY -6ufUuN7Lju0CIZrXYVUqSdwLzwG6MiTc170aYranq1riRtmtRwhubvIMRo3bkxZX -RPWHpm535h7Cfos7AKj+kq/Q3IlBhnmuSLS2H05rceLQ37VHi/xJOqqRZiJndSPy -gP3uKII1fOaLu74YKGSerXeWtCzzA5XzCZRov0z74CnTRKwT5u5hf4zp9doMi+DV -sjtXTqXDHM8snA2tvPASNW67uK+v7WnZmYkCHAQTAQIABgUCQYPWUgAKCRBcD5bo -TsFta+r9EACWVis7YcaGkKKgRB/5ox8rM36XVhMXdh/hnnGHt5rapbbRRkRHRcWU -8WIcFO1A59+TfwNNd8gN1MEt/5aX5KHWVKHBDexJgIxm6Dm1pisYHf/dnYQPM18h -mqqwNlKY97hFkPpHd7enrtc/SvGbQhhLXYlpwBrdMl76e9xJLnnrRQksxegGPo8c -r+C9HTs1Lwa8zzBxyBwYBYX+0moDkDShEhuXx6mEOXrGvQanJuIvpoIwGH+62E65 -MbJGlwWpw/MAtm2jFhBIhGV0bqJCFp9zIgdNgfskBaPr0oilbuJQZqP0Iqe/6CCt -4XkS51yWZqxjLAFpEpvDec4PGw3witKf/koGon9X8C035+nEjLBrWy18Q91vw2US -yLI+mm9diMAS8pY2gomfxBO2VwYHJryZykjCYQkccRA1tHteRj4gqTObo0Ak47y5 -MnplTWwi40oP7K2cfhCRBmMioxmYES4xsHEupfRBo3xr1Jq9q0t688WTT1NXHPMP -oueF9mKZCf2pa9aHsqBmWTm3sCaNQKGubCDBEUmJUyndmSatJyYM7NVYoUp6EfqM -ACFuTNdBsjKMh7aWVikQpbJDfA1BIU3lZeqgjgrghVAWkEOBfhG0IVZj+RVCJpsq -oTJ8asY2VreArSCyr/VnLEnfuH/QpgvCiCbepo3E34DJt4SaAOO2Zg== -=QyrG ------END PGP PUBLIC KEY BLOCK----- diff --git a/doc/pubkey.txt b/doc/pubkey.txt new file mode 100644 index 000000000..6ff016038 --- /dev/null +++ b/doc/pubkey.txt @@ -0,0 +1,541 @@ + +Public Key Cryptography +================================= + +Public key cryptography (also called assymmetric cryptography) is a collection +of techniques allowing for encryption, signatures, and key agreement. + +Key Objects +---------------------------------------- + +Public and private keys are represented by classes ``Public_Key`` and it's +subclass ``Private_Key``. The use of inheritence here means that a +``Private_Key`` can be converted into a reference to a public key. + +None of the functions on ``Public_Key`` and ``Private_Key`` itself are +particularly useful for users of the library, because 'bare' public key +operations are *very insecure*. The only purpose of these functions is to +provide a clean interface that higher level operations can be built on. So +really the only thing you need to know is that when a function takes a +reference to a ``Public_Key``, it can take any public key or private key, and +similiarly for ``Private_Key``. + +Types of ``Public_Key`` include ``RSA_PublicKey``, ``DSA_PublicKey``, +``ECDSA_PublicKey``, ``DH_PublicKey``, ``ECDH_PublicKey``, ``RW_PublicKey``, +``NR_PublicKey``,, and ``GOST_3410_PublicKey``. There are cooresponding +``Private_Key`` classes for each of these algorithms. + +.. _creating_new_private_keys: + +Creating New Private Keys +---------------------------------------- + +Creating a new private key requires two things: a source of random numbers +(see :ref:`random_number_generators`) and some algorithm specific parameters +that define the *security level* of the resulting key. For instance, the +security level of an RSA key is (at least in part) defined by the length of +the public key modulus in bits. So to create a new RSA private key, you would +call + +.. cpp:function:: RSA_PrivateKey::RSA_PrivateKey(RandomNumberGenerator& rng, size_t bits) + + A constructor that creates a new random RSA private key with a modulus + of length *bits*. + +Algorithms based on the discrete-logarithm problem uses what is called a +*group*; a group can safely be used with many keys, and for some operations, +like key agreement, the two keys *must* use the same group. There are +currently two kinds of discrete logarithm groups supported in botan: the +integers modulo a prime, represented by :ref:`dl_group`, and elliptic curves +in GF(p), represented by :ref:`ec_group`. A rough generalization is that the +larger the group is, the more secure the algorithm is, but coorespondingly the +slower the operations will be. + +Given a ``DL_Group``, you can create new DSA, Diffie-Hellman, and +Nyberg-Rueppel key pairs with + +.. cpp:function:: DSA_PrivateKey::DSA_PrivateKey(RandomNumberGenerator& rng, \ + const DL_Group& group, const BigInt& x = 0) + +.. cpp:function:: DH_PrivateKey::DH_PrivateKey(RandomNumberGenerator& rng, \ + const DL_Group& group, const BigInt& x = 0) + +.. cpp:function:: NR_PrivateKey::NR_PrivateKey(RandomNumberGenerator& rng, \ + const DL_Group& group, const BigInt& x = 0) + +.. cpp:function:: ElGamal_PrivateKey::ElGamal_PrivateKey(RandomNumberGenerator& rng, \ + const DL_Group& group, const BigInt& x = 0) + + The optional *x* parameter to each of these contructors is a private key + value. This allows you to create keys where the private key is formed by + some special technique; for instance you can use the hash of a password (see + :ref:`pbkdf` for how to do that) as a private key value. Normally, you would + leave the value as zero, letting the class generate a new random key. + +Finally, given an ``EC_Group`` object, you can create a new ECDSA, +ECDH, or GOST 34.10-2001 private key with + +.. cpp:function:: ECDSA_PrivateKey::ECDSA_PrivateKey(RandomNumberGenerator& rng, \ + const EC_Group& domain, const BigInt& x = 0) + +.. cpp:function:: ECDH_PrivateKey::ECDH_PrivateKey(RandomNumberGenerator& rng, \ + const EC_Group& domain, const BigInt& x = 0) + +.. cpp:function:: GOST_3410_PrivateKey::GOST_3410_PrivateKey(RandomNumberGenerator& rng, \ + const EC_Group& domain, const BigInt& x = 0) + + +Generating RSA keys +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This example will generate an RSA key of a specified bitlength, and put it +into a pair of key files. One is the public key in X.509 format (PEM encoded), +the private key is in PKCS #8 format (also PEM encoded), either encrypted or +unencrypted depending on if a password was given. + +.. literalinclude:: examples/rsa_kgen.cpp + +Generate DSA keys +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This example generates a 2048 bit DSA key + +.. literalinclude:: examples/dsa_kgen.cpp + + +.. _serializing_private_keys: + +Serializing Private Keys Using PKCS #8 +---------------------------------------- + +The standard format for serializing a private key is PKCS #8, the operations +for which are defined in ``pkcs8.h``. It supports both unencrypted and +encrypted storage. + +.. cpp:function:: SecureVector<byte> PKCS8::BER_encode(const Private_Key& key, \ + RandomNumberGenerator& rng, const std::string& password, const std::string& pbe_algo = "") + + Takes any private key object, serializes it, encrypts it using + *password*, and returns a binary structure representing the private + key. + + The final (optional) argument, *pbe_algo*, specifies a particular + password based encryption (or PBE) algorithm. If you don't specify a + PBE, a sensible default will be used. + +.. cpp:function:: std::string PKCS8::PEM_encode(const Private_Key& key, \ + RandomNumberGenerator& rng, const std::string& pass, const std::string& pbe_algo = "") + + This formats the key in the same manner as ``BER_encode``, but additionally + encodes it into a text format with identifying headers. Using PEM encoding + is *highly* recommended for many reasons, including compatibility with other + software, for transmission over 8-bit unclean channels, because it can be + identified by a human without special tools, and because it sometimes allows + more sane behavior of tools that process the data. + +Unencrypted serialization is also supported. + +.. warning:: + + In most situations, using unecrypted private key storage is a bad idea, + because anyone can come along and grab the private key without having to + know any passwords or other secrets. Unless you have very particular + security requirements, always use the versions that encrypt the key based on + a passphrase, described above. + +.. cpp:function:: SecureVector<byte> PKCS8::BER_encode(const Private_Key& key) + + Serializes the private key and returns the result. + +.. cpp:function:: std::string PKCS8::PEM_encode(const Private_Key& key) + + Serializes the private key, base64 encodes it, and returns the + result. + +Last but not least, there are some functions that will load (and +decrypt, if necessary) a PKCS #8 private key: + +.. cpp:function:: Private_Key* PKCS8::load_key(DataSource& in, \ + RandomNumberGenerator& rng, const User_Interface& ui) + +.. cpp:function:: Private_Key* PKCS8::load_key(DataSource& in, \ + RandomNumberGenerator& rng, std::string passphrase = "") + +.. cpp:function:: Private_Key* PKCS8::load_key(const std::string& filename, \ + RandomNumberGenerator& rng, const User_Interface& ui) + +.. cpp:function:: Private_Key* PKCS8::load_key(const std::string& filename, \ + RandomNumberGenerator& rng, const std::string& passphrase = "") + +These functions will return an object allocated key object based on the data +from whatever source it is using (assuming, of course, the source is in fact +storing a representation of a private key, and the decryption was +sucessful). The encoding used (PEM or BER) need not be specified; the format +will be detected automatically. The key is allocated with ``new``, and should +be released with ``delete`` when you are done with it. The first takes a +generic ``DataSource`` that you have to create - the other is a simple wrapper +functions that take either a filename or a memory buffer and create the +appropriate ``DataSource``. + +The versions taking a ``std::string`` attempt to decrypt using the password +given (if the key is encrypted; if it is not, the passphase value will be +ignored). If the passphrase does not decrypt the key, an exception will be +thrown. + +The ones taking a ``User_Interface`` provide a simple callback interface which +makes handling incorrect passphrases and such a bit simpler. A +``User_Interface`` has very little to do with talking to users; it's just a +way to glue together Botan and whatever user interface you happen to be using. + +.. note:: + + In a future version, it is likely that ``User_Interface`` will be + replaced by a simple callback using ``std::function``. + +To use ``User_Interface``, derive a subclass and implement: + +.. cpp:function:: std::string User_Interface::get_passphrase(const std::string& what, \ + const std::string& source, UI_Result& result) const + + The ``what`` argument specifies what the passphrase is needed for (for + example, PKCS #8 key loading passes ``what`` as "PKCS #8 private key"). This + lets you provide the user with some indication of *why* your application is + asking for a passphrase; feel free to pass the string through ``gettext(3)`` + or moral equivalent for i18n purposes. Similarly, ``source`` specifies where + the data in question came from, if available (for example, a file name). If + the source is not available for whatever reason, then ``source`` will be an + empty string; be sure to account for this possibility. + + The function returns the passphrase as the return value, and a status code + in ``result`` (either ``OK`` or ``CANCEL_ACTION``). If ``CANCEL_ACTION`` is + returned in ``result``, then the return value will be ignored, and the + caller will take whatever action is necessary (typically, throwing an + exception stating that the passphrase couldn't be determined). In the + specific case of PKCS #8 key decryption, a ``Decoding_Error`` exception will + be thrown; your UI should assume this can happen, and provide appropriate + error handling (such as putting up a dialog box informing the user of the + situation, and canceling the operation in progress). + +.. _serializing_public_keys: + +Serializing Public Keys +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +To import and export public keys, use: + +.. cpp:function:: MemoryVector<byte> X509::BER_encode(const Public_Key& key) + +.. cpp:function:: std::string X509::PEM_encode(const Public_Key& key) + +.. cpp:function:: Public_Key* X509::load_key(DataSource& in) + +.. cpp:function:: Public_Key* X509::load_key(const SecureVector<byte>& buffer) + +.. cpp:function:: Public_Key* X509::load_key(const std::string& filename) + + These functions operate in the same way as the ones described in + :ref:`serializing_private_keys`, except that no encryption option is + availabe. + +.. _dl_group: + +DL_Group +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +As described in :ref:`creating_new_private_keys`, a discrete logarithm group +can be shared among many keys, even keys created by users who do not trust +each other. However, it is necessary to trust the entity who created the +group; that is why organization like NIST use algorithms which generate groups +in a deterministic way such that creating a bogus group would require breaking +some trusted cryptographic primitive like SHA-2. + +Instantiating a ``DL_Group`` simply requires calling + +.. cpp:function:: DL_Group::DL_Group(const std::string& name) + + The *name* parameter is a specially formatted string that consists of three + things, the type of the group ("modp" or "dsa"), the creator of the group, + and the size of the group in bits, all delimited by '/' characters. + + Currently all "modp" groups included in botan are ones defined by the + Internet Engineering Task Force, so the provider is "ietf", and the strings + look like "modp/ietf/N" where N can be any of 768, 1024, 1536, 2048, 3072, + 4096, 6144, or 8192. This group type is used for Diffie-Hellman and ElGamal + algorithms. + + The other type, "dsa" is used for DSA and Nyberg-Rueppel keys. They can + also be used with Diffie-Hellman and ElGamal, but this is less common. The + currently available groups are "dsa/jce/N" for N in 512, 768, or 1024, and + "dsa/botan/N" with N being 2048 or 3072. The "jce" groups are the standard + DSA groups used in the Java Cryptography Extensions, while the "botan" + groups were randomly generated using the FIPS 186-3 algorithm by the library + maintainers. + +You can generate a new random group using + +.. cpp:function:: DL_Group::DL_Group(RandomNumberGenerator& rng, \ + PrimeType type, size_t pbits, size_t qbits = 0) + + The *type* can be either ``Strong``, ``Prime_Subgroup``, or + ``DSA_Kosherizer``. *pbits* specifies the size of the prime in + bits. If the *type* is ``Prime_Subgroup`` or ``DSA_Kosherizer``, + then *qbits* specifies the size of the subgroup. + +You can serialize a ``DL_Group`` using + +.. cpp:function:: SecureVector<byte> DL_Group::DER_Encode(Format format) + +or + +.. cpp:function:: std::string DL_Group::PEM_encode(Format format) + +where *format* is any of + +* ``ANSI_X9_42`` (or ``DH_PARAMETERS``) for modp groups +* ``ANSI_X9_57`` (or ``DSA_PARAMETERS``) for DSA-style groups +* ``PKCS_3`` is an older format for modp groups; it should only + be used for backwards compatability. + +You can reload a serialized group using + +.. cpp:function:: void DL_Group::BER_decode(DataSource& source, Format format) + +.. cpp:function:: void DL_Group::PEM_decode(DataSource& source) + +.. _ec_group: + +EC_Group +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +An ``EC_Group`` is initialized by passing the name of the +group to be used to the constructor. These groups have +semi-standardized names like "secp256r1" and "brainpool512r1". + +Key Checking +--------------------------------- + +Most public key algorithms have limitations or restrictions on their +parameters. For example RSA requires an odd exponent, and algorithms +based on the discrete logarithm problem need a generator $> 1$. + +Each public key type has a function + +.. cpp:function:: bool Public_Key::check_key(RandomNumberGenerator& rng, bool strong) + + This function performs a number of algorithm-specific tests that the key + seems to be mathematically valid and consistent, and returns true if all of + the tests pass. + + It does not have anything to do with the validity of the key for any + particular use, nor does it have anything to do with certificates that link + a key (which, after all, is just some numbers) with a user or other + entity. If *strong* is ``true``, then it does "strong" checking, which + includes expensive operations like primality checking. + +Encryption +--------------------------------- + +Safe public key encryption requires the use of a padding scheme which hides +the underlying mathematical properties of the algorithm. Additionally, they +will add randomness, so encrypting the same plaintext twice produces two +different ciphertexts. + +The primary interface for encryption is + +.. cpp:class:: PK_Encryptor + + .. cpp:function:: SecureVector<byte> encrypt( \ + const byte* in, size_t length, RandomNumberGenerator& rng) const + + .. cpp:function:: SecureVector<byte> encrypt( \ + const MemoryRegion<byte>& in, RandomNumberGenerator& rng) const + + These encrypt a message, returning the ciphertext. + + .. cpp:function:: size_t maximum_input_size() const + + Returns the maximum size of the message that can be processed, in + bytes. If you call :cpp:func:`PK_Encryptor::encrypt` with a value larger + than this the operation will fail with an exception. + +:cpp:class:`PK_Encryptor` is only an interface - to actually encrypt you have +to create an implementation, of which there are currently two available in the +library, :cpp:class:`PK_Encryptor_EME` and :cpp:class:`DLIES_Encryptor`. DLIES +is a standard method (from IEEE 1363) that uses a key agreement technique such +as DH or ECDH to perform message encryption. Normally, public key encryption +is done using algorithms which support it directly, such as RSA or ElGamal; +these use the EME class: + +.. cpp:class:: PK_Encryptor_EME + + .. cpp:function:: PK_Encryptor_EME(const Public_Key& key, std::string eme) + + With *key* being the key you want to encrypt messages to. The padding + method to use is specified in *eme*. + + The recommended values for *eme* is "EME1(SHA-1)" or "EME1(SHA-256)". If + you need compatability with protocols using the PKCS #1 v1.5 standard, + you can also use "EME-PKCS1-v1_5". + +.. cpp:class:: DLIES_Encryptor + + Available in the header ``dlies.h`` + + .. cpp:function:: DLIES_Encryptor(const PK_Key_Agreement_Key& key, \ + KDF* kdf, MessageAuthenticationCode* mac, size_t mac_key_len = 20) + + Where *kdf* is a key derivation function (see + :ref:`key_derivation_function`) and *mac* is a + MessageAuthenticationCode. + +The decryption classes are named ``PK_Decryptor``, ``PK_Decryptor_EME``, and +``DLIES_Decryptor``. They are created in the exact same way, except they take +the private key, and the processing function is named ``decrypt``. + + +Signatures +--------------------------------- + +Signature generation is performed using + +.. cpp:class:: PK_Signer + + .. cpp:function:: PK_Signer(const Private_Key& key, \ + const std::string& emsa, \ + Signature_Format format = IEEE_1363) + + Constructs a new signer object for the private key *key* using the + signature format *emsa*. The key must support signature operations. In + the current version of the library, this includes RSA, DSA, ECDSA, GOST + 34.10-2001, Nyberg-Rueppel, and Rabin-Williams. Other signature schemes + may be supported in the future. + + Currently available values for *emsa* include EMSA1, EMSA2, EMSA3, EMSA4, + and Raw. All of them, except Raw, take a parameter naming a message + digest function to hash the message with. The Raw encoding signs the + input directly; if the message is too big, the signing operation will + fail. Raw is not useful except in very specialized applications. Examples + are "EMSA1(SHA-1)" and "EMSA4(SHA-256)". + + For RSA, use EMSA4 (also called PSS) unless you need compatability with + software that uses the older PKCS #1 v1.5 standard, in which case use + EMSA3 (also called "EMSA-PKCS1-v1_5"). For DSA, ECDSA, GOST 34.10-2001, + and Nyberg-Rueppel, you should use EMSA1. + + The *format* defaults to ``IEEE_1363`` which is the only available + format for RSA. For DSA and ECDSA, you can also use + ``DER_SEQUENCE``, which will format the signature as an ASN.1 + SEQUENCE value. + + .. cpp:function:: void update(const byte* in, size_t length) + .. cpp:function:: void update(const MemoryRegion<byte>& in) + .. cpp:function:: void update(byte in) + + These add more data to be included in the signature + computation. Typically, the input will be provided directly to a + hash function. + + .. cpp:function:: SecureVector<byte> signature(RandomNumberGenerator& rng) + + Creates the signature and returns it + + .. cpp:function:: SecureVector<byte> sign_message( \ + const byte* in, size_t length, RandomNumberGenerator& rng) + + .. cpp:function:: SecureVector<byte> sign_message( \ + const MemoryRegion<byte>& in, RandomNumberGenerator& rng) + + These functions are equivalent to calling + :cpp:func:`PK_Signer::update` and then + :cpp:func:`PK_Signer::signature`. Any data previously provided + using ``update`` will be included. + +Signatures are verified using + +.. cpp:class:: PK_Verifier + + .. cpp:function:: PK_Verifier(const Public_Key& pub_key, \ + const std::string& emsa, Signature_Format format = IEEE_1363) + + Construct a new verifier for signatures assicated with public + key *pub_key*. The *emsa* and *format* should be the same as + that used by the signer. + + .. cpp:function:: void update(const byte* in, size_t length) + .. cpp:function:: void update(const MemoryRegion<byte>& in) + .. cpp:function:: void update(byte in) + + Add further message data that is purportedly assocated with the + signature that will be checked. + + .. cpp:function:: bool check_signature(const byte* sig, size_t length) + .. cpp:function:: bool check_signature(const MemoryRegion<byte>& sig) + + Check to see if *sig* is a valid signature for the message data + that was written in. Return true if so. This function clears the + internal message state, so after this call you can call + :cpp:func:`PK_Verifier::update` to start verifying another + message. + + .. cpp:function:: bool verify_message(const byte* msg, size_t msg_length, \ + const byte* sig, size_t sig_length) + + .. cpp:function:: bool verify_message(const MemoryRegion<byte>& msg, \ + const MemoryRegion<byte>& sig) + + These are equivalent to calling :cpp:func:`PK_Verifier::update` + on *msg* and then calling :cpp:func:`PK_Verifier::check_signature` + on *sig*. + +Here is an example of DSA signature generation + +.. literalinclude:: examples/dsa_sign.cpp + +Here is an example that verifies DSA signatures + +.. literalinclude:: examples/dsa_ver.cpp + +Key Agreement +--------------------------------- + +You can get a hold of a ``PK_Key_Agreement_Scheme`` object by calling +``get_pk_kas`` with a key that is of a type that supports key +agreement (such as a Diffie-Hellman key stored in a ``DH_PrivateKey`` +object), and the name of a key derivation function. This can be "Raw", +meaning the output of the primitive itself is returned as the key, or +"KDF1(hash)" or "KDF2(hash)" where "hash" is any string you happen to +like (hopefully you like strings like "SHA-256" or "RIPEMD-160"), or +"X9.42-PRF(keywrap)", which uses the PRF specified in ANSI X9.42. It +takes the name or OID of the key wrap algorithm that will be used to +encrypt a content encryption key. + +How key agreement works is that you trade public values with some +other party, and then each of you runs a computation with the other's +value and your key (this should return the same result to both +parties). This computation can be called by using +``derive_key`` with either a byte array/length pair, or a +``SecureVector<byte>`` than holds the public value of the other +party. The last argument to either call is a number that specifies how +long a key you want. + +Depending on the KDF you're using, you *might not* get back a key +of the size you requested. In particular "Raw" will return a number +about the size of the Diffie-Hellman modulus, and KDF1 can only return +a key that is the same size as the output of the hash. KDF2, on the +other hand, will always give you a key exactly as long as you request, +regardless of the underlying hash used with it. The key returned is a +``SymmetricKey``, ready to pass to a block cipher, MAC, or other +symmetric algorithm. + +The public value that should be used can be obtained by calling +``public_data``, which exists for any key that is associated with a +key agreement algorithm. It returns a ``SecureVector<byte>``. + +"KDF2(SHA-256)" is by far the preferred algorithm for key derivation +in new applications. The X9.42 algorithm may be useful in some +circumstances, but unless you need X9.42 compatibility, KDF2 is easier +to use. + +An example of using Diffie-Hellman: + +.. literalinclude:: examples/dh.cpp diff --git a/doc/python.tex b/doc/python.tex deleted file mode 100644 index afdd66b6a..000000000 --- a/doc/python.tex +++ /dev/null @@ -1,68 +0,0 @@ -\documentclass{article} - -\setlength{\textwidth}{6.5in} % 1 inch side margins -\setlength{\textheight}{9in} % ~1 inch top and bottom margins - -\setlength{\headheight}{0in} -\setlength{\topmargin}{0in} -\setlength{\headsep}{0in} - -\setlength{\oddsidemargin}{0in} -\setlength{\evensidemargin}{0in} - -\title{\textbf{Botan Python Interface Documentation}} -\author{Jack Lloyd \\ - \texttt{[email protected]}} -\date{2009/10/10} - -\newcommand{\filename}[1]{\texttt{#1}} -\newcommand{\manpage}[2]{\texttt{#1}(#2)} - -\newcommand{\macro}[1]{\texttt{#1}} - -\newcommand{\function}[1]{\textbf{#1}} -\newcommand{\type}[1]{\texttt{#1}} -\renewcommand{\arg}[1]{\textsl{#1}} -\newcommand{\variable}[1]{\textsl{#1}} - -\begin{document} - -\maketitle - -\tableofcontents - -\parskip=5pt -\pagebreak - -\section{Ciphers} - -Botan's Python interface provides a generic interface to any cipher -supported by the library. The class \type{botan.Cipher} takes three -arguments, all strings: first, the name of the algorith, second the -direction (which can be either ``encrypt'' or ``decrypt''), and -lastly, the key to use. For instance - -\begin{verbatim} - encryptor = botan.Cipher("AES-128/EAX", "encrypt", key) -\end{verbatim} - -creates an object that will encrypt and authenticate messages using -the EAX mode of operation using the AES cipher. To use this object, -call the \function{cipher} function with two arguments - the input -to encrypt, and the IV to use: - -\begin{verbatim} - ciphertext = encryptor.cipher(input, salt) -\end{verbatim} - - -\subsection{Cryptobox} - - -\subsection{RNGs} - -\section{RSA} - - - -\end{document} diff --git a/doc/rng.txt b/doc/rng.txt new file mode 100644 index 000000000..66679271d --- /dev/null +++ b/doc/rng.txt @@ -0,0 +1,129 @@ +.. _random_number_generators: + +Random Number Generators +======================================== + +The random number generators provided in Botan are meant for creating +keys, IVs, padding, nonces, and anything else that requires 'random' +data. It is important to remember that the output of these classes +will vary, even if they are supplied with the same seed (ie, two +``Randpool`` objects with similar initial states will not produce the +same output, because the value of high resolution timers is added to +the state at various points). + +To create a random number generator, instantiate a ``AutoSeeded_RNG`` +object. This object will handle choosing the right algorithms from the +set of enabled ones and doing seeding using OS specific +routines. The main service a RandomNumberGenerator provides is, of +course, random numbers: + +.. cpp:function:: byte RandomNumberGenerator::random() + + Generates a single random byte and returns it + +.. cpp:function:: void RandomNumberGenerator::randomize(byte* data, size_t length) + + Places *length* bytes into the array pointed to by *data* + +To ensure good quality output, a PRNG needs to be seeded with truly +random data. Normally this is done for you. However it may happen that +your application has access to data that is potentially unpredictable +to an attacker. If so, use + +.. cpp:function:: void RandomNumberGenerator::add_entropy(const byte* data, \ + size_t length) + +which incorporates the data into the current randomness state. Don't +worry about filtering the data or doing any kind of cryptographic +preprocessing (such as hashing); the RNG objects in botan are designed +such that you can feed them any arbitrary non-random or even +maliciously chosen data - as long as at some point some of the seed +data was good the output will be secure. + + +Implementation Notes +---------------------------------------- + +Randpool +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +``Randpool`` is the primary PRNG within Botan. In recent versions all +uses of it have been wrapped by an implementation of the X9.31 PRNG +(see below). If for some reason you should have cause to create a PRNG +instead of using the "global" one owned by the library, it would be +wise to consider the same on the grounds of general caution; while +``Randpool`` is designed with known attacks and PRNG weaknesses in +mind, it is not an standard/official PRNG. The remainder of this +section is a (fairly technical, though high-level) description of the +algorithms used in this PRNG. Unless you have a specific interest in +this subject, the rest of this section might prove somewhat +uninteresting. + +``Randpool`` has an internal state called pool, which is 512 bytes +long. This is where entropy is mixed into and extracted from. There is also a +small output buffer (called buffer), which holds the data which has already +been generated but has just not been output yet. + +It is based around a MAC and a block cipher (which are currently +HMAC(SHA-256) and AES-256). Where a specific size is mentioned, it +should be taken as a multiple of the cipher's block size. For example, +if a 256-bit block cipher were used instead of AES, all the sizes +internally would double. Every time some new output is needed, we +compute the MAC of a counter and a high resolution timer. The +resulting MAC is XORed into the output buffer (wrapping as needed), +and the output buffer is then encrypted with AES, producing 16 bytes +of output. + +After 8 blocks (or 128 bytes) have been produced, we mix the pool. To +do this, we first rekey both the MAC and the cipher; the new MAC key +is the MAC of the current pool under the old MAC key, while the new +cipher key is the MAC of the current pool under the just-chosen MAC +key. We then encrypt the entire pool in CBC mode, using the current +(unused) output buffer as the IV. We then generate a new output +buffer, using the mechanism described in the previous paragraph. + +To add randomness to the PRNG, we compute the MAC of the input and XOR +the output into the start of the pool. Then we remix the pool and +produce a new output buffer. The initial MAC operation should make it +very hard for chosen inputs to harm the security of ``Randpool``, and +as HMAC should be able to hold roughly 256 bits of state, it is +unlikely that we are wasting much input entropy (or, if we are, it +doesn't matter, because we have a very abundant supply). + +ANSI X9.31 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +``ANSI_X931_PRNG`` is the standard issue X9.31 Appendix A.2.4 PRNG, +though using AES-256 instead of 3DES as the block cipher. This PRNG +implementation has been checked against official X9.31 test vectors. + +Internally, the PRNG holds a pointer to another PRNG (typically +Randpool). This internal PRNG generates the key and seed used by the +X9.31 algorithm, as well as the date/time vectors. Each time an X9.31 +PRNG object receives entropy, it passes it along to the PRNG it is +holding, and then pulls out some random bits to generate a new key and +seed. This PRNG considers itself seeded as soon as the internal PRNG +is seeded. + + +Entropy Sources +--------------------------------- + +An ``EntropySource`` is an abstract representation of some method of +gather "real" entropy. This tends to be very system dependent. The +*only* way you should use an ``EntropySource`` is to pass it to a PRNG +that will extract entropy from it -- never use the output directly for +any kind of key or nonce generation! + +``EntropySource`` has a pair of functions for getting entropy from +some external source, called ``fast_poll`` and ``slow_poll``. These +pass a buffer of bytes to be written; the functions then return how +many bytes of entropy were gathered. + +Note for writers of ``EntropySource`` subclasses: it isn't necessary +to use any kind of cryptographic hash on your output. The data +produced by an EntropySource is only used by an application after it +has been hashed by the ``RandomNumberGenerator`` that asked for the +entropy, thus any hashing you do will be wasteful of both CPU cycles +and entropy. + diff --git a/doc/scripts/comba.py b/doc/scripts/comba.py deleted file mode 100755 index ce3cfed77..000000000 --- a/doc/scripts/comba.py +++ /dev/null @@ -1,65 +0,0 @@ -#!/usr/bin/python - -import sys - -def comba_indexes(N): - - indexes = [] - - for i in xrange(0, 2*N): - x = [] - - for j in xrange(max(0, i-N+1), min(N, i+1)): - x += [(j,i-j)] - indexes += [sorted(x)] - - return indexes - -def comba_sqr_indexes(N): - - indexes = [] - - for i in xrange(0, 2*N): - x = [] - - for j in xrange(max(0, i-N+1), min(N, i+1)): - if j < i-j: - x += [(j,i-j)] - else: - x += [(i-j,j)] - indexes += [sorted(x)] - - return indexes - -def comba_multiply_code(N): - indexes = comba_indexes(N) - - for (i,idx) in zip(range(0, len(indexes)), indexes): - for pair in idx: - print "word3_muladd(&w2, &w1, &w0, x[%2d], y[%2d]);" % (pair) - print "z[%2d] = w0; w0 = w1; w1 = w2; w2 = 0;" % (i) - -def comba_square_code(N): - indexes = comba_sqr_indexes(N) - - for (rnd,idx) in zip(range(0, len(indexes)), indexes): - for (i,pair) in zip(range(0, len(idx)), idx): - if pair[0] == pair[1]: - print " word3_muladd(&w2, &w1, &w0, x[%2d], x[%2d]);" % (pair) - elif i % 2 == 0: - print " word3_muladd_2(&w2, &w1, &w0, x[%2d], x[%2d]);" % (pair[0], pair[1]) - if rnd < len(idx)-2: - print " z[%2d] = w0; w0 = w1; w1 = w2; w2 = 0;\n" % (rnd) - elif rnd == len(idx)-1: - print " z[%2d] = w0;\n" % (rnd) - else: - print " z[%2d] = w1;\n" % (rnd) - -def main(args = None): - if args is None: - args = sys.argv - #comba_square_code(int(args[1])) - comba_multiply_code(int(args[1])) - -if __name__ == '__main__': - sys.exit(main()) diff --git a/doc/scripts/combine_bmarks.pl b/doc/scripts/combine_bmarks.pl deleted file mode 100755 index b6436496e..000000000 --- a/doc/scripts/combine_bmarks.pl +++ /dev/null @@ -1,120 +0,0 @@ -#!/usr/bin/perl -w - -use strict; - -my %results; -my %pk; - -my %pk_algos; -my %algos; - -my %filename_to_desc; - -for my $filename (@ARGV) { - - open IN, "<$filename" or die "Couldn't read $filename ($!)\n"; - - my $desc = <IN>; - chomp $desc; - - $results{$desc} = {}; - - while(<IN>) { - if(/(.*): +(.*) Mbytes\/sec/) { - $results{$desc}{$1} = $2; - $algos{$1} = undef; - } - if(/(.*): (.*) ops \/ second \((.*)\)/) { - my $alg = "$1"; - $alg = "$alg $3" if defined($3); - $pk{$desc}{$alg} = $2; - $pk_algos{$alg} = undef; - } - } -} - - -sub print_table { - my @columns = sort keys %results; - - print "\n<P>All results are in MiB / second:\n"; - print "<TABLE BORDER CELLSPACING=1>\n<THEAD>\n"; - - my %col_index = (); - - my $line = "<TR><TH>Algorithm "; - - foreach my $col (@columns) { - $col_index{$col} = length($line); - $line .= "<TH>" . $col . " "; - } - - $line .= "\n<TBODY>\n"; - - print $line; - - $line = ''; - - foreach my $algo (sort keys %algos) { - $line = " <TR><TH>$algo "; - - for my $col (@columns) { - my $result = $results{$col}{$algo}; - $result = "-" if not defined($result); - - $result = "<TH>$result"; - - $line .= ' ' while(length($line) < ($col_index{$col})); - $line .= $result; - - } - - print $line, "\n"; - $line = ''; - } - - print "</TABLE>\n"; -} - - -sub print_pk_table { - my @columns = sort keys %pk; - - print "\n<P>All results are in operations per second:\n"; - print "<TABLE BORDER CELLSPACING=1>\n<THEAD>\n"; - - my %col_index = (); - - my $line = "<TR><TH>Algorithm "; - - foreach my $col (@columns) { - $col_index{$col} = length($line); - $line .= "<TH>" . $col . " "; - } - - $line .= "\n<TBODY>\n"; - - print $line; - - foreach my $algo (sort keys %pk_algos) { - my $line = " <TR><TH>$algo "; - - for my $col (@columns) { - my $result = $pk{$col}{$algo}; - $result = '-' if not defined($result); - - $result = "<TH>$result"; - - $line .= ' ' while(length($line) < ($col_index{$col})); - $line .= $result; - - } - - print $line, "\n"; - } - - print "</TABLE>\n"; -} - -print_table(); -print_pk_table(); diff --git a/doc/scripts/dist.sh b/doc/scripts/dist.sh deleted file mode 100755 index 479de24d1..000000000 --- a/doc/scripts/dist.sh +++ /dev/null @@ -1,68 +0,0 @@ -#!/bin/bash - -# This is probably only useful if run on my machine, which is not -# exactly ideal - -SELECTOR=h:net.randombit.botan -KEY_ID=EFBADFBC -MTN_DB=/storage/mtn/botan.mtn -DIST_DIR=~/Botan-dist - -DIST_FILES_DIR=$HOME/projects/www/files/botan/v1.9/ -WEB_DOCS_DIR=$HOME/projects/www/htdocs/botan/htdocs/ - -# You shouldn't have to change anything after this -mkdir -p $DIST_DIR -cd $DIST_DIR - -mtn -d $MTN_DB checkout -r $SELECTOR Botan - -VERSION=$(Botan/configure.py --version) - -mv Botan Botan-$VERSION - -cd Botan-$VERSION -rm -rf _MTN -rm -f .mtn-ignore - -# Build docs -cd doc - -for doc in api tutorial building python -do - latex $doc.tex - latex $doc.tex - dvips $doc.dvi -o - pdflatex $doc.tex - pdflatex $doc.tex - cp $doc.pdf $DIST_DIR - mv $doc.ps $DIST_DIR - # Clean up after TeX - rm -f $doc.aux $doc.log $doc.dvi $doc.toc -done - -botan_log_to_html log.txt > ../../log.html - -cd .. # topdir -cd .. # now in DIST_DIR - -tar -cf Botan-$VERSION.tar Botan-$VERSION - -bzip2 -9 -k Botan-$VERSION.tar -gzip -9 Botan-$VERSION.tar - -rm -rf Botan-$VERSION - -mv Botan-$VERSION.tar.gz Botan-$VERSION.tgz -mv Botan-$VERSION.tar.bz2 Botan-$VERSION.tbz - -echo "*****************************************************" -read -a PASSWORD -p "Enter PGP password (or ^C to skip signatures): " - -echo $PASSWORD | gpg --batch --armor -b --passphrase-fd 0 -u $KEY_ID Botan-$VERSION.tgz -echo $PASSWORD | gpg --batch --armor -b --passphrase-fd 0 -u $KEY_ID Botan-$VERSION.tbz - -mv Botan-$VERSION.tgz* Botan-$VERSION.tbz* $DIST_FILES_DIR -mv log.html $WEB_DOCS_DIR - -echo "Now edit download.html, and add a release notice to pyblosxom" diff --git a/doc/scripts/print_deps.py b/doc/scripts/print_deps.py deleted file mode 100755 index c68fa2617..000000000 --- a/doc/scripts/print_deps.py +++ /dev/null @@ -1,70 +0,0 @@ -#!/usr/bin/python - -""" -Analyze the botan source tree and print the module interdependencies - -(C) 2009 Jack Lloyd -Distributed under the terms of the Botan license -""" - -import os -import os.path -import sys -import re - -def find_deps_in(filename): - # By convention #include's with spaces before them are - # always wrapped in #ifdef blocks - regexp = re.compile('^#include <botan/(.*)>') - - for line in open(filename).readlines(): - match = regexp.match(line) - if match != None: - yield match.group(1).replace('internal/', '') - -def get_dependencies(dirname): - all_dirdeps = {} - file_homes = {} - - is_sourcefile = re.compile('\.(cpp|h|S)$') - - for (dirpath, dirnames, filenames) in os.walk('src'): - dirdeps = set() - for filename in filenames: - if is_sourcefile.search(filename) != None: - file_homes[filename] = os.path.basename(dirpath) - - for dep in find_deps_in(os.path.join(dirpath, filename)): - if dep not in filenames and dep != 'build.h': - dirdeps.add(dep) - - dirdeps = sorted(dirdeps) - if dirdeps != []: - all_dirdeps[dirpath] = dirdeps - - return (all_dirdeps, file_homes) - -def main(): - (all_dirdeps, file_homes) = get_dependencies('src') - - def interesting_dep_for(dirname): - def interesting_dep(dep): - if dep == 'utils': - return False # everything depends on it - - # block/serpent depends on block, etc - if dirname.find('/%s/' % (dep)) > 0: - return False - return True - return interesting_dep - - for dirname in sorted(all_dirdeps.keys()): - depdirs = sorted(set(map(lambda x: file_homes[x], all_dirdeps[dirname]))) - - depdirs = filter(interesting_dep_for(dirname), depdirs) - - if depdirs != []: - print "%s: %s" % (dirname, ' '.join(depdirs)) - -if __name__ == '__main__': - sys.exit(main()) diff --git a/doc/scripts/update_deps.py b/doc/scripts/update_deps.py deleted file mode 100755 index ac19885e0..000000000 --- a/doc/scripts/update_deps.py +++ /dev/null @@ -1,41 +0,0 @@ -#!/usr/bin/python - -import sys -import re -import os.path - -def update_requires(dir, deps): - lines = map(lambda x: x.strip(), - open(os.path.join(dir, 'info.txt')).readlines()) - - if '<requires>' in lines: - start = lines.index('<requires>') - - while lines.pop(start) != '</requires>': - pass - - while len(lines) > 0 and lines[-1] == '': - lines = lines[:-1] - - if len(deps) > 0: - lines.append('') - lines.append('<requires>') - for dep in deps: - lines.append(dep) - lines.append('</requires>') - lines.append('') - - lines = "\n".join(lines).replace("\n\n\n", "\n\n") - - output = open(os.path.join(dir, 'info.txt'), 'w') - output.write(lines) - output.close() - -def main(): - for line in sys.stdin.readlines(): - (dirname, deps) = line.split(':') - deps = deps.strip().split(' ') - update_requires(dirname, deps) - -if __name__ == '__main__': - sys.exit(main()) diff --git a/doc/secmem.txt b/doc/secmem.txt new file mode 100644 index 000000000..eba3462de --- /dev/null +++ b/doc/secmem.txt @@ -0,0 +1,81 @@ + +Secure Memory Containers +======================================== + +A major concern with mixing modern multiuser OSes and cryptographic +code is that at any time the code (including secret keys) could be +swapped to disk, where it can later be read by an attacker. Botan +stores almost everything (and especially anything sensitive) in memory +buffers that a) clear out their contents when their destructors are +called, and b) have easy plugins for various memory locking functions, +such as the ``mlock`` call on many Unix systems. + +Two of the allocation method used ("malloc" and "mmap") don't +require any extra privileges on Unix, but locking memory does. At +startup, each allocator type will attempt to allocate a few blocks +(typically totaling 128k), so if you want, you can run your +application ``setuid`` ``root``, and then drop privileges +immediately after creating your ``LibraryInitializer``. If you end +up using more than what's been allocated, some of your sensitive data +might end up being swappable, but that beats running as ``root`` +all the time. + +These classes should also be used within your own code for storing +sensitive data. They are only meant for primitive data types (int, +long, etc): if you want a container of higher level Botan objects, you +can just use a ``std::vector``, since these objects know how to clear +themselves when they are destroyed. You cannot, however, have a +``std::vector`` (or any other container) of ``Pipe`` objects or +filters, because these types have pointers to other filters, and +implementing copy constructors for these types would be both hard and +quite expensive (vectors of pointers to such objects is fine, though). + +These types are not described in any great detail: for more information, +consult the definitive sources~--~the header files ``secmem.h`` and +``allocate.h``. + +``SecureBuffer`` is a simple array type, whose size is specified at +compile time. It will automatically convert to a pointer of the +appropriate type, and has a number of useful functions, including +``clear()``, and ``size_t`` ``size()``, which returns the length of +the array. It is a template that takes as parameters a type, and a +constant integer which is how long the array is (for example: +``SecureBuffer<byte, 8> key;``). + +``SecureVector`` is a variable length array. Its size can be increased +or decreased as need be, and it has a wide variety of functions useful +for copying data into its buffer. Like ``SecureBuffer``, it implements +``clear`` and ``size``. + +Allocators +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The containers described above get their memory from allocators. As a +user of the library, you can add new allocator methods at run time for +containers, including the ones used internally by the library, to +use. The interface to this is in ``allocate.h``. Code needing to +allocate or deallocate memory calls ``get_allocator``, which returns a +pointer to an allocator object. This pointer should not be freed: the +caller does not own the allocator (it is shared among multiple +allocatore users, and uses a mutex to serialize access internally if +necessary). It is possible to call ``get_allocator`` with a specific +name to request a particular type of allocator, otherwise, a default +allocator type is returned. + +At start time, the only allocator known is a ``Default_Allocator``, +which just allocates memory using ``malloc``, and zeroizes it when the +memory is released. It is known by the name "malloc". If you ask for +another type of allocator ("locking" and "mmap" are currently used), +and it is not available, some other allocator will be returned. + +You can add in a new allocator type using ``add_allocator_type``. This +function takes a string and a pointer to an allocator. The string gives this +allocator type a name to which it can be referred when one is requesting it +with ``get_allocator``. If an error occurs (such as the name being +already registered), this function returns false. It will return true if the +allocator was successfully registered. If you ask it to, +``LibraryInitializer`` will do this for you. + +Finally, you can set the default allocator type that will be returned +using the policy setting "default_alloc" to the name of any previously +registered allocator. diff --git a/doc/ssl.txt b/doc/ssl.txt new file mode 100644 index 000000000..adca78bf8 --- /dev/null +++ b/doc/ssl.txt @@ -0,0 +1,58 @@ + +.. _ssl_api: + +SSL and TLS +======================================== + +.. versionadded:: 1.9.4 + +Botan supports both client and server implementations of the SSL/TLS +protocols, including SSL v3, TLS v1.0, and TLS v1.1. The insecure and +obsolete SSL v2 is not supported. + +The implementation uses ``std::tr1::function``, so it may not have +been compiled into the version you are using; you can test for the +feature macro ``BOTAN_HAS_SSL_TLS`` to check. + +TLS Clients +---------------------------------------- + +.. cpp:class:: TLS_Client + + .. cpp:function:: TLS_Client( \ + std::tr1::function<size_t (byte*, size_t)> input_fn, \ + std::tr1::function<void (const byte*, size_t)> output_fn, \ + const TLS_Policy& policy, RandomNumberGenerator& rng) + + Creates a TLS client. It will call *input_fn* to read bytes from + the network and call *output_fn* when bytes need to be written to + the network. + + .. cpp:function:: size_t read(byte* buf, size_t buf_len) + + Reads up to *buf_len* bytes from the open connection into *buf*, + returning the number of bytes actually written. + + .. cpp:function:: void write(const byte* buf, size_t buf_len) + + Writes *buf_len* bytes in *buf* to the remote side + + .. cpp:function:: void close() + + Closes the connection + + .. cpp:function:: std::vector<X509_Certificate> peer_cert_chain() + + Returns the certificate chain of the server + +A simple TLS client example: + +.. literalinclude:: examples/tls_client.cpp + + +TLS Servers +---------------------------------------- + +A simple TLS server + +.. literalinclude:: examples/tls_server.cpp diff --git a/doc/support.txt b/doc/support.txt new file mode 100644 index 000000000..288ed8aa0 --- /dev/null +++ b/doc/support.txt @@ -0,0 +1,19 @@ + +Commercial Support Options +======================================== + +Commercial support is currently available for Botan from a couple of +sources. If you provide services related to Botan, email the +development list and your information can be added here. + +* `FlexSecure GmbH <http://www.flexsecure.de>`_ offers support for + both Botan and `InSiTo <http://www.flexsecure.eu/insito/>`_ + libraries. Developers from FlexSecure have done extensive work + with Botan in the past, and many new features to Botan have been + implemented and contributed by them. More information at + http://www.flexsecure.eu/insito/support.html + +* `Jack Lloyd <http://www.randombit.net>`_ can provide services + relating to Botan including performance analysis of application + code using Botan, review of cryptographic use and designs for + security flaws, and implementing new features. diff --git a/doc/thanks.txt b/doc/thanks.txt deleted file mode 100644 index 68fd81b3b..000000000 --- a/doc/thanks.txt +++ /dev/null @@ -1,53 +0,0 @@ - -The following people (sorted alphabetically) contributed bug reports, useful -information, or were generally just helpful people to talk to: - -Jeff B -Rickard Bondesson -Mike Desjardins -Matthew Gregan -Hany Greiss -Friedemann Kleint -Ying-Chieh Liao -Dan Nicolaescu -Vaclav Ovsik -Ken Perano -Darren Starsmore -Kaushik Veeraraghavan -Dominik Vogt -James Widener - -Cerulean Studios, creators of the Trillian instant messaging client, -has provided financial assistance to the project. - -Barry Kavanagh of AEP Systems Ltd kindly provided an AEP2000 crypto card and -drivers, enabling the creation of Botan's AEP engine module. - -In addition, the following people have unknowingly contributed help -via public domain code which has been repurposed into the library: - - Dean Gaudet wrote the SSE2 implementation of SHA-1 - - Mike Hamburg wrote x86-64/SSSE3 assembly which was the basis for the - constant time AES implementation - - The implementation of DES is based off a public domain implementation by Phil - Karn from 1994 (he, in turn, credits Richard Outerbridge and Jim Gillogly). - - Rijndael and Square are based on the reference implementations written by - the inventors, Joan Daemen and Vincent Rijmen. - - The Serpent S-boxes used were discovered by Dag Arne Osvik and detailed in - his paper "Speeding Up Serpent". - - Matthew Skala's public domain twofish.c (as given in GnuPG 0.9.8) provided - the basis for my Twofish code (particularly the key schedule). - - Some of the hash functions (MD5, SHA-1, etc) use an optimized implementation - of one of the boolean functions, which was discovered by Colin Plumb. - - The design of Randpool takes some of its design principles from those - suggested by Eric A. Young in his SSLeay documentation, Peter Gutmann's paper - "Software Generation of Practically Strong Random Numbers", and the paper - "Cryptanalytic Attacks on Pseudorandom Number Generators", by Kelsey, - Schneier, Wagner, and Hall. diff --git a/doc/tutorial.tex b/doc/tutorial.tex deleted file mode 100644 index 840679d10..000000000 --- a/doc/tutorial.tex +++ /dev/null @@ -1,141 +0,0 @@ -\documentclass{article} - -\setlength{\textwidth}{6.5in} % 1 inch side margins -\setlength{\textheight}{9in} % ~1 inch top and bottom margins - -\setlength{\headheight}{0in} -\setlength{\topmargin}{0in} -\setlength{\headsep}{0in} - -\setlength{\oddsidemargin}{0in} -\setlength{\evensidemargin}{0in} - -\title{\textbf{Botan Tutorial}} -\author{Jack Lloyd \\ - \texttt{[email protected]}} -\date{2010/08/07} - -\newcommand{\filename}[1]{\texttt{#1}} -\newcommand{\manpage}[2]{\texttt{#1}(#2)} - -\newcommand{\macro}[1]{\texttt{#1}} - -\newcommand{\function}[1]{\textbf{#1}} -\newcommand{\type}[1]{\texttt{#1}} -\renewcommand{\arg}[1]{\textsl{#1}} -\newcommand{\variable}[1]{\textsl{#1}} - -\begin{document} - -\maketitle - -\tableofcontents - -\parskip=5pt -\pagebreak - -\section{Introduction} - -This document essentially sets up various simple scenarios and then -shows how to solve the problems using botan. It's fairly simple, and -doesn't cover many of the available APIs and algorithms, especially -the more obscure or unusual ones. It is a supplement to the API -documentation and the example applications, which are included in the -distribution. - -\section{Initializing the Library} - -The first step to using botan is to create a \type{LibraryInitializer} -object, which handles creating various internal structures, and also -destroying them at shutdown. - -\begin{verbatim} -#include <botan/botan.h> - -int main() - { - Botan::LibraryInitializer init; - return 0; - } -\end{verbatim} - -If your application is multi-threaded, you need to tell botan this so -that it will use locking where necessary. This is done by passing a -string to the constructor of \type{LibraryInitializer}: - -\begin{verbatim} - Botan::LibraryInitializer init("thread_safe=yes"); -\end{verbatim} - -\section{Introduction to Pipe} - -Most operations in botan are specified in terms of transformations on -streams. The class that handles the I/O and management for these -streams is called \type{Pipe}. You can construct a \type{Pipe} with -one or more \type{Filter}s, which sequentially process messages. You -can only update a single message at a time, but you can leave the -final output contents in a \type{Pipe} and read them out as desired. - -Here is how you might hex encode two messages: - -\begin{verbatim} - std::string message1 = "this is the first message"; - const byte message2[] = "a second message"; - Pipe pipe(new Hex_Encoder); - - pipe.start_msg(); // must be called before writing to the pipe - pipe.write(message1); - pipe.end_msg(); // must be called to signal completion - - /* - process_msg(x) is equivalent to calling - start_msg(); write(x); end_msg(); - */ - pipe.process_msg(message2); - - Pipe::message_id n = pipe.message_count(); // returns 2 - - /* you can read a message as a string, here we read message 0 */ - std::string first_result = pipe.read_all_as_string(0); - - /* or a piece at a time using array/length, now we'll read the - second message (message id 1) - */ - - byte output[4096] = { 0 }; - u32bit got = read(output, sizeof(output), 1); - if(got >= sizeof(output)) - // have to read again to get more of the message -\end{verbatim} - -You can also read output while the message is still active (before the -call to \function{end\_msg}), using the same interfaces. You can find -out how much data is currently available for a particular \type{Pipe} -by calling the member function \function{remaining}, which takes a -message sequence number and returns the number of bytes that are -currently available to read from that message. - -\section{Hashing a File} - -Hashing a file is done using a \type{Hash\_Filter}, which takes a string -which specifies which hash function you want to use: - -\begin{verbatim} - Pipe pipe(new Hash_Filter("SHA-256")); -\end{verbatim} - -The output of a \type{Hash\_Filter} is raw binary. The filter will not -produce any output at all until you call \function{end\_msg}. - -\section{Symmetric Cryptography} - - - -\subsection{Authentication} - -\subsection{User Authentication} - -\section{Public Key Cryptography} - - -\end{document} diff --git a/doc/users.txt b/doc/users.txt new file mode 100644 index 000000000..4c743b137 --- /dev/null +++ b/doc/users.txt @@ -0,0 +1,111 @@ + +Known Users +======================================== + +This is a list of some of the known users of botan. If you'd like to +be added to the list, email the development list. + +Open Source Software +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* `SoftHSM <http://trac.opendnssec.org/wiki/SoftHSM>`_ an open sourced + software PKCS #11 implementation, which is used as part of the + `OpenDNSSEC <http://www.opendnssec.org>`_ project. + +* `Qt Creator <http://qt.nokia.com/products/developer-tools>`_, an + IDE for building Qt applications. + +* `NetSieben's <http://netsieben.com/products/ssh/>`_ + SSH library provides SSHv2 client connections for C++ + applications, using botan for the crypto. (GPL or commercial) + +* `InSiTo <http://www.flexsecure.eu/insito/index.html>`_ is a library + for ePassports based on botan which was commissioned by the German + Federal Office for Information Security. + +* `QCA <http://delta.affinix.com/qca/>`_, the Qt Cryptographic + Architecture (part of KDE4) uses parts of botan as an `embedded + crypto provider + <http://websvn.kde.org/trunk/kdesupport/qca/src/botantools/botan/>`_. + +* `Octopod <http://code.google.com/p/octopod/>`_ is a + file sharing system. + +* `Silverlock <http://www.petroules.com/products/silverlock/>`_ + is a GPL password management tool for Windows, OS X, and Linux.</p> + +* `Monotone <http://monotone.ca/>`_, a free distributed + version control system, uses botan for RSA authentication, + content hashing, and message authentication. + +* `Publimark <http://www.gleguelv.org/soft/publimark/index.html>`_ + is a tool for hiding messages in an audio file. + +* `KeySafe <http://therning.org/magnus/computer/keysafe>`_, + a password application for GNOME + +* `SuSE <http://gcc.opensuse.org>`_ uses botan as part + of a test suite for the GCC optimizer. + +* `Openbench <http://www.exactcode.de/site/open_source/openbench/>`_, + an open source benchmark suite, uses botan as a component. + +* `VNCcrack <http://www.randombit.net/code/vnccrack/>`_ + is a password cracker for the VNC authentication/response protocol. + +Commercial Software +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* `Hulu Desktop <http://www.hulu.com/labs/hulu-desktop>`_ uses botan + on Windows `(ref) + <http://download.hulu.com/HuluDesktop_ThirdPartyLicenses.txt>`_. + +* `Hitman Pro <http://www.surfright.nl/en>`_ is a malware + scanner for Windows. + +* `Flying Lab Software <http://www.burningsea.com>`_, a Seattle based + game developer, uses botan as a part of their user authentication + process. + +* `CryptoTE <http://idlebox.net/2009/cryptote/>`_ is a text editor + with integrated strong cryptography. + +* `TextEgg <http://www.textegg.com/>`_ is an encrypted document editor. + +* `Seagate <http://www.seagate.com/www/en-us/support/downloads/>`_ + uses botan for the drive encryption in the Maxtor OneTouch III Mini + Edition hard drive. + +* `Aegeus Technology Ltd <http://www.aegeus-technology.com>`_ used + botan in a research implementation of SPKI. + +* `E.V.E. Paradox <http://www.entropicsoftware.com/eve/eve.html>`_, a + suite of games for Windows. + +Research Projects +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* `A Unified Approach to Intra-Domain Security + <http://www.csiir.ornl.gov/shue/research/securecom09.pdf>`_ + describes a system by researches from Oak Ridge National Lab and + Indiana University that uses botan to secure ARP and DHCP. + +* `CLL: A Cryptographic Link Layer for Local Area Networks + <http://www.springerlink.com/content/c4681m76808l4621/>`_ describes + a network encryption system using botan. (One of the coauthors, Yves + Jerschow, also contributed a number of optimizations to the + library). + +* The system described in `Enabling Intrusion Detection in IPsec + Protected IPv6 Networks Through Secret-key Sharing + <http://www.stormingmedia.us/01/0151/A015134.pdf>`_ + +* `An experimental tamper detection system + <http://www.cis.udel.edu/~hiper/passages/papers/jochenMILCOM03.pdf>`_ + designed by researchers from the University of Delaware and the US + Army Research Laboratory. + +* A prototype implementation of a telephony signal security system, + described in `Prototyping and evaluation of TCAPsec + <http://www.cs.kau.se/cs/education/courses/davddiss/Uppsatser_2007/D2007-04.pdf>`_ + by Kang Chung and Mathilda Gustafsson. diff --git a/doc/x509.txt b/doc/x509.txt new file mode 100644 index 000000000..d31a84498 --- /dev/null +++ b/doc/x509.txt @@ -0,0 +1,527 @@ + +.. _x509_certificates: + +Certificate Handling +================================= + +A certificate is a binding between some identifying information +(called a *subject*) and a public key. This binding is asserted by a +signature on the certificate, which is placed there by some authority +(the *issuer*) that at least claims that it knows the subject named in +the certificate really "owns" the private key corresponding to the +public key in the certificate. + +The major certificate format in use today is X.509v3, designed by ISO +and further hacked on by dozens (hundreds?) of other organizations. + +When working with certificates, the main class to remember is +``X509_Certificate``. You can read an object of this type, but you can't create +one on the fly; a CA object is necessary for making a new certificate. So for +the most part, you only have to worry about reading them in, verifying the +signatures, and getting the bits of data in them (most commonly the public key, +and the information about the user of that key). An X.509v3 certificate can +contain a literally infinite number of items related to all kinds of +things. Botan doesn't support a lot of them, because nobody uses them and +they're an impossible mess to work with. This section only documents the most +commonly used ones of the ones that are supported; for the rest, read +``x509cert.h`` and ``asn1_obj.h`` (which has the definitions of various common +ASN.1 constructs used in X.509). + +So what's in an X.509 certificate? +----------------------------------- + +Obviously, you want to be able to get the public key. This is achieved by +calling the member function ``subject_public_key``, which will return a +``Public_Key``\*. As to what to do with this, read about ``load_key`` in +:ref:`serializing_public_keys`. In the general case, this could be any kind of +public key, though 99% of the time it will be an RSA key. However, +Diffie-Hellman, DSA, and ECDSA keys are also supported, so be careful about how +you treat this. It is also a wise idea to examine the value returned by +``constraints``, to see what uses the public key is approved for. + +The second major piece of information you'll want is the name/email/etc of the +person to whom this certificate is assigned. Here is where things get a little +nasty. X.509v3 has two (well, mostly just two...) different places where you +can stick information about the user: the *subject* field, and in an extension +called *subjectAlternativeName*. The *subject* field is supposed to only +included the following information: country, organization, an organizational +sub-unit name, and a so-called common name. The common name is usually the name +of the person, or it could be a title associated with a position of some sort +in the organization. It may also include fields for state/province and +locality. What a locality is, nobody knows, but it's usually given as a city +name. + +Botan doesn't currently support any of the Unicode variants used in ASN.1 +(UTF-8, UCS-2, and UCS-4), any of which could be used for the fields in the +DN. This could be problematic, particularly in Asia and other areas where +non-ASCII characters are needed for most names. The UTF-8 and UCS-2 string +types *are* accepted (in fact, UTF-8 is used when encoding much of the time), +but if any of the characters included in the string are not in ISO 8859-1 (ie 0 +... 255), an exception will get thrown. Currently the ``ASN1_String`` type +holds its data as ISO 8859-1 internally (regardless of local character set); +this would have to be changed to hold UCS-2 or UCS-4 in order to support +Unicode (also, many interfaces in the X.509 code would have to accept or return +a ``std::wstring`` instead of a ``std::string``). + +Like the distinguished names, subject alternative names can contain a lot of +things that Botan will flat out ignore (most of which you would likely never +want to use). However, there are three very useful pieces of information that +this extension might hold: an email address ([email protected]), a DNS name +(somehost.example.com), or a URI (http://www.example.com). + +So, how to get the information? Call ``subject_info`` with the name of the +piece of information you want, and it will return a ``std::string`` that is +either empty (signifying that the certificate doesn't have this information), +or has the information requested. There are several names for each possible +item, but the most easily readable ones are: "Name", "Country", "Organization", +"Organizational Unit", "Locality", "State", "RFC822", "URI", and "DNS". These +values are returned as a ``std::string``. + +You can also get information about the issuer of the certificate in the same +way, using ``issuer_info``. + +X.509v3 Extensions +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +X.509v3 specifies a large number of possible extensions. Botan supports some, +but by no means all of them. This section lists which ones are supported, and +notes areas where there may be problems with the handling. + + - Key Usage and Extended Key Usage: No problems known. + + - Basic Constraints: No problems known. The default for a v1/v2 certificate is + assume it's a CA if and only if the option "x509/default_to_ca" is set. A v3 + certificate is marked as a CA if (and only if) the basic constraints + extension is present and set for a CA cert. + + - Subject Alternative Names: Only the "rfc822Name", "dNSName", and + "uniformResourceIdentifier" fields will be stored; all others are + ignored. + + - Issuer Alternative Names: Same restrictions as the Subject + Alternative Names extension. New certificates generated by Botan + never include the issuer alternative name. + + - Authority Key Identifier: Only the version using KeyIdentifier is + supported. If the GeneralNames version is used and the extension is + critical, an exception is thrown. If both the KeyIdentifier and GeneralNames + versions are present, then the KeyIdentifier will be used, and the + GeneralNames ignored. + + - Subject Key Identifier: No problems known. + +Revocation Lists +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +It will occasionally happen that a certificate must be revoked before its +expiration date. Examples of this happening include the private key being +compromised, or the user to which it has been assigned leaving an +organization. Certificate revocation lists are an answer to this problem +(though online certificate validation techniques are starting to become +somewhat more popular). Every once in a while the CA will release a new CRL, +listing all certificates that have been revoked. Also included is various +pieces of information like what time a particular certificate was revoked, and +for what reason. In most systems, it is wise to support some form of +certificate revocation, and CRLs handle this easily. + +For most users, processing a CRL is quite easy. All you have to do is call the +constructor, which will take a filename (or a ``DataSource&``). The CRLs +can either be in raw BER/DER, or in PEM format; the constructor will figure out +which format without any extra information. For example:: + + X509_CRL crl1("crl1.der"); + + DataSource_Stream in("crl2.pem"); + X509_CRL crl2(in); + +After that, pass the ``X509_CRL`` object to a ``X509_Store`` object +with + +.. cpp:function:: X509_Code X509_Store::add_crl(const X509_CRL& crl) + +and all future verifications will take into account the certificates +listed, assuming ``add_crl`` returns ``VERIFIED``. If it doesn't +return ``VERIFIED``, then the return value is an error code signifying +that the CRL could not be processed due to some problem (which could +be something like the issuing certificate could not being found, an +invalid signature, or the CRL having some format problem). For more +about the ``X509_Store`` API, read :ref:`x509_store`. + +Reading Certificates +--------------------------------- + +``X509_Certificate`` has two constructors, each of which takes a source of +data; a filename to read, and a ``DataSource&``:: + + X509_Certificate cert1("cert1.pem"); + + /* This file contains two certificates, concatenated */ + DataSource_Stream in("certs2_and_3.pem"); + + X509_Certificate cert2(in); // read the first cert + X509_Certificate cert3(in); // read the second cert + +.. _x509_store: + +Storing and Using Certificates +--------------------------------- + +If you read a certificate, you probably want to verify the signature on +it. However, consider that to do so, we may have to verify the signature on the +certificate that we used to verify the first certificate, and on and on until +we hit the top of the certificate tree somewhere. It would be a might huge pain +to have to handle all of that manually in every application, so there is +something that does it for you: ``X509_Store``. + +The basic operations are: put certificates and CRLs into it, search for +certificates, and attempt to verify certificates. That's about it. In the +future, there will be support for online retrieval of certificates and CRLs (eg +with the HTTP cert-store interface currently under consideration by PKIX). + +Adding Certificates +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +You can add new certificates to a certificate store using any of these +functions: + +.. cpp:function:: void X509_Store::add_cert(const X509_Certificate& cert, \ + bool trusted = false) + +.. cpp:function:: void X509_Store::add_cert(DataSource& source) + +.. cpp:function:: void X509_Store::add_trusted_certs(DataSource& source) + +The versions that take a ``DataSource&`` will add all the certificates +that it can find in that source. + +All of them add the cert(s) to the store. The "trusted" certificates are the +ones that you are willing to trust for certification purposes. For example, say +your application is working with certificates that are owned by employees of +some company, and all of their certificates are signed by the company CA, whose +certificate is in turned signed by a commercial root CA. What you would then do +is include the certificate of the commercial CA with your application, and read +it in as a trusted certificate. From there, you could verify the company CA's +certificate, and then use that to verify the end user's certificates. Only +self-signed certificates may be considered trusted. + +Adding CRLs +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. cpp:function:: X509_Code X509_Store::add_crl(const X509_CRL& crl) + +This will process the CRL and mark the revoked certificates. This will +also work if a revoked certificate is added to the store sometime +after the CRL is processed. The function can return an error code +(listed later), or will return ``VERIFIED`` if everything completed +successfully. + +Storing Certificates +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +You can output a set of certificates by calling ``PEM_encode``, which +will return a ``std::string`` containing each of the certificates in +the store, PEM encoded and concatenated. This simple format can easily +be read by both Botan and other libraries/applications. + +Certificate Stores +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +An object of type ``Certificate_Store`` is a generalized interface to an +external source for certificates (and CRLs). Examples of such a store would be +one that looked up the certificates in a SQL database, or by contacting a CGI +script running on a HTTP server. There are currently three mechanisms for +looking up a certificate, and one for retrieving CRLs. By default, most of +these mechanisms will return an empty ``std::vector`` of +``X509_Certificate``. This storage mechanism is *only* queried when doing +certificate validation: it allows you to distribute only the root key with an +application, and let some online method handle getting all the other +certificates that are needed to validate an end entity certificate. In +particular, the search routines will not attempt to access the external +database. + +The three certificate lookup methods are ``by_SKID`` (Subject Key Identifier), +``by_name`` (the CommonName DN entry), and ``by_email`` (stored in either the +distinguished name, or in a subjectAlternativeName extension). The name and +email versions take a ``std::string``, while the SKID version takes a +``SecureVector<byte>`` containing the subject key identifier in raw binary. You +can choose not to implement ``by_name`` or ``by_email``, but ``by_SKID`` is +mandatory to implement, and, currently, is the only version that is used by +``X509_Store``. + +Finally, there is a method for finding CRLs, called ``get_crls_for``, that +takes an ``X509_Certificate`` object, and returns a ``std::vector`` of +``X509_CRL``. While normally there will be only one CRL, the use of the vector +makes it easy to return no CRLs (eg, if the certificate store doesn't support +retrieving them), or return multiple ones (for example, if the certificate +store can't determine precisely which key was used to sign the +certificate). Implementing the function is optional, and by default will return +no CRLs. If it is available, it will be used by ``X509_CRL``. + +As for using such a store, you have to tell ``X509_Store`` about it +with + +.. cpp:function:: void X509_Store::add_new_certstore(Certificate_Store* new_store) + + The store object will be owned by (and deleted by) ``X509_Store``, + so make sure to allocate it with ``new``. + +Verifying Certificates +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Verifying a certificate requires that we build up a chain of trust, starting +from the root (usually a commercial CA), down through some number of +intermediate CAs, and finally reaching the actual certificate in +question. Thus, to verify, we actually have to have all those certificates on +hand (or at the very least, know where we can get the ones we need). + +The class which handles both storing certificates, and verifying them, +is + +.. cpp:class:: X509_Store + +.. cpp:type:: Cert_Usage + + Can be any of: + * ``ANY`` (any usage is OK) + * ``CRL_SIGNING`` + * ``TLS_SERVER`` (for SSL/TLS server authentication) + * ``TLS_CLIENT`` (for SSL/TLS client authentication) + * ``CODE_SIGNING`` + * ``EMAIL_PROTECTION`` (usually this means S/MIME) + * ``TIME_STAMPING`` (in theory any time stamp application, + usually IETF PKIX's Time Stamp Protocol) + +.. cpp:function:: X509_Code validate_cert(const X509_Certificate& cert, \ + Cert_Usage usage = ANY) + + Return ``VERIFIED`` if the certificate can safely be considered + valid for the usage(s) described by *usage*, and an error code if + it is not. + +First, how does :cpp:class`X509_Store::validate_cert` know if a certificate is +valid? A certificate is valid if both of the following hold: a) the signature +in the certificate can be verified using the public key in the issuer's +certificate, and b) the issuer's certificate is a valid CA certificate. Note +that this definition is recursive. We get out of this by "bottoming out" when +we reach a certificate that we consider trusted. In general this will either be +a commercial root CA, or an organization or application specific CA. + +There are a few other restrictions (validity periods, key usage restrictions, +etc), but the above summarizes the major points of the validation algorithm. In +theory, Botan implements the certificate path validation algorithm given in RFC +2459, but in practice it does not (yet), because we don't support the X.509v3 +policy or name constraint extensions. + +The default ``ANY`` does not mean valid for any use, it means "is valid for +some usage". This is usually what you want; requiring that a random certificate +support a particular usage will likely result in a lot of failures, unless your +application is very careful to always issue certificates with the proper +extensions, and you never use certificates generated by other apps. + +Return values for ``validate_cert`` (and ``add_crl``) include: + +* VERIFIED: The certificate is valid for the specified use. +* INVALID_USAGE: The certificate cannot be used for the specified use. + +* CANNOT_ESTABLISH_TRUST: The root certificate was not marked as trusted. + +* CERT_CHAIN_TOO_LONG: The certificate chain exceeded the length + allowed by a basicConstraints extension. + +* SIGNATURE_ERROR: An invalid signature was found + +* POLICY_ERROR: Some problem with the certificate policies was found. + +* CERT_FORMAT_ERROR: Some format problem was found in a certificate. +* CERT_ISSUER_NOT_FOUND: The issuer of a certificate could not be found. +* CERT_NOT_YET_VALID: The certificate is not yet valid. +* CERT_HAS_EXPIRED: The certificate has expired. +* CERT_IS_REVOKED: The certificate has been revoked. +* CRL_FORMAT_ERROR: Some format problem was found in a CRL. +* CRL_ISSUER_NOT_FOUND: The issuer of a CRL could not be found. +* CRL_NOT_YET_VALID: The CRL is not yet valid. +* CRL_HAS_EXPIRED: The CRL has expired. +* CA_CERT_CANNOT_SIGN: The CA certificate found does not have an + contain a public key that allows signature verification. +* CA_CERT_NOT_FOR_CERT_ISSUER: The CA cert found is not allowed to + issue certificates. +* CA_CERT_NOT_FOR_CRL_ISSUER: The CA cert found is not allowed to + issue CRLs. +* UNKNOWN_X509_ERROR: Some other error occurred. + +Certificate Authorities +--------------------------------- + +Setting up a CA for X.509 certificates is perhaps the easiest thing to +do related to X.509. A CA is represented by the type ``X509_CA``, +which can be found in ``x509_ca.h``. A CA always needs its own +certificate, which can either be a self-signed certificate (see below +on how to create one) or one issued by another CA (see the section on +PKCS #10 requests). Creating a CA object is done by the following +constructor: + +.. cpp:function:: X509_CA::X509_CA(const X509_Certificate& cert, \ + const Private_Key& key) + +The private key is the private key corresponding to the public key in the +CA's certificate. + +Requests for new certificates are supplied to a CA in the form on PKCS +#10 certificate requests (called a ``PKCS10_Request`` object in +Botan). These are decoded in a similar manner to +certificates/CRLs/etc. A request is vetted by humans (who somehow +verify that the name in the request corresponds to the name of the +entity who requested it), and then signed by a CA key, generating a +new certificate: + +.. cpp:function:: X509_Certificate \ + X509_CA::sign_request(const PKCS10_Request& req) const + +Here's an example: + +.. literalinclude examples/ca.cpp + +Generating CRLs +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +As mentioned previously, the ability to process CRLs is highly important in +many PKI systems. In fact, according to strict X.509 rules, you must not +validate any certificate if the appropriate CRLs are not available (though +hardly any systems are that strict). In any case, a CA should have a valid CRL +available at all times. + +Of course, you might be wondering what to do if no certificates have +been revoked. Never fear; empty CRLs, which revoke nothing at all, can +be issued. To generate a new, empty CRL, just call + +.. cpp:function:: X509_CRL X509_CA::new_crl(u32bit seconds_to_expiration = 0) + + This function will return a new, empty CRL. The + ``seconds_to_expiration`` parameter is the number of seconds before + the CRL expires. If it is set to the (default) value of zero, then a + reasonable default (currently 7 days) will be used. + +On the other hand, you may have issued a CRL before. In that case, you will +want to issue a new CRL that contains all previously revoked +certificates, along with any new ones. This is done by calling + +.. cpp:function:: X509_CRL X509_CA::update_crl(const X509_CRL& old_crl, \ + std::vector<CRL_Entry> new_revoked, size_t seconds_to_expiration = 0) + + Where ``X509_CRL`` is the last CRL this CA issued, and + ``new_revoked`` is a list of any newly revoked certificates. The + function returns a new ``X509_CRL`` to make available for + clients. + +The ``CRL_Entry`` type is a structure that contains, at a minimum, the serial +number of the revoked certificate. As serial numbers are never repeated, the +pairing of an issuer and a serial number (should) distinctly identify any +certificate. In this case, we represent the serial number as a +``SecureVector<byte>`` called ``serial``. There are two additional (optional) +values, an enumeration called ``CRL_Code`` that specifies the reason for +revocation (``reason``), and an object that represents the time that the +certificate became invalid (if this information is known). + +If you wish to remove an old entry from the CRL, insert a new entry for the +same cert, with a ``reason`` code of ``DELETE_CRL_ENTRY``. For example, if a +revoked certificate has expired 'normally', there is no reason to continue to +explicitly revoke it, since clients will reject the cert as expired in any +case. + +Self-Signed Certificates +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Generating a new self-signed certificate can often be useful, for example when +setting up a new root CA, or for use in email applications. The library +provides a utility function for this: + +.. cpp:function:: X509_Certificate create_self_signed_cert( \ + const X509_Cert_Options& opts, const Private_Key& key) + + Where *key* is the private key you wish to use (the public key, + used in the certificate itself, is extracted from the private key), + and *opts* is an structure that has various bits of information + that will be used in creating the certificate (this structure, and + its use, is discussed below). + +An example: + +.. literalinclude:: examples/self_sig.cpp + +Creating PKCS #10 Requests +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Also in ``x509self.h``, there is a function for generating new PKCS #10 +certificate requests: + +.. cpp:function:: PKCS10_Request create_cert_req( \ + const X509_Cert_Options& opts, const Private_Key& key) + +This function acts quite similarly to +:cpp:func:`create_self_signed_cert`, except it instead returns a PKCS +#10 certificate request. After creating it, one would typically +transmit it to a CA, who signs it and returns a freshly minted X.509 +certificate. + +An example: + +.. literalinclude:: examples/pkcs10.cpp + +Certificate Options +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +What is this ``X509_Cert_Options`` thing we've been passing around? It's a +class representing a bunch of information that will end up being stored into +the certificate. This information comes in 3 major flavors: information about +the subject (CA or end-user), the validity period of the certificate, and +restrictions on the usage of the certificate. + +First and foremost is a number of ``std::string`` members, which contains +various bits of information about the user: ``common_name``, ``serial_number``, +``country``, ``organization``, ``org_unit``, ``locality``, ``state``, +``email``, ``dns_name``, and ``uri``. As many of these as possible should be +filled it (especially an email address), though the only required ones are +``common_name`` and ``country``. + +There is another value that is only useful when creating a PKCS #10 request, +which is called ``challenge``. This is a challenge password, which you can +later use to request certificate revocation (*if* the CA supports doing +revocations in this manner). + +Then there is the validity period; these are set with ``not_before`` and +``not_after``. Both of these functions also take a ``std::string``, which +specifies when the certificate should start being valid, and when it should +stop being valid. If you don't set the starting validity period, it will +automatically choose the current time. If you don't set the ending time, it +will choose the starting time plus a default time period. The arguments to +these functions specify the time in the following format: "2002/11/27 +1:50:14". The time is in 24-hour format, and the date is encoded as +year/month/day. The date must be specified, but you can omit the time or +trailing parts of it, for example "2002/11/27 1:50" or "2002/11/27". + +Lastly, you can set constraints on a key. The one you're mostly likely to want +to use is to create (or request) a CA certificate, which can be done by calling +the member function ``CA_key``. This should only be used when needed. + +Other constraints can be set by calling the member functions +``add_constraints`` and ``add_ex_constraints``. The first takes a +``Key_Constraints`` value, and replaces any previously set value. If no value +is set, then the certificate key is marked as being valid for any usage. You +can set it to any of the following (for more than one usage, OR them together): +``DIGITAL_SIGNATURE``, ``NON_REPUDIATION``, ``KEY_ENCIPHERMENT``, +``DATA_ENCIPHERMENT``, ``KEY_AGREEMENT``, ``KEY_CERT_SIGN``, ``CRL_SIGN``, +``ENCIPHER_ONLY``, ``DECIPHER_ONLY``. Many of these have quite special +semantics, so you should either consult the appropriate standards document +(such as RFC 3280), or just not call ``add_constraints``, in which case the +appropriate values will be chosen for you. + +The second function, ``add_ex_constraints``, allows you to specify an OID that +has some meaning with regards to restricting the key to particular usages. You +can, if you wish, specify any OID you like, but there is a set of standard ones +that other applications will be able to understand. These are the ones +specified by the PKIX standard, and are named "PKIX.ServerAuth" (for TLS server +authentication), "PKIX.ClientAuth" (for TLS client authentication), +"PKIX.CodeSigning", "PKIX.EmailProtection" (most likely for use with S/MIME), +"PKIX.IPsecUser", "PKIX.IPsecTunnel", "PKIX.IPsecEndSystem", and +"PKIX.TimeStamping". You can call "add_ex_constraints" any number of times - +each new OID will be added to the list to include in the certificate. |