| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
precompute only as needed, or will want to access some other expensive
resource or etc.
Change how the secret for generating blinding is done in cases where a
PRNG isn't available. Use the operations public op to hide the secret,
for instance the seed for a DH blinding variable is 2^x mod p.
Make use of being able to mutate internal structures in the RW signer,
since that does have access to a PRNG, so use it to initialize the
blinder on first call to sign().
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
performed. Up until now, each key object (eg DSA_PublicKey or
ECDH_PrivateKey) had two jobs: contain the key material, and know how
to perform any operations on that key. However because of a desire to
support alternative implementations (GNU MP, hardware, whatever),
there was a notion of operations, with the key objects containing an
op that they got via engine rather than actually implementing the
underlying algorithms directly.
Now, represent the operation as an abstract interface (typically
mapping a byte string to a byte string), and pass a plain Public_Key&
or Private_Key& to the engine. The engine does any checks it wants (eg
based on name, typeid, key sizes, etc), and either returns nothing
(I'll pass) or a pointer to a new operation that represents signatures
or encryption or what-have-you using that key.
This means that plain key objects no longer contain operations. This
is a major break with the traditional interface. On the other hand,
using these 'bare' operations without padding, KDFs, etc is 99% of the
time a bad idea anyway (and if you really need them, there are options
so you get the bare op but via the pubkey.h interfaces).
Currently this change is only implemented for DH and ECDH (ie, key
agreement algorithms). Additionally the optional engines (gnump and
openssl) have not been updated. I'll probably wait to touch those
until after I can change them all in one go for all algos.
|
| | |
|
| | |
|
| |
|
|
|
| |
I'm not sure where the old name came from though as literally the only
hits for it on Google are botan-related.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
finalized.
Move header to passhash9.h and rename the functions to be passhash9
specific ({generator,check}_passhash9)
Add an algorithm identifer field. Currently only id 0 is defined, for
HMAC(SHA-1), but this opens up for using HMAC(SHA-512) or HMAC(SHA-3)
or CMAC(Blowfish) or whatever in the future if necessary. Increase the
salt size to 96 bits and the PRF output size to 192 bits.
Document in api.tex
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
extant for a long long time and was never caught because until
recently the code did not depend on M.size(). However with the recent
loadstore changes that use memcpy to load the entire array in one
shot, an extra 128 bytes of memory would be read (but not used) in
each iteration.
This probably did not cause any problems except for Valgrind warnings,
though in some situations it would be possible for the M buffer and
MDx_HashFunctions buffer to be close enough that memcpy would be called
with overlapping regions, which could cause arbitrarily weird failures
since memcpy is allowed to assume they do not overlap.
|
| |
|
|
|
|
|
|
| |
the passhash example to the library. Support variable work factors;
default work factor of 10 takes about half a second to do one password
on my Core2. Switch to using SHA-512 instead of SHA-1 in PBKDF2. To keep
the output evenly sized for base64 purposes, reduce PBKDF2 output size by
one byte (to 112 bits).
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
reinitialized. It would cache an Allocator pointer on first use,
and then never zero it, so after the reinit the pointer would be going
to a now deallocated Allocator object.
Encountered in the SoftHSM test suite, reported by Ondrej Sury.
Use a simple reference counting scheme to zero the pointer, and reset
the GNU MP memory functions. This also fixes a quite obscure and never
reported bug, that if the GMP engine was used, and if the library was
deinitialized but then the program tried to use GNU MP, the allocator
functions would crash. Now after deinit the allocator funcs revert to the
defaults.
The reference count is not updated atomically so this is not thread safe,
but seems a non-issue; the only time this could happen (especially now that
the GMP engine header is internal-only) is if multiple threads were attempting
to initialize / shutdown the library at once - which won't work anyway for
a variety of reasons, including contention on the (unlocked) global_lib_state
pointer.
If at some point thread safety is useful here, the refcnt can be locked by
a mutex, or kept in an atomic<unsigned int>.
|
| |
|
|
| |
Twofish in XTS mode for encryption by default, but is easily tweakable.
|
| |
|
|
| |
and 1.6x faster using SIMD_Scalar.
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
faster than the scalar version on a Core2.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes for the amalgamation generator for internal headers.
Remove BOTAN_DLL exporting macros from all internal-only headers;
the classes/functions there don't need to be exported, and
avoiding the PIC/GOT indirection can be a big win.
Add missing BOTAN_DLLs where necessary, mostly gfpmath and cvc
For GCC, use -fvisibility=hidden and set BOTAN_DLL to the
visibility __attribute__ to export those classes/functions.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Currently requires SSE4.1 for _mm_extract_epi32 for the key schedule, it
would be nice to remove this dependency, though all currently known/scheduled
chips with AES-NI (Intel Westmere and Sandy Bridge, and AMD Bulldozer) are
supposed to include SSE 4.1 so this is not a huge problem.
|
| |
|
|
|
|
|
|
|
| |
tests under Intel's emulator.
Document and enable in the engine.
Merge both versions to aes_intel.cpp - some shared code and much similiar
structure which might be sharable via macros.
|
| |
|
|
| |
testing with Intel's emulator shows all green.
|
| |
|
|
|
|
|
| |
the user to specify the hash function to use, instead of always using SHA-1.
This was a sensible default a few years ago, when there wasn't a ~2^60 attack
on SHA-1 and support for SHA-2 was pretty much nil, but using something else
makes a lot more sense these days.
|
| |
|
|
|
| |
Rename BOTAN_UNALIGNED_LOADSTOR_OK to BOTAN_UNALIGNED_MEMORY_ACCESS_OK
which is somewhat more clear as to the point.
|
| |\
| |
| |
| |
| |
| | |
a101c8c86b755a666c72baf03154230e09e0667e)
to branch 'net.randombit.botan' (head 948905e3872b6f5904686533c6aa87d38ff90a71)
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| | |
Document SHA optimizations, AltiVec runtime checking, fixes for cpuid
for both icc and msvc.
|
| |\ \
| | |
| | |
| | |
| | |
| | | |
8fb69dd1c599ada1008c4cab2a6d502cbcc468e0)
to branch 'net.randombit.botan.general-simd' (head c05c9a6d398659891fb8cca170ed514ea7e6476d)
|
| | | | |
|
| |\| |
| |/
|/|
| |
| |
| | |
3158f8272a3582dd44dfb771665eb71f7d005339)
to branch 'net.randombit.botan' (head bf629b13dd132b263e76a72b7eca0f7e4ab19aac)
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
