path: root/src/rng
Commit log (columns: commit message; author, date; files changed, lines -/+)
* Some changes to HMAC_RNG: (lloyd, 2012-07-18; 2 files, -23/+13)
  - Only give out half of K in each iteration. This prevents an attacker who recovers the PRF key and knows some RNG outputs from being able to determine other RNG outputs.
  - Don't reset the counter on a reseed, and every 1024 outputs (16 Kbytes with default PRF) initiate a poll.
  - Don't ever reseed when called with add_entropy, just give it to the extractor, as we know that eventually we'll reseed at which time that input will be incorporated.
* Fairly huge update that replaces the old secmem types with std::vector (lloyd, 2012-05-18; 7 files, -11/+11)
  using a custom allocator. Currently our allocator just does new/delete with a memset before deletion, and the mmap and mlock allocators have been removed.
* propagate from branch 'net.randombit.botan' (head 6332543aa5a8a4cc13662008ff9ac0f0016d9a4d) to branch 'net.randombit.botan.cxx11' (head 5517c9f8f6d1990f269afb94f569a97a80c5a5f4) (lloyd, 2012-05-18; 1 file, -2/+2)
* Partially roll back b2aef16225863cef27cdee4b91703966b3ed1458, it (lloyd, 2012-04-28; 1 file, -2/+2)
  caused huge performance issues with DSA/ECDSA signing performance.
* propagate from branch 'net.randombit.botan' (head c247a55e7c0bcd239fcfc672139b59ef63d7ee84) to branch 'net.randombit.botan.cxx11' (head 16d7756c6b8933d0d543ebdda9c7e8f4908a4a33) (lloyd, 2012-02-20; 1 file, -6/+14)
* Avoid blocking more than 100 ms in the random device reader. Scale up (lloyd, 2012-02-20; 1 file, -1/+2)
  how much we ask for on the basis of how many bits we're counting each byte as contributing. Change /dev/*random estimate to 7 bits per byte. Small cleanup in HMAC_RNG.
* Force a reseed in HMAC_RNG after 20 bytes have been added, rather than (lloyd, 2012-02-15; 1 file, -5/+12)
  waiting for a full kilobyte. This is for the benefit of DSA/ECDSA which want a call to add_entropy to update the state in some way, passing just a hash input which might be as small as 20 bytes.
* Add string_join; inverse of split_on. (lloyd, 2011-06-17; 1 file, -2/+2)
  Use auto in a few more places.
  Use GCC 4.6's range-for.
  Delete rather than hide Algorithm copy constructor/assignment.
  Move version to more or less randomly chosen 1.99 so there is no ambiguity about versions.
* propagate from branch 'net.randombit.botan' (head 303b2518a80553214b1e5ab4d9b96ef54629cbc7) to branch 'net.randombit.botan.c++0x' (head d734eefabe4816be4dd3e3e6e7bb13b7ab5be148) (lloyd, 2010-11-04; 2 files, -6/+5)
* propagate from branch 'net.randombit.botan' (head 2898d79f992f27a328a3e41d34b46eb1052da0de) to branch 'net.randombit.botan.c++0x' (head 6cba76268fd69a73195760c021b7f881b8a6552c) (lloyd, 2010-10-13; 2 files, -6/+5)
* propagate from branch 'net.randombit.botan' (head 294e2082ce9231d6165276e2f2a4153a0116aca3) to branch 'net.randombit.botan.c++0x' (head 0b695fad10f924601e07b009fcd781191fafcb28) (lloyd, 2010-06-17; 8 files, -34/+55)
* propagate from branch 'net.randombit.botan' (head a5f25a3b954f24c5d07fa0dab6c4d76f63767165) to branch 'net.randombit.botan.c++0x' (head a365694b70b4b84ca713272d56d496acca351cb5) (lloyd, 2010-04-28; 2 files, -35/+31)
* propagate from branch 'net.randombit.botan' (head 75d272c759511a9a99a371ddc74bd17b2c1453b6) to branch 'net.randombit.botan.c++0x' (head 2ce9ba37cb9287a3d875921240d6682100625b9f) (lloyd, 2010-04-09; 1 file, -1/+0)
* propagate from branch 'net.randombit.botan' (head 96d0a1885774b624812fd143d541c8bcda319217) to branch 'net.randombit.botan.c++0x' (head e14368ab9d7976f3e111c6bc0adf24eebeb7c114) (lloyd, 2010-03-21; 2 files, -6/+5)
* propagate from branch 'net.randombit.botan' (head 5bfc3e699003b86615c584f8ae40bd6e761f96c0) to branch 'net.randombit.botan.c++0x' (head 8c64a107b58d41f376bfffc69dfab4514d722c5c) (lloyd, 2010-02-14; 2 files, -6/+5)
* propagate from branch 'net.randombit.botan' (head 12382647ef0a28fcb11c824c77b670cc88a4f721) to branch 'net.randombit.botan.c++0x' (head b586a3286d2c4d547ad3add5af9df1455bf4b87b) (lloyd, 2010-01-21; 2 files, -6/+5)
* propagate from branch 'net.randombit.botan' (head 14c1d4dc8696d2705a70ec3d2403e01d2ca95265) to branch 'net.randombit.botan.c++0x' (head c567fa7310ba082a837562092728c4b4b882bf82) (lloyd, 2009-12-21; 2 files, -6/+5)
* Post-merge fixes (lloyd, 2009-12-16; 2 files, -12/+2)
* propagate from branch 'net.randombit.botan' (head 744dccf92270cf16b80b50ee2759424c9866b256) to branch 'net.randombit.botan.c++0x' (head 2aa1acac1d05e8ea9991fe39015b1db9abc3b24e) (lloyd, 2009-12-16; 8 files, -46/+21)
* propagate from branch 'net.randombit.botan' (head b3515264af291b4785d3d296e2cc0e877ca7816a) to branch 'net.randombit.botan.c++0x' (head 66ca78008f08bb5efc2eca52a3d4501f02ffd736) (lloyd, 2009-12-01; 2 files, -30/+4)
* propagate from branch 'net.randombit.botan' (head cfb19182987fc95b2a8885584a38edb10b4709b3) to branch 'net.randombit.botan.c++0x' (head 1570877c463fed4b632bc49a5b5ee27c57de2cb5) (lloyd, 2009-11-17; 3 files, -7/+7)
* Use auto for long iterator names, etc. (lloyd, 2009-11-16; 2 files, -6/+4)
  It will be nice to convert to the range-based for loop once that's available.
* propagate from branch 'net.randombit.botan' (head 2773c2310e8c0a51975987a2dd6c5824c8d43882) to branch 'net.randombit.botan.c++0x' (head f13cf5d7e89706c882604299b508f356c20aae3a) (lloyd, 2009-11-02; 2 files, -3/+4)
* Attic-ize all of src/timer, except for time_t_to_tm and system_time (lloyd, 2009-10-13; 1 file, -1/+0)
  (which will go later) which will live in the new time.h
* propagate from branch 'net.randombit.botan' (head 139d6957d20f0b1202e0eacc63cb011588faffde) to branch 'net.randombit.botan.c++0x' (head c16676fa6c393bc3f46a044755ce525a013380a6) (lloyd, 2009-10-13; 1 file, -2/+4)
* Change call to system_time to use std::chrono (lloyd, 2009-09-30; 1 file, -2/+4)
* Doxygen (lloyd, 2010-11-02; 1 file, -0/+5)
* Eliminate the constant size_t values in SymmetricAlgorithm that give (lloyd, 2010-10-28; 1 file, -1/+1)
  the parameters of the key length. Instead define a new function which returns a simple object which contains this information.
  This definitely breaks backwards compatibility, though only with code that directly manipulates low level objects like BlockCipher*s directly, which is probably relatively rare.
  Also remove some deprecated accessor functions from lookup.h. It turns out block_size_of and output_size_of are being used in the TLS code; I need to remove them from there before I can delete these entirely. Really that didn't make much sense, because they assumed all implementations of a particular algorithm will have the same specifications, which is definitely not necessarily true, especially WRT key length. It is much safer (and probably simpler) to first retrieve an instance of the actual object you are going to use and then ask it directly.
* s/BLOCK_SIZE/block_size()/ (lloyd, 2010-10-13; 2 files, -8/+12)
* Use output_length() instead of OUTPUT_LENGTH pseudo-property (lloyd, 2010-10-13; 2 files, -5/+5)
* Use size_t instead of u32bit in entropy and rng (lloyd, 2010-10-12; 8 files, -48/+48)
* Remove more implicit vector to pointer conversions (lloyd, 2010-09-14; 1 file, -6/+4)
* More changes to avoid vector to pointer implicit conversions (lloyd, 2010-09-14; 2 files, -8/+8)
* Handle the case that container size() returns something other than u32bit (lloyd, 2010-09-14; 3 files, -7/+5)
* More vector->pointer conversion removals. (lloyd, 2010-09-13; 1 file, -0/+7)
  Add RandomNumberGenerator::random_vec, which takes a length n and returns a new SecureVector with randomized contents of that size. This nicely covers most of the cases where randomize was being called on a vector, and is a little cleaner in the code as well; instead of
    vec.resize(length); rng.randomize(&vec[0], vec.size());
  we just write
    vec = rng.random_vec(length);
* Anywhere where we use MemoryRegion::begin to get access to the raw pointer (lloyd, 2010-09-13; 2 files, -2/+2)
  representation (rather than in an iterator context), instead use &buf[0], which works for both MemoryRegion and std::vector.
* Rename MemoryRegion::destroy to MemoryRegion::clear to match STL (lloyd, 2010-09-08; 1 file, -1/+1)
* Big, invasive but mostly automated change, with a further attempt at (lloyd, 2010-09-07; 3 files, -6/+6)
  harmonising MemoryRegion with std::vector: The MemoryRegion::clear() function would zeroise the buffer, but keep the memory allocated and the size unchanged. This is very different from STL's clear(), which is basically the equivalent to what is called destroy() in MemoryRegion. So to be able to replace MemoryRegion with a std::vector, we have to rename destroy() to clear() and we have to expose the current functionality of clear() in some other way, since vector doesn't support this operation. Do so by adding a global function named zeroise() which takes a MemoryRegion which is zeroed. Remove clear() to ensure all callers are updated.
* Yet more Doxygen comments (lloyd, 2010-06-16; 6 files, -32/+50)
* More Doxygen updates/fixes (lloyd, 2010-06-15; 2 files, -2/+5)
* HMAC_RNG handling changes - split up reseed() and add_entropy() (lloyd, 2010-04-27; 2 files, -35/+31)
  entirely. add_entropy() just adds the input into the extractor; if more than 1024 bytes of input have been added by the user since the last reseed, then force a reseed. Until that point, the data simply remains accumulating in the extractor, which is fast and helps ensure a large block of data is input when we finally do reseed.
* Remove add_entropy_vec. Much cleaner way of doing this: add the entire (lloyd, 2010-04-27; 1 file, -3/+0)
  contents of all SSL/TLS handshake messages into the PRNG input.
* Add add_entropy_vec which calls add_entropy on the passed vector. Has (lloyd, 2010-04-23; 1 file, -0/+3)
  to be named differently from add_entropy to deal with odd C++ overloading/virtual rules.
* Don't delete the global RNG in AutoSeeded_RNG's destructor (lloyd, 2010-03-23; 1 file, -1/+0)
* In add_entropy(), additionally poll for 64 bits of system entropy (lloyd, 2010-03-19; 1 file, -15/+20)
  to mix in with the user input.
  Check that the prf and extractor are compatible. For the initial PRF key, use all zeros of the appropriate size, and for the initial XTS key, use PRF("Botan HMAC_RNG XTS"). This ensures that only the one fixed key size is ever used with either the prf or extractor objects, allowing you to use, say HMAC(SHA-256)+CMAC(AES-256), or even CMAC(AES-128)+CMAC(AES-128) as the PRFs in the RNG.
* There are some nasty API problems that are caused by having to pass a (lloyd, 2010-03-19; 3 files, -151/+10)
  PRNG everywhere. The removal of the global PRNG was generated by a desire to remove the global library state entirely. However the real point of this was to remove the use of globally visible _mutable_ state; of the mutable state, the PRNG is probably the least important, and the most useful to share. And it seems unlikely that thread contention would be a major issue in the PRNG.
  Add back a global PRNG to Library_State. Use lazy initialization, so apps that don't ever use a PRNG don't need a seeding step. Then have AutoSeeded_RNG call that global PRNG.
  Offer once again
    RandomNumberGenerator& Library_State::global_rng();
  which returns a reference to the global PRNG. This RNG object serializes access to itself with a mutex.
  Remove the hack known as Blinding::choose_nonce, replace with using the global PRNG to choose a blinding nonce.
* Move the get_byte template to its own header, because many files (lloyd, 2010-02-02; 2 files, -2/+2)
  including loadstor.h actually just needed get_byte and nothing else.
* Use Algorithm_Factory instead of instantiating directly; will allow the use (lloyd, 2010-01-07; 1 file, -10/+14)
  of AES-NI instructions, etc, in the PRNGs.
* Un-internal loadstor.h (and its header deps, rotate.h and (lloyd, 2009-12-21; 2 files, -2/+2)
  bswap.h); too many external apps rely on loadstor.h existing.
  Define 64-bit generic bswap in terms of 32-bit bswap, since it's not much slower if 32-bit is also generic, and much faster if it's not. This may be quite helpful on 32-bit x86 in particular.
  Change formulation of generic 32-bit bswap. It may be faster or slower depending on the CPU, especially the latency and throughput of rotate instructions, but should be faster on an ideally superscalar processor with rotate instructions (ie, what I expect future CPUs to look more like).
* Make many more headers internal-only. (lloyd, 2009-12-16; 3 files, -7/+7)
  Fixes for the amalgamation generator for internal headers.
  Remove BOTAN_DLL exporting macros from all internal-only headers; the classes/functions there don't need to be exported, and avoiding the PIC/GOT indirection can be a big win.
  Add missing BOTAN_DLLs where necessary, mostly gfpmath and cvc.
  For GCC, use -fvisibility=hidden and set BOTAN_DLL to the visibility __attribute__ to export those classes/functions.