aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* Rename mp_amd64_msvc to mp_msvc64 since it supports both AMD64 andlloyd2010-08-253-2/+2
| | | | | IA-64 (and, hypothetically, any other 64 bit CPU Visual C++ might target in the future).
* Add support for Windows-style dynamic loading with LoadLibrary. Notlloyd2010-08-253-8/+32
| | | | yet tested.
* merge of '4c134c636202fe03606cf0825bad22bd5362a224'lloyd2010-08-222-0/+2
|\ | | | | | | and '9e16b5a133480199541647fe245b79b059c9d5ca'
| * Add support for Atom processors.lloyd2010-08-222-0/+2
| | | | | | | | | | | | | | Fix a bug that would cause a harmless but bogus macro to be generated in build.h if you used --enable-sse2 Add --enable-movbe to turn on a macro marking movbe as available
* | For passhash9, add another interface that allows the caller to specifylloyd2010-08-222-14/+35
|/ | | | | | | | | | | which PRF they want to use. The old interface just calls this new version with alg_id set to 0 which is HMAC(SHA-1), which was previously the only supported PRF. Assign new codepoints for HMAC(SHA-256) and CMAC(Blowfish) to allow their use with passhash9. Have the generate+check tests run a test for each supported PRF.
* When creating a PBKDF2, first check if the argument name is a knownlloyd2010-08-211-2/+6
| | | | | | | | | | | | | MAC. If it is, use it as the PRF. Otherwise assume it is a hash function and use it with HMAC. Instead of instantiating the HMAC directly, go through the algorithm factory. Add a test using PBKDF2 with CMAC(Blowfish); Blowfish mainly because it supports arbitrarily large keys, and also the required 4 KiB of sbox tables actually would make it fairly useful in that it would make cracking using hardware or GPUs rather expensive. Have not confirmed this vector against any other implementation because I don't know of any other implementation of PBKDF2 that supports MACs other than HMAC.
* Turns out OpenSSL's implementation of PBKDF2 allows empty passphrases,lloyd2010-08-212-6/+11
| | | | | | | | | | | | | | | | | so for compatability with keys that were encrypted with an empty passphrase we probably want to support it as well. In PBKDF2, don't reject empty passphrases out of hand; simply call set_key and if the underlying MAC cannot use the key, throw an informative exception. This will also be more helpful in the case that someone tries using another MAC (say, CMAC) with a block cipher that only supports keys of specific sizes. In HMAC, allow zero-length keys. This is not really optimal in the sense of allowing the user to do something dumb, but a 1 byte key would be pretty dumb as well and we already allowed that. Add a test vector using an empty passphrase generated by OpenSSL
* Fix paper ref URL, remove unused prefetch includelloyd2010-08-201-5/+9
|
* Also use a smaller table in the first round of AES in the decrypt directionlloyd2010-08-191-9/+19
|
* Use a different idiom for handling the different cases between beinglloyd2010-08-194-45/+48
| | | | | passed a ref and having to allocate a new stream object, a little bit cleaner I think.
* In the first round of AES, use a 256 element table and do thelloyd2010-08-181-9/+28
| | | | | | | | | | | | | rotations in the code. This reduces the number of cache lines potentially accessed in the first round from 64 to 16 (assuming 64 byte cache lines). On average, about 10 cache lines will actually be accessed, assuming a uniform distribution of the inputs, so there definitely is still a timing channel here, just a somewhat smaller one. I experimented with using the 256 element table for all rounds but it reduced performance significantly and I'm not sure if the benefit is worth the cost or not.
* Correct Doxygen commentlloyd2010-08-171-3/+2
|
* Fix Doxygen comment in PBKDF2 constructorlloyd2010-08-131-2/+2
|
* The changelog for 1.9.4 claimed that the default PKCS #8 encryptionlloyd2010-08-131-1/+1
| | | | | | | | | | algorithm had changed to AES-256. This was wrong, it actually changed to AES-128. However in retrospect AES-256 is probably a reasonable move (in particular for the 4 extra rounds; the related key attacks possible against AES-256 are probably not viable since we generate the key using PBKDF2), so update the 1.9.4 changelog to correctly indicate the change made in that release, and also modify PKCS #8 to actually use AES-256.
* Add also AES-192 using SSSE3lloyd2010-08-123-23/+151
|
* Support AES-256 is the SSSE3 implementationlloyd2010-08-123-5/+95
|
* Use _mm_set_epi32 instead of _mm_set_epi64x - VC++ obnoxiously onlylloyd2010-08-112-79/+79
| | | | supports epi64x in 64-bit mode.
* Remove use of -ansi; it's not particularly helpful anyway, and itlloyd2010-08-111-1/+1
| | | | causes obnoxious problems under MinGW.
* Workaround problem with GCC 3 - it doesn't like you casting pointerslloyd2010-08-101-0/+4
| | | | | | to pointers-to-functions (which, admittedly, is undefined in ISO C++, but doing this is required to use dlopen). Using the dumb hammer of a C-style cast works, though.
* Add Filter::name implementationlloyd2010-08-101-0/+2
|
* Typo fixeslloyd2010-08-101-2/+2
|
* In 1.9.9 I moved the cryptobox functions out of the CryptoBoxlloyd2010-08-102-11/+22
| | | | | | | namespace, but this causes backwards compat problems, since cryptobox is already in 1.8, and also it's likely that other functions along these lines will be useful at some point (eg using RSA encryption instead of a passphrase for the key transfer).
* Only enable aes_ssse3 when compiling with GCC or Clang. For some dumbasslloyd2010-08-091-0/+7
| | | | | | | | | | | | | | | reasons, Intel C++ rejects const __m128i foo = _mm_set_epi64x(...) though it will accept if you use one of the _mm_set1 variants. And Visual C++ doesn't know about _mm_set_epi64x() in 32-bit mode for similarly dumb reasons - it works fine compiling for 64 bit but for whatever reason they don't offer this function when compiling as 32 bit. Unfortunately there isn't a good way to specify it's OK with a particular compiler with one arch but not another, so just disable it globally for the time being. The workaround for VC++ is probably to use _mm_set_epi32 and break up the input values into 32 bit chunks. ICC is a lost cause I fear.
* Clang supports -marchlloyd2010-08-091-0/+4
|
* Add an implementation of AES-128 using SSSE3 instructions. It runs inlloyd2010-08-094-0/+463
| | | | | | | | | | | | | | | constant time and on a Nehalem is significantly faster than the table based version. This implementation technique was invented by Mike Hamburg and described in a paper in CHES 2009 "Accelerating AES with Vector Permute Instructions". This code is basically a translation of his public domain x86-64 assembly code into intrinsics. Todo: Adding support for AES-192 and AES-256; this just requires implementing the key schedules. Currently only tested on an i7 with GCC (32 and 64 bit code); testing/optimization on 32-bit processors with SSSE3 like the Atom, and with Visual C++ and other compilers, are also todos.
* Also allow clang with 32-bit assembly code, everything seems to worklloyd2010-08-088-94/+20
| | | | fine with latest SVN.
* Clang understands at least some GCC inline asm syntax as well as whatlloyd2010-08-083-0/+3
| | | | an .S file is, so allow it for x86-64. Tested/works with Clang SVN.
* Identify a i7-860 as Nehalemlloyd2010-08-081-0/+1
|
* If we can't access cpuid, but we know that we are compiling forlloyd2010-08-081-0/+9
| | | | | | x86-64, then enable SSE2 anyway because we know any x86-64 processor does have SSE2, and the OS has to support it because it's part of the standard ABIs.
* Use clang++ instead of clang for the compiler driver, otherwise linklloyd2010-08-081-1/+1
| | | | errors can result due to not getting the C++ runtime library.
* Clang fixlloyd2010-08-081-0/+1
|
* Fix return value for set_global_state_unless_setlloyd2010-08-081-0/+3
|
* Move the functions that directly manipulate the global state singletonlloyd2010-08-066-67/+165
| | | | | | | | | | | into global_state.{h,cpp}. Move all of the functions into a new namespace Global_State_Management, though exposing global_state() into the Botan namespace for compatability. Also add new functions global_state_exists and set_global_state_unless_set which may be helpful in certain tricky initialization scenarios (eg when an application using botan also uses a library which may or may not itself use botan).
* merge of '28d57385c0f1a9a2665288ce728e8b3231634f59'lloyd2010-08-035-8/+42
|\ | | | | | | and 'a4d88442d5f6b8554234c7f7468856868919b614'
| * Forbid copying an Algorithm_Factory; could easily cause double-delete,lloyd2010-07-301-0/+4
| | | | | | | | | | | | | | | | | | | | especially in a multithreaded environment, and doesn't seem like a useful operation to support. (In principle, we could support this by adding a clone() call to Algorithm_Cache, which would in turn call clone on each of it's held prototype objects, plus adding a clone to Engine. Doesn't seem worth the bother, though.
| * Change the benchmark code to also take a buf_size, instead of using hardcodedlloyd2010-07-302-7/+28
| | | | | | | | | | | | | | | | 16 KiB buffer. Also reorder the parameters to make somewhat more sense, with the first arguments being totally mandatory and the later ones potentially optional. Provide inlined version matching the old interface that just forwards to the new call, marking it as deprecated.
| * If dynamic loading fails, include result of dlerror() in the exception msglloyd2010-07-301-1/+8
| |
| * Add name() function to DataSource_Stream for Filter interfacelloyd2010-07-301-0/+2
| |
* | We've already predeclared Engine at the start of the header, so nolloyd2010-07-291-4/+4
|/ | | | reason to say `class Engine*` later on.
* Restrict dyn_load to platforms where it might theoretically work:lloyd2010-07-281-0/+9
| | | | | | | | Linux, Solaris, and the BSDs. Solaris and BSD are untested, but it seems like they should work. Using libdl on Solaris is seemingly only required in Solaris 9 and earlier, but 10 has a stub library so it should work there as well.
* Remove redundant setting for adding libdl link on Linux in dyn_engine;lloyd2010-07-281-4/+0
| | | | | it relies on dyn_load which should be the sole source for this kind of stuff, since dyn_engine itself does not touch the OS level APIs.
* Add a version info function which returns a u32bit. The currentlylloyd2010-07-281-1/+12
| | | | | expected value is 20100728 (ie, today). This will allow for checking for and/or working around changes to interfaces.
* Expose Algorithm_Factory::clear_caches which clears out all of thelloyd2010-07-272-1/+10
| | | | | caches; this might be useful for applications which are, say, particularly sensitive to memory usage.
* There was an interesting bug affecting dynamically loaded engines.lloyd2010-07-272-4/+14
| | | | | | | | | | | | | | | | | | | | | | | The library initializer runs some self tests; this brings objects for a few select types (AES, SHA-1, etc) into the caches. Later on, when we add a dynamic engine, the engines aren't requeried because the cache has hits. So, for instance an dlopen'ed engine that provided AES-128 would not actually be used unless you called on the algo factory with a provider of "blah" - even using set_preferred_provider would have no effect, because that's just a request. Add a new function to Algorithm_Cache, clear_cache, which just deletes everything that is currently loaded (this is 90% of the destructor). Then call this on each cache in Algorithm_Factory when a new Engine is loaded. In normal use, this should be very fast because on init the engines are loaded one after another so clear_cache() won't do much work at all, but it ensures that if you load an engine later on in runtime it will always be found. It does have the downside that the app will then requery each Engine for each new algo after this point, but I think typically loading a dynamic engine will happen very early on so this won't be too much of a hassle. (And even if it happens in the middle of execution, everything still works, it just means some overhead the first time you ask for algo X).
* In Algorithm_Factory, delete the Engines after deleting the cacheslloyd2010-07-271-2/+2
| | | | | | | | rather than before. Otherwise, we run into a problem with dynamically loaded engines: the engine will be deleted (and thus, the external library unloaded), before calling the destructors on any objects which may have been cached, so we jump to a now invalid address instead of the destructor code.
* Add a new utility class Dynamically_Loaded_Library which wraps aroundlloyd2010-07-277-0/+308
| | | | | | | | | | the system dynamic linker (if any). Currently it only supports dlopen, and is only enabled on Linux. It will almost certainly work on BSDs and Solaris as well, though, and should be easy to extend to support Win32-style dynamic loading. Also add a new engine, Dynamically_Loaded_Engine, which loads up a new Engine object from a shared library/DLL.
* Rename Default_Engine to Core_Engine which describes its purposeslloyd2010-07-2713-38/+36
| | | | (slightly) better.
* merge of '17389a973545d2f8e25813894cdd2da1b01aa534'lloyd2010-07-275-56/+76
|\ | | | | | | and 'ada4c9893d70affd8934ab9664e390087feab3c9'
| * Oops, bad GCC version check herelloyd2010-07-271-1/+1
| |
| * Add support in CPUID for detecting PCMULUDQ and MOVBE instructions.lloyd2010-07-272-5/+19
| | | | | | | | Rename CPUID::has_aes_intel to has_aes_ni.