path: root/src/lib/modes/aead
Commit log (each entry: commit message; author, date, files changed, lines -removed/+added; commit body below)

* Make ssse3/sse2 dependencies explicit rather than implicit
  Jack Lloyd, 2019-09-04, 2 files, -0/+3
  Previously --disable-sse2/--disable-ssse3 would not work as expected

* Remove another malloc+free per GCM message overhead
  Jack Lloyd, 2019-07-05, 1 file, -3/+4

* Avoid allocations during GCM message processing
  Jack Lloyd, 2019-07-05, 4 files, -23/+41
  On Skylake with 1024 byte buffer brings perf from 2.69 cpb to 2.2 cpb. And over 50% improvement for small messages.

* Make the ISA list a list
  Jack Lloyd, 2019-04-17, 3 files, -3/+9

* Rename Integrity_Failure to Invalid_Authentication_Tag
  Jack Lloyd, 2019-01-18, 6 files, -6/+6
  This makes the meaning and usage more clear. Add a specific error type so invalid tags can be distinguished without having to catch that specific type. See also #1813

* Make significant_words const time also
  Jack Lloyd, 2018-12-23, 1 file, -3/+3
  Only used in one place, where const time doesn't matter, but can't hurt. Remove low_bit, can be replaced by ctz.

* Make exceptions easier to translate to error codes
  Jack Lloyd, 2018-11-23, 1 file, -1/+1
  Avoid throwing base Botan::Exception type, as it is difficult to determine what the error is in that case. Add Exception::error_code and Exception::error_type which allows (for error code) more information about the error and (for error type) allows knowing the error type without requiring a sequence of catches. See GH #1742

* Ensure this works even if par mult param is set to 1
  Jack Lloyd, 2018-11-02, 1 file, -1/+1
  As this parameter is technically a user configurable toggle.

* Fixed an issue where update_granularity is equal to tag_size in GCM mode, which will cause incremental decoding to fail in ffi.
  chux0519, 2018-11-01, 1 file, -1/+1
  related code (ffi_cipher.cpp):

```cpp
BOTAN_ASSERT(cipher.update_granularity() > cipher.minimum_final_size(), "logic error");
```
* Handle setting AD after a nonce correctly in AEADs
  Jack Lloyd, 2018-10-31, 3 files, -3/+11
  In some cases (EAX, GCM, ChaCha20Poly1305) the mode does not handle this. However previously it handled it incorrectly by producing incorrect output. Instead reject it with an exception.

  Add a test that, if the mode accepts an AD before the nonce, then it must process the message correctly. This is similar to the existing test that if the mode accepts an AD before the key is set it must do the right thing with it.

* Fix some warnings in ARM specific code
  Jack Lloyd, 2018-10-01, 1 file, -16/+22

* Fix some MSVC warnings
  Jack Lloyd, 2018-09-30, 1 file, -3/+3

* Remove unneeded load_on auto
  Jack Lloyd, 2018-09-04, 1 file, -2/+0
  It is the default...

* In EAX, CCM, OCB verify nonce is set before processing
  Jack Lloyd, 2018-08-17, 3 files, -1/+9

* Fix an EAX bug in reset()
  Jack Lloyd, 2018-08-17, 1 file, -0/+8
  It failed to reset any data that had been fed into CMAC so far, so a sequence with

    eax->set_key(key);
    eax->start(nonce);
    eax->process(discarded_bits);
    eax->reset();
    eax->start(second_nonce);
    eax->process(second_msg);

  would produce incorrect results

* GHASH should check the nonce size
  Jack Lloyd, 2018-08-10, 1 file, -0/+1

* Fix GCM bug: would accept AD without being keyed if AD was empty
  Jack Lloyd, 2018-08-09, 1 file, -2/+2

* Add StreamCipher::write_keystream
  Jack Lloyd, 2018-08-08, 1 file, -4/+4
  Avoids the XOR operation. Only implemented for ChaCha20 currently, everything else defaults to memset-to-zero + xor-cipher

* Add support for XChaCha20Poly1305
  Jack Lloyd, 2018-08-07, 3 files, -5/+6

* Fix crashes when modes were used unkeyed.
  Jack Lloyd, 2018-08-05, 5 files, -6/+25
  Fix crashes in OCB, GCM and CFB when called without a key being set.
* GHASH - use explicit function to check for key being set
  Jack Lloyd, 2018-07-25, 1 file, -1/+1

* Fix error in CCM when L=8
  Jack Lloyd, 2018-07-18, 2 files, -6/+7
  GH #1631

* Prohibit empty nonces with GCM
  Jack Lloyd, 2018-06-27, 2 files, -3/+9
  This is mostly harmless but not allowed by the specification. See for example SP800-38D section 5.2.1.1

* Add message to BOTAN_ARG_CHECK and use it more widely
  Jack Lloyd, 2018-05-13, 3 files, -13/+15

* Add RAII versions of get_cipher_mode and get_aead
  Jack Lloyd, 2018-04-07, 2 files, -20/+59
  See also #1526

* Minor tweaks for coverage
  Jack Lloyd, 2018-03-10, 1 file, -2/+1

* ABI for Aarch64 crypto
  Jack Lloyd, 2018-01-12, 1 file, -3/+1

* Make stream, block, hash and cipher mode base classes optional
  Jack Lloyd, 2018-01-12, 3 files, -0/+6

* Increase EAX update granularity to 128 bytes.
  Jack Lloyd, 2017-12-30, 1 file, -1/+5
  Works around a performance problem with applications that use this as a buffer size. Longer term fix is to have two different functions, one for the minimum grain size and another for the optimum buffer size. GH #1377
* Minor SIV/CMAC optimizations
  Jack Lloyd, 2017-11-02, 1 file, -3/+6

* Add checks that keyed algorithms are actually keyed before use
  Jack Lloyd, 2017-10-26, 1 file, -1/+1
  Previously calling update or encrypt without calling set_key first would result in invalid outputs or else crashing.

* Convert http:// links to https:// where possible
  Jack Lloyd, 2017-10-24, 1 file, -1/+1

* Fix for 32-bit Windows
  Jack Lloyd, 2017-10-20, 1 file, -4/+4
  The buffer is not aligned :/

* Add GHASH using SSSE3
  Jack Lloyd, 2017-10-20, 4 files, -2/+105
  About 30% faster than scalar on Skylake

* Remove unused variable
  Jack Lloyd, 2017-10-19, 1 file, -1/+1

* PMULL optimizations
  Jack Lloyd, 2017-10-18, 3 files, -61/+192

* Further optimizations, and split out GHASH reduction code
  Jack Lloyd, 2017-10-18, 2 files, -79/+46

* GCM and CTR optimizations
  Jack Lloyd, 2017-10-18, 6 files, -319/+508
  In CTR, special case for counter widths of special interest.

  In GHASH, uses a 4x reduction technique suggested by Intel. Split out GHASH to its own source file and header.

  With these changes GCM is over twice as fast on Skylake and about 50% faster on Westmere.

* Further GCM optimizations
  Jack Lloyd, 2017-10-13, 1 file, -17/+27
  Went from 27 to 20 cycles per byte on Skylake (with clmul disabled)

* Optimize GCM
  Jack Lloyd, 2017-10-13, 6 files, -151/+215
  By allowing multiple blocks for clmul, slight speedup there though still far behind optimum.

  Precompute a table of multiples of H, 3-4x faster on systems without clmul (and still no secret indexes).

  Refactor GMAC to not derive from GHASH

* OCB optimizations
  Jack Lloyd, 2017-10-13, 2 files, -58/+90
  With fast AES-NI, gets down to about 2 cycles per byte which is pretty good compared to the ~5.5 cpb of 2.3, still a long way off the best stitched impls which run at ~0.6 cpb.

* OCB optimizations
  Jack Lloyd, 2017-10-12, 2 files, -48/+52
  From ~5 cpb to ~2.5 cpb on Skylake
* Helpful comment
  Jack Lloyd, 2017-10-11, 1 file, -1/+2

* Address some MSVC warnings
  Jack Lloyd, 2017-09-30, 1 file, -1/+1

* Make poly_dbl.h a submodule of utils
  Jack Lloyd, 2017-09-27, 2 files, -0/+5
  Only required by a few modules and if none of them are in use then the whole thing can just be skipped from the build.

* Avoid debug iterator error
  Jack Lloyd, 2017-09-24, 1 file, -6/+12

* Test SIV multi-AD function
  Jack Lloyd, 2017-09-24, 1 file, -2/+2

* Better tests for SIV
  Jack Lloyd, 2017-09-24, 2 files, -22/+33
  Correct errors in the AEAD tests that assumed process/update always return something - that isn't true for SIV

  Minor optimizations in CMAC and CTR to cache the block size instead of making a zillion virtual calls for it.

  Generalize SIV slightly to where it could support a non-128 bit cipher, but don't pull the trigger on it since I can't find any implementations to crosscheck with.

* Further build/test fixes for restricted configurations
  Jack Lloyd, 2017-09-24, 2 files, -1/+8

* Apply final annotations to the library also
  Jack Lloyd, 2017-09-22, 1 file, -1/+1
  Done by a perl script which converted all classes to final, followed by selective reversion where it caused compilation failures.