| Commit message | Author | Age | Files | Lines |
| |
Previously --disable-sse2/--disable-ssse3 would not work as expected
| |
On Skylake with 1024 byte buffer brings perf from 2.69 cpb to 2.2 cpb.
And over 50% improvement for small messages.
| |
This makes the meaning and usage more clear.
Add a specific error type so invalid tags can be distinguished without
having to catch that specific type.
See also #1813
| |
Only used in one place, where const time doesn't matter, but can't hurt.
Remove low_bit, can be replaced by ctz.
| |
Avoid throwing base Botan::Exception type, as it is difficult to
determine what the error is in that case.
Add Exception::error_code and Exception::error_type which allows
(for error code) more information about the error and (for error type)
allows knowing the error type without requiring a sequence of catches.
See GH #1742
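The two messages above describe one API change: a distinct exception type for tag failures, and an error_type()/error_code() pair on the base exception so a caller can classify a failure from a single catch on the base class. The block below is an added illustration of that pattern, not Botan's own headers (which this log page does not reproduce); the enum values, the class names, and the check_tag() and check_key_length() helpers are assumptions chosen to mirror the wording of the commit messages.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <stdexcept>
#include <string>
#include <vector>

// Illustrative hierarchy (example code, not Botan's headers): the base type
// carries a category, so a caller can branch on error_type() after catching the
// base class instead of writing one catch clause per subclass. error_code() is
// reserved for a numeric code from an OS or underlying library, 0 when none.
enum class ErrorType : uint8_t { Unknown = 0, InvalidAuthenticationTag, InvalidKeyLength };

class Exception : public std::runtime_error {
public:
    Exception(const std::string& msg, ErrorType type = ErrorType::Unknown, int code = 0)
        : std::runtime_error(msg), m_type(type), m_code(code) {}
    ErrorType error_type() const { return m_type; }
    int error_code() const { return m_code; }
private:
    ErrorType m_type;
    int m_code;
};

class Invalid_Authentication_Tag : public Exception {
public:
    explicit Invalid_Authentication_Tag(const std::string& where)
        : Exception("Invalid authentication tag in " + where, ErrorType::InvalidAuthenticationTag) {}
};

class Invalid_Key_Length : public Exception {
public:
    Invalid_Key_Length(const std::string& algo, size_t len)
        : Exception(algo + " cannot accept a key of length " + std::to_string(len), ErrorType::InvalidKeyLength) {}
};

// Constant-time comparison so a forged tag cannot be confirmed byte by byte.
bool same_mem(const std::vector<uint8_t>& a, const std::vector<uint8_t>& b) {
    if (a.size() != b.size()) return false;
    uint8_t diff = 0;
    for (size_t i = 0; i < a.size(); ++i) diff |= static_cast<uint8_t>(a[i] ^ b[i]);
    return diff == 0;
}

// What an AEAD finish() does with the tag it computed and the tag read from the
// ciphertext: reject with the specific type instead of a bare Exception.
void check_tag(const std::vector<uint8_t>& computed, const std::vector<uint8_t>& received, const std::string& mode) {
    if (!same_mem(computed, received)) throw Invalid_Authentication_Tag(mode);
}

void check_key_length(const std::string& algo, size_t len, size_t min_len, size_t max_len) {
    if (len < min_len || len > max_len) throw Invalid_Key_Length(algo, len);
}

// Run op; if it threw a library Exception, store its category in `type` and return true.
bool classify(const std::function<void()>& op, ErrorType& type) {
    try {
        op();
        return false;
    } catch (const Exception& e) {  // one clause covers every subclass
        type = e.error_type();
        return true;
    }
}

// Category only; Unknown when op succeeded or threw a base Exception without a type.
ErrorType error_type_of(const std::function<void()>& op) {
    ErrorType t = ErrorType::Unknown;
    classify(op, t);
    return t;
}

int main() {
    const std::vector<uint8_t> good{0xde, 0xad, 0xbe, 0xef}, forged{0xde, 0xad, 0xbe, 0xee};  // constructed
    switch (error_type_of([&] { check_tag(good, forged, "AES-128/GCM"); })) {
        case ErrorType::InvalidAuthenticationTag: std::puts("tag mismatch: forgery or corruption"); break;
        case ErrorType::InvalidKeyLength:         std::puts("caller bug: wrong key size"); break;
        default:                                  std::puts("no library error"); break;
    }
    return 0;
}
```

The point of the switch in main() is the one the messages make: a tag mismatch (hostile or corrupted input) and a wrong key size (a caller bug) come out of the same catch clause but are told apart by error_type(), without a catch ladder ordered from most to least derived.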
| |
As this parameter is technically a user-configurable toggle.
| |
which will cause incremental decoding to fail in ffi.
related code (ffi_cipher.cpp):
```cpp
BOTAN_ASSERT(cipher.update_granularity() > cipher.minimum_final_size(), "logic error");
```
| |
In some cases (EAX, GCM, ChaCha20Poly1305) the mode does not
handle this. However previously it handled it incorrectly by producing
incorrect output. Instead reject it with an exception.
Add a test that, if the mode accepts an AD before the nonce, then it
must process the message correctly. This is similar to the existing
test that if the mode accepts an AD before the key is set it must
do the right thing with it.
| |
It is the default...
| |
It failed to reset any data that had been fed into CMAC so far,
so a sequence with
```cpp
eax->set_key(key);
eax->start(nonce);
eax->process(discarded_bits);
eax->reset();
eax->start(second_nonce);
eax->process(second_msg);
```
would produce incorrect results
| |
Avoids the XOR operation. Only implemented for ChaCha20 currently,
everything else defaults to memset-to-zero + xor-cipher
| |
Fix crashes in OCB, GCM and CFB when called without a key being set.
| |
GH #1631
| |
This is mostly harmless but not allowed by the specification.
See for example SP800-38D section 5.2.1.1
| |
See also #1526
| |
Works around a performance problem with applications that use this
as a buffer size.
Longer term fix is to have two different functions, one for the
minimum grain size and another for the optimum buffer size.
GH #1377
| |
Previously calling update or encrypt without calling set_key first
would result in invalid outputs or else crashing.
| |
The buffer is not aligned :/
| |
About 30% faster than scalar on Skylake
| |
In CTR, special case for counter widths of special interest.
In GHASH, uses a 4x reduction technique suggested by Intel.
Split out GHASH to its own source file and header.
With these changes GCM is over twice as fast on Skylake and about
50% faster on Westmere.
| |
Went from 27 to 20 cycles per byte on Skylake (with clmul disabled)
| |
By allowing multiple blocks for clmul, slight speedup there though still
far behind optimum.
Precompute a table of multiples of H, 3-4x faster on systems without clmul
(and still no secret indexes).
Refactor GMAC to not derive from GHASH
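Added example, not Botan's source: a small GHASH in the style of the table-based multiply the message above describes (H * x^i precomputed once at key setup; the secret bits of the operand select masks, never table indexes), checked against test case 2 of the GCM specification (H = 66e94bd4ef8a2c3b884cfa59ca342b2e, C = 0388dace60b6a392f328c2b971b2fe78, GHASH = f38cbb1ad69223dcc3457ae5b6b0f885). It also carries a reset() so that the invariant behind the EAX/CMAC reset fix earlier in this log can be checked on it: key, absorb junk, reset, absorb msg must equal a fresh object absorbing msg, and a reset() that keeps the accumulator (the clear_on_reset=false flag, an assumption added here to reproduce that bug class) fails the check. Class and function names are this example's own.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

using Block = std::array<uint8_t, 16>;

// Illustrative GHASH (example code, not Botan's). Multiplication by H uses a precomputed
// table of H * x^i: the index is always the loop counter, secret bits only select a mask.
class Ghash {
public:
    // clear_on_reset=false reproduces the EAX/CMAC bug class: reset() forgets to discard absorbed data.
    explicit Ghash(const Block& H, bool clear_on_reset = true)
        : m_clear_on_reset(clear_on_reset) { set_key(H); }

    void set_key(const Block& H) {
        Block cur = H;
        for (size_t i = 0; i < 128; ++i) {  // m_table[i] = H * x^i
            m_table[i] = cur;
            cur = mul_x(cur);
        }
        m_X.fill(0);
    }
    // Absorb one 16-byte block: X = (X xor B) * H
    void update(const Block& B) {
        for (size_t i = 0; i < 16; ++i) m_X[i] ^= B[i];
        m_X = mul_H(m_X);
    }
    Block result() const { return m_X; }
    // Must return the object to the state it had right after set_key()
    void reset() { if (m_clear_on_reset) m_X.fill(0); }

private:
    // Multiply by x in GCM's bit ordering: shift the 128-bit string one place right;
    // if the bit that falls off was set, reduce by R = 0xE1 || 0^120 (masked, not branched).
    static Block mul_x(const Block& v) {
        Block out{};
        uint8_t carry = 0;
        for (size_t j = 0; j < 16; ++j) {
            out[j] = static_cast<uint8_t>((v[j] >> 1) | carry);
            carry = static_cast<uint8_t>((v[j] & 1u) << 7);
        }
        const unsigned dropped = v[15] & 1u;
        out[0] ^= static_cast<uint8_t>(0xE1u & (0u - dropped));
        return out;
    }
    // Z = X * H = XOR of m_table[i] over the bit positions i that are set in X.
    Block mul_H(const Block& X) const {
        Block Z{};
        for (size_t i = 0; i < 128; ++i) {
            const unsigned bit = (X[i / 8] >> (7 - (i % 8))) & 1u;  // bit 0 = MSB of byte 0
            const uint8_t mask = static_cast<uint8_t>(0u - bit);
            for (size_t j = 0; j < 16; ++j) Z[j] ^= static_cast<uint8_t>(m_table[i][j] & mask);
        }
        return Z;
    }

    std::array<Block, 128> m_table{};
    Block m_X{};
    bool m_clear_on_reset;
};

Block from_hex(const std::string& s) {
    Block b{};
    for (size_t i = 0; i < 16; ++i) b[i] = static_cast<uint8_t>(std::stoul(s.substr(2 * i, 2), nullptr, 16));
    return b;
}

std::string to_hex(const Block& b) {
    static const char digits[] = "0123456789abcdef";
    std::string s;
    for (uint8_t v : b) { s += digits[v >> 4]; s += digits[v & 15]; }
    return s;
}

// GHASH over whole 16-byte blocks; the caller appends the len(A) || len(C) block itself.
std::string ghash_hex(const std::string& H_hex, const std::vector<std::string>& blocks_hex) {
    Ghash g(from_hex(H_hex));
    for (const auto& b : blocks_hex) g.update(from_hex(b));
    return to_hex(g.result());
}

// Reset invariant: key, absorb junk, reset, absorb msg must equal a fresh object absorbing msg.
bool reset_matches_fresh(bool clear_on_reset) {
    const Block H = from_hex("66e94bd4ef8a2c3b884cfa59ca342b2e");
    const Block junk = from_hex("ffffffffffffffffffffffffffffffff");  // constructed junk input
    const Block msg = from_hex("0388dace60b6a392f328c2b971b2fe78");
    Ghash reused(H, clear_on_reset); reused.update(junk); reused.reset(); reused.update(msg);
    Ghash fresh(H); fresh.update(msg);
    return reused.result() == fresh.result();
}

int main() {
    // GCM spec test case 2 (K = 0^128, IV = 0^96, P = 0^128): expect f38cbb1ad69223dcc3457ae5b6b0f885
    std::printf("GHASH = %s\n", ghash_hex("66e94bd4ef8a2c3b884cfa59ca342b2e",
        {"0388dace60b6a392f328c2b971b2fe78", "00000000000000000000000000000080"}).c_str());
    std::printf("reset: correct=%d buggy=%d\n", reset_matches_fresh(true), reset_matches_fresh(false));
    return 0;
}
```

A full GCM tag would still XOR this GHASH output with E_K(J0); the block stops at the universal hash because that is the part the table trick applies to. The inner loop touches all 128 table entries on every multiply regardless of the operand, which is what "no secret indexes" buys at the cost of being far slower than a clmul path.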
| |
With fast AES-NI, gets down to about 2 cycles per byte which is
pretty good compared to the ~5.5 cpb of 2.3, still a long way off
the best stitched impls which run at ~0.6 cpb.
| |
From ~5 cpb to ~2.5 cpb on Skylake
| |
Only required by a few modules and if none of them are in use
then the whole thing can just be skipped from the build.
| |
Correct errors in the AEAD tests that assumed process/update always
return something - that isn't true for SIV
Minor optimizations in CMAC and CTR to cache the block size instead
of making a zillion virtual calls for it.
Generalize SIV slightly to where it could support a non-128 bit
cipher, but don't pull the trigger on it since I can't find any
implementations to crosscheck with.
| |
Done by a perl script which converted all classes to final, followed
by selective reversion where it caused compilation failures.