| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
| |
Based on VC2017 output
|
|
|
|
|
|
|
|
|
| |
Now does 64-bits at a time instead of 8 bits, and avoids conditional
timing channel on the XOR carry. Confirmed that at least GCC 7 and
Clang 4 on x86-64 compile the functions without conditional jumps.
Also removes CMAC as a dependency of OCB, which only needed it in
order to call CMAC::poly_double
|
| |
|
|
|
|
| |
Otherwise we just SIGSEGV.
|
|
|
|
|
|
| |
Allow an empty nonce to mean "continue using the current cipher state".
GH #864
|
|
|
|
|
|
| |
Use the OpenSSL provider to implement AES CBC mode. Also pass down
the provider to the encryption layer if there is no matching OpenSSL
mode. Add a test with empty nonce.
|
|
|
|
|
|
|
|
|
| |
* fixes for deprecated constructions in c++11 and later (explicit rule of 3/5 or implicit rule of 0 and other violations)
* `default` specifier instead of `{}` in some places(probably all)
* removal of unreachable code (for example `return` after `throw`)
* removal of compilation unit only visible, but not used functions
* fix for `throw()` specifier - used instead `BOTAN_NOEXCEPT`
* removed not needed semicolons
|
| |
|
|
|
|
|
|
| |
Renames a couple of functions for somewhat better name consistency,
eg make_u32bit becomes make_uint32. The old typedefs remain for now
since probably lots of application code uses them.
|
| |
|
|
|
|
|
|
| |
The unpad functions return the blocksize as padding position, if the padding is invalid.
.
|
|
|
|
|
|
|
| |
Not a good thing to offer at this level. If you know what you
are doing for the strange special case where it is necessary,
the raw BlockCipher interface is available and probably more
convenient.
|
| |
|
|
|
|
|
|
|
| |
AEAD::output_length)
Fix a bug in CCM, GCM, and OCB decryption which caused `output_length(tag_size())`
to fail even though empty plaintexts are certainly defined for all three modes.
|
| |
|
| |
|
| |
|
|
|
|
|
| |
ESP padding is one of the recommended padding
methods from BSI-TR-02102-1.
|
|
|
|
|
|
|
|
|
|
|
|
| |
See PR #552
- Add Cipher_Mode::reset() which resets just the message specific state and allows encrypting again under the existing key
- In Cipher_Mode::clear() (at some planes) use cipher->clear() instead of resetting the pointer which would make the cipher object unusable
- EAX_Decryption::output_length() bugfix?! Now its possible to decrypt an empty ciphertext (just a tag)
- Bugfix for GCM_Decryption::finish()
- set tag length in GCM_Mode::name()
- Cipher_Mode tests: add tests for reset()and process()
- AEAD_Mode tests: add tests for reset(), clear(), update() and process()
|
|
|
|
|
| |
Adds support for Galois Message Authentication Code calculation based on
GHASH, rather than GCM_Mode.
|
|
|
|
|
|
| |
- Added GMAC class
- Integrated GMAC into MAC-Class test bench. Run GMAC tests using
./botan-test mac
|
|
|
|
|
|
| |
This required taking a global lock and doing a map lookup each
time an algorithm was requested (and so many times during a TLS
handshake).
|
|
|
|
|
|
|
| |
I repent my use of global constructors.
I repent my use of global locks.
Hopefully I will never touch this code again.
:)
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
Also emit `#pragma GCC target` in the ISA specific amalgamation files.
This allows compiling without any special compiler flags, at least
with GCC 6.2 and Clang 3.8. The ISA annotations are ignored in MSVC,
which just emits whatever instruction the intrinsic requires.
|
| |
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The Cipher_Mode::update API is more general than needed to just
support ciphers (this is due to it previously being an API of
Transform which before 8b85b780515 was Cipher_Mode's base class)
Define a less general interface `process` which either processes the
blocks in-place, producing exactly as much output as there was input,
or (SIV/CCM case) saves the entire message for processing in `finish`.
These two uses cover all current or anticipated cipher modes.
Leaves `update` for compatability with existing callers; all that is
needed is an inline function forwarding to `process`.
Removes the return type from `start` - in all cipher implementations,
this always returned an empty vector.
Adds BOTAN_ARG_CHECK macro; right now BOTAN_ASSERT is being used
for argument checking in some places, which is not right at all.
|
| | |
|
|/
|
|
|
| |
For block ciphers, stream ciphers, hashes, MACs, and cipher modes.
Cipher_Mode already had it, with a slightly different usage.
|
|
|
|
|
|
|
|
|
|
|
| |
Exports get_bc_pad() to be used from tests. Adds separate handcrafted
tests for block cipher padding modes. They were previously only tested
implicitly during the block cipher modes of operation tests, though not
all padding modes were covered. And in case a mode of operation is
not part of the enabled modules, the previously tested padding modes
are not covered at all. Fixes an off-by-one bug in the previously
untested ANSI X9.23 padding mode, where the number of zero bytes
in the pad was one more than allowed by the standard.
|
|
|
|
|
|
|
|
|
| |
GCM is defined as having a 32-bit counter, but CTR_BE incremented the
counter across the entire block. This caused incorrect results if
a very large message (2**39 bits) was processed, or if the GHASH
derived nonce ended up having a counter field near to 2**32
Thanks to Juraj Somorovsky for the bug report and repro.
|
|
|
|
| |
warnings.
|
|
|
|
| |
compiler warnings
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With sufficient squinting, Transform provided an abstract base
interface that covered both cipher modes and compression algorithms.
However it mapped on neither of them particularly well. In addition
this API had the same problem that has made me dislike the Pipe/Filter
API: given a Transform&, what does it do when you put bits in? Maybe
it encrypts. Maybe it compresses. It's a floor wax and a dessert topping!
Currently the Cipher_Mode interface is left mostly unchanged, with the
APIs previously on Transform just moved down the type hierarchy. I
think there are some definite improvements possible here, wrt handling
of in-place encryption, but left for a later commit.
The compression API is split into two types, Compression_Algorithm and
Decompression_Algorithm. Compression_Algorithm's start() call takes
the compression level, allowing varying compressions with a single
object. And flushing the compression state is moved to a bool param on
`Compression_Algorithm::update`. All the nonsense WRT compression
algorithms having zero length nonces, input granularity rules, etc
as a result of using the Transform interface goes away.
|
|
|
|
|
| |
If the input lengths are exact multiples of 16 bytes then no padding
should be added. Previously 16 bytes of zero padding were added instead.
|
|
|
|
| |
explicit.
|
|
|
|
|
|
|
| |
In some cases this can offer better optimization, via devirtualization.
And it lets the user know the class is not intended for derivation.
Some discussion in GH #402
|
| |
|
|
|
|
|
|
|
|
| |
As the alternatives are unfortunate for applications trying to catch
all library errors, and it seems deriving from std::runtime_error
causes problems with MSVC DLLs (GH #340)
Effectively reverts 2837e915d82e43
|
|
|
|
| |
Checked with ctgrind
|
| |
|
| |
|
| |
|
|
|
|
| |
Only user-visible change is the removal of get_byte.h
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously we were hanging on the type destructors to pull in
the relevant objects. However that fails in many simple cases
where the object is never deleted.
For every type involved in the algo registry add static create
and providers functions to access the algo registry. Modify
lookup.h to be inline and call those functions, and move
a few to sub-headers (eg, get_pbkdf going to pbkdf.h). So
accessing the registry involves going through the same file
that handles the initialization, so there is no way to end up
with missing objs.
|
| |
|
|
|
|
|
|
| |
defined, so don't fail. Fix XTS, as XTS always uses ciphertext
stealing the value of output_length had been incorrect in rounding up
to the block size.
|