path: root/src/lib/modes
Commit log (each entry gives the commit subject, author, date, number of files changed, and lines removed/added):
* More MSVC warnings fixes (Jack Lloyd, 2017-08-31; 1 file, -2/+3)

* Fix various MSVC warnings (Jack Lloyd, 2017-08-31; 1 file, -6/+6)
  Based on VC2017 output

* Improve polynomial doubling code, move to util (Jack Lloyd, 2017-08-15; 3 files, -9/+8)
  Now does 64-bits at a time instead of 8 bits, and avoids conditional timing channel on the XOR carry. Confirmed that at least GCC 7 and Clang 4 on x86-64 compile the functions without conditional jumps. Also removes CMAC as a dependency of OCB, which only needed it in order to call CMAC::poly_double

* Update OCB ref to RFC, and add new test vectors (Jack Lloyd, 2017-06-12; 1 file, -2/+2)

* Add assertion to ensure key is set in OCB_Encryption::encrypt. (Daniel Wyatt, 2017-06-09; 1 file, -0/+2)
  Otherwise we just SIGSEGV.

* Handle IV carryover in CBC, CFB, and stream ciphers (Jack Lloyd, 2017-05-13; 3 files, -4/+18)
  Allow an empty nonce to mean "continue using the current cipher state". GH #864
* Implement cipher modes with OpenSSL. (Alexander Bluhm, 2017-04-25; 2 files, -5/+46)
  Use the OpenSSL provider to implement AES CBC mode. Also pass down the provider to the encryption layer if there is no matching OpenSSL mode. Add a test with empty nonce.

* Content: (Tomasz Frydrych, 2017-04-03; 3 files, -3/+3)
  - fixes for deprecated constructions in c++11 and later (explicit rule of 3/5 or implicit rule of 0 and other violations)
  - `default` specifier instead of `{}` in some places (probably all)
  - removal of unreachable code (for example `return` after `throw`)
  - removal of compilation unit only visible, but not used functions
  - fix for `throw()` specifier - used instead `BOTAN_NOEXCEPT`
  - removed not needed semicolons

* Remove "Dirty hack" for multiple defines in lex_me_harder() (Simon Warta, 2017-04-02; 13 files, -14/+39)
* Convert to using standard uintN_t integer types (Jack Lloyd, 2016-12-18; 25 files, -312/+312)
  Renames a couple of functions for somewhat better name consistency, eg make_u32bit becomes make_uint32. The old typedefs remain for now since probably lots of application code uses them.

* forgot to unpoison return vals (Never, 2016-12-09; 1 file, -0/+4)

* Rewrote bc unpad functions as const time operations. (Never, 2016-12-09; 2 files, -41/+65)
  The unpad functions return the blocksize as padding position, if the padding is invalid.

* Remove ECB mode (Jack Lloyd, 2016-12-04; 5 files, -268/+1)
  Not a good thing to offer at this level. If you know what you are doing for the strange special case where it is necessary, the raw BlockCipher interface is available and probably more convenient.
* Correct output_length bug in SIV and ChaCha20Poly1305 also (Jack Lloyd, 2016-11-26; 2 files, -2/+2)

* Add test for various functions previously missed (T::clone, PBKDF::name, AEAD::output_length) (Jack Lloyd, 2016-11-26; 3 files, -3/+3)
  Fix a bug in CCM, GCM, and OCB decryption which caused `output_length(tag_size())` to fail even though empty plaintexts are certainly defined for all three modes.

* Update ISO standard for OneAndZeros_Padding (René Korthaus, 2016-11-15; 1 file, -1/+1)

* Check all padding bytes in ESP_Padding::unpad() (René Korthaus, 2016-11-15; 1 file, -4/+9)

* Check all ESP padding bytes during unpad (René Korthaus, 2016-11-14; 1 file, -12/+11)

* Add ESP block cipher padding from RFC 4303 (René Korthaus, 2016-11-14; 2 files, -1/+62)
  ESP padding is one of the recommended padding methods from BSI-TR-02102-1.
* Cipher_Mode and AEAD_Mode improvements (Daniel Neus, 2016-11-08; 22 files, -17/+165)
  See PR #552
  - Add Cipher_Mode::reset() which resets just the message specific state and allows encrypting again under the existing key
  - In Cipher_Mode::clear() (at some places) use cipher->clear() instead of resetting the pointer which would make the cipher object unusable
  - EAX_Decryption::output_length() bugfix?! Now it's possible to decrypt an empty ciphertext (just a tag)
  - Bugfix for GCM_Decryption::finish()
  - set tag length in GCM_Mode::name()
  - Cipher_Mode tests: add tests for reset() and process()
  - AEAD_Mode tests: add tests for reset(), clear(), update() and process()

* Implements GMAC with GHASH. (Matthias Gierlings, 2016-10-28; 2 files, -54/+52)
  Adds support for Galois Message Authentication Code calculation based on GHASH, rather than GCM_Mode.

* Added implementation for GMAC (Matthias Gierlings, 2016-10-27; 2 files, -49/+54)
  - Added GMAC class
  - Integrated GMAC into MAC-Class test bench. Run GMAC tests using ./botan-test mac

* Remove alias logic from SCAN_Name (Jack Lloyd, 2016-10-21; 2 files, -0/+12)
  This required taking a global lock and doing a map lookup each time an algorithm was requested (and so many times during a TLS handshake).

* Remove Algo_Registry (Jack Lloyd, 2016-10-21; 16 files, -200/+192)
  I repent my use of global constructors. I repent my use of global locks. Hopefully I will never touch this code again. :)
* Fix doxygen warnings [ci skip] (René Korthaus, 2016-10-19; 2 files, -3/+3)

* Improve modes doxygen [ci skip] (René Korthaus, 2016-10-19; 9 files, -8/+104)

* Add ISA annotations to functions using SIMD, AES, etc (Jack Lloyd, 2016-10-14; 1 file, -0/+1)
  Also emit `#pragma GCC target` in the ISA specific amalgamation files. This allows compiling without any special compiler flags, at least with GCC 6.2 and Clang 3.8. The ISA annotations are ignored in MSVC, which just emits whatever instruction the intrinsic requires.

* SIV is restricted to 128 bit ciphers (Jack Lloyd, 2016-10-02; 1 file, -0/+2)
* Merge GH #516 Cipher_Mode API improvements (Jack Lloyd, 2016-09-26; 22 files, -279/+215)

  * Cipher_Mode API improvements (Jack Lloyd, 2016-09-01; 22 files, -279/+215) [on the branch merged by GH #516]
    The Cipher_Mode::update API is more general than needed to just support ciphers (this is due to it previously being an API of Transform which before 8b85b780515 was Cipher_Mode's base class)

    Define a less general interface `process` which either processes the blocks in-place, producing exactly as much output as there was input, or (SIV/CCM case) saves the entire message for processing in `finish`. These two uses cover all current or anticipated cipher modes.

    Leaves `update` for compatibility with existing callers; all that is needed is an inline function forwarding to `process`.

    Removes the return type from `start` - in all cipher implementations, this always returned an empty vector.

    Adds BOTAN_ARG_CHECK macro; right now BOTAN_ASSERT is being used for argument checking in some places, which is not right at all.

* Change T::provider to return std::string (Jack Lloyd, 2016-09-15; 3 files, -4/+3)

* Add T::provider() to allow user to inquire about implementation used (Jack Lloyd, 2016-09-15; 3 files, -8/+19)
  For block ciphers, stream ciphers, hashes, MACs, and cipher modes. Cipher_Mode already had it, with a slightly different usage.
* Add test vectors for block cipher padding modes (René Korthaus, 2016-07-11; 2 files, -2/+5)
  Exports get_bc_pad() to be used from tests. Adds separate handcrafted tests for block cipher padding modes. They were previously only tested implicitly during the block cipher modes of operation tests, though not all padding modes were covered. And in case a mode of operation is not part of the enabled modules, the previously tested padding modes are not covered at all.

  Fixes an off-by-one bug in the previously untested ANSI X9.23 padding mode, where the number of zero bytes in the pad was one more than allowed by the standard.

* Fix GCM counter increment (Jack Lloyd, 2016-05-23; 1 file, -1/+1)
  GCM is defined as having a 32-bit counter, but CTR_BE incremented the counter across the entire block. This caused incorrect results if a very large message (2**39 bits) was processed, or if the GHASH derived nonce ended up having a counter field near to 2**32

  Thanks to Juraj Somorovsky for the bug report and repro.

* Add explicit static_cast operations to eliminate implicit cast compiler warnings. (Dan Brown, 2016-04-27; 1 file, -2/+2)

* Change calls to 'get_byte' to explicitly cast parameters and eliminate compiler warnings (Dan Brown, 2016-04-27; 1 file, -2/+2)
* Remove Transform base class (Jack Lloyd, 2016-04-21; 4 files, -33/+194)
  With sufficient squinting, Transform provided an abstract base interface that covered both cipher modes and compression algorithms. However it mapped on neither of them particularly well. In addition this API had the same problem that has made me dislike the Pipe/Filter API: given a Transform&, what does it do when you put bits in? Maybe it encrypts. Maybe it compresses. It's a floor wax and a dessert topping!

  Currently the Cipher_Mode interface is left mostly unchanged, with the APIs previously on Transform just moved down the type hierarchy. I think there are some definite improvements possible here, wrt handling of in-place encryption, but left for a later commit.

  The compression API is split into two types, Compression_Algorithm and Decompression_Algorithm. Compression_Algorithm's start() call takes the compression level, allowing varying compressions with a single object. And flushing the compression state is moved to a bool param on `Compression_Algorithm::update`. All the nonsense WRT compression algorithms having zero length nonces, input granularity rules, etc as a result of using the Transform interface goes away.

* Fix bug in IETF version of ChaCha20Poly1305 (Jack Lloyd, 2016-03-23; 1 file, -11/+20)
  If the input lengths are exact multiples of 16 bytes then no padding should be added. Previously 16 bytes of zero padding were added instead.

* cppcheck fixes: Class 'X' has a constructor with 1 argument that is not explicit. (Daniel Neus, 2016-03-05; 5 files, -10/+10)

* Add final attribute to many classes (Jack Lloyd, 2016-01-10; 11 files, -24/+24)
  In some cases this can offer better optimization, via devirtualization. And it lets the user know the class is not intended for derivation. Some discussion in GH #402
* Mass-prefix member vars with m_ (René Korthaus, 2016-01-08; 2 files, -7/+7)

* Reroot the exception hierarchy into a toplevel Exception class (Jack Lloyd, 2015-12-11; 8 files, -13/+13)
  As the alternatives are unfortunate for applications trying to catch all library errors, and it seems deriving from std::runtime_error causes problems with MSVC DLLs (GH #340)

  Effectively reverts 2837e915d82e43

* Make portable GCM multiply operation run in constant time. (Jack Lloyd, 2015-12-04; 1 file, -9/+16)
  Checked with ctgrind

* Cleanup includes (Jack Lloyd, 2015-09-22; 3 files, -2/+3)

* Remove use of lookup.h in favor of new T::create API. (Jack Lloyd, 2015-09-21; 4 files, -16/+16)

* Address some review comments by Simon. GH #279 (Jack Lloyd, 2015-09-21; 2 files, -10/+10)

* Internal header cleanups (Jack Lloyd, 2015-09-19; 1 file, -1/+0)
  Only user-visible change is the removal of get_byte.h

* Handle dependencies re static linking. GH #279 (Jack Lloyd, 2015-09-17; 2 files, -0/+2)
  Previously we were hanging on the type destructors to pull in the relevant objects. However that fails in many simple cases where the object is never deleted.

  For every type involved in the algo registry add static create and providers functions to access the algo registry. Modify lookup.h to be inline and call those functions, and move a few to sub-headers (eg, get_pbkdf going to pbkdf.h).

  So accessing the registry involves going through the same file that handles the initialization, so there is no way to end up with missing objs.
* Same treatment for cipher modes (Jack Lloyd, 2015-09-10; 13 files, -51/+118)

* For CBC, ECB, and XTS the output length of a zero length input is well defined, so don't fail. (Jack Lloyd, 2015-08-04; 3 files, -7/+9)
  Fix XTS: as XTS always uses ciphertext stealing, the value of output_length had been incorrect in rounding up to the block size.