aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/modes
Commit message (Collapse)AuthorAgeFilesLines
* Update ISO standard for OneAndZeros_PaddingRené Korthaus2016-11-151-1/+1
|
* Check all padding bytes in ESP_Padding::unpad()René Korthaus2016-11-151-4/+9
|
* Check all ESP padding bytes during unpadRené Korthaus2016-11-141-12/+11
|
* Add ESP block cipher padding from RFC 4303René Korthaus2016-11-142-1/+62
| | | | | ESP padding is one of the recommended padding methods from BSI-TR-02102-1.
* Cipher_Mode and AEAD_Mode improvementsDaniel Neus2016-11-0822-17/+165
| | | | | | | | | | | | See PR #552 - Add Cipher_Mode::reset() which resets just the message specific state and allows encrypting again under the existing key - In Cipher_Mode::clear() (at some planes) use cipher->clear() instead of resetting the pointer which would make the cipher object unusable - EAX_Decryption::output_length() bugfix?! Now its possible to decrypt an empty ciphertext (just a tag) - Bugfix for GCM_Decryption::finish() - set tag length in GCM_Mode::name() - Cipher_Mode tests: add tests for reset()and process() - AEAD_Mode tests: add tests for reset(), clear(), update() and process()
* Implements GMAC with GHASH.Matthias Gierlings2016-10-282-54/+52
| | | | | Adds support for Galois Message Authentication Code calculation based on GHASH, rather than GCM_Mode.
* Added implementation for GMACMatthias Gierlings2016-10-272-49/+54
| | | | | | - Added GMAC class - Integrated GMAC into MAC-Class test bench. Run GMAC tests using ./botan-test mac
* Remove alias logic from SCAN_NameJack Lloyd2016-10-212-0/+12
| | | | | | This required taking a global lock and doing a map lookup each time an algorithm was requested (and so many times during a TLS handshake).
* Remove Algo_RegistryJack Lloyd2016-10-2116-200/+192
| | | | | | | I repent my use of global constructors. I repent my use of global locks. Hopefully I will never touch this code again. :)
* Fix doxygen warnings [ci skip]René Korthaus2016-10-192-3/+3
|
* Improve modes doxygen [ci skip]René Korthaus2016-10-199-8/+104
|
* Add ISA annotations to functions using SIMD, AES, etcJack Lloyd2016-10-141-0/+1
| | | | | | | | Also emit `#pragma GCC target` in the ISA specific amalgamation files. This allows compiling without any special compiler flags, at least with GCC 6.2 and Clang 3.8. The ISA annotations are ignored in MSVC, which just emits whatever instruction the intrinsic requires.
* SIV is restricted to 128 bit ciphersJack Lloyd2016-10-021-0/+2
|
* Merge GH #516 Cipher_Mode API improvementsJack Lloyd2016-09-2622-279/+215
|\
| * Cipher_Mode API improvementsJack Lloyd2016-09-0122-279/+215
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The Cipher_Mode::update API is more general than needed to just support ciphers (this is due to it previously being an API of Transform which before 8b85b780515 was Cipher_Mode's base class) Define a less general interface `process` which either processes the blocks in-place, producing exactly as much output as there was input, or (SIV/CCM case) saves the entire message for processing in `finish`. These two uses cover all current or anticipated cipher modes. Leaves `update` for compatability with existing callers; all that is needed is an inline function forwarding to `process`. Removes the return type from `start` - in all cipher implementations, this always returned an empty vector. Adds BOTAN_ARG_CHECK macro; right now BOTAN_ASSERT is being used for argument checking in some places, which is not right at all.
* | Change T::provider to return std::stringJack Lloyd2016-09-153-4/+3
| |
* | Add T::provider() to allow user to inquire about implementation usedJack Lloyd2016-09-153-8/+19
|/ | | | | For block ciphers, stream ciphers, hashes, MACs, and cipher modes. Cipher_Mode already had it, with a slightly different usage.
* Add test vectors for block cipher padding modesRené Korthaus2016-07-112-2/+5
| | | | | | | | | | | Exports get_bc_pad() to be used from tests. Adds separate handcrafted tests for block cipher padding modes. They were previously only tested implicitly during the block cipher modes of operation tests, though not all padding modes were covered. And in case a mode of operation is not part of the enabled modules, the previously tested padding modes are not covered at all. Fixes an off-by-one bug in the previously untested ANSI X9.23 padding mode, where the number of zero bytes in the pad was one more than allowed by the standard.
* Fix GCM counter incrementJack Lloyd2016-05-231-1/+1
| | | | | | | | | GCM is defined as having a 32-bit counter, but CTR_BE incremented the counter across the entire block. This caused incorrect results if a very large message (2**39 bits) was processed, or if the GHASH derived nonce ended up having a counter field near to 2**32 Thanks to Juraj Somorovsky for the bug report and repro.
* Add explicit static_cast operations to eliminate implicit cast compiler ↵Dan Brown2016-04-271-2/+2
| | | | warnings.
* Change calls to 'get_byte' to explicitly cast parameters and eliminate ↵Dan Brown2016-04-271-2/+2
| | | | compiler warnings
* Remove Transform base classJack Lloyd2016-04-214-33/+194
| | | | | | | | | | | | | | | | | | | | | | With sufficient squinting, Transform provided an abstract base interface that covered both cipher modes and compression algorithms. However it mapped on neither of them particularly well. In addition this API had the same problem that has made me dislike the Pipe/Filter API: given a Transform&, what does it do when you put bits in? Maybe it encrypts. Maybe it compresses. It's a floor wax and a dessert topping! Currently the Cipher_Mode interface is left mostly unchanged, with the APIs previously on Transform just moved down the type hierarchy. I think there are some definite improvements possible here, wrt handling of in-place encryption, but left for a later commit. The compression API is split into two types, Compression_Algorithm and Decompression_Algorithm. Compression_Algorithm's start() call takes the compression level, allowing varying compressions with a single object. And flushing the compression state is moved to a bool param on `Compression_Algorithm::update`. All the nonsense WRT compression algorithms having zero length nonces, input granularity rules, etc as a result of using the Transform interface goes away.
* Fix bug in IETF version of ChaCha20Poly1305Jack Lloyd2016-03-231-11/+20
| | | | | If the input lengths are exact multiples of 16 bytes then no padding should be added. Previously 16 bytes of zero padding were added instead.
* cppcheck fixes: Class 'X' has a constructor with 1 argument that is not ↵Daniel Neus2016-03-055-10/+10
| | | | explicit.
* Add final attribute to many classesJack Lloyd2016-01-1011-24/+24
| | | | | | | In some cases this can offer better optimization, via devirtualization. And it lets the user know the class is not intended for derivation. Some discussion in GH #402
* Mass-prefix member vars with m_René Korthaus2016-01-082-7/+7
|
* Reroot the exception hierarchy into a toplevel Exception classJack Lloyd2015-12-118-13/+13
| | | | | | | | As the alternatives are unfortunate for applications trying to catch all library errors, and it seems deriving from std::runtime_error causes problems with MSVC DLLs (GH #340) Effectively reverts 2837e915d82e43
* Make portable GCM multiply operation run in constant time.Jack Lloyd2015-12-041-9/+16
| | | | Checked with ctgrind
* Cleanup includesJack Lloyd2015-09-223-2/+3
|
* Remove use of lookup.h in favor of new T::create API.Jack Lloyd2015-09-214-16/+16
|
* Address some review comments by Simon. GH #279Jack Lloyd2015-09-212-10/+10
|
* Internal header cleanupsJack Lloyd2015-09-191-1/+0
| | | | Only user-visible change is the removal of get_byte.h
* Handle dependencies re static linking. GH #279Jack Lloyd2015-09-172-0/+2
| | | | | | | | | | | | | | Previously we were hanging on the type destructors to pull in the relevant objects. However that fails in many simple cases where the object is never deleted. For every type involved in the algo registry add static create and providers functions to access the algo registry. Modify lookup.h to be inline and call those functions, and move a few to sub-headers (eg, get_pbkdf going to pbkdf.h). So accessing the registry involves going through the same file that handles the initialization, so there is no way to end up with missing objs.
* Same treatment for cipher modesJack Lloyd2015-09-1013-51/+118
|
* For CBC, ECB, and XTS the output length of a zero length input is wellJack Lloyd2015-08-043-7/+9
| | | | | | defined, so don't fail. Fix XTS, as XTS always uses ciphertext stealing the value of output_length had been incorrect in rounding up to the block size.
* modes: Add missing overridesDaniel Seither2015-07-305-20/+21
|
* Remove semicolons at the end of macrosDaniel Seither2015-07-151-3/+3
|
* Fix round_upSimon Warta2015-07-153-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 1. src/lib/codec/base64/base64.cpp: : (round_up<size_t>(input_length, 3) / 3) * 4; 2. src/lib/codec/base64/base64.cpp: : (round_up<size_t>(input_length, 4) * 3) / 4; 3. src/lib/filters/transform_filter.cpp: return round_up(target_size, update_granularity); 4. src/lib/math/bigint/bigint.cpp: m_reg.resize(round_up<size_t>(size, 8)); 5. src/lib/math/bigint/bigint.cpp: m_reg.resize(round_up<size_t>((length / WORD_BYTES) + 1, 8)); 6. src/lib/math/numbertheory/mp_numth.cpp: BigInt z(BigInt::Positive, round_up<size_t>(2*x_sw, 16)); 7. src/lib/modes/cbc/cbc.cpp: return round_up(input_length, cipher().block_size()); 8. src/lib/modes/ecb/ecb.cpp: return round_up(input_length, cipher().block_size()); 9. src/lib/modes/xts/xts.cpp: return round_up(input_length, cipher().block_size()); 10. src/lib/pbkdf/pbkdf2/pbkdf2.cpp: const size_t blocks_needed = round_up(out_len, prf_sz) / prf_sz; 11. src/lib/tls/tls_record.cpp: const size_t buf_size = round_up( 12. src/lib/utils/rounding.h:inline T round_up(T n, T align_to) 1. Reason for change 2. Reason for change 3. first argument cannot be 0 (`target_size = 1024`) 4. Is a bug in the current implementation iff `size = 0` 5. first argument cannot be 0 6. round_up should return 0 if `x_sw = 0` 7. ? 8. ? 9. ? 10. first argument cannot be 0 (`if(out_len == 0) return 0;`) 11. first argument is unlikely to be 0 (`iv_size + msg_length + mac_size + (block_size ? 1 : 0)`) 12. Implementation
* Fix module combi: adler32,sivSimon Warta2015-07-081-0/+5
|
* Make Botan compile when only some modules are enabledSimon Warta2015-07-032-1/+2
| | | | Fixes #146.
* More changes for use with debug STLSimon Warta2015-06-301-2/+8
|
* lib/modes: Convert &vec[0] to vec.data()Simon Warta2015-06-2414-115/+115
|
* Fix code that triggers a strange MSVC 'performance warning'git2015-04-081-2/+2
| | | | Github pull 74 from Chris Desjardins
* Consider AES-NI as implying SSSE3 which lets us merge two of thelloyd2015-03-151-1/+1
| | | | | | amalgamation objects (aes_ni and clmul). The real advantage is for the static link, as GCM will pull in clmul via its reference, which is sufficient to also pull the AES impl into the link.
* Fix clmul which was broken by amalgamation ISA split.lloyd2015-03-122-2/+2
| | | | | Change GCM update granularity to BS (16) which is sufficient for GCM and more convenient to callers
* Add BOTAN_DLL back to LibraryInitializer and move some of the implementation tolloyd2015-03-111-2/+2
| | | | | | | a source file. Without BOTAN_DLL the LibraryInitializer was removed entirely from the list of symbols which is not desired. Add some casts to avoid scary sounding but (upon review) harmless warnings from MSVC
* Hide Algorithm_Factory and use the functions in lookup.h internally.lloyd2015-03-045-14/+17
| | | | | | Fix two memory leaks (in TLS and modes) caused by calling get_foo and then cloning the result before saving it (leaking the original object), a holdover from the conversion between construction techniques in 1.11.14
* Get algos via lookup in case of SIMD or other optimized versionslloyd2015-02-181-4/+2
|
* Add version_cstr (returns const char*) and move tag_size from AEAD tolloyd2015-02-112-5/+5
| | | | Cipher_Mode. Add missing includes in entropy sources, noticed by clang.
* Move Cipher_Mode enum out of types.h, move stream cipher mode to new headerlloyd2015-02-054-46/+70
|