aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/modes
Commit message (Collapse)AuthorAgeFilesLines
* Make the ISA list a listJack Lloyd2019-04-173-3/+9
|
* Rename Integrity_Failure to Invalid_Authentication_TagJack Lloyd2019-01-186-6/+6
| | | | | | | | | This makes the meaning and usage more clear. Add a specific error type so invalid tags can be distinguished without having to catch that specific type. See also #1813
* Make significant_words const time alsoJack Lloyd2018-12-231-3/+3
| | | | | | Only used in one place, where const time doesn't matter, but can't hurt. Remove low_bit, can be replaced by ctz.
* Fix some MSVC warningsJack Lloyd2018-12-101-5/+6
|
* Fix some misc MSVC warningsJack Lloyd2018-12-041-3/+3
|
* Fix a bug in OneAndZeros unpaddingJack Lloyd2018-11-301-5/+6
| | | | | | | Introduced in b13c0cc8590199d, it could only trigger if the block size was more than 256 bytes. In that case an invalid padding could be accepted. OSS-Fuzz 11608 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11608)
* Add CT::Mask typeJack Lloyd2018-11-281-22/+41
|
* Make exceptions easier to translate to error codesJack Lloyd2018-11-232-2/+2
| | | | | | | | | | | Avoid throwing base Botan::Exception type, as it is difficult to determine what the error is in that case. Add Exception::error_code and Exception::error_type which allows (for error code) more information about the error and (for error type) allows knowing the error type without requiring a sequence of catches. See GH #1742
* Ensure this works even if par mult param is set to 1Jack Lloyd2018-11-021-1/+1
| | | | As this paramater is technically a user configurable toggle.
* Fixed an issue where update_granularity is equal to tag_size in GCM mode, ↵chux05192018-11-011-1/+1
| | | | | | | | | | which will cause incremental decoding to fail in ffi. related code(ffi_cipher.cpp): ```cpp BOTAN_ASSERT(cipher.update_granularity() > cipher.minimum_final_size(), "logic error"); ```
* Handle setting AD after a nonce correctly in AEADsJack Lloyd2018-10-313-3/+11
| | | | | | | | | | | In some cases (EAX, GCM, ChaCha20Poly1305) the mode does not handle this. However previously it handled it incorrectly by producing incorrect output. Instead reject it with an exception. Add a test that, if the mode accepts an AD before the nonce, then it must process the message correctly. This is similar to the existing test that if the mode accepts an AD before the key is set it must do the right thing with it.
* Use more informative error message for invalid CBC paddingJack Lloyd2018-10-231-1/+1
| | | | GH #1714
* Correct error with XTS minimum block sizeJack Lloyd2018-10-151-1/+1
| | | | | | | Add tests from NIST that demonstrate the problem, as well as OpenSSL generated tests for all input sizes 16...128 bytes. Fixes GH #1706
* Fix some warnings in ARM specific codeJack Lloyd2018-10-011-16/+22
|
* Fix some MSVC warningsJack Lloyd2018-09-301-3/+3
|
* Refactor mode tests, and correct bugs foundJack Lloyd2018-09-291-1/+7
| | | | | | | | | | | | | | | | | | | Several problems in CBC found by adding tests - If you set a key, then set a nonce, then set a new key, you could encrypt without setting a new nonce. - It was possible to call CBC finish without setting a nonce, which would crash. - If you had an CBC decryption object, set a key, set a nonce, then reset message state, it should throw because no nonce is set. Instead it would carry on using an all-zero nonce. Disable CommonCrypto with PKCS7 padding as it seems to have some problem that I cannot figure out from the build logs. This work sponsored by Ribose Inc
* Add fuzzer for mode unpadding, and fix bugs found therebyJack Lloyd2018-09-222-59/+65
| | | | | | | Both PKCS7 and X9.23 padding modes did not examine the first byte of the purported padding if the padding took an entire block. So for example for a 64-bit cipher, PKCS7 would accept XX08080808080808 as a valid padding for any byte value.
* Add CommonCrypto cipher modes supportJose Pereira2018-09-091-1/+18
|
* Remove unneeded load_on autoJack Lloyd2018-09-041-2/+0
| | | | It is the default...
* Have cipher modes also verify that the nonce is set prior to useJack Lloyd2018-08-175-7/+20
|
* In EAX, CCM, OCB verify nonce is set before processingJack Lloyd2018-08-173-1/+9
|
* Fix an EAX bug in reset()Jack Lloyd2018-08-171-0/+8
| | | | | | | | | | | | | | It failed to reset any data that had been fed into CMAC so far, so a sequence with eax->set_key(key); eax->start(nonce); eax->process(discarded_bits); eax->reset(); eax->start(second_nonce); eax->process(second_msg); would produce incorrect results
* GHASH should check the nonce sizeJack Lloyd2018-08-101-0/+1
|
* Add a function to query output length of symmetric cipherJack Lloyd2018-08-101-2/+3
|
* Fix GCM bug: would accept AD without keyed if AD was emptyJack Lloyd2018-08-091-2/+2
|
* Remove functions from Cipher_Mode now inherited from base classJack Lloyd2018-08-091-44/+0
|
* Add StreamCipher::write_keystreamJack Lloyd2018-08-081-4/+4
| | | | | Avoids the XOR operation. Only implemented for ChaCha20 currently, everything else defaults to memset-to-zero + xor-cipher
* Add support for XChaCha20Poly1305Jack Lloyd2018-08-073-5/+6
|
* Fix crashes when modes were used unkeyed.Jack Lloyd2018-08-057-26/+36
| | | | Fix crashes in OCB, GCM and CFB when called without a key being set.
* GHASH - use explicit function to check for key being setJack Lloyd2018-07-251-1/+1
|
* Fix error in CCM when L=8Jack Lloyd2018-07-182-6/+7
| | | | GH #1631
* Prohibit empty nonces with GCMJack Lloyd2018-06-272-3/+9
| | | | | This is mostly harmless but not allowed by the specification. See for example SP800-38D section 5.2.1.1
* Add message to BOTAN_ARG_CHECK and use it more widelyJack Lloyd2018-05-133-13/+15
|
* Work around unique_ptr conversion bug in older GCCJack Lloyd2018-04-071-1/+1
|
* Add RAII versions of get_cipher_mode and get_aeadJack Lloyd2018-04-074-51/+127
| | | | See also #1526
* Minor tweaks for coverageJack Lloyd2018-03-101-2/+1
|
* Fix speed test of cipher modes [ci skip]Jack Lloyd2018-01-271-0/+1
| | | | | Add BOTAN_HAS_CIPHER_MODES which is an easier to read/remember macro than BOTAN_HAS_MODES
* ABI for Aarch64 cryptoJack Lloyd2018-01-121-3/+1
|
* Make stream, block, hash and cipher mode base classes optionalJack Lloyd2018-01-128-1/+22
|
* Increase EAX update granularity to 128 bytes.Jack Lloyd2017-12-301-1/+5
| | | | | | | | | | Works around a performance problem with applications that use this as a buffer size. Longer term fix is to have two different functions, one for the minimum grain size and another for the optimium buffer size. GH #1377
* Add a function for checking if poly_double_n supports a particular sizeJack Lloyd2017-11-181-4/+1
|
* Minor SIV/CMAC optimizationsJack Lloyd2017-11-021-3/+6
|
* Add checks that keyed algorithms are actually keyed before useJack Lloyd2017-10-261-1/+1
| | | | | Previously calling update or encrypt without calling set_key first would result in invalid outputs or else crashing.
* Convert http:// links to https:// where possibleJack Lloyd2017-10-241-1/+1
|
* Fix for 32-bit WindowsJack Lloyd2017-10-201-4/+4
| | | | The buffer is not aligned :/
* Add GHASH using SSSE3Jack Lloyd2017-10-204-2/+105
| | | | About 30% faster than scalar on Skylake
* Remove unused variableJack Lloyd2017-10-191-1/+1
|
* PMULL optimizationsJack Lloyd2017-10-183-61/+192
|
* Further optimizations, and split out GHASH reduction codeJack Lloyd2017-10-182-79/+46
|
* GCM and CTR optimizationsJack Lloyd2017-10-186-319/+508
| | | | | | | | | | | In CTR, special case for counter widths of special interest. In GHASH, uses a 4x reduction technique suggested by Intel. Split out GHASH to its own source file and header. With these changes GCM is over twice as fast on Skylake and about 50% faster on Westmere.