| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
|
| |
This makes the meaning and usage more clear.
Add a specific error type so invalid tags can be distinguished without
having to catch that specific type.
See also #1813
|
|
|
|
|
|
| |
Only used in one place, where const time doesn't matter, but can't hurt.
Remove low_bit, can be replaced by ctz.
|
| |
|
| |
|
|
|
|
|
|
|
| |
Introduced in b13c0cc8590199d, it could only trigger if the block size
was more than 256 bytes. In that case an invalid padding could be accepted.
OSS-Fuzz 11608 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11608)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Avoid throwing base Botan::Exception type, as it is difficult to
determine what the error is in that case.
Add Exception::error_code and Exception::error_type which allows
(for error code) more information about the error and (for error type)
allows knowing the error type without requiring a sequence of catches.
See GH #1742
|
|
|
|
| |
As this paramater is technically a user configurable toggle.
|
|
|
|
|
|
|
|
|
|
| |
which will cause incremental decoding to fail in ffi.
related code(ffi_cipher.cpp):
```cpp
BOTAN_ASSERT(cipher.update_granularity() > cipher.minimum_final_size(), "logic error");
```
|
|
|
|
|
|
|
|
|
|
|
| |
In some cases (EAX, GCM, ChaCha20Poly1305) the mode does not
handle this. However previously it handled it incorrectly by producing
incorrect output. Instead reject it with an exception.
Add a test that, if the mode accepts an AD before the nonce, then it
must process the message correctly. This is similar to the existing
test that if the mode accepts an AD before the key is set it must
do the right thing with it.
|
|
|
|
| |
GH #1714
|
|
|
|
|
|
|
| |
Add tests from NIST that demonstrate the problem, as well as OpenSSL
generated tests for all input sizes 16...128 bytes.
Fixes GH #1706
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Several problems in CBC found by adding tests
- If you set a key, then set a nonce, then set a new key,
you could encrypt without setting a new nonce.
- It was possible to call CBC finish without setting a nonce,
which would crash.
- If you had an CBC decryption object, set a key, set a nonce, then
reset message state, it should throw because no nonce is set.
Instead it would carry on using an all-zero nonce.
Disable CommonCrypto with PKCS7 padding as it seems to have some
problem that I cannot figure out from the build logs.
This work sponsored by Ribose Inc
|
|
|
|
|
|
|
| |
Both PKCS7 and X9.23 padding modes did not examine the first byte
of the purported padding if the padding took an entire block. So
for example for a 64-bit cipher, PKCS7 would accept XX08080808080808
as a valid padding for any byte value.
|
| |
|
|
|
|
| |
It is the default...
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It failed to reset any data that had been fed into CMAC so far,
so a sequence with
eax->set_key(key);
eax->start(nonce);
eax->process(discarded_bits);
eax->reset();
eax->start(second_nonce);
eax->process(second_msg);
would produce incorrect results
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Avoids the XOR operation. Only implemented for ChaCha20 currently,
everything else defaults to memset-to-zero + xor-cipher
|
| |
|
|
|
|
| |
Fix crashes in OCB, GCM and CFB when called without a key being set.
|
| |
|
|
|
|
| |
GH #1631
|
|
|
|
|
| |
This is mostly harmless but not allowed by the specification.
See for example SP800-38D section 5.2.1.1
|
| |
|
| |
|
|
|
|
| |
See also #1526
|
| |
|
|
|
|
|
| |
Add BOTAN_HAS_CIPHER_MODES which is an easier to read/remember
macro than BOTAN_HAS_MODES
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Works around a performance problem with applications that use this
as a buffer size.
Longer term fix is to have two different functions, one for the
minimum grain size and another for the optimium buffer size.
GH #1377
|
| |
|
| |
|
|
|
|
|
| |
Previously calling update or encrypt without calling set_key first
would result in invalid outputs or else crashing.
|
| |
|
|
|
|
| |
The buffer is not aligned :/
|
|
|
|
| |
About 30% faster than scalar on Skylake
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
In CTR, special case for counter widths of special interest.
In GHASH, uses a 4x reduction technique suggested by Intel.
Split out GHASH to its own source file and header.
With these changes GCM is over twice as fast on Skylake and about
50% faster on Westmere.
|