aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/modes
Commit message (Collapse)AuthorAgeFilesLines
* Further GCM optimizationsJack Lloyd2017-10-131-17/+27
| | | | Went from 27 to 20 cycles per byte on Skylake (with clmul disabled)
* Optimize GCMJack Lloyd2017-10-136-151/+215
| | | | | | | | | | By allowing multiple blocks for clmul, slight speedup there though still far behind optimum. Precompute a table of multiples of H, 3-4x faster on systems without clmul (and still no secret indexes). Refactor GMAC to not derive from GHASH
* OCB optimizationsJack Lloyd2017-10-132-58/+90
| | | | | | With fast AES-NI, gets down to about 2 cycles per byte which is pretty good compared to the ~5.5 cpb of 2.3, still a long way off the best stiched impls which run at ~0.6 cpb.
* OCB optimizationsJack Lloyd2017-10-123-56/+54
| | | | From ~5 cbp to ~2.5 cbp on Skylake
* Helpful commentJack Lloyd2017-10-111-1/+2
|
* Optimize CFB modeJack Lloyd2017-10-112-39/+97
| | | | Still slower but notably faster at least with AES-NI
* Avoid empty methods, use =default or add a commentJack Lloyd2017-10-031-1/+4
| | | | Sonar
* Remove redundant return statementJack Lloyd2017-10-021-1/+1
|
* Address some MSVC warningsJack Lloyd2017-09-301-1/+1
|
* Make poly_dbl.h a submodule of utilsJack Lloyd2017-09-273-0/+9
| | | | | Only required by a few modules and if none of them are in use then the whole thing can just be skipped from the build.
* Avoid debug iterator errorJack Lloyd2017-09-241-6/+12
|
* Test SIV multi-AD functionJack Lloyd2017-09-241-2/+2
|
* Better tests for SIVJack Lloyd2017-09-242-22/+33
| | | | | | | | | | | | Correct errors in the AEAD tests that assumed process/update always return something - that isn't true for SIV Minor optimizations in CMAC and CTR to cache the block size instead of making a zillion virtual calls for it. Generalize SIV slightly to where it could support a non-128 bit cipher, but don't pull the trigger on it since I can't find any implementations to crosscheck with.
* Further build/test fixes for restricted configurationsJack Lloyd2017-09-242-1/+8
|
* Apply final annotations to the library alsoJack Lloyd2017-09-222-2/+2
| | | | | Done by a perl script which converted all classes to final, followed by selective reversion where it caused compilation failures.
* More include header cleanupsJack Lloyd2017-09-216-6/+15
|
* Header file cleanupsJack Lloyd2017-09-218-11/+3
| | | | Some help from include-what-you-use
* Change header guard format to BOTAN_FOO_H_Jack Lloyd2017-09-2015-30/+30
| | | | | | ISO C++ reserves names with double underscores in them Closes #512
* Complete the final annotation changesJack Lloyd2017-09-191-4/+5
|
* Add API stability annotations.Jack Lloyd2017-09-1912-40/+40
| | | | | Defined in build.h, all equal to BOTAN_DLL so ties into existing system for exporting symbols.
* Merge GH #1205 Support large blocks in OCB modeJack Lloyd2017-09-192-62/+134
|\
| * Change wide block OCBJack Lloyd2017-09-151-29/+0
| | | | | | | | | | Ted Krovetz confirmed there were bugs in the reference code for blocks > 128 bits so these values should be the correct ones.
| * Add alternate form for matching OCB ref codeJack Lloyd2017-09-111-4/+30
| |
| * Support larger block sizes in OCBJack Lloyd2017-09-102-59/+134
| | | | | | | | | | | | This doesn't match the draft-3 test vectors and may be bogus. [ci skip]
* | Use constant_time_compare instead of same_memJack Lloyd2017-09-165-5/+5
| | | | | | | | New name, same great operation
* | Small cleanup in CBC modeJack Lloyd2017-09-162-21/+23
| |
* | reenable 8 byte gcm tagsAtanas Filyanov2017-09-151-1/+2
| |
* | Allow GCM tag size in the range 96..128 bitsAtanas Filyanov2017-09-141-1/+2
| |
* | allow 12 byte GCM tags and add test vectorsAtanas Filyanov2017-09-131-1/+1
| |
* | Address CFB carryover bugJack Lloyd2017-09-102-47/+44
|/ | | | | | Test data generated by 1.10 so hopefully no further issues here. GH #1200
* Simplify polynomial doubling codeJack Lloyd2017-09-052-46/+14
| | | | | | | | | | GCC and Clang generate effectively identical code for a template with parameters, vs completely unrolled code as was used previously. Add a little-endian variant so XTS can use it. This extends XTS support to cover 256 and 512-bit ciphers. I was not able to find another implementation that supports both XTS and ciphers with large blocks, so the XTS test vectors are self-generated.
* Add support for ARMv8 PMULL instructionJack Lloyd2017-09-034-0/+112
| | | | Contributed in GH #842
* More MSVC warnings fixesJack Lloyd2017-08-311-2/+3
|
* Fix various MSVC warningsJack Lloyd2017-08-311-6/+6
| | | | Based on VC2017 output
* Improve polynomial doubling code, move to utilJack Lloyd2017-08-153-9/+8
| | | | | | | | | Now does 64-bits at a time instead of 8 bits, and avoids conditional timing channel on the XOR carry. Confirmed that at least GCC 7 and Clang 4 on x86-64 compile the functions without conditional jumps. Also removes CMAC as a dependency of OCB, which only needed it in order to call CMAC::poly_double
* Update OCB ref to RFC, and add new test vectorsJack Lloyd2017-06-121-2/+2
|
* Add assertion to ensure key is set in OCB_Encryption::encrypt.Daniel Wyatt2017-06-091-0/+2
| | | | Otherwise we just SIGSEGV.
* Handle IV carryover in CBC, CFB, and stream ciphersJack Lloyd2017-05-133-4/+18
| | | | | | Allow an empty nonce to mean "continue using the current cipher state". GH #864
* Implement cipher modes with OpenSSL.Alexander Bluhm2017-04-252-5/+46
| | | | | | Use the OpenSSL provider to implement AES CBC mode. Also pass down the provider to the encryption layer if there is no matching OpenSSL mode. Add a test with empty nonce.
* Content:Tomasz Frydrych2017-04-033-3/+3
| | | | | | | | | * fixes for deprecated constructions in c++11 and later (explicit rule of 3/5 or implicit rule of 0 and other violations) * `default` specifier instead of `{}` in some places(probably all) * removal of unreachable code (for example `return` after `throw`) * removal of compilation unit only visible, but not used functions * fix for `throw()` specifier - used instead `BOTAN_NOEXCEPT` * removed not needed semicolons
* Remove "Dirty hack" for multiple defines in lex_me_harder()Simon Warta2017-04-0213-14/+39
|
* Convert to using standard uintN_t integer typesJack Lloyd2016-12-1825-312/+312
| | | | | | Renames a couple of functions for somewhat better name consistency, eg make_u32bit becomes make_uint32. The old typedefs remain for now since probably lots of application code uses them.
* forgot to unpoison return valsNever2016-12-091-0/+4
|
* Rewrote bc unpad functions as const time operations.Never2016-12-092-41/+65
| | | | | | The unpad functions return the blocksize as padding position, if the padding is invalid. .
* Remove ECB modeJack Lloyd2016-12-045-268/+1
| | | | | | | Not a good thing to offer at this level. If you know what you are doing for the strange special case where it is necessary, the raw BlockCipher interface is available and probably more convenient.
* Correct output_length bug in SIV and ChaCha20Poly1305 alsoJack Lloyd2016-11-262-2/+2
|
* Add test for various functions previously missed (T::clone, PBKDF::name, ↵Jack Lloyd2016-11-263-3/+3
| | | | | | | AEAD::output_length) Fix a bug in CCM, GCM, and OCB decryption which caused `output_length(tag_size())` to fail even though empty plaintexts are certainly defined for all three modes.
* Update ISO standard for OneAndZeros_PaddingRené Korthaus2016-11-151-1/+1
|
* Check all padding bytes in ESP_Padding::unpad()René Korthaus2016-11-151-4/+9
|
* Check all ESP padding bytes during unpadRené Korthaus2016-11-141-12/+11
|