path: root/src/lib/stream
Commit message (Author, Date; Files changed, Lines -removed/+added)

* Add SHACAL2 AVX2 (Jack Lloyd, 2019-11-14; 1 file, -24/+19)
    About 2x faster on Skylake

* Optimize CTR_BE::seek (Jack Lloyd, 2019-09-26; 1 file, -1/+20)

* Merge GH #2061 Add header deprecation warnings (Jack Lloyd, 2019-09-08; 6 files, -0/+12)
    Merged commit:
    * Deprecate many publicly available headers (Jack Lloyd, 2019-09-06; 6 files, -0/+12)

* Optimizations for CTR_BE::add_counter (Jack Lloyd, 2019-09-06; 1 file, -14/+9)
    This is in the hot path for GCM

* Avoid pointless write (Jack Lloyd, 2019-07-05; 1 file, -1/+1)
    The last 4 bytes are always overwritten in this loop.

* Add a compatibility shim for libsodium (Jack Lloyd, 2019-06-15; 2 files, -5/+3)
    Not complete, just trying to hit the most commonly used APIs plus the ones that are easy to do.

* Make the ISA list a list (Jack Lloyd, 2019-04-17; 1 file, -1/+3)

* Fixes for minimized builds (Jack Lloyd, 2019-02-16; 1 file, -0/+4)
    Various configurations would fail build or test, fix that.

* Support arbitrary key lengths in SHAKE-128 cipher (Jack Lloyd, 2019-02-13; 2 files, -22/+14)
    We need this for Kyber, which uses 34 byte inputs to XOF when computing the public matrix.

* Avoid including rotate.h in bswap.h (Jack Lloyd, 2018-12-21; 2 files, -0/+2)
    It was only needed for one case which is easily hardcoded. Include rotate.h in all the source files that actually use rotr/rotl but implicitly picked it up via the loadstor.h -> bswap.h -> rotate.h include chain.

* Silence MSVC warnings (Jack Lloyd, 2018-12-04; 1 file, -2/+2)
    static_casts for the compiler god

* Make exceptions easier to translate to error codes (Jack Lloyd, 2018-11-23; 1 file, -1/+1)
    Avoid throwing base Botan::Exception type, as it is difficult to determine what the error is in that case. Add Exception::error_code and Exception::error_type which allows (for error code) more information about the error and (for error type) allows knowing the error type without requiring a sequence of catches. See GH #1742

* Simplify Salsa20 xor loop (Jack Lloyd, 2018-11-21; 1 file, -4/+7)

* Slight simplification to ChaCha loop (Jack Lloyd, 2018-11-21; 1 file, -7/+13)

* Remove needless memset operation (Jack Lloyd, 2018-11-17; 1 file, -1/+0)

* Use vzeroupper/vzeroall to transition between AVX and SSE states. (Jack Lloyd, 2018-11-10; 1 file, -0/+4)
    Otherwise some CPUs suffer serious stalls. Using vzeroall on exit also has the nice effect that we don't have to worry about register contents leaking. HT to @noloader for doing the background research on this.

* Add some missing includes (Jack Lloyd, 2018-11-08; 1 file, -0/+1)
    This is not exhaustive. See GH #1733

* Optimize AVX2 ChaCha (Jack Lloyd, 2018-11-05; 1 file, -236/+181)
    Using the same transposition trick used for SSE2 in #1728. On my Skylake desktop about 5-10% faster depending on buffer sizes.

* Add ChaCha using SIMD_4x32 (Jack Lloyd, 2018-11-04; 9 files, -608/+236)
    This allows supporting SSE2, NEON and AltiVec in a single codebase, so drop the NEON and SSE2 code. This new impl avoids having to do shuffles with every round and so is about 10% faster on Skylake. Also, fix bugs in both baseline and AVX2 implementations when the low counter overflowed. The SSE2 and NEON code were also buggy here.

* Add ChaCha in NEON (Jack Lloyd, 2018-10-26; 4 files, -0/+324)
    Originally written by Jeffrey Walton for Crypto++, which was in turn based on my SSE2 ChaCha.

* In ChaCha AVX2/SSE2 code s/input/state/ (Jack Lloyd, 2018-10-26; 2 files, -80/+79)
    It is confusing as while the stream cipher state is the input to the permutation, the stream cipher has an unrelated input (the text).

* Remove unused variable (Jack Lloyd, 2018-08-26; 1 file, -1/+0)

* Add AVX2 version of ChaCha (Jack Lloyd, 2018-08-26; 4 files, -12/+304)

* Optimize computation of CTR input blocks (Jack Lloyd, 2018-08-10; 1 file, -8/+13)
    We don't need to read each block since we know what is there. Improves CTR perf with AES-NI by 5-6%, also helps GCM. GH #969

* Specialize CTR::seek for 4-byte counters (Jack Lloyd, 2018-08-10; 1 file, -5/+19)
    When used with AES-128 on Skylake (AES-NI), improves GCM performance by 10% on small messages and 5% on 1K messages.

* Add StreamCipher::write_keystream (Jack Lloyd, 2018-08-08; 3 files, -0/+31)
    Avoids the XOR operation. Only implemented for ChaCha20 currently, everything else defaults to memset-to-zero + xor-cipher

* De-inline functions from stream cipher headers (Jack Lloyd, 2018-08-08; 12 files, -52/+127)

* Add StreamCipher::default_iv_length (Jack Lloyd, 2018-08-08; 8 files, -11/+26)

* Add support for XChaCha (Jack Lloyd, 2018-08-07; 3 files, -41/+126)

* Fix a bug in XSalsa20 (Jack Lloyd, 2018-08-07; 2 files, -19/+43)
    If you called set_key, then set_iv, then set_iv again without having previously reset the key, you would end up with a garbled state buffer that depended on the value of the first IV. This only affected 192-bit Salsa nonces, not other sizes.

* Avoid crash in ChaCha20+Salsa if set_iv called without a key set (Jack Lloyd, 2018-08-07; 2 files, -0/+4)

* Add Scrypt key derivation function (Jack Lloyd, 2018-05-16; 2 files, -7/+12)

* Add message to BOTAN_ARG_CHECK and use it more widely (Jack Lloyd, 2018-05-13; 6 files, -4/+10)

* Make stream, block, hash and cipher mode base classes optional (Jack Lloyd, 2018-01-12; 2 files, -0/+8)

* FIX: add carry bit to correct half-pad (René Meusel, 2018-01-05; 1 file, -1/+1)

* Fix RC4 name in case of skipped bytes (Jack Lloyd, 2017-12-28; 1 file, -3/+6)
    Add a test to detect that. Add test that stream ciphers throw if they are asked to use a nonce of a size they don't support. Remove "In = 00...00" blocks since that's implicit in the stream cipher tests.

* Accept ChaCha20 as a name (Jack Lloyd, 2017-12-18; 1 file, -0/+6)

* Support seeking in Salsa20 (Jack Lloyd, 2017-11-14; 6 files, -9/+23)
    Add a test that StreamCipher::seek throws if not keyed.

* Include <memory> in base type headers (Jack Lloyd, 2017-10-29; 1 file, -0/+1)
    Needed for the create calls

* Add checks that keyed algorithms are actually keyed before use (Jack Lloyd, 2017-10-26; 5 files, -7/+16)
    Previously calling update or encrypt without calling set_key first would result in invalid outputs or else crashing.

* Convert http:// links to https:// where possible (Jack Lloyd, 2017-10-24; 1 file, -1/+1)

* Allow setting CTR width via string (Jack Lloyd, 2017-10-20; 3 files, -6/+14)
    Prohibit very small counter widths (under 4 bytes), since they lead to trivial keystream reuse. Add tests. Fix clone which always returned an object with a block-wide counter.

* Appease Sonar (Jack Lloyd, 2017-10-19; 1 file, -1/+1)

* Further optimizations, and split out GHASH reduction code (Jack Lloyd, 2017-10-18; 1 file, -8/+11)

* GCM and CTR optimizations (Jack Lloyd, 2017-10-18; 2 files, -47/+99)
    In CTR, special case for counter widths of special interest. In GHASH, uses a 4x reduction technique suggested by Intel. Split out GHASH to its own source file and header. With these changes GCM is over twice as fast on Skylake and about 50% faster on Westmere.

* Add compile-time rotation functions (Jack Lloyd, 2017-10-12; 2 files, -16/+16)
    The problem with asm rol/ror is the compiler can't schedule effectively. But we only need asm in the case when the rotation is variable, so distinguish the two cases. If a compile time constant, then static_assert that the rotation is in the correct range and do the straightforward expression knowing the compiler will probably do the right thing. Otherwise do a tricky expression that both GCC and Clang happen to recognize. Avoid the reduction case; instead require that the rotation be in range (this reverts 2b37c13dcf). Remove the asm rotations (making this branch ill-named), because now both Clang and GCC will create a roll without any extra help. Remove the reduction/mask by the word size for the variable case. The compiler can't optimize that out well, but it's easy to ensure it is valid in the callers, especially now that the variable input cases are easy to grep for.

* Use explicit on more single-argument constructors (Jack Lloyd, 2017-09-30; 1 file, -1/+1)

* Better tests for SIV (Jack Lloyd, 2017-09-24; 2 files, -12/+14)
    Correct errors in the AEAD tests that assumed process/update always return something - that isn't true for SIV. Minor optimizations in CMAC and CTR to cache the block size instead of making a zillion virtual calls for it. Generalize SIV slightly to where it could support a non-128 bit cipher, but don't pull the trigger on it since I can't find any implementations to crosscheck with.

* Further build/test fixes for restricted configurations (Jack Lloyd, 2017-09-24; 1 file, -0/+4)