| Commit message | Author | Age | Files | Lines |
Prohibit very small counter widths (under 4 bytes), since they lead
to trivial keystream reuse.
Add tests.
Fix clone which always returned an object with a block-wide counter.
About 30% faster than scalar on Skylake
[ci skip]
No reason to scan the entire record since it's assured at most
256 bytes of padding are used. Inspired by GH #1227
See also GH #1227
Step 1/n of TLS 1.3
We already know how long the output should be; it should match
the test vector :)
Correct errors in the AEAD tests that assumed process/update always
return something - that isn't true for SIV
Minor optimizations in CMAC and CTR to cache the block size instead
of making a zillion virtual calls for it.
Generalize SIV slightly to where it could support a non-128 bit
cipher, but don't pull the trigger on it since I can't find any
implementations to crosscheck with.
[ci skip]
[ci skip]
There are in fact 3 different variations of the SM2 standard, first
C1||C2||C3, then C1||C3||C2, then (most recently) an ASN.1 encoding.
This makes us compatible with GmSSL
This work was sponsored by Ribose Inc (@riboseinc).
Allows PSS-signing a raw hash while also still specifying the salt
length.
GH #1211
Ted Krovetz confirmed there were bugs in the reference code for
blocks > 128 bits so these values should be the correct ones.
This doesn't match the draft-3 test vectors and may be bogus.
[ci skip]
RFC 5915 mandates that the OID of an ECDSA ECPrivateKey
shall be id-ecPublicKey with the named curve as the parameters.
ECPrivateKey may contain the named curve OID, too, which is
compared to id-ecPublicKey. Such keys could not be loaded.
We remove this check and add a test vector from strongswan.
Unfortunately it seems the SM2 format changed between 2010 and 2012,
now the ciphertext is C1 || C3 || C2.
Unfortunate no matter how you slice it, but at least it's easy to
convert from one form to another.
This is a contribution from Ribose Inc
GCC and Clang generate effectively identical code for a template
with parameters, vs completely unrolled code as was used previously.
Add a little-endian variant so XTS can use it. This extends XTS support
to cover 256 and 512-bit ciphers. I was not able to find another
implementation that supports both XTS and ciphers with large blocks,
so the XTS test vectors are self-generated.
Closes #1168
[ci skip]
All of these values were imported into crypto-corpus repo
|
| |
|
|
|
|
| |
Remove NEON support, replace macros with inlines
This confirms the message is exactly the size of the expected hash,
and also causes RFC 6979 nonces to be generated using the specified
hash. See also https://github.com/riboseinc/rnp/issues/367
Bit over 2x faster on my desktop
256 bit ARX block cipher with hardware support, what's not to love.
|
|/
|
|
|
|
|
|
|
| |
Now does 64 bits at a time instead of 8 bits, and avoids conditional
timing channel on the XOR carry. Confirmed that at least GCC 7 and
Clang 4 on x86-64 compile the functions without conditional jumps.
Also removes CMAC as a dependency of OCB, which only needed it in
order to call CMAC::poly_double
The tests were generated by Botan but I was able to verify the
resulting signatures using Golang's ecdsa module.
This is a contribution from Ribose Inc (@riboseinc)