boringssl

kris/boringssl

Fork 0

Commit Graph

Author	SHA1	Message	Date
David Benjamin	14e18ca257	Fix AES-GCM-SIV on large inputs. This was noticed by observing we had one line of missing test coverage in polyval.c. CRYPTO_POLYVAL_update_blocks acts 32 blocks at a time and all existing test vectors are smaller than that. Test vector obtained by just picking random values and seeing what our existing implementation did if I modified CRYPTO_POLYVAL_update_blocks to consume many more blocks at a time. Then I fixed the bug and ensured the answer was still the same. Change-Id: Ib7002dbc10952229ff42a17132c30d0e290d4be5 Reviewed-on: https://boringssl-review.googlesource.com/13041 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>	2017-01-04 01:45:31 +00:00
Adam Langley	df447ba3a9	Add generic AES-GCM-SIV support. AES-GCM-SIV is an AEAD with nonce-misuse resistance. It can reuse hardware support for AES-GCM and thus encrypt at ~66% the speed, and decrypt at 100% the speed, of AES-GCM. See https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02 This implementation is generic, not optimised, and reuses existing AES and GHASH support as much as possible. It is guarded by !OPENSSL_SMALL, at least for now. Change-Id: Ia9f77b256ef5dfb8588bb9ecfe6ee0e827626f57 Reviewed-on: https://boringssl-review.googlesource.com/12541 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>	2016-12-07 00:13:50 +00:00

Author

SHA1

Message

Date

David Benjamin

14e18ca257

Fix AES-GCM-SIV on large inputs.

This was noticed by observing we had one line of missing test coverage
in polyval.c. CRYPTO_POLYVAL_update_blocks acts 32 blocks at a time and
all existing test vectors are smaller than that.

Test vector obtained by just picking random values and seeing what our
existing implementation did if I modified CRYPTO_POLYVAL_update_blocks
to consume many more blocks at a time. Then I fixed the bug and ensured
the answer was still the same.

Change-Id: Ib7002dbc10952229ff42a17132c30d0e290d4be5
Reviewed-on: https://boringssl-review.googlesource.com/13041
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>

2017-01-04 01:45:31 +00:00

Adam Langley

df447ba3a9

Add generic AES-GCM-SIV support.

AES-GCM-SIV is an AEAD with nonce-misuse resistance. It can reuse
hardware support for AES-GCM and thus encrypt at ~66% the speed, and
decrypt at 100% the speed, of AES-GCM.

See https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02

This implementation is generic, not optimised, and reuses existing AES
and GHASH support as much as possible. It is guarded by !OPENSSL_SMALL,
at least for now.

Change-Id: Ia9f77b256ef5dfb8588bb9ecfe6ee0e827626f57
Reviewed-on: https://boringssl-review.googlesource.com/12541
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

2016-12-07 00:13:50 +00:00

2 Commits