aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Add --no-fsname option to hash cliJack Lloyd2018-06-281-2/+8
|
* Put warning about 64-bit ciphers in a warning blockJack Lloyd2018-06-281-5/+7
|
* Correct computing of discriminant in EC_Group::verify_groupJack Lloyd2018-06-272-16/+36
| | | | It was checking 4*a+27*b instead of 4*a^3 + 27*b^2
* Prohibit empty nonces with GCMJack Lloyd2018-06-273-5/+13
| | | | | This is mostly harmless but not allowed by the specification. See for example SP800-38D section 5.2.1.1
* Add todo [ci skip]Jack Lloyd2018-06-271-0/+1
|
* Avoid useless multiplication in Montgomery exponentiationJack Lloyd2018-06-263-22/+39
| | | | | | | | | | | | When beginning the loop we initialized a value to one (in Montgomery form) then multiply it by the first element looked up based on the exponent. But this will always (after Montgomery multiplication) be exactly the value we looked up in the table. So just assign it directly and avoid the redundant operation. Improves RSA verification by 5% or so since the number of multiplications is so small in that case saving even 1 in useful. For other operations there is no measurable improvement.
* Add a warning about win32 stats making antivirus unhappy [ci skip]Jack Lloyd2018-06-251-0/+4
| | | | GH #1614
* Fix error in 1024-bit polynomial doubleJack Lloyd2018-06-252-2/+7
| | | | | No big problem since we don't even support 1024-bit ciphers atm (though I suppose someone might have used Lion for this)
* Merge GH #1616 Use ASCII versions of Win32 filesystem callsJack Lloyd2018-06-251-3/+3
|\
| * Use ASCII specific function calls for Windows API callsJack Lloyd2018-06-251-3/+3
|/ | | | Fixes #1615
* Test all multiplication variants in ECC scalar mult testJack Lloyd2018-06-251-4/+15
|
* Document preconditions of BigInt::mod_add/mod_subJack Lloyd2018-06-231-0/+2
|
* Minor optimization for Montgomery exponentiationJack Lloyd2018-06-233-17/+26
| | | | | | | | | The loop started off by squaring the result value, but at that point it is always one (or the Montgomery representation thereof). Avoiding those squarings does not leak any information about the exponent, because we haven't even looked at the exponent at that point. Improves RSA verify performance by about 5%, everything else ~1% speedup
* Fix typo [ci skip]Jack Lloyd2018-06-221-1/+1
|
* Some fiddling with RSA private operationJack Lloyd2018-06-221-18/+29
| | | | | Spawning the thread off as quickly as possible helps perf slighty, especially with larger modulus.
* Improve documentation of the AES T-table situation [ci skip]Jack Lloyd2018-06-221-8/+26
|
* Document what we do in GCM a bit better [ci skip]Jack Lloyd2018-06-211-2/+5
|
* Remove outdated comment [ci skip]Jack Lloyd2018-06-211-2/+0
|
* Avoid needless alloc and copyJack Lloyd2018-06-212-7/+11
|
* Fix a header comment and inline PointGFp::add/add_affineJack Lloyd2018-06-212-26/+23
|
* Attempt to verify decoded ECC groups are using prime fieldsJack Lloyd2018-06-202-5/+57
| | | | | | | Otherwise ressol (part of point decompression) can end up in very long loop. OSS-Fuzz 9011
* Add todoJack Lloyd2018-06-201-0/+1
| | | | GH #1612
* Avoid an unncecessary mallocJack Lloyd2018-06-201-1/+1
|
* Use masked table lookups for variable point scalar multJack Lloyd2018-06-202-16/+36
|
* Changes to allow masked lookups for variable point multJack Lloyd2018-06-208-146/+174
|
* Fix SM2 encryption testsJack Lloyd2018-06-201-3/+4
| | | | Broken in 5f26125d
* Update side channel docJack Lloyd2018-06-201-9/+25
|
* Remove build time toggle for ECC coordinate maskingJack Lloyd2018-06-203-23/+16
| | | | | | | | | This is not a decision we should leave to end users. And always use a random mask equal in size to the underlying field. It was never quite clear if 80 bits was sufficient or not. But taking a random field element is clearly the best possible situation, and has very little additional cost.
* Perform ECC mult starting from top bit of the exponentJack Lloyd2018-06-201-17/+16
| | | | | | | Since we know the top bit is 1, then R will always be a point other than point at infinity after the very first addition regardless of the scalar or mask, so then coordinate randomization is guaranteed to work.
* Avoid a small timing channel in Barrett reductionJack Lloyd2018-06-202-25/+31
| | | | No known exploit for this but no point taking chances.
* More cli testsJack Lloyd2018-06-191-0/+27
|
* Ensure that trying to add points from different groups fails.Jack Lloyd2018-06-193-13/+35
| | | | Producing garbage instead is asking for trouble.
* Use masked table lookup in ECC base point multiplicationJack Lloyd2018-06-192-9/+42
|
* Avoid a special case in Barrett reduction for x < modJack Lloyd2018-06-181-8/+3
| | | | This would have prevented CVE-2018-12435
* Avoid unnecessary realloc in BigInt::mod_subJack Lloyd2018-06-171-2/+7
|
* Add some todo comments wrt side channels in ECC scalar multJack Lloyd2018-06-171-0/+5
|
* Merge GH #1610 Make exponentiation loop independent of exponent sizeJack Lloyd2018-06-1711-51/+119
|\
| * Avoid leaking size of exponentJack Lloyd2018-06-1711-51/+119
|/ | | | See #1606 for discussion
* Merge GH #1609 Avoid small side channel in ECC field mulJack Lloyd2018-06-151-22/+15
|\
| * In ECC avoid using significant words to dispatch the mult algoJack Lloyd2018-06-151-22/+15
| | | | | | | | | | | | Normally all elements will be exact number of limbs as the field. Any situation with short elements is rare and not worth optimizing for, and likely leads to some unfortunate side channel.
* | Merge GH #1608 Fix TLS when x25519 is disabledJack Lloyd2018-06-156-8/+18
|\ \
| * | TLS would try to negotiate x25519 even if disabledJack Lloyd2018-06-156-8/+18
| |/ | | | | | | | | | | | | | | Also reorder ECC groups to actually match performance characteristics. I'm not sure when P-384 was slower than P-521 but it certainly isn't anymore. Fixes #1607
* / Use Botan specific CVE for ECDSA side channel [ci skip]Jack Lloyd2018-06-152-4/+3
|/
* Update newsJack Lloyd2018-06-151-0/+2
|
* Merge GH #1606 Make Montgomery exponentation const timeJack Lloyd2018-06-157-60/+124
|\
| * Document leak of exponent sizeJack Lloyd2018-06-141-2/+4
| |
| * Add combined conditional add-or-subtractJack Lloyd2018-06-143-5/+41
| |
| * Remove CT annotations from Montgomery reductionJack Lloyd2018-06-141-8/+0
| | | | | | | | | | The poisons don't stack so the unpoison hid conditional jumps we want to find.
| * In Montgomery mul, avoid branching based on sig words of integersJack Lloyd2018-06-141-13/+21
| | | | | | | | Instead just assume they are the same size as the prime
| * Make Karatsuba multiply completely const timeJack Lloyd2018-06-145-36/+62
|/
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-28 02:20:53 +0000