Commit log (each entry: subject; author | date | files changed | lines removed/added; then the commit message body)
* Support bcrypt 2b and 2y
  Jack Lloyd | 2018-06-29 | 3 files | -12/+47
  Continue to default to 2a since older versions don't know about 2b. Both 2b and 2y are identical to our implementation of 2a since we never implemented the relevant bugs which necessitated the new formats.

* Fix handling of SHA instructions in tests
  Jack Lloyd | 2018-06-29 | 4 files | -2/+6

* Check arguments to BigInt::random_integer
  Jack Lloyd | 2018-06-29 | 2 files | -2/+5

* Fix Coverity false positive
  Jack Lloyd | 2018-06-29 | 1 file | -0/+2
  It thinks a divide by zero can happen here

* Fix file descriptor leak in tls_server
  Jack Lloyd | 2018-06-29 | 1 file | -0/+2
  Coverity find

* Fix some -Wshadow warnings
  Jack Lloyd | 2018-06-29 | 2 files | -6/+5

* Add `botan has_command`
  Jack Lloyd | 2018-06-29 | 1 file | -0/+42
  Allows scripts to check if a subcommand is available

* Fix CLI tests when OpenSSL is enabled
  Jack Lloyd | 2018-06-29 | 1 file | -1/+1

* More CLI tests
  Jack Lloyd | 2018-06-29 | 1 file | -5/+66

* Fix error - testing input file instead of output file
  Jack Lloyd | 2018-06-29 | 1 file | -1/+1

* More cli tests, and a lint fix
  Jack Lloyd | 2018-06-28 | 1 file | -3/+4

* Add --max-clients= option to tls_server CLI
  Jack Lloyd | 2018-06-28 | 2 files | -3/+10
  Killing the process seems to result in the coverage info being lost. I think because gcov writes during an exit handler which ends up not running if we SIGTERM

* Allow setting extended key usage when generating PKCS10
  Jack Lloyd | 2018-06-28 | 1 file | -1/+6

* Move reduction mod q to DL_Group
  Jack Lloyd | 2018-06-28 | 4 files | -31/+118
  Avoids computing Barrett params many times and gives option for more optimizations in future.

* Lint fixes
  Jack Lloyd | 2018-06-28 | 1 file | -7/+4

* More CLI tests
  Jack Lloyd | 2018-06-28 | 2 files | -4/+97

* Expose reduction mod p in CurveGFp
  Jack Lloyd | 2018-06-28 | 3 files | -16/+28
  This is slightly slower for Brainpool, but NIST curves are 5% faster.

* Better document security status of included hashes
  Jack Lloyd | 2018-06-28 | 1 file | -9/+14

* Add --no-fsname option to hash cli
  Jack Lloyd | 2018-06-28 | 1 file | -2/+8

* Put warning about 64-bit ciphers in a warning block
  Jack Lloyd | 2018-06-28 | 1 file | -5/+7

* Correct computing of discriminant in EC_Group::verify_group
  Jack Lloyd | 2018-06-27 | 2 files | -16/+36
  It was checking 4*a+27*b instead of 4*a^3 + 27*b^2

* Prohibit empty nonces with GCM
  Jack Lloyd | 2018-06-27 | 3 files | -5/+13
  This is mostly harmless but not allowed by the specification. See for example SP800-38D section 5.2.1.1

* Add todo [ci skip]
  Jack Lloyd | 2018-06-27 | 1 file | -0/+1
* Avoid useless multiplication in Montgomery exponentiation
  Jack Lloyd | 2018-06-26 | 3 files | -22/+39
  When beginning the loop we initialized a value to one (in Montgomery form) then multiply it by the first element looked up based on the exponent. But this will always (after Montgomery multiplication) be exactly the value we looked up in the table. So just assign it directly and avoid the redundant operation. Improves RSA verification by 5% or so since the number of multiplications is so small in that case, saving even 1 is useful. For other operations there is no measurable improvement.
* Add a warning about win32 stats making antivirus unhappy [ci skip]
  Jack Lloyd | 2018-06-25 | 1 file | -0/+4
  GH #1614

* Fix error in 1024-bit polynomial double
  Jack Lloyd | 2018-06-25 | 2 files | -2/+7
  No big problem since we don't even support 1024-bit ciphers atm (though I suppose someone might have used Lion for this)

* Merge GH #1616 Use ASCII versions of Win32 filesystem calls
  Jack Lloyd | 2018-06-25 | 1 file | -3/+3
  * Use ASCII specific function calls for Windows API calls
    Jack Lloyd | 2018-06-25 | 1 file | -3/+3
    Fixes #1615

* Test all multiplication variants in ECC scalar mult test
  Jack Lloyd | 2018-06-25 | 1 file | -4/+15

* Document preconditions of BigInt::mod_add/mod_sub
  Jack Lloyd | 2018-06-23 | 1 file | -0/+2

* Minor optimization for Montgomery exponentiation
  Jack Lloyd | 2018-06-23 | 3 files | -17/+26
  The loop started off by squaring the result value, but at that point it is always one (or the Montgomery representation thereof). Avoiding those squarings does not leak any information about the exponent, because we haven't even looked at the exponent at that point. Improves RSA verify performance by about 5%, everything else ~1% speedup

* Fix typo [ci skip]
  Jack Lloyd | 2018-06-22 | 1 file | -1/+1
* Some fiddling with RSA private operation
  Jack Lloyd | 2018-06-22 | 1 file | -18/+29
  Spawning the thread off as quickly as possible helps perf slightly, especially with larger modulus.
* Improve documentation of the AES T-table situation [ci skip]
  Jack Lloyd | 2018-06-22 | 1 file | -8/+26

* Document what we do in GCM a bit better [ci skip]
  Jack Lloyd | 2018-06-21 | 1 file | -2/+5

* Remove outdated comment [ci skip]
  Jack Lloyd | 2018-06-21 | 1 file | -2/+0

* Avoid needless alloc and copy
  Jack Lloyd | 2018-06-21 | 2 files | -7/+11

* Fix a header comment and inline PointGFp::add/add_affine
  Jack Lloyd | 2018-06-21 | 2 files | -26/+23
* Attempt to verify decoded ECC groups are using prime fields
  Jack Lloyd | 2018-06-20 | 2 files | -5/+57
  Otherwise ressol (part of point decompression) can end up in a very long loop. OSS-Fuzz 9011
* Add todo
  Jack Lloyd | 2018-06-20 | 1 file | -0/+1
  GH #1612
* Avoid an unnecessary malloc
  Jack Lloyd | 2018-06-20 | 1 file | -1/+1
* Use masked table lookups for variable point scalar mult
  Jack Lloyd | 2018-06-20 | 2 files | -16/+36

* Changes to allow masked lookups for variable point mult
  Jack Lloyd | 2018-06-20 | 8 files | -146/+174

* Fix SM2 encryption tests
  Jack Lloyd | 2018-06-20 | 1 file | -3/+4
  Broken in 5f26125d

* Update side channel doc
  Jack Lloyd | 2018-06-20 | 1 file | -9/+25

* Remove build time toggle for ECC coordinate masking
  Jack Lloyd | 2018-06-20 | 3 files | -23/+16
  This is not a decision we should leave to end users. And always use a random mask equal in size to the underlying field. It was never quite clear if 80 bits was sufficient or not. But taking a random field element is clearly the best possible situation, and has very little additional cost.

* Perform ECC mult starting from top bit of the exponent
  Jack Lloyd | 2018-06-20 | 1 file | -17/+16
  Since we know the top bit is 1, then R will always be a point other than point at infinity after the very first addition regardless of the scalar or mask, so then coordinate randomization is guaranteed to work.

* Avoid a small timing channel in Barrett reduction
  Jack Lloyd | 2018-06-20 | 2 files | -25/+31
  No known exploit for this but no point taking chances.

* More cli tests
  Jack Lloyd | 2018-06-19 | 1 file | -0/+27

* Ensure that trying to add points from different groups fails.
  Jack Lloyd | 2018-06-19 | 3 files | -13/+35
  Producing garbage instead is asking for trouble.