aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Make high_bit and ctz actually const timeJack Lloyd2018-12-221-3/+3
|
* Promote ct_is_zero and expand_top_bit to bit_ops.hJack Lloyd2018-12-222-10/+21
|
* Make ctz and high_bit faster and const-time-ishJack Lloyd2018-12-223-48/+51
| | | | | | | They get compiled as const-time on x86-64 with GCC but I don't think this can be totally relied on. But it is anyway an improvement. And, faster, because we compute it recursively
* Increase Travis cache size [ci skip]Jack Lloyd2018-12-221-2/+2
| | | | | With compression disabled, the cache is too small for builds that use debug info, and causes 100% miss rate.
* Fix build with PGI [ci skip]Jack Lloyd2018-12-221-5/+7
| | | | I couldn't get anything to link with PGI, but at least it builds again.
* Update newsJack Lloyd2018-12-211-2/+2
|
* Merge GH #1794 Improve const time logic in PKCS1v15 and OAEP decodingJack Lloyd2018-12-219-92/+171
|\
| * Use consistent logic for OAEP and PKCS1v15 decodingJack Lloyd2018-12-219-92/+171
| | | | | | | | | | | | | | | | | | | | | | | | The decoding leaked some information about the delimiter index due to copying only exactly input_len - delim_idx bytes. I can't articulate a specific attack that would work here, but it is easy enough to fix this to run in const time instead, where all bytes are accessed regardless of the length of the padding. CT::copy_out is O(n^2) and thus terrible, but in practice it is only used with RSA decryption, and multiplication is also O(n^2) with the modulus size, so a few extra cycles here doesn't matter much.
* | Merge GH #1793 Cleanup use of rotate.h headerJack Lloyd2018-12-2128-2/+30
|\ \
| * | Avoid including rotate.h in bswap.hJack Lloyd2018-12-2128-2/+30
|/ / | | | | | | | | | | | | It was only needed for one case which is easily hardcoded. Include rotate.h in all the source files that actually use rotr/rotl but implicitly picked it up via loadstor.h -> bswap.h -> rotate.h include chain.
* / Stop compressing Travis ccacheJack Lloyd2018-12-211-3/+1
|/ | | | Since CPU is main bottleneck to the build, this is likely not helping.
* Address a couple of Coverity false positivesJack Lloyd2018-12-194-7/+62
| | | | Add tests for is_power_of_2
* Correct affected version range for CVE-2018-20187Jack Lloyd2018-12-191-1/+1
| | | | | | Using the Montgomery ladder for operator* was introduced in ca155a7e54, previous versions did something different, which was itself vulnerable to side channels, but not with the same issue as CVE-2018-20187.
* Update newsJack Lloyd2018-12-191-0/+4
|
* Merge GH #1792 Avoid unblinded Montgomery ladder during ECC keygenJack Lloyd2018-12-193-11/+41
|\
| * Avoid using unblinded Montgomery ladder during ECC key generationJack Lloyd2018-12-183-11/+41
|/ | | | | | | | | | | As doing so means that information about the high bits of the scalar can leak via timing since the loop bound depends on the length of the scalar. An attacker who has such information can perform a more efficient brute force attack (using Pollard's rho) than would be possible otherwise. Found by Ján Jančár (@J08nY) using ECTester (https://github.com/crocs-muni/ECTester) CVE-2018-20187
* Update roadmap [ci skip]Jack Lloyd2018-12-182-56/+30
|
* Test how long it takes to precompute base point multiplesJack Lloyd2018-12-162-1/+21
|
* Merge GH #1789 Improvements to const time lookupsJack Lloyd2018-12-143-22/+26
|\
| * In PointGFp addition, prevent all_zeros from being shortcircuitedJack Lloyd2018-12-141-4/+7
| | | | | | | | | | | | This doesn't matter much but it causes confusing valgrind output when const-time checking since it distinguishes between the two possible conditional returns.
| * Unroll const_time_lookup by 2Jack Lloyd2018-12-141-6/+10
| | | | | | | | | | We know the lookup table is some power of 2, unrolling a bit allows more IPC
| * Simplify the const time lookup in ECC scalar mulJack Lloyd2018-12-141-12/+9
|/ | | | | Code is easier to understand and it may let the CPU interleave the loads and logical ops better. Slightly faster on my machine.
* Update newsJack Lloyd2018-12-141-1/+1
|
* Merge GH #1788 Use 3-bit comb for ECC base point multipliesJack Lloyd2018-12-142-19/+36
|\
| * Use a 3-bit comb for ECC base point multiplyJack Lloyd2018-12-132-19/+36
|/ | | | Improves ECDSA signing by 15%
* Another todo [ci skip]Jack Lloyd2018-12-131-0/+1
|
* More todos [ci skip]Jack Lloyd2018-12-121-0/+2
|
* Make this comment more clear [ci skip]Jack Lloyd2018-12-121-1/+2
|
* Some cleanups in x25519Jack Lloyd2018-12-101-53/+43
|
* More todosJack Lloyd2018-12-101-1/+2
|
* Fix more MSVC warningsJack Lloyd2018-12-104-8/+9
|
* More todos [ci skip]Jack Lloyd2018-12-101-0/+6
|
* Merge GH #1769 Support TLS signature padding strings in PKCS11 mappingJack Lloyd2018-12-101-0/+10
|\
| * Remove EMSA1 encodings from p11 sign mechanisms mapHannes Rantzsch2018-12-101-5/+0
| |
| * Extend the SignMechanisms map for Signature_Scheme padding stringsHannes Rantzsch2018-12-041-0/+15
| | | | | | | | | | | | This addresses #730. The tls_sign_message callback was unable to handle emsa strings produced as padding strings for TLS::Signature_Scheme, due to inconsistent naming (mostly between EMSA3 and EMSA_PKCS1).
* | Fix some MSVC warningsJack Lloyd2018-12-1012-26/+35
| |
* | Update newsJack Lloyd2018-12-101-1/+3
| |
* | Merge GH #1784 Add ECDSA pubkey recoveryJack Lloyd2018-12-106-3/+236
|\ \
| * | Work around a problem when built with OpenSSLJack Lloyd2018-12-103-7/+10
| | | | | | | | | | | | | | | | | | | | | It appears OpenSSL has a different interpretation from us of how the message representative is formed for P-521 when given a hash to sign that is larger than the group order; signatures generated by us do not verify with OpenSSL and vice versa.
| * | Support recovering ECDSA public key from message/signature pairJack Lloyd2018-12-106-2/+232
|/ / | | | | | | | | | | See http://www.secg.org/sec1-v2.pdf section 4.1.6 Closes #664
* | Fix pylint3 warning [ci skip]Jack Lloyd2018-12-101-1/+1
| |
* | More todosJack Lloyd2018-12-091-0/+2
| |
* | Update newsJack Lloyd2018-12-091-0/+2
| |
* | Merge GH #1783 Add base58 encoding/decodingJack Lloyd2018-12-097-1/+454
|\ \
| * | Make ASan happyJack Lloyd2018-12-091-1/+1
| | |
| * | Add base58 encoding/decodingJack Lloyd2018-12-097-1/+454
|/ /
* | Todos [ci skip]Jack Lloyd2018-12-091-2/+2
| |
* | Merge GH #1782 Add an i386 build/test to CIJack Lloyd2018-12-093-4/+14
|\ \
| * | Add an i386 CI target to check on 32-bit asmJack Lloyd2018-12-093-4/+14
| | |
* | | Remove Chi-square test on random_integerJack Lloyd2018-12-091-46/+0
|/ / | | | | | | | | I'm not sure this test is that useful, which is not itself a big problem, but it is also flaky and occasionally fails, which is no good.
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-02 02:01:52 +0000