aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Update for 2.9.0 release2.9.0Jack Lloyd2019-01-042-4/+4
|
* Split up these blocks in appveyor.yml [ci skip]Jack Lloyd2019-01-031-1/+3
|
* Some cleanups in McEliece keygenJack Lloyd2019-01-031-15/+17
| | | | Lots more of this needed in here
* Add cast for MSVCJack Lloyd2019-01-031-1/+4
|
* Use memcpy instead of strcpy here to shut up MSVC warningJack Lloyd2019-01-031-1/+1
| | | | Here the caller is assumed to have provided a buffer of sufficient size.
* Casts to avoid MSVC warningsJack Lloyd2019-01-031-1/+9
|
* Fix bogus macro check that disabled a testJack Lloyd2019-01-031-1/+1
|
* Remove VC2013 support from AppVeyor scriptJack Lloyd2019-01-031-1/+0
|
* Merge GH #1804 Add VC2019 preview build to CIJack Lloyd2019-01-035-3/+10
|\
| * Add VC 2019 preview buildJack Lloyd2019-01-025-3/+10
|/
* Update license yearsJack Lloyd2019-01-011-1/+1
|
* Merge GH #1803 XLC fixesJack Lloyd2019-01-0111-25/+55
|\
| * Fix use of macroJack Lloyd2018-12-311-1/+1
| | | | | | | | Assumed to be 0/1
| * Clean up define for inline asmJack Lloyd2018-12-312-3/+7
| | | | | | | | Also fix xlc macro
| * Update support doc textJack Lloyd2018-12-311-7/+7
| |
| * Use __builtin_bswapN builtins on XLCJack Lloyd2018-12-311-4/+4
| | | | | | | | Recent XLC is based on clang and has these
| * Fixes for XLCJack Lloyd2018-12-313-4/+4
| | | | | | | | | | | | XLC 16 changed which macros are used to identify it. Older versions of XLC didn't work correctly anyway (#1581 #1509 etc), so just drop support for recognizing those versions.
| * Fix generic 32-bit bswapJack Lloyd2018-12-311-2/+6
| | | | | | | | Was broken by removing inclusion of rotate header
| * Add ability to skip a few named testsJack Lloyd2018-12-313-4/+26
| | | | | | | | This is sometimes useful when debugging
* | Fix MSVC warningsJack Lloyd2018-12-312-2/+2
| |
* | Use Test::data_file in these testsJack Lloyd2018-12-311-2/+2
|/
* Merge GH #1801 Recognize powerpc64leJack Lloyd2018-12-311-0/+1
|\
| * Add powerpc64le as an alias for ppc64Shawn Anastasio2018-12-301-0/+1
|/ | | | Add powerpc64le as an alias for the ppc64 build target.
* Fix Memory_Pool fuzzer [ci skip]Jack Lloyd2018-12-291-1/+1
|
* Add a fuzzer for Memory_PoolJack Lloyd2018-12-292-1/+115
| | | | | | | | | Basically, test that it works. Accepts a sequence of alloc+free operations and verify that each pointer returned does not overlap with any other outstanding allocation, that the memory returned is zeroed, and that alignment is respected. Intended for testing #1800 but no reason not to land this first.
* Merge GH #1799 Tweak how PBKDF self-tuning worksJack Lloyd2018-12-295-65/+72
|\
| * Improve PBKDF self-tuningJack Lloyd2018-12-295-65/+72
|/ | | | | | | | | Make the tune interval a build-time configurable instead of hardcoding it in each source file. Also use binary search in RFC4880_encode_count instead of linear search. Fix a bug in Timer
* Correct spellingJack Lloyd2018-12-291-0/+1
|
* Add OS::read_env_variableJack Lloyd2018-12-293-9/+22
| | | | Combines the priv check and the getenv call on one.
* Update newsJack Lloyd2018-12-291-6/+10
|
* Merge GH #1798 Use posix_memalign instead of mmap for page locked poolJack Lloyd2018-12-292-27/+18
|\
| * Use posix_memalign instead of mmap for creating the locking poolJack Lloyd2018-12-282-27/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | As described in #602, using mmap with fork causes problems because the mmap remains shared in the child instead of being copy-on-write, then the parent and child stomp on each others memory. However we really do not need mmap semantics, we just want a block of memory that is page-aligned, which can be done with posix_memalign instead. This was added in POSIX.1-2001 and seems to be implemented by all modern systems. Closes #602
* | Avoid const-time modulo in DSA verificationJack Lloyd2018-12-291-1/+11
| | | | | | | | | | | | It has a substantial perf hit and is not necessary. It may not be really necessary for signatures either but leave that as it, with a comment explaining.
* | Simplifications in BigIntJack Lloyd2018-12-291-7/+1
|/ | | | | Use ct_is_zero instead of more complicated construction, and avoid duplicated size check/resize - Data::set_word will handle it.
* Make bigint_sub_abs const timeJack Lloyd2018-12-272-6/+26
|
* Add a test of highly imbalanced RSA keyJack Lloyd2018-12-271-0/+15
|
* Update newsJack Lloyd2018-12-261-1/+1
|
* Merge GH #1797 Fix Barrett reduction upper boundJack Lloyd2018-12-264-17/+28
|\
| * Fix Barrett reduction input boundJack Lloyd2018-12-264-17/+28
|/ | | | | | | | | | | | In the long ago when I wrote the Barrett code I must have missed that Barrett works for any input < 2^2k where k is the word size of the modulus. Fixing this has several nice effects, it is faster because it replaces a multiprecision comparison with a single size_t compare, and now the branch does not reveal information about the input or modulus, but only their word lengths, which is not considered sensitive. Fixing this allows reverting the change make in a57ce5a4fd2 and now RSA signing is even slightly faster than in 2.8, rather than 30% slower.
* Update newsJack Lloyd2018-12-241-1/+1
|
* Merge GH #1796 More const-time improvementsJack Lloyd2018-12-247-52/+79
|\
| * Avoid size-based bypass of the comparison in Barrett reduction.Jack Lloyd2018-12-241-1/+1
| | | | | | | | As it would leak if an input was > p^2, or just close to it in size.
| * Avoid conditional branch in Barrett for negative inputsJack Lloyd2018-12-241-4/+27
| |
| * Update side channel docJack Lloyd2018-12-241-30/+34
| |
| * Always use const-time modulo during DSA signingJack Lloyd2018-12-241-1/+2
| | | | | | | | | | | | | | | | | | | | | | Since we are reducing a mod-p integer down to mod-q this would nearly always use ct_modulo in any case. And, in the case where Barrett did work, it would reveal that g^k mod p was <= q*q which would likely be useful for searching for k. This should actually be slightly faster (if anything) since it avoids the unnecessary comparison against q*q and jumps directly to ct_modulo.
| * Address a side channel in RSA and SM2Jack Lloyd2018-12-242-8/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Barrett will branch to a different (and slower) algorithm if the input is larger than the square of the modulus. This branch can be detected by a side channel. For RSA we need to compute m % p and m % q to get CRT started. Being able to detect if m > q*q (assuming q is the smaller prime) allows a binary search on the secret prime. This attack is blocked by input blinding, but still seems dangerous. Unfortunately changing to use the generic const time modulo instead of Barrett introduces a rather severe performance regression in RSA signing. In SM2, reduce k-r*x modulo the order before multiplying it with (x-1)^-1. Otherwise the need for slow modulo vs Barrett leaks information about k and/or x.
| * In NIST P-xxx reductions unpoison S before using itJack Lloyd2018-12-241-8/+10
| | | | | | | | | | | | | | | | Was already done in P-256 but not in P-{192,224,384}. This is a cache-based side channel which would be good to address. It seems like it would be very difficult to exploit even with perfect recovery, but crazier things have worked.
| * Unpoison result of high_bits_freeJack Lloyd2018-12-241-0/+1
|/ | | | | Previously we unpoisoned the input to high_bit but this is no longer required. But still the output should be unpoisoned.
* Correct read in test fuzzersJack Lloyd2018-12-231-1/+1
|
* Add a multi-file input mode for test fuzzersJack Lloyd2018-12-233-24/+105
| | | | | | | | | | The test_fuzzers.py script is very slow especially on CI. Add a mode to the test fuzzers where it will accept many files on the command line and test each of them in turn. This is 100s of times faster, as it avoids all overhead from fork/exec. It has the downside that you can't tell which input caused a crash, so retain the old mode with --one-at-a-time option for debugging work.
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-01 18:56:56 +0000