Commit message | Author | Age | Files | Lines
* Support recovering ECDSA public key from message/signature pair | Jack Lloyd | 2018-12-10 | 6 files | -2/+232
|
| See http://www.secg.org/sec1-v2.pdf section 4.1.6
|
| Closes #664
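The recovery procedure referenced by the commit above, as an added example in Python (not Botan's code and not its API): SEC1 v2 section 4.1.6 carried out on NIST P-256 with toy affine point arithmetic, SHA-256 as the message hash and a caller-supplied nonce for signing. The libsecp256k1-style recovery id (bit 0 = parity of R.y, bit 1 = whether R.x overflowed n, i.e. the j index in SEC1) is an assumption added here to pick the signer's key out of the candidate set; without it the procedure returns up to 2(h+1) keys that all verify, and the caller must know which one it wants. The arithmetic is variable time and unblinded, so it illustrates the algorithm rather than a deployable implementation. Requires Python 3.8+ for pow(x, -1, m).

```python
# Added example, not Botan's code: ECDSA public-key recovery per SEC1 v2 4.1.6 on P-256.
import hashlib

# Standard NIST P-256 domain parameters (the only non-constructed values here).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
H = 1          # cofactor of P-256
INF = None     # point at infinity


def add(p1, p2):
    """Affine point addition/doubling on y^2 = x^3 + A*x + B over GF(P). Not constant time."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # p2 == -p1
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def on_curve(pt):
    return pt is not INF and (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0


def msg_to_e(msg):
    # SHA-256 output is exactly bitlen(N) bits, so no truncation step is needed for P-256.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(d, msg, k):
    """ECDSA with a caller-supplied nonce k; real code derives k with RFC 6979 or a CSPRNG."""
    R = mul(k, G)
    r = R[0] % N
    s = pow(k, -1, N) * (msg_to_e(msg) + r * d) % N
    assert r != 0 and s != 0
    # Assumed recovery id format: bit 0 = parity of R.y, bit 1 = (R.x >= N), i.e. j in SEC1.
    recid = (R[1] & 1) | ((R[0] >= N) << 1)
    return r, s, recid


def verify(Q, msg, r, s):
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    X = add(mul(msg_to_e(msg) * w % N, G), mul(r * w % N, Q))
    return X is not INF and X[0] % N == r


def recover(r, s, msg, recid=None):
    """SEC1 v2 4.1.6: every Q for which (r, s) verifies over msg; recid selects one candidate."""
    e = msg_to_e(msg) % N
    found = []
    for j in range(H + 1):                    # step 1.1: x = r + j*n for j = 0 .. h
        x = r + j * N
        if x >= P:
            continue
        rhs = (x ** 3 + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)         # square root; valid because P ≡ 3 (mod 4)
        if y * y % P != rhs:
            continue                          # no curve point has this x coordinate
        for R in ((x, y), (x, (P - y) % P)):  # steps 1.2-1.4: try R and -R
            if recid is not None and (j != (recid >> 1) or (R[1] & 1) != (recid & 1)):
                continue
            if mul(N, R) is not INF:
                continue                      # R is not in the order-n subgroup
            # step 1.6: Q = r^-1 (s*R - e*G)
            Q = mul(pow(r, -1, N), add(mul(s, R), mul(N - e, G)))
            if on_curve(Q) and verify(Q, msg, r, s):
                found.append(Q)
    return found


if __name__ == "__main__":
    d = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721  # constructed key
    r, s, recid = sign(d, b"sample", 0xA6E3C57DD01ABE90086538398355DD4C3B17AA873382B0F24D6129493D8AAD60)
    print(recover(r, s, b"sample", recid) == [mul(d, G)])
```

The subgroup check (nR = O) is a no-op on P-256 because h = 1, but it is what stops a malformed r from producing a candidate on a small-order point for curves with a cofactor, so it stays in.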
* Fix pylint3 warning [ci skip] | Jack Lloyd | 2018-12-10 | 1 file | -1/+1
|
* More todos | Jack Lloyd | 2018-12-09 | 1 file | -0/+2
|
* Update news | Jack Lloyd | 2018-12-09 | 1 file | -0/+2
|
* Merge GH #1783 Add base58 encoding/decoding | Jack Lloyd | 2018-12-09 | 7 files | -1/+454
|\
| * Make ASan happy | Jack Lloyd | 2018-12-09 | 1 file | -1/+1
| |
| * Add base58 encoding/decoding | Jack Lloyd | 2018-12-09 | 7 files | -1/+454
|/
* Todos [ci skip] | Jack Lloyd | 2018-12-09 | 1 file | -2/+2
|
* Merge GH #1782 Add an i386 build/test to CI | Jack Lloyd | 2018-12-09 | 3 files | -4/+14
|\
| * Add an i386 CI target to check on 32-bit asm | Jack Lloyd | 2018-12-09 | 3 files | -4/+14
| |
* | Remove Chi-square test on random_integer | Jack Lloyd | 2018-12-09 | 1 file | -46/+0
|/
|
| I'm not sure this test is that useful, which is not itself a big problem,
| but it is also flaky and occasionally fails, which is no good.
* Update news | Jack Lloyd | 2018-12-09 | 1 file | -1/+1
|
* Merge GH #1780 Use constant time algorithm for monty_inverse | Jack Lloyd | 2018-12-09 | 2 files | -39/+23
|\
| * Use a const time algorithm for monty_inverse | Jack Lloyd | 2018-12-09 | 2 files | -39/+23
| |
| | Previous EEA leaked information about the low word of the prime,
| | which is a problem for RSA.
* | Fix typo | Jack Lloyd | 2018-12-09 | 1 file | -1/+1
| |
* | Merge GH #1779 Avoid variable time division during Montgomery setup | Jack Lloyd | 2018-12-09 | 5 files | -14/+25
|\ \
| |/
|/|
| * Avoid doing a variable time division during Montgomery setup | Jack Lloyd | 2018-12-09 | 5 files | -14/+25
|/
|
| Instead require the inputs be reduced already. For RSA-CRT use Barrett
| which is const time already. For SRP6 inputs were not reduced, use the
| Barrett hook available in DL_Group.
* Move Miller-Rabin t param inside the block | Jack Lloyd | 2018-12-09 | 1 file | -2/+2
|
| This var is not used if we use Baillie-PSW instead
* Merge GH #1778 Enable explicit_bzero/explicit_memset for BSDs | Jack Lloyd | 2018-12-09 | 4 files | -2/+8
|\
| * Few features added for BSD. | David Carlier | 2018-12-09 | 4 files | -2/+8
|/
|
| explicit_bzero/explicit_memset have existed for quite some time.
| getentropy exists for FreeBSD, but only from 12.x.
* Update news | Jack Lloyd | 2018-12-08 | 1 file | -1/+2
|
* Merge GH #1777 Optimization for NIST reductions | Jack Lloyd | 2018-12-08 | 1 file | -25/+33
|\
| * Avoid repeated size checks when setting words in NIST reduction | Jack Lloyd | 2018-12-08 | 1 file | -25/+33
|/
|
| This is a tiny thing but it saves over 100K cycles for P-384 ECDSA
* Merge GH #1776 Clean ups in MDx_HashFunction | Jack Lloyd | 2018-12-08 | 2 files | -33/+49
|\
| * Require MDx_HashFunction block size to be a power of 2 | Jack Lloyd | 2018-12-08 | 2 files | -14/+25
| |
| | Allows replacing div/mod by a variable with a shift/mask.
| | Allows storing just the bit count, which saves a few bytes.
| * Cleanups in MDx_HashFunction | Jack Lloyd | 2018-12-08 | 2 files | -32/+37
| |
* | Merge GH #1775 Clean up Streebog and fix unaligned loads | Jack Lloyd | 2018-12-08 | 2 files | -94/+114
|\ \
| * | Clean up Streebog and fix use of unaligned loads | Jack Lloyd | 2018-12-08 | 2 files | -94/+114
| |/
* | In speed, track number of invalid generated signatures and print once | Jack Lloyd | 2018-12-08 | 1 file | -1/+6
| |
| | Otherwise this spams the output when something goes wrong.
* | Update news | Jack Lloyd | 2018-12-08 | 1 file | -1/+1
|/
* Merge GH #1774 Const time BigInt shifts | Jack Lloyd | 2018-12-08 | 6 files | -98/+83
|\
| * Avoid early exit | Jack Lloyd | 2018-12-07 | 1 file | -4/+3
| |
| * Fix bug and avoid allocations in left shift | Jack Lloyd | 2018-12-07 | 5 files | -22/+36
| |
| * Const time the behavior of shifts [WIP] | Jack Lloyd | 2018-12-06 | 3 files | -87/+59
| |
| | They would previously leak for example if the requested shift was 0.
| | However, that should only happen in two situations: very dumb code
| | explicitly requested a shift of zero (in which case we don't care if
| | performance is poor, your code is dumb) or a variable shift that just
| | happens to be zero, in which case the variable may be a secret, for
| | instance this can be seen in the GCD computation.
* | In calc_sig_words save the size of m_reg before the loop | Jack Lloyd | 2018-12-08 | 1 file | -3/+4
| |
* | Update news | Jack Lloyd | 2018-12-07 | 1 file | -2/+4
| |
* | Merge GH #1773 Add BigInt::ct_reduce_below | Jack Lloyd | 2018-12-07 | 3 files | -3/+39
|\ \
| * | Add BigInt::ct_reduce_below | Jack Lloyd | 2018-12-06 | 3 files | -3/+39
| | |
* | | Merge GH #1772 ECDSA now caches RFC 6979 nonce generator object | Jack Lloyd | 2018-12-06 | 1 file | -3/+3
|\ \ \
| |_|/
|/| |
| * | In ECDSA cache the RFC6979 object | Jack Lloyd | 2018-12-06 | 1 file | -3/+3
| |/
| |
| | This is a very minor savings but does make a difference especially for P-256.
* | Remove hamming_weight function | Jack Lloyd | 2018-12-06 | 2 files | -22/+4
| |
| | Unused outside of the test code and not really useful there either.
| | Header is internal so no API breakage.
* | Better logic in BigInt::bits wrt valgrind const time checks | Jack Lloyd | 2018-12-06 | 1 file | -2/+3
|/
* Merge GH #1771 Add GCC 4.8 build to Travis | Jack Lloyd | 2018-12-05 | 3 files | -0/+10
|\
| * Add GCC 4.8 travis build | Jack Lloyd | 2018-12-05 | 3 files | -0/+10
| |
* | Do swaps in PointGFp instead of copies | Jack Lloyd | 2018-12-05 | 2 files | -14/+13
| |
| | Saves 5% for ECDSA
* | Avoid needless is_zero check in set_sign | Jack Lloyd | 2018-12-05 | 1 file | -4/+4
| |
| | If not negative we don't need to check the size
* | Fix Doxygen errors [ci skip] | Jack Lloyd | 2018-12-05 | 2 files | -1/+1
|/
* Make BigInt::cond_flip_sign constant time | Jack Lloyd | 2018-12-05 | 1 file | -3/+9
|
* Use BigInt::cond_flip_sign | Jack Lloyd | 2018-12-05 | 3 files | -7/+4
|
* Update news | Jack Lloyd | 2018-12-05 | 1 file | -4/+4
|