| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
explicit.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The check on each individual size in curve_mul is too strict since
we rely on redc(x*1) during the on the curve computation.
Fix an off by one in ressol which caused it to occasionally reject
valid values.
Updating version 1.11.28 since existing 1.11.27 tag already pushed :(
Fix an off-by-one in ressol which would cause it to occasionly
give up too early.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
If affine coordinates larger than the prime modulus were given,
a later multiplication could overflow the size of an allocated
output buffer, which was sized based on the size of the prime.
This will cause an overflow into either the system heap or if the
mlock/mmap pool allocator is in use, then into the adjacent key
material stored in the pool.
Reported by Alex Gaynor who found it with AFL
Also fix a one word overwrite in P-521 reduction. Found with AFL
|
| |
|
|
|
|
|
| |
In some cases this can offer better optimization, via devirtualization.
And it lets the user know the class is not intended for derivation.
Some discussion in GH #402
|
| |
|
|
|
|
| |
There was a special case for small scalars which managed to forget
that the integer 3 also fits into two bits. Found by adding a new set
of ECC point mul tests for the NIST curves.
|
| |
|
|
|
|
|
|
| |
As the alternatives are unfortunate for applications trying to catch
all library errors, and it seems deriving from std::runtime_error
causes problems with MSVC DLLs (GH #340)
Effectively reverts 2837e915d82e43
|
| | |
|
| |
|
|
| |
Some tweaks for point multiplication using fixed windows.
|
| |
|
|
|
|
|
|
| |
The plain PointGFp operator* now uses Montgomery ladder exclusively.
Adds a blinded point multiply algorithm which uses exponent and point
randomization, as well as a Montgomery ladder technique that takes a
random walk of the possible addition chains for k.
|
| |
|
|
|
|
| |
Previously they were hidden away as private functions on the CurveGFp
types. This allows directly testing the reduction functions against
other computational methods.
|
| | |
|
| |
|
|
|
|
|
| |
a source file. Without BOTAN_DLL the LibraryInitializer was removed entirely
from the list of symbols which is not desired.
Add some casts to avoid scary sounding but (upon review) harmless warnings from MSVC
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Update license header line to specify the terms and refer to the file,
neither of which it included before.
|
| |
|
|
|
| |
The test function create_random_point did not actually create a point
on the curve - fix.
|
| |
|
|
|
| |
Roughly 35-50% faster on my laptop (depending on if mlock is enabled,
the overhead in that allocator is becoming much more of a hotspot).
|
| | |
|
| | |
|
| |
|
|
|
| |
can use different representations/operations depending on the curve
(eg, using a specialized version for P-256 reduction)
|
| |
|
|
|
| |
provides a much better worst-case error bound. Also take the nonce from anywhere
in the usable range rather than limiting the bit size.
|
| |
|
