Commit messages

- Use [[nodiscard]] and [[deprecated]] annotations since those
  are available to us now.
- See #2365
- Now modules default to internal headers instead of defaulting to public; making
  a new public API should be a visible and intentional choice.
  Brings the public header count from over 300 to around 150.
  Also removes the deprecated tls_blocking interface.
- It doesn't like expressions that evaluate to nullptr + non-zero,
  even though in the end we didn't do anything with the pointer.
- The numbers in #256 suggest that it does nothing at all for performance.
- Previous version leaked some (minimal) information from the loop
  bounds.
- Based on profiling RSA key generation
- Assumed to be 0/1
- The decoding leaked some information about the delimiter index
  due to copying only exactly input_len - delim_idx bytes. I can't
  articulate a specific attack that would work here, but it is easy
  enough to fix this to run in const time instead, where all bytes
  are accessed regardless of the length of the padding.
  CT::copy_out is O(n^2) and thus terrible, but in practice it is only
  used with RSA decryption, and multiplication is also O(n^2) with the
  modulus size, so a few extra cycles here don't matter much.
- They would previously leak for example if the requested shift was 0.
  However, that should only happen in two situations: very dumb code
  explicitly requested a shift of zero (in which case we don't care if
  performance is poor; your code is dumb) or a variable shift that just
  happens to be zero, in which case the variable may be a secret; for
  instance, this can be seen in the GCD computation.
- If one of the values had leading zero words, this could end up
  calling bigint_sub with x_size < y_size.
  OSS-Fuzz 11664 and 11656
- Addition already has to handle negative numbers so make it do
  double duty for subtraction.
- In particular comparisons, calc sig words, and mod_sub are const time now.
- This is still vulnerable to a cache-based side channel since the
  multiple chosen leaks the final carry.
- It turned out 8 bit was very broken (failed to compile, due to
  overload problems with functions taking uint8_t vs word).
  16 bit words work aside from a test failure, but are really slow.
  Practically speaking we are not in a position to support 16-bit CPUs
  very well. And being able to assume sizeof(word) >= sizeof(uint32_t)
  allows simplifying some code.
- Improves ECDSA by 2-3% due to improving the const time modular
  inversion algorithm (used for the mod-order inversions).
- The poisons don't stack so the unpoison hid conditional jumps
  we want to find.
- Speedup of 10 to 30% depending on algo
- Improves performance on "odd" sized DH/RSA (e.g. 1536, 3072, 6144)
  where otherwise the Karatsuba operation bottoms out with 24-word
  operands which ended up in the basecase multiply.
- And set us up for eventually having this be completely const time.
- The constraints were invalid as they missed the clobber of a/d
  registers. This caused miscompilation when using GCC -fno-plt option.
  GH #1524
- Just a simple adaptation of the n^2 multiply algorithm, so no
  performance impact. However, it makes the difference between
  squaring and multiply easier to see when profiling.
- Results in 10-20% improvement for DH and RSA, 5% for ECC curves
  that use Montgomery form.
- Increases perf of larger DH by 5-8%
- Use the BOTAN_MP_WORD_BITS consistently
- Makes it less likely compiler will use add-with-carry op