| Commit message (Collapse) | Author | Age | Files | Lines |
|\ |
|
| |
| |
| |
| |
| |
| | |
- reduced number of parameters in various methods
- introduced structures and renamed variables to improve code
readability.
|
| | |
|
|/
|
|
|
|
|
| |
Avoids some cut and paste, also removes the need for special logic in
configure.py for handling mp module specially.
Merge SIMD classes into a single type SIMD_4x32
|
|
|
|
| |
warnings.
|
| |
|
|
|
|
| |
Avoids the test vector contortions in RSA-KEM
|
|
|
|
|
| |
Could attempt to allocate (size_t)-1 words with predicably bad_alloc
results.
|
| |
|
|
|
|
| |
explicit.
|
|
|
|
| |
Also adds a (not const time) implementation of almost Montgomery reduction.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
Not optimized and relies on asm support for const time word_add/word_sub
instructions.
Fix a bug introduced in 46e9a89 - unpoison needs to call the valgrind
API with the pointer rather than the reference. Caused values not to
be unpoisoned.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The check on each individual size in curve_mul is too strict since
we rely on redc(x*1) during the on the curve computation.
Fix an off by one in ressol which caused it to occasionally reject
valid values.
Updating version 1.11.28 since existing 1.11.27 tag already pushed :(
Fix an off-by-one in ressol which would cause it to occasionly
give up too early.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If affine coordinates larger than the prime modulus were given,
a later multiplication could overflow the size of an allocated
output buffer, which was sized based on the size of the prime.
This will cause an overflow into either the system heap or if the
mlock/mmap pool allocator is in use, then into the adjacent key
material stored in the pool.
Reported by Alex Gaynor who found it with AFL
Also fix a one word overwrite in P-521 reduction. Found with AFL
|
|
|
|
|
|
|
| |
It first computed the first i for q**(2**i) == 1, then checked that i
was smaller than s. Given a composite modulus (for which the algorithm
does not work), the loop might do a very large amount of work before
returning the failure.
|
|
|
|
|
|
|
| |
In some cases this can offer better optimization, via devirtualization.
And it lets the user know the class is not intended for derivation.
Some discussion in GH #402
|
| |
|
|
|
|
|
|
| |
There was a special case for small scalars which managed to forget
that the integer 3 also fits into two bits. Found by adding a new set
of ECC point mul tests for the NIST curves.
|
|
|
|
|
|
| |
Aligning the calls makes it easier to read the index travel
Add a date to the generated output file
|
|
|
|
|
|
| |
It had two functions, both only called from one place (mp_karat.cpp).
Both multiple and square ops were O(n**2), so drop square and just
call mul in mp_karat.cpp for either case
|
|
|
|
| |
GH #363
|
| |
|
|
|
|
|
|
|
|
| |
As the alternatives are unfortunate for applications trying to catch
all library errors, and it seems deriving from std::runtime_error
causes problems with MSVC DLLs (GH #340)
Effectively reverts 2837e915d82e43
|
|
|
|
| |
Also fix a few cast and zero-as-nullptr warnings in the AltiVec header
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The only reason mul128.h was included in mp_types.h was for the
definition of dword. But dword is only needed by the generic version
of mp_madd, which is an internal header. So move both the inclusion
of the header and the dword definition to there.
Previously mul128.h was very public (mp_types.h to bigint.h to rsa.h,
for example) and use of __int128 causes problems in pedantic mode. So
additionally, prefer using the TI attribute version since GCC does not
complain about that. Clang's -Wpedantic does not seem to care about it
either way.
GH #330
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It was already close, but the carry loop would break early and
selecting which value to copy out was indexed on the borrow bit. Have
the carry loop run through, and add a const-time conditional copy
operation and use that to copy the output.
Convert ct_utils to CT namespace. Templatize the utils, which I was
hesitant to do initially but is pretty useful when dealing with
arbitrary word sizes.
Remove the poison macros, replace with inline funcs which reads
cleaner at the call site.
|
|
|
|
|
|
| |
Some cleanups in random_prime. Increase probability in prime tests from
1/2**64 to 1/2**128. Also break out of the sieve loop early if it has
failed.
|
| |
|
|
|
|
| |
Only user-visible change is the removal of get_byte.h
|
| |
|
|
|
|
| |
Some tweaks for point multiplication using fixed windows.
|
|
|
|
|
|
|
|
| |
The plain PointGFp operator* now uses Montgomery ladder exclusively.
Adds a blinded point multiply algorithm which uses exponent and point
randomization, as well as a Montgomery ladder technique that takes a
random walk of the possible addition chains for k.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
C functions must not throw but Botan::bigint_divop throws (MSVC: warning
C4297: 'Botan::bigint_divop' : function assumed not to throw an
exception but does)
* Move bigint_mul -> Botan::bigint_sqr
* Move bigint_sqr -> Botan::bigint_sqr
* Variable in unnamed namespace supersedes "static" keyword
|
|
|
|
|
|
| |
Previously they were hidden away as private functions on the CurveGFp
types. This allows directly testing the reduction functions against
other computational methods.
|
| |
|
|
|
|
| |
Thanks to @vlajos https://github.com/vlajos/misspell_fixer
|
|
|
|
| |
Fixes #108
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. src/lib/codec/base64/base64.cpp: :
(round_up<size_t>(input_length, 3) / 3) * 4;
2. src/lib/codec/base64/base64.cpp: :
(round_up<size_t>(input_length, 4) * 3) / 4;
3. src/lib/filters/transform_filter.cpp: return round_up(target_size,
update_granularity);
4. src/lib/math/bigint/bigint.cpp:
m_reg.resize(round_up<size_t>(size, 8));
5. src/lib/math/bigint/bigint.cpp:
m_reg.resize(round_up<size_t>((length / WORD_BYTES) + 1, 8));
6. src/lib/math/numbertheory/mp_numth.cpp: BigInt z(BigInt::Positive,
round_up<size_t>(2*x_sw, 16));
7. src/lib/modes/cbc/cbc.cpp: return round_up(input_length,
cipher().block_size());
8. src/lib/modes/ecb/ecb.cpp: return round_up(input_length,
cipher().block_size());
9. src/lib/modes/xts/xts.cpp: return round_up(input_length,
cipher().block_size());
10. src/lib/pbkdf/pbkdf2/pbkdf2.cpp: const size_t blocks_needed =
round_up(out_len, prf_sz) / prf_sz;
11. src/lib/tls/tls_record.cpp: const size_t buf_size = round_up(
12. src/lib/utils/rounding.h:inline T round_up(T n, T align_to)
1. Reason for change
2. Reason for change
3. first argument cannot be 0 (`target_size = 1024`)
4. Is a bug in the current implementation iff `size = 0`
5. first argument cannot be 0
6. round_up should return 0 if `x_sw = 0`
7. ?
8. ?
9. ?
10. first argument cannot be 0 (`if(out_len == 0) return 0;`)
11. first argument is unlikely to be 0 (`iv_size + msg_length + mac_size
+ (block_size ? 1 : 0)`)
12. Implementation
|
|
|
|
| |
Fixes #146.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
Uninitialized variables, missing divide by zero checks, missing
virtual destructor, etc. Only thing serious is bug in TLS maximum
fragment decoder; missing breaks in switch statement meant receiver
would treat any negotiated max frament as 4k limit.
|