aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/math
Commit message (Collapse)AuthorAgeFilesLines
* Fix leading zero bytes in DSA, ECDSA, ECGDSA and ECKCDSA signaturesRené Korthaus2016-08-172-0/+20
|
* Merge asm into single mp_madd.h and mp_asmi.h filesJack Lloyd2016-07-2116-1545/+1084
| | | | | | | Avoids some cut and paste, also removes the need for special logic in configure.py for handling mp module specially. Merge SIMD classes into a single type SIMD_4x32
* Add explicit static_cast operations to eliminate implicit cast compiler ↵Dan Brown2016-04-273-3/+3
| | | | warnings.
* Add ECGDSARené Korthaus2016-04-192-0/+25
|
* Use rejection sampling in BigInt::random_integerJack Lloyd2016-03-161-10/+8
| | | | Avoids the test vector contortions in RSA-KEM
* Fix off by one in ressolJack Lloyd2016-03-151-1/+1
| | | | | Could attempt to allocate (size_t)-1 words with predicably bad_alloc results.
* Remaining cppcheck fixes that are not covered by GH #444Daniel Neus2016-03-052-9/+11
|
* cppcheck fixes: Class 'X' has a constructor with 1 argument that is not ↵Daniel Neus2016-03-053-5/+5
| | | | explicit.
* For odd moduli use a input-independent modular inverse algorithm.Jack Lloyd2016-02-204-56/+218
| | | | Also adds a (not const time) implementation of almost Montgomery reduction.
* Add tests and timings for inverse_modJack Lloyd2016-02-202-5/+13
|
* Fix remaining Wshadow warnings and enable on gcc and clangRené Korthaus2016-02-182-4/+7
|
* Add constant time conditional swap, add, sub for bigint wordsJack Lloyd2016-02-172-1/+102
| | | | | | | | | Not optimized and relies on asm support for const time word_add/word_sub instructions. Fix a bug introduced in 46e9a89 - unpoison needs to call the valgrind API with the pointer rather than the reference. Caused values not to be unpoisoned.
* Fix two bugs in 1.11.27 which caused test failures.1.11.28Jack Lloyd2016-02-012-4/+1
| | | | | | | | | | | | | The check on each individual size in curve_mul is too strict since we rely on redc(x*1) during the on the curve computation. Fix an off by one in ressol which caused it to occasionally reject valid values. Updating version 1.11.28 since existing 1.11.27 tag already pushed :( Fix an off-by-one in ressol which would cause it to occasionly give up too early.
* Fix heap overflow in ECC point multiplicationJack Lloyd2016-02-014-4/+24
| | | | | | | | | | | | | | If affine coordinates larger than the prime modulus were given, a later multiplication could overflow the size of an allocated output buffer, which was sized based on the size of the prime. This will cause an overflow into either the system heap or if the mlock/mmap pool allocator is in use, then into the adjacent key material stored in the pool. Reported by Alex Gaynor who found it with AFL Also fix a one word overwrite in P-521 reduction. Found with AFL
* Fix (nearly) infinite loop in RESSOL (modular square root).Jack Lloyd2016-02-011-8/+12
| | | | | | | It first computed the first i for q**(2**i) == 1, then checked that i was smaller than s. Given a composite modulus (for which the algorithm does not work), the loop might do a very large amount of work before returning the failure.
* Add final attribute to many classesJack Lloyd2016-01-101-6/+6
| | | | | | | In some cases this can offer better optimization, via devirtualization. And it lets the user know the class is not intended for derivation. Some discussion in GH #402
* Mass-prefix member vars with m_René Korthaus2016-01-085-49/+49
|
* Fix PointGFp multiplication bugJack Lloyd2016-01-031-18/+0
| | | | | | There was a special case for small scalars which managed to forget that the integer 3 also fits into two bits. Found by adding a new set of ECC point mul tests for the NIST curves.
* Prettify mp_comba a bitJack Lloyd2016-01-011-44/+44
| | | | | | Aligning the calls makes it easier to read the index travel Add a date to the generated output file
* Remove mp_mulop.cppJack Lloyd2015-12-256-93/+42
| | | | | | It had two functions, both only called from one place (mp_karat.cpp). Both multiple and square ops were O(n**2), so drop square and just call mul in mp_karat.cpp for either case
* Remove unused word8_muladd from MSVC x86-32 asmJack Lloyd2015-12-191-84/+0
| | | | GH #363
* Missing addsJack Lloyd2015-12-111-2/+2
|
* Reroot the exception hierarchy into a toplevel Exception classJack Lloyd2015-12-114-5/+5
| | | | | | | | As the alternatives are unfortunate for applications trying to catch all library errors, and it seems deriving from std::runtime_error causes problems with MSVC DLLs (GH #340) Effectively reverts 2837e915d82e43
* Remove bogus code from generic mp_madd header, noticed on PPC build.Jack Lloyd2015-11-231-3/+4
| | | | Also fix a few cast and zero-as-nullptr warnings in the AltiVec header
* Remove mul128.h header from public viewJack Lloyd2015-11-162-13/+21
| | | | | | | | | | | | | | | The only reason mul128.h was included in mp_types.h was for the definition of dword. But dword is only needed by the generic version of mp_madd, which is an internal header. So move both the inclusion of the header and the dword definition to there. Previously mul128.h was very public (mp_types.h to bigint.h to rsa.h, for example) and use of __int128 causes problems in pedantic mode. So additionally, prefer using the TI attribute version since GCC does not complain about that. Clang's -Wpedantic does not seem to care about it either way. GH #330
* Remove call to abort on a zero point in PointGFp::get_affine_{x,y}Jack Lloyd2015-11-131-4/+0
|
* Make Montgomery reduction constant time.Jack Lloyd2015-10-241-6/+17
| | | | | | | | | | | | | | It was already close, but the carry loop would break early and selecting which value to copy out was indexed on the borrow bit. Have the carry loop run through, and add a const-time conditional copy operation and use that to copy the output. Convert ct_utils to CT namespace. Templatize the utils, which I was hesitant to do initially but is pretty useful when dealing with arbitrary word sizes. Remove the poison macros, replace with inline funcs which reads cleaner at the call site.
* Add prime and dl_group command line tools.Jack Lloyd2015-10-151-14/+42
| | | | | | Some cleanups in random_prime. Increase probability in prime tests from 1/2**64 to 1/2**128. Also break out of the sieve loop early if it has failed.
* Remove use of lookup.h in favor of new T::create API.Jack Lloyd2015-09-211-2/+4
|
* Internal header cleanupsJack Lloyd2015-09-192-2/+2
| | | | Only user-visible change is the removal of get_byte.h
* Remove alloc module; move secmem.h to base and locking_allocator to utilsJack Lloyd2015-08-291-1/+0
|
* Move GF(p) side channel countermeasure toggles to build.hJack Lloyd2015-08-282-28/+43
| | | | Some tweaks for point multiplication using fixed windows.
* Add power analysis countermeasures for ECC point multiplications.Jack Lloyd2015-08-212-128/+251
| | | | | | | | The plain PointGFp operator* now uses Montgomery ladder exclusively. Adds a blinded point multiply algorithm which uses exponent and point randomization, as well as a Montgomery ladder technique that takes a random walk of the possible addition chains for k.
* Add m_ prefix to member variable Power_Mod::m_coreSimon Warta2015-08-212-23/+23
|
* Remove 'extern "C"' from src/lib/math/mpSimon Warta2015-08-1415-58/+2
| | | | | | | | | | C functions must not throw but Botan::bigint_divop throws (MSVC: warning C4297: 'Botan::bigint_divop' : function assumed not to throw an exception but does) * Move bigint_mul -> Botan::bigint_sqr * Move bigint_sqr -> Botan::bigint_sqr * Variable in unnamed namespace supersedes "static" keyword
* Expose the NIST prime values and reduction operations as plain functions.Jack Lloyd2015-08-086-269/+229
| | | | | | Previously they were hidden away as private functions on the CurveGFp types. This allows directly testing the reduction functions against other computational methods.
* math: Add missing overridesDaniel Seither2015-07-301-8/+8
|
* Fix typosSimon Warta2015-07-241-1/+1
| | | | Thanks to @vlajos https://github.com/vlajos/misspell_fixer
* Fix BigInt random_integer() distribution issue.Simon Warta2015-07-243-10/+31
| | | | Fixes #108
* Refactor BigIntSimon Warta2015-07-243-9/+20
|
* BigInt::to_u32bit failed on 32-bit integers. GH #220Jack Lloyd2015-07-231-1/+1
|
* Fix round_upSimon Warta2015-07-152-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 1. src/lib/codec/base64/base64.cpp: : (round_up<size_t>(input_length, 3) / 3) * 4; 2. src/lib/codec/base64/base64.cpp: : (round_up<size_t>(input_length, 4) * 3) / 4; 3. src/lib/filters/transform_filter.cpp: return round_up(target_size, update_granularity); 4. src/lib/math/bigint/bigint.cpp: m_reg.resize(round_up<size_t>(size, 8)); 5. src/lib/math/bigint/bigint.cpp: m_reg.resize(round_up<size_t>((length / WORD_BYTES) + 1, 8)); 6. src/lib/math/numbertheory/mp_numth.cpp: BigInt z(BigInt::Positive, round_up<size_t>(2*x_sw, 16)); 7. src/lib/modes/cbc/cbc.cpp: return round_up(input_length, cipher().block_size()); 8. src/lib/modes/ecb/ecb.cpp: return round_up(input_length, cipher().block_size()); 9. src/lib/modes/xts/xts.cpp: return round_up(input_length, cipher().block_size()); 10. src/lib/pbkdf/pbkdf2/pbkdf2.cpp: const size_t blocks_needed = round_up(out_len, prf_sz) / prf_sz; 11. src/lib/tls/tls_record.cpp: const size_t buf_size = round_up( 12. src/lib/utils/rounding.h:inline T round_up(T n, T align_to) 1. Reason for change 2. Reason for change 3. first argument cannot be 0 (`target_size = 1024`) 4. Is a bug in the current implementation iff `size = 0` 5. first argument cannot be 0 6. round_up should return 0 if `x_sw = 0` 7. ? 8. ? 9. ? 10. first argument cannot be 0 (`if(out_len == 0) return 0;`) 11. first argument is unlikely to be 0 (`iv_size + msg_length + mac_size + (block_size ? 1 : 0)`) 12. Implementation
* Make Botan compile when only some modules are enabledSimon Warta2015-07-031-1/+1
| | | | Fixes #146.
* s/auto/size_t/Simon Warta2015-07-031-1/+1
|
* More changes for use with debug STLSimon Warta2015-06-301-1/+5
|
* lib/math: Convert &vec[0] to vec.data()Daniel Seither2015-06-2012-35/+35
|
* Add missing includelloyd2015-05-311-0/+1
|
* Fix various bugs found by Coverity scanner.lloyd2015-05-153-0/+7
| | | | | | | Uninitialized variables, missing divide by zero checks, missing virtual destructor, etc. Only thing serious is bug in TLS maximum fragment decoder; missing breaks in switch statement meant receiver would treat any negotiated max frament as 4k limit.
* Fixlloyd2015-04-121-1/+1
|
* Remove the stray binary character making Python3 unhappy, removelloyd2015-04-121-3/+2
| | | | encoding= flags since they are not needed anymore and broke Python2.
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-26 03:31:46 +0000