| Commit message | Author | Age | Files | Lines |

GOST uses IEEE-style formatting for signatures rather than a DER struct.
Confirmed using 2012 test certs from CryptoPro.
GH #1860 #1897

Only used in this one place.

Notably several from the new -Wdefaulted-function-deleted.
Also remove some compat macro checks for MSVC 2013.

Add a checker script.

A few older APIs use as_string where everywhere else uses to_string.
Add to_string's where missing, and deprecate X::as_string.

As doing so means that information about the high bits of the scalar can leak
via timing since the loop bound depends on the length of the scalar. An attacker
who has such information can perform a more efficient brute force attack (using
Pollard's rho) than would be possible otherwise.
Found by Ján Jančár (@J08nY) using ECTester (https://github.com/crocs-muni/ECTester)
CVE-2018-20187

This doesn't matter much but it causes confusing valgrind output when
const-time checking since it distinguishes between the two possible
conditional returns.

Code is easier to understand and it may let the CPU interleave the
loads and logical ops better. Slightly faster on my machine.

Improves ECDSA signing by 15%

Saves 5% for ECDSA

I'm not sure why this was here.

In particular comparisons, calc sig words, and mod_sub are const time now.

Avoid throwing base Botan::Exception type, as it is difficult to
determine what the error is in that case.
Add Exception::error_code and Exception::error_type which allow
(for error code) more information about the error and (for error type)
knowing the error type without requiring a sequence of catches.
See GH #1742

Closes GH #1557

Needed for https://github.com/strongswan/strongswan/pull/109

This eliminates an issue identified in the paper
"Prime and Prejudice: Primality Testing Under Adversarial Conditions"
by Albrecht, Massimo, Paterson and Somorovsky
where DL_Group::verify_group with strong=false would accept a composite
q with probability 1/4096, which is exactly as the error bound is
documented, but still unfortunate.

This is slightly slower for Brainpool, but NIST curves are 5% faster.

It was checking 4*a+27*b instead of 4*a^3 + 27*b^2.

Otherwise ressol (part of point decompression) can end up in a
very long loop.
OSS-Fuzz 9011

This is not a decision we should leave to end users.
And always use a random mask equal in size to the underlying field.
It was never quite clear if 80 bits was sufficient or not. But
taking a random field element is clearly the best possible situation,
and has very little additional cost.

Since we know the top bit is 1, then R will always be a point
other than point at infinity after the very first addition regardless
of the scalar or mask, so then coordinate randomization is guaranteed
to work.

Producing garbage instead is asking for trouble.

Normally all elements will have the same number of limbs as the field.
Any situation with short elements is rare and not worth optimizing
for, and likely leads to some unfortunate side channel.

The size is rounded up to next 8 words so there was substantial
slack here.
No noticeable perf difference.

Let DER_Encoder write to a user specified vector instead of only to an
internal vector. This allows encoding to a std::vector without having
to first write to a locked vector and then copying out the result.
Add ASN1_Object::BER_encode convenience method. Replaces
X509_Object::BER_encode which had the same logic but was restricted to
a subtype. This replaces many cases where DER_Encoder was just used
to encode a single object (X509_DN, AlgorithmIdentifier, etc).