path: root/src/lib/pubkey/ec_group
Commit message | Author | Age | Files | Lines
* Deprecate many publicly available headers | Jack Lloyd | 2019-09-06 | 1 | -0/+3
* Reduce usage of oids.h with the addition of some helpers on OID | Jack Lloyd | 2019-08-04 | 1 | -3/+2
* Deprecate and replace OIDS::lookup | Jack Lloyd | 2019-08-04 | 1 | -2/+2
* Add gost_512A param | Jack Lloyd | 2019-08-01 | 1 | -0/+12
* Updates for GOST 2012 support | Jack Lloyd | 2019-08-01 | 1 | -1/+1
    GOST uses IEEE style formatting for signatures rather than DER struct.
    Confirmed using 2012 test certs from CryptoPro.
    GH #1860 #1897
* Move decl of blinding bits into the source file | Jack Lloyd | 2019-07-27 | 2 | -2/+6
    Only used in this one place.
* Resolve some MSVC warnings | Jack Lloyd | 2019-06-14 | 1 | -1/+1
* Fix some warnings with Clang 8 | Jack Lloyd | 2019-05-08 | 1 | -0/+6
    Notably several from the new -Wdefaulted-function-deleted.
    Also remove some compat macro checks for MSVC 2013.
* Fix feature macro checks. | Jack Lloyd | 2019-04-26 | 1 | -7/+0
    Add a checker script.
* Fix some extra semicolons | Jack Lloyd | 2019-03-27 | 1 | -1/+1
* Add references for these addition chains [ci skip] | Jack Lloyd | 2019-03-07 | 1 | -0/+4
* s/as_string/to_string/ | Jack Lloyd | 2019-03-01 | 2 | -2/+2
    A few older APIs use as_string where everywhere else uses to_string.
    Add to_string's where missing, and deprecate X::as_string.
* Avoid using unblinded Montgomery ladder during ECC key generation | Jack Lloyd | 2018-12-18 | 1 | -8/+27
    As doing so means that information about the high bits of the scalar can leak via timing, since the loop bound depends on the length of the scalar. An attacker who has such information can perform a more efficient brute force attack (using Pollard's rho) than would be possible otherwise.
    Found by Ján Jančár (@J08nY) using ECTester (https://github.com/crocs-muni/ECTester)
    CVE-2018-20187
* In PointGFp addition, prevent all_zeros from being short-circuited | Jack Lloyd | 2018-12-14 | 1 | -4/+7
    This doesn't matter much but it causes confusing valgrind output when const-time checking, since it distinguishes between the two possible conditional returns.
* Simplify the const time lookup in ECC scalar mul | Jack Lloyd | 2018-12-14 | 1 | -12/+9
    Code is easier to understand and it may let the CPU interleave the loads and logical ops better. Slightly faster on my machine.
* Use a 3-bit comb for ECC base point multiply | Jack Lloyd | 2018-12-13 | 2 | -19/+36
    Improves ECDSA signing by 15%
* Do swaps in PointGFp instead of copies | Jack Lloyd | 2018-12-05 | 1 | -13/+12
    Saves 5% for ECDSA
* No need to check x when checking if a point is at infinity | Jack Lloyd | 2018-12-01 | 1 | -2/+1
    I'm not sure why this was here.
* Add BigInt::mod_mul | Jack Lloyd | 2018-12-01 | 3 | -27/+10
* Fix debug asserts, and add it to CI | Jack Lloyd | 2018-11-29 | 1 | -2/+2
* Add CT::Mask type | Jack Lloyd | 2018-11-28 | 1 | -8/+10
* Make more BigInt functions const-time | Jack Lloyd | 2018-11-26 | 1 | -0/+1
    In particular comparisons, calc sig words, and mod_sub are const time now.
* Make exceptions easier to translate to error codes | Jack Lloyd | 2018-11-23 | 1 | -7/+10
    Avoid throwing base Botan::Exception type, as it is difficult to determine what the error is in that case.
    Add Exception::error_code and Exception::error_type which allows (for error code) more information about the error and (for error type) allows knowing the error type without requiring a sequence of catches.
    See GH #1742
* Remove support for Visual C++ 2013 | Jack Lloyd | 2018-10-01 | 1 | -1/+1
    Closes GH #1557
* Fix some MSVC warnings | Jack Lloyd | 2018-09-30 | 1 | -4/+4
* Add functions to get size of PK ciphertext, plaintext | Jack Lloyd | 2018-08-10 | 2 | -0/+11
    Needed for https://github.com/strongswan/strongswan/pull/109
* Add Lucas test from FIPS 186-4 | Jack Lloyd | 2018-07-31 | 1 | -24/+3
    This eliminates an issue identified in the paper "Prime and Prejudice: Primality Testing Under Adversarial Conditions" by Albrecht, Massimo, Paterson and Somorovsky, where DL_Group::verify_group with strong=false would accept a composite q with probability 1/4096, which is exactly as the error bound is documented, but still unfortunate.
* Correct Doxygen errors | Jack Lloyd | 2018-07-02 | 1 | -3/+2
* Fix some -Wshadow warnings | Jack Lloyd | 2018-06-29 | 1 | -4/+4
* Expose reduction mod p in CurveGFp | Jack Lloyd | 2018-06-28 | 3 | -16/+28
    This is slightly slower for Brainpool, but NIST curves are 5% faster.
* Correct computing of discriminant in EC_Group::verify_group | Jack Lloyd | 2018-06-27 | 1 | -16/+34
    It was checking 4*a+27*b instead of 4*a^3 + 27*b^2
* Remove outdated comment [ci skip] | Jack Lloyd | 2018-06-21 | 1 | -2/+0
* Avoid needless alloc and copy | Jack Lloyd | 2018-06-21 | 1 | -7/+5
* Fix a header comment and inline PointGFp::add/add_affine | Jack Lloyd | 2018-06-21 | 2 | -26/+23
* Attempt to verify decoded ECC groups are using prime fields | Jack Lloyd | 2018-06-20 | 1 | -2/+37
    Otherwise ressol (part of point decompression) can end up in a very long loop.
    OSS-Fuzz 9011
* Avoid an unnecessary malloc | Jack Lloyd | 2018-06-20 | 1 | -1/+1
* Use masked table lookups for variable point scalar mult | Jack Lloyd | 2018-06-20 | 1 | -10/+30
* Changes to allow masked lookups for variable point mult | Jack Lloyd | 2018-06-20 | 7 | -140/+164
* Remove build time toggle for ECC coordinate masking | Jack Lloyd | 2018-06-20 | 2 | -16/+16
    This is not a decision we should leave to end users.
    And always use a random mask equal in size to the underlying field. It was never quite clear if 80 bits was sufficient or not. But taking a random field element is clearly the best possible situation, and has very little additional cost.
* Perform ECC mult starting from top bit of the exponent | Jack Lloyd | 2018-06-20 | 1 | -17/+16
    Since we know the top bit is 1, R will always be a point other than the point at infinity after the very first addition, regardless of the scalar or mask, so coordinate randomization is guaranteed to work.
* Ensure that trying to add points from different groups fails. | Jack Lloyd | 2018-06-19 | 2 | -13/+19
    Producing garbage instead is asking for trouble.
* Use masked table lookup in ECC base point multiplication | Jack Lloyd | 2018-06-19 | 1 | -9/+30
* Add some todo comments wrt side channels in ECC scalar mult | Jack Lloyd | 2018-06-17 | 1 | -0/+5
* In ECC avoid using significant words to dispatch the mult algo | Jack Lloyd | 2018-06-15 | 1 | -22/+15
    Normally all elements will be the exact number of limbs as the field. Any situation with short elements is rare and not worth optimizing for, and likely leads to some unfortunate side channel.
* Avoid overallocation of memory for EC base point multiples | Jack Lloyd | 2018-06-14 | 1 | -1/+1
    The size is rounded up to the next 8 words so there was substantial slack here. No noticeable perf difference.
* Address DSA/ECDSA side channel | Jack Lloyd | 2018-06-13 | 2 | -0/+30
* DER improvements | Jack Lloyd | 2018-05-22 | 1 | -6/+14
    Let DER_Encoder write to a user specified vector instead of only to an internal vector. This allows encoding to a std::vector without having to first write to a locked vector and then copying out the result.
    Add ASN1_Object::BER_encode convenience method. Replaces X509_Object::BER_encode which had the same logic but was restricted to a subtype. This replaces many cases where DER_Encoder was just used to encode a single object (X509_DN, AlgorithmIdentifier, etc).
* Add message to BOTAN_ARG_CHECK and use it more widely | Jack Lloyd | 2018-05-13 | 1 | -0/+1
* Add final annotations [ci skip] | Jack Lloyd | 2018-04-24 | 1 | -3/+3
* Add BigInt::mod_sub | Jack Lloyd | 2018-04-23 | 2 | -93/+63