aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/pubkey/rsa
Commit message (Collapse)AuthorAgeFilesLines
* Avoid a harmless data race in RSA decryptionJack Lloyd2019-01-281-0/+7
| | | | | | | | | Both threads called Modular_Reducer::reduce on m, which caused the significant words result to be written twice in an unsynchronized way. By calling it once beforehand it is computed and cached and so no additional writes occur. Found with helgrind.
* Fix Barrett reduction input boundJack Lloyd2018-12-261-8/+18
| | | | | | | | | | | | In the long ago when I wrote the Barrett code I must have missed that Barrett works for any input < 2^2k where k is the word size of the modulus. Fixing this has several nice effects, it is faster because it replaces a multiprecision comparison with a single size_t compare, and now the branch does not reveal information about the input or modulus, but only their word lengths, which is not considered sensitive. Fixing this allows reverting the change make in a57ce5a4fd2 and now RSA signing is even slightly faster than in 2.8, rather than 30% slower.
* Address a side channel in RSA and SM2Jack Lloyd2018-12-241-7/+3
| | | | | | | | | | | | | | | | | Barrett will branch to a different (and slower) algorithm if the input is larger than the square of the modulus. This branch can be detected by a side channel. For RSA we need to compute m % p and m % q to get CRT started. Being able to detect if m > q*q (assuming q is the smaller prime) allows a binary search on the secret prime. This attack is blocked by input blinding, but still seems dangerous. Unfortunately changing to use the generic const time modulo instead of Barrett introduces a rather severe performance regression in RSA signing. In SM2, reduce k-r*x modulo the order before multiplying it with (x-1)^-1. Otherwise the need for slow modulo vs Barrett leaks information about k and/or x.
* Avoid doing a variable time division during Montgomery setupJack Lloyd2018-12-091-9/+14
| | | | | | Instead require the inputs be reduced already. For RSA-CRT use Barrett which is const time already. For SRP6 inputs were not reduced, use the Barrett hook available in DL_Group.
* Use ct_modulo during RSA key generationJack Lloyd2018-12-031-6/+7
|
* Avoid an implausible integer overflow flagged by Coverity [ci skip]Jack Lloyd2018-11-101-1/+6
|
* Add some missing includesJack Lloyd2018-11-081-0/+2
| | | | This is not exhaustive. See GH #1733
* Add functions to get size of PK ciphertext,plaintextJack Lloyd2018-08-101-0/+4
| | | | Needed for https://github.com/strongswan/strongswan/pull/109
* Add PK_Signer::signature_lengthJack Lloyd2018-08-101-0/+2
|
* Some fiddling with RSA private operationJack Lloyd2018-06-221-18/+29
| | | | | Spawning the thread off as quickly as possible helps perf slighty, especially with larger modulus.
* Avoid leaking size of exponentJack Lloyd2018-06-171-10/+17
| | | | See #1606 for discussion
* DER improvementsJack Lloyd2018-05-221-4/+6
| | | | | | | | | | | Let DER_Encoder write to a user specified vector instead of only to an internal vector. This allows encoding to a std::vector without having to first write to a locked vector and then copying out the result. Add ASN1_Object::BER_encode convenience method. Replaces X509_Object::BER_encode which had the same logic but was restricted to a subtype. This replaces many cases where DER_Encoder was just used to encode a single object (X509_DN, AlgorithmIdentifier, etc).
* Add a comment on side channels hereJack Lloyd2018-04-261-4/+5
|
* Avoid potential side channel when generating RSA primesJack Lloyd2018-04-171-2/+6
| | | | | | | | | | Add a new function dedicated to generating RSA primes. Don't test for p.bits() > bits until the very end - rarely happens, and speeds up prime generation quite noticably. Add Miller-Rabin error probabilities for 1/2**128, which again speeds up RSA keygen and DL param gen quite a bit.
* Add const time annotationsJack Lloyd2018-04-151-1/+1
|
* Add a Montgomery exponentiation that takes variable timeJack Lloyd2018-04-091-7/+14
| | | | | | | | In the case of RSA encryption/verification the public exponent is... public. So we don't need to carefully guard against side channels that leak the exponent. Improves RSA verification performance by 50% or more.
* Work around a bug in MSVC lambda handlingJack Lloyd2018-04-041-1/+1
|
* Add RSA exponent blindingJack Lloyd2018-04-041-5/+12
| | | | Additional paranoia never hurt.
* Tweak how RSA private operations are performedJack Lloyd2018-04-041-25/+44
| | | | Improves perf by about 15%
* Throw Lookup_Error here for benefit of testsJack Lloyd2018-03-211-2/+2
|
* Remove PK_Ops::Decryption_with_EME::max_raw_input_bitsJack Lloyd2018-02-191-2/+0
| | | | | Unused and not exposed to higher levels. RSA and ElGamal both check their inputs vs the system parameters (n, p) after decoding.
* Use new DL_Group functionsJack Lloyd2018-02-191-1/+1
|
* Tighten up RSA key validity testsJack Lloyd2018-02-131-3/+7
| | | | They allowed even e, another leftover from Rabin-Williams
* Remove handling of even e in RSA keygenJack Lloyd2018-02-131-5/+2
| | | | | This is a holdover from Rabin-Williams support and just confusing in RSA-specific code.
* Apply final annotations to the library alsoJack Lloyd2017-09-222-7/+7
| | | | | Done by a perl script which converted all classes to final, followed by selective reversion where it caused compilation failures.
* More include header cleanupsJack Lloyd2017-09-212-2/+2
|
* Change header guard format to BOTAN_FOO_H_Jack Lloyd2017-09-201-2/+2
| | | | | | ISO C++ reserves names with double underscores in them Closes #512
* Add API stability annotations.Jack Lloyd2017-09-191-2/+2
| | | | | Defined in build.h, all equal to BOTAN_DLL so ties into existing system for exporting symbols.
* Content:Tomasz Frydrych2017-04-032-5/+5
| | | | | | | | | * fixes for deprecated constructions in c++11 and later (explicit rule of 3/5 or implicit rule of 0 and other violations) * `default` specifier instead of `{}` in some places(probably all) * removal of unreachable code (for example `return` after `throw`) * removal of compilation unit only visible, but not used functions * fix for `throw()` specifier - used instead `BOTAN_NOEXCEPT` * removed not needed semicolons
* Remove "Dirty hack" for multiple defines in lex_me_harder()Simon Warta2017-04-021-1/+3
|
* Remove verify_end() chained immediatly before end_cons() (close #890)Nuno Goncalves2017-02-251-1/+0
| | | | | | | BER_Decoder::end_cons() allready assures the verify_end() function, so it is redundant. Signed-off-by: Nuno Goncalves <[email protected]>
* increase miller-rabin iterations for RSA strong check_key. We call is_prime ↵Never2017-02-131-1/+1
| | | | with prob=128 during sampling and we should check with the same prob
* Fix private key ctors API docs [ci skip]René Korthaus2017-01-271-1/+1
|
* Convert to using standard uintN_t integer typesJack Lloyd2016-12-182-16/+16
| | | | | | Renames a couple of functions for somewhat better name consistency, eg make_u32bit becomes make_uint32. The old typedefs remain for now since probably lots of application code uses them.
* Public_Key derived class ctors take an std::vector<byte>René Korthaus2016-12-112-3/+3
| | | | | | | Changes all the Public_Key derived classes ctors to take a std::vector instead of a secure_vector for the DER encoded public key bits. There is no point in transporting a public key in secure storage. (GH #768)
* Add Private_Key::private_key_info()René Korthaus2016-12-052-2/+2
| | | | | | | Adds new Private_Key::private_key_info() that returns a PKCS#8 PrivateKeyInfo structure. Renames the current Private_Key::pkcs8_private_key() to private_key_bits(). BER_encode() just invokes private_key_info().
* Add Public_Key::subject_public_key()René Korthaus2016-12-052-2/+2
| | | | | | | Adds new Public_Key::subject_public_key() that returns a X.509 SubjectPublicKey structure. Renames the current Public_Key::x509_subject_public_key() to public_key_bits(). BER_encode() just invokes subject_public_key().
* Pubkey cleanupsJack Lloyd2016-11-122-3/+7
| | | | | | | | | | Add Public_Key::key_length usable for policy checking (as in TLS::Policy::check_peer_key_acceptable) Remove Public_Key::max_input_bits because it didn't make much sense for most algorithms actually. Remove message_parts and message_part_size from PK_Ops
* Remove Key_Type typedefsJack Lloyd2016-11-081-6/+0
| | | | Also part of Algo_Registry and not needed after #668
* Update Doxygen comment [ci skip]Jack Lloyd2016-11-061-1/+0
|
* Remove automatic self-testing of public and private keysJack Lloyd2016-11-032-15/+4
| | | | | | | | | | | | | Rarely expected and often causes performance problems, especially for private keys. Instead applications should call check_key explicitly to validate keys when necessary. Note this removal doesn't apply to tests like ECDH on-the-curve tests, where a check on the public key is required for security of our own key. Updates most APIs to remove RNG calls, where they are no longer required. Exception is PKCS8 interface, pending further work there (see GH #685) it just ignores the RNG argument now.
* Fix doxygen warnings [ci skip]René Korthaus2016-10-191-1/+1
|
* Improve pubkey doxygen [ci skip]René Korthaus2016-10-191-1/+12
|
* Indent include so amalgamation works correctlyJack Lloyd2016-10-171-2/+1
| | | | | Otherwise <future> is thrown into the top of botan_all.h which causes problems on IncludeOS
* Abstract out mutex type. Make threads optional.Jack Lloyd2016-10-121-1/+10
|
* Revert PK_Verifier change (don't require RNG there).Jack Lloyd2016-10-072-24/+55
| | | | | | | Verification is deterministic and public, so really no RNG is ever needed. Change provider handling - accepts "base", "openssl", or empty, otherwise throws a Provider_Not_Found exception.
* Remove Algo_Registry usage from public key code.Jack Lloyd2016-10-072-15/+126
| | | | | | | | Instead the key types exposes operations like `create_encryption_op` which will return the relevant operation if the algorithm supports it. Changes pubkey.h interface, now RNG is passed at init time. Blinder previous created its own RNG, now it takes it from app.
* Remove IF_Scheme_{Public,Private}KeyJack Lloyd2016-09-023-27/+186
| | | | | | With the removal of Rabin-Williams, RSA is the only remaining subclass, And it's very unlikely any new integer factorization based scheme would be added in the future.
* fix test failures and seg faults when Botan is configured with ↵René Korthaus2016-06-172-1/+3
| | | | --module-policy bsi
* Clean up PK decryption encoding.Jack Lloyd2016-03-201-1/+1
| | | | | | | Previously RSA and ElGamal stripped off leading zeros which were then assumed by the padding decoders. Instead have them produce ciphertexts with leading zeros. Changes EME_Raw to strip leading zeros to match existing behavior.