| Commit message (Collapse) | Author | Age | Files | Lines |
| |
A few older APIs use as_string where everywhere else uses to_string.
Add to_string's where missing, and deprecate X::as_string.
|
| |
| |
Various configurations would fail build or test, fix that.
| |
Both threads called Modular_Reducer::reduce on m, which caused the
significant words result to be written twice in an unsynchronized way.
By calling it once beforehand it is computed and cached and so no
additional writes occur.
Found with helgrind.
| |
This makes the meaning and usage more clear.
Add a specific error type so invalid tags can be distinguished without
having to catch that specific type.
See also #1813
|
| |
| |
No real bugs, but pointed out some odd constructs and duplicated logic
|
| |
| |
Lots more of this needed in here
|
| |
|
| |
| |
It has a substantial perf hit and is not necessary. It may not
be really necessary for signatures either but leave that as is,
with a comment explaining.
| |
In the long ago when I wrote the Barrett code I must have missed that
Barrett works for any input < 2^2k where k is the word size of the
modulus. Fixing this has several nice effects: it is faster because it
replaces a multiprecision comparison with a single size_t compare, and
now the branch does not reveal information about the input or modulus,
but only their word lengths, which is not considered sensitive.
Fixing this allows reverting the change made in a57ce5a4fd2 and now
RSA signing is even slightly faster than in 2.8, rather than 30% slower.
| |
Since we are reducing a mod-p integer down to mod-q this would
nearly always use ct_modulo in any case. And, in the case where
Barrett did work, it would reveal that g^k mod p was <= q*q
which would likely be useful for searching for k.
This should actually be slightly faster (if anything) since it avoids
the unnecessary comparison against q*q and jumps directly to
ct_modulo.
| |
Barrett will branch to a different (and slower) algorithm if the input
is larger than the square of the modulus. This branch can be detected
by a side channel.
For RSA we need to compute m % p and m % q to get CRT started. Being
able to detect if m > q*q (assuming q is the smaller prime) allows a
binary search on the secret prime. This attack is blocked by input
blinding, but still seems dangerous. Unfortunately changing to use the
generic const time modulo instead of Barrett introduces a rather
severe performance regression in RSA signing.
In SM2, reduce k-r*x modulo the order before multiplying it with (x-1)^-1.
Otherwise the need for slow modulo vs Barrett leaks information about
k and/or x.
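The three Barrett commits in this log (the original switch away from Barrett because its "input larger than m^2" branch is observable through a side channel, the DSA/ECDSA-style mod-q note about g^k mod p <= q*q, and the later fix that Barrett actually works for any input below 2^(2k) words) describe one idea: make the "can Barrett handle this input?" decision depend only on word counts. The following is an added illustration, not Botan's code; it assumes 64-bit limbs and uses Python integers as the BigInt, with Python's `%` standing in for the library's generic const-time modulo.

```python
# Added example, not Botan's code: a Barrett reducer whose input-size decision is a
# word-count comparison (the fixed behaviour) shown beside the pre-fix value compare.
# Assumptions: 64-bit limbs, non-negative inputs, Python ints in place of BigInt.

WORD_BITS = 64


def sig_words(x: int) -> int:
    """Number of 64-bit limbs needed to hold x (the 'significant words' of x)."""
    return (x.bit_length() + WORD_BITS - 1) // WORD_BITS


class BarrettReducer:
    def __init__(self, m: int) -> None:
        if m <= 0:
            raise ValueError("modulus must be positive")
        self.m = m
        self.k = sig_words(m)                  # k = word length of the modulus
        self.shift = 2 * self.k * WORD_BITS    # b^(2k) with b = 2^64
        self.mu = (1 << self.shift) // m       # precomputed floor(b^(2k) / m)

    def old_check(self, x: int) -> bool:
        """Pre-fix predicate: a multiprecision compare against m*m whose outcome
        depends on the values of x and m, not merely on their sizes."""
        return x < self.m * self.m

    def barrett_ok(self, x: int) -> bool:
        """Fixed predicate: Barrett is valid for every x < b^(2k), so only the word
        count of x is compared with 2k (a single size_t compare in the C++ code)."""
        return sig_words(x) <= 2 * self.k

    def reduce(self, x: int) -> tuple:
        """Return (x mod m, path) where path names the algorithm that ran."""
        if x < 0:
            raise ValueError("input must be non-negative")
        if not self.barrett_ok(x):
            # Generic, slower path; Python's % stands in for a const-time modulo.
            return x % self.m, "ct_modulo"
        # For x < b^(2k): floor(x/m) - 1 <= q <= floor(x/m), so 0 <= r < 2m.
        q = (x * self.mu) >> self.shift
        r = x - q * self.m
        if r >= self.m:          # single correction; real code uses a masked subtract
            r -= self.m
        return r, "barrett"


def demo() -> dict:
    """Inputs at and beyond m*m that the word-count rule still handles with Barrett."""
    m = (1 << 64) + 13           # a 65-bit modulus, so k = 2 words and b^(2k) = 2^256
    br = BarrettReducer(m)
    x = m * m + 12345            # >= m*m (old check rejects it) but still < 2^256
    return {
        "old_check": br.old_check(x),
        "barrett_ok": br.barrett_ok(x),
        "reduce": br.reduce(x),
        "big": br.reduce(1 << 256),   # 5 words > 2k: falls through to the slow path
    }


if __name__ == "__main__":
    print(demo())
```

The point the log makes is visible in `demo()`: the value compare `old_check` turns a reduction of `m*m + 12345` into a slow-path call (and, worse, reveals through timing that the input exceeded m*m), whereas `barrett_ok` sees three words against a limit of four and stays on the fast path, with the result unchanged.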
| |
As doing so means that information about the high bits of the scalar can leak
via timing since the loop bound depends on the length of the scalar. An attacker
who has such information can perform a more efficient brute force attack (using
Pollard's rho) than would be possible otherwise.
Found by Ján Jančár (@J08nY) using ECTester (https://github.com/crocs-muni/ECTester)
CVE-2018-20187
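The commit above describes the defect behind CVE-2018-20187: a scalar multiplication loop whose iteration count was the bit length of the scalar, so timing revealed how many leading zero bits the scalar had. The added example below is not Botan's code; it uses the additive group of integers modulo n as a stand-in for an elliptic curve group (addition and doubling are just modular arithmetic, so k*P is the scalar product) and counts loop iterations to show which loop bound leaks.

```python
# Added example, not Botan's code: double-and-add with a scalar-dependent loop bound
# beside the same loop bounded by the group order's bit length.
# Assumption: the group is (Z_n, +), so "points" are ints and doubling is R + R.

def scalar_mult_varlen(k: int, P: int, n: int) -> tuple:
    """Loops over k's own bits: the iteration count equals bit_length(k), so an
    observer timing the loop learns how many high bits of k are zero."""
    R, steps = 0, 0
    for i in range(k.bit_length() - 1, -1, -1):
        R = (R + R) % n                  # double
        if (k >> i) & 1:
            R = (R + P) % n              # add
        steps += 1
    return R, steps


def scalar_mult_fixed(k: int, P: int, n: int) -> tuple:
    """Loops over bit_length(n) bits regardless of k (k < n assumed), so the
    iteration count reveals only the public group size."""
    R, steps = 0, 0
    for i in range(n.bit_length() - 1, -1, -1):
        R = (R + R) % n
        bit = (k >> i) & 1
        R = (R + bit * P) % n            # always add; real code selects with a constant-time mask
        steps += 1
    return R, steps


def compare(k: int, P: int, n: int) -> dict:
    """Run both versions and report results and step counts side by side."""
    rv, sv = scalar_mult_varlen(k, P, n)
    rf, sf = scalar_mult_fixed(k, P, n)
    return {"varlen": (rv, sv), "fixed": (rf, sf), "expected": (k * P) % n}


if __name__ == "__main__":
    n = 1000003                          # constructed 20-bit group order
    for k in (5, 999999):
        print(k, compare(k, 7, n))
```

With the constructed order n = 1000003 (20 bits), the variable-length loop runs 3 times for k = 5 and 20 times for k = 999999, while the fixed loop runs 20 times for both; the results agree in every case, which is why the fix costs nothing in correctness.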
| |
This doesn't matter much but it causes confusing valgrind output when
const-time checking since it distinguishes between the two possible
conditional returns.
| |
Code is easier to understand and it may let the CPU interleave the
loads and logical ops better. Slightly faster on my machine.
| |
Improves ECDSA signing by 15%
|
| |
| |
It appears OpenSSL has a different interpretation from us of how the
message representative is formed for P-521 when given a hash to sign
that is larger than the group order; signatures generated by us do
not verify with OpenSSL and vice versa.
| |
See http://www.secg.org/sec1-v2.pdf section 4.1.6
Closes #664
| |
Instead require the inputs be reduced already. For RSA-CRT use
Barrett which is const time already. For SRP6 inputs were not reduced,
use the Barrett hook available in DL_Group.
| |
This is a very minor savings but does make a difference especially
for P-256.
| |
Saves 5% for ECDSA
| |
static_casts for the compiler god
|
| |
| |
I'm not sure why this was here.
|
| |
|
| |
|
| |
| |
In particular comparisons, calc sig words, and mod_sub are const time now.
| |
Avoid throwing base Botan::Exception type, as it is difficult to
determine what the error is in that case.
Add Exception::error_code and Exception::error_type which allows
(for error code) more information about the error and (for error type)
allows knowing the error type without requiring a sequence of catches.
See GH #1742
| |
Prefer using wrappers in mem_utils for this.
Current exception is where memcpy is being used to convert between
two different types, since copy_mem requires input and output
pointers have the same type. There should be a new function to
handle conversion-via-memcpy operation.
|
| |
| |
This is not exhaustive. See GH #1733
|
| |
| |
See #1726
| |
Fixes GH #1720
| |
Closes GH #1557
|
| |
|
| |
|
| |
|
|\ |
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| | |
This also changes some (library only) APIs so PBES2 needed to
be modified.
This is a contribution of Ribose Inc (@riboseinc)
|
|/
|
|
| |
See GH #1680
| |
Where SM2 signs a hash input provided by the application.
This is a contribution by Ribose Inc (@riboseinc)
| |
It is the default...
|