| Commit message | Author | Date | Files | Lines |
|---|---|---|---|---|
| Add message to BOTAN_ARG_CHECK and use it more widely | Jack Lloyd | 2018-05-13 | 1 | -0/+1 |
| Add a comment on side channels here | Jack Lloyd | 2018-04-26 | 1 | -4/+5 |
| Remove unused include | Jack Lloyd | 2018-04-26 | 1 | -1/+0 |
| Add final annotations [ci skip] | Jack Lloyd | 2018-04-24 | 1 | -3/+3 |
| Add BigInt::mod_sub | Jack Lloyd | 2018-04-23 | 2 | -93/+63 |
| Use EC_Group::inverse_mod_order where appropriate | Jack Lloyd | 2018-04-20 | 2 | -6/+3 |
| Add Fermat based inversion of P-384 field elements | Jack Lloyd | 2018-04-19 | 1 | -0/+72 |
| Cuts about 100K cycles from the inversion, improving ECDSA sign by 10% and ECDH by ~2%. Addition chain from https://briansmith.org/ecc-inversion-addition-chains-01. GH #1479 | | | | |
| Add field inversion for P-521 | Jack Lloyd | 2018-04-18 | 1 | -0/+68 |
| ECDSA sign about 10% faster, ECDSA verify and ECDH about 5% faster. | | | | |
| Add optimized inversion for P-256 | Jack Lloyd | 2018-04-18 | 1 | -0/+75 |
| Could be slightly more clever here but this is pretty decent. GH #1479 | | | | |
| Add EC_Group::inverse_mod_order | Jack Lloyd | 2018-04-17 | 6 | -6/+21 |
| Centralizing this logic allows curve specific implementations such as using a precomputed ladder for exponentiating by p - 2. GH #1479 | | | | |
| Precompute for multiexponentiation when verifying ECC signatures | Jack Lloyd | 2018-04-17 | 4 | -15/+19 |
| ECDSA already did this. Improves repeated ECGDSA, ECKCDSA, SM2, and GOST signature verification by 10-15%. | | | | |
| Avoid potential side channel when generating RSA primes | Jack Lloyd | 2018-04-17 | 1 | -2/+6 |
| Add a new function dedicated to generating RSA primes. Don't test for p.bits() > bits until the very end - rarely happens, and speeds up prime generation quite noticeably. Add Miller-Rabin error probabilities for 1/2**128, which again speeds up RSA keygen and DL param gen quite a bit. | | | | |
| Add const time annotations | Jack Lloyd | 2018-04-15 | 1 | -1/+1 |
| Add an explicit test mode build | Jack Lloyd | 2018-04-14 | 1 | -2/+2 |
| GH #1537 | | | | |
| Merge GH #1538 Minor ECC optimizations | Jack Lloyd | 2018-04-14 | 7 | -21/+105 |
| Various minor ECC optimizations | Jack Lloyd | 2018-04-13 | 7 | -21/+105 |
| Add a way of getting Montgomery representation of one. Reduce use of temporaries in variable point mult. Prefer doubling over addition in precomputing fixed window. Add Brainpool ECDH tests. Improves ECDH by 2-3% across the board. | | | | |
| Merge GH #1531 Improve XMSS test coverage | Jack Lloyd | 2018-04-14 | 3 | -12/+8 |
| Removes unused overload in XMSS_Hash | Matthias Gierlings | 2018-04-12 | 2 | -12/+0 |
| - Removes overload `XMSS_Hash::h_msg_update(secure_vector<uint8_t>&)` | | | | |
| Codecov - cover MT code in XMSS_PrivateKey | Matthias Gierlings | 2018-04-12 | 1 | -0/+8 |
| Codecov does not reach all parts of the `XMSS_PrivateKey` code because too few cores are detected during the CI run. To cover the missed codepaths, always return a large enough core count if botan is compiled with coverage. | | | | |
| Merge GH #1537 Add missing XMSS signature length check | Jack Lloyd | 2018-04-12 | 2 | -22/+21 |
| Adds missing XMSS signature length check. | Matthias Gierlings | 2018-04-12 | 2 | -22/+21 |
| - Fixes out of bounds read in `XMSS_Signature` constructor when the raw signature data supplied as arguments is shorter than the signature size defined by the XMSS parameter set encoded in the `XMSS_PublicKey`. | | | | |
| - Fixes valid signatures with arbitrary appended data being verified as correct signatures. | | | | |
| In XMSS_Tools::bench_threads only call hardware_concurrency once | Jack Lloyd | 2018-04-12 | 1 | -7/+9 |
| Getting this value will typically require either a system call or a cpuid call, both of which are fairly expensive. | | | | |
| Optimize EC point doubling for a == 0 and a == -3 | Jack Lloyd | 2018-04-11 | 3 | -9/+61 |
| Add EC_Group::a_is_zero | Jack Lloyd | 2018-04-11 | 2 | -1/+14 |
| Add DL_Group::exponent_bits | Jack Lloyd | 2018-04-09 | 4 | -7/+25 |
| Just a useful helper. | | | | |
| Add a Montgomery exponentiation that takes variable time | Jack Lloyd | 2018-04-09 | 1 | -7/+14 |
| In the case of RSA encryption/verification the public exponent is... public. So we don't need to carefully guard against side channels that leak the exponent. Improves RSA verification performance by 50% or more. | | | | |
| Add RAII versions of get_cipher_mode and get_aead | Jack Lloyd | 2018-04-07 | 3 | -14/+5 |
| See also #1526 | | | | |
| Add pk_workfactor CLI and refactor workfactor estimator functions | Jack Lloyd | 2018-04-05 | 1 | -12/+19 |
| No reason to duplicate the NFS workfactor estimator twice. | | | | |
| Merge GH #1523 RSA optimizations and exponent blinding | Jack Lloyd | 2018-04-04 | 2 | -25/+53 |
| Work around a bug in MSVC lambda handling | Jack Lloyd | 2018-04-04 | 1 | -1/+1 |
| Add RSA exponent blinding | Jack Lloyd | 2018-04-04 | 2 | -5/+14 |
| Additional paranoia never hurt. | | | | |
| Tweak how RSA private operations are performed | Jack Lloyd | 2018-04-04 | 1 | -25/+44 |
| Improves perf by about 15%. | | | | |
| Add DL_Group::monty_params_p to get Montgomery params | Jack Lloyd | 2018-04-04 | 2 | -2/+13 |
| Fix problems with failure to build in various configurations | Jack Lloyd | 2018-03-31 | 1 | -1/+1 |
| Minor DH optimization | Jack Lloyd | 2018-03-28 | 1 | -4/+6 |
| Saves 30k-170k cycles depending on param size. | | | | |
| Fix some Doxygen errors | Jack Lloyd | 2018-03-28 | 1 | -0/+12 |
| Fix carry bugs introduced in 8a7559e4f8ad | Jack Lloyd | 2018-03-27 | 2 | -22/+23 |
| Handle some corner cases in ECC mult | Jack Lloyd | 2018-03-25 | 3 | -5/+19 |
| For blinded_base_point_multiply_x, if the result is the point at infinity (eg due to k == group_order) return 0 instead of throwing. For base point multiply, reduce k mod order before masking, otherwise the combination of k + mask might exceed our precomputed table. | | | | |
| Add warning comment | Jack Lloyd | 2018-03-22 | 1 | -0/+6 |
| Add back mul/sqr to CurveGFp [ci skip] | Jack Lloyd | 2018-03-22 | 1 | -0/+10 |
| These were available in 2.4 and while users "shouldn't" be using CurveGFp, it is an exposed API. | | | | |
| Revamp GOST-34.10 tests | Jack Lloyd | 2018-03-21 | 1 | -6/+1 |
| Use an official vector (from RFC 5832), support arbitrary curves since GOST likes those for testing. | | | | |
| Add EC_Group::random_scalar | Jack Lloyd | 2018-03-21 | 8 | -6/+16 |
| Remove bogus -1 from DSA key generation | Jack Lloyd | 2018-03-21 | 1 | -1/+1 |
| GH #222 | | | | |
| Throw Lookup_Error here for benefit of tests | Jack Lloyd | 2018-03-21 | 1 | -2/+2 |
| Change DSA behavior similarly | Jack Lloyd | 2018-03-21 | 1 | -2/+2 |
| Shift ECDSA inputs to match OpenSSL behavior | Jack Lloyd | 2018-03-21 | 2 | -4/+4 |
| See also GH #986 | | | | |
| Remove unused variables [ci skip] | Jack Lloyd | 2018-03-21 | 2 | -4/+0 |
| Add another Ed25519 helper to save a few hundred redundant lines | Jack Lloyd | 2018-03-20 | 3 | -301/+106 |
| No impact on performance. | | | | |
| Add some helpers for handling carries in Ed25519 | Jack Lloyd | 2018-03-20 | 4 | -893/+491 |
| Store base point multiplies in a single std::vector | Jack Lloyd | 2018-03-20 | 6 | -30/+158 |
| Since the point is public all the values are also, so this reduces pressure on the mlock allocator and may (slightly) help perf through cache read-ahead. Downside is cache based side channels are slightly easier (vs the data being stored in discontiguous vectors). But we shouldn't rely on that in any case. And having it be in an array makes a masked table lookup easier to arrange. | | | | |