aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/utils/ct_utils.h
Commit message (Collapse)AuthorAgeFilesLines
* Force expand_mask to be on T instead of intJack Lloyd2017-10-031-1/+1
| | | | Which is what the expression evaluates to. Caught by MSVC warning.
* Change header guard format to BOTAN_FOO_H_Jack Lloyd2017-09-201-2/+2
| | | | | | ISO C++ reserves names with double underscores in them Closes #512
* Add basic tests for const time utilsJack Lloyd2017-09-191-28/+10
| | | | Remove CT::min and CT::max which were unused and it turns out, broken.
* Fix various MSVC warningsJack Lloyd2017-08-311-1/+1
| | | | Based on VC2017 output
* Convert to using standard uintN_t integer typesJack Lloyd2016-12-181-2/+2
| | | | | | Renames a couple of functions for somewhat better name consistency, eg make_u32bit becomes make_uint32. The old typedefs remain for now since probably lots of application code uses them.
* Don't reject TLS packets with zero plaintext bytesJack Lloyd2016-04-151-0/+6
| | | | | | | | OpenSSL sends an empty record before each new data record in TLS v1.0 to randomize the IV, as a countermeasure to the BEAST attack. Most implementations use 1/(n-1) splitting for this instead. Bug introduced with the const time changes in 1.11.23
* Clean up PK decryption encoding.Jack Lloyd2016-03-201-5/+9
| | | | | | | Previously RSA and ElGamal stripped off leading zeros which were then assumed by the padding decoders. Instead have them produce ciphertexts with leading zeros. Changes EME_Raw to strip leading zeros to match existing behavior.
* Add PK_Decryptor::decrypt_or_randomJack Lloyd2016-03-201-2/+24
| | | | | Performs content checks on the value (expected length, expected bytes) and in constant time returns either the decrypted value or a random value.
* Add constant time conditional swap, add, sub for bigint wordsJack Lloyd2016-02-171-1/+1
| | | | | | | | | Not optimized and relies on asm support for const time word_add/word_sub instructions. Fix a bug introduced in 46e9a89 - unpoison needs to call the valgrind API with the pointer rather than the reference. Caused values not to be unpoisoned.
* Avoid Coverity false positiveJack Lloyd2016-02-091-1/+5
| | | | | | | | It assumes unpoison is expecting a pointer to T and sizeof(T), but the sizeof is evaluated in unpoison but only in the case of building with valgrind. Just call the valgrind API again directly
* Use valgrind's memcheck API for checking const time annotationsJack Lloyd2016-01-031-14/+27
| | | | | | | Has the same effect as using ctgrind, but without requiring a custom-compiled valgrind binary. Add ct checking annotations to the SSSE3 AES code.
* Missing include dependencyJack Lloyd2015-10-261-1/+1
|
* Asan fix - referencing &vec[vec.size()] instead of vec.end()Jack Lloyd2015-10-261-0/+16
| | | | Convert to a const time algo
* TLS improvementsJack Lloyd2015-10-251-0/+36
| | | | | | | | | | | | | | Use constant time operations when checking CBC padding in TLS decryption Fix a bug in decoding ClientHellos that prevented DTLS rehandshakes from working: on decode the session id and hello cookie would be swapped, causing confusion between client and server. Various changes in the service of finding the above DTLS bug that should have been done before now anyway - better control of handshake timeouts (via TLS::Policy), better reporting of handshake state in the case of an error, and finally expose the facility for per-message application callbacks.
* Make Montgomery reduction constant time.Jack Lloyd2015-10-241-71/+48
| | | | | | | | | | | | | | It was already close, but the carry loop would break early and selecting which value to copy out was indexed on the borrow bit. Have the carry loop run through, and add a const-time conditional copy operation and use that to copy the output. Convert ct_utils to CT namespace. Templatize the utils, which I was hesitant to do initially but is pretty useful when dealing with arbitrary word sizes. Remove the poison macros, replace with inline funcs which reads cleaner at the call site.
* Cleanups in ct and oaepJack Lloyd2015-10-171-87/+12
| | | | In OAEP expand the const time block to cover MGF1 also
* Make PKCS #1 and OAEP decoding constant time to avoid oracle attacksJack Lloyd2015-10-161-0/+207
via timing channels. Add annotations for checking constant-time code using ctgrind to PKCS #1 and OAEP, as well as IDEA and Curve25519 which were already written as constant time code.