path: root/src/lib/utils/ct_utils.h
Commit message / Author / Age / Files / Lines

* Make bigint_sub_abs const time
  Jack Lloyd, 2018-12-27, 1 file, -0/+23

* Promote ct_is_zero and expand_top_bit to bit_ops.h
  Jack Lloyd, 2018-12-22, 1 file, -10/+3

* Use consistent logic for OAEP and PKCS1v15 decoding
  Jack Lloyd, 2018-12-21, 1 file, -13/+10

  The decoding leaked some information about the delimiter index due to copying only exactly input_len - delim_idx bytes. I can't articulate a specific attack that would work here, but it is easy enough to fix this to run in const time instead, where all bytes are accessed regardless of the length of the padding.

  CT::copy_out is O(n^2) and thus terrible, but in practice it is only used with RSA decryption, and multiplication is also O(n^2) with the modulus size, so a few extra cycles here doesn't matter much.

* Fix some MSVC warnings in CT::Mask
  Jack Lloyd, 2018-12-04, 1 file, -2/+2

* Fix a bug in OneAndZeros unpadding
  Jack Lloyd, 2018-11-30, 1 file, -0/+10

  Introduced in b13c0cc8590199d, it could only trigger if the block size was more than 256 bytes. In that case an invalid padding could be accepted.

  OSS-Fuzz 11608 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11608)

* Add CT::Mask type
  Jack Lloyd, 2018-11-28, 1 file, -111/+266

* Implement const time select based on xor-swap
  Jack Lloyd, 2018-11-23, 1 file, -1/+2
  For some compilers this may make the difference between compiling using bitmasks as intended, and compiling with a conditional jump.
* Make a few simple functions constexpr
  Jack Lloyd, 2018-10-01, 1 file, -10/+10

  This is primarily just to verify that C++11 constexpr works.

* Add fuzzer for mode unpadding, and fix bugs found thereby
  Jack Lloyd, 2018-09-22, 1 file, -0/+8

  Both PKCS7 and X9.23 padding modes did not examine the first byte of the purported padding if the padding took an entire block. So for example for a 64-bit cipher, PKCS7 would accept XX08080808080808 as a valid padding for any byte value.

* Optimize CT::is_zero, CT::expand_mask, CT::expand_top_bit
  Jack Lloyd, 2018-09-07, 1 file, -21/+20

* Use masked table lookup in ECC base point multiplication
  Jack Lloyd, 2018-06-19, 1 file, -0/+12

* Make Karatsuba multiply completely const time
  Jack Lloyd, 2018-06-14, 1 file, -5/+7

* Address various GCC warnings
  Jack Lloyd, 2017-10-06, 1 file, -5/+7

  Things like -Wconversion and -Wuseless-cast that are noisy and not on by default.

* Force expand_mask to be on T instead of int
  Jack Lloyd, 2017-10-03, 1 file, -1/+1

  Which is what the expression evaluates to. Caught by MSVC warning.

* Change header guard format to BOTAN_FOO_H_
  Jack Lloyd, 2017-09-20, 1 file, -2/+2

  ISO C++ reserves names with double underscores in them.

  Closes #512

* Add basic tests for const time utils
  Jack Lloyd, 2017-09-19, 1 file, -28/+10

  Remove CT::min and CT::max which were unused and, it turns out, broken.

* Fix various MSVC warnings
  Jack Lloyd, 2017-08-31, 1 file, -1/+1

  Based on VC2017 output.

* Convert to using standard uintN_t integer types
  Jack Lloyd, 2016-12-18, 1 file, -2/+2

  Renames a couple of functions for somewhat better name consistency, e.g. make_u32bit becomes make_uint32. The old typedefs remain for now since probably lots of application code uses them.

* Don't reject TLS packets with zero plaintext bytes
  Jack Lloyd, 2016-04-15, 1 file, -0/+6

  OpenSSL sends an empty record before each new data record in TLS v1.0 to randomize the IV, as a countermeasure to the BEAST attack. Most implementations use 1/(n-1) splitting for this instead.

  Bug introduced with the const time changes in 1.11.23.

* Clean up PK decryption encoding.
  Jack Lloyd, 2016-03-20, 1 file, -5/+9

  Previously RSA and ElGamal stripped off leading zeros which were then assumed by the padding decoders. Instead have them produce ciphertexts with leading zeros. Changes EME_Raw to strip leading zeros to match existing behavior.

* Add PK_Decryptor::decrypt_or_random
  Jack Lloyd, 2016-03-20, 1 file, -2/+24

  Performs content checks on the value (expected length, expected bytes) and in constant time returns either the decrypted value or a random value.

* Add constant time conditional swap, add, sub for bigint words
  Jack Lloyd, 2016-02-17, 1 file, -1/+1

  Not optimized and relies on asm support for const time word_add/word_sub instructions.

  Fix a bug introduced in 46e9a89 - unpoison needs to call the valgrind API with the pointer rather than the reference. Caused values not to be unpoisoned.

* Avoid Coverity false positive
  Jack Lloyd, 2016-02-09, 1 file, -1/+5

  It assumes unpoison is expecting a pointer to T and sizeof(T), but the sizeof is evaluated in unpoison but only in the case of building with valgrind. Just call the valgrind API again directly.

* Use valgrind's memcheck API for checking const time annotations
  Jack Lloyd, 2016-01-03, 1 file, -14/+27

  Has the same effect as using ctgrind, but without requiring a custom-compiled valgrind binary.

  Add ct checking annotations to the SSSE3 AES code.

* Missing include dependency
  Jack Lloyd, 2015-10-26, 1 file, -1/+1

* Asan fix - referencing &vec[vec.size()] instead of vec.end()
  Jack Lloyd, 2015-10-26, 1 file, -0/+16

  Convert to a const time algo.

* TLS improvements
  Jack Lloyd, 2015-10-25, 1 file, -0/+36

  Use constant time operations when checking CBC padding in TLS decryption.

  Fix a bug in decoding ClientHellos that prevented DTLS rehandshakes from working: on decode the session id and hello cookie would be swapped, causing confusion between client and server.

  Various changes in the service of finding the above DTLS bug that should have been done before now anyway - better control of handshake timeouts (via TLS::Policy), better reporting of handshake state in the case of an error, and finally expose the facility for per-message application callbacks.

* Make Montgomery reduction constant time.
  Jack Lloyd, 2015-10-24, 1 file, -71/+48

  It was already close, but the carry loop would break early and selecting which value to copy out was indexed on the borrow bit. Have the carry loop run through, and add a const-time conditional copy operation and use that to copy the output.

  Convert ct_utils to CT namespace. Templatize the utils, which I was hesitant to do initially but is pretty useful when dealing with arbitrary word sizes.

  Remove the poison macros, replace with inline funcs which reads cleaner at the call site.

* Cleanups in ct and oaep
  Jack Lloyd, 2015-10-17, 1 file, -87/+12

  In OAEP expand the const time block to cover MGF1 also.

* Make PKCS #1 and OAEP decoding constant time to avoid oracle attacks
  Jack Lloyd, 2015-10-16, 1 file, -0/+207

  via timing channels. Add annotations for checking constant-time code using ctgrind to PKCS #1 and OAEP, as well as IDEA and Curve25519 which were already written as constant time code.