path: root/src/lib
Commit log (each entry: commit message, author, date, files changed, lines removed/added)
* Do swaps in PointGFp instead of copies
| Jack Lloyd, 2018-12-05, 2 files changed, -14/+13
| Saves 5% for ECDSA
* Avoid needless is_zero check in set_sign
| Jack Lloyd, 2018-12-05, 1 file changed, -4/+4
| If not negative we don't need to check the size
* Fix Doxygen errors [ci skip]
| Jack Lloyd, 2018-12-05, 2 files changed, -1/+1
* Make BigInt::cond_flip_sign constant time
| Jack Lloyd, 2018-12-05, 1 file changed, -3/+9
* Use BigInt::cond_flip_sign
| Jack Lloyd, 2018-12-05, 3 files changed, -7/+4
* Don't leak if x is zero either
| Jack Lloyd, 2018-12-05, 1 file changed, -39/+37
* Remove some conditional branches from division
| Jack Lloyd, 2018-12-05, 3 files changed, -22/+27
* Fix more MSVC warnings
| Jack Lloyd, 2018-12-04, 1 file changed, -1/+1
* Reduce the base in the fixed window exponentiator
| Jack Lloyd, 2018-12-04, 1 file changed, -1/+1
| Otherwise we can end up calling the Barrett reducer with an input that is more than the square of the modulus, which will make it fall back to the (slow) const time division. This only affected even moduli, and only when the base was larger than the modulus.
| OSS-Fuzz 11750
* Silence MSVC warnings
| Jack Lloyd, 2018-12-04, 10 files changed, -114/+116
| static_casts for the compiler god
* Fix some misc MSVC warnings
| Jack Lloyd, 2018-12-04, 2 files changed, -4/+4
* Fix some MSVC warnings in CT::Mask
| Jack Lloyd, 2018-12-04, 1 file changed, -2/+2
* Merge GH #1767 Switch Travis builds to Xenial
|\  Jack Lloyd, 2018-12-04, 2 files changed, -4/+8
| * Fix a memory leak in OpenSSL ECDH
| | Jack Lloyd, 2018-12-03, 1 file changed, -3/+5
| * Add PVR identifier for POWER9
| | Jack Lloyd, 2018-12-03, 1 file changed, -1/+3
| | According to qemu-ppc64le -cpu help output
* | Merge GH #1765 Avoid some conditional branches in binary extended Euclidean algorithm
|\ \  Jack Lloyd, 2018-12-03, 3 files changed, -12/+62
| |/
|/|
| * Make binary extended Euclidean algorithm less branchy
| | Jack Lloyd, 2018-12-03, 3 files changed, -12/+62
| | This is still leaky, but much less than before.
* | Fix Sphinx errors
| | Jack Lloyd, 2018-12-03, 2 files changed, -1/+2
* | Fix bug in TLS CBC unpadding
|/  Jack Lloyd, 2018-12-03, 1 file changed, -1/+1
|   Regression introduced in 007314c5
|   Found by OSS-Fuzz (bug id 11693)
* Extend ct_modulo to handle negative inputs
| Jack Lloyd, 2018-12-03, 1 file changed, -8/+17
| Unfortunately Barrett reduction's API allows negative inputs
* Use const time reductions in Barrett and LCM computations
| Jack Lloyd, 2018-12-03, 3 files changed, -4/+23
* Use ct_modulo in format preserving encryption
| Jack Lloyd, 2018-12-03, 1 file changed, -2/+2
* Use ct_modulo during RSA key generation
| Jack Lloyd, 2018-12-03, 1 file changed, -6/+7
* Fix shift operator
| Jack Lloyd, 2018-12-03, 1 file changed, -1/+1
| This would continually reallocate to larger sizes, which is bad news.
* Add ct_modulo and BigInt::ct_cond_swap
| Jack Lloyd, 2018-12-03, 4 files changed, -7/+62
* Merge GH #1759 Add constant time divide by uint8_t
|\  Jack Lloyd, 2018-12-03, 3 files changed, -7/+59
| * Add a constant time divide variant for dividing by uint8_t
| | Jack Lloyd, 2018-12-02, 3 files changed, -7/+59
| | Originally wrote it for div-by-word but that ends up requiring a dword type which we don't always have. And uint8_t covers the most important cases of n = 10 and n = 58 (whenever I get around to writing base58). We could portably support up to div-by-uint32, but I don't think we need it.
| | Nicely for n = 10, this is actually faster than the variable time division.
* | Merge GH #1758 Remove some conditional branches from variable time division
|\ \  Jack Lloyd, 2018-12-03, 1 file changed, -53/+46
| |/
|/|
| * Make variable time division less branchy
| | Jack Lloyd, 2018-12-02, 1 file changed, -53/+46
| | This is still leaky, but better than nothing.
* | Merge GH #1757 Add a constant time division algorithm
|\|  Jack Lloyd, 2018-12-02, 4 files changed, -8/+69
| * Add a const-time division algorithm
| | Jack Lloyd, 2018-12-02, 4 files changed, -8/+69
| | It is stupid and slow (~50-100x slower than variable time version) but still useful for protecting critical algorithms.
| | Not currently used, waiting for OSS-Fuzz to test it for a while before we commit to it.
* | Merge GH #1756 Support getting passphrase from the console
|\ \  Jack Lloyd, 2018-12-02, 2 files changed, -2/+126
| |/
|/|
| * Avoid macro conflict when including termios in amalgamation
| | Jack Lloyd, 2018-12-02, 1 file changed, -0/+1
| * Add Win32 support for echo suppression
| | Jack Lloyd, 2018-12-01, 1 file changed, -3/+47
| | Tested with MinGW cross compiler and Wine.
| * Promote echo suppression of terminal to Botan::OS
| | Jack Lloyd, 2018-12-01, 2 files changed, -2/+81
* | Fix a bug in bigint_sub_abs
| | Jack Lloyd, 2018-12-02, 1 file changed, -0/+7
| | If one of the values had leading zero words, this could end up calling bigint_sub with x_size < y_size.
| | OSS-Fuzz 11664 and 11656
* | One variable per line
|/  Jack Lloyd, 2018-12-02, 1 file changed, -1/+2
* Correct a bug in BigInt::operator%(word)
| Jack Lloyd, 2018-12-01, 2 files changed, -21/+26
| If reducing a negative number modulo a power of 2, an incorrect result would be returned. This only affected the versions taking a single word as the modulo.
* No need to check x when checking if a point is at infinity
| Jack Lloyd, 2018-12-01, 1 file changed, -2/+1
| I'm not sure why this was here.
* Unroll mod_sub for 6 words also, helps P-384 quite a bit
| Jack Lloyd, 2018-12-01, 1 file changed, -0/+2
* Avoid conditional operations in P-521 reduction
| Jack Lloyd, 2018-12-01, 1 file changed, -30/+31
* Add BigInt::mod_mul
| Jack Lloyd, 2018-12-01, 9 files changed, -56/+104
* Simplify BigInt addition and subtraction
| Jack Lloyd, 2018-11-30, 5 files changed, -187/+151
| Addition already has to handle negative numbers so make it do double duty for subtraction.
* Fix a bug in OneAndZeros unpadding
| Jack Lloyd, 2018-11-30, 2 files changed, -5/+16
| Introduced in b13c0cc8590199d, it could only trigger if the block size was more than 256 bytes. In that case an invalid padding could be accepted.
| OSS-Fuzz 11608 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11608)
* Fix debug asserts, and add it to CI
| Jack Lloyd, 2018-11-29, 1 file changed, -2/+2
* Add CT::Mask type
| Jack Lloyd, 2018-11-28, 19 files changed, -283/+480
* Fix typo [ci skip]
| Jack Lloyd, 2018-11-27, 1 file changed, -1/+1
* Need to ensure minimum size here
| Jack Lloyd, 2018-11-27, 1 file changed, -0/+1
| Previously handled by the early exit
* Optimizations for NIST reduction
| Jack Lloyd, 2018-11-26, 1 file changed, -22/+20
| Also avoid an early exit in P-521
* Make more BigInt functions const-time
| Jack Lloyd, 2018-11-26, 7 files changed, -135/+328
| In particular comparisons, calc sig words, and mod_sub are const time now.