| Commit message | Notes | Author | Date | Files | Lines |
|---|---|---|---|---|---|
| Add message to BOTAN_ARG_CHECK and use it more widely | | Jack Lloyd | 2018-05-13 | 44 | -95/+138 |
| Inline BigInt::shrink_to_fit | Improves P-256 a bit | Jack Lloyd | 2018-05-09 | 2 | -7/+5 |
| Merge GH #1564 Add 24x Comba multiply/square | | Jack Lloyd | 2018-05-09 | 3 | -1/+1101 |
| Add 24-word wide Comba multiply/square | Improves performance on "odd" sized DH/RSA (eg 1536, 3072, 6144) where otherwise the Karatsuba operation bottoms out with 24-word operands which ended up in the basecase multiply. | Jack Lloyd | 2018-05-08 | 3 | -1/+1101 |
| Slight refactoring to avoid GCC signed overflow warnings. [ci skip] | Couldn't occur since length is 24 bits but GCC couldn't figure that out. | Jack Lloyd | 2018-05-08 | 1 | -4/+4 |
| Merge GH #1563 Use correct calling convention for RtlGenRandom | | Jack Lloyd | 2018-05-07 | 1 | -4/+8 |
| Use type BYTE instead of BOOLEAN | | Simon Warta | 2018-05-08 | 1 | -1/+4 |
| Rename RtlGenRandom_f -> RtlGenRandom_fptr | because this is a function pointer, not a function | Simon Warta | 2018-05-07 | 1 | -3/+3 |
| Rewrite assignment of RtlGenRandom_f using "using" | | Simon Warta | 2018-05-07 | 1 | -1/+1 |
| Check return value of m_rtlgenrandom against proper type | | Simon Warta | 2018-05-07 | 1 | -1/+2 |
| Use BOOLEAN return type for RtlGenRandom_f | | Simon Warta | 2018-05-07 | 1 | -1/+1 |
| Add missing NTAPI to RtlGenRandom_f signature | | Simon Warta | 2018-05-07 | 1 | -1/+1 |
| Fix some warnings new in GCC 8.1 | It thinks the typedefs are "locals" that are being conflicted with, which seems wrong to me but whatever. | Jack Lloyd | 2018-05-07 | 6 | -43/+49 |
| Remove needless allocation in Montgomery_Int::mul_by | | Jack Lloyd | 2018-05-02 | 2 | -7/+41 |
| Make Montgomery_Int public, add function for addition with workspace | | Jack Lloyd | 2018-05-02 | 2 | -3/+11 |
| Add OpenPGP-specific curve OIDs | | Marcus Brinkmann | 2018-05-02 | 1 | -1/+5 |
| Inline this operator+ [ci skip] | | Jack Lloyd | 2018-04-26 | 2 | -6/+1 |
| Add a comment on side channels here | | Jack Lloyd | 2018-04-26 | 1 | -4/+5 |
| Correct handling of gcd(p - 1, e) in RSA keygen | We were calling inverse mod but because p - 1 > e the binary extended euclidean algorithm was used instead of the const time version. Use the fact that e is odd (for RSA keys) to remove the factors of 2 from p - 1 and then check coprimality that way, since it allows using our const time algo. | Jack Lloyd | 2018-04-26 | 1 | -7/+25 |
| Remove unused include | | Jack Lloyd | 2018-04-26 | 1 | -1/+0 |
| Rewrite GCD in less branchy way, and use Montgomery in M-R test | | Jack Lloyd | 2018-04-26 | 1 | -16/+30 |
| Add BigInt functions for adding, subtracting and comparing with words | Avoids needless allocations for expressions like x - 1 or y <= 4. | Jack Lloyd | 2018-04-26 | 4 | -51/+142 |
| Add final annotations [ci skip] | | Jack Lloyd | 2018-04-24 | 1 | -3/+3 |
| Add BigInt::mod_sub | | Jack Lloyd | 2018-04-23 | 4 | -93/+128 |
| Use EC_Group::inverse_mod_order where appropriate | | Jack Lloyd | 2018-04-20 | 2 | -6/+3 |
| Add Fermat based inversion of P-384 field elements | Cuts about 100K cycles from the inversion, improving ECDSA sign by 10% and ECDH by ~2%. Addition chain from https://briansmith.org/ecc-inversion-addition-chains-01. GH #1479 | Jack Lloyd | 2018-04-19 | 1 | -0/+72 |
| Add field inversion for P-521 | ECDSA sign about 10% faster, ECDSA verify and ECDH about 5% faster. | Jack Lloyd | 2018-04-18 | 1 | -0/+68 |
| Add optimized inversion for P-256 | Could be slightly more clever here but this is pretty decent. GH #1479 | Jack Lloyd | 2018-04-18 | 1 | -0/+75 |
| Add early exit for P-192 reduce | | Jack Lloyd | 2018-04-18 | 1 | -0/+5 |
| Remove now unused function | | Jack Lloyd | 2018-04-18 | 1 | -19/+0 |
| Optimize P-224 reduction | 5-7% faster ECDSA | Jack Lloyd | 2018-04-18 | 1 | -47/+77 |
| Further NIST reduction tweaks | | Jack Lloyd | 2018-04-18 | 1 | -40/+44 |
| P-192 optimizations | 5-7% faster for ECDSA and ECDH | Jack Lloyd | 2018-04-18 | 1 | -34/+64 |
| Micro optimizations in P-256 and P-384 reductions | Improves ECDSA and ECDH by 1% or so. | Jack Lloyd | 2018-04-18 | 1 | -30/+73 |
| Minor optimizations for P-256 and P-384 | Improves ECDSA by ~5% on Skylake | Jack Lloyd | 2018-04-17 | 1 | -161/+65 |
| Add EC_Group::inverse_mod_order | Centralizing this logic allows curve specific implementations such as using a precomputed ladder for exponentiating by p - 2. GH #1479 | Jack Lloyd | 2018-04-17 | 6 | -6/+21 |
| Precompute for multiexponentiation when verifying ECC signatures | ECDSA already did this. Improves repeated ECGDSA, ECKCDSA, SM2, and GOST signature verification by 10-15% | Jack Lloyd | 2018-04-17 | 4 | -15/+19 |
| Avoid potential side channel when generating RSA primes | Add a new function dedicated to generating RSA primes. Don't test for p.bits() > bits until the very end - rarely happens, and speeds up prime generation quite noticeably. Add Miller-Rabin error probabilities for 1/2**128, which again speeds up RSA keygen and DL param gen quite a bit. | Jack Lloyd | 2018-04-17 | 4 | -43/+179 |
| Remove debug assignment [ci skip] | | Jack Lloyd | 2018-04-16 | 1 | -1/+0 |
| Truncate new SKIDs to 192 bits | More than long enough, and saves quite a bit of space especially for SHA-512 certificates. | Jack Lloyd | 2018-04-16 | 2 | -6/+9 |
| Add vars to split the two Karatsuba sub-workspaces | | Jack Lloyd | 2018-04-16 | 1 | -14/+20 |
| Merge GH #1540 Progress towards const-time RSA | | Jack Lloyd | 2018-04-16 | 10 | -47/+112 |
| Add const time annotations | | Jack Lloyd | 2018-04-15 | 6 | -7/+43 |
| Simplify Karatsuba code | And set us up for eventually having this be completely const time. | Jack Lloyd | 2018-04-15 | 3 | -39/+43 |
| Use GCC builtins for clz operation | | Jack Lloyd | 2018-04-15 | 1 | -1/+26 |
| Use bad_record_mac instead of decode_error for short TLS packets | Decode error seems more appropriate but it confuses some automated tools including older versions of TLS-Attacker. | Jack Lloyd | 2018-04-16 | 1 | -1/+8 |
| Add an explicit test mode build | GH #1537 | Jack Lloyd | 2018-04-14 | 1 | -2/+2 |
| Merge GH #1538 Minor ECC optimizations | | Jack Lloyd | 2018-04-14 | 7 | -21/+105 |
| Various minor ECC optimizations | Add a way of getting Montgomery representation of one. Reduce use of temporaries in variable point mult. Prefer doubling over addition in precomputing fixed window. Add Brainpool ECDH tests. Improves ECDH by 2-3% across the board | Jack Lloyd | 2018-04-13 | 7 | -21/+105 |
| Merge GH #1531 Improve XMSS test coverage | | Jack Lloyd | 2018-04-14 | 3 | -12/+8 |