aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib
Commit message (Collapse)AuthorAgeFilesLines
* Minor optimization for Montgomery exponentiationJack Lloyd2018-06-233-17/+26
| | | | | | | | | The loop started off by squaring the result value, but at that point it is always one (or the Montgomery representation thereof). Avoiding those squarings does not leak any information about the exponent, because we haven't even looked at the exponent at that point. Improves RSA verify performance by about 5%, everything else ~1% speedup
* Some fiddling with RSA private operationJack Lloyd2018-06-221-18/+29
| | | | | Spawning the thread off as quickly as possible helps perf slighty, especially with larger modulus.
* Remove outdated comment [ci skip]Jack Lloyd2018-06-211-2/+0
|
* Avoid needless alloc and copyJack Lloyd2018-06-212-7/+11
|
* Fix a header comment and inline PointGFp::add/add_affineJack Lloyd2018-06-212-26/+23
|
* Attempt to verify decoded ECC groups are using prime fieldsJack Lloyd2018-06-202-5/+57
| | | | | | | Otherwise ressol (part of point decompression) can end up in very long loop. OSS-Fuzz 9011
* Avoid an unncecessary mallocJack Lloyd2018-06-201-1/+1
|
* Use masked table lookups for variable point scalar multJack Lloyd2018-06-201-10/+30
|
* Changes to allow masked lookups for variable point multJack Lloyd2018-06-208-146/+174
|
* Remove build time toggle for ECC coordinate maskingJack Lloyd2018-06-202-16/+16
| | | | | | | | | This is not a decision we should leave to end users. And always use a random mask equal in size to the underlying field. It was never quite clear if 80 bits was sufficient or not. But taking a random field element is clearly the best possible situation, and has very little additional cost.
* Perform ECC mult starting from top bit of the exponentJack Lloyd2018-06-201-17/+16
| | | | | | | Since we know the top bit is 1, then R will always be a point other than point at infinity after the very first addition regardless of the scalar or mask, so then coordinate randomization is guaranteed to work.
* Avoid a small timing channel in Barrett reductionJack Lloyd2018-06-201-8/+12
| | | | No known exploit for this but no point taking chances.
* Ensure that trying to add points from different groups fails.Jack Lloyd2018-06-192-13/+19
| | | | Producing garbage instead is asking for trouble.
* Use masked table lookup in ECC base point multiplicationJack Lloyd2018-06-192-9/+42
|
* Avoid a special case in Barrett reduction for x < modJack Lloyd2018-06-181-8/+3
| | | | This would have prevented CVE-2018-12435
* Avoid unnecessary realloc in BigInt::mod_subJack Lloyd2018-06-171-2/+7
|
* Add some todo comments wrt side channels in ECC scalar multJack Lloyd2018-06-171-0/+5
|
* Avoid leaking size of exponentJack Lloyd2018-06-1711-51/+119
| | | | See #1606 for discussion
* Merge GH #1609 Avoid small side channel in ECC field mulJack Lloyd2018-06-151-22/+15
|\
| * In ECC avoid using significant words to dispatch the mult algoJack Lloyd2018-06-151-22/+15
| | | | | | | | | | | | Normally all elements will be exact number of limbs as the field. Any situation with short elements is rare and not worth optimizing for, and likely leads to some unfortunate side channel.
* | TLS would try to negotiate x25519 even if disabledJack Lloyd2018-06-151-2/+6
|/ | | | | | | | Also reorder ECC groups to actually match performance characteristics. I'm not sure when P-384 was slower than P-521 but it certainly isn't anymore. Fixes #1607
* Add combined conditional add-or-subtractJack Lloyd2018-06-143-5/+41
|
* Remove CT annotations from Montgomery reductionJack Lloyd2018-06-141-8/+0
| | | | | The poisons don't stack so the unpoison hid conditional jumps we want to find.
* In Montgomery mul, avoid branching based on sig words of integersJack Lloyd2018-06-141-13/+21
| | | | Instead just assume they are the same size as the prime
* Make Karatsuba multiply completely const timeJack Lloyd2018-06-144-24/+52
|
* Avoid overallocation of memory for EC base point multiplesJack Lloyd2018-06-141-1/+1
| | | | | | | The size is rounded up to next 8 words so there was substantial slack here. No noticable perf difference.
* Add 192-bit Suite B policyJack Lloyd2018-06-141-0/+36
| | | | Since 128-bit policy is actually not even allowed since 2015.
* Address DSA/ECDSA side channelJack Lloyd2018-06-134-17/+80
|
* Unroll bigint_monty_redc for various sizesJack Lloyd2018-06-114-24/+2691
| | | | Speedup of 10 to 30% depending on algo
* Add missing statementJack Lloyd2018-06-081-0/+1
|
* Attempt at MSVC 2013 workaroundJack Lloyd2018-06-081-2/+4
|
* Expose BER_Decoder constructor taking BER_Object&&Jack Lloyd2018-06-082-4/+10
|
* Reduce copying/allocations when BER decodingJack Lloyd2018-06-082-81/+194
| | | | | | | We are constrained in how far we can go because BER_Object must mandatorily copy its value (due to the public member variable exposting the bytes). But this reduces the number of allocations when parsing a sample X.509 certificate by about 15%
* Allow passing a writer function callback to DER_EncoderJack Lloyd2018-06-082-10/+18
|
* Declare copy and move constructors on BER_ObjectJack Lloyd2018-06-081-0/+8
|
* Constify some local variablesJack Lloyd2018-06-081-2/+2
|
* Improve error reporting on unexpected EOF when decoding ASNJack Lloyd2018-06-081-4/+17
|
* Fix a bug in Barrett reductionJack Lloyd2018-06-052-26/+33
| | | | | | -x*n % n would reduce to n instead of zero. Also some small optimizations and cleanups.
* Correct exception message [ci skip]Jack Lloyd2018-06-041-1/+1
| | | | The previous message was both incorrect and very misleading.
* Merge GH #1594 Add ECDSA Wycheproof testsJack Lloyd2018-05-314-16/+52
|\
| * Handle EC_R_BAD_SIGNATURE from OpenSSLJack Lloyd2018-05-312-0/+14
| |
| * Prevent signature malleability in DER/BER encoded sigsJack Lloyd2018-05-311-14/+35
| |
| * Correct error in P-224 computationJack Lloyd2018-05-311-2/+3
| | | | | | | | | | | | | | | | If x was very small to start with x.size() might be under the limb count which would cause the final addition to throw because the destination array was smaller than the P-224 p being added. Caught by Wycheproof ECDSA tests
* | Move codec_base.h to internal header in utilsJack Lloyd2018-05-315-5/+4
| |
* | Refactoring Base32 to use the templated algorithmWambou2018-05-312-182/+146
| |
* | Define templated base encoding/decodingWambou2018-05-312-0/+167
| |
* | Implement Base32Wambou2018-05-313-0/+417
|/
* Add back support for Windows Phone RNG, undeprecate UWPJack Lloyd2018-05-282-0/+49
| | | | See #1586. Reverts part of #1494
* Tiny optimization in MDx_HashFunction::final_resultJack Lloyd2018-05-281-2/+1
| | | | Typically not a bottleneck but this shows up in XMSS profiling
* Merge GH #1584 Add BMI2 optimization for SHA-256Jack Lloyd2018-05-277-4/+192
|\
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-29 13:36:30 +0000