path: root/src/lib
Each entry: commit message (author, date; files changed, lines removed/added). Commits from a merged branch are indented under their merge commit; commit body text follows the subject line.

* Merge GH #1767 Switch Travis builds to Xenial (Jack Lloyd, 2018-12-04; 2 files, -4/+8)
  * Fix a memory leak in OpenSSL ECDH (Jack Lloyd, 2018-12-03; 1 file, -3/+5)
  * Add PVR identifier for POWER9 (Jack Lloyd, 2018-12-03; 1 file, -1/+3)
    According to qemu-ppc64le -cpu help output
* Merge GH #1765 Avoid some conditional branches in binary extended Euclidean algorithm (Jack Lloyd, 2018-12-03; 3 files, -12/+62)
  * Make binary extended Euclidean algorithm less branchy (Jack Lloyd, 2018-12-03; 3 files, -12/+62)
    This is still leaky, but much less than before.
* Fix Sphinx errors (Jack Lloyd, 2018-12-03; 2 files, -1/+2)
* Fix bug in TLS CBC unpadding (Jack Lloyd, 2018-12-03; 1 file, -1/+1)
  Regression introduced in 007314c5
  Found by OSS-Fuzz (bug id 11693)
* Extend ct_modulo to handle negative inputs (Jack Lloyd, 2018-12-03; 1 file, -8/+17)
  Unfortunately Barrett reductions API allows negative inputs
* Use const time reductions in Barrett and LCM computations (Jack Lloyd, 2018-12-03; 3 files, -4/+23)
* Use ct_modulo in format preserving encryption (Jack Lloyd, 2018-12-03; 1 file, -2/+2)
* Use ct_modulo during RSA key generation (Jack Lloyd, 2018-12-03; 1 file, -6/+7)
* Fix shift operator (Jack Lloyd, 2018-12-03; 1 file, -1/+1)
  This would continually reallocate to larger sizes which is bad news.
* Add ct_modulo and BigInt::ct_cond_swap (Jack Lloyd, 2018-12-03; 4 files, -7/+62)
* Merge GH #1759 Add constant time divide by uint8_t (Jack Lloyd, 2018-12-03; 3 files, -7/+59)
  * Add a constant time divide variant for dividing by uint8_t (Jack Lloyd, 2018-12-02; 3 files, -7/+59)
    Originally wrote it for div-by-word but that ends up requiring a dword type which we don't always have. And uint8_t covers the most important cases of n = 10 and n = 58 (whenever I get around to writing base58). We could portably support up to div-by-uint32, but I don't think we need it.
    Nicely for n = 10, this is actually faster than the variable time division.
* Merge GH #1758 Remove some conditional branches from variable time division (Jack Lloyd, 2018-12-03; 1 file, -53/+46)
  * Make variable time division less branchy (Jack Lloyd, 2018-12-02; 1 file, -53/+46)
    This is still leaky, but better than nothing.
* Merge GH #1757 Add a constant time division algorithm (Jack Lloyd, 2018-12-02; 4 files, -8/+69)
  * Add a const-time division algorithm (Jack Lloyd, 2018-12-02; 4 files, -8/+69)
    It is stupid and slow (~50-100x slower than variable time version) but still useful for protecting critical algorithms.
    Not currently used, waiting for OSS-Fuzz to test it for a while before we commit to it.
* Merge GH #1756 Support getting passphrase from the console (Jack Lloyd, 2018-12-02; 2 files, -2/+126)
  * Avoid macro conflict when including termios in amalgamation (Jack Lloyd, 2018-12-02; 1 file, -0/+1)
  * Add Win32 support for echo suppression (Jack Lloyd, 2018-12-01; 1 file, -3/+47)
    Tested with MinGW cross compiler and Wine.
  * Promote echo suppression of terminal to Botan::OS (Jack Lloyd, 2018-12-01; 2 files, -2/+81)
* Fix a bug in bigint_sub_abs (Jack Lloyd, 2018-12-02; 1 file, -0/+7)
  If one of the values had leading zero words, this could end up calling bigint_sub with x_size < y_size.
  OSS-Fuzz 11664 and 11656
* One variable per line (Jack Lloyd, 2018-12-02; 1 file, -1/+2)
* Correct a bug in BigInt::operator%(word) (Jack Lloyd, 2018-12-01; 2 files, -21/+26)
  If reducing a negative number modulo a power of 2, an incorrect result would be returned. This only affected the versions taking a single word as the modulo.
* No need to check x when checking if a point is at infinity (Jack Lloyd, 2018-12-01; 1 file, -2/+1)
  I'm not sure why this was here.
* Unroll mod_sub for 6 words also, helps P-384 quite a bit (Jack Lloyd, 2018-12-01; 1 file, -0/+2)
* Avoid conditional operations in P-521 reduction (Jack Lloyd, 2018-12-01; 1 file, -30/+31)
* Add BigInt::mod_mul (Jack Lloyd, 2018-12-01; 9 files, -56/+104)
* Simplify BigInt addition and subtraction (Jack Lloyd, 2018-11-30; 5 files, -187/+151)
  Addition already has to handle negative numbers so make it do double duty for subtraction.
* Fix a bug in OneAndZeros unpadding (Jack Lloyd, 2018-11-30; 2 files, -5/+16)
  Introduced in b13c0cc8590199d, it could only trigger if the block size was more than 256 bytes. In that case an invalid padding could be accepted.
  OSS-Fuzz 11608 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11608)
* Fix debug asserts, and add it to CI (Jack Lloyd, 2018-11-29; 1 file, -2/+2)
* Add CT::Mask type (Jack Lloyd, 2018-11-28; 19 files, -283/+480)
* Fix typo [ci skip] (Jack Lloyd, 2018-11-27; 1 file, -1/+1)
* Need to ensure minimum size here (Jack Lloyd, 2018-11-27; 1 file, -0/+1)
  Previously handled by the early exit
* Optimizations for NIST reduction (Jack Lloyd, 2018-11-26; 1 file, -22/+20)
  Also avoid an early exit in P-521
* Make more BigInt functions const-time (Jack Lloyd, 2018-11-26; 7 files, -135/+328)
  In particular comparisons, calc sig words, and mod_sub are const time now.
* Merge GH #1744 Make exception throws easier to debug (Jack Lloyd, 2018-11-23; 72 files, -330/+627)
  * Make exceptions easier to translate to error codes (Jack Lloyd, 2018-11-23; 72 files, -330/+627)
    Avoid throwing base Botan::Exception type, as it is difficult to determine what the error is in that case.
    Add Exception::error_code and Exception::error_type which allows (for error code) more information about the error and (for error type) allows knowing the error type without requiring a sequence of catches.
    See GH #1742
* Implement const time select based on xor-swap (Jack Lloyd, 2018-11-23; 1 file, -1/+2)
  For some compilers this may make the difference between compiling using bitmasks as intended, and compiling with a conditional jump.
* In operator>> avoid testing for zero unless required (Jack Lloyd, 2018-11-23; 1 file, -1/+1)
* Simplify Salsa20 xor loop (Jack Lloyd, 2018-11-21; 1 file, -4/+7)
* Fix type error (Jack Lloyd, 2018-11-21; 1 file, -1/+1)
  Closes #1747
* Slight simplification to ChaCha loop (Jack Lloyd, 2018-11-21; 1 file, -7/+13)
* When available use RDRAND for Stateful_RNG additional data (Jack Lloyd, 2018-11-21; 1 file, -4/+19)
* Use builtin_bswap16 when available (Jack Lloyd, 2018-11-20; 1 file, -0/+4)
* Add typecast_copy (Jack Lloyd, 2018-11-17; 3 files, -30/+48)
  Wraps memcpy in the cases where we really are doing a type conversion using memcpy
* Avoid calling memset, memcpy within library code (Jack Lloyd, 2018-11-17; 11 files, -18/+20)
  Prefer using wrappers in mem_utils for this. Current exception is where memcpy is being used to convert between two different types, since copy_mem requires input and output pointers have the same type. There should be a new function to handle conversion-via-memcpy operation.
* Remove needless memset operation (Jack Lloyd, 2018-11-17; 1 file, -1/+0)