| Commit message | Author | Age | Files | Lines |
|---|---|---|---|---|
| Merge GH #1767 Switch Travis builds to Xenial | Jack Lloyd | 2018-12-04 | 2 | -4/+8 |
| Fix a memory leak in OpenSSL ECDH | Jack Lloyd | 2018-12-03 | 1 | -3/+5 |
| Add PVR identifier for POWER9 | Jack Lloyd | 2018-12-03 | 1 | -1/+3 |
| According to qemu-ppc64le -cpu help output. | | | | |
| Merge GH #1765 Avoid some conditional branches in binary extended Euclidean algorithm | Jack Lloyd | 2018-12-03 | 3 | -12/+62 |
| Make binary extended Euclidean algorithm less branchy | Jack Lloyd | 2018-12-03 | 3 | -12/+62 |
| This is still leaky, but much less than before. | | | | |
| Fix Sphinx errors | Jack Lloyd | 2018-12-03 | 2 | -1/+2 |
| Fix bug in TLS CBC unpadding | Jack Lloyd | 2018-12-03 | 1 | -1/+1 |
| Regression introduced in 007314c5. Found by OSS-Fuzz (bug id 11693). | | | | |
| Extend ct_modulo to handle negative inputs | Jack Lloyd | 2018-12-03 | 1 | -8/+17 |
| Unfortunately the Barrett reduction API allows negative inputs. | | | | |
| Use const time reductions in Barrett and LCM computations | Jack Lloyd | 2018-12-03 | 3 | -4/+23 |
| Use ct_modulo in format preserving encryption | Jack Lloyd | 2018-12-03 | 1 | -2/+2 |
| Use ct_modulo during RSA key generation | Jack Lloyd | 2018-12-03 | 1 | -6/+7 |
| Fix shift operator | Jack Lloyd | 2018-12-03 | 1 | -1/+1 |
| This would continually reallocate to larger sizes, which is bad news. | | | | |
| Add ct_modulo and BigInt::ct_cond_swap | Jack Lloyd | 2018-12-03 | 4 | -7/+62 |
| Merge GH #1759 Add constant time divide by uint8_t | Jack Lloyd | 2018-12-03 | 3 | -7/+59 |
| Add a constant time divide variant for dividing by uint8_t | Jack Lloyd | 2018-12-02 | 3 | -7/+59 |
| Originally wrote it for div-by-word but that ends up requiring a dword type which we don't always have. And uint8_t covers the most important cases of n = 10 and n = 58 (whenever I get around to writing base58). We could portably support up to div-by-uint32, but I don't think we need it. Nicely for n = 10, this is actually faster than the variable time division. | | | | |
| Merge GH #1758 Remove some conditional branches from variable time division | Jack Lloyd | 2018-12-03 | 1 | -53/+46 |
| Make variable time division less branchy | Jack Lloyd | 2018-12-02 | 1 | -53/+46 |
| This is still leaky, but better than nothing. | | | | |
| Merge GH #1757 Add a constant time division algorithm | Jack Lloyd | 2018-12-02 | 4 | -8/+69 |
| Add a const-time division algorithm | Jack Lloyd | 2018-12-02 | 4 | -8/+69 |
| It is stupid and slow (~50-100x slower than variable time version) but still useful for protecting critical algorithms. Not currently used, waiting for OSS-Fuzz to test it for a while before we commit to it. | | | | |
| Merge GH #1756 Support getting passphrase from the console | Jack Lloyd | 2018-12-02 | 2 | -2/+126 |
| Avoid macro conflict when including termios in amalgamation | Jack Lloyd | 2018-12-02 | 1 | -0/+1 |
| Add Win32 support for echo suppression | Jack Lloyd | 2018-12-01 | 1 | -3/+47 |
| Tested with MinGW cross compiler and Wine. | | | | |
| Promote echo suppression of terminal to Botan::OS | Jack Lloyd | 2018-12-01 | 2 | -2/+81 |
| Fix a bug in bigint_sub_abs | Jack Lloyd | 2018-12-02 | 1 | -0/+7 |
| If one of the values had leading zero words, this could end up calling bigint_sub with x_size < y_size. OSS-Fuzz 11664 and 11656. | | | | |
| One variable per line | Jack Lloyd | 2018-12-02 | 1 | -1/+2 |
| Correct a bug in BigInt::operator%(word) | Jack Lloyd | 2018-12-01 | 2 | -21/+26 |
| If reducing a negative number modulo a power of 2, an incorrect result would be returned. This only affected the versions taking a single word as the modulo. | | | | |
| No need to check x when checking if a point is at infinity | Jack Lloyd | 2018-12-01 | 1 | -2/+1 |
| I'm not sure why this was here. | | | | |
| Unroll mod_sub for 6 words also, helps P-384 quite a bit | Jack Lloyd | 2018-12-01 | 1 | -0/+2 |
| Avoid conditional operations in P-521 reduction | Jack Lloyd | 2018-12-01 | 1 | -30/+31 |
| Add BigInt::mod_mul | Jack Lloyd | 2018-12-01 | 9 | -56/+104 |
| Simplify BigInt addition and subtraction | Jack Lloyd | 2018-11-30 | 5 | -187/+151 |
| Addition already has to handle negative numbers so make it do double duty for subtraction. | | | | |
| Fix a bug in OneAndZeros unpadding | Jack Lloyd | 2018-11-30 | 2 | -5/+16 |
| Introduced in b13c0cc8590199d, it could only trigger if the block size was more than 256 bytes. In that case an invalid padding could be accepted. OSS-Fuzz 11608 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11608) | | | | |
| Fix debug asserts, and add it to CI | Jack Lloyd | 2018-11-29 | 1 | -2/+2 |
| Add CT::Mask type | Jack Lloyd | 2018-11-28 | 19 | -283/+480 |
| Fix typo [ci skip] | Jack Lloyd | 2018-11-27 | 1 | -1/+1 |
| Need to ensure minimum size here | Jack Lloyd | 2018-11-27 | 1 | -0/+1 |
| Previously handled by the early exit. | | | | |
| Optimizations for NIST reduction | Jack Lloyd | 2018-11-26 | 1 | -22/+20 |
| Also avoid an early exit in P-521. | | | | |
| Make more BigInt functions const-time | Jack Lloyd | 2018-11-26 | 7 | -135/+328 |
| In particular comparisons, calc sig words, and mod_sub are const time now. | | | | |
| Merge GH #1744 Make exception throws easier to debug | Jack Lloyd | 2018-11-23 | 72 | -330/+627 |
| Make exceptions easier to translate to error codes | Jack Lloyd | 2018-11-23 | 72 | -330/+627 |
| Avoid throwing base Botan::Exception type, as it is difficult to determine what the error is in that case. Add Exception::error_code and Exception::error_type which allows (for error code) more information about the error and (for error type) allows knowing the error type without requiring a sequence of catches. See GH #1742. | | | | |
| Implement const time select based on xor-swap | Jack Lloyd | 2018-11-23 | 1 | -1/+2 |
| For some compilers this may make the difference between compiling using bitmasks as intended, and compiling with a conditional jump. | | | | |
| In operator>> avoid testing for zero unless required | Jack Lloyd | 2018-11-23 | 1 | -1/+1 |
| Simplify Salsa20 xor loop | Jack Lloyd | 2018-11-21 | 1 | -4/+7 |
| Fix type error | Jack Lloyd | 2018-11-21 | 1 | -1/+1 |
| Closes #1747. | | | | |
| Slight simplification to ChaCha loop | Jack Lloyd | 2018-11-21 | 1 | -7/+13 |
| When available use RDRAND for Stateful_RNG additional data | Jack Lloyd | 2018-11-21 | 1 | -4/+19 |
| Use builtin_bswap16 when available | Jack Lloyd | 2018-11-20 | 1 | -0/+4 |
| Add typecast_copy | Jack Lloyd | 2018-11-17 | 3 | -30/+48 |
| Wraps memcpy in the cases where we really are doing a type conversion using memcpy. | | | | |
| Avoid calling memset, memcpy within library code | Jack Lloyd | 2018-11-17 | 11 | -18/+20 |
| Prefer using wrappers in mem_utils for this. Current exception is where memcpy is being used to convert between two different types, since copy_mem requires input and output pointers have the same type. There should be a new function to handle conversion-via-memcpy operation. | | | | |
| Remove needless memset operation | Jack Lloyd | 2018-11-17 | 1 | -1/+0 |
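Several of the commits above (the CT::Mask type, the xor-swap based constant-time select, and the constant-time divide by uint8_t) share one idea: replace data-dependent branches with all-ones/all-zeros masks and let arithmetic do the selecting. The following is an added example of that technique, written for this page and not Botan's own code; the names `mask_if_nonzero`, `mask_if_geq`, `select`, `cond_swap` and `ct_div_u8` are hypothetical and do not correspond to Botan's API. The division is a bit-serial restoring division over little-endian 64-bit words, where the "subtract the divisor if the partial remainder is large enough" step is done with a mask so the control flow depends only on the input length and the (public) divisor, not on the dividend's value. The sample numbers in `main` are constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

namespace ct_example {

// All-ones if x != 0, all-zeros otherwise. (x | -x) has its top bit set
// exactly when x is nonzero; shifting that bit down and negating spreads it.
inline uint64_t mask_if_nonzero(uint64_t x) {
    return 0 - ((x | (0 - x)) >> 63);
}

inline uint64_t mask_if_zero(uint64_t x) { return ~mask_if_nonzero(x); }

// All-ones if a >= b. The top bit of the expression is the borrow out of
// a - b computed from the operand and result bits; no borrow means a >= b.
inline uint64_t mask_if_geq(uint64_t a, uint64_t b) {
    const uint64_t borrow = ((~a & b) | ((~a | b) & (a - b))) >> 63;
    return mask_if_zero(borrow);
}

// mask ? x : y, as pure bit operations (the xor form of the select).
inline uint64_t select(uint64_t mask, uint64_t x, uint64_t y) {
    return y ^ (mask & (x ^ y));
}

// Swap x and y when mask is all-ones, leave them alone when it is zero.
inline void cond_swap(uint64_t mask, uint64_t& x, uint64_t& y) {
    const uint64_t t = mask & (x ^ y);
    x ^= t;
    y ^= t;
}

// Small wrapper so the swap can be checked through a return value.
inline uint64_t swapped_first(uint64_t mask, uint64_t x, uint64_t y) {
    cond_swap(mask, x, y);
    return x;
}

struct DivResult {
    std::vector<uint64_t> quotient;  // same little-endian word layout as the input
    uint8_t remainder;
};

// Divide a little-endian array of 64-bit words by a byte-sized divisor.
// Every bit of the dividend is processed with the same sequence of operations;
// the partial remainder r never exceeds 2*255+1 before the masked subtraction.
// The divisor is treated as public, so rejecting zero with a branch is fine.
DivResult ct_div_u8(const std::vector<uint64_t>& x, uint8_t d) {
    if (d == 0) throw std::invalid_argument("ct_div_u8: division by zero");
    std::vector<uint64_t> q(x.size(), 0);
    uint64_t r = 0;
    for (size_t i = x.size(); i-- > 0;) {
        for (int bit = 63; bit >= 0; --bit) {
            r = (r << 1) | ((x[i] >> bit) & 1);
            const uint64_t m = mask_if_geq(r, d);  // all-ones if r >= d
            r -= (m & d);                           // subtract only if selected
            q[i] |= (m & 1) << bit;                 // quotient bit is the mask's LSB
        }
    }
    return DivResult{q, static_cast<uint8_t>(r)};
}

// Remainder only, the ct_modulo-style use case.
inline uint8_t ct_mod_u8(const std::vector<uint64_t>& x, uint8_t d) {
    return ct_div_u8(x, d).remainder;
}

}  // namespace ct_example

int main() {
    using namespace ct_example;
    // Constructed sample: a single-word value divided by 10.
    const std::vector<uint64_t> n = {12345678901234567890ULL};
    const DivResult res = ct_div_u8(n, 10);
    const bool ok = res.quotient[0] == 1234567890123456789ULL && res.remainder == 0;
    return ok ? 0 : 1;
}
```

The cost is what the commit messages describe: 64 fixed-shape steps per word instead of one hardware divide, which is acceptable for the n = 10 and n = 58 cases (decimal and base58 conversion) where the dividend is a secret. Whether a compiler turns `select` into a branch is not guaranteed by the source; inspecting the generated code is still necessary.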
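The OneAndZeros unpadding fix above notes that the bug could only trigger for block sizes over 256 bytes and that an invalid padding could then be accepted. As an added example that is not Botan's code, here is a constant-time OneAndZeros (0x80 followed by 0x00 bytes) unpadding check that walks the whole block regardless of content, keeps its counters in `size_t`, and is exercised on a 300-byte block as well as on malformed inputs. The function names `ct_oneandzeros_unpad` and `padded_block` are hypothetical, and the sample blocks are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

namespace pad_example {

// All-ones size_t if x != 0, else 0, without a data-dependent branch.
inline size_t mask_if_nonzero(size_t x) {
    return 0 - ((x | (0 - x)) >> (sizeof(size_t) * 8 - 1));
}

inline size_t mask_if_eq(size_t a, size_t b) { return ~mask_if_nonzero(a ^ b); }

// OneAndZeros padding: one 0x80 marker byte followed by zero or more 0x00
// bytes running to the end of the block. Returns the padding length in bytes
// (marker included, so 1..block.size()), or 0 if the block is not validly
// padded. Every byte is visited and the same operations run for each one, so
// timing does not depend on where the marker is or whether the padding is bad.
size_t ct_oneandzeros_unpad(const std::vector<uint8_t>& block) {
    size_t pad_len = 0;      // bytes attributed to padding so far
    size_t seen_marker = 0;  // all-ones once 0x80 has been found scanning from the end
    size_t bad = 0;          // all-ones if a non-padding byte was hit while scanning
    for (size_t i = block.size(); i-- > 0;) {
        const size_t b = block[i];
        const size_t is_zero = mask_if_eq(b, 0x00);
        const size_t is_marker = mask_if_eq(b, 0x80);
        const size_t scanning = ~seen_marker;   // still inside the padding region?
        pad_len += scanning & 1;                // count this byte only while scanning
        bad |= scanning & ~(is_zero | is_marker);
        seen_marker |= scanning & is_marker;    // the marker ends the padding region
    }
    // Valid only if a marker was found and nothing else appeared after it.
    const size_t valid = seen_marker & ~bad;
    return pad_len & valid;
}

// Constructed sample: data_len bytes of 'A' followed by OneAndZeros padding
// up to block_size (requires data_len < block_size).
std::vector<uint8_t> padded_block(size_t data_len, size_t block_size) {
    std::vector<uint8_t> v(block_size, 0x00);
    for (size_t i = 0; i < data_len; ++i) v[i] = 0x41;
    v[data_len] = 0x80;
    return v;
}

}  // namespace pad_example

int main() {
    using namespace pad_example;
    // A 300-byte block, larger than the 256-byte threshold named in the fix.
    const bool ok = ct_oneandzeros_unpad(padded_block(10, 300)) == 290
                 && ct_oneandzeros_unpad(std::vector<uint8_t>(300, 0x00)) == 0;
    return ok ? 0 : 1;
}
```

The caller subtracts the returned length from the block size to get the plaintext length and treats 0 as a padding failure; that final comparison is on a value that is already public once the decryption result is released, so it can be an ordinary branch.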