path: root/src/lib
Commit message (author, date; files changed, lines removed/added)

* Ensure that trying to add points from different groups fails. (Jack Lloyd, 2018-06-19; 2 files, -13/+19)
    Producing garbage instead is asking for trouble.

* Use masked table lookup in ECC base point multiplication (Jack Lloyd, 2018-06-19; 2 files, -9/+42)

* Avoid a special case in Barrett reduction for x < mod (Jack Lloyd, 2018-06-18; 1 file, -8/+3)
    This would have prevented CVE-2018-12435

* Avoid unnecessary realloc in BigInt::mod_sub (Jack Lloyd, 2018-06-17; 1 file, -2/+7)

* Add some todo comments wrt side channels in ECC scalar mult (Jack Lloyd, 2018-06-17; 1 file, -0/+5)

* Avoid leaking size of exponent (Jack Lloyd, 2018-06-17; 11 files, -51/+119)
    See #1606 for discussion

* Merge GH #1609 Avoid small side channel in ECC field mul (Jack Lloyd, 2018-06-15; 1 file, -22/+15)

  * In ECC avoid using significant words to dispatch the mult algo (Jack Lloyd, 2018-06-15; 1 file, -22/+15)
      Normally all elements will be an exact number of limbs as the field. Any situation with short elements is rare and not worth optimizing for, and likely leads to some unfortunate side channel.

* TLS would try to negotiate x25519 even if disabled (Jack Lloyd, 2018-06-15; 1 file, -2/+6)
    Also reorder ECC groups to actually match performance characteristics. I'm not sure when P-384 was slower than P-521 but it certainly isn't anymore.
    Fixes #1607

* Add combined conditional add-or-subtract (Jack Lloyd, 2018-06-14; 3 files, -5/+41)

* Remove CT annotations from Montgomery reduction (Jack Lloyd, 2018-06-14; 1 file, -8/+0)
    The poisons don't stack so the unpoison hid conditional jumps we want to find.

* In Montgomery mul, avoid branching based on sig words of integers (Jack Lloyd, 2018-06-14; 1 file, -13/+21)
    Instead just assume they are the same size as the prime

* Make Karatsuba multiply completely const time (Jack Lloyd, 2018-06-14; 4 files, -24/+52)

* Avoid overallocation of memory for EC base point multiples (Jack Lloyd, 2018-06-14; 1 file, -1/+1)
    The size is rounded up to the next 8 words so there was substantial slack here. No noticeable perf difference.

* Add 192-bit Suite B policy (Jack Lloyd, 2018-06-14; 1 file, -0/+36)
    Since the 128-bit policy is actually not even allowed since 2015.

* Address DSA/ECDSA side channel (Jack Lloyd, 2018-06-13; 4 files, -17/+80)

* Unroll bigint_monty_redc for various sizes (Jack Lloyd, 2018-06-11; 4 files, -24/+2691)
    Speedup of 10 to 30% depending on algo

* Add missing statement (Jack Lloyd, 2018-06-08; 1 file, -0/+1)

* Attempt at MSVC 2013 workaround (Jack Lloyd, 2018-06-08; 1 file, -2/+4)

* Expose BER_Decoder constructor taking BER_Object&& (Jack Lloyd, 2018-06-08; 2 files, -4/+10)

* Reduce copying/allocations when BER decoding (Jack Lloyd, 2018-06-08; 2 files, -81/+194)
    We are constrained in how far we can go because BER_Object must mandatorily copy its value (due to the public member variable exposing the bytes). But this reduces the number of allocations when parsing a sample X.509 certificate by about 15%

* Allow passing a writer function callback to DER_Encoder (Jack Lloyd, 2018-06-08; 2 files, -10/+18)

* Declare copy and move constructors on BER_Object (Jack Lloyd, 2018-06-08; 1 file, -0/+8)

* Constify some local variables (Jack Lloyd, 2018-06-08; 1 file, -2/+2)

* Improve error reporting on unexpected EOF when decoding ASN (Jack Lloyd, 2018-06-08; 1 file, -4/+17)

* Fix a bug in Barrett reduction (Jack Lloyd, 2018-06-05; 2 files, -26/+33)
    -x*n % n would reduce to n instead of zero. Also some small optimizations and cleanups.

* Correct exception message [ci skip] (Jack Lloyd, 2018-06-04; 1 file, -1/+1)
    The previous message was both incorrect and very misleading.

* Merge GH #1594 Add ECDSA Wycheproof tests (Jack Lloyd, 2018-05-31; 4 files, -16/+52)

  * Handle EC_R_BAD_SIGNATURE from OpenSSL (Jack Lloyd, 2018-05-31; 2 files, -0/+14)

  * Prevent signature malleability in DER/BER encoded sigs (Jack Lloyd, 2018-05-31; 1 file, -14/+35)

  * Correct error in P-224 computation (Jack Lloyd, 2018-05-31; 1 file, -2/+3)
      If x was very small to start with, x.size() might be under the limb count, which would cause the final addition to throw because the destination array was smaller than the P-224 p being added. Caught by Wycheproof ECDSA tests

* Move codec_base.h to internal header in utils (Jack Lloyd, 2018-05-31; 5 files, -5/+4)

* Refactoring Base32 to use the templated algorithm (Wambou, 2018-05-31; 2 files, -182/+146)

* Define templated base encoding/decoding (Wambou, 2018-05-31; 2 files, -0/+167)

* Implement Base32 (Wambou, 2018-05-31; 3 files, -0/+417)

* Add back support for Windows Phone RNG, undeprecate UWP (Jack Lloyd, 2018-05-28; 2 files, -0/+49)
    See #1586. Reverts part of #1494

* Tiny optimization in MDx_HashFunction::final_result (Jack Lloyd, 2018-05-28; 1 file, -2/+1)
    Typically not a bottleneck but this shows up in XMSS profiling

* Merge GH #1584 Add BMI2 optimization for SHA-256 (Jack Lloyd, 2018-05-27; 7 files, -4/+192)

  * Add BMI2-specific SHA-256 (Jack Lloyd, 2018-05-27; 7 files, -4/+192)
      Currently just a copy of the baseline compression function, but compiled with BMI2 flags. On Skylake improves performance by about 40%.

* Improves "Avoid repeated allocations in XMSS chain function" (Matthias Gierlings, 2018-05-27; 1 file, -1/+2)

* Avoid repeated allocations in XMSS chain function (Jack Lloyd, 2018-05-27; 1 file, -1/+4)
    This is the core hotspot of XMSS signatures. Avoiding the secure_vector allocation for the PRF output improves performance quite noticeably.

    Before:
      XMSS_SHA2-256_W16_H10 1940.74 ms/op
      XMSS_SHA2-512_W16_H10 3985.98 ms/op
      XMSS_SHAKE128_W16_H10 1910.48 ms/op
      XMSS_SHAKE256_W16_H10 4074.65 ms/op

    After:
      XMSS_SHA2-256_W16_H10 1204.34 ms/op
      XMSS_SHA2-512_W16_H10 2498.17 ms/op
      XMSS_SHAKE128_W16_H10 1176.55 ms/op
      XMSS_SHAKE256_W16_H10 2689.76 ms/op

* Fixes XMSS leaf index bounds sanity check (Matthias Gierlings, 2018-05-25; 3 files, -5/+4)
    Prior to this patch the sanity check for XMSS leaf indices was wrongly based on the tree height. As a result only half of the one-time keys could be used. Instead base the leaf index sanity check on the number of levels in a tree, which equals tree height + 1.
    (see also: https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12#section-4.1.1)

* Improve error message on BER decoding error (Jack Lloyd, 2018-05-24; 2 files, -6/+50)

* Add OIDS for Camellia and SM4 in GCM and CBC modes (Jack Lloyd, 2018-05-22; 2 files, -3/+23)
    Making them usable for private key encryption

* Support scrypt for encrypting private keys (Jack Lloyd, 2018-05-22; 3 files, -85/+259)

* Remove debug printf (Jack Lloyd, 2018-05-22; 1 file, -1/+1)

* Fix PBE decoding and fix test macro check (Jack Lloyd, 2018-05-22; 1 file, -1/+1)

* DER improvements (Jack Lloyd, 2018-05-22; 22 files, -200/+287)
    Let DER_Encoder write to a user specified vector instead of only to an internal vector. This allows encoding to a std::vector without having to first write to a locked vector and then copying out the result.

    Add ASN1_Object::BER_encode convenience method. Replaces X509_Object::BER_encode which had the same logic but was restricted to a subtype. This replaces many cases where DER_Encoder was just used to encode a single object (X509_DN, AlgorithmIdentifier, etc).

* Inline SymmetricAlgorithm::verify_key_set (Jack Lloyd, 2018-05-21; 2 files, -4/+9)
    Instead just put the throw into a compiled function.

* Merge GH #1571 DER_Encoder optimizations (Jack Lloyd, 2018-05-21; 2 files, -83/+123)