aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* Only need a single word from p_dash, so only save that single word.lloyd2010-03-131-94/+9
| | | | Remove hand-coded montgomery reduction, use bigint_mont_redc() instead
* Use Montgomery reduction for the important parts of PointGFp, usinglloyd2010-03-132-74/+78
| | | | | code cobbled together from 1.8/InSiTo. Faster than it was in 1.9.4, but still quite slow.
* Name args to bigint_{mul,sqr} in headerlloyd2010-03-131-5/+5
|
* Give PK_Signer users the option of disabling fault protectionlloyd2010-03-132-6/+17
|
* Move monty params to curve, since only depend on the primelloyd2010-03-131-4/+37
|
* Add back code for montgomery PointGFp mult (not used atm)lloyd2010-03-132-14/+165
|
* Hide PointGFp constructorslloyd2010-03-132-7/+14
|
* Remove access to the Jacobian coordinate getters get_{x,y,z}, as welllloyd2010-03-132-33/+9
| | | | | | | | | | | | | | as the 4-argument constructor. Define operator==() in terms of the affine coordinates. Rewrite tests that assumed access to the Jacobian coodinates in terms of the affine coordinates. This change allows for using arbitrary coordinate systems in PointGFp, as long as it can convert to the normal affine coordinates (which are what is used by all ECC algorithms implemented currently, and probably all interesting ECC algorithms in general).
* Include <netinet/in.h>; needed on FreeBSD at leastlloyd2010-03-101-1/+2
|
* Remove config options to toggle if X.509 extensions are critical orlloyd2010-03-107-96/+47
| | | | | | | | not. Instead provide via Extensions::add(). No way to modify behavior currently, it just follows the previous default police. Remove the config options from Library_State entirely. Die, mutable singletons, die.
* Make cert decoding errors more verboselloyd2010-03-101-2/+2
|
* Remove the base/default_allocator option, instead save as a per-libstatelloyd2010-03-103-19/+25
| | | | variable directly.
* Guard call to the allocator in deallocate() by checking if the alloclloyd2010-03-101-1/+1
| | | | | | | | | | | | | | | | | | pointer was actually set. Otherwise, the following problem could occur if an allocator could not be found: init() will call Allocator::get, which throws an exception init() is called from the constructor of the subclasses (MemoryVector, etc) Since the constructor of MemoryRegion has already finished, its destructor will be called. ~MemoryRegion will call deallocate() deallocate() will then access a NULL pointer By guarding the call, the exception is propagated correctly.
* DSA and NR require certain parameters (which depend on the randomlylloyd2010-03-092-18/+24
| | | | | | choosen nonce) not be 0. Previously it would just check and throw an exception if this was the case. Change to generate a new nonce and retry if this happens.
* Remove decls of removed RSA encrypt/decryptlloyd2010-03-091-5/+0
|
* Oops. Secret nonce/seed for blinding for DH and ElGamal was 2^x mod p.lloyd2010-03-092-2/+2
| | | | | | | | | However if the group generator is 2, that's precisely the public key, which is hardly secret at all. Instead use y^x mod p, which while a little dubious in terms of mathematical structure is probably OK after being hashed through SHA-512 with some high resolution timestamps.
* De-name unused rng arglloyd2010-03-091-1/+1
|
* Deconstify PK_Ops. It's quite reasonable that some op will want tolloyd2010-03-0922-121/+79
| | | | | | | | | | | | | precompute only as needed, or will want to access some other expensive resource or etc. Change how the secret for generating blinding is done in cases where a PRNG isn't available. Use the operations public op to hide the secret, for instance the seed for a DH blinding variable is 2^x mod p. Make use of being able to mutate internal structures in the RW signer, since that does have access to a PRNG, so use it to initialize the blinder on first call to sign().
* Consolidate code for choosing a window size for fixed width windowlloyd2010-03-094-72/+41
| | | | exponentiation algorithms.
* Add back RSA consistency checking (decrypt only)lloyd2010-03-092-3/+8
|
* Have PK_Signer check the validity of all signatures before releasing.lloyd2010-03-092-8/+52
| | | | Should help against many forms of fault attacks.
* Use preexisting powermod precomputations for setting up blinderslloyd2010-03-092-2/+2
|
* Remove decls of unimplemented functionslloyd2010-03-081-3/+0
|
* Blinder::choose_nonce added a single byte of the timestamps 8 times,lloyd2010-03-081-2/+2
| | | | instead of each byte once...
* Add back in blinding to RSA, RW, ElGamal, and DH.lloyd2010-03-0815-103/+175
| | | | | | | | | | | | | | | | There are multiple unsatisfactory elements to the current solution, as compared to how blinding was previously done: Firstly, blinding is only used in the baseline implementations; the code using OpenSSL and GMP is not protected by blinding at all. Secondly, at the point we need to set up blinding, there is no access to a PRNG. Currently I am going with a quite nasty solution, of using a private key parameter to seed a simple PRNG constructed as: SHA-512(TS1 || private_key_param || public_key_param || TS2) I really want to fix both of these elements but I'm not sure how to do so easily.
* Rename PK_Encryptor_MR_with_EME and PK_Decryptor_MR_with_EME tolloyd2010-03-086-43/+45
| | | | | PK_Encryptor_EME and PK_Decryptor_EME; the message recovery is somewhat implicit in the recovery of the plaintext.
* Modify pubkey classes to take names instead of object pointers.lloyd2010-03-0820-160/+148
| | | | | Remove use of look_pk from the source and examples, instead instantiate classes directly.
* Have the constructors in pubkey.h take all arguments look_pk does, andlloyd2010-03-083-39/+51
| | | | convert look_pk to simple forwarders.
* Remove the now no-op classes PK_Encrypting_Key,lloyd2010-03-0819-148/+38
| | | | | PK_Decrypting_Key, PK_Signing_Key, PK_Verifying_with_MR_Key, and PK_Verifying_wo_MR_Key.
* On GMP 5.0 and later, use mpz_powm_sec, which is a version of modularlloyd2010-03-051-0/+6
| | | | exponentiation that has countermeasures against side-channel attacks.
* Update OpenSSL engine for new interface. Similiar to GMP engine, droplloyd2010-03-059-503/+356
| | | | support for ElGamal and NR, leaving only RSA, DSA, and DH support.
* Add GMP PK filelloyd2010-03-051-0/+344
|
* Remove unused variablelloyd2010-03-051-1/+0
|
* Update GMP engine with new PK operations interface.lloyd2010-03-058-481/+11
| | | | | Drop support for ElGamal and NR from GMP engine, leaving just DH, DSA, and RSA
* Set domain_encoding enum in all EC key constructorslloyd2010-03-051-10/+15
|
* Inline Engine_Core::mod_exp into singler caller, and deletelloyd2010-03-054-74/+19
|
* Remove IF_Corelloyd2010-03-0516-366/+7
|
* Add RSA encrypt/decrypt opslloyd2010-03-053-27/+66
|
* Add ops for ElGamal encryption and decryption.lloyd2010-03-0515-399/+208
| | | | | Note: blinding is not currently being used for RSA, RW, DH or ElGamal, which used to have them. This should be added back before release.
* Constify sign and verify opslloyd2010-03-0513-41/+50
|
* Remove sign and verify ops from key typeslloyd2010-03-056-109/+0
|
* Remove ECDSA_PublicKey::verifylloyd2010-03-052-40/+0
|
* Rename PK_Ops::Signature_Operation to PK_Ops::Signaturelloyd2010-03-0513-20/+20
| | | | Rename PK_Ops::KA_Operation to PK_Ops::Key_Agreement
* Remove NR and DSA specific hookslloyd2010-03-0518-626/+5
|
* Add verification ops for all signature key typeslloyd2010-03-0519-146/+409
|
* Make the modulus visible in Modular_Reducerlloyd2010-03-051-0/+2
|
* Inline look_pk funcslloyd2010-03-053-102/+49
|
* Remove the sign() operation from the public key objects, totally replacedlloyd2010-03-0513-155/+40
| | | | | | by using the ops. Add real ECDSA test vectors (two found in ANSI X9.62)
* Force high bit in random_prime as well (done by randomize currently, but ↵lloyd2010-03-051-0/+3
| | | | might not be later)
* Clarify exception text on get_affine when point is zerolloyd2010-03-051-2/+2
|