Commit message (Collapse) | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | Attempt to verify decoded ECC groups are using prime fields | Jack Lloyd | 2018-06-20 | 2 | -5/+57 |
| | | | | | | | Otherwise ressol (part of point decompression) can end up in very long loop. OSS-Fuzz 9011 | ||||
* | Avoid an unncecessary malloc | Jack Lloyd | 2018-06-20 | 1 | -1/+1 |
| | |||||
* | Use masked table lookups for variable point scalar mult | Jack Lloyd | 2018-06-20 | 1 | -10/+30 |
| | |||||
* | Changes to allow masked lookups for variable point mult | Jack Lloyd | 2018-06-20 | 8 | -146/+174 |
| | |||||
* | Fix SM2 encryption tests | Jack Lloyd | 2018-06-20 | 1 | -3/+4 |
| | | | | Broken in 5f26125d | ||||
* | Remove build time toggle for ECC coordinate masking | Jack Lloyd | 2018-06-20 | 3 | -23/+16 |
| | | | | | | | | | This is not a decision we should leave to end users. And always use a random mask equal in size to the underlying field. It was never quite clear if 80 bits was sufficient or not. But taking a random field element is clearly the best possible situation, and has very little additional cost. | ||||
* | Perform ECC mult starting from top bit of the exponent | Jack Lloyd | 2018-06-20 | 1 | -17/+16 |
| | | | | | | | Since we know the top bit is 1, then R will always be a point other than point at infinity after the very first addition regardless of the scalar or mask, so then coordinate randomization is guaranteed to work. | ||||
* | Avoid a small timing channel in Barrett reduction | Jack Lloyd | 2018-06-20 | 2 | -25/+31 |
| | | | | No known exploit for this but no point taking chances. | ||||
* | More cli tests | Jack Lloyd | 2018-06-19 | 1 | -0/+27 |
| | |||||
* | Ensure that trying to add points from different groups fails. | Jack Lloyd | 2018-06-19 | 3 | -13/+35 |
| | | | | Producing garbage instead is asking for trouble. | ||||
* | Use masked table lookup in ECC base point multiplication | Jack Lloyd | 2018-06-19 | 2 | -9/+42 |
| | |||||
* | Avoid a special case in Barrett reduction for x < mod | Jack Lloyd | 2018-06-18 | 1 | -8/+3 |
| | | | | This would have prevented CVE-2018-12435 | ||||
* | Avoid unnecessary realloc in BigInt::mod_sub | Jack Lloyd | 2018-06-17 | 1 | -2/+7 |
| | |||||
* | Add some todo comments wrt side channels in ECC scalar mult | Jack Lloyd | 2018-06-17 | 1 | -0/+5 |
| | |||||
* | Avoid leaking size of exponent | Jack Lloyd | 2018-06-17 | 11 | -51/+119 |
| | | | | See #1606 for discussion | ||||
* | Merge GH #1609 Avoid small side channel in ECC field mul | Jack Lloyd | 2018-06-15 | 1 | -22/+15 |
|\ | |||||
| * | In ECC avoid using significant words to dispatch the mult algo | Jack Lloyd | 2018-06-15 | 1 | -22/+15 |
| | | | | | | | | | | | | Normally all elements will be exact number of limbs as the field. Any situation with short elements is rare and not worth optimizing for, and likely leads to some unfortunate side channel. | ||||
* | | TLS would try to negotiate x25519 even if disabled | Jack Lloyd | 2018-06-15 | 6 | -8/+18 |
|/ | | | | | | | | Also reorder ECC groups to actually match performance characteristics. I'm not sure when P-384 was slower than P-521 but it certainly isn't anymore. Fixes #1607 | ||||
* | Add combined conditional add-or-subtract | Jack Lloyd | 2018-06-14 | 3 | -5/+41 |
| | |||||
* | Remove CT annotations from Montgomery reduction | Jack Lloyd | 2018-06-14 | 1 | -8/+0 |
| | | | | | The poisons don't stack so the unpoison hid conditional jumps we want to find. | ||||
* | In Montgomery mul, avoid branching based on sig words of integers | Jack Lloyd | 2018-06-14 | 1 | -13/+21 |
| | | | | Instead just assume they are the same size as the prime | ||||
* | Make Karatsuba multiply completely const time | Jack Lloyd | 2018-06-14 | 4 | -24/+52 |
| | |||||
* | Fix CLI test | Jack Lloyd | 2018-06-14 | 1 | -0/+1 |
| | |||||
* | Avoid overallocation of memory for EC base point multiples | Jack Lloyd | 2018-06-14 | 1 | -1/+1 |
| | | | | | | | The size is rounded up to next 8 words so there was substantial slack here. No noticable perf difference. | ||||
* | Merge GH #1605 Add 192-bit Suite B TLS policy | Jack Lloyd | 2018-06-14 | 6 | -5/+71 |
|\ | |||||
| * | Add 192-bit Suite B policy | Jack Lloyd | 2018-06-14 | 6 | -5/+71 |
| | | | | | | | | Since 128-bit policy is actually not even allowed since 2015. | ||||
* | | Output order with ec_group_info | Jack Lloyd | 2018-06-14 | 1 | -0/+1 |
|/ | |||||
* | Address DSA/ECDSA side channel | Jack Lloyd | 2018-06-13 | 4 | -17/+80 |
| | |||||
* | Merge GH #1603 Unroll Montgomery reduction for specific sizes | Jack Lloyd | 2018-06-11 | 7 | -26/+2784 |
|\ | |||||
| * | Unroll bigint_monty_redc for various sizes | Jack Lloyd | 2018-06-11 | 7 | -26/+2784 |
| | | | | | | | | Speedup of 10 to 30% depending on algo | ||||
* | | Required changes according to the code review | Hegedüs Márton Csaba | 2018-06-11 | 3 | -3/+7 |
| | | |||||
* | | Add support for GCC's --sysroot option to configure.py | Hegedüs Márton Csaba | 2018-06-08 | 1 | -2/+2 |
|/ | |||||
* | Add missing statement | Jack Lloyd | 2018-06-08 | 1 | -0/+1 |
| | |||||
* | Attempt at MSVC 2013 workaround | Jack Lloyd | 2018-06-08 | 1 | -2/+4 |
| | |||||
* | Expose BER_Decoder constructor taking BER_Object&& | Jack Lloyd | 2018-06-08 | 2 | -4/+10 |
| | |||||
* | Reduce copying/allocations when BER decoding | Jack Lloyd | 2018-06-08 | 2 | -81/+194 |
| | | | | | | | We are constrained in how far we can go because BER_Object must mandatorily copy its value (due to the public member variable exposting the bytes). But this reduces the number of allocations when parsing a sample X.509 certificate by about 15% | ||||
* | Allow passing a writer function callback to DER_Encoder | Jack Lloyd | 2018-06-08 | 2 | -10/+18 |
| | |||||
* | Declare copy and move constructors on BER_Object | Jack Lloyd | 2018-06-08 | 1 | -0/+8 |
| | |||||
* | Constify some local variables | Jack Lloyd | 2018-06-08 | 1 | -2/+2 |
| | |||||
* | Improve error reporting on unexpected EOF when decoding ASN | Jack Lloyd | 2018-06-08 | 2 | -5/+18 |
| | |||||
* | Add "info" and "codec" groups for cli commands [ci skip] | Jack Lloyd | 2018-06-07 | 2 | -10/+12 |
| | |||||
* | Fix a bug in Barrett reduction | Jack Lloyd | 2018-06-05 | 4 | -30/+45 |
| | | | | | | -x*n % n would reduce to n instead of zero. Also some small optimizations and cleanups. | ||||
* | Conditionally use concurrency with sphinx-build. | Daniel Wyatt | 2018-06-04 | 1 | -2/+19 |
| | |||||
* | Correct exception message [ci skip] | Jack Lloyd | 2018-06-04 | 1 | -1/+1 |
| | | | | The previous message was both incorrect and very misleading. | ||||
* | Remove stray header in vector file [ci skip] | Jack Lloyd | 2018-06-01 | 1 | -2/+0 |
| | |||||
* | Merge GH #1594 Add EdDSA/X25519 Wycheproof tests | Jack Lloyd | 2018-05-31 | 5 | -1/+831 |
|\ | |||||
| * | Add EdDSA and X25519 tests from Wycheproof | Jack Lloyd | 2018-05-31 | 5 | -1/+831 |
| | | |||||
* | | Merge GH #1594 Add ECDSA Wycheproof tests | Jack Lloyd | 2018-05-31 | 8 | -24/+13771 |
|\ \ | |||||
| * | | Handle EC_R_BAD_SIGNATURE from OpenSSL | Jack Lloyd | 2018-05-31 | 2 | -0/+14 |
| | | | |||||
| * | | Add ECDSA tests from Wycheproof | Jack Lloyd | 2018-05-31 | 4 | -8/+13719 |
| | | |