aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* Perform ECC mult starting from top bit of the exponentJack Lloyd2018-06-201-17/+16
| | | | | | | Since we know the top bit is 1, then R will always be a point other than point at infinity after the very first addition regardless of the scalar or mask, so then coordinate randomization is guaranteed to work.
* Avoid a small timing channel in Barrett reductionJack Lloyd2018-06-202-25/+31
| | | | No known exploit for this but no point taking chances.
* More cli testsJack Lloyd2018-06-191-0/+27
|
* Ensure that trying to add points from different groups fails.Jack Lloyd2018-06-193-13/+35
| | | | Producing garbage instead is asking for trouble.
* Use masked table lookup in ECC base point multiplicationJack Lloyd2018-06-192-9/+42
|
* Avoid a special case in Barrett reduction for x < modJack Lloyd2018-06-181-8/+3
| | | | This would have prevented CVE-2018-12435
* Avoid unnecessary realloc in BigInt::mod_subJack Lloyd2018-06-171-2/+7
|
* Add some todo comments wrt side channels in ECC scalar multJack Lloyd2018-06-171-0/+5
|
* Avoid leaking size of exponentJack Lloyd2018-06-1711-51/+119
| | | | See #1606 for discussion
* Merge GH #1609 Avoid small side channel in ECC field mulJack Lloyd2018-06-151-22/+15
|\
| * In ECC avoid using significant words to dispatch the mult algoJack Lloyd2018-06-151-22/+15
| | | | | | | | | | | | Normally all elements will be exact number of limbs as the field. Any situation with short elements is rare and not worth optimizing for, and likely leads to some unfortunate side channel.
* | TLS would try to negotiate x25519 even if disabledJack Lloyd2018-06-156-8/+18
|/ | | | | | | | Also reorder ECC groups to actually match performance characteristics. I'm not sure when P-384 was slower than P-521 but it certainly isn't anymore. Fixes #1607
* Add combined conditional add-or-subtractJack Lloyd2018-06-143-5/+41
|
* Remove CT annotations from Montgomery reductionJack Lloyd2018-06-141-8/+0
| | | | | The poisons don't stack so the unpoison hid conditional jumps we want to find.
* In Montgomery mul, avoid branching based on sig words of integersJack Lloyd2018-06-141-13/+21
| | | | Instead just assume they are the same size as the prime
* Make Karatsuba multiply completely const timeJack Lloyd2018-06-144-24/+52
|
* Fix CLI testJack Lloyd2018-06-141-0/+1
|
* Avoid overallocation of memory for EC base point multiplesJack Lloyd2018-06-141-1/+1
| | | | | | | The size is rounded up to next 8 words so there was substantial slack here. No noticable perf difference.
* Merge GH #1605 Add 192-bit Suite B TLS policyJack Lloyd2018-06-146-5/+71
|\
| * Add 192-bit Suite B policyJack Lloyd2018-06-146-5/+71
| | | | | | | | Since 128-bit policy is actually not even allowed since 2015.
* | Output order with ec_group_infoJack Lloyd2018-06-141-0/+1
|/
* Address DSA/ECDSA side channelJack Lloyd2018-06-134-17/+80
|
* Merge GH #1603 Unroll Montgomery reduction for specific sizesJack Lloyd2018-06-117-26/+2784
|\
| * Unroll bigint_monty_redc for various sizesJack Lloyd2018-06-117-26/+2784
| | | | | | | | Speedup of 10 to 30% depending on algo
* | Required changes according to the code reviewHegedüs Márton Csaba2018-06-113-3/+7
| |
* | Add support for GCC's --sysroot option to configure.pyHegedüs Márton Csaba2018-06-081-2/+2
|/
* Add missing statementJack Lloyd2018-06-081-0/+1
|
* Attempt at MSVC 2013 workaroundJack Lloyd2018-06-081-2/+4
|
* Expose BER_Decoder constructor taking BER_Object&&Jack Lloyd2018-06-082-4/+10
|
* Reduce copying/allocations when BER decodingJack Lloyd2018-06-082-81/+194
| | | | | | | We are constrained in how far we can go because BER_Object must mandatorily copy its value (due to the public member variable exposting the bytes). But this reduces the number of allocations when parsing a sample X.509 certificate by about 15%
* Allow passing a writer function callback to DER_EncoderJack Lloyd2018-06-082-10/+18
|
* Declare copy and move constructors on BER_ObjectJack Lloyd2018-06-081-0/+8
|
* Constify some local variablesJack Lloyd2018-06-081-2/+2
|
* Improve error reporting on unexpected EOF when decoding ASNJack Lloyd2018-06-082-5/+18
|
* Add "info" and "codec" groups for cli commands [ci skip]Jack Lloyd2018-06-072-10/+12
|
* Fix a bug in Barrett reductionJack Lloyd2018-06-054-30/+45
| | | | | | -x*n % n would reduce to n instead of zero. Also some small optimizations and cleanups.
* Conditionally use concurrency with sphinx-build.Daniel Wyatt2018-06-041-2/+19
|
* Correct exception message [ci skip]Jack Lloyd2018-06-041-1/+1
| | | | The previous message was both incorrect and very misleading.
* Remove stray header in vector file [ci skip]Jack Lloyd2018-06-011-2/+0
|
* Merge GH #1594 Add EdDSA/X25519 Wycheproof testsJack Lloyd2018-05-315-1/+831
|\
| * Add EdDSA and X25519 tests from WycheproofJack Lloyd2018-05-315-1/+831
| |
* | Merge GH #1594 Add ECDSA Wycheproof testsJack Lloyd2018-05-318-24/+13771
|\ \
| * | Handle EC_R_BAD_SIGNATURE from OpenSSLJack Lloyd2018-05-312-0/+14
| | |
| * | Add ECDSA tests from WycheproofJack Lloyd2018-05-314-8/+13719
| | |
| * | Prevent signature malleability in DER/BER encoded sigsJack Lloyd2018-05-311-14/+35
| | |
| * | Correct error in P-224 computationJack Lloyd2018-05-311-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | If x was very small to start with x.size() might be under the limb count which would cause the final addition to throw because the destination array was smaller than the P-224 p being added. Caught by Wycheproof ECDSA tests
* | | Merge GH #1595/#1555 Base32 encodingJack Lloyd2018-05-317-2/+713
|\ \ \ | |_|/ |/| |
| * | Move codec_base.h to internal header in utilsJack Lloyd2018-05-315-5/+4
| | |
| * | Refactoring Base32 to use the templated algorithmWambou2018-05-312-182/+146
| | |
| * | Define templated base encoding/decodingWambou2018-05-312-0/+167
| | |
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-04 16:46:35 +0000