path: root/src
Commit message  (Author, Date, Files changed, Lines -/+)
* Support recovering ECDSA public key from message/signature pair  (Jack Lloyd, 2018-12-10, 6 files, -2/+232)
|     See http://www.secg.org/sec1-v2.pdf section 4.1.6
|     Closes #664
|
* Fix pylint3 warning [ci skip]  (Jack Lloyd, 2018-12-10, 1 file, -1/+1)
|
* Make ASan happy  (Jack Lloyd, 2018-12-09, 1 file, -1/+1)
|
* Add base58 encoding/decoding  (Jack Lloyd, 2018-12-09, 6 files, -0/+454)
|
* Merge GH #1782 Add an i386 build/test to CI  (Jack Lloyd, 2018-12-09, 3 files, -4/+14)
|\
| * Add an i386 CI target to check on 32-bit asm  (Jack Lloyd, 2018-12-09, 3 files, -4/+14)
| |
* | Remove Chi-square test on random_integer  (Jack Lloyd, 2018-12-09, 1 file, -46/+0)
|/
|     I'm not sure this test is that useful, which is not itself a big problem, but it is also flaky and occasionally fails, which is no good.
|
* Merge GH #1780 Use constant time algorithm for monty_inverse  (Jack Lloyd, 2018-12-09, 2 files, -39/+23)
|\
| * Use a const time algorithm for monty_inverse  (Jack Lloyd, 2018-12-09, 2 files, -39/+23)
| |     Previous EEA leaked information about the low word of the prime, which is a problem for RSA.
| |
* | Fix typo  (Jack Lloyd, 2018-12-09, 1 file, -1/+1)
| |
* | Avoid doing a variable time division during Montgomery setup  (Jack Lloyd, 2018-12-09, 5 files, -14/+25)
|/
|     Instead require the inputs be reduced already. For RSA-CRT use Barrett which is const time already. For SRP6 inputs were not reduced, use the Barrett hook available in DL_Group.
|
* Move Miller-Rabin t param inside the block  (Jack Lloyd, 2018-12-09, 1 file, -2/+2)
|     This var is not used if we use Baillie-PSW instead
|
* A few features added for BSD.  (David Carlier, 2018-12-09, 3 files, -1/+6)
|     explicit_bzero/explicit_memset have been available for quite some time. getentropy exists for FreeBSD, but only from 12.x.
|
* Avoid repeated size checks when setting words in NIST reduction  (Jack Lloyd, 2018-12-08, 1 file, -25/+33)
|     This is a tiny thing but it saves over 100K cycles for P-384 ECDSA
|
* Merge GH #1776 Clean ups in MDx_HashFunction  (Jack Lloyd, 2018-12-08, 2 files, -33/+49)
|\
| * Require MDx_HashFunction block size to be a power of 2  (Jack Lloyd, 2018-12-08, 2 files, -14/+25)
| |     Allows replacing div/mod by a variable with a shift/mask. Allows storing just the bit count, which saves a few bytes.
| |
| * Cleanups in MDx_HashFunction  (Jack Lloyd, 2018-12-08, 2 files, -32/+37)
| |
* | Merge GH #1775 Clean up Streebog and fix unaligned loads  (Jack Lloyd, 2018-12-08, 2 files, -94/+114)
|\ \
| * | Clean up Streebog and fix use of unaligned loads  (Jack Lloyd, 2018-12-08, 2 files, -94/+114)
| |/
* / In speed, track number of invalid generated signatures and print once  (Jack Lloyd, 2018-12-08, 1 file, -1/+6)
|/
|     Otherwise this spams the output when something goes wrong.
|
* Merge GH #1774 Const time BigInt shifts  (Jack Lloyd, 2018-12-08, 6 files, -98/+83)
|\
| * Avoid early exit  (Jack Lloyd, 2018-12-07, 1 file, -4/+3)
| |
| * Fix bug and avoid allocations in left shift  (Jack Lloyd, 2018-12-07, 5 files, -22/+36)
| |
| * Const time the behavior of shifts [WIP]  (Jack Lloyd, 2018-12-06, 3 files, -87/+59)
| |     They would previously leak for example if the requested shift was 0. However, that should only happen in two situations: very dumb code explicitly requested a shift of zero (in which case we don't care if performance is poor, your code is dumb) or a variable shift that just happens to be zero, in which case the variable may be a secret, for instance this can be seen in the GCD computation.
| |
* | In calc_sig_words save the size of m_reg before the loop  (Jack Lloyd, 2018-12-08, 1 file, -3/+4)
| |
* | Merge GH #1773 Add BigInt::ct_reduce_below  (Jack Lloyd, 2018-12-07, 3 files, -3/+39)
|\ \
| * | Add BigInt::ct_reduce_below  (Jack Lloyd, 2018-12-06, 3 files, -3/+39)
| | |
* | | Merge GH #1772 ECDSA now caches RFC 6979 nonce generator object  (Jack Lloyd, 2018-12-06, 1 file, -3/+3)
|\ \ \
| |_|/
|/| |
| * | In ECDSA cache the RFC6979 object  (Jack Lloyd, 2018-12-06, 1 file, -3/+3)
| |/
| |     This is a very minor savings but does make a difference especially for P-256.
| |
* | Remove hamming_weight function  (Jack Lloyd, 2018-12-06, 2 files, -22/+4)
| |     Unused outside of the test code and not really useful there either. Header is internal so no API breakage.
| |
* | Better logic in BigInt::bits wrt valgrind const time checks  (Jack Lloyd, 2018-12-06, 1 file, -2/+3)
|/
* Merge GH #1771 Add GCC 4.8 build to Travis  (Jack Lloyd, 2018-12-05, 3 files, -0/+10)
|\
| * Add GCC 4.8 travis build  (Jack Lloyd, 2018-12-05, 3 files, -0/+10)
| |
* | Do swaps in PointGFp instead of copies  (Jack Lloyd, 2018-12-05, 2 files, -14/+13)
| |     Saves 5% for ECDSA
| |
* | Avoid needless is_zero check in set_sign  (Jack Lloyd, 2018-12-05, 1 file, -4/+4)
| |     If not negative we don't need to check the size
| |
* | Fix Doxygen errors [ci skip]  (Jack Lloyd, 2018-12-05, 2 files, -1/+1)
|/
* Make BigInt::cond_flip_sign constant time  (Jack Lloyd, 2018-12-05, 1 file, -3/+9)
|
* Use BigInt::cond_flip_sign  (Jack Lloyd, 2018-12-05, 3 files, -7/+4)
|
* Don't leak if x is zero either  (Jack Lloyd, 2018-12-05, 1 file, -39/+37)
|
* Remove some conditional branches from division  (Jack Lloyd, 2018-12-05, 4 files, -22/+2995)
|
* Partially revert 9d5e0567b2  (Jack Lloyd, 2018-12-04, 1 file, -0/+10)
|     Guess we need that update or some packages just aren't found.
|
* Simplify the Travis setup script  (Jack Lloyd, 2018-12-04, 1 file, -19/+14)
|
* Fix more MSVC warnings  (Jack Lloyd, 2018-12-04, 4 files, -4/+24)
|
* Reduce the base in the fixed window exponentiator  (Jack Lloyd, 2018-12-04, 1 file, -1/+1)
|     Otherwise we can end up calling the Barrett reducer with an input that is more than the square of the modulus, which will make it fall back to the (slow) const time division. This only affected even moduli, and only when the base was larger than the modulus.
|     OSS-Fuzz 11750
|
* Silence MSVC warnings  (Jack Lloyd, 2018-12-04, 10 files, -114/+116)
|     static_casts for the compiler god
|
* Merge GH #1768 Use AppVeyor installed jom  (Jack Lloyd, 2018-12-04, 1 file, -2/+1)
|\
| * Use AppVeyor installed jom  (Jack Lloyd, 2018-12-04, 1 file, -2/+1)
| |
* | Move valgrind CI build before the cross builds  (Jack Lloyd, 2018-12-04, 1 file, -1/+1)
| |     Takes longer than the cross builds so usually ends up being the last build running.
| |
* | Fix some misc MSVC warnings  (Jack Lloyd, 2018-12-04, 2 files, -4/+4)
| |
* | Fix some MSVC warnings in CT::Mask  (Jack Lloyd, 2018-12-04, 1 file, -2/+2)
| |