SP ECC signing code was generating signatures with r of 0.
This is not allowed by the algorithm description.
Retry sig gen when r is 0 like when s is 0.
used and size have no reason to be negative - change type.
Change code to match unsigned change. Mostly change variables to be
unsigned where possible.
integer.c: Only have mp_rand_prime available when needed and
mp_prime_is_prime_ex is available.
Fixes from regression testing.
Fix for GeneratePublicDh was not right in #6002.
sp_DhExp_* are called from multiple functions.
Sometimes outLen contains a value and sometimes not.
Check public key output size in GeneratePublicDh before calling SP.
Enabling SP with ASM didn't enable SP or error out when SP wasn't
configured. Now enables SP when '' and errors when 'no'.
SAKKE modinv used large amounts of stack. Change to have more temporary
memory allocated increased to cover the usage.
ECC, SAKKE: sp_<bits>_ecc_mulmod_<cpu><words>() used large amounts of
stack. Allocate when WOLFSSL_SMALL_STACK.
wc_DhCheckKeyPair() not available when HAVE_SELFTEST.
Wasn't compiled in before as WOLFSSL_HAVE_SP_DH wasn't defined.
Specific compress key code for P521 doesn't need a n square function.
Fixing generation of x86_64 ASM scripts resulted in adding carriage
return to chacha_asm.S.
P-256/384/521.
New functions:
- sp_ecc_make_key_256_nb
- sp_ecc_make_key_384_nb
- sp_ecc_make_key_521_nb
- sp_ecc_secret_gen_256_nb
- sp_ecc_secret_gen_384_nb
- sp_ecc_secret_gen_521_nb
This commit also tweaks the testing for ECDSA testing in test.c. Instead of
testing with one of P-256/384/521, we test with all that are available.
Implement div words for different platforms.
Use implementation not using a divide instruction unless
SP_DIV_WORD_USE_DIV or we know there is a div instruction.
Fix Thumb implementation of div word.
GCM: make borrow constant time.
AES-GCM decrypt: compare at end and constant time.
Random: array_add touchs all elements every time.
RSA-OAEP: look for padding byte in constant time (look at every byte in
array).
SP
- reduce conditional use (make them bit ops)
- Fix point adds to not use double when adding infinity to infinity
- Implement signed div as __divi3 is not constant time.
- Move check sof input variables to API.
EC point add is a double if affine ordinates are the same.
Fix AVX2 implementation of mod inv to do conversion from 26 bits in
32-bit registers to 64 bits in 64-bit registers. Also handle negative
value.
RSA OAEP: loop down to last byte. Must have a separator.
Div for x86_64: fix to have all 1s when high word equals divisor.
Change Karatsuba implementations for x86_64.
Fix ECC code to better handle corner cases.
Add 'lower' versions of functions wehn an input is known to be less than m.
Add mont_add/dbl/tpl/sub for P384.
Change ECC point add to be cache-attack resistant.
Change mod_exp to be cache-attack resistant.
Need to right shift number down when hash is more than 521 bits.
Previously handled at a byte level and now at bit level.
Always return err from sp_*_ecc_mulmod_add_only_*().
When ECC add and double points are public and only have SP
implementation, check that the point ordinates are the right size.
Faster small code and fast code.
Allow fixed 4096-bit FFDHE parameters in benchmark.
Convert [u]int[32|64|128]*_t types to sp_[u]int[32|64|128].
Add a div for when top bits are all 1
WOLFSSL_SP_FAST_LARGE_CODE added to make mul_add function faster on
non-embedded platforms.
Change mod_exp window sizes for same performance but less memory.
P256 with c32 now 9 words instead of 10.
