2021-07-12 16:31:22 +02:00
|
|
|
/**
|
|
|
|
* Constant-time functions
|
|
|
|
*
|
|
|
|
* Copyright The Mbed TLS Contributors
|
|
|
|
* SPDX-License-Identifier: Apache-2.0
|
|
|
|
*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
|
|
* not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
*
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
|
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
*/
|
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
/*
|
2021-11-03 16:13:32 +01:00
|
|
|
* The following functions are implemented without using comparison operators, as those
|
2021-10-18 16:09:41 +02:00
|
|
|
* might be translated to branches by some compilers on some platforms.
|
|
|
|
*/
|
|
|
|
|
2023-09-11 20:05:51 +02:00
|
|
|
#include <stdint.h>
|
2023-05-17 12:59:56 +02:00
|
|
|
#include <limits.h>
|
|
|
|
|
2021-07-12 16:31:22 +02:00
|
|
|
#include "common.h"
|
2021-10-20 12:09:35 +02:00
|
|
|
#include "constant_time_internal.h"
|
2021-10-19 12:22:25 +02:00
|
|
|
#include "mbedtls/constant_time.h"
|
2021-09-27 14:28:31 +02:00
|
|
|
#include "mbedtls/error.h"
|
2021-09-29 10:50:31 +02:00
|
|
|
#include "mbedtls/platform_util.h"
|
2021-09-27 11:28:54 +02:00
|
|
|
|
2021-09-27 16:11:12 +02:00
|
|
|
#include <string.h>
|
2023-05-30 15:21:20 +02:00
|
|
|
|
|
|
|
#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
|
|
|
|
#include "psa/crypto.h"
|
2023-05-30 11:45:00 +02:00
|
|
|
/* Define a local translating function to save code size by not using too many
|
|
|
|
* arguments in each translating place. */
|
|
|
|
static int local_err_translation(psa_status_t status)
|
|
|
|
{
|
|
|
|
return psa_status_to_mbedtls(status, psa_to_ssl_errors,
|
2023-05-30 15:45:17 +02:00
|
|
|
ARRAY_LENGTH(psa_to_ssl_errors),
|
2023-05-30 11:45:00 +02:00
|
|
|
psa_generic_status_to_mbedtls);
|
|
|
|
}
|
|
|
|
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
|
2022-12-23 17:00:06 +01:00
|
|
|
#endif
|
2021-09-27 12:55:33 +02:00
|
|
|
|
2023-06-12 19:19:46 +02:00
|
|
|
#if !defined(MBEDTLS_CT_ASM)
|
|
|
|
/*
|
2023-06-12 19:22:18 +02:00
|
|
|
* Define an object with the value zero, such that the compiler cannot prove that it
|
|
|
|
* has the value zero (because it is volatile, it "may be modified in ways unknown to
|
|
|
|
* the implementation").
|
|
|
|
*/
|
2023-06-12 19:19:46 +02:00
|
|
|
volatile mbedtls_ct_uint_t mbedtls_ct_zero = 0;
|
|
|
|
#endif
|
|
|
|
|
2022-12-30 22:25:35 +01:00
|
|
|
/*
|
|
|
|
* Define MBEDTLS_EFFICIENT_UNALIGNED_VOLATILE_ACCESS where assembly is present to
|
|
|
|
* perform fast unaligned access to volatile data.
|
2022-12-22 16:04:43 +01:00
|
|
|
*
|
|
|
|
* This is needed because mbedtls_get_unaligned_uintXX etc don't support volatile
|
|
|
|
* memory accesses.
|
|
|
|
*
|
2022-12-30 22:25:35 +01:00
|
|
|
* Some of these definitions could be moved into alignment.h but for now they are
|
|
|
|
* only used here.
|
2022-12-22 16:04:43 +01:00
|
|
|
*/
|
2023-05-17 12:59:56 +02:00
|
|
|
#if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS) && \
|
2023-06-28 19:52:02 +02:00
|
|
|
((defined(MBEDTLS_CT_ARM_ASM) && (UINTPTR_MAX == 0xfffffffful)) || \
|
|
|
|
defined(MBEDTLS_CT_AARCH64_ASM))
|
2023-06-21 12:55:17 +02:00
|
|
|
/* We check pointer sizes to avoid issues with them not matching register size requirements */
|
2022-12-30 22:25:35 +01:00
|
|
|
#define MBEDTLS_EFFICIENT_UNALIGNED_VOLATILE_ACCESS
|
2022-12-22 16:04:43 +01:00
|
|
|
|
|
|
|
static inline uint32_t mbedtls_get_unaligned_volatile_uint32(volatile const unsigned char *p)
|
|
|
|
{
|
|
|
|
/* This is UB, even where it's safe:
|
|
|
|
* return *((volatile uint32_t*)p);
|
|
|
|
* so instead the same thing is expressed in assembly below.
|
|
|
|
*/
|
|
|
|
uint32_t r;
|
2023-05-17 12:59:56 +02:00
|
|
|
#if defined(MBEDTLS_CT_ARM_ASM)
|
2023-08-16 13:31:54 +02:00
|
|
|
asm volatile ("ldr %0, [%1]" : "=r" (r) : "r" (p) :);
|
2023-05-17 12:59:56 +02:00
|
|
|
#elif defined(MBEDTLS_CT_AARCH64_ASM)
|
2023-06-21 17:36:47 +02:00
|
|
|
asm volatile ("ldr %w0, [%1]" : "=r" (r) : MBEDTLS_ASM_AARCH64_PTR_CONSTRAINT(p) :);
|
2023-05-17 12:59:56 +02:00
|
|
|
#else
|
2023-08-16 13:26:37 +02:00
|
|
|
#error "No assembly defined for mbedtls_get_unaligned_volatile_uint32"
|
2022-12-22 16:04:43 +01:00
|
|
|
#endif
|
2022-12-30 22:25:35 +01:00
|
|
|
return r;
|
2022-12-22 16:04:43 +01:00
|
|
|
}
|
2023-05-17 12:59:56 +02:00
|
|
|
#endif /* defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS) &&
|
|
|
|
(defined(MBEDTLS_CT_ARM_ASM) || defined(MBEDTLS_CT_AARCH64_ASM)) */
|
2022-12-22 16:04:43 +01:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
int mbedtls_ct_memcmp(const void *a,
|
|
|
|
const void *b,
|
|
|
|
size_t n)
|
2021-09-27 11:28:54 +02:00
|
|
|
{
|
2022-12-22 16:04:43 +01:00
|
|
|
size_t i = 0;
|
2023-01-11 18:39:33 +01:00
|
|
|
/*
|
|
|
|
* `A` and `B` are cast to volatile to ensure that the compiler
|
|
|
|
* generates code that always fully reads both buffers.
|
|
|
|
* Otherwise it could generate a test to exit early if `diff` has all
|
|
|
|
* bits set early in the loop.
|
|
|
|
*/
|
2021-09-27 11:28:54 +02:00
|
|
|
volatile const unsigned char *A = (volatile const unsigned char *) a;
|
|
|
|
volatile const unsigned char *B = (volatile const unsigned char *) b;
|
2023-01-11 18:39:33 +01:00
|
|
|
uint32_t diff = 0;
|
2021-09-27 11:28:54 +02:00
|
|
|
|
2022-12-30 22:25:35 +01:00
|
|
|
#if defined(MBEDTLS_EFFICIENT_UNALIGNED_VOLATILE_ACCESS)
|
2022-12-22 16:04:43 +01:00
|
|
|
for (; (i + 4) <= n; i += 4) {
|
|
|
|
uint32_t x = mbedtls_get_unaligned_volatile_uint32(A + i);
|
|
|
|
uint32_t y = mbedtls_get_unaligned_volatile_uint32(B + i);
|
|
|
|
diff |= x ^ y;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
|
|
|
for (; i < n; i++) {
|
2021-09-27 11:28:54 +02:00
|
|
|
/* Read volatile data in order before computing diff.
|
|
|
|
* This avoids IAR compiler warning:
|
|
|
|
* 'the order of volatile accesses is undefined ..' */
|
|
|
|
unsigned char x = A[i], y = B[i];
|
|
|
|
diff |= x ^ y;
|
|
|
|
}
|
|
|
|
|
2023-09-12 10:29:33 +02:00
|
|
|
|
2023-09-12 10:30:44 +02:00
|
|
|
#if (INT_MAX < INT32_MAX)
|
2023-09-12 10:29:33 +02:00
|
|
|
/* We don't support int smaller than 32-bits, but if someone tried to build
|
|
|
|
* with this configuration, there is a risk that, for differing data, the
|
|
|
|
* only bits set in diff are in the top 16-bits, and would be lost by a
|
|
|
|
* simple cast from uint32 to int.
|
|
|
|
* This would have significant security implications, so protect against it. */
|
|
|
|
#error "mbedtls_ct_memcmp() requires minimum 32-bit ints"
|
2023-09-11 20:05:51 +02:00
|
|
|
#else
|
2023-09-12 13:38:53 +02:00
|
|
|
/* The bit-twiddling ensures that when we cast uint32_t to int, we are casting
|
|
|
|
* a value that is in the range 0..INT_MAX - a value larger than this would
|
|
|
|
* result in implementation defined behaviour.
|
|
|
|
*
|
|
|
|
* This ensures that the value returned by the function is non-zero iff
|
|
|
|
* diff is non-zero.
|
|
|
|
*/
|
|
|
|
return (int) ((diff & 0xffff) | (diff >> 16));
|
2023-09-11 20:05:51 +02:00
|
|
|
#endif
|
2021-09-27 11:28:54 +02:00
|
|
|
}
|
|
|
|
|
2023-09-18 19:20:27 +02:00
|
|
|
#if defined(MBEDTLS_NIST_KW_C)
|
|
|
|
|
|
|
|
int mbedtls_ct_memcmp_partial(const void *a,
|
|
|
|
const void *b,
|
|
|
|
size_t n,
|
|
|
|
size_t skip_head,
|
|
|
|
size_t skip_tail)
|
|
|
|
{
|
|
|
|
unsigned int diff = 0;
|
|
|
|
|
|
|
|
volatile const unsigned char *A = (volatile const unsigned char *) a;
|
|
|
|
volatile const unsigned char *B = (volatile const unsigned char *) b;
|
|
|
|
|
|
|
|
size_t valid_end = n - skip_tail;
|
|
|
|
|
|
|
|
for (size_t i = 0; i < n; i++) {
|
|
|
|
unsigned char x = A[i], y = B[i];
|
2023-09-19 15:13:41 +02:00
|
|
|
unsigned int d = x ^ y;
|
2023-09-18 19:20:27 +02:00
|
|
|
mbedtls_ct_condition_t valid = mbedtls_ct_bool_and(mbedtls_ct_uint_ge(i, skip_head),
|
|
|
|
mbedtls_ct_uint_lt(i, valid_end));
|
|
|
|
diff |= mbedtls_ct_uint_if_else_0(valid, d);
|
|
|
|
}
|
|
|
|
|
2023-09-19 15:13:41 +02:00
|
|
|
/* Since we go byte-by-byte, the only bits set will be in the bottom 8 bits, so the
|
|
|
|
* cast from uint to int is safe. */
|
|
|
|
return (int) diff;
|
2023-09-18 19:20:27 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
#endif
|
|
|
|
|
2021-10-18 17:05:06 +02:00
|
|
|
#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
|
|
|
|
|
2023-05-17 13:20:11 +02:00
|
|
|
void mbedtls_ct_memmove_left(void *start, size_t total, size_t offset)
|
2021-09-27 13:31:06 +02:00
|
|
|
{
|
2023-07-31 13:37:01 +02:00
|
|
|
volatile unsigned char *buf = start;
|
2023-05-17 13:20:11 +02:00
|
|
|
for (size_t i = 0; i < total; i++) {
|
2023-08-10 12:58:18 +02:00
|
|
|
mbedtls_ct_condition_t no_op = mbedtls_ct_uint_gt(total - offset, i);
|
2023-07-31 13:37:01 +02:00
|
|
|
/* The first `total - offset` passes are a no-op. The last
|
|
|
|
* `offset` passes shift the data one byte to the left and
|
|
|
|
* zero out the last byte. */
|
|
|
|
for (size_t n = 0; n < total - 1; n++) {
|
|
|
|
unsigned char current = buf[n];
|
|
|
|
unsigned char next = buf[n+1];
|
|
|
|
buf[n] = mbedtls_ct_uint_if(no_op, current, next);
|
|
|
|
}
|
2023-08-10 13:11:31 +02:00
|
|
|
buf[total-1] = mbedtls_ct_uint_if_else_0(no_op, buf[total-1]);
|
2021-09-27 13:31:06 +02:00
|
|
|
}
|
|
|
|
}
|
2021-09-27 13:34:25 +02:00
|
|
|
|
2021-10-18 17:05:06 +02:00
|
|
|
#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */
|
|
|
|
|
2023-05-17 13:34:56 +02:00
|
|
|
void mbedtls_ct_memcpy_if(mbedtls_ct_condition_t condition,
|
|
|
|
unsigned char *dest,
|
|
|
|
const unsigned char *src1,
|
|
|
|
const unsigned char *src2,
|
|
|
|
size_t len)
|
|
|
|
{
|
2023-05-19 11:33:21 +02:00
|
|
|
#if defined(MBEDTLS_CT_SIZE_64)
|
|
|
|
const uint64_t mask = (uint64_t) condition;
|
|
|
|
const uint64_t not_mask = (uint64_t) ~mbedtls_ct_compiler_opaque(condition);
|
|
|
|
#else
|
2023-05-17 13:34:56 +02:00
|
|
|
const uint32_t mask = (uint32_t) condition;
|
|
|
|
const uint32_t not_mask = (uint32_t) ~mbedtls_ct_compiler_opaque(condition);
|
2023-05-19 11:33:21 +02:00
|
|
|
#endif
|
2023-05-17 13:34:56 +02:00
|
|
|
|
2023-07-31 13:27:49 +02:00
|
|
|
/* If src2 is NULL, setup src2 so that we read from the destination address.
|
|
|
|
*
|
|
|
|
* This means that if src2 == NULL && condition is false, the result will be a
|
|
|
|
* no-op because we read from dest and write the same data back into dest.
|
|
|
|
*/
|
2023-05-17 13:34:56 +02:00
|
|
|
if (src2 == NULL) {
|
|
|
|
src2 = dest;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* dest[i] = c1 == c2 ? src[i] : dest[i] */
|
|
|
|
size_t i = 0;
|
|
|
|
#if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS)
|
2023-05-19 11:33:21 +02:00
|
|
|
#if defined(MBEDTLS_CT_SIZE_64)
|
|
|
|
for (; (i + 8) <= len; i += 8) {
|
|
|
|
uint64_t a = mbedtls_get_unaligned_uint64(src1 + i) & mask;
|
|
|
|
uint64_t b = mbedtls_get_unaligned_uint64(src2 + i) & not_mask;
|
|
|
|
mbedtls_put_unaligned_uint64(dest + i, a | b);
|
|
|
|
}
|
|
|
|
#else
|
2023-05-17 13:34:56 +02:00
|
|
|
for (; (i + 4) <= len; i += 4) {
|
|
|
|
uint32_t a = mbedtls_get_unaligned_uint32(src1 + i) & mask;
|
|
|
|
uint32_t b = mbedtls_get_unaligned_uint32(src2 + i) & not_mask;
|
|
|
|
mbedtls_put_unaligned_uint32(dest + i, a | b);
|
|
|
|
}
|
2023-05-19 11:33:21 +02:00
|
|
|
#endif /* defined(MBEDTLS_CT_SIZE_64) */
|
2023-05-17 13:34:56 +02:00
|
|
|
#endif /* MBEDTLS_EFFICIENT_UNALIGNED_ACCESS */
|
|
|
|
for (; i < len; i++) {
|
|
|
|
dest[i] = (src1[i] & mask) | (src2[i] & not_mask);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
void mbedtls_ct_memcpy_offset(unsigned char *dest,
|
|
|
|
const unsigned char *src,
|
|
|
|
size_t offset,
|
|
|
|
size_t offset_min,
|
|
|
|
size_t offset_max,
|
|
|
|
size_t len)
|
2021-09-27 13:57:45 +02:00
|
|
|
{
|
2021-10-18 16:17:57 +02:00
|
|
|
size_t offsetval;
|
2021-09-27 13:57:45 +02:00
|
|
|
|
2023-01-11 14:50:10 +01:00
|
|
|
for (offsetval = offset_min; offsetval <= offset_max; offsetval++) {
|
2023-08-10 12:58:18 +02:00
|
|
|
mbedtls_ct_memcpy_if(mbedtls_ct_uint_eq(offsetval, offset), dest, src + offsetval, NULL,
|
2023-05-17 18:45:33 +02:00
|
|
|
len);
|
2021-09-27 13:57:45 +02:00
|
|
|
}
|
|
|
|
}
|
2021-09-27 14:28:31 +02:00
|
|
|
|
2023-05-17 13:12:44 +02:00
|
|
|
#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
|
|
|
|
|
|
|
|
void mbedtls_ct_zeroize_if(mbedtls_ct_condition_t condition, void *buf, size_t len)
|
|
|
|
{
|
|
|
|
uint32_t mask = (uint32_t) ~condition;
|
|
|
|
uint8_t *p = (uint8_t *) buf;
|
|
|
|
size_t i = 0;
|
|
|
|
#if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS)
|
|
|
|
for (; (i + 4) <= len; i += 4) {
|
|
|
|
mbedtls_put_unaligned_uint32((void *) (p + i),
|
|
|
|
mbedtls_get_unaligned_uint32((void *) (p + i)) & mask);
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
for (; i < len; i++) {
|
|
|
|
p[i] = p[i] & mask;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
#endif /* defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) */
|