Rename constant-time functions to have mbedtls_ct prefix
Rename functions to better suite with the module name. Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
This commit is contained in:
parent
53dd04c13b
commit
90437e3762
13 changed files with 89 additions and 89 deletions
|
@ -38,7 +38,7 @@
|
||||||
* \return Zero if the content of the two buffer is the same,
|
* \return Zero if the content of the two buffer is the same,
|
||||||
* otherwise non-zero.
|
* otherwise non-zero.
|
||||||
*/
|
*/
|
||||||
int mbedtls_cf_memcmp( const void *a,
|
int mbedtls_ct_memcmp( const void *a,
|
||||||
const void *b,
|
const void *b,
|
||||||
size_t n );
|
size_t n );
|
||||||
|
|
||||||
|
|
|
@ -1951,7 +1951,7 @@ static void mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi
|
||||||
* so d[n] == 1 and we want to set A to the result of the subtraction
|
* so d[n] == 1 and we want to set A to the result of the subtraction
|
||||||
* which is d - (2^biL)^n, i.e. the n least significant limbs of d.
|
* which is d - (2^biL)^n, i.e. the n least significant limbs of d.
|
||||||
* This exactly corresponds to a conditional assignment. */
|
* This exactly corresponds to a conditional assignment. */
|
||||||
mbedtls_cf_mpi_uint_cond_assign( n, A->p, d, (unsigned char) d[n] );
|
mbedtls_ct_mpi_uint_cond_assign( n, A->p, d, (unsigned char) d[n] );
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -1993,7 +1993,7 @@ static int mpi_select( mbedtls_mpi *R, const mbedtls_mpi *T, size_t T_size, size
|
||||||
for( size_t i = 0; i < T_size; i++ )
|
for( size_t i = 0; i < T_size; i++ )
|
||||||
{
|
{
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( R, &T[i],
|
MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( R, &T[i],
|
||||||
(unsigned char) mbedtls_cf_size_bool_eq( i, idx ) ) );
|
(unsigned char) mbedtls_ct_size_bool_eq( i, idx ) ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
cleanup:
|
cleanup:
|
||||||
|
|
|
@ -1159,7 +1159,7 @@ int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Check the tag in "constant-time" */
|
/* Check the tag in "constant-time" */
|
||||||
if( mbedtls_cf_memcmp( tag, check_tag, tag_len ) != 0 )
|
if( mbedtls_ct_memcmp( tag, check_tag, tag_len ) != 0 )
|
||||||
return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
|
return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
|
||||||
|
|
||||||
return( 0 );
|
return( 0 );
|
||||||
|
@ -1181,7 +1181,7 @@ int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Check the tag in "constant-time" */
|
/* Check the tag in "constant-time" */
|
||||||
if( mbedtls_cf_memcmp( tag, check_tag, tag_len ) != 0 )
|
if( mbedtls_ct_memcmp( tag, check_tag, tag_len ) != 0 )
|
||||||
return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
|
return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
|
||||||
|
|
||||||
return( 0 );
|
return( 0 );
|
||||||
|
|
|
@ -42,7 +42,7 @@
|
||||||
|
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
|
||||||
int mbedtls_cf_memcmp( const void *a,
|
int mbedtls_ct_memcmp( const void *a,
|
||||||
const void *b,
|
const void *b,
|
||||||
size_t n )
|
size_t n )
|
||||||
{
|
{
|
||||||
|
@ -63,7 +63,7 @@ int mbedtls_cf_memcmp( const void *a,
|
||||||
return( (int)diff );
|
return( (int)diff );
|
||||||
}
|
}
|
||||||
|
|
||||||
unsigned mbedtls_cf_uint_mask( unsigned value )
|
unsigned mbedtls_ct_uint_mask( unsigned value )
|
||||||
{
|
{
|
||||||
/* MSVC has a warning about unary minus on unsigned, but this is
|
/* MSVC has a warning about unary minus on unsigned, but this is
|
||||||
* well-defined and precisely what we want to do here */
|
* well-defined and precisely what we want to do here */
|
||||||
|
@ -79,7 +79,7 @@ unsigned mbedtls_cf_uint_mask( unsigned value )
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
|
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
|
||||||
|
|
||||||
size_t mbedtls_cf_size_mask( size_t value )
|
size_t mbedtls_ct_size_mask( size_t value )
|
||||||
{
|
{
|
||||||
/* MSVC has a warning about unary minus on unsigned integer types,
|
/* MSVC has a warning about unary minus on unsigned integer types,
|
||||||
* but this is well-defined and precisely what we want to do here. */
|
* but this is well-defined and precisely what we want to do here. */
|
||||||
|
@ -97,7 +97,7 @@ size_t mbedtls_cf_size_mask( size_t value )
|
||||||
|
|
||||||
#if defined(MBEDTLS_BIGNUM_C)
|
#if defined(MBEDTLS_BIGNUM_C)
|
||||||
|
|
||||||
mbedtls_mpi_uint mbedtls_cf_mpi_uint_mask( mbedtls_mpi_uint value )
|
mbedtls_mpi_uint mbedtls_ct_mpi_uint_mask( mbedtls_mpi_uint value )
|
||||||
{
|
{
|
||||||
/* MSVC has a warning about unary minus on unsigned, but this is
|
/* MSVC has a warning about unary minus on unsigned, but this is
|
||||||
* well-defined and precisely what we want to do here */
|
* well-defined and precisely what we want to do here */
|
||||||
|
@ -127,7 +127,7 @@ mbedtls_mpi_uint mbedtls_cf_mpi_uint_mask( mbedtls_mpi_uint value )
|
||||||
*
|
*
|
||||||
* \return All-bits-one if \p x is less than \p y, otherwise zero.
|
* \return All-bits-one if \p x is less than \p y, otherwise zero.
|
||||||
*/
|
*/
|
||||||
static size_t mbedtls_cf_size_mask_lt( size_t x,
|
static size_t mbedtls_ct_size_mask_lt( size_t x,
|
||||||
size_t y )
|
size_t y )
|
||||||
{
|
{
|
||||||
/* This has the most significant bit set if and only if x < y */
|
/* This has the most significant bit set if and only if x < y */
|
||||||
|
@ -137,20 +137,20 @@ static size_t mbedtls_cf_size_mask_lt( size_t x,
|
||||||
const size_t sub1 = sub >> ( sizeof( sub ) * 8 - 1 );
|
const size_t sub1 = sub >> ( sizeof( sub ) * 8 - 1 );
|
||||||
|
|
||||||
/* mask = (x < y) ? 0xff... : 0x00... */
|
/* mask = (x < y) ? 0xff... : 0x00... */
|
||||||
const size_t mask = mbedtls_cf_size_mask( sub1 );
|
const size_t mask = mbedtls_ct_size_mask( sub1 );
|
||||||
|
|
||||||
return( mask );
|
return( mask );
|
||||||
}
|
}
|
||||||
|
|
||||||
size_t mbedtls_cf_size_mask_ge( size_t x,
|
size_t mbedtls_ct_size_mask_ge( size_t x,
|
||||||
size_t y )
|
size_t y )
|
||||||
{
|
{
|
||||||
return( ~mbedtls_cf_size_mask_lt( x, y ) );
|
return( ~mbedtls_ct_size_mask_lt( x, y ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
|
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
|
||||||
|
|
||||||
unsigned mbedtls_cf_size_bool_eq( size_t x,
|
unsigned mbedtls_ct_size_bool_eq( size_t x,
|
||||||
size_t y )
|
size_t y )
|
||||||
{
|
{
|
||||||
/* diff = 0 if x == y, non-zero otherwise */
|
/* diff = 0 if x == y, non-zero otherwise */
|
||||||
|
@ -189,7 +189,7 @@ unsigned mbedtls_cf_size_bool_eq( size_t x,
|
||||||
*
|
*
|
||||||
* \return 1 if \p x greater than \p y, otherwise 0.
|
* \return 1 if \p x greater than \p y, otherwise 0.
|
||||||
*/
|
*/
|
||||||
static unsigned mbedtls_cf_size_gt( size_t x,
|
static unsigned mbedtls_ct_size_gt( size_t x,
|
||||||
size_t y )
|
size_t y )
|
||||||
{
|
{
|
||||||
/* Return the sign bit (1 for negative) of (y - x). */
|
/* Return the sign bit (1 for negative) of (y - x). */
|
||||||
|
@ -200,7 +200,7 @@ static unsigned mbedtls_cf_size_gt( size_t x,
|
||||||
|
|
||||||
#if defined(MBEDTLS_BIGNUM_C)
|
#if defined(MBEDTLS_BIGNUM_C)
|
||||||
|
|
||||||
unsigned mbedtls_cf_mpi_uint_lt( const mbedtls_mpi_uint x,
|
unsigned mbedtls_ct_mpi_uint_lt( const mbedtls_mpi_uint x,
|
||||||
const mbedtls_mpi_uint y )
|
const mbedtls_mpi_uint y )
|
||||||
{
|
{
|
||||||
mbedtls_mpi_uint ret;
|
mbedtls_mpi_uint ret;
|
||||||
|
@ -230,11 +230,11 @@ unsigned mbedtls_cf_mpi_uint_lt( const mbedtls_mpi_uint x,
|
||||||
|
|
||||||
#endif /* MBEDTLS_BIGNUM_C */
|
#endif /* MBEDTLS_BIGNUM_C */
|
||||||
|
|
||||||
unsigned mbedtls_cf_uint_if( unsigned condition,
|
unsigned mbedtls_ct_uint_if( unsigned condition,
|
||||||
unsigned if1,
|
unsigned if1,
|
||||||
unsigned if0 )
|
unsigned if0 )
|
||||||
{
|
{
|
||||||
unsigned mask = mbedtls_cf_uint_mask( condition );
|
unsigned mask = mbedtls_ct_uint_mask( condition );
|
||||||
return( ( mask & if1 ) | (~mask & if0 ) );
|
return( ( mask & if1 ) | (~mask & if0 ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -254,7 +254,7 @@ unsigned mbedtls_cf_uint_if( unsigned condition,
|
||||||
*
|
*
|
||||||
* \return \c if1 if \p condition is nonzero, otherwise \c if0.
|
* \return \c if1 if \p condition is nonzero, otherwise \c if0.
|
||||||
* */
|
* */
|
||||||
static int mbedtls_cf_cond_select_sign( unsigned char condition,
|
static int mbedtls_ct_cond_select_sign( unsigned char condition,
|
||||||
int if1,
|
int if1,
|
||||||
int if0 )
|
int if0 )
|
||||||
{
|
{
|
||||||
|
@ -274,7 +274,7 @@ static int mbedtls_cf_cond_select_sign( unsigned char condition,
|
||||||
return( (int) ur - 1 );
|
return( (int) ur - 1 );
|
||||||
}
|
}
|
||||||
|
|
||||||
void mbedtls_cf_mpi_uint_cond_assign( size_t n,
|
void mbedtls_ct_mpi_uint_cond_assign( size_t n,
|
||||||
mbedtls_mpi_uint *dest,
|
mbedtls_mpi_uint *dest,
|
||||||
const mbedtls_mpi_uint *src,
|
const mbedtls_mpi_uint *src,
|
||||||
unsigned char condition )
|
unsigned char condition )
|
||||||
|
@ -305,7 +305,7 @@ void mbedtls_cf_mpi_uint_cond_assign( size_t n,
|
||||||
|
|
||||||
/** Shift some data towards the left inside a buffer.
|
/** Shift some data towards the left inside a buffer.
|
||||||
*
|
*
|
||||||
* `mbedtls_cf_mem_move_to_left(start, total, offset)` is functionally
|
* `mbedtls_ct_mem_move_to_left(start, total, offset)` is functionally
|
||||||
* equivalent to
|
* equivalent to
|
||||||
* ```
|
* ```
|
||||||
* memmove(start, start + offset, total - offset);
|
* memmove(start, start + offset, total - offset);
|
||||||
|
@ -319,7 +319,7 @@ void mbedtls_cf_mpi_uint_cond_assign( size_t n,
|
||||||
* \param total Total size of the buffer.
|
* \param total Total size of the buffer.
|
||||||
* \param offset Offset from which to copy \p total - \p offset bytes.
|
* \param offset Offset from which to copy \p total - \p offset bytes.
|
||||||
*/
|
*/
|
||||||
static void mbedtls_cf_mem_move_to_left( void *start,
|
static void mbedtls_ct_mem_move_to_left( void *start,
|
||||||
size_t total,
|
size_t total,
|
||||||
size_t offset )
|
size_t offset )
|
||||||
{
|
{
|
||||||
|
@ -329,7 +329,7 @@ static void mbedtls_cf_mem_move_to_left( void *start,
|
||||||
return;
|
return;
|
||||||
for( i = 0; i < total; i++ )
|
for( i = 0; i < total; i++ )
|
||||||
{
|
{
|
||||||
unsigned no_op = mbedtls_cf_size_gt( total - offset, i );
|
unsigned no_op = mbedtls_ct_size_gt( total - offset, i );
|
||||||
/* The first `total - offset` passes are a no-op. The last
|
/* The first `total - offset` passes are a no-op. The last
|
||||||
* `offset` passes shift the data one byte to the left and
|
* `offset` passes shift the data one byte to the left and
|
||||||
* zero out the last byte. */
|
* zero out the last byte. */
|
||||||
|
@ -337,9 +337,9 @@ static void mbedtls_cf_mem_move_to_left( void *start,
|
||||||
{
|
{
|
||||||
unsigned char current = buf[n];
|
unsigned char current = buf[n];
|
||||||
unsigned char next = buf[n+1];
|
unsigned char next = buf[n+1];
|
||||||
buf[n] = mbedtls_cf_uint_if( no_op, current, next );
|
buf[n] = mbedtls_ct_uint_if( no_op, current, next );
|
||||||
}
|
}
|
||||||
buf[total-1] = mbedtls_cf_uint_if( no_op, buf[total-1], 0 );
|
buf[total-1] = mbedtls_ct_uint_if( no_op, buf[total-1], 0 );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -347,22 +347,22 @@ static void mbedtls_cf_mem_move_to_left( void *start,
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
|
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
|
||||||
|
|
||||||
void mbedtls_cf_memcpy_if_eq( unsigned char *dest,
|
void mbedtls_ct_memcpy_if_eq( unsigned char *dest,
|
||||||
const unsigned char *src,
|
const unsigned char *src,
|
||||||
size_t len,
|
size_t len,
|
||||||
size_t c1,
|
size_t c1,
|
||||||
size_t c2 )
|
size_t c2 )
|
||||||
{
|
{
|
||||||
/* mask = c1 == c2 ? 0xff : 0x00 */
|
/* mask = c1 == c2 ? 0xff : 0x00 */
|
||||||
const size_t equal = mbedtls_cf_size_bool_eq( c1, c2 );
|
const size_t equal = mbedtls_ct_size_bool_eq( c1, c2 );
|
||||||
const unsigned char mask = (unsigned char) mbedtls_cf_size_mask( equal );
|
const unsigned char mask = (unsigned char) mbedtls_ct_size_mask( equal );
|
||||||
|
|
||||||
/* dest[i] = c1 == c2 ? src[i] : dest[i] */
|
/* dest[i] = c1 == c2 ? src[i] : dest[i] */
|
||||||
for( size_t i = 0; i < len; i++ )
|
for( size_t i = 0; i < len; i++ )
|
||||||
dest[i] = ( src[i] & mask ) | ( dest[i] & ~mask );
|
dest[i] = ( src[i] & mask ) | ( dest[i] & ~mask );
|
||||||
}
|
}
|
||||||
|
|
||||||
void mbedtls_cf_memcpy_offset( unsigned char *dest,
|
void mbedtls_ct_memcpy_offset( unsigned char *dest,
|
||||||
const unsigned char *src,
|
const unsigned char *src,
|
||||||
size_t offset,
|
size_t offset,
|
||||||
size_t offset_min,
|
size_t offset_min,
|
||||||
|
@ -373,12 +373,12 @@ void mbedtls_cf_memcpy_offset( unsigned char *dest,
|
||||||
|
|
||||||
for( offsetval = offset_min; offsetval <= offset_max; offsetval++ )
|
for( offsetval = offset_min; offsetval <= offset_max; offsetval++ )
|
||||||
{
|
{
|
||||||
mbedtls_cf_memcpy_if_eq( dest, src + offsetval, len,
|
mbedtls_ct_memcpy_if_eq( dest, src + offsetval, len,
|
||||||
offsetval, offset );
|
offsetval, offset );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
int mbedtls_cf_hmac( mbedtls_md_context_t *ctx,
|
int mbedtls_ct_hmac( mbedtls_md_context_t *ctx,
|
||||||
const unsigned char *add_data,
|
const unsigned char *add_data,
|
||||||
size_t add_data_len,
|
size_t add_data_len,
|
||||||
const unsigned char *data,
|
const unsigned char *data,
|
||||||
|
@ -436,7 +436,7 @@ int mbedtls_cf_hmac( mbedtls_md_context_t *ctx,
|
||||||
MD_CHK( mbedtls_md_clone( &aux, ctx ) );
|
MD_CHK( mbedtls_md_clone( &aux, ctx ) );
|
||||||
MD_CHK( mbedtls_md_finish( &aux, aux_out ) );
|
MD_CHK( mbedtls_md_finish( &aux, aux_out ) );
|
||||||
/* Keep only the correct inner_hash in the output buffer */
|
/* Keep only the correct inner_hash in the output buffer */
|
||||||
mbedtls_cf_memcpy_if_eq( output, aux_out, hash_size,
|
mbedtls_ct_memcpy_if_eq( output, aux_out, hash_size,
|
||||||
offset, data_len_secret );
|
offset, data_len_secret );
|
||||||
|
|
||||||
if( offset < max_data_len )
|
if( offset < max_data_len )
|
||||||
|
@ -485,13 +485,13 @@ int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X,
|
||||||
MPI_VALIDATE_RET( Y != NULL );
|
MPI_VALIDATE_RET( Y != NULL );
|
||||||
|
|
||||||
/* all-bits 1 if assign is 1, all-bits 0 if assign is 0 */
|
/* all-bits 1 if assign is 1, all-bits 0 if assign is 0 */
|
||||||
limb_mask = mbedtls_cf_mpi_uint_mask( assign );;
|
limb_mask = mbedtls_ct_mpi_uint_mask( assign );;
|
||||||
|
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
|
||||||
|
|
||||||
X->s = mbedtls_cf_cond_select_sign( assign, Y->s, X->s );
|
X->s = mbedtls_ct_cond_select_sign( assign, Y->s, X->s );
|
||||||
|
|
||||||
mbedtls_cf_mpi_uint_cond_assign( Y->n, X->p, Y->p, assign );
|
mbedtls_ct_mpi_uint_cond_assign( Y->n, X->p, Y->p, assign );
|
||||||
|
|
||||||
for( i = Y->n; i < X->n; i++ )
|
for( i = Y->n; i < X->n; i++ )
|
||||||
X->p[i] &= ~limb_mask;
|
X->p[i] &= ~limb_mask;
|
||||||
|
@ -521,14 +521,14 @@ int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X,
|
||||||
return( 0 );
|
return( 0 );
|
||||||
|
|
||||||
/* all-bits 1 if swap is 1, all-bits 0 if swap is 0 */
|
/* all-bits 1 if swap is 1, all-bits 0 if swap is 0 */
|
||||||
limb_mask = mbedtls_cf_mpi_uint_mask( swap );
|
limb_mask = mbedtls_ct_mpi_uint_mask( swap );
|
||||||
|
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( Y, X->n ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( Y, X->n ) );
|
||||||
|
|
||||||
s = X->s;
|
s = X->s;
|
||||||
X->s = mbedtls_cf_cond_select_sign( swap, Y->s, X->s );
|
X->s = mbedtls_ct_cond_select_sign( swap, Y->s, X->s );
|
||||||
Y->s = mbedtls_cf_cond_select_sign( swap, s, Y->s );
|
Y->s = mbedtls_ct_cond_select_sign( swap, s, Y->s );
|
||||||
|
|
||||||
|
|
||||||
for( i = 0; i < X->n; i++ )
|
for( i = 0; i < X->n; i++ )
|
||||||
|
@ -590,7 +590,7 @@ int mbedtls_mpi_lt_mpi_ct( const mbedtls_mpi *X,
|
||||||
* Again even if we can make a decision, we just mark the result and
|
* Again even if we can make a decision, we just mark the result and
|
||||||
* the fact that we are done and continue looping.
|
* the fact that we are done and continue looping.
|
||||||
*/
|
*/
|
||||||
cond = mbedtls_cf_mpi_uint_lt( Y->p[i - 1], X->p[i - 1] );
|
cond = mbedtls_ct_mpi_uint_lt( Y->p[i - 1], X->p[i - 1] );
|
||||||
*ret |= cond & ( 1 - done ) & X_is_negative;
|
*ret |= cond & ( 1 - done ) & X_is_negative;
|
||||||
done |= cond;
|
done |= cond;
|
||||||
|
|
||||||
|
@ -601,7 +601,7 @@ int mbedtls_mpi_lt_mpi_ct( const mbedtls_mpi *X,
|
||||||
* Again even if we can make a decision, we just mark the result and
|
* Again even if we can make a decision, we just mark the result and
|
||||||
* the fact that we are done and continue looping.
|
* the fact that we are done and continue looping.
|
||||||
*/
|
*/
|
||||||
cond = mbedtls_cf_mpi_uint_lt( X->p[i - 1], Y->p[i - 1] );
|
cond = mbedtls_ct_mpi_uint_lt( X->p[i - 1], Y->p[i - 1] );
|
||||||
*ret |= cond & ( 1 - done ) & ( 1 - X_is_negative );
|
*ret |= cond & ( 1 - done ) & ( 1 - X_is_negative );
|
||||||
done |= cond;
|
done |= cond;
|
||||||
}
|
}
|
||||||
|
@ -613,7 +613,7 @@ int mbedtls_mpi_lt_mpi_ct( const mbedtls_mpi *X,
|
||||||
|
|
||||||
#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
|
#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
|
||||||
|
|
||||||
int mbedtls_cf_rsaes_pkcs1_v15_unpadding( unsigned char *input,
|
int mbedtls_ct_rsaes_pkcs1_v15_unpadding( unsigned char *input,
|
||||||
size_t ilen,
|
size_t ilen,
|
||||||
unsigned char *output,
|
unsigned char *output,
|
||||||
size_t output_max_len,
|
size_t output_max_len,
|
||||||
|
@ -660,10 +660,10 @@ int mbedtls_cf_rsaes_pkcs1_v15_unpadding( unsigned char *input,
|
||||||
|
|
||||||
|
|
||||||
/* If pad_done is still zero, there's no data, only unfinished padding. */
|
/* If pad_done is still zero, there's no data, only unfinished padding. */
|
||||||
bad |= mbedtls_cf_uint_if( pad_done, 0, 1 );
|
bad |= mbedtls_ct_uint_if( pad_done, 0, 1 );
|
||||||
|
|
||||||
/* There must be at least 8 bytes of padding. */
|
/* There must be at least 8 bytes of padding. */
|
||||||
bad |= mbedtls_cf_size_gt( 8, pad_count );
|
bad |= mbedtls_ct_size_gt( 8, pad_count );
|
||||||
|
|
||||||
/* If the padding is valid, set plaintext_size to the number of
|
/* If the padding is valid, set plaintext_size to the number of
|
||||||
* remaining bytes after stripping the padding. If the padding
|
* remaining bytes after stripping the padding. If the padding
|
||||||
|
@ -672,13 +672,13 @@ int mbedtls_cf_rsaes_pkcs1_v15_unpadding( unsigned char *input,
|
||||||
* buffer. Do it without branches to avoid leaking the padding
|
* buffer. Do it without branches to avoid leaking the padding
|
||||||
* validity through timing. RSA keys are small enough that all the
|
* validity through timing. RSA keys are small enough that all the
|
||||||
* size_t values involved fit in unsigned int. */
|
* size_t values involved fit in unsigned int. */
|
||||||
plaintext_size = mbedtls_cf_uint_if(
|
plaintext_size = mbedtls_ct_uint_if(
|
||||||
bad, (unsigned) plaintext_max_size,
|
bad, (unsigned) plaintext_max_size,
|
||||||
(unsigned) ( ilen - pad_count - 3 ) );
|
(unsigned) ( ilen - pad_count - 3 ) );
|
||||||
|
|
||||||
/* Set output_too_large to 0 if the plaintext fits in the output
|
/* Set output_too_large to 0 if the plaintext fits in the output
|
||||||
* buffer and to 1 otherwise. */
|
* buffer and to 1 otherwise. */
|
||||||
output_too_large = mbedtls_cf_size_gt( plaintext_size,
|
output_too_large = mbedtls_ct_size_gt( plaintext_size,
|
||||||
plaintext_max_size );
|
plaintext_max_size );
|
||||||
|
|
||||||
/* Set ret without branches to avoid timing attacks. Return:
|
/* Set ret without branches to avoid timing attacks. Return:
|
||||||
|
@ -686,9 +686,9 @@ int mbedtls_cf_rsaes_pkcs1_v15_unpadding( unsigned char *input,
|
||||||
* - OUTPUT_TOO_LARGE if the padding is good but the decrypted
|
* - OUTPUT_TOO_LARGE if the padding is good but the decrypted
|
||||||
* plaintext does not fit in the output buffer.
|
* plaintext does not fit in the output buffer.
|
||||||
* - 0 if the padding is correct. */
|
* - 0 if the padding is correct. */
|
||||||
ret = - (int) mbedtls_cf_uint_if(
|
ret = - (int) mbedtls_ct_uint_if(
|
||||||
bad, - MBEDTLS_ERR_RSA_INVALID_PADDING,
|
bad, - MBEDTLS_ERR_RSA_INVALID_PADDING,
|
||||||
mbedtls_cf_uint_if( output_too_large,
|
mbedtls_ct_uint_if( output_too_large,
|
||||||
- MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE,
|
- MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE,
|
||||||
0 ) );
|
0 ) );
|
||||||
|
|
||||||
|
@ -698,7 +698,7 @@ int mbedtls_cf_rsaes_pkcs1_v15_unpadding( unsigned char *input,
|
||||||
* from the same buffer whether the padding is good or not to
|
* from the same buffer whether the padding is good or not to
|
||||||
* avoid leaking the padding validity through overall timing or
|
* avoid leaking the padding validity through overall timing or
|
||||||
* through memory or cache access patterns. */
|
* through memory or cache access patterns. */
|
||||||
bad = mbedtls_cf_uint_mask( bad | output_too_large );
|
bad = mbedtls_ct_uint_mask( bad | output_too_large );
|
||||||
for( i = 11; i < ilen; i++ )
|
for( i = 11; i < ilen; i++ )
|
||||||
input[i] &= ~bad;
|
input[i] &= ~bad;
|
||||||
|
|
||||||
|
@ -706,7 +706,7 @@ int mbedtls_cf_rsaes_pkcs1_v15_unpadding( unsigned char *input,
|
||||||
* Copy anyway to avoid revealing the length through timing, because
|
* Copy anyway to avoid revealing the length through timing, because
|
||||||
* revealing the length is as bad as revealing the padding validity
|
* revealing the length is as bad as revealing the padding validity
|
||||||
* for a Bleichenbacher attack. */
|
* for a Bleichenbacher attack. */
|
||||||
plaintext_size = mbedtls_cf_uint_if( output_too_large,
|
plaintext_size = mbedtls_ct_uint_if( output_too_large,
|
||||||
(unsigned) plaintext_max_size,
|
(unsigned) plaintext_max_size,
|
||||||
(unsigned) plaintext_size );
|
(unsigned) plaintext_size );
|
||||||
|
|
||||||
|
@ -716,7 +716,7 @@ int mbedtls_cf_rsaes_pkcs1_v15_unpadding( unsigned char *input,
|
||||||
* does not depend on the plaintext size. After this move, the
|
* does not depend on the plaintext size. After this move, the
|
||||||
* starting location of the plaintext is no longer sensitive
|
* starting location of the plaintext is no longer sensitive
|
||||||
* information. */
|
* information. */
|
||||||
mbedtls_cf_mem_move_to_left( input + ilen - plaintext_max_size,
|
mbedtls_ct_mem_move_to_left( input + ilen - plaintext_max_size,
|
||||||
plaintext_max_size,
|
plaintext_max_size,
|
||||||
plaintext_max_size - plaintext_size );
|
plaintext_max_size - plaintext_size );
|
||||||
|
|
||||||
|
|
|
@ -44,7 +44,7 @@
|
||||||
*
|
*
|
||||||
* \return Zero if \p value is zero, otherwise all-bits-one.
|
* \return Zero if \p value is zero, otherwise all-bits-one.
|
||||||
*/
|
*/
|
||||||
unsigned mbedtls_cf_uint_mask( unsigned value );
|
unsigned mbedtls_ct_uint_mask( unsigned value );
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
|
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
|
||||||
|
|
||||||
|
@ -59,7 +59,7 @@ unsigned mbedtls_cf_uint_mask( unsigned value );
|
||||||
*
|
*
|
||||||
* \return Zero if \p value is zero, otherwise all-bits-one.
|
* \return Zero if \p value is zero, otherwise all-bits-one.
|
||||||
*/
|
*/
|
||||||
size_t mbedtls_cf_size_mask( size_t value );
|
size_t mbedtls_ct_size_mask( size_t value );
|
||||||
|
|
||||||
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
|
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
|
||||||
|
|
||||||
|
@ -76,7 +76,7 @@ size_t mbedtls_cf_size_mask( size_t value );
|
||||||
*
|
*
|
||||||
* \return Zero if \p value is zero, otherwise all-bits-one.
|
* \return Zero if \p value is zero, otherwise all-bits-one.
|
||||||
*/
|
*/
|
||||||
mbedtls_mpi_uint mbedtls_cf_mpi_uint_mask( mbedtls_mpi_uint value );
|
mbedtls_mpi_uint mbedtls_ct_mpi_uint_mask( mbedtls_mpi_uint value );
|
||||||
|
|
||||||
#endif /* MBEDTLS_BIGNUM_C */
|
#endif /* MBEDTLS_BIGNUM_C */
|
||||||
|
|
||||||
|
@ -95,7 +95,7 @@ mbedtls_mpi_uint mbedtls_cf_mpi_uint_mask( mbedtls_mpi_uint value );
|
||||||
* \return All-bits-one if \p x is greater or equal than \p y,
|
* \return All-bits-one if \p x is greater or equal than \p y,
|
||||||
* otherwise zero.
|
* otherwise zero.
|
||||||
*/
|
*/
|
||||||
size_t mbedtls_cf_size_mask_ge( size_t x,
|
size_t mbedtls_ct_size_mask_ge( size_t x,
|
||||||
size_t y );
|
size_t y );
|
||||||
|
|
||||||
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
|
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
|
||||||
|
@ -111,7 +111,7 @@ size_t mbedtls_cf_size_mask_ge( size_t x,
|
||||||
*
|
*
|
||||||
* \return 1 if \p x equals to \p y, otherwise 0.
|
* \return 1 if \p x equals to \p y, otherwise 0.
|
||||||
*/
|
*/
|
||||||
unsigned mbedtls_cf_size_bool_eq( size_t x,
|
unsigned mbedtls_ct_size_bool_eq( size_t x,
|
||||||
size_t y );
|
size_t y );
|
||||||
|
|
||||||
#if defined(MBEDTLS_BIGNUM_C)
|
#if defined(MBEDTLS_BIGNUM_C)
|
||||||
|
@ -126,7 +126,7 @@ unsigned mbedtls_cf_size_bool_eq( size_t x,
|
||||||
*
|
*
|
||||||
* \return 1 if \p x is less than \p y, otherwise 0.
|
* \return 1 if \p x is less than \p y, otherwise 0.
|
||||||
*/
|
*/
|
||||||
unsigned mbedtls_cf_mpi_uint_lt( const mbedtls_mpi_uint x,
|
unsigned mbedtls_ct_mpi_uint_lt( const mbedtls_mpi_uint x,
|
||||||
const mbedtls_mpi_uint y );
|
const mbedtls_mpi_uint y );
|
||||||
|
|
||||||
#endif /* MBEDTLS_BIGNUM_C */
|
#endif /* MBEDTLS_BIGNUM_C */
|
||||||
|
@ -142,7 +142,7 @@ unsigned mbedtls_cf_mpi_uint_lt( const mbedtls_mpi_uint x,
|
||||||
*
|
*
|
||||||
* \return \c if1 if \p condition is nonzero, otherwise \c if0.
|
* \return \c if1 if \p condition is nonzero, otherwise \c if0.
|
||||||
*/
|
*/
|
||||||
unsigned mbedtls_cf_uint_if( unsigned condition,
|
unsigned mbedtls_ct_uint_if( unsigned condition,
|
||||||
unsigned if1,
|
unsigned if1,
|
||||||
unsigned if0 );
|
unsigned if0 );
|
||||||
|
|
||||||
|
@ -160,7 +160,7 @@ unsigned mbedtls_cf_uint_if( unsigned condition,
|
||||||
* initialized MPI.
|
* initialized MPI.
|
||||||
* \param condition Condition to test, must be 0 or 1.
|
* \param condition Condition to test, must be 0 or 1.
|
||||||
*/
|
*/
|
||||||
void mbedtls_cf_mpi_uint_cond_assign( size_t n,
|
void mbedtls_ct_mpi_uint_cond_assign( size_t n,
|
||||||
mbedtls_mpi_uint *dest,
|
mbedtls_mpi_uint *dest,
|
||||||
const mbedtls_mpi_uint *src,
|
const mbedtls_mpi_uint *src,
|
||||||
unsigned char condition );
|
unsigned char condition );
|
||||||
|
@ -180,7 +180,7 @@ void mbedtls_cf_mpi_uint_cond_assign( size_t n,
|
||||||
* \param c1 The first value to analyze in the condition.
|
* \param c1 The first value to analyze in the condition.
|
||||||
* \param c2 The second value to analyze in the condition.
|
* \param c2 The second value to analyze in the condition.
|
||||||
*/
|
*/
|
||||||
void mbedtls_cf_memcpy_if_eq( unsigned char *dest,
|
void mbedtls_ct_memcpy_if_eq( unsigned char *dest,
|
||||||
const unsigned char *src,
|
const unsigned char *src,
|
||||||
size_t len,
|
size_t len,
|
||||||
size_t c1, size_t c2 );
|
size_t c1, size_t c2 );
|
||||||
|
@ -204,7 +204,7 @@ void mbedtls_cf_memcpy_if_eq( unsigned char *dest,
|
||||||
* \param offset_max The maximal value of \p offset.
|
* \param offset_max The maximal value of \p offset.
|
||||||
* \param len The number of bytes to copy.
|
* \param len The number of bytes to copy.
|
||||||
*/
|
*/
|
||||||
void mbedtls_cf_memcpy_offset( unsigned char *dest,
|
void mbedtls_ct_memcpy_offset( unsigned char *dest,
|
||||||
const unsigned char *src,
|
const unsigned char *src,
|
||||||
size_t offset,
|
size_t offset,
|
||||||
size_t offset_min,
|
size_t offset_min,
|
||||||
|
@ -247,7 +247,7 @@ void mbedtls_cf_memcpy_offset( unsigned char *dest,
|
||||||
* \retval #MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED
|
* \retval #MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED
|
||||||
* The hardware accelerator failed.
|
* The hardware accelerator failed.
|
||||||
*/
|
*/
|
||||||
int mbedtls_cf_hmac( mbedtls_md_context_t *ctx,
|
int mbedtls_ct_hmac( mbedtls_md_context_t *ctx,
|
||||||
const unsigned char *add_data,
|
const unsigned char *add_data,
|
||||||
size_t add_data_len,
|
size_t add_data_len,
|
||||||
const unsigned char *data,
|
const unsigned char *data,
|
||||||
|
@ -286,7 +286,7 @@ int mbedtls_cf_hmac( mbedtls_md_context_t *ctx,
|
||||||
* \return #MBEDTLS_ERR_RSA_INVALID_PADDING
|
* \return #MBEDTLS_ERR_RSA_INVALID_PADDING
|
||||||
* The input doesn't contain properly formatted padding.
|
* The input doesn't contain properly formatted padding.
|
||||||
*/
|
*/
|
||||||
int mbedtls_cf_rsaes_pkcs1_v15_unpadding( unsigned char *input,
|
int mbedtls_ct_rsaes_pkcs1_v15_unpadding( unsigned char *input,
|
||||||
size_t ilen,
|
size_t ilen,
|
||||||
unsigned char *output,
|
unsigned char *output,
|
||||||
size_t output_max_len,
|
size_t output_max_len,
|
||||||
|
|
|
@ -399,7 +399,7 @@ int mbedtls_nist_kw_unwrap( mbedtls_nist_kw_context *ctx,
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
/* Check ICV in "constant-time" */
|
/* Check ICV in "constant-time" */
|
||||||
diff = mbedtls_cf_memcmp( NIST_KW_ICV1, A, KW_SEMIBLOCK_LENGTH );
|
diff = mbedtls_ct_memcmp( NIST_KW_ICV1, A, KW_SEMIBLOCK_LENGTH );
|
||||||
|
|
||||||
if( diff != 0 )
|
if( diff != 0 )
|
||||||
{
|
{
|
||||||
|
@ -448,7 +448,7 @@ int mbedtls_nist_kw_unwrap( mbedtls_nist_kw_context *ctx,
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Check ICV in "constant-time" */
|
/* Check ICV in "constant-time" */
|
||||||
diff = mbedtls_cf_memcmp( NIST_KW_ICV2, A, KW_SEMIBLOCK_LENGTH / 2 );
|
diff = mbedtls_ct_memcmp( NIST_KW_ICV2, A, KW_SEMIBLOCK_LENGTH / 2 );
|
||||||
|
|
||||||
if( diff != 0 )
|
if( diff != 0 )
|
||||||
{
|
{
|
||||||
|
|
|
@ -1492,7 +1492,7 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
ret = mbedtls_cf_rsaes_pkcs1_v15_unpadding( buf, ilen,
|
ret = mbedtls_ct_rsaes_pkcs1_v15_unpadding( buf, ilen,
|
||||||
output, output_max_len, olen );
|
output, output_max_len, olen );
|
||||||
|
|
||||||
cleanup:
|
cleanup:
|
||||||
|
@ -1887,7 +1887,7 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
|
||||||
MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
|
MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
|
||||||
MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );
|
MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );
|
||||||
|
|
||||||
if( mbedtls_cf_memcmp( verif, sig, ctx->len ) != 0 )
|
if( mbedtls_ct_memcmp( verif, sig, ctx->len ) != 0 )
|
||||||
{
|
{
|
||||||
ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
|
ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
@ -2159,7 +2159,7 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
|
||||||
* Compare
|
* Compare
|
||||||
*/
|
*/
|
||||||
|
|
||||||
if( ( ret = mbedtls_cf_memcmp( encoded, encoded_expected,
|
if( ( ret = mbedtls_ct_memcmp( encoded, encoded_expected,
|
||||||
sig_len ) ) != 0 )
|
sig_len ) ) != 0 )
|
||||||
{
|
{
|
||||||
ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
|
ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
|
||||||
|
|
|
@ -1381,9 +1381,9 @@ static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
|
||||||
/* Check verify-data in constant-time. The length OTOH is no secret */
|
/* Check verify-data in constant-time. The length OTOH is no secret */
|
||||||
if( len != 1 + ssl->verify_data_len * 2 ||
|
if( len != 1 + ssl->verify_data_len * 2 ||
|
||||||
buf[0] != ssl->verify_data_len * 2 ||
|
buf[0] != ssl->verify_data_len * 2 ||
|
||||||
mbedtls_cf_memcmp( buf + 1,
|
mbedtls_ct_memcmp( buf + 1,
|
||||||
ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
|
ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
|
||||||
mbedtls_cf_memcmp( buf + 1 + ssl->verify_data_len,
|
mbedtls_ct_memcmp( buf + 1 + ssl->verify_data_len,
|
||||||
ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
|
ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
|
||||||
|
|
|
@ -227,7 +227,7 @@ int mbedtls_ssl_cookie_check( void *p_ctx,
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
return( ret );
|
return( ret );
|
||||||
|
|
||||||
if( mbedtls_cf_memcmp( cookie + 4, ref_hmac, sizeof( ref_hmac ) ) != 0 )
|
if( mbedtls_ct_memcmp( cookie + 4, ref_hmac, sizeof( ref_hmac ) ) != 0 )
|
||||||
return( -1 );
|
return( -1 );
|
||||||
|
|
||||||
#if defined(MBEDTLS_HAVE_TIME)
|
#if defined(MBEDTLS_HAVE_TIME)
|
||||||
|
|
|
@ -1173,7 +1173,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
|
||||||
*
|
*
|
||||||
* Afterwards, we know that data + data_len is followed by at
|
* Afterwards, we know that data + data_len is followed by at
|
||||||
* least maclen Bytes, which justifies the call to
|
* least maclen Bytes, which justifies the call to
|
||||||
* mbedtls_cf_memcmp() below.
|
* mbedtls_ct_memcmp() below.
|
||||||
*
|
*
|
||||||
* Further, we still know that data_len > minlen */
|
* Further, we still know that data_len > minlen */
|
||||||
rec->data_len -= transform->maclen;
|
rec->data_len -= transform->maclen;
|
||||||
|
@ -1196,7 +1196,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
|
||||||
transform->maclen );
|
transform->maclen );
|
||||||
|
|
||||||
/* Compare expected MAC with MAC at the end of the record. */
|
/* Compare expected MAC with MAC at the end of the record. */
|
||||||
if( mbedtls_cf_memcmp( data + rec->data_len, mac_expect,
|
if( mbedtls_ct_memcmp( data + rec->data_len, mac_expect,
|
||||||
transform->maclen ) != 0 )
|
transform->maclen ) != 0 )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
|
||||||
|
@ -1258,7 +1258,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
|
||||||
|
|
||||||
if( auth_done == 1 )
|
if( auth_done == 1 )
|
||||||
{
|
{
|
||||||
const size_t mask = mbedtls_cf_size_mask_ge(
|
const size_t mask = mbedtls_ct_size_mask_ge(
|
||||||
rec->data_len,
|
rec->data_len,
|
||||||
padlen + 1 );
|
padlen + 1 );
|
||||||
correct &= mask;
|
correct &= mask;
|
||||||
|
@ -1278,7 +1278,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
const size_t mask = mbedtls_cf_size_mask_ge(
|
const size_t mask = mbedtls_ct_size_mask_ge(
|
||||||
rec->data_len,
|
rec->data_len,
|
||||||
transform->maclen + padlen + 1 );
|
transform->maclen + padlen + 1 );
|
||||||
correct &= mask;
|
correct &= mask;
|
||||||
|
@ -1312,18 +1312,18 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
|
||||||
/* pad_count += (idx >= padding_idx) &&
|
/* pad_count += (idx >= padding_idx) &&
|
||||||
* (check[idx] == padlen - 1);
|
* (check[idx] == padlen - 1);
|
||||||
*/
|
*/
|
||||||
const size_t mask = mbedtls_cf_size_mask_ge( idx, padding_idx );
|
const size_t mask = mbedtls_ct_size_mask_ge( idx, padding_idx );
|
||||||
const size_t equal = mbedtls_cf_size_bool_eq( check[idx],
|
const size_t equal = mbedtls_ct_size_bool_eq( check[idx],
|
||||||
padlen - 1 );
|
padlen - 1 );
|
||||||
pad_count += mask & equal;
|
pad_count += mask & equal;
|
||||||
}
|
}
|
||||||
correct &= mbedtls_cf_size_bool_eq( pad_count, padlen );
|
correct &= mbedtls_ct_size_bool_eq( pad_count, padlen );
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_DEBUG_ALL)
|
#if defined(MBEDTLS_SSL_DEBUG_ALL)
|
||||||
if( padlen > 0 && correct == 0 )
|
if( padlen > 0 && correct == 0 )
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
|
||||||
#endif
|
#endif
|
||||||
padlen &= mbedtls_cf_size_mask( correct );
|
padlen &= mbedtls_ct_size_mask( correct );
|
||||||
|
|
||||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||||
|
|
||||||
|
@ -1386,17 +1386,17 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
|
||||||
const size_t max_len = rec->data_len + padlen;
|
const size_t max_len = rec->data_len + padlen;
|
||||||
const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0;
|
const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0;
|
||||||
|
|
||||||
ret = mbedtls_cf_hmac( &transform->md_ctx_dec,
|
ret = mbedtls_ct_hmac( &transform->md_ctx_dec,
|
||||||
add_data, add_data_len,
|
add_data, add_data_len,
|
||||||
data, rec->data_len, min_len, max_len,
|
data, rec->data_len, min_len, max_len,
|
||||||
mac_expect );
|
mac_expect );
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cf_hmac", ret );
|
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ct_hmac", ret );
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
mbedtls_cf_memcpy_offset( mac_peer, data,
|
mbedtls_ct_memcpy_offset( mac_peer, data,
|
||||||
rec->data_len,
|
rec->data_len,
|
||||||
min_len, max_len,
|
min_len, max_len,
|
||||||
transform->maclen );
|
transform->maclen );
|
||||||
|
@ -1407,7 +1407,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
|
||||||
MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", mac_peer, transform->maclen );
|
MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", mac_peer, transform->maclen );
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if( mbedtls_cf_memcmp( mac_peer, mac_expect,
|
if( mbedtls_ct_memcmp( mac_peer, mac_expect,
|
||||||
transform->maclen ) != 0 )
|
transform->maclen ) != 0 )
|
||||||
{
|
{
|
||||||
#if defined(MBEDTLS_SSL_DEBUG_ALL)
|
#if defined(MBEDTLS_SSL_DEBUG_ALL)
|
||||||
|
|
|
@ -198,7 +198,7 @@ static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
|
||||||
/* Check verify-data in constant-time. The length OTOH is no secret */
|
/* Check verify-data in constant-time. The length OTOH is no secret */
|
||||||
if( len != 1 + ssl->verify_data_len ||
|
if( len != 1 + ssl->verify_data_len ||
|
||||||
buf[0] != ssl->verify_data_len ||
|
buf[0] != ssl->verify_data_len ||
|
||||||
mbedtls_cf_memcmp( buf + 1, ssl->peer_verify_data,
|
mbedtls_ct_memcmp( buf + 1, ssl->peer_verify_data,
|
||||||
ssl->verify_data_len ) != 0 )
|
ssl->verify_data_len ) != 0 )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
|
||||||
|
@ -3582,7 +3582,7 @@ static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
|
||||||
diff |= peer_pms[1] ^ ver[1];
|
diff |= peer_pms[1] ^ ver[1];
|
||||||
|
|
||||||
/* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
|
/* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
|
||||||
mask = mbedtls_cf_uint_mask( diff );
|
mask = mbedtls_ct_uint_mask( diff );
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
|
* Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
|
||||||
|
@ -3665,7 +3665,7 @@ static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned cha
|
||||||
/* Identity is not a big secret since clients send it in the clear,
|
/* Identity is not a big secret since clients send it in the clear,
|
||||||
* but treat it carefully anyway, just in case */
|
* but treat it carefully anyway, just in case */
|
||||||
if( n != ssl->conf->psk_identity_len ||
|
if( n != ssl->conf->psk_identity_len ||
|
||||||
mbedtls_cf_memcmp( ssl->conf->psk_identity, *p, n ) != 0 )
|
mbedtls_ct_memcmp( ssl->conf->psk_identity, *p, n ) != 0 )
|
||||||
{
|
{
|
||||||
ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
|
ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
|
||||||
}
|
}
|
||||||
|
|
|
@ -2915,7 +2915,7 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
|
||||||
return( MBEDTLS_ERR_SSL_DECODE_ERROR );
|
return( MBEDTLS_ERR_SSL_DECODE_ERROR );
|
||||||
}
|
}
|
||||||
|
|
||||||
if( mbedtls_cf_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ),
|
if( mbedtls_ct_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ),
|
||||||
buf, hash_len ) != 0 )
|
buf, hash_len ) != 0 )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
|
||||||
|
|
|
@ -4555,7 +4555,7 @@ void resize_buffers_renegotiate_mfl( int mfl, int legacy_renegotiation,
|
||||||
void ssl_cf_hmac( int hash )
|
void ssl_cf_hmac( int hash )
|
||||||
{
|
{
|
||||||
/*
|
/*
|
||||||
* Test the function mbedtls_cf_hmac() against a reference
|
* Test the function mbedtls_ct_hmac() against a reference
|
||||||
* implementation.
|
* implementation.
|
||||||
*/
|
*/
|
||||||
mbedtls_md_context_t ctx, ref_ctx;
|
mbedtls_md_context_t ctx, ref_ctx;
|
||||||
|
@ -4614,7 +4614,7 @@ void ssl_cf_hmac( int hash )
|
||||||
|
|
||||||
/* Get the function's result */
|
/* Get the function's result */
|
||||||
TEST_CF_SECRET( &in_len, sizeof( in_len ) );
|
TEST_CF_SECRET( &in_len, sizeof( in_len ) );
|
||||||
TEST_EQUAL( 0, mbedtls_cf_hmac( &ctx, add_data, sizeof( add_data ),
|
TEST_EQUAL( 0, mbedtls_ct_hmac( &ctx, add_data, sizeof( add_data ),
|
||||||
data, in_len,
|
data, in_len,
|
||||||
min_in_len, max_in_len,
|
min_in_len, max_in_len,
|
||||||
out ) );
|
out ) );
|
||||||
|
@ -4664,7 +4664,7 @@ void ssl_cf_memcpy_offset( int offset_min, int offset_max, int len )
|
||||||
mbedtls_test_set_step( (int) secret );
|
mbedtls_test_set_step( (int) secret );
|
||||||
|
|
||||||
TEST_CF_SECRET( &secret, sizeof( secret ) );
|
TEST_CF_SECRET( &secret, sizeof( secret ) );
|
||||||
mbedtls_cf_memcpy_offset( dst, src, secret,
|
mbedtls_ct_memcpy_offset( dst, src, secret,
|
||||||
offset_min, offset_max, len );
|
offset_min, offset_max, len );
|
||||||
TEST_CF_PUBLIC( &secret, sizeof( secret ) );
|
TEST_CF_PUBLIC( &secret, sizeof( secret ) );
|
||||||
TEST_CF_PUBLIC( dst, len );
|
TEST_CF_PUBLIC( dst, len );
|
||||||
|
|
Loading…
Reference in a new issue