diff --git a/library/constant_time.c b/library/constant_time.c index 4fad1b2d0..6e8a7c2f5 100644 --- a/library/constant_time.c +++ b/library/constant_time.c @@ -167,8 +167,19 @@ unsigned mbedtls_cf_size_bool_eq( size_t x, return( 1 ^ diff1 ); } -unsigned mbedtls_cf_size_gt( size_t x, - size_t y ) +/** Constant-flow "greater than" comparison: + * return x > y + * + * This is equivalent to \p x > \p y, but is likely to be compiled + * to code using bitwise operation rather than a branch. + * + * \param x The first value to analyze. + * \param y The second value to analyze. + * + * \return 1 if \p x greater than \p y, otherwise 0. + */ +static unsigned mbedtls_cf_size_gt( size_t x, + size_t y ) { /* Return the sign bit (1 for negative) of (y - x). */ return( ( y - x ) >> ( sizeof( size_t ) * 8 - 1 ) ); @@ -214,17 +225,42 @@ unsigned mbedtls_cf_uint_if( unsigned condition, return( ( mask & if1 ) | (~mask & if0 ) ); } -size_t mbedtls_cf_size_if( unsigned condition, - size_t if1, - size_t if0 ) +/** Choose between two integer values without branches. + * + * This is equivalent to `condition ? if1 : if0`, but is likely to be compiled + * to code using bitwise operation rather than a branch. + * + * \param condition Condition to test. + * \param if1 Value to use if \p condition is nonzero. + * \param if0 Value to use if \p condition is zero. + * + * \return \c if1 if \p condition is nonzero, otherwise \c if0. + */ +static size_t mbedtls_cf_size_if( unsigned condition, + size_t if1, + size_t if0 ) { size_t mask = mbedtls_cf_size_mask( condition ); return( ( mask & if1 ) | (~mask & if0 ) ); } -int mbedtls_cf_cond_select_sign( unsigned char condition, - int if1, - int if0 ) +/** Select between two sign values witout branches. + * + * This is functionally equivalent to `condition ? if1 : if0` but uses only bit + * operations in order to avoid branches. + * + * \note if1 and if0 must be either 1 or -1, otherwise the result + * is undefined. + * + * \param condition Condition to test. + * \param if1 The first sign; must be either +1 or -1. + * \param if0 The second sign; must be either +1 or -1. + * + * \return \c if1 if \p condition is nonzero, otherwise \c if0. + * */ +static int mbedtls_cf_cond_select_sign( unsigned char condition, + int if1, + int if0 ) { /* In order to avoid questions about what we can reasonnably assume about * the representations of signed integers, move everything to unsigned @@ -271,9 +307,25 @@ void mbedtls_cf_mpi_uint_cond_assign( size_t n, #endif /* MBEDTLS_BIGNUM_C */ -void mbedtls_cf_mem_move_to_left( void *start, - size_t total, - size_t offset ) +/** Shift some data towards the left inside a buffer. + * + * `mbedtls_cf_mem_move_to_left(start, total, offset)` is functionally + * equivalent to + * ``` + * memmove(start, start + offset, total - offset); + * memset(start + offset, 0, total - offset); + * ``` + * but it strives to use a memory access pattern (and thus total timing) + * that does not depend on \p offset. This timing independence comes at + * the expense of performance. + * + * \param start Pointer to the start of the buffer. + * \param total Total size of the buffer. + * \param offset Offset from which to copy \p total - \p offset bytes. + */ +static void mbedtls_cf_mem_move_to_left( void *start, + size_t total, + size_t offset ) { volatile unsigned char *buf = start; size_t i, n; diff --git a/library/constant_time.h b/library/constant_time.h index 11a07f312..6dfac8b3f 100644 --- a/library/constant_time.h +++ b/library/constant_time.h @@ -122,19 +122,6 @@ size_t mbedtls_cf_size_mask_ge( size_t x, unsigned mbedtls_cf_size_bool_eq( size_t x, size_t y ); -/** Constant-flow "greater than" comparison: - * return x > y - * - * This is equivalent to \p x > \p y, but is likely to be compiled - * to code using bitwise operation rather than a branch. - * - * \param x The first value to analyze. - * \param y The second value to analyze. - * - * \return 1 if \p x greater than \p y, otherwise 0. - */ -unsigned mbedtls_cf_size_gt( size_t x, - size_t y ); #if defined(MBEDTLS_BIGNUM_C) @@ -168,38 +155,6 @@ unsigned mbedtls_cf_uint_if( unsigned condition, unsigned if1, unsigned if0 ); -/** Choose between two integer values without branches. - * - * This is equivalent to `condition ? if1 : if0`, but is likely to be compiled - * to code using bitwise operation rather than a branch. - * - * \param condition Condition to test. - * \param if1 Value to use if \p condition is nonzero. - * \param if0 Value to use if \p condition is zero. - * - * \return \c if1 if \p condition is nonzero, otherwise \c if0. - */ -size_t mbedtls_cf_size_if( unsigned condition, - size_t if1, - size_t if0 ); - -/** Select between two sign values witout branches. - * - * This is functionally equivalent to `condition ? if1 : if0` but uses only bit - * operations in order to avoid branches. - * - * \note if1 and if0 must be either 1 or -1, otherwise the result - * is undefined. - * - * \param condition Condition to test. - * \param if1 The first sign; must be either +1 or -1. - * \param if0 The second sign; must be either +1 or -1. - * - * \return \c if1 if \p condition is nonzero, otherwise \c if0. */ -int mbedtls_cf_cond_select_sign( unsigned char condition, - int if1, - int if0 ); - #if defined(MBEDTLS_BIGNUM_C) /** Conditionally assign a value without branches. @@ -222,26 +177,6 @@ void mbedtls_cf_mpi_uint_cond_assign( size_t n, #endif /* MBEDTLS_BIGNUM_C */ -/** Shift some data towards the left inside a buffer. - * - * `mbedtls_cf_mem_move_to_left(start, total, offset)` is functionally - * equivalent to - * ``` - * memmove(start, start + offset, total - offset); - * memset(start + offset, 0, total - offset); - * ``` - * but it strives to use a memory access pattern (and thus total timing) - * that does not depend on \p offset. This timing independence comes at - * the expense of performance. - * - * \param start Pointer to the start of the buffer. - * \param total Total size of the buffer. - * \param offset Offset from which to copy \p total - \p offset bytes. - */ -void mbedtls_cf_mem_move_to_left( void *start, - size_t total, - size_t offset ); - /** Conditional memcpy without branches. * * This is equivalent to `if ( c1 == c2 ) memcpy(dst, src, len)`, but is likely