]> git.ipfire.org Git - thirdparty/openssl.git/blame - include/internal/constant_time.h
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Extend create_accept_stream test
[thirdparty/openssl.git] / include / internal / constant_time.h
CommitLineData
21dcbebc 1/*
0c679f55 2 * Copyright 2014-2025 The OpenSSL Project Authors. All Rights Reserved.
5a3d21c0 3 *
48f4ad77 4 * Licensed under the Apache License 2.0 (the "License"). You may not use
21dcbebc
RS		 5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
5a3d21c0
EK		 8 */
9
ae4186b0
DMSP		 10#ifndef OSSL_INTERNAL_CONSTANT_TIME_H
11# define OSSL_INTERNAL_CONSTANT_TIME_H
3a111aad 12# pragma once
5a3d21c0 13
2688e7a0 14# include <stdlib.h>
e0fa6324 15# include <string.h>
80e0ecbf 16# include <openssl/e_os2.h> /* For 'ossl_inline' */
5a3d21c0 17
1d97c843 18/*-
294d1e36 19 * The boolean methods return a bitmask of all ones (0xff...f) for true
5a3d21c0
EK		 20 * and 0 for false. This is useful for choosing a value based on the result
21 * of a conditional in constant time. For example,
9018f3ce
RS		 22 * if (a < b) {
23 * c = a;
24 * } else {
25 * c = b;
26 * }
5a3d21c0 27 * can be written as
9018f3ce
RS		 28 * unsigned int lt = constant_time_lt(a, b);
29 * c = constant_time_select(lt, a, b);
5a3d21c0
EK		 30 */
31
b12169ee 32/* Returns the given value with the MSB copied to all the other bits. */
80e0ecbf 33static ossl_inline unsigned int constant_time_msb(unsigned int a);
e0fa6324
MC		 34/* Convenience method for uint32_t. */
35static ossl_inline uint32_t constant_time_msb_32(uint32_t a);
9018f3ce
RS		 36/* Convenience method for uint64_t. */
37static ossl_inline uint64_t constant_time_msb_64(uint64_t a);
5a3d21c0 38
9018f3ce 39/* Returns 0xff..f if a < b and 0 otherwise. */
80e0ecbf
DSH		 40static ossl_inline unsigned int constant_time_lt(unsigned int a,
41 unsigned int b);
5a3d21c0 42/* Convenience method for getting an 8-bit mask. */
80e0ecbf
DSH		 43static ossl_inline unsigned char constant_time_lt_8(unsigned int a,
44 unsigned int b);
fcffbbe1 45/* Convenience method for uint32_t. */
46static ossl_inline uint32_t constant_time_lt_32(uint32_t a, uint32_t b);
47
9018f3ce
RS		 48/* Convenience method for uint64_t. */
49static ossl_inline uint64_t constant_time_lt_64(uint64_t a, uint64_t b);
5a3d21c0 50
9018f3ce 51/* Returns 0xff..f if a >= b and 0 otherwise. */
80e0ecbf
DSH		 52static ossl_inline unsigned int constant_time_ge(unsigned int a,
53 unsigned int b);
5a3d21c0 54/* Convenience method for getting an 8-bit mask. */
80e0ecbf
DSH		 55static ossl_inline unsigned char constant_time_ge_8(unsigned int a,
56 unsigned int b);
5a3d21c0 57
9018f3ce 58/* Returns 0xff..f if a == 0 and 0 otherwise. */
80e0ecbf 59static ossl_inline unsigned int constant_time_is_zero(unsigned int a);
5a3d21c0 60/* Convenience method for getting an 8-bit mask. */
80e0ecbf 61static ossl_inline unsigned char constant_time_is_zero_8(unsigned int a);
e0fa6324
MC		 62/* Convenience method for getting a 32-bit mask. */
63static ossl_inline uint32_t constant_time_is_zero_32(uint32_t a);
5a3d21c0 64
9018f3ce 65/* Returns 0xff..f if a == b and 0 otherwise. */
80e0ecbf
DSH		 66static ossl_inline unsigned int constant_time_eq(unsigned int a,
67 unsigned int b);
5a3d21c0 68/* Convenience method for getting an 8-bit mask. */
80e0ecbf
DSH		 69static ossl_inline unsigned char constant_time_eq_8(unsigned int a,
70 unsigned int b);
455b65df 71/* Signed integers. */
80e0ecbf 72static ossl_inline unsigned int constant_time_eq_int(int a, int b);
455b65df 73/* Convenience method for getting an 8-bit mask. */
80e0ecbf 74static ossl_inline unsigned char constant_time_eq_int_8(int a, int b);
455b65df 75
1d97c843 76/*-
294d1e36
EK		 77 * Returns (mask & a) | (~mask & b).
78 *
79 * When |mask| is all 1s or all 0s (as returned by the methods above),
80 * the select methods return either |a| (if |mask| is nonzero) or |b|
81 * (if |mask| is zero).
82 */
80e0ecbf
DSH		 83static ossl_inline unsigned int constant_time_select(unsigned int mask,
84 unsigned int a,
85 unsigned int b);
294d1e36 86/* Convenience method for unsigned chars. */
80e0ecbf
DSH		 87static ossl_inline unsigned char constant_time_select_8(unsigned char mask,
88 unsigned char a,
89 unsigned char b);
e0fa6324
MC		 90
91/* Convenience method for uint32_t. */
92static ossl_inline uint32_t constant_time_select_32(uint32_t mask, uint32_t a,
93 uint32_t b);
94
9018f3ce
RS		 95/* Convenience method for uint64_t. */
96static ossl_inline uint64_t constant_time_select_64(uint64_t mask, uint64_t a,
97 uint64_t b);
294d1e36 98/* Convenience method for signed integers. */
80e0ecbf
DSH		 99static ossl_inline int constant_time_select_int(unsigned int mask, int a,
100 int b);
294d1e36 101
9018f3ce 102
80e0ecbf 103static ossl_inline unsigned int constant_time_msb(unsigned int a)
0f113f3e
MC		 104{
105 return 0 - (a >> (sizeof(a) * 8 - 1));
106}
5a3d21c0 107
e0fa6324
MC		 108
109static ossl_inline uint32_t constant_time_msb_32(uint32_t a)
110{
111 return 0 - (a >> 31);
112}
113
9018f3ce
RS		 114static ossl_inline uint64_t constant_time_msb_64(uint64_t a)
115{
116 return 0 - (a >> 63);
117}
118
2688e7a0
MC		 119static ossl_inline size_t constant_time_msb_s(size_t a)
120{
121 return 0 - (a >> (sizeof(a) * 8 - 1));
122}
123
80e0ecbf
DSH		 124static ossl_inline unsigned int constant_time_lt(unsigned int a,
125 unsigned int b)
0f113f3e
MC		 126{
127 return constant_time_msb(a ^ ((a ^ b) | ((a - b) ^ b)));
128}
5a3d21c0 129
2688e7a0
MC		 130static ossl_inline size_t constant_time_lt_s(size_t a, size_t b)
131{
132 return constant_time_msb_s(a ^ ((a ^ b) | ((a - b) ^ b)));
133}
134
80e0ecbf
DSH		 135static ossl_inline unsigned char constant_time_lt_8(unsigned int a,
136 unsigned int b)
0f113f3e 137{
26a7d938 138 return (unsigned char)constant_time_lt(a, b);
0f113f3e 139}
5a3d21c0 140
fcffbbe1 141static ossl_inline uint32_t constant_time_lt_32(uint32_t a, uint32_t b)
142{
143 return constant_time_msb_32(a ^ ((a ^ b) | ((a - b) ^ b)));
144}
145
9018f3ce
RS		 146static ossl_inline uint64_t constant_time_lt_64(uint64_t a, uint64_t b)
147{
148 return constant_time_msb_64(a ^ ((a ^ b) | ((a - b) ^ b)));
149}
150
d7d1bdcb 151#ifdef BN_ULONG
aaa1bda7
AG		 152static ossl_inline BN_ULONG value_barrier_bn(BN_ULONG a)
153{
154#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
155 BN_ULONG r;
156 __asm__("" : "=r"(r) : "0"(a));
157#else
158 volatile BN_ULONG r = a;
159#endif
160 return r;
161}
162
d7d1bdcb
TM		 163static ossl_inline BN_ULONG constant_time_msb_bn(BN_ULONG a)
164{
165 return 0 - (a >> (sizeof(a) * 8 - 1));
166}
167
168static ossl_inline BN_ULONG constant_time_lt_bn(BN_ULONG a, BN_ULONG b)
169{
170 return constant_time_msb_bn(a ^ ((a ^ b) | ((a - b) ^ b)));
171}
2d285fa8
TM		 172
173static ossl_inline BN_ULONG constant_time_is_zero_bn(BN_ULONG a)
174{
175 return constant_time_msb_bn(~a & (a - 1));
176}
177
178static ossl_inline BN_ULONG constant_time_eq_bn(BN_ULONG a,
179 BN_ULONG b)
180{
181 return constant_time_is_zero_bn(a ^ b);
182}
aaa1bda7
AG		 183
184static ossl_inline BN_ULONG constant_time_select_bn(BN_ULONG mask,
185 BN_ULONG a,
186 BN_ULONG b)
187{
188 return (value_barrier_bn(mask) & a) | (value_barrier_bn(~mask) & b);
189}
d7d1bdcb
TM		 190#endif
191
80e0ecbf
DSH		 192static ossl_inline unsigned int constant_time_ge(unsigned int a,
193 unsigned int b)
0f113f3e
MC		 194{
195 return ~constant_time_lt(a, b);
196}
5a3d21c0 197
2688e7a0
MC		 198static ossl_inline size_t constant_time_ge_s(size_t a, size_t b)
199{
200 return ~constant_time_lt_s(a, b);
201}
202
80e0ecbf
DSH		 203static ossl_inline unsigned char constant_time_ge_8(unsigned int a,
204 unsigned int b)
0f113f3e 205{
26a7d938 206 return (unsigned char)constant_time_ge(a, b);
0f113f3e 207}
5a3d21c0 208
2688e7a0
MC		 209static ossl_inline unsigned char constant_time_ge_8_s(size_t a, size_t b)
210{
26a7d938 211 return (unsigned char)constant_time_ge_s(a, b);
2688e7a0
MC		 212}
213
80e0ecbf 214static ossl_inline unsigned int constant_time_is_zero(unsigned int a)
0f113f3e
MC		 215{
216 return constant_time_msb(~a & (a - 1));
217}
5a3d21c0 218
2688e7a0
MC		 219static ossl_inline size_t constant_time_is_zero_s(size_t a)
220{
221 return constant_time_msb_s(~a & (a - 1));
222}
223
80e0ecbf 224static ossl_inline unsigned char constant_time_is_zero_8(unsigned int a)
0f113f3e 225{
26a7d938 226 return (unsigned char)constant_time_is_zero(a);
0f113f3e 227}
5a3d21c0 228
e0fa6324
MC		 229static ossl_inline uint32_t constant_time_is_zero_32(uint32_t a)
230{
231 return constant_time_msb_32(~a & (a - 1));
232}
233
ceaa6b31
AI		 234static ossl_inline uint64_t constant_time_is_zero_64(uint64_t a)
235{
236 return constant_time_msb_64(~a & (a - 1));
237}
238
80e0ecbf
DSH		 239static ossl_inline unsigned int constant_time_eq(unsigned int a,
240 unsigned int b)
0f113f3e
MC		 241{
242 return constant_time_is_zero(a ^ b);
243}
5a3d21c0 244
2688e7a0
MC		 245static ossl_inline size_t constant_time_eq_s(size_t a, size_t b)
246{
247 return constant_time_is_zero_s(a ^ b);
248}
249
80e0ecbf
DSH		 250static ossl_inline unsigned char constant_time_eq_8(unsigned int a,
251 unsigned int b)
0f113f3e 252{
26a7d938 253 return (unsigned char)constant_time_eq(a, b);
0f113f3e 254}
5a3d21c0 255
2688e7a0
MC		 256static ossl_inline unsigned char constant_time_eq_8_s(size_t a, size_t b)
257{
26a7d938 258 return (unsigned char)constant_time_eq_s(a, b);
2688e7a0
MC		 259}
260
80e0ecbf 261static ossl_inline unsigned int constant_time_eq_int(int a, int b)
0f113f3e
MC		 262{
263 return constant_time_eq((unsigned)(a), (unsigned)(b));
264}
455b65df 265
80e0ecbf 266static ossl_inline unsigned char constant_time_eq_int_8(int a, int b)
0f113f3e
MC		 267{
268 return constant_time_eq_8((unsigned)(a), (unsigned)(b));
269}
455b65df 270
04edd688
BE		 271/*
272 * Returns the value unmodified, but avoids optimizations.
273 * The barriers prevent the compiler from narrowing down the
274 * possible value range of the mask and ~mask in the select
275 * statements, which avoids the recognition of the select
276 * and turning it into a conditional load or branch.
277 */
278static ossl_inline unsigned int value_barrier(unsigned int a)
279{
280#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
281 unsigned int r;
282 __asm__("" : "=r"(r) : "0"(a));
283#else
284 volatile unsigned int r = a;
285#endif
286 return r;
287}
288
289/* Convenience method for uint32_t. */
290static ossl_inline uint32_t value_barrier_32(uint32_t a)
291{
292#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
293 uint32_t r;
294 __asm__("" : "=r"(r) : "0"(a));
295#else
296 volatile uint32_t r = a;
297#endif
298 return r;
299}
300
301/* Convenience method for uint64_t. */
302static ossl_inline uint64_t value_barrier_64(uint64_t a)
303{
304#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
305 uint64_t r;
306 __asm__("" : "=r"(r) : "0"(a));
307#else
308 volatile uint64_t r = a;
309#endif
310 return r;
311}
312
313/* Convenience method for size_t. */
314static ossl_inline size_t value_barrier_s(size_t a)
315{
316#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
317 size_t r;
318 __asm__("" : "=r"(r) : "0"(a));
319#else
320 volatile size_t r = a;
321#endif
322 return r;
323}
324
8a9e0d0f
J		 325/* Convenience method for unsigned char. */
326static ossl_inline unsigned char value_barrier_8(unsigned char a)
327{
328#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
329 unsigned char r;
330 __asm__("" : "=r"(r) : "0"(a));
331#else
332 volatile unsigned char r = a;
333#endif
334 return r;
335}
336
80e0ecbf
DSH		 337static ossl_inline unsigned int constant_time_select(unsigned int mask,
338 unsigned int a,
339 unsigned int b)
0f113f3e 340{
04edd688 341 return (value_barrier(mask) & a) | (value_barrier(~mask) & b);
0f113f3e 342}
294d1e36 343
2688e7a0
MC		 344static ossl_inline size_t constant_time_select_s(size_t mask,
345 size_t a,
346 size_t b)
347{
04edd688 348 return (value_barrier_s(mask) & a) | (value_barrier_s(~mask) & b);
2688e7a0
MC		 349}
350
80e0ecbf
DSH		 351static ossl_inline unsigned char constant_time_select_8(unsigned char mask,
352 unsigned char a,
353 unsigned char b)
0f113f3e 354{
26a7d938 355 return (unsigned char)constant_time_select(mask, a, b);
0f113f3e 356}
294d1e36 357
80e0ecbf
DSH		 358static ossl_inline int constant_time_select_int(unsigned int mask, int a,
359 int b)
0f113f3e 360{
26a7d938 361 return (int)constant_time_select(mask, (unsigned)(a), (unsigned)(b));
0f113f3e 362}
294d1e36 363
2688e7a0
MC		 364static ossl_inline int constant_time_select_int_s(size_t mask, int a, int b)
365{
26a7d938
K		 366 return (int)constant_time_select((unsigned)mask, (unsigned)(a),
367 (unsigned)(b));
2688e7a0
MC		 368}
369
e0fa6324
MC		 370static ossl_inline uint32_t constant_time_select_32(uint32_t mask, uint32_t a,
371 uint32_t b)
372{
04edd688 373 return (value_barrier_32(mask) & a) | (value_barrier_32(~mask) & b);
e0fa6324
MC		 374}
375
9018f3ce
RS		 376static ossl_inline uint64_t constant_time_select_64(uint64_t mask, uint64_t a,
377 uint64_t b)
378{
04edd688 379 return (value_barrier_64(mask) & a) | (value_barrier_64(~mask) & b);
9018f3ce
RS		 380}
381
e0fa6324
MC		 382/*
383 * mask must be 0xFFFFFFFF or 0x00000000.
384 *
385 * if (mask) {
386 * uint32_t tmp = *a;
387 *
388 * *a = *b;
389 * *b = tmp;
390 * }
391 */
392static ossl_inline void constant_time_cond_swap_32(uint32_t mask, uint32_t *a,
393 uint32_t *b)
394{
395 uint32_t xor = *a ^ *b;
396
8a9e0d0f 397 xor &= value_barrier_32(mask);
e0fa6324
MC		 398 *a ^= xor;
399 *b ^= xor;
400}
401
402/*
403 * mask must be 0xFFFFFFFF or 0x00000000.
404 *
405 * if (mask) {
406 * uint64_t tmp = *a;
407 *
408 * *a = *b;
409 * *b = tmp;
410 * }
411 */
412static ossl_inline void constant_time_cond_swap_64(uint64_t mask, uint64_t *a,
413 uint64_t *b)
414{
415 uint64_t xor = *a ^ *b;
416
8a9e0d0f 417 xor &= value_barrier_64(mask);
e0fa6324
MC		 418 *a ^= xor;
419 *b ^= xor;
420}
421
677c4a01
PS		 422/*
423 * mask must be 0xFF or 0x00.
424 * "constant time" is per len.
425 *
426 * if (mask) {
427 * unsigned char tmp[len];
428 *
429 * memcpy(tmp, a, len);
430 * memcpy(a, b);
431 * memcpy(b, tmp);
432 * }
433 */
434static ossl_inline void constant_time_cond_swap_buff(unsigned char mask,
435 unsigned char *a,
436 unsigned char *b,
437 size_t len)
438{
439 size_t i;
440 unsigned char tmp;
441
442 for (i = 0; i < len; i++) {
443 tmp = a[i] ^ b[i];
8a9e0d0f 444 tmp &= value_barrier_8(mask);
677c4a01
PS		 445 a[i] ^= tmp;
446 b[i] ^= tmp;
447 }
448}
449
e0fa6324
MC		 450/*
451 * table is a two dimensional array of bytes. Each row has rowsize elements.
452 * Copies row number idx into out. rowsize and numrows are not considered
453 * private.
454 */
455static ossl_inline void constant_time_lookup(void *out,
456 const void *table,
457 size_t rowsize,
458 size_t numrows,
459 size_t idx)
460{
461 size_t i, j;
462 const unsigned char *tablec = (const unsigned char *)table;
463 unsigned char *outc = (unsigned char *)out;
464 unsigned char mask;
465
466 memset(out, 0, rowsize);
467
468 /* Note idx may underflow - but that is well defined */
469 for (i = 0; i < numrows; i++, idx--) {
470 mask = (unsigned char)constant_time_is_zero_s(idx);
471 for (j = 0; j < rowsize; j++)
472 *(outc + j) |= constant_time_select_8(mask, *(tablec++), 0);
473 }
474}
475
f658a3b6
AP		 476/*
477 * Expected usage pattern is to unconditionally set error and then
478 * wipe it if there was no actual error. |clear| is 1 or 0.
479 */
480void err_clear_last_constant_time(int clear);
481
ae4186b0 482#endif /* OSSL_INTERNAL_CONSTANT_TIME_H */
Mirror of https://github.com/openssl/openssl.git