]> git.ipfire.org Git - thirdparty/openssl.git/blame_incremental - include/internal/constant_time.h
projects / thirdparty / openssl.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
Fix some conversion from size_t to const int errors
[thirdparty/openssl.git] / include / internal / constant_time.h
... / ...
CommitLineData
1/*
2 * Copyright 2014-2025 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#ifndef OSSL_INTERNAL_CONSTANT_TIME_H
11# define OSSL_INTERNAL_CONSTANT_TIME_H
12# pragma once
13
14# include <stdlib.h>
15# include <string.h>
16# include <openssl/e_os2.h> /* For 'ossl_inline' */
17
18/*-
19 * The boolean methods return a bitmask of all ones (0xff...f) for true
20 * and 0 for false. This is useful for choosing a value based on the result
21 * of a conditional in constant time. For example,
22 * if (a < b) {
23 * c = a;
24 * } else {
25 * c = b;
26 * }
27 * can be written as
28 * unsigned int lt = constant_time_lt(a, b);
29 * c = constant_time_select(lt, a, b);
30 */
31
32/* Returns the given value with the MSB copied to all the other bits. */
33static ossl_inline unsigned int constant_time_msb(unsigned int a);
34/* Convenience method for uint32_t. */
35static ossl_inline uint32_t constant_time_msb_32(uint32_t a);
36/* Convenience method for uint64_t. */
37static ossl_inline uint64_t constant_time_msb_64(uint64_t a);
38
39/* Returns 0xff..f if a < b and 0 otherwise. */
40static ossl_inline unsigned int constant_time_lt(unsigned int a,
41 unsigned int b);
42/* Convenience method for getting an 8-bit mask. */
43static ossl_inline unsigned char constant_time_lt_8(unsigned int a,
44 unsigned int b);
45/* Convenience method for uint32_t. */
46static ossl_inline uint32_t constant_time_lt_32(uint32_t a, uint32_t b);
47
48/* Convenience method for uint64_t. */
49static ossl_inline uint64_t constant_time_lt_64(uint64_t a, uint64_t b);
50
51/* Returns 0xff..f if a >= b and 0 otherwise. */
52static ossl_inline unsigned int constant_time_ge(unsigned int a,
53 unsigned int b);
54/* Convenience method for getting an 8-bit mask. */
55static ossl_inline unsigned char constant_time_ge_8(unsigned int a,
56 unsigned int b);
57
58/* Returns 0xff..f if a == 0 and 0 otherwise. */
59static ossl_inline unsigned int constant_time_is_zero(unsigned int a);
60/* Convenience method for getting an 8-bit mask. */
61static ossl_inline unsigned char constant_time_is_zero_8(unsigned int a);
62/* Convenience method for getting a 32-bit mask. */
63static ossl_inline uint32_t constant_time_is_zero_32(uint32_t a);
64
65/* Returns 0xff..f if a == b and 0 otherwise. */
66static ossl_inline unsigned int constant_time_eq(unsigned int a,
67 unsigned int b);
68/* Convenience method for getting an 8-bit mask. */
69static ossl_inline unsigned char constant_time_eq_8(unsigned int a,
70 unsigned int b);
71/* Signed integers. */
72static ossl_inline unsigned int constant_time_eq_int(int a, int b);
73/* Convenience method for getting an 8-bit mask. */
74static ossl_inline unsigned char constant_time_eq_int_8(int a, int b);
75
76/*-
77 * Returns (mask & a) | (~mask & b).
78 *
79 * When |mask| is all 1s or all 0s (as returned by the methods above),
80 * the select methods return either |a| (if |mask| is nonzero) or |b|
81 * (if |mask| is zero).
82 */
83static ossl_inline unsigned int constant_time_select(unsigned int mask,
84 unsigned int a,
85 unsigned int b);
86/* Convenience method for unsigned chars. */
87static ossl_inline unsigned char constant_time_select_8(unsigned char mask,
88 unsigned char a,
89 unsigned char b);
90
91/* Convenience method for uint32_t. */
92static ossl_inline uint32_t constant_time_select_32(uint32_t mask, uint32_t a,
93 uint32_t b);
94
95/* Convenience method for uint64_t. */
96static ossl_inline uint64_t constant_time_select_64(uint64_t mask, uint64_t a,
97 uint64_t b);
98/* Convenience method for signed integers. */
99static ossl_inline int constant_time_select_int(unsigned int mask, int a,
100 int b);
101
102
103static ossl_inline unsigned int constant_time_msb(unsigned int a)
104{
105 return 0 - (a >> (sizeof(a) * 8 - 1));
106}
107
108
109static ossl_inline uint32_t constant_time_msb_32(uint32_t a)
110{
111 return 0 - (a >> 31);
112}
113
114static ossl_inline uint64_t constant_time_msb_64(uint64_t a)
115{
116 return 0 - (a >> 63);
117}
118
119static ossl_inline size_t constant_time_msb_s(size_t a)
120{
121 return 0 - (a >> (sizeof(a) * 8 - 1));
122}
123
124static ossl_inline unsigned int constant_time_lt(unsigned int a,
125 unsigned int b)
126{
127 return constant_time_msb(a ^ ((a ^ b) | ((a - b) ^ b)));
128}
129
130static ossl_inline size_t constant_time_lt_s(size_t a, size_t b)
131{
132 return constant_time_msb_s(a ^ ((a ^ b) | ((a - b) ^ b)));
133}
134
135static ossl_inline unsigned char constant_time_lt_8(unsigned int a,
136 unsigned int b)
137{
138 return (unsigned char)constant_time_lt(a, b);
139}
140
141static ossl_inline uint32_t constant_time_lt_32(uint32_t a, uint32_t b)
142{
143 return constant_time_msb_32(a ^ ((a ^ b) | ((a - b) ^ b)));
144}
145
146static ossl_inline uint64_t constant_time_lt_64(uint64_t a, uint64_t b)
147{
148 return constant_time_msb_64(a ^ ((a ^ b) | ((a - b) ^ b)));
149}
150
151#ifdef BN_ULONG
152static ossl_inline BN_ULONG value_barrier_bn(BN_ULONG a)
153{
154#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
155 BN_ULONG r;
156 __asm__("" : "=r"(r) : "0"(a));
157#else
158 volatile BN_ULONG r = a;
159#endif
160 return r;
161}
162
163static ossl_inline BN_ULONG constant_time_msb_bn(BN_ULONG a)
164{
165 return 0 - (a >> (sizeof(a) * 8 - 1));
166}
167
168static ossl_inline BN_ULONG constant_time_lt_bn(BN_ULONG a, BN_ULONG b)
169{
170 return constant_time_msb_bn(a ^ ((a ^ b) | ((a - b) ^ b)));
171}
172
173static ossl_inline BN_ULONG constant_time_is_zero_bn(BN_ULONG a)
174{
175 return constant_time_msb_bn(~a & (a - 1));
176}
177
178static ossl_inline BN_ULONG constant_time_eq_bn(BN_ULONG a,
179 BN_ULONG b)
180{
181 return constant_time_is_zero_bn(a ^ b);
182}
183
184static ossl_inline BN_ULONG constant_time_select_bn(BN_ULONG mask,
185 BN_ULONG a,
186 BN_ULONG b)
187{
188 return (value_barrier_bn(mask) & a) | (value_barrier_bn(~mask) & b);
189}
190#endif
191
192static ossl_inline unsigned int constant_time_ge(unsigned int a,
193 unsigned int b)
194{
195 return ~constant_time_lt(a, b);
196}
197
198static ossl_inline size_t constant_time_ge_s(size_t a, size_t b)
199{
200 return ~constant_time_lt_s(a, b);
201}
202
203static ossl_inline unsigned char constant_time_ge_8(unsigned int a,
204 unsigned int b)
205{
206 return (unsigned char)constant_time_ge(a, b);
207}
208
209static ossl_inline unsigned char constant_time_ge_8_s(size_t a, size_t b)
210{
211 return (unsigned char)constant_time_ge_s(a, b);
212}
213
214static ossl_inline unsigned int constant_time_is_zero(unsigned int a)
215{
216 return constant_time_msb(~a & (a - 1));
217}
218
219static ossl_inline size_t constant_time_is_zero_s(size_t a)
220{
221 return constant_time_msb_s(~a & (a - 1));
222}
223
224static ossl_inline unsigned char constant_time_is_zero_8(unsigned int a)
225{
226 return (unsigned char)constant_time_is_zero(a);
227}
228
229static ossl_inline uint32_t constant_time_is_zero_32(uint32_t a)
230{
231 return constant_time_msb_32(~a & (a - 1));
232}
233
234static ossl_inline uint64_t constant_time_is_zero_64(uint64_t a)
235{
236 return constant_time_msb_64(~a & (a - 1));
237}
238
239static ossl_inline unsigned int constant_time_eq(unsigned int a,
240 unsigned int b)
241{
242 return constant_time_is_zero(a ^ b);
243}
244
245static ossl_inline size_t constant_time_eq_s(size_t a, size_t b)
246{
247 return constant_time_is_zero_s(a ^ b);
248}
249
250static ossl_inline unsigned char constant_time_eq_8(unsigned int a,
251 unsigned int b)
252{
253 return (unsigned char)constant_time_eq(a, b);
254}
255
256static ossl_inline unsigned char constant_time_eq_8_s(size_t a, size_t b)
257{
258 return (unsigned char)constant_time_eq_s(a, b);
259}
260
261static ossl_inline unsigned int constant_time_eq_int(int a, int b)
262{
263 return constant_time_eq((unsigned)(a), (unsigned)(b));
264}
265
266static ossl_inline unsigned char constant_time_eq_int_8(int a, int b)
267{
268 return constant_time_eq_8((unsigned)(a), (unsigned)(b));
269}
270
271/*
272 * Returns the value unmodified, but avoids optimizations.
273 * The barriers prevent the compiler from narrowing down the
274 * possible value range of the mask and ~mask in the select
275 * statements, which avoids the recognition of the select
276 * and turning it into a conditional load or branch.
277 */
278static ossl_inline unsigned int value_barrier(unsigned int a)
279{
280#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
281 unsigned int r;
282 __asm__("" : "=r"(r) : "0"(a));
283#else
284 volatile unsigned int r = a;
285#endif
286 return r;
287}
288
289/* Convenience method for uint32_t. */
290static ossl_inline uint32_t value_barrier_32(uint32_t a)
291{
292#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
293 uint32_t r;
294 __asm__("" : "=r"(r) : "0"(a));
295#else
296 volatile uint32_t r = a;
297#endif
298 return r;
299}
300
301/* Convenience method for uint64_t. */
302static ossl_inline uint64_t value_barrier_64(uint64_t a)
303{
304#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
305 uint64_t r;
306 __asm__("" : "=r"(r) : "0"(a));
307#else
308 volatile uint64_t r = a;
309#endif
310 return r;
311}
312
313/* Convenience method for size_t. */
314static ossl_inline size_t value_barrier_s(size_t a)
315{
316#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
317 size_t r;
318 __asm__("" : "=r"(r) : "0"(a));
319#else
320 volatile size_t r = a;
321#endif
322 return r;
323}
324
325/* Convenience method for unsigned char. */
326static ossl_inline unsigned char value_barrier_8(unsigned char a)
327{
328#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
329 unsigned char r;
330 __asm__("" : "=r"(r) : "0"(a));
331#else
332 volatile unsigned char r = a;
333#endif
334 return r;
335}
336
337static ossl_inline unsigned int constant_time_select(unsigned int mask,
338 unsigned int a,
339 unsigned int b)
340{
341 return (value_barrier(mask) & a) | (value_barrier(~mask) & b);
342}
343
344static ossl_inline size_t constant_time_select_s(size_t mask,
345 size_t a,
346 size_t b)
347{
348 return (value_barrier_s(mask) & a) | (value_barrier_s(~mask) & b);
349}
350
351static ossl_inline unsigned char constant_time_select_8(unsigned char mask,
352 unsigned char a,
353 unsigned char b)
354{
355 return (unsigned char)constant_time_select(mask, a, b);
356}
357
358static ossl_inline int constant_time_select_int(unsigned int mask, int a,
359 int b)
360{
361 return (int)constant_time_select(mask, (unsigned)(a), (unsigned)(b));
362}
363
364static ossl_inline int constant_time_select_int_s(size_t mask, int a, int b)
365{
366 return (int)constant_time_select((unsigned)mask, (unsigned)(a),
367 (unsigned)(b));
368}
369
370static ossl_inline uint32_t constant_time_select_32(uint32_t mask, uint32_t a,
371 uint32_t b)
372{
373 return (value_barrier_32(mask) & a) | (value_barrier_32(~mask) & b);
374}
375
376static ossl_inline uint64_t constant_time_select_64(uint64_t mask, uint64_t a,
377 uint64_t b)
378{
379 return (value_barrier_64(mask) & a) | (value_barrier_64(~mask) & b);
380}
381
382/*
383 * mask must be 0xFFFFFFFF or 0x00000000.
384 *
385 * if (mask) {
386 * uint32_t tmp = *a;
387 *
388 * *a = *b;
389 * *b = tmp;
390 * }
391 */
392static ossl_inline void constant_time_cond_swap_32(uint32_t mask, uint32_t *a,
393 uint32_t *b)
394{
395 uint32_t xor = *a ^ *b;
396
397 xor &= value_barrier_32(mask);
398 *a ^= xor;
399 *b ^= xor;
400}
401
402/*
403 * mask must be 0xFFFFFFFF or 0x00000000.
404 *
405 * if (mask) {
406 * uint64_t tmp = *a;
407 *
408 * *a = *b;
409 * *b = tmp;
410 * }
411 */
412static ossl_inline void constant_time_cond_swap_64(uint64_t mask, uint64_t *a,
413 uint64_t *b)
414{
415 uint64_t xor = *a ^ *b;
416
417 xor &= value_barrier_64(mask);
418 *a ^= xor;
419 *b ^= xor;
420}
421
422/*
423 * mask must be 0xFF or 0x00.
424 * "constant time" is per len.
425 *
426 * if (mask) {
427 * unsigned char tmp[len];
428 *
429 * memcpy(tmp, a, len);
430 * memcpy(a, b);
431 * memcpy(b, tmp);
432 * }
433 */
434static ossl_inline void constant_time_cond_swap_buff(unsigned char mask,
435 unsigned char *a,
436 unsigned char *b,
437 size_t len)
438{
439 size_t i;
440 unsigned char tmp;
441
442 for (i = 0; i < len; i++) {
443 tmp = a[i] ^ b[i];
444 tmp &= value_barrier_8(mask);
445 a[i] ^= tmp;
446 b[i] ^= tmp;
447 }
448}
449
450/*
451 * table is a two dimensional array of bytes. Each row has rowsize elements.
452 * Copies row number idx into out. rowsize and numrows are not considered
453 * private.
454 */
455static ossl_inline void constant_time_lookup(void *out,
456 const void *table,
457 size_t rowsize,
458 size_t numrows,
459 size_t idx)
460{
461 size_t i, j;
462 const unsigned char *tablec = (const unsigned char *)table;
463 unsigned char *outc = (unsigned char *)out;
464 unsigned char mask;
465
466 memset(out, 0, rowsize);
467
468 /* Note idx may underflow - but that is well defined */
469 for (i = 0; i < numrows; i++, idx--) {
470 mask = (unsigned char)constant_time_is_zero_s(idx);
471 for (j = 0; j < rowsize; j++)
472 *(outc + j) |= constant_time_select_8(mask, *(tablec++), 0);
473 }
474}
475
476/*
477 * Expected usage pattern is to unconditionally set error and then
478 * wipe it if there was no actual error. |clear| is 1 or 0.
479 */
480void err_clear_last_constant_time(int clear);
481
482#endif /* OSSL_INTERNAL_CONSTANT_TIME_H */
Mirror of https://github.com/openssl/openssl.git