From 9b208659aa217f27a002ba24bf5b28b3bf7710ac Mon Sep 17 00:00:00 2001 From: Emilia Kasper Date: Thu, 28 Aug 2014 15:33:34 +0200 Subject: [PATCH] Constant-time utilities Pull constant-time methods out to a separate header, add tests. Reviewed-by: Bodo Moeller (cherry picked from commit 73729e4cf3961e36b5534d270c11ff7cd811aa43) Conflicts: ssl/Makefile test/Makefile --- crypto/Makefile | 1 + crypto/constant_time_locl.h | 169 +++++++++++++++++++++++++++++ crypto/constant_time_test.c | 205 ++++++++++++++++++++++++++++++++++++ ssl/Makefile | 43 ++++---- ssl/s3_cbc.c | 56 ++-------- test/Makefile | 28 +++-- 6 files changed, 426 insertions(+), 76 deletions(-) create mode 100644 crypto/constant_time_locl.h create mode 100644 crypto/constant_time_test.c diff --git a/crypto/Makefile b/crypto/Makefile index 6557f2b4e1..c1eb620672 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -30,6 +30,7 @@ AFLAGS=$(ASFLAGS) LIBS= GENERAL=Makefile README crypto-lib.com install.com +TEST=constant_time_test.c LIB= $(TOP)/libcrypto.a SHARED_LIB= libcrypto$(SHLIB_EXT) diff --git a/crypto/constant_time_locl.h b/crypto/constant_time_locl.h new file mode 100644 index 0000000000..782da6c8b2 --- /dev/null +++ b/crypto/constant_time_locl.h @@ -0,0 +1,169 @@ +/* crypto/constant_time_locl.h */ +/* + * Utilities for constant-time cryptography. + * + * Author: Emilia Kasper (emilia@openssl.org) + * Based on previous work by Bodo Moeller, Emilia Kasper, Adam Langley + * (Google). + * ==================================================================== + * Copyright (c) 2014 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] + */ + +#ifndef HEADER_CONSTANT_TIME_LOCL_H +#define HEADER_CONSTANT_TIME_LOCL_H + +#include "e_os.h" /* For 'inline' */ + +#ifdef __cplusplus +extern "C" { +#endif + +/* + * The following methods return a bitmask of all ones (0xff...f) for true + * and 0 for false. This is useful for choosing a value based on the result + * of a conditional in constant time. For example, + * + * if (a < b) { + * c = a; + * } else { + * c = b; + * } + * + * can be written as + * + * unsigned int lt = constant_time_lt(a, b); + * c = a & lt | b & ~lt; + */ + +/* + * Returns the given value with the MSB copied to all the other + * bits. Uses the fact that arithmetic shift shifts-in the sign bit. + * However, this is not ensured by the C standard so you may need to + * replace this with something else on odd CPUs. + */ +static inline unsigned int constant_time_msb(unsigned int a); + +/* + * Returns 0xff..f if a < b and 0 otherwise. + */ +inline unsigned int constant_time_lt(unsigned int a, unsigned int b); +/* Convenience method for getting an 8-bit mask. */ +inline unsigned char constant_time_lt_8(unsigned int a, unsigned int b); + +/* + * Returns 0xff..f if a >= b and 0 otherwise. + */ +inline unsigned int constant_time_ge(unsigned int a, unsigned int b); +/* Convenience method for getting an 8-bit mask. */ +inline unsigned char constant_time_ge_8(unsigned int a, unsigned int b); + +/* + * Returns 0xff..f if a == 0 and 0 otherwise. + */ +inline unsigned int constant_time_is_zero(unsigned int a); +/* Convenience method for getting an 8-bit mask. */ +inline unsigned char constant_time_is_zero_8(unsigned int a); + + +/* + * Returns 0xff..f if a == b and 0 otherwise. + */ +inline unsigned int constant_time_eq(unsigned int a, unsigned int b); +/* Convenience method for getting an 8-bit mask. */ +inline unsigned char constant_time_eq_8(unsigned int a, unsigned int b); + +static inline unsigned int constant_time_msb(unsigned int a) + { + return (unsigned int)((int)(a) >> (sizeof(int) * 8 - 1)); + } + +inline unsigned int constant_time_lt(unsigned int a, unsigned int b) + { + unsigned int lt; + /* Case 1: msb(a) == msb(b). a < b iff the MSB of a - b is set.*/ + lt = ~(a ^ b) & (a - b); + /* Case 2: msb(a) != msb(b). a < b iff the MSB of b is set. */ + lt |= ~a & b; + return constant_time_msb(lt); + } + +inline unsigned char constant_time_lt_8(unsigned int a, unsigned int b) + { + return (unsigned char)(constant_time_lt(a, b)); + } + +inline unsigned int constant_time_ge(unsigned int a, unsigned int b) + { + unsigned int ge; + /* Case 1: msb(a) == msb(b). a >= b iff the MSB of a - b is not set.*/ + ge = ~((a ^ b) | (a - b)); + /* Case 2: msb(a) != msb(b). a >= b iff the MSB of a is set. */ + ge |= a & ~b; + return constant_time_msb(ge); + } + +inline unsigned char constant_time_ge_8(unsigned int a, unsigned int b) + { + return (unsigned char)(constant_time_ge(a, b)); + } + +inline unsigned int constant_time_is_zero(unsigned int a) + { + return constant_time_msb(~a & (a - 1)); + } + +inline unsigned char constant_time_is_zero_8(unsigned int a) + { + return (unsigned char)(constant_time_is_zero(a)); + } + +inline unsigned int constant_time_eq(unsigned int a, unsigned int b) + { + return constant_time_is_zero(a ^ b); + } + +inline unsigned char constant_time_eq_8(unsigned int a, unsigned int b) + { + return (unsigned char)(constant_time_eq(a, b)); + } + +#ifdef __cplusplus +} +#endif + +#endif /* HEADER_CONSTANT_TIME_LOCL_H */ diff --git a/crypto/constant_time_test.c b/crypto/constant_time_test.c new file mode 100644 index 0000000000..89fad7d3f2 --- /dev/null +++ b/crypto/constant_time_test.c @@ -0,0 +1,205 @@ +/* crypto/constant_time_test.c */ +/* + * Utilities for constant-time cryptography. + * + * Author: Emilia Kasper (emilia@openssl.org) + * Based on previous work by Bodo Moeller, Emilia Kasper, Adam Langley + * (Google). + * ==================================================================== + * Copyright (c) 2014 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] + */ + +#include "../crypto/constant_time_locl.h" + +#include +#include +#include + +static const unsigned int CONSTTIME_TRUE = ~0; +static const unsigned int CONSTTIME_FALSE = 0; +static const unsigned char CONSTTIME_TRUE_8 = ~0; +static const unsigned char CONSTTIME_FALSE_8 = 0; + +static int test_binary_op(unsigned int (*op)(unsigned int a, unsigned int b), + const char* op_name, unsigned int a, unsigned int b, int is_true) + { + unsigned c = op(a, b); + if (is_true && c != CONSTTIME_TRUE) + { + fprintf(stderr, "Test failed for %s(%du, %du): expected %du " + "(TRUE), got %du\n", op_name, a, b, CONSTTIME_TRUE, c); + return 1; + } + else if (!is_true && c != CONSTTIME_FALSE) + { + fprintf(stderr, "Test failed for %s(%du, %du): expected %du " + "(FALSE), got %du\n", op_name, a, b, CONSTTIME_FALSE, + c); + return 1; + } + return 0; + } + +static int test_binary_op_8(unsigned char (*op)(unsigned int a, unsigned int b), + const char* op_name, unsigned int a, unsigned int b, int is_true) + { + unsigned char c = op(a, b); + if (is_true && c != CONSTTIME_TRUE_8) + { + fprintf(stderr, "Test failed for %s(%du, %du): expected %u " + "(TRUE), got %u\n", op_name, a, b, CONSTTIME_TRUE_8, c); + return 1; + } + else if (!is_true && c != CONSTTIME_FALSE_8) + { + fprintf(stderr, "Test failed for %s(%du, %du): expected %u " + "(FALSE), got %u\n", op_name, a, b, CONSTTIME_FALSE_8, + c); + return 1; + } + return 0; + } + +static int test_is_zero(unsigned int a) + { + unsigned int c = constant_time_is_zero(a); + if (a == 0 && c != CONSTTIME_TRUE) + { + fprintf(stderr, "Test failed for constant_time_is_zero(%du): " + "expected %du (TRUE), got %du\n", a, CONSTTIME_TRUE, c); + return 1; + } + else if (a != 0 && c != CONSTTIME_FALSE) + { + fprintf(stderr, "Test failed for constant_time_is_zero(%du): " + "expected %du (FALSE), got %du\n", a, CONSTTIME_FALSE, + c); + return 1; + } + return 0; + } + +static int test_is_zero_8(unsigned int a) + { + unsigned char c = constant_time_is_zero_8(a); + if (a == 0 && c != CONSTTIME_TRUE_8) + { + fprintf(stderr, "Test failed for constant_time_is_zero(%du): " + "expected %u (TRUE), got %u\n", a, CONSTTIME_TRUE_8, c); + return 1; + } + else if (a != 0 && c != CONSTTIME_FALSE) + { + fprintf(stderr, "Test failed for constant_time_is_zero(%du): " + "expected %u (FALSE), got %u\n", a, CONSTTIME_FALSE_8, + c); + return 1; + } + return 0; + } + +static unsigned int test_values[] = {0, 1, 1024, 12345, 32000, UINT_MAX/2-1, + UINT_MAX/2, UINT_MAX/2+1, UINT_MAX-1, + UINT_MAX}; + +int main(int argc, char *argv[]) + { + unsigned int a, b, i, j; + int num_failed = 0, num_all = 0; + fprintf(stdout, "Testing constant time operations...\n"); + + for (i = 0; i < sizeof(test_values)/sizeof(int); ++i) + { + a = test_values[i]; + num_failed += test_is_zero(a); + num_failed += test_is_zero_8(a); + num_failed += test_binary_op(&constant_time_lt, + "constant_time_lt", a, a, 0); + num_failed += test_binary_op_8(&constant_time_lt_8, + "constant_time_lt_8", a, a, 0); + num_failed += test_binary_op(&constant_time_ge, + "constant_time_ge", a, a, 1); + num_failed += test_binary_op_8(&constant_time_ge_8, + "constant_time_ge_8", a, a, 1); + num_failed += test_binary_op(&constant_time_eq, + "constant_time_eq", a, a, 1); + num_failed += test_binary_op_8(&constant_time_eq_8, + "constant_time_eq_8", a, a, 1); + num_all += 8; + for (j = i + 1; j < sizeof(test_values)/sizeof(int); ++j) + { + b = test_values[j]; + num_failed += test_binary_op(&constant_time_lt, + "constant_time_lt", a, b, a < b); + num_failed += test_binary_op_8(&constant_time_lt_8, + "constant_time_lt_8", a, b, a < b); + num_failed += test_binary_op(&constant_time_lt, + "constant_time_lt_8", b, a, b < a); + num_failed += test_binary_op_8(&constant_time_lt_8, + "constant_time_lt_8", b, a, b < a); + num_failed += test_binary_op(&constant_time_ge, + "constant_time_ge", a, b, a >= b); + num_failed += test_binary_op_8(&constant_time_ge_8, + "constant_time_ge_8", a, b, a >= b); + num_failed += test_binary_op(&constant_time_ge, + "constant_time_ge", b, a, b >= a); + num_failed += test_binary_op_8(&constant_time_ge_8, + "constant_time_ge_8", b, a, b >= a); + num_failed += test_binary_op(&constant_time_eq, + "constant_time_eq", a, b, a == b); + num_failed += test_binary_op_8(&constant_time_eq_8, + "constant_time_eq_8", a, b, a == b); + num_failed += test_binary_op(&constant_time_eq, + "constant_time_eq", b, a, b == a); + num_failed += test_binary_op_8(&constant_time_eq_8, + "constant_time_eq_8", b, a, b == a); + num_all += 12; + } + } + + if (!num_failed) + { + fprintf(stdout, "ok (ran %d tests)\n", num_all); + return EXIT_SUCCESS; + } + else + { + fprintf(stdout, "%d of %d tests failed!\n", num_failed, num_all); + return EXIT_FAILURE; + } + } diff --git a/ssl/Makefile b/ssl/Makefile index 90b9b9d44b..b82d38165c 100644 --- a/ssl/Makefile +++ b/ssl/Makefile @@ -545,27 +545,28 @@ s3_both.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h s3_both.o: ../include/openssl/stack.h ../include/openssl/symhacks.h s3_both.o: ../include/openssl/tls1.h ../include/openssl/x509.h s3_both.o: ../include/openssl/x509_vfy.h s3_both.c ssl_locl.h -s3_cbc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -s3_cbc.o: ../include/openssl/bn.h ../include/openssl/buffer.h -s3_cbc.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s3_cbc.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h -s3_cbc.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -s3_cbc.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h -s3_cbc.o: ../include/openssl/err.h ../include/openssl/evp.h -s3_cbc.o: ../include/openssl/fips.h ../include/openssl/hmac.h -s3_cbc.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -s3_cbc.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h -s3_cbc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -s3_cbc.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -s3_cbc.o: ../include/openssl/pem.h ../include/openssl/pem2.h -s3_cbc.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h -s3_cbc.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h -s3_cbc.o: ../include/openssl/safestack.h ../include/openssl/sha.h -s3_cbc.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -s3_cbc.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -s3_cbc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -s3_cbc.o: ../include/openssl/tls1.h ../include/openssl/x509.h -s3_cbc.o: ../include/openssl/x509_vfy.h s3_cbc.c ssl_locl.h +s3_cbc.o: ../crypto/constant_time_locl.h ../e_os.h ../include/openssl/asn1.h +s3_cbc.o: ../include/openssl/bio.h ../include/openssl/bn.h +s3_cbc.o: ../include/openssl/buffer.h ../include/openssl/comp.h +s3_cbc.o: ../include/openssl/crypto.h ../include/openssl/dsa.h +s3_cbc.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +s3_cbc.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +s3_cbc.o: ../include/openssl/ecdsa.h ../include/openssl/err.h +s3_cbc.o: ../include/openssl/evp.h ../include/openssl/fips.h +s3_cbc.o: ../include/openssl/hmac.h ../include/openssl/kssl.h +s3_cbc.o: ../include/openssl/lhash.h ../include/openssl/md5.h +s3_cbc.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +s3_cbc.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +s3_cbc.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +s3_cbc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +s3_cbc.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h +s3_cbc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +s3_cbc.o: ../include/openssl/sha.h ../include/openssl/ssl.h +s3_cbc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +s3_cbc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +s3_cbc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +s3_cbc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s3_cbc.c +s3_cbc.o: ssl_locl.h s3_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s3_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h s3_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index 9f57fc9a62..f7eaf94e50 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c @@ -53,6 +53,7 @@ * */ +#include "../crypto/constant_time_locl.h" #include "ssl_locl.h" #include @@ -67,37 +68,6 @@ * supported by TLS.) */ #define MAX_HASH_BLOCK_SIZE 128 -/* Some utility functions are needed: - * - * These macros return the given value with the MSB copied to all the other - * bits. They use the fact that arithmetic shift shifts-in the sign bit. - * However, this is not ensured by the C standard so you may need to replace - * them with something else on odd CPUs. */ -#define DUPLICATE_MSB_TO_ALL(x) ( (unsigned)( (int)(x) >> (sizeof(int)*8-1) ) ) -#define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x))) - -/* constant_time_lt returns 0xff if a=b and 0x00 otherwise. */ -static unsigned constant_time_ge(unsigned a, unsigned b) - { - a -= b; - return DUPLICATE_MSB_TO_ALL(~a); - } - -/* constant_time_eq_8 returns 0xff if a==b and 0x00 otherwise. */ -static unsigned char constant_time_eq_8(unsigned a, unsigned b) - { - unsigned c = a ^ b; - c--; - return DUPLICATE_MSB_TO_ALL_8(c); - } - /* ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC * record in |rec| by updating |rec->length| in constant time. * @@ -127,7 +97,7 @@ int ssl3_cbc_remove_padding(const SSL* s, rec->length -= padding_length; rec->type |= padding_length<<8; /* kludge: pass padding length */ return (int)((good & 1) | (~good & -1)); -} + } /* tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC * record in |rec| in constant time and returns 1 if the padding is valid and @@ -201,7 +171,7 @@ int tls1_cbc_remove_padding(const SSL* s, for (i = 0; i < to_check; i++) { - unsigned char mask = constant_time_ge(padding_length, i); + unsigned char mask = constant_time_ge_8(padding_length, i); unsigned char b = rec->data[rec->length-1-i]; /* The final |padding_length+1| bytes should all have the value * |padding_length|. Therefore the XOR should be zero. */ @@ -209,15 +179,9 @@ int tls1_cbc_remove_padding(const SSL* s, } /* If any of the final |padding_length+1| bytes had the wrong value, - * one or more of the lower eight bits of |good| will be cleared. We - * AND the bottom 8 bits together and duplicate the result to all the - * bits. */ - good &= good >> 4; - good &= good >> 2; - good &= good >> 1; - good <<= sizeof(good)*8-1; - good = DUPLICATE_MSB_TO_ALL(good); - + * one or more of the lower eight bits of |good| will be cleared. + */ + good = constant_time_eq(0xff, good & 0xff); padding_length = good & (padding_length+1); rec->length -= padding_length; rec->type |= padding_length<<8; /* kludge: pass padding length */ @@ -289,8 +253,8 @@ void ssl3_cbc_copy_mac(unsigned char* out, memset(rotated_mac, 0, md_size); for (i = scan_start, j = 0; i < orig_len; i++) { - unsigned char mac_started = constant_time_ge(i, mac_start); - unsigned char mac_ended = constant_time_ge(i, mac_end); + unsigned char mac_started = constant_time_ge_8(i, mac_start); + unsigned char mac_ended = constant_time_ge_8(i, mac_end); unsigned char b = rec->data[i]; rotated_mac[j++] |= b & mac_started & ~mac_ended; j &= constant_time_lt(j,md_size); @@ -676,8 +640,8 @@ void ssl3_cbc_digest_record( b = data[k-header_length]; k++; - is_past_c = is_block_a & constant_time_ge(j, c); - is_past_cp1 = is_block_a & constant_time_ge(j, c+1); + is_past_c = is_block_a & constant_time_ge_8(j, c); + is_past_cp1 = is_block_a & constant_time_ge_8(j, c+1); /* If this is the block containing the end of the * application data, and we are at the offset for the * 0x80 value, then overwrite b with 0x80. */ diff --git a/test/Makefile b/test/Makefile index 4e8d93a5e4..ac4f2742cc 100644 --- a/test/Makefile +++ b/test/Makefile @@ -72,6 +72,7 @@ FIPS_DSATEST= fips_dsatest FIPS_DSSVS= fips_dssvs FIPS_RNGVS= fips_rngvs FIPS_TEST_SUITE=fips_test_suite +CONSTTIMETEST= constant_time_test TESTS= alltests @@ -88,7 +89,8 @@ EXE= $(BNTEST)$(EXE_EXT) $(ECTEST)$(EXE_EXT) $(ECDSATEST)$(EXE_EXT) $(ECDHTEST) $(FIPS_HMACTEST)$(EXE_EXT) $(FIPS_RSAVTEST)$(EXE_EXT) \ $(FIPS_RSASTEST)$(EXE_EXT) $(FIPS_RSAGTEST)$(EXE_EXT) \ $(FIPS_DSSVS)$(EXE_EXT) $(FIPS_DSATEST)$(EXE_EXT) \ - $(FIPS_RNGVS)$(EXE_EXT) $(FIPS_TEST_SUITE)$(EXE_EXT) jpaketest$(EXE_EXT) + $(FIPS_RNGVS)$(EXE_EXT) $(FIPS_TEST_SUITE)$(EXE_EXT) \ + jpaketest$(EXE_EXT) $(CONSTTIMETEST)$(EXE_EXT) # $(METHTEST)$(EXE_EXT) @@ -105,7 +107,7 @@ OBJ= $(BNTEST).o $(ECTEST).o $(ECDSATEST).o $(ECDHTEST).o $(IDEATEST).o \ $(FIPS_AESTEST).o $(FIPS_HMACTEST).o $(FIPS_RSAVTEST).o \ $(FIPS_RSASTEST).o $(FIPS_RSAGTEST).o \ $(FIPS_DSSVS).o $(FIPS_DSATEST).o $(FIPS_RNGVS).o $(FIPS_TEST_SUITE).o \ - jpaketest.o + jpaketest.o $(CONSTTIMETEST).o SRC= $(BNTEST).c $(ECTEST).c $(ECDSATEST).c $(ECDHTEST).c $(IDEATEST).c \ $(MD2TEST).c $(MD4TEST).c $(MD5TEST).c \ @@ -119,7 +121,7 @@ SRC= $(BNTEST).c $(ECTEST).c $(ECDSATEST).c $(ECDHTEST).c $(IDEATEST).c \ $(FIPS_AESTEST).c $(FIPS_HMACTEST).c $(FIPS_RSAVTEST).c \ $(FIPS_RSASTEST).c $(FIPS_RSAGTEST).c \ $(FIPS_DSSVS).c $(FIPS_DSATEST).c $(FIPS_RNGVS).c $(FIPS_TEST_SUITE).c \ - jpaketest.c + jpaketest.c $(CONSTTIMETEST).c EXHEADER= HEADER= $(EXHEADER) @@ -161,7 +163,8 @@ alltests: \ test_rand test_bn test_ec test_ecdsa test_ecdh \ test_enc test_x509 test_rsa test_crl test_sid \ test_gen test_req test_pkcs7 test_verify test_dh test_dsa \ - test_ss test_ca test_engine test_evp test_ssl test_ige test_jpake + test_ss test_ca test_engine test_evp test_ssl test_ige test_jpake \ + test_constant_time test_evp: ../util/shlib_wrap.sh ./$(EVPTEST) evptests.txt @@ -333,6 +336,10 @@ test_jpake: jpaketest$(EXE_EXT) @echo "Test JPAKE" ../util/shlib_wrap.sh ./jpaketest +test_constant_time: $(CONSTTIMETEST)$(EXE_EXT) + @echo "Test constant time utilites" + ../util/shlib_wrap.sh ./$(CONSTTIMETEST) + lint: lint -DLINT $(INCLUDES) $(SRC)>fluff @@ -527,6 +534,9 @@ $(IGETEST)$(EXE_EXT): $(IGETEST).o $(DLIBCRYPTO) jpaketest$(EXE_EXT): jpaketest.o $(DLIBCRYPTO) @target=jpaketest; $(BUILD_CMD) +$(CONSTTIMETEST)$(EXE_EXT): $(CONSTTIMETEST).o + @target=$(CONSTTIMETEST) $(BUILD_CMD) + #$(AESTEST).o: $(AESTEST).c # $(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c @@ -561,6 +571,9 @@ bntest.o: ../include/openssl/symhacks.h ../include/openssl/x509.h bntest.o: ../include/openssl/x509_vfy.h bntest.c casttest.o: ../e_os.h ../include/openssl/cast.h ../include/openssl/e_os2.h casttest.o: ../include/openssl/opensslconf.h casttest.c +constant_time_test.o: ../crypto/constant_time_locl.h ../e_os.h +constant_time_test.o: ../include/openssl/e_os2.h +constant_time_test.o: ../include/openssl/opensslconf.h constant_time_test.c destest.o: ../include/openssl/des.h ../include/openssl/des_old.h destest.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h destest.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h @@ -866,11 +879,8 @@ md5test.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h md5test.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h md5test.o: ../include/openssl/safestack.h ../include/openssl/stack.h md5test.o: ../include/openssl/symhacks.h md5test.c -mdc2test.o: ../include/openssl/buffer.h ../include/openssl/crypto.h -mdc2test.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h -mdc2test.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -mdc2test.o: ../include/openssl/safestack.h ../include/openssl/stack.h -mdc2test.o: ../include/openssl/symhacks.h mdc2test.c +mdc2test.o: ../e_os.h ../include/openssl/e_os2.h +mdc2test.o: ../include/openssl/opensslconf.h mdc2test.c randtest.o: ../e_os.h ../include/openssl/e_os2.h randtest.o: ../include/openssl/opensslconf.h ../include/openssl/ossl_typ.h randtest.o: ../include/openssl/rand.h randtest.c -- 2.39.2