1*62c56f98SSadaf Ebrahimi /** 2*62c56f98SSadaf Ebrahimi * Constant-time functions 3*62c56f98SSadaf Ebrahimi * 4*62c56f98SSadaf Ebrahimi * Copyright The Mbed TLS Contributors 5*62c56f98SSadaf Ebrahimi * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 6*62c56f98SSadaf Ebrahimi */ 7*62c56f98SSadaf Ebrahimi 8*62c56f98SSadaf Ebrahimi #ifndef MBEDTLS_CONSTANT_TIME_INTERNAL_H 9*62c56f98SSadaf Ebrahimi #define MBEDTLS_CONSTANT_TIME_INTERNAL_H 10*62c56f98SSadaf Ebrahimi 11*62c56f98SSadaf Ebrahimi #include <stdint.h> 12*62c56f98SSadaf Ebrahimi #include <stddef.h> 13*62c56f98SSadaf Ebrahimi 14*62c56f98SSadaf Ebrahimi #include "common.h" 15*62c56f98SSadaf Ebrahimi 16*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_BIGNUM_C) 17*62c56f98SSadaf Ebrahimi #include "mbedtls/bignum.h" 18*62c56f98SSadaf Ebrahimi #endif 19*62c56f98SSadaf Ebrahimi 20*62c56f98SSadaf Ebrahimi /* The constant-time interface provides various operations that are likely 21*62c56f98SSadaf Ebrahimi * to result in constant-time code that does not branch or use conditional 22*62c56f98SSadaf Ebrahimi * instructions for secret data (for secret pointers, this also applies to 23*62c56f98SSadaf Ebrahimi * the data pointed to). 24*62c56f98SSadaf Ebrahimi * 25*62c56f98SSadaf Ebrahimi * It has three main parts: 26*62c56f98SSadaf Ebrahimi * 27*62c56f98SSadaf Ebrahimi * - boolean operations 28*62c56f98SSadaf Ebrahimi * These are all named mbedtls_ct_<type>_<operation>. 29*62c56f98SSadaf Ebrahimi * They operate over <type> and return mbedtls_ct_condition_t. 30*62c56f98SSadaf Ebrahimi * All arguments are considered secret. 31*62c56f98SSadaf Ebrahimi * example: bool x = y | z => x = mbedtls_ct_bool_or(y, z) 32*62c56f98SSadaf Ebrahimi * example: bool x = y == z => x = mbedtls_ct_uint_eq(y, z) 33*62c56f98SSadaf Ebrahimi * 34*62c56f98SSadaf Ebrahimi * - conditional data selection 35*62c56f98SSadaf Ebrahimi * These are all named mbedtls_ct_<type>_if and mbedtls_ct_<type>_if_else_0 36*62c56f98SSadaf Ebrahimi * All arguments are considered secret. 37*62c56f98SSadaf Ebrahimi * example: size_t a = x ? b : c => a = mbedtls_ct_size_if(x, b, c) 38*62c56f98SSadaf Ebrahimi * example: unsigned a = x ? b : 0 => a = mbedtls_ct_uint_if_else_0(x, b) 39*62c56f98SSadaf Ebrahimi * 40*62c56f98SSadaf Ebrahimi * - block memory operations 41*62c56f98SSadaf Ebrahimi * Only some arguments are considered secret, as documented for each 42*62c56f98SSadaf Ebrahimi * function. 43*62c56f98SSadaf Ebrahimi * example: if (x) memcpy(...) => mbedtls_ct_memcpy_if(x, ...) 44*62c56f98SSadaf Ebrahimi * 45*62c56f98SSadaf Ebrahimi * mbedtls_ct_condition_t must be treated as opaque and only created and 46*62c56f98SSadaf Ebrahimi * manipulated via the functions in this header. The compiler should never 47*62c56f98SSadaf Ebrahimi * be able to prove anything about its value at compile-time. 48*62c56f98SSadaf Ebrahimi * 49*62c56f98SSadaf Ebrahimi * mbedtls_ct_uint_t is an unsigned integer type over which constant time 50*62c56f98SSadaf Ebrahimi * operations may be performed via the functions in this header. It is as big 51*62c56f98SSadaf Ebrahimi * as the larger of size_t and mbedtls_mpi_uint, i.e. it is safe to cast 52*62c56f98SSadaf Ebrahimi * to/from "unsigned int", "size_t", and "mbedtls_mpi_uint" (and any other 53*62c56f98SSadaf Ebrahimi * not-larger integer types). 54*62c56f98SSadaf Ebrahimi * 55*62c56f98SSadaf Ebrahimi * For Arm (32-bit, 64-bit and Thumb), x86 and x86-64, assembly implementations 56*62c56f98SSadaf Ebrahimi * are used to ensure that the generated code is constant time. For other 57*62c56f98SSadaf Ebrahimi * architectures, it uses a plain C fallback designed to yield constant-time code 58*62c56f98SSadaf Ebrahimi * (this has been observed to be constant-time on latest gcc, clang and MSVC 59*62c56f98SSadaf Ebrahimi * as of May 2023). 60*62c56f98SSadaf Ebrahimi * 61*62c56f98SSadaf Ebrahimi * For readability, the static inline definitions are separated out into 62*62c56f98SSadaf Ebrahimi * constant_time_impl.h. 63*62c56f98SSadaf Ebrahimi */ 64*62c56f98SSadaf Ebrahimi 65*62c56f98SSadaf Ebrahimi #if (SIZE_MAX > 0xffffffffffffffffULL) 66*62c56f98SSadaf Ebrahimi /* Pointer size > 64-bit */ 67*62c56f98SSadaf Ebrahimi typedef size_t mbedtls_ct_condition_t; 68*62c56f98SSadaf Ebrahimi typedef size_t mbedtls_ct_uint_t; 69*62c56f98SSadaf Ebrahimi typedef ptrdiff_t mbedtls_ct_int_t; 70*62c56f98SSadaf Ebrahimi #define MBEDTLS_CT_TRUE ((mbedtls_ct_condition_t) mbedtls_ct_compiler_opaque(SIZE_MAX)) 71*62c56f98SSadaf Ebrahimi #elif (SIZE_MAX > 0xffffffff) || defined(MBEDTLS_HAVE_INT64) 72*62c56f98SSadaf Ebrahimi /* 32-bit < pointer size <= 64-bit, or 64-bit MPI */ 73*62c56f98SSadaf Ebrahimi typedef uint64_t mbedtls_ct_condition_t; 74*62c56f98SSadaf Ebrahimi typedef uint64_t mbedtls_ct_uint_t; 75*62c56f98SSadaf Ebrahimi typedef int64_t mbedtls_ct_int_t; 76*62c56f98SSadaf Ebrahimi #define MBEDTLS_CT_SIZE_64 77*62c56f98SSadaf Ebrahimi #define MBEDTLS_CT_TRUE ((mbedtls_ct_condition_t) mbedtls_ct_compiler_opaque(UINT64_MAX)) 78*62c56f98SSadaf Ebrahimi #else 79*62c56f98SSadaf Ebrahimi /* Pointer size <= 32-bit, and no 64-bit MPIs */ 80*62c56f98SSadaf Ebrahimi typedef uint32_t mbedtls_ct_condition_t; 81*62c56f98SSadaf Ebrahimi typedef uint32_t mbedtls_ct_uint_t; 82*62c56f98SSadaf Ebrahimi typedef int32_t mbedtls_ct_int_t; 83*62c56f98SSadaf Ebrahimi #define MBEDTLS_CT_SIZE_32 84*62c56f98SSadaf Ebrahimi #define MBEDTLS_CT_TRUE ((mbedtls_ct_condition_t) mbedtls_ct_compiler_opaque(UINT32_MAX)) 85*62c56f98SSadaf Ebrahimi #endif 86*62c56f98SSadaf Ebrahimi #define MBEDTLS_CT_FALSE ((mbedtls_ct_condition_t) mbedtls_ct_compiler_opaque(0)) 87*62c56f98SSadaf Ebrahimi 88*62c56f98SSadaf Ebrahimi /* ============================================================================ 89*62c56f98SSadaf Ebrahimi * Boolean operations 90*62c56f98SSadaf Ebrahimi */ 91*62c56f98SSadaf Ebrahimi 92*62c56f98SSadaf Ebrahimi /** Convert a number into a mbedtls_ct_condition_t. 93*62c56f98SSadaf Ebrahimi * 94*62c56f98SSadaf Ebrahimi * \param x Number to convert. 95*62c56f98SSadaf Ebrahimi * 96*62c56f98SSadaf Ebrahimi * \return MBEDTLS_CT_TRUE if \p x != 0, or MBEDTLS_CT_FALSE if \p x == 0 97*62c56f98SSadaf Ebrahimi * 98*62c56f98SSadaf Ebrahimi */ 99*62c56f98SSadaf Ebrahimi static inline mbedtls_ct_condition_t mbedtls_ct_bool(mbedtls_ct_uint_t x); 100*62c56f98SSadaf Ebrahimi 101*62c56f98SSadaf Ebrahimi /** Boolean "not equal" operation. 102*62c56f98SSadaf Ebrahimi * 103*62c56f98SSadaf Ebrahimi * Functionally equivalent to: 104*62c56f98SSadaf Ebrahimi * 105*62c56f98SSadaf Ebrahimi * \p x != \p y 106*62c56f98SSadaf Ebrahimi * 107*62c56f98SSadaf Ebrahimi * \param x The first value to analyze. 108*62c56f98SSadaf Ebrahimi * \param y The second value to analyze. 109*62c56f98SSadaf Ebrahimi * 110*62c56f98SSadaf Ebrahimi * \return MBEDTLS_CT_TRUE if \p x != \p y, otherwise MBEDTLS_CT_FALSE. 111*62c56f98SSadaf Ebrahimi */ 112*62c56f98SSadaf Ebrahimi static inline mbedtls_ct_condition_t mbedtls_ct_uint_ne(mbedtls_ct_uint_t x, mbedtls_ct_uint_t y); 113*62c56f98SSadaf Ebrahimi 114*62c56f98SSadaf Ebrahimi /** Boolean "equals" operation. 115*62c56f98SSadaf Ebrahimi * 116*62c56f98SSadaf Ebrahimi * Functionally equivalent to: 117*62c56f98SSadaf Ebrahimi * 118*62c56f98SSadaf Ebrahimi * \p x == \p y 119*62c56f98SSadaf Ebrahimi * 120*62c56f98SSadaf Ebrahimi * \param x The first value to analyze. 121*62c56f98SSadaf Ebrahimi * \param y The second value to analyze. 122*62c56f98SSadaf Ebrahimi * 123*62c56f98SSadaf Ebrahimi * \return MBEDTLS_CT_TRUE if \p x == \p y, otherwise MBEDTLS_CT_FALSE. 124*62c56f98SSadaf Ebrahimi */ 125*62c56f98SSadaf Ebrahimi static inline mbedtls_ct_condition_t mbedtls_ct_uint_eq(mbedtls_ct_uint_t x, 126*62c56f98SSadaf Ebrahimi mbedtls_ct_uint_t y); 127*62c56f98SSadaf Ebrahimi 128*62c56f98SSadaf Ebrahimi /** Boolean "less than" operation. 129*62c56f98SSadaf Ebrahimi * 130*62c56f98SSadaf Ebrahimi * Functionally equivalent to: 131*62c56f98SSadaf Ebrahimi * 132*62c56f98SSadaf Ebrahimi * \p x < \p y 133*62c56f98SSadaf Ebrahimi * 134*62c56f98SSadaf Ebrahimi * \param x The first value to analyze. 135*62c56f98SSadaf Ebrahimi * \param y The second value to analyze. 136*62c56f98SSadaf Ebrahimi * 137*62c56f98SSadaf Ebrahimi * \return MBEDTLS_CT_TRUE if \p x < \p y, otherwise MBEDTLS_CT_FALSE. 138*62c56f98SSadaf Ebrahimi */ 139*62c56f98SSadaf Ebrahimi static inline mbedtls_ct_condition_t mbedtls_ct_uint_lt(mbedtls_ct_uint_t x, mbedtls_ct_uint_t y); 140*62c56f98SSadaf Ebrahimi 141*62c56f98SSadaf Ebrahimi /** Boolean "greater than" operation. 142*62c56f98SSadaf Ebrahimi * 143*62c56f98SSadaf Ebrahimi * Functionally equivalent to: 144*62c56f98SSadaf Ebrahimi * 145*62c56f98SSadaf Ebrahimi * \p x > \p y 146*62c56f98SSadaf Ebrahimi * 147*62c56f98SSadaf Ebrahimi * \param x The first value to analyze. 148*62c56f98SSadaf Ebrahimi * \param y The second value to analyze. 149*62c56f98SSadaf Ebrahimi * 150*62c56f98SSadaf Ebrahimi * \return MBEDTLS_CT_TRUE if \p x > \p y, otherwise MBEDTLS_CT_FALSE. 151*62c56f98SSadaf Ebrahimi */ 152*62c56f98SSadaf Ebrahimi static inline mbedtls_ct_condition_t mbedtls_ct_uint_gt(mbedtls_ct_uint_t x, 153*62c56f98SSadaf Ebrahimi mbedtls_ct_uint_t y); 154*62c56f98SSadaf Ebrahimi 155*62c56f98SSadaf Ebrahimi /** Boolean "greater or equal" operation. 156*62c56f98SSadaf Ebrahimi * 157*62c56f98SSadaf Ebrahimi * Functionally equivalent to: 158*62c56f98SSadaf Ebrahimi * 159*62c56f98SSadaf Ebrahimi * \p x >= \p y 160*62c56f98SSadaf Ebrahimi * 161*62c56f98SSadaf Ebrahimi * \param x The first value to analyze. 162*62c56f98SSadaf Ebrahimi * \param y The second value to analyze. 163*62c56f98SSadaf Ebrahimi * 164*62c56f98SSadaf Ebrahimi * \return MBEDTLS_CT_TRUE if \p x >= \p y, 165*62c56f98SSadaf Ebrahimi * otherwise MBEDTLS_CT_FALSE. 166*62c56f98SSadaf Ebrahimi */ 167*62c56f98SSadaf Ebrahimi static inline mbedtls_ct_condition_t mbedtls_ct_uint_ge(mbedtls_ct_uint_t x, 168*62c56f98SSadaf Ebrahimi mbedtls_ct_uint_t y); 169*62c56f98SSadaf Ebrahimi 170*62c56f98SSadaf Ebrahimi /** Boolean "less than or equal" operation. 171*62c56f98SSadaf Ebrahimi * 172*62c56f98SSadaf Ebrahimi * Functionally equivalent to: 173*62c56f98SSadaf Ebrahimi * 174*62c56f98SSadaf Ebrahimi * \p x <= \p y 175*62c56f98SSadaf Ebrahimi * 176*62c56f98SSadaf Ebrahimi * \param x The first value to analyze. 177*62c56f98SSadaf Ebrahimi * \param y The second value to analyze. 178*62c56f98SSadaf Ebrahimi * 179*62c56f98SSadaf Ebrahimi * \return MBEDTLS_CT_TRUE if \p x <= \p y, 180*62c56f98SSadaf Ebrahimi * otherwise MBEDTLS_CT_FALSE. 181*62c56f98SSadaf Ebrahimi */ 182*62c56f98SSadaf Ebrahimi static inline mbedtls_ct_condition_t mbedtls_ct_uint_le(mbedtls_ct_uint_t x, 183*62c56f98SSadaf Ebrahimi mbedtls_ct_uint_t y); 184*62c56f98SSadaf Ebrahimi 185*62c56f98SSadaf Ebrahimi /** Boolean not-equals operation. 186*62c56f98SSadaf Ebrahimi * 187*62c56f98SSadaf Ebrahimi * Functionally equivalent to: 188*62c56f98SSadaf Ebrahimi * 189*62c56f98SSadaf Ebrahimi * \p x != \p y 190*62c56f98SSadaf Ebrahimi * 191*62c56f98SSadaf Ebrahimi * \param x The first value to analyze. 192*62c56f98SSadaf Ebrahimi * \param y The second value to analyze. 193*62c56f98SSadaf Ebrahimi * 194*62c56f98SSadaf Ebrahimi * \note This is more efficient than mbedtls_ct_uint_ne if both arguments are 195*62c56f98SSadaf Ebrahimi * mbedtls_ct_condition_t. 196*62c56f98SSadaf Ebrahimi * 197*62c56f98SSadaf Ebrahimi * \return MBEDTLS_CT_TRUE if \p x != \p y, 198*62c56f98SSadaf Ebrahimi * otherwise MBEDTLS_CT_FALSE. 199*62c56f98SSadaf Ebrahimi */ 200*62c56f98SSadaf Ebrahimi static inline mbedtls_ct_condition_t mbedtls_ct_bool_ne(mbedtls_ct_condition_t x, 201*62c56f98SSadaf Ebrahimi mbedtls_ct_condition_t y); 202*62c56f98SSadaf Ebrahimi 203*62c56f98SSadaf Ebrahimi /** Boolean "and" operation. 204*62c56f98SSadaf Ebrahimi * 205*62c56f98SSadaf Ebrahimi * Functionally equivalent to: 206*62c56f98SSadaf Ebrahimi * 207*62c56f98SSadaf Ebrahimi * \p x && \p y 208*62c56f98SSadaf Ebrahimi * 209*62c56f98SSadaf Ebrahimi * \param x The first value to analyze. 210*62c56f98SSadaf Ebrahimi * \param y The second value to analyze. 211*62c56f98SSadaf Ebrahimi * 212*62c56f98SSadaf Ebrahimi * \return MBEDTLS_CT_TRUE if \p x && \p y, 213*62c56f98SSadaf Ebrahimi * otherwise MBEDTLS_CT_FALSE. 214*62c56f98SSadaf Ebrahimi */ 215*62c56f98SSadaf Ebrahimi static inline mbedtls_ct_condition_t mbedtls_ct_bool_and(mbedtls_ct_condition_t x, 216*62c56f98SSadaf Ebrahimi mbedtls_ct_condition_t y); 217*62c56f98SSadaf Ebrahimi 218*62c56f98SSadaf Ebrahimi /** Boolean "or" operation. 219*62c56f98SSadaf Ebrahimi * 220*62c56f98SSadaf Ebrahimi * Functionally equivalent to: 221*62c56f98SSadaf Ebrahimi * 222*62c56f98SSadaf Ebrahimi * \p x || \p y 223*62c56f98SSadaf Ebrahimi * 224*62c56f98SSadaf Ebrahimi * \param x The first value to analyze. 225*62c56f98SSadaf Ebrahimi * \param y The second value to analyze. 226*62c56f98SSadaf Ebrahimi * 227*62c56f98SSadaf Ebrahimi * \return MBEDTLS_CT_TRUE if \p x || \p y, 228*62c56f98SSadaf Ebrahimi * otherwise MBEDTLS_CT_FALSE. 229*62c56f98SSadaf Ebrahimi */ 230*62c56f98SSadaf Ebrahimi static inline mbedtls_ct_condition_t mbedtls_ct_bool_or(mbedtls_ct_condition_t x, 231*62c56f98SSadaf Ebrahimi mbedtls_ct_condition_t y); 232*62c56f98SSadaf Ebrahimi 233*62c56f98SSadaf Ebrahimi /** Boolean "not" operation. 234*62c56f98SSadaf Ebrahimi * 235*62c56f98SSadaf Ebrahimi * Functionally equivalent to: 236*62c56f98SSadaf Ebrahimi * 237*62c56f98SSadaf Ebrahimi * ! \p x 238*62c56f98SSadaf Ebrahimi * 239*62c56f98SSadaf Ebrahimi * \param x The value to invert 240*62c56f98SSadaf Ebrahimi * 241*62c56f98SSadaf Ebrahimi * \return MBEDTLS_CT_FALSE if \p x, otherwise MBEDTLS_CT_TRUE. 242*62c56f98SSadaf Ebrahimi */ 243*62c56f98SSadaf Ebrahimi static inline mbedtls_ct_condition_t mbedtls_ct_bool_not(mbedtls_ct_condition_t x); 244*62c56f98SSadaf Ebrahimi 245*62c56f98SSadaf Ebrahimi 246*62c56f98SSadaf Ebrahimi /* ============================================================================ 247*62c56f98SSadaf Ebrahimi * Data selection operations 248*62c56f98SSadaf Ebrahimi */ 249*62c56f98SSadaf Ebrahimi 250*62c56f98SSadaf Ebrahimi /** Choose between two size_t values. 251*62c56f98SSadaf Ebrahimi * 252*62c56f98SSadaf Ebrahimi * Functionally equivalent to: 253*62c56f98SSadaf Ebrahimi * 254*62c56f98SSadaf Ebrahimi * condition ? if1 : if0. 255*62c56f98SSadaf Ebrahimi * 256*62c56f98SSadaf Ebrahimi * \param condition Condition to test. 257*62c56f98SSadaf Ebrahimi * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE. 258*62c56f98SSadaf Ebrahimi * \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE. 259*62c56f98SSadaf Ebrahimi * 260*62c56f98SSadaf Ebrahimi * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0. 261*62c56f98SSadaf Ebrahimi */ 262*62c56f98SSadaf Ebrahimi static inline size_t mbedtls_ct_size_if(mbedtls_ct_condition_t condition, 263*62c56f98SSadaf Ebrahimi size_t if1, 264*62c56f98SSadaf Ebrahimi size_t if0); 265*62c56f98SSadaf Ebrahimi 266*62c56f98SSadaf Ebrahimi /** Choose between two unsigned values. 267*62c56f98SSadaf Ebrahimi * 268*62c56f98SSadaf Ebrahimi * Functionally equivalent to: 269*62c56f98SSadaf Ebrahimi * 270*62c56f98SSadaf Ebrahimi * condition ? if1 : if0. 271*62c56f98SSadaf Ebrahimi * 272*62c56f98SSadaf Ebrahimi * \param condition Condition to test. 273*62c56f98SSadaf Ebrahimi * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE. 274*62c56f98SSadaf Ebrahimi * \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE. 275*62c56f98SSadaf Ebrahimi * 276*62c56f98SSadaf Ebrahimi * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0. 277*62c56f98SSadaf Ebrahimi */ 278*62c56f98SSadaf Ebrahimi static inline unsigned mbedtls_ct_uint_if(mbedtls_ct_condition_t condition, 279*62c56f98SSadaf Ebrahimi unsigned if1, 280*62c56f98SSadaf Ebrahimi unsigned if0); 281*62c56f98SSadaf Ebrahimi 282*62c56f98SSadaf Ebrahimi /** Choose between two mbedtls_ct_condition_t values. 283*62c56f98SSadaf Ebrahimi * 284*62c56f98SSadaf Ebrahimi * Functionally equivalent to: 285*62c56f98SSadaf Ebrahimi * 286*62c56f98SSadaf Ebrahimi * condition ? if1 : if0. 287*62c56f98SSadaf Ebrahimi * 288*62c56f98SSadaf Ebrahimi * \param condition Condition to test. 289*62c56f98SSadaf Ebrahimi * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE. 290*62c56f98SSadaf Ebrahimi * \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE. 291*62c56f98SSadaf Ebrahimi * 292*62c56f98SSadaf Ebrahimi * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0. 293*62c56f98SSadaf Ebrahimi */ 294*62c56f98SSadaf Ebrahimi static inline mbedtls_ct_condition_t mbedtls_ct_bool_if(mbedtls_ct_condition_t condition, 295*62c56f98SSadaf Ebrahimi mbedtls_ct_condition_t if1, 296*62c56f98SSadaf Ebrahimi mbedtls_ct_condition_t if0); 297*62c56f98SSadaf Ebrahimi 298*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_BIGNUM_C) 299*62c56f98SSadaf Ebrahimi 300*62c56f98SSadaf Ebrahimi /** Choose between two mbedtls_mpi_uint values. 301*62c56f98SSadaf Ebrahimi * 302*62c56f98SSadaf Ebrahimi * Functionally equivalent to: 303*62c56f98SSadaf Ebrahimi * 304*62c56f98SSadaf Ebrahimi * condition ? if1 : if0. 305*62c56f98SSadaf Ebrahimi * 306*62c56f98SSadaf Ebrahimi * \param condition Condition to test. 307*62c56f98SSadaf Ebrahimi * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE. 308*62c56f98SSadaf Ebrahimi * \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE. 309*62c56f98SSadaf Ebrahimi * 310*62c56f98SSadaf Ebrahimi * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0. 311*62c56f98SSadaf Ebrahimi */ 312*62c56f98SSadaf Ebrahimi static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if(mbedtls_ct_condition_t condition, \ 313*62c56f98SSadaf Ebrahimi mbedtls_mpi_uint if1, \ 314*62c56f98SSadaf Ebrahimi mbedtls_mpi_uint if0); 315*62c56f98SSadaf Ebrahimi 316*62c56f98SSadaf Ebrahimi #endif 317*62c56f98SSadaf Ebrahimi 318*62c56f98SSadaf Ebrahimi /** Choose between an unsigned value and 0. 319*62c56f98SSadaf Ebrahimi * 320*62c56f98SSadaf Ebrahimi * Functionally equivalent to: 321*62c56f98SSadaf Ebrahimi * 322*62c56f98SSadaf Ebrahimi * condition ? if1 : 0. 323*62c56f98SSadaf Ebrahimi * 324*62c56f98SSadaf Ebrahimi * Functionally equivalent to mbedtls_ct_uint_if(condition, if1, 0) but 325*62c56f98SSadaf Ebrahimi * results in smaller code size. 326*62c56f98SSadaf Ebrahimi * 327*62c56f98SSadaf Ebrahimi * \param condition Condition to test. 328*62c56f98SSadaf Ebrahimi * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE. 329*62c56f98SSadaf Ebrahimi * 330*62c56f98SSadaf Ebrahimi * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0. 331*62c56f98SSadaf Ebrahimi */ 332*62c56f98SSadaf Ebrahimi static inline unsigned mbedtls_ct_uint_if_else_0(mbedtls_ct_condition_t condition, unsigned if1); 333*62c56f98SSadaf Ebrahimi 334*62c56f98SSadaf Ebrahimi /** Choose between an mbedtls_ct_condition_t and 0. 335*62c56f98SSadaf Ebrahimi * 336*62c56f98SSadaf Ebrahimi * Functionally equivalent to: 337*62c56f98SSadaf Ebrahimi * 338*62c56f98SSadaf Ebrahimi * condition ? if1 : 0. 339*62c56f98SSadaf Ebrahimi * 340*62c56f98SSadaf Ebrahimi * Functionally equivalent to mbedtls_ct_bool_if(condition, if1, 0) but 341*62c56f98SSadaf Ebrahimi * results in smaller code size. 342*62c56f98SSadaf Ebrahimi * 343*62c56f98SSadaf Ebrahimi * \param condition Condition to test. 344*62c56f98SSadaf Ebrahimi * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE. 345*62c56f98SSadaf Ebrahimi * 346*62c56f98SSadaf Ebrahimi * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0. 347*62c56f98SSadaf Ebrahimi */ 348*62c56f98SSadaf Ebrahimi static inline mbedtls_ct_condition_t mbedtls_ct_bool_if_else_0(mbedtls_ct_condition_t condition, 349*62c56f98SSadaf Ebrahimi mbedtls_ct_condition_t if1); 350*62c56f98SSadaf Ebrahimi 351*62c56f98SSadaf Ebrahimi /** Choose between a size_t value and 0. 352*62c56f98SSadaf Ebrahimi * 353*62c56f98SSadaf Ebrahimi * Functionally equivalent to: 354*62c56f98SSadaf Ebrahimi * 355*62c56f98SSadaf Ebrahimi * condition ? if1 : 0. 356*62c56f98SSadaf Ebrahimi * 357*62c56f98SSadaf Ebrahimi * Functionally equivalent to mbedtls_ct_size_if(condition, if1, 0) but 358*62c56f98SSadaf Ebrahimi * results in smaller code size. 359*62c56f98SSadaf Ebrahimi * 360*62c56f98SSadaf Ebrahimi * \param condition Condition to test. 361*62c56f98SSadaf Ebrahimi * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE. 362*62c56f98SSadaf Ebrahimi * 363*62c56f98SSadaf Ebrahimi * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0. 364*62c56f98SSadaf Ebrahimi */ 365*62c56f98SSadaf Ebrahimi static inline size_t mbedtls_ct_size_if_else_0(mbedtls_ct_condition_t condition, size_t if1); 366*62c56f98SSadaf Ebrahimi 367*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_BIGNUM_C) 368*62c56f98SSadaf Ebrahimi 369*62c56f98SSadaf Ebrahimi /** Choose between an mbedtls_mpi_uint value and 0. 370*62c56f98SSadaf Ebrahimi * 371*62c56f98SSadaf Ebrahimi * Functionally equivalent to: 372*62c56f98SSadaf Ebrahimi * 373*62c56f98SSadaf Ebrahimi * condition ? if1 : 0. 374*62c56f98SSadaf Ebrahimi * 375*62c56f98SSadaf Ebrahimi * Functionally equivalent to mbedtls_ct_mpi_uint_if(condition, if1, 0) but 376*62c56f98SSadaf Ebrahimi * results in smaller code size. 377*62c56f98SSadaf Ebrahimi * 378*62c56f98SSadaf Ebrahimi * \param condition Condition to test. 379*62c56f98SSadaf Ebrahimi * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE. 380*62c56f98SSadaf Ebrahimi * 381*62c56f98SSadaf Ebrahimi * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0. 382*62c56f98SSadaf Ebrahimi */ 383*62c56f98SSadaf Ebrahimi static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if_else_0(mbedtls_ct_condition_t condition, 384*62c56f98SSadaf Ebrahimi mbedtls_mpi_uint if1); 385*62c56f98SSadaf Ebrahimi 386*62c56f98SSadaf Ebrahimi #endif 387*62c56f98SSadaf Ebrahimi 388*62c56f98SSadaf Ebrahimi /** Constant-flow char selection 389*62c56f98SSadaf Ebrahimi * 390*62c56f98SSadaf Ebrahimi * \param low Secret. Bottom of range 391*62c56f98SSadaf Ebrahimi * \param high Secret. Top of range 392*62c56f98SSadaf Ebrahimi * \param c Secret. Value to compare to range 393*62c56f98SSadaf Ebrahimi * \param t Secret. Value to return, if in range 394*62c56f98SSadaf Ebrahimi * 395*62c56f98SSadaf Ebrahimi * \return \p t if \p low <= \p c <= \p high, 0 otherwise. 396*62c56f98SSadaf Ebrahimi */ 397*62c56f98SSadaf Ebrahimi static inline unsigned char mbedtls_ct_uchar_in_range_if(unsigned char low, 398*62c56f98SSadaf Ebrahimi unsigned char high, 399*62c56f98SSadaf Ebrahimi unsigned char c, 400*62c56f98SSadaf Ebrahimi unsigned char t); 401*62c56f98SSadaf Ebrahimi 402*62c56f98SSadaf Ebrahimi /** Choose between two error values. The values must be in the range [-32767..0]. 403*62c56f98SSadaf Ebrahimi * 404*62c56f98SSadaf Ebrahimi * Functionally equivalent to: 405*62c56f98SSadaf Ebrahimi * 406*62c56f98SSadaf Ebrahimi * condition ? if1 : if0. 407*62c56f98SSadaf Ebrahimi * 408*62c56f98SSadaf Ebrahimi * \param condition Condition to test. 409*62c56f98SSadaf Ebrahimi * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE. 410*62c56f98SSadaf Ebrahimi * \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE. 411*62c56f98SSadaf Ebrahimi * 412*62c56f98SSadaf Ebrahimi * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0. 413*62c56f98SSadaf Ebrahimi */ 414*62c56f98SSadaf Ebrahimi static inline int mbedtls_ct_error_if(mbedtls_ct_condition_t condition, int if1, int if0); 415*62c56f98SSadaf Ebrahimi 416*62c56f98SSadaf Ebrahimi /** Choose between an error value and 0. The error value must be in the range [-32767..0]. 417*62c56f98SSadaf Ebrahimi * 418*62c56f98SSadaf Ebrahimi * Functionally equivalent to: 419*62c56f98SSadaf Ebrahimi * 420*62c56f98SSadaf Ebrahimi * condition ? if1 : 0. 421*62c56f98SSadaf Ebrahimi * 422*62c56f98SSadaf Ebrahimi * Functionally equivalent to mbedtls_ct_error_if(condition, if1, 0) but 423*62c56f98SSadaf Ebrahimi * results in smaller code size. 424*62c56f98SSadaf Ebrahimi * 425*62c56f98SSadaf Ebrahimi * \param condition Condition to test. 426*62c56f98SSadaf Ebrahimi * \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE. 427*62c56f98SSadaf Ebrahimi * 428*62c56f98SSadaf Ebrahimi * \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0. 429*62c56f98SSadaf Ebrahimi */ 430*62c56f98SSadaf Ebrahimi static inline int mbedtls_ct_error_if_else_0(mbedtls_ct_condition_t condition, int if1); 431*62c56f98SSadaf Ebrahimi 432*62c56f98SSadaf Ebrahimi /* ============================================================================ 433*62c56f98SSadaf Ebrahimi * Block memory operations 434*62c56f98SSadaf Ebrahimi */ 435*62c56f98SSadaf Ebrahimi 436*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) 437*62c56f98SSadaf Ebrahimi 438*62c56f98SSadaf Ebrahimi /** Conditionally set a block of memory to zero. 439*62c56f98SSadaf Ebrahimi * 440*62c56f98SSadaf Ebrahimi * Regardless of the condition, every byte will be read once and written to 441*62c56f98SSadaf Ebrahimi * once. 442*62c56f98SSadaf Ebrahimi * 443*62c56f98SSadaf Ebrahimi * \param condition Secret. Condition to test. 444*62c56f98SSadaf Ebrahimi * \param buf Secret. Pointer to the start of the buffer. 445*62c56f98SSadaf Ebrahimi * \param len Number of bytes to set to zero. 446*62c56f98SSadaf Ebrahimi * 447*62c56f98SSadaf Ebrahimi * \warning Unlike mbedtls_platform_zeroize, this does not have the same guarantees 448*62c56f98SSadaf Ebrahimi * about not being optimised away if the memory is never read again. 449*62c56f98SSadaf Ebrahimi */ 450*62c56f98SSadaf Ebrahimi void mbedtls_ct_zeroize_if(mbedtls_ct_condition_t condition, void *buf, size_t len); 451*62c56f98SSadaf Ebrahimi 452*62c56f98SSadaf Ebrahimi /** Shift some data towards the left inside a buffer. 453*62c56f98SSadaf Ebrahimi * 454*62c56f98SSadaf Ebrahimi * Functionally equivalent to: 455*62c56f98SSadaf Ebrahimi * 456*62c56f98SSadaf Ebrahimi * memmove(start, start + offset, total - offset); 457*62c56f98SSadaf Ebrahimi * memset(start + (total - offset), 0, offset); 458*62c56f98SSadaf Ebrahimi * 459*62c56f98SSadaf Ebrahimi * Timing independence comes at the expense of performance. 460*62c56f98SSadaf Ebrahimi * 461*62c56f98SSadaf Ebrahimi * \param start Secret. Pointer to the start of the buffer. 462*62c56f98SSadaf Ebrahimi * \param total Total size of the buffer. 463*62c56f98SSadaf Ebrahimi * \param offset Secret. Offset from which to copy \p total - \p offset bytes. 464*62c56f98SSadaf Ebrahimi */ 465*62c56f98SSadaf Ebrahimi void mbedtls_ct_memmove_left(void *start, 466*62c56f98SSadaf Ebrahimi size_t total, 467*62c56f98SSadaf Ebrahimi size_t offset); 468*62c56f98SSadaf Ebrahimi 469*62c56f98SSadaf Ebrahimi #endif /* defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) */ 470*62c56f98SSadaf Ebrahimi 471*62c56f98SSadaf Ebrahimi /** Conditional memcpy. 472*62c56f98SSadaf Ebrahimi * 473*62c56f98SSadaf Ebrahimi * Functionally equivalent to: 474*62c56f98SSadaf Ebrahimi * 475*62c56f98SSadaf Ebrahimi * if (condition) { 476*62c56f98SSadaf Ebrahimi * memcpy(dest, src1, len); 477*62c56f98SSadaf Ebrahimi * } else { 478*62c56f98SSadaf Ebrahimi * if (src2 != NULL) 479*62c56f98SSadaf Ebrahimi * memcpy(dest, src2, len); 480*62c56f98SSadaf Ebrahimi * } 481*62c56f98SSadaf Ebrahimi * 482*62c56f98SSadaf Ebrahimi * It will always read len bytes from src1. 483*62c56f98SSadaf Ebrahimi * If src2 != NULL, it will always read len bytes from src2. 484*62c56f98SSadaf Ebrahimi * If src2 == NULL, it will instead read len bytes from dest (as if src2 == dest). 485*62c56f98SSadaf Ebrahimi * 486*62c56f98SSadaf Ebrahimi * \param condition The condition 487*62c56f98SSadaf Ebrahimi * \param dest Secret. Destination pointer. 488*62c56f98SSadaf Ebrahimi * \param src1 Secret. Pointer to copy from (if \p condition == MBEDTLS_CT_TRUE). 489*62c56f98SSadaf Ebrahimi * This may be equal to \p dest, but may not overlap in other ways. 490*62c56f98SSadaf Ebrahimi * \param src2 Secret (contents only - may branch to determine if this parameter is NULL). 491*62c56f98SSadaf Ebrahimi * Pointer to copy from (if \p condition == MBEDTLS_CT_FALSE and \p src2 is not NULL). May be NULL. 492*62c56f98SSadaf Ebrahimi * This may be equal to \p dest, but may not overlap it in other ways. It may overlap with \p src1. 493*62c56f98SSadaf Ebrahimi * \param len Number of bytes to copy. 494*62c56f98SSadaf Ebrahimi */ 495*62c56f98SSadaf Ebrahimi void mbedtls_ct_memcpy_if(mbedtls_ct_condition_t condition, 496*62c56f98SSadaf Ebrahimi unsigned char *dest, 497*62c56f98SSadaf Ebrahimi const unsigned char *src1, 498*62c56f98SSadaf Ebrahimi const unsigned char *src2, 499*62c56f98SSadaf Ebrahimi size_t len 500*62c56f98SSadaf Ebrahimi ); 501*62c56f98SSadaf Ebrahimi 502*62c56f98SSadaf Ebrahimi /** Copy data from a secret position. 503*62c56f98SSadaf Ebrahimi * 504*62c56f98SSadaf Ebrahimi * Functionally equivalent to: 505*62c56f98SSadaf Ebrahimi * 506*62c56f98SSadaf Ebrahimi * memcpy(dst, src + offset, len) 507*62c56f98SSadaf Ebrahimi * 508*62c56f98SSadaf Ebrahimi * This function copies \p len bytes from \p src + \p offset to 509*62c56f98SSadaf Ebrahimi * \p dst, with a code flow and memory access pattern that does not depend on 510*62c56f98SSadaf Ebrahimi * \p offset, but only on \p offset_min, \p offset_max and \p len. 511*62c56f98SSadaf Ebrahimi * 512*62c56f98SSadaf Ebrahimi * \note This function reads from \p dest, but the value that 513*62c56f98SSadaf Ebrahimi * is read does not influence the result and this 514*62c56f98SSadaf Ebrahimi * function's behavior is well-defined regardless of the 515*62c56f98SSadaf Ebrahimi * contents of the buffers. This may result in false 516*62c56f98SSadaf Ebrahimi * positives from static or dynamic analyzers, especially 517*62c56f98SSadaf Ebrahimi * if \p dest is not initialized. 518*62c56f98SSadaf Ebrahimi * 519*62c56f98SSadaf Ebrahimi * \param dest Secret. The destination buffer. This must point to a writable 520*62c56f98SSadaf Ebrahimi * buffer of at least \p len bytes. 521*62c56f98SSadaf Ebrahimi * \param src Secret. The base of the source buffer. This must point to a 522*62c56f98SSadaf Ebrahimi * readable buffer of at least \p offset_max + \p len 523*62c56f98SSadaf Ebrahimi * bytes. Shouldn't overlap with \p dest 524*62c56f98SSadaf Ebrahimi * \param offset Secret. The offset in the source buffer from which to copy. 525*62c56f98SSadaf Ebrahimi * This must be no less than \p offset_min and no greater 526*62c56f98SSadaf Ebrahimi * than \p offset_max. 527*62c56f98SSadaf Ebrahimi * \param offset_min The minimal value of \p offset. 528*62c56f98SSadaf Ebrahimi * \param offset_max The maximal value of \p offset. 529*62c56f98SSadaf Ebrahimi * \param len The number of bytes to copy. 530*62c56f98SSadaf Ebrahimi */ 531*62c56f98SSadaf Ebrahimi void mbedtls_ct_memcpy_offset(unsigned char *dest, 532*62c56f98SSadaf Ebrahimi const unsigned char *src, 533*62c56f98SSadaf Ebrahimi size_t offset, 534*62c56f98SSadaf Ebrahimi size_t offset_min, 535*62c56f98SSadaf Ebrahimi size_t offset_max, 536*62c56f98SSadaf Ebrahimi size_t len); 537*62c56f98SSadaf Ebrahimi 538*62c56f98SSadaf Ebrahimi /* Documented in include/mbedtls/constant_time.h. a and b are secret. 539*62c56f98SSadaf Ebrahimi 540*62c56f98SSadaf Ebrahimi int mbedtls_ct_memcmp(const void *a, 541*62c56f98SSadaf Ebrahimi const void *b, 542*62c56f98SSadaf Ebrahimi size_t n); 543*62c56f98SSadaf Ebrahimi */ 544*62c56f98SSadaf Ebrahimi 545*62c56f98SSadaf Ebrahimi #if defined(MBEDTLS_NIST_KW_C) 546*62c56f98SSadaf Ebrahimi 547*62c56f98SSadaf Ebrahimi /** Constant-time buffer comparison without branches. 548*62c56f98SSadaf Ebrahimi * 549*62c56f98SSadaf Ebrahimi * Similar to mbedtls_ct_memcmp, except that the result only depends on part of 550*62c56f98SSadaf Ebrahimi * the input data - differences in the head or tail are ignored. Functionally equivalent to: 551*62c56f98SSadaf Ebrahimi * 552*62c56f98SSadaf Ebrahimi * memcmp(a + skip_head, b + skip_head, size - skip_head - skip_tail) 553*62c56f98SSadaf Ebrahimi * 554*62c56f98SSadaf Ebrahimi * Time taken depends on \p n, but not on \p skip_head or \p skip_tail . 555*62c56f98SSadaf Ebrahimi * 556*62c56f98SSadaf Ebrahimi * Behaviour is undefined if ( \p skip_head + \p skip_tail) > \p n. 557*62c56f98SSadaf Ebrahimi * 558*62c56f98SSadaf Ebrahimi * \param a Secret. Pointer to the first buffer, containing at least \p n bytes. May not be NULL. 559*62c56f98SSadaf Ebrahimi * \param b Secret. Pointer to the second buffer, containing at least \p n bytes. May not be NULL. 560*62c56f98SSadaf Ebrahimi * \param n The number of bytes to examine (total size of the buffers). 561*62c56f98SSadaf Ebrahimi * \param skip_head Secret. The number of bytes to treat as non-significant at the start of the buffer. 562*62c56f98SSadaf Ebrahimi * These bytes will still be read. 563*62c56f98SSadaf Ebrahimi * \param skip_tail Secret. The number of bytes to treat as non-significant at the end of the buffer. 564*62c56f98SSadaf Ebrahimi * These bytes will still be read. 565*62c56f98SSadaf Ebrahimi * 566*62c56f98SSadaf Ebrahimi * \return Zero if the contents of the two buffers are the same, otherwise non-zero. 567*62c56f98SSadaf Ebrahimi */ 568*62c56f98SSadaf Ebrahimi int mbedtls_ct_memcmp_partial(const void *a, 569*62c56f98SSadaf Ebrahimi const void *b, 570*62c56f98SSadaf Ebrahimi size_t n, 571*62c56f98SSadaf Ebrahimi size_t skip_head, 572*62c56f98SSadaf Ebrahimi size_t skip_tail); 573*62c56f98SSadaf Ebrahimi 574*62c56f98SSadaf Ebrahimi #endif 575*62c56f98SSadaf Ebrahimi 576*62c56f98SSadaf Ebrahimi /* Include the implementation of static inline functions above. */ 577*62c56f98SSadaf Ebrahimi #include "constant_time_impl.h" 578*62c56f98SSadaf Ebrahimi 579*62c56f98SSadaf Ebrahimi #endif /* MBEDTLS_CONSTANT_TIME_INTERNAL_H */ 580