1 /**
2 * Constant-time functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20 /*
21 * The following functions are implemented without using comparison operators, as those
22 * might be translated to branches by some compilers on some platforms.
23 */
24
25 #include "common.h"
26 #include "constant_time_internal.h"
27 #include "mbedtls/constant_time.h"
28 #include "mbedtls/error.h"
29 #include "mbedtls/platform_util.h"
30
31 #if defined(MBEDTLS_BIGNUM_C)
32 #include "mbedtls/bignum.h"
33 #include "bignum_core.h"
34 #endif
35
36 #if defined(MBEDTLS_SSL_TLS_C)
37 #include "ssl_misc.h"
38 #endif
39
40 #if defined(MBEDTLS_RSA_C)
41 #include "mbedtls/rsa.h"
42 #endif
43
44 #if defined(MBEDTLS_BASE64_C)
45 #include "constant_time_invasive.h"
46 #endif
47
48 #include <string.h>
49
mbedtls_ct_memcmp(const void * a,const void * b,size_t n)50 int mbedtls_ct_memcmp( const void *a,
51 const void *b,
52 size_t n )
53 {
54 size_t i;
55 volatile const unsigned char *A = (volatile const unsigned char *) a;
56 volatile const unsigned char *B = (volatile const unsigned char *) b;
57 volatile unsigned char diff = 0;
58
59 for( i = 0; i < n; i++ )
60 {
61 /* Read volatile data in order before computing diff.
62 * This avoids IAR compiler warning:
63 * 'the order of volatile accesses is undefined ..' */
64 unsigned char x = A[i], y = B[i];
65 diff |= x ^ y;
66 }
67
68 return( (int)diff );
69 }
70
mbedtls_ct_uint_mask(unsigned value)71 unsigned mbedtls_ct_uint_mask( unsigned value )
72 {
73 /* MSVC has a warning about unary minus on unsigned, but this is
74 * well-defined and precisely what we want to do here */
75 #if defined(_MSC_VER)
76 #pragma warning( push )
77 #pragma warning( disable : 4146 )
78 #endif
79 return( - ( ( value | - value ) >> ( sizeof( value ) * 8 - 1 ) ) );
80 #if defined(_MSC_VER)
81 #pragma warning( pop )
82 #endif
83 }
84
85 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
86
mbedtls_ct_size_mask(size_t value)87 size_t mbedtls_ct_size_mask( size_t value )
88 {
89 /* MSVC has a warning about unary minus on unsigned integer types,
90 * but this is well-defined and precisely what we want to do here. */
91 #if defined(_MSC_VER)
92 #pragma warning( push )
93 #pragma warning( disable : 4146 )
94 #endif
95 return( - ( ( value | - value ) >> ( sizeof( value ) * 8 - 1 ) ) );
96 #if defined(_MSC_VER)
97 #pragma warning( pop )
98 #endif
99 }
100
101 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
102
103 #if defined(MBEDTLS_BIGNUM_C)
104
mbedtls_ct_mpi_uint_mask(mbedtls_mpi_uint value)105 mbedtls_mpi_uint mbedtls_ct_mpi_uint_mask( mbedtls_mpi_uint value )
106 {
107 /* MSVC has a warning about unary minus on unsigned, but this is
108 * well-defined and precisely what we want to do here */
109 #if defined(_MSC_VER)
110 #pragma warning( push )
111 #pragma warning( disable : 4146 )
112 #endif
113 return( - ( ( value | - value ) >> ( sizeof( value ) * 8 - 1 ) ) );
114 #if defined(_MSC_VER)
115 #pragma warning( pop )
116 #endif
117 }
118
119 #endif /* MBEDTLS_BIGNUM_C */
120
121 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
122
123 /** Constant-flow mask generation for "less than" comparison:
124 * - if \p x < \p y, return all-bits 1, that is (size_t) -1
125 * - otherwise, return all bits 0, that is 0
126 *
127 * This function can be used to write constant-time code by replacing branches
128 * with bit operations using masks.
129 *
130 * \param x The first value to analyze.
131 * \param y The second value to analyze.
132 *
133 * \return All-bits-one if \p x is less than \p y, otherwise zero.
134 */
mbedtls_ct_size_mask_lt(size_t x,size_t y)135 static size_t mbedtls_ct_size_mask_lt( size_t x,
136 size_t y )
137 {
138 /* This has the most significant bit set if and only if x < y */
139 const size_t sub = x - y;
140
141 /* sub1 = (x < y) ? 1 : 0 */
142 const size_t sub1 = sub >> ( sizeof( sub ) * 8 - 1 );
143
144 /* mask = (x < y) ? 0xff... : 0x00... */
145 const size_t mask = mbedtls_ct_size_mask( sub1 );
146
147 return( mask );
148 }
149
mbedtls_ct_size_mask_ge(size_t x,size_t y)150 size_t mbedtls_ct_size_mask_ge( size_t x,
151 size_t y )
152 {
153 return( ~mbedtls_ct_size_mask_lt( x, y ) );
154 }
155
156 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
157
158 #if defined(MBEDTLS_BASE64_C)
159
160 /* Return 0xff if low <= c <= high, 0 otherwise.
161 *
162 * Constant flow with respect to c.
163 */
164 MBEDTLS_STATIC_TESTABLE
mbedtls_ct_uchar_mask_of_range(unsigned char low,unsigned char high,unsigned char c)165 unsigned char mbedtls_ct_uchar_mask_of_range( unsigned char low,
166 unsigned char high,
167 unsigned char c )
168 {
169 /* low_mask is: 0 if low <= c, 0x...ff if low > c */
170 unsigned low_mask = ( (unsigned) c - low ) >> 8;
171 /* high_mask is: 0 if c <= high, 0x...ff if c > high */
172 unsigned high_mask = ( (unsigned) high - c ) >> 8;
173 return( ~( low_mask | high_mask ) & 0xff );
174 }
175
176 #endif /* MBEDTLS_BASE64_C */
177
mbedtls_ct_size_bool_eq(size_t x,size_t y)178 unsigned mbedtls_ct_size_bool_eq( size_t x,
179 size_t y )
180 {
181 /* diff = 0 if x == y, non-zero otherwise */
182 const size_t diff = x ^ y;
183
184 /* MSVC has a warning about unary minus on unsigned integer types,
185 * but this is well-defined and precisely what we want to do here. */
186 #if defined(_MSC_VER)
187 #pragma warning( push )
188 #pragma warning( disable : 4146 )
189 #endif
190
191 /* diff_msb's most significant bit is equal to x != y */
192 const size_t diff_msb = ( diff | (size_t) -diff );
193
194 #if defined(_MSC_VER)
195 #pragma warning( pop )
196 #endif
197
198 /* diff1 = (x != y) ? 1 : 0 */
199 const unsigned diff1 = diff_msb >> ( sizeof( diff_msb ) * 8 - 1 );
200
201 return( 1 ^ diff1 );
202 }
203
204 #if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
205
206 /** Constant-flow "greater than" comparison:
207 * return x > y
208 *
209 * This is equivalent to \p x > \p y, but is likely to be compiled
210 * to code using bitwise operation rather than a branch.
211 *
212 * \param x The first value to analyze.
213 * \param y The second value to analyze.
214 *
215 * \return 1 if \p x greater than \p y, otherwise 0.
216 */
mbedtls_ct_size_gt(size_t x,size_t y)217 static unsigned mbedtls_ct_size_gt( size_t x,
218 size_t y )
219 {
220 /* Return the sign bit (1 for negative) of (y - x). */
221 return( ( y - x ) >> ( sizeof( size_t ) * 8 - 1 ) );
222 }
223
224 #endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */
225
226 #if defined(MBEDTLS_BIGNUM_C)
227
mbedtls_ct_mpi_uint_lt(const mbedtls_mpi_uint x,const mbedtls_mpi_uint y)228 unsigned mbedtls_ct_mpi_uint_lt( const mbedtls_mpi_uint x,
229 const mbedtls_mpi_uint y )
230 {
231 mbedtls_mpi_uint ret;
232 mbedtls_mpi_uint cond;
233
234 /*
235 * Check if the most significant bits (MSB) of the operands are different.
236 */
237 cond = ( x ^ y );
238 /*
239 * If the MSB are the same then the difference x-y will be negative (and
240 * have its MSB set to 1 during conversion to unsigned) if and only if x<y.
241 */
242 ret = ( x - y ) & ~cond;
243 /*
244 * If the MSB are different, then the operand with the MSB of 1 is the
245 * bigger. (That is if y has MSB of 1, then x<y is true and it is false if
246 * the MSB of y is 0.)
247 */
248 ret |= y & cond;
249
250
251 ret = ret >> ( sizeof( mbedtls_mpi_uint ) * 8 - 1 );
252
253 return (unsigned) ret;
254 }
255
256 #endif /* MBEDTLS_BIGNUM_C */
257
mbedtls_ct_uint_if(unsigned condition,unsigned if1,unsigned if0)258 unsigned mbedtls_ct_uint_if( unsigned condition,
259 unsigned if1,
260 unsigned if0 )
261 {
262 unsigned mask = mbedtls_ct_uint_mask( condition );
263 return( ( mask & if1 ) | (~mask & if0 ) );
264 }
265
266 #if defined(MBEDTLS_BIGNUM_C)
267
268 /** Select between two sign values without branches.
269 *
270 * This is functionally equivalent to `condition ? if1 : if0` but uses only bit
271 * operations in order to avoid branches.
272 *
273 * \note if1 and if0 must be either 1 or -1, otherwise the result
274 * is undefined.
275 *
276 * \param condition Condition to test; must be either 0 or 1.
277 * \param if1 The first sign; must be either +1 or -1.
278 * \param if0 The second sign; must be either +1 or -1.
279 *
280 * \return \c if1 if \p condition is nonzero, otherwise \c if0.
281 * */
mbedtls_ct_cond_select_sign(unsigned char condition,int if1,int if0)282 static int mbedtls_ct_cond_select_sign( unsigned char condition,
283 int if1,
284 int if0 )
285 {
286 /* In order to avoid questions about what we can reasonably assume about
287 * the representations of signed integers, move everything to unsigned
288 * by taking advantage of the fact that if1 and if0 are either +1 or -1. */
289 unsigned uif1 = if1 + 1;
290 unsigned uif0 = if0 + 1;
291
292 /* condition was 0 or 1, mask is 0 or 2 as are uif1 and uif0 */
293 const unsigned mask = condition << 1;
294
295 /* select uif1 or uif0 */
296 unsigned ur = ( uif0 & ~mask ) | ( uif1 & mask );
297
298 /* ur is now 0 or 2, convert back to -1 or +1 */
299 return( (int) ur - 1 );
300 }
301
mbedtls_ct_mpi_uint_cond_assign(size_t n,mbedtls_mpi_uint * dest,const mbedtls_mpi_uint * src,unsigned char condition)302 void mbedtls_ct_mpi_uint_cond_assign( size_t n,
303 mbedtls_mpi_uint *dest,
304 const mbedtls_mpi_uint *src,
305 unsigned char condition )
306 {
307 size_t i;
308
309 /* MSVC has a warning about unary minus on unsigned integer types,
310 * but this is well-defined and precisely what we want to do here. */
311 #if defined(_MSC_VER)
312 #pragma warning( push )
313 #pragma warning( disable : 4146 )
314 #endif
315
316 /* all-bits 1 if condition is 1, all-bits 0 if condition is 0 */
317 const mbedtls_mpi_uint mask = -condition;
318
319 #if defined(_MSC_VER)
320 #pragma warning( pop )
321 #endif
322
323 for( i = 0; i < n; i++ )
324 dest[i] = ( src[i] & mask ) | ( dest[i] & ~mask );
325 }
326
327 #endif /* MBEDTLS_BIGNUM_C */
328
329 #if defined(MBEDTLS_BASE64_C)
330
mbedtls_ct_base64_enc_char(unsigned char value)331 unsigned char mbedtls_ct_base64_enc_char( unsigned char value )
332 {
333 unsigned char digit = 0;
334 /* For each range of values, if value is in that range, mask digit with
335 * the corresponding value. Since value can only be in a single range,
336 * only at most one masking will change digit. */
337 digit |= mbedtls_ct_uchar_mask_of_range( 0, 25, value ) & ( 'A' + value );
338 digit |= mbedtls_ct_uchar_mask_of_range( 26, 51, value ) & ( 'a' + value - 26 );
339 digit |= mbedtls_ct_uchar_mask_of_range( 52, 61, value ) & ( '0' + value - 52 );
340 digit |= mbedtls_ct_uchar_mask_of_range( 62, 62, value ) & '+';
341 digit |= mbedtls_ct_uchar_mask_of_range( 63, 63, value ) & '/';
342 return( digit );
343 }
344
mbedtls_ct_base64_dec_value(unsigned char c)345 signed char mbedtls_ct_base64_dec_value( unsigned char c )
346 {
347 unsigned char val = 0;
348 /* For each range of digits, if c is in that range, mask val with
349 * the corresponding value. Since c can only be in a single range,
350 * only at most one masking will change val. Set val to one plus
351 * the desired value so that it stays 0 if c is in none of the ranges. */
352 val |= mbedtls_ct_uchar_mask_of_range( 'A', 'Z', c ) & ( c - 'A' + 0 + 1 );
353 val |= mbedtls_ct_uchar_mask_of_range( 'a', 'z', c ) & ( c - 'a' + 26 + 1 );
354 val |= mbedtls_ct_uchar_mask_of_range( '0', '9', c ) & ( c - '0' + 52 + 1 );
355 val |= mbedtls_ct_uchar_mask_of_range( '+', '+', c ) & ( c - '+' + 62 + 1 );
356 val |= mbedtls_ct_uchar_mask_of_range( '/', '/', c ) & ( c - '/' + 63 + 1 );
357 /* At this point, val is 0 if c is an invalid digit and v+1 if c is
358 * a digit with the value v. */
359 return( val - 1 );
360 }
361
362 #endif /* MBEDTLS_BASE64_C */
363
364 #if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
365
366 /** Shift some data towards the left inside a buffer.
367 *
368 * `mbedtls_ct_mem_move_to_left(start, total, offset)` is functionally
369 * equivalent to
370 * ```
371 * memmove(start, start + offset, total - offset);
372 * memset(start + offset, 0, total - offset);
373 * ```
374 * but it strives to use a memory access pattern (and thus total timing)
375 * that does not depend on \p offset. This timing independence comes at
376 * the expense of performance.
377 *
378 * \param start Pointer to the start of the buffer.
379 * \param total Total size of the buffer.
380 * \param offset Offset from which to copy \p total - \p offset bytes.
381 */
mbedtls_ct_mem_move_to_left(void * start,size_t total,size_t offset)382 static void mbedtls_ct_mem_move_to_left( void *start,
383 size_t total,
384 size_t offset )
385 {
386 volatile unsigned char *buf = start;
387 size_t i, n;
388 if( total == 0 )
389 return;
390 for( i = 0; i < total; i++ )
391 {
392 unsigned no_op = mbedtls_ct_size_gt( total - offset, i );
393 /* The first `total - offset` passes are a no-op. The last
394 * `offset` passes shift the data one byte to the left and
395 * zero out the last byte. */
396 for( n = 0; n < total - 1; n++ )
397 {
398 unsigned char current = buf[n];
399 unsigned char next = buf[n+1];
400 buf[n] = mbedtls_ct_uint_if( no_op, current, next );
401 }
402 buf[total-1] = mbedtls_ct_uint_if( no_op, buf[total-1], 0 );
403 }
404 }
405
406 #endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */
407
408 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
409
mbedtls_ct_memcpy_if_eq(unsigned char * dest,const unsigned char * src,size_t len,size_t c1,size_t c2)410 void mbedtls_ct_memcpy_if_eq( unsigned char *dest,
411 const unsigned char *src,
412 size_t len,
413 size_t c1,
414 size_t c2 )
415 {
416 /* mask = c1 == c2 ? 0xff : 0x00 */
417 const size_t equal = mbedtls_ct_size_bool_eq( c1, c2 );
418 const unsigned char mask = (unsigned char) mbedtls_ct_size_mask( equal );
419
420 /* dest[i] = c1 == c2 ? src[i] : dest[i] */
421 for( size_t i = 0; i < len; i++ )
422 dest[i] = ( src[i] & mask ) | ( dest[i] & ~mask );
423 }
424
mbedtls_ct_memcpy_offset(unsigned char * dest,const unsigned char * src,size_t offset,size_t offset_min,size_t offset_max,size_t len)425 void mbedtls_ct_memcpy_offset( unsigned char *dest,
426 const unsigned char *src,
427 size_t offset,
428 size_t offset_min,
429 size_t offset_max,
430 size_t len )
431 {
432 size_t offsetval;
433
434 for( offsetval = offset_min; offsetval <= offset_max; offsetval++ )
435 {
436 mbedtls_ct_memcpy_if_eq( dest, src + offsetval, len,
437 offsetval, offset );
438 }
439 }
440
441 #if defined(MBEDTLS_USE_PSA_CRYPTO)
442
443 #if defined(PSA_WANT_ALG_SHA_384)
444 #define MAX_HASH_BLOCK_LENGTH PSA_HASH_BLOCK_LENGTH( PSA_ALG_SHA_384 )
445 #elif defined(PSA_WANT_ALG_SHA_256)
446 #define MAX_HASH_BLOCK_LENGTH PSA_HASH_BLOCK_LENGTH( PSA_ALG_SHA_256 )
447 #else /* See check_config.h */
448 #define MAX_HASH_BLOCK_LENGTH PSA_HASH_BLOCK_LENGTH( PSA_ALG_SHA_1 )
449 #endif
450
mbedtls_ct_hmac(mbedtls_svc_key_id_t key,psa_algorithm_t mac_alg,const unsigned char * add_data,size_t add_data_len,const unsigned char * data,size_t data_len_secret,size_t min_data_len,size_t max_data_len,unsigned char * output)451 int mbedtls_ct_hmac( mbedtls_svc_key_id_t key,
452 psa_algorithm_t mac_alg,
453 const unsigned char *add_data,
454 size_t add_data_len,
455 const unsigned char *data,
456 size_t data_len_secret,
457 size_t min_data_len,
458 size_t max_data_len,
459 unsigned char *output )
460 {
461 /*
462 * This function breaks the HMAC abstraction and uses psa_hash_clone()
463 * extension in order to get constant-flow behaviour.
464 *
465 * HMAC(msg) is defined as HASH(okey + HASH(ikey + msg)) where + means
466 * concatenation, and okey/ikey are the XOR of the key with some fixed bit
467 * patterns (see RFC 2104, sec. 2).
468 *
469 * We'll first compute ikey/okey, then inner_hash = HASH(ikey + msg) by
470 * hashing up to minlen, then cloning the context, and for each byte up
471 * to maxlen finishing up the hash computation, keeping only the
472 * correct result.
473 *
474 * Then we only need to compute HASH(okey + inner_hash) and we're done.
475 */
476 psa_algorithm_t hash_alg = PSA_ALG_HMAC_GET_HASH( mac_alg );
477 const size_t block_size = PSA_HASH_BLOCK_LENGTH( hash_alg );
478 unsigned char key_buf[MAX_HASH_BLOCK_LENGTH];
479 const size_t hash_size = PSA_HASH_LENGTH( hash_alg );
480 psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
481 size_t hash_length;
482
483 unsigned char aux_out[PSA_HASH_MAX_SIZE];
484 psa_hash_operation_t aux_operation = PSA_HASH_OPERATION_INIT;
485 size_t offset;
486 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
487
488 size_t mac_key_length;
489 size_t i;
490
491 #define PSA_CHK( func_call ) \
492 do { \
493 status = (func_call); \
494 if( status != PSA_SUCCESS ) \
495 goto cleanup; \
496 } while( 0 )
497
498 /* Export MAC key
499 * We assume key length is always exactly the output size
500 * which is never more than the block size, thus we use block_size
501 * as the key buffer size.
502 */
503 PSA_CHK( psa_export_key( key, key_buf, block_size, &mac_key_length ) );
504
505 /* Calculate ikey */
506 for( i = 0; i < mac_key_length; i++ )
507 key_buf[i] = (unsigned char)( key_buf[i] ^ 0x36 );
508 for(; i < block_size; ++i )
509 key_buf[i] = 0x36;
510
511 PSA_CHK( psa_hash_setup( &operation, hash_alg ) );
512
513 /* Now compute inner_hash = HASH(ikey + msg) */
514 PSA_CHK( psa_hash_update( &operation, key_buf, block_size ) );
515 PSA_CHK( psa_hash_update( &operation, add_data, add_data_len ) );
516 PSA_CHK( psa_hash_update( &operation, data, min_data_len ) );
517
518 /* Fill the hash buffer in advance with something that is
519 * not a valid hash (barring an attack on the hash and
520 * deliberately-crafted input), in case the caller doesn't
521 * check the return status properly. */
522 memset( output, '!', hash_size );
523
524 /* For each possible length, compute the hash up to that point */
525 for( offset = min_data_len; offset <= max_data_len; offset++ )
526 {
527 PSA_CHK( psa_hash_clone( &operation, &aux_operation ) );
528 PSA_CHK( psa_hash_finish( &aux_operation, aux_out,
529 PSA_HASH_MAX_SIZE, &hash_length ) );
530 /* Keep only the correct inner_hash in the output buffer */
531 mbedtls_ct_memcpy_if_eq( output, aux_out, hash_size,
532 offset, data_len_secret );
533
534 if( offset < max_data_len )
535 PSA_CHK( psa_hash_update( &operation, data + offset, 1 ) );
536 }
537
538 /* Abort current operation to prepare for final operation */
539 PSA_CHK( psa_hash_abort( &operation ) );
540
541 /* Calculate okey */
542 for( i = 0; i < mac_key_length; i++ )
543 key_buf[i] = (unsigned char)( ( key_buf[i] ^ 0x36 ) ^ 0x5C );
544 for(; i < block_size; ++i )
545 key_buf[i] = 0x5C;
546
547 /* Now compute HASH(okey + inner_hash) */
548 PSA_CHK( psa_hash_setup( &operation, hash_alg ) );
549 PSA_CHK( psa_hash_update( &operation, key_buf, block_size ) );
550 PSA_CHK( psa_hash_update( &operation, output, hash_size ) );
551 PSA_CHK( psa_hash_finish( &operation, output, hash_size, &hash_length ) );
552
553 #undef PSA_CHK
554
555 cleanup:
556 mbedtls_platform_zeroize( key_buf, MAX_HASH_BLOCK_LENGTH );
557 mbedtls_platform_zeroize( aux_out, PSA_HASH_MAX_SIZE );
558
559 psa_hash_abort( &operation );
560 psa_hash_abort( &aux_operation );
561 return( psa_ssl_status_to_mbedtls( status ) );
562 }
563
564 #undef MAX_HASH_BLOCK_LENGTH
565
566 #else
mbedtls_ct_hmac(mbedtls_md_context_t * ctx,const unsigned char * add_data,size_t add_data_len,const unsigned char * data,size_t data_len_secret,size_t min_data_len,size_t max_data_len,unsigned char * output)567 int mbedtls_ct_hmac( mbedtls_md_context_t *ctx,
568 const unsigned char *add_data,
569 size_t add_data_len,
570 const unsigned char *data,
571 size_t data_len_secret,
572 size_t min_data_len,
573 size_t max_data_len,
574 unsigned char *output )
575 {
576 /*
577 * This function breaks the HMAC abstraction and uses the md_clone()
578 * extension to the MD API in order to get constant-flow behaviour.
579 *
580 * HMAC(msg) is defined as HASH(okey + HASH(ikey + msg)) where + means
581 * concatenation, and okey/ikey are the XOR of the key with some fixed bit
582 * patterns (see RFC 2104, sec. 2), which are stored in ctx->hmac_ctx.
583 *
584 * We'll first compute inner_hash = HASH(ikey + msg) by hashing up to
585 * minlen, then cloning the context, and for each byte up to maxlen
586 * finishing up the hash computation, keeping only the correct result.
587 *
588 * Then we only need to compute HASH(okey + inner_hash) and we're done.
589 */
590 const mbedtls_md_type_t md_alg = mbedtls_md_get_type( ctx->md_info );
591 /* TLS 1.2 only supports SHA-384, SHA-256, SHA-1, MD-5,
592 * all of which have the same block size except SHA-384. */
593 const size_t block_size = md_alg == MBEDTLS_MD_SHA384 ? 128 : 64;
594 const unsigned char * const ikey = ctx->hmac_ctx;
595 const unsigned char * const okey = ikey + block_size;
596 const size_t hash_size = mbedtls_md_get_size( ctx->md_info );
597
598 unsigned char aux_out[MBEDTLS_MD_MAX_SIZE];
599 mbedtls_md_context_t aux;
600 size_t offset;
601 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
602
603 mbedtls_md_init( &aux );
604
605 #define MD_CHK( func_call ) \
606 do { \
607 ret = (func_call); \
608 if( ret != 0 ) \
609 goto cleanup; \
610 } while( 0 )
611
612 MD_CHK( mbedtls_md_setup( &aux, ctx->md_info, 0 ) );
613
614 /* After hmac_start() of hmac_reset(), ikey has already been hashed,
615 * so we can start directly with the message */
616 MD_CHK( mbedtls_md_update( ctx, add_data, add_data_len ) );
617 MD_CHK( mbedtls_md_update( ctx, data, min_data_len ) );
618
619 /* Fill the hash buffer in advance with something that is
620 * not a valid hash (barring an attack on the hash and
621 * deliberately-crafted input), in case the caller doesn't
622 * check the return status properly. */
623 memset( output, '!', hash_size );
624
625 /* For each possible length, compute the hash up to that point */
626 for( offset = min_data_len; offset <= max_data_len; offset++ )
627 {
628 MD_CHK( mbedtls_md_clone( &aux, ctx ) );
629 MD_CHK( mbedtls_md_finish( &aux, aux_out ) );
630 /* Keep only the correct inner_hash in the output buffer */
631 mbedtls_ct_memcpy_if_eq( output, aux_out, hash_size,
632 offset, data_len_secret );
633
634 if( offset < max_data_len )
635 MD_CHK( mbedtls_md_update( ctx, data + offset, 1 ) );
636 }
637
638 /* The context needs to finish() before it starts() again */
639 MD_CHK( mbedtls_md_finish( ctx, aux_out ) );
640
641 /* Now compute HASH(okey + inner_hash) */
642 MD_CHK( mbedtls_md_starts( ctx ) );
643 MD_CHK( mbedtls_md_update( ctx, okey, block_size ) );
644 MD_CHK( mbedtls_md_update( ctx, output, hash_size ) );
645 MD_CHK( mbedtls_md_finish( ctx, output ) );
646
647 /* Done, get ready for next time */
648 MD_CHK( mbedtls_md_hmac_reset( ctx ) );
649
650 #undef MD_CHK
651
652 cleanup:
653 mbedtls_md_free( &aux );
654 return( ret );
655 }
656 #endif /* MBEDTLS_USE_PSA_CRYPTO */
657
658 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
659
660 #if defined(MBEDTLS_BIGNUM_C)
661
662 #define MPI_VALIDATE_RET( cond ) \
663 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_MPI_BAD_INPUT_DATA )
664
665 /*
666 * Conditionally assign X = Y, without leaking information
667 * about whether the assignment was made or not.
668 * (Leaking information about the respective sizes of X and Y is ok however.)
669 */
670 #if defined(_MSC_VER) && defined(_M_ARM64) && (_MSC_FULL_VER < 193131103)
671 /*
672 * MSVC miscompiles this function if it's inlined prior to Visual Studio 2022 version 17.1. See:
673 * https://developercommunity.visualstudio.com/t/c-compiler-miscompiles-part-of-mbedtls-library-on/1646989
674 */
675 __declspec(noinline)
676 #endif
mbedtls_mpi_safe_cond_assign(mbedtls_mpi * X,const mbedtls_mpi * Y,unsigned char assign)677 int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X,
678 const mbedtls_mpi *Y,
679 unsigned char assign )
680 {
681 int ret = 0;
682 MPI_VALIDATE_RET( X != NULL );
683 MPI_VALIDATE_RET( Y != NULL );
684
685 /* all-bits 1 if assign is 1, all-bits 0 if assign is 0 */
686 mbedtls_mpi_uint limb_mask = mbedtls_ct_mpi_uint_mask( assign );
687
688 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
689
690 X->s = mbedtls_ct_cond_select_sign( assign, Y->s, X->s );
691
692 mbedtls_mpi_core_cond_assign( X->p, Y->p, Y->n, assign );
693
694 for( size_t i = Y->n; i < X->n; i++ )
695 X->p[i] &= ~limb_mask;
696
697 cleanup:
698 return( ret );
699 }
700
701 /*
702 * Conditionally swap X and Y, without leaking information
703 * about whether the swap was made or not.
704 * Here it is not ok to simply swap the pointers, which would lead to
705 * different memory access patterns when X and Y are used afterwards.
706 */
mbedtls_mpi_safe_cond_swap(mbedtls_mpi * X,mbedtls_mpi * Y,unsigned char swap)707 int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X,
708 mbedtls_mpi *Y,
709 unsigned char swap )
710 {
711 int ret = 0;
712 int s;
713 MPI_VALIDATE_RET( X != NULL );
714 MPI_VALIDATE_RET( Y != NULL );
715
716 if( X == Y )
717 return( 0 );
718
719 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
720 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( Y, X->n ) );
721
722 s = X->s;
723 X->s = mbedtls_ct_cond_select_sign( swap, Y->s, X->s );
724 Y->s = mbedtls_ct_cond_select_sign( swap, s, Y->s );
725
726 mbedtls_mpi_core_cond_swap( X->p, Y->p, X->n, swap );
727
728 cleanup:
729 return( ret );
730 }
731
732 /*
733 * Compare unsigned values in constant time
734 */
mbedtls_mpi_core_lt_ct(const mbedtls_mpi_uint * A,const mbedtls_mpi_uint * B,size_t limbs)735 unsigned mbedtls_mpi_core_lt_ct( const mbedtls_mpi_uint *A,
736 const mbedtls_mpi_uint *B,
737 size_t limbs )
738 {
739 unsigned ret, cond, done;
740
741 /* The value of any of these variables is either 0 or 1 for the rest of
742 * their scope. */
743 ret = cond = done = 0;
744
745 for( size_t i = limbs; i > 0; i-- )
746 {
747 /*
748 * If B[i - 1] < A[i - 1] then A < B is false and the result must
749 * remain 0.
750 *
751 * Again even if we can make a decision, we just mark the result and
752 * the fact that we are done and continue looping.
753 */
754 cond = mbedtls_ct_mpi_uint_lt( B[i - 1], A[i - 1] );
755 done |= cond;
756
757 /*
758 * If A[i - 1] < B[i - 1] then A < B is true.
759 *
760 * Again even if we can make a decision, we just mark the result and
761 * the fact that we are done and continue looping.
762 */
763 cond = mbedtls_ct_mpi_uint_lt( A[i - 1], B[i - 1] );
764 ret |= cond & ( 1 - done );
765 done |= cond;
766 }
767
768 /*
769 * If all the limbs were equal, then the numbers are equal, A < B is false
770 * and leaving the result 0 is correct.
771 */
772
773 return( ret );
774 }
775
776 /*
777 * Compare signed values in constant time
778 */
mbedtls_mpi_lt_mpi_ct(const mbedtls_mpi * X,const mbedtls_mpi * Y,unsigned * ret)779 int mbedtls_mpi_lt_mpi_ct( const mbedtls_mpi *X,
780 const mbedtls_mpi *Y,
781 unsigned *ret )
782 {
783 size_t i;
784 /* The value of any of these variables is either 0 or 1 at all times. */
785 unsigned cond, done, X_is_negative, Y_is_negative;
786
787 MPI_VALIDATE_RET( X != NULL );
788 MPI_VALIDATE_RET( Y != NULL );
789 MPI_VALIDATE_RET( ret != NULL );
790
791 if( X->n != Y->n )
792 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
793
794 /*
795 * Set sign_N to 1 if N >= 0, 0 if N < 0.
796 * We know that N->s == 1 if N >= 0 and N->s == -1 if N < 0.
797 */
798 X_is_negative = ( X->s & 2 ) >> 1;
799 Y_is_negative = ( Y->s & 2 ) >> 1;
800
801 /*
802 * If the signs are different, then the positive operand is the bigger.
803 * That is if X is negative (X_is_negative == 1), then X < Y is true and it
804 * is false if X is positive (X_is_negative == 0).
805 */
806 cond = ( X_is_negative ^ Y_is_negative );
807 *ret = cond & X_is_negative;
808
809 /*
810 * This is a constant-time function. We might have the result, but we still
811 * need to go through the loop. Record if we have the result already.
812 */
813 done = cond;
814
815 for( i = X->n; i > 0; i-- )
816 {
817 /*
818 * If Y->p[i - 1] < X->p[i - 1] then X < Y is true if and only if both
819 * X and Y are negative.
820 *
821 * Again even if we can make a decision, we just mark the result and
822 * the fact that we are done and continue looping.
823 */
824 cond = mbedtls_ct_mpi_uint_lt( Y->p[i - 1], X->p[i - 1] );
825 *ret |= cond & ( 1 - done ) & X_is_negative;
826 done |= cond;
827
828 /*
829 * If X->p[i - 1] < Y->p[i - 1] then X < Y is true if and only if both
830 * X and Y are positive.
831 *
832 * Again even if we can make a decision, we just mark the result and
833 * the fact that we are done and continue looping.
834 */
835 cond = mbedtls_ct_mpi_uint_lt( X->p[i - 1], Y->p[i - 1] );
836 *ret |= cond & ( 1 - done ) & ( 1 - X_is_negative );
837 done |= cond;
838 }
839
840 return( 0 );
841 }
842
843 #endif /* MBEDTLS_BIGNUM_C */
844
845 #if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
846
mbedtls_ct_rsaes_pkcs1_v15_unpadding(unsigned char * input,size_t ilen,unsigned char * output,size_t output_max_len,size_t * olen)847 int mbedtls_ct_rsaes_pkcs1_v15_unpadding( unsigned char *input,
848 size_t ilen,
849 unsigned char *output,
850 size_t output_max_len,
851 size_t *olen )
852 {
853 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
854 size_t i, plaintext_max_size;
855
856 /* The following variables take sensitive values: their value must
857 * not leak into the observable behavior of the function other than
858 * the designated outputs (output, olen, return value). Otherwise
859 * this would open the execution of the function to
860 * side-channel-based variants of the Bleichenbacher padding oracle
861 * attack. Potential side channels include overall timing, memory
862 * access patterns (especially visible to an adversary who has access
863 * to a shared memory cache), and branches (especially visible to
864 * an adversary who has access to a shared code cache or to a shared
865 * branch predictor). */
866 size_t pad_count = 0;
867 unsigned bad = 0;
868 unsigned char pad_done = 0;
869 size_t plaintext_size = 0;
870 unsigned output_too_large;
871
872 plaintext_max_size = ( output_max_len > ilen - 11 ) ? ilen - 11
873 : output_max_len;
874
875 /* Check and get padding length in constant time and constant
876 * memory trace. The first byte must be 0. */
877 bad |= input[0];
878
879
880 /* Decode EME-PKCS1-v1_5 padding: 0x00 || 0x02 || PS || 0x00
881 * where PS must be at least 8 nonzero bytes. */
882 bad |= input[1] ^ MBEDTLS_RSA_CRYPT;
883
884 /* Read the whole buffer. Set pad_done to nonzero if we find
885 * the 0x00 byte and remember the padding length in pad_count. */
886 for( i = 2; i < ilen; i++ )
887 {
888 pad_done |= ((input[i] | (unsigned char)-input[i]) >> 7) ^ 1;
889 pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
890 }
891
892
893 /* If pad_done is still zero, there's no data, only unfinished padding. */
894 bad |= mbedtls_ct_uint_if( pad_done, 0, 1 );
895
896 /* There must be at least 8 bytes of padding. */
897 bad |= mbedtls_ct_size_gt( 8, pad_count );
898
899 /* If the padding is valid, set plaintext_size to the number of
900 * remaining bytes after stripping the padding. If the padding
901 * is invalid, avoid leaking this fact through the size of the
902 * output: use the maximum message size that fits in the output
903 * buffer. Do it without branches to avoid leaking the padding
904 * validity through timing. RSA keys are small enough that all the
905 * size_t values involved fit in unsigned int. */
906 plaintext_size = mbedtls_ct_uint_if(
907 bad, (unsigned) plaintext_max_size,
908 (unsigned) ( ilen - pad_count - 3 ) );
909
910 /* Set output_too_large to 0 if the plaintext fits in the output
911 * buffer and to 1 otherwise. */
912 output_too_large = mbedtls_ct_size_gt( plaintext_size,
913 plaintext_max_size );
914
915 /* Set ret without branches to avoid timing attacks. Return:
916 * - INVALID_PADDING if the padding is bad (bad != 0).
917 * - OUTPUT_TOO_LARGE if the padding is good but the decrypted
918 * plaintext does not fit in the output buffer.
919 * - 0 if the padding is correct. */
920 ret = - (int) mbedtls_ct_uint_if(
921 bad, - MBEDTLS_ERR_RSA_INVALID_PADDING,
922 mbedtls_ct_uint_if( output_too_large,
923 - MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE,
924 0 ) );
925
926 /* If the padding is bad or the plaintext is too large, zero the
927 * data that we're about to copy to the output buffer.
928 * We need to copy the same amount of data
929 * from the same buffer whether the padding is good or not to
930 * avoid leaking the padding validity through overall timing or
931 * through memory or cache access patterns. */
932 bad = mbedtls_ct_uint_mask( bad | output_too_large );
933 for( i = 11; i < ilen; i++ )
934 input[i] &= ~bad;
935
936 /* If the plaintext is too large, truncate it to the buffer size.
937 * Copy anyway to avoid revealing the length through timing, because
938 * revealing the length is as bad as revealing the padding validity
939 * for a Bleichenbacher attack. */
940 plaintext_size = mbedtls_ct_uint_if( output_too_large,
941 (unsigned) plaintext_max_size,
942 (unsigned) plaintext_size );
943
944 /* Move the plaintext to the leftmost position where it can start in
945 * the working buffer, i.e. make it start plaintext_max_size from
946 * the end of the buffer. Do this with a memory access trace that
947 * does not depend on the plaintext size. After this move, the
948 * starting location of the plaintext is no longer sensitive
949 * information. */
950 mbedtls_ct_mem_move_to_left( input + ilen - plaintext_max_size,
951 plaintext_max_size,
952 plaintext_max_size - plaintext_size );
953
954 /* Finally copy the decrypted plaintext plus trailing zeros into the output
955 * buffer. If output_max_len is 0, then output may be an invalid pointer
956 * and the result of memcpy() would be undefined; prevent undefined
957 * behavior making sure to depend only on output_max_len (the size of the
958 * user-provided output buffer), which is independent from plaintext
959 * length, validity of padding, success of the decryption, and other
960 * secrets. */
961 if( output_max_len != 0 )
962 memcpy( output, input + ilen - plaintext_max_size, plaintext_max_size );
963
964 /* Report the amount of data we copied to the output buffer. In case
965 * of errors (bad padding or output too large), the value of *olen
966 * when this function returns is not specified. Making it equivalent
967 * to the good case limits the risks of leaking the padding validity. */
968 *olen = plaintext_size;
969
970 return( ret );
971 }
972
973 #endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */
974
