1 /** 2 * Constant-time functions 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 */ 19 20 #ifndef MBEDTLS_CONSTANT_TIME_INTERNAL_H 21 #define MBEDTLS_CONSTANT_TIME_INTERNAL_H 22 23 #include "common.h" 24 25 #if defined(MBEDTLS_BIGNUM_C) 26 #include "mbedtls/bignum.h" 27 #endif 28 29 #if defined(MBEDTLS_SSL_TLS_C) 30 #include "ssl_misc.h" 31 #endif 32 33 #include <stddef.h> 34 35 36 /** Turn a value into a mask: 37 * - if \p value == 0, return the all-bits 0 mask, aka 0 38 * - otherwise, return the all-bits 1 mask, aka (unsigned) -1 39 * 40 * This function can be used to write constant-time code by replacing branches 41 * with bit operations using masks. 42 * 43 * \param value The value to analyze. 44 * 45 * \return Zero if \p value is zero, otherwise all-bits-one. 46 */ 47 unsigned mbedtls_ct_uint_mask( unsigned value ); 48 49 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 50 51 /** Turn a value into a mask: 52 * - if \p value == 0, return the all-bits 0 mask, aka 0 53 * - otherwise, return the all-bits 1 mask, aka (size_t) -1 54 * 55 * This function can be used to write constant-time code by replacing branches 56 * with bit operations using masks. 57 * 58 * \param value The value to analyze. 59 * 60 * \return Zero if \p value is zero, otherwise all-bits-one. 61 */ 62 size_t mbedtls_ct_size_mask( size_t value ); 63 64 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ 65 66 #if defined(MBEDTLS_BIGNUM_C) 67 68 /** Turn a value into a mask: 69 * - if \p value == 0, return the all-bits 0 mask, aka 0 70 * - otherwise, return the all-bits 1 mask, aka (mbedtls_mpi_uint) -1 71 * 72 * This function can be used to write constant-time code by replacing branches 73 * with bit operations using masks. 74 * 75 * \param value The value to analyze. 76 * 77 * \return Zero if \p value is zero, otherwise all-bits-one. 78 */ 79 mbedtls_mpi_uint mbedtls_ct_mpi_uint_mask( mbedtls_mpi_uint value ); 80 81 #endif /* MBEDTLS_BIGNUM_C */ 82 83 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) 84 85 /** Constant-flow mask generation for "greater or equal" comparison: 86 * - if \p x >= \p y, return all-bits 1, that is (size_t) -1 87 * - otherwise, return all bits 0, that is 0 88 * 89 * This function can be used to write constant-time code by replacing branches 90 * with bit operations using masks. 91 * 92 * \param x The first value to analyze. 93 * \param y The second value to analyze. 94 * 95 * \return All-bits-one if \p x is greater or equal than \p y, 96 * otherwise zero. 97 */ 98 size_t mbedtls_ct_size_mask_ge( size_t x, 99 size_t y ); 100 101 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ 102 103 /** Constant-flow boolean "equal" comparison: 104 * return x == y 105 * 106 * This is equivalent to \p x == \p y, but is likely to be compiled 107 * to code using bitwise operation rather than a branch. 108 * 109 * \param x The first value to analyze. 110 * \param y The second value to analyze. 111 * 112 * \return 1 if \p x equals to \p y, otherwise 0. 113 */ 114 unsigned mbedtls_ct_size_bool_eq( size_t x, 115 size_t y ); 116 117 #if defined(MBEDTLS_BIGNUM_C) 118 119 /** Decide if an integer is less than the other, without branches. 120 * 121 * This is equivalent to \p x < \p y, but is likely to be compiled 122 * to code using bitwise operation rather than a branch. 123 * 124 * \param x The first value to analyze. 125 * \param y The second value to analyze. 126 * 127 * \return 1 if \p x is less than \p y, otherwise 0. 128 */ 129 unsigned mbedtls_ct_mpi_uint_lt( const mbedtls_mpi_uint x, 130 const mbedtls_mpi_uint y ); 131 132 /** 133 * \brief Check if one unsigned MPI is less than another in constant 134 * time. 135 * 136 * \param A The left-hand MPI. This must point to an array of limbs 137 * with the same allocated length as \p B. 138 * \param B The right-hand MPI. This must point to an array of limbs 139 * with the same allocated length as \p A. 140 * \param limbs The number of limbs in \p A and \p B. 141 * This must not be 0. 142 * 143 * \return The result of the comparison: 144 * \c 1 if \p A is less than \p B. 145 * \c 0 if \p A is greater than or equal to \p B. 146 */ 147 unsigned mbedtls_mpi_core_lt_ct( const mbedtls_mpi_uint *A, 148 const mbedtls_mpi_uint *B, 149 size_t limbs); 150 #endif /* MBEDTLS_BIGNUM_C */ 151 152 /** Choose between two integer values without branches. 153 * 154 * This is equivalent to `condition ? if1 : if0`, but is likely to be compiled 155 * to code using bitwise operation rather than a branch. 156 * 157 * \param condition Condition to test. 158 * \param if1 Value to use if \p condition is nonzero. 159 * \param if0 Value to use if \p condition is zero. 160 * 161 * \return \c if1 if \p condition is nonzero, otherwise \c if0. 162 */ 163 unsigned mbedtls_ct_uint_if( unsigned condition, 164 unsigned if1, 165 unsigned if0 ); 166 167 #if defined(MBEDTLS_BIGNUM_C) 168 169 /** Conditionally assign a value without branches. 170 * 171 * This is equivalent to `if ( condition ) dest = src`, but is likely 172 * to be compiled to code using bitwise operation rather than a branch. 173 * 174 * \param n \p dest and \p src must be arrays of limbs of size n. 175 * \param dest The MPI to conditionally assign to. This must point 176 * to an initialized MPI. 177 * \param src The MPI to be assigned from. This must point to an 178 * initialized MPI. 179 * \param condition Condition to test, must be 0 or 1. 180 */ 181 void mbedtls_ct_mpi_uint_cond_assign( size_t n, 182 mbedtls_mpi_uint *dest, 183 const mbedtls_mpi_uint *src, 184 unsigned char condition ); 185 186 #endif /* MBEDTLS_BIGNUM_C */ 187 188 #if defined(MBEDTLS_BASE64_C) 189 190 /** Given a value in the range 0..63, return the corresponding Base64 digit. 191 * 192 * The implementation assumes that letters are consecutive (e.g. ASCII 193 * but not EBCDIC). 194 * 195 * \param value A value in the range 0..63. 196 * 197 * \return A base64 digit converted from \p value. 198 */ 199 unsigned char mbedtls_ct_base64_enc_char( unsigned char value ); 200 201 /** Given a Base64 digit, return its value. 202 * 203 * If c is not a Base64 digit ('A'..'Z', 'a'..'z', '0'..'9', '+' or '/'), 204 * return -1. 205 * 206 * The implementation assumes that letters are consecutive (e.g. ASCII 207 * but not EBCDIC). 208 * 209 * \param c A base64 digit. 210 * 211 * \return The value of the base64 digit \p c. 212 */ 213 signed char mbedtls_ct_base64_dec_value( unsigned char c ); 214 215 #endif /* MBEDTLS_BASE64_C */ 216 217 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 218 219 /** Conditional memcpy without branches. 220 * 221 * This is equivalent to `if ( c1 == c2 ) memcpy(dest, src, len)`, but is likely 222 * to be compiled to code using bitwise operation rather than a branch. 223 * 224 * \param dest The pointer to conditionally copy to. 225 * \param src The pointer to copy from. Shouldn't overlap with \p dest. 226 * \param len The number of bytes to copy. 227 * \param c1 The first value to analyze in the condition. 228 * \param c2 The second value to analyze in the condition. 229 */ 230 void mbedtls_ct_memcpy_if_eq( unsigned char *dest, 231 const unsigned char *src, 232 size_t len, 233 size_t c1, size_t c2 ); 234 235 /** Copy data from a secret position with constant flow. 236 * 237 * This function copies \p len bytes from \p src_base + \p offset_secret to \p 238 * dst, with a code flow and memory access pattern that does not depend on \p 239 * offset_secret, but only on \p offset_min, \p offset_max and \p len. 240 * Functionally equivalent to `memcpy(dst, src + offset_secret, len)`. 241 * 242 * \note This function reads from \p dest, but the value that 243 * is read does not influence the result and this 244 * function's behavior is well-defined regardless of the 245 * contents of the buffers. This may result in false 246 * positives from static or dynamic analyzers, especially 247 * if \p dest is not initialized. 248 * 249 * \param dest The destination buffer. This must point to a writable 250 * buffer of at least \p len bytes. 251 * \param src The base of the source buffer. This must point to a 252 * readable buffer of at least \p offset_max + \p len 253 * bytes. Shouldn't overlap with \p dest. 254 * \param offset The offset in the source buffer from which to copy. 255 * This must be no less than \p offset_min and no greater 256 * than \p offset_max. 257 * \param offset_min The minimal value of \p offset. 258 * \param offset_max The maximal value of \p offset. 259 * \param len The number of bytes to copy. 260 */ 261 void mbedtls_ct_memcpy_offset( unsigned char *dest, 262 const unsigned char *src, 263 size_t offset, 264 size_t offset_min, 265 size_t offset_max, 266 size_t len ); 267 268 /** Compute the HMAC of variable-length data with constant flow. 269 * 270 * This function computes the HMAC of the concatenation of \p add_data and \p 271 * data, and does with a code flow and memory access pattern that does not 272 * depend on \p data_len_secret, but only on \p min_data_len and \p 273 * max_data_len. In particular, this function always reads exactly \p 274 * max_data_len bytes from \p data. 275 * 276 * \param ctx The HMAC context. It must have keys configured 277 * with mbedtls_md_hmac_starts() and use one of the 278 * following hashes: SHA-384, SHA-256, SHA-1 or MD-5. 279 * It is reset using mbedtls_md_hmac_reset() after 280 * the computation is complete to prepare for the 281 * next computation. 282 * \param add_data The first part of the message whose HMAC is being 283 * calculated. This must point to a readable buffer 284 * of \p add_data_len bytes. 285 * \param add_data_len The length of \p add_data in bytes. 286 * \param data The buffer containing the second part of the 287 * message. This must point to a readable buffer 288 * of \p max_data_len bytes. 289 * \param data_len_secret The length of the data to process in \p data. 290 * This must be no less than \p min_data_len and no 291 * greater than \p max_data_len. 292 * \param min_data_len The minimal length of the second part of the 293 * message, read from \p data. 294 * \param max_data_len The maximal length of the second part of the 295 * message, read from \p data. 296 * \param output The HMAC will be written here. This must point to 297 * a writable buffer of sufficient size to hold the 298 * HMAC value. 299 * 300 * \retval 0 on success. 301 * \retval #MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED 302 * The hardware accelerator failed. 303 */ 304 #if defined(MBEDTLS_USE_PSA_CRYPTO) 305 int mbedtls_ct_hmac( mbedtls_svc_key_id_t key, 306 psa_algorithm_t alg, 307 const unsigned char *add_data, 308 size_t add_data_len, 309 const unsigned char *data, 310 size_t data_len_secret, 311 size_t min_data_len, 312 size_t max_data_len, 313 unsigned char *output ); 314 #else 315 int mbedtls_ct_hmac( mbedtls_md_context_t *ctx, 316 const unsigned char *add_data, 317 size_t add_data_len, 318 const unsigned char *data, 319 size_t data_len_secret, 320 size_t min_data_len, 321 size_t max_data_len, 322 unsigned char *output ); 323 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 324 325 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ 326 327 #if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) 328 329 /** This function performs the unpadding part of a PKCS#1 v1.5 decryption 330 * operation (EME-PKCS1-v1_5 decoding). 331 * 332 * \note The return value from this function is a sensitive value 333 * (this is unusual). #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE shouldn't happen 334 * in a well-written application, but 0 vs #MBEDTLS_ERR_RSA_INVALID_PADDING 335 * is often a situation that an attacker can provoke and leaking which 336 * one is the result is precisely the information the attacker wants. 337 * 338 * \param input The input buffer which is the payload inside PKCS#1v1.5 339 * encryption padding, called the "encoded message EM" 340 * by the terminology. 341 * \param ilen The length of the payload in the \p input buffer. 342 * \param output The buffer for the payload, called "message M" by the 343 * PKCS#1 terminology. This must be a writable buffer of 344 * length \p output_max_len bytes. 345 * \param olen The address at which to store the length of 346 * the payload. This must not be \c NULL. 347 * \param output_max_len The length in bytes of the output buffer \p output. 348 * 349 * \return \c 0 on success. 350 * \return #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE 351 * The output buffer is too small for the unpadded payload. 352 * \return #MBEDTLS_ERR_RSA_INVALID_PADDING 353 * The input doesn't contain properly formatted padding. 354 */ 355 int mbedtls_ct_rsaes_pkcs1_v15_unpadding( unsigned char *input, 356 size_t ilen, 357 unsigned char *output, 358 size_t output_max_len, 359 size_t *olen ); 360 361 #endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */ 362 363 #endif /* MBEDTLS_CONSTANT_TIME_INTERNAL_H */ 364