1*039e02dfSJerome Forissier /** 2*039e02dfSJerome Forissier * Constant-time functions 3*039e02dfSJerome Forissier * 4*039e02dfSJerome Forissier * Copyright The Mbed TLS Contributors 5*039e02dfSJerome Forissier * SPDX-License-Identifier: Apache-2.0 6*039e02dfSJerome Forissier * 7*039e02dfSJerome Forissier * Licensed under the Apache License, Version 2.0 (the "License"); you may 8*039e02dfSJerome Forissier * not use this file except in compliance with the License. 9*039e02dfSJerome Forissier * You may obtain a copy of the License at 10*039e02dfSJerome Forissier * 11*039e02dfSJerome Forissier * http://www.apache.org/licenses/LICENSE-2.0 12*039e02dfSJerome Forissier * 13*039e02dfSJerome Forissier * Unless required by applicable law or agreed to in writing, software 14*039e02dfSJerome Forissier * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15*039e02dfSJerome Forissier * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16*039e02dfSJerome Forissier * See the License for the specific language governing permissions and 17*039e02dfSJerome Forissier * limitations under the License. 18*039e02dfSJerome Forissier */ 19*039e02dfSJerome Forissier 20*039e02dfSJerome Forissier /* 21*039e02dfSJerome Forissier * The following functions are implemented without using comparison operators, as those 22*039e02dfSJerome Forissier * might be translated to branches by some compilers on some platforms. 23*039e02dfSJerome Forissier */ 24*039e02dfSJerome Forissier 25*039e02dfSJerome Forissier #include "common.h" 26*039e02dfSJerome Forissier #include "constant_time_internal.h" 27*039e02dfSJerome Forissier #include "mbedtls/constant_time.h" 28*039e02dfSJerome Forissier #include "mbedtls/error.h" 29*039e02dfSJerome Forissier #include "mbedtls/platform_util.h" 30*039e02dfSJerome Forissier 31*039e02dfSJerome Forissier #if defined(MBEDTLS_BIGNUM_C) 32*039e02dfSJerome Forissier #include "mbedtls/bignum.h" 33*039e02dfSJerome Forissier #endif 34*039e02dfSJerome Forissier 35*039e02dfSJerome Forissier #if defined(MBEDTLS_SSL_TLS_C) 36*039e02dfSJerome Forissier #include "mbedtls/ssl_internal.h" 37*039e02dfSJerome Forissier #endif 38*039e02dfSJerome Forissier 39*039e02dfSJerome Forissier #if defined(MBEDTLS_RSA_C) 40*039e02dfSJerome Forissier #include "mbedtls/rsa.h" 41*039e02dfSJerome Forissier #endif 42*039e02dfSJerome Forissier 43*039e02dfSJerome Forissier #if defined(MBEDTLS_BASE64_C) 44*039e02dfSJerome Forissier #include "constant_time_invasive.h" 45*039e02dfSJerome Forissier #endif 46*039e02dfSJerome Forissier 47*039e02dfSJerome Forissier #include <string.h> 48*039e02dfSJerome Forissier 49*039e02dfSJerome Forissier int mbedtls_ct_memcmp( const void *a, 50*039e02dfSJerome Forissier const void *b, 51*039e02dfSJerome Forissier size_t n ) 52*039e02dfSJerome Forissier { 53*039e02dfSJerome Forissier size_t i; 54*039e02dfSJerome Forissier volatile const unsigned char *A = (volatile const unsigned char *) a; 55*039e02dfSJerome Forissier volatile const unsigned char *B = (volatile const unsigned char *) b; 56*039e02dfSJerome Forissier volatile unsigned char diff = 0; 57*039e02dfSJerome Forissier 58*039e02dfSJerome Forissier for( i = 0; i < n; i++ ) 59*039e02dfSJerome Forissier { 60*039e02dfSJerome Forissier /* Read volatile data in order before computing diff. 61*039e02dfSJerome Forissier * This avoids IAR compiler warning: 62*039e02dfSJerome Forissier * 'the order of volatile accesses is undefined ..' */ 63*039e02dfSJerome Forissier unsigned char x = A[i], y = B[i]; 64*039e02dfSJerome Forissier diff |= x ^ y; 65*039e02dfSJerome Forissier } 66*039e02dfSJerome Forissier 67*039e02dfSJerome Forissier return( (int)diff ); 68*039e02dfSJerome Forissier } 69*039e02dfSJerome Forissier 70*039e02dfSJerome Forissier unsigned mbedtls_ct_uint_mask( unsigned value ) 71*039e02dfSJerome Forissier { 72*039e02dfSJerome Forissier /* MSVC has a warning about unary minus on unsigned, but this is 73*039e02dfSJerome Forissier * well-defined and precisely what we want to do here */ 74*039e02dfSJerome Forissier #if defined(_MSC_VER) 75*039e02dfSJerome Forissier #pragma warning( push ) 76*039e02dfSJerome Forissier #pragma warning( disable : 4146 ) 77*039e02dfSJerome Forissier #endif 78*039e02dfSJerome Forissier return( - ( ( value | - value ) >> ( sizeof( value ) * 8 - 1 ) ) ); 79*039e02dfSJerome Forissier #if defined(_MSC_VER) 80*039e02dfSJerome Forissier #pragma warning( pop ) 81*039e02dfSJerome Forissier #endif 82*039e02dfSJerome Forissier } 83*039e02dfSJerome Forissier 84*039e02dfSJerome Forissier #if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) 85*039e02dfSJerome Forissier 86*039e02dfSJerome Forissier size_t mbedtls_ct_size_mask( size_t value ) 87*039e02dfSJerome Forissier { 88*039e02dfSJerome Forissier /* MSVC has a warning about unary minus on unsigned integer types, 89*039e02dfSJerome Forissier * but this is well-defined and precisely what we want to do here. */ 90*039e02dfSJerome Forissier #if defined(_MSC_VER) 91*039e02dfSJerome Forissier #pragma warning( push ) 92*039e02dfSJerome Forissier #pragma warning( disable : 4146 ) 93*039e02dfSJerome Forissier #endif 94*039e02dfSJerome Forissier return( - ( ( value | - value ) >> ( sizeof( value ) * 8 - 1 ) ) ); 95*039e02dfSJerome Forissier #if defined(_MSC_VER) 96*039e02dfSJerome Forissier #pragma warning( pop ) 97*039e02dfSJerome Forissier #endif 98*039e02dfSJerome Forissier } 99*039e02dfSJerome Forissier 100*039e02dfSJerome Forissier #endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ 101*039e02dfSJerome Forissier 102*039e02dfSJerome Forissier #if defined(MBEDTLS_BIGNUM_C) 103*039e02dfSJerome Forissier 104*039e02dfSJerome Forissier mbedtls_mpi_uint mbedtls_ct_mpi_uint_mask( mbedtls_mpi_uint value ) 105*039e02dfSJerome Forissier { 106*039e02dfSJerome Forissier /* MSVC has a warning about unary minus on unsigned, but this is 107*039e02dfSJerome Forissier * well-defined and precisely what we want to do here */ 108*039e02dfSJerome Forissier #if defined(_MSC_VER) 109*039e02dfSJerome Forissier #pragma warning( push ) 110*039e02dfSJerome Forissier #pragma warning( disable : 4146 ) 111*039e02dfSJerome Forissier #endif 112*039e02dfSJerome Forissier return( - ( ( value | - value ) >> ( sizeof( value ) * 8 - 1 ) ) ); 113*039e02dfSJerome Forissier #if defined(_MSC_VER) 114*039e02dfSJerome Forissier #pragma warning( pop ) 115*039e02dfSJerome Forissier #endif 116*039e02dfSJerome Forissier } 117*039e02dfSJerome Forissier 118*039e02dfSJerome Forissier #endif /* MBEDTLS_BIGNUM_C */ 119*039e02dfSJerome Forissier 120*039e02dfSJerome Forissier #if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) 121*039e02dfSJerome Forissier 122*039e02dfSJerome Forissier /** Constant-flow mask generation for "less than" comparison: 123*039e02dfSJerome Forissier * - if \p x < \p y, return all-bits 1, that is (size_t) -1 124*039e02dfSJerome Forissier * - otherwise, return all bits 0, that is 0 125*039e02dfSJerome Forissier * 126*039e02dfSJerome Forissier * This function can be used to write constant-time code by replacing branches 127*039e02dfSJerome Forissier * with bit operations using masks. 128*039e02dfSJerome Forissier * 129*039e02dfSJerome Forissier * \param x The first value to analyze. 130*039e02dfSJerome Forissier * \param y The second value to analyze. 131*039e02dfSJerome Forissier * 132*039e02dfSJerome Forissier * \return All-bits-one if \p x is less than \p y, otherwise zero. 133*039e02dfSJerome Forissier */ 134*039e02dfSJerome Forissier static size_t mbedtls_ct_size_mask_lt( size_t x, 135*039e02dfSJerome Forissier size_t y ) 136*039e02dfSJerome Forissier { 137*039e02dfSJerome Forissier /* This has the most significant bit set if and only if x < y */ 138*039e02dfSJerome Forissier const size_t sub = x - y; 139*039e02dfSJerome Forissier 140*039e02dfSJerome Forissier /* sub1 = (x < y) ? 1 : 0 */ 141*039e02dfSJerome Forissier const size_t sub1 = sub >> ( sizeof( sub ) * 8 - 1 ); 142*039e02dfSJerome Forissier 143*039e02dfSJerome Forissier /* mask = (x < y) ? 0xff... : 0x00... */ 144*039e02dfSJerome Forissier const size_t mask = mbedtls_ct_size_mask( sub1 ); 145*039e02dfSJerome Forissier 146*039e02dfSJerome Forissier return( mask ); 147*039e02dfSJerome Forissier } 148*039e02dfSJerome Forissier 149*039e02dfSJerome Forissier size_t mbedtls_ct_size_mask_ge( size_t x, 150*039e02dfSJerome Forissier size_t y ) 151*039e02dfSJerome Forissier { 152*039e02dfSJerome Forissier return( ~mbedtls_ct_size_mask_lt( x, y ) ); 153*039e02dfSJerome Forissier } 154*039e02dfSJerome Forissier 155*039e02dfSJerome Forissier #endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ 156*039e02dfSJerome Forissier 157*039e02dfSJerome Forissier #if defined(MBEDTLS_BASE64_C) 158*039e02dfSJerome Forissier 159*039e02dfSJerome Forissier /* Return 0xff if low <= c <= high, 0 otherwise. 160*039e02dfSJerome Forissier * 161*039e02dfSJerome Forissier * Constant flow with respect to c. 162*039e02dfSJerome Forissier */ 163*039e02dfSJerome Forissier MBEDTLS_STATIC_TESTABLE 164*039e02dfSJerome Forissier unsigned char mbedtls_ct_uchar_mask_of_range( unsigned char low, 165*039e02dfSJerome Forissier unsigned char high, 166*039e02dfSJerome Forissier unsigned char c ) 167*039e02dfSJerome Forissier { 168*039e02dfSJerome Forissier /* low_mask is: 0 if low <= c, 0x...ff if low > c */ 169*039e02dfSJerome Forissier unsigned low_mask = ( (unsigned) c - low ) >> 8; 170*039e02dfSJerome Forissier /* high_mask is: 0 if c <= high, 0x...ff if c > high */ 171*039e02dfSJerome Forissier unsigned high_mask = ( (unsigned) high - c ) >> 8; 172*039e02dfSJerome Forissier return( ~( low_mask | high_mask ) & 0xff ); 173*039e02dfSJerome Forissier } 174*039e02dfSJerome Forissier 175*039e02dfSJerome Forissier #endif /* MBEDTLS_BASE64_C */ 176*039e02dfSJerome Forissier 177*039e02dfSJerome Forissier unsigned mbedtls_ct_size_bool_eq( size_t x, 178*039e02dfSJerome Forissier size_t y ) 179*039e02dfSJerome Forissier { 180*039e02dfSJerome Forissier /* diff = 0 if x == y, non-zero otherwise */ 181*039e02dfSJerome Forissier const size_t diff = x ^ y; 182*039e02dfSJerome Forissier 183*039e02dfSJerome Forissier /* MSVC has a warning about unary minus on unsigned integer types, 184*039e02dfSJerome Forissier * but this is well-defined and precisely what we want to do here. */ 185*039e02dfSJerome Forissier #if defined(_MSC_VER) 186*039e02dfSJerome Forissier #pragma warning( push ) 187*039e02dfSJerome Forissier #pragma warning( disable : 4146 ) 188*039e02dfSJerome Forissier #endif 189*039e02dfSJerome Forissier 190*039e02dfSJerome Forissier /* diff_msb's most significant bit is equal to x != y */ 191*039e02dfSJerome Forissier const size_t diff_msb = ( diff | (size_t) -diff ); 192*039e02dfSJerome Forissier 193*039e02dfSJerome Forissier #if defined(_MSC_VER) 194*039e02dfSJerome Forissier #pragma warning( pop ) 195*039e02dfSJerome Forissier #endif 196*039e02dfSJerome Forissier 197*039e02dfSJerome Forissier /* diff1 = (x != y) ? 1 : 0 */ 198*039e02dfSJerome Forissier const unsigned diff1 = diff_msb >> ( sizeof( diff_msb ) * 8 - 1 ); 199*039e02dfSJerome Forissier 200*039e02dfSJerome Forissier return( 1 ^ diff1 ); 201*039e02dfSJerome Forissier } 202*039e02dfSJerome Forissier 203*039e02dfSJerome Forissier #if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) 204*039e02dfSJerome Forissier 205*039e02dfSJerome Forissier /** Constant-flow "greater than" comparison: 206*039e02dfSJerome Forissier * return x > y 207*039e02dfSJerome Forissier * 208*039e02dfSJerome Forissier * This is equivalent to \p x > \p y, but is likely to be compiled 209*039e02dfSJerome Forissier * to code using bitwise operation rather than a branch. 210*039e02dfSJerome Forissier * 211*039e02dfSJerome Forissier * \param x The first value to analyze. 212*039e02dfSJerome Forissier * \param y The second value to analyze. 213*039e02dfSJerome Forissier * 214*039e02dfSJerome Forissier * \return 1 if \p x greater than \p y, otherwise 0. 215*039e02dfSJerome Forissier */ 216*039e02dfSJerome Forissier static unsigned mbedtls_ct_size_gt( size_t x, 217*039e02dfSJerome Forissier size_t y ) 218*039e02dfSJerome Forissier { 219*039e02dfSJerome Forissier /* Return the sign bit (1 for negative) of (y - x). */ 220*039e02dfSJerome Forissier return( ( y - x ) >> ( sizeof( size_t ) * 8 - 1 ) ); 221*039e02dfSJerome Forissier } 222*039e02dfSJerome Forissier 223*039e02dfSJerome Forissier #endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */ 224*039e02dfSJerome Forissier 225*039e02dfSJerome Forissier #if defined(MBEDTLS_BIGNUM_C) 226*039e02dfSJerome Forissier 227*039e02dfSJerome Forissier unsigned mbedtls_ct_mpi_uint_lt( const mbedtls_mpi_uint x, 228*039e02dfSJerome Forissier const mbedtls_mpi_uint y ) 229*039e02dfSJerome Forissier { 230*039e02dfSJerome Forissier mbedtls_mpi_uint ret; 231*039e02dfSJerome Forissier mbedtls_mpi_uint cond; 232*039e02dfSJerome Forissier 233*039e02dfSJerome Forissier /* 234*039e02dfSJerome Forissier * Check if the most significant bits (MSB) of the operands are different. 235*039e02dfSJerome Forissier */ 236*039e02dfSJerome Forissier cond = ( x ^ y ); 237*039e02dfSJerome Forissier /* 238*039e02dfSJerome Forissier * If the MSB are the same then the difference x-y will be negative (and 239*039e02dfSJerome Forissier * have its MSB set to 1 during conversion to unsigned) if and only if x<y. 240*039e02dfSJerome Forissier */ 241*039e02dfSJerome Forissier ret = ( x - y ) & ~cond; 242*039e02dfSJerome Forissier /* 243*039e02dfSJerome Forissier * If the MSB are different, then the operand with the MSB of 1 is the 244*039e02dfSJerome Forissier * bigger. (That is if y has MSB of 1, then x<y is true and it is false if 245*039e02dfSJerome Forissier * the MSB of y is 0.) 246*039e02dfSJerome Forissier */ 247*039e02dfSJerome Forissier ret |= y & cond; 248*039e02dfSJerome Forissier 249*039e02dfSJerome Forissier 250*039e02dfSJerome Forissier ret = ret >> ( sizeof( mbedtls_mpi_uint ) * 8 - 1 ); 251*039e02dfSJerome Forissier 252*039e02dfSJerome Forissier return (unsigned) ret; 253*039e02dfSJerome Forissier } 254*039e02dfSJerome Forissier 255*039e02dfSJerome Forissier #endif /* MBEDTLS_BIGNUM_C */ 256*039e02dfSJerome Forissier 257*039e02dfSJerome Forissier unsigned mbedtls_ct_uint_if( unsigned condition, 258*039e02dfSJerome Forissier unsigned if1, 259*039e02dfSJerome Forissier unsigned if0 ) 260*039e02dfSJerome Forissier { 261*039e02dfSJerome Forissier unsigned mask = mbedtls_ct_uint_mask( condition ); 262*039e02dfSJerome Forissier return( ( mask & if1 ) | (~mask & if0 ) ); 263*039e02dfSJerome Forissier } 264*039e02dfSJerome Forissier 265*039e02dfSJerome Forissier #if defined(MBEDTLS_BIGNUM_C) 266*039e02dfSJerome Forissier 267*039e02dfSJerome Forissier /** Select between two sign values without branches. 268*039e02dfSJerome Forissier * 269*039e02dfSJerome Forissier * This is functionally equivalent to `condition ? if1 : if0` but uses only bit 270*039e02dfSJerome Forissier * operations in order to avoid branches. 271*039e02dfSJerome Forissier * 272*039e02dfSJerome Forissier * \note if1 and if0 must be either 1 or -1, otherwise the result 273*039e02dfSJerome Forissier * is undefined. 274*039e02dfSJerome Forissier * 275*039e02dfSJerome Forissier * \param condition Condition to test. 276*039e02dfSJerome Forissier * \param if1 The first sign; must be either +1 or -1. 277*039e02dfSJerome Forissier * \param if0 The second sign; must be either +1 or -1. 278*039e02dfSJerome Forissier * 279*039e02dfSJerome Forissier * \return \c if1 if \p condition is nonzero, otherwise \c if0. 280*039e02dfSJerome Forissier * */ 281*039e02dfSJerome Forissier static int mbedtls_ct_cond_select_sign( unsigned char condition, 282*039e02dfSJerome Forissier int if1, 283*039e02dfSJerome Forissier int if0 ) 284*039e02dfSJerome Forissier { 285*039e02dfSJerome Forissier /* In order to avoid questions about what we can reasonably assume about 286*039e02dfSJerome Forissier * the representations of signed integers, move everything to unsigned 287*039e02dfSJerome Forissier * by taking advantage of the fact that if1 and if0 are either +1 or -1. */ 288*039e02dfSJerome Forissier unsigned uif1 = if1 + 1; 289*039e02dfSJerome Forissier unsigned uif0 = if0 + 1; 290*039e02dfSJerome Forissier 291*039e02dfSJerome Forissier /* condition was 0 or 1, mask is 0 or 2 as are uif1 and uif0 */ 292*039e02dfSJerome Forissier const unsigned mask = condition << 1; 293*039e02dfSJerome Forissier 294*039e02dfSJerome Forissier /* select uif1 or uif0 */ 295*039e02dfSJerome Forissier unsigned ur = ( uif0 & ~mask ) | ( uif1 & mask ); 296*039e02dfSJerome Forissier 297*039e02dfSJerome Forissier /* ur is now 0 or 2, convert back to -1 or +1 */ 298*039e02dfSJerome Forissier return( (int) ur - 1 ); 299*039e02dfSJerome Forissier } 300*039e02dfSJerome Forissier 301*039e02dfSJerome Forissier void mbedtls_ct_mpi_uint_cond_assign( size_t n, 302*039e02dfSJerome Forissier mbedtls_mpi_uint *dest, 303*039e02dfSJerome Forissier const mbedtls_mpi_uint *src, 304*039e02dfSJerome Forissier unsigned char condition ) 305*039e02dfSJerome Forissier { 306*039e02dfSJerome Forissier size_t i; 307*039e02dfSJerome Forissier 308*039e02dfSJerome Forissier /* MSVC has a warning about unary minus on unsigned integer types, 309*039e02dfSJerome Forissier * but this is well-defined and precisely what we want to do here. */ 310*039e02dfSJerome Forissier #if defined(_MSC_VER) 311*039e02dfSJerome Forissier #pragma warning( push ) 312*039e02dfSJerome Forissier #pragma warning( disable : 4146 ) 313*039e02dfSJerome Forissier #endif 314*039e02dfSJerome Forissier 315*039e02dfSJerome Forissier /* all-bits 1 if condition is 1, all-bits 0 if condition is 0 */ 316*039e02dfSJerome Forissier const mbedtls_mpi_uint mask = -condition; 317*039e02dfSJerome Forissier 318*039e02dfSJerome Forissier #if defined(_MSC_VER) 319*039e02dfSJerome Forissier #pragma warning( pop ) 320*039e02dfSJerome Forissier #endif 321*039e02dfSJerome Forissier 322*039e02dfSJerome Forissier for( i = 0; i < n; i++ ) 323*039e02dfSJerome Forissier dest[i] = ( src[i] & mask ) | ( dest[i] & ~mask ); 324*039e02dfSJerome Forissier } 325*039e02dfSJerome Forissier 326*039e02dfSJerome Forissier #endif /* MBEDTLS_BIGNUM_C */ 327*039e02dfSJerome Forissier 328*039e02dfSJerome Forissier #if defined(MBEDTLS_BASE64_C) 329*039e02dfSJerome Forissier 330*039e02dfSJerome Forissier unsigned char mbedtls_ct_base64_enc_char( unsigned char value ) 331*039e02dfSJerome Forissier { 332*039e02dfSJerome Forissier unsigned char digit = 0; 333*039e02dfSJerome Forissier /* For each range of values, if value is in that range, mask digit with 334*039e02dfSJerome Forissier * the corresponding value. Since value can only be in a single range, 335*039e02dfSJerome Forissier * only at most one masking will change digit. */ 336*039e02dfSJerome Forissier digit |= mbedtls_ct_uchar_mask_of_range( 0, 25, value ) & ( 'A' + value ); 337*039e02dfSJerome Forissier digit |= mbedtls_ct_uchar_mask_of_range( 26, 51, value ) & ( 'a' + value - 26 ); 338*039e02dfSJerome Forissier digit |= mbedtls_ct_uchar_mask_of_range( 52, 61, value ) & ( '0' + value - 52 ); 339*039e02dfSJerome Forissier digit |= mbedtls_ct_uchar_mask_of_range( 62, 62, value ) & '+'; 340*039e02dfSJerome Forissier digit |= mbedtls_ct_uchar_mask_of_range( 63, 63, value ) & '/'; 341*039e02dfSJerome Forissier return( digit ); 342*039e02dfSJerome Forissier } 343*039e02dfSJerome Forissier 344*039e02dfSJerome Forissier signed char mbedtls_ct_base64_dec_value( unsigned char c ) 345*039e02dfSJerome Forissier { 346*039e02dfSJerome Forissier unsigned char val = 0; 347*039e02dfSJerome Forissier /* For each range of digits, if c is in that range, mask val with 348*039e02dfSJerome Forissier * the corresponding value. Since c can only be in a single range, 349*039e02dfSJerome Forissier * only at most one masking will change val. Set val to one plus 350*039e02dfSJerome Forissier * the desired value so that it stays 0 if c is in none of the ranges. */ 351*039e02dfSJerome Forissier val |= mbedtls_ct_uchar_mask_of_range( 'A', 'Z', c ) & ( c - 'A' + 0 + 1 ); 352*039e02dfSJerome Forissier val |= mbedtls_ct_uchar_mask_of_range( 'a', 'z', c ) & ( c - 'a' + 26 + 1 ); 353*039e02dfSJerome Forissier val |= mbedtls_ct_uchar_mask_of_range( '0', '9', c ) & ( c - '0' + 52 + 1 ); 354*039e02dfSJerome Forissier val |= mbedtls_ct_uchar_mask_of_range( '+', '+', c ) & ( c - '+' + 62 + 1 ); 355*039e02dfSJerome Forissier val |= mbedtls_ct_uchar_mask_of_range( '/', '/', c ) & ( c - '/' + 63 + 1 ); 356*039e02dfSJerome Forissier /* At this point, val is 0 if c is an invalid digit and v+1 if c is 357*039e02dfSJerome Forissier * a digit with the value v. */ 358*039e02dfSJerome Forissier return( val - 1 ); 359*039e02dfSJerome Forissier } 360*039e02dfSJerome Forissier 361*039e02dfSJerome Forissier #endif /* MBEDTLS_BASE64_C */ 362*039e02dfSJerome Forissier 363*039e02dfSJerome Forissier #if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) 364*039e02dfSJerome Forissier 365*039e02dfSJerome Forissier /** Shift some data towards the left inside a buffer. 366*039e02dfSJerome Forissier * 367*039e02dfSJerome Forissier * `mbedtls_ct_mem_move_to_left(start, total, offset)` is functionally 368*039e02dfSJerome Forissier * equivalent to 369*039e02dfSJerome Forissier * ``` 370*039e02dfSJerome Forissier * memmove(start, start + offset, total - offset); 371*039e02dfSJerome Forissier * memset(start + offset, 0, total - offset); 372*039e02dfSJerome Forissier * ``` 373*039e02dfSJerome Forissier * but it strives to use a memory access pattern (and thus total timing) 374*039e02dfSJerome Forissier * that does not depend on \p offset. This timing independence comes at 375*039e02dfSJerome Forissier * the expense of performance. 376*039e02dfSJerome Forissier * 377*039e02dfSJerome Forissier * \param start Pointer to the start of the buffer. 378*039e02dfSJerome Forissier * \param total Total size of the buffer. 379*039e02dfSJerome Forissier * \param offset Offset from which to copy \p total - \p offset bytes. 380*039e02dfSJerome Forissier */ 381*039e02dfSJerome Forissier static void mbedtls_ct_mem_move_to_left( void *start, 382*039e02dfSJerome Forissier size_t total, 383*039e02dfSJerome Forissier size_t offset ) 384*039e02dfSJerome Forissier { 385*039e02dfSJerome Forissier volatile unsigned char *buf = start; 386*039e02dfSJerome Forissier size_t i, n; 387*039e02dfSJerome Forissier if( total == 0 ) 388*039e02dfSJerome Forissier return; 389*039e02dfSJerome Forissier for( i = 0; i < total; i++ ) 390*039e02dfSJerome Forissier { 391*039e02dfSJerome Forissier unsigned no_op = mbedtls_ct_size_gt( total - offset, i ); 392*039e02dfSJerome Forissier /* The first `total - offset` passes are a no-op. The last 393*039e02dfSJerome Forissier * `offset` passes shift the data one byte to the left and 394*039e02dfSJerome Forissier * zero out the last byte. */ 395*039e02dfSJerome Forissier for( n = 0; n < total - 1; n++ ) 396*039e02dfSJerome Forissier { 397*039e02dfSJerome Forissier unsigned char current = buf[n]; 398*039e02dfSJerome Forissier unsigned char next = buf[n+1]; 399*039e02dfSJerome Forissier buf[n] = mbedtls_ct_uint_if( no_op, current, next ); 400*039e02dfSJerome Forissier } 401*039e02dfSJerome Forissier buf[total-1] = mbedtls_ct_uint_if( no_op, buf[total-1], 0 ); 402*039e02dfSJerome Forissier } 403*039e02dfSJerome Forissier } 404*039e02dfSJerome Forissier 405*039e02dfSJerome Forissier #endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */ 406*039e02dfSJerome Forissier 407*039e02dfSJerome Forissier #if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) 408*039e02dfSJerome Forissier 409*039e02dfSJerome Forissier void mbedtls_ct_memcpy_if_eq( unsigned char *dest, 410*039e02dfSJerome Forissier const unsigned char *src, 411*039e02dfSJerome Forissier size_t len, 412*039e02dfSJerome Forissier size_t c1, 413*039e02dfSJerome Forissier size_t c2 ) 414*039e02dfSJerome Forissier { 415*039e02dfSJerome Forissier /* mask = c1 == c2 ? 0xff : 0x00 */ 416*039e02dfSJerome Forissier const size_t equal = mbedtls_ct_size_bool_eq( c1, c2 ); 417*039e02dfSJerome Forissier const unsigned char mask = (unsigned char) mbedtls_ct_size_mask( equal ); 418*039e02dfSJerome Forissier 419*039e02dfSJerome Forissier /* dest[i] = c1 == c2 ? src[i] : dest[i] */ 420*039e02dfSJerome Forissier for( size_t i = 0; i < len; i++ ) 421*039e02dfSJerome Forissier dest[i] = ( src[i] & mask ) | ( dest[i] & ~mask ); 422*039e02dfSJerome Forissier } 423*039e02dfSJerome Forissier 424*039e02dfSJerome Forissier void mbedtls_ct_memcpy_offset( unsigned char *dest, 425*039e02dfSJerome Forissier const unsigned char *src, 426*039e02dfSJerome Forissier size_t offset, 427*039e02dfSJerome Forissier size_t offset_min, 428*039e02dfSJerome Forissier size_t offset_max, 429*039e02dfSJerome Forissier size_t len ) 430*039e02dfSJerome Forissier { 431*039e02dfSJerome Forissier size_t offsetval; 432*039e02dfSJerome Forissier 433*039e02dfSJerome Forissier for( offsetval = offset_min; offsetval <= offset_max; offsetval++ ) 434*039e02dfSJerome Forissier { 435*039e02dfSJerome Forissier mbedtls_ct_memcpy_if_eq( dest, src + offsetval, len, 436*039e02dfSJerome Forissier offsetval, offset ); 437*039e02dfSJerome Forissier } 438*039e02dfSJerome Forissier } 439*039e02dfSJerome Forissier 440*039e02dfSJerome Forissier int mbedtls_ct_hmac( mbedtls_md_context_t *ctx, 441*039e02dfSJerome Forissier const unsigned char *add_data, 442*039e02dfSJerome Forissier size_t add_data_len, 443*039e02dfSJerome Forissier const unsigned char *data, 444*039e02dfSJerome Forissier size_t data_len_secret, 445*039e02dfSJerome Forissier size_t min_data_len, 446*039e02dfSJerome Forissier size_t max_data_len, 447*039e02dfSJerome Forissier unsigned char *output ) 448*039e02dfSJerome Forissier { 449*039e02dfSJerome Forissier /* 450*039e02dfSJerome Forissier * This function breaks the HMAC abstraction and uses the md_clone() 451*039e02dfSJerome Forissier * extension to the MD API in order to get constant-flow behaviour. 452*039e02dfSJerome Forissier * 453*039e02dfSJerome Forissier * HMAC(msg) is defined as HASH(okey + HASH(ikey + msg)) where + means 454*039e02dfSJerome Forissier * concatenation, and okey/ikey are the XOR of the key with some fixed bit 455*039e02dfSJerome Forissier * patterns (see RFC 2104, sec. 2), which are stored in ctx->hmac_ctx. 456*039e02dfSJerome Forissier * 457*039e02dfSJerome Forissier * We'll first compute inner_hash = HASH(ikey + msg) by hashing up to 458*039e02dfSJerome Forissier * minlen, then cloning the context, and for each byte up to maxlen 459*039e02dfSJerome Forissier * finishing up the hash computation, keeping only the correct result. 460*039e02dfSJerome Forissier * 461*039e02dfSJerome Forissier * Then we only need to compute HASH(okey + inner_hash) and we're done. 462*039e02dfSJerome Forissier */ 463*039e02dfSJerome Forissier const mbedtls_md_type_t md_alg = mbedtls_md_get_type( ctx->md_info ); 464*039e02dfSJerome Forissier /* TLS 1.0-1.2 only support SHA-384, SHA-256, SHA-1, MD-5, 465*039e02dfSJerome Forissier * all of which have the same block size except SHA-384. */ 466*039e02dfSJerome Forissier const size_t block_size = md_alg == MBEDTLS_MD_SHA384 ? 128 : 64; 467*039e02dfSJerome Forissier const unsigned char * const ikey = ctx->hmac_ctx; 468*039e02dfSJerome Forissier const unsigned char * const okey = ikey + block_size; 469*039e02dfSJerome Forissier const size_t hash_size = mbedtls_md_get_size( ctx->md_info ); 470*039e02dfSJerome Forissier 471*039e02dfSJerome Forissier unsigned char aux_out[MBEDTLS_MD_MAX_SIZE]; 472*039e02dfSJerome Forissier mbedtls_md_context_t aux; 473*039e02dfSJerome Forissier size_t offset; 474*039e02dfSJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 475*039e02dfSJerome Forissier 476*039e02dfSJerome Forissier mbedtls_md_init( &aux ); 477*039e02dfSJerome Forissier 478*039e02dfSJerome Forissier #define MD_CHK( func_call ) \ 479*039e02dfSJerome Forissier do { \ 480*039e02dfSJerome Forissier ret = (func_call); \ 481*039e02dfSJerome Forissier if( ret != 0 ) \ 482*039e02dfSJerome Forissier goto cleanup; \ 483*039e02dfSJerome Forissier } while( 0 ) 484*039e02dfSJerome Forissier 485*039e02dfSJerome Forissier MD_CHK( mbedtls_md_setup( &aux, ctx->md_info, 0 ) ); 486*039e02dfSJerome Forissier 487*039e02dfSJerome Forissier /* After hmac_start() of hmac_reset(), ikey has already been hashed, 488*039e02dfSJerome Forissier * so we can start directly with the message */ 489*039e02dfSJerome Forissier MD_CHK( mbedtls_md_update( ctx, add_data, add_data_len ) ); 490*039e02dfSJerome Forissier MD_CHK( mbedtls_md_update( ctx, data, min_data_len ) ); 491*039e02dfSJerome Forissier 492*039e02dfSJerome Forissier /* Fill the hash buffer in advance with something that is 493*039e02dfSJerome Forissier * not a valid hash (barring an attack on the hash and 494*039e02dfSJerome Forissier * deliberately-crafted input), in case the caller doesn't 495*039e02dfSJerome Forissier * check the return status properly. */ 496*039e02dfSJerome Forissier memset( output, '!', hash_size ); 497*039e02dfSJerome Forissier 498*039e02dfSJerome Forissier /* For each possible length, compute the hash up to that point */ 499*039e02dfSJerome Forissier for( offset = min_data_len; offset <= max_data_len; offset++ ) 500*039e02dfSJerome Forissier { 501*039e02dfSJerome Forissier MD_CHK( mbedtls_md_clone( &aux, ctx ) ); 502*039e02dfSJerome Forissier MD_CHK( mbedtls_md_finish( &aux, aux_out ) ); 503*039e02dfSJerome Forissier /* Keep only the correct inner_hash in the output buffer */ 504*039e02dfSJerome Forissier mbedtls_ct_memcpy_if_eq( output, aux_out, hash_size, 505*039e02dfSJerome Forissier offset, data_len_secret ); 506*039e02dfSJerome Forissier 507*039e02dfSJerome Forissier if( offset < max_data_len ) 508*039e02dfSJerome Forissier MD_CHK( mbedtls_md_update( ctx, data + offset, 1 ) ); 509*039e02dfSJerome Forissier } 510*039e02dfSJerome Forissier 511*039e02dfSJerome Forissier /* The context needs to finish() before it starts() again */ 512*039e02dfSJerome Forissier MD_CHK( mbedtls_md_finish( ctx, aux_out ) ); 513*039e02dfSJerome Forissier 514*039e02dfSJerome Forissier /* Now compute HASH(okey + inner_hash) */ 515*039e02dfSJerome Forissier MD_CHK( mbedtls_md_starts( ctx ) ); 516*039e02dfSJerome Forissier MD_CHK( mbedtls_md_update( ctx, okey, block_size ) ); 517*039e02dfSJerome Forissier MD_CHK( mbedtls_md_update( ctx, output, hash_size ) ); 518*039e02dfSJerome Forissier MD_CHK( mbedtls_md_finish( ctx, output ) ); 519*039e02dfSJerome Forissier 520*039e02dfSJerome Forissier /* Done, get ready for next time */ 521*039e02dfSJerome Forissier MD_CHK( mbedtls_md_hmac_reset( ctx ) ); 522*039e02dfSJerome Forissier 523*039e02dfSJerome Forissier #undef MD_CHK 524*039e02dfSJerome Forissier 525*039e02dfSJerome Forissier cleanup: 526*039e02dfSJerome Forissier mbedtls_md_free( &aux ); 527*039e02dfSJerome Forissier return( ret ); 528*039e02dfSJerome Forissier } 529*039e02dfSJerome Forissier 530*039e02dfSJerome Forissier #endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ 531*039e02dfSJerome Forissier 532*039e02dfSJerome Forissier #if defined(MBEDTLS_BIGNUM_C) 533*039e02dfSJerome Forissier 534*039e02dfSJerome Forissier #define MPI_VALIDATE_RET( cond ) \ 535*039e02dfSJerome Forissier MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_MPI_BAD_INPUT_DATA ) 536*039e02dfSJerome Forissier 537*039e02dfSJerome Forissier /* 538*039e02dfSJerome Forissier * Conditionally assign X = Y, without leaking information 539*039e02dfSJerome Forissier * about whether the assignment was made or not. 540*039e02dfSJerome Forissier * (Leaking information about the respective sizes of X and Y is ok however.) 541*039e02dfSJerome Forissier */ 542*039e02dfSJerome Forissier #if defined(_MSC_VER) && defined(_M_ARM64) && (_MSC_FULL_VER < 193131103) 543*039e02dfSJerome Forissier /* 544*039e02dfSJerome Forissier * MSVC miscompiles this function if it's inlined prior to Visual Studio 2022 version 17.1. See: 545*039e02dfSJerome Forissier * https://developercommunity.visualstudio.com/t/c-compiler-miscompiles-part-of-mbedtls-library-on/1646989 546*039e02dfSJerome Forissier */ 547*039e02dfSJerome Forissier __declspec(noinline) 548*039e02dfSJerome Forissier #endif 549*039e02dfSJerome Forissier int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X, 550*039e02dfSJerome Forissier const mbedtls_mpi *Y, 551*039e02dfSJerome Forissier unsigned char assign ) 552*039e02dfSJerome Forissier { 553*039e02dfSJerome Forissier int ret = 0; 554*039e02dfSJerome Forissier size_t i; 555*039e02dfSJerome Forissier mbedtls_mpi_uint limb_mask; 556*039e02dfSJerome Forissier MPI_VALIDATE_RET( X != NULL ); 557*039e02dfSJerome Forissier MPI_VALIDATE_RET( Y != NULL ); 558*039e02dfSJerome Forissier 559*039e02dfSJerome Forissier /* all-bits 1 if assign is 1, all-bits 0 if assign is 0 */ 560*039e02dfSJerome Forissier limb_mask = mbedtls_ct_mpi_uint_mask( assign );; 561*039e02dfSJerome Forissier 562*039e02dfSJerome Forissier MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) ); 563*039e02dfSJerome Forissier 564*039e02dfSJerome Forissier X->s = mbedtls_ct_cond_select_sign( assign, Y->s, X->s ); 565*039e02dfSJerome Forissier 566*039e02dfSJerome Forissier mbedtls_ct_mpi_uint_cond_assign( Y->n, X->p, Y->p, assign ); 567*039e02dfSJerome Forissier 568*039e02dfSJerome Forissier for( i = Y->n; i < X->n; i++ ) 569*039e02dfSJerome Forissier X->p[i] &= ~limb_mask; 570*039e02dfSJerome Forissier 571*039e02dfSJerome Forissier cleanup: 572*039e02dfSJerome Forissier return( ret ); 573*039e02dfSJerome Forissier } 574*039e02dfSJerome Forissier 575*039e02dfSJerome Forissier /* 576*039e02dfSJerome Forissier * Conditionally swap X and Y, without leaking information 577*039e02dfSJerome Forissier * about whether the swap was made or not. 578*039e02dfSJerome Forissier * Here it is not ok to simply swap the pointers, which would lead to 579*039e02dfSJerome Forissier * different memory access patterns when X and Y are used afterwards. 580*039e02dfSJerome Forissier */ 581*039e02dfSJerome Forissier int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, 582*039e02dfSJerome Forissier mbedtls_mpi *Y, 583*039e02dfSJerome Forissier unsigned char swap ) 584*039e02dfSJerome Forissier { 585*039e02dfSJerome Forissier int ret, s; 586*039e02dfSJerome Forissier size_t i; 587*039e02dfSJerome Forissier mbedtls_mpi_uint limb_mask; 588*039e02dfSJerome Forissier mbedtls_mpi_uint tmp; 589*039e02dfSJerome Forissier MPI_VALIDATE_RET( X != NULL ); 590*039e02dfSJerome Forissier MPI_VALIDATE_RET( Y != NULL ); 591*039e02dfSJerome Forissier 592*039e02dfSJerome Forissier if( X == Y ) 593*039e02dfSJerome Forissier return( 0 ); 594*039e02dfSJerome Forissier 595*039e02dfSJerome Forissier /* all-bits 1 if swap is 1, all-bits 0 if swap is 0 */ 596*039e02dfSJerome Forissier limb_mask = mbedtls_ct_mpi_uint_mask( swap ); 597*039e02dfSJerome Forissier 598*039e02dfSJerome Forissier MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) ); 599*039e02dfSJerome Forissier MBEDTLS_MPI_CHK( mbedtls_mpi_grow( Y, X->n ) ); 600*039e02dfSJerome Forissier 601*039e02dfSJerome Forissier s = X->s; 602*039e02dfSJerome Forissier X->s = mbedtls_ct_cond_select_sign( swap, Y->s, X->s ); 603*039e02dfSJerome Forissier Y->s = mbedtls_ct_cond_select_sign( swap, s, Y->s ); 604*039e02dfSJerome Forissier 605*039e02dfSJerome Forissier 606*039e02dfSJerome Forissier for( i = 0; i < X->n; i++ ) 607*039e02dfSJerome Forissier { 608*039e02dfSJerome Forissier tmp = X->p[i]; 609*039e02dfSJerome Forissier X->p[i] = ( X->p[i] & ~limb_mask ) | ( Y->p[i] & limb_mask ); 610*039e02dfSJerome Forissier Y->p[i] = ( Y->p[i] & ~limb_mask ) | ( tmp & limb_mask ); 611*039e02dfSJerome Forissier } 612*039e02dfSJerome Forissier 613*039e02dfSJerome Forissier cleanup: 614*039e02dfSJerome Forissier return( ret ); 615*039e02dfSJerome Forissier } 616*039e02dfSJerome Forissier 617*039e02dfSJerome Forissier /* 618*039e02dfSJerome Forissier * Compare signed values in constant time 619*039e02dfSJerome Forissier */ 620*039e02dfSJerome Forissier int mbedtls_mpi_lt_mpi_ct( const mbedtls_mpi *X, 621*039e02dfSJerome Forissier const mbedtls_mpi *Y, 622*039e02dfSJerome Forissier unsigned *ret ) 623*039e02dfSJerome Forissier { 624*039e02dfSJerome Forissier size_t i; 625*039e02dfSJerome Forissier /* The value of any of these variables is either 0 or 1 at all times. */ 626*039e02dfSJerome Forissier unsigned cond, done, X_is_negative, Y_is_negative; 627*039e02dfSJerome Forissier 628*039e02dfSJerome Forissier MPI_VALIDATE_RET( X != NULL ); 629*039e02dfSJerome Forissier MPI_VALIDATE_RET( Y != NULL ); 630*039e02dfSJerome Forissier MPI_VALIDATE_RET( ret != NULL ); 631*039e02dfSJerome Forissier 632*039e02dfSJerome Forissier if( X->n != Y->n ) 633*039e02dfSJerome Forissier return MBEDTLS_ERR_MPI_BAD_INPUT_DATA; 634*039e02dfSJerome Forissier 635*039e02dfSJerome Forissier /* 636*039e02dfSJerome Forissier * Set sign_N to 1 if N >= 0, 0 if N < 0. 637*039e02dfSJerome Forissier * We know that N->s == 1 if N >= 0 and N->s == -1 if N < 0. 638*039e02dfSJerome Forissier */ 639*039e02dfSJerome Forissier X_is_negative = ( X->s & 2 ) >> 1; 640*039e02dfSJerome Forissier Y_is_negative = ( Y->s & 2 ) >> 1; 641*039e02dfSJerome Forissier 642*039e02dfSJerome Forissier /* 643*039e02dfSJerome Forissier * If the signs are different, then the positive operand is the bigger. 644*039e02dfSJerome Forissier * That is if X is negative (X_is_negative == 1), then X < Y is true and it 645*039e02dfSJerome Forissier * is false if X is positive (X_is_negative == 0). 646*039e02dfSJerome Forissier */ 647*039e02dfSJerome Forissier cond = ( X_is_negative ^ Y_is_negative ); 648*039e02dfSJerome Forissier *ret = cond & X_is_negative; 649*039e02dfSJerome Forissier 650*039e02dfSJerome Forissier /* 651*039e02dfSJerome Forissier * This is a constant-time function. We might have the result, but we still 652*039e02dfSJerome Forissier * need to go through the loop. Record if we have the result already. 653*039e02dfSJerome Forissier */ 654*039e02dfSJerome Forissier done = cond; 655*039e02dfSJerome Forissier 656*039e02dfSJerome Forissier for( i = X->n; i > 0; i-- ) 657*039e02dfSJerome Forissier { 658*039e02dfSJerome Forissier /* 659*039e02dfSJerome Forissier * If Y->p[i - 1] < X->p[i - 1] then X < Y is true if and only if both 660*039e02dfSJerome Forissier * X and Y are negative. 661*039e02dfSJerome Forissier * 662*039e02dfSJerome Forissier * Again even if we can make a decision, we just mark the result and 663*039e02dfSJerome Forissier * the fact that we are done and continue looping. 664*039e02dfSJerome Forissier */ 665*039e02dfSJerome Forissier cond = mbedtls_ct_mpi_uint_lt( Y->p[i - 1], X->p[i - 1] ); 666*039e02dfSJerome Forissier *ret |= cond & ( 1 - done ) & X_is_negative; 667*039e02dfSJerome Forissier done |= cond; 668*039e02dfSJerome Forissier 669*039e02dfSJerome Forissier /* 670*039e02dfSJerome Forissier * If X->p[i - 1] < Y->p[i - 1] then X < Y is true if and only if both 671*039e02dfSJerome Forissier * X and Y are positive. 672*039e02dfSJerome Forissier * 673*039e02dfSJerome Forissier * Again even if we can make a decision, we just mark the result and 674*039e02dfSJerome Forissier * the fact that we are done and continue looping. 675*039e02dfSJerome Forissier */ 676*039e02dfSJerome Forissier cond = mbedtls_ct_mpi_uint_lt( X->p[i - 1], Y->p[i - 1] ); 677*039e02dfSJerome Forissier *ret |= cond & ( 1 - done ) & ( 1 - X_is_negative ); 678*039e02dfSJerome Forissier done |= cond; 679*039e02dfSJerome Forissier } 680*039e02dfSJerome Forissier 681*039e02dfSJerome Forissier return( 0 ); 682*039e02dfSJerome Forissier } 683*039e02dfSJerome Forissier 684*039e02dfSJerome Forissier #endif /* MBEDTLS_BIGNUM_C */ 685*039e02dfSJerome Forissier 686*039e02dfSJerome Forissier #if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) 687*039e02dfSJerome Forissier 688*039e02dfSJerome Forissier int mbedtls_ct_rsaes_pkcs1_v15_unpadding( int mode, 689*039e02dfSJerome Forissier unsigned char *input, 690*039e02dfSJerome Forissier size_t ilen, 691*039e02dfSJerome Forissier unsigned char *output, 692*039e02dfSJerome Forissier size_t output_max_len, 693*039e02dfSJerome Forissier size_t *olen ) 694*039e02dfSJerome Forissier { 695*039e02dfSJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 696*039e02dfSJerome Forissier size_t i, plaintext_max_size; 697*039e02dfSJerome Forissier 698*039e02dfSJerome Forissier /* The following variables take sensitive values: their value must 699*039e02dfSJerome Forissier * not leak into the observable behavior of the function other than 700*039e02dfSJerome Forissier * the designated outputs (output, olen, return value). Otherwise 701*039e02dfSJerome Forissier * this would open the execution of the function to 702*039e02dfSJerome Forissier * side-channel-based variants of the Bleichenbacher padding oracle 703*039e02dfSJerome Forissier * attack. Potential side channels include overall timing, memory 704*039e02dfSJerome Forissier * access patterns (especially visible to an adversary who has access 705*039e02dfSJerome Forissier * to a shared memory cache), and branches (especially visible to 706*039e02dfSJerome Forissier * an adversary who has access to a shared code cache or to a shared 707*039e02dfSJerome Forissier * branch predictor). */ 708*039e02dfSJerome Forissier size_t pad_count = 0; 709*039e02dfSJerome Forissier unsigned bad = 0; 710*039e02dfSJerome Forissier unsigned char pad_done = 0; 711*039e02dfSJerome Forissier size_t plaintext_size = 0; 712*039e02dfSJerome Forissier unsigned output_too_large; 713*039e02dfSJerome Forissier 714*039e02dfSJerome Forissier plaintext_max_size = ( output_max_len > ilen - 11 ) ? ilen - 11 715*039e02dfSJerome Forissier : output_max_len; 716*039e02dfSJerome Forissier 717*039e02dfSJerome Forissier /* Check and get padding length in constant time and constant 718*039e02dfSJerome Forissier * memory trace. The first byte must be 0. */ 719*039e02dfSJerome Forissier bad |= input[0]; 720*039e02dfSJerome Forissier 721*039e02dfSJerome Forissier if( mode == MBEDTLS_RSA_PRIVATE ) 722*039e02dfSJerome Forissier { 723*039e02dfSJerome Forissier /* Decode EME-PKCS1-v1_5 padding: 0x00 || 0x02 || PS || 0x00 724*039e02dfSJerome Forissier * where PS must be at least 8 nonzero bytes. */ 725*039e02dfSJerome Forissier bad |= input[1] ^ MBEDTLS_RSA_CRYPT; 726*039e02dfSJerome Forissier 727*039e02dfSJerome Forissier /* Read the whole buffer. Set pad_done to nonzero if we find 728*039e02dfSJerome Forissier * the 0x00 byte and remember the padding length in pad_count. */ 729*039e02dfSJerome Forissier for( i = 2; i < ilen; i++ ) 730*039e02dfSJerome Forissier { 731*039e02dfSJerome Forissier pad_done |= ((input[i] | (unsigned char)-input[i]) >> 7) ^ 1; 732*039e02dfSJerome Forissier pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1; 733*039e02dfSJerome Forissier } 734*039e02dfSJerome Forissier } 735*039e02dfSJerome Forissier else 736*039e02dfSJerome Forissier { 737*039e02dfSJerome Forissier /* Decode EMSA-PKCS1-v1_5 padding: 0x00 || 0x01 || PS || 0x00 738*039e02dfSJerome Forissier * where PS must be at least 8 bytes with the value 0xFF. */ 739*039e02dfSJerome Forissier bad |= input[1] ^ MBEDTLS_RSA_SIGN; 740*039e02dfSJerome Forissier 741*039e02dfSJerome Forissier /* Read the whole buffer. Set pad_done to nonzero if we find 742*039e02dfSJerome Forissier * the 0x00 byte and remember the padding length in pad_count. 743*039e02dfSJerome Forissier * If there's a non-0xff byte in the padding, the padding is bad. */ 744*039e02dfSJerome Forissier for( i = 2; i < ilen; i++ ) 745*039e02dfSJerome Forissier { 746*039e02dfSJerome Forissier pad_done |= mbedtls_ct_uint_if( input[i], 0, 1 ); 747*039e02dfSJerome Forissier pad_count += mbedtls_ct_uint_if( pad_done, 0, 1 ); 748*039e02dfSJerome Forissier bad |= mbedtls_ct_uint_if( pad_done, 0, input[i] ^ 0xFF ); 749*039e02dfSJerome Forissier } 750*039e02dfSJerome Forissier } 751*039e02dfSJerome Forissier 752*039e02dfSJerome Forissier /* If pad_done is still zero, there's no data, only unfinished padding. */ 753*039e02dfSJerome Forissier bad |= mbedtls_ct_uint_if( pad_done, 0, 1 ); 754*039e02dfSJerome Forissier 755*039e02dfSJerome Forissier /* There must be at least 8 bytes of padding. */ 756*039e02dfSJerome Forissier bad |= mbedtls_ct_size_gt( 8, pad_count ); 757*039e02dfSJerome Forissier 758*039e02dfSJerome Forissier /* If the padding is valid, set plaintext_size to the number of 759*039e02dfSJerome Forissier * remaining bytes after stripping the padding. If the padding 760*039e02dfSJerome Forissier * is invalid, avoid leaking this fact through the size of the 761*039e02dfSJerome Forissier * output: use the maximum message size that fits in the output 762*039e02dfSJerome Forissier * buffer. Do it without branches to avoid leaking the padding 763*039e02dfSJerome Forissier * validity through timing. RSA keys are small enough that all the 764*039e02dfSJerome Forissier * size_t values involved fit in unsigned int. */ 765*039e02dfSJerome Forissier plaintext_size = mbedtls_ct_uint_if( 766*039e02dfSJerome Forissier bad, (unsigned) plaintext_max_size, 767*039e02dfSJerome Forissier (unsigned) ( ilen - pad_count - 3 ) ); 768*039e02dfSJerome Forissier 769*039e02dfSJerome Forissier /* Set output_too_large to 0 if the plaintext fits in the output 770*039e02dfSJerome Forissier * buffer and to 1 otherwise. */ 771*039e02dfSJerome Forissier output_too_large = mbedtls_ct_size_gt( plaintext_size, 772*039e02dfSJerome Forissier plaintext_max_size ); 773*039e02dfSJerome Forissier 774*039e02dfSJerome Forissier /* Set ret without branches to avoid timing attacks. Return: 775*039e02dfSJerome Forissier * - INVALID_PADDING if the padding is bad (bad != 0). 776*039e02dfSJerome Forissier * - OUTPUT_TOO_LARGE if the padding is good but the decrypted 777*039e02dfSJerome Forissier * plaintext does not fit in the output buffer. 778*039e02dfSJerome Forissier * - 0 if the padding is correct. */ 779*039e02dfSJerome Forissier ret = - (int) mbedtls_ct_uint_if( 780*039e02dfSJerome Forissier bad, - MBEDTLS_ERR_RSA_INVALID_PADDING, 781*039e02dfSJerome Forissier mbedtls_ct_uint_if( output_too_large, 782*039e02dfSJerome Forissier - MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE, 783*039e02dfSJerome Forissier 0 ) ); 784*039e02dfSJerome Forissier 785*039e02dfSJerome Forissier /* If the padding is bad or the plaintext is too large, zero the 786*039e02dfSJerome Forissier * data that we're about to copy to the output buffer. 787*039e02dfSJerome Forissier * We need to copy the same amount of data 788*039e02dfSJerome Forissier * from the same buffer whether the padding is good or not to 789*039e02dfSJerome Forissier * avoid leaking the padding validity through overall timing or 790*039e02dfSJerome Forissier * through memory or cache access patterns. */ 791*039e02dfSJerome Forissier bad = mbedtls_ct_uint_mask( bad | output_too_large ); 792*039e02dfSJerome Forissier for( i = 11; i < ilen; i++ ) 793*039e02dfSJerome Forissier input[i] &= ~bad; 794*039e02dfSJerome Forissier 795*039e02dfSJerome Forissier /* If the plaintext is too large, truncate it to the buffer size. 796*039e02dfSJerome Forissier * Copy anyway to avoid revealing the length through timing, because 797*039e02dfSJerome Forissier * revealing the length is as bad as revealing the padding validity 798*039e02dfSJerome Forissier * for a Bleichenbacher attack. */ 799*039e02dfSJerome Forissier plaintext_size = mbedtls_ct_uint_if( output_too_large, 800*039e02dfSJerome Forissier (unsigned) plaintext_max_size, 801*039e02dfSJerome Forissier (unsigned) plaintext_size ); 802*039e02dfSJerome Forissier 803*039e02dfSJerome Forissier /* Move the plaintext to the leftmost position where it can start in 804*039e02dfSJerome Forissier * the working buffer, i.e. make it start plaintext_max_size from 805*039e02dfSJerome Forissier * the end of the buffer. Do this with a memory access trace that 806*039e02dfSJerome Forissier * does not depend on the plaintext size. After this move, the 807*039e02dfSJerome Forissier * starting location of the plaintext is no longer sensitive 808*039e02dfSJerome Forissier * information. */ 809*039e02dfSJerome Forissier mbedtls_ct_mem_move_to_left( input + ilen - plaintext_max_size, 810*039e02dfSJerome Forissier plaintext_max_size, 811*039e02dfSJerome Forissier plaintext_max_size - plaintext_size ); 812*039e02dfSJerome Forissier 813*039e02dfSJerome Forissier /* Finally copy the decrypted plaintext plus trailing zeros into the output 814*039e02dfSJerome Forissier * buffer. If output_max_len is 0, then output may be an invalid pointer 815*039e02dfSJerome Forissier * and the result of memcpy() would be undefined; prevent undefined 816*039e02dfSJerome Forissier * behavior making sure to depend only on output_max_len (the size of the 817*039e02dfSJerome Forissier * user-provided output buffer), which is independent from plaintext 818*039e02dfSJerome Forissier * length, validity of padding, success of the decryption, and other 819*039e02dfSJerome Forissier * secrets. */ 820*039e02dfSJerome Forissier if( output_max_len != 0 ) 821*039e02dfSJerome Forissier memcpy( output, input + ilen - plaintext_max_size, plaintext_max_size ); 822*039e02dfSJerome Forissier 823*039e02dfSJerome Forissier /* Report the amount of data we copied to the output buffer. In case 824*039e02dfSJerome Forissier * of errors (bad padding or output too large), the value of *olen 825*039e02dfSJerome Forissier * when this function returns is not specified. Making it equivalent 826*039e02dfSJerome Forissier * to the good case limits the risks of leaking the padding validity. */ 827*039e02dfSJerome Forissier *olen = plaintext_size; 828*039e02dfSJerome Forissier 829*039e02dfSJerome Forissier return( ret ); 830*039e02dfSJerome Forissier } 831*039e02dfSJerome Forissier 832*039e02dfSJerome Forissier #endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */ 833