1*039e02dfSJerome Forissier /** 2*039e02dfSJerome Forissier * Constant-time functions 3*039e02dfSJerome Forissier * 4*039e02dfSJerome Forissier * Copyright The Mbed TLS Contributors 5*039e02dfSJerome Forissier * SPDX-License-Identifier: Apache-2.0 6*039e02dfSJerome Forissier * 7*039e02dfSJerome Forissier * Licensed under the Apache License, Version 2.0 (the "License"); you may 8*039e02dfSJerome Forissier * not use this file except in compliance with the License. 9*039e02dfSJerome Forissier * You may obtain a copy of the License at 10*039e02dfSJerome Forissier * 11*039e02dfSJerome Forissier * http://www.apache.org/licenses/LICENSE-2.0 12*039e02dfSJerome Forissier * 13*039e02dfSJerome Forissier * Unless required by applicable law or agreed to in writing, software 14*039e02dfSJerome Forissier * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15*039e02dfSJerome Forissier * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16*039e02dfSJerome Forissier * See the License for the specific language governing permissions and 17*039e02dfSJerome Forissier * limitations under the License. 18*039e02dfSJerome Forissier */ 19*039e02dfSJerome Forissier 20*039e02dfSJerome Forissier #ifndef MBEDTLS_CONSTANT_TIME_INTERNAL_H 21*039e02dfSJerome Forissier #define MBEDTLS_CONSTANT_TIME_INTERNAL_H 22*039e02dfSJerome Forissier 23*039e02dfSJerome Forissier #include "common.h" 24*039e02dfSJerome Forissier 25*039e02dfSJerome Forissier #if defined(MBEDTLS_BIGNUM_C) 26*039e02dfSJerome Forissier #include "mbedtls/bignum.h" 27*039e02dfSJerome Forissier #endif 28*039e02dfSJerome Forissier 29*039e02dfSJerome Forissier #if defined(MBEDTLS_SSL_TLS_C) 30*039e02dfSJerome Forissier #include "mbedtls/ssl_internal.h" 31*039e02dfSJerome Forissier #endif 32*039e02dfSJerome Forissier 33*039e02dfSJerome Forissier #include <stddef.h> 34*039e02dfSJerome Forissier 35*039e02dfSJerome Forissier 36*039e02dfSJerome Forissier /** Turn a value into a mask: 37*039e02dfSJerome Forissier * - if \p value == 0, return the all-bits 0 mask, aka 0 38*039e02dfSJerome Forissier * - otherwise, return the all-bits 1 mask, aka (unsigned) -1 39*039e02dfSJerome Forissier * 40*039e02dfSJerome Forissier * This function can be used to write constant-time code by replacing branches 41*039e02dfSJerome Forissier * with bit operations using masks. 42*039e02dfSJerome Forissier * 43*039e02dfSJerome Forissier * \param value The value to analyze. 44*039e02dfSJerome Forissier * 45*039e02dfSJerome Forissier * \return Zero if \p value is zero, otherwise all-bits-one. 46*039e02dfSJerome Forissier */ 47*039e02dfSJerome Forissier unsigned mbedtls_ct_uint_mask( unsigned value ); 48*039e02dfSJerome Forissier 49*039e02dfSJerome Forissier #if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) 50*039e02dfSJerome Forissier 51*039e02dfSJerome Forissier /** Turn a value into a mask: 52*039e02dfSJerome Forissier * - if \p value == 0, return the all-bits 0 mask, aka 0 53*039e02dfSJerome Forissier * - otherwise, return the all-bits 1 mask, aka (size_t) -1 54*039e02dfSJerome Forissier * 55*039e02dfSJerome Forissier * This function can be used to write constant-time code by replacing branches 56*039e02dfSJerome Forissier * with bit operations using masks. 57*039e02dfSJerome Forissier * 58*039e02dfSJerome Forissier * \param value The value to analyze. 59*039e02dfSJerome Forissier * 60*039e02dfSJerome Forissier * \return Zero if \p value is zero, otherwise all-bits-one. 61*039e02dfSJerome Forissier */ 62*039e02dfSJerome Forissier size_t mbedtls_ct_size_mask( size_t value ); 63*039e02dfSJerome Forissier 64*039e02dfSJerome Forissier #endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ 65*039e02dfSJerome Forissier 66*039e02dfSJerome Forissier #if defined(MBEDTLS_BIGNUM_C) 67*039e02dfSJerome Forissier 68*039e02dfSJerome Forissier /** Turn a value into a mask: 69*039e02dfSJerome Forissier * - if \p value == 0, return the all-bits 0 mask, aka 0 70*039e02dfSJerome Forissier * - otherwise, return the all-bits 1 mask, aka (mbedtls_mpi_uint) -1 71*039e02dfSJerome Forissier * 72*039e02dfSJerome Forissier * This function can be used to write constant-time code by replacing branches 73*039e02dfSJerome Forissier * with bit operations using masks. 74*039e02dfSJerome Forissier * 75*039e02dfSJerome Forissier * \param value The value to analyze. 76*039e02dfSJerome Forissier * 77*039e02dfSJerome Forissier * \return Zero if \p value is zero, otherwise all-bits-one. 78*039e02dfSJerome Forissier */ 79*039e02dfSJerome Forissier mbedtls_mpi_uint mbedtls_ct_mpi_uint_mask( mbedtls_mpi_uint value ); 80*039e02dfSJerome Forissier 81*039e02dfSJerome Forissier #endif /* MBEDTLS_BIGNUM_C */ 82*039e02dfSJerome Forissier 83*039e02dfSJerome Forissier #if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) 84*039e02dfSJerome Forissier 85*039e02dfSJerome Forissier /** Constant-flow mask generation for "greater or equal" comparison: 86*039e02dfSJerome Forissier * - if \p x >= \p y, return all-bits 1, that is (size_t) -1 87*039e02dfSJerome Forissier * - otherwise, return all bits 0, that is 0 88*039e02dfSJerome Forissier * 89*039e02dfSJerome Forissier * This function can be used to write constant-time code by replacing branches 90*039e02dfSJerome Forissier * with bit operations using masks. 91*039e02dfSJerome Forissier * 92*039e02dfSJerome Forissier * \param x The first value to analyze. 93*039e02dfSJerome Forissier * \param y The second value to analyze. 94*039e02dfSJerome Forissier * 95*039e02dfSJerome Forissier * \return All-bits-one if \p x is greater or equal than \p y, 96*039e02dfSJerome Forissier * otherwise zero. 97*039e02dfSJerome Forissier */ 98*039e02dfSJerome Forissier size_t mbedtls_ct_size_mask_ge( size_t x, 99*039e02dfSJerome Forissier size_t y ); 100*039e02dfSJerome Forissier 101*039e02dfSJerome Forissier #endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ 102*039e02dfSJerome Forissier 103*039e02dfSJerome Forissier /** Constant-flow boolean "equal" comparison: 104*039e02dfSJerome Forissier * return x == y 105*039e02dfSJerome Forissier * 106*039e02dfSJerome Forissier * This is equivalent to \p x == \p y, but is likely to be compiled 107*039e02dfSJerome Forissier * to code using bitwise operation rather than a branch. 108*039e02dfSJerome Forissier * 109*039e02dfSJerome Forissier * \param x The first value to analyze. 110*039e02dfSJerome Forissier * \param y The second value to analyze. 111*039e02dfSJerome Forissier * 112*039e02dfSJerome Forissier * \return 1 if \p x equals to \p y, otherwise 0. 113*039e02dfSJerome Forissier */ 114*039e02dfSJerome Forissier unsigned mbedtls_ct_size_bool_eq( size_t x, 115*039e02dfSJerome Forissier size_t y ); 116*039e02dfSJerome Forissier 117*039e02dfSJerome Forissier #if defined(MBEDTLS_BIGNUM_C) 118*039e02dfSJerome Forissier 119*039e02dfSJerome Forissier /** Decide if an integer is less than the other, without branches. 120*039e02dfSJerome Forissier * 121*039e02dfSJerome Forissier * This is equivalent to \p x < \p y, but is likely to be compiled 122*039e02dfSJerome Forissier * to code using bitwise operation rather than a branch. 123*039e02dfSJerome Forissier * 124*039e02dfSJerome Forissier * \param x The first value to analyze. 125*039e02dfSJerome Forissier * \param y The second value to analyze. 126*039e02dfSJerome Forissier * 127*039e02dfSJerome Forissier * \return 1 if \p x is less than \p y, otherwise 0. 128*039e02dfSJerome Forissier */ 129*039e02dfSJerome Forissier unsigned mbedtls_ct_mpi_uint_lt( const mbedtls_mpi_uint x, 130*039e02dfSJerome Forissier const mbedtls_mpi_uint y ); 131*039e02dfSJerome Forissier 132*039e02dfSJerome Forissier #endif /* MBEDTLS_BIGNUM_C */ 133*039e02dfSJerome Forissier 134*039e02dfSJerome Forissier /** Choose between two integer values without branches. 135*039e02dfSJerome Forissier * 136*039e02dfSJerome Forissier * This is equivalent to `condition ? if1 : if0`, but is likely to be compiled 137*039e02dfSJerome Forissier * to code using bitwise operation rather than a branch. 138*039e02dfSJerome Forissier * 139*039e02dfSJerome Forissier * \param condition Condition to test. 140*039e02dfSJerome Forissier * \param if1 Value to use if \p condition is nonzero. 141*039e02dfSJerome Forissier * \param if0 Value to use if \p condition is zero. 142*039e02dfSJerome Forissier * 143*039e02dfSJerome Forissier * \return \c if1 if \p condition is nonzero, otherwise \c if0. 144*039e02dfSJerome Forissier */ 145*039e02dfSJerome Forissier unsigned mbedtls_ct_uint_if( unsigned condition, 146*039e02dfSJerome Forissier unsigned if1, 147*039e02dfSJerome Forissier unsigned if0 ); 148*039e02dfSJerome Forissier 149*039e02dfSJerome Forissier #if defined(MBEDTLS_BIGNUM_C) 150*039e02dfSJerome Forissier 151*039e02dfSJerome Forissier /** Conditionally assign a value without branches. 152*039e02dfSJerome Forissier * 153*039e02dfSJerome Forissier * This is equivalent to `if ( condition ) dest = src`, but is likely 154*039e02dfSJerome Forissier * to be compiled to code using bitwise operation rather than a branch. 155*039e02dfSJerome Forissier * 156*039e02dfSJerome Forissier * \param n \p dest and \p src must be arrays of limbs of size n. 157*039e02dfSJerome Forissier * \param dest The MPI to conditionally assign to. This must point 158*039e02dfSJerome Forissier * to an initialized MPI. 159*039e02dfSJerome Forissier * \param src The MPI to be assigned from. This must point to an 160*039e02dfSJerome Forissier * initialized MPI. 161*039e02dfSJerome Forissier * \param condition Condition to test, must be 0 or 1. 162*039e02dfSJerome Forissier */ 163*039e02dfSJerome Forissier void mbedtls_ct_mpi_uint_cond_assign( size_t n, 164*039e02dfSJerome Forissier mbedtls_mpi_uint *dest, 165*039e02dfSJerome Forissier const mbedtls_mpi_uint *src, 166*039e02dfSJerome Forissier unsigned char condition ); 167*039e02dfSJerome Forissier 168*039e02dfSJerome Forissier #endif /* MBEDTLS_BIGNUM_C */ 169*039e02dfSJerome Forissier 170*039e02dfSJerome Forissier #if defined(MBEDTLS_BASE64_C) 171*039e02dfSJerome Forissier 172*039e02dfSJerome Forissier /** Given a value in the range 0..63, return the corresponding Base64 digit. 173*039e02dfSJerome Forissier * 174*039e02dfSJerome Forissier * The implementation assumes that letters are consecutive (e.g. ASCII 175*039e02dfSJerome Forissier * but not EBCDIC). 176*039e02dfSJerome Forissier * 177*039e02dfSJerome Forissier * \param value A value in the range 0..63. 178*039e02dfSJerome Forissier * 179*039e02dfSJerome Forissier * \return A base64 digit converted from \p value. 180*039e02dfSJerome Forissier */ 181*039e02dfSJerome Forissier unsigned char mbedtls_ct_base64_enc_char( unsigned char value ); 182*039e02dfSJerome Forissier 183*039e02dfSJerome Forissier /** Given a Base64 digit, return its value. 184*039e02dfSJerome Forissier * 185*039e02dfSJerome Forissier * If c is not a Base64 digit ('A'..'Z', 'a'..'z', '0'..'9', '+' or '/'), 186*039e02dfSJerome Forissier * return -1. 187*039e02dfSJerome Forissier * 188*039e02dfSJerome Forissier * The implementation assumes that letters are consecutive (e.g. ASCII 189*039e02dfSJerome Forissier * but not EBCDIC). 190*039e02dfSJerome Forissier * 191*039e02dfSJerome Forissier * \param c A base64 digit. 192*039e02dfSJerome Forissier * 193*039e02dfSJerome Forissier * \return The value of the base64 digit \p c. 194*039e02dfSJerome Forissier */ 195*039e02dfSJerome Forissier signed char mbedtls_ct_base64_dec_value( unsigned char c ); 196*039e02dfSJerome Forissier 197*039e02dfSJerome Forissier #endif /* MBEDTLS_BASE64_C */ 198*039e02dfSJerome Forissier 199*039e02dfSJerome Forissier #if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) 200*039e02dfSJerome Forissier 201*039e02dfSJerome Forissier /** Conditional memcpy without branches. 202*039e02dfSJerome Forissier * 203*039e02dfSJerome Forissier * This is equivalent to `if ( c1 == c2 ) memcpy(dest, src, len)`, but is likely 204*039e02dfSJerome Forissier * to be compiled to code using bitwise operation rather than a branch. 205*039e02dfSJerome Forissier * 206*039e02dfSJerome Forissier * \param dest The pointer to conditionally copy to. 207*039e02dfSJerome Forissier * \param src The pointer to copy from. Shouldn't overlap with \p dest. 208*039e02dfSJerome Forissier * \param len The number of bytes to copy. 209*039e02dfSJerome Forissier * \param c1 The first value to analyze in the condition. 210*039e02dfSJerome Forissier * \param c2 The second value to analyze in the condition. 211*039e02dfSJerome Forissier */ 212*039e02dfSJerome Forissier void mbedtls_ct_memcpy_if_eq( unsigned char *dest, 213*039e02dfSJerome Forissier const unsigned char *src, 214*039e02dfSJerome Forissier size_t len, 215*039e02dfSJerome Forissier size_t c1, size_t c2 ); 216*039e02dfSJerome Forissier 217*039e02dfSJerome Forissier /** Copy data from a secret position with constant flow. 218*039e02dfSJerome Forissier * 219*039e02dfSJerome Forissier * This function copies \p len bytes from \p src_base + \p offset_secret to \p 220*039e02dfSJerome Forissier * dst, with a code flow and memory access pattern that does not depend on \p 221*039e02dfSJerome Forissier * offset_secret, but only on \p offset_min, \p offset_max and \p len. 222*039e02dfSJerome Forissier * Functionally equivalent to `memcpy(dst, src + offset_secret, len)`. 223*039e02dfSJerome Forissier * 224*039e02dfSJerome Forissier * \note This function reads from \p dest, but the value that 225*039e02dfSJerome Forissier * is read does not influence the result and this 226*039e02dfSJerome Forissier * function's behavior is well-defined regardless of the 227*039e02dfSJerome Forissier * contents of the buffers. This may result in false 228*039e02dfSJerome Forissier * positives from static or dynamic analyzers, especially 229*039e02dfSJerome Forissier * if \p dest is not initialized. 230*039e02dfSJerome Forissier * 231*039e02dfSJerome Forissier * \param dest The destination buffer. This must point to a writable 232*039e02dfSJerome Forissier * buffer of at least \p len bytes. 233*039e02dfSJerome Forissier * \param src The base of the source buffer. This must point to a 234*039e02dfSJerome Forissier * readable buffer of at least \p offset_max + \p len 235*039e02dfSJerome Forissier * bytes. Shouldn't overlap with \p dest. 236*039e02dfSJerome Forissier * \param offset The offset in the source buffer from which to copy. 237*039e02dfSJerome Forissier * This must be no less than \p offset_min and no greater 238*039e02dfSJerome Forissier * than \p offset_max. 239*039e02dfSJerome Forissier * \param offset_min The minimal value of \p offset. 240*039e02dfSJerome Forissier * \param offset_max The maximal value of \p offset. 241*039e02dfSJerome Forissier * \param len The number of bytes to copy. 242*039e02dfSJerome Forissier */ 243*039e02dfSJerome Forissier void mbedtls_ct_memcpy_offset( unsigned char *dest, 244*039e02dfSJerome Forissier const unsigned char *src, 245*039e02dfSJerome Forissier size_t offset, 246*039e02dfSJerome Forissier size_t offset_min, 247*039e02dfSJerome Forissier size_t offset_max, 248*039e02dfSJerome Forissier size_t len ); 249*039e02dfSJerome Forissier 250*039e02dfSJerome Forissier /** Compute the HMAC of variable-length data with constant flow. 251*039e02dfSJerome Forissier * 252*039e02dfSJerome Forissier * This function computes the HMAC of the concatenation of \p add_data and \p 253*039e02dfSJerome Forissier * data, and does with a code flow and memory access pattern that does not 254*039e02dfSJerome Forissier * depend on \p data_len_secret, but only on \p min_data_len and \p 255*039e02dfSJerome Forissier * max_data_len. In particular, this function always reads exactly \p 256*039e02dfSJerome Forissier * max_data_len bytes from \p data. 257*039e02dfSJerome Forissier * 258*039e02dfSJerome Forissier * \param ctx The HMAC context. It must have keys configured 259*039e02dfSJerome Forissier * with mbedtls_md_hmac_starts() and use one of the 260*039e02dfSJerome Forissier * following hashes: SHA-384, SHA-256, SHA-1 or MD-5. 261*039e02dfSJerome Forissier * It is reset using mbedtls_md_hmac_reset() after 262*039e02dfSJerome Forissier * the computation is complete to prepare for the 263*039e02dfSJerome Forissier * next computation. 264*039e02dfSJerome Forissier * \param add_data The first part of the message whose HMAC is being 265*039e02dfSJerome Forissier * calculated. This must point to a readable buffer 266*039e02dfSJerome Forissier * of \p add_data_len bytes. 267*039e02dfSJerome Forissier * \param add_data_len The length of \p add_data in bytes. 268*039e02dfSJerome Forissier * \param data The buffer containing the second part of the 269*039e02dfSJerome Forissier * message. This must point to a readable buffer 270*039e02dfSJerome Forissier * of \p max_data_len bytes. 271*039e02dfSJerome Forissier * \param data_len_secret The length of the data to process in \p data. 272*039e02dfSJerome Forissier * This must be no less than \p min_data_len and no 273*039e02dfSJerome Forissier * greater than \p max_data_len. 274*039e02dfSJerome Forissier * \param min_data_len The minimal length of the second part of the 275*039e02dfSJerome Forissier * message, read from \p data. 276*039e02dfSJerome Forissier * \param max_data_len The maximal length of the second part of the 277*039e02dfSJerome Forissier * message, read from \p data. 278*039e02dfSJerome Forissier * \param output The HMAC will be written here. This must point to 279*039e02dfSJerome Forissier * a writable buffer of sufficient size to hold the 280*039e02dfSJerome Forissier * HMAC value. 281*039e02dfSJerome Forissier * 282*039e02dfSJerome Forissier * \retval 0 on success. 283*039e02dfSJerome Forissier * \retval #MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED 284*039e02dfSJerome Forissier * The hardware accelerator failed. 285*039e02dfSJerome Forissier */ 286*039e02dfSJerome Forissier int mbedtls_ct_hmac( mbedtls_md_context_t *ctx, 287*039e02dfSJerome Forissier const unsigned char *add_data, 288*039e02dfSJerome Forissier size_t add_data_len, 289*039e02dfSJerome Forissier const unsigned char *data, 290*039e02dfSJerome Forissier size_t data_len_secret, 291*039e02dfSJerome Forissier size_t min_data_len, 292*039e02dfSJerome Forissier size_t max_data_len, 293*039e02dfSJerome Forissier unsigned char *output ); 294*039e02dfSJerome Forissier 295*039e02dfSJerome Forissier #endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ 296*039e02dfSJerome Forissier 297*039e02dfSJerome Forissier #if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) 298*039e02dfSJerome Forissier 299*039e02dfSJerome Forissier /** This function performs the unpadding part of a PKCS#1 v1.5 decryption 300*039e02dfSJerome Forissier * operation (EME-PKCS1-v1_5 decoding). 301*039e02dfSJerome Forissier * 302*039e02dfSJerome Forissier * \note The return value from this function is a sensitive value 303*039e02dfSJerome Forissier * (this is unusual). #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE shouldn't happen 304*039e02dfSJerome Forissier * in a well-written application, but 0 vs #MBEDTLS_ERR_RSA_INVALID_PADDING 305*039e02dfSJerome Forissier * is often a situation that an attacker can provoke and leaking which 306*039e02dfSJerome Forissier * one is the result is precisely the information the attacker wants. 307*039e02dfSJerome Forissier * 308*039e02dfSJerome Forissier * \param mode The mode of operation. This must be either 309*039e02dfSJerome Forissier * #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated). 310*039e02dfSJerome Forissier * \param input The input buffer which is the payload inside PKCS#1v1.5 311*039e02dfSJerome Forissier * encryption padding, called the "encoded message EM" 312*039e02dfSJerome Forissier * by the terminology. 313*039e02dfSJerome Forissier * \param ilen The length of the payload in the \p input buffer. 314*039e02dfSJerome Forissier * \param output The buffer for the payload, called "message M" by the 315*039e02dfSJerome Forissier * PKCS#1 terminology. This must be a writable buffer of 316*039e02dfSJerome Forissier * length \p output_max_len bytes. 317*039e02dfSJerome Forissier * \param olen The address at which to store the length of 318*039e02dfSJerome Forissier * the payload. This must not be \c NULL. 319*039e02dfSJerome Forissier * \param output_max_len The length in bytes of the output buffer \p output. 320*039e02dfSJerome Forissier * 321*039e02dfSJerome Forissier * \return \c 0 on success. 322*039e02dfSJerome Forissier * \return #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE 323*039e02dfSJerome Forissier * The output buffer is too small for the unpadded payload. 324*039e02dfSJerome Forissier * \return #MBEDTLS_ERR_RSA_INVALID_PADDING 325*039e02dfSJerome Forissier * The input doesn't contain properly formatted padding. 326*039e02dfSJerome Forissier */ 327*039e02dfSJerome Forissier int mbedtls_ct_rsaes_pkcs1_v15_unpadding( int mode, 328*039e02dfSJerome Forissier unsigned char *input, 329*039e02dfSJerome Forissier size_t ilen, 330*039e02dfSJerome Forissier unsigned char *output, 331*039e02dfSJerome Forissier size_t output_max_len, 332*039e02dfSJerome Forissier size_t *olen ); 333*039e02dfSJerome Forissier 334*039e02dfSJerome Forissier #endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */ 335*039e02dfSJerome Forissier 336*039e02dfSJerome Forissier #endif /* MBEDTLS_CONSTANT_TIME_INTERNAL_H */ 337