| Dave Rodgman | 40a41d0 | 2023-05-17 11:59:56 +0100 | [diff] [blame] | 1 | /** | 
|  | 2 | *  Constant-time functions | 
|  | 3 | * | 
|  | 4 | *  For readability, the static inline definitions are here, and | 
|  | 5 | *  constant_time_internal.h has only the declarations. | 
|  | 6 | * | 
|  | 7 | *  This results in duplicate declarations of the form: | 
|  | 8 | *      static inline void f() { ... } | 
|  | 9 | *      static inline void f(); | 
|  | 10 | *  when constant_time_internal.h is included. This appears to behave | 
|  | 11 | *  exactly as if the declaration-without-definition was not present. | 
|  | 12 | * | 
|  | 13 | *  Copyright The Mbed TLS Contributors | 
|  | 14 | *  SPDX-License-Identifier: Apache-2.0 | 
|  | 15 | * | 
|  | 16 | *  Licensed under the Apache License, Version 2.0 (the "License"); you may | 
|  | 17 | *  not use this file except in compliance with the License. | 
|  | 18 | *  You may obtain a copy of the License at | 
|  | 19 | * | 
|  | 20 | *  http://www.apache.org/licenses/LICENSE-2.0 | 
|  | 21 | * | 
|  | 22 | *  Unless required by applicable law or agreed to in writing, software | 
|  | 23 | *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | 
|  | 24 | *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | 
|  | 25 | *  See the License for the specific language governing permissions and | 
|  | 26 | *  limitations under the License. | 
|  | 27 | */ | 
|  | 28 |  | 
|  | 29 | #ifndef MBEDTLS_CONSTANT_TIME_IMPL_H | 
|  | 30 | #define MBEDTLS_CONSTANT_TIME_IMPL_H | 
|  | 31 |  | 
|  | 32 | #include <stddef.h> | 
|  | 33 |  | 
|  | 34 | #include "common.h" | 
|  | 35 |  | 
|  | 36 | #if defined(MBEDTLS_BIGNUM_C) | 
|  | 37 | #include "mbedtls/bignum.h" | 
|  | 38 | #endif | 
|  | 39 |  | 
| Dave Rodgman | 205295c | 2023-08-01 14:10:56 +0100 | [diff] [blame] | 40 | /* constant_time_impl.h contains all the static inline implementations, | 
|  | 41 | * so that constant_time_internal.h is more readable. | 
|  | 42 | * | 
|  | 43 | * gcc generates warnings about duplicate declarations, so disable this | 
|  | 44 | * warning. | 
|  | 45 | */ | 
|  | 46 | #ifdef __GNUC__ | 
|  | 47 | #pragma GCC diagnostic push | 
|  | 48 | #pragma GCC diagnostic ignored "-Wredundant-decls" | 
|  | 49 | #endif | 
|  | 50 |  | 
| Dave Rodgman | 246210e | 2023-07-31 18:07:44 +0100 | [diff] [blame] | 51 | /* Disable asm under Memsan because it confuses Memsan and generates false errors. | 
|  | 52 | * | 
|  | 53 | * We also disable under Valgrind by default, because it's more useful | 
|  | 54 | * for Valgrind to test the plain C implementation. MBEDTLS_TEST_CONSTANT_FLOW_ASM //no-check-names | 
|  | 55 | * may be set to permit building asm under Valgrind. | 
|  | 56 | */ | 
|  | 57 | #if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN) || \ | 
|  | 58 | (defined(MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND) && !defined(MBEDTLS_TEST_CONSTANT_FLOW_ASM)) //no-check-names | 
| Dave Rodgman | 3d574da | 2023-07-31 16:54:00 +0100 | [diff] [blame] | 59 | #define MBEDTLS_CT_NO_ASM | 
|  | 60 | #elif defined(__has_feature) | 
|  | 61 | #if __has_feature(memory_sanitizer) | 
|  | 62 | #define MBEDTLS_CT_NO_ASM | 
|  | 63 | #endif | 
|  | 64 | #endif | 
| Dave Rodgman | 40a41d0 | 2023-05-17 11:59:56 +0100 | [diff] [blame] | 65 |  | 
|  | 66 | /* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */ | 
|  | 67 | #if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && (!defined(__ARMCC_VERSION) || \ | 
| Dave Rodgman | 3d574da | 2023-07-31 16:54:00 +0100 | [diff] [blame] | 68 | __ARMCC_VERSION >= 6000000) && !defined(MBEDTLS_CT_NO_ASM) | 
| Dave Rodgman | 40a41d0 | 2023-05-17 11:59:56 +0100 | [diff] [blame] | 69 | #define MBEDTLS_CT_ASM | 
|  | 70 | #if (defined(__arm__) || defined(__thumb__) || defined(__thumb2__)) | 
|  | 71 | #define MBEDTLS_CT_ARM_ASM | 
|  | 72 | #elif defined(__aarch64__) | 
|  | 73 | #define MBEDTLS_CT_AARCH64_ASM | 
|  | 74 | #endif | 
|  | 75 | #endif | 
|  | 76 |  | 
|  | 77 | #define MBEDTLS_CT_SIZE (sizeof(mbedtls_ct_uint_t) * 8) | 
|  | 78 |  | 
|  | 79 |  | 
|  | 80 | /* ============================================================================ | 
|  | 81 | * Core const-time primitives | 
|  | 82 | */ | 
|  | 83 |  | 
/* Ensure that the compiler cannot know the value of x (i.e., cannot optimise
 * based on its value) after this function is called.
 *
 * If we are not using assembly, this will be fairly inefficient, so its use
 * should be minimised.
 */

#if !defined(MBEDTLS_CT_ASM)
/* Volatile object used by the plain-C path of mbedtls_ct_compiler_opaque():
 * XOR-ing with it leaves the value unchanged, but because the read is
 * volatile the compiler must perform it at runtime and cannot constant-fold
 * the result. Defined in a .c file (not visible here); the name implies it
 * holds zero, which the XOR trick relies on. Not needed on the asm path. */
extern volatile mbedtls_ct_uint_t mbedtls_ct_zero;
#endif
|  | 94 |  | 
| Dave Rodgman | 93cec45 | 2023-07-31 12:30:26 +0100 | [diff] [blame] | 95 | /** | 
|  | 96 | * \brief   Ensure that a value cannot be known at compile time. | 
|  | 97 | * | 
|  | 98 | * \param x        The value to hide from the compiler. | 
|  | 99 | * \return         The same value that was passed in, such that the compiler | 
|  | 100 | *                 cannot prove its value (even for calls of the form | 
|  | 101 | *                 x = mbedtls_ct_compiler_opaque(1), x will be unknown). | 
|  | 102 | * | 
|  | 103 | * \note           This is mainly used in constructing mbedtls_ct_condition_t | 
|  | 104 | *                 values and performing operations over them, to ensure that | 
|  | 105 | *                 there is no way for the compiler to ever know anything about | 
|  | 106 | *                 the value of an mbedtls_ct_condition_t. | 
|  | 107 | */ | 
static inline mbedtls_ct_uint_t mbedtls_ct_compiler_opaque(mbedtls_ct_uint_t x)
{
#if defined(MBEDTLS_CT_ASM)
    /* Empty asm statement with x as a read-write ("+r") operand: the compiler
     * must assume the asm may have modified x, so it can no longer reason
     * about or constant-fold the value. No instructions are emitted, so the
     * cost is at most a register move. */
    asm volatile ("" : [x] "+r" (x) :);
    return x;
#else
    /* Plain-C fallback: XOR with a volatile object. The volatile read cannot
     * be elided or folded, so the result is opaque to the optimiser, at the
     * price of a memory access per call. Correctness relies on
     * mbedtls_ct_zero being 0 at runtime (defined elsewhere). */
    return x ^ mbedtls_ct_zero;
#endif
}
|  | 117 |  | 
| Dave Rodgman | 3ab114e | 2023-08-21 07:54:11 +0100 | [diff] [blame] | 118 | /* | 
|  | 119 | * Selecting unified syntax is needed for gcc, and harmless on clang. | 
|  | 120 | * | 
|  | 121 | * This is needed because on Thumb 1, condition flags are always set, so | 
|  | 122 | * e.g. "negs" is supported but "neg" is not (on Thumb 2, both exist). | 
|  | 123 | * | 
|  | 124 | * Under Thumb 1 unified syntax, only the "negs" form is accepted, and | 
|  | 125 | * under divided syntax, only the "neg" form is accepted. clang only | 
|  | 126 | * supports unified syntax. | 
|  | 127 | * | 
|  | 128 | * On Thumb 2 and Arm, both compilers are happy with the "s" suffix, | 
|  | 129 | * although we don't actually care about setting the flags. | 
|  | 130 | * | 
|  | 131 | * For gcc, restore divided syntax afterwards - otherwise old versions of gcc | 
|  | 132 | * seem to apply unified syntax globally, which breaks other asm code. | 
|  | 133 | */ | 
|  | 134 | #if !defined(__clang__) | 
|  | 135 | #define RESTORE_ASM_SYNTAX  ".syntax divided             \n\t" | 
|  | 136 | #else | 
|  | 137 | #define RESTORE_ASM_SYNTAX | 
|  | 138 | #endif | 
|  | 139 |  | 
/**
 * \brief   Convert a number into a condition in constant time.
 *
 * \param x        The value to test.
 * \return         A mask with all bits set if \p x is non-zero, and all bits
 *                 clear if \p x is zero, computed without data-dependent
 *                 branches or conditional instructions.
 */
static inline mbedtls_ct_condition_t mbedtls_ct_bool(mbedtls_ct_uint_t x)
{
    /*
     * Define mask-generation code that, as far as possible, will not use branches or conditional instructions.
     *
     * For some platforms / type sizes, we define assembly to assure this.
     *
     * Otherwise, we define a plain C fallback which (in May 2023) does not get optimised into
     * conditional instructions or branches by trunk clang, gcc, or MSVC v19.
     */
#if defined(MBEDTLS_CT_AARCH64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
    mbedtls_ct_uint_t s;
    /* s = -x; x |= s has its top bit set iff x != 0 (for a non-zero x, either
     * x or -x has the top bit set); the arithmetic shift by 63 then smears
     * that bit across the whole register. neg/orr/asr do not set flags, so
     * no "cc" clobber is needed. s is an early-clobber output ("=&r") so it
     * is never allocated to the same register as x.
     * NOTE(review): the %x modifiers act on the full 64-bit register. In a
     * MBEDTLS_CT_SIZE_32 build this assumes the upper 32 bits of the input
     * register are zero — confirm against the mbedtls_ct_uint_t typedef. */
    asm volatile ("neg %x[s], %x[x]                     \n\t"
                  "orr %x[x], %x[s], %x[x]              \n\t"
                  "asr %x[x], %x[x], 63"
                  :
                  [s] "=&r" (s),
                  [x] "+&r" (x)
                  :
                  :
                  );
    return (mbedtls_ct_condition_t) x;
#elif defined(MBEDTLS_CT_ARM_ASM) && defined(MBEDTLS_CT_SIZE_32)
    uint32_t s;
    /* Same negate / or / arithmetic-shift sequence for 32-bit Arm and Thumb.
     * The "s"-suffixed forms are required under Thumb-1 unified syntax (see
     * the RESTORE_ASM_SYNTAX comment above), hence the "cc" clobber. The "l"
     * constraints keep operands in low registers so the 16-bit Thumb-1
     * encodings are usable. */
    asm volatile (".syntax unified                       \n\t"
                  "negs %[s], %[x]                       \n\t"
                  "orrs %[x], %[x], %[s]                 \n\t"
                  "asrs %[x], %[x], #31                  \n\t"
                  RESTORE_ASM_SYNTAX
                  :
                  [s] "=&l" (s),
                  [x] "+&l" (x)
                  :
                  :
                  "cc" /* clobbers flag bits */
                  );
    return (mbedtls_ct_condition_t) x;
#else
    /* Hide x from the optimiser first so the arithmetic below cannot be
     * folded into a compare-and-branch when x is a known constant. */
    const mbedtls_ct_uint_t xo = mbedtls_ct_compiler_opaque(x);
#if defined(_MSC_VER)
    /* MSVC has a warning about unary minus on unsigned, but this is
     * well-defined and precisely what we want to do here */
#pragma warning( push )
#pragma warning( disable : 4146 )
#endif
    // y is negative (i.e., top bit set) iff x is non-zero
    // (-xo covers all non-zero x without the top bit set and x == 2^(n-1);
    //  -(xo >> 1) covers the remaining values with the top bit set)
    mbedtls_ct_int_t y = (-xo) | -(xo >> 1);

    // extract only the sign bit of y so that y == 1 (if x is non-zero) or 0 (if x is zero)
    // (the shift is done on the unsigned view of y: right-shifting a negative
    //  signed value would be implementation-defined)
    y = (((mbedtls_ct_uint_t) y) >> (MBEDTLS_CT_SIZE - 1));

    // -y has all bits set (if x is non-zero), or all bits clear (if x is zero)
    return (mbedtls_ct_condition_t) (-y);
#if defined(_MSC_VER)
#pragma warning( pop )
#endif
#endif
}
|  | 199 |  | 
/**
 * \brief   Constant-time select between two values.
 *
 * \param condition   A mask as produced by mbedtls_ct_bool(): all bits set
 *                    or all bits clear. Any other value yields a bitwise
 *                    blend of \p if1 and \p if0 rather than one of them.
 * \param if1         Value returned when \p condition is all ones.
 * \param if0         Value returned when \p condition is all zeros.
 * \return            \p if1 or \p if0, computed as
 *                    (condition & if1) | (~condition & if0) with no branch.
 */
static inline mbedtls_ct_uint_t mbedtls_ct_if(mbedtls_ct_condition_t condition,
                                              mbedtls_ct_uint_t if1,
                                              mbedtls_ct_uint_t if0)
{
#if defined(MBEDTLS_CT_AARCH64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
    /* if1 &= cond; cond = ~cond; cond &= if0; cond = if1 | cond.
     * condition and if1 are both overwritten ("+&r"); if0 is read-only. The
     * result is left in the condition register. Only bitwise ops are used,
     * so any stale upper bits in a 32-bit build affect only the bits that
     * the final cast discards. */
    asm volatile ("and %x[if1], %x[if1], %x[condition]       \n\t"
                  "mvn %x[condition], %x[condition]          \n\t"
                  "and %x[condition], %x[condition], %x[if0] \n\t"
                  "orr %x[condition], %x[if1], %x[condition]"
                  :
                  [condition] "+&r" (condition),
                  [if1] "+&r" (if1)
                  :
                  [if0] "r" (if0)
                  :
                  );
    return (mbedtls_ct_uint_t) condition;
#elif defined(MBEDTLS_CT_ARM_ASM) && defined(MBEDTLS_CT_SIZE_32)
    /* Same and / mvn / and / orr sequence for 32-bit Arm and Thumb; the
     * flag-setting forms are used for Thumb-1 unified syntax, hence "cc". */
    asm volatile (".syntax unified                           \n\t"
                  "ands %[if1], %[if1], %[condition]         \n\t"
                  "mvns %[condition], %[condition]           \n\t"
                  "ands %[condition], %[condition], %[if0]   \n\t"
                  "orrs %[condition], %[if1], %[condition]   \n\t"
                  RESTORE_ASM_SYNTAX
                  :
                  [condition] "+&l" (condition),
                  [if1] "+&l" (if1)
                  :
                  [if0] "l" (if0)
                  :
                  "cc"
                  );
    return (mbedtls_ct_uint_t) condition;
#else
    /* The inverted mask goes through mbedtls_ct_compiler_opaque() so the
     * compiler cannot observe that not_cond == ~condition and rewrite the
     * two ANDs into a conditional move or branch. */
    mbedtls_ct_condition_t not_cond =
        (mbedtls_ct_condition_t) (~mbedtls_ct_compiler_opaque(condition));
    return (mbedtls_ct_uint_t) ((condition & if1) | (not_cond & if0));
#endif
}
|  | 239 |  | 
/**
 * \brief   Constant-time unsigned comparison x < y.
 *
 * \param x   Left operand.
 * \param y   Right operand.
 * \return    A mask with all bits set if \p x < \p y (as unsigned values),
 *            and all bits clear otherwise.
 */
static inline mbedtls_ct_condition_t mbedtls_ct_uint_lt(mbedtls_ct_uint_t x, mbedtls_ct_uint_t y)
{
#if defined(MBEDTLS_CT_AARCH64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
    uint64_t s1;
    /* s1 = x ^ y (top bit set iff the MSBs differ);
     * x = (x - y) & ~s1  keeps the sign of x - y only when the MSBs agree;
     * s1 = s1 & y        keeps the MSB of y only when the MSBs differ;
     * x = (x | s1) >> 63 (arithmetic) smears the selected MSB.
     * This is the asm form of the C fallback below; none of these
     * instructions set flags, so no "cc" clobber is needed.
     * NOTE(review): %x operates on the full 64-bit register; in a
     * MBEDTLS_CT_SIZE_32 build the sign of the 64-bit subtraction is only
     * meaningful if the upper 32 bits of both inputs are zero — confirm. */
    asm volatile ("eor     %x[s1], %x[y], %x[x]          \n\t"
                  "sub     %x[x], %x[x], %x[y]           \n\t"
                  "bic     %x[x], %x[x], %x[s1]          \n\t"
                  "and     %x[s1], %x[s1], %x[y]         \n\t"
                  "orr     %x[s1], %x[x], %x[s1]         \n\t"
                  "asr     %x[x], %x[s1], 63"
                  : [s1] "=&r" (s1), [x] "+&r" (x)
                  : [y] "r" (y)
                  :
                  );
    return (mbedtls_ct_condition_t) x;
#elif defined(MBEDTLS_CT_ARM_ASM) && defined(MBEDTLS_CT_SIZE_32)
    uint32_t s1;
    /* Same sequence for 32-bit Arm/Thumb. y is declared read-write ("+&l")
     * because the "ands %[y]" step overwrites it. */
    asm volatile (
        ".syntax unified                    \n\t"
#if defined(__thumb__) && !defined(__thumb2__)
        /* Thumb-1 only has the two-operand form of eors, so copy x first. */
        "movs     %[s1], %[x]               \n\t"
        "eors     %[s1], %[s1], %[y]        \n\t"
#else
        "eors     %[s1], %[x], %[y]         \n\t"
#endif
        "subs    %[x], %[x], %[y]           \n\t"
        "bics    %[x], %[x], %[s1]          \n\t"
        "ands    %[y], %[s1], %[y]          \n\t"
        "orrs    %[x], %[x], %[y]           \n\t"
        "asrs    %[x], %[x], #31            \n\t"
        RESTORE_ASM_SYNTAX
        : [s1] "=&l" (s1), [x] "+&l" (x),  [y] "+&l" (y)
        :
        :
        "cc"
        );
    return (mbedtls_ct_condition_t) x;
#else
    /* Ensure that the compiler cannot optimise the following operations over x and y,
     * even if it knows the value of x and y.
     */
    const mbedtls_ct_uint_t xo = mbedtls_ct_compiler_opaque(x);
    const mbedtls_ct_uint_t yo = mbedtls_ct_compiler_opaque(y);
    /*
     * Check if the most significant bits (MSB) of the operands are different.
     * cond is true iff the MSBs differ.
     */
    mbedtls_ct_condition_t cond = mbedtls_ct_bool((xo ^ yo) >> (MBEDTLS_CT_SIZE - 1));

    /*
     * If the MSB are the same then the difference x-y will be negative (and
     * have its MSB set to 1 during conversion to unsigned) if and only if x<y.
     *
     * If the MSB are different, then the operand with the MSB of 1 is the
     * bigger. (That is if y has MSB of 1, then x<y is true and it is false if
     * the MSB of y is 0.)
     */

    // Select either y, or x - y  (unsigned wrap-around is intended here)
    mbedtls_ct_uint_t ret = mbedtls_ct_if(cond, yo, (mbedtls_ct_uint_t) (xo - yo));

    // Extract only the MSB of ret
    ret = ret >> (MBEDTLS_CT_SIZE - 1);

    // Convert to a condition (i.e., all bits set iff non-zero)
    return mbedtls_ct_bool(ret);
#endif
}
|  | 308 |  | 
/* Constant-time test for x != y.
 *
 * Returns a mask with all bits set when the operands differ and all bits
 * clear when they are equal. Both inputs are hidden from the optimiser first
 * so that the XOR cannot be folded or turned into a compare-and-branch. */
static inline mbedtls_ct_condition_t mbedtls_ct_uint_ne(mbedtls_ct_uint_t x, mbedtls_ct_uint_t y)
{
    const mbedtls_ct_uint_t xo = mbedtls_ct_compiler_opaque(x);
    const mbedtls_ct_uint_t yo = mbedtls_ct_compiler_opaque(y);

    /* xo ^ yo is zero exactly when x == y; mbedtls_ct_bool() maps any
     * non-zero value to the all-ones mask. */
    return mbedtls_ct_bool(xo ^ yo);
}
|  | 317 |  | 
/* Constant-time range test with select.
 *
 * Returns t if low <= c <= high, and 0 otherwise, without any branch on c.
 * low and high are expected to be non-secret (typically constants); only c
 * and t are hidden from the optimiser. */
static inline unsigned char mbedtls_ct_uchar_in_range_if(unsigned char low,
                                                         unsigned char high,
                                                         unsigned char c,
                                                         unsigned char t)
{
    const unsigned co = (unsigned char) mbedtls_ct_compiler_opaque(c);
    const unsigned char to = (unsigned char) mbedtls_ct_compiler_opaque(t);

    /* Each subtraction wraps to a large unsigned value exactly when the
     * comparison fails, so the bits above the low byte are non-zero iff c is
     * outside the range on that side. */
    const unsigned below_low = (co - low) >> 8;    /* non-zero iff c < low  */
    const unsigned above_high = (high - co) >> 8;  /* non-zero iff c > high */
    const unsigned out_of_range = below_low | above_high;

    /* The low byte of ~out_of_range is 0xff when in range, 0x00 otherwise. */
    const unsigned char keep = (unsigned char) ~out_of_range;
    return (unsigned char) (keep & to);
}
|  | 333 |  | 
|  | 334 |  | 
|  | 335 | /* ============================================================================ | 
|  | 336 | * Everything below here is trivial wrapper functions | 
|  | 337 | */ | 
|  | 338 |  | 
/* size_t flavour of mbedtls_ct_if(): if1 when condition is all ones,
 * if0 when it is all zeros. The operands are widened to mbedtls_ct_uint_t
 * for the core primitive and the result narrowed back; this assumes size_t
 * fits in mbedtls_ct_uint_t (presumably guaranteed by the typedef). */
static inline size_t mbedtls_ct_size_if(mbedtls_ct_condition_t condition,
                                        size_t if1,
                                        size_t if0)
{
    const mbedtls_ct_uint_t wide_if1 = (mbedtls_ct_uint_t) if1;
    const mbedtls_ct_uint_t wide_if0 = (mbedtls_ct_uint_t) if0;
    const mbedtls_ct_uint_t selected = mbedtls_ct_if(condition, wide_if1, wide_if0);
    return (size_t) selected;
}
|  | 345 |  | 
/* unsigned flavour of mbedtls_ct_if(): if1 when condition is all ones,
 * if0 when it is all zeros. Widens to mbedtls_ct_uint_t for the core
 * primitive and narrows the result back to unsigned. */
static inline unsigned mbedtls_ct_uint_if(mbedtls_ct_condition_t condition,
                                          unsigned if1,
                                          unsigned if0)
{
    const mbedtls_ct_uint_t wide_if1 = (mbedtls_ct_uint_t) if1;
    const mbedtls_ct_uint_t wide_if0 = (mbedtls_ct_uint_t) if0;
    const mbedtls_ct_uint_t selected = mbedtls_ct_if(condition, wide_if1, wide_if0);
    return (unsigned) selected;
}
|  | 352 |  | 
|  | 353 | #if defined(MBEDTLS_BIGNUM_C) | 
|  | 354 |  | 
/* mbedtls_mpi_uint flavour of mbedtls_ct_if(): if1 when condition is all
 * ones, if0 when it is all zeros. Widens to mbedtls_ct_uint_t for the core
 * primitive and narrows the result back; assumes mbedtls_mpi_uint fits in
 * mbedtls_ct_uint_t (presumably guaranteed by the typedefs). */
static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if(mbedtls_ct_condition_t condition,
                                                      mbedtls_mpi_uint if1,
                                                      mbedtls_mpi_uint if0)
{
    const mbedtls_ct_uint_t wide_if1 = (mbedtls_ct_uint_t) if1;
    const mbedtls_ct_uint_t wide_if0 = (mbedtls_ct_uint_t) if0;
    const mbedtls_ct_uint_t selected = mbedtls_ct_if(condition, wide_if1, wide_if0);
    return (mbedtls_mpi_uint) selected;
}
|  | 363 |  | 
|  | 364 | #endif | 
|  | 365 |  | 
/* Return if1 when condition is all ones, 0 when it is all zeros.
 * A single AND with the mask suffices; the condition is already opaque to
 * the compiler by construction, so no extra barrier is needed. */
static inline size_t mbedtls_ct_size_if_else_0(mbedtls_ct_condition_t condition, size_t if1)
{
    const size_t masked = (size_t) (condition & if1);
    return masked;
}
|  | 370 |  | 
/* Return if1 when condition is all ones, 0 when it is all zeros (unsigned
 * flavour). A single AND with the mask suffices; the condition is already
 * opaque to the compiler by construction. */
static inline unsigned mbedtls_ct_uint_if_else_0(mbedtls_ct_condition_t condition, unsigned if1)
{
    const unsigned masked = (unsigned) (condition & if1);
    return masked;
}
|  | 375 |  | 
|  | 376 | #if defined(MBEDTLS_BIGNUM_C) | 
|  | 377 |  | 
/* Return if1 when condition is all ones, 0 when it is all zeros
 * (mbedtls_mpi_uint flavour). A single AND with the mask suffices; the
 * condition is already opaque to the compiler by construction. */
static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if_else_0(mbedtls_ct_condition_t condition,
                                                             mbedtls_mpi_uint if1)
{
    const mbedtls_mpi_uint masked = (mbedtls_mpi_uint) (condition & if1);
    return masked;
}
|  | 383 |  | 
|  | 384 | #endif /* MBEDTLS_BIGNUM_C */ | 
|  | 385 |  | 
/* Constant-time x == y: the complement of mbedtls_ct_uint_ne(), so the
 * result is all ones when equal and all zeros otherwise. */
static inline mbedtls_ct_condition_t mbedtls_ct_uint_eq(mbedtls_ct_uint_t x,
                                                        mbedtls_ct_uint_t y)
{
    const mbedtls_ct_condition_t differ = mbedtls_ct_uint_ne(x, y);
    return ~differ;
}
|  | 391 |  | 
/* Constant-time unsigned x > y, expressed as y < x. Returns all ones when
 * true and all zeros otherwise. */
static inline mbedtls_ct_condition_t mbedtls_ct_uint_gt(mbedtls_ct_uint_t x,
                                                        mbedtls_ct_uint_t y)
{
    const mbedtls_ct_condition_t y_below_x = mbedtls_ct_uint_lt(y, x);
    return y_below_x;
}
|  | 397 |  | 
/* Constant-time unsigned x >= y, as the complement of x < y. Returns all
 * ones when true and all zeros otherwise. */
static inline mbedtls_ct_condition_t mbedtls_ct_uint_ge(mbedtls_ct_uint_t x,
                                                        mbedtls_ct_uint_t y)
{
    const mbedtls_ct_condition_t x_below_y = mbedtls_ct_uint_lt(x, y);
    return ~x_below_y;
}
|  | 403 |  | 
/* Constant-time unsigned x <= y, as the complement of x > y. Returns all
 * ones when true and all zeros otherwise. */
static inline mbedtls_ct_condition_t mbedtls_ct_uint_le(mbedtls_ct_uint_t x,
                                                        mbedtls_ct_uint_t y)
{
    const mbedtls_ct_condition_t x_above_y = mbedtls_ct_uint_gt(x, y);
    return ~x_above_y;
}
|  | 409 |  | 
/* Exclusive-or of two condition masks. With well-formed inputs (all ones or
 * all zeros) the result is again a well-formed mask: true iff exactly one
 * of x, y is true. */
static inline mbedtls_ct_condition_t mbedtls_ct_bool_xor(mbedtls_ct_condition_t x,
                                                         mbedtls_ct_condition_t y)
{
    const mbedtls_ct_condition_t result = (mbedtls_ct_condition_t) (x ^ y);
    return result;
}
|  | 415 |  | 
/* Logical and of two condition masks: all ones iff both x and y are all
 * ones, all zeros otherwise (for well-formed inputs). */
static inline mbedtls_ct_condition_t mbedtls_ct_bool_and(mbedtls_ct_condition_t x,
                                                         mbedtls_ct_condition_t y)
{
    const mbedtls_ct_condition_t result = (mbedtls_ct_condition_t) (x & y);
    return result;
}
|  | 421 |  | 
/* Logical or of two condition masks: all ones iff at least one of x, y is
 * all ones, all zeros otherwise (for well-formed inputs). */
static inline mbedtls_ct_condition_t mbedtls_ct_bool_or(mbedtls_ct_condition_t x,
                                                        mbedtls_ct_condition_t y)
{
    const mbedtls_ct_condition_t result = (mbedtls_ct_condition_t) (x | y);
    return result;
}
|  | 427 |  | 
/* Logical not of a condition mask: bitwise complement, so all ones becomes
 * all zeros and vice versa. */
static inline mbedtls_ct_condition_t mbedtls_ct_bool_not(mbedtls_ct_condition_t x)
{
    const mbedtls_ct_condition_t inverted = (mbedtls_ct_condition_t) (~x);
    return inverted;
}
|  | 432 |  | 
| Dave Rodgman | 205295c | 2023-08-01 14:10:56 +0100 | [diff] [blame] | 433 | #ifdef __GNUC__ | 
|  | 434 | #pragma GCC diagnostic pop | 
|  | 435 | #endif | 
|  | 436 |  | 
| Dave Rodgman | 40a41d0 | 2023-05-17 11:59:56 +0100 | [diff] [blame] | 437 | #endif /* MBEDTLS_CONSTANT_TIME_IMPL_H */ |