Botan 3.4.0
Crypto and TLS for C++
|
Classes | |
class | Mask |
Functions | |
template<typename T > | |
constexpr CT::Mask< T > | all_zeros (const T elem[], size_t len) |
template<typename T > | |
constexpr Mask< T > | conditional_assign_mem (T cnd, T *sink, const T *src, size_t elems) |
template<typename T > | |
constexpr Mask< T > | conditional_copy_mem (Mask< T > mask, T *to, const T *from0, const T *from1, size_t elems) |
template<typename T > | |
constexpr Mask< T > | conditional_copy_mem (T cnd, T *to, const T *from0, const T *from1, size_t elems) |
template<typename T > | |
constexpr void | conditional_swap (bool cnd, T &x, T &y) |
template<typename T > | |
constexpr void | conditional_swap_ptr (bool cnd, T &x, T &y) |
secure_vector< uint8_t > | copy_output (CT::Mask< uint8_t > bad_input_u8, const uint8_t input[], size_t input_length, size_t offset) |
template<typename T > | |
constexpr CT::Mask< T > | is_equal (const T x[], const T y[], size_t len) |
template<typename T > | |
constexpr CT::Mask< T > | is_not_equal (const T x[], const T y[], size_t len) |
template<typename T > | |
void | poison (const T *p, size_t n) |
secure_vector< uint8_t > | strip_leading_zeros (const secure_vector< uint8_t > &in) |
secure_vector< uint8_t > | strip_leading_zeros (const uint8_t in[], size_t length) |
template<typename T > | |
constexpr void | unpoison (const T *p, size_t n) |
template<typename T > | |
constexpr void | unpoison (T &p) |
|
template<typename T >
constexpr CT::Mask< T > Botan::CT::all_zeros (const T elem[], size_t len) | inline constexpr |
Definition at line 332 of file ct_utils.h.
References Botan::CT::Mask< T >::is_zero(), and T.
Referenced by Botan::EC_Point::add(), Botan::EC_Point::add_affine(), Botan::Scalar448::bytes_are_reduced(), Botan::TLS::Client_Key_Exchange::Client_Key_Exchange(), Botan::TLS::Client_Key_Exchange::Client_Key_Exchange(), and Botan::Gf448Elem::is_zero().
|
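template<typename T >
constexpr Mask< T > Botan::CT::conditional_assign_mem (T cnd, T *sink, const T *src, size_t elems) | inline constexpr |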
Definition at line 304 of file ct_utils.h.
References Botan::CT::Mask< T >::expand().
Referenced by Botan::bigint_monty_maybe_sub(), Botan::bigint_monty_maybe_sub(), and Botan::Gf448Elem::ct_cond_assign().
|
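template<typename T >
constexpr Mask< T > Botan::CT::conditional_copy_mem (Mask< T > mask, T *to, const T *from0, const T *from1, size_t elems) | inline constexpr |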
Definition at line 292 of file ct_utils.h.
References Botan::CT::Mask< T >::select_n().
Referenced by Botan::bigint_sub_abs(), conditional_copy_mem(), and Botan::BigInt::mod_add().
|
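template<typename T >
constexpr Mask< T > Botan::CT::conditional_copy_mem (T cnd, T *to, const T *from0, const T *from1, size_t elems) | inline constexpr |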
Definition at line 298 of file ct_utils.h.
References conditional_copy_mem(), and Botan::CT::Mask< T >::expand().
|
template<typename T >
constexpr void Botan::CT::conditional_swap (bool cnd, T &x, T &y) | inline constexpr |
Definition at line 311 of file ct_utils.h.
References Botan::CT::Mask< T >::expand(), and T.
Referenced by Botan::bigint_sub_abs(), and Botan::Gf448Elem::ct_cond_swap().
|
template<typename T >
constexpr void Botan::CT::conditional_swap_ptr (bool cnd, T &x, T &y) | inline constexpr |
Definition at line 321 of file ct_utils.h.
References T.
Referenced by Botan::bigint_sub_abs().
BOTAN_TEST_API secure_vector< uint8_t > Botan::CT::copy_output (CT::Mask< uint8_t > bad_input, const uint8_t input[], size_t input_length, size_t offset)
If bad_input is unset, return input[offset:input_length] copied to a new buffer. If bad_input is set, return an empty vector. In all cases, the capacity of the vector is equal to input_length.
This function attempts to avoid leaking the following:
- whether bad_input was set or not
- the value of offset
- the values in input[]
This function leaks the value of input_length.
Definition at line 11 of file ct_utils.cpp.
References Botan::CT::Mask< T >::expand(), Botan::CT::Mask< T >::is_equal(), Botan::CT::Mask< T >::is_gt(), poison(), and unpoison().
Referenced by Botan::oaep_find_delim(), strip_leading_zeros(), and Botan::EME_PKCS1v15::unpad().
|
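template<typename T >
constexpr CT::Mask< T > Botan::CT::is_equal (const T x[], const T y[], size_t len) | inline constexpr |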
Compare two arrays of equal size and return a Mask indicating if they are equal or not. The mask is set if they are identical.
Definition at line 345 of file ct_utils.h.
References Botan::CT::Mask< T >::is_zero(), and T.
Referenced by Botan::argon2_check_pwhash(), botan_constant_time_compare(), Botan::Gf448Elem::bytes_are_canonical_representation(), Botan::check_bcrypt(), Botan::X448_PrivateKey::check_key(), Botan::Ed25519_PublicKey::check_key(), Botan::check_passhash9(), Botan::FrodoMatrix::constant_time_compare(), Botan::constant_time_compare(), Botan::Sodium::crypto_secretbox_open_detached(), Botan::Sodium::crypto_verify_16(), Botan::Sodium::crypto_verify_32(), Botan::Sodium::crypto_verify_64(), Botan::ct_compare_u8(), Botan::TLS::Session::decrypt(), Botan::CryptoBox::decrypt_bin(), Botan::ed25519_verify(), is_not_equal(), Botan::Gf448Elem::operator==(), Botan::RTSS_Share::reconstruct(), Botan::Sodium::sodium_memcmp(), Botan::TLS::Finished_12::verify(), and Botan::MessageAuthenticationCode::verify_mac_result().
|
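template<typename T >
constexpr CT::Mask< T > Botan::CT::is_not_equal (const T x[], const T y[], size_t len) | inline constexpr |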
Compare two arrays of equal size and return a Mask indicating if they are equal or not. The mask is set if they differ.
Definition at line 370 of file ct_utils.h.
References is_equal().
Referenced by Botan::Sodium::crypto_secretbox_xsalsa20poly1305_open(), and Botan::oaep_find_delim().
template<typename T >
void Botan::CT::poison (const T *p, size_t n)
Use valgrind to mark the contents of memory as being undefined. Valgrind will accept operations which manipulate undefined values, but will warn if an undefined value is used to decide a conditional jump or a load/store address. So if we poison all of our inputs we can confirm that the operations in question are truly const time when compiled by whatever compiler is in use.
Even better, the VALGRIND_MAKE_MEM_* macros work even when the program is not run under valgrind (though with a few cycles of overhead, which is unfortunate in final binaries as these annotations tend to be used in fairly important loops).
This approach was first used in ctgrind (https://github.com/agl/ctgrind), but calling the valgrind memcheck API directly works just as well and doesn't require a custom patched valgrind.
Definition at line 46 of file ct_utils.h.
References BOTAN_UNUSED, and T.
Referenced by Botan::PKCS7_Padding::add_padding(), Botan::ANSI_X923_Padding::add_padding(), Botan::OneAndZeros_Padding::add_padding(), Botan::ESP_Padding::add_padding(), Botan::BOTAN_FUNC_ISA(), copy_output(), Botan::curve25519_donna(), Botan::oaep_find_delim(), Botan::PKCS7_Padding::unpad(), Botan::ANSI_X923_Padding::unpad(), Botan::OneAndZeros_Padding::unpad(), Botan::ESP_Padding::unpad(), and Botan::EME_PKCS1v15::unpad().
|
secure_vector< uint8_t > Botan::CT::strip_leading_zeros (const secure_vector< uint8_t > &in) | inline |
Definition at line 394 of file ct_utils.h.
References strip_leading_zeros().
secure_vector< uint8_t > Botan::CT::strip_leading_zeros (const uint8_t in[], size_t length)
Definition at line 84 of file ct_utils.cpp.
References copy_output(), Botan::CT::Mask< T >::is_zero(), and Botan::CT::Mask< T >::set().
Referenced by Botan::TLS::Client_Key_Exchange::Client_Key_Exchange(), Botan::TLS::Client_Key_Exchange::Client_Key_Exchange(), and strip_leading_zeros().
template<typename T >
constexpr void Botan::CT::unpoison (const T *p, size_t n)
Definition at line 57 of file ct_utils.h.
References BOTAN_UNUSED, and T.
Referenced by Botan::PKCS7_Padding::add_padding(), Botan::ANSI_X923_Padding::add_padding(), Botan::OneAndZeros_Padding::add_padding(), Botan::ESP_Padding::add_padding(), Botan::bigint_cmp(), Botan::BOTAN_FUNC_ISA(), copy_output(), Botan::curve25519_donna(), Botan::oaep_find_delim(), Botan::redc_p192(), Botan::redc_p224(), Botan::redc_p256(), Botan::redc_p384(), Botan::CT::Mask< T >::select_and_unpoison(), Botan::BigInt::top_bits_free(), Botan::PKCS7_Padding::unpad(), Botan::ANSI_X923_Padding::unpad(), Botan::OneAndZeros_Padding::unpad(), Botan::ESP_Padding::unpad(), Botan::EME_PKCS1v15::unpad(), and Botan::CT::Mask< T >::unpoisoned_value().
template<typename T >
constexpr void Botan::CT::unpoison (T &p)
Definition at line 68 of file ct_utils.h.
References BOTAN_UNUSED, and T.