#include <ct_utils.h>
Public Member Functions | |
| constexpr void | _const_time_poison () const |
| constexpr void | _const_time_unpoison () const |
| constexpr bool | as_bool () const |
| constexpr CT::Choice | as_choice () const |
| template<typename U> requires (sizeof(U) <= sizeof(T)) | |
| void | conditional_swap (U &x, U &y) const |
| constexpr T | if_not_set_return (T x) const |
| constexpr T | if_set_return (T x) const |
| constexpr void | if_set_zero_out (T buf[], size_t elems) |
| Mask (const Mask< T > &other)=default | |
| Mask (Mask< T > &&other)=default | |
| template<typename U> | |
| constexpr | Mask (Mask< U > o) |
| Mask< T > & | operator&= (Mask< T > o) |
| Mask< T > & | operator= (const Mask< T > &other)=default |
| Mask< T > & | operator= (Mask< T > &&other)=default |
| Mask< T > & | operator^= (Mask< T > o) |
| Mask< T > & | operator|= (Mask< T > o) |
| constexpr Mask< T > | operator~ () const |
| constexpr T | select (T x, T y) const |
| constexpr T | select_and_unpoison (T x, T y) const |
| Mask< T > | select_mask (Mask< T > x, Mask< T > y) const |
| constexpr void | select_n (T output[], const T x[], const T y[], size_t len) const |
| constexpr T | unpoisoned_value () const |
| constexpr T | value () const |
| ~Mask ()=default | |
Static Public Member Functions | |
| static constexpr Mask< T > | cleared () |
| template<typename U> | |
| static constexpr Mask< T > | expand (Mask< U > m) |
| static constexpr Mask< T > | expand (T v) |
| static constexpr Mask< T > | expand_bit (T v, size_t bit) |
| static constexpr Mask< T > | expand_bool (bool v) |
| static constexpr Mask< T > | expand_top_bit (T v) |
| static constexpr Mask< T > | from_choice (Choice c) |
| static constexpr Mask< T > | is_any_of (T v, std::initializer_list< T > accepted) |
| static constexpr Mask< T > | is_equal (T x, T y) |
| static constexpr Mask< T > | is_gt (T x, T y) |
| static constexpr Mask< T > | is_gte (T x, T y) |
| static constexpr Mask< T > | is_lt (T x, T y) |
| static constexpr Mask< T > | is_lte (T x, T y) |
| static constexpr Mask< T > | is_within_range (T v, T l, T u) |
| static constexpr Mask< T > | is_zero (T x) |
| static constexpr Mask< T > | set () |
Friends | |
| Mask< T > | operator& (Mask< T > x, Mask< T > y) |
| Mask< T > | operator^ (Mask< T > x, Mask< T > y) |
| Mask< T > | operator| (Mask< T > x, Mask< T > y) |
Detailed Description
class Botan::CT::Mask< T >
A Mask type used for constant-time operations. A Mask<T> always has value either |0| (all bits cleared) or |1| (all bits set). All operations in a Mask<T> are intended to compile to code which does not contain conditional jumps. This must be verified with tooling (eg binary disassembly or using valgrind) since you never know what a compiler might do.
Definition at line 388 of file ct_utils.h.
Constructor & Destructor Documentation
◆ Mask() [1/3]
|
default |
References Mask().
Referenced by cleared(), conditional_swap(), expand(), expand(), expand_bit(), expand_bool(), expand_top_bit(), from_choice(), is_any_of(), is_equal(), is_gt(), is_gte(), is_lt(), is_lte(), is_within_range(), is_zero(), Mask(), Mask(), Mask(), operator&, operator&=(), operator=(), operator=(), operator^, operator^=(), operator|, operator|=(), operator~(), select_mask(), and set().
◆ Mask() [2/3]
|
default |
References Mask().
◆ ~Mask()
|
default |
◆ Mask() [3/3]
|
inlineexplicitconstexpr |
Derive a Mask from a Mask of a larger type
Definition at line 403 of file ct_utils.h.
Member Function Documentation
◆ _const_time_poison()
|
inlineconstexpr |
Definition at line 660 of file ct_utils.h.
References Botan::CT::poison().
◆ _const_time_unpoison()
|
inlineconstexpr |
Definition at line 662 of file ct_utils.h.
References Botan::CT::unpoison().
◆ as_bool()
|
inlineconstexpr |
Unsafe conversion to bool
This conversion itself is (probably) constant time, but once the mask is reduced to a simple bool, it's entirely possible for the compiler to perform range analysis on the values, since there are just the two. As a consequence even if the caller is not using this in an obviously branchy way (if(mask.as_bool()) ...) a smart compiler may introduce branches depending on the value.
Definition at line 642 of file ct_utils.h.
References unpoisoned_value().
◆ as_choice()
|
inlineconstexpr |
Return a Choice based on this mask
Definition at line 647 of file ct_utils.h.
References Botan::CT::Choice::from_int(), Botan::CT::Choice::from_mask(), and unpoisoned_value().
Referenced by Botan::oaep_find_delim().
◆ cleared()
|
inlinestaticconstexpr |
Return a Mask<T> of |0| (all bits cleared)
Definition at line 415 of file ct_utils.h.
References Mask().
Referenced by Botan::Classic_McEliece_PrivateKeyInternal::check_key(), Botan::CT::is_equal(), Botan::low_zero_bits(), Botan::oaep_find_delim(), Botan::OneAndZeros_Padding::remove_padding(), and Botan::x448().
◆ conditional_swap()
requires (sizeof(U) <= sizeof(T))
|
inline |
If this mask is set, swap x and y
Definition at line 613 of file ct_utils.h.
References Mask().
◆ expand() [1/2]
|
inlinestaticconstexpr |
◆ expand() [2/2]
|
inlinestaticconstexpr |
Return a Mask<T> which is set if v is != 0
Definition at line 420 of file ct_utils.h.
References is_zero(), Mask(), and Botan::CT::value_barrier().
Referenced by Botan::bigint_cnd_abs(), Botan::bigint_cnd_add(), Botan::bigint_cnd_sub(), Botan::bigint_cnd_swap(), Botan::bigint_ct_is_lt(), Botan::bigint_shl1(), Botan::bigint_shl2(), Botan::bigint_shr1(), Botan::bigint_shr2(), Botan::Classic_McEliece_PrivateKeyInternal::check_key(), Botan::CT::conditional_assign_mem(), Botan::CT::conditional_copy_mem(), Botan::CT::conditional_swap(), Botan::constant_time_compare(), Botan::BigInt::ct_cond_add(), Botan::GF_Mask::expand(), expand_bool(), Botan::low_zero_bits(), Botan::bitvector_base< AllocatorT >::bitref< BlockT >::operator=(), Botan::bitvector_base< AllocatorT >::bitref< BlockT >::operator^=(), Botan::bitvector_base< AllocatorT >::bitref< BlockT >::operator|=(), Botan::ANSI_X923_Padding::remove_padding(), Botan::OneAndZeros_Padding::remove_padding(), Botan::Sodium::sodium_is_zero(), Botan::solinas_correct_redc(), and Botan::x448().
◆ expand_bit()
|
inlinestaticconstexpr |
Return a Mask<T> which is set if the given bit of v is set. bit must be from 0 (LSB) to (sizeof(T) * 8 - 1) (MSB).
Definition at line 449 of file ct_utils.h.
References expand_top_bit(), and Mask().
Referenced by Botan::FrodoMatrix::sample().
◆ expand_bool()
|
inlinestaticconstexpr |
Return a Mask<T> which is set if v is true
Definition at line 425 of file ct_utils.h.
References expand(), and Mask().
Referenced by Botan::BigInt::cond_flip_sign(), Botan::Classic_McEliece_Field_Ordering::create_from_control_bits(), Botan::BigInt::ct_cond_assign(), Botan::Ed448Point::decode(), Botan::gcd(), Botan::Ed448Point::operator==(), and Botan::Classic_McEliece_Field_Ordering::permute_with_pivots().
◆ expand_top_bit()
|
inlinestaticconstexpr |
Return a Mask<T> which is set if the top bit of v is set
Definition at line 443 of file ct_utils.h.
References Botan::expand_top_bit(), Mask(), and Botan::CT::value_barrier().
Referenced by Botan::ct_divide_word(), Botan::ct_mod_word(), expand_bit(), is_any_of(), is_lt(), is_within_range(), and Botan::CRYSTALS::Trait_Base< ConstantsT, DerivedT >::poly_cadd_q().
◆ from_choice()
|
inlinestaticconstexpr |
Return a Mask<T> which is set if choice is set
Definition at line 430 of file ct_utils.h.
References is_zero(), Mask(), and Botan::CT::Choice::value().
Referenced by Botan::Scalar448::bytes_are_reduced(), Botan::IntMod< MontgomeryRep< ScalarParams > >::conditional_assign(), Botan::IntMod< MontgomeryRep< ScalarParams > >::conditional_assign(), Botan::IntMod< MontgomeryRep< ScalarParams > >::conditional_assign(), Botan::CT::conditional_assign_mem(), Botan::IntMod< MontgomeryRep< ScalarParams > >::conditional_swap(), Botan::CT::copy_output(), Botan::bitvector_base< secure_allocator >::ct_conditional_xor(), Botan::PK_Ops::Decryption_with_EME::decrypt(), and Botan::CT::Option< T >::value_or().
◆ if_not_set_return()
|
inlineconstexpr |
Return x if the mask is cleared, or otherwise zero
Definition at line 571 of file ct_utils.h.
References value().
Referenced by if_set_zero_out().
◆ if_set_return()
|
inlineconstexpr |
Return x if the mask is set, or otherwise zero
Definition at line 566 of file ct_utils.h.
References value().
Referenced by Botan::oaep_find_delim().
◆ if_set_zero_out()
|
inlineconstexpr |
If this mask is set, zero out buf, otherwise do nothing
Definition at line 603 of file ct_utils.h.
References if_not_set_return().
◆ is_any_of()
|
inlinestaticconstexpr |
Definition at line 507 of file ct_utils.h.
References expand_top_bit(), Mask(), and Botan::CT::value_barrier().
◆ is_equal()
|
inlinestaticconstexpr |
Return a Mask<T> which is set if x == y
Definition at line 470 of file ct_utils.h.
References is_zero(), Mask(), and Botan::CT::value_barrier().
Referenced by Botan::OneAndZeros_Padding::apply_padding(), Botan::bigint_cmp(), Botan::bigint_ct_is_lt(), Botan::Classic_McEliece_PrivateKeyInternal::check_key(), Botan::TLS::check_tls_cbc_padding(), Botan::constant_time_compare(), Botan::CT::copy_output(), Botan::BigInt::ct_cond_assign(), Botan::AffineCurvePoint< FieldElement, Params >::ct_select(), Botan::AffinePointTable< C, R >::ct_select(), Botan::AffinePointTable< C, R >::ct_select(), Botan::PK_Decryptor::decrypt_or_random(), Botan::PCurve::PrimeOrderCurveImpl< C >::deserialize_point(), Botan::GF_Mask::is_equal(), Botan::Dilithium_Algos::make_hint(), Botan::EC_Point_Base_Point_Precompute::mul(), Botan::EC_Point_Var_Point_Precompute::mul(), Botan::oaep_find_delim(), Botan::Classic_McEliece_Field_Ordering::permute_with_pivots(), Botan::ESP_Padding::remove_padding(), Botan::OneAndZeros_Padding::remove_padding(), Botan::PKCS7_Padding::remove_padding(), and Botan::Sodium::sodium_compare().
◆ is_gt()
|
inlinestaticconstexpr |
Return a Mask<T> which is set if x > y
Definition at line 486 of file ct_utils.h.
References is_lt(), and Mask().
Referenced by Botan::OneAndZeros_Padding::apply_padding(), is_lte(), Botan::Dilithium_Algos::make_hint(), Botan::ANSI_X923_Padding::remove_padding(), Botan::ESP_Padding::remove_padding(), and Botan::PKCS7_Padding::remove_padding().
◆ is_gte()
|
inlinestaticconstexpr |
Return a Mask<T> which is set if x >= y
Definition at line 496 of file ct_utils.h.
References is_lt(), and Mask().
Referenced by Botan::ANSI_X923_Padding::apply_padding(), Botan::ESP_Padding::apply_padding(), Botan::PKCS7_Padding::apply_padding(), Botan::ct_divide_word(), Botan::ct_mod_word(), Botan::ANSI_X923_Padding::remove_padding(), and Botan::PKCS7_Padding::remove_padding().
◆ is_lt()
|
inlinestaticconstexpr |
Return a Mask<T> which is set if x < y
Definition at line 478 of file ct_utils.h.
References expand_top_bit(), and Mask().
Referenced by Botan::bigint_cmp(), Botan::bigint_ct_is_lt(), Botan::TLS::check_tls_cbc_padding(), is_gt(), is_gte(), Botan::donna128::operator+=(), Botan::donna128::operator+=(), Botan::FrodoMatrix::sample(), Botan::Sodium::sodium_add(), and Botan::Sodium::sodium_compare().
◆ is_lte()
|
inlinestaticconstexpr |
Return a Mask<T> which is set if x <= y
Definition at line 491 of file ct_utils.h.
References is_gt(), and Mask().
Referenced by Botan::TLS::check_tls_cbc_padding(), Botan::constant_time_compare(), Botan::CT::copy_output(), Botan::GF_Mask::is_lte(), and Botan::Dilithium_Algos::make_hint().
◆ is_within_range()
|
inlinestaticconstexpr |
Definition at line 498 of file ct_utils.h.
References expand_top_bit(), Mask(), and Botan::CT::value_barrier().
◆ is_zero()
|
inlinestaticconstexpr |
Return a Mask<T> which is set if v is == 0 or cleared otherwise
Definition at line 465 of file ct_utils.h.
References Botan::ct_is_zero(), Mask(), and Botan::CT::value_barrier().
Referenced by Botan::CT::all_zeros(), Botan::bigint_cmp(), Botan::bigint_ct_is_eq(), Botan::bigint_ct_is_lt(), Botan::CT::count_leading_zero_bytes(), Botan::BigInt::ct_reduce_below(), expand(), expand(), from_choice(), Botan::GF2m_Field::gf_div(), Botan::CT::is_equal(), is_equal(), Botan::GF_Mask::is_zero(), Botan::Dilithium_Algos::make_hint(), Botan::oaep_find_delim(), Botan::ESP_Padding::remove_padding(), Botan::OneAndZeros_Padding::remove_padding(), and Botan::Sodium::sodium_increment().
◆ operator&=()
|
inline |
◆ operator=() [1/2]
|
default |
References Mask().
◆ operator=() [2/2]
|
default |
References Mask().
◆ operator^=()
|
inline |
◆ operator|=()
|
inline |
◆ operator~()
|
inlineconstexpr |
◆ select()
|
inlineconstexpr |
If this mask is set, return x, otherwise return y
Definition at line 576 of file ct_utils.h.
References Botan::choose(), and value().
Referenced by Botan::Classic_McEliece_Decryptor::raw_kem_decrypt(), select_and_unpoison(), and select_mask().
◆ select_and_unpoison()
|
inlineconstexpr |
Definition at line 578 of file ct_utils.h.
References select(), and Botan::CT::unpoison().
◆ select_mask()
|
inline |
◆ select_n()
|
inlineconstexpr |
Conditionally set output to x or y, depending on if mask is set or cleared (resp)
Definition at line 593 of file ct_utils.h.
References Botan::choose(), and value().
Referenced by Botan::CT::conditional_copy_mem(), and Botan::Classic_McEliece_Decryptor::raw_kem_decrypt().
◆ set()
|
inlinestaticconstexpr |
Return a Mask<T> of |1| (all bits set)
Definition at line 410 of file ct_utils.h.
References Mask().
Referenced by Botan::CT::count_leading_zero_bytes(), Botan::oaep_find_delim(), and Botan::GF_Mask::set().
◆ unpoisoned_value()
|
inlineconstexpr |
Return the value of the mask, unpoisoned
Definition at line 626 of file ct_utils.h.
References Botan::CT::unpoison(), and value().
Referenced by as_bool(), and as_choice().
◆ value()
|
inlineconstexpr |
Return the underlying value of the mask
Definition at line 658 of file ct_utils.h.
References Botan::CT::value_barrier().
Referenced by expand(), if_not_set_return(), if_set_return(), Mask(), operator&, operator&=(), operator^, operator^=(), operator|, operator|=(), operator~(), select(), select_mask(), select_n(), and unpoisoned_value().
Friends And Related Symbol Documentation
◆ operator&
◆ operator^
◆ operator|
The documentation for this class was generated from the following file:
- src/lib/utils/ct_utils.h
Generated by
1.14.0