Botan  2.7.0
Crypto and TLS for C++11
ct_utils.h
Go to the documentation of this file.
1 /*
2 * Functions for constant time operations on data and testing of
3 * constant time annotations using valgrind.
4 *
5 * For more information about constant time programming see
6 * Wagner, Molnar, et al "The Program Counter Security Model"
7 *
8 * (C) 2010 Falko Strenzke
9 * (C) 2015,2016 Jack Lloyd
10 *
11 * Botan is released under the Simplified BSD License (see license.txt)
12 */
13 
14 #ifndef BOTAN_TIMING_ATTACK_CM_H_
15 #define BOTAN_TIMING_ATTACK_CM_H_
16 
17 #include <botan/secmem.h>
18 #include <vector>
19 
20 #if defined(BOTAN_HAS_VALGRIND)
21  #include <valgrind/memcheck.h>
22 #endif
23 
24 namespace Botan {
25 
26 namespace CT {
27 
28 /**
29 * Use valgrind to mark the contents of memory as being undefined.
30 * Valgrind will accept operations which manipulate undefined values,
31 * but will warn if an undefined value is used to decided a conditional
32 * jump or a load/store address. So if we poison all of our inputs we
33 * can confirm that the operations in question are truly const time
34 * when compiled by whatever compiler is in use.
35 *
36 * Even better, the VALGRIND_MAKE_MEM_* macros work even when the
37 * program is not run under valgrind (though with a few cycles of
38 * overhead, which is unfortunate in final binaries as these
39 * annotations tend to be used in fairly important loops).
40 *
41 * This approach was first used in ctgrind (https://github.com/agl/ctgrind)
42 * but calling the valgrind mecheck API directly works just as well and
43 * doesn't require a custom patched valgrind.
44 */
45 template<typename T>
46 inline void poison(const T* p, size_t n)
47  {
48 #if defined(BOTAN_HAS_VALGRIND)
49  VALGRIND_MAKE_MEM_UNDEFINED(p, n * sizeof(T));
50 #else
51  BOTAN_UNUSED(p);
52  BOTAN_UNUSED(n);
53 #endif
54  }
55 
56 template<typename T>
57 inline void unpoison(const T* p, size_t n)
58  {
59 #if defined(BOTAN_HAS_VALGRIND)
60  VALGRIND_MAKE_MEM_DEFINED(p, n * sizeof(T));
61 #else
62  BOTAN_UNUSED(p);
63  BOTAN_UNUSED(n);
64 #endif
65  }
66 
67 template<typename T>
68 inline void unpoison(T& p)
69  {
70 #if defined(BOTAN_HAS_VALGRIND)
71  VALGRIND_MAKE_MEM_DEFINED(&p, sizeof(T));
72 #else
73  BOTAN_UNUSED(p);
74 #endif
75  }
76 
77 /*
78 * T should be an unsigned machine integer type
79 * Expand to a mask used for other operations
80 * @param in an integer
81 * @return If n is zero, returns zero. Otherwise
82 * returns a T with all bits set for use as a mask with
83 * select.
84 */
85 template<typename T>
86 inline T expand_mask(T x)
87  {
88  T r = x;
89  // First fold r down to a single bit
90  for(size_t i = 1; i != sizeof(T)*8; i *= 2)
91  {
92  r = r | static_cast<T>(r >> i);
93  }
94  r &= 1;
95  r = static_cast<T>(~(r - 1));
96  return r;
97  }
98 
99 template<typename T>
100 inline T expand_top_bit(T a)
101  {
102  return expand_mask<T>(a >> (sizeof(T)*8-1));
103  }
104 
105 template<typename T>
106 inline T select(T mask, T from0, T from1)
107  {
108  return static_cast<T>((from0 & mask) | (from1 & ~mask));
109  }
110 
111 template<typename T>
112 inline T select2(T mask0, T val0, T mask1, T val1, T val2)
113  {
114  return select<T>(mask0, val0, select<T>(mask1, val1, val2));
115  }
116 
117 template<typename T>
118 inline T select3(T mask0, T val0, T mask1, T val1, T mask2, T val2, T val3)
119  {
120  return select2<T>(mask0, val0, mask1, val1, select<T>(mask2, val2, val3));
121  }
122 
123 template<typename PredT, typename ValT>
124 inline ValT val_or_zero(PredT pred_val, ValT val)
125  {
126  return select(CT::expand_mask<ValT>(pred_val), val, static_cast<ValT>(0));
127  }
128 
129 template<typename T>
130 inline T is_zero(T x)
131  {
132  return static_cast<T>(~expand_mask(x));
133  }
134 
135 template<typename T>
136 inline T is_equal(T x, T y)
137  {
138  return is_zero<T>(x ^ y);
139  }
140 
141 template<typename T>
142 inline T is_less(T a, T b)
143  {
144  return expand_top_bit<T>(a ^ ((a^b) | ((a-b)^a)));
145  }
146 
147 template<typename T>
148 inline T is_lte(T a, T b)
149  {
150  return CT::is_less(a, b) | CT::is_equal(a, b);
151  }
152 
153 template<typename T>
154 inline T conditional_copy_mem(T value,
155  T* to,
156  const T* from0,
157  const T* from1,
158  size_t elems)
159  {
160  const T mask = CT::expand_mask(value);
161 
162  for(size_t i = 0; i != elems; ++i)
163  {
164  to[i] = CT::select(mask, from0[i], from1[i]);
165  }
166 
167  return mask;
168  }
169 
170 template<typename T>
171 inline void cond_zero_mem(T cond,
172  T* array,
173  size_t elems)
174  {
175  const T mask = CT::expand_mask(cond);
176  const T zero(0);
177 
178  for(size_t i = 0; i != elems; ++i)
179  {
180  array[i] = CT::select(mask, zero, array[i]);
181  }
182  }
183 
184 inline secure_vector<uint8_t> strip_leading_zeros(const uint8_t in[], size_t length)
185  {
186  size_t leading_zeros = 0;
187 
188  uint8_t only_zeros = 0xFF;
189 
190  for(size_t i = 0; i != length; ++i)
191  {
192  only_zeros = only_zeros & CT::is_zero<uint8_t>(in[i]);
193  leading_zeros += CT::select<uint8_t>(only_zeros, 1, 0);
194  }
195 
196  return secure_vector<uint8_t>(in + leading_zeros, in + length);
197  }
198 
199 inline secure_vector<uint8_t> strip_leading_zeros(const secure_vector<uint8_t>& in)
200  {
201  return strip_leading_zeros(in.data(), in.size());
202  }
203 
204 }
205 
206 }
207 
208 #endif
Botan::CT::is_lte
T is_lte(T a, T b)
Definition: ct_utils.h:148
Botan::CT::expand_top_bit
T expand_top_bit(T a)
Definition: ct_utils.h:100
Botan::CT::poison
void poison(const T *p, size_t n)
Definition: ct_utils.h:46
Botan::CT::is_equal
T is_equal(T x, T y)
Definition: ct_utils.h:136
Botan::CT::conditional_copy_mem
T conditional_copy_mem(T value, T *to, const T *from0, const T *from1, size_t elems)
Definition: ct_utils.h:154
Botan::CT::is_less
T is_less(T a, T b)
Definition: ct_utils.h:142
Botan::CT::cond_zero_mem
void cond_zero_mem(T cond, T *array, size_t elems)
Definition: ct_utils.h:171
Botan::CT::expand_mask
T expand_mask(T x)
Definition: ct_utils.h:86
Botan::CT::select3
T select3(T mask0, T val0, T mask1, T val1, T mask2, T val2, T val3)
Definition: ct_utils.h:118
Botan::CT::select
T select(T mask, T from0, T from1)
Definition: ct_utils.h:106
Botan
Definition: alg_id.cpp:13
BOTAN_UNUSED
#define BOTAN_UNUSED(...)
Definition: assert.h:130
Botan::CT::val_or_zero
ValT val_or_zero(PredT pred_val, ValT val)
Definition: ct_utils.h:124
Botan::CT::is_zero
T is_zero(T x)
Definition: ct_utils.h:130
Botan::CT::select2
T select2(T mask0, T val0, T mask1, T val1, T val2)
Definition: ct_utils.h:112
T
fe T
Definition: ge.cpp:37
Botan::CT::unpoison
void unpoison(const T *p, size_t n)
Definition: ct_utils.h:57
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:88
Botan::CT::strip_leading_zeros
secure_vector< uint8_t > strip_leading_zeros(const uint8_t in[], size_t length)
Definition: ct_utils.h:184
Generated by   doxygen 1.8.14