Classes
class	Mask

Functions
template<typename T >
Mask< T >	conditional_copy_mem (T cnd, T to, const T from0, const T *from1, size_t elems)

template<typename T >
void	conditional_swap (bool cnd, T &x, T &y)

template<typename T >
void	conditional_swap_ptr (bool cnd, T &x, T &y)

secure_vector< uint8_t >	copy_output (CT::Mask< uint8_t > bad_input, const uint8_t input[], size_t input_length, size_t offset)

template<typename T >
void	poison (const T *p, size_t n)

secure_vector< uint8_t >	strip_leading_zeros (const uint8_t in[], size_t length)

secure_vector< uint8_t >	strip_leading_zeros (const secure_vector< uint8_t > &in)

template<typename T >
void	unpoison (const T *p, size_t n)

template<typename T >
void	unpoison (T &p)

Function Documentation

◆ conditional_copy_mem()

template<typename T >

Mask<T> Botan::CT::conditional_copy_mem	(	T	cnd,
		T *	to,
		const T *	from0,
		const T *	from1,
		size_t	elems
	)

inline

Definition at line 339 of file ct_utils.h.

    {
    const auto mask = CT::Mask<T>::expand(cnd);
    mask.select_n(to, from0, from1, elems);
    return mask;
    }

References Botan::elems, and Botan::CT::Mask< T >::expand().

Referenced by Botan::bigint_monty_redc_16(), Botan::bigint_monty_redc_24(), Botan::bigint_monty_redc_32(), Botan::bigint_monty_redc_4(), Botan::bigint_monty_redc_6(), Botan::bigint_monty_redc_8(), and Botan::bigint_sub_abs().

◆ conditional_swap()

template<typename T >

void Botan::CT::conditional_swap	(	bool	cnd,
		T &	x,
		T &	y
	)

inline

Definition at line 351 of file ct_utils.h.

    {
    const auto swap = CT::Mask<T>::expand(cnd);
 
    T t0 = swap.select(y, x);
    T t1 = swap.select(x, y);
    x = t0;
    y = t1;
    }

References Botan::CT::Mask< T >::expand(), T, Botan::x, and Botan::y.

Referenced by Botan::bigint_sub_abs().

◆ conditional_swap_ptr()

template<typename T >

void Botan::CT::conditional_swap_ptr	(	bool	cnd,
		T &	x,
		T &	y
	)

inline

Definition at line 362 of file ct_utils.h.

    {
    uintptr_t xp = reinterpret_cast<uintptr_t>(x);
    uintptr_t yp = reinterpret_cast<uintptr_t>(y);
 
    conditional_swap<uintptr_t>(cnd, xp, yp);
 
    x = reinterpret_cast<T>(xp);
    y = reinterpret_cast<T>(yp);
    }

References Botan::x, and Botan::y.

Referenced by Botan::bigint_sub_abs().

◆ copy_output()

secure_vector< uint8_t > Botan::CT::copy_output	(	CT::Mask< uint8_t >	bad_input,
		const uint8_t	input[],
		size_t	input_length,
		size_t	delim_idx
	)

If bad_mask is unset, return in[delim_idx:input_length] copied to new buffer. If bad_mask is set, return an all zero vector of unspecified length.

Definition at line 13 of file ct_utils.cpp.

    {
    if(input_length == 0)
       return secure_vector<uint8_t>();
 
    /*
    * Ensure at runtime that offset <= input_length. This is an invalid input,
    * but we can't throw without using the poisoned value. Instead, if it happens,
    * set offset to be equal to the input length (so output_bytes becomes 0 and
    * the returned vector is empty)
    */
    const auto valid_offset = CT::Mask<size_t>::is_lte(offset, input_length);
    offset = valid_offset.select(offset, input_length);
 
    const size_t output_bytes = input_length - offset;
 
    secure_vector<uint8_t> output(input_length);
 
    /*
    Move the desired output bytes to the front using a slow (O^n)
    but constant time loop that does not leak the value of the offset
    */
    for(size_t i = 0; i != input_length; ++i)
       {
       /*
       start index from i rather than 0 since we know j must be >= i + offset
       to have any effect, and starting from i does not reveal information
       */
       for(size_t j = i; j != input_length; ++j)
          {
          const uint8_t b = input[j];
          const auto is_eq = CT::Mask<size_t>::is_equal(j, offset + i);
          output[i] |= is_eq.if_set_return(b);
          }
       }
 
    bad_input.if_set_zero_out(output.data(), output.size());
 
    /*
    This is potentially not const time, depending on how std::vector is
    implemented. But since we are always reducing length, it should
    just amount to setting the member var holding the length.
    */
    CT::unpoison(output.data(), output.size());
    CT::unpoison(output_bytes);
    output.resize(output_bytes);
    return output;
    }

References Botan::b, Botan::CT::Mask< T >::if_set_zero_out(), Botan::input, Botan::input_length, Botan::CT::Mask< T >::is_equal(), Botan::CT::Mask< T >::is_lte(), Botan::offset, Botan::output, and unpoison().

Referenced by Botan::oaep_find_delim(), and strip_leading_zeros().

◆ poison()

template<typename T >

void Botan::CT::poison	(	const T *	p,
		size_t	n
	)

inline

Use valgrind to mark the contents of memory as being undefined. Valgrind will accept operations which manipulate undefined values, but will warn if an undefined value is used to decided a conditional jump or a load/store address. So if we poison all of our inputs we can confirm that the operations in question are truly const time when compiled by whatever compiler is in use.

Even better, the VALGRIND_MAKE_MEM_* macros work even when the program is not run under valgrind (though with a few cycles of overhead, which is unfortunate in final binaries as these annotations tend to be used in fairly important loops).

This approach was first used in ctgrind (https://github.com/agl/ctgrind) but calling the valgrind mecheck API directly works just as well and doesn't require a custom patched valgrind.

Definition at line 48 of file ct_utils.h.

    {
 #if defined(BOTAN_HAS_VALGRIND)
    VALGRIND_MAKE_MEM_UNDEFINED(p, n * sizeof(T));
 #else
    BOTAN_UNUSED(p);
    BOTAN_UNUSED(n);
 #endif
    }

References BOTAN_UNUSED, Botan::n, Botan::p, and T.

Referenced by Botan::ct_inverse_mod_odd_modulus(), Botan::curve25519_donna(), Botan::TLS::TLS_CBC_HMAC_AEAD_Decryption::finish(), and Botan::oaep_find_delim().

◆ strip_leading_zeros() [1/2]

secure_vector< uint8_t > Botan::CT::strip_leading_zeros	(	const uint8_t	in[],
		size_t	length
	)

Definition at line 65 of file ct_utils.cpp.

    {
    size_t leading_zeros = 0;
 
    auto only_zeros = Mask<uint8_t>::set();
 
    for(size_t i = 0; i != length; ++i)
       {
       only_zeros &= CT::Mask<uint8_t>::is_zero(in[i]);
       leading_zeros += only_zeros.if_set_return(1);
       }
 
    return copy_output(CT::Mask<uint8_t>::cleared(), in, length, leading_zeros);
    }

References copy_output(), Botan::in, Botan::CT::Mask< T >::is_zero(), and Botan::CT::Mask< T >::set().

Referenced by Botan::TLS::Client_Key_Exchange::Client_Key_Exchange(), and strip_leading_zeros().

◆ strip_leading_zeros() [2/2]

secure_vector<uint8_t> Botan::CT::strip_leading_zeros ( const secure_vector< uint8_t > & in )

inline

Definition at line 385 of file ct_utils.h.

    {
    return strip_leading_zeros(in.data(), in.size());
    }

References Botan::in, and strip_leading_zeros().

◆ unpoison() [1/2]

template<typename T >

void Botan::CT::unpoison	(	const T *	p,
		size_t	n
	)

inline

Definition at line 59 of file ct_utils.h.

    {
 #if defined(BOTAN_HAS_VALGRIND)
    VALGRIND_MAKE_MEM_DEFINED(p, n * sizeof(T));
 #else
    BOTAN_UNUSED(p);
    BOTAN_UNUSED(n);
 #endif
    }

References BOTAN_UNUSED, Botan::n, Botan::p, and T.

Referenced by Botan::bigint_cmp(), copy_output(), Botan::ct_inverse_mod_odd_modulus(), Botan::curve25519_donna(), Botan::TLS::TLS_CBC_HMAC_AEAD_Decryption::finish(), Botan::oaep_find_delim(), Botan::redc_p192(), Botan::redc_p224(), Botan::redc_p256(), Botan::redc_p384(), Botan::CT::Mask< T >::select_and_unpoison(), and Botan::CT::Mask< T >::unpoisoned_value().

◆ unpoison() [2/2]

template<typename T >

void Botan::CT::unpoison ( T & p )

inline

Definition at line 70 of file ct_utils.h.

    {
 #if defined(BOTAN_HAS_VALGRIND)
    VALGRIND_MAKE_MEM_DEFINED(&p, sizeof(T));
 #else
    BOTAN_UNUSED(p);
 #endif
    }

References BOTAN_UNUSED, Botan::p, and T.

Classes

Functions

Function Documentation

◆ conditional_copy_mem()

◆ conditional_swap()

◆ conditional_swap_ptr()

◆ copy_output()

◆ poison()

◆ strip_leading_zeros() [1/2]

◆ strip_leading_zeros() [2/2]

◆ unpoison() [1/2]

◆ unpoison() [2/2]