Botan::CT Namespace Reference

Functions
template<typename T >
void	cond_zero_mem (T cond, T *array, size_t elems)
template<typename T >
void	conditional_copy_mem (T value, T *to, const T *from0, const T *from1, size_t elems)
template<typename T >
T	expand_mask (T x)
template<typename T >
T	expand_top_bit (T a)
template<typename T >
T	is_equal (T x, T y)
template<typename T >
T	is_less (T a, T b)
template<typename T >
T	is_lte (T a, T b)
template<typename T >
T	is_zero (T x)
template<typename T >
void	poison (const T *p, size_t n)
template<typename T >
T	select (T mask, T from0, T from1)
secure_vector< uint8_t >	strip_leading_zeros (const uint8_t in[], size_t length)
secure_vector< uint8_t >	strip_leading_zeros (const secure_vector< uint8_t > &in)
template<typename T >
void	unpoison (const T *p, size_t n)
template<typename T >
void	unpoison (T &p)
template<typename PredT , typename ValT >
ValT	val_or_zero (PredT pred_val, ValT val)

Function Documentation

cond_zero_mem()

template<typename T >

void Botan::CT::cond_zero_mem ( T  cond, T *  array, size_t  elems  )

inline

Definition at line 157 of file ct_utils.h.

References expand_mask(), select(), and T.

   {
   const T mask = CT::expand_mask(cond);
   const T zero(0);

   for(size_t i = 0; i != elems; ++i)
      {
      array[i] = CT::select(mask, zero, array[i]);
      }
   }

conditional_copy_mem()

template<typename T >

void Botan::CT::conditional_copy_mem ( T  value, T *  to, const T *  from0, const T *  from1, size_t  elems  )

inline

Definition at line 142 of file ct_utils.h.

References expand_mask(), select(), and T.

Referenced by Botan::bigint_monty_redc(), Botan::PK_Decryptor::decrypt_or_random(), Botan::PKCS7_Padding::unpad(), Botan::ANSI_X923_Padding::unpad(), Botan::OneAndZeros_Padding::unpad(), and Botan::ESP_Padding::unpad().

   {
   const T mask = CT::expand_mask(value);

   for(size_t i = 0; i != elems; ++i)
      {
      to[i] = CT::select(mask, from0[i], from1[i]);
      }
   }

expand_mask()

template<typename T >

T Botan::CT::expand_mask ( T  x )

inline

Definition at line 86 of file ct_utils.h.

References T.

Referenced by Botan::bigint_cnd_abs(), Botan::bigint_cnd_add(), Botan::bigint_cnd_sub(), Botan::bigint_cnd_swap(), cond_zero_mem(), conditional_copy_mem(), and is_zero().

   {
   T r = x;
   // First fold r down to a single bit
   for(size_t i = 1; i != sizeof(T)*8; i *= 2)
      {
      r = r | static_cast<T>(r >> i);
      }
   r &= 1;
   r = static_cast<T>(~(r - 1));
   return r;
   }

expand_top_bit()

template<typename T >

T Botan::CT::expand_top_bit ( T  a )

inline

Definition at line 100 of file ct_utils.h.

References T.

   {
   return expand_mask<T>(a >> (sizeof(T)*8-1));
   }

is_equal()

template<typename T >

T Botan::CT::is_equal ( T  x, T  y  )

inline

Definition at line 124 of file ct_utils.h.

Referenced by Botan::BigInt::const_time_lookup(), Botan::PK_Decryptor::decrypt_or_random(), is_lte(), and Botan::PKCS7_Padding::unpad().

   {
   return is_zero<T>(x ^ y);
   }

is_less()

template<typename T >

T Botan::CT::is_less ( T  a, T  b  )

inline

Definition at line 130 of file ct_utils.h.

Referenced by is_lte().

   {
   return expand_top_bit<T>(a ^ ((a^b) | ((a-b)^a)));
   }

is_lte()

template<typename T >

T Botan::CT::is_lte ( T  a, T  b  )

inline

Definition at line 136 of file ct_utils.h.

References is_equal(), and is_less().

   {
   return CT::is_less(a, b) | CT::is_equal(a, b);
   }

is_zero()

template<typename T >

T Botan::CT::is_zero ( T  x )

inline

Definition at line 118 of file ct_utils.h.

References expand_mask(), and T.

Referenced by Botan::DL_Group::DER_encode(), Botan::BigInt::is_nonzero(), Botan::PointGFp::negate(), Botan::BigInt::set_sign(), Botan::ANSI_X923_Padding::unpad(), and Botan::EC_Group::verify_group().

   {
   return static_cast<T>(~expand_mask(x));
   }

poison()

template<typename T >

void Botan::CT::poison ( const T *  p, size_t  n  )

inline

Use valgrind to mark the contents of memory as being undefined. Valgrind will accept operations which manipulate undefined values, but will warn if an undefined value is used to decided a conditional jump or a load/store address. So if we poison all of our inputs we can confirm that the operations in question are truly const time when compiled by whatever compiler is in use.

Even better, the VALGRIND_MAKE_MEM_* macros work even when the program is not run under valgrind (though with a few cycles of overhead, which is unfortunate in final binaries as these annotations tend to be used in fairly important loops).

This approach was first used in ctgrind (https://github.com/agl/ctgrind) but calling the valgrind mecheck API directly works just as well and doesn't require a custom patched valgrind.

Definition at line 46 of file ct_utils.h.

References BOTAN_UNUSED, and T.

Referenced by Botan::bigint_monty_redc(), Botan::BigInt::const_time_lookup(), Botan::ct_inverse_mod_odd_modulus(), Botan::curve25519_donna(), Botan::TLS::TLS_CBC_HMAC_AEAD_Decryption::finish(), Botan::PKCS7_Padding::unpad(), Botan::ANSI_X923_Padding::unpad(), Botan::OneAndZeros_Padding::unpad(), and Botan::ESP_Padding::unpad().

   {
#if defined(BOTAN_HAS_VALGRIND)
   VALGRIND_MAKE_MEM_UNDEFINED(p, n * sizeof(T));
#else
   BOTAN_UNUSED(p);
   BOTAN_UNUSED(n);
#endif
   }

select()

template<typename T >

T Botan::CT::select ( T  mask, T  from0, T  from1  )

inline

Definition at line 106 of file ct_utils.h.

References T.

Referenced by Botan::bigint_cnd_abs(), Botan::bigint_cnd_add(), Botan::bigint_cnd_sub(), Botan::bigint_cnd_swap(), cond_zero_mem(), conditional_copy_mem(), Botan::ge_scalarmult_base(), Botan::Device_EntropySource::poll(), and val_or_zero().

   {
   return static_cast<T>((from0 & mask) | (from1 & ~mask));
   }

strip_leading_zeros() [1/2]

secure_vector<uint8_t> Botan::CT::strip_leading_zeros ( const uint8_t  in[], size_t  length  )

inline

Definition at line 170 of file ct_utils.h.

Referenced by Botan::TLS::Client_Key_Exchange::Client_Key_Exchange(), strip_leading_zeros(), and Botan::TLS::Callbacks::tls_dh_agree().

   {
   size_t leading_zeros = 0;

   uint8_t only_zeros = 0xFF;

   for(size_t i = 0; i != length; ++i)
      {
      only_zeros = only_zeros & CT::is_zero<uint8_t>(in[i]);
      leading_zeros += CT::select<uint8_t>(only_zeros, 1, 0);
      }

   return secure_vector<uint8_t>(in + leading_zeros, in + length);
   }

strip_leading_zeros() [2/2]

secure_vector<uint8_t> Botan::CT::strip_leading_zeros ( const secure_vector< uint8_t > &  in )

inline

Definition at line 185 of file ct_utils.h.

References strip_leading_zeros().

   {
   return strip_leading_zeros(in.data(), in.size());
   }

unpoison() [1/2]

template<typename T >

void Botan::CT::unpoison ( const T *  p, size_t  n  )

inline

Definition at line 57 of file ct_utils.h.

References BOTAN_UNUSED, and T.

Referenced by Botan::bigint_monty_redc(), Botan::BigInt::const_time_lookup(), Botan::ct_inverse_mod_odd_modulus(), Botan::curve25519_donna(), Botan::TLS::TLS_CBC_HMAC_AEAD_Decryption::finish(), Botan::PKCS7_Padding::unpad(), Botan::ANSI_X923_Padding::unpad(), Botan::OneAndZeros_Padding::unpad(), and Botan::ESP_Padding::unpad().

   {
#if defined(BOTAN_HAS_VALGRIND)
   VALGRIND_MAKE_MEM_DEFINED(p, n * sizeof(T));
#else
   BOTAN_UNUSED(p);
   BOTAN_UNUSED(n);
#endif
   }

unpoison() [2/2]

template<typename T >

void Botan::CT::unpoison ( T &  p )

inline

Definition at line 68 of file ct_utils.h.

References BOTAN_UNUSED, and T.

   {
#if defined(BOTAN_HAS_VALGRIND)
   VALGRIND_MAKE_MEM_DEFINED(&p, sizeof(T));
#else
   BOTAN_UNUSED(p);
#endif
   }

val_or_zero()

template<typename PredT , typename ValT >

ValT Botan::CT::val_or_zero ( PredT  pred_val, ValT  val  )

inline

Definition at line 112 of file ct_utils.h.

References select().

   {
   return select(CT::expand_mask<ValT>(pred_val), val, static_cast<ValT>(0));
   }