Botan  2.7.0
Crypto and TLS for C++11
Functions
Botan::CT Namespace Reference

Functions

template<typename T >
void cond_zero_mem (T cond, T *array, size_t elems)
 
template<typename T >
T conditional_copy_mem (T value, T *to, const T *from0, const T *from1, size_t elems)
 
template<typename T >
T expand_mask (T x)
 
template<typename T >
T expand_top_bit (T a)
 
template<typename T >
T is_equal (T x, T y)
 
template<typename T >
T is_less (T a, T b)
 
template<typename T >
T is_lte (T a, T b)
 
template<typename T >
T is_zero (T x)
 
template<typename T >
void poison (const T *p, size_t n)
 
template<typename T >
T select (T mask, T from0, T from1)
 
template<typename T >
T select2 (T mask0, T val0, T mask1, T val1, T val2)
 
template<typename T >
T select3 (T mask0, T val0, T mask1, T val1, T mask2, T val2, T val3)
 
secure_vector< uint8_t > strip_leading_zeros (const uint8_t in[], size_t length)
 
secure_vector< uint8_t > strip_leading_zeros (const secure_vector< uint8_t > &in)
 
template<typename T >
void unpoison (const T *p, size_t n)
 
template<typename T >
void unpoison (T &p)
 
template<typename PredT , typename ValT >
ValT val_or_zero (PredT pred_val, ValT val)
 

Function Documentation

◆ cond_zero_mem()

template<typename T >
void Botan::CT::cond_zero_mem ( T  cond,
T array,
size_t  elems 
)
inline

Definition at line 171 of file ct_utils.h.

References expand_mask(), select(), and T.

174  {
175  const T mask = CT::expand_mask(cond);
176  const T zero(0);
177 
178  for(size_t i = 0; i != elems; ++i)
179  {
180  array[i] = CT::select(mask, zero, array[i]);
181  }
182  }
Botan::CT::expand_mask
T expand_mask(T x)
Definition: ct_utils.h:86
Botan::CT::select
T select(T mask, T from0, T from1)
Definition: ct_utils.h:106
T
fe T
Definition: ge.cpp:37

◆ conditional_copy_mem()

template<typename T >
T Botan::CT::conditional_copy_mem ( T  value,
T to,
const T from0,
const T from1,
size_t  elems 
)
inline

Definition at line 154 of file ct_utils.h.

References expand_mask(), select(), and T.

Referenced by Botan::bigint_monty_redc_16(), Botan::bigint_monty_redc_24(), Botan::bigint_monty_redc_32(), Botan::bigint_monty_redc_4(), Botan::bigint_monty_redc_6(), Botan::bigint_monty_redc_8(), Botan::bigint_sub_abs(), Botan::PK_Decryptor::decrypt_or_random(), Botan::PKCS7_Padding::unpad(), Botan::ANSI_X923_Padding::unpad(), Botan::OneAndZeros_Padding::unpad(), and Botan::ESP_Padding::unpad().

159  {
160  const T mask = CT::expand_mask(value);
161 
162  for(size_t i = 0; i != elems; ++i)
163  {
164  to[i] = CT::select(mask, from0[i], from1[i]);
165  }
166 
167  return mask;
168  }
Botan::CT::expand_mask
T expand_mask(T x)
Definition: ct_utils.h:86
Botan::CT::select
T select(T mask, T from0, T from1)
Definition: ct_utils.h:106
T
fe T
Definition: ge.cpp:37

◆ expand_mask()

template<typename T >
T Botan::CT::expand_mask ( T  x)
inline

Definition at line 86 of file ct_utils.h.

References T.

Referenced by Botan::bigint_cnd_abs(), Botan::bigint_cnd_add(), Botan::bigint_cnd_sub(), Botan::bigint_cnd_swap(), cond_zero_mem(), conditional_copy_mem(), and is_zero().

87  {
88  T r = x;
89  // First fold r down to a single bit
90  for(size_t i = 1; i != sizeof(T)*8; i *= 2)
91  {
92  r = r | static_cast<T>(r >> i);
93  }
94  r &= 1;
95  r = static_cast<T>(~(r - 1));
96  return r;
97  }
T
fe T
Definition: ge.cpp:37

◆ expand_top_bit()

template<typename T >
T Botan::CT::expand_top_bit ( T  a)
inline

Definition at line 100 of file ct_utils.h.

References T.

101  {
102  return expand_mask<T>(a >> (sizeof(T)*8-1));
103  }
T
fe T
Definition: ge.cpp:37

◆ is_equal()

template<typename T >
T Botan::CT::is_equal ( T  x,
T  y 
)
inline

Definition at line 136 of file ct_utils.h.

Referenced by Botan::BigInt::const_time_lookup(), Botan::PK_Decryptor::decrypt_or_random(), is_lte(), and Botan::PKCS7_Padding::unpad().

137  {
138  return is_zero<T>(x ^ y);
139  }

◆ is_less()

template<typename T >
T Botan::CT::is_less ( T  a,
T  b 
)
inline

Definition at line 142 of file ct_utils.h.

Referenced by is_lte().

143  {
144  return expand_top_bit<T>(a ^ ((a^b) | ((a-b)^a)));
145  }

◆ is_lte()

template<typename T >
T Botan::CT::is_lte ( T  a,
T  b 
)
inline

Definition at line 148 of file ct_utils.h.

References is_equal(), and is_less().

149  {
150  return CT::is_less(a, b) | CT::is_equal(a, b);
151  }
Botan::CT::is_equal
T is_equal(T x, T y)
Definition: ct_utils.h:136
Botan::CT::is_less
T is_less(T a, T b)
Definition: ct_utils.h:142

◆ is_zero()

template<typename T >
T Botan::CT::is_zero ( T  x)
inline

Definition at line 130 of file ct_utils.h.

References expand_mask(), and T.

Referenced by Botan::DL_Group::DER_encode(), Botan::generate_rsa_prime(), Botan::BigInt::is_nonzero(), Botan::PointGFp::negate(), Botan::BigInt::set_sign(), and Botan::ANSI_X923_Padding::unpad().

131  {
132  return static_cast<T>(~expand_mask(x));
133  }
Botan::CT::expand_mask
T expand_mask(T x)
Definition: ct_utils.h:86
T
fe T
Definition: ge.cpp:37

◆ poison()

template<typename T >
void Botan::CT::poison ( const T p,
size_t  n 
)
inline

Use valgrind to mark the contents of memory as being undefined. Valgrind will accept operations which manipulate undefined values, but will warn if an undefined value is used to decided a conditional jump or a load/store address. So if we poison all of our inputs we can confirm that the operations in question are truly const time when compiled by whatever compiler is in use.

Even better, the VALGRIND_MAKE_MEM_* macros work even when the program is not run under valgrind (though with a few cycles of overhead, which is unfortunate in final binaries as these annotations tend to be used in fairly important loops).

This approach was first used in ctgrind (https://github.com/agl/ctgrind) but calling the valgrind mecheck API directly works just as well and doesn't require a custom patched valgrind.

Definition at line 46 of file ct_utils.h.

References BOTAN_UNUSED, and T.

Referenced by Botan::BigInt::const_time_lookup(), Botan::ct_inverse_mod_odd_modulus(), Botan::curve25519_donna(), Botan::TLS::TLS_CBC_HMAC_AEAD_Decryption::finish(), Botan::PKCS7_Padding::unpad(), Botan::ANSI_X923_Padding::unpad(), Botan::OneAndZeros_Padding::unpad(), and Botan::ESP_Padding::unpad().

47  {
48 #if defined(BOTAN_HAS_VALGRIND)
49  VALGRIND_MAKE_MEM_UNDEFINED(p, n * sizeof(T));
50 #else
51  BOTAN_UNUSED(p);
52  BOTAN_UNUSED(n);
53 #endif
54  }
BOTAN_UNUSED
#define BOTAN_UNUSED(...)
Definition: assert.h:130
T
fe T
Definition: ge.cpp:37

◆ select()

template<typename T >
T Botan::CT::select ( T  mask,
T  from0,
T  from1 
)
inline

Definition at line 106 of file ct_utils.h.

References T.

Referenced by Botan::bigint_cnd_abs(), Botan::bigint_cnd_add(), Botan::bigint_cnd_addsub(), Botan::bigint_cnd_sub(), Botan::bigint_cnd_swap(), cond_zero_mem(), conditional_copy_mem(), Botan::ge_scalarmult_base(), Botan::Device_EntropySource::poll(), and val_or_zero().

107  {
108  return static_cast<T>((from0 & mask) | (from1 & ~mask));
109  }
T
fe T
Definition: ge.cpp:37

◆ select2()

template<typename T >
T Botan::CT::select2 ( T  mask0,
T  val0,
T  mask1,
T  val1,
T  val2 
)
inline

Definition at line 112 of file ct_utils.h.

113  {
114  return select<T>(mask0, val0, select<T>(mask1, val1, val2));
115  }

◆ select3()

template<typename T >
T Botan::CT::select3 ( T  mask0,
T  val0,
T  mask1,
T  val1,
T  mask2,
T  val2,
T  val3 
)
inline

Definition at line 118 of file ct_utils.h.

119  {
120  return select2<T>(mask0, val0, mask1, val1, select<T>(mask2, val2, val3));
121  }

◆ strip_leading_zeros() [1/2]

secure_vector<uint8_t> Botan::CT::strip_leading_zeros ( const uint8_t  in[],
size_t  length 
)
inline

Definition at line 184 of file ct_utils.h.

Referenced by Botan::TLS::Client_Key_Exchange::Client_Key_Exchange(), strip_leading_zeros(), and Botan::TLS::Callbacks::tls_dh_agree().

185  {
186  size_t leading_zeros = 0;
187 
188  uint8_t only_zeros = 0xFF;
189 
190  for(size_t i = 0; i != length; ++i)
191  {
192  only_zeros = only_zeros & CT::is_zero<uint8_t>(in[i]);
193  leading_zeros += CT::select<uint8_t>(only_zeros, 1, 0);
194  }
195 
196  return secure_vector<uint8_t>(in + leading_zeros, in + length);
197  }

◆ strip_leading_zeros() [2/2]

secure_vector<uint8_t> Botan::CT::strip_leading_zeros ( const secure_vector< uint8_t > &  in)
inline

Definition at line 199 of file ct_utils.h.

References strip_leading_zeros().

200  {
201  return strip_leading_zeros(in.data(), in.size());
202  }
Botan::CT::strip_leading_zeros
secure_vector< uint8_t > strip_leading_zeros(const secure_vector< uint8_t > &in)
Definition: ct_utils.h:199

◆ unpoison() [1/2]

template<typename T >
void Botan::CT::unpoison ( const T p,
size_t  n 
)
inline

Definition at line 57 of file ct_utils.h.

References BOTAN_UNUSED, and T.

Referenced by Botan::BigInt::const_time_lookup(), Botan::ct_inverse_mod_odd_modulus(), Botan::curve25519_donna(), Botan::TLS::TLS_CBC_HMAC_AEAD_Decryption::finish(), Botan::PKCS7_Padding::unpad(), Botan::ANSI_X923_Padding::unpad(), Botan::OneAndZeros_Padding::unpad(), and Botan::ESP_Padding::unpad().

58  {
59 #if defined(BOTAN_HAS_VALGRIND)
60  VALGRIND_MAKE_MEM_DEFINED(p, n * sizeof(T));
61 #else
62  BOTAN_UNUSED(p);
63  BOTAN_UNUSED(n);
64 #endif
65  }
BOTAN_UNUSED
#define BOTAN_UNUSED(...)
Definition: assert.h:130
T
fe T
Definition: ge.cpp:37

◆ unpoison() [2/2]

template<typename T >
void Botan::CT::unpoison ( T p)
inline

Definition at line 68 of file ct_utils.h.

References BOTAN_UNUSED, and T.

69  {
70 #if defined(BOTAN_HAS_VALGRIND)
71  VALGRIND_MAKE_MEM_DEFINED(&p, sizeof(T));
72 #else
73  BOTAN_UNUSED(p);
74 #endif
75  }
BOTAN_UNUSED
#define BOTAN_UNUSED(...)
Definition: assert.h:130
T
fe T
Definition: ge.cpp:37

◆ val_or_zero()

template<typename PredT , typename ValT >
ValT Botan::CT::val_or_zero ( PredT  pred_val,
ValT  val 
)
inline

Definition at line 124 of file ct_utils.h.

References select().

125  {
126  return select(CT::expand_mask<ValT>(pred_val), val, static_cast<ValT>(0));
127  }
Botan::CT::select
T select(T mask, T from0, T from1)
Definition: ct_utils.h:106
Generated by   doxygen 1.8.14