Botan::CT Namespace Reference

Classes
class	Mask

Functions
template<typename T >
Mask< T >	conditional_copy_mem (T cnd, T *to, const T *from0, const T *from1, size_t elems)
template<typename T >
void	conditional_swap (bool cnd, T &x, T &y)
template<typename T >
void	conditional_swap_ptr (bool cnd, T &x, T &y)
secure_vector< uint8_t >	copy_output (CT::Mask< uint8_t > bad_input, const uint8_t input[], size_t input_length, size_t offset)
template<typename T >
void	poison (const T *p, size_t n)
secure_vector< uint8_t >	strip_leading_zeros (const uint8_t in[], size_t length)
secure_vector< uint8_t >	strip_leading_zeros (const secure_vector< uint8_t > &in)
template<typename T >
void	unpoison (const T *p, size_t n)
template<typename T >
void	unpoison (T &p)

Function Documentation

conditional_copy_mem()

template<typename T >

Mask<T> Botan::CT::conditional_copy_mem ( T  cnd, T *  to, const T *  from0, const T *  from1, size_t  elems  )

inline

Definition at line 339 of file ct_utils.h.

References Botan::CT::Mask< T >::expand().

Referenced by Botan::bigint_monty_redc_16(), Botan::bigint_monty_redc_24(), Botan::bigint_monty_redc_32(), Botan::bigint_monty_redc_4(), Botan::bigint_monty_redc_6(), Botan::bigint_monty_redc_8(), Botan::bigint_sub_abs(), and Botan::BigInt::mod_add().

   {
   const auto mask = CT::Mask<T>::expand(cnd);
   mask.select_n(to, from0, from1, elems);
   return mask;
   }

conditional_swap()

template<typename T >

void Botan::CT::conditional_swap ( bool  cnd, T &  x, T &  y  )

inline

Definition at line 351 of file ct_utils.h.

References Botan::CT::Mask< T >::expand(), and T.

Referenced by Botan::bigint_sub_abs().

   {
   const auto swap = CT::Mask<T>::expand(cnd);

   T t0 = swap.select(y, x);
   T t1 = swap.select(x, y);
   x = t0;
   y = t1;
   }

conditional_swap_ptr()

template<typename T >

void Botan::CT::conditional_swap_ptr ( bool  cnd, T &  x, T &  y  )

inline

Definition at line 362 of file ct_utils.h.

References T.

Referenced by Botan::bigint_sub_abs().

   {
   uintptr_t xp = reinterpret_cast<uintptr_t>(x);
   uintptr_t yp = reinterpret_cast<uintptr_t>(y);

   conditional_swap<uintptr_t>(cnd, xp, yp);

   x = reinterpret_cast<T>(xp);
   y = reinterpret_cast<T>(yp);
   }

copy_output()

secure_vector< uint8_t > Botan::CT::copy_output	(	CT::Mask< uint8_t >	bad_input,
		const uint8_t	input[],
		size_t	input_length,
		size_t	delim_idx
	)

If bad_mask is unset, return in[delim_idx:input_length] copied to new buffer. If bad_mask is set, return an all zero vector of unspecified length.

Definition at line 13 of file ct_utils.cpp.

References Botan::CT::Mask< T >::if_set_zero_out(), Botan::CT::Mask< T >::is_equal(), Botan::CT::Mask< T >::is_lte(), and unpoison().

Referenced by Botan::oaep_find_delim(), strip_leading_zeros(), and Botan::EME_PKCS1v15::unpad().

   {
   if(input_length == 0)
      return secure_vector<uint8_t>();

   /*
   * Ensure at runtime that offset <= input_length. This is an invalid input,
   * but we can't throw without using the poisoned value. Instead, if it happens,
   * set offset to be equal to the input length (so output_bytes becomes 0 and
   * the returned vector is empty)
   */
   const auto valid_offset = CT::Mask<size_t>::is_lte(offset, input_length);
   offset = valid_offset.select(offset, input_length);

   const size_t output_bytes = input_length - offset;

   secure_vector<uint8_t> output(input_length);

   /*
   Move the desired output bytes to the front using a slow (O^n)
   but constant time loop that does not leak the value of the offset
   */
   for(size_t i = 0; i != input_length; ++i)
      {
      /*
      start index from i rather than 0 since we know j must be >= i + offset
      to have any effect, and starting from i does not reveal information
      */
      for(size_t j = i; j != input_length; ++j)
         {
         const uint8_t b = input[j];
         const auto is_eq = CT::Mask<size_t>::is_equal(j, offset + i);
         output[i] |= is_eq.if_set_return(b);
         }
      }

   bad_input.if_set_zero_out(output.data(), output.size());

   /*
   This is potentially not const time, depending on how std::vector is
   implemented. But since we are always reducing length, it should
   just amount to setting the member var holding the length.
   */
   CT::unpoison(output.data(), output.size());
   CT::unpoison(output_bytes);
   output.resize(output_bytes);
   return output;
   }

poison()

template<typename T >

void Botan::CT::poison ( const T *  p, size_t  n  )

inline

Use valgrind to mark the contents of memory as being undefined. Valgrind will accept operations which manipulate undefined values, but will warn if an undefined value is used to decided a conditional jump or a load/store address. So if we poison all of our inputs we can confirm that the operations in question are truly const time when compiled by whatever compiler is in use.

Even better, the VALGRIND_MAKE_MEM_* macros work even when the program is not run under valgrind (though with a few cycles of overhead, which is unfortunate in final binaries as these annotations tend to be used in fairly important loops).

This approach was first used in ctgrind (https://github.com/agl/ctgrind) but calling the valgrind mecheck API directly works just as well and doesn't require a custom patched valgrind.

Definition at line 48 of file ct_utils.h.

References BOTAN_UNUSED, and T.

Referenced by Botan::BigInt::const_time_lookup(), Botan::ct_inverse_mod_odd_modulus(), Botan::curve25519_donna(), Botan::TLS::TLS_CBC_HMAC_AEAD_Decryption::finish(), Botan::oaep_find_delim(), Botan::EME_PKCS1v15::unpad(), Botan::PKCS7_Padding::unpad(), Botan::ANSI_X923_Padding::unpad(), Botan::OneAndZeros_Padding::unpad(), and Botan::ESP_Padding::unpad().

   {
#if defined(BOTAN_HAS_VALGRIND)
   VALGRIND_MAKE_MEM_UNDEFINED(p, n * sizeof(T));
#else
   BOTAN_UNUSED(p);
   BOTAN_UNUSED(n);
#endif
   }

strip_leading_zeros() [1/2]

secure_vector< uint8_t > Botan::CT::strip_leading_zeros	(	const uint8_t	in[],
		size_t	length
	)

Definition at line 65 of file ct_utils.cpp.

References copy_output(), Botan::CT::Mask< T >::is_zero(), and Botan::CT::Mask< T >::set().

Referenced by Botan::TLS::Client_Key_Exchange::Client_Key_Exchange(), strip_leading_zeros(), and Botan::TLS::Callbacks::tls_dh_agree().

   {
   size_t leading_zeros = 0;

   auto only_zeros = Mask<uint8_t>::set();

   for(size_t i = 0; i != length; ++i)
      {
      only_zeros &= CT::Mask<uint8_t>::is_zero(in[i]);
      leading_zeros += only_zeros.if_set_return(1);
      }

   return copy_output(CT::Mask<uint8_t>::cleared(), in, length, leading_zeros);
   }

strip_leading_zeros() [2/2]

secure_vector<uint8_t> Botan::CT::strip_leading_zeros ( const secure_vector< uint8_t > &  in )

inline

Definition at line 385 of file ct_utils.h.

References strip_leading_zeros().

   {
   return strip_leading_zeros(in.data(), in.size());
   }

unpoison() [1/2]

template<typename T >

void Botan::CT::unpoison ( const T *  p, size_t  n  )

inline

Definition at line 59 of file ct_utils.h.

References BOTAN_UNUSED, and T.

Referenced by Botan::bigint_cmp(), Botan::BigInt::const_time_lookup(), copy_output(), Botan::ct_inverse_mod_odd_modulus(), Botan::curve25519_donna(), Botan::TLS::TLS_CBC_HMAC_AEAD_Decryption::finish(), Botan::oaep_find_delim(), Botan::CT::Mask< T >::select_and_unpoison(), Botan::BigInt::top_bits_free(), Botan::EME_PKCS1v15::unpad(), Botan::PKCS7_Padding::unpad(), Botan::ANSI_X923_Padding::unpad(), Botan::OneAndZeros_Padding::unpad(), Botan::ESP_Padding::unpad(), and Botan::CT::Mask< T >::unpoisoned_value().

   {
#if defined(BOTAN_HAS_VALGRIND)
   VALGRIND_MAKE_MEM_DEFINED(p, n * sizeof(T));
#else
   BOTAN_UNUSED(p);
   BOTAN_UNUSED(n);
#endif
   }

unpoison() [2/2]

template<typename T >

void Botan::CT::unpoison ( T &  p )

inline

Definition at line 70 of file ct_utils.h.

References BOTAN_UNUSED, and T.

   {
#if defined(BOTAN_HAS_VALGRIND)
   VALGRIND_MAKE_MEM_DEFINED(&p, sizeof(T));
#else
   BOTAN_UNUSED(p);
#endif
   }