Botan 3.3.0
Crypto and TLS for C&
sodium_utils.cpp
Go to the documentation of this file.
1/*
2* (C) 2019 Jack Lloyd
3*
4* Botan is released under the Simplified BSD License (see license.txt)
5*/
6
7#include <botan/sodium.h>
8
9#include <botan/mem_ops.h>
10#include <botan/system_rng.h>
11#include <botan/internal/chacha.h>
12#include <botan/internal/ct_utils.h>
13#include <botan/internal/loadstor.h>
14#include <botan/internal/os_utils.h>
15#include <cstdlib>
16
17namespace Botan {
18
19void Sodium::randombytes_buf(void* buf, size_t len) {
20 system_rng().randomize(static_cast<uint8_t*>(buf), len);
21}
22
23uint32_t Sodium::randombytes_uniform(uint32_t upper_bound) {
24 if(upper_bound <= 1) {
25 return 0;
26 }
27
28 // Not completely uniform
29 uint64_t x;
30 randombytes_buf(&x, sizeof(x));
31 return x % upper_bound;
32}
33
34void Sodium::randombytes_buf_deterministic(void* buf, size_t size, const uint8_t seed[randombytes_SEEDBYTES]) {
35 const unsigned char nonce[12] = {'L', 'i', 'b', 's', 'o', 'd', 'i', 'u', 'm', 'D', 'R', 'G'};
36
37 ChaCha chacha(20);
38 chacha.set_key(seed, randombytes_SEEDBYTES);
39 chacha.set_iv(nonce, sizeof(nonce));
40 chacha.write_keystream(static_cast<uint8_t*>(buf), size);
41}
42
43int Sodium::crypto_verify_16(const uint8_t x[16], const uint8_t y[16]) {
44 return static_cast<int>(CT::is_equal(x, y, 16).select(1, 0));
45}
46
47int Sodium::crypto_verify_32(const uint8_t x[32], const uint8_t y[32]) {
48 return static_cast<int>(CT::is_equal(x, y, 32).select(1, 0));
49}
50
51int Sodium::crypto_verify_64(const uint8_t x[64], const uint8_t y[64]) {
52 return static_cast<int>(CT::is_equal(x, y, 64).select(1, 0));
53}
54
55void Sodium::sodium_memzero(void* ptr, size_t len) {
56 secure_scrub_memory(ptr, len);
57}
58
59int Sodium::sodium_memcmp(const void* x, const void* y, size_t len) {
60 const auto same = CT::is_equal(static_cast<const uint8_t*>(x), static_cast<const uint8_t*>(y), len);
61 // Return 0 if same or -1 if differing
62 return static_cast<int>(same.select(1, 0)) - 1;
63}
64
65int Sodium::sodium_compare(const uint8_t x[], const uint8_t y[], size_t len) {
66 const uint8_t LT = static_cast<uint8_t>(-1);
67 const uint8_t EQ = 0;
68 const uint8_t GT = 1;
69
70 uint8_t result = EQ; // until found otherwise
71
72 for(size_t i = 0; i != len; ++i) {
73 const auto is_eq = CT::Mask<uint8_t>::is_equal(x[i], y[i]);
74 const auto is_lt = CT::Mask<uint8_t>::is_lt(x[i], y[i]);
75 result = is_eq.select(result, is_lt.select(LT, GT));
76 }
77
78 return static_cast<int8_t>(result);
79}
80
81int Sodium::sodium_is_zero(const uint8_t b[], size_t len) {
82 uint8_t sum = 0;
83 for(size_t i = 0; i != len; ++i) {
84 sum |= b[i];
85 }
86 return static_cast<int>(CT::Mask<uint8_t>::expand(sum).if_not_set_return(1));
87}
88
89void Sodium::sodium_increment(uint8_t b[], size_t len) {
90 uint8_t carry = 1;
91 for(size_t i = 0; i != len; ++i) {
92 b[i] += carry;
93 carry &= (b[i] == 0);
94 }
95}
96
97void Sodium::sodium_add(uint8_t a[], const uint8_t b[], size_t len) {
98 uint8_t carry = 0;
99 for(size_t i = 0; i != len; ++i) {
100 a[i] += b[i] + carry;
101 carry = (a[i] < b[i]);
102 }
103}
104
105void* Sodium::sodium_malloc(size_t size) {
106 const uint64_t len = size;
107
108 if(size + sizeof(len) < size) {
109 return nullptr;
110 }
111
112 // NOLINTNEXTLINE(*-no-malloc)
113 uint8_t* p = static_cast<uint8_t*>(std::calloc(size + sizeof(len), 1));
114 store_le(len, p);
115 return p + 8;
116}
117
118void Sodium::sodium_free(void* ptr) {
119 if(ptr == nullptr) {
120 return;
121 }
122
123 uint8_t* p = static_cast<uint8_t*>(ptr) - 8;
124 const uint64_t len = load_le<uint64_t>(p, 0);
125 secure_scrub_memory(ptr, static_cast<size_t>(len));
126 // NOLINTNEXTLINE(*-no-malloc)
127 std::free(p);
128}
129
130void* Sodium::sodium_allocarray(size_t count, size_t size) {
131 const size_t bytes = count * size;
132 if(bytes < count || bytes < size) {
133 return nullptr;
134 }
135 return sodium_malloc(bytes);
136}
137
140 return 0;
141}
142
145 return 0;
146}
147
148} // namespace Botan
static Mask< T > is_equal(T x, T y)
Definition ct_utils.h:128
static Mask< T > expand(T v)
Definition ct_utils.h:109
static Mask< T > is_lt(T x, T y)
Definition ct_utils.h:133
void randomize(std::span< uint8_t > output)
Definition rng.h:52
void set_iv(const uint8_t iv[], size_t iv_len)
void write_keystream(uint8_t out[], size_t len)
void set_key(const SymmetricKey &key)
Definition sym_algo.h:113
CT::Mask< T > is_equal(const T x[], const T y[], size_t len)
Definition ct_utils.h:339
void page_allow_access(void *page)
Definition os_utils.cpp:573
void page_prohibit_access(void *page)
Definition os_utils.cpp:587
int crypto_verify_32(const uint8_t x[32], const uint8_t y[32])
int crypto_verify_16(const uint8_t x[16], const uint8_t y[16])
void * sodium_allocarray(size_t count, size_t size)
int sodium_memcmp(const void *x, const void *y, size_t len)
@ randombytes_SEEDBYTES
Definition sodium.h:149
int crypto_verify_64(const uint8_t x[64], const uint8_t y[64])
void sodium_add(uint8_t a[], const uint8_t b[], size_t len)
void * sodium_malloc(size_t size)
void sodium_increment(uint8_t n[], size_t nlen)
int sodium_compare(const uint8_t x[], const uint8_t y[], size_t len)
int sodium_mprotect_noaccess(void *ptr)
void randombytes_buf_deterministic(void *buf, size_t size, const uint8_t seed[randombytes_SEEDBYTES])
int sodium_is_zero(const uint8_t nonce[], size_t nlen)
void sodium_free(void *ptr)
uint32_t randombytes_uniform(uint32_t upper_bound)
int sodium_mprotect_readwrite(void *ptr)
void sodium_memzero(void *ptr, size_t len)
void randombytes_buf(void *buf, size_t size)
RandomNumberGenerator & system_rng()
constexpr void store_le(T in, OutR &&out_range)
Definition loadstor.h:383
void secure_scrub_memory(void *ptr, size_t n)
Definition os_utils.cpp:87
void carry(int64_t &h0, int64_t &h1)