Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/crypto/openssl/include/internal/constant_time.h
103835 views
1
/*

2
 * Copyright 2014-2025 The OpenSSL Project Authors. All Rights Reserved.

3
 *

4
 * Licensed under the Apache License 2.0 (the "License").  You may not use

5
 * this file except in compliance with the License.  You can obtain a copy

6
 * in the file LICENSE in the source distribution or at

7
 * https://www.openssl.org/source/license.html

8
 */

9


10
#ifndef OSSL_INTERNAL_CONSTANT_TIME_H

11
#define OSSL_INTERNAL_CONSTANT_TIME_H

12
#pragma once

13


14
#include <stdlib.h>

15
#include <string.h>

16
#include <openssl/e_os2.h> /* For 'ossl_inline' */

17


18
/*-

19
 * The boolean methods return a bitmask of all ones (0xff...f) for true

20
 * and 0 for false. This is useful for choosing a value based on the result

21
 * of a conditional in constant time. For example,

22
 *      if (a < b) {

23
 *        c = a;

24
 *      } else {

25
 *        c = b;

26
 *      }

27
 * can be written as

28
 *      unsigned int lt = constant_time_lt(a, b);

29
 *      c = constant_time_select(lt, a, b);

30
 */

31


32
/* Returns the given value with the MSB copied to all the other bits. */

33
static ossl_inline unsigned int constant_time_msb(unsigned int a);

34
/* Convenience method for uint32_t. */

35
static ossl_inline uint32_t constant_time_msb_32(uint32_t a);

36
/* Convenience method for uint64_t. */

37
static ossl_inline uint64_t constant_time_msb_64(uint64_t a);

38


39
/* Returns 0xff..f if a < b and 0 otherwise. */

40
static ossl_inline unsigned int constant_time_lt(unsigned int a,

41
    unsigned int b);

42
/* Convenience method for getting an 8-bit mask. */

43
static ossl_inline unsigned char constant_time_lt_8(unsigned int a,

44
    unsigned int b);

45
/* Convenience method for uint32_t. */

46
static ossl_inline uint32_t constant_time_lt_32(uint32_t a, uint32_t b);

47


48
/* Convenience method for uint64_t. */

49
static ossl_inline uint64_t constant_time_lt_64(uint64_t a, uint64_t b);

50


51
/* Returns 0xff..f if a >= b and 0 otherwise. */

52
static ossl_inline unsigned int constant_time_ge(unsigned int a,

53
    unsigned int b);

54
/* Convenience method for getting an 8-bit mask. */

55
static ossl_inline unsigned char constant_time_ge_8(unsigned int a,

56
    unsigned int b);

57


58
/* Returns 0xff..f if a == 0 and 0 otherwise. */

59
static ossl_inline unsigned int constant_time_is_zero(unsigned int a);

60
/* Convenience method for getting an 8-bit mask. */

61
static ossl_inline unsigned char constant_time_is_zero_8(unsigned int a);

62
/* Convenience method for getting a 32-bit mask. */

63
static ossl_inline uint32_t constant_time_is_zero_32(uint32_t a);

64


65
/* Returns 0xff..f if a == b and 0 otherwise. */

66
static ossl_inline unsigned int constant_time_eq(unsigned int a,

67
    unsigned int b);

68
/* Convenience method for getting an 8-bit mask. */

69
static ossl_inline unsigned char constant_time_eq_8(unsigned int a,

70
    unsigned int b);

71
/* Signed integers. */

72
static ossl_inline unsigned int constant_time_eq_int(int a, int b);

73
/* Convenience method for getting an 8-bit mask. */

74
static ossl_inline unsigned char constant_time_eq_int_8(int a, int b);

75


76
/*-

77
 * Returns (mask & a) | (~mask & b).

78
 *

79
 * When |mask| is all 1s or all 0s (as returned by the methods above),

80
 * the select methods return either |a| (if |mask| is nonzero) or |b|

81
 * (if |mask| is zero).

82
 */

83
static ossl_inline unsigned int constant_time_select(unsigned int mask,

84
    unsigned int a,

85
    unsigned int b);

86
/* Convenience method for unsigned chars. */

87
static ossl_inline unsigned char constant_time_select_8(unsigned char mask,

88
    unsigned char a,

89
    unsigned char b);

90


91
/* Convenience method for uint32_t. */

92
static ossl_inline uint32_t constant_time_select_32(uint32_t mask, uint32_t a,

93
    uint32_t b);

94


95
/* Convenience method for uint64_t. */

96
static ossl_inline uint64_t constant_time_select_64(uint64_t mask, uint64_t a,

97
    uint64_t b);

98
/* Convenience method for signed integers. */

99
static ossl_inline int constant_time_select_int(unsigned int mask, int a,

100
    int b);

101


102
static ossl_inline unsigned int constant_time_msb(unsigned int a)

103
{

104
    return 0 - (a >> (sizeof(a) * 8 - 1));

105
}

106


107
static ossl_inline uint32_t constant_time_msb_32(uint32_t a)

108
{

109
    return 0 - (a >> 31);

110
}

111


112
static ossl_inline uint64_t constant_time_msb_64(uint64_t a)

113
{

114
    return 0 - (a >> 63);

115
}

116


117
static ossl_inline size_t constant_time_msb_s(size_t a)

118
{

119
    return 0 - (a >> (sizeof(a) * 8 - 1));

120
}

121


122
static ossl_inline unsigned int constant_time_lt(unsigned int a,

123
    unsigned int b)

124
{

125
    return constant_time_msb(a ^ ((a ^ b) | ((a - b) ^ b)));

126
}

127


128
static ossl_inline size_t constant_time_lt_s(size_t a, size_t b)

129
{

130
    return constant_time_msb_s(a ^ ((a ^ b) | ((a - b) ^ b)));

131
}

132


133
static ossl_inline unsigned char constant_time_lt_8(unsigned int a,

134
    unsigned int b)

135
{

136
    return (unsigned char)constant_time_lt(a, b);

137
}

138


139
static ossl_inline uint32_t constant_time_lt_32(uint32_t a, uint32_t b)

140
{

141
    return constant_time_msb_32(a ^ ((a ^ b) | ((a - b) ^ b)));

142
}

143


144
static ossl_inline uint64_t constant_time_lt_64(uint64_t a, uint64_t b)

145
{

146
    return constant_time_msb_64(a ^ ((a ^ b) | ((a - b) ^ b)));

147
}

148


149
#ifdef BN_ULONG

150
static ossl_inline BN_ULONG value_barrier_bn(BN_ULONG a)

151
{

152
#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)

153
    BN_ULONG r;

154
    __asm__("" : "=r"(r) : "0"(a));

155
#else

156
    volatile BN_ULONG r = a;

157
#endif

158
    return r;

159
}

160


161
static ossl_inline BN_ULONG constant_time_msb_bn(BN_ULONG a)

162
{

163
    return 0 - (a >> (sizeof(a) * 8 - 1));

164
}

165


166
static ossl_inline BN_ULONG constant_time_lt_bn(BN_ULONG a, BN_ULONG b)

167
{

168
    return constant_time_msb_bn(a ^ ((a ^ b) | ((a - b) ^ b)));

169
}

170


171
static ossl_inline BN_ULONG constant_time_is_zero_bn(BN_ULONG a)

172
{

173
    return constant_time_msb_bn(~a & (a - 1));

174
}

175


176
static ossl_inline BN_ULONG constant_time_eq_bn(BN_ULONG a,

177
    BN_ULONG b)

178
{

179
    return constant_time_is_zero_bn(a ^ b);

180
}

181


182
static ossl_inline BN_ULONG constant_time_select_bn(BN_ULONG mask,

183
    BN_ULONG a,

184
    BN_ULONG b)

185
{

186
    return (value_barrier_bn(mask) & a) | (value_barrier_bn(~mask) & b);

187
}

188
#endif

189


190
static ossl_inline unsigned int constant_time_ge(unsigned int a,

191
    unsigned int b)

192
{

193
    return ~constant_time_lt(a, b);

194
}

195


196
static ossl_inline size_t constant_time_ge_s(size_t a, size_t b)

197
{

198
    return ~constant_time_lt_s(a, b);

199
}

200


201
static ossl_inline unsigned char constant_time_ge_8(unsigned int a,

202
    unsigned int b)

203
{

204
    return (unsigned char)constant_time_ge(a, b);

205
}

206


207
static ossl_inline unsigned char constant_time_ge_8_s(size_t a, size_t b)

208
{

209
    return (unsigned char)constant_time_ge_s(a, b);

210
}

211


212
static ossl_inline unsigned int constant_time_is_zero(unsigned int a)

213
{

214
    return constant_time_msb(~a & (a - 1));

215
}

216


217
static ossl_inline size_t constant_time_is_zero_s(size_t a)

218
{

219
    return constant_time_msb_s(~a & (a - 1));

220
}

221


222
static ossl_inline unsigned char constant_time_is_zero_8(unsigned int a)

223
{

224
    return (unsigned char)constant_time_is_zero(a);

225
}

226


227
static ossl_inline uint32_t constant_time_is_zero_32(uint32_t a)

228
{

229
    return constant_time_msb_32(~a & (a - 1));

230
}

231


232
static ossl_inline uint64_t constant_time_is_zero_64(uint64_t a)

233
{

234
    return constant_time_msb_64(~a & (a - 1));

235
}

236


237
static ossl_inline unsigned int constant_time_eq(unsigned int a,

238
    unsigned int b)

239
{

240
    return constant_time_is_zero(a ^ b);

241
}

242


243
static ossl_inline size_t constant_time_eq_s(size_t a, size_t b)

244
{

245
    return constant_time_is_zero_s(a ^ b);

246
}

247


248
static ossl_inline unsigned char constant_time_eq_8(unsigned int a,

249
    unsigned int b)

250
{

251
    return (unsigned char)constant_time_eq(a, b);

252
}

253


254
static ossl_inline unsigned char constant_time_eq_8_s(size_t a, size_t b)

255
{

256
    return (unsigned char)constant_time_eq_s(a, b);

257
}

258


259
static ossl_inline unsigned int constant_time_eq_int(int a, int b)

260
{

261
    return constant_time_eq((unsigned)(a), (unsigned)(b));

262
}

263


264
static ossl_inline unsigned char constant_time_eq_int_8(int a, int b)

265
{

266
    return constant_time_eq_8((unsigned)(a), (unsigned)(b));

267
}

268


269
/*

270
 * Returns the value unmodified, but avoids optimizations.

271
 * The barriers prevent the compiler from narrowing down the

272
 * possible value range of the mask and ~mask in the select

273
 * statements, which avoids the recognition of the select

274
 * and turning it into a conditional load or branch.

275
 */

276
static ossl_inline unsigned int value_barrier(unsigned int a)

277
{

278
#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)

279
    unsigned int r;

280
    __asm__("" : "=r"(r) : "0"(a));

281
#else

282
    volatile unsigned int r = a;

283
#endif

284
    return r;

285
}

286


287
/* Convenience method for uint32_t. */

288
static ossl_inline uint32_t value_barrier_32(uint32_t a)

289
{

290
#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)

291
    uint32_t r;

292
    __asm__("" : "=r"(r) : "0"(a));

293
#else

294
    volatile uint32_t r = a;

295
#endif

296
    return r;

297
}

298


299
/* Convenience method for uint64_t. */

300
static ossl_inline uint64_t value_barrier_64(uint64_t a)

301
{

302
#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)

303
    uint64_t r;

304
    __asm__("" : "=r"(r) : "0"(a));

305
#else

306
    volatile uint64_t r = a;

307
#endif

308
    return r;

309
}

310


311
/* Convenience method for size_t. */

312
static ossl_inline size_t value_barrier_s(size_t a)

313
{

314
#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)

315
    size_t r;

316
    __asm__("" : "=r"(r) : "0"(a));

317
#else

318
    volatile size_t r = a;

319
#endif

320
    return r;

321
}

322


323
/* Convenience method for unsigned char. */

324
static ossl_inline unsigned char value_barrier_8(unsigned char a)

325
{

326
#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)

327
    unsigned char r;

328
    __asm__("" : "=r"(r) : "0"(a));

329
#else

330
    volatile unsigned char r = a;

331
#endif

332
    return r;

333
}

334


335
static ossl_inline unsigned int constant_time_select(unsigned int mask,

336
    unsigned int a,

337
    unsigned int b)

338
{

339
    return (value_barrier(mask) & a) | (value_barrier(~mask) & b);

340
}

341


342
static ossl_inline size_t constant_time_select_s(size_t mask,

343
    size_t a,

344
    size_t b)

345
{

346
    return (value_barrier_s(mask) & a) | (value_barrier_s(~mask) & b);

347
}

348


349
static ossl_inline unsigned char constant_time_select_8(unsigned char mask,

350
    unsigned char a,

351
    unsigned char b)

352
{

353
    return (unsigned char)constant_time_select(mask, a, b);

354
}

355


356
static ossl_inline int constant_time_select_int(unsigned int mask, int a,

357
    int b)

358
{

359
    return (int)constant_time_select(mask, (unsigned)(a), (unsigned)(b));

360
}

361


362
static ossl_inline int constant_time_select_int_s(size_t mask, int a, int b)

363
{

364
    return (int)constant_time_select((unsigned)mask, (unsigned)(a),

365
        (unsigned)(b));

366
}

367


368
static ossl_inline uint32_t constant_time_select_32(uint32_t mask, uint32_t a,

369
    uint32_t b)

370
{

371
    return (value_barrier_32(mask) & a) | (value_barrier_32(~mask) & b);

372
}

373


374
static ossl_inline uint64_t constant_time_select_64(uint64_t mask, uint64_t a,

375
    uint64_t b)

376
{

377
    return (value_barrier_64(mask) & a) | (value_barrier_64(~mask) & b);

378
}

379


380
/*

381
 * mask must be 0xFFFFFFFF or 0x00000000.

382
 *

383
 * if (mask) {

384
 *     uint32_t tmp = *a;

385
 *

386
 *     *a = *b;

387
 *     *b = tmp;

388
 * }

389
 */

390
static ossl_inline void constant_time_cond_swap_32(uint32_t mask, uint32_t *a,

391
    uint32_t *b)

392
{

393
    uint32_t xor = *a ^ *b;

394


395
    xor&= value_barrier_32(mask);

396
    *a ^= xor;

397
    *b ^= xor;

398
}

399


400
/*

401
 * mask must be 0xFFFFFFFF or 0x00000000.

402
 *

403
 * if (mask) {

404
 *     uint64_t tmp = *a;

405
 *

406
 *     *a = *b;

407
 *     *b = tmp;

408
 * }

409
 */

410
static ossl_inline void constant_time_cond_swap_64(uint64_t mask, uint64_t *a,

411
    uint64_t *b)

412
{

413
    uint64_t xor = *a ^ *b;

414


415
    xor&= value_barrier_64(mask);

416
    *a ^= xor;

417
    *b ^= xor;

418
}

419


420
/*

421
 * mask must be 0xFF or 0x00.

422
 * "constant time" is per len.

423
 *

424
 * if (mask) {

425
 *     unsigned char tmp[len];

426
 *

427
 *     memcpy(tmp, a, len);

428
 *     memcpy(a, b);

429
 *     memcpy(b, tmp);

430
 * }

431
 */

432
static ossl_inline void constant_time_cond_swap_buff(unsigned char mask,

433
    unsigned char *a,

434
    unsigned char *b,

435
    size_t len)

436
{

437
    size_t i;

438
    unsigned char tmp;

439


440
    for (i = 0; i < len; i++) {

441
        tmp = a[i] ^ b[i];

442
        tmp &= value_barrier_8(mask);

443
        a[i] ^= tmp;

444
        b[i] ^= tmp;

445
    }

446
}

447


448
/*

449
 * table is a two dimensional array of bytes. Each row has rowsize elements.

450
 * Copies row number idx into out. rowsize and numrows are not considered

451
 * private.

452
 */

453
static ossl_inline void constant_time_lookup(void *out,

454
    const void *table,

455
    size_t rowsize,

456
    size_t numrows,

457
    size_t idx)

458
{

459
    size_t i, j;

460
    const unsigned char *tablec = (const unsigned char *)table;

461
    unsigned char *outc = (unsigned char *)out;

462
    unsigned char mask;

463


464
    memset(out, 0, rowsize);

465


466
    /* Note idx may underflow - but that is well defined */

467
    for (i = 0; i < numrows; i++, idx--) {

468
        mask = (unsigned char)constant_time_is_zero_s(idx);

469
        for (j = 0; j < rowsize; j++)

470
            *(outc + j) |= constant_time_select_8(mask, *(tablec++), 0);

471
    }

472
}

473


474
/*

475
 * Expected usage pattern is to unconditionally set error and then

476
 * wipe it if there was no actual error. |clear| is 1 or 0.

477
 */

478
void err_clear_last_constant_time(int clear);

479


480
#endif /* OSSL_INTERNAL_CONSTANT_TIME_H */

481


482