87e41aea87b6e650c277d85df2356bef4da907ba
[openwrt/staging/hauke.git] /
1 From 6e34f618d37ddbb5854c42e2ad4fca83492fa7b7 Mon Sep 17 00:00:00 2001
2 From: Jouni Malinen <jouni@codeaurora.org>
3 Date: Wed, 27 Feb 2019 18:38:30 +0200
4 Subject: [PATCH 02/14] Add helper functions for constant time operations
5
6 These functions can be used to help implement constant time operations
7 for various cryptographic operations that must minimize externally
8 observable differences in processing (both in timing and also in
9 internal cache use, etc.).
10
11 This is related to CVE-2019-9494 and CVE-2019-9495.
12
13 Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
14 ---
15 src/utils/const_time.h | 191 +++++++++++++++++++++++++++++++++++++++++++++++++
16 1 file changed, 191 insertions(+)
17 create mode 100644 src/utils/const_time.h
18
19 --- /dev/null
20 +++ b/src/utils/const_time.h
21 @@ -0,0 +1,191 @@
22 +/*
23 + * Helper functions for constant time operations
24 + * Copyright (c) 2019, The Linux Foundation
25 + *
26 + * This software may be distributed under the terms of the BSD license.
27 + * See README for more details.
28 + *
29 + * These helper functions can be used to implement logic that needs to minimize
30 + * externally visible differences in execution path by avoiding use of branches,
31 + * avoiding early termination or other time differences, and forcing same memory
32 + * access pattern regardless of values.
33 + */
34 +
35 +#ifndef CONST_TIME_H
36 +#define CONST_TIME_H
37 +
38 +
39 +#if defined(__clang__)
40 +#define NO_UBSAN_UINT_OVERFLOW \
41 + __attribute__((no_sanitize("unsigned-integer-overflow")))
42 +#else
43 +#define NO_UBSAN_UINT_OVERFLOW
44 +#endif
45 +
46 +
47 +/**
48 + * const_time_fill_msb - Fill all bits with MSB value
49 + * @val: Input value
50 + * Returns: Value with all the bits set to the MSB of the input val
51 + */
52 +static inline unsigned int const_time_fill_msb(unsigned int val)
53 +{
54 + /* Move the MSB to LSB and multiple by -1 to fill in all bits. */
55 + return (val >> (sizeof(val) * 8 - 1)) * ~0U;
56 +}
57 +
58 +
59 +/* Returns: -1 if val is zero; 0 if val is not zero */
60 +static inline unsigned int const_time_is_zero(unsigned int val)
61 + NO_UBSAN_UINT_OVERFLOW
62 +{
63 + /* Set MSB to 1 for 0 and fill rest of bits with the MSB value */
64 + return const_time_fill_msb(~val & (val - 1));
65 +}
66 +
67 +
68 +/* Returns: -1 if a == b; 0 if a != b */
69 +static inline unsigned int const_time_eq(unsigned int a, unsigned int b)
70 +{
71 + return const_time_is_zero(a ^ b);
72 +}
73 +
74 +
75 +/* Returns: -1 if a == b; 0 if a != b */
76 +static inline u8 const_time_eq_u8(unsigned int a, unsigned int b)
77 +{
78 + return (u8) const_time_eq(a, b);
79 +}
80 +
81 +
82 +/**
83 + * const_time_eq_bin - Constant time memory comparison
84 + * @a: First buffer to compare
85 + * @b: Second buffer to compare
86 + * @len: Number of octets to compare
87 + * Returns: -1 if buffers are equal, 0 if not
88 + *
89 + * This function is meant for comparing passwords or hash values where
90 + * difference in execution time or memory access pattern could provide external
91 + * observer information about the location of the difference in the memory
92 + * buffers. The return value does not behave like memcmp(), i.e.,
93 + * const_time_eq_bin() cannot be used to sort items into a defined order. Unlike
94 + * memcmp(), the execution time of const_time_eq_bin() does not depend on the
95 + * contents of the compared memory buffers, but only on the total compared
96 + * length.
97 + */
98 +static inline unsigned int const_time_eq_bin(const void *a, const void *b,
99 + size_t len)
100 +{
101 + const u8 *aa = a;
102 + const u8 *bb = b;
103 + size_t i;
104 + u8 res = 0;
105 +
106 + for (i = 0; i < len; i++)
107 + res |= aa[i] ^ bb[i];
108 +
109 + return const_time_is_zero(res);
110 +}
111 +
112 +
113 +/**
114 + * const_time_select - Constant time unsigned int selection
115 + * @mask: 0 (false) or -1 (true) to identify which value to select
116 + * @true_val: Value to select for the true case
117 + * @false_val: Value to select for the false case
118 + * Returns: true_val if mask == -1, false_val if mask == 0
119 + */
120 +static inline unsigned int const_time_select(unsigned int mask,
121 + unsigned int true_val,
122 + unsigned int false_val)
123 +{
124 + return (mask & true_val) | (~mask & false_val);
125 +}
126 +
127 +
128 +/**
129 + * const_time_select_int - Constant time int selection
130 + * @mask: 0 (false) or -1 (true) to identify which value to select
131 + * @true_val: Value to select for the true case
132 + * @false_val: Value to select for the false case
133 + * Returns: true_val if mask == -1, false_val if mask == 0
134 + */
135 +static inline int const_time_select_int(unsigned int mask, int true_val,
136 + int false_val)
137 +{
138 + return (int) const_time_select(mask, (unsigned int) true_val,
139 + (unsigned int) false_val);
140 +}
141 +
142 +
143 +/**
144 + * const_time_select_u8 - Constant time u8 selection
145 + * @mask: 0 (false) or -1 (true) to identify which value to select
146 + * @true_val: Value to select for the true case
147 + * @false_val: Value to select for the false case
148 + * Returns: true_val if mask == -1, false_val if mask == 0
149 + */
150 +static inline u8 const_time_select_u8(u8 mask, u8 true_val, u8 false_val)
151 +{
152 + return (u8) const_time_select(mask, true_val, false_val);
153 +}
154 +
155 +
156 +/**
157 + * const_time_select_s8 - Constant time s8 selection
158 + * @mask: 0 (false) or -1 (true) to identify which value to select
159 + * @true_val: Value to select for the true case
160 + * @false_val: Value to select for the false case
161 + * Returns: true_val if mask == -1, false_val if mask == 0
162 + */
163 +static inline s8 const_time_select_s8(u8 mask, s8 true_val, s8 false_val)
164 +{
165 + return (s8) const_time_select(mask, (unsigned int) true_val,
166 + (unsigned int) false_val);
167 +}
168 +
169 +
170 +/**
171 + * const_time_select_bin - Constant time binary buffer selection copy
172 + * @mask: 0 (false) or -1 (true) to identify which value to copy
173 + * @true_val: Buffer to copy for the true case
174 + * @false_val: Buffer to copy for the false case
175 + * @len: Number of octets to copy
176 + * @dst: Destination buffer for the copy
177 + *
178 + * This function copies the specified buffer into the destination buffer using
179 + * operations with identical memory access pattern regardless of which buffer
180 + * is being copied.
181 + */
182 +static inline void const_time_select_bin(u8 mask, const u8 *true_val,
183 + const u8 *false_val, size_t len,
184 + u8 *dst)
185 +{
186 + size_t i;
187 +
188 + for (i = 0; i < len; i++)
189 + dst[i] = const_time_select_u8(mask, true_val[i], false_val[i]);
190 +}
191 +
192 +
193 +static inline int const_time_memcmp(const void *a, const void *b, size_t len)
194 +{
195 + const u8 *aa = a;
196 + const u8 *bb = b;
197 + int diff, res = 0;
198 + unsigned int mask;
199 +
200 + if (len == 0)
201 + return 0;
202 + do {
203 + len--;
204 + diff = (int) aa[len] - (int) bb[len];
205 + mask = const_time_is_zero((unsigned int) diff);
206 + res = const_time_select_int(mask, res, diff);
207 + } while (len);
208 +
209 + return res;
210 +}
211 +
212 +#endif /* CONST_TIME_H */