Rename crypto_word_t to crypto_word.
Avoid using the `_t` suffix since that's undefined behavior in C.
This commit is contained in:
Brian Smith
parent
22a5605417
commit
0027633cc9
@ -52,10 +52,10 @@
|
||||
|
||||
int bssl_constant_time_test_main(void);
|
||||
|
||||
static int test_binary_op_w(crypto_word_t (*op)(crypto_word_t a, crypto_word_t b),
|
||||
const char* op_name, crypto_word_t a, crypto_word_t b,
|
||||
static int test_binary_op_w(crypto_word (*op)(crypto_word a, crypto_word b),
|
||||
const char* op_name, crypto_word a, crypto_word b,
|
||||
int is_true) {
|
||||
crypto_word_t c = op(a, b);
|
||||
crypto_word c = op(a, b);
|
||||
if (is_true && c != CONSTTIME_TRUE_W) {
|
||||
fprintf(stderr,
|
||||
"Test failed for %s(%zu, %zu): expected %zu (TRUE), got %zu\n",
|
||||
@ -70,8 +70,8 @@ static int test_binary_op_w(crypto_word_t (*op)(crypto_word_t a, crypto_word_t b
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int test_is_zero_w(crypto_word_t a) {
|
||||
crypto_word_t c = constant_time_is_zero_w(a);
|
||||
static int test_is_zero_w(crypto_word a) {
|
||||
crypto_word c = constant_time_is_zero_w(a);
|
||||
if (a == 0 && c != CONSTTIME_TRUE_W) {
|
||||
fprintf(stderr,
|
||||
"Test failed for constant_time_is_zero_w(%zu): "
|
||||
@ -104,8 +104,8 @@ static int test_is_zero_w(crypto_word_t a) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int test_select_w(crypto_word_t a, crypto_word_t b) {
|
||||
crypto_word_t selected = constant_time_select_w(CONSTTIME_TRUE_W, a, b);
|
||||
static int test_select_w(crypto_word a, crypto_word b) {
|
||||
crypto_word selected = constant_time_select_w(CONSTTIME_TRUE_W, a, b);
|
||||
if (selected != a) {
|
||||
fprintf(stderr,
|
||||
"Test failed for constant_time_select_w(%zu, %zu,"
|
||||
@ -127,7 +127,7 @@ static int test_select_w(crypto_word_t a, crypto_word_t b) {
|
||||
}
|
||||
|
||||
static int test_eq_int(int a, int b) {
|
||||
crypto_word_t equal = constant_time_eq_int(a, b);
|
||||
crypto_word equal = constant_time_eq_int(a, b);
|
||||
if (a == b && equal != CONSTTIME_TRUE_W) {
|
||||
fprintf(stderr,
|
||||
"Test failed for constant_time_eq_int(%d, %d): expected %zu(TRUE), "
|
||||
@ -144,7 +144,7 @@ static int test_eq_int(int a, int b) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
static crypto_word_t test_values_s[] = {
|
||||
static crypto_word test_values_s[] = {
|
||||
0,
|
||||
1,
|
||||
1024,
|
||||
@ -185,11 +185,11 @@ int bssl_constant_time_test_main(void) {
|
||||
|
||||
for (size_t i = 0;
|
||||
i < sizeof(test_values_s) / sizeof(test_values_s[0]); ++i) {
|
||||
crypto_word_t a = test_values_s[i];
|
||||
crypto_word a = test_values_s[i];
|
||||
num_failed += test_is_zero_w(a);
|
||||
for (size_t j = 0;
|
||||
j < sizeof(test_values_s) / sizeof(test_values_s[0]); ++j) {
|
||||
crypto_word_t b = test_values_s[j];
|
||||
crypto_word b = test_values_s[j];
|
||||
num_failed += test_binary_op_w(&constant_time_eq_w,
|
||||
"constant_time_eq_w", a, b, a == b);
|
||||
num_failed += test_binary_op_w(&constant_time_eq_w,
|
||||
|
||||
@ -139,7 +139,7 @@
|
||||
extern "C" {
|
||||
#endif
|
||||
|
||||
typedef crypto_word_t BN_ULONG;
|
||||
typedef crypto_word BN_ULONG;
|
||||
|
||||
#if defined(OPENSSL_64_BIT)
|
||||
|
||||
|
||||
@ -155,8 +155,6 @@ int GFp_bn_from_montgomery_in_place(BN_ULONG r[], size_t num_r, BN_ULONG a[],
|
||||
|
||||
// |a| thus requires at most one additional subtraction |n| to be reduced.
|
||||
// Subtract |n| and select the answer in constant time.
|
||||
OPENSSL_COMPILE_ASSERT(sizeof(BN_ULONG) <= sizeof(crypto_word_t),
|
||||
crypto_word_t_too_small);
|
||||
BN_ULONG v = LIMBS_sub(r, a, n, num_n) - carry;
|
||||
// |v| is one if |a| - |n| underflowed or zero if it did not. Note |v| cannot
|
||||
// be -1. That would imply the subtraction did not fit in |num_n| words, and
|
||||
|
||||
@ -100,8 +100,6 @@ extern "C" {
|
||||
// essentially provides the input bits "shifted to the left" by one position.
|
||||
// For example, the input to compute the least significant recoded digit, given
|
||||
// that there's no bit b_-1, has to be b_4 b_3 b_2 b_1 b_0 0.
|
||||
OPENSSL_COMPILE_ASSERT(sizeof(crypto_word_t) == sizeof(Limb),
|
||||
size_t_and_bn_ulong_are_different_sizes);
|
||||
static inline void booth_recode(Limb *is_negative, unsigned *digit,
|
||||
unsigned in, unsigned w) {
|
||||
assert(w >= 2);
|
||||
|
||||
@ -34,7 +34,7 @@ static void byte_reverse(polyval_block *b) {
|
||||
static void reverse_and_mulX_ghash(polyval_block *b) {
|
||||
uint64_t hi = b->u[0];
|
||||
uint64_t lo = b->u[1];
|
||||
const crypto_word_t carry = constant_time_eq_w(hi & 1, 1);
|
||||
const crypto_word carry = constant_time_eq_w(hi & 1, 1);
|
||||
hi >>= 1;
|
||||
hi |= lo << 63;
|
||||
lo >>= 1;
|
||||
|
||||
@ -199,36 +199,36 @@ typedef __uint128_t uint128_t;
|
||||
//
|
||||
// can be written as
|
||||
//
|
||||
// crypto_word_t lt = constant_time_lt_w(a, b);
|
||||
// crypto_word lt = constant_time_lt_w(a, b);
|
||||
// c = constant_time_select_w(lt, a, b);
|
||||
|
||||
// crypto_word_t is the type that most constant-time functions use. Ideally we
|
||||
// crypto_word is the type that most constant-time functions use. Ideally we
|
||||
// would like it to be |size_t|, but NaCl builds in 64-bit mode with 32-bit
|
||||
// pointers, which means that |size_t| can be 32 bits when |crypto_word_t| is 64
|
||||
// pointers, which means that |size_t| can be 32 bits when |crypto_word| is 64
|
||||
// bits.
|
||||
#if defined(OPENSSL_64_BIT)
|
||||
typedef uint64_t crypto_word_t;
|
||||
#define CRYPTO_WORD_T_BITS (64u)
|
||||
typedef uint64_t crypto_word;
|
||||
#define CRYPTO_WORD_BITS (64u)
|
||||
#elif defined(OPENSSL_32_BIT)
|
||||
typedef uint32_t crypto_word_t;
|
||||
#define CRYPTO_WORD_T_BITS (32u)
|
||||
typedef uint32_t crypto_word;
|
||||
#define CRYPTO_WORD_BITS (32u)
|
||||
#else
|
||||
#error "Must define either OPENSSL_32_BIT or OPENSSL_64_BIT"
|
||||
#endif
|
||||
|
||||
#define CONSTTIME_TRUE_W ~((crypto_word_t)0)
|
||||
#define CONSTTIME_FALSE_W ((crypto_word_t)0)
|
||||
#define CONSTTIME_TRUE_W ~((crypto_word)0)
|
||||
#define CONSTTIME_FALSE_W ((crypto_word)0)
|
||||
#define CONSTTIME_TRUE_8 ((uint8_t)0xff)
|
||||
#define CONSTTIME_FALSE_8 ((uint8_t)0)
|
||||
|
||||
// constant_time_msb_w returns the given value with the MSB copied to all the
|
||||
// other bits.
|
||||
static inline crypto_word_t constant_time_msb_w(crypto_word_t a) {
|
||||
static inline crypto_word constant_time_msb_w(crypto_word a) {
|
||||
return 0u - (a >> (sizeof(a) * 8 - 1));
|
||||
}
|
||||
|
||||
// constant_time_is_zero_w returns 0xff..f if a == 0 and 0 otherwise.
|
||||
static inline crypto_word_t constant_time_is_zero_w(crypto_word_t a) {
|
||||
static inline crypto_word constant_time_is_zero_w(crypto_word a) {
|
||||
// Here is an SMT-LIB verification of this formula:
|
||||
//
|
||||
// (define-fun is_zero ((a (_ BitVec 32))) (_ BitVec 32)
|
||||
@ -243,34 +243,34 @@ static inline crypto_word_t constant_time_is_zero_w(crypto_word_t a) {
|
||||
return constant_time_msb_w(~a & (a - 1));
|
||||
}
|
||||
|
||||
static inline crypto_word_t constant_time_is_nonzero_w(crypto_word_t a) {
|
||||
static inline crypto_word constant_time_is_nonzero_w(crypto_word a) {
|
||||
return ~constant_time_is_zero_w(a);
|
||||
}
|
||||
|
||||
// constant_time_is_zero_8 acts like |constant_time_is_zero_w| but returns an
|
||||
// 8-bit mask.
|
||||
static inline uint8_t constant_time_is_zero_8(crypto_word_t a) {
|
||||
static inline uint8_t constant_time_is_zero_8(crypto_word a) {
|
||||
return (uint8_t)(constant_time_is_zero_w(a));
|
||||
}
|
||||
|
||||
// constant_time_eq_w returns 0xff..f if a == b and 0 otherwise.
|
||||
static inline crypto_word_t constant_time_eq_w(crypto_word_t a,
|
||||
crypto_word_t b) {
|
||||
static inline crypto_word constant_time_eq_w(crypto_word a,
|
||||
crypto_word b) {
|
||||
return constant_time_is_zero_w(a ^ b);
|
||||
}
|
||||
|
||||
// constant_time_eq_int acts like |constant_time_eq_w| but works on int
|
||||
// values.
|
||||
static inline crypto_word_t constant_time_eq_int(int a, int b) {
|
||||
return constant_time_eq_w((crypto_word_t)(a), (crypto_word_t)(b));
|
||||
static inline crypto_word constant_time_eq_int(int a, int b) {
|
||||
return constant_time_eq_w((crypto_word)(a), (crypto_word)(b));
|
||||
}
|
||||
|
||||
// constant_time_select_w returns (mask & a) | (~mask & b). When |mask| is all
|
||||
// 1s or all 0s (as returned by the methods above), the select methods return
|
||||
// either |a| (if |mask| is nonzero) or |b| (if |mask| is zero).
|
||||
static inline crypto_word_t constant_time_select_w(crypto_word_t mask,
|
||||
crypto_word_t a,
|
||||
crypto_word_t b) {
|
||||
static inline crypto_word constant_time_select_w(crypto_word mask,
|
||||
crypto_word a,
|
||||
crypto_word b) {
|
||||
return (mask & a) | (~mask & b);
|
||||
}
|
||||
|
||||
|
||||
@ -19,9 +19,9 @@
|
||||
|
||||
#include "../internal.h"
|
||||
|
||||
typedef crypto_word_t Limb;
|
||||
typedef crypto_word Limb;
|
||||
|
||||
#define LIMB_BITS CRYPTO_WORD_T_BITS
|
||||
#define LIMB_BITS CRYPTO_WORD_BITS
|
||||
#define LIMB_HIGH_BIT ((Limb)(1) << (LIMB_BITS - 1))
|
||||
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user