yggdrasil/ring
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Rename size_t constant-time utilities to match BoringSSL's.

Browse Source 
Make it easier to keep the code in sync by using the same names.
This commit is contained in:
Brian Smith 2017-12-28 19:19:46 -10:00
parent db972916c0
commit 2c56be7e2c
8 changed files with 76 additions and 77 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
crypto/constant_time_test.c
View File

@ -55,22 +55,22 @@ int bssl_constant_time_test_main(void);
static const unsigned int CONSTTIME_TRUE = (unsigned)(~0);
static const unsigned int CONSTTIME_FALSE = 0;
static const size_t CONSTTIME_TRUE_SIZE_T = (size_t)(~0);
static const size_t CONSTTIME_FALSE_SIZE_T = 0;
static const size_t CONSTTIME_TRUE_s = (size_t)(~0);
static const size_t CONSTTIME_FALSE_s = 0;
static int test_binary_op_size_t(size_t (*op)(size_t a, size_t b),
static int test_binary_op_s(size_t (*op)(size_t a, size_t b),
const char* op_name, size_t a, size_t b,
int is_true) {
size_t c = op(a, b);
if (is_true && c != CONSTTIME_TRUE_SIZE_T) {
if (is_true && c != CONSTTIME_TRUE_s) {
fprintf(stderr,
"Test failed for %s(%zu, %zu): expected %zu (TRUE), got %zu\n",
op_name, a, b, CONSTTIME_TRUE_SIZE_T, c);
op_name, a, b, CONSTTIME_TRUE_s, c);
return 1;
} else if (!is_true && c != CONSTTIME_FALSE_SIZE_T) {
} else if (!is_true && c != CONSTTIME_FALSE_s) {
fprintf(stderr,
"Test failed for %s(%zu, %zu): expected %zu (FALSE), got %zu\n",
op_name, a, b, CONSTTIME_FALSE_SIZE_T, c);
op_name, a, b, CONSTTIME_FALSE_s, c);
return 1;
}
return 0;
@ -94,55 +94,55 @@ static int test_is_zero(unsigned int a) {
return 0;
}
static int test_is_zero_size_t(size_t a) {
size_t c = constant_time_is_zero_size_t(a);
if (a == 0 && c != CONSTTIME_TRUE_SIZE_T) {
static int test_is_zero_s(size_t a) {
size_t c = constant_time_is_zero_s(a);
if (a == 0 && c != CONSTTIME_TRUE_s) {
fprintf(stderr,
"Test failed for constant_time_is_zero_size_t(%zu): "
"Test failed for constant_time_is_zero_s(%zu): "
"expected %zu (TRUE), got %zu\n",
a, CONSTTIME_TRUE_SIZE_T, c);
a, CONSTTIME_TRUE_s, c);
return 1;
} else if (a != 0 && c != CONSTTIME_FALSE_SIZE_T) {
} else if (a != 0 && c != CONSTTIME_FALSE_s) {
fprintf(stderr,
"Test failed for constant_time_is_zero_size_t(%zu): "
"Test failed for constant_time_is_zero_s(%zu): "
"expected %zu (FALSE), got %zu\n",
a, CONSTTIME_FALSE_SIZE_T, c);
a, CONSTTIME_FALSE_s, c);
return 1;
}
c = constant_time_is_nonzero_size_t(a);
if (a == 0 && c != CONSTTIME_FALSE_SIZE_T) {
c = constant_time_is_nonzero_s(a);
if (a == 0 && c != CONSTTIME_FALSE_s) {
fprintf(stderr,
"Test failed for constant_time_is_nonzero_size_t(%zu): "
"Test failed for constant_time_is_nonzero_s(%zu): "
"expected %zu (FALSE), got %zu\n",
a, CONSTTIME_FALSE_SIZE_T, c);
a, CONSTTIME_FALSE_s, c);
return 1;
} else if (a != 0 && c != CONSTTIME_TRUE_SIZE_T) {
} else if (a != 0 && c != CONSTTIME_TRUE_s) {
fprintf(stderr,
"Test failed for constant_time_is_nonzero_size_t(%zu): "
"Test failed for constant_time_is_nonzero_s(%zu): "
"expected %zu (TRUE), got %zu\n",
a, CONSTTIME_TRUE_SIZE_T, c);
a, CONSTTIME_TRUE_s, c);
return 1;
}
return 0;
}
static int test_select_size_t(size_t a, size_t b) {
size_t selected = constant_time_select_size_t(CONSTTIME_TRUE_SIZE_T, a, b);
static int test_select_s(size_t a, size_t b) {
size_t selected = constant_time_select_s(CONSTTIME_TRUE_s, a, b);
if (selected != a) {
fprintf(stderr,
"Test failed for constant_time_select_size_t(%zu, %zu,"
"Test failed for constant_time_select_s(%zu, %zu,"
"%zu): expected %zu(first value), got %zu\n",
CONSTTIME_TRUE_SIZE_T, a, b, a, selected);
CONSTTIME_TRUE_s, a, b, a, selected);
return 1;
}
selected = constant_time_select_size_t(CONSTTIME_FALSE_SIZE_T, a, b);
selected = constant_time_select_s(CONSTTIME_FALSE_s, a, b);
if (selected != b) {
fprintf(stderr,
"Test failed for constant_time_select_size_t(%zu, %zu,"
"Test failed for constant_time_select_s(%zu, %zu,"
"%zu): expected %zu(second value), got %zu\n",
CONSTTIME_FALSE_SIZE_T, a, b, b, selected);
CONSTTIME_FALSE_s, a, b, b, selected);
return 1;
}
return 0;
@ -178,7 +178,7 @@ static unsigned int test_values[] = {
UINT_MAX - 1, UINT_MAX
};
static size_t size_t_test_values[] = {
static size_t test_values_s[] = {
0,
1,
1024,
@ -216,17 +216,17 @@ int bssl_constant_time_test_main(void) {
}
for (size_t i = 0;
i < sizeof(size_t_test_values) / sizeof(size_t_test_values[0]); ++i) {
size_t a = size_t_test_values[i];
num_failed += test_is_zero_size_t(a);
i < sizeof(test_values_s) / sizeof(test_values_s[0]); ++i) {
size_t a = test_values_s[i];
num_failed += test_is_zero_s(a);
for (size_t j = 0;
j < sizeof(size_t_test_values) / sizeof(size_t_test_values[0]); ++j) {
size_t b = size_t_test_values[j];
num_failed += test_binary_op_size_t(
&constant_time_eq_size_t, "constant_time_eq_size_t", a, b, a == b);
num_failed += test_binary_op_size_t(
&constant_time_eq_size_t, "constant_time_eq_size_t", b, a, b == a);
num_failed += test_select_size_t(a, b);
j < sizeof(test_values_s) / sizeof(test_values_s[0]); ++j) {
size_t b = test_values_s[j];
num_failed += test_binary_op_s(&constant_time_eq_s,
"constant_time_eq_s", a, b, a == b);
num_failed += test_binary_op_s(&constant_time_eq_s,
"constant_time_eq_s", b, a, b == a);
num_failed += test_select_s(a, b);
}
}

6
crypto/ec/ecp_nistz.h
View File

@ -96,7 +96,7 @@ extern "C" {
* six bits b_(4j + 4) ... b_(4j - 1).
*
* This function takes those `w` bits as an integer, writing the recoded digit
* to |*is_negative| (a mask for `constant_time_select_size_t`) and |*digit|
* to |*is_negative| (a mask for `constant_time_select_s`) and |*digit|
* (absolute value, in the range 0 .. 2**(w-1). Note that this integer
* essentially provides the input bits "shifted to the left" by one position.
* For example, the input to compute the least significant recoded digit, given
@ -108,7 +108,7 @@ static inline void booth_recode(BN_ULONG *is_negative, unsigned *digit,
assert(w >= 2);
assert(w <= 7);
/* Set all bits of `s` to MSB(in), similar to |constant_time_msb_size_t|,
/* Set all bits of `s` to MSB(in), similar to |constant_time_msb_s|,
* but 'in' seen as (`w+1`)-bit value. */
BN_ULONG s = ~((in >> w) - 1);
unsigned d;
@ -116,7 +116,7 @@ static inline void booth_recode(BN_ULONG *is_negative, unsigned *digit,
d = (d & s) | (in & ~s);
d = (d >> 1) + (d & 1);
*is_negative = constant_time_is_nonzero_size_t(s & 1);
*is_negative = constant_time_is_nonzero_s(s & 1);
*digit = d;
}

2
crypto/ec/ecp_nistz256.c
View File

@ -75,7 +75,7 @@ static BN_ULONG is_infinity(const BN_ULONG x[P256_LIMBS],
for (size_t i = 0; i < P256_LIMBS; ++i) {
acc |= x[i] | y[i];
}
return constant_time_is_zero_size_t(acc);
return constant_time_is_zero_s(acc);
}
static void copy_conditional(BN_ULONG dst[P256_LIMBS],

2
crypto/ec/ecp_nistz384.inl
View File

@ -34,7 +34,7 @@ static BN_ULONG is_zero(const BN_ULONG a[P384_LIMBS]) {
for (size_t i = 0; i < P384_LIMBS; ++i) {
acc |= a[i];
}
return constant_time_is_zero_size_t(acc);
return constant_time_is_zero_s(acc);
}
/* Point double: r = 2*a */

8
crypto/ec/gfp_p256.c
View File

@ -87,14 +87,14 @@ OPENSSL_COMPILE_ASSERT(sizeof(size_t) == sizeof(Limb),
void GFp_nistz256_select_w5(P256_POINT *out, const P256_POINT table[16],
int index) {
assert(index >= 0);
size_t index_as_size_t = (size_t)index; /* XXX: constant time? */
size_t index_s = (size_t)index; /* XXX: constant time? */
alignas(32) Elem x; memset(x, 0, sizeof(x));
alignas(32) Elem y; memset(y, 0, sizeof(y));
alignas(32) Elem z; memset(z, 0, sizeof(z));
for (size_t i = 0; i < 16; ++i) {
Limb mask = constant_time_eq_size_t(index_as_size_t, i + 1);
Limb mask = constant_time_eq_s(index_s, i + 1);
for (size_t j = 0; j < P256_LIMBS; ++j) {
x[j] |= table[i].X[j] & mask;
y[j] |= table[i].Y[j] & mask;
@ -110,13 +110,13 @@ void GFp_nistz256_select_w5(P256_POINT *out, const P256_POINT table[16],
void GFp_nistz256_select_w7(P256_POINT_AFFINE *out,
const P256_POINT_AFFINE table[64], int index) {
assert(index >= 0);
size_t index_as_size_t = (size_t)index; /* XXX: constant time? */
size_t index_as_s = (size_t)index; /* XXX: constant time? */
alignas(32) Elem x; memset(x, 0, sizeof(x));
alignas(32) Elem y; memset(y, 0, sizeof(y));
for (size_t i = 0; i < 64; ++i) {
Limb mask = constant_time_eq_size_t(index_as_size_t, i + 1);
Limb mask = constant_time_eq_s(index_as_s, i + 1);
for (size_t j = 0; j < P256_LIMBS; ++j) {
x[j] |= table[i].X[j] & mask;
y[j] |= table[i].Y[j] & mask;

8
crypto/ec/gfp_p384.c
View File

@ -90,7 +90,7 @@ static INLINE_IF_POSSIBLE Limb is_equal(const Elem a, const Elem b) {
static INLINE_IF_POSSIBLE void copy_conditional(Elem r, const Elem a,
const Limb condition) {
for (size_t i = 0; i < P384_LIMBS; ++i) {
r[i] = constant_time_select_size_t(condition, a[i], r[i]);
r[i] = constant_time_select_s(condition, a[i], r[i]);
}
}
@ -145,7 +145,7 @@ static void elem_div_by_2(Elem r, const Elem a) {
*
* Thus, no reduction of the sum mod `q` is necessary. */
Limb is_odd = constant_time_is_nonzero_size_t(a[0] & 1);
Limb is_odd = constant_time_is_nonzero_s(a[0] & 1);
/* r = a >> 1. */
Limb carry = a[P384_LIMBS - 1] & 1;
@ -221,7 +221,7 @@ void GFp_p384_elem_neg(Elem r, const Elem a) {
#endif
assert(borrow == 0);
for (size_t i = 0; i < P384_LIMBS; ++i) {
r[i] = constant_time_select_size_t(is_zero, 0, r[i]);
r[i] = constant_time_select_s(is_zero, 0, r[i]);
}
}
@ -245,7 +245,7 @@ static void gfp_p384_point_select_w5(P384_POINT *out,
Elem z; memset(z, 0, sizeof(z));
for (size_t i = 0; i < 16; ++i) {
Limb mask = constant_time_eq_size_t(index, i + 1);
Limb mask = constant_time_eq_s(index, i + 1);
for (size_t j = 0; j < P384_LIMBS; ++j) {
x[j] |= table[i].X[j] & mask;
y[j] |= table[i].Y[j] & mask;

23
crypto/internal.h
View File

@ -193,7 +193,7 @@ static inline unsigned int constant_time_msb_unsigned(unsigned int a) {
OPENSSL_COMPILE_ASSERT(sizeof(ptrdiff_t) == sizeof(size_t),
ptrdiff_t_and_size_t_are_different_sizes);
static inline size_t constant_time_msb_size_t(size_t a) {
static inline size_t constant_time_msb_s(size_t a) {
return (size_t)((ptrdiff_t)(a) >> (sizeof(ptrdiff_t) * 8 - 1));
}
@ -215,14 +215,14 @@ static inline unsigned int constant_time_is_zero_unsigned(unsigned int a) {
return constant_time_msb_unsigned(~a & (a - 1));
}
/* constant_time_is_zero_size_t is like |constant_time_is_zero_unsigned| but
/* constant_time_is_zero_s is like |constant_time_is_zero_unsigned| but
* operates on |size_t|. */
static inline size_t constant_time_is_zero_size_t(size_t a) {
return constant_time_msb_size_t(~a & (a - 1));
static inline size_t constant_time_is_zero_s(size_t a) {
return constant_time_msb_s(~a & (a - 1));
}
static inline size_t constant_time_is_nonzero_size_t(size_t a) {
return constant_time_is_zero_size_t(constant_time_is_zero_size_t(a));
static inline size_t constant_time_is_nonzero_s(size_t a) {
return constant_time_is_zero_s(constant_time_is_zero_s(a));
}
/* constant_time_eq_int returns 0xff..f if a == b and 0 otherwise. */
@ -230,18 +230,17 @@ static inline unsigned int constant_time_eq_int(int a, int b) {
return constant_time_is_zero_unsigned((unsigned)(a) ^ (unsigned)(b));
}
/* constant_time_eq_size_t acts like |constant_time_eq_int| but operates on
/* constant_time_eq_s acts like |constant_time_eq_int| but operates on
* |size_t|. */
static inline size_t constant_time_eq_size_t(size_t a, size_t b) {
return constant_time_is_zero_size_t(a ^ b);
static inline size_t constant_time_eq_s(size_t a, size_t b) {
return constant_time_is_zero_s(a ^ b);
}
/* constant_time_select_size_t returns (mask & a) | (~mask & b). When |mask| is
/* constant_time_select_s returns (mask & a) | (~mask & b). When |mask| is
* all 1s or all 0s (as returned by the methods above), the select methods
* return either |a| (if |mask| is nonzero) or |b| (if |mask| is zero). it is
* derived from BoringSSL's |constant_time_select|. */
static inline size_t constant_time_select_size_t(size_t mask, size_t a,
size_t b) {
static inline size_t constant_time_select_s(size_t mask, size_t a, size_t b) {
return (mask & a) | (~mask & b);
}

24
crypto/limbs/limbs.c
View File

@ -42,10 +42,10 @@ OPENSSL_COMPILE_ASSERT(sizeof(size_t) == sizeof(Limb),
/* Returns 0xfff..f if |a| is all zero limbs, and zero otherwise. */
Limb LIMBS_are_zero(const Limb a[], size_t num_limbs) {
assert(num_limbs >= 1);
Limb is_zero = constant_time_is_zero_size_t(a[0]);
Limb is_zero = constant_time_is_zero_s(a[0]);
for (size_t i = 1; i < num_limbs; ++i) {
is_zero = constant_time_select_size_t(
is_zero, constant_time_is_zero_size_t(a[i]), is_zero);
is_zero = constant_time_select_s(
is_zero, constant_time_is_zero_s(a[i]), is_zero);
}
return is_zero;
}
@ -53,9 +53,9 @@ Limb LIMBS_are_zero(const Limb a[], size_t num_limbs) {
/* Returns 0xffff..f if |a| is less than |b|, and zero otherwise. */
Limb LIMBS_equal(const Limb a[], const Limb b[], size_t num_limbs) {
assert(num_limbs >= 1);
Limb eq = constant_time_eq_size_t(a[0], b[0]);
Limb eq = constant_time_eq_s(a[0], b[0]);
for (size_t i = 1; i < num_limbs; ++i) {
eq = constant_time_select_size_t(eq, constant_time_eq_size_t(a[i], b[i]),
eq = constant_time_select_s(eq, constant_time_eq_s(a[i], b[i]),
eq);
}
return eq;
@ -72,7 +72,7 @@ Limb LIMBS_less_than(const Limb a[], const Limb b[], size_t num_limbs) {
for (size_t i = 1; i < num_limbs; ++i) {
borrow = limb_sbb(&dummy, a[i], b[i], borrow);
}
return constant_time_is_nonzero_size_t(borrow);
return constant_time_is_nonzero_s(borrow);
}
/* if (r >= m) { r -= m; } */
@ -85,13 +85,13 @@ void LIMBS_reduce_once(Limb r[], const Limb m[], size_t num_limbs) {
* slightly less efficient way. */
Limb lt = LIMBS_less_than(r, m, num_limbs);
Carry borrow =
limb_sub(&r[0], r[0], constant_time_select_size_t(lt, 0, m[0]));
limb_sub(&r[0], r[0], constant_time_select_s(lt, 0, m[0]));
for (size_t i = 1; i < num_limbs; ++i) {
/* XXX: This is probably particularly inefficient because the operations in
* constant_time_select affect the carry flag, so there will likely be
* loads and stores of |borrow|. */
borrow =
limb_sbb(&r[i], r[i], constant_time_select_size_t(lt, 0, m[i]), borrow);
limb_sbb(&r[i], r[i], constant_time_select_s(lt, 0, m[i]), borrow);
}
assert(borrow == 0);
}
@ -103,7 +103,7 @@ Limb LIMBS_add_assign(Limb r[], const Limb a[], size_t num_limbs) {
void LIMBS_add_mod(Limb r[], const Limb a[], const Limb b[], const Limb m[],
size_t num_limbs) {
Limb overflow1 =
constant_time_is_nonzero_size_t(limbs_add(r, a, b, num_limbs));
constant_time_is_nonzero_s(limbs_add(r, a, b, num_limbs));
Limb overflow2 = ~LIMBS_less_than(r, m, num_limbs);
Limb overflow = overflow1 | overflow2;
Carry borrow = limb_sub(&r[0], r[0], m[0] & overflow);
@ -120,7 +120,7 @@ void LIMBS_sub_assign(Limb r[], const Limb a[], size_t num_limbs) {
void LIMBS_sub_mod(Limb r[], const Limb a[], const Limb b[], const Limb m[],
size_t num_limbs) {
Limb underflow =
constant_time_is_nonzero_size_t(limbs_sub(r, a, b, num_limbs));
constant_time_is_nonzero_s(limbs_sub(r, a, b, num_limbs));
Carry carry = limb_add(&r[0], r[0], m[0] & underflow);
for (size_t i = 1; i < num_limbs; ++i) {
carry = limb_adc(&r[i], r[i], m[i] & underflow, carry);
@ -137,7 +137,7 @@ void LIMBS_sub_mod_ex(Limb r[], const Limb a[], const Limb m[], size_t num_limbs
for (size_t i = a_limbs; i < num_limbs; ++i) {
borrow = limb_sbb(&r[i], r[i], 0, borrow);
}
Limb underflow = constant_time_is_nonzero_size_t(borrow);
Limb underflow = constant_time_is_nonzero_s(borrow);
Carry carry = limb_add(&r[0], r[0], m[0] & underflow);
for (size_t i = 1; i < num_limbs; ++i) {
carry = limb_adc(&r[i], r[i], m[i] & underflow, carry);
@ -146,7 +146,7 @@ void LIMBS_sub_mod_ex(Limb r[], const Limb a[], const Limb m[], size_t num_limbs
void LIMBS_shl_mod(Limb r[], const Limb a[], const Limb m[], size_t num_limbs) {
Limb overflow1 =
constant_time_is_nonzero_size_t(a[num_limbs - 1] & LIMB_HIGH_BIT);
constant_time_is_nonzero_s(a[num_limbs - 1] & LIMB_HIGH_BIT);
Limb carry = 0;
for (size_t i = 0; i < num_limbs; ++i) {
Limb limb = a[i];