diff --git a/include/mbedtls/constant_time.h b/include/mbedtls/constant_time.h index bd7758fff..b7f9a861d 100644 --- a/include/mbedtls/constant_time.h +++ b/include/mbedtls/constant_time.h @@ -38,7 +38,7 @@ * \return Zero if the content of the two buffer is the same, * otherwise non-zero. */ -int mbedtls_cf_memcmp( const void *a, +int mbedtls_ct_memcmp( const void *a, const void *b, size_t n ); diff --git a/library/bignum.c b/library/bignum.c index a15c6f11b..846f5a331 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -1951,7 +1951,7 @@ static void mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi * so d[n] == 1 and we want to set A to the result of the subtraction * which is d - (2^biL)^n, i.e. the n least significant limbs of d. * This exactly corresponds to a conditional assignment. */ - mbedtls_cf_mpi_uint_cond_assign( n, A->p, d, (unsigned char) d[n] ); + mbedtls_ct_mpi_uint_cond_assign( n, A->p, d, (unsigned char) d[n] ); } /* @@ -1993,7 +1993,7 @@ static int mpi_select( mbedtls_mpi *R, const mbedtls_mpi *T, size_t T_size, size for( size_t i = 0; i < T_size; i++ ) { MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( R, &T[i], - (unsigned char) mbedtls_cf_size_bool_eq( i, idx ) ) ); + (unsigned char) mbedtls_ct_size_bool_eq( i, idx ) ) ); } cleanup: diff --git a/library/cipher.c b/library/cipher.c index a0354d68e..d51ccd77f 100644 --- a/library/cipher.c +++ b/library/cipher.c @@ -1139,7 +1139,7 @@ int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx, } /* Check the tag in "constant-time" */ - if( mbedtls_cf_memcmp( tag, check_tag, tag_len ) != 0 ) + if( mbedtls_ct_memcmp( tag, check_tag, tag_len ) != 0 ) return( MBEDTLS_ERR_CIPHER_AUTH_FAILED ); return( 0 ); @@ -1161,7 +1161,7 @@ int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx, } /* Check the tag in "constant-time" */ - if( mbedtls_cf_memcmp( tag, check_tag, tag_len ) != 0 ) + if( mbedtls_ct_memcmp( tag, check_tag, tag_len ) != 0 ) return( MBEDTLS_ERR_CIPHER_AUTH_FAILED ); return( 0 ); diff --git a/library/constant_time.c b/library/constant_time.c index 5bbdf1c3e..3836d54d5 100644 --- a/library/constant_time.c +++ b/library/constant_time.c @@ -42,7 +42,7 @@ #include -int mbedtls_cf_memcmp( const void *a, +int mbedtls_ct_memcmp( const void *a, const void *b, size_t n ) { @@ -63,7 +63,7 @@ int mbedtls_cf_memcmp( const void *a, return( (int)diff ); } -unsigned mbedtls_cf_uint_mask( unsigned value ) +unsigned mbedtls_ct_uint_mask( unsigned value ) { /* MSVC has a warning about unary minus on unsigned, but this is * well-defined and precisely what we want to do here */ @@ -79,7 +79,7 @@ unsigned mbedtls_cf_uint_mask( unsigned value ) #if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) -size_t mbedtls_cf_size_mask( size_t value ) +size_t mbedtls_ct_size_mask( size_t value ) { /* MSVC has a warning about unary minus on unsigned integer types, * but this is well-defined and precisely what we want to do here. */ @@ -97,7 +97,7 @@ size_t mbedtls_cf_size_mask( size_t value ) #if defined(MBEDTLS_BIGNUM_C) -mbedtls_mpi_uint mbedtls_cf_mpi_uint_mask( mbedtls_mpi_uint value ) +mbedtls_mpi_uint mbedtls_ct_mpi_uint_mask( mbedtls_mpi_uint value ) { /* MSVC has a warning about unary minus on unsigned, but this is * well-defined and precisely what we want to do here */ @@ -127,7 +127,7 @@ mbedtls_mpi_uint mbedtls_cf_mpi_uint_mask( mbedtls_mpi_uint value ) * * \return All-bits-one if \p x is less than \p y, otherwise zero. */ -static size_t mbedtls_cf_size_mask_lt( size_t x, +static size_t mbedtls_ct_size_mask_lt( size_t x, size_t y ) { /* This has the most significant bit set if and only if x < y */ @@ -137,20 +137,20 @@ static size_t mbedtls_cf_size_mask_lt( size_t x, const size_t sub1 = sub >> ( sizeof( sub ) * 8 - 1 ); /* mask = (x < y) ? 0xff... : 0x00... */ - const size_t mask = mbedtls_cf_size_mask( sub1 ); + const size_t mask = mbedtls_ct_size_mask( sub1 ); return( mask ); } -size_t mbedtls_cf_size_mask_ge( size_t x, +size_t mbedtls_ct_size_mask_ge( size_t x, size_t y ) { - return( ~mbedtls_cf_size_mask_lt( x, y ) ); + return( ~mbedtls_ct_size_mask_lt( x, y ) ); } #endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ -unsigned mbedtls_cf_size_bool_eq( size_t x, +unsigned mbedtls_ct_size_bool_eq( size_t x, size_t y ) { /* diff = 0 if x == y, non-zero otherwise */ @@ -189,7 +189,7 @@ unsigned mbedtls_cf_size_bool_eq( size_t x, * * \return 1 if \p x greater than \p y, otherwise 0. */ -static unsigned mbedtls_cf_size_gt( size_t x, +static unsigned mbedtls_ct_size_gt( size_t x, size_t y ) { /* Return the sign bit (1 for negative) of (y - x). */ @@ -200,7 +200,7 @@ static unsigned mbedtls_cf_size_gt( size_t x, #if defined(MBEDTLS_BIGNUM_C) -unsigned mbedtls_cf_mpi_uint_lt( const mbedtls_mpi_uint x, +unsigned mbedtls_ct_mpi_uint_lt( const mbedtls_mpi_uint x, const mbedtls_mpi_uint y ) { mbedtls_mpi_uint ret; @@ -230,11 +230,11 @@ unsigned mbedtls_cf_mpi_uint_lt( const mbedtls_mpi_uint x, #endif /* MBEDTLS_BIGNUM_C */ -unsigned mbedtls_cf_uint_if( unsigned condition, +unsigned mbedtls_ct_uint_if( unsigned condition, unsigned if1, unsigned if0 ) { - unsigned mask = mbedtls_cf_uint_mask( condition ); + unsigned mask = mbedtls_ct_uint_mask( condition ); return( ( mask & if1 ) | (~mask & if0 ) ); } @@ -254,7 +254,7 @@ unsigned mbedtls_cf_uint_if( unsigned condition, * * \return \c if1 if \p condition is nonzero, otherwise \c if0. * */ -static int mbedtls_cf_cond_select_sign( unsigned char condition, +static int mbedtls_ct_cond_select_sign( unsigned char condition, int if1, int if0 ) { @@ -274,7 +274,7 @@ static int mbedtls_cf_cond_select_sign( unsigned char condition, return( (int) ur - 1 ); } -void mbedtls_cf_mpi_uint_cond_assign( size_t n, +void mbedtls_ct_mpi_uint_cond_assign( size_t n, mbedtls_mpi_uint *dest, const mbedtls_mpi_uint *src, unsigned char condition ) @@ -305,7 +305,7 @@ void mbedtls_cf_mpi_uint_cond_assign( size_t n, /** Shift some data towards the left inside a buffer. * - * `mbedtls_cf_mem_move_to_left(start, total, offset)` is functionally + * `mbedtls_ct_mem_move_to_left(start, total, offset)` is functionally * equivalent to * ``` * memmove(start, start + offset, total - offset); @@ -319,7 +319,7 @@ void mbedtls_cf_mpi_uint_cond_assign( size_t n, * \param total Total size of the buffer. * \param offset Offset from which to copy \p total - \p offset bytes. */ -static void mbedtls_cf_mem_move_to_left( void *start, +static void mbedtls_ct_mem_move_to_left( void *start, size_t total, size_t offset ) { @@ -329,7 +329,7 @@ static void mbedtls_cf_mem_move_to_left( void *start, return; for( i = 0; i < total; i++ ) { - unsigned no_op = mbedtls_cf_size_gt( total - offset, i ); + unsigned no_op = mbedtls_ct_size_gt( total - offset, i ); /* The first `total - offset` passes are a no-op. The last * `offset` passes shift the data one byte to the left and * zero out the last byte. */ @@ -337,9 +337,9 @@ static void mbedtls_cf_mem_move_to_left( void *start, { unsigned char current = buf[n]; unsigned char next = buf[n+1]; - buf[n] = mbedtls_cf_uint_if( no_op, current, next ); + buf[n] = mbedtls_ct_uint_if( no_op, current, next ); } - buf[total-1] = mbedtls_cf_uint_if( no_op, buf[total-1], 0 ); + buf[total-1] = mbedtls_ct_uint_if( no_op, buf[total-1], 0 ); } } @@ -347,22 +347,22 @@ static void mbedtls_cf_mem_move_to_left( void *start, #if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) -void mbedtls_cf_memcpy_if_eq( unsigned char *dest, +void mbedtls_ct_memcpy_if_eq( unsigned char *dest, const unsigned char *src, size_t len, size_t c1, size_t c2 ) { /* mask = c1 == c2 ? 0xff : 0x00 */ - const size_t equal = mbedtls_cf_size_bool_eq( c1, c2 ); - const unsigned char mask = (unsigned char) mbedtls_cf_size_mask( equal ); + const size_t equal = mbedtls_ct_size_bool_eq( c1, c2 ); + const unsigned char mask = (unsigned char) mbedtls_ct_size_mask( equal ); /* dest[i] = c1 == c2 ? src[i] : dest[i] */ for( size_t i = 0; i < len; i++ ) dest[i] = ( src[i] & mask ) | ( dest[i] & ~mask ); } -void mbedtls_cf_memcpy_offset( unsigned char *dest, +void mbedtls_ct_memcpy_offset( unsigned char *dest, const unsigned char *src, size_t offset, size_t offset_min, @@ -373,12 +373,12 @@ void mbedtls_cf_memcpy_offset( unsigned char *dest, for( offsetval = offset_min; offsetval <= offset_max; offsetval++ ) { - mbedtls_cf_memcpy_if_eq( dest, src + offsetval, len, + mbedtls_ct_memcpy_if_eq( dest, src + offsetval, len, offsetval, offset ); } } -int mbedtls_cf_hmac( mbedtls_md_context_t *ctx, +int mbedtls_ct_hmac( mbedtls_md_context_t *ctx, const unsigned char *add_data, size_t add_data_len, const unsigned char *data, @@ -436,7 +436,7 @@ int mbedtls_cf_hmac( mbedtls_md_context_t *ctx, MD_CHK( mbedtls_md_clone( &aux, ctx ) ); MD_CHK( mbedtls_md_finish( &aux, aux_out ) ); /* Keep only the correct inner_hash in the output buffer */ - mbedtls_cf_memcpy_if_eq( output, aux_out, hash_size, + mbedtls_ct_memcpy_if_eq( output, aux_out, hash_size, offset, data_len_secret ); if( offset < max_data_len ) @@ -485,13 +485,13 @@ int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X, MPI_VALIDATE_RET( Y != NULL ); /* all-bits 1 if assign is 1, all-bits 0 if assign is 0 */ - limb_mask = mbedtls_cf_mpi_uint_mask( assign );; + limb_mask = mbedtls_ct_mpi_uint_mask( assign );; MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) ); - X->s = mbedtls_cf_cond_select_sign( assign, Y->s, X->s ); + X->s = mbedtls_ct_cond_select_sign( assign, Y->s, X->s ); - mbedtls_cf_mpi_uint_cond_assign( Y->n, X->p, Y->p, assign ); + mbedtls_ct_mpi_uint_cond_assign( Y->n, X->p, Y->p, assign ); for( i = Y->n; i < X->n; i++ ) X->p[i] &= ~limb_mask; @@ -521,14 +521,14 @@ int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, return( 0 ); /* all-bits 1 if swap is 1, all-bits 0 if swap is 0 */ - limb_mask = mbedtls_cf_mpi_uint_mask( swap ); + limb_mask = mbedtls_ct_mpi_uint_mask( swap ); MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_grow( Y, X->n ) ); s = X->s; - X->s = mbedtls_cf_cond_select_sign( swap, Y->s, X->s ); - Y->s = mbedtls_cf_cond_select_sign( swap, s, Y->s ); + X->s = mbedtls_ct_cond_select_sign( swap, Y->s, X->s ); + Y->s = mbedtls_ct_cond_select_sign( swap, s, Y->s ); for( i = 0; i < X->n; i++ ) @@ -590,7 +590,7 @@ int mbedtls_mpi_lt_mpi_ct( const mbedtls_mpi *X, * Again even if we can make a decision, we just mark the result and * the fact that we are done and continue looping. */ - cond = mbedtls_cf_mpi_uint_lt( Y->p[i - 1], X->p[i - 1] ); + cond = mbedtls_ct_mpi_uint_lt( Y->p[i - 1], X->p[i - 1] ); *ret |= cond & ( 1 - done ) & X_is_negative; done |= cond; @@ -601,7 +601,7 @@ int mbedtls_mpi_lt_mpi_ct( const mbedtls_mpi *X, * Again even if we can make a decision, we just mark the result and * the fact that we are done and continue looping. */ - cond = mbedtls_cf_mpi_uint_lt( X->p[i - 1], Y->p[i - 1] ); + cond = mbedtls_ct_mpi_uint_lt( X->p[i - 1], Y->p[i - 1] ); *ret |= cond & ( 1 - done ) & ( 1 - X_is_negative ); done |= cond; } @@ -613,7 +613,7 @@ int mbedtls_mpi_lt_mpi_ct( const mbedtls_mpi *X, #if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) -int mbedtls_cf_rsaes_pkcs1_v15_unpadding( int mode, +int mbedtls_ct_rsaes_pkcs1_v15_unpadding( int mode, unsigned char *input, size_t ilen, unsigned char *output, @@ -671,17 +671,17 @@ int mbedtls_cf_rsaes_pkcs1_v15_unpadding( int mode, * If there's a non-0xff byte in the padding, the padding is bad. */ for( i = 2; i < ilen; i++ ) { - pad_done |= mbedtls_cf_uint_if( input[i], 0, 1 ); - pad_count += mbedtls_cf_uint_if( pad_done, 0, 1 ); - bad |= mbedtls_cf_uint_if( pad_done, 0, input[i] ^ 0xFF ); + pad_done |= mbedtls_ct_uint_if( input[i], 0, 1 ); + pad_count += mbedtls_ct_uint_if( pad_done, 0, 1 ); + bad |= mbedtls_ct_uint_if( pad_done, 0, input[i] ^ 0xFF ); } } /* If pad_done is still zero, there's no data, only unfinished padding. */ - bad |= mbedtls_cf_uint_if( pad_done, 0, 1 ); + bad |= mbedtls_ct_uint_if( pad_done, 0, 1 ); /* There must be at least 8 bytes of padding. */ - bad |= mbedtls_cf_size_gt( 8, pad_count ); + bad |= mbedtls_ct_size_gt( 8, pad_count ); /* If the padding is valid, set plaintext_size to the number of * remaining bytes after stripping the padding. If the padding @@ -690,13 +690,13 @@ int mbedtls_cf_rsaes_pkcs1_v15_unpadding( int mode, * buffer. Do it without branches to avoid leaking the padding * validity through timing. RSA keys are small enough that all the * size_t values involved fit in unsigned int. */ - plaintext_size = mbedtls_cf_uint_if( + plaintext_size = mbedtls_ct_uint_if( bad, (unsigned) plaintext_max_size, (unsigned) ( ilen - pad_count - 3 ) ); /* Set output_too_large to 0 if the plaintext fits in the output * buffer and to 1 otherwise. */ - output_too_large = mbedtls_cf_size_gt( plaintext_size, + output_too_large = mbedtls_ct_size_gt( plaintext_size, plaintext_max_size ); /* Set ret without branches to avoid timing attacks. Return: @@ -704,9 +704,9 @@ int mbedtls_cf_rsaes_pkcs1_v15_unpadding( int mode, * - OUTPUT_TOO_LARGE if the padding is good but the decrypted * plaintext does not fit in the output buffer. * - 0 if the padding is correct. */ - ret = - (int) mbedtls_cf_uint_if( + ret = - (int) mbedtls_ct_uint_if( bad, - MBEDTLS_ERR_RSA_INVALID_PADDING, - mbedtls_cf_uint_if( output_too_large, + mbedtls_ct_uint_if( output_too_large, - MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE, 0 ) ); @@ -716,7 +716,7 @@ int mbedtls_cf_rsaes_pkcs1_v15_unpadding( int mode, * from the same buffer whether the padding is good or not to * avoid leaking the padding validity through overall timing or * through memory or cache access patterns. */ - bad = mbedtls_cf_uint_mask( bad | output_too_large ); + bad = mbedtls_ct_uint_mask( bad | output_too_large ); for( i = 11; i < ilen; i++ ) input[i] &= ~bad; @@ -724,7 +724,7 @@ int mbedtls_cf_rsaes_pkcs1_v15_unpadding( int mode, * Copy anyway to avoid revealing the length through timing, because * revealing the length is as bad as revealing the padding validity * for a Bleichenbacher attack. */ - plaintext_size = mbedtls_cf_uint_if( output_too_large, + plaintext_size = mbedtls_ct_uint_if( output_too_large, (unsigned) plaintext_max_size, (unsigned) plaintext_size ); @@ -734,7 +734,7 @@ int mbedtls_cf_rsaes_pkcs1_v15_unpadding( int mode, * does not depend on the plaintext size. After this move, the * starting location of the plaintext is no longer sensitive * information. */ - mbedtls_cf_mem_move_to_left( input + ilen - plaintext_max_size, + mbedtls_ct_mem_move_to_left( input + ilen - plaintext_max_size, plaintext_max_size, plaintext_max_size - plaintext_size ); diff --git a/library/constant_time.h b/library/constant_time.h index 6fd23c97a..61681084b 100644 --- a/library/constant_time.h +++ b/library/constant_time.h @@ -44,7 +44,7 @@ * * \return Zero if \p value is zero, otherwise all-bits-one. */ -unsigned mbedtls_cf_uint_mask( unsigned value ); +unsigned mbedtls_ct_uint_mask( unsigned value ); #if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) @@ -59,7 +59,7 @@ unsigned mbedtls_cf_uint_mask( unsigned value ); * * \return Zero if \p value is zero, otherwise all-bits-one. */ -size_t mbedtls_cf_size_mask( size_t value ); +size_t mbedtls_ct_size_mask( size_t value ); #endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ @@ -76,7 +76,7 @@ size_t mbedtls_cf_size_mask( size_t value ); * * \return Zero if \p value is zero, otherwise all-bits-one. */ -mbedtls_mpi_uint mbedtls_cf_mpi_uint_mask( mbedtls_mpi_uint value ); +mbedtls_mpi_uint mbedtls_ct_mpi_uint_mask( mbedtls_mpi_uint value ); #endif /* MBEDTLS_BIGNUM_C */ @@ -95,7 +95,7 @@ mbedtls_mpi_uint mbedtls_cf_mpi_uint_mask( mbedtls_mpi_uint value ); * \return All-bits-one if \p x is greater or equal than \p y, * otherwise zero. */ -size_t mbedtls_cf_size_mask_ge( size_t x, +size_t mbedtls_ct_size_mask_ge( size_t x, size_t y ); #endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ @@ -111,7 +111,7 @@ size_t mbedtls_cf_size_mask_ge( size_t x, * * \return 1 if \p x equals to \p y, otherwise 0. */ -unsigned mbedtls_cf_size_bool_eq( size_t x, +unsigned mbedtls_ct_size_bool_eq( size_t x, size_t y ); #if defined(MBEDTLS_BIGNUM_C) @@ -126,7 +126,7 @@ unsigned mbedtls_cf_size_bool_eq( size_t x, * * \return 1 if \p x is less than \p y, otherwise 0. */ -unsigned mbedtls_cf_mpi_uint_lt( const mbedtls_mpi_uint x, +unsigned mbedtls_ct_mpi_uint_lt( const mbedtls_mpi_uint x, const mbedtls_mpi_uint y ); #endif /* MBEDTLS_BIGNUM_C */ @@ -142,7 +142,7 @@ unsigned mbedtls_cf_mpi_uint_lt( const mbedtls_mpi_uint x, * * \return \c if1 if \p condition is nonzero, otherwise \c if0. */ -unsigned mbedtls_cf_uint_if( unsigned condition, +unsigned mbedtls_ct_uint_if( unsigned condition, unsigned if1, unsigned if0 ); @@ -160,7 +160,7 @@ unsigned mbedtls_cf_uint_if( unsigned condition, * initialized MPI. * \param condition Condition to test, must be 0 or 1. */ -void mbedtls_cf_mpi_uint_cond_assign( size_t n, +void mbedtls_ct_mpi_uint_cond_assign( size_t n, mbedtls_mpi_uint *dest, const mbedtls_mpi_uint *src, unsigned char condition ); @@ -180,7 +180,7 @@ void mbedtls_cf_mpi_uint_cond_assign( size_t n, * \param c1 The first value to analyze in the condition. * \param c2 The second value to analyze in the condition. */ -void mbedtls_cf_memcpy_if_eq( unsigned char *dest, +void mbedtls_ct_memcpy_if_eq( unsigned char *dest, const unsigned char *src, size_t len, size_t c1, size_t c2 ); @@ -204,7 +204,7 @@ void mbedtls_cf_memcpy_if_eq( unsigned char *dest, * \param offset_max The maximal value of \p offset. * \param len The number of bytes to copy. */ -void mbedtls_cf_memcpy_offset( unsigned char *dest, +void mbedtls_ct_memcpy_offset( unsigned char *dest, const unsigned char *src, size_t offset, size_t offset_min, @@ -247,7 +247,7 @@ void mbedtls_cf_memcpy_offset( unsigned char *dest, * \retval #MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED * The hardware accelerator failed. */ -int mbedtls_cf_hmac( mbedtls_md_context_t *ctx, +int mbedtls_ct_hmac( mbedtls_md_context_t *ctx, const unsigned char *add_data, size_t add_data_len, const unsigned char *data, @@ -288,7 +288,7 @@ int mbedtls_cf_hmac( mbedtls_md_context_t *ctx, * \return #MBEDTLS_ERR_RSA_INVALID_PADDING * The input doesn't contain properly formatted padding. */ -int mbedtls_cf_rsaes_pkcs1_v15_unpadding( int mode, +int mbedtls_ct_rsaes_pkcs1_v15_unpadding( int mode, unsigned char *input, size_t ilen, unsigned char *output, diff --git a/library/nist_kw.c b/library/nist_kw.c index e5d7fcd87..1aea0b634 100644 --- a/library/nist_kw.c +++ b/library/nist_kw.c @@ -379,7 +379,7 @@ int mbedtls_nist_kw_unwrap( mbedtls_nist_kw_context *ctx, goto cleanup; /* Check ICV in "constant-time" */ - diff = mbedtls_cf_memcmp( NIST_KW_ICV1, A, KW_SEMIBLOCK_LENGTH ); + diff = mbedtls_ct_memcmp( NIST_KW_ICV1, A, KW_SEMIBLOCK_LENGTH ); if( diff != 0 ) { @@ -428,7 +428,7 @@ int mbedtls_nist_kw_unwrap( mbedtls_nist_kw_context *ctx, } /* Check ICV in "constant-time" */ - diff = mbedtls_cf_memcmp( NIST_KW_ICV2, A, KW_SEMIBLOCK_LENGTH / 2 ); + diff = mbedtls_ct_memcmp( NIST_KW_ICV2, A, KW_SEMIBLOCK_LENGTH / 2 ); if( diff != 0 ) { diff --git a/library/rsa.c b/library/rsa.c index 351f4af52..3866b7341 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -1518,7 +1518,7 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, if( ret != 0 ) goto cleanup; - ret = mbedtls_cf_rsaes_pkcs1_v15_unpadding( mode, buf, ilen, + ret = mbedtls_ct_rsaes_pkcs1_v15_unpadding( mode, buf, ilen, output, output_max_len, olen ); cleanup: @@ -1933,7 +1933,7 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) ); MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) ); - if( mbedtls_cf_memcmp( verif, sig, ctx->len ) != 0 ) + if( mbedtls_ct_memcmp( verif, sig, ctx->len ) != 0 ) { ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED; goto cleanup; @@ -2231,7 +2231,7 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, * Compare */ - if( ( ret = mbedtls_cf_memcmp( encoded, encoded_expected, + if( ( ret = mbedtls_ct_memcmp( encoded, encoded_expected, sig_len ) ) != 0 ) { ret = MBEDTLS_ERR_RSA_VERIFY_FAILED; diff --git a/library/ssl_cli.c b/library/ssl_cli.c index def6c7b45..0e802e9dd 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1459,9 +1459,9 @@ static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl, /* Check verify-data in constant-time. The length OTOH is no secret */ if( len != 1 + ssl->verify_data_len * 2 || buf[0] != ssl->verify_data_len * 2 || - mbedtls_cf_memcmp( buf + 1, + mbedtls_ct_memcmp( buf + 1, ssl->own_verify_data, ssl->verify_data_len ) != 0 || - mbedtls_cf_memcmp( buf + 1 + ssl->verify_data_len, + mbedtls_ct_memcmp( buf + 1 + ssl->verify_data_len, ssl->peer_verify_data, ssl->verify_data_len ) != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); diff --git a/library/ssl_cookie.c b/library/ssl_cookie.c index cdc236414..faf92e7c0 100644 --- a/library/ssl_cookie.c +++ b/library/ssl_cookie.c @@ -225,7 +225,7 @@ int mbedtls_ssl_cookie_check( void *p_ctx, if( ret != 0 ) return( ret ); - if( mbedtls_cf_memcmp( cookie + 4, ref_hmac, sizeof( ref_hmac ) ) != 0 ) + if( mbedtls_ct_memcmp( cookie + 4, ref_hmac, sizeof( ref_hmac ) ) != 0 ) return( -1 ); #if defined(MBEDTLS_HAVE_TIME) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 83c4a4bd5..58f41be88 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -1282,7 +1282,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, * * Afterwards, we know that data + data_len is followed by at * least maclen Bytes, which justifies the call to - * mbedtls_cf_memcmp() below. + * mbedtls_ct_memcmp() below. * * Further, we still know that data_len > minlen */ rec->data_len -= transform->maclen; @@ -1305,7 +1305,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, transform->maclen ); /* Compare expected MAC with MAC at the end of the record. */ - if( mbedtls_cf_memcmp( data + rec->data_len, mac_expect, + if( mbedtls_ct_memcmp( data + rec->data_len, mac_expect, transform->maclen ) != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) ); @@ -1384,7 +1384,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, if( auth_done == 1 ) { - const size_t mask = mbedtls_cf_size_mask_ge( + const size_t mask = mbedtls_ct_size_mask_ge( rec->data_len, padlen + 1 ); correct &= mask; @@ -1404,7 +1404,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, } #endif - const size_t mask = mbedtls_cf_size_mask_ge( + const size_t mask = mbedtls_ct_size_mask_ge( rec->data_len, transform->maclen + padlen + 1 ); correct &= mask; @@ -1460,18 +1460,18 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, /* pad_count += (idx >= padding_idx) && * (check[idx] == padlen - 1); */ - const size_t mask = mbedtls_cf_size_mask_ge( idx, padding_idx ); - const size_t equal = mbedtls_cf_size_bool_eq( check[idx], + const size_t mask = mbedtls_ct_size_mask_ge( idx, padding_idx ); + const size_t equal = mbedtls_ct_size_bool_eq( check[idx], padlen - 1 ); pad_count += mask & equal; } - correct &= mbedtls_cf_size_bool_eq( pad_count, padlen ); + correct &= mbedtls_ct_size_bool_eq( pad_count, padlen ); #if defined(MBEDTLS_SSL_DEBUG_ALL) if( padlen > 0 && correct == 0 ) MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) ); #endif - padlen &= mbedtls_cf_size_mask( correct ); + padlen &= mbedtls_ct_size_mask( correct ); } else #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ @@ -1555,7 +1555,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, const size_t max_len = rec->data_len + padlen; const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0; - ret = mbedtls_cf_hmac( &transform->md_ctx_dec, + ret = mbedtls_ct_hmac( &transform->md_ctx_dec, add_data, add_data_len, data, rec->data_len, min_len, max_len, mac_expect ); @@ -1565,7 +1565,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, return( ret ); } - mbedtls_cf_memcpy_offset( mac_peer, data, + mbedtls_ct_memcpy_offset( mac_peer, data, rec->data_len, min_len, max_len, transform->maclen ); @@ -1583,7 +1583,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", mac_peer, transform->maclen ); #endif - if( mbedtls_cf_memcmp( mac_peer, mac_expect, + if( mbedtls_ct_memcmp( mac_peer, mac_expect, transform->maclen ) != 0 ) { #if defined(MBEDTLS_SSL_DEBUG_ALL) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index d9d49a22d..8ef8e905a 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -198,7 +198,7 @@ static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl, /* Check verify-data in constant-time. The length OTOH is no secret */ if( len != 1 + ssl->verify_data_len || buf[0] != ssl->verify_data_len || - mbedtls_cf_memcmp( buf + 1, ssl->peer_verify_data, + mbedtls_ct_memcmp( buf + 1, ssl->peer_verify_data, ssl->verify_data_len ) != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); @@ -3973,7 +3973,7 @@ static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl, diff |= peer_pms[1] ^ ver[1]; /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */ - mask = mbedtls_cf_uint_mask( diff ); + mask = mbedtls_ct_uint_mask( diff ); /* * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding @@ -4056,7 +4056,7 @@ static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned cha /* Identity is not a big secret since clients send it in the clear, * but treat it carefully anyway, just in case */ if( n != ssl->conf->psk_identity_len || - mbedtls_cf_memcmp( ssl->conf->psk_identity, *p, n ) != 0 ) + mbedtls_ct_memcmp( ssl->conf->psk_identity, *p, n ) != 0 ) { ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; } diff --git a/library/ssl_tls.c b/library/ssl_tls.c index f6c593de8..8195af2f9 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3604,7 +3604,7 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED ); } - if( mbedtls_cf_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), + if( mbedtls_ct_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), buf, hash_len ) != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) ); diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 37e8067f6..a7efb0400 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4428,7 +4428,7 @@ void resize_buffers_renegotiate_mfl( int mfl, int legacy_renegotiation, void ssl_cf_hmac( int hash ) { /* - * Test the function mbedtls_cf_hmac() against a reference + * Test the function mbedtls_ct_hmac() against a reference * implementation. */ mbedtls_md_context_t ctx, ref_ctx; @@ -4487,7 +4487,7 @@ void ssl_cf_hmac( int hash ) /* Get the function's result */ TEST_CF_SECRET( &in_len, sizeof( in_len ) ); - TEST_EQUAL( 0, mbedtls_cf_hmac( &ctx, add_data, sizeof( add_data ), + TEST_EQUAL( 0, mbedtls_ct_hmac( &ctx, add_data, sizeof( add_data ), data, in_len, min_in_len, max_in_len, out ) ); @@ -4537,7 +4537,7 @@ void ssl_cf_memcpy_offset( int offset_min, int offset_max, int len ) mbedtls_test_set_step( (int) secret ); TEST_CF_SECRET( &secret, sizeof( secret ) ); - mbedtls_cf_memcpy_offset( dst, src, secret, + mbedtls_ct_memcpy_offset( dst, src, secret, offset_min, offset_max, len ); TEST_CF_PUBLIC( &secret, sizeof( secret ) ); TEST_CF_PUBLIC( dst, len );