Move contatnt-time memcmp functions to the contant-time module

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
This commit is contained in:
gabor-mezei-arm 2021-09-27 11:28:54 +02:00 committed by Gabor Mezei
parent e41e3e8a8b
commit 944c107744
No known key found for this signature in database
GPG Key ID: 106F5A41ECC305BD
11 changed files with 112 additions and 77 deletions

View File

@ -1212,26 +1212,6 @@ void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl );
int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst, int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
const mbedtls_ssl_session *src ); const mbedtls_ssl_session *src );
/* constant-time buffer comparison */
static inline int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t n )
{
size_t i;
volatile const unsigned char *A = (volatile const unsigned char *) a;
volatile const unsigned char *B = (volatile const unsigned char *) b;
volatile unsigned char diff = 0;
for( i = 0; i < n; i++ )
{
/* Read volatile data in order before computing diff.
* This avoids IAR compiler warning:
* 'the order of volatile accesses is undefined ..' */
unsigned char x = A[i], y = B[i];
diff |= x ^ y;
}
return( diff );
}
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_1) defined(MBEDTLS_SSL_PROTO_TLS1_1)
int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl, int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,

View File

@ -29,6 +29,7 @@
#include "mbedtls/cipher_internal.h" #include "mbedtls/cipher_internal.h"
#include "mbedtls/platform_util.h" #include "mbedtls/platform_util.h"
#include "mbedtls/error.h" #include "mbedtls/error.h"
#include "constant_time.h"
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
@ -74,27 +75,6 @@
#define CIPHER_VALIDATE( cond ) \ #define CIPHER_VALIDATE( cond ) \
MBEDTLS_INTERNAL_VALIDATE( cond ) MBEDTLS_INTERNAL_VALIDATE( cond )
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
/* Compare the contents of two buffers in constant time.
* Returns 0 if the contents are bitwise identical, otherwise returns
* a non-zero value.
* This is currently only used by GCM and ChaCha20+Poly1305.
*/
static int mbedtls_constant_time_memcmp( const void *v1, const void *v2,
size_t len )
{
const unsigned char *p1 = (const unsigned char*) v1;
const unsigned char *p2 = (const unsigned char*) v2;
size_t i;
unsigned char diff;
for( diff = 0, i = 0; i < len; i++ )
diff |= p1[i] ^ p2[i];
return( (int)diff );
}
#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
static int supported_init = 0; static int supported_init = 0;
const int *mbedtls_cipher_list( void ) const int *mbedtls_cipher_list( void )

View File

@ -18,3 +18,77 @@
*/ */
#include "common.h" #include "common.h"
#include "constant_time.h"
/* constant-time buffer comparison */
int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t n )
{
size_t i;
volatile const unsigned char *A = (volatile const unsigned char *) a;
volatile const unsigned char *B = (volatile const unsigned char *) b;
volatile unsigned char diff = 0;
for( i = 0; i < n; i++ )
{
/* Read volatile data in order before computing diff.
* This avoids IAR compiler warning:
* 'the order of volatile accesses is undefined ..' */
unsigned char x = A[i], y = B[i];
diff |= x ^ y;
}
return( diff );
}
/* Compare the contents of two buffers in constant time.
* Returns 0 if the contents are bitwise identical, otherwise returns
* a non-zero value.
* This is currently only used by GCM and ChaCha20+Poly1305.
*/
int mbedtls_constant_time_memcmp( const void *v1, const void *v2,
size_t len )
{
const unsigned char *p1 = (const unsigned char*) v1;
const unsigned char *p2 = (const unsigned char*) v2;
size_t i;
unsigned char diff;
for( diff = 0, i = 0; i < len; i++ )
diff |= p1[i] ^ p2[i];
return( (int)diff );
}
/* constant-time buffer comparison */
unsigned char mbedtls_nist_kw_safer_memcmp( const void *a, const void *b, size_t n )
{
size_t i;
volatile const unsigned char *A = (volatile const unsigned char *) a;
volatile const unsigned char *B = (volatile const unsigned char *) b;
volatile unsigned char diff = 0;
for( i = 0; i < n; i++ )
{
/* Read volatile data in order before computing diff.
* This avoids IAR compiler warning:
* 'the order of volatile accesses is undefined ..' */
unsigned char x = A[i], y = B[i];
diff |= x ^ y;
}
return( diff );
}
/* constant-time buffer comparison */
int mbedtls_safer_memcmp( const void *a, const void *b, size_t n )
{
size_t i;
const unsigned char *A = (const unsigned char *) a;
const unsigned char *B = (const unsigned char *) b;
unsigned char diff = 0;
for( i = 0; i < n; i++ )
diff |= A[i] ^ B[i];
return( diff );
}

30
library/constant_time.h Normal file
View File

@ -0,0 +1,30 @@
/**
* Constant-time functions
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "common.h"
#include <stddef.h>
int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t n );
int mbedtls_constant_time_memcmp( const void *v1, const void *v2, size_t len );
unsigned char mbedtls_nist_kw_safer_memcmp( const void *a, const void *b, size_t n );
int mbedtls_safer_memcmp( const void *a, const void *b, size_t n );

View File

@ -34,6 +34,7 @@
#include "mbedtls/nist_kw.h" #include "mbedtls/nist_kw.h"
#include "mbedtls/platform_util.h" #include "mbedtls/platform_util.h"
#include "mbedtls/error.h" #include "mbedtls/error.h"
#include "constant_time.h"
#include <stdint.h> #include <stdint.h>
#include <string.h> #include <string.h>
@ -52,26 +53,6 @@
#define KW_SEMIBLOCK_LENGTH 8 #define KW_SEMIBLOCK_LENGTH 8
#define MIN_SEMIBLOCKS_COUNT 3 #define MIN_SEMIBLOCKS_COUNT 3
/* constant-time buffer comparison */
static inline unsigned char mbedtls_nist_kw_safer_memcmp( const void *a, const void *b, size_t n )
{
size_t i;
volatile const unsigned char *A = (volatile const unsigned char *) a;
volatile const unsigned char *B = (volatile const unsigned char *) b;
volatile unsigned char diff = 0;
for( i = 0; i < n; i++ )
{
/* Read volatile data in order before computing diff.
* This avoids IAR compiler warning:
* 'the order of volatile accesses is undefined ..' */
unsigned char x = A[i], y = B[i];
diff |= x ^ y;
}
return( diff );
}
/*! The 64-bit default integrity check value (ICV) for KW mode. */ /*! The 64-bit default integrity check value (ICV) for KW mode. */
static const unsigned char NIST_KW_ICV1[] = {0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}; static const unsigned char NIST_KW_ICV1[] = {0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6};
/*! The 32-bit default integrity check value (ICV) for KWP mode. */ /*! The 32-bit default integrity check value (ICV) for KWP mode. */

View File

@ -44,6 +44,7 @@
#include "mbedtls/oid.h" #include "mbedtls/oid.h"
#include "mbedtls/platform_util.h" #include "mbedtls/platform_util.h"
#include "mbedtls/error.h" #include "mbedtls/error.h"
#include "constant_time.h"
#include <string.h> #include <string.h>
@ -72,22 +73,6 @@
#define RSA_VALIDATE( cond ) \ #define RSA_VALIDATE( cond ) \
MBEDTLS_INTERNAL_VALIDATE( cond ) MBEDTLS_INTERNAL_VALIDATE( cond )
#if defined(MBEDTLS_PKCS1_V15)
/* constant-time buffer comparison */
static inline int mbedtls_safer_memcmp( const void *a, const void *b, size_t n )
{
size_t i;
const unsigned char *A = (const unsigned char *) a;
const unsigned char *B = (const unsigned char *) b;
unsigned char diff = 0;
for( i = 0; i < n; i++ )
diff |= A[i] ^ B[i];
return( diff );
}
#endif /* MBEDTLS_PKCS1_V15 */
int mbedtls_rsa_import( mbedtls_rsa_context *ctx, int mbedtls_rsa_import( mbedtls_rsa_context *ctx,
const mbedtls_mpi *N, const mbedtls_mpi *N,
const mbedtls_mpi *P, const mbedtls_mpi *Q, const mbedtls_mpi *P, const mbedtls_mpi *Q,

View File

@ -33,6 +33,7 @@
#include "mbedtls/ssl_internal.h" #include "mbedtls/ssl_internal.h"
#include "mbedtls/debug.h" #include "mbedtls/debug.h"
#include "mbedtls/error.h" #include "mbedtls/error.h"
#include "constant_time.h"
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "mbedtls/psa_util.h" #include "mbedtls/psa_util.h"

View File

@ -36,6 +36,7 @@
#include "mbedtls/ssl_internal.h" #include "mbedtls/ssl_internal.h"
#include "mbedtls/error.h" #include "mbedtls/error.h"
#include "mbedtls/platform_util.h" #include "mbedtls/platform_util.h"
#include "constant_time.h"
#include <string.h> #include <string.h>

View File

@ -44,6 +44,7 @@
#include "mbedtls/error.h" #include "mbedtls/error.h"
#include "mbedtls/platform_util.h" #include "mbedtls/platform_util.h"
#include "mbedtls/version.h" #include "mbedtls/version.h"
#include "constant_time.h"
#include "ssl_invasive.h" #include "ssl_invasive.h"

View File

@ -34,6 +34,7 @@
#include "mbedtls/debug.h" #include "mbedtls/debug.h"
#include "mbedtls/error.h" #include "mbedtls/error.h"
#include "mbedtls/platform_util.h" #include "mbedtls/platform_util.h"
#include "constant_time.h"
#include <string.h> #include <string.h>

View File

@ -43,6 +43,7 @@
#include "mbedtls/error.h" #include "mbedtls/error.h"
#include "mbedtls/platform_util.h" #include "mbedtls/platform_util.h"
#include "mbedtls/version.h" #include "mbedtls/version.h"
#include "constant_time.h"
#include <string.h> #include <string.h>