From e24dea8225465635fed7dc3d7c7f0a112351c8bd Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Tue, 19 Oct 2021 12:22:25 +0200 Subject: [PATCH] Move mbedtls_cf_memcmp to a new public header Signed-off-by: Gabor Mezei --- include/mbedtls/constant_time.h | 47 +++++++++++++++++++++++++++++++++ library/cipher.c | 2 +- library/constant_time.c | 1 + library/constant_time.h | 19 ------------- library/nist_kw.c | 2 +- library/rsa.c | 1 + library/ssl_cli.c | 2 +- library/ssl_cookie.c | 2 +- library/ssl_msg.c | 1 + library/ssl_srv.c | 1 + library/ssl_tls.c | 2 +- 11 files changed, 56 insertions(+), 24 deletions(-) create mode 100644 include/mbedtls/constant_time.h diff --git a/include/mbedtls/constant_time.h b/include/mbedtls/constant_time.h new file mode 100644 index 000000000..69df954d4 --- /dev/null +++ b/include/mbedtls/constant_time.h @@ -0,0 +1,47 @@ +/** + * Constant-time functions + * + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef MBEDTLS_CONSTANT_TIME_H +#define MBEDTLS_CONSTANT_TIME_H + +#include "common.h" + +#include + + +/** Constant-time buffer comparison without branches. + * + * This is equivalent to the standard memncmp function, but is likely to be + * compiled to code using bitwise operation rather than a branch. + * + * This function can be used to write constant-time code by replacing branches + * with bit operations using masks. + * + * \param a Pointer to the first buffer. + * \param b Pointer to the second buffer. + * \param n The number of bytes to compare in the buffer. + * + * \return Zero if the content of the two buffer is the same, + * otherwise non-zero. + */ +int mbedtls_cf_memcmp( const void *a, + const void *b, + size_t n ); + +#endif /* MBEDTLS_CONSTANT_TIME_H */ diff --git a/library/cipher.c b/library/cipher.c index f38eb0403..a0354d68e 100644 --- a/library/cipher.c +++ b/library/cipher.c @@ -29,7 +29,7 @@ #include "mbedtls/cipher_internal.h" #include "mbedtls/platform_util.h" #include "mbedtls/error.h" -#include "constant_time.h" +#include "mbedtls/constant_time.h" #include #include diff --git a/library/constant_time.c b/library/constant_time.c index 952528d98..977971278 100644 --- a/library/constant_time.c +++ b/library/constant_time.c @@ -24,6 +24,7 @@ #include "common.h" #include "constant_time.h" +#include "mbedtls/constant_time.h" #include "mbedtls/error.h" #include "mbedtls/platform_util.h" diff --git a/library/constant_time.h b/library/constant_time.h index 26e0dd097..d78dd70f5 100644 --- a/library/constant_time.h +++ b/library/constant_time.h @@ -33,25 +33,6 @@ #include -/** Constant-time buffer comparison without branches. - * - * This is equivalent to the standard memncmp function, but is likely to be - * compiled to code using bitwise operation rather than a branch. - * - * This function can be used to write constant-time code by replacing branches - * with bit operations using masks. - * - * \param a Pointer to the first buffer. - * \param b Pointer to the second buffer. - * \param n The number of bytes to compare in the buffer. - * - * \return Zero if the content of the two buffer is the same, - * otherwise non-zero. - */ -int mbedtls_cf_memcmp( const void *a, - const void *b, - size_t n ); - /** Turn a value into a mask: * - if \p value == 0, return the all-bits 0 mask, aka 0 * - otherwise, return the all-bits 1 mask, aka (unsigned) -1 diff --git a/library/nist_kw.c b/library/nist_kw.c index 98c237be4..e5d7fcd87 100644 --- a/library/nist_kw.c +++ b/library/nist_kw.c @@ -34,7 +34,7 @@ #include "mbedtls/nist_kw.h" #include "mbedtls/platform_util.h" #include "mbedtls/error.h" -#include "constant_time.h" +#include "mbedtls/constant_time.h" #include #include diff --git a/library/rsa.c b/library/rsa.c index ea888713b..351f4af52 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -45,6 +45,7 @@ #include "mbedtls/platform_util.h" #include "mbedtls/error.h" #include "constant_time.h" +#include "mbedtls/constant_time.h" #include diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 0bc39fa74..def6c7b45 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -33,7 +33,7 @@ #include "mbedtls/ssl_internal.h" #include "mbedtls/debug.h" #include "mbedtls/error.h" -#include "constant_time.h" +#include "mbedtls/constant_time.h" #if defined(MBEDTLS_USE_PSA_CRYPTO) #include "mbedtls/psa_util.h" diff --git a/library/ssl_cookie.c b/library/ssl_cookie.c index d19a13a35..cdc236414 100644 --- a/library/ssl_cookie.c +++ b/library/ssl_cookie.c @@ -36,7 +36,7 @@ #include "mbedtls/ssl_internal.h" #include "mbedtls/error.h" #include "mbedtls/platform_util.h" -#include "constant_time.h" +#include "mbedtls/constant_time.h" #include diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 57a56f4cd..83c4a4bd5 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -45,6 +45,7 @@ #include "mbedtls/platform_util.h" #include "mbedtls/version.h" #include "constant_time.h" +#include "mbedtls/constant_time.h" #include diff --git a/library/ssl_srv.c b/library/ssl_srv.c index c50ce9238..d9d49a22d 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -35,6 +35,7 @@ #include "mbedtls/error.h" #include "mbedtls/platform_util.h" #include "constant_time.h" +#include "mbedtls/constant_time.h" #include diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 3fafb7d84..f6c593de8 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -43,7 +43,7 @@ #include "mbedtls/error.h" #include "mbedtls/platform_util.h" #include "mbedtls/version.h" -#include "constant_time.h" +#include "mbedtls/constant_time.h" #include