author | lloyd <[email protected]> | 2014-11-15 23:50:21 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2014-11-15 23:50:21 +0000 |
commit | 2ca5de26e945bf2c7817e28bee01bb5ab2b8556b (patch) | |
tree | 0ab6d70a13343302ed4413dbe4296170813f1744 | |
parent | 060df7809a64d1b589554169443c48bc428ca726 (diff) |
Add some util functions for timing attack countermeasures from Falko
-rw-r--r-- | doc/license.rst | 2 | ||||
-rw-r--r-- | src/lib/utils/info.txt | 1 | ||||
-rw-r--r-- | src/lib/utils/ta_utils.cpp | 54 | ||||
-rw-r--r-- | src/lib/utils/ta_utils.h | 48 |
4 files changed, 104 insertions, 1 deletions
diff --git a/doc/license.rst b/doc/license.rst
index 0084051c5..98bee5575 100644
--- a/doc/license.rst
+++ b/doc/license.rst
@@ -17,7 +17,7 @@ Botan (http://botan.randombit.net/) is distributed under these terms::
 2007 Yves Jerschow
 2007-2008 FlexSecure GmbH
 2007-2008 Technische Universitat Darmstadt
- 2007-2008 Falko Strenzke
+ 2007-2008,2010 Falko Strenzke
 2007-2008 Martin Doering
 2007 Manuel Hartl
 2007 Christoph Ludwig
diff --git a/src/lib/utils/info.txt b/src/lib/utils/info.txt
index 0e8edeb00..17ae249c2 100644
--- a/src/lib/utils/info.txt
+++ b/src/lib/utils/info.txt
@@ -8,6 +8,7 @@ prefetch.h
 rounding.h
 semaphore.h
 stl_util.h
+ta_utils.h
 xor_buf.h
 </header:internal>
diff --git a/src/lib/utils/ta_utils.cpp b/src/lib/utils/ta_utils.cpp
new file mode 100644
index 000000000..86cf25969
--- /dev/null
+++ b/src/lib/utils/ta_utils.cpp
@@ -0,0 +1,54 @@
+/*
+* Timing Attack Countermeasure Functions
+* (C) 2010 Falko Strenzke, Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#include <botan/internal/ta_utils.h>
+
+namespace Botan {
+
+namespace TA_CM {
+
+/*
+* We use volatile in these functions in an attempt to ensure that the
+* compiler doesn't optimize in a way that would create branching
+* operations.
+*
+* Note: this needs further testing; on at least x86-64 with GCC,
+* volatile is not required to get branch-free operations, it just
+* makes the functions much longer/slower. It may not be required
+* anywhere.
+*/
+
+u32bit gen_mask_u32bit(u32bit in)
+ {
+ volatile u32bit result = in;
+ result |= result >> 1;
+ result |= result >> 2;
+ result |= result >> 4;
+ result |= result >> 8;
+ result |= result >> 16;
+ result &= 1;
+ result = ~(result - 1);
+ return result;
+ }
+
+u32bit max_32(u32bit a, u32bit b)
+ {
+ const u32bit a_larger = b - a; /* negative if a larger */
+ const u32bit mask = gen_mask_u32bit(a_larger >> 31);
+ return (a & mask) | (b & ~mask);
+ }
+
+u32bit min_32(u32bit a, u32bit b)
+ {
+ const u32bit a_larger = b - a; /* negative if a larger */
+ const u32bit mask = gen_mask_u32bit(a_larger >> 31);
+ return (a & ~mask) | (b & mask);
+ }
+
+}
+
+}
diff --git a/src/lib/utils/ta_utils.h b/src/lib/utils/ta_utils.h
new file mode 100644
index 000000000..36ee551cc
--- /dev/null
+++ b/src/lib/utils/ta_utils.h
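Review bot: max_32 and min_32 in this hunk derive the comparison from the top bit of `b - a`, which is only a valid ordering when the difference fits in a signed 32-bit range: under the unsigned reading the u32bit parameter type suggests, max_32(0, 0x80000000) returns 0, and under the signed reading the header comment describes, max_32(0x80000000, 0x7FFFFFFF) returns 0x80000000 because the subtraction wraps. If unsigned semantics are intended, the borrow of the subtraction gives a branch-free less-than that holds over the whole range: in max_32 use `const u32bit a_lt_b = ((~a & b) | (~(a ^ b) & (a - b))) >> 31;`, then `const u32bit mask = gen_mask_u32bit(a_lt_b);` and `return (a & ~mask) | (b & mask);`, and in min_32 the same two lines with the final select reversed; if signed semantics are intended, flip the sign bit of both operands before that comparison. Either way the Doxygen for both functions in the ta_utils.h hunk should state the accepted input range rather than "an integer", since callers passing lengths or indices will assume unsigned ordering. A test over 0, 1, 0x7FFFFFFF, 0x80000000 and 0xFFFFFFFF in both argument orders would pin the behaviour; the hunk's own comment already notes that the branch-free property of the mask select is compiler-dependent and untested.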
@@ -0,0 +1,48 @@
+/*
+* Timing Attack Countermeasure Functions
+* (C) 2010 Falko Strenzke, Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#ifndef BOTAN_TIMING_ATTACK_CM_H__
+#define BOTAN_TIMING_ATTACK_CM_H__
+
+#include <botan/types.h>
+
+namespace Botan {
+
+namespace TA_CM {
+
+/**
+* Function used in timing attack countermeasures
+* See Wagner, Molnar, et al "The Program Counter Security Model"
+*
+* @param in an integer
+* @return 0 if in == 0 else 0xFFFFFFFF
+*/
+u32bit gen_mask_u32bit(u32bit in);
+
+/**
+* Branch-free maximum
+* Note: assumes twos-complement signed representation
+* @param a an integer
+* @param b an integer
+* @return max(a,b)
+*/
+u32bit max_32(u32bit a, u32bit b);
+
+/**
+* Branch-free minimum
+* Note: assumes twos-complement signed representation
+* @param a an integer
+* @param b an integer
+* @return min(a,b)
+*/
+u32bit min_32(u32bit a, u32bit b);
+
+}
+
+}
+
+#endif |