aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2015-10-17 23:21:14 -0400
committerJack Lloyd <[email protected]>2015-10-17 23:21:14 -0400
commitada3ce066d1edfe95ee8bffa82f0c2846908a4e1 (patch)
treed3818b138d9bcb11de1ce69660201c215140a1ab /src/lib
parentea07110c86c7ae2601e71dd3c1134873ccfd721f (diff)
Cleanups in ct and oaep
In OAEP expand the const time block to cover MGF1 also
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/pk_pad/eme_oaep/oaep.cpp20
-rw-r--r--src/lib/utils/ct_utils.h99
2 files changed, 23 insertions, 96 deletions
diff --git a/src/lib/pk_pad/eme_oaep/oaep.cpp b/src/lib/pk_pad/eme_oaep/oaep.cpp
index 48a9b5c63..b114afb8b 100644
--- a/src/lib/pk_pad/eme_oaep/oaep.cpp
+++ b/src/lib/pk_pad/eme_oaep/oaep.cpp
@@ -61,7 +61,7 @@ secure_vector<byte> OAEP::pad(const byte in[], size_t in_length,
* OAEP Unpad Operation
*/
secure_vector<byte> OAEP::unpad(const byte in[], size_t in_length,
- size_t key_length) const
+ size_t key_length) const
{
/*
Must be careful about error messages here; if an attacker can
@@ -84,17 +84,19 @@ secure_vector<byte> OAEP::unpad(const byte in[], size_t in_length,
secure_vector<byte> input(key_length);
buffer_insert(input, key_length - in_length, in, in_length);
- mgf1_mask(*m_hash,
- &input[m_Phash.size()], input.size() - m_Phash.size(),
- input.data(), m_Phash.size());
+ BOTAN_CONST_TIME_POISON(input.data(), input.size());
+
+ const size_t hlen = m_Phash.size();
mgf1_mask(*m_hash,
- input.data(), m_Phash.size(),
- &input[m_Phash.size()], input.size() - m_Phash.size());
+ &input[hlen], input.size() - hlen,
+ input.data(), hlen);
- BOTAN_CONST_TIME_POISON(input.data(), input.size());
+ mgf1_mask(*m_hash,
+ input.data(), hlen,
+ &input[hlen], input.size() - hlen);
- size_t delim_idx = 2 * m_Phash.size();
+ size_t delim_idx = 2 * hlen;
byte waiting_for_delim = 0xFF;
byte bad_input = 0;
@@ -114,7 +116,7 @@ secure_vector<byte> OAEP::unpad(const byte in[], size_t in_length,
// If we never saw any non-zero byte, then it's not valid input
bad_input |= waiting_for_delim;
- bad_input |= ct_expand_mask_8(!same_mem(&input[m_Phash.size()], m_Phash.data(), m_Phash.size()));
+ bad_input |= ct_expand_mask_8(!same_mem(&input[hlen], m_Phash.data(), hlen));
BOTAN_CONST_TIME_UNPOISON(input.data(), input.size());
BOTAN_CONST_TIME_UNPOISON(&bad_input, sizeof(bad_input));
diff --git a/src/lib/utils/ct_utils.h b/src/lib/utils/ct_utils.h
index 02148001e..4ae735330 100644
--- a/src/lib/utils/ct_utils.h
+++ b/src/lib/utils/ct_utils.h
@@ -40,25 +40,21 @@ namespace Botan {
#endif
/*
-* Constant time operations for 32 bit values:
-* mask, select, zero, equals, min, max
-*/
-
-/*
* Expand to a mask used for other operations
* @param in an integer
* @return 0 if in == 0 else 0xFFFFFFFF
*/
-
inline uint32_t ct_expand_mask_32(uint32_t x)
{
+ // First fold x down to a single bit:
uint32_t r = x;
- r |= r >> 1;
- r |= r >> 2;
- r |= r >> 4;
- r |= r >> 8;
r |= r >> 16;
+ r |= r >> 8;
+ r |= r >> 4;
+ r |= r >> 2;
+ r |= r >> 1;
r &= 1;
+ // assumes 2s complement signed representation
r = ~(r - 1);
return r;
}
@@ -68,23 +64,9 @@ inline uint32_t ct_select_mask_32(uint32_t mask, uint32_t a, uint32_t b)
return (a & mask) | (b & ~mask);
}
-inline uint32_t ct_select_cond_32(bool cond, uint32_t a, uint32_t b)
- {
- return ct_select_mask_32(ct_expand_mask_32(static_cast<uint32_t>(cond)), a, b);
- }
-
-inline uint32_t ct_get_high_bit_32(uint32_t x)
- {
- return (x >> (8 * sizeof(x) - 1));
- }
-
-/*
-* If x is zero, return 0xFFFF...
-* Otherwise returns zero
-*/
inline uint32_t ct_is_zero_32(uint32_t x)
{
- return ct_expand_mask_32(ct_get_high_bit_32(~x & (x-1)));
+ return ~ct_expand_mask_32(x);
}
inline uint32_t ct_is_equal_32(uint32_t x, uint32_t y)
@@ -92,43 +74,13 @@ inline uint32_t ct_is_equal_32(uint32_t x, uint32_t y)
return ct_is_zero_32(x ^ y);
}
-/**
-* Branch-free maximum
-* Note: assumes twos-complement signed representation
-* @param a an integer
-* @param b an integer
-* @return max(a,b)
-*/
-inline uint32_t ct_max_32(uint32_t a, uint32_t b)
- {
- const uint32_t s = b - a;
- return ct_select_cond_32(ct_get_high_bit_32(s), a, b);
- }
-
-/**
-* Branch-free minimum
-* Note: assumes twos-complement signed representation
-* @param a an integer
-* @param b an integer
-* @return min(a,b)
-*/
-inline uint32_t ct_min_32(uint32_t a, uint32_t b)
- {
- const uint32_t s = b - a;
- return ct_select_cond_32(ct_get_high_bit_32(s), b, a);
- }
-
-/*
-* Constant time operations for 16 bit values:
-* mask, select, zero, equals
-*/
inline uint16_t ct_expand_mask_16(uint16_t x)
{
uint16_t r = x;
- r |= r >> 1;
- r |= r >> 2;
- r |= r >> 4;
r |= r >> 8;
+ r |= r >> 4;
+ r |= r >> 2;
+ r |= r >> 1;
r &= 1;
r = ~(r - 1);
return r;
@@ -139,21 +91,9 @@ inline uint16_t ct_select_mask_16(uint16_t mask, uint16_t a, uint16_t b)
return (a & mask) | (b & ~mask);
}
-inline uint16_t ct_select_cond_16(bool cond, uint16_t a, uint16_t b)
- {
- return ct_select_mask_16(ct_expand_mask_16(static_cast<uint16_t>(cond)), a, b);
- }
-
-inline uint16_t ct_get_high_bit_16(uint16_t x)
- {
- return (x >> (8 * sizeof(x) - 1));
- }
-
inline uint16_t ct_is_zero_16(uint16_t x)
{
- //uint16_t z = x & (x - 1)
- //return ct_expand_mask_16((~x & (x-1))
- return ct_expand_mask_16(ct_get_high_bit_16(~x & (x-1)));
+ return ~ct_expand_mask_16(x);
}
inline uint16_t ct_is_equal_16(uint16_t x, uint16_t y)
@@ -161,11 +101,6 @@ inline uint16_t ct_is_equal_16(uint16_t x, uint16_t y)
return ct_is_zero_16(x ^ y);
}
-/*
-* Constant time operations for 8 bit values:
-* mask, select, zero, equals
-*/
-
inline uint8_t ct_expand_mask_8(uint8_t x)
{
uint8_t r = x;
@@ -182,19 +117,9 @@ inline uint8_t ct_select_mask_8(uint8_t mask, uint8_t a, uint8_t b)
return (a & mask) | (b & ~mask);
}
-inline uint8_t ct_select_cond_8(bool cond, uint8_t a, uint8_t b)
- {
- return ct_select_mask_8(ct_expand_mask_8(static_cast<uint8_t>(cond)), a, b);
- }
-
-inline uint8_t ct_get_high_bit_8(uint8_t x)
- {
- return (x >> (8 * sizeof(x) - 1));
- }
-
inline uint8_t ct_is_zero_8(uint8_t x)
{
- return ct_expand_mask_8(ct_get_high_bit_8(~x & (x-1)));
+ return ~ct_expand_mask_8(x);
}
inline uint8_t ct_is_equal_8(uint8_t x, uint8_t y)