1 /**
2 * Constant-time functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20 /*
21 * The following functions are implemented without using comparison operators, as those
22 * might be translated to branches by some compilers on some platforms.
23 */
24
25 #include "common.h"
26 #include "constant_time_internal.h"
27 #include "mbedtls/constant_time.h"
28 #include "mbedtls/error.h"
29 #include "mbedtls/platform_util.h"
30
31 #if defined(MBEDTLS_BIGNUM_C)
32 #include "mbedtls/bignum.h"
33 #endif
34
35 #if defined(MBEDTLS_SSL_TLS_C)
36 #include "mbedtls/ssl_internal.h"
37 #endif
38
39 #if defined(MBEDTLS_RSA_C)
40 #include "mbedtls/rsa.h"
41 #endif
42
43 #if defined(MBEDTLS_BASE64_C)
44 #include "constant_time_invasive.h"
45 #endif
46
47 #include <string.h>
48
mbedtls_ct_memcmp(const void * a,const void * b,size_t n)49 int mbedtls_ct_memcmp( const void *a,
50 const void *b,
51 size_t n )
52 {
53 size_t i;
54 volatile const unsigned char *A = (volatile const unsigned char *) a;
55 volatile const unsigned char *B = (volatile const unsigned char *) b;
56 volatile unsigned char diff = 0;
57
58 for( i = 0; i < n; i++ )
59 {
60 /* Read volatile data in order before computing diff.
61 * This avoids IAR compiler warning:
62 * 'the order of volatile accesses is undefined ..' */
63 unsigned char x = A[i], y = B[i];
64 diff |= x ^ y;
65 }
66
67 return( (int)diff );
68 }
69
mbedtls_ct_uint_mask(unsigned value)70 unsigned mbedtls_ct_uint_mask( unsigned value )
71 {
72 /* MSVC has a warning about unary minus on unsigned, but this is
73 * well-defined and precisely what we want to do here */
74 #if defined(_MSC_VER)
75 #pragma warning( push )
76 #pragma warning( disable : 4146 )
77 #endif
78 return( - ( ( value | - value ) >> ( sizeof( value ) * 8 - 1 ) ) );
79 #if defined(_MSC_VER)
80 #pragma warning( pop )
81 #endif
82 }
83
84 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
85
mbedtls_ct_size_mask(size_t value)86 size_t mbedtls_ct_size_mask( size_t value )
87 {
88 /* MSVC has a warning about unary minus on unsigned integer types,
89 * but this is well-defined and precisely what we want to do here. */
90 #if defined(_MSC_VER)
91 #pragma warning( push )
92 #pragma warning( disable : 4146 )
93 #endif
94 return( - ( ( value | - value ) >> ( sizeof( value ) * 8 - 1 ) ) );
95 #if defined(_MSC_VER)
96 #pragma warning( pop )
97 #endif
98 }
99
100 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
101
102 #if defined(MBEDTLS_BIGNUM_C)
103
mbedtls_ct_mpi_uint_mask(mbedtls_mpi_uint value)104 mbedtls_mpi_uint mbedtls_ct_mpi_uint_mask( mbedtls_mpi_uint value )
105 {
106 /* MSVC has a warning about unary minus on unsigned, but this is
107 * well-defined and precisely what we want to do here */
108 #if defined(_MSC_VER)
109 #pragma warning( push )
110 #pragma warning( disable : 4146 )
111 #endif
112 return( - ( ( value | - value ) >> ( sizeof( value ) * 8 - 1 ) ) );
113 #if defined(_MSC_VER)
114 #pragma warning( pop )
115 #endif
116 }
117
118 #endif /* MBEDTLS_BIGNUM_C */
119
120 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
121
122 /** Constant-flow mask generation for "less than" comparison:
123 * - if \p x < \p y, return all-bits 1, that is (size_t) -1
124 * - otherwise, return all bits 0, that is 0
125 *
126 * This function can be used to write constant-time code by replacing branches
127 * with bit operations using masks.
128 *
129 * \param x The first value to analyze.
130 * \param y The second value to analyze.
131 *
132 * \return All-bits-one if \p x is less than \p y, otherwise zero.
133 */
mbedtls_ct_size_mask_lt(size_t x,size_t y)134 static size_t mbedtls_ct_size_mask_lt( size_t x,
135 size_t y )
136 {
137 /* This has the most significant bit set if and only if x < y */
138 const size_t sub = x - y;
139
140 /* sub1 = (x < y) ? 1 : 0 */
141 const size_t sub1 = sub >> ( sizeof( sub ) * 8 - 1 );
142
143 /* mask = (x < y) ? 0xff... : 0x00... */
144 const size_t mask = mbedtls_ct_size_mask( sub1 );
145
146 return( mask );
147 }
148
mbedtls_ct_size_mask_ge(size_t x,size_t y)149 size_t mbedtls_ct_size_mask_ge( size_t x,
150 size_t y )
151 {
152 return( ~mbedtls_ct_size_mask_lt( x, y ) );
153 }
154
155 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
156
157 #if defined(MBEDTLS_BASE64_C)
158
159 /* Return 0xff if low <= c <= high, 0 otherwise.
160 *
161 * Constant flow with respect to c.
162 */
163 MBEDTLS_STATIC_TESTABLE
mbedtls_ct_uchar_mask_of_range(unsigned char low,unsigned char high,unsigned char c)164 unsigned char mbedtls_ct_uchar_mask_of_range( unsigned char low,
165 unsigned char high,
166 unsigned char c )
167 {
168 /* low_mask is: 0 if low <= c, 0x...ff if low > c */
169 unsigned low_mask = ( (unsigned) c - low ) >> 8;
170 /* high_mask is: 0 if c <= high, 0x...ff if c > high */
171 unsigned high_mask = ( (unsigned) high - c ) >> 8;
172 return( ~( low_mask | high_mask ) & 0xff );
173 }
174
175 #endif /* MBEDTLS_BASE64_C */
176
mbedtls_ct_size_bool_eq(size_t x,size_t y)177 unsigned mbedtls_ct_size_bool_eq( size_t x,
178 size_t y )
179 {
180 /* diff = 0 if x == y, non-zero otherwise */
181 const size_t diff = x ^ y;
182
183 /* MSVC has a warning about unary minus on unsigned integer types,
184 * but this is well-defined and precisely what we want to do here. */
185 #if defined(_MSC_VER)
186 #pragma warning( push )
187 #pragma warning( disable : 4146 )
188 #endif
189
190 /* diff_msb's most significant bit is equal to x != y */
191 const size_t diff_msb = ( diff | (size_t) -diff );
192
193 #if defined(_MSC_VER)
194 #pragma warning( pop )
195 #endif
196
197 /* diff1 = (x != y) ? 1 : 0 */
198 const unsigned diff1 = diff_msb >> ( sizeof( diff_msb ) * 8 - 1 );
199
200 return( 1 ^ diff1 );
201 }
202
203 #if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
204
205 /** Constant-flow "greater than" comparison:
206 * return x > y
207 *
208 * This is equivalent to \p x > \p y, but is likely to be compiled
209 * to code using bitwise operation rather than a branch.
210 *
211 * \param x The first value to analyze.
212 * \param y The second value to analyze.
213 *
214 * \return 1 if \p x greater than \p y, otherwise 0.
215 */
mbedtls_ct_size_gt(size_t x,size_t y)216 static unsigned mbedtls_ct_size_gt( size_t x,
217 size_t y )
218 {
219 /* Return the sign bit (1 for negative) of (y - x). */
220 return( ( y - x ) >> ( sizeof( size_t ) * 8 - 1 ) );
221 }
222
223 #endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */
224
225 #if defined(MBEDTLS_BIGNUM_C)
226
mbedtls_ct_mpi_uint_lt(const mbedtls_mpi_uint x,const mbedtls_mpi_uint y)227 unsigned mbedtls_ct_mpi_uint_lt( const mbedtls_mpi_uint x,
228 const mbedtls_mpi_uint y )
229 {
230 mbedtls_mpi_uint ret;
231 mbedtls_mpi_uint cond;
232
233 /*
234 * Check if the most significant bits (MSB) of the operands are different.
235 */
236 cond = ( x ^ y );
237 /*
238 * If the MSB are the same then the difference x-y will be negative (and
239 * have its MSB set to 1 during conversion to unsigned) if and only if x<y.
240 */
241 ret = ( x - y ) & ~cond;
242 /*
243 * If the MSB are different, then the operand with the MSB of 1 is the
244 * bigger. (That is if y has MSB of 1, then x<y is true and it is false if
245 * the MSB of y is 0.)
246 */
247 ret |= y & cond;
248
249
250 ret = ret >> ( sizeof( mbedtls_mpi_uint ) * 8 - 1 );
251
252 return (unsigned) ret;
253 }
254
255 #endif /* MBEDTLS_BIGNUM_C */
256
mbedtls_ct_uint_if(unsigned condition,unsigned if1,unsigned if0)257 unsigned mbedtls_ct_uint_if( unsigned condition,
258 unsigned if1,
259 unsigned if0 )
260 {
261 unsigned mask = mbedtls_ct_uint_mask( condition );
262 return( ( mask & if1 ) | (~mask & if0 ) );
263 }
264
265 #if defined(MBEDTLS_BIGNUM_C)
266
267 /** Select between two sign values without branches.
268 *
269 * This is functionally equivalent to `condition ? if1 : if0` but uses only bit
270 * operations in order to avoid branches.
271 *
272 * \note if1 and if0 must be either 1 or -1, otherwise the result
273 * is undefined.
274 *
275 * \param condition Condition to test.
276 * \param if1 The first sign; must be either +1 or -1.
277 * \param if0 The second sign; must be either +1 or -1.
278 *
279 * \return \c if1 if \p condition is nonzero, otherwise \c if0.
280 * */
mbedtls_ct_cond_select_sign(unsigned char condition,int if1,int if0)281 static int mbedtls_ct_cond_select_sign( unsigned char condition,
282 int if1,
283 int if0 )
284 {
285 /* In order to avoid questions about what we can reasonably assume about
286 * the representations of signed integers, move everything to unsigned
287 * by taking advantage of the fact that if1 and if0 are either +1 or -1. */
288 unsigned uif1 = if1 + 1;
289 unsigned uif0 = if0 + 1;
290
291 /* condition was 0 or 1, mask is 0 or 2 as are uif1 and uif0 */
292 const unsigned mask = condition << 1;
293
294 /* select uif1 or uif0 */
295 unsigned ur = ( uif0 & ~mask ) | ( uif1 & mask );
296
297 /* ur is now 0 or 2, convert back to -1 or +1 */
298 return( (int) ur - 1 );
299 }
300
mbedtls_ct_mpi_uint_cond_assign(size_t n,mbedtls_mpi_uint * dest,const mbedtls_mpi_uint * src,unsigned char condition)301 void mbedtls_ct_mpi_uint_cond_assign( size_t n,
302 mbedtls_mpi_uint *dest,
303 const mbedtls_mpi_uint *src,
304 unsigned char condition )
305 {
306 size_t i;
307
308 /* MSVC has a warning about unary minus on unsigned integer types,
309 * but this is well-defined and precisely what we want to do here. */
310 #if defined(_MSC_VER)
311 #pragma warning( push )
312 #pragma warning( disable : 4146 )
313 #endif
314
315 /* all-bits 1 if condition is 1, all-bits 0 if condition is 0 */
316 const mbedtls_mpi_uint mask = -condition;
317
318 #if defined(_MSC_VER)
319 #pragma warning( pop )
320 #endif
321
322 for( i = 0; i < n; i++ )
323 dest[i] = ( src[i] & mask ) | ( dest[i] & ~mask );
324 }
325
326 #endif /* MBEDTLS_BIGNUM_C */
327
328 #if defined(MBEDTLS_BASE64_C)
329
mbedtls_ct_base64_enc_char(unsigned char value)330 unsigned char mbedtls_ct_base64_enc_char( unsigned char value )
331 {
332 unsigned char digit = 0;
333 /* For each range of values, if value is in that range, mask digit with
334 * the corresponding value. Since value can only be in a single range,
335 * only at most one masking will change digit. */
336 digit |= mbedtls_ct_uchar_mask_of_range( 0, 25, value ) & ( 'A' + value );
337 digit |= mbedtls_ct_uchar_mask_of_range( 26, 51, value ) & ( 'a' + value - 26 );
338 digit |= mbedtls_ct_uchar_mask_of_range( 52, 61, value ) & ( '0' + value - 52 );
339 digit |= mbedtls_ct_uchar_mask_of_range( 62, 62, value ) & '+';
340 digit |= mbedtls_ct_uchar_mask_of_range( 63, 63, value ) & '/';
341 return( digit );
342 }
343
mbedtls_ct_base64_dec_value(unsigned char c)344 signed char mbedtls_ct_base64_dec_value( unsigned char c )
345 {
346 unsigned char val = 0;
347 /* For each range of digits, if c is in that range, mask val with
348 * the corresponding value. Since c can only be in a single range,
349 * only at most one masking will change val. Set val to one plus
350 * the desired value so that it stays 0 if c is in none of the ranges. */
351 val |= mbedtls_ct_uchar_mask_of_range( 'A', 'Z', c ) & ( c - 'A' + 0 + 1 );
352 val |= mbedtls_ct_uchar_mask_of_range( 'a', 'z', c ) & ( c - 'a' + 26 + 1 );
353 val |= mbedtls_ct_uchar_mask_of_range( '0', '9', c ) & ( c - '0' + 52 + 1 );
354 val |= mbedtls_ct_uchar_mask_of_range( '+', '+', c ) & ( c - '+' + 62 + 1 );
355 val |= mbedtls_ct_uchar_mask_of_range( '/', '/', c ) & ( c - '/' + 63 + 1 );
356 /* At this point, val is 0 if c is an invalid digit and v+1 if c is
357 * a digit with the value v. */
358 return( val - 1 );
359 }
360
361 #endif /* MBEDTLS_BASE64_C */
362
363 #if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
364
365 /** Shift some data towards the left inside a buffer.
366 *
367 * `mbedtls_ct_mem_move_to_left(start, total, offset)` is functionally
368 * equivalent to
369 * ```
370 * memmove(start, start + offset, total - offset);
371 * memset(start + offset, 0, total - offset);
372 * ```
373 * but it strives to use a memory access pattern (and thus total timing)
374 * that does not depend on \p offset. This timing independence comes at
375 * the expense of performance.
376 *
377 * \param start Pointer to the start of the buffer.
378 * \param total Total size of the buffer.
379 * \param offset Offset from which to copy \p total - \p offset bytes.
380 */
mbedtls_ct_mem_move_to_left(void * start,size_t total,size_t offset)381 static void mbedtls_ct_mem_move_to_left( void *start,
382 size_t total,
383 size_t offset )
384 {
385 volatile unsigned char *buf = start;
386 size_t i, n;
387 if( total == 0 )
388 return;
389 for( i = 0; i < total; i++ )
390 {
391 unsigned no_op = mbedtls_ct_size_gt( total - offset, i );
392 /* The first `total - offset` passes are a no-op. The last
393 * `offset` passes shift the data one byte to the left and
394 * zero out the last byte. */
395 for( n = 0; n < total - 1; n++ )
396 {
397 unsigned char current = buf[n];
398 unsigned char next = buf[n+1];
399 buf[n] = mbedtls_ct_uint_if( no_op, current, next );
400 }
401 buf[total-1] = mbedtls_ct_uint_if( no_op, buf[total-1], 0 );
402 }
403 }
404
405 #endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */
406
407 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
408
mbedtls_ct_memcpy_if_eq(unsigned char * dest,const unsigned char * src,size_t len,size_t c1,size_t c2)409 void mbedtls_ct_memcpy_if_eq( unsigned char *dest,
410 const unsigned char *src,
411 size_t len,
412 size_t c1,
413 size_t c2 )
414 {
415 /* mask = c1 == c2 ? 0xff : 0x00 */
416 const size_t equal = mbedtls_ct_size_bool_eq( c1, c2 );
417 const unsigned char mask = (unsigned char) mbedtls_ct_size_mask( equal );
418
419 /* dest[i] = c1 == c2 ? src[i] : dest[i] */
420 for( size_t i = 0; i < len; i++ )
421 dest[i] = ( src[i] & mask ) | ( dest[i] & ~mask );
422 }
423
mbedtls_ct_memcpy_offset(unsigned char * dest,const unsigned char * src,size_t offset,size_t offset_min,size_t offset_max,size_t len)424 void mbedtls_ct_memcpy_offset( unsigned char *dest,
425 const unsigned char *src,
426 size_t offset,
427 size_t offset_min,
428 size_t offset_max,
429 size_t len )
430 {
431 size_t offsetval;
432
433 for( offsetval = offset_min; offsetval <= offset_max; offsetval++ )
434 {
435 mbedtls_ct_memcpy_if_eq( dest, src + offsetval, len,
436 offsetval, offset );
437 }
438 }
439
mbedtls_ct_hmac(mbedtls_md_context_t * ctx,const unsigned char * add_data,size_t add_data_len,const unsigned char * data,size_t data_len_secret,size_t min_data_len,size_t max_data_len,unsigned char * output)440 int mbedtls_ct_hmac( mbedtls_md_context_t *ctx,
441 const unsigned char *add_data,
442 size_t add_data_len,
443 const unsigned char *data,
444 size_t data_len_secret,
445 size_t min_data_len,
446 size_t max_data_len,
447 unsigned char *output )
448 {
449 /*
450 * This function breaks the HMAC abstraction and uses the md_clone()
451 * extension to the MD API in order to get constant-flow behaviour.
452 *
453 * HMAC(msg) is defined as HASH(okey + HASH(ikey + msg)) where + means
454 * concatenation, and okey/ikey are the XOR of the key with some fixed bit
455 * patterns (see RFC 2104, sec. 2), which are stored in ctx->hmac_ctx.
456 *
457 * We'll first compute inner_hash = HASH(ikey + msg) by hashing up to
458 * minlen, then cloning the context, and for each byte up to maxlen
459 * finishing up the hash computation, keeping only the correct result.
460 *
461 * Then we only need to compute HASH(okey + inner_hash) and we're done.
462 */
463 const mbedtls_md_type_t md_alg = mbedtls_md_get_type( ctx->md_info );
464 /* TLS 1.0-1.2 only support SHA-384, SHA-256, SHA-1, MD-5,
465 * all of which have the same block size except SHA-384. */
466 const size_t block_size = md_alg == MBEDTLS_MD_SHA384 ? 128 : 64;
467 const unsigned char * const ikey = ctx->hmac_ctx;
468 const unsigned char * const okey = ikey + block_size;
469 const size_t hash_size = mbedtls_md_get_size( ctx->md_info );
470
471 unsigned char aux_out[MBEDTLS_MD_MAX_SIZE];
472 mbedtls_md_context_t aux;
473 size_t offset;
474 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
475
476 mbedtls_md_init( &aux );
477
478 #define MD_CHK( func_call ) \
479 do { \
480 ret = (func_call); \
481 if( ret != 0 ) \
482 goto cleanup; \
483 } while( 0 )
484
485 MD_CHK( mbedtls_md_setup( &aux, ctx->md_info, 0 ) );
486
487 /* After hmac_start() of hmac_reset(), ikey has already been hashed,
488 * so we can start directly with the message */
489 MD_CHK( mbedtls_md_update( ctx, add_data, add_data_len ) );
490 MD_CHK( mbedtls_md_update( ctx, data, min_data_len ) );
491
492 /* Fill the hash buffer in advance with something that is
493 * not a valid hash (barring an attack on the hash and
494 * deliberately-crafted input), in case the caller doesn't
495 * check the return status properly. */
496 memset( output, '!', hash_size );
497
498 /* For each possible length, compute the hash up to that point */
499 for( offset = min_data_len; offset <= max_data_len; offset++ )
500 {
501 MD_CHK( mbedtls_md_clone( &aux, ctx ) );
502 MD_CHK( mbedtls_md_finish( &aux, aux_out ) );
503 /* Keep only the correct inner_hash in the output buffer */
504 mbedtls_ct_memcpy_if_eq( output, aux_out, hash_size,
505 offset, data_len_secret );
506
507 if( offset < max_data_len )
508 MD_CHK( mbedtls_md_update( ctx, data + offset, 1 ) );
509 }
510
511 /* The context needs to finish() before it starts() again */
512 MD_CHK( mbedtls_md_finish( ctx, aux_out ) );
513
514 /* Now compute HASH(okey + inner_hash) */
515 MD_CHK( mbedtls_md_starts( ctx ) );
516 MD_CHK( mbedtls_md_update( ctx, okey, block_size ) );
517 MD_CHK( mbedtls_md_update( ctx, output, hash_size ) );
518 MD_CHK( mbedtls_md_finish( ctx, output ) );
519
520 /* Done, get ready for next time */
521 MD_CHK( mbedtls_md_hmac_reset( ctx ) );
522
523 #undef MD_CHK
524
525 cleanup:
526 mbedtls_md_free( &aux );
527 return( ret );
528 }
529
530 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
531
532 #if defined(MBEDTLS_BIGNUM_C)
533
534 #define MPI_VALIDATE_RET( cond ) \
535 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_MPI_BAD_INPUT_DATA )
536
537 /*
538 * Conditionally assign X = Y, without leaking information
539 * about whether the assignment was made or not.
540 * (Leaking information about the respective sizes of X and Y is ok however.)
541 */
542 #if defined(_MSC_VER) && defined(_M_ARM64) && (_MSC_FULL_VER < 193131103)
543 /*
544 * MSVC miscompiles this function if it's inlined prior to Visual Studio 2022 version 17.1. See:
545 * https://developercommunity.visualstudio.com/t/c-compiler-miscompiles-part-of-mbedtls-library-on/1646989
546 */
547 __declspec(noinline)
548 #endif
mbedtls_mpi_safe_cond_assign(mbedtls_mpi * X,const mbedtls_mpi * Y,unsigned char assign)549 int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X,
550 const mbedtls_mpi *Y,
551 unsigned char assign )
552 {
553 int ret = 0;
554 size_t i;
555 mbedtls_mpi_uint limb_mask;
556 MPI_VALIDATE_RET( X != NULL );
557 MPI_VALIDATE_RET( Y != NULL );
558
559 /* all-bits 1 if assign is 1, all-bits 0 if assign is 0 */
560 limb_mask = mbedtls_ct_mpi_uint_mask( assign );;
561
562 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
563
564 X->s = mbedtls_ct_cond_select_sign( assign, Y->s, X->s );
565
566 mbedtls_ct_mpi_uint_cond_assign( Y->n, X->p, Y->p, assign );
567
568 for( i = Y->n; i < X->n; i++ )
569 X->p[i] &= ~limb_mask;
570
571 cleanup:
572 return( ret );
573 }
574
575 /*
576 * Conditionally swap X and Y, without leaking information
577 * about whether the swap was made or not.
578 * Here it is not ok to simply swap the pointers, which would lead to
579 * different memory access patterns when X and Y are used afterwards.
580 */
mbedtls_mpi_safe_cond_swap(mbedtls_mpi * X,mbedtls_mpi * Y,unsigned char swap)581 int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X,
582 mbedtls_mpi *Y,
583 unsigned char swap )
584 {
585 int ret, s;
586 size_t i;
587 mbedtls_mpi_uint limb_mask;
588 mbedtls_mpi_uint tmp;
589 MPI_VALIDATE_RET( X != NULL );
590 MPI_VALIDATE_RET( Y != NULL );
591
592 if( X == Y )
593 return( 0 );
594
595 /* all-bits 1 if swap is 1, all-bits 0 if swap is 0 */
596 limb_mask = mbedtls_ct_mpi_uint_mask( swap );
597
598 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
599 MBEDTLS_MPI_CHK( mbedtls_mpi_grow( Y, X->n ) );
600
601 s = X->s;
602 X->s = mbedtls_ct_cond_select_sign( swap, Y->s, X->s );
603 Y->s = mbedtls_ct_cond_select_sign( swap, s, Y->s );
604
605
606 for( i = 0; i < X->n; i++ )
607 {
608 tmp = X->p[i];
609 X->p[i] = ( X->p[i] & ~limb_mask ) | ( Y->p[i] & limb_mask );
610 Y->p[i] = ( Y->p[i] & ~limb_mask ) | ( tmp & limb_mask );
611 }
612
613 cleanup:
614 return( ret );
615 }
616
617 /*
618 * Compare signed values in constant time
619 */
mbedtls_mpi_lt_mpi_ct(const mbedtls_mpi * X,const mbedtls_mpi * Y,unsigned * ret)620 int mbedtls_mpi_lt_mpi_ct( const mbedtls_mpi *X,
621 const mbedtls_mpi *Y,
622 unsigned *ret )
623 {
624 size_t i;
625 /* The value of any of these variables is either 0 or 1 at all times. */
626 unsigned cond, done, X_is_negative, Y_is_negative;
627
628 MPI_VALIDATE_RET( X != NULL );
629 MPI_VALIDATE_RET( Y != NULL );
630 MPI_VALIDATE_RET( ret != NULL );
631
632 if( X->n != Y->n )
633 return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
634
635 /*
636 * Set sign_N to 1 if N >= 0, 0 if N < 0.
637 * We know that N->s == 1 if N >= 0 and N->s == -1 if N < 0.
638 */
639 X_is_negative = ( X->s & 2 ) >> 1;
640 Y_is_negative = ( Y->s & 2 ) >> 1;
641
642 /*
643 * If the signs are different, then the positive operand is the bigger.
644 * That is if X is negative (X_is_negative == 1), then X < Y is true and it
645 * is false if X is positive (X_is_negative == 0).
646 */
647 cond = ( X_is_negative ^ Y_is_negative );
648 *ret = cond & X_is_negative;
649
650 /*
651 * This is a constant-time function. We might have the result, but we still
652 * need to go through the loop. Record if we have the result already.
653 */
654 done = cond;
655
656 for( i = X->n; i > 0; i-- )
657 {
658 /*
659 * If Y->p[i - 1] < X->p[i - 1] then X < Y is true if and only if both
660 * X and Y are negative.
661 *
662 * Again even if we can make a decision, we just mark the result and
663 * the fact that we are done and continue looping.
664 */
665 cond = mbedtls_ct_mpi_uint_lt( Y->p[i - 1], X->p[i - 1] );
666 *ret |= cond & ( 1 - done ) & X_is_negative;
667 done |= cond;
668
669 /*
670 * If X->p[i - 1] < Y->p[i - 1] then X < Y is true if and only if both
671 * X and Y are positive.
672 *
673 * Again even if we can make a decision, we just mark the result and
674 * the fact that we are done and continue looping.
675 */
676 cond = mbedtls_ct_mpi_uint_lt( X->p[i - 1], Y->p[i - 1] );
677 *ret |= cond & ( 1 - done ) & ( 1 - X_is_negative );
678 done |= cond;
679 }
680
681 return( 0 );
682 }
683
684 #endif /* MBEDTLS_BIGNUM_C */
685
686 #if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
687
mbedtls_ct_rsaes_pkcs1_v15_unpadding(int mode,unsigned char * input,size_t ilen,unsigned char * output,size_t output_max_len,size_t * olen)688 int mbedtls_ct_rsaes_pkcs1_v15_unpadding( int mode,
689 unsigned char *input,
690 size_t ilen,
691 unsigned char *output,
692 size_t output_max_len,
693 size_t *olen )
694 {
695 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
696 size_t i, plaintext_max_size;
697
698 /* The following variables take sensitive values: their value must
699 * not leak into the observable behavior of the function other than
700 * the designated outputs (output, olen, return value). Otherwise
701 * this would open the execution of the function to
702 * side-channel-based variants of the Bleichenbacher padding oracle
703 * attack. Potential side channels include overall timing, memory
704 * access patterns (especially visible to an adversary who has access
705 * to a shared memory cache), and branches (especially visible to
706 * an adversary who has access to a shared code cache or to a shared
707 * branch predictor). */
708 size_t pad_count = 0;
709 unsigned bad = 0;
710 unsigned char pad_done = 0;
711 size_t plaintext_size = 0;
712 unsigned output_too_large;
713
714 plaintext_max_size = ( output_max_len > ilen - 11 ) ? ilen - 11
715 : output_max_len;
716
717 /* Check and get padding length in constant time and constant
718 * memory trace. The first byte must be 0. */
719 bad |= input[0];
720
721 if( mode == MBEDTLS_RSA_PRIVATE )
722 {
723 /* Decode EME-PKCS1-v1_5 padding: 0x00 || 0x02 || PS || 0x00
724 * where PS must be at least 8 nonzero bytes. */
725 bad |= input[1] ^ MBEDTLS_RSA_CRYPT;
726
727 /* Read the whole buffer. Set pad_done to nonzero if we find
728 * the 0x00 byte and remember the padding length in pad_count. */
729 for( i = 2; i < ilen; i++ )
730 {
731 pad_done |= ((input[i] | (unsigned char)-input[i]) >> 7) ^ 1;
732 pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
733 }
734 }
735 else
736 {
737 /* Decode EMSA-PKCS1-v1_5 padding: 0x00 || 0x01 || PS || 0x00
738 * where PS must be at least 8 bytes with the value 0xFF. */
739 bad |= input[1] ^ MBEDTLS_RSA_SIGN;
740
741 /* Read the whole buffer. Set pad_done to nonzero if we find
742 * the 0x00 byte and remember the padding length in pad_count.
743 * If there's a non-0xff byte in the padding, the padding is bad. */
744 for( i = 2; i < ilen; i++ )
745 {
746 pad_done |= mbedtls_ct_uint_if( input[i], 0, 1 );
747 pad_count += mbedtls_ct_uint_if( pad_done, 0, 1 );
748 bad |= mbedtls_ct_uint_if( pad_done, 0, input[i] ^ 0xFF );
749 }
750 }
751
752 /* If pad_done is still zero, there's no data, only unfinished padding. */
753 bad |= mbedtls_ct_uint_if( pad_done, 0, 1 );
754
755 /* There must be at least 8 bytes of padding. */
756 bad |= mbedtls_ct_size_gt( 8, pad_count );
757
758 /* If the padding is valid, set plaintext_size to the number of
759 * remaining bytes after stripping the padding. If the padding
760 * is invalid, avoid leaking this fact through the size of the
761 * output: use the maximum message size that fits in the output
762 * buffer. Do it without branches to avoid leaking the padding
763 * validity through timing. RSA keys are small enough that all the
764 * size_t values involved fit in unsigned int. */
765 plaintext_size = mbedtls_ct_uint_if(
766 bad, (unsigned) plaintext_max_size,
767 (unsigned) ( ilen - pad_count - 3 ) );
768
769 /* Set output_too_large to 0 if the plaintext fits in the output
770 * buffer and to 1 otherwise. */
771 output_too_large = mbedtls_ct_size_gt( plaintext_size,
772 plaintext_max_size );
773
774 /* Set ret without branches to avoid timing attacks. Return:
775 * - INVALID_PADDING if the padding is bad (bad != 0).
776 * - OUTPUT_TOO_LARGE if the padding is good but the decrypted
777 * plaintext does not fit in the output buffer.
778 * - 0 if the padding is correct. */
779 ret = - (int) mbedtls_ct_uint_if(
780 bad, - MBEDTLS_ERR_RSA_INVALID_PADDING,
781 mbedtls_ct_uint_if( output_too_large,
782 - MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE,
783 0 ) );
784
785 /* If the padding is bad or the plaintext is too large, zero the
786 * data that we're about to copy to the output buffer.
787 * We need to copy the same amount of data
788 * from the same buffer whether the padding is good or not to
789 * avoid leaking the padding validity through overall timing or
790 * through memory or cache access patterns. */
791 bad = mbedtls_ct_uint_mask( bad | output_too_large );
792 for( i = 11; i < ilen; i++ )
793 input[i] &= ~bad;
794
795 /* If the plaintext is too large, truncate it to the buffer size.
796 * Copy anyway to avoid revealing the length through timing, because
797 * revealing the length is as bad as revealing the padding validity
798 * for a Bleichenbacher attack. */
799 plaintext_size = mbedtls_ct_uint_if( output_too_large,
800 (unsigned) plaintext_max_size,
801 (unsigned) plaintext_size );
802
803 /* Move the plaintext to the leftmost position where it can start in
804 * the working buffer, i.e. make it start plaintext_max_size from
805 * the end of the buffer. Do this with a memory access trace that
806 * does not depend on the plaintext size. After this move, the
807 * starting location of the plaintext is no longer sensitive
808 * information. */
809 mbedtls_ct_mem_move_to_left( input + ilen - plaintext_max_size,
810 plaintext_max_size,
811 plaintext_max_size - plaintext_size );
812
813 /* Finally copy the decrypted plaintext plus trailing zeros into the output
814 * buffer. If output_max_len is 0, then output may be an invalid pointer
815 * and the result of memcpy() would be undefined; prevent undefined
816 * behavior making sure to depend only on output_max_len (the size of the
817 * user-provided output buffer), which is independent from plaintext
818 * length, validity of padding, success of the decryption, and other
819 * secrets. */
820 if( output_max_len != 0 )
821 memcpy( output, input + ilen - plaintext_max_size, plaintext_max_size );
822
823 /* Report the amount of data we copied to the output buffer. In case
824 * of errors (bad padding or output too large), the value of *olen
825 * when this function returns is not specified. Making it equivalent
826 * to the good case limits the risks of leaking the padding validity. */
827 *olen = plaintext_size;
828
829 return( ret );
830 }
831
832 #endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */
833