diff options
Diffstat (limited to 'src/modules/rlm_eap/types/rlm_eap_pwd/const_time.h')
| -rw-r--r-- | src/modules/rlm_eap/types/rlm_eap_pwd/const_time.h | 190 |
1 files changed, 190 insertions, 0 deletions
diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/const_time.h b/src/modules/rlm_eap/types/rlm_eap_pwd/const_time.h new file mode 100644 index 0000000..b717dd5 --- /dev/null +++ b/src/modules/rlm_eap/types/rlm_eap_pwd/const_time.h @@ -0,0 +1,190 @@ +/* + * Helper functions for constant time operations + * Copyright (c) 2019, The Linux Foundation + * + * This software may be distributed under the terms of the BSD license. + * See README for more details. + * + * These helper functions can be used to implement logic that needs to minimize + * externally visible differences in execution path by avoiding use of branches, + * avoiding early termination or other time differences, and forcing same memory + * access pattern regardless of values. + */ + +#ifndef CONST_TIME_H +#define CONST_TIME_H + + +#if defined(__clang__) +#define NO_UBSAN_UINT_OVERFLOW \ + __attribute__((no_sanitize("unsigned-integer-overflow"))) +#else +#define NO_UBSAN_UINT_OVERFLOW +#endif + +/** + * const_time_fill_msb - Fill all bits with MSB value + * @param val Input value + * @return Value with all the bits set to the MSB of the input val + */ +static inline unsigned int const_time_fill_msb(unsigned int val) +{ + /* Move the MSB to LSB and multiple by -1 to fill in all bits. */ + return (val >> (sizeof(val) * 8 - 1)) * ~0U; +} + + +/* @return -1 if val is zero; 0 if val is not zero */ +static inline unsigned int const_time_is_zero(unsigned int val) + NO_UBSAN_UINT_OVERFLOW +{ + /* Set MSB to 1 for 0 and fill rest of bits with the MSB value */ + return const_time_fill_msb(~val & (val - 1)); +} + + +/* @return -1 if a == b; 0 if a != b */ +static inline unsigned int const_time_eq(unsigned int a, unsigned int b) +{ + return const_time_is_zero(a ^ b); +} + + +/* @return -1 if a == b; 0 if a != b */ +static inline unsigned char const_time_eq_u8(unsigned int a, unsigned int b) +{ + return (unsigned char) const_time_eq(a, b); +} + + +/** + * const_time_eq_bin - Constant time memory comparison + * @param a First buffer to compare + * @param b Second buffer to compare + * @param len Number of octets to compare + * @return -1 if buffers are equal, 0 if not + * + * This function is meant for comparing passwords or hash values where + * difference in execution time or memory access pattern could provide external + * observer information about the location of the difference in the memory + * buffers. The return value does not behave like memcmp(), i.e., + * const_time_eq_bin() cannot be used to sort items into a defined order. Unlike + * memcmp(), the execution time of const_time_eq_bin() does not depend on the + * contents of the compared memory buffers, but only on the total compared + * length. + */ +static inline unsigned int const_time_eq_bin(const void *a, const void *b, + size_t len) +{ + const unsigned char *aa = a; + const unsigned char *bb = b; + size_t i; + unsigned char res = 0; + + for (i = 0; i < len; i++) + res |= aa[i] ^ bb[i]; + + return const_time_is_zero(res); +} + + +/** + * const_time_select - Constant time unsigned int selection + * @param mask 0 (false) or -1 (true) to identify which value to select + * @param true_val Value to select for the true case + * @param false_val Value to select for the false case + * @return true_val if mask == -1, false_val if mask == 0 + */ +static inline unsigned int const_time_select(unsigned int mask, + unsigned int true_val, + unsigned int false_val) +{ + return (mask & true_val) | (~mask & false_val); +} + + +/** + * const_time_select_int - Constant time int selection + * @param mask 0 (false) or -1 (true) to identify which value to select + * @param true_val Value to select for the true case + * @param false_val Value to select for the false case + * @return true_val if mask == -1, false_val if mask == 0 + */ +static inline int const_time_select_int(unsigned int mask, int true_val, + int false_val) +{ + return (int) const_time_select(mask, (unsigned int) true_val, + (unsigned int) false_val); +} + + +/** + * const_time_select_u8 - Constant time u8 selection + * @param mask 0 (false) or -1 (true) to identify which value to select + * @param true_val Value to select for the true case + * @param false_val Value to select for the false case + * @return true_val if mask == -1, false_val if mask == 0 + */ +static inline unsigned char const_time_select_u8(unsigned char mask, unsigned char true_val, unsigned char false_val) +{ + return (unsigned char) const_time_select(mask, true_val, false_val); +} + + +/** + * const_time_select_s8 - Constant time s8 selection + * @param mask 0 (false) or -1 (true) to identify which value to select + * @param true_val Value to select for the true case + * @param false_val Value to select for the false case + * @return true_val if mask == -1, false_val if mask == 0 + */ +static inline char const_time_select_s8(char mask, char true_val, char false_val) +{ + return (char) const_time_select(mask, (unsigned int) true_val, + (unsigned int) false_val); +} + + +/** + * const_time_select_bin - Constant time binary buffer selection copy + * @param mask 0 (false) or -1 (true) to identify which value to copy + * @param true_val Buffer to copy for the true case + * @param false_val Buffer to copy for the false case + * @param len Number of octets to copy + * @param dst Destination buffer for the copy + * + * This function copies the specified buffer into the destination buffer using + * operations with identical memory access pattern regardless of which buffer + * is being copied. + */ +static inline void const_time_select_bin(unsigned char mask, const unsigned char *true_val, + const unsigned char *false_val, size_t len, + unsigned char *dst) +{ + size_t i; + + for (i = 0; i < len; i++) + dst[i] = const_time_select_u8(mask, true_val[i], false_val[i]); +} + + +static inline int const_time_memcmp(const void *a, const void *b, size_t len) +{ + const unsigned char *aa = a; + const unsigned char *bb = b; + int diff, res = 0; + unsigned int mask; + + if (len == 0) + return 0; + do { + len--; + diff = (int) aa[len] - (int) bb[len]; + mask = const_time_is_zero((unsigned int) diff); + res = const_time_select_int(mask, res, diff); + } while (len); + + return res; +} + +#endif /* CONST_TIME_H */ |