From a0b8f38ab54ac451646aa00cd5e91b6c76f22a84 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Thu, 30 May 2024 05:57:19 +0200 Subject: Merging upstream version 1.72.1+dfsg1. Signed-off-by: Daniel Baumann --- vendor/subtle/.cargo-checksum.json | 2 +- vendor/subtle/CHANGELOG.md | 15 ++++ vendor/subtle/Cargo.toml | 16 +++-- vendor/subtle/README.md | 23 +++++-- vendor/subtle/src/lib.rs | 136 +++++++++++++++++++++++++++++++++---- vendor/subtle/tests/mod.rs | 40 ++++++++++- 6 files changed, 205 insertions(+), 27 deletions(-) (limited to 'vendor/subtle') diff --git a/vendor/subtle/.cargo-checksum.json b/vendor/subtle/.cargo-checksum.json index 57f71292d..62db1587b 100644 --- a/vendor/subtle/.cargo-checksum.json +++ b/vendor/subtle/.cargo-checksum.json @@ -1 +1 @@ -{"files":{"CHANGELOG.md":"1d604ca36159c79a4341f0c15fc249da7bf2912cd5b1bbf4964ce03dd887fc02","CONTRIBUTING.md":"2fbb44138ececdef7c0950fae6ed1dcad481fb2f368df0e3734c9902be791f3e","Cargo.toml":"2206ebe5be7cca3ad0a5dcbb0b12f85ac091b4b6a58861cddc8ecd5d137d4c7c","LICENSE":"36c48715a280d334a995f26fc38103f21cb92425a20c8eeaa368b229b49b6d4d","README.md":"ee1a1768f9b119a36db27a170f7f6bb8bdb79f868db28b37a11d1a57a208e9f5","src/lib.rs":"d873dd52215caf21a385391ed88f75e09f8f32203e93e3530c2a22d19e5a6452","tests/mod.rs":"127c8ab8ddbfa554f11876d76926f710382e293629875673e3bc99d738a13733"},"package":"6bdef32e8150c2a081110b42772ffe7d7c9032b606bc226c8260fd97e0976601"} \ No newline at end of file +{"files":{"CHANGELOG.md":"02f92a31269311c965b1dfa705f22f341dc9cce73af08a8c9840c91b8ceb79df","CONTRIBUTING.md":"2fbb44138ececdef7c0950fae6ed1dcad481fb2f368df0e3734c9902be791f3e","Cargo.toml":"72ff6f9d47061233fc938824f2adc126ba9e8f686df75dec4ab7a0f44327d5c6","LICENSE":"36c48715a280d334a995f26fc38103f21cb92425a20c8eeaa368b229b49b6d4d","README.md":"9a04bb0dee4e6c350d1728ec225f162081d31273dbae6580757aadb363c76cdf","src/lib.rs":"7e14a5d5f2351343e41ff0e085a348190178ebe19cf12ffce083ce75ae6fba9d","tests/mod.rs":"61e6540375c1ccf5a5f134336d5297ecbda6ef76dd3cd81c600b303d2572e7ee"},"package":"81cdd64d312baedb58e21336b31bc043b77e01cc99033ce76ef539f78e965ebc"} \ No newline at end of file diff --git a/vendor/subtle/CHANGELOG.md b/vendor/subtle/CHANGELOG.md index 152e7bcac..e6a386365 100644 --- a/vendor/subtle/CHANGELOG.md +++ b/vendor/subtle/CHANGELOG.md @@ -2,6 +2,21 @@ Entries are listed in reverse chronological order. +## 2.5.0 + +* Add constant-timedness note to the documentation for `CtOption::unwrap_or_else`. +* Add `CtOption::expect`. +* Add `ConstantTimeEq::ct_ne` with default implementation. +* Add new `core_hint_black_box` feature from Diane Hosfelt and Amber + Sprenkels which utilises the original `black_box` functionality from + when subtle was first written, which has now found it's way into the + Rust standard library. +* Add new `const-generics` feature from @survived which adds support + for subtle traits for generic arrays `[T; N]`. +* Add new feature for supporting `core::cmp::Ordering` for types which + implement subtle traits, patch from @tarcieri. +* Update `rand` dependency to 0.8. + ## 2.4.1 * Fix a bug in how the README was included in the documentation builds diff --git a/vendor/subtle/Cargo.toml b/vendor/subtle/Cargo.toml index 8689ad2f7..351989ace 100644 --- a/vendor/subtle/Cargo.toml +++ b/vendor/subtle/Cargo.toml @@ -3,16 +3,16 @@ # When uploading crates to the registry Cargo will automatically # "normalize" Cargo.toml files for maximal compatibility # with all versions of Cargo and also rewrite `path` dependencies -# to registry (e.g., crates.io) dependencies +# to registry (e.g., crates.io) dependencies. # -# If you believe there's an error in this file please file an -# issue against the rust-lang/cargo repository. If you're -# editing this file be aware that the upstream Cargo.toml -# will likely look very different (and much more reasonable) +# If you are reading this file be aware that the original Cargo.toml +# will likely look very different (and much more reasonable). +# See Cargo.toml.orig for the original contents. [package] +edition = "2018" name = "subtle" -version = "2.4.1" +version = "2.5.0" authors = ["Isis Lovecruft ", "Henry de Valence "] exclude = ["**/.gitignore", ".travis.yml"] description = "Pure-Rust traits and utilities for constant-time cryptographic implementations." @@ -24,9 +24,11 @@ categories = ["cryptography", "no-std"] license = "BSD-3-Clause" repository = "https://github.com/dalek-cryptography/subtle" [dev-dependencies.rand] -version = "0.7" +version = "0.8" [features] +const-generics = [] +core_hint_black_box = [] default = ["std", "i128"] i128 = [] nightly = [] diff --git a/vendor/subtle/README.md b/vendor/subtle/README.md index 81ac448fe..de7757554 100644 --- a/vendor/subtle/README.md +++ b/vendor/subtle/README.md @@ -7,7 +7,7 @@ instead of `bool` which are intended to execute in constant-time. The `Choice` type is a wrapper around a `u8` that holds a `0` or `1`. ```toml -subtle = "2.4" +subtle = "2.5" ``` This crate represents a “best-effort” attempt, since side-channels @@ -26,6 +26,13 @@ prevent this refinement, the crate tries to hide the value of a `Choice`'s inner `u8` by passing it through a volatile read. For more information, see the _About_ section below. +Rust versions from 1.66 or higher support a new best-effort optimization +barrier ([`core::hint::black_box`]). To use the new optimization barrier, +enable the `core_hint_black_box` feature. + +Rust versions from 1.51 or higher have const generics support. You may enable +`const-generics` feautre to have `subtle` traits implemented for arrays `[T; N]`. + Versions prior to `2.2` recommended use of the `nightly` feature to enable an optimization barrier; this is not required in versions `2.2` and above. @@ -48,10 +55,15 @@ Minimum supported Rust version can be changed in the future, but it will be done This library aims to be the Rust equivalent of Go’s `crypto/subtle` module. -The optimization barrier in `impl From for Choice` was based on Tim -Maclean's [work on `rust-timing-shield`][rust-timing-shield], which attempts to -provide a more comprehensive approach for preventing software side-channels in -Rust code. +Old versions of the optimization barrier in `impl From for Choice` were +based on Tim Maclean's [work on `rust-timing-shield`][rust-timing-shield], +which attempts to provide a more comprehensive approach for preventing +software side-channels in Rust code. + +From version `2.2`, it was based on Diane Hosfelt and Amber Sprenkels' work on +"Secret Types in Rust". Version `2.5` adds the `core_hint_black_box` feature, +which uses the original method through the [`core::hint::black_box`] function +from the Rust standard library. `subtle` is authored by isis agora lovecruft and Henry de Valence. @@ -66,4 +78,5 @@ effort is fundamentally limited. **USE AT YOUR OWN RISK** [docs]: https://docs.rs/subtle +[`core::hint::black_box`]: https://doc.rust-lang.org/core/hint/fn.black_box.html [rust-timing-shield]: https://www.chosenplaintext.ca/open-source/rust-timing-shield/security diff --git a/vendor/subtle/src/lib.rs b/vendor/subtle/src/lib.rs index 27d05eeae..795eade44 100644 --- a/vendor/subtle/src/lib.rs +++ b/vendor/subtle/src/lib.rs @@ -11,7 +11,7 @@ #![no_std] #![deny(missing_docs)] #![doc(html_logo_url = "https://doc.dalek.rs/assets/dalek-logo-clear.png")] -#![doc(html_root_url = "https://docs.rs/subtle/2.4.1")] +#![doc(html_root_url = "https://docs.rs/subtle/2.5.0")] //! # subtle [![](https://img.shields.io/crates/v/subtle.svg)](https://crates.io/crates/subtle) [![](https://img.shields.io/badge/dynamic/json.svg?label=docs&uri=https%3A%2F%2Fcrates.io%2Fapi%2Fv1%2Fcrates%2Fsubtle%2Fversions&query=%24.versions%5B0%5D.num&colorB=4F74A6)](https://doc.dalek.rs/subtle) [![](https://travis-ci.org/dalek-cryptography/subtle.svg?branch=master)](https://travis-ci.org/dalek-cryptography/subtle) //! @@ -22,7 +22,7 @@ //! type is a wrapper around a `u8` that holds a `0` or `1`. //! //! ```toml -//! subtle = "2.4" +//! subtle = "2.5" //! ``` //! //! This crate represents a “best-effort” attempt, since side-channels @@ -41,6 +41,13 @@ //! inner `u8` by passing it through a volatile read. For more information, see //! the _About_ section below. //! +//! Rust versions from 1.66 or higher support a new best-effort optimization +//! barrier ([`core::hint::black_box`]). To use the new optimization barrier, +//! enable the `core_hint_black_box` feature. +//! +//! Rust versions from 1.51 or higher have const generics support. You may enable +//! `const-generics` feautre to have `subtle` traits implemented for arrays `[T; N]`. +//! //! Versions prior to `2.2` recommended use of the `nightly` feature to enable an //! optimization barrier; this is not required in versions `2.2` and above. //! @@ -63,10 +70,15 @@ //! //! This library aims to be the Rust equivalent of Go’s `crypto/subtle` module. //! -//! The optimization barrier in `impl From for Choice` was based on Tim -//! Maclean's [work on `rust-timing-shield`][rust-timing-shield], which attempts to -//! provide a more comprehensive approach for preventing software side-channels in -//! Rust code. +//! Old versions of the optimization barrier in `impl From for Choice` were +//! based on Tim Maclean's [work on `rust-timing-shield`][rust-timing-shield], +//! which attempts to provide a more comprehensive approach for preventing +//! software side-channels in Rust code. +//! +//! From version `2.2`, it was based on Diane Hosfelt and Amber Sprenkels' work on +//! "Secret Types in Rust". Version `2.5` adds the `core_hint_black_box` feature, +//! which uses the original method through the [`core::hint::black_box`] function +//! from the Rust standard library. //! //! `subtle` is authored by isis agora lovecruft and Henry de Valence. //! @@ -81,12 +93,14 @@ //! **USE AT YOUR OWN RISK** //! //! [docs]: https://docs.rs/subtle +//! [`core::hint::black_box`]: https://doc.rust-lang.org/core/hint/fn.black_box.html //! [rust-timing-shield]: https://www.chosenplaintext.ca/open-source/rust-timing-shield/security #[cfg(feature = "std")] #[macro_use] extern crate std; +use core::cmp; use core::ops::{BitAnd, BitAndAssign, BitOr, BitOrAssign, BitXor, BitXorAssign, Neg, Not}; use core::option::Option; @@ -210,6 +224,7 @@ impl Not for Choice { /// Note: Rust's notion of "volatile" is subject to change over time. While this /// code may break in a non-destructive way in the future, “constant-time” code /// is a continually moving target, and this is better than doing nothing. +#[cfg(not(feature = "core_hint_black_box"))] #[inline(never)] fn black_box(input: u8) -> u8 { debug_assert!((input == 0u8) | (input == 1u8)); @@ -227,6 +242,13 @@ fn black_box(input: u8) -> u8 { } } +#[cfg(feature = "core_hint_black_box")] +#[inline(never)] +fn black_box(input: u8) -> u8 { + debug_assert!((input == 0u8) | (input == 1u8)); + core::hint::black_box(input) +} + impl From for Choice { #[inline] fn from(input: u8) -> Choice { @@ -259,6 +281,19 @@ pub trait ConstantTimeEq { /// * `Choice(0u8)` if `self != other`. #[inline] fn ct_eq(&self, other: &Self) -> Choice; + + /// Determine if two items are NOT equal. + /// + /// The `ct_ne` function should execute in constant time. + /// + /// # Returns + /// + /// * `Choice(0u8)` if `self == other`; + /// * `Choice(1u8)` if `self != other`. + #[inline] + fn ct_ne(&self, other: &Self) -> Choice { + !self.ct_eq(other) + } } impl ConstantTimeEq for [T] { @@ -350,6 +385,14 @@ generate_integer_equal!(u64, i64, 64); generate_integer_equal!(u128, i128, 128); generate_integer_equal!(usize, isize, ::core::mem::size_of::() * 8); +/// `Ordering` is `#[repr(i8)]` making it possible to leverage `i8::ct_eq`. +impl ConstantTimeEq for cmp::Ordering { + #[inline] + fn ct_eq(&self, other: &Self) -> Choice { + (*self as i8).ct_eq(&(*other as i8)) + } +} + /// A type which can be conditionally selected in constant time. /// /// This trait also provides generic implementations of conditional @@ -367,7 +410,6 @@ pub trait ConditionallySelectable: Copy { /// # Example /// /// ``` - /// # extern crate subtle; /// use subtle::ConditionallySelectable; /// # /// # fn main() { @@ -390,7 +432,6 @@ pub trait ConditionallySelectable: Copy { /// # Example /// /// ``` - /// # extern crate subtle; /// use subtle::ConditionallySelectable; /// # /// # fn main() { @@ -416,7 +457,6 @@ pub trait ConditionallySelectable: Copy { /// # Example /// /// ``` - /// # extern crate subtle; /// use subtle::ConditionallySelectable; /// # /// # fn main() { @@ -511,6 +551,26 @@ generate_integer_conditional_select!( u64 i64); #[cfg(feature = "i128")] generate_integer_conditional_select!(u128 i128); +/// `Ordering` is `#[repr(i8)]` where: +/// +/// - `Less` => -1 +/// - `Equal` => 0 +/// - `Greater` => 1 +/// +/// Given this, it's possible to operate on orderings as if they're integers, +/// which allows leveraging conditional masking for predication. +impl ConditionallySelectable for cmp::Ordering { + fn conditional_select(a: &Self, b: &Self, choice: Choice) -> Self { + let a = *a as i8; + let b = *b as i8; + let ret = i8::conditional_select(&a, &b, choice); + + // SAFETY: `Ordering` is `#[repr(i8)]` and `ret` has been assigned to + // a value which was originally a valid `Ordering` then cast to `i8` + unsafe { *((&ret as *const _) as *const cmp::Ordering) } + } +} + impl ConditionallySelectable for Choice { #[inline] fn conditional_select(a: &Self, b: &Self, choice: Choice) -> Self { @@ -518,6 +578,25 @@ impl ConditionallySelectable for Choice { } } +#[cfg(feature = "const-generics")] +impl ConditionallySelectable for [T; N] +where + T: ConditionallySelectable, +{ + #[inline] + fn conditional_select(a: &Self, b: &Self, choice: Choice) -> Self { + let mut output = *a; + output.conditional_assign(b, choice); + output + } + + fn conditional_assign(&mut self, other: &Self, choice: Choice) { + for (a_i, b_i) in self.iter_mut().zip(other) { + a_i.conditional_assign(b_i, choice) + } + } +} + /// A type which can be conditionally negated in constant time. /// /// # Note @@ -605,6 +684,18 @@ impl CtOption { } } + /// Returns the contained value, consuming the `self` value. + /// + /// # Panics + /// + /// Panics if the value is none with a custom panic message provided by + /// `msg`. + pub fn expect(self, msg: &str) -> T { + assert_eq!(self.is_some.unwrap_u8(), 1, "{}", msg); + + self.value + } + /// This returns the underlying value but panics if it /// is not `Some`. #[inline] @@ -626,6 +717,9 @@ impl CtOption { /// This returns the underlying value if it is `Some` /// or the value produced by the provided closure otherwise. + /// + /// This operates in constant time, because the provided closure + /// is always called. #[inline] pub fn unwrap_or_else(self, f: F) -> T where @@ -748,7 +842,6 @@ pub trait ConstantTimeGreater { /// # Example /// /// ``` - /// # extern crate subtle; /// use subtle::ConstantTimeGreater; /// /// let x: u8 = 13; @@ -801,7 +894,7 @@ macro_rules! generate_unsigned_integer_greater { Choice::from((bit & 1) as u8) } } - } + }; } generate_unsigned_integer_greater!(u8, 8); @@ -811,6 +904,16 @@ generate_unsigned_integer_greater!(u64, 64); #[cfg(feature = "i128")] generate_unsigned_integer_greater!(u128, 128); +impl ConstantTimeGreater for cmp::Ordering { + #[inline] + fn ct_gt(&self, other: &Self) -> Choice { + // No impl of `ConstantTimeGreater` for `i8`, so use `u8` + let a = (*self as i8) + 1; + let b = (*other as i8) + 1; + (a as u8).ct_gt(&(b as u8)) + } +} + /// A type which can be compared in some manner and be determined to be less /// than another of the same type. pub trait ConstantTimeLess: ConstantTimeEq + ConstantTimeGreater { @@ -832,7 +935,6 @@ pub trait ConstantTimeLess: ConstantTimeEq + ConstantTimeGreater { /// # Example /// /// ``` - /// # extern crate subtle; /// use subtle::ConstantTimeLess; /// /// let x: u8 = 13; @@ -862,3 +964,13 @@ impl ConstantTimeLess for u32 {} impl ConstantTimeLess for u64 {} #[cfg(feature = "i128")] impl ConstantTimeLess for u128 {} + +impl ConstantTimeLess for cmp::Ordering { + #[inline] + fn ct_lt(&self, other: &Self) -> Choice { + // No impl of `ConstantTimeLess` for `i8`, so use `u8` + let a = (*self as i8) + 1; + let b = (*other as i8) + 1; + (a as u8).ct_lt(&(b as u8)) + } +} diff --git a/vendor/subtle/tests/mod.rs b/vendor/subtle/tests/mod.rs index eaa98a460..f6b3982e0 100644 --- a/vendor/subtle/tests/mod.rs +++ b/vendor/subtle/tests/mod.rs @@ -1,5 +1,4 @@ -extern crate rand; -extern crate subtle; +use std::cmp; use rand::rngs::OsRng; use rand::RngCore; @@ -96,6 +95,19 @@ fn custom_conditional_select_i16() { assert_eq!(i16::conditional_select(&x, &y, 1.into()), 514); } +#[test] +fn ordering_conditional_select() { + assert_eq!( + cmp::Ordering::conditional_select(&cmp::Ordering::Less, &cmp::Ordering::Greater, 0.into()), + cmp::Ordering::Less + ); + + assert_eq!( + cmp::Ordering::conditional_select(&cmp::Ordering::Less, &cmp::Ordering::Greater, 1.into()), + cmp::Ordering::Greater + ); +} + macro_rules! generate_integer_equal_tests { ($($t:ty),*) => ($( let y: $t = 0; // all 0 bits @@ -105,6 +117,8 @@ macro_rules! generate_integer_equal_tests { assert_eq!(x.ct_eq(&y).unwrap_u8(), 0); assert_eq!(x.ct_eq(&z).unwrap_u8(), 1); + assert_eq!(x.ct_ne(&y).unwrap_u8(), 1); + assert_eq!(x.ct_ne(&z).unwrap_u8(), 0); )*) } @@ -147,6 +161,16 @@ fn choice_equal() { assert!(Choice::from(1).ct_eq(&Choice::from(1)).unwrap_u8() == 1); } +#[test] +fn ordering_equal() { + let a = cmp::Ordering::Equal; + let b = cmp::Ordering::Greater; + let c = a; + + assert_eq!(a.ct_eq(&b).unwrap_u8(), 0); + assert_eq!(a.ct_eq(&c).unwrap_u8(), 1); +} + #[test] fn test_ctoption() { let a = CtOption::new(10, Choice::from(1)); @@ -332,6 +356,12 @@ fn greater_than_u128() { generate_greater_than_test!(u128); } +#[test] +fn greater_than_ordering() { + assert_eq!(cmp::Ordering::Less.ct_gt(&cmp::Ordering::Greater).unwrap_u8(), 0); + assert_eq!(cmp::Ordering::Greater.ct_gt(&cmp::Ordering::Less).unwrap_u8(), 1); +} + #[test] /// Test that the two's compliment min and max, i.e. 0000...0001 < 1111...1110, /// gives the correct result. (This fails using the bit-twiddling algorithm that @@ -387,3 +417,9 @@ fn less_than_u64() { fn less_than_u128() { generate_less_than_test!(u128); } + +#[test] +fn less_than_ordering() { + assert_eq!(cmp::Ordering::Greater.ct_lt(&cmp::Ordering::Less).unwrap_u8(), 0); + assert_eq!(cmp::Ordering::Less.ct_lt(&cmp::Ordering::Greater).unwrap_u8(), 1); +} -- cgit v1.2.3