• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2  * All rights reserved.
3  *
4  * This package is an SSL implementation written
5  * by Eric Young (eay@cryptsoft.com).
6  * The implementation was written so as to conform with Netscapes SSL.
7  *
8  * This library is free for commercial and non-commercial use as long as
9  * the following conditions are aheared to.  The following conditions
10  * apply to all code found in this distribution, be it the RC4, RSA,
11  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
12  * included with this distribution is covered by the same copyright terms
13  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14  *
15  * Copyright remains Eric Young's, and as such any Copyright notices in
16  * the code are not to be removed.
17  * If this package is used in a product, Eric Young should be given attribution
18  * as the author of the parts of the library used.
19  * This can be in the form of a textual message at program startup or
20  * in documentation (online or textual) provided with the package.
21  *
22  * Redistribution and use in source and binary forms, with or without
23  * modification, are permitted provided that the following conditions
24  * are met:
25  * 1. Redistributions of source code must retain the copyright
26  *    notice, this list of conditions and the following disclaimer.
27  * 2. Redistributions in binary form must reproduce the above copyright
28  *    notice, this list of conditions and the following disclaimer in the
29  *    documentation and/or other materials provided with the distribution.
30  * 3. All advertising materials mentioning features or use of this software
31  *    must display the following acknowledgement:
32  *    "This product includes cryptographic software written by
33  *     Eric Young (eay@cryptsoft.com)"
34  *    The word 'cryptographic' can be left out if the rouines from the library
35  *    being used are not cryptographic related :-).
36  * 4. If you include any Windows specific code (or a derivative thereof) from
37  *    the apps directory (application code) you must include an acknowledgement:
38  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50  * SUCH DAMAGE.
51  *
52  * The licence and distribution terms for any publically available version or
53  * derivative of this code cannot be changed.  i.e. this code cannot simply be
54  * copied and put under another distribution licence
55  * [including the GNU Public Licence.]
56  */
57 /* ====================================================================
58  * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
59  *
60  * Redistribution and use in source and binary forms, with or without
61  * modification, are permitted provided that the following conditions
62  * are met:
63  *
64  * 1. Redistributions of source code must retain the above copyright
65  *    notice, this list of conditions and the following disclaimer.
66  *
67  * 2. Redistributions in binary form must reproduce the above copyright
68  *    notice, this list of conditions and the following disclaimer in
69  *    the documentation and/or other materials provided with the
70  *    distribution.
71  *
72  * 3. All advertising materials mentioning features or use of this
73  *    software must display the following acknowledgment:
74  *    "This product includes software developed by the OpenSSL Project
75  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76  *
77  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78  *    endorse or promote products derived from this software without
79  *    prior written permission. For written permission, please contact
80  *    openssl-core@openssl.org.
81  *
82  * 5. Products derived from this software may not be called "OpenSSL"
83  *    nor may "OpenSSL" appear in their names without prior written
84  *    permission of the OpenSSL Project.
85  *
86  * 6. Redistributions of any form whatsoever must retain the following
87  *    acknowledgment:
88  *    "This product includes software developed by the OpenSSL Project
89  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90  *
91  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
95  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102  * OF THE POSSIBILITY OF SUCH DAMAGE.
103  * ====================================================================
104  *
105  * This product includes cryptographic software written by Eric Young
106  * (eay@cryptsoft.com).  This product includes software written by Tim
107  * Hudson (tjh@cryptsoft.com). */
108 
109 #ifndef OPENSSL_HEADER_CRYPTO_INTERNAL_H
110 #define OPENSSL_HEADER_CRYPTO_INTERNAL_H
111 
112 #include <GFp/base.h> // Must be first.
113 
114 #include "GFp/check.h"
115 
116 #if defined(__GNUC__) && \
117     (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__) < 40800
118 // |alignas| and |alignof| were added in C11. GCC added support in version 4.8.
119 // Testing for __STDC_VERSION__/__cplusplus doesn't work because 4.7 already
120 // reports support for C11.
121 #define alignas(x) __attribute__ ((aligned (x)))
122 #elif defined(_MSC_VER) && !defined(__clang__)
123 #define alignas(x) __declspec(align(x))
124 #else
125 #include <stdalign.h>
126 #endif
127 
128 #if (!defined(_MSC_VER) || defined(__clang__)) && defined(OPENSSL_64_BIT)
129 #define BORINGSSL_HAS_UINT128
130 typedef __int128_t int128_t;
131 typedef __uint128_t uint128_t;
132 #endif
133 
134 
135 // Constant-time utility functions.
136 //
137 // The following methods return a bitmask of all ones (0xff...f) for true and 0
138 // for false. This is useful for choosing a value based on the result of a
139 // conditional in constant time. For example,
140 //
141 // if (a < b) {
142 //   c = a;
143 // } else {
144 //   c = b;
145 // }
146 //
147 // can be written as
148 //
149 // crypto_word lt = constant_time_lt_w(a, b);
150 // c = constant_time_select_w(lt, a, b);
151 
152 // crypto_word is the type that most constant-time functions use. Ideally we
153 // would like it to be |size_t|, but NaCl builds in 64-bit mode with 32-bit
154 // pointers, which means that |size_t| can be 32 bits when |crypto_word| is 64
155 // bits.
156 #if defined(OPENSSL_64_BIT)
157 typedef uint64_t crypto_word;
158 #define CRYPTO_WORD_BITS (64u)
159 #elif defined(OPENSSL_32_BIT)
160 typedef uint32_t crypto_word;
161 #define CRYPTO_WORD_BITS (32u)
162 #else
163 #error "Must define either OPENSSL_32_BIT or OPENSSL_64_BIT"
164 #endif
165 
166 #define CONSTTIME_TRUE_W ~((crypto_word)0)
167 #define CONSTTIME_FALSE_W ((crypto_word)0)
168 
169 // value_barrier_w returns |a|, but prevents GCC and Clang from reasoning about
170 // the returned value. This is used to mitigate compilers undoing constant-time
171 // code, until we can express our requirements directly in the language.
172 //
173 // Note the compiler is aware that |value_barrier_w| has no side effects and
174 // always has the same output for a given input. This allows it to eliminate
175 // dead code, move computations across loops, and vectorize.
value_barrier_w(crypto_word a)176 static inline crypto_word value_barrier_w(crypto_word a) {
177 #if !defined(OPENSSL_NO_ASM) && (defined(__GNUC__) || defined(__clang__))
178   __asm__("" : "+r"(a) : /* no inputs */);
179 #endif
180   return a;
181 }
182 
183 // value_barrier_u32 behaves like |value_barrier_w| but takes a |uint32_t|.
value_barrier_u32(uint32_t a)184 static inline uint32_t value_barrier_u32(uint32_t a) {
185 #if !defined(OPENSSL_NO_ASM) && (defined(__GNUC__) || defined(__clang__))
186   __asm__("" : "+r"(a) : /* no inputs */);
187 #endif
188   return a;
189 }
190 
191 // value_barrier_u64 behaves like |value_barrier_w| but takes a |uint64_t|.
value_barrier_u64(uint64_t a)192 static inline uint64_t value_barrier_u64(uint64_t a) {
193 #if !defined(OPENSSL_NO_ASM) && (defined(__GNUC__) || defined(__clang__))
194   __asm__("" : "+r"(a) : /* no inputs */);
195 #endif
196   return a;
197 }
198 
199 // constant_time_msb_w returns the given value with the MSB copied to all the
200 // other bits.
constant_time_msb_w(crypto_word a)201 static inline crypto_word constant_time_msb_w(crypto_word a) {
202   return 0u - (a >> (sizeof(a) * 8 - 1));
203 }
204 
205 // constant_time_is_zero_w returns 0xff..f if a == 0 and 0 otherwise.
constant_time_is_zero_w(crypto_word a)206 static inline crypto_word constant_time_is_zero_w(crypto_word a) {
207   // Here is an SMT-LIB verification of this formula:
208   //
209   // (define-fun is_zero ((a (_ BitVec 32))) (_ BitVec 32)
210   //   (bvand (bvnot a) (bvsub a #x00000001))
211   // )
212   //
213   // (declare-fun a () (_ BitVec 32))
214   //
215   // (assert (not (= (= #x00000001 (bvlshr (is_zero a) #x0000001f)) (= a #x00000000))))
216   // (check-sat)
217   // (get-model)
218   return constant_time_msb_w(~a & (a - 1));
219 }
220 
constant_time_is_nonzero_w(crypto_word a)221 static inline crypto_word constant_time_is_nonzero_w(crypto_word a) {
222   return ~constant_time_is_zero_w(a);
223 }
224 
225 // constant_time_eq_w returns 0xff..f if a == b and 0 otherwise.
constant_time_eq_w(crypto_word a,crypto_word b)226 static inline crypto_word constant_time_eq_w(crypto_word a,
227                                                crypto_word b) {
228   return constant_time_is_zero_w(a ^ b);
229 }
230 
231 // constant_time_select_w returns (mask & a) | (~mask & b). When |mask| is all
232 // 1s or all 0s (as returned by the methods above), the select methods return
233 // either |a| (if |mask| is nonzero) or |b| (if |mask| is zero).
constant_time_select_w(crypto_word mask,crypto_word a,crypto_word b)234 static inline crypto_word constant_time_select_w(crypto_word mask,
235                                                    crypto_word a,
236                                                    crypto_word b) {
237   // Clang recognizes this pattern as a select. While it usually transforms it
238   // to a cmov, it sometimes further transforms it into a branch, which we do
239   // not want.
240   //
241   // Adding barriers to both |mask| and |~mask| breaks the relationship between
242   // the two, which makes the compiler stick with bitmasks.
243   return (value_barrier_w(mask) & a) | (value_barrier_w(~mask) & b);
244 }
245 
246 // Endianness conversions.
247 
248 #if defined(__GNUC__) && __GNUC__ >= 2
CRYPTO_bswap4(uint32_t x)249 static inline uint32_t CRYPTO_bswap4(uint32_t x) {
250   return __builtin_bswap32(x);
251 }
252 #elif defined(_MSC_VER)
253 #pragma warning(push, 3)
254 #include <stdlib.h>
255 #pragma warning(pop)
256 #pragma intrinsic(_byteswap_uint64, _byteswap_ulong)
CRYPTO_bswap4(uint32_t x)257 static inline uint32_t CRYPTO_bswap4(uint32_t x) {
258   return _byteswap_ulong(x);
259 }
260 #endif
261 
262 #if !defined(GFp_NOSTDLIBINC)
263 #include <string.h>
264 #endif
265 
GFp_memcpy(void * dst,const void * src,size_t n)266 static inline void *GFp_memcpy(void *dst, const void *src, size_t n) {
267 #if !defined(GFp_NOSTDLIBINC)
268   if (n == 0) {
269     return dst;
270   }
271   return memcpy(dst, src, n);
272 #else
273   unsigned char *d = dst;
274   const unsigned char *s = src;
275   for (size_t i = 0; i < n; ++i) {
276     d[i] = s[i];
277   }
278   return dst;
279 #endif
280 }
281 
GFp_memset(void * dst,int c,size_t n)282 static inline void *GFp_memset(void *dst, int c, size_t n) {
283 #if !defined(GFp_NOSTDLIBINC)
284   if (n == 0) {
285     return dst;
286   }
287   return memset(dst, c, n);
288 #else
289   unsigned char *d = dst;
290   for (size_t i = 0; i < n; ++i) {
291     d[i] = (unsigned char)c;
292   }
293   return dst;
294 #endif
295 }
296 
297 #endif  // OPENSSL_HEADER_CRYPTO_INTERNAL_H
298