1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com). */
108
109 #ifndef OPENSSL_HEADER_CRYPTO_INTERNAL_H
110 #define OPENSSL_HEADER_CRYPTO_INTERNAL_H
111
112 #include <ring-core/base.h> // Must be first.
113
114 #include "ring-core/check.h"
115
116 #if defined(__GNUC__) && \
117 (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__) < 40800
118 // |alignas| and |alignof| were added in C11. GCC added support in version 4.8.
119 // Testing for __STDC_VERSION__/__cplusplus doesn't work because 4.7 already
120 // reports support for C11.
121 #define alignas(x) __attribute__ ((aligned (x)))
122 #elif defined(_MSC_VER) && !defined(__clang__)
123 #define alignas(x) __declspec(align(x))
124 #else
125 #include <stdalign.h>
126 #endif
127
128 // Some C compilers require a useless cast when dealing with arrays for the
129 // reason explained in
130 // https://gustedt.wordpress.com/2011/02/12/const-and-arrays/
131 #if defined(__clang__) || defined(_MSC_VER)
132 #define RING_CORE_POINTLESS_ARRAY_CONST_CAST(cast)
133 #else
134 #define RING_CORE_POINTLESS_ARRAY_CONST_CAST(cast) cast
135 #endif
136
137 #if (!defined(_MSC_VER) || defined(__clang__)) && defined(OPENSSL_64_BIT)
138 #define BORINGSSL_HAS_UINT128
139 typedef __int128_t int128_t;
140 typedef __uint128_t uint128_t;
141 #endif
142
143
144 // Constant-time utility functions.
145 //
146 // The following methods return a bitmask of all ones (0xff...f) for true and 0
147 // for false. This is useful for choosing a value based on the result of a
148 // conditional in constant time. For example,
149 //
150 // if (a < b) {
151 // c = a;
152 // } else {
153 // c = b;
154 // }
155 //
156 // can be written as
157 //
158 // crypto_word lt = constant_time_lt_w(a, b);
159 // c = constant_time_select_w(lt, a, b);
160
161 // crypto_word is the type that most constant-time functions use. Ideally we
162 // would like it to be |size_t|, but NaCl builds in 64-bit mode with 32-bit
163 // pointers, which means that |size_t| can be 32 bits when |crypto_word| is 64
164 // bits.
165 #if defined(OPENSSL_64_BIT)
166 typedef uint64_t crypto_word;
167 #define CRYPTO_WORD_BITS (64u)
168 #elif defined(OPENSSL_32_BIT)
169 typedef uint32_t crypto_word;
170 #define CRYPTO_WORD_BITS (32u)
171 #else
172 #error "Must define either OPENSSL_32_BIT or OPENSSL_64_BIT"
173 #endif
174
175 #define CONSTTIME_TRUE_W ~((crypto_word)0)
176 #define CONSTTIME_FALSE_W ((crypto_word)0)
177
178 // value_barrier_w returns |a|, but prevents GCC and Clang from reasoning about
179 // the returned value. This is used to mitigate compilers undoing constant-time
180 // code, until we can express our requirements directly in the language.
181 //
182 // Note the compiler is aware that |value_barrier_w| has no side effects and
183 // always has the same output for a given input. This allows it to eliminate
184 // dead code, move computations across loops, and vectorize.
value_barrier_w(crypto_word a)185 static inline crypto_word value_barrier_w(crypto_word a) {
186 #if !defined(OPENSSL_NO_ASM) && (defined(__GNUC__) || defined(__clang__))
187 __asm__("" : "+r"(a) : /* no inputs */);
188 #endif
189 return a;
190 }
191
192 // value_barrier_u32 behaves like |value_barrier_w| but takes a |uint32_t|.
value_barrier_u32(uint32_t a)193 static inline uint32_t value_barrier_u32(uint32_t a) {
194 #if !defined(OPENSSL_NO_ASM) && (defined(__GNUC__) || defined(__clang__))
195 __asm__("" : "+r"(a) : /* no inputs */);
196 #endif
197 return a;
198 }
199
200 // value_barrier_u64 behaves like |value_barrier_w| but takes a |uint64_t|.
value_barrier_u64(uint64_t a)201 static inline uint64_t value_barrier_u64(uint64_t a) {
202 #if !defined(OPENSSL_NO_ASM) && (defined(__GNUC__) || defined(__clang__))
203 __asm__("" : "+r"(a) : /* no inputs */);
204 #endif
205 return a;
206 }
207
208 // constant_time_msb_w returns the given value with the MSB copied to all the
209 // other bits.
constant_time_msb_w(crypto_word a)210 static inline crypto_word constant_time_msb_w(crypto_word a) {
211 return 0u - (a >> (sizeof(a) * 8 - 1));
212 }
213
214 // constant_time_is_zero_w returns 0xff..f if a == 0 and 0 otherwise.
constant_time_is_zero_w(crypto_word a)215 static inline crypto_word constant_time_is_zero_w(crypto_word a) {
216 // Here is an SMT-LIB verification of this formula:
217 //
218 // (define-fun is_zero ((a (_ BitVec 32))) (_ BitVec 32)
219 // (bvand (bvnot a) (bvsub a #x00000001))
220 // )
221 //
222 // (declare-fun a () (_ BitVec 32))
223 //
224 // (assert (not (= (= #x00000001 (bvlshr (is_zero a) #x0000001f)) (= a #x00000000))))
225 // (check-sat)
226 // (get-model)
227 return constant_time_msb_w(~a & (a - 1));
228 }
229
constant_time_is_nonzero_w(crypto_word a)230 static inline crypto_word constant_time_is_nonzero_w(crypto_word a) {
231 return ~constant_time_is_zero_w(a);
232 }
233
234 // constant_time_eq_w returns 0xff..f if a == b and 0 otherwise.
constant_time_eq_w(crypto_word a,crypto_word b)235 static inline crypto_word constant_time_eq_w(crypto_word a,
236 crypto_word b) {
237 return constant_time_is_zero_w(a ^ b);
238 }
239
240 // constant_time_select_w returns (mask & a) | (~mask & b). When |mask| is all
241 // 1s or all 0s (as returned by the methods above), the select methods return
242 // either |a| (if |mask| is nonzero) or |b| (if |mask| is zero).
constant_time_select_w(crypto_word mask,crypto_word a,crypto_word b)243 static inline crypto_word constant_time_select_w(crypto_word mask,
244 crypto_word a,
245 crypto_word b) {
246 // Clang recognizes this pattern as a select. While it usually transforms it
247 // to a cmov, it sometimes further transforms it into a branch, which we do
248 // not want.
249 //
250 // Adding barriers to both |mask| and |~mask| breaks the relationship between
251 // the two, which makes the compiler stick with bitmasks.
252 return (value_barrier_w(mask) & a) | (value_barrier_w(~mask) & b);
253 }
254
255 // Endianness conversions.
256
257 #if defined(__GNUC__) && __GNUC__ >= 2
CRYPTO_bswap4(uint32_t x)258 static inline uint32_t CRYPTO_bswap4(uint32_t x) {
259 return __builtin_bswap32(x);
260 }
261 #elif defined(_MSC_VER)
262 #pragma warning(push, 3)
263 #include <stdlib.h>
264 #pragma warning(pop)
265 #pragma intrinsic(_byteswap_uint64, _byteswap_ulong)
CRYPTO_bswap4(uint32_t x)266 static inline uint32_t CRYPTO_bswap4(uint32_t x) {
267 return _byteswap_ulong(x);
268 }
269 #endif
270
271 #if !defined(RING_CORE_NOSTDLIBINC)
272 #include <string.h>
273 #endif
274
OPENSSL_memcpy(void * dst,const void * src,size_t n)275 static inline void *OPENSSL_memcpy(void *dst, const void *src, size_t n) {
276 #if !defined(RING_CORE_NOSTDLIBINC)
277 if (n == 0) {
278 return dst;
279 }
280 return memcpy(dst, src, n);
281 #else
282 unsigned char *d = dst;
283 const unsigned char *s = src;
284 for (size_t i = 0; i < n; ++i) {
285 d[i] = s[i];
286 }
287 return dst;
288 #endif
289 }
290
OPENSSL_memset(void * dst,int c,size_t n)291 static inline void *OPENSSL_memset(void *dst, int c, size_t n) {
292 #if !defined(RING_CORE_NOSTDLIBINC)
293 if (n == 0) {
294 return dst;
295 }
296 return memset(dst, c, n);
297 #else
298 unsigned char *d = dst;
299 for (size_t i = 0; i < n; ++i) {
300 d[i] = (unsigned char)c;
301 }
302 return dst;
303 #endif
304 }
305
306 #endif // OPENSSL_HEADER_CRYPTO_INTERNAL_H
307