From 765862c4f37938e7e5ec97044b301820f2b1a3de Mon Sep 17 00:00:00 2001
From: Gabor Mezei
Date: Tue, 19 Oct 2021 12:22:25 +0200
Subject: [PATCH] Move mbedtls_cf_memcmp to a new public header
Signed-off-by: Gabor Mezei
---
 include/mbedtls/constant_time.h | 47 +++++++++++++++++++++++++++++++++
 library/cipher.c | 2 +-
 library/constant_time.c | 1 +
 library/constant_time.h | 19 -------------
 library/nist_kw.c | 2 +-
 library/rsa.c | 1 +
 library/ssl_cli.c | 2 +-
 library/ssl_cookie.c | 2 +-
 library/ssl_msg.c | 1 +
 library/ssl_srv.c | 1 +
 library/ssl_tls.c | 2 +-
 11 files changed, 56 insertions(+), 24 deletions(-)
 create mode 100644 include/mbedtls/constant_time.h
diff --git a/include/mbedtls/constant_time.h b/include/mbedtls/constant_time.h
new file mode 100644
index 0000000000..69df954d4b
--- /dev/null
+++ b/include/mbedtls/constant_time.h
@@ -0,0 +1,47 @@
+/**
+ * Constant-time functions
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef MBEDTLS_CONSTANT_TIME_H
+#define MBEDTLS_CONSTANT_TIME_H
+
+#include "common.h"
+
+#include
+
+
+/** Constant-time buffer comparison without branches.
+ *
+ * This is equivalent to the standard memncmp function, but is likely to be
+ * compiled to code using bitwise operation rather than a branch.
+ *
+ * This function can be used to write constant-time code by replacing branches
+ * with bit operations using masks.
+ *
+ * \param a Pointer to the first buffer.
+ * \param b Pointer to the second buffer.
+ * \param n The number of bytes to compare in the buffer.
+ *
+ * \return Zero if the content of the two buffer is the same,
+ * otherwise non-zero.
+ */
+int mbedtls_cf_memcmp( const void *a,
+ const void *b,
+ size_t n );
+
+#endif /* MBEDTLS_CONSTANT_TIME_H */
diff --git a/library/cipher.c b/library/cipher.c
index ce5179c5e7..b48fd6d8a8 100644
--- a/library/cipher.c
+++ b/library/cipher.c
@@ -29,7 +29,7 @@ #include "cipher_wrap.h" #include "mbedtls/platform_util.h" #include "mbedtls/error.h" -#include "constant_time.h" +#include "mbedtls/constant_time.h" #include #include
diff --git a/library/constant_time.c b/library/constant_time.c
index 5bd74b6f80..aff30eae86 100644
--- a/library/constant_time.c
+++ b/library/constant_time.c
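Review bot: The new public header starts with `#include "common.h"`, which looks like the library-internal header (library/constant_time.c includes it under the same name), so an application that only has the public include directory on its path would presumably fail to compile against include/mbedtls/constant_time.h. The declaration only needs `size_t`, so the second include (shown on this page as a bare `#include`, presumably `<stddef.h>`) should be enough and the `common.h` line can be dropped. The doc comment carried over from the private header says the function is "equivalent to the standard memncmp function", but no such standard function exists, and the documented return (zero or non-zero) carries no ordering the way `memcmp` does. Since this is now a public contract, I would reword it along the lines of `Returns zero if the buffers are equal and non-zero otherwise; the result has no ordering meaning, and the running time is intended to depend only on \p n, not on the buffer contents.` The "likely to be compiled" sentence should stay as an explicit best-effort caveat, because nothing in a header can guarantee what the compiler emits.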
@@ -24,6 +24,7 @@ #include "common.h" #include "constant_time.h" +#include "mbedtls/constant_time.h" #include "mbedtls/error.h" #include "mbedtls/platform_util.h"
diff --git a/library/constant_time.h b/library/constant_time.h
index 010cfad9db..598b0eb0a1 100644
--- a/library/constant_time.h
+++ b/library/constant_time.h
@@ -33,25 +33,6 @@ #include -/** Constant-time buffer comparison without branches. - * - * This is equivalent to the standard memncmp function, but is likely to be - * compiled to code using bitwise operation rather than a branch. - * - * This function can be used to write constant-time code by replacing branches - * with bit operations using masks. - * - * \param a Pointer to the first buffer. - * \param b Pointer to the second buffer. - * \param n The number of bytes to compare in the buffer. - * - * \return Zero if the content of the two buffer is the same, - * otherwise non-zero. - */ -int mbedtls_cf_memcmp( const void *a, - const void *b, - size_t n ); - /** Turn a value into a mask: * - if \p value == 0, return the all-bits 0 mask, aka 0 * - otherwise, return the all-bits 1 mask, aka (unsigned) -1
diff --git a/library/nist_kw.c b/library/nist_kw.c
index b71befd88d..5795441319 100644
--- a/library/nist_kw.c
+++ b/library/nist_kw.c
@@ -34,7 +34,7 @@ #include "mbedtls/nist_kw.h" #include "mbedtls/platform_util.h" #include "mbedtls/error.h" -#include "constant_time.h" +#include "mbedtls/constant_time.h" #include #include
diff --git a/library/rsa.c b/library/rsa.c
index 6ac974a50f..856a04bf4a 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -45,6 +45,7 @@ #include "mbedtls/platform_util.h" #include "mbedtls/error.h" #include "constant_time.h" +#include "mbedtls/constant_time.h" #include
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 8fd28cf772..ec5e824cf5 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -33,7 +33,7 @@ #include "ssl_misc.h" #include "mbedtls/debug.h" #include "mbedtls/error.h" -#include "constant_time.h" +#include "mbedtls/constant_time.h" #if defined(MBEDTLS_USE_PSA_CRYPTO) #include "mbedtls/psa_util.h"
diff --git a/library/ssl_cookie.c b/library/ssl_cookie.c
index 6ed3f2be33..cb89c94323 100644
--- a/library/ssl_cookie.c
+++ b/library/ssl_cookie.c
@@ -36,7 +36,7 @@ #include "ssl_misc.h" #include "mbedtls/error.h" #include "mbedtls/platform_util.h" -#include "constant_time.h" +#include "mbedtls/constant_time.h" #include
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 55be047945..923f2b57ea 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -41,6 +41,7 @@ #include "mbedtls/platform_util.h" #include "mbedtls/version.h" #include "constant_time.h" +#include "mbedtls/constant_time.h" #include
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 989cfe07b4..0066744530 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -35,6 +35,7 @@ #include "mbedtls/error.h" #include "mbedtls/platform_util.h" #include "constant_time.h" +#include "mbedtls/constant_time.h" #include
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index d6f038575b..1a1543ea28 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -39,7 +39,7 @@ #include "mbedtls/error.h" #include "mbedtls/platform_util.h" #include "mbedtls/version.h" -#include "constant_time.h" +#include "mbedtls/constant_time.h" #include