1/*
2 * Helper functions for constant time operations
3 * Copyright (c) 2019, The Linux Foundation
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 *
8 * These helper functions can be used to implement logic that needs to minimize
9 * externally visible differences in execution path by avoiding use of branches,
10 * avoiding early termination or other time differences, and forcing same memory
11 * access pattern regardless of values.
12 */
13
14#ifndef CONST_TIME_H
15#define CONST_TIME_H
16
17
18#if defined(__clang__)
19#define NO_UBSAN_UINT_OVERFLOW \
20	__attribute__((no_sanitize("unsigned-integer-overflow")))
21#else
22#define NO_UBSAN_UINT_OVERFLOW
23#endif
24
25
26/**
27 * const_time_fill_msb - Fill all bits with MSB value
28 * @val: Input value
29 * Returns: Value with all the bits set to the MSB of the input val
30 */
31static inline unsigned int const_time_fill_msb(unsigned int val)
32{
33	/* Move the MSB to LSB and multiple by -1 to fill in all bits. */
34	return (val >> (sizeof(val) * 8 - 1)) * ~0U;
35}
36
37
38/* Returns: -1 if val is zero; 0 if val is not zero */
39static inline unsigned int const_time_is_zero(unsigned int val)
40	NO_UBSAN_UINT_OVERFLOW
41{
42	/* Set MSB to 1 for 0 and fill rest of bits with the MSB value */
43	return const_time_fill_msb(~val & (val - 1));
44}
45
46
47/* Returns: -1 if a == b; 0 if a != b */
48static inline unsigned int const_time_eq(unsigned int a, unsigned int b)
49{
50	return const_time_is_zero(a ^ b);
51}
52
53
54/* Returns: -1 if a == b; 0 if a != b */
55static inline u8 const_time_eq_u8(unsigned int a, unsigned int b)
56{
57	return (u8) const_time_eq(a, b);
58}
59
60
61/**
62 * const_time_eq_bin - Constant time memory comparison
63 * @a: First buffer to compare
64 * @b: Second buffer to compare
65 * @len: Number of octets to compare
66 * Returns: -1 if buffers are equal, 0 if not
67 *
68 * This function is meant for comparing passwords or hash values where
69 * difference in execution time or memory access pattern could provide external
70 * observer information about the location of the difference in the memory
71 * buffers. The return value does not behave like memcmp(), i.e.,
72 * const_time_eq_bin() cannot be used to sort items into a defined order. Unlike
73 * memcmp(), the execution time of const_time_eq_bin() does not depend on the
74 * contents of the compared memory buffers, but only on the total compared
75 * length.
76 */
77static inline unsigned int const_time_eq_bin(const void *a, const void *b,
78					     size_t len)
79{
80	const u8 *aa = a;
81	const u8 *bb = b;
82	size_t i;
83	u8 res = 0;
84
85	for (i = 0; i < len; i++)
86		res |= aa[i] ^ bb[i];
87
88	return const_time_is_zero(res);
89}
90
91
92/**
93 * const_time_select - Constant time unsigned int selection
94 * @mask: 0 (false) or -1 (true) to identify which value to select
95 * @true_val: Value to select for the true case
96 * @false_val: Value to select for the false case
97 * Returns: true_val if mask == -1, false_val if mask == 0
98 */
99static inline unsigned int const_time_select(unsigned int mask,
100					     unsigned int true_val,
101					     unsigned int false_val)
102{
103	return (mask & true_val) | (~mask & false_val);
104}
105
106
107/**
108 * const_time_select_int - Constant time int selection
109 * @mask: 0 (false) or -1 (true) to identify which value to select
110 * @true_val: Value to select for the true case
111 * @false_val: Value to select for the false case
112 * Returns: true_val if mask == -1, false_val if mask == 0
113 */
114static inline int const_time_select_int(unsigned int mask, int true_val,
115					int false_val)
116{
117	return (int) const_time_select(mask, (unsigned int) true_val,
118				       (unsigned int) false_val);
119}
120
121
122/**
123 * const_time_select_u8 - Constant time u8 selection
124 * @mask: 0 (false) or -1 (true) to identify which value to select
125 * @true_val: Value to select for the true case
126 * @false_val: Value to select for the false case
127 * Returns: true_val if mask == -1, false_val if mask == 0
128 */
129static inline u8 const_time_select_u8(u8 mask, u8 true_val, u8 false_val)
130{
131	return (u8) const_time_select(mask, true_val, false_val);
132}
133
134
135/**
136 * const_time_select_s8 - Constant time s8 selection
137 * @mask: 0 (false) or -1 (true) to identify which value to select
138 * @true_val: Value to select for the true case
139 * @false_val: Value to select for the false case
140 * Returns: true_val if mask == -1, false_val if mask == 0
141 */
142static inline s8 const_time_select_s8(u8 mask, s8 true_val, s8 false_val)
143{
144	return (s8) const_time_select(mask, (unsigned int) true_val,
145				      (unsigned int) false_val);
146}
147
148
149/**
150 * const_time_select_bin - Constant time binary buffer selection copy
151 * @mask: 0 (false) or -1 (true) to identify which value to copy
152 * @true_val: Buffer to copy for the true case
153 * @false_val: Buffer to copy for the false case
154 * @len: Number of octets to copy
155 * @dst: Destination buffer for the copy
156 *
157 * This function copies the specified buffer into the destination buffer using
158 * operations with identical memory access pattern regardless of which buffer
159 * is being copied.
160 */
161static inline void const_time_select_bin(u8 mask, const u8 *true_val,
162					 const u8 *false_val, size_t len,
163					 u8 *dst)
164{
165	size_t i;
166
167	for (i = 0; i < len; i++)
168		dst[i] = const_time_select_u8(mask, true_val[i], false_val[i]);
169}
170
171
172static inline int const_time_memcmp(const void *a, const void *b, size_t len)
173{
174	const u8 *aa = a;
175	const u8 *bb = b;
176	int diff, res = 0;
177	unsigned int mask;
178
179	if (len == 0)
180		return 0;
181	do {
182		len--;
183		diff = (int) aa[len] - (int) bb[len];
184		mask = const_time_is_zero((unsigned int) diff);
185		res = const_time_select_int(mask, res, diff);
186	} while (len);
187
188	return res;
189}
190
191#endif /* CONST_TIME_H */
192