Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 1 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 2 | * All rights reserved. |
| 3 | * |
| 4 | * This package is an SSL implementation written |
| 5 | * by Eric Young (eay@cryptsoft.com). |
| 6 | * The implementation was written so as to conform with Netscapes SSL. |
| 7 | * |
| 8 | * This library is free for commercial and non-commercial use as long as |
| 9 | * the following conditions are aheared to. The following conditions |
| 10 | * apply to all code found in this distribution, be it the RC4, RSA, |
| 11 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
| 12 | * included with this distribution is covered by the same copyright terms |
| 13 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
| 14 | * |
| 15 | * Copyright remains Eric Young's, and as such any Copyright notices in |
| 16 | * the code are not to be removed. |
| 17 | * If this package is used in a product, Eric Young should be given attribution |
| 18 | * as the author of the parts of the library used. |
| 19 | * This can be in the form of a textual message at program startup or |
| 20 | * in documentation (online or textual) provided with the package. |
| 21 | * |
| 22 | * Redistribution and use in source and binary forms, with or without |
| 23 | * modification, are permitted provided that the following conditions |
| 24 | * are met: |
| 25 | * 1. Redistributions of source code must retain the copyright |
| 26 | * notice, this list of conditions and the following disclaimer. |
| 27 | * 2. Redistributions in binary form must reproduce the above copyright |
| 28 | * notice, this list of conditions and the following disclaimer in the |
| 29 | * documentation and/or other materials provided with the distribution. |
| 30 | * 3. All advertising materials mentioning features or use of this software |
| 31 | * must display the following acknowledgement: |
| 32 | * "This product includes cryptographic software written by |
| 33 | * Eric Young (eay@cryptsoft.com)" |
| 34 | * The word 'cryptographic' can be left out if the rouines from the library |
| 35 | * being used are not cryptographic related :-). |
| 36 | * 4. If you include any Windows specific code (or a derivative thereof) from |
| 37 | * the apps directory (application code) you must include an acknowledgement: |
| 38 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
| 39 | * |
| 40 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
| 41 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 42 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
| 43 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
| 44 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
| 45 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
| 46 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 47 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
| 48 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
| 49 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| 50 | * SUCH DAMAGE. |
| 51 | * |
| 52 | * The licence and distribution terms for any publically available version or |
| 53 | * derivative of this code cannot be changed. i.e. this code cannot simply be |
| 54 | * copied and put under another distribution licence |
| 55 | * [including the GNU Public Licence.] |
| 56 | */ |
| 57 | /* ==================================================================== |
| 58 | * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. |
| 59 | * |
| 60 | * Redistribution and use in source and binary forms, with or without |
| 61 | * modification, are permitted provided that the following conditions |
| 62 | * are met: |
| 63 | * |
| 64 | * 1. Redistributions of source code must retain the above copyright |
| 65 | * notice, this list of conditions and the following disclaimer. |
| 66 | * |
| 67 | * 2. Redistributions in binary form must reproduce the above copyright |
| 68 | * notice, this list of conditions and the following disclaimer in |
| 69 | * the documentation and/or other materials provided with the |
| 70 | * distribution. |
| 71 | * |
| 72 | * 3. All advertising materials mentioning features or use of this |
| 73 | * software must display the following acknowledgment: |
| 74 | * "This product includes software developed by the OpenSSL Project |
| 75 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
| 76 | * |
| 77 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
| 78 | * endorse or promote products derived from this software without |
| 79 | * prior written permission. For written permission, please contact |
| 80 | * openssl-core@openssl.org. |
| 81 | * |
| 82 | * 5. Products derived from this software may not be called "OpenSSL" |
| 83 | * nor may "OpenSSL" appear in their names without prior written |
| 84 | * permission of the OpenSSL Project. |
| 85 | * |
| 86 | * 6. Redistributions of any form whatsoever must retain the following |
| 87 | * acknowledgment: |
| 88 | * "This product includes software developed by the OpenSSL Project |
| 89 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
| 90 | * |
| 91 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
| 92 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 93 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
| 94 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
| 95 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
| 96 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
| 97 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
| 98 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 99 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
| 100 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
| 101 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
| 102 | * OF THE POSSIBILITY OF SUCH DAMAGE. |
| 103 | * ==================================================================== |
| 104 | * |
| 105 | * This product includes cryptographic software written by Eric Young |
| 106 | * (eay@cryptsoft.com). This product includes software written by Tim |
| 107 | * Hudson (tjh@cryptsoft.com). */ |
| 108 | |
| 109 | #ifndef OPENSSL_HEADER_CRYPTO_INTERNAL_H |
| 110 | #define OPENSSL_HEADER_CRYPTO_INTERNAL_H |
| 111 | |
| 112 | #include <openssl/ex_data.h> |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 113 | #include <openssl/stack.h> |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 114 | #include <openssl/thread.h> |
| 115 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 116 | #include <assert.h> |
Robert Sloan | 69939df | 2017-01-09 10:53:07 -0800 | [diff] [blame] | 117 | #include <string.h> |
| 118 | |
Robert Sloan | 4c22c5f | 2019-03-01 15:53:37 -0800 | [diff] [blame] | 119 | #if defined(BORINGSSL_CONSTANT_TIME_VALIDATION) |
| 120 | #include <valgrind/memcheck.h> |
| 121 | #endif |
| 122 | |
Adam Vartanian | bfcf3a7 | 2018-08-10 14:55:24 +0100 | [diff] [blame] | 123 | #if !defined(__cplusplus) |
Robert Sloan | 5bdaadb | 2018-10-30 16:00:26 -0700 | [diff] [blame] | 124 | #if defined(_MSC_VER) |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 125 | #define alignas(x) __declspec(align(x)) |
| 126 | #define alignof __alignof |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 127 | #else |
| 128 | #include <stdalign.h> |
| 129 | #endif |
Robert Sloan | 2e9e66a | 2017-09-25 09:08:29 -0700 | [diff] [blame] | 130 | #endif |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 131 | |
Robert Sloan | f068def | 2018-10-10 18:45:40 -0700 | [diff] [blame] | 132 | #if defined(OPENSSL_THREADS) && \ |
David Benjamin | 7c0d06c | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 133 | (!defined(OPENSSL_WINDOWS) || defined(__MINGW32__)) |
| 134 | #include <pthread.h> |
| 135 | #define OPENSSL_PTHREADS |
| 136 | #endif |
| 137 | |
Robert Sloan | f068def | 2018-10-10 18:45:40 -0700 | [diff] [blame] | 138 | #if defined(OPENSSL_THREADS) && !defined(OPENSSL_PTHREADS) && \ |
David Benjamin | 7c0d06c | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 139 | defined(OPENSSL_WINDOWS) |
| 140 | #define OPENSSL_WINDOWS_THREADS |
David Benjamin | 6e899c7 | 2016-06-09 18:02:18 -0400 | [diff] [blame] | 141 | OPENSSL_MSVC_PRAGMA(warning(push, 3)) |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 142 | #include <windows.h> |
David Benjamin | 6e899c7 | 2016-06-09 18:02:18 -0400 | [diff] [blame] | 143 | OPENSSL_MSVC_PRAGMA(warning(pop)) |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 144 | #endif |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 145 | |
| 146 | #if defined(__cplusplus) |
| 147 | extern "C" { |
| 148 | #endif |
| 149 | |
| 150 | |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 151 | #if defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || defined(OPENSSL_ARM) || \ |
Steven Valdez | bb1ceac | 2016-10-07 10:34:51 -0400 | [diff] [blame] | 152 | defined(OPENSSL_AARCH64) || defined(OPENSSL_PPC64LE) |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 153 | // OPENSSL_cpuid_setup initializes the platform-specific feature cache. |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 154 | void OPENSSL_cpuid_setup(void); |
| 155 | #endif |
| 156 | |
Robert Sloan | c9abfe4 | 2018-11-26 12:19:07 -0800 | [diff] [blame] | 157 | #if (defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) && \ |
| 158 | !defined(OPENSSL_STATIC_ARMCAP) |
| 159 | // OPENSSL_get_armcap_pointer_for_test returns a pointer to |OPENSSL_armcap_P| |
| 160 | // for unit tests. Any modifications to the value must be made after |
| 161 | // |CRYPTO_library_init| but before any other function call in BoringSSL. |
| 162 | OPENSSL_EXPORT uint32_t *OPENSSL_get_armcap_pointer_for_test(void); |
| 163 | #endif |
| 164 | |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 165 | |
Robert Sloan | 5581810 | 2017-12-18 11:26:17 -0800 | [diff] [blame] | 166 | #if (!defined(_MSC_VER) || defined(__clang__)) && defined(OPENSSL_64_BIT) |
| 167 | #define BORINGSSL_HAS_UINT128 |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 168 | typedef __int128_t int128_t; |
| 169 | typedef __uint128_t uint128_t; |
Robert Sloan | 5581810 | 2017-12-18 11:26:17 -0800 | [diff] [blame] | 170 | |
| 171 | // clang-cl supports __uint128_t but modulus and division don't work. |
| 172 | // https://crbug.com/787617. |
| 173 | #if !defined(_MSC_VER) || !defined(__clang__) |
| 174 | #define BORINGSSL_CAN_DIVIDE_UINT128 |
| 175 | #endif |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 176 | #endif |
| 177 | |
David Benjamin | f0c4a6c | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 178 | #define OPENSSL_ARRAY_SIZE(array) (sizeof(array) / sizeof((array)[0])) |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 179 | |
Robert Sloan | 309a31e | 2018-01-29 10:22:47 -0800 | [diff] [blame] | 180 | // Have a generic fall-through for different versions of C/C++. |
| 181 | #if defined(__cplusplus) && __cplusplus >= 201703L |
| 182 | #define OPENSSL_FALLTHROUGH [[fallthrough]] |
| 183 | #elif defined(__cplusplus) && __cplusplus >= 201103L && defined(__clang__) |
| 184 | #define OPENSSL_FALLTHROUGH [[clang::fallthrough]] |
| 185 | #elif defined(__cplusplus) && __cplusplus >= 201103L && defined(__GNUC__) && \ |
| 186 | __GNUC__ >= 7 |
| 187 | #define OPENSSL_FALLTHROUGH [[gnu::fallthrough]] |
| 188 | #elif defined(__GNUC__) && __GNUC__ >= 7 // gcc 7 |
| 189 | #define OPENSSL_FALLTHROUGH __attribute__ ((fallthrough)) |
| 190 | #else // C++11 on gcc 6, and all other cases |
| 191 | #define OPENSSL_FALLTHROUGH |
| 192 | #endif |
| 193 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 194 | // buffers_alias returns one if |a| and |b| alias and zero otherwise. |
David Benjamin | 6e899c7 | 2016-06-09 18:02:18 -0400 | [diff] [blame] | 195 | static inline int buffers_alias(const uint8_t *a, size_t a_len, |
| 196 | const uint8_t *b, size_t b_len) { |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 197 | // Cast |a| and |b| to integers. In C, pointer comparisons between unrelated |
| 198 | // objects are undefined whereas pointer to integer conversions are merely |
| 199 | // implementation-defined. We assume the implementation defined it in a sane |
| 200 | // way. |
David Benjamin | 6e899c7 | 2016-06-09 18:02:18 -0400 | [diff] [blame] | 201 | uintptr_t a_u = (uintptr_t)a; |
| 202 | uintptr_t b_u = (uintptr_t)b; |
| 203 | return a_u + a_len > b_u && b_u + b_len > a_u; |
| 204 | } |
| 205 | |
| 206 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 207 | // Constant-time utility functions. |
| 208 | // |
| 209 | // The following methods return a bitmask of all ones (0xff...f) for true and 0 |
| 210 | // for false. This is useful for choosing a value based on the result of a |
| 211 | // conditional in constant time. For example, |
| 212 | // |
| 213 | // if (a < b) { |
| 214 | // c = a; |
| 215 | // } else { |
| 216 | // c = b; |
| 217 | // } |
| 218 | // |
| 219 | // can be written as |
| 220 | // |
| 221 | // crypto_word_t lt = constant_time_lt_w(a, b); |
| 222 | // c = constant_time_select_w(lt, a, b); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 223 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 224 | // crypto_word_t is the type that most constant-time functions use. Ideally we |
| 225 | // would like it to be |size_t|, but NaCl builds in 64-bit mode with 32-bit |
| 226 | // pointers, which means that |size_t| can be 32 bits when |BN_ULONG| is 64 |
| 227 | // bits. Since we want to be able to do constant-time operations on a |
| 228 | // |BN_ULONG|, |crypto_word_t| is defined as an unsigned value with the native |
| 229 | // word length. |
Robert Sloan | 9254e68 | 2017-04-24 09:42:06 -0700 | [diff] [blame] | 230 | #if defined(OPENSSL_64_BIT) |
| 231 | typedef uint64_t crypto_word_t; |
| 232 | #elif defined(OPENSSL_32_BIT) |
| 233 | typedef uint32_t crypto_word_t; |
| 234 | #else |
| 235 | #error "Must define either OPENSSL_32_BIT or OPENSSL_64_BIT" |
| 236 | #endif |
| 237 | |
| 238 | #define CONSTTIME_TRUE_W ~((crypto_word_t)0) |
| 239 | #define CONSTTIME_FALSE_W ((crypto_word_t)0) |
| 240 | #define CONSTTIME_TRUE_8 ((uint8_t)0xff) |
Robert Sloan | 6f79a50 | 2017-04-03 09:16:40 -0700 | [diff] [blame] | 241 | #define CONSTTIME_FALSE_8 ((uint8_t)0) |
| 242 | |
Pete Bentley | 0c61efe | 2019-08-13 09:32:23 +0100 | [diff] [blame^] | 243 | // value_barrier_w returns |a|, but prevents GCC and Clang from reasoning about |
| 244 | // the returned value. This is used to mitigate compilers undoing constant-time |
| 245 | // code, until we can express our requirements directly in the language. |
| 246 | // |
| 247 | // Note the compiler is aware that |value_barrier_w| has no side effects and |
| 248 | // always has the same output for a given input. This allows it to eliminate |
| 249 | // dead code, move computations across loops, and vectorize. |
| 250 | static inline crypto_word_t value_barrier_w(crypto_word_t a) { |
| 251 | #if !defined(OPENSSL_NO_ASM) && (defined(__GNUC__) || defined(__clang__)) |
| 252 | __asm__("" : "+r"(a) : /* no inputs */); |
| 253 | #endif |
| 254 | return a; |
| 255 | } |
| 256 | |
| 257 | // value_barrier_u32 behaves like |value_barrier_w| but takes a |uint32_t|. |
| 258 | static inline uint32_t value_barrier_u32(uint32_t a) { |
| 259 | #if !defined(OPENSSL_NO_ASM) && (defined(__GNUC__) || defined(__clang__)) |
| 260 | __asm__("" : "+r"(a) : /* no inputs */); |
| 261 | #endif |
| 262 | return a; |
| 263 | } |
| 264 | |
| 265 | // value_barrier_u64 behaves like |value_barrier_w| but takes a |uint64_t|. |
| 266 | static inline uint64_t value_barrier_u64(uint64_t a) { |
| 267 | #if !defined(OPENSSL_NO_ASM) && (defined(__GNUC__) || defined(__clang__)) |
| 268 | __asm__("" : "+r"(a) : /* no inputs */); |
| 269 | #endif |
| 270 | return a; |
| 271 | } |
| 272 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 273 | // constant_time_msb_w returns the given value with the MSB copied to all the |
| 274 | // other bits. |
Robert Sloan | 9254e68 | 2017-04-24 09:42:06 -0700 | [diff] [blame] | 275 | static inline crypto_word_t constant_time_msb_w(crypto_word_t a) { |
Robert Sloan | 6f79a50 | 2017-04-03 09:16:40 -0700 | [diff] [blame] | 276 | return 0u - (a >> (sizeof(a) * 8 - 1)); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 277 | } |
| 278 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 279 | // constant_time_lt_w returns 0xff..f if a < b and 0 otherwise. |
Robert Sloan | 9254e68 | 2017-04-24 09:42:06 -0700 | [diff] [blame] | 280 | static inline crypto_word_t constant_time_lt_w(crypto_word_t a, |
| 281 | crypto_word_t b) { |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 282 | // Consider the two cases of the problem: |
| 283 | // msb(a) == msb(b): a < b iff the MSB of a - b is set. |
| 284 | // msb(a) != msb(b): a < b iff the MSB of b is set. |
| 285 | // |
| 286 | // If msb(a) == msb(b) then the following evaluates as: |
| 287 | // msb(a^((a^b)|((a-b)^a))) == |
| 288 | // msb(a^((a-b) ^ a)) == (because msb(a^b) == 0) |
| 289 | // msb(a^a^(a-b)) == (rearranging) |
| 290 | // msb(a-b) (because ∀x. x^x == 0) |
| 291 | // |
| 292 | // Else, if msb(a) != msb(b) then the following evaluates as: |
| 293 | // msb(a^((a^b)|((a-b)^a))) == |
| 294 | // msb(a^(𝟙 | ((a-b)^a))) == (because msb(a^b) == 1 and 𝟙 |
| 295 | // represents a value s.t. msb(𝟙) = 1) |
| 296 | // msb(a^𝟙) == (because ORing with 1 results in 1) |
| 297 | // msb(b) |
| 298 | // |
| 299 | // |
| 300 | // Here is an SMT-LIB verification of this formula: |
| 301 | // |
| 302 | // (define-fun lt ((a (_ BitVec 32)) (b (_ BitVec 32))) (_ BitVec 32) |
| 303 | // (bvxor a (bvor (bvxor a b) (bvxor (bvsub a b) a))) |
| 304 | // ) |
| 305 | // |
| 306 | // (declare-fun a () (_ BitVec 32)) |
| 307 | // (declare-fun b () (_ BitVec 32)) |
| 308 | // |
| 309 | // (assert (not (= (= #x00000001 (bvlshr (lt a b) #x0000001f)) (bvult a b)))) |
| 310 | // (check-sat) |
| 311 | // (get-model) |
Robert Sloan | 9254e68 | 2017-04-24 09:42:06 -0700 | [diff] [blame] | 312 | return constant_time_msb_w(a^((a^b)|((a-b)^a))); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 313 | } |
| 314 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 315 | // constant_time_lt_8 acts like |constant_time_lt_w| but returns an 8-bit |
| 316 | // mask. |
Robert Sloan | 9254e68 | 2017-04-24 09:42:06 -0700 | [diff] [blame] | 317 | static inline uint8_t constant_time_lt_8(crypto_word_t a, crypto_word_t b) { |
| 318 | return (uint8_t)(constant_time_lt_w(a, b)); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 319 | } |
| 320 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 321 | // constant_time_ge_w returns 0xff..f if a >= b and 0 otherwise. |
Robert Sloan | 9254e68 | 2017-04-24 09:42:06 -0700 | [diff] [blame] | 322 | static inline crypto_word_t constant_time_ge_w(crypto_word_t a, |
| 323 | crypto_word_t b) { |
| 324 | return ~constant_time_lt_w(a, b); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 325 | } |
| 326 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 327 | // constant_time_ge_8 acts like |constant_time_ge_w| but returns an 8-bit |
| 328 | // mask. |
Robert Sloan | 9254e68 | 2017-04-24 09:42:06 -0700 | [diff] [blame] | 329 | static inline uint8_t constant_time_ge_8(crypto_word_t a, crypto_word_t b) { |
| 330 | return (uint8_t)(constant_time_ge_w(a, b)); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 331 | } |
| 332 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 333 | // constant_time_is_zero returns 0xff..f if a == 0 and 0 otherwise. |
Robert Sloan | 9254e68 | 2017-04-24 09:42:06 -0700 | [diff] [blame] | 334 | static inline crypto_word_t constant_time_is_zero_w(crypto_word_t a) { |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 335 | // Here is an SMT-LIB verification of this formula: |
| 336 | // |
| 337 | // (define-fun is_zero ((a (_ BitVec 32))) (_ BitVec 32) |
| 338 | // (bvand (bvnot a) (bvsub a #x00000001)) |
| 339 | // ) |
| 340 | // |
| 341 | // (declare-fun a () (_ BitVec 32)) |
| 342 | // |
| 343 | // (assert (not (= (= #x00000001 (bvlshr (is_zero a) #x0000001f)) (= a #x00000000)))) |
| 344 | // (check-sat) |
| 345 | // (get-model) |
Robert Sloan | 9254e68 | 2017-04-24 09:42:06 -0700 | [diff] [blame] | 346 | return constant_time_msb_w(~a & (a - 1)); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 347 | } |
| 348 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 349 | // constant_time_is_zero_8 acts like |constant_time_is_zero_w| but returns an |
| 350 | // 8-bit mask. |
Robert Sloan | 9254e68 | 2017-04-24 09:42:06 -0700 | [diff] [blame] | 351 | static inline uint8_t constant_time_is_zero_8(crypto_word_t a) { |
| 352 | return (uint8_t)(constant_time_is_zero_w(a)); |
Robert Sloan | 6f79a50 | 2017-04-03 09:16:40 -0700 | [diff] [blame] | 353 | } |
| 354 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 355 | // constant_time_eq_w returns 0xff..f if a == b and 0 otherwise. |
Robert Sloan | 9254e68 | 2017-04-24 09:42:06 -0700 | [diff] [blame] | 356 | static inline crypto_word_t constant_time_eq_w(crypto_word_t a, |
| 357 | crypto_word_t b) { |
| 358 | return constant_time_is_zero_w(a ^ b); |
Robert Sloan | 6f79a50 | 2017-04-03 09:16:40 -0700 | [diff] [blame] | 359 | } |
| 360 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 361 | // constant_time_eq_8 acts like |constant_time_eq_w| but returns an 8-bit |
| 362 | // mask. |
Robert Sloan | 9254e68 | 2017-04-24 09:42:06 -0700 | [diff] [blame] | 363 | static inline uint8_t constant_time_eq_8(crypto_word_t a, crypto_word_t b) { |
| 364 | return (uint8_t)(constant_time_eq_w(a, b)); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 365 | } |
| 366 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 367 | // constant_time_eq_int acts like |constant_time_eq_w| but works on int |
| 368 | // values. |
Robert Sloan | 9254e68 | 2017-04-24 09:42:06 -0700 | [diff] [blame] | 369 | static inline crypto_word_t constant_time_eq_int(int a, int b) { |
| 370 | return constant_time_eq_w((crypto_word_t)(a), (crypto_word_t)(b)); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 371 | } |
| 372 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 373 | // constant_time_eq_int_8 acts like |constant_time_eq_int| but returns an 8-bit |
| 374 | // mask. |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 375 | static inline uint8_t constant_time_eq_int_8(int a, int b) { |
Robert Sloan | 9254e68 | 2017-04-24 09:42:06 -0700 | [diff] [blame] | 376 | return constant_time_eq_8((crypto_word_t)(a), (crypto_word_t)(b)); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 377 | } |
| 378 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 379 | // constant_time_select_w returns (mask & a) | (~mask & b). When |mask| is all |
| 380 | // 1s or all 0s (as returned by the methods above), the select methods return |
| 381 | // either |a| (if |mask| is nonzero) or |b| (if |mask| is zero). |
Robert Sloan | 9254e68 | 2017-04-24 09:42:06 -0700 | [diff] [blame] | 382 | static inline crypto_word_t constant_time_select_w(crypto_word_t mask, |
| 383 | crypto_word_t a, |
| 384 | crypto_word_t b) { |
Pete Bentley | 0c61efe | 2019-08-13 09:32:23 +0100 | [diff] [blame^] | 385 | // Clang recognizes this pattern as a select. While it usually transforms it |
| 386 | // to a cmov, it sometimes further transforms it into a branch, which we do |
| 387 | // not want. |
| 388 | // |
| 389 | // Adding barriers to both |mask| and |~mask| breaks the relationship between |
| 390 | // the two, which makes the compiler stick with bitmasks. |
| 391 | return (value_barrier_w(mask) & a) | (value_barrier_w(~mask) & b); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 392 | } |
| 393 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 394 | // constant_time_select_8 acts like |constant_time_select| but operates on |
| 395 | // 8-bit values. |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 396 | static inline uint8_t constant_time_select_8(uint8_t mask, uint8_t a, |
| 397 | uint8_t b) { |
Robert Sloan | 9254e68 | 2017-04-24 09:42:06 -0700 | [diff] [blame] | 398 | return (uint8_t)(constant_time_select_w(mask, a, b)); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 399 | } |
| 400 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 401 | // constant_time_select_int acts like |constant_time_select| but operates on |
| 402 | // ints. |
Robert Sloan | 9254e68 | 2017-04-24 09:42:06 -0700 | [diff] [blame] | 403 | static inline int constant_time_select_int(crypto_word_t mask, int a, int b) { |
| 404 | return (int)(constant_time_select_w(mask, (crypto_word_t)(a), |
| 405 | (crypto_word_t)(b))); |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 406 | } |
| 407 | |
Robert Sloan | 4c22c5f | 2019-03-01 15:53:37 -0800 | [diff] [blame] | 408 | #if defined(BORINGSSL_CONSTANT_TIME_VALIDATION) |
| 409 | |
| 410 | // CONSTTIME_SECRET takes a pointer and a number of bytes and marks that region |
| 411 | // of memory as secret. Secret data is tracked as it flows to registers and |
| 412 | // other parts of a memory. If secret data is used as a condition for a branch, |
| 413 | // or as a memory index, it will trigger warnings in valgrind. |
| 414 | #define CONSTTIME_SECRET(x, y) VALGRIND_MAKE_MEM_UNDEFINED(x, y) |
| 415 | |
| 416 | // CONSTTIME_DECLASSIFY takes a pointer and a number of bytes and marks that |
| 417 | // region of memory as public. Public data is not subject to constant-time |
| 418 | // rules. |
| 419 | #define CONSTTIME_DECLASSIFY(x, y) VALGRIND_MAKE_MEM_DEFINED(x, y) |
| 420 | |
| 421 | #else |
| 422 | |
| 423 | #define CONSTTIME_SECRET(x, y) |
| 424 | #define CONSTTIME_DECLASSIFY(x, y) |
| 425 | |
| 426 | #endif // BORINGSSL_CONSTANT_TIME_VALIDATION |
| 427 | |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 428 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 429 | // Thread-safe initialisation. |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 430 | |
Robert Sloan | f068def | 2018-10-10 18:45:40 -0700 | [diff] [blame] | 431 | #if !defined(OPENSSL_THREADS) |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 432 | typedef uint32_t CRYPTO_once_t; |
| 433 | #define CRYPTO_ONCE_INIT 0 |
David Benjamin | 7c0d06c | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 434 | #elif defined(OPENSSL_WINDOWS_THREADS) |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 435 | typedef INIT_ONCE CRYPTO_once_t; |
| 436 | #define CRYPTO_ONCE_INIT INIT_ONCE_STATIC_INIT |
David Benjamin | 7c0d06c | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 437 | #elif defined(OPENSSL_PTHREADS) |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 438 | typedef pthread_once_t CRYPTO_once_t; |
| 439 | #define CRYPTO_ONCE_INIT PTHREAD_ONCE_INIT |
David Benjamin | 7c0d06c | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 440 | #else |
| 441 | #error "Unknown threading library" |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 442 | #endif |
| 443 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 444 | // CRYPTO_once calls |init| exactly once per process. This is thread-safe: if |
| 445 | // concurrent threads call |CRYPTO_once| with the same |CRYPTO_once_t| argument |
| 446 | // then they will block until |init| completes, but |init| will have only been |
| 447 | // called once. |
| 448 | // |
| 449 | // The |once| argument must be a |CRYPTO_once_t| that has been initialised with |
| 450 | // the value |CRYPTO_ONCE_INIT|. |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 451 | OPENSSL_EXPORT void CRYPTO_once(CRYPTO_once_t *once, void (*init)(void)); |
| 452 | |
| 453 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 454 | // Reference counting. |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 455 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 456 | // CRYPTO_REFCOUNT_MAX is the value at which the reference count saturates. |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 457 | #define CRYPTO_REFCOUNT_MAX 0xffffffff |
| 458 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 459 | // CRYPTO_refcount_inc atomically increments the value at |*count| unless the |
| 460 | // value would overflow. It's safe for multiple threads to concurrently call |
| 461 | // this or |CRYPTO_refcount_dec_and_test_zero| on the same |
| 462 | // |CRYPTO_refcount_t|. |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 463 | OPENSSL_EXPORT void CRYPTO_refcount_inc(CRYPTO_refcount_t *count); |
| 464 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 465 | // CRYPTO_refcount_dec_and_test_zero tests the value at |*count|: |
| 466 | // if it's zero, it crashes the address space. |
| 467 | // if it's the maximum value, it returns zero. |
| 468 | // otherwise, it atomically decrements it and returns one iff the resulting |
| 469 | // value is zero. |
| 470 | // |
| 471 | // It's safe for multiple threads to concurrently call this or |
| 472 | // |CRYPTO_refcount_inc| on the same |CRYPTO_refcount_t|. |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 473 | OPENSSL_EXPORT int CRYPTO_refcount_dec_and_test_zero(CRYPTO_refcount_t *count); |
| 474 | |
| 475 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 476 | // Locks. |
| 477 | // |
| 478 | // Two types of locks are defined: |CRYPTO_MUTEX|, which can be used in |
| 479 | // structures as normal, and |struct CRYPTO_STATIC_MUTEX|, which can be used as |
| 480 | // a global lock. A global lock must be initialised to the value |
| 481 | // |CRYPTO_STATIC_MUTEX_INIT|. |
| 482 | // |
| 483 | // |CRYPTO_MUTEX| can appear in public structures and so is defined in |
| 484 | // thread.h as a structure large enough to fit the real type. The global lock is |
| 485 | // a different type so it may be initialized with platform initializer macros. |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 486 | |
Robert Sloan | f068def | 2018-10-10 18:45:40 -0700 | [diff] [blame] | 487 | #if !defined(OPENSSL_THREADS) |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 488 | struct CRYPTO_STATIC_MUTEX { |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 489 | char padding; // Empty structs have different sizes in C and C++. |
David Benjamin | 4969cc9 | 2016-04-22 15:02:23 -0400 | [diff] [blame] | 490 | }; |
| 491 | #define CRYPTO_STATIC_MUTEX_INIT { 0 } |
David Benjamin | 7c0d06c | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 492 | #elif defined(OPENSSL_WINDOWS_THREADS) |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 493 | struct CRYPTO_STATIC_MUTEX { |
David Benjamin | d316cba | 2016-06-02 16:17:39 -0400 | [diff] [blame] | 494 | SRWLOCK lock; |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 495 | }; |
David Benjamin | d316cba | 2016-06-02 16:17:39 -0400 | [diff] [blame] | 496 | #define CRYPTO_STATIC_MUTEX_INIT { SRWLOCK_INIT } |
David Benjamin | 7c0d06c | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 497 | #elif defined(OPENSSL_PTHREADS) |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 498 | struct CRYPTO_STATIC_MUTEX { |
| 499 | pthread_rwlock_t lock; |
| 500 | }; |
| 501 | #define CRYPTO_STATIC_MUTEX_INIT { PTHREAD_RWLOCK_INITIALIZER } |
David Benjamin | 7c0d06c | 2016-08-11 13:26:41 -0400 | [diff] [blame] | 502 | #else |
| 503 | #error "Unknown threading library" |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 504 | #endif |
| 505 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 506 | // CRYPTO_MUTEX_init initialises |lock|. If |lock| is a static variable, use a |
| 507 | // |CRYPTO_STATIC_MUTEX|. |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 508 | OPENSSL_EXPORT void CRYPTO_MUTEX_init(CRYPTO_MUTEX *lock); |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 509 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 510 | // CRYPTO_MUTEX_lock_read locks |lock| such that other threads may also have a |
| 511 | // read lock, but none may have a write lock. |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 512 | OPENSSL_EXPORT void CRYPTO_MUTEX_lock_read(CRYPTO_MUTEX *lock); |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 513 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 514 | // CRYPTO_MUTEX_lock_write locks |lock| such that no other thread has any type |
| 515 | // of lock on it. |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 516 | OPENSSL_EXPORT void CRYPTO_MUTEX_lock_write(CRYPTO_MUTEX *lock); |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 517 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 518 | // CRYPTO_MUTEX_unlock_read unlocks |lock| for reading. |
David Benjamin | d316cba | 2016-06-02 16:17:39 -0400 | [diff] [blame] | 519 | OPENSSL_EXPORT void CRYPTO_MUTEX_unlock_read(CRYPTO_MUTEX *lock); |
| 520 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 521 | // CRYPTO_MUTEX_unlock_write unlocks |lock| for writing. |
David Benjamin | d316cba | 2016-06-02 16:17:39 -0400 | [diff] [blame] | 522 | OPENSSL_EXPORT void CRYPTO_MUTEX_unlock_write(CRYPTO_MUTEX *lock); |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 523 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 524 | // CRYPTO_MUTEX_cleanup releases all resources held by |lock|. |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 525 | OPENSSL_EXPORT void CRYPTO_MUTEX_cleanup(CRYPTO_MUTEX *lock); |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 526 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 527 | // CRYPTO_STATIC_MUTEX_lock_read locks |lock| such that other threads may also |
| 528 | // have a read lock, but none may have a write lock. The |lock| variable does |
| 529 | // not need to be initialised by any function, but must have been statically |
| 530 | // initialised with |CRYPTO_STATIC_MUTEX_INIT|. |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 531 | OPENSSL_EXPORT void CRYPTO_STATIC_MUTEX_lock_read( |
| 532 | struct CRYPTO_STATIC_MUTEX *lock); |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 533 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 534 | // CRYPTO_STATIC_MUTEX_lock_write locks |lock| such that no other thread has |
| 535 | // any type of lock on it. The |lock| variable does not need to be initialised |
| 536 | // by any function, but must have been statically initialised with |
| 537 | // |CRYPTO_STATIC_MUTEX_INIT|. |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 538 | OPENSSL_EXPORT void CRYPTO_STATIC_MUTEX_lock_write( |
| 539 | struct CRYPTO_STATIC_MUTEX *lock); |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 540 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 541 | // CRYPTO_STATIC_MUTEX_unlock_read unlocks |lock| for reading. |
David Benjamin | d316cba | 2016-06-02 16:17:39 -0400 | [diff] [blame] | 542 | OPENSSL_EXPORT void CRYPTO_STATIC_MUTEX_unlock_read( |
| 543 | struct CRYPTO_STATIC_MUTEX *lock); |
| 544 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 545 | // CRYPTO_STATIC_MUTEX_unlock_write unlocks |lock| for writing. |
David Benjamin | d316cba | 2016-06-02 16:17:39 -0400 | [diff] [blame] | 546 | OPENSSL_EXPORT void CRYPTO_STATIC_MUTEX_unlock_write( |
Adam Langley | f4e4272 | 2015-06-04 17:45:09 -0700 | [diff] [blame] | 547 | struct CRYPTO_STATIC_MUTEX *lock); |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 548 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 549 | #if defined(__cplusplus) |
| 550 | extern "C++" { |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 551 | |
Robert Sloan | 726e9d1 | 2018-09-11 11:45:04 -0700 | [diff] [blame] | 552 | BSSL_NAMESPACE_BEGIN |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 553 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 554 | namespace internal { |
| 555 | |
| 556 | // MutexLockBase is a RAII helper for CRYPTO_MUTEX locking. |
| 557 | template <void (*LockFunc)(CRYPTO_MUTEX *), void (*ReleaseFunc)(CRYPTO_MUTEX *)> |
| 558 | class MutexLockBase { |
| 559 | public: |
| 560 | explicit MutexLockBase(CRYPTO_MUTEX *mu) : mu_(mu) { |
| 561 | assert(mu_ != nullptr); |
| 562 | LockFunc(mu_); |
| 563 | } |
| 564 | ~MutexLockBase() { ReleaseFunc(mu_); } |
| 565 | MutexLockBase(const MutexLockBase<LockFunc, ReleaseFunc> &) = delete; |
| 566 | MutexLockBase &operator=(const MutexLockBase<LockFunc, ReleaseFunc> &) = |
| 567 | delete; |
| 568 | |
| 569 | private: |
| 570 | CRYPTO_MUTEX *const mu_; |
| 571 | }; |
| 572 | |
| 573 | } // namespace internal |
| 574 | |
| 575 | using MutexWriteLock = |
| 576 | internal::MutexLockBase<CRYPTO_MUTEX_lock_write, CRYPTO_MUTEX_unlock_write>; |
| 577 | using MutexReadLock = |
| 578 | internal::MutexLockBase<CRYPTO_MUTEX_lock_read, CRYPTO_MUTEX_unlock_read>; |
| 579 | |
Robert Sloan | 726e9d1 | 2018-09-11 11:45:04 -0700 | [diff] [blame] | 580 | BSSL_NAMESPACE_END |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 581 | |
| 582 | } // extern "C++" |
| 583 | #endif // defined(__cplusplus) |
| 584 | |
| 585 | |
| 586 | // Thread local storage. |
| 587 | |
| 588 | // thread_local_data_t enumerates the types of thread-local data that can be |
| 589 | // stored. |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 590 | typedef enum { |
| 591 | OPENSSL_THREAD_LOCAL_ERR = 0, |
Robert Sloan | 4c22c5f | 2019-03-01 15:53:37 -0800 | [diff] [blame] | 592 | OPENSSL_THREAD_LOCAL_RAND, |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 593 | OPENSSL_THREAD_LOCAL_TEST, |
| 594 | NUM_OPENSSL_THREAD_LOCALS, |
| 595 | } thread_local_data_t; |
| 596 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 597 | // thread_local_destructor_t is the type of a destructor function that will be |
| 598 | // called when a thread exits and its thread-local storage needs to be freed. |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 599 | typedef void (*thread_local_destructor_t)(void *); |
| 600 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 601 | // CRYPTO_get_thread_local gets the pointer value that is stored for the |
| 602 | // current thread for the given index, or NULL if none has been set. |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 603 | OPENSSL_EXPORT void *CRYPTO_get_thread_local(thread_local_data_t value); |
| 604 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 605 | // CRYPTO_set_thread_local sets a pointer value for the current thread at the |
| 606 | // given index. This function should only be called once per thread for a given |
| 607 | // |index|: rather than update the pointer value itself, update the data that |
| 608 | // is pointed to. |
| 609 | // |
| 610 | // The destructor function will be called when a thread exits to free this |
| 611 | // thread-local data. All calls to |CRYPTO_set_thread_local| with the same |
| 612 | // |index| should have the same |destructor| argument. The destructor may be |
| 613 | // called with a NULL argument if a thread that never set a thread-local |
| 614 | // pointer for |index|, exits. The destructor may be called concurrently with |
| 615 | // different arguments. |
| 616 | // |
| 617 | // This function returns one on success or zero on error. If it returns zero |
| 618 | // then |destructor| has been called with |value| already. |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 619 | OPENSSL_EXPORT int CRYPTO_set_thread_local( |
| 620 | thread_local_data_t index, void *value, |
| 621 | thread_local_destructor_t destructor); |
| 622 | |
| 623 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 624 | // ex_data |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 625 | |
| 626 | typedef struct crypto_ex_data_func_st CRYPTO_EX_DATA_FUNCS; |
| 627 | |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 628 | DECLARE_STACK_OF(CRYPTO_EX_DATA_FUNCS) |
| 629 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 630 | // CRYPTO_EX_DATA_CLASS tracks the ex_indices registered for a type which |
| 631 | // supports ex_data. It should defined as a static global within the module |
| 632 | // which defines that type. |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 633 | typedef struct { |
| 634 | struct CRYPTO_STATIC_MUTEX lock; |
| 635 | STACK_OF(CRYPTO_EX_DATA_FUNCS) *meth; |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 636 | // num_reserved is one if the ex_data index zero is reserved for legacy |
| 637 | // |TYPE_get_app_data| functions. |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 638 | uint8_t num_reserved; |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 639 | } CRYPTO_EX_DATA_CLASS; |
| 640 | |
Kenny Root | b849459 | 2015-09-25 02:29:14 +0000 | [diff] [blame] | 641 | #define CRYPTO_EX_DATA_CLASS_INIT {CRYPTO_STATIC_MUTEX_INIT, NULL, 0} |
| 642 | #define CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA \ |
| 643 | {CRYPTO_STATIC_MUTEX_INIT, NULL, 1} |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 644 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 645 | // CRYPTO_get_ex_new_index allocates a new index for |ex_data_class| and writes |
| 646 | // it to |*out_index|. Each class of object should provide a wrapper function |
| 647 | // that uses the correct |CRYPTO_EX_DATA_CLASS|. It returns one on success and |
| 648 | // zero otherwise. |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 649 | OPENSSL_EXPORT int CRYPTO_get_ex_new_index(CRYPTO_EX_DATA_CLASS *ex_data_class, |
| 650 | int *out_index, long argl, |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 651 | void *argp, |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 652 | CRYPTO_EX_free *free_func); |
| 653 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 654 | // CRYPTO_set_ex_data sets an extra data pointer on a given object. Each class |
| 655 | // of object should provide a wrapper function. |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 656 | OPENSSL_EXPORT int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int index, void *val); |
| 657 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 658 | // CRYPTO_get_ex_data returns an extra data pointer for a given object, or NULL |
| 659 | // if no such index exists. Each class of object should provide a wrapper |
| 660 | // function. |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 661 | OPENSSL_EXPORT void *CRYPTO_get_ex_data(const CRYPTO_EX_DATA *ad, int index); |
| 662 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 663 | // CRYPTO_new_ex_data initialises a newly allocated |CRYPTO_EX_DATA|. |
Adam Langley | 4139edb | 2016-01-13 15:00:54 -0800 | [diff] [blame] | 664 | OPENSSL_EXPORT void CRYPTO_new_ex_data(CRYPTO_EX_DATA *ad); |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 665 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 666 | // CRYPTO_free_ex_data frees |ad|, which is embedded inside |obj|, which is an |
| 667 | // object of the given class. |
Adam Langley | e9ada86 | 2015-05-11 17:20:37 -0700 | [diff] [blame] | 668 | OPENSSL_EXPORT void CRYPTO_free_ex_data(CRYPTO_EX_DATA_CLASS *ex_data_class, |
| 669 | void *obj, CRYPTO_EX_DATA *ad); |
| 670 | |
| 671 | |
Robert Sloan | 0da4395 | 2018-01-03 15:13:14 -0800 | [diff] [blame] | 672 | // Endianness conversions. |
| 673 | |
| 674 | #if defined(__GNUC__) && __GNUC__ >= 2 |
| 675 | static inline uint32_t CRYPTO_bswap4(uint32_t x) { |
| 676 | return __builtin_bswap32(x); |
| 677 | } |
| 678 | |
| 679 | static inline uint64_t CRYPTO_bswap8(uint64_t x) { |
| 680 | return __builtin_bswap64(x); |
| 681 | } |
| 682 | #elif defined(_MSC_VER) |
| 683 | OPENSSL_MSVC_PRAGMA(warning(push, 3)) |
Robert Sloan | 4c22c5f | 2019-03-01 15:53:37 -0800 | [diff] [blame] | 684 | #include <stdlib.h> |
Robert Sloan | 0da4395 | 2018-01-03 15:13:14 -0800 | [diff] [blame] | 685 | OPENSSL_MSVC_PRAGMA(warning(pop)) |
| 686 | #pragma intrinsic(_byteswap_uint64, _byteswap_ulong) |
| 687 | static inline uint32_t CRYPTO_bswap4(uint32_t x) { |
| 688 | return _byteswap_ulong(x); |
| 689 | } |
| 690 | |
| 691 | static inline uint64_t CRYPTO_bswap8(uint64_t x) { |
| 692 | return _byteswap_uint64(x); |
| 693 | } |
| 694 | #else |
| 695 | static inline uint32_t CRYPTO_bswap4(uint32_t x) { |
| 696 | x = (x >> 16) | (x << 16); |
| 697 | x = ((x & 0xff00ff00) >> 8) | ((x & 0x00ff00ff) << 8); |
| 698 | return x; |
| 699 | } |
| 700 | |
| 701 | static inline uint64_t CRYPTO_bswap8(uint64_t x) { |
| 702 | return CRYPTO_bswap4(x >> 32) | (((uint64_t)CRYPTO_bswap4(x)) << 32); |
| 703 | } |
| 704 | #endif |
| 705 | |
| 706 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 707 | // Language bug workarounds. |
| 708 | // |
| 709 | // Most C standard library functions are undefined if passed NULL, even when the |
| 710 | // corresponding length is zero. This gives them (and, in turn, all functions |
| 711 | // which call them) surprising behavior on empty arrays. Some compilers will |
| 712 | // miscompile code due to this rule. See also |
| 713 | // https://www.imperialviolet.org/2016/06/26/nonnull.html |
| 714 | // |
| 715 | // These wrapper functions behave the same as the corresponding C standard |
| 716 | // functions, but behave as expected when passed NULL if the length is zero. |
| 717 | // |
| 718 | // Note |OPENSSL_memcmp| is a different function from |CRYPTO_memcmp|. |
Robert Sloan | 69939df | 2017-01-09 10:53:07 -0800 | [diff] [blame] | 719 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 720 | // C++ defines |memchr| as a const-correct overload. |
Robert Sloan | 69939df | 2017-01-09 10:53:07 -0800 | [diff] [blame] | 721 | #if defined(__cplusplus) |
| 722 | extern "C++" { |
| 723 | |
| 724 | static inline const void *OPENSSL_memchr(const void *s, int c, size_t n) { |
| 725 | if (n == 0) { |
| 726 | return NULL; |
| 727 | } |
| 728 | |
| 729 | return memchr(s, c, n); |
| 730 | } |
| 731 | |
| 732 | static inline void *OPENSSL_memchr(void *s, int c, size_t n) { |
| 733 | if (n == 0) { |
| 734 | return NULL; |
| 735 | } |
| 736 | |
| 737 | return memchr(s, c, n); |
| 738 | } |
| 739 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 740 | } // extern "C++" |
| 741 | #else // __cplusplus |
Robert Sloan | 69939df | 2017-01-09 10:53:07 -0800 | [diff] [blame] | 742 | |
| 743 | static inline void *OPENSSL_memchr(const void *s, int c, size_t n) { |
| 744 | if (n == 0) { |
| 745 | return NULL; |
| 746 | } |
| 747 | |
| 748 | return memchr(s, c, n); |
| 749 | } |
| 750 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 751 | #endif // __cplusplus |
Robert Sloan | 69939df | 2017-01-09 10:53:07 -0800 | [diff] [blame] | 752 | |
| 753 | static inline int OPENSSL_memcmp(const void *s1, const void *s2, size_t n) { |
| 754 | if (n == 0) { |
| 755 | return 0; |
| 756 | } |
| 757 | |
| 758 | return memcmp(s1, s2, n); |
| 759 | } |
| 760 | |
| 761 | static inline void *OPENSSL_memcpy(void *dst, const void *src, size_t n) { |
| 762 | if (n == 0) { |
| 763 | return dst; |
| 764 | } |
| 765 | |
| 766 | return memcpy(dst, src, n); |
| 767 | } |
| 768 | |
| 769 | static inline void *OPENSSL_memmove(void *dst, const void *src, size_t n) { |
| 770 | if (n == 0) { |
| 771 | return dst; |
| 772 | } |
| 773 | |
| 774 | return memmove(dst, src, n); |
| 775 | } |
| 776 | |
| 777 | static inline void *OPENSSL_memset(void *dst, int c, size_t n) { |
| 778 | if (n == 0) { |
| 779 | return dst; |
| 780 | } |
| 781 | |
| 782 | return memset(dst, c, n); |
| 783 | } |
| 784 | |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 785 | #if defined(BORINGSSL_FIPS) |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 786 | // BORINGSSL_FIPS_abort is called when a FIPS power-on or continuous test |
| 787 | // fails. It prevents any further cryptographic operations by the current |
| 788 | // process. |
Robert Sloan | 8ff0355 | 2017-06-14 12:40:58 -0700 | [diff] [blame] | 789 | void BORINGSSL_FIPS_abort(void) __attribute__((noreturn)); |
| 790 | #endif |
Robert Sloan | 69939df | 2017-01-09 10:53:07 -0800 | [diff] [blame] | 791 | |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 792 | #if defined(__cplusplus) |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 793 | } // extern C |
Adam Langley | d9e397b | 2015-01-22 14:27:53 -0800 | [diff] [blame] | 794 | #endif |
| 795 | |
Robert Sloan | 8f860b1 | 2017-08-28 07:37:06 -0700 | [diff] [blame] | 796 | #endif // OPENSSL_HEADER_CRYPTO_INTERNAL_H |