8419f769c7
Also fix Valgrind regression with constant-time code
535 lines
19 KiB
Diff
535 lines
19 KiB
Diff
diff -up openssl-1.1.1c/crypto/dsa/dsa_ameth.c.sync openssl-1.1.1c/crypto/dsa/dsa_ameth.c
|
|
--- openssl-1.1.1c/crypto/dsa/dsa_ameth.c.sync 2019-05-28 15:12:21.000000000 +0200
|
|
+++ openssl-1.1.1c/crypto/dsa/dsa_ameth.c 2019-05-29 17:10:39.768187283 +0200
|
|
@@ -503,7 +503,7 @@ static int dsa_pkey_ctrl(EVP_PKEY *pkey,
|
|
|
|
case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
|
|
*(int *)arg2 = NID_sha256;
|
|
- return 2;
|
|
+ return 1;
|
|
|
|
default:
|
|
return -2;
|
|
diff -up openssl-1.1.1c/crypto/err/err.c.sync openssl-1.1.1c/crypto/err/err.c
|
|
--- openssl-1.1.1c/crypto/err/err.c.sync 2019-05-28 15:12:21.000000000 +0200
|
|
+++ openssl-1.1.1c/crypto/err/err.c 2019-05-29 17:07:13.345793792 +0200
|
|
@@ -184,8 +184,8 @@ static ERR_STRING_DATA *int_err_get_item
|
|
}
|
|
|
|
#ifndef OPENSSL_NO_ERR
|
|
-/* A measurement on Linux 2018-11-21 showed about 3.5kib */
|
|
-# define SPACE_SYS_STR_REASONS 4 * 1024
|
|
+/* 2019-05-21: Russian and Ukrainian locales on Linux require more than 6,5 kB */
|
|
+# define SPACE_SYS_STR_REASONS 8 * 1024
|
|
# define NUM_SYS_STR_REASONS 127
|
|
|
|
static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1];
|
|
@@ -219,21 +219,23 @@ static void build_SYS_str_reasons(void)
|
|
ERR_STRING_DATA *str = &SYS_str_reasons[i - 1];
|
|
|
|
str->error = ERR_PACK(ERR_LIB_SYS, 0, i);
|
|
- if (str->string == NULL) {
|
|
+ /*
|
|
+ * If we have used up all the space in strerror_pool,
|
|
+ * there's no point in calling openssl_strerror_r()
|
|
+ */
|
|
+ if (str->string == NULL && cnt < sizeof(strerror_pool)) {
|
|
if (openssl_strerror_r(i, cur, sizeof(strerror_pool) - cnt)) {
|
|
size_t l = strlen(cur);
|
|
|
|
str->string = cur;
|
|
cnt += l;
|
|
- if (cnt > sizeof(strerror_pool))
|
|
- cnt = sizeof(strerror_pool);
|
|
cur += l;
|
|
|
|
/*
|
|
* VMS has an unusual quirk of adding spaces at the end of
|
|
- * some (most? all?) messages. Lets trim them off.
|
|
+ * some (most? all?) messages. Lets trim them off.
|
|
*/
|
|
- while (ossl_isspace(cur[-1])) {
|
|
+ while (cur > strerror_pool && ossl_isspace(cur[-1])) {
|
|
cur--;
|
|
cnt--;
|
|
}
|
|
diff -up openssl-1.1.1c/crypto/rand/rand_lib.c.sync openssl-1.1.1c/crypto/rand/rand_lib.c
|
|
--- openssl-1.1.1c/crypto/rand/rand_lib.c.sync 2019-05-29 17:20:17.175099183 +0200
|
|
+++ openssl-1.1.1c/crypto/rand/rand_lib.c 2019-05-30 11:51:20.784850208 +0200
|
|
@@ -239,8 +239,9 @@ size_t rand_drbg_get_nonce(RAND_DRBG *dr
|
|
struct {
|
|
void * instance;
|
|
int count;
|
|
- } data = { NULL, 0 };
|
|
+ } data;
|
|
|
|
+ memset(&data, 0, sizeof(data));
|
|
pool = rand_pool_new(0, min_len, max_len);
|
|
if (pool == NULL)
|
|
return 0;
|
|
From 6c2f347c78a530407b5310497080810094427920 Mon Sep 17 00:00:00 2001
|
|
From: Matt Caswell <matt@openssl.org>
|
|
Date: Wed, 17 Apr 2019 11:09:05 +0100
|
|
Subject: [PATCH 1/2] Defer sending a KeyUpdate until after pending writes are
|
|
complete
|
|
|
|
If we receive a KeyUpdate message (update requested) from the peer while
|
|
we are in the middle of a write, we should defer sending the responding
|
|
KeyUpdate message until after the current write is complete. We do this
|
|
by waiting to send the KeyUpdate until the next time we write and there is
|
|
no pending write data.
|
|
|
|
This does imply a subtle change in behaviour. Firstly the responding
|
|
KeyUpdate message won't be sent straight away as it is now. Secondly if
|
|
the peer sends multiple KeyUpdates without us doing any writing then we
|
|
will only send one response, as opposed to previously where we sent a
|
|
response for each KeyUpdate received.
|
|
|
|
Fixes #8677
|
|
|
|
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
|
|
(Merged from https://github.com/openssl/openssl/pull/8773)
|
|
|
|
(cherry picked from commit feb9e31c40c49de6384dd0413685e9b5a15adc99)
|
|
---
|
|
ssl/record/rec_layer_s3.c | 7 +++++++
|
|
ssl/statem/statem_clnt.c | 6 ------
|
|
ssl/statem/statem_lib.c | 7 ++-----
|
|
ssl/statem/statem_srvr.c | 6 ------
|
|
4 files changed, 9 insertions(+), 17 deletions(-)
|
|
|
|
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
|
|
index b2f97ef905..b65137c332 100644
|
|
--- a/ssl/record/rec_layer_s3.c
|
|
+++ b/ssl/record/rec_layer_s3.c
|
|
@@ -373,6 +373,13 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len,
|
|
|
|
s->rlayer.wnum = 0;
|
|
|
|
+ /*
|
|
+ * If we are supposed to be sending a KeyUpdate then go into init unless we
|
|
+ * have writes pending - in which case we should finish doing that first.
|
|
+ */
|
|
+ if (wb->left == 0 && s->key_update != SSL_KEY_UPDATE_NONE)
|
|
+ ossl_statem_set_in_init(s, 1);
|
|
+
|
|
/*
|
|
* When writing early data on the server side we could be "in_init" in
|
|
* between receiving the EoED and the CF - but we don't want to handle those
|
|
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
|
|
index 87800cd835..6410414fb6 100644
|
|
--- a/ssl/statem/statem_clnt.c
|
|
+++ b/ssl/statem/statem_clnt.c
|
|
@@ -473,12 +473,6 @@ static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s)
|
|
return WRITE_TRAN_CONTINUE;
|
|
|
|
case TLS_ST_CR_KEY_UPDATE:
|
|
- if (s->key_update != SSL_KEY_UPDATE_NONE) {
|
|
- st->hand_state = TLS_ST_CW_KEY_UPDATE;
|
|
- return WRITE_TRAN_CONTINUE;
|
|
- }
|
|
- /* Fall through */
|
|
-
|
|
case TLS_ST_CW_KEY_UPDATE:
|
|
case TLS_ST_CR_SESSION_TICKET:
|
|
case TLS_ST_CW_FINISHED:
|
|
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
|
|
index c0482b0a90..2960dafa52 100644
|
|
--- a/ssl/statem/statem_lib.c
|
|
+++ b/ssl/statem/statem_lib.c
|
|
@@ -645,12 +645,9 @@ MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
|
|
/*
|
|
* If we get a request for us to update our sending keys too then, we need
|
|
* to additionally send a KeyUpdate message. However that message should
|
|
- * not also request an update (otherwise we get into an infinite loop). We
|
|
- * ignore a request for us to update our sending keys too if we already
|
|
- * sent close_notify.
|
|
+ * not also request an update (otherwise we get into an infinite loop).
|
|
*/
|
|
- if (updatetype == SSL_KEY_UPDATE_REQUESTED
|
|
- && (s->shutdown & SSL_SENT_SHUTDOWN) == 0)
|
|
+ if (updatetype == SSL_KEY_UPDATE_REQUESTED)
|
|
s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
|
|
|
|
if (!tls13_update_key(s, 0)) {
|
|
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
|
|
index d454326a99..04a23320fc 100644
|
|
--- a/ssl/statem/statem_srvr.c
|
|
+++ b/ssl/statem/statem_srvr.c
|
|
@@ -502,12 +502,6 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s)
|
|
return WRITE_TRAN_CONTINUE;
|
|
|
|
case TLS_ST_SR_KEY_UPDATE:
|
|
- if (s->key_update != SSL_KEY_UPDATE_NONE) {
|
|
- st->hand_state = TLS_ST_SW_KEY_UPDATE;
|
|
- return WRITE_TRAN_CONTINUE;
|
|
- }
|
|
- /* Fall through */
|
|
-
|
|
case TLS_ST_SW_KEY_UPDATE:
|
|
st->hand_state = TLS_ST_OK;
|
|
return WRITE_TRAN_CONTINUE;
|
|
--
|
|
2.20.1
|
|
|
|
From c8feb1039ccc4cd11e6db084df1446bf863bee1e Mon Sep 17 00:00:00 2001
|
|
From: Matt Caswell <matt@openssl.org>
|
|
Date: Wed, 17 Apr 2019 10:30:53 +0100
|
|
Subject: [PATCH 2/2] Write a test for receiving a KeyUpdate (update requested)
|
|
while writing
|
|
|
|
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
|
|
(Merged from https://github.com/openssl/openssl/pull/8773)
|
|
|
|
(cherry picked from commit a77b4dba237d001073d2d1c5d55c674a196c949f)
|
|
---
|
|
test/sslapitest.c | 92 +++++++++++++++++++++++++++++++++++++++++++++
|
|
test/ssltestlib.c | 96 +++++++++++++++++++++++++++++++++++++++++++++++
|
|
test/ssltestlib.h | 3 ++
|
|
3 files changed, 191 insertions(+)
|
|
|
|
diff --git a/test/sslapitest.c b/test/sslapitest.c
|
|
index 2261fe4a7a..577342644d 100644
|
|
--- a/test/sslapitest.c
|
|
+++ b/test/sslapitest.c
|
|
@@ -4290,6 +4290,11 @@ static int test_key_update(void)
|
|
|| !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)),
|
|
strlen(mess)))
|
|
goto end;
|
|
+
|
|
+ if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess))
|
|
+ || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)),
|
|
+ strlen(mess)))
|
|
+ goto end;
|
|
}
|
|
|
|
testresult = 1;
|
|
@@ -4302,6 +4307,91 @@ static int test_key_update(void)
|
|
|
|
return testresult;
|
|
}
|
|
+
|
|
+/*
|
|
+ * Test we can handle a KeyUpdate (update requested) message while write data
|
|
+ * is pending.
|
|
+ * Test 0: Client sends KeyUpdate while Server is writing
|
|
+ * Test 1: Server sends KeyUpdate while Client is writing
|
|
+ */
|
|
+static int test_key_update_in_write(int tst)
|
|
+{
|
|
+ SSL_CTX *cctx = NULL, *sctx = NULL;
|
|
+ SSL *clientssl = NULL, *serverssl = NULL;
|
|
+ int testresult = 0;
|
|
+ char buf[20];
|
|
+ static char *mess = "A test message";
|
|
+ BIO *bretry = BIO_new(bio_s_always_retry());
|
|
+ BIO *tmp = NULL;
|
|
+ SSL *peerupdate = NULL, *peerwrite = NULL;
|
|
+
|
|
+ if (!TEST_ptr(bretry)
|
|
+ || !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
|
|
+ TLS_client_method(),
|
|
+ TLS1_3_VERSION,
|
|
+ 0,
|
|
+ &sctx, &cctx, cert, privkey))
|
|
+ || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
|
|
+ NULL, NULL))
|
|
+ || !TEST_true(create_ssl_connection(serverssl, clientssl,
|
|
+ SSL_ERROR_NONE)))
|
|
+ goto end;
|
|
+
|
|
+ peerupdate = tst == 0 ? clientssl : serverssl;
|
|
+ peerwrite = tst == 0 ? serverssl : clientssl;
|
|
+
|
|
+ if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED))
|
|
+ || !TEST_true(SSL_do_handshake(peerupdate)))
|
|
+ goto end;
|
|
+
|
|
+ /* Swap the writing endpoint's write BIO to force a retry */
|
|
+ tmp = SSL_get_wbio(peerwrite);
|
|
+ if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) {
|
|
+ tmp = NULL;
|
|
+ goto end;
|
|
+ }
|
|
+ SSL_set0_wbio(peerwrite, bretry);
|
|
+ bretry = NULL;
|
|
+
|
|
+ /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */
|
|
+ if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1)
|
|
+ || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE))
|
|
+ goto end;
|
|
+
|
|
+ /* Reinstate the original writing endpoint's write BIO */
|
|
+ SSL_set0_wbio(peerwrite, tmp);
|
|
+ tmp = NULL;
|
|
+
|
|
+ /* Now read some data - we will read the key update */
|
|
+ if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1)
|
|
+ || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ))
|
|
+ goto end;
|
|
+
|
|
+ /*
|
|
+ * Complete the write we started previously and read it from the other
|
|
+ * endpoint
|
|
+ */
|
|
+ if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
|
|
+ || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
|
|
+ goto end;
|
|
+
|
|
+ /* Write more data to ensure we send the KeyUpdate message back */
|
|
+ if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess))
|
|
+ || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess)))
|
|
+ goto end;
|
|
+
|
|
+ testresult = 1;
|
|
+
|
|
+ end:
|
|
+ SSL_free(serverssl);
|
|
+ SSL_free(clientssl);
|
|
+ SSL_CTX_free(sctx);
|
|
+ SSL_CTX_free(cctx);
|
|
+ BIO_free(bretry);
|
|
+ BIO_free(tmp);
|
|
+
|
|
+ return testresult;
|
|
+}
|
|
#endif /* OPENSSL_NO_TLS1_3 */
|
|
|
|
static int test_ssl_clear(int idx)
|
|
@@ -5982,6 +6072,7 @@ int setup_tests(void)
|
|
#ifndef OPENSSL_NO_TLS1_3
|
|
ADD_ALL_TESTS(test_export_key_mat_early, 3);
|
|
ADD_TEST(test_key_update);
|
|
+ ADD_ALL_TESTS(test_key_update_in_write, 2);
|
|
#endif
|
|
ADD_ALL_TESTS(test_ssl_clear, 2);
|
|
ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
|
|
@@ -6002,4 +6093,5 @@ int setup_tests(void)
|
|
void cleanup_tests(void)
|
|
{
|
|
bio_s_mempacket_test_free();
|
|
+ bio_s_always_retry_free();
|
|
}
|
|
diff --git a/test/ssltestlib.c b/test/ssltestlib.c
|
|
index 05139be750..e1038620ac 100644
|
|
--- a/test/ssltestlib.c
|
|
+++ b/test/ssltestlib.c
|
|
@@ -62,9 +62,11 @@ static int tls_dump_puts(BIO *bp, const char *str);
|
|
/* Choose a sufficiently large type likely to be unused for this custom BIO */
|
|
#define BIO_TYPE_TLS_DUMP_FILTER (0x80 | BIO_TYPE_FILTER)
|
|
#define BIO_TYPE_MEMPACKET_TEST 0x81
|
|
+#define BIO_TYPE_ALWAYS_RETRY 0x82
|
|
|
|
static BIO_METHOD *method_tls_dump = NULL;
|
|
static BIO_METHOD *meth_mem = NULL;
|
|
+static BIO_METHOD *meth_always_retry = NULL;
|
|
|
|
/* Note: Not thread safe! */
|
|
const BIO_METHOD *bio_f_tls_dump_filter(void)
|
|
@@ -612,6 +614,100 @@ static int mempacket_test_puts(BIO *bio, const char *str)
|
|
return mempacket_test_write(bio, str, strlen(str));
|
|
}
|
|
|
|
+static int always_retry_new(BIO *bi);
|
|
+static int always_retry_free(BIO *a);
|
|
+static int always_retry_read(BIO *b, char *out, int outl);
|
|
+static int always_retry_write(BIO *b, const char *in, int inl);
|
|
+static long always_retry_ctrl(BIO *b, int cmd, long num, void *ptr);
|
|
+static int always_retry_gets(BIO *bp, char *buf, int size);
|
|
+static int always_retry_puts(BIO *bp, const char *str);
|
|
+
|
|
+const BIO_METHOD *bio_s_always_retry(void)
|
|
+{
|
|
+ if (meth_always_retry == NULL) {
|
|
+ if (!TEST_ptr(meth_always_retry = BIO_meth_new(BIO_TYPE_ALWAYS_RETRY,
|
|
+ "Always Retry"))
|
|
+ || !TEST_true(BIO_meth_set_write(meth_always_retry,
|
|
+ always_retry_write))
|
|
+ || !TEST_true(BIO_meth_set_read(meth_always_retry,
|
|
+ always_retry_read))
|
|
+ || !TEST_true(BIO_meth_set_puts(meth_always_retry,
|
|
+ always_retry_puts))
|
|
+ || !TEST_true(BIO_meth_set_gets(meth_always_retry,
|
|
+ always_retry_gets))
|
|
+ || !TEST_true(BIO_meth_set_ctrl(meth_always_retry,
|
|
+ always_retry_ctrl))
|
|
+ || !TEST_true(BIO_meth_set_create(meth_always_retry,
|
|
+ always_retry_new))
|
|
+ || !TEST_true(BIO_meth_set_destroy(meth_always_retry,
|
|
+ always_retry_free)))
|
|
+ return NULL;
|
|
+ }
|
|
+ return meth_always_retry;
|
|
+}
|
|
+
|
|
+void bio_s_always_retry_free(void)
|
|
+{
|
|
+ BIO_meth_free(meth_always_retry);
|
|
+}
|
|
+
|
|
+static int always_retry_new(BIO *bio)
|
|
+{
|
|
+ BIO_set_init(bio, 1);
|
|
+ return 1;
|
|
+}
|
|
+
|
|
+static int always_retry_free(BIO *bio)
|
|
+{
|
|
+ BIO_set_data(bio, NULL);
|
|
+ BIO_set_init(bio, 0);
|
|
+ return 1;
|
|
+}
|
|
+
|
|
+static int always_retry_read(BIO *bio, char *out, int outl)
|
|
+{
|
|
+ BIO_set_retry_read(bio);
|
|
+ return -1;
|
|
+}
|
|
+
|
|
+static int always_retry_write(BIO *bio, const char *in, int inl)
|
|
+{
|
|
+ BIO_set_retry_write(bio);
|
|
+ return -1;
|
|
+}
|
|
+
|
|
+static long always_retry_ctrl(BIO *bio, int cmd, long num, void *ptr)
|
|
+{
|
|
+ long ret = 1;
|
|
+
|
|
+ switch (cmd) {
|
|
+ case BIO_CTRL_FLUSH:
|
|
+ BIO_set_retry_write(bio);
|
|
+ /* fall through */
|
|
+ case BIO_CTRL_EOF:
|
|
+ case BIO_CTRL_RESET:
|
|
+ case BIO_CTRL_DUP:
|
|
+ case BIO_CTRL_PUSH:
|
|
+ case BIO_CTRL_POP:
|
|
+ default:
|
|
+ ret = 0;
|
|
+ break;
|
|
+ }
|
|
+ return ret;
|
|
+}
|
|
+
|
|
+static int always_retry_gets(BIO *bio, char *buf, int size)
|
|
+{
|
|
+ BIO_set_retry_read(bio);
|
|
+ return -1;
|
|
+}
|
|
+
|
|
+static int always_retry_puts(BIO *bio, const char *str)
|
|
+{
|
|
+ BIO_set_retry_write(bio);
|
|
+ return -1;
|
|
+}
|
|
+
|
|
int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm,
|
|
int min_proto_version, int max_proto_version,
|
|
SSL_CTX **sctx, SSL_CTX **cctx, char *certfile,
|
|
diff --git a/test/ssltestlib.h b/test/ssltestlib.h
|
|
index fa19e7d80d..56e323f5bc 100644
|
|
--- a/test/ssltestlib.h
|
|
+++ b/test/ssltestlib.h
|
|
@@ -30,6 +30,9 @@ void bio_f_tls_dump_filter_free(void);
|
|
const BIO_METHOD *bio_s_mempacket_test(void);
|
|
void bio_s_mempacket_test_free(void);
|
|
|
|
+const BIO_METHOD *bio_s_always_retry(void);
|
|
+void bio_s_always_retry_free(void);
|
|
+
|
|
/* Packet types - value 0 is reserved */
|
|
#define INJECT_PACKET 1
|
|
#define INJECT_PACKET_IGNORE_REC_SEQ 2
|
|
--
|
|
2.20.1
|
|
|
|
diff -up openssl-1.1.1c/include/internal/constant_time_locl.h.valgrind openssl-1.1.1c/include/internal/constant_time_locl.h
|
|
--- openssl-1.1.1c/include/internal/constant_time_locl.h.valgrind 2019-05-28 15:12:21.000000000 +0200
|
|
+++ openssl-1.1.1c/include/internal/constant_time_locl.h 2019-06-24 15:02:12.796053536 +0200
|
|
@@ -213,18 +213,66 @@ static ossl_inline unsigned char constan
|
|
return constant_time_eq_8((unsigned)(a), (unsigned)(b));
|
|
}
|
|
|
|
+/* Returns the value unmodified, but avoids optimizations. */
|
|
+static ossl_inline unsigned int value_barrier(unsigned int a)
|
|
+{
|
|
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
|
|
+ unsigned int r;
|
|
+ __asm__("" : "=r"(r) : "0"(a));
|
|
+#else
|
|
+ volatile unsigned int r = a;
|
|
+#endif
|
|
+ return r;
|
|
+}
|
|
+
|
|
+/* Convenience method for uint32_t. */
|
|
+static ossl_inline uint32_t value_barrier_32(uint32_t a)
|
|
+{
|
|
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
|
|
+ uint32_t r;
|
|
+ __asm__("" : "=r"(r) : "0"(a));
|
|
+#else
|
|
+ volatile uint32_t r = a;
|
|
+#endif
|
|
+ return r;
|
|
+}
|
|
+
|
|
+/* Convenience method for uint64_t. */
|
|
+static ossl_inline uint64_t value_barrier_64(uint64_t a)
|
|
+{
|
|
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
|
|
+ uint64_t r;
|
|
+ __asm__("" : "=r"(r) : "0"(a));
|
|
+#else
|
|
+ volatile uint64_t r = a;
|
|
+#endif
|
|
+ return r;
|
|
+}
|
|
+
|
|
+/* Convenience method for size_t. */
|
|
+static ossl_inline size_t value_barrier_s(size_t a)
|
|
+{
|
|
+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__)
|
|
+ size_t r;
|
|
+ __asm__("" : "=r"(r) : "0"(a));
|
|
+#else
|
|
+ volatile size_t r = a;
|
|
+#endif
|
|
+ return r;
|
|
+}
|
|
+
|
|
static ossl_inline unsigned int constant_time_select(unsigned int mask,
|
|
unsigned int a,
|
|
unsigned int b)
|
|
{
|
|
- return (mask & a) | (~mask & b);
|
|
+ return (value_barrier(mask) & a) | (value_barrier(~mask) & b);
|
|
}
|
|
|
|
static ossl_inline size_t constant_time_select_s(size_t mask,
|
|
size_t a,
|
|
size_t b)
|
|
{
|
|
- return (mask & a) | (~mask & b);
|
|
+ return (value_barrier_s(mask) & a) | (value_barrier_s(~mask) & b);
|
|
}
|
|
|
|
static ossl_inline unsigned char constant_time_select_8(unsigned char mask,
|
|
@@ -249,13 +297,13 @@ static ossl_inline int constant_time_sel
|
|
static ossl_inline uint32_t constant_time_select_32(uint32_t mask, uint32_t a,
|
|
uint32_t b)
|
|
{
|
|
- return (mask & a) | (~mask & b);
|
|
+ return (value_barrier_32(mask) & a) | (value_barrier_32(~mask) & b);
|
|
}
|
|
|
|
static ossl_inline uint64_t constant_time_select_64(uint64_t mask, uint64_t a,
|
|
uint64_t b)
|
|
{
|
|
- return (mask & a) | (~mask & b);
|
|
+ return (value_barrier_64(mask) & a) | (value_barrier_64(~mask) & b);
|
|
}
|
|
|
|
/*
|