From f554a317d741c2fe8cd891ac0fcd6c38d0c49ace Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 15 Oct 2018 15:02:50 -0400 Subject: [PATCH] Add a side-channel silent conditional memcpy Originally from Niels, with minor changes to avoid compiler warnings. --- Makefile.in | 1 + cnd-memcpy.c | 55 +++++++++++++++++++++++++++++++++++++ memops.h | 6 ++++ testsuite/.gitignore | 1 + testsuite/.test-rules.make | 3 ++ testsuite/Makefile.in | 1 + testsuite/cnd-memcpy-test.c | 47 +++++++++++++++++++++++++++++++ 7 files changed, 114 insertions(+) create mode 100644 cnd-memcpy.c create mode 100644 testsuite/cnd-memcpy-test.c diff --git a/Makefile.in b/Makefile.in index 7740d717..9c5694cf 100644 --- a/Makefile.in +++ b/Makefile.in @@ -92,6 +92,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \ camellia256-meta.c \ cast128.c cast128-meta.c cbc.c \ ccm.c ccm-aes128.c ccm-aes192.c ccm-aes256.c cfb.c \ + cnd-memcpy.c \ chacha-crypt.c chacha-core-internal.c \ chacha-poly1305.c chacha-poly1305-meta.c \ chacha-set-key.c chacha-set-nonce.c \ diff --git a/cnd-memcpy.c b/cnd-memcpy.c new file mode 100644 index 00000000..4aaee78b --- /dev/null +++ b/cnd-memcpy.c @@ -0,0 +1,55 @@ +/* cnd-memcpy.c + + Copyright (C) 2018 Niels Möller + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include "memops.h" + +void +cnd_memcpy(int cnd, volatile void *dst, const volatile void *src, size_t n) +{ + const volatile unsigned char *sp = src; + volatile unsigned char *dp = dst; + volatile unsigned char c; + volatile unsigned char m; + size_t i; + + m = -(unsigned char) cnd; + + for (i = 0; i < n; i++) + { + c = (sp[i] & m); + c |= (dp[i] & ~m); + dp[i] = c; + } +} diff --git a/memops.h b/memops.h index 8e40594d..815d5472 100644 --- a/memops.h +++ b/memops.h @@ -39,11 +39,17 @@ extern "C" { #endif /* Name mangling */ +#define cnd_memcpy nettle_cnd_memcpy #define memeql_sec nettle_memeql_sec int memeql_sec (const void *a, const void *b, size_t n); +/* Side-channel silent conditional memcpy. cnd must be 0 (nop) or 1 + (copy). */ +void +cnd_memcpy(int cnd, volatile void *dst, const volatile void *src, size_t n); + #ifdef __cplusplus } #endif diff --git a/testsuite/.gitignore b/testsuite/.gitignore index 5db4e789..32ff2eb1 100644 --- a/testsuite/.gitignore +++ b/testsuite/.gitignore @@ -15,6 +15,7 @@ /cfb-test /chacha-poly1305-test /chacha-test +/cnd-memcpy-test /ctr-test /curve25519-dh-test /cxx-test diff --git a/testsuite/.test-rules.make b/testsuite/.test-rules.make index 12c39f30..2023e06c 100644 --- a/testsuite/.test-rules.make +++ b/testsuite/.test-rules.make @@ -25,6 +25,9 @@ camellia-test$(EXEEXT): camellia-test.$(OBJEXT) chacha-test$(EXEEXT): chacha-test.$(OBJEXT) $(LINK) chacha-test.$(OBJEXT) $(TEST_OBJS) -o chacha-test$(EXEEXT) +cnd-memcpy-test$(EXEEXT): cnd-memcpy-test.$(OBJEXT) + $(LINK) cnd-memcpy-test.$(OBJEXT) $(TEST_OBJS) -o cnd-memcpy-test$(EXEEXT) + des-test$(EXEEXT): des-test.$(OBJEXT) $(LINK) des-test.$(OBJEXT) $(TEST_OBJS) -o des-test$(EXEEXT) diff --git a/testsuite/Makefile.in b/testsuite/Makefile.in index df1c8150..9a7f6a23 100644 --- a/testsuite/Makefile.in +++ b/testsuite/Makefile.in @@ -14,6 +14,7 @@ TS_NETTLE_SOURCES = aes-test.c arcfour-test.c arctwo-test.c \ blowfish-test.c cast128-test.c \ base16-test.c base64-test.c \ camellia-test.c chacha-test.c \ + cnd-memcpy-test.c \ des-test.c des3-test.c des-compat-test.c \ md2-test.c md4-test.c md5-test.c md5-compat-test.c \ memeql-test.c memxor-test.c gosthash94-test.c \ diff --git a/testsuite/cnd-memcpy-test.c b/testsuite/cnd-memcpy-test.c new file mode 100644 index 00000000..6e5db341 --- /dev/null +++ b/testsuite/cnd-memcpy-test.c @@ -0,0 +1,47 @@ +#include "testutils.h" +#include "knuth-lfib.h" +#include "memops.h" + +#if HAVE_VALGRIND_MEMCHECK_H +# include +static void +cnd_memcpy_for_test(int cnd, void *dst, const void *src, size_t n) +{ + /* Makes valgrind trigger on any branches depending on the input + data. */ + VALGRIND_MAKE_MEM_UNDEFINED (dst, n); + VALGRIND_MAKE_MEM_UNDEFINED (src, n); + VALGRIND_MAKE_MEM_UNDEFINED (&cnd, sizeof(cnd)); + + cnd_memcpy (cnd, dst, src, n); + VALGRIND_MAKE_MEM_DEFINED (src, n); + VALGRIND_MAKE_MEM_DEFINED (dst, n); +} +#else +#define cnd_memcpy_for_test cnd_memcpy +#endif + +#define MAX_SIZE 50 +void +test_main(void) +{ + uint8_t src[MAX_SIZE]; + uint8_t dst[MAX_SIZE]; + uint8_t res[MAX_SIZE]; + struct knuth_lfib_ctx random_ctx; + + knuth_lfib_init (&random_ctx, 11); + + size_t size; + for (size = 1; size < 50; size++) + { + knuth_lfib_random (&random_ctx, size, src); + knuth_lfib_random (&random_ctx, size, dst); + memcpy (res, dst, size); + cnd_memcpy_for_test (0, res, src, size); + + ASSERT (memcmp (res, dst, size) == 0); + cnd_memcpy_for_test (1, res, src, size); + ASSERT (memcmp (res, src, size) == 0); + } +} -- GitLab