Skip to content

Commit

Permalink
Rename crypto_word back to crypto_word_t.
Browse files Browse the repository at this point in the history 
Originally I was trying to be pedantic and avoid any use of `_t`-
suffixed names. However, this hasn't really accomplished anything
except annoying me, so just do what BoringSSL does.
  • Loading branch information
@briansmith
briansmith committed Sep 29, 2023
1 parent 8e3548f commit 2270dc6
Show file tree
Hide file tree
Showing 12 changed files with 74 additions and 72 deletions.
20 changes: 10 additions & 10 deletions crypto/constant_time_test.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -47,9 +47,9 @@

int bssl_constant_time_test_main(void);

static int test_binary_op_w(crypto_word (*op)(crypto_word a, crypto_word b),
crypto_word a, crypto_word b, int is_true) {
crypto_word c = op(a, b);
static int test_binary_op_w(crypto_word_t (*op)(crypto_word_t a, crypto_word_t b),
crypto_word_t a, crypto_word_t b, int is_true) {
crypto_word_t c = op(a, b);
if (is_true && c != CONSTTIME_TRUE_W) {
return 1;
} else if (!is_true && c != CONSTTIME_FALSE_W) {
Expand All @@ -58,8 +58,8 @@ static int test_binary_op_w(crypto_word (*op)(crypto_word a, crypto_word b),
return 0;
}

static int test_is_zero_w(crypto_word a) {
crypto_word c = constant_time_is_zero_w(a);
static int test_is_zero_w(crypto_word_t a) {
crypto_word_t c = constant_time_is_zero_w(a);
if (a == 0 && c != CONSTTIME_TRUE_W) {
return 1;
} else if (a != 0 && c != CONSTTIME_FALSE_W) {
Expand All @@ -76,8 +76,8 @@ static int test_is_zero_w(crypto_word a) {
return 0;
}

static int test_select_w(crypto_word a, crypto_word b) {
crypto_word selected = constant_time_select_w(CONSTTIME_TRUE_W, a, b);
static int test_select_w(crypto_word_t a, crypto_word_t b) {
crypto_word_t selected = constant_time_select_w(CONSTTIME_TRUE_W, a, b);
if (selected != a) {
return 1;
}
Expand All @@ -88,7 +88,7 @@ static int test_select_w(crypto_word a, crypto_word b) {
return 0;
}

static crypto_word test_values_s[] = {
static crypto_word_t test_values_s[] = {
0,
1,
1024,
Expand All @@ -113,11 +113,11 @@ int bssl_constant_time_test_main(void) {

for (size_t i = 0;
i < sizeof(test_values_s) / sizeof(test_values_s[0]); ++i) {
crypto_word a = test_values_s[i];
crypto_word_t a = test_values_s[i];
num_failed += test_is_zero_w(a);
for (size_t j = 0;
j < sizeof(test_values_s) / sizeof(test_values_s[0]); ++j) {
crypto_word b = test_values_s[j];
crypto_word_t b = test_values_s[j];
num_failed += test_binary_op_w(&constant_time_eq_w, a, b, a == b);
num_failed += test_binary_op_w(&constant_time_eq_w, b, a, b == a);
num_failed += test_select_w(a, b);
Expand Down
2 changes: 1 addition & 1 deletion crypto/fipsmodule/bn/internal.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -134,7 +134,7 @@

#include "../../internal.h"

typedef crypto_word BN_ULONG;
typedef crypto_word_t BN_ULONG;

#if defined(OPENSSL_64_BIT)

Expand Down
10 changes: 5 additions & 5 deletions crypto/fipsmodule/ec/ecp_nistz.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -246,16 +246,16 @@
// P-384: ...01110011; w = 2, 5, 6, 7 are okay
// P-256: ...01010001; w = 5, 7 are okay
// P-224: ...00111101; w = 3, 4, 5, 6 are okay
static inline void booth_recode(crypto_word *is_negative, crypto_word *digit,
crypto_word in, crypto_word w) {
static inline void booth_recode(crypto_word_t *is_negative, crypto_word_t *digit,
crypto_word_t in, crypto_word_t w) {
debug_assert_nonsecret(w >= 2);
debug_assert_nonsecret(w <= 7);

// Set all bits of `s` to MSB(in), similar to |constant_time_msb_s|,
// but 'in' seen as (`w+1`)-bit value.
crypto_word s = ~((in >> w) - 1);
crypto_word d;
d = ((crypto_word)1u << (w + 1)) - in - 1;
crypto_word_t s = ~((in >> w) - 1);
crypto_word_t d;
d = ((crypto_word_t)1u << (w + 1)) - in - 1;
d = (d & s) | (in & ~s);
d = (d >> 1) + (d & 1);

Expand Down
12 changes: 6 additions & 6 deletions crypto/fipsmodule/ec/ecp_nistz384.inl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -157,10 +157,10 @@ void nistz384_point_add(P384_POINT *r, const P384_POINT *a,
limbs_copy(r->Z, res_z, P384_LIMBS);
}

static void add_precomputed_w5(P384_POINT *r, crypto_word wvalue,
static void add_precomputed_w5(P384_POINT *r, crypto_word_t wvalue,
const P384_POINT table[16]) {
crypto_word recoded_is_negative;
crypto_word recoded;
crypto_word_t recoded_is_negative;
crypto_word_t recoded;
booth_recode(&recoded_is_negative, &recoded, wvalue, 5);

alignas(64) P384_POINT h;
Expand All @@ -178,7 +178,7 @@ void nistz384_point_mul(P384_POINT *r, const BN_ULONG p_scalar[P384_LIMBS],
const BN_ULONG p_x[P384_LIMBS],
const BN_ULONG p_y[P384_LIMBS]) {
static const size_t kWindowSize = 5;
static const crypto_word kMask = (1 << (5 /* kWindowSize */ + 1)) - 1;
static const crypto_word_t kMask = (1 << (5 /* kWindowSize */ + 1)) - 1;

uint8_t p_str[(P384_LIMBS * sizeof(Limb)) + 1];
little_endian_bytes_from_scalar(p_str, sizeof(p_str) / sizeof(p_str[0]),
Expand Down Expand Up @@ -218,9 +218,9 @@ void nistz384_point_mul(P384_POINT *r, const BN_ULONG p_scalar[P384_LIMBS],
size_t index = START_INDEX;

BN_ULONG recoded_is_negative;
crypto_word recoded;
crypto_word_t recoded;

crypto_word wvalue = p_str[(index - 1) / 8];
crypto_word_t wvalue = p_str[(index - 1) / 8];
wvalue = (wvalue >> ((index - 1) % 8)) & kMask;

booth_recode(&recoded_is_negative, &recoded, wvalue, 5);
Expand Down
2 changes: 1 addition & 1 deletion crypto/fipsmodule/ec/gfp_p384.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -221,7 +221,7 @@ static void p384_point_select_w5(P384_POINT *out,

// TODO: Rewrite in terms of |limbs_select|.
for (size_t i = 0; i < 16; ++i) {
crypto_word equal = constant_time_eq_w(index, (crypto_word)i + 1);
crypto_word_t equal = constant_time_eq_w(index, (crypto_word_t)i + 1);
for (size_t j = 0; j < P384_LIMBS; ++j) {
x[j] = constant_time_select_w(equal, table[i].X[j], x[j]);
y[j] = constant_time_select_w(equal, table[i].Y[j], y[j]);
Expand Down
30 changes: 15 additions & 15 deletions crypto/fipsmodule/ec/p256-nistz.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -39,8 +39,8 @@ static const BN_ULONG ONE[P256_LIMBS] = {

// Recode window to a signed digit, see |nistp_recode_scalar_bits| in
// util.c for details
static crypto_word booth_recode_w5(crypto_word in) {
crypto_word s, d;
static crypto_word_t booth_recode_w5(crypto_word_t in) {
crypto_word_t s, d;

s = ~((in >> 5) - 1);
d = (1 << 6) - in - 1;
Expand All @@ -50,8 +50,8 @@ static crypto_word booth_recode_w5(crypto_word in) {
return (d << 1) + (s & 1);
}

static crypto_word booth_recode_w7(crypto_word in) {
crypto_word s, d;
static crypto_word_t booth_recode_w7(crypto_word_t in) {
crypto_word_t s, d;

s = ~((in >> 7) - 1);
d = (1 << 8) - in - 1;
Expand Down Expand Up @@ -128,7 +128,7 @@ static void ecp_nistz256_windowed_mul(P256_POINT *r,
debug_assert_nonsecret(p_y != NULL);

static const size_t kWindowSize = 5;
static const crypto_word kMask = (1 << (5 /* kWindowSize */ + 1)) - 1;
static const crypto_word_t kMask = (1 << (5 /* kWindowSize */ + 1)) - 1;

// A |P256_POINT| is (3 * 32) = 96 bytes, and the 64-byte alignment should
// add no more than 63 bytes of overhead. Thus, |table| should require
Expand Down Expand Up @@ -165,7 +165,7 @@ static void ecp_nistz256_windowed_mul(P256_POINT *r,
BN_ULONG tmp[P256_LIMBS];
alignas(32) P256_POINT h;
size_t index = 255;
crypto_word wvalue = p_str[(index - 1) / 8];
crypto_word_t wvalue = p_str[(index - 1) / 8];
wvalue = (wvalue >> ((index - 1) % 8)) & kMask;

ecp_nistz256_select_w5(r, table, (int)(booth_recode_w5(wvalue) >> 1));
Expand All @@ -174,7 +174,7 @@ static void ecp_nistz256_windowed_mul(P256_POINT *r,
if (index != 255) {
size_t off = (index - 1) / 8;

wvalue = (crypto_word)p_str[off] | (crypto_word)p_str[off + 1] << 8;
wvalue = (crypto_word_t)p_str[off] | (crypto_word_t)p_str[off + 1] << 8;
wvalue = (wvalue >> ((index - 1) % 8)) & kMask;

wvalue = booth_recode_w5(wvalue);
Expand Down Expand Up @@ -210,22 +210,22 @@ static void ecp_nistz256_windowed_mul(P256_POINT *r,
ecp_nistz256_point_add(r, r, &h);
}

static crypto_word calc_first_wvalue(size_t *index, const uint8_t p_str[33]) {
static crypto_word_t calc_first_wvalue(size_t *index, const uint8_t p_str[33]) {
static const size_t kWindowSize = 7;
static const crypto_word kMask = (1 << (7 /* kWindowSize */ + 1)) - 1;
static const crypto_word_t kMask = (1 << (7 /* kWindowSize */ + 1)) - 1;
*index = kWindowSize;

crypto_word wvalue = ((crypto_word)p_str[0] << 1) & kMask;
crypto_word_t wvalue = ((crypto_word_t)p_str[0] << 1) & kMask;
return booth_recode_w7(wvalue);
}

static crypto_word calc_wvalue(size_t *index, const uint8_t p_str[33]) {
static crypto_word_t calc_wvalue(size_t *index, const uint8_t p_str[33]) {
static const size_t kWindowSize = 7;
static const crypto_word kMask = (1 << (7 /* kWindowSize */ + 1)) - 1;
static const crypto_word_t kMask = (1 << (7 /* kWindowSize */ + 1)) - 1;

const size_t off = (*index - 1) / 8;
crypto_word wvalue =
(crypto_word)p_str[off] | (crypto_word)p_str[off + 1] << 8;
crypto_word_t wvalue =
(crypto_word_t)p_str[off] | (crypto_word_t)p_str[off + 1] << 8;
wvalue = (wvalue >> ((*index - 1) % 8)) & kMask;
*index += kWindowSize;

Expand All @@ -249,7 +249,7 @@ void p256_point_mul_base(P256_POINT *r, const Limb scalar[P256_LIMBS]) {

// First window
size_t index = 0;
crypto_word wvalue = calc_first_wvalue(&index, p_str);
crypto_word_t wvalue = calc_first_wvalue(&index, p_str);

alignas(32) P256_POINT_AFFINE t;
alignas(32) P256_POINT p;
Expand Down
10 changes: 5 additions & 5 deletions crypto/fipsmodule/ec/p256.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -326,7 +326,7 @@ static void fiat_p256_select_point(const fiat_p256_limb_t idx, size_t size,
}

// fiat_p256_get_bit returns the |i|th bit in |in|
static crypto_word fiat_p256_get_bit(const Limb in[P256_LIMBS], int i) {
static crypto_word_t fiat_p256_get_bit(const Limb in[P256_LIMBS], int i) {
if (i < 0 || i >= 256) {
return 0;
}
Expand Down Expand Up @@ -379,13 +379,13 @@ void p256_point_mul(P256_POINT *r, const Limb scalar[P256_LIMBS],

// do other additions every 5 doublings
if (i % 5 == 0) {
crypto_word bits = fiat_p256_get_bit(scalar, i + 4) << 5;
crypto_word_t bits = fiat_p256_get_bit(scalar, i + 4) << 5;
bits |= fiat_p256_get_bit(scalar, i + 3) << 4;
bits |= fiat_p256_get_bit(scalar, i + 2) << 3;
bits |= fiat_p256_get_bit(scalar, i + 1) << 2;
bits |= fiat_p256_get_bit(scalar, i) << 1;
bits |= fiat_p256_get_bit(scalar, i - 1);
crypto_word sign, digit;
crypto_word_t sign, digit;
recode_scalar_bits(&sign, &digit, bits);

// select the point to add or subtract, in constant time.
Expand Down Expand Up @@ -423,7 +423,7 @@ void p256_point_mul_base(P256_POINT *r, const Limb scalar[P256_LIMBS]) {
}

// First, look 32 bits upwards.
crypto_word bits = fiat_p256_get_bit(scalar, i + 224) << 3;
crypto_word_t bits = fiat_p256_get_bit(scalar, i + 224) << 3;
bits |= fiat_p256_get_bit(scalar, i + 160) << 2;
bits |= fiat_p256_get_bit(scalar, i + 96) << 1;
bits |= fiat_p256_get_bit(scalar, i + 32);
Expand Down Expand Up @@ -485,7 +485,7 @@ void p256_point_add_affine(P256_POINT *r, const P256_POINT *a,
const Limb *b_x = &b[0];
const Limb *b_y = &b[P256_LIMBS];
fiat_p256_felem b_z = {0};
crypto_word b_is_inf = constant_time_select_w(
crypto_word_t b_is_inf = constant_time_select_w(
LIMBS_are_zero(b_x, P256_LIMBS), LIMBS_are_zero(b_y, P256_LIMBS), 0);
fiat_p256_cmovznz(b_z, constant_time_is_zero_w(b_is_inf), b_z, fiat_p256_one);
fiat_p256_point_add(r->X, r->Y, r->Z,
Expand Down
6 changes: 3 additions & 3 deletions crypto/fipsmodule/ec/util.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -243,9 +243,9 @@
// P-384: ...01110011; w = 2, 5, 6, 7 are okay
// P-256: ...01010001; w = 5, 7 are okay
// P-224: ...00111101; w = 3, 4, 5, 6 are okay
static inline void recode_scalar_bits(crypto_word *sign, crypto_word *digit,
crypto_word in) {
crypto_word s, d;
static inline void recode_scalar_bits(crypto_word_t *sign, crypto_word_t *digit,
crypto_word_t in) {
crypto_word_t s, d;

s = ~((in >> 5) - 1); /* sets all bits to MSB(in), 'in' seen as
* 6-bit value */
Expand Down
44 changes: 23 additions & 21 deletions crypto/internal.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -161,25 +161,27 @@ typedef __uint128_t uint128_t;
//
// can be written as
//
// crypto_word lt = constant_time_lt_w(a, b);
// crypto_word_t lt = constant_time_lt_w(a, b);
// c = constant_time_select_w(lt, a, b);

// crypto_word is the type that most constant-time functions use. Ideally we
// crypto_word_t is the type that most constant-time functions use. Ideally we
// would like it to be |size_t|, but NaCl builds in 64-bit mode with 32-bit
// pointers, which means that |size_t| can be 32 bits when |crypto_word| is 64
// bits.
// pointers, which means that |size_t| can be 32 bits when |BN_ULONG| is 64
// bits. Since we want to be able to do constant-time operations on a
// |BN_ULONG|, |crypto_word_t| is defined as an unsigned value with the native
// word length.
#if defined(OPENSSL_64_BIT)
typedef uint64_t crypto_word;
typedef uint64_t crypto_word_t;
#define CRYPTO_WORD_BITS (64u)
#elif defined(OPENSSL_32_BIT)
typedef uint32_t crypto_word;
typedef uint32_t crypto_word_t;
#define CRYPTO_WORD_BITS (32u)
#else
#error "Must define either OPENSSL_32_BIT or OPENSSL_64_BIT"
#endif

#define CONSTTIME_TRUE_W ~((crypto_word)0)
#define CONSTTIME_FALSE_W ((crypto_word)0)
#define CONSTTIME_TRUE_W ~((crypto_word_t)0)
#define CONSTTIME_FALSE_W ((crypto_word_t)0)

// value_barrier_w returns |a|, but prevents GCC and Clang from reasoning about
// the returned value. This is used to mitigate compilers undoing constant-time
Expand All @@ -188,7 +190,7 @@ typedef uint32_t crypto_word;
// Note the compiler is aware that |value_barrier_w| has no side effects and
// always has the same output for a given input. This allows it to eliminate
// dead code, move computations across loops, and vectorize.
static inline crypto_word value_barrier_w(crypto_word a) {
static inline crypto_word_t value_barrier_w(crypto_word_t a) {
#if defined(__GNUC__) || defined(__clang__)
__asm__("" : "+r"(a) : /* no inputs */);
#endif
Expand All @@ -213,12 +215,12 @@ static inline uint64_t value_barrier_u64(uint64_t a) {

// constant_time_msb_w returns the given value with the MSB copied to all the
// other bits.
static inline crypto_word constant_time_msb_w(crypto_word a) {
static inline crypto_word_t constant_time_msb_w(crypto_word_t a) {
return 0u - (a >> (sizeof(a) * 8 - 1));
}

// constant_time_is_zero_w returns 0xff..f if a == 0 and 0 otherwise.
static inline crypto_word constant_time_is_zero_w(crypto_word a) {
static inline crypto_word_t constant_time_is_zero_w(crypto_word_t a) {
// Here is an SMT-LIB verification of this formula:
//
// (define-fun is_zero ((a (_ BitVec 32))) (_ BitVec 32)
Expand All @@ -233,22 +235,22 @@ static inline crypto_word constant_time_is_zero_w(crypto_word a) {
return constant_time_msb_w(~a & (a - 1));
}

static inline crypto_word constant_time_is_nonzero_w(crypto_word a) {
static inline crypto_word_t constant_time_is_nonzero_w(crypto_word_t a) {
return ~constant_time_is_zero_w(a);
}

// constant_time_eq_w returns 0xff..f if a == b and 0 otherwise.
static inline crypto_word constant_time_eq_w(crypto_word a,
crypto_word b) {
static inline crypto_word_t constant_time_eq_w(crypto_word_t a,
crypto_word_t b) {
return constant_time_is_zero_w(a ^ b);
}

// constant_time_select_w returns (mask & a) | (~mask & b). When |mask| is all
// 1s or all 0s (as returned by the methods above), the select methods return
// either |a| (if |mask| is nonzero) or |b| (if |mask| is zero).
static inline crypto_word constant_time_select_w(crypto_word mask,
crypto_word a,
crypto_word b) {
static inline crypto_word_t constant_time_select_w(crypto_word_t mask,
crypto_word_t a,
crypto_word_t b) {
// Clang recognizes this pattern as a select. While it usually transforms it
// to a cmov, it sometimes further transforms it into a branch, which we do
// not want.
Expand Down Expand Up @@ -278,7 +280,7 @@ static inline crypto_word constant_time_select_w(crypto_word mask,

#endif // BORINGSSL_CONSTANT_TIME_VALIDATION

static inline crypto_word constant_time_declassify_w(crypto_word v) {
static inline crypto_word_t constant_time_declassify_w(crypto_word_t v) {
// Return |v| through a value barrier to be safe. Valgrind-based constant-time
// validation is partly to check the compiler has not undone any constant-time
// work. Any place |BORINGSSL_CONSTANT_TIME_VALIDATION| influences
Expand Down Expand Up @@ -402,13 +404,13 @@ static inline void CRYPTO_store_u64_be(void *out, uint64_t v) {
OPENSSL_memcpy(out, &v, sizeof(v));
}

static inline crypto_word CRYPTO_load_word_le(const void *in) {
crypto_word v;
static inline crypto_word_t CRYPTO_load_word_le(const void *in) {
crypto_word_t v;
OPENSSL_memcpy(&v, in, sizeof(v));
return v;
}

static inline void CRYPTO_store_word_le(void *out, crypto_word v) {
static inline void CRYPTO_store_word_le(void *out, crypto_word_t v) {
OPENSSL_memcpy(out, &v, sizeof(v));
}

Expand Down
Loading

0 comments on commit 2270dc6

Please sign in to comment.