mirror of
https://codeberg.org/ziglang/zig.git
synced 2025-12-06 13:54:21 +00:00
84cdb62159
* std.crypto: add the ability to explicitly tag a value as secret It turns out that Valgrind can be a very useful tool to check that secrets are not leaked via side channels involving lookups or conditional jumps. Valgrind tracks uninitialized data, and memcheck reports operations involving uninitialized values. By permanently or temporarily telling Valgrind that a memory region containing secrets is uninitialized, we can detect common side-channel vulnerabilities. For example, the following code snippets would immediately report that the result is not computed in constant time: ```zig classify(&key); const len = std.mem.indexOfScalar(u8, &key, 0); ``` ```zig classify(&key); const idx = key[0]; x += idx; ``` ```zig var x: [4]u8 = undefined; std.crypto.random.bytes(&x); classify(&x); if (std.mem.eql(u8, "test", &x)) return; ``` This is not fool-proof, but it can help a lot to detect unwanted compiler optimizations. Also, right now, this is relying on Valgrind primitives, but these annotations can be used to do more interesting things later, especially with our own code generation backends. * Update for Zig 0.14 * Remove checks for Valgrind enablement
281 lines
10 KiB
Zig
281 lines
10 KiB
Zig
//! Please see this accepted proposal for the long-term plans regarding
|
|
//! constant-time operations in Zig: https://github.com/ziglang/zig/issues/1776
|
|
|
|
const std = @import("../std.zig");
|
|
const assert = std.debug.assert;
|
|
const Endian = std.builtin.Endian;
|
|
const Order = std.math.Order;
|
|
|
|
/// Compares two arrays in constant time (for a given length) and returns whether they are equal.
|
|
/// This function was designed to compare short cryptographic secrets (MACs, signatures).
|
|
/// For all other applications, use mem.eql() instead.
|
|
pub fn eql(comptime T: type, a: T, b: T) bool {
|
|
switch (@typeInfo(T)) {
|
|
.array => |info| {
|
|
const C = info.child;
|
|
if (@typeInfo(C) != .int) {
|
|
@compileError("Elements to be compared must be integers");
|
|
}
|
|
var acc = @as(C, 0);
|
|
for (a, 0..) |x, i| {
|
|
acc |= x ^ b[i];
|
|
}
|
|
const s = @typeInfo(C).int.bits;
|
|
const Cu = std.meta.Int(.unsigned, s);
|
|
const Cext = std.meta.Int(.unsigned, s + 1);
|
|
return @as(bool, @bitCast(@as(u1, @truncate((@as(Cext, @as(Cu, @bitCast(acc))) -% 1) >> s))));
|
|
},
|
|
.vector => |info| {
|
|
const C = info.child;
|
|
if (@typeInfo(C) != .int) {
|
|
@compileError("Elements to be compared must be integers");
|
|
}
|
|
const acc = @reduce(.Or, a ^ b);
|
|
const s = @typeInfo(C).int.bits;
|
|
const Cu = std.meta.Int(.unsigned, s);
|
|
const Cext = std.meta.Int(.unsigned, s + 1);
|
|
return @as(bool, @bitCast(@as(u1, @truncate((@as(Cext, @as(Cu, @bitCast(acc))) -% 1) >> s))));
|
|
},
|
|
else => {
|
|
@compileError("Only arrays and vectors can be compared");
|
|
},
|
|
}
|
|
}
|
|
|
|
/// Compare two integers serialized as arrays of the same size, in constant time.
|
|
/// Returns .lt if a<b, .gt if a>b and .eq if a=b
|
|
pub fn compare(comptime T: type, a: []const T, b: []const T, endian: Endian) Order {
|
|
assert(a.len == b.len);
|
|
const bits = switch (@typeInfo(T)) {
|
|
.int => |cinfo| if (cinfo.signedness != .unsigned) @compileError("Elements to be compared must be unsigned") else cinfo.bits,
|
|
else => @compileError("Elements to be compared must be integers"),
|
|
};
|
|
const Cext = std.meta.Int(.unsigned, bits + 1);
|
|
var gt: T = 0;
|
|
var eq: T = 1;
|
|
if (endian == .little) {
|
|
var i = a.len;
|
|
while (i != 0) {
|
|
i -= 1;
|
|
const x1 = a[i];
|
|
const x2 = b[i];
|
|
gt |= @as(T, @truncate((@as(Cext, x2) -% @as(Cext, x1)) >> bits)) & eq;
|
|
eq &= @as(T, @truncate((@as(Cext, (x2 ^ x1)) -% 1) >> bits));
|
|
}
|
|
} else {
|
|
for (a, 0..) |x1, i| {
|
|
const x2 = b[i];
|
|
gt |= @as(T, @truncate((@as(Cext, x2) -% @as(Cext, x1)) >> bits)) & eq;
|
|
eq &= @as(T, @truncate((@as(Cext, (x2 ^ x1)) -% 1) >> bits));
|
|
}
|
|
}
|
|
if (gt != 0) {
|
|
return Order.gt;
|
|
} else if (eq != 0) {
|
|
return Order.eq;
|
|
}
|
|
return Order.lt;
|
|
}
|
|
|
|
/// Add two integers serialized as arrays of the same size, in constant time.
|
|
/// The result is stored into `result`, and `true` is returned if an overflow occurred.
|
|
pub fn add(comptime T: type, a: []const T, b: []const T, result: []T, endian: Endian) bool {
|
|
const len = a.len;
|
|
assert(len == b.len and len == result.len);
|
|
var carry: u1 = 0;
|
|
if (endian == .little) {
|
|
var i: usize = 0;
|
|
while (i < len) : (i += 1) {
|
|
const ov1 = @addWithOverflow(a[i], b[i]);
|
|
const ov2 = @addWithOverflow(ov1[0], carry);
|
|
result[i] = ov2[0];
|
|
carry = ov1[1] | ov2[1];
|
|
}
|
|
} else {
|
|
var i: usize = len;
|
|
while (i != 0) {
|
|
i -= 1;
|
|
const ov1 = @addWithOverflow(a[i], b[i]);
|
|
const ov2 = @addWithOverflow(ov1[0], carry);
|
|
result[i] = ov2[0];
|
|
carry = ov1[1] | ov2[1];
|
|
}
|
|
}
|
|
return @as(bool, @bitCast(carry));
|
|
}
|
|
|
|
/// Subtract two integers serialized as arrays of the same size, in constant time.
|
|
/// The result is stored into `result`, and `true` is returned if an underflow occurred.
|
|
pub fn sub(comptime T: type, a: []const T, b: []const T, result: []T, endian: Endian) bool {
|
|
const len = a.len;
|
|
assert(len == b.len and len == result.len);
|
|
var borrow: u1 = 0;
|
|
if (endian == .little) {
|
|
var i: usize = 0;
|
|
while (i < len) : (i += 1) {
|
|
const ov1 = @subWithOverflow(a[i], b[i]);
|
|
const ov2 = @subWithOverflow(ov1[0], borrow);
|
|
result[i] = ov2[0];
|
|
borrow = ov1[1] | ov2[1];
|
|
}
|
|
} else {
|
|
var i: usize = len;
|
|
while (i != 0) {
|
|
i -= 1;
|
|
const ov1 = @subWithOverflow(a[i], b[i]);
|
|
const ov2 = @subWithOverflow(ov1[0], borrow);
|
|
result[i] = ov2[0];
|
|
borrow = ov1[1] | ov2[1];
|
|
}
|
|
}
|
|
return @as(bool, @bitCast(borrow));
|
|
}
|
|
|
|
fn markSecret(ptr: anytype, comptime action: enum { classify, declassify }) void {
|
|
const t = @typeInfo(@TypeOf(ptr));
|
|
if (t != .pointer) @compileError("Pointer expected - Found: " ++ @typeName(@TypeOf(ptr)));
|
|
const p = t.pointer;
|
|
if (p.is_allowzero) @compileError("A nullable pointer is always assumed to leak information via side channels");
|
|
const child = @typeInfo(p.child);
|
|
|
|
switch (child) {
|
|
.void, .null, .comptime_int, .comptime_float => return,
|
|
.pointer => {
|
|
if (child.pointer.size == .Slice) {
|
|
@compileError("Found pointer to pointer. If the intent was to pass a slice, maybe remove the leading & in the function call");
|
|
}
|
|
@compileError("A pointer value is always assumed leak information via side channels");
|
|
},
|
|
else => {
|
|
const mem8: *const [@sizeOf(@TypeOf(ptr.*))]u8 = @constCast(@ptrCast(ptr));
|
|
if (action == .classify) {
|
|
std.valgrind.memcheck.makeMemUndefined(mem8);
|
|
} else {
|
|
std.valgrind.memcheck.makeMemDefined(mem8);
|
|
}
|
|
},
|
|
}
|
|
}
|
|
|
|
/// Mark a value as sensitive or secret, helping to detect potential side-channel vulnerabilities.
|
|
///
|
|
/// When Valgrind is enabled, this function allows for the detection of conditional jumps or lookups
|
|
/// that depend on secrets or secret-derived data. Violations are reported by Valgrind as operations
|
|
/// relying on uninitialized values.
|
|
///
|
|
/// If Valgrind is disabled, it has no effect.
|
|
///
|
|
/// Use this function to verify that cryptographic operations perform constant-time arithmetic on sensitive data,
|
|
/// ensuring the confidentiality of secrets and preventing information leakage through side channels.
|
|
pub fn classify(ptr: anytype) void {
|
|
markSecret(ptr, .classify);
|
|
}
|
|
|
|
/// Mark a value as non-sensitive or public, indicating it's safe from side-channel attacks.
|
|
///
|
|
/// Signals that a value has been securely processed and is no longer confidential, allowing for
|
|
/// relaxed handling without fear of information leakage through conditional jumps or lookups.
|
|
pub fn declassify(ptr: anytype) void {
|
|
markSecret(ptr, .declassify);
|
|
}
|
|
|
|
test eql {
|
|
const random = std.crypto.random;
|
|
const expect = std.testing.expect;
|
|
var a: [100]u8 = undefined;
|
|
var b: [100]u8 = undefined;
|
|
random.bytes(a[0..]);
|
|
random.bytes(b[0..]);
|
|
try expect(!eql([100]u8, a, b));
|
|
a = b;
|
|
try expect(eql([100]u8, a, b));
|
|
}
|
|
|
|
test "eql (vectors)" {
|
|
if (@import("builtin").zig_backend == .stage2_x86_64) return error.SkipZigTest;
|
|
|
|
const random = std.crypto.random;
|
|
const expect = std.testing.expect;
|
|
var a: [100]u8 = undefined;
|
|
var b: [100]u8 = undefined;
|
|
random.bytes(a[0..]);
|
|
random.bytes(b[0..]);
|
|
const v1: @Vector(100, u8) = a;
|
|
const v2: @Vector(100, u8) = b;
|
|
try expect(!eql(@Vector(100, u8), v1, v2));
|
|
const v3: @Vector(100, u8) = a;
|
|
try expect(eql(@Vector(100, u8), v1, v3));
|
|
}
|
|
|
|
test compare {
|
|
const expectEqual = std.testing.expectEqual;
|
|
var a = [_]u8{10} ** 32;
|
|
var b = [_]u8{10} ** 32;
|
|
try expectEqual(compare(u8, &a, &b, .big), .eq);
|
|
try expectEqual(compare(u8, &a, &b, .little), .eq);
|
|
a[31] = 1;
|
|
try expectEqual(compare(u8, &a, &b, .big), .lt);
|
|
try expectEqual(compare(u8, &a, &b, .little), .lt);
|
|
a[0] = 20;
|
|
try expectEqual(compare(u8, &a, &b, .big), .gt);
|
|
try expectEqual(compare(u8, &a, &b, .little), .lt);
|
|
}
|
|
|
|
test "add and sub" {
|
|
const expectEqual = std.testing.expectEqual;
|
|
const expectEqualSlices = std.testing.expectEqualSlices;
|
|
const random = std.crypto.random;
|
|
const len = 32;
|
|
var a: [len]u8 = undefined;
|
|
var b: [len]u8 = undefined;
|
|
var c: [len]u8 = undefined;
|
|
const zero = [_]u8{0} ** len;
|
|
var iterations: usize = 100;
|
|
while (iterations != 0) : (iterations -= 1) {
|
|
random.bytes(&a);
|
|
random.bytes(&b);
|
|
const endian = if (iterations % 2 == 0) Endian.big else Endian.little;
|
|
_ = sub(u8, &a, &b, &c, endian); // a-b
|
|
_ = add(u8, &c, &b, &c, endian); // (a-b)+b
|
|
try expectEqualSlices(u8, &c, &a);
|
|
const borrow = sub(u8, &c, &a, &c, endian); // ((a-b)+b)-a
|
|
try expectEqualSlices(u8, &c, &zero);
|
|
try expectEqual(borrow, false);
|
|
}
|
|
}
|
|
|
|
test classify {
|
|
const random = std.crypto.random;
|
|
const expect = std.testing.expect;
|
|
|
|
var secret: [32]u8 = undefined;
|
|
random.bytes(&secret);
|
|
|
|
// Input of the hash function is marked as secret
|
|
classify(&secret);
|
|
|
|
var out: [32]u8 = undefined;
|
|
std.crypto.hash.sha3.TurboShake128(null).hash(&secret, &out, .{});
|
|
|
|
// Output of the hash function is derived from secret data, so
|
|
// it will automatically be considered secret as well. But it can be
|
|
// declassified; the input itself will still be considered secret.
|
|
declassify(&out);
|
|
|
|
// Comparing public data in non-constant time is acceptable.
|
|
try expect(!std.mem.eql(u8, &out, &[_]u8{0} ** out.len));
|
|
|
|
// Comparing secret data must be done in constant time. The result
|
|
// is going to be considered as secret as well.
|
|
var res = std.crypto.utils.timingSafeEql([32]u8, out, secret);
|
|
|
|
// If we want to make a conditional jump based on a secret,
|
|
// it has to be declassified.
|
|
declassify(&res);
|
|
try expect(!res);
|
|
|
|
// Once a secret has been declassified, a comparison in
|
|
// non-constant time is fine.
|
|
declassify(&secret);
|
|
try expect(!std.mem.eql(u8, &out, &secret));
|
|
}
|