Commit bd07154242

Frank Denis <github@pureftpd.org>
2020-08-23 01:36:37
Add mem.timingSafeEql() for constant-time array comparison
This is a trivial implementation that just does a or[xor] loop. However, this pattern is used by virtually all crypto libraries and in practice, even without assembly barriers, LLVM never turns it into code with conditional jumps, even if one of the parameters is constant. This has been verified to still be the case with LLVM 11.0.0.
master
1 parent 03ae77b
Changed files (7)
lib
std
crypto
bcrypt.zig
ghash.zig
poly1305.zig
salsa20.zig
utils.zig
crypto.zig
mem.zig
lib/std/crypto/bcrypt.zig
@@ -11,6 +11,7 @@ const math = std.math;
 const mem = std.mem;
 const debug = std.debug;
 const testing = std.testing;
+const utils = std.crypto.utils;
 
 const salt_length: usize = 16;
 const salt_str_length: usize = 22;
@@ -226,7 +227,7 @@ fn strHashInternal(password: []const u8, rounds_log: u6, salt: [salt_length]u8)
         state.expand0(passwordZ);
         state.expand0(salt[0..]);
     }
-    mem.secureZero(u8, &password_buf);
+    utils.secureZero(u8, &password_buf);
 
     var cdata = [6]u32{ 0x4f727068, 0x65616e42, 0x65686f6c, 0x64657253, 0x63727944, 0x6f756274 }; // "OrpheanBeholderScryDoubt"
     k = 0;
lib/std/crypto/ghash.zig
@@ -10,6 +10,7 @@ const std = @import("../std.zig");
 const assert = std.debug.assert;
 const math = std.math;
 const mem = std.mem;
+const utils = std.crypto.utils;
 
 /// GHASH is a universal hash function that features multiplication
 /// by a fixed parameter within a Galois field.
@@ -305,7 +306,7 @@ pub const Ghash = struct {
         mem.writeIntBig(u64, out[0..8], st.y1);
         mem.writeIntBig(u64, out[8..16], st.y0);
 
-        mem.secureZero(u8, @ptrCast([*]u8, st)[0..@sizeOf(Ghash)]);
+        utils.secureZero(u8, @ptrCast([*]u8, st)[0..@sizeOf(Ghash)]);
     }
 
     pub fn create(out: *[mac_length]u8, msg: []const u8, key: *const [key_length]u8) void {
lib/std/crypto/poly1305.zig
@@ -4,6 +4,7 @@
 // The MIT license requires this copyright notice to be included in all copies
 // and substantial portions of the software.
 const std = @import("../std.zig");
+const utils = std.crypto.utils;
 const mem = std.mem;
 
 pub const Poly1305 = struct {
@@ -195,7 +196,7 @@ pub const Poly1305 = struct {
         mem.writeIntLittle(u64, out[0..8], st.h[0]);
         mem.writeIntLittle(u64, out[8..16], st.h[1]);
 
-        std.mem.secureZero(u8, @ptrCast([*]u8, st)[0..@sizeOf(Poly1305)]);
+        utils.secureZero(u8, @ptrCast([*]u8, st)[0..@sizeOf(Poly1305)]);
     }
 
     pub fn create(out: *[mac_length]u8, msg: []const u8, key: *const [key_length]u8) void {
lib/std/crypto/salsa20.zig
@@ -9,6 +9,7 @@ const crypto = std.crypto;
 const debug = std.debug;
 const math = std.math;
 const mem = std.mem;
+const utils = std.crypto.utils;
 const Vector = std.meta.Vector;
 
 const Poly1305 = crypto.onetimeauth.Poly1305;
@@ -414,7 +415,7 @@ pub const XSalsa20Poly1305 = struct {
             acc |= computedTag[i] ^ tag[i];
         }
         if (acc != 0) {
-            mem.secureZero(u8, &computedTag);
+            utils.secureZero(u8, &computedTag);
             return error.AuthenticationFailed;
         }
         mem.copy(u8, m[0..mlen0], block0[32..][0..mlen0]);
@@ -532,7 +533,7 @@ pub const SealedBox = struct {
         const nonce = createNonce(ekp.public_key, public_key);
         mem.copy(u8, c[0..public_length], ekp.public_key[0..]);
         try Box.seal(c[Box.public_length..], m, nonce, public_key, ekp.secret_key);
-        mem.secureZero(u8, ekp.secret_key[0..]);
+        utils.secureZero(u8, ekp.secret_key[0..]);
     }
 
     /// Decrypt a message using a key pair.
lib/std/crypto/utils.zig
@@ -0,0 +1,86 @@
+const std = @import("../std.zig");
+const mem = std.mem;
+const testing = std.testing;
+
+/// Compares two arrays in constant time (for a given length) and returns whether they are equal.
+/// This function was designed to compare short cryptographic secrets (MACs, signatures).
+/// For all other applications, use mem.eql() instead.
+pub fn timingSafeEql(comptime T: type, a: T, b: T) bool {
+    switch (@typeInfo(T)) {
+        .Array => |info| {
+            const C = info.child;
+            if (@typeInfo(C) != .Int) {
+                @compileError("Elements to be compared must be integers");
+            }
+            var acc = @as(C, 0);
+            for (a) |x, i| {
+                acc |= x ^ b[i];
+            }
+            comptime const s = @typeInfo(C).Int.bits;
+            comptime const Cu = std.meta.Int(.unsigned, s);
+            comptime const Cext = std.meta.Int(.unsigned, s + 1);
+            return @bitCast(bool, @truncate(u1, (@as(Cext, @bitCast(Cu, acc)) -% 1) >> s));
+        },
+        .Vector => |info| {
+            const C = info.child;
+            if (@typeInfo(C) != .Int) {
+                @compileError("Elements to be compared must be integers");
+            }
+            const z = a ^ b;
+            var acc = @as(C, 0);
+            var i: usize = 0;
+            while (i < info.len) : (i += 1) {
+                acc |= z[i];
+            }
+            comptime const s = @typeInfo(C).Int.bits;
+            comptime const Cu = std.meta.Int(.unsigned, s);
+            comptime const Cext = std.meta.Int(.unsigned, s + 1);
+            return @bitCast(bool, @truncate(u1, (@as(Cext, @bitCast(Cu, acc)) -% 1) >> s));
+        },
+        else => {
+            @compileError("Only arrays and vectors can be compared");
+        },
+    }
+}
+
+/// Sets a slice to zeroes.
+/// Prevents the store from being optimized out.
+pub fn secureZero(comptime T: type, s: []T) void {
+    // NOTE: We do not use a volatile slice cast here since LLVM cannot
+    // see that it can be replaced by a memset.
+    const ptr = @ptrCast([*]volatile u8, s.ptr);
+    const length = s.len * @sizeOf(T);
+    @memset(ptr, 0, length);
+}
+
+test "crypto.utils.timingSafeEql" {
+    var a: [100]u8 = undefined;
+    var b: [100]u8 = undefined;
+    try std.crypto.randomBytes(a[0..]);
+    try std.crypto.randomBytes(b[0..]);
+    testing.expect(!timingSafeEql([100]u8, a, b));
+    mem.copy(u8, a[0..], b[0..]);
+    testing.expect(timingSafeEql([100]u8, a, b));
+}
+
+test "crypto.utils.timingSafeEql (vectors)" {
+    var a: [100]u8 = undefined;
+    var b: [100]u8 = undefined;
+    try std.crypto.randomBytes(a[0..]);
+    try std.crypto.randomBytes(b[0..]);
+    const v1: std.meta.Vector(100, u8) = a;
+    const v2: std.meta.Vector(100, u8) = b;
+    testing.expect(!timingSafeEql(std.meta.Vector(100, u8), v1, v2));
+    const v3: std.meta.Vector(100, u8) = a;
+    testing.expect(timingSafeEql(std.meta.Vector(100, u8), v1, v3));
+}
+
+test "crypto.utils.secureZero" {
+    var a = [_]u8{0xfe} ** 8;
+    var b = [_]u8{0xfe} ** 8;
+
+    mem.set(u8, a[0..], 0);
+    secureZero(u8, b[0..]);
+
+    testing.expectEqualSlices(u8, a[0..], b[0..]);
+}
lib/std/crypto.zig
@@ -130,6 +130,8 @@ pub const nacl = struct {
     pub const SealedBox = salsa20.SealedBox;
 };
 
+pub const utils = @import("crypto/utils.zig");
+
 const std = @import("std.zig");
 pub const randomBytes = std.os.getrandom;
lib/std/mem.zig
@@ -342,26 +342,6 @@ test "mem.zeroes" {
     testing.expectEqual(@as(u8, 0), c.a);
 }
 
-/// Sets a slice to zeroes.
-/// Prevents the store from being optimized out.
-pub fn secureZero(comptime T: type, s: []T) void {
-    // NOTE: We do not use a volatile slice cast here since LLVM cannot
-    // see that it can be replaced by a memset.
-    const ptr = @ptrCast([*]volatile u8, s.ptr);
-    const length = s.len * @sizeOf(T);
-    @memset(ptr, 0, length);
-}
-
-test "mem.secureZero" {
-    var a = [_]u8{0xfe} ** 8;
-    var b = [_]u8{0xfe} ** 8;
-
-    set(u8, a[0..], 0);
-    secureZero(u8, b[0..]);
-
-    testing.expectEqualSlices(u8, a[0..], b[0..]);
-}
-
 /// Initializes all fields of the struct with their default value, or zero values if no default value is present.
 /// If the field is present in the provided initial values, it will have that value instead.
 /// Structs are initialized recursively.