krypteia-silentops 0.1.0

//! ARMv6-M Thumb constant-time primitives (Cortex-M0/M0+).
//!
//! The M0/M0+ has NO IT blocks, NO conditional execution, NO csel.
//! Only 16-bit Thumb instructions + a few 32-bit (BL, MRS, MSR).
//!
//! Constant-time selection must use pure bitwise operations:
//!   result = (a & mask) | (b & ~mask)
//! where mask is all-ones or all-zeros derived from the condition.
//!
//! Targets: STM32F0, STM32L0, Raspberry Pi Pico (RP2040), some Secure Elements.

use core::arch::asm;

/// Constant-time select for Cortex-M0 (no IT blocks).
///
/// ```asm
///   @ Build mask: 0xFFFFFFFF if condition != 0, 0x00000000 if condition == 0
///   subs  mask, condition, #1   @ sets carry if condition != 0
///   sbcs  mask, mask, mask      @ mask = 0xFFFFFFFF if carry, 0x00000000 if not
///   @ Hmm actually: rsbs + sbcs is cleaner
///   @ Better approach:
///   negs  mask, condition       @ mask = -condition (0 or negative)
///   asrs  mask, mask, #31       @ arithmetic shift: 0x00000000 or 0xFFFFFFFF
///   @ Select: result = (a & mask) | (b & ~mask)
///   ands  t1, a, mask
///   bics  t2, b, mask           @ t2 = b & ~mask
///   orrs  result, t1, t2
/// ```
#[inline(always)]
pub fn ct_select_u8(a: u8, b: u8, condition: u8) -> u8 {
    let result: u32;
    unsafe {
        asm!(
            // Build mask: all-ones if condition!=0, all-zeros if condition==0
            "negs {mask}, {cond}",        // mask = -condition
            "asrs {mask}, {mask}, #31",   // arithmetic shift right 31 → 0 or 0xFFFFFFFF
            // Select: result = (a & mask) | (b & ~mask)
            "ands {t}, {a}, {mask}",      // t = a & mask
            "bics {out}, {b}, {mask}",    // out = b & ~mask
            "orrs {out}, {out}, {t}",     // out = (a & mask) | (b & ~mask)
            a = in(reg) a as u32,
            b = in(reg) b as u32,
            cond = in(reg) condition as u32,
            mask = out(reg) _,
            t = out(reg) _,
            out = out(reg) result,
            options(pure, nomem, nostack),
        );
    }
    result as u8
}

#[inline(always)]
pub fn ct_select_i16(a: i16, b: i16, condition: u8) -> i16 {
    let result: u32;
    unsafe {
        asm!(
            "negs {mask}, {cond}",
            "asrs {mask}, {mask}, #31",
            "ands {t}, {a}, {mask}",
            "bics {out}, {b}, {mask}",
            "orrs {out}, {out}, {t}",
            a = in(reg) a as u32,
            b = in(reg) b as u32,
            cond = in(reg) condition as u32,
            mask = out(reg) _,
            t = out(reg) _,
            out = out(reg) result,
            options(pure, nomem, nostack),
        );
    }
    result as i16
}

#[inline(always)]
pub fn ct_select_i32(a: i32, b: i32, condition: u8) -> i32 {
    let result: u32;
    unsafe {
        asm!(
            "negs {mask}, {cond}",
            "asrs {mask}, {mask}, #31",
            "ands {t}, {a}, {mask}",
            "bics {out}, {b}, {mask}",
            "orrs {out}, {out}, {t}",
            a = in(reg) a as u32,
            b = in(reg) b as u32,
            cond = in(reg) condition as u32,
            mask = out(reg) _,
            t = out(reg) _,
            out = out(reg) result,
            options(pure, nomem, nostack),
        );
    }
    result as i32
}

/// Constant-time equality of two `u32`s: returns 1 if `a == b`, 0 otherwise.
#[inline(always)]
pub fn ct_eq_u32(a: u32, b: u32) -> u8 {
    let diff = a ^ b;
    let mask = (diff | diff.wrapping_neg()) >> 31;
    ((mask as u8) ^ 1) & 1
}

#[inline(never)]
pub fn ct_eq(a: &[u8], b: &[u8]) -> u8 {
    if a.len() != b.len() {
        return 0;
    }
    let mut diff = 0u8;
    for i in 0..a.len() {
        diff |= a[i] ^ b[i];
    }
    // Branchless: (diff == 0) → 1, else → 0
    // Use: result = 1 - min(diff, 1) via shift
    let d32 = diff as u32;
    let result: u32;
    unsafe {
        asm!(
            "negs {t}, {d}",       // t = -d
            "orrs {t}, {t}, {d}",  // t = d | -d (MSB set if d != 0)
            "lsrs {t}, {t}, #31",  // t = 0 if d==0, 1 if d!=0
            "movs {out}, #1",
            "subs {out}, {out}, {t}", // out = 1 - t
            d = in(reg) d32,
            t = out(reg) _,
            out = out(reg) result,
            options(pure, nomem, nostack),
        );
    }
    result as u8
}

#[inline(never)]
pub fn ct_copy(dst: &mut [u8], src: &[u8], condition: u8) {
    let len = dst.len().min(src.len());
    for i in 0..len {
        dst[i] = ct_select_u8(src[i], dst[i], condition);
    }
}

/// Constant-time slice select: writes `a` to `out` if `condition != 0`,
/// else writes `b`. Both `a` and `b` are read in full byte-by-byte; no
/// secret-dependent control flow or memory access. Length used is
/// `out.len().min(a.len()).min(b.len())`.
#[inline(never)]
pub fn ct_select_bytes(out: &mut [u8], a: &[u8], b: &[u8], condition: u8) {
    let len = out.len().min(a.len()).min(b.len());
    for i in 0..len {
        out[i] = ct_select_u8(a[i], b[i], condition);
    }
}

#[inline(never)]
pub fn ct_zeroize(buf: &mut [u8]) {
    for byte in buf.iter_mut() {
        unsafe { core::ptr::write_volatile(byte, 0) };
    }
    core::sync::atomic::compiler_fence(core::sync::atomic::Ordering::SeqCst);
}

#[inline(never)]
pub fn ct_zeroize_i16(buf: &mut [i16]) {
    for val in buf.iter_mut() {
        unsafe { core::ptr::write_volatile(val, 0) };
    }
    core::sync::atomic::compiler_fence(core::sync::atomic::Ordering::SeqCst);
}