purecrypto 0.2.0

A pure-Rust cryptography toolkit with no foreign-code dependencies, from constant-time primitives up to keys, X.509 and TLS.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92

//! Constant-time ordering for unsigned integers.
//!
//! These are the comparisons needed by constant-time bignum arithmetic (e.g.
//! deciding a conditional subtraction). They are defined for unsigned types
//! only; signed ordering needs separate handling of the sign bit.

use super::Choice;

/// Greater-than comparison that runs in time independent of the values.
pub trait ConstantTimeGreater {
    /// Returns a [`Choice`] that is true iff `self > other`.
    fn ct_gt(&self, other: &Self) -> Choice;
}

/// Less-than comparison that runs in time independent of the values.
pub trait ConstantTimeLess: ConstantTimeGreater {
    /// Returns a [`Choice`] that is true iff `self < other`.
    #[inline]
    fn ct_lt(&self, other: &Self) -> Choice {
        other.ct_gt(self)
    }
}

macro_rules! impl_ct_ord_uint {
    ($($t:ty),+ $(,)?) => {$(
        impl ConstantTimeGreater for $t {
            #[inline]
            fn ct_gt(&self, other: &$t) -> Choice {
                let bits = <$t>::BITS;
                // Bits where self is greater (1) / less (0) than other.
                let gtb = self & !other;
                let mut ltb = !self & other;
                // Smear each "less" bit downward, so position i is set iff some
                // "less" bit exists at position >= i.
                let mut pow = 1;
                while pow < bits {
                    ltb |= ltb >> pow;
                    pow <<= 1;
                }
                // Keep only "greater" bits with no "less" bit at or above them,
                // i.e. self > other iff the highest differing bit is a gt bit.
                let mut bit = gtb & !ltb;
                // Fold the surviving bit down to the LSB.
                let mut pow = 1;
                while pow < bits {
                    bit |= bit >> pow;
                    pow <<= 1;
                }
                Choice::from(core::hint::black_box((bit & 1) as u8))
            }
        }

        impl ConstantTimeLess for $t {}
    )+};
}

impl_ct_ord_uint!(u8, u16, u32, u64, u128, usize);

#[cfg(test)]
mod tests {
    use super::*;

    fn b(c: Choice) -> bool {
        c.into()
    }

    #[test]
    fn u8_exhaustive() {
        for a in 0u8..=u8::MAX {
            for c in 0u8..=u8::MAX {
                assert_eq!(b(a.ct_gt(&c)), a > c);
                assert_eq!(b(a.ct_lt(&c)), a < c);
            }
        }
    }

    #[test]
    fn wide_edges() {
        assert!(b(1u64.ct_gt(&0)));
        assert!(!b(0u64.ct_gt(&0)));
        assert!(!b(0u64.ct_gt(&1)));
        assert!(b(u64::MAX.ct_gt(&(u64::MAX - 1))));
        assert!(b((u64::MAX - 1).ct_lt(&u64::MAX)));
        assert!(!b(u64::MAX.ct_lt(&u64::MAX)));

        assert!(b((1u128 << 100).ct_gt(&(1u128 << 99))));
        assert!(b(0u128.ct_lt(&u128::MAX)));

        assert!(b(200u8.ct_gt(&100)));
        assert!(!b(100u8.ct_gt(&200)));
    }
}