1 // SPDX-License-Identifier: GPL-2.0 OR MIT 2 /* 3 * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. 4 * 5 * This is a specialized constant-time base64/hex implementation that resists side-channel attacks. 6 */ 7 8 #include <string.h> 9 #include "encoding.h" 10 11 static inline void encode_base64(char dest[static 4], const uint8_t src[static 3]) 12 { 13 const uint8_t input[] = { (src[0] >> 2) & 63, ((src[0] << 4) | (src[1] >> 4)) & 63, ((src[1] << 2) | (src[2] >> 6)) & 63, src[2] & 63 }; 14 15 for (unsigned int i = 0; i < 4; ++i) 16 dest[i] = input[i] + 'A' 17 + (((25 - input[i]) >> 8) & 6) 18 - (((51 - input[i]) >> 8) & 75) 19 - (((61 - input[i]) >> 8) & 15) 20 + (((62 - input[i]) >> 8) & 3); 21 22 } 23 24 void key_to_base64(char base64[static WG_KEY_LEN_BASE64], const uint8_t key[static WG_KEY_LEN]) 25 { 26 unsigned int i; 27 28 for (i = 0; i < WG_KEY_LEN / 3; ++i) 29 encode_base64(&base64[i * 4], &key[i * 3]); 30 encode_base64(&base64[i * 4], (const uint8_t[]){ key[i * 3 + 0], key[i * 3 + 1], 0 }); 31 base64[WG_KEY_LEN_BASE64 - 2] = '='; 32 base64[WG_KEY_LEN_BASE64 - 1] = '\0'; 33 } 34 35 static inline int decode_base64(const char src[static 4]) 36 { 37 int val = 0; 38 39 for (unsigned int i = 0; i < 4; ++i) 40 val |= (-1 41 + ((((('A' - 1) - src[i]) & (src[i] - ('Z' + 1))) >> 8) & (src[i] - 64)) 42 + ((((('a' - 1) - src[i]) & (src[i] - ('z' + 1))) >> 8) & (src[i] - 70)) 43 + ((((('0' - 1) - src[i]) & (src[i] - ('9' + 1))) >> 8) & (src[i] + 5)) 44 + ((((('+' - 1) - src[i]) & (src[i] - ('+' + 1))) >> 8) & 63) 45 + ((((('/' - 1) - src[i]) & (src[i] - ('/' + 1))) >> 8) & 64) 46 ) << (18 - 6 * i); 47 return val; 48 } 49 50 bool key_from_base64(uint8_t key[static WG_KEY_LEN], const char *base64) 51 { 52 unsigned int i; 53 volatile uint8_t ret = 0; 54 int val; 55 56 if (strlen(base64) != WG_KEY_LEN_BASE64 - 1 || base64[WG_KEY_LEN_BASE64 - 2] != '=') 57 return false; 58 59 for (i = 0; i < WG_KEY_LEN / 3; ++i) { 60 val = decode_base64(&base64[i * 4]); 61 ret |= (uint32_t)val >> 31; 62 key[i * 3 + 0] = (val >> 16) & 0xff; 63 key[i * 3 + 1] = (val >> 8) & 0xff; 64 key[i * 3 + 2] = val & 0xff; 65 } 66 val = decode_base64((const char[]){ base64[i * 4 + 0], base64[i * 4 + 1], base64[i * 4 + 2], 'A' }); 67 ret |= ((uint32_t)val >> 31) | (val & 0xff); 68 key[i * 3 + 0] = (val >> 16) & 0xff; 69 key[i * 3 + 1] = (val >> 8) & 0xff; 70 71 return 1 & ((ret - 1) >> 8); 72 } 73 74 void key_to_hex(char hex[static WG_KEY_LEN_HEX], const uint8_t key[static WG_KEY_LEN]) 75 { 76 unsigned int i; 77 78 for (i = 0; i < WG_KEY_LEN; ++i) { 79 hex[i * 2] = 87U + (key[i] >> 4) + ((((key[i] >> 4) - 10U) >> 8) & ~38U); 80 hex[i * 2 + 1] = 87U + (key[i] & 0xf) + ((((key[i] & 0xf) - 10U) >> 8) & ~38U); 81 } 82 hex[i * 2] = '\0'; 83 } 84 85 bool key_from_hex(uint8_t key[static WG_KEY_LEN], const char *hex) 86 { 87 uint8_t c, c_acc, c_alpha0, c_alpha, c_num0, c_num, c_val; 88 volatile uint8_t ret = 0; 89 90 if (strlen(hex) != WG_KEY_LEN_HEX - 1) 91 return false; 92 93 for (unsigned int i = 0; i < WG_KEY_LEN_HEX - 1; i += 2) { 94 c = (uint8_t)hex[i]; 95 c_num = c ^ 48U; 96 c_num0 = (c_num - 10U) >> 8; 97 c_alpha = (c & ~32U) - 55U; 98 c_alpha0 = ((c_alpha - 10U) ^ (c_alpha - 16U)) >> 8; 99 ret |= ((c_num0 | c_alpha0) - 1) >> 8; 100 c_val = (c_num0 & c_num) | (c_alpha0 & c_alpha); 101 c_acc = c_val * 16U; 102 103 c = (uint8_t)hex[i + 1]; 104 c_num = c ^ 48U; 105 c_num0 = (c_num - 10U) >> 8; 106 c_alpha = (c & ~32U) - 55U; 107 c_alpha0 = ((c_alpha - 10U) ^ (c_alpha - 16U)) >> 8; 108 ret |= ((c_num0 | c_alpha0) - 1) >> 8; 109 c_val = (c_num0 & c_num) | (c_alpha0 & c_alpha); 110 key[i / 2] = c_acc | c_val; 111 } 112 113 return 1 & ((ret - 1) >> 8); 114 } 115 116 bool key_is_zero(const uint8_t key[static WG_KEY_LEN]) 117 { 118 volatile uint8_t acc = 0; 119 120 for (unsigned int i = 0; i < WG_KEY_LEN; ++i) { 121 acc |= key[i]; 122 asm volatile("" : "=r"(acc) : "0"(acc)); 123 } 124 return 1 & ((acc - 1) >> 8); 125 } 126