subtle-2.1.1/CHANGELOG.md010064400017500001750000000007521352041323400130440ustar0000000000000000# Changelog Entries are listed in reverse chronological order. ## 2.1.1 * Adds the "crypto" tag to crate metadata. * New shorter, more efficient ct_eq() for integers, contributed by Thomas Pornin. ## 2.1.0 * Adds a new `CtOption` which acts as a constant-time `Option` (thanks to @ebfull for the implementation). * `Choice` now itself implements `ConditionallySelectable`. ## 2.0.0 * Stable version with traits reworked from 1.0.0 to interact better with the orphan rules. subtle-2.1.1/CONTRIBUTING.md010064400017500001750000000025251335254054100134710ustar0000000000000000# Contributing to subtle If you have questions or comments, please feel free to email the authors. For feature requests, suggestions, and bug reports, please open an issue on [our Github](https://github.com/dalek-cryptography/subtle). (Or, send us an email if you're opposed to using Github for whatever reason.) Patches are welcomed as pull requests on [our Github](https://github.com/dalek-cryptography/subtle), as well as by email (preferably sent to all of the authors listed in `Cargo.toml`). We're happy to take generalised utility code, provided the code is: 1. constant time for all potential valid invocations, and 2. applicable to implementations of several different protocols/primitives. All issues on subtle are mentored, if you want help with a bug just ask @isislovecruft or @hdevalence. Some issues are easier than others. The `easy` label can be used to find the easy issues. If you want to work on an issue, please leave a comment so that we can assign it to you! # Code of Conduct We follow the [Rust Code of Conduct](http://www.rust-lang.org/conduct.html), with the following additional clauses: * We respect the rights to privacy and anonymity for contributors and people in the community. If someone wishes to contribute under a pseudonym different to their primary identity, that wish is to be respected by all contributors. subtle-2.1.1/Cargo.toml.orig010064400017500001750000000013571352041313600141250ustar0000000000000000[package] name = "subtle" version = "2.1.1" authors = ["Isis Lovecruft ", "Henry de Valence "] readme = "README.md" license = "BSD-3-Clause" repository = "https://github.com/dalek-cryptography/subtle" homepage = "https://dalek.rs/" documentation = "https://docs.rs/subtle" categories = ["cryptography", "no-std"] keywords = ["cryptography", "crypto", "constant-time", "utilities"] description = "Pure-Rust traits and utilities for constant-time cryptographic implementations." exclude = [ "**/.gitignore", ".travis.yml", ] [badges] travis-ci = { repository = "dalek-cryptography/subtle", branch = "master"} [features] default = ["std", "i128"] std = [] i128 = [] nightly = [] subtle-2.1.1/Cargo.toml0000644000000023360000000000000103740ustar00# THIS FILE IS AUTOMATICALLY GENERATED BY CARGO # # When uploading crates to the registry Cargo will automatically # "normalize" Cargo.toml files for maximal compatibility # with all versions of Cargo and also rewrite `path` dependencies # to registry (e.g. crates.io) dependencies # # If you believe there's an error in this file please file an # issue against the rust-lang/cargo repository. If you're # editing this file be aware that the upstream Cargo.toml # will likely look very different (and much more reasonable) [package] name = "subtle" version = "2.1.1" authors = ["Isis Lovecruft ", "Henry de Valence "] exclude = ["**/.gitignore", ".travis.yml"] description = "Pure-Rust traits and utilities for constant-time cryptographic implementations." homepage = "https://dalek.rs/" documentation = "https://docs.rs/subtle" readme = "README.md" keywords = ["cryptography", "crypto", "constant-time", "utilities"] categories = ["cryptography", "no-std"] license = "BSD-3-Clause" repository = "https://github.com/dalek-cryptography/subtle" [features] default = ["std", "i128"] i128 = [] nightly = [] std = [] [badges.travis-ci] branch = "master" repository = "dalek-cryptography/subtle" subtle-2.1.1/Cargo.toml.orig0000644000000023370000000000000113340ustar00# THIS FILE IS AUTOMATICALLY GENERATED BY CARGO # # When uploading crates to the registry Cargo will automatically # "normalize" Cargo.toml files for maximal compatibility # with all versions of Cargo and also rewrite `path` dependencies # to registry (e.g., crates.io) dependencies # # If you believe there's an error in this file please file an # issue against the rust-lang/cargo repository. If you're # editing this file be aware that the upstream Cargo.toml # will likely look very different (and much more reasonable) [package] name = "subtle" version = "2.1.1" authors = ["Isis Lovecruft ", "Henry de Valence "] exclude = ["**/.gitignore", ".travis.yml"] description = "Pure-Rust traits and utilities for constant-time cryptographic implementations." homepage = "https://dalek.rs/" documentation = "https://docs.rs/subtle" readme = "README.md" keywords = ["cryptography", "crypto", "constant-time", "utilities"] categories = ["cryptography", "no-std"] license = "BSD-3-Clause" repository = "https://github.com/dalek-cryptography/subtle" [features] default = ["std", "i128"] i128 = [] nightly = [] std = [] [badges.travis-ci] branch = "master" repository = "dalek-cryptography/subtle" subtle-2.1.1/LICENSE010064400017500001750000000027531335254054100122500ustar0000000000000000Copyright (c) 2016-2017 Isis Agora Lovecruft, Henry de Valence. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. subtle-2.1.1/README.md010064400017500001750000000055011346167125300125220ustar0000000000000000# subtle [![](https://img.shields.io/crates/v/subtle.svg)](https://crates.io/crates/subtle) [![](https://img.shields.io/badge/dynamic/json.svg?label=docs&uri=https%3A%2F%2Fcrates.io%2Fapi%2Fv1%2Fcrates%2Fsubtle%2Fversions&query=%24.versions%5B0%5D.num&colorB=4F74A6)](https://doc.dalek.rs/subtle) [![](https://travis-ci.org/dalek-cryptography/subtle.svg?branch=master)](https://travis-ci.org/dalek-cryptography/subtle) **Pure-Rust traits and utilities for constant-time cryptographic implementations.** It consists of a `Choice` type, and a collection of traits using `Choice` instead of `bool` which are intended to execute in constant-time. The `Choice` type is a wrapper around a `u8` that holds a `0` or `1`. This crate represents a “best-effort” attempt, since side-channels are ultimately a property of a deployed cryptographic system including the hardware it runs on, not just of software. The traits are implemented using bitwise operations, and should execute in constant time provided that a) the bitwise operations are constant-time and b) the operations are not optimized into a branch. To prevent the latter possibility, when using the `nightly` feature (recommended), the crate attempts to hide the value of a `Choice`'s inner `u8` from the optimizer, by passing it through an inline assembly block. For more information, see the _About_ section below. When not using the `nightly` feature, there is no protection against b). This is unfortunate, but is at least no worse than C code, and has the advantange that if a suitable black box is stabilized, we will be able to transparently enable it with no changes to the external interface). ```toml [dependencies.subtle] version = "2.1" features = ["nightly"] ``` ## Features * The `nightly` feature enables the use of an optimization barrier to protect the `Choice` type. _Using the `nightly` feature is recommended for security_. ## Documentation Documentation is available [here][docs]. ## About This library aims to be the Rust equivalent of Go’s `crypto/subtle` module. The optimization barrier in `impl From for Choice` was based on Tim Maclean's [work on `rust-timing-shield`][rust-timing-shield], which attempts to provide a more comprehensive approach for preventing software side-channels in Rust code. `subtle` is authored by isis agora lovecruft and Henry de Valence. ## Warning This code is a low-level library, intended for specific use-cases implementing cryptographic protocols. It represents a best-effort attempt to protect against some software side-channels. Because side-channel resistance is not a property of software alone, but of software together with hardware, any such effort is fundamentally limited. **USE AT YOUR OWN RISK** [docs]: https://doc.dalek.rs/subtle [rust-timing-shield]: https://www.chosenplaintext.ca/open-source/rust-timing-shield/security subtle-2.1.1/src/lib.rs010064400017500001750000000450561352011654200131460ustar0000000000000000// -*- mode: rust; -*- // // This file is part of subtle, part of the dalek cryptography project. // Copyright (c) 2016-2018 isis lovecruft, Henry de Valence // See LICENSE for licensing information. // // Authors: // - isis agora lovecruft // - Henry de Valence #![no_std] #![cfg_attr(feature = "nightly", feature(asm))] #![cfg_attr(feature = "nightly", feature(external_doc))] #![cfg_attr(feature = "nightly", doc(include = "../README.md"))] #![cfg_attr(feature = "nightly", deny(missing_docs))] #![doc(html_logo_url = "https://doc.dalek.rs/assets/dalek-logo-clear.png")] //! Note that docs will only build on nightly Rust until //! [RFC 1990 stabilizes](https://github.com/rust-lang/rust/issues/44732). #[cfg(feature = "std")] #[macro_use] extern crate std; use core::ops::{BitAnd, BitAndAssign, BitOr, BitOrAssign, BitXor, BitXorAssign, Neg, Not}; /// The `Choice` struct represents a choice for use in conditional /// assignment. /// /// It is a wrapper around a `u8`, which should have the value either /// `1` (true) or `0` (false). /// /// With the `nightly` feature enabled, the conversion from `u8` to /// `Choice` passes the value through an optimization barrier, as a /// best-effort attempt to prevent the compiler from inferring that the /// `Choice` value is a boolean. This strategy is based on Tim /// Maclean's [work on `rust-timing-shield`][rust-timing-shield], /// which attempts to provide a more comprehensive approach for /// preventing software side-channels in Rust code. /// /// The `Choice` struct implements operators for AND, OR, XOR, and /// NOT, to allow combining `Choice` values. /// These operations do not short-circuit. /// /// [rust-timing-shield]: https://www.chosenplaintext.ca/open-source/rust-timing-shield/security #[derive(Copy, Clone, Debug)] pub struct Choice(u8); impl Choice { /// Unwrap the `Choice` wrapper to reveal the underlying `u8`. /// /// # Note /// /// This function only exists as an escape hatch for the rare case /// where it's not possible to use one of the `subtle`-provided /// trait impls. /// /// To convert a `Choice` to a `bool`, use the `From` implementation instead. #[inline] pub fn unwrap_u8(&self) -> u8 { self.0 } } impl From for bool { /// Convert the `Choice` wrapper into a `bool`, depending on whether /// the underlying `u8` was a `0` or a `1`. /// /// # Note /// /// This function exists to avoid having higher-level cryptographic protocol /// implementations duplicating this pattern. /// /// The intended use case for this conversion is at the _end_ of a /// higher-level primitive implementation: for example, in checking a keyed /// MAC, where the verification should happen in constant-time (and thus use /// a `Choice`) but it is safe to return a `bool` at the end of the /// verification. #[inline] fn from(source: Choice) -> bool { debug_assert!((source.0 == 0u8) | (source.0 == 1u8)); source.0 != 0 } } impl BitAnd for Choice { type Output = Choice; #[inline] fn bitand(self, rhs: Choice) -> Choice { (self.0 & rhs.0).into() } } impl BitAndAssign for Choice { #[inline] fn bitand_assign(&mut self, rhs: Choice) { *self = *self & rhs; } } impl BitOr for Choice { type Output = Choice; #[inline] fn bitor(self, rhs: Choice) -> Choice { (self.0 | rhs.0).into() } } impl BitOrAssign for Choice { #[inline] fn bitor_assign(&mut self, rhs: Choice) { *self = *self | rhs; } } impl BitXor for Choice { type Output = Choice; #[inline] fn bitxor(self, rhs: Choice) -> Choice { (self.0 ^ rhs.0).into() } } impl BitXorAssign for Choice { #[inline] fn bitxor_assign(&mut self, rhs: Choice) { *self = *self ^ rhs; } } impl Not for Choice { type Output = Choice; #[inline] fn not(self) -> Choice { (1u8 & (!self.0)).into() } } /// This function is a best-effort attempt to prevent the compiler /// from knowing anything about the value of the returned `u8`, other /// than its type. /// /// Uses inline asm when available, otherwise it's a no-op. #[cfg(all(feature = "nightly", not(any(target_arch = "asmjs", target_arch = "wasm32"))))] fn black_box(input: u8) -> u8 { debug_assert!((input == 0u8) | (input == 1u8)); // Pretend to access a register containing the input. We "volatile" here // because some optimisers treat assembly templates without output operands // as "volatile" while others do not. unsafe { asm!("" :: "r"(&input) :: "volatile") } input } #[cfg(any(target_arch = "asmjs", target_arch = "wasm32", not(feature = "nightly")))] #[inline(never)] fn black_box(input: u8) -> u8 { debug_assert!((input == 0u8) | (input == 1u8)); // We don't have access to inline assembly or test::black_box or ... // // Bailing out, hopefully the compiler doesn't use the fact that `input` is 0 or 1. input } impl From for Choice { #[inline] fn from(input: u8) -> Choice { // Our goal is to prevent the compiler from inferring that the value held inside the // resulting `Choice` struct is really an `i1` instead of an `i8`. Choice(black_box(input)) } } /// An `Eq`-like trait that produces a `Choice` instead of a `bool`. /// /// # Example /// /// ``` /// use subtle::ConstantTimeEq; /// let x: u8 = 5; /// let y: u8 = 13; /// /// assert_eq!(x.ct_eq(&y).unwrap_u8(), 0); /// assert_eq!(x.ct_eq(&x).unwrap_u8(), 1); /// ``` pub trait ConstantTimeEq { /// Determine if two items are equal. /// /// The `ct_eq` function should execute in constant time. /// /// # Returns /// /// * `Choice(1u8)` if `self == other`; /// * `Choice(0u8)` if `self != other`. #[inline] fn ct_eq(&self, other: &Self) -> Choice; } impl ConstantTimeEq for [T] { /// Check whether two slices of `ConstantTimeEq` types are equal. /// /// # Note /// /// This function short-circuits if the lengths of the input slices /// are different. Otherwise, it should execute in time independent /// of the slice contents. /// /// Since arrays coerce to slices, this function works with fixed-size arrays: /// /// ``` /// # use subtle::ConstantTimeEq; /// # /// let a: [u8; 8] = [0,1,2,3,4,5,6,7]; /// let b: [u8; 8] = [0,1,2,3,0,1,2,3]; /// /// let a_eq_a = a.ct_eq(&a); /// let a_eq_b = a.ct_eq(&b); /// /// assert_eq!(a_eq_a.unwrap_u8(), 1); /// assert_eq!(a_eq_b.unwrap_u8(), 0); /// ``` #[inline] fn ct_eq(&self, _rhs: &[T]) -> Choice { let len = self.len(); // Short-circuit on the *lengths* of the slices, not their // contents. if len != _rhs.len() { return Choice::from(0); } // This loop shouldn't be shortcircuitable, since the compiler // shouldn't be able to reason about the value of the `u8` // unwrapped from the `ct_eq` result. let mut x = 1u8; for (ai, bi) in self.iter().zip(_rhs.iter()) { x &= ai.ct_eq(bi).unwrap_u8(); } x.into() } } /// Given the bit-width `$bit_width` and the corresponding primitive /// unsigned and signed types `$t_u` and `$t_i` respectively, generate /// an `ConstantTimeEq` implementation. macro_rules! generate_integer_equal { ($t_u:ty, $t_i:ty, $bit_width:expr) => { impl ConstantTimeEq for $t_u { #[inline] fn ct_eq(&self, other: &$t_u) -> Choice { // x == 0 if and only if self == other let x: $t_u = self ^ other; // If x == 0, then x and -x are both equal to zero; // otherwise, one or both will have its high bit set. let y: $t_u = (x | x.wrapping_neg()) >> ($bit_width - 1); // Result is the opposite of the high bit (now shifted to low). ((y ^ (1 as $t_u)) as u8).into() } } impl ConstantTimeEq for $t_i { #[inline] fn ct_eq(&self, other: &$t_i) -> Choice { // Bitcast to unsigned and call that implementation. (*self as $t_u).ct_eq(&(*other as $t_u)) } } }; } generate_integer_equal!(u8, i8, 8); generate_integer_equal!(u16, i16, 16); generate_integer_equal!(u32, i32, 32); generate_integer_equal!(u64, i64, 64); #[cfg(feature = "i128")] generate_integer_equal!(u128, i128, 128); generate_integer_equal!(usize, isize, ::core::mem::size_of::() * 8); /// A type which can be conditionally selected in constant time. /// /// This trait also provides generic implementations of conditional /// assignment and conditional swaps. pub trait ConditionallySelectable: Copy { /// Select `a` or `b` according to `choice`. /// /// # Returns /// /// * `a` if `choice == Choice(0)`; /// * `b` if `choice == Choice(1)`. /// /// This function should execute in constant time. /// /// # Example /// /// ``` /// # extern crate subtle; /// use subtle::ConditionallySelectable; /// # /// # fn main() { /// let x: u8 = 13; /// let y: u8 = 42; /// /// let z = u8::conditional_select(&x, &y, 0.into()); /// assert_eq!(z, x); /// let z = u8::conditional_select(&x, &y, 1.into()); /// assert_eq!(z, y); /// # } /// ``` #[inline] fn conditional_select(a: &Self, b: &Self, choice: Choice) -> Self; /// Conditionally assign `other` to `self`, according to `choice`. /// /// This function should execute in constant time. /// /// # Example /// /// ``` /// # extern crate subtle; /// use subtle::ConditionallySelectable; /// # /// # fn main() { /// let mut x: u8 = 13; /// let mut y: u8 = 42; /// /// x.conditional_assign(&y, 0.into()); /// assert_eq!(x, 13); /// x.conditional_assign(&y, 1.into()); /// assert_eq!(x, 42); /// # } /// ``` #[inline] fn conditional_assign(&mut self, other: &Self, choice: Choice) { *self = Self::conditional_select(self, other, choice); } /// Conditionally swap `self` and `other` if `choice == 1`; otherwise, /// reassign both unto themselves. /// /// This function should execute in constant time. /// /// # Example /// /// ``` /// # extern crate subtle; /// use subtle::ConditionallySelectable; /// # /// # fn main() { /// let mut x: u8 = 13; /// let mut y: u8 = 42; /// /// u8::conditional_swap(&mut x, &mut y, 0.into()); /// assert_eq!(x, 13); /// assert_eq!(y, 42); /// u8::conditional_swap(&mut x, &mut y, 1.into()); /// assert_eq!(x, 42); /// assert_eq!(y, 13); /// # } /// ``` #[inline] fn conditional_swap(a: &mut Self, b: &mut Self, choice: Choice) { let t: Self = *a; a.conditional_assign(&b, choice); b.conditional_assign(&t, choice); } } macro_rules! to_signed_int { (u8) => { i8 }; (u16) => { i16 }; (u32) => { i32 }; (u64) => { i64 }; (u128) => { i128 }; (i8) => { i8 }; (i16) => { i16 }; (i32) => { i32 }; (i64) => { i64 }; (i128) => { i128 }; } macro_rules! generate_integer_conditional_select { ($($t:tt)*) => ($( impl ConditionallySelectable for $t { #[inline] fn conditional_select(a: &Self, b: &Self, choice: Choice) -> Self { // if choice = 0, mask = (-0) = 0000...0000 // if choice = 1, mask = (-1) = 1111...1111 let mask = -(choice.unwrap_u8() as to_signed_int!($t)) as $t; a ^ (mask & (a ^ b)) } #[inline] fn conditional_assign(&mut self, other: &Self, choice: Choice) { // if choice = 0, mask = (-0) = 0000...0000 // if choice = 1, mask = (-1) = 1111...1111 let mask = -(choice.unwrap_u8() as to_signed_int!($t)) as $t; *self ^= mask & (*self ^ *other); } #[inline] fn conditional_swap(a: &mut Self, b: &mut Self, choice: Choice) { // if choice = 0, mask = (-0) = 0000...0000 // if choice = 1, mask = (-1) = 1111...1111 let mask = -(choice.unwrap_u8() as to_signed_int!($t)) as $t; let t = mask & (*a ^ *b); *a ^= t; *b ^= t; } } )*) } generate_integer_conditional_select!( u8 i8); generate_integer_conditional_select!( u16 i16); generate_integer_conditional_select!( u32 i32); generate_integer_conditional_select!( u64 i64); #[cfg(feature = "i128")] generate_integer_conditional_select!(u128 i128); impl ConditionallySelectable for Choice { #[inline] fn conditional_select(a: &Self, b: &Self, choice: Choice) -> Self { Choice(u8::conditional_select(&a.0, &b.0, choice)) } } /// A type which can be conditionally negated in constant time. /// /// # Note /// /// A generic implementation of `ConditionallyNegatable` is provided /// for types `T` which are `ConditionallySelectable` and have `Neg` /// implemented on `&T`. pub trait ConditionallyNegatable { /// Negate `self` if `choice == Choice(1)`; otherwise, leave it /// unchanged. /// /// This function should execute in constant time. #[inline] fn conditional_negate(&mut self, choice: Choice); } impl ConditionallyNegatable for T where T: ConditionallySelectable, for<'a> &'a T: Neg, { #[inline] fn conditional_negate(&mut self, choice: Choice) { // Need to cast to eliminate mutability let self_neg: T = -(self as &T); self.conditional_assign(&self_neg, choice); } } /// The `CtOption` type represents an optional value similar to the /// [`Option`](core::option::Option) type but is intended for /// use in constant time APIs. /// /// Any given `CtOption` is either `Some` or `None`, but unlike /// `Option` these variants are not exposed. The /// [`is_some()`](CtOption::is_some) method is used to determine if /// the value is `Some`, and [`unwrap_or()`](CtOption::unwrap_or) and /// [`unwrap_or_else()`](CtOption::unwrap_or_else) methods are /// provided to access the underlying value. The value can also be /// obtained with [`unwrap()`](CtOption::unwrap) but this will panic /// if it is `None`. /// /// Functions that are intended to be constant time may not produce /// valid results for all inputs, such as square root and inversion /// operations in finite field arithmetic. Returning an `Option` /// from these functions makes it difficult for the caller to reason /// about the result in constant time, and returning an incorrect /// value burdens the caller and increases the chance of bugs. #[derive(Clone, Copy, Debug)] pub struct CtOption { value: T, is_some: Choice, } impl CtOption { /// This method is used to construct a new `CtOption` and takes /// a value of type `T`, and a `Choice` that determines whether /// the optional value should be `Some` or not. If `is_some` is /// false, the value will still be stored but its value is never /// exposed. #[inline] pub fn new(value: T, is_some: Choice) -> CtOption { CtOption { value: value, is_some: is_some } } /// This returns the underlying value but panics if it /// is not `Some`. #[inline] pub fn unwrap(self) -> T { assert_eq!(self.is_some.unwrap_u8(), 1); self.value } /// This returns the underlying value if it is `Some` /// or the provided value otherwise. #[inline] pub fn unwrap_or(self, def: T) -> T where T: ConditionallySelectable, { T::conditional_select(&def, &self.value, self.is_some) } /// This returns the underlying value if it is `Some` /// or the value produced by the provided closure otherwise. #[inline] pub fn unwrap_or_else(self, f: F) -> T where T: ConditionallySelectable, F: FnOnce() -> T, { T::conditional_select(&f(), &self.value, self.is_some) } /// Returns a true `Choice` if this value is `Some`. #[inline] pub fn is_some(&self) -> Choice { self.is_some } /// Returns a true `Choice` if this value is `None`. #[inline] pub fn is_none(&self) -> Choice { !self.is_some } /// Returns a `None` value if the option is `None`, otherwise /// returns a `CtOption` enclosing the value of the provided closure. /// The closure is given the enclosed value or, if the option is /// `None`, it is provided a dummy value computed using /// `Default::default()`. /// /// This operates in constant time, because the provided closure /// is always called. #[inline] pub fn map(self, f: F) -> CtOption where T: Default + ConditionallySelectable, F: FnOnce(T) -> U, { CtOption::new( f(T::conditional_select( &T::default(), &self.value, self.is_some, )), self.is_some, ) } /// Returns a `None` value if the option is `None`, otherwise /// returns the result of the provided closure. The closure is /// given the enclosed value or, if the option is `None`, it /// is provided a dummy value computed using `Default::default()`. /// /// This operates in constant time, because the provided closure /// is always called. #[inline] pub fn and_then(self, f: F) -> CtOption where T: Default + ConditionallySelectable, F: FnOnce(T) -> CtOption, { let mut tmp = f(T::conditional_select( &T::default(), &self.value, self.is_some, )); tmp.is_some &= self.is_some; tmp } } impl ConditionallySelectable for CtOption { fn conditional_select(a: &Self, b: &Self, choice: Choice) -> Self { CtOption::new( T::conditional_select(&a.value, &b.value, choice), Choice::conditional_select(&a.is_some, &b.is_some, choice), ) } } impl ConstantTimeEq for CtOption { /// Two `CtOption`s are equal if they are both `Some` and /// their values are equal, or both `None`. #[inline] fn ct_eq(&self, rhs: &CtOption) -> Choice { let a = self.is_some(); let b = rhs.is_some(); (a & b & self.value.ct_eq(&rhs.value)) | (!a & !b) } } subtle-2.1.1/tests/mod.rs010064400017500001750000000157751346167124000135440ustar0000000000000000extern crate subtle; use subtle::*; #[test] #[should_panic] fn slices_equal_different_lengths() { let a: [u8; 3] = [0, 0, 0]; let b: [u8; 4] = [0, 0, 0, 0]; assert_eq!((&a).ct_eq(&b).unwrap_u8(), 1); } #[test] fn slices_equal() { let a: [u8; 8] = [1, 2, 3, 4, 5, 6, 7, 8]; let b: [u8; 8] = [1, 2, 3, 4, 4, 3, 2, 1]; let a_eq_a = (&a).ct_eq(&a); let a_eq_b = (&a).ct_eq(&b); assert_eq!(a_eq_a.unwrap_u8(), 1); assert_eq!(a_eq_b.unwrap_u8(), 0); let c: [u8; 16] = [0u8; 16]; let a_eq_c = (&a).ct_eq(&c); assert_eq!(a_eq_c.unwrap_u8(), 0); } #[test] fn conditional_assign_i32() { let mut a: i32 = 5; let b: i32 = 13; a.conditional_assign(&b, 0.into()); assert_eq!(a, 5); a.conditional_assign(&b, 1.into()); assert_eq!(a, 13); } #[test] fn conditional_assign_i64() { let mut c: i64 = 2343249123; let d: i64 = 8723884895; c.conditional_assign(&d, 0.into()); assert_eq!(c, 2343249123); c.conditional_assign(&d, 1.into()); assert_eq!(c, 8723884895); } macro_rules! generate_integer_conditional_select_tests { ($($t:ty)*) => ($( let x: $t = 0; // all 0 bits let y: $t = !0; // all 1 bits assert_eq!(<$t>::conditional_select(&x, &y, 0.into()), 0); assert_eq!(<$t>::conditional_select(&x, &y, 1.into()), y); let mut z = x; let mut w = y; <$t>::conditional_swap(&mut z, &mut w, 0.into()); assert_eq!(z, x); assert_eq!(w, y); <$t>::conditional_swap(&mut z, &mut w, 1.into()); assert_eq!(z, y); assert_eq!(w, x); z.conditional_assign(&x, 1.into()); w.conditional_assign(&y, 0.into()); assert_eq!(z, x); assert_eq!(w, x); )*) } #[test] fn integer_conditional_select() { generate_integer_conditional_select_tests!(u8 u16 u32 u64); generate_integer_conditional_select_tests!(i8 i16 i32 i64); #[cfg(feature = "i128")] generate_integer_conditional_select_tests!(i128 u128); } #[test] fn custom_conditional_select_i16() { let x: i16 = 257; let y: i16 = 514; assert_eq!(i16::conditional_select(&x, &y, 0.into()), 257); assert_eq!(i16::conditional_select(&x, &y, 1.into()), 514); } macro_rules! generate_integer_equal_tests { ($($t:ty),*) => ($( let y: $t = 0; // all 0 bits let z: $t = !0; // all 1 bits let x = z; assert_eq!(x.ct_eq(&y).unwrap_u8(), 0); assert_eq!(x.ct_eq(&z).unwrap_u8(), 1); )*) } #[test] fn integer_equal() { generate_integer_equal_tests!(u8, u16, u32, u64); generate_integer_equal_tests!(i8, i16, i32, i64); #[cfg(feature = "i128")] generate_integer_equal_tests!(i128, u128); generate_integer_equal_tests!(isize, usize); } #[test] fn choice_into_bool() { let choice_true: bool = Choice::from(1).into(); assert!(choice_true); let choice_false: bool = Choice::from(0).into(); assert!(!choice_false); } #[test] fn conditional_select_choice() { let t = Choice::from(1); let f = Choice::from(0); assert_eq!(bool::from(Choice::conditional_select(&t, &f, f)), true); assert_eq!(bool::from(Choice::conditional_select(&t, &f, t)), false); assert_eq!(bool::from(Choice::conditional_select(&f, &t, f)), false); assert_eq!(bool::from(Choice::conditional_select(&f, &t, t)), true); } #[test] fn test_ctoption() { let a = CtOption::new(10, Choice::from(1)); let b = CtOption::new(9, Choice::from(1)); let c = CtOption::new(10, Choice::from(0)); let d = CtOption::new(9, Choice::from(0)); // Test is_some / is_none assert!(bool::from(a.is_some())); assert!(bool::from(!a.is_none())); assert!(bool::from(b.is_some())); assert!(bool::from(!b.is_none())); assert!(bool::from(!c.is_some())); assert!(bool::from(c.is_none())); assert!(bool::from(!d.is_some())); assert!(bool::from(d.is_none())); // Test unwrap for Some assert_eq!(a.unwrap(), 10); assert_eq!(b.unwrap(), 9); // Test equality assert!(bool::from(a.ct_eq(&a))); assert!(bool::from(!a.ct_eq(&b))); assert!(bool::from(!a.ct_eq(&c))); assert!(bool::from(!a.ct_eq(&d))); // Test equality of None with different // dummy value assert!(bool::from(c.ct_eq(&d))); // Test unwrap_or assert_eq!(CtOption::new(1, Choice::from(1)).unwrap_or(2), 1); assert_eq!(CtOption::new(1, Choice::from(0)).unwrap_or(2), 2); // Test unwrap_or_else assert_eq!(CtOption::new(1, Choice::from(1)).unwrap_or_else(|| 2), 1); assert_eq!(CtOption::new(1, Choice::from(0)).unwrap_or_else(|| 2), 2); // Test map assert_eq!( CtOption::new(1, Choice::from(1)) .map(|v| { assert_eq!(v, 1); 2 }) .unwrap(), 2 ); assert_eq!( CtOption::new(1, Choice::from(0)) .map(|_| 2) .is_none() .unwrap_u8(), 1 ); // Test and_then assert_eq!( CtOption::new(1, Choice::from(1)) .and_then(|v| { assert_eq!(v, 1); CtOption::new(2, Choice::from(0)) }) .is_none() .unwrap_u8(), 1 ); assert_eq!( CtOption::new(1, Choice::from(1)) .and_then(|v| { assert_eq!(v, 1); CtOption::new(2, Choice::from(1)) }) .unwrap(), 2 ); assert_eq!( CtOption::new(1, Choice::from(0)) .and_then(|_| CtOption::new(2, Choice::from(0))) .is_none() .unwrap_u8(), 1 ); assert_eq!( CtOption::new(1, Choice::from(0)) .and_then(|_| CtOption::new(2, Choice::from(1))) .is_none() .unwrap_u8(), 1 ); // Test (in)equality assert!(CtOption::new(1, Choice::from(0)).ct_eq(&CtOption::new(1, Choice::from(1))).unwrap_u8() == 0); assert!(CtOption::new(1, Choice::from(1)).ct_eq(&CtOption::new(1, Choice::from(0))).unwrap_u8() == 0); assert!(CtOption::new(1, Choice::from(0)).ct_eq(&CtOption::new(2, Choice::from(1))).unwrap_u8() == 0); assert!(CtOption::new(1, Choice::from(1)).ct_eq(&CtOption::new(2, Choice::from(0))).unwrap_u8() == 0); assert!(CtOption::new(1, Choice::from(0)).ct_eq(&CtOption::new(1, Choice::from(0))).unwrap_u8() == 1); assert!(CtOption::new(1, Choice::from(0)).ct_eq(&CtOption::new(2, Choice::from(0))).unwrap_u8() == 1); assert!(CtOption::new(1, Choice::from(1)).ct_eq(&CtOption::new(2, Choice::from(1))).unwrap_u8() == 0); assert!(CtOption::new(1, Choice::from(1)).ct_eq(&CtOption::new(2, Choice::from(1))).unwrap_u8() == 0); assert!(CtOption::new(1, Choice::from(1)).ct_eq(&CtOption::new(1, Choice::from(1))).unwrap_u8() == 1); assert!(CtOption::new(1, Choice::from(1)).ct_eq(&CtOption::new(1, Choice::from(1))).unwrap_u8() == 1); } #[test] #[should_panic] fn unwrap_none_ctoption() { // This test might fail (in release mode?) if the // compiler decides to optimize it away. CtOption::new(10, Choice::from(0)).unwrap(); } subtle-2.1.1/.cargo_vcs_info.json0000644000000001120000000000000123640ustar00{ "git": { "sha1": "d12fc92b39c187997eefd312a18472a2b9640eac" } }