50 changes: 26 additions & 24 deletions src/internal.c
Expand Up @@ -20994,7 +20994,7 @@ static byte MaskPadding(const byte* data, int sz, int macSz)
checkSz = TLS_MAX_PAD_SZ;

for (i = 0; i < checkSz; i++) {
byte mask = ctMaskLTE(i, paddingSz);
volatile byte mask = ctMaskLTE(i, paddingSz);
good |= mask & (data[sz - 1 - i] ^ paddingSz);
}

Expand All @@ -21014,16 +21014,21 @@ static byte MaskPadding(const byte* data, int sz, int macSz)
static byte MaskMac(const byte* data, int sz, int macSz, byte* expMac)
{
int i, j;
unsigned char mac[WC_MAX_DIGEST_SIZE];
int scanStart = sz - 1 - TLS_MAX_PAD_SZ - macSz;
int macEnd = sz - 1 - data[sz - 1];
int macStart = macEnd - macSz;
int r = 0;
unsigned char started, notEnded;
unsigned char mac[WC_MAX_DIGEST_SIZE];
volatile int scanStart = sz - 1 - TLS_MAX_PAD_SZ - macSz;
volatile int macEnd = sz - 1 - data[sz - 1];
volatile int macStart = macEnd - macSz;
volatile int maskScanStart;
volatile int maskMacStart;
volatile unsigned char started;
volatile unsigned char notEnded;
unsigned char good = 0;

scanStart &= ctMaskIntGTE(scanStart, 0);
macStart &= ctMaskIntGTE(macStart, 0);
maskScanStart = ctMaskIntGTE(scanStart, 0);
maskMacStart = ctMaskIntGTE(macStart, 0);
scanStart &= maskScanStart;
macStart &= maskMacStart;

/* Div on Intel has different speeds depending on value.
* Use a bitwise AND or mod a specific value (converted to mul). */
Expand Down Expand Up @@ -21993,22 +21998,19 @@ static int DoDecrypt(WOLFSSL *ssl)

/* Last of padding bytes - indicates length. */
ssl->keys.padSz = in->buffer[off];
/* Constant time checking of padding - don't leak
* the length of the data.
*/
/* Constant time checking of padding - don't leak the length of
* the data. */
/* Compare max pad bytes or at most data + pad. */
for (i = 1; i < MAX_PAD_SIZE && off >= i; i++) {
/* Mask on indicates this is expected to be a
* padding byte.
*/
padding &= ctMaskLTE((int)i,
(int)ssl->keys.padSz);
/* When this is a padding byte and not equal
* to length then mask is set.
*/
invalid |= padding &
ctMaskNotEq(in->buffer[off - i],
(int)ssl->keys.padSz);
/* Mask on indicates this is expected to be a padding byte.
*/
volatile byte maskPadByte = ctMaskLTE((int)i,
(int)ssl->keys.padSz);
padding &= maskPadByte;
/* When this is a padding byte and not equal to length then
* mask is set. */
invalid |= padding & ctMaskNotEq(in->buffer[off - i],
(int)ssl->keys.padSz);
}
/* If mask is set then there was an error. */
if (invalid) {
Expand Down Expand Up @@ -41655,7 +41657,7 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ],
case rsa_kea:
{
RsaKey* key = (RsaKey*)ssl->hsKey;
int lenErrMask;
volatile int lenErrMask;

ret = RsaDec(ssl,
input + args->idx,
Expand Down Expand Up @@ -41869,7 +41871,7 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ],
case rsa_kea:
{
byte *tmpRsa;
byte mask;
volatile byte mask;

/* Add the signature length to idx */
args->idx += args->length;
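Review bot: In the DoDecrypt padding loop the `ctMaskLTE` result is now routed through `volatile byte maskPadByte`, but the `ctMaskNotEq(in->buffer[off - i], (int)ssl->keys.padSz)` result in the very next statement still feeds `invalid |= padding & …` directly, so the optimizer may treat that mask differently from the one beside it; for consistency it should get the same treatment, e.g. `volatile byte maskNotLen = ctMaskNotEq(in->buffer[off - i], (int)ssl->keys.padSz); invalid |= padding & maskNotLen;`. The same pattern is left untouched for `ctMaskNotEq(pkcsBlock[1], padValue)` in RsaUnPad (wolfcrypt/src/rsa.c) and for `atEoc` next to the new `pastEoc` in Hmac_UpdateFinal_CT (src/tls.c). Whether `padding` and `invalid` themselves are volatile cannot be seen here, since their declarations are above the hunk. A one-line comment at the first such declaration, e.g. `/* volatile: keep the optimizer from folding the mask back into a branch */`, would record why the qualifier is there so it is not removed as redundant later. DoDecrypt starts and ends outside the hunk.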
8 changes: 6 additions & 2 deletions src/tls.c
Expand Up @@ -946,7 +946,10 @@ static int Hmac_UpdateFinal_CT(Hmac* hmac, byte* digest, const byte* in,
unsigned int k;
int blockBits, blockMask;
int lastBlockLen, extraLen, eocIndex;
int blocks, safeBlocks, lenBlock, eocBlock;
int blocks;
int safeBlocks;
int lenBlock;
int eocBlock;
word32 maxLen;
int blockSz, padSz;
int ret;
Expand Down Expand Up @@ -1056,7 +1059,8 @@ static int Hmac_UpdateFinal_CT(Hmac* hmac, byte* digest, const byte* in,

for (j = 0; j < blockSz; j++) {
unsigned char atEoc = ctMaskEq(j, eocIndex) & isEocBlock;
unsigned char pastEoc = ctMaskGT(j, eocIndex) & isEocBlock;
volatile unsigned char maskPastEoc = ctMaskGT(j, eocIndex);
volatile unsigned char pastEoc = maskPastEoc & isEocBlock;
unsigned char b = 0;

if (k < headerSz)
4 changes: 2 additions & 2 deletions wolfcrypt/src/aes.c
Expand Up @@ -6803,7 +6803,7 @@ static WC_INLINE void RIGHTSHIFTX(byte* x)
{
int i;
int carryIn = 0;
byte borrow = (byte)((0x00U - (x[15] & 0x01U)) & 0xE1U);
volatile byte borrow = (byte)((0x00U - (x[15] & 0x01U)) & 0xE1U);

for (i = 0; i < WC_AES_BLOCK_SIZE; i++) {
int carryOut = (x[i] & 0x01) << 7;
Expand Down Expand Up @@ -9346,7 +9346,7 @@ int WARN_UNUSED_RESULT AES_GCM_decrypt_C(
ALIGN16 byte scratch[WC_AES_BLOCK_SIZE];
ALIGN16 byte Tprime[WC_AES_BLOCK_SIZE];
ALIGN16 byte EKY0[WC_AES_BLOCK_SIZE];
sword32 res;
volatile sword32 res;

if (ivSz == GCM_NONCE_MID_SZ) {
/* Counter is IV with bottom 4 bytes set to: 0x00,0x00,0x00,0x01. */
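Review bot: The new `volatile byte borrow` in RIGHTSHIFTX carries no comment saying why it is volatile, and the same holds for `volatile sword32 res` in AES_GCM_decrypt_C; a later cleanup may well drop the qualifier as unnecessary. A short comment at the declaration, e.g. `/* volatile: stop the optimizer from turning the 0x00/0xE1 mask derived from x[15] & 1 into a branch on that bit */`, records the intent, since the initializer visibly produces exactly those two values. For `res` the comparable note would say that it holds a constant-time comparison result that must not be folded into a branch; its computation is below the hunk, so that wording should be checked against it. Both functions continue outside the hunk.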
2 changes: 1 addition & 1 deletion wolfcrypt/src/dh.c
Expand Up @@ -2114,7 +2114,7 @@ static int wc_DhAgree_Sync(DhKey* key, byte* agree, word32* agreeSz,
}

if ((ret == 0) && ct) {
word16 mask = 0xff;
volatile word16 mask = 0xff;
sword16 o = (sword16)(*agreeSz - 1);

*agreeSz = (word32)(i + 1);
8 changes: 4 additions & 4 deletions wolfcrypt/src/ecc.c
Expand Up @@ -3166,7 +3166,7 @@ static int ecc_mulmod(const mp_int* k, ecc_point* P, ecc_point* Q,
ecc_point** R, mp_int* a, mp_int* modulus, mp_digit mp, WC_RNG* rng)
{
int err = MP_OKAY;
int bytes = (mp_count_bits(modulus) + 7) / 8;
int bytes = (mp_count_bits(modulus) + 7) >> 3;
int i;
int j = 1;
int cnt = DIGIT_BIT;
Expand Down Expand Up @@ -3404,7 +3404,7 @@ static int ecc_mulmod(const mp_int* k, ecc_point* P, ecc_point* Q,
ecc_point** R, mp_int* a, mp_int* modulus, mp_digit mp, WC_RNG* rng)
{
int err = MP_OKAY;
int bytes = (mp_count_bits(modulus) + 7) / 8;
int bytes = (mp_count_bits(modulus) + 7) >> 3;
int i;
int j = 1;
int cnt;
Expand Down Expand Up @@ -4452,7 +4452,7 @@ int wc_ecc_get_curve_id_from_params(int fieldSize,
Gx == NULL || Gy == NULL)
return BAD_FUNC_ARG;

curveSz = (fieldSize + 1) / 8; /* round up */
curveSz = (fieldSize + 1) >> 3; /* round up */

for (idx = 0; ecc_sets[idx].size != 0; idx++) {
if (curveSz == ecc_sets[idx].size) {
Expand Down Expand Up @@ -11929,7 +11929,7 @@ int wc_ecc_sig_size(const ecc_key* key)
keySz = key->dp->size;
orderBits = wc_ecc_get_curve_order_bit_count(key->dp);
if (orderBits > keySz * 8) {
keySz = (orderBits + 7) / 8;
keySz = (orderBits + 7) >> 3;
}
/* maximum possible signature header size is 7 bytes */
maxSigSz = (keySz * 2) + SIG_HEADER_SZ;
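Review bot: `(fieldSize + 1) >> 3` in wc_ecc_get_curve_id_from_params is equivalent to the former `/ 8` only for a non-negative operand: for a negative `int` the division truncates toward zero while the right shift is implementation-defined (arithmetic on common compilers, rounding toward negative infinity). The visible part of the guard just above only checks the pointers for NULL and does not reject a negative `fieldSize`, so the two forms can yield different `curveSz` values for bad input; the start of the guard is outside the hunk and may already cover this. If it does not, `if (fieldSize < 0) return BAD_FUNC_ARG;` next to the NULL checks pins the precondition. The other three replacements operate on `mp_count_bits` and `wc_ecc_get_curve_order_bit_count` results, which are presumably non-negative, but a comment such as `/* >> 3 == / 8 for the non-negative bit counts used here */` would make that assumption explicit.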
4 changes: 2 additions & 2 deletions wolfcrypt/src/misc.c
Expand Up @@ -774,7 +774,7 @@ WC_MISC_STATIC WC_INLINE void ctMaskCopy(byte mask, byte* dst, byte* src,
{
#if !defined(WOLFSSL_NO_CT_OPS) && !defined(WOLFSSL_NO_CT_MAX_MIN) && \
defined(WORD64_AVAILABLE)
word32 gte_mask = (word32)ctMaskWord32GTE(a, b);
volatile word32 gte_mask = (word32)ctMaskWord32GTE(a, b);
return (a & ~gte_mask) | (b & gte_mask);
#else /* WOLFSSL_NO_CT_OPS */
return a > b ? b : a;
Expand All @@ -791,7 +791,7 @@ WC_MISC_STATIC WC_INLINE void ctMaskCopy(byte mask, byte* dst, byte* src,
{
#if !defined(WOLFSSL_NO_CT_OPS) && !defined(WOLFSSL_NO_CT_MAX_MIN) && \
defined(WORD64_AVAILABLE)
word32 gte_mask = (word32)ctMaskWord32GTE(a, b);
volatile word32 gte_mask = (word32)ctMaskWord32GTE(a, b);
return (a & gte_mask) | (b & ~gte_mask);
#else /* WOLFSSL_NO_CT_OPS */
return a > b ? a : b;
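Review bot: In the two constant-time min/max helpers `gte_mask` is now read twice through `volatile` in the single `return` expression, which appears to be the intent (each use becomes an opaque load the optimizer cannot fold into a compare-and-select on `a > b`), but nothing at the declaration says so, and a later reader may remove the qualifier as pointless. A comment on the declaration, e.g. `/* volatile: keep the mask an opaque load so a > b is never reintroduced as a branch or select */`, fixes that; the `#else` path is the non-constant-time fallback and needs no change. Both function bodies start above the hunk, and the hunk header names ctMaskCopy rather than these helpers, so their names cannot be confirmed from here.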
18 changes: 11 additions & 7 deletions wolfcrypt/src/rsa.c
Expand Up @@ -1562,11 +1562,11 @@ static int RsaUnPad_OAEP(byte *pkcsBlock, unsigned int pkcsBlockLen,
byte* optLabel, word32 labelLen, void* heap)
{
word32 hLen;
int ret;
volatile int ret;
byte h[WC_MAX_DIGEST_SIZE]; /* max digest size */
word32 idx;
word32 i;
word32 inc;
volatile word32 inc;

#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
byte* tmp = NULL;
Expand Down Expand Up @@ -1851,9 +1851,11 @@ static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen,
}
#ifndef WOLFSSL_RSA_VERIFY_ONLY
else {
unsigned int j;
word16 pastSep = 0;
byte invalid = 0;
unsigned int j;
volatile word16 pastSep = 0;
volatile byte invalid = 0;
volatile byte minPad;
volatile int invalidMask;

i = 0;
/* Decrypted with private key - unpad must be constant time. */
Expand All @@ -1865,7 +1867,8 @@ static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen,
}

/* Minimum of 11 bytes of pre-message data - including leading 0x00. */
invalid |= ctMaskLT(i, RSA_MIN_PAD_SZ);
minPad = ctMaskLT(i, RSA_MIN_PAD_SZ);
invalid |= minPad;
/* Must have seen separator. */
invalid |= (byte)~pastSep;
/* First byte must be 0x00. */
Expand All @@ -1874,7 +1877,8 @@ static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen,
invalid |= ctMaskNotEq(pkcsBlock[1], padValue);

*output = (byte *)(pkcsBlock + i);
ret = ((int)-1 + (int)(invalid >> 7)) & ((int)pkcsBlockLen - i);
invalidMask = (int)-1 + (int)(invalid >> 7);
ret = invalidMask & ((int)pkcsBlockLen - i);
}
#endif

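Review bot: The new `invalidMask = (int)-1 + (int)(invalid >> 7);` line in RsaUnPad relies on every contributor to `invalid` being an all-zero or all-one byte so that bit 7 alone decides the outcome, and that contract is only implicit: the `ctMaskLT`/`ctMaskNotEq` results and `(byte)~pastSep` visibly satisfy it, but a future `|=` of a plain boolean 1 would leave bit 7 clear and the block would be silently accepted. A comment on that line, e.g. `/* invalid is 0x00 or 0xFF: bit 7 set -> mask 0 (length 0), clear -> mask -1 (keep length) */`, pins the assumption. The loop that sets `pastSep` is above the hunk, so its value range should be verified there. RsaUnPad continues outside the hunk.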