NFC: Remove dead code from syncing with BoringSSL.

briansmith · briansmith · commit 2e6d759e5667 · 2023-09-29T10:30:01.000-07:00
*ring* doesn't use the BoringSSL code that uses these constant-time
utilities.
diff --git a/crypto/internal.h b/crypto/internal.h
@@ -248,60 +248,6 @@ static inline crypto_word_t constant_time_msb_w(crypto_word_t a) {
   return 0u - (a >> (sizeof(a) * 8 - 1));
 }
 
-// constant_time_lt_w returns 0xff..f if a < b and 0 otherwise.
-static inline crypto_word_t constant_time_lt_w(crypto_word_t a,
-                                               crypto_word_t b) {
-  // Consider the two cases of the problem:
-  //   msb(a) == msb(b): a < b iff the MSB of a - b is set.
-  //   msb(a) != msb(b): a < b iff the MSB of b is set.
-  //
-  // If msb(a) == msb(b) then the following evaluates as:
-  //   msb(a^((a^b)|((a-b)^a))) ==
-  //   msb(a^((a-b) ^ a))       ==   (because msb(a^b) == 0)
-  //   msb(a^a^(a-b))           ==   (rearranging)
-  //   msb(a-b)                      (because ∀x. x^x == 0)
-  //
-  // Else, if msb(a) != msb(b) then the following evaluates as:
-  //   msb(a^((a^b)|((a-b)^a))) ==
-  //   msb(a^(𝟙 | ((a-b)^a)))   ==   (because msb(a^b) == 1 and 𝟙
-  //                                  represents a value s.t. msb(𝟙) = 1)
-  //   msb(a^𝟙)                 ==   (because ORing with 1 results in 1)
-  //   msb(b)
-  //
-  //
-  // Here is an SMT-LIB verification of this formula:
-  //
-  // (define-fun lt ((a (_ BitVec 32)) (b (_ BitVec 32))) (_ BitVec 32)
-  //   (bvxor a (bvor (bvxor a b) (bvxor (bvsub a b) a)))
-  // )
-  //
-  // (declare-fun a () (_ BitVec 32))
-  // (declare-fun b () (_ BitVec 32))
-  //
-  // (assert (not (= (= #x00000001 (bvlshr (lt a b) #x0000001f)) (bvult a b))))
-  // (check-sat)
-  // (get-model)
-  return constant_time_msb_w(a^((a^b)|((a-b)^a)));
-}
-
-// constant_time_lt_8 acts like |constant_time_lt_w| but returns an 8-bit
-// mask.
-static inline uint8_t constant_time_lt_8(crypto_word_t a, crypto_word_t b) {
-  return (uint8_t)(constant_time_lt_w(a, b));
-}
-
-// constant_time_ge_w returns 0xff..f if a >= b and 0 otherwise.
-static inline crypto_word_t constant_time_ge_w(crypto_word_t a,
-                                               crypto_word_t b) {
-  return ~constant_time_lt_w(a, b);
-}
-
-// constant_time_ge_8 acts like |constant_time_ge_w| but returns an 8-bit
-// mask.
-static inline uint8_t constant_time_ge_8(crypto_word_t a, crypto_word_t b) {
-  return (uint8_t)(constant_time_ge_w(a, b));
-}
-
 // constant_time_is_zero returns 0xff..f if a == 0 and 0 otherwise.
 static inline crypto_word_t constant_time_is_zero_w(crypto_word_t a) {
   // Here is an SMT-LIB verification of this formula:
@@ -322,24 +268,12 @@ static inline crypto_word_t constant_time_is_nonzero_w(crypto_word_t a) {
   return ~constant_time_is_zero_w(a);
 }
 
-// constant_time_is_zero_8 acts like |constant_time_is_zero_w| but returns an
-// 8-bit mask.
-static inline uint8_t constant_time_is_zero_8(crypto_word_t a) {
-  return (uint8_t)(constant_time_is_zero_w(a));
-}
-
 // constant_time_eq_w returns 0xff..f if a == b and 0 otherwise.
 static inline crypto_word_t constant_time_eq_w(crypto_word_t a,
                                                crypto_word_t b) {
   return constant_time_is_zero_w(a ^ b);
 }
 
-// constant_time_eq_8 acts like |constant_time_eq_w| but returns an 8-bit
-// mask.
-static inline uint8_t constant_time_eq_8(crypto_word_t a, crypto_word_t b) {
-  return (uint8_t)(constant_time_eq_w(a, b));
-}
-
 // constant_time_select_w returns (mask & a) | (~mask & b). When |mask| is all
 // 1s or all 0s (as returned by the methods above), the select methods return
 // either |a| (if |mask| is nonzero) or |b| (if |mask| is zero).
@@ -355,41 +289,6 @@ static inline crypto_word_t constant_time_select_w(crypto_word_t mask,
   return (mask & a) | (~mask & b);
 }
 
-// constant_time_select_8 acts like |constant_time_select| but operates on
-// 8-bit values.
-static inline uint8_t constant_time_select_8(crypto_word_t mask, uint8_t a,
-                                             uint8_t b) {
-  // |mask| is a word instead of |uint8_t| to avoid materializing 0x000..0MM
-  // Making both |mask| and its value barrier |uint8_t| would allow the compiler
-  // to materialize 0x????..?MM instead, but only clang is that clever.
-  // However, vectorization of bitwise operations seems to work better on
-  // |uint8_t| than a mix of |uint64_t| and |uint8_t|, so |m| is cast to
-  // |uint8_t| after the value barrier but before the bitwise operations.
-  uint8_t m = value_barrier_w(mask);
-  return (m & a) | (~m & b);
-}
-
-// constant_time_select_int acts like |constant_time_select| but operates on
-// ints.
-static inline int constant_time_select_int(crypto_word_t mask, int a, int b) {
-  return (int)(constant_time_select_w(mask, (crypto_word_t)(a),
-                                      (crypto_word_t)(b)));
-}
-
-// constant_time_conditional_memcpy copies |n| bytes from |src| to |dst| if
-// |mask| is 0xff..ff and does nothing if |mask| is 0. The |n|-byte memory
-// ranges at |dst| and |src| must not overlap, as when calling |memcpy|.
-static inline void constant_time_conditional_memcpy(void *dst, const void *src,
-                                                    const size_t n,
-                                                    const crypto_word_t mask) {
-  debug_assert_nonsecret(!buffers_alias(dst, n, src, n));
-  uint8_t *out = (uint8_t *)dst;
-  const uint8_t *in = (const uint8_t *)src;
-  for (size_t i = 0; i < n; i++) {
-    out[i] = constant_time_select_8(mask, in[i], out[i]);
-  }
-}
-
 // constant_time_conditional_memxor xors |n| bytes from |src| to |dst| if
 // |mask| is 0xff..ff and does nothing if |mask| is 0. The |n|-byte memory
 // ranges at |dst| and |src| must not overlap, as when calling |memcpy|.
