Implement constant time AES CBC #14
Conversation
ctaes.h
Outdated
| @@ -38,4 +38,7 @@ void AES256_init(AES256_ctx* ctx, const unsigned char* key32); | |||
| void AES256_encrypt(const AES256_ctx* ctx, size_t blocks, unsigned char* cipher16, const unsigned char* plain16); | |||
| void AES256_decrypt(const AES256_ctx* ctx, size_t blocks, unsigned char* plain16, const unsigned char* cipher16); | |||
|
|
|||
| void AES_encrypt(const AES_state* rounds, int nrounds, unsigned char* cipher16, const unsigned char* plain16); | |||
| void AES_decrypt(const AES_state* rounds, int nrounds, unsigned char* plain16, const unsigned char* cipher16); | |||
There was a problem hiding this comment.
nit: perhaps better to declare these in the -cbc.c, as I take it's not a part of the public interface.
There was a problem hiding this comment.
This could also be avoided by just merging this into ctaes.c, as it's a tiny amount of code, so I doubt any user would care. Having them in the same module may also enable better interprocedural optimization.
ctaes-cbc.c
Outdated
| unsigned char buf[16]; | ||
|
|
||
| for (i = 0; i < blocks; i++) { | ||
| for (j = 0; j < 16; j++) { |
ctaes-cbc.c
Outdated
| } | ||
| Xor128(buf, iv); | ||
| AES_encrypt(rounds, nk, encrypted, buf); | ||
| for (j = 0; j < 16; j++) { |
ctaes-cbc.c
Outdated
| uint8_t next_iv[16]; | ||
|
|
||
| for (i = 0; i < blocks; i++) { | ||
| for (j = 0; j < 16; j++) { |
ctaes-cbc.c
Outdated
| } | ||
| AES_decrypt(rounds, nk, plain, encrypted); | ||
| Xor128(plain, iv); | ||
| for (j = 0; j < 16; j++) { |
ctaes-cbc.c
Outdated
| void AES128_CBC_init(AES128_CBC_ctx* ctx, const unsigned char* key16, const uint8_t* iv) { | ||
| size_t i; | ||
| AES128_init(&(ctx->ctx), key16); | ||
| for (i = 0; i < 16; i++) { |
ctaes-cbc.c
Outdated
| void AES192_CBC_init(AES192_CBC_ctx* ctx, const unsigned char* key16, const uint8_t* iv) { | ||
| size_t i; | ||
| AES192_init(&(ctx->ctx), key16); | ||
| for (i = 0; i < 16; i++) { |
ctaes-cbc.c
Outdated
| void AES256_CBC_init(AES256_CBC_ctx* ctx, const unsigned char* key16, const uint8_t* iv) { | ||
| size_t i; | ||
| AES256_init(&(ctx->ctx), key16); | ||
| for (i = 0; i < 16; i++) { |
ctaes-cbc.h
Outdated
|
|
||
| typedef struct { | ||
| AES128_ctx ctx; | ||
| uint8_t iv[16]; |
There was a problem hiding this comment.
Perhaps document that this isn't exactly the IV (after the first block, it's the carried-forward previous ciphertext).
ctaes.h
Outdated
| @@ -38,4 +38,7 @@ void AES256_init(AES256_ctx* ctx, const unsigned char* key32); | |||
| void AES256_encrypt(const AES256_ctx* ctx, size_t blocks, unsigned char* cipher16, const unsigned char* plain16); | |||
| void AES256_decrypt(const AES256_ctx* ctx, size_t blocks, unsigned char* plain16, const unsigned char* cipher16); | |||
|
|
|||
| void AES_encrypt(const AES_state* rounds, int nrounds, unsigned char* cipher16, const unsigned char* plain16); | |||
| void AES_decrypt(const AES_state* rounds, int nrounds, unsigned char* plain16, const unsigned char* cipher16); | |||
There was a problem hiding this comment.
This could also be avoided by just merging this into ctaes.c, as it's a tiny amount of code, so I doubt any user would care. Having them in the same module may also enable better interprocedural optimization.
kristapsk
force-pushed
the
CBC
branch
2 times, most recently
from
2890e41
to
4cb6dcc
Compare
|
Addressed review comments. |
|
Just remembered why I choose to not use |
|
Yeah, memcpy is C89, so it should be ~everywhere. It may also be easier to optimize for the compiler (using something faster than byte per byte copy). Any reason to keep the CBC tests in a separate file? |
It's not only about availability, if libc is implemented correct way, linker will not need to add code of unused functions in a final executable, so any extra function may increase size. I've done some embedded programming in the past, where sometimes every byte counts, so that thinking by default is from there. :) But memcpy is actually used by a lot of other libc stuff itself, so likely will be in almost any piece of software anyway.
Guess not. Will move them to |
Done. |
ctaes.h
Outdated
| @@ -26,6 +26,21 @@ typedef struct { | |||
| AES_state rk[15]; | |||
| } AES256_ctx; | |||
|
|
|||
| typedef struct { | |||
| AES128_ctx ctx; | |||
| uint8_t iv[16]; // iv is updated after each use | |||
There was a problem hiding this comment.
Please use /* */ comments (// only exists in C++ and C99+).
test.c
Outdated
| @@ -101,6 +129,51 @@ int main(void) { | |||
| fail++; | |||
| } | |||
| } | |||
| for (i = 0; i < sizeof(ctaes_cbc_tests) / sizeof(ctaes_cbc_tests[0]); i++) { | |||
| const ctaes_cbc_test* test = &ctaes_cbc_tests[i]; | |||
| unsigned char key[32], iv[16], plain[test->nblocks * 16], cipher[test->nblocks * 16], ciphered[test->nblocks * 16], deciphered[test->nblocks * 16]; | |||
|
Generally looks good-- just the C99isms need to be fixed otherwise I think it's good to go, thanks for submitting this! |
|
Addressed additional review comments. Tested compiling tests with |
|
ACK 8835446 |
1 similar comment
|
ACK 8835446 |
|
I just realized that AES-CBC in practice also includes a padding scheme, and as that e.g. needs to be checked in constant time, it seems appropriate to also have that implemented here. Unfortunately, it doesn't quite match the API implemented here very well. The problem is that if the padding is incorrect, the decryption has to be rejected, which doesn't work well with a mutable state that lets you decrypt initial blocks before checking the padding. In case where the amount of data is large, and you want to use it in a streaming fashion, there is little that can be done about that, but I'm not sure there is a need for that. Instead, there could just be a function that takes a @kristapsk Are you interested in tackling that as well, or would you like me to do that instead? |
Before, the submodule pointed to https://github.com/digitalbitbox/ctaes/tree/cbc, which was a re-host of bitcoin-core/ctaes#14 before it was merged. It has since been merged. https://github.com/digitalbitbox/ctaes/tree/master is now at 8012b062ea4931f10cc2fd2075fddc3782a57ee4, which is up to date with upstream https://github.com/bitcoin-core/ctaes. The submodule is updated to this commit revision.
Tried to not change anything in existing code, except for making
AES_encrypt()andAES_decrypt()public.Related to #11.