-
-
Notifications
You must be signed in to change notification settings - Fork 10.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add AES-SIV support #3540
Add AES-SIV support #3540
Conversation
INSTALL
Outdated
@@ -510,8 +510,8 @@ | |||
Build without support for the specified algorithm, where | |||
<alg> is one of: bf, blake2, camellia, cast, chacha, cmac, | |||
des, dh, dsa, ecdh, ecdsa, idea, md4, mdc2, ocb, poly1305, | |||
rc2, rc4, rmd160, scrypt, seed, siphash or whirlpool. The | |||
"ripemd" algorithm is deprecated and if used is synonymous | |||
rc2, rc4, rmd160, scrypt, seed, siphash aes-siv or whirlpool. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
siphash, aes-siv
Is there specific reason for why is it "hard-wired" to AES? SIV is a mode that can operate with any block cipher. Why does it get wired unconditionally to AES? In other words, wouldn't it be better if it was cipher-agnostic crypto/modes/siv128.c? [And btw, red cross from appveyor is totally relevant.] |
Ah, Windows build failure, thanks @dot-asm. |
Which opens with "This memo describes SIV, a block cipher mode of operation." Original paper reads "SIV can be based on an arbitrary blockcipher, such as AES or TDEA". The only additional and relevant reference to AES in the paper is "SIV never uses the inverse of the blockcipher, which is convenient for a blockcipher like AES." Well, admittedly RFC is more explicit asserting that E(K,X) indicates AES encryption of string X using key K, but this still doesn't preclude possibility of using it with alternative cipher. But there is even another reason. I'd argue that cipher-agnostic module would be more manageable and easier to maintain. Because it allows you to concentrate harder on one thing at a time, namely on mode specifics, and then on EVP wiring... |
@dot-asm Fair enough; the title specifically mentions AES, and the implementation that this was based on was originally (and only) AES. That being said, it'll take some time! :) |
(Don't get me wrong, when I first started this, I had thought of adding a mode, but I lacked familiarity in that code.) |
Well, there is certain ambiguity in suggestion. Modules in crypto/modes aim for EVP-neutrality in sense that they don't make calls to EVP or depend on EVP structures. They are rather providers to EVP. But this is not necessarily the only way. Well, one of original rationales behind making them EVP-neutral was that it would allow to make better decisions when it comes to performance and re-usability. But still it doesn't mean that every mode has to be that way. What I'm trying to say it that I'd [let's say] insist on taking mode specific code out of e_aes.c. For better maintainability. But whether or not it will be crypto/modes-style EVP-neutral thing or one that still relies heavily on EVP could be open for discussion. Personally I'd prefer to see crypto/modes-style, but maybe it would make it unnecessarily complicated. Maybe you can start by taking current code out of evp/e_aes.c, put it into say evp/e_mode_siv.c... EVP_aes_*_siv would go to the latter. Idea would be if we want to add another-cipher-siv, we'd add few lines to evp/e_mode_siv.c... If I also may make another suggestion. Would it be sensible to arrange objects.txt update as separate commit? |
doc/man3/EVP_EncryptInit.pod
Outdated
@@ -30,6 +30,7 @@ EVP_aes_192_cbc, EVP_aes_192_ecb, EVP_aes_192_cfb, EVP_aes_192_ofb, | |||
EVP_aes_256_cbc, EVP_aes_256_ecb, EVP_aes_256_cfb, EVP_aes_256_ofb, | |||
EVP_aes_128_gcm, EVP_aes_192_gcm, EVP_aes_256_gcm, | |||
EVP_aes_128_ccm, EVP_aes_192_ccm, EVP_aes_256_ccm, | |||
EVP_aes_128_civ, EVP_aes_192_siv, EVP_aes_256_siv, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Typo: EVP_aes_128_civ.
583ed82
to
2a15741
Compare
We have a new mode! siv128 |
Travis error is: My |
Rebase. Should be fixed by #3688. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Gee, sorry for missing this. Some notes, nothing major.
crypto/modes/siv128.c
Outdated
|
||
#if !defined(OPENSSL_NO_SIV) && !defined(OPENSSL_NO_CMAC) | ||
|
||
static const union { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
get rid of the run-time endian tests and just do the portable code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You'll have to pull in some ifdef'd code from Daniel's original work.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is based on other code in openssl that does the same thing.
crypto/modes/siv128.c
Outdated
#include <openssl/cmac.h> | ||
#include "modes_lcl.h" | ||
|
||
#if !defined(OPENSSL_NO_SIV) && !defined(OPENSSL_NO_CMAC) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you can make no-siv imply no-cmac or otherwise tie them together in Configure; why test for both?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's the opposite; SIV depends on CMAC, so no-cmac implies no-siv. It's already in Configure, so I can remove the CMAC checks.
crypto/modes/modes_lcl.h
Outdated
|
||
#define SIV_LEN 16 | ||
|
||
typedef union { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Put a name siv_block_u
crypto/modes/siv128.c
Outdated
* in the file LICENSE in the source distribution or at | ||
* https://www.openssl.org/source/license.html | ||
* | ||
* Copyright 2017, Akamai Technologies. All Rights Reserved. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove the akamai copyright; put Daniel's name in the commit message.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I included a reference to his github; but the code has diverged considerably.
crypto/modes/siv128.c
Outdated
} | ||
|
||
/* | ||
* Copy an SIV128_CONTEXT object -- TODO |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need a copy operation? If not, remove this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Comment out of date.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Copy is referenced in the CTRL.
crypto/modes/siv128.c
Outdated
|
||
int CRYPTO_siv128_speed(SIV128_CONTEXT *ctx, int arg) | ||
{ | ||
if (arg == 1) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use the ?: operator
@@ -1532,3 +1532,7 @@ id-pkinit 5 : pkInitKDC : Signing KDC Response | |||
: Poly1305 : poly1305 | |||
# NID for SipHash | |||
: SipHash : siphash | |||
# NID for AES-SIV | |||
: AES-128-SIV : aes-128-siv |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Where were these defined BTW?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the crypto/objects/obj_dat.h
@@ -485,8 +490,13 @@ static int cipher_test_parse(EVP_TEST *t, const char *keyword, | |||
if (strcmp(keyword, "Ciphertext") == 0) | |||
return parse_bin(value, &cdat->ciphertext, &cdat->ciphertext_len); | |||
if (cdat->aead) { | |||
if (strcmp(keyword, "AAD") == 0) | |||
return parse_bin(value, &cdat->aad, &cdat->aad_len); | |||
if (strcmp(keyword, "AAD") == 0) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hm, should we have AAD1 AAD2 etc tags instead?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That limits the number of AADs, I think it's easier to just allow multiple entries.
test/evp_test.c
Outdated
if (!EVP_CipherUpdate(ctx, NULL, &chunklen, expected->aad, | ||
expected->aad_len)) | ||
goto err; | ||
for (i = 0; expected->aad[i] != NULL; i++){ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
space before the curly.
test/evp_test.c
Outdated
@@ -611,32 +621,36 @@ static int cipher_test_enc(EVP_TEST *t, int enc, | |||
goto err; | |||
} | |||
} | |||
if (expected->aad) { | |||
if (expected->aad[0]) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add NULL explicitly
aa0446d
to
d996767
Compare
so is this all set and ready for final(!) review, @tmshort? |
d996767
to
eb15f0c
Compare
Yes @richsalz, I just rebased |
travis says: |
I'll look at doc-nits. |
Fixed doc-nits, but now there's a libcrypto conflict. |
@dot-asm where are we with this? what needs to be done for your approval? |
fd05b0d
to
d092900
Compare
Rebased on top of master |
d092900
to
b8136b7
Compare
Rebased again... |
This is really old... |
Yes, it was delayed (along with a lot of other enhancements) due to the TLSv1.3 effort that was the primary focus of 1.1.1. |
b8136b7
to
7bca5f3
Compare
Rebased. |
Still pending for an OMC review, @openssl/omc |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good apart from the EVP_MAC suggestion which can be a new PR.
|
||
if (key == NULL || cbc == NULL || ctr == NULL | ||
|| (ctx->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL | ||
|| (ctx->cmac_ctx_init = CMAC_CTX_new()) == NULL |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thinking that all of the CMAC calls should use the new EVP_MAC API rather than going directly. Probably as a new PR.
Need a rebase too. |
And I had just done that, too! |
7bca5f3
to
89b4d5d
Compare
Based originally on github.com/dfoxfranke/libaes_siv This creates an SIV128 mode that uses EVP interfaces for the CBC, CTR and CMAC code to reduce complexity at the cost of perfomance. The expected use is for short inputs, not TLS-sized records. Add multiple AAD input capacity in the EVP tests.
89b4d5d
to
59ae51d
Compare
Merged to master, thanks to all involved. |
Based originally on github.com/dfoxfranke/libaes_siv This creates an SIV128 mode that uses EVP interfaces for the CBC, CTR and CMAC code to reduce complexity at the cost of perfomance. The expected use is for short inputs, not TLS-sized records. Add multiple AAD input capacity in the EVP tests. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from #3540)
Checklist