Add AES-SIV support #3540
Add AES-SIV support #3540
Conversation
INSTALL
Outdated
| @@ -510,8 +510,8 @@ | |||
| Build without support for the specified algorithm, where | |||
| <alg> is one of: bf, blake2, camellia, cast, chacha, cmac, | |||
| des, dh, dsa, ecdh, ecdsa, idea, md4, mdc2, ocb, poly1305, | |||
| rc2, rc4, rmd160, scrypt, seed, siphash or whirlpool. The | |||
| "ripemd" algorithm is deprecated and if used is synonymous | |||
| rc2, rc4, rmd160, scrypt, seed, siphash aes-siv or whirlpool. | |||
|
Is there specific reason for why is it "hard-wired" to AES? SIV is a mode that can operate with any block cipher. Why does it get wired unconditionally to AES? In other words, wouldn't it be better if it was cipher-agnostic crypto/modes/siv128.c? [And btw, red cross from appveyor is totally relevant.] |
|
Ah, Windows build failure, thanks @dot-asm. |
Which opens with "This memo describes SIV, a block cipher mode of operation." Original paper reads "SIV can be based on an arbitrary blockcipher, such as AES or TDEA". The only additional and relevant reference to AES in the paper is "SIV never uses the inverse of the blockcipher, which is convenient for a blockcipher like AES." Well, admittedly RFC is more explicit asserting that E(K,X) indicates AES encryption of string X using key K, but this still doesn't preclude possibility of using it with alternative cipher. But there is even another reason. I'd argue that cipher-agnostic module would be more manageable and easier to maintain. Because it allows you to concentrate harder on one thing at a time, namely on mode specifics, and then on EVP wiring... |
|
@dot-asm Fair enough; the title specifically mentions AES, and the implementation that this was based on was originally (and only) AES. That being said, it'll take some time! :) |
|
(Don't get me wrong, when I first started this, I had thought of adding a mode, but I lacked familiarity in that code.) |
|
Well, there is certain ambiguity in suggestion. Modules in crypto/modes aim for EVP-neutrality in sense that they don't make calls to EVP or depend on EVP structures. They are rather providers to EVP. But this is not necessarily the only way. Well, one of original rationales behind making them EVP-neutral was that it would allow to make better decisions when it comes to performance and re-usability. But still it doesn't mean that every mode has to be that way. What I'm trying to say it that I'd [let's say] insist on taking mode specific code out of e_aes.c. For better maintainability. But whether or not it will be crypto/modes-style EVP-neutral thing or one that still relies heavily on EVP could be open for discussion. Personally I'd prefer to see crypto/modes-style, but maybe it would make it unnecessarily complicated. Maybe you can start by taking current code out of evp/e_aes.c, put it into say evp/e_mode_siv.c... EVP_aes_*_siv would go to the latter. Idea would be if we want to add another-cipher-siv, we'd add few lines to evp/e_mode_siv.c... If I also may make another suggestion. Would it be sensible to arrange objects.txt update as separate commit? |
doc/man3/EVP_EncryptInit.pod
Outdated
| @@ -30,6 +30,7 @@ EVP_aes_192_cbc, EVP_aes_192_ecb, EVP_aes_192_cfb, EVP_aes_192_ofb, | |||
| EVP_aes_256_cbc, EVP_aes_256_ecb, EVP_aes_256_cfb, EVP_aes_256_ofb, | |||
| EVP_aes_128_gcm, EVP_aes_192_gcm, EVP_aes_256_gcm, | |||
| EVP_aes_128_ccm, EVP_aes_192_ccm, EVP_aes_256_ccm, | |||
| EVP_aes_128_civ, EVP_aes_192_siv, EVP_aes_256_siv, | |||
tmshort
force-pushed
the
master-aes-siv
branch
2 times, most recently
from
583ed82
to
2a15741
Compare
|
We have a new mode! siv128 |
|
Travis error is: My |
|
Rebase. Should be fixed by #3688. |
crypto/modes/siv128.c
Outdated
|
|
||
| #if !defined(OPENSSL_NO_SIV) && !defined(OPENSSL_NO_CMAC) | ||
|
|
||
| static const union { |
There was a problem hiding this comment.
get rid of the run-time endian tests and just do the portable code.
There was a problem hiding this comment.
You'll have to pull in some ifdef'd code from Daniel's original work.
There was a problem hiding this comment.
This is based on other code in openssl that does the same thing.
crypto/modes/siv128.c
Outdated
| #include <openssl/cmac.h> | ||
| #include "modes_lcl.h" | ||
|
|
||
| #if !defined(OPENSSL_NO_SIV) && !defined(OPENSSL_NO_CMAC) |
There was a problem hiding this comment.
you can make no-siv imply no-cmac or otherwise tie them together in Configure; why test for both?
There was a problem hiding this comment.
It's the opposite; SIV depends on CMAC, so no-cmac implies no-siv. It's already in Configure, so I can remove the CMAC checks.
crypto/modes/modes_lcl.h
Outdated
|
|
||
| #define SIV_LEN 16 | ||
|
|
||
| typedef union { |
crypto/modes/siv128.c
Outdated
| * in the file LICENSE in the source distribution or at | ||
| * https://www.openssl.org/source/license.html | ||
| * | ||
| * Copyright 2017, Akamai Technologies. All Rights Reserved. |
There was a problem hiding this comment.
Remove the akamai copyright; put Daniel's name in the commit message.
There was a problem hiding this comment.
I included a reference to his github; but the code has diverged considerably.
crypto/modes/siv128.c
Outdated
| } | ||
|
|
||
| /* | ||
| * Copy an SIV128_CONTEXT object -- TODO |
There was a problem hiding this comment.
Do we need a copy operation? If not, remove this.
There was a problem hiding this comment.
Comment out of date.
There was a problem hiding this comment.
Copy is referenced in the CTRL.
crypto/modes/siv128.c
Outdated
|
|
||
| int CRYPTO_siv128_speed(SIV128_CONTEXT *ctx, int arg) | ||
| { | ||
| if (arg == 1) |
| @@ -1532,3 +1532,7 @@ id-pkinit 5 : pkInitKDC : Signing KDC Response | |||
| : Poly1305 : poly1305 | |||
| # NID for SipHash | |||
| : SipHash : siphash | |||
| # NID for AES-SIV | |||
| : AES-128-SIV : aes-128-siv | |||
There was a problem hiding this comment.
Where were these defined BTW?
There was a problem hiding this comment.
In the crypto/objects/obj_dat.h
| @@ -485,8 +490,13 @@ static int cipher_test_parse(EVP_TEST *t, const char *keyword, | |||
| if (strcmp(keyword, "Ciphertext") == 0) | |||
| return parse_bin(value, &cdat->ciphertext, &cdat->ciphertext_len); | |||
| if (cdat->aead) { | |||
| if (strcmp(keyword, "AAD") == 0) | |||
| return parse_bin(value, &cdat->aad, &cdat->aad_len); | |||
| if (strcmp(keyword, "AAD") == 0) { | |||
There was a problem hiding this comment.
hm, should we have AAD1 AAD2 etc tags instead?
There was a problem hiding this comment.
That limits the number of AADs, I think it's easier to just allow multiple entries.
test/evp_test.c
Outdated
| if (!EVP_CipherUpdate(ctx, NULL, &chunklen, expected->aad, | ||
| expected->aad_len)) | ||
| goto err; | ||
| for (i = 0; expected->aad[i] != NULL; i++){ |
test/evp_test.c
Outdated
| @@ -611,32 +621,36 @@ static int cipher_test_enc(EVP_TEST *t, int enc, | |||
| goto err; | |||
| } | |||
| } | |||
| if (expected->aad) { | |||
| if (expected->aad[0]) { | |||
tmshort
force-pushed
the
master-aes-siv
branch
from
aa0446d
to
d996767
Compare
|
so is this all set and ready for final(!) review, @tmshort? |
tmshort
force-pushed
the
master-aes-siv
branch
from
d996767
to
eb15f0c
Compare
|
Yes @richsalz, I just rebased |
|
travis says: |
|
I'll look at doc-nits. |
|
Fixed doc-nits, but now there's a libcrypto conflict. |
|
@dot-asm where are we with this? what needs to be done for your approval? |
tmshort
force-pushed
the
master-aes-siv
branch
from
fd05b0d
to
d092900
Compare
|
Rebased on top of master |
tmshort
force-pushed
the
master-aes-siv
branch
from
d092900
to
b8136b7
Compare
|
Rebased again... |
|
This is really old... |
|
Yes, it was delayed (along with a lot of other enhancements) due to the TLSv1.3 effort that was the primary focus of 1.1.1. |
tmshort
force-pushed
the
master-aes-siv
branch
from
b8136b7
to
7bca5f3
Compare
|
Rebased. |
|
Still pending for an OMC review, @openssl/omc |
|
|
||
| if (key == NULL || cbc == NULL || ctr == NULL | ||
| || (ctx->cipher_ctx = EVP_CIPHER_CTX_new()) == NULL | ||
| || (ctx->cmac_ctx_init = CMAC_CTX_new()) == NULL |
There was a problem hiding this comment.
Thinking that all of the CMAC calls should use the new EVP_MAC API rather than going directly. Probably as a new PR.
paulidale
added
approval: done
|
Need a rebase too. |
|
And I had just done that, too! |
tmshort
force-pushed
the
master-aes-siv
branch
from
7bca5f3
to
89b4d5d
Compare
Based originally on github.com/dfoxfranke/libaes_siv This creates an SIV128 mode that uses EVP interfaces for the CBC, CTR and CMAC code to reduce complexity at the cost of perfomance. The expected use is for short inputs, not TLS-sized records. Add multiple AAD input capacity in the EVP tests.
tmshort
force-pushed
the
master-aes-siv
branch
from
89b4d5d
to
59ae51d
Compare
|
Merged to master, thanks to all involved. |
Based originally on github.com/dfoxfranke/libaes_siv This creates an SIV128 mode that uses EVP interfaces for the CBC, CTR and CMAC code to reduce complexity at the cost of perfomance. The expected use is for short inputs, not TLS-sized records. Add multiple AAD input capacity in the EVP tests. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from #3540)
Checklist