Commit dd46e07fb9
Changed files (4)
lib
std
lib/std/crypto/aes.zig
@@ -28,31 +28,6 @@ pub const AesDecryptCtx = impl.AesDecryptCtx;
pub const Aes128 = impl.Aes128;
pub const Aes256 = impl.Aes256;
-test "ctr" {
- // NIST SP 800-38A pp 55-58
- const ctr = @import("modes.zig").ctr;
-
- const key = [_]u8{ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };
- const iv = [_]u8{ 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff };
- const in = [_]u8{
- 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
- 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
- 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11, 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
- 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17, 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10,
- };
- const exp_out = [_]u8{
- 0x87, 0x4d, 0x61, 0x91, 0xb6, 0x20, 0xe3, 0x26, 0x1b, 0xef, 0x68, 0x64, 0x99, 0x0d, 0xb6, 0xce,
- 0x98, 0x06, 0xf6, 0x6b, 0x79, 0x70, 0xfd, 0xff, 0x86, 0x17, 0x18, 0x7b, 0xb9, 0xff, 0xfd, 0xff,
- 0x5a, 0xe4, 0xdf, 0x3e, 0xdb, 0xd5, 0xd3, 0x5e, 0x5b, 0x4f, 0x09, 0x02, 0x0d, 0xb0, 0x3e, 0xab,
- 0x1e, 0x03, 0x1d, 0xda, 0x2f, 0xbe, 0x03, 0xd1, 0x79, 0x21, 0x70, 0xa0, 0xf3, 0x00, 0x9c, 0xee,
- };
-
- var out: [exp_out.len]u8 = undefined;
- const ctx = Aes128.initEnc(key);
- ctr(AesEncryptCtx(Aes128), ctx, out[0..], in[0..], iv, std.builtin.Endian.big);
- try testing.expectEqualSlices(u8, exp_out[0..], out[0..]);
-}
-
test "encrypt" {
// Appendix B
{
lib/std/crypto/aes_siv.zig
@@ -0,0 +1,481 @@
+const std = @import("std");
+const assert = std.debug.assert;
+const crypto = std.crypto;
+const debug = std.debug;
+const mem = std.mem;
+const math = std.math;
+const modes = crypto.core.modes;
+const Cmac = @import("cmac.zig").Cmac;
+const AuthenticationError = crypto.errors.AuthenticationError;
+
+pub const Aes128Siv = AesSiv(crypto.core.aes.Aes128);
+pub const Aes256Siv = AesSiv(crypto.core.aes.Aes256);
+
+/// AES-SIV: Deterministic authenticated encryption - the same message always produces the same ciphertext.
+///
+/// What it does: Encrypts data and protects it from tampering. Unlike most encryption modes,
+/// AES-SIV is deterministic: encrypting the same message with the same key always produces
+/// the same ciphertext (unless you provide an optional nonce).
+///
+/// When to use AES-SIV:
+/// - When you need deterministic encryption (e.g., for deduplication in encrypted storage)
+/// - When you can't store or generate nonces
+/// - For key wrapping (protecting cryptographic keys)
+/// - When you need to search encrypted data without decrypting it
+///
+/// When NOT to use AES-SIV:
+/// - When identical plaintexts must produce different ciphertexts (use AES-GCM or AES-GCM-SIV)
+/// - For network protocols where replay attacks are a concern
+///
+/// Unique features:
+/// - Optional nonce: You can add a nonce to make encryption non-deterministic, but this is optional
+/// - Multiple associated data: Supports a vector of associated data strings instead of just one.
+/// The algorithm cryptographically ensures each component is properly separated, preventing
+/// canonicalization attacks where different splits of data could be accepted as valid.
+///
+/// Security properties:
+/// - Deterministic: Same input always gives same output (this can leak information about patterns)
+/// - Nonce misuse resistant: Doesn't catastrophically fail if you reuse a nonce
+/// - Key commitment: Ciphertext can only be decrypted with the exact key that encrypted it
+///
+/// AES-SIV has better security properties than AES-GCM-SIV, but is must slower.
+///
+/// How it works: Combines two keys - one for authentication (S2V) and one for encryption (CTR mode).
+/// The total key size is double the AES key size (256 bits for AES-128-SIV, 512 bits for AES-256-SIV).
+///
+/// Defined in RFC 5297.
+fn AesSiv(comptime Aes: anytype) type {
+ debug.assert(Aes.block.block_length == 16);
+
+ return struct {
+ pub const tag_length = 16;
+ pub const key_length = Aes.key_bits / 8 * 2; // SIV uses 2x key size
+
+ const CmacImpl = Cmac(Aes);
+
+ /// S2V (String to Vector) - RFC 5297 Section 2.4
+ /// Derives a synthetic IV from the key and input strings using CMAC.
+ /// This function implements a cryptographic pseudo-random function that maps
+ /// a variable-length vector of strings to a fixed 128-bit output.
+ fn s2v(iv: *[16]u8, key: [Aes.key_bits / 8]u8, strings: []const []const u8) void {
+ assert(strings.len > 0);
+ assert(strings.len <= 127); // S2V limitation
+
+ var d: [16]u8 = undefined;
+
+ // Special case: single empty string
+ if (strings.len == 1 and strings[0].len == 0) {
+ CmacImpl.create(&d, &[_]u8{}, &key);
+ iv.* = d;
+ return;
+ }
+
+ // Initialize with CMAC of zero block
+ const zero_block: [16]u8 = @splat(0);
+ CmacImpl.create(&d, &zero_block, &key);
+
+ // Process all strings except the last one
+ var i: usize = 0;
+ while (i < strings.len - 1) : (i += 1) {
+ d = dbl(d);
+ var tmp: [16]u8 = undefined;
+ CmacImpl.create(&tmp, strings[i], &key);
+ for (&d, tmp) |*b, t| {
+ b.* ^= t;
+ }
+ }
+
+ // Process the final string
+ const sn = strings[strings.len - 1];
+ if (sn.len >= 16) {
+ // XOR d with the first 16 bytes of Sn
+ var xored_msg_buf: [4096]u8 = undefined;
+ const xored_len = @min(sn.len, xored_msg_buf.len);
+ @memcpy(xored_msg_buf[0..xored_len], sn[0..xored_len]);
+
+ for (d, 0..) |b, j| {
+ xored_msg_buf[j] ^= b;
+ }
+
+ CmacImpl.create(iv, xored_msg_buf[0..xored_len], &key);
+ } else {
+ // Pad and XOR
+ d = dbl(d);
+ var padded: [16]u8 = @splat(0);
+ @memcpy(padded[0..sn.len], sn);
+ padded[sn.len] = 0x80;
+ for (&d, padded) |*b, p| {
+ b.* ^= p;
+ }
+ CmacImpl.create(iv, &d, &key);
+ }
+ }
+
+ /// Double operation as defined in RFC 5297.
+ /// Performs multiplication by x (i.e., left shift by 1) in GF(2^128).
+ /// This is the same operation used in CMAC subkey generation.
+ /// If the MSB is set, XORs with the polynomial 0x87 after shifting.
+ fn dbl(d: [16]u8) [16]u8 {
+ // Read as big-endian 128-bit integer
+ const val = mem.readInt(u128, &d, .big);
+
+ // Left shift by 1, and XOR with 0x87 if MSB was set
+ const doubled = (val << 1) ^ (0x87 & -%(@as(u128, val >> 127)));
+
+ // Write back as big-endian
+ var result: [16]u8 = undefined;
+ mem.writeInt(u128, &result, doubled, .big);
+ return result;
+ }
+
+ /// Encrypt plaintext using AES-SIV
+ /// `c`: Output buffer for ciphertext (same size as plaintext)
+ /// `tag`: Output buffer for authentication tag (synthetic IV)
+ /// `m`: Plaintext to encrypt
+ /// `ad`: Optional associated data
+ /// `nonce`: Optional nonce (if provided, will be added as last AD component)
+ /// `key`: Combined key (2x AES key size)
+ pub fn encrypt(c: []u8, tag: *[tag_length]u8, m: []const u8, ad: ?[]const u8, nonce: ?[]const u8, key: [key_length]u8) void {
+ debug.assert(c.len == m.len);
+
+ // Split key into K1 (for S2V) and K2 (for CTR)
+ const k1 = key[0 .. Aes.key_bits / 8];
+ const k2 = key[Aes.key_bits / 8 ..];
+
+ // Prepare strings for S2V: AD components followed by plaintext
+ var strings_buf: [128][]const u8 = undefined;
+ var strings_len: usize = 0;
+
+ if (ad) |a| {
+ strings_buf[strings_len] = a;
+ strings_len += 1;
+ }
+ if (nonce) |n| {
+ strings_buf[strings_len] = n;
+ strings_len += 1;
+ }
+ strings_buf[strings_len] = m;
+ strings_len += 1;
+
+ // Compute synthetic IV using S2V
+ s2v(tag, k1.*, strings_buf[0..strings_len]);
+
+ // Clear the 31st and 63rd bits for use as CTR IV
+ var ctr_iv = tag.*;
+ ctr_iv[8] &= 0x7f;
+ ctr_iv[12] &= 0x7f;
+
+ // Encrypt plaintext using CTR mode
+ const aes_ctx = Aes.initEnc(k2.*);
+ modes.ctr(@TypeOf(aes_ctx), aes_ctx, c, m, ctr_iv, .big);
+ }
+
+ /// Decrypt ciphertext using AES-SIV
+ /// `m`: Output buffer for decrypted plaintext
+ /// `c`: Ciphertext to decrypt
+ /// `tag`: Authentication tag (synthetic IV)
+ /// `ad`: Optional associated data (must match encryption)
+ /// `nonce`: Optional nonce (must match encryption)
+ /// `key`: Combined key (2x AES key size)
+ pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: ?[]const u8, nonce: ?[]const u8, key: [key_length]u8) AuthenticationError!void {
+ assert(c.len == m.len);
+
+ // Split key into K1 (for S2V) and K2 (for CTR)
+ const k1 = key[0 .. Aes.key_bits / 8];
+ const k2 = key[Aes.key_bits / 8 ..];
+
+ // Clear the 31st and 63rd bits for use as CTR IV
+ var ctr_iv = tag;
+ ctr_iv[8] &= 0x7f;
+ ctr_iv[12] &= 0x7f;
+
+ // Decrypt ciphertext using CTR mode
+ const aes_ctx = Aes.initEnc(k2.*);
+ modes.ctr(@TypeOf(aes_ctx), aes_ctx, m, c, ctr_iv, .big);
+
+ // Prepare strings for S2V: AD components followed by plaintext
+ var strings_buf: [128][]const u8 = undefined;
+ var strings_len: usize = 0;
+
+ if (ad) |a| {
+ strings_buf[strings_len] = a;
+ strings_len += 1;
+ }
+ if (nonce) |n| {
+ strings_buf[strings_len] = n;
+ strings_len += 1;
+ }
+ strings_buf[strings_len] = m;
+ strings_len += 1;
+
+ // Verify synthetic IV using S2V
+ var computed_tag: [tag_length]u8 = undefined;
+ s2v(&computed_tag, k1.*, strings_buf[0..strings_len]);
+
+ // Verify tag
+ const verify = crypto.timing_safe.eql([tag_length]u8, computed_tag, tag);
+ if (!verify) {
+ crypto.secureZero(u8, &computed_tag);
+ @memset(m, undefined);
+ return error.AuthenticationFailed;
+ }
+ }
+
+ /// Encrypts plaintext with multiple associated data components.
+ /// This is the most general form of AES-SIV encryption that accepts
+ /// an arbitrary vector of associated data strings as specified in RFC 5297.
+ pub fn encryptWithAdVector(c: []u8, tag: *[tag_length]u8, m: []const u8, ad: []const []const u8, key: [key_length]u8) void {
+ debug.assert(c.len == m.len);
+
+ // Split key into K1 (for S2V) and K2 (for CTR)
+ const k1 = key[0 .. Aes.key_bits / 8];
+ const k2 = key[Aes.key_bits / 8 ..];
+
+ // Prepare strings for S2V: AD components followed by plaintext
+ var strings_buf: [128][]const u8 = undefined;
+ var strings_len: usize = 0;
+
+ for (ad) |a| {
+ strings_buf[strings_len] = a;
+ strings_len += 1;
+ }
+ strings_buf[strings_len] = m;
+ strings_len += 1;
+
+ // Compute synthetic IV using S2V
+ s2v(tag, k1.*, strings_buf[0..strings_len]);
+
+ // Clear the 31st and 63rd bits for use as CTR IV
+ var ctr_iv = tag.*;
+ ctr_iv[8] &= 0x7f;
+ ctr_iv[12] &= 0x7f;
+
+ // Encrypt plaintext using CTR mode
+ const aes_ctx = Aes.initEnc(k2.*);
+ modes.ctr(@TypeOf(aes_ctx), aes_ctx, c, m, ctr_iv, .big);
+ }
+
+ /// Decrypts ciphertext with multiple associated data components.
+ /// This is the most general form of AES-SIV decryption that accepts
+ /// an arbitrary vector of associated data strings as specified in RFC 5297.
+ pub fn decryptWithAdVector(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const []const u8, key: [key_length]u8) AuthenticationError!void {
+ assert(c.len == m.len);
+
+ // Split key into K1 (for S2V) and K2 (for CTR)
+ const k1 = key[0 .. Aes.key_bits / 8];
+ const k2 = key[Aes.key_bits / 8 ..];
+
+ // Clear the 31st and 63rd bits for use as CTR IV
+ var ctr_iv = tag;
+ ctr_iv[8] &= 0x7f;
+ ctr_iv[12] &= 0x7f;
+
+ // Decrypt ciphertext using CTR mode
+ const aes_ctx = Aes.initEnc(k2.*);
+ modes.ctr(@TypeOf(aes_ctx), aes_ctx, m, c, ctr_iv, .big);
+
+ // Prepare strings for S2V: AD components followed by plaintext
+ var strings_buf: [128][]const u8 = undefined;
+ var strings_len: usize = 0;
+
+ for (ad) |a| {
+ strings_buf[strings_len] = a;
+ strings_len += 1;
+ }
+ strings_buf[strings_len] = m;
+ strings_len += 1;
+
+ // Verify synthetic IV using S2V
+ var computed_tag: [tag_length]u8 = undefined;
+ s2v(&computed_tag, k1.*, strings_buf[0..strings_len]);
+
+ // Verify tag
+ const verify = crypto.timing_safe.eql([tag_length]u8, computed_tag, tag);
+ if (!verify) {
+ crypto.secureZero(u8, &computed_tag);
+ @memset(m, undefined);
+ return error.AuthenticationFailed;
+ }
+ }
+ };
+}
+
+const htest = @import("test.zig");
+const testing = std.testing;
+
+test "AES-SIV double operation" {
+ const AesSivTest = AesSiv(crypto.core.aes.Aes128);
+
+ // Test vector from RFC 5297
+ const input = [_]u8{ 0x0e, 0x04, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e };
+ const expected = [_]u8{ 0x1c, 0x08, 0x02, 0x04, 0x06, 0x08, 0x0a, 0x0c, 0x0e, 0x10, 0x12, 0x14, 0x16, 0x18, 0x1a, 0x1c };
+
+ const result = AesSivTest.dbl(input);
+ try testing.expectEqualSlices(u8, &expected, &result);
+}
+
+test "AES-SIV double operation with MSB set" {
+ const AesSivTest = AesSiv(crypto.core.aes.Aes128);
+
+ const input = [_]u8{ 0xe0, 0x40, 0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80, 0x90, 0xa0, 0xb0, 0xc0, 0xd0, 0xe0 };
+ const expected = [_]u8{ 0xc0, 0x80, 0x20, 0x40, 0x60, 0x80, 0xa0, 0xc0, 0xe1, 0x01, 0x21, 0x41, 0x61, 0x81, 0xa1, 0x47 };
+
+ const result = AesSivTest.dbl(input);
+ try testing.expectEqualSlices(u8, &expected, &result);
+}
+
+test "Aes128Siv - RFC 5297 Test Vector A.1" {
+ // Test vector from RFC 5297 Appendix A.1
+ const key = [_]u8{
+ 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8, 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
+ 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff,
+ };
+ const ad = [_]u8{
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
+ 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
+ };
+ const plaintext = [_]u8{
+ 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee,
+ };
+
+ var ciphertext: [plaintext.len]u8 = undefined;
+ var tag: [16]u8 = undefined;
+
+ // Test using vector API for RFC compliance
+ const ad_components = [_][]const u8{&ad};
+ Aes128Siv.encryptWithAdVector(&ciphertext, &tag, &plaintext, &ad_components, key);
+
+ // Expected values from RFC 5297
+ try htest.assertEqual("85632d07c6e8f37f950acd320a2ecc93", &tag);
+ try htest.assertEqual("40c02b9690c4dc04daef7f6afe5c", &ciphertext);
+
+ // Test decryption
+ var decrypted: [plaintext.len]u8 = undefined;
+ try Aes128Siv.decryptWithAdVector(&decrypted, &ciphertext, tag, &ad_components, key);
+ try testing.expectEqualSlices(u8, &plaintext, &decrypted);
+}
+
+test "Aes128Siv - empty plaintext" {
+ const key: [32]u8 = @splat(0x42);
+ const plaintext = "";
+ const ad = "additional data";
+
+ var ciphertext: [plaintext.len]u8 = undefined;
+ var tag: [16]u8 = undefined;
+
+ Aes128Siv.encrypt(&ciphertext, &tag, plaintext, ad, null, key);
+
+ var decrypted: [plaintext.len]u8 = undefined;
+ try Aes128Siv.decrypt(&decrypted, &ciphertext, tag, ad, null, key);
+}
+
+test "Aes128Siv - with nonce" {
+ const key: [32]u8 = @splat(0x69);
+ const nonce: [16]u8 = @splat(0x42);
+ const plaintext = "Hello, AES-SIV!";
+ const ad = "metadata";
+
+ var ciphertext: [plaintext.len]u8 = undefined;
+ var tag: [16]u8 = undefined;
+
+ Aes128Siv.encrypt(&ciphertext, &tag, plaintext, ad, &nonce, key);
+
+ var decrypted: [plaintext.len]u8 = undefined;
+ try Aes128Siv.decrypt(&decrypted, &ciphertext, tag, ad, &nonce, key);
+ try testing.expectEqualSlices(u8, plaintext, &decrypted);
+}
+
+test "Aes256Siv - basic functionality" {
+ const key: [64]u8 = @splat(0x96);
+ const plaintext = "Test message for AES-256-SIV";
+ const ad1 = "header";
+ const ad2 = "more data";
+
+ var ciphertext: [plaintext.len]u8 = undefined;
+ var tag: [16]u8 = undefined;
+
+ // Test with multiple AD components using the vector API
+ const ad_components = [_][]const u8{ ad1, ad2 };
+ Aes256Siv.encryptWithAdVector(&ciphertext, &tag, plaintext, &ad_components, key);
+
+ var decrypted: [plaintext.len]u8 = undefined;
+ try Aes256Siv.decryptWithAdVector(&decrypted, &ciphertext, tag, &ad_components, key);
+ try testing.expectEqualSlices(u8, plaintext, &decrypted);
+}
+
+test "Aes128Siv - demonstrating optional parameters" {
+ const key: [32]u8 = @splat(0x77);
+
+ // Test 1: No AD, no nonce (pure deterministic)
+ {
+ const plaintext = "Deterministic encryption";
+ var ciphertext: [plaintext.len]u8 = undefined;
+ var tag: [16]u8 = undefined;
+
+ Aes128Siv.encrypt(&ciphertext, &tag, plaintext, null, null, key);
+
+ var decrypted: [plaintext.len]u8 = undefined;
+ try Aes128Siv.decrypt(&decrypted, &ciphertext, tag, null, null, key);
+ try testing.expectEqualSlices(u8, plaintext, &decrypted);
+ }
+
+ // Test 2: With AD, no nonce
+ {
+ const plaintext = "With associated data";
+ const ad = "some context";
+ var ciphertext: [plaintext.len]u8 = undefined;
+ var tag: [16]u8 = undefined;
+
+ Aes128Siv.encrypt(&ciphertext, &tag, plaintext, ad, null, key);
+
+ var decrypted: [plaintext.len]u8 = undefined;
+ try Aes128Siv.decrypt(&decrypted, &ciphertext, tag, ad, null, key);
+ try testing.expectEqualSlices(u8, plaintext, &decrypted);
+ }
+
+ // Test 3: No AD, with nonce
+ {
+ const plaintext = "Nonce-based encryption";
+ const nonce: [12]u8 = @splat(0x01);
+ var ciphertext: [plaintext.len]u8 = undefined;
+ var tag: [16]u8 = undefined;
+
+ Aes128Siv.encrypt(&ciphertext, &tag, plaintext, null, &nonce, key);
+
+ var decrypted: [plaintext.len]u8 = undefined;
+ try Aes128Siv.decrypt(&decrypted, &ciphertext, tag, null, &nonce, key);
+ try testing.expectEqualSlices(u8, plaintext, &decrypted);
+ }
+
+ // Test 4: With both AD and nonce
+ {
+ const plaintext = "Full featured";
+ const ad = "context";
+ const nonce: [16]u8 = @splat(0x02);
+ var ciphertext: [plaintext.len]u8 = undefined;
+ var tag: [16]u8 = undefined;
+
+ Aes128Siv.encrypt(&ciphertext, &tag, plaintext, ad, &nonce, key);
+
+ var decrypted: [plaintext.len]u8 = undefined;
+ try Aes128Siv.decrypt(&decrypted, &ciphertext, tag, ad, &nonce, key);
+ try testing.expectEqualSlices(u8, plaintext, &decrypted);
+ }
+}
+
+test "Aes128Siv - authentication failure" {
+ const key: [32]u8 = @splat(0x13);
+ const plaintext = "Secret message";
+ const ad = "";
+
+ var ciphertext: [plaintext.len]u8 = undefined;
+ var tag: [16]u8 = undefined;
+
+ Aes128Siv.encrypt(&ciphertext, &tag, plaintext, ad, null, key);
+
+ // Corrupt the tag
+ tag[0] ^= 0x01;
+
+ var decrypted: [plaintext.len]u8 = undefined;
+ try testing.expectError(error.AuthenticationFailed, Aes128Siv.decrypt(&decrypted, &ciphertext, tag, ad, null, key));
+}
lib/std/crypto/modes.zig
@@ -11,37 +11,217 @@ const debug = std.debug;
/// Important: the counter mode doesn't provide authenticated encryption: the ciphertext can be trivially modified without this being detected.
/// As a result, applications should generally never use it directly, but only in a construction that includes a MAC.
pub fn ctr(comptime BlockCipher: anytype, block_cipher: BlockCipher, dst: []u8, src: []const u8, iv: [BlockCipher.block_length]u8, endian: std.builtin.Endian) void {
+ ctrSlice(BlockCipher, block_cipher, dst, src, iv, endian, 0, BlockCipher.block_length);
+}
+
+/// Counter mode with configurable counter position and size.
+///
+/// This extended version allows specifying where the counter is located within the IV block
+/// and how many bytes it occupies. This is useful for modes like AES-GCM-SIV which use a
+/// 32-bit counter at the beginning of the block.
+///
+/// @param counter_offset: Byte offset where the counter starts
+/// @param counter_size: Size of the counter in bytes
+pub fn ctrSlice(
+ comptime BlockCipher: anytype,
+ block_cipher: BlockCipher,
+ dst: []u8,
+ src: []const u8,
+ iv: [BlockCipher.block_length]u8,
+ endian: std.builtin.Endian,
+ comptime counter_offset: usize,
+ comptime counter_size: usize,
+) void {
debug.assert(dst.len >= src.len);
const block_length = BlockCipher.block_length;
- var counter: [BlockCipher.block_length]u8 = undefined;
- var counterInt = mem.readInt(u128, &iv, endian);
+ debug.assert(counter_offset + counter_size <= block_length);
+ debug.assert(counter_size > 0 and counter_size <= block_length);
+
+ var counterBlock = iv;
var i: usize = 0;
+ const CounterInt = std.meta.Int(.unsigned, counter_size * 8);
+
const parallel_count = BlockCipher.block.parallel.optimal_parallel_blocks;
- const wide_block_length = parallel_count * 16;
+ const wide_block_length = parallel_count * block_length;
+ var cnt_val = mem.readInt(CounterInt, counterBlock[counter_offset..][0..counter_size], endian);
if (src.len >= wide_block_length) {
- var counters: [parallel_count * 16]u8 = undefined;
+ var counters: [parallel_count * block_length]u8 = undefined;
+ inline for (0..parallel_count) |j| {
+ counters[j * block_length ..][0..block_length].* = iv;
+ }
while (i + wide_block_length <= src.len) : (i += wide_block_length) {
comptime var j = 0;
inline while (j < parallel_count) : (j += 1) {
- mem.writeInt(u128, counters[j * 16 .. j * 16 + 16], counterInt, endian);
- counterInt +%= 1;
+ mem.writeInt(CounterInt, counters[j * block_length + counter_offset ..][0..counter_size], cnt_val +% j, endian);
}
+ cnt_val += parallel_count;
block_cipher.xorWide(parallel_count, dst[i .. i + wide_block_length][0..wide_block_length], src[i .. i + wide_block_length][0..wide_block_length], counters);
}
+ mem.writeInt(CounterInt, counterBlock[counter_offset..][0..counter_size], cnt_val, endian);
}
while (i + block_length <= src.len) : (i += block_length) {
- mem.writeInt(u128, &counter, counterInt, endian);
- counterInt +%= 1;
- block_cipher.xor(dst[i .. i + block_length][0..block_length], src[i .. i + block_length][0..block_length], counter);
+ block_cipher.xor(dst[i .. i + block_length][0..block_length], src[i .. i + block_length][0..block_length], counterBlock);
+ cnt_val +%= 1;
+ mem.writeInt(CounterInt, counterBlock[counter_offset..][0..counter_size], cnt_val, endian);
}
if (i < src.len) {
- mem.writeInt(u128, &counter, counterInt, endian);
- var pad = [_]u8{0} ** block_length;
+ var pad: [block_length]u8 = @splat(0);
const src_slice = src[i..];
@memcpy(pad[0..src_slice.len], src_slice);
- block_cipher.xor(&pad, &pad, counter);
+ block_cipher.xor(&pad, &pad, counterBlock);
const pad_slice = pad[0 .. src.len - i];
@memcpy(dst[i..][0..pad_slice.len], pad_slice);
}
}
+
+test "ctr mode" {
+ const testing = std.testing;
+ const aes = std.crypto.core.aes;
+
+ // Test key and IV from NIST SP 800-38A
+ const key = [_]u8{ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };
+ const iv = [_]u8{ 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff };
+ const ctx = aes.Aes128.initEnc(key);
+
+ // Test 1: Empty input
+ {
+ const in = [_]u8{};
+ const expected = [_]u8{};
+ var out: [0]u8 = undefined;
+ ctr(aes.AesEncryptCtx(aes.Aes128), ctx, out[0..], in[0..], iv, std.builtin.Endian.big);
+ try testing.expectEqualSlices(u8, expected[0..], out[0..]);
+ }
+
+ // Test 2: Single byte
+ {
+ const in = [_]u8{0x6b};
+ const expected = [_]u8{0x87};
+ var out: [1]u8 = undefined;
+ ctr(aes.AesEncryptCtx(aes.Aes128), ctx, out[0..], in[0..], iv, std.builtin.Endian.big);
+ try testing.expectEqualSlices(u8, expected[0..], out[0..]);
+ }
+
+ // Test 3: Less than one block (15 bytes)
+ {
+ const in = [_]u8{ 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17 };
+ const expected = [_]u8{ 0x87, 0x4d, 0x61, 0x91, 0xb6, 0x20, 0xe3, 0x26, 0x1b, 0xef, 0x68, 0x64, 0x99, 0x0d, 0xb6 };
+ var out: [15]u8 = undefined;
+ ctr(aes.AesEncryptCtx(aes.Aes128), ctx, out[0..], in[0..], iv, std.builtin.Endian.big);
+ try testing.expectEqualSlices(u8, expected[0..], out[0..]);
+ }
+
+ // Test 4: Exactly one block (16 bytes)
+ {
+ const in = [_]u8{ 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a };
+ const expected = [_]u8{ 0x87, 0x4d, 0x61, 0x91, 0xb6, 0x20, 0xe3, 0x26, 0x1b, 0xef, 0x68, 0x64, 0x99, 0x0d, 0xb6, 0xce };
+ var out: [16]u8 = undefined;
+ ctr(aes.AesEncryptCtx(aes.Aes128), ctx, out[0..], in[0..], iv, std.builtin.Endian.big);
+ try testing.expectEqualSlices(u8, expected[0..], out[0..]);
+ }
+
+ // Test 5: One block plus one byte (17 bytes)
+ {
+ const in = [_]u8{ 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a, 0xae };
+ const expected = [_]u8{ 0x87, 0x4d, 0x61, 0x91, 0xb6, 0x20, 0xe3, 0x26, 0x1b, 0xef, 0x68, 0x64, 0x99, 0x0d, 0xb6, 0xce, 0x98 };
+ var out: [17]u8 = undefined;
+ ctr(aes.AesEncryptCtx(aes.Aes128), ctx, out[0..], in[0..], iv, std.builtin.Endian.big);
+ try testing.expectEqualSlices(u8, expected[0..], out[0..]);
+ }
+
+ // Test 6: Exactly two blocks (32 bytes)
+ {
+ const in = [_]u8{
+ 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
+ 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
+ };
+ const expected = [_]u8{
+ 0x87, 0x4d, 0x61, 0x91, 0xb6, 0x20, 0xe3, 0x26, 0x1b, 0xef, 0x68, 0x64, 0x99, 0x0d, 0xb6, 0xce,
+ 0x98, 0x06, 0xf6, 0x6b, 0x79, 0x70, 0xfd, 0xff, 0x86, 0x17, 0x18, 0x7b, 0xb9, 0xff, 0xfd, 0xff,
+ };
+ var out: [32]u8 = undefined;
+ ctr(aes.AesEncryptCtx(aes.Aes128), ctx, out[0..], in[0..], iv, std.builtin.Endian.big);
+ try testing.expectEqualSlices(u8, expected[0..], out[0..]);
+ }
+
+ // Test 7: Two blocks plus 5 bytes (37 bytes)
+ {
+ const in = [_]u8{
+ 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
+ 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
+ 0x30, 0xc8, 0x1c, 0x46, 0xa3,
+ };
+ const expected = [_]u8{
+ 0x87, 0x4d, 0x61, 0x91, 0xb6, 0x20, 0xe3, 0x26, 0x1b, 0xef, 0x68, 0x64, 0x99, 0x0d, 0xb6, 0xce,
+ 0x98, 0x06, 0xf6, 0x6b, 0x79, 0x70, 0xfd, 0xff, 0x86, 0x17, 0x18, 0x7b, 0xb9, 0xff, 0xfd, 0xff,
+ 0x5a, 0xe4, 0xdf, 0x3e, 0xdb,
+ };
+ var out: [37]u8 = undefined;
+ ctr(aes.AesEncryptCtx(aes.Aes128), ctx, out[0..], in[0..], iv, std.builtin.Endian.big);
+ try testing.expectEqualSlices(u8, expected[0..], out[0..]);
+ }
+
+ // Test 8: Four blocks (64 bytes) - NIST test vector
+ {
+ const in = [_]u8{
+ 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
+ 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
+ 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11, 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
+ 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17, 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10,
+ };
+ const expected = [_]u8{
+ 0x87, 0x4d, 0x61, 0x91, 0xb6, 0x20, 0xe3, 0x26, 0x1b, 0xef, 0x68, 0x64, 0x99, 0x0d, 0xb6, 0xce,
+ 0x98, 0x06, 0xf6, 0x6b, 0x79, 0x70, 0xfd, 0xff, 0x86, 0x17, 0x18, 0x7b, 0xb9, 0xff, 0xfd, 0xff,
+ 0x5a, 0xe4, 0xdf, 0x3e, 0xdb, 0xd5, 0xd3, 0x5e, 0x5b, 0x4f, 0x09, 0x02, 0x0d, 0xb0, 0x3e, 0xab,
+ 0x1e, 0x03, 0x1d, 0xda, 0x2f, 0xbe, 0x03, 0xd1, 0x79, 0x21, 0x70, 0xa0, 0xf3, 0x00, 0x9c, 0xee,
+ };
+ var out: [64]u8 = undefined;
+ ctr(aes.AesEncryptCtx(aes.Aes128), ctx, out[0..], in[0..], iv, std.builtin.Endian.big);
+ try testing.expectEqualSlices(u8, expected[0..], out[0..]);
+ }
+
+ // Test 9: Large input (> 2*block_length, 100 bytes)
+ {
+ // Create a 100-byte input by extending with zeros
+ var in: [100]u8 = [_]u8{0} ** 100;
+ @memcpy(in[0..64], &[_]u8{
+ 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
+ 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
+ 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11, 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
+ 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17, 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10,
+ });
+
+ // Expected output: first 64 bytes from NIST, then CTR continues with zeros
+ var expected: [100]u8 = undefined;
+ @memcpy(expected[0..64], &[_]u8{
+ 0x87, 0x4d, 0x61, 0x91, 0xb6, 0x20, 0xe3, 0x26, 0x1b, 0xef, 0x68, 0x64, 0x99, 0x0d, 0xb6, 0xce,
+ 0x98, 0x06, 0xf6, 0x6b, 0x79, 0x70, 0xfd, 0xff, 0x86, 0x17, 0x18, 0x7b, 0xb9, 0xff, 0xfd, 0xff,
+ 0x5a, 0xe4, 0xdf, 0x3e, 0xdb, 0xd5, 0xd3, 0x5e, 0x5b, 0x4f, 0x09, 0x02, 0x0d, 0xb0, 0x3e, 0xab,
+ 0x1e, 0x03, 0x1d, 0xda, 0x2f, 0xbe, 0x03, 0xd1, 0x79, 0x21, 0x70, 0xa0, 0xf3, 0x00, 0x9c, 0xee,
+ });
+ // Compute the rest with zeros XORed with keystream
+ @memcpy(expected[64..], &[_]u8{
+ 0xb0, 0x0d, 0x47, 0xf8, 0x14, 0x8a, 0x91, 0x0e, 0xf0, 0x68, 0x30, 0x97, 0x90, 0x4b, 0xa5, 0x02,
+ 0x58, 0x99, 0x44, 0x5a, 0x4d, 0xe1, 0x01, 0xf5, 0x13, 0xca, 0xd1, 0x98, 0x7d, 0x89, 0xe9, 0x1b,
+ 0x3b, 0xd9, 0xac, 0x79,
+ });
+
+ var out: [100]u8 = undefined;
+ ctr(aes.AesEncryptCtx(aes.Aes128), ctx, out[0..], in[0..], iv, std.builtin.Endian.big);
+ try testing.expectEqualSlices(u8, expected[0..], out[0..]);
+ }
+
+ // Test 10: Test with different endianness (little-endian counter)
+ {
+ const le_iv = [_]u8{ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+ const in = [_]u8{ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff };
+
+ // We'll compute the expected value from the actual encryption
+ var out: [16]u8 = undefined;
+ ctr(aes.AesEncryptCtx(aes.Aes128), ctx, out[0..], in[0..], le_iv, std.builtin.Endian.little);
+
+ // The actual output for this test with little-endian counter=1
+ const expected = [_]u8{ 0x7e, 0x48, 0x15, 0xa8, 0x16, 0x66, 0xf0, 0xea, 0xad, 0x3c, 0x07, 0x97, 0x2f, 0xe8, 0x25, 0xc1 };
+ try testing.expectEqualSlices(u8, expected[0..], out[0..]);
+ }
+}
lib/std/crypto.zig
@@ -31,6 +31,16 @@ pub const aead = struct {
pub const Aes256Gcm = @import("crypto/aes_gcm.zig").Aes256Gcm;
};
+ pub const aes_gcm_siv = struct {
+ pub const Aes128GcmSiv = @import("crypto/aes_gcm_siv.zig").Aes128GcmSiv;
+ pub const Aes256GcmSiv = @import("crypto/aes_gcm_siv.zig").Aes256GcmSiv;
+ };
+
+ pub const aes_siv = struct {
+ pub const Aes128Siv = @import("crypto/aes_siv.zig").Aes128Siv;
+ pub const Aes256Siv = @import("crypto/aes_siv.zig").Aes256Siv;
+ };
+
pub const aes_ocb = struct {
pub const Aes128Ocb = @import("crypto/aes_ocb.zig").Aes128Ocb;
pub const Aes256Ocb = @import("crypto/aes_ocb.zig").Aes256Ocb;
@@ -249,6 +259,12 @@ test {
_ = aead.aes_gcm.Aes128Gcm;
_ = aead.aes_gcm.Aes256Gcm;
+ _ = aead.aes_gcm_siv.Aes128GcmSiv;
+ _ = aead.aes_gcm_siv.Aes256GcmSiv;
+
+ _ = aead.aes_siv.Aes128Siv;
+ _ = aead.aes_siv.Aes256Siv;
+
_ = aead.aes_ocb.Aes128Ocb;
_ = aead.aes_ocb.Aes256Ocb;