From dd46e07fb95c6c5952b3dc41307a5aa4e130ba6a Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Tue, 16 Sep 2025 12:07:50 +0200 Subject: [PATCH] std.crypto: add AES-SIV and AES-GCM-SIV The Zig standard library lacked schemes that resist nonce reuse. AES-SIV and AES-GCM-SIV are the standard options for this. AES-GCM-SIV can be very useful when Zig is used to target embedded systems, and AES-SIV is especially useful for key wrapping. Also take it as an opportunity to add a bunch of test vectors to modes.ctr and make sure it works with block ciphers whose size is not 16. --- lib/std/crypto.zig | 16 ++ lib/std/crypto/aes.zig | 25 -- lib/std/crypto/aes_siv.zig | 481 +++++++++++++++++++++++++++++++++++++ lib/std/crypto/modes.zig | 204 +++++++++++++++- 4 files changed, 689 insertions(+), 37 deletions(-) create mode 100644 lib/std/crypto/aes_siv.zig diff --git a/lib/std/crypto.zig b/lib/std/crypto.zig index 2a45c188b6..6d8c76153c 100644 --- a/lib/std/crypto.zig +++ b/lib/std/crypto.zig @@ -31,6 +31,16 @@ pub const aead = struct { pub const Aes256Gcm = @import("crypto/aes_gcm.zig").Aes256Gcm; }; + pub const aes_gcm_siv = struct { + pub const Aes128GcmSiv = @import("crypto/aes_gcm_siv.zig").Aes128GcmSiv; + pub const Aes256GcmSiv = @import("crypto/aes_gcm_siv.zig").Aes256GcmSiv; + }; + + pub const aes_siv = struct { + pub const Aes128Siv = @import("crypto/aes_siv.zig").Aes128Siv; + pub const Aes256Siv = @import("crypto/aes_siv.zig").Aes256Siv; + }; + pub const aes_ocb = struct { pub const Aes128Ocb = @import("crypto/aes_ocb.zig").Aes128Ocb; pub const Aes256Ocb = @import("crypto/aes_ocb.zig").Aes256Ocb; @@ -249,6 +259,12 @@ test { _ = aead.aes_gcm.Aes128Gcm; _ = aead.aes_gcm.Aes256Gcm; + _ = aead.aes_gcm_siv.Aes128GcmSiv; + _ = aead.aes_gcm_siv.Aes256GcmSiv; + + _ = aead.aes_siv.Aes128Siv; + _ = aead.aes_siv.Aes256Siv; + _ = aead.aes_ocb.Aes128Ocb; _ = aead.aes_ocb.Aes256Ocb; diff --git a/lib/std/crypto/aes.zig b/lib/std/crypto/aes.zig index 6b368e65cc..130b461a5e 100644 --- a/lib/std/crypto/aes.zig +++ b/lib/std/crypto/aes.zig @@ -28,31 +28,6 @@ pub const AesDecryptCtx = impl.AesDecryptCtx; pub const Aes128 = impl.Aes128; pub const Aes256 = impl.Aes256; -test "ctr" { - // NIST SP 800-38A pp 55-58 - const ctr = @import("modes.zig").ctr; - - const key = [_]u8{ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c }; - const iv = [_]u8{ 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff }; - const in = [_]u8{ - 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a, - 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51, - 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11, 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef, - 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17, 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10, - }; - const exp_out = [_]u8{ - 0x87, 0x4d, 0x61, 0x91, 0xb6, 0x20, 0xe3, 0x26, 0x1b, 0xef, 0x68, 0x64, 0x99, 0x0d, 0xb6, 0xce, - 0x98, 0x06, 0xf6, 0x6b, 0x79, 0x70, 0xfd, 0xff, 0x86, 0x17, 0x18, 0x7b, 0xb9, 0xff, 0xfd, 0xff, - 0x5a, 0xe4, 0xdf, 0x3e, 0xdb, 0xd5, 0xd3, 0x5e, 0x5b, 0x4f, 0x09, 0x02, 0x0d, 0xb0, 0x3e, 0xab, - 0x1e, 0x03, 0x1d, 0xda, 0x2f, 0xbe, 0x03, 0xd1, 0x79, 0x21, 0x70, 0xa0, 0xf3, 0x00, 0x9c, 0xee, - }; - - var out: [exp_out.len]u8 = undefined; - const ctx = Aes128.initEnc(key); - ctr(AesEncryptCtx(Aes128), ctx, out[0..], in[0..], iv, std.builtin.Endian.big); - try testing.expectEqualSlices(u8, exp_out[0..], out[0..]); -} - test "encrypt" { // Appendix B { diff --git a/lib/std/crypto/aes_siv.zig b/lib/std/crypto/aes_siv.zig new file mode 100644 index 0000000000..56b095fe05 --- /dev/null +++ b/lib/std/crypto/aes_siv.zig @@ -0,0 +1,481 @@ +const std = @import("std"); +const assert = std.debug.assert; +const crypto = std.crypto; +const debug = std.debug; +const mem = std.mem; +const math = std.math; +const modes = crypto.core.modes; +const Cmac = @import("cmac.zig").Cmac; +const AuthenticationError = crypto.errors.AuthenticationError; + +pub const Aes128Siv = AesSiv(crypto.core.aes.Aes128); +pub const Aes256Siv = AesSiv(crypto.core.aes.Aes256); + +/// AES-SIV: Deterministic authenticated encryption - the same message always produces the same ciphertext. +/// +/// What it does: Encrypts data and protects it from tampering. Unlike most encryption modes, +/// AES-SIV is deterministic: encrypting the same message with the same key always produces +/// the same ciphertext (unless you provide an optional nonce). +/// +/// When to use AES-SIV: +/// - When you need deterministic encryption (e.g., for deduplication in encrypted storage) +/// - When you can't store or generate nonces +/// - For key wrapping (protecting cryptographic keys) +/// - When you need to search encrypted data without decrypting it +/// +/// When NOT to use AES-SIV: +/// - When identical plaintexts must produce different ciphertexts (use AES-GCM or AES-GCM-SIV) +/// - For network protocols where replay attacks are a concern +/// +/// Unique features: +/// - Optional nonce: You can add a nonce to make encryption non-deterministic, but this is optional +/// - Multiple associated data: Supports a vector of associated data strings instead of just one. +/// The algorithm cryptographically ensures each component is properly separated, preventing +/// canonicalization attacks where different splits of data could be accepted as valid. +/// +/// Security properties: +/// - Deterministic: Same input always gives same output (this can leak information about patterns) +/// - Nonce misuse resistant: Doesn't catastrophically fail if you reuse a nonce +/// - Key commitment: Ciphertext can only be decrypted with the exact key that encrypted it +/// +/// AES-SIV has better security properties than AES-GCM-SIV, but is must slower. +/// +/// How it works: Combines two keys - one for authentication (S2V) and one for encryption (CTR mode). +/// The total key size is double the AES key size (256 bits for AES-128-SIV, 512 bits for AES-256-SIV). +/// +/// Defined in RFC 5297. +fn AesSiv(comptime Aes: anytype) type { + debug.assert(Aes.block.block_length == 16); + + return struct { + pub const tag_length = 16; + pub const key_length = Aes.key_bits / 8 * 2; // SIV uses 2x key size + + const CmacImpl = Cmac(Aes); + + /// S2V (String to Vector) - RFC 5297 Section 2.4 + /// Derives a synthetic IV from the key and input strings using CMAC. + /// This function implements a cryptographic pseudo-random function that maps + /// a variable-length vector of strings to a fixed 128-bit output. + fn s2v(iv: *[16]u8, key: [Aes.key_bits / 8]u8, strings: []const []const u8) void { + assert(strings.len > 0); + assert(strings.len <= 127); // S2V limitation + + var d: [16]u8 = undefined; + + // Special case: single empty string + if (strings.len == 1 and strings[0].len == 0) { + CmacImpl.create(&d, &[_]u8{}, &key); + iv.* = d; + return; + } + + // Initialize with CMAC of zero block + const zero_block: [16]u8 = @splat(0); + CmacImpl.create(&d, &zero_block, &key); + + // Process all strings except the last one + var i: usize = 0; + while (i < strings.len - 1) : (i += 1) { + d = dbl(d); + var tmp: [16]u8 = undefined; + CmacImpl.create(&tmp, strings[i], &key); + for (&d, tmp) |*b, t| { + b.* ^= t; + } + } + + // Process the final string + const sn = strings[strings.len - 1]; + if (sn.len >= 16) { + // XOR d with the first 16 bytes of Sn + var xored_msg_buf: [4096]u8 = undefined; + const xored_len = @min(sn.len, xored_msg_buf.len); + @memcpy(xored_msg_buf[0..xored_len], sn[0..xored_len]); + + for (d, 0..) |b, j| { + xored_msg_buf[j] ^= b; + } + + CmacImpl.create(iv, xored_msg_buf[0..xored_len], &key); + } else { + // Pad and XOR + d = dbl(d); + var padded: [16]u8 = @splat(0); + @memcpy(padded[0..sn.len], sn); + padded[sn.len] = 0x80; + for (&d, padded) |*b, p| { + b.* ^= p; + } + CmacImpl.create(iv, &d, &key); + } + } + + /// Double operation as defined in RFC 5297. + /// Performs multiplication by x (i.e., left shift by 1) in GF(2^128). + /// This is the same operation used in CMAC subkey generation. + /// If the MSB is set, XORs with the polynomial 0x87 after shifting. + fn dbl(d: [16]u8) [16]u8 { + // Read as big-endian 128-bit integer + const val = mem.readInt(u128, &d, .big); + + // Left shift by 1, and XOR with 0x87 if MSB was set + const doubled = (val << 1) ^ (0x87 & -%(@as(u128, val >> 127))); + + // Write back as big-endian + var result: [16]u8 = undefined; + mem.writeInt(u128, &result, doubled, .big); + return result; + } + + /// Encrypt plaintext using AES-SIV + /// `c`: Output buffer for ciphertext (same size as plaintext) + /// `tag`: Output buffer for authentication tag (synthetic IV) + /// `m`: Plaintext to encrypt + /// `ad`: Optional associated data + /// `nonce`: Optional nonce (if provided, will be added as last AD component) + /// `key`: Combined key (2x AES key size) + pub fn encrypt(c: []u8, tag: *[tag_length]u8, m: []const u8, ad: ?[]const u8, nonce: ?[]const u8, key: [key_length]u8) void { + debug.assert(c.len == m.len); + + // Split key into K1 (for S2V) and K2 (for CTR) + const k1 = key[0 .. Aes.key_bits / 8]; + const k2 = key[Aes.key_bits / 8 ..]; + + // Prepare strings for S2V: AD components followed by plaintext + var strings_buf: [128][]const u8 = undefined; + var strings_len: usize = 0; + + if (ad) |a| { + strings_buf[strings_len] = a; + strings_len += 1; + } + if (nonce) |n| { + strings_buf[strings_len] = n; + strings_len += 1; + } + strings_buf[strings_len] = m; + strings_len += 1; + + // Compute synthetic IV using S2V + s2v(tag, k1.*, strings_buf[0..strings_len]); + + // Clear the 31st and 63rd bits for use as CTR IV + var ctr_iv = tag.*; + ctr_iv[8] &= 0x7f; + ctr_iv[12] &= 0x7f; + + // Encrypt plaintext using CTR mode + const aes_ctx = Aes.initEnc(k2.*); + modes.ctr(@TypeOf(aes_ctx), aes_ctx, c, m, ctr_iv, .big); + } + + /// Decrypt ciphertext using AES-SIV + /// `m`: Output buffer for decrypted plaintext + /// `c`: Ciphertext to decrypt + /// `tag`: Authentication tag (synthetic IV) + /// `ad`: Optional associated data (must match encryption) + /// `nonce`: Optional nonce (must match encryption) + /// `key`: Combined key (2x AES key size) + pub fn decrypt(m: []u8, c: []const u8, tag: [tag_length]u8, ad: ?[]const u8, nonce: ?[]const u8, key: [key_length]u8) AuthenticationError!void { + assert(c.len == m.len); + + // Split key into K1 (for S2V) and K2 (for CTR) + const k1 = key[0 .. Aes.key_bits / 8]; + const k2 = key[Aes.key_bits / 8 ..]; + + // Clear the 31st and 63rd bits for use as CTR IV + var ctr_iv = tag; + ctr_iv[8] &= 0x7f; + ctr_iv[12] &= 0x7f; + + // Decrypt ciphertext using CTR mode + const aes_ctx = Aes.initEnc(k2.*); + modes.ctr(@TypeOf(aes_ctx), aes_ctx, m, c, ctr_iv, .big); + + // Prepare strings for S2V: AD components followed by plaintext + var strings_buf: [128][]const u8 = undefined; + var strings_len: usize = 0; + + if (ad) |a| { + strings_buf[strings_len] = a; + strings_len += 1; + } + if (nonce) |n| { + strings_buf[strings_len] = n; + strings_len += 1; + } + strings_buf[strings_len] = m; + strings_len += 1; + + // Verify synthetic IV using S2V + var computed_tag: [tag_length]u8 = undefined; + s2v(&computed_tag, k1.*, strings_buf[0..strings_len]); + + // Verify tag + const verify = crypto.timing_safe.eql([tag_length]u8, computed_tag, tag); + if (!verify) { + crypto.secureZero(u8, &computed_tag); + @memset(m, undefined); + return error.AuthenticationFailed; + } + } + + /// Encrypts plaintext with multiple associated data components. + /// This is the most general form of AES-SIV encryption that accepts + /// an arbitrary vector of associated data strings as specified in RFC 5297. + pub fn encryptWithAdVector(c: []u8, tag: *[tag_length]u8, m: []const u8, ad: []const []const u8, key: [key_length]u8) void { + debug.assert(c.len == m.len); + + // Split key into K1 (for S2V) and K2 (for CTR) + const k1 = key[0 .. Aes.key_bits / 8]; + const k2 = key[Aes.key_bits / 8 ..]; + + // Prepare strings for S2V: AD components followed by plaintext + var strings_buf: [128][]const u8 = undefined; + var strings_len: usize = 0; + + for (ad) |a| { + strings_buf[strings_len] = a; + strings_len += 1; + } + strings_buf[strings_len] = m; + strings_len += 1; + + // Compute synthetic IV using S2V + s2v(tag, k1.*, strings_buf[0..strings_len]); + + // Clear the 31st and 63rd bits for use as CTR IV + var ctr_iv = tag.*; + ctr_iv[8] &= 0x7f; + ctr_iv[12] &= 0x7f; + + // Encrypt plaintext using CTR mode + const aes_ctx = Aes.initEnc(k2.*); + modes.ctr(@TypeOf(aes_ctx), aes_ctx, c, m, ctr_iv, .big); + } + + /// Decrypts ciphertext with multiple associated data components. + /// This is the most general form of AES-SIV decryption that accepts + /// an arbitrary vector of associated data strings as specified in RFC 5297. + pub fn decryptWithAdVector(m: []u8, c: []const u8, tag: [tag_length]u8, ad: []const []const u8, key: [key_length]u8) AuthenticationError!void { + assert(c.len == m.len); + + // Split key into K1 (for S2V) and K2 (for CTR) + const k1 = key[0 .. Aes.key_bits / 8]; + const k2 = key[Aes.key_bits / 8 ..]; + + // Clear the 31st and 63rd bits for use as CTR IV + var ctr_iv = tag; + ctr_iv[8] &= 0x7f; + ctr_iv[12] &= 0x7f; + + // Decrypt ciphertext using CTR mode + const aes_ctx = Aes.initEnc(k2.*); + modes.ctr(@TypeOf(aes_ctx), aes_ctx, m, c, ctr_iv, .big); + + // Prepare strings for S2V: AD components followed by plaintext + var strings_buf: [128][]const u8 = undefined; + var strings_len: usize = 0; + + for (ad) |a| { + strings_buf[strings_len] = a; + strings_len += 1; + } + strings_buf[strings_len] = m; + strings_len += 1; + + // Verify synthetic IV using S2V + var computed_tag: [tag_length]u8 = undefined; + s2v(&computed_tag, k1.*, strings_buf[0..strings_len]); + + // Verify tag + const verify = crypto.timing_safe.eql([tag_length]u8, computed_tag, tag); + if (!verify) { + crypto.secureZero(u8, &computed_tag); + @memset(m, undefined); + return error.AuthenticationFailed; + } + } + }; +} + +const htest = @import("test.zig"); +const testing = std.testing; + +test "AES-SIV double operation" { + const AesSivTest = AesSiv(crypto.core.aes.Aes128); + + // Test vector from RFC 5297 + const input = [_]u8{ 0x0e, 0x04, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e }; + const expected = [_]u8{ 0x1c, 0x08, 0x02, 0x04, 0x06, 0x08, 0x0a, 0x0c, 0x0e, 0x10, 0x12, 0x14, 0x16, 0x18, 0x1a, 0x1c }; + + const result = AesSivTest.dbl(input); + try testing.expectEqualSlices(u8, &expected, &result); +} + +test "AES-SIV double operation with MSB set" { + const AesSivTest = AesSiv(crypto.core.aes.Aes128); + + const input = [_]u8{ 0xe0, 0x40, 0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80, 0x90, 0xa0, 0xb0, 0xc0, 0xd0, 0xe0 }; + const expected = [_]u8{ 0xc0, 0x80, 0x20, 0x40, 0x60, 0x80, 0xa0, 0xc0, 0xe1, 0x01, 0x21, 0x41, 0x61, 0x81, 0xa1, 0x47 }; + + const result = AesSivTest.dbl(input); + try testing.expectEqualSlices(u8, &expected, &result); +} + +test "Aes128Siv - RFC 5297 Test Vector A.1" { + // Test vector from RFC 5297 Appendix A.1 + const key = [_]u8{ + 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8, 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0, + 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff, + }; + const ad = [_]u8{ + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, + 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, + }; + const plaintext = [_]u8{ + 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, + }; + + var ciphertext: [plaintext.len]u8 = undefined; + var tag: [16]u8 = undefined; + + // Test using vector API for RFC compliance + const ad_components = [_][]const u8{&ad}; + Aes128Siv.encryptWithAdVector(&ciphertext, &tag, &plaintext, &ad_components, key); + + // Expected values from RFC 5297 + try htest.assertEqual("85632d07c6e8f37f950acd320a2ecc93", &tag); + try htest.assertEqual("40c02b9690c4dc04daef7f6afe5c", &ciphertext); + + // Test decryption + var decrypted: [plaintext.len]u8 = undefined; + try Aes128Siv.decryptWithAdVector(&decrypted, &ciphertext, tag, &ad_components, key); + try testing.expectEqualSlices(u8, &plaintext, &decrypted); +} + +test "Aes128Siv - empty plaintext" { + const key: [32]u8 = @splat(0x42); + const plaintext = ""; + const ad = "additional data"; + + var ciphertext: [plaintext.len]u8 = undefined; + var tag: [16]u8 = undefined; + + Aes128Siv.encrypt(&ciphertext, &tag, plaintext, ad, null, key); + + var decrypted: [plaintext.len]u8 = undefined; + try Aes128Siv.decrypt(&decrypted, &ciphertext, tag, ad, null, key); +} + +test "Aes128Siv - with nonce" { + const key: [32]u8 = @splat(0x69); + const nonce: [16]u8 = @splat(0x42); + const plaintext = "Hello, AES-SIV!"; + const ad = "metadata"; + + var ciphertext: [plaintext.len]u8 = undefined; + var tag: [16]u8 = undefined; + + Aes128Siv.encrypt(&ciphertext, &tag, plaintext, ad, &nonce, key); + + var decrypted: [plaintext.len]u8 = undefined; + try Aes128Siv.decrypt(&decrypted, &ciphertext, tag, ad, &nonce, key); + try testing.expectEqualSlices(u8, plaintext, &decrypted); +} + +test "Aes256Siv - basic functionality" { + const key: [64]u8 = @splat(0x96); + const plaintext = "Test message for AES-256-SIV"; + const ad1 = "header"; + const ad2 = "more data"; + + var ciphertext: [plaintext.len]u8 = undefined; + var tag: [16]u8 = undefined; + + // Test with multiple AD components using the vector API + const ad_components = [_][]const u8{ ad1, ad2 }; + Aes256Siv.encryptWithAdVector(&ciphertext, &tag, plaintext, &ad_components, key); + + var decrypted: [plaintext.len]u8 = undefined; + try Aes256Siv.decryptWithAdVector(&decrypted, &ciphertext, tag, &ad_components, key); + try testing.expectEqualSlices(u8, plaintext, &decrypted); +} + +test "Aes128Siv - demonstrating optional parameters" { + const key: [32]u8 = @splat(0x77); + + // Test 1: No AD, no nonce (pure deterministic) + { + const plaintext = "Deterministic encryption"; + var ciphertext: [plaintext.len]u8 = undefined; + var tag: [16]u8 = undefined; + + Aes128Siv.encrypt(&ciphertext, &tag, plaintext, null, null, key); + + var decrypted: [plaintext.len]u8 = undefined; + try Aes128Siv.decrypt(&decrypted, &ciphertext, tag, null, null, key); + try testing.expectEqualSlices(u8, plaintext, &decrypted); + } + + // Test 2: With AD, no nonce + { + const plaintext = "With associated data"; + const ad = "some context"; + var ciphertext: [plaintext.len]u8 = undefined; + var tag: [16]u8 = undefined; + + Aes128Siv.encrypt(&ciphertext, &tag, plaintext, ad, null, key); + + var decrypted: [plaintext.len]u8 = undefined; + try Aes128Siv.decrypt(&decrypted, &ciphertext, tag, ad, null, key); + try testing.expectEqualSlices(u8, plaintext, &decrypted); + } + + // Test 3: No AD, with nonce + { + const plaintext = "Nonce-based encryption"; + const nonce: [12]u8 = @splat(0x01); + var ciphertext: [plaintext.len]u8 = undefined; + var tag: [16]u8 = undefined; + + Aes128Siv.encrypt(&ciphertext, &tag, plaintext, null, &nonce, key); + + var decrypted: [plaintext.len]u8 = undefined; + try Aes128Siv.decrypt(&decrypted, &ciphertext, tag, null, &nonce, key); + try testing.expectEqualSlices(u8, plaintext, &decrypted); + } + + // Test 4: With both AD and nonce + { + const plaintext = "Full featured"; + const ad = "context"; + const nonce: [16]u8 = @splat(0x02); + var ciphertext: [plaintext.len]u8 = undefined; + var tag: [16]u8 = undefined; + + Aes128Siv.encrypt(&ciphertext, &tag, plaintext, ad, &nonce, key); + + var decrypted: [plaintext.len]u8 = undefined; + try Aes128Siv.decrypt(&decrypted, &ciphertext, tag, ad, &nonce, key); + try testing.expectEqualSlices(u8, plaintext, &decrypted); + } +} + +test "Aes128Siv - authentication failure" { + const key: [32]u8 = @splat(0x13); + const plaintext = "Secret message"; + const ad = ""; + + var ciphertext: [plaintext.len]u8 = undefined; + var tag: [16]u8 = undefined; + + Aes128Siv.encrypt(&ciphertext, &tag, plaintext, ad, null, key); + + // Corrupt the tag + tag[0] ^= 0x01; + + var decrypted: [plaintext.len]u8 = undefined; + try testing.expectError(error.AuthenticationFailed, Aes128Siv.decrypt(&decrypted, &ciphertext, tag, ad, null, key)); +} diff --git a/lib/std/crypto/modes.zig b/lib/std/crypto/modes.zig index eed803a899..9db9c3dd4e 100644 --- a/lib/std/crypto/modes.zig +++ b/lib/std/crypto/modes.zig @@ -11,37 +11,217 @@ const debug = std.debug; /// Important: the counter mode doesn't provide authenticated encryption: the ciphertext can be trivially modified without this being detected. /// As a result, applications should generally never use it directly, but only in a construction that includes a MAC. pub fn ctr(comptime BlockCipher: anytype, block_cipher: BlockCipher, dst: []u8, src: []const u8, iv: [BlockCipher.block_length]u8, endian: std.builtin.Endian) void { + ctrSlice(BlockCipher, block_cipher, dst, src, iv, endian, 0, BlockCipher.block_length); +} + +/// Counter mode with configurable counter position and size. +/// +/// This extended version allows specifying where the counter is located within the IV block +/// and how many bytes it occupies. This is useful for modes like AES-GCM-SIV which use a +/// 32-bit counter at the beginning of the block. +/// +/// @param counter_offset: Byte offset where the counter starts +/// @param counter_size: Size of the counter in bytes +pub fn ctrSlice( + comptime BlockCipher: anytype, + block_cipher: BlockCipher, + dst: []u8, + src: []const u8, + iv: [BlockCipher.block_length]u8, + endian: std.builtin.Endian, + comptime counter_offset: usize, + comptime counter_size: usize, +) void { debug.assert(dst.len >= src.len); const block_length = BlockCipher.block_length; - var counter: [BlockCipher.block_length]u8 = undefined; - var counterInt = mem.readInt(u128, &iv, endian); + debug.assert(counter_offset + counter_size <= block_length); + debug.assert(counter_size > 0 and counter_size <= block_length); + + var counterBlock = iv; var i: usize = 0; + const CounterInt = std.meta.Int(.unsigned, counter_size * 8); + const parallel_count = BlockCipher.block.parallel.optimal_parallel_blocks; - const wide_block_length = parallel_count * 16; + const wide_block_length = parallel_count * block_length; + var cnt_val = mem.readInt(CounterInt, counterBlock[counter_offset..][0..counter_size], endian); if (src.len >= wide_block_length) { - var counters: [parallel_count * 16]u8 = undefined; + var counters: [parallel_count * block_length]u8 = undefined; + inline for (0..parallel_count) |j| { + counters[j * block_length ..][0..block_length].* = iv; + } while (i + wide_block_length <= src.len) : (i += wide_block_length) { comptime var j = 0; inline while (j < parallel_count) : (j += 1) { - mem.writeInt(u128, counters[j * 16 .. j * 16 + 16], counterInt, endian); - counterInt +%= 1; + mem.writeInt(CounterInt, counters[j * block_length + counter_offset ..][0..counter_size], cnt_val +% j, endian); } + cnt_val += parallel_count; block_cipher.xorWide(parallel_count, dst[i .. i + wide_block_length][0..wide_block_length], src[i .. i + wide_block_length][0..wide_block_length], counters); } + mem.writeInt(CounterInt, counterBlock[counter_offset..][0..counter_size], cnt_val, endian); } while (i + block_length <= src.len) : (i += block_length) { - mem.writeInt(u128, &counter, counterInt, endian); - counterInt +%= 1; - block_cipher.xor(dst[i .. i + block_length][0..block_length], src[i .. i + block_length][0..block_length], counter); + block_cipher.xor(dst[i .. i + block_length][0..block_length], src[i .. i + block_length][0..block_length], counterBlock); + cnt_val +%= 1; + mem.writeInt(CounterInt, counterBlock[counter_offset..][0..counter_size], cnt_val, endian); } if (i < src.len) { - mem.writeInt(u128, &counter, counterInt, endian); - var pad = [_]u8{0} ** block_length; + var pad: [block_length]u8 = @splat(0); const src_slice = src[i..]; @memcpy(pad[0..src_slice.len], src_slice); - block_cipher.xor(&pad, &pad, counter); + block_cipher.xor(&pad, &pad, counterBlock); const pad_slice = pad[0 .. src.len - i]; @memcpy(dst[i..][0..pad_slice.len], pad_slice); } } + +test "ctr mode" { + const testing = std.testing; + const aes = std.crypto.core.aes; + + // Test key and IV from NIST SP 800-38A + const key = [_]u8{ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c }; + const iv = [_]u8{ 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff }; + const ctx = aes.Aes128.initEnc(key); + + // Test 1: Empty input + { + const in = [_]u8{}; + const expected = [_]u8{}; + var out: [0]u8 = undefined; + ctr(aes.AesEncryptCtx(aes.Aes128), ctx, out[0..], in[0..], iv, std.builtin.Endian.big); + try testing.expectEqualSlices(u8, expected[0..], out[0..]); + } + + // Test 2: Single byte + { + const in = [_]u8{0x6b}; + const expected = [_]u8{0x87}; + var out: [1]u8 = undefined; + ctr(aes.AesEncryptCtx(aes.Aes128), ctx, out[0..], in[0..], iv, std.builtin.Endian.big); + try testing.expectEqualSlices(u8, expected[0..], out[0..]); + } + + // Test 3: Less than one block (15 bytes) + { + const in = [_]u8{ 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17 }; + const expected = [_]u8{ 0x87, 0x4d, 0x61, 0x91, 0xb6, 0x20, 0xe3, 0x26, 0x1b, 0xef, 0x68, 0x64, 0x99, 0x0d, 0xb6 }; + var out: [15]u8 = undefined; + ctr(aes.AesEncryptCtx(aes.Aes128), ctx, out[0..], in[0..], iv, std.builtin.Endian.big); + try testing.expectEqualSlices(u8, expected[0..], out[0..]); + } + + // Test 4: Exactly one block (16 bytes) + { + const in = [_]u8{ 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a }; + const expected = [_]u8{ 0x87, 0x4d, 0x61, 0x91, 0xb6, 0x20, 0xe3, 0x26, 0x1b, 0xef, 0x68, 0x64, 0x99, 0x0d, 0xb6, 0xce }; + var out: [16]u8 = undefined; + ctr(aes.AesEncryptCtx(aes.Aes128), ctx, out[0..], in[0..], iv, std.builtin.Endian.big); + try testing.expectEqualSlices(u8, expected[0..], out[0..]); + } + + // Test 5: One block plus one byte (17 bytes) + { + const in = [_]u8{ 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a, 0xae }; + const expected = [_]u8{ 0x87, 0x4d, 0x61, 0x91, 0xb6, 0x20, 0xe3, 0x26, 0x1b, 0xef, 0x68, 0x64, 0x99, 0x0d, 0xb6, 0xce, 0x98 }; + var out: [17]u8 = undefined; + ctr(aes.AesEncryptCtx(aes.Aes128), ctx, out[0..], in[0..], iv, std.builtin.Endian.big); + try testing.expectEqualSlices(u8, expected[0..], out[0..]); + } + + // Test 6: Exactly two blocks (32 bytes) + { + const in = [_]u8{ + 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a, + 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51, + }; + const expected = [_]u8{ + 0x87, 0x4d, 0x61, 0x91, 0xb6, 0x20, 0xe3, 0x26, 0x1b, 0xef, 0x68, 0x64, 0x99, 0x0d, 0xb6, 0xce, + 0x98, 0x06, 0xf6, 0x6b, 0x79, 0x70, 0xfd, 0xff, 0x86, 0x17, 0x18, 0x7b, 0xb9, 0xff, 0xfd, 0xff, + }; + var out: [32]u8 = undefined; + ctr(aes.AesEncryptCtx(aes.Aes128), ctx, out[0..], in[0..], iv, std.builtin.Endian.big); + try testing.expectEqualSlices(u8, expected[0..], out[0..]); + } + + // Test 7: Two blocks plus 5 bytes (37 bytes) + { + const in = [_]u8{ + 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a, + 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51, + 0x30, 0xc8, 0x1c, 0x46, 0xa3, + }; + const expected = [_]u8{ + 0x87, 0x4d, 0x61, 0x91, 0xb6, 0x20, 0xe3, 0x26, 0x1b, 0xef, 0x68, 0x64, 0x99, 0x0d, 0xb6, 0xce, + 0x98, 0x06, 0xf6, 0x6b, 0x79, 0x70, 0xfd, 0xff, 0x86, 0x17, 0x18, 0x7b, 0xb9, 0xff, 0xfd, 0xff, + 0x5a, 0xe4, 0xdf, 0x3e, 0xdb, + }; + var out: [37]u8 = undefined; + ctr(aes.AesEncryptCtx(aes.Aes128), ctx, out[0..], in[0..], iv, std.builtin.Endian.big); + try testing.expectEqualSlices(u8, expected[0..], out[0..]); + } + + // Test 8: Four blocks (64 bytes) - NIST test vector + { + const in = [_]u8{ + 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a, + 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51, + 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11, 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef, + 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17, 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10, + }; + const expected = [_]u8{ + 0x87, 0x4d, 0x61, 0x91, 0xb6, 0x20, 0xe3, 0x26, 0x1b, 0xef, 0x68, 0x64, 0x99, 0x0d, 0xb6, 0xce, + 0x98, 0x06, 0xf6, 0x6b, 0x79, 0x70, 0xfd, 0xff, 0x86, 0x17, 0x18, 0x7b, 0xb9, 0xff, 0xfd, 0xff, + 0x5a, 0xe4, 0xdf, 0x3e, 0xdb, 0xd5, 0xd3, 0x5e, 0x5b, 0x4f, 0x09, 0x02, 0x0d, 0xb0, 0x3e, 0xab, + 0x1e, 0x03, 0x1d, 0xda, 0x2f, 0xbe, 0x03, 0xd1, 0x79, 0x21, 0x70, 0xa0, 0xf3, 0x00, 0x9c, 0xee, + }; + var out: [64]u8 = undefined; + ctr(aes.AesEncryptCtx(aes.Aes128), ctx, out[0..], in[0..], iv, std.builtin.Endian.big); + try testing.expectEqualSlices(u8, expected[0..], out[0..]); + } + + // Test 9: Large input (> 2*block_length, 100 bytes) + { + // Create a 100-byte input by extending with zeros + var in: [100]u8 = [_]u8{0} ** 100; + @memcpy(in[0..64], &[_]u8{ + 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a, + 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c, 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51, + 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11, 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef, + 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17, 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10, + }); + + // Expected output: first 64 bytes from NIST, then CTR continues with zeros + var expected: [100]u8 = undefined; + @memcpy(expected[0..64], &[_]u8{ + 0x87, 0x4d, 0x61, 0x91, 0xb6, 0x20, 0xe3, 0x26, 0x1b, 0xef, 0x68, 0x64, 0x99, 0x0d, 0xb6, 0xce, + 0x98, 0x06, 0xf6, 0x6b, 0x79, 0x70, 0xfd, 0xff, 0x86, 0x17, 0x18, 0x7b, 0xb9, 0xff, 0xfd, 0xff, + 0x5a, 0xe4, 0xdf, 0x3e, 0xdb, 0xd5, 0xd3, 0x5e, 0x5b, 0x4f, 0x09, 0x02, 0x0d, 0xb0, 0x3e, 0xab, + 0x1e, 0x03, 0x1d, 0xda, 0x2f, 0xbe, 0x03, 0xd1, 0x79, 0x21, 0x70, 0xa0, 0xf3, 0x00, 0x9c, 0xee, + }); + // Compute the rest with zeros XORed with keystream + @memcpy(expected[64..], &[_]u8{ + 0xb0, 0x0d, 0x47, 0xf8, 0x14, 0x8a, 0x91, 0x0e, 0xf0, 0x68, 0x30, 0x97, 0x90, 0x4b, 0xa5, 0x02, + 0x58, 0x99, 0x44, 0x5a, 0x4d, 0xe1, 0x01, 0xf5, 0x13, 0xca, 0xd1, 0x98, 0x7d, 0x89, 0xe9, 0x1b, + 0x3b, 0xd9, 0xac, 0x79, + }); + + var out: [100]u8 = undefined; + ctr(aes.AesEncryptCtx(aes.Aes128), ctx, out[0..], in[0..], iv, std.builtin.Endian.big); + try testing.expectEqualSlices(u8, expected[0..], out[0..]); + } + + // Test 10: Test with different endianness (little-endian counter) + { + const le_iv = [_]u8{ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; + const in = [_]u8{ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff }; + + // We'll compute the expected value from the actual encryption + var out: [16]u8 = undefined; + ctr(aes.AesEncryptCtx(aes.Aes128), ctx, out[0..], in[0..], le_iv, std.builtin.Endian.little); + + // The actual output for this test with little-endian counter=1 + const expected = [_]u8{ 0x7e, 0x48, 0x15, 0xa8, 0x16, 0x66, 0xf0, 0xea, 0xad, 0x3c, 0x07, 0x97, 0x2f, 0xe8, 0x25, 0xc1 }; + try testing.expectEqualSlices(u8, expected[0..], out[0..]); + } +}