aes: tweak weak key test (#469)

The new code results in a better codegen with resulting binaries still
being const time: https://rust.godbolt.org/z/x1a8aTsbY

Author: newpavlov

Cargo.lock

@@ -15,7 +15,6 @@ categories = ["cryptography", "no-std"]
 [dependencies]
 cfg-if = "1"
 cipher = "=0.5.0-pre.7"
-subtle = { version = "2.6", default-features = false }
 zeroize = { version = "1.5.6", optional = true, default-features = false, features = [
     "aarch64",
 ] }

aes/Cargo.toml

@@ -110,8 +110,9 @@ macro_rules! define_aes_impl {
                 Self { encrypt, decrypt }
             }
 
+            #[inline]
             fn weak_key_test(key: &Key<Self>) -> Result<(), WeakKeyError> {
-                weak_key_test!(key, Self)
+                crate::weak_key_test(&key.0)
             }
         }
 
@@ -199,8 +200,9 @@ macro_rules! define_aes_impl {
                 Self { backend }
             }
 
+            #[inline]
             fn weak_key_test(key: &Key<Self>) -> Result<(), WeakKeyError> {
-                weak_key_test!(key, Self)
+                crate::weak_key_test(&key.0)
             }
         }
 
@@ -265,8 +267,9 @@ macro_rules! define_aes_impl {
                 Self { backend }
             }
 
+            #[inline]
             fn weak_key_test(key: &Key<Self>) -> Result<(), WeakKeyError> {
-                weak_key_test!(key, Self)
+                crate::weak_key_test(&key.0)
             }
         }
 

aes/src/armv8.rs

@@ -105,8 +105,9 @@ macro_rules! define_aes_impl {
                 Self { inner, token }
             }
 
+            #[inline]
             fn weak_key_test(key: &Key<Self>) -> Result<(), WeakKeyError> {
-                weak_key_test!(key, Self)
+                crate::weak_key_test(&key.0)
             }
         }
 
@@ -226,8 +227,9 @@ macro_rules! define_aes_impl {
                 Self { inner, token }
             }
 
+            #[inline]
             fn weak_key_test(key: &Key<Self>) -> Result<(), WeakKeyError> {
-                weak_key_test!(key, Self)
+                crate::weak_key_test(&key.0)
             }
         }
 
@@ -357,8 +359,9 @@ macro_rules! define_aes_impl {
                 Self { inner, token }
             }
 
+            #[inline]
             fn weak_key_test(key: &Key<Self>) -> Result<(), WeakKeyError> {
-                weak_key_test!(key, Self)
+                crate::weak_key_test(&key.0)
             }
         }
 

aes/src/autodetect.rs

@@ -143,11 +143,41 @@ cfg_if! {
 }
 
 pub use cipher;
-use cipher::{array::Array, consts::U16};
+use cipher::{array::Array, consts::U16, crypto_common::WeakKeyError};
 
 /// 128-bit AES block
 pub type Block = Array<u8, U16>;
 
+/// Check if any bit of the upper half of the key is set.
+///
+/// This follows the interpretation laid out in section `11.4.10.4 Reject of weak keys`
+/// from the [TPM specification][0]:
+/// ```text
+/// In the case of AES, at least one bit in the upper half of the key must be set
+/// ```
+///
+/// [0]: https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-1.83-Part-1-Architecture.pdf#page=82
+pub(crate) fn weak_key_test<const N: usize>(key: &[u8; N]) -> Result<(), WeakKeyError> {
+    let t = match N {
+        16 => u64::from_ne_bytes(key[..8].try_into().unwrap()),
+        24 => {
+            let t1 = u64::from_ne_bytes(key[..8].try_into().unwrap());
+            let t2 = u32::from_ne_bytes(key[8..12].try_into().unwrap());
+            t1 | u64::from(t2)
+        }
+        32 => {
+            let t1 = u64::from_ne_bytes(key[..8].try_into().unwrap());
+            let t2 = u64::from_ne_bytes(key[8..16].try_into().unwrap());
+            t1 | t2
+        }
+        _ => unreachable!(),
+    };
+    match t {
+        0 => Err(WeakKeyError),
+        _ => Ok(()),
+    }
+}
+
 #[cfg(test)]
 mod tests {
     #[cfg(feature = "zeroize")]

aes/src/lib.rs

@@ -103,29 +103,3 @@ macro_rules! impl_backends {
         }
     };
 }
-
-macro_rules! weak_key_test {
-    ($key: expr, $k: ty) => {{
-        // Check if any bit of the upper half of the key is set
-        //
-        // This follows the interpretation laid out in section `11.4.10.4 Reject of weak keys`
-        // from the TPM specification:
-        // ```
-        // In the case of AES, at least one bit in the upper half of the key must be set
-        // ```
-        // See: https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-1.83-Part-1-Architecture.pdf#page=82
-        let mut weak = subtle::Choice::from(0);
-
-        for v in &$key
-            [..(<<$k as cipher::KeySizeUser>::KeySize as cipher::typenum::Unsigned>::USIZE / 2)]
-        {
-            weak |= <_ as subtle::ConstantTimeGreater>::ct_gt(v, &0);
-        }
-
-        if weak.unwrap_u8() == 0 {
-            Err(cipher::crypto_common::WeakKeyError)
-        } else {
-            Ok(())
-        }
-    }};
-}

aes/src/macros.rs

@@ -120,8 +120,9 @@ macro_rules! define_aes_impl {
                 Self { encrypt, decrypt }
             }
 
+            #[inline]
             fn weak_key_test(key: &Key<Self>) -> Result<(), WeakKeyError> {
-                weak_key_test!(key, Self)
+                crate::weak_key_test(&key.0)
             }
         }
 
@@ -199,8 +200,9 @@ macro_rules! define_aes_impl {
                 }
             }
 
+            #[inline]
             fn weak_key_test(key: &Key<Self>) -> Result<(), WeakKeyError> {
-                weak_key_test!(key, Self)
+                crate::weak_key_test(&key.0)
             }
         }
 
@@ -263,8 +265,9 @@ macro_rules! define_aes_impl {
                 $name_enc::new(key).into()
             }
 
+            #[inline]
             fn weak_key_test(key: &Key<Self>) -> Result<(), WeakKeyError> {
-                weak_key_test!(key, Self)
+                crate::weak_key_test(&key.0)
             }
         }
 

aes/src/ni.rs

@@ -69,8 +69,9 @@ macro_rules! define_aes_impl {
                 }
             }
 
+            #[inline]
             fn weak_key_test(key: &Key<Self>) -> Result<(), WeakKeyError> {
-                weak_key_test!(key, Self)
+                crate::weak_key_test(&key.0)
             }
         }
 
@@ -152,8 +153,9 @@ macro_rules! define_aes_impl {
                 Self { inner }
             }
 
+            #[inline]
             fn weak_key_test(key: &Key<Self>) -> Result<(), WeakKeyError> {
-                weak_key_test!(key, Self)
+                crate::weak_key_test(&key.0)
             }
         }
 
@@ -207,8 +209,9 @@ macro_rules! define_aes_impl {
                 Self { inner }
             }
 
+            #[inline]
             fn weak_key_test(key: &Key<Self>) -> Result<(), WeakKeyError> {
-                weak_key_test!(key, Self)
+                crate::weak_key_test(&key.0)
             }
         }