aes,des: implement weak key detection (#465)

See RustCrypto/traits#1738

Author: baloo

Cargo.lock

@@ -25,3 +25,7 @@ members = [
 
 [profile.dev]
 opt-level = 2
+
+[patch.crates-io]
+# https://github.com/RustCrypto/traits/pull/1742
+crypto-common = { git = "https://github.com/RustCrypto/traits.git" }

Cargo.toml

@@ -15,6 +15,7 @@ categories = ["cryptography", "no-std"]
 [dependencies]
 cfg-if = "1"
 cipher = "=0.5.0-pre.7"
+subtle = { version = "2.6", default-features = false }
 zeroize = { version = "1.5.6", optional = true, default-features = false, features = [
     "aarch64",
 ] }

aes/Cargo.toml

@@ -19,6 +19,7 @@ mod test_expand;
 
 use cipher::{
     consts::{self, U16, U24, U32},
+    crypto_common::WeakKeyError,
     AlgorithmName, BlockCipherDecClosure, BlockCipherDecrypt, BlockCipherEncClosure,
     BlockCipherEncrypt, BlockSizeUser, Key, KeyInit, KeySizeUser,
 };
@@ -108,6 +109,10 @@ macro_rules! define_aes_impl {
                 let decrypt = $name_back_dec::from(encrypt.clone());
                 Self { encrypt, decrypt }
             }
+
+            fn weak_key_test(key: &Key<Self>) -> Result<(), WeakKeyError> {
+                weak_key_test!(key, Self)
+            }
         }
 
         impl From<$name_enc> for $name {
@@ -193,6 +198,10 @@ macro_rules! define_aes_impl {
                 let backend = $name_back_enc::new(key);
                 Self { backend }
             }
+
+            fn weak_key_test(key: &Key<Self>) -> Result<(), WeakKeyError> {
+                weak_key_test!(key, Self)
+            }
         }
 
         impl BlockSizeUser for $name_enc {
@@ -255,6 +264,10 @@ macro_rules! define_aes_impl {
                 let backend = encrypt.clone().into();
                 Self { backend }
             }
+
+            fn weak_key_test(key: &Key<Self>) -> Result<(), WeakKeyError> {
+                weak_key_test!(key, Self)
+            }
         }
 
         impl From<$name_enc> for $name_dec {

aes/src/armv8.rs

@@ -4,6 +4,7 @@
 use crate::soft;
 use cipher::{
     consts::{U16, U24, U32},
+    crypto_common::WeakKeyError,
     AlgorithmName, BlockCipherDecClosure, BlockCipherDecrypt, BlockCipherEncClosure,
     BlockCipherEncrypt, BlockSizeUser, Key, KeyInit, KeySizeUser,
 };
@@ -103,6 +104,10 @@ macro_rules! define_aes_impl {
 
                 Self { inner, token }
             }
+
+            fn weak_key_test(key: &Key<Self>) -> Result<(), WeakKeyError> {
+                weak_key_test!(key, Self)
+            }
         }
 
         impl Clone for $name {
@@ -220,6 +225,10 @@ macro_rules! define_aes_impl {
 
                 Self { inner, token }
             }
+
+            fn weak_key_test(key: &Key<Self>) -> Result<(), WeakKeyError> {
+                weak_key_test!(key, Self)
+            }
         }
 
         impl Clone for $name_enc {
@@ -347,6 +356,10 @@ macro_rules! define_aes_impl {
 
                 Self { inner, token }
             }
+
+            fn weak_key_test(key: &Key<Self>) -> Result<(), WeakKeyError> {
+                weak_key_test!(key, Self)
+            }
         }
 
         impl Clone for $name_dec {

aes/src/autodetect.rs

@@ -103,3 +103,29 @@ macro_rules! impl_backends {
         }
     };
 }
+
+macro_rules! weak_key_test {
+    ($key: expr, $k: ty) => {{
+        // Check if any bit of the upper half of the key is set
+        //
+        // This follows the interpretation laid out in section `11.4.10.4 Reject of weak keys`
+        // from the TPM specification:
+        // ```
+        // In the case of AES, at least one bit in the upper half of the key must be set
+        // ```
+        // See: https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-1.83-Part-1-Architecture.pdf#page=82
+        let mut weak = subtle::Choice::from(0);
+
+        for v in &$key
+            [..(<<$k as cipher::KeySizeUser>::KeySize as cipher::typenum::Unsigned>::USIZE / 2)]
+        {
+            weak |= <_ as subtle::ConstantTimeGreater>::ct_gt(v, &0);
+        }
+
+        if weak.unwrap_u8() == 0 {
+            Err(cipher::crypto_common::WeakKeyError)
+        } else {
+            Ok(())
+        }
+    }};
+}

aes/src/macros.rs

@@ -30,6 +30,7 @@ use core::arch::x86_64 as arch;
 
 use cipher::{
     consts::{self, U16, U24, U32},
+    crypto_common::WeakKeyError,
     AlgorithmName, BlockCipherDecClosure, BlockCipherDecrypt, BlockCipherEncClosure,
     BlockCipherEncrypt, BlockSizeUser, Key, KeyInit, KeySizeUser,
 };
@@ -118,6 +119,10 @@ macro_rules! define_aes_impl {
                 let decrypt = $name_dec::from(&encrypt);
                 Self { encrypt, decrypt }
             }
+
+            fn weak_key_test(key: &Key<Self>) -> Result<(), WeakKeyError> {
+                weak_key_test!(key, Self)
+            }
         }
 
         impl From<$name_enc> for $name {
@@ -193,6 +198,10 @@ macro_rules! define_aes_impl {
                     backend: $name_back_enc::new(key),
                 }
             }
+
+            fn weak_key_test(key: &Key<Self>) -> Result<(), WeakKeyError> {
+                weak_key_test!(key, Self)
+            }
         }
 
         impl BlockSizeUser for $name_enc {
@@ -253,6 +262,10 @@ macro_rules! define_aes_impl {
             fn new(key: &Key<Self>) -> Self {
                 $name_enc::new(key).into()
             }
+
+            fn weak_key_test(key: &Key<Self>) -> Result<(), WeakKeyError> {
+                weak_key_test!(key, Self)
+            }
         }
 
         impl From<$name_enc> for $name_dec {

aes/src/ni.rs

@@ -15,6 +15,7 @@ pub(crate) mod fixslice;
 use crate::Block;
 use cipher::{
     consts::{U16, U24, U32},
+    crypto_common::WeakKeyError,
     inout::InOut,
     AlgorithmName, BlockCipherDecBackend, BlockCipherDecClosure, BlockCipherDecrypt,
     BlockCipherEncBackend, BlockCipherEncClosure, BlockCipherEncrypt, BlockSizeUser, Key, KeyInit,
@@ -67,6 +68,10 @@ macro_rules! define_aes_impl {
                     keys: $fixslice_key_schedule(key.into()),
                 }
             }
+
+            fn weak_key_test(key: &Key<Self>) -> Result<(), WeakKeyError> {
+                weak_key_test!(key, Self)
+            }
         }
 
         impl BlockSizeUser for $name {
@@ -146,6 +151,10 @@ macro_rules! define_aes_impl {
                 let inner = $name::new(key);
                 Self { inner }
             }
+
+            fn weak_key_test(key: &Key<Self>) -> Result<(), WeakKeyError> {
+                weak_key_test!(key, Self)
+            }
         }
 
         impl BlockSizeUser for $name_enc {
@@ -197,6 +206,10 @@ macro_rules! define_aes_impl {
                 let inner = $name::new(key);
                 Self { inner }
             }
+
+            fn weak_key_test(key: &Key<Self>) -> Result<(), WeakKeyError> {
+                weak_key_test!(key, Self)
+            }
         }
 
         impl From<$name_enc> for $name_dec {

aes/src/soft.rs

@@ -0,0 +1,24 @@
+use aes::Aes128;
+use cipher::{Key, KeyInit};
+use hex_literal::hex;
+
+#[test]
+fn test_weak_key() {
+    for k in &[
+        hex!("00000000000000000000000000000000"),
+        hex!("00000000000000000101010101010101"),
+        hex!("00000000000000000100000000000000"),
+    ] {
+        let k = Key::<Aes128>::from(*k);
+        assert!(Aes128::weak_key_test(&k).is_err());
+    }
+
+    for k in &[
+        hex!("00000000010000000000000000000000"),
+        hex!("00000000010000000101010101010101"),
+        hex!("00000000010000000100000000000000"),
+    ] {
+        let k = Key::<Aes128>::from(*k);
+        assert!(Aes128::weak_key_test(&k).is_ok());
+    }
+}

aes/tests/weak.rs

@@ -14,9 +14,11 @@ categories = ["cryptography", "no-std"]
 
 [dependencies]
 cipher = "=0.5.0-pre.7"
+subtle = { version = "2.6", default-features = false }
 
 [dev-dependencies]
 cipher = { version = "=0.5.0-pre.7", features = ["dev"] }
+hex-literal = "0.4"
 
 [features]
 zeroize = ["cipher/zeroize"]