Merge pull request #578 from h2o/kazuho/aes64

implement 64-bit block cipher based on AES

Author: kazuho

.gitignore

@@ -31,3 +31,7 @@ deps/picotest
 /picotlsvs/testopenssl/testopenssl.vcxproj.user
 /fuzz/fuzzer-asn1-type-and-length.c
 /fuzz/fuzzer-asn1-validation.c
+/deps/micro-ecc/test/ecc_test
+/src/esni.c
+/t/assets
+/.travis.yml

CMakeLists.txt

@@ -58,7 +58,8 @@ SET(CORE_FILES
     lib/pembase64.c)
 SET(CORE_TEST_FILES
     t/hpke.c
-    t/picotls.c)
+    t/picotls.c
+    t/quiclb.c)
 IF (WITH_DTRACE)
     SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DPICOTLS_USE_DTRACE=1")
     DEFINE_DTRACE_DEPENDENCIES(${PROJECT_SOURCE_DIR}/picotls-probes.d picotls)
@@ -184,7 +185,8 @@ IF (WITH_FUSION)
     ADD_EXECUTABLE(test-fusion.t
         deps/picotest/picotest.c
         lib/picotls.c
-        t/fusion.c)
+        t/fusion.c
+        t/quiclb.c)
     TARGET_LINK_LIBRARIES(test-fusion.t picotls-minicrypto)
     SET_TARGET_PROPERTIES(test-fusion.t PROPERTIES COMPILE_FLAGS "-mavx2 -maes -mpclmul -mvaes -mvpclmulqdq")
     IF (WITH_DTRACE)

include/picotls.h

@@ -117,6 +117,10 @@ extern "C" {
 #define PTLS_BLOWFISH_KEY_SIZE 16
 #define PTLS_BLOWFISH_BLOCK_SIZE 8
 
+#define PTLS_QUICLB_KEY_SIZE 16 /* same as the underlying aes128ecb */
+#define PTLS_QUICLB_MIN_BLOCK_SIZE 7
+#define PTLS_QUICLB_MAX_BLOCK_SIZE 19 /* inclusive */
+
 #define PTLS_SHA256_BLOCK_SIZE 64
 #define PTLS_SHA256_DIGEST_SIZE 32
 

include/picotls/fusion.h

@@ -103,6 +103,8 @@ extern ptls_cipher_algorithm_t ptls_fusion_aes128ctr, ptls_fusion_aes256ctr;
 extern ptls_aead_algorithm_t ptls_fusion_aes128gcm, ptls_fusion_aes256gcm;
 extern ptls_aead_algorithm_t ptls_non_temporal_aes128gcm, ptls_non_temporal_aes256gcm;
 
+extern ptls_cipher_algorithm_t ptls_fusion_quiclb;
+
 /**
  * Returns a boolean indicating if fusion can be used.
  */

include/picotls/openssl.h

@@ -149,6 +149,8 @@ extern ptls_cipher_suite_t ptls_openssl_tls12_ecdhe_ecdsa_chacha20poly1305sha256
 extern ptls_cipher_algorithm_t ptls_openssl_bfecb;
 #endif
 
+extern ptls_cipher_algorithm_t ptls_openssl_quiclb;
+
 extern ptls_hpke_kem_t ptls_openssl_hpke_kem_p256sha256;
 extern ptls_hpke_kem_t ptls_openssl_hpke_kem_p384sha384;
 #if PTLS_OPENSSL_HAVE_X25519

lib/fusion.c

@@ -47,6 +47,7 @@
 #include <wmmintrin.h>
 #include "picotls.h"
 #include "picotls/fusion.h"
+#include "./quiclb-impl.h"
 
 #if defined(__clang__)
 #if __has_feature(address_sanitizer)
@@ -2178,6 +2179,57 @@ ptls_aead_algorithm_t ptls_non_temporal_aes256gcm = {"AES256-GCM",
                                                      sizeof(struct aesgcm_context),
                                                      non_temporal_aes256gcm_setup};
 
+struct fusion_quiclb_context {
+    ptls_cipher_context_t super;
+    ptls_fusion_aesecb_context_t aesecb;
+};
+
+static void fusion_quiclb_dispose(ptls_cipher_context_t *_ctx)
+{
+    struct fusion_quiclb_context *ctx = (struct fusion_quiclb_context *)_ctx;
+    ptls_fusion_aesecb_dispose(&ctx->aesecb);
+}
+
+static inline void fusion_quiclb_aes(void *aesecb, union picotls_quiclb_block *block)
+{
+    block->m128 = aesecb_encrypt(aesecb, block->m128);
+}
+
+static void fusion_quiclb_encrypt(ptls_cipher_context_t *_ctx, void *output, const void *input, size_t len)
+{
+    struct fusion_quiclb_context *ctx = (struct fusion_quiclb_context *)_ctx;
+    picotls_quiclb_transform(fusion_quiclb_aes, &ctx->aesecb, output, input, len, 1);
+}
+
+static void fusion_quiclb_decrypt(ptls_cipher_context_t *_ctx, void *output, const void *input, size_t len)
+{
+    struct fusion_quiclb_context *ctx = (struct fusion_quiclb_context *)_ctx;
+    picotls_quiclb_transform(fusion_quiclb_aes, &ctx->aesecb, output, input, len, 0);
+}
+
+static int fusion_quiclb_setup_crypto(ptls_cipher_context_t *_ctx, int is_enc, const void *key)
+{
+    struct fusion_quiclb_context *ctx = (struct fusion_quiclb_context *)_ctx;
+
+    *ctx = (struct fusion_quiclb_context){
+        .super.do_dispose = fusion_quiclb_dispose,
+        .super.do_init = picotls_quiclb_do_init,
+        .super.do_transform = is_enc ? fusion_quiclb_encrypt : fusion_quiclb_decrypt,
+    };
+    ptls_fusion_aesecb_init(&ctx->aesecb, 1, key, PTLS_AES128_KEY_SIZE, 0);
+
+    return 0;
+}
+
+ptls_cipher_algorithm_t ptls_fusion_quiclb = {
+    .name = "QUICLB",
+    .key_size = PTLS_QUICLB_KEY_SIZE,
+    .block_size = 8,
+    .iv_size = 0,
+    .context_size = sizeof(struct fusion_quiclb_context),
+    .setup_crypto = fusion_quiclb_setup_crypto,
+};
+
 #ifdef _WINDOWS
 /**
  * ptls_fusion_is_supported_by_cpu:

lib/openssl.c

@@ -58,6 +58,7 @@
 #ifdef PTLS_HAVE_AEGIS
 #include "./libaegis.h"
 #endif
+#include "./quiclb-impl.h"
 
 #ifdef _WINDOWS
 #ifndef _CRT_SECURE_NO_WARNINGS
@@ -1436,6 +1437,43 @@ static int bfecb_setup_crypto(ptls_cipher_context_t *ctx, int is_enc, const void
 
 #endif
 
+struct quiclb_context_t {
+    ptls_cipher_context_t super;
+    ptls_cipher_context_t *aesecb;
+};
+
+static void quiclb_dispose(ptls_cipher_context_t *_ctx)
+{
+    struct quiclb_context_t *ctx = (struct quiclb_context_t *)_ctx;
+    ptls_cipher_free(ctx->aesecb);
+}
+
+static void quiclb_encrypt(ptls_cipher_context_t *_ctx, void *output, const void *input, size_t len)
+{
+    struct quiclb_context_t *ctx = (struct quiclb_context_t *)_ctx;
+    picotls_quiclb_transform(picotls_quiclb_cipher_aes, ctx->aesecb, output, input, len, 1);
+}
+
+static void quiclb_decrypt(ptls_cipher_context_t *_ctx, void *output, const void *input, size_t len)
+{
+    struct quiclb_context_t *ctx = (struct quiclb_context_t *)_ctx;
+    picotls_quiclb_transform(picotls_quiclb_cipher_aes, ctx->aesecb, output, input, len, 0);
+}
+
+static int quiclb_setup_crypto(ptls_cipher_context_t *_ctx, int is_enc, const void *key)
+{
+    struct quiclb_context_t *ctx = (struct quiclb_context_t *)_ctx;
+
+    *ctx = (struct quiclb_context_t){
+        .super.do_dispose = quiclb_dispose,
+        .super.do_init = picotls_quiclb_do_init,
+        .super.do_transform = is_enc ? quiclb_encrypt : quiclb_decrypt,
+    };
+    if ((ctx->aesecb = ptls_cipher_new(&ptls_openssl_aes128ecb, 1, key)) == NULL)
+        return PTLS_ERROR_LIBRARY;
+    return 0;
+}
+
 struct aead_crypto_context_t {
     ptls_aead_context_t super;
     EVP_CIPHER_CTX *evp_ctx;
@@ -2610,6 +2648,15 @@ ptls_cipher_algorithm_t ptls_openssl_bfecb = {"BF-ECB",        PTLS_BLOWFISH_KEY
                                               0 /* iv size */, sizeof(struct cipher_context_t), bfecb_setup_crypto};
 #endif
 
+ptls_cipher_algorithm_t ptls_openssl_quiclb = {
+    .name = "QUICLB",
+    .key_size = PTLS_QUICLB_KEY_SIZE,
+    .block_size = 8,
+    .iv_size = 0,
+    .context_size = sizeof(struct quiclb_context_t),
+    .setup_crypto = quiclb_setup_crypto,
+};
+
 ptls_hpke_kem_t ptls_openssl_hpke_kem_p256sha256 = {PTLS_HPKE_KEM_P256_SHA256, &ptls_openssl_secp256r1, &ptls_openssl_sha256};
 ptls_hpke_kem_t ptls_openssl_hpke_kem_p384sha384 = {PTLS_HPKE_KEM_P384_SHA384, &ptls_openssl_secp384r1, &ptls_openssl_sha384};
 #if PTLS_OPENSSL_HAVE_X25519

lib/quiclb-impl.h

@@ -0,0 +1,164 @@
+/*
+ * Copyright (c) 2025 Fastly, Kazuho Oku
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to
+ * deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+ * sell copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ * IN THE SOFTWARE.
+ */
+#ifndef picotls_quiclb_h
+#define picotls_quiclb_h
+
+#if defined(__x86_64__) || defined(_M_X64)
+#include <emmintrin.h>
+#define PICOTLS_QUICLB_HAVE_SSE2 1
+#endif
+
+union picotls_quiclb_block {
+    uint8_t bytes[PTLS_AES_BLOCK_SIZE];
+    uint64_t u64[PTLS_AES_BLOCK_SIZE / sizeof(uint64_t)];
+#if PICOTLS_QUICLB_HAVE_SSE2
+    __m128i m128;
+#endif
+};
+
+/**
+ * encrypts one block of AES, assuming the context is `ptls_cipher_context_t` backed by ptls_foo_aes128ecb
+ */
+static inline void picotls_quiclb_cipher_aes(void *aesecb, union picotls_quiclb_block *block)
+{
+    ptls_cipher_encrypt(aesecb, block->bytes, block->bytes, PTLS_AES_BLOCK_SIZE);
+}
+
+/**
+ * calculates X ^ AES(mask_and_expand(Y))
+ */
+static inline void picotls_quiclb_one_round(void (*aesecb_func)(void *aesecb, union picotls_quiclb_block *), void *aesecb_ctx,
+                                            union picotls_quiclb_block *dest, const union picotls_quiclb_block *x,
+                                            const union picotls_quiclb_block *y, const union picotls_quiclb_block *mask,
+                                            const union picotls_quiclb_block *len_pass)
+{
+#if PICOTLS_QUICLB_HAVE_SSE2
+    dest->m128 = _mm_or_si128(_mm_and_si128(y->m128, mask->m128), len_pass->m128);
+#else
+    for (size_t i = 0; i < PTLS_ELEMENTSOF(dest->u64); ++i)
+        dest->u64[i] = (y->u64[i] & mask->u64[i]) | len_pass->u64[i];
+#endif
+
+    aesecb_func(aesecb_ctx, dest);
+
+#if PICOTLS_QUICLB_HAVE_SSE2
+    dest->m128 = _mm_xor_si128(dest->m128, x->m128);
+#else
+    for (size_t i = 0; i < PTLS_ELEMENTSOF(dest->u64); ++i)
+        dest->u64[i] ^= x->u64[i];
+#endif
+}
+
+static inline void picotls_quiclb_split_input(union picotls_quiclb_block *l, union picotls_quiclb_block *r, const uint8_t *input,
+                                              size_t len)
+{
+    size_t i;
+    for (i = 0; i < (len + 1) / 2; ++i)
+        l->bytes[i] = input[i];
+    for (; i < PTLS_ELEMENTSOF(l->bytes); ++i)
+        l->bytes[i] = 0;
+    for (i = 0; i < (len + 1) / 2; ++i)
+        r->bytes[i] = input[i + len / 2];
+    for (; i < PTLS_ELEMENTSOF(r->bytes); ++i)
+        r->bytes[i] = 0;
+}
+
+static inline void picotls_quiclb_merge_output(uint8_t *output, size_t len, const union picotls_quiclb_block *l,
+                                               const union picotls_quiclb_block *r)
+{
+    uint8_t *outp = output;
+
+    for (size_t i = 0; i < len / 2; ++i)
+        *outp++ = l->bytes[i];
+
+    if (len % 2 == 0) {
+        for (size_t i = 0; i < len / 2; ++i)
+            *outp++ = r->bytes[i];
+    } else {
+        *outp++ = (l->bytes[len / 2] & 0xf0) | (r->bytes[0] & 0x0f);
+        for (size_t i = 0; i < len / 2; ++i)
+            *outp++ = r->bytes[i + 1];
+    }
+}
+
+static inline void picotls_quiclb_do_init(ptls_cipher_context_t *ctx, const void *iv)
+{
+    /* no-op */
+}
+
+static inline void picotls_quiclb_transform(void (*aesecb_func)(void *aesecb, union picotls_quiclb_block *), void *aesecb_ctx,
+                                            void *output, const void *input, size_t len, int encrypt)
+{
+    static const struct quiclb_mask_t {
+        union picotls_quiclb_block l, r;
+    } masks[] = {
+        {{{0xff, 0xff, 0xff, 0xf0}}, {{0x0f, 0xff, 0xff, 0xff}}},                                                 /* 7 (MIN_LEN) */
+        {{{0xff, 0xff, 0xff, 0xff}}, {{0xff, 0xff, 0xff, 0xff}}},                                                 /* 8 */
+        {{{0xff, 0xff, 0xff, 0xff, 0xf0}}, {{0x0f, 0xff, 0xff, 0xff, 0xff}}},                                     /* 9 */
+        {{{0xff, 0xff, 0xff, 0xff, 0xff}}, {{0xff, 0xff, 0xff, 0xff, 0xff}}},                                     /* 10 */
+        {{{0xff, 0xff, 0xff, 0xff, 0xff, 0xf0}}, {{0x0f, 0xff, 0xff, 0xff, 0xff, 0xff}}},                         /* 11 */
+        {{{0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}, {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}},                         /* 12 */
+        {{{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf0}}, {{0x0f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}},             /* 13 */
+        {{{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}, {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}},             /* 14 */
+        {{{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf0}}, {{0x0f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}}, /* 15 */
+        {{{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}, {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}}, /* 16 */
+        {{{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf0}},
+         {{0x0f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}}, /* 17 */
+        {{{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
+         {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}}, /* 18 */
+        {{{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf0}},
+         {{0x0f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}}} /* 19 */
+    };
+
+    assert(PTLS_QUICLB_MIN_BLOCK_SIZE <= len && len <= PTLS_QUICLB_MAX_BLOCK_SIZE);
+    PTLS_BUILD_ASSERT(PTLS_QUICLB_MAX_BLOCK_SIZE == PTLS_QUICLB_MIN_BLOCK_SIZE + PTLS_ELEMENTSOF(masks) - 1);
+
+    const struct quiclb_mask_t *mask = &masks[len - PTLS_QUICLB_MIN_BLOCK_SIZE];
+    union picotls_quiclb_block l0, r0, r1, l1, r2, l2, len_pass = {{0}};
+    len_pass.bytes[14] = (uint8_t)len;
+
+#define ROUND(rnd, dest, x, y, mask_side)                                                                                          \
+    do {                                                                                                                           \
+        len_pass.bytes[15] = (rnd);                                                                                                \
+        picotls_quiclb_one_round(aesecb_func, aesecb_ctx, &dest, &x, &y, &mask->mask_side, &len_pass);                             \
+    } while (0)
+
+    if (encrypt) {
+        picotls_quiclb_split_input(&l0, &r0, input, len);
+        ROUND(1, r1, r0, l0, l);
+        ROUND(2, l1, l0, r1, r);
+        ROUND(3, r2, r1, l1, l);
+        ROUND(4, l2, l1, r2, r);
+        picotls_quiclb_merge_output(output, len, &l2, &r2);
+    } else {
+        picotls_quiclb_split_input(&l2, &r2, input, len);
+        ROUND(4, l1, l2, r2, r);
+        ROUND(3, r1, r2, l1, l);
+        ROUND(2, l0, l1, r1, r);
+        ROUND(1, r0, r1, l0, l);
+        picotls_quiclb_merge_output(output, len, &l0, &r0);
+    }
+
+#undef ROUND
+}
+
+#endif

picotlsvs/fusiontest/fusiontest.vcxproj

@@ -21,6 +21,7 @@
   <ItemGroup>
     <ClCompile Include="..\..\deps\picotest\picotest.c" />
     <ClCompile Include="..\..\t\fusion.c" />
+    <ClCompile Include="..\..\t\quiclb.c" />
   </ItemGroup>
   <PropertyGroup Label="Globals">
     <VCProjectVersion>16.0</VCProjectVersion>

picotlsvs/fusiontest/fusiontest.vcxproj.filters

@@ -21,5 +21,8 @@
     <ClCompile Include="..\..\deps\picotest\picotest.c">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="..\..\t\quiclb.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
   </ItemGroup>
 </Project>