Merge pull request #384 from inikolcev/separate-aes-ctr

Separate CTR code and replace it in AES-CCM and AES-GCM

Author: tomato42

tests/tlstest.py

@@ -921,10 +921,13 @@ def connect():
                 continue
             if cipher in ("aes128gcm", "aes256gcm") and \
                     implementation not in ("pycrypto",
-                                           "python"):
+                                           "python", "openssl"):
                 continue
-            if cipher in ("chacha20-poly1305_draft00", "chacha20-poly1305",
-                    "aes128ccm", "aes128ccm_8", "aes256ccm", "aes256ccm_8") \
+            if cipher in ("aes128ccm", "aes128ccm_8",
+                          "aes256ccm", "aes256ccm_8") and \
+                    implementation not in ("python", "openssl"):
+                continue
+            if cipher in ("chacha20-poly1305_draft00", "chacha20-poly1305") \
                     and implementation not in ("python", ):
                 continue
 
@@ -2211,11 +2214,13 @@ def server_bind(self):
                 continue
             if cipher in ("aes128gcm", "aes256gcm") and \
                     implementation not in ("pycrypto",
-                                           "python"):
+                                           "python", "openssl"):
+                continue
+            if cipher in ("aes128ccm", "aes128ccm_8",
+                          "aes256ccm", "aes256ccm_8") and \
+                    implementation not in ("python", "openssl"):
                 continue
-            if cipher in ("chacha20-poly1305_draft00", "chacha20-poly1305",
-                         "aes128ccm", "aes128ccm_8",
-                         "aes256ccm", "aes256ccm_8") \
+            if cipher in ("chacha20-poly1305_draft00", "chacha20-poly1305") \
                     and implementation not in ("python", ):
                 continue
 

tlslite/utils/aes.py

@@ -7,10 +7,14 @@ class AES(object):
     def __init__(self, key, mode, IV, implementation):
         if len(key) not in (16, 24, 32):
             raise AssertionError()
-        if mode != 2:
-            raise AssertionError()
-        if len(IV) != 16:
+        if mode not in [2, 6]:
             raise AssertionError()
+        if mode == 2:
+            if len(IV) != 16:
+                raise AssertionError()
+        if mode == 6:
+            if len(IV) > 16:
+                raise AssertionError()
         self.isBlockCipher = True
         self.isAEAD = False
         self.block_size = 16

tlslite/utils/aesccm.py

@@ -4,10 +4,8 @@
 #
 
 from __future__ import division
-from tlslite.utils.cryptomath import numberToByteArray, divceil
-from tlslite.utils.python_aes import Python_AES
-import sys
-import array
+from tlslite.utils.cryptomath import numberToByteArray
+from tlslite.utils import python_aes
 
 
 class AESCCM(object):
@@ -18,6 +16,9 @@ def __init__(self, key, implementation, rawAesEncrypt, tag_length=16):
         self.isAEAD = True
         self.key = key
         self.tagLength = tag_length
+        self.nonceLength = 12
+        self.implementation = implementation
+
         if len(self.key) == 16 and self.tagLength == 8:
             self.name = "aes128ccm_8"
         elif len(self.key) == 16 and self.tagLength == 16:
@@ -27,10 +28,10 @@ def __init__(self, key, implementation, rawAesEncrypt, tag_length=16):
         else:
             assert len(self.key) == 32 and self.tagLength == 16
             self.name = "aes256ccm"
-        self._rawAesEncrypt = rawAesEncrypt
-        self.implementation = implementation
-        self.nonceLength = 12
-        self._cbc = Python_AES(self.key, 2, bytearray(b'\x00' * 16))
+
+        self._ctr = python_aes.new(self.key, 6, bytearray(b'\x00' * 16))
+        self._cbc = python_aes.new(self.key, 2, bytearray(b'\x00' * 16))
+
 
     def _cbcmac_calc(self, nonce, aad, msg):
         L = 15 - len(nonce)
@@ -89,25 +90,19 @@ def seal(self, nonce, msg, aad):
             raise ValueError("Bad nonce length")
 
         L = 15 - len(nonce)
-        auth_value = bytearray(self.tagLength)
 
         # We construct the key stream blocks.
         # S_0 is not used for encrypting the message, it is only used
         # to compute the authentication value.
         # S_1..S_n are used to encrypt the message.
 
         flags = L - 1
-        s_0 = self._rawAesEncrypt(bytearray([flags]) +
-              nonce + numberToByteArray(0, L))
-
-        s_n = self._construct_s_n(msg, flags, nonce, L)
-
-        enc_msg = self._xor(msg, s_n)
+        s_0 = bytearray([flags]) + nonce + numberToByteArray(0, L)
 
         mac = self._cbcmac_calc(nonce, aad, msg)
-
-        for i in range(self.tagLength):
-            auth_value[i] = mac[i] ^ s_0[i]
+        self._ctr.counter = s_0
+        auth_value = self._ctr.encrypt(mac)
+        enc_msg = self._ctr.encrypt(msg)
 
         ciphertext = enc_msg + auth_value
         return ciphertext
@@ -122,61 +117,29 @@ def open(self, nonce, ciphertext, aad):
             return None
 
         L = 15 - len(nonce)
-        received_mac = bytearray(self.tagLength)
         flags = L - 1
 
         # Same construction as in seal function
 
-        s_0 = self._rawAesEncrypt(bytearray([flags]) +
-              nonce + numberToByteArray(0, L))
+        s_0 = bytearray([flags]) + nonce + numberToByteArray(0, L)
 
-        s_n = self._construct_s_n(ciphertext, flags, nonce, L)
+        auth_value = ciphertext[-self.tagLength:]
 
-        msg = self._xor(ciphertext, s_n)
+        # We decrypt the auth value
+        self._ctr.counter = s_0
+        received_mac = self._ctr.decrypt(auth_value)
+        msg = self._ctr.decrypt(ciphertext)
         msg = msg[:-self.tagLength]
-
-        auth_value = ciphertext[-self.tagLength:]
         computed_mac = self._cbcmac_calc(nonce, aad, msg)
 
-        # We decrypt the auth value
-        for i in range(self.tagLength):
-            received_mac[i] = auth_value[i] ^ s_0[i]
 
         # Compare the mac vlaue is the same as the one we computed
         if received_mac != computed_mac:
             return None
         return msg
 
-    def _construct_s_n(self, ciphertext, flags, nonce, L):
-        s_n = bytearray()
-        counter_lmt = divceil(len(ciphertext), 16)
-        for i in range(1, int(counter_lmt) + 1):
-            s_n += self._rawAesEncrypt(bytearray([flags]) +
-                   nonce + numberToByteArray(i, L))
-        return s_n
-
-    if sys.version_info[0] >= 3:
-        def _xor(self, inp, s_n):
-            inp_added = -((8 - (len(inp) % 8)) % 8) or None
-            self._pad_with_zeroes(inp, 8)
-            msg = self._use_memoryview(inp, s_n)[:inp_added]
-            inp[:] = inp[:inp_added]
-            return msg
-    else:
-        def _xor(self, inp, s_n):
-            msg = bytearray(i ^ j for i, j in zip(inp, s_n))
-            return msg
-
     @staticmethod
     def _pad_with_zeroes(data, size):
         if len(data) % size != 0:
             zeroes_to_add = size - (len(data) % size)
             data += b'\x00' * zeroes_to_add
-
-    @staticmethod
-    def _use_memoryview(msg, s_n):
-        msg_mv = memoryview(msg).cast('Q')
-        s_n_mv = memoryview(s_n).cast('Q')
-        enc_arr = array.array('Q', (i ^ j for i, j in zip(msg_mv, s_n_mv)))
-        enc_msg = bytearray(enc_arr.tobytes())
-        return enc_msg

tlslite/utils/aesgcm.py

@@ -14,6 +14,7 @@
 # look-up table.
 
 from __future__ import division
+from tlslite.utils import python_aes
 from .constanttime import ct_compare_digest
 from .cryptomath import bytesToNumber, numberToByteArray
 
@@ -35,8 +36,10 @@ def __init__(self, key, implementation, rawAesEncrypt):
             self.name = "aes256gcm"
         else:
             raise AssertionError()
+        self.key = key
 
         self._rawAesEncrypt = rawAesEncrypt
+        self._ctr = python_aes.new(self.key, 6, bytearray(b'\x00' * 16))
 
         # The GCM key is AES(0).
         h = bytesToNumber(self._rawAesEncrypt(bytearray(16)))
@@ -53,18 +56,6 @@ def __init__(self, key, implementation, rawAesEncrypt):
             self._productTable[self._reverseBits(i+1)] = \
                 self._gcmAdd(self._productTable[self._reverseBits(i)], h)
 
-    def _rawAesCtrEncrypt(self, counter, inp):
-        """
-        Encrypts (or decrypts) plaintext with AES-CTR. counter is modified.
-        """
-        out = bytearray(len(inp))
-        rawAesEncrypt = self._rawAesEncrypt
-        for i in range(0, len(out), 16):
-            mask = rawAesEncrypt(counter)
-            for j in range(i, min(len(out), i + 16)):
-                out[j] = inp[j] ^ mask[j-i]
-            self._inc32(counter)
-        return out
 
     def _auth(self, ciphertext, ad, tagMask):
         y = 0
@@ -125,7 +116,8 @@ def seal(self, nonce, plaintext, data):
 
         # The counter starts at 2 for the actual encryption.
         counter[-1] = 2
-        ciphertext = self._rawAesCtrEncrypt(counter, plaintext)
+        self._ctr.counter = counter
+        ciphertext = self._ctr.encrypt(plaintext)
 
         tag = self._auth(ciphertext, data, tagMask)
 
@@ -158,7 +150,8 @@ def open(self, nonce, ciphertext, data):
 
         # The counter starts at 2 for the actual decryption.
         counter[-1] = 2
-        return self._rawAesCtrEncrypt(counter, ciphertext)
+        self._ctr.counter = counter
+        return self._ctr.decrypt(ciphertext)
 
     @staticmethod
     def _reverseBits(i):

tlslite/utils/cipherfactory.py

@@ -11,6 +11,8 @@
 from tlslite.utils import python_chacha20_poly1305
 from tlslite.utils import python_rc4
 from tlslite.utils import python_tripledes
+from tlslite.utils import openssl_aesccm
+from tlslite.utils import openssl_aesgcm
 
 from tlslite.utils import cryptomath
 
@@ -53,7 +55,27 @@ def createAES(key, IV, implList=None):
         elif impl == "pycrypto" and cryptomath.pycryptoLoaded:
             return pycrypto_aes.new(key, 2, IV)
         elif impl == "python":
-            return python_aes.new(key, 2, IV)
+                return python_aes.new(key, 2, IV)
+    raise NotImplementedError()
+
+def createAESCTR(key, IV, implList=None):
+    """Create a new AESCTR object.
+
+    :type key: str
+    :param key: A 16, 24, or 32 byte string.
+
+    :type IV: str
+    :param IV: A 8 or 12 byte string
+
+    :rtype: tlslite.utils.AES
+    :returns: An AES object.
+    """
+    if implList is None:
+        implList = ["python"]
+
+    for impl in implList:
+        if impl == "python":
+            return python_aes.new(key, 6, IV)
     raise NotImplementedError()
 
 def createAESGCM(key, implList=None):
@@ -66,9 +88,11 @@ def createAESGCM(key, implList=None):
     :returns: An AESGCM object.
     """
     if implList is None:
-        implList = ["pycrypto", "python"]
+        implList = ["openssl", "pycrypto", "python"]
 
     for impl in implList:
+        if impl == "openssl" and cryptomath.m2cryptoLoaded:
+            return openssl_aesgcm.new(key)
         if impl == "pycrypto" and cryptomath.pycryptoLoaded:
             return pycrypto_aesgcm.new(key)
         if impl == "python":
@@ -86,9 +110,11 @@ def createAESCCM(key, implList=None):
     """
 
     if implList is None:
-        implList = ["python"]
+        implList = ["openssl", "python"]
 
     for impl in implList:
+        if impl == "openssl" and cryptomath.m2cryptoLoaded:
+            return openssl_aesccm.new(key)
         if impl == "python":
             return python_aesccm.new(key)
 
@@ -105,9 +131,11 @@ def createAESCCM_8(key, implList=None):
     """
 
     if implList is None:
-        implList = ["python"]
+        implList = ["openssl", "python"]
 
     for impl in implList:
+        if impl == "openssl" and cryptomath.m2cryptoLoaded:
+            return openssl_aesccm.new(key, 8)
         if impl == "python":
             return python_aesccm.new(key, 8)
 

tlslite/utils/openssl_aes.py

@@ -11,7 +11,13 @@
     def new(key, mode, IV):
         # IV argument name is a part of the interface
         # pylint: disable=invalid-name
-        return OpenSSL_AES(key, mode, IV)
+        if mode == 2:
+            return OpenSSL_AES(key, mode, IV)
+        elif mode == 6:
+            return OpenSSL_CTR(key, mode, IV)
+        else:
+            raise NotImplementedError()
+
 
     class OpenSSL_AES(AES):
 
@@ -58,3 +64,53 @@ def decrypt(self, ciphertext):
         def __del__(self):
             if self._context is not None:
                 m2.cipher_ctx_free(self._context)
+
+
+    class OpenSSL_CTR(AES):
+
+        def __init__(self, key, mode, IV):
+            # IV argument/field names are a part of the interface
+            # pylint: disable=invalid-name
+            AES.__init__(self, key, mode, IV, "openssl")
+            self._IV = IV
+            self.key = key
+            self._context = None
+            self._encrypt = None
+            if len(key) not in (16, 24, 32):
+                raise AssertionError()
+
+        @property
+        def counter(self):
+            return self._IV
+
+        @counter.setter
+        def counter(self, ctr):
+            if self._context is not None:
+                m2.cipher_ctx_free(self._context)
+            self._IV = ctr
+            self._init_context()
+
+        def _init_context(self, encrypt=True):
+            if len(self.key) == 16:
+                cipherType = m2.aes_128_ctr()
+            if len(self.key) == 24:
+                cipherType = m2.aes_192_ctr()
+            if len(self.key) == 32:
+                cipherType = m2.aes_256_ctr()
+            self._context = m2.cipher_ctx_new()
+            m2.cipher_init(self._context, cipherType, self.key, self._IV,
+                           int(encrypt))
+            m2.cipher_set_padding(self._context, 0)
+            self._encrypt = encrypt
+
+        def encrypt(self, plaintext):
+            ciphertext = m2.cipher_update(self._context, plaintext)
+            return bytearray(ciphertext)
+
+        def decrypt(self, ciphertext):
+            plaintext = m2.cipher_update(self._context, ciphertext)
+            return bytearray(plaintext)
+
+        def __del__(self):
+            if self._context is not None:
+                m2.cipher_ctx_free(self._context)