Add Support for CBC, CTR Cipher modes with AES 128 & 256 bit keys. #150
* Add Cipher CLI to Examples * Make Clippy Happy
Co-authored-by: Samuel Chiang <sachiang@amazon.com>
initialization in initialization vector seems to be misspelled throughout the PR, so we might want to adjust that.
#155 has some API improvements which will allow reuse of the Encrypt/Decrypt keys so that they aren't consumed by value after calling encrypt/decrypt. Will allow us a path for future optimizations if/when we decide to migrate to the EVP_CIPHER based APIs.
I got through everything outside of `cipher.rs` and `cipher/key.rs`. I'll need to do the rest tomorrow.
aws-lc-rs/tests/cipher_test.rs
Outdated
let key = from_hex($key).unwrap(); | ||
let input = from_hex($plaintext).unwrap(); | ||
let expected_ciphertext = from_hex($ciphertext).unwrap(); | ||
|
||
let iv = from_hex($iv).unwrap(); | ||
let fixed_iv = FixedLength::try_from(iv.as_slice()).unwrap(); | ||
let context = CipherContext::Iv128(fixed_iv); | ||
|
||
let unbound_key = UnboundCipherKey::new($alg, &key).unwrap(); | ||
|
||
let encrypting_key = | ||
PaddedBlockEncryptingKey::[<less_safe_ $constructor>](unbound_key, context).unwrap(); | ||
assert_eq!($mode, encrypting_key.mode()); | ||
assert_eq!($padding, encrypting_key.padding()); | ||
assert_eq!($alg, encrypting_key.algorithm()); | ||
let mut in_out = input.clone(); | ||
let context = encrypting_key.encrypt(&mut in_out).unwrap(); | ||
assert_eq!(expected_ciphertext.as_slice(), in_out.as_slice()); | ||
|
||
let unbound_key2 = UnboundCipherKey::new($alg, &key).unwrap(); | ||
let decrypting_key = | ||
PaddedBlockDecryptingKey::$constructor(unbound_key2, context).unwrap(); | ||
assert_eq!($mode, decrypting_key.mode()); | ||
assert_eq!($padding, decrypting_key.padding()); | ||
assert_eq!($alg, decrypting_key.algorithm()); | ||
let plaintext = decrypting_key.decrypt(&mut in_out).unwrap(); | ||
assert_eq!(input.as_slice(), plaintext); |
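Review bot: the macro body only exercises the success path. After `decrypting_key.decrypt(&mut in_out).unwrap()` there is no case in which decryption is expected to fail, so the PKCS#7 unpadding rejection in `PaddedBlockDecryptingKey` is never tested by this macro; consider adding a case that truncates `in_out` to a length that is not a multiple of the block size and asserts that `decrypt` returns `Err`. Separately, `let context = encrypting_key.encrypt(&mut in_out).unwrap();` shadows the earlier `context` built from `fixed_iv`; a distinct name for the returned value would make it clearer which context reaches the decrypting key.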
nit: it might be worth extracting some of this out into an actual function rather than a macro. It's especially annoying to work with `paste!` and other tooling like rustfmt or rust-analyzer.
Co-authored-by: Cameron Bytheway <bytheway.cameron@gmail.com>
* CBC/CTR API Improvements * Cleanup unnecessary paste usage
CI looks unhappy. But otherwise, OK from me.
CI is happy now.
Description of changes:
This pull request adds support for CBC and CTR cipher mode encryption for 128-bit and 256-bit AES keys.
- `aws_lc_rs::cipher` module which supports unauthenticated ciphers for encryption/decryption.
- `PaddedBlockEncryptingKey`, `PaddedBlockDecryptingKey` provide encryption/decryption of plaintext/ciphertext for block cipher modes using padding.
  - `PaddedBlockEncryptingKey::cbc_pkcs7(...)` and `PaddedBlockDecryptingKey::cbc_pkcs7(...)` are the constructor methods provided for using CBC mode with PKCS#7 padding.
  - `PaddedBlockEncryptingKey::less_safe_cbc_pkcs7`.
- `EncryptingKey`, `DecryptingKey` provide encryption/decryption of plaintext/ciphertext for unpadded block cipher modes.
  - `PaddedBlockEncryptingKey::ctr(...)` and `PaddedBlockDecryptingKey::ctr(...)` are the constructor methods provided for using CTR mode (unpadded).
  - `EncryptingKey::less_safe_ctr`.

API Usage Examples
AES-128 CBC
AES-128 CTR
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
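
What the PKCS#7 padding named in the `cbc_pkcs7` constructors does to a message before CBC encryption, and what the decrypting side has to validate when stripping it. This is an added std-only Rust example, not code from this pull request or from aws-lc-rs; `BLOCK`, `pkcs7_pad` and `pkcs7_unpad` are hypothetical names and the sample inputs are constructed.

```rust
/// AES block size in bytes (identical for 128-bit and 256-bit keys).
const BLOCK: usize = 16;

/// Append PKCS#7 padding: n bytes, each of value n, with 1 <= n <= BLOCK.
/// A block-aligned input still gains one full block of padding.
fn pkcs7_pad(data: &mut Vec<u8>) {
    let n = BLOCK - data.len() % BLOCK;
    data.resize(data.len() + n, n as u8);
}

/// Validate and strip PKCS#7 padding, returning the plaintext slice.
fn pkcs7_unpad(data: &[u8]) -> Result<&[u8], &'static str> {
    if data.is_empty() || data.len() % BLOCK != 0 {
        return Err("length is not a positive multiple of the block size");
    }
    let n = data[data.len() - 1] as usize;
    if n == 0 || n > BLOCK {
        return Err("pad length out of range");
    }
    let (body, pad) = data.split_at(data.len() - n);
    if pad.iter().any(|&b| b as usize != n) {
        return Err("inconsistent pad bytes");
    }
    Ok(body)
}

fn main() {
    // Constructed sample inputs: 5 bytes, exactly one block, and empty.
    let samples: [&[u8]; 3] = [b"hello", &[0x41u8; 16], b""];
    for msg in samples {
        let mut buf = msg.to_vec();
        pkcs7_pad(&mut buf);
        println!("{:>2} -> {:>2} bytes, pad byte {:#04x}", msg.len(), buf.len(), buf[buf.len() - 1]);
        assert_eq!(pkcs7_unpad(&buf).unwrap(), msg);
    }
    // A corrupted pad byte is rejected instead of being silently stripped.
    let mut bad = b"hello".to_vec();
    pkcs7_pad(&mut bad);
    bad[10] ^= 0x01;
    println!("corrupted: {:?}", pkcs7_unpad(&bad));
}
```

Because the ciphers in this module are unauthenticated, a padding failure that is visible to a remote party can act as a padding oracle; authenticate the ciphertext before decrypting it.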