~sircmpwn/hare-dev


[PATCH hare] crypto::cipher::gcm: tag as slice

Message ID: <20220814064722.5017-1-apreiml@strohwolke.at>
Patch: +15 -12
Signed-off-by: Armin Preiml <apreiml@strohwolke.at>
---
Tags usually are appended to messages. Requiring an array as argument
requires some annoying extra steps.

 crypto/aes/+test/gcm.ha |  6 ++++--
 crypto/cipher/gcm.ha    | 21 +++++++++++----------
 2 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/crypto/aes/+test/gcm.ha b/crypto/aes/+test/gcm.ha
index 86d7c233..9e2d1bdc 100644
--- a/crypto/aes/+test/gcm.ha
+++ b/crypto/aes/+test/gcm.ha
@@ -612,7 +612,8 @@ const gcmtestcases: []gcmtestcase = [
		defer io::close(&gstream)!;

		io::writeall(&gstream, t.plain)!;
		const tag = cipher::gcm_seal(&gstream);
		let tag: [cipher::GCMTAGSIZE]u8 = [0...];
		cipher::gcm_seal(&gstream, tag);

		assert(bytes::equal(t.cipher, result));
		assert(bytes::equal(t.tag, tag));
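Review bot: the updated test still allocates a dedicated `[cipher::GCMTAGSIZE]u8` array and relies on array-to-slice conversion, so it never exercises the case the cover letter gives as the motivation for the change (a tag that sits at the end of a larger message buffer). Consider adding one case that seals into a sub-slice such as `buf[len(buf)-cipher::GCMTAGSIZE..]` and verifies from the same sub-slice; otherwise the slice API is only tested with the exact-size input the old array signature already guaranteed, and the `assert(len(tag) == GCMTAGSIZE)` path is never reached with anything but a trivially correct length.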
@@ -675,7 +676,8 @@ const gcmtestcases: []gcmtestcase = [

		io::writeall(&gstream, result)!;

		const tag = cipher::gcm_seal(&gstream);
		let tag: [cipher::GCMTAGSIZE]u8 = [0...];
		cipher::gcm_seal(&gstream, tag);
		assert(bytes::equal(t.cipher, result));
		assert(bytes::equal(t.tag, tag));

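Review bot: this hunk repeats the same declare-seal-compare sequence (`let tag: [cipher::GCMTAGSIZE]u8 = [0...];` / `cipher::gcm_seal(&gstream, tag);` / the two `assert(bytes::equal(...))` calls) as the hunk at `@@ -612`; a small helper taking the stream and the expected ciphertext and tag would keep the two call sites in sync the next time the sealing API changes, as it does in this patch.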
diff --git a/crypto/cipher/gcm.ha b/crypto/cipher/gcm.ha
index e50b911a..64c62236 100644
--- a/crypto/cipher/gcm.ha
+++ b/crypto/cipher/gcm.ha
@@ -9,6 +9,8 @@ use types;

def GCMBLOCKSIZE: size = 16;

export def GCMTAGSIZE: size = 16;

export type gcmstream = struct {
	stream: io::stream,
	block: *block,
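Review bot: the newly exported `GCMTAGSIZE` has no doc comment, while the other exported items in this file (`gcm_seal`, `gcm_verify`) carry one; add a one-line comment above the def, e.g. `// Size of the GCM authentication tag in bytes.`, so the constant that callers now have to size their buffers with is documented in haredoc output. Keeping the unexported `GCMBLOCKSIZE` separate from the exported tag size is fine, but the comment should say the two coincide for GCM rather than leaving readers to infer it from the value.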
@@ -190,30 +192,29 @@ fn gcm_reader(s: *io::stream, buf: []u8) (size | io::EOF | io::error) = {

// Finishes encryption and returns the authentication tag. After calling seal,
// the user must not write any more data to the stream.
export fn gcm_seal(s: *gcmstream) [16]u8 = {
export fn gcm_seal(s: *gcmstream, tag: []u8) void = {
	assert(len(tag) == GCMTAGSIZE);
	if (s.xorbufpos > 0 && s.xorbufpos < GCMBLOCKSIZE) {
		// last block was is not full, therefore the content was not
		// hashed yet.
		ghash_ctmul64(s.tagbuf, s.h, s.cipherbuf[..s.xorbufpos]);
	};

	let tmp: [16]u8 = [0...];
	beputu64(tmp, s.adlen << 3);
	beputu64(tmp[8..], s.clen << 3);
	ghash_ctmul64(s.tagbuf, s.h, tmp);
	beputu64(tag, s.adlen << 3);
	beputu64(tag[8..], s.clen << 3);
	ghash_ctmul64(s.tagbuf, s.h, tag);

	// use tmp to store the resulting tag
	encrypt(s.block, tmp, s.y0);
	xor(tmp, tmp, s.tagbuf);

	return tmp;
	encrypt(s.block, tag, s.y0);
	xor(tag, tag, s.tagbuf);
};

// Verifies the authentication tag against the decrypted data. Must be called
// after reading all data from the stream to ensure that the data was not 
// modified. If the data was modified, [[errors::invalid]] will be returned and
// the data must not be trusted.
export fn gcm_verify(s: *gcmstream, tag: [16]u8) (void | errors::invalid) = {
export fn gcm_verify(s: *gcmstream, tag: []u8) (void | errors::invalid) = {
	assert(len(tag) == GCMTAGSIZE);
	if (s.xorbufpos > 0 && s.xorbufpos < GCMBLOCKSIZE) {
		ghash_ctmul64(s.tagbuf, s.h, s.cipherbuf[..s.xorbufpos]);
	};
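Review bot: the doc comment above `gcm_seal` still says it "returns the authentication tag", but the function now returns `void` and writes the tag into the caller-supplied `tag` slice; update it to state that the tag is written into `tag`, which must be exactly `GCMTAGSIZE` bytes long (the new `assert(len(tag) == GCMTAGSIZE)` aborts the program otherwise), and add the same length precondition to the `gcm_verify` comment, since the slice signature turns what was a compile-time guarantee of the `[16]u8` type into a runtime check the caller has to know about. The reuse of `tag` as scratch for the length block (`beputu64(tag, ...)`, `ghash_ctmul64(..., tag)`, then `encrypt(s.block, tag, s.y0)` overwriting it with E(y0) before the final `xor`) is correct, but a short comment at `beputu64(tag, s.adlen << 3)` saying the caller's buffer is deliberately used as temporary storage would save the next reader from suspecting a bug.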
-- 
2.37.1

[hare/patches] build success

builds.sr.ht <builds@sr.ht>
Message ID: <CM5JURJP585N.3U0EH5AFSBMDI@cirno2>
In-Reply-To: <20220814064722.5017-1-apreiml@strohwolke.at>
hare/patches: SUCCESS in 1m30s

[crypto::cipher::gcm: tag as slice][0] from [Armin Preiml][1]

[0]: https://lists.sr.ht/~sircmpwn/hare-dev/patches/34658
[1]: apreiml@strohwolke.at

✓ #822605 SUCCESS hare/patches/freebsd.yml https://builds.sr.ht/~sircmpwn/job/822605
✓ #822604 SUCCESS hare/patches/alpine.yml  https://builds.sr.ht/~sircmpwn/job/822604

Message ID: <CMGPLAMBN4PM.1HM3EQUJ3FUJI@taiga>
In-Reply-To: <20220814064722.5017-1-apreiml@strohwolke.at>
On Sun Aug 14, 2022 at 8:47 AM CEST, Armin Preiml wrote:
> Signed-off-by: Armin Preiml <apreiml@strohwolke.at>
> ---
> Tags usually are appended to messages. Requiring an array as argument
> requires some annoying extra steps.

Can you elaborate on this? The array has the advantage of having a
statically defined length.

Message ID: <062bcb32-102f-6611-5d23-729be6baf8c7@strohwolke.at>
In-Reply-To: <CMGPLAMBN4PM.1HM3EQUJ3FUJI@taiga>
On 8/27/22 11:38, Drew DeVault wrote:
> On Sun Aug 14, 2022 at 8:47 AM CEST, Armin Preiml wrote:
>> Signed-off-by: Armin Preiml <apreiml@strohwolke.at>
>> ---
>> Tags usually are appended to messages. Requiring an array as argument
>> requires some annoying extra steps.
> 
> Can you elaborate on this? The array has the advantage of having a
> statically defined length.

When I have the cipher and the tag in a buffer, I need to copy the tag
from the buffer into a fixed size array first, before passing it to
verify. Similar thing during encrypt: I'd like to write the tag directly
into a buffer at a certain position. Currently I need to copy the tag.

So a slice API would not require those additional steps, with the
downside of having the assert.

If https://todo.sr.ht/~sircmpwn/hare/719 is considered to be done, then
this patch would be unnecessary though.

Message ID: <CMII8XG7BAQJ.3HUJWF5XZKVT6@taiga>
In-Reply-To: <062bcb32-102f-6611-5d23-729be6baf8c7@strohwolke.at>
On Sat Aug 27, 2022 at 7:51 PM CEST, Armin Preiml wrote:
> When I have the cipher and the tag in a buffer, I need to copy the tag
> from the buffer into a fixed size array first, before passing it to
> verify. Similar thing during encrypt: I'd like to write the tag directly
> into a buffer at a certain position. Currently I need to copy the tag.

I understand. Can you send a revised version of this patch, given that
you split the const change out?

Message ID: <e71da1a0-a57b-682d-cd8b-59f8e2bea380@strohwolke.at>
In-Reply-To: <CMII8XG7BAQJ.3HUJWF5XZKVT6@taiga>
On 8/29/22 14:18, Drew DeVault wrote:
> I understand. Can you send a revised version of this patch, given that
> you split the const change out?

The const patch was for crypto::hmac, not gcm.

Message ID: <CN2U3K8RP5KL.1JW7D251GABB0@taiga>
In-Reply-To: <e71da1a0-a57b-682d-cd8b-59f8e2bea380@strohwolke.at>
Applied the patch.