From ff94748205290f6684a64fcccf8579b561371a56 Mon Sep 17 00:00:00 2001
From: Peter Dettman
Date: Sat, 10 Jun 2017 14:00:03 +0700
Subject: Added S-box allocation to AesEngine
- mark AesFastEngine obsolete and replace all usages with AesEngine
---
crypto/src/crypto/engines/AesEngine.cs | 19 ++++++++++-------
crypto/src/crypto/engines/AesFastEngine.cs | 5 +++++
crypto/src/security/CipherUtilities.cs | 6 +++---
crypto/src/security/MacUtilities.cs | 2 +-
crypto/src/security/WrapperUtilities.cs | 2 +-
crypto/test/src/crypto/prng/test/CtrDrbgTest.cs | 26 +++++++++++------------
crypto/test/src/crypto/test/CMacTest.cs | 2 +-
crypto/test/src/crypto/test/EAXTest.cs | 6 +++---
crypto/test/src/crypto/test/GCMTest.cs | 2 +-
crypto/test/src/crypto/test/GMacTest.cs | 4 ++--
crypto/test/src/crypto/test/Poly1305Test.cs | 8 +++----
crypto/test/src/security/test/SecureRandomTest.cs | 4 ++--
12 files changed, 47 insertions(+), 39 deletions(-)
diff --git a/crypto/src/crypto/engines/AesEngine.cs b/crypto/src/crypto/engines/AesEngine.cs
index ba62af4da..91bdf69ef 100644
--- a/crypto/src/crypto/engines/AesEngine.cs
+++ b/crypto/src/crypto/engines/AesEngine.cs
@@ -429,6 +429,8 @@ namespace Org.BouncyCastle.Crypto.Engines
private uint C0, C1, C2, C3;
private bool forEncryption;
+ private byte[] s;
+
private const int BLOCK_SIZE = 16;
/**
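Review bot: The new field `s` declared after `forEncryption` has no comment saying why a per-instance copy of the S-box is kept next to the static `S`/`Si` tables, so a later tidy-up could fold its lookups back into the static table without noticing anything was lost. Given that the same commit marks AesFastEngine obsolete over side-channel concerns, the copy appears intended to change which memory the final-round lookups touch, but that reading is inferred and should be confirmed by the author. Suggest `// Per-instance copy of S (encrypt) or Si (decrypt), filled in by Init and read in the final round of EncryptBlock/DecryptBlock.` above the declaration. The assignment itself sits in the next hunk, whose enclosing method (presumably Init) starts and ends outside the hunk.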
@@ -459,6 +461,7 @@ namespace Org.BouncyCastle.Crypto.Engines
WorkingKey = GenerateWorkingKey(keyParameter.GetKey(), forEncryption);
this.forEncryption = forEncryption;
+ this.s = Arrays.Clone(forEncryption ? S : Si);
}
public virtual string AlgorithmName
@@ -560,10 +563,10 @@ namespace Org.BouncyCastle.Crypto.Engines
// the final round's table is a simple function of S so we don't use a whole other four tables for it
kw = KW[r];
- this.C0 = (uint)S[r0 & 255] ^ (((uint)S[(r1 >> 8) & 255]) << 8) ^ (((uint)S[(r2 >> 16) & 255]) << 16) ^ (((uint)S[(r3 >> 24) & 255]) << 24) ^ kw[0];
- this.C1 = (uint)S[r1 & 255] ^ (((uint)S[(r2 >> 8) & 255]) << 8) ^ (((uint)S[(r3 >> 16) & 255]) << 16) ^ (((uint)S[(r0 >> 24) & 255]) << 24) ^ kw[1];
- this.C2 = (uint)S[r2 & 255] ^ (((uint)S[(r3 >> 8) & 255]) << 8) ^ (((uint)S[(r0 >> 16) & 255]) << 16) ^ (((uint)S[(r1 >> 24) & 255]) << 24) ^ kw[2];
- this.C3 = (uint)S[r3 & 255] ^ (((uint)S[(r0 >> 8) & 255]) << 8) ^ (((uint)S[(r1 >> 16) & 255]) << 16) ^ (((uint)S[(r2 >> 24) & 255]) << 24) ^ kw[3];
+ this.C0 = (uint)S[r0 & 255] ^ (((uint)S[(r1 >> 8) & 255]) << 8) ^ (((uint)s[(r2 >> 16) & 255]) << 16) ^ (((uint)s[(r3 >> 24) & 255]) << 24) ^ kw[0];
+ this.C1 = (uint)s[r1 & 255] ^ (((uint)S[(r2 >> 8) & 255]) << 8) ^ (((uint)S[(r3 >> 16) & 255]) << 16) ^ (((uint)s[(r0 >> 24) & 255]) << 24) ^ kw[1];
+ this.C2 = (uint)s[r2 & 255] ^ (((uint)S[(r3 >> 8) & 255]) << 8) ^ (((uint)S[(r0 >> 16) & 255]) << 16) ^ (((uint)S[(r1 >> 24) & 255]) << 24) ^ kw[2];
+ this.C3 = (uint)s[r3 & 255] ^ (((uint)s[(r0 >> 8) & 255]) << 8) ^ (((uint)s[(r1 >> 16) & 255]) << 16) ^ (((uint)S[(r2 >> 24) & 255]) << 24) ^ kw[3];
}
private void DecryptBlock(uint[][] KW)
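Review bot: The rewritten final-round assignments mix lookups against the static `S` and the instance copy `s` in a pattern that is not explained anywhere (`C0` reads its two low bytes from `S` and its two high bytes from `s`, while `C2` reads `s` only for its lowest byte), so a future cleanup could "normalize" all four lines to a single table and silently undo whatever the split is meant to achieve; the `Si`/`s` mix in the DecryptBlock hunk below has the same issue. If the split is intentional, a one-line comment above the four assignments should say so, e.g. `// lookups are split between the static table and the per-instance copy s on purpose; do not collapse them to one table`. These lines also assume `s` was set by Init; ProcessBlock presumably already rejects an un-initialised engine via WorkingKey, but if not, a null `s` would surface here as a NullReferenceException rather than the engine's usual InvalidOperationException — worth confirming. EncryptBlock's body begins outside the hunk.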
@@ -598,10 +601,10 @@ namespace Org.BouncyCastle.Crypto.Engines
// the final round's table is a simple function of Si so we don't use a whole other four tables for it
kw = KW[0];
- this.C0 = (uint)Si[r0 & 255] ^ (((uint)Si[(r3 >> 8) & 255]) << 8) ^ (((uint)Si[(r2 >> 16) & 255]) << 16) ^ (((uint)Si[(r1 >> 24) & 255]) << 24) ^ kw[0];
- this.C1 = (uint)Si[r1 & 255] ^ (((uint)Si[(r0 >> 8) & 255]) << 8) ^ (((uint)Si[(r3 >> 16) & 255]) << 16) ^ (((uint)Si[(r2 >> 24) & 255]) << 24) ^ kw[1];
- this.C2 = (uint)Si[r2 & 255] ^ (((uint)Si[(r1 >> 8) & 255]) << 8) ^ (((uint)Si[(r0 >> 16) & 255]) << 16) ^ (((uint)Si[(r3 >> 24) & 255]) << 24) ^ kw[2];
- this.C3 = (uint)Si[r3 & 255] ^ (((uint)Si[(r2 >> 8) & 255]) << 8) ^ (((uint)Si[(r1 >> 16) & 255]) << 16) ^ (((uint)Si[(r0 >> 24) & 255]) << 24) ^ kw[3];
+ this.C0 = (uint)Si[r0 & 255] ^ (((uint)s[(r3 >> 8) & 255]) << 8) ^ (((uint)s[(r2 >> 16) & 255]) << 16) ^ (((uint)Si[(r1 >> 24) & 255]) << 24) ^ kw[0];
+ this.C1 = (uint)s[r1 & 255] ^ (((uint)s[(r0 >> 8) & 255]) << 8) ^ (((uint)Si[(r3 >> 16) & 255]) << 16) ^ (((uint)s[(r2 >> 24) & 255]) << 24) ^ kw[1];
+ this.C2 = (uint)s[r2 & 255] ^ (((uint)Si[(r1 >> 8) & 255]) << 8) ^ (((uint)Si[(r0 >> 16) & 255]) << 16) ^ (((uint)s[(r3 >> 24) & 255]) << 24) ^ kw[2];
+ this.C3 = (uint)Si[r3 & 255] ^ (((uint)s[(r2 >> 8) & 255]) << 8) ^ (((uint)s[(r1 >> 16) & 255]) << 16) ^ (((uint)s[(r0 >> 24) & 255]) << 24) ^ kw[3];
}
}
}
diff --git a/crypto/src/crypto/engines/AesFastEngine.cs b/crypto/src/crypto/engines/AesFastEngine.cs
index 3a9c3a89e..9d3a86fd2 100644
--- a/crypto/src/crypto/engines/AesFastEngine.cs
+++ b/crypto/src/crypto/engines/AesFastEngine.cs
@@ -31,6 +31,11 @@ namespace Org.BouncyCastle.Crypto.Engines
* This file contains the fast version with 8Kbytes of static tables for round precomputation
*
*/
+ ///
+ /// Unfortunately this class has a few side channel issues.
+ /// In an environment where encryption/decryption may be closely observed it should not be used.
+ ///
+ [Obsolete("Use AesEngine instead")]
public class AesFastEngine
: IBlockCipher
{
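Review bot: The new `///` lines above `[Obsolete]` form an XML doc comment with no `<summary>` or `<remarks>` element, so documentation tooling attaches two sentences of bare text (plus two empty lines) to the class, directly beneath the existing `/** ... */` block that already describes it. Suggest wrapping the two sentences in `<remarks>` so they render as a note on the class rather than as untagged text. Since the attribute message is what callers actually see at compile time, consider carrying the reason there as well, `[Obsolete("Use AesEngine instead; AesFastEngine has known side channel issues")]`. The class declaration continues outside the hunk.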
diff --git a/crypto/src/security/CipherUtilities.cs b/crypto/src/security/CipherUtilities.cs
index 3217f3183..de05bc9ef 100644
--- a/crypto/src/security/CipherUtilities.cs
+++ b/crypto/src/security/CipherUtilities.cs
@@ -323,7 +323,7 @@ namespace Org.BouncyCastle.Security
"PBEWITHMD5AND256BITAES-CBC-OPENSSL"))
{
return new PaddedBufferedBlockCipher(
- new CbcBlockCipher(new AesFastEngine()));
+ new CbcBlockCipher(new AesEngine()));
}
}
}
@@ -358,7 +358,7 @@ namespace Org.BouncyCastle.Security
switch (cipherAlgorithm)
{
case CipherAlgorithm.AES:
- blockCipher = new AesFastEngine();
+ blockCipher = new AesEngine();
break;
case CipherAlgorithm.ARC4:
streamCipher = new RC4Engine();
@@ -722,7 +722,7 @@ namespace Org.BouncyCastle.Security
{
switch (cipherAlgorithm)
{
- case CipherAlgorithm.AES: return new AesFastEngine();
+ case CipherAlgorithm.AES: return new AesEngine();
case CipherAlgorithm.BLOWFISH: return new BlowfishEngine();
case CipherAlgorithm.CAMELLIA: return new CamelliaEngine();
case CipherAlgorithm.CAST5: return new Cast5Engine();
diff --git a/crypto/src/security/MacUtilities.cs b/crypto/src/security/MacUtilities.cs
index fab9b1d41..278f3bec1 100644
--- a/crypto/src/security/MacUtilities.cs
+++ b/crypto/src/security/MacUtilities.cs
@@ -136,7 +136,7 @@ namespace Org.BouncyCastle.Security
if (mechanism == "AESCMAC")
{
- return new CMac(new AesFastEngine());
+ return new CMac(new AesEngine());
}
if (mechanism == "DESMAC")
{
diff --git a/crypto/src/security/WrapperUtilities.cs b/crypto/src/security/WrapperUtilities.cs
index ce31ea519..c57632081 100644
--- a/crypto/src/security/WrapperUtilities.cs
+++ b/crypto/src/security/WrapperUtilities.cs
@@ -78,7 +78,7 @@ namespace Org.BouncyCastle.Security
case WrapAlgorithm.RC2WRAP: return new RC2WrapEngine();
case WrapAlgorithm.SEEDWRAP: return new SeedWrapEngine();
case WrapAlgorithm.DESEDERFC3211WRAP: return new Rfc3211WrapEngine(new DesEdeEngine());
- case WrapAlgorithm.AESRFC3211WRAP: return new Rfc3211WrapEngine(new AesFastEngine());
+ case WrapAlgorithm.AESRFC3211WRAP: return new Rfc3211WrapEngine(new AesEngine());
case WrapAlgorithm.CAMELLIARFC3211WRAP: return new Rfc3211WrapEngine(new CamelliaEngine());
}
}
diff --git a/crypto/test/src/crypto/prng/test/CtrDrbgTest.cs b/crypto/test/src/crypto/prng/test/CtrDrbgTest.cs
index 44b08f3a6..4dc09f4e8 100644
--- a/crypto/test/src/crypto/prng/test/CtrDrbgTest.cs
+++ b/crypto/test/src/crypto/prng/test/CtrDrbgTest.cs
@@ -149,7 +149,7 @@ namespace Org.BouncyCastle.Crypto.Prng.Test
.AddAdditionalInput("606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C")
.AddAdditionalInput("A0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBC"),
new DrbgTestVector(
- new AesFastEngine(), 128,
+ new AesEngine(), 128,
new Bit256EntropyProvider().Get(256),
false,
"2021222324252627",
@@ -161,7 +161,7 @@ namespace Org.BouncyCastle.Crypto.Prng.Test
}
),
new DrbgTestVector(
- new AesFastEngine(), 128,
+ new AesEngine(), 128,
new Bit256EntropyProvider().Get(256),
false,
"2021222324252627",
@@ -175,7 +175,7 @@ namespace Org.BouncyCastle.Crypto.Prng.Test
.AddAdditionalInput("606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F")
.AddAdditionalInput("A0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBF"),
new DrbgTestVector(
- new AesFastEngine(), 128,
+ new AesEngine(), 128,
new Bit256EntropyProvider().Get(256),
false,
"2021222324252627",
@@ -188,7 +188,7 @@ namespace Org.BouncyCastle.Crypto.Prng.Test
)
.SetPersonalizationString("404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F"),
new DrbgTestVector(
- new AesFastEngine(), 128,
+ new AesEngine(), 128,
new Bit256EntropyProvider().Get(256),
true,
"2021222324252627",
@@ -200,7 +200,7 @@ namespace Org.BouncyCastle.Crypto.Prng.Test
}
),
new DrbgTestVector(
- new AesFastEngine(), 128,
+ new AesEngine(), 128,
new Bit256EntropyProvider().Get(256),
true,
"2021222324252627",
@@ -214,7 +214,7 @@ namespace Org.BouncyCastle.Crypto.Prng.Test
.AddAdditionalInput("606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F")
.AddAdditionalInput("A0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBF"),
new DrbgTestVector(
- new AesFastEngine(), 128,
+ new AesEngine(), 128,
new Bit256EntropyProvider().Get(256),
true,
"2021222324252627",
@@ -227,7 +227,7 @@ namespace Org.BouncyCastle.Crypto.Prng.Test
)
.SetPersonalizationString("404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F"),
new DrbgTestVector(
- new AesFastEngine(), 192,
+ new AesEngine(), 192,
new Bit320EntropyProvider().Get(320),
false,
"202122232425262728292A2B",
@@ -240,7 +240,7 @@ namespace Org.BouncyCastle.Crypto.Prng.Test
)
.SetPersonalizationString("404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F6061626364656667"),
new DrbgTestVector(
- new AesFastEngine(), 192,
+ new AesEngine(), 192,
new Bit320EntropyProvider().Get(320),
true,
"202122232425262728292A2B",
@@ -253,7 +253,7 @@ namespace Org.BouncyCastle.Crypto.Prng.Test
)
.SetPersonalizationString("404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F6061626364656667"),
new DrbgTestVector(
- new AesFastEngine(), 256,
+ new AesEngine(), 256,
new Bit384EntropyProvider().Get(384),
false,
"202122232425262728292A2B2C2D2E2F",
@@ -268,7 +268,7 @@ namespace Org.BouncyCastle.Crypto.Prng.Test
.AddAdditionalInput("606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F")
.AddAdditionalInput("A0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7C8C9CACBCCCDCECF"),
new DrbgTestVector(
- new AesFastEngine(), 256,
+ new AesEngine(), 256,
new Bit384EntropyProvider().Get(384),
true,
"202122232425262728292A2B2C2D2E2F",
@@ -282,7 +282,7 @@ namespace Org.BouncyCastle.Crypto.Prng.Test
.AddAdditionalInput("606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F")
.AddAdditionalInput("A0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7C8C9CACBCCCDCECF"),
new DrbgTestVector(
- new AesFastEngine(), 256,
+ new AesEngine(), 256,
new Bit384EntropyProvider().Get(384),
true,
"202122232425262728292A2B2C2D2E2F",
@@ -295,7 +295,7 @@ namespace Org.BouncyCastle.Crypto.Prng.Test
)
.SetPersonalizationString("404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F"),
new DrbgTestVector(
- new AesFastEngine(), 256,
+ new AesEngine(), 256,
new Bit384EntropyProvider().Get(384),
true,
"202122232425262728292A2B2C2D2E2F",
@@ -310,7 +310,7 @@ namespace Org.BouncyCastle.Crypto.Prng.Test
.AddAdditionalInput("606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F")
.AddAdditionalInput("A0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7C8C9CACBCCCDCECF"),
new DrbgTestVector(
- new AesFastEngine(), 256,
+ new AesEngine(), 256,
new Bit384EntropyProvider().Get(384),
true,
"202122232425262728292A2B2C2D2E2F",
diff --git a/crypto/test/src/crypto/test/CMacTest.cs b/crypto/test/src/crypto/test/CMacTest.cs
index d71b69f98..23ae7cb88 100644
--- a/crypto/test/src/crypto/test/CMacTest.cs
+++ b/crypto/test/src/crypto/test/CMacTest.cs
@@ -57,7 +57,7 @@ namespace Org.BouncyCastle.Crypto.Tests
public override void PerformTest()
{
- IBlockCipher cipher = new AesFastEngine();
+ IBlockCipher cipher = new AesEngine();
IMac mac = new CMac(cipher, 128);
//128 bytes key
diff --git a/crypto/test/src/crypto/test/EAXTest.cs b/crypto/test/src/crypto/test/EAXTest.cs
index c6be118b2..838f26a1b 100644
--- a/crypto/test/src/crypto/test/EAXTest.cs
+++ b/crypto/test/src/crypto/test/EAXTest.cs
@@ -186,8 +186,8 @@ namespace Org.BouncyCastle.Crypto.Tests
byte[] t,
byte[] c)
{
- EaxBlockCipher encEax = new EaxBlockCipher(new AesFastEngine());
- EaxBlockCipher decEax = new EaxBlockCipher(new AesFastEngine());
+ EaxBlockCipher encEax = new EaxBlockCipher(new AesEngine());
+ EaxBlockCipher decEax = new EaxBlockCipher(new AesEngine());
AeadParameters parameters = new AeadParameters(new KeyParameter(k), macSize, n, a);
encEax.Init(true, parameters);
@@ -313,7 +313,7 @@ namespace Org.BouncyCastle.Crypto.Tests
srng.NextBytes(datIn);
srng.NextBytes(key);
- AesFastEngine engine = new AesFastEngine();
+ IBlockCipher engine = new AesEngine();
KeyParameter sessKey = new KeyParameter(key);
EaxBlockCipher eaxCipher = new EaxBlockCipher(engine);
diff --git a/crypto/test/src/crypto/test/GCMTest.cs b/crypto/test/src/crypto/test/GCMTest.cs
index 943ffdad4..3f7418fb2 100644
--- a/crypto/test/src/crypto/test/GCMTest.cs
+++ b/crypto/test/src/crypto/test/GCMTest.cs
@@ -327,7 +327,7 @@ namespace Org.BouncyCastle.Crypto.Tests
protected IBlockCipher CreateAesEngine()
{
- return new AesFastEngine();
+ return new AesEngine();
}
private void DoTestExceptions()
diff --git a/crypto/test/src/crypto/test/GMacTest.cs b/crypto/test/src/crypto/test/GMacTest.cs
index 383ff96b7..62088b976 100644
--- a/crypto/test/src/crypto/test/GMacTest.cs
+++ b/crypto/test/src/crypto/test/GMacTest.cs
@@ -107,7 +107,7 @@ namespace Org.BouncyCastle.Crypto.Tests
{
TestCase testCase = TEST_VECTORS[i];
- IMac mac = new GMac(new GcmBlockCipher(new AesFastEngine()), testCase.getTag().Length * 8);
+ IMac mac = new GMac(new GcmBlockCipher(new AesEngine()), testCase.getTag().Length * 8);
ICipherParameters key = new KeyParameter(testCase.getKey());
mac.Init(new ParametersWithIV(key, testCase.getIv()));
@@ -125,7 +125,7 @@ namespace Org.BouncyCastle.Crypto.Tests
{
try
{
- GMac mac = new GMac(new GcmBlockCipher(new AesFastEngine()), size);
+ GMac mac = new GMac(new GcmBlockCipher(new AesEngine()), size);
mac.Init(new ParametersWithIV(null, new byte[16]));
Fail("Expected failure for illegal mac size " + size);
}
diff --git a/crypto/test/src/crypto/test/Poly1305Test.cs b/crypto/test/src/crypto/test/Poly1305Test.cs
index cfbff787e..7aaceb99e 100644
--- a/crypto/test/src/crypto/test/Poly1305Test.cs
+++ b/crypto/test/src/crypto/test/Poly1305Test.cs
@@ -129,7 +129,7 @@ namespace Org.BouncyCastle.Crypto.Tests
}
else
{
- mac = new Poly1305(new AesFastEngine());
+ mac = new Poly1305(new AesEngine());
mac.Init(new ParametersWithIV(new KeyParameter(tc.key), tc.nonce));
}
mac.BlockUpdate(tc.message, 0, tc.message.Length);
@@ -151,7 +151,7 @@ namespace Org.BouncyCastle.Crypto.Tests
byte[] output = new byte[16];
int c = 0;
- IMac mac = new Poly1305(new AesFastEngine());
+ IMac mac = new Poly1305(new AesEngine());
for (int loop = 0; loop < 13; loop++)
{
len = 0;
@@ -228,7 +228,7 @@ namespace Org.BouncyCastle.Crypto.Tests
byte[] output = new byte[16];
// Generate baseline
- IMac poly = new Poly1305(new AesFastEngine());
+ IMac poly = new Poly1305(new AesEngine());
poly.Init(new ParametersWithIV(new KeyParameter(k), new byte[16]));
poly.BlockUpdate(m, 0, m.Length);
@@ -274,7 +274,7 @@ namespace Org.BouncyCastle.Crypto.Tests
gen.Init(new KeyGenerationParameters(new SecureRandom(), 256));
byte[] k = gen.GenerateKey();
- IMac poly = new Poly1305(new AesFastEngine());
+ IMac poly = new Poly1305(new AesEngine());
poly.Init(new ParametersWithIV(new KeyParameter(k), new byte[16]));
try
diff --git a/crypto/test/src/security/test/SecureRandomTest.cs b/crypto/test/src/security/test/SecureRandomTest.cs
index f1d83b29c..98bf75508 100644
--- a/crypto/test/src/security/test/SecureRandomTest.cs
+++ b/crypto/test/src/security/test/SecureRandomTest.cs
@@ -68,7 +68,7 @@ namespace Org.BouncyCastle.Security.Tests
[Test]
public void TestSP800Ctr()
{
- SecureRandom random = new SP800SecureRandomBuilder().BuildCtr(new AesFastEngine(), 256, new byte[32], false);
+ SecureRandom random = new SP800SecureRandomBuilder().BuildCtr(new AesEngine(), 256, new byte[32], false);
CheckSecureRandom(random);
}
@@ -110,7 +110,7 @@ namespace Org.BouncyCastle.Security.Tests
[Test]
public void TestX931()
{
- SecureRandom random = new X931SecureRandomBuilder().Build(new AesFastEngine(), new KeyParameter(new byte[16]), false);
+ SecureRandom random = new X931SecureRandomBuilder().Build(new AesEngine(), new KeyParameter(new byte[16]), false);
CheckSecureRandom(random);
}
--
cgit 1.4.1