AES-GCM internals: Make the Block type an alias for [u8; BLOCK_LEN].

briansmith · briansmith · commit cc875154e301 · 2024-03-22T14:24:47.000-07:00
After this change, there are some uses of `[u8; BLOCK_LEN]` that could
now be replaced with `Block`. Now the code is a bit inconsistent
regarding this, but we expect to address this soon. Keeping these
instances this way reduces the size of this diff.
diff --git a/src/aead.rs b/src/aead.rs
@@ -242,7 +242,6 @@ pub const MAX_TAG_LEN: usize = TAG_LEN;
 
 mod aes;
 mod aes_gcm;
-mod block;
 mod chacha;
 mod chacha20_poly1305;
 pub mod chacha20_poly1305_openssh;
diff --git a/src/aead/aes.rs b/src/aead/aes.rs
@@ -12,17 +12,13 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
-use super::{
-    block::{Block, BLOCK_LEN},
-    nonce::Nonce,
-    quic::Sample,
-};
+use super::{nonce::Nonce, quic::Sample};
 use crate::{
     bits::{BitLength, FromByteLen as _},
-    c, cpu,
+    c, constant_time, cpu,
     endian::BigEndian,
     error,
-    polyfill::{self, ArraySplitMap},
+    polyfill::{self, ArrayFlatten as _, ArraySplitMap as _},
 };
 use core::ops::RangeFrom;
 
@@ -199,7 +195,7 @@ impl Key {
     #[inline]
     pub fn encrypt_iv_xor_block(&self, iv: Iv, input: Block, cpu_features: cpu::Features) -> Block {
         let encrypted_iv = self.encrypt_block(iv.into_block_less_safe(), cpu_features);
-        encrypted_iv ^ input
+        constant_time::xor(encrypted_iv, input)
     }
 
     #[inline]
@@ -266,7 +262,7 @@ impl Key {
             #[cfg(target_arch = "x86")]
             Implementation::VPAES_BSAES => {
                 super::shift::shift_full_blocks(in_out, src, |input| {
-                    self.encrypt_iv_xor_block(ctr.increment(), Block::from(input), cpu_features)
+                    self.encrypt_iv_xor_block(ctr.increment(), *input, cpu_features)
                 });
             }
 
@@ -277,9 +273,7 @@ impl Key {
     }
 
     pub fn new_mask(&self, sample: Sample) -> [u8; 5] {
-        let &[b0, b1, b2, b3, b4, ..] = self
-            .encrypt_block(Block::from(&sample), cpu::features())
-            .as_ref();
+        let [b0, b1, b2, b3, b4, ..] = self.encrypt_block(sample, cpu::features());
         [b0, b1, b2, b3, b4]
     }
 
@@ -324,7 +318,7 @@ impl Counter {
 
     pub fn increment(&mut self) -> Iv {
         let iv: [[u8; 4]; 4] = self.0.map(Into::into);
-        let iv = Iv(Block::from(iv));
+        let iv = Iv(iv.array_flatten());
         self.increment_by_less_safe(1);
         iv
     }
@@ -343,7 +337,7 @@ pub struct Iv(Block);
 impl From<Counter> for Iv {
     fn from(counter: Counter) -> Self {
         let iv: [[u8; 4]; 4] = counter.0.map(Into::into);
-        Self(Block::from(iv))
+        Self(iv.array_flatten())
     }
 }
 
@@ -355,6 +349,10 @@ impl Iv {
     }
 }
 
+pub(super) type Block = [u8; BLOCK_LEN];
+pub(super) const BLOCK_LEN: usize = 16;
+pub(super) const ZERO_BLOCK: Block = [0u8; BLOCK_LEN];
+
 #[repr(C)] // Only so `Key` can be `#[repr(C)]`
 #[derive(Clone, Copy)]
 #[allow(clippy::upper_case_acronyms)]
@@ -434,10 +432,9 @@ mod tests {
             assert_eq!(section, "");
             let key = consume_key(test_case, "Key");
             let input = test_case.consume_bytes("Input");
-            let input: &[u8; BLOCK_LEN] = input.as_slice().try_into()?;
+            let block: Block = input.as_slice().try_into()?;
             let expected_output = test_case.consume_bytes("Output");
 
-            let block = Block::from(input);
             let output = key.encrypt_block(block, cpu_features);
             assert_eq!(output.as_ref(), &expected_output[..]);
 
diff --git a/src/aead/aes_gcm.rs b/src/aead/aes_gcm.rs
@@ -13,12 +13,11 @@
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 use super::{
-    aes::{self, Counter},
-    block::{Block, BLOCK_LEN},
+    aes::{self, Counter, BLOCK_LEN, ZERO_BLOCK},
     gcm, shift, Aad, Nonce, Tag,
 };
 use crate::{
-    aead, cpu, error,
+    aead, constant_time, cpu, error,
     polyfill::{sliceutil::overwrite_at_start, usize_from_u64_saturated},
 };
 use core::ops::RangeFrom;
@@ -62,7 +61,7 @@ fn init(
 ) -> Result<aead::KeyInner, error::Unspecified> {
     let aes_key = aes::Key::new(key, variant, cpu_features)?;
     let gcm_key = gcm::Key::new(
-        aes_key.encrypt_block(Block::zero(), cpu_features),
+        aes_key.encrypt_block(ZERO_BLOCK, cpu_features),
         cpu_features,
     );
     Ok(aead::KeyInner::AesGcm(Key { gcm_key, aes_key }))
@@ -170,12 +169,12 @@ fn aes_gcm_seal(
     }
 
     if !remainder.is_empty() {
-        let mut input = Block::zero();
-        input.overwrite_part_at(0, remainder);
+        let mut input = ZERO_BLOCK;
+        overwrite_at_start(&mut input, remainder);
         let mut output = aes_key.encrypt_iv_xor_block(ctr.into(), input, cpu_features);
-        output.zero_from(remainder.len());
+        output[remainder.len()..].fill(0);
         auth.update_block(output);
-        overwrite_at_start(remainder, output.as_ref());
+        overwrite_at_start(remainder, &output);
     }
 
     Ok(finish(aes_key, auth, tag_iv))
@@ -309,8 +308,8 @@ fn aes_gcm_open(
 
     let remainder = &mut in_out[whole_len..];
     shift::shift_partial((in_prefix_len, remainder), |remainder| {
-        let mut input = Block::zero();
-        input.overwrite_part_at(0, remainder);
+        let mut input = ZERO_BLOCK;
+        overwrite_at_start(&mut input, remainder);
         auth.update_block(input);
         aes_key.encrypt_iv_xor_block(ctr.into(), input, cpu_features)
     });
@@ -322,8 +321,7 @@ fn finish(aes_key: &aes::Key, gcm_ctx: gcm::Context, tag_iv: aes::Iv) -> Tag {
     // Finalize the tag and return it.
     gcm_ctx.pre_finish(|pre_tag, cpu_features| {
         let encrypted_iv = aes_key.encrypt_block(tag_iv.into_block_less_safe(), cpu_features);
-        let tag = pre_tag ^ encrypted_iv;
-        Tag(*tag.as_ref())
+        Tag(constant_time::xor(pre_tag, encrypted_iv))
     })
 }
 
diff --git a/src/aead/block.rs b/src/aead/block.rs
diff --git a/src/aead/gcm.rs b/src/aead/gcm.rs
@@ -12,18 +12,18 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
-use super::{
-    aes_gcm,
-    block::{Block, BLOCK_LEN},
-    Aad,
-};
+use super::{aes_gcm, Aad};
+
 use crate::{
     bits::{BitLength, FromByteLen as _},
-    cpu, error,
-    polyfill::ArraySplitMap,
+    constant_time, cpu, error,
+    polyfill::{sliceutil::overwrite_at_start, ArrayFlatten as _, ArraySplitMap as _},
 };
 use core::ops::BitXorAssign;
 
+// GCM uses the same block type as AES.
+use super::aes::{Block, BLOCK_LEN, ZERO_BLOCK};
+
 mod gcm_nohw;
 
 #[derive(Clone)]
@@ -33,7 +33,7 @@ pub struct Key {
 
 impl Key {
     pub(super) fn new(h_be: Block, cpu_features: cpu::Features) -> Self {
-        let h: [u64; 2] = h_be.as_ref().array_split_map(u64::from_be_bytes);
+        let h: [u64; 2] = h_be.array_split_map(u64::from_be_bytes);
 
         let mut key = Self {
             h_table: HTable {
@@ -111,7 +111,7 @@ impl Context {
 
         let mut ctx = Self {
             inner: ContextInner {
-                Xi: Xi(Block::zero()),
+                Xi: Xi(ZERO_BLOCK),
                 Htable: key.h_table.clone(),
             },
             aad_len: BitLength::from_byte_len(aad.as_ref().len())?,
@@ -120,8 +120,8 @@ impl Context {
         };
 
         for ad in aad.0.chunks(BLOCK_LEN) {
-            let mut block = Block::zero();
-            block.overwrite_part_at(0, ad);
+            let mut block = ZERO_BLOCK;
+            overwrite_at_start(&mut block, ad);
             ctx.update_block(block);
         }
 
@@ -268,9 +268,11 @@ impl Context {
     where
         F: FnOnce(Block, cpu::Features) -> super::Tag,
     {
-        self.update_block(Block::from(
-            [self.aad_len, self.in_out_len].map(BitLength::to_be_bytes),
-        ));
+        self.update_block(
+            [self.aad_len, self.in_out_len]
+                .map(BitLength::to_be_bytes)
+                .array_flatten(),
+        );
 
         f(self.inner.Xi.0, self.cpu_features)
     }
@@ -314,14 +316,7 @@ pub struct Xi(Block);
 impl BitXorAssign<Block> for Xi {
     #[inline]
     fn bitxor_assign(&mut self, a: Block) {
-        self.0 ^= a;
-    }
-}
-
-impl From<Xi> for Block {
-    #[inline]
-    fn from(Xi(block): Xi) -> Self {
-        block
+        self.0 = constant_time::xor(self.0, a)
     }
 }
 
diff --git a/src/aead/gcm/gcm_nohw.rs b/src/aead/gcm/gcm_nohw.rs
@@ -22,8 +22,8 @@
 //
 // Unlike the BearSSL notes, we use u128 in the 64-bit implementation.
 
-use super::{Block, Xi, BLOCK_LEN};
-use crate::polyfill::ArraySplitMap;
+use super::{Xi, BLOCK_LEN};
+use crate::polyfill::{ArrayFlatten as _, ArraySplitMap as _};
 
 #[cfg(target_pointer_width = "64")]
 fn gcm_mul64_nohw(a: u64, b: u64) -> (u64, u64) {
@@ -236,9 +236,9 @@ pub(super) fn ghash(xi: &mut Xi, h: super::u128, input: &[[u8; BLOCK_LEN]]) {
 
 #[inline]
 fn with_swapped_xi(Xi(xi): &mut Xi, f: impl FnOnce(&mut [u64; 2])) {
-    let unswapped: [u64; 2] = xi.as_ref().array_split_map(u64::from_be_bytes);
+    let unswapped: [u64; 2] = xi.array_split_map(u64::from_be_bytes);
     let mut swapped: [u64; 2] = [unswapped[1], unswapped[0]];
     f(&mut swapped);
     let reswapped = [swapped[1], swapped[0]];
-    *xi = Block::from(reswapped.map(u64::to_be_bytes))
+    *xi = reswapped.map(u64::to_be_bytes).array_flatten()
 }
diff --git a/src/aead/shift.rs b/src/aead/shift.rs
@@ -12,14 +12,13 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
-use super::block::{Block, BLOCK_LEN};
 use crate::polyfill::sliceutil::overwrite_at_start;
 
 #[cfg(target_arch = "x86")]
-pub fn shift_full_blocks(
+pub fn shift_full_blocks<const BLOCK_LEN: usize>(
     in_out: &mut [u8],
     src: core::ops::RangeFrom<usize>,
-    mut transform: impl FnMut(&[u8; BLOCK_LEN]) -> Block,
+    mut transform: impl FnMut(&[u8; BLOCK_LEN]) -> [u8; BLOCK_LEN],
 ) {
     let in_out_len = in_out[src.clone()].len();
 
@@ -30,13 +29,13 @@ pub fn shift_full_blocks(
             transform(input)
         };
         let output = <&mut [u8; BLOCK_LEN]>::try_from(&mut in_out[i..][..BLOCK_LEN]).unwrap();
-        *output = *block.as_ref();
+        *output = block;
     }
 }
 
-pub fn shift_partial(
+pub fn shift_partial<const BLOCK_LEN: usize>(
     (in_prefix_len, in_out): (usize, &mut [u8]),
-    transform: impl FnOnce(&[u8]) -> Block,
+    transform: impl FnOnce(&[u8]) -> [u8; BLOCK_LEN],
 ) {
     let (block, in_out_len) = {
         let input = &in_out[in_prefix_len..];
@@ -47,5 +46,5 @@ pub fn shift_partial(
         debug_assert!(in_out_len < BLOCK_LEN);
         (transform(input), in_out_len)
     };
-    overwrite_at_start(&mut in_out[..in_out_len], block.as_ref());
+    overwrite_at_start(&mut in_out[..in_out_len], &block);
 }
