upstream: https://github.com/mirage/mirage-crypto


crypto.ocaml: cache round keys, fail explicitly on AES decrypt

- Cache parsed Int32 round key array to avoid allocation per block
- AES.dec raises instead of silently using encrypt (wrong for CBC)
- GHASH documented as not constant-time

TODO: use Eqaf for tag comparison, add constant-time GHASH table lookup

+32 -20
+32 -20
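--- a/src/ocaml/native.ml
+++ b/src/ocaml/native.ml
@@ -27,29 +27,41 @@
 (* For GCM we only need encrypt direction. Store encryption keys. *)
 derive_e key rk rounds
 
+(* Cache: avoid re-parsing round keys on every block encrypt *)
+let cached_rk = ref ""
+let cached_rka = ref [||]
+
+let get_rka rk rounds =
+if rk == !cached_rk then !cached_rka
+else
+let nrk = (rounds + 1) * 4 in
+let rka =
+Array.init nrk (fun i ->
+let o = i * 4 in
+Int32.logor
+(Int32.logor
+(Int32.shift_left
+(Int32.of_int (Char.code (String.get rk o)))
+24)
+(Int32.shift_left
+(Int32.of_int (Char.code (String.get rk (o + 1))))
+16))
+(Int32.logor
+(Int32.shift_left
+(Int32.of_int (Char.code (String.get rk (o + 2))))
+8)
+(Int32.of_int (Char.code (String.get rk (o + 3))))))
+in
+cached_rk := rk;
+cached_rka := rka;
+rka
+
 let enc src soff dst doff rk rounds blocks =
-(* Reconstruct Int32 array from rk bytes *)
-let nrk = (rounds + 1) * 4 in
-let rka =
-Array.init nrk (fun i ->
-let o = i * 4 in
-Int32.logor
-(Int32.logor
-(Int32.shift_left
-(Int32.of_int (Char.code (String.get rk o)))
-24)
-(Int32.shift_left
-(Int32.of_int (Char.code (String.get rk (o + 1))))
-16))
-(Int32.logor
-(Int32.shift_left
-(Int32.of_int (Char.code (String.get rk (o + 2))))
-8)
-(Int32.of_int (Char.code (String.get rk (o + 3))))))
-in
+let rka = get_rka rk rounds in
 Aes_pure.encrypt_ecb rka rounds src soff dst doff blocks
 
-let dec = enc (* GCM only uses encrypt direction *)
+let dec _src _soff _dst _doff _rk _rounds _blocks =
+failwith "AES decrypt not implemented in pure OCaml backend (GCM uses encrypt only)"
 let mode () = 0 (* generic *)
 end
 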
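Review bot: The cache in `get_rka` is two independent module-level refs updated in two steps (`cached_rk := rk; cached_rka := rka`), so a reader that runs between those writes sees the new key string paired with the previous key's round-key array and `enc` silently encrypts with the wrong schedule; this only matters if the backend can be reached from more than one domain or from a signal/finaliser, which I cannot tell from this hunk, but a single ref holding the pair costs nothing and removes the torn read. The physical-equality check `rk == !cached_rk` is a reasonable choice (no data-dependent comparison time on key material), but it means any caller that hands over a freshly allocated copy of the same round keys gets a miss and the full re-parse on every call, which deserves a comment so nobody "fixes" it with `String.equal`. Note also that the global cache keeps the last key's material (both the string and the parsed array) alive for the lifetime of the process after the caller has dropped its own copy, which defeats any zeroisation the caller does; if that is acceptable here, say so in the comment, otherwise expose a way to clear the slot. The enclosing module continues outside the hunk.
```ocaml
(* Single-slot cache of (round-key bytes, parsed Int32 schedule).  Held in one
   ref so a reader can never observe one key's bytes with another key's schedule.
   Hit test is physical equality on purpose: no data-dependent timing, but a
   fresh copy of the same key misses and re-parses.  The last key stays
   reachable here until the slot is overwritten. *)
let cache = ref ("", [||])

let get_rka rk rounds =
  let (k, a) = !cache in
  if rk == k then a
  else begin
    let nrk = (rounds + 1) * 4 in
    (* … unchanged: let rka = Array.init nrk (fun i -> ...) in … *)
    cache := (rk, rka);
    rka
  end
```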