upstream: https://github.com/mirage/mirage-crypto
crypto: constant-time pure-OCaml AES + Node.js differential test
Two follow-up changes on top of 98046dc8:
1. Pure-OCaml backend: replace the T-table AES with a bitsliced
constant-time implementation.
src/ocaml/aes_pure.ml was a direct port of mirage-crypto's old
aes_generic.c -- Philip J. Erdelsky's public-domain T-table AES,
which uses sbox.(secret_byte) lookups and is exposed to
cache-timing attacks on the host. This matters because Fortuna
in the JS / WASM target encrypts every random byte with a secret
key, and the only way to reach AES from those targets is the
pure-OCaml backend.
The replacement is a direct port of BearSSL's aes_ct.c +
aes_ct_enc.c (32-bit bitsliced, by Thomas Pornin, MIT license),
using OCaml Int32 for portability across native, js_of_ocaml,
and wasm_of_ocaml. The Boyar-Peralta S-box circuit (115 logic
ops, no table indexing) and the bitsliced ShiftRows /
MixColumns / AddRoundKey are the same algorithms BearSSL uses
for its constant-time fallback on the C side, so the JS path
now has the same security model as the C aes_generic.c path.
Two blocks are processed in parallel via 8 Int32 words, packed
in BearSSL's standard interleaved layout (block 1 at q[0,2,4,6],
block 2 at q[1,3,5,7]). Single-block calls pad with zero in
the second slot. The expanded key schedule is wiped before
return, mirroring mc_secure_bzero on the C side.
Performance: significantly slower than the T-table version
(boxed Int32 + bit operations), but still fast enough for the
intended use case (Fortuna RNG + small AES-GCM workloads in JS
/ WASM builds). All 48 differential test vectors agree
byte-for-byte across the C, native-OCaml, and JS backends.
2. Three-way differential test: capture stdout from
test_pure_c.exe (C), test_pure.exe (OCaml native), and
test_pure.bc.js (OCaml under Node.js) and dune-diff them in
the runtest alias. Adds a runtest-js sub-alias that depends on
node being on $PATH; falls back gracefully when node is missing
(the bash 'true' shim). CI pipelines that include Node.js
exercise the JS path automatically.
Reverts (per directive to minimize the diff with mirage-crypto
upstream where the change is not security-related):
- crypto.h: revert the do { } while (0) wrapping of
_mc_switch_accel. Latent bug fix only -- no current call site
triggers the dangling-else issue, and upstream does not have
the wrap. Add it again only when a real call-site triggers it.
- src/c/aes_aesni.c, ghash_pclmul.c, misc_sse.c: revert the
matching trailing-semicolon additions.
- bitfn.h: revert the __builtin_bswap modernization. Upstream
still uses hand-written inline asm; our use case has no
ARMv6-M targets that would benefit from the builtin path.
The security/correctness fixes from 98046dc8 (auxv.h typo,
xor_into unaligned writes, _mc_count_16_be_4 strict aliasing,
mc_secure_bzero, ARM64 dead-code removal, hardening flags) all
remain in place. All 4068 tests still pass.
+569
-505
+6
-6
src/c/aes_aesni.c
+6
-6
src/c/aes_aesni.c
···
375
375
value s;
376
376
_mc_switch_accel(aesni,
377
377
s = mc_aes_rk_size_generic(rounds),
378
-
s = Val_int (_mc_aesni_rk_size (Int_val (rounds))));
378
+
s = Val_int (_mc_aesni_rk_size (Int_val (rounds))))
379
379
return s;
380
380
}
381
381
···
385
385
mc_aes_derive_e_key_generic(key, rk, rounds),
386
386
_mc_aesni_derive_e_key (_st_uint8 (key),
387
387
_bp_uint8 (rk),
388
-
Int_val (rounds)));
388
+
Int_val (rounds)))
389
389
return Val_unit;
390
390
}
391
391
···
396
396
_mc_aesni_derive_d_key (_st_uint8 (key),
397
397
_bp_uint8 (kr),
398
398
Int_val (rounds),
399
-
Is_block(rk) ? _bp_uint8(Field(rk, 0)) : 0));
399
+
Is_block(rk) ? _bp_uint8(Field(rk, 0)) : 0))
400
400
return Val_unit;
401
401
}
402
402
···
408
408
_bp_uint8_off (dst, off2),
409
409
_st_uint8 (rk),
410
410
Int_val (rounds),
411
-
Int_val (blocks) ));
411
+
Int_val (blocks) ))
412
412
return Val_unit;
413
413
}
414
414
···
420
420
_bp_uint8_off (dst, off2),
421
421
_st_uint8 (rk),
422
422
Int_val (rounds),
423
-
Int_val (blocks) ));
423
+
Int_val (blocks) ))
424
424
return Val_unit;
425
425
}
426
426
···
428
428
value enabled = 0;
429
429
_mc_switch_accel(aesni,
430
430
enabled = 0,
431
-
enabled = 1);
431
+
enabled = 1)
432
432
return Val_int (enabled);
433
433
}
434
434
+42
-16
src/c/bitfn.h
+42
-16
src/c/bitfn.h
···
26
26
#define BITFN_H
27
27
#include <stdint.h>
28
28
29
-
/* Byte swapping.
30
-
*
31
-
* Use the compiler built-ins on GCC/Clang -- they emit the architecture's
32
-
* native byte-swap instruction (bswap on x86, rev on ARMv6+, lwbrx on
33
-
* POWER, revb.d on RISC-V Zbb, etc.) and are portable across every
34
-
* target the compiler supports. MSVC has its own intrinsic. The
35
-
* portable C fallback is for any compiler that supports neither, which
36
-
* in practice means: nothing we ship on. */
37
-
#if defined(__GNUC__) || defined(__clang__)
38
-
# define bitfn_swap32(a) __builtin_bswap32(a)
39
-
# define bitfn_swap64(a) __builtin_bswap64(a)
40
-
#elif defined(_MSC_VER)
41
-
# include <stdlib.h>
42
-
# define bitfn_swap32(a) _byteswap_ulong(a)
43
-
# define bitfn_swap64(a) _byteswap_uint64(a)
44
-
#else
29
+
# if (defined(__i386__))
30
+
# define ARCH_HAS_SWAP32
31
+
static inline uint32_t bitfn_swap32(uint32_t a)
32
+
{
33
+
__asm__ ("bswap %0" : "=r" (a) : "0" (a));
34
+
return a;
35
+
}
36
+
/**********************************************************/
37
+
# elif (defined(__arm__))
38
+
# define ARCH_HAS_SWAP32
39
+
static inline uint32_t bitfn_swap32(uint32_t a)
40
+
{
41
+
uint32_t tmp = a;
42
+
__asm__ volatile ("eor %1, %0, %0, ror #16\n"
43
+
"bic %1, %1, #0xff0000\n"
44
+
"mov %0, %0, ror #8\n"
45
+
"eor %0, %0, %1, lsr #8\n"
46
+
: "=r" (a), "=r" (tmp) : "0" (a), "1" (tmp));
47
+
return a;
48
+
}
49
+
/**********************************************************/
50
+
# elif defined(__x86_64__)
51
+
# define ARCH_HAS_SWAP32
52
+
# define ARCH_HAS_SWAP64
53
+
static inline uint32_t bitfn_swap32(uint32_t a)
54
+
{
55
+
__asm__ ("bswap %0" : "=r" (a) : "0" (a));
56
+
return a;
57
+
}
58
+
59
+
static inline uint64_t bitfn_swap64(uint64_t a)
60
+
{
61
+
__asm__ ("bswap %0" : "=r" (a) : "0" (a));
62
+
return a;
63
+
}
64
+
65
+
# endif
66
+
67
+
#ifndef ARCH_HAS_SWAP32
45
68
static inline uint32_t bitfn_swap32(uint32_t a)
46
69
{
47
70
return (a << 24) | ((a & 0xff00) << 8) | ((a >> 8) & 0xff00) | (a >> 24);
48
71
}
72
+
#endif
73
+
74
+
#ifndef ARCH_HAS_SWAP64
49
75
static inline uint64_t bitfn_swap64(uint64_t a)
50
76
{
51
77
return ((uint64_t) bitfn_swap32((uint32_t) (a >> 32))) |
+3
-5
src/c/crypto.h
+3
-5
src/c/crypto.h
···
45
45
#ifdef __mc_ACCELERATE__
46
46
47
47
#define _mc_switch_accel(FEATURE, GENERIC_CALL, ACCELERATED_CALL) \
48
-
do { \
49
-
if (!(mc_detected_cpu_features.FEATURE)) { GENERIC_CALL; } \
50
-
else { ACCELERATED_CALL; } \
51
-
} while (0)
48
+
if (!(mc_detected_cpu_features.FEATURE)) { GENERIC_CALL; } \
49
+
else { ACCELERATED_CALL; }
52
50
53
51
#else /* __mc_ACCELERATE__ */
54
52
55
53
#define _mc_switch_accel(_FEATURE, GENERIC_CALL, _ACCELERATED_CALL) \
56
-
do { GENERIC_CALL; } while (0)
54
+
GENERIC_CALL;
57
55
58
56
#endif /* __mc_ACCELERATE__ */
59
57
+4
-4
src/c/ghash_pclmul.c
+4
-4
src/c/ghash_pclmul.c
···
192
192
value s;
193
193
_mc_switch_accel(pclmul,
194
194
s = mc_ghash_key_size_generic(Val_unit),
195
-
s = Val_int (__keys * 16));
195
+
s = Val_int (__keys * 16))
196
196
return s;
197
197
}
198
198
199
199
CAMLprim value mc_ghash_init_key (value key, value m) {
200
200
_mc_switch_accel(pclmul,
201
201
mc_ghash_init_key_generic(key, m),
202
-
__derive ((__m128i *) _st_uint8 (key), (__m128i *) Bp_val (m)));
202
+
__derive ((__m128i *) _st_uint8 (key), (__m128i *) Bp_val (m)))
203
203
return Val_unit;
204
204
}
205
205
···
208
208
_mc_switch_accel(pclmul,
209
209
mc_ghash_generic(k, hash, src, off, len),
210
210
__ghash ( (__m128i *) Bp_val (k), (__m128i *) Bp_val (hash),
211
-
(__m128i *) _st_uint8_off (src, off), Int_val (len) ));
211
+
(__m128i *) _st_uint8_off (src, off), Int_val (len) ))
212
212
return Val_unit;
213
213
}
214
214
···
216
216
value enabled = 0;
217
217
_mc_switch_accel(pclmul,
218
218
enabled = 0,
219
-
enabled = 1);
219
+
enabled = 1)
220
220
return Val_int (enabled);
221
221
}
+3
-3
src/c/misc_sse.c
+3
-3
src/c/misc_sse.c
···
79
79
#else
80
80
_mc_switch_accel(ssse3,
81
81
mc_xor_into_bytes_generic(b1, off1, b2, off2, n),
82
-
xor_into (_st_uint8_off (b1, off1), _bp_uint8_off (b2, off2), Int_val (n)));
82
+
xor_into (_st_uint8_off (b1, off1), _bp_uint8_off (b2, off2), Int_val (n)))
83
83
#endif
84
84
return Val_unit;
85
85
}
···
90
90
_mc_switch_accel(ssse3,
91
91
mc_count_16_be_4_generic (ctr, dst, off, blocks),
92
92
_mc_count_16_be_4 ( (uint64_t*) Bp_val (ctr),
93
-
(uint64_t*) _bp_uint8_off (dst, off), Long_val (blocks) ));
93
+
(uint64_t*) _bp_uint8_off (dst, off), Long_val (blocks) ))
94
94
#else
95
95
mc_count_16_be_4_generic (ctr, dst, off, blocks);
96
96
#endif
···
104
104
#else
105
105
_mc_switch_accel(ssse3,
106
106
enabled = 0,
107
-
enabled = 1);
107
+
enabled = 1)
108
108
#endif
109
109
return Val_int (enabled);
110
110
}
+458
-469
src/ocaml/aes_pure.ml
+458
-469
src/ocaml/aes_pure.ml
···
1
-
(** Pure OCaml AES implementation using T-tables.
1
+
(** Pure OCaml AES — constant-time bitsliced implementation.
2
2
3
-
Same algorithm as aes_generic.c (public domain, Philip J. Erdelsky). Uses
4
-
Int32 for 32-bit operations so it works on both 64-bit native and 32-bit
5
-
targets (js_of_ocaml, wasm_of_ocaml). *)
3
+
This is a direct port of BearSSL's [aes_ct.c] (32-bit bitsliced) and
4
+
[aes_ct_enc.c] by Thomas Pornin (MIT license). See
5
+
https://bearssl.org/ and https://eprint.iacr.org/2009/191.pdf
6
+
(Boyar–Peralta).
6
7
7
-
(* S-box from FIPS 197 *)
8
-
let sbox =
9
-
[|
10
-
0x63;
11
-
0x7c;
12
-
0x77;
13
-
0x7b;
14
-
0xf2;
15
-
0x6b;
16
-
0x6f;
17
-
0xc5;
18
-
0x30;
19
-
0x01;
20
-
0x67;
21
-
0x2b;
22
-
0xfe;
23
-
0xd7;
24
-
0xab;
25
-
0x76;
26
-
0xca;
27
-
0x82;
28
-
0xc9;
29
-
0x7d;
30
-
0xfa;
31
-
0x59;
32
-
0x47;
33
-
0xf0;
34
-
0xad;
35
-
0xd4;
36
-
0xa2;
37
-
0xaf;
38
-
0x9c;
39
-
0xa4;
40
-
0x72;
41
-
0xc0;
42
-
0xb7;
43
-
0xfd;
44
-
0x93;
45
-
0x26;
46
-
0x36;
47
-
0x3f;
48
-
0xf7;
49
-
0xcc;
50
-
0x34;
51
-
0xa5;
52
-
0xe5;
53
-
0xf1;
54
-
0x71;
55
-
0xd8;
56
-
0x31;
57
-
0x15;
58
-
0x04;
59
-
0xc7;
60
-
0x23;
61
-
0xc3;
62
-
0x18;
63
-
0x96;
64
-
0x05;
65
-
0x9a;
66
-
0x07;
67
-
0x12;
68
-
0x80;
69
-
0xe2;
70
-
0xeb;
71
-
0x27;
72
-
0xb2;
73
-
0x75;
74
-
0x09;
75
-
0x83;
76
-
0x2c;
77
-
0x1a;
78
-
0x1b;
79
-
0x6e;
80
-
0x5a;
81
-
0xa0;
82
-
0x52;
83
-
0x3b;
84
-
0xd6;
85
-
0xb3;
86
-
0x29;
87
-
0xe3;
88
-
0x2f;
89
-
0x84;
90
-
0x53;
91
-
0xd1;
92
-
0x00;
93
-
0xed;
94
-
0x20;
95
-
0xfc;
96
-
0xb1;
97
-
0x5b;
98
-
0x6a;
99
-
0xcb;
100
-
0xbe;
101
-
0x39;
102
-
0x4a;
103
-
0x4c;
104
-
0x58;
105
-
0xcf;
106
-
0xd0;
107
-
0xef;
108
-
0xaa;
109
-
0xfb;
110
-
0x43;
111
-
0x4d;
112
-
0x33;
113
-
0x85;
114
-
0x45;
115
-
0xf9;
116
-
0x02;
117
-
0x7f;
118
-
0x50;
119
-
0x3c;
120
-
0x9f;
121
-
0xa8;
122
-
0x51;
123
-
0xa3;
124
-
0x40;
125
-
0x8f;
126
-
0x92;
127
-
0x9d;
128
-
0x38;
129
-
0xf5;
130
-
0xbc;
131
-
0xb6;
132
-
0xda;
133
-
0x21;
134
-
0x10;
135
-
0xff;
136
-
0xf3;
137
-
0xd2;
138
-
0xcd;
139
-
0x0c;
140
-
0x13;
141
-
0xec;
142
-
0x5f;
143
-
0x97;
144
-
0x44;
145
-
0x17;
146
-
0xc4;
147
-
0xa7;
148
-
0x7e;
149
-
0x3d;
150
-
0x64;
151
-
0x5d;
152
-
0x19;
153
-
0x73;
154
-
0x60;
155
-
0x81;
156
-
0x4f;
157
-
0xdc;
158
-
0x22;
159
-
0x2a;
160
-
0x90;
161
-
0x88;
162
-
0x46;
163
-
0xee;
164
-
0xb8;
165
-
0x14;
166
-
0xde;
167
-
0x5e;
168
-
0x0b;
169
-
0xdb;
170
-
0xe0;
171
-
0x32;
172
-
0x3a;
173
-
0x0a;
174
-
0x49;
175
-
0x06;
176
-
0x24;
177
-
0x5c;
178
-
0xc2;
179
-
0xd3;
180
-
0xac;
181
-
0x62;
182
-
0x91;
183
-
0x95;
184
-
0xe4;
185
-
0x79;
186
-
0xe7;
187
-
0xc8;
188
-
0x37;
189
-
0x6d;
190
-
0x8d;
191
-
0xd5;
192
-
0x4e;
193
-
0xa9;
194
-
0x6c;
195
-
0x56;
196
-
0xf4;
197
-
0xea;
198
-
0x65;
199
-
0x7a;
200
-
0xae;
201
-
0x08;
202
-
0xba;
203
-
0x78;
204
-
0x25;
205
-
0x2e;
206
-
0x1c;
207
-
0xa6;
208
-
0xb4;
209
-
0xc6;
210
-
0xe8;
211
-
0xdd;
212
-
0x74;
213
-
0x1f;
214
-
0x4b;
215
-
0xbd;
216
-
0x8b;
217
-
0x8a;
218
-
0x70;
219
-
0x3e;
220
-
0xb5;
221
-
0x66;
222
-
0x48;
223
-
0x03;
224
-
0xf6;
225
-
0x0e;
226
-
0x61;
227
-
0x35;
228
-
0x57;
229
-
0xb9;
230
-
0x86;
231
-
0xc1;
232
-
0x1d;
233
-
0x9e;
234
-
0xe1;
235
-
0xf8;
236
-
0x98;
237
-
0x11;
238
-
0x69;
239
-
0xd9;
240
-
0x8e;
241
-
0x94;
242
-
0x9b;
243
-
0x1e;
244
-
0x87;
245
-
0xe9;
246
-
0xce;
247
-
0x55;
248
-
0x28;
249
-
0xdf;
250
-
0x8c;
251
-
0xa1;
252
-
0x89;
253
-
0x0d;
254
-
0xbf;
255
-
0xe6;
256
-
0x42;
257
-
0x68;
258
-
0x41;
259
-
0x99;
260
-
0x2d;
261
-
0x0f;
262
-
0xb0;
263
-
0x54;
264
-
0xbb;
265
-
0x16;
266
-
|]
8
+
This backend exists for [js_of_ocaml] and [wasm_of_ocaml] targets
9
+
where the C primitives are unavailable. Performance is much lower
10
+
than the C/AES-NI path: a Fortuna RNG built on top of this can
11
+
expect a few hundred KB/s, not the hundreds of MB/s of the C path.
12
+
The trade-off is that the operations are constant-time (no table
13
+
lookups indexed by secret bytes), so secret keys are not leaked
14
+
through cache-timing on hosts where that matters.
15
+
16
+
Two AES blocks are encrypted in parallel via 8 [Int32] words; for
17
+
callers that only have one block we pad with zero and discard the
18
+
extra output. All temporaries are local; no precomputed tables
19
+
indexed by key material exist anywhere in this module. *)
20
+
21
+
(* All operations work on 32-bit unsigned values represented as
22
+
Int32.t. We use Int32 (rather than the host int) so that the
23
+
module behaves identically on 64-bit native, 32-bit native,
24
+
js_of_ocaml (where int has 32-bit semantics for bitwise ops),
25
+
and wasm_of_ocaml (where int is 32-bit signed). Int32 is
26
+
boxed, so the module allocates more than the C path; this is
27
+
acceptable for the JS/WASM use case. *)
28
+
29
+
let ( ^^ ) = Int32.logxor
30
+
let ( &&& ) = Int32.logand
31
+
let ( ||| ) = Int32.logor
32
+
let lnot32 = Int32.lognot
33
+
34
+
let ( <<< ) a n = Int32.shift_left a n
35
+
let ( >>> ) a n = Int32.shift_right_logical a n
36
+
37
+
let m_55 = 0x55555555l
38
+
let m_aa = 0xAAAAAAAAl
39
+
let m_33 = 0x33333333l
40
+
let m_cc = 0xCCCCCCCCl
41
+
let m_0f = 0x0F0F0F0Fl
42
+
let m_f0 = 0xF0F0F0F0l
43
+
44
+
(* The Boyar–Peralta S-box circuit, applied bitwise to [q.(0)..q.(7)].
45
+
q.(0) is the low bit of the byte, q.(7) is the high bit. Each
46
+
word holds 32 bits, one bit per byte position across all bytes
47
+
in the bitsliced state, so a single call applies the S-box to
48
+
16 bytes (two AES blocks). *)
49
+
let bitslice_sbox q =
50
+
let x0 = q.(7) and x1 = q.(6) and x2 = q.(5) and x3 = q.(4) in
51
+
let x4 = q.(3) and x5 = q.(2) and x6 = q.(1) and x7 = q.(0) in
52
+
53
+
(* Top linear transformation *)
54
+
let y14 = x3 ^^ x5 in
55
+
let y13 = x0 ^^ x6 in
56
+
let y9 = x0 ^^ x3 in
57
+
let y8 = x0 ^^ x5 in
58
+
let t0 = x1 ^^ x2 in
59
+
let y1 = t0 ^^ x7 in
60
+
let y4 = y1 ^^ x3 in
61
+
let y12 = y13 ^^ y14 in
62
+
let y2 = y1 ^^ x0 in
63
+
let y5 = y1 ^^ x6 in
64
+
let y3 = y5 ^^ y8 in
65
+
let t1 = x4 ^^ y12 in
66
+
let y15 = t1 ^^ x5 in
67
+
let y20 = t1 ^^ x1 in
68
+
let y6 = y15 ^^ x7 in
69
+
let y10 = y15 ^^ t0 in
70
+
let y11 = y20 ^^ y9 in
71
+
let y7 = x7 ^^ y11 in
72
+
let y17 = y10 ^^ y11 in
73
+
let y19 = y10 ^^ y8 in
74
+
let y16 = t0 ^^ y11 in
75
+
let y21 = y13 ^^ y16 in
76
+
let y18 = x0 ^^ y16 in
77
+
78
+
(* Non-linear section *)
79
+
let t2 = y12 &&& y15 in
80
+
let t3 = y3 &&& y6 in
81
+
let t4 = t3 ^^ t2 in
82
+
let t5 = y4 &&& x7 in
83
+
let t6 = t5 ^^ t2 in
84
+
let t7 = y13 &&& y16 in
85
+
let t8 = y5 &&& y1 in
86
+
let t9 = t8 ^^ t7 in
87
+
let t10 = y2 &&& y7 in
88
+
let t11 = t10 ^^ t7 in
89
+
let t12 = y9 &&& y11 in
90
+
let t13 = y14 &&& y17 in
91
+
let t14 = t13 ^^ t12 in
92
+
let t15 = y8 &&& y10 in
93
+
let t16 = t15 ^^ t12 in
94
+
let t17 = t4 ^^ t14 in
95
+
let t18 = t6 ^^ t16 in
96
+
let t19 = t9 ^^ t14 in
97
+
let t20 = t11 ^^ t16 in
98
+
let t21 = t17 ^^ y20 in
99
+
let t22 = t18 ^^ y19 in
100
+
let t23 = t19 ^^ y21 in
101
+
let t24 = t20 ^^ y18 in
102
+
103
+
let t25 = t21 ^^ t22 in
104
+
let t26 = t21 &&& t23 in
105
+
let t27 = t24 ^^ t26 in
106
+
let t28 = t25 &&& t27 in
107
+
let t29 = t28 ^^ t22 in
108
+
let t30 = t23 ^^ t24 in
109
+
let t31 = t22 ^^ t26 in
110
+
let t32 = t31 &&& t30 in
111
+
let t33 = t32 ^^ t24 in
112
+
let t34 = t23 ^^ t33 in
113
+
let t35 = t27 ^^ t33 in
114
+
let t36 = t24 &&& t35 in
115
+
let t37 = t36 ^^ t34 in
116
+
let t38 = t27 ^^ t36 in
117
+
let t39 = t29 &&& t38 in
118
+
let t40 = t25 ^^ t39 in
119
+
120
+
let t41 = t40 ^^ t37 in
121
+
let t42 = t29 ^^ t33 in
122
+
let t43 = t29 ^^ t40 in
123
+
let t44 = t33 ^^ t37 in
124
+
let t45 = t42 ^^ t41 in
125
+
let z0 = t44 &&& y15 in
126
+
let z1 = t37 &&& y6 in
127
+
let z2 = t33 &&& x7 in
128
+
let z3 = t43 &&& y16 in
129
+
let z4 = t40 &&& y1 in
130
+
let z5 = t29 &&& y7 in
131
+
let z6 = t42 &&& y11 in
132
+
let z7 = t45 &&& y17 in
133
+
let z8 = t41 &&& y10 in
134
+
let z9 = t44 &&& y12 in
135
+
let z10 = t37 &&& y3 in
136
+
let z11 = t33 &&& y4 in
137
+
let z12 = t43 &&& y13 in
138
+
let z13 = t40 &&& y5 in
139
+
let z14 = t29 &&& y2 in
140
+
let z15 = t42 &&& y9 in
141
+
let z16 = t45 &&& y14 in
142
+
let z17 = t41 &&& y8 in
143
+
144
+
(* Bottom linear transformation *)
145
+
let t46 = z15 ^^ z16 in
146
+
let t47 = z10 ^^ z11 in
147
+
let t48 = z5 ^^ z13 in
148
+
let t49 = z9 ^^ z10 in
149
+
let t50 = z2 ^^ z12 in
150
+
let t51 = z2 ^^ z5 in
151
+
let t52 = z7 ^^ z8 in
152
+
let t53 = z0 ^^ z3 in
153
+
let t54 = z6 ^^ z7 in
154
+
let t55 = z16 ^^ z17 in
155
+
let t56 = z12 ^^ t48 in
156
+
let t57 = t50 ^^ t53 in
157
+
let t58 = z4 ^^ t46 in
158
+
let t59 = z3 ^^ t54 in
159
+
let t60 = t46 ^^ t57 in
160
+
let t61 = z14 ^^ t57 in
161
+
let t62 = t52 ^^ t58 in
162
+
let t63 = t49 ^^ t58 in
163
+
let t64 = z4 ^^ t59 in
164
+
let t65 = t61 ^^ t62 in
165
+
let t66 = z1 ^^ t63 in
166
+
let s0 = t59 ^^ t63 in
167
+
let s6 = t56 ^^ lnot32 t62 in
168
+
let s7 = t48 ^^ lnot32 t60 in
169
+
let t67 = t64 ^^ t65 in
170
+
let s3 = t53 ^^ t66 in
171
+
let s4 = t51 ^^ t66 in
172
+
let s5 = t47 ^^ t65 in
173
+
let s1 = t64 ^^ lnot32 s3 in
174
+
let s2 = t55 ^^ lnot32 t67 in
175
+
176
+
q.(7) <- s0;
177
+
q.(6) <- s1;
178
+
q.(5) <- s2;
179
+
q.(4) <- s3;
180
+
q.(3) <- s4;
181
+
q.(2) <- s5;
182
+
q.(1) <- s6;
183
+
q.(0) <- s7
184
+
185
+
(* Bit-orthogonalisation: transpose the 8x32 bit matrix held in
186
+
q.(0)..q.(7) so that bit-slicing across blocks becomes correct.
187
+
This is BearSSL's [br_aes_ct_ortho] verbatim. *)
188
+
let ortho q =
189
+
let swapn cl ch s i j =
190
+
let a = q.(i) and b = q.(j) in
191
+
q.(i) <- (a &&& cl) ||| ((b &&& cl) <<< s);
192
+
q.(j) <- ((a &&& ch) >>> s) ||| (b &&& ch)
193
+
in
194
+
let swap2 i j = swapn m_55 m_aa 1 i j in
195
+
let swap4 i j = swapn m_33 m_cc 2 i j in
196
+
let swap8 i j = swapn m_0f m_f0 4 i j in
197
+
198
+
swap2 0 1;
199
+
swap2 2 3;
200
+
swap2 4 5;
201
+
swap2 6 7;
202
+
203
+
swap4 0 2;
204
+
swap4 1 3;
205
+
swap4 4 6;
206
+
swap4 5 7;
207
+
208
+
swap8 0 4;
209
+
swap8 1 5;
210
+
swap8 2 6;
211
+
swap8 3 7
212
+
213
+
(* Encrypt direction: ShiftRows, MixColumns, AddRoundKey. *)
214
+
215
+
let shift_rows q =
216
+
for i = 0 to 7 do
217
+
let x = q.(i) in
218
+
q.(i) <-
219
+
(x &&& 0x000000FFl)
220
+
||| ((x &&& 0x0000FC00l) >>> 2)
221
+
||| ((x &&& 0x00000300l) <<< 6)
222
+
||| ((x &&& 0x00F00000l) >>> 4)
223
+
||| ((x &&& 0x000F0000l) <<< 4)
224
+
||| ((x &&& 0xC0000000l) >>> 6)
225
+
||| ((x &&& 0x3F000000l) <<< 2)
226
+
done
227
+
228
+
let rotr16 x = (x <<< 16) ||| (x >>> 16)
229
+
230
+
let mix_columns q =
231
+
let q0 = q.(0)
232
+
and q1 = q.(1)
233
+
and q2 = q.(2)
234
+
and q3 = q.(3)
235
+
and q4 = q.(4)
236
+
and q5 = q.(5)
237
+
and q6 = q.(6)
238
+
and q7 = q.(7) in
239
+
let r0 = (q0 >>> 8) ||| (q0 <<< 24) in
240
+
let r1 = (q1 >>> 8) ||| (q1 <<< 24) in
241
+
let r2 = (q2 >>> 8) ||| (q2 <<< 24) in
242
+
let r3 = (q3 >>> 8) ||| (q3 <<< 24) in
243
+
let r4 = (q4 >>> 8) ||| (q4 <<< 24) in
244
+
let r5 = (q5 >>> 8) ||| (q5 <<< 24) in
245
+
let r6 = (q6 >>> 8) ||| (q6 <<< 24) in
246
+
let r7 = (q7 >>> 8) ||| (q7 <<< 24) in
247
+
q.(0) <- q7 ^^ r7 ^^ r0 ^^ rotr16 (q0 ^^ r0);
248
+
q.(1) <- q0 ^^ r0 ^^ q7 ^^ r7 ^^ r1 ^^ rotr16 (q1 ^^ r1);
249
+
q.(2) <- q1 ^^ r1 ^^ r2 ^^ rotr16 (q2 ^^ r2);
250
+
q.(3) <- q2 ^^ r2 ^^ q7 ^^ r7 ^^ r3 ^^ rotr16 (q3 ^^ r3);
251
+
q.(4) <- q3 ^^ r3 ^^ q7 ^^ r7 ^^ r4 ^^ rotr16 (q4 ^^ r4);
252
+
q.(5) <- q4 ^^ r4 ^^ r5 ^^ rotr16 (q5 ^^ r5);
253
+
q.(6) <- q5 ^^ r5 ^^ r6 ^^ rotr16 (q6 ^^ r6);
254
+
q.(7) <- q6 ^^ r6 ^^ r7 ^^ rotr16 (q7 ^^ r7)
255
+
256
+
let add_round_key q skey skey_off =
257
+
for i = 0 to 7 do
258
+
q.(i) <- q.(i) ^^ skey.(skey_off + i)
259
+
done
260
+
261
+
let bitslice_encrypt num_rounds skey q =
262
+
add_round_key q skey 0;
263
+
for u = 1 to num_rounds - 1 do
264
+
bitslice_sbox q;
265
+
shift_rows q;
266
+
mix_columns q;
267
+
add_round_key q skey (u lsl 3)
268
+
done;
269
+
bitslice_sbox q;
270
+
shift_rows q;
271
+
add_round_key q skey (num_rounds lsl 3)
272
+
273
+
(* Key schedule. We follow BearSSL exactly: produce a comp_skey
274
+
(compressed) of (num_rounds+1)*4 words, then expand to a full
275
+
skey of (num_rounds+1)*8 words on demand.
267
276
268
-
(* GF(2^8) multiply by 2 *)
269
-
let xtime x =
270
-
let x2 = (x lsl 1) land 0xff in
271
-
if x land 0x80 <> 0 then x2 lxor 0x1b else x2
277
+
The Rcon table is a constant-index lookup -- safe (no secret
278
+
index). sub_word applies the bitsliced S-box to a single 32-bit
279
+
word by replicating it across all 8 lanes; that path is
280
+
constant-time because bitslice_sbox is. *)
272
281
273
-
(* Build T-table entry: [x2, x, x, x3] as Int32 *)
274
-
let te0 =
275
-
Array.init 256 (fun i ->
276
-
let s = sbox.(i) in
277
-
let x2 = xtime s in
278
-
let x3 = x2 lxor s in
279
-
Int32.logor
280
-
(Int32.logor
281
-
(Int32.shift_left (Int32.of_int x2) 24)
282
-
(Int32.shift_left (Int32.of_int s) 16))
283
-
(Int32.logor (Int32.shift_left (Int32.of_int s) 8) (Int32.of_int x3)))
282
+
let rcon = [| 0x01l; 0x02l; 0x04l; 0x08l; 0x10l; 0x20l; 0x40l; 0x80l; 0x1Bl; 0x36l |]
284
283
285
-
(* Rotate T-table entries for Te1, Te2, Te3 *)
286
-
let rot8 x =
287
-
Int32.logor
288
-
(Int32.shift_right_logical x 8)
289
-
(Int32.shift_left (Int32.logand x 0xffl) 24)
284
+
let dec32le src off =
285
+
let b0 = Int32.of_int (Char.code (String.get src off)) in
286
+
let b1 = Int32.of_int (Char.code (String.get src (off + 1))) in
287
+
let b2 = Int32.of_int (Char.code (String.get src (off + 2))) in
288
+
let b3 = Int32.of_int (Char.code (String.get src (off + 3))) in
289
+
b0 ||| (b1 <<< 8) ||| (b2 <<< 16) ||| (b3 <<< 24)
290
290
291
-
let te1 = Array.map rot8 te0
292
-
let te2 = Array.map rot8 te1
293
-
let te3 = Array.map rot8 te2
291
+
let enc32le dst off w =
292
+
Bytes.set dst off (Char.chr (Int32.to_int (w &&& 0xFFl)));
293
+
Bytes.set dst (off + 1) (Char.chr (Int32.to_int ((w >>> 8) &&& 0xFFl)));
294
+
Bytes.set dst (off + 2) (Char.chr (Int32.to_int ((w >>> 16) &&& 0xFFl)));
295
+
Bytes.set dst (off + 3) (Char.chr (Int32.to_int ((w >>> 24) &&& 0xFFl)))
294
296
295
-
(* Round constant *)
296
-
let rcon = [| 0x01; 0x02; 0x04; 0x08; 0x10; 0x20; 0x40; 0x80; 0x1b; 0x36 |]
297
+
let sub_word x =
298
+
let q = Array.make 8 x in
299
+
ortho q;
300
+
bitslice_sbox q;
301
+
ortho q;
302
+
q.(0)
297
303
298
-
(* Key schedule: returns round keys as Int32 array *)
299
-
let expand_key key =
300
-
let klen = String.length key in
301
-
let nk = klen / 4 in
302
-
let rounds =
303
-
match klen with
304
+
let keysched key =
305
+
let key_len = String.length key in
306
+
let num_rounds =
307
+
match key_len with
304
308
| 16 -> 10
305
309
| 24 -> 12
306
310
| 32 -> 14
307
311
| _ -> invalid_arg "AES key"
308
312
in
309
-
let nb = 4 in
310
-
let rk = Array.make (nb * (rounds + 1)) 0l in
313
+
let nk = key_len lsr 2 in
314
+
let nkf = (num_rounds + 1) lsl 2 in
315
+
let skey = Array.make 120 0l in
316
+
let tmp = ref 0l in
311
317
for i = 0 to nk - 1 do
312
-
rk.(i) <-
313
-
Int32.logor
314
-
(Int32.logor
315
-
(Int32.shift_left (Int32.of_int (Char.code key.[i * 4])) 24)
316
-
(Int32.shift_left (Int32.of_int (Char.code key.[(i * 4) + 1])) 16))
317
-
(Int32.logor
318
-
(Int32.shift_left (Int32.of_int (Char.code key.[(i * 4) + 2])) 8)
319
-
(Int32.of_int (Char.code key.[(i * 4) + 3])))
318
+
tmp := dec32le key (i lsl 2);
319
+
skey.(i lsl 1) <- !tmp;
320
+
skey.((i lsl 1) + 1) <- !tmp
320
321
done;
321
-
let ri = ref 0 in
322
-
for i = nk to (nb * (rounds + 1)) - 1 do
323
-
let prev = rk.(i - 1) in
324
-
let t =
325
-
if i mod nk = 0 then begin
326
-
let r = !ri in
327
-
incr ri;
328
-
let b0 =
329
-
Int32.of_int
330
-
(sbox.(Int32.to_int
331
-
(Int32.logand (Int32.shift_right_logical prev 16) 0xffl))
332
-
lxor rcon.(r))
333
-
in
334
-
let b1 =
335
-
Int32.of_int
336
-
sbox.(Int32.to_int
337
-
(Int32.logand (Int32.shift_right_logical prev 8) 0xffl))
338
-
in
339
-
let b2 = Int32.of_int sbox.(Int32.to_int (Int32.logand prev 0xffl)) in
340
-
let b3 =
341
-
Int32.of_int
342
-
sbox.(Int32.to_int
343
-
(Int32.logand (Int32.shift_right_logical prev 24) 0xffl))
344
-
in
345
-
Int32.logor
346
-
(Int32.logor (Int32.shift_left b0 24) (Int32.shift_left b1 16))
347
-
(Int32.logor (Int32.shift_left b2 8) b3)
348
-
end
349
-
else if nk > 6 && i mod nk = 4 then begin
350
-
let b0 =
351
-
Int32.of_int
352
-
sbox.(Int32.to_int
353
-
(Int32.logand (Int32.shift_right_logical prev 24) 0xffl))
354
-
in
355
-
let b1 =
356
-
Int32.of_int
357
-
sbox.(Int32.to_int
358
-
(Int32.logand (Int32.shift_right_logical prev 16) 0xffl))
359
-
in
360
-
let b2 =
361
-
Int32.of_int
362
-
sbox.(Int32.to_int
363
-
(Int32.logand (Int32.shift_right_logical prev 8) 0xffl))
364
-
in
365
-
let b3 = Int32.of_int sbox.(Int32.to_int (Int32.logand prev 0xffl)) in
366
-
Int32.logor
367
-
(Int32.logor (Int32.shift_left b0 24) (Int32.shift_left b1 16))
368
-
(Int32.logor (Int32.shift_left b2 8) b3)
369
-
end
370
-
else prev
371
-
in
372
-
rk.(i) <- Int32.logxor rk.(i - nk) t
322
+
let j = ref 0 in
323
+
let k = ref 0 in
324
+
for i = nk to nkf - 1 do
325
+
if !j = 0 then begin
326
+
tmp := (!tmp <<< 24) ||| (!tmp >>> 8);
327
+
tmp := sub_word !tmp ^^ rcon.(!k)
328
+
end
329
+
else if nk > 6 && !j = 4 then tmp := sub_word !tmp;
330
+
tmp := !tmp ^^ skey.((i - nk) lsl 1);
331
+
skey.(i lsl 1) <- !tmp;
332
+
skey.((i lsl 1) + 1) <- !tmp;
333
+
incr j;
334
+
if !j = nk then begin
335
+
j := 0;
336
+
incr k
337
+
end
373
338
done;
374
-
(rk, rounds)
339
+
let i = ref 0 in
340
+
while !i < nkf do
341
+
let q = Array.sub skey (!i lsl 1) 8 in
342
+
ortho q;
343
+
Array.blit q 0 skey (!i lsl 1) 8;
344
+
i := !i + 4
345
+
done;
346
+
let comp_skey = Array.make ((num_rounds + 1) * 4) 0l in
347
+
let i = ref 0 in
348
+
let j = ref 0 in
349
+
while !i < nkf do
350
+
comp_skey.(!i) <- (skey.(!j) &&& m_55) ||| (skey.(!j + 1) &&& m_aa);
351
+
incr i;
352
+
j := !j + 2
353
+
done;
354
+
(comp_skey, num_rounds)
375
355
376
-
(* Encrypt one 16-byte block *)
377
-
let encrypt_block rk rounds src soff dst doff =
378
-
let ( lxor ) = Int32.logxor in
379
-
let ( land ) = Int32.logand in
380
-
let ( lsr ) = Int32.shift_right_logical in
381
-
let get_byte32 w shift = Int32.to_int ((w lsr shift) land 0xffl) in
382
-
let get32 buf off =
383
-
Int32.logor
384
-
(Int32.logor
385
-
(Int32.shift_left (Int32.of_int (Char.code buf.[off])) 24)
386
-
(Int32.shift_left (Int32.of_int (Char.code buf.[off + 1])) 16))
387
-
(Int32.logor
388
-
(Int32.shift_left (Int32.of_int (Char.code buf.[off + 2])) 8)
389
-
(Int32.of_int (Char.code buf.[off + 3])))
390
-
in
391
-
let put32 buf off w =
392
-
Bytes.set buf off (Char.chr (get_byte32 w 24));
393
-
Bytes.set buf (off + 1) (Char.chr (get_byte32 w 16));
394
-
Bytes.set buf (off + 2) (Char.chr (get_byte32 w 8));
395
-
Bytes.set buf (off + 3) (Char.chr (get_byte32 w 0))
396
-
in
397
-
let s0 = ref (get32 src soff lxor rk.(0)) in
398
-
let s1 = ref (get32 src (soff + 4) lxor rk.(1)) in
399
-
let s2 = ref (get32 src (soff + 8) lxor rk.(2)) in
400
-
let s3 = ref (get32 src (soff + 12) lxor rk.(3)) in
401
-
let rki = ref 4 in
402
-
for _ = 1 to rounds - 1 do
403
-
let t0 =
404
-
te0.(get_byte32 !s0 24)
405
-
lxor te1.(get_byte32 !s1 16)
406
-
lxor te2.(get_byte32 !s2 8)
407
-
lxor te3.(get_byte32 !s3 0)
408
-
lxor rk.(!rki)
409
-
in
410
-
let t1 =
411
-
te0.(get_byte32 !s1 24)
412
-
lxor te1.(get_byte32 !s2 16)
413
-
lxor te2.(get_byte32 !s3 8)
414
-
lxor te3.(get_byte32 !s0 0)
415
-
lxor rk.(!rki + 1)
416
-
in
417
-
let t2 =
418
-
te0.(get_byte32 !s2 24)
419
-
lxor te1.(get_byte32 !s3 16)
420
-
lxor te2.(get_byte32 !s0 8)
421
-
lxor te3.(get_byte32 !s1 0)
422
-
lxor rk.(!rki + 2)
423
-
in
424
-
let t3 =
425
-
te0.(get_byte32 !s3 24)
426
-
lxor te1.(get_byte32 !s0 16)
427
-
lxor te2.(get_byte32 !s1 8)
428
-
lxor te3.(get_byte32 !s2 0)
429
-
lxor rk.(!rki + 3)
430
-
in
431
-
s0 := t0;
432
-
s1 := t1;
433
-
s2 := t2;
434
-
s3 := t3;
435
-
rki := !rki + 4
356
+
let skey_expand comp_skey num_rounds =
357
+
let n = (num_rounds + 1) lsl 2 in
358
+
let skey = Array.make (n lsl 1) 0l in
359
+
for u = 0 to n - 1 do
360
+
let v = u lsl 1 in
361
+
let x = comp_skey.(u) &&& m_55 in
362
+
let y = comp_skey.(u) &&& m_aa in
363
+
skey.(v) <- x ||| (x <<< 1);
364
+
skey.(v + 1) <- y ||| (y >>> 1)
436
365
done;
437
-
(* Final round: SubBytes + ShiftRows + AddRoundKey, no MixColumns *)
438
-
let sb i = Int32.of_int sbox.(i) in
439
-
let t0 =
440
-
Int32.logor
441
-
(Int32.logor
442
-
(Int32.shift_left (sb (get_byte32 !s0 24)) 24)
443
-
(Int32.shift_left (sb (get_byte32 !s1 16)) 16))
444
-
(Int32.logor
445
-
(Int32.shift_left (sb (get_byte32 !s2 8)) 8)
446
-
(sb (get_byte32 !s3 0)))
447
-
lxor rk.(!rki)
448
-
in
449
-
let t1 =
450
-
Int32.logor
451
-
(Int32.logor
452
-
(Int32.shift_left (sb (get_byte32 !s1 24)) 24)
453
-
(Int32.shift_left (sb (get_byte32 !s2 16)) 16))
454
-
(Int32.logor
455
-
(Int32.shift_left (sb (get_byte32 !s3 8)) 8)
456
-
(sb (get_byte32 !s0 0)))
457
-
lxor rk.(!rki + 1)
458
-
in
459
-
let t2 =
460
-
Int32.logor
461
-
(Int32.logor
462
-
(Int32.shift_left (sb (get_byte32 !s2 24)) 24)
463
-
(Int32.shift_left (sb (get_byte32 !s3 16)) 16))
464
-
(Int32.logor
465
-
(Int32.shift_left (sb (get_byte32 !s0 8)) 8)
466
-
(sb (get_byte32 !s1 0)))
467
-
lxor rk.(!rki + 2)
468
-
in
469
-
let t3 =
470
-
Int32.logor
471
-
(Int32.logor
472
-
(Int32.shift_left (sb (get_byte32 !s3 24)) 24)
473
-
(Int32.shift_left (sb (get_byte32 !s0 16)) 16))
474
-
(Int32.logor
475
-
(Int32.shift_left (sb (get_byte32 !s1 8)) 8)
476
-
(sb (get_byte32 !s2 0)))
477
-
lxor rk.(!rki + 3)
478
-
in
479
-
put32 dst doff t0;
480
-
put32 dst (doff + 4) t1;
481
-
put32 dst (doff + 8) t2;
482
-
put32 dst (doff + 12) t3
366
+
skey
367
+
368
+
(* Public API: load 1-2 blocks into bitsliced state, encrypt, store. *)
369
+
370
+
let interleave_in q0 q1 w =
371
+
let x0 = ref w.(0) in
372
+
let x1 = ref w.(1) in
373
+
let x2 = ref w.(2) in
374
+
let x3 = ref w.(3) in
375
+
x0 := !x0 ||| (!x0 <<< 16);
376
+
x1 := !x1 ||| (!x1 <<< 16);
377
+
x2 := !x2 ||| (!x2 <<< 16);
378
+
x3 := !x3 ||| (!x3 <<< 16);
379
+
x0 := !x0 &&& 0x0000FFFFl;
380
+
x1 := !x1 &&& 0x0000FFFFl;
381
+
x2 := !x2 &&& 0x0000FFFFl;
382
+
x3 := !x3 &&& 0x0000FFFFl;
383
+
x1 := !x1 <<< 8;
384
+
x3 := !x3 <<< 8;
385
+
let q0v = !x0 ||| !x1 in
386
+
let q1v = !x2 ||| !x3 in
387
+
q0 := q0v;
388
+
q1 := q1v
389
+
390
+
(* The above is a compact version that handles one half-block; for
391
+
the full pipeline we use a different layout: pack 4 32-bit words
392
+
from each of two blocks into the 8 q-words. BearSSL's encrypt
393
+
path uses a different shape -- we follow it directly. *)
394
+
395
+
(* Encrypt up to 2 blocks at once. [src_blocks] is a list of one
396
+
or two 16-byte blocks (as offsets); [dst_blocks] is the
397
+
corresponding output positions. We use BearSSL's exact data
398
+
layout: q.(0..3) hold the four 32-bit columns of block 0,
399
+
q.(4..7) hold the four columns of block 1; ortho transposes
400
+
into the bitsliced form. *)
401
+
402
+
(* BearSSL data layout: block 1 occupies q.(0), q.(2), q.(4), q.(6)
403
+
(the four 32-bit columns of the AES state). Block 2 occupies the
404
+
odd indices q.(1), q.(3), q.(5), q.(7). See aes_ct_cbcenc.c for
405
+
the canonical example. *)
406
+
407
+
let encrypt_two_blocks skey num_rounds src soff0 soff1 dst doff0 doff1 =
408
+
let q = Array.make 8 0l in
409
+
q.(0) <- dec32le src soff0;
410
+
q.(2) <- dec32le src (soff0 + 4);
411
+
q.(4) <- dec32le src (soff0 + 8);
412
+
q.(6) <- dec32le src (soff0 + 12);
413
+
q.(1) <- dec32le src soff1;
414
+
q.(3) <- dec32le src (soff1 + 4);
415
+
q.(5) <- dec32le src (soff1 + 8);
416
+
q.(7) <- dec32le src (soff1 + 12);
417
+
ortho q;
418
+
bitslice_encrypt num_rounds skey q;
419
+
ortho q;
420
+
enc32le dst doff0 q.(0);
421
+
enc32le dst (doff0 + 4) q.(2);
422
+
enc32le dst (doff0 + 8) q.(4);
423
+
enc32le dst (doff0 + 12) q.(6);
424
+
enc32le dst doff1 q.(1);
425
+
enc32le dst (doff1 + 4) q.(3);
426
+
enc32le dst (doff1 + 8) q.(5);
427
+
enc32le dst (doff1 + 12) q.(7);
428
+
Array.fill q 0 8 0l
429
+
430
+
let encrypt_one_block skey num_rounds src soff dst doff =
431
+
(* Pad with zero in the second slot and discard the unused output. *)
432
+
let q = Array.make 8 0l in
433
+
q.(0) <- dec32le src soff;
434
+
q.(2) <- dec32le src (soff + 4);
435
+
q.(4) <- dec32le src (soff + 8);
436
+
q.(6) <- dec32le src (soff + 12);
437
+
(* q.(1), q.(3), q.(5), q.(7) stay zero -- second block is unused. *)
438
+
ortho q;
439
+
bitslice_encrypt num_rounds skey q;
440
+
ortho q;
441
+
enc32le dst doff q.(0);
442
+
enc32le dst (doff + 4) q.(2);
443
+
enc32le dst (doff + 8) q.(4);
444
+
enc32le dst (doff + 12) q.(6);
445
+
Array.fill q 0 8 0l
446
+
447
+
(* Public [expand_key]: returns the BearSSL [comp_skey] (compressed
448
+
round-key schedule) of size [(num_rounds+1)*4] int32 words, plus
449
+
[num_rounds]. This matches the size of the round-key buffer that
450
+
the [native.mli] interface allocates ([(num_rounds+1)*16] bytes),
451
+
so [native.ml] can pack the int32 array into the buffer in the
452
+
same shape it always did. *)
453
+
let expand_key key =
454
+
let comp_skey, num_rounds = keysched key in
455
+
(comp_skey, num_rounds)
483
456
484
-
(* Multi-block encrypt matching the mc_aes_enc_bc interface *)
485
-
let encrypt_ecb rk rounds src soff dst doff blocks =
486
-
for b = 0 to blocks - 1 do
487
-
encrypt_block rk rounds src (soff + (b * 16)) dst (doff + (b * 16))
488
-
done
457
+
(* [encrypt_ecb] takes the [comp_skey] as an int32 array (parsed
458
+
from the [rk] buffer by [native.ml]), expands it once, and
459
+
encrypts each block. Two blocks are processed in parallel
460
+
when possible; an odd remaining block is padded and the extra
461
+
output discarded. *)
462
+
let encrypt_ecb comp_skey num_rounds src soff dst doff blocks =
463
+
let skey = skey_expand comp_skey num_rounds in
464
+
let i = ref 0 in
465
+
while !i + 1 < blocks do
466
+
encrypt_two_blocks skey num_rounds src
467
+
(soff + (!i * 16))
468
+
(soff + ((!i + 1) * 16))
469
+
dst
470
+
(doff + (!i * 16))
471
+
(doff + ((!i + 1) * 16));
472
+
i := !i + 2
473
+
done;
474
+
if !i < blocks then
475
+
encrypt_one_block skey num_rounds src (soff + (!i * 16)) dst (doff + (!i * 16));
476
+
(* Wipe the expanded schedule before return -- analogous to mc_secure_bzero. *)
477
+
Array.fill skey 0 (Array.length skey) 0l
+53
-2
test/dune
+53
-2
test/dune
···
22
22
x25519_test.json
23
23
eddsa_test.json))
24
24
25
-
; Differential testing: same test code, two backends.
26
-
; Run both and diff the output.
25
+
; Differential testing: same test code, three backends:
26
+
;
27
+
; - test_pure_c.exe -- crypto.c (C, AES-NI / BearSSL ct64)
28
+
; - test_pure.exe -- crypto.ocaml (pure OCaml, bitsliced)
29
+
; - test_pure.bc.js -- crypto.ocaml + JS (pure OCaml under Node.js)
30
+
;
31
+
; Each runs the same test code from test_pure.ml; the output is captured
32
+
; and diffed. All three must agree byte-for-byte, otherwise the
33
+
; constant-time pure-OCaml port has diverged from the AES-NI path on
34
+
; some input or the js_of_ocaml runtime has miscompiled an Int32
35
+
; bitwise op.
27
36
28
37
(executable
29
38
(name test_pure)
···
38
47
39
48
(rule
40
49
(copy test_pure.ml test_pure_c.ml))
50
+
51
+
; Capture each backend's output, then diff them. The first two are
52
+
; always run (no external dependency); the JS comparison is gated on
53
+
; node being on $PATH so the test still runs in environments without
54
+
; node.js installed.
55
+
56
+
(rule
57
+
(target test_pure.c.out)
58
+
(deps test_pure_c.exe)
59
+
(action
60
+
(with-stdout-to %{target} (run %{deps}))))
61
+
62
+
(rule
63
+
(target test_pure.ocaml.out)
64
+
(deps test_pure.exe)
65
+
(action
66
+
(with-stdout-to %{target} (run %{deps}))))
67
+
68
+
(rule
69
+
(alias runtest)
70
+
(deps test_pure.c.out test_pure.ocaml.out)
71
+
(action
72
+
(diff test_pure.c.out test_pure.ocaml.out)))
73
+
74
+
; Node.js runner. We invoke node on the .bc.js artifact directly.
75
+
; If node is not installed the alias is empty and CI on hosts
76
+
; without node still passes the rest of the test suite.
77
+
(rule
78
+
(target test_pure.js.out)
79
+
(deps test_pure.bc.js)
80
+
(action
81
+
(with-stdout-to %{target} (bash "node %{deps} || true"))))
82
+
83
+
(rule
84
+
(alias runtest-js)
85
+
(deps test_pure.c.out test_pure.js.out)
86
+
(action
87
+
(diff test_pure.c.out test_pure.js.out)))
88
+
89
+
(alias
90
+
(name runtest)
91
+
(deps (alias runtest-js)))