CBC/CTR API Improvements

skmcgrail · Jun 14, 2023 · 0adffb7 · 0adffb7
1 parent 7438df0
commit 0adffb7
Show file tree

Hide file tree

Showing 4 changed files with 243 additions and 298 deletions.
diff --git a/aws-lc-rs/benches/cipher_benchmark.rs b/aws-lc-rs/benches/cipher_benchmark.rs
@@ -35,25 +35,23 @@ macro_rules! benchmark_padded {
                             CipherContext::Iv128(iv.as_slice().try_into().unwrap());
 
                         let encrypt_key = match $mode {
-                            OperatingMode::CBC => {
-                                PaddedBlockEncryptingKey::less_safe_cbc_pkcs7(key, iv)
-                            }
+                            OperatingMode::CBC => PaddedBlockEncryptingKey::cbc_pkcs7(key),
                             _ => unreachable!(),
                         }
                         .unwrap();
 
                         let mut in_out = Vec::from(data.as_slice());
-                        let context = encrypt_key.encrypt(&mut in_out).unwrap();
+                        let context = encrypt_key.less_safe_encrypt(&mut in_out, iv).unwrap();
 
                         let key = UnboundCipherKey::new($awslc, &key_bytes).unwrap();
 
                         let decrypt_key = match $mode {
-                            OperatingMode::CBC => PaddedBlockDecryptingKey::cbc_pkcs7(key, context),
+                            OperatingMode::CBC => PaddedBlockDecryptingKey::cbc_pkcs7(key),
                             _ => unreachable!(),
                         }
                         .unwrap();
 
-                        let _ = decrypt_key.decrypt(&mut in_out).unwrap();
+                        let _ = decrypt_key.decrypt(&mut in_out, context).unwrap();
                     })
                 });
 
@@ -82,23 +80,23 @@ macro_rules! benchmark_unpadded {
                             CipherContext::Iv128(iv.as_slice().try_into().unwrap());
 
                         let encrypt_key = match $mode {
-                            OperatingMode::CTR => EncryptingKey::less_safe_ctr(key, iv),
+                            OperatingMode::CTR => EncryptingKey::ctr(key),
                             _ => unreachable!(),
                         }
                         .unwrap();
 
                         let mut in_out = Vec::from(data.as_slice());
-                        let context = encrypt_key.encrypt(&mut in_out).unwrap();
+                        let context = encrypt_key.less_safe_encrypt(&mut in_out, iv).unwrap();
 
                         let key = UnboundCipherKey::new($awslc, &key_bytes).unwrap();
 
                         let decrypt_key = match $mode {
-                            OperatingMode::CTR => DecryptingKey::ctr(key, context),
+                            OperatingMode::CTR => DecryptingKey::ctr(key),
                             _ => unreachable!(),
                         }
                         .unwrap();
 
-                        let _ = decrypt_key.decrypt(&mut in_out).unwrap();
+                        let _ = decrypt_key.decrypt(&mut in_out, context).unwrap();
                     })
                 });
 

diff --git a/aws-lc-rs/examples/cipher.rs b/aws-lc-rs/examples/cipher.rs
@@ -101,24 +101,22 @@ fn aes_ctr_encrypt(key: &[u8], iv: Option<String>, plaintext: String) -> Result<
     let hex_key = hex::encode(key);
     let key = new_unbound_key(key)?;
 
-    let key = match iv {
+    let key = EncryptingKey::ctr(key).map_err(|_| "failed to initalized aes encryption")?;
+
+    let mut ciphertext = Vec::from(plaintext);
+
+    let context = match iv {
         Some(iv) => {
-            let iv = {
+            let context = {
                 let v = hex::decode(iv).map_err(|_| "invalid iv")?;
                 let v: FixedLength<16> = v.as_slice().try_into().map_err(|_| "invalid iv")?;
-                v
+                CipherContext::Iv128(v)
             };
-            EncryptingKey::less_safe_ctr(key, CipherContext::Iv128(iv))
+            key.less_safe_encrypt(ciphertext.as_mut(), context)
         }
-        None => EncryptingKey::ctr(key),
+        None => key.encrypt(ciphertext.as_mut()),
     }
-    .map_err(|_| "failed to initialized aes encryption")?;
-
-    let mut ciphertext = Vec::from(plaintext);
-
-    let context = key
-        .encrypt(ciphertext.as_mut())
-        .map_err(|_| "Failed to encrypt plaintext")?;
+    .map_err(|_| "failed to encrypt plaintext")?;
 
     let iv: &[u8] = (&context)
         .try_into()
@@ -141,14 +139,13 @@ fn aes_ctr_decrypt(key: &[u8], iv: String, ciphertext: String) -> Result<(), &'s
         v
     };
 
-    let key = DecryptingKey::ctr(key, CipherContext::Iv128(iv))
-        .map_err(|_| "failed to initialized aes decryption")?;
+    let key = DecryptingKey::ctr(key).map_err(|_| "failed to initalized aes decryption")?;
 
     let mut ciphertext =
         hex::decode(ciphertext).map_err(|_| "ciphertext is not valid hex encoding")?;
 
     let plaintext = key
-        .decrypt(ciphertext.as_mut())
+        .decrypt(ciphertext.as_mut(), CipherContext::Iv128(iv))
         .map_err(|_| "failed to decrypt ciphertext")?;
 
     let plaintext =
@@ -163,25 +160,24 @@ fn aes_cbc_encrypt(key: &[u8], iv: Option<String>, plaintext: String) -> Result<
     let hex_key = hex::encode(key);
     let key = new_unbound_key(key)?;
 
-    let key = match iv {
+    let key = PaddedBlockEncryptingKey::cbc_pkcs7(key)
+        .map_err(|_| "failed to initalized aes encryption")?;
+
+    let mut ciphertext = Vec::from(plaintext);
+
+    let context = match iv {
         Some(iv) => {
-            let iv = {
+            let context = {
                 let v = hex::decode(iv).map_err(|_| "invalid iv")?;
                 let v: FixedLength<AES_CBC_IV_LEN> =
                     v.as_slice().try_into().map_err(|_| "invalid iv")?;
-                v
+                CipherContext::Iv128(v)
             };
-            PaddedBlockEncryptingKey::less_safe_cbc_pkcs7(key, CipherContext::Iv128(iv))
+            key.less_safe_encrypt(&mut ciphertext, context)
         }
-        None => PaddedBlockEncryptingKey::cbc_pkcs7(key),
+        None => key.encrypt(&mut ciphertext),
     }
-    .map_err(|_| "failed to initialized aes encryption")?;
-
-    let mut ciphertext = Vec::from(plaintext);
-
-    let context = key
-        .encrypt(&mut ciphertext)
-        .map_err(|_| "Failed to encrypt plaintext")?;
+    .map_err(|_| "failed to initalized aes encryption")?;
 
     let iv: &[u8] = (&context)
         .try_into()
@@ -204,14 +200,14 @@ fn aes_cbc_decrypt(key: &[u8], iv: String, ciphertext: String) -> Result<(), &'s
         v
     };
 
-    let key = PaddedBlockDecryptingKey::cbc_pkcs7(key, CipherContext::Iv128(iv))
-        .map_err(|_| "failed to initialized aes decryption")?;
+    let key = PaddedBlockDecryptingKey::cbc_pkcs7(key)
+        .map_err(|_| "failed to initalized aes decryption")?;
 
     let mut ciphertext =
         hex::decode(ciphertext).map_err(|_| "ciphertext is not valid hex encoding")?;
 
     let plaintext = key
-        .decrypt(ciphertext.as_mut())
+        .decrypt(ciphertext.as_mut(), CipherContext::Iv128(iv))
         .map_err(|_| "failed to decrypt ciphertext")?;
 
     let plaintext =