init: v1.0.0

utils/blockmode/blockmode.go

@@ -0,0 +1,139 @@
+// Package blockmodes 使用BlockEncrypter接口封装GCM、CCM等加密模式。
+// 适用于将密码机、ukey的ECB加密模式封装为GCM、CCM等加密模式。
+package blockmode
+
+import (
+	"crypto/cipher"
+)
+
+// var errorCodeBase = gcl.ErrorCodeBaseMap[PACKAGE_NAME]
+
+// EcbBlockMode 是对多组数据进行加密/解密运算。可以对密码机等的ECB加密进行封装后得到。
+// GCM模式、CTR等模式将基于EcbBlockMode进行计算。
+// 注：由于Cipher.NewGCM的入参是cipher.Block, 针对单组数据进行的运算，不适合密码机等，
+// 否则每个分组都要调用密码机或ukey，调用消耗巨大。所以这里使用多组加密接口进行GCM、CTR、CCM
+// 等封装。
+type EcbBlockMode interface {
+	// 每个分组长度
+	BlockSize() int
+
+	// CryptBlocks 加密多组数据。传入src保证是BlockSize()的整数倍，len(dst) >= len(src)
+	// 加密完成后dst[:len(src)]为（ECB）密文。
+	// 如果src非常大，BlockEncrypter负责进行分组调用密码机, 可能因为网络等原因会返回错误。
+	// 本函数为阻塞函数
+	EcbEncCryptBlocks(dst, src []byte) error
+	EcbDecCryptBlocks(dst, src []byte) error
+}
+
+// CbcBlockMode CBC计算。BlockEncrypter对象也可以做CBC，但是，如果每次分组都去调密码卡或ukey，会非常慢。
+type CbcBlockMode interface {
+	// 分组长度
+	BlockSize() int
+
+	// CBCEncrypt CBC加密多组数据。传入src保证是BlockSize()的整数倍，len(dst) >= len(src)
+	// iv是BlockSize()大小。 dst和src要么完全重合，要么完全不相交
+	// 返回时：如果正常则填充dst[:len(src)]为密文。iv返回时不作要求，可以保持不变，也可以为最后一个分组内容。
+	// 如果src非常大，CBCEncrypter负责进行分组调用密码机, 可能因为网络等原因会返回错误。
+	// 本函数为阻塞函数
+	CbcEncCryptBlocks(dst, iv, src []byte) error
+	CbcDecCryptBlocks(dst, iv, src []byte) error
+}
+
+type EcbCbcBlockMode interface {
+	EcbBlockMode
+	CbcBlockMode
+}
+
+// 三段式加解密接口
+type TernaryCrypter interface {
+	// 三段式加密
+	// Init an BlockUpdater. Set nonce as iv and additional data.
+	EncryptInit(iv []byte) error
+
+	// Encrypt 单组加密，等价于调用EncryptUpdate后EncryptFinal
+	Encrypt(dst []byte, in []byte) ([]byte, error)
+
+	// Update appends the encrypted/decrypted result to dst and return it
+	EncryptUpdate(dst []byte, in []byte) ([]byte, error)
+	// Final 将剩余密文和tag append到out上并返回。返回结果的最后16字节为tag.
+	EncryptFinal(dst []byte) ([]byte, error)
+
+	// 三段式解密
+	DecryptInit(iv []byte) error
+	Decrypt(dst []byte, in []byte) ([]byte, error)
+	DecryptUpdate(dst []byte, in []byte) ([]byte, error)
+	DecryptFinal(dst []byte) ([]byte, error)
+}
+
+// TernaryGCM 标准库cipher.AEAD和SDF/SKF的三段式用法。
+// 在三段式调用中，若某次返回错误（比如某个大文件已经EncryptUpdate多次了，但如果某次网络原因
+// EncryptUpdate返回错误），则保证内部状态不变， 可以重复该次返错的调用。
+type TernaryGCM interface {
+	// 保留标准库用法，AEAD.Seal和AEAD.Open前无需调用EncryptInit/DecryptInit
+	cipher.AEAD
+
+	// SpecifyADD 在三段式调用中必须在调用EncryptInit后调用
+	ADDSpecifier
+	TernaryCrypter
+}
+
+type ADDSpecifier interface {
+	SpecifyADD(additionalData []byte)
+}
+
+type ADDAndDataLenSpecifier interface {
+	SpecifyADDAndDataLen(ad []byte, dataLen int)
+}
+
+// Stream for ctr mode
+type TernaryStream interface {
+	cipher.Stream
+	TernaryCrypter
+}
+
+// Wrapper 将一个cipher.Block接口包装为EcbCbcEncBlockMode接口
+type wrapper struct {
+	cipher.Block
+}
+
+func Wrap(b cipher.Block) EcbCbcBlockMode {
+	// If b is also an EcbCbcBlockMode interface.
+	if bm, ok := b.(EcbCbcBlockMode); ok {
+		return bm
+	}
+	return wrapper{b}
+}
+
+func (w wrapper) BlockSize() int {
+	return w.Block.BlockSize()
+}
+
+func (w wrapper) EcbEncCryptBlocks(dst, src []byte) error {
+	for len(src) > 0 {
+		w.Encrypt(dst, src)
+		dst = dst[w.BlockSize():]
+		src = src[w.BlockSize():]
+	}
+	return nil
+}
+
+func (w wrapper) CbcEncCryptBlocks(dst, iv, src []byte) error {
+	cbc := cipher.NewCBCEncrypter(w.Block, iv)
+	cbc.CryptBlocks(dst, src)
+	return nil
+}
+
+func (w wrapper) EcbDecCryptBlocks(dst, src []byte) error {
+	for len(src) > 0 {
+		w.Decrypt(dst, src)
+		dst = dst[w.BlockSize():]
+		src = src[w.BlockSize():]
+	}
+	return nil
+}
+
+func (w wrapper) CbcDecCryptBlocks(dst, iv, src []byte) error {
+	cbc := cipher.NewCBCDecrypter(w.Block, iv)
+	cbc.CryptBlocks(dst, src)
+	return nil
+}

utils/blockmode/ccm.go

@@ -0,0 +1,168 @@
+package blockmode
+
+import (
+	"bytes"
+	"crypto/cipher"
+
+	"xdx.jelly/xgcl/gerrors"
+	"xdx.jelly/xgcl/internal/xor"
+)
+
+type ccm struct {
+	b         EcbCbcBlockMode
+	nonceSize int
+	tagSize   int
+}
+
+const ccmStandardNonceSize = 12
+const ccmTagSize = 16
+const ccmBlockSize = 16
+
+// NewCCM 返回AEAD实例，其中nonce为12字节，tag为16字节
+func NewCCM(cipher EcbCbcBlockMode) (cipher.AEAD, error) {
+	return NewCCMWithNonceAndTagSize(cipher, ccmStandardNonceSize, ccmTagSize)
+}
+
+// NewCCMWithNonceAndTagSize 返回一个AEAD接口对象,其中tagSize必须取值为4, 6, 8, 10, 12, 14, 16。
+// nonceSize取值为{7,8,9,10,11,12,13}
+//
+// CCM不建议支持Init/Update/Final调用。需一次性将additional data 和plaintext/ciphertext传入。
+func NewCCMWithNonceAndTagSize(cipher EcbCbcBlockMode, nonceSize, tagSize int) (cipher.AEAD, error) {
+	if nonceSize < 7 || nonceSize > 13 {
+		return nil, gerrors.WithAnnotating(ErrInvalidInput, "nonce size must be 7, 8, 9, 10, 11, 12 or 13")
+	}
+	if tagSize != 4 && tagSize != 6 && tagSize != 8 && tagSize != 10 && tagSize != 12 && tagSize != 14 && tagSize != 16 {
+		return nil, gerrors.WithAnnotating(ErrInvalidInput, "tag size must be 4, 6, 8, 10, 12, 14 or 16")
+	}
+	return &ccm{
+		b:         cipher,
+		nonceSize: nonceSize,
+		tagSize:   tagSize,
+	}, nil
+}
+
+// NonceSize 返回需要的nonce长度
+func (c *ccm) NonceSize() int {
+	return c.nonceSize
+}
+
+func (c *ccm) Overhead() int {
+	return c.tagSize
+}
+
+func (c *ccm) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
+	B := format(nonce, additionalData, plaintext, c.tagSize)
+
+	iv := make([]byte, ccmBlockSize)
+	_ = c.b.CbcEncCryptBlocks(B, iv, B)
+
+	tagMask := make([]byte, c.tagSize)
+	copy(tagMask, B[len(B)-ccmBlockSize:])
+
+	N := c.deriveCounter(B[:0], nonce, len(plaintext))
+	_ = c.b.EcbEncCryptBlocks(N, N)
+	p := xor.XorBytes(N, N, plaintext)
+	tag := N[p : p+c.tagSize]
+	xor.XorBytes(tag, tagMask, N[len(N)-ccmBlockSize:])
+	return append(dst, N[:p+c.tagSize]...)
+}
+
+func (c *ccm) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
+	p := len(ciphertext) - c.Overhead()
+	ctrs := c.deriveCounter(nil, nonce, p)
+	_ = c.b.EcbEncCryptBlocks(ctrs, ctrs)
+	ret, plaintext := sliceForAppend(dst, p)
+	xor.XorBytes(plaintext, ciphertext[:p], ctrs[:p])
+	y0 := ctrs[len(ctrs)-ccmBlockSize:]
+	T := make([]byte, c.tagSize)
+	xor.XorBytes(T, y0, ciphertext[p:])
+
+	B := format(nonce, additionalData, plaintext, c.tagSize)
+	iv := make([]byte, ccmBlockSize)
+	_ = c.b.CbcEncCryptBlocks(B, iv, B)
+
+	if !bytes.Equal(T, B[len(B)-ccmBlockSize:len(B)-ccmBlockSize+c.tagSize]) {
+		return dst, gerrors.WithAnnotating(ErrAEADTagCheckFailed, "CCM tag check failed")
+	}
+
+	return ret, nil
+
+}
+
+func format(nonce, ad, plain []byte, t int) []byte {
+	n := len(nonce)
+	a := uint64(len(ad))
+	p := len(plain)
+	q := 15 - n
+
+	B := make([]byte, 16)
+	if a > 0 {
+		B[0] |= 0x40
+	}
+	B[0] |= ((byte(t>>1 - 1)) << 3) | byte(q-1)
+	copy(B[1:], nonce)
+	Q := B[1+n:]
+	for i := q - 1; i >= 0; i-- {
+		Q[i] = byte(p)
+		p >>= 8
+	}
+	// p = len(plain)
+
+	if a > 0 {
+		if a < (1<<16)-(1<<8) {
+			B = append(B, byte(a>>8))
+			B = append(B, byte(a))
+		} else if a < (1 << 32) {
+			B = append(B, []byte{0xff, 0xfe,
+				byte(a >> 24), byte(a >> 16), byte(a >> 8), byte(a >> 0)}...)
+		} else {
+			B = append(B, []byte{0xff, 0xff,
+				byte(a >> 56), byte(a >> 48), byte(a >> 40), byte(a >> 32),
+				byte(a >> 24), byte(a >> 16), byte(a >> 8), byte(a >> 0)}...)
+		}
+	}
+	B = append(B, ad...)
+	paddingLen := ((len(B) + 15) >> 4) << 4
+	for i := len(B); i < paddingLen; i++ {
+		B = append(B, 0)
+	}
+	B = append(B, plain...)
+	paddingLen = ((len(B) + 15) >> 4) << 4
+	for i := len(B); i < paddingLen; i++ {
+		B = append(B, 0)
+	}
+	return B
+}
+
+func (c *ccm) deriveCounter(counterBuf []byte, nonce []byte, p int) []byte {
+	m := (p + ccmBlockSize - 1) >> 4
+	n := len(nonce)
+	q := 15 - n
+	if cap(counterBuf) < (m+1)*ccmBlockSize {
+		counterBuf = make([]byte, (m+1)*ccmBlockSize)
+	}
+	ret := counterBuf[:(m+1)*ccmBlockSize]
+	N := counterBuf[:m*ccmBlockSize]
+	N0 := counterBuf[m*ccmBlockSize : (m+1)*ccmBlockSize]
+	N0[0] = byte(q - 1)
+	copy(N0[1:], nonce)
+	for i := 1 + n; i < ccmBlockSize; i++ {
+		N0[i] = 0
+	}
+	N0[ccmBlockSize-1] = 1
+
+	for i := 0; i < m; i++ {
+		copy(N[i*ccmBlockSize:], N0)
+		for i := ccmBlockSize - 1; i >= 0; i-- {
+			N0[i]++
+			if N0[i] != 0 {
+				break
+			}
+		}
+	}
+
+	for i := ccmBlockSize - 1; i >= ccmBlockSize-q; i-- {
+		N0[i] = 0
+	}
+	return ret
+}

utils/blockmode/ccm_test.go

@@ -0,0 +1,90 @@
+package blockmode_test
+
+import (
+	"bytes"
+	"crypto/aes"
+	"encoding/hex"
+	"testing"
+
+	"xdx.jelly/xgcl/utils/blockmode"
+)
+
+// Test vectors in sp800-38c
+var aesCcmTests = []struct {
+	key, nonce, plaintext, ad, result string
+	tagSize                           int
+	adRepeats                         int // repeat additional data adRepeats times
+}{
+	{
+		"404142434445464748494a4b4c4d4e4f",
+		"10111213141516",
+		"20212223",
+		"0001020304050607",
+		"7162015b4dac255d",
+		4, 1,
+	},
+
+	{
+		"404142434445464748494a4b4c4d4e4f",
+		"1011121314151617",
+		"202122232425262728292a2b2c2d2e2f",
+		"000102030405060708090a0b0c0d0e0f",
+		"d2a1f0e051ea5f62081a7792073d593d1fc64fbfaccd",
+		6, 1,
+	},
+	{
+		"404142434445464748494a4b4c4d4e4f",
+		"101112131415161718191a1b",
+		"202122232425262728292a2b2c2d2e2f3031323334353637",
+		"000102030405060708090a0b0c0d0e0f10111213",
+		"e3b201a9f5b71a7a9b1ceaeccd97e70b6176aad9a4428aa5484392fbc1b09951",
+		8, 1,
+	},
+	{
+		"404142434445464748494a4b4c4d4e4f",
+		"101112131415161718191a1b1c",
+		"202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f",
+		"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
+		"69915dad1e84c6376a68c2967e4dab615ae0fd1faec44cc484828529463ccf72b4ac6bec93e8598e7f0dadbcea5b",
+		14, 256,
+	},
+}
+
+func TestAesCCM(t *testing.T) {
+	for _, test := range aesCcmTests {
+		key, _ := hex.DecodeString(test.key)
+		nonce, _ := hex.DecodeString(test.nonce)
+		plaintext, _ := hex.DecodeString(test.plaintext)
+		ad1, _ := hex.DecodeString(test.ad)
+		ad := make([]byte, 0, len(ad1)*test.adRepeats)
+		for i := 0; i < test.adRepeats; i++ {
+			ad = append(ad, ad1...)
+		}
+		result, _ := hex.DecodeString(test.result)
+		tagSize := test.tagSize
+
+		b, err := aes.NewCipher(key)
+		if err != nil {
+			t.Fatal(err)
+		}
+		aesBlockMode := blockmode.Wrap(b)
+		ccm, err := blockmode.NewCCMWithNonceAndTagSize(aesBlockMode, len(nonce), tagSize)
+		if err != nil {
+			t.Fatal(err)
+		}
+		ciphertext := ccm.Seal(nil, nonce, plaintext, ad)
+
+		if bytes.Compare(ciphertext, result) != 0 {
+			t.Fatal("result unequal expected")
+		}
+
+		plaintext2, err := ccm.Open(nil, nonce, ciphertext, ad)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if bytes.Compare(plaintext2, plaintext) != 0 {
+			t.Fatal("decrypted plaintext not equal expected")
+		}
+	}
+
+}

utils/blockmode/ctr.go

@@ -0,0 +1,149 @@
+package blockmode
+
+import (
+	"fmt"
+
+	"xdx.jelly/xgcl/gerrors"
+	"xdx.jelly/xgcl/internal/subtle"
+	"xdx.jelly/xgcl/internal/xor"
+)
+
+// Counter (CTR) mode.
+
+// CTR converts a block cipher into a stream cipher by
+// repeatedly encrypting an incrementing counter and
+// xoring the resulting stream of data with the input.
+
+// See NIST SP 800-38A, pp 13-15
+
+type ctr struct {
+	b       EcbBlockMode
+	ctr     []byte //counter
+	out     []byte // out[outUsed:] is the unused encrypted counters.
+	outUsed int
+}
+
+const streamBufferSize = 4096
+
+// ctrAble is an interface implemented by ciphers that have a specific optimized
+// implementation of CTR, like crypto/aes. NewCTR will check for this interface
+// and return the specific Stream if found.
+type ctrAble interface {
+	NewCTR(iv []byte) (TernaryStream, error)
+}
+
+// NewCTR returns a Stream which encrypts/decrypts using the given Block in
+// counter mode. The length of iv must be the same as the Block's block size.
+func NewCTR(block EcbBlockMode, iv []byte) (TernaryStream, error) {
+	if ctr, ok := block.(ctrAble); ok {
+		return ctr.NewCTR(iv)
+	}
+	if len(iv) != block.BlockSize() {
+		return nil, gerrors.WithAnnotatingf(ErrInvalidIV, "input IV length(%d) must be %d bytes", len(iv), block.BlockSize())
+	}
+	bufSize := streamBufferSize
+	if bufSize < block.BlockSize() {
+		bufSize = block.BlockSize()
+	}
+	return &ctr{
+		b:       block,
+		ctr:     dup(iv),
+		out:     make([]byte, 0, bufSize),
+		outUsed: 0,
+	}, nil
+}
+
+func (x *ctr) reset(iv []byte) error {
+	if len(iv) != x.b.BlockSize() {
+		return gerrors.WithAnnotatingf(ErrInvalidIV, "input IV length(%d) must be %d bytes", len(iv), x.b.BlockSize())
+	}
+	copy(x.ctr, iv)
+	x.out = x.out[:0]
+	x.outUsed = 0
+	return nil
+}
+
+// refill 填充x.out.
+func (x *ctr) refill() {
+	begin := len(x.out) - x.outUsed
+	copy(x.out, x.out[x.outUsed:])
+	x.out = x.out[:cap(x.out)]
+	bs := x.b.BlockSize()
+	end := begin
+	for end <= len(x.out)-bs {
+		copy(x.out[end:], x.ctr)
+		end += bs
+		for i := len(x.ctr) - 1; i >= 0; i-- {
+			x.ctr[i]++
+			if x.ctr[i] != 0 {
+				break
+			}
+		}
+	}
+	_ = x.b.EcbEncCryptBlocks(x.out[begin:end], x.out[begin:end])
+	x.out = x.out[:end]
+	x.outUsed = 0
+}
+
+func (x *ctr) XORKeyStream(dst, src []byte) {
+	if len(dst) < len(src) {
+		// By definition of cipher.Stream, if len(dst) < len(src), XORKeyStream should panic.
+		panic(fmt.Sprintf("length of output buf(%d) less than the input(%d)", len(dst), len(src)))
+	}
+	if subtle.InexactOverlap(dst[:len(src)], src) {
+		panic("ctr.XORKeyStream: dst must be exact overlap with src or non-overlap with src")
+	}
+	for len(src) > 0 {
+		if x.outUsed >= len(x.out)-x.b.BlockSize() {
+			x.refill()
+		}
+		n := xor.XorBytes(dst, src, x.out[x.outUsed:])
+		dst = dst[n:]
+		src = src[n:]
+		x.outUsed += n
+	}
+}
+
+var _ TernaryStream = &ctr{}
+
+// EncryptInit implements TernaryStream
+func (x *ctr) EncryptInit(iv []byte) error {
+	return x.reset(iv)
+}
+
+// Encrypt implements TernaryStream
+func (x *ctr) Encrypt(dst []byte, in []byte) ([]byte, error) {
+	ret, out := sliceForAppend(dst, len(in))
+	x.XORKeyStream(out, in)
+	return ret, nil
+}
+
+// EncryptFinal implements TernaryStream
+func (x *ctr) EncryptFinal(dst []byte) ([]byte, error) {
+	return dst, nil
+}
+
+// EncryptUpdate implements TernaryStream
+func (x *ctr) EncryptUpdate(dst []byte, in []byte) ([]byte, error) {
+	return x.Encrypt(dst, in)
+}
+
+// Decrypt implements TernaryStream
+func (x *ctr) Decrypt(dst []byte, in []byte) ([]byte, error) {
+	return x.Encrypt(dst, in)
+}
+
+// DecryptFinal implements TernaryStream
+func (x *ctr) DecryptFinal(dst []byte) ([]byte, error) {
+	return dst, nil
+}
+
+// DecryptInit implements TernaryStream
+func (x *ctr) DecryptInit(iv []byte) error {
+	return x.reset(iv)
+}
+
+// DecryptUpdate implements TernaryStream
+func (x *ctr) DecryptUpdate(dst []byte, in []byte) ([]byte, error) {
+	return x.Encrypt(dst, in)
+}

utils/blockmode/ctr_test.go

@@ -0,0 +1,187 @@
+package blockmode_test
+
+import (
+	"bytes"
+	"crypto/cipher"
+	"encoding/hex"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"xdx.jelly/xgcl/grand"
+	"xdx.jelly/xgcl/sm/sm4"
+	"xdx.jelly/xgcl/utils/blockmode"
+)
+
+type noopBlock int
+
+func (b noopBlock) BlockSize() int        { return int(b) }
+func (noopBlock) Encrypt(dst, src []byte) { copy(dst, src) }
+func (noopBlock) Decrypt(dst, src []byte) { copy(dst, src) }
+
+func inc(b []byte) {
+	for i := len(b) - 1; i >= 0; i++ {
+		b[i]++
+		if b[i] != 0 {
+			break
+		}
+	}
+}
+
+func xor(a, b []byte) {
+	for i := range a {
+		a[i] ^= b[i]
+	}
+}
+
+func TestCTR(t *testing.T) {
+	for size := 64; size <= 1024; size *= 2 {
+		iv := make([]byte, size)
+		ctr := cipher.NewCTR(noopBlock(size), iv)
+		src := make([]byte, 1024)
+		for i := range src {
+			src[i] = 0xff
+		}
+		want := make([]byte, 1024)
+		copy(want, src)
+		counter := make([]byte, size)
+		for i := 1; i < len(want)/size; i++ {
+			inc(counter)
+			xor(want[i*size:(i+1)*size], counter)
+		}
+		dst := make([]byte, 1024)
+		ctr.XORKeyStream(dst, src)
+		if !bytes.Equal(dst, want) {
+			t.Errorf("for size %d\nhave %x\nwant %x", size, dst, want)
+		}
+	}
+}
+
+func FuzzSm4Ctr(f *testing.F) {
+	iv := grand.GetRandom(16)
+	key := grand.GetRandom(16)
+
+	key, _ = hex.DecodeString("70fe9d4cdf29d1db1549a44d70bf28fb")
+	iv, _ = hex.DecodeString("edf1631376519ddc9654cec2900060de")
+	block, _ := sm4.NewCipher(key)
+	mode := blockmode.Wrap(block)
+
+	f.Add([]byte{}, []byte{})
+	f.Fuzz(func(t *testing.T, plaintext, ad []byte) {
+		stdctr := cipher.NewCTR(block, iv)
+		ctr, err := blockmode.NewCTR(mode, iv)
+		if err != nil {
+			t.Fatal(err)
+		}
+		stdct := make([]byte, len(plaintext))
+		stdctr.XORKeyStream(stdct, plaintext)
+		ct1 := make([]byte, len(plaintext))
+		ctr.XORKeyStream(ct1, plaintext)
+
+		if bytes.Compare(ct1, stdct) != 0 {
+			t.Errorf("XORKeyStream failed")
+		}
+
+		if err := ctr.EncryptInit(iv); err != nil {
+			t.Fatal(err)
+		}
+		ct2, err := ctr.EncryptUpdate(nil, plaintext[:len(plaintext)/2])
+		if err != nil {
+			t.Fatal(err)
+		}
+		if ct2, err = ctr.EncryptUpdate(ct2, plaintext[len(plaintext)/2:]); err != nil {
+			t.Fatal(err)
+		}
+		ct2, err = ctr.EncryptFinal(ct2)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if bytes.Compare(ct2, stdct) != 0 {
+			t.Errorf("Encrypt failed")
+		}
+
+		if err := ctr.DecryptInit(iv); err != nil {
+			t.Fatal(err)
+		}
+		pt2, err := ctr.DecryptUpdate(nil, ct2[:len(ct2)/2])
+		if err != nil {
+			t.Fatal(err)
+		}
+		if pt2, err = ctr.DecryptUpdate(pt2, ct2[len(ct2)/2:]); err != nil {
+			t.Fatal(err)
+		}
+		pt2, err = ctr.DecryptFinal(pt2)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if bytes.Compare(pt2, plaintext) != 0 {
+			t.Errorf("Decrypt failed")
+		}
+
+	})
+}
+
+func TestCTRData(t *testing.T) {
+	size := 1024
+	key := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10}
+	iv := []byte{0xF0, 0xF1, 0xF2, 0xF3, 0xF4, 0xF5, 0xF6, 0xF7, 0xF8, 0xF9, 0xFA, 0xFB, 0xFC, 0xFD, 0xFE, 0xFF}
+	src := make([]byte, size)
+	b, err := sm4.NewCipher(key)
+	assert.Nil(t, err)
+	ctr, err := blockmode.NewCTR(blockmode.Wrap(b), iv)
+
+	for i := range src {
+		src[i] = byte(i)
+	}
+
+	ctr.EncryptInit(iv)
+	dst, err := ctr.EncryptUpdate(nil, src)
+	assert.Nil(t, err)
+
+	dst, err = ctr.EncryptFinal(dst)
+	assert.Nil(t, err)
+	fmt.Println("src:")
+	for i := range src {
+		fmt.Printf("0x%02x, ", src[i])
+		if (i+1)%32 == 0 {
+			fmt.Println("")
+		}
+	}
+	fmt.Println("dst:")
+	for i := range dst {
+		fmt.Printf("0x%02x, ", dst[i])
+		if (i+1)%32 == 0 {
+			fmt.Println("")
+		}
+	}
+}
+
+func TestCTRSpeed(t *testing.T) {
+	size := 1024
+	key := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10}
+	iv := []byte{0xF0, 0xF1, 0xF2, 0xF3, 0xF4, 0xF5, 0xF6, 0xF7, 0xF8, 0xF9, 0xFA, 0xFB, 0xFC, 0xFD, 0xFE, 0xFF}
+	src := make([]byte, size)
+	b, err := sm4.NewCipher(key)
+	assert.Nil(t, err)
+	ctr, err := blockmode.NewCTR(blockmode.Wrap(b), iv)
+
+	for i := range src {
+		src[i] = byte(i)
+	}
+
+	assert.Nil(t, err)
+
+	start := time.Now()
+	times := 10000
+	for i := 0; i < times; i++ {
+		ctr.EncryptInit(iv)
+		dst, _ := ctr.EncryptUpdate(nil, src)
+		dst, _ = ctr.EncryptFinal(dst)
+	}
+	end := time.Now()
+	elapsed := end.Sub(start)
+	t.Log("SM4 Encrypt: ", int(float64(times*len(src))/float64(1024*1024)/elapsed.Seconds()), "MBps")
+
+}

utils/blockmode/errors.go

@@ -0,0 +1,22 @@
+package blockmode
+
+import "xdx.jelly/xgcl/gerrors"
+
+//go:generate stringer -type=ErrorCode -linecomment -output=errors_string.go errors.go
+type ErrorCode gerrors.ErrorCode
+
+func (e ErrorCode) Error() string {
+	return gerrors.Format(uint32(e), e.String())
+}
+
+// error codes
+const (
+	ErrInvalidInput       ErrorCode = 0x0100b000 + iota //输入不合法
+	ErrInvalidIV                                        //输入IV不合法
+	ErrAEADTagCheckFailed                               //AEAD解密tag校验失败
+	ErrAEADOpenFailed                                   //AEAD解密失败
+	ErrGCMEncFailed                                     //GCM加密失败
+	ErrGCMDecFailed                                     //GCM解密失败
+	ErrXTSEncFailed                                     //XTS加密失败
+	ErrXTSDecFailed                                     //XTS解密失败
+)

utils/blockmode/errors_string.go

@@ -0,0 +1,31 @@
+// Code generated by "stringer -type=ErrorCode -linecomment -output=errors_string.go errors.go"; DO NOT EDIT.
+
+package blockmode
+
+import "strconv"
+
+func _() {
+	// An "invalid array index" compiler error signifies that the constant values have changed.
+	// Re-run the stringer command to generate them again.
+	var x [1]struct{}
+	_ = x[ErrInvalidInput-16822272]
+	_ = x[ErrInvalidIV-16822273]
+	_ = x[ErrAEADTagCheckFailed-16822274]
+	_ = x[ErrAEADOpenFailed-16822275]
+	_ = x[ErrGCMEncFailed-16822276]
+	_ = x[ErrGCMDecFailed-16822277]
+	_ = x[ErrXTSEncFailed-16822278]
+	_ = x[ErrXTSDecFailed-16822279]
+}
+
+const _ErrorCode_name = "输入不合法输入IV不合法AEAD解密tag校验失败AEAD解密失败GCM加密失败GCM解密失败XTS加密失败XTS解密失败"
+
+var _ErrorCode_index = [...]uint8{0, 15, 32, 57, 73, 88, 103, 118, 133}
+
+func (i ErrorCode) String() string {
+	i -= 16822272
+	if i >= ErrorCode(len(_ErrorCode_index)-1) {
+		return "ErrorCode(" + strconv.FormatInt(int64(i+16822272), 10) + ")"
+	}
+	return _ErrorCode_name[_ErrorCode_index[i]:_ErrorCode_index[i+1]]
+}

utils/blockmode/example_test.go

@@ -0,0 +1,104 @@
+package blockmode_test
+
+import (
+	"bytes"
+	"encoding/hex"
+	"fmt"
+
+	"xdx.jelly/xgcl/sm/sm4"
+	"xdx.jelly/xgcl/utils/blockmode"
+)
+
+func ExampleWrap() {
+	// 将一个cipher.Block接口包装为EcbCbcEncBlockMode。适用于软实现的cipher.Block。
+	// 如果是密码机，则应该实现自己的EcbCbcEncBlockMode。因为cipher.Block只是对一个分
+	// 组进行计算，多个分组会反复调用密码机。
+	key, _ := hex.DecodeString("2d3edc27837fac8325261729fb875a09")
+	block, _ := sm4.NewCipher(key)
+	blockMode := blockmode.Wrap(block)
+
+	fmt.Println(blockMode.BlockSize())
+	// Output: 16
+}
+
+func ExampleNewGCM() {
+	// ECBBlockMode 可以调用密码机实现.
+	key, _ := hex.DecodeString("2d3edc27837fac8325261729fb875a09")
+	block, _ := sm4.NewCipher(key)
+	ecbBlockMode := blockmode.Wrap(block)
+
+	nonce, _ := hex.DecodeString("5b5e2f4b0e204cc7d2db5170")
+	// plaintext也可以为空，则为对additional data做mac
+	plaintext, _ := hex.DecodeString("010203040506070809")
+	// ad也可以为空
+	ad, _ := hex.DecodeString("0a0b0c0d0e0f")
+
+	gcm, err := blockmode.NewGCM(ecbBlockMode)
+	if err != nil {
+		panic(err)
+	}
+	// 用cipher.AEAD.Seal一次性完成加密计算. ct可以预先分配好，也可以传nil。
+	// ct1 = ciphertext || tag
+	ct1 := make([]byte, len(plaintext)+gcm.Overhead())
+	ct1 = gcm.Seal(ct1[:0], nonce, plaintext, ad) // 密文会append在dst后
+	// ct1 := gcm.Seal(nil, nonce, plaintext, ad) // 由Seal分配内存
+
+	pt1, err := gcm.Open(nil, nonce, ct1, ad)
+	if err != nil {
+		panic(err)
+	}
+
+	fmt.Println(bytes.Compare(pt1, plaintext) == 0)
+
+	// 也可以用Init-(SpecifyADD)-Update-Final三步完成
+	if err := gcm.EncryptInit(nonce); err != nil {
+		panic(err)
+	}
+	// 如果有additional data，必须在Init后，Update前调用SpecifyADD传入additional data.
+	// 不调用则表示additional data为空
+	gcm.SpecifyADD(ad)
+	var ct2 []byte
+	// Update明文
+	for i := 0; i < len(plaintext); i++ {
+		ct, err := gcm.EncryptUpdate(nil, []byte{plaintext[i]})
+		if err != nil {
+			panic(err)
+		}
+		// 处理本次Update得到的密文
+		ct2 = append(ct2, ct...)
+	}
+
+	ct, err := gcm.EncryptFinal(nil)
+	if err != nil {
+		panic(err)
+	}
+	ct2 = append(ct2, ct...)
+
+	if err := gcm.DecryptInit(nonce); err != nil {
+		panic(err)
+	}
+	gcm.SpecifyADD(ad)
+
+	pt2, err := gcm.DecryptUpdate(nil, ct2)
+	if err != nil {
+		panic(err)
+	}
+	pt2, err = gcm.DecryptFinal(pt2)
+
+	fmt.Println(bytes.Compare(pt2, plaintext) == 0)
+	// Output: true
+	// true
+}
+
+func ExampleNewCCM() {
+
+	// Output:
+}
+
+func ExampleNewCTR() {
+	// Output:
+}
+
+func ExampleNewXTS() {
+	// Output:
+}

utils/blockmode/export_test.go

@@ -0,0 +1,4 @@
+package blockmode
+
+// Export internal functions for testing.
+var Format = format

utils/blockmode/gcm.go

@@ -0,0 +1,576 @@
+package blockmode
+
+import (
+	"crypto/cipher"
+	"encoding/binary"
+
+	"xdx.jelly/xgcl/gerrors"
+	"xdx.jelly/xgcl/internal/subtle"
+	"xdx.jelly/xgcl/internal/xor"
+)
+
+// NewGCM 返回AEAD接口，使用标准的12字节的nonce和16字节的tag。并且BlockEncrypter.BlockSize()
+// 必须返回16。
+func NewGCM(cipher EcbBlockMode) (TernaryGCM, error) {
+	aead, err := NewGCMWithNonceAndTagSize(cipher, gcmStandardNonceSize, gcmTagSize)
+	return aead, err
+}
+
+// gcmFieldElement represents a value in GF(2¹²⁸). In order to reflect the GCM
+// standard and make binary.BigEndian suitable for marshaling these values, the
+// bits are stored in big endian order. For example:
+//
+//	the coefficient of x⁰ can be obtained by v.low >> 63.
+//	the coefficient of x⁶³ can be obtained by v.low & 1.
+//	the coefficient of x⁶⁴ can be obtained by v.high >> 63.
+//	the coefficient of x¹²⁷ can be obtained by v.high & 1.
+type gcmFieldElement struct {
+	low, high uint64
+}
+
+// gcm represents a Galois Counter Mode with a specific key. See
+// https://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
+type gcm struct {
+	cipher    EcbBlockMode
+	nonceSize int
+	tagSize   int
+	// productTable contains the first sixteen powers of the key, H.
+	// However, they are in bit reversed order. See NewGCMWithNonceSize.
+	productTable [16]gcmFieldElement
+
+	y                 gcmFieldElement
+	additionalDataLen int
+	dataLen           int
+	tagMask           [gcmBlockSize]byte
+	counter           [gcmBlockSize]byte
+	buf               []byte // 上一个分组未处理的数据。
+}
+
+// NewGCMWithNonceSize returns the given 128-bit, block cipher wrapped in Galois
+// Counter Mode, which accepts nonces of the given length. The length must not
+// be zero.
+//
+// Only use this function if you require compatibility with an existing
+// cryptosystem that uses non-standard nonce lengths. All other users should use
+// NewGCM, which is faster and more resistant to misuse.
+func NewGCMWithNonceSize(cipher EcbBlockMode, size int) (cipher.AEAD, error) {
+	return NewGCMWithNonceAndTagSize(cipher, size, gcmTagSize)
+}
+
+// NewGCMWithTagSize returns the given 128-bit, block cipher wrapped in Galois
+// Counter Mode, which generates tags with the given length.
+//
+// Tag sizes between 12 and 16 bytes are allowed.
+//
+// Only use this function if you require compatibility with an existing
+// cryptosystem that uses non-standard tag lengths. All other users should use
+// NewGCM, which is more resistant to misuse.
+func NewGCMWithTagSize(cipher EcbBlockMode, tagSize int) (cipher.AEAD, error) {
+	return NewGCMWithNonceAndTagSize(cipher, gcmStandardNonceSize, tagSize)
+}
+
+func NewGCMWithNonceAndTagSize(cipher EcbBlockMode, nonceSize, tagSize int) (TernaryGCM, error) {
+	if tagSize < gcmMinimumTagSize || tagSize > gcmBlockSize {
+		return nil, gerrors.WithAnnotatingf(ErrInvalidInput, "tag size in GCM can only between %d and %d", gcmMinimumTagSize, gcmBlockSize)
+	}
+
+	if nonceSize <= 0 {
+		return nil, gerrors.WithAnnotating(ErrInvalidInput, "the nonce can't have zero length, or the security of the key will be immediately compromised")
+	}
+
+	if cipher.BlockSize() != gcmBlockSize {
+		return nil, gerrors.WithAnnotating(ErrInvalidInput, "blockmode: NewGCM requires 128-bit block cipher")
+	}
+
+	var key [gcmBlockSize]byte
+	_ = cipher.EcbEncCryptBlocks(key[:], key[:])
+
+	g := &gcm{cipher: cipher, nonceSize: nonceSize, tagSize: tagSize, buf: make([]byte, 0, gcmBlockSize)}
+
+	// We precompute 16 multiples of |key|. However, when we do lookups
+	// into this table we'll be using bits from a field element and
+	// therefore the bits will be in the reverse order. So normally one
+	// would expect, say, 4*key to be in index 4 of the table but due to
+	// this bit ordering it will actually be in index 0010 (base 2) = 2.
+	x := gcmFieldElement{
+		binary.BigEndian.Uint64(key[:8]),
+		binary.BigEndian.Uint64(key[8:]),
+	}
+	g.productTable[reverseBits(1)] = x
+
+	for i := 2; i < 16; i += 2 {
+		g.productTable[reverseBits(i)] = gcmDouble(&g.productTable[reverseBits(i/2)])
+		g.productTable[reverseBits(i+1)] = gcmAdd(&g.productTable[reverseBits(i)], &x)
+	}
+
+	return g, nil
+}
+
+const (
+	gcmBlockSize         = 16
+	gcmTagSize           = 16
+	gcmMinimumTagSize    = 12 // NIST SP 800-38D recommends tags with 12 or more bytes.
+	gcmStandardNonceSize = 12
+)
+
+func (g *gcm) NonceSize() int {
+	return g.nonceSize
+}
+
+func (g *gcm) Overhead() int {
+	return g.tagSize
+}
+
+// Seal 加密，输入nonce大小必须为g.NonceSize().
+func (g *gcm) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
+	if len(nonce) != g.nonceSize {
+		panic("blockmode: incorrect nonce length given to GCM")
+	}
+	if uint64(len(plaintext)) > ((1<<32)-2)*uint64(g.cipher.BlockSize()) {
+		panic("blockmode: message too large for GCM")
+	}
+
+	ret, out := sliceForAppend(dst, len(plaintext)+g.tagSize)
+	if subtle.InexactOverlap(out, plaintext) {
+		// 拷贝一份原文
+		plaintext = dup(plaintext)
+	}
+
+	var counter, tagMask [gcmBlockSize]byte
+	g.deriveCounter(&counter, nonce) // counter = J0
+
+	_ = g.cipher.EcbEncCryptBlocks(tagMask[:], counter[:])
+	gcmInc32(&counter)
+
+	g.counterCrypt(out, plaintext, &counter)
+
+	var tag [gcmTagSize]byte
+	g.auth(tag[:], out[:len(plaintext)], additionalData, &tagMask)
+	copy(out[len(plaintext):], tag[:])
+
+	return ret
+}
+
+func (g *gcm) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
+	if len(nonce) != g.nonceSize {
+		return dst, gerrors.WithAnnotatingf(ErrAEADOpenFailed, "incorrect nonce length(%d) given to GCM, it should be %d", len(nonce), g.nonceSize)
+	}
+	// Sanity check to prevent the authentication from always succeeding if an implementation
+	// leaves tagSize uninitialized, for example.
+	if g.tagSize < gcmMinimumTagSize {
+		return dst, gerrors.WithAnnotatingf(ErrAEADOpenFailed, "input tag size(%d) too small, it should be at least %d", g.tagSize, gcmMinimumTagSize)
+	}
+
+	if len(ciphertext) < g.tagSize {
+		return dst, gerrors.WithAnnotating(ErrAEADOpenFailed, "ciphertext is shorter than tag size")
+	}
+	if uint64(len(ciphertext)) > ((1<<32)-2)*uint64(g.cipher.BlockSize())+uint64(g.tagSize) {
+		return dst, gerrors.WithAnnotatingf(ErrAEADOpenFailed, "ciphertext too long")
+	}
+
+	tag := ciphertext[len(ciphertext)-g.tagSize:]
+	ciphertext = ciphertext[:len(ciphertext)-g.tagSize]
+
+	var counter, tagMask [gcmBlockSize]byte
+	g.deriveCounter(&counter, nonce)
+
+	_ = g.cipher.EcbEncCryptBlocks(tagMask[:], counter[:])
+	gcmInc32(&counter)
+
+	var expectedTag [gcmTagSize]byte
+	g.auth(expectedTag[:], ciphertext, additionalData, &tagMask)
+
+	ret, out := sliceForAppend(dst, len(ciphertext))
+	if subtle.InexactOverlap(out, ciphertext) {
+		ciphertext = dup(ciphertext)
+	}
+
+	if subtle.ConstantTimeCompare(expectedTag[:g.tagSize], tag) != 1 {
+		// The AESNI code decrypts and authenticates concurrently, and
+		// so overwrites dst in the event of a tag mismatch. That
+		// behavior is mimicked here in order to be consistent across
+		// platforms.
+		for i := range out {
+			out[i] = 0
+		}
+		return ret[:len(dst)], gerrors.ChainErrors(ErrAEADOpenFailed, ErrAEADTagCheckFailed)
+	}
+	g.counterCrypt(out, ciphertext, &counter)
+	return ret, nil
+}
+
+// reverseBits reverses the order of the bits of 4-bit number in i.
+func reverseBits(i int) int {
+	i = ((i << 2) & 0xc) | ((i >> 2) & 0x3)
+	i = ((i << 1) & 0xa) | ((i >> 1) & 0x5)
+	return i
+}
+
+// gcmAdd adds two elements of GF(2¹²⁸) and returns the sum.
+func gcmAdd(x, y *gcmFieldElement) gcmFieldElement {
+	// Addition in a characteristic 2 field is just XOR.
+	return gcmFieldElement{x.low ^ y.low, x.high ^ y.high}
+}
+
+// gcmDouble returns the result of doubling an element of GF(2¹²⁸).
+func gcmDouble(x *gcmFieldElement) (double gcmFieldElement) {
+	msbSet := x.high&1 == 1
+
+	// Because of the bit-ordering, doubling is actually a right shift.
+	double.high = x.high >> 1
+	double.high |= x.low << 63
+	double.low = x.low >> 1
+
+	// If the most-significant bit was set before shifting then it,
+	// conceptually, becomes a term of x^128. This is greater than the
+	// irreducible polynomial so the result has to be reduced. The
+	// irreducible polynomial is 1+x+x^2+x^7+x^128. We can subtract that to
+	// eliminate the term at x^128 which also means subtracting the other
+	// four terms. In characteristic 2 fields, subtraction == addition ==
+	// XOR.
+	if msbSet {
+		double.low ^= 0xe100000000000000
+	}
+
+	return
+}
+
+var gcmReductionTable = []uint16{
+	0x0000, 0x1c20, 0x3840, 0x2460, 0x7080, 0x6ca0, 0x48c0, 0x54e0,
+	0xe100, 0xfd20, 0xd940, 0xc560, 0x9180, 0x8da0, 0xa9c0, 0xb5e0,
+}
+
+// mul sets y to y*H, where H is the GCM key, fixed during NewGCMWithNonceSize.
+func (g *gcm) mul(y *gcmFieldElement) {
+	var z gcmFieldElement
+
+	for i := 0; i < 2; i++ {
+		word := y.high
+		if i == 1 {
+			word = y.low
+		}
+
+		// Multiplication works by multiplying z by 16 and adding in
+		// one of the precomputed multiples of H.
+		for j := 0; j < 64; j += 4 {
+			msw := z.high & 0xf
+			z.high >>= 4
+			z.high |= z.low << 60
+			z.low >>= 4
+			z.low ^= uint64(gcmReductionTable[msw]) << 48
+
+			// the values in |table| are ordered for
+			// little-endian bit positions. See the comment
+			// in NewGCMWithNonceSize.
+			t := &g.productTable[word&0xf]
+
+			z.low ^= t.low
+			z.high ^= t.high
+			word >>= 4
+		}
+	}
+
+	*y = z
+}
+
+// updateBlocks extends y with more polynomial terms from blocks, based on
+// Horner's rule. There must be a multiple of gcmBlockSize bytes in blocks.
+func (g *gcm) updateBlocks(y *gcmFieldElement, blocks []byte) {
+	for len(blocks) > 0 {
+		y.low ^= binary.BigEndian.Uint64(blocks)
+		y.high ^= binary.BigEndian.Uint64(blocks[8:])
+		g.mul(y)
+		blocks = blocks[gcmBlockSize:]
+	}
+}
+
+// update extends y with more polynomial terms from data. If data is not a
+// multiple of gcmBlockSize bytes long then the remainder is zero padded.
+func (g *gcm) update(y *gcmFieldElement, data []byte) {
+	fullBlocks := (len(data) >> 4) << 4
+	g.updateBlocks(y, data[:fullBlocks])
+
+	if len(data) != fullBlocks {
+		var partialBlock [gcmBlockSize]byte
+		copy(partialBlock[:], data[fullBlocks:])
+		g.updateBlocks(y, partialBlock[:])
+	}
+}
+
+// gcmInc32 treats the final four bytes of counterBlock as a big-endian value
+// and increments it.
+func gcmInc32(counterBlock *[16]byte) {
+	ctr := counterBlock[len(counterBlock)-4:]
+	binary.BigEndian.PutUint32(ctr, binary.BigEndian.Uint32(ctr)+1)
+}
+
+// sliceForAppend takes a slice and a requested number of bytes. It returns a
+// slice with the contents of the given slice followed by that many bytes and a
+// second slice that aliases into it and contains only the extra bytes. If the
+// original slice has sufficient capacity then no allocation is performed.
+func sliceForAppend(in []byte, n int) (head, tail []byte) {
+	if total := len(in) + n; cap(in) >= total {
+		head = in[:total]
+	} else {
+		head = make([]byte, total)
+		copy(head, in)
+	}
+	tail = head[len(in):]
+	return
+}
+
+// counterCrypt crypts in to out using g.cipher in counter mode.
+func (g *gcm) counterCrypt(out, in []byte, counter *[gcmBlockSize]byte) {
+	// var mask [gcmBlockSize]byte
+	counterBuf := make([]byte, (len(in)+gcmBlockSize-1)&(^(gcmBlockSize - 1)))
+	for i := 0; i < len(counterBuf); i += gcmBlockSize {
+		copy(counterBuf[i:i+gcmBlockSize], counter[:])
+		gcmInc32(counter)
+	}
+	_ = g.cipher.EcbEncCryptBlocks(counterBuf, counterBuf)
+	xor.XorBytes(out, in, counterBuf)
+}
+
+// deriveCounter computes the initial GCM counter state from the given nonce.
+// See NIST SP 800-38D, section 7.1. This assumes that counter is filled with
+// zeros on entry.
+func (g *gcm) deriveCounter(counter *[gcmBlockSize]byte, nonce []byte) {
+	// GCM has two modes of operation with respect to the initial counter
+	// state: a "fast path" for 96-bit (12-byte) nonces, and a "slow path"
+	// for nonces of other lengths. For a 96-bit nonce, the nonce, along
+	// with a four-byte big-endian counter starting at one, is used
+	// directly as the starting counter. For other nonce sizes, the counter
+	// is computed by passing it through the GHASH function.
+	if len(nonce) == gcmStandardNonceSize {
+		copy(counter[:], nonce)
+		counter[gcmBlockSize-1] = 1
+		counter[gcmBlockSize-2] = 0
+		counter[gcmBlockSize-3] = 0
+		counter[gcmBlockSize-4] = 0
+	} else {
+		var y gcmFieldElement
+		g.update(&y, nonce)
+		y.high ^= uint64(len(nonce)) * 8
+		g.mul(&y)
+		binary.BigEndian.PutUint64(counter[:8], y.low)
+		binary.BigEndian.PutUint64(counter[8:], y.high)
+	}
+}
+
+// auth calculates GHASH(ciphertext, additionalData), masks the result with
+// tagMask and writes the result to out.
+func (g *gcm) auth(out, ciphertext, additionalData []byte, tagMask *[gcmTagSize]byte) {
+	var y gcmFieldElement
+	g.update(&y, additionalData)
+	g.update(&y, ciphertext)
+
+	y.low ^= uint64(len(additionalData)) * 8
+	y.high ^= uint64(len(ciphertext)) * 8
+
+	g.mul(&y)
+
+	binary.BigEndian.PutUint64(out, y.low)
+	binary.BigEndian.PutUint64(out[8:], y.high)
+
+	xor.XorBytes(out, out, tagMask[:])
+}
+
+func (g *gcm) init(nonce []byte) error {
+	if len(nonce) != g.nonceSize {
+		return gerrors.WithAnnotatingf(ErrInvalidInput, "incorrect nonce length given to GCM, want %d, given %d", g.nonceSize, len(nonce))
+	}
+	g.deriveCounter(&g.counter, nonce)
+
+	return nil
+}
+func (g *gcm) SpecifyADD(ad []byte) {
+
+	g.additionalDataLen = len(ad)
+	g.dataLen = 0
+	g.y.high = 0
+	g.y.low = 0
+	g.buf = g.buf[:0]
+	g.update(&g.y, ad)
+
+	_ = g.cipher.EcbEncCryptBlocks(g.tagMask[:], g.counter[:])
+	gcmInc32(&g.counter)
+}
+
+// EncryptInit 三段式加密第一步, Seal/Open/Update/
+func (g *gcm) EncryptInit(nonce []byte) error {
+	return g.init(nonce)
+}
+
+func (g *gcm) Encrypt(dst []byte, in []byte) ([]byte, error) {
+	dst, err := g.EncryptUpdate(dst, in)
+	if err != nil {
+		return dst, err
+	}
+	return g.EncryptFinal(dst)
+}
+
+// encryptCounters returns the ciphertext of counter || counter+1 || ... || counter+n-1
+func (g *gcm) encryptCounters(n int) ([]byte, error) {
+	var oldCounter [gcmBlockSize]byte
+	copy(oldCounter[:], g.counter[:])
+
+	counterBuf := make([]byte, n*gcmBlockSize)
+	for i := 0; i < n; i++ {
+		copy(counterBuf[i*gcmBlockSize:(i+1)*gcmBlockSize], g.counter[:])
+		gcmInc32(&g.counter)
+	}
+	if err := g.cipher.EcbEncCryptBlocks(counterBuf, counterBuf); err != nil {
+		copy(g.counter[:], oldCounter[:])
+		return nil, gerrors.WithMessage(err, "EcbEncCryptBlocks failed")
+	}
+	return counterBuf, nil
+}
+
+func (g *gcm) EncryptUpdate(dst []byte, in []byte) ([]byte, error) {
+	g.dataLen += len(in)
+	if len(g.buf)+len(in) < gcmBlockSize {
+		g.buf = append(g.buf, in...)
+		return dst, nil
+	}
+
+	nBlocks := (len(g.buf) + len(in)) >> 4
+	counterBuf, err := g.encryptCounters(nBlocks)
+	if err != nil {
+		return dst, err
+	}
+
+	ret, out := sliceForAppend(dst, nBlocks*gcmBlockSize)
+	xor.XorBytes(out, counterBuf, g.buf)
+	counterBuf = counterBuf[len(g.buf):]
+	out = out[len(g.buf):]
+	n := xor.XorBytes(out, counterBuf, in)
+	in = in[n:]
+	g.buf = append(g.buf[:0], in...)
+	g.update(&g.y, ret[len(dst):])
+	return ret, nil
+}
+
+func (g *gcm) EncryptFinal(dst []byte) ([]byte, error) {
+	ret, out := sliceForAppend(dst, len(g.buf)+gcmTagSize)
+	tag := out[len(g.buf):]
+	out = out[:len(g.buf)]
+	if len(g.buf) > 0 {
+		counterBuf := make([]byte, gcmBlockSize)
+		_ = g.cipher.EcbEncCryptBlocks(counterBuf, g.counter[:])
+		xor.XorBytes(out, counterBuf, g.buf)
+		g.update(&g.y, out)
+	}
+
+	g.y.low ^= uint64(g.additionalDataLen) * 8
+	g.y.high ^= uint64(g.dataLen) * 8
+	g.mul(&g.y)
+	binary.BigEndian.PutUint64(tag, g.y.low)
+	binary.BigEndian.PutUint64(tag[8:], g.y.high)
+
+	xor.XorBytes(tag, tag, g.tagMask[:])
+	return ret, nil
+}
+
+// EncryptInit 三段式加密第一步, Seal/Open/Update/
+func (g *gcm) DecryptInit(nonce []byte) error {
+	return g.init(nonce)
+}
+
+func (g *gcm) Decrypt(dst []byte, in []byte) ([]byte, error) {
+	dst, err := g.DecryptUpdate(dst, in)
+	if err != nil {
+		return dst, err
+	}
+	return g.DecryptFinal(dst)
+}
+
+func (g *gcm) DecryptUpdate(dst []byte, in []byte) ([]byte, error) {
+	if g.tagSize < gcmMinimumTagSize {
+		return dst, gerrors.WithAnnotatingf(ErrGCMDecFailed, "incorrect GCM tag size(%d)", g.tagSize)
+	}
+
+	// if len(ciphertext) < g.tagSize {
+	// 	return nil, errOpen
+	// }
+	// if uint64(len(ciphertext)) > ((1<<32)-2)*uint64(g.cipher.BlockSize())+uint64(g.tagSize) {
+	// 	return nil, errOpen
+	// }
+	if len(g.buf)+len(in) < 2*gcmBlockSize {
+		g.buf = append(g.buf, in...)
+		g.dataLen += len(in)
+		return dst, nil
+	}
+
+	// at least one block
+	processDataLen := len(g.buf) + len(in) - gcmBlockSize
+	nBlocks := processDataLen >> 4
+	nCounterCipher, err := g.encryptCounters(nBlocks)
+	if err != nil {
+		return dst, gerrors.ChainErrors(ErrGCMDecFailed, err)
+	}
+
+	g.dataLen += len(in)
+	n := 2*gcmBlockSize - len(g.buf)
+	g.buf = append(g.buf, in[:n]...)
+	in = in[n:]
+
+	if len(in) < gcmBlockSize {
+		// 处理1个block并返回
+		g.update(&g.y, g.buf[:gcmBlockSize])
+		xor.XorBytes(nCounterCipher[:gcmBlockSize], nCounterCipher[:gcmBlockSize], g.buf[:gcmBlockSize])
+		dst = append(dst, nCounterCipher[:gcmBlockSize]...)
+		n := copy(g.buf[:gcmBlockSize], g.buf[gcmBlockSize:])
+		g.buf = g.buf[:n]
+		g.buf = append(g.buf, in...)
+		return dst, nil
+	}
+	// 先处理g.buf的2个blocks
+	g.update(&g.y, g.buf[:2*gcmBlockSize])
+	xor.XorBytes(nCounterCipher[:2*gcmBlockSize], nCounterCipher[:2*gcmBlockSize], g.buf[:2*gcmBlockSize])
+	dst = append(dst, nCounterCipher[:2*gcmBlockSize]...)
+	g.buf = g.buf[:0]
+	nCounterCipher = nCounterCipher[2*gcmBlockSize:]
+
+	// 处理in剩余的nBlocks - 2个block
+	g.update(&g.y, in[:(nBlocks-2)*gcmBlockSize])
+	xor.XorBytes(nCounterCipher, nCounterCipher, in[:(nBlocks-2)*gcmBlockSize])
+	dst = append(dst, nCounterCipher...)
+	// 拷贝in剩余字节到buf，至少16字节。
+	g.buf = append(g.buf[:0], in[(nBlocks-2)*gcmBlockSize:]...)
+
+	return dst, nil
+}
+
+func (g *gcm) DecryptFinal(dst []byte) ([]byte, error) {
+	// g.buf 至少应该16字节，即tag。否则输入错误或内部处理错误(bug)
+	if g.dataLen < gcmTagSize {
+		return dst, gerrors.WithAnnotating(ErrGCMDecFailed, "input data must at least 16 bytes long")
+	}
+	if len(g.buf) < gcmTagSize {
+		return dst, gerrors.WithAnnotatingf(ErrGCMDecFailed, "internal error, len(g.buf)=%d", len(g.buf))
+	}
+
+	ret, out := sliceForAppend(dst, len(g.buf)-gcmTagSize)
+	cipherText := g.buf[:len(g.buf)-gcmTagSize]
+	WantedTag := g.buf[len(g.buf)-gcmTagSize:]
+
+	if len(cipherText) > 0 {
+		counterBuf := make([]byte, gcmBlockSize)
+		_ = g.cipher.EcbEncCryptBlocks(counterBuf, g.counter[:])
+		xor.XorBytes(out, counterBuf, cipherText)
+		g.update(&g.y, out)
+	}
+
+	var tag [gcmTagSize]byte
+	g.y.low ^= uint64(g.additionalDataLen) * 8
+	g.y.high ^= uint64(g.dataLen) * 8
+	g.mul(&g.y)
+	binary.BigEndian.PutUint64(tag[:8], g.y.low)
+	binary.BigEndian.PutUint64(tag[8:], g.y.high)
+
+	xor.XorBytes(tag[:], tag[:], g.tagMask[:])
+	if subtle.ConstantTimeCompare(tag[:], WantedTag) != 0 {
+		return dst, gerrors.ChainErrors(ErrGCMDecFailed, ErrAEADTagCheckFailed)
+	}
+	return ret, nil
+}

utils/blockmode/gcm_test.go

@@ -0,0 +1,265 @@
+package blockmode_test
+
+import (
+	"bytes"
+	"encoding/hex"
+	"fmt"
+	"testing"
+	"time"
+
+	"xdx.jelly/xgcl/grand"
+	"xdx.jelly/xgcl/sm/sm4"
+	"xdx.jelly/xgcl/utils/blockmode"
+)
+
+// sm4_GCM模式
+var sm4GCMTests = []struct {
+	key, nonce, plaintext, ad, result string
+}{
+	{
+		"11754cd72aec309bf52f7687212e8957",
+		"3c819d9a9bed087615030b65", // nonce should be 12 bytes.
+		"plaintext",
+		"additional message not need encrypt, empty is ok",
+		"6111f78f2f82b913c20e333160bfec034c3720ac133a6203b1",
+	},
+}
+
+func TestSM4Speed(t *testing.T) {
+	key, err := hex.DecodeString("12345678123456781234567812345678")
+	if err != nil {
+		t.Fatal(err)
+	}
+	block, err := sm4.NewCipher(key)
+	if err != nil {
+		t.Fatal(err)
+	}
+	gcm, err := blockmode.NewGCM(blockmode.Wrap(block))
+	if err != nil {
+		t.Fatal(err)
+	}
+	nonce, err := hex.DecodeString("123456781234567812345678")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	plaintext := grand.GetRandom(1024 * 1024)
+	ad := []byte("additional message not need encrypt, empty is ok")
+	ct2 := make([]byte, 0, 1024*1024+gcm.Overhead())
+	cnt := 100
+	start := time.Now()
+	for i := 0; i < cnt; i++ {
+		err = gcm.EncryptInit(nonce)
+		if err != nil {
+			t.Fatal(err)
+		}
+		gcm.SpecifyADD(ad)
+		ct2, err := gcm.EncryptUpdate(ct2, plaintext)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		ct2, err = gcm.EncryptFinal(ct2)
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+	end := time.Now()
+	elapsed := end.Sub(start)
+	fmt.Printf("%f Bps\n", float64(len(plaintext)*cnt)/1024/1024*1000/float64(elapsed.Milliseconds()))
+
+}
+
+func TestSM4GCM(t *testing.T) {
+	for i, test := range sm4GCMTests {
+		key, _ := hex.DecodeString(test.key)
+
+		block, _ := sm4.NewCipher(key)
+		gcm, err := blockmode.NewGCM(blockmode.Wrap(block))
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		nonce, _ := hex.DecodeString(test.nonce)
+		plaintext := []byte(test.plaintext)
+
+		ad := []byte(test.ad)
+
+		// 提前分配好空间
+		for i := 0; i < gcm.Overhead(); i++ {
+			plaintext = append(plaintext, 0)
+		}
+		plaintext = plaintext[:len(plaintext)-gcm.Overhead()]
+
+		ct := gcm.Seal(plaintext[:0], nonce, plaintext, ad)
+
+		if ctHex := hex.EncodeToString(ct); ctHex != test.result {
+			t.Errorf("#%d: got %s, want %s", i, ctHex, test.result)
+			continue
+		}
+
+		plaintext, err = gcm.Open(ct[:0], nonce, ct, ad)
+		if err != nil {
+			t.Errorf("#%d: Open failed", i)
+			continue
+		}
+
+		if !bytes.Equal(plaintext, []byte(test.plaintext)) {
+			t.Errorf("#%d: plaintext's don't match: got %x vs %x", i, test.plaintext, plaintext)
+			continue
+		}
+
+		// if ad, nonce, ct was changed, return err
+		if len(ad) > 0 {
+			ad[0] ^= 0x80
+			if _, err := gcm.Open(nil, nonce, ct, ad); err == nil {
+				t.Errorf("#%d: Open was successful after altering additional data", i)
+			}
+			ad[0] ^= 0x80
+		}
+
+		nonce[0] ^= 0x80
+		if _, err := gcm.Open(nil, nonce, ct, ad); err == nil {
+			t.Errorf("#%d: Open was successful after altering nonce", i)
+		}
+		nonce[0] ^= 0x80
+
+		ct[0] ^= 0x80
+		if _, err := gcm.Open(nil, nonce, ct, ad); err == nil {
+			t.Errorf("#%d: Open was successful after altering ciphertext", i)
+		}
+		ct[0] ^= 0x80
+	}
+}
+
+func TestGcmUpdate(t *testing.T) {
+	test := sm4GCMTests[0]
+	key, _ := hex.DecodeString(test.key)
+
+	block, _ := sm4.NewCipher(key)
+	gcm, err := blockmode.NewGCM(blockmode.Wrap(block))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	nonce, _ := hex.DecodeString(test.nonce)
+	plaintext := grand.GetRandom(0)
+	ad := []byte(test.ad)
+	ct1 := gcm.Seal(nil, nonce, plaintext, ad)
+
+	ct2 := make([]byte, 0, 116)
+	err = gcm.EncryptInit(nonce)
+	if err != nil {
+		t.Fatal(err)
+	}
+	gcm.SpecifyADD(ad)
+	for i := range plaintext {
+		ct2, err = gcm.EncryptUpdate(ct2, []byte{plaintext[i]})
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+	ct2, err = gcm.EncryptFinal(ct2)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !bytes.Equal(ct1, ct2) {
+		t.Errorf("Seal failed")
+	}
+
+	if err = gcm.DecryptInit(nonce); err != nil {
+		t.Fatal(err)
+	}
+	gcm.SpecifyADD(ad)
+
+	decrypted := make([]byte, 0, len(plaintext))
+	for i := range ct1 {
+		decrypted, err = gcm.DecryptUpdate(decrypted, []byte{ct1[i]})
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+	decrypted, err = gcm.DecryptFinal(decrypted)
+	if !bytes.Equal(decrypted, plaintext) {
+		t.Fatal("plaintext unequal decrypted plaintext")
+	}
+	if err != nil {
+		t.Fatal("auth failed")
+	}
+}
+
+func FuzzSm4Gcm(f *testing.F) {
+	nonce := grand.GetRandom(12)
+	key := grand.GetRandom(16)
+
+	block, _ := sm4.NewCipher(key)
+	gcm, err := blockmode.NewGCM(blockmode.Wrap(block))
+	if err != nil {
+		f.Fatal(err)
+	}
+	stdgcm, _ := sm4.NewGCM(key)
+
+	f.Add([]byte{}, []byte{})
+	f.Fuzz(func(t *testing.T, plaintext, ad []byte) {
+		stdct := stdgcm.Seal(nil, nonce, plaintext, ad)
+		ct1 := gcm.Seal(nil, nonce, plaintext, ad)
+		if !bytes.Equal(ct1, stdct) {
+			t.Errorf("Seal failed")
+		}
+
+		if err := gcm.EncryptInit(nonce); err != nil {
+			t.Fatal(err)
+		}
+		// if additional data is empty, then call
+		// gcm.SpecifyADD(nil)
+		gcm.SpecifyADD(ad)
+
+		ct2, err := gcm.EncryptUpdate(nil, plaintext[:len(plaintext)/2])
+		if err != nil {
+			t.Fatal(err)
+		}
+		for _, p := range plaintext[len(plaintext)/2:] {
+			if ct2, err = gcm.EncryptUpdate(ct2, []byte{p}); err != nil {
+				t.Fatal(err)
+			}
+		}
+		ct2, err = gcm.EncryptFinal(ct2)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if !bytes.Equal(ct2, stdct) {
+			t.Errorf("Encrypt failed")
+		}
+
+		pt1, err1 := gcm.Open(nil, nonce, ct1, ad)
+		if err1 != nil {
+			t.Errorf("Open faile: %v\n", err1)
+		}
+		if err := gcm.DecryptInit(nonce); err != nil {
+			t.Fatal(err)
+		}
+		gcm.SpecifyADD(ad)
+
+		pt2, err := gcm.DecryptUpdate(nil, ct2[:len(ct2)/2])
+		if err != nil {
+			t.Fatal(err)
+		}
+		for _, p := range ct2[len(ct2)/2:] {
+			if pt2, err = gcm.DecryptUpdate(pt2, []byte{p}); err != nil {
+				t.Fatal(err)
+			}
+		}
+		pt2, err = gcm.DecryptFinal(pt2)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if !bytes.Equal(pt2, plaintext) {
+			t.Errorf("Decrypt failed")
+		}
+
+		if !bytes.Equal(pt1, plaintext) {
+			t.Errorf("Open failed")
+		}
+	})
+}

utils/blockmode/utils.go

@@ -0,0 +1,7 @@
+package blockmode
+
+func dup(p []byte) []byte {
+	q := make([]byte, len(p))
+	copy(q, p)
+	return q
+}

utils/blockmode/xts.go

@@ -0,0 +1,249 @@
+// Package xts implements the XTS cipher mode as specified in IEEE P1619/D16.
+//
+// XTS mode is typically used for disk encryption, which presents a number of
+// novel problems that make more common modes inapplicable. The disk is
+// conceptually an array of sectors and we must be able to encrypt and decrypt
+// a sector in isolation. However, an attacker must not be able to transpose
+// two sectors of plaintext by transposing their ciphertext.
+//
+// XTS wraps a block cipher with Rogaway's XEX mode in order to build a
+// tweakable block cipher. This allows each sector to have a unique tweak and
+// effectively create a unique key for each sector.
+//
+// XTS does not provide any authentication. An attacker can manipulate the
+// ciphertext and randomise a block (16 bytes) of the plaintext. This package
+// does not implement ciphertext-stealing so sectors must be a multiple of 16
+// bytes.
+//
+// Note that XTS is usually not appropriate for any use besides disk encryption.
+// Most users should use an AEAD mode like GCM (from crypto/cipher.NewGCM) instead.
+
+package blockmode
+
+import (
+	"xdx.jelly/xgcl/gerrors"
+	"xdx.jelly/xgcl/internal/xor"
+)
+
+// xts contains an expanded key structure. It is safe for concurrent use if
+// the underlying block cipher is safe for concurrent use.
+type xts struct {
+	k1, k2 EcbBlockMode
+	tweak  []byte
+
+	outBuf []byte
+}
+
+var _ TernaryCrypter = &xts{}
+
+// xtsBlockSize is the block size that the underlying cipher must have. XTS is
+// only defined for 16-byte ciphers.
+const xtsBlockSize = 16
+
+// NewXTS 需要使用两个16字节key, 对应入参需要两个EcbEncBlockMode。
+func NewXTS(ecb1, ecb2 EcbBlockMode) *xts {
+	return &xts{
+		k1:     ecb1,
+		k2:     ecb2,
+		tweak:  make([]byte, 0, xtsBlockSize),
+		outBuf: make([]byte, 0, 2*xtsBlockSize),
+	}
+}
+
+func (x *xts) EncryptInit(tw []byte) error {
+	if len(tw) != xtsBlockSize {
+		return gerrors.WithAnnotating(ErrXTSEncFailed, "input tweak must be 16 bytes long")
+	}
+	if cap(x.outBuf) < 2*xtsBlockSize {
+		x.outBuf = make([]byte, 0, 2*xtsBlockSize)
+	}
+	x.outBuf = x.outBuf[:0]
+	x.tweak = append(x.tweak[:0], tw...)
+	_ = x.k2.EcbEncCryptBlocks(x.tweak, x.tweak)
+	return nil
+}
+
+func (x *xts) Encrypt(dst []byte, src []byte) ([]byte, error) {
+	dst, err := x.EncryptUpdate(dst, src)
+	if err != nil {
+		return nil, err
+	}
+	return x.EncryptFinal(dst)
+}
+
+func (x *xts) fillTweakMask(mask []byte) {
+	for i := 0; i < len(mask); i += xtsBlockSize {
+		copy(mask[i:i+xtsBlockSize], x.tweak[:])
+		mul2(x.tweak)
+	}
+}
+
+func (x *xts) EncryptUpdate(dst []byte, in []byte) ([]byte, error) {
+	// how many data in hand
+	dataLen := len(x.outBuf) + len(in)
+	if dataLen < 2*xtsBlockSize {
+		x.outBuf = append(x.outBuf, in...)
+		return dst, nil
+	}
+	// how many blocks to process in this update
+	m := (dataLen - xtsBlockSize) >> 4
+
+	mask := make([]byte, m<<4)
+	x.fillTweakMask(mask)
+	ret, out := sliceForAppend(dst, m<<4)
+	n := xor.XorBytes(out, mask, x.outBuf)
+	// TODO wrong if len(in) = 1
+	n = xor.XorBytes(out[n:], mask[n:], in)
+	in = in[n:]
+	_ = x.k1.EcbEncCryptBlocks(out, out)
+
+	xor.XorBytes(out, out, mask)
+	n = 0
+	if len(x.outBuf) > m<<4 {
+		n = copy(x.outBuf[:xtsBlockSize], x.outBuf[m<<4:])
+	}
+	x.outBuf = x.outBuf[:n]
+	x.outBuf = append(x.outBuf, in...)
+	return ret, nil
+}
+
+func (x *xts) EncryptFinal(dst []byte) ([]byte, error) {
+	if len(x.outBuf) < xtsBlockSize {
+		return dst, gerrors.WithAnnotating(ErrXTSEncFailed, "plaintext must be at least 16 bytes")
+	}
+	in0 := x.outBuf[:xtsBlockSize]
+	in1 := x.outBuf[xtsBlockSize:]
+
+	ret, out := sliceForAppend(dst, len(x.outBuf))
+	out0 := out[:xtsBlockSize]
+	out1 := out[xtsBlockSize:]
+
+	mask := make([]byte, xtsBlockSize)
+	x.fillTweakMask(mask)
+	xor.XorBytes(out0, mask, in0)
+	_ = x.k1.EcbEncCryptBlocks(out0, out0)
+	xor.XorBytes(out0, out0, mask)
+
+	if len(in1) > 0 {
+		lastBlock := make([]byte, len(in1), xtsBlockSize)
+		copy(lastBlock, in1)
+		lastBlock = append(lastBlock, out0[len(in1):]...)
+		x.fillTweakMask(mask)
+		xor.XorBytes(lastBlock, mask, lastBlock)
+		_ = x.k1.EcbEncCryptBlocks(lastBlock, lastBlock)
+		xor.XorBytes(lastBlock, lastBlock, mask)
+		copy(mask, out0)
+		copy(out0, lastBlock)
+		copy(out1, mask)
+	}
+
+	return ret, nil
+
+}
+func (x *xts) DecryptInit(tw []byte) error {
+	if len(tw) != xtsBlockSize {
+		return gerrors.WithAnnotating(ErrXTSDecFailed, "input tweak must be 16 bytes long")
+	}
+	x.tweak = append(x.tweak[:0], tw...)
+	if cap(x.outBuf) < 2*xtsBlockSize {
+		x.outBuf = make([]byte, 0, 2*xtsBlockSize)
+	}
+	x.outBuf = x.outBuf[:0]
+	_ = x.k2.EcbEncCryptBlocks(x.tweak, x.tweak)
+	return nil
+}
+func (x *xts) Decrypt(dst []byte, in []byte) ([]byte, error) {
+	dst, err := x.DecryptUpdate(dst, in)
+	if err != nil {
+		return nil, err
+	}
+	return x.DecryptFinal(dst)
+}
+func (x *xts) DecryptUpdate(dst []byte, in []byte) ([]byte, error) {
+	// how many data in hand
+	dataLen := len(x.outBuf) + len(in)
+	if dataLen < 2*xtsBlockSize {
+		x.outBuf = append(x.outBuf, in...)
+		return dst, nil
+	}
+	// how many blocks to process in this update
+	m := (dataLen - xtsBlockSize) >> 4
+
+	mask := make([]byte, m<<4)
+	x.fillTweakMask(mask)
+	ret, out := sliceForAppend(dst, m<<4)
+	n := xor.XorBytes(out, mask, x.outBuf)
+	// TODO wrong if len(in) = 1
+	n = xor.XorBytes(out[n:], mask[n:], in)
+	in = in[n:]
+	_ = x.k1.EcbDecCryptBlocks(out, out)
+
+	xor.XorBytes(out, out, mask)
+	n = 0
+	if len(x.outBuf) > m<<4 {
+		n = copy(x.outBuf[:xtsBlockSize], x.outBuf[m<<4:])
+	}
+	x.outBuf = x.outBuf[:n]
+	x.outBuf = append(x.outBuf, in...)
+	return ret, nil
+}
+func (x *xts) DecryptFinal(dst []byte) ([]byte, error) {
+
+	if len(x.outBuf) < xtsBlockSize {
+		return dst, gerrors.WithAnnotating(ErrXTSEncFailed, "plaintext must be at least 16 bytes")
+	}
+
+	in0 := x.outBuf[:xtsBlockSize]
+	in1 := x.outBuf[xtsBlockSize:]
+
+	ret, out := sliceForAppend(dst, len(x.outBuf))
+	out0 := out[:xtsBlockSize]
+	out1 := out[xtsBlockSize:]
+
+	mask := make([]byte, xtsBlockSize*2)
+	x.fillTweakMask(mask)
+	mask0 := mask[:xtsBlockSize]
+	mask1 := mask[xtsBlockSize:]
+
+	if len(in1) == 0 {
+		xor.XorBytes(out0, mask0, in0)
+		_ = x.k1.EcbDecCryptBlocks(out0, out0)
+		xor.XorBytes(out0, out0, mask0)
+	} else {
+		xor.XorBytes(out0, mask1, in0)
+		_ = x.k1.EcbDecCryptBlocks(out0, out0)
+		xor.XorBytes(out0, out0, mask1)
+
+		lastBlock := make([]byte, len(in1), xtsBlockSize)
+		copy(lastBlock, in1)
+		lastBlock = append(lastBlock, out0[len(in1):]...)
+		xor.XorBytes(lastBlock, mask0, lastBlock)
+		_ = x.k1.EcbDecCryptBlocks(lastBlock, lastBlock)
+		xor.XorBytes(lastBlock, lastBlock, mask0)
+		copy(mask, out0)
+		copy(out0, lastBlock)
+		copy(out1, mask)
+	}
+
+	return ret, nil
+}
+
+// mul2 multiplies tweak by 2 in GF(2¹²⁸) with an irreducible polynomial of
+// x¹²⁸ + x⁷ + x² + x + 1.
+func mul2(tweak []byte) {
+	var carryIn byte
+	for j := range tweak {
+		carryOut := tweak[j] >> 7
+		tweak[j] = (tweak[j] << 1) + carryIn
+		carryIn = carryOut
+	}
+	if carryIn != 0 {
+		// If we have a carry bit then we need to subtract a multiple
+		// of the irreducible polynomial (x¹²⁸ + x⁷ + x² + x + 1).
+		// By dropping the carry bit, we're subtracting the x^128 term
+		// so all that remains is to subtract x⁷ + x² + x + 1.
+		// Subtraction (and addition) in this representation is just
+		// XOR.
+		tweak[0] ^= 1<<7 | 1<<2 | 1<<1 | 1
+	}
+}

utils/blockmode/xts_test.go

@@ -0,0 +1,212 @@
+package blockmode_test
+
+import (
+	"bytes"
+	"crypto/aes"
+	"encoding/binary"
+	"encoding/hex"
+	"testing"
+
+	"xdx.jelly/xgcl/sm/sm4"
+	"xdx.jelly/xgcl/utils/blockmode"
+)
+
+// These test vectors have been taken from IEEE P1619/D16, Annex B.
+var xtsTestVectors = []struct {
+	key        string
+	sector     uint64
+	plaintext  string
+	ciphertext string
+}{
+	{
+		"0000000000000000000000000000000000000000000000000000000000000000",
+		0,
+		"0000000000000000000000000000000000000000000000000000000000000000",
+		"917cf69ebd68b2ec9b9fe9a3eadda692cd43d2f59598ed858c02c2652fbf922e",
+	}, {
+		"1111111111111111111111111111111122222222222222222222222222222222",
+		0x3333333333,
+		"4444444444444444444444444444444444444444444444444444444444444444",
+		"c454185e6a16936e39334038acef838bfb186fff7480adc4289382ecd6d394f0",
+	}, {
+		"fffefdfcfbfaf9f8f7f6f5f4f3f2f1f022222222222222222222222222222222",
+		0x3333333333,
+		"4444444444444444444444444444444444444444444444444444444444444444",
+		"af85336b597afc1a900b2eb21ec949d292df4c047e0b21532186a5971a227a89",
+	}, {
+		"2718281828459045235360287471352631415926535897932384626433832795",
+		0,
+		"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
+		"27a7479befa1d476489f308cd4cfa6e2a96e4bbe3208ff25287dd3819616e89cc78cf7f5e543445f8333d8fa7f56000005279fa5d8b5e4ad40e736ddb4d35412328063fd2aab53e5ea1e0a9f332500a5df9487d07a5c92cc512c8866c7e860ce93fdf166a24912b422976146ae20ce846bb7dc9ba94a767aaef20c0d61ad02655ea92dc4c4e41a8952c651d33174be51a10c421110e6d81588ede82103a252d8a750e8768defffed9122810aaeb99f9172af82b604dc4b8e51bcb08235a6f4341332e4ca60482a4ba1a03b3e65008fc5da76b70bf1690db4eae29c5f1badd03c5ccf2a55d705ddcd86d449511ceb7ec30bf12b1fa35b913f9f747a8afd1b130e94bff94effd01a91735ca1726acd0b197c4e5b03393697e126826fb6bbde8ecc1e08298516e2c9ed03ff3c1b7860f6de76d4cecd94c8119855ef5297ca67e9f3e7ff72b1e99785ca0a7e7720c5b36dc6d72cac9574c8cbbc2f801e23e56fd344b07f22154beba0f08ce8891e643ed995c94d9a69c9f1b5f499027a78572aeebd74d20cc39881c213ee770b1010e4bea718846977ae119f7a023ab58cca0ad752afe656bb3c17256a9f6e9bf19fdd5a38fc82bbe872c5539edb609ef4f79c203ebb140f2e583cb2ad15b4aa5b655016a8449277dbd477ef2c8d6c017db738b18deb4a427d1923ce3ff262735779a418f20a282df920147beabe421ee5319d0568",
+	}, {
+		"2718281828459045235360287471352631415926535897932384626433832795",
+		1,
+		"27a7479befa1d476489f308cd4cfa6e2a96e4bbe3208ff25287dd3819616e89cc78cf7f5e543445f8333d8fa7f56000005279fa5d8b5e4ad40e736ddb4d35412328063fd2aab53e5ea1e0a9f332500a5df9487d07a5c92cc512c8866c7e860ce93fdf166a24912b422976146ae20ce846bb7dc9ba94a767aaef20c0d61ad02655ea92dc4c4e41a8952c651d33174be51a10c421110e6d81588ede82103a252d8a750e8768defffed9122810aaeb99f9172af82b604dc4b8e51bcb08235a6f4341332e4ca60482a4ba1a03b3e65008fc5da76b70bf1690db4eae29c5f1badd03c5ccf2a55d705ddcd86d449511ceb7ec30bf12b1fa35b913f9f747a8afd1b130e94bff94effd01a91735ca1726acd0b197c4e5b03393697e126826fb6bbde8ecc1e08298516e2c9ed03ff3c1b7860f6de76d4cecd94c8119855ef5297ca67e9f3e7ff72b1e99785ca0a7e7720c5b36dc6d72cac9574c8cbbc2f801e23e56fd344b07f22154beba0f08ce8891e643ed995c94d9a69c9f1b5f499027a78572aeebd74d20cc39881c213ee770b1010e4bea718846977ae119f7a023ab58cca0ad752afe656bb3c17256a9f6e9bf19fdd5a38fc82bbe872c5539edb609ef4f79c203ebb140f2e583cb2ad15b4aa5b655016a8449277dbd477ef2c8d6c017db738b18deb4a427d1923ce3ff262735779a418f20a282df920147beabe421ee5319d0568",
+		"264d3ca8512194fec312c8c9891f279fefdd608d0c027b60483a3fa811d65ee59d52d9e40ec5672d81532b38b6b089ce951f0f9c35590b8b978d175213f329bb1c2fd30f2f7f30492a61a532a79f51d36f5e31a7c9a12c286082ff7d2394d18f783e1a8e72c722caaaa52d8f065657d2631fd25bfd8e5baad6e527d763517501c68c5edc3cdd55435c532d7125c8614deed9adaa3acade5888b87bef641c4c994c8091b5bcd387f3963fb5bc37aa922fbfe3df4e5b915e6eb514717bdd2a74079a5073f5c4bfd46adf7d282e7a393a52579d11a028da4d9cd9c77124f9648ee383b1ac763930e7162a8d37f350b2f74b8472cf09902063c6b32e8c2d9290cefbd7346d1c779a0df50edcde4531da07b099c638e83a755944df2aef1aa31752fd323dcb710fb4bfbb9d22b925bc3577e1b8949e729a90bbafeacf7f7879e7b1147e28ba0bae940db795a61b15ecf4df8db07b824bb062802cc98a9545bb2aaeed77cb3fc6db15dcd7d80d7d5bc406c4970a3478ada8899b329198eb61c193fb6275aa8ca340344a75a862aebe92eee1ce032fd950b47d7704a3876923b4ad62844bf4a09c4dbe8b4397184b7471360c9564880aedddb9baa4af2e75394b08cd32ff479c57a07d3eab5d54de5f9738b8d27f27a9f0ab11799d7b7ffefb2704c95c6ad12c39f1e867a4b7b1d7818a4b753dfd2a89ccb45e001a03a867b187f225dd",
+	}, {
+		"27182818284590452353602874713526624977572470936999595749669676273141592653589793238462643383279502884197169399375105820974944592",
+		0xff,
+		"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
+		"1c3b3a102f770386e4836c99e370cf9bea00803f5e482357a4ae12d414a3e63b5d31e276f8fe4a8d66b317f9ac683f44680a86ac35adfc3345befecb4bb188fd5776926c49a3095eb108fd1098baec70aaa66999a72a82f27d848b21d4a741b0c5cd4d5fff9dac89aeba122961d03a757123e9870f8acf1000020887891429ca2a3e7a7d7df7b10355165c8b9a6d0a7de8b062c4500dc4cd120c0f7418dae3d0b5781c34803fa75421c790dfe1de1834f280d7667b327f6c8cd7557e12ac3a0f93ec05c52e0493ef31a12d3d9260f79a289d6a379bc70c50841473d1a8cc81ec583e9645e07b8d9670655ba5bbcfecc6dc3966380ad8fecb17b6ba02469a020a84e18e8f84252070c13e9f1f289be54fbc481457778f616015e1327a02b140f1505eb309326d68378f8374595c849d84f4c333ec4423885143cb47bd71c5edae9be69a2ffeceb1bec9de244fbe15992b11b77c040f12bd8f6a975a44a0f90c29a9abc3d4d893927284c58754cce294529f8614dcd2aba991925fedc4ae74ffac6e333b93eb4aff0479da9a410e4450e0dd7ae4c6e2910900575da401fc07059f645e8b7e9bfdef33943054ff84011493c27b3429eaedb4ed5376441a77ed43851ad77f16f541dfd269d50d6a5f14fb0aab1cbb4c1550be97f7ab4066193c4caa773dad38014bd2092fa755c824bb5e54c4f36ffda9fcea70b9c6e693e148c151",
+	},
+}
+
+func fromHex(s string) []byte {
+	ret, err := hex.DecodeString(s)
+	if err != nil {
+		panic("xts: invalid hex in test")
+	}
+	return ret
+}
+
+func TestXTS(t *testing.T) {
+	for i, test := range xtsTestVectors {
+		b := fromHex(test.key)
+		aesCipher1, _ := aes.NewCipher(b[:len(b)/2])
+		aesCipher2, err := aes.NewCipher(b[len(b)/2:])
+		if err != nil {
+			panic("xts: invalid hex in test")
+		}
+		xts := blockmode.NewXTS(blockmode.Wrap(aesCipher1), blockmode.Wrap(aesCipher2))
+
+		plaintext := fromHex(test.plaintext)
+		tweak := make([]byte, 16)
+		binary.LittleEndian.PutUint64(tweak[:8], test.sector)
+
+		xts.EncryptInit(tweak)
+		ciphertext := make([]byte, 0, 100)
+		for i := 0; i < len(plaintext); i++ {
+			ciphertext, err = xts.EncryptUpdate(ciphertext, []byte{plaintext[i]})
+		}
+		ciphertext, err = xts.EncryptFinal(ciphertext)
+
+		expectedCiphertext := fromHex(test.ciphertext)
+		if !bytes.Equal(ciphertext, expectedCiphertext) {
+			t.Errorf("#%d: encrypted failed, got: %x, want: %x", i, ciphertext, expectedCiphertext)
+			continue
+		}
+
+		decrypted := make([]byte, 0, len(ciphertext))
+		xts.DecryptInit(tweak)
+		for i := 0; i < len(ciphertext); i++ {
+			decrypted, err = xts.DecryptUpdate(decrypted, []byte{ciphertext[i]})
+		}
+		decrypted, err = xts.DecryptFinal(decrypted)
+		if !bytes.Equal(decrypted, plaintext) {
+			t.Errorf("#%d: decryption failed, got: %x, want: %x", i, decrypted, plaintext)
+		}
+	}
+}
+
+// GB/T 17964 的测试数
+func TestXtsGB(t *testing.T) {
+	b := fromHex("2B7E151628AED2A6ABF7158809CF4F3C000102030405060708090A0B0C0D0E0F")
+	cipher1, _ := sm4.NewCipher(b[:len(b)/2])
+	cipher2, err := sm4.NewCipher(b[len(b)/2:])
+	if err != nil {
+		panic("xts: invalid hex in test")
+	}
+	xts := blockmode.NewXTS(blockmode.Wrap(cipher1), blockmode.Wrap(cipher2))
+
+	plaintext := fromHex("6BC1BEE22E409F96E93D7E117393172AAE2D8A571E03AC9C9EB76FAC45AF8E51") //30C81C46A35CE411E5FBC1191A0A52EFF69F2445DF4F9B17")
+	tweak := fromHex("F0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF")
+
+	xts.EncryptInit(tweak)
+	ciphertext := make([]byte, 0, 100)
+	// for i := 0; i < len(plaintext); i++ {
+	// 	ciphertext, err = xts.EncryptUpdate(ciphertext, []byte{plaintext[i]})
+	// }
+	ciphertext, err = xts.EncryptUpdate(ciphertext, plaintext)
+	ciphertext, err = xts.EncryptFinal(ciphertext)
+
+	if 1 == 0 {
+		// FIXME: ciphertext 与 GB/T 17964 的测试数据对不上！？
+		expectedCiphertext := fromHex("E9538251C71D7B80BBE4483FEF497BD12C5C581BD6242FC51E08964FB4F60FDB0BA42F63499279213D318D2C11F6886E903BE7F93A1B3479")
+		if !bytes.Equal(ciphertext, expectedCiphertext) {
+			t.Errorf("encrypted failed, got: %x, want: %x", ciphertext, expectedCiphertext)
+		}
+	}
+
+	decrypted := make([]byte, 0, len(ciphertext))
+	xts.DecryptInit(tweak)
+	for i := 0; i < len(ciphertext); i++ {
+		decrypted, err = xts.DecryptUpdate(decrypted, []byte{ciphertext[i]})
+	}
+	decrypted, err = xts.DecryptFinal(decrypted)
+
+	if !bytes.Equal(decrypted, plaintext) {
+		t.Errorf("decryption failed, got: %x, want: %x", decrypted, plaintext)
+	}
+}
+
+// func TestShorterCiphertext(t *testing.T) {
+// 	// Decrypt used to panic if the input was shorter than the output. See
+// 	// https://go-review.googlesource.com/c/39954/
+// 	c, err := blockmode.NewXTS(aes.NewCipher, make([]byte, 32))
+// 	if err != nil {
+// 		t.Fatalf("NewCipher failed: %s", err)
+// 	}
+
+// 	plaintext := make([]byte, 32)
+// 	encrypted := make([]byte, 48)
+// 	decrypted := make([]byte, 48)
+
+// 	c.Encrypt(encrypted, plaintext, 0)
+// 	c.Decrypt(decrypted, encrypted[:len(plaintext)], 0)
+
+// 	if !bytes.Equal(plaintext, decrypted[:len(plaintext)]) {
+// 		t.Errorf("En/Decryption is not inverse")
+// 	}
+// }
+
+// func BenchmarkXTS(b *testing.B) {
+// 	b.ReportAllocs()
+// 	c, err := blockmode.NewXTS(aes.NewCipher, make([]byte, 32))
+// 	if err != nil {
+// 		b.Fatalf("NewCipher failed: %s", err)
+// 	}
+// 	plaintext := make([]byte, 32)
+// 	encrypted := make([]byte, 48)
+// 	decrypted := make([]byte, 48)
+
+// 	for i := 0; i < b.N; i++ {
+// 		c.Encrypt(encrypted, plaintext, 0)
+// 		c.Decrypt(decrypted, encrypted[:len(plaintext)], 0)
+// 	}
+// }
+
+func FuzzXts(f *testing.F) {
+	b := fromHex("2B7E151628AED2A6ABF7158809CF4F3C000102030405060708090A0B0C0D0E0F")
+	cipher1, _ := sm4.NewCipher(b[:len(b)/2])
+	cipher2, err := sm4.NewCipher(b[len(b)/2:])
+	if err != nil {
+		panic("xts: invalid hex in test")
+	}
+	xts := blockmode.NewXTS(blockmode.Wrap(cipher1), blockmode.Wrap(cipher2))
+	tweak := fromHex("F0F1F2F3F4F5F6F7F8F9FAFBFCFDFEFF")
+
+	f.Add([]byte{})
+	f.Fuzz(func(t *testing.T, plaintext []byte) {
+		for i := len(plaintext); i < 16; i++ {
+			plaintext = append(plaintext, 0)
+		}
+		xts.EncryptInit(tweak)
+		ciphertext := make([]byte, 0, len(plaintext))
+		for i := 0; i < len(plaintext); i++ {
+			ciphertext, err = xts.EncryptUpdate(ciphertext, []byte{plaintext[i]})
+		}
+
+		ciphertext, err = xts.EncryptFinal(ciphertext)
+
+		decrypted := make([]byte, 0, len(ciphertext))
+		xts.DecryptInit(tweak)
+		for i := 0; i < len(ciphertext); i++ {
+			decrypted, err = xts.DecryptUpdate(decrypted, []byte{ciphertext[i]})
+		}
+		decrypted, err = xts.DecryptFinal(decrypted)
+
+		if !bytes.Equal(decrypted, plaintext) {
+			t.Fatalf("decryption failed, got: %x, want: %x", decrypted, plaintext)
+		}
+	})
+}

utils/clear.go

@@ -0,0 +1,14 @@
+package utils
+
+// Clearable 内存置0接口
+// someinterface.(utils.Clearable).Clear()
+type Clearable interface {
+	Clear()
+}
+
+func ClearBytes(b []byte) {
+	b = b[:cap(b)]
+	for i := range b {
+		b[i] = 0
+	}
+}

utils/encoding/marshaler.go

@@ -0,0 +1,16 @@
+package encoding
+
+// encoding 定义gcl中用到的marshaler
+
+type UtilMarshaler interface {
+
+	// MarshalUtil append the marshaled data to data and return the appended data.
+	// The input data coulde be nil. If any error happens, returned []byte is the
+	// same as input data. The returned []byte may be re-allocate memory.
+	MarshalUtil(data []byte) ([]byte, error)
+}
+
+type UtilUnmarshaler interface {
+	// UnmarshalUtil unmarshal from data, and return the total consumed bytes.
+	UnmarshalUtil(data []byte) (uint64, error)
+}

utils/endian.go

@@ -0,0 +1,11 @@
+package utils
+
+// EndianReverse 反向src。必须像这么用：data = EndianReverse(data)
+// 可能会内存重分配，仅EndianReverse(data)的话可能丢失数据。
+func EndianReverse(src []byte) []byte {
+	l := len(src)
+	for i := 0; i < l>>1; i++ {
+		src[i], src[l-1-i] = src[l-1-i], src[i]
+	}
+	return src
+}

utils/objectpool/pool.go

@@ -0,0 +1,75 @@
+/*
+pool is pool of tmp obj
+临时对象的存储，每次GC都可能会回收。
+*/
+package objectpool
+
+import (
+	"math/big"
+	"sync"
+)
+
+// BytePool is pool for []byte
+var BytePool = sync.Pool{
+	New: func() interface{} {
+		b := make([]byte, 0, 1024)
+		return &b
+	},
+}
+
+var SmallBytePool = sync.Pool{
+	New: func() interface{} {
+		b := make([]byte, 0, 256)
+		return &b
+	},
+}
+
+var LargeBytePool = sync.Pool{
+	New: func() interface{} {
+		b := make([]byte, 0, 4096)
+		return &b
+	},
+}
+
+// GetBytes wraps the pool, for clear data
+func GetBytes() []byte {
+	b := BytePool.Get().(*[]byte)
+	return (*b)[:0]
+}
+func PutBytes(b []byte) {
+	BytePool.Put(&b)
+}
+
+func GetSmallBytes() []byte {
+	b := SmallBytePool.Get().(*[]byte)
+	return (*b)[:0]
+}
+func PutSmallBytes(b []byte) {
+	BytePool.Put(&b)
+}
+
+func GetLargeBytes() []byte {
+	b := LargeBytePool.Get().(*[]byte)
+	return (*b)[:0]
+}
+func PutLargeBytes(b []byte) {
+	BytePool.Put(&b)
+}
+
+// BigIntPool is pool for Big.Int
+var BigIntPool = sync.Pool{
+	New: func() interface{} {
+		b := new(big.Int)
+		return b
+	},
+}
+
+func GetBigInt() *big.Int {
+	b := BigIntPool.Get().(*big.Int)
+	b.SetInt64(0)
+	return b
+}
+
+func PutBigInt(b *big.Int) {
+	BigIntPool.Put(b)
+}

utils/objectpool/pool_test.go

@@ -0,0 +1,107 @@
+package objectpool
+
+import (
+	"fmt"
+	"math/big"
+	"sync"
+	"testing"
+	"time"
+)
+
+func TestBigIntPool(t *testing.T) {
+	var wg sync.WaitGroup
+
+	a := time.Now().UnixNano()
+	for i := 0; i < 100; i++ {
+		wg.Add(1)
+		go func() {
+			for i := 0; i < 1000000; i++ {
+				a := new(big.Int)
+				a.SetInt64(1)
+				a.Add(a, a)
+			}
+			wg.Done()
+		}()
+	}
+	wg.Wait()
+	b := time.Now().UnixNano()
+	for i := 0; i < 100; i++ {
+		wg.Add(1)
+		go func() {
+			for j := 0; j < 1000000; j++ {
+				a := GetBigInt()
+				a.SetInt64(1)
+				a.Add(a, a)
+				PutBigInt(a)
+			}
+			wg.Done()
+		}()
+	}
+	wg.Wait()
+	c := time.Now().UnixNano()
+	fmt.Println("without pool ", b-a)
+	fmt.Println("with    pool ", c-b)
+}
+
+func bytesFactory(n int) []byte {
+	return make([]byte, n)
+}
+func doSomeWork(b []byte) {
+	for i := 0; i < len(b); i++ {
+		b[i] = byte(i)
+	}
+}
+
+func TestBytesFactory(t *testing.T){
+	a := 0
+	fmt.Printf("%p\n",&a)
+	b := bytesFactory(1024)  // b is not on stack
+	fmt.Printf("%p\n", &(b[0]))
+}
+func TestBytesPool(t *testing.T) {
+	var wg sync.WaitGroup
+
+	a := time.Now().UnixNano()
+	for i := 0; i < 100; i++ {
+		wg.Add(1)
+		go func() {
+			for i := 0; i < 10000; i++ {
+				a := bytesFactory(1024)
+				doSomeWork(a)
+			}
+			wg.Done()
+		}()
+	}
+	wg.Wait()
+	b := time.Now().UnixNano()
+	for i := 0; i < 100; i++ {
+		wg.Add(1)
+		go func() {
+			for j := 0; j < 10000; j++ {
+				a := GetBytes()
+				doSomeWork(a)
+				PutBytes(a)
+			}
+			wg.Done()
+		}()
+	}
+	wg.Wait()
+	c := time.Now().UnixNano()
+	fmt.Println("without pool ", b-a)
+	fmt.Println("with    pool ", c-b)
+}
+
+
+func BenchmarkBytesPool(b *testing.B) {
+	for j := 0; j < 10000; j++ {
+		a := GetBytes()
+		doSomeWork(a)
+		PutBytes(a)
+	}
+}
+func BenchmarkBytesMake(b *testing.B) {
+	for j := 0; j < 10000; j++ {
+		a := bytesFactory(1024)
+		doSomeWork(a)
+	}
+}

utils/padding/p5.go

@@ -0,0 +1,19 @@
+package padding
+
+// TODO
+
+type P5Padding struct {
+}
+
+func (P5Padding) Pad(src []byte, blockSize int) (dst []byte) {
+	// panic("P5Padding is not support now")
+	// return src
+	return P7Padding{}.Pad(src, blockSize)
+}
+
+func (P5Padding) Unpad(src []byte, blockSize int) (dst []byte, err error) {
+	// panic("P5Padding is not support now")
+	// return nil, nil
+	return P7Padding{}.Unpad(src, blockSize)
+
+}

utils/padding/p7.go

@@ -0,0 +1,41 @@
+package padding
+
+import "fmt"
+
+type P7Padding struct {
+}
+
+func (P7Padding) Pad(src []byte, blockSize int) (dst []byte) {
+	if blockSize < MIN_BLOCK_SIZE || blockSize > MAX_BLOCK_SIZE {
+		panic("blocksize error")
+	}
+	// if blocksize == 2^n, then paddingsize = -len(src) & (blocksize - 1)
+	paddingSize := byte(blockSize - (len(src) % blockSize))
+	for i := 0; i < int(paddingSize); i++ {
+		src = append(src, paddingSize)
+	}
+	return src
+}
+
+func (P7Padding) Unpad(src []byte, blockSize int) (dst []byte, err error) {
+	if blockSize < MIN_BLOCK_SIZE || blockSize > MAX_BLOCK_SIZE {
+		panic("blocksize error")
+	}
+
+	if len(src) == 0 {
+		return src, nil
+	}
+	paddingSize := int(uint(src[len(src)-1]))
+
+	if paddingSize > len(src) || paddingSize == 0 {
+		return src, fmt.Errorf("unpadding error")
+	}
+
+	for i := len(src) - paddingSize; i < len(src)-1; i++ {
+		if int(src[i]) != paddingSize {
+			return src, fmt.Errorf("unpadding error")
+		}
+	}
+
+	return src[:len(src)-paddingSize], nil
+}

utils/padding/padding.go

@@ -0,0 +1,29 @@
+package padding
+
+const (
+	MIN_BLOCK_SIZE = 8
+	MAX_BLOCK_SIZE = 128
+)
+
+type Padding interface {
+	// Pad 补码，一般用法 data = Pad(data, sm4.ByteSize),
+	// 但返回时dst和src可能内存地址相同,也可能不同。
+	Pad(src []byte, blockSize int) (dst []byte)
+
+	// Unpad 去补码，一般用法 data = Unpad(data, sm4.ByteSize),
+	// 如出错，则dst = src，不改变src。
+	Unpad(src []byte, blockSize int) (dst []byte, err error)
+}
+
+var P7 Padding = P7Padding{}
+var P5 Padding = P5Padding{}
+var None Padding = NonePadding{}
+
+type NonePadding struct{}
+
+func (NonePadding) Pad(src []byte, blockSize int) (dst []byte) {
+	return src
+}
+func (NonePadding) Unpad(src []byte, blockSize int) (dst []byte, err error) {
+	return src, nil
+}

utils/utils_test.go

@@ -0,0 +1,11 @@
+package utils
+
+import (
+	"testing"
+)
+
+func TestEndian(t *testing.T) {
+	a := []byte{1, 2, 3, 4, 5, 6, 7}
+	t.Log(a)
+	t.Log(EndianReverse(a))
+}

utils/uuid/doc.go

@@ -0,0 +1,3 @@
+/* package uuid implements the RFC 4122 */
+
+package uuid

utils/uuid/uuid.go

@@ -0,0 +1,4 @@
+package uuid
+
+
+// TODO