yaole/xgcl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

init: v1.0.0

Browse Source
This commit is contained in:
yaole
2026-05-27 23:03:00 +08:00
commit 8d97f750eb
466 changed files with 80067 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
utils/blockmode/gcm.go
+576
View File
@@ -0,0 +1,576 @@
package blockmode
import (
"crypto/cipher"
"encoding/binary"
"xdx.jelly/xgcl/gerrors"
"xdx.jelly/xgcl/internal/subtle"
"xdx.jelly/xgcl/internal/xor"
)
// NewGCM 返回AEAD接口,使用标准的12字节的nonce和16字节的tag。并且BlockEncrypter.BlockSize()
// 必须返回16。
func NewGCM(cipher EcbBlockMode) (TernaryGCM, error) {
aead, err := NewGCMWithNonceAndTagSize(cipher, gcmStandardNonceSize, gcmTagSize)
return aead, err
}
// gcmFieldElement represents a value in GF(2¹²⁸). In order to reflect the GCM
// standard and make binary.BigEndian suitable for marshaling these values, the
// bits are stored in big endian order. For example:
//
// the coefficient of x⁰ can be obtained by v.low >> 63.
// the coefficient of x⁶³ can be obtained by v.low & 1.
// the coefficient of x⁶⁴ can be obtained by v.high >> 63.
// the coefficient of x¹²⁷ can be obtained by v.high & 1.
type gcmFieldElement struct {
low, high uint64
}
// gcm represents a Galois Counter Mode with a specific key. See
// https://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
type gcm struct {
cipher EcbBlockMode
nonceSize int
tagSize int
// productTable contains the first sixteen powers of the key, H.
// However, they are in bit reversed order. See NewGCMWithNonceSize.
productTable [16]gcmFieldElement
y gcmFieldElement
additionalDataLen int
dataLen int
tagMask [gcmBlockSize]byte
counter [gcmBlockSize]byte
buf []byte // 上一个分组未处理的数据。
}
// NewGCMWithNonceSize returns the given 128-bit, block cipher wrapped in Galois
// Counter Mode, which accepts nonces of the given length. The length must not
// be zero.
//
// Only use this function if you require compatibility with an existing
// cryptosystem that uses non-standard nonce lengths. All other users should use
// NewGCM, which is faster and more resistant to misuse.
func NewGCMWithNonceSize(cipher EcbBlockMode, size int) (cipher.AEAD, error) {
return NewGCMWithNonceAndTagSize(cipher, size, gcmTagSize)
}
// NewGCMWithTagSize returns the given 128-bit, block cipher wrapped in Galois
// Counter Mode, which generates tags with the given length.
//
// Tag sizes between 12 and 16 bytes are allowed.
//
// Only use this function if you require compatibility with an existing
// cryptosystem that uses non-standard tag lengths. All other users should use
// NewGCM, which is more resistant to misuse.
func NewGCMWithTagSize(cipher EcbBlockMode, tagSize int) (cipher.AEAD, error) {
return NewGCMWithNonceAndTagSize(cipher, gcmStandardNonceSize, tagSize)
}
func NewGCMWithNonceAndTagSize(cipher EcbBlockMode, nonceSize, tagSize int) (TernaryGCM, error) {
if tagSize < gcmMinimumTagSize || tagSize > gcmBlockSize {
return nil, gerrors.WithAnnotatingf(ErrInvalidInput, "tag size in GCM can only between %d and %d", gcmMinimumTagSize, gcmBlockSize)
}
if nonceSize <= 0 {
return nil, gerrors.WithAnnotating(ErrInvalidInput, "the nonce can't have zero length, or the security of the key will be immediately compromised")
}
if cipher.BlockSize() != gcmBlockSize {
return nil, gerrors.WithAnnotating(ErrInvalidInput, "blockmode: NewGCM requires 128-bit block cipher")
}
var key [gcmBlockSize]byte
_ = cipher.EcbEncCryptBlocks(key[:], key[:])
g := &gcm{cipher: cipher, nonceSize: nonceSize, tagSize: tagSize, buf: make([]byte, 0, gcmBlockSize)}
// We precompute 16 multiples of |key|. However, when we do lookups
// into this table we'll be using bits from a field element and
// therefore the bits will be in the reverse order. So normally one
// would expect, say, 4*key to be in index 4 of the table but due to
// this bit ordering it will actually be in index 0010 (base 2) = 2.
x := gcmFieldElement{
binary.BigEndian.Uint64(key[:8]),
binary.BigEndian.Uint64(key[8:]),
}
g.productTable[reverseBits(1)] = x
for i := 2; i < 16; i += 2 {
g.productTable[reverseBits(i)] = gcmDouble(&g.productTable[reverseBits(i/2)])
g.productTable[reverseBits(i+1)] = gcmAdd(&g.productTable[reverseBits(i)], &x)
}
return g, nil
}
const (
gcmBlockSize = 16
gcmTagSize = 16
gcmMinimumTagSize = 12 // NIST SP 800-38D recommends tags with 12 or more bytes.
gcmStandardNonceSize = 12
)
func (g *gcm) NonceSize() int {
return g.nonceSize
}
func (g *gcm) Overhead() int {
return g.tagSize
}
// Seal 加密,输入nonce大小必须为g.NonceSize().
func (g *gcm) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
if len(nonce) != g.nonceSize {
panic("blockmode: incorrect nonce length given to GCM")
}
if uint64(len(plaintext)) > ((1<<32)-2)*uint64(g.cipher.BlockSize()) {
panic("blockmode: message too large for GCM")
}
ret, out := sliceForAppend(dst, len(plaintext)+g.tagSize)
if subtle.InexactOverlap(out, plaintext) {
// 拷贝一份原文
plaintext = dup(plaintext)
}
var counter, tagMask [gcmBlockSize]byte
g.deriveCounter(&counter, nonce) // counter = J0
_ = g.cipher.EcbEncCryptBlocks(tagMask[:], counter[:])
gcmInc32(&counter)
g.counterCrypt(out, plaintext, &counter)
var tag [gcmTagSize]byte
g.auth(tag[:], out[:len(plaintext)], additionalData, &tagMask)
copy(out[len(plaintext):], tag[:])
return ret
}
func (g *gcm) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
if len(nonce) != g.nonceSize {
return dst, gerrors.WithAnnotatingf(ErrAEADOpenFailed, "incorrect nonce length(%d) given to GCM, it should be %d", len(nonce), g.nonceSize)
}
// Sanity check to prevent the authentication from always succeeding if an implementation
// leaves tagSize uninitialized, for example.
if g.tagSize < gcmMinimumTagSize {
return dst, gerrors.WithAnnotatingf(ErrAEADOpenFailed, "input tag size(%d) too small, it should be at least %d", g.tagSize, gcmMinimumTagSize)
}
if len(ciphertext) < g.tagSize {
return dst, gerrors.WithAnnotating(ErrAEADOpenFailed, "ciphertext is shorter than tag size")
}
if uint64(len(ciphertext)) > ((1<<32)-2)*uint64(g.cipher.BlockSize())+uint64(g.tagSize) {
return dst, gerrors.WithAnnotatingf(ErrAEADOpenFailed, "ciphertext too long")
}
tag := ciphertext[len(ciphertext)-g.tagSize:]
ciphertext = ciphertext[:len(ciphertext)-g.tagSize]
var counter, tagMask [gcmBlockSize]byte
g.deriveCounter(&counter, nonce)
_ = g.cipher.EcbEncCryptBlocks(tagMask[:], counter[:])
gcmInc32(&counter)
var expectedTag [gcmTagSize]byte
g.auth(expectedTag[:], ciphertext, additionalData, &tagMask)
ret, out := sliceForAppend(dst, len(ciphertext))
if subtle.InexactOverlap(out, ciphertext) {
ciphertext = dup(ciphertext)
}
if subtle.ConstantTimeCompare(expectedTag[:g.tagSize], tag) != 1 {
// The AESNI code decrypts and authenticates concurrently, and
// so overwrites dst in the event of a tag mismatch. That
// behavior is mimicked here in order to be consistent across
// platforms.
for i := range out {
out[i] = 0
}
return ret[:len(dst)], gerrors.ChainErrors(ErrAEADOpenFailed, ErrAEADTagCheckFailed)
}
g.counterCrypt(out, ciphertext, &counter)
return ret, nil
}
// reverseBits reverses the order of the bits of 4-bit number in i.
func reverseBits(i int) int {
i = ((i << 2) & 0xc) | ((i >> 2) & 0x3)
i = ((i << 1) & 0xa) | ((i >> 1) & 0x5)
return i
}
// gcmAdd adds two elements of GF(2¹²⁸) and returns the sum.
func gcmAdd(x, y *gcmFieldElement) gcmFieldElement {
// Addition in a characteristic 2 field is just XOR.
return gcmFieldElement{x.low ^ y.low, x.high ^ y.high}
}
// gcmDouble returns the result of doubling an element of GF(2¹²⁸).
func gcmDouble(x *gcmFieldElement) (double gcmFieldElement) {
msbSet := x.high&1 == 1
// Because of the bit-ordering, doubling is actually a right shift.
double.high = x.high >> 1
double.high |= x.low << 63
double.low = x.low >> 1
// If the most-significant bit was set before shifting then it,
// conceptually, becomes a term of x^128. This is greater than the
// irreducible polynomial so the result has to be reduced. The
// irreducible polynomial is 1+x+x^2+x^7+x^128. We can subtract that to
// eliminate the term at x^128 which also means subtracting the other
// four terms. In characteristic 2 fields, subtraction == addition ==
// XOR.
if msbSet {
double.low ^= 0xe100000000000000
}
return
}
var gcmReductionTable = []uint16{
0x0000, 0x1c20, 0x3840, 0x2460, 0x7080, 0x6ca0, 0x48c0, 0x54e0,
0xe100, 0xfd20, 0xd940, 0xc560, 0x9180, 0x8da0, 0xa9c0, 0xb5e0,
}
// mul sets y to y*H, where H is the GCM key, fixed during NewGCMWithNonceSize.
func (g *gcm) mul(y *gcmFieldElement) {
var z gcmFieldElement
for i := 0; i < 2; i++ {
word := y.high
if i == 1 {
word = y.low
}
// Multiplication works by multiplying z by 16 and adding in
// one of the precomputed multiples of H.
for j := 0; j < 64; j += 4 {
msw := z.high & 0xf
z.high >>= 4
z.high |= z.low << 60
z.low >>= 4
z.low ^= uint64(gcmReductionTable[msw]) << 48
// the values in |table| are ordered for
// little-endian bit positions. See the comment
// in NewGCMWithNonceSize.
t := &g.productTable[word&0xf]
z.low ^= t.low
z.high ^= t.high
word >>= 4
}
}
*y = z
}
// updateBlocks extends y with more polynomial terms from blocks, based on
// Horner's rule. There must be a multiple of gcmBlockSize bytes in blocks.
func (g *gcm) updateBlocks(y *gcmFieldElement, blocks []byte) {
for len(blocks) > 0 {
y.low ^= binary.BigEndian.Uint64(blocks)
y.high ^= binary.BigEndian.Uint64(blocks[8:])
g.mul(y)
blocks = blocks[gcmBlockSize:]
}
}
// update extends y with more polynomial terms from data. If data is not a
// multiple of gcmBlockSize bytes long then the remainder is zero padded.
func (g *gcm) update(y *gcmFieldElement, data []byte) {
fullBlocks := (len(data) >> 4) << 4
g.updateBlocks(y, data[:fullBlocks])
if len(data) != fullBlocks {
var partialBlock [gcmBlockSize]byte
copy(partialBlock[:], data[fullBlocks:])
g.updateBlocks(y, partialBlock[:])
}
}
// gcmInc32 treats the final four bytes of counterBlock as a big-endian value
// and increments it.
func gcmInc32(counterBlock *[16]byte) {
ctr := counterBlock[len(counterBlock)-4:]
binary.BigEndian.PutUint32(ctr, binary.BigEndian.Uint32(ctr)+1)
}
// sliceForAppend takes a slice and a requested number of bytes. It returns a
// slice with the contents of the given slice followed by that many bytes and a
// second slice that aliases into it and contains only the extra bytes. If the
// original slice has sufficient capacity then no allocation is performed.
func sliceForAppend(in []byte, n int) (head, tail []byte) {
if total := len(in) + n; cap(in) >= total {
head = in[:total]
} else {
head = make([]byte, total)
copy(head, in)
}
tail = head[len(in):]
return
}
// counterCrypt crypts in to out using g.cipher in counter mode.
func (g *gcm) counterCrypt(out, in []byte, counter *[gcmBlockSize]byte) {
// var mask [gcmBlockSize]byte
counterBuf := make([]byte, (len(in)+gcmBlockSize-1)&(^(gcmBlockSize - 1)))
for i := 0; i < len(counterBuf); i += gcmBlockSize {
copy(counterBuf[i:i+gcmBlockSize], counter[:])
gcmInc32(counter)
}
_ = g.cipher.EcbEncCryptBlocks(counterBuf, counterBuf)
xor.XorBytes(out, in, counterBuf)
}
// deriveCounter computes the initial GCM counter state from the given nonce.
// See NIST SP 800-38D, section 7.1. This assumes that counter is filled with
// zeros on entry.
func (g *gcm) deriveCounter(counter *[gcmBlockSize]byte, nonce []byte) {
// GCM has two modes of operation with respect to the initial counter
// state: a "fast path" for 96-bit (12-byte) nonces, and a "slow path"
// for nonces of other lengths. For a 96-bit nonce, the nonce, along
// with a four-byte big-endian counter starting at one, is used
// directly as the starting counter. For other nonce sizes, the counter
// is computed by passing it through the GHASH function.
if len(nonce) == gcmStandardNonceSize {
copy(counter[:], nonce)
counter[gcmBlockSize-1] = 1
counter[gcmBlockSize-2] = 0
counter[gcmBlockSize-3] = 0
counter[gcmBlockSize-4] = 0
} else {
var y gcmFieldElement
g.update(&y, nonce)
y.high ^= uint64(len(nonce)) * 8
g.mul(&y)
binary.BigEndian.PutUint64(counter[:8], y.low)
binary.BigEndian.PutUint64(counter[8:], y.high)
}
}
// auth calculates GHASH(ciphertext, additionalData), masks the result with
// tagMask and writes the result to out.
func (g *gcm) auth(out, ciphertext, additionalData []byte, tagMask *[gcmTagSize]byte) {
var y gcmFieldElement
g.update(&y, additionalData)
g.update(&y, ciphertext)
y.low ^= uint64(len(additionalData)) * 8
y.high ^= uint64(len(ciphertext)) * 8
g.mul(&y)
binary.BigEndian.PutUint64(out, y.low)
binary.BigEndian.PutUint64(out[8:], y.high)
xor.XorBytes(out, out, tagMask[:])
}
func (g *gcm) init(nonce []byte) error {
if len(nonce) != g.nonceSize {
return gerrors.WithAnnotatingf(ErrInvalidInput, "incorrect nonce length given to GCM, want %d, given %d", g.nonceSize, len(nonce))
}
g.deriveCounter(&g.counter, nonce)
return nil
}
func (g *gcm) SpecifyADD(ad []byte) {
g.additionalDataLen = len(ad)
g.dataLen = 0
g.y.high = 0
g.y.low = 0
g.buf = g.buf[:0]
g.update(&g.y, ad)
_ = g.cipher.EcbEncCryptBlocks(g.tagMask[:], g.counter[:])
gcmInc32(&g.counter)
}
// EncryptInit 三段式加密第一步, Seal/Open/Update/
func (g *gcm) EncryptInit(nonce []byte) error {
return g.init(nonce)
}
func (g *gcm) Encrypt(dst []byte, in []byte) ([]byte, error) {
dst, err := g.EncryptUpdate(dst, in)
if err != nil {
return dst, err
}
return g.EncryptFinal(dst)
}
// encryptCounters returns the ciphertext of counter || counter+1 || ... || counter+n-1
func (g *gcm) encryptCounters(n int) ([]byte, error) {
var oldCounter [gcmBlockSize]byte
copy(oldCounter[:], g.counter[:])
counterBuf := make([]byte, n*gcmBlockSize)
for i := 0; i < n; i++ {
copy(counterBuf[i*gcmBlockSize:(i+1)*gcmBlockSize], g.counter[:])
gcmInc32(&g.counter)
}
if err := g.cipher.EcbEncCryptBlocks(counterBuf, counterBuf); err != nil {
copy(g.counter[:], oldCounter[:])
return nil, gerrors.WithMessage(err, "EcbEncCryptBlocks failed")
}
return counterBuf, nil
}
func (g *gcm) EncryptUpdate(dst []byte, in []byte) ([]byte, error) {
g.dataLen += len(in)
if len(g.buf)+len(in) < gcmBlockSize {
g.buf = append(g.buf, in...)
return dst, nil
}
nBlocks := (len(g.buf) + len(in)) >> 4
counterBuf, err := g.encryptCounters(nBlocks)
if err != nil {
return dst, err
}
ret, out := sliceForAppend(dst, nBlocks*gcmBlockSize)
xor.XorBytes(out, counterBuf, g.buf)
counterBuf = counterBuf[len(g.buf):]
out = out[len(g.buf):]
n := xor.XorBytes(out, counterBuf, in)
in = in[n:]
g.buf = append(g.buf[:0], in...)
g.update(&g.y, ret[len(dst):])
return ret, nil
}
func (g *gcm) EncryptFinal(dst []byte) ([]byte, error) {
ret, out := sliceForAppend(dst, len(g.buf)+gcmTagSize)
tag := out[len(g.buf):]
out = out[:len(g.buf)]
if len(g.buf) > 0 {
counterBuf := make([]byte, gcmBlockSize)
_ = g.cipher.EcbEncCryptBlocks(counterBuf, g.counter[:])
xor.XorBytes(out, counterBuf, g.buf)
g.update(&g.y, out)
}
g.y.low ^= uint64(g.additionalDataLen) * 8
g.y.high ^= uint64(g.dataLen) * 8
g.mul(&g.y)
binary.BigEndian.PutUint64(tag, g.y.low)
binary.BigEndian.PutUint64(tag[8:], g.y.high)
xor.XorBytes(tag, tag, g.tagMask[:])
return ret, nil
}
// EncryptInit 三段式加密第一步, Seal/Open/Update/
func (g *gcm) DecryptInit(nonce []byte) error {
return g.init(nonce)
}
func (g *gcm) Decrypt(dst []byte, in []byte) ([]byte, error) {
dst, err := g.DecryptUpdate(dst, in)
if err != nil {
return dst, err
}
return g.DecryptFinal(dst)
}
func (g *gcm) DecryptUpdate(dst []byte, in []byte) ([]byte, error) {
if g.tagSize < gcmMinimumTagSize {
return dst, gerrors.WithAnnotatingf(ErrGCMDecFailed, "incorrect GCM tag size(%d)", g.tagSize)
}
// if len(ciphertext) < g.tagSize {
// return nil, errOpen
// }
// if uint64(len(ciphertext)) > ((1<<32)-2)*uint64(g.cipher.BlockSize())+uint64(g.tagSize) {
// return nil, errOpen
// }
if len(g.buf)+len(in) < 2*gcmBlockSize {
g.buf = append(g.buf, in...)
g.dataLen += len(in)
return dst, nil
}
// at least one block
processDataLen := len(g.buf) + len(in) - gcmBlockSize
nBlocks := processDataLen >> 4
nCounterCipher, err := g.encryptCounters(nBlocks)
if err != nil {
return dst, gerrors.ChainErrors(ErrGCMDecFailed, err)
}
g.dataLen += len(in)
n := 2*gcmBlockSize - len(g.buf)
g.buf = append(g.buf, in[:n]...)
in = in[n:]
if len(in) < gcmBlockSize {
// 处理1个block并返回
g.update(&g.y, g.buf[:gcmBlockSize])
xor.XorBytes(nCounterCipher[:gcmBlockSize], nCounterCipher[:gcmBlockSize], g.buf[:gcmBlockSize])
dst = append(dst, nCounterCipher[:gcmBlockSize]...)
n := copy(g.buf[:gcmBlockSize], g.buf[gcmBlockSize:])
g.buf = g.buf[:n]
g.buf = append(g.buf, in...)
return dst, nil
}
// 先处理g.buf的2个blocks
g.update(&g.y, g.buf[:2*gcmBlockSize])
xor.XorBytes(nCounterCipher[:2*gcmBlockSize], nCounterCipher[:2*gcmBlockSize], g.buf[:2*gcmBlockSize])
dst = append(dst, nCounterCipher[:2*gcmBlockSize]...)
g.buf = g.buf[:0]
nCounterCipher = nCounterCipher[2*gcmBlockSize:]
// 处理in剩余的nBlocks - 2个block
g.update(&g.y, in[:(nBlocks-2)*gcmBlockSize])
xor.XorBytes(nCounterCipher, nCounterCipher, in[:(nBlocks-2)*gcmBlockSize])
dst = append(dst, nCounterCipher...)
// 拷贝in剩余字节到buf,至少16字节。
g.buf = append(g.buf[:0], in[(nBlocks-2)*gcmBlockSize:]...)
return dst, nil
}
func (g *gcm) DecryptFinal(dst []byte) ([]byte, error) {
// g.buf 至少应该16字节,即tag。否则输入错误或内部处理错误(bug)
if g.dataLen < gcmTagSize {
return dst, gerrors.WithAnnotating(ErrGCMDecFailed, "input data must at least 16 bytes long")
}
if len(g.buf) < gcmTagSize {
return dst, gerrors.WithAnnotatingf(ErrGCMDecFailed, "internal error, len(g.buf)=%d", len(g.buf))
}
ret, out := sliceForAppend(dst, len(g.buf)-gcmTagSize)
cipherText := g.buf[:len(g.buf)-gcmTagSize]
WantedTag := g.buf[len(g.buf)-gcmTagSize:]
if len(cipherText) > 0 {
counterBuf := make([]byte, gcmBlockSize)
_ = g.cipher.EcbEncCryptBlocks(counterBuf, g.counter[:])
xor.XorBytes(out, counterBuf, cipherText)
g.update(&g.y, out)
}
var tag [gcmTagSize]byte
g.y.low ^= uint64(g.additionalDataLen) * 8
g.y.high ^= uint64(g.dataLen) * 8
g.mul(&g.y)
binary.BigEndian.PutUint64(tag[:8], g.y.low)
binary.BigEndian.PutUint64(tag[8:], g.y.high)
xor.XorBytes(tag[:], tag[:], g.tagMask[:])
if subtle.ConstantTimeCompare(tag[:], WantedTag) != 0 {
return dst, gerrors.ChainErrors(ErrGCMDecFailed, ErrAEADTagCheckFailed)
}
return ret, nil
}