package blockmode import ( "crypto/cipher" "encoding/binary" "xdx.jelly/xgcl/gerrors" "xdx.jelly/xgcl/internal/subtle" "xdx.jelly/xgcl/internal/xor" ) // NewGCM 返回AEAD接口,使用标准的12字节的nonce和16字节的tag。并且BlockEncrypter.BlockSize() // 必须返回16。 func NewGCM(cipher EcbBlockMode) (TernaryGCM, error) { aead, err := NewGCMWithNonceAndTagSize(cipher, gcmStandardNonceSize, gcmTagSize) return aead, err } // gcmFieldElement represents a value in GF(2¹²⁸). In order to reflect the GCM // standard and make binary.BigEndian suitable for marshaling these values, the // bits are stored in big endian order. For example: // // the coefficient of x⁰ can be obtained by v.low >> 63. // the coefficient of x⁶³ can be obtained by v.low & 1. // the coefficient of x⁶⁴ can be obtained by v.high >> 63. // the coefficient of x¹²⁷ can be obtained by v.high & 1. type gcmFieldElement struct { low, high uint64 } // gcm represents a Galois Counter Mode with a specific key. See // https://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf type gcm struct { cipher EcbBlockMode nonceSize int tagSize int // productTable contains the first sixteen powers of the key, H. // However, they are in bit reversed order. See NewGCMWithNonceSize. productTable [16]gcmFieldElement y gcmFieldElement additionalDataLen int dataLen int tagMask [gcmBlockSize]byte counter [gcmBlockSize]byte buf []byte // 上一个分组未处理的数据。 } // NewGCMWithNonceSize returns the given 128-bit, block cipher wrapped in Galois // Counter Mode, which accepts nonces of the given length. The length must not // be zero. // // Only use this function if you require compatibility with an existing // cryptosystem that uses non-standard nonce lengths. All other users should use // NewGCM, which is faster and more resistant to misuse. func NewGCMWithNonceSize(cipher EcbBlockMode, size int) (cipher.AEAD, error) { return NewGCMWithNonceAndTagSize(cipher, size, gcmTagSize) } // NewGCMWithTagSize returns the given 128-bit, block cipher wrapped in Galois // Counter Mode, which generates tags with the given length. // // Tag sizes between 12 and 16 bytes are allowed. // // Only use this function if you require compatibility with an existing // cryptosystem that uses non-standard tag lengths. All other users should use // NewGCM, which is more resistant to misuse. func NewGCMWithTagSize(cipher EcbBlockMode, tagSize int) (cipher.AEAD, error) { return NewGCMWithNonceAndTagSize(cipher, gcmStandardNonceSize, tagSize) } func NewGCMWithNonceAndTagSize(cipher EcbBlockMode, nonceSize, tagSize int) (TernaryGCM, error) { if tagSize < gcmMinimumTagSize || tagSize > gcmBlockSize { return nil, gerrors.WithAnnotatingf(ErrInvalidInput, "tag size in GCM can only between %d and %d", gcmMinimumTagSize, gcmBlockSize) } if nonceSize <= 0 { return nil, gerrors.WithAnnotating(ErrInvalidInput, "the nonce can't have zero length, or the security of the key will be immediately compromised") } if cipher.BlockSize() != gcmBlockSize { return nil, gerrors.WithAnnotating(ErrInvalidInput, "blockmode: NewGCM requires 128-bit block cipher") } var key [gcmBlockSize]byte _ = cipher.EcbEncCryptBlocks(key[:], key[:]) g := &gcm{cipher: cipher, nonceSize: nonceSize, tagSize: tagSize, buf: make([]byte, 0, gcmBlockSize)} // We precompute 16 multiples of |key|. However, when we do lookups // into this table we'll be using bits from a field element and // therefore the bits will be in the reverse order. So normally one // would expect, say, 4*key to be in index 4 of the table but due to // this bit ordering it will actually be in index 0010 (base 2) = 2. x := gcmFieldElement{ binary.BigEndian.Uint64(key[:8]), binary.BigEndian.Uint64(key[8:]), } g.productTable[reverseBits(1)] = x for i := 2; i < 16; i += 2 { g.productTable[reverseBits(i)] = gcmDouble(&g.productTable[reverseBits(i/2)]) g.productTable[reverseBits(i+1)] = gcmAdd(&g.productTable[reverseBits(i)], &x) } return g, nil } const ( gcmBlockSize = 16 gcmTagSize = 16 gcmMinimumTagSize = 12 // NIST SP 800-38D recommends tags with 12 or more bytes. gcmStandardNonceSize = 12 ) func (g *gcm) NonceSize() int { return g.nonceSize } func (g *gcm) Overhead() int { return g.tagSize } // Seal 加密,输入nonce大小必须为g.NonceSize(). func (g *gcm) Seal(dst, nonce, plaintext, additionalData []byte) []byte { if len(nonce) != g.nonceSize { panic("blockmode: incorrect nonce length given to GCM") } if uint64(len(plaintext)) > ((1<<32)-2)*uint64(g.cipher.BlockSize()) { panic("blockmode: message too large for GCM") } ret, out := sliceForAppend(dst, len(plaintext)+g.tagSize) if subtle.InexactOverlap(out, plaintext) { // 拷贝一份原文 plaintext = dup(plaintext) } var counter, tagMask [gcmBlockSize]byte g.deriveCounter(&counter, nonce) // counter = J0 _ = g.cipher.EcbEncCryptBlocks(tagMask[:], counter[:]) gcmInc32(&counter) g.counterCrypt(out, plaintext, &counter) var tag [gcmTagSize]byte g.auth(tag[:], out[:len(plaintext)], additionalData, &tagMask) copy(out[len(plaintext):], tag[:]) return ret } func (g *gcm) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) { if len(nonce) != g.nonceSize { return dst, gerrors.WithAnnotatingf(ErrAEADOpenFailed, "incorrect nonce length(%d) given to GCM, it should be %d", len(nonce), g.nonceSize) } // Sanity check to prevent the authentication from always succeeding if an implementation // leaves tagSize uninitialized, for example. if g.tagSize < gcmMinimumTagSize { return dst, gerrors.WithAnnotatingf(ErrAEADOpenFailed, "input tag size(%d) too small, it should be at least %d", g.tagSize, gcmMinimumTagSize) } if len(ciphertext) < g.tagSize { return dst, gerrors.WithAnnotating(ErrAEADOpenFailed, "ciphertext is shorter than tag size") } if uint64(len(ciphertext)) > ((1<<32)-2)*uint64(g.cipher.BlockSize())+uint64(g.tagSize) { return dst, gerrors.WithAnnotatingf(ErrAEADOpenFailed, "ciphertext too long") } tag := ciphertext[len(ciphertext)-g.tagSize:] ciphertext = ciphertext[:len(ciphertext)-g.tagSize] var counter, tagMask [gcmBlockSize]byte g.deriveCounter(&counter, nonce) _ = g.cipher.EcbEncCryptBlocks(tagMask[:], counter[:]) gcmInc32(&counter) var expectedTag [gcmTagSize]byte g.auth(expectedTag[:], ciphertext, additionalData, &tagMask) ret, out := sliceForAppend(dst, len(ciphertext)) if subtle.InexactOverlap(out, ciphertext) { ciphertext = dup(ciphertext) } if subtle.ConstantTimeCompare(expectedTag[:g.tagSize], tag) != 1 { // The AESNI code decrypts and authenticates concurrently, and // so overwrites dst in the event of a tag mismatch. That // behavior is mimicked here in order to be consistent across // platforms. for i := range out { out[i] = 0 } return ret[:len(dst)], gerrors.ChainErrors(ErrAEADOpenFailed, ErrAEADTagCheckFailed) } g.counterCrypt(out, ciphertext, &counter) return ret, nil } // reverseBits reverses the order of the bits of 4-bit number in i. func reverseBits(i int) int { i = ((i << 2) & 0xc) | ((i >> 2) & 0x3) i = ((i << 1) & 0xa) | ((i >> 1) & 0x5) return i } // gcmAdd adds two elements of GF(2¹²⁸) and returns the sum. func gcmAdd(x, y *gcmFieldElement) gcmFieldElement { // Addition in a characteristic 2 field is just XOR. return gcmFieldElement{x.low ^ y.low, x.high ^ y.high} } // gcmDouble returns the result of doubling an element of GF(2¹²⁸). func gcmDouble(x *gcmFieldElement) (double gcmFieldElement) { msbSet := x.high&1 == 1 // Because of the bit-ordering, doubling is actually a right shift. double.high = x.high >> 1 double.high |= x.low << 63 double.low = x.low >> 1 // If the most-significant bit was set before shifting then it, // conceptually, becomes a term of x^128. This is greater than the // irreducible polynomial so the result has to be reduced. The // irreducible polynomial is 1+x+x^2+x^7+x^128. We can subtract that to // eliminate the term at x^128 which also means subtracting the other // four terms. In characteristic 2 fields, subtraction == addition == // XOR. if msbSet { double.low ^= 0xe100000000000000 } return } var gcmReductionTable = []uint16{ 0x0000, 0x1c20, 0x3840, 0x2460, 0x7080, 0x6ca0, 0x48c0, 0x54e0, 0xe100, 0xfd20, 0xd940, 0xc560, 0x9180, 0x8da0, 0xa9c0, 0xb5e0, } // mul sets y to y*H, where H is the GCM key, fixed during NewGCMWithNonceSize. func (g *gcm) mul(y *gcmFieldElement) { var z gcmFieldElement for i := 0; i < 2; i++ { word := y.high if i == 1 { word = y.low } // Multiplication works by multiplying z by 16 and adding in // one of the precomputed multiples of H. for j := 0; j < 64; j += 4 { msw := z.high & 0xf z.high >>= 4 z.high |= z.low << 60 z.low >>= 4 z.low ^= uint64(gcmReductionTable[msw]) << 48 // the values in |table| are ordered for // little-endian bit positions. See the comment // in NewGCMWithNonceSize. t := &g.productTable[word&0xf] z.low ^= t.low z.high ^= t.high word >>= 4 } } *y = z } // updateBlocks extends y with more polynomial terms from blocks, based on // Horner's rule. There must be a multiple of gcmBlockSize bytes in blocks. func (g *gcm) updateBlocks(y *gcmFieldElement, blocks []byte) { for len(blocks) > 0 { y.low ^= binary.BigEndian.Uint64(blocks) y.high ^= binary.BigEndian.Uint64(blocks[8:]) g.mul(y) blocks = blocks[gcmBlockSize:] } } // update extends y with more polynomial terms from data. If data is not a // multiple of gcmBlockSize bytes long then the remainder is zero padded. func (g *gcm) update(y *gcmFieldElement, data []byte) { fullBlocks := (len(data) >> 4) << 4 g.updateBlocks(y, data[:fullBlocks]) if len(data) != fullBlocks { var partialBlock [gcmBlockSize]byte copy(partialBlock[:], data[fullBlocks:]) g.updateBlocks(y, partialBlock[:]) } } // gcmInc32 treats the final four bytes of counterBlock as a big-endian value // and increments it. func gcmInc32(counterBlock *[16]byte) { ctr := counterBlock[len(counterBlock)-4:] binary.BigEndian.PutUint32(ctr, binary.BigEndian.Uint32(ctr)+1) } // sliceForAppend takes a slice and a requested number of bytes. It returns a // slice with the contents of the given slice followed by that many bytes and a // second slice that aliases into it and contains only the extra bytes. If the // original slice has sufficient capacity then no allocation is performed. func sliceForAppend(in []byte, n int) (head, tail []byte) { if total := len(in) + n; cap(in) >= total { head = in[:total] } else { head = make([]byte, total) copy(head, in) } tail = head[len(in):] return } // counterCrypt crypts in to out using g.cipher in counter mode. func (g *gcm) counterCrypt(out, in []byte, counter *[gcmBlockSize]byte) { // var mask [gcmBlockSize]byte counterBuf := make([]byte, (len(in)+gcmBlockSize-1)&(^(gcmBlockSize - 1))) for i := 0; i < len(counterBuf); i += gcmBlockSize { copy(counterBuf[i:i+gcmBlockSize], counter[:]) gcmInc32(counter) } _ = g.cipher.EcbEncCryptBlocks(counterBuf, counterBuf) xor.XorBytes(out, in, counterBuf) } // deriveCounter computes the initial GCM counter state from the given nonce. // See NIST SP 800-38D, section 7.1. This assumes that counter is filled with // zeros on entry. func (g *gcm) deriveCounter(counter *[gcmBlockSize]byte, nonce []byte) { // GCM has two modes of operation with respect to the initial counter // state: a "fast path" for 96-bit (12-byte) nonces, and a "slow path" // for nonces of other lengths. For a 96-bit nonce, the nonce, along // with a four-byte big-endian counter starting at one, is used // directly as the starting counter. For other nonce sizes, the counter // is computed by passing it through the GHASH function. if len(nonce) == gcmStandardNonceSize { copy(counter[:], nonce) counter[gcmBlockSize-1] = 1 counter[gcmBlockSize-2] = 0 counter[gcmBlockSize-3] = 0 counter[gcmBlockSize-4] = 0 } else { var y gcmFieldElement g.update(&y, nonce) y.high ^= uint64(len(nonce)) * 8 g.mul(&y) binary.BigEndian.PutUint64(counter[:8], y.low) binary.BigEndian.PutUint64(counter[8:], y.high) } } // auth calculates GHASH(ciphertext, additionalData), masks the result with // tagMask and writes the result to out. func (g *gcm) auth(out, ciphertext, additionalData []byte, tagMask *[gcmTagSize]byte) { var y gcmFieldElement g.update(&y, additionalData) g.update(&y, ciphertext) y.low ^= uint64(len(additionalData)) * 8 y.high ^= uint64(len(ciphertext)) * 8 g.mul(&y) binary.BigEndian.PutUint64(out, y.low) binary.BigEndian.PutUint64(out[8:], y.high) xor.XorBytes(out, out, tagMask[:]) } func (g *gcm) init(nonce []byte) error { if len(nonce) != g.nonceSize { return gerrors.WithAnnotatingf(ErrInvalidInput, "incorrect nonce length given to GCM, want %d, given %d", g.nonceSize, len(nonce)) } g.deriveCounter(&g.counter, nonce) return nil } func (g *gcm) SpecifyADD(ad []byte) { g.additionalDataLen = len(ad) g.dataLen = 0 g.y.high = 0 g.y.low = 0 g.buf = g.buf[:0] g.update(&g.y, ad) _ = g.cipher.EcbEncCryptBlocks(g.tagMask[:], g.counter[:]) gcmInc32(&g.counter) } // EncryptInit 三段式加密第一步, Seal/Open/Update/ func (g *gcm) EncryptInit(nonce []byte) error { return g.init(nonce) } func (g *gcm) Encrypt(dst []byte, in []byte) ([]byte, error) { dst, err := g.EncryptUpdate(dst, in) if err != nil { return dst, err } return g.EncryptFinal(dst) } // encryptCounters returns the ciphertext of counter || counter+1 || ... || counter+n-1 func (g *gcm) encryptCounters(n int) ([]byte, error) { var oldCounter [gcmBlockSize]byte copy(oldCounter[:], g.counter[:]) counterBuf := make([]byte, n*gcmBlockSize) for i := 0; i < n; i++ { copy(counterBuf[i*gcmBlockSize:(i+1)*gcmBlockSize], g.counter[:]) gcmInc32(&g.counter) } if err := g.cipher.EcbEncCryptBlocks(counterBuf, counterBuf); err != nil { copy(g.counter[:], oldCounter[:]) return nil, gerrors.WithMessage(err, "EcbEncCryptBlocks failed") } return counterBuf, nil } func (g *gcm) EncryptUpdate(dst []byte, in []byte) ([]byte, error) { g.dataLen += len(in) if len(g.buf)+len(in) < gcmBlockSize { g.buf = append(g.buf, in...) return dst, nil } nBlocks := (len(g.buf) + len(in)) >> 4 counterBuf, err := g.encryptCounters(nBlocks) if err != nil { return dst, err } ret, out := sliceForAppend(dst, nBlocks*gcmBlockSize) xor.XorBytes(out, counterBuf, g.buf) counterBuf = counterBuf[len(g.buf):] out = out[len(g.buf):] n := xor.XorBytes(out, counterBuf, in) in = in[n:] g.buf = append(g.buf[:0], in...) g.update(&g.y, ret[len(dst):]) return ret, nil } func (g *gcm) EncryptFinal(dst []byte) ([]byte, error) { ret, out := sliceForAppend(dst, len(g.buf)+gcmTagSize) tag := out[len(g.buf):] out = out[:len(g.buf)] if len(g.buf) > 0 { counterBuf := make([]byte, gcmBlockSize) _ = g.cipher.EcbEncCryptBlocks(counterBuf, g.counter[:]) xor.XorBytes(out, counterBuf, g.buf) g.update(&g.y, out) } g.y.low ^= uint64(g.additionalDataLen) * 8 g.y.high ^= uint64(g.dataLen) * 8 g.mul(&g.y) binary.BigEndian.PutUint64(tag, g.y.low) binary.BigEndian.PutUint64(tag[8:], g.y.high) xor.XorBytes(tag, tag, g.tagMask[:]) return ret, nil } // EncryptInit 三段式加密第一步, Seal/Open/Update/ func (g *gcm) DecryptInit(nonce []byte) error { return g.init(nonce) } func (g *gcm) Decrypt(dst []byte, in []byte) ([]byte, error) { dst, err := g.DecryptUpdate(dst, in) if err != nil { return dst, err } return g.DecryptFinal(dst) } func (g *gcm) DecryptUpdate(dst []byte, in []byte) ([]byte, error) { if g.tagSize < gcmMinimumTagSize { return dst, gerrors.WithAnnotatingf(ErrGCMDecFailed, "incorrect GCM tag size(%d)", g.tagSize) } // if len(ciphertext) < g.tagSize { // return nil, errOpen // } // if uint64(len(ciphertext)) > ((1<<32)-2)*uint64(g.cipher.BlockSize())+uint64(g.tagSize) { // return nil, errOpen // } if len(g.buf)+len(in) < 2*gcmBlockSize { g.buf = append(g.buf, in...) g.dataLen += len(in) return dst, nil } // at least one block processDataLen := len(g.buf) + len(in) - gcmBlockSize nBlocks := processDataLen >> 4 nCounterCipher, err := g.encryptCounters(nBlocks) if err != nil { return dst, gerrors.ChainErrors(ErrGCMDecFailed, err) } g.dataLen += len(in) n := 2*gcmBlockSize - len(g.buf) g.buf = append(g.buf, in[:n]...) in = in[n:] if len(in) < gcmBlockSize { // 处理1个block并返回 g.update(&g.y, g.buf[:gcmBlockSize]) xor.XorBytes(nCounterCipher[:gcmBlockSize], nCounterCipher[:gcmBlockSize], g.buf[:gcmBlockSize]) dst = append(dst, nCounterCipher[:gcmBlockSize]...) n := copy(g.buf[:gcmBlockSize], g.buf[gcmBlockSize:]) g.buf = g.buf[:n] g.buf = append(g.buf, in...) return dst, nil } // 先处理g.buf的2个blocks g.update(&g.y, g.buf[:2*gcmBlockSize]) xor.XorBytes(nCounterCipher[:2*gcmBlockSize], nCounterCipher[:2*gcmBlockSize], g.buf[:2*gcmBlockSize]) dst = append(dst, nCounterCipher[:2*gcmBlockSize]...) g.buf = g.buf[:0] nCounterCipher = nCounterCipher[2*gcmBlockSize:] // 处理in剩余的nBlocks - 2个block g.update(&g.y, in[:(nBlocks-2)*gcmBlockSize]) xor.XorBytes(nCounterCipher, nCounterCipher, in[:(nBlocks-2)*gcmBlockSize]) dst = append(dst, nCounterCipher...) // 拷贝in剩余字节到buf,至少16字节。 g.buf = append(g.buf[:0], in[(nBlocks-2)*gcmBlockSize:]...) return dst, nil } func (g *gcm) DecryptFinal(dst []byte) ([]byte, error) { // g.buf 至少应该16字节,即tag。否则输入错误或内部处理错误(bug) if g.dataLen < gcmTagSize { return dst, gerrors.WithAnnotating(ErrGCMDecFailed, "input data must at least 16 bytes long") } if len(g.buf) < gcmTagSize { return dst, gerrors.WithAnnotatingf(ErrGCMDecFailed, "internal error, len(g.buf)=%d", len(g.buf)) } ret, out := sliceForAppend(dst, len(g.buf)-gcmTagSize) cipherText := g.buf[:len(g.buf)-gcmTagSize] WantedTag := g.buf[len(g.buf)-gcmTagSize:] if len(cipherText) > 0 { counterBuf := make([]byte, gcmBlockSize) _ = g.cipher.EcbEncCryptBlocks(counterBuf, g.counter[:]) xor.XorBytes(out, counterBuf, cipherText) g.update(&g.y, out) } var tag [gcmTagSize]byte g.y.low ^= uint64(g.additionalDataLen) * 8 g.y.high ^= uint64(g.dataLen) * 8 g.mul(&g.y) binary.BigEndian.PutUint64(tag[:8], g.y.low) binary.BigEndian.PutUint64(tag[8:], g.y.high) xor.XorBytes(tag[:], tag[:], g.tagMask[:]) if subtle.ConstantTimeCompare(tag[:], WantedTag) != 0 { return dst, gerrors.ChainErrors(ErrGCMDecFailed, ErrAEADTagCheckFailed) } return ret, nil }