2014-09-21 17:33:12 +00:00
|
|
|
// Copyright 2013 The Go Authors. All rights reserved.
|
|
|
|
// Use of this source code is governed by a BSD-style
|
|
|
|
// license that can be found in the LICENSE file.
|
|
|
|
|
|
|
|
package cipher
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/subtle"
|
|
|
|
"errors"
|
|
|
|
)
|
|
|
|
|
|
|
|
// AEAD is a cipher mode providing authenticated encryption with associated
|
2017-04-10 11:32:00 +00:00
|
|
|
// data. For a description of the methodology, see
|
|
|
|
// https://en.wikipedia.org/wiki/Authenticated_encryption
|
2014-09-21 17:33:12 +00:00
|
|
|
type AEAD interface {
|
|
|
|
// NonceSize returns the size of the nonce that must be passed to Seal
|
|
|
|
// and Open.
|
|
|
|
NonceSize() int
|
|
|
|
|
|
|
|
// Overhead returns the maximum difference between the lengths of a
|
2017-04-10 11:32:00 +00:00
|
|
|
// plaintext and its ciphertext.
|
2014-09-21 17:33:12 +00:00
|
|
|
Overhead() int
|
|
|
|
|
|
|
|
// Seal encrypts and authenticates plaintext, authenticates the
|
|
|
|
// additional data and appends the result to dst, returning the updated
|
|
|
|
// slice. The nonce must be NonceSize() bytes long and unique for all
|
|
|
|
// time, for a given key.
|
|
|
|
//
|
2017-04-10 11:32:00 +00:00
|
|
|
// The plaintext and dst may alias exactly or not at all. To reuse
|
|
|
|
// plaintext's storage for the encrypted output, use plaintext[:0] as dst.
|
|
|
|
Seal(dst, nonce, plaintext, additionalData []byte) []byte
|
2014-09-21 17:33:12 +00:00
|
|
|
|
|
|
|
// Open decrypts and authenticates ciphertext, authenticates the
|
|
|
|
// additional data and, if successful, appends the resulting plaintext
|
2015-08-28 15:33:40 +00:00
|
|
|
// to dst, returning the updated slice. The nonce must be NonceSize()
|
|
|
|
// bytes long and both it and the additional data must match the
|
|
|
|
// value passed to Seal.
|
2014-09-21 17:33:12 +00:00
|
|
|
//
|
2017-04-10 11:32:00 +00:00
|
|
|
// The ciphertext and dst may alias exactly or not at all. To reuse
|
|
|
|
// ciphertext's storage for the decrypted output, use ciphertext[:0] as dst.
|
|
|
|
//
|
|
|
|
// Even if the function fails, the contents of dst, up to its capacity,
|
|
|
|
// may be overwritten.
|
|
|
|
Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error)
|
|
|
|
}
|
|
|
|
|
|
|
|
// gcmAble is an interface implemented by ciphers that have a specific optimized
|
|
|
|
// implementation of GCM, like crypto/aes. NewGCM will check for this interface
|
|
|
|
// and return the specific AEAD if found.
|
|
|
|
type gcmAble interface {
|
|
|
|
NewGCM(int) (AEAD, error)
|
2014-09-21 17:33:12 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// gcmFieldElement represents a value in GF(2¹²⁸). In order to reflect the GCM
|
|
|
|
// standard and make getUint64 suitable for marshaling these values, the bits
|
|
|
|
// are stored backwards. For example:
|
|
|
|
// the coefficient of x⁰ can be obtained by v.low >> 63.
|
|
|
|
// the coefficient of x⁶³ can be obtained by v.low & 1.
|
|
|
|
// the coefficient of x⁶⁴ can be obtained by v.high >> 63.
|
|
|
|
// the coefficient of x¹²⁷ can be obtained by v.high & 1.
|
|
|
|
type gcmFieldElement struct {
|
|
|
|
low, high uint64
|
|
|
|
}
|
|
|
|
|
|
|
|
// gcm represents a Galois Counter Mode with a specific key. See
|
|
|
|
// http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
|
|
|
|
type gcm struct {
|
2017-04-10 11:32:00 +00:00
|
|
|
cipher Block
|
|
|
|
nonceSize int
|
2014-09-21 17:33:12 +00:00
|
|
|
// productTable contains the first sixteen powers of the key, H.
|
2017-04-10 11:32:00 +00:00
|
|
|
// However, they are in bit reversed order. See NewGCMWithNonceSize.
|
2014-09-21 17:33:12 +00:00
|
|
|
productTable [16]gcmFieldElement
|
|
|
|
}
|
|
|
|
|
2017-04-10 11:32:00 +00:00
|
|
|
// NewGCM returns the given 128-bit, block cipher wrapped in Galois Counter Mode
|
|
|
|
// with the standard nonce length.
|
2017-10-07 00:16:47 +00:00
|
|
|
//
|
|
|
|
// In general, the GHASH operation performed by this implementation of GCM is not constant-time.
|
|
|
|
// An exception is when the underlying Block was created by aes.NewCipher
|
|
|
|
// on systems with hardware support for AES. See the crypto/aes package documentation for details.
|
2014-09-21 17:33:12 +00:00
|
|
|
func NewGCM(cipher Block) (AEAD, error) {
|
2017-04-10 11:32:00 +00:00
|
|
|
return NewGCMWithNonceSize(cipher, gcmStandardNonceSize)
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewGCMWithNonceSize returns the given 128-bit, block cipher wrapped in Galois
|
|
|
|
// Counter Mode, which accepts nonces of the given length.
|
|
|
|
//
|
|
|
|
// Only use this function if you require compatibility with an existing
|
|
|
|
// cryptosystem that uses non-standard nonce lengths. All other users should use
|
|
|
|
// NewGCM, which is faster and more resistant to misuse.
|
|
|
|
func NewGCMWithNonceSize(cipher Block, size int) (AEAD, error) {
|
|
|
|
if cipher, ok := cipher.(gcmAble); ok {
|
|
|
|
return cipher.NewGCM(size)
|
|
|
|
}
|
|
|
|
|
2014-09-21 17:33:12 +00:00
|
|
|
if cipher.BlockSize() != gcmBlockSize {
|
|
|
|
return nil, errors.New("cipher: NewGCM requires 128-bit block cipher")
|
|
|
|
}
|
|
|
|
|
|
|
|
var key [gcmBlockSize]byte
|
|
|
|
cipher.Encrypt(key[:], key[:])
|
|
|
|
|
2017-04-10 11:32:00 +00:00
|
|
|
g := &gcm{cipher: cipher, nonceSize: size}
|
2014-09-21 17:33:12 +00:00
|
|
|
|
|
|
|
// We precompute 16 multiples of |key|. However, when we do lookups
|
|
|
|
// into this table we'll be using bits from a field element and
|
|
|
|
// therefore the bits will be in the reverse order. So normally one
|
|
|
|
// would expect, say, 4*key to be in index 4 of the table but due to
|
|
|
|
// this bit ordering it will actually be in index 0010 (base 2) = 2.
|
|
|
|
x := gcmFieldElement{
|
|
|
|
getUint64(key[:8]),
|
|
|
|
getUint64(key[8:]),
|
|
|
|
}
|
|
|
|
g.productTable[reverseBits(1)] = x
|
|
|
|
|
|
|
|
for i := 2; i < 16; i += 2 {
|
|
|
|
g.productTable[reverseBits(i)] = gcmDouble(&g.productTable[reverseBits(i/2)])
|
|
|
|
g.productTable[reverseBits(i+1)] = gcmAdd(&g.productTable[reverseBits(i)], &x)
|
|
|
|
}
|
|
|
|
|
|
|
|
return g, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
const (
|
2017-04-10 11:32:00 +00:00
|
|
|
gcmBlockSize = 16
|
|
|
|
gcmTagSize = 16
|
|
|
|
gcmStandardNonceSize = 12
|
2014-09-21 17:33:12 +00:00
|
|
|
)
|
|
|
|
|
2017-04-10 11:32:00 +00:00
|
|
|
func (g *gcm) NonceSize() int {
|
|
|
|
return g.nonceSize
|
2014-09-21 17:33:12 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (*gcm) Overhead() int {
|
|
|
|
return gcmTagSize
|
|
|
|
}
|
|
|
|
|
|
|
|
func (g *gcm) Seal(dst, nonce, plaintext, data []byte) []byte {
|
2017-04-10 11:32:00 +00:00
|
|
|
if len(nonce) != g.nonceSize {
|
2014-09-21 17:33:12 +00:00
|
|
|
panic("cipher: incorrect nonce length given to GCM")
|
|
|
|
}
|
2017-10-07 00:16:47 +00:00
|
|
|
if uint64(len(plaintext)) > ((1<<32)-2)*uint64(g.cipher.BlockSize()) {
|
|
|
|
panic("cipher: message too large for GCM")
|
|
|
|
}
|
|
|
|
|
2014-09-21 17:33:12 +00:00
|
|
|
ret, out := sliceForAppend(dst, len(plaintext)+gcmTagSize)
|
|
|
|
|
|
|
|
var counter, tagMask [gcmBlockSize]byte
|
2017-04-10 11:32:00 +00:00
|
|
|
g.deriveCounter(&counter, nonce)
|
2014-09-21 17:33:12 +00:00
|
|
|
|
|
|
|
g.cipher.Encrypt(tagMask[:], counter[:])
|
|
|
|
gcmInc32(&counter)
|
|
|
|
|
|
|
|
g.counterCrypt(out, plaintext, &counter)
|
|
|
|
g.auth(out[len(plaintext):], out[:len(plaintext)], data, &tagMask)
|
|
|
|
|
|
|
|
return ret
|
|
|
|
}
|
|
|
|
|
|
|
|
var errOpen = errors.New("cipher: message authentication failed")
|
|
|
|
|
|
|
|
func (g *gcm) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
|
2017-04-10 11:32:00 +00:00
|
|
|
if len(nonce) != g.nonceSize {
|
2014-09-21 17:33:12 +00:00
|
|
|
panic("cipher: incorrect nonce length given to GCM")
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(ciphertext) < gcmTagSize {
|
|
|
|
return nil, errOpen
|
|
|
|
}
|
2017-10-07 00:16:47 +00:00
|
|
|
if uint64(len(ciphertext)) > ((1<<32)-2)*uint64(g.cipher.BlockSize())+gcmTagSize {
|
|
|
|
return nil, errOpen
|
|
|
|
}
|
|
|
|
|
2014-09-21 17:33:12 +00:00
|
|
|
tag := ciphertext[len(ciphertext)-gcmTagSize:]
|
|
|
|
ciphertext = ciphertext[:len(ciphertext)-gcmTagSize]
|
|
|
|
|
|
|
|
var counter, tagMask [gcmBlockSize]byte
|
2017-04-10 11:32:00 +00:00
|
|
|
g.deriveCounter(&counter, nonce)
|
2014-09-21 17:33:12 +00:00
|
|
|
|
|
|
|
g.cipher.Encrypt(tagMask[:], counter[:])
|
|
|
|
gcmInc32(&counter)
|
|
|
|
|
|
|
|
var expectedTag [gcmTagSize]byte
|
|
|
|
g.auth(expectedTag[:], ciphertext, data, &tagMask)
|
|
|
|
|
2017-04-10 11:32:00 +00:00
|
|
|
ret, out := sliceForAppend(dst, len(ciphertext))
|
|
|
|
|
2014-09-21 17:33:12 +00:00
|
|
|
if subtle.ConstantTimeCompare(expectedTag[:], tag) != 1 {
|
2017-04-10 11:32:00 +00:00
|
|
|
// The AESNI code decrypts and authenticates concurrently, and
|
|
|
|
// so overwrites dst in the event of a tag mismatch. That
|
2017-10-07 00:16:47 +00:00
|
|
|
// behavior is mimicked here in order to be consistent across
|
2017-04-10 11:32:00 +00:00
|
|
|
// platforms.
|
|
|
|
for i := range out {
|
|
|
|
out[i] = 0
|
|
|
|
}
|
2014-09-21 17:33:12 +00:00
|
|
|
return nil, errOpen
|
|
|
|
}
|
|
|
|
|
|
|
|
g.counterCrypt(out, ciphertext, &counter)
|
|
|
|
|
|
|
|
return ret, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// reverseBits reverses the order of the bits of 4-bit number in i.
|
|
|
|
func reverseBits(i int) int {
|
|
|
|
i = ((i << 2) & 0xc) | ((i >> 2) & 0x3)
|
|
|
|
i = ((i << 1) & 0xa) | ((i >> 1) & 0x5)
|
|
|
|
return i
|
|
|
|
}
|
|
|
|
|
|
|
|
// gcmAdd adds two elements of GF(2¹²⁸) and returns the sum.
|
|
|
|
func gcmAdd(x, y *gcmFieldElement) gcmFieldElement {
|
|
|
|
// Addition in a characteristic 2 field is just XOR.
|
|
|
|
return gcmFieldElement{x.low ^ y.low, x.high ^ y.high}
|
|
|
|
}
|
|
|
|
|
|
|
|
// gcmDouble returns the result of doubling an element of GF(2¹²⁸).
|
|
|
|
func gcmDouble(x *gcmFieldElement) (double gcmFieldElement) {
|
|
|
|
msbSet := x.high&1 == 1
|
|
|
|
|
|
|
|
// Because of the bit-ordering, doubling is actually a right shift.
|
|
|
|
double.high = x.high >> 1
|
|
|
|
double.high |= x.low << 63
|
|
|
|
double.low = x.low >> 1
|
|
|
|
|
|
|
|
// If the most-significant bit was set before shifting then it,
|
|
|
|
// conceptually, becomes a term of x^128. This is greater than the
|
|
|
|
// irreducible polynomial so the result has to be reduced. The
|
|
|
|
// irreducible polynomial is 1+x+x^2+x^7+x^128. We can subtract that to
|
|
|
|
// eliminate the term at x^128 which also means subtracting the other
|
|
|
|
// four terms. In characteristic 2 fields, subtraction == addition ==
|
|
|
|
// XOR.
|
|
|
|
if msbSet {
|
|
|
|
double.low ^= 0xe100000000000000
|
|
|
|
}
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
var gcmReductionTable = []uint16{
|
|
|
|
0x0000, 0x1c20, 0x3840, 0x2460, 0x7080, 0x6ca0, 0x48c0, 0x54e0,
|
|
|
|
0xe100, 0xfd20, 0xd940, 0xc560, 0x9180, 0x8da0, 0xa9c0, 0xb5e0,
|
|
|
|
}
|
|
|
|
|
2017-04-10 11:32:00 +00:00
|
|
|
// mul sets y to y*H, where H is the GCM key, fixed during NewGCMWithNonceSize.
|
2014-09-21 17:33:12 +00:00
|
|
|
func (g *gcm) mul(y *gcmFieldElement) {
|
|
|
|
var z gcmFieldElement
|
|
|
|
|
|
|
|
for i := 0; i < 2; i++ {
|
|
|
|
word := y.high
|
|
|
|
if i == 1 {
|
|
|
|
word = y.low
|
|
|
|
}
|
|
|
|
|
|
|
|
// Multiplication works by multiplying z by 16 and adding in
|
|
|
|
// one of the precomputed multiples of H.
|
|
|
|
for j := 0; j < 64; j += 4 {
|
|
|
|
msw := z.high & 0xf
|
|
|
|
z.high >>= 4
|
|
|
|
z.high |= z.low << 60
|
|
|
|
z.low >>= 4
|
|
|
|
z.low ^= uint64(gcmReductionTable[msw]) << 48
|
|
|
|
|
|
|
|
// the values in |table| are ordered for
|
|
|
|
// little-endian bit positions. See the comment
|
2017-04-10 11:32:00 +00:00
|
|
|
// in NewGCMWithNonceSize.
|
2014-09-21 17:33:12 +00:00
|
|
|
t := &g.productTable[word&0xf]
|
|
|
|
|
|
|
|
z.low ^= t.low
|
|
|
|
z.high ^= t.high
|
|
|
|
word >>= 4
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
*y = z
|
|
|
|
}
|
|
|
|
|
|
|
|
// updateBlocks extends y with more polynomial terms from blocks, based on
|
|
|
|
// Horner's rule. There must be a multiple of gcmBlockSize bytes in blocks.
|
|
|
|
func (g *gcm) updateBlocks(y *gcmFieldElement, blocks []byte) {
|
|
|
|
for len(blocks) > 0 {
|
|
|
|
y.low ^= getUint64(blocks)
|
|
|
|
y.high ^= getUint64(blocks[8:])
|
|
|
|
g.mul(y)
|
|
|
|
blocks = blocks[gcmBlockSize:]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// update extends y with more polynomial terms from data. If data is not a
|
|
|
|
// multiple of gcmBlockSize bytes long then the remainder is zero padded.
|
|
|
|
func (g *gcm) update(y *gcmFieldElement, data []byte) {
|
|
|
|
fullBlocks := (len(data) >> 4) << 4
|
|
|
|
g.updateBlocks(y, data[:fullBlocks])
|
|
|
|
|
|
|
|
if len(data) != fullBlocks {
|
|
|
|
var partialBlock [gcmBlockSize]byte
|
|
|
|
copy(partialBlock[:], data[fullBlocks:])
|
|
|
|
g.updateBlocks(y, partialBlock[:])
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// gcmInc32 treats the final four bytes of counterBlock as a big-endian value
|
|
|
|
// and increments it.
|
|
|
|
func gcmInc32(counterBlock *[16]byte) {
|
|
|
|
for i := gcmBlockSize - 1; i >= gcmBlockSize-4; i-- {
|
2015-08-28 15:33:40 +00:00
|
|
|
counterBlock[i]++
|
|
|
|
if counterBlock[i] != 0 {
|
|
|
|
break
|
|
|
|
}
|
2014-09-21 17:33:12 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// sliceForAppend takes a slice and a requested number of bytes. It returns a
|
|
|
|
// slice with the contents of the given slice followed by that many bytes and a
|
|
|
|
// second slice that aliases into it and contains only the extra bytes. If the
|
|
|
|
// original slice has sufficient capacity then no allocation is performed.
|
|
|
|
func sliceForAppend(in []byte, n int) (head, tail []byte) {
|
|
|
|
if total := len(in) + n; cap(in) >= total {
|
|
|
|
head = in[:total]
|
|
|
|
} else {
|
|
|
|
head = make([]byte, total)
|
|
|
|
copy(head, in)
|
|
|
|
}
|
|
|
|
tail = head[len(in):]
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// counterCrypt crypts in to out using g.cipher in counter mode.
|
|
|
|
func (g *gcm) counterCrypt(out, in []byte, counter *[gcmBlockSize]byte) {
|
|
|
|
var mask [gcmBlockSize]byte
|
|
|
|
|
|
|
|
for len(in) >= gcmBlockSize {
|
|
|
|
g.cipher.Encrypt(mask[:], counter[:])
|
|
|
|
gcmInc32(counter)
|
|
|
|
|
2015-08-28 15:33:40 +00:00
|
|
|
xorWords(out, in, mask[:])
|
2014-09-21 17:33:12 +00:00
|
|
|
out = out[gcmBlockSize:]
|
|
|
|
in = in[gcmBlockSize:]
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(in) > 0 {
|
|
|
|
g.cipher.Encrypt(mask[:], counter[:])
|
|
|
|
gcmInc32(counter)
|
2015-08-28 15:33:40 +00:00
|
|
|
xorBytes(out, in, mask[:])
|
2014-09-21 17:33:12 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-04-10 11:32:00 +00:00
|
|
|
// deriveCounter computes the initial GCM counter state from the given nonce.
|
|
|
|
// See NIST SP 800-38D, section 7.1. This assumes that counter is filled with
|
|
|
|
// zeros on entry.
|
|
|
|
func (g *gcm) deriveCounter(counter *[gcmBlockSize]byte, nonce []byte) {
|
|
|
|
// GCM has two modes of operation with respect to the initial counter
|
|
|
|
// state: a "fast path" for 96-bit (12-byte) nonces, and a "slow path"
|
|
|
|
// for nonces of other lengths. For a 96-bit nonce, the nonce, along
|
|
|
|
// with a four-byte big-endian counter starting at one, is used
|
|
|
|
// directly as the starting counter. For other nonce sizes, the counter
|
|
|
|
// is computed by passing it through the GHASH function.
|
|
|
|
if len(nonce) == gcmStandardNonceSize {
|
|
|
|
copy(counter[:], nonce)
|
|
|
|
counter[gcmBlockSize-1] = 1
|
|
|
|
} else {
|
|
|
|
var y gcmFieldElement
|
|
|
|
g.update(&y, nonce)
|
|
|
|
y.high ^= uint64(len(nonce)) * 8
|
|
|
|
g.mul(&y)
|
|
|
|
putUint64(counter[:8], y.low)
|
|
|
|
putUint64(counter[8:], y.high)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-09-21 17:33:12 +00:00
|
|
|
// auth calculates GHASH(ciphertext, additionalData), masks the result with
|
|
|
|
// tagMask and writes the result to out.
|
|
|
|
func (g *gcm) auth(out, ciphertext, additionalData []byte, tagMask *[gcmTagSize]byte) {
|
|
|
|
var y gcmFieldElement
|
|
|
|
g.update(&y, additionalData)
|
|
|
|
g.update(&y, ciphertext)
|
|
|
|
|
|
|
|
y.low ^= uint64(len(additionalData)) * 8
|
|
|
|
y.high ^= uint64(len(ciphertext)) * 8
|
|
|
|
|
|
|
|
g.mul(&y)
|
|
|
|
|
|
|
|
putUint64(out, y.low)
|
|
|
|
putUint64(out[8:], y.high)
|
|
|
|
|
2015-08-28 15:33:40 +00:00
|
|
|
xorWords(out, out, tagMask[:])
|
2014-09-21 17:33:12 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func getUint64(data []byte) uint64 {
|
|
|
|
r := uint64(data[0])<<56 |
|
|
|
|
uint64(data[1])<<48 |
|
|
|
|
uint64(data[2])<<40 |
|
|
|
|
uint64(data[3])<<32 |
|
|
|
|
uint64(data[4])<<24 |
|
|
|
|
uint64(data[5])<<16 |
|
|
|
|
uint64(data[6])<<8 |
|
|
|
|
uint64(data[7])
|
|
|
|
return r
|
|
|
|
}
|
|
|
|
|
|
|
|
func putUint64(out []byte, v uint64) {
|
|
|
|
out[0] = byte(v >> 56)
|
|
|
|
out[1] = byte(v >> 48)
|
|
|
|
out[2] = byte(v >> 40)
|
|
|
|
out[3] = byte(v >> 32)
|
|
|
|
out[4] = byte(v >> 24)
|
|
|
|
out[5] = byte(v >> 16)
|
|
|
|
out[6] = byte(v >> 8)
|
|
|
|
out[7] = byte(v)
|
|
|
|
}
|