1// Copyright 2013 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package cipher
6
7import (
8	"crypto/subtle"
9	"errors"
10)
11
12// AEAD is a cipher mode providing authenticated encryption with associated
13// data. For a description of the methodology, see
14//	https://en.wikipedia.org/wiki/Authenticated_encryption
15type AEAD interface {
16	// NonceSize returns the size of the nonce that must be passed to Seal
17	// and Open.
18	NonceSize() int
19
20	// Overhead returns the maximum difference between the lengths of a
21	// plaintext and its ciphertext.
22	Overhead() int
23
24	// Seal encrypts and authenticates plaintext, authenticates the
25	// additional data and appends the result to dst, returning the updated
26	// slice. The nonce must be NonceSize() bytes long and unique for all
27	// time, for a given key.
28	//
29	// The plaintext and dst must overlap exactly or not at all. To reuse
30	// plaintext's storage for the encrypted output, use plaintext[:0] as dst.
31	Seal(dst, nonce, plaintext, additionalData []byte) []byte
32
33	// Open decrypts and authenticates ciphertext, authenticates the
34	// additional data and, if successful, appends the resulting plaintext
35	// to dst, returning the updated slice. The nonce must be NonceSize()
36	// bytes long and both it and the additional data must match the
37	// value passed to Seal.
38	//
39	// The ciphertext and dst must overlap exactly or not at all. To reuse
40	// ciphertext's storage for the decrypted output, use ciphertext[:0] as dst.
41	//
42	// Even if the function fails, the contents of dst, up to its capacity,
43	// may be overwritten.
44	Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error)
45}
46
47// gcmAble is an interface implemented by ciphers that have a specific optimized
48// implementation of GCM, like crypto/aes. NewGCM will check for this interface
49// and return the specific AEAD if found.
50type gcmAble interface {
51	NewGCM(int) (AEAD, error)
52}
53
54// gcmFieldElement represents a value in GF(2¹²⁸). In order to reflect the GCM
55// standard and make getUint64 suitable for marshaling these values, the bits
56// are stored backwards. For example:
57//   the coefficient of x⁰ can be obtained by v.low >> 63.
58//   the coefficient of x⁶³ can be obtained by v.low & 1.
59//   the coefficient of x⁶⁴ can be obtained by v.high >> 63.
60//   the coefficient of x¹²⁷ can be obtained by v.high & 1.
61type gcmFieldElement struct {
62	low, high uint64
63}
64
65// gcm represents a Galois Counter Mode with a specific key. See
66// http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
67type gcm struct {
68	cipher    Block
69	nonceSize int
70	// productTable contains the first sixteen powers of the key, H.
71	// However, they are in bit reversed order. See NewGCMWithNonceSize.
72	productTable [16]gcmFieldElement
73}
74
75// NewGCM returns the given 128-bit, block cipher wrapped in Galois Counter Mode
76// with the standard nonce length.
77//
78// In general, the GHASH operation performed by this implementation of GCM is not constant-time.
79// An exception is when the underlying Block was created by aes.NewCipher
80// on systems with hardware support for AES. See the crypto/aes package documentation for details.
81func NewGCM(cipher Block) (AEAD, error) {
82	return NewGCMWithNonceSize(cipher, gcmStandardNonceSize)
83}
84
85// NewGCMWithNonceSize returns the given 128-bit, block cipher wrapped in Galois
86// Counter Mode, which accepts nonces of the given length.
87//
88// Only use this function if you require compatibility with an existing
89// cryptosystem that uses non-standard nonce lengths. All other users should use
90// NewGCM, which is faster and more resistant to misuse.
91func NewGCMWithNonceSize(cipher Block, size int) (AEAD, error) {
92	if cipher, ok := cipher.(gcmAble); ok {
93		return cipher.NewGCM(size)
94	}
95
96	if cipher.BlockSize() != gcmBlockSize {
97		return nil, errors.New("cipher: NewGCM requires 128-bit block cipher")
98	}
99
100	var key [gcmBlockSize]byte
101	cipher.Encrypt(key[:], key[:])
102
103	g := &gcm{cipher: cipher, nonceSize: size}
104
105	// We precompute 16 multiples of |key|. However, when we do lookups
106	// into this table we'll be using bits from a field element and
107	// therefore the bits will be in the reverse order. So normally one
108	// would expect, say, 4*key to be in index 4 of the table but due to
109	// this bit ordering it will actually be in index 0010 (base 2) = 2.
110	x := gcmFieldElement{
111		getUint64(key[:8]),
112		getUint64(key[8:]),
113	}
114	g.productTable[reverseBits(1)] = x
115
116	for i := 2; i < 16; i += 2 {
117		g.productTable[reverseBits(i)] = gcmDouble(&g.productTable[reverseBits(i/2)])
118		g.productTable[reverseBits(i+1)] = gcmAdd(&g.productTable[reverseBits(i)], &x)
119	}
120
121	return g, nil
122}
123
124const (
125	gcmBlockSize         = 16
126	gcmTagSize           = 16
127	gcmStandardNonceSize = 12
128)
129
130func (g *gcm) NonceSize() int {
131	return g.nonceSize
132}
133
134func (*gcm) Overhead() int {
135	return gcmTagSize
136}
137
138func (g *gcm) Seal(dst, nonce, plaintext, data []byte) []byte {
139	if len(nonce) != g.nonceSize {
140		panic("cipher: incorrect nonce length given to GCM")
141	}
142	if uint64(len(plaintext)) > ((1<<32)-2)*uint64(g.cipher.BlockSize()) {
143		panic("cipher: message too large for GCM")
144	}
145
146	ret, out := sliceForAppend(dst, len(plaintext)+gcmTagSize)
147
148	var counter, tagMask [gcmBlockSize]byte
149	g.deriveCounter(&counter, nonce)
150
151	g.cipher.Encrypt(tagMask[:], counter[:])
152	gcmInc32(&counter)
153
154	g.counterCrypt(out, plaintext, &counter)
155	g.auth(out[len(plaintext):], out[:len(plaintext)], data, &tagMask)
156
157	return ret
158}
159
160var errOpen = errors.New("cipher: message authentication failed")
161
162func (g *gcm) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
163	if len(nonce) != g.nonceSize {
164		panic("cipher: incorrect nonce length given to GCM")
165	}
166
167	if len(ciphertext) < gcmTagSize {
168		return nil, errOpen
169	}
170	if uint64(len(ciphertext)) > ((1<<32)-2)*uint64(g.cipher.BlockSize())+gcmTagSize {
171		return nil, errOpen
172	}
173
174	tag := ciphertext[len(ciphertext)-gcmTagSize:]
175	ciphertext = ciphertext[:len(ciphertext)-gcmTagSize]
176
177	var counter, tagMask [gcmBlockSize]byte
178	g.deriveCounter(&counter, nonce)
179
180	g.cipher.Encrypt(tagMask[:], counter[:])
181	gcmInc32(&counter)
182
183	var expectedTag [gcmTagSize]byte
184	g.auth(expectedTag[:], ciphertext, data, &tagMask)
185
186	ret, out := sliceForAppend(dst, len(ciphertext))
187
188	if subtle.ConstantTimeCompare(expectedTag[:], tag) != 1 {
189		// The AESNI code decrypts and authenticates concurrently, and
190		// so overwrites dst in the event of a tag mismatch. That
191		// behavior is mimicked here in order to be consistent across
192		// platforms.
193		for i := range out {
194			out[i] = 0
195		}
196		return nil, errOpen
197	}
198
199	g.counterCrypt(out, ciphertext, &counter)
200
201	return ret, nil
202}
203
204// reverseBits reverses the order of the bits of 4-bit number in i.
205func reverseBits(i int) int {
206	i = ((i << 2) & 0xc) | ((i >> 2) & 0x3)
207	i = ((i << 1) & 0xa) | ((i >> 1) & 0x5)
208	return i
209}
210
211// gcmAdd adds two elements of GF(2¹²⁸) and returns the sum.
212func gcmAdd(x, y *gcmFieldElement) gcmFieldElement {
213	// Addition in a characteristic 2 field is just XOR.
214	return gcmFieldElement{x.low ^ y.low, x.high ^ y.high}
215}
216
217// gcmDouble returns the result of doubling an element of GF(2¹²⁸).
218func gcmDouble(x *gcmFieldElement) (double gcmFieldElement) {
219	msbSet := x.high&1 == 1
220
221	// Because of the bit-ordering, doubling is actually a right shift.
222	double.high = x.high >> 1
223	double.high |= x.low << 63
224	double.low = x.low >> 1
225
226	// If the most-significant bit was set before shifting then it,
227	// conceptually, becomes a term of x^128. This is greater than the
228	// irreducible polynomial so the result has to be reduced. The
229	// irreducible polynomial is 1+x+x^2+x^7+x^128. We can subtract that to
230	// eliminate the term at x^128 which also means subtracting the other
231	// four terms. In characteristic 2 fields, subtraction == addition ==
232	// XOR.
233	if msbSet {
234		double.low ^= 0xe100000000000000
235	}
236
237	return
238}
239
240var gcmReductionTable = []uint16{
241	0x0000, 0x1c20, 0x3840, 0x2460, 0x7080, 0x6ca0, 0x48c0, 0x54e0,
242	0xe100, 0xfd20, 0xd940, 0xc560, 0x9180, 0x8da0, 0xa9c0, 0xb5e0,
243}
244
245// mul sets y to y*H, where H is the GCM key, fixed during NewGCMWithNonceSize.
246func (g *gcm) mul(y *gcmFieldElement) {
247	var z gcmFieldElement
248
249	for i := 0; i < 2; i++ {
250		word := y.high
251		if i == 1 {
252			word = y.low
253		}
254
255		// Multiplication works by multiplying z by 16 and adding in
256		// one of the precomputed multiples of H.
257		for j := 0; j < 64; j += 4 {
258			msw := z.high & 0xf
259			z.high >>= 4
260			z.high |= z.low << 60
261			z.low >>= 4
262			z.low ^= uint64(gcmReductionTable[msw]) << 48
263
264			// the values in |table| are ordered for
265			// little-endian bit positions. See the comment
266			// in NewGCMWithNonceSize.
267			t := &g.productTable[word&0xf]
268
269			z.low ^= t.low
270			z.high ^= t.high
271			word >>= 4
272		}
273	}
274
275	*y = z
276}
277
278// updateBlocks extends y with more polynomial terms from blocks, based on
279// Horner's rule. There must be a multiple of gcmBlockSize bytes in blocks.
280func (g *gcm) updateBlocks(y *gcmFieldElement, blocks []byte) {
281	for len(blocks) > 0 {
282		y.low ^= getUint64(blocks)
283		y.high ^= getUint64(blocks[8:])
284		g.mul(y)
285		blocks = blocks[gcmBlockSize:]
286	}
287}
288
289// update extends y with more polynomial terms from data. If data is not a
290// multiple of gcmBlockSize bytes long then the remainder is zero padded.
291func (g *gcm) update(y *gcmFieldElement, data []byte) {
292	fullBlocks := (len(data) >> 4) << 4
293	g.updateBlocks(y, data[:fullBlocks])
294
295	if len(data) != fullBlocks {
296		var partialBlock [gcmBlockSize]byte
297		copy(partialBlock[:], data[fullBlocks:])
298		g.updateBlocks(y, partialBlock[:])
299	}
300}
301
302// gcmInc32 treats the final four bytes of counterBlock as a big-endian value
303// and increments it.
304func gcmInc32(counterBlock *[16]byte) {
305	for i := gcmBlockSize - 1; i >= gcmBlockSize-4; i-- {
306		counterBlock[i]++
307		if counterBlock[i] != 0 {
308			break
309		}
310	}
311}
312
313// sliceForAppend takes a slice and a requested number of bytes. It returns a
314// slice with the contents of the given slice followed by that many bytes and a
315// second slice that aliases into it and contains only the extra bytes. If the
316// original slice has sufficient capacity then no allocation is performed.
317func sliceForAppend(in []byte, n int) (head, tail []byte) {
318	if total := len(in) + n; cap(in) >= total {
319		head = in[:total]
320	} else {
321		head = make([]byte, total)
322		copy(head, in)
323	}
324	tail = head[len(in):]
325	return
326}
327
328// counterCrypt crypts in to out using g.cipher in counter mode.
329func (g *gcm) counterCrypt(out, in []byte, counter *[gcmBlockSize]byte) {
330	var mask [gcmBlockSize]byte
331
332	for len(in) >= gcmBlockSize {
333		g.cipher.Encrypt(mask[:], counter[:])
334		gcmInc32(counter)
335
336		xorWords(out, in, mask[:])
337		out = out[gcmBlockSize:]
338		in = in[gcmBlockSize:]
339	}
340
341	if len(in) > 0 {
342		g.cipher.Encrypt(mask[:], counter[:])
343		gcmInc32(counter)
344		xorBytes(out, in, mask[:])
345	}
346}
347
348// deriveCounter computes the initial GCM counter state from the given nonce.
349// See NIST SP 800-38D, section 7.1. This assumes that counter is filled with
350// zeros on entry.
351func (g *gcm) deriveCounter(counter *[gcmBlockSize]byte, nonce []byte) {
352	// GCM has two modes of operation with respect to the initial counter
353	// state: a "fast path" for 96-bit (12-byte) nonces, and a "slow path"
354	// for nonces of other lengths. For a 96-bit nonce, the nonce, along
355	// with a four-byte big-endian counter starting at one, is used
356	// directly as the starting counter. For other nonce sizes, the counter
357	// is computed by passing it through the GHASH function.
358	if len(nonce) == gcmStandardNonceSize {
359		copy(counter[:], nonce)
360		counter[gcmBlockSize-1] = 1
361	} else {
362		var y gcmFieldElement
363		g.update(&y, nonce)
364		y.high ^= uint64(len(nonce)) * 8
365		g.mul(&y)
366		putUint64(counter[:8], y.low)
367		putUint64(counter[8:], y.high)
368	}
369}
370
371// auth calculates GHASH(ciphertext, additionalData), masks the result with
372// tagMask and writes the result to out.
373func (g *gcm) auth(out, ciphertext, additionalData []byte, tagMask *[gcmTagSize]byte) {
374	var y gcmFieldElement
375	g.update(&y, additionalData)
376	g.update(&y, ciphertext)
377
378	y.low ^= uint64(len(additionalData)) * 8
379	y.high ^= uint64(len(ciphertext)) * 8
380
381	g.mul(&y)
382
383	putUint64(out, y.low)
384	putUint64(out[8:], y.high)
385
386	xorWords(out, out, tagMask[:])
387}
388
389func getUint64(data []byte) uint64 {
390	r := uint64(data[0])<<56 |
391		uint64(data[1])<<48 |
392		uint64(data[2])<<40 |
393		uint64(data[3])<<32 |
394		uint64(data[4])<<24 |
395		uint64(data[5])<<16 |
396		uint64(data[6])<<8 |
397		uint64(data[7])
398	return r
399}
400
401func putUint64(out []byte, v uint64) {
402	out[0] = byte(v >> 56)
403	out[1] = byte(v >> 48)
404	out[2] = byte(v >> 40)
405	out[3] = byte(v >> 32)
406	out[4] = byte(v >> 24)
407	out[5] = byte(v >> 16)
408	out[6] = byte(v >> 8)
409	out[7] = byte(v)
410}
411