gitee.com/ks-custle/core-gm@v0.0.0-20230922171213-b83bdd97b62c/sm4/gcm_cipher_asm.go (about)

     1  //go:build amd64 || arm64
     2  // +build amd64 arm64
     3  
     4  package sm4
     5  
     6  import (
     7  	"crypto/cipher"
     8  	goSubtle "crypto/subtle"
     9  	"encoding/binary"
    10  	"errors"
    11  
    12  	"gitee.com/ks-custle/core-gm/internal/subtle"
    13  	"gitee.com/ks-custle/core-gm/internal/xor"
    14  )
    15  
    16  // Assert that sm4CipherAsm implements the gcmAble interface.
    17  var _ gcmAble = (*sm4CipherAsm)(nil)
    18  
    19  // NewGCM returns the SM4 cipher wrapped in Galois Counter Mode. This is only
    20  // called by crypto/cipher.NewGCM via the gcmAble interface.
    21  func (sm4c *sm4CipherAsm) NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) {
    22  	// fmt.Println("sm4.NewGCM in sm4/gcm_cipher_asm.go")
    23  	var key [gcmBlockSize]byte
    24  	sm4c.Encrypt(key[:], key[:])
    25  	g := &gcm{cipher: sm4c, nonceSize: nonceSize, tagSize: tagSize}
    26  	// We precompute 16 multiples of |key|. However, when we do lookups
    27  	// into this table we'll be using bits from a field element and
    28  	// therefore the bits will be in the reverse order. So normally one
    29  	// would expect, say, 4*key to be in index 4 of the table but due to
    30  	// this bit ordering it will actually be in index 0010 (base 2) = 2.
    31  	x := gcmFieldElement{
    32  		binary.BigEndian.Uint64(key[:8]),
    33  		binary.BigEndian.Uint64(key[8:]),
    34  	}
    35  	g.productTable[reverseBits(1)] = x
    36  
    37  	for i := 2; i < 16; i += 2 {
    38  		g.productTable[reverseBits(i)] = gcmDouble(&g.productTable[reverseBits(i/2)])
    39  		g.productTable[reverseBits(i+1)] = gcmAdd(&g.productTable[reverseBits(i)], &x)
    40  	}
    41  
    42  	return g, nil
    43  }
    44  
// gcmFieldElement represents a value in GF(2¹²⁸). In order to reflect the GCM
// standard and make binary.BigEndian suitable for marshaling these values, the
// bits are stored in big endian order. For example:
//
//	the coefficient of x⁰ can be obtained by v.low >> 63.
//	the coefficient of x⁶³ can be obtained by v.low & 1.
//	the coefficient of x⁶⁴ can be obtained by v.high >> 63.
//	the coefficient of x¹²⁷ can be obtained by v.high & 1.
//
// This mirrors the field-element representation used by the Go standard
// library's software GCM implementation.
type gcmFieldElement struct {
	low, high uint64
}
    56  
// gcm represents a Galois Counter Mode with a specific key. See
// https://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
type gcm struct {
	cipher    *sm4CipherAsm // block cipher used for CTR encryption and deriving H
	nonceSize int           // accepted nonce length in bytes
	tagSize   int           // produced/verified tag length in bytes
	// productTable contains the first sixteen powers of the key, H.
	// However, they are in bit reversed order. See NewGCM above.
	productTable [16]gcmFieldElement
}
    67  
const (
	gcmBlockSize         = 16 // GCM always operates on 128-bit blocks
	gcmTagSize           = 16 // full-length authentication tag in bytes
	gcmMinimumTagSize    = 12 // NIST SP 800-38D recommends tags with 12 or more bytes.
	gcmStandardNonceSize = 12 // 96-bit nonces take the fast counter-derivation path
)
    74  
// NonceSize returns the length in bytes of nonces accepted by Seal and Open.
func (g *gcm) NonceSize() int {
	return g.nonceSize
}
    78  
// Overhead returns the number of bytes Seal appends beyond the plaintext
// length, i.e. the tag size.
func (g *gcm) Overhead() int {
	return g.tagSize
}
    82  
    83  func (g *gcm) Seal(dst, nonce, plaintext, data []byte) []byte {
    84  	// fmt.Println("sm4.Seal in sm4/gcm_cipher_asm.go")
    85  	if len(nonce) != g.nonceSize {
    86  		panic("cipher: incorrect nonce length given to GCM")
    87  	}
    88  	if uint64(len(plaintext)) > ((1<<32)-2)*uint64(g.cipher.BlockSize()) {
    89  		panic("cipher: message too large for GCM")
    90  	}
    91  
    92  	ret, out := subtle.SliceForAppend(dst, len(plaintext)+g.tagSize)
    93  	if subtle.InexactOverlap(out, plaintext) {
    94  		panic("cipher: invalid buffer overlap")
    95  	}
    96  
    97  	var counter, tagMask [gcmBlockSize]byte
    98  	g.deriveCounter(&counter, nonce)
    99  
   100  	g.cipher.Encrypt(tagMask[:], counter[:])
   101  	gcmInc32(&counter)
   102  
   103  	g.counterCrypt(out, plaintext, &counter)
   104  
   105  	var tag [gcmTagSize]byte
   106  	g.auth(tag[:], out[:len(plaintext)], data, &tagMask)
   107  	copy(out[len(plaintext):], tag[:])
   108  
   109  	return ret
   110  }
   111  
   112  var errOpen = errors.New("cipher: message authentication failed")
   113  
   114  func (g *gcm) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
   115  	// fmt.Println("sm4.Open in sm4/gcm_cipher_asm.go")
   116  	if len(nonce) != g.nonceSize {
   117  		panic("cipher: incorrect nonce length given to GCM")
   118  	}
   119  	// Sanity check to prevent the authentication from always succeeding if an implementation
   120  	// leaves tagSize uninitialized, for example.
   121  	if g.tagSize < gcmMinimumTagSize {
   122  		panic("cipher: incorrect GCM tag size")
   123  	}
   124  
   125  	if len(ciphertext) < g.tagSize {
   126  		return nil, errOpen
   127  	}
   128  	if uint64(len(ciphertext)) > ((1<<32)-2)*uint64(g.cipher.BlockSize())+uint64(g.tagSize) {
   129  		return nil, errOpen
   130  	}
   131  
   132  	tag := ciphertext[len(ciphertext)-g.tagSize:]
   133  	ciphertext = ciphertext[:len(ciphertext)-g.tagSize]
   134  
   135  	var counter, tagMask [gcmBlockSize]byte
   136  	g.deriveCounter(&counter, nonce)
   137  
   138  	g.cipher.Encrypt(tagMask[:], counter[:])
   139  	gcmInc32(&counter)
   140  
   141  	var expectedTag [gcmTagSize]byte
   142  	g.auth(expectedTag[:], ciphertext, data, &tagMask)
   143  
   144  	ret, out := subtle.SliceForAppend(dst, len(ciphertext))
   145  	if subtle.InexactOverlap(out, ciphertext) {
   146  		panic("cipher: invalid buffer overlap")
   147  	}
   148  
   149  	if goSubtle.ConstantTimeCompare(expectedTag[:g.tagSize], tag) != 1 {
   150  		// The AESNI code decrypts and authenticates concurrently, and
   151  		// so overwrites dst in the event of a tag mismatch. That
   152  		// behavior is mimicked here in order to be consistent across
   153  		// platforms.
   154  		for i := range out {
   155  			out[i] = 0
   156  		}
   157  		return nil, errOpen
   158  	}
   159  
   160  	g.counterCrypt(out, ciphertext, &counter)
   161  
   162  	return ret, nil
   163  }
   164  
   165  // reverseBits reverses the order of the bits of 4-bit number in i.
   166  func reverseBits(i int) int {
   167  	i = ((i << 2) & 0xc) | ((i >> 2) & 0x3)
   168  	i = ((i << 1) & 0xa) | ((i >> 1) & 0x5)
   169  	return i
   170  }
   171  
   172  // gcmAdd adds two elements of GF(2¹²⁸) and returns the sum.
   173  func gcmAdd(x, y *gcmFieldElement) gcmFieldElement {
   174  	// Addition in a characteristic 2 field is just XOR.
   175  	return gcmFieldElement{x.low ^ y.low, x.high ^ y.high}
   176  }
   177  
   178  // gcmDouble returns the result of doubling an element of GF(2¹²⁸).
   179  func gcmDouble(x *gcmFieldElement) (double gcmFieldElement) {
   180  	msbSet := x.high&1 == 1
   181  
   182  	// Because of the bit-ordering, doubling is actually a right shift.
   183  	double.high = x.high >> 1
   184  	double.high |= x.low << 63
   185  	double.low = x.low >> 1
   186  
   187  	// If the most-significant bit was set before shifting then it,
   188  	// conceptually, becomes a term of x^128. This is greater than the
   189  	// irreducible polynomial so the result has to be reduced. The
   190  	// irreducible polynomial is 1+x+x^2+x^7+x^128. We can subtract that to
   191  	// eliminate the term at x^128 which also means subtracting the other
   192  	// four terms. In characteristic 2 fields, subtraction == addition ==
   193  	// XOR.
   194  	if msbSet {
   195  		double.low ^= 0xe100000000000000
   196  	}
   197  
   198  	return
   199  }
   200  
// gcmReductionTable maps a 4-bit value shifted out of the field element to
// the corresponding reduction by the GCM irreducible polynomial, used by
// (*gcm).mul to fold four bits at a time.
var gcmReductionTable = []uint16{
	0x0000, 0x1c20, 0x3840, 0x2460, 0x7080, 0x6ca0, 0x48c0, 0x54e0,
	0xe100, 0xfd20, 0xd940, 0xc560, 0x9180, 0x8da0, 0xa9c0, 0xb5e0,
}
   205  
   206  // mul sets y to y*H, where H is the GCM key, fixed during NewGCMWithNonceSize.
   207  func (g *gcm) mul(y *gcmFieldElement) {
   208  	var z gcmFieldElement
   209  
   210  	for i := 0; i < 2; i++ {
   211  		word := y.high
   212  		if i == 1 {
   213  			word = y.low
   214  		}
   215  
   216  		// Multiplication works by multiplying z by 16 and adding in
   217  		// one of the precomputed multiples of H.
   218  		for j := 0; j < 64; j += 4 {
   219  			msw := z.high & 0xf
   220  			z.high >>= 4
   221  			z.high |= z.low << 60
   222  			z.low >>= 4
   223  			z.low ^= uint64(gcmReductionTable[msw]) << 48
   224  
   225  			// the values in |table| are ordered for
   226  			// little-endian bit positions. See the comment
   227  			// in NewGCMWithNonceSize.
   228  			t := &g.productTable[word&0xf]
   229  
   230  			z.low ^= t.low
   231  			z.high ^= t.high
   232  			word >>= 4
   233  		}
   234  	}
   235  
   236  	*y = z
   237  }
   238  
   239  // updateBlocks extends y with more polynomial terms from blocks, based on
   240  // Horner's rule. There must be a multiple of gcmBlockSize bytes in blocks.
   241  func (g *gcm) updateBlocks(y *gcmFieldElement, blocks []byte) {
   242  	for len(blocks) > 0 {
   243  		y.low ^= binary.BigEndian.Uint64(blocks)
   244  		y.high ^= binary.BigEndian.Uint64(blocks[8:])
   245  		g.mul(y)
   246  		blocks = blocks[gcmBlockSize:]
   247  	}
   248  }
   249  
   250  // update extends y with more polynomial terms from data. If data is not a
   251  // multiple of gcmBlockSize bytes long then the remainder is zero padded.
   252  func (g *gcm) update(y *gcmFieldElement, data []byte) {
   253  	fullBlocks := (len(data) >> 4) << 4
   254  	g.updateBlocks(y, data[:fullBlocks])
   255  
   256  	if len(data) != fullBlocks {
   257  		var partialBlock [gcmBlockSize]byte
   258  		copy(partialBlock[:], data[fullBlocks:])
   259  		g.updateBlocks(y, partialBlock[:])
   260  	}
   261  }
   262  
   263  // gcmInc32 treats the final four bytes of counterBlock as a big-endian value
   264  // and increments it.
   265  func gcmInc32(counterBlock *[16]byte) {
   266  	ctr := counterBlock[len(counterBlock)-4:]
   267  	binary.BigEndian.PutUint32(ctr, binary.BigEndian.Uint32(ctr)+1)
   268  }
   269  
   270  // counterCrypt crypts in to out using g.cipher in counter mode.
   271  func (g *gcm) counterCrypt(out, in []byte, counter *[gcmBlockSize]byte) {
   272  	mask := make([]byte, g.cipher.blocksSize)
   273  	counters := make([]byte, g.cipher.blocksSize)
   274  
   275  	for len(in) >= g.cipher.blocksSize {
   276  		for i := 0; i < g.cipher.batchBlocks; i++ {
   277  			copy(counters[i*gcmBlockSize:(i+1)*gcmBlockSize], counter[:])
   278  			gcmInc32(counter)
   279  		}
   280  		g.cipher.EncryptBlocks(mask, counters)
   281  		xor.XorWords(out, in, mask[:])
   282  		out = out[g.cipher.blocksSize:]
   283  		in = in[g.cipher.blocksSize:]
   284  	}
   285  
   286  	if len(in) > 0 {
   287  		blocks := (len(in) + gcmBlockSize - 1) / gcmBlockSize
   288  		for i := 0; i < blocks; i++ {
   289  			copy(counters[i*gcmBlockSize:], counter[:])
   290  			gcmInc32(counter)
   291  		}
   292  		g.cipher.EncryptBlocks(mask, counters)
   293  		xor.XorBytes(out, in, mask[:blocks*gcmBlockSize])
   294  	}
   295  }
   296  
   297  // deriveCounter computes the initial GCM counter state from the given nonce.
   298  // See NIST SP 800-38D, section 7.1. This assumes that counter is filled with
   299  // zeros on entry.
   300  func (g *gcm) deriveCounter(counter *[gcmBlockSize]byte, nonce []byte) {
   301  	// GCM has two modes of operation with respect to the initial counter
   302  	// state: a "fast path" for 96-bit (12-byte) nonces, and a "slow path"
   303  	// for nonces of other lengths. For a 96-bit nonce, the nonce, along
   304  	// with a four-byte big-endian counter starting at one, is used
   305  	// directly as the starting counter. For other nonce sizes, the counter
   306  	// is computed by passing it through the GHASH function.
   307  	if len(nonce) == gcmStandardNonceSize {
   308  		copy(counter[:], nonce)
   309  		counter[gcmBlockSize-1] = 1
   310  	} else {
   311  		var y gcmFieldElement
   312  		g.update(&y, nonce)
   313  		y.high ^= uint64(len(nonce)) * 8
   314  		g.mul(&y)
   315  		binary.BigEndian.PutUint64(counter[:8], y.low)
   316  		binary.BigEndian.PutUint64(counter[8:], y.high)
   317  	}
   318  }
   319  
   320  // auth calculates GHASH(ciphertext, additionalData), masks the result with
   321  // tagMask and writes the result to out.
   322  func (g *gcm) auth(out, ciphertext, additionalData []byte, tagMask *[gcmTagSize]byte) {
   323  	var y gcmFieldElement
   324  	g.update(&y, additionalData)
   325  	g.update(&y, ciphertext)
   326  
   327  	y.low ^= uint64(len(additionalData)) * 8
   328  	y.high ^= uint64(len(ciphertext)) * 8
   329  
   330  	g.mul(&y)
   331  
   332  	binary.BigEndian.PutUint64(out, y.low)
   333  	binary.BigEndian.PutUint64(out[8:], y.high)
   334  
   335  	xor.XorWords(out, out, tagMask[:])
   336  }