github.com/emmansun/gmsm@v0.29.1/sm4/gcm_cipher_asm.go (about) 1 //go:build (amd64 || arm64) && !purego 2 3 package sm4 4 5 import ( 6 "crypto/cipher" 7 goSubtle "crypto/subtle" 8 "encoding/binary" 9 "errors" 10 11 "github.com/emmansun/gmsm/internal/alias" 12 "github.com/emmansun/gmsm/internal/subtle" 13 ) 14 15 // Assert that sm4CipherAsm implements the gcmAble interface. 16 var _ gcmAble = (*sm4CipherAsm)(nil) 17 18 // NewGCM returns the SM4 cipher wrapped in Galois Counter Mode. This is only 19 // called by crypto/cipher.NewGCM via the gcmAble interface. 20 func (c *sm4CipherAsm) NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) { 21 var key [gcmBlockSize]byte 22 c.Encrypt(key[:], key[:]) 23 g := &gcm{cipher: c, nonceSize: nonceSize, tagSize: tagSize} 24 // We precompute 16 multiples of |key|. However, when we do lookups 25 // into this table we'll be using bits from a field element and 26 // therefore the bits will be in the reverse order. So normally one 27 // would expect, say, 4*key to be in index 4 of the table but due to 28 // this bit ordering it will actually be in index 0010 (base 2) = 2. 29 x := gcmFieldElement{ 30 binary.BigEndian.Uint64(key[:8]), 31 binary.BigEndian.Uint64(key[8:]), 32 } 33 g.productTable[reverseBits(1)] = x 34 35 for i := 2; i < 16; i += 2 { 36 g.productTable[reverseBits(i)] = gcmDouble(&g.productTable[reverseBits(i/2)]) 37 g.productTable[reverseBits(i+1)] = gcmAdd(&g.productTable[reverseBits(i)], &x) 38 } 39 40 return g, nil 41 } 42 43 // gcmFieldElement represents a value in GF(2¹²⁸). In order to reflect the GCM 44 // standard and make binary.BigEndian suitable for marshaling these values, the 45 // bits are stored in big endian order. For example: 46 // the coefficient of x⁰ can be obtained by v.low >> 63. 47 // the coefficient of x⁶³ can be obtained by v.low & 1. 48 // the coefficient of x⁶⁴ can be obtained by v.high >> 63. 49 // the coefficient of x¹²⁷ can be obtained by v.high & 1. 
type gcmFieldElement struct {
	low, high uint64
}

// gcm represents a Galois Counter Mode with a specific key. See
// https://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
type gcm struct {
	cipher    *sm4CipherAsm
	nonceSize int
	tagSize   int
	// productTable contains the first sixteen powers of the key, H.
	// However, they are in bit reversed order. See NewGCMWithNonceSize.
	productTable [16]gcmFieldElement
}

const (
	gcmBlockSize         = 16
	gcmTagSize           = 16
	gcmMinimumTagSize    = 12 // NIST SP 800-38D recommends tags with 12 or more bytes.
	gcmStandardNonceSize = 12
)

// NonceSize returns the length of nonce that must be passed to Seal and Open.
func (g *gcm) NonceSize() int {
	return g.nonceSize
}

// Overhead returns the number of bytes Seal appends beyond the plaintext
// length: the authentication tag size.
func (g *gcm) Overhead() int {
	return g.tagSize
}

// Seal encrypts plaintext, authenticates it together with the additional
// data, and appends ciphertext||tag to dst, returning the combined slice.
// It panics on an incorrect nonce length, an over-long message, or an
// inexactly overlapping dst/plaintext pair.
func (g *gcm) Seal(dst, nonce, plaintext, data []byte) []byte {
	if len(nonce) != g.nonceSize {
		panic("cipher: incorrect nonce length given to GCM")
	}
	// GCM limits messages to 2³² - 2 blocks (NIST SP 800-38D).
	if uint64(len(plaintext)) > ((1<<32)-2)*uint64(g.cipher.BlockSize()) {
		panic("cipher: message too large for GCM")
	}

	ret, out := alias.SliceForAppend(dst, len(plaintext)+g.tagSize)
	if alias.InexactOverlap(out, plaintext) {
		panic("cipher: invalid buffer overlap")
	}

	var counter, tagMask [gcmBlockSize]byte
	g.deriveCounter(&counter, nonce)

	// The first counter block (J0) is encrypted to form the tag mask; the
	// message itself is encrypted starting from the incremented counter.
	g.cipher.encrypt(tagMask[:], counter[:])
	gcmInc32(&counter)

	g.counterCrypt(out, plaintext, &counter)

	var tag [gcmTagSize]byte
	g.auth(tag[:], out[:len(plaintext)], data, &tagMask)
	copy(out[len(plaintext):], tag[:])

	return ret
}

var errOpen = errors.New("cipher: message authentication failed")

// Open authenticates ciphertext||tag together with the additional data and,
// on success, appends the decrypted plaintext to dst. It returns errOpen on
// any authentication failure and panics on an incorrect nonce length or an
// inexactly overlapping dst/ciphertext pair.
func (g *gcm) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
	if len(nonce) != g.nonceSize {
		panic("cipher: incorrect nonce length given to GCM")
	}
	// Sanity check to prevent the authentication from always succeeding if an implementation
	// leaves tagSize uninitialized, for example.
	if g.tagSize < gcmMinimumTagSize {
		panic("cipher: incorrect GCM tag size")
	}

	if len(ciphertext) < g.tagSize {
		return nil, errOpen
	}
	if uint64(len(ciphertext)) > ((1<<32)-2)*uint64(g.cipher.BlockSize())+uint64(g.tagSize) {
		return nil, errOpen
	}

	// Split the trailing tag off the ciphertext.
	tag := ciphertext[len(ciphertext)-g.tagSize:]
	ciphertext = ciphertext[:len(ciphertext)-g.tagSize]

	var counter, tagMask [gcmBlockSize]byte
	g.deriveCounter(&counter, nonce)

	g.cipher.encrypt(tagMask[:], counter[:])
	gcmInc32(&counter)

	// The tag is recomputed and checked in constant time BEFORE any
	// plaintext is produced.
	var expectedTag [gcmTagSize]byte
	g.auth(expectedTag[:], ciphertext, data, &tagMask)

	ret, out := alias.SliceForAppend(dst, len(ciphertext))
	if alias.InexactOverlap(out, ciphertext) {
		panic("cipher: invalid buffer overlap")
	}

	if goSubtle.ConstantTimeCompare(expectedTag[:g.tagSize], tag) != 1 {
		// The AESNI code decrypts and authenticates concurrently, and
		// so overwrites dst in the event of a tag mismatch. That
		// behavior is mimicked here in order to be consistent across
		// platforms.
		for i := range out {
			out[i] = 0
		}
		return nil, errOpen
	}

	g.counterCrypt(out, ciphertext, &counter)

	return ret, nil
}

// reverseBits reverses the order of the bits of 4-bit number in i.
func reverseBits(i int) int {
	i = ((i << 2) & 0xc) | ((i >> 2) & 0x3)
	i = ((i << 1) & 0xa) | ((i >> 1) & 0x5)
	return i
}

// gcmAdd adds two elements of GF(2¹²⁸) and returns the sum.
func gcmAdd(x, y *gcmFieldElement) gcmFieldElement {
	// Addition in a characteristic 2 field is just XOR.
	return gcmFieldElement{x.low ^ y.low, x.high ^ y.high}
}

// gcmDouble returns the result of doubling an element of GF(2¹²⁸).
func gcmDouble(x *gcmFieldElement) (double gcmFieldElement) {
	msbSet := x.high&1 == 1

	// Because of the bit-ordering, doubling is actually a right shift.
	double.high = x.high >> 1
	double.high |= x.low << 63
	double.low = x.low >> 1

	// If the most-significant bit was set before shifting then it,
	// conceptually, becomes a term of x^128. This is greater than the
	// irreducible polynomial so the result has to be reduced. The
	// irreducible polynomial is 1+x+x^2+x^7+x^128. We can subtract that to
	// eliminate the term at x^128 which also means subtracting the other
	// four terms. In characteristic 2 fields, subtraction == addition ==
	// XOR.
	if msbSet {
		double.low ^= 0xe100000000000000
	}

	return
}

// gcmReductionTable maps the four bits shifted out of a field element during
// mul back onto the element, folding in the reduction polynomial (see the
// 0xe1… constant in gcmDouble) for each possible 4-bit value.
var gcmReductionTable = []uint16{
	0x0000, 0x1c20, 0x3840, 0x2460, 0x7080, 0x6ca0, 0x48c0, 0x54e0,
	0xe100, 0xfd20, 0xd940, 0xc560, 0x9180, 0x8da0, 0xa9c0, 0xb5e0,
}

// mul sets y to y*H, where H is the GCM key, fixed during NewGCMWithNonceSize.
func (g *gcm) mul(y *gcmFieldElement) {
	var z gcmFieldElement

	for i := 0; i < 2; i++ {
		word := y.high
		if i == 1 {
			word = y.low
		}

		// Multiplication works by multiplying z by 16 and adding in
		// one of the precomputed multiples of H.
		for j := 0; j < 64; j += 4 {
			msw := z.high & 0xf
			z.high >>= 4
			z.high |= z.low << 60
			z.low >>= 4
			z.low ^= uint64(gcmReductionTable[msw]) << 48

			// the values in |table| are ordered for
			// little-endian bit positions. See the comment
			// in NewGCMWithNonceSize.
			t := &g.productTable[word&0xf]

			z.low ^= t.low
			z.high ^= t.high
			word >>= 4
		}
	}

	*y = z
}

// updateBlocks extends y with more polynomial terms from blocks, based on
// Horner's rule. There must be a multiple of gcmBlockSize bytes in blocks.
236 func (g *gcm) updateBlocks(y *gcmFieldElement, blocks []byte) { 237 for len(blocks) > 0 { 238 y.low ^= binary.BigEndian.Uint64(blocks) 239 y.high ^= binary.BigEndian.Uint64(blocks[8:]) 240 g.mul(y) 241 blocks = blocks[gcmBlockSize:] 242 } 243 } 244 245 // update extends y with more polynomial terms from data. If data is not a 246 // multiple of gcmBlockSize bytes long then the remainder is zero padded. 247 func (g *gcm) update(y *gcmFieldElement, data []byte) { 248 fullBlocks := (len(data) >> 4) << 4 249 g.updateBlocks(y, data[:fullBlocks]) 250 251 if len(data) != fullBlocks { 252 var partialBlock [gcmBlockSize]byte 253 copy(partialBlock[:], data[fullBlocks:]) 254 g.updateBlocks(y, partialBlock[:]) 255 } 256 } 257 258 // gcmInc32 treats the final four bytes of counterBlock as a big-endian value 259 // and increments it. 260 func gcmInc32(counterBlock *[16]byte) { 261 ctr := counterBlock[len(counterBlock)-4:] 262 binary.BigEndian.PutUint32(ctr, binary.BigEndian.Uint32(ctr)+1) 263 } 264 265 // counterCrypt crypts in to out using g.cipher in counter mode. 266 func (g *gcm) counterCrypt(out, in []byte, counter *[gcmBlockSize]byte) { 267 mask := make([]byte, g.cipher.blocksSize) 268 counters := make([]byte, g.cipher.blocksSize) 269 270 for len(in) >= g.cipher.blocksSize { 271 for i := 0; i < g.cipher.batchBlocks; i++ { 272 copy(counters[i*gcmBlockSize:(i+1)*gcmBlockSize], counter[:]) 273 gcmInc32(counter) 274 } 275 g.cipher.EncryptBlocks(mask, counters) 276 subtle.XORBytes(out, in, mask[:]) 277 out = out[g.cipher.blocksSize:] 278 in = in[g.cipher.blocksSize:] 279 } 280 281 if len(in) > 0 { 282 blocks := (len(in) + gcmBlockSize - 1) / gcmBlockSize 283 for i := 0; i < blocks; i++ { 284 copy(counters[i*gcmBlockSize:], counter[:]) 285 gcmInc32(counter) 286 } 287 g.cipher.EncryptBlocks(mask, counters) 288 subtle.XORBytes(out, in, mask[:blocks*gcmBlockSize]) 289 } 290 } 291 292 // deriveCounter computes the initial GCM counter state from the given nonce. 
293 // See NIST SP 800-38D, section 7.1. This assumes that counter is filled with 294 // zeros on entry. 295 func (g *gcm) deriveCounter(counter *[gcmBlockSize]byte, nonce []byte) { 296 // GCM has two modes of operation with respect to the initial counter 297 // state: a "fast path" for 96-bit (12-byte) nonces, and a "slow path" 298 // for nonces of other lengths. For a 96-bit nonce, the nonce, along 299 // with a four-byte big-endian counter starting at one, is used 300 // directly as the starting counter. For other nonce sizes, the counter 301 // is computed by passing it through the GHASH function. 302 if len(nonce) == gcmStandardNonceSize { 303 copy(counter[:], nonce) 304 counter[gcmBlockSize-1] = 1 305 } else { 306 var y gcmFieldElement 307 g.update(&y, nonce) 308 y.high ^= uint64(len(nonce)) * 8 309 g.mul(&y) 310 binary.BigEndian.PutUint64(counter[:8], y.low) 311 binary.BigEndian.PutUint64(counter[8:], y.high) 312 } 313 } 314 315 // auth calculates GHASH(ciphertext, additionalData), masks the result with 316 // tagMask and writes the result to out. 317 func (g *gcm) auth(out, ciphertext, additionalData []byte, tagMask *[gcmTagSize]byte) { 318 var y gcmFieldElement 319 g.update(&y, additionalData) 320 g.update(&y, ciphertext) 321 322 y.low ^= uint64(len(additionalData)) * 8 323 y.high ^= uint64(len(ciphertext)) * 8 324 325 g.mul(&y) 326 327 binary.BigEndian.PutUint64(out, y.low) 328 binary.BigEndian.PutUint64(out[8:], y.high) 329 330 subtle.XORBytes(out, out, tagMask[:]) 331 }