github.com/hxx258456/ccgo@v0.0.5-0.20230213014102-48b35f46f66f/sm4/gcm_cipher_asm.go (about) 1 //go:build amd64 || arm64 2 // +build amd64 arm64 3 4 package sm4 5 6 import ( 7 "crypto/cipher" 8 goSubtle "crypto/subtle" 9 "encoding/binary" 10 "errors" 11 12 "github.com/hxx258456/ccgo/internal/subtle" 13 "github.com/hxx258456/ccgo/internal/xor" 14 ) 15 16 // Assert that sm4CipherAsm implements the gcmAble interface. 17 var _ gcmAble = (*sm4CipherAsm)(nil) 18 19 // NewGCM returns the SM4 cipher wrapped in Galois Counter Mode. This is only 20 // called by crypto/cipher.NewGCM via the gcmAble interface. 21 func (sm4c *sm4CipherAsm) NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) { 22 // log.Print("sm4.NewGCM in sm4/gcm_cipher_asm.go") 23 var key [gcmBlockSize]byte 24 sm4c.Encrypt(key[:], key[:]) 25 g := &gcm{cipher: sm4c, nonceSize: nonceSize, tagSize: tagSize} 26 // We precompute 16 multiples of |key|. However, when we do lookups 27 // into this table we'll be using bits from a field element and 28 // therefore the bits will be in the reverse order. So normally one 29 // would expect, say, 4*key to be in index 4 of the table but due to 30 // this bit ordering it will actually be in index 0010 (base 2) = 2. 31 x := gcmFieldElement{ 32 binary.BigEndian.Uint64(key[:8]), 33 binary.BigEndian.Uint64(key[8:]), 34 } 35 g.productTable[reverseBits(1)] = x 36 37 for i := 2; i < 16; i += 2 { 38 g.productTable[reverseBits(i)] = gcmDouble(&g.productTable[reverseBits(i/2)]) 39 g.productTable[reverseBits(i+1)] = gcmAdd(&g.productTable[reverseBits(i)], &x) 40 } 41 42 return g, nil 43 } 44 45 // gcmFieldElement represents a value in GF(2¹²⁸). In order to reflect the GCM 46 // standard and make binary.BigEndian suitable for marshaling these values, the 47 // bits are stored in big endian order. For example: 48 // 49 // the coefficient of x⁰ can be obtained by v.low >> 63. 50 // the coefficient of x⁶³ can be obtained by v.low & 1. 51 // the coefficient of x⁶⁴ can be obtained by v.high >> 63. 52 // the coefficient of x¹²⁷ can be obtained by v.high & 1. 53 type gcmFieldElement struct { 54 low, high uint64 55 } 56 57 // gcm represents a Galois Counter Mode with a specific key. See 58 // https://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf 59 type gcm struct { 60 cipher *sm4CipherAsm 61 nonceSize int 62 tagSize int 63 // productTable contains the first sixteen powers of the key, H. 64 // However, they are in bit reversed order. See NewGCMWithNonceSize. 65 productTable [16]gcmFieldElement 66 } 67 68 const ( 69 gcmBlockSize = 16 70 gcmTagSize = 16 71 gcmMinimumTagSize = 12 // NIST SP 800-38D recommends tags with 12 or more bytes. 72 gcmStandardNonceSize = 12 73 ) 74 75 func (g *gcm) NonceSize() int { 76 return g.nonceSize 77 } 78 79 func (g *gcm) Overhead() int { 80 return g.tagSize 81 } 82 83 func (g *gcm) Seal(dst, nonce, plaintext, data []byte) []byte { 84 // log.Print("sm4.Seal in sm4/gcm_cipher_asm.go") 85 if len(nonce) != g.nonceSize { 86 panic("cipher: incorrect nonce length given to GCM") 87 } 88 if uint64(len(plaintext)) > ((1<<32)-2)*uint64(g.cipher.BlockSize()) { 89 panic("cipher: message too large for GCM") 90 } 91 92 ret, out := subtle.SliceForAppend(dst, len(plaintext)+g.tagSize) 93 if subtle.InexactOverlap(out, plaintext) { 94 panic("cipher: invalid buffer overlap") 95 } 96 97 var counter, tagMask [gcmBlockSize]byte 98 g.deriveCounter(&counter, nonce) 99 100 g.cipher.Encrypt(tagMask[:], counter[:]) 101 gcmInc32(&counter) 102 103 g.counterCrypt(out, plaintext, &counter) 104 105 var tag [gcmTagSize]byte 106 g.auth(tag[:], out[:len(plaintext)], data, &tagMask) 107 copy(out[len(plaintext):], tag[:]) 108 109 return ret 110 } 111 112 var errOpen = errors.New("cipher: message authentication failed") 113 114 func (g *gcm) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) { 115 // log.Print("sm4.Open in sm4/gcm_cipher_asm.go") 116 if len(nonce) != g.nonceSize { 117 panic("cipher: incorrect nonce length given to GCM") 118 } 119 // Sanity check to prevent the authentication from always succeeding if an implementation 120 // leaves tagSize uninitialized, for example. 121 if g.tagSize < gcmMinimumTagSize { 122 panic("cipher: incorrect GCM tag size") 123 } 124 125 if len(ciphertext) < g.tagSize { 126 return nil, errOpen 127 } 128 if uint64(len(ciphertext)) > ((1<<32)-2)*uint64(g.cipher.BlockSize())+uint64(g.tagSize) { 129 return nil, errOpen 130 } 131 132 tag := ciphertext[len(ciphertext)-g.tagSize:] 133 ciphertext = ciphertext[:len(ciphertext)-g.tagSize] 134 135 var counter, tagMask [gcmBlockSize]byte 136 g.deriveCounter(&counter, nonce) 137 138 g.cipher.Encrypt(tagMask[:], counter[:]) 139 gcmInc32(&counter) 140 141 var expectedTag [gcmTagSize]byte 142 g.auth(expectedTag[:], ciphertext, data, &tagMask) 143 144 ret, out := subtle.SliceForAppend(dst, len(ciphertext)) 145 if subtle.InexactOverlap(out, ciphertext) { 146 panic("cipher: invalid buffer overlap") 147 } 148 149 if goSubtle.ConstantTimeCompare(expectedTag[:g.tagSize], tag) != 1 { 150 // The AESNI code decrypts and authenticates concurrently, and 151 // so overwrites dst in the event of a tag mismatch. That 152 // behavior is mimicked here in order to be consistent across 153 // platforms. 154 for i := range out { 155 out[i] = 0 156 } 157 return nil, errOpen 158 } 159 160 g.counterCrypt(out, ciphertext, &counter) 161 162 return ret, nil 163 } 164 165 // reverseBits reverses the order of the bits of 4-bit number in i. 166 func reverseBits(i int) int { 167 i = ((i << 2) & 0xc) | ((i >> 2) & 0x3) 168 i = ((i << 1) & 0xa) | ((i >> 1) & 0x5) 169 return i 170 } 171 172 // gcmAdd adds two elements of GF(2¹²⁸) and returns the sum. 173 func gcmAdd(x, y *gcmFieldElement) gcmFieldElement { 174 // Addition in a characteristic 2 field is just XOR. 175 return gcmFieldElement{x.low ^ y.low, x.high ^ y.high} 176 } 177 178 // gcmDouble returns the result of doubling an element of GF(2¹²⁸). 179 func gcmDouble(x *gcmFieldElement) (double gcmFieldElement) { 180 msbSet := x.high&1 == 1 181 182 // Because of the bit-ordering, doubling is actually a right shift. 183 double.high = x.high >> 1 184 double.high |= x.low << 63 185 double.low = x.low >> 1 186 187 // If the most-significant bit was set before shifting then it, 188 // conceptually, becomes a term of x^128. This is greater than the 189 // irreducible polynomial so the result has to be reduced. The 190 // irreducible polynomial is 1+x+x^2+x^7+x^128. We can subtract that to 191 // eliminate the term at x^128 which also means subtracting the other 192 // four terms. In characteristic 2 fields, subtraction == addition == 193 // XOR. 194 if msbSet { 195 double.low ^= 0xe100000000000000 196 } 197 198 return 199 } 200 201 var gcmReductionTable = []uint16{ 202 0x0000, 0x1c20, 0x3840, 0x2460, 0x7080, 0x6ca0, 0x48c0, 0x54e0, 203 0xe100, 0xfd20, 0xd940, 0xc560, 0x9180, 0x8da0, 0xa9c0, 0xb5e0, 204 } 205 206 // mul sets y to y*H, where H is the GCM key, fixed during NewGCMWithNonceSize. 207 func (g *gcm) mul(y *gcmFieldElement) { 208 var z gcmFieldElement 209 210 for i := 0; i < 2; i++ { 211 word := y.high 212 if i == 1 { 213 word = y.low 214 } 215 216 // Multiplication works by multiplying z by 16 and adding in 217 // one of the precomputed multiples of H. 218 for j := 0; j < 64; j += 4 { 219 msw := z.high & 0xf 220 z.high >>= 4 221 z.high |= z.low << 60 222 z.low >>= 4 223 z.low ^= uint64(gcmReductionTable[msw]) << 48 224 225 // the values in |table| are ordered for 226 // little-endian bit positions. See the comment 227 // in NewGCMWithNonceSize. 228 t := &g.productTable[word&0xf] 229 230 z.low ^= t.low 231 z.high ^= t.high 232 word >>= 4 233 } 234 } 235 236 *y = z 237 } 238 239 // updateBlocks extends y with more polynomial terms from blocks, based on 240 // Horner's rule. There must be a multiple of gcmBlockSize bytes in blocks. 241 func (g *gcm) updateBlocks(y *gcmFieldElement, blocks []byte) { 242 for len(blocks) > 0 { 243 y.low ^= binary.BigEndian.Uint64(blocks) 244 y.high ^= binary.BigEndian.Uint64(blocks[8:]) 245 g.mul(y) 246 blocks = blocks[gcmBlockSize:] 247 } 248 } 249 250 // update extends y with more polynomial terms from data. If data is not a 251 // multiple of gcmBlockSize bytes long then the remainder is zero padded. 252 func (g *gcm) update(y *gcmFieldElement, data []byte) { 253 fullBlocks := (len(data) >> 4) << 4 254 g.updateBlocks(y, data[:fullBlocks]) 255 256 if len(data) != fullBlocks { 257 var partialBlock [gcmBlockSize]byte 258 copy(partialBlock[:], data[fullBlocks:]) 259 g.updateBlocks(y, partialBlock[:]) 260 } 261 } 262 263 // gcmInc32 treats the final four bytes of counterBlock as a big-endian value 264 // and increments it. 265 func gcmInc32(counterBlock *[16]byte) { 266 ctr := counterBlock[len(counterBlock)-4:] 267 binary.BigEndian.PutUint32(ctr, binary.BigEndian.Uint32(ctr)+1) 268 } 269 270 // counterCrypt crypts in to out using g.cipher in counter mode. 271 func (g *gcm) counterCrypt(out, in []byte, counter *[gcmBlockSize]byte) { 272 mask := make([]byte, g.cipher.blocksSize) 273 counters := make([]byte, g.cipher.blocksSize) 274 275 for len(in) >= g.cipher.blocksSize { 276 for i := 0; i < g.cipher.batchBlocks; i++ { 277 copy(counters[i*gcmBlockSize:(i+1)*gcmBlockSize], counter[:]) 278 gcmInc32(counter) 279 } 280 g.cipher.EncryptBlocks(mask, counters) 281 xor.XorWords(out, in, mask[:]) 282 out = out[g.cipher.blocksSize:] 283 in = in[g.cipher.blocksSize:] 284 } 285 286 if len(in) > 0 { 287 blocks := (len(in) + gcmBlockSize - 1) / gcmBlockSize 288 for i := 0; i < blocks; i++ { 289 copy(counters[i*gcmBlockSize:], counter[:]) 290 gcmInc32(counter) 291 } 292 g.cipher.EncryptBlocks(mask, counters) 293 xor.XorBytes(out, in, mask[:blocks*gcmBlockSize]) 294 } 295 } 296 297 // deriveCounter computes the initial GCM counter state from the given nonce. 298 // See NIST SP 800-38D, section 7.1. This assumes that counter is filled with 299 // zeros on entry. 300 func (g *gcm) deriveCounter(counter *[gcmBlockSize]byte, nonce []byte) { 301 // GCM has two modes of operation with respect to the initial counter 302 // state: a "fast path" for 96-bit (12-byte) nonces, and a "slow path" 303 // for nonces of other lengths. For a 96-bit nonce, the nonce, along 304 // with a four-byte big-endian counter starting at one, is used 305 // directly as the starting counter. For other nonce sizes, the counter 306 // is computed by passing it through the GHASH function. 307 if len(nonce) == gcmStandardNonceSize { 308 copy(counter[:], nonce) 309 counter[gcmBlockSize-1] = 1 310 } else { 311 var y gcmFieldElement 312 g.update(&y, nonce) 313 y.high ^= uint64(len(nonce)) * 8 314 g.mul(&y) 315 binary.BigEndian.PutUint64(counter[:8], y.low) 316 binary.BigEndian.PutUint64(counter[8:], y.high) 317 } 318 } 319 320 // auth calculates GHASH(ciphertext, additionalData), masks the result with 321 // tagMask and writes the result to out. 322 func (g *gcm) auth(out, ciphertext, additionalData []byte, tagMask *[gcmTagSize]byte) { 323 var y gcmFieldElement 324 g.update(&y, additionalData) 325 g.update(&y, ciphertext) 326 327 y.low ^= uint64(len(additionalData)) * 8 328 y.high ^= uint64(len(ciphertext)) * 8 329 330 g.mul(&y) 331 332 binary.BigEndian.PutUint64(out, y.low) 333 binary.BigEndian.PutUint64(out[8:], y.high) 334 335 xor.XorWords(out, out, tagMask[:]) 336 }