mirror of
https://github.com/bol-van/zapret.git
synced 2024-11-27 12:40:53 +03:00
512 lines
19 KiB
C
512 lines
19 KiB
C
/******************************************************************************
|
|
*
|
|
* THIS SOURCE CODE IS HEREBY PLACED INTO THE PUBLIC DOMAIN FOR THE GOOD OF ALL
|
|
*
|
|
* This is a simple and straightforward implementation of AES-GCM authenticated
|
|
* encryption. The focus of this work was correctness & accuracy. It is written
|
|
* in straight 'C' without any particular focus upon optimization or speed. It
|
|
* should be endian (memory byte order) neutral since the few places that care
|
|
* are handled explicitly.
|
|
*
|
|
* This implementation of AES-GCM was created by Steven M. Gibson of GRC.com.
|
|
*
|
|
* It is intended for general purpose use, but was written in support of GRC's
|
|
* reference implementation of the SQRL (Secure Quick Reliable Login) client.
|
|
*
|
|
* See: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
|
|
* http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/
|
|
* gcm/gcm-revised-spec.pdf
|
|
*
|
|
* NO COPYRIGHT IS CLAIMED IN THIS WORK, HOWEVER, NEITHER IS ANY WARRANTY MADE
|
|
* REGARDING ITS FITNESS FOR ANY PARTICULAR PURPOSE. USE IT AT YOUR OWN RISK.
|
|
*
|
|
*******************************************************************************/
|
|
|
|
#include "gcm.h"
|
|
#include "aes.h"
|
|
|
|
/******************************************************************************
|
|
* ==== IMPLEMENTATION WARNING ====
|
|
*
|
|
* This code was developed for use within SQRL's fixed environmnent. Thus, it
|
|
* is somewhat less "general purpose" than it would be if it were designed as
|
|
* a general purpose AES-GCM library. Specifically, it bothers with almost NO
|
|
* error checking on parameter limits, buffer bounds, etc. It assumes that it
|
|
* is being invoked by its author or by someone who understands the values it
|
|
* expects to receive. Its behavior will be undefined otherwise.
|
|
*
|
|
* All functions that might fail are defined to return 'ints' to indicate a
|
|
* problem. Most do not do so now. But this allows for error propagation out
|
|
* of internal functions if robust error checking should ever be desired.
|
|
*
|
|
******************************************************************************/
|
|
|
|
/* Calculating the "GHASH"
|
|
*
|
|
* There are many ways of calculating the so-called GHASH in software, each with
|
|
* a traditional size vs performance tradeoff. The GHASH (Galois field hash) is
|
|
* an intriguing construction which takes two 128-bit strings (also the cipher's
|
|
* block size and the fundamental operation size for the system) and hashes them
|
|
* into a third 128-bit result.
|
|
*
|
|
* Many implementation solutions have been worked out that use large precomputed
|
|
* table lookups in place of more time consuming bit fiddling, and this approach
|
|
* can be scaled easily upward or downward as needed to change the time/space
|
|
* tradeoff. It's been studied extensively and there's a solid body of theory and
|
|
* practice. For example, without using any lookup tables an implementation
|
|
* might obtain 119 cycles per byte throughput, whereas using a simple, though
|
|
* large, key-specific 64 kbyte 8-bit lookup table the performance jumps to 13
|
|
* cycles per byte.
|
|
*
|
|
* And Intel's processors have, since 2010, included an instruction which does
|
|
* the entire 128x128->128 bit job in just several 64x64->128 bit pieces.
|
|
*
|
|
* Since SQRL is interactive, and only processing a few 128-bit blocks, I've
|
|
* settled upon a relatively slower but appealing small-table compromise which
|
|
* folds a bunch of not only time consuming but also bit twiddling into a simple
|
|
* 16-entry table which is attributed to Victor Shoup's 1996 work while at
|
|
* Bellcore: "On Fast and Provably Secure MessageAuthentication Based on
|
|
* Universal Hashing." See: http://www.shoup.net/papers/macs.pdf
|
|
* See, also section 4.1 of the "gcm-revised-spec" cited above.
|
|
*/
|
|
|
|
/*
|
|
* This 16-entry table of pre-computed constants is used by the
|
|
* GHASH multiplier to improve over a strictly table-free but
|
|
* significantly slower 128x128 bit multiple within GF(2^128).
|
|
*/
|
|
static const uint64_t last4[16] = {
|
|
0x0000, 0x1c20, 0x3840, 0x2460, 0x7080, 0x6ca0, 0x48c0, 0x54e0,
|
|
0xe100, 0xfd20, 0xd940, 0xc560, 0x9180, 0x8da0, 0xa9c0, 0xb5e0 };
|
|
|
|
/*
|
|
* Platform Endianness Neutralizing Load and Store Macro definitions
|
|
* GCM wants platform-neutral Big Endian (BE) byte ordering
|
|
*/
|
|
#define GET_UINT32_BE(n,b,i) { \
|
|
(n) = ( (uint32_t) (b)[(i) ] << 24 ) \
|
|
| ( (uint32_t) (b)[(i) + 1] << 16 ) \
|
|
| ( (uint32_t) (b)[(i) + 2] << 8 ) \
|
|
| ( (uint32_t) (b)[(i) + 3] ); }
|
|
|
|
#define PUT_UINT32_BE(n,b,i) { \
|
|
(b)[(i) ] = (uchar) ( (n) >> 24 ); \
|
|
(b)[(i) + 1] = (uchar) ( (n) >> 16 ); \
|
|
(b)[(i) + 2] = (uchar) ( (n) >> 8 ); \
|
|
(b)[(i) + 3] = (uchar) ( (n) ); }
|
|
|
|
|
|
/******************************************************************************
|
|
*
|
|
* GCM_INITIALIZE
|
|
*
|
|
* Must be called once to initialize the GCM library.
|
|
*
|
|
* At present, this only calls the AES keygen table generator, which expands
|
|
* the AES keying tables for use. This is NOT A THREAD-SAFE function, so it
|
|
* MUST be called during system initialization before a multi-threading
|
|
* environment is running.
|
|
*
|
|
******************************************************************************/
|
|
int gcm_initialize(void)
|
|
{
|
|
aes_init_keygen_tables();
|
|
return(0);
|
|
}
|
|
|
|
|
|
/******************************************************************************
|
|
*
|
|
* GCM_MULT
|
|
*
|
|
* Performs a GHASH operation on the 128-bit input vector 'x', setting
|
|
* the 128-bit output vector to 'x' times H using our precomputed tables.
|
|
* 'x' and 'output' are seen as elements of GCM's GF(2^128) Galois field.
|
|
*
|
|
******************************************************************************/
|
|
static void gcm_mult(gcm_context *ctx, // pointer to established context
|
|
const uchar x[16], // pointer to 128-bit input vector
|
|
uchar output[16]) // pointer to 128-bit output vector
|
|
{
|
|
int i;
|
|
uchar lo, hi, rem;
|
|
uint64_t zh, zl;
|
|
|
|
lo = (uchar)(x[15] & 0x0f);
|
|
hi = (uchar)(x[15] >> 4);
|
|
zh = ctx->HH[lo];
|
|
zl = ctx->HL[lo];
|
|
|
|
for (i = 15; i >= 0; i--) {
|
|
lo = (uchar)(x[i] & 0x0f);
|
|
hi = (uchar)(x[i] >> 4);
|
|
|
|
if (i != 15) {
|
|
rem = (uchar)(zl & 0x0f);
|
|
zl = (zh << 60) | (zl >> 4);
|
|
zh = (zh >> 4);
|
|
zh ^= (uint64_t)last4[rem] << 48;
|
|
zh ^= ctx->HH[lo];
|
|
zl ^= ctx->HL[lo];
|
|
}
|
|
rem = (uchar)(zl & 0x0f);
|
|
zl = (zh << 60) | (zl >> 4);
|
|
zh = (zh >> 4);
|
|
zh ^= (uint64_t)last4[rem] << 48;
|
|
zh ^= ctx->HH[hi];
|
|
zl ^= ctx->HL[hi];
|
|
}
|
|
PUT_UINT32_BE(zh >> 32, output, 0);
|
|
PUT_UINT32_BE(zh, output, 4);
|
|
PUT_UINT32_BE(zl >> 32, output, 8);
|
|
PUT_UINT32_BE(zl, output, 12);
|
|
}
|
|
|
|
|
|
/******************************************************************************
|
|
*
|
|
* GCM_SETKEY
|
|
*
|
|
* This is called to set the AES-GCM key. It initializes the AES key
|
|
* and populates the gcm context's pre-calculated HTables.
|
|
*
|
|
******************************************************************************/
|
|
int gcm_setkey(gcm_context *ctx, // pointer to caller-provided gcm context
|
|
const uchar *key, // pointer to the AES encryption key
|
|
const uint keysize) // size in bytes (must be 16, 24, 32 for
|
|
// 128, 192 or 256-bit keys respectively)
|
|
{
|
|
int ret, i, j;
|
|
uint64_t hi, lo;
|
|
uint64_t vl, vh;
|
|
unsigned char h[16];
|
|
|
|
memset(ctx, 0, sizeof(gcm_context)); // zero caller-provided GCM context
|
|
memset(h, 0, 16); // initialize the block to encrypt
|
|
|
|
// encrypt the null 128-bit block to generate a key-based value
|
|
// which is then used to initialize our GHASH lookup tables
|
|
if ((ret = aes_setkey(&ctx->aes_ctx, AES_ENCRYPT, key, keysize)) != 0)
|
|
return(ret);
|
|
if ((ret = aes_cipher(&ctx->aes_ctx, h, h)) != 0)
|
|
return(ret);
|
|
|
|
GET_UINT32_BE(hi, h, 0); // pack h as two 64-bit ints, big-endian
|
|
GET_UINT32_BE(lo, h, 4);
|
|
vh = (uint64_t)hi << 32 | lo;
|
|
|
|
GET_UINT32_BE(hi, h, 8);
|
|
GET_UINT32_BE(lo, h, 12);
|
|
vl = (uint64_t)hi << 32 | lo;
|
|
|
|
ctx->HL[8] = vl; // 8 = 1000 corresponds to 1 in GF(2^128)
|
|
ctx->HH[8] = vh;
|
|
ctx->HH[0] = 0; // 0 corresponds to 0 in GF(2^128)
|
|
ctx->HL[0] = 0;
|
|
|
|
for (i = 4; i > 0; i >>= 1) {
|
|
uint32_t T = (uint32_t)(vl & 1) * 0xe1000000U;
|
|
vl = (vh << 63) | (vl >> 1);
|
|
vh = (vh >> 1) ^ ((uint64_t)T << 32);
|
|
ctx->HL[i] = vl;
|
|
ctx->HH[i] = vh;
|
|
}
|
|
for (i = 2; i < 16; i <<= 1) {
|
|
uint64_t *HiL = ctx->HL + i, *HiH = ctx->HH + i;
|
|
vh = *HiH;
|
|
vl = *HiL;
|
|
for (j = 1; j < i; j++) {
|
|
HiH[j] = vh ^ ctx->HH[j];
|
|
HiL[j] = vl ^ ctx->HL[j];
|
|
}
|
|
}
|
|
return(0);
|
|
}
|
|
|
|
|
|
/******************************************************************************
|
|
*
|
|
* GCM processing occurs four phases: SETKEY, START, UPDATE and FINISH.
|
|
*
|
|
* SETKEY:
|
|
*
|
|
* START: Sets the Encryption/Decryption mode.
|
|
* Accepts the initialization vector and additional data.
|
|
*
|
|
* UPDATE: Encrypts or decrypts the plaintext or ciphertext.
|
|
*
|
|
* FINISH: Performs a final GHASH to generate the authentication tag.
|
|
*
|
|
******************************************************************************
|
|
*
|
|
* GCM_START
|
|
*
|
|
* Given a user-provided GCM context, this initializes it, sets the encryption
|
|
* mode, and preprocesses the initialization vector and additional AEAD data.
|
|
*
|
|
******************************************************************************/
|
|
int gcm_start(gcm_context *ctx, // pointer to user-provided GCM context
|
|
int mode, // GCM_ENCRYPT or GCM_DECRYPT
|
|
const uchar *iv, // pointer to initialization vector
|
|
size_t iv_len, // IV length in bytes (should == 12)
|
|
const uchar *add, // ptr to additional AEAD data (NULL if none)
|
|
size_t add_len) // length of additional AEAD data (bytes)
|
|
{
|
|
int ret; // our error return if the AES encrypt fails
|
|
uchar work_buf[16]; // XOR source built from provided IV if len != 16
|
|
const uchar *p; // general purpose array pointer
|
|
size_t use_len; // byte count to process, up to 16 bytes
|
|
size_t i; // local loop iterator
|
|
|
|
// since the context might be reused under the same key
|
|
// we zero the working buffers for this next new process
|
|
memset(ctx->y, 0x00, sizeof(ctx->y));
|
|
memset(ctx->buf, 0x00, sizeof(ctx->buf));
|
|
ctx->len = 0;
|
|
ctx->add_len = 0;
|
|
|
|
ctx->mode = mode; // set the GCM encryption/decryption mode
|
|
ctx->aes_ctx.mode = AES_ENCRYPT; // GCM *always* runs AES in ENCRYPTION mode
|
|
|
|
if (iv_len == 12) { // GCM natively uses a 12-byte, 96-bit IV
|
|
memcpy(ctx->y, iv, iv_len); // copy the IV to the top of the 'y' buff
|
|
ctx->y[15] = 1; // start "counting" from 1 (not 0)
|
|
}
|
|
else // if we don't have a 12-byte IV, we GHASH whatever we've been given
|
|
{
|
|
memset(work_buf, 0x00, 16); // clear the working buffer
|
|
PUT_UINT32_BE(iv_len * 8, work_buf, 12); // place the IV into buffer
|
|
|
|
p = iv;
|
|
while (iv_len > 0) {
|
|
use_len = (iv_len < 16) ? iv_len : 16;
|
|
for (i = 0; i < use_len; i++) ctx->y[i] ^= p[i];
|
|
gcm_mult(ctx, ctx->y, ctx->y);
|
|
iv_len -= use_len;
|
|
p += use_len;
|
|
}
|
|
for (i = 0; i < 16; i++) ctx->y[i] ^= work_buf[i];
|
|
gcm_mult(ctx, ctx->y, ctx->y);
|
|
}
|
|
if ((ret = aes_cipher(&ctx->aes_ctx, ctx->y, ctx->base_ectr)) != 0)
|
|
return(ret);
|
|
|
|
ctx->add_len = add_len;
|
|
p = add;
|
|
while (add_len > 0) {
|
|
use_len = (add_len < 16) ? add_len : 16;
|
|
for (i = 0; i < use_len; i++) ctx->buf[i] ^= p[i];
|
|
gcm_mult(ctx, ctx->buf, ctx->buf);
|
|
add_len -= use_len;
|
|
p += use_len;
|
|
}
|
|
return(0);
|
|
}
|
|
|
|
/******************************************************************************
|
|
*
|
|
* GCM_UPDATE
|
|
*
|
|
* This is called once or more to process bulk plaintext or ciphertext data.
|
|
* We give this some number of bytes of input and it returns the same number
|
|
* of output bytes. If called multiple times (which is fine) all but the final
|
|
* invocation MUST be called with length mod 16 == 0. (Only the final call can
|
|
* have a partial block length of < 128 bits.)
|
|
*
|
|
******************************************************************************/
|
|
int gcm_update(gcm_context *ctx, // pointer to user-provided GCM context
|
|
size_t length, // length, in bytes, of data to process
|
|
const uchar *input, // pointer to source data
|
|
uchar *output) // pointer to destination data
|
|
{
|
|
int ret; // our error return if the AES encrypt fails
|
|
uchar ectr[16]; // counter-mode cipher output for XORing
|
|
size_t use_len; // byte count to process, up to 16 bytes
|
|
size_t i; // local loop iterator
|
|
|
|
ctx->len += length; // bump the GCM context's running length count
|
|
|
|
while (length > 0) {
|
|
// clamp the length to process at 16 bytes
|
|
use_len = (length < 16) ? length : 16;
|
|
|
|
// increment the context's 128-bit IV||Counter 'y' vector
|
|
for (i = 16; i > 12; i--) if (++ctx->y[i - 1] != 0) break;
|
|
|
|
// encrypt the context's 'y' vector under the established key
|
|
if ((ret = aes_cipher(&ctx->aes_ctx, ctx->y, ectr)) != 0)
|
|
return(ret);
|
|
|
|
// encrypt or decrypt the input to the output
|
|
if (ctx->mode == AES_ENCRYPT)
|
|
{
|
|
for (i = 0; i < use_len; i++) {
|
|
// XOR the cipher's ouptut vector (ectr) with our input
|
|
output[i] = (uchar)(ectr[i] ^ input[i]);
|
|
// now we mix in our data into the authentication hash.
|
|
// if we're ENcrypting we XOR in the post-XOR (output)
|
|
// results, but if we're DEcrypting we XOR in the input
|
|
// data
|
|
ctx->buf[i] ^= output[i];
|
|
}
|
|
}
|
|
else
|
|
{
|
|
for (i = 0; i < use_len; i++) {
|
|
// but if we're DEcrypting we XOR in the input data first,
|
|
// i.e. before saving to ouput data, otherwise if the input
|
|
// and output buffer are the same (inplace decryption) we
|
|
// would not get the correct auth tag
|
|
|
|
ctx->buf[i] ^= input[i];
|
|
|
|
// XOR the cipher's ouptut vector (ectr) with our input
|
|
output[i] = (uchar)(ectr[i] ^ input[i]);
|
|
}
|
|
}
|
|
gcm_mult(ctx, ctx->buf, ctx->buf); // perform a GHASH operation
|
|
|
|
length -= use_len; // drop the remaining byte count to process
|
|
input += use_len; // bump our input pointer forward
|
|
output += use_len; // bump our output pointer forward
|
|
}
|
|
return(0);
|
|
}
|
|
|
|
/******************************************************************************
|
|
*
|
|
* GCM_FINISH
|
|
*
|
|
* This is called once after all calls to GCM_UPDATE to finalize the GCM.
|
|
* It performs the final GHASH to produce the resulting authentication TAG.
|
|
*
|
|
******************************************************************************/
|
|
int gcm_finish(gcm_context *ctx, // pointer to user-provided GCM context
|
|
uchar *tag, // pointer to buffer which receives the tag
|
|
size_t tag_len) // length, in bytes, of the tag-receiving buf
|
|
{
|
|
uchar work_buf[16];
|
|
uint64_t orig_len = ctx->len * 8;
|
|
uint64_t orig_add_len = ctx->add_len * 8;
|
|
size_t i;
|
|
|
|
if (tag_len != 0) memcpy(tag, ctx->base_ectr, tag_len);
|
|
|
|
if (orig_len || orig_add_len) {
|
|
memset(work_buf, 0x00, 16);
|
|
|
|
PUT_UINT32_BE((orig_add_len >> 32), work_buf, 0);
|
|
PUT_UINT32_BE((orig_add_len), work_buf, 4);
|
|
PUT_UINT32_BE((orig_len >> 32), work_buf, 8);
|
|
PUT_UINT32_BE((orig_len), work_buf, 12);
|
|
|
|
for (i = 0; i < 16; i++) ctx->buf[i] ^= work_buf[i];
|
|
gcm_mult(ctx, ctx->buf, ctx->buf);
|
|
for (i = 0; i < tag_len; i++) tag[i] ^= ctx->buf[i];
|
|
}
|
|
return(0);
|
|
}
|
|
|
|
|
|
/******************************************************************************
|
|
*
|
|
* GCM_CRYPT_AND_TAG
|
|
*
|
|
* This either encrypts or decrypts the user-provided data and, either
|
|
* way, generates an authentication tag of the requested length. It must be
|
|
* called with a GCM context whose key has already been set with GCM_SETKEY.
|
|
*
|
|
* The user would typically call this explicitly to ENCRYPT a buffer of data
|
|
* and optional associated data, and produce its an authentication tag.
|
|
*
|
|
* To reverse the process the user would typically call the companion
|
|
* GCM_AUTH_DECRYPT function to decrypt data and verify a user-provided
|
|
* authentication tag. The GCM_AUTH_DECRYPT function calls this function
|
|
* to perform its decryption and tag generation, which it then compares.
|
|
*
|
|
******************************************************************************/
|
|
int gcm_crypt_and_tag(
|
|
gcm_context *ctx, // gcm context with key already setup
|
|
int mode, // cipher direction: GCM_ENCRYPT or GCM_DECRYPT
|
|
const uchar *iv, // pointer to the 12-byte initialization vector
|
|
size_t iv_len, // byte length if the IV. should always be 12
|
|
const uchar *add, // pointer to the non-ciphered additional data
|
|
size_t add_len, // byte length of the additional AEAD data
|
|
const uchar *input, // pointer to the cipher data source
|
|
uchar *output, // pointer to the cipher data destination
|
|
size_t length, // byte length of the cipher data
|
|
uchar *tag, // pointer to the tag to be generated
|
|
size_t tag_len) // byte length of the tag to be generated
|
|
{ /*
|
|
assuming that the caller has already invoked gcm_setkey to
|
|
prepare the gcm context with the keying material, we simply
|
|
invoke each of the three GCM sub-functions in turn...
|
|
*/
|
|
gcm_start(ctx, mode, iv, iv_len, add, add_len);
|
|
gcm_update(ctx, length, input, output);
|
|
gcm_finish(ctx, tag, tag_len);
|
|
return(0);
|
|
}
|
|
|
|
|
|
/******************************************************************************
|
|
*
|
|
* GCM_AUTH_DECRYPT
|
|
*
|
|
* This DECRYPTS a user-provided data buffer with optional associated data.
|
|
* It then verifies a user-supplied authentication tag against the tag just
|
|
* re-created during decryption to verify that the data has not been altered.
|
|
*
|
|
* This function calls GCM_CRYPT_AND_TAG (above) to perform the decryption
|
|
* and authentication tag generation.
|
|
*
|
|
******************************************************************************/
|
|
int gcm_auth_decrypt(
|
|
gcm_context *ctx, // gcm context with key already setup
|
|
const uchar *iv, // pointer to the 12-byte initialization vector
|
|
size_t iv_len, // byte length if the IV. should always be 12
|
|
const uchar *add, // pointer to the non-ciphered additional data
|
|
size_t add_len, // byte length of the additional AEAD data
|
|
const uchar *input, // pointer to the cipher data source
|
|
uchar *output, // pointer to the cipher data destination
|
|
size_t length, // byte length of the cipher data
|
|
const uchar *tag, // pointer to the tag to be authenticated
|
|
size_t tag_len) // byte length of the tag <= 16
|
|
{
|
|
uchar check_tag[16]; // the tag generated and returned by decryption
|
|
int diff; // an ORed flag to detect authentication errors
|
|
size_t i; // our local iterator
|
|
/*
|
|
we use GCM_DECRYPT_AND_TAG (above) to perform our decryption
|
|
(which is an identical XORing to reverse the previous one)
|
|
and also to re-generate the matching authentication tag
|
|
*/
|
|
gcm_crypt_and_tag(ctx, AES_DECRYPT, iv, iv_len, add, add_len,
|
|
input, output, length, check_tag, tag_len);
|
|
|
|
// now we verify the authentication tag in 'constant time'
|
|
for (diff = 0, i = 0; i < tag_len; i++)
|
|
diff |= tag[i] ^ check_tag[i];
|
|
|
|
if (diff != 0) { // see whether any bits differed?
|
|
memset(output, 0, length); // if so... wipe the output data
|
|
return(GCM_AUTH_FAILURE); // return GCM_AUTH_FAILURE
|
|
}
|
|
return(0);
|
|
}
|
|
|
|
/******************************************************************************
|
|
*
|
|
* GCM_ZERO_CTX
|
|
*
|
|
* The GCM context contains both the GCM context and the AES context.
|
|
* This includes keying and key-related material which is security-
|
|
* sensitive, so it MUST be zeroed after use. This function does that.
|
|
*
|
|
******************************************************************************/
|
|
void gcm_zero_ctx(gcm_context *ctx)
|
|
{
|
|
// zero the context originally provided to us
|
|
memset(ctx, 0, sizeof(gcm_context));
|
|
}
|