2024-03-05 09:47:49 +08:00
|
|
|
//go:build (amd64 || arm64) && !purego
|
2022-04-29 12:09:04 +08:00
|
|
|
|
|
|
|
|
package sm4
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"crypto/cipher"
|
2022-08-18 14:49:35 +08:00
|
|
|
"crypto/subtle"
|
2022-04-29 12:09:04 +08:00
|
|
|
|
2022-08-18 14:49:35 +08:00
|
|
|
"github.com/emmansun/gmsm/internal/alias"
|
2022-04-29 12:09:04 +08:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
//go:noescape
|
|
|
|
|
func gcmSm4niEnc(productTable *[256]byte, dst, src []byte, ctr, T *[16]byte, rk []uint32)
|
|
|
|
|
|
|
|
|
|
//go:noescape
|
|
|
|
|
func gcmSm4niDec(productTable *[256]byte, dst, src []byte, ctr, T *[16]byte, rk []uint32)
|
|
|
|
|
|
|
|
|
|
// Assert that sm4CipherNIGCM implements the gcmAble interface.
|
|
|
|
|
var _ gcmAble = (*sm4CipherNIGCM)(nil)
|
|
|
|
|
|
|
|
|
|
type gcmNI struct {
|
|
|
|
|
cipher *sm4CipherNI
|
|
|
|
|
nonceSize int
|
|
|
|
|
tagSize int
|
|
|
|
|
bytesProductTable [256]byte
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (g *gcmNI) NonceSize() int {
|
|
|
|
|
return g.nonceSize
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (g *gcmNI) Overhead() int {
|
|
|
|
|
return g.tagSize
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// NewGCM returns the SM4 cipher wrapped in Galois Counter Mode. This is only
|
|
|
|
|
// called by crypto/cipher.NewGCM via the gcmAble interface.
|
|
|
|
|
func (c *sm4CipherNIGCM) NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) {
|
|
|
|
|
g := &gcmNI{}
|
2024-03-27 08:38:25 +08:00
|
|
|
g.cipher = &c.sm4CipherNI
|
2022-04-29 12:09:04 +08:00
|
|
|
g.nonceSize = nonceSize
|
|
|
|
|
g.tagSize = tagSize
|
2024-03-27 08:38:25 +08:00
|
|
|
gcmSm4Init(&g.bytesProductTable, g.cipher.enc[:], INST_SM4)
|
2022-04-29 12:09:04 +08:00
|
|
|
return g, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Seal encrypts and authenticates plaintext. See the cipher.AEAD interface for
|
|
|
|
|
// details.
|
|
|
|
|
func (g *gcmNI) Seal(dst, nonce, plaintext, data []byte) []byte {
|
|
|
|
|
if len(nonce) != g.nonceSize {
|
|
|
|
|
panic("cipher: incorrect nonce length given to GCM")
|
|
|
|
|
}
|
|
|
|
|
if uint64(len(plaintext)) > ((1<<32)-2)*BlockSize {
|
|
|
|
|
panic("cipher: message too large for GCM")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var counter, tagMask [gcmBlockSize]byte
|
|
|
|
|
|
|
|
|
|
if len(nonce) == gcmStandardNonceSize {
|
|
|
|
|
// Init counter to nonce||1
|
|
|
|
|
copy(counter[:], nonce)
|
|
|
|
|
counter[gcmBlockSize-1] = 1
|
|
|
|
|
} else {
|
|
|
|
|
// Otherwise counter = GHASH(nonce)
|
|
|
|
|
gcmSm4Data(&g.bytesProductTable, nonce, &counter)
|
|
|
|
|
gcmSm4Finish(&g.bytesProductTable, &tagMask, &counter, uint64(len(nonce)), uint64(0))
|
|
|
|
|
}
|
|
|
|
|
|
2024-03-27 09:36:56 +08:00
|
|
|
encryptBlockAsm(&g.cipher.enc[0], &tagMask[0], &counter[0], INST_SM4)
|
2022-04-29 12:09:04 +08:00
|
|
|
|
|
|
|
|
var tagOut [gcmTagSize]byte
|
|
|
|
|
gcmSm4Data(&g.bytesProductTable, data, &tagOut)
|
|
|
|
|
|
2022-08-18 14:49:35 +08:00
|
|
|
ret, out := alias.SliceForAppend(dst, len(plaintext)+g.tagSize)
|
|
|
|
|
if alias.InexactOverlap(out[:len(plaintext)], plaintext) {
|
2022-04-29 12:09:04 +08:00
|
|
|
panic("cipher: invalid buffer overlap")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if len(plaintext) > 0 {
|
2024-03-27 08:38:25 +08:00
|
|
|
gcmSm4niEnc(&g.bytesProductTable, out, plaintext, &counter, &tagOut, g.cipher.enc[:])
|
2022-04-29 12:09:04 +08:00
|
|
|
}
|
|
|
|
|
gcmSm4Finish(&g.bytesProductTable, &tagMask, &tagOut, uint64(len(plaintext)), uint64(len(data)))
|
|
|
|
|
copy(out[len(plaintext):], tagOut[:])
|
|
|
|
|
|
|
|
|
|
return ret
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Open authenticates and decrypts ciphertext. See the cipher.AEAD interface
|
|
|
|
|
// for details.
|
|
|
|
|
func (g *gcmNI) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
|
|
|
|
|
if len(nonce) != g.nonceSize {
|
|
|
|
|
panic("cipher: incorrect nonce length given to GCM")
|
|
|
|
|
}
|
|
|
|
|
// Sanity check to prevent the authentication from always succeeding if an implementation
|
|
|
|
|
// leaves tagSize uninitialized, for example.
|
|
|
|
|
if g.tagSize < gcmMinimumTagSize {
|
|
|
|
|
panic("cipher: incorrect GCM tag size")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if len(ciphertext) < g.tagSize {
|
|
|
|
|
return nil, errOpen
|
|
|
|
|
}
|
|
|
|
|
if uint64(len(ciphertext)) > ((1<<32)-2)*uint64(BlockSize)+uint64(g.tagSize) {
|
|
|
|
|
return nil, errOpen
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tag := ciphertext[len(ciphertext)-g.tagSize:]
|
|
|
|
|
ciphertext = ciphertext[:len(ciphertext)-g.tagSize]
|
|
|
|
|
|
|
|
|
|
// See GCM spec, section 7.1.
|
|
|
|
|
var counter, tagMask [gcmBlockSize]byte
|
|
|
|
|
|
|
|
|
|
if len(nonce) == gcmStandardNonceSize {
|
|
|
|
|
// Init counter to nonce||1
|
|
|
|
|
copy(counter[:], nonce)
|
|
|
|
|
counter[gcmBlockSize-1] = 1
|
|
|
|
|
} else {
|
|
|
|
|
// Otherwise counter = GHASH(nonce)
|
|
|
|
|
gcmSm4Data(&g.bytesProductTable, nonce, &counter)
|
|
|
|
|
gcmSm4Finish(&g.bytesProductTable, &tagMask, &counter, uint64(len(nonce)), uint64(0))
|
|
|
|
|
}
|
|
|
|
|
|
2024-03-27 09:36:56 +08:00
|
|
|
encryptBlockAsm(&g.cipher.enc[0], &tagMask[0], &counter[0], INST_SM4)
|
2022-04-29 12:09:04 +08:00
|
|
|
|
|
|
|
|
var expectedTag [gcmTagSize]byte
|
|
|
|
|
gcmSm4Data(&g.bytesProductTable, data, &expectedTag)
|
|
|
|
|
|
2022-08-18 14:49:35 +08:00
|
|
|
ret, out := alias.SliceForAppend(dst, len(ciphertext))
|
|
|
|
|
if alias.InexactOverlap(out, ciphertext) {
|
2022-04-29 12:09:04 +08:00
|
|
|
panic("cipher: invalid buffer overlap")
|
|
|
|
|
}
|
|
|
|
|
if len(ciphertext) > 0 {
|
2024-03-27 08:38:25 +08:00
|
|
|
gcmSm4niDec(&g.bytesProductTable, out, ciphertext, &counter, &expectedTag, g.cipher.enc[:])
|
2022-04-29 12:09:04 +08:00
|
|
|
}
|
|
|
|
|
gcmSm4Finish(&g.bytesProductTable, &tagMask, &expectedTag, uint64(len(ciphertext)), uint64(len(data)))
|
|
|
|
|
|
2022-08-18 14:49:35 +08:00
|
|
|
if subtle.ConstantTimeCompare(expectedTag[:g.tagSize], tag) != 1 {
|
2022-04-29 12:09:04 +08:00
|
|
|
for i := range out {
|
|
|
|
|
out[i] = 0
|
|
|
|
|
}
|
|
|
|
|
return nil, errOpen
|
|
|
|
|
}
|
|
|
|
|
return ret, nil
|
|
|
|
|
}
|
