GCM.h 4.3 KB

  1. /*
  2. * Copyright (c) 2020, Ali Mohammad Pur <mpfard@serenityos.org>
  3. *
  4. * SPDX-License-Identifier: BSD-2-Clause
  5. */
  6. #pragma once
  7. #include <AK/Memory.h>
  8. #include <AK/OwnPtr.h>
  9. #include <AK/StringBuilder.h>
  10. #include <AK/StringView.h>
  11. #include <LibCrypto/Authentication/GHash.h>
  12. #include <LibCrypto/Cipher/Mode/CTR.h>
  13. #include <LibCrypto/Verification.h>
  14. #ifndef KERNEL
  15. # include <AK/ByteString.h>
  16. #endif
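  namespace Crypto::Cipher {

  // Counter-increment policy handed to the CTR base class.
  using IncrementFunction = IncrementInplace;

  // Galois/Counter Mode built on CTR<T>: CTR produces the ciphertext and GHash over
  // (AAD, ciphertext), masked with the encrypted first counter block, forms the tag.
  //
  // Security notes for callers:
  //  - Only the five-argument encrypt()/decrypt() overloads produce or check a tag. The
  //    overrides of the generic mode interface behave as plain CTR and give no integrity
  //    protection.
  //  - The IV is copied and incremented as a counter block; it is never run through GHash.
  //    NOTE(review): this matches the standard 96-bit-nonce construction only if callers
  //    pass the nonce followed by four zero bytes (IV_length() is 16) - confirm against callers.
  //  - Nothing in this class tracks IV reuse; a unique IV per message under a given key is
  //    the caller's responsibility.
  template<typename T>
  class GCM : public CTR<T, IncrementFunction> {
  public:
      constexpr static size_t IVSizeInBits = 128;

      virtual ~GCM() = default;

      // Forwards all arguments to the CTR base (which sets up the cipher), then derives the
      // GHash key by encrypting an all-zero block with that cipher.
      template<typename... Args>
      explicit constexpr GCM<T>(Args... args)
          : CTR<T>(args...)
      {
          static_assert(T::BlockSizeInBits == 128u, "GCM Mode is only available for 128-bit Ciphers");
          __builtin_memset(m_auth_key_storage, 0, block_size);
          typename T::BlockType key_block(m_auth_key_storage, block_size);
          this->cipher().encrypt_block(key_block, key_block);
          // m_auth_key is a view over m_auth_key_storage, so this stores the derived key there.
          key_block.bytes().copy_to(m_auth_key);

          m_ghash = Authentication::GHash(m_auth_key);
      }

  #ifndef KERNEL
      // Returns the underlying cipher's class name with "_GCM" appended.
      virtual ByteString class_name() const override
      {
          StringBuilder builder;
          builder.append(this->cipher().class_name());
          builder.append("_GCM"sv);
          return builder.to_byte_string();
      }
  #endif

      // IV length in bytes expected by this mode (IVSizeInBits / 8).
      virtual size_t IV_length() const override
      {
          return IVSizeInBits / 8;
      }

      // FIXME: This overload throws away the auth stuff, think up a better way to return more than a single bytebuffer.
      // Runs the authenticated path with empty AAD and an empty tag buffer, so the caller
      // receives ciphertext only and no tag.
      // NOTE(review): the tag destination is empty on this path; confirm that copy_to()
      // accepts a destination shorter than the block.
      virtual void encrypt(ReadonlyBytes in, Bytes& out, ReadonlyBytes ivec = {}, Bytes* = nullptr) override
      {
          VERIFY(!ivec.is_empty());

          static ByteBuffer dummy;

          encrypt(in, out, ivec, dummy, dummy);
      }

      // Unauthenticated: forwards to the tag-less encrypt() overload, so no tag is checked and
      // the output carries no integrity guarantee. Use the five-argument decrypt() whenever
      // the ciphertext comes from an untrusted source.
      virtual void decrypt(ReadonlyBytes in, Bytes& out, ReadonlyBytes ivec = {}) override
      {
          encrypt(in, out, ivec);
      }

      // Encrypts `in` into `out` and writes the authentication tag over (aad, ciphertext) to `tag`.
      // An empty `in` fills `out` with key stream instead.
      // If the IV copy cannot be allocated, this logs and returns without writing `out` or
      // `tag`; the void return gives the caller no signal, so both buffers keep their prior contents.
      void encrypt(ReadonlyBytes in, Bytes out, ReadonlyBytes iv_in, ReadonlyBytes aad, Bytes tag)
      {
          // Work on a private copy so the caller's IV is not modified by the increments below.
          auto iv_buf_result = ByteBuffer::copy(iv_in);
          if (iv_buf_result.is_error()) {
              dbgln("GCM::encrypt: Not enough memory to allocate {} bytes for IV", iv_in.size());
              return;
          }

          auto iv = iv_buf_result.value().bytes();

          // Increment the IV for block 0
          CTR<T>::increment(iv);
          typename T::BlockType block0;
          block0.overwrite(iv);
          // block0 now holds the encrypted first counter block, used below to mask the GHash output.
          this->cipher().encrypt_block(block0, block0);

          // Skip past block 0
          CTR<T>::increment(iv);

          if (in.is_empty())
              CTR<T>::key_stream(out, iv);
          else
              CTR<T>::encrypt(in, out, iv);

          // The tag covers the AAD and the ciphertext just written to `out`.
          auto auth_tag = m_ghash->process(aad, out);
          block0.apply_initialization_vector({ auth_tag.data, array_size(auth_tag.data) });
          block0.bytes().copy_to(tag);
      }

      // Verifies `tag` over (aad, in) and, only if it matches, decrypts `in` into `out`.
      // Returns Inconsistent when the IV copy cannot be allocated, when `tag` is not exactly
      // one block long (truncated tags are rejected), or when the tag does not match.
      // On Inconsistent, `out` is left untouched so unauthenticated plaintext never reaches
      // the caller's buffer.
      VerificationConsistency decrypt(ReadonlyBytes in, Bytes out, ReadonlyBytes iv_in, ReadonlyBytes aad, ReadonlyBytes tag)
      {
          // Work on a private copy so the caller's IV is not modified by the increments below.
          auto iv_buf_result = ByteBuffer::copy(iv_in);
          if (iv_buf_result.is_error())
              return VerificationConsistency::Inconsistent;

          auto iv = iv_buf_result.value().bytes();

          // Increment the IV for block 0
          CTR<T>::increment(iv);
          typename T::BlockType block0;
          block0.overwrite(iv);
          this->cipher().encrypt_block(block0, block0);

          // Skip past block 0
          CTR<T>::increment(iv);

          // Recompute the expected tag from the AAD and the received ciphertext.
          auto auth_tag = m_ghash->process(aad, in);
          block0.apply_initialization_vector({ auth_tag.data, array_size(auth_tag.data) });

          // Check the tag before producing any plaintext.
          if (block0.block_size() != tag.size() || !timing_safe_compare(block0.bytes().data(), tag.data(), tag.size()))
              return VerificationConsistency::Inconsistent;

          if (!in.is_empty())
              CTR<T>::encrypt(in, out, iv);

          return VerificationConsistency::Consistent;
      }

  private:
      static constexpr auto block_size = T::BlockType::BlockSizeInBits / 8;
      // Backing storage for the GHash key derived in the constructor.
      // NOTE(review): the defaulted destructor does not wipe this buffer.
      u8 m_auth_key_storage[block_size];
      Bytes m_auth_key { m_auth_key_storage, block_size };
      Optional<Authentication::GHash> m_ghash;
  };

  }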