gcm.hpp
Go to the documentation of this file.
1 //---------------------------------------------------------------------------//
2 // Copyright (c) 2019 Mikhail Komarov <nemo@nil.foundation>
3 //
4 // MIT License
5 //
6 // Permission is hereby granted, free of charge, to any person obtaining a copy
7 // of this software and associated documentation files (the "Software"), to deal
8 // in the Software without restriction, including without limitation the rights
9 // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 // copies of the Software, and to permit persons to whom the Software is
11 // furnished to do so, subject to the following conditions:
12 //
13 // The above copyright notice and this permission notice shall be included in all
14 // copies or substantial portions of the Software.
15 //
16 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22 // SOFTWARE.
23 //---------------------------------------------------------------------------//
24 
25 #ifndef CRYPTO3_MODE_AEAD_GCM_HPP
26 #define CRYPTO3_MODE_AEAD_GCM_HPP
27 
28 #include <nil/crypto3/modes/aead/aead.hpp>
29 
30 #include <nil/crypto3/hash/ghash.hpp>
31 
32 namespace nil {
33  namespace crypto3 {
34  namespace hashes {
35  struct ghash;
36  }
37  namespace stream {
38  template<typename BlockCipher>
39  class ctr;
40  }
41  namespace block {
42  namespace modes {
43  namespace detail {
44  template<typename Cipher, std::size_t TagBits, typename Padding, typename StreamCipher,
45  typename Hash, template<typename> class Allocator>
46  struct gcm_policy {
47  typedef Cipher cipher_type;
48  typedef Padding padding_type;
49  typedef StreamCipher stream_cipher_type;
50  typedef Hash hash_type;
51 
52  template<typename T>
53  using allocator_type = Allocator<T>;
54 
55  constexpr static const std::size_t tag_bits = TagBits;
56 
57  BOOST_STATIC_ASSERT(tag_bits >= 12 * CHAR_BIT && tag_bits <= 16 * CHAR_BIT);
58 
59  constexpr static const std::size_t block_bits = cipher_type::block_bits;
60  constexpr static const std::size_t block_words = cipher_type::block_words;
61  typedef typename cipher_type::block_type block_type;
62 
63  BOOST_STATIC_ASSERT(block_bits == 128);
64 
65  typedef std::vector<boost::uint_t<CHAR_BIT>, allocator_type<boost::uint_t<CHAR_BIT>>>
66  associated_data_type;
67  typedef std::vector<boost::uint_t<CHAR_BIT>, allocator_type<boost::uint_t<CHAR_BIT>>>
68  nonce_type;
69 
70  inline static block_type begin_message(const cipher_type &cipher, const block_type &plaintext) {
71  block_type block = {0};
72 
73  // any size is valid for GCM nonce
74 
75  secure_vector<uint8_t> y0(GCM_BS);
76 
77  if (nonce_len == 12) {
78  copy_mem(y0.data(), nonce, nonce_len);
79  y0[15] = 1;
80  } else {
81  y0 = m_ghash->nonce_hash(nonce, nonce_len);
82  }
83 
84  m_ctr->set_iv(y0.data(), y0.size());
85 
86  zeroise(y0);
87  m_ctr->encipher(y0);
88 
89  m_ghash->start(y0.data(), y0.size());
90 
91  return cipher.encrypt(block);
92  }
93  };
94 
95  template<typename Cipher, std::size_t TagBits, typename Padding, typename StreamCipher,
96  typename Hash, template<typename> class Allocator>
97  class gcm_encryption_policy
98  : public gcm_policy<Cipher, TagBits, Padding, StreamCipher, Hash, Allocator> {
99  typedef gcm_policy<Cipher, TagBits, Padding, StreamCipher, Hash, Allocator> policy_type;
100 
101  public:
102  typedef typename policy_type::cipher_type cipher_type;
103  typedef typename policy_type::padding_type padding_type;
104  typedef typename policy_type::stream_cipher_type stream_cipher_type;
105  typedef typename policy_type::hash_type hash_type;
106 
107  typedef typename policy_type::associated_data_type associated_data_type;
108  typedef typename policy_type::nonce_type nonce_type;
109 
110  constexpr static const std::size_t tag_bits = policy_type::tag_bits;
111 
112  constexpr static const std::size_t block_bits = policy_type::block_bits;
113  constexpr static const std::size_t block_words = policy_type::block_words;
114  typedef typename policy_type::block_type block_type;
115 
116  inline static block_type begin_message(const cipher_type &cipher, const block_type &plaintext) {
117  return policy_type::begin_message(cipher, plaintext);
118  }
119 
120  inline static block_type process_block(const cipher_type &cipher, const block_type &plaintext) {
121  block_type block = {0};
122 
123  CRYPTO3_ARG_CHECK(sz % update_granularity() == 0);
124  m_ctr->cipher(buf, buf, sz);
125  m_ghash->update(buf, sz);
126 
127  return cipher.encrypt(block);
128  }
129 
130  inline static block_type end_message(const cipher_type &cipher, const block_type &plaintext) {
131  block_type result = {0};
132 
133  CRYPTO3_ARG_CHECK(offset <= buffer.size());
134  const size_t sz = buffer.size() - offset;
135  uint8_t *buf = buffer.data() + offset;
136 
137  m_ctr->cipher(buf, buf, sz);
138  m_ghash->update(buf, sz);
139  auto mac = m_ghash->final();
140  buffer += std::make_pair(mac.data(), tag_size());
141 
142  return result;
143  }
144  };
145 
146  template<typename Cipher, std::size_t TagBits, typename Padding, typename StreamCipher,
147  typename Hash, template<typename> class Allocator>
148  struct gcm_decryption_policy
149  : public gcm_policy<Cipher, TagBits, Padding, StreamCipher, Hash, Allocator> {
150  typedef gcm_policy<Cipher, TagBits, Padding, StreamCipher, Hash, Allocator> policy_type;
151 
152  public:
153  typedef typename policy_type::cipher_type cipher_type;
154  typedef typename policy_type::padding_type padding_type;
155  typedef typename policy_type::stream_cipher_type stream_cipher_type;
156  typedef typename policy_type::hash_type hash_type;
157 
158  typedef typename policy_type::associated_data_type associated_data_type;
159  typedef typename policy_type::nonce_type nonce_type;
160 
161  constexpr static const std::size_t tag_bits = policy_type::tag_bits;
162 
163  constexpr static const std::size_t block_bits = policy_type::block_bits;
164  constexpr static const std::size_t block_words = policy_type::block_words;
165  typedef typename policy_type::block_type block_type;
166 
167  inline static block_type begin_message(const cipher_type &cipher, const block_type &plaintext) {
168  return policy_type::begin_message(cipher, plaintext);
169  }
170 
171  inline static block_type process_block(const cipher_type &cipher, const block_type &plaintext) {
172  block_type block = {0};
173 
174  CRYPTO3_ARG_CHECK(sz % update_granularity() == 0);
175  m_ghash->update(buf, sz);
176  m_ctr->cipher(buf, buf, sz);
177 
178  return cipher.encrypt(block);
179  }
180 
181  inline static block_type end_message(const cipher_type &cipher, const block_type &plaintext) {
182  block_type result = {0};
183 
184  CRYPTO3_ARG_CHECK(offset <= buffer.size());
185  const size_t sz = buffer.size() - offset;
186  uint8_t *buf = buffer.data() + offset;
187 
188  if (sz < tag_size()) {
189  throw Exception("Insufficient input for GCM decryption, tag missing");
190  }
191 
192  const size_t remaining = sz - tag_size();
193 
194  // handle any final input before the tag
195  if (remaining) {
196  m_ghash->update(buf, remaining);
197  m_ctr->cipher(buf, buf, remaining);
198  }
199 
200  auto mac = m_ghash->final();
201 
202  const uint8_t *included_tag = &buffer[remaining + offset];
203 
204  if (!constant_time_compare(mac.data(), included_tag, tag_size())) {
205  throw integrity_failure("GCM tag check failed");
206  }
207 
208  buffer.resize(offset + remaining);
209 
210  return result;
211  }
212  };
213 
214  template<typename Policy>
215  class gcm {
216  typedef Policy policy_type;
217 
218  public:
219  typedef typename policy_type::cipher_type cipher_type;
220  typedef typename policy_type::padding_type padding_type;
221 
222  typedef typename cipher_type::key_type key_type;
223  typedef typename policy_type::associated_data_type associated_data_type;
224  typedef typename policy_type::nonce_type nonce_type;
225 
226  constexpr static const std::size_t block_bits = policy_type::block_bits;
227  constexpr static const std::size_t block_words = policy_type::block_words;
228  typedef typename cipher_type::block_type block_type;
229 
230  template<typename AssociatedDataContainer>
231  gcm(const cipher_type &cipher, const AssociatedDataContainer &associated_data) :
232  cipher(cipher) {
233  schedule_associated_data(associated_data);
234  }
235 
236  template<typename AssociatedDataContainer>
237  gcm(const key_type &key, const AssociatedDataContainer &associated_data) : cipher(key) {
238 
239  m_ctr->set_key(key, keylen);
240 
241  const std::vector<uint8_t> zeros(GCM_BS);
242  m_ctr->set_iv(zeros.data(), zeros.size());
243 
244  secure_vector<uint8_t> H(GCM_BS);
245  m_ctr->encipher(H);
246  m_ghash->set_key(H);
247 
248  schedule_associated_data(associated_data);
249  }
250 
251  inline block_type begin_message(const block_type &plaintext) {
252  return policy_type::begin_message(cipher, plaintext, ad);
253  }
254 
255  inline block_type process_block(const block_type &plaintext) {
256  return policy_type::process_block(cipher, plaintext, ad);
257  }
258 
259  inline block_type end_message(const block_type &plaintext) {
260  return policy_type::end_message(cipher, plaintext, ad);
261  }
262 
263  inline static std::size_t required_output_size(std::size_t inputlen) {
264  return padding_type::required_output_size(inputlen);
265  }
266 
267  protected:
268  template<typename AssociatedDataContainer>
269  inline void schedule_associated_data(const AssociatedDataContainer &iad) {
270  m_ghash->set_associated_data(ad, ad_len);
271  }
272 
273  associated_data_type ad;
274  nonce_type nonce;
275 
276  cipher_type cipher;
277  };
278  } // namespace detail
279 
288  template<typename BlockCipher, template<typename> class Padding, std::size_t TagBits = 16,
289 
290  typename Hash = hashes::ghash, typename StreamCipher = stream::ctr<BlockCipher>,
291  template<typename> class Allocator = std::allocator>
292  struct gcm {
293  typedef BlockCipher cipher_type;
294  typedef Padding<BlockCipher> padding_type;
295  typedef StreamCipher stream_cipher_type;
296  typedef Hash hash_type;
297 
298  template<typename T>
299  using allocator_type = Allocator<T>;
300 
301  typedef detail::gcm_encryption_policy<cipher_type, TagBits, padding_type, stream_cipher_type,
302  hash_type, allocator_type>
303  encryption_policy;
304  typedef detail::gcm_decryption_policy<cipher_type, TagBits, padding_type, stream_cipher_type,
305  hash_type, allocator_type>
306  decryption_policy;
307 
308  template<template<typename, std::size_t, typename, typename, typename, template<typename> class>
309  class Policy>
310  struct bind {
311  typedef detail::gcm<
312  Policy<cipher_type, TagBits, padding_type, stream_cipher_type, hash_type, allocator_type>>
313  type;
314  };
315  };
316  } // namespace modes
317  } // namespace block
318  } // namespace crypto3
319 } // namespace nil
320 
321 #endif
nil::crypto3::block::modes::detail::gcm_encryption_policy
Definition: gcm.hpp:98
nil::crypto3::block::modes::detail::gcm_encryption_policy::stream_cipher_type
policy_type::stream_cipher_type stream_cipher_type
Definition: gcm.hpp:104
nil::crypto3::block::modes::detail::gcm_encryption_policy::block_words
constexpr static const std::size_t block_words
Definition: gcm.hpp:113
nil::crypto3::block::modes::detail::gcm_encryption_policy::block_type
policy_type::block_type block_type
Definition: gcm.hpp:114
nil::crypto3::block::modes::detail::gcm_encryption_policy::tag_bits
constexpr static const std::size_t tag_bits
Definition: gcm.hpp:110
nil::crypto3::block::modes::detail::gcm_encryption_policy::associated_data_type
policy_type::associated_data_type associated_data_type
Definition: gcm.hpp:107
nil::crypto3::block::modes::detail::gcm_encryption_policy::nonce_type
policy_type::nonce_type nonce_type
Definition: gcm.hpp:108
nil::crypto3::block::modes::detail::gcm_encryption_policy::begin_message
static block_type begin_message(const cipher_type &cipher, const block_type &plaintext)
Definition: gcm.hpp:116
nil::crypto3::block::modes::detail::gcm_encryption_policy::padding_type
policy_type::padding_type padding_type
Definition: gcm.hpp:103
nil::crypto3::block::modes::detail::gcm_encryption_policy::end_message
static block_type end_message(const cipher_type &cipher, const block_type &plaintext)
Definition: gcm.hpp:130
nil::crypto3::block::modes::detail::gcm_encryption_policy::block_bits
constexpr static const std::size_t block_bits
Definition: gcm.hpp:112
nil::crypto3::block::modes::detail::gcm_encryption_policy::hash_type
policy_type::hash_type hash_type
Definition: gcm.hpp:105
nil::crypto3::block::modes::detail::gcm_encryption_policy::cipher_type
policy_type::cipher_type cipher_type
Definition: gcm.hpp:102
nil::crypto3::block::modes::detail::gcm_encryption_policy::process_block
static block_type process_block(const cipher_type &cipher, const block_type &plaintext)
Definition: gcm.hpp:120
nil::crypto3::block::modes::detail::gcm::block_words
constexpr static const std::size_t block_words
Definition: gcm.hpp:227
nil::crypto3::block::modes::detail::gcm::process_block
block_type process_block(const block_type &plaintext)
Definition: gcm.hpp:255
nil::crypto3::block::modes::detail::gcm::block_type
cipher_type::block_type block_type
Definition: gcm.hpp:228
nil::crypto3::block::modes::detail::gcm::required_output_size
static std::size_t required_output_size(std::size_t inputlen)
Definition: gcm.hpp:263
nil::crypto3::block::modes::detail::gcm::end_message
block_type end_message(const block_type &plaintext)
Definition: gcm.hpp:259
nil::crypto3::block::modes::detail::gcm::nonce
nonce_type nonce
Definition: gcm.hpp:274
nil::crypto3::block::modes::detail::gcm::cipher_type
policy_type::cipher_type cipher_type
Definition: gcm.hpp:219
nil::crypto3::block::modes::detail::gcm::ad
associated_data_type ad
Definition: gcm.hpp:273
nil::crypto3::block::modes::detail::gcm::schedule_associated_data
void schedule_associated_data(const AssociatedDataContainer &iad)
Definition: gcm.hpp:269
nil::crypto3::block::modes::detail::gcm::padding_type
policy_type::padding_type padding_type
Definition: gcm.hpp:220
nil::crypto3::block::modes::detail::gcm::block_bits
constexpr static const std::size_t block_bits
Definition: gcm.hpp:226
nil::crypto3::block::modes::detail::gcm::nonce_type
policy_type::nonce_type nonce_type
Definition: gcm.hpp:224
nil::crypto3::block::modes::detail::gcm::key_type
cipher_type::key_type key_type
Definition: gcm.hpp:222
nil::crypto3::block::modes::detail::gcm::gcm
gcm(const cipher_type &cipher, const AssociatedDataContainer &associated_data)
Definition: gcm.hpp:231
nil::crypto3::block::modes::detail::gcm::begin_message
block_type begin_message(const block_type &plaintext)
Definition: gcm.hpp:251
nil::crypto3::block::modes::detail::gcm::cipher
cipher_type cipher
Definition: gcm.hpp:276
nil::crypto3::block::modes::detail::gcm::gcm
gcm(const key_type &key, const AssociatedDataContainer &associated_data)
Definition: gcm.hpp:237
nil::crypto3::block::modes::detail::gcm::associated_data_type
policy_type::associated_data_type associated_data_type
Definition: gcm.hpp:223
nil::crypto3::stream::ctr
Definition: eax.hpp:39
nil::crypto3::block::modes::ctr
counter< Cipher, Padding, CiphertextStealingMode > ctr
Definition: ctr.hpp:531
nil::crypto3::accumulators::extract::mac
boost::mpl::apply< AccumulatorSet, tag::mac< ProcessingPolicy > >::type::result_type mac(const AccumulatorSet &acc)
Definition: accumulators/mac.hpp:99
nil::crypto3::accumulators::extract::block
boost::mpl::apply< AccumulatorSet, tag::block< Mode > >::type::result_type block(const AccumulatorSet &acc)
Definition: accumulators/block.hpp:259
nil::crypto3::accumulators::extract::stream
boost::mpl::apply< AccumulatorSet, tag::stream< Mode > >::type::result_type stream(const AccumulatorSet &acc)
Definition: accumulators/stream.hpp:175
nil::crypto3::mac::BlockCipher
boost::accumulators::accumulator_set< mac::digest< MessageAuthenticationCode::input_block_bits >, boost::accumulators::features< accumulators::tag::mac< MessageAuthenticationCode > >> BlockCipher
Definition: cbc_mac_state.hpp:40
nil::crypto3::constant_time_compare
bool constant_time_compare(const uint8_t x[], const uint8_t y[], size_t len)
Definition: memory_operations.hpp:143
nil::crypto3::copy_mem
void copy_mem(T *out, const T *in, size_t n)
Definition: memory_operations.hpp:186
nil
Definition: pair.hpp:31
nil::crypto3::block::cipher
Definition: cipher.hpp:38
nil::crypto3::block::modes::detail::gcm_decryption_policy
Definition: gcm.hpp:149
nil::crypto3::block::modes::detail::gcm_decryption_policy::hash_type
policy_type::hash_type hash_type
Definition: gcm.hpp:156
nil::crypto3::block::modes::detail::gcm_decryption_policy::associated_data_type
policy_type::associated_data_type associated_data_type
Definition: gcm.hpp:158
nil::crypto3::block::modes::detail::gcm_decryption_policy::tag_bits
constexpr static const std::size_t tag_bits
Definition: gcm.hpp:161
nil::crypto3::block::modes::detail::gcm_decryption_policy::nonce_type
policy_type::nonce_type nonce_type
Definition: gcm.hpp:159
nil::crypto3::block::modes::detail::gcm_decryption_policy::cipher_type
policy_type::cipher_type cipher_type
Definition: gcm.hpp:153
nil::crypto3::block::modes::detail::gcm_decryption_policy::block_bits
constexpr static const std::size_t block_bits
Definition: gcm.hpp:163
nil::crypto3::block::modes::detail::gcm_decryption_policy::end_message
static block_type end_message(const cipher_type &cipher, const block_type &plaintext)
Definition: gcm.hpp:181
nil::crypto3::block::modes::detail::gcm_decryption_policy::policy_type
gcm_policy< Cipher, TagBits, Padding, StreamCipher, Hash, Allocator > policy_type
Definition: gcm.hpp:150
nil::crypto3::block::modes::detail::gcm_decryption_policy::process_block
static block_type process_block(const cipher_type &cipher, const block_type &plaintext)
Definition: gcm.hpp:171
nil::crypto3::block::modes::detail::gcm_decryption_policy::block_words
constexpr static const std::size_t block_words
Definition: gcm.hpp:164
nil::crypto3::block::modes::detail::gcm_decryption_policy::block_type
policy_type::block_type block_type
Definition: gcm.hpp:165
nil::crypto3::block::modes::detail::gcm_decryption_policy::padding_type
policy_type::padding_type padding_type
Definition: gcm.hpp:154
nil::crypto3::block::modes::detail::gcm_decryption_policy::stream_cipher_type
policy_type::stream_cipher_type stream_cipher_type
Definition: gcm.hpp:155
nil::crypto3::block::modes::detail::gcm_decryption_policy::begin_message
static block_type begin_message(const cipher_type &cipher, const block_type &plaintext)
Definition: gcm.hpp:167
nil::crypto3::block::modes::detail::gcm_policy
Definition: gcm.hpp:46
nil::crypto3::block::modes::detail::gcm_policy::BOOST_STATIC_ASSERT
BOOST_STATIC_ASSERT(tag_bits >=12 *CHAR_BIT &&tag_bits<=16 *CHAR_BIT)
nil::crypto3::block::modes::detail::gcm_policy::cipher_type
Cipher cipher_type
Definition: gcm.hpp:47
nil::crypto3::block::modes::detail::gcm_policy::BOOST_STATIC_ASSERT
BOOST_STATIC_ASSERT(block_bits==128)
nil::crypto3::block::modes::detail::gcm_policy::nonce_type
std::vector< boost::uint_t< CHAR_BIT >, allocator_type< boost::uint_t< CHAR_BIT > > > nonce_type
Definition: gcm.hpp:68
nil::crypto3::block::modes::detail::gcm_policy::hash_type
Hash hash_type
Definition: gcm.hpp:50
nil::crypto3::block::modes::detail::gcm_policy::block_words
constexpr static const std::size_t block_words
Definition: gcm.hpp:60
nil::crypto3::block::modes::detail::gcm_policy::stream_cipher_type
StreamCipher stream_cipher_type
Definition: gcm.hpp:49
nil::crypto3::block::modes::detail::gcm_policy::padding_type
Padding padding_type
Definition: gcm.hpp:48
nil::crypto3::block::modes::detail::gcm_policy::block_type
cipher_type::block_type block_type
Definition: gcm.hpp:61
nil::crypto3::block::modes::detail::gcm_policy::begin_message
static block_type begin_message(const cipher_type &cipher, const block_type &plaintext)
Definition: gcm.hpp:70
nil::crypto3::block::modes::detail::gcm_policy::block_bits
constexpr static const std::size_t block_bits
Definition: gcm.hpp:59
nil::crypto3::block::modes::detail::gcm_policy::associated_data_type
std::vector< boost::uint_t< CHAR_BIT >, allocator_type< boost::uint_t< CHAR_BIT > > > associated_data_type
Definition: gcm.hpp:66
nil::crypto3::block::modes::detail::gcm_policy::allocator_type
Allocator< T > allocator_type
Definition: gcm.hpp:53
nil::crypto3::block::modes::detail::gcm_policy::tag_bits
constexpr static const std::size_t tag_bits
Definition: gcm.hpp:55
nil::crypto3::block::modes::gcm::bind::type
detail::gcm< Policy< cipher_type, TagBits, padding_type, stream_cipher_type, hash_type, allocator_type > > type
Definition: gcm.hpp:313
nil::crypto3::block::modes::gcm
Galois/Counter Mode.
Definition: gcm.hpp:292
nil::crypto3::block::modes::gcm::hash_type
Hash hash_type
Definition: gcm.hpp:296
nil::crypto3::block::modes::gcm::decryption_policy
detail::gcm_decryption_policy< cipher_type, TagBits, padding_type, stream_cipher_type, hash_type, allocator_type > decryption_policy
Definition: gcm.hpp:306
nil::crypto3::block::modes::gcm::padding_type
Padding< BlockCipher > padding_type
Definition: gcm.hpp:294
nil::crypto3::block::modes::gcm::encryption_policy
detail::gcm_encryption_policy< cipher_type, TagBits, padding_type, stream_cipher_type, hash_type, allocator_type > encryption_policy
Definition: gcm.hpp:303
nil::crypto3::block::modes::gcm::allocator_type
Allocator< T > allocator_type
Definition: gcm.hpp:299
nil::crypto3::block::modes::gcm::cipher_type
BlockCipher cipher_type
Definition: gcm.hpp:293
nil::crypto3::block::modes::gcm::stream_cipher_type
StreamCipher stream_cipher_type
Definition: gcm.hpp:295