commit
bd5d53f50e
@ -0,0 +1 @@
|
||||
*.o
|
@ -0,0 +1,18 @@
|
||||
.PHONY: test
|
||||
test: gcc
|
||||
# All three ways of building this must work
|
||||
go build
|
||||
go build -tags without_openssl
|
||||
CGO_ENABLED=0 go build -tags without_openssl
|
||||
# Likewise, all three ways of testing this must work
|
||||
go test -v
|
||||
go test -v -tags without_openssl
|
||||
CGO_ENABLED=0 go test -v -tags without_openssl
|
||||
|
||||
.PHONY: gcc
|
||||
gcc:
|
||||
gcc -Wall -Wextra -Wformat-security -Wconversion -lcrypto -c *.c
|
||||
|
||||
.PHONY: format
|
||||
format:
|
||||
clang-format --style=WebKit -i *.c *.h
|
@ -0,0 +1,54 @@
|
||||
// +build !without_openssl
|
||||
|
||||
package stupidgcm
|
||||
|
||||
import (
|
||||
"crypto/cipher"
|
||||
"log"
|
||||
|
||||
"golang.org/x/crypto/chacha20poly1305"
|
||||
)
|
||||
|
||||
/*
|
||||
#include <openssl/evp.h>
|
||||
*/
|
||||
import "C"
|
||||
|
||||
type stupidChacha20poly1305 struct {
|
||||
stupidAEADCommon
|
||||
}
|
||||
|
||||
// Verify that we satisfy the cipher.AEAD interface
|
||||
var _ cipher.AEAD = &stupidChacha20poly1305{}
|
||||
|
||||
// _EVP_chacha20_poly1305 caches C.EVP_chacha20_poly1305() to avoid the Cgo call
|
||||
// overhead for each instantiation of NewChacha20poly1305.
|
||||
var _EVP_chacha20_poly1305 *C.EVP_CIPHER
|
||||
|
||||
func init() {
|
||||
_EVP_chacha20_poly1305 = C.EVP_chacha20_poly1305()
|
||||
}
|
||||
|
||||
// NewChacha20poly1305 returns a new instance of the OpenSSL ChaCha20-Poly1305 AEAD
|
||||
// cipher ( https://www.openssl.org/docs/man1.1.1/man3/EVP_chacha20_poly1305.html ).
|
||||
//
|
||||
// gocryptfs only uses ChaCha20-Poly1305 as a building block for OpenSSL
|
||||
// XChaCha20-Poly1305. This function is hot because it gets called once for each
|
||||
// block by XChaCha20-Poly1305.
|
||||
//
|
||||
// Only 32-bytes keys and 12-byte IVs are supported.
|
||||
func NewChacha20poly1305(key []byte) cipher.AEAD {
|
||||
if len(key) != chacha20poly1305.KeySize {
|
||||
log.Panicf("Only %d-byte keys are supported, you passed %d bytes", chacha20poly1305.KeySize, len(key))
|
||||
}
|
||||
// private copy
|
||||
key2 := make([]byte, chacha20poly1305.KeySize)
|
||||
copy(key2, key)
|
||||
return &stupidChacha20poly1305{
|
||||
stupidAEADCommon{
|
||||
key: key2,
|
||||
openSSLEVPCipher: _EVP_chacha20_poly1305,
|
||||
nonceSize: chacha20poly1305.NonceSize,
|
||||
},
|
||||
}
|
||||
}
|
@ -0,0 +1,70 @@
|
||||
// +build !without_openssl
|
||||
|
||||
package stupidgcm
|
||||
|
||||
import (
|
||||
"log"
|
||||
)
|
||||
|
||||
/*
|
||||
#include <openssl/evp.h>
|
||||
*/
|
||||
import "C"
|
||||
|
||||
type stupidAEADCommon struct {
|
||||
wiped bool
|
||||
key []byte
|
||||
openSSLEVPCipher *C.EVP_CIPHER
|
||||
nonceSize int
|
||||
}
|
||||
|
||||
// Overhead returns the number of bytes that are added for authentication.
|
||||
//
|
||||
// Part of the cipher.AEAD interface.
|
||||
func (c *stupidAEADCommon) Overhead() int {
|
||||
return tagLen
|
||||
}
|
||||
|
||||
// NonceSize returns the required size of the nonce / IV
|
||||
//
|
||||
// Part of the cipher.AEAD interface.
|
||||
func (c *stupidAEADCommon) NonceSize() int {
|
||||
return c.nonceSize
|
||||
}
|
||||
|
||||
// Seal encrypts "in" using "iv" and "authData" and append the result to "dst"
|
||||
//
|
||||
// Part of the cipher.AEAD interface.
|
||||
func (c *stupidAEADCommon) Seal(dst, iv, in, authData []byte) []byte {
|
||||
return openSSLSeal(c, dst, iv, in, authData)
|
||||
}
|
||||
|
||||
// Open decrypts "in" using "iv" and "authData" and append the result to "dst"
|
||||
//
|
||||
// Part of the cipher.AEAD interface.
|
||||
func (c *stupidAEADCommon) Open(dst, iv, in, authData []byte) ([]byte, error) {
|
||||
return openSSLOpen(c, dst, iv, in, authData)
|
||||
}
|
||||
|
||||
// Wipe tries to wipe the key from memory by overwriting it with zeros.
|
||||
//
|
||||
// This is not bulletproof due to possible GC copies, but
|
||||
// still raises the bar for extracting the key.
|
||||
func (c *stupidAEADCommon) Wipe() {
|
||||
key := c.key
|
||||
c.wiped = true
|
||||
c.key = nil
|
||||
for i := range key {
|
||||
key[i] = 0
|
||||
}
|
||||
}
|
||||
|
||||
func (c *stupidAEADCommon) Wiped() bool {
|
||||
if c.wiped {
|
||||
return true
|
||||
}
|
||||
if len(c.key) != keyLen {
|
||||
log.Panicf("wrong key length %d", len(c.key))
|
||||
}
|
||||
return false
|
||||
}
|
@ -0,0 +1,59 @@
|
||||
// Package stupidgcm wraps OpenSSL to provide a cipher.AEAD interface for
|
||||
// authenticated encryption algorithms.
|
||||
//
|
||||
// The supported algorithms are:
|
||||
//
|
||||
// (1) AES-GCM-256 (OpenSSL EVP_aes_256_gcm)
|
||||
//
|
||||
// (2) ChaCha20-Poly1305 (OpenSSL EVP_chacha20_poly1305)
|
||||
//
|
||||
// (3) XChaCha20-Poly1305 (OpenSSL EVP_chacha20_poly1305 + Go HChaCha20)
|
||||
//
|
||||
// The golang.org/x/crypto libraries provides implementations for all algorithms,
|
||||
// and the test suite verifies that the implementation in this package gives
|
||||
// the exact same results.
|
||||
//
|
||||
// However, OpenSSL has optimized assembly for almost all platforms, which Go
|
||||
// does not. Example for a 32-bit ARM device (Odroid XU4):
|
||||
//
|
||||
// $ gocrypts -speed
|
||||
// gocryptfs v2.1-68-gedf9d4c.stupidchacha; go-fuse v2.1.1-0.20210825171523-3ab5d95a30ae; 2021-09-04 go1.16.7 linux/arm
|
||||
// AES-GCM-256-OpenSSL 56.84 MB/s (selected in auto mode)
|
||||
// AES-GCM-256-Go 16.61 MB/s
|
||||
// AES-SIV-512-Go 16.49 MB/s
|
||||
// XChaCha20-Poly1305-Go 39.08 MB/s (use via -xchacha flag)
|
||||
// XChaCha20-Poly1305-OpenSSL 141.82 MB/s
|
||||
//
|
||||
// This package is "stupid" in the sense that it only supports a narrow set of
|
||||
// key- and iv-lengths, and panics if it does not like what you pass it.
|
||||
// See the constructor functions for which restrictions apply for each algorithm.
|
||||
// Also, it is only tested for block lengths up to 5000 bytes, because this is
|
||||
// what gocryptfs uses.
|
||||
//
|
||||
// Corrupt ciphertexts never cause a panic. Instead, ErrAuth is returned on
|
||||
// decryption.
|
||||
//
|
||||
// XChaCha20-Poly1305
|
||||
//
|
||||
// The XChaCha20-Poly1305 implementation is more complicated than the others,
|
||||
// because OpenSSL does not support XChaCha20-Poly1305 directly. Follow
|
||||
// https://github.com/openssl/openssl/issues/5523 to get notified when it is
|
||||
// accepted into OpenSSL.
|
||||
//
|
||||
// Fortunately, XChaCha20-Poly1305 is just ChaCha20-Poly1305 with some key+iv
|
||||
// mixing using HChaCha20 in front:
|
||||
//
|
||||
// key (32 bytes), iv (24 bytes)
|
||||
// |
|
||||
// v
|
||||
// HChaCha20 (provided by golang.org/x/crypto/chacha20)
|
||||
// |
|
||||
// v
|
||||
// key2 (32 bytes), iv2 (16 bytes)
|
||||
// |
|
||||
// v
|
||||
// ChaCha20-Poly1305 (OpenSSL EVP_chacha20_poly1305)
|
||||
//
|
||||
// As HChaCha20 is very fast, XChaCha20-Poly1305 gets almost the same throughput
|
||||
// as ChaCha20-Poly1305 (for 4kiB blocks).
|
||||
package stupidgcm
|
@ -0,0 +1,41 @@
|
||||
// +build !without_openssl
|
||||
|
||||
package stupidgcm
|
||||
|
||||
// #include <openssl/evp.h>
|
||||
import "C"
|
||||
|
||||
import (
|
||||
"crypto/cipher"
|
||||
"log"
|
||||
)
|
||||
|
||||
const (
|
||||
// BuiltWithoutOpenssl indicates if openssl been disabled at compile-time
|
||||
BuiltWithoutOpenssl = false
|
||||
|
||||
keyLen = 32
|
||||
ivLen = 16
|
||||
tagLen = 16
|
||||
)
|
||||
|
||||
type stupidGCM struct {
|
||||
stupidAEADCommon
|
||||
}
|
||||
|
||||
// NewAES256GCM returns a new AES-256-GCM cipher that satisfies the cipher.AEAD interface.
|
||||
//
|
||||
// Only 32-bytes keys and 16-byte IVs are supported.
|
||||
func NewAES256GCM(keyIn []byte) cipher.AEAD {
|
||||
if len(keyIn) != keyLen {
|
||||
log.Panicf("Only %d-byte keys are supported", keyLen)
|
||||
}
|
||||
return &stupidGCM{
|
||||
stupidAEADCommon{
|
||||
// Create a private copy of the key
|
||||
key: append([]byte{}, keyIn...),
|
||||
openSSLEVPCipher: C.EVP_aes_256_gcm(),
|
||||
nonceSize: ivLen,
|
||||
},
|
||||
}
|
||||
}
|
@ -0,0 +1,123 @@
|
||||
// +build !without_openssl
|
||||
|
||||
package stupidgcm
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"log"
|
||||
)
|
||||
|
||||
/*
|
||||
#include "openssl_aead.h"
|
||||
#cgo pkg-config: libcrypto
|
||||
*/
|
||||
import "C"
|
||||
|
||||
func openSSLSeal(a *stupidAEADCommon, dst, iv, in, authData []byte) []byte {
|
||||
if a.Wiped() {
|
||||
log.Panic("BUG: tried to use wiped key")
|
||||
}
|
||||
if len(iv) != a.NonceSize() {
|
||||
log.Panicf("Only %d-byte IVs are supported, you passed %d bytes", a.NonceSize(), len(iv))
|
||||
}
|
||||
|
||||
// If the "dst" slice is large enough we can use it as our output buffer
|
||||
outLen := len(in) + tagLen
|
||||
var buf []byte
|
||||
inplace := false
|
||||
if cap(dst)-len(dst) >= outLen {
|
||||
inplace = true
|
||||
buf = dst[len(dst) : len(dst)+outLen]
|
||||
} else {
|
||||
buf = make([]byte, outLen)
|
||||
}
|
||||
|
||||
res := int(C.openssl_aead_seal(a.openSSLEVPCipher,
|
||||
slicePointerOrNull(in),
|
||||
C.int(len(in)),
|
||||
(*C.uchar)(&authData[0]),
|
||||
C.int(len(authData)),
|
||||
(*C.uchar)(&a.key[0]),
|
||||
C.int(len(a.key)),
|
||||
(*C.uchar)(&iv[0]),
|
||||
C.int(len(iv)),
|
||||
(*C.uchar)(&buf[0]),
|
||||
C.int(len(buf))))
|
||||
|
||||
if res != outLen {
|
||||
log.Panicf("expected length %d, got %d", outLen, res)
|
||||
}
|
||||
|
||||
if inplace {
|
||||
return dst[:len(dst)+outLen]
|
||||
}
|
||||
return append(dst, buf...)
|
||||
}
|
||||
|
||||
func openSSLOpen(a *stupidAEADCommon, dst, iv, in, authData []byte) ([]byte, error) {
|
||||
if a.Wiped() {
|
||||
log.Panic("BUG: tried to use wiped key")
|
||||
}
|
||||
if len(iv) != a.NonceSize() {
|
||||
log.Panicf("Only %d-byte IVs are supported, you passed %d bytes", a.NonceSize(), len(iv))
|
||||
}
|
||||
if len(in) < tagLen {
|
||||
return nil, fmt.Errorf("stupidChacha20poly1305: input data too short (%d bytes)", len(in))
|
||||
}
|
||||
|
||||
// If the "dst" slice is large enough we can use it as our output buffer
|
||||
outLen := len(in) - tagLen
|
||||
var buf []byte
|
||||
inplace := false
|
||||
if cap(dst)-len(dst) >= outLen {
|
||||
inplace = true
|
||||
buf = dst[len(dst) : len(dst)+outLen]
|
||||
} else {
|
||||
buf = make([]byte, len(in)-tagLen)
|
||||
}
|
||||
|
||||
ciphertext := in[:len(in)-tagLen]
|
||||
tag := in[len(in)-tagLen:]
|
||||
|
||||
res := int(C.openssl_aead_open(a.openSSLEVPCipher,
|
||||
slicePointerOrNull(ciphertext),
|
||||
C.int(len(ciphertext)),
|
||||
(*C.uchar)(&authData[0]),
|
||||
C.int(len(authData)),
|
||||
(*C.uchar)(&tag[0]),
|
||||
C.int(len(tag)),
|
||||
(*C.uchar)(&a.key[0]),
|
||||
C.int(len(a.key)),
|
||||
(*C.uchar)(&iv[0]),
|
||||
C.int(len(iv)),
|
||||
slicePointerOrNull(buf),
|
||||
C.int(len(buf))))
|
||||
|
||||
if res < 0 {
|
||||
return nil, ErrAuth
|
||||
}
|
||||
if res != outLen {
|
||||
log.Panicf("unexpected length %d", res)
|
||||
}
|
||||
|
||||
if inplace {
|
||||
return dst[:len(dst)+outLen], nil
|
||||
}
|
||||
return append(dst, buf...), nil
|
||||
}
|
||||
|
||||
// slicePointerOrNull returns a C pointer to the beginning of the byte slice,
|
||||
// or NULL if the byte slice is empty. This is useful for slices that can be
|
||||
// empty, otherwise you can directly use "(*C.uchar)(&s[0])".
|
||||
func slicePointerOrNull(s []byte) (ptr *C.uchar) {
|
||||
if len(s) == 0 {
|
||||
return
|
||||
}
|
||||
return (*C.uchar)(&s[0])
|
||||
}
|
||||
|
||||
// This functions exists to benchmark the C call overhead from Go.
|
||||
// See BenchmarkCCall for resuts.
|
||||
func noopCFunction() {
|
||||
C.noop_c_function()
|
||||
}
|
@ -0,0 +1,185 @@
|
||||
// +build !without_openssl
|
||||
|
||||
#include "openssl_aead.h"
|
||||
#include <openssl/evp.h>
|
||||
#include <stdio.h>
|
||||
//#cgo pkg-config: libcrypto
|
||||
|
||||
static void panic(const char* const msg)
|
||||
{
|
||||
fprintf(stderr, "panic in C code: %s\n", msg);
|
||||
__builtin_trap();
|
||||
}
|
||||
|
||||
// We only support 16-byte tags
|
||||
static const int supportedTagLen = 16;
|
||||
|
||||
// https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption#Authenticated_Encryption_using_GCM_mode
|
||||
int openssl_aead_seal(
|
||||
const EVP_CIPHER* evpCipher,
|
||||
const unsigned char* const plaintext,
|
||||
const int plaintextLen,
|
||||
const unsigned char* const authData,
|
||||
const int authDataLen,
|
||||
const unsigned char* const key,
|
||||
const int keyLen,
|
||||
const unsigned char* const iv,
|
||||
const int ivLen,
|
||||
unsigned char* const ciphertext,
|
||||
const int ciphertextBufLen)
|
||||
{
|
||||
// Create scratch space "ctx"
|
||||
EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new();
|
||||
if (!ctx) {
|
||||
panic("EVP_CIPHER_CTX_new failed");
|
||||
}
|
||||
|
||||
// Set cipher
|
||||
if (EVP_EncryptInit_ex(ctx, evpCipher, NULL, NULL, NULL) != 1) {
|
||||
panic("EVP_EncryptInit_ex set cipher failed");
|
||||
}
|
||||
|
||||
// Check keyLen by trying to set it (fails if keyLen != 32)
|
||||
if (EVP_CIPHER_CTX_set_key_length(ctx, keyLen) != 1) {
|
||||
panic("keyLen mismatch");
|
||||
}
|
||||
|
||||
// Set IV length so we do not depend on the default
|
||||
if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivLen, NULL) != 1) {
|
||||
panic("EVP_CTRL_AEAD_SET_IVLEN failed");
|
||||
}
|
||||
|
||||
// Set key and IV
|
||||
if (EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv) != 1) {
|
||||
panic("EVP_EncryptInit_ex set key & iv failed");
|
||||
}
|
||||
|
||||
// Provide authentication data
|
||||
int outLen = 0;
|
||||
if (EVP_EncryptUpdate(ctx, NULL, &outLen, authData, authDataLen) != 1) {
|
||||
panic("EVP_EncryptUpdate authData failed");
|
||||
}
|
||||
if (outLen != authDataLen) {
|
||||
panic("EVP_EncryptUpdate authData: unexpected length");
|
||||
}
|
||||
|
||||
// Encrypt "plaintext" into "ciphertext"
|
||||
if (plaintextLen > ciphertextBufLen) {
|
||||
panic("plaintext overflows output buffer");
|
||||
}
|
||||
if (EVP_EncryptUpdate(ctx, ciphertext, &outLen, plaintext, plaintextLen) != 1) {
|
||||
panic("EVP_EncryptUpdate ciphertext failed");
|
||||
}
|
||||
if (outLen != plaintextLen) {
|
||||
panic("EVP_EncryptUpdate ciphertext: unexpected length");
|
||||
}
|
||||
int ciphertextLen = outLen;
|
||||
|
||||
// Finalise encryption
|
||||
// Normally ciphertext bytes may be written at this stage, but this does not occur in GCM mode
|
||||
if (EVP_EncryptFinal_ex(ctx, ciphertext + plaintextLen, &outLen) != 1) {
|
||||
panic("EVP_EncryptFinal_ex failed");
|
||||
}
|
||||
if (outLen != 0) {
|
||||
panic("EVP_EncryptFinal_ex: unexpected length");
|
||||
}
|
||||
|
||||
// Get MAC tag and append it to the ciphertext
|
||||
if (ciphertextLen + supportedTagLen > ciphertextBufLen) {
|
||||
panic("tag overflows output buffer");
|
||||
}
|
||||
if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, supportedTagLen, ciphertext + plaintextLen) != 1) {
|
||||
panic("EVP_CTRL_AEAD_GET_TAG failed");
|
||||
}
|
||||
ciphertextLen += supportedTagLen;
|
||||
|
||||
// Free scratch space
|
||||
EVP_CIPHER_CTX_free(ctx);
|
||||
|
||||
return ciphertextLen;
|
||||
}
|
||||
|
||||
int openssl_aead_open(
|
||||
const EVP_CIPHER* evpCipher,
|
||||
const unsigned char* const ciphertext,
|
||||
const int ciphertextLen,
|
||||
const unsigned char* const authData,
|
||||
const int authDataLen,
|
||||
unsigned char* const tag,
|
||||
const int tagLen,
|
||||
const unsigned char* const key,
|
||||
const int keyLen,
|
||||
const unsigned char* const iv,
|
||||
const int ivLen,
|
||||
unsigned char* const plaintext,
|
||||
const int plaintextBufLen)
|
||||
{
|
||||
// Create scratch space "ctx"
|
||||
EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new();
|
||||
if (!ctx) {
|
||||
panic("EVP_CIPHER_CTX_new failed");
|
||||
}
|
||||
|
||||
// Set cipher
|
||||
if (EVP_DecryptInit_ex(ctx, evpCipher, NULL, NULL, NULL) != 1) {
|
||||
panic("EVP_DecryptInit_ex set cipher failed");
|
||||
}
|
||||
|
||||
// Check keyLen by trying to set it (fails if keyLen != 32)
|
||||
if (EVP_CIPHER_CTX_set_key_length(ctx, keyLen) != 1) {
|
||||
panic("keyLen mismatch");
|
||||
}
|
||||
|
||||
// Set IV length so we do not depend on the default
|
||||
if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivLen, NULL) != 1) {
|
||||
panic("EVP_CTRL_AEAD_SET_IVLEN failed");
|
||||
}
|
||||
|
||||
// Set key and IV
|
||||
if (EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv) != 1) {
|
||||
panic("EVP_DecryptInit_ex set key & iv failed");
|
||||
}
|
||||
|
||||
// Provide authentication data
|
||||
int outLen = 0;
|
||||
if (EVP_DecryptUpdate(ctx, NULL, &outLen, authData, authDataLen) != 1) {
|
||||
panic("EVP_DecryptUpdate authData failed");
|
||||
}
|
||||
if (outLen != authDataLen) {
|
||||
panic("EVP_DecryptUpdate authData: unexpected length");
|
||||
}
|
||||
|
||||
// Decrypt "ciphertext" into "plaintext"
|
||||
if (ciphertextLen > plaintextBufLen) {
|
||||
panic("ciphertextLen overflows output buffer");
|
||||
}
|
||||
if (EVP_DecryptUpdate(ctx, plaintext, &outLen, ciphertext, ciphertextLen) != 1) {
|
||||
panic("EVP_DecryptUpdate failed");
|
||||
}
|
||||
int plaintextLen = outLen;
|
||||
|
||||
// Check tag
|
||||
if (tagLen != supportedTagLen) {
|
||||
panic("unsupported tag length");
|
||||
}
|
||||
if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tagLen, tag) != 1) {
|
||||
panic("EVP_CTRL_AEAD_SET_TAG failed");
|
||||
}
|
||||
if (EVP_DecryptFinal_ex(ctx, plaintext + plaintextLen, &outLen) != 1) {
|
||||
// authentication failed
|
||||
return -1;
|
||||
}
|
||||
if (outLen != 0) {
|
||||
panic("EVP_EncryptFinal_ex: unexpected length");
|
||||
}
|
||||
|
||||
/* Clean up */
|
||||
EVP_CIPHER_CTX_free(ctx);
|
||||
|
||||
return plaintextLen;
|
||||
}
|
||||
|
||||
// This functions exists to benchmark the C call overhead from Go.
|
||||
void noop_c_function(void) {
|
||||
return;
|
||||
}
|
@ -0,0 +1,31 @@
|
||||
#include <openssl/evp.h>
|
||||
|
||||
int openssl_aead_seal(
|
||||
const EVP_CIPHER* evpCipher,
|
||||
const unsigned char* const plaintext,
|
||||
const int plaintextLen,
|
||||
const unsigned char* const authData,
|
||||
const int authDataLen,
|
||||
const unsigned char* const key,
|
||||
const int keyLen,
|
||||
const unsigned char* const iv,
|
||||
const int ivLen,
|
||||
unsigned char* const ciphertext,
|
||||
const int ciphertextBufLen);
|
||||
|
||||
int openssl_aead_open(
|
||||
const EVP_CIPHER* evpCipher,
|
||||
const unsigned char* const ciphertext,
|
||||
const int ciphertextLen,
|
||||
const unsigned char* const authData,
|
||||
const int authDataLen,
|
||||
unsigned char* const tag,
|
||||
const int tagLen,
|
||||
const unsigned char* const key,
|
||||
const int keyLen,
|
||||
const unsigned char* const iv,
|
||||
const int ivLen,
|
||||
unsigned char* const plaintext,
|
||||
const int plaintextBufLen);
|
||||
|
||||
void noop_c_function(void);
|
@ -1,249 +0,0 @@
|
||||
// +build !without_openssl
|
||||
|
||||
// Package stupidgcm is a thin wrapper for OpenSSL's GCM encryption and
|
||||
// decryption functions. It only support 32-byte keys and 16-bit IVs.
|
||||
package stupidgcm
|
||||
|
||||
// #include <openssl/evp.h>
|
||||
// #cgo pkg-config: libcrypto
|
||||
import "C"
|
||||
|
||||
import (
|
||||
"crypto/cipher"
|
||||
"fmt"
|
||||
"log"
|
||||
"unsafe"
|
||||
)
|
||||
|
||||
const (
|
||||
// BuiltWithoutOpenssl indicates if openssl been disabled at compile-time
|
||||
BuiltWithoutOpenssl = false
|
||||
|
||||
keyLen = 32
|
||||
ivLen = 16
|
||||
tagLen = 16
|
||||
)
|
||||
|
||||
// StupidGCM implements the cipher.AEAD interface
|
||||
type StupidGCM struct {
|
||||
key []byte
|
||||
forceDecode bool
|
||||
}
|
||||
|
||||
// Verify that we satisfy the cipher.AEAD interface
|
||||
var _ cipher.AEAD = &StupidGCM{}
|
||||
|
||||
// New returns a new cipher.AEAD implementation..
|
||||
func New(keyIn []byte, forceDecode bool) cipher.AEAD {
|
||||
if len(keyIn) != keyLen {
|
||||
log.Panicf("Only %d-byte keys are supported", keyLen)
|
||||
}
|
||||
// Create a private copy of the key
|
||||
key := append([]byte{}, keyIn...)
|
||||
return &StupidGCM{key: key, forceDecode: forceDecode}
|
||||
}
|
||||
|
||||
// NonceSize returns the required size of the nonce / IV.
|
||||
func (g *StupidGCM) NonceSize() int {
|
||||
return ivLen
|
||||
}
|
||||
|
||||
// Overhead returns the number of bytes that are added for authentication.
|
||||
func (g *StupidGCM) Overhead() int {
|
||||
return tagLen
|
||||
}
|
||||
|
||||
// Seal encrypts "in" using "iv" and "authData" and append the result to "dst"
|
||||
func (g *StupidGCM) Seal(dst, iv, in, authData []byte) []byte {
|
||||
if len(iv) != ivLen {
|
||||
log.Panicf("Only %d-byte IVs are supported", ivLen)
|
||||
}
|
||||
if len(in) == 0 {
|
||||
log.Panic("Zero-length input data is not supported")
|
||||
}
|
||||
if len(g.key) != keyLen {
|
||||
log.Panicf("Wrong key length: %d. Key has been wiped?", len(g.key))
|
||||
}
|
||||
|
||||
// If the "dst" slice is large enough we can use it as our output buffer
|
||||
outLen := len(in) + tagLen
|
||||
var buf []byte
|
||||
inplace := false
|
||||
if cap(dst)-len(dst) >= outLen {
|
||||
inplace = true
|
||||
buf = dst[len(dst) : len(dst)+outLen]
|
||||
} else {
|
||||
buf = make([]byte, outLen)
|
||||
}
|
||||
|
||||
// https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption#Authenticated_Encryption_using_GCM_mode
|
||||
|
||||
// Create scratch space "context"
|
||||
ctx := C.EVP_CIPHER_CTX_new()
|
||||
if ctx == nil {
|
||||
log.Panic("EVP_CIPHER_CTX_new failed")
|
||||
}
|
||||
|
||||
// Set cipher to AES-256
|
||||
if C.EVP_EncryptInit_ex(ctx, C.EVP_aes_256_gcm(), nil, nil, nil) != 1 {
|
||||
log.Panic("EVP_EncryptInit_ex I failed")
|
||||
}
|
||||
|
||||
// Use 16-byte IV
|
||||
if C.EVP_CIPHER_CTX_ctrl(ctx, C.EVP_CTRL_GCM_SET_IVLEN, ivLen, nil) != 1 {
|
||||
log.Panic("EVP_CIPHER_CTX_ctrl EVP_CTRL_GCM_SET_IVLEN failed")
|
||||
}
|
||||
|
||||
// Set key and IV
|
||||
if C.EVP_EncryptInit_ex(ctx, nil, nil, (*C.uchar)(&g.key[0]), (*C.uchar)(&iv[0])) != 1 {
|
||||
log.Panic("EVP_EncryptInit_ex II failed")
|
||||
}
|
||||
|
||||
// Provide authentication data
|
||||
var resultLen C.int
|
||||
if C.EVP_EncryptUpdate(ctx, nil, &resultLen, (*C.uchar)(&authData[0]), C.int(len(authData))) != 1 {
|
||||
log.Panic("EVP_EncryptUpdate authData failed")
|
||||
}
|
||||
if int(resultLen) != len(authData) {
|
||||
log.Panicf("Unexpected length %d", resultLen)
|
||||
}
|
||||
|
||||
// Encrypt "in" into "buf"
|
||||
if C.EVP_EncryptUpdate(ctx, (*C.uchar)(&buf[0]), &resultLen, (*C.uchar)(&in[0]), C.int(len(in))) != 1 {
|
||||
log.Panic("EVP_EncryptUpdate failed")
|
||||
}
|
||||
if int(resultLen) != len(in) {
|
||||
log.Panicf("Unexpected length %d", resultLen)
|
||||
}
|
||||
|
||||
// Finalise encryption
|
||||
// Because GCM is a stream encryption, this will not write out any data.
|
||||
dummy := make([]byte, 16)
|
||||
if C.EVP_EncryptFinal_ex(ctx, (*C.uchar)(&dummy[0]), &resultLen) != 1 {
|
||||
log.Panic("EVP_EncryptFinal_ex failed")
|
||||
}
|
||||
if resultLen != 0 {
|
||||
log.Panicf("Unexpected length %d", resultLen)
|
||||
}
|
||||
|
||||
// Get GMAC tag and append it to the ciphertext in "buf"
|
||||
if C.EVP_CIPHER_CTX_ctrl(ctx, C.EVP_CTRL_GCM_GET_TAG, tagLen, (unsafe.Pointer)(&buf[len(in)])) != 1 {
|
||||
log.Panic("EVP_CIPHER_CTX_ctrl EVP_CTRL_GCM_GET_TAG failed")
|
||||
}
|
||||
|
||||
// Free scratch space
|
||||
C.EVP_CIPHER_CTX_free(ctx)
|
||||
|
||||
if inplace {
|
||||
return dst[:len(dst)+outLen]
|
||||
}
|
||||
return append(dst, buf...)
|
||||
}
|
||||
|
||||
// Open decrypts "in" using "iv" and "authData" and append the result to "dst"
|
||||
func (g *StupidGCM) Open(dst, iv, in, authData []byte) ([]byte, error) {
|
||||
if len(iv) != ivLen {
|
||||
log.Panicf("Only %d-byte IVs are supported", ivLen)
|
||||
}
|
||||
if len(g.key) != keyLen {
|
||||
log.Panicf("Wrong key length: %d. Key has been wiped?", len(g.key))
|
||||
}
|
||||
if len(in) <= tagLen {
|
||||
return nil, fmt.Errorf("stupidgcm: input data too short (%d bytes)", len(in))
|
||||
}
|
||||
|
||||
// If the "dst" slice is large enough we can use it as our output buffer
|
||||
outLen := len(in) - tagLen
|
||||
var buf []byte
|
||||
inplace := false
|
||||
if cap(dst)-len(dst) >= outLen {
|
||||
inplace = true
|
||||
buf = dst[len(dst) : len(dst)+outLen]
|
||||
} else {
|
||||
buf = make([]byte, len(in)-tagLen)
|
||||
}
|
||||
|
||||
ciphertext := in[:len(in)-tagLen]
|
||||
tag := in[len(in)-tagLen:]
|
||||
|
||||
// https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption#Authenticated_Encryption_using_GCM_mode
|
||||
|
||||
// Create scratch space "context"
|
||||
ctx := C.EVP_CIPHER_CTX_new()
|
||||
if ctx == nil {
|
||||
log.Panic("EVP_CIPHER_CTX_new failed")
|
||||
}
|
||||
|
||||
// Set cipher to AES-256
|
||||
if C.EVP_DecryptInit_ex(ctx, C.EVP_aes_256_gcm(), nil, nil, nil) != 1 {
|
||||
log.Panic("EVP_DecryptInit_ex I failed")
|
||||
}
|
||||
|
||||
// Use 16-byte IV
|
||||
if C.EVP_CIPHER_CTX_ctrl(ctx, C.EVP_CTRL_GCM_SET_IVLEN, ivLen, nil) != 1 {
|
||||
log.Panic("EVP_CIPHER_CTX_ctrl EVP_CTRL_GCM_SET_IVLEN failed")
|
||||
}
|
||||
|
||||
// Set key and IV
|
||||
if C.EVP_DecryptInit_ex(ctx, nil, nil, (*C.uchar)(&g.key[0]), (*C.uchar)(&iv[0])) != 1 {
|
||||
log.Panic("EVP_DecryptInit_ex II failed")
|
||||
}
|
||||
|
||||
// Set expected GMAC tag
|
||||
if C.EVP_CIPHER_CTX_ctrl(ctx, C.EVP_CTRL_GCM_SET_TAG, tagLen, (unsafe.Pointer)(&tag[0])) != 1 {
|
||||
log.Panic("EVP_CIPHER_CTX_ctrl failed")
|
||||
}
|
||||
|
||||
// Provide authentication data
|
||||
var resultLen C.int
|
||||
if C.EVP_DecryptUpdate(ctx, nil, &resultLen, (*C.uchar)(&authData[0]), C.int(len(authData))) != 1 {
|
||||
log.Panic("EVP_DecryptUpdate authData failed")
|
||||
}
|
||||
if int(resultLen) != len(authData) {
|
||||
log.Panicf("Unexpected length %d", resultLen)
|
||||
}
|
||||
|
||||
// Decrypt "ciphertext" into "buf"
|
||||
if C.EVP_DecryptUpdate(ctx, (*C.uchar)(&buf[0]), &resultLen, (*C.uchar)(&ciphertext[0]), C.int(len(ciphertext))) != 1 {
|
||||
log.Panic("EVP_DecryptUpdate failed")
|
||||
}
|
||||
if int(resultLen) != len(ciphertext) {
|
||||
log.Panicf("Unexpected length %d", resultLen)
|
||||
}
|
||||
|
||||
// Check GMAC
|
||||
dummy := make([]byte, 16)
|
||||
res := C.EVP_DecryptFinal_ex(ctx, (*C.uchar)(&dummy[0]), &resultLen)
|
||||
if resultLen != 0 {
|
||||
log.Panicf("Unexpected length %d", resultLen)
|
||||
}
|
||||
|
||||
// Free scratch space
|
||||
C.EVP_CIPHER_CTX_free(ctx)
|
||||
|
||||
if res != 1 {
|
||||
// The error code must always be checked by the calling function, because the decrypted buffer
|
||||
// may contain corrupted data that we are returning in case the user forced reads
|
||||
if g.forceDecode {
|
||||
return append(dst, buf...), ErrAuth
|
||||
}
|
||||
return nil, ErrAuth
|
||||
}
|
||||
|
||||
if inplace {
|
||||
return dst[:len(dst)+outLen], nil
|
||||
}
|
||||
return append(dst, buf...), nil
|
||||
}
|
||||
|
||||
// Wipe tries to wipe the AES key from memory by overwriting it with zeros
|
||||
// and setting the reference to nil.
|
||||
//
|
||||
// This is not bulletproof due to possible GC copies, but
|
||||
// still raises to bar for extracting the key.
|
||||
func (g *StupidGCM) Wipe() {
|
||||
for i := range g.key {
|
||||
g.key[i] = 0
|
||||
}
|
||||
g.key = nil
|
||||
}
|
@ -0,0 +1,117 @@
|
||||
// +build !without_openssl
|
||||
|
||||
// Copyright 2018 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
//
|
||||
// Copied from
|
||||
// https://github.com/golang/crypto/blob/32db794688a5a24a23a43f2a984cecd5b3d8da58/chacha20poly1305/xchacha20poly1305.go
|
||||
// and adapted for stupidgcm by @rfjakob.
|
||||
|
||||
package stupidgcm
|
||||
|
||||
import (
|
||||
"crypto/cipher"
|
||||
"errors"
|
||||
"log"
|
||||
|
||||
"golang.org/x/crypto/chacha20"
|
||||
"golang.org/x/crypto/chacha20poly1305"
|
||||
)
|
||||
|
||||
type stupidXchacha20poly1305 struct {
|
||||
// array instead of byte slice like
|
||||
// `struct xchacha20poly1305` in x/crypto/chacha20poly1305
|
||||
key [chacha20poly1305.KeySize]byte
|
||||
wiped bool
|
||||
}
|
||||
|
||||
// NewXchacha20poly1305 returns a XChaCha20-Poly1305 cipher that satisfied the
|
||||
// cipher.AEAD interface.
|
||||
//
|
||||
// XChaCha20-Poly1305 is a ChaCha20-Poly1305 variant that takes a longer nonce,
|
||||
// suitable to be generated randomly without risk of collisions. It should be
|
||||
// preferred when nonce uniqueness cannot be trivially ensured, or whenever
|
||||
// nonces are randomly generated.
|
||||
//
|
||||
// Only 32-bytes keys and 24-byte IVs are supported.
|
||||
func NewXchacha20poly1305(key []byte) cipher.AEAD {
|
||||
if len(key) != chacha20poly1305.KeySize {
|
||||
log.Panic("bad key length")
|
||||
}
|
||||
ret := new(stupidXchacha20poly1305)
|
||||
copy(ret.key[:], key)
|
||||
return ret
|
||||
}
|
||||
|
||||
func (*stupidXchacha20poly1305) NonceSize() int {
|
||||
return chacha20poly1305.NonceSizeX
|
||||
}
|
||||
|
||||
func (*stupidXchacha20poly1305) Overhead() int {
|
||||
return tagLen
|
||||
}
|
||||
|
||||
func (x *stupidXchacha20poly1305) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
|
||||
if x.wiped {
|
||||
log.Panic("BUG: tried to use wiped key")
|
||||
}
|
||||
if len(nonce) != chacha20poly1305.NonceSizeX {
|
||||
log.Panic("bad nonce length passed to Seal")
|
||||
}
|
||||
|
||||
// XChaCha20-Poly1305 technically supports a 64-bit counter, so there is no
|
||||
// size limit. However, since we reuse the ChaCha20-Poly1305 implementation,
|
||||
// the second half of the counter is not available. This is unlikely to be
|
||||
// an issue because the cipher.AEAD API requires the entire message to be in
|
||||
// memory, and the counter overflows at 256 GB.
|
||||
if uint64(len(plaintext)) > (1<<38)-64 {
|
||||
log.Panic("plaintext too large")
|
||||
}
|
||||
|
||||
hKey, _ := chacha20.HChaCha20(x.key[:], nonce[0:16])
|
||||
c := NewChacha20poly1305(hKey).(*stupidChacha20poly1305)
|
||||
defer c.Wipe()
|
||||
|
||||
// The first 4 bytes of the final nonce are unused counter space.
|
||||
cNonce := make([]byte, chacha20poly1305.NonceSize)
|
||||
copy(cNonce[4:12], nonce[16:24])
|
||||
|
||||
return c.Seal(dst, cNonce[:], plaintext, additionalData)
|
||||
}
|
||||
|
||||
func (x *stupidXchacha20poly1305) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
|
||||
if x.wiped {
|
||||
log.Panic("BUG: tried to use wiped key")
|
||||
}
|
||||
if len(nonce) != chacha20poly1305.NonceSizeX {
|
||||
log.Panic("bad nonce length passed to Open")
|
||||
}
|
||||
if len(ciphertext) < 16 {
|
||||
return nil, errors.New("message too short")
|
||||
}
|
||||
if uint64(len(ciphertext)) > (1<<38)-48 {
|
||||
log.Panic("ciphertext too large")
|
||||
}
|
||||
|
||||
hKey, _ := chacha20.HChaCha20(x.key[:], nonce[0:16])
|
||||
c := NewChacha20poly1305(hKey).(*stupidChacha20poly1305)
|
||||
defer c.Wipe()
|
||||
|
||||
// The first 4 bytes of the final nonce are unused counter space.
|
||||
cNonce := make([]byte, chacha20poly1305.NonceSize)
|
||||
copy(cNonce[4:12], nonce[16:24])
|
||||
|
||||
return c.Open(dst, cNonce[:], ciphertext, additionalData)
|
||||
}
|
||||
|
||||
// Wipe tries to wipe the key from memory by overwriting it with zeros.
|
||||
//
|
||||
// This is not bulletproof due to possible GC copies, but
|
||||
// still raises the bar for extracting the key.
|
||||
func (g *stupidXchacha20poly1305) Wipe() {
|
||||
g.wiped = true
|
||||
for i := range g.key {
|
||||
g.key[i] = 0
|
||||
}
|
||||
}
|
@ -1,3 +1,6 @@
|
||||
// gocryptfs is an encrypted overlay filesystem written in Go.
|
||||
// See README.md ( https://github.com/rfjakob/gocryptfs/blob/master/README.md )
|
||||
// and the official website ( https://nuetzlich.net/gocryptfs/ ) for details.
|
||||
package main
|
||||
|
||||
func main() {}
|
||||
|
Loading…
Reference in new issue