22 changed files with 793 additions and 297 deletions
@ -0,0 +1,18 @@
|
||||
.PHONY: test |
||||
test: gcc |
||||
# All three ways of building this must work
|
||||
go build
|
||||
go build -tags without_openssl
|
||||
CGO_ENABLED=0 go build -tags without_openssl
|
||||
# Likewise, all three ways of testing this must work
|
||||
go test -v
|
||||
go test -v -tags without_openssl
|
||||
CGO_ENABLED=0 go test -v -tags without_openssl
|
||||
|
||||
.PHONY: gcc |
||||
gcc: |
||||
gcc -Wall -Wextra -Wformat-security -Wconversion -lcrypto -c *.c
|
||||
|
||||
.PHONY: format |
||||
format: |
||||
clang-format --style=WebKit -i *.c *.h
|
@ -0,0 +1,54 @@
|
||||
// +build !without_openssl
|
||||
|
||||
package stupidgcm |
||||
|
||||
import ( |
||||
"crypto/cipher" |
||||
"log" |
||||
|
||||
"golang.org/x/crypto/chacha20poly1305" |
||||
) |
||||
|
||||
/* |
||||
#include <openssl/evp.h> |
||||
*/ |
||||
import "C" |
||||
|
||||
type stupidChacha20poly1305 struct { |
||||
stupidAEADCommon |
||||
} |
||||
|
||||
// Verify that we satisfy the cipher.AEAD interface
|
||||
var _ cipher.AEAD = &stupidChacha20poly1305{} |
||||
|
||||
// _EVP_chacha20_poly1305 caches C.EVP_chacha20_poly1305() to avoid the Cgo call
|
||||
// overhead for each instantiation of NewChacha20poly1305.
|
||||
var _EVP_chacha20_poly1305 *C.EVP_CIPHER |
||||
|
||||
func init() { |
||||
_EVP_chacha20_poly1305 = C.EVP_chacha20_poly1305() |
||||
} |
||||
|
||||
// NewChacha20poly1305 returns a new instance of the OpenSSL ChaCha20-Poly1305 AEAD
|
||||
// cipher ( https://www.openssl.org/docs/man1.1.1/man3/EVP_chacha20_poly1305.html ).
|
||||
//
|
||||
// gocryptfs only uses ChaCha20-Poly1305 as a building block for OpenSSL
|
||||
// XChaCha20-Poly1305. This function is hot because it gets called once for each
|
||||
// block by XChaCha20-Poly1305.
|
||||
//
|
||||
// Only 32-bytes keys and 12-byte IVs are supported.
|
||||
func NewChacha20poly1305(key []byte) cipher.AEAD { |
||||
if len(key) != chacha20poly1305.KeySize { |
||||
log.Panicf("Only %d-byte keys are supported, you passed %d bytes", chacha20poly1305.KeySize, len(key)) |
||||
} |
||||
// private copy
|
||||
key2 := make([]byte, chacha20poly1305.KeySize) |
||||
copy(key2, key) |
||||
return &stupidChacha20poly1305{ |
||||
stupidAEADCommon{ |
||||
key: key2, |
||||
openSSLEVPCipher: _EVP_chacha20_poly1305, |
||||
nonceSize: chacha20poly1305.NonceSize, |
||||
}, |
||||
} |
||||
} |
@ -0,0 +1,70 @@
|
||||
// +build !without_openssl
|
||||
|
||||
package stupidgcm |
||||
|
||||
import ( |
||||
"log" |
||||
) |
||||
|
||||
/* |
||||
#include <openssl/evp.h> |
||||
*/ |
||||
import "C" |
||||
|
||||
type stupidAEADCommon struct { |
||||
wiped bool |
||||
key []byte |
||||
openSSLEVPCipher *C.EVP_CIPHER |
||||
nonceSize int |
||||
} |
||||
|
||||
// Overhead returns the number of bytes that are added for authentication.
|
||||
//
|
||||
// Part of the cipher.AEAD interface.
|
||||
func (c *stupidAEADCommon) Overhead() int { |
||||
return tagLen |
||||
} |
||||
|
||||
// NonceSize returns the required size of the nonce / IV
|
||||
//
|
||||
// Part of the cipher.AEAD interface.
|
||||
func (c *stupidAEADCommon) NonceSize() int { |
||||
return c.nonceSize |
||||
} |
||||
|
||||
// Seal encrypts "in" using "iv" and "authData" and append the result to "dst"
|
||||
//
|
||||
// Part of the cipher.AEAD interface.
|
||||
func (c *stupidAEADCommon) Seal(dst, iv, in, authData []byte) []byte { |
||||
return openSSLSeal(c, dst, iv, in, authData) |
||||
} |
||||
|
||||
// Open decrypts "in" using "iv" and "authData" and append the result to "dst"
|
||||
//
|
||||
// Part of the cipher.AEAD interface.
|
||||
func (c *stupidAEADCommon) Open(dst, iv, in, authData []byte) ([]byte, error) { |
||||
return openSSLOpen(c, dst, iv, in, authData) |
||||
} |
||||
|
||||
// Wipe tries to wipe the key from memory by overwriting it with zeros.
|
||||
//
|
||||
// This is not bulletproof due to possible GC copies, but
|
||||
// still raises the bar for extracting the key.
|
||||
func (c *stupidAEADCommon) Wipe() { |
||||
key := c.key |
||||
c.wiped = true |
||||
c.key = nil |
||||
for i := range key { |
||||
key[i] = 0 |
||||
} |
||||
} |
||||
|
||||
func (c *stupidAEADCommon) Wiped() bool { |
||||
if c.wiped { |
||||
return true |
||||
} |
||||
if len(c.key) != keyLen { |
||||
log.Panicf("wrong key length %d", len(c.key)) |
||||
} |
||||
return false |
||||
} |
@ -0,0 +1,59 @@
|
||||
// Package stupidgcm wraps OpenSSL to provide a cipher.AEAD interface for
|
||||
// authenticated encryption algorithms.
|
||||
//
|
||||
// The supported algorithms are:
|
||||
//
|
||||
// (1) AES-GCM-256 (OpenSSL EVP_aes_256_gcm)
|
||||
//
|
||||
// (2) ChaCha20-Poly1305 (OpenSSL EVP_chacha20_poly1305)
|
||||
//
|
||||
// (3) XChaCha20-Poly1305 (OpenSSL EVP_chacha20_poly1305 + Go HChaCha20)
|
||||
//
|
||||
// The golang.org/x/crypto libraries provides implementations for all algorithms,
|
||||
// and the test suite verifies that the implementation in this package gives
|
||||
// the exact same results.
|
||||
//
|
||||
// However, OpenSSL has optimized assembly for almost all platforms, which Go
|
||||
// does not. Example for a 32-bit ARM device (Odroid XU4):
|
||||
//
|
||||
// $ gocrypts -speed
|
||||
// gocryptfs v2.1-68-gedf9d4c.stupidchacha; go-fuse v2.1.1-0.20210825171523-3ab5d95a30ae; 2021-09-04 go1.16.7 linux/arm
|
||||
// AES-GCM-256-OpenSSL 56.84 MB/s (selected in auto mode)
|
||||
// AES-GCM-256-Go 16.61 MB/s
|
||||
// AES-SIV-512-Go 16.49 MB/s
|
||||
// XChaCha20-Poly1305-Go 39.08 MB/s (use via -xchacha flag)
|
||||
// XChaCha20-Poly1305-OpenSSL 141.82 MB/s
|
||||
//
|
||||
// This package is "stupid" in the sense that it only supports a narrow set of
|
||||
// key- and iv-lengths, and panics if it does not like what you pass it.
|
||||
// See the constructor functions for which restrictions apply for each algorithm.
|
||||
// Also, it is only tested for block lengths up to 5000 bytes, because this is
|
||||
// what gocryptfs uses.
|
||||
//
|
||||
// Corrupt ciphertexts never cause a panic. Instead, ErrAuth is returned on
|
||||
// decryption.
|
||||
//
|
||||
// XChaCha20-Poly1305
|
||||
//
|
||||
// The XChaCha20-Poly1305 implementation is more complicated than the others,
|
||||
// because OpenSSL does not support XChaCha20-Poly1305 directly. Follow
|
||||
// https://github.com/openssl/openssl/issues/5523 to get notified when it is
|
||||
// accepted into OpenSSL.
|
||||
//
|
||||
// Fortunately, XChaCha20-Poly1305 is just ChaCha20-Poly1305 with some key+iv
|
||||
// mixing using HChaCha20 in front:
|
||||
//
|
||||
// key (32 bytes), iv (24 bytes)
|
||||
// |
|
||||
// v
|
||||
// HChaCha20 (provided by golang.org/x/crypto/chacha20)
|
||||
// |
|
||||
// v
|
||||
// key2 (32 bytes), iv2 (16 bytes)
|
||||
// |
|
||||
// v
|
||||
// ChaCha20-Poly1305 (OpenSSL EVP_chacha20_poly1305)
|
||||
//
|
||||
// As HChaCha20 is very fast, XChaCha20-Poly1305 gets almost the same throughput
|
||||
// as ChaCha20-Poly1305 (for 4kiB blocks).
|
||||
package stupidgcm |
@ -0,0 +1,41 @@
|
||||
// +build !without_openssl
|
||||
|
||||
package stupidgcm |
||||
|
||||
// #include <openssl/evp.h>
|
||||
import "C" |
||||
|
||||
import ( |
||||
"crypto/cipher" |
||||
"log" |
||||
) |
||||
|
||||
const ( |
||||
// BuiltWithoutOpenssl indicates if openssl been disabled at compile-time
|
||||
BuiltWithoutOpenssl = false |
||||
|
||||
keyLen = 32 |
||||
ivLen = 16 |
||||
tagLen = 16 |
||||
) |
||||
|
||||
type stupidGCM struct { |
||||
stupidAEADCommon |
||||
} |
||||
|
||||
// NewAES256GCM returns a new AES-256-GCM cipher that satisfies the cipher.AEAD interface.
|
||||
//
|
||||
// Only 32-bytes keys and 16-byte IVs are supported.
|
||||
func NewAES256GCM(keyIn []byte) cipher.AEAD { |
||||
if len(keyIn) != keyLen { |
||||
log.Panicf("Only %d-byte keys are supported", keyLen) |
||||
} |
||||
return &stupidGCM{ |
||||
stupidAEADCommon{ |
||||
// Create a private copy of the key
|
||||
key: append([]byte{}, keyIn...), |
||||
openSSLEVPCipher: C.EVP_aes_256_gcm(), |
||||
nonceSize: ivLen, |
||||
}, |
||||
} |
||||
} |
@ -0,0 +1,123 @@
|
||||
// +build !without_openssl
|
||||
|
||||
package stupidgcm |
||||
|
||||
import ( |
||||
"fmt" |
||||
"log" |
||||
) |
||||
|
||||
/* |
||||
#include "openssl_aead.h" |
||||
#cgo pkg-config: libcrypto |
||||
*/ |
||||
import "C" |
||||
|
||||
func openSSLSeal(a *stupidAEADCommon, dst, iv, in, authData []byte) []byte { |
||||
if a.Wiped() { |
||||
log.Panic("BUG: tried to use wiped key") |
||||
} |
||||
if len(iv) != a.NonceSize() { |
||||
log.Panicf("Only %d-byte IVs are supported, you passed %d bytes", a.NonceSize(), len(iv)) |
||||
} |
||||
|
||||
// If the "dst" slice is large enough we can use it as our output buffer
|
||||
outLen := len(in) + tagLen |
||||
var buf []byte |
||||
inplace := false |
||||
if cap(dst)-len(dst) >= outLen { |
||||
inplace = true |
||||
buf = dst[len(dst) : len(dst)+outLen] |
||||
} else { |
||||
buf = make([]byte, outLen) |
||||
} |
||||
|
||||
res := int(C.openssl_aead_seal(a.openSSLEVPCipher, |
||||
slicePointerOrNull(in), |
||||
C.int(len(in)), |
||||
(*C.uchar)(&authData[0]), |
||||
C.int(len(authData)), |
||||
(*C.uchar)(&a.key[0]), |
||||
C.int(len(a.key)), |
||||
(*C.uchar)(&iv[0]), |
||||
C.int(len(iv)), |
||||
(*C.uchar)(&buf[0]), |
||||
C.int(len(buf)))) |
||||
|
||||
if res != outLen { |
||||
log.Panicf("expected length %d, got %d", outLen, res) |
||||
} |
||||
|
||||
if inplace { |
||||
return dst[:len(dst)+outLen] |
||||
} |
||||
return append(dst, buf...) |
||||
} |
||||
|
||||
func openSSLOpen(a *stupidAEADCommon, dst, iv, in, authData []byte) ([]byte, error) { |
||||
if a.Wiped() { |
||||
log.Panic("BUG: tried to use wiped key") |
||||
} |
||||
if len(iv) != a.NonceSize() { |
||||
log.Panicf("Only %d-byte IVs are supported, you passed %d bytes", a.NonceSize(), len(iv)) |
||||
} |
||||
if len(in) < tagLen { |
||||
return nil, fmt.Errorf("stupidChacha20poly1305: input data too short (%d bytes)", len(in)) |
||||
} |
||||
|
||||
// If the "dst" slice is large enough we can use it as our output buffer
|
||||
outLen := len(in) - tagLen |
||||
var buf []byte |
||||
inplace := false |
||||
if cap(dst)-len(dst) >= outLen { |
||||
inplace = true |
||||
buf = dst[len(dst) : len(dst)+outLen] |
||||
} else { |
||||
buf = make([]byte, len(in)-tagLen) |
||||
} |
||||
|
||||
ciphertext := in[:len(in)-tagLen] |
||||
tag := in[len(in)-tagLen:] |
||||
|
||||
res := int(C.openssl_aead_open(a.openSSLEVPCipher, |
||||
slicePointerOrNull(ciphertext), |
||||
C.int(len(ciphertext)), |
||||
(*C.uchar)(&authData[0]), |
||||
C.int(len(authData)), |
||||
(*C.uchar)(&tag[0]), |
||||
C.int(len(tag)), |
||||
(*C.uchar)(&a.key[0]), |
||||
C.int(len(a.key)), |
||||
(*C.uchar)(&iv[0]), |
||||
C.int(len(iv)), |
||||
slicePointerOrNull(buf), |
||||
C.int(len(buf)))) |
||||
|
||||
if res < 0 { |
||||
return nil, ErrAuth |
||||
} |
||||
if res != outLen { |
||||
log.Panicf("unexpected length %d", res) |
||||
} |
||||
|
||||
if inplace { |
||||
return dst[:len(dst)+outLen], nil |
||||
} |
||||
return append(dst, buf...), nil |
||||
} |
||||
|
||||
// slicePointerOrNull returns a C pointer to the beginning of the byte slice,
|
||||
// or NULL if the byte slice is empty. This is useful for slices that can be
|
||||
// empty, otherwise you can directly use "(*C.uchar)(&s[0])".
|
||||
func slicePointerOrNull(s []byte) (ptr *C.uchar) { |
||||
if len(s) == 0 { |
||||
return |
||||
} |
||||
return (*C.uchar)(&s[0]) |
||||
} |
||||
|
||||
// This functions exists to benchmark the C call overhead from Go.
|
||||
// See BenchmarkCCall for resuts.
|
||||
func noopCFunction() { |
||||
C.noop_c_function() |
||||
} |
@ -0,0 +1,185 @@
|
||||
// +build !without_openssl
|
||||
|
||||
#include "openssl_aead.h" |
||||
#include <openssl/evp.h> |
||||
#include <stdio.h> |
||||
//#cgo pkg-config: libcrypto
|
||||
|
||||
static void panic(const char* const msg) |
||||
{ |
||||
fprintf(stderr, "panic in C code: %s\n", msg); |
||||
__builtin_trap(); |
||||
} |
||||
|
||||
// We only support 16-byte tags
|
||||
static const int supportedTagLen = 16; |
||||
|
||||
// https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption#Authenticated_Encryption_using_GCM_mode
|
||||
int openssl_aead_seal( |
||||
const EVP_CIPHER* evpCipher, |
||||
const unsigned char* const plaintext, |
||||
const int plaintextLen, |
||||
const unsigned char* const authData, |
||||
const int authDataLen, |
||||
const unsigned char* const key, |
||||
const int keyLen, |
||||
const unsigned char* const iv, |
||||
const int ivLen, |
||||
unsigned char* const ciphertext, |
||||
const int ciphertextBufLen) |
||||
{ |
||||
// Create scratch space "ctx"
|
||||
EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new(); |
||||
if (!ctx) { |
||||
panic("EVP_CIPHER_CTX_new failed"); |
||||
} |
||||
|
||||
// Set cipher
|
||||
if (EVP_EncryptInit_ex(ctx, evpCipher, NULL, NULL, NULL) != 1) { |
||||
panic("EVP_EncryptInit_ex set cipher failed"); |
||||
} |
||||
|
||||
// Check keyLen by trying to set it (fails if keyLen != 32)
|
||||
if (EVP_CIPHER_CTX_set_key_length(ctx, keyLen) != 1) { |
||||
panic("keyLen mismatch"); |
||||
} |
||||
|
||||
// Set IV length so we do not depend on the default
|
||||
if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivLen, NULL) != 1) { |
||||
panic("EVP_CTRL_AEAD_SET_IVLEN failed"); |
||||
} |
||||
|
||||
// Set key and IV
|
||||
if (EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv) != 1) { |
||||
panic("EVP_EncryptInit_ex set key & iv failed"); |
||||
} |
||||
|
||||
// Provide authentication data
|
||||
int outLen = 0; |
||||
if (EVP_EncryptUpdate(ctx, NULL, &outLen, authData, authDataLen) != 1) { |
||||
panic("EVP_EncryptUpdate authData failed"); |
||||
} |
||||
if (outLen != authDataLen) { |
||||
panic("EVP_EncryptUpdate authData: unexpected length"); |
||||
} |
||||
|
||||
// Encrypt "plaintext" into "ciphertext"
|
||||
if (plaintextLen > ciphertextBufLen) { |
||||
panic("plaintext overflows output buffer"); |
||||
} |
||||
if (EVP_EncryptUpdate(ctx, ciphertext, &outLen, plaintext, plaintextLen) != 1) { |
||||
panic("EVP_EncryptUpdate ciphertext failed"); |
||||
} |
||||
if (outLen != plaintextLen) { |
||||
panic("EVP_EncryptUpdate ciphertext: unexpected length"); |
||||
} |
||||
int ciphertextLen = outLen; |
||||
|
||||
// Finalise encryption
|
||||
// Normally ciphertext bytes may be written at this stage, but this does not occur in GCM mode
|
||||
if (EVP_EncryptFinal_ex(ctx, ciphertext + plaintextLen, &outLen) != 1) { |
||||
panic("EVP_EncryptFinal_ex failed"); |
||||
} |
||||
if (outLen != 0) { |
||||
panic("EVP_EncryptFinal_ex: unexpected length"); |
||||
} |
||||
|
||||
// Get MAC tag and append it to the ciphertext
|
||||
if (ciphertextLen + supportedTagLen > ciphertextBufLen) { |
||||
panic("tag overflows output buffer"); |
||||
} |
||||
if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, supportedTagLen, ciphertext + plaintextLen) != 1) { |
||||
panic("EVP_CTRL_AEAD_GET_TAG failed"); |
||||
} |
||||
ciphertextLen += supportedTagLen; |
||||
|
||||
// Free scratch space
|
||||
EVP_CIPHER_CTX_free(ctx); |
||||
|
||||
return ciphertextLen; |
||||
} |
||||
|
||||
int openssl_aead_open( |
||||
const EVP_CIPHER* evpCipher, |
||||
const unsigned char* const ciphertext, |
||||
const int ciphertextLen, |
||||
const unsigned char* const authData, |
||||
const int authDataLen, |
||||
unsigned char* const tag, |
||||
const int tagLen, |
||||
const unsigned char* const key, |
||||
const int keyLen, |
||||
const unsigned char* const iv, |
||||
const int ivLen, |
||||
unsigned char* const plaintext, |
||||
const int plaintextBufLen) |
||||
{ |
||||
// Create scratch space "ctx"
|
||||
EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new(); |
||||
if (!ctx) { |
||||
panic("EVP_CIPHER_CTX_new failed"); |
||||
} |
||||
|
||||
// Set cipher
|
||||
if (EVP_DecryptInit_ex(ctx, evpCipher, NULL, NULL, NULL) != 1) { |
||||
panic("EVP_DecryptInit_ex set cipher failed"); |
||||
} |
||||
|
||||
// Check keyLen by trying to set it (fails if keyLen != 32)
|
||||
if (EVP_CIPHER_CTX_set_key_length(ctx, keyLen) != 1) { |
||||
panic("keyLen mismatch"); |
||||
} |
||||
|
||||
// Set IV length so we do not depend on the default
|
||||
if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivLen, NULL) != 1) { |
||||
panic("EVP_CTRL_AEAD_SET_IVLEN failed"); |
||||
} |
||||
|
||||
// Set key and IV
|
||||
if (EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv) != 1) { |
||||
panic("EVP_DecryptInit_ex set key & iv failed"); |
||||
} |
||||
|
||||
// Provide authentication data
|
||||
int outLen = 0; |
||||
if (EVP_DecryptUpdate(ctx, NULL, &outLen, authData, authDataLen) != 1) { |
||||
panic("EVP_DecryptUpdate authData failed"); |
||||
} |
||||
if (outLen != authDataLen) { |
||||
panic("EVP_DecryptUpdate authData: unexpected length"); |
||||
} |
||||
|
||||
// Decrypt "ciphertext" into "plaintext"
|
||||
if (ciphertextLen > plaintextBufLen) { |
||||
panic("ciphertextLen overflows output buffer"); |
||||
} |
||||
if (EVP_DecryptUpdate(ctx, plaintext, &outLen, ciphertext, ciphertextLen) != 1) { |
||||
panic("EVP_DecryptUpdate failed"); |
||||
} |
||||
int plaintextLen = outLen; |
||||
|
||||
// Check tag
|
||||
if (tagLen != supportedTagLen) { |
||||
panic("unsupported tag length"); |
||||
} |
||||
if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tagLen, tag) != 1) { |
||||
panic("EVP_CTRL_AEAD_SET_TAG failed"); |
||||
} |
||||
if (EVP_DecryptFinal_ex(ctx, plaintext + plaintextLen, &outLen) != 1) { |
||||
// authentication failed
|
||||
return -1; |
||||
} |
||||
if (outLen != 0) { |
||||
panic("EVP_EncryptFinal_ex: unexpected length"); |
||||
} |
||||
|
||||
/* Clean up */ |
||||
EVP_CIPHER_CTX_free(ctx); |
||||
|
||||
return plaintextLen; |
||||
} |
||||
|
||||
// This functions exists to benchmark the C call overhead from Go.
|
||||
void noop_c_function(void) { |
||||
return; |
||||
} |
@ -0,0 +1,31 @@
|
||||
#include <openssl/evp.h> |
||||
|
||||
int openssl_aead_seal( |
||||
const EVP_CIPHER* evpCipher, |
||||
const unsigned char* const plaintext, |
||||
const int plaintextLen, |
||||
const unsigned char* const authData, |
||||
const int authDataLen, |
||||
const unsigned char* const key, |
||||
const int keyLen, |
||||
const unsigned char* const iv, |
||||
const int ivLen, |
||||
unsigned char* const ciphertext, |
||||
const int ciphertextBufLen); |
||||
|
||||
int openssl_aead_open( |
||||
const EVP_CIPHER* evpCipher, |
||||
const unsigned char* const ciphertext, |
||||
const int ciphertextLen, |
||||
const unsigned char* const authData, |
||||
const int authDataLen, |
||||
unsigned char* const tag, |
||||
const int tagLen, |
||||
const unsigned char* const key, |
||||
const int keyLen, |
||||
const unsigned char* const iv, |
||||
const int ivLen, |
||||
unsigned char* const plaintext, |
||||
const int plaintextBufLen); |
||||
|
||||
void noop_c_function(void); |
@ -1,249 +0,0 @@
|
||||
// +build !without_openssl
|
||||
|
||||
// Package stupidgcm is a thin wrapper for OpenSSL's GCM encryption and
|
||||
// decryption functions. It only support 32-byte keys and 16-bit IVs.
|
||||
package stupidgcm |
||||
|
||||
// #include <openssl/evp.h>
|
||||
// #cgo pkg-config: libcrypto
|
||||
import "C" |
||||
|
||||
import ( |
||||
"crypto/cipher" |
||||
"fmt" |
||||
"log" |
||||
"unsafe" |
||||
) |
||||
|
||||
const ( |
||||
// BuiltWithoutOpenssl indicates if openssl been disabled at compile-time
|
||||
BuiltWithoutOpenssl = false |
||||
|
||||
keyLen = 32 |
||||
ivLen = 16 |
||||
tagLen = 16 |
||||
) |
||||
|
||||
// StupidGCM implements the cipher.AEAD interface
|
||||
type StupidGCM struct { |
||||
key []byte |
||||
forceDecode bool |
||||
} |
||||
|
||||
// Verify that we satisfy the cipher.AEAD interface
|
||||
var _ cipher.AEAD = &StupidGCM{} |
||||
|
||||
// New returns a new cipher.AEAD implementation..
|
||||
func New(keyIn []byte, forceDecode bool) cipher.AEAD { |
||||
if len(keyIn) != keyLen { |
||||
log.Panicf("Only %d-byte keys are supported", keyLen) |
||||
} |
||||
// Create a private copy of the key
|
||||
key := append([]byte{}, keyIn...) |
||||
return &StupidGCM{key: key, forceDecode: forceDecode} |
||||
} |
||||
|
||||
// NonceSize returns the required size of the nonce / IV.
|
||||
func (g *StupidGCM) NonceSize() int { |
||||
return ivLen |
||||
} |
||||
|
||||
// Overhead returns the number of bytes that are added for authentication.
|
||||
func (g *StupidGCM) Overhead() int { |
||||
return tagLen |
||||
} |
||||
|
||||
// Seal encrypts "in" using "iv" and "authData" and append the result to "dst"
|
||||
func (g *StupidGCM) Seal(dst, iv, in, authData []byte) []byte { |
||||
if len(iv) != ivLen { |
||||
log.Panicf("Only %d-byte IVs are supported", ivLen) |
||||
} |
||||
if len(in) == 0 { |
||||
log.Panic("Zero-length input data is not supported") |
||||
} |
||||
if len(g.key) != keyLen { |
||||
log.Panicf("Wrong key length: %d. Key has been wiped?", len(g.key)) |
||||
} |
||||
|
||||
// If the "dst" slice is large enough we can use it as our output buffer
|
||||
outLen := len(in) + tagLen |
||||
var buf []byte |
||||
inplace := false |
||||
if cap(dst)-len(dst) >= outLen { |
||||
inplace = true |
||||
buf = dst[len(dst) : len(dst)+outLen] |
||||
} else { |
||||
buf = make([]byte, outLen) |
||||
} |
||||
|
||||
// https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption#Authenticated_Encryption_using_GCM_mode
|
||||
|
||||
// Create scratch space "context"
|
||||
ctx := C.EVP_CIPHER_CTX_new() |
||||
if ctx == nil { |
||||
log.Panic("EVP_CIPHER_CTX_new failed") |
||||
} |
||||
|
||||
// Set cipher to AES-256
|
||||
if C.EVP_EncryptInit_ex(ctx, C.EVP_aes_256_gcm(), nil, nil, nil) != 1 { |
||||
log.Panic("EVP_EncryptInit_ex I failed") |
||||
} |
||||
|
||||
// Use 16-byte IV
|
||||
if C.EVP_CIPHER_CTX_ctrl(ctx, C.EVP_CTRL_GCM_SET_IVLEN, ivLen, nil) != 1 { |
||||
log.Panic("EVP_CIPHER_CTX_ctrl EVP_CTRL_GCM_SET_IVLEN failed") |
||||
} |
||||
|
||||
// Set key and IV
|
||||
if C.EVP_EncryptInit_ex(ctx, nil, nil, (*C.uchar)(&g.key[0]), (*C.uchar)(&iv[0])) != 1 { |
||||
log.Panic("EVP_EncryptInit_ex II failed") |
||||
} |
||||
|
||||
// Provide authentication data
|
||||
var resultLen C.int |
||||
if C.EVP_EncryptUpdate(ctx, nil, &resultLen, (*C.uchar)(&authData[0]), C.int(len(authData))) != 1 { |
||||
log.Panic("EVP_EncryptUpdate authData failed") |
||||
} |
||||
if int(resultLen) != len(authData) { |
||||
log.Panicf("Unexpected length %d", resultLen) |
||||
} |
||||
|
||||
// Encrypt "in" into "buf"
|
||||
if C.EVP_EncryptUpdate(ctx, (*C.uchar)(&buf[0]), &resultLen, (*C.uchar)(&in[0]), C.int(len(in))) != 1 { |
||||
log.Panic("EVP_EncryptUpdate failed") |
||||
} |
||||
if int(resultLen) != len(in) { |
||||
log.Panicf("Unexpected length %d", resultLen) |
||||
} |
||||
|
||||
// Finalise encryption
|
||||
// Because GCM is a stream encryption, this will not write out any data.
|
||||
dummy := make([]byte, 16) |
||||
if C.EVP_EncryptFinal_ex(ctx, (*C.uchar)(&dummy[0]), &resultLen) != 1 { |
||||
log.Panic("EVP_EncryptFinal_ex failed") |
||||
} |
||||
if resultLen != 0 { |
||||
log.Panicf("Unexpected length %d", resultLen) |
||||
} |
||||
|
||||
// Get GMAC tag and append it to the ciphertext in "buf"
|
||||
if C.EVP_CIPHER_CTX_ctrl(ctx, C.EVP_CTRL_GCM_GET_TAG, tagLen, (unsafe.Pointer)(&buf[len(in)])) != 1 { |
||||
log.Panic("EVP_CIPHER_CTX_ctrl EVP_CTRL_GCM_GET_TAG failed") |
||||
} |
||||
|
||||
// Free scratch space
|
||||
C.EVP_CIPHER_CTX_free(ctx) |
||||
|
||||
if inplace { |
||||
return dst[:len(dst)+outLen] |
||||
} |
||||
return append(dst, buf...) |
||||
} |
||||
|
||||
// Open decrypts "in" using "iv" and "authData" and append the result to "dst"
|
||||
func (g *StupidGCM) Open(dst, iv, in, authData []byte) ([]byte, error) { |
||||
if len(iv) != ivLen { |
||||
log.Panicf("Only %d-byte IVs are supported", ivLen) |
||||
} |
||||
if len(g.key) != keyLen { |
||||
log.Panicf("Wrong key length: %d. Key has been wiped?", len(g.key)) |
||||
} |
||||
if len(in) <= tagLen { |
||||
return nil, fmt.Errorf("stupidgcm: input data too short (%d bytes)", len(in)) |
||||
} |
||||
|
||||
// If the "dst" slice is large enough we can use it as our output buffer
|
||||
outLen := len(in) - tagLen |
||||
var buf []byte |
||||
inplace := false |
||||
if cap(dst)-len(dst) >= outLen { |
||||
inplace = true |
||||
buf = dst[len(dst) : len(dst)+outLen] |
||||
} else { |
||||
buf = make([]byte, len(in)-tagLen) |
||||
} |
||||
|
||||
ciphertext := in[:len(in)-tagLen] |
||||
tag := in[len(in)-tagLen:] |
||||
|
||||
// https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption#Authenticated_Encryption_using_GCM_mode
|
||||
|
||||
// Create scratch space "context"
|
||||
ctx := C.EVP_CIPHER_CTX_new() |
||||
if ctx == nil { |
||||
log.Panic("EVP_CIPHER_CTX_new failed") |
||||
} |
||||
|
||||
// Set cipher to AES-256
|
||||
if C.EVP_DecryptInit_ex(ctx, C.EVP_aes_256_gcm(), nil, nil, nil) != 1 { |
||||
log.Panic("EVP_DecryptInit_ex I failed") |
||||
} |
||||
|
||||
// Use 16-byte IV
|
||||
if C.EVP_CIPHER_CTX_ctrl(ctx, C.EVP_CTRL_GCM_SET_IVLEN, ivLen, nil) != 1 { |
||||
log.Panic("EVP_CIPHER_CTX_ctrl EVP_CTRL_GCM_SET_IVLEN failed") |
||||
} |
||||
|
||||
// Set key and IV
|
||||
if C.EVP_DecryptInit_ex(ctx, nil, nil, (*C.uchar)(&g.key[0]), (*C.uchar)(&iv[0])) != 1 { |
||||
log.Panic("EVP_DecryptInit_ex II failed") |
||||
} |
||||
|
||||
// Set expected GMAC tag
|
||||
if C.EVP_CIPHER_CTX_ctrl(ctx, C.EVP_CTRL_GCM_SET_TAG, tagLen, (unsafe.Pointer)(&tag[0])) != 1 { |
||||
log.Panic("EVP_CIPHER_CTX_ctrl failed") |
||||
} |
||||
|
||||
// Provide authentication data
|
||||
var resultLen C.int |
||||
if C.EVP_DecryptUpdate(ctx, nil, &resultLen, (*C.uchar)(&authData[0]), C.int(len(authData))) != 1 { |
||||
log.Panic("EVP_DecryptUpdate authData failed") |
||||
} |
||||
if int(resultLen) != len(authData) { |
||||
log.Panicf("Unexpected length %d", resultLen) |
||||
} |
||||
|
||||
// Decrypt "ciphertext" into "buf"
|
||||
if C.EVP_DecryptUpdate(ctx, (*C.uchar)(&buf[0]), &resultLen, (*C.uchar)(&ciphertext[0]), C.int(len(ciphertext))) != 1 { |
||||
log.Panic("EVP_DecryptUpdate failed") |
||||
} |
||||
if int(resultLen) != len(ciphertext) { |
||||
log.Panicf("Unexpected length %d", resultLen) |
||||
} |
||||
|
||||
// Check GMAC
|
||||
dummy := make([]byte, 16) |
||||
res := C.EVP_DecryptFinal_ex(ctx, (*C.uchar)(&dummy[0]), &resultLen) |
||||
if resultLen != 0 { |
||||
log.Panicf("Unexpected length %d", resultLen) |
||||
} |
||||
|
||||
// Free scratch space
|
||||
C.EVP_CIPHER_CTX_free(ctx) |
||||
|
||||
if res != 1 { |
||||
// The error code must always be checked by the calling function, because the decrypted buffer
|
||||
// may contain corrupted data that we are returning in case the user forced reads
|
||||
if g.forceDecode { |
||||
return append(dst, buf...), ErrAuth |
||||
} |
||||
return nil, ErrAuth |
||||
} |
||||
|
||||
if inplace { |
||||
return dst[:len(dst)+outLen], nil |
||||
} |
||||
return append(dst, buf...), nil |
||||
} |
||||
|
||||
// Wipe tries to wipe the AES key from memory by overwriting it with zeros
|
||||
// and setting the reference to nil.
|
||||
//
|
||||
// This is not bulletproof due to possible GC copies, but
|
||||
// still raises to bar for extracting the key.
|
||||
func (g *StupidGCM) Wipe() { |
||||
for i := range g.key { |
||||
g.key[i] = 0 |
||||
} |
||||
g.key = nil |
||||
} |
@ -0,0 +1,117 @@
|
||||
// +build !without_openssl
|
||||
|
||||
// Copyright 2018 The Go Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
//
|
||||
// Copied from
|
||||
// https://github.com/golang/crypto/blob/32db794688a5a24a23a43f2a984cecd5b3d8da58/chacha20poly1305/xchacha20poly1305.go
|
||||
// and adapted for stupidgcm by @rfjakob.
|
||||
|
||||
package stupidgcm |
||||
|
||||
import ( |
||||
"crypto/cipher" |
||||
"errors" |
||||
"log" |
||||
|
||||
"golang.org/x/crypto/chacha20" |
||||
"golang.org/x/crypto/chacha20poly1305" |
||||
) |
||||
|
||||
type stupidXchacha20poly1305 struct { |
||||
// array instead of byte slice like
|
||||
// `struct xchacha20poly1305` in x/crypto/chacha20poly1305
|
||||
key [chacha20poly1305.KeySize]byte |
||||
wiped bool |
||||
} |
||||
|
||||
// NewXchacha20poly1305 returns a XChaCha20-Poly1305 cipher that satisfied the
|
||||
// cipher.AEAD interface.
|
||||
//
|
||||
// XChaCha20-Poly1305 is a ChaCha20-Poly1305 variant that takes a longer nonce,
|
||||
// suitable to be generated randomly without risk of collisions. It should be
|
||||
// preferred when nonce uniqueness cannot be trivially ensured, or whenever
|
||||
// nonces are randomly generated.
|
||||
//
|
||||
// Only 32-bytes keys and 24-byte IVs are supported.
|
||||
func NewXchacha20poly1305(key []byte) cipher.AEAD { |
||||
if len(key) != chacha20poly1305.KeySize { |
||||
log.Panic("bad key length") |
||||
} |
||||
ret := new(stupidXchacha20poly1305) |
||||
copy(ret.key[:], key) |
||||
return ret |
||||
} |
||||
|
||||
func (*stupidXchacha20poly1305) NonceSize() int { |
||||
return chacha20poly1305.NonceSizeX |
||||
} |
||||
|
||||
func (*stupidXchacha20poly1305) Overhead() int { |
||||
return tagLen |
||||
} |
||||
|
||||
func (x *stupidXchacha20poly1305) Seal(dst, nonce, plaintext, additionalData []byte) []byte { |
||||
if x.wiped { |
||||
log.Panic("BUG: tried to use wiped key") |
||||
} |
||||
if len(nonce) != chacha20poly1305.NonceSizeX { |
||||
log.Panic("bad nonce length passed to Seal") |
||||
} |
||||
|
||||
// XChaCha20-Poly1305 technically supports a 64-bit counter, so there is no
|
||||
// size limit. However, since we reuse the ChaCha20-Poly1305 implementation,
|
||||
// the second half of the counter is not available. This is unlikely to be
|
||||
// an issue because the cipher.AEAD API requires the entire message to be in
|
||||
// memory, and the counter overflows at 256 GB.
|
||||
if uint64(len(plaintext)) > (1<<38)-64 { |
||||
log.Panic("plaintext too large") |
||||
} |
||||
|
||||
hKey, _ := chacha20.HChaCha20(x.key[:], nonce[0:16]) |
||||
c := NewChacha20poly1305(hKey).(*stupidChacha20poly1305) |
||||
defer c.Wipe() |
||||
|
||||
// The first 4 bytes of the final nonce are unused counter space.
|
||||
cNonce := make([]byte, chacha20poly1305.NonceSize) |
||||
copy(cNonce[4:12], nonce[16:24]) |
||||
|
||||
return c.Seal(dst, cNonce[:], plaintext, additionalData) |
||||
} |
||||
|
||||
func (x *stupidXchacha20poly1305) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) { |
||||
if x.wiped { |
||||
log.Panic("BUG: tried to use wiped key") |
||||
} |
||||
if len(nonce) != chacha20poly1305.NonceSizeX { |
||||
log.Panic("bad nonce length passed to Open") |
||||
} |
||||
if len(ciphertext) < 16 { |
||||
return nil, errors.New("message too short") |
||||
} |
||||
if uint64(len(ciphertext)) > (1<<38)-48 { |
||||
log.Panic("ciphertext too large") |
||||
} |
||||
|
||||
hKey, _ := chacha20.HChaCha20(x.key[:], nonce[0:16]) |
||||
c := NewChacha20poly1305(hKey).(*stupidChacha20poly1305) |
||||
defer c.Wipe() |
||||
|
||||
// The first 4 bytes of the final nonce are unused counter space.
|
||||
cNonce := make([]byte, chacha20poly1305.NonceSize) |
||||
copy(cNonce[4:12], nonce[16:24]) |
||||
|
||||
return c.Open(dst, cNonce[:], ciphertext, additionalData) |
||||
} |
||||
|
||||
// Wipe tries to wipe the key from memory by overwriting it with zeros.
|
||||
//
|
||||
// This is not bulletproof due to possible GC copies, but
|
||||
// still raises the bar for extracting the key.
|
||||
func (g *stupidXchacha20poly1305) Wipe() { |
||||
g.wiped = true |
||||
for i := range g.key { |
||||
g.key[i] = 0 |
||||
} |
||||
} |
@ -1,3 +1,6 @@
|
||||
// gocryptfs is an encrypted overlay filesystem written in Go.
|
||||
// See README.md ( https://github.com/rfjakob/gocryptfs/blob/master/README.md )
|
||||
// and the official website ( https://nuetzlich.net/gocryptfs/ ) for details.
|
||||
package main |
||||
|
||||
func main() {} |
||||
|
Loading…
Reference in new issue