ladybird/Userland/Libraries/LibCrypto/Cipher/Mode/GCM.h

/*
 * Copyright (c) 2020, Ali Mohammad Pur <mpfard@serenityos.org>
 *
 * SPDX-License-Identifier: BSD-2-Clause
 */

#pragma once

#include <AK/Memory.h>
#include <AK/OwnPtr.h>
#include <AK/StringBuilder.h>
#include <AK/StringView.h>
#include <LibCrypto/Authentication/GHash.h>
#include <LibCrypto/Cipher/Mode/CTR.h>
#include <LibCrypto/Verification.h>

#ifndef KERNEL
#    include <AK/ByteString.h>
#endif

namespace Crypto::Cipher {

using IncrementFunction = IncrementInplace;

template<typename T>
class GCM : public CTR<T, IncrementFunction> {
public:
    constexpr static size_t IVSizeInBits = 128;

    virtual ~GCM() = default;

    template<typename... Args>
    explicit constexpr GCM<T>(Args... args)
        : CTR<T>(args...)
    {
        static_assert(T::BlockSizeInBits == 128u, "GCM Mode is only available for 128-bit Ciphers");

        __builtin_memset(m_auth_key_storage, 0, block_size);
        typename T::BlockType key_block(m_auth_key_storage, block_size);
        this->cipher().encrypt_block(key_block, key_block);
        key_block.bytes().copy_to(m_auth_key);

        m_ghash = Authentication::GHash(m_auth_key);
    }

#ifndef KERNEL
    virtual ByteString class_name() const override
    {
        StringBuilder builder;
        builder.append(this->cipher().class_name());
        builder.append("_GCM"sv);
        return builder.to_byte_string();
    }
#endif

    virtual size_t IV_length() const override
    {
        return IVSizeInBits / 8;
    }

    // FIXME: This overload throws away the auth stuff, think up a better way to return more than a single bytebuffer.
    virtual void encrypt(ReadonlyBytes in, Bytes& out, ReadonlyBytes ivec = {}, Bytes* = nullptr) override
    {
        VERIFY(!ivec.is_empty());

        static ByteBuffer dummy;

        encrypt(in, out, ivec, dummy, dummy);
    }
    virtual void decrypt(ReadonlyBytes in, Bytes& out, ReadonlyBytes ivec = {}) override
    {
        encrypt(in, out, ivec);
    }

    void encrypt(ReadonlyBytes in, Bytes out, ReadonlyBytes iv_in, ReadonlyBytes aad, Bytes tag)
    {
        auto iv_buf_result = ByteBuffer::copy(iv_in);
        // Not enough memory to figure out :shrug:
        if (iv_buf_result.is_error()) {
            dbgln("GCM::encrypt: Not enough memory to allocate {} bytes for IV", iv_in.size());
            return;
        }

        auto iv = iv_buf_result.value().bytes();

        // Increment the IV for block 0
        CTR<T>::increment(iv);
        typename T::BlockType block0;
        block0.overwrite(iv);
        this->cipher().encrypt_block(block0, block0);

        // Skip past block 0
        CTR<T>::increment(iv);

        if (in.is_empty())
            CTR<T>::key_stream(out, iv);
        else
            CTR<T>::encrypt(in, out, iv);

        auto auth_tag = m_ghash->process(aad, out);
        block0.apply_initialization_vector({ auth_tag.data, array_size(auth_tag.data) });
        block0.bytes().copy_to(tag);
    }

    VerificationConsistency decrypt(ReadonlyBytes in, Bytes out, ReadonlyBytes iv_in, ReadonlyBytes aad, ReadonlyBytes tag)
    {
        auto iv_buf_result = ByteBuffer::copy(iv_in);
        // Not enough memory to figure out :shrug:
        if (iv_buf_result.is_error())
            return VerificationConsistency::Inconsistent;

        auto iv = iv_buf_result.value().bytes();

        // Increment the IV for block 0
        CTR<T>::increment(iv);
        typename T::BlockType block0;
        block0.overwrite(iv);
        this->cipher().encrypt_block(block0, block0);

        // Skip past block 0
        CTR<T>::increment(iv);

        auto auth_tag = m_ghash->process(aad, in);
        block0.apply_initialization_vector({ auth_tag.data, array_size(auth_tag.data) });

        auto test_consistency = [&] {
            if (block0.block_size() != tag.size() || !timing_safe_compare(block0.bytes().data(), tag.data(), tag.size()))
                return VerificationConsistency::Inconsistent;

            return VerificationConsistency::Consistent;
        };

        if (in.is_empty()) {
            out = {};
            return test_consistency();
        }

        CTR<T>::encrypt(in, out, iv);
        return test_consistency();
    }

private:
    static constexpr auto block_size = T::BlockType::BlockSizeInBits / 8;
    u8 m_auth_key_storage[block_size];
    Bytes m_auth_key { m_auth_key_storage, block_size };
    Optional<Authentication::GHash> m_ghash;
};

}
LibCrypto: Implement GCM mode 2020-11-11 13:17:23 +03:30			`/*`
AK+Userland: Use mpfard@serenityos.org for my copyright headers 2021-04-23 00:43:01 +04:30			`* Copyright (c) 2020, Ali Mohammad Pur <mpfard@serenityos.org>`
LibCrypto: Implement GCM mode 2020-11-11 13:17:23 +03:30			`*`
Everything: Move to SPDX license identifiers in all files. SPDX License Identifiers are a more compact / standardized way of representing file license information. See: https://spdx.dev/resources/use/#identifiers This was done with the `ambr` search and replace tool. ambr --no-parent-ignore --key-from-file --rep-from-file key.txt rep.txt * 2021-04-22 01:24:48 -07:00			`* SPDX-License-Identifier: BSD-2-Clause`
LibCrypto: Implement GCM mode 2020-11-11 13:17:23 +03:30			`*/`

			`#pragma once`

LibCrypto: Use AK::timing_safe_compare to validate sensitive data Addresses one FIXME in GCM, and another similar issue in EMSA_PSS. We should be using constant time memory comparisons in all of our crypto code. 2022-03-12 22:06:46 -08:00			`#include <AK/Memory.h>`
LibCrypto: Implement GCM mode 2020-11-11 13:17:23 +03:30			`#include <AK/OwnPtr.h>`
			`#include <AK/StringBuilder.h>`
			`#include <AK/StringView.h>`
			`#include <LibCrypto/Authentication/GHash.h>`
			`#include <LibCrypto/Cipher/Mode/CTR.h>`
			`#include <LibCrypto/Verification.h>`

LibCrypto: Exclude class_name() methods from the Kernel These are only used by Userland and contain infallible String allocations, so let's just ifdef them out of the Kernel. 2022-02-15 21:36:46 +02:00			`#ifndef KERNEL`
Everywhere: Rename {Deprecated => Byte}String This commit un-deprecates DeprecatedString, and repurposes it as a byte string. As the null state has already been removed, there are no other particularly hairy blockers in repurposing this type as a byte string (what it _really_ is). This commit is auto-generated: $ xs=$(ack -l \bDeprecatedString\b\\|deprecated_string AK Userland \ Meta Ports Ladybird Tests Kernel) $ perl -pie 's/\bDeprecatedString\b/ByteString/g; s/deprecated_string/byte_string/g' $xs $ clang-format --style=file -i \ $(git diff --name-only \| grep \.cpp\\|\.h) $ gn format $(git ls-files '.gn' '.gni') 2023-12-16 17:49:34 +03:30			`# include <AK/ByteString.h>`
LibCrypto: Exclude class_name() methods from the Kernel These are only used by Userland and contain infallible String allocations, so let's just ifdef them out of the Kernel. 2022-02-15 21:36:46 +02:00			`#endif`

Everywhere: Use nested namespace qualifiers 2023-07-11 13:49:08 -04:00			`namespace Crypto::Cipher {`
LibCrypto: Implement GCM mode 2020-11-11 13:17:23 +03:30
			`using IncrementFunction = IncrementInplace;`

			`template<typename T>`
			`class GCM : public CTR<T, IncrementFunction> {`
			`public:`
			`constexpr static size_t IVSizeInBits = 128;`

LibCrypto: Use default instead of an empty constructor/destructor Default implementations allow for more optimizations. See: https://pvs-studio.com/en/docs/warnings/v832/ 2021-09-15 23:32:51 -07:00			`virtual ~GCM() = default;`
LibCrypto: Implement GCM mode 2020-11-11 13:17:23 +03:30
			`template<typename... Args>`
			`explicit constexpr GCM<T>(Args... args)`
			`: CTR<T>(args...)`
			`{`
			`static_assert(T::BlockSizeInBits == 128u, "GCM Mode is only available for 128-bit Ciphers");`

			`__builtin_memset(m_auth_key_storage, 0, block_size);`
			`typename T::BlockType key_block(m_auth_key_storage, block_size);`
			`this->cipher().encrypt_block(key_block, key_block);`
			`key_block.bytes().copy_to(m_auth_key);`

LibCrypto: Make GCM movable 2021-05-18 22:57:07 +02:00			`m_ghash = Authentication::GHash(m_auth_key);`
LibCrypto: Implement GCM mode 2020-11-11 13:17:23 +03:30			`}`

LibCrypto: Exclude class_name() methods from the Kernel These are only used by Userland and contain infallible String allocations, so let's just ifdef them out of the Kernel. 2022-02-15 21:36:46 +02:00			`#ifndef KERNEL`
Everywhere: Rename {Deprecated => Byte}String This commit un-deprecates DeprecatedString, and repurposes it as a byte string. As the null state has already been removed, there are no other particularly hairy blockers in repurposing this type as a byte string (what it _really_ is). This commit is auto-generated: $ xs=$(ack -l \bDeprecatedString\b\\|deprecated_string AK Userland \ Meta Ports Ladybird Tests Kernel) $ perl -pie 's/\bDeprecatedString\b/ByteString/g; s/deprecated_string/byte_string/g' $xs $ clang-format --style=file -i \ $(git diff --name-only \| grep \.cpp\\|\.h) $ gn format $(git ls-files '.gn' '.gni') 2023-12-16 17:49:34 +03:30			`virtual ByteString class_name() const override`
LibCrypto: Implement GCM mode 2020-11-11 13:17:23 +03:30			`{`
			`StringBuilder builder;`
			`builder.append(this->cipher().class_name());`
Everywhere: Add sv suffix to strings relying on StringView(char const) Each of these strings would previously rely on StringView's char const constructor overload, which would call __builtin_strlen on the string. Since we now have operator ""sv, we can replace these with much simpler versions. This opens the door to being able to remove StringView(char const*). No functional changes. 2022-07-11 17:32:29 +00:00			`builder.append("_GCM"sv);`
Everywhere: Rename {Deprecated => Byte}String This commit un-deprecates DeprecatedString, and repurposes it as a byte string. As the null state has already been removed, there are no other particularly hairy blockers in repurposing this type as a byte string (what it _really_ is). This commit is auto-generated: $ xs=$(ack -l \bDeprecatedString\b\\|deprecated_string AK Userland \ Meta Ports Ladybird Tests Kernel) $ perl -pie 's/\bDeprecatedString\b/ByteString/g; s/deprecated_string/byte_string/g' $xs $ clang-format --style=file -i \ $(git diff --name-only \| grep \.cpp\\|\.h) $ gn format $(git ls-files '.gn' '.gni') 2023-12-16 17:49:34 +03:30			`return builder.to_byte_string();`
LibCrypto: Implement GCM mode 2020-11-11 13:17:23 +03:30			`}`
LibCrypto: Exclude class_name() methods from the Kernel These are only used by Userland and contain infallible String allocations, so let's just ifdef them out of the Kernel. 2022-02-15 21:36:46 +02:00			`#endif`
LibCrypto: Implement GCM mode 2020-11-11 13:17:23 +03:30
LibCrypto: Exclude class_name() methods from the Kernel These are only used by Userland and contain infallible String allocations, so let's just ifdef them out of the Kernel. 2022-02-15 21:36:46 +02:00			`virtual size_t IV_length() const override`
			`{`
			`return IVSizeInBits / 8;`
			`}`
LibCrypto: Implement GCM mode 2020-11-11 13:17:23 +03:30
			`// FIXME: This overload throws away the auth stuff, think up a better way to return more than a single bytebuffer.`
LibTLS+LibCrypto: Replace a whole bunch of ByteBuffers with Spans 2020-12-19 15:07:09 +01:00			`virtual void encrypt(ReadonlyBytes in, Bytes& out, ReadonlyBytes ivec = {}, Bytes* = nullptr) override`
LibCrypto: Implement GCM mode 2020-11-11 13:17:23 +03:30			`{`
Everywhere: Rename ASSERT => VERIFY (...and ASSERT_NOT_REACHED => VERIFY_NOT_REACHED) Since all of these checks are done in release builds as well, let's rename them to VERIFY to prevent confusion, as everyone is used to assertions being compiled out in release. We can introduce a new ASSERT macro that is specifically for debug checks, but I'm doing this wholesale conversion first since we've accumulated thousands of these already, and it's not immediately obvious which ones are suitable for ASSERT. 2021-02-23 20:42:32 +01:00			`VERIFY(!ivec.is_empty());`
LibCrypto: Implement GCM mode 2020-11-11 13:17:23 +03:30
			`static ByteBuffer dummy;`

			`encrypt(in, out, ivec, dummy, dummy);`
			`}`
LibTLS+LibCrypto: Replace a whole bunch of ByteBuffers with Spans 2020-12-19 15:07:09 +01:00			`virtual void decrypt(ReadonlyBytes in, Bytes& out, ReadonlyBytes ivec = {}) override`
LibCrypto: Implement GCM mode 2020-11-11 13:17:23 +03:30			`{`
			`encrypt(in, out, ivec);`
			`}`

Everywhere: Pass AK::ReadonlyBytes by value 2021-11-11 01:06:34 +01:00			`void encrypt(ReadonlyBytes in, Bytes out, ReadonlyBytes iv_in, ReadonlyBytes aad, Bytes tag)`
LibCrypto: Implement GCM mode 2020-11-11 13:17:23 +03:30			`{`
Everywhere: Make ByteBuffer::{create_*,copy}() OOM-safe 2021-09-06 03:29:52 +04:30			`auto iv_buf_result = ByteBuffer::copy(iv_in);`
			`// Not enough memory to figure out :shrug:`
Everywhere: Convert ByteBuffer factory methods from Optional -> ErrorOr Apologies for the enormous commit, but I don't see a way to split this up nicely. In the vast majority of cases it's a simple change. A few extra places can use TRY instead of manual error checking though. :^) 2022-01-20 17:47:39 +00:00			`if (iv_buf_result.is_error()) {`
Everywhere: Make ByteBuffer::{create_*,copy}() OOM-safe 2021-09-06 03:29:52 +04:30			`dbgln("GCM::encrypt: Not enough memory to allocate {} bytes for IV", iv_in.size());`
			`return;`
			`}`

Everywhere: Convert ByteBuffer factory methods from Optional -> ErrorOr Apologies for the enormous commit, but I don't see a way to split this up nicely. In the vast majority of cases it's a simple change. A few extra places can use TRY instead of manual error checking though. :^) 2022-01-20 17:47:39 +00:00			`auto iv = iv_buf_result.value().bytes();`
LibCrypto: Implement GCM mode 2020-11-11 13:17:23 +03:30
			`// Increment the IV for block 0`
			`CTR<T>::increment(iv);`
			`typename T::BlockType block0;`
			`block0.overwrite(iv);`
			`this->cipher().encrypt_block(block0, block0);`

			`// Skip past block 0`
			`CTR<T>::increment(iv);`

			`if (in.is_empty())`
			`CTR<T>::key_stream(out, iv);`
			`else`
			`CTR<T>::encrypt(in, out, iv);`

			`auto auth_tag = m_ghash->process(aad, out);`
LibCrypto: Do not assume that the passed in IV is as long as a block Just take ReadonlyBytes instead of a raw pointer. Fixes #7072 (tested with the ASAN build fixed by #7060). 2021-05-14 09:32:24 +04:30			`block0.apply_initialization_vector({ auth_tag.data, array_size(auth_tag.data) });`
LibCrypto: Reduce use of ByteBuffer in AES code Use Bytes/ReadonlyBytes more where possible. 2021-01-12 09:25:55 +01:00			`block0.bytes().copy_to(tag);`
LibCrypto: Implement GCM mode 2020-11-11 13:17:23 +03:30			`}`

LibTLS+LibCrypto: Replace a whole bunch of ByteBuffers with Spans 2020-12-19 15:07:09 +01:00			`VerificationConsistency decrypt(ReadonlyBytes in, Bytes out, ReadonlyBytes iv_in, ReadonlyBytes aad, ReadonlyBytes tag)`
LibCrypto: Implement GCM mode 2020-11-11 13:17:23 +03:30			`{`
Everywhere: Make ByteBuffer::{create_*,copy}() OOM-safe 2021-09-06 03:29:52 +04:30			`auto iv_buf_result = ByteBuffer::copy(iv_in);`
			`// Not enough memory to figure out :shrug:`
Everywhere: Convert ByteBuffer factory methods from Optional -> ErrorOr Apologies for the enormous commit, but I don't see a way to split this up nicely. In the vast majority of cases it's a simple change. A few extra places can use TRY instead of manual error checking though. :^) 2022-01-20 17:47:39 +00:00			`if (iv_buf_result.is_error())`
Everywhere: Make ByteBuffer::{create_*,copy}() OOM-safe 2021-09-06 03:29:52 +04:30			`return VerificationConsistency::Inconsistent;`

Everywhere: Convert ByteBuffer factory methods from Optional -> ErrorOr Apologies for the enormous commit, but I don't see a way to split this up nicely. In the vast majority of cases it's a simple change. A few extra places can use TRY instead of manual error checking though. :^) 2022-01-20 17:47:39 +00:00			`auto iv = iv_buf_result.value().bytes();`
LibCrypto: Implement GCM mode 2020-11-11 13:17:23 +03:30
			`// Increment the IV for block 0`
			`CTR<T>::increment(iv);`
			`typename T::BlockType block0;`
			`block0.overwrite(iv);`
			`this->cipher().encrypt_block(block0, block0);`

			`// Skip past block 0`
			`CTR<T>::increment(iv);`

			`auto auth_tag = m_ghash->process(aad, in);`
LibCrypto: Do not assume that the passed in IV is as long as a block Just take ReadonlyBytes instead of a raw pointer. Fixes #7072 (tested with the ASAN build fixed by #7060). 2021-05-14 09:32:24 +04:30			`block0.apply_initialization_vector({ auth_tag.data, array_size(auth_tag.data) });`
LibCrypto: Implement GCM mode 2020-11-11 13:17:23 +03:30
			`auto test_consistency = [&] {`
LibCrypto: Use AK::timing_safe_compare to validate sensitive data Addresses one FIXME in GCM, and another similar issue in EMSA_PSS. We should be using constant time memory comparisons in all of our crypto code. 2022-03-12 22:06:46 -08:00			`if (block0.block_size() != tag.size() \|\| !timing_safe_compare(block0.bytes().data(), tag.data(), tag.size()))`
LibCrypto: Implement GCM mode 2020-11-11 13:17:23 +03:30			`return VerificationConsistency::Inconsistent;`

			`return VerificationConsistency::Consistent;`
			`};`

			`if (in.is_empty()) {`
			`out = {};`
			`return test_consistency();`
			`}`

			`CTR<T>::encrypt(in, out, iv);`
			`return test_consistency();`
			`}`

			`private:`
			`static constexpr auto block_size = T::BlockType::BlockSizeInBits / 8;`
			`u8 m_auth_key_storage[block_size];`
			`Bytes m_auth_key { m_auth_key_storage, block_size };`
LibCrypto: Make GCM movable 2021-05-18 22:57:07 +02:00			`Optional<Authentication::GHash> m_ghash;`
LibCrypto: Implement GCM mode 2020-11-11 13:17:23 +03:30			`};`

			`}`