This repository has been archived by the owner on Apr 21, 2021. It is now read-only.
forked from ekr/minq
-
Notifications
You must be signed in to change notification settings - Fork 0
/
aead.go
117 lines (98 loc) · 2.88 KB
/
aead.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
package minq
import (
"bytes"
"crypto/aes"
"crypto/cipher"
"fmt"
"hash/fnv"
)
// Definition for AEAD using 64-bit FNV-1a
type aeadFNV struct {
}
func (a *aeadFNV) NonceSize() int {
return 12
}
func (a *aeadFNV) Overhead() int {
return 8
}
func (a *aeadFNV) Seal(dst []byte, nonce []byte, plaintext []byte, aad []byte) []byte {
logf(logTypeAead, "FNV protecting aad len=%d, plaintext len=%d", len(aad), len(plaintext))
logf(logTypeTrace, "FNV input %x %x", aad, plaintext)
h := fnv.New64a()
h.Write(aad)
h.Write(plaintext)
res := encodeArgs(plaintext, h.Sum64())
dst = append(dst, res...)
logf(logTypeAead, "FNV ciphertext length=%d", len(dst))
return dst
}
func (a *aeadFNV) Open(dst []byte, nonce []byte, ciphertext []byte, aad []byte) ([]byte, error) {
logf(logTypeAead, "FNV unprotecting aad len=%d, ciphertext len=%d", len(aad), len(ciphertext))
if len(ciphertext) < 8 {
return nil, fmt.Errorf("Data too short to contain authentication tag")
}
pt := ciphertext[:len(ciphertext)-8]
at := ciphertext[len(ciphertext)-8:]
h := fnv.New64a()
h.Write(aad)
h.Write(pt)
at2 := encodeArgs(h.Sum64())
if !bytes.Equal(at, at2) {
return nil, fmt.Errorf("Invalid authentication tag")
}
dst = append(dst, pt...)
logf(logTypeAead, "FNV plaintext length=%d", len(dst))
return pt, nil
}
// aeadWrapper contains an existing AEAD object and does the
// QUIC nonce masking.
type aeadWrapper struct {
iv []byte
cipher cipher.AEAD
}
func (a *aeadWrapper) NonceSize() int {
return a.cipher.NonceSize()
}
func (a *aeadWrapper) Overhead() int {
return a.cipher.Overhead()
}
func (a *aeadWrapper) fmtNonce(in []byte) []byte {
// The input nonce is actually a packet number.
assert(len(in) == 8)
assert(a.NonceSize() == 12)
assert(len(a.iv) == a.NonceSize())
nonce := make([]byte, a.NonceSize())
copy(nonce[len(nonce)-len(in):], in)
for i, b := range a.iv {
nonce[i] ^= b
}
return nonce
}
func (a *aeadWrapper) Seal(dst []byte, nonce []byte, plaintext []byte, aad []byte) []byte {
logf(logTypeAead, "AES protecting aad len=%d, plaintext len=%d", len(aad), len(plaintext))
logf(logTypeTrace, "AES input %x %x", aad, plaintext)
ret := a.cipher.Seal(dst, a.fmtNonce(nonce), plaintext, aad)
logf(logTypeTrace, "AES output %x", ret)
return ret
}
func (a *aeadWrapper) Open(dst []byte, nonce []byte, ciphertext []byte, aad []byte) ([]byte, error) {
logf(logTypeAead, "AES unprotecting aad len=%d, ciphertext len=%d", len(aad), len(ciphertext))
logf(logTypeTrace, "AES input %x", ciphertext)
ret, err := a.cipher.Open(dst, a.fmtNonce(nonce), ciphertext, aad)
if err != nil {
return nil, err
}
logf(logTypeTrace, "AES output %x", ret)
return ret, err
}
func newWrappedAESGCM(key []byte, iv []byte) (cipher.AEAD, error) {
a, err := aes.NewCipher(key)
if err != nil {
return nil, err
}
aead, err := cipher.NewGCM(a)
if err != nil {
return nil, err
}
return &aeadWrapper{iv, aead}, nil
}