From: Russ Cox Date: Tue, 19 May 2009 21:58:49 +0000 (-0700) Subject: Xor-based crypto modes: OFB and CTR stream encryption. X-Git-Tag: weekly.2009-11-06~1603 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=20ea881c7909bb3a1f93b2b023a5b970d9c267cb;p=gostls13.git Xor-based crypto modes: OFB and CTR stream encryption. R=r DELTA=643 (643 added, 0 deleted, 0 changed) OCL=29017 CL=29047 --- diff --git a/src/lib/crypto/block/ctr.go b/src/lib/crypto/block/ctr.go new file mode 100644 index 0000000000..98fd193922 --- /dev/null +++ b/src/lib/crypto/block/ctr.go @@ -0,0 +1,69 @@ +// Copyright 2009 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Counter (CTR) mode. + +// CTR converts a block cipher into a stream cipher by +// repeatedly encrypting an incrementing counter and +// xoring the resulting stream of data with the input. + +// See NIST SP 800-38A, pp 13-15 + +package block + +import ( + "crypto/block"; + "io"; +) + +type ctrStream struct { + c Cipher; + ctr []byte; + out []byte; +} + +func newCTRStream(c Cipher, ctr []byte) *ctrStream { + x := new(ctrStream); + x.c = c; + x.ctr = copy(ctr); + x.out = make([]byte, len(ctr)); + return x; +} + +func (x *ctrStream) Next() []byte { + // Next block is encryption of counter. + x.c.Encrypt(x.ctr, x.out); + + // Increment counter + for i := len(x.ctr) - 1; i >= 0; i-- { + x.ctr[i]++; + if x.ctr[i] != 0 { + break; + } + } + + return x.out; +} + +// NewCTRReader returns a reader that reads data from r, decrypts (or encrypts) +// it using c in counter (CTR) mode with the initialization vector iv. +// The returned Reader does not buffer and has no block size. +// In CTR mode, encryption and decryption are the same operation: +// a CTR reader applied to an encrypted stream produces a decrypted +// stream and vice versa. +func NewCTRReader(c Cipher, iv []byte, r io.Reader) io.Reader { + return NewXorReader(newCTRStream(c, iv), r); +} + +// NewCTRWriter returns a writer that encrypts (or decrypts) data using c +// in counter (CTR) mode with the initialization vector iv +// and writes the encrypted data to w. +// The returned Writer does not buffer and has no block size. +// In CTR mode, encryption and decryption are the same operation: +// a CTR writer applied to an decrypted stream produces an encrypted +// stream and vice versa. +func NewCTRWriter(c Cipher, iv []byte, w io.Writer) io.Writer { + return NewXorWriter(newCTRStream(c, iv), w); +} + diff --git a/src/lib/crypto/block/ctr_aes_test.go b/src/lib/crypto/block/ctr_aes_test.go new file mode 100644 index 0000000000..a3da1b5bfd --- /dev/null +++ b/src/lib/crypto/block/ctr_aes_test.go @@ -0,0 +1,115 @@ +// Copyright 2009 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// CTR AES test vectors. + +// See U.S. National Institute of Standards and Technology (NIST) +// Special Publication 800-38A, ``Recommendation for Block Cipher +// Modes of Operation,'' 2001 Edition, pp. 55-58. + +package block + +import ( + "crypto/aes"; + "crypto/block"; + "io"; + "os"; + "testing"; + + "./ecb_aes_test"; +) + +type ctrTest struct { + name string; + key []byte; + iv []byte; + in []byte; + out []byte; +} + +var commonCounter = []byte { + 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff, +} + +var ctrAESTests = []ctrTest { + // NIST SP 800-38A pp 55-58 + ctrTest { + "CTR-AES128", + commonKey128, + commonCounter, + commonInput, + []byte { + 0x87, 0x4d, 0x61, 0x91, 0xb6, 0x20, 0xe3, 0x26, 0x1b, 0xef, 0x68, 0x64, 0x99, 0x0d, 0xb6, 0xce, + 0x98, 0x06, 0xf6, 0x6b, 0x79, 0x70, 0xfd, 0xff, 0x86, 0x17, 0x18, 0x7b, 0xb9, 0xff, 0xfd, 0xff, + 0x5a, 0xe4, 0xdf, 0x3e, 0xdb, 0xd5, 0xd3, 0x5e, 0x5b, 0x4f, 0x09, 0x02, 0x0d, 0xb0, 0x3e, 0xab, + 0x1e, 0x03, 0x1d, 0xda, 0x2f, 0xbe, 0x03, 0xd1, 0x79, 0x21, 0x70, 0xa0, 0xf3, 0x00, 0x9c, 0xee, + }, + }, + ctrTest { + "CTR-AES192", + commonKey192, + commonCounter, + commonInput, + []byte { + 0x1a, 0xbc, 0x93, 0x24, 0x17, 0x52, 0x1c, 0xa2, 0x4f, 0x2b, 0x04, 0x59, 0xfe, 0x7e, 0x6e, 0x0b, + 0x09, 0x03, 0x39, 0xec, 0x0a, 0xa6, 0xfa, 0xef, 0xd5, 0xcc, 0xc2, 0xc6, 0xf4, 0xce, 0x8e, 0x94, + 0x1e, 0x36, 0xb2, 0x6b, 0xd1, 0xeb, 0xc6, 0x70, 0xd1, 0xbd, 0x1d, 0x66, 0x56, 0x20, 0xab, 0xf7, + 0x4f, 0x78, 0xa7, 0xf6, 0xd2, 0x98, 0x09, 0x58, 0x5a, 0x97, 0xda, 0xec, 0x58, 0xc6, 0xb0, 0x50, + }, + }, + ctrTest { + "CTR-AES256", + commonKey256, + commonCounter, + commonInput, + []byte { + 0x60, 0x1e, 0xc3, 0x13, 0x77, 0x57, 0x89, 0xa5, 0xb7, 0xa7, 0xf5, 0x04, 0xbb, 0xf3, 0xd2, 0x28, + 0xf4, 0x43, 0xe3, 0xca, 0x4d, 0x62, 0xb5, 0x9a, 0xca, 0x84, 0xe9, 0x90, 0xca, 0xca, 0xf5, 0xc5, + 0x2b, 0x09, 0x30, 0xda, 0xa2, 0x3d, 0xe9, 0x4c, 0xe8, 0x70, 0x17, 0xba, 0x2d, 0x84, 0x98, 0x8d, + 0xdf, 0xc9, 0xc5, 0x8d, 0xb6, 0x7a, 0xad, 0xa6, 0x13, 0xc2, 0xdd, 0x08, 0x45, 0x79, 0x41, 0xa6, + } + }, +} + +func TestCTR_AES(t *testing.T) { + for i, tt := range ctrAESTests { + test := tt.name; + + c, err := aes.NewCipher(tt.key); + if err != nil { + t.Errorf("%s: NewCipher(%d bytes) = %s", test, len(tt.key), err); + continue; + } + + for j := 0; j <= 5; j += 5 { + var crypt io.ByteBuffer; + in := tt.in[0:len(tt.in) - j]; + w := block.NewCTRWriter(c, tt.iv, &crypt); + var r io.Reader = io.NewByteReader(in); + n, err := io.Copy(r, w); + if n != int64(len(in)) || err != nil { + t.Errorf("%s/%d: CTRWriter io.Copy = %d, %v want %d, nil", test, len(in), n, err, len(in)); + } else if d, out := crypt.Data(), tt.out[0:len(in)]; !same(out, d) { + t.Errorf("%s/%d: CTRWriter\ninpt %x\nhave %x\nwant %x", test, len(in), in, d, out); + } + } + + for j := 0; j <= 7; j += 7 { + var plain io.ByteBuffer; + out := tt.out[0:len(tt.out) - j]; + r := block.NewCTRReader(c, tt.iv, io.NewByteReader(out)); + w := &plain; + n, err := io.Copy(r, w); + if n != int64(len(out)) || err != nil { + t.Errorf("%s/%d: CTRReader io.Copy = %d, %v want %d, nil", test, len(out), n, err, len(out)); + } else if d, in := plain.Data(), tt.in[0:len(out)]; !same(in, d) { + t.Errorf("%s/%d: CTRReader\nhave %x\nwant %x", test, len(out), d, in); + } + } + + if t.Failed() { + break; + } + } +} diff --git a/src/lib/crypto/block/ofb.go b/src/lib/crypto/block/ofb.go new file mode 100644 index 0000000000..10f9a77371 --- /dev/null +++ b/src/lib/crypto/block/ofb.go @@ -0,0 +1,61 @@ +// Copyright 2009 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Output feedback (OFB) mode. + +// OFB converts a block cipher into a stream cipher by +// repeatedly encrypting an initialization vector and +// xoring the resulting stream of data with the input. + +// See NIST SP 800-38A, pp 13-15 + +package block + +import ( + "crypto/block"; + "io"; +) + +type ofbStream struct { + c Cipher; + iv []byte; +} + +func newOFBStream(c Cipher, iv []byte) *ofbStream { + x := new(ofbStream); + x.c = c; + n := len(iv); + if n != c.BlockSize() { + panicln("crypto/block: newOFBStream: invalid iv size", n, "!=", c.BlockSize()); + } + x.iv = copy(iv); + return x; +} + +func (x *ofbStream) Next() []byte { + x.c.Encrypt(x.iv, x.iv); + return x.iv; +} + +// NewOFBReader returns a reader that reads data from r, decrypts (or encrypts) +// it using c in output feedback (OFB) mode with the initialization vector iv. +// The returned Reader does not buffer and has no block size. +// In OFB mode, encryption and decryption are the same operation: +// an OFB reader applied to an encrypted stream produces a decrypted +// stream and vice versa. +func NewOFBReader(c Cipher, iv []byte, r io.Reader) io.Reader { + return NewXorReader(newOFBStream(c, iv), r); +} + +// NewOFBWriter returns a writer that encrypts (or decrypts) data using c +// in cipher feedback (OFB) mode with the initialization vector iv +// and writes the encrypted data to w. +// The returned Writer does not buffer and has no block size. +// In OFB mode, encryption and decryption are the same operation: +// an OFB writer applied to an decrypted stream produces an encrypted +// stream and vice versa. +func NewOFBWriter(c Cipher, iv []byte, w io.Writer) io.Writer { + return NewXorWriter(newOFBStream(c, iv), w); +} + diff --git a/src/lib/crypto/block/ofb_aes_test.go b/src/lib/crypto/block/ofb_aes_test.go new file mode 100644 index 0000000000..3f5f9f482e --- /dev/null +++ b/src/lib/crypto/block/ofb_aes_test.go @@ -0,0 +1,113 @@ +// Copyright 2009 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// OFB AES test vectors. + +// See U.S. National Institute of Standards and Technology (NIST) +// Special Publication 800-38A, ``Recommendation for Block Cipher +// Modes of Operation,'' 2001 Edition, pp. 52-55. + +package block + +// gotest: $GC ecb_aes_test.go + +import ( + "crypto/aes"; + "crypto/block"; + "io"; + "os"; + "testing"; + + "./ecb_aes_test"; +) + +type ofbTest struct { + name string; + key []byte; + iv []byte; + in []byte; + out []byte; +} + +var ofbAESTests = []ofbTest { + // NIST SP 800-38A pp 52-55 + ofbTest { + "OFB-AES128", + commonKey128, + commonIV, + commonInput, + []byte { + 0x3b, 0x3f, 0xd9, 0x2e, 0xb7, 0x2d, 0xad, 0x20, 0x33, 0x34, 0x49, 0xf8, 0xe8, 0x3c, 0xfb, 0x4a, + 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03, 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25, + 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6, 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc, + 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78, 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e, + }, + }, + ofbTest { + "OFB-AES192", + commonKey192, + commonIV, + commonInput, + []byte { + 0xcd, 0xc8, 0x0d, 0x6f, 0xdd, 0xf1, 0x8c, 0xab, 0x34, 0xc2, 0x59, 0x09, 0xc9, 0x9a, 0x41, 0x74, + 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c, 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01, + 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f, 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2, + 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e, 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a, + }, + }, + ofbTest { + "OFB-AES256", + commonKey256, + commonIV, + commonInput, + []byte { + 0xdc, 0x7e, 0x84, 0xbf, 0xda, 0x79, 0x16, 0x4b, 0x7e, 0xcd, 0x84, 0x86, 0x98, 0x5d, 0x38, 0x60, + 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a, 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d, + 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed, 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08, + 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8, 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84, + } + }, +} + +func TestOFB_AES(t *testing.T) { + for i, tt := range ofbAESTests { + test := tt.name; + + c, err := aes.NewCipher(tt.key); + if err != nil { + t.Errorf("%s: NewCipher(%d bytes) = %s", test, len(tt.key), err); + continue; + } + + for j := 0; j <= 5; j += 5 { + var crypt io.ByteBuffer; + in := tt.in[0:len(tt.in) - j]; + w := NewOFBWriter(c, tt.iv, &crypt); + var r io.Reader = io.NewByteReader(in); + n, err := io.Copy(r, w); + if n != int64(len(in)) || err != nil { + t.Errorf("%s/%d: OFBWriter io.Copy = %d, %v want %d, nil", test, len(in), n, err, len(in)); + } else if d, out := crypt.Data(), tt.out[0:len(in)]; !same(out, d) { + t.Errorf("%s/%d: OFBWriter\ninpt %x\nhave %x\nwant %x", test, len(in), in, d, out); + } + } + + for j := 0; j <= 7; j += 7 { + var plain io.ByteBuffer; + out := tt.out[0:len(tt.out) - j]; + r := NewOFBReader(c, tt.iv, io.NewByteReader(out)); + w := &plain; + n, err := io.Copy(r, w); + if n != int64(len(out)) || err != nil { + t.Errorf("%s/%d: OFBReader io.Copy = %d, %v want %d, nil", test, len(out), n, err, len(out)); + } else if d, in := plain.Data(), tt.in[0:len(out)]; !same(in, d) { + t.Errorf("%s/%d: OFBReader\nhave %x\nwant %x", test, len(out), d, in); + } + } + + if t.Failed() { + break; + } + } +} diff --git a/src/lib/crypto/block/xor.go b/src/lib/crypto/block/xor.go new file mode 100644 index 0000000000..35c1813844 --- /dev/null +++ b/src/lib/crypto/block/xor.go @@ -0,0 +1,122 @@ +// Copyright 2009 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Encrypt/decrypt data by xor with a pseudo-random data stream. + +package block + +import ( + "crypto/block"; + "io"; + "os"; +) + +type DataStream interface { + Next() []byte +} + +type xorReader struct { + r io.Reader; + rand DataStream; // pseudo-random + buf []byte; // data available from last call to rand +} + +func NewXorReader(rand DataStream, r io.Reader) io.Reader { + x := new(xorReader); + x.r = r; + x.rand = rand; + return x; +} + +func (x *xorReader) Read(p []byte) (n int, err os.Error) { + n, err = x.r.Read(p); + + // xor input with stream. + bp := 0; + buf := x.buf; + for i := 0; i < n; i++ { + if bp >= len(buf) { + buf = x.rand.Next(); + bp = 0; + } + p[i] ^= buf[bp]; + bp++; + } + x.buf = buf[bp:len(buf)]; + return n, err; +} + +type xorWriter struct { + w io.Writer; + rand DataStream; // pseudo-random + buf []byte; // last buffer returned by rand + extra []byte; // extra random data (use before buf) + work []byte; // work space +} + +func NewXorWriter(rand DataStream, w io.Writer) io.Writer { + x := new(xorWriter); + x.w = w; + x.rand = rand; + x.work = make([]byte, 4096); + return x; +} + +func (x *xorWriter) Write(p []byte) (n int, err os.Error) { + for len(p) > 0 { + // Determine next chunk of random data + // and xor with p into x.work. + var chunk []byte; + m := len(p); + if nn := len(x.extra); nn > 0 { + // extra points into work, so edit directly + if m > nn { + m = nn; + } + for i := 0; i < m; i++ { + x.extra[i] ^= p[i]; + } + chunk = x.extra[0:m]; + } else { + // xor p ^ buf into work, refreshing buf as needed + if nn := len(x.work); m > nn { + m = nn; + } + bp := 0; + buf := x.buf; + for i := 0; i < m; i++ { + if bp >= len(buf) { + buf = x.rand.Next(); + bp = 0; + } + x.work[i] = buf[bp] ^ p[i]; + bp++; + } + x.buf = buf[bp:len(buf)]; + chunk = x.work[0:m]; + } + + // Write chunk. + var nn int; + nn, err = x.w.Write(chunk); + if nn != len(chunk) && err == nil { + err = io.ErrShortWrite; + } + if nn < len(chunk) { + // Reconstruct the random bits from the unwritten + // data and save them for next time. + for i := nn; i < m; i++ { + chunk[i] ^= p[i]; + } + x.extra = chunk[nn:len(chunk)]; + } + n += nn; + if err != nil { + return; + } + p = p[m:len(p)]; + } + return; +} + diff --git a/src/lib/crypto/block/xor_test.go b/src/lib/crypto/block/xor_test.go new file mode 100644 index 0000000000..a2166f884c --- /dev/null +++ b/src/lib/crypto/block/xor_test.go @@ -0,0 +1,169 @@ +// Copyright 2009 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package block + +import ( + "crypto/block"; + "fmt"; + "io"; + "testing"; + "testing/iotest"; +) + +// Simple "pseudo-random" stream for testing. +type incStream struct { + buf []byte; + n byte; +} + +func newIncStream(blockSize int) *incStream { + x := new(incStream); + x.buf = make([]byte, blockSize); + return x; +} + +func (x *incStream) Next() []byte { + x.n++; + for i := range x.buf { + x.buf[i] = x.n; + x.n++; + } + return x.buf; +} + +func testXorWriter(t *testing.T, maxio int) { + var plain, crypt [256]byte; + for i := 0; i < len(plain); i++ { + plain[i] = byte(i); + } + b := new(io.ByteBuffer); + for block := 1; block <= 64 && block <= maxio; block *= 2 { + // compute encrypted version + n := byte(0); + for i := 0; i < len(crypt); i++ { + if i % block == 0 { + n++; + } + crypt[i] = plain[i] ^ n; + n++; + } + + for frag := 0; frag < 2; frag++ { + test := fmt.Sprintf("block=%d frag=%d maxio=%d", block, frag, maxio); + b.Reset(); + r := io.NewByteReader(&plain); + s := newIncStream(block); + w := NewXorWriter(s, b); + + // copy plain into w in increasingly large chunks: 1, 1, 2, 4, 8, ... + // if frag != 0, move the 1 to the end to cause fragmentation. + if frag == 0 { + nn, err := io.Copyn(r, w, 1); + if err != nil { + t.Errorf("%s: first Copyn: %s", test, err); + continue; + } + } + for n := 1; n <= len(plain)/2; n *= 2 { + nn, err := io.Copyn(r, w, int64(n)); + if err != nil { + t.Errorf("%s: Copyn %d: %s", test, n, err); + } + } + + // check output + crypt := crypt[0:len(crypt) - frag]; + data := b.Data(); + if len(data) != len(crypt) { + t.Errorf("%s: want %d bytes, got %d", test, len(crypt), len(data)); + continue; + } + + if string(data) != string(crypt) { + t.Errorf("%s: want %x got %x", test, data, crypt); + } + } + } +} + + +func TestXorWriter(t *testing.T) { + // Do shorter I/O sizes first; they're easier to debug. + for n := 1; n <= 256 && !t.Failed(); n *= 2 { + testXorWriter(t, n); + } +} + +func testXorReader(t *testing.T, maxio int) { + var readers = []func(io.Reader) io.Reader { + func (r io.Reader) io.Reader { return r }, + iotest.OneByteReader, + iotest.HalfReader, + }; + var plain, crypt [256]byte; + for i := 0; i < len(plain); i++ { + plain[i] = byte(255 - i); + } + b := new(io.ByteBuffer); + for block := 1; block <= 64 && block <= maxio; block *= 2 { + // compute encrypted version + n := byte(0); + for i := 0; i < len(crypt); i++ { + if i % block == 0 { + n++; + } + crypt[i] = plain[i] ^ n; + n++; + } + + for mode := 0; mode < len(readers); mode++ { + for frag := 0; frag < 2; frag++ { + test := fmt.Sprintf("block=%d mode=%d frag=%d maxio=%d", block, mode, frag, maxio); + s := newIncStream(block); + b.Reset(); + r := NewXorReader(s, readers[mode](io.NewByteReader(crypt[0:maxio]))); + + // read from crypt in increasingly large chunks: 1, 1, 2, 4, 8, ... + // if frag == 1, move the 1 to the end to cause fragmentation. + if frag == 0 { + nn, err := io.Copyn(r, b, 1); + if err != nil { + t.Errorf("%s: first Copyn: %s", test, err); + continue; + } + } + for n := 1; n <= maxio/2; n *= 2 { + nn, err := io.Copyn(r, b, int64(n)); + if err != nil { + t.Errorf("%s: Copyn %d: %s", test, n, err); + } + } + + // check output + data := b.Data(); + crypt := crypt[0:maxio - frag]; + plain := plain[0:maxio - frag]; + if len(data) != len(plain) { + t.Errorf("%s: want %d bytes, got %d", test, len(plain), len(data)); + continue; + } + + if string(data) != string(plain) { + t.Errorf("%s: input=%x want %x got %x", test, crypt, plain, data); + } + } + } + } +} + +func TestXorReader(t *testing.T) { + // Do shorter I/O sizes first; they're easier to debug. + for n := 1; n <= 256 && !t.Failed(); n *= 2 { + testXorReader(t, n); + } +} + +// TODO(rsc): Test handling of writes after write errors. +