Page Menu
Home
c4science
Search
Configure Global Search
Log In
Files
F122151459
cipherModes.js
No One
Temporary
Actions
Download File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Subscribers
None
File Metadata
Details
File Info
Storage
Attached
Created
Wed, Jul 16, 04:46
Size
28 KB
Mime Type
text/x-Algol68
Expires
Fri, Jul 18, 04:46 (2 d)
Engine
blob
Format
Raw Data
Handle
27441466
Attached To
rOACCT Open Access Compliance Check Tool (OACCT)
cipherModes.js
View Options
/**
* Supported cipher modes.
*
* @author Dave Longley
*
* Copyright (c) 2010-2014 Digital Bazaar, Inc.
*/
var forge = require('./forge');
require('./util');
forge.cipher = forge.cipher || {};
// supported cipher modes
var modes = module.exports = forge.cipher.modes = forge.cipher.modes || {};
/** Electronic codebook (ECB) (Don't use this; it's not secure) **/
modes.ecb = function(options) {
options = options || {};
this.name = 'ECB';
this.cipher = options.cipher;
this.blockSize = options.blockSize || 16;
this._ints = this.blockSize / 4;
this._inBlock = new Array(this._ints);
this._outBlock = new Array(this._ints);
};
modes.ecb.prototype.start = function(options) {};
modes.ecb.prototype.encrypt = function(input, output, finish) {
// not enough input to encrypt
if(input.length() < this.blockSize && !(finish && input.length() > 0)) {
return true;
}
// get next block
for(var i = 0; i < this._ints; ++i) {
this._inBlock[i] = input.getInt32();
}
// encrypt block
this.cipher.encrypt(this._inBlock, this._outBlock);
// write output
for(var i = 0; i < this._ints; ++i) {
output.putInt32(this._outBlock[i]);
}
};
modes.ecb.prototype.decrypt = function(input, output, finish) {
// not enough input to decrypt
if(input.length() < this.blockSize && !(finish && input.length() > 0)) {
return true;
}
// get next block
for(var i = 0; i < this._ints; ++i) {
this._inBlock[i] = input.getInt32();
}
// decrypt block
this.cipher.decrypt(this._inBlock, this._outBlock);
// write output
for(var i = 0; i < this._ints; ++i) {
output.putInt32(this._outBlock[i]);
}
};
modes.ecb.prototype.pad = function(input, options) {
// add PKCS#7 padding to block (each pad byte is the
// value of the number of pad bytes)
var padding = (input.length() === this.blockSize ?
this.blockSize : (this.blockSize - input.length()));
input.fillWithByte(padding, padding);
return true;
};
modes.ecb.prototype.unpad = function(output, options) {
// check for error: input data not a multiple of blockSize
if(options.overflow > 0) {
return false;
}
// ensure padding byte count is valid
var len = output.length();
var count = output.at(len - 1);
if(count > (this.blockSize << 2)) {
return false;
}
// trim off padding bytes
output.truncate(count);
return true;
};
/** Cipher-block Chaining (CBC) **/
modes.cbc = function(options) {
options = options || {};
this.name = 'CBC';
this.cipher = options.cipher;
this.blockSize = options.blockSize || 16;
this._ints = this.blockSize / 4;
this._inBlock = new Array(this._ints);
this._outBlock = new Array(this._ints);
};
modes.cbc.prototype.start = function(options) {
// Note: legacy support for using IV residue (has security flaws)
// if IV is null, reuse block from previous processing
if(options.iv === null) {
// must have a previous block
if(!this._prev) {
throw new Error('Invalid IV parameter.');
}
this._iv = this._prev.slice(0);
} else if(!('iv' in options)) {
throw new Error('Invalid IV parameter.');
} else {
// save IV as "previous" block
this._iv = transformIV(options.iv, this.blockSize);
this._prev = this._iv.slice(0);
}
};
modes.cbc.prototype.encrypt = function(input, output, finish) {
// not enough input to encrypt
if(input.length() < this.blockSize && !(finish && input.length() > 0)) {
return true;
}
// get next block
// CBC XOR's IV (or previous block) with plaintext
for(var i = 0; i < this._ints; ++i) {
this._inBlock[i] = this._prev[i] ^ input.getInt32();
}
// encrypt block
this.cipher.encrypt(this._inBlock, this._outBlock);
// write output, save previous block
for(var i = 0; i < this._ints; ++i) {
output.putInt32(this._outBlock[i]);
}
this._prev = this._outBlock;
};
modes.cbc.prototype.decrypt = function(input, output, finish) {
// not enough input to decrypt
if(input.length() < this.blockSize && !(finish && input.length() > 0)) {
return true;
}
// get next block
for(var i = 0; i < this._ints; ++i) {
this._inBlock[i] = input.getInt32();
}
// decrypt block
this.cipher.decrypt(this._inBlock, this._outBlock);
// write output, save previous ciphered block
// CBC XOR's IV (or previous block) with ciphertext
for(var i = 0; i < this._ints; ++i) {
output.putInt32(this._prev[i] ^ this._outBlock[i]);
}
this._prev = this._inBlock.slice(0);
};
modes.cbc.prototype.pad = function(input, options) {
// add PKCS#7 padding to block (each pad byte is the
// value of the number of pad bytes)
var padding = (input.length() === this.blockSize ?
this.blockSize : (this.blockSize - input.length()));
input.fillWithByte(padding, padding);
return true;
};
modes.cbc.prototype.unpad = function(output, options) {
// check for error: input data not a multiple of blockSize
if(options.overflow > 0) {
return false;
}
// ensure padding byte count is valid
var len = output.length();
var count = output.at(len - 1);
if(count > (this.blockSize << 2)) {
return false;
}
// trim off padding bytes
output.truncate(count);
return true;
};
/** Cipher feedback (CFB) **/
modes.cfb = function(options) {
options = options || {};
this.name = 'CFB';
this.cipher = options.cipher;
this.blockSize = options.blockSize || 16;
this._ints = this.blockSize / 4;
this._inBlock = null;
this._outBlock = new Array(this._ints);
this._partialBlock = new Array(this._ints);
this._partialOutput = forge.util.createBuffer();
this._partialBytes = 0;
};
modes.cfb.prototype.start = function(options) {
if(!('iv' in options)) {
throw new Error('Invalid IV parameter.');
}
// use IV as first input
this._iv = transformIV(options.iv, this.blockSize);
this._inBlock = this._iv.slice(0);
this._partialBytes = 0;
};
modes.cfb.prototype.encrypt = function(input, output, finish) {
// not enough input to encrypt
var inputLength = input.length();
if(inputLength === 0) {
return true;
}
// encrypt block
this.cipher.encrypt(this._inBlock, this._outBlock);
// handle full block
if(this._partialBytes === 0 && inputLength >= this.blockSize) {
// XOR input with output, write input as output
for(var i = 0; i < this._ints; ++i) {
this._inBlock[i] = input.getInt32() ^ this._outBlock[i];
output.putInt32(this._inBlock[i]);
}
return;
}
// handle partial block
var partialBytes = (this.blockSize - inputLength) % this.blockSize;
if(partialBytes > 0) {
partialBytes = this.blockSize - partialBytes;
}
// XOR input with output, write input as partial output
this._partialOutput.clear();
for(var i = 0; i < this._ints; ++i) {
this._partialBlock[i] = input.getInt32() ^ this._outBlock[i];
this._partialOutput.putInt32(this._partialBlock[i]);
}
if(partialBytes > 0) {
// block still incomplete, restore input buffer
input.read -= this.blockSize;
} else {
// block complete, update input block
for(var i = 0; i < this._ints; ++i) {
this._inBlock[i] = this._partialBlock[i];
}
}
// skip any previous partial bytes
if(this._partialBytes > 0) {
this._partialOutput.getBytes(this._partialBytes);
}
if(partialBytes > 0 && !finish) {
output.putBytes(this._partialOutput.getBytes(
partialBytes - this._partialBytes));
this._partialBytes = partialBytes;
return true;
}
output.putBytes(this._partialOutput.getBytes(
inputLength - this._partialBytes));
this._partialBytes = 0;
};
modes.cfb.prototype.decrypt = function(input, output, finish) {
// not enough input to decrypt
var inputLength = input.length();
if(inputLength === 0) {
return true;
}
// encrypt block (CFB always uses encryption mode)
this.cipher.encrypt(this._inBlock, this._outBlock);
// handle full block
if(this._partialBytes === 0 && inputLength >= this.blockSize) {
// XOR input with output, write input as output
for(var i = 0; i < this._ints; ++i) {
this._inBlock[i] = input.getInt32();
output.putInt32(this._inBlock[i] ^ this._outBlock[i]);
}
return;
}
// handle partial block
var partialBytes = (this.blockSize - inputLength) % this.blockSize;
if(partialBytes > 0) {
partialBytes = this.blockSize - partialBytes;
}
// XOR input with output, write input as partial output
this._partialOutput.clear();
for(var i = 0; i < this._ints; ++i) {
this._partialBlock[i] = input.getInt32();
this._partialOutput.putInt32(this._partialBlock[i] ^ this._outBlock[i]);
}
if(partialBytes > 0) {
// block still incomplete, restore input buffer
input.read -= this.blockSize;
} else {
// block complete, update input block
for(var i = 0; i < this._ints; ++i) {
this._inBlock[i] = this._partialBlock[i];
}
}
// skip any previous partial bytes
if(this._partialBytes > 0) {
this._partialOutput.getBytes(this._partialBytes);
}
if(partialBytes > 0 && !finish) {
output.putBytes(this._partialOutput.getBytes(
partialBytes - this._partialBytes));
this._partialBytes = partialBytes;
return true;
}
output.putBytes(this._partialOutput.getBytes(
inputLength - this._partialBytes));
this._partialBytes = 0;
};
/** Output feedback (OFB) **/
modes.ofb = function(options) {
options = options || {};
this.name = 'OFB';
this.cipher = options.cipher;
this.blockSize = options.blockSize || 16;
this._ints = this.blockSize / 4;
this._inBlock = null;
this._outBlock = new Array(this._ints);
this._partialOutput = forge.util.createBuffer();
this._partialBytes = 0;
};
modes.ofb.prototype.start = function(options) {
if(!('iv' in options)) {
throw new Error('Invalid IV parameter.');
}
// use IV as first input
this._iv = transformIV(options.iv, this.blockSize);
this._inBlock = this._iv.slice(0);
this._partialBytes = 0;
};
modes.ofb.prototype.encrypt = function(input, output, finish) {
// not enough input to encrypt
var inputLength = input.length();
if(input.length() === 0) {
return true;
}
// encrypt block (OFB always uses encryption mode)
this.cipher.encrypt(this._inBlock, this._outBlock);
// handle full block
if(this._partialBytes === 0 && inputLength >= this.blockSize) {
// XOR input with output and update next input
for(var i = 0; i < this._ints; ++i) {
output.putInt32(input.getInt32() ^ this._outBlock[i]);
this._inBlock[i] = this._outBlock[i];
}
return;
}
// handle partial block
var partialBytes = (this.blockSize - inputLength) % this.blockSize;
if(partialBytes > 0) {
partialBytes = this.blockSize - partialBytes;
}
// XOR input with output
this._partialOutput.clear();
for(var i = 0; i < this._ints; ++i) {
this._partialOutput.putInt32(input.getInt32() ^ this._outBlock[i]);
}
if(partialBytes > 0) {
// block still incomplete, restore input buffer
input.read -= this.blockSize;
} else {
// block complete, update input block
for(var i = 0; i < this._ints; ++i) {
this._inBlock[i] = this._outBlock[i];
}
}
// skip any previous partial bytes
if(this._partialBytes > 0) {
this._partialOutput.getBytes(this._partialBytes);
}
if(partialBytes > 0 && !finish) {
output.putBytes(this._partialOutput.getBytes(
partialBytes - this._partialBytes));
this._partialBytes = partialBytes;
return true;
}
output.putBytes(this._partialOutput.getBytes(
inputLength - this._partialBytes));
this._partialBytes = 0;
};
modes.ofb.prototype.decrypt = modes.ofb.prototype.encrypt;
/** Counter (CTR) **/
modes.ctr = function(options) {
options = options || {};
this.name = 'CTR';
this.cipher = options.cipher;
this.blockSize = options.blockSize || 16;
this._ints = this.blockSize / 4;
this._inBlock = null;
this._outBlock = new Array(this._ints);
this._partialOutput = forge.util.createBuffer();
this._partialBytes = 0;
};
modes.ctr.prototype.start = function(options) {
if(!('iv' in options)) {
throw new Error('Invalid IV parameter.');
}
// use IV as first input
this._iv = transformIV(options.iv, this.blockSize);
this._inBlock = this._iv.slice(0);
this._partialBytes = 0;
};
modes.ctr.prototype.encrypt = function(input, output, finish) {
// not enough input to encrypt
var inputLength = input.length();
if(inputLength === 0) {
return true;
}
// encrypt block (CTR always uses encryption mode)
this.cipher.encrypt(this._inBlock, this._outBlock);
// handle full block
if(this._partialBytes === 0 && inputLength >= this.blockSize) {
// XOR input with output
for(var i = 0; i < this._ints; ++i) {
output.putInt32(input.getInt32() ^ this._outBlock[i]);
}
} else {
// handle partial block
var partialBytes = (this.blockSize - inputLength) % this.blockSize;
if(partialBytes > 0) {
partialBytes = this.blockSize - partialBytes;
}
// XOR input with output
this._partialOutput.clear();
for(var i = 0; i < this._ints; ++i) {
this._partialOutput.putInt32(input.getInt32() ^ this._outBlock[i]);
}
if(partialBytes > 0) {
// block still incomplete, restore input buffer
input.read -= this.blockSize;
}
// skip any previous partial bytes
if(this._partialBytes > 0) {
this._partialOutput.getBytes(this._partialBytes);
}
if(partialBytes > 0 && !finish) {
output.putBytes(this._partialOutput.getBytes(
partialBytes - this._partialBytes));
this._partialBytes = partialBytes;
return true;
}
output.putBytes(this._partialOutput.getBytes(
inputLength - this._partialBytes));
this._partialBytes = 0;
}
// block complete, increment counter (input block)
inc32(this._inBlock);
};
modes.ctr.prototype.decrypt = modes.ctr.prototype.encrypt;
/** Galois/Counter Mode (GCM) **/
modes.gcm = function(options) {
options = options || {};
this.name = 'GCM';
this.cipher = options.cipher;
this.blockSize = options.blockSize || 16;
this._ints = this.blockSize / 4;
this._inBlock = new Array(this._ints);
this._outBlock = new Array(this._ints);
this._partialOutput = forge.util.createBuffer();
this._partialBytes = 0;
// R is actually this value concatenated with 120 more zero bits, but
// we only XOR against R so the other zeros have no effect -- we just
// apply this value to the first integer in a block
this._R = 0xE1000000;
};
modes.gcm.prototype.start = function(options) {
if(!('iv' in options)) {
throw new Error('Invalid IV parameter.');
}
// ensure IV is a byte buffer
var iv = forge.util.createBuffer(options.iv);
// no ciphered data processed yet
this._cipherLength = 0;
// default additional data is none
var additionalData;
if('additionalData' in options) {
additionalData = forge.util.createBuffer(options.additionalData);
} else {
additionalData = forge.util.createBuffer();
}
// default tag length is 128 bits
if('tagLength' in options) {
this._tagLength = options.tagLength;
} else {
this._tagLength = 128;
}
// if tag is given, ensure tag matches tag length
this._tag = null;
if(options.decrypt) {
// save tag to check later
this._tag = forge.util.createBuffer(options.tag).getBytes();
if(this._tag.length !== (this._tagLength / 8)) {
throw new Error('Authentication tag does not match tag length.');
}
}
// create tmp storage for hash calculation
this._hashBlock = new Array(this._ints);
// no tag generated yet
this.tag = null;
// generate hash subkey
// (apply block cipher to "zero" block)
this._hashSubkey = new Array(this._ints);
this.cipher.encrypt([0, 0, 0, 0], this._hashSubkey);
// generate table M
// use 4-bit tables (32 component decomposition of a 16 byte value)
// 8-bit tables take more space and are known to have security
// vulnerabilities (in native implementations)
this.componentBits = 4;
this._m = this.generateHashTable(this._hashSubkey, this.componentBits);
// Note: support IV length different from 96 bits? (only supporting
// 96 bits is recommended by NIST SP-800-38D)
// generate J_0
var ivLength = iv.length();
if(ivLength === 12) {
// 96-bit IV
this._j0 = [iv.getInt32(), iv.getInt32(), iv.getInt32(), 1];
} else {
// IV is NOT 96-bits
this._j0 = [0, 0, 0, 0];
while(iv.length() > 0) {
this._j0 = this.ghash(
this._hashSubkey, this._j0,
[iv.getInt32(), iv.getInt32(), iv.getInt32(), iv.getInt32()]);
}
this._j0 = this.ghash(
this._hashSubkey, this._j0, [0, 0].concat(from64To32(ivLength * 8)));
}
// generate ICB (initial counter block)
this._inBlock = this._j0.slice(0);
inc32(this._inBlock);
this._partialBytes = 0;
// consume authentication data
additionalData = forge.util.createBuffer(additionalData);
// save additional data length as a BE 64-bit number
this._aDataLength = from64To32(additionalData.length() * 8);
// pad additional data to 128 bit (16 byte) block size
var overflow = additionalData.length() % this.blockSize;
if(overflow) {
additionalData.fillWithByte(0, this.blockSize - overflow);
}
this._s = [0, 0, 0, 0];
while(additionalData.length() > 0) {
this._s = this.ghash(this._hashSubkey, this._s, [
additionalData.getInt32(),
additionalData.getInt32(),
additionalData.getInt32(),
additionalData.getInt32()
]);
}
};
modes.gcm.prototype.encrypt = function(input, output, finish) {
// not enough input to encrypt
var inputLength = input.length();
if(inputLength === 0) {
return true;
}
// encrypt block
this.cipher.encrypt(this._inBlock, this._outBlock);
// handle full block
if(this._partialBytes === 0 && inputLength >= this.blockSize) {
// XOR input with output
for(var i = 0; i < this._ints; ++i) {
output.putInt32(this._outBlock[i] ^= input.getInt32());
}
this._cipherLength += this.blockSize;
} else {
// handle partial block
var partialBytes = (this.blockSize - inputLength) % this.blockSize;
if(partialBytes > 0) {
partialBytes = this.blockSize - partialBytes;
}
// XOR input with output
this._partialOutput.clear();
for(var i = 0; i < this._ints; ++i) {
this._partialOutput.putInt32(input.getInt32() ^ this._outBlock[i]);
}
if(partialBytes <= 0 || finish) {
// handle overflow prior to hashing
if(finish) {
// get block overflow
var overflow = inputLength % this.blockSize;
this._cipherLength += overflow;
// truncate for hash function
this._partialOutput.truncate(this.blockSize - overflow);
} else {
this._cipherLength += this.blockSize;
}
// get output block for hashing
for(var i = 0; i < this._ints; ++i) {
this._outBlock[i] = this._partialOutput.getInt32();
}
this._partialOutput.read -= this.blockSize;
}
// skip any previous partial bytes
if(this._partialBytes > 0) {
this._partialOutput.getBytes(this._partialBytes);
}
if(partialBytes > 0 && !finish) {
// block still incomplete, restore input buffer, get partial output,
// and return early
input.read -= this.blockSize;
output.putBytes(this._partialOutput.getBytes(
partialBytes - this._partialBytes));
this._partialBytes = partialBytes;
return true;
}
output.putBytes(this._partialOutput.getBytes(
inputLength - this._partialBytes));
this._partialBytes = 0;
}
// update hash block S
this._s = this.ghash(this._hashSubkey, this._s, this._outBlock);
// increment counter (input block)
inc32(this._inBlock);
};
modes.gcm.prototype.decrypt = function(input, output, finish) {
// not enough input to decrypt
var inputLength = input.length();
if(inputLength < this.blockSize && !(finish && inputLength > 0)) {
return true;
}
// encrypt block (GCM always uses encryption mode)
this.cipher.encrypt(this._inBlock, this._outBlock);
// increment counter (input block)
inc32(this._inBlock);
// update hash block S
this._hashBlock[0] = input.getInt32();
this._hashBlock[1] = input.getInt32();
this._hashBlock[2] = input.getInt32();
this._hashBlock[3] = input.getInt32();
this._s = this.ghash(this._hashSubkey, this._s, this._hashBlock);
// XOR hash input with output
for(var i = 0; i < this._ints; ++i) {
output.putInt32(this._outBlock[i] ^ this._hashBlock[i]);
}
// increment cipher data length
if(inputLength < this.blockSize) {
this._cipherLength += inputLength % this.blockSize;
} else {
this._cipherLength += this.blockSize;
}
};
modes.gcm.prototype.afterFinish = function(output, options) {
var rval = true;
// handle overflow
if(options.decrypt && options.overflow) {
output.truncate(this.blockSize - options.overflow);
}
// handle authentication tag
this.tag = forge.util.createBuffer();
// concatenate additional data length with cipher length
var lengths = this._aDataLength.concat(from64To32(this._cipherLength * 8));
// include lengths in hash
this._s = this.ghash(this._hashSubkey, this._s, lengths);
// do GCTR(J_0, S)
var tag = [];
this.cipher.encrypt(this._j0, tag);
for(var i = 0; i < this._ints; ++i) {
this.tag.putInt32(this._s[i] ^ tag[i]);
}
// trim tag to length
this.tag.truncate(this.tag.length() % (this._tagLength / 8));
// check authentication tag
if(options.decrypt && this.tag.bytes() !== this._tag) {
rval = false;
}
return rval;
};
/**
* See NIST SP-800-38D 6.3 (Algorithm 1). This function performs Galois
* field multiplication. The field, GF(2^128), is defined by the polynomial:
*
* x^128 + x^7 + x^2 + x + 1
*
* Which is represented in little-endian binary form as: 11100001 (0xe1). When
* the value of a coefficient is 1, a bit is set. The value R, is the
* concatenation of this value and 120 zero bits, yielding a 128-bit value
* which matches the block size.
*
* This function will multiply two elements (vectors of bytes), X and Y, in
* the field GF(2^128). The result is initialized to zero. For each bit of
* X (out of 128), x_i, if x_i is set, then the result is multiplied (XOR'd)
* by the current value of Y. For each bit, the value of Y will be raised by
* a power of x (multiplied by the polynomial x). This can be achieved by
* shifting Y once to the right. If the current value of Y, prior to being
* multiplied by x, has 0 as its LSB, then it is a 127th degree polynomial.
* Otherwise, we must divide by R after shifting to find the remainder.
*
* @param x the first block to multiply by the second.
* @param y the second block to multiply by the first.
*
* @return the block result of the multiplication.
*/
modes.gcm.prototype.multiply = function(x, y) {
var z_i = [0, 0, 0, 0];
var v_i = y.slice(0);
// calculate Z_128 (block has 128 bits)
for(var i = 0; i < 128; ++i) {
// if x_i is 0, Z_{i+1} = Z_i (unchanged)
// else Z_{i+1} = Z_i ^ V_i
// get x_i by finding 32-bit int position, then left shift 1 by remainder
var x_i = x[(i / 32) | 0] & (1 << (31 - i % 32));
if(x_i) {
z_i[0] ^= v_i[0];
z_i[1] ^= v_i[1];
z_i[2] ^= v_i[2];
z_i[3] ^= v_i[3];
}
// if LSB(V_i) is 1, V_i = V_i >> 1
// else V_i = (V_i >> 1) ^ R
this.pow(v_i, v_i);
}
return z_i;
};
modes.gcm.prototype.pow = function(x, out) {
// if LSB(x) is 1, x = x >>> 1
// else x = (x >>> 1) ^ R
var lsb = x[3] & 1;
// always do x >>> 1:
// starting with the rightmost integer, shift each integer to the right
// one bit, pulling in the bit from the integer to the left as its top
// most bit (do this for the last 3 integers)
for(var i = 3; i > 0; --i) {
out[i] = (x[i] >>> 1) | ((x[i - 1] & 1) << 31);
}
// shift the first integer normally
out[0] = x[0] >>> 1;
// if lsb was not set, then polynomial had a degree of 127 and doesn't
// need to divided; otherwise, XOR with R to find the remainder; we only
// need to XOR the first integer since R technically ends w/120 zero bits
if(lsb) {
out[0] ^= this._R;
}
};
modes.gcm.prototype.tableMultiply = function(x) {
// assumes 4-bit tables are used
var z = [0, 0, 0, 0];
for(var i = 0; i < 32; ++i) {
var idx = (i / 8) | 0;
var x_i = (x[idx] >>> ((7 - (i % 8)) * 4)) & 0xF;
var ah = this._m[i][x_i];
z[0] ^= ah[0];
z[1] ^= ah[1];
z[2] ^= ah[2];
z[3] ^= ah[3];
}
return z;
};
/**
* A continuing version of the GHASH algorithm that operates on a single
* block. The hash block, last hash value (Ym) and the new block to hash
* are given.
*
* @param h the hash block.
* @param y the previous value for Ym, use [0, 0, 0, 0] for a new hash.
* @param x the block to hash.
*
* @return the hashed value (Ym).
*/
modes.gcm.prototype.ghash = function(h, y, x) {
y[0] ^= x[0];
y[1] ^= x[1];
y[2] ^= x[2];
y[3] ^= x[3];
return this.tableMultiply(y);
//return this.multiply(y, h);
};
/**
* Precomputes a table for multiplying against the hash subkey. This
* mechanism provides a substantial speed increase over multiplication
* performed without a table. The table-based multiplication this table is
* for solves X * H by multiplying each component of X by H and then
* composing the results together using XOR.
*
* This function can be used to generate tables with different bit sizes
* for the components, however, this implementation assumes there are
* 32 components of X (which is a 16 byte vector), therefore each component
* takes 4-bits (so the table is constructed with bits=4).
*
* @param h the hash subkey.
* @param bits the bit size for a component.
*/
modes.gcm.prototype.generateHashTable = function(h, bits) {
// TODO: There are further optimizations that would use only the
// first table M_0 (or some variant) along with a remainder table;
// this can be explored in the future
var multiplier = 8 / bits;
var perInt = 4 * multiplier;
var size = 16 * multiplier;
var m = new Array(size);
for(var i = 0; i < size; ++i) {
var tmp = [0, 0, 0, 0];
var idx = (i / perInt) | 0;
var shft = ((perInt - 1 - (i % perInt)) * bits);
tmp[idx] = (1 << (bits - 1)) << shft;
m[i] = this.generateSubHashTable(this.multiply(tmp, h), bits);
}
return m;
};
/**
* Generates a table for multiplying against the hash subkey for one
* particular component (out of all possible component values).
*
* @param mid the pre-multiplied value for the middle key of the table.
* @param bits the bit size for a component.
*/
modes.gcm.prototype.generateSubHashTable = function(mid, bits) {
// compute the table quickly by minimizing the number of
// POW operations -- they only need to be performed for powers of 2,
// all other entries can be composed from those powers using XOR
var size = 1 << bits;
var half = size >>> 1;
var m = new Array(size);
m[half] = mid.slice(0);
var i = half >>> 1;
while(i > 0) {
// raise m0[2 * i] and store in m0[i]
this.pow(m[2 * i], m[i] = []);
i >>= 1;
}
i = 2;
while(i < half) {
for(var j = 1; j < i; ++j) {
var m_i = m[i];
var m_j = m[j];
m[i + j] = [
m_i[0] ^ m_j[0],
m_i[1] ^ m_j[1],
m_i[2] ^ m_j[2],
m_i[3] ^ m_j[3]
];
}
i *= 2;
}
m[0] = [0, 0, 0, 0];
/* Note: We could avoid storing these by doing composition during multiply
calculate top half using composition by speed is preferred. */
for(i = half + 1; i < size; ++i) {
var c = m[i ^ half];
m[i] = [mid[0] ^ c[0], mid[1] ^ c[1], mid[2] ^ c[2], mid[3] ^ c[3]];
}
return m;
};
/** Utility functions */
function transformIV(iv, blockSize) {
if(typeof iv === 'string') {
// convert iv string into byte buffer
iv = forge.util.createBuffer(iv);
}
if(forge.util.isArray(iv) && iv.length > 4) {
// convert iv byte array into byte buffer
var tmp = iv;
iv = forge.util.createBuffer();
for(var i = 0; i < tmp.length; ++i) {
iv.putByte(tmp[i]);
}
}
if(iv.length() < blockSize) {
throw new Error(
'Invalid IV length; got ' + iv.length() +
' bytes and expected ' + blockSize + ' bytes.');
}
if(!forge.util.isArray(iv)) {
// convert iv byte buffer into 32-bit integer array
var ints = [];
var blocks = blockSize / 4;
for(var i = 0; i < blocks; ++i) {
ints.push(iv.getInt32());
}
iv = ints;
}
return iv;
}
function inc32(block) {
// increment last 32 bits of block only
block[block.length - 1] = (block[block.length - 1] + 1) & 0xFFFFFFFF;
}
function from64To32(num) {
// convert 64-bit number to two BE Int32s
return [(num / 0x100000000) | 0, num & 0xFFFFFFFF];
}
Event Timeline
Log In to Comment