<?php
namespace Aws\Crypto\Polyfill;
/**
* Class Gmac
*
* @package Aws\Crypto\Polyfill
*/
class Gmac
{
use NeedsTrait;
const BLOCK_SIZE = 16;
/** @var ByteArray $buf */
protected $buf;
/** @var int $bufLength */
protected $bufLength = 0;
/** @var ByteArray $h */
protected $h;
/** @var ByteArray $hf */
protected $hf;
/** @var Key $key */
protected $key;
/** @var ByteArray $x */
protected $x;
/**
* Gmac constructor.
*
* @param Key $aesKey
* @param string $nonce
* @param int $keySize
*/
public function __construct(Key $aesKey, $nonce, $keySize = 256)
{
$this->buf = new ByteArray(16);
$this->h = new ByteArray(
\openssl_encrypt(
\str_repeat("\0", 16),
"aes-{$keySize}-ecb",
$aesKey->get(),
OPENSSL_RAW_DATA | OPENSSL_NO_PADDING
)
);
$this->key = $aesKey;
$this->x = new ByteArray(16);
$this->hf = new ByteArray(
\openssl_encrypt(
$nonce,
"aes-{$keySize}-ecb",
$aesKey->get(),
OPENSSL_RAW_DATA | OPENSSL_NO_PADDING
)
);
}
/**
* Update the object with some data.
*
* This method mutates this Gmac object.
*
* @param ByteArray $blocks
* @return self
*/
public function update(ByteArray $blocks)
{
if (($blocks->count() + $this->bufLength) < self::BLOCK_SIZE) {
// Write to internal buffer until we reach enough to write.
$this->buf->set($blocks, $this->bufLength);
$this->bufLength += $blocks->count();
return $this;
}
// Process internal buffer first.
if ($this->bufLength > 0) {
// 0 <= state.buf_len < BLOCK_SIZE is an invariant
$tmp = new ByteArray(self::BLOCK_SIZE);
$tmp->set($this->buf->slice(0, $this->bufLength));
$remainingBlockLength = self::BLOCK_SIZE - $this->bufLength;
$tmp->set($blocks->slice(0, $remainingBlockLength), $this->bufLength);
$blocks = $blocks->slice($remainingBlockLength);
$this->bufLength = 0;
$this->x = $this->blockMultiply($this->x->exclusiveOr($tmp), $this->h);
}
// Process full blocks.
$numBlocks = $blocks->count() >> 4;
for ($i = 0; $i < $numBlocks; ++$i) {
$tmp = $blocks->slice($i << 4, self::BLOCK_SIZE);
$this->x = $this->blockMultiply($this->x->exclusiveOr($tmp), $this->h);
}
$last = $numBlocks << 4;
// Zero-fill buffer
for ($i = 0; $i < 16; ++$i) {
$this->buf[$i] = 0;
}
// Feed leftover into buffer.
if ($last < $blocks->count()) {
$tmp = $blocks->slice($last);
$this->buf->set($tmp);
$this->bufLength += ($blocks->count() - $last);
}
return $this;
}
/**
* Finish processing the authentication tag.
*
* This method mutates this Gmac object (effectively resetting it).
*
* @param int $aadLength
* @param int $ciphertextLength
* @return ByteArray
*/
public function finish($aadLength, $ciphertextLength)
{
$lengthBlock = new ByteArray(16);
$state = $this->flush();
// AES-GCM expects bit lengths, not byte lengths.
$lengthBlock->set(ByteArray::enc32be($aadLength >> 29), 0);
$lengthBlock->set(ByteArray::enc32be($aadLength << 3), 4);
$lengthBlock->set(ByteArray::enc32be($ciphertextLength >> 29), 8);
$lengthBlock->set(ByteArray::enc32be($ciphertextLength << 3), 12);
$state->update($lengthBlock);
$output = $state->x->exclusiveOr($state->hf);
// Zeroize the internal values as a best-effort.
$state->buf->zeroize();
$state->x->zeroize();
$state->h->zeroize();
$state->hf->zeroize();
return $output;
}
/**
* Get a specific bit from the provided array, at the given index.
*
* [01234567], 8+[01234567], 16+[01234567], ...
*
* @param ByteArray $x
* @param int $i
* @return int
*/
protected function bit(ByteArray $x, $i)
{
$byte = $i >> 3;
return ($x[$byte] >> ((7 - $i) & 7)) & 1;
}
/**
* Galois Field Multiplication
*
* This function is the critical path that must be constant-time in order to
* avoid timing side-channels against AES-GCM.
*
* The contents of each are always calculated, regardless of the branching
* condition, to prevent another kind of timing leak.
*
* @param ByteArray $x
* @param ByteArray $y
* @return ByteArray
*/
protected function blockMultiply(ByteArray $x, ByteArray $y)
{
static $fieldPolynomial = null;
if (!$fieldPolynomial) {
$fieldPolynomial = new ByteArray([
0xe1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
]);
}
self::needs($x->count() === 16, 'Argument 1 must be a ByteArray of exactly 16 bytes');
self::needs($y->count() === 16, 'Argument 2 must be a ByteArray of exactly 16 bytes');
$v = clone $y;
$z = new ByteArray(16);
for ($i = 0; $i < 128; ++$i) {
// if ($b) $z = $z->exclusiveOr($v);
$b = $this->bit($x, $i);
$z = ByteArray::select(
$b,
$z->exclusiveOr($v),
$z
);
// if ($b) $v = $v->exclusiveOr($fieldPolynomial);
$b = $v[15] & 1;
$v = $v->rshift();
$v = ByteArray::select(
$b,
$v->exclusiveOr($fieldPolynomial),
$v
);
}
return $z;
}
/**
* Finish processing any leftover bytes in the internal buffer.
*
* @return self
*/
public function flush()
{
if ($this->bufLength !== 0) {
$this->x = $this->blockMultiply(
$this->x->exclusiveOr($this->buf),
$this->h
);
$this->bufLength = 0;
}
return $this;
}
}