Domů Procházet Nápověda
Registrovat se Přihlásit se
publics
/
aescts.v1
0
0
Rozštěpit 0
Soubory Úkoly 0 Pull Requesty 0 Wiki
Větev: master
Větve Značky
aescts.v1
/
aescts.go

aescts.go 6.1 KB
Trvalý odkaz Historie Surový

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186 
  1. // Package aescts provides AES CBC CipherText Stealing encryption and decryption methods
    2. 

  2. package aescts
    3. 

  3. 

  4. import (
    5. 

  5. 	"crypto/aes"
    6. 

  6. 	"crypto/cipher"
    7. 

  7. 	"errors"
    8. 

  8. 	"fmt"
    9. 

  9. )
    10. 

  10. 

  11. // Encrypt the message with the key and the initial vector.
    12. 

  12. // Returns: next iv, ciphertext bytes, error
    13. 

  13. func Encrypt(key, iv, plaintext []byte) ([]byte, []byte, error) {
    14. 

  14. 	l := len(plaintext)
    15. 

  15. 

  16. 	block, err := aes.NewCipher(key)
    17. 

  17. 	if err != nil {
    18. 

  18. 		return []byte{}, []byte{}, fmt.Errorf("Error creating cipher: %v", err)
    19. 

  19. 	}
    20. 

  20. 	mode := cipher.NewCBCEncrypter(block, iv)
    21. 

  21. 

  22. 	m := make([]byte, len(plaintext))
    23. 

  23. 	copy(m, plaintext)
    24. 

  24. 

  25. 	/*For consistency, ciphertext stealing is always used for the last two
    26. 

  26. 	blocks of the data to be encrypted, as in [RC5].  If the data length
    27. 

  27. 	is a multiple of the block size, this is equivalent to plain CBC mode
    28. 

  28. 	with the last two ciphertext blocks swapped.*/
    29. 

  29. 	/*The initial vector carried out from one encryption for use in a
    30. 

  30. 	subsequent encryption is the next-to-last block of the encryption
    31. 

  31. 	output; this is the encrypted form of the last plaintext block.*/
    32. 

  32. 	if l <= aes.BlockSize {
    33. 

  33. 		m, _ = zeroPad(m, aes.BlockSize)
    34. 

  34. 		mode.CryptBlocks(m, m)
    35. 

  35. 		return m, m, nil
    36. 

  36. 	}
    37. 

  37. 	if l%aes.BlockSize == 0 {
    38. 

  38. 		mode.CryptBlocks(m, m)
    39. 

  39. 		iv = m[len(m)-aes.BlockSize:]
    40. 

  40. 		rb, _ := swapLastTwoBlocks(m, aes.BlockSize)
    41. 

  41. 		return iv, rb, nil
    42. 

  42. 	}
    43. 

  43. 	m, _ = zeroPad(m, aes.BlockSize)
    44. 

  44. 	rb, pb, lb, err := tailBlocks(m, aes.BlockSize)
    45. 

  45. 	if err != nil {
    46. 

  46. 		return []byte{}, []byte{}, fmt.Errorf("Error tailing blocks: %v", err)
    47. 

  47. 	}
    48. 

  48. 	var ct []byte
    49. 

  49. 	if rb != nil {
    50. 

  50. 		// Encrpt all but the lats 2 blocks and update the rolling iv
    51. 

  51. 		mode.CryptBlocks(rb, rb)
    52. 

  52. 		iv = rb[len(rb)-aes.BlockSize:]
    53. 

  53. 		mode = cipher.NewCBCEncrypter(block, iv)
    54. 

  54. 		ct = append(ct, rb...)
    55. 

  55. 	}
    56. 

  56. 	mode.CryptBlocks(pb, pb)
    57. 

  57. 	mode = cipher.NewCBCEncrypter(block, pb)
    58. 

  58. 	mode.CryptBlocks(lb, lb)
    59. 

  59. 	// Cipher Text Stealing (CTS) - Ref: https://en.wikipedia.org/wiki/Ciphertext_stealing#CBC_ciphertext_stealing
    60. 

  60. 	// Swap the last two cipher blocks
    61. 

  61. 	// Truncate the ciphertext to the length of the original plaintext
    62. 

  62. 	ct = append(ct, lb...)
    63. 

  63. 	ct = append(ct, pb...)
    64. 

  64. 	return lb, ct[:l], nil
    65. 

  65. }
    66. 

  66. 

  67. // Decrypt the ciphertext with the key and the initial vector.
    68. 

  68. func Decrypt(key, iv, ciphertext []byte) ([]byte, error) {
    69. 

  69. 	// Copy the cipher text as golang slices even when passed by value to this method can result in the backing arrays of the calling code value being updated.
    70. 

  70. 	ct := make([]byte, len(ciphertext))
    71. 

  71. 	copy(ct, ciphertext)
    72. 

  72. 	if len(ct) < aes.BlockSize {
    73. 

  73. 		return []byte{}, fmt.Errorf("Ciphertext is not large enough. It is less that one block size. Blocksize:%v; Ciphertext:%v", aes.BlockSize, len(ct))
    74. 

  74. 	}
    75. 

  75. 	// Configure the CBC
    76. 

  76. 	block, err := aes.NewCipher(key)
    77. 

  77. 	if err != nil {
    78. 

  78. 		return nil, fmt.Errorf("Error creating cipher: %v", err)
    79. 

  79. 	}
    80. 

  80. 	var mode cipher.BlockMode
    81. 

  81. 

  82. 	//If ciphertext is multiple of blocksize we just need to swap back the last two blocks and then do CBC
    83. 

  83. 	//If the ciphertext is just one block we can't swap so we just decrypt
    84. 

  84. 	if len(ct)%aes.BlockSize == 0 {
    85. 

  85. 		if len(ct) > aes.BlockSize {
    86. 

  86. 			ct, _ = swapLastTwoBlocks(ct, aes.BlockSize)
    87. 

  87. 		}
    88. 

  88. 		mode = cipher.NewCBCDecrypter(block, iv)
    89. 

  89. 		message := make([]byte, len(ct))
    90. 

  90. 		mode.CryptBlocks(message, ct)
    91. 

  91. 		return message[:len(ct)], nil
    92. 

  92. 	}
    93. 

  93. 

  94. 	// Cipher Text Stealing (CTS) using CBC interface. Ref: https://en.wikipedia.org/wiki/Ciphertext_stealing#CBC_ciphertext_stealing
    95. 

  95. 	// Get ciphertext of the 2nd to last (penultimate) block (cpb), the last block (clb) and the rest (crb)
    96. 

  96. 	crb, cpb, clb, _ := tailBlocks(ct, aes.BlockSize)
    97. 

  97. 	v := make([]byte, len(iv), len(iv))
    98. 

  98. 	copy(v, iv)
    99. 

  99. 	var message []byte
    100. 

  100. 	if crb != nil {
    101. 

  101. 		//If there is more than just the last and the penultimate block we decrypt it and the last bloc of this becomes the iv for later
    102. 

  102. 		rb := make([]byte, len(crb))
    103. 

  103. 		mode = cipher.NewCBCDecrypter(block, v)
    104. 

  104. 		v = crb[len(crb)-aes.BlockSize:]
    105. 

  105. 		mode.CryptBlocks(rb, crb)
    106. 

  106. 		message = append(message, rb...)
    107. 

  107. 	}
    108. 

  108. 

  109. 	// We need to modify the cipher text
    110. 

  110. 	// Decryt the 2nd to last (penultimate) block with a the original iv
    111. 

  111. 	pb := make([]byte, aes.BlockSize)
    112. 

  112. 	mode = cipher.NewCBCDecrypter(block, iv)
    113. 

  113. 	mode.CryptBlocks(pb, cpb)
    114. 

  114. 	// number of byte needed to pad
    115. 

  115. 	npb := aes.BlockSize - len(ct)%aes.BlockSize
    116. 

  116. 	//pad last block using the number of bytes needed from the tail of the plaintext 2nd to last (penultimate) block
    117. 

  117. 	clb = append(clb, pb[len(pb)-npb:]...)
    118. 

  118. 

  119. 	// Now decrypt the last block in the penultimate position (iv will be from the crb, if the is no crb it's zeros)
    120. 

  120. 	// iv for the penultimate block decrypted in the last position becomes the modified last block
    121. 

  121. 	lb := make([]byte, aes.BlockSize)
    122. 

  122. 	mode = cipher.NewCBCDecrypter(block, v)
    123. 

  123. 	v = clb
    124. 

  124. 	mode.CryptBlocks(lb, clb)
    125. 

  125. 	message = append(message, lb...)
    126. 

  126. 

  127. 	// Now decrypt the penultimate block in the last position (iv will be from the modified last block)
    128. 

  128. 	mode = cipher.NewCBCDecrypter(block, v)
    129. 

  129. 	mode.CryptBlocks(cpb, cpb)
    130. 

  130. 	message = append(message, cpb...)
    131. 

  131. 

  132. 	// Truncate to the size of the original cipher text
    133. 

  133. 	return message[:len(ct)], nil
    134. 

  134. }
    135. 

  135. 

  136. func tailBlocks(b []byte, c int) ([]byte, []byte, []byte, error) {
    137. 

  137. 	if len(b) <= c {
    138. 

  138. 		return []byte{}, []byte{}, []byte{}, errors.New("bytes slice is not larger than one block so cannot tail")
    139. 

  139. 	}
    140. 

  140. 	// Get size of last block
    141. 

  141. 	var lbs int
    142. 

  142. 	if l := len(b) % aes.BlockSize; l == 0 {
    143. 

  143. 		lbs = aes.BlockSize
    144. 

  144. 	} else {
    145. 

  145. 		lbs = l
    146. 

  146. 	}
    147. 

  147. 	// Get last block
    148. 

  148. 	lb := b[len(b)-lbs:]
    149. 

  149. 	// Get 2nd to last (penultimate) block
    150. 

  150. 	pb := b[len(b)-lbs-c : len(b)-lbs]
    151. 

  151. 	if len(b) > 2*c {
    152. 

  152. 		rb := b[:len(b)-lbs-c]
    153. 

  153. 		return rb, pb, lb, nil
    154. 

  154. 	}
    155. 

  155. 	return nil, pb, lb, nil
    156. 

  156. }
    157. 

  157. 

  158. func swapLastTwoBlocks(b []byte, c int) ([]byte, error) {
    159. 

  159. 	rb, pb, lb, err := tailBlocks(b, c)
    160. 

  160. 	if err != nil {
    161. 

  161. 		return nil, err
    162. 

  162. 	}
    163. 

  163. 	var out []byte
    164. 

  164. 	if rb != nil {
    165. 

  165. 		out = append(out, rb...)
    166. 

  166. 	}
    167. 

  167. 	out = append(out, lb...)
    168. 

  168. 	out = append(out, pb...)
    169. 

  169. 	return out, nil
    170. 

  170. }
    171. 

  171. 

  172. // zeroPad pads bytes with zeros to nearest multiple of message size m.
    173. 

  173. func zeroPad(b []byte, m int) ([]byte, error) {
    174. 

  174. 	if m <= 0 {
    175. 

  175. 		return nil, errors.New("Invalid message block size when padding")
    176. 

  176. 	}
    177. 

  177. 	if b == nil || len(b) == 0 {
    178. 

  178. 		return nil, errors.New("Data not valid to pad: Zero size")
    179. 

  179. 	}
    180. 

  180. 	if l := len(b) % m; l != 0 {
    181. 

  181. 		n := m - l
    182. 

  182. 		z := make([]byte, n)
    183. 

  183. 		b = append(b, z...)
    184. 

  184. 	}
    185. 

  185. 	return b, nil
    186. 

  186. }
    187.