
GCM return authenticationTag

Marcin Krzyżanowski 7 年之前
b3a31f0b29
共有 2 個文件被更改,包括 42 次插入29 次删除
  1. 21 8
      Sources/CryptoSwift/BlockMode/GCM.swift
  2. 21 21
      Tests/Tests/AESTests.swift

+ 21 - 8
Sources/CryptoSwift/BlockMode/GCM.swift

@@ -18,7 +18,7 @@
 //  ref: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.694.695&rep=rep1&type=pdf
 //
 
-public struct GCM: BlockMode {
+public class GCM: BlockMode {
     public let options: BlockModeOptions = .initializationVectorRequired
 
     public enum Error: Swift.Error {
@@ -37,7 +37,7 @@ public struct GCM: BlockMode {
     }
 
     // decrypt
-    public init(iv: Array<UInt8>, authenticationTag: Array<UInt8>, additionalAuthenticatedData: Array<UInt8>? = nil) {
+    public convenience init(iv: Array<UInt8>, authenticationTag: Array<UInt8>, additionalAuthenticatedData: Array<UInt8>? = nil) {
         self.init(iv: iv, additionalAuthenticatedData: additionalAuthenticatedData)
         self.authenticationTag = authenticationTag
     }
@@ -47,31 +47,41 @@ public struct GCM: BlockMode {
             throw Error.invalidInitializationVector
         }
 
-        return GCMModeWorker(iv: iv.slice, aad: additionalAuthenticatedData?.slice, cipherOperation: cipherOperation)
+        var worker = GCMModeWorker(iv: iv.slice, aad: additionalAuthenticatedData?.slice, cipherOperation: cipherOperation)
+        worker.didCalculateTag = { tag in
+            self.authenticationTag = tag
+        }
+        return worker
     }
 }
 
 struct GCMModeWorker: BlockModeWorkerFinalizing {
     let cipherOperation: CipherOperationOnBlock
+
+    // Callback called when authenticationTag is ready
+    var didCalculateTag: ((Array<UInt8>) -> Void)? = nil
+
+    // 128 bit tag. Other possible tags 4,8,12,13,14,15,16
+    private static let tagSize = 16
     // GCM nonce is 96-bits by default. It's the most effective length for the IV
-    static let nonceSize = 12
+    private static let nonceSize = 12
+
     // GCM is designed for 128-bit ciphers like AES (but not really for Blowfish). 64-bit mode is not implemented.
     private let blockSize = 16 // 128 bit
     private let iv: ArraySlice<UInt8>
-    // 128 bit tag. Other possible tags 4,8,12,13,14,15,16
-    private static let tagSize = 16
     private var counter: UInt128
     private let eky0: UInt128 // move to GF?
-    private let h: UInt128    // move to GF?
+    private let h: UInt128
+
     // Additional authenticated data
     private let aad: ArraySlice<UInt8>?
 
     // Note: need new worker to reset instance
+    // Use empty aad if not specified. AAD is optional.
     private lazy var gf: GF = {
         if let aad = aad {
             return GF(aad: Array(aad), h: h, blockSize: blockSize)
         }
-        // Empty auth if not specified. AAD is optional.
         return GF(aad: [UInt8](), h: h, blockSize: blockSize)
     }()
 
@@ -135,6 +145,9 @@ struct GCMModeWorker: BlockModeWorkerFinalizing {
         // Calculate MAC tag for a given ciphertext.
         let ghash = gf.ghashFinish()
         let tag = Array((ghash ^ eky0).bytes.prefix(GCMModeWorker.tagSize))
+
+        // Notify handler
+        didCalculateTag?(tag)
         // Append Tag at the end (arguable, but popular)
         return Array(ciphertext) + tag
     }
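Review bot: With `GCM` now a class, `authenticationTag` is shared mutable state that the `didCalculateTag` closure (`worker.didCalculateTag = { tag in self.authenticationTag = tag }`) overwrites on every finalize, so one `GCM` instance reused for a second encryption, or shared between ciphers on different threads, silently replaces the tag of the previous operation; nothing in the hunk guards against that, and whether the decrypt-path finalize also fires the callback and clobbers the expected tag passed to the `convenience init(iv:authenticationTag:...)` cannot be seen from here. The closure also captures `self` strongly; that is a cycle only if `GCM` ends up retaining the worker, which is outside the hunk. At minimum the contract should be documented on the callback, e.g. `// Called from finalize() with the tag of the most recent operation; a GCM instance must not be reused or shared across concurrent ciphers, or the tag is overwritten.` The `worker(cipherOperation:)` function begins before this hunk.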

+ 21 - 21
Tests/Tests/AESTests.swift

@@ -370,11 +370,11 @@ extension AESTests {
         let key = Array<UInt8>(hex: "0x00000000000000000000000000000000")
         let iv = Array<UInt8>(hex: "0x000000000000000000000000")
 
-        var authenticationTag: Array<UInt8> = []
-        let aes = try! AES(key: key, blockMode: GCM(iv: iv), padding: .noPadding)
+        let gcm = GCM(iv: iv)
+        let aes = try! AES(key: key, blockMode: gcm, padding: .noPadding)
         let encrypted = try! aes.encrypt([UInt8]())
         XCTAssertEqual(Array(encrypted.prefix(encrypted.endIndex - 16)), [UInt8](hex: "")) // C
-        XCTAssertEqual(authenticationTag, [UInt8](hex: "58e2fccefa7e3061367f1d57a4e7455a")) // T (128-bit)
+        XCTAssertEqual(gcm.authenticationTag, [UInt8](hex: "58e2fccefa7e3061367f1d57a4e7455a")) // T (128-bit)
     }
 
     func testAESGCMTestCase2() {
@@ -383,11 +383,11 @@ extension AESTests {
         let plaintext = Array<UInt8>(hex: "0x00000000000000000000000000000000")
         let iv = Array<UInt8>(hex: "0x000000000000000000000000")
 
-        var authenticationTag: Array<UInt8> = []
-        let aes = try! AES(key: key, blockMode: GCM(iv: iv), padding: .noPadding)
+        let gcm = GCM(iv: iv)
+        let aes = try! AES(key: key, blockMode: gcm, padding: .noPadding)
         let encrypted = try! aes.encrypt(plaintext)
         XCTAssertEqual(Array(encrypted.prefix(encrypted.endIndex - 16)), [UInt8](hex: "0388dace60b6a392f328c2b971b2fe78")) // C
-        XCTAssertEqual(authenticationTag, [UInt8](hex: "ab6e47d42cec13bdf53a67b21257bddf")) // T (128-bit)
+        XCTAssertEqual(gcm.authenticationTag, [UInt8](hex: "ab6e47d42cec13bdf53a67b21257bddf")) // T (128-bit)
     }
 
     func testAESGCMTestCase3() {
@@ -396,12 +396,12 @@ extension AESTests {
         let plaintext = Array<UInt8>(hex: "0xd9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255")
         let iv = Array<UInt8>(hex: "0xcafebabefacedbaddecaf888")
 
-        var authenticationTag: Array<UInt8> = []
-        let aes = try! AES(key: key, blockMode: GCM(iv: iv), padding: .noPadding)
+        let gcm = GCM(iv: iv)
+        let aes = try! AES(key: key, blockMode: gcm, padding: .noPadding)
         let encrypted = try! aes.encrypt(plaintext)
 
         XCTAssertEqual(Array(encrypted.prefix(encrypted.endIndex - 16)), [UInt8](hex: "0x42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091473f5985")) // C
-        XCTAssertEqual(authenticationTag, [UInt8](hex: "0x4d5c2af327cd64a62cf35abd2ba6fab4")) // T (128-bit)
+        XCTAssertEqual(gcm.authenticationTag, [UInt8](hex: "0x4d5c2af327cd64a62cf35abd2ba6fab4")) // T (128-bit)
     }
 
     func testAESGCMTestCase4() {
@@ -411,12 +411,12 @@ extension AESTests {
         let iv = Array<UInt8>(hex: "0xcafebabefacedbaddecaf888")
         let auth = Array<UInt8>(hex: "0xfeedfacedeadbeeffeedfacedeadbeefabaddad2")
 
-        var authenticationTag: Array<UInt8> = []
-        let aes = try! AES(key: key, blockMode: GCM(iv: iv, additionalAuthenticatedData: auth), padding: .noPadding)
+        let gcm = GCM(iv: iv, additionalAuthenticatedData: auth)
+        let aes = try! AES(key: key, blockMode: gcm, padding: .noPadding)
         let encrypted = try! aes.encrypt(plaintext)
 
         XCTAssertEqual(Array(encrypted.prefix(encrypted.endIndex - 16)), [UInt8](hex: "0x42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091")) // C
-        XCTAssertEqual(authenticationTag, [UInt8](hex: "0x5bc94fbc3221a5db94fae95ae7121a47")) // T (128-bit)
+        XCTAssertEqual(gcm.authenticationTag, [UInt8](hex: "0x5bc94fbc3221a5db94fae95ae7121a47")) // T (128-bit)
     }
 
     func testAESGCMTestCase5() {
@@ -426,12 +426,12 @@ extension AESTests {
         let iv = Array<UInt8>(hex: "0xcafebabefacedbad")
         let auth = Array<UInt8>(hex: "0xfeedfacedeadbeeffeedfacedeadbeefabaddad2")
 
-        var authenticationTag: Array<UInt8> = []
-        let aes = try! AES(key: key, blockMode: GCM(iv: iv, additionalAuthenticatedData: auth), padding: .noPadding)
+        let gcm = GCM(iv: iv, additionalAuthenticatedData: auth)
+        let aes = try! AES(key: key, blockMode: gcm, padding: .noPadding)
         let encrypted = try! aes.encrypt(plaintext)
 
         XCTAssertEqual(Array(encrypted.prefix(encrypted.endIndex - 16)), [UInt8](hex: "0x61353b4c2806934a777ff51fa22a4755699b2a714fcdc6f83766e5f97b6c742373806900e49f24b22b097544d4896b424989b5e1ebac0f07c23f4598")) // C
-        XCTAssertEqual(authenticationTag, [UInt8](hex: "0x3612d2e79e3b0785561be14aaca2fccb")) // T (128-bit)
+        XCTAssertEqual(gcm.authenticationTag, [UInt8](hex: "0x3612d2e79e3b0785561be14aaca2fccb")) // T (128-bit)
     }
 
     func testAESGCMTestCase6() {
@@ -441,12 +441,12 @@ extension AESTests {
         let iv = Array<UInt8>(hex: "0x9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b")
         let auth = Array<UInt8>(hex: "0xfeedfacedeadbeeffeedfacedeadbeefabaddad2")
 
-        var authenticationTag: Array<UInt8> = []
-        let aes = try! AES(key: key, blockMode: GCM(iv: iv, additionalAuthenticatedData: auth), padding: .noPadding)
+        let gcm = GCM(iv: iv, additionalAuthenticatedData: auth)
+        let aes = try! AES(key: key, blockMode: gcm, padding: .noPadding)
         let encrypted = try! aes.encrypt(plaintext)
 
         XCTAssertEqual(Array(encrypted.prefix(encrypted.endIndex - 16)), [UInt8](hex: "0x8ce24998625615b603a033aca13fb894be9112a5c3a211a8ba262a3cca7e2ca701e4a9a4fba43c90ccdcb281d48c7c6fd62875d2aca417034c34aee5")) // C
-        XCTAssertEqual(authenticationTag, [UInt8](hex: "0x619cc5aefffe0bfa462af43c1699d050")) // T (128-bit)
+        XCTAssertEqual(gcm.authenticationTag, [UInt8](hex: "0x619cc5aefffe0bfa462af43c1699d050")) // T (128-bit)
     }
 
     func testAESGCMTestCase7() {
@@ -455,12 +455,12 @@ extension AESTests {
         let plaintext = Array<UInt8>(hex: "")
         let iv = Array<UInt8>(hex: "0x000000000000000000000000")
 
-        var authenticationTag: Array<UInt8> = []
-        let aes = try! AES(key: key, blockMode: GCM(iv: iv), padding: .noPadding)
+        let gcm = GCM(iv: iv)
+        let aes = try! AES(key: key, blockMode: gcm, padding: .noPadding)
         let encrypted = try! aes.encrypt(plaintext)
 
         XCTAssertEqual(Array(encrypted.prefix(encrypted.endIndex - 16)), [UInt8](hex: "")) // C
-        XCTAssertEqual(authenticationTag, [UInt8](hex: "0xcd33b28ac773f74ba00ed1f312572435")) // T (128-bit)
+        XCTAssertEqual(gcm.authenticationTag, [UInt8](hex: "0xcd33b28ac773f74ba00ed1f312572435")) // T (128-bit)
     }
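Review bot: Every updated case still only checks the encrypt direction — ciphertext prefix plus `gcm.authenticationTag` against the known-answer vector — so nothing here exercises the path where a stored tag is compared on decryption, and in particular no case asserts that a tampered ciphertext or a wrong `authenticationTag` passed to `GCM(iv:authenticationTag:)` is rejected; if such a negative test exists elsewhere in the file it is not visible in this diff. A single case feeding the tag from `testAESGCMTestCase2` with one flipped byte into the decrypt initializer and asserting the failure would cover it. As a point of style, the `try!` on each `AES(...)`/`encrypt(...)` line could be dropped by marking the test functions `throws`, which turns a thrown error into a reported failure rather than a crash of the whole run. The enclosing `extension AESTests` starts before the first hunk.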
 }