aes_gcm.go

Documentation: crypto/aes

		 1  // Copyright 2015 The Go Authors. All rights reserved.
		 2  // Use of this source code is governed by a BSD-style
		 3  // license that can be found in the LICENSE file.
		 4  
		 5  //go:build amd64 || arm64
		 6  // +build amd64 arm64
		 7  
		 8  package aes
		 9  
		10  import (
		11  	"crypto/cipher"
		12  	subtleoverlap "crypto/internal/subtle"
		13  	"crypto/subtle"
		14  	"errors"
		15  )
		16  
		17  // The following functions are defined in gcm_*.s.
		18  
		19  //go:noescape
		20  func gcmAesInit(productTable *[256]byte, ks []uint32)
		21  
		22  //go:noescape
		23  func gcmAesData(productTable *[256]byte, data []byte, T *[16]byte)
		24  
		25  //go:noescape
		26  func gcmAesEnc(productTable *[256]byte, dst, src []byte, ctr, T *[16]byte, ks []uint32)
		27  
		28  //go:noescape
		29  func gcmAesDec(productTable *[256]byte, dst, src []byte, ctr, T *[16]byte, ks []uint32)
		30  
		31  //go:noescape
		32  func gcmAesFinish(productTable *[256]byte, tagMask, T *[16]byte, pLen, dLen uint64)
		33  
		34  const (
		35  	gcmBlockSize				 = 16
		36  	gcmTagSize					 = 16
		37  	gcmMinimumTagSize		= 12 // NIST SP 800-38D recommends tags with 12 or more bytes.
		38  	gcmStandardNonceSize = 12
		39  )
		40  
		41  var errOpen = errors.New("cipher: message authentication failed")
		42  
		43  // aesCipherGCM implements crypto/cipher.gcmAble so that crypto/cipher.NewGCM
		44  // will use the optimised implementation in this file when possible. Instances
		45  // of this type only exist when hasGCMAsm returns true.
		46  type aesCipherGCM struct {
		47  	aesCipherAsm
		48  }
		49  
		50  // Assert that aesCipherGCM implements the gcmAble interface.
		51  var _ gcmAble = (*aesCipherGCM)(nil)
		52  
		53  // NewGCM returns the AES cipher wrapped in Galois Counter Mode. This is only
		54  // called by crypto/cipher.NewGCM via the gcmAble interface.
		55  func (c *aesCipherGCM) NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) {
		56  	g := &gcmAsm{ks: c.enc, nonceSize: nonceSize, tagSize: tagSize}
		57  	gcmAesInit(&g.productTable, g.ks)
		58  	return g, nil
		59  }
		60  
		61  type gcmAsm struct {
		62  	// ks is the key schedule, the length of which depends on the size of
		63  	// the AES key.
		64  	ks []uint32
		65  	// productTable contains pre-computed multiples of the binary-field
		66  	// element used in GHASH.
		67  	productTable [256]byte
		68  	// nonceSize contains the expected size of the nonce, in bytes.
		69  	nonceSize int
		70  	// tagSize contains the size of the tag, in bytes.
		71  	tagSize int
		72  }
		73  
		74  func (g *gcmAsm) NonceSize() int {
		75  	return g.nonceSize
		76  }
		77  
		78  func (g *gcmAsm) Overhead() int {
		79  	return g.tagSize
		80  }
		81  
		82  // sliceForAppend takes a slice and a requested number of bytes. It returns a
		83  // slice with the contents of the given slice followed by that many bytes and a
		84  // second slice that aliases into it and contains only the extra bytes. If the
		85  // original slice has sufficient capacity then no allocation is performed.
		86  func sliceForAppend(in []byte, n int) (head, tail []byte) {
		87  	if total := len(in) + n; cap(in) >= total {
		88  		head = in[:total]
		89  	} else {
		90  		head = make([]byte, total)
		91  		copy(head, in)
		92  	}
		93  	tail = head[len(in):]
		94  	return
		95  }
		96  
		97  // Seal encrypts and authenticates plaintext. See the cipher.AEAD interface for
		98  // details.
		99  func (g *gcmAsm) Seal(dst, nonce, plaintext, data []byte) []byte {
	 100  	if len(nonce) != g.nonceSize {
	 101  		panic("crypto/cipher: incorrect nonce length given to GCM")
	 102  	}
	 103  	if uint64(len(plaintext)) > ((1<<32)-2)*BlockSize {
	 104  		panic("crypto/cipher: message too large for GCM")
	 105  	}
	 106  
	 107  	var counter, tagMask [gcmBlockSize]byte
	 108  
	 109  	if len(nonce) == gcmStandardNonceSize {
	 110  		// Init counter to nonce||1
	 111  		copy(counter[:], nonce)
	 112  		counter[gcmBlockSize-1] = 1
	 113  	} else {
	 114  		// Otherwise counter = GHASH(nonce)
	 115  		gcmAesData(&g.productTable, nonce, &counter)
	 116  		gcmAesFinish(&g.productTable, &tagMask, &counter, uint64(len(nonce)), uint64(0))
	 117  	}
	 118  
	 119  	encryptBlockAsm(len(g.ks)/4-1, &g.ks[0], &tagMask[0], &counter[0])
	 120  
	 121  	var tagOut [gcmTagSize]byte
	 122  	gcmAesData(&g.productTable, data, &tagOut)
	 123  
	 124  	ret, out := sliceForAppend(dst, len(plaintext)+g.tagSize)
	 125  	if subtleoverlap.InexactOverlap(out[:len(plaintext)], plaintext) {
	 126  		panic("crypto/cipher: invalid buffer overlap")
	 127  	}
	 128  	if len(plaintext) > 0 {
	 129  		gcmAesEnc(&g.productTable, out, plaintext, &counter, &tagOut, g.ks)
	 130  	}
	 131  	gcmAesFinish(&g.productTable, &tagMask, &tagOut, uint64(len(plaintext)), uint64(len(data)))
	 132  	copy(out[len(plaintext):], tagOut[:])
	 133  
	 134  	return ret
	 135  }
	 136  
	 137  // Open authenticates and decrypts ciphertext. See the cipher.AEAD interface
	 138  // for details.
	 139  func (g *gcmAsm) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
	 140  	if len(nonce) != g.nonceSize {
	 141  		panic("crypto/cipher: incorrect nonce length given to GCM")
	 142  	}
	 143  	// Sanity check to prevent the authentication from always succeeding if an implementation
	 144  	// leaves tagSize uninitialized, for example.
	 145  	if g.tagSize < gcmMinimumTagSize {
	 146  		panic("crypto/cipher: incorrect GCM tag size")
	 147  	}
	 148  
	 149  	if len(ciphertext) < g.tagSize {
	 150  		return nil, errOpen
	 151  	}
	 152  	if uint64(len(ciphertext)) > ((1<<32)-2)*uint64(BlockSize)+uint64(g.tagSize) {
	 153  		return nil, errOpen
	 154  	}
	 155  
	 156  	tag := ciphertext[len(ciphertext)-g.tagSize:]
	 157  	ciphertext = ciphertext[:len(ciphertext)-g.tagSize]
	 158  
	 159  	// See GCM spec, section 7.1.
	 160  	var counter, tagMask [gcmBlockSize]byte
	 161  
	 162  	if len(nonce) == gcmStandardNonceSize {
	 163  		// Init counter to nonce||1
	 164  		copy(counter[:], nonce)
	 165  		counter[gcmBlockSize-1] = 1
	 166  	} else {
	 167  		// Otherwise counter = GHASH(nonce)
	 168  		gcmAesData(&g.productTable, nonce, &counter)
	 169  		gcmAesFinish(&g.productTable, &tagMask, &counter, uint64(len(nonce)), uint64(0))
	 170  	}
	 171  
	 172  	encryptBlockAsm(len(g.ks)/4-1, &g.ks[0], &tagMask[0], &counter[0])
	 173  
	 174  	var expectedTag [gcmTagSize]byte
	 175  	gcmAesData(&g.productTable, data, &expectedTag)
	 176  
	 177  	ret, out := sliceForAppend(dst, len(ciphertext))
	 178  	if subtleoverlap.InexactOverlap(out, ciphertext) {
	 179  		panic("crypto/cipher: invalid buffer overlap")
	 180  	}
	 181  	if len(ciphertext) > 0 {
	 182  		gcmAesDec(&g.productTable, out, ciphertext, &counter, &expectedTag, g.ks)
	 183  	}
	 184  	gcmAesFinish(&g.productTable, &tagMask, &expectedTag, uint64(len(ciphertext)), uint64(len(data)))
	 185  
	 186  	if subtle.ConstantTimeCompare(expectedTag[:g.tagSize], tag) != 1 {
	 187  		for i := range out {
	 188  			out[i] = 0
	 189  		}
	 190  		return nil, errOpen
	 191  	}
	 192  
	 193  	return ret, nil
	 194  }
	 195
View as plain text