// Copyright 2015 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. //go:build amd64 || arm64 package aes import ( "crypto/cipher" "crypto/internal/alias" "crypto/subtle" "errors" ) // The following functions are defined in gcm_*.s. //go:noescape func gcmAesInit(productTable *[256]byte, ks []uint32) //go:noescape func gcmAesData(productTable *[256]byte, data []byte, T *[16]byte) //go:noescape func gcmAesEnc(productTable *[256]byte, dst, src []byte, ctr, T *[16]byte, ks []uint32) //go:noescape func gcmAesDec(productTable *[256]byte, dst, src []byte, ctr, T *[16]byte, ks []uint32) //go:noescape func gcmAesFinish(productTable *[256]byte, tagMask, T *[16]byte, pLen, dLen uint64) const ( gcmBlockSize = 16 gcmTagSize = 16 gcmMinimumTagSize = 12 // NIST SP 800-38D recommends tags with 12 or more bytes. gcmStandardNonceSize = 12 ) var errOpen = errors.New("cipher: message authentication failed") // Assert that aesCipherGCM implements the gcmAble interface. var _ gcmAble = (*aesCipherGCM)(nil) // NewGCM returns the AES cipher wrapped in Galois Counter Mode. This is only // called by [crypto/cipher.NewGCM] via the gcmAble interface. func (c *aesCipherGCM) NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) { g := &gcmAsm{ks: c.enc, nonceSize: nonceSize, tagSize: tagSize} gcmAesInit(&g.productTable, g.ks) return g, nil } type gcmAsm struct { // ks is the key schedule, the length of which depends on the size of // the AES key. ks []uint32 // productTable contains pre-computed multiples of the binary-field // element used in GHASH. productTable [256]byte // nonceSize contains the expected size of the nonce, in bytes. nonceSize int // tagSize contains the size of the tag, in bytes. tagSize int } func (g *gcmAsm) NonceSize() int { return g.nonceSize } func (g *gcmAsm) Overhead() int { return g.tagSize } // sliceForAppend takes a slice and a requested number of bytes. It returns a // slice with the contents of the given slice followed by that many bytes and a // second slice that aliases into it and contains only the extra bytes. If the // original slice has sufficient capacity then no allocation is performed. func sliceForAppend(in []byte, n int) (head, tail []byte) { if total := len(in) + n; cap(in) >= total { head = in[:total] } else { head = make([]byte, total) copy(head, in) } tail = head[len(in):] return } // Seal encrypts and authenticates plaintext. See the [cipher.AEAD] interface for // details. func (g *gcmAsm) Seal(dst, nonce, plaintext, data []byte) []byte { if len(nonce) != g.nonceSize { panic("crypto/cipher: incorrect nonce length given to GCM") } if uint64(len(plaintext)) > ((1<<32)-2)*BlockSize { panic("crypto/cipher: message too large for GCM") } var counter, tagMask [gcmBlockSize]byte if len(nonce) == gcmStandardNonceSize { // Init counter to nonce||1 copy(counter[:], nonce) counter[gcmBlockSize-1] = 1 } else { // Otherwise counter = GHASH(nonce) gcmAesData(&g.productTable, nonce, &counter) gcmAesFinish(&g.productTable, &tagMask, &counter, uint64(len(nonce)), uint64(0)) } encryptBlockAsm(len(g.ks)/4-1, &g.ks[0], &tagMask[0], &counter[0]) var tagOut [gcmTagSize]byte gcmAesData(&g.productTable, data, &tagOut) ret, out := sliceForAppend(dst, len(plaintext)+g.tagSize) if alias.InexactOverlap(out[:len(plaintext)], plaintext) { panic("crypto/cipher: invalid buffer overlap") } if len(plaintext) > 0 { gcmAesEnc(&g.productTable, out, plaintext, &counter, &tagOut, g.ks) } gcmAesFinish(&g.productTable, &tagMask, &tagOut, uint64(len(plaintext)), uint64(len(data))) copy(out[len(plaintext):], tagOut[:]) return ret } // Open authenticates and decrypts ciphertext. See the [cipher.AEAD] interface // for details. func (g *gcmAsm) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) { if len(nonce) != g.nonceSize { panic("crypto/cipher: incorrect nonce length given to GCM") } // Sanity check to prevent the authentication from always succeeding if an implementation // leaves tagSize uninitialized, for example. if g.tagSize < gcmMinimumTagSize { panic("crypto/cipher: incorrect GCM tag size") } if len(ciphertext) < g.tagSize { return nil, errOpen } if uint64(len(ciphertext)) > ((1<<32)-2)*uint64(BlockSize)+uint64(g.tagSize) { return nil, errOpen } tag := ciphertext[len(ciphertext)-g.tagSize:] ciphertext = ciphertext[:len(ciphertext)-g.tagSize] // See GCM spec, section 7.1. var counter, tagMask [gcmBlockSize]byte if len(nonce) == gcmStandardNonceSize { // Init counter to nonce||1 copy(counter[:], nonce) counter[gcmBlockSize-1] = 1 } else { // Otherwise counter = GHASH(nonce) gcmAesData(&g.productTable, nonce, &counter) gcmAesFinish(&g.productTable, &tagMask, &counter, uint64(len(nonce)), uint64(0)) } encryptBlockAsm(len(g.ks)/4-1, &g.ks[0], &tagMask[0], &counter[0]) var expectedTag [gcmTagSize]byte gcmAesData(&g.productTable, data, &expectedTag) ret, out := sliceForAppend(dst, len(ciphertext)) if alias.InexactOverlap(out, ciphertext) { panic("crypto/cipher: invalid buffer overlap") } if len(ciphertext) > 0 { gcmAesDec(&g.productTable, out, ciphertext, &counter, &expectedTag, g.ks) } gcmAesFinish(&g.productTable, &tagMask, &expectedTag, uint64(len(ciphertext)), uint64(len(data))) if subtle.ConstantTimeCompare(expectedTag[:g.tagSize], tag) != 1 { for i := range out { out[i] = 0 } return nil, errOpen } return ret, nil }