1 // Copyright 2015 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 // +build amd64 6 7 package aes 8 9 import ( 10 "crypto/cipher" 11 "crypto/subtle" 12 "errors" 13 ) 14 15 // The following functions are defined in gcm_amd64.s. 16 func hasGCMAsm() bool 17 18 //go:noescape 19 func aesEncBlock(dst, src *[16]byte, ks []uint32) 20 21 //go:noescape 22 func gcmAesInit(productTable *[256]byte, ks []uint32) 23 24 //go:noescape 25 func gcmAesData(productTable *[256]byte, data []byte, T *[16]byte) 26 27 //go:noescape 28 func gcmAesEnc(productTable *[256]byte, dst, src []byte, ctr, T *[16]byte, ks []uint32) 29 30 //go:noescape 31 func gcmAesDec(productTable *[256]byte, dst, src []byte, ctr, T *[16]byte, ks []uint32) 32 33 //go:noescape 34 func gcmAesFinish(productTable *[256]byte, tagMask, T *[16]byte, pLen, dLen uint64) 35 36 const ( 37 gcmBlockSize = 16 38 gcmTagSize = 16 39 gcmStandardNonceSize = 12 40 ) 41 42 var errOpen = errors.New("cipher: message authentication failed") 43 44 // aesCipherGCM implements crypto/cipher.gcmAble so that crypto/cipher.NewGCM 45 // will use the optimised implementation in this file when possible. Instances 46 // of this type only exist when hasGCMAsm returns true. 47 type aesCipherGCM struct { 48 aesCipherAsm 49 } 50 51 // Assert that aesCipherGCM implements the gcmAble interface. 52 var _ gcmAble = (*aesCipherGCM)(nil) 53 54 // NewGCM returns the AES cipher wrapped in Galois Counter Mode. This is only 55 // called by crypto/cipher.NewGCM via the gcmAble interface. 56 func (c *aesCipherGCM) NewGCM(nonceSize int) (cipher.AEAD, error) { 57 g := &gcmAsm{ks: c.enc, nonceSize: nonceSize} 58 gcmAesInit(&g.productTable, g.ks) 59 return g, nil 60 } 61 62 type gcmAsm struct { 63 // ks is the key schedule, the length of which depends on the size of 64 // the AES key. 65 ks []uint32 66 // productTable contains pre-computed multiples of the binary-field 67 // element used in GHASH. 68 productTable [256]byte 69 // nonceSize contains the expected size of the nonce, in bytes. 70 nonceSize int 71 } 72 73 func (g *gcmAsm) NonceSize() int { 74 return g.nonceSize 75 } 76 77 func (*gcmAsm) Overhead() int { 78 return gcmTagSize 79 } 80 81 // sliceForAppend takes a slice and a requested number of bytes. It returns a 82 // slice with the contents of the given slice followed by that many bytes and a 83 // second slice that aliases into it and contains only the extra bytes. If the 84 // original slice has sufficient capacity then no allocation is performed. 85 func sliceForAppend(in []byte, n int) (head, tail []byte) { 86 if total := len(in) + n; cap(in) >= total { 87 head = in[:total] 88 } else { 89 head = make([]byte, total) 90 copy(head, in) 91 } 92 tail = head[len(in):] 93 return 94 } 95 96 // Seal encrypts and authenticates plaintext. See the cipher.AEAD interface for 97 // details. 98 func (g *gcmAsm) Seal(dst, nonce, plaintext, data []byte) []byte { 99 if len(nonce) != g.nonceSize { 100 panic("cipher: incorrect nonce length given to GCM") 101 } 102 if uint64(len(plaintext)) > ((1<<32)-2)*BlockSize { 103 panic("cipher: message too large for GCM") 104 } 105 106 var counter, tagMask [gcmBlockSize]byte 107 108 if len(nonce) == gcmStandardNonceSize { 109 // Init counter to nonce||1 110 copy(counter[:], nonce) 111 counter[gcmBlockSize-1] = 1 112 } else { 113 // Otherwise counter = GHASH(nonce) 114 gcmAesData(&g.productTable, nonce, &counter) 115 gcmAesFinish(&g.productTable, &tagMask, &counter, uint64(len(nonce)), uint64(0)) 116 } 117 118 aesEncBlock(&tagMask, &counter, g.ks) 119 120 var tagOut [gcmTagSize]byte 121 gcmAesData(&g.productTable, data, &tagOut) 122 123 ret, out := sliceForAppend(dst, len(plaintext)+gcmTagSize) 124 if len(plaintext) > 0 { 125 gcmAesEnc(&g.productTable, out, plaintext, &counter, &tagOut, g.ks) 126 } 127 gcmAesFinish(&g.productTable, &tagMask, &tagOut, uint64(len(plaintext)), uint64(len(data))) 128 copy(out[len(plaintext):], tagOut[:]) 129 130 return ret 131 } 132 133 // Open authenticates and decrypts ciphertext. See the cipher.AEAD interface 134 // for details. 135 func (g *gcmAsm) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) { 136 if len(nonce) != g.nonceSize { 137 panic("cipher: incorrect nonce length given to GCM") 138 } 139 140 if len(ciphertext) < gcmTagSize { 141 return nil, errOpen 142 } 143 if uint64(len(ciphertext)) > ((1<<32)-2)*BlockSize+gcmTagSize { 144 return nil, errOpen 145 } 146 147 tag := ciphertext[len(ciphertext)-gcmTagSize:] 148 ciphertext = ciphertext[:len(ciphertext)-gcmTagSize] 149 150 // See GCM spec, section 7.1. 151 var counter, tagMask [gcmBlockSize]byte 152 153 if len(nonce) == gcmStandardNonceSize { 154 // Init counter to nonce||1 155 copy(counter[:], nonce) 156 counter[gcmBlockSize-1] = 1 157 } else { 158 // Otherwise counter = GHASH(nonce) 159 gcmAesData(&g.productTable, nonce, &counter) 160 gcmAesFinish(&g.productTable, &tagMask, &counter, uint64(len(nonce)), uint64(0)) 161 } 162 163 aesEncBlock(&tagMask, &counter, g.ks) 164 165 var expectedTag [gcmTagSize]byte 166 gcmAesData(&g.productTable, data, &expectedTag) 167 168 ret, out := sliceForAppend(dst, len(ciphertext)) 169 if len(ciphertext) > 0 { 170 gcmAesDec(&g.productTable, out, ciphertext, &counter, &expectedTag, g.ks) 171 } 172 gcmAesFinish(&g.productTable, &tagMask, &expectedTag, uint64(len(ciphertext)), uint64(len(data))) 173 174 if subtle.ConstantTimeCompare(expectedTag[:], tag) != 1 { 175 for i := range out { 176 out[i] = 0 177 } 178 return nil, errOpen 179 } 180 181 return ret, nil 182 } 183
