| blob | ba0af84a9d09d6c7966476796c83f6a6bd53928b |
1 // Copyright 2013 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
5 package cipher
8 subtleoverlap "crypto/internal/subtle"
9 "crypto/subtle"
10 "encoding/binary"
11 "errors"
12 )
14 // AEAD is a cipher mode providing authenticated encryption with associated
15 // data. For a description of the methodology, see
16 // https://en.wikipedia.org/wiki/Authenticated_encryption
18 // NonceSize returns the size of the nonce that must be passed to Seal
19 // and Open.
22 // Overhead returns the maximum difference between the lengths of a
23 // plaintext and its ciphertext.
26 // Seal encrypts and authenticates plaintext, authenticates the
27 // additional data and appends the result to dst, returning the updated
28 // slice. The nonce must be NonceSize() bytes long and unique for all
29 // time, for a given key.
30 //
31 // To reuse plaintext's storage for the encrypted output, use plaintext[:0]
32 // as dst. Otherwise, the remaining capacity of dst must not overlap plaintext.
35 // Open decrypts and authenticates ciphertext, authenticates the
36 // additional data and, if successful, appends the resulting plaintext
37 // to dst, returning the updated slice. The nonce must be NonceSize()
38 // bytes long and both it and the additional data must match the
39 // value passed to Seal.
40 //
41 // To reuse ciphertext's storage for the decrypted output, use ciphertext[:0]
42 // as dst. Otherwise, the remaining capacity of dst must not overlap plaintext.
43 //
44 // Even if the function fails, the contents of dst, up to its capacity,
45 // may be overwritten.
47 }
49 // gcmAble is an interface implemented by ciphers that have a specific optimized
50 // implementation of GCM, like crypto/aes. NewGCM will check for this interface
51 // and return the specific AEAD if found.
54 }
56 // gcmFieldElement represents a value in GF(2¹²⁸). In order to reflect the GCM
57 // standard and make binary.BigEndian suitable for marshaling these values, the
58 // bits are stored in big endian order. For example:
59 // the coefficient of x⁰ can be obtained by v.low >> 63.
60 // the coefficient of x⁶³ can be obtained by v.low & 1.
61 // the coefficient of x⁶⁴ can be obtained by v.high >> 63.
62 // the coefficient of x¹²⁷ can be obtained by v.high & 1.
65 }
67 // gcm represents a Galois Counter Mode with a specific key. See
68 // https://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
70 cipher Block
71 nonceSize int
72 tagSize int
73 // productTable contains the first sixteen powers of the key, H.
74 // However, they are in bit reversed order. See NewGCMWithNonceSize.
76 }
78 // NewGCM returns the given 128-bit, block cipher wrapped in Galois Counter Mode
79 // with the standard nonce length.
80 //
81 // In general, the GHASH operation performed by this implementation of GCM is not constant-time.
82 // An exception is when the underlying Block was created by aes.NewCipher
83 // on systems with hardware support for AES. See the crypto/aes package documentation for details.
86 }
88 // NewGCMWithNonceSize returns the given 128-bit, block cipher wrapped in Galois
89 // Counter Mode, which accepts nonces of the given length. The length must not
90 // be zero.
91 //
92 // Only use this function if you require compatibility with an existing
93 // cryptosystem that uses non-standard nonce lengths. All other users should use
94 // NewGCM, which is faster and more resistant to misuse.
97 }
99 // NewGCMWithTagSize returns the given 128-bit, block cipher wrapped in Galois
100 // Counter Mode, which generates tags with the given length.
101 //
102 // Tag sizes between 12 and 16 bytes are allowed.
103 //
104 // Only use this function if you require compatibility with an existing
105 // cryptosystem that uses non-standard tag lengths. All other users should use
106 // NewGCM, which is more resistant to misuse.
109 }
114 }
117 return nil, errors.New("cipher: the nonce can't have zero length, or the security of the key will be immediately compromised")
118 }
122 }
126 }
133 // We precompute 16 multiples of |key|. However, when we do lookups
134 // into this table we'll be using bits from a field element and
135 // therefore the bits will be in the reverse order. So normally one
136 // would expect, say, 4*key to be in index 4 of the table but due to
137 // this bit ordering it will actually be in index 0010 (base 2) = 2.
141 }
147 }
150 }
157 )
161 }
165 }
170 }
173 }
178 }
192 return ret
193 }
200 }
201 // Sanity check to prevent the authentication from always succeeding if an implementation
202 // leaves tagSize uninitialized, for example.
205 }
209 }
212 }
229 }
232 // The AESNI code decrypts and authenticates concurrently, and
233 // so overwrites dst in the event of a tag mismatch. That
234 // behavior is mimicked here in order to be consistent across
235 // platforms.
238 }
240 }
245 }
247 // reverseBits reverses the order of the bits of 4-bit number in i.
251 return i
252 }
254 // gcmAdd adds two elements of GF(2¹²⁸) and returns the sum.
256 // Addition in a characteristic 2 field is just XOR.
258 }
260 // gcmDouble returns the result of doubling an element of GF(2¹²⁸).
264 // Because of the bit-ordering, doubling is actually a right shift.
269 // If the most-significant bit was set before shifting then it,
270 // conceptually, becomes a term of x^128. This is greater than the
271 // irreducible polynomial so the result has to be reduced. The
272 // irreducible polynomial is 1+x+x^2+x^7+x^128. We can subtract that to
273 // eliminate the term at x^128 which also means subtracting the other
274 // four terms. In characteristic 2 fields, subtraction == addition ==
275 // XOR.
278 }
280 return
281 }
286 }
288 // mul sets y to y*H, where H is the GCM key, fixed during NewGCMWithNonceSize.
290 var z gcmFieldElement
296 }
298 // Multiplication works by multiplying z by 16 and adding in
299 // one of the precomputed multiples of H.
307 // the values in |table| are ordered for
308 // little-endian bit positions. See the comment
309 // in NewGCMWithNonceSize.
315 }
316 }
319 }
321 // updateBlocks extends y with more polynomial terms from blocks, based on
322 // Horner's rule. There must be a multiple of gcmBlockSize bytes in blocks.
329 }
330 }
332 // update extends y with more polynomial terms from data. If data is not a
333 // multiple of gcmBlockSize bytes long then the remainder is zero padded.
342 }
343 }
345 // gcmInc32 treats the final four bytes of counterBlock as a big-endian value
346 // and increments it.
350 }
352 // sliceForAppend takes a slice and a requested number of bytes. It returns a
353 // slice with the contents of the given slice followed by that many bytes and a
354 // second slice that aliases into it and contains only the extra bytes. If the
355 // original slice has sufficient capacity then no allocation is performed.
362 }
364 return
365 }
367 // counterCrypt crypts in to out using g.cipher in counter mode.
378 }
384 }
385 }
387 // deriveCounter computes the initial GCM counter state from the given nonce.
388 // See NIST SP 800-38D, section 7.1. This assumes that counter is filled with
389 // zeros on entry.
391 // GCM has two modes of operation with respect to the initial counter
392 // state: a "fast path" for 96-bit (12-byte) nonces, and a "slow path"
393 // for nonces of other lengths. For a 96-bit nonce, the nonce, along
394 // with a four-byte big-endian counter starting at one, is used
395 // directly as the starting counter. For other nonce sizes, the counter
396 // is computed by passing it through the GHASH function.
401 var y gcmFieldElement
407 }
408 }
410 // auth calculates GHASH(ciphertext, additionalData), masks the result with
411 // tagMask and writes the result to out.
413 var y gcmFieldElement
426 }