| // Copyright 2017 The Go Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style |
| // license that can be found in the LICENSE file. |
| |
| // +build linux,amd64 |
| // +build !android |
| // +build !cmd_go_bootstrap |
| // +build !msan |
| |
| package boring |
| |
| /* |
| |
| #include "goboringcrypto.h" |
| |
| // These wrappers allocate out_len on the C stack, and check that it matches the expected |
| // value, to avoid having to pass a pointer from Go, which would escape to the heap. |
| |
| int EVP_AEAD_CTX_seal_wrapper(const GO_EVP_AEAD_CTX *ctx, uint8_t *out, |
| size_t exp_out_len, |
| const uint8_t *nonce, size_t nonce_len, |
| const uint8_t *in, size_t in_len, |
| const uint8_t *ad, size_t ad_len) { |
| size_t out_len; |
| int ok = _goboringcrypto_EVP_AEAD_CTX_seal(ctx, out, &out_len, exp_out_len, |
| nonce, nonce_len, in, in_len, ad, ad_len); |
| if (out_len != exp_out_len) { |
| return 0; |
| } |
| return ok; |
| }; |
| |
| int EVP_AEAD_CTX_open_wrapper(const GO_EVP_AEAD_CTX *ctx, uint8_t *out, |
| size_t exp_out_len, |
| const uint8_t *nonce, size_t nonce_len, |
| const uint8_t *in, size_t in_len, |
| const uint8_t *ad, size_t ad_len) { |
| size_t out_len; |
| int ok = _goboringcrypto_EVP_AEAD_CTX_open(ctx, out, &out_len, exp_out_len, |
| nonce, nonce_len, in, in_len, ad, ad_len); |
| if (out_len != exp_out_len) { |
| return 0; |
| } |
| return ok; |
| }; |
| |
| */ |
| import "C" |
| import ( |
| "crypto/cipher" |
| "errors" |
| "runtime" |
| "strconv" |
| "unsafe" |
| ) |
| |
| type aesKeySizeError int |
| |
| func (k aesKeySizeError) Error() string { |
| return "crypto/aes: invalid key size " + strconv.Itoa(int(k)) |
| } |
| |
| const aesBlockSize = 16 |
| |
| type aesCipher struct { |
| key []byte |
| enc C.GO_AES_KEY |
| dec C.GO_AES_KEY |
| } |
| |
| type extraModes interface { |
| // Copied out of crypto/aes/modes.go. |
| NewCBCEncrypter(iv []byte) cipher.BlockMode |
| NewCBCDecrypter(iv []byte) cipher.BlockMode |
| NewCTR(iv []byte) cipher.Stream |
| NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) |
| |
| // Invented for BoringCrypto. |
| NewGCMTLS() (cipher.AEAD, error) |
| } |
| |
| var _ extraModes = (*aesCipher)(nil) |
| |
| func NewAESCipher(key []byte) (cipher.Block, error) { |
| c := &aesCipher{key: make([]byte, len(key))} |
| copy(c.key, key) |
| // Note: 0 is success, contradicting the usual BoringCrypto convention. |
| if C._goboringcrypto_AES_set_decrypt_key((*C.uint8_t)(unsafe.Pointer(&c.key[0])), C.uint(8*len(c.key)), &c.dec) != 0 || |
| C._goboringcrypto_AES_set_encrypt_key((*C.uint8_t)(unsafe.Pointer(&c.key[0])), C.uint(8*len(c.key)), &c.enc) != 0 { |
| return nil, aesKeySizeError(len(key)) |
| } |
| return c, nil |
| } |
| |
| func (c *aesCipher) BlockSize() int { return aesBlockSize } |
| |
| func (c *aesCipher) Encrypt(dst, src []byte) { |
| if inexactOverlap(dst, src) { |
| panic("crypto/cipher: invalid buffer overlap") |
| } |
| if len(src) < aesBlockSize { |
| panic("crypto/aes: input not full block") |
| } |
| if len(dst) < aesBlockSize { |
| panic("crypto/aes: output not full block") |
| } |
| C._goboringcrypto_AES_encrypt( |
| (*C.uint8_t)(unsafe.Pointer(&src[0])), |
| (*C.uint8_t)(unsafe.Pointer(&dst[0])), |
| &c.enc) |
| } |
| |
| func (c *aesCipher) Decrypt(dst, src []byte) { |
| if inexactOverlap(dst, src) { |
| panic("crypto/cipher: invalid buffer overlap") |
| } |
| if len(src) < aesBlockSize { |
| panic("crypto/aes: input not full block") |
| } |
| if len(dst) < aesBlockSize { |
| panic("crypto/aes: output not full block") |
| } |
| C._goboringcrypto_AES_decrypt( |
| (*C.uint8_t)(unsafe.Pointer(&src[0])), |
| (*C.uint8_t)(unsafe.Pointer(&dst[0])), |
| &c.dec) |
| } |
| |
| type aesCBC struct { |
| key *C.GO_AES_KEY |
| mode C.int |
| iv [aesBlockSize]byte |
| } |
| |
| func (x *aesCBC) BlockSize() int { return aesBlockSize } |
| |
| func (x *aesCBC) CryptBlocks(dst, src []byte) { |
| if inexactOverlap(dst, src) { |
| panic("crypto/cipher: invalid buffer overlap") |
| } |
| if len(src)%aesBlockSize != 0 { |
| panic("crypto/cipher: input not full blocks") |
| } |
| if len(dst) < len(src) { |
| panic("crypto/cipher: output smaller than input") |
| } |
| if len(src) > 0 { |
| C._goboringcrypto_AES_cbc_encrypt( |
| (*C.uint8_t)(unsafe.Pointer(&src[0])), |
| (*C.uint8_t)(unsafe.Pointer(&dst[0])), |
| C.size_t(len(src)), x.key, |
| (*C.uint8_t)(unsafe.Pointer(&x.iv[0])), x.mode) |
| } |
| } |
| |
| func (x *aesCBC) SetIV(iv []byte) { |
| if len(iv) != aesBlockSize { |
| panic("cipher: incorrect length IV") |
| } |
| copy(x.iv[:], iv) |
| } |
| |
| func (c *aesCipher) NewCBCEncrypter(iv []byte) cipher.BlockMode { |
| x := &aesCBC{key: &c.enc, mode: C.GO_AES_ENCRYPT} |
| copy(x.iv[:], iv) |
| return x |
| } |
| |
| func (c *aesCipher) NewCBCDecrypter(iv []byte) cipher.BlockMode { |
| x := &aesCBC{key: &c.dec, mode: C.GO_AES_DECRYPT} |
| copy(x.iv[:], iv) |
| return x |
| } |
| |
| type aesCTR struct { |
| key *C.GO_AES_KEY |
| iv [aesBlockSize]byte |
| num C.uint |
| ecount_buf [16]C.uint8_t |
| } |
| |
| func (x *aesCTR) XORKeyStream(dst, src []byte) { |
| if inexactOverlap(dst, src) { |
| panic("crypto/cipher: invalid buffer overlap") |
| } |
| if len(dst) < len(src) { |
| panic("crypto/cipher: output smaller than input") |
| } |
| if len(src) == 0 { |
| return |
| } |
| C._goboringcrypto_AES_ctr128_encrypt( |
| (*C.uint8_t)(unsafe.Pointer(&src[0])), |
| (*C.uint8_t)(unsafe.Pointer(&dst[0])), |
| C.size_t(len(src)), x.key, (*C.uint8_t)(unsafe.Pointer(&x.iv[0])), |
| &x.ecount_buf[0], &x.num) |
| } |
| |
| func (c *aesCipher) NewCTR(iv []byte) cipher.Stream { |
| x := &aesCTR{key: &c.enc} |
| copy(x.iv[:], iv) |
| return x |
| } |
| |
| type aesGCM struct { |
| ctx C.GO_EVP_AEAD_CTX |
| aead *C.GO_EVP_AEAD |
| } |
| |
| const ( |
| gcmBlockSize = 16 |
| gcmTagSize = 16 |
| gcmStandardNonceSize = 12 |
| ) |
| |
| type aesNonceSizeError int |
| |
| func (n aesNonceSizeError) Error() string { |
| return "crypto/aes: invalid GCM nonce size " + strconv.Itoa(int(n)) |
| } |
| |
| type noGCM struct { |
| cipher.Block |
| } |
| |
| func (c *aesCipher) NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) { |
| if nonceSize != gcmStandardNonceSize && tagSize != gcmTagSize { |
| return nil, errors.New("crypto/aes: GCM tag and nonce sizes can't be non-standard at the same time") |
| } |
| // Fall back to standard library for GCM with non-standard nonce or tag size. |
| if nonceSize != gcmStandardNonceSize { |
| return cipher.NewGCMWithNonceSize(&noGCM{c}, nonceSize) |
| } |
| if tagSize != gcmTagSize { |
| return cipher.NewGCMWithTagSize(&noGCM{c}, tagSize) |
| } |
| return c.newGCM(false) |
| } |
| |
| func (c *aesCipher) NewGCMTLS() (cipher.AEAD, error) { |
| return c.newGCM(true) |
| } |
| |
| func (c *aesCipher) newGCM(tls bool) (cipher.AEAD, error) { |
| var aead *C.GO_EVP_AEAD |
| switch len(c.key) * 8 { |
| case 128: |
| if tls { |
| aead = C._goboringcrypto_EVP_aead_aes_128_gcm_tls12() |
| } else { |
| aead = C._goboringcrypto_EVP_aead_aes_128_gcm() |
| } |
| case 256: |
| if tls { |
| aead = C._goboringcrypto_EVP_aead_aes_256_gcm_tls12() |
| } else { |
| aead = C._goboringcrypto_EVP_aead_aes_256_gcm() |
| } |
| default: |
| // Fall back to standard library for GCM with non-standard key size. |
| return cipher.NewGCMWithNonceSize(&noGCM{c}, gcmStandardNonceSize) |
| } |
| |
| g := &aesGCM{aead: aead} |
| if C._goboringcrypto_EVP_AEAD_CTX_init(&g.ctx, aead, (*C.uint8_t)(unsafe.Pointer(&c.key[0])), C.size_t(len(c.key)), C.GO_EVP_AEAD_DEFAULT_TAG_LENGTH, nil) == 0 { |
| return nil, fail("EVP_AEAD_CTX_init") |
| } |
| // Note: Because of the finalizer, any time g.ctx is passed to cgo, |
| // that call must be followed by a call to runtime.KeepAlive(g), |
| // to make sure g is not collected (and finalized) before the cgo |
| // call returns. |
| runtime.SetFinalizer(g, (*aesGCM).finalize) |
| if g.NonceSize() != gcmStandardNonceSize { |
| panic("boringcrypto: internal confusion about nonce size") |
| } |
| if g.Overhead() != gcmTagSize { |
| panic("boringcrypto: internal confusion about tag size") |
| } |
| |
| return g, nil |
| } |
| |
| func (g *aesGCM) finalize() { |
| C._goboringcrypto_EVP_AEAD_CTX_cleanup(&g.ctx) |
| } |
| |
| func (g *aesGCM) NonceSize() int { |
| return int(C._goboringcrypto_EVP_AEAD_nonce_length(g.aead)) |
| } |
| |
| func (g *aesGCM) Overhead() int { |
| return int(C._goboringcrypto_EVP_AEAD_max_overhead(g.aead)) |
| } |
| |
| // base returns the address of the underlying array in b, |
| // being careful not to panic when b has zero length. |
| func base(b []byte) *C.uint8_t { |
| if len(b) == 0 { |
| return nil |
| } |
| return (*C.uint8_t)(unsafe.Pointer(&b[0])) |
| } |
| |
| func (g *aesGCM) Seal(dst, nonce, plaintext, additionalData []byte) []byte { |
| if len(nonce) != gcmStandardNonceSize { |
| panic("cipher: incorrect nonce length given to GCM") |
| } |
| if uint64(len(plaintext)) > ((1<<32)-2)*aesBlockSize || len(plaintext)+gcmTagSize < len(plaintext) { |
| panic("cipher: message too large for GCM") |
| } |
| if len(dst)+len(plaintext)+gcmTagSize < len(dst) { |
| panic("cipher: message too large for buffer") |
| } |
| |
| // Make room in dst to append plaintext+overhead. |
| n := len(dst) |
| for cap(dst) < n+len(plaintext)+gcmTagSize { |
| dst = append(dst[:cap(dst)], 0) |
| } |
| dst = dst[:n+len(plaintext)+gcmTagSize] |
| |
| // Check delayed until now to make sure len(dst) is accurate. |
| if inexactOverlap(dst[n:], plaintext) { |
| panic("cipher: invalid buffer overlap") |
| } |
| |
| outLen := C.size_t(len(plaintext) + gcmTagSize) |
| ok := C.EVP_AEAD_CTX_seal_wrapper( |
| &g.ctx, |
| (*C.uint8_t)(unsafe.Pointer(&dst[n])), outLen, |
| base(nonce), C.size_t(len(nonce)), |
| base(plaintext), C.size_t(len(plaintext)), |
| base(additionalData), C.size_t(len(additionalData))) |
| runtime.KeepAlive(g) |
| if ok == 0 { |
| panic(fail("EVP_AEAD_CTX_seal")) |
| } |
| return dst[:n+int(outLen)] |
| } |
| |
| var errOpen = errors.New("cipher: message authentication failed") |
| |
| func (g *aesGCM) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) { |
| if len(nonce) != gcmStandardNonceSize { |
| panic("cipher: incorrect nonce length given to GCM") |
| } |
| if len(ciphertext) < gcmTagSize { |
| return nil, errOpen |
| } |
| if uint64(len(ciphertext)) > ((1<<32)-2)*aesBlockSize+gcmTagSize { |
| return nil, errOpen |
| } |
| |
| // Make room in dst to append ciphertext without tag. |
| n := len(dst) |
| for cap(dst) < n+len(ciphertext)-gcmTagSize { |
| dst = append(dst[:cap(dst)], 0) |
| } |
| dst = dst[:n+len(ciphertext)-gcmTagSize] |
| |
| // Check delayed until now to make sure len(dst) is accurate. |
| if inexactOverlap(dst[n:], ciphertext) { |
| panic("cipher: invalid buffer overlap") |
| } |
| |
| outLen := C.size_t(len(ciphertext) - gcmTagSize) |
| ok := C.EVP_AEAD_CTX_open_wrapper( |
| &g.ctx, |
| base(dst[n:]), outLen, |
| base(nonce), C.size_t(len(nonce)), |
| base(ciphertext), C.size_t(len(ciphertext)), |
| base(additionalData), C.size_t(len(additionalData))) |
| runtime.KeepAlive(g) |
| if ok == 0 { |
| return nil, errOpen |
| } |
| return dst[:n+int(outLen)], nil |
| } |
| |
| func anyOverlap(x, y []byte) bool { |
| return len(x) > 0 && len(y) > 0 && |
| uintptr(unsafe.Pointer(&x[0])) <= uintptr(unsafe.Pointer(&y[len(y)-1])) && |
| uintptr(unsafe.Pointer(&y[0])) <= uintptr(unsafe.Pointer(&x[len(x)-1])) |
| } |
| |
| func inexactOverlap(x, y []byte) bool { |
| if len(x) == 0 || len(y) == 0 || &x[0] == &y[0] { |
| return false |
| } |
| return anyOverlap(x, y) |
| } |