| // Copyright 2024 The Go Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style |
| // license that can be found in the LICENSE file. |
| |
| package cipher |
| |
| import ( |
| "crypto/internal/fips140/aes" |
| "crypto/internal/fips140/aes/gcm" |
| "crypto/internal/fips140/alias" |
| "crypto/internal/fips140only" |
| "crypto/subtle" |
| "errors" |
| "internal/byteorder" |
| ) |
| |
| const ( |
| gcmBlockSize = 16 |
| gcmStandardNonceSize = 12 |
| gcmTagSize = 16 |
| gcmMinimumTagSize = 12 // NIST SP 800-38D recommends tags with 12 or more bytes. |
| ) |
| |
| // NewGCM returns the given 128-bit, block cipher wrapped in Galois Counter Mode |
| // with the standard nonce length. |
| // |
| // In general, the GHASH operation performed by this implementation of GCM is not constant-time. |
| // An exception is when the underlying [Block] was created by aes.NewCipher |
| // on systems with hardware support for AES. See the [crypto/aes] package documentation for details. |
| func NewGCM(cipher Block) (AEAD, error) { |
| if fips140only.Enabled { |
| return nil, errors.New("crypto/cipher: use of GCM with arbitrary IVs is not allowed in FIPS 140-only mode, use NewGCMWithRandomNonce") |
| } |
| return newGCM(cipher, gcmStandardNonceSize, gcmTagSize) |
| } |
| |
| // NewGCMWithNonceSize returns the given 128-bit, block cipher wrapped in Galois |
| // Counter Mode, which accepts nonces of the given length. The length must not |
| // be zero. |
| // |
| // Only use this function if you require compatibility with an existing |
| // cryptosystem that uses non-standard nonce lengths. All other users should use |
| // [NewGCM], which is faster and more resistant to misuse. |
| func NewGCMWithNonceSize(cipher Block, size int) (AEAD, error) { |
| if fips140only.Enabled { |
| return nil, errors.New("crypto/cipher: use of GCM with arbitrary IVs is not allowed in FIPS 140-only mode, use NewGCMWithRandomNonce") |
| } |
| return newGCM(cipher, size, gcmTagSize) |
| } |
| |
| // NewGCMWithTagSize returns the given 128-bit, block cipher wrapped in Galois |
| // Counter Mode, which generates tags with the given length. |
| // |
| // Tag sizes between 12 and 16 bytes are allowed. |
| // |
| // Only use this function if you require compatibility with an existing |
| // cryptosystem that uses non-standard tag lengths. All other users should use |
| // [NewGCM], which is more resistant to misuse. |
| func NewGCMWithTagSize(cipher Block, tagSize int) (AEAD, error) { |
| if fips140only.Enabled { |
| return nil, errors.New("crypto/cipher: use of GCM with arbitrary IVs is not allowed in FIPS 140-only mode, use NewGCMWithRandomNonce") |
| } |
| return newGCM(cipher, gcmStandardNonceSize, tagSize) |
| } |
| |
| func newGCM(cipher Block, nonceSize, tagSize int) (AEAD, error) { |
| c, ok := cipher.(*aes.Block) |
| if !ok { |
| if fips140only.Enabled { |
| return nil, errors.New("crypto/cipher: use of GCM with non-AES ciphers is not allowed in FIPS 140-only mode") |
| } |
| return newGCMFallback(cipher, nonceSize, tagSize) |
| } |
| // We don't return gcm.New directly, because it would always return a non-nil |
| // AEAD interface value with type *gcm.GCM even if the *gcm.GCM is nil. |
| g, err := gcm.New(c, nonceSize, tagSize) |
| if err != nil { |
| return nil, err |
| } |
| return g, nil |
| } |
| |
| // NewGCMWithRandomNonce returns the given cipher wrapped in Galois Counter |
| // Mode, with randomly-generated nonces. The cipher must have been created by |
| // [crypto/aes.NewCipher]. |
| // |
| // It generates a random 96-bit nonce, which is prepended to the ciphertext by Seal, |
| // and is extracted from the ciphertext by Open. The NonceSize of the AEAD is zero, |
| // while the Overhead is 28 bytes (the combination of nonce size and tag size). |
| // |
| // A given key MUST NOT be used to encrypt more than 2^32 messages, to limit the |
| // risk of a random nonce collision to negligible levels. |
| func NewGCMWithRandomNonce(cipher Block) (AEAD, error) { |
| c, ok := cipher.(*aes.Block) |
| if !ok { |
| return nil, errors.New("cipher: NewGCMWithRandomNonce requires aes.Block") |
| } |
| g, err := gcm.New(c, gcmStandardNonceSize, gcmTagSize) |
| if err != nil { |
| return nil, err |
| } |
| return gcmWithRandomNonce{g}, nil |
| } |
| |
| type gcmWithRandomNonce struct { |
| *gcm.GCM |
| } |
| |
| func (g gcmWithRandomNonce) NonceSize() int { |
| return 0 |
| } |
| |
| func (g gcmWithRandomNonce) Overhead() int { |
| return gcmStandardNonceSize + gcmTagSize |
| } |
| |
| func (g gcmWithRandomNonce) Seal(dst, nonce, plaintext, additionalData []byte) []byte { |
| if len(nonce) != 0 { |
| panic("crypto/cipher: non-empty nonce passed to GCMWithRandomNonce") |
| } |
| |
| ret, out := sliceForAppend(dst, gcmStandardNonceSize+len(plaintext)+gcmTagSize) |
| if alias.InexactOverlap(out, plaintext) { |
| panic("crypto/cipher: invalid buffer overlap of output and input") |
| } |
| if alias.AnyOverlap(out, additionalData) { |
| panic("crypto/cipher: invalid buffer overlap of output and additional data") |
| } |
| nonce = out[:gcmStandardNonceSize] |
| ciphertext := out[gcmStandardNonceSize:] |
| |
| // The AEAD interface allows using plaintext[:0] or ciphertext[:0] as dst. |
| // |
| // This is kind of a problem when trying to prepend or trim a nonce, because the |
| // actual AES-GCTR blocks end up overlapping but not exactly. |
| // |
| // In Open, we write the output *before* the input, so unless we do something |
| // weird like working through a chunk of block backwards, it works out. |
| // |
| // In Seal, we could work through the input backwards or intentionally load |
| // ahead before writing. |
| // |
| // However, the crypto/internal/fips140/aes/gcm APIs also check for exact overlap, |
| // so for now we just do a memmove if we detect overlap. |
| // |
| // ┌───────────────────────────┬ ─ ─ |
| // │PPPPPPPPPPPPPPPPPPPPPPPPPPP│ │ |
| // └▽─────────────────────────▲┴ ─ ─ |
| // ╲ Seal ╲ |
| // ╲ Open ╲ |
| // ┌───▼─────────────────────────△──┐ |
| // │NN|CCCCCCCCCCCCCCCCCCCCCCCCCCC|T│ |
| // └────────────────────────────────┘ |
| // |
| if alias.AnyOverlap(out, plaintext) { |
| copy(ciphertext, plaintext) |
| plaintext = ciphertext[:len(plaintext)] |
| } |
| |
| gcm.SealWithRandomNonce(g.GCM, nonce, ciphertext, plaintext, additionalData) |
| return ret |
| } |
| |
| func (g gcmWithRandomNonce) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) { |
| if len(nonce) != 0 { |
| panic("crypto/cipher: non-empty nonce passed to GCMWithRandomNonce") |
| } |
| if len(ciphertext) < gcmStandardNonceSize+gcmTagSize { |
| return nil, errOpen |
| } |
| |
| ret, out := sliceForAppend(dst, len(ciphertext)-gcmStandardNonceSize-gcmTagSize) |
| if alias.InexactOverlap(out, ciphertext) { |
| panic("crypto/cipher: invalid buffer overlap of output and input") |
| } |
| if alias.AnyOverlap(out, additionalData) { |
| panic("crypto/cipher: invalid buffer overlap of output and additional data") |
| } |
| // See the discussion in Seal. Note that if there is any overlap at this |
| // point, it's because out = ciphertext, so out must have enough capacity |
| // even if we sliced the tag off. Also note how [AEAD] specifies that "the |
| // contents of dst, up to its capacity, may be overwritten". |
| if alias.AnyOverlap(out, ciphertext) { |
| nonce = make([]byte, gcmStandardNonceSize) |
| copy(nonce, ciphertext) |
| copy(out[:len(ciphertext)], ciphertext[gcmStandardNonceSize:]) |
| ciphertext = out[:len(ciphertext)-gcmStandardNonceSize] |
| } else { |
| nonce = ciphertext[:gcmStandardNonceSize] |
| ciphertext = ciphertext[gcmStandardNonceSize:] |
| } |
| |
| _, err := g.GCM.Open(out[:0], nonce, ciphertext, additionalData) |
| if err != nil { |
| return nil, err |
| } |
| return ret, nil |
| } |
| |
| // gcmAble is an interface implemented by ciphers that have a specific optimized |
| // implementation of GCM. crypto/aes doesn't use this anymore, and we'd like to |
| // eventually remove it. |
| type gcmAble interface { |
| NewGCM(nonceSize, tagSize int) (AEAD, error) |
| } |
| |
| func newGCMFallback(cipher Block, nonceSize, tagSize int) (AEAD, error) { |
| if tagSize < gcmMinimumTagSize || tagSize > gcmBlockSize { |
| return nil, errors.New("cipher: incorrect tag size given to GCM") |
| } |
| if nonceSize <= 0 { |
| return nil, errors.New("cipher: the nonce can't have zero length") |
| } |
| if cipher, ok := cipher.(gcmAble); ok { |
| return cipher.NewGCM(nonceSize, tagSize) |
| } |
| if cipher.BlockSize() != gcmBlockSize { |
| return nil, errors.New("cipher: NewGCM requires 128-bit block cipher") |
| } |
| return &gcmFallback{cipher: cipher, nonceSize: nonceSize, tagSize: tagSize}, nil |
| } |
| |
| // gcmFallback is only used for non-AES ciphers, which regrettably we |
| // theoretically support. It's a copy of the generic implementation from |
| // crypto/internal/fips140/aes/gcm/gcm_generic.go, refer to that file for more details. |
| type gcmFallback struct { |
| cipher Block |
| nonceSize int |
| tagSize int |
| } |
| |
| func (g *gcmFallback) NonceSize() int { |
| return g.nonceSize |
| } |
| |
| func (g *gcmFallback) Overhead() int { |
| return g.tagSize |
| } |
| |
| func (g *gcmFallback) Seal(dst, nonce, plaintext, additionalData []byte) []byte { |
| if len(nonce) != g.nonceSize { |
| panic("crypto/cipher: incorrect nonce length given to GCM") |
| } |
| if g.nonceSize == 0 { |
| panic("crypto/cipher: incorrect GCM nonce size") |
| } |
| if uint64(len(plaintext)) > uint64((1<<32)-2)*gcmBlockSize { |
| panic("crypto/cipher: message too large for GCM") |
| } |
| |
| ret, out := sliceForAppend(dst, len(plaintext)+g.tagSize) |
| if alias.InexactOverlap(out, plaintext) { |
| panic("crypto/cipher: invalid buffer overlap of output and input") |
| } |
| if alias.AnyOverlap(out, additionalData) { |
| panic("crypto/cipher: invalid buffer overlap of output and additional data") |
| } |
| |
| var H, counter, tagMask [gcmBlockSize]byte |
| g.cipher.Encrypt(H[:], H[:]) |
| deriveCounter(&H, &counter, nonce) |
| gcmCounterCryptGeneric(g.cipher, tagMask[:], tagMask[:], &counter) |
| |
| gcmCounterCryptGeneric(g.cipher, out, plaintext, &counter) |
| |
| var tag [gcmTagSize]byte |
| gcmAuth(tag[:], &H, &tagMask, out[:len(plaintext)], additionalData) |
| copy(out[len(plaintext):], tag[:]) |
| |
| return ret |
| } |
| |
| var errOpen = errors.New("cipher: message authentication failed") |
| |
| func (g *gcmFallback) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) { |
| if len(nonce) != g.nonceSize { |
| panic("crypto/cipher: incorrect nonce length given to GCM") |
| } |
| if g.tagSize < gcmMinimumTagSize { |
| panic("crypto/cipher: incorrect GCM tag size") |
| } |
| |
| if len(ciphertext) < g.tagSize { |
| return nil, errOpen |
| } |
| if uint64(len(ciphertext)) > uint64((1<<32)-2)*gcmBlockSize+uint64(g.tagSize) { |
| return nil, errOpen |
| } |
| |
| ret, out := sliceForAppend(dst, len(ciphertext)-g.tagSize) |
| if alias.InexactOverlap(out, ciphertext) { |
| panic("crypto/cipher: invalid buffer overlap of output and input") |
| } |
| if alias.AnyOverlap(out, additionalData) { |
| panic("crypto/cipher: invalid buffer overlap of output and additional data") |
| } |
| |
| var H, counter, tagMask [gcmBlockSize]byte |
| g.cipher.Encrypt(H[:], H[:]) |
| deriveCounter(&H, &counter, nonce) |
| gcmCounterCryptGeneric(g.cipher, tagMask[:], tagMask[:], &counter) |
| |
| tag := ciphertext[len(ciphertext)-g.tagSize:] |
| ciphertext = ciphertext[:len(ciphertext)-g.tagSize] |
| |
| var expectedTag [gcmTagSize]byte |
| gcmAuth(expectedTag[:], &H, &tagMask, ciphertext, additionalData) |
| if subtle.ConstantTimeCompare(expectedTag[:g.tagSize], tag) != 1 { |
| // We sometimes decrypt and authenticate concurrently, so we overwrite |
| // dst in the event of a tag mismatch. To be consistent across platforms |
| // and to avoid releasing unauthenticated plaintext, we clear the buffer |
| // in the event of an error. |
| clear(out) |
| return nil, errOpen |
| } |
| |
| gcmCounterCryptGeneric(g.cipher, out, ciphertext, &counter) |
| |
| return ret, nil |
| } |
| |
| func deriveCounter(H, counter *[gcmBlockSize]byte, nonce []byte) { |
| if len(nonce) == gcmStandardNonceSize { |
| copy(counter[:], nonce) |
| counter[gcmBlockSize-1] = 1 |
| } else { |
| lenBlock := make([]byte, 16) |
| byteorder.BEPutUint64(lenBlock[8:], uint64(len(nonce))*8) |
| J := gcm.GHASH(H, nonce, lenBlock) |
| copy(counter[:], J) |
| } |
| } |
| |
| func gcmCounterCryptGeneric(b Block, out, src []byte, counter *[gcmBlockSize]byte) { |
| var mask [gcmBlockSize]byte |
| for len(src) >= gcmBlockSize { |
| b.Encrypt(mask[:], counter[:]) |
| gcmInc32(counter) |
| |
| subtle.XORBytes(out, src, mask[:]) |
| out = out[gcmBlockSize:] |
| src = src[gcmBlockSize:] |
| } |
| if len(src) > 0 { |
| b.Encrypt(mask[:], counter[:]) |
| gcmInc32(counter) |
| subtle.XORBytes(out, src, mask[:]) |
| } |
| } |
| |
| func gcmInc32(counterBlock *[gcmBlockSize]byte) { |
| ctr := counterBlock[len(counterBlock)-4:] |
| byteorder.BEPutUint32(ctr, byteorder.BEUint32(ctr)+1) |
| } |
| |
| func gcmAuth(out []byte, H, tagMask *[gcmBlockSize]byte, ciphertext, additionalData []byte) { |
| lenBlock := make([]byte, 16) |
| byteorder.BEPutUint64(lenBlock[:8], uint64(len(additionalData))*8) |
| byteorder.BEPutUint64(lenBlock[8:], uint64(len(ciphertext))*8) |
| S := gcm.GHASH(H, additionalData, ciphertext, lenBlock) |
| subtle.XORBytes(out, S, tagMask[:]) |
| } |
| |
| // sliceForAppend takes a slice and a requested number of bytes. It returns a |
| // slice with the contents of the given slice followed by that many bytes and a |
| // second slice that aliases into it and contains only the extra bytes. If the |
| // original slice has sufficient capacity then no allocation is performed. |
| func sliceForAppend(in []byte, n int) (head, tail []byte) { |
| if total := len(in) + n; cap(in) >= total { |
| head = in[:total] |
| } else { |
| head = make([]byte, total) |
| copy(head, in) |
| } |
| tail = head[len(in):] |
| return |
| } |
