Package gcm

import "crypto/internal/fips140/aes/gcm"

func GHASH(key *[16]byte, inputs ...[]byte) []byte
func SealWithRandomNonce(g *GCM, nonce, out, plaintext, additionalData []byte)
type CMAC
    func NewCMAC(b *aes.Block) *CMAC
    func (c *CMAC) MAC(m []byte) [aes.BlockSize]byte
type CounterKDF
    func NewCounterKDF(b *aes.Block) *CounterKDF
    func (kdf *CounterKDF) DeriveKey(label byte, context [12]byte) [32]byte
type GCM
    func New(cipher *aes.Block, nonceSize, tagSize int) (*GCM, error)
    func (g *GCM) NonceSize() int
    func (g *GCM) Open(dst, nonce, ciphertext, data []byte) ([]byte, error)
    func (g *GCM) Overhead() int
    func (g *GCM) Seal(dst, nonce, plaintext, data []byte) []byte
type GCMWithCounterNonce
    func NewGCMForSSH(cipher *aes.Block) (*GCMWithCounterNonce, error)
    func NewGCMForTLS12(cipher *aes.Block) (*GCMWithCounterNonce, error)
    func NewGCMWithCounterNonce(cipher *aes.Block) (*GCMWithCounterNonce, error)
    func (g *GCMWithCounterNonce) NonceSize() int
    func (g *GCMWithCounterNonce) Open(dst, nonce, ciphertext, data []byte) ([]byte, error)
    func (g *GCMWithCounterNonce) Overhead() int
    func (g *GCMWithCounterNonce) Seal(dst, nonce, plaintext, data []byte) []byte
type GCMWithXORCounterNonce
    func NewGCMForHPKE(cipher *aes.Block) (*GCMWithXORCounterNonce, error)
    func NewGCMForQUIC(cipher *aes.Block, iv []byte) (*GCMWithXORCounterNonce, error)
    func NewGCMForTLS13(cipher *aes.Block) (*GCMWithXORCounterNonce, error)
    func NewGCMWithXORCounterNonce(cipher *aes.Block) (*GCMWithXORCounterNonce, error)
    func (g *GCMWithXORCounterNonce) NonceSize() int
    func (g *GCMWithXORCounterNonce) Open(dst, nonce, ciphertext, data []byte) ([]byte, error)
    func (g *GCMWithXORCounterNonce) Overhead() int
    func (g *GCMWithXORCounterNonce) Seal(dst, nonce, plaintext, data []byte) []byte
    func (g *GCMWithXORCounterNonce) SetNoncePrefixAndMask(nonce []byte) error

Package files

cast.go cmac.go ctrkdf.go gcm.go gcm_asm.go gcm_generic.go gcm_nonces.go ghash.go

func GHASH

func GHASH(key *[16]byte, inputs ...[]byte) []byte

GHASH is exposed to allow crypto/cipher to implement non-AES GCM modes. It is not allowed as a stand-alone operation in FIPS mode because it is not ACVP tested.

func SealWithRandomNonce

func SealWithRandomNonce(g *GCM, nonce, out, plaintext, additionalData []byte)

SealWithRandomNonce encrypts plaintext to out, and writes a random nonce to nonce. nonce must be 12 bytes, and out must be 16 bytes longer than plaintext. out and plaintext may overlap exactly or not at all. additionalData and out must not overlap.

This complies with FIPS 140-3 IG C.H Scenario 2.

Note that this is NOT a [cipher.AEAD].Seal method.

type CMAC

CMAC implements the CMAC mode from NIST SP 800-38B.

It is optimized for use in Counter KDF (SP 800-108r1) and XAES-256-GCM (https://c2sp.org/XAES-256-GCM), rather than for exposing it to applications as a stand-alone MAC.

type CMAC struct {
    // contains filtered or unexported fields
}

func NewCMAC

func NewCMAC(b *aes.Block) *CMAC

func (*CMAC) MAC

func (c *CMAC) MAC(m []byte) [aes.BlockSize]byte

type CounterKDF

CounterKDF implements a KDF in Counter Mode instantiated with CMAC-AES, according to NIST SP 800-108 Revision 1 Update 1, Section 4.1.

It produces a 256-bit output, and accepts an 8-bit Label and a 96-bit Context. It uses a counter of 16 bits placed before the fixed data. The fixed data is the sequence Label || 0x00 || Context. The L field is omitted, since the output key length is fixed.

It's optimized for use in XAES-256-GCM (https://c2sp.org/XAES-256-GCM), rather than for exposing it to applications as a stand-alone KDF.

type CounterKDF struct {
    // contains filtered or unexported fields
}

func NewCounterKDF

func NewCounterKDF(b *aes.Block) *CounterKDF

NewCounterKDF creates a new CounterKDF with the given key.

func (*CounterKDF) DeriveKey

func (kdf *CounterKDF) DeriveKey(label byte, context [12]byte) [32]byte

DeriveKey derives a key from the given label and context.
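The construction described above (SP 800-108r1 Counter Mode instantiated with CMAC-AES: a 16-bit big-endian counter before Label || 0x00 || Context, two CMAC blocks concatenated to a 256-bit key, no L field) can be written against the public crypto/aes and crypto/cipher packages, since this internal package cannot be imported directly. The following is an added example, not the package's own code; the function names cmac, dbl and deriveKey and the sample key and context are constructed here. CMAC itself (SP 800-38B) is implemented inline because the standard library does not export one.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// dbl doubles a 128-bit value in GF(2^128): shift left one bit and, if a bit
// fell off the top, reduce with the polynomial constant 0x87 (SP 800-38B, 6.1).
func dbl(v [16]byte) [16]byte {
	var out [16]byte
	var carry byte
	for i := 15; i >= 0; i-- {
		out[i] = v[i]<<1 | carry
		carry = v[i] >> 7
	}
	if carry != 0 {
		out[15] ^= 0x87
	}
	return out
}

// cmac computes CMAC (NIST SP 800-38B) over m with a 128-bit block cipher such
// as AES with any key size.
func cmac(b cipher.Block, m []byte) [16]byte {
	var l [16]byte
	b.Encrypt(l[:], l[:]) // L = E_K(0^128)
	k1 := dbl(l)          // K1 for a complete final block
	k2 := dbl(k1)         // K2 for a padded final block

	n := (len(m) + 15) / 16
	if n == 0 {
		n = 1 // an empty message is processed as a single padded block
	}
	var x [16]byte // CBC-MAC chaining state
	for i := 0; i < n-1; i++ {
		for j := range x {
			x[j] ^= m[i*16+j]
		}
		b.Encrypt(x[:], x[:])
	}
	// Final block: XOR with K1 if complete, otherwise pad with 10* and XOR with K2.
	var last [16]byte
	rest := m[(n-1)*16:]
	copy(last[:], rest)
	if len(rest) == 16 {
		for j := range last {
			last[j] ^= k1[j]
		}
	} else {
		last[len(rest)] = 0x80
		for j := range last {
			last[j] ^= k2[j]
		}
	}
	for j := range x {
		x[j] ^= last[j]
	}
	b.Encrypt(x[:], x[:])
	return x
}

// deriveKey is the Counter Mode KDF described in the text: for i = 1, 2,
//   K(i) = CMAC(K, [i]_16 || Label || 0x00 || Context)
// and the 256-bit output is K(1) || K(2). The 16-bit counter is big-endian and
// precedes the fixed data; no L field is included because the length is fixed.
func deriveKey(b cipher.Block, label byte, context [12]byte) [32]byte {
	var out [32]byte
	var in [2 + 1 + 1 + 12]byte
	in[2] = label
	in[3] = 0x00
	copy(in[4:], context[:])
	for i := uint16(1); i <= 2; i++ {
		binary.BigEndian.PutUint16(in[:2], i)
		block := cmac(b, in[:])
		copy(out[(int(i)-1)*16:], block[:])
	}
	return out
}

func main() {
	// Constructed sample inputs: a 256-bit key of 0x01 bytes, label 'X' and a
	// 96-bit context, the shape of inputs this KDF receives in XAES-256-GCM.
	key := make([]byte, 32)
	for i := range key {
		key[i] = 0x01
	}
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	var ctx [12]byte
	copy(ctx[:], "ABCDEFGHIJKL")
	k := deriveKey(b, 'X', ctx)
	fmt.Println("derived key:", hex.EncodeToString(k[:]))
}
```

The CMAC routine can be checked against the RFC 4493 AES-128 test vectors; deriveKey is then just two CMAC calls over inputs that differ only in the leading counter, which is why a distinct label or context yields an unrelated key.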

type GCM

GCM represents a Galois Counter Mode with a specific key.

type GCM struct {
    // contains filtered or unexported fields
}

func New

func New(cipher *aes.Block, nonceSize, tagSize int) (*GCM, error)

func (*GCM) NonceSize

func (g *GCM) NonceSize() int

func (*GCM) Open

func (g *GCM) Open(dst, nonce, ciphertext, data []byte) ([]byte, error)

func (*GCM) Overhead

func (g *GCM) Overhead() int

func (*GCM) Seal

func (g *GCM) Seal(dst, nonce, plaintext, data []byte) []byte

type GCMWithCounterNonce

type GCMWithCounterNonce struct {
    // contains filtered or unexported fields
}

func NewGCMForSSH

func NewGCMForSSH(cipher *aes.Block) (*GCMWithCounterNonce, error)

NewGCMForSSH returns a new AEAD that works like GCM, but enforces the construction of nonces as specified in RFC 5647.

This complies with FIPS 140-3 IG C.H Scenario 1.d.

func NewGCMForTLS12

func NewGCMForTLS12(cipher *aes.Block) (*GCMWithCounterNonce, error)

NewGCMForTLS12 returns a new AEAD that works like GCM, but enforces the construction of nonces as specified in RFC 5288, Section 3 and RFC 9325, Section 7.2.1.

This complies with FIPS 140-3 IG C.H Scenario 1.a.

func NewGCMWithCounterNonce

func NewGCMWithCounterNonce(cipher *aes.Block) (*GCMWithCounterNonce, error)

NewGCMWithCounterNonce returns a new AEAD that works like GCM, but enforces the construction of deterministic nonces. The nonce must be 96 bits, the first 32 bits must be an encoding of the module name, and the last 64 bits must be a counter. The starting value of the counter is set on the first call to Seal, and each subsequent call must increment it as a big-endian uint64. If the counter reaches the starting value minus one, Seal will panic.

This complies with FIPS 140-3 IG C.H Scenario 3.
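The nonce discipline just described (96-bit nonce, fixed 32-bit prefix, 64-bit big-endian counter whose start value is fixed by the first Seal, strictly increasing thereafter, and refused once it comes back around to the start value minus one) can be layered over a standard AES-GCM AEAD from crypto/cipher. The following is an added example, not this package's code: the type counterNonceAEAD, the helper counterNonce, the sample key and the prefix value are constructed here, and the wrapper returns errors where the package panics so every check can be exercised.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// counterNonceAEAD is an illustrative wrapper (not the package's type) that
// applies the GCMWithCounterNonce rules to a standard AES-GCM AEAD. Like the
// original, it is not safe for concurrent use.
type counterNonceAEAD struct {
	aead   cipher.AEAD
	ready  bool   // prefix and start are fixed by the first Seal
	prefix uint32 // first 32 bits of every nonce (module name encoding)
	start  uint64 // counter carried by the first nonce
	next   uint64 // smallest acceptable counter, relative to start
}

func newCounterNonceAEAD(key []byte) (*counterNonceAEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &counterNonceAEAD{aead: aead}, nil
}

// checkNonce enforces the nonce rules and records the counter on success.
func (c *counterNonceAEAD) checkNonce(nonce []byte) error {
	if len(nonce) != 12 {
		return errors.New("nonce must be 96 bits")
	}
	prefix := binary.BigEndian.Uint32(nonce[:4])
	counter := binary.BigEndian.Uint64(nonce[4:])
	if !c.ready {
		// The first Seal fixes the module name encoding and the start value.
		c.ready, c.prefix, c.start = true, prefix, counter
	}
	if prefix != c.prefix {
		return errors.New("nonce prefix (module name) changed")
	}
	// Work relative to the start value: incrementing a uint64 may pass 2^64,
	// but the counter must never come back around to start-1, because the
	// next increment would repeat the very first nonce under this key.
	rel := counter - c.start
	if rel == math.MaxUint64 {
		return errors.New("nonce counter reached start-1: key exhausted")
	}
	if rel < c.next {
		return errors.New("nonce counter did not increase")
	}
	c.next = rel + 1
	return nil
}

// Seal refuses to encrypt under a nonce that breaks the discipline.
func (c *counterNonceAEAD) Seal(dst, nonce, plaintext, additionalData []byte) ([]byte, error) {
	if err := c.checkNonce(nonce); err != nil {
		return nil, err
	}
	return c.aead.Seal(dst, nonce, plaintext, additionalData), nil
}

// Open needs no nonce bookkeeping: only the encrypting side can reuse a nonce.
func (c *counterNonceAEAD) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
	return c.aead.Open(dst, nonce, ciphertext, additionalData)
}

// counterNonce builds prefix || big-endian counter as a 96-bit nonce.
func counterNonce(prefix uint32, counter uint64) []byte {
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint32(nonce[:4], prefix)
	binary.BigEndian.PutUint64(nonce[4:], counter)
	return nonce
}

func main() {
	key := make([]byte, 16) // constructed all-zero key; illustration only
	c, err := newCounterNonceAEAD(key)
	if err != nil {
		panic(err)
	}
	const prefix = 0x01020304 // constructed module name encoding
	for ctr := uint64(100); ctr < 103; ctr++ {
		ct, err := c.Seal(nil, counterNonce(prefix, ctr), []byte("hello"), nil)
		fmt.Printf("counter %d: err=%v ciphertext=%d bytes\n", ctr, err, len(ct))
	}
	_, err = c.Seal(nil, counterNonce(prefix, 102), []byte("again"), nil)
	fmt.Println("reused counter:", err)
	_, err = c.Seal(nil, counterNonce(prefix, 99), []byte("wrapped"), nil)
	fmt.Println("start-1:", err)
}
```

Because the comparison is made relative to the start value, the check is a strictly-increasing check in the modular sense; what it rules out is exactly a repeated counter under the same prefix and the one value (start-1) past which repetition becomes unavoidable.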

func (*GCMWithCounterNonce) NonceSize

func (g *GCMWithCounterNonce) NonceSize() int

func (*GCMWithCounterNonce) Open

func (g *GCMWithCounterNonce) Open(dst, nonce, ciphertext, data []byte) ([]byte, error)

func (*GCMWithCounterNonce) Overhead

func (g *GCMWithCounterNonce) Overhead() int

func (*GCMWithCounterNonce) Seal

func (g *GCMWithCounterNonce) Seal(dst, nonce, plaintext, data []byte) []byte

Seal implements the [cipher.AEAD] interface, checking that the nonce prefix is stable and that the counter is strictly increasing.

It is not safe for concurrent use.

type GCMWithXORCounterNonce

type GCMWithXORCounterNonce struct {
    // contains filtered or unexported fields
}

func NewGCMForHPKE

func NewGCMForHPKE(cipher *aes.Block) (*GCMWithXORCounterNonce, error)

NewGCMForHPKE returns a new AEAD that works like GCM, but enforces the construction of nonces as specified in RFC 9180, Section 5.2.

This complies with FIPS 140-3 IG C.H Scenario 5.

func NewGCMForQUIC

func NewGCMForQUIC(cipher *aes.Block, iv []byte) (*GCMWithXORCounterNonce, error)

NewGCMForQUIC returns a new AEAD that works like GCM, but enforces the construction of nonces as specified in RFC 9001, Section 5.3.

Unlike in TLS 1.3, the QUIC nonce counter does not always start at zero, as the packet number does not reset on key updates, so the XOR mask must be provided explicitly instead of being learned on the first Seal call. Note that the nonce passed to Seal must already be XOR'd with the IV; the IV is provided here only to allow Seal to enforce that the counter is strictly increasing.

This complies with FIPS 140-3 IG C.H Scenario 5.

func NewGCMForTLS13

func NewGCMForTLS13(cipher *aes.Block) (*GCMWithXORCounterNonce, error)

NewGCMForTLS13 returns a new AEAD that works like GCM, but enforces the construction of nonces as specified in RFC 8446, Section 5.3.

This complies with FIPS 140-3 IG C.H Scenario 1.a.

func NewGCMWithXORCounterNonce

func NewGCMWithXORCounterNonce(cipher *aes.Block) (*GCMWithXORCounterNonce, error)

NewGCMWithXORCounterNonce returns a new AEAD that works like GCM, but enforces the construction of deterministic nonces. The nonce must be 96 bits, the first 32 bits must be an encoding of the module name, and the last 64 bits must be a counter XOR'd with a fixed value. The module name and XOR mask can be set with [GCMWithXORCounterNonce.SetNoncePrefixAndMask], or they are set on the first call to Seal, assuming the counter starts at zero. Each subsequent call must increment the counter as a big-endian uint64. If the counter reaches 2⁶⁴ minus one, Seal will panic.

This complies with FIPS 140-3 IG C.H Scenario 3.

func (*GCMWithXORCounterNonce) NonceSize

func (g *GCMWithXORCounterNonce) NonceSize() int

func (*GCMWithXORCounterNonce) Open

func (g *GCMWithXORCounterNonce) Open(dst, nonce, ciphertext, data []byte) ([]byte, error)

func (*GCMWithXORCounterNonce) Overhead

func (g *GCMWithXORCounterNonce) Overhead() int

func (*GCMWithXORCounterNonce) Seal

func (g *GCMWithXORCounterNonce) Seal(dst, nonce, plaintext, data []byte) []byte

Seal implements the [cipher.AEAD] interface, checking that the nonce prefix is stable and that the counter is strictly increasing.

It is not safe for concurrent use.

func (*GCMWithXORCounterNonce) SetNoncePrefixAndMask

func (g *GCMWithXORCounterNonce) SetNoncePrefixAndMask(nonce []byte) error

SetNoncePrefixAndMask sets the fixed prefix and XOR mask for the nonces used in Seal. It must be called before the first call to Seal.

The first 32 bits of nonce are used as the fixed prefix, and the last 64 bits are used as the XOR mask.

Note that Seal expects the nonce to be already XOR'd with the mask. The mask is provided here only to allow Seal to enforce that the counter is strictly increasing.
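The XOR-counter discipline described for NewGCMWithXORCounterNonce, NewGCMForQUIC and SetNoncePrefixAndMask above (prefix and mask either set up front, or learned from the first Seal on the assumption that its counter is zero; Seal receives the already-masked nonce and recovers the counter by XORing the mask back out; the counter must strictly increase and may never reach 2⁶⁴ minus one) can likewise be layered over a standard AES-GCM AEAD. The following is an added example, not this package's code: the type xorCounterNonceAEAD, its method setNoncePrefixAndMask, the helper xorNonce, and the sample key and IV are constructed here, and errors stand in for the package's panics. xorNonce forms the nonce the way RFC 8446 Section 5.3 and RFC 9001 Section 5.3 describe: the 64-bit sequence or packet number, left-padded to 96 bits, XORed with the IV.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// xorCounterNonceAEAD is an illustrative wrapper (not the package's type)
// applying the GCMWithXORCounterNonce rules to a standard AES-GCM AEAD.
// Not safe for concurrent use.
type xorCounterNonceAEAD struct {
	aead   cipher.AEAD
	ready  bool   // prefix and mask are fixed (explicitly or by the first Seal)
	prefix uint32 // first 32 bits of every nonce
	mask   uint64 // value XORed into the 64-bit counter
	next   uint64 // smallest acceptable unmasked counter
}

func newXORCounterNonceAEAD(key []byte) (*xorCounterNonceAEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &xorCounterNonceAEAD{aead: aead}, nil
}

// setNoncePrefixAndMask mirrors SetNoncePrefixAndMask: the first 32 bits of
// iv become the fixed prefix and the last 64 bits the XOR mask. It is only
// valid before the first Seal. QUIC needs this because the packet number
// does not start at zero after a key update, so the mask cannot be inferred.
func (x *xorCounterNonceAEAD) setNoncePrefixAndMask(iv []byte) error {
	if len(iv) != 12 {
		return errors.New("prefix and mask must be 96 bits")
	}
	if x.ready {
		return errors.New("must be called before the first Seal")
	}
	x.prefix = binary.BigEndian.Uint32(iv[:4])
	x.mask = binary.BigEndian.Uint64(iv[4:])
	x.ready = true
	return nil
}

func (x *xorCounterNonceAEAD) checkNonce(nonce []byte) error {
	if len(nonce) != 12 {
		return errors.New("nonce must be 96 bits")
	}
	if !x.ready {
		// TLS 1.3 case: the first record has sequence number 0, so its nonce
		// is the IV itself and therefore reveals prefix and mask.
		x.prefix = binary.BigEndian.Uint32(nonce[:4])
		x.mask = binary.BigEndian.Uint64(nonce[4:])
		x.ready = true
	}
	if binary.BigEndian.Uint32(nonce[:4]) != x.prefix {
		return errors.New("nonce prefix changed")
	}
	counter := binary.BigEndian.Uint64(nonce[4:]) ^ x.mask // undo the mask
	if counter == math.MaxUint64 {
		return errors.New("nonce counter reached 2^64-1: key exhausted")
	}
	if counter < x.next {
		return errors.New("nonce counter did not increase")
	}
	x.next = counter + 1
	return nil
}

func (x *xorCounterNonceAEAD) Seal(dst, nonce, plaintext, additionalData []byte) ([]byte, error) {
	if err := x.checkNonce(nonce); err != nil {
		return nil, err
	}
	return x.aead.Seal(dst, nonce, plaintext, additionalData), nil
}

func (x *xorCounterNonceAEAD) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
	return x.aead.Open(dst, nonce, ciphertext, additionalData)
}

// xorNonce left-pads the 64-bit sequence/packet number to 96 bits and XORs it
// with the IV, as TLS 1.3 and QUIC do.
func xorNonce(iv [12]byte, seq uint64) []byte {
	nonce := make([]byte, 12)
	copy(nonce, iv[:])
	var padded [8]byte
	binary.BigEndian.PutUint64(padded[:], seq)
	for i := range padded {
		nonce[4+i] ^= padded[i]
	}
	return nonce
}

func main() {
	key := make([]byte, 32) // constructed all-zero key; illustration only
	iv := [12]byte{0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4, 5, 6, 7, 8}
	q, err := newXORCounterNonceAEAD(key)
	if err != nil {
		panic(err)
	}
	// QUIC-style: mask given explicitly, first packet number need not be zero.
	fmt.Println("set mask:", q.setNoncePrefixAndMask(iv[:]))
	_, err = q.Seal(nil, xorNonce(iv, 1000), []byte("packet"), nil)
	fmt.Println("packet 1000:", err)
	_, err = q.Seal(nil, xorNonce(iv, 1000), []byte("packet"), nil)
	fmt.Println("packet 1000 again:", err)
}
```

Had the QUIC-style instance skipped setNoncePrefixAndMask, the first Seal at packet number 1000 would have been taken as counter zero and the mask learned wrongly; every later nonce would then decode to an unrelated counter and the strictly-increasing check would no longer mean anything, which is why the IV must be supplied up front in that case.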