const (
gcmBlockSize = 16
gcmTagSize = 16
+ gcmMinimumTagSize = 12 // NIST SP 800-38D recommends tags with 12 or more bytes.
gcmStandardNonceSize = 12
)
// NewGCM returns the AES cipher wrapped in Galois Counter Mode. This is only
// called by crypto/cipher.NewGCM via the gcmAble interface.
-func (c *aesCipherGCM) NewGCM(nonceSize int) (cipher.AEAD, error) {
- g := &gcmAsm{ks: c.enc, nonceSize: nonceSize}
+func (c *aesCipherGCM) NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) {
+ g := &gcmAsm{ks: c.enc, nonceSize: nonceSize, tagSize: tagSize}
gcmAesInit(&g.productTable, g.ks)
return g, nil
}
productTable [256]byte
// nonceSize contains the expected size of the nonce, in bytes.
nonceSize int
+ // tagSize contains the size of the tag, in bytes.
+ tagSize int
}
func (g *gcmAsm) NonceSize() int {
return g.nonceSize
}
-func (*gcmAsm) Overhead() int {
- return gcmTagSize
+func (g *gcmAsm) Overhead() int {
+ return g.tagSize
}
// sliceForAppend takes a slice and a requested number of bytes. It returns a
var tagOut [gcmTagSize]byte
gcmAesData(&g.productTable, data, &tagOut)
- ret, out := sliceForAppend(dst, len(plaintext)+gcmTagSize)
+ ret, out := sliceForAppend(dst, len(plaintext)+g.tagSize)
if len(plaintext) > 0 {
gcmAesEnc(&g.productTable, out, plaintext, &counter, &tagOut, g.ks)
}
if len(nonce) != g.nonceSize {
panic("cipher: incorrect nonce length given to GCM")
}
+ // Sanity check to prevent the authentication from always succeeding if an implementation
+ // leaves tagSize uninitialized, for example.
+ if g.tagSize < gcmMinimumTagSize {
+ panic("cipher: incorrect GCM tag size")
+ }
- if len(ciphertext) < gcmTagSize {
+ if len(ciphertext) < g.tagSize {
return nil, errOpen
}
- if uint64(len(ciphertext)) > ((1<<32)-2)*BlockSize+gcmTagSize {
+ if uint64(len(ciphertext)) > ((1<<32)-2)*uint64(BlockSize)+uint64(g.tagSize) {
return nil, errOpen
}
- tag := ciphertext[len(ciphertext)-gcmTagSize:]
- ciphertext = ciphertext[:len(ciphertext)-gcmTagSize]
+ tag := ciphertext[len(ciphertext)-g.tagSize:]
+ ciphertext = ciphertext[:len(ciphertext)-g.tagSize]
// See GCM spec, section 7.1.
var counter, tagMask [gcmBlockSize]byte
}
gcmAesFinish(&g.productTable, &tagMask, &expectedTag, uint64(len(ciphertext)), uint64(len(data)))
- if subtle.ConstantTimeCompare(expectedTag[:], tag) != 1 {
+ if subtle.ConstantTimeCompare(expectedTag[:g.tagSize], tag) != 1 {
for i := range out {
out[i] = 0
}
block *aesCipherAsm
hashKey gcmHashKey
nonceSize int
+ tagSize int
}
const (
gcmBlockSize = 16
gcmTagSize = 16
+ gcmMinimumTagSize = 12 // NIST SP 800-38D recommends tags with 12 or more bytes.
gcmStandardNonceSize = 12
)
// NewGCM returns the AES cipher wrapped in Galois Counter Mode. This is only
// called by crypto/cipher.NewGCM via the gcmAble interface.
-func (c *aesCipherAsm) NewGCM(nonceSize int) (cipher.AEAD, error) {
+func (c *aesCipherAsm) NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) {
var hk gcmHashKey
c.Encrypt(hk[:], hk[:])
g := gcmAsm{
block: c,
hashKey: hk,
nonceSize: nonceSize,
+ tagSize: tagSize,
}
if hasKMA {
g := gcmKMA{g}
return g.nonceSize
}
-func (*gcmAsm) Overhead() int {
- return gcmTagSize
+func (g *gcmAsm) Overhead() int {
+ return g.tagSize
}
// sliceForAppend takes a slice and a requested number of bytes. It returns a
panic("cipher: message too large for GCM")
}
- ret, out := sliceForAppend(dst, len(plaintext)+gcmTagSize)
+ ret, out := sliceForAppend(dst, len(plaintext)+g.tagSize)
counter := g.deriveCounter(nonce)
g.block.Encrypt(tagMask[:], counter[:])
counter.inc()
+ var tagOut [gcmTagSize]byte
g.counterCrypt(out, plaintext, &counter)
- g.auth(out[len(plaintext):], out[:len(plaintext)], data, &tagMask)
+ g.auth(tagOut[:], out[:len(plaintext)], data, &tagMask)
+ copy(out[len(plaintext):], tagOut[:])
return ret
}
if len(nonce) != g.nonceSize {
panic("cipher: incorrect nonce length given to GCM")
}
- if len(ciphertext) < gcmTagSize {
+ // Sanity check to prevent the authentication from always succeeding if an implementation
+ // leaves tagSize uninitialized, for example.
+ if g.tagSize < gcmMinimumTagSize {
+ panic("cipher: incorrect GCM tag size")
+ }
+ if len(ciphertext) < g.tagSize {
return nil, errOpen
}
- if uint64(len(ciphertext)) > ((1<<32)-2)*BlockSize+gcmTagSize {
+ if uint64(len(ciphertext)) > ((1<<32)-2)*uint64(BlockSize)+uint64(g.tagSize) {
return nil, errOpen
}
- tag := ciphertext[len(ciphertext)-gcmTagSize:]
- ciphertext = ciphertext[:len(ciphertext)-gcmTagSize]
+ tag := ciphertext[len(ciphertext)-g.tagSize:]
+ ciphertext = ciphertext[:len(ciphertext)-g.tagSize]
counter := g.deriveCounter(nonce)
ret, out := sliceForAppend(dst, len(ciphertext))
- if subtle.ConstantTimeCompare(expectedTag[:], tag) != 1 {
+ if subtle.ConstantTimeCompare(expectedTag[:g.tagSize], tag) != 1 {
// The AESNI code decrypts and authenticates concurrently, and
// so overwrites dst in the event of a tag mismatch. That
// behavior is mimicked here in order to be consistent across
panic("cipher: message too large for GCM")
}
- ret, out := sliceForAppend(dst, len(plaintext)+gcmTagSize)
+ ret, out := sliceForAppend(dst, len(plaintext)+g.tagSize)
counter := g.deriveCounter(nonce)
fc := g.block.function | kmaLAAD | kmaLPC
if len(nonce) != g.nonceSize {
panic("cipher: incorrect nonce length given to GCM")
}
- if len(ciphertext) < gcmTagSize {
+ if len(ciphertext) < g.tagSize {
return nil, errOpen
}
- if uint64(len(ciphertext)) > ((1<<32)-2)*BlockSize+gcmTagSize {
+ if uint64(len(ciphertext)) > ((1<<32)-2)*uint64(BlockSize)+uint64(g.tagSize) {
return nil, errOpen
}
- tag := ciphertext[len(ciphertext)-gcmTagSize:]
- ciphertext = ciphertext[:len(ciphertext)-gcmTagSize]
+ tag := ciphertext[len(ciphertext)-g.tagSize:]
+ ciphertext = ciphertext[:len(ciphertext)-g.tagSize]
ret, out := sliceForAppend(dst, len(ciphertext))
+ if g.tagSize < gcmMinimumTagSize {
+ panic("cipher: incorrect GCM tag size")
+ }
+
counter := g.deriveCounter(nonce)
fc := g.block.function | kmaLAAD | kmaLPC | kmaDecrypt
var expectedTag [gcmTagSize]byte
kmaGCM(fc, g.block.key, out[:len(ciphertext)], ciphertext, data, &expectedTag, &counter)
- if subtle.ConstantTimeCompare(expectedTag[:], tag) != 1 {
+ if subtle.ConstantTimeCompare(expectedTag[:g.tagSize], tag) != 1 {
// The AESNI code decrypts and authenticates concurrently, and
// so overwrites dst in the event of a tag mismatch. That
// behavior is mimicked here in order to be consistent across
// implementation of GCM through the AEAD interface.
// See crypto/cipher/gcm.go.
type gcmAble interface {
- NewGCM(size int) (cipher.AEAD, error)
+ NewGCM(nonceSize, tagSize int) (cipher.AEAD, error)
}
// cbcEncAble is implemented by cipher.Blocks that can provide an optimized
func (*testBlock) BlockSize() int { return 0 }
func (*testBlock) Encrypt(a, b []byte) {}
func (*testBlock) Decrypt(a, b []byte) {}
-func (*testBlock) NewGCM(int) (cipher.AEAD, error) {
+func (*testBlock) NewGCM(int, int) (cipher.AEAD, error) {
return &testAEAD{}, nil
}
func (*testBlock) NewCBCEncrypter([]byte) cipher.BlockMode {
// implementation of GCM, like crypto/aes. NewGCM will check for this interface
// and return the specific AEAD if found.
type gcmAble interface {
- NewGCM(int) (AEAD, error)
+ NewGCM(nonceSize, tagSize int) (AEAD, error)
}
// gcmFieldElement represents a value in GF(2¹²⁸). In order to reflect the GCM
type gcm struct {
cipher Block
nonceSize int
+ tagSize int
// productTable contains the first sixteen powers of the key, H.
// However, they are in bit reversed order. See NewGCMWithNonceSize.
productTable [16]gcmFieldElement
// An exception is when the underlying Block was created by aes.NewCipher
// on systems with hardware support for AES. See the crypto/aes package documentation for details.
func NewGCM(cipher Block) (AEAD, error) {
- return NewGCMWithNonceSize(cipher, gcmStandardNonceSize)
+ return NewGCMWithNonceAndTagSize(cipher, gcmStandardNonceSize, gcmTagSize)
}
// NewGCMWithNonceSize returns the given 128-bit, block cipher wrapped in Galois
// cryptosystem that uses non-standard nonce lengths. All other users should use
// NewGCM, which is faster and more resistant to misuse.
func NewGCMWithNonceSize(cipher Block, size int) (AEAD, error) {
+ return NewGCMWithNonceAndTagSize(cipher, size, gcmTagSize)
+}
+
+// NewGCMWithNonceAndTagSize returns the given 128-bit, block cipher wrapped in Galois
+// Counter Mode, which accepts nonces of the given length and generates tags with the given length.
+//
+// Tag sizes between 12 and 16 bytes are allowed.
+//
+// Only use this function if you require compatibility with an existing
+// cryptosystem that uses non-standard tag lengths. All other users should use
+// NewGCM, which is more resistant to misuse.
+func NewGCMWithNonceAndTagSize(cipher Block, nonceSize, tagSize int) (AEAD, error) {
+ if tagSize < gcmMinimumTagSize || tagSize > gcmBlockSize {
+ return nil, errors.New("cipher: incorrect tag size given to GCM")
+ }
+
if cipher, ok := cipher.(gcmAble); ok {
- return cipher.NewGCM(size)
+ return cipher.NewGCM(nonceSize, tagSize)
}
if cipher.BlockSize() != gcmBlockSize {
var key [gcmBlockSize]byte
cipher.Encrypt(key[:], key[:])
- g := &gcm{cipher: cipher, nonceSize: size}
+ g := &gcm{cipher: cipher, nonceSize: nonceSize, tagSize: tagSize}
// We precompute 16 multiples of |key|. However, when we do lookups
// into this table we'll be using bits from a field element and
const (
gcmBlockSize = 16
gcmTagSize = 16
+ gcmMinimumTagSize = 12 // NIST SP 800-38D recommends tags with 12 or more bytes.
gcmStandardNonceSize = 12
)
return g.nonceSize
}
-func (*gcm) Overhead() int {
- return gcmTagSize
+func (g *gcm) Overhead() int {
+ return g.tagSize
}
func (g *gcm) Seal(dst, nonce, plaintext, data []byte) []byte {
panic("cipher: message too large for GCM")
}
- ret, out := sliceForAppend(dst, len(plaintext)+gcmTagSize)
+ ret, out := sliceForAppend(dst, len(plaintext)+g.tagSize)
var counter, tagMask [gcmBlockSize]byte
g.deriveCounter(&counter, nonce)
gcmInc32(&counter)
g.counterCrypt(out, plaintext, &counter)
- g.auth(out[len(plaintext):], out[:len(plaintext)], data, &tagMask)
+
+ var tag [gcmTagSize]byte
+ g.auth(tag[:], out[:len(plaintext)], data, &tagMask)
+ copy(out[len(plaintext):], tag[:])
return ret
}
if len(nonce) != g.nonceSize {
panic("cipher: incorrect nonce length given to GCM")
}
+ // Sanity check to prevent the authentication from always succeeding if an implementation
+ // leaves tagSize uninitialized, for example.
+ if g.tagSize < gcmMinimumTagSize {
+ panic("cipher: incorrect GCM tag size")
+ }
- if len(ciphertext) < gcmTagSize {
+ if len(ciphertext) < g.tagSize {
return nil, errOpen
}
- if uint64(len(ciphertext)) > ((1<<32)-2)*uint64(g.cipher.BlockSize())+gcmTagSize {
+ if uint64(len(ciphertext)) > ((1<<32)-2)*uint64(g.cipher.BlockSize())+uint64(g.tagSize) {
return nil, errOpen
}
- tag := ciphertext[len(ciphertext)-gcmTagSize:]
- ciphertext = ciphertext[:len(ciphertext)-gcmTagSize]
+ tag := ciphertext[len(ciphertext)-g.tagSize:]
+ ciphertext = ciphertext[:len(ciphertext)-g.tagSize]
var counter, tagMask [gcmBlockSize]byte
g.deriveCounter(&counter, nonce)
ret, out := sliceForAppend(dst, len(ciphertext))
- if subtle.ConstantTimeCompare(expectedTag[:], tag) != 1 {
+ if subtle.ConstantTimeCompare(expectedTag[:g.tagSize], tag) != 1 {
// The AESNI code decrypts and authenticates concurrently, and
// so overwrites dst in the event of a tag mismatch. That
// behavior is mimicked here in order to be consistent across
"0feccdfae8ed65fa31a0858a1c466f79e8aa658c2f3ba93c3f92158b4e30955e1c62580450beff",
"b69a7e17bb5af688883274550a4ded0d1aff49a0b18343f4b382f745c163f7f714c9206a32a1ff012427e19431951edd0a755e5f491b0eedfd7df68bbc6085dd2888607a2f998c3e881eb1694109250db28291e71f4ad344a125624fb92e16ea9815047cd1111cabfdc9cb8c3b4b0f40aa91d31774009781231400789ed545404af6c3f76d07ddc984a7bd8f52728159782832e298cc4d529be96d17be898efd83e44dc7b0e2efc645849fd2bba61fef0ae7be0dcab233cc4e2b7ba4e887de9c64b97f2a1818aa54371a8d629dae37975f7784e5e3cc77055ed6e975b1e5f55e6bbacdc9f295ce4ada2c16113cd5b323cf78b7dde39f4a87aa8c141a31174e3584ccbd380cf5ec6d1dba539928b084fa9683e9c0953acf47cc3ac384a2c38914f1da01fb2cfd78905c2b58d36b2574b9df15535d82",
},
+ // These cases test non-standard tag sizes.
+ {
+ "89c54b0d3bc3c397d5039058c220685f",
+ "bc7f45c00868758d62d4bb4d",
+ "582670b0baf5540a3775b6615605bd05",
+ "48d16cda0337105a50e2ed76fd18e114",
+ "fc2d4c4eee2209ddbba6663c02765e6955e783b00156f5da0446e2970b877f",
+ },
+ {
+ "bad6049678bf75c9087b3e3ae7e72c13",
+ "a0a017b83a67d8f1b883e561",
+ "a1be93012f05a1958440f74a5311f4a1",
+ "f7c27b51d5367161dc2ff1e9e3edc6f2",
+ "36f032f7e3dc3275ca22aedcdc68436b99a2227f8bb69d45ea5d8842cd08",
+ },
+ {
+ "66a3c722ccf9709525650973ecc100a9",
+ "1621d42d3a6d42a2d2bf9494",
+ "61fa9dbbed2190fbc2ffabf5d2ea4ff8",
+ "d7a9b6523b8827068a6354a6d166c6b9",
+ "fef3b20f40e08a49637cc82f4c89b8603fd5c0132acfab97b5fff651c4",
+ },
+ {
+ "562ae8aadb8d23e0f271a99a7d1bd4d1",
+ "f7a5e2399413b89b6ad31aff",
+ "bbdc3504d803682aa08a773cde5f231a",
+ "2b9680b886b3efb7c6354b38c63b5373",
+ "e2b7e5ed5ff27fc8664148f5a628a46dcbf2015184fffb82f2651c36",
+ },
}
func TestAESGCM(t *testing.T) {
nonce, _ := hex.DecodeString(test.nonce)
plaintext, _ := hex.DecodeString(test.plaintext)
ad, _ := hex.DecodeString(test.ad)
- aesgcm, err := cipher.NewGCMWithNonceSize(aes, len(nonce))
+ tagSize := (len(test.result) - len(test.plaintext)) / 2
+ aesgcm, err := cipher.NewGCMWithNonceAndTagSize(aes, len(nonce), tagSize)
if err != nil {
t.Fatal(err)
}
}
}
+func TestGCMInvalidTagSize(t *testing.T) {
+ key, _ := hex.DecodeString("ab72c77b97cb5fe9a382d9fe81ffdbed")
+ nonce, _ := hex.DecodeString("54cc7dc2c37ec006bcc6d1db")
+
+ aes, _ := aes.NewCipher(key)
+
+ for _, tagSize := range []int{0, 1, aes.BlockSize() + 1} {
+ aesgcm, err := cipher.NewGCMWithNonceAndTagSize(aes, len(nonce), tagSize)
+ if aesgcm != nil || err == nil {
+ t.Fatalf("NewGCMWithNonceAndTagSize was successful with an invalid %d-byte tag size", tagSize)
+ }
+ }
+}
+
func TestTagFailureOverwrite(t *testing.T) {
// The AESNI GCM code decrypts and authenticates concurrently and so
// overwrites the output buffer before checking the authentication tag.