From 7eb1677c01c3decc510270d532ed69d0bf42bffa Mon Sep 17 00:00:00 2001 From: Filippo Valsorda Date: Fri, 3 Aug 2018 19:37:45 -0400 Subject: [PATCH] [dev.boringcrypto] crypto/internal/boring: fix aesCipher implementation of gcmAble In CL 48510 the gcmAble interface was changed to include the tag size. The BoringCrypto aesCipher implementation wasn't updated, causing a failed type assertion and consequently a performance degradation. Change-Id: Ie5cff9ef242218d60f82795f3eb6760a57fe06f5 Reviewed-on: https://go-review.googlesource.com/127821 Run-TryBot: Filippo Valsorda TryBot-Result: Gobot Gobot Reviewed-by: Adam Langley --- src/crypto/internal/boring/aes.go | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/src/crypto/internal/boring/aes.go b/src/crypto/internal/boring/aes.go index 8ca03b3f3e..881cd8e2dd 100644 --- a/src/crypto/internal/boring/aes.go +++ b/src/crypto/internal/boring/aes.go @@ -38,7 +38,7 @@ type extraModes interface { NewCBCEncrypter(iv []byte) cipher.BlockMode NewCBCDecrypter(iv []byte) cipher.BlockMode NewCTR(iv []byte) cipher.Stream - NewGCM(nonceSize int) (cipher.AEAD, error) + NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) // Invented for BoringCrypto. NewGCMTLS() (cipher.AEAD, error) @@ -188,20 +188,25 @@ type noGCM struct { cipher.Block } -func (c *aesCipher) NewGCM(nonceSize int) (cipher.AEAD, error) { - return c.newGCM(nonceSize, false) +func (c *aesCipher) NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) { + if nonceSize != gcmStandardNonceSize && tagSize != gcmTagSize { + return nil, errors.New("crypto/aes: GCM tag and nonce sizes can't be non-standard at the same time") + } + // Fall back to standard library for GCM with non-standard nonce or tag size. + if nonceSize != gcmStandardNonceSize { + return cipher.NewGCMWithNonceSize(&noGCM{c}, nonceSize) + } + if tagSize != gcmTagSize { + return cipher.NewGCMWithTagSize(&noGCM{c}, tagSize) + } + return c.newGCM(false) } func (c *aesCipher) NewGCMTLS() (cipher.AEAD, error) { - return c.newGCM(gcmStandardNonceSize, true) + return c.newGCM(true) } -func (c *aesCipher) newGCM(nonceSize int, tls bool) (cipher.AEAD, error) { - if nonceSize != gcmStandardNonceSize { - // Fall back to standard library for GCM with non-standard nonce size. - return cipher.NewGCMWithNonceSize(&noGCM{c}, nonceSize) - } - +func (c *aesCipher) newGCM(tls bool) (cipher.AEAD, error) { var aead *C.GO_EVP_AEAD switch len(c.key) * 8 { case 128: @@ -218,7 +223,7 @@ func (c *aesCipher) newGCM(nonceSize int, tls bool) (cipher.AEAD, error) { } default: // Fall back to standard library for GCM with non-standard key size. - return cipher.NewGCMWithNonceSize(&noGCM{c}, nonceSize) + return cipher.NewGCMWithNonceSize(&noGCM{c}, gcmStandardNonceSize) } g := &aesGCM{aead: aead} @@ -230,7 +235,7 @@ func (c *aesCipher) newGCM(nonceSize int, tls bool) (cipher.AEAD, error) { // to make sure g is not collected (and finalized) before the cgo // call returns. runtime.SetFinalizer(g, (*aesGCM).finalize) - if g.NonceSize() != nonceSize { + if g.NonceSize() != gcmStandardNonceSize { panic("boringcrypto: internal confusion about nonce size") } if g.Overhead() != gcmTagSize { -- 2.48.1