package gcm

import "crypto/internal/fips140/aes/gcm"

Index

Functions

func GHASH 

func GHASH(key *[16]byte, inputs ...[]byte) []byte

GHASH is exposed to allow crypto/cipher to implement non-AES GCM modes. It is not allowed as a stand-alone operation in FIPS mode because it is not ACVP tested.

func SealWithRandomNonce 

func SealWithRandomNonce(g *GCM, nonce, out, plaintext, additionalData []byte)

SealWithRandomNonce encrypts plaintext to out, and writes a random nonce to nonce. nonce must be 12 bytes, and out must be 16 bytes longer than plaintext. out and plaintext may overlap exactly or not at all. additionalData and out must not overlap.

This complies with FIPS 140-3 IG C.H Scenario 2.

Note that this is NOT a [cipher.AEAD].Seal method.

Types

type CMAC 

type CMAC struct {
	// contains filtered or unexported fields
}

CMAC implements the CMAC mode from NIST SP 800-38B.

It is optimized for use in Counter KDF (SP 800-108r1) and XAES-256-GCM (https://c2sp.org/XAES-256-GCM), rather than for exposing it to applications as a stand-alone MAC.

func NewCMAC 

func NewCMAC(b *aes.Block) *CMAC

func (*CMAC) MAC 

func (c *CMAC) MAC(m []byte) [aes.BlockSize]byte

type CounterKDF 

type CounterKDF struct {
	// contains filtered or unexported fields
}

CounterKDF implements a KDF in Counter Mode instantiated with CMAC-AES, according to NIST SP 800-108 Revision 1 Update 1, Section 4.1.

It produces a 256-bit output, and accepts a 8-bit Label and a 96-bit Context. It uses a counter of 16 bits placed before the fixed data. The fixed data is the sequence Label || 0x00 || Context. The L field is omitted, since the output key length is fixed.

It's optimized for use in XAES-256-GCM (https://c2sp.org/XAES-256-GCM), rather than for exposing it to applications as a stand-alone KDF.

func NewCounterKDF 

func NewCounterKDF(b *aes.Block) *CounterKDF

NewCounterKDF creates a new CounterKDF with the given key.

func (*CounterKDF) DeriveKey 

func (kdf *CounterKDF) DeriveKey(label byte, context [12]byte) [32]byte

DeriveKey derives a key from the given label and context.

type GCM 

type GCM struct {
	// contains filtered or unexported fields
}

GCM represents a Galois Counter Mode with a specific key.

func New 

func New(cipher *aes.Block, nonceSize, tagSize int) (*GCM, error)

func (*GCM) NonceSize 

func (g *GCM) NonceSize() int

func (*GCM) Open 

func (g *GCM) Open(dst, nonce, ciphertext, data []byte) ([]byte, error)

func (*GCM) Overhead 

func (g *GCM) Overhead() int

func (*GCM) Seal 

func (g *GCM) Seal(dst, nonce, plaintext, data []byte) []byte

type GCMForSSH 

type GCMForSSH struct {
	// contains filtered or unexported fields
}

func NewGCMForSSH 

func NewGCMForSSH(cipher *aes.Block) (*GCMForSSH, error)

NewGCMForSSH returns a new AEAD that works like GCM, but enforces the construction of nonces as specified in RFC 5647.

This complies with FIPS 140-3 IG C.H Scenario 1.d.

func (*GCMForSSH) NonceSize 

func (g *GCMForSSH) NonceSize() int

func (*GCMForSSH) Open 

func (g *GCMForSSH) Open(dst, nonce, ciphertext, data []byte) ([]byte, error)

func (*GCMForSSH) Overhead 

func (g *GCMForSSH) Overhead() int

func (*GCMForSSH) Seal 

func (g *GCMForSSH) Seal(dst, nonce, plaintext, data []byte) []byte

type GCMForTLS12 

type GCMForTLS12 struct {
	// contains filtered or unexported fields
}

func NewGCMForTLS12 

func NewGCMForTLS12(cipher *aes.Block) (*GCMForTLS12, error)

NewGCMForTLS12 returns a new AEAD that works like GCM, but enforces the construction of nonces as specified in RFC 5288, Section 3 and RFC 9325, Section 7.2.1.

This complies with FIPS 140-3 IG C.H Scenario 1.a.

func (*GCMForTLS12) NonceSize 

func (g *GCMForTLS12) NonceSize() int

func (*GCMForTLS12) Open 

func (g *GCMForTLS12) Open(dst, nonce, ciphertext, data []byte) ([]byte, error)

func (*GCMForTLS12) Overhead 

func (g *GCMForTLS12) Overhead() int

func (*GCMForTLS12) Seal 

func (g *GCMForTLS12) Seal(dst, nonce, plaintext, data []byte) []byte

type GCMForTLS13 

type GCMForTLS13 struct {
	// contains filtered or unexported fields
}

func NewGCMForTLS13 

func NewGCMForTLS13(cipher *aes.Block) (*GCMForTLS13, error)

NewGCMForTLS13 returns a new AEAD that works like GCM, but enforces the construction of nonces as specified in RFC 8446, Section 5.3.

func (*GCMForTLS13) NonceSize 

func (g *GCMForTLS13) NonceSize() int

func (*GCMForTLS13) Open 

func (g *GCMForTLS13) Open(dst, nonce, ciphertext, data []byte) ([]byte, error)

func (*GCMForTLS13) Overhead 

func (g *GCMForTLS13) Overhead() int

func (*GCMForTLS13) Seal 

func (g *GCMForTLS13) Seal(dst, nonce, plaintext, data []byte) []byte

type GCMWithCounterNonce 

type GCMWithCounterNonce struct {
	// contains filtered or unexported fields
}

func NewGCMWithCounterNonce 

func NewGCMWithCounterNonce(cipher *aes.Block) (*GCMWithCounterNonce, error)

NewGCMWithCounterNonce returns a new AEAD that works like GCM, but enforces the construction of deterministic nonces. The nonce must be 96 bits, the first 32 bits must be an encoding of the module name, and the last 64 bits must be a counter.

This complies with FIPS 140-3 IG C.H Scenario 3.

func (*GCMWithCounterNonce) NonceSize 

func (g *GCMWithCounterNonce) NonceSize() int

func (*GCMWithCounterNonce) Open 

func (g *GCMWithCounterNonce) Open(dst, nonce, ciphertext, data []byte) ([]byte, error)

func (*GCMWithCounterNonce) Overhead 

func (g *GCMWithCounterNonce) Overhead() int

func (*GCMWithCounterNonce) Seal 

func (g *GCMWithCounterNonce) Seal(dst, nonce, plaintext, data []byte) []byte

Source Files

cast.go cmac.go ctrkdf.go gcm.go gcm_asm.go gcm_generic.go gcm_nonces.go ghash.go

Directories

PathSynopsis
crypto/internal/fips140/aes/gcm/_asm
crypto/internal/fips140/aes/gcm/_asm/gcm
Version
v1.24.0 (latest)
Published
Feb 10, 2025
Platform
linux/amd64
Imports
11 packages
Last checked
3 minutes ago

Tools for package owners.