Package: crypto/internal/fips140/aes/gcm

package gcm Import Path crypto/internal/fips140/aes/gcm (on go.dev) Dependency Relation imports 11 packages, and imported by 3 packages

Involved Source Files cast.go cmac.go ctrkdf.go gcm.go gcm_asm.go gcm_generic.go gcm_nonces.go ghash.go gcm_amd64.s

Package-Level Type Names (total 5)

/* sort by: alphabet | popularity */

type CMAC (struct) CMAC implements the CMAC mode from NIST SP 800-38B. It is optimized for use in Counter KDF (SP 800-108r1) and XAES-256-GCM (https://c2sp.org/XAES-256-GCM), rather than for exposing it to applications as a stand-alone MAC. Methods (only one) (*CMAC) MAC(m []byte) [16]byte As Outputs Of (at least one exported) func NewCMAC(b *aes.Block) *CMAC

type CounterKDF (struct) CounterKDF implements a KDF in Counter Mode instantiated with CMAC-AES, according to NIST SP 800-108 Revision 1 Update 1, Section 4.1. It produces a 256-bit output, and accepts a 8-bit Label and a 96-bit Context. It uses a counter of 16 bits placed before the fixed data. The fixed data is the sequence Label || 0x00 || Context. The L field is omitted, since the output key length is fixed. It's optimized for use in XAES-256-GCM (https://c2sp.org/XAES-256-GCM), rather than for exposing it to applications as a stand-alone KDF. Methods (only one) (*CounterKDF) DeriveKey(label byte, context [12]byte) [32]byte DeriveKey derives a key from the given label and context. As Outputs Of (at least one exported) func NewCounterKDF(b *aes.Block) *CounterKDF

type GCM (struct) GCM represents a Galois Counter Mode with a specific key. Methods (total 4) (*GCM) NonceSize() int (*GCM) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) (*GCM) Overhead() int (*GCM) Seal(dst, nonce, plaintext, data []byte) []byte Implements (at least one exported) *GCM : crypto/cipher.AEAD As Outputs Of (at least one exported) func New(cipher *aes.Block, nonceSize, tagSize int) (*GCM, error) As Inputs Of (at least one exported) func SealWithRandomNonce(g *GCM, nonce, out, plaintext, additionalData []byte)

type GCMWithCounterNonce (struct) Methods (total 4) (*GCMWithCounterNonce) NonceSize() int (*GCMWithCounterNonce) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) (*GCMWithCounterNonce) Overhead() int (*GCMWithCounterNonce) Seal(dst, nonce, plaintext, data []byte) []byte Seal implements the [cipher.AEAD] interface, checking that the nonce prefix is stable and that the counter is strictly increasing. It is not safe for concurrent use. Implements (at least one exported) *GCMWithCounterNonce : crypto/cipher.AEAD As Outputs Of (at least 3) func NewGCMForSSH(cipher *aes.Block) (*GCMWithCounterNonce, error) func NewGCMForTLS12(cipher *aes.Block) (*GCMWithCounterNonce, error) func NewGCMWithCounterNonce(cipher *aes.Block) (*GCMWithCounterNonce, error)

type GCMWithXORCounterNonce (struct) Methods (total 5) (*GCMWithXORCounterNonce) NonceSize() int (*GCMWithXORCounterNonce) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) (*GCMWithXORCounterNonce) Overhead() int (*GCMWithXORCounterNonce) Seal(dst, nonce, plaintext, data []byte) []byte Seal implements the [cipher.AEAD] interface, checking that the nonce prefix is stable and that the counter is strictly increasing. It is not safe for concurrent use. (*GCMWithXORCounterNonce) SetNoncePrefixAndMask(nonce []byte) error SetNoncePrefixAndMask sets the fixed prefix and XOR mask for the nonces used in Seal. It must be called before the first call to Seal. The first 32 bits of nonce are used as the fixed prefix, and the last 64 bits are used as the XOR mask. Note that Seal expects the nonce to be already XOR'd with the mask. The mask is provided here only to allow Seal to enforce that the counter is strictly increasing. Implements (at least one exported) *GCMWithXORCounterNonce : crypto/cipher.AEAD As Outputs Of (at least 4) func NewGCMForHPKE(cipher *aes.Block) (*GCMWithXORCounterNonce, error) func NewGCMForQUIC(cipher *aes.Block, iv []byte) (*GCMWithXORCounterNonce, error) func NewGCMForTLS13(cipher *aes.Block) (*GCMWithXORCounterNonce, error) func NewGCMWithXORCounterNonce(cipher *aes.Block) (*GCMWithXORCounterNonce, error)

Package-Level Functions (total 12)

func GHASH(key *[16]byte, inputs ...[]byte) []byte GHASH is exposed to allow crypto/cipher to implement non-AES GCM modes. It is not allowed as a stand-alone operation in FIPS mode because it is not ACVP tested.

func New(cipher *aes.Block, nonceSize, tagSize int) (*GCM, error)

func NewCMAC(b *aes.Block) *CMAC

func NewCounterKDF(b *aes.Block) *CounterKDF NewCounterKDF creates a new CounterKDF with the given key.

func NewGCMForHPKE(cipher *aes.Block) (*GCMWithXORCounterNonce, error) NewGCMForHPKE returns a new AEAD that works like GCM, but enforces the construction of nonces as specified in RFC 9180, Section 5.2. This complies with FIPS 140-3 IG C.H Scenario 5.

func NewGCMForQUIC(cipher *aes.Block, iv []byte) (*GCMWithXORCounterNonce, error) NewGCMForQUIC returns a new AEAD that works like GCM, but enforces the construction of nonces as specified in RFC 9001, Section 5.3. Unlike in TLS 1.3, the QUIC nonce counter does not always start at zero, as the packet number does not reset on key updates, so the XOR mask must be provided explicitly instead of being learned on the first Seal call. Note that the nonce passed to Seal must already be XOR'd with the IV, the IV is provided here only to allow Seal to enforce that the counter is strictly increasing. This complies with FIPS 140-3 IG C.H Scenario 5.

func NewGCMForSSH(cipher *aes.Block) (*GCMWithCounterNonce, error) NewGCMForSSH returns a new AEAD that works like GCM, but enforces the construction of nonces as specified in RFC 5647. This complies with FIPS 140-3 IG C.H Scenario 1.d.

func NewGCMForTLS12(cipher *aes.Block) (*GCMWithCounterNonce, error) NewGCMForTLS12 returns a new AEAD that works like GCM, but enforces the construction of nonces as specified in RFC 5288, Section 3 and RFC 9325, Section 7.2.1. This complies with FIPS 140-3 IG C.H Scenario 1.a.

func NewGCMForTLS13(cipher *aes.Block) (*GCMWithXORCounterNonce, error) NewGCMForTLS13 returns a new AEAD that works like GCM, but enforces the construction of nonces as specified in RFC 8446, Section 5.3. This complies with FIPS 140-3 IG C.H Scenario 1.a.

func NewGCMWithCounterNonce(cipher *aes.Block) (*GCMWithCounterNonce, error) NewGCMWithCounterNonce returns a new AEAD that works like GCM, but enforces the construction of deterministic nonces. The nonce must be 96 bits, the first 32 bits must be an encoding of the module name, and the last 64 bits must be a counter. The starting value of the counter is set on the first call to Seal, and each subsequent call must increment it as a big-endian uint64. If the counter reaches the starting value minus one, Seal will panic. This complies with FIPS 140-3 IG C.H Scenario 3.

func NewGCMWithXORCounterNonce(cipher *aes.Block) (*GCMWithXORCounterNonce, error) NewGCMWithXORCounterNonce returns a new AEAD that works like GCM, but enforces the construction of deterministic nonces. The nonce must be 96 bits, the first 32 bits must be an encoding of the module name, and the last 64 bits must be a counter XOR'd with a fixed value. The module name and XOR mask can be set with [GCMWithCounterNonce.SetNoncePrefixAndMask], or they are set on the first call to Seal, assuming the counter starts at zero. Each subsequent call must increment the counter as a big-endian uint64. If the counter reaches 2⁶⁴ minus one, Seal will panic. This complies with FIPS 140-3 IG C.H Scenario 3.

func SealWithRandomNonce(g *GCM, nonce, out, plaintext, additionalData []byte) SealWithRandomNonce encrypts plaintext to out, and writes a random nonce to nonce. nonce must be 12 bytes, and out must be 16 bytes longer than plaintext. out and plaintext may overlap exactly or not at all. additionalData and out must not overlap. This complies with FIPS 140-3 IG C.H Scenario 2. Note that this is NOT a [cipher.AEAD].Seal method.