// Copyright 2015 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// +build amd64 arm64

package aes

import (
	
	subtleoverlap 
	
	
)

// The following functions are defined in gcm_*.s.

//go:noescape
func gcmAesInit( *[256]byte,  []uint32)

//go:noescape
func gcmAesData( *[256]byte,  []byte,  *[16]byte)

//go:noescape
func gcmAesEnc( *[256]byte, ,  []byte, ,  *[16]byte,  []uint32)

//go:noescape
func gcmAesDec( *[256]byte, ,  []byte, ,  *[16]byte,  []uint32)

//go:noescape
func gcmAesFinish( *[256]byte, ,  *[16]byte, ,  uint64)

const (
	gcmBlockSize         = 16
	gcmTagSize           = 16
	gcmMinimumTagSize    = 12 // NIST SP 800-38D recommends tags with 12 or more bytes.
	gcmStandardNonceSize = 12
)

var errOpen = errors.New("cipher: message authentication failed")

// aesCipherGCM implements crypto/cipher.gcmAble so that crypto/cipher.NewGCM
// will use the optimised implementation in this file when possible. Instances
// of this type only exist when hasGCMAsm returns true.
type aesCipherGCM struct {
	aesCipherAsm
}

// Assert that aesCipherGCM implements the gcmAble interface.
var _ gcmAble = (*aesCipherGCM)(nil)

// NewGCM returns the AES cipher wrapped in Galois Counter Mode. This is only
// called by crypto/cipher.NewGCM via the gcmAble interface.
func ( *aesCipherGCM) (,  int) (cipher.AEAD, error) {
	 := &gcmAsm{ks: .enc, nonceSize: , tagSize: }
	gcmAesInit(&.productTable, .ks)
	return , nil
}

type gcmAsm struct {
	// ks is the key schedule, the length of which depends on the size of
	// the AES key.
	ks []uint32
	// productTable contains pre-computed multiples of the binary-field
	// element used in GHASH.
	productTable [256]byte
	// nonceSize contains the expected size of the nonce, in bytes.
	nonceSize int
	// tagSize contains the size of the tag, in bytes.
	tagSize int
}

func ( *gcmAsm) () int {
	return .nonceSize
}

func ( *gcmAsm) () int {
	return .tagSize
}

// sliceForAppend takes a slice and a requested number of bytes. It returns a
// slice with the contents of the given slice followed by that many bytes and a
// second slice that aliases into it and contains only the extra bytes. If the
// original slice has sufficient capacity then no allocation is performed.
func sliceForAppend( []byte,  int) (,  []byte) {
	if  := len() + ; cap() >=  {
		 = [:]
	} else {
		 = make([]byte, )
		copy(, )
	}
	 = [len():]
	return
}

// Seal encrypts and authenticates plaintext. See the cipher.AEAD interface for
// details.
func ( *gcmAsm) (, , ,  []byte) []byte {
	if len() != .nonceSize {
		panic("crypto/cipher: incorrect nonce length given to GCM")
	}
	if uint64(len()) > ((1<<32)-2)*BlockSize {
		panic("crypto/cipher: message too large for GCM")
	}

	var ,  [gcmBlockSize]byte

	if len() == gcmStandardNonceSize {
		// Init counter to nonce||1
		copy([:], )
		[gcmBlockSize-1] = 1
	} else {
		// Otherwise counter = GHASH(nonce)
		gcmAesData(&.productTable, , &)
		gcmAesFinish(&.productTable, &, &, uint64(len()), uint64(0))
	}

	encryptBlockAsm(len(.ks)/4-1, &.ks[0], &[0], &[0])

	var  [gcmTagSize]byte
	gcmAesData(&.productTable, , &)

	,  := sliceForAppend(, len()+.tagSize)
	if subtleoverlap.InexactOverlap([:len()], ) {
		panic("crypto/cipher: invalid buffer overlap")
	}
	if len() > 0 {
		gcmAesEnc(&.productTable, , , &, &, .ks)
	}
	gcmAesFinish(&.productTable, &, &, uint64(len()), uint64(len()))
	copy([len():], [:])

	return 
}

// Open authenticates and decrypts ciphertext. See the cipher.AEAD interface
// for details.
func ( *gcmAsm) (, , ,  []byte) ([]byte, error) {
	if len() != .nonceSize {
		panic("crypto/cipher: incorrect nonce length given to GCM")
	}
	// Sanity check to prevent the authentication from always succeeding if an implementation
	// leaves tagSize uninitialized, for example.
	if .tagSize < gcmMinimumTagSize {
		panic("crypto/cipher: incorrect GCM tag size")
	}

	if len() < .tagSize {
		return nil, errOpen
	}
	if uint64(len()) > ((1<<32)-2)*uint64(BlockSize)+uint64(.tagSize) {
		return nil, errOpen
	}

	 := [len()-.tagSize:]
	 = [:len()-.tagSize]

	// See GCM spec, section 7.1.
	var ,  [gcmBlockSize]byte

	if len() == gcmStandardNonceSize {
		// Init counter to nonce||1
		copy([:], )
		[gcmBlockSize-1] = 1
	} else {
		// Otherwise counter = GHASH(nonce)
		gcmAesData(&.productTable, , &)
		gcmAesFinish(&.productTable, &, &, uint64(len()), uint64(0))
	}

	encryptBlockAsm(len(.ks)/4-1, &.ks[0], &[0], &[0])

	var  [gcmTagSize]byte
	gcmAesData(&.productTable, , &)

	,  := sliceForAppend(, len())
	if subtleoverlap.InexactOverlap(, ) {
		panic("crypto/cipher: invalid buffer overlap")
	}
	if len() > 0 {
		gcmAesDec(&.productTable, , , &, &, .ks)
	}
	gcmAesFinish(&.productTable, &, &, uint64(len()), uint64(len()))

	if subtle.ConstantTimeCompare([:.tagSize], ) != 1 {
		for  := range  {
			[] = 0
		}
		return nil, errOpen
	}

	return , nil
}