Source file src/pkg/crypto/aes/gcm_s390x.go

     1	// Copyright 2016 The Go Authors. All rights reserved.
     2	// Use of this source code is governed by a BSD-style
     3	// license that can be found in the LICENSE file.
     4	
     5	package aes
     6	
     7	import (
     8		"crypto/cipher"
     9		subtleoverlap "crypto/internal/subtle"
    10		"crypto/subtle"
    11		"encoding/binary"
    12		"errors"
    13		"internal/cpu"
    14	)
    15	
    16	// This file contains two implementations of AES-GCM. The first implementation
    17	// (gcmAsm) uses the KMCTR instruction to encrypt using AES in counter mode and
    18	// the KIMD instruction for GHASH. The second implementation (gcmKMA) uses the
    19	// newer KMA instruction which performs both operations.
    20	
    21	// gcmCount represents a 16-byte big-endian count value.
    22	type gcmCount [16]byte
    23	
    24	// inc increments the rightmost 32-bits of the count value by 1.
    25	func (x *gcmCount) inc() {
    26		binary.BigEndian.PutUint32(x[len(x)-4:], binary.BigEndian.Uint32(x[len(x)-4:])+1)
    27	}
    28	
    29	// gcmLengths writes len0 || len1 as big-endian values to a 16-byte array.
    30	func gcmLengths(len0, len1 uint64) [16]byte {
    31		v := [16]byte{}
    32		binary.BigEndian.PutUint64(v[0:], len0)
    33		binary.BigEndian.PutUint64(v[8:], len1)
    34		return v
    35	}
    36	
    37	// gcmHashKey represents the 16-byte hash key required by the GHASH algorithm.
    38	type gcmHashKey [16]byte
    39	
    40	type gcmAsm struct {
    41		block     *aesCipherAsm
    42		hashKey   gcmHashKey
    43		nonceSize int
    44		tagSize   int
    45	}
    46	
    47	const (
    48		gcmBlockSize         = 16
    49		gcmTagSize           = 16
    50		gcmMinimumTagSize    = 12 // NIST SP 800-38D recommends tags with 12 or more bytes.
    51		gcmStandardNonceSize = 12
    52	)
    53	
    54	var errOpen = errors.New("cipher: message authentication failed")
    55	
    56	// Assert that aesCipherAsm implements the gcmAble interface.
    57	var _ gcmAble = (*aesCipherAsm)(nil)
    58	
    59	// NewGCM returns the AES cipher wrapped in Galois Counter Mode. This is only
    60	// called by crypto/cipher.NewGCM via the gcmAble interface.
    61	func (c *aesCipherAsm) NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) {
    62		var hk gcmHashKey
    63		c.Encrypt(hk[:], hk[:])
    64		g := gcmAsm{
    65			block:     c,
    66			hashKey:   hk,
    67			nonceSize: nonceSize,
    68			tagSize:   tagSize,
    69		}
    70		if cpu.S390X.HasAESGCM {
    71			g := gcmKMA{g}
    72			return &g, nil
    73		}
    74		return &g, nil
    75	}
    76	
    77	func (g *gcmAsm) NonceSize() int {
    78		return g.nonceSize
    79	}
    80	
    81	func (g *gcmAsm) Overhead() int {
    82		return g.tagSize
    83	}
    84	
    85	// sliceForAppend takes a slice and a requested number of bytes. It returns a
    86	// slice with the contents of the given slice followed by that many bytes and a
    87	// second slice that aliases into it and contains only the extra bytes. If the
    88	// original slice has sufficient capacity then no allocation is performed.
    89	func sliceForAppend(in []byte, n int) (head, tail []byte) {
    90		if total := len(in) + n; cap(in) >= total {
    91			head = in[:total]
    92		} else {
    93			head = make([]byte, total)
    94			copy(head, in)
    95		}
    96		tail = head[len(in):]
    97		return
    98	}
    99	
   100	// ghash uses the GHASH algorithm to hash data with the given key. The initial
   101	// hash value is given by hash which will be updated with the new hash value.
   102	// The length of data must be a multiple of 16-bytes.
   103	//go:noescape
   104	func ghash(key *gcmHashKey, hash *[16]byte, data []byte)
   105	
   106	// paddedGHASH pads data with zeroes until its length is a multiple of
   107	// 16-bytes. It then calculates a new value for hash using the GHASH algorithm.
   108	func (g *gcmAsm) paddedGHASH(hash *[16]byte, data []byte) {
   109		siz := len(data) &^ 0xf // align size to 16-bytes
   110		if siz > 0 {
   111			ghash(&g.hashKey, hash, data[:siz])
   112			data = data[siz:]
   113		}
   114		if len(data) > 0 {
   115			var s [16]byte
   116			copy(s[:], data)
   117			ghash(&g.hashKey, hash, s[:])
   118		}
   119	}
   120	
   121	// cryptBlocksGCM encrypts src using AES in counter mode using the given
   122	// function code and key. The rightmost 32-bits of the counter are incremented
   123	// between each block as required by the GCM spec. The initial counter value
   124	// is given by cnt, which is updated with the value of the next counter value
   125	// to use.
   126	//
   127	// The lengths of both dst and buf must be greater than or equal to the length
   128	// of src. buf may be partially or completely overwritten during the execution
   129	// of the function.
   130	//go:noescape
   131	func cryptBlocksGCM(fn code, key, dst, src, buf []byte, cnt *gcmCount)
   132	
   133	// counterCrypt encrypts src using AES in counter mode and places the result
   134	// into dst. cnt is the initial count value and will be updated with the next
   135	// count value. The length of dst must be greater than or equal to the length
   136	// of src.
   137	func (g *gcmAsm) counterCrypt(dst, src []byte, cnt *gcmCount) {
   138		// Copying src into a buffer improves performance on some models when
   139		// src and dst point to the same underlying array. We also need a
   140		// buffer for counter values.
   141		var ctrbuf, srcbuf [2048]byte
   142		for len(src) >= 16 {
   143			siz := len(src)
   144			if len(src) > len(ctrbuf) {
   145				siz = len(ctrbuf)
   146			}
   147			siz &^= 0xf // align siz to 16-bytes
   148			copy(srcbuf[:], src[:siz])
   149			cryptBlocksGCM(g.block.function, g.block.key, dst[:siz], srcbuf[:siz], ctrbuf[:], cnt)
   150			src = src[siz:]
   151			dst = dst[siz:]
   152		}
   153		if len(src) > 0 {
   154			var x [16]byte
   155			g.block.Encrypt(x[:], cnt[:])
   156			for i := range src {
   157				dst[i] = src[i] ^ x[i]
   158			}
   159			cnt.inc()
   160		}
   161	}
   162	
   163	// deriveCounter computes the initial GCM counter state from the given nonce.
   164	// See NIST SP 800-38D, section 7.1.
   165	func (g *gcmAsm) deriveCounter(nonce []byte) gcmCount {
   166		// GCM has two modes of operation with respect to the initial counter
   167		// state: a "fast path" for 96-bit (12-byte) nonces, and a "slow path"
   168		// for nonces of other lengths. For a 96-bit nonce, the nonce, along
   169		// with a four-byte big-endian counter starting at one, is used
   170		// directly as the starting counter. For other nonce sizes, the counter
   171		// is computed by passing it through the GHASH function.
   172		var counter gcmCount
   173		if len(nonce) == gcmStandardNonceSize {
   174			copy(counter[:], nonce)
   175			counter[gcmBlockSize-1] = 1
   176		} else {
   177			var hash [16]byte
   178			g.paddedGHASH(&hash, nonce)
   179			lens := gcmLengths(0, uint64(len(nonce))*8)
   180			g.paddedGHASH(&hash, lens[:])
   181			copy(counter[:], hash[:])
   182		}
   183		return counter
   184	}
   185	
   186	// auth calculates GHASH(ciphertext, additionalData), masks the result with
   187	// tagMask and writes the result to out.
   188	func (g *gcmAsm) auth(out, ciphertext, additionalData []byte, tagMask *[gcmTagSize]byte) {
   189		var hash [16]byte
   190		g.paddedGHASH(&hash, additionalData)
   191		g.paddedGHASH(&hash, ciphertext)
   192		lens := gcmLengths(uint64(len(additionalData))*8, uint64(len(ciphertext))*8)
   193		g.paddedGHASH(&hash, lens[:])
   194	
   195		copy(out, hash[:])
   196		for i := range out {
   197			out[i] ^= tagMask[i]
   198		}
   199	}
   200	
   201	// Seal encrypts and authenticates plaintext. See the cipher.AEAD interface for
   202	// details.
   203	func (g *gcmAsm) Seal(dst, nonce, plaintext, data []byte) []byte {
   204		if len(nonce) != g.nonceSize {
   205			panic("crypto/cipher: incorrect nonce length given to GCM")
   206		}
   207		if uint64(len(plaintext)) > ((1<<32)-2)*BlockSize {
   208			panic("crypto/cipher: message too large for GCM")
   209		}
   210	
   211		ret, out := sliceForAppend(dst, len(plaintext)+g.tagSize)
   212		if subtleoverlap.InexactOverlap(out[:len(plaintext)], plaintext) {
   213			panic("crypto/cipher: invalid buffer overlap")
   214		}
   215	
   216		counter := g.deriveCounter(nonce)
   217	
   218		var tagMask [gcmBlockSize]byte
   219		g.block.Encrypt(tagMask[:], counter[:])
   220		counter.inc()
   221	
   222		var tagOut [gcmTagSize]byte
   223		g.counterCrypt(out, plaintext, &counter)
   224		g.auth(tagOut[:], out[:len(plaintext)], data, &tagMask)
   225		copy(out[len(plaintext):], tagOut[:])
   226	
   227		return ret
   228	}
   229	
   230	// Open authenticates and decrypts ciphertext. See the cipher.AEAD interface
   231	// for details.
   232	func (g *gcmAsm) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
   233		if len(nonce) != g.nonceSize {
   234			panic("crypto/cipher: incorrect nonce length given to GCM")
   235		}
   236		// Sanity check to prevent the authentication from always succeeding if an implementation
   237		// leaves tagSize uninitialized, for example.
   238		if g.tagSize < gcmMinimumTagSize {
   239			panic("crypto/cipher: incorrect GCM tag size")
   240		}
   241		if len(ciphertext) < g.tagSize {
   242			return nil, errOpen
   243		}
   244		if uint64(len(ciphertext)) > ((1<<32)-2)*uint64(BlockSize)+uint64(g.tagSize) {
   245			return nil, errOpen
   246		}
   247	
   248		tag := ciphertext[len(ciphertext)-g.tagSize:]
   249		ciphertext = ciphertext[:len(ciphertext)-g.tagSize]
   250	
   251		counter := g.deriveCounter(nonce)
   252	
   253		var tagMask [gcmBlockSize]byte
   254		g.block.Encrypt(tagMask[:], counter[:])
   255		counter.inc()
   256	
   257		var expectedTag [gcmTagSize]byte
   258		g.auth(expectedTag[:], ciphertext, data, &tagMask)
   259	
   260		ret, out := sliceForAppend(dst, len(ciphertext))
   261		if subtleoverlap.InexactOverlap(out, ciphertext) {
   262			panic("crypto/cipher: invalid buffer overlap")
   263		}
   264	
   265		if subtle.ConstantTimeCompare(expectedTag[:g.tagSize], tag) != 1 {
   266			// The AESNI code decrypts and authenticates concurrently, and
   267			// so overwrites dst in the event of a tag mismatch. That
   268			// behavior is mimicked here in order to be consistent across
   269			// platforms.
   270			for i := range out {
   271				out[i] = 0
   272			}
   273			return nil, errOpen
   274		}
   275	
   276		g.counterCrypt(out, ciphertext, &counter)
   277		return ret, nil
   278	}
   279	
   280	// gcmKMA implements the cipher.AEAD interface using the KMA instruction. It should
   281	// only be used if hasKMA is true.
   282	type gcmKMA struct {
   283		gcmAsm
   284	}
   285	
   286	// flags for the KMA instruction
   287	const (
   288		kmaHS      = 1 << 10 // hash subkey supplied
   289		kmaLAAD    = 1 << 9  // last series of additional authenticated data
   290		kmaLPC     = 1 << 8  // last series of plaintext or ciphertext blocks
   291		kmaDecrypt = 1 << 7  // decrypt
   292	)
   293	
   294	// kmaGCM executes the encryption or decryption operation given by fn. The tag
   295	// will be calculated and written to tag. cnt should contain the current
   296	// counter state and will be overwritten with the updated counter state.
   297	// TODO(mundaym): could pass in hash subkey
   298	//go:noescape
   299	func kmaGCM(fn code, key, dst, src, aad []byte, tag *[16]byte, cnt *gcmCount)
   300	
   301	// Seal encrypts and authenticates plaintext. See the cipher.AEAD interface for
   302	// details.
   303	func (g *gcmKMA) Seal(dst, nonce, plaintext, data []byte) []byte {
   304		if len(nonce) != g.nonceSize {
   305			panic("crypto/cipher: incorrect nonce length given to GCM")
   306		}
   307		if uint64(len(plaintext)) > ((1<<32)-2)*BlockSize {
   308			panic("crypto/cipher: message too large for GCM")
   309		}
   310	
   311		ret, out := sliceForAppend(dst, len(plaintext)+g.tagSize)
   312		if subtleoverlap.InexactOverlap(out[:len(plaintext)], plaintext) {
   313			panic("crypto/cipher: invalid buffer overlap")
   314		}
   315	
   316		counter := g.deriveCounter(nonce)
   317		fc := g.block.function | kmaLAAD | kmaLPC
   318	
   319		var tag [gcmTagSize]byte
   320		kmaGCM(fc, g.block.key, out[:len(plaintext)], plaintext, data, &tag, &counter)
   321		copy(out[len(plaintext):], tag[:])
   322	
   323		return ret
   324	}
   325	
   326	// Open authenticates and decrypts ciphertext. See the cipher.AEAD interface
   327	// for details.
   328	func (g *gcmKMA) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
   329		if len(nonce) != g.nonceSize {
   330			panic("crypto/cipher: incorrect nonce length given to GCM")
   331		}
   332		if len(ciphertext) < g.tagSize {
   333			return nil, errOpen
   334		}
   335		if uint64(len(ciphertext)) > ((1<<32)-2)*uint64(BlockSize)+uint64(g.tagSize) {
   336			return nil, errOpen
   337		}
   338	
   339		tag := ciphertext[len(ciphertext)-g.tagSize:]
   340		ciphertext = ciphertext[:len(ciphertext)-g.tagSize]
   341		ret, out := sliceForAppend(dst, len(ciphertext))
   342		if subtleoverlap.InexactOverlap(out, ciphertext) {
   343			panic("crypto/cipher: invalid buffer overlap")
   344		}
   345	
   346		if g.tagSize < gcmMinimumTagSize {
   347			panic("crypto/cipher: incorrect GCM tag size")
   348		}
   349	
   350		counter := g.deriveCounter(nonce)
   351		fc := g.block.function | kmaLAAD | kmaLPC | kmaDecrypt
   352	
   353		var expectedTag [gcmTagSize]byte
   354		kmaGCM(fc, g.block.key, out[:len(ciphertext)], ciphertext, data, &expectedTag, &counter)
   355	
   356		if subtle.ConstantTimeCompare(expectedTag[:g.tagSize], tag) != 1 {
   357			// The AESNI code decrypts and authenticates concurrently, and
   358			// so overwrites dst in the event of a tag mismatch. That
   359			// behavior is mimicked here in order to be consistent across
   360			// platforms.
   361			for i := range out {
   362				out[i] = 0
   363			}
   364			return nil, errOpen
   365		}
   366	
   367		return ret, nil
   368	}
   369	

View as plain text