type AEAD … type gcmAble … type gcmFieldElement … type gcm … // NewGCM returns the given 128-bit, block cipher wrapped in Galois Counter Mode // with the standard nonce length. // // In general, the GHASH operation performed by this implementation of GCM is not constant-time. // An exception is when the underlying [Block] was created by aes.NewCipher // on systems with hardware support for AES. See the [crypto/aes] package documentation for details. func NewGCM(cipher Block) (AEAD, error) { … } // NewGCMWithNonceSize returns the given 128-bit, block cipher wrapped in Galois // Counter Mode, which accepts nonces of the given length. The length must not // be zero. // // Only use this function if you require compatibility with an existing // cryptosystem that uses non-standard nonce lengths. All other users should use // [NewGCM], which is faster and more resistant to misuse. func NewGCMWithNonceSize(cipher Block, size int) (AEAD, error) { … } // NewGCMWithTagSize returns the given 128-bit, block cipher wrapped in Galois // Counter Mode, which generates tags with the given length. // // Tag sizes between 12 and 16 bytes are allowed. // // Only use this function if you require compatibility with an existing // cryptosystem that uses non-standard tag lengths. All other users should use // [NewGCM], which is more resistant to misuse. func NewGCMWithTagSize(cipher Block, tagSize int) (AEAD, error) { … } func newGCMWithNonceAndTagSize(cipher Block, nonceSize, tagSize int) (AEAD, error) { … } const gcmBlockSize … const gcmTagSize … const gcmMinimumTagSize … const gcmStandardNonceSize … func (g *gcm) NonceSize() int { … } func (g *gcm) Overhead() int { … } func (g *gcm) Seal(dst, nonce, plaintext, data []byte) []byte { … } var errOpen … func (g *gcm) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) { … } // reverseBits reverses the order of the bits of 4-bit number in i. func reverseBits(i int) int { … } // gcmAdd adds two elements of GF(2¹²⁸) and returns the sum. func gcmAdd(x, y *gcmFieldElement) gcmFieldElement { … } // gcmDouble returns the result of doubling an element of GF(2¹²⁸). func gcmDouble(x *gcmFieldElement) (double gcmFieldElement) { … } var gcmReductionTable … // mul sets y to y*H, where H is the GCM key, fixed during NewGCMWithNonceSize. func (g *gcm) mul(y *gcmFieldElement) { … } // updateBlocks extends y with more polynomial terms from blocks, based on // Horner's rule. There must be a multiple of gcmBlockSize bytes in blocks. func (g *gcm) updateBlocks(y *gcmFieldElement, blocks []byte) { … } // update extends y with more polynomial terms from data. If data is not a // multiple of gcmBlockSize bytes long then the remainder is zero padded. func (g *gcm) update(y *gcmFieldElement, data []byte) { … } // gcmInc32 treats the final four bytes of counterBlock as a big-endian value // and increments it. func gcmInc32(counterBlock *[16]byte) { … } // sliceForAppend takes a slice and a requested number of bytes. It returns a // slice with the contents of the given slice followed by that many bytes and a // second slice that aliases into it and contains only the extra bytes. If the // original slice has sufficient capacity then no allocation is performed. func sliceForAppend(in []byte, n int) (head, tail []byte) { … } // counterCrypt crypts in to out using g.cipher in counter mode. func (g *gcm) counterCrypt(out, in []byte, counter *[gcmBlockSize]byte) { … } // deriveCounter computes the initial GCM counter state from the given nonce. // See NIST SP 800-38D, section 7.1. This assumes that counter is filled with // zeros on entry. func (g *gcm) deriveCounter(counter *[gcmBlockSize]byte, nonce []byte) { … } // auth calculates GHASH(ciphertext, additionalData), masks the result with // tagMask and writes the result to out. func (g *gcm) auth(out, ciphertext, additionalData []byte, tagMask *[gcmTagSize]byte) { … }
Codebase Browser
go