norx.go 2.5 KB

  1. // norx.go - High-level interface
  2. //
  3. // To the extent possible under law, Yawning Angel has waived all copyright
  4. // and related or neighboring rights to the software, using the Creative
  5. // Commons "CC0" public domain dedication. See LICENSE or
  6. // <http://creativecommons.org/publicdomain/zero/1.0/> for full details.
  7. package norx
  8. import (
  9. "crypto/subtle"
  10. "errors"
  11. )
// Public parameters of this NORX instantiation. init() cross-checks the
// sizes against the internal parameters so the two cannot drift apart
// silently.
const (
	// KeySize is the required length of a key, in bytes.
	KeySize = 32

	// NonceSize is the required length of a nonce, in bytes.
	NonceSize = 32

	// TagSize is the length of the authentication tag, in bytes.
	TagSize = 32

	// Version is the version string exposed by this package.
	// NOTE(review): presumably the NORX specification version - confirm.
	Version = "3.0"
)

// Errors used as panic values by mustHaveValidArguments when a caller
// supplies a key or nonce of the wrong length.
var (
	// ErrInvalidKeySize reports a key whose length is not KeySize.
	ErrInvalidKeySize = errors.New("norx: invalid key size")

	// ErrInvalidNonceSize reports a nonce whose length is not NonceSize.
	ErrInvalidNonceSize = errors.New("norx: invalid nonce size")
)
// aeadEncrypt encrypts and authenticates m with l rounds, appends the
// ciphertext followed by the bytesT-byte tag to c, and returns the extended
// slice.
//
// a is absorbed under tagHeader before the payload and z under tagTrailer
// after it, so both are covered by the tag but are not part of the output.
// key and nonce must be exactly KeySize and NonceSize bytes long; otherwise
// mustHaveValidArguments panics.
//
// NOTE(review): nothing here stops a caller from reusing a (key, nonce)
// pair; nonce uniqueness is assumed to be the caller's responsibility.
func aeadEncrypt(l int, c, a, m, z, nonce, key []byte) []byte {
	mustHaveValidArguments(key, nonce)

	// Work on a private copy of the key so it can be wiped on the way out
	// without touching the caller's buffer.
	var keyCopy [bytesK]byte
	copy(keyCopy[:], key)

	st := &state{rounds: l}
	ptLen := len(m)
	sealed, dst := sliceForAppend(c, ptLen+bytesT)

	hardwareAccelImpl.initFn(st, keyCopy[:], nonce)
	hardwareAccelImpl.absorbDataFn(st, a, tagHeader)
	hardwareAccelImpl.encryptDataFn(st, dst, m)
	hardwareAccelImpl.absorbDataFn(st, z, tagTrailer)
	// The tag is written directly after the ciphertext.
	hardwareAccelImpl.finalizeFn(st, dst[ptLen:], keyCopy[:])

	// Wipe the cipher state and the key copy before returning.
	burnUint64s(st.s[:])
	burnBytes(keyCopy[:])

	return sealed
}
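// aeadDecrypt decrypts c with l rounds, verifies its trailing bytesT-byte
// tag, and appends the recovered plaintext to m.
//
// a is absorbed under tagHeader and z under tagTrailer, mirroring
// aeadEncrypt. key and nonce must be exactly KeySize and NonceSize bytes
// long; otherwise mustHaveValidArguments panics.
//
// It returns (nil, false) when c is too short to hold a tag. When the tag
// does not verify it returns false together with the extended slice, whose
// plaintext region has been passed to burnBytes. Callers must gate every
// use of the returned slice on the boolean.
//
// The plaintext is written into the output buffer before the tag is
// checked, so unauthenticated data is briefly present in memory that may
// alias m's backing array.
func aeadDecrypt(l int, m, a, c, z, nonce, key []byte) ([]byte, bool) {
	var k [bytesK]byte
	var tag [bytesT]byte

	s := &state{rounds: l}
	cLen := len(c)

	mustHaveValidArguments(key, nonce)
	if cLen < bytesT {
		return nil, false
	}

	ret, out := sliceForAppend(m, cLen-bytesT)
	copy(k[:], key)

	hardwareAccelImpl.initFn(s, k[:], nonce)
	hardwareAccelImpl.absorbDataFn(s, a, tagHeader)
	hardwareAccelImpl.decryptDataFn(s, out, c[:cLen-bytesT])
	hardwareAccelImpl.absorbDataFn(s, z, tagTrailer)
	hardwareAccelImpl.finalizeFn(s, tag[:], k[:])

	// Constant-time comparison, so timing does not reveal how many leading
	// tag bytes matched.
	srcTag := c[cLen-bytesT:]
	ok := subtle.ConstantTimeCompare(srcTag, tag[:]) == 1
	if !ok { // burn decrypted plaintext on auth failure
		burnBytes(out[:cLen-bytesT])
	}

	burnUint64s(s.s[:])
	burnBytes(k[:])
	// The locally computed tag is the value a forger would need for this
	// input, so wipe it along with the state and the key copy.
	burnBytes(tag[:])

	return ret, ok
}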
// mustHaveValidArguments panics unless key is exactly KeySize bytes and
// nonce is exactly NonceSize bytes long. The key is checked first, so a call
// with both lengths wrong panics with ErrInvalidKeySize.
//
// The panic values are the exported error variables, which lets a caller
// that recovers tell the two failures apart.
func mustHaveValidArguments(key, nonce []byte) {
	switch {
	case len(key) != KeySize:
		panic(ErrInvalidKeySize)
	case len(nonce) != NonceSize:
		panic(ErrInvalidNonceSize)
	}
}
// sliceForAppend returns in extended by n bytes as head, and the n newly
// added bytes as tail. When in has enough spare capacity its backing array
// is reused, so head aliases in; otherwise a new array is allocated and the
// contents of in are copied into it.
//
// Shamelessly stolen from the Go runtime library.
func sliceForAppend(in []byte, n int) (head, tail []byte) {
	total := len(in) + n
	if cap(in) < total {
		// Not enough room: allocate and carry the existing prefix over.
		head = make([]byte, total)
		copy(head, in)
	} else {
		head = in[:total]
	}
	return head, head[len(in):]
}
// init checks that the exported size constants agree with the internal
// parameters and panics at package load time if they do not, so that a
// mismatched build fails immediately instead of running with inconsistent
// key, nonce or tag lengths.
func init() {
	invariants := []struct {
		violated bool
		msg      string
	}{
		{KeySize != bytesK, "BUG: KeySize != paramK/8"},
		{NonceSize != paramN/8, "BUG: NonceSize != paramN/8"},
		{TagSize != bytesT, "BUG: TagSize != bytesT"},
	}
	// Checked in declaration order; the first violated invariant panics.
	for _, inv := range invariants {
		if inv.violated {
			panic(inv.msg)
		}
	}
}