Commit 007c907b authored by Adam Langley's avatar Adam Langley

crypto/tls: only store a single nonce for AES-GCM.

Although an AEAD, in general, can be used concurrently in both the seal
and open directions, TLS is easier. Since the transport keys are
different for different directions in TLS, an AEAD will only ever be
used in one direction. Thus we don't need separate buffers for seal and
open because they can never happen concurrently.

Also, fix the nonce size to twelve bytes since the fixed-prefix
construction for AEADs is superseded and will never be used for anything
else now.

Change-Id: Ibbf6c6b1da0e639f4ee0e3604410945dc7dcbb46
Reviewed-on: https://go-review.googlesource.com/30959
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: default avatarBrad Fitzpatrick <bradfitz@golang.org>
parent d1bfa3c6
...@@ -161,11 +161,9 @@ type aead interface { ...@@ -161,11 +161,9 @@ type aead interface {
// fixedNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to // fixedNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to
// each call. // each call.
type fixedNonceAEAD struct { type fixedNonceAEAD struct {
// sealNonce and openNonce are buffers where the larger nonce will be // nonce contains the fixed part of the nonce in the first four bytes.
// constructed. Since a seal and open operation may be running nonce [12]byte
// concurrently, there is a separate buffer for each. aead cipher.AEAD
sealNonce, openNonce []byte
aead cipher.AEAD
} }
func (f *fixedNonceAEAD) NonceSize() int { return 8 } func (f *fixedNonceAEAD) NonceSize() int { return 8 }
...@@ -173,13 +171,13 @@ func (f *fixedNonceAEAD) Overhead() int { return f.aead.Overhead() } ...@@ -173,13 +171,13 @@ func (f *fixedNonceAEAD) Overhead() int { return f.aead.Overhead() }
func (f *fixedNonceAEAD) explicitNonceLen() int { return 8 } func (f *fixedNonceAEAD) explicitNonceLen() int { return 8 }
func (f *fixedNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte { func (f *fixedNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
copy(f.sealNonce[len(f.sealNonce)-8:], nonce) copy(f.nonce[4:], nonce)
return f.aead.Seal(out, f.sealNonce, plaintext, additionalData) return f.aead.Seal(out, f.nonce[:], plaintext, additionalData)
} }
func (f *fixedNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) { func (f *fixedNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {
copy(f.openNonce[len(f.openNonce)-8:], nonce) copy(f.nonce[4:], nonce)
return f.aead.Open(out, f.openNonce, plaintext, additionalData) return f.aead.Open(out, f.nonce[:], plaintext, additionalData)
} }
// xoredNonceAEAD wraps an AEAD by XORing in a fixed pattern to the nonce // xoredNonceAEAD wraps an AEAD by XORing in a fixed pattern to the nonce
...@@ -227,11 +225,9 @@ func aeadAESGCM(key, fixedNonce []byte) cipher.AEAD { ...@@ -227,11 +225,9 @@ func aeadAESGCM(key, fixedNonce []byte) cipher.AEAD {
panic(err) panic(err)
} }
nonce1, nonce2 := make([]byte, 12), make([]byte, 12) ret := &fixedNonceAEAD{aead: aead}
copy(nonce1, fixedNonce) copy(ret.nonce[:], fixedNonce)
copy(nonce2, fixedNonce) return ret
return &fixedNonceAEAD{nonce1, nonce2, aead}
} }
func aeadChaCha20Poly1305(key, fixedNonce []byte) cipher.AEAD { func aeadChaCha20Poly1305(key, fixedNonce []byte) cipher.AEAD {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment