Wade Simmons
2026-06-08 11:41:07 -04:00
parent 37b752bb23
commit 90ea6346e9
3 changed files with 26 additions and 20 deletions
+20 -9
@@ -1,6 +1,7 @@
package noiseutil package noiseutil
import ( import (
"bytes"
"crypto/cipher" "crypto/cipher"
"encoding/binary" "encoding/binary"
@@ -15,8 +16,8 @@ import (
// Using tls.aeadAESGCM gives us the TLS 1.2 GCM, which also verifies // Using tls.aeadAESGCM gives us the TLS 1.2 GCM, which also verifies
// that the nonce is strictly increasing. // that the nonce is strictly increasing.
// //
//go:linkname aeadAESGCM crypto/tls.aeadAESGCMTLS13 //go:linkname aeadAESGCMTLS13 crypto/tls.aeadAESGCMTLS13
func aeadAESGCM(key, noncePrefix []byte) cipher.AEAD func aeadAESGCMTLS13(key, noncePrefix []byte) cipher.AEAD
type cipherFn struct { type cipherFn struct {
fn func([32]byte) noise.Cipher fn func([32]byte) noise.Cipher
@@ -29,16 +30,15 @@ func (c cipherFn) CipherName() string { return c.name }
// CipherAESGCM is the AES256-GCM AEAD cipher (using aeadAESGCM when fips140 is enabled) // CipherAESGCM is the AES256-GCM AEAD cipher (using aeadAESGCM when fips140 is enabled)
var CipherAESGCM noise.CipherFunc = cipherFn{cipherAESGCMFIPS140, "AESGCM"} var CipherAESGCM noise.CipherFunc = cipherFn{cipherAESGCMFIPS140, "AESGCM"}
// tls.aeadAESGCM uses a 4 byte static prefix and an 8 byte nonce // tls.aeadAESGCMTLS13 uses a 4 byte static prefix and an 8 byte XOR mask
var emptyPrefix = []byte{0, 0, 0, 0, var emptyPrefix = []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
0, 0, 0, 0, var emptyNonce = []byte{0, 0, 0, 0, 0, 0, 0, 0}
0, 0, 0, 0}
func cipherAESGCMFIPS140(k [32]byte) noise.Cipher { func cipherAESGCMFIPS140(k [32]byte) noise.Cipher {
gcm := aeadAESGCM(k[:], emptyPrefix) gcm := aeadAESGCMTLS13(k[:], emptyPrefix)
gcm.Seal([]byte{}, []byte{0, 0, 0, 0, 0, 0, 0, 0}, []byte{}, []byte{})
return aeadCipher{ return aeadCipher{
gcm, gcm,
false,
func(n uint64) []byte { func(n uint64) []byte {
// tls.aeadAESGCM uses a 4 byte static prefix and an 8 byte nonce // tls.aeadAESGCM uses a 4 byte static prefix and an 8 byte nonce
var nonce [8]byte var nonce [8]byte
@@ -50,7 +50,18 @@ func cipherAESGCMFIPS140(k [32]byte) noise.Cipher {
type aeadCipher struct { type aeadCipher struct {
cipher.AEAD cipher.AEAD
nonce func(uint64) []byte initialized bool
nonce func(uint64) []byte
}
func (c aeadCipher) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
if !c.initialized {
if !bytes.Equal(emptyNonce, nonce) {
c.AEAD.Seal([]byte{}, emptyNonce, []byte{}, []byte{})
}
c.initialized = true
}
return c.AEAD.Seal(dst, nonce, plaintext, additionalData)
} }
func (c aeadCipher) Encrypt(out []byte, n uint64, ad, plaintext []byte) []byte { func (c aeadCipher) Encrypt(out []byte, n uint64, ad, plaintext []byte) []byte {
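Review bot: The `initialized` flag written in the new `Seal` never persists: `Seal` has a value receiver, so `c.initialized = true` updates a copy and every subsequent call still sees `initialized == false`, re-running the priming `c.AEAD.Seal([]byte{}, emptyNonce, ...)` for any non-zero nonce. The wrapped TLS 1.3 AEAD rejects a counter that does not increase (the very panic the test in this commit expects), so once an earlier call has advanced the counter past zero that repeated priming call is itself a decreasing-counter panic; `cipherAESGCMFIPS140` returns the struct by value, so nothing else holds a pointer that could carry the flag, and staticcheck flags the assignment as ineffective (SA4005). Keep the state behind a pointer: `func (c *aeadCipher) Seal(dst, nonce, plaintext, additionalData []byte) []byte {` and `return &aeadCipher{`; `Encrypt`, whose body starts on the last line here and continues outside the hunk, should take the same receiver. If `Seal` can be reached from more than one goroutine, which this hunk does not establish, a `sync.Once` around the priming would make the one-time initialization safe rather than a plain bool.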
+3 -2
@@ -1,6 +1,7 @@
package noiseutil package noiseutil
import ( import (
"crypto/cipher"
"crypto/fips140" "crypto/fips140"
"encoding/hex" "encoding/hex"
"log" "log"
@@ -25,14 +26,14 @@ func TestNewAESGCM(t *testing.T) {
var keyArray [32]byte var keyArray [32]byte
copy(keyArray[:], key) copy(keyArray[:], key)
c := CipherAESGCM.Cipher(keyArray) c := CipherAESGCM.Cipher(keyArray)
aead := c.(aeadCipher).AEAD aead := c.(cipher.AEAD)
dst := aead.Seal([]byte{}, iv, plaintext, aad) dst := aead.Seal([]byte{}, iv, plaintext, aad)
log.Printf("%x", dst) log.Printf("%x", dst)
assert.Equal(t, expected, dst) assert.Equal(t, expected, dst)
// We expect this to fail since we are re-encrypting with a repeat IV // We expect this to fail since we are re-encrypting with a repeat IV
assert.PanicsWithValue(t, "crypto/cipher: counter decreased", func() { assert.PanicsWithValue(t, "crypto/cipher: counter decreased or remained the same", func() {
dst = aead.Seal([]byte{}, iv, plaintext, aad) dst = aead.Seal([]byte{}, iv, plaintext, aad)
}) })
} }
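Review bot: The repeat-IV assertion is the only check here and it passes whether or not `aeadCipher.initialized` survives between calls, because a second priming `Seal` with the zero nonce panics with the same `counter decreased or remained the same` message; the test therefore cannot distinguish a working flag from one that is lost on a value-receiver copy. Add a positive case that seals with `iv` and then the next counter value and must not panic, e.g. `next := append([]byte(nil), iv...); next[len(next)-1]++` followed by `assert.NotPanics(t, func() { aead.Seal(nil, next, plaintext, aad) })` (this assumes the `iv` set up above the hunk does not end in 0xff, which is not visible here). Pinning the exact panic string from `crypto/cipher` also ties the test to one Go release; `assert.Panics` or a prefix match on `crypto/cipher: counter` would be more durable across toolchain updates.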
+3 -9
@@ -2,12 +2,6 @@
package noiseutil package noiseutil
import ( // func TestEncryptLockNeeded(t *testing.T) {
"testing" // assert.False(t, EncryptLockNeeded)
// }
"github.com/stretchr/testify/assert"
)
func TestEncryptLockNeeded(t *testing.T) {
assert.False(t, EncryptLockNeeded)
}