Package: crypto/aes

package aes Import Path crypto/aes (on go.dev) Dependency Relation imports 9 packages, and imported by 7 packages

Involved Source Files aes_gcm.go block.go cipher.go cipher_asm.go d const.go Package aes implements AES encryption (formerly Rijndael), as defined in U.S. Federal Information Processing Standards Publication 197. The AES operations in this package are not implemented using constant-time algorithms. An exception is when running on systems with enabled hardware support for AES that makes these operations constant-time. Examples include amd64 systems using AES-NI extensions and s390x systems using Message-Security-Assist extensions. On such systems, when the result of NewCipher is passed to cipher.NewGCM, the GHASH operation used by GCM is also constant-time. modes.go asm_amd64.s gcm_amd64.s

Package-Level Type Names (total 9, in which 1 is exported)

/* sort exporteds by: alphabet | popularity */

type KeySizeError int (basic type) Methods (only one, which is exported) ( KeySizeError) Error() string Implements (at least one exported) KeySizeError : error

/* 8 unexporteds ... *//* 8 unexporteds: */

type aesCipher (struct) A cipher is an instance of AES encryption using a particular key. Fields (total 2, neither is exported) /* 2 unexporteds ... *//* 2 unexporteds: */ dec []uint32 enc []uint32 Methods (total 3, all are exported) (*aesCipher) BlockSize() int (*aesCipher) Decrypt(dst, src []byte) (*aesCipher) Encrypt(dst, src []byte) Implements (at least one exported) *aesCipher : crypto/cipher.Block

type aesCipherAsm (struct) Fields (total 3, none are exported) /* 3 unexporteds ... *//* 3 unexporteds: */ aesCipher aesCipher aesCipher.dec []uint32 aesCipher.enc []uint32 Methods (total 3, all are exported) (*aesCipherAsm) BlockSize() int (*aesCipherAsm) Decrypt(dst, src []byte) (*aesCipherAsm) Encrypt(dst, src []byte) Implements (at least one exported) *aesCipherAsm : crypto/cipher.Block

type aesCipherGCM (struct) aesCipherGCM implements crypto/cipher.gcmAble so that crypto/cipher.NewGCM will use the optimised implementation in aes_gcm.go when possible. Instances of this type only exist when hasGCMAsm returns true. Likewise, the gcmAble implementation is in aes_gcm.go. Fields (total 4, none are exported) /* 4 unexporteds ... *//* 4 unexporteds: */ aesCipherAsm aesCipherAsm aesCipherAsm.aesCipher aesCipher aesCipherAsm.aesCipher.dec []uint32 aesCipherAsm.aesCipher.enc []uint32 Methods (total 4, all are exported) (*aesCipherGCM) BlockSize() int (*aesCipherGCM) Decrypt(dst, src []byte) (*aesCipherGCM) Encrypt(dst, src []byte) (*aesCipherGCM) NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) NewGCM returns the AES cipher wrapped in Galois Counter Mode. This is only called by crypto/cipher.NewGCM via the gcmAble interface. Implements (at least 3, in which 1 is exported) *aesCipherGCM : crypto/cipher.Block /* 2+ unexporteds ... *//* 2+ unexporteds: */ *aesCipherGCM : gcmAble *aesCipherGCM : crypto/cipher.gcmAble

type cbcDecAble (interface) cbcDecAble is implemented by cipher.Blocks that can provide an optimized implementation of CBC decryption through the cipher.BlockMode interface. See crypto/cipher/cbc.go. Methods (only one, which is exported) ( cbcDecAble) NewCBCDecrypter(iv []byte) cipher.BlockMode Implemented By (at least one unexported) /* at least one unexported ... *//* at least one unexported: */ crypto/cipher.cbcDecAble (interface) Implements (at least one unexported) /* at least one unexported ... *//* at least one unexported: */ cbcDecAble : crypto/cipher.cbcDecAble

type cbcEncAble (interface) cbcEncAble is implemented by cipher.Blocks that can provide an optimized implementation of CBC encryption through the cipher.BlockMode interface. See crypto/cipher/cbc.go. Methods (only one, which is exported) ( cbcEncAble) NewCBCEncrypter(iv []byte) cipher.BlockMode Implemented By (at least one unexported) /* at least one unexported ... *//* at least one unexported: */ crypto/cipher.cbcEncAble (interface) Implements (at least one unexported) /* at least one unexported ... *//* at least one unexported: */ cbcEncAble : crypto/cipher.cbcEncAble

type ctrAble (interface) ctrAble is implemented by cipher.Blocks that can provide an optimized implementation of CTR through the cipher.Stream interface. See crypto/cipher/ctr.go. Methods (only one, which is exported) ( ctrAble) NewCTR(iv []byte) cipher.Stream Implemented By (at least one unexported) /* at least one unexported ... *//* at least one unexported: */ crypto/cipher.ctrAble (interface) Implements (at least one unexported) /* at least one unexported ... *//* at least one unexported: */ ctrAble : crypto/cipher.ctrAble

type gcmAble (interface) gcmAble is implemented by cipher.Blocks that can provide an optimized implementation of GCM through the AEAD interface. See crypto/cipher/gcm.go. Methods (only one, which is exported) ( gcmAble) NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) Implemented By (at least 2, neither is exported) /* 2+ unexporteds ... *//* 2+ unexporteds: */ *aesCipherGCM crypto/cipher.gcmAble (interface) Implements (at least one unexported) /* at least one unexported ... *//* at least one unexported: */ gcmAble : crypto/cipher.gcmAble

type gcmAsm (struct) Fields (total 4, none are exported) /* 4 unexporteds ... *//* 4 unexporteds: */ ks []uint32 ks is the key schedule, the length of which depends on the size of the AES key. nonceSize int nonceSize contains the expected size of the nonce, in bytes. productTable [256]byte productTable contains pre-computed multiples of the binary-field element used in GHASH. tagSize int tagSize contains the size of the tag, in bytes. Methods (total 4, all are exported) (*gcmAsm) NonceSize() int (*gcmAsm) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) Open authenticates and decrypts ciphertext. See the cipher.AEAD interface for details. (*gcmAsm) Overhead() int (*gcmAsm) Seal(dst, nonce, plaintext, data []byte) []byte Seal encrypts and authenticates plaintext. See the cipher.AEAD interface for details. Implements (at least one exported) *gcmAsm : crypto/cipher.AEAD

Package-Level Functions (total 18, in which 1 is exported)

func NewCipher(key []byte) (cipher.Block, error) NewCipher creates and returns a new cipher.Block. The key argument should be the AES key, either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256.

/* 17 unexporteds ... *//* 17 unexporteds: */

func decryptBlockAsm(nr int, xk *uint32, dst, src *byte)

func decryptBlockGo(xk []uint32, dst, src []byte) Decrypt one block from src into dst, using the expanded key xk.

func encryptBlockAsm(nr int, xk *uint32, dst, src *byte)

func encryptBlockGo(xk []uint32, dst, src []byte) Encrypt one block from src into dst, using the expanded key xk.

func expandKey(key []byte, enc, dec []uint32) expandKey is used by BenchmarkExpand to ensure that the asm implementation of key expansion is used for the benchmark when it is available.

func expandKeyAsm(nr int, key *byte, enc *uint32, dec *uint32)

func expandKeyGo(key []byte, enc, dec []uint32) Key expansion algorithm. See FIPS-197, Figure 11. Their rcon[i] is our powx[i-1] << 24.

func gcmAesData(productTable *[256]byte, data []byte, T *[16]byte)

func gcmAesDec(productTable *[256]byte, dst, src []byte, ctr, T *[16]byte, ks []uint32)

func gcmAesEnc(productTable *[256]byte, dst, src []byte, ctr, T *[16]byte, ks []uint32)

func gcmAesFinish(productTable *[256]byte, tagMask, T *[16]byte, pLen, dLen uint64)

func gcmAesInit(productTable *[256]byte, ks []uint32)

func newCipher(key []byte) (cipher.Block, error)

func newCipherGeneric(key []byte) (cipher.Block, error) newCipherGeneric creates and returns a new cipher.Block implemented in pure Go.

func rotw(w uint32) uint32 Rotate

func sliceForAppend(in []byte, n int) (head, tail []byte) sliceForAppend takes a slice and a requested number of bytes. It returns a slice with the contents of the given slice followed by that many bytes and a second slice that aliases into it and contains only the extra bytes. If the original slice has sufficient capacity then no allocation is performed.

func subw(w uint32) uint32 Apply sbox0 to each byte in w.

Package-Level Variables (total 14, none are exported) /* 14 unexporteds ... *//* 14 unexporteds: */

var errOpen error

var powx [16]byte Powers of x mod poly in GF(2).

var sbox0 [256]byte FIPS-197 Figure 7. S-box substitution values in hexadecimal format.

var sbox1 [256]byte FIPS-197 Figure 14. Inverse S-box substitution values in hexadecimal format.

var supportsAES bool

var supportsGFMUL bool

var td0 [256]uint32

var td1 [256]uint32

var td2 [256]uint32

var td3 [256]uint32

var te0 [256]uint32

var te1 [256]uint32

var te2 [256]uint32

var te3 [256]uint32

Package-Level Constants (total 6, in which 1 is exported)

const BlockSize = 16 The AES block size in bytes.

/* 5 unexporteds ... *//* 5 unexporteds: */

const gcmBlockSize = 16

const gcmMinimumTagSize = 12 // NIST SP 800-38D recommends tags with 12 or more bytes.

const gcmStandardNonceSize = 12

const gcmTagSize = 16

const poly = 283 // x⁸ + x⁴ + x³ + x + 1 AES is based on the mathematical behavior of binary polynomials (polynomials over GF(2)) modulo the irreducible polynomial x⁸ + x⁴ + x³ + x + 1. Addition of these binary polynomials corresponds to binary xor. Reducing mod poly corresponds to binary xor with poly every time a 0x100 bit appears.