Merge pull request #92 from microsoft/add-sealrandomwithnonce-method

qmuntal · web-flow · commit fa74f148acbc · 2025-05-27T11:26:50.000+02:00
Add: SealWithRandomNonce logic
diff --git a/cng/aes.go b/cng/aes.go
@@ -337,6 +337,40 @@ func (g *aesGCM) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
 	return ret
 }
 
+func (g *aesGCM) SealWithRandomNonce(out, nonce, plaintext, additionalData []byte) {
+	if uint64(len(plaintext)) > uint64((1<<32)-2)*aesBlockSize {
+		panic("crypto/cipher: message too large for GCM")
+	}
+	if len(nonce) != gcmStandardNonceSize {
+		panic("crypto/cipher: incorrect nonce length given to GCMWithRandomNonce")
+	}
+	if len(out) != len(plaintext)+gcmTagSize {
+		panic("crypto/cipher: incorrect output length given to GCMWithRandomNonce")
+	}
+	if subtle.InexactOverlap(out, plaintext) {
+		panic("crypto/cipher: invalid buffer overlap of output and input")
+	}
+	if subtle.AnyOverlap(out, additionalData) {
+		panic("crypto/cipher: invalid buffer overlap of output and additional data")
+	}
+
+	if g.tls != cipherGCMTLSNone {
+		panic("cipher: TLS 1.2 and 1.3 modes do not support random nonce")
+	}
+
+	RandReader.Read(nonce)
+	info := bcrypt.NewAUTHENTICATED_CIPHER_MODE_INFO(nonce, additionalData, out[len(out)-gcmTagSize:])
+	var encSize uint32
+	err := bcrypt.Encrypt(g.kh, plaintext, unsafe.Pointer(info), nil, out, &encSize, 0)
+	if err != nil {
+		panic(err)
+	}
+	if int(encSize) != len(plaintext) {
+		panic("crypto/cipher: plaintext not fully encrypted")
+	}
+	runtime.KeepAlive(g)
+}
+
 var errOpen = errors.New("cipher: message authentication failed")
 
 func (g *aesGCM) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
