177 lines
7.1 KiB
Go
177 lines
7.1 KiB
Go
// Copyright 2009 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
// This Go implementation is derived in part from the reference
|
|
// ANSI C implementation, which carries the following notice:
|
|
//
|
|
// rijndael-alg-fst.c
|
|
//
|
|
// @version 3.0 (December 2000)
|
|
//
|
|
// Optimised ANSI C code for the Rijndael cipher (now AES)
|
|
//
|
|
// @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
|
|
// @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
|
|
// @author Paulo Barreto <paulo.barreto@terra.com.br>
|
|
//
|
|
// This code is hereby placed in the public domain.
|
|
//
|
|
// THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
|
|
// OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
|
// WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
// ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
|
|
// LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
// SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
|
|
// BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
|
// WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
|
|
// OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
|
|
// EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
//
|
|
// See FIPS 197 for specification, and see Daemen and Rijmen's Rijndael submission
|
|
// for implementation details.
|
|
// http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf
|
|
// http://csrc.nist.gov/archive/aes/rijndael/Rijndael-ammended.pdf
|
|
|
|
package aes12
|
|
|
|
// Encrypt one block from src into dst, using the expanded key xk.
|
|
func encryptBlockGo(xk []uint32, dst, src []byte) {
|
|
var s0, s1, s2, s3, t0, t1, t2, t3 uint32
|
|
|
|
s0 = uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3])
|
|
s1 = uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7])
|
|
s2 = uint32(src[8])<<24 | uint32(src[9])<<16 | uint32(src[10])<<8 | uint32(src[11])
|
|
s3 = uint32(src[12])<<24 | uint32(src[13])<<16 | uint32(src[14])<<8 | uint32(src[15])
|
|
|
|
// First round just XORs input with key.
|
|
s0 ^= xk[0]
|
|
s1 ^= xk[1]
|
|
s2 ^= xk[2]
|
|
s3 ^= xk[3]
|
|
|
|
// Middle rounds shuffle using tables.
|
|
// Number of rounds is set by length of expanded key.
|
|
nr := len(xk)/4 - 2 // - 2: one above, one more below
|
|
k := 4
|
|
for r := 0; r < nr; r++ {
|
|
t0 = xk[k+0] ^ te0[uint8(s0>>24)] ^ te1[uint8(s1>>16)] ^ te2[uint8(s2>>8)] ^ te3[uint8(s3)]
|
|
t1 = xk[k+1] ^ te0[uint8(s1>>24)] ^ te1[uint8(s2>>16)] ^ te2[uint8(s3>>8)] ^ te3[uint8(s0)]
|
|
t2 = xk[k+2] ^ te0[uint8(s2>>24)] ^ te1[uint8(s3>>16)] ^ te2[uint8(s0>>8)] ^ te3[uint8(s1)]
|
|
t3 = xk[k+3] ^ te0[uint8(s3>>24)] ^ te1[uint8(s0>>16)] ^ te2[uint8(s1>>8)] ^ te3[uint8(s2)]
|
|
k += 4
|
|
s0, s1, s2, s3 = t0, t1, t2, t3
|
|
}
|
|
|
|
// Last round uses s-box directly and XORs to produce output.
|
|
s0 = uint32(sbox0[t0>>24])<<24 | uint32(sbox0[t1>>16&0xff])<<16 | uint32(sbox0[t2>>8&0xff])<<8 | uint32(sbox0[t3&0xff])
|
|
s1 = uint32(sbox0[t1>>24])<<24 | uint32(sbox0[t2>>16&0xff])<<16 | uint32(sbox0[t3>>8&0xff])<<8 | uint32(sbox0[t0&0xff])
|
|
s2 = uint32(sbox0[t2>>24])<<24 | uint32(sbox0[t3>>16&0xff])<<16 | uint32(sbox0[t0>>8&0xff])<<8 | uint32(sbox0[t1&0xff])
|
|
s3 = uint32(sbox0[t3>>24])<<24 | uint32(sbox0[t0>>16&0xff])<<16 | uint32(sbox0[t1>>8&0xff])<<8 | uint32(sbox0[t2&0xff])
|
|
|
|
s0 ^= xk[k+0]
|
|
s1 ^= xk[k+1]
|
|
s2 ^= xk[k+2]
|
|
s3 ^= xk[k+3]
|
|
|
|
dst[0], dst[1], dst[2], dst[3] = byte(s0>>24), byte(s0>>16), byte(s0>>8), byte(s0)
|
|
dst[4], dst[5], dst[6], dst[7] = byte(s1>>24), byte(s1>>16), byte(s1>>8), byte(s1)
|
|
dst[8], dst[9], dst[10], dst[11] = byte(s2>>24), byte(s2>>16), byte(s2>>8), byte(s2)
|
|
dst[12], dst[13], dst[14], dst[15] = byte(s3>>24), byte(s3>>16), byte(s3>>8), byte(s3)
|
|
}
|
|
|
|
// Decrypt one block from src into dst, using the expanded key xk.
|
|
func decryptBlockGo(xk []uint32, dst, src []byte) {
|
|
var s0, s1, s2, s3, t0, t1, t2, t3 uint32
|
|
|
|
s0 = uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3])
|
|
s1 = uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7])
|
|
s2 = uint32(src[8])<<24 | uint32(src[9])<<16 | uint32(src[10])<<8 | uint32(src[11])
|
|
s3 = uint32(src[12])<<24 | uint32(src[13])<<16 | uint32(src[14])<<8 | uint32(src[15])
|
|
|
|
// First round just XORs input with key.
|
|
s0 ^= xk[0]
|
|
s1 ^= xk[1]
|
|
s2 ^= xk[2]
|
|
s3 ^= xk[3]
|
|
|
|
// Middle rounds shuffle using tables.
|
|
// Number of rounds is set by length of expanded key.
|
|
nr := len(xk)/4 - 2 // - 2: one above, one more below
|
|
k := 4
|
|
for r := 0; r < nr; r++ {
|
|
t0 = xk[k+0] ^ td0[uint8(s0>>24)] ^ td1[uint8(s3>>16)] ^ td2[uint8(s2>>8)] ^ td3[uint8(s1)]
|
|
t1 = xk[k+1] ^ td0[uint8(s1>>24)] ^ td1[uint8(s0>>16)] ^ td2[uint8(s3>>8)] ^ td3[uint8(s2)]
|
|
t2 = xk[k+2] ^ td0[uint8(s2>>24)] ^ td1[uint8(s1>>16)] ^ td2[uint8(s0>>8)] ^ td3[uint8(s3)]
|
|
t3 = xk[k+3] ^ td0[uint8(s3>>24)] ^ td1[uint8(s2>>16)] ^ td2[uint8(s1>>8)] ^ td3[uint8(s0)]
|
|
k += 4
|
|
s0, s1, s2, s3 = t0, t1, t2, t3
|
|
}
|
|
|
|
// Last round uses s-box directly and XORs to produce output.
|
|
s0 = uint32(sbox1[t0>>24])<<24 | uint32(sbox1[t3>>16&0xff])<<16 | uint32(sbox1[t2>>8&0xff])<<8 | uint32(sbox1[t1&0xff])
|
|
s1 = uint32(sbox1[t1>>24])<<24 | uint32(sbox1[t0>>16&0xff])<<16 | uint32(sbox1[t3>>8&0xff])<<8 | uint32(sbox1[t2&0xff])
|
|
s2 = uint32(sbox1[t2>>24])<<24 | uint32(sbox1[t1>>16&0xff])<<16 | uint32(sbox1[t0>>8&0xff])<<8 | uint32(sbox1[t3&0xff])
|
|
s3 = uint32(sbox1[t3>>24])<<24 | uint32(sbox1[t2>>16&0xff])<<16 | uint32(sbox1[t1>>8&0xff])<<8 | uint32(sbox1[t0&0xff])
|
|
|
|
s0 ^= xk[k+0]
|
|
s1 ^= xk[k+1]
|
|
s2 ^= xk[k+2]
|
|
s3 ^= xk[k+3]
|
|
|
|
dst[0], dst[1], dst[2], dst[3] = byte(s0>>24), byte(s0>>16), byte(s0>>8), byte(s0)
|
|
dst[4], dst[5], dst[6], dst[7] = byte(s1>>24), byte(s1>>16), byte(s1>>8), byte(s1)
|
|
dst[8], dst[9], dst[10], dst[11] = byte(s2>>24), byte(s2>>16), byte(s2>>8), byte(s2)
|
|
dst[12], dst[13], dst[14], dst[15] = byte(s3>>24), byte(s3>>16), byte(s3>>8), byte(s3)
|
|
}
|
|
|
|
// Apply sbox0 to each byte in w.
|
|
func subw(w uint32) uint32 {
|
|
return uint32(sbox0[w>>24])<<24 |
|
|
uint32(sbox0[w>>16&0xff])<<16 |
|
|
uint32(sbox0[w>>8&0xff])<<8 |
|
|
uint32(sbox0[w&0xff])
|
|
}
|
|
|
|
// Rotate
|
|
func rotw(w uint32) uint32 { return w<<8 | w>>24 }
|
|
|
|
// Key expansion algorithm. See FIPS-197, Figure 11.
|
|
// Their rcon[i] is our powx[i-1] << 24.
|
|
func expandKeyGo(key []byte, enc, dec []uint32) {
|
|
// Encryption key setup.
|
|
var i int
|
|
nk := len(key) / 4
|
|
for i = 0; i < nk; i++ {
|
|
enc[i] = uint32(key[4*i])<<24 | uint32(key[4*i+1])<<16 | uint32(key[4*i+2])<<8 | uint32(key[4*i+3])
|
|
}
|
|
for ; i < len(enc); i++ {
|
|
t := enc[i-1]
|
|
if i%nk == 0 {
|
|
t = subw(rotw(t)) ^ (uint32(powx[i/nk-1]) << 24)
|
|
} else if nk > 6 && i%nk == 4 {
|
|
t = subw(t)
|
|
}
|
|
enc[i] = enc[i-nk] ^ t
|
|
}
|
|
|
|
// Derive decryption key from encryption key.
|
|
// Reverse the 4-word round key sets from enc to produce dec.
|
|
// All sets but the first and last get the MixColumn transform applied.
|
|
if dec == nil {
|
|
return
|
|
}
|
|
n := len(enc)
|
|
for i := 0; i < n; i += 4 {
|
|
ei := n - i - 4
|
|
for j := 0; j < 4; j++ {
|
|
x := enc[ei+j]
|
|
if i > 0 && i+4 < n {
|
|
x = td0[sbox0[x>>24]] ^ td1[sbox0[x>>16&0xff]] ^ td2[sbox0[x>>8&0xff]] ^ td3[sbox0[x&0xff]]
|
|
}
|
|
dec[i+j] = x
|
|
}
|
|
}
|
|
}
|