Source file src/crypto/internal/fips140/aes/aes_generic.go

     1  // Copyright 2009 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  // This Go implementation is derived in part from the reference
     6  // ANSI C implementation, which carries the following notice:
     7  //
     8  //	rijndael-alg-fst.c
     9  //
    10  //	@version 3.0 (December 2000)
    11  //
    12  //	Optimised ANSI C code for the Rijndael cipher (now AES)
    13  //
    14  //	@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
    15  //	@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
    16  //	@author Paulo Barreto <paulo.barreto@terra.com.br>
    17  //
    18  //	This code is hereby placed in the public domain.
    19  //
    20  //	THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
    21  //	OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
    22  //	WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
    23  //	ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
    24  //	LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
    25  //	CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
    26  //	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    27  //	BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    28  //	WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    29  //	OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
    30  //	EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    31  //
    32  // See FIPS 197 for specification, and see Daemen and Rijmen's Rijndael submission
    33  // for implementation details.
    34  //	https://csrc.nist.gov/csrc/media/publications/fips/197/final/documents/fips-197.pdf
    35  //	https://csrc.nist.gov/archive/aes/rijndael/Rijndael-ammended.pdf
    36  
    37  package aes
    38  
    39  import "crypto/internal/fips140deps/byteorder"
    40  
    41  // Encrypt one block from src into dst, using the expanded key xk.
    42  func encryptBlockGeneric(c *blockExpanded, dst, src []byte) {
    43  	checkGenericIsExpected()
    44  	xk := c.enc[:]
    45  
    46  	_ = src[15] // early bounds check
    47  	s0 := byteorder.BEUint32(src[0:4])
    48  	s1 := byteorder.BEUint32(src[4:8])
    49  	s2 := byteorder.BEUint32(src[8:12])
    50  	s3 := byteorder.BEUint32(src[12:16])
    51  
    52  	// First round just XORs input with key.
    53  	s0 ^= xk[0]
    54  	s1 ^= xk[1]
    55  	s2 ^= xk[2]
    56  	s3 ^= xk[3]
    57  
    58  	// Middle rounds shuffle using tables.
    59  	k := 4
    60  	var t0, t1, t2, t3 uint32
    61  	for r := 0; r < c.rounds-1; r++ {
    62  		t0 = xk[k+0] ^ te0[uint8(s0>>24)] ^ te1[uint8(s1>>16)] ^ te2[uint8(s2>>8)] ^ te3[uint8(s3)]
    63  		t1 = xk[k+1] ^ te0[uint8(s1>>24)] ^ te1[uint8(s2>>16)] ^ te2[uint8(s3>>8)] ^ te3[uint8(s0)]
    64  		t2 = xk[k+2] ^ te0[uint8(s2>>24)] ^ te1[uint8(s3>>16)] ^ te2[uint8(s0>>8)] ^ te3[uint8(s1)]
    65  		t3 = xk[k+3] ^ te0[uint8(s3>>24)] ^ te1[uint8(s0>>16)] ^ te2[uint8(s1>>8)] ^ te3[uint8(s2)]
    66  		k += 4
    67  		s0, s1, s2, s3 = t0, t1, t2, t3
    68  	}
    69  
    70  	// Last round uses s-box directly and XORs to produce output.
    71  	s0 = uint32(sbox0[t0>>24])<<24 | uint32(sbox0[t1>>16&0xff])<<16 | uint32(sbox0[t2>>8&0xff])<<8 | uint32(sbox0[t3&0xff])
    72  	s1 = uint32(sbox0[t1>>24])<<24 | uint32(sbox0[t2>>16&0xff])<<16 | uint32(sbox0[t3>>8&0xff])<<8 | uint32(sbox0[t0&0xff])
    73  	s2 = uint32(sbox0[t2>>24])<<24 | uint32(sbox0[t3>>16&0xff])<<16 | uint32(sbox0[t0>>8&0xff])<<8 | uint32(sbox0[t1&0xff])
    74  	s3 = uint32(sbox0[t3>>24])<<24 | uint32(sbox0[t0>>16&0xff])<<16 | uint32(sbox0[t1>>8&0xff])<<8 | uint32(sbox0[t2&0xff])
    75  
    76  	s0 ^= xk[k+0]
    77  	s1 ^= xk[k+1]
    78  	s2 ^= xk[k+2]
    79  	s3 ^= xk[k+3]
    80  
    81  	_ = dst[15] // early bounds check
    82  	byteorder.BEPutUint32(dst[0:4], s0)
    83  	byteorder.BEPutUint32(dst[4:8], s1)
    84  	byteorder.BEPutUint32(dst[8:12], s2)
    85  	byteorder.BEPutUint32(dst[12:16], s3)
    86  }
    87  
    88  // Decrypt one block from src into dst, using the expanded key xk.
    89  func decryptBlockGeneric(c *blockExpanded, dst, src []byte) {
    90  	checkGenericIsExpected()
    91  	xk := c.dec[:]
    92  
    93  	_ = src[15] // early bounds check
    94  	s0 := byteorder.BEUint32(src[0:4])
    95  	s1 := byteorder.BEUint32(src[4:8])
    96  	s2 := byteorder.BEUint32(src[8:12])
    97  	s3 := byteorder.BEUint32(src[12:16])
    98  
    99  	// First round just XORs input with key.
   100  	s0 ^= xk[0]
   101  	s1 ^= xk[1]
   102  	s2 ^= xk[2]
   103  	s3 ^= xk[3]
   104  
   105  	// Middle rounds shuffle using tables.
   106  	k := 4
   107  	var t0, t1, t2, t3 uint32
   108  	for r := 0; r < c.rounds-1; r++ {
   109  		t0 = xk[k+0] ^ td0[uint8(s0>>24)] ^ td1[uint8(s3>>16)] ^ td2[uint8(s2>>8)] ^ td3[uint8(s1)]
   110  		t1 = xk[k+1] ^ td0[uint8(s1>>24)] ^ td1[uint8(s0>>16)] ^ td2[uint8(s3>>8)] ^ td3[uint8(s2)]
   111  		t2 = xk[k+2] ^ td0[uint8(s2>>24)] ^ td1[uint8(s1>>16)] ^ td2[uint8(s0>>8)] ^ td3[uint8(s3)]
   112  		t3 = xk[k+3] ^ td0[uint8(s3>>24)] ^ td1[uint8(s2>>16)] ^ td2[uint8(s1>>8)] ^ td3[uint8(s0)]
   113  		k += 4
   114  		s0, s1, s2, s3 = t0, t1, t2, t3
   115  	}
   116  
   117  	// Last round uses s-box directly and XORs to produce output.
   118  	s0 = uint32(sbox1[t0>>24])<<24 | uint32(sbox1[t3>>16&0xff])<<16 | uint32(sbox1[t2>>8&0xff])<<8 | uint32(sbox1[t1&0xff])
   119  	s1 = uint32(sbox1[t1>>24])<<24 | uint32(sbox1[t0>>16&0xff])<<16 | uint32(sbox1[t3>>8&0xff])<<8 | uint32(sbox1[t2&0xff])
   120  	s2 = uint32(sbox1[t2>>24])<<24 | uint32(sbox1[t1>>16&0xff])<<16 | uint32(sbox1[t0>>8&0xff])<<8 | uint32(sbox1[t3&0xff])
   121  	s3 = uint32(sbox1[t3>>24])<<24 | uint32(sbox1[t2>>16&0xff])<<16 | uint32(sbox1[t1>>8&0xff])<<8 | uint32(sbox1[t0&0xff])
   122  
   123  	s0 ^= xk[k+0]
   124  	s1 ^= xk[k+1]
   125  	s2 ^= xk[k+2]
   126  	s3 ^= xk[k+3]
   127  
   128  	_ = dst[15] // early bounds check
   129  	byteorder.BEPutUint32(dst[0:4], s0)
   130  	byteorder.BEPutUint32(dst[4:8], s1)
   131  	byteorder.BEPutUint32(dst[8:12], s2)
   132  	byteorder.BEPutUint32(dst[12:16], s3)
   133  }
   134  
   135  // Apply sbox0 to each byte in w.
   136  func subw(w uint32) uint32 {
   137  	return uint32(sbox0[w>>24])<<24 |
   138  		uint32(sbox0[w>>16&0xff])<<16 |
   139  		uint32(sbox0[w>>8&0xff])<<8 |
   140  		uint32(sbox0[w&0xff])
   141  }
   142  
   143  // Rotate
   144  func rotw(w uint32) uint32 { return w<<8 | w>>24 }
   145  
   146  // Key expansion algorithm. See FIPS-197, Figure 11.
   147  // Their rcon[i] is our powx[i-1] << 24.
   148  func expandKeyGeneric(c *blockExpanded, key []byte) {
   149  	checkGenericIsExpected()
   150  
   151  	// Encryption key setup.
   152  	var i int
   153  	nk := len(key) / 4
   154  	for i = 0; i < nk; i++ {
   155  		c.enc[i] = byteorder.BEUint32(key[4*i:])
   156  	}
   157  	for ; i < c.roundKeysSize(); i++ {
   158  		t := c.enc[i-1]
   159  		if i%nk == 0 {
   160  			t = subw(rotw(t)) ^ (uint32(powx[i/nk-1]) << 24)
   161  		} else if nk > 6 && i%nk == 4 {
   162  			t = subw(t)
   163  		}
   164  		c.enc[i] = c.enc[i-nk] ^ t
   165  	}
   166  
   167  	// Derive decryption key from encryption key.
   168  	// Reverse the 4-word round key sets from enc to produce dec.
   169  	// All sets but the first and last get the MixColumn transform applied.
   170  	n := c.roundKeysSize()
   171  	for i := 0; i < n; i += 4 {
   172  		ei := n - i - 4
   173  		for j := 0; j < 4; j++ {
   174  			x := c.enc[ei+j]
   175  			if i > 0 && i+4 < n {
   176  				x = td0[sbox0[x>>24]] ^ td1[sbox0[x>>16&0xff]] ^ td2[sbox0[x>>8&0xff]] ^ td3[sbox0[x&0xff]]
   177  			}
   178  			c.dec[i+j] = x
   179  		}
   180  	}
   181  }
   182  

View as plain text