diff --git a/src/lib/crypto/aes/Makefile b/src/lib/crypto/aes/Makefile index 30941632405..f301d0cefb1 100644 --- a/src/lib/crypto/aes/Makefile +++ b/src/lib/crypto/aes/Makefile @@ -41,23 +41,29 @@ coverage: packages O1=\ const.$O\ - modes.$O\ O2=\ block.$O\ +O3=\ + cipher.$O\ -phases: a1 a2 + +phases: a1 a2 a3 _obj$D/aes.a: phases a1: $(O1) - $(AR) grc _obj$D/aes.a const.$O modes.$O + $(AR) grc _obj$D/aes.a const.$O rm -f $(O1) a2: $(O2) $(AR) grc _obj$D/aes.a block.$O rm -f $(O2) +a3: $(O3) + $(AR) grc _obj$D/aes.a cipher.$O + rm -f $(O3) + newpkg: clean mkdir -p _obj$D @@ -66,6 +72,7 @@ newpkg: clean $(O1): newpkg $(O2): a1 $(O3): a2 +$(O4): a3 nuke: clean rm -f $(GOROOT)/pkg$D/aes.a diff --git a/src/lib/crypto/aes/aes_test.go b/src/lib/crypto/aes/aes_test.go index f16cf4b2da2..2f6cb4a9230 100644 --- a/src/lib/crypto/aes/aes_test.go +++ b/src/lib/crypto/aes/aes_test.go @@ -126,7 +126,7 @@ func TestTd(t *testing.T) { // Appendix A of FIPS 197: Key expansion examples type KeyTest struct { - key []uint32; + key []byte; enc []uint32; dec []uint32; // decryption expansion; not in FIPS 197, computed from C implementation. } @@ -134,8 +134,8 @@ type KeyTest struct { var keyTests = []KeyTest { KeyTest { // A.1. Expansion of a 128-bit Cipher Key - []uint32 { - 0x2b7e1516, 0x28aed2a6, 0xabf71588, 0x09cf4f3c + []byte { + 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c }, []uint32 { 0x2b7e1516, 0x28aed2a6, 0xabf71588, 0x09cf4f3c, @@ -166,9 +166,9 @@ var keyTests = []KeyTest { }, KeyTest { // A.2. Expansion of a 192-bit Cipher Key - []uint32 { - 0x8e73b0f7, 0xda0e6452, 0xc810f32b, 0x809079e5, - 0x62f8ead2, 0x522c6b7b, + []byte { + 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52, 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5, + 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b, }, []uint32 { 0x8e73b0f7, 0xda0e6452, 0xc810f32b, 0x809079e5, @@ -189,9 +189,9 @@ var keyTests = []KeyTest { }, KeyTest { // A.3. Expansion of a 256-bit Cipher Key - []uint32 { - 0x603deb10, 0x15ca71be, 0x2b73aef0, 0x857d7781, - 0x1f352c07, 0x3b6108d7, 0x2d9810a3, 0x0914dff4, + []byte { + 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe, 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81, + 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7, 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4, }, []uint32 { 0x603deb10, 0x15ca71be, 0x2b73aef0, 0x857d7781, @@ -243,70 +243,108 @@ L: // Appendix B, C of FIPS 197: Cipher examples, Example vectors. type CryptTest struct { - key []uint32; - in []uint32; - out []uint32; + key []byte; + in []byte; + out []byte; } var encryptTests = []CryptTest { CryptTest { // Appendix B. - []uint32 { 0x2b7e1516, 0x28aed2a6, 0xabf71588, 0x09cf4f3c, }, - []uint32 { 0x3243f6a8, 0x885a308d, 0x313198a2, 0xe0370734, }, - []uint32 { 0x3925841d, 0x02dc09fb, 0xdc118597, 0x196a0b32, }, + []byte { 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c, }, + []byte { 0x32, 0x43, 0xf6, 0xa8, 0x88, 0x5a, 0x30, 0x8d, 0x31, 0x31, 0x98, 0xa2, 0xe0, 0x37, 0x07, 0x34, }, + []byte { 0x39, 0x25, 0x84, 0x1d, 0x02, 0xdc, 0x09, 0xfb, 0xdc, 0x11, 0x85, 0x97, 0x19, 0x6a, 0x0b, 0x32, }, }, CryptTest { // Appendix C.1. AES-128 - []uint32 { 0x00010203, 0x04050607, 0x08090a0b, 0x0c0d0e0f, }, - []uint32 { 0x00112233, 0x44556677, 0x8899aabb, 0xccddeeff, }, - []uint32 { 0x69c4e0d8, 0x6a7b0430, 0xd8cdb780, 0x70b4c55a, }, + []byte { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, }, + []byte { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, }, + []byte { 0x69, 0xc4, 0xe0, 0xd8, 0x6a, 0x7b, 0x04, 0x30, 0xd8, 0xcd, 0xb7, 0x80, 0x70, 0xb4, 0xc5, 0x5a, }, }, CryptTest { // Appendix C.2. AES-192 - []uint32 { 0x00010203, 0x04050607, 0x08090a0b, 0x0c0d0e0f, - 0x10111213, 0x14151617, }, - []uint32 { 0x00112233, 0x44556677, 0x8899aabb, 0xccddeeff, }, - []uint32 { 0xdda97ca4, 0x864cdfe0, 0x6eaf70a0, 0xec0d7191, }, + []byte { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, }, + []byte { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, }, + []byte { 0xdd, 0xa9, 0x7c, 0xa4, 0x86, 0x4c, 0xdf, 0xe0, 0x6e, 0xaf, 0x70, 0xa0, 0xec, 0x0d, 0x71, 0x91, }, }, CryptTest { // Appendix C.3. AES-256 - []uint32 { 0x00010203, 0x04050607, 0x08090a0b, 0x0c0d0e0f, - 0x10111213, 0x14151617, 0x18191a1b, 0x1c1d1e1f, }, - []uint32 { 0x00112233, 0x44556677, 0x8899aabb, 0xccddeeff, }, - []uint32 { 0x8ea2b7ca, 0x516745bf, 0xeafc4990, 0x4b496089, }, + []byte { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, }, + []byte { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, }, + []byte { 0x8e, 0xa2, 0xb7, 0xca, 0x51, 0x67, 0x45, 0xbf, 0xea, 0xfc, 0x49, 0x90, 0x4b, 0x49, 0x60, 0x89, }, }, } -// Test encryption against FIPS 197 examples. -func TestEncrypt(t *testing.T) { +// Test encryptBlock against FIPS 197 examples. +func TestEncryptBlock(t *testing.T) { for i, tt := range encryptTests { - n := 4*(len(tt.key) + 7); + n := len(tt.key) + 28; enc := make([]uint32, n); dec := make([]uint32, n); expandKey(tt.key, enc, dec); - out := make([]uint32, len(tt.in)); + out := make([]byte, len(tt.in)); encryptBlock(enc, tt.in, out); for j, v := range out { if v != tt.out[j] { - t.Errorf("encrypt %d: out[%d] = %#x, want %#x", i, j, v, tt.out[j]); + t.Errorf("encryptBlock %d: out[%d] = %#x, want %#x", i, j, v, tt.out[j]); break; } } } } -// Test decryption against FIPS 197 examples. -func TestDecrypt(t *testing.T) { +// Test decryptBlock against FIPS 197 examples. +func TestDecryptBlock(t *testing.T) { for i, tt := range encryptTests { - n := 4*(len(tt.key) + 7); + n := len(tt.key) + 28; enc := make([]uint32, n); dec := make([]uint32, n); expandKey(tt.key, enc, dec); - plain := make([]uint32, len(tt.in)); + plain := make([]byte, len(tt.in)); decryptBlock(dec, tt.out, plain); for j, v := range plain { if v != tt.in[j] { - t.Errorf("decrypt %d: plain[%d] = %#x, want %#x", i, j, v, tt.in[j]); + t.Errorf("decryptBlock %d: plain[%d] = %#x, want %#x", i, j, v, tt.in[j]); + break; + } + } + } +} + +// Test Cipher Encrypt method against FIPS 197 examples. +func TestCipherEncrypt(t *testing.T) { + for i, tt := range encryptTests { + c, err := NewCipher(tt.key); + if err != nil { + t.Errorf("NewCipher(%d bytes) = %s", len(tt.key), err); + continue; + } + out := make([]byte, len(tt.in)); + c.Encrypt(tt.in, out); + for j, v := range out { + if v != tt.out[j] { + t.Errorf("Cipher.Encrypt %d: out[%d] = %#x, want %#x", i, j, v, tt.out[j]); + break; + } + } + } +} + +// Test Cipher Decrypt against FIPS 197 examples. +func TestCipherDecrypt(t *testing.T) { + for i, tt := range encryptTests { + c, err := NewCipher(tt.key); + if err != nil { + t.Errorf("NewCipher(%d bytes) = %s", len(tt.key), err); + continue; + } + plain := make([]byte, len(tt.in)); + c.Decrypt(tt.out, plain); + for j, v := range plain { + if v != tt.in[j] { + t.Errorf("decryptBlock %d: plain[%d] = %#x, want %#x", i, j, v, tt.in[j]); break; } } diff --git a/src/lib/crypto/aes/block.go b/src/lib/crypto/aes/block.go index 56c48fe3430..3c67d1c3c05 100644 --- a/src/lib/crypto/aes/block.go +++ b/src/lib/crypto/aes/block.go @@ -39,14 +39,19 @@ package aes import "crypto/aes" // Encrypt one block from src into dst, using the expanded key xk. -func encryptBlock(xk, src, dst []uint32) { +func encryptBlock(xk []uint32, src, dst []byte) { var s0, s1, s2, s3, t0, t1, t2, t3 uint32; + s0 = uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3]); + s1 = uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7]); + s2 = uint32(src[8])<<24 | uint32(src[9])<<16 | uint32(src[10])<<8 | uint32(src[11]); + s3 = uint32(src[12])<<24 | uint32(src[13])<<16 | uint32(src[14])<<8 | uint32(src[15]); + // First round just XORs input with key. - s0 = src[0] ^ xk[0]; - s1 = src[1] ^ xk[1]; - s2 = src[2] ^ xk[2]; - s3 = src[3] ^ xk[3]; + s0 ^= xk[0]; + s1 ^= xk[1]; + s2 ^= xk[2]; + s3 ^= xk[3]; // Middle rounds shuffle using tables. // Number of rounds is set by length of expanded key. @@ -67,21 +72,31 @@ func encryptBlock(xk, src, dst []uint32) { s2 = uint32(sbox0[t2>>24])<<24 | uint32(sbox0[t3>>16 & 0xff])<<16 | uint32(sbox0[t0>>8 & 0xff])<<8 | uint32(sbox0[t1 & 0xff]); s3 = uint32(sbox0[t3>>24])<<24 | uint32(sbox0[t0>>16 & 0xff])<<16 | uint32(sbox0[t1>>8 & 0xff])<<8 | uint32(sbox0[t2 & 0xff]); - dst[0] = s0 ^ xk[k+0]; - dst[1] = s1 ^ xk[k+1]; - dst[2] = s2 ^ xk[k+2]; - dst[3] = s3 ^ xk[k+3]; + s0 ^= xk[k+0]; + s1 ^= xk[k+1]; + s2 ^= xk[k+2]; + s3 ^= xk[k+3]; + + dst[0], dst[1], dst[2], dst[3] = byte(s0>>24), byte(s0>>16), byte(s0>>8), byte(s0); + dst[4], dst[5], dst[6], dst[7] = byte(s1>>24), byte(s1>>16), byte(s1>>8), byte(s1); + dst[8], dst[9], dst[10], dst[11] = byte(s2>>24), byte(s2>>16), byte(s2>>8), byte(s2); + dst[12], dst[13], dst[14], dst[15] = byte(s3>>24), byte(s3>>16), byte(s3>>8), byte(s3); } // Decrypt one block from src into dst, using the expanded key xk. -func decryptBlock(xk, src, dst []uint32) { +func decryptBlock(xk []uint32, src, dst []byte) { var s0, s1, s2, s3, t0, t1, t2, t3 uint32; + s0 = uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3]); + s1 = uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7]); + s2 = uint32(src[8])<<24 | uint32(src[9])<<16 | uint32(src[10])<<8 | uint32(src[11]); + s3 = uint32(src[12])<<24 | uint32(src[13])<<16 | uint32(src[14])<<8 | uint32(src[15]); + // First round just XORs input with key. - s0 = src[0] ^ xk[0]; - s1 = src[1] ^ xk[1]; - s2 = src[2] ^ xk[2]; - s3 = src[3] ^ xk[3]; + s0 ^= xk[0]; + s1 ^= xk[1]; + s2 ^= xk[2]; + s3 ^= xk[3]; // Middle rounds shuffle using tables. // Number of rounds is set by length of expanded key. @@ -102,10 +117,15 @@ func decryptBlock(xk, src, dst []uint32) { s2 = uint32(sbox1[t2>>24])<<24 | uint32(sbox1[t1>>16 & 0xff])<<16 | uint32(sbox1[t0>>8 & 0xff])<<8 | uint32(sbox1[t3 & 0xff]); s3 = uint32(sbox1[t3>>24])<<24 | uint32(sbox1[t2>>16 & 0xff])<<16 | uint32(sbox1[t1>>8 & 0xff])<<8 | uint32(sbox1[t0 & 0xff]); - dst[0] = s0 ^ xk[k+0]; - dst[1] = s1 ^ xk[k+1]; - dst[2] = s2 ^ xk[k+2]; - dst[3] = s3 ^ xk[k+3]; + s0 ^= xk[k+0]; + s1 ^= xk[k+1]; + s2 ^= xk[k+2]; + s3 ^= xk[k+3]; + + dst[0], dst[1], dst[2], dst[3] = byte(s0>>24), byte(s0>>16), byte(s0>>8), byte(s0); + dst[4], dst[5], dst[6], dst[7] = byte(s1>>24), byte(s1>>16), byte(s1>>8), byte(s1); + dst[8], dst[9], dst[10], dst[11] = byte(s2>>24), byte(s2>>16), byte(s2>>8), byte(s2); + dst[12], dst[13], dst[14], dst[15] = byte(s3>>24), byte(s3>>16), byte(s3>>8), byte(s3); } // Apply sbox0 to each byte in w. @@ -124,12 +144,12 @@ func rotw(w uint32) uint32 { // Key expansion algorithm. See FIPS-197, Figure 11. // Their rcon[i] is our powx[i-1] << 24. -func expandKey(key, enc, dec []uint32) { +func expandKey(key []byte, enc, dec []uint32) { // Encryption key setup. var i int; - nk := len(key); + nk := len(key) / 4; for i = 0; i < nk; i++ { - enc[i] = key[i]; + enc[i] = uint32(key[4*i])<<24 | uint32(key[4*i+1])<<16 | uint32(key[4*i+2])<<8 | uint32(key[4*i+3]); } for ; i < len(enc); i++ { t := enc[i-1]; diff --git a/src/lib/crypto/aes/cipher.go b/src/lib/crypto/aes/cipher.go new file mode 100644 index 00000000000..fd8e43e1620 --- /dev/null +++ b/src/lib/crypto/aes/cipher.go @@ -0,0 +1,71 @@ +// Copyright 2009 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package aes + +import ( + "crypto/aes"; + "os"; +) + +// The AES block size in bytes. +const BlockSize = 16; + +// A Cipher is an instance of AES encryption using a particular key. +type Cipher struct { + enc []uint32; + dec []uint32; +} + +// NewCipher creates and returns a new Cipher. +// The key argument should be the AES key, +// either 16, 24, or 32 bytes to select +// AES-128, AES-192, or AES-256. +func NewCipher(key []byte) (*Cipher, os.Error) { + switch len(key) { + default: + return nil, os.ErrorString("crypto/aes: invalid key size"); + case 16, 24, 32: + break; + } + + n := len(key) + 28; + c := &Cipher{make([]uint32, n), make([]uint32, n)}; + expandKey(key, c.enc, c.dec); + return c, nil; +} + +// BlockSize returns the AES block size, 16 bytes. +// It is necessary to satisfy the Key interface in the +// package "crypto/modes". +func (c *Cipher) BlockSize() int { + return BlockSize; +} + +// Encrypt encrypts the 16-byte buffer src using the key k +// and stores the result in dst. +// Note that for amounts of data larger than a block, +// it is not safe to just call Encrypt on successive blocks; +// instead, use an encryption mode like AESCBC (see modes.go). +func (c *Cipher) Encrypt(src, dst []byte) { + encryptBlock(c.enc, src, dst); +} + +// Decrypt decrypts the 16-byte buffer src using the key k +// and stores the result in dst. +func (c *Cipher) Decrypt(src, dst []byte) { + decryptBlock(c.dec, src, dst); +} + +// Reset zeros the key data, so that it will no longer +// appear in the process's memory. +func (c *Cipher) Reset() { + for i := 0; i < len(c.enc); i++ { + c.enc[i] = 0; + } + for i := 0; i < len(c.dec); i++ { + c.dec[i] = 0; + } +} + diff --git a/src/lib/crypto/aes/modes.go b/src/lib/crypto/aes/modes.go deleted file mode 100644 index 96d0154285e..00000000000 --- a/src/lib/crypto/aes/modes.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2009 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package aes - -// TODO(rsc): mode implementations go here.