Public AES block interface.

The higher-level stream modes will be in crypto/block. R=r DELTA=205 (136 added, 7 deleted, 62 changed) OCL=29002 CL=29006
2024-11-18 19:44:46 -07:00 · 2009-05-18 15:27:20 -07:00 · 2009-05-18 15:27:20 -07:00 · 80543aca7e
commit 80543aca7e
parent 1ed725d7cd
5 changed files with 196 additions and 67 deletions
--- a/src/lib/crypto/aes/Makefile
+++ b/src/lib/crypto/aes/Makefile
@ -41,23 +41,29 @@ coverage: packages

 O1=\
 	const.$O\
-	modes.$O\

 O2=\
 	block.$O\

+O3=\
+	cipher.$O\

-phases: a1 a2
+
+phases: a1 a2 a3
 _obj$D/aes.a: phases

 a1: $(O1)
-	$(AR) grc _obj$D/aes.a const.$O modes.$O
+	$(AR) grc _obj$D/aes.a const.$O
 	rm -f $(O1)

 a2: $(O2)
 	$(AR) grc _obj$D/aes.a block.$O
 	rm -f $(O2)

+a3: $(O3)
+	$(AR) grc _obj$D/aes.a cipher.$O
+	rm -f $(O3)
+

 newpkg: clean
 	mkdir -p _obj$D
@ -66,6 +72,7 @@ newpkg: clean
 $(O1): newpkg
 $(O2): a1
 $(O3): a2
+$(O4): a3

 nuke: clean
 	rm -f $(GOROOT)/pkg$D/aes.a
--- a/src/lib/crypto/aes/aes_test.go
+++ b/src/lib/crypto/aes/aes_test.go
@ -126,7 +126,7 @@ func TestTd(t *testing.T) {

 // Appendix A of FIPS 197: Key expansion examples
 type KeyTest struct {
-	key []uint32;
+	key []byte;
 	enc []uint32;
 	dec []uint32;	// decryption expansion; not in FIPS 197, computed from C implementation.
 }
@ -134,8 +134,8 @@ type KeyTest struct {
 var keyTests = []KeyTest {
 	KeyTest {
 		// A.1.  Expansion of a 128-bit Cipher Key
-		[]uint32 {
-			0x2b7e1516, 0x28aed2a6, 0xabf71588, 0x09cf4f3c
+		[]byte {
+			0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
 		},
 		[]uint32 {
 			0x2b7e1516, 0x28aed2a6, 0xabf71588, 0x09cf4f3c,
@ -166,9 +166,9 @@ var keyTests = []KeyTest {
 	},
 	KeyTest {
 		// A.2.  Expansion of a 192-bit Cipher Key
-		[]uint32 {
-			0x8e73b0f7, 0xda0e6452, 0xc810f32b, 0x809079e5,
-			0x62f8ead2, 0x522c6b7b,
+		[]byte {
+			0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52, 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
+			0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b,
 		},
 		[]uint32 {
 			0x8e73b0f7, 0xda0e6452, 0xc810f32b, 0x809079e5,
@ -189,9 +189,9 @@ var keyTests = []KeyTest {
 	},
 	KeyTest {
 		// A.3.  Expansion of a 256-bit Cipher Key
-		[]uint32 {
-			0x603deb10, 0x15ca71be, 0x2b73aef0, 0x857d7781,
-			0x1f352c07, 0x3b6108d7, 0x2d9810a3, 0x0914dff4,
+		[]byte {
+			0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe, 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
+			0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7, 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4,
 		},
 		[]uint32 {
 			0x603deb10, 0x15ca71be, 0x2b73aef0, 0x857d7781,
@ -243,70 +243,108 @@ L:

 // Appendix B, C of FIPS 197: Cipher examples, Example vectors.
 type CryptTest struct {
-	key []uint32;
-	in []uint32;
-	out []uint32;
+	key []byte;
+	in []byte;
+	out []byte;
 }

 var encryptTests = []CryptTest {
 	CryptTest {
 		// Appendix B.
-		[]uint32 { 0x2b7e1516, 0x28aed2a6, 0xabf71588, 0x09cf4f3c, },
-		[]uint32 { 0x3243f6a8, 0x885a308d, 0x313198a2, 0xe0370734, },
-		[]uint32 { 0x3925841d, 0x02dc09fb, 0xdc118597, 0x196a0b32, },
+		[]byte { 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c, },
+		[]byte { 0x32, 0x43, 0xf6, 0xa8, 0x88, 0x5a, 0x30, 0x8d, 0x31, 0x31, 0x98, 0xa2, 0xe0, 0x37, 0x07, 0x34, },
+		[]byte { 0x39, 0x25, 0x84, 0x1d, 0x02, 0xdc, 0x09, 0xfb, 0xdc, 0x11, 0x85, 0x97, 0x19, 0x6a, 0x0b, 0x32, },
 	},
 	CryptTest {
 		// Appendix C.1.  AES-128
-		[]uint32 { 0x00010203, 0x04050607, 0x08090a0b, 0x0c0d0e0f, },
-		[]uint32 { 0x00112233, 0x44556677, 0x8899aabb, 0xccddeeff, },
-		[]uint32 { 0x69c4e0d8, 0x6a7b0430, 0xd8cdb780, 0x70b4c55a, },
+		[]byte { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, },
+		[]byte { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, },
+		[]byte { 0x69, 0xc4, 0xe0, 0xd8, 0x6a, 0x7b, 0x04, 0x30, 0xd8, 0xcd, 0xb7, 0x80, 0x70, 0xb4, 0xc5, 0x5a, },
 	},
 	CryptTest {
 		// Appendix C.2.  AES-192
-		[]uint32 { 0x00010203, 0x04050607, 0x08090a0b, 0x0c0d0e0f,
-			0x10111213, 0x14151617, },
-		[]uint32 { 0x00112233, 0x44556677, 0x8899aabb, 0xccddeeff, },
-		[]uint32 { 0xdda97ca4, 0x864cdfe0, 0x6eaf70a0, 0xec0d7191, },
+		[]byte { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+			0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, },
+		[]byte { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, },
+		[]byte { 0xdd, 0xa9, 0x7c, 0xa4, 0x86, 0x4c, 0xdf, 0xe0, 0x6e, 0xaf, 0x70, 0xa0, 0xec, 0x0d, 0x71, 0x91, },
 	},
 	CryptTest {
 		// Appendix C.3.  AES-256
-		[]uint32 { 0x00010203, 0x04050607, 0x08090a0b, 0x0c0d0e0f,
-			0x10111213, 0x14151617, 0x18191a1b, 0x1c1d1e1f, },
-		[]uint32 { 0x00112233, 0x44556677, 0x8899aabb, 0xccddeeff, },
-		[]uint32 { 0x8ea2b7ca, 0x516745bf, 0xeafc4990, 0x4b496089, },
+		[]byte { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+			0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, },
+		[]byte { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, },
+		[]byte { 0x8e, 0xa2, 0xb7, 0xca, 0x51, 0x67, 0x45, 0xbf, 0xea, 0xfc, 0x49, 0x90, 0x4b, 0x49, 0x60, 0x89, },
 	},
 }

-// Test encryption against FIPS 197 examples.
-func TestEncrypt(t *testing.T) {
+// Test encryptBlock against FIPS 197 examples.
+func TestEncryptBlock(t *testing.T) {
 	for i, tt := range encryptTests {
-		n := 4*(len(tt.key) + 7);
+		n := len(tt.key) + 28;
 		enc := make([]uint32, n);
 		dec := make([]uint32, n);
 		expandKey(tt.key, enc, dec);
-		out := make([]uint32, len(tt.in));
+		out := make([]byte, len(tt.in));
 		encryptBlock(enc, tt.in, out);
 		for j, v := range out {
 			if v != tt.out[j] {
-				t.Errorf("encrypt %d: out[%d] = %#x, want %#x", i, j, v, tt.out[j]);
+				t.Errorf("encryptBlock %d: out[%d] = %#x, want %#x", i, j, v, tt.out[j]);
 				break;
 			}
 		}
 	}
 }

-// Test decryption against FIPS 197 examples.
-func TestDecrypt(t *testing.T) {
+// Test decryptBlock against FIPS 197 examples.
+func TestDecryptBlock(t *testing.T) {
 	for i, tt := range encryptTests {
-		n := 4*(len(tt.key) + 7);
+		n := len(tt.key) + 28;
 		enc := make([]uint32, n);
 		dec := make([]uint32, n);
 		expandKey(tt.key, enc, dec);
-		plain := make([]uint32, len(tt.in));
+		plain := make([]byte, len(tt.in));
 		decryptBlock(dec, tt.out, plain);
 		for j, v := range plain {
 			if v != tt.in[j] {
-				t.Errorf("decrypt %d: plain[%d] = %#x, want %#x", i, j, v, tt.in[j]);
+				t.Errorf("decryptBlock %d: plain[%d] = %#x, want %#x", i, j, v, tt.in[j]);
+				break;
+			}
+		}
+	}
+}
+
+// Test Cipher Encrypt method against FIPS 197 examples.
+func TestCipherEncrypt(t *testing.T) {
+	for i, tt := range encryptTests {
+		c, err := NewCipher(tt.key);
+		if err != nil {
+			t.Errorf("NewCipher(%d bytes) = %s", len(tt.key), err);
+			continue;
+		}
+		out := make([]byte, len(tt.in));
+		c.Encrypt(tt.in, out);
+		for j, v := range out {
+			if v != tt.out[j] {
+				t.Errorf("Cipher.Encrypt %d: out[%d] = %#x, want %#x", i, j, v, tt.out[j]);
+				break;
+			}
+		}
+	}
+}
+
+// Test Cipher Decrypt against FIPS 197 examples.
+func TestCipherDecrypt(t *testing.T) {
+	for i, tt := range encryptTests {
+		c, err := NewCipher(tt.key);
+		if err != nil {
+			t.Errorf("NewCipher(%d bytes) = %s", len(tt.key), err);
+			continue;
+		}
+		plain := make([]byte, len(tt.in));
+		c.Decrypt(tt.out, plain);
+		for j, v := range plain {
+			if v != tt.in[j] {
+				t.Errorf("decryptBlock %d: plain[%d] = %#x, want %#x", i, j, v, tt.in[j]);
 				break;
 			}
 		}
--- a/src/lib/crypto/aes/block.go
+++ b/src/lib/crypto/aes/block.go
@ -39,14 +39,19 @@ package aes
 import "crypto/aes"

 // Encrypt one block from src into dst, using the expanded key xk.
-func encryptBlock(xk, src, dst []uint32) {
+func encryptBlock(xk []uint32, src, dst []byte) {
 	var s0, s1, s2, s3, t0, t1, t2, t3 uint32;

+	s0 = uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3]);
+	s1 = uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7]);
+	s2 = uint32(src[8])<<24 | uint32(src[9])<<16 | uint32(src[10])<<8 | uint32(src[11]);
+	s3 = uint32(src[12])<<24 | uint32(src[13])<<16 | uint32(src[14])<<8 | uint32(src[15]);
+
 	// First round just XORs input with key.
-	s0 = src[0] ^ xk[0];
-	s1 = src[1] ^ xk[1];
-	s2 = src[2] ^ xk[2];
-	s3 = src[3] ^ xk[3];
+	s0 ^= xk[0];
+	s1 ^= xk[1];
+	s2 ^= xk[2];
+	s3 ^= xk[3];

 	// Middle rounds shuffle using tables.
 	// Number of rounds is set by length of expanded key.
@ -67,21 +72,31 @@ func encryptBlock(xk, src, dst []uint32) {
 	s2 = uint32(sbox0[t2>>24])<<24 | uint32(sbox0[t3>>16 & 0xff])<<16 | uint32(sbox0[t0>>8 & 0xff])<<8 | uint32(sbox0[t1 & 0xff]);
 	s3 = uint32(sbox0[t3>>24])<<24 | uint32(sbox0[t0>>16 & 0xff])<<16 | uint32(sbox0[t1>>8 & 0xff])<<8 | uint32(sbox0[t2 & 0xff]);

-	dst[0] = s0 ^ xk[k+0];
-	dst[1] = s1 ^ xk[k+1];
-	dst[2] = s2 ^ xk[k+2];
-	dst[3] = s3 ^ xk[k+3];
+	s0 ^= xk[k+0];
+	s1 ^= xk[k+1];
+	s2 ^= xk[k+2];
+	s3 ^= xk[k+3];
+
+	dst[0], dst[1], dst[2], dst[3] = byte(s0>>24), byte(s0>>16), byte(s0>>8), byte(s0);
+	dst[4], dst[5], dst[6], dst[7] = byte(s1>>24), byte(s1>>16), byte(s1>>8), byte(s1);
+	dst[8], dst[9], dst[10], dst[11] = byte(s2>>24), byte(s2>>16), byte(s2>>8), byte(s2);
+	dst[12], dst[13], dst[14], dst[15] = byte(s3>>24), byte(s3>>16), byte(s3>>8), byte(s3);
 }

 // Decrypt one block from src into dst, using the expanded key xk.
-func decryptBlock(xk, src, dst []uint32) {
+func decryptBlock(xk []uint32, src, dst []byte) {
 	var s0, s1, s2, s3, t0, t1, t2, t3 uint32;

+	s0 = uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3]);
+	s1 = uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7]);
+	s2 = uint32(src[8])<<24 | uint32(src[9])<<16 | uint32(src[10])<<8 | uint32(src[11]);
+	s3 = uint32(src[12])<<24 | uint32(src[13])<<16 | uint32(src[14])<<8 | uint32(src[15]);
+
 	// First round just XORs input with key.
-	s0 = src[0] ^ xk[0];
-	s1 = src[1] ^ xk[1];
-	s2 = src[2] ^ xk[2];
-	s3 = src[3] ^ xk[3];
+	s0 ^= xk[0];
+	s1 ^= xk[1];
+	s2 ^= xk[2];
+	s3 ^= xk[3];

 	// Middle rounds shuffle using tables.
 	// Number of rounds is set by length of expanded key.
@ -102,10 +117,15 @@ func decryptBlock(xk, src, dst []uint32) {
 	s2 = uint32(sbox1[t2>>24])<<24 | uint32(sbox1[t1>>16 & 0xff])<<16 | uint32(sbox1[t0>>8 & 0xff])<<8 | uint32(sbox1[t3 & 0xff]);
 	s3 = uint32(sbox1[t3>>24])<<24 | uint32(sbox1[t2>>16 & 0xff])<<16 | uint32(sbox1[t1>>8 & 0xff])<<8 | uint32(sbox1[t0 & 0xff]);

-	dst[0] = s0 ^ xk[k+0];
-	dst[1] = s1 ^ xk[k+1];
-	dst[2] = s2 ^ xk[k+2];
-	dst[3] = s3 ^ xk[k+3];
+	s0 ^= xk[k+0];
+	s1 ^= xk[k+1];
+	s2 ^= xk[k+2];
+	s3 ^= xk[k+3];
+
+	dst[0], dst[1], dst[2], dst[3] = byte(s0>>24), byte(s0>>16), byte(s0>>8), byte(s0);
+	dst[4], dst[5], dst[6], dst[7] = byte(s1>>24), byte(s1>>16), byte(s1>>8), byte(s1);
+	dst[8], dst[9], dst[10], dst[11] = byte(s2>>24), byte(s2>>16), byte(s2>>8), byte(s2);
+	dst[12], dst[13], dst[14], dst[15] = byte(s3>>24), byte(s3>>16), byte(s3>>8), byte(s3);
 }

 // Apply sbox0 to each byte in w.
@ -124,12 +144,12 @@ func rotw(w uint32) uint32 {

 // Key expansion algorithm.  See FIPS-197, Figure 11.
 // Their rcon[i] is our powx[i-1] << 24.
-func expandKey(key, enc, dec []uint32) {
+func expandKey(key []byte, enc, dec []uint32) {
 	// Encryption key setup.
 	var i int;
-	nk := len(key);
+	nk := len(key) / 4;
 	for i = 0; i < nk; i++ {
-		enc[i] = key[i];
+		enc[i] = uint32(key[4*i])<<24 | uint32(key[4*i+1])<<16 | uint32(key[4*i+2])<<8 | uint32(key[4*i+3]);
 	}
 	for ; i < len(enc); i++ {
 		t := enc[i-1];
--- a/src/lib/crypto/aes/cipher.go
+++ b/src/lib/crypto/aes/cipher.go
@ -0,0 +1,71 @@
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package aes
+
+import (
+	"crypto/aes";
+	"os";
+)
+
+// The AES block size in bytes.
+const BlockSize = 16;
+
+// A Cipher is an instance of AES encryption using a particular key.
+type Cipher struct {
+	enc []uint32;
+	dec []uint32;
+}
+
+// NewCipher creates and returns a new Cipher.
+// The key argument should be the AES key,
+// either 16, 24, or 32 bytes to select
+// AES-128, AES-192, or AES-256.
+func NewCipher(key []byte) (*Cipher, os.Error) {
+	switch len(key) {
+	default:
+		return nil, os.ErrorString("crypto/aes: invalid key size");
+	case 16, 24, 32:
+		break;
+	}
+
+	n := len(key) + 28;
+	c := &Cipher{make([]uint32, n), make([]uint32, n)};
+	expandKey(key, c.enc, c.dec);
+	return c, nil;
+}
+
+// BlockSize returns the AES block size, 16 bytes.
+// It is necessary to satisfy the Key interface in the
+// package "crypto/modes".
+func (c *Cipher) BlockSize() int {
+	return BlockSize;
+}
+
+// Encrypt encrypts the 16-byte buffer src using the key k
+// and stores the result in dst.
+// Note that for amounts of data larger than a block,
+// it is not safe to just call Encrypt on successive blocks;
+// instead, use an encryption mode like AESCBC (see modes.go).
+func (c *Cipher) Encrypt(src, dst []byte) {
+	encryptBlock(c.enc, src, dst);
+}
+
+// Decrypt decrypts the 16-byte buffer src using the key k
+// and stores the result in dst.
+func (c *Cipher) Decrypt(src, dst []byte) {
+	decryptBlock(c.dec, src, dst);
+}
+
+// Reset zeros the key data, so that it will no longer
+// appear in the process's memory.
+func (c *Cipher) Reset() {
+	for i := 0; i < len(c.enc); i++ {
+		c.enc[i] = 0;
+	}
+	for i := 0; i < len(c.dec); i++ {
+		c.dec[i] = 0;
+	}
+}
+
--- a/src/lib/crypto/aes/modes.go
+++ b/src/lib/crypto/aes/modes.go
@ -1,7 +0,0 @@
-// Copyright 2009 The Go Authors.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package aes
-
-// TODO(rsc): mode implementations go here.