kris
/
nobs
镜像来自 https://github.com/henrydcase/nobs.git
1
0
複製 0
程式碼 問題管理 0 版本發佈 1 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
75 Commit
11 分支
11 MiB
 
 
 
 
目錄樹: 1e84ed09cc
分支列表 標籤列表
${ item.name }
Create branch ${ searchTerm }
from '1e84ed09cc'
${ noResults }
nobs/drbg/internal/aes/generic.go

183 line
6.5 KiB
原始文件 Blame 文件歷史 

  1. // Copyright 2009 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. // This Go implementation is derived in part from the reference

  6. // ANSI C implementation, which carries the following notice:

  7. //

  8. //	rijndael-alg-fst.c

  9. //

  10. //	@version 3.0 (December 2000)

  11. //

  12. //	Optimised ANSI C code for the Rijndael cipher (now AES)

  13. //

  14. //	@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>

  15. //	@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>

  16. //	@author Paulo Barreto <paulo.barreto@terra.com.br>

  17. //

  18. //	This code is hereby placed in the public domain.

  19. //

  20. //	THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS

  21. //	OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED

  22. //	WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  23. //	ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE

  24. //	LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR

  25. //	CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF

  26. //	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR

  27. //	BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,

  28. //	WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE

  29. //	OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,

  30. //	EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

  31. //

  32. // See FIPS 197 for specification, and see Daemen and Rijmen's Rijndael submission

  33. // for implementation details.

  34. //	https://csrc.nist.gov/csrc/media/publications/fips/197/final/documents/fips-197.pdf

  35. //	https://csrc.nist.gov/archive/aes/rijndael/Rijndael-ammended.pdf

  36. 

  37. package aes

  38. 

  39. import (

  40. 	"encoding/binary"

  41. )

  42. 

  43. // Encrypt one block from src into dst, using the expanded key xk.

  44. func encryptBlockGo(xk []uint32, dst, src []byte) {

  45. 	_ = src[15] // early bounds check

  46. 	s0 := binary.BigEndian.Uint32(src[0:4])

  47. 	s1 := binary.BigEndian.Uint32(src[4:8])

  48. 	s2 := binary.BigEndian.Uint32(src[8:12])

  49. 	s3 := binary.BigEndian.Uint32(src[12:16])

  50. 

  51. 	// First round just XORs input with key.

  52. 	s0 ^= xk[0]

  53. 	s1 ^= xk[1]

  54. 	s2 ^= xk[2]

  55. 	s3 ^= xk[3]

  56. 

  57. 	// Middle rounds shuffle using tables.

  58. 	// Number of rounds is set by length of expanded key.

  59. 	nr := len(xk)/4 - 2 // - 2: one above, one more below

  60. 	k := 4

  61. 	var t0, t1, t2, t3 uint32

  62. 	for r := 0; r < nr; r++ {

  63. 		t0 = xk[k+0] ^ te0[uint8(s0>>24)] ^ te1[uint8(s1>>16)] ^ te2[uint8(s2>>8)] ^ te3[uint8(s3)]

  64. 		t1 = xk[k+1] ^ te0[uint8(s1>>24)] ^ te1[uint8(s2>>16)] ^ te2[uint8(s3>>8)] ^ te3[uint8(s0)]

  65. 		t2 = xk[k+2] ^ te0[uint8(s2>>24)] ^ te1[uint8(s3>>16)] ^ te2[uint8(s0>>8)] ^ te3[uint8(s1)]

  66. 		t3 = xk[k+3] ^ te0[uint8(s3>>24)] ^ te1[uint8(s0>>16)] ^ te2[uint8(s1>>8)] ^ te3[uint8(s2)]

  67. 		k += 4

  68. 		s0, s1, s2, s3 = t0, t1, t2, t3

  69. 	}

  70. 

  71. 	// Last round uses s-box directly and XORs to produce output.

  72. 	s0 = uint32(sbox0[t0>>24])<<24 | uint32(sbox0[t1>>16&0xff])<<16 | uint32(sbox0[t2>>8&0xff])<<8 | uint32(sbox0[t3&0xff])

  73. 	s1 = uint32(sbox0[t1>>24])<<24 | uint32(sbox0[t2>>16&0xff])<<16 | uint32(sbox0[t3>>8&0xff])<<8 | uint32(sbox0[t0&0xff])

  74. 	s2 = uint32(sbox0[t2>>24])<<24 | uint32(sbox0[t3>>16&0xff])<<16 | uint32(sbox0[t0>>8&0xff])<<8 | uint32(sbox0[t1&0xff])

  75. 	s3 = uint32(sbox0[t3>>24])<<24 | uint32(sbox0[t0>>16&0xff])<<16 | uint32(sbox0[t1>>8&0xff])<<8 | uint32(sbox0[t2&0xff])

  76. 

  77. 	s0 ^= xk[k+0]

  78. 	s1 ^= xk[k+1]

  79. 	s2 ^= xk[k+2]

  80. 	s3 ^= xk[k+3]

  81. 

  82. 	_ = dst[15] // early bounds check

  83. 	binary.BigEndian.PutUint32(dst[0:4], s0)

  84. 	binary.BigEndian.PutUint32(dst[4:8], s1)

  85. 	binary.BigEndian.PutUint32(dst[8:12], s2)

  86. 	binary.BigEndian.PutUint32(dst[12:16], s3)

  87. }

  88. 

  89. // Decrypt one block from src into dst, using the expanded key xk.

  90. func decryptBlockGo(xk []uint32, dst, src []byte) {

  91. 	_ = src[15] // early bounds check

  92. 	s0 := binary.BigEndian.Uint32(src[0:4])

  93. 	s1 := binary.BigEndian.Uint32(src[4:8])

  94. 	s2 := binary.BigEndian.Uint32(src[8:12])

  95. 	s3 := binary.BigEndian.Uint32(src[12:16])

  96. 

  97. 	// First round just XORs input with key.

  98. 	s0 ^= xk[0]

  99. 	s1 ^= xk[1]

  100. 	s2 ^= xk[2]

  101. 	s3 ^= xk[3]

  102. 

  103. 	// Middle rounds shuffle using tables.

  104. 	// Number of rounds is set by length of expanded key.

  105. 	nr := len(xk)/4 - 2 // - 2: one above, one more below

  106. 	k := 4

  107. 	var t0, t1, t2, t3 uint32

  108. 	for r := 0; r < nr; r++ {

  109. 		t0 = xk[k+0] ^ td0[uint8(s0>>24)] ^ td1[uint8(s3>>16)] ^ td2[uint8(s2>>8)] ^ td3[uint8(s1)]

  110. 		t1 = xk[k+1] ^ td0[uint8(s1>>24)] ^ td1[uint8(s0>>16)] ^ td2[uint8(s3>>8)] ^ td3[uint8(s2)]

  111. 		t2 = xk[k+2] ^ td0[uint8(s2>>24)] ^ td1[uint8(s1>>16)] ^ td2[uint8(s0>>8)] ^ td3[uint8(s3)]

  112. 		t3 = xk[k+3] ^ td0[uint8(s3>>24)] ^ td1[uint8(s2>>16)] ^ td2[uint8(s1>>8)] ^ td3[uint8(s0)]

  113. 		k += 4

  114. 		s0, s1, s2, s3 = t0, t1, t2, t3

  115. 	}

  116. 

  117. 	// Last round uses s-box directly and XORs to produce output.

  118. 	s0 = uint32(sbox1[t0>>24])<<24 | uint32(sbox1[t3>>16&0xff])<<16 | uint32(sbox1[t2>>8&0xff])<<8 | uint32(sbox1[t1&0xff])

  119. 	s1 = uint32(sbox1[t1>>24])<<24 | uint32(sbox1[t0>>16&0xff])<<16 | uint32(sbox1[t3>>8&0xff])<<8 | uint32(sbox1[t2&0xff])

  120. 	s2 = uint32(sbox1[t2>>24])<<24 | uint32(sbox1[t1>>16&0xff])<<16 | uint32(sbox1[t0>>8&0xff])<<8 | uint32(sbox1[t3&0xff])

  121. 	s3 = uint32(sbox1[t3>>24])<<24 | uint32(sbox1[t2>>16&0xff])<<16 | uint32(sbox1[t1>>8&0xff])<<8 | uint32(sbox1[t0&0xff])

  122. 

  123. 	s0 ^= xk[k+0]

  124. 	s1 ^= xk[k+1]

  125. 	s2 ^= xk[k+2]

  126. 	s3 ^= xk[k+3]

  127. 

  128. 	_ = dst[15] // early bounds check

  129. 	binary.BigEndian.PutUint32(dst[0:4], s0)

  130. 	binary.BigEndian.PutUint32(dst[4:8], s1)

  131. 	binary.BigEndian.PutUint32(dst[8:12], s2)

  132. 	binary.BigEndian.PutUint32(dst[12:16], s3)

  133. }

  134. 

  135. // Apply sbox0 to each byte in w.

  136. func subw(w uint32) uint32 {

  137. 	return uint32(sbox0[w>>24])<<24 |

  138. 		uint32(sbox0[w>>16&0xff])<<16 |

  139. 		uint32(sbox0[w>>8&0xff])<<8 |

  140. 		uint32(sbox0[w&0xff])

  141. }

  142. 

  143. // Rotate

  144. func rotw(w uint32) uint32 { return w<<8 | w>>24 }

  145. 

  146. // Key expansion algorithm. See FIPS-197, Figure 11.

  147. // Their rcon[i] is our powx[i-1] << 24.

  148. func expandKeyGo(key []byte, enc, dec []uint32) {

  149. 	// Encryption key setup.

  150. 	var i int

  151. 	nk := len(key) / 4

  152. 	for i = 0; i < nk; i++ {

  153. 		enc[i] = binary.BigEndian.Uint32(key[4*i:])

  154. 	}

  155. 	for ; i < len(enc); i++ {

  156. 		t := enc[i-1]

  157. 		if i%nk == 0 {

  158. 			t = subw(rotw(t)) ^ (uint32(powx[i/nk-1]) << 24)

  159. 		} else if nk > 6 && i%nk == 4 {

  160. 			t = subw(t)

  161. 		}

  162. 		enc[i] = enc[i-nk] ^ t

  163. 	}

  164. 

  165. 	// Derive decryption key from encryption key.

  166. 	// Reverse the 4-word round key sets from enc to produce dec.

  167. 	// All sets but the first and last get the MixColumn transform applied.

  168. 	if dec == nil {

  169. 		return

  170. 	}

  171. 	n := len(enc)

  172. 	for i := 0; i < n; i += 4 {

  173. 		ei := n - i - 4

  174. 		for j := 0; j < 4; j++ {

  175. 			x := enc[ei+j]

  176. 			if i > 0 && i+4 < n {

  177. 				x = td0[sbox0[x>>24]] ^ td1[sbox0[x>>16&0xff]] ^ td2[sbox0[x>>8&0xff]] ^ td3[sbox0[x&0xff]]

  178. 			}

  179. 			dec[i+j] = x

  180. 		}

  181. 	}

  182. }