search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge from mainline (167278:168000).
[official-gcc/graphite-test-results.git] / libgo / go / crypto / aes / block.go
blob130cd011c946e1bc35574cbbd513d0c0798124a2
1 // Copyright 2009 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
4
5 // This Go implementation is derived in part from the reference
6 // ANSI C implementation, which carries the following notice:
7 //
8 // rijndael-alg-fst.c
9 //
10 // @version 3.0 (December 2000)
11 //
12 // Optimised ANSI C code for the Rijndael cipher (now AES)
13 //
14 // @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
15 // @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
16 // @author Paulo Barreto <paulo.barreto@terra.com.br>
17 //
18 // This code is hereby placed in the public domain.
19 //
20 // THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
21 // OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
22 // WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 // ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
24 // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25 // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26 // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
27 // BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
28 // WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
29 // OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
30 // EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 //
32 // See FIPS 197 for specification, and see Daemen and Rijmen's Rijndael submission
33 // for implementation details.
34 // http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf
35 // http://csrc.nist.gov/archive/aes/rijndael/Rijndael-ammended.pdf
36
37 package aes
38
39 // Encrypt one block from src into dst, using the expanded key xk.
40 func encryptBlock(xk []uint32, dst, src []byte) {
41 var s0, s1, s2, s3, t0, t1, t2, t3 uint32
42
43 s0 = uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3])
44 s1 = uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7])
45 s2 = uint32(src[8])<<24 | uint32(src[9])<<16 | uint32(src[10])<<8 | uint32(src[11])
46 s3 = uint32(src[12])<<24 | uint32(src[13])<<16 | uint32(src[14])<<8 | uint32(src[15])
47
48 // First round just XORs input with key.
49 s0 ^= xk[0]
50 s1 ^= xk[1]
51 s2 ^= xk[2]
52 s3 ^= xk[3]
53
54 // Middle rounds shuffle using tables.
55 // Number of rounds is set by length of expanded key.
56 nr := len(xk)/4 - 2 // - 2: one above, one more below
57 k := 4
58 for r := 0; r < nr; r++ {
59 t0 = xk[k+0] ^ te[0][s0>>24] ^ te[1][s1>>16&0xff] ^ te[2][s2>>8&0xff] ^ te[3][s3&0xff]
60 t1 = xk[k+1] ^ te[0][s1>>24] ^ te[1][s2>>16&0xff] ^ te[2][s3>>8&0xff] ^ te[3][s0&0xff]
61 t2 = xk[k+2] ^ te[0][s2>>24] ^ te[1][s3>>16&0xff] ^ te[2][s0>>8&0xff] ^ te[3][s1&0xff]
62 t3 = xk[k+3] ^ te[0][s3>>24] ^ te[1][s0>>16&0xff] ^ te[2][s1>>8&0xff] ^ te[3][s2&0xff]
63 k += 4
64 s0, s1, s2, s3 = t0, t1, t2, t3
65 }
66
67 // Last round uses s-box directly and XORs to produce output.
68 s0 = uint32(sbox0[t0>>24])<<24 | uint32(sbox0[t1>>16&0xff])<<16 | uint32(sbox0[t2>>8&0xff])<<8 | uint32(sbox0[t3&0xff])
69 s1 = uint32(sbox0[t1>>24])<<24 | uint32(sbox0[t2>>16&0xff])<<16 | uint32(sbox0[t3>>8&0xff])<<8 | uint32(sbox0[t0&0xff])
70 s2 = uint32(sbox0[t2>>24])<<24 | uint32(sbox0[t3>>16&0xff])<<16 | uint32(sbox0[t0>>8&0xff])<<8 | uint32(sbox0[t1&0xff])
71 s3 = uint32(sbox0[t3>>24])<<24 | uint32(sbox0[t0>>16&0xff])<<16 | uint32(sbox0[t1>>8&0xff])<<8 | uint32(sbox0[t2&0xff])
72
73 s0 ^= xk[k+0]
74 s1 ^= xk[k+1]
75 s2 ^= xk[k+2]
76 s3 ^= xk[k+3]
77
78 dst[0], dst[1], dst[2], dst[3] = byte(s0>>24), byte(s0>>16), byte(s0>>8), byte(s0)
79 dst[4], dst[5], dst[6], dst[7] = byte(s1>>24), byte(s1>>16), byte(s1>>8), byte(s1)
80 dst[8], dst[9], dst[10], dst[11] = byte(s2>>24), byte(s2>>16), byte(s2>>8), byte(s2)
81 dst[12], dst[13], dst[14], dst[15] = byte(s3>>24), byte(s3>>16), byte(s3>>8), byte(s3)
82 }
83
84 // Decrypt one block from src into dst, using the expanded key xk.
85 func decryptBlock(xk []uint32, dst, src []byte) {
86 var s0, s1, s2, s3, t0, t1, t2, t3 uint32
87
88 s0 = uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3])
89 s1 = uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7])
90 s2 = uint32(src[8])<<24 | uint32(src[9])<<16 | uint32(src[10])<<8 | uint32(src[11])
91 s3 = uint32(src[12])<<24 | uint32(src[13])<<16 | uint32(src[14])<<8 | uint32(src[15])
92
93 // First round just XORs input with key.
94 s0 ^= xk[0]
95 s1 ^= xk[1]
96 s2 ^= xk[2]
97 s3 ^= xk[3]
98
99 // Middle rounds shuffle using tables.
100 // Number of rounds is set by length of expanded key.
101 nr := len(xk)/4 - 2 // - 2: one above, one more below
102 k := 4
103 for r := 0; r < nr; r++ {
104 t0 = xk[k+0] ^ td[0][s0>>24] ^ td[1][s3>>16&0xff] ^ td[2][s2>>8&0xff] ^ td[3][s1&0xff]
105 t1 = xk[k+1] ^ td[0][s1>>24] ^ td[1][s0>>16&0xff] ^ td[2][s3>>8&0xff] ^ td[3][s2&0xff]
106 t2 = xk[k+2] ^ td[0][s2>>24] ^ td[1][s1>>16&0xff] ^ td[2][s0>>8&0xff] ^ td[3][s3&0xff]
107 t3 = xk[k+3] ^ td[0][s3>>24] ^ td[1][s2>>16&0xff] ^ td[2][s1>>8&0xff] ^ td[3][s0&0xff]
108 k += 4
109 s0, s1, s2, s3 = t0, t1, t2, t3
110 }
111
112 // Last round uses s-box directly and XORs to produce output.
113 s0 = uint32(sbox1[t0>>24])<<24 | uint32(sbox1[t3>>16&0xff])<<16 | uint32(sbox1[t2>>8&0xff])<<8 | uint32(sbox1[t1&0xff])
114 s1 = uint32(sbox1[t1>>24])<<24 | uint32(sbox1[t0>>16&0xff])<<16 | uint32(sbox1[t3>>8&0xff])<<8 | uint32(sbox1[t2&0xff])
115 s2 = uint32(sbox1[t2>>24])<<24 | uint32(sbox1[t1>>16&0xff])<<16 | uint32(sbox1[t0>>8&0xff])<<8 | uint32(sbox1[t3&0xff])
116 s3 = uint32(sbox1[t3>>24])<<24 | uint32(sbox1[t2>>16&0xff])<<16 | uint32(sbox1[t1>>8&0xff])<<8 | uint32(sbox1[t0&0xff])
117
118 s0 ^= xk[k+0]
119 s1 ^= xk[k+1]
120 s2 ^= xk[k+2]
121 s3 ^= xk[k+3]
122
123 dst[0], dst[1], dst[2], dst[3] = byte(s0>>24), byte(s0>>16), byte(s0>>8), byte(s0)
124 dst[4], dst[5], dst[6], dst[7] = byte(s1>>24), byte(s1>>16), byte(s1>>8), byte(s1)
125 dst[8], dst[9], dst[10], dst[11] = byte(s2>>24), byte(s2>>16), byte(s2>>8), byte(s2)
126 dst[12], dst[13], dst[14], dst[15] = byte(s3>>24), byte(s3>>16), byte(s3>>8), byte(s3)
127 }
128
129 // Apply sbox0 to each byte in w.
130 func subw(w uint32) uint32 {
131 return uint32(sbox0[w>>24])<<24 |
132 uint32(sbox0[w>>16&0xff])<<16 |
133 uint32(sbox0[w>>8&0xff])<<8 |
134 uint32(sbox0[w&0xff])
135 }
136
137 // Rotate
138 func rotw(w uint32) uint32 { return w<<8 | w>>24 }
139
140 // Key expansion algorithm. See FIPS-197, Figure 11.
141 // Their rcon[i] is our powx[i-1] << 24.
142 func expandKey(key []byte, enc, dec []uint32) {
143 // Encryption key setup.
144 var i int
145 nk := len(key) / 4
146 for i = 0; i < nk; i++ {
147 enc[i] = uint32(key[4*i])<<24 | uint32(key[4*i+1])<<16 | uint32(key[4*i+2])<<8 | uint32(key[4*i+3])
148 }
149 for ; i < len(enc); i++ {
150 t := enc[i-1]
151 if i%nk == 0 {
152 t = subw(rotw(t)) ^ (uint32(powx[i/nk-1]) << 24)
153 } else if nk > 6 && i%nk == 4 {
154 t = subw(t)
155 }
156 enc[i] = enc[i-nk] ^ t
157 }
158
159 // Derive decryption key from encryption key.
160 // Reverse the 4-word round key sets from enc to produce dec.
161 // All sets but the first and last get the MixColumn transform applied.
162 if dec == nil {
163 return
164 }
165 n := len(enc)
166 for i := 0; i < n; i += 4 {
167 ei := n - i - 4
168 for j := 0; j < 4; j++ {
169 x := enc[ei+j]
170 if i > 0 && i+4 < n {
171 x = td[0][sbox0[x>>24]] ^ td[1][sbox0[x>>16&0xff]] ^ td[2][sbox0[x>>8&0xff]] ^ td[3][sbox0[x&0xff]]
172 }
173 dec[i+j] = x
174 }
175 }
176 }
GCC graphite test results