search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
vasnprintf: Don't use %n on modern, ISO C 99 compliant platforms.
[gnulib.git] / lib / rijndael-api-fst.c
blob7eee2be81f6ef73cccbb0aa8bfe6d87c224791a9
1 /* rijndael-api-fst.c --- Rijndael cipher implementation.
2 * Copyright (C) 2005-2006, 2009-2020 Free Software Foundation, Inc.
3 *
4 * This file is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published
6 * by the Free Software Foundation; either version 2, or (at your
7 * option) any later version.
8 *
9 * This file is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this file; if not, see <https://www.gnu.org/licenses/>.
16 *
17 */
18
19 /* Adapted for gnulib by Simon Josefsson.
20 *
21 * Based on public domain "Optimised C code" retrieved from (SHA1
22 * 7c8e4b00d06685d1dbc6724a9e0d502353de339e):
23 * https://web.archive.org/web/20060618010435/http://www.iaik.tu-graz.ac.at/research/krypto/AES/old/~rijmen/rijndael/rijndael-fst-3.0.zip
24 */
25
26 #include <config.h>
27
28 /**
29 * rijndael-api-fst.c
30 *
31 * @version 2.9 (December 2000)
32 *
33 * Optimised ANSI C code for the Rijndael cipher (now AES)
34 *
35 * @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
36 * @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
37 * @author Paulo Barreto <paulo.barreto@terra.com.br>
38 *
39 * This code is hereby placed in the public domain.
40 *
41 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
42 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
43 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
45 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
46 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
47 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
48 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
49 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
50 * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
51 * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
52 *
53 * Acknowledgements:
54 *
55 * We are deeply indebted to the following people for their bug reports,
56 * fixes, and improvement suggestions to this implementation. Though we
57 * tried to list all contributions, we apologise in advance for any
58 * missing reference.
59 *
60 * Andrew Bales <Andrew.Bales@Honeywell.com>
61 * Markus Friedl <markus.friedl@informatik.uni-erlangen.de>
62 * John Skodon <skodonj@webquill.com>
63 */
64
65 #include "rijndael-alg-fst.h"
66 #include "rijndael-api-fst.h"
67
68 #include <assert.h>
69 #include <stdlib.h>
70 #include <string.h>
71
72 rijndael_rc
73 rijndaelMakeKey (rijndaelKeyInstance *key, rijndael_direction direction,
74 size_t keyLen, const char *keyMaterial)
75 {
76 size_t i;
77 char *keyMat;
78 char cipherKey[RIJNDAEL_MAXKB];
79
80 if (key == NULL)
81 {
82 return RIJNDAEL_BAD_KEY_INSTANCE;
83 }
84
85 if ((direction == RIJNDAEL_DIR_ENCRYPT)
86 || (direction == RIJNDAEL_DIR_DECRYPT))
87 {
88 key->direction = direction;
89 }
90 else
91 {
92 return RIJNDAEL_BAD_KEY_DIR;
93 }
94
95 if ((keyLen == 128) || (keyLen == 192) || (keyLen == 256))
96 {
97 key->keyLen = keyLen;
98 }
99 else
100 {
101 return RIJNDAEL_BAD_KEY_MAT;
102 }
103
104 if (keyMaterial != NULL)
105 {
106 strncpy (key->keyMaterial, keyMaterial, keyLen / 4);
107 }
108
109 /* initialize key schedule: */
110 keyMat = key->keyMaterial;
111 for (i = 0; i < key->keyLen / 8; i++)
112 {
113 char t, v;
114
115 t = *keyMat++;
116 if ((t >= '0') && (t <= '9'))
117 v = (t - '0') << 4;
118 else if ((t >= 'a') && (t <= 'f'))
119 v = (t - 'a' + 10) << 4;
120 else if ((t >= 'A') && (t <= 'F'))
121 v = (t - 'A' + 10) << 4;
122 else
123 return RIJNDAEL_BAD_KEY_MAT;
124
125 t = *keyMat++;
126 if ((t >= '0') && (t <= '9'))
127 v ^= (t - '0');
128 else if ((t >= 'a') && (t <= 'f'))
129 v ^= (t - 'a' + 10);
130 else if ((t >= 'A') && (t <= 'F'))
131 v ^= (t - 'A' + 10);
132 else
133 return RIJNDAEL_BAD_KEY_MAT;
134
135 cipherKey[i] = v;
136 }
137 if (direction == RIJNDAEL_DIR_ENCRYPT)
138 {
139 key->Nr = rijndaelKeySetupEnc (key->rk, cipherKey, keyLen);
140 }
141 else
142 {
143 key->Nr = rijndaelKeySetupDec (key->rk, cipherKey, keyLen);
144 }
145 rijndaelKeySetupEnc (key->ek, cipherKey, keyLen);
146 return 0;
147 }
148
149 rijndael_rc
150 rijndaelCipherInit (rijndaelCipherInstance *cipher, rijndael_mode mode,
151 const char *IV)
152 {
153 if ((mode == RIJNDAEL_MODE_ECB) || (mode == RIJNDAEL_MODE_CBC)
154 || (mode == RIJNDAEL_MODE_CFB1))
155 {
156 cipher->mode = mode;
157 }
158 else
159 {
160 return RIJNDAEL_BAD_CIPHER_MODE;
161 }
162 if (IV != NULL)
163 {
164 int i;
165 for (i = 0; i < RIJNDAEL_MAX_IV_SIZE; i++)
166 {
167 int t, j;
168
169 t = IV[2 * i];
170 if ((t >= '0') && (t <= '9'))
171 j = (t - '0') << 4;
172 else if ((t >= 'a') && (t <= 'f'))
173 j = (t - 'a' + 10) << 4;
174 else if ((t >= 'A') && (t <= 'F'))
175 j = (t - 'A' + 10) << 4;
176 else
177 return RIJNDAEL_BAD_CIPHER_INSTANCE;
178
179 t = IV[2 * i + 1];
180 if ((t >= '0') && (t <= '9'))
181 j ^= (t - '0');
182 else if ((t >= 'a') && (t <= 'f'))
183 j ^= (t - 'a' + 10);
184 else if ((t >= 'A') && (t <= 'F'))
185 j ^= (t - 'A' + 10);
186 else
187 return RIJNDAEL_BAD_CIPHER_INSTANCE;
188
189 cipher->IV[i] = (uint8_t) j;
190 }
191 }
192 else
193 {
194 memset (cipher->IV, 0, RIJNDAEL_MAX_IV_SIZE);
195 }
196 return 0;
197 }
198
199 int
200 rijndaelBlockEncrypt (rijndaelCipherInstance *cipher,
201 const rijndaelKeyInstance *key,
202 const char *input,
203 size_t inputLen, char *outBuffer)
204 {
205 size_t i, k, t, numBlocks;
206 union { char bytes[16]; uint32_t words[4]; } block;
207 char *iv;
208
209 if (cipher == NULL || key == NULL || key->direction == RIJNDAEL_DIR_DECRYPT)
210 {
211 return RIJNDAEL_BAD_CIPHER_STATE;
212 }
213 if (input == NULL || inputLen <= 0)
214 {
215 return 0; /* nothing to do */
216 }
217
218 numBlocks = inputLen / 128;
219
220 switch (cipher->mode)
221 {
222 case RIJNDAEL_MODE_ECB:
223 for (i = numBlocks; i > 0; i--)
224 {
225 rijndaelEncrypt (key->rk, key->Nr, input, outBuffer);
226 input += 16;
227 outBuffer += 16;
228 }
229 break;
230
231 case RIJNDAEL_MODE_CBC:
232 iv = cipher->IV;
233 for (i = numBlocks; i > 0; i--)
234 {
235 block.words[0] = ((uint32_t *) input)[0] ^ ((uint32_t *) iv)[0];
236 block.words[1] = ((uint32_t *) input)[1] ^ ((uint32_t *) iv)[1];
237 block.words[2] = ((uint32_t *) input)[2] ^ ((uint32_t *) iv)[2];
238 block.words[3] = ((uint32_t *) input)[3] ^ ((uint32_t *) iv)[3];
239 rijndaelEncrypt (key->rk, key->Nr, block.bytes, outBuffer);
240 memcpy (cipher->IV, outBuffer, 16);
241 input += 16;
242 outBuffer += 16;
243 }
244 break;
245
246 case RIJNDAEL_MODE_CFB1:
247 iv = cipher->IV;
248 for (i = numBlocks; i > 0; i--)
249 {
250 memcpy (outBuffer, input, 16);
251 for (k = 0; k < 128; k++)
252 {
253 rijndaelEncrypt (key->ek, key->Nr, iv, block.bytes);
254 outBuffer[k >> 3] ^= (block.bytes[0] & 0x80U) >> (k & 7);
255 for (t = 0; t < 15; t++)
256 {
257 iv[t] = (iv[t] << 1) | (iv[t + 1] >> 7);
258 }
259 iv[15] = (iv[15] << 1) |
260 ((outBuffer[k >> 3] >> (7 - (k & 7))) & 1);
261 }
262 outBuffer += 16;
263 input += 16;
264 }
265 break;
266
267 default:
268 return RIJNDAEL_BAD_CIPHER_STATE;
269 }
270
271 return 128 * numBlocks;
272 }
273
274 int
275 rijndaelPadEncrypt (rijndaelCipherInstance *cipher,
276 const rijndaelKeyInstance *key,
277 const char *input,
278 size_t inputOctets, char *outBuffer)
279 {
280 size_t i, numBlocks, padLen;
281 union { char bytes[16]; uint32_t words[4]; } block;
282 char *iv;
283
284 if (cipher == NULL || key == NULL || key->direction == RIJNDAEL_DIR_DECRYPT)
285 {
286 return RIJNDAEL_BAD_CIPHER_STATE;
287 }
288 if (input == NULL || inputOctets <= 0)
289 {
290 return 0; /* nothing to do */
291 }
292
293 numBlocks = inputOctets / 16;
294
295 switch (cipher->mode)
296 {
297 case RIJNDAEL_MODE_ECB:
298 for (i = numBlocks; i > 0; i--)
299 {
300 rijndaelEncrypt (key->rk, key->Nr, input, outBuffer);
301 input += 16;
302 outBuffer += 16;
303 }
304 padLen = 16 - (inputOctets - 16 * numBlocks);
305 assert (padLen > 0 && padLen <= 16);
306 memcpy (block.bytes, input, 16 - padLen);
307 memset (block.bytes + 16 - padLen, padLen, padLen);
308 rijndaelEncrypt (key->rk, key->Nr, block.bytes, outBuffer);
309 break;
310
311 case RIJNDAEL_MODE_CBC:
312 iv = cipher->IV;
313 for (i = numBlocks; i > 0; i--)
314 {
315 block.words[0] = ((uint32_t *) input)[0] ^ ((uint32_t *) iv)[0];
316 block.words[1] = ((uint32_t *) input)[1] ^ ((uint32_t *) iv)[1];
317 block.words[2] = ((uint32_t *) input)[2] ^ ((uint32_t *) iv)[2];
318 block.words[3] = ((uint32_t *) input)[3] ^ ((uint32_t *) iv)[3];
319 rijndaelEncrypt (key->rk, key->Nr, block.bytes, outBuffer);
320 memcpy (cipher->IV, outBuffer, 16);
321 input += 16;
322 outBuffer += 16;
323 }
324 padLen = 16 - (inputOctets - 16 * numBlocks);
325 assert (padLen > 0 && padLen <= 16);
326 for (i = 0; i < 16 - padLen; i++)
327 {
328 block.bytes[i] = input[i] ^ iv[i];
329 }
330 for (i = 16 - padLen; i < 16; i++)
331 {
332 block.bytes[i] = (char) padLen ^ iv[i];
333 }
334 rijndaelEncrypt (key->rk, key->Nr, block.bytes, outBuffer);
335 memcpy (cipher->IV, outBuffer, 16);
336 break;
337
338 default:
339 return RIJNDAEL_BAD_CIPHER_STATE;
340 }
341
342 return 16 * (numBlocks + 1);
343 }
344
345 int
346 rijndaelBlockDecrypt (rijndaelCipherInstance *cipher,
347 const rijndaelKeyInstance *key,
348 const char *input,
349 size_t inputLen, char *outBuffer)
350 {
351 size_t i, k, t, numBlocks;
352 union { char bytes[16]; uint32_t words[4]; } block;
353 char *iv;
354
355 if (cipher == NULL
356 || key == NULL
357 || (cipher->mode != RIJNDAEL_MODE_CFB1
358 && key->direction == RIJNDAEL_DIR_ENCRYPT))
359 {
360 return RIJNDAEL_BAD_CIPHER_STATE;
361 }
362 if (input == NULL || inputLen <= 0)
363 {
364 return 0; /* nothing to do */
365 }
366
367 numBlocks = inputLen / 128;
368
369 switch (cipher->mode)
370 {
371 case RIJNDAEL_MODE_ECB:
372 for (i = numBlocks; i > 0; i--)
373 {
374 rijndaelDecrypt (key->rk, key->Nr, input, outBuffer);
375 input += 16;
376 outBuffer += 16;
377 }
378 break;
379
380 case RIJNDAEL_MODE_CBC:
381 iv = cipher->IV;
382 for (i = numBlocks; i > 0; i--)
383 {
384 rijndaelDecrypt (key->rk, key->Nr, input, block.bytes);
385 block.words[0] ^= ((uint32_t *) iv)[0];
386 block.words[1] ^= ((uint32_t *) iv)[1];
387 block.words[2] ^= ((uint32_t *) iv)[2];
388 block.words[3] ^= ((uint32_t *) iv)[3];
389 memcpy (cipher->IV, input, 16);
390 memcpy (outBuffer, block.bytes, 16);
391 input += 16;
392 outBuffer += 16;
393 }
394 break;
395
396 case RIJNDAEL_MODE_CFB1:
397 iv = cipher->IV;
398 for (i = numBlocks; i > 0; i--)
399 {
400 memcpy (outBuffer, input, 16);
401 for (k = 0; k < 128; k++)
402 {
403 rijndaelEncrypt (key->ek, key->Nr, iv, block.bytes);
404 for (t = 0; t < 15; t++)
405 {
406 iv[t] = (iv[t] << 1) | (iv[t + 1] >> 7);
407 }
408 iv[15] = (iv[15] << 1) | ((input[k >> 3] >> (7 - (k & 7))) & 1);
409 outBuffer[k >> 3] ^= (block.bytes[0] & 0x80U) >> (k & 7);
410 }
411 outBuffer += 16;
412 input += 16;
413 }
414 break;
415
416 default:
417 return RIJNDAEL_BAD_CIPHER_STATE;
418 }
419
420 return 128 * numBlocks;
421 }
422
423 int
424 rijndaelPadDecrypt (rijndaelCipherInstance *cipher,
425 const rijndaelKeyInstance *key,
426 const char *input,
427 size_t inputOctets, char *outBuffer)
428 {
429 size_t i, numBlocks, padLen;
430 union { char bytes[16]; uint32_t words[4]; } block;
431 char *iv;
432
433 if (cipher == NULL || key == NULL || key->direction == RIJNDAEL_DIR_ENCRYPT)
434 {
435 return RIJNDAEL_BAD_CIPHER_STATE;
436 }
437 if (input == NULL || inputOctets <= 0)
438 {
439 return 0; /* nothing to do */
440 }
441 if (inputOctets % 16 != 0)
442 {
443 return RIJNDAEL_BAD_DATA;
444 }
445
446 numBlocks = inputOctets / 16;
447
448 switch (cipher->mode)
449 {
450 case RIJNDAEL_MODE_ECB:
451 /* all blocks but last */
452 for (i = numBlocks - 1; i > 0; i--)
453 {
454 rijndaelDecrypt (key->rk, key->Nr, input, outBuffer);
455 input += 16;
456 outBuffer += 16;
457 }
458 /* last block */
459 rijndaelDecrypt (key->rk, key->Nr, input, block.bytes);
460 padLen = block.bytes[15];
461 if (padLen >= 16)
462 {
463 return RIJNDAEL_BAD_DATA;
464 }
465 for (i = 16 - padLen; i < 16; i++)
466 {
467 if (block.bytes[i] != padLen)
468 {
469 return RIJNDAEL_BAD_DATA;
470 }
471 }
472 memcpy (outBuffer, block.bytes, 16 - padLen);
473 break;
474
475 case RIJNDAEL_MODE_CBC:
476 iv = cipher->IV;
477 /* all blocks but last */
478 for (i = numBlocks - 1; i > 0; i--)
479 {
480 rijndaelDecrypt (key->rk, key->Nr, input, block.bytes);
481 block.words[0] ^= ((uint32_t *) iv)[0];
482 block.words[1] ^= ((uint32_t *) iv)[1];
483 block.words[2] ^= ((uint32_t *) iv)[2];
484 block.words[3] ^= ((uint32_t *) iv)[3];
485 memcpy (iv, input, 16);
486 memcpy (outBuffer, block.bytes, 16);
487 input += 16;
488 outBuffer += 16;
489 }
490 /* last block */
491 rijndaelDecrypt (key->rk, key->Nr, input, block.bytes);
492 block.words[0] ^= ((uint32_t *) iv)[0];
493 block.words[1] ^= ((uint32_t *) iv)[1];
494 block.words[2] ^= ((uint32_t *) iv)[2];
495 block.words[3] ^= ((uint32_t *) iv)[3];
496 padLen = block.bytes[15];
497 if (padLen <= 0 || padLen > 16)
498 {
499 return RIJNDAEL_BAD_DATA;
500 }
501 for (i = 16 - padLen; i < 16; i++)
502 {
503 if (block.bytes[i] != padLen)
504 {
505 return RIJNDAEL_BAD_DATA;
506 }
507 }
508 memcpy (outBuffer, block.bytes, 16 - padLen);
509 break;
510
511 default:
512 return RIJNDAEL_BAD_CIPHER_STATE;
513 }
514
515 return 16 * numBlocks - padLen;
516 }
Mirror of the GNU Gnulib repository