v

1
// Copyright (c) 2019-2024 Alexander Medvednikov. All rights reserved.
2
// Use of this source code is governed by an MIT license
3
// that can be found in the LICENSE file.
4
// This implementation is derived from the golang implementation
5
// which itself is derived in part from the reference
6
// ANSI C implementation, which carries the following notice:
7
//
8
// rijndael-alg-fst.c
9
//
10
// @version 3.0 (December 2000)
11
//
12
// Optimised ANSI C code for the Rijndael cipher (now AES)
13
//
14
// @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
15
// @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
16
// @author Paulo Barreto <paulo.barreto@Terra.com.br>
17
//
18
// This code is hereby placed in the public domain.
19
//
20
// THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
21
// OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
22
// WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23
// ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
24
// LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26
// SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
27
// BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
28
// WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
29
// OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
30
// EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31
//
32
// See FIPS 197 for specification, and see Daemen and Rijmen's Rijndael submission
33
// for implementation details.
34
// https://csrc.nist.gov/csrc/media/publications/fips/197/final/documents/fips-197.pdf
35
// https://csrc.nist.gov/archive/aes/rijndael/Rijndael-ammended.pdf
36
module aes
37

38
import encoding.binary
39

40
// Encrypt one block from src into dst, using the expanded key xk.
41
@[direct_array_access]
42
fn encrypt_block_generic(xk []u32, mut dst []u8, src []u8) {
43
	_ = src[15] // early bounds check
44
	mut s0 := binary.big_endian_u32(src[..4])
45
	mut s1 := binary.big_endian_u32(src[4..8])
46
	mut s2 := binary.big_endian_u32(src[8..12])
47
	mut s3 := binary.big_endian_u32(src[12..16])
48
	// First round just XORs input with key.
49
	s0 ^= xk[0]
50
	s1 ^= xk[1]
51
	s2 ^= xk[2]
52
	s3 ^= xk[3]
53
	// Middle rounds shuffle using tables.
54
	// Number of rounds is set by length of expanded key.
55
	nr := xk.len / 4 - 2 // - 2: one above, one more below
56
	mut k := 4
57
	mut t0 := u32(0)
58
	mut t1 := u32(0)
59
	mut t2 := u32(0)
60
	mut t3 := u32(0)
61
	for _ in 0 .. nr {
62
		t0 = xk[k + 0] ^ te0[u8(s0 >> 24)] ^ te1[u8(s1 >> 16)] ^ te2[u8(s2 >> 8)] ^ u32(te3[u8(s3)])
63
		t1 = xk[k + 1] ^ te0[u8(s1 >> 24)] ^ te1[u8(s2 >> 16)] ^ te2[u8(s3 >> 8)] ^ u32(te3[u8(s0)])
64
		t2 = xk[k + 2] ^ te0[u8(s2 >> 24)] ^ te1[u8(s3 >> 16)] ^ te2[u8(s0 >> 8)] ^ u32(te3[u8(s1)])
65
		t3 = xk[k + 3] ^ te0[u8(s3 >> 24)] ^ te1[u8(s0 >> 16)] ^ te2[u8(s1 >> 8)] ^ u32(te3[u8(s2)])
66
		k += 4
67
		s0 = t0
68
		s1 = t1
69
		s2 = t2
70
		s3 = t3
71
	}
72
	// Last round uses s-box directly and XORs to produce output.
73
	s0 = u32(s_box0[t0 >> 24]) << 24 | u32(s_box0[t1 >> 16 & 0xff]) << 16 | u32(s_box0[t2 >> 8 & 0xff]) << 8 | u32(s_box0[t3 & u32(0xff)])
74
	s1 = u32(s_box0[t1 >> 24]) << 24 | u32(s_box0[t2 >> 16 & 0xff]) << 16 | u32(s_box0[t3 >> 8 & 0xff]) << 8 | u32(s_box0[t0 & u32(0xff)])
75
	s2 = u32(s_box0[t2 >> 24]) << 24 | u32(s_box0[t3 >> 16 & 0xff]) << 16 | u32(s_box0[t0 >> 8 & 0xff]) << 8 | u32(s_box0[t1 & u32(0xff)])
76
	s3 = u32(s_box0[t3 >> 24]) << 24 | u32(s_box0[t0 >> 16 & 0xff]) << 16 | u32(s_box0[t1 >> 8 & 0xff]) << 8 | u32(s_box0[t2 & u32(0xff)])
77
	s0 ^= xk[k + 0]
78
	s1 ^= xk[k + 1]
79
	s2 ^= xk[k + 2]
80
	s3 ^= xk[k + 3]
81
	_ := dst[15] // early bounds check
82
	binary.big_endian_put_u32(mut (*dst)[0..4], s0)
83
	binary.big_endian_put_u32(mut (*dst)[4..8], s1)
84
	binary.big_endian_put_u32(mut (*dst)[8..12], s2)
85
	binary.big_endian_put_u32(mut (*dst)[12..16], s3)
86
}
87

88
// Decrypt one block from src into dst, using the expanded key xk.
89
@[direct_array_access]
90
fn decrypt_block_generic(xk []u32, mut dst []u8, src []u8) {
91
	_ = src[15] // early bounds check
92
	mut s0 := binary.big_endian_u32(src[0..4])
93
	mut s1 := binary.big_endian_u32(src[4..8])
94
	mut s2 := binary.big_endian_u32(src[8..12])
95
	mut s3 := binary.big_endian_u32(src[12..16])
96
	// First round just XORs input with key.
97
	s0 ^= xk[0]
98
	s1 ^= xk[1]
99
	s2 ^= xk[2]
100
	s3 ^= xk[3]
101
	// Middle rounds shuffle using tables.
102
	// Number of rounds is set by length of expanded key.
103
	nr := xk.len / 4 - 2 // - 2: one above, one more below
104
	mut k := 4
105
	mut t0 := u32(0)
106
	mut t1 := u32(0)
107
	mut t2 := u32(0)
108
	mut t3 := u32(0)
109
	for _ in 0 .. nr {
110
		t0 = xk[k + 0] ^ td0[u8(s0 >> 24)] ^ td1[u8(s3 >> 16)] ^ td2[u8(s2 >> 8)] ^ u32(td3[u8(s1)])
111
		t1 = xk[k + 1] ^ td0[u8(s1 >> 24)] ^ td1[u8(s0 >> 16)] ^ td2[u8(s3 >> 8)] ^ u32(td3[u8(s2)])
112
		t2 = xk[k + 2] ^ td0[u8(s2 >> 24)] ^ td1[u8(s1 >> 16)] ^ td2[u8(s0 >> 8)] ^ u32(td3[u8(s3)])
113
		t3 = xk[k + 3] ^ td0[u8(s3 >> 24)] ^ td1[u8(s2 >> 16)] ^ td2[u8(s1 >> 8)] ^ u32(td3[u8(s0)])
114
		k += 4
115
		s0 = t0
116
		s1 = t1
117
		s2 = t2
118
		s3 = t3
119
	}
120
	// Last round uses s-box directly and XORs to produce output.
121
	s0 = u32(s_box1[t0 >> 24]) << 24 | u32(s_box1[t3 >> 16 & 0xff]) << 16 | u32(s_box1[t2 >> 8 & 0xff]) << 8 | u32(s_box1[t1 & u32(0xff)])
122
	s1 = u32(s_box1[t1 >> 24]) << 24 | u32(s_box1[t0 >> 16 & 0xff]) << 16 | u32(s_box1[t3 >> 8 & 0xff]) << 8 | u32(s_box1[t2 & u32(0xff)])
123
	s2 = u32(s_box1[t2 >> 24]) << 24 | u32(s_box1[t1 >> 16 & 0xff]) << 16 | u32(s_box1[t0 >> 8 & 0xff]) << 8 | u32(s_box1[t3 & u32(0xff)])
124
	s3 = u32(s_box1[t3 >> 24]) << 24 | u32(s_box1[t2 >> 16 & 0xff]) << 16 | u32(s_box1[t1 >> 8 & 0xff]) << 8 | u32(s_box1[t0 & u32(0xff)])
125
	s0 ^= xk[k + 0]
126
	s1 ^= xk[k + 1]
127
	s2 ^= xk[k + 2]
128
	s3 ^= xk[k + 3]
129
	_ = dst[15] // early bounds check
130
	binary.big_endian_put_u32(mut (*dst)[..4], s0)
131
	binary.big_endian_put_u32(mut (*dst)[4..8], s1)
132
	binary.big_endian_put_u32(mut (*dst)[8..12], s2)
133
	binary.big_endian_put_u32(mut (*dst)[12..16], s3)
134
}
135

136
// Apply s_box0 to each byte in w.
137
@[direct_array_access; inline]
138
fn subw(w u32) u32 {
139
	return u32(s_box0[w >> 24]) << 24 | u32(s_box0[w >> 16 & 0xff]) << 16 | u32(s_box0[w >> 8 & 0xff]) << 8 | u32(s_box0[w & u32(0xff)])
140
}
141

142
// Rotate
143
@[inline]
144
fn rotw(w u32) u32 {
145
	return (w << 8) | (w >> 24)
146
}
147

148
// Key expansion algorithm. See FIPS-197, Figure 11.
149
// Their rcon[i] is our powx[i-1] << 24.
150
@[direct_array_access]
151
fn expand_key_generic(key []u8, mut enc []u32, mut dec []u32) {
152
	// Encryption key setup.
153
	mut i := 0
154
	nk := key.len / 4
155
	for i = 0; i < nk; i++ {
156
		if 4 * i >= key.len {
157
			break
158
		}
159
		enc[i] = binary.big_endian_u32(key[4 * i..])
160
	}
161
	for i < enc.len {
162
		mut t := enc[i - 1]
163
		if i % nk == 0 {
164
			t = subw(rotw(t)) ^ u32(pow_x[i / nk - 1]) << 24
165
		} else if nk > 6 && i % nk == 4 {
166
			t = subw(t)
167
		}
168
		enc[i] = enc[i - nk] ^ t
169
		i++
170
	}
171
	// Derive decryption key from encryption key.
172
	// Reverse the 4-word round key sets from enc to produce dec.
173
	// All sets but the first and last get the MixColumn transform applied.
174
	if dec.len == 0 {
175
		return
176
	}
177
	n := enc.len
178
	for i = 0; i < n; i += 4 {
179
		ei := n - i - 4
180
		for j in 0 .. 4 {
181
			mut x := enc[ei + j]
182
			if i > 0 && i + 4 < n {
183
				x = td0[s_box0[x >> 24]] ^ td1[s_box0[x >> 16 & 0xff]] ^ td2[s_box0[x >> 8 & 0xff]] ^ td3[s_box0[x & u32(0xff)]]
184
			}
185
			dec[i + j] = x
186
		}
187
	}
188
}
189