« back to all changes in this revision
Viewing changes to cipher/rijndael.c
- browse files at revision 1.2.3
- compare with another revision
- download diff
- download tarball
- view history from revision 1.2.3
- Committer: Bazaar Package Importer
- Author(s): Andreas Metzler
- Date: 2009-02-21 13:46:58 UTC
- mto: (1.1.6 upstream) (2.1.3 squeeze)
- mto: This revision was merged to the branch mainline in revision 18.
- Revision ID: james.westby@ubuntu.com-20090221134658-855twvcr4ezk2ron
ImportĀ upstreamĀ versionĀ 1.4.4
- files added:
- cipher/hash-common.c
- random
- files removed:
- BUGS
- files modified:
- AUTHORS
added
removed
cipher/rijndael.c
31
31
*
32
32
* This code is placed in the public domain.
33
33
*------------------------------------------
34
*
35
* The SP800-38a document is available at:
36
* http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
37
*
34
38
*/
35
39
36
40
#include <config.h>
93
97
static int initialized = 0;
94
98
static const char *selftest_failed=0;
95
99
int ROUNDS;
96
byte k[MAXKC][4];
97
100
int i,j, r, t, rconpointer = 0;
98
byte tk[MAXKC][4];
99
101
int KC;
100
101
if (!initialized)
102
union
103
{
104
PROPERLY_ALIGNED_TYPE dummy;
105
byte k[MAXKC][4];
106
} k;
107
#define k k.k
108
union
109
{
110
PROPERLY_ALIGNED_TYPE dummy;
111
byte tk[MAXKC][4];
112
} tk;
113
#define tk tk.tk
114
115
/* The on-the-fly self tests are only run in non-fips mode. In fips
116
mode explicit self-tests are required. Actually the on-the-fly
117
self-tests are not fully thread-safe and it might happen that a
118
failed self-test won't get noticed in another thread.
119
120
FIXME: We might want to have a central registry of succeeded
121
self-tests. */
122
if (!fips_mode () && !initialized)
102
123
{
103
124
initialized = 1;
104
125
selftest_failed = selftest ();
105
if( selftest_failed )
126
if (selftest_failed)
106
127
log_error ("%s\n", selftest_failed );
107
128
}
108
if( selftest_failed )
129
if (selftest_failed)
109
130
return GPG_ERR_SELFTEST_FAILED;
110
131
111
132
ctx->decryption_prepared = 0;
226
247
}
227
248
228
249
return 0;
250
#undef tk
251
#undef k
229
252
}
230
253
231
254
245
268
prepare_decryption( RIJNDAEL_context *ctx )
246
269
{
247
270
int r;
248
byte *w;
271
union
272
{
273
PROPERLY_ALIGNED_TYPE dummy;
274
byte *w;
275
} w;
276
#define w w.w
249
277
250
278
for (r=0; r < MAXROUNDS+1; r++ )
251
279
{
274
302
^ *((u32*)U3[w[2]]) ^ *((u32*)U4[w[3]]);
275
303
}
276
304
#undef W
305
#undef w
277
306
}
278
307
279
308
774
803
775
804
776
805
777
/* Test a single encryption and decryption with each key size. */
778
static const char*
779
selftest (void)
780
{
781
RIJNDAEL_context ctx;
782
byte scratch[16];
783
784
/* The test vectors are from the AES supplied ones; more or less
785
* randomly taken from ecb_tbl.txt (I=42,81,14)
786
*/
787
static byte plaintext[16] = {
788
0x01,0x4B,0xAF,0x22,0x78,0xA6,0x9D,0x33,
789
0x1D,0x51,0x80,0x10,0x36,0x43,0xE9,0x9A
790
};
791
static byte key[16] = {
792
0xE8,0xE9,0xEA,0xEB,0xED,0xEE,0xEF,0xF0,
793
0xF2,0xF3,0xF4,0xF5,0xF7,0xF8,0xF9,0xFA
794
};
795
static const byte ciphertext[16] = {
796
0x67,0x43,0xC3,0xD1,0x51,0x9A,0xB4,0xF2,
797
0xCD,0x9A,0x78,0xAB,0x09,0xA5,0x11,0xBD
798
};
799
800
static byte plaintext_192[16] = {
801
0x76,0x77,0x74,0x75,0xF1,0xF2,0xF3,0xF4,
802
0xF8,0xF9,0xE6,0xE7,0x77,0x70,0x71,0x72
803
};
804
static byte key_192[24] = {
805
0x04,0x05,0x06,0x07,0x09,0x0A,0x0B,0x0C,
806
0x0E,0x0F,0x10,0x11,0x13,0x14,0x15,0x16,
807
0x18,0x19,0x1A,0x1B,0x1D,0x1E,0x1F,0x20
808
};
809
static const byte ciphertext_192[16] = {
810
0x5D,0x1E,0xF2,0x0D,0xCE,0xD6,0xBC,0xBC,
811
0x12,0x13,0x1A,0xC7,0xC5,0x47,0x88,0xAA
812
};
806
/* Run the self-tests for AES 128. Returns NULL on success. */
807
static const char*
808
selftest_basic_128 (void)
809
{
810
RIJNDAEL_context ctx;
811
unsigned char scratch[16];
812
813
/* The test vectors are from the AES supplied ones; more or less
814
randomly taken from ecb_tbl.txt (I=42,81,14) */
815
static const unsigned char plaintext_128[16] =
816
{
817
0x01,0x4B,0xAF,0x22,0x78,0xA6,0x9D,0x33,
818
0x1D,0x51,0x80,0x10,0x36,0x43,0xE9,0x9A
819
};
820
static const unsigned char key_128[16] =
821
{
822
0xE8,0xE9,0xEA,0xEB,0xED,0xEE,0xEF,0xF0,
823
0xF2,0xF3,0xF4,0xF5,0xF7,0xF8,0xF9,0xFA
824
};
825
static const unsigned char ciphertext_128[16] =
826
{
827
0x67,0x43,0xC3,0xD1,0x51,0x9A,0xB4,0xF2,
828
0xCD,0x9A,0x78,0xAB,0x09,0xA5,0x11,0xBD
829
};
830
831
rijndael_setkey (&ctx, key_128, sizeof (key_128));
832
rijndael_encrypt (&ctx, scratch, plaintext_128);
833
if (memcmp (scratch, ciphertext_128, sizeof (ciphertext_128)))
834
return "AES-128 test encryption failed.";
835
rijndael_decrypt (&ctx, scratch, scratch);
836
if (memcmp (scratch, plaintext_128, sizeof (plaintext_128)))
837
return "AES-128 test decryption failed.";
838
839
return NULL;
840
}
841
842
/* Run the self-tests for AES 192. Returns NULL on success. */
843
static const char*
844
selftest_basic_192 (void)
845
{
846
RIJNDAEL_context ctx;
847
unsigned char scratch[16];
848
849
static unsigned char plaintext_192[16] =
850
{
851
0x76,0x77,0x74,0x75,0xF1,0xF2,0xF3,0xF4,
852
0xF8,0xF9,0xE6,0xE7,0x77,0x70,0x71,0x72
853
};
854
static unsigned char key_192[24] =
855
{
856
0x04,0x05,0x06,0x07,0x09,0x0A,0x0B,0x0C,
857
0x0E,0x0F,0x10,0x11,0x13,0x14,0x15,0x16,
858
0x18,0x19,0x1A,0x1B,0x1D,0x1E,0x1F,0x20
859
};
860
static const unsigned char ciphertext_192[16] =
861
{
862
0x5D,0x1E,0xF2,0x0D,0xCE,0xD6,0xBC,0xBC,
863
0x12,0x13,0x1A,0xC7,0xC5,0x47,0x88,0xAA
864
};
813
865
814
static byte plaintext_256[16] = {
815
0x06,0x9A,0x00,0x7F,0xC7,0x6A,0x45,0x9F,
816
0x98,0xBA,0xF9,0x17,0xFE,0xDF,0x95,0x21
817
};
818
static byte key_256[32] = {
819
0x08,0x09,0x0A,0x0B,0x0D,0x0E,0x0F,0x10,
820
0x12,0x13,0x14,0x15,0x17,0x18,0x19,0x1A,
821
0x1C,0x1D,0x1E,0x1F,0x21,0x22,0x23,0x24,
822
0x26,0x27,0x28,0x29,0x2B,0x2C,0x2D,0x2E
823
};
824
static const byte ciphertext_256[16] = {
825
0x08,0x0E,0x95,0x17,0xEB,0x16,0x77,0x71,
826
0x9A,0xCF,0x72,0x80,0x86,0x04,0x0A,0xE3
827
};
828
829
rijndael_setkey (&ctx, key, sizeof(key));
830
rijndael_encrypt (&ctx, scratch, plaintext);
831
if (memcmp (scratch, ciphertext, sizeof (ciphertext)))
832
return "Rijndael-128 test encryption failed.";
833
rijndael_decrypt (&ctx, scratch, scratch);
834
if (memcmp (scratch, plaintext, sizeof (plaintext)))
835
return "Rijndael-128 test decryption failed.";
836
837
866
rijndael_setkey (&ctx, key_192, sizeof(key_192));
838
867
rijndael_encrypt (&ctx, scratch, plaintext_192);
839
868
if (memcmp (scratch, ciphertext_192, sizeof (ciphertext_192)))
840
return "Rijndael-192 test encryption failed.";
869
return "AES-192 test encryption failed.";
841
870
rijndael_decrypt (&ctx, scratch, scratch);
842
871
if (memcmp (scratch, plaintext_192, sizeof (plaintext_192)))
843
return "Rijndael-192 test decryption failed.";
844
872
return "AES-192 test decryption failed.";
873
874
return NULL;
875
}
876
877
878
/* Run the self-tests for AES 256. Returns NULL on success. */
879
static const char*
880
selftest_basic_256 (void)
881
{
882
RIJNDAEL_context ctx;
883
unsigned char scratch[16];
884
885
static unsigned char plaintext_256[16] =
886
{
887
0x06,0x9A,0x00,0x7F,0xC7,0x6A,0x45,0x9F,
888
0x98,0xBA,0xF9,0x17,0xFE,0xDF,0x95,0x21
889
};
890
static unsigned char key_256[32] =
891
{
892
0x08,0x09,0x0A,0x0B,0x0D,0x0E,0x0F,0x10,
893
0x12,0x13,0x14,0x15,0x17,0x18,0x19,0x1A,
894
0x1C,0x1D,0x1E,0x1F,0x21,0x22,0x23,0x24,
895
0x26,0x27,0x28,0x29,0x2B,0x2C,0x2D,0x2E
896
};
897
static const unsigned char ciphertext_256[16] =
898
{
899
0x08,0x0E,0x95,0x17,0xEB,0x16,0x77,0x71,
900
0x9A,0xCF,0x72,0x80,0x86,0x04,0x0A,0xE3
901
};
902
845
903
rijndael_setkey (&ctx, key_256, sizeof(key_256));
846
904
rijndael_encrypt (&ctx, scratch, plaintext_256);
847
905
if (memcmp (scratch, ciphertext_256, sizeof (ciphertext_256)))
848
return "Rijndael-256 test encryption failed.";
906
return "AES-256 test encryption failed.";
849
907
rijndael_decrypt (&ctx, scratch, scratch);
850
908
if (memcmp (scratch, plaintext_256, sizeof (plaintext_256)))
851
return "Rijndael-256 test decryption failed.";
909
return "AES-256 test decryption failed.";
852
910
853
911
return NULL;
854
912
}
855
913
914
/* Run all the self-tests and return NULL on success. This function
915
is used for the on-the-fly self-tests. */
916
static const char *
917
selftest (void)
918
{
919
const char *r;
920
921
if ( (r = selftest_basic_128 ())
922
|| (r = selftest_basic_192 ())
923
|| (r = selftest_basic_256 ()) )
924
return r;
925
926
return r;
927
}
928
929
930
/* SP800-38a.pdf for AES-128. */
931
static const char *
932
selftest_fips_128_38a (int requested_mode)
933
{
934
struct tv
935
{
936
int mode;
937
const unsigned char key[16];
938
const unsigned char iv[16];
939
struct
940
{
941
const unsigned char input[16];
942
const unsigned char output[16];
943
} data[4];
944
} tv[2] =
945
{
946
{
947
GCRY_CIPHER_MODE_CFB, /* F.3.13, CFB128-AES128 */
948
{ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
949
0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c },
950
{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
951
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f },
952
{
953
{ { 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
954
0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a },
955
{ 0x3b, 0x3f, 0xd9, 0x2e, 0xb7, 0x2d, 0xad, 0x20,
956
0x33, 0x34, 0x49, 0xf8, 0xe8, 0x3c, 0xfb, 0x4a } },
957
958
{ { 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
959
0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51 },
960
{ 0xc8, 0xa6, 0x45, 0x37, 0xa0, 0xb3, 0xa9, 0x3f,
961
0xcd, 0xe3, 0xcd, 0xad, 0x9f, 0x1c, 0xe5, 0x8b } },
962
963
{ { 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
964
0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef },
965
{ 0x26, 0x75, 0x1f, 0x67, 0xa3, 0xcb, 0xb1, 0x40,
966
0xb1, 0x80, 0x8c, 0xf1, 0x87, 0xa4, 0xf4, 0xdf } },
967
968
{ { 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
969
0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10 },
970
{ 0xc0, 0x4b, 0x05, 0x35, 0x7c, 0x5d, 0x1c, 0x0e,
971
0xea, 0xc4, 0xc6, 0x6f, 0x9f, 0xf7, 0xf2, 0xe6 } }
972
}
973
},
974
{
975
GCRY_CIPHER_MODE_OFB,
976
{ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
977
0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c },
978
{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
979
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f },
980
{
981
{ { 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
982
0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a },
983
{ 0x3b, 0x3f, 0xd9, 0x2e, 0xb7, 0x2d, 0xad, 0x20,
984
0x33, 0x34, 0x49, 0xf8, 0xe8, 0x3c, 0xfb, 0x4a } },
985
986
{ { 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
987
0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51 },
988
{ 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
989
0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25 } },
990
991
{ { 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
992
0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef },
993
{ 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
994
0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc } },
995
996
{ { 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
997
0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10 },
998
{ 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
999
0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e } },
1000
}
1001
}
1002
};
1003
unsigned char scratch[16];
1004
gpg_error_t err;
1005
int tvi, idx;
1006
gcry_cipher_hd_t hdenc = NULL;
1007
gcry_cipher_hd_t hddec = NULL;
1008
1009
#define Fail(a) do { \
1010
_gcry_cipher_close (hdenc); \
1011
_gcry_cipher_close (hddec); \
1012
return a; \
1013
} while (0)
1014
1015
gcry_assert (sizeof tv[0].data[0].input == sizeof scratch);
1016
gcry_assert (sizeof tv[0].data[0].output == sizeof scratch);
1017
1018
for (tvi=0; tvi < DIM (tv); tvi++)
1019
if (tv[tvi].mode == requested_mode)
1020
break;
1021
if (tvi == DIM (tv))
1022
Fail ("no test data for this mode");
1023
1024
err = _gcry_cipher_open (&hdenc, GCRY_CIPHER_AES, tv[tvi].mode, 0);
1025
if (err)
1026
Fail ("open");
1027
err = _gcry_cipher_open (&hddec, GCRY_CIPHER_AES, tv[tvi].mode, 0);
1028
if (err)
1029
Fail ("open");
1030
err = _gcry_cipher_setkey (hdenc, tv[tvi].key, sizeof tv[tvi].key);
1031
if (!err)
1032
err = _gcry_cipher_setkey (hddec, tv[tvi].key, sizeof tv[tvi].key);
1033
if (err)
1034
Fail ("set key");
1035
err = _gcry_cipher_setiv (hdenc, tv[tvi].iv, sizeof tv[tvi].iv);
1036
if (!err)
1037
err = _gcry_cipher_setiv (hddec, tv[tvi].iv, sizeof tv[tvi].iv);
1038
if (err)
1039
Fail ("set IV");
1040
for (idx=0; idx < DIM (tv[tvi].data); idx++)
1041
{
1042
err = _gcry_cipher_encrypt (hdenc, scratch, sizeof scratch,
1043
tv[tvi].data[idx].input,
1044
sizeof tv[tvi].data[idx].input);
1045
if (err)
1046
Fail ("encrypt command");
1047
if (memcmp (scratch, tv[tvi].data[idx].output, sizeof scratch))
1048
Fail ("encrypt mismatch");
1049
err = _gcry_cipher_decrypt (hddec, scratch, sizeof scratch,
1050
tv[tvi].data[idx].output,
1051
sizeof tv[tvi].data[idx].output);
1052
if (err)
1053
Fail ("decrypt command");
1054
if (memcmp (scratch, tv[tvi].data[idx].input, sizeof scratch))
1055
Fail ("decrypt mismatch");
1056
}
1057
1058
#undef Fail
1059
_gcry_cipher_close (hdenc);
1060
_gcry_cipher_close (hddec);
1061
return NULL;
1062
}
1063
1064
1065
/* Complete selftest for AES-128 with all modes and driver code. */
1066
static gpg_err_code_t
1067
selftest_fips_128 (int extended, selftest_report_func_t report)
1068
{
1069
const char *what;
1070
const char *errtxt;
1071
1072
what = "low-level";
1073
errtxt = selftest_basic_128 ();
1074
if (errtxt)
1075
goto failed;
1076
1077
if (extended)
1078
{
1079
what = "cfb";
1080
errtxt = selftest_fips_128_38a (GCRY_CIPHER_MODE_CFB);
1081
if (errtxt)
1082
goto failed;
1083
1084
what = "ofb";
1085
errtxt = selftest_fips_128_38a (GCRY_CIPHER_MODE_OFB);
1086
if (errtxt)
1087
goto failed;
1088
}
1089
1090
return 0; /* Succeeded. */
1091
1092
failed:
1093
if (report)
1094
report ("cipher", GCRY_CIPHER_AES128, what, errtxt);
1095
return GPG_ERR_SELFTEST_FAILED;
1096
}
1097
1098
/* Complete selftest for AES-192. */
1099
static gpg_err_code_t
1100
selftest_fips_192 (int extended, selftest_report_func_t report)
1101
{
1102
const char *what;
1103
const char *errtxt;
1104
1105
(void)extended; /* No extended tests available. */
1106
1107
what = "low-level";
1108
errtxt = selftest_basic_192 ();
1109
if (errtxt)
1110
goto failed;
1111
1112
1113
return 0; /* Succeeded. */
1114
1115
failed:
1116
if (report)
1117
report ("cipher", GCRY_CIPHER_AES192, what, errtxt);
1118
return GPG_ERR_SELFTEST_FAILED;
1119
}
1120
1121
1122
/* Complete selftest for AES-256. */
1123
static gpg_err_code_t
1124
selftest_fips_256 (int extended, selftest_report_func_t report)
1125
{
1126
const char *what;
1127
const char *errtxt;
1128
1129
(void)extended; /* No extended tests available. */
1130
1131
what = "low-level";
1132
errtxt = selftest_basic_256 ();
1133
if (errtxt)
1134
goto failed;
1135
1136
return 0; /* Succeeded. */
1137
1138
failed:
1139
if (report)
1140
report ("cipher", GCRY_CIPHER_AES256, what, errtxt);
1141
return GPG_ERR_SELFTEST_FAILED;
1142
}
1143
1144
1145
1146
/* Run a full self-test for ALGO and return 0 on success. */
1147
static gpg_err_code_t
1148
run_selftests (int algo, int extended, selftest_report_func_t report)
1149
{
1150
gpg_err_code_t ec;
1151
1152
switch (algo)
1153
{
1154
case GCRY_CIPHER_AES128:
1155
ec = selftest_fips_128 (extended, report);
1156
break;
1157
case GCRY_CIPHER_AES192:
1158
ec = selftest_fips_192 (extended, report);
1159
break;
1160
case GCRY_CIPHER_AES256:
1161
ec = selftest_fips_256 (extended, report);
1162
break;
1163
default:
1164
ec = GPG_ERR_CIPHER_ALGO;
1165
break;
1166
1167
}
1168
return ec;
1169
}
1170
1171
856
1172
857
1173
858
1174
static const char *rijndael_names[] =
859
1175
{
860
1176
"RIJNDAEL",
1177
"AES128",
1178
"AES-128",
861
1179
NULL
862
1180
};
863
1181
875
1193
"AES", rijndael_names, rijndael_oids, 16, 128, sizeof (RIJNDAEL_context),
876
1194
rijndael_setkey, rijndael_encrypt, rijndael_decrypt
877
1195
};
1196
cipher_extra_spec_t _gcry_cipher_extraspec_aes =
1197
{
1198
run_selftests
1199
};
878
1200
879
1201
static const char *rijndael192_names[] =
880
1202
{
881
1203
"RIJNDAEL192",
1204
"AES-192",
882
1205
NULL
883
1206
};
884
1207
896
1219
"AES192", rijndael192_names, rijndael192_oids, 16, 192, sizeof (RIJNDAEL_context),
897
1220
rijndael_setkey, rijndael_encrypt, rijndael_decrypt
898
1221
};
1222
cipher_extra_spec_t _gcry_cipher_extraspec_aes192 =
1223
{
1224
run_selftests
1225
};
899
1226
900
1227
static const char *rijndael256_names[] =
901
1228
{
902
1229
"RIJNDAEL256",
1230
"AES-256",
903
1231
NULL
904
1232
};
905
1233
918
1246
sizeof (RIJNDAEL_context),
919
1247
rijndael_setkey, rijndael_encrypt, rijndael_decrypt
920
1248
};
1249
1250
cipher_extra_spec_t _gcry_cipher_extraspec_aes256 =
1251
{
1252
run_selftests
1253
};
Loggerhead is a web-based interface for Breezy
Version: 2.0.1