// Appendix A of FIPS 197: Key expansion examples
type KeyTest struct {
- key []uint32;
+ key []byte;
enc []uint32;
dec []uint32; // decryption expansion; not in FIPS 197, computed from C implementation.
}
var keyTests = []KeyTest {
KeyTest {
// A.1. Expansion of a 128-bit Cipher Key
- []uint32 {
- 0x2b7e1516, 0x28aed2a6, 0xabf71588, 0x09cf4f3c
+ []byte {
+ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
},
[]uint32 {
0x2b7e1516, 0x28aed2a6, 0xabf71588, 0x09cf4f3c,
},
KeyTest {
// A.2. Expansion of a 192-bit Cipher Key
- []uint32 {
- 0x8e73b0f7, 0xda0e6452, 0xc810f32b, 0x809079e5,
- 0x62f8ead2, 0x522c6b7b,
+ []byte {
+ 0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52, 0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
+ 0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b,
},
[]uint32 {
0x8e73b0f7, 0xda0e6452, 0xc810f32b, 0x809079e5,
},
KeyTest {
// A.3. Expansion of a 256-bit Cipher Key
- []uint32 {
- 0x603deb10, 0x15ca71be, 0x2b73aef0, 0x857d7781,
- 0x1f352c07, 0x3b6108d7, 0x2d9810a3, 0x0914dff4,
+ []byte {
+ 0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe, 0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
+ 0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7, 0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4,
},
[]uint32 {
0x603deb10, 0x15ca71be, 0x2b73aef0, 0x857d7781,
// Appendix B, C of FIPS 197: Cipher examples, Example vectors.
type CryptTest struct {
- key []uint32;
- in []uint32;
- out []uint32;
+ key []byte;
+ in []byte;
+ out []byte;
}
var encryptTests = []CryptTest {
CryptTest {
// Appendix B.
- []uint32 { 0x2b7e1516, 0x28aed2a6, 0xabf71588, 0x09cf4f3c, },
- []uint32 { 0x3243f6a8, 0x885a308d, 0x313198a2, 0xe0370734, },
- []uint32 { 0x3925841d, 0x02dc09fb, 0xdc118597, 0x196a0b32, },
+ []byte { 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c, },
+ []byte { 0x32, 0x43, 0xf6, 0xa8, 0x88, 0x5a, 0x30, 0x8d, 0x31, 0x31, 0x98, 0xa2, 0xe0, 0x37, 0x07, 0x34, },
+ []byte { 0x39, 0x25, 0x84, 0x1d, 0x02, 0xdc, 0x09, 0xfb, 0xdc, 0x11, 0x85, 0x97, 0x19, 0x6a, 0x0b, 0x32, },
},
CryptTest {
// Appendix C.1. AES-128
- []uint32 { 0x00010203, 0x04050607, 0x08090a0b, 0x0c0d0e0f, },
- []uint32 { 0x00112233, 0x44556677, 0x8899aabb, 0xccddeeff, },
- []uint32 { 0x69c4e0d8, 0x6a7b0430, 0xd8cdb780, 0x70b4c55a, },
+ []byte { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, },
+ []byte { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, },
+ []byte { 0x69, 0xc4, 0xe0, 0xd8, 0x6a, 0x7b, 0x04, 0x30, 0xd8, 0xcd, 0xb7, 0x80, 0x70, 0xb4, 0xc5, 0x5a, },
},
CryptTest {
// Appendix C.2. AES-192
- []uint32 { 0x00010203, 0x04050607, 0x08090a0b, 0x0c0d0e0f,
- 0x10111213, 0x14151617, },
- []uint32 { 0x00112233, 0x44556677, 0x8899aabb, 0xccddeeff, },
- []uint32 { 0xdda97ca4, 0x864cdfe0, 0x6eaf70a0, 0xec0d7191, },
+ []byte { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, },
+ []byte { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, },
+ []byte { 0xdd, 0xa9, 0x7c, 0xa4, 0x86, 0x4c, 0xdf, 0xe0, 0x6e, 0xaf, 0x70, 0xa0, 0xec, 0x0d, 0x71, 0x91, },
},
CryptTest {
// Appendix C.3. AES-256
- []uint32 { 0x00010203, 0x04050607, 0x08090a0b, 0x0c0d0e0f,
- 0x10111213, 0x14151617, 0x18191a1b, 0x1c1d1e1f, },
- []uint32 { 0x00112233, 0x44556677, 0x8899aabb, 0xccddeeff, },
- []uint32 { 0x8ea2b7ca, 0x516745bf, 0xeafc4990, 0x4b496089, },
+ []byte { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, },
+ []byte { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, },
+ []byte { 0x8e, 0xa2, 0xb7, 0xca, 0x51, 0x67, 0x45, 0xbf, 0xea, 0xfc, 0x49, 0x90, 0x4b, 0x49, 0x60, 0x89, },
},
}
-// Test encryption against FIPS 197 examples.
-func TestEncrypt(t *testing.T) {
+// Test encryptBlock against FIPS 197 examples.
+func TestEncryptBlock(t *testing.T) {
for i, tt := range encryptTests {
- n := 4*(len(tt.key) + 7);
+ n := len(tt.key) + 28;
enc := make([]uint32, n);
dec := make([]uint32, n);
expandKey(tt.key, enc, dec);
- out := make([]uint32, len(tt.in));
+ out := make([]byte, len(tt.in));
encryptBlock(enc, tt.in, out);
for j, v := range out {
if v != tt.out[j] {
- t.Errorf("encrypt %d: out[%d] = %#x, want %#x", i, j, v, tt.out[j]);
+ t.Errorf("encryptBlock %d: out[%d] = %#x, want %#x", i, j, v, tt.out[j]);
break;
}
}
}
}
-// Test decryption against FIPS 197 examples.
-func TestDecrypt(t *testing.T) {
+// Test decryptBlock against FIPS 197 examples.
+func TestDecryptBlock(t *testing.T) {
for i, tt := range encryptTests {
- n := 4*(len(tt.key) + 7);
+ n := len(tt.key) + 28;
enc := make([]uint32, n);
dec := make([]uint32, n);
expandKey(tt.key, enc, dec);
- plain := make([]uint32, len(tt.in));
+ plain := make([]byte, len(tt.in));
decryptBlock(dec, tt.out, plain);
for j, v := range plain {
if v != tt.in[j] {
- t.Errorf("decrypt %d: plain[%d] = %#x, want %#x", i, j, v, tt.in[j]);
+ t.Errorf("decryptBlock %d: plain[%d] = %#x, want %#x", i, j, v, tt.in[j]);
+ break;
+ }
+ }
+ }
+}
+
+// Test Cipher Encrypt method against FIPS 197 examples.
+func TestCipherEncrypt(t *testing.T) {
+ for i, tt := range encryptTests {
+ c, err := NewCipher(tt.key);
+ if err != nil {
+ t.Errorf("NewCipher(%d bytes) = %s", len(tt.key), err);
+ continue;
+ }
+ out := make([]byte, len(tt.in));
+ c.Encrypt(tt.in, out);
+ for j, v := range out {
+ if v != tt.out[j] {
+ t.Errorf("Cipher.Encrypt %d: out[%d] = %#x, want %#x", i, j, v, tt.out[j]);
+ break;
+ }
+ }
+ }
+}
+
+// Test Cipher Decrypt against FIPS 197 examples.
+func TestCipherDecrypt(t *testing.T) {
+ for i, tt := range encryptTests {
+ c, err := NewCipher(tt.key);
+ if err != nil {
+ t.Errorf("NewCipher(%d bytes) = %s", len(tt.key), err);
+ continue;
+ }
+ plain := make([]byte, len(tt.in));
+ c.Decrypt(tt.out, plain);
+ for j, v := range plain {
+ if v != tt.in[j] {
+ t.Errorf("decryptBlock %d: plain[%d] = %#x, want %#x", i, j, v, tt.in[j]);
break;
}
}
import "crypto/aes"
// Encrypt one block from src into dst, using the expanded key xk.
-func encryptBlock(xk, src, dst []uint32) {
+func encryptBlock(xk []uint32, src, dst []byte) {
var s0, s1, s2, s3, t0, t1, t2, t3 uint32;
+ s0 = uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3]);
+ s1 = uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7]);
+ s2 = uint32(src[8])<<24 | uint32(src[9])<<16 | uint32(src[10])<<8 | uint32(src[11]);
+ s3 = uint32(src[12])<<24 | uint32(src[13])<<16 | uint32(src[14])<<8 | uint32(src[15]);
+
// First round just XORs input with key.
- s0 = src[0] ^ xk[0];
- s1 = src[1] ^ xk[1];
- s2 = src[2] ^ xk[2];
- s3 = src[3] ^ xk[3];
+ s0 ^= xk[0];
+ s1 ^= xk[1];
+ s2 ^= xk[2];
+ s3 ^= xk[3];
// Middle rounds shuffle using tables.
// Number of rounds is set by length of expanded key.
s2 = uint32(sbox0[t2>>24])<<24 | uint32(sbox0[t3>>16 & 0xff])<<16 | uint32(sbox0[t0>>8 & 0xff])<<8 | uint32(sbox0[t1 & 0xff]);
s3 = uint32(sbox0[t3>>24])<<24 | uint32(sbox0[t0>>16 & 0xff])<<16 | uint32(sbox0[t1>>8 & 0xff])<<8 | uint32(sbox0[t2 & 0xff]);
- dst[0] = s0 ^ xk[k+0];
- dst[1] = s1 ^ xk[k+1];
- dst[2] = s2 ^ xk[k+2];
- dst[3] = s3 ^ xk[k+3];
+ s0 ^= xk[k+0];
+ s1 ^= xk[k+1];
+ s2 ^= xk[k+2];
+ s3 ^= xk[k+3];
+
+ dst[0], dst[1], dst[2], dst[3] = byte(s0>>24), byte(s0>>16), byte(s0>>8), byte(s0);
+ dst[4], dst[5], dst[6], dst[7] = byte(s1>>24), byte(s1>>16), byte(s1>>8), byte(s1);
+ dst[8], dst[9], dst[10], dst[11] = byte(s2>>24), byte(s2>>16), byte(s2>>8), byte(s2);
+ dst[12], dst[13], dst[14], dst[15] = byte(s3>>24), byte(s3>>16), byte(s3>>8), byte(s3);
}
// Decrypt one block from src into dst, using the expanded key xk.
-func decryptBlock(xk, src, dst []uint32) {
+func decryptBlock(xk []uint32, src, dst []byte) {
var s0, s1, s2, s3, t0, t1, t2, t3 uint32;
+ s0 = uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3]);
+ s1 = uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7]);
+ s2 = uint32(src[8])<<24 | uint32(src[9])<<16 | uint32(src[10])<<8 | uint32(src[11]);
+ s3 = uint32(src[12])<<24 | uint32(src[13])<<16 | uint32(src[14])<<8 | uint32(src[15]);
+
// First round just XORs input with key.
- s0 = src[0] ^ xk[0];
- s1 = src[1] ^ xk[1];
- s2 = src[2] ^ xk[2];
- s3 = src[3] ^ xk[3];
+ s0 ^= xk[0];
+ s1 ^= xk[1];
+ s2 ^= xk[2];
+ s3 ^= xk[3];
// Middle rounds shuffle using tables.
// Number of rounds is set by length of expanded key.
s2 = uint32(sbox1[t2>>24])<<24 | uint32(sbox1[t1>>16 & 0xff])<<16 | uint32(sbox1[t0>>8 & 0xff])<<8 | uint32(sbox1[t3 & 0xff]);
s3 = uint32(sbox1[t3>>24])<<24 | uint32(sbox1[t2>>16 & 0xff])<<16 | uint32(sbox1[t1>>8 & 0xff])<<8 | uint32(sbox1[t0 & 0xff]);
- dst[0] = s0 ^ xk[k+0];
- dst[1] = s1 ^ xk[k+1];
- dst[2] = s2 ^ xk[k+2];
- dst[3] = s3 ^ xk[k+3];
+ s0 ^= xk[k+0];
+ s1 ^= xk[k+1];
+ s2 ^= xk[k+2];
+ s3 ^= xk[k+3];
+
+ dst[0], dst[1], dst[2], dst[3] = byte(s0>>24), byte(s0>>16), byte(s0>>8), byte(s0);
+ dst[4], dst[5], dst[6], dst[7] = byte(s1>>24), byte(s1>>16), byte(s1>>8), byte(s1);
+ dst[8], dst[9], dst[10], dst[11] = byte(s2>>24), byte(s2>>16), byte(s2>>8), byte(s2);
+ dst[12], dst[13], dst[14], dst[15] = byte(s3>>24), byte(s3>>16), byte(s3>>8), byte(s3);
}
// Apply sbox0 to each byte in w.
// Key expansion algorithm. See FIPS-197, Figure 11.
// Their rcon[i] is our powx[i-1] << 24.
-func expandKey(key, enc, dec []uint32) {
+func expandKey(key []byte, enc, dec []uint32) {
// Encryption key setup.
var i int;
- nk := len(key);
+ nk := len(key) / 4;
for i = 0; i < nk; i++ {
- enc[i] = key[i];
+ enc[i] = uint32(key[4*i])<<24 | uint32(key[4*i+1])<<16 | uint32(key[4*i+2])<<8 | uint32(key[4*i+3]);
}
for ; i < len(enc); i++ {
t := enc[i-1];