miracl_core/
aes.rs

1/*
2 * Copyright (c) 2012-2020 MIRACL UK Ltd.
3 *
4 * This file is part of MIRACL Core
5 * (see https://github.com/miracl/core).
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 *     http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20pub const ECB: usize = 0;
21pub const CBC: usize = 1;
22pub const CFB1: usize = 2;
23pub const CFB2: usize = 3;
24pub const CFB4: usize = 5;
25pub const OFB1: usize = 14;
26pub const OFB2: usize = 15;
27pub const OFB4: usize = 17;
28pub const OFB8: usize = 21;
29pub const OFB16: usize = 29;
30pub const CTR1: usize = 30;
31pub const CTR2: usize = 31;
32pub const CTR4: usize = 33;
33pub const CTR8: usize = 37;
34pub const CTR16: usize = 45;
35
36const INCO: [u8; 4] = [0xB, 0xD, 0x9, 0xE]; /* Inverse Coefficients */
37
38const PTAB: [u8; 256] = [
39    1, 3, 5, 15, 17, 51, 85, 255, 26, 46, 114, 150, 161, 248, 19, 53, 95, 225, 56, 72, 216, 115,
40    149, 164, 247, 2, 6, 10, 30, 34, 102, 170, 229, 52, 92, 228, 55, 89, 235, 38, 106, 190, 217,
41    112, 144, 171, 230, 49, 83, 245, 4, 12, 20, 60, 68, 204, 79, 209, 104, 184, 211, 110, 178, 205,
42    76, 212, 103, 169, 224, 59, 77, 215, 98, 166, 241, 8, 24, 40, 120, 136, 131, 158, 185, 208,
43    107, 189, 220, 127, 129, 152, 179, 206, 73, 219, 118, 154, 181, 196, 87, 249, 16, 48, 80, 240,
44    11, 29, 39, 105, 187, 214, 97, 163, 254, 25, 43, 125, 135, 146, 173, 236, 47, 113, 147, 174,
45    233, 32, 96, 160, 251, 22, 58, 78, 210, 109, 183, 194, 93, 231, 50, 86, 250, 21, 63, 65, 195,
46    94, 226, 61, 71, 201, 64, 192, 91, 237, 44, 116, 156, 191, 218, 117, 159, 186, 213, 100, 172,
47    239, 42, 126, 130, 157, 188, 223, 122, 142, 137, 128, 155, 182, 193, 88, 232, 35, 101, 175,
48    234, 37, 111, 177, 200, 67, 197, 84, 252, 31, 33, 99, 165, 244, 7, 9, 27, 45, 119, 153, 176,
49    203, 70, 202, 69, 207, 74, 222, 121, 139, 134, 145, 168, 227, 62, 66, 198, 81, 243, 14, 18, 54,
50    90, 238, 41, 123, 141, 140, 143, 138, 133, 148, 167, 242, 13, 23, 57, 75, 221, 124, 132, 151,
51    162, 253, 28, 36, 108, 180, 199, 82, 246, 1,
52];
53
54const LTAB: [u8; 256] = [
55    0, 255, 25, 1, 50, 2, 26, 198, 75, 199, 27, 104, 51, 238, 223, 3, 100, 4, 224, 14, 52, 141,
56    129, 239, 76, 113, 8, 200, 248, 105, 28, 193, 125, 194, 29, 181, 249, 185, 39, 106, 77, 228,
57    166, 114, 154, 201, 9, 120, 101, 47, 138, 5, 33, 15, 225, 36, 18, 240, 130, 69, 53, 147, 218,
58    142, 150, 143, 219, 189, 54, 208, 206, 148, 19, 92, 210, 241, 64, 70, 131, 56, 102, 221, 253,
59    48, 191, 6, 139, 98, 179, 37, 226, 152, 34, 136, 145, 16, 126, 110, 72, 195, 163, 182, 30, 66,
60    58, 107, 40, 84, 250, 133, 61, 186, 43, 121, 10, 21, 155, 159, 94, 202, 78, 212, 172, 229, 243,
61    115, 167, 87, 175, 88, 168, 80, 244, 234, 214, 116, 79, 174, 233, 213, 231, 230, 173, 232, 44,
62    215, 117, 122, 235, 22, 11, 245, 89, 203, 95, 176, 156, 169, 81, 160, 127, 12, 246, 111, 23,
63    196, 73, 236, 216, 67, 31, 45, 164, 118, 123, 183, 204, 187, 62, 90, 251, 96, 177, 134, 59, 82,
64    161, 108, 170, 85, 41, 157, 151, 178, 135, 144, 97, 190, 220, 252, 188, 149, 207, 205, 55, 63,
65    91, 209, 83, 57, 132, 60, 65, 162, 109, 71, 20, 42, 158, 93, 86, 242, 211, 171, 68, 17, 146,
66    217, 35, 32, 46, 137, 180, 124, 184, 38, 119, 153, 227, 165, 103, 74, 237, 222, 197, 49, 254,
67    24, 13, 99, 140, 128, 192, 247, 112, 7,
68];
69
70const FBSUB: [u8; 256] = [
71    99, 124, 119, 123, 242, 107, 111, 197, 48, 1, 103, 43, 254, 215, 171, 118, 202, 130, 201, 125,
72    250, 89, 71, 240, 173, 212, 162, 175, 156, 164, 114, 192, 183, 253, 147, 38, 54, 63, 247, 204,
73    52, 165, 229, 241, 113, 216, 49, 21, 4, 199, 35, 195, 24, 150, 5, 154, 7, 18, 128, 226, 235,
74    39, 178, 117, 9, 131, 44, 26, 27, 110, 90, 160, 82, 59, 214, 179, 41, 227, 47, 132, 83, 209, 0,
75    237, 32, 252, 177, 91, 106, 203, 190, 57, 74, 76, 88, 207, 208, 239, 170, 251, 67, 77, 51, 133,
76    69, 249, 2, 127, 80, 60, 159, 168, 81, 163, 64, 143, 146, 157, 56, 245, 188, 182, 218, 33, 16,
77    255, 243, 210, 205, 12, 19, 236, 95, 151, 68, 23, 196, 167, 126, 61, 100, 93, 25, 115, 96, 129,
78    79, 220, 34, 42, 144, 136, 70, 238, 184, 20, 222, 94, 11, 219, 224, 50, 58, 10, 73, 6, 36, 92,
79    194, 211, 172, 98, 145, 149, 228, 121, 231, 200, 55, 109, 141, 213, 78, 169, 108, 86, 244, 234,
80    101, 122, 174, 8, 186, 120, 37, 46, 28, 166, 180, 198, 232, 221, 116, 31, 75, 189, 139, 138,
81    112, 62, 181, 102, 72, 3, 246, 14, 97, 53, 87, 185, 134, 193, 29, 158, 225, 248, 152, 17, 105,
82    217, 142, 148, 155, 30, 135, 233, 206, 85, 40, 223, 140, 161, 137, 13, 191, 230, 66, 104, 65,
83    153, 45, 15, 176, 84, 187, 22,
84];
85
86const RBSUB: [u8; 256] = [
87    82, 9, 106, 213, 48, 54, 165, 56, 191, 64, 163, 158, 129, 243, 215, 251, 124, 227, 57, 130,
88    155, 47, 255, 135, 52, 142, 67, 68, 196, 222, 233, 203, 84, 123, 148, 50, 166, 194, 35, 61,
89    238, 76, 149, 11, 66, 250, 195, 78, 8, 46, 161, 102, 40, 217, 36, 178, 118, 91, 162, 73, 109,
90    139, 209, 37, 114, 248, 246, 100, 134, 104, 152, 22, 212, 164, 92, 204, 93, 101, 182, 146, 108,
91    112, 72, 80, 253, 237, 185, 218, 94, 21, 70, 87, 167, 141, 157, 132, 144, 216, 171, 0, 140,
92    188, 211, 10, 247, 228, 88, 5, 184, 179, 69, 6, 208, 44, 30, 143, 202, 63, 15, 2, 193, 175,
93    189, 3, 1, 19, 138, 107, 58, 145, 17, 65, 79, 103, 220, 234, 151, 242, 207, 206, 240, 180, 230,
94    115, 150, 172, 116, 34, 231, 173, 53, 133, 226, 249, 55, 232, 28, 117, 223, 110, 71, 241, 26,
95    113, 29, 41, 197, 137, 111, 183, 98, 14, 170, 24, 190, 27, 252, 86, 62, 75, 198, 210, 121, 32,
96    154, 219, 192, 254, 120, 205, 90, 244, 31, 221, 168, 51, 136, 7, 199, 49, 177, 18, 16, 89, 39,
97    128, 236, 95, 96, 81, 127, 169, 25, 181, 74, 13, 45, 229, 122, 159, 147, 201, 156, 239, 160,
98    224, 59, 77, 174, 42, 245, 176, 200, 235, 187, 60, 131, 83, 153, 97, 23, 43, 4, 126, 186, 119,
99    214, 38, 225, 105, 20, 99, 85, 33, 12, 125,
100];
101
102const RCO: [u8; 16] = [
103    1, 2, 4, 8, 16, 32, 64, 128, 27, 54, 108, 216, 171, 77, 154, 47,
104];
105
106const FTABLE: [u32; 256] = [
107    0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6, 0xdf2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591,
108    0x50303060, 0x3010102, 0xa96767ce, 0x7d2b2b56, 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec,
109    0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa, 0x15fafaef, 0xeb5959b2, 0xc947478e, 0xbf0f0fb,
110    0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45, 0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b,
111    0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c, 0x5a36366c, 0x413f3f7e, 0x2f7f7f5, 0x4fcccc83,
112    0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x8f1f1f9, 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a,
113    0xc040408, 0x52c7c795, 0x65232346, 0x5ec3c39d, 0x28181830, 0xa1969637, 0xf05050a, 0xb59a9a2f,
114    0x907070e, 0x36121224, 0x9b80801b, 0x3de2e2df, 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea,
115    0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34, 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b,
116    0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d, 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413,
117    0xf55353a6, 0x68d1d1b9, 0x0, 0x2cededc1, 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6,
118    0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972, 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85,
119    0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed, 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511,
120    0xcf45458a, 0x10f9f9e9, 0x6020204, 0x817f7ffe, 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b,
121    0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05, 0xad92923f, 0xbc9d9d21, 0x48383870, 0x4f5f5f1,
122    0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142, 0x30101020, 0x1affffe5, 0xef3f3fd, 0x6dd2d2bf,
123    0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3, 0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e,
124    0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a, 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6,
125    0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3, 0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b,
126    0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428, 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad,
127    0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14, 0xdb494992, 0xa06060c, 0x6c242448, 0xe45c5cb8,
128    0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4, 0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2,
129    0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda, 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949,
130    0xb46c6cd8, 0xfa5656ac, 0x7f4f4f3, 0x25eaeacf, 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810,
131    0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c, 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697,
132    0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e, 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f,
133    0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc, 0xd8484890, 0x5030306, 0x1f6f6f7, 0x120e0e1c,
134    0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969, 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27,
135    0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122, 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433,
136    0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9, 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5,
137    0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a, 0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0,
138    0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e, 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c,
139];
140
141const RTABLE: [u32; 256] = [
142    0x50a7f451, 0x5365417e, 0xc3a4171a, 0x965e273a, 0xcb6bab3b, 0xf1459d1f, 0xab58faac, 0x9303e34b,
143    0x55fa3020, 0xf66d76ad, 0x9176cc88, 0x254c02f5, 0xfcd7e54f, 0xd7cb2ac5, 0x80443526, 0x8fa362b5,
144    0x495ab1de, 0x671bba25, 0x980eea45, 0xe1c0fe5d, 0x2752fc3, 0x12f04c81, 0xa397468d, 0xc6f9d36b,
145    0xe75f8f03, 0x959c9215, 0xeb7a6dbf, 0xda595295, 0x2d83bed4, 0xd3217458, 0x2969e049, 0x44c8c98e,
146    0x6a89c275, 0x78798ef4, 0x6b3e5899, 0xdd71b927, 0xb64fe1be, 0x17ad88f0, 0x66ac20c9, 0xb43ace7d,
147    0x184adf63, 0x82311ae5, 0x60335197, 0x457f5362, 0xe07764b1, 0x84ae6bbb, 0x1ca081fe, 0x942b08f9,
148    0x58684870, 0x19fd458f, 0x876cde94, 0xb7f87b52, 0x23d373ab, 0xe2024b72, 0x578f1fe3, 0x2aab5566,
149    0x728ebb2, 0x3c2b52f, 0x9a7bc586, 0xa50837d3, 0xf2872830, 0xb2a5bf23, 0xba6a0302, 0x5c8216ed,
150    0x2b1ccf8a, 0x92b479a7, 0xf0f207f3, 0xa1e2694e, 0xcdf4da65, 0xd5be0506, 0x1f6234d1, 0x8afea6c4,
151    0x9d532e34, 0xa055f3a2, 0x32e18a05, 0x75ebf6a4, 0x39ec830b, 0xaaef6040, 0x69f715e, 0x51106ebd,
152    0xf98a213e, 0x3d06dd96, 0xae053edd, 0x46bde64d, 0xb58d5491, 0x55dc471, 0x6fd40604, 0xff155060,
153    0x24fb9819, 0x97e9bdd6, 0xcc434089, 0x779ed967, 0xbd42e8b0, 0x888b8907, 0x385b19e7, 0xdbeec879,
154    0x470a7ca1, 0xe90f427c, 0xc91e84f8, 0x0, 0x83868009, 0x48ed2b32, 0xac70111e, 0x4e725a6c,
155    0xfbff0efd, 0x5638850f, 0x1ed5ae3d, 0x27392d36, 0x64d90f0a, 0x21a65c68, 0xd1545b9b, 0x3a2e3624,
156    0xb1670a0c, 0xfe75793, 0xd296eeb4, 0x9e919b1b, 0x4fc5c080, 0xa220dc61, 0x694b775a, 0x161a121c,
157    0xaba93e2, 0xe52aa0c0, 0x43e0223c, 0x1d171b12, 0xb0d090e, 0xadc78bf2, 0xb9a8b62d, 0xc8a91e14,
158    0x8519f157, 0x4c0775af, 0xbbdd99ee, 0xfd607fa3, 0x9f2601f7, 0xbcf5725c, 0xc53b6644, 0x347efb5b,
159    0x7629438b, 0xdcc623cb, 0x68fcedb6, 0x63f1e4b8, 0xcadc31d7, 0x10856342, 0x40229713, 0x2011c684,
160    0x7d244a85, 0xf83dbbd2, 0x1132f9ae, 0x6da129c7, 0x4b2f9e1d, 0xf330b2dc, 0xec52860d, 0xd0e3c177,
161    0x6c16b32b, 0x99b970a9, 0xfa489411, 0x2264e947, 0xc48cfca8, 0x1a3ff0a0, 0xd82c7d56, 0xef903322,
162    0xc74e4987, 0xc1d138d9, 0xfea2ca8c, 0x360bd498, 0xcf81f5a6, 0x28de7aa5, 0x268eb7da, 0xa4bfad3f,
163    0xe49d3a2c, 0xd927850, 0x9bcc5f6a, 0x62467e54, 0xc2138df6, 0xe8b8d890, 0x5ef7392e, 0xf5afc382,
164    0xbe805d9f, 0x7c93d069, 0xa92dd56f, 0xb31225cf, 0x3b99acc8, 0xa77d1810, 0x6e639ce8, 0x7bbb3bdb,
165    0x97826cd, 0xf418596e, 0x1b79aec, 0xa89a4f83, 0x656e95e6, 0x7ee6ffaa, 0x8cfbc21, 0xe6e815ef,
166    0xd99be7ba, 0xce366f4a, 0xd4099fea, 0xd67cb029, 0xafb2a431, 0x31233f2a, 0x3094a5c6, 0xc066a235,
167    0x37bc4e74, 0xa6ca82fc, 0xb0d090e0, 0x15d8a733, 0x4a9804f1, 0xf7daec41, 0xe50cd7f, 0x2ff69117,
168    0x8dd64d76, 0x4db0ef43, 0x544daacc, 0xdf0496e4, 0xe3b5d19e, 0x1b886a4c, 0xb81f2cc1, 0x7f516546,
169    0x4ea5e9d, 0x5d358c01, 0x737487fa, 0x2e410bfb, 0x5a1d67b3, 0x52d2db92, 0x335610e9, 0x1347d66d,
170    0x8c61d79a, 0x7a0ca137, 0x8e14f859, 0x893c13eb, 0xee27a9ce, 0x35c961b7, 0xede51ce1, 0x3cb1477a,
171    0x59dfd29c, 0x3f73f255, 0x79ce1418, 0xbf37c773, 0xeacdf753, 0x5baafd5f, 0x146f3ddf, 0x86db4478,
172    0x81f3afca, 0x3ec468b9, 0x2c342438, 0x5f40a3c2, 0x72c31d16, 0xc25e2bc, 0x8b493c28, 0x41950dff,
173    0x7101a839, 0xdeb30c08, 0x9ce4b4d8, 0x90c15664, 0x6184cb7b, 0x70b632d5, 0x745c6c48, 0x4257b8d0,
174];
175
176pub struct AES {
177//    nk: usize,
178    nr: usize,
179    mode: usize,
180    fkey: [u32; 60],
181    rkey: [u32; 60],
182    pub f: [u8; 16],
183}
184
185
186fn rotl8(x: u32) -> u32 {
187    ((x) << 8) | ((x) >> 24)
188}
189
190fn rotl16(x: u32) -> u32 {
191    ((x) << 16) | ((x) >> 16)
192}
193
194fn rotl24(x: u32) -> u32 {
195    ((x) << 24) | ((x) >> 8)
196}
197
198fn pack(b: [u8; 4]) -> u32 {
199    /* pack bytes into a 32-bit Word */
200    ((b[3] as u32) << 24)
201        | ((b[2] as u32) << 16)
202        | ((b[1] as u32) << 8)
203        | (b[0] as u32)
204}
205
206fn unpack(a: u32) -> [u8; 4] {
207    /* unpack bytes from a word */
208    [
209        (a & 0xff) as u8,
210        ((a >> 8) & 0xff) as u8,
211        ((a >> 16) & 0xff) as u8,
212        ((a >> 24) & 0xff) as u8,
213    ]
214}
215
216fn bmul(x: u8, y: u8) -> u8 {
217    /* x.y= AntiLog(Log(x) + Log(y)) */
218    let ix = (x as usize) & 0xff;
219    let iy = (y as usize) & 0xff;
220    let lx = (LTAB[ix] as usize) & 0xff;
221    let ly = (LTAB[iy] as usize) & 0xff;
222
223    if x != 0 && y != 0 {
224        PTAB[(lx + ly) % 255]
225    } else {
226        0
227    }
228}
229
230fn subbyte(a: u32) -> u32 {
231    let mut b = unpack(a);
232    b[0] = FBSUB[b[0] as usize];
233    b[1] = FBSUB[b[1] as usize];
234    b[2] = FBSUB[b[2] as usize];
235    b[3] = FBSUB[b[3] as usize];
236    pack(b)
237}
238
239fn product(x: u32, y: u32) -> u8 {
240    /* dot product of two 4-byte arrays */
241    let xb = unpack(x);
242    let yb = unpack(y);
243
244    bmul(xb[0], yb[0])
245        ^ bmul(xb[1], yb[1])
246        ^ bmul(xb[2], yb[2])
247        ^ bmul(xb[3], yb[3])
248}
249
250fn invmixcol(x: u32) -> u32 {
251    /* matrix Multiplication */
252    let mut b: [u8; 4] = [0; 4];
253    let mut m = pack(INCO);
254    b[3] = product(m, x);
255    m = rotl24(m);
256    b[2] = product(m, x);
257    m = rotl24(m);
258    b[1] = product(m, x);
259    m = rotl24(m);
260    b[0] = product(m, x);
261    pack(b)
262}
263
264fn increment(f: &mut [u8; 16]) {
265    for i in 0..16 {
266        f[i] += 1;
267        if f[i] != 0 {
268            break;
269        }
270    }
271}
272
273impl AES {
274
275    pub fn new() -> AES {
276        AES {
277//            nk: 0,
278            nr: 0,
279            mode: 0,
280            fkey: [0; 60],
281            rkey: [0; 60],
282            f: [0; 16],
283        }
284    }
285
286    /* reset cipher */
287    pub fn reset(&mut self, m: usize, iv: Option<[u8; 16]>) {
288        /* reset mode, or reset iv */
289        self.mode = m;
290        for i in 0..16 {
291            self.f[i] = 0
292        }
293        if self.mode != ECB {
294            if let Some(x) = iv {
295                for i in 0..16 {
296                    self.f[i] = x[i]
297                }
298            }
299        }
300    }
301
302    pub fn init(&mut self, m: usize, nkey: usize, key: &[u8], iv: Option<[u8; 16]>) -> bool {
303        /* Key Scheduler. Create expanded encryption key */
304        let mut cipherkey: [u32; 8] = [0; 8];
305        let mut b: [u8; 4] = [0; 4];
306        let nk = nkey / 4;
307        if nk != 4 && nk != 6 && nk != 8 {
308            return false;
309        }
310        let nr = 6 + nk;
311        //self.nk = nk;
312        self.nr = nr;
313        self.reset(m, iv);
314        let n = 4 * (nr + 1);
315
316        let mut j = 0;
317        for i in 0..nk {
318            for k in 0..4 {
319                b[k] = key[j + k]
320            }
321            cipherkey[i] = pack(b);
322            j += 4;
323        }
324
325        for i in 0..nk {
326            self.fkey[i] = cipherkey[i]
327        }
328
329        j = nk;
330        let mut k = 0;
331        while j < n {
332            self.fkey[j] =
333                self.fkey[j - nk] ^ subbyte(rotl24(self.fkey[j - 1])) ^ (RCO[k] as u32);
334            if nk<=6 { 
335		for i in 1..nk {
336			if (i + j) >= n {
337				break;
338			}
339			self.fkey[i + j] = self.fkey[i + j - nk] ^ self.fkey[i + j - 1];
340		}
341	    } else {
342		for i in 1..4  {
343			if (i + j) >= n {
344				break;
345			}
346			self.fkey[i + j] = self.fkey[i + j - nk] ^ self.fkey[i + j - 1];
347		}
348		
349		if (j + 4) < n {
350			self.fkey[j + 4] = self.fkey[j + 4 - nk] ^ subbyte(self.fkey[j + 3]);
351		}
352		for i in 5..nk {
353			if (i + j) >= n {
354				break;
355			}
356			self.fkey[i + j] = self.fkey[i + j - nk] ^ self.fkey[i + j - 1];
357		}	        
358	    }
359            j += nk;
360            k += 1;
361        }
362
363        /* now for the expanded decrypt key in reverse order */
364
365        for j in 0..4 {
366            self.rkey[j + n - 4] = self.fkey[j]
367        }
368        let mut i = 4;
369        while i < n - 4 {
370            let k = n - 4 - i;
371            for j in 0..4 {
372                self.rkey[k + j] = invmixcol(self.fkey[i + j])
373            }
374            i += 4;
375        }
376        for j in n - 4..n {
377            self.rkey[j + 4 - n] = self.fkey[j]
378        }
379        true
380    }
381
382    pub fn getreg(&mut self) -> [u8; 16] {
383        let mut ir: [u8; 16] = [0; 16];
384        for i in 0..16 {
385            ir[i] = self.f[i]
386        }
387        ir
388    }
389
390    /* Encrypt a single block */
391    pub fn ecb_encrypt(&mut self, buff: &mut [u8; 16]) {
392        let mut b: [u8; 4] = [0; 4];
393        let mut p: [u32; 4] = [0; 4];
394        let mut q: [u32; 4] = [0; 4];
395
396        let mut j = 0;
397        for i in 0..4 {
398            for k in 0..4 {
399                b[k] = buff[j + k]
400            }
401            p[i] = pack(b);
402            p[i] ^= self.fkey[i];
403            j += 4;
404        }
405
406        let mut k = 4;
407
408        /* State alternates between p and q */
409        for _ in 1..self.nr {
410            q[0] = self.fkey[k]
411                ^ FTABLE[(p[0] & 0xff) as usize]
412                ^ rotl8(FTABLE[((p[1] >> 8) & 0xff) as usize])
413                ^ rotl16(FTABLE[((p[2] >> 16) & 0xff) as usize])
414                ^ rotl24(FTABLE[((p[3] >> 24) & 0xff) as usize]);
415
416            q[1] = self.fkey[k + 1]
417                ^ FTABLE[(p[1] & 0xff) as usize]
418                ^ rotl8(FTABLE[((p[2] >> 8) & 0xff) as usize])
419                ^ rotl16(FTABLE[((p[3] >> 16) & 0xff) as usize])
420                ^ rotl24(FTABLE[((p[0] >> 24) & 0xff) as usize]);
421
422            q[2] = self.fkey[k + 2]
423                ^ FTABLE[(p[2] & 0xff) as usize]
424                ^ rotl8(FTABLE[((p[3] >> 8) & 0xff) as usize])
425                ^ rotl16(FTABLE[((p[0] >> 16) & 0xff) as usize])
426                ^ rotl24(FTABLE[((p[1] >> 24) & 0xff) as usize]);
427
428            q[3] = self.fkey[k + 3]
429                ^ FTABLE[(p[3] & 0xff) as usize]
430                ^ rotl8(FTABLE[((p[0] >> 8) & 0xff) as usize])
431                ^ rotl16(FTABLE[((p[1] >> 16) & 0xff) as usize])
432                ^ rotl24(FTABLE[((p[2] >> 24) & 0xff) as usize]);
433
434            k += 4;
435            for j in 0..4 {
436                let t = p[j];
437                p[j] = q[j];
438                q[j] = t;
439            }
440        }
441
442        /* Last Round */
443
444        q[0] = self.fkey[k]
445            ^ (FBSUB[(p[0] & 0xff) as usize] as u32)
446            ^ rotl8((FBSUB[((p[1] >> 8) & 0xff) as usize]) as u32)
447            ^ rotl16((FBSUB[((p[2] >> 16) & 0xff) as usize]) as u32)
448            ^ rotl24((FBSUB[((p[3] >> 24) & 0xff) as usize]) as u32);
449
450        q[1] = self.fkey[k + 1]
451            ^ (FBSUB[(p[1] & 0xff) as usize] as u32)
452            ^ rotl8((FBSUB[((p[2] >> 8) & 0xff) as usize]) as u32)
453            ^ rotl16((FBSUB[((p[3] >> 16) & 0xff) as usize]) as u32)
454            ^ rotl24((FBSUB[((p[0] >> 24) & 0xff) as usize]) as u32);
455
456        q[2] = self.fkey[k + 2]
457            ^ (FBSUB[(p[2] & 0xff) as usize] as u32)
458            ^ rotl8((FBSUB[((p[3] >> 8) & 0xff) as usize]) as u32)
459            ^ rotl16((FBSUB[((p[0] >> 16) & 0xff) as usize]) as u32)
460            ^ rotl24((FBSUB[((p[1] >> 24) & 0xff) as usize]) as u32);
461
462        q[3] = self.fkey[k + 3]
463            ^ (FBSUB[(p[3] & 0xff) as usize] as u32)
464            ^ rotl8((FBSUB[((p[0] >> 8) & 0xff) as usize]) as u32)
465            ^ rotl16((FBSUB[((p[1] >> 16) & 0xff) as usize]) as u32)
466            ^ rotl24((FBSUB[((p[2] >> 24) & 0xff) as usize]) as u32);
467
468        j = 0;
469        for i in 0..4 {
470            b = unpack(q[i]);
471            for k in 0..4 {
472                buff[j + k] = b[k]
473            }
474            j += 4;
475        }
476    }
477
478    /* Decrypt a single block */
479    pub fn ecb_decrypt(&mut self, buff: &mut [u8; 16]) {
480        let mut b: [u8; 4] = [0; 4];
481        let mut p: [u32; 4] = [0; 4];
482        let mut q: [u32; 4] = [0; 4];
483
484        let mut j = 0;
485        for i in 0..4 {
486            for k in 0..4 {
487                b[k] = buff[j + k]
488            }
489            p[i] = pack(b);
490            p[i] ^= self.rkey[i];
491            j += 4;
492        }
493
494        let mut k = 4;
495
496        /* State alternates between p and q */
497        for _ in 1..self.nr {
498            q[0] = self.rkey[k]
499                ^ RTABLE[(p[0] & 0xff) as usize]
500                ^ rotl8(RTABLE[((p[3] >> 8) & 0xff) as usize])
501                ^ rotl16(RTABLE[((p[2] >> 16) & 0xff) as usize])
502                ^ rotl24(RTABLE[((p[1] >> 24) & 0xff) as usize]);
503
504            q[1] = self.rkey[k + 1]
505                ^ RTABLE[(p[1] & 0xff) as usize]
506                ^ rotl8(RTABLE[((p[0] >> 8) & 0xff) as usize])
507                ^ rotl16(RTABLE[((p[3] >> 16) & 0xff) as usize])
508                ^ rotl24(RTABLE[((p[2] >> 24) & 0xff) as usize]);
509
510            q[2] = self.rkey[k + 2]
511                ^ RTABLE[(p[2] & 0xff) as usize]
512                ^ rotl8(RTABLE[((p[1] >> 8) & 0xff) as usize])
513                ^ rotl16(RTABLE[((p[0] >> 16) & 0xff) as usize])
514                ^ rotl24(RTABLE[((p[3] >> 24) & 0xff) as usize]);
515
516            q[3] = self.rkey[k + 3]
517                ^ RTABLE[(p[3] & 0xff) as usize]
518                ^ rotl8(RTABLE[((p[2] >> 8) & 0xff) as usize])
519                ^ rotl16(RTABLE[((p[1] >> 16) & 0xff) as usize])
520                ^ rotl24(RTABLE[((p[0] >> 24) & 0xff) as usize]);
521
522            k += 4;
523            for j in 0..4 {
524                let t = p[j];
525                p[j] = q[j];
526                q[j] = t;
527            }
528        }
529
530        /* Last Round */
531
532        q[0] = self.rkey[k]
533            ^ (RBSUB[(p[0] & 0xff) as usize] as u32)
534            ^ rotl8((RBSUB[((p[3] >> 8) & 0xff) as usize]) as u32)
535            ^ rotl16((RBSUB[((p[2] >> 16) & 0xff) as usize]) as u32)
536            ^ rotl24((RBSUB[((p[1] >> 24) & 0xff) as usize]) as u32);
537
538        q[1] = self.rkey[k + 1]
539            ^ (RBSUB[(p[1] & 0xff) as usize] as u32)
540            ^ rotl8((RBSUB[((p[0] >> 8) & 0xff) as usize]) as u32)
541            ^ rotl16((RBSUB[((p[3] >> 16) & 0xff) as usize]) as u32)
542            ^ rotl24((RBSUB[((p[2] >> 24) & 0xff) as usize]) as u32);
543
544        q[2] = self.rkey[k + 2]
545            ^ (RBSUB[(p[2] & 0xff) as usize] as u32)
546            ^ rotl8((RBSUB[((p[1] >> 8) & 0xff) as usize]) as u32)
547            ^ rotl16((RBSUB[((p[0] >> 16) & 0xff) as usize]) as u32)
548            ^ rotl24((RBSUB[((p[3] >> 24) & 0xff) as usize]) as u32);
549
550        q[3] = self.rkey[k + 3]
551            ^ (RBSUB[((p[3]) & 0xff) as usize] as u32)
552            ^ rotl8((RBSUB[((p[2] >> 8) & 0xff) as usize]) as u32)
553            ^ rotl16((RBSUB[((p[1] >> 16) & 0xff) as usize]) as u32)
554            ^ rotl24((RBSUB[((p[0] >> 24) & 0xff) as usize]) as u32);
555
556        j = 0;
557        for i in 0..4 {
558            b = unpack(q[i]);
559            for k in 0..4 {
560                buff[j + k] = b[k]
561            }
562            j += 4;
563        }
564    }
565
566    /* Encrypt using selected mode of operation */
567    pub fn encrypt(&mut self, buff: &mut [u8; 16]) -> u32 {
568        let mut st: [u8; 16] = [0; 16];
569
570        // Supported Modes of Operation
571
572        let mut fell_off: u32 = 0;
573
574        match self.mode {
575            ECB => {
576                self.ecb_encrypt(buff);
577                0
578            }
579            CBC => {
580                for j in 0..16 {
581                    buff[j] ^= self.f[j]
582                }
583                self.ecb_encrypt(buff);
584                for j in 0..16 {
585                    self.f[j] = buff[j]
586                }
587                0
588            }
589
590            CFB1 | CFB2 | CFB4 => {
591                let bytes = self.mode - CFB1 + 1;
592                for j in 0..bytes {
593                    fell_off = (fell_off << 8) | (self.f[j] as u32)
594                }
595                for j in 0..16 {
596                    st[j] = self.f[j]
597                }
598                for j in bytes..16 {
599                    self.f[j - bytes] = self.f[j]
600                }
601                self.ecb_encrypt(&mut st);
602                for j in 0..bytes {
603                    buff[j] ^= st[j];
604                    self.f[16 - bytes + j] = buff[j];
605                }
606                fell_off
607            }
608
609            OFB1 | OFB2 | OFB4 | OFB8 | OFB16 => {
610                let bytes = self.mode - OFB1 + 1;
611                for j in 0..16 {
612                    st[j] = self.f[j]
613                }
614                self.ecb_encrypt(&mut st);
615                for j in 0..bytes {
616                    buff[j] ^= st[j]
617                }
618                for j in 0..16 {
619                    self.f[j] = st[j]
620                }
621
622                //self.ecb_encrypt(&mut (self.f));
623                //for j in 0..bytes {buff[j]^=self.f[j]}
624                0
625            }
626
627            CTR1 | CTR2 | CTR4 | CTR8 | CTR16 => {
628                let bytes = self.mode - CTR1 + 1;
629                for j in 0..16 {
630                    st[j] = self.f[j]
631                }
632                self.ecb_encrypt(&mut st);
633                for j in 0..bytes {
634                    buff[j] ^= st[j]
635                }
636                increment(&mut (self.f));
637                0
638            }
639
640            _ => {
641                0
642            }
643        }
644    }
645
646    /* Decrypt using selected mode of operation */
647    pub fn decrypt(&mut self, buff: &mut [u8; 16]) -> u32 {
648        let mut st: [u8; 16] = [0; 16];
649
650        // Supported Modes of Operation
651
652        let mut fell_off: u32 = 0;
653
654        match self.mode {
655            ECB => {
656                self.ecb_decrypt(buff);
657                0
658            }
659            CBC => {
660                for j in 0..16 {
661                    st[j] = self.f[j];
662                    self.f[j] = buff[j];
663                }
664                self.ecb_decrypt(buff);
665                for j in 0..16 {
666                    buff[j] ^= st[j];
667                    st[j] = 0;
668                }
669                0
670            }
671            CFB1 | CFB2 | CFB4 => {
672                let bytes = self.mode - CFB1 + 1;
673                for j in 0..bytes {
674                    fell_off = (fell_off << 8) | (self.f[j] as u32)
675                }
676                for j in 0..16 {
677                    st[j] = self.f[j]
678                }
679                for j in bytes..16 {
680                    self.f[j - bytes] = self.f[j]
681                }
682                self.ecb_encrypt(&mut st);
683                for j in 0..bytes {
684                    self.f[16 - bytes + j] = buff[j];
685                    buff[j] ^= st[j];
686                }
687                fell_off
688            }
689            OFB1 | OFB2 | OFB4 | OFB8 | OFB16 => {
690                let bytes = self.mode - OFB1 + 1;
691                for j in 0..16 {
692                    st[j] = self.f[j]
693                }
694                self.ecb_encrypt(&mut st);
695                for j in 0..bytes {
696                    buff[j] ^= st[j]
697                }
698                for j in 0..16 {
699                    self.f[j] = st[j]
700                }
701                //  self.ecb_encrypt(A.f[:]);
702                //  for j in 0..bytes {buff[j]^=self.f[j]}
703                0
704            }
705
706            CTR1 | CTR2 | CTR4 | CTR8 | CTR16 => {
707                let bytes = self.mode - CTR1 + 1;
708                for j in 0..16 {
709                    st[j] = self.f[j]
710                }
711                self.ecb_encrypt(&mut st);
712                for j in 0..bytes {
713                    buff[j] ^= st[j]
714                }
715                increment(&mut (self.f));
716                0
717            }
718
719            _ => {
720                0
721            }
722        }
723    }
724
725    /* Clean up and delete left-overs */
726    pub fn end(&mut self) {
727        // clean up
728        for i in 0..4 * (self.nr + 1) {
729            self.fkey[i] = 0;
730            self.rkey[i] = 0
731        }
732        for i in 0..16 {
733            self.f[i] = 0
734        }
735    }
736}
737
738/* AES encryption/decryption. Encrypt byte array m using key k and returns ciphertext c */
739pub fn cbc_iv0_encrypt(k: &[u8], m: &[u8],c: &mut [u8]) -> usize {
740    /* AES CBC encryption, with Null IV and key K */
741    /* Input is from an octet string m, output is to an octet string c */
742    /* Input is padded as necessary to make up a full final block */
743    let mut a = AES::new();
744    let mut fin = false;
745
746    let mut buff: [u8; 16] = [0; 16];
747
748    a.init(CBC, k.len(), k, None);
749
750    let mut ipt = 0;
751    let mut opt = 0;
752    let mut i;
753    loop {
754        i = 0;
755        while i < 16 {
756            if ipt < m.len() {
757                buff[i] = m[ipt];
758                i += 1;
759                ipt += 1;
760            } else {
761                fin = true;
762                break;
763            }
764        }
765        if fin {
766            break;
767        }
768        a.encrypt(&mut buff);
769        for j in 0..16 {
770            if opt < c.len() {
771                c[opt]=buff[j]; opt+=1;
772            }
773        }
774    }
775
776    /* last block, filled up to i-th index */
777
778    let padlen = 16 - i;
779    for j in i..16 {
780        buff[j] = padlen as u8
781    }
782
783    a.encrypt(&mut buff);
784
785    for j in 0..16 {
786        if opt<c.len() {
787            c[opt]=buff[j]; opt+=1;
788        }
789    }
790    a.end();
791    opt
792}
793
794/* returns plaintext if all consistent, else returns null string */
795pub fn cbc_iv0_decrypt(k: &[u8], c: &[u8], m: &mut [u8]) -> usize {
796    /* padding is removed */
797    let mut a = AES::new();
798    let mut fin = false;
799
800    let mut buff: [u8; 16] = [0; 16];
801
802    a.init(CBC, k.len(), k, None);
803
804    let mut ipt = 0;
805    let mut opt = 0;
806    let mut i;
807
808    if c.is_empty() {
809        return 0;
810    }
811    let mut ch = c[ipt];
812    ipt += 1;
813
814    loop {
815        i = 0;
816        while i < 16 {
817            buff[i] = ch;
818            if ipt >= c.len() {
819                fin = true;
820                break;
821            } else {
822                ch = c[ipt];
823                ipt += 1
824            }
825            i += 1;
826        }
827        a.decrypt(&mut buff);
828        if fin {
829            break;
830        }
831        for j in 0..16 {
832            if opt<m.len() {
833                m[opt]=buff[j]; opt+=1;
834            }
835        }
836    }
837
838    a.end();
839    let mut bad = false;
840    let padlen = buff[15] as usize;
841    if i != 15 || padlen < 1 || padlen > 16 {
842        bad = true
843    }
844    if padlen >= 2 && padlen <= 16 {
845        for j in 16 - padlen..16 {
846            if buff[j] != padlen as u8 {
847                bad = true
848            }
849        }
850    }
851
852    if !bad {
853        for i in 0..16 - padlen {
854            if opt<m.len() {
855                m[opt]=buff[i]; opt+=1;
856            }
857        }
858    }
859
860    if bad {
861        0
862    } else {
863        opt
864    }
865}
866
867/*
868fn main()
869{
870    let mut key:[u8;32]=[0;32];
871    let mut block:[u8;16]=[0;16];
872    let mut iv: [u8;16] = [0;16];
873
874    for i in 0..32 {key[i]=0}
875    key[0]=1;
876    for i in 0..16 {iv[i]=i as u8}
877    for i in 0..16 {block[i]=i as u8}
878
879    let mut aes=AES::new();
880    aes.init(CTR16,32,&key,Some(iv));
881
882    println!("Plain= ");
883    for i in 0..16 {print!("{:02x} ",block[i])}
884    println!("");
885
886    aes.encrypt(&mut block);
887
888    println!("Encrypt= ");
889    for i in 0..16 {print!("{:02x} ",block[i])}
890    println!("");
891
892    aes.reset(CTR16,Some(iv));
893    aes.decrypt(&mut block);
894
895    println!("Decrypt= ");
896    for i in 0..16 {print!("{:02x} ",block[i])}
897    println!("");
898
899    aes.end();
900}
901*/