| // Copyright 2009 The Go Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style |
| // license that can be found in the LICENSE file. |
| |
| package aes |
| |
| import ( |
| "crypto/internal/fips140" |
| "crypto/internal/fips140/alias" |
| "strconv" |
| ) |
| |
| // BlockSize is the AES block size in bytes. |
| const BlockSize = 16 |
| |
| // A Block is an instance of AES using a particular key. |
| // It is safe for concurrent use. |
| type Block struct { |
| block |
| } |
| |
| // blockExpanded is the block type used for all architectures except s390x, |
| // which feeds the raw key directly to its instructions. |
| type blockExpanded struct { |
| rounds int |
| // Round keys, where only the first (rounds + 1) × (128 ÷ 32) words are used. |
| enc [60]uint32 |
| dec [60]uint32 |
| } |
| |
| const ( |
| // AES-128 has 128-bit keys, 10 rounds, and uses 11 128-bit round keys |
| // (11×128÷32 = 44 32-bit words). |
| |
| // AES-192 has 192-bit keys, 12 rounds, and uses 13 128-bit round keys |
| // (13×128÷32 = 52 32-bit words). |
| |
| // AES-256 has 256-bit keys, 14 rounds, and uses 15 128-bit round keys |
| // (15×128÷32 = 60 32-bit words). |
| |
| aes128KeySize = 16 |
| aes192KeySize = 24 |
| aes256KeySize = 32 |
| |
| aes128Rounds = 10 |
| aes192Rounds = 12 |
| aes256Rounds = 14 |
| ) |
| |
| // roundKeysSize returns the number of uint32 of c.end or c.dec that are used. |
| func (b *blockExpanded) roundKeysSize() int { |
| return (b.rounds + 1) * (128 / 32) |
| } |
| |
| type KeySizeError int |
| |
| func (k KeySizeError) Error() string { |
| return "crypto/aes: invalid key size " + strconv.Itoa(int(k)) |
| } |
| |
| // New creates and returns a new [cipher.Block] implementation. |
| // The key argument should be the AES key, either 16, 24, or 32 bytes to select |
| // AES-128, AES-192, or AES-256. |
| func New(key []byte) (*Block, error) { |
| // This call is outline to let the allocation happen on the parent stack. |
| return newOutlined(&Block{}, key) |
| } |
| |
| // newOutlined is marked go:noinline to avoid it inlining into New, and making New |
| // too complex to inline itself. |
| // |
| //go:noinline |
| func newOutlined(b *Block, key []byte) (*Block, error) { |
| switch len(key) { |
| case aes128KeySize, aes192KeySize, aes256KeySize: |
| default: |
| return nil, KeySizeError(len(key)) |
| } |
| return newBlock(b, key), nil |
| } |
| |
| func newBlockExpanded(c *blockExpanded, key []byte) { |
| switch len(key) { |
| case aes128KeySize: |
| c.rounds = aes128Rounds |
| case aes192KeySize: |
| c.rounds = aes192Rounds |
| case aes256KeySize: |
| c.rounds = aes256Rounds |
| } |
| expandKeyGeneric(c, key) |
| } |
| |
| func (c *Block) BlockSize() int { return BlockSize } |
| |
| func (c *Block) Encrypt(dst, src []byte) { |
| // AES-ECB is not approved in FIPS 140-3 mode. |
| fips140.RecordNonApproved() |
| if len(src) < BlockSize { |
| panic("crypto/aes: input not full block") |
| } |
| if len(dst) < BlockSize { |
| panic("crypto/aes: output not full block") |
| } |
| if alias.InexactOverlap(dst[:BlockSize], src[:BlockSize]) { |
| panic("crypto/aes: invalid buffer overlap") |
| } |
| encryptBlock(c, dst, src) |
| } |
| |
| func (c *Block) Decrypt(dst, src []byte) { |
| // AES-ECB is not approved in FIPS 140-3 mode. |
| fips140.RecordNonApproved() |
| if len(src) < BlockSize { |
| panic("crypto/aes: input not full block") |
| } |
| if len(dst) < BlockSize { |
| panic("crypto/aes: output not full block") |
| } |
| if alias.InexactOverlap(dst[:BlockSize], src[:BlockSize]) { |
| panic("crypto/aes: invalid buffer overlap") |
| } |
| decryptBlock(c, dst, src) |
| } |
| |
| // EncryptBlockInternal applies the AES encryption function to one block. |
| // |
| // It is an internal function meant only for the gcm package. |
| func EncryptBlockInternal(c *Block, dst, src []byte) { |
| encryptBlock(c, dst, src) |
| } |
