1 |
#ifndef AES_H |
2 |
#define AES_H |
3 |
/* aes.h */ |
4 |
|
5 |
/* ---------- See examples at end of this file for typical usage -------- */ |
6 |
|
7 |
/* AES Cipher header file for ANSI C Submissions |
8 |
Lawrence E. Bassham III |
9 |
Computer Security Division |
10 |
National Institute of Standards and Technology |
11 |
|
12 |
This sample is to assist implementers developing to the |
13 |
Cryptographic API Profile for AES Candidate Algorithm Submissions. |
14 |
Please consult this document as a cross-reference. |
15 |
|
16 |
ANY CHANGES, WHERE APPROPRIATE, TO INFORMATION PROVIDED IN THIS FILE |
17 |
MUST BE DOCUMENTED. CHANGES ARE ONLY APPROPRIATE WHERE SPECIFIED WITH |
18 |
THE STRING "CHANGE POSSIBLE". FUNCTION CALLS AND THEIR PARAMETERS |
19 |
CANNOT BE CHANGED. STRUCTURES CAN BE ALTERED TO ALLOW IMPLEMENTERS TO |
20 |
INCLUDE IMPLEMENTATION SPECIFIC INFORMATION. |
21 |
*/ |
22 |
|
23 |
/* Includes: |
24 |
Standard include files |
25 |
*/ |
26 |
|
27 |
#include <stdio.h> |
28 |
#include "platform.h" /* platform-specific defines */ |
29 |
|
30 |
/* Defines: |
31 |
Add any additional defines you need |
32 |
*/ |
33 |
|
34 |
#define DIR_ENCRYPT 0 /* Are we encrpyting? */ |
35 |
#define DIR_DECRYPT 1 /* Are we decrpyting? */ |
36 |
#define MODE_ECB 1 /* Are we ciphering in ECB mode? */ |
37 |
#define MODE_CBC 2 /* Are we ciphering in CBC mode? */ |
38 |
#define MODE_CFB1 3 /* Are we ciphering in 1-bit CFB mode? */ |
39 |
|
40 |
#define BAD_KEY_DIR -5 /* Key direction is invalid (unknown value) */ |
41 |
#define BAD_KEY_MAT -6 /* Key material not of correct length */ |
42 |
#define BAD_KEY_INSTANCE -7 /* Key passed is not valid */ |
43 |
#define BAD_CIPHER_MODE -8 /* Params struct passed to cipherInit invalid */ |
44 |
#define BAD_CIPHER_STATE -9 /* Cipher in wrong state (e.g., not initialized) */ |
45 |
|
46 |
/* CHANGE POSSIBLE: inclusion of algorithm specific defines */ |
47 |
/* TWOFISH specific definitions */ |
48 |
#define MAX_KEY_SIZE 64 /* # of ASCII chars needed to represent a key */ |
49 |
#define MAX_IV_SIZE 16 /* # of bytes needed to represent an IV */ |
50 |
#define BAD_INPUT_LEN -6 /* inputLen not a multiple of block size */ |
51 |
#define BAD_PARAMS -7 /* invalid parameters */ |
52 |
#define BAD_IV_MAT -8 /* invalid IV text */ |
53 |
#define BAD_ENDIAN -9 /* incorrect endianness define */ |
54 |
#define BAD_ALIGN32 -10 /* incorrect 32-bit alignment */ |
55 |
|
56 |
#define BLOCK_SIZE 128 /* number of bits per block */ |
57 |
#define MAX_ROUNDS 16 /* max # rounds (for allocating subkey array) */ |
58 |
#define ROUNDS_128 16 /* default number of rounds for 128-bit keys*/ |
59 |
#define ROUNDS_192 16 /* default number of rounds for 192-bit keys*/ |
60 |
#define ROUNDS_256 16 /* default number of rounds for 256-bit keys*/ |
61 |
#define MAX_KEY_BITS 256 /* max number of bits of key */ |
62 |
#define MIN_KEY_BITS 128 /* min number of bits of key (zero pad) */ |
63 |
#define VALID_SIG 0x48534946 /* initialization signature ('FISH') */ |
64 |
#define MCT_OUTER 400 /* MCT outer loop */ |
65 |
#define MCT_INNER 10000 /* MCT inner loop */ |
66 |
#define REENTRANT 1 /* nonzero forces reentrant code (slightly slower) */ |
67 |
|
68 |
#define INPUT_WHITEN 0 /* subkey array indices */ |
69 |
#define OUTPUT_WHITEN ( INPUT_WHITEN + BLOCK_SIZE/32) |
70 |
#define ROUND_SUBKEYS (OUTPUT_WHITEN + BLOCK_SIZE/32) /* use 2 * (# rounds) */ |
71 |
#define TOTAL_SUBKEYS (ROUND_SUBKEYS + 2*MAX_ROUNDS) |
72 |
|
73 |
/* Typedefs: |
74 |
Typedef'ed data storage elements. Add any algorithm specific |
75 |
parameters at the bottom of the structs as appropriate. |
76 |
*/ |
77 |
|
78 |
typedef DWORD fullSbox[4][256]; |
79 |
|
80 |
/* The structure for key information */ |
81 |
typedef struct |
82 |
{ |
83 |
BYTE direction; /* Key used for encrypting or decrypting? */ |
84 |
#if ALIGN32 |
85 |
BYTE dummyAlign[3]; /* keep 32-bit alignment */ |
86 |
#endif |
87 |
int keyLen; /* Length of the key */ |
88 |
|
89 |
/* Twofish-specific parameters: */ |
90 |
DWORD keySig; /* set to VALID_SIG by makeKey() */ |
91 |
int numRounds; /* number of rounds in cipher */ |
92 |
DWORD key32[MAX_KEY_BITS/32]; /* actual key bits, in dwords */ |
93 |
DWORD sboxKeys[MAX_KEY_BITS/64];/* key bits used for S-boxes */ |
94 |
DWORD subKeys[TOTAL_SUBKEYS]; /* round subkeys, input/output whitening bits */ |
95 |
#if REENTRANT |
96 |
fullSbox sBox8x32; /* fully expanded S-box */ |
97 |
#if defined(COMPILE_KEY) && defined(USE_ASM) |
98 |
#undef VALID_SIG |
99 |
#define VALID_SIG 0x504D4F43 /* 'COMP': C is compiled with -DCOMPILE_KEY */ |
100 |
DWORD cSig1; /* set after first "compile" (zero at "init") */ |
101 |
void *encryptFuncPtr; /* ptr to asm encrypt function */ |
102 |
void *decryptFuncPtr; /* ptr to asm decrypt function */ |
103 |
DWORD codeSize; /* size of compiledCode */ |
104 |
DWORD cSig2; /* set after first "compile" */ |
105 |
BYTE compiledCode[5000]; /* make room for the code itself */ |
106 |
#endif |
107 |
#endif |
108 |
} keyInstance; |
109 |
|
110 |
/* The structure for cipher information */ |
111 |
typedef struct |
112 |
{ |
113 |
BYTE mode; /* MODE_ECB, MODE_CBC, or MODE_CFB1 */ |
114 |
#if ALIGN32 |
115 |
BYTE dummyAlign[3]; /* keep 32-bit alignment */ |
116 |
#endif |
117 |
BYTE IV[MAX_IV_SIZE]; /* CFB1 iv bytes (CBC uses iv32) */ |
118 |
|
119 |
/* Twofish-specific parameters: */ |
120 |
DWORD cipherSig; /* set to VALID_SIG by cipherInit() */ |
121 |
DWORD iv32[BLOCK_SIZE/32]; /* CBC IV bytes arranged as dwords */ |
122 |
} cipherInstance; |
123 |
|
124 |
/* Function protoypes */ |
125 |
static int makeKey(keyInstance *key, BYTE direction, int keyLen, char *keyMaterial); |
126 |
|
127 |
static int cipherInit(cipherInstance *cipher, BYTE mode, char *IV); |
128 |
|
129 |
static int blockEncrypt(cipherInstance *cipher, keyInstance *key, BYTE *input, |
130 |
int inputLen, BYTE *outBuffer); |
131 |
|
132 |
static int blockDecrypt(cipherInstance *cipher, keyInstance *key, BYTE *input, |
133 |
int inputLen, BYTE *outBuffer); |
134 |
|
135 |
static int reKey(keyInstance *key); /* do key schedule using modified key.keyDwords */ |
136 |
|
137 |
/* API to check table usage, for use in ECB_TBL KAT */ |
138 |
#define TAB_DISABLE 0 |
139 |
#define TAB_ENABLE 1 |
140 |
#define TAB_RESET 2 |
141 |
#define TAB_QUERY 3 |
142 |
#define TAB_MIN_QUERY 50 |
143 |
static int TableOp(int op); |
144 |
|
145 |
|
146 |
#define CONST /* helpful C++ syntax sugar, NOP for ANSI C */ |
147 |
|
148 |
#if BLOCK_SIZE == 128 /* optimize block copies */ |
149 |
#define Copy1(d,s,N) ((DWORD *)(d))[N] = ((DWORD *)(s))[N] |
150 |
#define BlockCopy(d,s) { Copy1(d,s,0);Copy1(d,s,1);Copy1(d,s,2);Copy1(d,s,3); } |
151 |
#else |
152 |
#define BlockCopy(d,s) { memcpy(d,s,BLOCK_SIZE/8); } |
153 |
#endif |
154 |
|
155 |
|
156 |
#ifdef TEST_2FISH |
157 |
/* ----- EXAMPLES ----- |
158 |
|
159 |
Unfortunately, the AES API is somewhat clumsy, and it is not entirely |
160 |
obvious how to use the above functions. In particular, note that |
161 |
makeKey() takes an ASCII hex nibble key string (e.g., 32 characters |
162 |
for a 128-bit key), which is rarely the way that keys are internally |
163 |
represented. The reKey() function uses instead the keyInstance.key32 |
164 |
array of key bits and is the preferred method. In fact, makeKey() |
165 |
initializes some internal keyInstance state, then parse the ASCII |
166 |
string into the binary key32, and calls reKey(). To initialize the |
167 |
keyInstance state, use a 'dummy' call to makeKey(); i.e., set the |
168 |
keyMaterial parameter to NULL. Then use reKey() for all key changes. |
169 |
Similarly, cipherInit takes an IV string in ASCII hex, so a dummy setup |
170 |
call with a null IV string will skip the ASCII parse. |
171 |
|
172 |
Note that CFB mode is not well tested nor defined by AES, so using the |
173 |
Twofish MODE_CFB it not recommended. If you wish to implement a CFB mode, |
174 |
build it external to the Twofish code, using the Twofish functions only |
175 |
in ECB mode. |
176 |
|
177 |
Below is a sample piece of code showing how the code is typically used |
178 |
to set up a key, encrypt, and decrypt. Error checking is somewhat limited |
179 |
in this example. Pseudorandom bytes are used for all key and text. |
180 |
|
181 |
If you compile TWOFISH2.C or TWOFISH.C as a DOS (or Windows Console) app |
182 |
with this code enabled, the test will be run. For example, using |
183 |
Borland C, you would compile using: |
184 |
BCC32 -DTEST_2FISH twofish2.c |
185 |
to run the test on the optimized code, or |
186 |
BCC32 -DTEST_2FISH twofish.c |
187 |
to run the test on the pedagogical code. |
188 |
|
189 |
*/ |
190 |
|
191 |
#include <stdio.h> |
192 |
#include <stdlib.h> |
193 |
#include <time.h> |
194 |
#include <string.h> |
195 |
|
196 |
#define MAX_BLK_CNT 4 /* max # blocks per call in TestTwofish */ |
197 |
static int TestTwofish(int mode,int keySize) /* keySize must be 128, 192, or 256 */ |
198 |
{ /* return 0 iff test passes */ |
199 |
keyInstance ki; /* key information, including tables */ |
200 |
cipherInstance ci; /* keeps mode (ECB, CBC) and IV */ |
201 |
BYTE plainText[MAX_BLK_CNT*(BLOCK_SIZE/8)]; |
202 |
BYTE cipherText[MAX_BLK_CNT*(BLOCK_SIZE/8)]; |
203 |
BYTE decryptOut[MAX_BLK_CNT*(BLOCK_SIZE/8)]; |
204 |
BYTE iv[BLOCK_SIZE/8]; |
205 |
int i,byteCnt; |
206 |
|
207 |
if (makeKey(&ki,DIR_ENCRYPT,keySize,NULL) != TRUE) |
208 |
return 1; /* 'dummy' setup for a 128-bit key */ |
209 |
if (cipherInit(&ci,mode,NULL) != TRUE) |
210 |
return 1; /* 'dummy' setup for cipher */ |
211 |
|
212 |
for (i=0;i<keySize/32;i++) /* select key bits */ |
213 |
ki.key32[i]=0x10003 * rand(); |
214 |
reKey(&ki); /* run the key schedule */ |
215 |
|
216 |
if (mode != MODE_ECB) /* set up random iv (if needed)*/ |
217 |
{ |
218 |
for (i=0;i<sizeof(iv);i++) |
219 |
iv[i]=(BYTE) rand(); |
220 |
memcpy(ci.iv32,iv,sizeof(ci.iv32)); /* copy the IV to ci */ |
221 |
} |
222 |
|
223 |
/* select number of bytes to encrypt (multiple of block) */ |
224 |
/* e.g., byteCnt = 16, 32, 48, 64 */ |
225 |
byteCnt = (BLOCK_SIZE/8) * (1 + (rand() % MAX_BLK_CNT)); |
226 |
|
227 |
for (i=0;i<byteCnt;i++) /* generate test data */ |
228 |
plainText[i]=(BYTE) rand(); |
229 |
|
230 |
/* encrypt the bytes */ |
231 |
if (blockEncrypt(&ci,&ki, plainText,byteCnt*8,cipherText) != byteCnt*8) |
232 |
return 1; |
233 |
|
234 |
/* decrypt the bytes */ |
235 |
if (mode != MODE_ECB) /* first re-init the IV (if needed) */ |
236 |
memcpy(ci.iv32,iv,sizeof(ci.iv32)); |
237 |
|
238 |
if (blockDecrypt(&ci,&ki,cipherText,byteCnt*8,decryptOut) != byteCnt*8) |
239 |
return 1; |
240 |
|
241 |
/* make sure the decrypt output matches original plaintext */ |
242 |
if (memcmp(plainText,decryptOut,byteCnt)) |
243 |
return 1; |
244 |
|
245 |
return 0; /* tests passed! */ |
246 |
} |
247 |
|
248 |
void main(void) |
249 |
{ |
250 |
int testCnt,keySize; |
251 |
|
252 |
srand((unsigned) time(NULL)); /* randomize */ |
253 |
|
254 |
for (keySize=128;keySize<=256;keySize+=64) |
255 |
for (testCnt=0;testCnt<10;testCnt++) |
256 |
{ |
257 |
if (TestTwofish(MODE_ECB,keySize)) |
258 |
{ printf("ECB Failure at keySize=%d",keySize); return; } |
259 |
if (TestTwofish(MODE_CBC,keySize)) |
260 |
{ printf("CBC Failure at keySize=%d",keySize); return; } |
261 |
} |
262 |
printf("Tests passed"); |
263 |
} |
264 |
#endif /* TEST_2FISH */ |
265 |
|
266 |
#endif |