Annotation of embedaddon/axTLS/crypto/aes.c, revision 1.1
1.1 ! misho 1: /*
! 2: * Copyright (c) 2007, Cameron Rich
! 3: *
! 4: * All rights reserved.
! 5: *
! 6: * Redistribution and use in source and binary forms, with or without
! 7: * modification, are permitted provided that the following conditions are met:
! 8: *
! 9: * * Redistributions of source code must retain the above copyright notice,
! 10: * this list of conditions and the following disclaimer.
! 11: * * Redistributions in binary form must reproduce the above copyright notice,
! 12: * this list of conditions and the following disclaimer in the documentation
! 13: * and/or other materials provided with the distribution.
! 14: * * Neither the name of the axTLS project nor the names of its contributors
! 15: * may be used to endorse or promote products derived from this software
! 16: * without specific prior written permission.
! 17: *
! 18: * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
! 19: * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
! 20: * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
! 21: * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
! 22: * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
! 23: * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
! 24: * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
! 25: * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
! 26: * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
! 27: * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
! 28: * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
! 29: */
! 30:
! 31: /**
! 32: * AES implementation - this is a small code version. There are much faster
! 33: * versions around but they are much larger in size (i.e. they use large
! 34: * submix tables).
! 35: */
! 36:
! 37: #include <string.h>
! 38: #include "os_port.h"
! 39: #include "crypto.h"
! 40:
! 41: /* all commented out in skeleton mode */
! 42: #ifndef CONFIG_SSL_SKELETON_MODE
! 43:
! 44: #define rot1(x) (((x) << 24) | ((x) >> 8))
! 45: #define rot2(x) (((x) << 16) | ((x) >> 16))
! 46: #define rot3(x) (((x) << 8) | ((x) >> 24))
! 47:
! 48: /*
! 49: * This cute trick does 4 'mul by two' at once. Stolen from
! 50: * Dr B. R. Gladman <brg@gladman.uk.net> but I'm sure the u-(u>>7) is
! 51: * a standard graphics trick
! 52: * The key to this is that we need to xor with 0x1b if the top bit is set.
! 53: * a 1xxx xxxx 0xxx 0xxx First we mask the 7bit,
! 54: * b 1000 0000 0000 0000 then we shift right by 7 putting the 7bit in 0bit,
! 55: * c 0000 0001 0000 0000 we then subtract (c) from (b)
! 56: * d 0111 1111 0000 0000 and now we and with our mask
! 57: * e 0001 1011 0000 0000
! 58: */
! 59: #define mt 0x80808080
! 60: #define ml 0x7f7f7f7f
! 61: #define mh 0xfefefefe
! 62: #define mm 0x1b1b1b1b
! 63: #define mul2(x,t) ((t)=((x)&mt), \
! 64: ((((x)+(x))&mh)^(((t)-((t)>>7))&mm)))
! 65:
! 66: #define inv_mix_col(x,f2,f4,f8,f9) (\
! 67: (f2)=mul2(x,f2), \
! 68: (f4)=mul2(f2,f4), \
! 69: (f8)=mul2(f4,f8), \
! 70: (f9)=(x)^(f8), \
! 71: (f8)=((f2)^(f4)^(f8)), \
! 72: (f2)^=(f9), \
! 73: (f4)^=(f9), \
! 74: (f8)^=rot3(f2), \
! 75: (f8)^=rot2(f4), \
! 76: (f8)^rot1(f9))
! 77:
! 78: /*
! 79: * AES S-box
! 80: */
! 81: static const uint8_t aes_sbox[256] =
! 82: {
! 83: 0x63,0x7C,0x77,0x7B,0xF2,0x6B,0x6F,0xC5,
! 84: 0x30,0x01,0x67,0x2B,0xFE,0xD7,0xAB,0x76,
! 85: 0xCA,0x82,0xC9,0x7D,0xFA,0x59,0x47,0xF0,
! 86: 0xAD,0xD4,0xA2,0xAF,0x9C,0xA4,0x72,0xC0,
! 87: 0xB7,0xFD,0x93,0x26,0x36,0x3F,0xF7,0xCC,
! 88: 0x34,0xA5,0xE5,0xF1,0x71,0xD8,0x31,0x15,
! 89: 0x04,0xC7,0x23,0xC3,0x18,0x96,0x05,0x9A,
! 90: 0x07,0x12,0x80,0xE2,0xEB,0x27,0xB2,0x75,
! 91: 0x09,0x83,0x2C,0x1A,0x1B,0x6E,0x5A,0xA0,
! 92: 0x52,0x3B,0xD6,0xB3,0x29,0xE3,0x2F,0x84,
! 93: 0x53,0xD1,0x00,0xED,0x20,0xFC,0xB1,0x5B,
! 94: 0x6A,0xCB,0xBE,0x39,0x4A,0x4C,0x58,0xCF,
! 95: 0xD0,0xEF,0xAA,0xFB,0x43,0x4D,0x33,0x85,
! 96: 0x45,0xF9,0x02,0x7F,0x50,0x3C,0x9F,0xA8,
! 97: 0x51,0xA3,0x40,0x8F,0x92,0x9D,0x38,0xF5,
! 98: 0xBC,0xB6,0xDA,0x21,0x10,0xFF,0xF3,0xD2,
! 99: 0xCD,0x0C,0x13,0xEC,0x5F,0x97,0x44,0x17,
! 100: 0xC4,0xA7,0x7E,0x3D,0x64,0x5D,0x19,0x73,
! 101: 0x60,0x81,0x4F,0xDC,0x22,0x2A,0x90,0x88,
! 102: 0x46,0xEE,0xB8,0x14,0xDE,0x5E,0x0B,0xDB,
! 103: 0xE0,0x32,0x3A,0x0A,0x49,0x06,0x24,0x5C,
! 104: 0xC2,0xD3,0xAC,0x62,0x91,0x95,0xE4,0x79,
! 105: 0xE7,0xC8,0x37,0x6D,0x8D,0xD5,0x4E,0xA9,
! 106: 0x6C,0x56,0xF4,0xEA,0x65,0x7A,0xAE,0x08,
! 107: 0xBA,0x78,0x25,0x2E,0x1C,0xA6,0xB4,0xC6,
! 108: 0xE8,0xDD,0x74,0x1F,0x4B,0xBD,0x8B,0x8A,
! 109: 0x70,0x3E,0xB5,0x66,0x48,0x03,0xF6,0x0E,
! 110: 0x61,0x35,0x57,0xB9,0x86,0xC1,0x1D,0x9E,
! 111: 0xE1,0xF8,0x98,0x11,0x69,0xD9,0x8E,0x94,
! 112: 0x9B,0x1E,0x87,0xE9,0xCE,0x55,0x28,0xDF,
! 113: 0x8C,0xA1,0x89,0x0D,0xBF,0xE6,0x42,0x68,
! 114: 0x41,0x99,0x2D,0x0F,0xB0,0x54,0xBB,0x16,
! 115: };
! 116:
! 117: /*
! 118: * AES is-box
! 119: */
! 120: static const uint8_t aes_isbox[256] =
! 121: {
! 122: 0x52,0x09,0x6a,0xd5,0x30,0x36,0xa5,0x38,
! 123: 0xbf,0x40,0xa3,0x9e,0x81,0xf3,0xd7,0xfb,
! 124: 0x7c,0xe3,0x39,0x82,0x9b,0x2f,0xff,0x87,
! 125: 0x34,0x8e,0x43,0x44,0xc4,0xde,0xe9,0xcb,
! 126: 0x54,0x7b,0x94,0x32,0xa6,0xc2,0x23,0x3d,
! 127: 0xee,0x4c,0x95,0x0b,0x42,0xfa,0xc3,0x4e,
! 128: 0x08,0x2e,0xa1,0x66,0x28,0xd9,0x24,0xb2,
! 129: 0x76,0x5b,0xa2,0x49,0x6d,0x8b,0xd1,0x25,
! 130: 0x72,0xf8,0xf6,0x64,0x86,0x68,0x98,0x16,
! 131: 0xd4,0xa4,0x5c,0xcc,0x5d,0x65,0xb6,0x92,
! 132: 0x6c,0x70,0x48,0x50,0xfd,0xed,0xb9,0xda,
! 133: 0x5e,0x15,0x46,0x57,0xa7,0x8d,0x9d,0x84,
! 134: 0x90,0xd8,0xab,0x00,0x8c,0xbc,0xd3,0x0a,
! 135: 0xf7,0xe4,0x58,0x05,0xb8,0xb3,0x45,0x06,
! 136: 0xd0,0x2c,0x1e,0x8f,0xca,0x3f,0x0f,0x02,
! 137: 0xc1,0xaf,0xbd,0x03,0x01,0x13,0x8a,0x6b,
! 138: 0x3a,0x91,0x11,0x41,0x4f,0x67,0xdc,0xea,
! 139: 0x97,0xf2,0xcf,0xce,0xf0,0xb4,0xe6,0x73,
! 140: 0x96,0xac,0x74,0x22,0xe7,0xad,0x35,0x85,
! 141: 0xe2,0xf9,0x37,0xe8,0x1c,0x75,0xdf,0x6e,
! 142: 0x47,0xf1,0x1a,0x71,0x1d,0x29,0xc5,0x89,
! 143: 0x6f,0xb7,0x62,0x0e,0xaa,0x18,0xbe,0x1b,
! 144: 0xfc,0x56,0x3e,0x4b,0xc6,0xd2,0x79,0x20,
! 145: 0x9a,0xdb,0xc0,0xfe,0x78,0xcd,0x5a,0xf4,
! 146: 0x1f,0xdd,0xa8,0x33,0x88,0x07,0xc7,0x31,
! 147: 0xb1,0x12,0x10,0x59,0x27,0x80,0xec,0x5f,
! 148: 0x60,0x51,0x7f,0xa9,0x19,0xb5,0x4a,0x0d,
! 149: 0x2d,0xe5,0x7a,0x9f,0x93,0xc9,0x9c,0xef,
! 150: 0xa0,0xe0,0x3b,0x4d,0xae,0x2a,0xf5,0xb0,
! 151: 0xc8,0xeb,0xbb,0x3c,0x83,0x53,0x99,0x61,
! 152: 0x17,0x2b,0x04,0x7e,0xba,0x77,0xd6,0x26,
! 153: 0xe1,0x69,0x14,0x63,0x55,0x21,0x0c,0x7d
! 154: };
! 155:
! 156: static const unsigned char Rcon[30]=
! 157: {
! 158: 0x01,0x02,0x04,0x08,0x10,0x20,0x40,0x80,
! 159: 0x1b,0x36,0x6c,0xd8,0xab,0x4d,0x9a,0x2f,
! 160: 0x5e,0xbc,0x63,0xc6,0x97,0x35,0x6a,0xd4,
! 161: 0xb3,0x7d,0xfa,0xef,0xc5,0x91,
! 162: };
! 163:
! 164: /* ----- static functions ----- */
! 165: static void AES_encrypt(const AES_CTX *ctx, uint32_t *data);
! 166: static void AES_decrypt(const AES_CTX *ctx, uint32_t *data);
! 167:
! 168: /* Perform doubling in Galois Field GF(2^8) using the irreducible polynomial
! 169: x^8+x^4+x^3+x+1 */
! 170: static unsigned char AES_xtime(uint32_t x)
! 171: {
! 172: return (x&0x80) ? (x<<1)^0x1b : x<<1;
! 173: }
! 174:
! 175: /**
! 176: * Set up AES with the key/iv and cipher size.
! 177: */
! 178: void AES_set_key(AES_CTX *ctx, const uint8_t *key,
! 179: const uint8_t *iv, AES_MODE mode)
! 180: {
! 181: int i, ii;
! 182: uint32_t *W, tmp, tmp2;
! 183: const unsigned char *ip;
! 184: int words;
! 185:
! 186: switch (mode)
! 187: {
! 188: case AES_MODE_128:
! 189: i = 10;
! 190: words = 4;
! 191: break;
! 192:
! 193: case AES_MODE_256:
! 194: i = 14;
! 195: words = 8;
! 196: break;
! 197:
! 198: default: /* fail silently */
! 199: return;
! 200: }
! 201:
! 202: ctx->rounds = i;
! 203: ctx->key_size = words;
! 204: W = ctx->ks;
! 205: for (i = 0; i < words; i+=2)
! 206: {
! 207: W[i+0]= ((uint32_t)key[ 0]<<24)|
! 208: ((uint32_t)key[ 1]<<16)|
! 209: ((uint32_t)key[ 2]<< 8)|
! 210: ((uint32_t)key[ 3] );
! 211: W[i+1]= ((uint32_t)key[ 4]<<24)|
! 212: ((uint32_t)key[ 5]<<16)|
! 213: ((uint32_t)key[ 6]<< 8)|
! 214: ((uint32_t)key[ 7] );
! 215: key += 8;
! 216: }
! 217:
! 218: ip = Rcon;
! 219: ii = 4 * (ctx->rounds+1);
! 220: for (i = words; i<ii; i++)
! 221: {
! 222: tmp = W[i-1];
! 223:
! 224: if ((i % words) == 0)
! 225: {
! 226: tmp2 =(uint32_t)aes_sbox[(tmp )&0xff]<< 8;
! 227: tmp2|=(uint32_t)aes_sbox[(tmp>> 8)&0xff]<<16;
! 228: tmp2|=(uint32_t)aes_sbox[(tmp>>16)&0xff]<<24;
! 229: tmp2|=(uint32_t)aes_sbox[(tmp>>24) ];
! 230: tmp=tmp2^(((unsigned int)*ip)<<24);
! 231: ip++;
! 232: }
! 233:
! 234: if ((words == 8) && ((i % words) == 4))
! 235: {
! 236: tmp2 =(uint32_t)aes_sbox[(tmp )&0xff] ;
! 237: tmp2|=(uint32_t)aes_sbox[(tmp>> 8)&0xff]<< 8;
! 238: tmp2|=(uint32_t)aes_sbox[(tmp>>16)&0xff]<<16;
! 239: tmp2|=(uint32_t)aes_sbox[(tmp>>24) ]<<24;
! 240: tmp=tmp2;
! 241: }
! 242:
! 243: W[i]=W[i-words]^tmp;
! 244: }
! 245:
! 246: /* copy the iv across */
! 247: memcpy(ctx->iv, iv, 16);
! 248: }
! 249:
! 250: /**
! 251: * Change a key for decryption.
! 252: */
! 253: void AES_convert_key(AES_CTX *ctx)
! 254: {
! 255: int i;
! 256: uint32_t *k,w,t1,t2,t3,t4;
! 257:
! 258: k = ctx->ks;
! 259: k += 4;
! 260:
! 261: for (i= ctx->rounds*4; i > 4; i--)
! 262: {
! 263: w= *k;
! 264: w = inv_mix_col(w,t1,t2,t3,t4);
! 265: *k++ =w;
! 266: }
! 267: }
! 268:
! 269: /**
! 270: * Encrypt a byte sequence (with a block size 16) using the AES cipher.
! 271: */
! 272: void AES_cbc_encrypt(AES_CTX *ctx, const uint8_t *msg, uint8_t *out, int length)
! 273: {
! 274: int i;
! 275: uint32_t tin[4], tout[4], iv[4];
! 276:
! 277: memcpy(iv, ctx->iv, AES_IV_SIZE);
! 278: for (i = 0; i < 4; i++)
! 279: tout[i] = ntohl(iv[i]);
! 280:
! 281: for (length -= AES_BLOCKSIZE; length >= 0; length -= AES_BLOCKSIZE)
! 282: {
! 283: uint32_t msg_32[4];
! 284: uint32_t out_32[4];
! 285: memcpy(msg_32, msg, AES_BLOCKSIZE);
! 286: msg += AES_BLOCKSIZE;
! 287:
! 288: for (i = 0; i < 4; i++)
! 289: tin[i] = ntohl(msg_32[i])^tout[i];
! 290:
! 291: AES_encrypt(ctx, tin);
! 292:
! 293: for (i = 0; i < 4; i++)
! 294: {
! 295: tout[i] = tin[i];
! 296: out_32[i] = htonl(tout[i]);
! 297: }
! 298:
! 299: memcpy(out, out_32, AES_BLOCKSIZE);
! 300: out += AES_BLOCKSIZE;
! 301: }
! 302:
! 303: for (i = 0; i < 4; i++)
! 304: iv[i] = htonl(tout[i]);
! 305: memcpy(ctx->iv, iv, AES_IV_SIZE);
! 306: }
! 307:
! 308: /**
! 309: * Decrypt a byte sequence (with a block size 16) using the AES cipher.
! 310: */
! 311: void AES_cbc_decrypt(AES_CTX *ctx, const uint8_t *msg, uint8_t *out, int length)
! 312: {
! 313: int i;
! 314: uint32_t tin[4], xor[4], tout[4], data[4], iv[4];
! 315:
! 316: memcpy(iv, ctx->iv, AES_IV_SIZE);
! 317: for (i = 0; i < 4; i++)
! 318: xor[i] = ntohl(iv[i]);
! 319:
! 320: for (length -= 16; length >= 0; length -= 16)
! 321: {
! 322: uint32_t msg_32[4];
! 323: uint32_t out_32[4];
! 324: memcpy(msg_32, msg, AES_BLOCKSIZE);
! 325: msg += AES_BLOCKSIZE;
! 326:
! 327: for (i = 0; i < 4; i++)
! 328: {
! 329: tin[i] = ntohl(msg_32[i]);
! 330: data[i] = tin[i];
! 331: }
! 332:
! 333: AES_decrypt(ctx, data);
! 334:
! 335: for (i = 0; i < 4; i++)
! 336: {
! 337: tout[i] = data[i]^xor[i];
! 338: xor[i] = tin[i];
! 339: out_32[i] = htonl(tout[i]);
! 340: }
! 341:
! 342: memcpy(out, out_32, AES_BLOCKSIZE);
! 343: out += AES_BLOCKSIZE;
! 344: }
! 345:
! 346: for (i = 0; i < 4; i++)
! 347: iv[i] = htonl(xor[i]);
! 348: memcpy(ctx->iv, iv, AES_IV_SIZE);
! 349: }
! 350:
! 351: /**
! 352: * Encrypt a single block (16 bytes) of data
! 353: */
! 354: static void AES_encrypt(const AES_CTX *ctx, uint32_t *data)
! 355: {
! 356: /* To make this code smaller, generate the sbox entries on the fly.
! 357: * This will have a really heavy effect upon performance.
! 358: */
! 359: uint32_t tmp[4];
! 360: uint32_t tmp1, old_a0, a0, a1, a2, a3, row;
! 361: int curr_rnd;
! 362: int rounds = ctx->rounds;
! 363: const uint32_t *k = ctx->ks;
! 364:
! 365: /* Pre-round key addition */
! 366: for (row = 0; row < 4; row++)
! 367: data[row] ^= *(k++);
! 368:
! 369: /* Encrypt one block. */
! 370: for (curr_rnd = 0; curr_rnd < rounds; curr_rnd++)
! 371: {
! 372: /* Perform ByteSub and ShiftRow operations together */
! 373: for (row = 0; row < 4; row++)
! 374: {
! 375: a0 = (uint32_t)aes_sbox[(data[row%4]>>24)&0xFF];
! 376: a1 = (uint32_t)aes_sbox[(data[(row+1)%4]>>16)&0xFF];
! 377: a2 = (uint32_t)aes_sbox[(data[(row+2)%4]>>8)&0xFF];
! 378: a3 = (uint32_t)aes_sbox[(data[(row+3)%4])&0xFF];
! 379:
! 380: /* Perform MixColumn iff not last round */
! 381: if (curr_rnd < (rounds - 1))
! 382: {
! 383: tmp1 = a0 ^ a1 ^ a2 ^ a3;
! 384: old_a0 = a0;
! 385: a0 ^= tmp1 ^ AES_xtime(a0 ^ a1);
! 386: a1 ^= tmp1 ^ AES_xtime(a1 ^ a2);
! 387: a2 ^= tmp1 ^ AES_xtime(a2 ^ a3);
! 388: a3 ^= tmp1 ^ AES_xtime(a3 ^ old_a0);
! 389: }
! 390:
! 391: tmp[row] = ((a0 << 24) | (a1 << 16) | (a2 << 8) | a3);
! 392: }
! 393:
! 394: /* KeyAddition - note that it is vital that this loop is separate from
! 395: the MixColumn operation, which must be atomic...*/
! 396: for (row = 0; row < 4; row++)
! 397: data[row] = tmp[row] ^ *(k++);
! 398: }
! 399: }
! 400:
! 401: /**
! 402: * Decrypt a single block (16 bytes) of data
! 403: */
! 404: static void AES_decrypt(const AES_CTX *ctx, uint32_t *data)
! 405: {
! 406: uint32_t tmp[4];
! 407: uint32_t xt0,xt1,xt2,xt3,xt4,xt5,xt6;
! 408: uint32_t a0, a1, a2, a3, row;
! 409: int curr_rnd;
! 410: int rounds = ctx->rounds;
! 411: const uint32_t *k = ctx->ks + ((rounds+1)*4);
! 412:
! 413: /* pre-round key addition */
! 414: for (row=4; row > 0;row--)
! 415: data[row-1] ^= *(--k);
! 416:
! 417: /* Decrypt one block */
! 418: for (curr_rnd = 0; curr_rnd < rounds; curr_rnd++)
! 419: {
! 420: /* Perform ByteSub and ShiftRow operations together */
! 421: for (row = 4; row > 0; row--)
! 422: {
! 423: a0 = aes_isbox[(data[(row+3)%4]>>24)&0xFF];
! 424: a1 = aes_isbox[(data[(row+2)%4]>>16)&0xFF];
! 425: a2 = aes_isbox[(data[(row+1)%4]>>8)&0xFF];
! 426: a3 = aes_isbox[(data[row%4])&0xFF];
! 427:
! 428: /* Perform MixColumn iff not last round */
! 429: if (curr_rnd<(rounds-1))
! 430: {
! 431: /* The MDS cofefficients (0x09, 0x0B, 0x0D, 0x0E)
! 432: are quite large compared to encryption; this
! 433: operation slows decryption down noticeably. */
! 434: xt0 = AES_xtime(a0^a1);
! 435: xt1 = AES_xtime(a1^a2);
! 436: xt2 = AES_xtime(a2^a3);
! 437: xt3 = AES_xtime(a3^a0);
! 438: xt4 = AES_xtime(xt0^xt1);
! 439: xt5 = AES_xtime(xt1^xt2);
! 440: xt6 = AES_xtime(xt4^xt5);
! 441:
! 442: xt0 ^= a1^a2^a3^xt4^xt6;
! 443: xt1 ^= a0^a2^a3^xt5^xt6;
! 444: xt2 ^= a0^a1^a3^xt4^xt6;
! 445: xt3 ^= a0^a1^a2^xt5^xt6;
! 446: tmp[row-1] = ((xt0<<24)|(xt1<<16)|(xt2<<8)|xt3);
! 447: }
! 448: else
! 449: tmp[row-1] = ((a0<<24)|(a1<<16)|(a2<<8)|a3);
! 450: }
! 451:
! 452: for (row = 4; row > 0; row--)
! 453: data[row-1] = tmp[row-1] ^ *(--k);
! 454: }
! 455: }
! 456:
! 457: #endif
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to aes.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / axTLS / crypto