![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to aes.c CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [Qemu by Fabrice Bellard] / qemu / roms / ipxe / src / crypto / axtls|
Return to aes.c CVS log | Up to [Qemu by Fabrice Bellard] / qemu / roms / ipxe / src / crypto / axtls |
1.1 root 1: /*
2: * Copyright(C) 2006 Cameron Rich
3: *
4: * This library is free software; you can redistribute it and/or modify
5: * it under the terms of the GNU Lesser General Public License as published by
6: * the Free Software Foundation; either version 2 of the License, or
7: * (at your option) any later version.
8: *
9: * This library is distributed in the hope that it will be useful,
10: * but WITHOUT ANY WARRANTY; without even the implied warranty of
11: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12: * GNU Lesser General Public License for more details.
13: *
14: * You should have received a copy of the GNU Lesser General Public License
15: * along with this library; if not, write to the Free Software
16: * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17: */
18:
19: FILE_LICENCE ( GPL2_OR_LATER );
20:
21: /**
22: * AES implementation - this is a small code version. There are much faster
23: * versions around but they are much larger in size (i.e. they use large
24: * submix tables).
25: */
26:
27: #include <string.h>
28: #include "crypto.h"
29:
30: /* all commented out in skeleton mode */
31: #ifndef CONFIG_SSL_SKELETON_MODE
32:
33: #define rot1(x) (((x) << 24) | ((x) >> 8))
34: #define rot2(x) (((x) << 16) | ((x) >> 16))
35: #define rot3(x) (((x) << 8) | ((x) >> 24))
36:
37: /*
38: * This cute trick does 4 'mul by two' at once. Stolen from
39: * Dr B. R. Gladman <[email protected]> but I'm sure the u-(u>>7) is
40: * a standard graphics trick
41: * The key to this is that we need to xor with 0x1b if the top bit is set.
42: * a 1xxx xxxx 0xxx 0xxx First we mask the 7bit,
43: * b 1000 0000 0000 0000 then we shift right by 7 putting the 7bit in 0bit,
44: * c 0000 0001 0000 0000 we then subtract (c) from (b)
45: * d 0111 1111 0000 0000 and now we and with our mask
46: * e 0001 1011 0000 0000
47: */
48: #define mt 0x80808080
49: #define ml 0x7f7f7f7f
50: #define mh 0xfefefefe
51: #define mm 0x1b1b1b1b
52: #define mul2(x,t) ((t)=((x)&mt), \
53: ((((x)+(x))&mh)^(((t)-((t)>>7))&mm)))
54:
55: #define inv_mix_col(x,f2,f4,f8,f9) (\
56: (f2)=mul2(x,f2), \
57: (f4)=mul2(f2,f4), \
58: (f8)=mul2(f4,f8), \
59: (f9)=(x)^(f8), \
60: (f8)=((f2)^(f4)^(f8)), \
61: (f2)^=(f9), \
62: (f4)^=(f9), \
63: (f8)^=rot3(f2), \
64: (f8)^=rot2(f4), \
65: (f8)^rot1(f9))
66:
67: /* some macros to do endian independent byte extraction */
68: #define n2l(c,l) l=ntohl(*c); c++
69: #define l2n(l,c) *c++=htonl(l)
70:
71: /*
72: * AES S-box
73: */
74: static const uint8_t aes_sbox[256] =
75: {
76: 0x63,0x7C,0x77,0x7B,0xF2,0x6B,0x6F,0xC5,
77: 0x30,0x01,0x67,0x2B,0xFE,0xD7,0xAB,0x76,
78: 0xCA,0x82,0xC9,0x7D,0xFA,0x59,0x47,0xF0,
79: 0xAD,0xD4,0xA2,0xAF,0x9C,0xA4,0x72,0xC0,
80: 0xB7,0xFD,0x93,0x26,0x36,0x3F,0xF7,0xCC,
81: 0x34,0xA5,0xE5,0xF1,0x71,0xD8,0x31,0x15,
82: 0x04,0xC7,0x23,0xC3,0x18,0x96,0x05,0x9A,
83: 0x07,0x12,0x80,0xE2,0xEB,0x27,0xB2,0x75,
84: 0x09,0x83,0x2C,0x1A,0x1B,0x6E,0x5A,0xA0,
85: 0x52,0x3B,0xD6,0xB3,0x29,0xE3,0x2F,0x84,
86: 0x53,0xD1,0x00,0xED,0x20,0xFC,0xB1,0x5B,
87: 0x6A,0xCB,0xBE,0x39,0x4A,0x4C,0x58,0xCF,
88: 0xD0,0xEF,0xAA,0xFB,0x43,0x4D,0x33,0x85,
89: 0x45,0xF9,0x02,0x7F,0x50,0x3C,0x9F,0xA8,
90: 0x51,0xA3,0x40,0x8F,0x92,0x9D,0x38,0xF5,
91: 0xBC,0xB6,0xDA,0x21,0x10,0xFF,0xF3,0xD2,
92: 0xCD,0x0C,0x13,0xEC,0x5F,0x97,0x44,0x17,
93: 0xC4,0xA7,0x7E,0x3D,0x64,0x5D,0x19,0x73,
94: 0x60,0x81,0x4F,0xDC,0x22,0x2A,0x90,0x88,
95: 0x46,0xEE,0xB8,0x14,0xDE,0x5E,0x0B,0xDB,
96: 0xE0,0x32,0x3A,0x0A,0x49,0x06,0x24,0x5C,
97: 0xC2,0xD3,0xAC,0x62,0x91,0x95,0xE4,0x79,
98: 0xE7,0xC8,0x37,0x6D,0x8D,0xD5,0x4E,0xA9,
99: 0x6C,0x56,0xF4,0xEA,0x65,0x7A,0xAE,0x08,
100: 0xBA,0x78,0x25,0x2E,0x1C,0xA6,0xB4,0xC6,
101: 0xE8,0xDD,0x74,0x1F,0x4B,0xBD,0x8B,0x8A,
102: 0x70,0x3E,0xB5,0x66,0x48,0x03,0xF6,0x0E,
103: 0x61,0x35,0x57,0xB9,0x86,0xC1,0x1D,0x9E,
104: 0xE1,0xF8,0x98,0x11,0x69,0xD9,0x8E,0x94,
105: 0x9B,0x1E,0x87,0xE9,0xCE,0x55,0x28,0xDF,
106: 0x8C,0xA1,0x89,0x0D,0xBF,0xE6,0x42,0x68,
107: 0x41,0x99,0x2D,0x0F,0xB0,0x54,0xBB,0x16,
108: };
109:
110: /*
111: * AES is-box
112: */
113: static const uint8_t aes_isbox[256] =
114: {
115: 0x52,0x09,0x6a,0xd5,0x30,0x36,0xa5,0x38,
116: 0xbf,0x40,0xa3,0x9e,0x81,0xf3,0xd7,0xfb,
117: 0x7c,0xe3,0x39,0x82,0x9b,0x2f,0xff,0x87,
118: 0x34,0x8e,0x43,0x44,0xc4,0xde,0xe9,0xcb,
119: 0x54,0x7b,0x94,0x32,0xa6,0xc2,0x23,0x3d,
120: 0xee,0x4c,0x95,0x0b,0x42,0xfa,0xc3,0x4e,
121: 0x08,0x2e,0xa1,0x66,0x28,0xd9,0x24,0xb2,
122: 0x76,0x5b,0xa2,0x49,0x6d,0x8b,0xd1,0x25,
123: 0x72,0xf8,0xf6,0x64,0x86,0x68,0x98,0x16,
124: 0xd4,0xa4,0x5c,0xcc,0x5d,0x65,0xb6,0x92,
125: 0x6c,0x70,0x48,0x50,0xfd,0xed,0xb9,0xda,
126: 0x5e,0x15,0x46,0x57,0xa7,0x8d,0x9d,0x84,
127: 0x90,0xd8,0xab,0x00,0x8c,0xbc,0xd3,0x0a,
128: 0xf7,0xe4,0x58,0x05,0xb8,0xb3,0x45,0x06,
129: 0xd0,0x2c,0x1e,0x8f,0xca,0x3f,0x0f,0x02,
130: 0xc1,0xaf,0xbd,0x03,0x01,0x13,0x8a,0x6b,
131: 0x3a,0x91,0x11,0x41,0x4f,0x67,0xdc,0xea,
132: 0x97,0xf2,0xcf,0xce,0xf0,0xb4,0xe6,0x73,
133: 0x96,0xac,0x74,0x22,0xe7,0xad,0x35,0x85,
134: 0xe2,0xf9,0x37,0xe8,0x1c,0x75,0xdf,0x6e,
135: 0x47,0xf1,0x1a,0x71,0x1d,0x29,0xc5,0x89,
136: 0x6f,0xb7,0x62,0x0e,0xaa,0x18,0xbe,0x1b,
137: 0xfc,0x56,0x3e,0x4b,0xc6,0xd2,0x79,0x20,
138: 0x9a,0xdb,0xc0,0xfe,0x78,0xcd,0x5a,0xf4,
139: 0x1f,0xdd,0xa8,0x33,0x88,0x07,0xc7,0x31,
140: 0xb1,0x12,0x10,0x59,0x27,0x80,0xec,0x5f,
141: 0x60,0x51,0x7f,0xa9,0x19,0xb5,0x4a,0x0d,
142: 0x2d,0xe5,0x7a,0x9f,0x93,0xc9,0x9c,0xef,
143: 0xa0,0xe0,0x3b,0x4d,0xae,0x2a,0xf5,0xb0,
144: 0xc8,0xeb,0xbb,0x3c,0x83,0x53,0x99,0x61,
145: 0x17,0x2b,0x04,0x7e,0xba,0x77,0xd6,0x26,
146: 0xe1,0x69,0x14,0x63,0x55,0x21,0x0c,0x7d
147: };
148:
149: static const unsigned char Rcon[30]=
150: {
151: 0x01,0x02,0x04,0x08,0x10,0x20,0x40,0x80,
152: 0x1b,0x36,0x6c,0xd8,0xab,0x4d,0x9a,0x2f,
153: 0x5e,0xbc,0x63,0xc6,0x97,0x35,0x6a,0xd4,
154: 0xb3,0x7d,0xfa,0xef,0xc5,0x91,
155: };
156:
157: /* Perform doubling in Galois Field GF(2^8) using the irreducible polynomial
158: x^8+x^4+x^3+x+1 */
159: static unsigned char AES_xtime(uint32_t x)
160: {
161: return x = (x&0x80) ? (x<<1)^0x1b : x<<1;
162: }
163:
164: /**
165: * Set up AES with the key/iv and cipher size.
166: */
167: void AES_set_key(AES_CTX *ctx, const uint8_t *key,
168: const uint8_t *iv, AES_MODE mode)
169: {
170: int i, ii;
171: uint32_t *W, tmp, tmp2;
172: const unsigned char *ip;
173: int words;
174:
175: switch (mode)
176: {
177: case AES_MODE_128:
178: i = 10;
179: words = 4;
180: break;
181:
182: case AES_MODE_256:
183: i = 14;
184: words = 8;
185: break;
186:
187: default: /* fail silently */
188: return;
189: }
190:
191: ctx->rounds = i;
192: ctx->key_size = words;
193: W = ctx->ks;
194: for (i = 0; i < words; i+=2)
195: {
196: W[i+0]= ((uint32_t)key[ 0]<<24)|
197: ((uint32_t)key[ 1]<<16)|
198: ((uint32_t)key[ 2]<< 8)|
199: ((uint32_t)key[ 3] );
200: W[i+1]= ((uint32_t)key[ 4]<<24)|
201: ((uint32_t)key[ 5]<<16)|
202: ((uint32_t)key[ 6]<< 8)|
203: ((uint32_t)key[ 7] );
204: key += 8;
205: }
206:
207: ip = Rcon;
208: ii = 4 * (ctx->rounds+1);
209: for (i = words; i<ii; i++)
210: {
211: tmp = W[i-1];
212:
213: if ((i % words) == 0)
214: {
215: tmp2 =(uint32_t)aes_sbox[(tmp )&0xff]<< 8;
216: tmp2|=(uint32_t)aes_sbox[(tmp>> 8)&0xff]<<16;
217: tmp2|=(uint32_t)aes_sbox[(tmp>>16)&0xff]<<24;
218: tmp2|=(uint32_t)aes_sbox[(tmp>>24) ];
219: tmp=tmp2^(((unsigned int)*ip)<<24);
220: ip++;
221: }
222:
223: if ((words == 8) && ((i % words) == 4))
224: {
225: tmp2 =(uint32_t)aes_sbox[(tmp )&0xff] ;
226: tmp2|=(uint32_t)aes_sbox[(tmp>> 8)&0xff]<< 8;
227: tmp2|=(uint32_t)aes_sbox[(tmp>>16)&0xff]<<16;
228: tmp2|=(uint32_t)aes_sbox[(tmp>>24) ]<<24;
229: tmp=tmp2;
230: }
231:
232: W[i]=W[i-words]^tmp;
233: }
234:
235: /* copy the iv across */
236: memcpy(ctx->iv, iv, 16);
237: }
238:
239: /**
240: * Change a key for decryption.
241: */
242: void AES_convert_key(AES_CTX *ctx)
243: {
244: int i;
245: uint32_t *k,w,t1,t2,t3,t4;
246:
247: k = ctx->ks;
248: k += 4;
249:
250: for (i=ctx->rounds*4; i>4; i--)
251: {
252: w= *k;
253: w = inv_mix_col(w,t1,t2,t3,t4);
254: *k++ =w;
255: }
256: }
257:
258: #if 0
259: /**
260: * Encrypt a byte sequence (with a block size 16) using the AES cipher.
261: */
262: void AES_cbc_encrypt(AES_CTX *ctx, const uint8_t *msg, uint8_t *out, int length)
263: {
264: uint32_t tin0, tin1, tin2, tin3;
265: uint32_t tout0, tout1, tout2, tout3;
266: uint32_t tin[4];
267: uint32_t *iv = (uint32_t *)ctx->iv;
268: uint32_t *msg_32 = (uint32_t *)msg;
269: uint32_t *out_32 = (uint32_t *)out;
270:
271: n2l(iv, tout0);
272: n2l(iv, tout1);
273: n2l(iv, tout2);
274: n2l(iv, tout3);
275: iv -= 4;
276:
277: for (length -= 16; length >= 0; length -= 16)
278: {
279: n2l(msg_32, tin0);
280: n2l(msg_32, tin1);
281: n2l(msg_32, tin2);
282: n2l(msg_32, tin3);
283: tin[0] = tin0^tout0;
284: tin[1] = tin1^tout1;
285: tin[2] = tin2^tout2;
286: tin[3] = tin3^tout3;
287:
288: AES_encrypt(ctx, tin);
289:
290: tout0 = tin[0];
291: l2n(tout0, out_32);
292: tout1 = tin[1];
293: l2n(tout1, out_32);
294: tout2 = tin[2];
295: l2n(tout2, out_32);
296: tout3 = tin[3];
297: l2n(tout3, out_32);
298: }
299:
300: l2n(tout0, iv);
301: l2n(tout1, iv);
302: l2n(tout2, iv);
303: l2n(tout3, iv);
304: }
305:
306: /**
307: * Decrypt a byte sequence (with a block size 16) using the AES cipher.
308: */
309: void AES_cbc_decrypt(AES_CTX *ctx, const uint8_t *msg, uint8_t *out, int length)
310: {
311: uint32_t tin0, tin1, tin2, tin3;
312: uint32_t xor0,xor1,xor2,xor3;
313: uint32_t tout0,tout1,tout2,tout3;
314: uint32_t data[4];
315: uint32_t *iv = (uint32_t *)ctx->iv;
316: uint32_t *msg_32 = (uint32_t *)msg;
317: uint32_t *out_32 = (uint32_t *)out;
318:
319: n2l(iv ,xor0);
320: n2l(iv, xor1);
321: n2l(iv, xor2);
322: n2l(iv, xor3);
323: iv -= 4;
324:
325: for (length-=16; length >= 0; length -= 16)
326: {
327: n2l(msg_32, tin0);
328: n2l(msg_32, tin1);
329: n2l(msg_32, tin2);
330: n2l(msg_32, tin3);
331:
332: data[0] = tin0;
333: data[1] = tin1;
334: data[2] = tin2;
335: data[3] = tin3;
336:
337: AES_decrypt(ctx, data);
338:
339: tout0 = data[0]^xor0;
340: tout1 = data[1]^xor1;
341: tout2 = data[2]^xor2;
342: tout3 = data[3]^xor3;
343:
344: xor0 = tin0;
345: xor1 = tin1;
346: xor2 = tin2;
347: xor3 = tin3;
348:
349: l2n(tout0, out_32);
350: l2n(tout1, out_32);
351: l2n(tout2, out_32);
352: l2n(tout3, out_32);
353: }
354:
355: l2n(xor0, iv);
356: l2n(xor1, iv);
357: l2n(xor2, iv);
358: l2n(xor3, iv);
359: }
360: #endif
361:
362: /**
363: * Encrypt a single block (16 bytes) of data
364: */
365: void AES_encrypt(const AES_CTX *ctx, uint32_t *data)
366: {
367: /* To make this code smaller, generate the sbox entries on the fly.
368: * This will have a really heavy effect upon performance.
369: */
370: uint32_t tmp[4];
371: uint32_t tmp1, old_a0, a0, a1, a2, a3, row;
372: int curr_rnd;
373: int rounds = ctx->rounds;
374: const uint32_t *k = ctx->ks;
375:
376: /* Pre-round key addition */
377: for (row = 0; row < 4; row++)
378: {
379: data[row] ^= *(k++);
380: }
381:
382: /* Encrypt one block. */
383: for (curr_rnd = 0; curr_rnd < rounds; curr_rnd++)
384: {
385: /* Perform ByteSub and ShiftRow operations together */
386: for (row = 0; row < 4; row++)
387: {
388: a0 = (uint32_t)aes_sbox[(data[row%4]>>24)&0xFF];
389: a1 = (uint32_t)aes_sbox[(data[(row+1)%4]>>16)&0xFF];
390: a2 = (uint32_t)aes_sbox[(data[(row+2)%4]>>8)&0xFF];
391: a3 = (uint32_t)aes_sbox[(data[(row+3)%4])&0xFF];
392:
393: /* Perform MixColumn iff not last round */
394: if (curr_rnd < (rounds - 1))
395: {
396: tmp1 = a0 ^ a1 ^ a2 ^ a3;
397: old_a0 = a0;
398:
399: a0 ^= tmp1 ^ AES_xtime(a0 ^ a1);
400: a1 ^= tmp1 ^ AES_xtime(a1 ^ a2);
401: a2 ^= tmp1 ^ AES_xtime(a2 ^ a3);
402: a3 ^= tmp1 ^ AES_xtime(a3 ^ old_a0);
403:
404: }
405:
406: tmp[row] = ((a0 << 24) | (a1 << 16) | (a2 << 8) | a3);
407: }
408:
409: /* KeyAddition - note that it is vital that this loop is separate from
410: the MixColumn operation, which must be atomic...*/
411: for (row = 0; row < 4; row++)
412: {
413: data[row] = tmp[row] ^ *(k++);
414: }
415: }
416: }
417:
418: /**
419: * Decrypt a single block (16 bytes) of data
420: */
421: void AES_decrypt(const AES_CTX *ctx, uint32_t *data)
422: {
423: uint32_t tmp[4];
424: uint32_t xt0,xt1,xt2,xt3,xt4,xt5,xt6;
425: uint32_t a0, a1, a2, a3, row;
426: int curr_rnd;
427: int rounds = ctx->rounds;
428: uint32_t *k = (uint32_t*)ctx->ks + ((rounds+1)*4);
429:
430: /* pre-round key addition */
431: for (row=4; row > 0;row--)
432: {
433: data[row-1] ^= *(--k);
434: }
435:
436: /* Decrypt one block */
437: for (curr_rnd=0; curr_rnd < rounds; curr_rnd++)
438: {
439: /* Perform ByteSub and ShiftRow operations together */
440: for (row = 4; row > 0; row--)
441: {
442: a0 = aes_isbox[(data[(row+3)%4]>>24)&0xFF];
443: a1 = aes_isbox[(data[(row+2)%4]>>16)&0xFF];
444: a2 = aes_isbox[(data[(row+1)%4]>>8)&0xFF];
445: a3 = aes_isbox[(data[row%4])&0xFF];
446:
447: /* Perform MixColumn iff not last round */
448: if (curr_rnd<(rounds-1))
449: {
450: /* The MDS cofefficients (0x09, 0x0B, 0x0D, 0x0E)
451: are quite large compared to encryption; this
452: operation slows decryption down noticeably. */
453: xt0 = AES_xtime(a0^a1);
454: xt1 = AES_xtime(a1^a2);
455: xt2 = AES_xtime(a2^a3);
456: xt3 = AES_xtime(a3^a0);
457: xt4 = AES_xtime(xt0^xt1);
458: xt5 = AES_xtime(xt1^xt2);
459: xt6 = AES_xtime(xt4^xt5);
460:
461: xt0 ^= a1^a2^a3^xt4^xt6;
462: xt1 ^= a0^a2^a3^xt5^xt6;
463: xt2 ^= a0^a1^a3^xt4^xt6;
464: xt3 ^= a0^a1^a2^xt5^xt6;
465: tmp[row-1] = ((xt0<<24)|(xt1<<16)|(xt2<<8)|xt3);
466: }
467: else
468: tmp[row-1] = ((a0<<24)|(a1<<16)|(a2<<8)|a3);
469: }
470:
471: for (row = 4; row > 0; row--)
472: {
473: data[row-1] = tmp[row-1] ^ *(--k);
474: }
475: }
476: }
477:
478: #endif
This archive runs on limited infrastructure. Preserving old code on modern bandwidth. Automated agents are requested to crawl responsibly.