1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41#include "tls.h"
42
43
44
45
46static const uint8_t sbox[] = {
47 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
48 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
49 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
50 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
51 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc,
52 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
53 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a,
54 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
55 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0,
56 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
57 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b,
58 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
59 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85,
60 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
61 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5,
62 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
63 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17,
64 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
65 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88,
66 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
67 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c,
68 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
69 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9,
70 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
71 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6,
72 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
73 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e,
74 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
75 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94,
76 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
77 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68,
78 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16,
79};
80
81static const uint8_t rsbox[] = {
82 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38,
83 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
84 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87,
85 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
86 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d,
87 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
88 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2,
89 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
90 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16,
91 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
92 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda,
93 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
94 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a,
95 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
96 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02,
97 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
98 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea,
99 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
100 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85,
101 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
102 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89,
103 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
104 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20,
105 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
106 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31,
107 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
108 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d,
109 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
110 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0,
111 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
112 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26,
113 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d,
114};
115
116
117
118static uint32_t Subword(uint32_t x)
119{
120 return (sbox[(x >> 24) ] << 24)
121 | (sbox[(x >> 16) & 255] << 16)
122 | (sbox[(x >> 8 ) & 255] << 8 )
123 | (sbox[(x ) & 255] );
124}
125
126
127
128static int KeyExpansion(uint32_t *RoundKey, const void *key, unsigned key_len)
129{
130
131
132
133 static const uint8_t Rcon[] ALIGN1 = {
134 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36
135
136
137 };
138 int rounds, words_key, words_RoundKey;
139 int i, j, k;
140
141
142
143
144 words_key = key_len / 4;
145 rounds = 6 + (key_len / 4);
146 words_RoundKey = 28 + key_len;
147
148
149 for (i = 0; i < words_key; i++)
150 RoundKey[i] = get_unaligned_be32((uint32_t*)key + i);
151
152
153
154 j = k = 0;
155 for (; i < words_RoundKey; i++) {
156 uint32_t tempa;
157
158 tempa = RoundKey[i - 1];
159 if (j == 0) {
160
161 tempa = (tempa << 8) | (tempa >> 24);
162 tempa = Subword(tempa);
163 tempa ^= (uint32_t)Rcon[k] << 24;
164 } else if (words_key > 6 && j == 4) {
165 tempa = Subword(tempa);
166 }
167 RoundKey[i] = RoundKey[i - words_key] ^ tempa;
168 j++;
169 if (j == words_key) {
170 j = 0;
171 k++;
172 }
173 }
174 return rounds;
175}
176
177
178
179static void AddRoundKey(unsigned astate[16], const uint32_t *RoundKeys)
180{
181 int i;
182
183 for (i = 0; i < 16; i += 4) {
184 uint32_t n = *RoundKeys++;
185 astate[i + 0] ^= (n >> 24);
186 astate[i + 1] ^= (n >> 16) & 255;
187 astate[i + 2] ^= (n >> 8) & 255;
188 astate[i + 3] ^= n & 255;
189 }
190}
191
192
193
194static void SubBytes(unsigned astate[16])
195{
196 int i;
197
198 for (i = 0; i < 16; i++)
199 astate[i] = sbox[astate[i]];
200}
201
202
203
204
205
206#define ASTATE(col,row) astate[(col)*4 + (row)]
207
208
209
210
211static void ShiftRows(unsigned astate[16])
212{
213 unsigned v;
214
215
216 v = ASTATE(0,1);
217 ASTATE(0,1) = ASTATE(1,1);
218 ASTATE(1,1) = ASTATE(2,1);
219 ASTATE(2,1) = ASTATE(3,1);
220 ASTATE(3,1) = v;
221
222
223 v = ASTATE(0,2); ASTATE(0,2) = ASTATE(2,2); ASTATE(2,2) = v;
224 v = ASTATE(1,2); ASTATE(1,2) = ASTATE(3,2); ASTATE(3,2) = v;
225
226
227 v = ASTATE(3,3);
228 ASTATE(3,3) = ASTATE(2,3);
229 ASTATE(2,3) = ASTATE(1,3);
230 ASTATE(1,3) = ASTATE(0,3);
231 ASTATE(0,3) = v;
232}
233
234
235static void MixColumns(unsigned astate[16])
236{
237 int i;
238
239 for (i = 0; i < 16; i += 4) {
240 unsigned a, b, c, d;
241 unsigned x, y, z, t;
242
243 a = astate[i + 0];
244 b = astate[i + 1];
245 c = astate[i + 2];
246 d = astate[i + 3];
247 x = (a << 1) ^ b ^ (b << 1) ^ c ^ d;
248 y = a ^ (b << 1) ^ c ^ (c << 1) ^ d;
249 z = a ^ b ^ (c << 1) ^ d ^ (d << 1);
250 t = a ^ (a << 1) ^ b ^ c ^ (d << 1);
251 astate[i + 0] = x ^ ((-(int)(x >> 8)) & 0x11b);
252 astate[i + 1] = y ^ ((-(int)(y >> 8)) & 0x11b);
253 astate[i + 2] = z ^ ((-(int)(z >> 8)) & 0x11b);
254 astate[i + 3] = t ^ ((-(int)(t >> 8)) & 0x11b);
255 }
256}
257
258
259
260static void InvSubBytes(unsigned astate[16])
261{
262 int i;
263
264 for (i = 0; i < 16; i++)
265 astate[i] = rsbox[astate[i]];
266}
267
268static void InvShiftRows(unsigned astate[16])
269{
270 unsigned v;
271
272
273 v = ASTATE(3,1);
274 ASTATE(3,1) = ASTATE(2,1);
275 ASTATE(2,1) = ASTATE(1,1);
276 ASTATE(1,1) = ASTATE(0,1);
277 ASTATE(0,1) = v;
278
279
280 v = ASTATE(0,2); ASTATE(0,2) = ASTATE(2,2); ASTATE(2,2) = v;
281 v = ASTATE(1,2); ASTATE(1,2) = ASTATE(3,2); ASTATE(3,2) = v;
282
283
284 v = ASTATE(0,3);
285 ASTATE(0,3) = ASTATE(1,3);
286 ASTATE(1,3) = ASTATE(2,3);
287 ASTATE(2,3) = ASTATE(3,3);
288 ASTATE(3,3) = v;
289}
290
291static ALWAYS_INLINE unsigned Multiply(unsigned x)
292{
293 unsigned y;
294
295 y = x >> 8;
296 return (x ^ y ^ (y << 1) ^ (y << 3) ^ (y << 4)) & 255;
297}
298
299
300
301
302static void InvMixColumns(unsigned astate[16])
303{
304 int i;
305
306 for (i = 0; i < 16; i += 4) {
307 unsigned a, b, c, d;
308 unsigned x, y, z, t;
309
310 a = astate[i + 0];
311 b = astate[i + 1];
312 c = astate[i + 2];
313 d = astate[i + 3];
314 x = (a << 1) ^ (a << 2) ^ (a << 3) ^ b ^ (b << 1) ^ (b << 3)
315 ^ c ^ (c << 2) ^ (c << 3) ^ d ^ (d << 3);
316 astate[i + 0] = Multiply(x);
317 y = a ^ (a << 3) ^ (b << 1) ^ (b << 2) ^ (b << 3)
318 ^ c ^ (c << 1) ^ (c << 3) ^ d ^ (d << 2) ^ (d << 3);
319 astate[i + 1] = Multiply(y);
320 z = a ^ (a << 2) ^ (a << 3) ^ b ^ (b << 3)
321 ^ (c << 1) ^ (c << 2) ^ (c << 3) ^ d ^ (d << 1) ^ (d << 3);
322 astate[i + 2] = Multiply(z);
323 t = a ^ (a << 1) ^ (a << 3) ^ b ^ (b << 2) ^ (b << 3)
324 ^ c ^ (c << 3) ^ (d << 1) ^ (d << 2) ^ (d << 3);
325 astate[i + 3] = Multiply(t);
326 }
327}
328
329static void aes_encrypt_1(struct tls_aes *aes, unsigned astate[16])
330{
331 unsigned rounds = aes->rounds;
332 const uint32_t *RoundKey = aes->key;
333
334 for (;;) {
335 AddRoundKey(astate, RoundKey);
336 RoundKey += 4;
337 SubBytes(astate);
338 ShiftRows(astate);
339 if (--rounds == 0)
340 break;
341 MixColumns(astate);
342 }
343 AddRoundKey(astate, RoundKey);
344}
345
346void FAST_FUNC aes_setkey(struct tls_aes *aes, const void *key, unsigned key_len)
347{
348 aes->rounds = KeyExpansion(aes->key, key, key_len);
349}
350
351void FAST_FUNC aes_encrypt_one_block(struct tls_aes *aes, const void *data, void *dst)
352{
353 unsigned astate[16];
354 unsigned i;
355
356 const uint8_t *pt = data;
357 uint8_t *ct = dst;
358
359 for (i = 0; i < 16; i++)
360 astate[i] = pt[i];
361 aes_encrypt_1(aes, astate);
362 for (i = 0; i < 16; i++)
363 ct[i] = astate[i];
364}
365
366void FAST_FUNC aes_cbc_encrypt(struct tls_aes *aes, void *iv, const void *data, size_t len, void *dst)
367{
368 uint8_t iv2[16];
369
370 const uint8_t *pt = data;
371 uint8_t *ct = dst;
372
373 memcpy(iv2, iv, 16);
374 while (len > 0) {
375 {
376
377
378
379
380 int i;
381 unsigned astate[16];
382 for (i = 0; i < 16; i++)
383 astate[i] = pt[i] ^ iv2[i];
384 aes_encrypt_1(aes, astate);
385 for (i = 0; i < 16; i++)
386 iv2[i] = ct[i] = astate[i];
387 }
388 ct += 16;
389 pt += 16;
390 len -= 16;
391 }
392}
393
394static void aes_decrypt_1(struct tls_aes *aes, unsigned astate[16])
395{
396 unsigned rounds = aes->rounds;
397 const uint32_t *RoundKey = aes->key;
398
399 RoundKey += rounds * 4;
400 AddRoundKey(astate, RoundKey);
401 for (;;) {
402 InvShiftRows(astate);
403 InvSubBytes(astate);
404 RoundKey -= 4;
405 AddRoundKey(astate, RoundKey);
406 if (--rounds == 0)
407 break;
408 InvMixColumns(astate);
409 }
410}
411
412#if 0
413static void aes_decrypt_one_block(struct tls_aes *aes, const void *data, void *dst)
414{
415 unsigned rounds = aes->rounds;
416 const uint32_t *RoundKey = aes->key;
417 unsigned astate[16];
418 unsigned i;
419
420 const uint8_t *ct = data;
421 uint8_t *pt = dst;
422
423 for (i = 0; i < 16; i++)
424 astate[i] = ct[i];
425 aes_decrypt_1(aes, astate);
426 for (i = 0; i < 16; i++)
427 pt[i] = astate[i];
428}
429#endif
430
431void FAST_FUNC aes_cbc_decrypt(struct tls_aes *aes, void *iv, const void *data, size_t len, void *dst)
432{
433 uint8_t iv2[16];
434 uint8_t iv3[16];
435 uint8_t *ivbuf;
436 uint8_t *ivnext;
437
438 const uint8_t *ct = data;
439 uint8_t *pt = dst;
440
441 ivbuf = memcpy(iv2, iv, 16);
442 while (len) {
443 ivnext = (ivbuf==iv2) ? iv3 : iv2;
444 {
445
446
447
448 int i;
449 unsigned astate[16];
450 for (i = 0; i < 16; i++)
451 ivnext[i] = astate[i] = ct[i];
452 aes_decrypt_1(aes, astate);
453 for (i = 0; i < 16; i++)
454 pt[i] = astate[i] ^ ivbuf[i];
455 }
456 ivbuf = ivnext;
457 ct += 16;
458 pt += 16;
459 len -= 16;
460 }
461}
462