Embed:
(wiki syntax)
Show/hide line numbers
aes_mbedtls.c
00001 /* 00002 * Copyright (c) 2006-2017, Arm Limited and affiliates. 00003 * SPDX-License-Identifier: Apache-2.0 00004 * 00005 * Licensed under the Apache License, Version 2.0 (the "License"); 00006 * you may not use this file except in compliance with the License. 00007 * You may obtain a copy of the License at 00008 * 00009 * http://www.apache.org/licenses/LICENSE-2.0 00010 * 00011 * Unless required by applicable law or agreed to in writing, software 00012 * distributed under the License is distributed on an "AS IS" BASIS, 00013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00014 * See the License for the specific language governing permissions and 00015 * limitations under the License. 00016 */ 00017 00018 /* 00019 * FIPS-197 compliant AES implementation 00020 * 00021 * This file is derived from aes.c in mbed TLS 1.3.10, stripped down to 00022 * only support 128-bit encryption. 00023 * 00024 * Subsequently search-and-replaced to match later naming change. 00025 * 00026 * It is not intended to be used directly; it is conditionally included by 00027 * aes_common.c, so everything in the file is marked static. 00028 */ 00029 00030 #include <stdint.h> 00031 #include <string.h> 00032 00033 #define MBEDTLS_AES_ENCRYPT 1 00034 #define MBEDTLS_AES_DECRYPT 0 00035 00036 #define MBEDTLS_ERR_AES_INVALID_KEY_LENGTH -0x0020 /**< Invalid key length. */ 00037 #define MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH -0x0022 /**< Invalid data input length. */ 00038 #define MBEDTLS_ERR_AES_UNSUPPORTED -0x0023 /**< Operation not supported . */ 00039 00040 /** 00041 * \brief AES context structure 00042 */ 00043 typedef struct 00044 { 00045 int nr; /*!< number of rounds */ 00046 uint32_t *rk; /*!< AES round keys */ 00047 uint32_t buf[44]; /*!< unaligned data */ 00048 } 00049 mbedtls_aes_context; 00050 00051 /* Implementation that should never be optimized out by the compiler */ 00052 static void mbedtls_zeroize( void *v, size_t n ) { 00053 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 00054 } 00055 00056 /* 00057 * 32-bit integer manipulation macros (little endian) 00058 */ 00059 #ifndef GET_UINT32_LE 00060 #define GET_UINT32_LE(n,b,i) \ 00061 { \ 00062 (n) = ( (uint32_t) (b)[(i) ] ) \ 00063 | ( (uint32_t) (b)[(i) + 1] << 8 ) \ 00064 | ( (uint32_t) (b)[(i) + 2] << 16 ) \ 00065 | ( (uint32_t) (b)[(i) + 3] << 24 ); \ 00066 } 00067 #endif 00068 00069 #ifndef PUT_UINT32_LE 00070 #define PUT_UINT32_LE(n,b,i) \ 00071 { \ 00072 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \ 00073 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \ 00074 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \ 00075 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \ 00076 } 00077 #endif 00078 00079 /* 00080 * Forward S-box 00081 */ 00082 static const unsigned char FSb[256] = 00083 { 00084 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 00085 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 00086 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 00087 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 00088 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 00089 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 00090 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 00091 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 00092 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 00093 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 00094 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 00095 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 00096 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 00097 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, 00098 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 00099 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 00100 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 00101 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 00102 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 00103 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 00104 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 00105 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 00106 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 00107 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 00108 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 00109 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 00110 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 00111 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 00112 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 00113 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 00114 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 00115 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16 00116 }; 00117 00118 /* 00119 * Forward tables 00120 */ 00121 #define FT \ 00122 \ 00123 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \ 00124 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \ 00125 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \ 00126 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \ 00127 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \ 00128 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \ 00129 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \ 00130 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \ 00131 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \ 00132 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \ 00133 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \ 00134 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \ 00135 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \ 00136 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \ 00137 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \ 00138 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \ 00139 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \ 00140 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \ 00141 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \ 00142 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \ 00143 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \ 00144 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \ 00145 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \ 00146 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \ 00147 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \ 00148 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \ 00149 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \ 00150 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \ 00151 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \ 00152 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \ 00153 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \ 00154 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \ 00155 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \ 00156 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \ 00157 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \ 00158 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \ 00159 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \ 00160 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \ 00161 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \ 00162 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \ 00163 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \ 00164 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \ 00165 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \ 00166 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \ 00167 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \ 00168 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \ 00169 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \ 00170 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \ 00171 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \ 00172 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \ 00173 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \ 00174 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \ 00175 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \ 00176 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \ 00177 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \ 00178 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \ 00179 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \ 00180 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \ 00181 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \ 00182 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \ 00183 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \ 00184 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \ 00185 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \ 00186 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C) 00187 00188 #define V(a,b,c,d) 0x##a##b##c##d 00189 static const uint32_t FT0[256] = { FT }; 00190 #undef V 00191 00192 #define V(a,b,c,d) 0x##b##c##d##a 00193 static const uint32_t FT1[256] = { FT }; 00194 #undef V 00195 00196 #define V(a,b,c,d) 0x##c##d##a##b 00197 static const uint32_t FT2[256] = { FT }; 00198 #undef V 00199 00200 #define V(a,b,c,d) 0x##d##a##b##c 00201 static const uint32_t FT3[256] = { FT }; 00202 #undef V 00203 00204 #undef FT 00205 00206 00207 /* 00208 * Round constants 00209 */ 00210 static const uint32_t RCON[10] = 00211 { 00212 0x00000001, 0x00000002, 0x00000004, 0x00000008, 00213 0x00000010, 0x00000020, 0x00000040, 0x00000080, 00214 0x0000001B, 0x00000036 00215 }; 00216 00217 00218 static void mbedtls_aes_init( mbedtls_aes_context *ctx ) 00219 { 00220 memset( ctx, 0, sizeof( mbedtls_aes_context ) ); 00221 } 00222 00223 static void mbedtls_aes_free( mbedtls_aes_context *ctx ) 00224 { 00225 if( ctx == NULL ) 00226 return; 00227 00228 mbedtls_zeroize( ctx, sizeof( mbedtls_aes_context ) ); 00229 } 00230 00231 /* 00232 * AES key schedule (encryption) 00233 */ 00234 static int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key, 00235 unsigned int keysize ) 00236 { 00237 unsigned int i; 00238 uint32_t *RK; 00239 00240 switch( keysize ) 00241 { 00242 case 128: ctx->nr = 10; break; 00243 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH ); 00244 } 00245 00246 ctx->rk = RK = ctx->buf ; 00247 00248 for( i = 0; i < ( keysize >> 5 ); i++ ) 00249 { 00250 GET_UINT32_LE( RK[i], key, i << 2 ); 00251 } 00252 00253 switch( ctx->nr ) 00254 { 00255 case 10: 00256 00257 for( i = 0; i < 10; i++, RK += 4 ) 00258 { 00259 RK[4] = RK[0] ^ RCON[i] ^ 00260 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^ 00261 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^ 00262 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^ 00263 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 ); 00264 00265 RK[5] = RK[1] ^ RK[4]; 00266 RK[6] = RK[2] ^ RK[5]; 00267 RK[7] = RK[3] ^ RK[6]; 00268 } 00269 break; 00270 } 00271 00272 return( 0 ); 00273 } 00274 00275 00276 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \ 00277 { \ 00278 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \ 00279 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \ 00280 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \ 00281 FT3[ ( Y3 >> 24 ) & 0xFF ]; \ 00282 \ 00283 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \ 00284 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \ 00285 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \ 00286 FT3[ ( Y0 >> 24 ) & 0xFF ]; \ 00287 \ 00288 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \ 00289 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \ 00290 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \ 00291 FT3[ ( Y1 >> 24 ) & 0xFF ]; \ 00292 \ 00293 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \ 00294 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \ 00295 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \ 00296 FT3[ ( Y2 >> 24 ) & 0xFF ]; \ 00297 } 00298 00299 /* 00300 * AES-ECB block encryption/decryption 00301 */ 00302 static int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx, 00303 int mode, 00304 const unsigned char input[16], 00305 unsigned char output[16] ) 00306 { 00307 int i; 00308 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3; 00309 00310 RK = ctx->rk ; 00311 00312 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++; 00313 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++; 00314 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++; 00315 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++; 00316 00317 if( mode == MBEDTLS_AES_DECRYPT ) 00318 { 00319 return( MBEDTLS_ERR_AES_UNSUPPORTED ); 00320 } 00321 else /* MBEDTLS_AES_ENCRYPT */ 00322 { 00323 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- ) 00324 { 00325 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); 00326 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 ); 00327 } 00328 00329 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); 00330 00331 X0 = *RK++ ^ \ 00332 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^ 00333 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^ 00334 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^ 00335 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 ); 00336 00337 X1 = *RK++ ^ \ 00338 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^ 00339 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^ 00340 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^ 00341 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 ); 00342 00343 X2 = *RK++ ^ \ 00344 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^ 00345 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^ 00346 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^ 00347 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 ); 00348 00349 X3 = *RK++ ^ \ 00350 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^ 00351 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^ 00352 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^ 00353 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 ); 00354 } 00355 00356 PUT_UINT32_LE( X0, output, 0 ); 00357 PUT_UINT32_LE( X1, output, 4 ); 00358 PUT_UINT32_LE( X2, output, 8 ); 00359 PUT_UINT32_LE( X3, output, 12 ); 00360 00361 return( 0 ); 00362 }
Generated on Tue Jul 12 2022 12:21:34 by
1.7.2