/** * @file aes.c * @brief AES (Advanced Encryption Standard) * * @section License * * SPDX-License-Identifier: GPL-2.0-or-later * * Copyright (C) 2010-2024 Oryx Embedded SARL. All rights reserved. * * This file is part of CycloneCRYPTO Open. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version 2 * of the License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software Foundation, * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. * * @section Description * * AES is an encryption standard based on Rijndael algorithm, a symmetric block * cipher that can process data blocks of 128 bits, using cipher keys with * lengths of 128, 192, and 256 bits. Refer to FIPS 197 for more details * * @author Oryx Embedded SARL (www.oryx-embedded.com) * @version 2.4.4 **/ //Switch to the appropriate trace level #define TRACE_LEVEL CRYPTO_TRACE_LEVEL //Dependencies #include "core/crypto.h" #include "cipher/aes.h" //Check crypto library configuration #if (AES_SUPPORT == ENABLED) //Substitution table used by encryption algorithm (S-box) static const uint8_t sbox[256] = { 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16 }; //Substitution table used by decryption algorithm (inverse S-box) static const uint8_t isbox[256] = { 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84, 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4, 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D }; //Precalculated table (encryption) static const uint32_t te[256] = { 0xA56363C6, 0x847C7CF8, 0x997777EE, 0x8D7B7BF6, 0x0DF2F2FF, 0xBD6B6BD6, 0xB16F6FDE, 0x54C5C591, 0x50303060, 0x03010102, 0xA96767CE, 0x7D2B2B56, 0x19FEFEE7, 0x62D7D7B5, 0xE6ABAB4D, 0x9A7676EC, 0x45CACA8F, 0x9D82821F, 0x40C9C989, 0x877D7DFA, 0x15FAFAEF, 0xEB5959B2, 0xC947478E, 0x0BF0F0FB, 0xECADAD41, 0x67D4D4B3, 0xFDA2A25F, 0xEAAFAF45, 0xBF9C9C23, 0xF7A4A453, 0x967272E4, 0x5BC0C09B, 0xC2B7B775, 0x1CFDFDE1, 0xAE93933D, 0x6A26264C, 0x5A36366C, 0x413F3F7E, 0x02F7F7F5, 0x4FCCCC83, 0x5C343468, 0xF4A5A551, 0x34E5E5D1, 0x08F1F1F9, 0x937171E2, 0x73D8D8AB, 0x53313162, 0x3F15152A, 0x0C040408, 0x52C7C795, 0x65232346, 0x5EC3C39D, 0x28181830, 0xA1969637, 0x0F05050A, 0xB59A9A2F, 0x0907070E, 0x36121224, 0x9B80801B, 0x3DE2E2DF, 0x26EBEBCD, 0x6927274E, 0xCDB2B27F, 0x9F7575EA, 0x1B090912, 0x9E83831D, 0x742C2C58, 0x2E1A1A34, 0x2D1B1B36, 0xB26E6EDC, 0xEE5A5AB4, 0xFBA0A05B, 0xF65252A4, 0x4D3B3B76, 0x61D6D6B7, 0xCEB3B37D, 0x7B292952, 0x3EE3E3DD, 0x712F2F5E, 0x97848413, 0xF55353A6, 0x68D1D1B9, 0x00000000, 0x2CEDEDC1, 0x60202040, 0x1FFCFCE3, 0xC8B1B179, 0xED5B5BB6, 0xBE6A6AD4, 0x46CBCB8D, 0xD9BEBE67, 0x4B393972, 0xDE4A4A94, 0xD44C4C98, 0xE85858B0, 0x4ACFCF85, 0x6BD0D0BB, 0x2AEFEFC5, 0xE5AAAA4F, 0x16FBFBED, 0xC5434386, 0xD74D4D9A, 0x55333366, 0x94858511, 0xCF45458A, 0x10F9F9E9, 0x06020204, 0x817F7FFE, 0xF05050A0, 0x443C3C78, 0xBA9F9F25, 0xE3A8A84B, 0xF35151A2, 0xFEA3A35D, 0xC0404080, 0x8A8F8F05, 0xAD92923F, 0xBC9D9D21, 0x48383870, 0x04F5F5F1, 0xDFBCBC63, 0xC1B6B677, 0x75DADAAF, 0x63212142, 0x30101020, 0x1AFFFFE5, 0x0EF3F3FD, 0x6DD2D2BF, 0x4CCDCD81, 0x140C0C18, 0x35131326, 0x2FECECC3, 0xE15F5FBE, 0xA2979735, 0xCC444488, 0x3917172E, 0x57C4C493, 0xF2A7A755, 0x827E7EFC, 0x473D3D7A, 0xAC6464C8, 0xE75D5DBA, 0x2B191932, 0x957373E6, 0xA06060C0, 0x98818119, 0xD14F4F9E, 0x7FDCDCA3, 0x66222244, 0x7E2A2A54, 0xAB90903B, 0x8388880B, 0xCA46468C, 0x29EEEEC7, 0xD3B8B86B, 0x3C141428, 0x79DEDEA7, 0xE25E5EBC, 0x1D0B0B16, 0x76DBDBAD, 0x3BE0E0DB, 0x56323264, 0x4E3A3A74, 0x1E0A0A14, 0xDB494992, 0x0A06060C, 0x6C242448, 0xE45C5CB8, 0x5DC2C29F, 0x6ED3D3BD, 0xEFACAC43, 0xA66262C4, 0xA8919139, 0xA4959531, 0x37E4E4D3, 0x8B7979F2, 0x32E7E7D5, 0x43C8C88B, 0x5937376E, 0xB76D6DDA, 0x8C8D8D01, 0x64D5D5B1, 0xD24E4E9C, 0xE0A9A949, 0xB46C6CD8, 0xFA5656AC, 0x07F4F4F3, 0x25EAEACF, 0xAF6565CA, 0x8E7A7AF4, 0xE9AEAE47, 0x18080810, 0xD5BABA6F, 0x887878F0, 0x6F25254A, 0x722E2E5C, 0x241C1C38, 0xF1A6A657, 0xC7B4B473, 0x51C6C697, 0x23E8E8CB, 0x7CDDDDA1, 0x9C7474E8, 0x211F1F3E, 0xDD4B4B96, 0xDCBDBD61, 0x868B8B0D, 0x858A8A0F, 0x907070E0, 0x423E3E7C, 0xC4B5B571, 0xAA6666CC, 0xD8484890, 0x05030306, 0x01F6F6F7, 0x120E0E1C, 0xA36161C2, 0x5F35356A, 0xF95757AE, 0xD0B9B969, 0x91868617, 0x58C1C199, 0x271D1D3A, 0xB99E9E27, 0x38E1E1D9, 0x13F8F8EB, 0xB398982B, 0x33111122, 0xBB6969D2, 0x70D9D9A9, 0x898E8E07, 0xA7949433, 0xB69B9B2D, 0x221E1E3C, 0x92878715, 0x20E9E9C9, 0x49CECE87, 0xFF5555AA, 0x78282850, 0x7ADFDFA5, 0x8F8C8C03, 0xF8A1A159, 0x80898909, 0x170D0D1A, 0xDABFBF65, 0x31E6E6D7, 0xC6424284, 0xB86868D0, 0xC3414182, 0xB0999929, 0x772D2D5A, 0x110F0F1E, 0xCBB0B07B, 0xFC5454A8, 0xD6BBBB6D, 0x3A16162C }; //Precalculated table (decryption) static const uint32_t td[256] = { 0x50A7F451, 0x5365417E, 0xC3A4171A, 0x965E273A, 0xCB6BAB3B, 0xF1459D1F, 0xAB58FAAC, 0x9303E34B, 0x55FA3020, 0xF66D76AD, 0x9176CC88, 0x254C02F5, 0xFCD7E54F, 0xD7CB2AC5, 0x80443526, 0x8FA362B5, 0x495AB1DE, 0x671BBA25, 0x980EEA45, 0xE1C0FE5D, 0x02752FC3, 0x12F04C81, 0xA397468D, 0xC6F9D36B, 0xE75F8F03, 0x959C9215, 0xEB7A6DBF, 0xDA595295, 0x2D83BED4, 0xD3217458, 0x2969E049, 0x44C8C98E, 0x6A89C275, 0x78798EF4, 0x6B3E5899, 0xDD71B927, 0xB64FE1BE, 0x17AD88F0, 0x66AC20C9, 0xB43ACE7D, 0x184ADF63, 0x82311AE5, 0x60335197, 0x457F5362, 0xE07764B1, 0x84AE6BBB, 0x1CA081FE, 0x942B08F9, 0x58684870, 0x19FD458F, 0x876CDE94, 0xB7F87B52, 0x23D373AB, 0xE2024B72, 0x578F1FE3, 0x2AAB5566, 0x0728EBB2, 0x03C2B52F, 0x9A7BC586, 0xA50837D3, 0xF2872830, 0xB2A5BF23, 0xBA6A0302, 0x5C8216ED, 0x2B1CCF8A, 0x92B479A7, 0xF0F207F3, 0xA1E2694E, 0xCDF4DA65, 0xD5BE0506, 0x1F6234D1, 0x8AFEA6C4, 0x9D532E34, 0xA055F3A2, 0x32E18A05, 0x75EBF6A4, 0x39EC830B, 0xAAEF6040, 0x069F715E, 0x51106EBD, 0xF98A213E, 0x3D06DD96, 0xAE053EDD, 0x46BDE64D, 0xB58D5491, 0x055DC471, 0x6FD40604, 0xFF155060, 0x24FB9819, 0x97E9BDD6, 0xCC434089, 0x779ED967, 0xBD42E8B0, 0x888B8907, 0x385B19E7, 0xDBEEC879, 0x470A7CA1, 0xE90F427C, 0xC91E84F8, 0x00000000, 0x83868009, 0x48ED2B32, 0xAC70111E, 0x4E725A6C, 0xFBFF0EFD, 0x5638850F, 0x1ED5AE3D, 0x27392D36, 0x64D90F0A, 0x21A65C68, 0xD1545B9B, 0x3A2E3624, 0xB1670A0C, 0x0FE75793, 0xD296EEB4, 0x9E919B1B, 0x4FC5C080, 0xA220DC61, 0x694B775A, 0x161A121C, 0x0ABA93E2, 0xE52AA0C0, 0x43E0223C, 0x1D171B12, 0x0B0D090E, 0xADC78BF2, 0xB9A8B62D, 0xC8A91E14, 0x8519F157, 0x4C0775AF, 0xBBDD99EE, 0xFD607FA3, 0x9F2601F7, 0xBCF5725C, 0xC53B6644, 0x347EFB5B, 0x7629438B, 0xDCC623CB, 0x68FCEDB6, 0x63F1E4B8, 0xCADC31D7, 0x10856342, 0x40229713, 0x2011C684, 0x7D244A85, 0xF83DBBD2, 0x1132F9AE, 0x6DA129C7, 0x4B2F9E1D, 0xF330B2DC, 0xEC52860D, 0xD0E3C177, 0x6C16B32B, 0x99B970A9, 0xFA489411, 0x2264E947, 0xC48CFCA8, 0x1A3FF0A0, 0xD82C7D56, 0xEF903322, 0xC74E4987, 0xC1D138D9, 0xFEA2CA8C, 0x360BD498, 0xCF81F5A6, 0x28DE7AA5, 0x268EB7DA, 0xA4BFAD3F, 0xE49D3A2C, 0x0D927850, 0x9BCC5F6A, 0x62467E54, 0xC2138DF6, 0xE8B8D890, 0x5EF7392E, 0xF5AFC382, 0xBE805D9F, 0x7C93D069, 0xA92DD56F, 0xB31225CF, 0x3B99ACC8, 0xA77D1810, 0x6E639CE8, 0x7BBB3BDB, 0x097826CD, 0xF418596E, 0x01B79AEC, 0xA89A4F83, 0x656E95E6, 0x7EE6FFAA, 0x08CFBC21, 0xE6E815EF, 0xD99BE7BA, 0xCE366F4A, 0xD4099FEA, 0xD67CB029, 0xAFB2A431, 0x31233F2A, 0x3094A5C6, 0xC066A235, 0x37BC4E74, 0xA6CA82FC, 0xB0D090E0, 0x15D8A733, 0x4A9804F1, 0xF7DAEC41, 0x0E50CD7F, 0x2FF69117, 0x8DD64D76, 0x4DB0EF43, 0x544DAACC, 0xDF0496E4, 0xE3B5D19E, 0x1B886A4C, 0xB81F2CC1, 0x7F516546, 0x04EA5E9D, 0x5D358C01, 0x737487FA, 0x2E410BFB, 0x5A1D67B3, 0x52D2DB92, 0x335610E9, 0x1347D66D, 0x8C61D79A, 0x7A0CA137, 0x8E14F859, 0x893C13EB, 0xEE27A9CE, 0x35C961B7, 0xEDE51CE1, 0x3CB1477A, 0x59DFD29C, 0x3F73F255, 0x79CE1418, 0xBF37C773, 0xEACDF753, 0x5BAAFD5F, 0x146F3DDF, 0x86DB4478, 0x81F3AFCA, 0x3EC468B9, 0x2C342438, 0x5F40A3C2, 0x72C31D16, 0x0C25E2BC, 0x8B493C28, 0x41950DFF, 0x7101A839, 0xDEB30C08, 0x9CE4B4D8, 0x90C15664, 0x6184CB7B, 0x70B632D5, 0x745C6C48, 0x4257B8D0 }; //Round constant word array static const uint32_t rcon[11] = { 0x00000000, 0x00000001, 0x00000002, 0x00000004, 0x00000008, 0x00000010, 0x00000020, 0x00000040, 0x00000080, 0x0000001B, 0x00000036 }; //AES128-ECB OID (2.16.840.1.101.3.4.1.1) const uint8_t AES128_ECB_OID[9] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x01}; //AES128-CBC OID (2.16.840.1.101.3.4.1.2) const uint8_t AES128_CBC_OID[9] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x02}; //AES128-OFB OID (2.16.840.1.101.3.4.1.3) const uint8_t AES128_OFB_OID[9] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x03}; //AES128-CFB OID (2.16.840.1.101.3.4.1.4) const uint8_t AES128_CFB_OID[9] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x04}; //AES128-GCM OID (2.16.840.1.101.3.4.1.6) const uint8_t AES128_GCM_OID[9] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x06}; //AES128-CCM OID (2.16.840.1.101.3.4.1.7) const uint8_t AES128_CCM_OID[9] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x07}; //AES192-ECB OID (2.16.840.1.101.3.4.1.21) const uint8_t AES192_ECB_OID[9] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x15}; //AES192-CBC OID (2.16.840.1.101.3.4.1.22) const uint8_t AES192_CBC_OID[9] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x16}; //AES192-OFB OID (2.16.840.1.101.3.4.1.23) const uint8_t AES192_OFB_OID[9] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x17}; //AES192-CFB OID (2.16.840.1.101.3.4.1.24) const uint8_t AES192_CFB_OID[9] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x18}; //AES192-GCM OID (2.16.840.1.101.3.4.1.26) const uint8_t AES192_GCM_OID[9] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x1A}; //AES192-CCM OID (2.16.840.1.101.3.4.1.27) const uint8_t AES192_CCM_OID[9] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x1B}; //AES256-ECB OID (2.16.840.1.101.3.4.1.41) const uint8_t AES256_ECB_OID[9] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x29}; //AES256-CBC OID (2.16.840.1.101.3.4.1.42) const uint8_t AES256_CBC_OID[9] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2A}; //AES256-OFB OID (2.16.840.1.101.3.4.1.43) const uint8_t AES256_OFB_OID[9] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2B}; //AES256-CFB OID (2.16.840.1.101.3.4.1.44) const uint8_t AES256_CFB_OID[9] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2C}; //AES256-GCM OID (2.16.840.1.101.3.4.1.46) const uint8_t AES256_GCM_OID[9] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2E}; //AES256-CCM OID (2.16.840.1.101.3.4.1.47) const uint8_t AES256_CCM_OID[9] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2F}; //Common interface for encryption algorithms const CipherAlgo aesCipherAlgo = { "AES", sizeof(AesContext), CIPHER_ALGO_TYPE_BLOCK, AES_BLOCK_SIZE, (CipherAlgoInit) aesInit, NULL, NULL, (CipherAlgoEncryptBlock) aesEncryptBlock, (CipherAlgoDecryptBlock) aesDecryptBlock, (CipherAlgoDeinit) aesDeinit }; /** * @brief Key expansion * @param[in] context Pointer to the AES context to initialize * @param[in] key Pointer to the key * @param[in] keyLen Length of the key * @return Error code **/ __weak_func error_t aesInit(AesContext *context, const uint8_t *key, size_t keyLen) { uint_t i; uint32_t temp; size_t keyScheduleSize; //Check parameters if(context == NULL || key == NULL) return ERROR_INVALID_PARAMETER; //Check the length of the key if(keyLen == 16) { //10 rounds are required for 128-bit key context->nr = 10; } else if(keyLen == 24) { //12 rounds are required for 192-bit key context->nr = 12; } else if(keyLen == 32) { //14 rounds are required for 256-bit key context->nr = 14; } else { //Report an error return ERROR_INVALID_KEY_LENGTH; } //Determine the number of 32-bit words in the key keyLen /= 4; //Copy the original key for(i = 0; i < keyLen; i++) { context->ek[i] = LOAD32LE(key + (i * 4)); } //The size of the key schedule depends on the number of rounds keyScheduleSize = 4 * (context->nr + 1); //Generate the key schedule (encryption) for(i = keyLen; i < keyScheduleSize; i++) { //Save previous word temp = context->ek[i - 1]; //Apply transformation if((i % keyLen) == 0) { context->ek[i] = sbox[(temp >> 8) & 0xFF]; context->ek[i] |= (sbox[(temp >> 16) & 0xFF] << 8); context->ek[i] |= (sbox[(temp >> 24) & 0xFF] << 16); context->ek[i] |= (sbox[temp & 0xFF] << 24); context->ek[i] ^= rcon[i / keyLen]; } else if(keyLen > 6 && (i % keyLen) == 4) { context->ek[i] = sbox[temp & 0xFF]; context->ek[i] |= (sbox[(temp >> 8) & 0xFF] << 8); context->ek[i] |= (sbox[(temp >> 16) & 0xFF] << 16); context->ek[i] |= (sbox[(temp >> 24) & 0xFF] << 24); } else { context->ek[i] = temp; } //Update the key schedule context->ek[i] ^= context->ek[i - keyLen]; } //Generate the key schedule (decryption) for(i = 0; i < keyScheduleSize; i++) { //Apply the InvMixColumns transformation to all round keys but the first //and the last if(i < 4 || i >= (keyScheduleSize - 4)) { context->dk[i] = context->ek[i]; } else { context->dk[i] = td[sbox[context->ek[i] & 0xFF]]; temp = td[sbox[(context->ek[i] >> 8) & 0xFF]]; context->dk[i] ^= ROL32(temp, 8); temp = td[sbox[(context->ek[i] >> 16) & 0xFF]]; context->dk[i] ^= ROL32(temp, 16); temp = td[sbox[(context->ek[i] >> 24) & 0xFF]]; context->dk[i] ^= ROL32(temp, 24); } } //No error to report return NO_ERROR; } /** * @brief Encrypt a 16-byte block using AES algorithm * @param[in] context Pointer to the AES context * @param[in] input Plaintext block to encrypt * @param[out] output Ciphertext block resulting from encryption **/ __weak_func void aesEncryptBlock(AesContext *context, const uint8_t *input, uint8_t *output) { uint_t i; uint32_t s0; uint32_t s1; uint32_t s2; uint32_t s3; uint32_t t0; uint32_t t1; uint32_t t2; uint32_t t3; uint32_t temp; //Copy the plaintext to the state array s0 = LOAD32LE(input + 0); s1 = LOAD32LE(input + 4); s2 = LOAD32LE(input + 8); s3 = LOAD32LE(input + 12); //Initial round key addition s0 ^= context->ek[0]; s1 ^= context->ek[1]; s2 ^= context->ek[2]; s3 ^= context->ek[3]; //The number of rounds depends on the key length for(i = 1; i < context->nr; i++) { //Apply round function t0 = te[s0 & 0xFF]; temp = te[(s1 >> 8) & 0xFF]; t0 ^= ROL32(temp, 8); temp = te[(s2 >> 16) & 0xFF]; t0 ^= ROL32(temp, 16); temp = te[(s3 >> 24) & 0xFF]; t0 ^= ROL32(temp, 24); t1 = te[s1 & 0xFF]; temp = te[(s2 >> 8) & 0xFF]; t1 ^= ROL32(temp, 8); temp = te[(s3 >> 16) & 0xFF]; t1 ^= ROL32(temp, 16); temp = te[(s0 >> 24) & 0xFF]; t1 ^= ROL32(temp, 24); t2 = te[s2 & 0xFF]; temp = te[(s3 >> 8) & 0xFF]; t2 ^= ROL32(temp, 8); temp = te[(s0 >> 16) & 0xFF]; t2 ^= ROL32(temp, 16); temp = te[(s1 >> 24) & 0xFF]; t2 ^= ROL32(temp, 24); t3 = te[s3 & 0xFF]; temp = te[(s0 >> 8) & 0xFF]; t3 ^= ROL32(temp, 8); temp = te[(s1 >> 16) & 0xFF]; t3 ^= ROL32(temp, 16); temp = te[(s2 >> 24) & 0xFF]; t3 ^= ROL32(temp, 24); //Round key addition s0 = t0 ^ context->ek[i * 4]; s1 = t1 ^ context->ek[i * 4 + 1]; s2 = t2 ^ context->ek[i * 4 + 2]; s3 = t3 ^ context->ek[i * 4 + 3]; } //The last round differs slightly from the first rounds t0 = sbox[s0 & 0xFF]; t0 |= sbox[(s1 >> 8) & 0xFF] << 8; t0 |= sbox[(s2 >> 16) & 0xFF] << 16; t0 |= sbox[(s3 >> 24) & 0xFF] << 24; t1 = sbox[s1 & 0xFF]; t1 |= sbox[(s2 >> 8) & 0xFF] << 8; t1 |= sbox[(s3 >> 16) & 0xFF] << 16; t1 |= sbox[(s0 >> 24) & 0xFF] << 24; t2 = sbox[s2 & 0xFF]; t2 |= sbox[(s3 >> 8) & 0xFF] << 8; t2 |= sbox[(s0 >> 16) & 0xFF] << 16; t2 |= sbox[(s1 >> 24) & 0xFF] << 24; t3 = sbox[s3 & 0xFF]; t3 |= sbox[(s0 >> 8) & 0xFF] << 8; t3 |= sbox[(s1 >> 16) & 0xFF] << 16; t3 |= sbox[(s2 >> 24) & 0xFF] << 24; //Last round key addition s0 = t0 ^ context->ek[context->nr * 4]; s1 = t1 ^ context->ek[context->nr * 4 + 1]; s2 = t2 ^ context->ek[context->nr * 4 + 2]; s3 = t3 ^ context->ek[context->nr * 4 + 3]; //The final state is then copied to the output STORE32LE(s0, output + 0); STORE32LE(s1, output + 4); STORE32LE(s2, output + 8); STORE32LE(s3, output + 12); } /** * @brief Decrypt a 16-byte block using AES algorithm * @param[in] context Pointer to the AES context * @param[in] input Ciphertext block to decrypt * @param[out] output Plaintext block resulting from decryption **/ __weak_func void aesDecryptBlock(AesContext *context, const uint8_t *input, uint8_t *output) { uint_t i; uint32_t s0; uint32_t s1; uint32_t s2; uint32_t s3; uint32_t t0; uint32_t t1; uint32_t t2; uint32_t t3; uint32_t temp; //Copy the ciphertext to the state array s0 = LOAD32LE(input + 0); s1 = LOAD32LE(input + 4); s2 = LOAD32LE(input + 8); s3 = LOAD32LE(input + 12); //Initial round key addition s0 ^= context->dk[context->nr * 4]; s1 ^= context->dk[context->nr * 4 + 1]; s2 ^= context->dk[context->nr * 4 + 2]; s3 ^= context->dk[context->nr * 4 + 3]; //The number of rounds depends on the key length for(i = context->nr - 1; i >= 1; i--) { //Apply round function t0 = td[s0 & 0xFF]; temp = td[(s3 >> 8) & 0xFF]; t0 ^= ROL32(temp, 8); temp = td[(s2 >> 16) & 0xFF]; t0 ^= ROL32(temp, 16); temp = td[(s1 >> 24) & 0xFF]; t0 ^= ROL32(temp, 24); t1 = td[s1 & 0xFF]; temp = td[(s0 >> 8) & 0xFF]; t1 ^= ROL32(temp, 8); temp = td[(s3 >> 16) & 0xFF]; t1 ^= ROL32(temp, 16); temp = td[(s2 >> 24) & 0xFF]; t1 ^= ROL32(temp, 24); t2 = td[s2 & 0xFF]; temp = td[(s1 >> 8) & 0xFF]; t2 ^= ROL32(temp, 8); temp = td[(s0 >> 16) & 0xFF]; t2 ^= ROL32(temp, 16); temp = td[(s3 >> 24) & 0xFF]; t2 ^= ROL32(temp, 24); t3 = td[s3 & 0xFF]; temp = td[(s2 >> 8) & 0xFF]; t3 ^= ROL32(temp, 8); temp = td[(s1 >> 16) & 0xFF]; t3 ^= ROL32(temp, 16); temp = td[(s0 >> 24) & 0xFF]; t3 ^= ROL32(temp, 24); //Round key addition s0 = t0 ^ context->dk[i * 4]; s1 = t1 ^ context->dk[i * 4 + 1]; s2 = t2 ^ context->dk[i * 4 + 2]; s3 = t3 ^ context->dk[i * 4 + 3]; } //The last round differs slightly from the first rounds t0 = isbox[s0 & 0xFF]; t0 |= isbox[(s3 >> 8) & 0xFF] << 8; t0 |= isbox[(s2 >> 16) & 0xFF] << 16; t0 |= isbox[(s1 >> 24) & 0xFF] << 24; t1 = isbox[s1 & 0xFF]; t1 |= isbox[(s0 >> 8) & 0xFF] << 8; t1 |= isbox[(s3 >> 16) & 0xFF] << 16; t1 |= isbox[(s2 >> 24) & 0xFF] << 24; t2 = isbox[s2 & 0xFF]; t2 |= isbox[(s1 >> 8) & 0xFF] << 8; t2 |= isbox[(s0 >> 16) & 0xFF] << 16; t2 |= isbox[(s3 >> 24) & 0xFF] << 24; t3 = isbox[s3 & 0xFF]; t3 |= isbox[(s2 >> 8) & 0xFF] << 8; t3 |= isbox[(s1 >> 16) & 0xFF] << 16; t3 |= isbox[(s0 >> 24) & 0xFF] << 24; //Last round key addition s0 = t0 ^ context->dk[0]; s1 = t1 ^ context->dk[1]; s2 = t2 ^ context->dk[2]; s3 = t3 ^ context->dk[3]; //The final state is then copied to the output STORE32LE(s0, output + 0); STORE32LE(s1, output + 4); STORE32LE(s2, output + 8); STORE32LE(s3, output + 12); } /** * @brief Release AES context * @param[in] context Pointer to the AES context **/ __weak_func void aesDeinit(AesContext *context) { //Clear AES context osMemset(context, 0, sizeof(AesContext)); } #endif