2022-03-25 16:55:54 +00:00
|
|
|
/******************************************************************************
|
|
|
|
*
|
|
|
|
* THIS SOURCE CODE IS HEREBY PLACED INTO THE PUBLIC DOMAIN FOR THE GOOD OF ALL
|
|
|
|
*
|
|
|
|
* This is a simple and straightforward implementation of the AES Rijndael
|
|
|
|
* 128-bit block cipher designed by Vincent Rijmen and Joan Daemen. The focus
|
|
|
|
* of this work was correctness & accuracy. It is written in 'C' without any
|
|
|
|
* particular focus upon optimization or speed. It should be endian (memory
|
|
|
|
* byte order) neutral since the few places that care are handled explicitly.
|
|
|
|
*
|
|
|
|
* This implementation of Rijndael was created by Steven M. Gibson of GRC.com.
|
|
|
|
*
|
|
|
|
* It is intended for general purpose use, but was written in support of GRC's
|
|
|
|
* reference implementation of the SQRL (Secure Quick Reliable Login) client.
|
|
|
|
*
|
|
|
|
* See: http://csrc.nist.gov/archive/aes/rijndael/wsdindex.html
|
|
|
|
*
|
|
|
|
* NO COPYRIGHT IS CLAIMED IN THIS WORK, HOWEVER, NEITHER IS ANY WARRANTY MADE
|
|
|
|
* REGARDING ITS FITNESS FOR ANY PARTICULAR PURPOSE. USE IT AT YOUR OWN RISK.
|
|
|
|
*
|
|
|
|
*******************************************************************************/
|
|
|
|
|
|
|
|
#include "aes.h"
|
|
|
|
|
|
|
|
static int aes_tables_inited = 0; // run-once flag for performing key
|
|
|
|
// expasion table generation (see below)
|
|
|
|
/*
|
|
|
|
* The following static local tables must be filled-in before the first use of
|
|
|
|
* the GCM or AES ciphers. They are used for the AES key expansion/scheduling
|
|
|
|
* and once built are read-only and thread safe. The "gcm_initialize" function
|
|
|
|
* must be called once during system initialization to populate these arrays
|
|
|
|
* for subsequent use by the AES key scheduler. If they have not been built
|
|
|
|
* before attempted use, an error will be returned to the caller.
|
|
|
|
*
|
|
|
|
* NOTE: GCM Encryption/Decryption does NOT REQUIRE AES decryption. Since
|
|
|
|
* GCM uses AES in counter-mode, where the AES cipher output is XORed with
|
|
|
|
* the GCM input, we ONLY NEED AES encryption. Thus, to save space AES
|
|
|
|
* decryption is typically disabled by setting AES_DECRYPTION to 0 in aes.h.
|
|
|
|
*/
|
|
|
|
// We always need our forward tables
|
|
|
|
static uchar FSb[256]; // Forward substitution box (FSb)
|
|
|
|
static uint32_t FT0[256]; // Forward key schedule assembly tables
|
|
|
|
static uint32_t FT1[256];
|
|
|
|
static uint32_t FT2[256];
|
|
|
|
static uint32_t FT3[256];
|
|
|
|
|
|
|
|
#if AES_DECRYPTION // We ONLY need reverse for decryption
|
|
|
|
static uchar RSb[256]; // Reverse substitution box (RSb)
|
|
|
|
static uint32_t RT0[256]; // Reverse key schedule assembly tables
|
|
|
|
static uint32_t RT1[256];
|
|
|
|
static uint32_t RT2[256];
|
|
|
|
static uint32_t RT3[256];
|
|
|
|
#endif /* AES_DECRYPTION */
|
|
|
|
|
|
|
|
static uint32_t RCON[10]; // AES round constants
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Platform Endianness Neutralizing Load and Store Macro definitions
|
|
|
|
* AES wants platform-neutral Little Endian (LE) byte ordering
|
|
|
|
*/
|
|
|
|
#define GET_UINT32_LE(n,b,i) { \
|
|
|
|
(n) = ( (uint32_t) (b)[(i) ] ) \
|
|
|
|
| ( (uint32_t) (b)[(i) + 1] << 8 ) \
|
|
|
|
| ( (uint32_t) (b)[(i) + 2] << 16 ) \
|
|
|
|
| ( (uint32_t) (b)[(i) + 3] << 24 ); }
|
|
|
|
|
|
|
|
#define PUT_UINT32_LE(n,b,i) { \
|
|
|
|
(b)[(i) ] = (uchar) ( (n) ); \
|
|
|
|
(b)[(i) + 1] = (uchar) ( (n) >> 8 ); \
|
|
|
|
(b)[(i) + 2] = (uchar) ( (n) >> 16 ); \
|
|
|
|
(b)[(i) + 3] = (uchar) ( (n) >> 24 ); }
|
|
|
|
|
|
|
|
/*
|
|
|
|
* AES forward and reverse encryption round processing macros
|
|
|
|
*/
|
|
|
|
#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
|
|
|
|
{ \
|
|
|
|
X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
|
|
|
|
FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
|
|
|
|
FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
|
|
|
|
FT3[ ( Y3 >> 24 ) & 0xFF ]; \
|
|
|
|
\
|
|
|
|
X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
|
|
|
|
FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
|
|
|
|
FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
|
|
|
|
FT3[ ( Y0 >> 24 ) & 0xFF ]; \
|
|
|
|
\
|
|
|
|
X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
|
|
|
|
FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
|
|
|
|
FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
|
|
|
|
FT3[ ( Y1 >> 24 ) & 0xFF ]; \
|
|
|
|
\
|
|
|
|
X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
|
|
|
|
FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
|
|
|
|
FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
|
|
|
|
FT3[ ( Y2 >> 24 ) & 0xFF ]; \
|
|
|
|
}
|
|
|
|
|
|
|
|
#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
|
|
|
|
{ \
|
|
|
|
X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
|
|
|
|
RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
|
|
|
|
RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
|
|
|
|
RT3[ ( Y1 >> 24 ) & 0xFF ]; \
|
|
|
|
\
|
|
|
|
X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
|
|
|
|
RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
|
|
|
|
RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
|
|
|
|
RT3[ ( Y2 >> 24 ) & 0xFF ]; \
|
|
|
|
\
|
|
|
|
X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
|
|
|
|
RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
|
|
|
|
RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
|
|
|
|
RT3[ ( Y3 >> 24 ) & 0xFF ]; \
|
|
|
|
\
|
|
|
|
X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
|
|
|
|
RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
|
|
|
|
RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
|
|
|
|
RT3[ ( Y0 >> 24 ) & 0xFF ]; \
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* These macros improve the readability of the key
|
|
|
|
* generation initialization code by collapsing
|
|
|
|
* repetitive common operations into logical pieces.
|
|
|
|
*/
|
|
|
|
#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
|
|
|
|
#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
|
|
|
|
#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
|
|
|
|
#define MIX(x,y) { y = ( (y << 1) | (y >> 7) ) & 0xFF; x ^= y; }
|
|
|
|
#define CPY128 { *RK++ = *SK++; *RK++ = *SK++; \
|
|
|
|
*RK++ = *SK++; *RK++ = *SK++; }
|
|
|
|
|
|
|
|
/******************************************************************************
|
|
|
|
*
|
|
|
|
* AES_INIT_KEYGEN_TABLES
|
|
|
|
*
|
|
|
|
* Fills the AES key expansion tables allocated above with their static
|
|
|
|
* data. This is not "per key" data, but static system-wide read-only
|
|
|
|
* table data. THIS FUNCTION IS NOT THREAD SAFE. It must be called once
|
|
|
|
* at system initialization to setup the tables for all subsequent use.
|
|
|
|
*
|
|
|
|
******************************************************************************/
|
|
|
|
void aes_init_keygen_tables(void)
|
|
|
|
{
|
|
|
|
int i, x, y, z; // general purpose iteration and computation locals
|
|
|
|
int pow[256];
|
|
|
|
int log[256];
|
|
|
|
|
|
|
|
if (aes_tables_inited) return;
|
|
|
|
|
|
|
|
// fill the 'pow' and 'log' tables over GF(2^8)
|
|
|
|
for (i = 0, x = 1; i < 256; i++) {
|
|
|
|
pow[i] = x;
|
|
|
|
log[x] = i;
|
|
|
|
x = (x ^ XTIME(x)) & 0xFF;
|
|
|
|
}
|
|
|
|
// compute the round constants
|
|
|
|
for (i = 0, x = 1; i < 10; i++) {
|
|
|
|
RCON[i] = (uint32_t)x;
|
|
|
|
x = XTIME(x) & 0xFF;
|
|
|
|
}
|
|
|
|
// fill the forward and reverse substitution boxes
|
|
|
|
FSb[0x00] = 0x63;
|
|
|
|
#if AES_DECRYPTION // whether AES decryption is supported
|
|
|
|
RSb[0x63] = 0x00;
|
|
|
|
#endif /* AES_DECRYPTION */
|
|
|
|
|
|
|
|
for (i = 1; i < 256; i++) {
|
|
|
|
x = y = pow[255 - log[i]];
|
|
|
|
MIX(x, y);
|
|
|
|
MIX(x, y);
|
|
|
|
MIX(x, y);
|
|
|
|
MIX(x, y);
|
|
|
|
FSb[i] = (uchar)(x ^= 0x63);
|
|
|
|
#if AES_DECRYPTION // whether AES decryption is supported
|
|
|
|
RSb[x] = (uchar)i;
|
|
|
|
#endif /* AES_DECRYPTION */
|
|
|
|
|
|
|
|
}
|
|
|
|
// generate the forward and reverse key expansion tables
|
|
|
|
for (i = 0; i < 256; i++) {
|
|
|
|
x = FSb[i];
|
|
|
|
y = XTIME(x) & 0xFF;
|
|
|
|
z = (y ^ x) & 0xFF;
|
|
|
|
|
|
|
|
FT0[i] = ((uint32_t)y) ^ ((uint32_t)x << 8) ^
|
|
|
|
((uint32_t)x << 16) ^ ((uint32_t)z << 24);
|
|
|
|
|
|
|
|
FT1[i] = ROTL8(FT0[i]);
|
|
|
|
FT2[i] = ROTL8(FT1[i]);
|
|
|
|
FT3[i] = ROTL8(FT2[i]);
|
|
|
|
|
|
|
|
#if AES_DECRYPTION // whether AES decryption is supported
|
|
|
|
x = RSb[i];
|
|
|
|
|
|
|
|
RT0[i] = ((uint32_t)MUL(0x0E, x)) ^
|
|
|
|
((uint32_t)MUL(0x09, x) << 8) ^
|
|
|
|
((uint32_t)MUL(0x0D, x) << 16) ^
|
|
|
|
((uint32_t)MUL(0x0B, x) << 24);
|
|
|
|
|
|
|
|
RT1[i] = ROTL8(RT0[i]);
|
|
|
|
RT2[i] = ROTL8(RT1[i]);
|
|
|
|
RT3[i] = ROTL8(RT2[i]);
|
|
|
|
#endif /* AES_DECRYPTION */
|
|
|
|
}
|
|
|
|
aes_tables_inited = 1; // flag that the tables have been generated
|
|
|
|
} // to permit subsequent use of the AES cipher
|
|
|
|
|
|
|
|
/******************************************************************************
|
|
|
|
*
|
|
|
|
* AES_SET_ENCRYPTION_KEY
|
|
|
|
*
|
|
|
|
* This is called by 'aes_setkey' when we're establishing a key for
|
|
|
|
* subsequent encryption. We give it a pointer to the encryption
|
|
|
|
* context, a pointer to the key, and the key's length in bytes.
|
|
|
|
* Valid lengths are: 16, 24 or 32 bytes (128, 192, 256 bits).
|
|
|
|
*
|
|
|
|
******************************************************************************/
|
|
|
|
int aes_set_encryption_key(aes_context *ctx,
|
|
|
|
const uchar *key,
|
|
|
|
uint keysize)
|
|
|
|
{
|
|
|
|
uint i; // general purpose iteration local
|
|
|
|
uint32_t *RK = ctx->rk; // initialize our RoundKey buffer pointer
|
|
|
|
|
|
|
|
for (i = 0; i < (keysize >> 2); i++) {
|
|
|
|
GET_UINT32_LE(RK[i], key, i << 2);
|
|
|
|
}
|
|
|
|
|
|
|
|
switch (ctx->rounds)
|
|
|
|
{
|
|
|
|
case 10:
|
|
|
|
for (i = 0; i < 10; i++, RK += 4) {
|
|
|
|
RK[4] = RK[0] ^ RCON[i] ^
|
|
|
|
((uint32_t)FSb[(RK[3] >> 8) & 0xFF]) ^
|
|
|
|
((uint32_t)FSb[(RK[3] >> 16) & 0xFF] << 8) ^
|
|
|
|
((uint32_t)FSb[(RK[3] >> 24) & 0xFF] << 16) ^
|
|
|
|
((uint32_t)FSb[(RK[3]) & 0xFF] << 24);
|
|
|
|
|
|
|
|
RK[5] = RK[1] ^ RK[4];
|
|
|
|
RK[6] = RK[2] ^ RK[5];
|
|
|
|
RK[7] = RK[3] ^ RK[6];
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 12:
|
|
|
|
for (i = 0; i < 8; i++, RK += 6) {
|
|
|
|
RK[6] = RK[0] ^ RCON[i] ^
|
|
|
|
((uint32_t)FSb[(RK[5] >> 8) & 0xFF]) ^
|
|
|
|
((uint32_t)FSb[(RK[5] >> 16) & 0xFF] << 8) ^
|
|
|
|
((uint32_t)FSb[(RK[5] >> 24) & 0xFF] << 16) ^
|
|
|
|
((uint32_t)FSb[(RK[5]) & 0xFF] << 24);
|
|
|
|
|
|
|
|
RK[7] = RK[1] ^ RK[6];
|
|
|
|
RK[8] = RK[2] ^ RK[7];
|
|
|
|
RK[9] = RK[3] ^ RK[8];
|
|
|
|
RK[10] = RK[4] ^ RK[9];
|
|
|
|
RK[11] = RK[5] ^ RK[10];
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 14:
|
|
|
|
for (i = 0; i < 7; i++, RK += 8) {
|
|
|
|
RK[8] = RK[0] ^ RCON[i] ^
|
|
|
|
((uint32_t)FSb[(RK[7] >> 8) & 0xFF]) ^
|
|
|
|
((uint32_t)FSb[(RK[7] >> 16) & 0xFF] << 8) ^
|
|
|
|
((uint32_t)FSb[(RK[7] >> 24) & 0xFF] << 16) ^
|
|
|
|
((uint32_t)FSb[(RK[7]) & 0xFF] << 24);
|
|
|
|
|
|
|
|
RK[9] = RK[1] ^ RK[8];
|
|
|
|
RK[10] = RK[2] ^ RK[9];
|
|
|
|
RK[11] = RK[3] ^ RK[10];
|
|
|
|
|
|
|
|
RK[12] = RK[4] ^
|
|
|
|
((uint32_t)FSb[(RK[11]) & 0xFF]) ^
|
|
|
|
((uint32_t)FSb[(RK[11] >> 8) & 0xFF] << 8) ^
|
|
|
|
((uint32_t)FSb[(RK[11] >> 16) & 0xFF] << 16) ^
|
|
|
|
((uint32_t)FSb[(RK[11] >> 24) & 0xFF] << 24);
|
|
|
|
|
|
|
|
RK[13] = RK[5] ^ RK[12];
|
|
|
|
RK[14] = RK[6] ^ RK[13];
|
|
|
|
RK[15] = RK[7] ^ RK[14];
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
return(0);
|
|
|
|
}
|
|
|
|
|
|
|
|
#if AES_DECRYPTION // whether AES decryption is supported
|
|
|
|
|
|
|
|
/******************************************************************************
|
|
|
|
*
|
|
|
|
* AES_SET_DECRYPTION_KEY
|
|
|
|
*
|
|
|
|
* This is called by 'aes_setkey' when we're establishing a
|
|
|
|
* key for subsequent decryption. We give it a pointer to
|
|
|
|
* the encryption context, a pointer to the key, and the key's
|
|
|
|
* length in bits. Valid lengths are: 128, 192, or 256 bits.
|
|
|
|
*
|
|
|
|
******************************************************************************/
|
|
|
|
int aes_set_decryption_key(aes_context *ctx,
|
|
|
|
const uchar *key,
|
|
|
|
uint keysize)
|
|
|
|
{
|
|
|
|
int i, j;
|
|
|
|
aes_context cty; // a calling aes context for set_encryption_key
|
|
|
|
uint32_t *RK = ctx->rk; // initialize our RoundKey buffer pointer
|
|
|
|
uint32_t *SK;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
cty.rounds = ctx->rounds; // initialize our local aes context
|
|
|
|
cty.rk = cty.buf; // round count and key buf pointer
|
|
|
|
|
|
|
|
if ((ret = aes_set_encryption_key(&cty, key, keysize)) != 0)
|
|
|
|
return(ret);
|
|
|
|
|
|
|
|
SK = cty.rk + cty.rounds * 4;
|
|
|
|
|
|
|
|
CPY128 // copy a 128-bit block from *SK to *RK
|
|
|
|
|
|
|
|
for (i = ctx->rounds - 1, SK -= 8; i > 0; i--, SK -= 8) {
|
|
|
|
for (j = 0; j < 4; j++, SK++) {
|
|
|
|
*RK++ = RT0[FSb[(*SK) & 0xFF]] ^
|
|
|
|
RT1[FSb[(*SK >> 8) & 0xFF]] ^
|
|
|
|
RT2[FSb[(*SK >> 16) & 0xFF]] ^
|
|
|
|
RT3[FSb[(*SK >> 24) & 0xFF]];
|
|
|
|
}
|
|
|
|
}
|
|
|
|
CPY128 // copy a 128-bit block from *SK to *RK
|
|
|
|
memset(&cty, 0, sizeof(aes_context)); // clear local aes context
|
|
|
|
return(0);
|
|
|
|
}
|
|
|
|
|
|
|
|
#endif /* AES_DECRYPTION */
|
|
|
|
|
|
|
|
/******************************************************************************
|
|
|
|
*
|
|
|
|
* AES_SETKEY
|
|
|
|
*
|
|
|
|
* Invoked to establish the key schedule for subsequent encryption/decryption
|
|
|
|
*
|
|
|
|
******************************************************************************/
|
|
|
|
int aes_setkey(aes_context *ctx, // AES context provided by our caller
|
|
|
|
int mode, // ENCRYPT or DECRYPT flag
|
|
|
|
const uchar *key, // pointer to the key
|
|
|
|
uint keysize) // key length in bytes
|
|
|
|
{
|
|
|
|
// since table initialization is not thread safe, we could either add
|
|
|
|
// system-specific mutexes and init the AES key generation tables on
|
|
|
|
// demand, or ask the developer to simply call "gcm_initialize" once during
|
|
|
|
// application startup before threading begins. That's what we choose.
|
|
|
|
if (!aes_tables_inited) return (-1); // fail the call when not inited.
|
|
|
|
|
|
|
|
ctx->mode = mode; // capture the key type we're creating
|
|
|
|
ctx->rk = ctx->buf; // initialize our round key pointer
|
|
|
|
|
|
|
|
switch (keysize) // set the rounds count based upon the keysize
|
|
|
|
{
|
|
|
|
case 16: ctx->rounds = 10; break; // 16-byte, 128-bit key
|
|
|
|
case 24: ctx->rounds = 12; break; // 24-byte, 192-bit key
|
|
|
|
case 32: ctx->rounds = 14; break; // 32-byte, 256-bit key
|
|
|
|
default: return(-1);
|
|
|
|
}
|
|
|
|
|
|
|
|
#if AES_DECRYPTION
|
|
|
|
if (mode == DECRYPT) // expand our key for encryption or decryption
|
|
|
|
return(aes_set_decryption_key(ctx, key, keysize));
|
|
|
|
else /* ENCRYPT */
|
|
|
|
#endif /* AES_DECRYPTION */
|
|
|
|
return(aes_set_encryption_key(ctx, key, keysize));
|
|
|
|
}
|
|
|
|
|
|
|
|
/******************************************************************************
|
|
|
|
*
|
|
|
|
* AES_CIPHER
|
|
|
|
*
|
|
|
|
* Perform AES encryption and decryption.
|
|
|
|
* The AES context will have been setup with the encryption mode
|
|
|
|
* and all keying information appropriate for the task.
|
|
|
|
*
|
|
|
|
******************************************************************************/
|
|
|
|
int aes_cipher(aes_context *ctx,
|
|
|
|
const uchar input[16],
|
|
|
|
uchar output[16])
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3; // general purpose locals
|
|
|
|
|
|
|
|
RK = ctx->rk;
|
|
|
|
|
|
|
|
GET_UINT32_LE(X0, input, 0); X0 ^= *RK++; // load our 128-bit
|
|
|
|
GET_UINT32_LE(X1, input, 4); X1 ^= *RK++; // input buffer in a storage
|
|
|
|
GET_UINT32_LE(X2, input, 8); X2 ^= *RK++; // memory endian-neutral way
|
|
|
|
GET_UINT32_LE(X3, input, 12); X3 ^= *RK++;
|
|
|
|
|
|
|
|
#if AES_DECRYPTION // whether AES decryption is supported
|
|
|
|
|
|
|
|
if (ctx->mode == DECRYPT)
|
|
|
|
{
|
|
|
|
for (i = (ctx->rounds >> 1) - 1; i > 0; i--)
|
|
|
|
{
|
|
|
|
AES_RROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3);
|
|
|
|
AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3);
|
|
|
|
}
|
|
|
|
|
|
|
|
AES_RROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3);
|
|
|
|
|
|
|
|
X0 = *RK++ ^ \
|
|
|
|
((uint32_t)RSb[(Y0) & 0xFF]) ^
|
|
|
|
((uint32_t)RSb[(Y3 >> 8) & 0xFF] << 8) ^
|
|
|
|
((uint32_t)RSb[(Y2 >> 16) & 0xFF] << 16) ^
|
|
|
|
((uint32_t)RSb[(Y1 >> 24) & 0xFF] << 24);
|
|
|
|
|
|
|
|
X1 = *RK++ ^ \
|
|
|
|
((uint32_t)RSb[(Y1) & 0xFF]) ^
|
|
|
|
((uint32_t)RSb[(Y0 >> 8) & 0xFF] << 8) ^
|
|
|
|
((uint32_t)RSb[(Y3 >> 16) & 0xFF] << 16) ^
|
|
|
|
((uint32_t)RSb[(Y2 >> 24) & 0xFF] << 24);
|
|
|
|
|
|
|
|
X2 = *RK++ ^ \
|
|
|
|
((uint32_t)RSb[(Y2) & 0xFF]) ^
|
|
|
|
((uint32_t)RSb[(Y1 >> 8) & 0xFF] << 8) ^
|
|
|
|
((uint32_t)RSb[(Y0 >> 16) & 0xFF] << 16) ^
|
|
|
|
((uint32_t)RSb[(Y3 >> 24) & 0xFF] << 24);
|
|
|
|
|
|
|
|
X3 = *RK++ ^ \
|
|
|
|
((uint32_t)RSb[(Y3) & 0xFF]) ^
|
|
|
|
((uint32_t)RSb[(Y2 >> 8) & 0xFF] << 8) ^
|
|
|
|
((uint32_t)RSb[(Y1 >> 16) & 0xFF] << 16) ^
|
|
|
|
((uint32_t)RSb[(Y0 >> 24) & 0xFF] << 24);
|
|
|
|
}
|
|
|
|
else /* ENCRYPT */
|
|
|
|
{
|
|
|
|
#endif /* AES_DECRYPTION */
|
|
|
|
|
|
|
|
for (i = (ctx->rounds >> 1) - 1; i > 0; i--)
|
|
|
|
{
|
|
|
|
AES_FROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3);
|
|
|
|
AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3);
|
|
|
|
}
|
|
|
|
|
|
|
|
AES_FROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3);
|
|
|
|
|
|
|
|
X0 = *RK++ ^ \
|
|
|
|
((uint32_t)FSb[(Y0) & 0xFF]) ^
|
|
|
|
((uint32_t)FSb[(Y1 >> 8) & 0xFF] << 8) ^
|
|
|
|
((uint32_t)FSb[(Y2 >> 16) & 0xFF] << 16) ^
|
|
|
|
((uint32_t)FSb[(Y3 >> 24) & 0xFF] << 24);
|
|
|
|
|
|
|
|
X1 = *RK++ ^ \
|
|
|
|
((uint32_t)FSb[(Y1) & 0xFF]) ^
|
|
|
|
((uint32_t)FSb[(Y2 >> 8) & 0xFF] << 8) ^
|
|
|
|
((uint32_t)FSb[(Y3 >> 16) & 0xFF] << 16) ^
|
|
|
|
((uint32_t)FSb[(Y0 >> 24) & 0xFF] << 24);
|
|
|
|
|
|
|
|
X2 = *RK++ ^ \
|
|
|
|
((uint32_t)FSb[(Y2) & 0xFF]) ^
|
|
|
|
((uint32_t)FSb[(Y3 >> 8) & 0xFF] << 8) ^
|
|
|
|
((uint32_t)FSb[(Y0 >> 16) & 0xFF] << 16) ^
|
|
|
|
((uint32_t)FSb[(Y1 >> 24) & 0xFF] << 24);
|
|
|
|
|
|
|
|
X3 = *RK++ ^ \
|
|
|
|
((uint32_t)FSb[(Y3) & 0xFF]) ^
|
|
|
|
((uint32_t)FSb[(Y0 >> 8) & 0xFF] << 8) ^
|
|
|
|
((uint32_t)FSb[(Y1 >> 16) & 0xFF] << 16) ^
|
|
|
|
((uint32_t)FSb[(Y2 >> 24) & 0xFF] << 24);
|
|
|
|
|
|
|
|
#if AES_DECRYPTION // whether AES decryption is supported
|
|
|
|
}
|
|
|
|
#endif /* AES_DECRYPTION */
|
|
|
|
|
|
|
|
PUT_UINT32_LE(X0, output, 0);
|
|
|
|
PUT_UINT32_LE(X1, output, 4);
|
|
|
|
PUT_UINT32_LE(X2, output, 8);
|
|
|
|
PUT_UINT32_LE(X3, output, 12);
|
|
|
|
|
|
|
|
return(0);
|
|
|
|
}
|
|
|
|
/* end of aes.c */
|