1 /* 2 * Copyright (c) 2011 The Chromium OS Authors. 3 * (C) Copyright 2011 NVIDIA Corporation www.nvidia.com 4 * 5 * SPDX-License-Identifier: GPL-2.0+ 6 */ 7 8 /* 9 * advanced encryption standard 10 * author: karl malbrain, malbrain@yahoo.com 11 * 12 * This work, including the source code, documentation 13 * and related data, is placed into the public domain. 14 * 15 * The orginal author is Karl Malbrain. 16 * 17 * THIS SOFTWARE IS PROVIDED AS-IS WITHOUT WARRANTY 18 * OF ANY KIND, NOT EVEN THE IMPLIED WARRANTY OF 19 * MERCHANTABILITY. THE AUTHOR OF THIS SOFTWARE, 20 * ASSUMES _NO_ RESPONSIBILITY FOR ANY CONSEQUENCE 21 * RESULTING FROM THE USE, MODIFICATION, OR 22 * REDISTRIBUTION OF THIS SOFTWARE. 23 */ 24 25 #ifndef USE_HOSTCC 26 #include <common.h> 27 #else 28 #include <string.h> 29 #endif 30 #include "aes.h" 31 32 /* forward s-box */ 33 static const u8 sbox[256] = { 34 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 35 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, 36 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 37 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, 38 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 39 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, 40 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 41 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, 42 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 43 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, 44 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 45 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, 46 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 47 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, 48 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 49 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, 50 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 51 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, 52 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 53 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb, 54 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 55 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, 56 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 57 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08, 58 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 59 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, 60 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 61 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, 62 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 63 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, 64 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 65 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 66 }; 67 68 /* inverse s-box */ 69 static const u8 inv_sbox[256] = { 70 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 71 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb, 72 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 73 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb, 74 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 75 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e, 76 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 77 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25, 78 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 79 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92, 80 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 81 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84, 82 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 83 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06, 84 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 85 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b, 86 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 87 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73, 88 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 89 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e, 90 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 91 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b, 92 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 93 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4, 94 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 95 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f, 96 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 97 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef, 98 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 99 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61, 100 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 101 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d 102 }; 103 104 /* combined Xtimes2[Sbox[]] */ 105 static const u8 x2_sbox[256] = { 106 0xc6, 0xf8, 0xee, 0xf6, 0xff, 0xd6, 0xde, 0x91, 107 0x60, 0x02, 0xce, 0x56, 0xe7, 0xb5, 0x4d, 0xec, 108 0x8f, 0x1f, 0x89, 0xfa, 0xef, 0xb2, 0x8e, 0xfb, 109 0x41, 0xb3, 0x5f, 0x45, 0x23, 0x53, 0xe4, 0x9b, 110 0x75, 0xe1, 0x3d, 0x4c, 0x6c, 0x7e, 0xf5, 0x83, 111 0x68, 0x51, 0xd1, 0xf9, 0xe2, 0xab, 0x62, 0x2a, 112 0x08, 0x95, 0x46, 0x9d, 0x30, 0x37, 0x0a, 0x2f, 113 0x0e, 0x24, 0x1b, 0xdf, 0xcd, 0x4e, 0x7f, 0xea, 114 0x12, 0x1d, 0x58, 0x34, 0x36, 0xdc, 0xb4, 0x5b, 115 0xa4, 0x76, 0xb7, 0x7d, 0x52, 0xdd, 0x5e, 0x13, 116 0xa6, 0xb9, 0x00, 0xc1, 0x40, 0xe3, 0x79, 0xb6, 117 0xd4, 0x8d, 0x67, 0x72, 0x94, 0x98, 0xb0, 0x85, 118 0xbb, 0xc5, 0x4f, 0xed, 0x86, 0x9a, 0x66, 0x11, 119 0x8a, 0xe9, 0x04, 0xfe, 0xa0, 0x78, 0x25, 0x4b, 120 0xa2, 0x5d, 0x80, 0x05, 0x3f, 0x21, 0x70, 0xf1, 121 0x63, 0x77, 0xaf, 0x42, 0x20, 0xe5, 0xfd, 0xbf, 122 0x81, 0x18, 0x26, 0xc3, 0xbe, 0x35, 0x88, 0x2e, 123 0x93, 0x55, 0xfc, 0x7a, 0xc8, 0xba, 0x32, 0xe6, 124 0xc0, 0x19, 0x9e, 0xa3, 0x44, 0x54, 0x3b, 0x0b, 125 0x8c, 0xc7, 0x6b, 0x28, 0xa7, 0xbc, 0x16, 0xad, 126 0xdb, 0x64, 0x74, 0x14, 0x92, 0x0c, 0x48, 0xb8, 127 0x9f, 0xbd, 0x43, 0xc4, 0x39, 0x31, 0xd3, 0xf2, 128 0xd5, 0x8b, 0x6e, 0xda, 0x01, 0xb1, 0x9c, 0x49, 129 0xd8, 0xac, 0xf3, 0xcf, 0xca, 0xf4, 0x47, 0x10, 130 0x6f, 0xf0, 0x4a, 0x5c, 0x38, 0x57, 0x73, 0x97, 131 0xcb, 0xa1, 0xe8, 0x3e, 0x96, 0x61, 0x0d, 0x0f, 132 0xe0, 0x7c, 0x71, 0xcc, 0x90, 0x06, 0xf7, 0x1c, 133 0xc2, 0x6a, 0xae, 0x69, 0x17, 0x99, 0x3a, 0x27, 134 0xd9, 0xeb, 0x2b, 0x22, 0xd2, 0xa9, 0x07, 0x33, 135 0x2d, 0x3c, 0x15, 0xc9, 0x87, 0xaa, 0x50, 0xa5, 136 0x03, 0x59, 0x09, 0x1a, 0x65, 0xd7, 0x84, 0xd0, 137 0x82, 0x29, 0x5a, 0x1e, 0x7b, 0xa8, 0x6d, 0x2c 138 }; 139 140 /* combined Xtimes3[Sbox[]] */ 141 static const u8 x3_sbox[256] = { 142 0xa5, 0x84, 0x99, 0x8d, 0x0d, 0xbd, 0xb1, 0x54, 143 0x50, 0x03, 0xa9, 0x7d, 0x19, 0x62, 0xe6, 0x9a, 144 0x45, 0x9d, 0x40, 0x87, 0x15, 0xeb, 0xc9, 0x0b, 145 0xec, 0x67, 0xfd, 0xea, 0xbf, 0xf7, 0x96, 0x5b, 146 0xc2, 0x1c, 0xae, 0x6a, 0x5a, 0x41, 0x02, 0x4f, 147 0x5c, 0xf4, 0x34, 0x08, 0x93, 0x73, 0x53, 0x3f, 148 0x0c, 0x52, 0x65, 0x5e, 0x28, 0xa1, 0x0f, 0xb5, 149 0x09, 0x36, 0x9b, 0x3d, 0x26, 0x69, 0xcd, 0x9f, 150 0x1b, 0x9e, 0x74, 0x2e, 0x2d, 0xb2, 0xee, 0xfb, 151 0xf6, 0x4d, 0x61, 0xce, 0x7b, 0x3e, 0x71, 0x97, 152 0xf5, 0x68, 0x00, 0x2c, 0x60, 0x1f, 0xc8, 0xed, 153 0xbe, 0x46, 0xd9, 0x4b, 0xde, 0xd4, 0xe8, 0x4a, 154 0x6b, 0x2a, 0xe5, 0x16, 0xc5, 0xd7, 0x55, 0x94, 155 0xcf, 0x10, 0x06, 0x81, 0xf0, 0x44, 0xba, 0xe3, 156 0xf3, 0xfe, 0xc0, 0x8a, 0xad, 0xbc, 0x48, 0x04, 157 0xdf, 0xc1, 0x75, 0x63, 0x30, 0x1a, 0x0e, 0x6d, 158 0x4c, 0x14, 0x35, 0x2f, 0xe1, 0xa2, 0xcc, 0x39, 159 0x57, 0xf2, 0x82, 0x47, 0xac, 0xe7, 0x2b, 0x95, 160 0xa0, 0x98, 0xd1, 0x7f, 0x66, 0x7e, 0xab, 0x83, 161 0xca, 0x29, 0xd3, 0x3c, 0x79, 0xe2, 0x1d, 0x76, 162 0x3b, 0x56, 0x4e, 0x1e, 0xdb, 0x0a, 0x6c, 0xe4, 163 0x5d, 0x6e, 0xef, 0xa6, 0xa8, 0xa4, 0x37, 0x8b, 164 0x32, 0x43, 0x59, 0xb7, 0x8c, 0x64, 0xd2, 0xe0, 165 0xb4, 0xfa, 0x07, 0x25, 0xaf, 0x8e, 0xe9, 0x18, 166 0xd5, 0x88, 0x6f, 0x72, 0x24, 0xf1, 0xc7, 0x51, 167 0x23, 0x7c, 0x9c, 0x21, 0xdd, 0xdc, 0x86, 0x85, 168 0x90, 0x42, 0xc4, 0xaa, 0xd8, 0x05, 0x01, 0x12, 169 0xa3, 0x5f, 0xf9, 0xd0, 0x91, 0x58, 0x27, 0xb9, 170 0x38, 0x13, 0xb3, 0x33, 0xbb, 0x70, 0x89, 0xa7, 171 0xb6, 0x22, 0x92, 0x20, 0x49, 0xff, 0x78, 0x7a, 172 0x8f, 0xf8, 0x80, 0x17, 0xda, 0x31, 0xc6, 0xb8, 173 0xc3, 0xb0, 0x77, 0x11, 0xcb, 0xfc, 0xd6, 0x3a 174 }; 175 176 /* 177 * modular multiplication tables based on: 178 * 179 * Xtime2[x] = (x & 0x80 ? 0x1b : 0) ^ (x + x) 180 * Xtime3[x] = x^Xtime2[x]; 181 */ 182 static const u8 x_time_9[256] = { 183 0x00, 0x09, 0x12, 0x1b, 0x24, 0x2d, 0x36, 0x3f, 184 0x48, 0x41, 0x5a, 0x53, 0x6c, 0x65, 0x7e, 0x77, 185 0x90, 0x99, 0x82, 0x8b, 0xb4, 0xbd, 0xa6, 0xaf, 186 0xd8, 0xd1, 0xca, 0xc3, 0xfc, 0xf5, 0xee, 0xe7, 187 0x3b, 0x32, 0x29, 0x20, 0x1f, 0x16, 0x0d, 0x04, 188 0x73, 0x7a, 0x61, 0x68, 0x57, 0x5e, 0x45, 0x4c, 189 0xab, 0xa2, 0xb9, 0xb0, 0x8f, 0x86, 0x9d, 0x94, 190 0xe3, 0xea, 0xf1, 0xf8, 0xc7, 0xce, 0xd5, 0xdc, 191 0x76, 0x7f, 0x64, 0x6d, 0x52, 0x5b, 0x40, 0x49, 192 0x3e, 0x37, 0x2c, 0x25, 0x1a, 0x13, 0x08, 0x01, 193 0xe6, 0xef, 0xf4, 0xfd, 0xc2, 0xcb, 0xd0, 0xd9, 194 0xae, 0xa7, 0xbc, 0xb5, 0x8a, 0x83, 0x98, 0x91, 195 0x4d, 0x44, 0x5f, 0x56, 0x69, 0x60, 0x7b, 0x72, 196 0x05, 0x0c, 0x17, 0x1e, 0x21, 0x28, 0x33, 0x3a, 197 0xdd, 0xd4, 0xcf, 0xc6, 0xf9, 0xf0, 0xeb, 0xe2, 198 0x95, 0x9c, 0x87, 0x8e, 0xb1, 0xb8, 0xa3, 0xaa, 199 0xec, 0xe5, 0xfe, 0xf7, 0xc8, 0xc1, 0xda, 0xd3, 200 0xa4, 0xad, 0xb6, 0xbf, 0x80, 0x89, 0x92, 0x9b, 201 0x7c, 0x75, 0x6e, 0x67, 0x58, 0x51, 0x4a, 0x43, 202 0x34, 0x3d, 0x26, 0x2f, 0x10, 0x19, 0x02, 0x0b, 203 0xd7, 0xde, 0xc5, 0xcc, 0xf3, 0xfa, 0xe1, 0xe8, 204 0x9f, 0x96, 0x8d, 0x84, 0xbb, 0xb2, 0xa9, 0xa0, 205 0x47, 0x4e, 0x55, 0x5c, 0x63, 0x6a, 0x71, 0x78, 206 0x0f, 0x06, 0x1d, 0x14, 0x2b, 0x22, 0x39, 0x30, 207 0x9a, 0x93, 0x88, 0x81, 0xbe, 0xb7, 0xac, 0xa5, 208 0xd2, 0xdb, 0xc0, 0xc9, 0xf6, 0xff, 0xe4, 0xed, 209 0x0a, 0x03, 0x18, 0x11, 0x2e, 0x27, 0x3c, 0x35, 210 0x42, 0x4b, 0x50, 0x59, 0x66, 0x6f, 0x74, 0x7d, 211 0xa1, 0xa8, 0xb3, 0xba, 0x85, 0x8c, 0x97, 0x9e, 212 0xe9, 0xe0, 0xfb, 0xf2, 0xcd, 0xc4, 0xdf, 0xd6, 213 0x31, 0x38, 0x23, 0x2a, 0x15, 0x1c, 0x07, 0x0e, 214 0x79, 0x70, 0x6b, 0x62, 0x5d, 0x54, 0x4f, 0x46 215 }; 216 217 static const u8 x_time_b[256] = { 218 0x00, 0x0b, 0x16, 0x1d, 0x2c, 0x27, 0x3a, 0x31, 219 0x58, 0x53, 0x4e, 0x45, 0x74, 0x7f, 0x62, 0x69, 220 0xb0, 0xbb, 0xa6, 0xad, 0x9c, 0x97, 0x8a, 0x81, 221 0xe8, 0xe3, 0xfe, 0xf5, 0xc4, 0xcf, 0xd2, 0xd9, 222 0x7b, 0x70, 0x6d, 0x66, 0x57, 0x5c, 0x41, 0x4a, 223 0x23, 0x28, 0x35, 0x3e, 0x0f, 0x04, 0x19, 0x12, 224 0xcb, 0xc0, 0xdd, 0xd6, 0xe7, 0xec, 0xf1, 0xfa, 225 0x93, 0x98, 0x85, 0x8e, 0xbf, 0xb4, 0xa9, 0xa2, 226 0xf6, 0xfd, 0xe0, 0xeb, 0xda, 0xd1, 0xcc, 0xc7, 227 0xae, 0xa5, 0xb8, 0xb3, 0x82, 0x89, 0x94, 0x9f, 228 0x46, 0x4d, 0x50, 0x5b, 0x6a, 0x61, 0x7c, 0x77, 229 0x1e, 0x15, 0x08, 0x03, 0x32, 0x39, 0x24, 0x2f, 230 0x8d, 0x86, 0x9b, 0x90, 0xa1, 0xaa, 0xb7, 0xbc, 231 0xd5, 0xde, 0xc3, 0xc8, 0xf9, 0xf2, 0xef, 0xe4, 232 0x3d, 0x36, 0x2b, 0x20, 0x11, 0x1a, 0x07, 0x0c, 233 0x65, 0x6e, 0x73, 0x78, 0x49, 0x42, 0x5f, 0x54, 234 0xf7, 0xfc, 0xe1, 0xea, 0xdb, 0xd0, 0xcd, 0xc6, 235 0xaf, 0xa4, 0xb9, 0xb2, 0x83, 0x88, 0x95, 0x9e, 236 0x47, 0x4c, 0x51, 0x5a, 0x6b, 0x60, 0x7d, 0x76, 237 0x1f, 0x14, 0x09, 0x02, 0x33, 0x38, 0x25, 0x2e, 238 0x8c, 0x87, 0x9a, 0x91, 0xa0, 0xab, 0xb6, 0xbd, 239 0xd4, 0xdf, 0xc2, 0xc9, 0xf8, 0xf3, 0xee, 0xe5, 240 0x3c, 0x37, 0x2a, 0x21, 0x10, 0x1b, 0x06, 0x0d, 241 0x64, 0x6f, 0x72, 0x79, 0x48, 0x43, 0x5e, 0x55, 242 0x01, 0x0a, 0x17, 0x1c, 0x2d, 0x26, 0x3b, 0x30, 243 0x59, 0x52, 0x4f, 0x44, 0x75, 0x7e, 0x63, 0x68, 244 0xb1, 0xba, 0xa7, 0xac, 0x9d, 0x96, 0x8b, 0x80, 245 0xe9, 0xe2, 0xff, 0xf4, 0xc5, 0xce, 0xd3, 0xd8, 246 0x7a, 0x71, 0x6c, 0x67, 0x56, 0x5d, 0x40, 0x4b, 247 0x22, 0x29, 0x34, 0x3f, 0x0e, 0x05, 0x18, 0x13, 248 0xca, 0xc1, 0xdc, 0xd7, 0xe6, 0xed, 0xf0, 0xfb, 249 0x92, 0x99, 0x84, 0x8f, 0xbe, 0xb5, 0xa8, 0xa3 250 }; 251 252 static const u8 x_time_d[256] = { 253 0x00, 0x0d, 0x1a, 0x17, 0x34, 0x39, 0x2e, 0x23, 254 0x68, 0x65, 0x72, 0x7f, 0x5c, 0x51, 0x46, 0x4b, 255 0xd0, 0xdd, 0xca, 0xc7, 0xe4, 0xe9, 0xfe, 0xf3, 256 0xb8, 0xb5, 0xa2, 0xaf, 0x8c, 0x81, 0x96, 0x9b, 257 0xbb, 0xb6, 0xa1, 0xac, 0x8f, 0x82, 0x95, 0x98, 258 0xd3, 0xde, 0xc9, 0xc4, 0xe7, 0xea, 0xfd, 0xf0, 259 0x6b, 0x66, 0x71, 0x7c, 0x5f, 0x52, 0x45, 0x48, 260 0x03, 0x0e, 0x19, 0x14, 0x37, 0x3a, 0x2d, 0x20, 261 0x6d, 0x60, 0x77, 0x7a, 0x59, 0x54, 0x43, 0x4e, 262 0x05, 0x08, 0x1f, 0x12, 0x31, 0x3c, 0x2b, 0x26, 263 0xbd, 0xb0, 0xa7, 0xaa, 0x89, 0x84, 0x93, 0x9e, 264 0xd5, 0xd8, 0xcf, 0xc2, 0xe1, 0xec, 0xfb, 0xf6, 265 0xd6, 0xdb, 0xcc, 0xc1, 0xe2, 0xef, 0xf8, 0xf5, 266 0xbe, 0xb3, 0xa4, 0xa9, 0x8a, 0x87, 0x90, 0x9d, 267 0x06, 0x0b, 0x1c, 0x11, 0x32, 0x3f, 0x28, 0x25, 268 0x6e, 0x63, 0x74, 0x79, 0x5a, 0x57, 0x40, 0x4d, 269 0xda, 0xd7, 0xc0, 0xcd, 0xee, 0xe3, 0xf4, 0xf9, 270 0xb2, 0xbf, 0xa8, 0xa5, 0x86, 0x8b, 0x9c, 0x91, 271 0x0a, 0x07, 0x10, 0x1d, 0x3e, 0x33, 0x24, 0x29, 272 0x62, 0x6f, 0x78, 0x75, 0x56, 0x5b, 0x4c, 0x41, 273 0x61, 0x6c, 0x7b, 0x76, 0x55, 0x58, 0x4f, 0x42, 274 0x09, 0x04, 0x13, 0x1e, 0x3d, 0x30, 0x27, 0x2a, 275 0xb1, 0xbc, 0xab, 0xa6, 0x85, 0x88, 0x9f, 0x92, 276 0xd9, 0xd4, 0xc3, 0xce, 0xed, 0xe0, 0xf7, 0xfa, 277 0xb7, 0xba, 0xad, 0xa0, 0x83, 0x8e, 0x99, 0x94, 278 0xdf, 0xd2, 0xc5, 0xc8, 0xeb, 0xe6, 0xf1, 0xfc, 279 0x67, 0x6a, 0x7d, 0x70, 0x53, 0x5e, 0x49, 0x44, 280 0x0f, 0x02, 0x15, 0x18, 0x3b, 0x36, 0x21, 0x2c, 281 0x0c, 0x01, 0x16, 0x1b, 0x38, 0x35, 0x22, 0x2f, 282 0x64, 0x69, 0x7e, 0x73, 0x50, 0x5d, 0x4a, 0x47, 283 0xdc, 0xd1, 0xc6, 0xcb, 0xe8, 0xe5, 0xf2, 0xff, 284 0xb4, 0xb9, 0xae, 0xa3, 0x80, 0x8d, 0x9a, 0x97 285 }; 286 287 static const u8 x_time_e[256] = { 288 0x00, 0x0e, 0x1c, 0x12, 0x38, 0x36, 0x24, 0x2a, 289 0x70, 0x7e, 0x6c, 0x62, 0x48, 0x46, 0x54, 0x5a, 290 0xe0, 0xee, 0xfc, 0xf2, 0xd8, 0xd6, 0xc4, 0xca, 291 0x90, 0x9e, 0x8c, 0x82, 0xa8, 0xa6, 0xb4, 0xba, 292 0xdb, 0xd5, 0xc7, 0xc9, 0xe3, 0xed, 0xff, 0xf1, 293 0xab, 0xa5, 0xb7, 0xb9, 0x93, 0x9d, 0x8f, 0x81, 294 0x3b, 0x35, 0x27, 0x29, 0x03, 0x0d, 0x1f, 0x11, 295 0x4b, 0x45, 0x57, 0x59, 0x73, 0x7d, 0x6f, 0x61, 296 0xad, 0xa3, 0xb1, 0xbf, 0x95, 0x9b, 0x89, 0x87, 297 0xdd, 0xd3, 0xc1, 0xcf, 0xe5, 0xeb, 0xf9, 0xf7, 298 0x4d, 0x43, 0x51, 0x5f, 0x75, 0x7b, 0x69, 0x67, 299 0x3d, 0x33, 0x21, 0x2f, 0x05, 0x0b, 0x19, 0x17, 300 0x76, 0x78, 0x6a, 0x64, 0x4e, 0x40, 0x52, 0x5c, 301 0x06, 0x08, 0x1a, 0x14, 0x3e, 0x30, 0x22, 0x2c, 302 0x96, 0x98, 0x8a, 0x84, 0xae, 0xa0, 0xb2, 0xbc, 303 0xe6, 0xe8, 0xfa, 0xf4, 0xde, 0xd0, 0xc2, 0xcc, 304 0x41, 0x4f, 0x5d, 0x53, 0x79, 0x77, 0x65, 0x6b, 305 0x31, 0x3f, 0x2d, 0x23, 0x09, 0x07, 0x15, 0x1b, 306 0xa1, 0xaf, 0xbd, 0xb3, 0x99, 0x97, 0x85, 0x8b, 307 0xd1, 0xdf, 0xcd, 0xc3, 0xe9, 0xe7, 0xf5, 0xfb, 308 0x9a, 0x94, 0x86, 0x88, 0xa2, 0xac, 0xbe, 0xb0, 309 0xea, 0xe4, 0xf6, 0xf8, 0xd2, 0xdc, 0xce, 0xc0, 310 0x7a, 0x74, 0x66, 0x68, 0x42, 0x4c, 0x5e, 0x50, 311 0x0a, 0x04, 0x16, 0x18, 0x32, 0x3c, 0x2e, 0x20, 312 0xec, 0xe2, 0xf0, 0xfe, 0xd4, 0xda, 0xc8, 0xc6, 313 0x9c, 0x92, 0x80, 0x8e, 0xa4, 0xaa, 0xb8, 0xb6, 314 0x0c, 0x02, 0x10, 0x1e, 0x34, 0x3a, 0x28, 0x26, 315 0x7c, 0x72, 0x60, 0x6e, 0x44, 0x4a, 0x58, 0x56, 316 0x37, 0x39, 0x2b, 0x25, 0x0f, 0x01, 0x13, 0x1d, 317 0x47, 0x49, 0x5b, 0x55, 0x7f, 0x71, 0x63, 0x6d, 318 0xd7, 0xd9, 0xcb, 0xc5, 0xef, 0xe1, 0xf3, 0xfd, 319 0xa7, 0xa9, 0xbb, 0xb5, 0x9f, 0x91, 0x83, 0x8d 320 }; 321 322 /* 323 * Exchanges columns in each of 4 rows 324 * row0 - unchanged, row1- shifted left 1, 325 * row2 - shifted left 2 and row3 - shifted left 3 326 */ 327 static void shift_rows(u8 *state) 328 { 329 u8 tmp; 330 331 /* just substitute row 0 */ 332 state[0] = sbox[state[0]]; 333 state[4] = sbox[state[4]]; 334 state[8] = sbox[state[8]]; 335 state[12] = sbox[state[12]]; 336 337 /* rotate row 1 */ 338 tmp = sbox[state[1]]; 339 state[1] = sbox[state[5]]; 340 state[5] = sbox[state[9]]; 341 state[9] = sbox[state[13]]; 342 state[13] = tmp; 343 344 /* rotate row 2 */ 345 tmp = sbox[state[2]]; 346 state[2] = sbox[state[10]]; 347 state[10] = tmp; 348 tmp = sbox[state[6]]; 349 state[6] = sbox[state[14]]; 350 state[14] = tmp; 351 352 /* rotate row 3 */ 353 tmp = sbox[state[15]]; 354 state[15] = sbox[state[11]]; 355 state[11] = sbox[state[7]]; 356 state[7] = sbox[state[3]]; 357 state[3] = tmp; 358 } 359 360 /* 361 * restores columns in each of 4 rows 362 * row0 - unchanged, row1- shifted right 1, 363 * row2 - shifted right 2 and row3 - shifted right 3 364 */ 365 static void inv_shift_rows(u8 *state) 366 { 367 u8 tmp; 368 369 /* restore row 0 */ 370 state[0] = inv_sbox[state[0]]; 371 state[4] = inv_sbox[state[4]]; 372 state[8] = inv_sbox[state[8]]; 373 state[12] = inv_sbox[state[12]]; 374 375 /* restore row 1 */ 376 tmp = inv_sbox[state[13]]; 377 state[13] = inv_sbox[state[9]]; 378 state[9] = inv_sbox[state[5]]; 379 state[5] = inv_sbox[state[1]]; 380 state[1] = tmp; 381 382 /* restore row 2 */ 383 tmp = inv_sbox[state[2]]; 384 state[2] = inv_sbox[state[10]]; 385 state[10] = tmp; 386 tmp = inv_sbox[state[6]]; 387 state[6] = inv_sbox[state[14]]; 388 state[14] = tmp; 389 390 /* restore row 3 */ 391 tmp = inv_sbox[state[3]]; 392 state[3] = inv_sbox[state[7]]; 393 state[7] = inv_sbox[state[11]]; 394 state[11] = inv_sbox[state[15]]; 395 state[15] = tmp; 396 } 397 398 /* recombine and mix each row in a column */ 399 static void mix_sub_columns(u8 *state) 400 { 401 u8 tmp[4 * AES_STATECOLS]; 402 403 /* mixing column 0 */ 404 tmp[0] = x2_sbox[state[0]] ^ x3_sbox[state[5]] ^ 405 sbox[state[10]] ^ sbox[state[15]]; 406 tmp[1] = sbox[state[0]] ^ x2_sbox[state[5]] ^ 407 x3_sbox[state[10]] ^ sbox[state[15]]; 408 tmp[2] = sbox[state[0]] ^ sbox[state[5]] ^ 409 x2_sbox[state[10]] ^ x3_sbox[state[15]]; 410 tmp[3] = x3_sbox[state[0]] ^ sbox[state[5]] ^ 411 sbox[state[10]] ^ x2_sbox[state[15]]; 412 413 /* mixing column 1 */ 414 tmp[4] = x2_sbox[state[4]] ^ x3_sbox[state[9]] ^ 415 sbox[state[14]] ^ sbox[state[3]]; 416 tmp[5] = sbox[state[4]] ^ x2_sbox[state[9]] ^ 417 x3_sbox[state[14]] ^ sbox[state[3]]; 418 tmp[6] = sbox[state[4]] ^ sbox[state[9]] ^ 419 x2_sbox[state[14]] ^ x3_sbox[state[3]]; 420 tmp[7] = x3_sbox[state[4]] ^ sbox[state[9]] ^ 421 sbox[state[14]] ^ x2_sbox[state[3]]; 422 423 /* mixing column 2 */ 424 tmp[8] = x2_sbox[state[8]] ^ x3_sbox[state[13]] ^ 425 sbox[state[2]] ^ sbox[state[7]]; 426 tmp[9] = sbox[state[8]] ^ x2_sbox[state[13]] ^ 427 x3_sbox[state[2]] ^ sbox[state[7]]; 428 tmp[10] = sbox[state[8]] ^ sbox[state[13]] ^ 429 x2_sbox[state[2]] ^ x3_sbox[state[7]]; 430 tmp[11] = x3_sbox[state[8]] ^ sbox[state[13]] ^ 431 sbox[state[2]] ^ x2_sbox[state[7]]; 432 433 /* mixing column 3 */ 434 tmp[12] = x2_sbox[state[12]] ^ x3_sbox[state[1]] ^ 435 sbox[state[6]] ^ sbox[state[11]]; 436 tmp[13] = sbox[state[12]] ^ x2_sbox[state[1]] ^ 437 x3_sbox[state[6]] ^ sbox[state[11]]; 438 tmp[14] = sbox[state[12]] ^ sbox[state[1]] ^ 439 x2_sbox[state[6]] ^ x3_sbox[state[11]]; 440 tmp[15] = x3_sbox[state[12]] ^ sbox[state[1]] ^ 441 sbox[state[6]] ^ x2_sbox[state[11]]; 442 443 memcpy(state, tmp, sizeof(tmp)); 444 } 445 446 /* restore and un-mix each row in a column */ 447 static void inv_mix_sub_columns(u8 *state) 448 { 449 u8 tmp[4 * AES_STATECOLS]; 450 int i; 451 452 /* restore column 0 */ 453 tmp[0] = x_time_e[state[0]] ^ x_time_b[state[1]] ^ 454 x_time_d[state[2]] ^ x_time_9[state[3]]; 455 tmp[5] = x_time_9[state[0]] ^ x_time_e[state[1]] ^ 456 x_time_b[state[2]] ^ x_time_d[state[3]]; 457 tmp[10] = x_time_d[state[0]] ^ x_time_9[state[1]] ^ 458 x_time_e[state[2]] ^ x_time_b[state[3]]; 459 tmp[15] = x_time_b[state[0]] ^ x_time_d[state[1]] ^ 460 x_time_9[state[2]] ^ x_time_e[state[3]]; 461 462 /* restore column 1 */ 463 tmp[4] = x_time_e[state[4]] ^ x_time_b[state[5]] ^ 464 x_time_d[state[6]] ^ x_time_9[state[7]]; 465 tmp[9] = x_time_9[state[4]] ^ x_time_e[state[5]] ^ 466 x_time_b[state[6]] ^ x_time_d[state[7]]; 467 tmp[14] = x_time_d[state[4]] ^ x_time_9[state[5]] ^ 468 x_time_e[state[6]] ^ x_time_b[state[7]]; 469 tmp[3] = x_time_b[state[4]] ^ x_time_d[state[5]] ^ 470 x_time_9[state[6]] ^ x_time_e[state[7]]; 471 472 /* restore column 2 */ 473 tmp[8] = x_time_e[state[8]] ^ x_time_b[state[9]] ^ 474 x_time_d[state[10]] ^ x_time_9[state[11]]; 475 tmp[13] = x_time_9[state[8]] ^ x_time_e[state[9]] ^ 476 x_time_b[state[10]] ^ x_time_d[state[11]]; 477 tmp[2] = x_time_d[state[8]] ^ x_time_9[state[9]] ^ 478 x_time_e[state[10]] ^ x_time_b[state[11]]; 479 tmp[7] = x_time_b[state[8]] ^ x_time_d[state[9]] ^ 480 x_time_9[state[10]] ^ x_time_e[state[11]]; 481 482 /* restore column 3 */ 483 tmp[12] = x_time_e[state[12]] ^ x_time_b[state[13]] ^ 484 x_time_d[state[14]] ^ x_time_9[state[15]]; 485 tmp[1] = x_time_9[state[12]] ^ x_time_e[state[13]] ^ 486 x_time_b[state[14]] ^ x_time_d[state[15]]; 487 tmp[6] = x_time_d[state[12]] ^ x_time_9[state[13]] ^ 488 x_time_e[state[14]] ^ x_time_b[state[15]]; 489 tmp[11] = x_time_b[state[12]] ^ x_time_d[state[13]] ^ 490 x_time_9[state[14]] ^ x_time_e[state[15]]; 491 492 for (i = 0; i < 4 * AES_STATECOLS; i++) 493 state[i] = inv_sbox[tmp[i]]; 494 } 495 496 /* 497 * encrypt/decrypt columns of the key 498 * n.b. you can replace this with byte-wise xor if you wish. 499 */ 500 static void add_round_key(u32 *state, u32 *key) 501 { 502 int idx; 503 504 for (idx = 0; idx < 4; idx++) 505 state[idx] ^= key[idx]; 506 } 507 508 static u8 rcon[11] = { 509 0x00, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36 510 }; 511 512 /* produce AES_STATECOLS bytes for each round */ 513 void aes_expand_key(u8 *key, u8 *expkey) 514 { 515 u8 tmp0, tmp1, tmp2, tmp3, tmp4; 516 u32 idx; 517 518 memcpy(expkey, key, AES_KEYCOLS * 4); 519 520 for (idx = AES_KEYCOLS; idx < AES_STATECOLS * (AES_ROUNDS + 1); idx++) { 521 tmp0 = expkey[4*idx - 4]; 522 tmp1 = expkey[4*idx - 3]; 523 tmp2 = expkey[4*idx - 2]; 524 tmp3 = expkey[4*idx - 1]; 525 if (!(idx % AES_KEYCOLS)) { 526 tmp4 = tmp3; 527 tmp3 = sbox[tmp0]; 528 tmp0 = sbox[tmp1] ^ rcon[idx / AES_KEYCOLS]; 529 tmp1 = sbox[tmp2]; 530 tmp2 = sbox[tmp4]; 531 } else if ((AES_KEYCOLS > 6) && (idx % AES_KEYCOLS == 4)) { 532 tmp0 = sbox[tmp0]; 533 tmp1 = sbox[tmp1]; 534 tmp2 = sbox[tmp2]; 535 tmp3 = sbox[tmp3]; 536 } 537 538 expkey[4*idx+0] = expkey[4*idx - 4*AES_KEYCOLS + 0] ^ tmp0; 539 expkey[4*idx+1] = expkey[4*idx - 4*AES_KEYCOLS + 1] ^ tmp1; 540 expkey[4*idx+2] = expkey[4*idx - 4*AES_KEYCOLS + 2] ^ tmp2; 541 expkey[4*idx+3] = expkey[4*idx - 4*AES_KEYCOLS + 3] ^ tmp3; 542 } 543 } 544 545 /* encrypt one 128 bit block */ 546 void aes_encrypt(u8 *in, u8 *expkey, u8 *out) 547 { 548 u8 state[AES_STATECOLS * 4]; 549 u32 round; 550 551 memcpy(state, in, AES_STATECOLS * 4); 552 add_round_key((u32 *)state, (u32 *)expkey); 553 554 for (round = 1; round < AES_ROUNDS + 1; round++) { 555 if (round < AES_ROUNDS) 556 mix_sub_columns(state); 557 else 558 shift_rows(state); 559 560 add_round_key((u32 *)state, 561 (u32 *)expkey + round * AES_STATECOLS); 562 } 563 564 memcpy(out, state, sizeof(state)); 565 } 566 567 void aes_decrypt(u8 *in, u8 *expkey, u8 *out) 568 { 569 u8 state[AES_STATECOLS * 4]; 570 int round; 571 572 memcpy(state, in, sizeof(state)); 573 574 add_round_key((u32 *)state, 575 (u32 *)expkey + AES_ROUNDS * AES_STATECOLS); 576 inv_shift_rows(state); 577 578 for (round = AES_ROUNDS; round--; ) { 579 add_round_key((u32 *)state, 580 (u32 *)expkey + round * AES_STATECOLS); 581 if (round) 582 inv_mix_sub_columns(state); 583 } 584 585 memcpy(out, state, sizeof(state)); 586 } 587 588 static void debug_print_vector(char *name, u32 num_bytes, u8 *data) 589 { 590 #ifdef DEBUG 591 printf("%s [%d] @0x%08x", name, num_bytes, (u32)data); 592 print_buffer(0, data, 1, num_bytes, 16); 593 #endif 594 } 595 596 void aes_apply_cbc_chain_data(u8 *cbc_chain_data, u8 *src, u8 *dst) 597 { 598 int i; 599 600 for (i = 0; i < AES_KEY_LENGTH; i++) 601 *dst++ = *src++ ^ *cbc_chain_data++; 602 } 603 604 void aes_cbc_encrypt_blocks(u8 *key_exp, u8 *src, u8 *dst, u32 num_aes_blocks) 605 { 606 u8 zero_key[AES_KEY_LENGTH] = { 0 }; 607 u8 tmp_data[AES_KEY_LENGTH]; 608 /* Convenient array of 0's for IV */ 609 u8 *cbc_chain_data = zero_key; 610 u32 i; 611 612 for (i = 0; i < num_aes_blocks; i++) { 613 debug("encrypt_object: block %d of %d\n", i, num_aes_blocks); 614 debug_print_vector("AES Src", AES_KEY_LENGTH, src); 615 616 /* Apply the chain data */ 617 aes_apply_cbc_chain_data(cbc_chain_data, src, tmp_data); 618 debug_print_vector("AES Xor", AES_KEY_LENGTH, tmp_data); 619 620 /* Encrypt the AES block */ 621 aes_encrypt(tmp_data, key_exp, dst); 622 debug_print_vector("AES Dst", AES_KEY_LENGTH, dst); 623 624 /* Update pointers for next loop. */ 625 cbc_chain_data = dst; 626 src += AES_KEY_LENGTH; 627 dst += AES_KEY_LENGTH; 628 } 629 } 630 631 void aes_cbc_decrypt_blocks(u8 *key_exp, u8 *src, u8 *dst, u32 num_aes_blocks) 632 { 633 u8 tmp_data[AES_KEY_LENGTH], tmp_block[AES_KEY_LENGTH]; 634 /* Convenient array of 0's for IV */ 635 u8 cbc_chain_data[AES_KEY_LENGTH] = { 0 }; 636 u32 i; 637 638 for (i = 0; i < num_aes_blocks; i++) { 639 debug("encrypt_object: block %d of %d\n", i, num_aes_blocks); 640 debug_print_vector("AES Src", AES_KEY_LENGTH, src); 641 642 memcpy(tmp_block, src, AES_KEY_LENGTH); 643 644 /* Decrypt the AES block */ 645 aes_decrypt(src, key_exp, tmp_data); 646 debug_print_vector("AES Xor", AES_KEY_LENGTH, tmp_data); 647 648 /* Apply the chain data */ 649 aes_apply_cbc_chain_data(cbc_chain_data, tmp_data, dst); 650 debug_print_vector("AES Dst", AES_KEY_LENGTH, dst); 651 652 /* Update pointers for next loop. */ 653 memcpy(cbc_chain_data, tmp_block, AES_KEY_LENGTH); 654 src += AES_KEY_LENGTH; 655 dst += AES_KEY_LENGTH; 656 } 657 } 658