1 /*
2 * Copyright (C) 2015-2018 Alibaba Group Holding Limited
3 */
4
5 /*
6 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
7 *
8 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
9 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
10 */
11 #if defined(INFRA_AES)
12 #include "linkkit/infra/infra_config.h"
13 #include "linkkit/infra/infra_aes.h"
14 #include <string.h>
15 #include <stdlib.h>
16 #include "linkkit/infra/infra_compat.h"
17
18 #ifdef INFRA_AES_BUILDIN
19
20 #if !defined(INFRA_CONFIG_FILE)
21 #include "linkkit/infra/infra_aes_config.h"
22 #else
23 #include INFRA_CONFIG_FILE
24 #endif
25
26 /* Implementation that should never be optimized out by the compiler */
infra_aes_zeroize(void * v,size_t n)27 static void infra_aes_zeroize(void *v, size_t n)
28 {
29 volatile unsigned char *p = (unsigned char *)v; // avoid be optimized by compiler
30
31 while (n--)
32 *p++ = 0;
33 }
34
35 /*
36 * 32-bit integer manipulation macros (little endian)
37 */
38 #ifndef GET_UINT32_LE
39 #define GET_UINT32_LE(n, b, i) \
40 { \
41 (n) = ((uint32_t)(b)[(i)]) | ((uint32_t)(b)[(i) + 1] << 8) | \
42 ((uint32_t)(b)[(i) + 2] << 16) | ((uint32_t)(b)[(i) + 3] << 24); \
43 }
44 #endif
45
46 #ifndef PUT_UINT32_LE
47 #define PUT_UINT32_LE(n, b, i) \
48 { \
49 (b)[(i)] = (unsigned char)(((n)) & 0xFF); \
50 (b)[(i) + 1] = (unsigned char)(((n) >> 8) & 0xFF); \
51 (b)[(i) + 2] = (unsigned char)(((n) >> 16) & 0xFF); \
52 (b)[(i) + 3] = (unsigned char)(((n) >> 24) & 0xFF); \
53 }
54 #endif
55
56 #if defined(INFRA_PADLOCK_C) && \
57 (defined(INFRA_HAVE_X86) || defined(INFRA_PADLOCK_ALIGN16))
58 static int aes_padlock_ace = -1;
59 #endif
60
61 #if defined(INFRA_AES_ROM_TABLES)
62 /*
63 * Forward S-box
64 */
65 static const unsigned char FSb[256] = {
66 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
67 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
68 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
69 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
70 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
71 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
72 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
73 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
74 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
75 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
76 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
77 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
78 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
79 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
80 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
81 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
82 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
83 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
84 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
85 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
86 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
87 0xB0, 0x54, 0xBB, 0x16
88 };
89
90 /*
91 * Forward tables
92 */
93 #define FT \
94 \
95 V(A5, 63, 63, C6), V(84, 7C, 7C, F8), V(99, 77, 77, EE), \
96 V(8D, 7B, 7B, F6), V(0D, F2, F2, FF), V(BD, 6B, 6B, D6), \
97 V(B1, 6F, 6F, DE), V(54, C5, C5, 91), V(50, 30, 30, 60), \
98 V(03, 01, 01, 02), V(A9, 67, 67, CE), V(7D, 2B, 2B, 56), \
99 V(19, FE, FE, E7), V(62, D7, D7, B5), V(E6, AB, AB, 4D), \
100 V(9A, 76, 76, EC), V(45, CA, CA, 8F), V(9D, 82, 82, 1F), \
101 V(40, C9, C9, 89), V(87, 7D, 7D, FA), V(15, FA, FA, EF), \
102 V(EB, 59, 59, B2), V(C9, 47, 47, 8E), V(0B, F0, F0, FB), \
103 V(EC, AD, AD, 41), V(67, D4, D4, B3), V(FD, A2, A2, 5F), \
104 V(EA, AF, AF, 45), V(BF, 9C, 9C, 23), V(F7, A4, A4, 53), \
105 V(96, 72, 72, E4), V(5B, C0, C0, 9B), V(C2, B7, B7, 75), \
106 V(1C, FD, FD, E1), V(AE, 93, 93, 3D), V(6A, 26, 26, 4C), \
107 V(5A, 36, 36, 6C), V(41, 3F, 3F, 7E), V(02, F7, F7, F5), \
108 V(4F, CC, CC, 83), V(5C, 34, 34, 68), V(F4, A5, A5, 51), \
109 V(34, E5, E5, D1), V(08, F1, F1, F9), V(93, 71, 71, E2), \
110 V(73, D8, D8, AB), V(53, 31, 31, 62), V(3F, 15, 15, 2A), \
111 V(0C, 04, 04, 08), V(52, C7, C7, 95), V(65, 23, 23, 46), \
112 V(5E, C3, C3, 9D), V(28, 18, 18, 30), V(A1, 96, 96, 37), \
113 V(0F, 05, 05, 0A), V(B5, 9A, 9A, 2F), V(09, 07, 07, 0E), \
114 V(36, 12, 12, 24), V(9B, 80, 80, 1B), V(3D, E2, E2, DF), \
115 V(26, EB, EB, CD), V(69, 27, 27, 4E), V(CD, B2, B2, 7F), \
116 V(9F, 75, 75, EA), V(1B, 09, 09, 12), V(9E, 83, 83, 1D), \
117 V(74, 2C, 2C, 58), V(2E, 1A, 1A, 34), V(2D, 1B, 1B, 36), \
118 V(B2, 6E, 6E, DC), V(EE, 5A, 5A, B4), V(FB, A0, A0, 5B), \
119 V(F6, 52, 52, A4), V(4D, 3B, 3B, 76), V(61, D6, D6, B7), \
120 V(CE, B3, B3, 7D), V(7B, 29, 29, 52), V(3E, E3, E3, DD), \
121 V(71, 2F, 2F, 5E), V(97, 84, 84, 13), V(F5, 53, 53, A6), \
122 V(68, D1, D1, B9), V(00, 00, 00, 00), V(2C, ED, ED, C1), \
123 V(60, 20, 20, 40), V(1F, FC, FC, E3), V(C8, B1, B1, 79), \
124 V(ED, 5B, 5B, B6), V(BE, 6A, 6A, D4), V(46, CB, CB, 8D), \
125 V(D9, BE, BE, 67), V(4B, 39, 39, 72), V(DE, 4A, 4A, 94), \
126 V(D4, 4C, 4C, 98), V(E8, 58, 58, B0), V(4A, CF, CF, 85), \
127 V(6B, D0, D0, BB), V(2A, EF, EF, C5), V(E5, AA, AA, 4F), \
128 V(16, FB, FB, ED), V(C5, 43, 43, 86), V(D7, 4D, 4D, 9A), \
129 V(55, 33, 33, 66), V(94, 85, 85, 11), V(CF, 45, 45, 8A), \
130 V(10, F9, F9, E9), V(06, 02, 02, 04), V(81, 7F, 7F, FE), \
131 V(F0, 50, 50, A0), V(44, 3C, 3C, 78), V(BA, 9F, 9F, 25), \
132 V(E3, A8, A8, 4B), V(F3, 51, 51, A2), V(FE, A3, A3, 5D), \
133 V(C0, 40, 40, 80), V(8A, 8F, 8F, 05), V(AD, 92, 92, 3F), \
134 V(BC, 9D, 9D, 21), V(48, 38, 38, 70), V(04, F5, F5, F1), \
135 V(DF, BC, BC, 63), V(C1, B6, B6, 77), V(75, DA, DA, AF), \
136 V(63, 21, 21, 42), V(30, 10, 10, 20), V(1A, FF, FF, E5), \
137 V(0E, F3, F3, FD), V(6D, D2, D2, BF), V(4C, CD, CD, 81), \
138 V(14, 0C, 0C, 18), V(35, 13, 13, 26), V(2F, EC, EC, C3), \
139 V(E1, 5F, 5F, BE), V(A2, 97, 97, 35), V(CC, 44, 44, 88), \
140 V(39, 17, 17, 2E), V(57, C4, C4, 93), V(F2, A7, A7, 55), \
141 V(82, 7E, 7E, FC), V(47, 3D, 3D, 7A), V(AC, 64, 64, C8), \
142 V(E7, 5D, 5D, BA), V(2B, 19, 19, 32), V(95, 73, 73, E6), \
143 V(A0, 60, 60, C0), V(98, 81, 81, 19), V(D1, 4F, 4F, 9E), \
144 V(7F, DC, DC, A3), V(66, 22, 22, 44), V(7E, 2A, 2A, 54), \
145 V(AB, 90, 90, 3B), V(83, 88, 88, 0B), V(CA, 46, 46, 8C), \
146 V(29, EE, EE, C7), V(D3, B8, B8, 6B), V(3C, 14, 14, 28), \
147 V(79, DE, DE, A7), V(E2, 5E, 5E, BC), V(1D, 0B, 0B, 16), \
148 V(76, DB, DB, AD), V(3B, E0, E0, DB), V(56, 32, 32, 64), \
149 V(4E, 3A, 3A, 74), V(1E, 0A, 0A, 14), V(DB, 49, 49, 92), \
150 V(0A, 06, 06, 0C), V(6C, 24, 24, 48), V(E4, 5C, 5C, B8), \
151 V(5D, C2, C2, 9F), V(6E, D3, D3, BD), V(EF, AC, AC, 43), \
152 V(A6, 62, 62, C4), V(A8, 91, 91, 39), V(A4, 95, 95, 31), \
153 V(37, E4, E4, D3), V(8B, 79, 79, F2), V(32, E7, E7, D5), \
154 V(43, C8, C8, 8B), V(59, 37, 37, 6E), V(B7, 6D, 6D, DA), \
155 V(8C, 8D, 8D, 01), V(64, D5, D5, B1), V(D2, 4E, 4E, 9C), \
156 V(E0, A9, A9, 49), V(B4, 6C, 6C, D8), V(FA, 56, 56, AC), \
157 V(07, F4, F4, F3), V(25, EA, EA, CF), V(AF, 65, 65, CA), \
158 V(8E, 7A, 7A, F4), V(E9, AE, AE, 47), V(18, 08, 08, 10), \
159 V(D5, BA, BA, 6F), V(88, 78, 78, F0), V(6F, 25, 25, 4A), \
160 V(72, 2E, 2E, 5C), V(24, 1C, 1C, 38), V(F1, A6, A6, 57), \
161 V(C7, B4, B4, 73), V(51, C6, C6, 97), V(23, E8, E8, CB), \
162 V(7C, DD, DD, A1), V(9C, 74, 74, E8), V(21, 1F, 1F, 3E), \
163 V(DD, 4B, 4B, 96), V(DC, BD, BD, 61), V(86, 8B, 8B, 0D), \
164 V(85, 8A, 8A, 0F), V(90, 70, 70, E0), V(42, 3E, 3E, 7C), \
165 V(C4, B5, B5, 71), V(AA, 66, 66, CC), V(D8, 48, 48, 90), \
166 V(05, 03, 03, 06), V(01, F6, F6, F7), V(12, 0E, 0E, 1C), \
167 V(A3, 61, 61, C2), V(5F, 35, 35, 6A), V(F9, 57, 57, AE), \
168 V(D0, B9, B9, 69), V(91, 86, 86, 17), V(58, C1, C1, 99), \
169 V(27, 1D, 1D, 3A), V(B9, 9E, 9E, 27), V(38, E1, E1, D9), \
170 V(13, F8, F8, EB), V(B3, 98, 98, 2B), V(33, 11, 11, 22), \
171 V(BB, 69, 69, D2), V(70, D9, D9, A9), V(89, 8E, 8E, 07), \
172 V(A7, 94, 94, 33), V(B6, 9B, 9B, 2D), V(22, 1E, 1E, 3C), \
173 V(92, 87, 87, 15), V(20, E9, E9, C9), V(49, CE, CE, 87), \
174 V(FF, 55, 55, AA), V(78, 28, 28, 50), V(7A, DF, DF, A5), \
175 V(8F, 8C, 8C, 03), V(F8, A1, A1, 59), V(80, 89, 89, 09), \
176 V(17, 0D, 0D, 1A), V(DA, BF, BF, 65), V(31, E6, E6, D7), \
177 V(C6, 42, 42, 84), V(B8, 68, 68, D0), V(C3, 41, 41, 82), \
178 V(B0, 99, 99, 29), V(77, 2D, 2D, 5A), V(11, 0F, 0F, 1E), \
179 V(CB, B0, B0, 7B), V(FC, 54, 54, A8), V(D6, BB, BB, 6D), \
180 V(3A, 16, 16, 2C)
181
182 #define V(a, b, c, d) 0x##a##b##c##d
183 static const uint32_t FT0[256] = { FT };
184 #undef V
185
186 #define V(a, b, c, d) 0x##b##c##d##a
187 static const uint32_t FT1[256] = { FT };
188 #undef V
189
190 #define V(a, b, c, d) 0x##c##d##a##b
191 static const uint32_t FT2[256] = { FT };
192 #undef V
193
194 #define V(a, b, c, d) 0x##d##a##b##c
195 static const uint32_t FT3[256] = { FT };
196 #undef V
197
198 #undef FT
199
200 /*
201 * Reverse S-box
202 */
203 static const unsigned char RSb[256] = {
204 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
205 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
206 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
207 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
208 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
209 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
210 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
211 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
212 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
213 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
214 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
215 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
216 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
217 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
218 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
219 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
220 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
221 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
222 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
223 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
224 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
225 0x55, 0x21, 0x0C, 0x7D
226 };
227
228 /*
229 * Reverse tables
230 */
231 #define RT \
232 \
233 V(50, A7, F4, 51), V(53, 65, 41, 7E), V(C3, A4, 17, 1A), \
234 V(96, 5E, 27, 3A), V(CB, 6B, AB, 3B), V(F1, 45, 9D, 1F), \
235 V(AB, 58, FA, AC), V(93, 03, E3, 4B), V(55, FA, 30, 20), \
236 V(F6, 6D, 76, AD), V(91, 76, CC, 88), V(25, 4C, 02, F5), \
237 V(FC, D7, E5, 4F), V(D7, CB, 2A, C5), V(80, 44, 35, 26), \
238 V(8F, A3, 62, B5), V(49, 5A, B1, DE), V(67, 1B, BA, 25), \
239 V(98, 0E, EA, 45), V(E1, C0, FE, 5D), V(02, 75, 2F, C3), \
240 V(12, F0, 4C, 81), V(A3, 97, 46, 8D), V(C6, F9, D3, 6B), \
241 V(E7, 5F, 8F, 03), V(95, 9C, 92, 15), V(EB, 7A, 6D, BF), \
242 V(DA, 59, 52, 95), V(2D, 83, BE, D4), V(D3, 21, 74, 58), \
243 V(29, 69, E0, 49), V(44, C8, C9, 8E), V(6A, 89, C2, 75), \
244 V(78, 79, 8E, F4), V(6B, 3E, 58, 99), V(DD, 71, B9, 27), \
245 V(B6, 4F, E1, BE), V(17, AD, 88, F0), V(66, AC, 20, C9), \
246 V(B4, 3A, CE, 7D), V(18, 4A, DF, 63), V(82, 31, 1A, E5), \
247 V(60, 33, 51, 97), V(45, 7F, 53, 62), V(E0, 77, 64, B1), \
248 V(84, AE, 6B, BB), V(1C, A0, 81, FE), V(94, 2B, 08, F9), \
249 V(58, 68, 48, 70), V(19, FD, 45, 8F), V(87, 6C, DE, 94), \
250 V(B7, F8, 7B, 52), V(23, D3, 73, AB), V(E2, 02, 4B, 72), \
251 V(57, 8F, 1F, E3), V(2A, AB, 55, 66), V(07, 28, EB, B2), \
252 V(03, C2, B5, 2F), V(9A, 7B, C5, 86), V(A5, 08, 37, D3), \
253 V(F2, 87, 28, 30), V(B2, A5, BF, 23), V(BA, 6A, 03, 02), \
254 V(5C, 82, 16, ED), V(2B, 1C, CF, 8A), V(92, B4, 79, A7), \
255 V(F0, F2, 07, F3), V(A1, E2, 69, 4E), V(CD, F4, DA, 65), \
256 V(D5, BE, 05, 06), V(1F, 62, 34, D1), V(8A, FE, A6, C4), \
257 V(9D, 53, 2E, 34), V(A0, 55, F3, A2), V(32, E1, 8A, 05), \
258 V(75, EB, F6, A4), V(39, EC, 83, 0B), V(AA, EF, 60, 40), \
259 V(06, 9F, 71, 5E), V(51, 10, 6E, BD), V(F9, 8A, 21, 3E), \
260 V(3D, 06, DD, 96), V(AE, 05, 3E, DD), V(46, BD, E6, 4D), \
261 V(B5, 8D, 54, 91), V(05, 5D, C4, 71), V(6F, D4, 06, 04), \
262 V(FF, 15, 50, 60), V(24, FB, 98, 19), V(97, E9, BD, D6), \
263 V(CC, 43, 40, 89), V(77, 9E, D9, 67), V(BD, 42, E8, B0), \
264 V(88, 8B, 89, 07), V(38, 5B, 19, E7), V(DB, EE, C8, 79), \
265 V(47, 0A, 7C, A1), V(E9, 0F, 42, 7C), V(C9, 1E, 84, F8), \
266 V(00, 00, 00, 00), V(83, 86, 80, 09), V(48, ED, 2B, 32), \
267 V(AC, 70, 11, 1E), V(4E, 72, 5A, 6C), V(FB, FF, 0E, FD), \
268 V(56, 38, 85, 0F), V(1E, D5, AE, 3D), V(27, 39, 2D, 36), \
269 V(64, D9, 0F, 0A), V(21, A6, 5C, 68), V(D1, 54, 5B, 9B), \
270 V(3A, 2E, 36, 24), V(B1, 67, 0A, 0C), V(0F, E7, 57, 93), \
271 V(D2, 96, EE, B4), V(9E, 91, 9B, 1B), V(4F, C5, C0, 80), \
272 V(A2, 20, DC, 61), V(69, 4B, 77, 5A), V(16, 1A, 12, 1C), \
273 V(0A, BA, 93, E2), V(E5, 2A, A0, C0), V(43, E0, 22, 3C), \
274 V(1D, 17, 1B, 12), V(0B, 0D, 09, 0E), V(AD, C7, 8B, F2), \
275 V(B9, A8, B6, 2D), V(C8, A9, 1E, 14), V(85, 19, F1, 57), \
276 V(4C, 07, 75, AF), V(BB, DD, 99, EE), V(FD, 60, 7F, A3), \
277 V(9F, 26, 01, F7), V(BC, F5, 72, 5C), V(C5, 3B, 66, 44), \
278 V(34, 7E, FB, 5B), V(76, 29, 43, 8B), V(DC, C6, 23, CB), \
279 V(68, FC, ED, B6), V(63, F1, E4, B8), V(CA, DC, 31, D7), \
280 V(10, 85, 63, 42), V(40, 22, 97, 13), V(20, 11, C6, 84), \
281 V(7D, 24, 4A, 85), V(F8, 3D, BB, D2), V(11, 32, F9, AE), \
282 V(6D, A1, 29, C7), V(4B, 2F, 9E, 1D), V(F3, 30, B2, DC), \
283 V(EC, 52, 86, 0D), V(D0, E3, C1, 77), V(6C, 16, B3, 2B), \
284 V(99, B9, 70, A9), V(FA, 48, 94, 11), V(22, 64, E9, 47), \
285 V(C4, 8C, FC, A8), V(1A, 3F, F0, A0), V(D8, 2C, 7D, 56), \
286 V(EF, 90, 33, 22), V(C7, 4E, 49, 87), V(C1, D1, 38, D9), \
287 V(FE, A2, CA, 8C), V(36, 0B, D4, 98), V(CF, 81, F5, A6), \
288 V(28, DE, 7A, A5), V(26, 8E, B7, DA), V(A4, BF, AD, 3F), \
289 V(E4, 9D, 3A, 2C), V(0D, 92, 78, 50), V(9B, CC, 5F, 6A), \
290 V(62, 46, 7E, 54), V(C2, 13, 8D, F6), V(E8, B8, D8, 90), \
291 V(5E, F7, 39, 2E), V(F5, AF, C3, 82), V(BE, 80, 5D, 9F), \
292 V(7C, 93, D0, 69), V(A9, 2D, D5, 6F), V(B3, 12, 25, CF), \
293 V(3B, 99, AC, C8), V(A7, 7D, 18, 10), V(6E, 63, 9C, E8), \
294 V(7B, BB, 3B, DB), V(09, 78, 26, CD), V(F4, 18, 59, 6E), \
295 V(01, B7, 9A, EC), V(A8, 9A, 4F, 83), V(65, 6E, 95, E6), \
296 V(7E, E6, FF, AA), V(08, CF, BC, 21), V(E6, E8, 15, EF), \
297 V(D9, 9B, E7, BA), V(CE, 36, 6F, 4A), V(D4, 09, 9F, EA), \
298 V(D6, 7C, B0, 29), V(AF, B2, A4, 31), V(31, 23, 3F, 2A), \
299 V(30, 94, A5, C6), V(C0, 66, A2, 35), V(37, BC, 4E, 74), \
300 V(A6, CA, 82, FC), V(B0, D0, 90, E0), V(15, D8, A7, 33), \
301 V(4A, 98, 04, F1), V(F7, DA, EC, 41), V(0E, 50, CD, 7F), \
302 V(2F, F6, 91, 17), V(8D, D6, 4D, 76), V(4D, B0, EF, 43), \
303 V(54, 4D, AA, CC), V(DF, 04, 96, E4), V(E3, B5, D1, 9E), \
304 V(1B, 88, 6A, 4C), V(B8, 1F, 2C, C1), V(7F, 51, 65, 46), \
305 V(04, EA, 5E, 9D), V(5D, 35, 8C, 01), V(73, 74, 87, FA), \
306 V(2E, 41, 0B, FB), V(5A, 1D, 67, B3), V(52, D2, DB, 92), \
307 V(33, 56, 10, E9), V(13, 47, D6, 6D), V(8C, 61, D7, 9A), \
308 V(7A, 0C, A1, 37), V(8E, 14, F8, 59), V(89, 3C, 13, EB), \
309 V(EE, 27, A9, CE), V(35, C9, 61, B7), V(ED, E5, 1C, E1), \
310 V(3C, B1, 47, 7A), V(59, DF, D2, 9C), V(3F, 73, F2, 55), \
311 V(79, CE, 14, 18), V(BF, 37, C7, 73), V(EA, CD, F7, 53), \
312 V(5B, AA, FD, 5F), V(14, 6F, 3D, DF), V(86, DB, 44, 78), \
313 V(81, F3, AF, CA), V(3E, C4, 68, B9), V(2C, 34, 24, 38), \
314 V(5F, 40, A3, C2), V(72, C3, 1D, 16), V(0C, 25, E2, BC), \
315 V(8B, 49, 3C, 28), V(41, 95, 0D, FF), V(71, 01, A8, 39), \
316 V(DE, B3, 0C, 08), V(9C, E4, B4, D8), V(90, C1, 56, 64), \
317 V(61, 84, CB, 7B), V(70, B6, 32, D5), V(74, 5C, 6C, 48), \
318 V(42, 57, B8, D0)
319
320 #define V(a, b, c, d) 0x##a##b##c##d
321 static const uint32_t RT0[256] = { RT };
322 #undef V
323
324 #define V(a, b, c, d) 0x##b##c##d##a
325 static const uint32_t RT1[256] = { RT };
326 #undef V
327
328 #define V(a, b, c, d) 0x##c##d##a##b
329 static const uint32_t RT2[256] = { RT };
330 #undef V
331
332 #define V(a, b, c, d) 0x##d##a##b##c
333 static const uint32_t RT3[256] = { RT };
334 #undef V
335
336 #undef RT
337
338 /*
339 * Round constants
340 */
341 static const uint32_t RCON[10] = { 0x00000001, 0x00000002, 0x00000004,
342 0x00000008, 0x00000010, 0x00000020,
343 0x00000040, 0x00000080, 0x0000001B,
344 0x00000036 };
345
346 #else /* INFRA_AES_ROM_TABLES */
347
348 /*
349 * Forward S-box & tables
350 */
351 static unsigned char FSb[256];
352 static uint32_t FT0[256];
353 static uint32_t FT1[256];
354 static uint32_t FT2[256];
355 static uint32_t FT3[256];
356
357 /*
358 * Reverse S-box & tables
359 */
360 static unsigned char RSb[256];
361 static uint32_t RT0[256];
362 static uint32_t RT1[256];
363 static uint32_t RT2[256];
364 static uint32_t RT3[256];
365
366 /*
367 * Round constants
368 */
369 static uint32_t RCON[10];
370
371 /*
372 * Tables generation code
373 */
374 #define ROTL8(x) (((x << 8) & 0xFFFFFFFF) | (x >> 24))
375 #define XTIME(x) ((x << 1) ^ ((x & 0x80) ? 0x1B : 0x00))
376 #define MUL(x, y) ((x && y) ? pow[(log[x] + log[y]) % 255] : 0)
377
378 static int aes_init_done = 0;
379
aes_gen_tables(void)380 static void aes_gen_tables(void)
381 {
382 int i, x, y, z;
383 int pow[256];
384 int log[256];
385
386 /*
387 * compute pow and log tables over GF(2^8)
388 */
389 for (i = 0, x = 1; i < 256; i++) {
390 pow[i] = x;
391 log[x] = i;
392 x = (x ^ XTIME(x)) & 0xFF;
393 }
394
395 /*
396 * calculate the round constants
397 */
398 for (i = 0, x = 1; i < 10; i++) {
399 RCON[i] = (uint32_t)x;
400 x = XTIME(x) & 0xFF;
401 }
402
403 /*
404 * generate the forward and reverse S-boxes
405 */
406 FSb[0x00] = 0x63;
407 RSb[0x63] = 0x00;
408
409 for (i = 1; i < 256; i++) {
410 x = pow[255 - log[i]];
411
412 y = x;
413 y = ((y << 1) | (y >> 7)) & 0xFF;
414 x ^= y;
415 y = ((y << 1) | (y >> 7)) & 0xFF;
416 x ^= y;
417 y = ((y << 1) | (y >> 7)) & 0xFF;
418 x ^= y;
419 y = ((y << 1) | (y >> 7)) & 0xFF;
420 x ^= y ^ 0x63;
421
422 FSb[i] = (unsigned char)x;
423 RSb[x] = (unsigned char)i;
424 }
425
426 /*
427 * generate the forward and reverse tables
428 */
429 for (i = 0; i < 256; i++) {
430 x = FSb[i];
431 y = XTIME(x) & 0xFF;
432 z = (y ^ x) & 0xFF;
433
434 FT0[i] = ((uint32_t)y) ^ ((uint32_t)x << 8) ^ ((uint32_t)x << 16) ^
435 ((uint32_t)z << 24);
436
437 FT1[i] = ROTL8(FT0[i]);
438 FT2[i] = ROTL8(FT1[i]);
439 FT3[i] = ROTL8(FT2[i]);
440
441 x = RSb[i];
442
443 RT0[i] = ((uint32_t)MUL(0x0E, x)) ^ ((uint32_t)MUL(0x09, x) << 8) ^
444 ((uint32_t)MUL(0x0D, x) << 16) ^
445 ((uint32_t)MUL(0x0B, x) << 24);
446
447 RT1[i] = ROTL8(RT0[i]);
448 RT2[i] = ROTL8(RT1[i]);
449 RT3[i] = ROTL8(RT2[i]);
450 }
451 }
452
453 #endif /* INFRA_AES_ROM_TABLES */
454
infra_aes_init(infra_aes_context * ctx)455 void infra_aes_init(infra_aes_context *ctx)
456 {
457 memset(ctx, 0, sizeof(infra_aes_context));
458 }
459
infra_aes_free(infra_aes_context * ctx)460 void infra_aes_free(infra_aes_context *ctx)
461 {
462 if (ctx == NULL)
463 return;
464
465 infra_aes_zeroize(ctx, sizeof(infra_aes_context));
466 }
467
468 /*
469 * AES key schedule (encryption)
470 */
471 #if !defined(INFRA_AES_SETKEY_ENC_ALT)
infra_aes_setkey_enc(infra_aes_context * ctx,const unsigned char * key,unsigned int keybits)472 int infra_aes_setkey_enc(infra_aes_context *ctx, const unsigned char *key,
473 unsigned int keybits)
474 {
475 unsigned int i;
476 uint32_t *RK;
477
478 #if !defined(INFRA_AES_ROM_TABLES)
479 if (aes_init_done == 0) {
480 aes_gen_tables();
481 aes_init_done = 1;
482 }
483 #endif
484
485 switch (keybits) {
486 case 128:
487 ctx->nr = 10;
488 break;
489 case 192:
490 ctx->nr = 12;
491 break;
492 case 256:
493 ctx->nr = 14;
494 break;
495 default:
496 return INFRA_ERR_AES_INVALID_KEY_LENGTH;
497 }
498
499 #if defined(INFRA_PADLOCK_C) && defined(INFRA_PADLOCK_ALIGN16)
500 if (aes_padlock_ace == -1)
501 aes_padlock_ace = infra_aes_padlock_has_support(INFRA_PADLOCK_ACE);
502
503 if (aes_padlock_ace)
504 ctx->rk = RK = INFRA_PADLOCK_ALIGN16(ctx->buf);
505 else
506 #endif
507 ctx->rk = RK = ctx->buf;
508
509 #if defined(INFRA_AESNI_C) && defined(INFRA_HAVE_X86_64)
510 if (infra_aesni_has_support(INFRA_AESNI_AES))
511 return infra_aesni_setkey_enc((unsigned char *)ctx->rk, key, keybits);
512 #endif
513
514 for (i = 0; i < (keybits >> 5); i++) {
515 GET_UINT32_LE(RK[i], key, i << 2);
516 }
517
518 switch (ctx->nr) {
519 case 10:
520
521 for (i = 0; i < 10; i++, RK += 4) {
522 RK[4] = RK[0] ^ RCON[i] ^ ((uint32_t)FSb[(RK[3] >> 8) & 0xFF]) ^
523 ((uint32_t)FSb[(RK[3] >> 16) & 0xFF] << 8) ^
524 ((uint32_t)FSb[(RK[3] >> 24) & 0xFF] << 16) ^
525 ((uint32_t)FSb[(RK[3]) & 0xFF] << 24);
526
527 RK[5] = RK[1] ^ RK[4];
528 RK[6] = RK[2] ^ RK[5];
529 RK[7] = RK[3] ^ RK[6];
530 }
531 break;
532
533 case 12:
534
535 for (i = 0; i < 8; i++, RK += 6) {
536 RK[6] = RK[0] ^ RCON[i] ^ ((uint32_t)FSb[(RK[5] >> 8) & 0xFF]) ^
537 ((uint32_t)FSb[(RK[5] >> 16) & 0xFF] << 8) ^
538 ((uint32_t)FSb[(RK[5] >> 24) & 0xFF] << 16) ^
539 ((uint32_t)FSb[(RK[5]) & 0xFF] << 24);
540
541 RK[7] = RK[1] ^ RK[6];
542 RK[8] = RK[2] ^ RK[7];
543 RK[9] = RK[3] ^ RK[8];
544 RK[10] = RK[4] ^ RK[9];
545 RK[11] = RK[5] ^ RK[10];
546 }
547 break;
548
549 case 14:
550
551 for (i = 0; i < 7; i++, RK += 8) {
552 RK[8] = RK[0] ^ RCON[i] ^ ((uint32_t)FSb[(RK[7] >> 8) & 0xFF]) ^
553 ((uint32_t)FSb[(RK[7] >> 16) & 0xFF] << 8) ^
554 ((uint32_t)FSb[(RK[7] >> 24) & 0xFF] << 16) ^
555 ((uint32_t)FSb[(RK[7]) & 0xFF] << 24);
556
557 RK[9] = RK[1] ^ RK[8];
558 RK[10] = RK[2] ^ RK[9];
559 RK[11] = RK[3] ^ RK[10];
560
561 RK[12] = RK[4] ^ ((uint32_t)FSb[(RK[11]) & 0xFF]) ^
562 ((uint32_t)FSb[(RK[11] >> 8) & 0xFF] << 8) ^
563 ((uint32_t)FSb[(RK[11] >> 16) & 0xFF] << 16) ^
564 ((uint32_t)FSb[(RK[11] >> 24) & 0xFF] << 24);
565
566 RK[13] = RK[5] ^ RK[12];
567 RK[14] = RK[6] ^ RK[13];
568 RK[15] = RK[7] ^ RK[14];
569 }
570 break;
571 }
572
573 return 0;
574 }
575 #endif /* !INFRA_AES_SETKEY_ENC_ALT */
576
577 /*
578 * AES key schedule (decryption)
579 */
580 #if !defined(INFRA_AES_SETKEY_DEC_ALT)
infra_aes_setkey_dec(infra_aes_context * ctx,const unsigned char * key,unsigned int keybits)581 int infra_aes_setkey_dec(infra_aes_context *ctx, const unsigned char *key,
582 unsigned int keybits)
583 {
584 int i, j, ret;
585 infra_aes_context cty;
586 uint32_t *RK;
587 uint32_t *SK;
588
589 infra_aes_init(&cty);
590
591 #if defined(INFRA_PADLOCK_C) && defined(INFRA_PADLOCK_ALIGN16)
592 if (aes_padlock_ace == -1)
593 aes_padlock_ace = infra_aes_padlock_has_support(INFRA_PADLOCK_ACE);
594
595 if (aes_padlock_ace)
596 ctx->rk = RK = INFRA_PADLOCK_ALIGN16(ctx->buf);
597 else
598 #endif
599 ctx->rk = RK = ctx->buf;
600
601 /* Also checks keybits */
602 ret = infra_aes_setkey_enc(&cty, key, keybits);
603 if (ret != 0)
604 goto exit;
605
606 ctx->nr = cty.nr;
607
608 #if defined(INFRA_AESNI_C) && defined(INFRA_HAVE_X86_64)
609 if (infra_aesni_has_support(INFRA_AESNI_AES)) {
610 infra_aesni_inverse_key((unsigned char *)ctx->rk,
611 (const unsigned char *)cty.rk, ctx->nr);
612 goto exit;
613 }
614 #endif
615
616 SK = cty.rk + cty.nr * 4;
617
618 *RK++ = *SK++;
619 *RK++ = *SK++;
620 *RK++ = *SK++;
621 *RK++ = *SK++;
622
623 for (i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8) {
624 for (j = 0; j < 4; j++, SK++) {
625 *RK++ = RT0[FSb[(*SK) & 0xFF]] ^ RT1[FSb[(*SK >> 8) & 0xFF]] ^
626 RT2[FSb[(*SK >> 16) & 0xFF]] ^ RT3[FSb[(*SK >> 24) & 0xFF]];
627 }
628 }
629
630 *RK++ = *SK++;
631 *RK++ = *SK++;
632 *RK++ = *SK++;
633 *RK++ = *SK++;
634
635 exit:
636 infra_aes_free(&cty);
637
638 return ret;
639 }
640 #endif /* !INFRA_AES_SETKEY_DEC_ALT */
641
642 #define AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \
643 { \
644 X0 = *RK++ ^ FT0[(Y0) & 0xFF] ^ FT1[(Y1 >> 8) & 0xFF] ^ \
645 FT2[(Y2 >> 16) & 0xFF] ^ FT3[(Y3 >> 24) & 0xFF]; \
646 \
647 X1 = *RK++ ^ FT0[(Y1) & 0xFF] ^ FT1[(Y2 >> 8) & 0xFF] ^ \
648 FT2[(Y3 >> 16) & 0xFF] ^ FT3[(Y0 >> 24) & 0xFF]; \
649 \
650 X2 = *RK++ ^ FT0[(Y2) & 0xFF] ^ FT1[(Y3 >> 8) & 0xFF] ^ \
651 FT2[(Y0 >> 16) & 0xFF] ^ FT3[(Y1 >> 24) & 0xFF]; \
652 \
653 X3 = *RK++ ^ FT0[(Y3) & 0xFF] ^ FT1[(Y0 >> 8) & 0xFF] ^ \
654 FT2[(Y1 >> 16) & 0xFF] ^ FT3[(Y2 >> 24) & 0xFF]; \
655 }
656
657 #define AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \
658 { \
659 X0 = *RK++ ^ RT0[(Y0) & 0xFF] ^ RT1[(Y3 >> 8) & 0xFF] ^ \
660 RT2[(Y2 >> 16) & 0xFF] ^ RT3[(Y1 >> 24) & 0xFF]; \
661 \
662 X1 = *RK++ ^ RT0[(Y1) & 0xFF] ^ RT1[(Y0 >> 8) & 0xFF] ^ \
663 RT2[(Y3 >> 16) & 0xFF] ^ RT3[(Y2 >> 24) & 0xFF]; \
664 \
665 X2 = *RK++ ^ RT0[(Y2) & 0xFF] ^ RT1[(Y1 >> 8) & 0xFF] ^ \
666 RT2[(Y0 >> 16) & 0xFF] ^ RT3[(Y3 >> 24) & 0xFF]; \
667 \
668 X3 = *RK++ ^ RT0[(Y3) & 0xFF] ^ RT1[(Y2 >> 8) & 0xFF] ^ \
669 RT2[(Y1 >> 16) & 0xFF] ^ RT3[(Y0 >> 24) & 0xFF]; \
670 }
671
672 /*
673 * AES-ECB block encryption
674 */
675 #if !defined(INFRA_AES_ENCRYPT_ALT)
infra_aes_internal_aes_encrypt(infra_aes_context * ctx,const unsigned char input[16],unsigned char output[16])676 static int infra_aes_internal_aes_encrypt(infra_aes_context *ctx,
677 const unsigned char input[16],
678 unsigned char output[16])
679 {
680 int i;
681 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
682
683 RK = ctx->rk;
684
685 GET_UINT32_LE(X0, input, 0);
686 X0 ^= *RK++;
687 GET_UINT32_LE(X1, input, 4);
688 X1 ^= *RK++;
689 GET_UINT32_LE(X2, input, 8);
690 X2 ^= *RK++;
691 GET_UINT32_LE(X3, input, 12);
692 X3 ^= *RK++;
693
694 for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
695 AES_FROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3);
696 AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3);
697 }
698
699 AES_FROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3);
700
701 X0 = *RK++ ^ ((uint32_t)FSb[(Y0) & 0xFF]) ^
702 ((uint32_t)FSb[(Y1 >> 8) & 0xFF] << 8) ^
703 ((uint32_t)FSb[(Y2 >> 16) & 0xFF] << 16) ^
704 ((uint32_t)FSb[(Y3 >> 24) & 0xFF] << 24);
705
706 X1 = *RK++ ^ ((uint32_t)FSb[(Y1) & 0xFF]) ^
707 ((uint32_t)FSb[(Y2 >> 8) & 0xFF] << 8) ^
708 ((uint32_t)FSb[(Y3 >> 16) & 0xFF] << 16) ^
709 ((uint32_t)FSb[(Y0 >> 24) & 0xFF] << 24);
710
711 X2 = *RK++ ^ ((uint32_t)FSb[(Y2) & 0xFF]) ^
712 ((uint32_t)FSb[(Y3 >> 8) & 0xFF] << 8) ^
713 ((uint32_t)FSb[(Y0 >> 16) & 0xFF] << 16) ^
714 ((uint32_t)FSb[(Y1 >> 24) & 0xFF] << 24);
715
716 X3 = *RK++ ^ ((uint32_t)FSb[(Y3) & 0xFF]) ^
717 ((uint32_t)FSb[(Y0 >> 8) & 0xFF] << 8) ^
718 ((uint32_t)FSb[(Y1 >> 16) & 0xFF] << 16) ^
719 ((uint32_t)FSb[(Y2 >> 24) & 0xFF] << 24);
720
721 PUT_UINT32_LE(X0, output, 0);
722 PUT_UINT32_LE(X1, output, 4);
723 PUT_UINT32_LE(X2, output, 8);
724 PUT_UINT32_LE(X3, output, 12);
725
726 return 0;
727 }
728 #endif /* !INFRA_AES_ENCRYPT_ALT */
729
730 /*
731 * AES-ECB block decryption
732 */
733 #if !defined(INFRA_AES_DECRYPT_ALT)
infra_aes_internal_aes_decrypt(infra_aes_context * ctx,const unsigned char input[16],unsigned char output[16])734 static int infra_aes_internal_aes_decrypt(infra_aes_context *ctx,
735 const unsigned char input[16],
736 unsigned char output[16])
737 {
738 int i;
739 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
740
741 RK = ctx->rk;
742
743 GET_UINT32_LE(X0, input, 0);
744 X0 ^= *RK++;
745 GET_UINT32_LE(X1, input, 4);
746 X1 ^= *RK++;
747 GET_UINT32_LE(X2, input, 8);
748 X2 ^= *RK++;
749 GET_UINT32_LE(X3, input, 12);
750 X3 ^= *RK++;
751
752 for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
753 AES_RROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3);
754 AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3);
755 }
756
757 AES_RROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3);
758
759 X0 = *RK++ ^ ((uint32_t)RSb[(Y0) & 0xFF]) ^
760 ((uint32_t)RSb[(Y3 >> 8) & 0xFF] << 8) ^
761 ((uint32_t)RSb[(Y2 >> 16) & 0xFF] << 16) ^
762 ((uint32_t)RSb[(Y1 >> 24) & 0xFF] << 24);
763
764 X1 = *RK++ ^ ((uint32_t)RSb[(Y1) & 0xFF]) ^
765 ((uint32_t)RSb[(Y0 >> 8) & 0xFF] << 8) ^
766 ((uint32_t)RSb[(Y3 >> 16) & 0xFF] << 16) ^
767 ((uint32_t)RSb[(Y2 >> 24) & 0xFF] << 24);
768
769 X2 = *RK++ ^ ((uint32_t)RSb[(Y2) & 0xFF]) ^
770 ((uint32_t)RSb[(Y1 >> 8) & 0xFF] << 8) ^
771 ((uint32_t)RSb[(Y0 >> 16) & 0xFF] << 16) ^
772 ((uint32_t)RSb[(Y3 >> 24) & 0xFF] << 24);
773
774 X3 = *RK++ ^ ((uint32_t)RSb[(Y3) & 0xFF]) ^
775 ((uint32_t)RSb[(Y2 >> 8) & 0xFF] << 8) ^
776 ((uint32_t)RSb[(Y1 >> 16) & 0xFF] << 16) ^
777 ((uint32_t)RSb[(Y0 >> 24) & 0xFF] << 24);
778
779 PUT_UINT32_LE(X0, output, 0);
780 PUT_UINT32_LE(X1, output, 4);
781 PUT_UINT32_LE(X2, output, 8);
782 PUT_UINT32_LE(X3, output, 12);
783
784 return 0;
785 }
786 #endif /* !INFRA_AES_DECRYPT_ALT */
787
788 /*
789 * AES-ECB block encryption/decryption
790 */
infra_aes_crypt_ecb(infra_aes_context * ctx,int mode,const unsigned char input[16],unsigned char output[16])791 int infra_aes_crypt_ecb(infra_aes_context *ctx, int mode,
792 const unsigned char input[16], unsigned char output[16])
793 {
794 #if defined(INFRA_AESNI_C) && defined(INFRA_HAVE_X86_64)
795 if (infra_aesni_has_support(INFRA_AESNI_AES))
796 return infra_aesni_crypt_ecb(ctx, mode, input, output);
797 #endif
798
799 #if defined(INFRA_PADLOCK_C) && defined(INFRA_HAVE_X86)
800 if (aes_padlock_ace) {
801 if (infra_aes_padlock_xcryptecb(ctx, mode, input, output) == 0)
802 return 0;
803
804 // If padlock data misaligned, we just fall back to
805 // unaccelerated mode
806 }
807 #endif
808
809 if (mode == INFRA_AES_ENCRYPT)
810 return infra_aes_internal_aes_encrypt(ctx, input, output);
811 else
812 return infra_aes_internal_aes_decrypt(ctx, input, output);
813 }
814
815 #if defined(INFRA_CIPHER_MODE_CBC)
816 /*
817 * AES-CBC buffer encryption/decryption
818 */
infra_aes_crypt_cbc(infra_aes_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)819 int infra_aes_crypt_cbc(infra_aes_context *ctx, int mode, size_t length,
820 unsigned char iv[16], const unsigned char *input,
821 unsigned char *output)
822 {
823 int i;
824 unsigned char temp[16];
825
826 if (length % 16)
827 return INFRA_ERR_AES_INVALID_INPUT_LENGTH;
828
829 #if defined(INFRA_PADLOCK_C) && defined(INFRA_HAVE_X86)
830 if (aes_padlock_ace) {
831 if (infra_aes_padlock_xcryptcbc(ctx, mode, length, iv, input, output) ==
832 0)
833 return 0;
834
835 // If padlock data misaligned, we just fall back to
836 // unaccelerated mode
837 }
838 #endif
839
840 if (mode == INFRA_AES_DECRYPT) {
841 while (length > 0) {
842 memcpy(temp, input, 16);
843 infra_aes_crypt_ecb(ctx, mode, input, output);
844
845 for (i = 0; i < 16; i++)
846 output[i] = (unsigned char)(output[i] ^ iv[i]);
847
848 memcpy(iv, temp, 16);
849
850 input += 16;
851 output += 16;
852 length -= 16;
853 }
854 } else {
855 while (length > 0) {
856 for (i = 0; i < 16; i++)
857 output[i] = (unsigned char)(input[i] ^ iv[i]);
858
859 infra_aes_crypt_ecb(ctx, mode, output, output);
860 memcpy(iv, output, 16);
861
862 input += 16;
863 output += 16;
864 length -= 16;
865 }
866 }
867
868 return 0;
869 }
870 #endif /* INFRA_CIPHER_MODE_CBC */
871
872 #if defined(INFRA_CIPHER_MODE_CFB)
873 /*
874 * AES-CFB128 buffer encryption/decryption
875 */
infra_aes_crypt_cfb128(infra_aes_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[16],const unsigned char * input,unsigned char * output)876 int infra_aes_crypt_cfb128(infra_aes_context *ctx, int mode, size_t length,
877 size_t *iv_off, unsigned char iv[16],
878 const unsigned char *input, unsigned char *output)
879 {
880 int c;
881 size_t n = *iv_off;
882
883 if (mode == INFRA_AES_DECRYPT) {
884 while (length--) {
885 if (n == 0)
886 infra_aes_crypt_ecb(ctx, INFRA_AES_ENCRYPT, iv, iv);
887
888 c = *input++;
889 *output++ = (unsigned char)(c ^ iv[n]);
890 iv[n] = (unsigned char)c;
891
892 n = (n + 1) & 0x0F;
893 }
894 } else {
895 while (length--) {
896 if (n == 0)
897 infra_aes_crypt_ecb(ctx, INFRA_AES_ENCRYPT, iv, iv);
898
899 iv[n] = *output++ = (unsigned char)(iv[n] ^ *input++);
900
901 n = (n + 1) & 0x0F;
902 }
903 }
904
905 *iv_off = n;
906
907 return 0;
908 }
909
910 #endif /*INFRA_CIPHER_MODE_CFB */
911
912 #endif /* INFRA_AES_BUILDIN */
913
914 typedef struct {
915 #if defined(INFRA_AES_BUILDIN)
916 infra_aes_context ctx;
917 #else
918 mbedtls_aes_context ctx;
919 #endif
920 uint8_t iv[16];
921 uint8_t key[16];
922 } platform_aes_t;
923
infra_aes128_init(const uint8_t * key,const uint8_t * iv,AES_DIR_t dir)924 p_Aes128_t infra_aes128_init(const uint8_t *key, const uint8_t *iv,
925 AES_DIR_t dir)
926 {
927 int ret = 0;
928 platform_aes_t *p_aes128 = NULL;
929
930 if (!key || !iv)
931 return p_aes128;
932
933 p_aes128 = (platform_aes_t *)calloc(1, sizeof(platform_aes_t));
934 if (!p_aes128)
935 return p_aes128;
936
937 #if defined(INFRA_AES_BUILDIN)
938 infra_aes_init(&p_aes128->ctx);
939 if (dir == AES_ENCRYPTION) {
940 ret = infra_aes_setkey_enc(&p_aes128->ctx, key, 128);
941 } else {
942 ret = infra_aes_setkey_dec(&p_aes128->ctx, key, 128);
943 }
944 #else
945 mbedtls_aes_init(&p_aes128->ctx);
946 if (dir == AES_ENCRYPTION) {
947 ret = mbedtls_aes_setkey_enc(&p_aes128->ctx, key, 128);
948 } else {
949 ret = mbedtls_aes_setkey_dec(&p_aes128->ctx, key, 128);
950 }
951 #endif
952
953 if (ret == 0) {
954 memcpy(p_aes128->iv, iv, 16);
955 memcpy(p_aes128->key, key, 16);
956 } else {
957 free(p_aes128);
958 p_aes128 = NULL;
959 }
960
961 return (p_Aes128_t)p_aes128;
962 }
963
infra_aes128_destroy(p_Aes128_t aes)964 int infra_aes128_destroy(p_Aes128_t aes)
965 {
966 if (!aes)
967 return -1;
968
969 #if defined(INFRA_AES_BUILDIN)
970 infra_aes_free(&((platform_aes_t *)aes)->ctx);
971 #else
972 mbedtls_aes_free(&((platform_aes_t *)aes)->ctx);
973 #endif
974
975 free(aes);
976 return 0;
977 }
978
infra_aes128_cbc_decrypt(p_Aes128_t aes,const void * src,size_t blockNum,void * dst)979 int infra_aes128_cbc_decrypt(p_Aes128_t aes, const void *src, size_t blockNum,
980 void *dst)
981 {
982 int i = 0;
983 int ret = -1;
984 platform_aes_t *p_aes128 = (platform_aes_t *)aes;
985
986 if (!aes || !src || !dst)
987 return ret;
988
989 for (i = 0; i < blockNum; ++i) {
990 #if defined(INFRA_AES_BUILDIN)
991 ret = infra_aes_crypt_cbc(&p_aes128->ctx, INFRA_AES_DECRYPT,
992 AES_BLOCK_SIZE, p_aes128->iv, src, dst);
993 #else
994 ret = mbedtls_aes_crypt_cbc(&p_aes128->ctx, MBEDTLS_AES_DECRYPT,
995 AES_BLOCK_SIZE, p_aes128->iv, src, dst);
996 #endif
997 src = (unsigned char *)src + 16;
998 dst = (unsigned char *)dst + 16;
999 }
1000
1001 return ret;
1002 }
1003
infra_aes128_cfb_decrypt(p_Aes128_t aes,const void * src,size_t length,void * dst)1004 int infra_aes128_cfb_decrypt(p_Aes128_t aes, const void *src, size_t length,
1005 void *dst)
1006 {
1007 size_t offset = 0;
1008 int ret = -1;
1009 platform_aes_t *p_aes128 = (platform_aes_t *)aes;
1010
1011 if (!aes || !src || !dst)
1012 return ret;
1013
1014 #if defined(INFRA_AES_BUILDIN)
1015 ret = infra_aes_setkey_enc(&p_aes128->ctx, p_aes128->key, 128);
1016 ret = infra_aes_crypt_cfb128(&p_aes128->ctx, INFRA_AES_DECRYPT, length,
1017 &offset, p_aes128->iv, src, dst);
1018 #else
1019 ret = mbedtls_aes_setkey_enc(&p_aes128->ctx, p_aes128->key, 128);
1020 ret = mbedtls_aes_crypt_cfb128(&p_aes128->ctx, MBEDTLS_AES_DECRYPT, length,
1021 &offset, p_aes128->iv, src, dst);
1022 #endif
1023
1024 return ret;
1025 }
1026
infra_aes128_cfb_encrypt(p_Aes128_t aes,const void * src,size_t length,void * dst)1027 int infra_aes128_cfb_encrypt(p_Aes128_t aes, const void *src, size_t length,
1028 void *dst)
1029 {
1030 size_t offset = 0;
1031 int ret = -1;
1032 platform_aes_t *p_aes128 = (platform_aes_t *)aes;
1033
1034 if (!aes || !src || !dst)
1035 return ret;
1036
1037 #if defined(INFRA_AES_BUILDIN)
1038 ret = infra_aes_crypt_cfb128(&p_aes128->ctx, INFRA_AES_ENCRYPT, length,
1039 &offset, p_aes128->iv, src, dst);
1040 #else
1041 ret = mbedtls_aes_crypt_cfb128(&p_aes128->ctx, MBEDTLS_AES_ENCRYPT, length,
1042 &offset, p_aes128->iv, src, dst);
1043 #endif
1044 return ret;
1045 }
1046
infra_aes128_cbc_encrypt(p_Aes128_t aes,const void * src,size_t blockNum,void * dst)1047 int infra_aes128_cbc_encrypt(p_Aes128_t aes, const void *src, size_t blockNum,
1048 void *dst)
1049 {
1050 int i = 0;
1051 int ret = ret;
1052 platform_aes_t *p_aes128 = (platform_aes_t *)aes;
1053
1054 if (!aes || !src || !dst)
1055 return -1;
1056
1057 for (i = 0; i < blockNum; ++i) {
1058 #if defined(INFRA_AES_BUILDIN)
1059 ret = infra_aes_crypt_cbc(&p_aes128->ctx, INFRA_AES_ENCRYPT,
1060 AES_BLOCK_SIZE, p_aes128->iv, src, dst);
1061 #else
1062 ret = mbedtls_aes_crypt_cbc(&p_aes128->ctx, MBEDTLS_AES_ENCRYPT,
1063 AES_BLOCK_SIZE, p_aes128->iv, src, dst);
1064 #endif
1065 src = (unsigned char *)src + 16;
1066 dst = (unsigned char *)dst + 16;
1067 }
1068
1069 return ret;
1070 }
1071
1072 #endif /* INFRA_AES */
1073