1 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
3 * LibTomCrypt is a library that provides various cryptographic
4 * algorithms in a highly modular and flexible manner.
6 * The library is free for all purposes without any express
10 /* AES implementation by Tom St Denis
12 * Derived from the Public Domain source code by
17 * @version 3.0 (December 2000)
19 * Optimised ANSI C code for the Rijndael cipher (now AES)
21 * @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
22 * @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
23 * @author Paulo Barreto <paulo.barreto@terra.com.br>
37 #define SETUP rijndael_setup
38 #define ECB_ENC rijndael_ecb_encrypt
39 #define ECB_DEC rijndael_ecb_decrypt
40 #define ECB_DONE rijndael_done
41 #define ECB_TEST rijndael_test
42 #define ECB_KS rijndael_keysize
44 const struct ltc_cipher_descriptor rijndael_desc =
49 SETUP, ECB_ENC, ECB_DEC, ECB_TEST, ECB_DONE, ECB_KS,
50 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
53 const struct ltc_cipher_descriptor aes_desc =
58 SETUP, ECB_ENC, ECB_DEC, ECB_TEST, ECB_DONE, ECB_KS,
59 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
64 #define SETUP rijndael_enc_setup
65 #define ECB_ENC rijndael_enc_ecb_encrypt
66 #define ECB_KS rijndael_enc_keysize
67 #define ECB_DONE rijndael_enc_done
69 const struct ltc_cipher_descriptor rijndael_enc_desc =
74 SETUP, ECB_ENC, NULL, NULL, ECB_DONE, ECB_KS,
75 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
78 const struct ltc_cipher_descriptor aes_enc_desc =
83 SETUP, ECB_ENC, NULL, NULL, ECB_DONE, ECB_KS,
84 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
89 #define __LTC_AES_TAB_C__
92 static ulong32 setup_mix(ulong32 temp)
94 return (Te4_3[byte(temp, 2)]) ^
95 (Te4_2[byte(temp, 1)]) ^
96 (Te4_1[byte(temp, 0)]) ^
97 (Te4_0[byte(temp, 3)]);
101 #ifdef LTC_SMALL_CODE
102 static ulong32 setup_mix2(ulong32 temp)
104 return Td0(255 & Te4[byte(temp, 3)]) ^
105 Td1(255 & Te4[byte(temp, 2)]) ^
106 Td2(255 & Te4[byte(temp, 1)]) ^
107 Td3(255 & Te4[byte(temp, 0)]);
113 Initialize the AES (Rijndael) block cipher
114 @param key The symmetric key you wish to pass
115 @param keylen The key length in bytes
116 @param num_rounds The number of rounds desired (0 for default)
117 @param skey The key in as scheduled by this function.
118 @return CRYPT_OK if successful
120 int SETUP(const unsigned char *key, int keylen, int num_rounds, symmetric_key *skey)
127 LTC_ARGCHK(key != NULL);
128 LTC_ARGCHK(skey != NULL);
130 if (keylen != 16 && keylen != 24 && keylen != 32) {
131 return CRYPT_INVALID_KEYSIZE;
134 if (num_rounds != 0 && num_rounds != (10 + ((keylen/8)-2)*2)) {
135 return CRYPT_INVALID_ROUNDS;
138 skey->rijndael.Nr = 10 + ((keylen/8)-2)*2;
140 /* setup the forward key */
142 rk = skey->rijndael.eK;
143 LOAD32H(rk[0], key );
144 LOAD32H(rk[1], key + 4);
145 LOAD32H(rk[2], key + 8);
146 LOAD32H(rk[3], key + 12);
150 rk[4] = rk[0] ^ setup_mix(temp) ^ rcon[i];
151 rk[5] = rk[1] ^ rk[4];
152 rk[6] = rk[2] ^ rk[5];
153 rk[7] = rk[3] ^ rk[6];
159 } else if (keylen == 24) {
160 LOAD32H(rk[4], key + 16);
161 LOAD32H(rk[5], key + 20);
164 temp = skey->rijndael.eK[rk - skey->rijndael.eK + 5];
168 rk[ 6] = rk[ 0] ^ setup_mix(temp) ^ rcon[i];
169 rk[ 7] = rk[ 1] ^ rk[ 6];
170 rk[ 8] = rk[ 2] ^ rk[ 7];
171 rk[ 9] = rk[ 3] ^ rk[ 8];
175 rk[10] = rk[ 4] ^ rk[ 9];
176 rk[11] = rk[ 5] ^ rk[10];
179 } else if (keylen == 32) {
180 LOAD32H(rk[4], key + 16);
181 LOAD32H(rk[5], key + 20);
182 LOAD32H(rk[6], key + 24);
183 LOAD32H(rk[7], key + 28);
186 temp = skey->rijndael.eK[rk - skey->rijndael.eK + 7];
190 rk[ 8] = rk[ 0] ^ setup_mix(temp) ^ rcon[i];
191 rk[ 9] = rk[ 1] ^ rk[ 8];
192 rk[10] = rk[ 2] ^ rk[ 9];
193 rk[11] = rk[ 3] ^ rk[10];
198 rk[12] = rk[ 4] ^ setup_mix(RORc(temp, 8));
199 rk[13] = rk[ 5] ^ rk[12];
200 rk[14] = rk[ 6] ^ rk[13];
201 rk[15] = rk[ 7] ^ rk[14];
205 /* this can't happen */
206 /* coverity[dead_error_line] */
211 /* setup the inverse key now */
212 rk = skey->rijndael.dK;
213 rrk = skey->rijndael.eK + (28 + keylen) - 4;
215 /* apply the inverse MixColumn transform to all round keys but the first and the last: */
223 for (i = 1; i < skey->rijndael.Nr; i++) {
226 #ifdef LTC_SMALL_CODE
228 rk[0] = setup_mix2(temp);
230 rk[1] = setup_mix2(temp);
232 rk[2] = setup_mix2(temp);
234 rk[3] = setup_mix2(temp);
238 Tks0[byte(temp, 3)] ^
239 Tks1[byte(temp, 2)] ^
240 Tks2[byte(temp, 1)] ^
244 Tks0[byte(temp, 3)] ^
245 Tks1[byte(temp, 2)] ^
246 Tks2[byte(temp, 1)] ^
250 Tks0[byte(temp, 3)] ^
251 Tks1[byte(temp, 2)] ^
252 Tks2[byte(temp, 1)] ^
256 Tks0[byte(temp, 3)] ^
257 Tks1[byte(temp, 2)] ^
258 Tks2[byte(temp, 1)] ^
271 #endif /* ENCRYPT_ONLY */
277 Encrypts a block of text with AES
278 @param pt The input plaintext (16 bytes)
279 @param ct The output ciphertext (16 bytes)
280 @param skey The key as scheduled
281 @return CRYPT_OK if successful
283 #ifdef LTC_CLEAN_STACK
284 static int _rijndael_ecb_encrypt(const unsigned char *pt, unsigned char *ct, symmetric_key *skey)
286 int ECB_ENC(const unsigned char *pt, unsigned char *ct, symmetric_key *skey)
289 ulong32 s0, s1, s2, s3, t0, t1, t2, t3, *rk;
292 LTC_ARGCHK(pt != NULL);
293 LTC_ARGCHK(ct != NULL);
294 LTC_ARGCHK(skey != NULL);
296 Nr = skey->rijndael.Nr;
297 rk = skey->rijndael.eK;
300 * map byte array block to cipher state
301 * and add initial round key:
303 LOAD32H(s0, pt ); s0 ^= rk[0];
304 LOAD32H(s1, pt + 4); s1 ^= rk[1];
305 LOAD32H(s2, pt + 8); s2 ^= rk[2];
306 LOAD32H(s3, pt + 12); s3 ^= rk[3];
308 #ifdef LTC_SMALL_CODE
339 s0 = t0; s1 = t1; s2 = t2; s3 = t3;
346 * Nr - 1 full rounds:
409 * apply last round and
410 * map cipher state to byte array block:
413 (Te4_3[byte(t0, 3)]) ^
414 (Te4_2[byte(t1, 2)]) ^
415 (Te4_1[byte(t2, 1)]) ^
416 (Te4_0[byte(t3, 0)]) ^
420 (Te4_3[byte(t1, 3)]) ^
421 (Te4_2[byte(t2, 2)]) ^
422 (Te4_1[byte(t3, 1)]) ^
423 (Te4_0[byte(t0, 0)]) ^
427 (Te4_3[byte(t2, 3)]) ^
428 (Te4_2[byte(t3, 2)]) ^
429 (Te4_1[byte(t0, 1)]) ^
430 (Te4_0[byte(t1, 0)]) ^
434 (Te4_3[byte(t3, 3)]) ^
435 (Te4_2[byte(t0, 2)]) ^
436 (Te4_1[byte(t1, 1)]) ^
437 (Te4_0[byte(t2, 0)]) ^
444 #ifdef LTC_CLEAN_STACK
445 int ECB_ENC(const unsigned char *pt, unsigned char *ct, symmetric_key *skey)
447 int err = _rijndael_ecb_encrypt(pt, ct, skey);
448 burn_stack(sizeof(unsigned long)*8 + sizeof(unsigned long*) + sizeof(int)*2);
456 Decrypts a block of text with AES
457 @param ct The input ciphertext (16 bytes)
458 @param pt The output plaintext (16 bytes)
459 @param skey The key as scheduled
460 @return CRYPT_OK if successful
462 #ifdef LTC_CLEAN_STACK
463 static int _rijndael_ecb_decrypt(const unsigned char *ct, unsigned char *pt, symmetric_key *skey)
465 int ECB_DEC(const unsigned char *ct, unsigned char *pt, symmetric_key *skey)
468 ulong32 s0, s1, s2, s3, t0, t1, t2, t3, *rk;
471 LTC_ARGCHK(pt != NULL);
472 LTC_ARGCHK(ct != NULL);
473 LTC_ARGCHK(skey != NULL);
475 Nr = skey->rijndael.Nr;
476 rk = skey->rijndael.dK;
479 * map byte array block to cipher state
480 * and add initial round key:
482 LOAD32H(s0, ct ); s0 ^= rk[0];
483 LOAD32H(s1, ct + 4); s1 ^= rk[1];
484 LOAD32H(s2, ct + 8); s2 ^= rk[2];
485 LOAD32H(s3, ct + 12); s3 ^= rk[3];
487 #ifdef LTC_SMALL_CODE
517 s0 = t0; s1 = t1; s2 = t2; s3 = t3;
524 * Nr - 1 full rounds:
588 * apply last round and
589 * map cipher state to byte array block:
592 (Td4[byte(t0, 3)] & 0xff000000) ^
593 (Td4[byte(t3, 2)] & 0x00ff0000) ^
594 (Td4[byte(t2, 1)] & 0x0000ff00) ^
595 (Td4[byte(t1, 0)] & 0x000000ff) ^
599 (Td4[byte(t1, 3)] & 0xff000000) ^
600 (Td4[byte(t0, 2)] & 0x00ff0000) ^
601 (Td4[byte(t3, 1)] & 0x0000ff00) ^
602 (Td4[byte(t2, 0)] & 0x000000ff) ^
606 (Td4[byte(t2, 3)] & 0xff000000) ^
607 (Td4[byte(t1, 2)] & 0x00ff0000) ^
608 (Td4[byte(t0, 1)] & 0x0000ff00) ^
609 (Td4[byte(t3, 0)] & 0x000000ff) ^
613 (Td4[byte(t3, 3)] & 0xff000000) ^
614 (Td4[byte(t2, 2)] & 0x00ff0000) ^
615 (Td4[byte(t1, 1)] & 0x0000ff00) ^
616 (Td4[byte(t0, 0)] & 0x000000ff) ^
624 #ifdef LTC_CLEAN_STACK
625 int ECB_DEC(const unsigned char *ct, unsigned char *pt, symmetric_key *skey)
627 int err = _rijndael_ecb_decrypt(ct, pt, skey);
628 burn_stack(sizeof(unsigned long)*8 + sizeof(unsigned long*) + sizeof(int)*2);
634 Performs a self-test of the AES block cipher
635 @return CRYPT_OK if functional, CRYPT_NOP if self-test has been disabled
643 static const struct {
645 unsigned char key[32], pt[16], ct[16];
648 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
649 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f },
650 { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
651 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
652 { 0x69, 0xc4, 0xe0, 0xd8, 0x6a, 0x7b, 0x04, 0x30,
653 0xd8, 0xcd, 0xb7, 0x80, 0x70, 0xb4, 0xc5, 0x5a }
656 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
657 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
658 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17 },
659 { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
660 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
661 { 0xdd, 0xa9, 0x7c, 0xa4, 0x86, 0x4c, 0xdf, 0xe0,
662 0x6e, 0xaf, 0x70, 0xa0, 0xec, 0x0d, 0x71, 0x91 }
665 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
666 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
667 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
668 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f },
669 { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
670 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
671 { 0x8e, 0xa2, 0xb7, 0xca, 0x51, 0x67, 0x45, 0xbf,
672 0xea, 0xfc, 0x49, 0x90, 0x4b, 0x49, 0x60, 0x89 }
677 unsigned char tmp[2][16];
680 for (i = 0; i < (int)(sizeof(tests)/sizeof(tests[0])); i++) {
681 zeromem(&key, sizeof(key));
682 if ((err = rijndael_setup(tests[i].key, tests[i].keylen, 0, &key)) != CRYPT_OK) {
686 rijndael_ecb_encrypt(tests[i].pt, tmp[0], &key);
687 rijndael_ecb_decrypt(tmp[0], tmp[1], &key);
688 if (compare_testvector(tmp[0], 16, tests[i].ct, 16, "AES Encrypt", i) ||
689 compare_testvector(tmp[1], 16, tests[i].pt, 16, "AES Decrypt", i)) {
690 return CRYPT_FAIL_TESTVECTOR;
693 /* now see if we can encrypt all zero bytes 1000 times, decrypt and come back where we started */
694 for (y = 0; y < 16; y++) tmp[0][y] = 0;
695 for (y = 0; y < 1000; y++) rijndael_ecb_encrypt(tmp[0], tmp[0], &key);
696 for (y = 0; y < 1000; y++) rijndael_ecb_decrypt(tmp[0], tmp[0], &key);
697 for (y = 0; y < 16; y++) if (tmp[0][y] != 0) return CRYPT_FAIL_TESTVECTOR;
703 #endif /* ENCRYPT_ONLY */
706 /** Terminate the context
707 @param skey The scheduled key
709 void ECB_DONE(symmetric_key *skey)
711 LTC_UNUSED_PARAM(skey);
716 Gets suitable key size
717 @param keysize [in/out] The length of the recommended key (in bytes). This function will store the suitable size back in this variable.
718 @return CRYPT_OK if the input key size is acceptable.
720 int ECB_KS(int *keysize)
722 LTC_ARGCHK(keysize != NULL);
725 return CRYPT_INVALID_KEYSIZE;
729 } else if (*keysize < 32) {
741 /* ref: $Format:%D$ */
742 /* git commit: $Format:%H$ */
743 /* commit time: $Format:%ai$ */