AES algorithm. More...

#include <stdint.h>
#include <string.h>
#include <errno.h>
#include <assert.h>
#include <byteswap.h>
#include <ipxe/rotate.h>
#include <ipxe/crypto.h>
#include <ipxe/ecb.h>
#include <ipxe/cbc.h>
#include <ipxe/gcm.h>
#include <ipxe/aes.h>

Data Structures
union	aes_table_entry
	A single AES lookup table entry. More...
struct	aes_table
	An AES lookup table. More...

Enumerations
enum	aes_stride { AES_STRIDE_SHIFTROWS = +5 , AES_STRIDE_INVSHIFTROWS = -3 }
	AES strides. More...

Functions
	FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)
	FILE_SECBOOT (PERMITTED)
static uint32_t	aes_entry_column (const union aes_table_entry *entry, unsigned int column)
	Multiply [Inv]MixColumns matrix column by scalar multiplicand.
static uint32_t	aes_column (const struct aes_table table, size_t stride, const union aes_matrix in, size_t offset)
	Multiply [Inv]MixColumns matrix column by S-boxed input byte.
static uint32_t	aes_output (const struct aes_table table, size_t stride, const union aes_matrix in, const union aes_matrix *key, unsigned int column)
	Calculate intermediate round output column.
static void	aes_round (const struct aes_table table, size_t stride, const union aes_matrix in, union aes_matrix out, const union aes_matrix key)
	Perform a single intermediate round.
static void	aes_encrypt_rounds (union aes_matrix in, union aes_matrix out, const union aes_matrix *key, unsigned int rounds)
	Perform encryption intermediate rounds.
static void	aes_decrypt_rounds (union aes_matrix in, union aes_matrix out, const union aes_matrix *key, unsigned int rounds)
	Perform decryption intermediate rounds.
static void	aes_addroundkey (union aes_matrix state, const union aes_matrix key)
	Perform standalone AddRoundKey.
static void	aes_final (const struct aes_table table, size_t stride, const union aes_matrix in, union aes_matrix out, const union aes_matrix key)
	Perform final round.
static void	aes_encrypt (void ctx, const void src, void *dst, size_t len)
	Encrypt data.
static void	aes_decrypt (void ctx, const void src, void *dst, size_t len)
	Decrypt data.
static unsigned int	aes_double (unsigned int poly)
	Multiply a polynomial by (x) modulo (x^8 + x^4 + x^3 + x^2 + 1) in GF(2^8)
static void	aes_mixcolumns_entry (union aes_table_entry *entry)
	Fill in MixColumns lookup table entry.
static void	aes_invmixcolumns_entry (union aes_table_entry *entry)
	Fill in InvMixColumns lookup table entry.
static void	aes_generate (void)
	Generate AES lookup tables.
static uint32_t	aes_key_rotate (uint32_t column)
	Rotate key column.
static uint32_t	aes_key_sbox (uint32_t column)
	Apply S-box to key column.
static uint32_t	aes_key_rcon (uint32_t column, unsigned int rcon)
	Apply schedule round constant to key column.
static int	aes_setkey (void ctx, const void key, size_t keylen)
	Set key.
	ECB_CIPHER (aes_ecb, aes_ecb_algorithm, aes_algorithm, struct aes_context, AES_BLOCKSIZE)
	CBC_CIPHER (aes_cbc, aes_cbc_algorithm, aes_algorithm, struct aes_context, AES_BLOCKSIZE)
	GCM_CIPHER (aes_gcm, aes_gcm_algorithm, aes_algorithm, struct aes_context, AES_BLOCKSIZE)

Variables
static struct aes_table	aes_mixcolumns
	AES MixColumns lookup table.
static struct aes_table	aes_invmixcolumns
	AES InvMixColumns lookup table.
struct cipher_algorithm	aes_algorithm
	Basic AES algorithm.

Detailed Description

AES algorithm.

Definition in file aes.c.

Enumeration Type Documentation

◆ aes_stride

enum aes_stride

AES strides.

These are the strides (modulo 16) used to walk through the AES input state bytes in order of byte position after [Inv]ShiftRows.

Enumerator

AES_STRIDE_SHIFTROWS

Input stride for ShiftRows.

0 4 8 c \ \ \ 1 5 9 d \ \ \ 2 6 a e \ \ \ 3 7 b f

AES_STRIDE_INVSHIFTROWS

Input stride for InvShiftRows.

0 4 8 c / / / 1 5 9 d / / / 2 6 a e / / / 3 7 b f

Definition at line 50 of file aes.c.

                {
        /** Input stride for ShiftRows
         *
         *    0 4 8 c
         *     \ \ \
         *    1 5 9 d
         *     \ \ \
         *    2 6 a e
         *     \ \ \
         *    3 7 b f
         */
        AES_STRIDE_SHIFTROWS = +5,
        /** Input stride for InvShiftRows
         *
         *    0 4 8 c
         *     / / /
         *    1 5 9 d
         *     / / /
         *    2 6 a e
         *     / / /
         *    3 7 b f
         */
        AES_STRIDE_INVSHIFTROWS = -3,
};

Function Documentation

◆ FILE_LICENCE()

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL )

◆ FILE_SECBOOT()

FILE_SECBOOT ( PERMITTED )

◆ aes_entry_column()

uint32_t aes_entry_column	(	const union aes_table_entry *	entry,
		unsigned int	column )

inlinestatic

Multiply [Inv]MixColumns matrix column by scalar multiplicand.

Parameters

entry	AES lookup table entry for scalar multiplicand
column	[Inv]MixColumns matrix column index

Return values

product Product of matrix column with scalar multiplicand

Definition at line 160 of file aes.c.

                                                                             {
        const union {
                uint8_t byte;
                uint32_t column;
        } __attribute__ (( may_alias )) *product;
 
        /* Locate relevant four-byte subset */
        product = container_of ( &entry->byte[ 4 - column ],
                                 typeof ( *product ), byte );
 
        /* Extract this four-byte subset */
        return product->column;
}

References __attribute__, aes_table_entry::byte, container_of, product, and typeof().

Referenced by aes_column().

◆ aes_column()

uint32_t aes_column	(	const struct aes_table *	table,
		size_t	stride,
		const union aes_matrix *	in,
		size_t	offset )

inlinestatic

Multiply [Inv]MixColumns matrix column by S-boxed input byte.

Parameters

table	AES lookup table
stride	AES row shift stride
in	AES input state
offset	Output byte offset (after [Inv]ShiftRows)

Return values

product Product of matrix column with S(input byte)

Note that the specified offset is not the offset of the input byte; it is the offset of the output byte which corresponds to the input byte. This output byte offset is used to calculate both the input byte offset and to select the appropriate matric column.

With a compile-time constant offset, this function will optimise down to a single "movzbl" (to extract the input byte) and will generate a single x86 memory reference expression which can then be used directly within a single "xorl" instruction.

Definition at line 194 of file aes.c.

                                                         {
        const union aes_table_entry *entry;
        unsigned int byte;
 
        /* Extract input byte corresponding to this output byte offset
         * (i.e. perform [Inv]ShiftRows).
         */
        byte = in->byte[ ( stride * offset ) & 0xf ];
 
        /* Locate lookup table entry for this input byte (i.e. perform
         * [Inv]SubBytes).
         */
        entry = &table->entry[byte];
 
        /* Multiply appropriate matrix column by this input byte
         * (i.e. perform [Inv]MixColumns).
         */
        return aes_entry_column ( entry, ( offset & 0x3 ) );
}

References aes_entry_column(), aes_table::entry, in, offset, and stride.

Referenced by aes_output().

◆ aes_output()

uint32_t aes_output	(	const struct aes_table *	table,
		size_t	stride,
		const union aes_matrix *	in,
		const union aes_matrix *	key,
		unsigned int	column )

inlinestatic

Calculate intermediate round output column.

Parameters

table	AES lookup table
stride	AES row shift stride
in	AES input state
key	AES round key
column	Column index

Return values

output Output column value

Definition at line 226 of file aes.c.

                                   {
        size_t offset = ( column * 4 );
 
        /* Perform [Inv]ShiftRows, [Inv]SubBytes, [Inv]MixColumns, and
         * AddRoundKey for this column.  The loop is unrolled to allow
         * for the required compile-time constant optimisations.
         */
        return ( aes_column ( table, stride, in, ( offset + 0 ) ) ^
                 aes_column ( table, stride, in, ( offset + 1 ) ) ^
                 aes_column ( table, stride, in, ( offset + 2 ) ) ^
                 aes_column ( table, stride, in, ( offset + 3 ) ) ^
                 key->column[column] );
}

References aes_column(), in, key, offset, and stride.

Referenced by aes_round().

◆ aes_round()

void aes_round	(	const struct aes_table *	table,
		size_t	stride,
		const union aes_matrix *	in,
		union aes_matrix *	out,
		const union aes_matrix *	key )

inlinestatic

Perform a single intermediate round.

Parameters

table	AES lookup table
stride	AES row shift stride
in	AES input state
out	AES output state
key	AES round key

Definition at line 252 of file aes.c.

                                          {
 
        /* Perform [Inv]ShiftRows, [Inv]SubBytes, [Inv]MixColumns, and
         * AddRoundKey for all columns.  The loop is unrolled to allow
         * for the required compile-time constant optimisations.
         */
        out->column[0] = aes_output ( table, stride, in, key, 0 );
        out->column[1] = aes_output ( table, stride, in, key, 1 );
        out->column[2] = aes_output ( table, stride, in, key, 2 );
        out->column[3] = aes_output ( table, stride, in, key, 3 );
}

References aes_output(), in, key, out, and stride.

Referenced by aes_decrypt_rounds(), and aes_encrypt_rounds().

◆ aes_encrypt_rounds()

void aes_encrypt_rounds	(	union aes_matrix *	in,
		union aes_matrix *	out,
		const union aes_matrix *	key,
		unsigned int	rounds )

static

Perform encryption intermediate rounds.

Parameters

in	AES input state
out	AES output state
key	Round keys
rounds	Number of rounds (must be odd)

This function is deliberately marked as non-inlinable to ensure maximal availability of registers for GCC's register allocator, which has a tendency to otherwise spill performance-critical registers to the stack.

Definition at line 280 of file aes.c.

                                                                        {
        union aes_matrix *tmp;
 
        /* Perform intermediate rounds */
        do {
                /* Perform one intermediate round */
                aes_round ( &aes_mixcolumns, AES_STRIDE_SHIFTROWS,
                            in, out, key++ );
 
                /* Swap input and output states for next round */
                tmp = in;
                in = out;
                out = tmp;
 
        } while ( --rounds );
}

References aes_mixcolumns, aes_round(), AES_STRIDE_SHIFTROWS, in, key, out, and tmp.

Referenced by aes_encrypt().

◆ aes_decrypt_rounds()

void aes_decrypt_rounds	(	union aes_matrix *	in,
		union aes_matrix *	out,
		const union aes_matrix *	key,
		unsigned int	rounds )

static

Perform decryption intermediate rounds.

Parameters

in	AES input state
out	AES output state
key	Round keys
rounds	Number of rounds (must be odd)

As with aes_encrypt_rounds(), this function is deliberately marked as non-inlinable.

This function could potentially use the same binary code as is used for encryption. To compensate for the difference between ShiftRows and InvShiftRows, half of the input byte offsets would have to be modifiable at runtime (half by an offset of +4/-4, half by an offset of -4/+4 for ShiftRows/InvShiftRows). This can be accomplished in x86 assembly within the number of available registers, but GCC's register allocator struggles to do so, resulting in a significant performance decrease due to registers being spilled to the stack. We therefore use two separate but very similar binary functions based on the same C source.

Definition at line 321 of file aes.c.

                                                                        {
        union aes_matrix *tmp;
 
        /* Perform intermediate rounds */
        do {
                /* Perform one intermediate round */
                aes_round ( &aes_invmixcolumns, AES_STRIDE_INVSHIFTROWS,
                            in, out, key++ );
 
                /* Swap input and output states for next round */
                tmp = in;
                in = out;
                out = tmp;
 
        } while ( --rounds );
}

References aes_invmixcolumns, aes_round(), AES_STRIDE_INVSHIFTROWS, in, key, out, and tmp.

Referenced by aes_decrypt(), and aes_setkey().

◆ aes_addroundkey()

void aes_addroundkey	(	union aes_matrix *	state,
		const union aes_matrix *	key )

inlinestatic

Perform standalone AddRoundKey.

Parameters

state	AES state
key	AES round key

Definition at line 346 of file aes.c.

                                                                         {
 
        state->column[0] ^= key->column[0];
        state->column[1] ^= key->column[1];
        state->column[2] ^= key->column[2];
        state->column[3] ^= key->column[3];
}

References key, and state.

Referenced by aes_decrypt(), aes_encrypt(), and aes_final().

◆ aes_final()

void aes_final	(	const struct aes_table *	table,
		size_t	stride,
		const union aes_matrix *	in,
		union aes_matrix *	out,
		const union aes_matrix *	key )

static

Perform final round.

Parameters

table	AES lookup table
stride	AES row shift stride
in	AES input state
out	AES output state
key	AES round key

Definition at line 363 of file aes.c.

                                                      {
        const union aes_table_entry *entry;
        unsigned int byte;
        size_t out_offset;
        size_t in_offset;
 
        /* Perform [Inv]ShiftRows and [Inv]SubBytes */
        for ( out_offset = 0, in_offset = 0 ; out_offset < 16 ;
              out_offset++, in_offset = ( ( in_offset + stride ) & 0xf ) ) {
 
                /* Extract input byte (i.e. perform [Inv]ShiftRows) */
                byte = in->byte[in_offset];
 
                /* Locate lookup table entry for this input byte
                 * (i.e. perform [Inv]SubBytes).
                 */
                entry = &table->entry[byte];
 
                /* Store output byte */
                out->byte[out_offset] = entry->byte[0];
        }
 
        /* Perform AddRoundKey */
        aes_addroundkey ( out, key );
}

References aes_addroundkey(), aes_table_entry::byte, aes_table::entry, in, key, out, and stride.

Referenced by aes_decrypt(), aes_encrypt(), and aes_setkey().

◆ aes_encrypt()

void aes_encrypt	(	void *	ctx,
		const void *	src,
		void *	dst,
		size_t	len )

static

Encrypt data.

Parameters

ctx	Context
src	Data to encrypt
dst	Buffer for encrypted data
len	Length of data

Definition at line 399 of file aes.c.

                                                                              {
        struct aes_context *aes = ctx;
        union aes_matrix buffer[2];
        union aes_matrix *in = &buffer[0];
        union aes_matrix *out = &buffer[1];
        unsigned int rounds = aes->rounds;
 
        /* Sanity check */
        assert ( len == sizeof ( *in ) );
 
        /* Initialise input state */
        memcpy ( in, src, sizeof ( *in ) );
 
        /* Perform initial round (AddRoundKey) */
        aes_addroundkey ( in, &aes->encrypt.key[0] );
 
        /* Perform intermediate rounds (ShiftRows, SubBytes,
         * MixColumns, AddRoundKey).
         */
        aes_encrypt_rounds ( in, out, &aes->encrypt.key[1], ( rounds - 2 ) );
        in = out;
 
        /* Perform final round (ShiftRows, SubBytes, AddRoundKey) */
        out = dst;
        aes_final ( &aes_mixcolumns, AES_STRIDE_SHIFTROWS, in, out,
                    &aes->encrypt.key[ rounds - 1 ] );
}

References aes_addroundkey(), aes_encrypt_rounds(), aes_final(), aes_mixcolumns, AES_STRIDE_SHIFTROWS, assert, buffer, ctx, aes_context::encrypt, in, aes_round_keys::key, len, memcpy(), out, aes_context::rounds, and src.

◆ aes_decrypt()

void aes_decrypt	(	void *	ctx,
		const void *	src,
		void *	dst,
		size_t	len )

static

Decrypt data.

Parameters

ctx	Context
src	Data to decrypt
dst	Buffer for decrypted data
len	Length of data

Definition at line 435 of file aes.c.

                                                                              {
        struct aes_context *aes = ctx;
        union aes_matrix buffer[2];
        union aes_matrix *in = &buffer[0];
        union aes_matrix *out = &buffer[1];
        unsigned int rounds = aes->rounds;
 
        /* Sanity check */
        assert ( len == sizeof ( *in ) );
 
        /* Initialise input state */
        memcpy ( in, src, sizeof ( *in ) );
 
        /* Perform initial round (AddRoundKey) */
        aes_addroundkey ( in, &aes->decrypt.key[0] );
 
        /* Perform intermediate rounds (InvShiftRows, InvSubBytes,
         * InvMixColumns, AddRoundKey).
         */
        aes_decrypt_rounds ( in, out, &aes->decrypt.key[1], ( rounds - 2 ) );
        in = out;
 
        /* Perform final round (InvShiftRows, InvSubBytes, AddRoundKey) */
        out = dst;
        aes_final ( &aes_invmixcolumns, AES_STRIDE_INVSHIFTROWS, in, out,
                    &aes->decrypt.key[ rounds - 1 ] );
}

References aes_addroundkey(), aes_decrypt_rounds(), aes_final(), aes_invmixcolumns, AES_STRIDE_INVSHIFTROWS, assert, buffer, ctx, aes_context::decrypt, in, aes_round_keys::key, len, memcpy(), out, aes_context::rounds, and src.

◆ aes_double()

unsigned int aes_double ( unsigned int poly )

static

Multiply a polynomial by (x) modulo (x^8 + x^4 + x^3 + x^2 + 1) in GF(2^8)

Parameters

poly	Polynomial to be multiplied

Return values

result Result

Definition at line 469 of file aes.c.

                                                                               {
 
        /* Multiply polynomial by (x), placing the resulting x^8
         * coefficient in the LSB (i.e. rotate byte left by one).
         */
        poly = rol8 ( poly, 1 );
 
        /* If coefficient of x^8 (in LSB) is non-zero, then reduce by
         * subtracting (x^8 + x^4 + x^3 + x^2 + 1) in GF(2^8).
         */
        if ( poly & 0x01 ) {
                poly ^= 0x01; /* Subtract x^8 (currently in LSB) */
                poly ^= 0x1b; /* Subtract (x^4 + x^3 + x^2 + 1) */
        }
 
        return poly;
}

References aes_double().

Referenced by aes_double(), aes_generate(), aes_invmixcolumns_entry(), aes_mixcolumns_entry(), and aes_setkey().

◆ aes_mixcolumns_entry()

void aes_mixcolumns_entry ( union aes_table_entry * entry )

static

Fill in MixColumns lookup table entry.

Parameters

entry AES lookup table entry for scalar multiplicand

The MixColumns lookup table vector multiplier is {1,1,1,3,2,1,1,3}.

Definition at line 494 of file aes.c.

                                                                  {
        unsigned int scalar_x_1;
        unsigned int scalar_x;
        unsigned int scalar;
 
        /* Retrieve scalar multiplicand */
        scalar = entry->byte[0];
        entry->byte[1] = scalar;
        entry->byte[2] = scalar;
        entry->byte[5] = scalar;
        entry->byte[6] = scalar;
 
        /* Calculate scalar multiplied by (x) */
        scalar_x = aes_double ( scalar );
        entry->byte[4] = scalar_x;
 
        /* Calculate scalar multiplied by (x + 1) */
        scalar_x_1 = ( scalar_x ^ scalar );
        entry->byte[3] = scalar_x_1;
        entry->byte[7] = scalar_x_1;
}

References aes_double(), and aes_table_entry::byte.

Referenced by aes_generate().

◆ aes_invmixcolumns_entry()

void aes_invmixcolumns_entry ( union aes_table_entry * entry )

static

Fill in InvMixColumns lookup table entry.

Parameters

entry AES lookup table entry for scalar multiplicand

The InvMixColumns lookup table vector multiplier is {1,9,13,11,14,9,13,11}.

Definition at line 523 of file aes.c.

                                                                     {
        unsigned int scalar_x3_x2_x;
        unsigned int scalar_x3_x2_1;
        unsigned int scalar_x3_x2;
        unsigned int scalar_x3_x_1;
        unsigned int scalar_x3_1;
        unsigned int scalar_x3;
        unsigned int scalar_x2;
        unsigned int scalar_x;
        unsigned int scalar;
 
        /* Retrieve scalar multiplicand */
        scalar = entry->byte[0];
 
        /* Calculate scalar multiplied by (x) */
        scalar_x = aes_double ( scalar );
 
        /* Calculate scalar multiplied by (x^2) */
        scalar_x2 = aes_double ( scalar_x );
 
        /* Calculate scalar multiplied by (x^3) */
        scalar_x3 = aes_double ( scalar_x2 );
 
        /* Calculate scalar multiplied by (x^3 + 1) */
        scalar_x3_1 = ( scalar_x3 ^ scalar );
        entry->byte[1] = scalar_x3_1;
        entry->byte[5] = scalar_x3_1;
 
        /* Calculate scalar multiplied by (x^3 + x + 1) */
        scalar_x3_x_1 = ( scalar_x3_1 ^ scalar_x );
        entry->byte[3] = scalar_x3_x_1;
        entry->byte[7] = scalar_x3_x_1;
 
        /* Calculate scalar multiplied by (x^3 + x^2) */
        scalar_x3_x2 = ( scalar_x3 ^ scalar_x2 );
 
        /* Calculate scalar multiplied by (x^3 + x^2 + 1) */
        scalar_x3_x2_1 = ( scalar_x3_x2 ^ scalar );
        entry->byte[2] = scalar_x3_x2_1;
        entry->byte[6] = scalar_x3_x2_1;
 
        /* Calculate scalar multiplied by (x^3 + x^2 + x) */
        scalar_x3_x2_x = ( scalar_x3_x2 ^ scalar_x );
        entry->byte[4] = scalar_x3_x2_x;
}

References aes_double(), and aes_table_entry::byte.

Referenced by aes_generate().

◆ aes_generate()

void aes_generate ( void )

static

Generate AES lookup tables.

Definition at line 573 of file aes.c.

                                  {
        union aes_table_entry *entry;
        union aes_table_entry *inventry;
        unsigned int poly = 0x01;
        unsigned int invpoly = 0x01;
        unsigned int transformed;
        unsigned int i;
 
        /* Iterate over non-zero values of GF(2^8) using generator (x + 1) */
        do {
 
                /* Multiply polynomial by (x + 1) */
                poly ^= aes_double ( poly );
 
                /* Divide inverse polynomial by (x + 1).  This code
                 * fragment is taken directly from the Wikipedia page
                 * on the Rijndael S-box.  An explanation of why it
                 * works would be greatly appreciated.
                 */
                invpoly ^= ( invpoly << 1 );
                invpoly ^= ( invpoly << 2 );
                invpoly ^= ( invpoly << 4 );
                if ( invpoly & 0x80 )
                        invpoly ^= 0x09;
                invpoly &= 0xff;
 
                /* Apply affine transformation */
                transformed = ( 0x63 ^ invpoly ^ rol8 ( invpoly, 1 ) ^
                                rol8 ( invpoly, 2 ) ^ rol8 ( invpoly, 3 ) ^
                                rol8 ( invpoly, 4 ) );
 
                /* Populate S-box (within MixColumns lookup table) */
                aes_mixcolumns.entry[poly].byte[0] = transformed;
 
        } while ( poly != 0x01 );
 
        /* Populate zeroth S-box entry (which has no inverse) */
        aes_mixcolumns.entry[0].byte[0] = 0x63;
 
        /* Fill in MixColumns and InvMixColumns lookup tables */
        for ( i = 0 ; i < 256 ; i++ ) {
 
                /* Fill in MixColumns lookup table entry */
                entry = &aes_mixcolumns.entry[i];
                aes_mixcolumns_entry ( entry );
 
                /* Populate inverse S-box (within InvMixColumns lookup table) */
                inventry = &aes_invmixcolumns.entry[ entry->byte[0] ];
                inventry->byte[0] = i;
 
                /* Fill in InvMixColumns lookup table entry */
                aes_invmixcolumns_entry ( inventry );
        }
}

References aes_double(), aes_invmixcolumns, aes_invmixcolumns_entry(), aes_mixcolumns, aes_mixcolumns_entry(), and aes_table_entry::byte.

Referenced by aes_setkey().

◆ aes_key_rotate()

uint32_t aes_key_rotate ( uint32_t column )

inlinestatic

Rotate key column.

Parameters

column Key column

Return values

column Updated key column

Definition at line 635 of file aes.c.

                                   {
 
        return ( ( __BYTE_ORDER == __LITTLE_ENDIAN ) ?
                 ror32 ( column, 8 ) : rol32 ( column, 8 ) );
}

References __BYTE_ORDER, __LITTLE_ENDIAN, rol32(), and ror32().

Referenced by aes_setkey().

◆ aes_key_sbox()

uint32_t aes_key_sbox ( uint32_t column )

static

Apply S-box to key column.

Parameters

column Key column

Return values

column Updated key column

Definition at line 647 of file aes.c.

                                                 {
        unsigned int i;
        uint8_t byte;
 
        for ( i = 0 ; i < 4 ; i++ ) {
                byte = ( column & 0xff );
                byte = aes_mixcolumns.entry[byte].byte[0];
                column = ( ( column & ~0xff ) | byte );
                column = rol32 ( column, 8 );
        }
        return column;
}

References aes_mixcolumns, and rol32().

Referenced by aes_setkey().

◆ aes_key_rcon()

uint32_t aes_key_rcon	(	uint32_t	column,
		unsigned int	rcon )

inlinestatic

Apply schedule round constant to key column.

Parameters

column	Key column
rcon	Round constant

Return values

column Updated key column

Definition at line 668 of file aes.c.

                                                    {
 
        return ( ( __BYTE_ORDER == __LITTLE_ENDIAN ) ?
                 ( column ^ rcon ) : ( column ^ ( rcon << 24 ) ) );
}

References __BYTE_ORDER, and __LITTLE_ENDIAN.

Referenced by aes_setkey().

◆ aes_setkey()

int aes_setkey	(	void *	ctx,
		const void *	key,
		size_t	keylen )

static

Set key.

Parameters

ctx	Context
key	Key
keylen	Key length

Return values

rc	Return status code

Definition at line 682 of file aes.c.

                                                                    {
        struct aes_context *aes = ctx;
        union aes_matrix *enc;
        union aes_matrix *dec;
        union aes_matrix temp;
        union aes_matrix zero;
        unsigned int rcon = 0x01;
        unsigned int rounds;
        size_t offset = 0;
        uint32_t *prev;
        uint32_t *next;
        uint32_t *end;
        uint32_t tmp;
 
        /* Generate lookup tables, if not already done */
        if ( ! aes_mixcolumns.entry[0].byte[0] )
                aes_generate();
 
        /* Validate key length and calculate number of intermediate rounds */
        switch ( keylen ) {
        case ( 128 / 8 ) :
                rounds = 11;
                break;
        case ( 192 / 8 ) :
                rounds = 13;
                break;
        case ( 256 / 8 ) :
                rounds = 15;
                break;
        default:
                DBGC ( aes, "AES %p unsupported key length (%zd bits)\n",
                       aes, ( keylen * 8 ) );
                return -EINVAL;
        }
        aes->rounds = rounds;
        enc = aes->encrypt.key;
        end = enc[rounds].column;
 
        /* Copy raw key */
        memcpy ( enc, key, keylen );
        prev = enc->column;
        next = ( ( ( void * ) prev ) + keylen );
        tmp = next[-1];
 
        /* Construct expanded key */
        while ( next < end ) {
 
                /* If this is the first column of an expanded key
                 * block, or the middle column of an AES-256 key
                 * block, then apply the S-box.
                 */
                if ( ( offset == 0 ) || ( ( offset | keylen ) == 48 ) )
                        tmp = aes_key_sbox ( tmp );
 
                /* If this is the first column of an expanded key
                 * block then rotate and apply the round constant.
                 */
                if ( offset == 0 ) {
                        tmp = aes_key_rotate ( tmp );
                        tmp = aes_key_rcon ( tmp, rcon );
                        rcon = aes_double ( rcon );
                }
 
                /* XOR with previous key column */
                tmp ^= *prev;
 
                /* Store column */
                *next = tmp;
 
                /* Move to next column */
                offset += sizeof ( *next );
                if ( offset == keylen )
                        offset = 0;
                next++;
                prev++;
        }
        DBGC2 ( aes, "AES %p expanded %zd-bit key:\n", aes, ( keylen * 8 ) );
        DBGC2_HDA ( aes, 0, &aes->encrypt, ( rounds * sizeof ( *enc ) ) );
 
        /* Convert to decryption key */
        memset ( &zero, 0, sizeof ( zero ) );
        dec = &aes->decrypt.key[ rounds - 1 ];
        memcpy ( dec--, enc++, sizeof ( *dec ) );
        while ( dec > aes->decrypt.key ) {
                /* Perform InvMixColumns (by reusing the encryption
                 * final-round code to perform ShiftRows+SubBytes and
                 * reusing the decryption intermediate-round code to
                 * perform InvShiftRows+InvSubBytes+InvMixColumns, all
                 * with a zero encryption key).
                 */
                aes_final ( &aes_mixcolumns, AES_STRIDE_SHIFTROWS,
                            enc++, &temp, &zero );
                aes_decrypt_rounds ( &temp, dec--, &zero, 1 );
        }
        memcpy ( dec--, enc++, sizeof ( *dec ) );
        DBGC2 ( aes, "AES %p inverted %zd-bit key:\n", aes, ( keylen * 8 ) );
        DBGC2_HDA ( aes, 0, &aes->decrypt, ( rounds * sizeof ( *dec ) ) );
 
        return 0;
}

References aes_decrypt_rounds(), aes_double(), aes_final(), aes_generate(), aes_key_rcon(), aes_key_rotate(), aes_key_sbox(), aes_mixcolumns, AES_STRIDE_SHIFTROWS, aes_matrix::column, ctx, DBGC, DBGC2, DBGC2_HDA, aes_context::decrypt, EINVAL, aes_context::encrypt, end, aes_round_keys::key, key, memcpy(), memset(), next, offset, aes_context::rounds, and tmp.

◆ ECB_CIPHER()

ECB_CIPHER	(	aes_ecb	,
		aes_ecb_algorithm	,
		aes_algorithm	,
		struct aes_context	,
		AES_BLOCKSIZE	)

References aes_algorithm, AES_BLOCKSIZE, and aes_ecb_algorithm.

◆ CBC_CIPHER()

CBC_CIPHER	(	aes_cbc	,
		aes_cbc_algorithm	,
		aes_algorithm	,
		struct aes_context	,
		AES_BLOCKSIZE	)

References aes_algorithm, AES_BLOCKSIZE, and aes_cbc_algorithm.

◆ GCM_CIPHER()

GCM_CIPHER	(	aes_gcm	,
		aes_gcm_algorithm	,
		aes_algorithm	,
		struct aes_context	,
		AES_BLOCKSIZE	)

References aes_algorithm, AES_BLOCKSIZE, and aes_gcm_algorithm.

Variable Documentation

◆ aes_mixcolumns

struct aes_table aes_mixcolumns

static

AES MixColumns lookup table.

Definition at line 147 of file aes.c.

Referenced by aes_encrypt(), aes_encrypt_rounds(), aes_generate(), aes_key_sbox(), and aes_setkey().

◆ aes_invmixcolumns

struct aes_table aes_invmixcolumns

static

AES InvMixColumns lookup table.

Definition at line 150 of file aes.c.

Referenced by aes_decrypt(), aes_decrypt_rounds(), and aes_generate().

◆ aes_algorithm

struct cipher_algorithm aes_algorithm

Initial value:

= {
        .name = "aes",
        .ctxsize = sizeof ( struct aes_context ),
        .blocksize = AES_BLOCKSIZE,
        .alignsize = 0,
        .authsize = 0,
        .setkey = aes_setkey,
        .setiv = cipher_null_setiv,
        .encrypt = aes_encrypt,
        .decrypt = aes_decrypt,
        .auth = cipher_null_auth,
}

Basic AES algorithm.

Definition at line 784 of file aes.c.

                                        {
        .name = "aes",
        .ctxsize = sizeof ( struct aes_context ),
        .blocksize = AES_BLOCKSIZE,
        .alignsize = 0,
        .authsize = 0,
        .setkey = aes_setkey,
        .setiv = cipher_null_setiv,
        .encrypt = aes_encrypt,
        .decrypt = aes_decrypt,
        .auth = cipher_null_auth,
};

Referenced by aes_unwrap(), aes_wrap(), CBC_CIPHER(), ccmp_cbc_mac(), ccmp_ctr_xor(), ccmp_feed_cbc_mac(), ccmp_init(), ECB_CIPHER(), and GCM_CIPHER().

Data Structures

Enumerations

Functions

Variables

Detailed Description

Enumeration Type Documentation

◆ aes_stride

Function Documentation

◆ FILE_LICENCE()

◆ FILE_SECBOOT()

◆ aes_entry_column()

◆ aes_column()

◆ aes_output()

◆ aes_round()

◆ aes_encrypt_rounds()

◆ aes_decrypt_rounds()

◆ aes_addroundkey()

◆ aes_final()

◆ aes_encrypt()

◆ aes_decrypt()

◆ aes_double()

◆ aes_mixcolumns_entry()

◆ aes_invmixcolumns_entry()

◆ aes_generate()

◆ aes_key_rotate()

◆ aes_key_sbox()

◆ aes_key_rcon()

◆ aes_setkey()

◆ ECB_CIPHER()

◆ CBC_CIPHER()

◆ GCM_CIPHER()

Variable Documentation

◆ aes_mixcolumns

◆ aes_invmixcolumns

◆ aes_algorithm