aes.c File Reference

AES algorithm. More...

#include <stdint.h>
#include <string.h>
#include <errno.h>
#include <assert.h>
#include <byteswap.h>
#include <ipxe/rotate.h>
#include <ipxe/crypto.h>
#include <ipxe/ecb.h>
#include <ipxe/cbc.h>
#include <ipxe/gcm.h>
#include <ipxe/aes.h>

Go to the source code of this file.

Data Structures
union	aes_table_entry
	A single AES lookup table entry. More...
struct	aes_table
	An AES lookup table. More...

Enumerations
enum	aes_stride { AES_STRIDE_SHIFTROWS = +5, AES_STRIDE_INVSHIFTROWS = -3 }
	AES strides. More...

Functions
	FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)
static uint32_t	aes_entry_column (const union aes_table_entry *entry, unsigned int column)
	Multiply [Inv]MixColumns matrix column by scalar multiplicand. More...
static uint32_t	aes_column (const struct aes_table *table, size_t stride, const union aes_matrix *in, size_t offset)
	Multiply [Inv]MixColumns matrix column by S-boxed input byte. More...
static uint32_t	aes_output (const struct aes_table *table, size_t stride, const union aes_matrix *in, const union aes_matrix *key, unsigned int column)
	Calculate intermediate round output column. More...
static void	aes_round (const struct aes_table *table, size_t stride, const union aes_matrix *in, union aes_matrix *out, const union aes_matrix *key)
	Perform a single intermediate round. More...
static void	aes_encrypt_rounds (union aes_matrix *in, union aes_matrix *out, const union aes_matrix *key, unsigned int rounds)
	Perform encryption intermediate rounds. More...
static void	aes_decrypt_rounds (union aes_matrix *in, union aes_matrix *out, const union aes_matrix *key, unsigned int rounds)
	Perform decryption intermediate rounds. More...
static void	aes_addroundkey (union aes_matrix *state, const union aes_matrix *key)
	Perform standalone AddRoundKey. More...
static void	aes_final (const struct aes_table *table, size_t stride, const union aes_matrix *in, union aes_matrix *out, const union aes_matrix *key)
	Perform final round. More...
static void	aes_encrypt (void *ctx, const void *src, void *dst, size_t len)
	Encrypt data. More...
static void	aes_decrypt (void *ctx, const void *src, void *dst, size_t len)
	Decrypt data. More...
static unsigned int	aes_double (unsigned int poly)
	Multiply a polynomial by (x) modulo (x^8 + x^4 + x^3 + x^2 + 1) in GF(2^8) More...
static void	aes_mixcolumns_entry (union aes_table_entry *entry)
	Fill in MixColumns lookup table entry. More...
static void	aes_invmixcolumns_entry (union aes_table_entry *entry)
	Fill in InvMixColumns lookup table entry. More...
static void	aes_generate (void)
	Generate AES lookup tables. More...
static uint32_t	aes_key_rotate (uint32_t column)
	Rotate key column. More...
static uint32_t	aes_key_sbox (uint32_t column)
	Apply S-box to key column. More...
static uint32_t	aes_key_rcon (uint32_t column, unsigned int rcon)
	Apply schedule round constant to key column. More...
static int	aes_setkey (void *ctx, const void *key, size_t keylen)
	Set key. More...
	ECB_CIPHER (aes_ecb, aes_ecb_algorithm, aes_algorithm, struct aes_context, AES_BLOCKSIZE)
	CBC_CIPHER (aes_cbc, aes_cbc_algorithm, aes_algorithm, struct aes_context, AES_BLOCKSIZE)
	GCM_CIPHER (aes_gcm, aes_gcm_algorithm, aes_algorithm, struct aes_context, AES_BLOCKSIZE)

Variables
static struct aes_table	aes_mixcolumns
	AES MixColumns lookup table. More...
static struct aes_table	aes_invmixcolumns
	AES InvMixColumns lookup table. More...
struct cipher_algorithm	aes_algorithm
	Basic AES algorithm. More...

Detailed Description

AES algorithm.

Definition in file aes.c.

Enumeration Type Documentation

aes_stride

enum aes_stride

AES strides.

These are the strides (modulo 16) used to walk through the AES input state bytes in order of byte position after [Inv]ShiftRows.

Enumerator
AES_STRIDE_SHIFTROWS	Input stride for ShiftRows. 0 4 8 c \ \ \ 1 5 9 d \ \ \ 2 6 a e \ \ \ 3 7 b f
AES_STRIDE_INVSHIFTROWS	Input stride for InvShiftRows. 0 4 8 c / / / 1 5 9 d / / / 2 6 a e / / / 3 7 b f

Definition at line 49 of file aes.c.

                {
        /** Input stride for ShiftRows
         *
         *    0 4 8 c
         *     \ \ \
         *    1 5 9 d
         *     \ \ \
         *    2 6 a e
         *     \ \ \
         *    3 7 b f
         */
        AES_STRIDE_SHIFTROWS = +5,
        /** Input stride for InvShiftRows
         *
         *    0 4 8 c
         *     / / /
         *    1 5 9 d
         *     / / /
         *    2 6 a e
         *     / / /
         *    3 7 b f
         */
        AES_STRIDE_INVSHIFTROWS = -3,
};

Function Documentation

FILE_LICENCE()

FILE_LICENCE

(

GPL2_OR_LATER_OR_UBDL

)

aes_entry_column()

static uint32_t aes_entry_column ( const union aes_table_entry *  entry, unsigned int  column  )

inlinestatic

Multiply [Inv]MixColumns matrix column by scalar multiplicand.

Parameters

entry	AES lookup table entry for scalar multiplicand
column	[Inv]MixColumns matrix column index

Return values

product

Product of matrix column with scalar multiplicand

Definition at line 159 of file aes.c.

                                                                             {
        const union {
                uint8_t byte;
                uint32_t column;
        } __attribute__ (( may_alias )) *product;

        /* Locate relevant four-byte subset */
        product = container_of ( &entry->byte[ 4 - column ],
                                 typeof ( *product ), byte );

        /* Extract this four-byte subset */
        return product->column;
}

References __attribute__, aes_table_entry::byte, container_of, product, and typeof().

Referenced by aes_column().

aes_column()

static uint32_t aes_column ( const struct aes_table *  table, size_t  stride, const union aes_matrix *  in, size_t  offset  )

inlinestatic

Multiply [Inv]MixColumns matrix column by S-boxed input byte.

Parameters

table	AES lookup table
stride	AES row shift stride
in	AES input state
offset	Output byte offset (after [Inv]ShiftRows)

Return values

product

Product of matrix column with S(input byte)

Note that the specified offset is not the offset of the input byte; it is the offset of the output byte which corresponds to the input byte. This output byte offset is used to calculate both the input byte offset and to select the appropriate matric column.

With a compile-time constant offset, this function will optimise down to a single "movzbl" (to extract the input byte) and will generate a single x86 memory reference expression which can then be used directly within a single "xorl" instruction.

Definition at line 193 of file aes.c.

                                                         {
        const union aes_table_entry *entry;
        unsigned int byte;

        /* Extract input byte corresponding to this output byte offset
         * (i.e. perform [Inv]ShiftRows).
         */
        byte = in->byte[ ( stride * offset ) & 0xf ];

        /* Locate lookup table entry for this input byte (i.e. perform
         * [Inv]SubBytes).
         */
        entry = &table->entry[byte];

        /* Multiply appropriate matrix column by this input byte
         * (i.e. perform [Inv]MixColumns).
         */
        return aes_entry_column ( entry, ( offset & 0x3 ) );
}

References aes_entry_column(), aes_table::entry, in, and offset.

Referenced by aes_output().

aes_output()

static uint32_t aes_output ( const struct aes_table *  table, size_t  stride, const union aes_matrix *  in, const union aes_matrix *  key, unsigned int  column  )

inlinestatic

Calculate intermediate round output column.

Parameters

table	AES lookup table
stride	AES row shift stride
in	AES input state
key	AES round key
column	Column index

Return values

output

Output column value

Definition at line 225 of file aes.c.

                                   {
        size_t offset = ( column * 4 );

        /* Perform [Inv]ShiftRows, [Inv]SubBytes, [Inv]MixColumns, and
         * AddRoundKey for this column.  The loop is unrolled to allow
         * for the required compile-time constant optimisations.
         */
        return ( aes_column ( table, stride, in, ( offset + 0 ) ) ^
                 aes_column ( table, stride, in, ( offset + 1 ) ) ^
                 aes_column ( table, stride, in, ( offset + 2 ) ) ^
                 aes_column ( table, stride, in, ( offset + 3 ) ) ^
                 key->column[column] );
}

References aes_column(), in, key, and offset.

Referenced by aes_round().

aes_round()

static void aes_round ( const struct aes_table *  table, size_t  stride, const union aes_matrix *  in, union aes_matrix *  out, const union aes_matrix *  key  )

inlinestatic

Perform a single intermediate round.

Parameters

table	AES lookup table
stride	AES row shift stride
in	AES input state
out	AES output state
key	AES round key

Definition at line 251 of file aes.c.

                                          {

        /* Perform [Inv]ShiftRows, [Inv]SubBytes, [Inv]MixColumns, and
         * AddRoundKey for all columns.  The loop is unrolled to allow
         * for the required compile-time constant optimisations.
         */
        out->column[0] = aes_output ( table, stride, in, key, 0 );
        out->column[1] = aes_output ( table, stride, in, key, 1 );
        out->column[2] = aes_output ( table, stride, in, key, 2 );
        out->column[3] = aes_output ( table, stride, in, key, 3 );
}

References aes_output(), in, key, and out.

Referenced by aes_decrypt_rounds(), and aes_encrypt_rounds().

aes_encrypt_rounds()

static void aes_encrypt_rounds ( union aes_matrix *  in, union aes_matrix *  out, const union aes_matrix *  key, unsigned int  rounds  )

static

Perform encryption intermediate rounds.

Parameters

in	AES input state
out	AES output state
key	Round keys
rounds	Number of rounds (must be odd)

This function is deliberately marked as non-inlinable to ensure maximal availability of registers for GCC's register allocator, which has a tendency to otherwise spill performance-critical registers to the stack.

Definition at line 279 of file aes.c.

                                                                        {
        union aes_matrix *tmp;

        /* Perform intermediate rounds */
        do {
                /* Perform one intermediate round */
                aes_round ( &aes_mixcolumns, AES_STRIDE_SHIFTROWS,
                            in, out, key++ );

                /* Swap input and output states for next round */
                tmp = in;
                in = out;
                out = tmp;

        } while ( --rounds );
}

References aes_mixcolumns, aes_round(), AES_STRIDE_SHIFTROWS, in, key, out, and tmp.

Referenced by aes_encrypt().

aes_decrypt_rounds()

static void aes_decrypt_rounds ( union aes_matrix *  in, union aes_matrix *  out, const union aes_matrix *  key, unsigned int  rounds  )

static

Perform decryption intermediate rounds.

Parameters

in	AES input state
out	AES output state
key	Round keys
rounds	Number of rounds (must be odd)

As with aes_encrypt_rounds(), this function is deliberately marked as non-inlinable.

This function could potentially use the same binary code as is used for encryption. To compensate for the difference between ShiftRows and InvShiftRows, half of the input byte offsets would have to be modifiable at runtime (half by an offset of +4/-4, half by an offset of -4/+4 for ShiftRows/InvShiftRows). This can be accomplished in x86 assembly within the number of available registers, but GCC's register allocator struggles to do so, resulting in a significant performance decrease due to registers being spilled to the stack. We therefore use two separate but very similar binary functions based on the same C source.

Definition at line 320 of file aes.c.

                                                                        {
        union aes_matrix *tmp;

        /* Perform intermediate rounds */
        do {
                /* Perform one intermediate round */
                aes_round ( &aes_invmixcolumns, AES_STRIDE_INVSHIFTROWS,
                            in, out, key++ );

                /* Swap input and output states for next round */
                tmp = in;
                in = out;
                out = tmp;

        } while ( --rounds );
}

References aes_invmixcolumns, aes_round(), AES_STRIDE_INVSHIFTROWS, in, key, out, and tmp.

Referenced by aes_decrypt(), and aes_setkey().

aes_addroundkey()

static void aes_addroundkey ( union aes_matrix *  state, const union aes_matrix *  key  )

inlinestatic

Perform standalone AddRoundKey.

Parameters

state	AES state
key	AES round key

Definition at line 345 of file aes.c.

                                                                         {

        state->column[0] ^= key->column[0];
        state->column[1] ^= key->column[1];
        state->column[2] ^= key->column[2];
        state->column[3] ^= key->column[3];
}

References key, and state.

Referenced by aes_decrypt(), aes_encrypt(), and aes_final().

aes_final()

static void aes_final ( const struct aes_table *  table, size_t  stride, const union aes_matrix *  in, union aes_matrix *  out, const union aes_matrix *  key  )

static

Perform final round.

Parameters

table	AES lookup table
stride	AES row shift stride
in	AES input state
out	AES output state
key	AES round key

Definition at line 362 of file aes.c.

                                                      {
        const union aes_table_entry *entry;
        unsigned int byte;
        size_t out_offset;
        size_t in_offset;

        /* Perform [Inv]ShiftRows and [Inv]SubBytes */
        for ( out_offset = 0, in_offset = 0 ; out_offset < 16 ;
              out_offset++, in_offset = ( ( in_offset + stride ) & 0xf ) ) {

                /* Extract input byte (i.e. perform [Inv]ShiftRows) */
                byte = in->byte[in_offset];

                /* Locate lookup table entry for this input byte
                 * (i.e. perform [Inv]SubBytes).
                 */
                entry = &table->entry[byte];

                /* Store output byte */
                out->byte[out_offset] = entry->byte[0];
        }

        /* Perform AddRoundKey */
        aes_addroundkey ( out, key );
}

References aes_addroundkey(), aes_table_entry::byte, aes_table::entry, in, key, and out.

Referenced by aes_decrypt(), aes_encrypt(), and aes_setkey().

aes_encrypt()

static void aes_encrypt ( void *  ctx, const void *  src, void *  dst, size_t  len  )

static

Encrypt data.

Parameters

ctx	Context
src	Data to encrypt
dst	Buffer for encrypted data
len	Length of data

Definition at line 398 of file aes.c.

                                                                              {
        struct aes_context *aes = ctx;
        union aes_matrix buffer[2];
        union aes_matrix *in = &buffer[0];
        union aes_matrix *out = &buffer[1];
        unsigned int rounds = aes->rounds;

        /* Sanity check */
        assert ( len == sizeof ( *in ) );

        /* Initialise input state */
        memcpy ( in, src, sizeof ( *in ) );

        /* Perform initial round (AddRoundKey) */
        aes_addroundkey ( in, &aes->encrypt.key[0] );

        /* Perform intermediate rounds (ShiftRows, SubBytes,
         * MixColumns, AddRoundKey).
         */
        aes_encrypt_rounds ( in, out, &aes->encrypt.key[1], ( rounds - 2 ) );
        in = out;

        /* Perform final round (ShiftRows, SubBytes, AddRoundKey) */
        out = dst;
        aes_final ( &aes_mixcolumns, AES_STRIDE_SHIFTROWS, in, out,
                    &aes->encrypt.key[ rounds - 1 ] );
}

References aes_addroundkey(), aes_encrypt_rounds(), aes_final(), aes_mixcolumns, AES_STRIDE_SHIFTROWS, assert(), buffer, ctx, aes_context::encrypt, in, aes_round_keys::key, len, memcpy(), out, aes_context::rounds, and src.

aes_decrypt()

static void aes_decrypt ( void *  ctx, const void *  src, void *  dst, size_t  len  )

static

Decrypt data.

Parameters

ctx	Context
src	Data to decrypt
dst	Buffer for decrypted data
len	Length of data

Definition at line 434 of file aes.c.

                                                                              {
        struct aes_context *aes = ctx;
        union aes_matrix buffer[2];
        union aes_matrix *in = &buffer[0];
        union aes_matrix *out = &buffer[1];
        unsigned int rounds = aes->rounds;

        /* Sanity check */
        assert ( len == sizeof ( *in ) );

        /* Initialise input state */
        memcpy ( in, src, sizeof ( *in ) );

        /* Perform initial round (AddRoundKey) */
        aes_addroundkey ( in, &aes->decrypt.key[0] );

        /* Perform intermediate rounds (InvShiftRows, InvSubBytes,
         * InvMixColumns, AddRoundKey).
         */
        aes_decrypt_rounds ( in, out, &aes->decrypt.key[1], ( rounds - 2 ) );
        in = out;

        /* Perform final round (InvShiftRows, InvSubBytes, AddRoundKey) */
        out = dst;
        aes_final ( &aes_invmixcolumns, AES_STRIDE_INVSHIFTROWS, in, out,
                    &aes->decrypt.key[ rounds - 1 ] );
}

References aes_addroundkey(), aes_decrypt_rounds(), aes_final(), aes_invmixcolumns, AES_STRIDE_INVSHIFTROWS, assert(), buffer, ctx, aes_context::decrypt, in, aes_round_keys::key, len, memcpy(), out, aes_context::rounds, and src.

aes_double()

static unsigned int aes_double ( unsigned int  poly )

static

Multiply a polynomial by (x) modulo (x^8 + x^4 + x^3 + x^2 + 1) in GF(2^8)

Parameters

poly	Polynomial to be multiplied

Return values

result

Result

Definition at line 468 of file aes.c.

                                                                               {

        /* Multiply polynomial by (x), placing the resulting x^8
         * coefficient in the LSB (i.e. rotate byte left by one).
         */
        poly = rol8 ( poly, 1 );

        /* If coefficient of x^8 (in LSB) is non-zero, then reduce by
         * subtracting (x^8 + x^4 + x^3 + x^2 + 1) in GF(2^8).
         */
        if ( poly & 0x01 ) {
                poly ^= 0x01; /* Subtract x^8 (currently in LSB) */
                poly ^= 0x1b; /* Subtract (x^4 + x^3 + x^2 + 1) */
        }

        return poly;
}

Referenced by aes_generate(), aes_invmixcolumns_entry(), aes_mixcolumns_entry(), and aes_setkey().

aes_mixcolumns_entry()

static void aes_mixcolumns_entry ( union aes_table_entry *  entry )

static

Fill in MixColumns lookup table entry.

Parameters

entry

AES lookup table entry for scalar multiplicand

The MixColumns lookup table vector multiplier is {1,1,1,3,2,1,1,3}.

Definition at line 493 of file aes.c.

                                                                  {
        unsigned int scalar_x_1;
        unsigned int scalar_x;
        unsigned int scalar;

        /* Retrieve scalar multiplicand */
        scalar = entry->byte[0];
        entry->byte[1] = scalar;
        entry->byte[2] = scalar;
        entry->byte[5] = scalar;
        entry->byte[6] = scalar;

        /* Calculate scalar multiplied by (x) */
        scalar_x = aes_double ( scalar );
        entry->byte[4] = scalar_x;

        /* Calculate scalar multiplied by (x + 1) */
        scalar_x_1 = ( scalar_x ^ scalar );
        entry->byte[3] = scalar_x_1;
        entry->byte[7] = scalar_x_1;
}

References aes_double(), and aes_table_entry::byte.

Referenced by aes_generate().

aes_invmixcolumns_entry()

static void aes_invmixcolumns_entry ( union aes_table_entry *  entry )

static

Fill in InvMixColumns lookup table entry.

Parameters

entry

AES lookup table entry for scalar multiplicand

The InvMixColumns lookup table vector multiplier is {1,9,13,11,14,9,13,11}.

Definition at line 522 of file aes.c.

                                                                     {
        unsigned int scalar_x3_x2_x;
        unsigned int scalar_x3_x2_1;
        unsigned int scalar_x3_x2;
        unsigned int scalar_x3_x_1;
        unsigned int scalar_x3_1;
        unsigned int scalar_x3;
        unsigned int scalar_x2;
        unsigned int scalar_x;
        unsigned int scalar;

        /* Retrieve scalar multiplicand */
        scalar = entry->byte[0];

        /* Calculate scalar multiplied by (x) */
        scalar_x = aes_double ( scalar );

        /* Calculate scalar multiplied by (x^2) */
        scalar_x2 = aes_double ( scalar_x );

        /* Calculate scalar multiplied by (x^3) */
        scalar_x3 = aes_double ( scalar_x2 );

        /* Calculate scalar multiplied by (x^3 + 1) */
        scalar_x3_1 = ( scalar_x3 ^ scalar );
        entry->byte[1] = scalar_x3_1;
        entry->byte[5] = scalar_x3_1;

        /* Calculate scalar multiplied by (x^3 + x + 1) */
        scalar_x3_x_1 = ( scalar_x3_1 ^ scalar_x );
        entry->byte[3] = scalar_x3_x_1;
        entry->byte[7] = scalar_x3_x_1;

        /* Calculate scalar multiplied by (x^3 + x^2) */
        scalar_x3_x2 = ( scalar_x3 ^ scalar_x2 );

        /* Calculate scalar multiplied by (x^3 + x^2 + 1) */
        scalar_x3_x2_1 = ( scalar_x3_x2 ^ scalar );
        entry->byte[2] = scalar_x3_x2_1;
        entry->byte[6] = scalar_x3_x2_1;

        /* Calculate scalar multiplied by (x^3 + x^2 + x) */
        scalar_x3_x2_x = ( scalar_x3_x2 ^ scalar_x );
        entry->byte[4] = scalar_x3_x2_x;
}

References aes_double(), and aes_table_entry::byte.

Referenced by aes_generate().

aes_generate()

static void aes_generate ( void  )

static

Generate AES lookup tables.

Definition at line 572 of file aes.c.

                                  {
        union aes_table_entry *entry;
        union aes_table_entry *inventry;
        unsigned int poly = 0x01;
        unsigned int invpoly = 0x01;
        unsigned int transformed;
        unsigned int i;

        /* Iterate over non-zero values of GF(2^8) using generator (x + 1) */
        do {

                /* Multiply polynomial by (x + 1) */
                poly ^= aes_double ( poly );

                /* Divide inverse polynomial by (x + 1).  This code
                 * fragment is taken directly from the Wikipedia page
                 * on the Rijndael S-box.  An explanation of why it
                 * works would be greatly appreciated.
                 */
                invpoly ^= ( invpoly << 1 );
                invpoly ^= ( invpoly << 2 );
                invpoly ^= ( invpoly << 4 );
                if ( invpoly & 0x80 )
                        invpoly ^= 0x09;
                invpoly &= 0xff;

                /* Apply affine transformation */
                transformed = ( 0x63 ^ invpoly ^ rol8 ( invpoly, 1 ) ^
                                rol8 ( invpoly, 2 ) ^ rol8 ( invpoly, 3 ) ^
                                rol8 ( invpoly, 4 ) );

                /* Populate S-box (within MixColumns lookup table) */
                aes_mixcolumns.entry[poly].byte[0] = transformed;

        } while ( poly != 0x01 );

        /* Populate zeroth S-box entry (which has no inverse) */
        aes_mixcolumns.entry[0].byte[0] = 0x63;

        /* Fill in MixColumns and InvMixColumns lookup tables */
        for ( i = 0 ; i < 256 ; i++ ) {

                /* Fill in MixColumns lookup table entry */
                entry = &aes_mixcolumns.entry[i];
                aes_mixcolumns_entry ( entry );

                /* Populate inverse S-box (within InvMixColumns lookup table) */
                inventry = &aes_invmixcolumns.entry[ entry->byte[0] ];
                inventry->byte[0] = i;

                /* Fill in InvMixColumns lookup table entry */
                aes_invmixcolumns_entry ( inventry );
        }
}

References aes_double(), aes_invmixcolumns, aes_invmixcolumns_entry(), aes_mixcolumns, aes_mixcolumns_entry(), aes_table_entry::byte, and aes_table::entry.

Referenced by aes_setkey().

aes_key_rotate()

static uint32_t aes_key_rotate ( uint32_t  column )

inlinestatic

Rotate key column.

Parameters

column

Key column

Return values

column

Updated key column

Definition at line 634 of file aes.c.

                                   {

        return ( ( __BYTE_ORDER == __LITTLE_ENDIAN ) ?
                 ror32 ( column, 8 ) : rol32 ( column, 8 ) );
}

References __BYTE_ORDER, __LITTLE_ENDIAN, rol32(), and ror32().

Referenced by aes_setkey().

aes_key_sbox()

static uint32_t aes_key_sbox ( uint32_t  column )

static

Apply S-box to key column.

Parameters

column

Key column

Return values

column

Updated key column

Definition at line 646 of file aes.c.

                                                 {
        unsigned int i;
        uint8_t byte;

        for ( i = 0 ; i < 4 ; i++ ) {
                byte = ( column & 0xff );
                byte = aes_mixcolumns.entry[byte].byte[0];
                column = ( ( column & ~0xff ) | byte );
                column = rol32 ( column, 8 );
        }
        return column;
}

References aes_mixcolumns, aes_table_entry::byte, aes_table::entry, and rol32().

Referenced by aes_setkey().

aes_key_rcon()

static uint32_t aes_key_rcon ( uint32_t  column, unsigned int  rcon  )

inlinestatic

Apply schedule round constant to key column.

Parameters

column	Key column
rcon	Round constant

Return values

column

Updated key column

Definition at line 667 of file aes.c.

                                                    {

        return ( ( __BYTE_ORDER == __LITTLE_ENDIAN ) ?
                 ( column ^ rcon ) : ( column ^ ( rcon << 24 ) ) );
}

References __BYTE_ORDER, and __LITTLE_ENDIAN.

Referenced by aes_setkey().

aes_setkey()

static int aes_setkey ( void *  ctx, const void *  key, size_t  keylen  )

static

Set key.

Parameters

ctx	Context
key	Key
keylen	Key length

Return values

rc	Return status code

Definition at line 681 of file aes.c.

                                                                    {
        struct aes_context *aes = ctx;
        union aes_matrix *enc;
        union aes_matrix *dec;
        union aes_matrix temp;
        union aes_matrix zero;
        unsigned int rcon = 0x01;
        unsigned int rounds;
        size_t offset = 0;
        uint32_t *prev;
        uint32_t *next;
        uint32_t *end;
        uint32_t tmp;

        /* Generate lookup tables, if not already done */
        if ( ! aes_mixcolumns.entry[0].byte[0] )
                aes_generate();

        /* Validate key length and calculate number of intermediate rounds */
        switch ( keylen ) {
        case ( 128 / 8 ) :
                rounds = 11;
                break;
        case ( 192 / 8 ) :
                rounds = 13;
                break;
        case ( 256 / 8 ) :
                rounds = 15;
                break;
        default:
                DBGC ( aes, "AES %p unsupported key length (%zd bits)\n",
                       aes, ( keylen * 8 ) );
                return -EINVAL;
        }
        aes->rounds = rounds;
        enc = aes->encrypt.key;
        end = enc[rounds].column;

        /* Copy raw key */
        memcpy ( enc, key, keylen );
        prev = enc->column;
        next = ( ( ( void * ) prev ) + keylen );
        tmp = next[-1];

        /* Construct expanded key */
        while ( next < end ) {

                /* If this is the first column of an expanded key
                 * block, or the middle column of an AES-256 key
                 * block, then apply the S-box.
                 */
                if ( ( offset == 0 ) || ( ( offset | keylen ) == 48 ) )
                        tmp = aes_key_sbox ( tmp );

                /* If this is the first column of an expanded key
                 * block then rotate and apply the round constant.
                 */
                if ( offset == 0 ) {
                        tmp = aes_key_rotate ( tmp );
                        tmp = aes_key_rcon ( tmp, rcon );
                        rcon = aes_double ( rcon );
                }

                /* XOR with previous key column */
                tmp ^= *prev;

                /* Store column */
                *next = tmp;

                /* Move to next column */
                offset += sizeof ( *next );
                if ( offset == keylen )
                        offset = 0;
                next++;
                prev++;
        }
        DBGC2 ( aes, "AES %p expanded %zd-bit key:\n", aes, ( keylen * 8 ) );
        DBGC2_HDA ( aes, 0, &aes->encrypt, ( rounds * sizeof ( *enc ) ) );

        /* Convert to decryption key */
        memset ( &zero, 0, sizeof ( zero ) );
        dec = &aes->decrypt.key[ rounds - 1 ];
        memcpy ( dec--, enc++, sizeof ( *dec ) );
        while ( dec > aes->decrypt.key ) {
                /* Perform InvMixColumns (by reusing the encryption
                 * final-round code to perform ShiftRows+SubBytes and
                 * reusing the decryption intermediate-round code to
                 * perform InvShiftRows+InvSubBytes+InvMixColumns, all
                 * with a zero encryption key).
                 */
                aes_final ( &aes_mixcolumns, AES_STRIDE_SHIFTROWS,
                            enc++, &temp, &zero );
                aes_decrypt_rounds ( &temp, dec--, &zero, 1 );
        }
        memcpy ( dec--, enc++, sizeof ( *dec ) );
        DBGC2 ( aes, "AES %p inverted %zd-bit key:\n", aes, ( keylen * 8 ) );
        DBGC2_HDA ( aes, 0, &aes->decrypt, ( rounds * sizeof ( *dec ) ) );

        return 0;
}

References aes_decrypt_rounds(), aes_double(), aes_final(), aes_generate(), aes_key_rcon(), aes_key_rotate(), aes_key_sbox(), aes_mixcolumns, AES_STRIDE_SHIFTROWS, aes_table_entry::byte, aes_matrix::column, ctx, DBGC, DBGC2, DBGC2_HDA, aes_context::decrypt, EINVAL, aes_context::encrypt, end, aes_table::entry, aes_round_keys::key, key, memcpy(), memset(), next, offset, aes_context::rounds, and tmp.

ECB_CIPHER()

ECB_CIPHER	(	aes_ecb	,
		aes_ecb_algorithm	,
		aes_algorithm	,
		struct aes_context	,
		AES_BLOCKSIZE
	)

CBC_CIPHER()

CBC_CIPHER	(	aes_cbc	,
		aes_cbc_algorithm	,
		aes_algorithm	,
		struct aes_context	,
		AES_BLOCKSIZE
	)

GCM_CIPHER()

GCM_CIPHER	(	aes_gcm	,
		aes_gcm_algorithm	,
		aes_algorithm	,
		struct aes_context	,
		AES_BLOCKSIZE
	)

Variable Documentation

aes_mixcolumns

struct aes_table aes_mixcolumns

static

AES MixColumns lookup table.

Definition at line 146 of file aes.c.

Referenced by aes_encrypt(), aes_encrypt_rounds(), aes_generate(), aes_key_sbox(), and aes_setkey().

aes_invmixcolumns

struct aes_table aes_invmixcolumns

static

AES InvMixColumns lookup table.

Definition at line 149 of file aes.c.

Referenced by aes_decrypt(), aes_decrypt_rounds(), and aes_generate().

aes_algorithm

struct cipher_algorithm aes_algorithm

Initial value:

= {
        .name = "aes",
        .ctxsize = sizeof ( struct aes_context ),
        .blocksize = AES_BLOCKSIZE,
        .alignsize = 0,
        .authsize = 0,
        .setkey = aes_setkey,
        .setiv = cipher_null_setiv,
        .encrypt = aes_encrypt,
        .decrypt = aes_decrypt,
        .auth = cipher_null_auth,
}

Basic AES algorithm.

Definition at line 783 of file aes.c.

Referenced by aes_unwrap(), aes_wrap(), ccmp_cbc_mac(), ccmp_ctr_xor(), ccmp_feed_cbc_mac(), and ccmp_init().