/**
* Copyright (c) 2007, Cameron Rich
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* * Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* * Neither the name of the axTLS project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/#include <stdlib.h>
#include "sw_aes.h"/**
* AES implementation - this is a small code version. There are much faster
* versions around but they are much larger in size (i.e. they use large
* submix tables).
*/#include <string.h>
#include <stdint.h>
#include "sw_aes.h"#ifndef htonl
#define htonl(a) \
((((a) >> ) & 0x000000ff) | \
(((a) >> ) & 0x0000ff00) | \
(((a) << ) & 0x00ff0000) | \
(((a) << ) & 0xff000000))
#endif#ifndef ntohl
#define ntohl(a) htonl((a))
#endif#ifndef htons
#define htons(a) \
((((a) >> ) & 0x00ff) | \
(((a) << ) & 0xff00))
#endif#ifndef ntohs
#define ntohs(a) htons((a))
#endif#define rot1(x) (((x) << 24) | ((x) >> 8))
#define rot2(x) (((x) << 16) | ((x) >> 16))
#define rot3(x) (((x) << 8) | ((x) >> 24))/*
* This cute trick does 4 'mul by two' at once. Stolen from
* Dr B. R. Gladman <brg@gladman.uk.net> but I'm sure the u-(u>>7) is
* a standard graphics trick
* The key to this is that we need to xor with 0x1b if the top bit is set.
* a 1xxx xxxx 0xxx 0xxx First we mask the 7bit,
* b 1000 0000 0000 0000 then we shift right by 7 putting the 7bit in 0bit,
* c 0000 0001 0000 0000 we then subtract (c) from (b)
* d 0111 1111 0000 0000 and now we and with our mask
* e 0001 1011 0000 0000
*/
#define mt 0x80808080
#define ml 0x7f7f7f7f
#define mh 0xfefefefe
#define mm 0x1b1b1b1b
#define mul2(x,t) ((t)=((x)&mt), \
((((x)+(x))&mh)^(((t)-((t)>>))&mm)))#define inv_mix_col(x,f2,f4,f8,f9) (\
(f2)=mul2(x,f2), \
(f4)=mul2(f2,f4), \
(f8)=mul2(f4,f8), \
(f9)=(x)^(f8), \
(f8)=((f2)^(f4)^(f8)), \
(f2)^=(f9), \
(f4)^=(f9), \
(f8)^=rot3(f2), \
(f8)^=rot2(f4), \
(f8)^rot1(f9))/*
* AES S-box
*/
static const uint8_t aes_sbox[] =
{
0x63,0x7C,0x77,0x7B,0xF2,0x6B,0x6F,0xC5,
0x30,0x01,0x67,0x2B,0xFE,0xD7,0xAB,0x76,
0xCA,0x82,0xC9,0x7D,0xFA,0x59,0x47,0xF0,
0xAD,0xD4,0xA2,0xAF,0x9C,0xA4,0x72,0xC0,
0xB7,0xFD,0x93,0x26,0x36,0x3F,0xF7,0xCC,
0x34,0xA5,0xE5,0xF1,0x71,0xD8,0x31,0x15,
0x04,0xC7,0x23,0xC3,0x18,0x96,0x05,0x9A,
0x07,0x12,0x80,0xE2,0xEB,0x27,0xB2,0x75,
0x09,0x83,0x2C,0x1A,0x1B,0x6E,0x5A,0xA0,
0x52,0x3B,0xD6,0xB3,0x29,0xE3,0x2F,0x84,
0x53,0xD1,0x00,0xED,0x20,0xFC,0xB1,0x5B,
0x6A,0xCB,0xBE,0x39,0x4A,0x4C,0x58,0xCF,
0xD0,0xEF,0xAA,0xFB,0x43,0x4D,0x33,0x85,
0x45,0xF9,0x02,0x7F,0x50,0x3C,0x9F,0xA8,
0x51,0xA3,0x40,0x8F,0x92,0x9D,0x38,0xF5,
0xBC,0xB6,0xDA,0x21,0x10,0xFF,0xF3,0xD2,
0xCD,0x0C,0x13,0xEC,0x5F,0x97,0x44,0x17,
0xC4,0xA7,0x7E,0x3D,0x64,0x5D,0x19,0x73,
0x60,0x81,0x4F,0xDC,0x22,0x2A,0x90,0x88,
0x46,0xEE,0xB8,0x14,0xDE,0x5E,0x0B,0xDB,
0xE0,0x32,0x3A,0x0A,0x49,0x06,0x24,0x5C,
0xC2,0xD3,0xAC,0x62,0x91,0x95,0xE4,0x79,
0xE7,0xC8,0x37,0x6D,0x8D,0xD5,0x4E,0xA9,
0x6C,0x56,0xF4,0xEA,0x65,0x7A,0xAE,0x08,
0xBA,0x78,0x25,0x2E,0x1C,0xA6,0xB4,0xC6,
0xE8,0xDD,0x74,0x1F,0x4B,0xBD,0x8B,0x8A,
0x70,0x3E,0xB5,0x66,0x48,0x03,0xF6,0x0E,
0x61,0x35,0x57,0xB9,0x86,0xC1,0x1D,0x9E,
0xE1,0xF8,0x98,0x11,0x69,0xD9,0x8E,0x94,
0x9B,0x1E,0x87,0xE9,0xCE,0x55,0x28,0xDF,
0x8C,0xA1,0x89,0x0D,0xBF,0xE6,0x42,0x68,
0x41,0x99,0x2D,0x0F,0xB0,0x54,0xBB,0x16,
};/*
* AES is-box
*/
static const uint8_t aes_isbox[] =
{
0x52,0x09,0x6a,0xd5,0x30,0x36,0xa5,0x38,
0xbf,0x40,0xa3,0x9e,0x81,0xf3,0xd7,0xfb,
0x7c,0xe3,0x39,0x82,0x9b,0x2f,0xff,0x87,
0x34,0x8e,0x43,0x44,0xc4,0xde,0xe9,0xcb,
0x54,0x7b,0x94,0x32,0xa6,0xc2,0x23,0x3d,
0xee,0x4c,0x95,0x0b,0x42,0xfa,0xc3,0x4e,
0x08,0x2e,0xa1,0x66,0x28,0xd9,0x24,0xb2,
0x76,0x5b,0xa2,0x49,0x6d,0x8b,0xd1,0x25,
0x72,0xf8,0xf6,0x64,0x86,0x68,0x98,0x16,
0xd4,0xa4,0x5c,0xcc,0x5d,0x65,0xb6,0x92,
0x6c,0x70,0x48,0x50,0xfd,0xed,0xb9,0xda,
0x5e,0x15,0x46,0x57,0xa7,0x8d,0x9d,0x84,
0x90,0xd8,0xab,0x00,0x8c,0xbc,0xd3,0x0a,
0xf7,0xe4,0x58,0x05,0xb8,0xb3,0x45,0x06,
0xd0,0x2c,0x1e,0x8f,0xca,0x3f,0x0f,0x02,
0xc1,0xaf,0xbd,0x03,0x01,0x13,0x8a,0x6b,
0x3a,0x91,0x11,0x41,0x4f,0x67,0xdc,0xea,
0x97,0xf2,0xcf,0xce,0xf0,0xb4,0xe6,0x73,
0x96,0xac,0x74,0x22,0xe7,0xad,0x35,0x85,
0xe2,0xf9,0x37,0xe8,0x1c,0x75,0xdf,0x6e,
0x47,0xf1,0x1a,0x71,0x1d,0x29,0xc5,0x89,
0x6f,0xb7,0x62,0x0e,0xaa,0x18,0xbe,0x1b,
0xfc,0x56,0x3e,0x4b,0xc6,0xd2,0x79,0x20,
0x9a,0xdb,0xc0,0xfe,0x78,0xcd,0x5a,0xf4,
0x1f,0xdd,0xa8,0x33,0x88,0x07,0xc7,0x31,
0xb1,0x12,0x10,0x59,0x27,0x80,0xec,0x5f,
0x60,0x51,0x7f,0xa9,0x19,0xb5,0x4a,0x0d,
0x2d,0xe5,0x7a,0x9f,0x93,0xc9,0x9c,0xef,
0xa0,0xe0,0x3b,0x4d,0xae,0x2a,0xf5,0xb0,
0xc8,0xeb,0xbb,0x3c,0x83,0x53,0x99,0x61,
0x17,0x2b,0x04,0x7e,0xba,0x77,0xd6,0x26,
0xe1,0x69,0x14,0x63,0x55,0x21,0x0c,0x7d
};static const unsigned char Rcon[]=
{
0x01,0x02,0x04,0x08,0x10,0x20,0x40,0x80,
0x1b,0x36,0x6c,0xd8,0xab,0x4d,0x9a,0x2f,
0x5e,0xbc,0x63,0xc6,0x97,0x35,0x6a,0xd4,
0xb3,0x7d,0xfa,0xef,0xc5,0x91,
};/* ----- no more static functions ----- */
void AES_encrypt(const AES_CTX *ctx, uint32_t *data);
void AES_decrypt(const AES_CTX *ctx, uint32_t *data);/* Perform doubling in Galois Field GF(2^8) using the irreducible polynomial
x^8+x^4+x^3+x+1 */
static unsigned char AES_xtime(uint32_t x)
{
return (x&0x80) ? (x<<)^0x1b : x<<;
}/**
* Set up AES with the key/iv and cipher size.
*/
void AES_set_key(AES_CTX *ctx, const uint8_t *key,
const uint8_t *iv, AES_MODE mode)
{
int i, ii;
uint32_t *W, tmp, tmp2;
const unsigned char *ip;
int words; switch (mode)
{
case AES_MODE_128:
i = ;
words = ;
break; case AES_MODE_256:
i = ;
words = ;
break; default: /* fail silently */
return;
} ctx->rounds = i;
ctx->key_size = words;
W = ctx->ks;
for (i = ; i < words; i+=)
{
W[i+]= ((uint32_t)key[ ]<<)|
((uint32_t)key[ ]<<)|
((uint32_t)key[ ]<< )|
((uint32_t)key[ ] );
W[i+]= ((uint32_t)key[ ]<<)|
((uint32_t)key[ ]<<)|
((uint32_t)key[ ]<< )|
((uint32_t)key[ ] );
key += ;
} ip = Rcon;
ii = * (ctx->rounds+);
for (i = words; i<ii; i++)
{
tmp = W[i-]; if ((i % words) == )
{
tmp2 =(uint32_t)aes_sbox[(tmp )&0xff]<< ;
tmp2|=(uint32_t)aes_sbox[(tmp>> )&0xff]<<;
tmp2|=(uint32_t)aes_sbox[(tmp>>)&0xff]<<;
tmp2|=(uint32_t)aes_sbox[(tmp>>) ];
tmp=tmp2^(((unsigned int)*ip)<<);
ip++;
} if ((words == ) && ((i % words) == ))
{
tmp2 =(uint32_t)aes_sbox[(tmp )&0xff] ;
tmp2|=(uint32_t)aes_sbox[(tmp>> )&0xff]<< ;
tmp2|=(uint32_t)aes_sbox[(tmp>>)&0xff]<<;
tmp2|=(uint32_t)aes_sbox[(tmp>>) ]<<;
tmp=tmp2;
} W[i]=W[i-words]^tmp;
} /* copy the iv across */
memcpy(ctx->iv, iv, );
}/**
* Change a key for decryption.
*/
void AES_convert_key(AES_CTX *ctx)
{
int i;
uint32_t *k,w,t1,t2,t3,t4; k = ctx->ks;
k += ; for (i= ctx->rounds*; i > ; i--)
{
w= *k;
w = inv_mix_col(w,t1,t2,t3,t4);
*k++ =w;
}
}/**
* Encrypt a byte sequence (with a block size 16) using the AES cipher.
*/
void AES_cbc_encrypt(AES_CTX *ctx, const uint8_t *msg, uint8_t *out, int length)
{
int i;
uint32_t tin[], tout[], iv[]; memcpy(iv, ctx->iv, AES_IV_SIZE);
for (i = ; i < ; i++)
tout[i] = ntohl(iv[i]); for (length -= AES_BLOCKSIZE; length >= ; length -= AES_BLOCKSIZE)
{
uint32_t msg_32[];
uint32_t out_32[];
memcpy(msg_32, msg, AES_BLOCKSIZE);
msg += AES_BLOCKSIZE; for (i = ; i < ; i++)
tin[i] = ntohl(msg_32[i])^tout[i]; AES_encrypt(ctx, tin); for (i = ; i < ; i++)
{
tout[i] = tin[i];
out_32[i] = htonl(tout[i]);
} memcpy(out, out_32, AES_BLOCKSIZE);
out += AES_BLOCKSIZE;
} for (i = ; i < ; i++)
iv[i] = htonl(tout[i]);
memcpy(ctx->iv, iv, AES_IV_SIZE);
}/**
* Decrypt a byte sequence (with a block size 16) using the AES cipher.
*/
void AES_cbc_decrypt(AES_CTX *ctx, const uint8_t *msg, uint8_t *out, int length)
{
int i;
uint32_t tin[], xor[], tout[], data[], iv[]; memcpy(iv, ctx->iv, AES_IV_SIZE);
for (i = ; i < ; i++)
xor[i] = ntohl(iv[i]); for (length -= ; length >= ; length -= )
{
uint32_t msg_32[];
uint32_t out_32[];
memcpy(msg_32, msg, AES_BLOCKSIZE);
msg += AES_BLOCKSIZE; for (i = ; i < ; i++)
{
tin[i] = ntohl(msg_32[i]);
data[i] = tin[i];
} AES_decrypt(ctx, data); for (i = ; i < ; i++)
{
tout[i] = data[i]^xor[i];
xor[i] = tin[i];
out_32[i] = htonl(tout[i]);
} memcpy(out, out_32, AES_BLOCKSIZE);
out += AES_BLOCKSIZE;
} for (i = ; i < ; i++)
iv[i] = htonl(xor[i]);
memcpy(ctx->iv, iv, AES_IV_SIZE);
}/**
* Encrypt a single block (16 bytes) of data
*/
void AES_encrypt(const AES_CTX *ctx, uint32_t *data)
{
/* To make this code smaller, generate the sbox entries on the fly.
* This will have a really heavy effect upon performance.
*/
uint32_t tmp[];
uint32_t tmp1, old_a0, a0, a1, a2, a3, row;
int curr_rnd;
int rounds = ctx->rounds;
const uint32_t *k = ctx->ks; /* Pre-round key addition */
for (row = ; row < ; row++)
data[row] ^= *(k++); /* Encrypt one block. */
for (curr_rnd = ; curr_rnd < rounds; curr_rnd++)
{
/* Perform ByteSub and ShiftRow operations together */
for (row = ; row < ; row++)
{
a0 = (uint32_t)aes_sbox[(data[row%]>>)&0xFF];
a1 = (uint32_t)aes_sbox[(data[(row+)%]>>)&0xFF];
a2 = (uint32_t)aes_sbox[(data[(row+)%]>>)&0xFF];
a3 = (uint32_t)aes_sbox[(data[(row+)%])&0xFF]; /* Perform MixColumn iff not last round */
if (curr_rnd < (rounds - ))
{
tmp1 = a0 ^ a1 ^ a2 ^ a3;
old_a0 = a0;
a0 ^= tmp1 ^ AES_xtime(a0 ^ a1);
a1 ^= tmp1 ^ AES_xtime(a1 ^ a2);
a2 ^= tmp1 ^ AES_xtime(a2 ^ a3);
a3 ^= tmp1 ^ AES_xtime(a3 ^ old_a0);
} tmp[row] = ((a0 << ) | (a1 << ) | (a2 << ) | a3);
} /* KeyAddition - note that it is vital that this loop is separate from
the MixColumn operation, which must be atomic...*/
for (row = ; row < ; row++)
data[row] = tmp[row] ^ *(k++);
}
}/**
* Decrypt a single block (16 bytes) of data
*/
void AES_decrypt(const AES_CTX *ctx, uint32_t *data)
{
uint32_t tmp[];
uint32_t xt0,xt1,xt2,xt3,xt4,xt5,xt6;
uint32_t a0, a1, a2, a3, row;
int curr_rnd;
int rounds = ctx->rounds;
const uint32_t *k = ctx->ks + ((rounds+)*); /* pre-round key addition */
for (row=; row > ; row--)
data[row-] ^= *(--k); /* Decrypt one block */
for (curr_rnd = ; curr_rnd < rounds; curr_rnd++)
{
/* Perform ByteSub and ShiftRow operations together */
for (row = ; row > ; row--)
{
a0 = aes_isbox[(data[(row+)%]>>)&0xFF];
a1 = aes_isbox[(data[(row+)%]>>)&0xFF];
a2 = aes_isbox[(data[(row+)%]>>)&0xFF];
a3 = aes_isbox[(data[row%])&0xFF]; /* Perform MixColumn iff not last round */
if (curr_rnd<(rounds-))
{
/* The MDS cofefficients (0x09, 0x0B, 0x0D, 0x0E)
are quite large compared to encryption; this
operation slows decryption down noticeably. */
xt0 = AES_xtime(a0^a1);
xt1 = AES_xtime(a1^a2);
xt2 = AES_xtime(a2^a3);
xt3 = AES_xtime(a3^a0);
xt4 = AES_xtime(xt0^xt1);
xt5 = AES_xtime(xt1^xt2);
xt6 = AES_xtime(xt4^xt5); xt0 ^= a1^a2^a3^xt4^xt6;
xt1 ^= a0^a2^a3^xt5^xt6;
xt2 ^= a0^a1^a3^xt4^xt6;
xt3 ^= a0^a1^a2^xt5^xt6;
tmp[row-] = ((xt0<<)|(xt1<<)|(xt2<<)|xt3);
}
else
tmp[row-] = ((a0<<)|(a1<<)|(a2<<)|a3);
} for (row = ; row > ; row--)
data[row-] = tmp[row-] ^ *(--k);
}
}
sw_aes.C
/* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */#ifndef HEADER_AES_H
#define HEADER_AES_H#include <stdint.h>/**************************************************************************
* AES declarations
**************************************************************************/#define AES_MAXROUNDS 14
#define AES_BLOCKSIZE 16
#define AES_IV_SIZE 16#ifndef htonl
#define htonl(a) \
((((a) >> ) & 0x000000ff) | \
(((a) >> ) & 0x0000ff00) | \
(((a) << ) & 0x00ff0000) | \
(((a) << ) & 0xff000000))
#endif#ifndef ntohl
#define ntohl(a) htonl((a))
#endiftypedef struct aes_key_st
{
uint16_t rounds;
uint16_t key_size;
uint32_t ks[(AES_MAXROUNDS+)*];
uint8_t iv[AES_IV_SIZE];
} AES_CTX;typedef enum
{
AES_MODE_128,
AES_MODE_256
} AES_MODE;/**
* Set up AES with the key/iv and cipher size.
*/
void AES_set_key(AES_CTX *ctx, const uint8_t *key,
const uint8_t *iv, AES_MODE mode);/**
* Encrypt a byte sequence (with a block size 16) using the AES cipher.
*/
void AES_cbc_encrypt(AES_CTX *ctx, const uint8_t *msg,
uint8_t *out, int length);/**
* Decrypt a byte sequence (with a block size 16) using the AES cipher.
*/
void AES_cbc_decrypt(AES_CTX *ks, const uint8_t *in, uint8_t *out, int length);/**
* Change a key for decryption.
*/
void AES_convert_key(AES_CTX *ctx);/**
* Decrypt a single block (16 bytes) of data
*/
void AES_decrypt(const AES_CTX *ctx, uint32_t *data);/**
* Encrypt a single block (16 bytes) of data
*/
void AES_encrypt(const AES_CTX *ctx, uint32_t *data);#endif /* !HEADER_AES_H */
sw_aes.h
#define AES_MAXROUNDS 14
#define AES_BLOCKSIZE 16
#define AES_IV_SIZE 16
#define KEYSIZE 16
#define MSG_SIZE KEYSIZE * 4static const uint8_t key[KEYSIZE] =
{
0xff, 0xde, 0x00, 0xad,
0xff, 0xb0, 0x00, 0x0b,
0xff, 0xde, 0x00, 0xad,
0xff, 0xb0, 0x00, 0x0b
};static const uint8_t iv[KEYSIZE] =
{
0xff, 0xc0, 0x00, 0xfe,
0xff, 0xc0, 0x00, 0x7d,
0xff, 0xc0, 0x00, 0xfe,
0xff, 0xc0, 0x00, 0x7d
};static const uint8_t original_msg[MSG_SIZE] =
{
0xf4, 0xfc, 0xa2, 0xf4,
0x93, 0xfa, 0x64, 0xeb,
0x87, 0xca, 0xeb, 0x62,
0x90, 0x89, 0x34, 0xdb,
0x34, 0xe3, 0xf8, 0xc6,
0xd7, 0xf6, 0x89, 0xe7,
0xc0, 0x37, 0x43, 0xcd,
0x32, 0x69, 0xcd, 0xbd,
0x05, 0xec, 0x97, 0xbf,
0x05, 0x92, 0xc9, 0xf7,
0x8d, 0x4b, 0xb0, 0x88,
0x1a, 0xc2, 0x15, 0x2e,
0xba, 0x46, 0x58, 0xf9,
0x4d, 0x1f, 0xe9, 0xef,
0xa8, 0x6b, 0x5a, 0x6f,
0x8b, 0xe6, 0x7d, 0x51
};static uint8_t out[MSG_SIZE] ;
static uint8_t msg[MSG_SIZE] ;static AES_CTX context ;void test_setup()
{
}void test_clear()
{
uint8_t i =; memcpy(msg, original_msg, MSG_SIZE);
memset(out, , MSG_SIZE);
memset(&context, , sizeof(context)); printf("\r\n original_msg[%d]\r\n",MSG_SIZE);
for(i = ; i<MSG_SIZE ; i++)
{
printf("%02x", original_msg[i]);
}
printf("\r\n");
}void test_run()
{
uint8_t i =; AES_set_key(&context, key, iv, AES_MODE_128);
AES_cbc_encrypt(&context, msg, out, MSG_SIZE); printf("\r\n out[%d]\r\n",MSG_SIZE);
for(i = ; i<MSG_SIZE ; i++)
{
printf("%02x", out[i]);
}
printf("\r\n"); memset(msg, , MSG_SIZE);
memset(&context, , sizeof(context));
AES_set_key(&context, key, iv, AES_MODE_128); AES_convert_key(&context);
AES_cbc_decrypt(&context, out, msg, MSG_SIZE); printf("\r\n msg[%d]\r\n",MSG_SIZE);
for(i = ; i<MSG_SIZE ; i++)
{
printf("%02x", msg[i]);
}
printf("\r\n");
}int test_check()
{
return == memcmp(msg, original_msg, MSG_SIZE);
}int main(void)
{ test_clear();
test_run();
test_check(); for(;;)
{ }
}
更多可以参考:
https://coolshell.cn/wp-content/uploads/2010/10/rijndael_ingles2004.swf
