]>
git.zerfleddert.de Git - hmcfgusb/blob - aes.c
1 /*********************************************************************
3 * Author: Brad Conte (brad AT bradconte.com)
5 * Disclaimer: This code is presented "as is" without any guarantees.
6 * Details: This code is the implementation of the AES algorithm and
7 the CTR, CBC, and CCM modes of operation it can be used in.
8 AES is, specified by the NIST in in publication FIPS PUB 197,
10 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf .
11 The CBC and CTR modes of operation are specified by
12 NIST SP 800-38 A, available at:
13 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf .
14 The CCM mode of operation is specified by NIST SP80-38 C, available at:
15 * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
16 *********************************************************************/
18 /*************************** HEADER FILES ***************************/
25 /****************************** MACROS ******************************/
26 // The least significant byte of the word is rotated to the end.
27 #define KE_ROTWORD(x) (((x) << 8) | ((x) >> 24))
32 /**************************** DATA TYPES ****************************/
33 #define AES_128_ROUNDS 10
34 #define AES_192_ROUNDS 12
35 #define AES_256_ROUNDS 14
37 /*********************** FUNCTION DECLARATIONS **********************/
38 void ccm_prepare_first_ctr_blk(BYTE counter
[], const BYTE nonce
[], int nonce_len
, int payload_len_store_size
);
39 void ccm_prepare_first_format_blk(BYTE buf
[], int assoc_len
, int payload_len
, int payload_len_store_size
, int mac_len
, const BYTE nonce
[], int nonce_len
);
40 void ccm_format_assoc_data(BYTE buf
[], int *end_of_buf
, const BYTE assoc
[], int assoc_len
);
41 void ccm_format_payload_data(BYTE buf
[], int *end_of_buf
, const BYTE payload
[], int payload_len
);
43 /**************************** VARIABLES *****************************/
44 // This is the specified AES SBox. To look up a substitution value, put the first
45 // nibble in the first index (row) and the second nibble in the second index (column).
46 static const BYTE aes_sbox
[16][16] = {
47 {0x63,0x7C,0x77,0x7B,0xF2,0x6B,0x6F,0xC5,0x30,0x01,0x67,0x2B,0xFE,0xD7,0xAB,0x76},
48 {0xCA,0x82,0xC9,0x7D,0xFA,0x59,0x47,0xF0,0xAD,0xD4,0xA2,0xAF,0x9C,0xA4,0x72,0xC0},
49 {0xB7,0xFD,0x93,0x26,0x36,0x3F,0xF7,0xCC,0x34,0xA5,0xE5,0xF1,0x71,0xD8,0x31,0x15},
50 {0x04,0xC7,0x23,0xC3,0x18,0x96,0x05,0x9A,0x07,0x12,0x80,0xE2,0xEB,0x27,0xB2,0x75},
51 {0x09,0x83,0x2C,0x1A,0x1B,0x6E,0x5A,0xA0,0x52,0x3B,0xD6,0xB3,0x29,0xE3,0x2F,0x84},
52 {0x53,0xD1,0x00,0xED,0x20,0xFC,0xB1,0x5B,0x6A,0xCB,0xBE,0x39,0x4A,0x4C,0x58,0xCF},
53 {0xD0,0xEF,0xAA,0xFB,0x43,0x4D,0x33,0x85,0x45,0xF9,0x02,0x7F,0x50,0x3C,0x9F,0xA8},
54 {0x51,0xA3,0x40,0x8F,0x92,0x9D,0x38,0xF5,0xBC,0xB6,0xDA,0x21,0x10,0xFF,0xF3,0xD2},
55 {0xCD,0x0C,0x13,0xEC,0x5F,0x97,0x44,0x17,0xC4,0xA7,0x7E,0x3D,0x64,0x5D,0x19,0x73},
56 {0x60,0x81,0x4F,0xDC,0x22,0x2A,0x90,0x88,0x46,0xEE,0xB8,0x14,0xDE,0x5E,0x0B,0xDB},
57 {0xE0,0x32,0x3A,0x0A,0x49,0x06,0x24,0x5C,0xC2,0xD3,0xAC,0x62,0x91,0x95,0xE4,0x79},
58 {0xE7,0xC8,0x37,0x6D,0x8D,0xD5,0x4E,0xA9,0x6C,0x56,0xF4,0xEA,0x65,0x7A,0xAE,0x08},
59 {0xBA,0x78,0x25,0x2E,0x1C,0xA6,0xB4,0xC6,0xE8,0xDD,0x74,0x1F,0x4B,0xBD,0x8B,0x8A},
60 {0x70,0x3E,0xB5,0x66,0x48,0x03,0xF6,0x0E,0x61,0x35,0x57,0xB9,0x86,0xC1,0x1D,0x9E},
61 {0xE1,0xF8,0x98,0x11,0x69,0xD9,0x8E,0x94,0x9B,0x1E,0x87,0xE9,0xCE,0x55,0x28,0xDF},
62 {0x8C,0xA1,0x89,0x0D,0xBF,0xE6,0x42,0x68,0x41,0x99,0x2D,0x0F,0xB0,0x54,0xBB,0x16}
65 static const BYTE aes_invsbox
[16][16] = {
66 {0x52,0x09,0x6A,0xD5,0x30,0x36,0xA5,0x38,0xBF,0x40,0xA3,0x9E,0x81,0xF3,0xD7,0xFB},
67 {0x7C,0xE3,0x39,0x82,0x9B,0x2F,0xFF,0x87,0x34,0x8E,0x43,0x44,0xC4,0xDE,0xE9,0xCB},
68 {0x54,0x7B,0x94,0x32,0xA6,0xC2,0x23,0x3D,0xEE,0x4C,0x95,0x0B,0x42,0xFA,0xC3,0x4E},
69 {0x08,0x2E,0xA1,0x66,0x28,0xD9,0x24,0xB2,0x76,0x5B,0xA2,0x49,0x6D,0x8B,0xD1,0x25},
70 {0x72,0xF8,0xF6,0x64,0x86,0x68,0x98,0x16,0xD4,0xA4,0x5C,0xCC,0x5D,0x65,0xB6,0x92},
71 {0x6C,0x70,0x48,0x50,0xFD,0xED,0xB9,0xDA,0x5E,0x15,0x46,0x57,0xA7,0x8D,0x9D,0x84},
72 {0x90,0xD8,0xAB,0x00,0x8C,0xBC,0xD3,0x0A,0xF7,0xE4,0x58,0x05,0xB8,0xB3,0x45,0x06},
73 {0xD0,0x2C,0x1E,0x8F,0xCA,0x3F,0x0F,0x02,0xC1,0xAF,0xBD,0x03,0x01,0x13,0x8A,0x6B},
74 {0x3A,0x91,0x11,0x41,0x4F,0x67,0xDC,0xEA,0x97,0xF2,0xCF,0xCE,0xF0,0xB4,0xE6,0x73},
75 {0x96,0xAC,0x74,0x22,0xE7,0xAD,0x35,0x85,0xE2,0xF9,0x37,0xE8,0x1C,0x75,0xDF,0x6E},
76 {0x47,0xF1,0x1A,0x71,0x1D,0x29,0xC5,0x89,0x6F,0xB7,0x62,0x0E,0xAA,0x18,0xBE,0x1B},
77 {0xFC,0x56,0x3E,0x4B,0xC6,0xD2,0x79,0x20,0x9A,0xDB,0xC0,0xFE,0x78,0xCD,0x5A,0xF4},
78 {0x1F,0xDD,0xA8,0x33,0x88,0x07,0xC7,0x31,0xB1,0x12,0x10,0x59,0x27,0x80,0xEC,0x5F},
79 {0x60,0x51,0x7F,0xA9,0x19,0xB5,0x4A,0x0D,0x2D,0xE5,0x7A,0x9F,0x93,0xC9,0x9C,0xEF},
80 {0xA0,0xE0,0x3B,0x4D,0xAE,0x2A,0xF5,0xB0,0xC8,0xEB,0xBB,0x3C,0x83,0x53,0x99,0x61},
81 {0x17,0x2B,0x04,0x7E,0xBA,0x77,0xD6,0x26,0xE1,0x69,0x14,0x63,0x55,0x21,0x0C,0x7D}
84 // This table stores pre-calculated values for all possible GF(2^8) calculations.This
85 // table is only used by the (Inv)MixColumns steps.
86 // USAGE: The second index (column) is the coefficient of multiplication. Only 7 different
87 // coefficients are used: 0x01, 0x02, 0x03, 0x09, 0x0b, 0x0d, 0x0e, but multiplication by
88 // 1 is negligible leaving only 6 coefficients. Each column of the table is devoted to one
89 // of these coefficients, in the ascending order of value, from values 0x00 to 0xFF.
90 static const BYTE gf_mul
[256][6] = {
91 {0x00,0x00,0x00,0x00,0x00,0x00},{0x02,0x03,0x09,0x0b,0x0d,0x0e},
92 {0x04,0x06,0x12,0x16,0x1a,0x1c},{0x06,0x05,0x1b,0x1d,0x17,0x12},
93 {0x08,0x0c,0x24,0x2c,0x34,0x38},{0x0a,0x0f,0x2d,0x27,0x39,0x36},
94 {0x0c,0x0a,0x36,0x3a,0x2e,0x24},{0x0e,0x09,0x3f,0x31,0x23,0x2a},
95 {0x10,0x18,0x48,0x58,0x68,0x70},{0x12,0x1b,0x41,0x53,0x65,0x7e},
96 {0x14,0x1e,0x5a,0x4e,0x72,0x6c},{0x16,0x1d,0x53,0x45,0x7f,0x62},
97 {0x18,0x14,0x6c,0x74,0x5c,0x48},{0x1a,0x17,0x65,0x7f,0x51,0x46},
98 {0x1c,0x12,0x7e,0x62,0x46,0x54},{0x1e,0x11,0x77,0x69,0x4b,0x5a},
99 {0x20,0x30,0x90,0xb0,0xd0,0xe0},{0x22,0x33,0x99,0xbb,0xdd,0xee},
100 {0x24,0x36,0x82,0xa6,0xca,0xfc},{0x26,0x35,0x8b,0xad,0xc7,0xf2},
101 {0x28,0x3c,0xb4,0x9c,0xe4,0xd8},{0x2a,0x3f,0xbd,0x97,0xe9,0xd6},
102 {0x2c,0x3a,0xa6,0x8a,0xfe,0xc4},{0x2e,0x39,0xaf,0x81,0xf3,0xca},
103 {0x30,0x28,0xd8,0xe8,0xb8,0x90},{0x32,0x2b,0xd1,0xe3,0xb5,0x9e},
104 {0x34,0x2e,0xca,0xfe,0xa2,0x8c},{0x36,0x2d,0xc3,0xf5,0xaf,0x82},
105 {0x38,0x24,0xfc,0xc4,0x8c,0xa8},{0x3a,0x27,0xf5,0xcf,0x81,0xa6},
106 {0x3c,0x22,0xee,0xd2,0x96,0xb4},{0x3e,0x21,0xe7,0xd9,0x9b,0xba},
107 {0x40,0x60,0x3b,0x7b,0xbb,0xdb},{0x42,0x63,0x32,0x70,0xb6,0xd5},
108 {0x44,0x66,0x29,0x6d,0xa1,0xc7},{0x46,0x65,0x20,0x66,0xac,0xc9},
109 {0x48,0x6c,0x1f,0x57,0x8f,0xe3},{0x4a,0x6f,0x16,0x5c,0x82,0xed},
110 {0x4c,0x6a,0x0d,0x41,0x95,0xff},{0x4e,0x69,0x04,0x4a,0x98,0xf1},
111 {0x50,0x78,0x73,0x23,0xd3,0xab},{0x52,0x7b,0x7a,0x28,0xde,0xa5},
112 {0x54,0x7e,0x61,0x35,0xc9,0xb7},{0x56,0x7d,0x68,0x3e,0xc4,0xb9},
113 {0x58,0x74,0x57,0x0f,0xe7,0x93},{0x5a,0x77,0x5e,0x04,0xea,0x9d},
114 {0x5c,0x72,0x45,0x19,0xfd,0x8f},{0x5e,0x71,0x4c,0x12,0xf0,0x81},
115 {0x60,0x50,0xab,0xcb,0x6b,0x3b},{0x62,0x53,0xa2,0xc0,0x66,0x35},
116 {0x64,0x56,0xb9,0xdd,0x71,0x27},{0x66,0x55,0xb0,0xd6,0x7c,0x29},
117 {0x68,0x5c,0x8f,0xe7,0x5f,0x03},{0x6a,0x5f,0x86,0xec,0x52,0x0d},
118 {0x6c,0x5a,0x9d,0xf1,0x45,0x1f},{0x6e,0x59,0x94,0xfa,0x48,0x11},
119 {0x70,0x48,0xe3,0x93,0x03,0x4b},{0x72,0x4b,0xea,0x98,0x0e,0x45},
120 {0x74,0x4e,0xf1,0x85,0x19,0x57},{0x76,0x4d,0xf8,0x8e,0x14,0x59},
121 {0x78,0x44,0xc7,0xbf,0x37,0x73},{0x7a,0x47,0xce,0xb4,0x3a,0x7d},
122 {0x7c,0x42,0xd5,0xa9,0x2d,0x6f},{0x7e,0x41,0xdc,0xa2,0x20,0x61},
123 {0x80,0xc0,0x76,0xf6,0x6d,0xad},{0x82,0xc3,0x7f,0xfd,0x60,0xa3},
124 {0x84,0xc6,0x64,0xe0,0x77,0xb1},{0x86,0xc5,0x6d,0xeb,0x7a,0xbf},
125 {0x88,0xcc,0x52,0xda,0x59,0x95},{0x8a,0xcf,0x5b,0xd1,0x54,0x9b},
126 {0x8c,0xca,0x40,0xcc,0x43,0x89},{0x8e,0xc9,0x49,0xc7,0x4e,0x87},
127 {0x90,0xd8,0x3e,0xae,0x05,0xdd},{0x92,0xdb,0x37,0xa5,0x08,0xd3},
128 {0x94,0xde,0x2c,0xb8,0x1f,0xc1},{0x96,0xdd,0x25,0xb3,0x12,0xcf},
129 {0x98,0xd4,0x1a,0x82,0x31,0xe5},{0x9a,0xd7,0x13,0x89,0x3c,0xeb},
130 {0x9c,0xd2,0x08,0x94,0x2b,0xf9},{0x9e,0xd1,0x01,0x9f,0x26,0xf7},
131 {0xa0,0xf0,0xe6,0x46,0xbd,0x4d},{0xa2,0xf3,0xef,0x4d,0xb0,0x43},
132 {0xa4,0xf6,0xf4,0x50,0xa7,0x51},{0xa6,0xf5,0xfd,0x5b,0xaa,0x5f},
133 {0xa8,0xfc,0xc2,0x6a,0x89,0x75},{0xaa,0xff,0xcb,0x61,0x84,0x7b},
134 {0xac,0xfa,0xd0,0x7c,0x93,0x69},{0xae,0xf9,0xd9,0x77,0x9e,0x67},
135 {0xb0,0xe8,0xae,0x1e,0xd5,0x3d},{0xb2,0xeb,0xa7,0x15,0xd8,0x33},
136 {0xb4,0xee,0xbc,0x08,0xcf,0x21},{0xb6,0xed,0xb5,0x03,0xc2,0x2f},
137 {0xb8,0xe4,0x8a,0x32,0xe1,0x05},{0xba,0xe7,0x83,0x39,0xec,0x0b},
138 {0xbc,0xe2,0x98,0x24,0xfb,0x19},{0xbe,0xe1,0x91,0x2f,0xf6,0x17},
139 {0xc0,0xa0,0x4d,0x8d,0xd6,0x76},{0xc2,0xa3,0x44,0x86,0xdb,0x78},
140 {0xc4,0xa6,0x5f,0x9b,0xcc,0x6a},{0xc6,0xa5,0x56,0x90,0xc1,0x64},
141 {0xc8,0xac,0x69,0xa1,0xe2,0x4e},{0xca,0xaf,0x60,0xaa,0xef,0x40},
142 {0xcc,0xaa,0x7b,0xb7,0xf8,0x52},{0xce,0xa9,0x72,0xbc,0xf5,0x5c},
143 {0xd0,0xb8,0x05,0xd5,0xbe,0x06},{0xd2,0xbb,0x0c,0xde,0xb3,0x08},
144 {0xd4,0xbe,0x17,0xc3,0xa4,0x1a},{0xd6,0xbd,0x1e,0xc8,0xa9,0x14},
145 {0xd8,0xb4,0x21,0xf9,0x8a,0x3e},{0xda,0xb7,0x28,0xf2,0x87,0x30},
146 {0xdc,0xb2,0x33,0xef,0x90,0x22},{0xde,0xb1,0x3a,0xe4,0x9d,0x2c},
147 {0xe0,0x90,0xdd,0x3d,0x06,0x96},{0xe2,0x93,0xd4,0x36,0x0b,0x98},
148 {0xe4,0x96,0xcf,0x2b,0x1c,0x8a},{0xe6,0x95,0xc6,0x20,0x11,0x84},
149 {0xe8,0x9c,0xf9,0x11,0x32,0xae},{0xea,0x9f,0xf0,0x1a,0x3f,0xa0},
150 {0xec,0x9a,0xeb,0x07,0x28,0xb2},{0xee,0x99,0xe2,0x0c,0x25,0xbc},
151 {0xf0,0x88,0x95,0x65,0x6e,0xe6},{0xf2,0x8b,0x9c,0x6e,0x63,0xe8},
152 {0xf4,0x8e,0x87,0x73,0x74,0xfa},{0xf6,0x8d,0x8e,0x78,0x79,0xf4},
153 {0xf8,0x84,0xb1,0x49,0x5a,0xde},{0xfa,0x87,0xb8,0x42,0x57,0xd0},
154 {0xfc,0x82,0xa3,0x5f,0x40,0xc2},{0xfe,0x81,0xaa,0x54,0x4d,0xcc},
155 {0x1b,0x9b,0xec,0xf7,0xda,0x41},{0x19,0x98,0xe5,0xfc,0xd7,0x4f},
156 {0x1f,0x9d,0xfe,0xe1,0xc0,0x5d},{0x1d,0x9e,0xf7,0xea,0xcd,0x53},
157 {0x13,0x97,0xc8,0xdb,0xee,0x79},{0x11,0x94,0xc1,0xd0,0xe3,0x77},
158 {0x17,0x91,0xda,0xcd,0xf4,0x65},{0x15,0x92,0xd3,0xc6,0xf9,0x6b},
159 {0x0b,0x83,0xa4,0xaf,0xb2,0x31},{0x09,0x80,0xad,0xa4,0xbf,0x3f},
160 {0x0f,0x85,0xb6,0xb9,0xa8,0x2d},{0x0d,0x86,0xbf,0xb2,0xa5,0x23},
161 {0x03,0x8f,0x80,0x83,0x86,0x09},{0x01,0x8c,0x89,0x88,0x8b,0x07},
162 {0x07,0x89,0x92,0x95,0x9c,0x15},{0x05,0x8a,0x9b,0x9e,0x91,0x1b},
163 {0x3b,0xab,0x7c,0x47,0x0a,0xa1},{0x39,0xa8,0x75,0x4c,0x07,0xaf},
164 {0x3f,0xad,0x6e,0x51,0x10,0xbd},{0x3d,0xae,0x67,0x5a,0x1d,0xb3},
165 {0x33,0xa7,0x58,0x6b,0x3e,0x99},{0x31,0xa4,0x51,0x60,0x33,0x97},
166 {0x37,0xa1,0x4a,0x7d,0x24,0x85},{0x35,0xa2,0x43,0x76,0x29,0x8b},
167 {0x2b,0xb3,0x34,0x1f,0x62,0xd1},{0x29,0xb0,0x3d,0x14,0x6f,0xdf},
168 {0x2f,0xb5,0x26,0x09,0x78,0xcd},{0x2d,0xb6,0x2f,0x02,0x75,0xc3},
169 {0x23,0xbf,0x10,0x33,0x56,0xe9},{0x21,0xbc,0x19,0x38,0x5b,0xe7},
170 {0x27,0xb9,0x02,0x25,0x4c,0xf5},{0x25,0xba,0x0b,0x2e,0x41,0xfb},
171 {0x5b,0xfb,0xd7,0x8c,0x61,0x9a},{0x59,0xf8,0xde,0x87,0x6c,0x94},
172 {0x5f,0xfd,0xc5,0x9a,0x7b,0x86},{0x5d,0xfe,0xcc,0x91,0x76,0x88},
173 {0x53,0xf7,0xf3,0xa0,0x55,0xa2},{0x51,0xf4,0xfa,0xab,0x58,0xac},
174 {0x57,0xf1,0xe1,0xb6,0x4f,0xbe},{0x55,0xf2,0xe8,0xbd,0x42,0xb0},
175 {0x4b,0xe3,0x9f,0xd4,0x09,0xea},{0x49,0xe0,0x96,0xdf,0x04,0xe4},
176 {0x4f,0xe5,0x8d,0xc2,0x13,0xf6},{0x4d,0xe6,0x84,0xc9,0x1e,0xf8},
177 {0x43,0xef,0xbb,0xf8,0x3d,0xd2},{0x41,0xec,0xb2,0xf3,0x30,0xdc},
178 {0x47,0xe9,0xa9,0xee,0x27,0xce},{0x45,0xea,0xa0,0xe5,0x2a,0xc0},
179 {0x7b,0xcb,0x47,0x3c,0xb1,0x7a},{0x79,0xc8,0x4e,0x37,0xbc,0x74},
180 {0x7f,0xcd,0x55,0x2a,0xab,0x66},{0x7d,0xce,0x5c,0x21,0xa6,0x68},
181 {0x73,0xc7,0x63,0x10,0x85,0x42},{0x71,0xc4,0x6a,0x1b,0x88,0x4c},
182 {0x77,0xc1,0x71,0x06,0x9f,0x5e},{0x75,0xc2,0x78,0x0d,0x92,0x50},
183 {0x6b,0xd3,0x0f,0x64,0xd9,0x0a},{0x69,0xd0,0x06,0x6f,0xd4,0x04},
184 {0x6f,0xd5,0x1d,0x72,0xc3,0x16},{0x6d,0xd6,0x14,0x79,0xce,0x18},
185 {0x63,0xdf,0x2b,0x48,0xed,0x32},{0x61,0xdc,0x22,0x43,0xe0,0x3c},
186 {0x67,0xd9,0x39,0x5e,0xf7,0x2e},{0x65,0xda,0x30,0x55,0xfa,0x20},
187 {0x9b,0x5b,0x9a,0x01,0xb7,0xec},{0x99,0x58,0x93,0x0a,0xba,0xe2},
188 {0x9f,0x5d,0x88,0x17,0xad,0xf0},{0x9d,0x5e,0x81,0x1c,0xa0,0xfe},
189 {0x93,0x57,0xbe,0x2d,0x83,0xd4},{0x91,0x54,0xb7,0x26,0x8e,0xda},
190 {0x97,0x51,0xac,0x3b,0x99,0xc8},{0x95,0x52,0xa5,0x30,0x94,0xc6},
191 {0x8b,0x43,0xd2,0x59,0xdf,0x9c},{0x89,0x40,0xdb,0x52,0xd2,0x92},
192 {0x8f,0x45,0xc0,0x4f,0xc5,0x80},{0x8d,0x46,0xc9,0x44,0xc8,0x8e},
193 {0x83,0x4f,0xf6,0x75,0xeb,0xa4},{0x81,0x4c,0xff,0x7e,0xe6,0xaa},
194 {0x87,0x49,0xe4,0x63,0xf1,0xb8},{0x85,0x4a,0xed,0x68,0xfc,0xb6},
195 {0xbb,0x6b,0x0a,0xb1,0x67,0x0c},{0xb9,0x68,0x03,0xba,0x6a,0x02},
196 {0xbf,0x6d,0x18,0xa7,0x7d,0x10},{0xbd,0x6e,0x11,0xac,0x70,0x1e},
197 {0xb3,0x67,0x2e,0x9d,0x53,0x34},{0xb1,0x64,0x27,0x96,0x5e,0x3a},
198 {0xb7,0x61,0x3c,0x8b,0x49,0x28},{0xb5,0x62,0x35,0x80,0x44,0x26},
199 {0xab,0x73,0x42,0xe9,0x0f,0x7c},{0xa9,0x70,0x4b,0xe2,0x02,0x72},
200 {0xaf,0x75,0x50,0xff,0x15,0x60},{0xad,0x76,0x59,0xf4,0x18,0x6e},
201 {0xa3,0x7f,0x66,0xc5,0x3b,0x44},{0xa1,0x7c,0x6f,0xce,0x36,0x4a},
202 {0xa7,0x79,0x74,0xd3,0x21,0x58},{0xa5,0x7a,0x7d,0xd8,0x2c,0x56},
203 {0xdb,0x3b,0xa1,0x7a,0x0c,0x37},{0xd9,0x38,0xa8,0x71,0x01,0x39},
204 {0xdf,0x3d,0xb3,0x6c,0x16,0x2b},{0xdd,0x3e,0xba,0x67,0x1b,0x25},
205 {0xd3,0x37,0x85,0x56,0x38,0x0f},{0xd1,0x34,0x8c,0x5d,0x35,0x01},
206 {0xd7,0x31,0x97,0x40,0x22,0x13},{0xd5,0x32,0x9e,0x4b,0x2f,0x1d},
207 {0xcb,0x23,0xe9,0x22,0x64,0x47},{0xc9,0x20,0xe0,0x29,0x69,0x49},
208 {0xcf,0x25,0xfb,0x34,0x7e,0x5b},{0xcd,0x26,0xf2,0x3f,0x73,0x55},
209 {0xc3,0x2f,0xcd,0x0e,0x50,0x7f},{0xc1,0x2c,0xc4,0x05,0x5d,0x71},
210 {0xc7,0x29,0xdf,0x18,0x4a,0x63},{0xc5,0x2a,0xd6,0x13,0x47,0x6d},
211 {0xfb,0x0b,0x31,0xca,0xdc,0xd7},{0xf9,0x08,0x38,0xc1,0xd1,0xd9},
212 {0xff,0x0d,0x23,0xdc,0xc6,0xcb},{0xfd,0x0e,0x2a,0xd7,0xcb,0xc5},
213 {0xf3,0x07,0x15,0xe6,0xe8,0xef},{0xf1,0x04,0x1c,0xed,0xe5,0xe1},
214 {0xf7,0x01,0x07,0xf0,0xf2,0xf3},{0xf5,0x02,0x0e,0xfb,0xff,0xfd},
215 {0xeb,0x13,0x79,0x92,0xb4,0xa7},{0xe9,0x10,0x70,0x99,0xb9,0xa9},
216 {0xef,0x15,0x6b,0x84,0xae,0xbb},{0xed,0x16,0x62,0x8f,0xa3,0xb5},
217 {0xe3,0x1f,0x5d,0xbe,0x80,0x9f},{0xe1,0x1c,0x54,0xb5,0x8d,0x91},
218 {0xe7,0x19,0x4f,0xa8,0x9a,0x83},{0xe5,0x1a,0x46,0xa3,0x97,0x8d}
221 /*********************** FUNCTION DEFINITIONS ***********************/
222 // XORs the in and out buffers, storing the result in out. Length is in bytes.
223 void xor_buf(const BYTE in
[], BYTE out
[], size_t len
)
227 for (idx
= 0; idx
< len
; idx
++)
234 int aes_encrypt_cbc(const BYTE in
[], size_t in_len
, BYTE out
[], const WORD key
[], int keysize
, const BYTE iv
[])
236 BYTE buf_in
[AES_BLOCK_SIZE
], buf_out
[AES_BLOCK_SIZE
], iv_buf
[AES_BLOCK_SIZE
];
239 if (in_len
% AES_BLOCK_SIZE
!= 0)
242 blocks
= in_len
/ AES_BLOCK_SIZE
;
244 memcpy(iv_buf
, iv
, AES_BLOCK_SIZE
);
246 for (idx
= 0; idx
< blocks
; idx
++) {
247 memcpy(buf_in
, &in
[idx
* AES_BLOCK_SIZE
], AES_BLOCK_SIZE
);
248 xor_buf(iv_buf
, buf_in
, AES_BLOCK_SIZE
);
249 aes_encrypt(buf_in
, buf_out
, key
, keysize
);
250 memcpy(&out
[idx
* AES_BLOCK_SIZE
], buf_out
, AES_BLOCK_SIZE
);
251 memcpy(iv_buf
, buf_out
, AES_BLOCK_SIZE
);
257 int aes_encrypt_cbc_mac(const BYTE in
[], size_t in_len
, BYTE out
[], const WORD key
[], int keysize
, const BYTE iv
[])
259 BYTE buf_in
[AES_BLOCK_SIZE
], buf_out
[AES_BLOCK_SIZE
], iv_buf
[AES_BLOCK_SIZE
];
262 if (in_len
% AES_BLOCK_SIZE
!= 0)
265 blocks
= in_len
/ AES_BLOCK_SIZE
;
267 memcpy(iv_buf
, iv
, AES_BLOCK_SIZE
);
269 for (idx
= 0; idx
< blocks
; idx
++) {
270 memcpy(buf_in
, &in
[idx
* AES_BLOCK_SIZE
], AES_BLOCK_SIZE
);
271 xor_buf(iv_buf
, buf_in
, AES_BLOCK_SIZE
);
272 aes_encrypt(buf_in
, buf_out
, key
, keysize
);
273 memcpy(iv_buf
, buf_out
, AES_BLOCK_SIZE
);
274 // Do not output all encrypted blocks.
277 memcpy(out
, buf_out
, AES_BLOCK_SIZE
); // Only output the last block.
282 int aes_decrypt_cbc(const BYTE in
[], size_t in_len
, BYTE out
[], const WORD key
[], int keysize
, const BYTE iv
[])
284 BYTE buf_in
[AES_BLOCK_SIZE
], buf_out
[AES_BLOCK_SIZE
], iv_buf
[AES_BLOCK_SIZE
];
287 if (in_len
% AES_BLOCK_SIZE
!= 0)
290 blocks
= in_len
/ AES_BLOCK_SIZE
;
292 memcpy(iv_buf
, iv
, AES_BLOCK_SIZE
);
294 for (idx
= 0; idx
< blocks
; idx
++) {
295 memcpy(buf_in
, &in
[idx
* AES_BLOCK_SIZE
], AES_BLOCK_SIZE
);
296 aes_decrypt(buf_in
, buf_out
, key
, keysize
);
297 xor_buf(iv_buf
, buf_out
, AES_BLOCK_SIZE
);
298 memcpy(&out
[idx
* AES_BLOCK_SIZE
], buf_out
, AES_BLOCK_SIZE
);
299 memcpy(iv_buf
, buf_in
, AES_BLOCK_SIZE
);
308 void increment_iv(BYTE iv
[], int counter_size
)
312 // Use counter_size bytes at the end of the IV as the big-endian integer to increment.
313 for (idx
= AES_BLOCK_SIZE
- 1; idx
>= AES_BLOCK_SIZE
- counter_size
; idx
--) {
315 if (iv
[idx
] != 0 || idx
== AES_BLOCK_SIZE
- counter_size
)
320 // Performs the encryption in-place, the input and output buffers may be the same.
321 // Input may be an arbitrary length (in bytes).
322 void aes_encrypt_ctr(const BYTE in
[], size_t in_len
, BYTE out
[], const WORD key
[], int keysize
, const BYTE iv
[])
324 size_t idx
= 0, last_block_length
;
325 BYTE iv_buf
[AES_BLOCK_SIZE
], out_buf
[AES_BLOCK_SIZE
];
328 memcpy(out
, in
, in_len
);
330 memcpy(iv_buf
, iv
, AES_BLOCK_SIZE
);
331 last_block_length
= in_len
- AES_BLOCK_SIZE
;
333 if (in_len
> AES_BLOCK_SIZE
) {
334 for (idx
= 0; idx
< last_block_length
; idx
+= AES_BLOCK_SIZE
) {
335 aes_encrypt(iv_buf
, out_buf
, key
, keysize
);
336 xor_buf(out_buf
, &out
[idx
], AES_BLOCK_SIZE
);
337 increment_iv(iv_buf
, AES_BLOCK_SIZE
);
341 aes_encrypt(iv_buf
, out_buf
, key
, keysize
);
342 xor_buf(out_buf
, &out
[idx
], in_len
- idx
); // Use the Most Significant bytes.
345 void aes_decrypt_ctr(const BYTE in
[], size_t in_len
, BYTE out
[], const WORD key
[], int keysize
, const BYTE iv
[])
347 // CTR encryption is its own inverse function.
348 aes_encrypt_ctr(in
, in_len
, out
, key
, keysize
, iv
);
354 // out_len = payload_len + assoc_len
355 int aes_encrypt_ccm(const BYTE payload
[], WORD payload_len
, const BYTE assoc
[], unsigned short assoc_len
,
356 const BYTE nonce
[], unsigned short nonce_len
, BYTE out
[], WORD
*out_len
,
357 WORD mac_len
, const BYTE key_str
[], int keysize
)
359 BYTE temp_iv
[AES_BLOCK_SIZE
], counter
[AES_BLOCK_SIZE
], mac
[16], *buf
;
360 int end_of_buf
, payload_len_store_size
;
363 if (mac_len
!= 4 && mac_len
!= 6 && mac_len
!= 8 && mac_len
!= 10 &&
364 mac_len
!= 12 && mac_len
!= 14 && mac_len
!= 16)
367 if (nonce_len
< 7 || nonce_len
> 13)
370 if (assoc_len
> 32768 /* = 2^15 */)
373 buf
= (BYTE
*)malloc(payload_len
+ assoc_len
+ 48 /*Round both payload and associated data up a block size and add an extra block.*/);
377 // Prepare the key for usage.
378 aes_key_setup(key_str
, key
, keysize
);
380 // Format the first block of the formatted data.
381 payload_len_store_size
= AES_BLOCK_SIZE
- 1 - nonce_len
;
382 ccm_prepare_first_format_blk(buf
, assoc_len
, payload_len
, payload_len_store_size
, mac_len
, nonce
, nonce_len
);
383 end_of_buf
= AES_BLOCK_SIZE
;
385 // Format the Associated Data, aka, assoc[].
386 ccm_format_assoc_data(buf
, &end_of_buf
, assoc
, assoc_len
);
388 // Format the Payload, aka payload[].
389 ccm_format_payload_data(buf
, &end_of_buf
, payload
, payload_len
);
391 // Create the first counter block.
392 ccm_prepare_first_ctr_blk(counter
, nonce
, nonce_len
, payload_len_store_size
);
394 // Perform the CBC operation with an IV of zeros on the formatted buffer to calculate the MAC.
395 memset(temp_iv
, 0, AES_BLOCK_SIZE
);
396 aes_encrypt_cbc_mac(buf
, end_of_buf
, mac
, key
, keysize
, temp_iv
);
398 // Copy the Payload and MAC to the output buffer.
399 memcpy(out
, payload
, payload_len
);
400 memcpy(&out
[payload_len
], mac
, mac_len
);
402 // Encrypt the Payload with CTR mode with a counter starting at 1.
403 memcpy(temp_iv
, counter
, AES_BLOCK_SIZE
);
404 increment_iv(temp_iv
, AES_BLOCK_SIZE
- 1 - mac_len
); // Last argument is the byte size of the counting portion of the counter block. /*BUG?*/
405 aes_encrypt_ctr(out
, payload_len
, out
, key
, keysize
, temp_iv
);
407 // Encrypt the MAC with CTR mode with a counter starting at 0.
408 aes_encrypt_ctr(&out
[payload_len
], mac_len
, &out
[payload_len
], key
, keysize
, counter
);
411 *out_len
= payload_len
+ mac_len
;
416 // plaintext_len = ciphertext_len - mac_len
417 // Needs a flag for whether the MAC matches.
418 int aes_decrypt_ccm(const BYTE ciphertext
[], WORD ciphertext_len
, const BYTE assoc
[], unsigned short assoc_len
,
419 const BYTE nonce
[], unsigned short nonce_len
, BYTE plaintext
[], WORD
*plaintext_len
,
420 WORD mac_len
, int *mac_auth
, const BYTE key_str
[], int keysize
)
422 BYTE temp_iv
[AES_BLOCK_SIZE
], counter
[AES_BLOCK_SIZE
], mac
[16], mac_buf
[16], *buf
;
423 int end_of_buf
, plaintext_len_store_size
;
426 if (ciphertext_len
<= mac_len
)
429 buf
= (BYTE
*)malloc(assoc_len
+ ciphertext_len
/*ciphertext_len = plaintext_len + mac_len*/ + 48);
433 // Prepare the key for usage.
434 aes_key_setup(key_str
, key
, keysize
);
436 // Copy the plaintext and MAC to the output buffers.
437 *plaintext_len
= ciphertext_len
- mac_len
;
438 plaintext_len_store_size
= AES_BLOCK_SIZE
- 1 - nonce_len
;
439 memcpy(plaintext
, ciphertext
, *plaintext_len
);
440 memcpy(mac
, &ciphertext
[*plaintext_len
], mac_len
);
442 // Prepare the first counter block for use in decryption.
443 ccm_prepare_first_ctr_blk(counter
, nonce
, nonce_len
, plaintext_len_store_size
);
445 // Decrypt the Payload with CTR mode with a counter starting at 1.
446 memcpy(temp_iv
, counter
, AES_BLOCK_SIZE
);
447 increment_iv(temp_iv
, AES_BLOCK_SIZE
- 1 - mac_len
); // (AES_BLOCK_SIZE - 1 - mac_len) is the byte size of the counting portion of the counter block.
448 aes_decrypt_ctr(plaintext
, *plaintext_len
, plaintext
, key
, keysize
, temp_iv
);
450 // Setting mac_auth to NULL disables the authentication check.
451 if (mac_auth
!= NULL
) {
452 // Decrypt the MAC with CTR mode with a counter starting at 0.
453 aes_decrypt_ctr(mac
, mac_len
, mac
, key
, keysize
, counter
);
455 // Format the first block of the formatted data.
456 plaintext_len_store_size
= AES_BLOCK_SIZE
- 1 - nonce_len
;
457 ccm_prepare_first_format_blk(buf
, assoc_len
, *plaintext_len
, plaintext_len_store_size
, mac_len
, nonce
, nonce_len
);
458 end_of_buf
= AES_BLOCK_SIZE
;
460 // Format the Associated Data into the authentication buffer.
461 ccm_format_assoc_data(buf
, &end_of_buf
, assoc
, assoc_len
);
463 // Format the Payload into the authentication buffer.
464 ccm_format_payload_data(buf
, &end_of_buf
, plaintext
, *plaintext_len
);
466 // Perform the CBC operation with an IV of zeros on the formatted buffer to calculate the MAC.
467 memset(temp_iv
, 0, AES_BLOCK_SIZE
);
468 aes_encrypt_cbc_mac(buf
, end_of_buf
, mac_buf
, key
, keysize
, temp_iv
);
470 // Compare the calculated MAC against the MAC embedded in the ciphertext to see if they are the same.
471 if (! memcmp(mac
, mac_buf
, mac_len
)) {
476 memset(plaintext
, 0, *plaintext_len
);
485 // Creates the first counter block. First byte is flags, then the nonce, then the incremented part.
486 void ccm_prepare_first_ctr_blk(BYTE counter
[], const BYTE nonce
[], int nonce_len
, int payload_len_store_size
)
488 memset(counter
, 0, AES_BLOCK_SIZE
);
489 counter
[0] = (payload_len_store_size
- 1) & 0x07;
490 memcpy(&counter
[1], nonce
, nonce_len
);
493 void ccm_prepare_first_format_blk(BYTE buf
[], int assoc_len
, int payload_len
, int payload_len_store_size
, int mac_len
, const BYTE nonce
[], int nonce_len
)
495 // Set the flags for the first byte of the first block.
496 buf
[0] = ((((mac_len
- 2) / 2) & 0x07) << 3) | ((payload_len_store_size
- 1) & 0x07);
499 // Format the rest of the first block, storing the nonce and the size of the payload.
500 memcpy(&buf
[1], nonce
, nonce_len
);
501 memset(&buf
[1 + nonce_len
], 0, AES_BLOCK_SIZE
- 1 - nonce_len
);
502 buf
[15] = payload_len
& 0x000000FF;
503 buf
[14] = (payload_len
>> 8) & 0x000000FF;
506 void ccm_format_assoc_data(BYTE buf
[], int *end_of_buf
, const BYTE assoc
[], int assoc_len
)
510 buf
[*end_of_buf
+ 1] = assoc_len
& 0x00FF;
511 buf
[*end_of_buf
] = (assoc_len
>> 8) & 0x00FF;
513 memcpy(&buf
[*end_of_buf
], assoc
, assoc_len
);
514 *end_of_buf
+= assoc_len
;
515 pad
= AES_BLOCK_SIZE
- (*end_of_buf
% AES_BLOCK_SIZE
); /*BUG?*/
516 memset(&buf
[*end_of_buf
], 0, pad
);
520 void ccm_format_payload_data(BYTE buf
[], int *end_of_buf
, const BYTE payload
[], int payload_len
)
524 memcpy(&buf
[*end_of_buf
], payload
, payload_len
);
525 *end_of_buf
+= payload_len
;
526 pad
= *end_of_buf
% AES_BLOCK_SIZE
;
528 pad
= AES_BLOCK_SIZE
- pad
;
529 memset(&buf
[*end_of_buf
], 0, pad
);
540 // Substitutes a word using the AES S-Box.
541 WORD
SubWord(WORD word
)
545 result
= (int)aes_sbox
[(word
>> 4) & 0x0000000F][word
& 0x0000000F];
546 result
+= (int)aes_sbox
[(word
>> 12) & 0x0000000F][(word
>> 8) & 0x0000000F] << 8;
547 result
+= (int)aes_sbox
[(word
>> 20) & 0x0000000F][(word
>> 16) & 0x0000000F] << 16;
548 result
+= (int)aes_sbox
[(word
>> 28) & 0x0000000F][(word
>> 24) & 0x0000000F] << 24;
552 // Performs the action of generating the keys that will be used in every round of
553 // encryption. "key" is the user-supplied input key, "w" is the output key schedule,
554 // "keysize" is the length in bits of "key", must be 128, 192, or 256.
555 void aes_key_setup(const BYTE key
[], WORD w
[], int keysize
)
558 WORD temp
,Rcon
[]={0x01000000,0x02000000,0x04000000,0x08000000,0x10000000,0x20000000,
559 0x40000000,0x80000000,0x1b000000,0x36000000,0x6c000000,0xd8000000,
560 0xab000000,0x4d000000,0x9a000000};
563 case 128: Nr
= 10; Nk
= 4; break;
564 case 192: Nr
= 12; Nk
= 6; break;
565 case 256: Nr
= 14; Nk
= 8; break;
569 for (idx
=0; idx
< Nk
; ++idx
) {
570 w
[idx
] = ((key
[4 * idx
]) << 24) | ((key
[4 * idx
+ 1]) << 16) |
571 ((key
[4 * idx
+ 2]) << 8) | ((key
[4 * idx
+ 3]));
574 for (idx
= Nk
; idx
< Nb
* (Nr
+1); ++idx
) {
577 temp
= SubWord(KE_ROTWORD(temp
)) ^ Rcon
[(idx
-1)/Nk
];
578 else if (Nk
> 6 && (idx
% Nk
) == 4)
579 temp
= SubWord(temp
);
580 w
[idx
] = w
[idx
-Nk
] ^ temp
;
588 // Performs the AddRoundKey step. Each round has its own pre-generated 16-byte key in the
589 // form of 4 integers (the "w" array). Each integer is XOR'd by one column of the state.
590 // Also performs the job of InvAddRoundKey(); since the function is a simple XOR process,
591 // it is its own inverse.
592 void AddRoundKey(BYTE state
[][4], const WORD w
[])
596 // memcpy(subkey,&w[idx],4); // Not accurate for big endian machines
598 subkey
[0] = w
[0] >> 24;
599 subkey
[1] = w
[0] >> 16;
600 subkey
[2] = w
[0] >> 8;
602 state
[0][0] ^= subkey
[0];
603 state
[1][0] ^= subkey
[1];
604 state
[2][0] ^= subkey
[2];
605 state
[3][0] ^= subkey
[3];
607 subkey
[0] = w
[1] >> 24;
608 subkey
[1] = w
[1] >> 16;
609 subkey
[2] = w
[1] >> 8;
611 state
[0][1] ^= subkey
[0];
612 state
[1][1] ^= subkey
[1];
613 state
[2][1] ^= subkey
[2];
614 state
[3][1] ^= subkey
[3];
616 subkey
[0] = w
[2] >> 24;
617 subkey
[1] = w
[2] >> 16;
618 subkey
[2] = w
[2] >> 8;
620 state
[0][2] ^= subkey
[0];
621 state
[1][2] ^= subkey
[1];
622 state
[2][2] ^= subkey
[2];
623 state
[3][2] ^= subkey
[3];
625 subkey
[0] = w
[3] >> 24;
626 subkey
[1] = w
[3] >> 16;
627 subkey
[2] = w
[3] >> 8;
629 state
[0][3] ^= subkey
[0];
630 state
[1][3] ^= subkey
[1];
631 state
[2][3] ^= subkey
[2];
632 state
[3][3] ^= subkey
[3];
639 // Performs the SubBytes step. All bytes in the state are substituted with a
640 // pre-calculated value from a lookup table.
641 void SubBytes(BYTE state
[][4])
643 state
[0][0] = aes_sbox
[state
[0][0] >> 4][state
[0][0] & 0x0F];
644 state
[0][1] = aes_sbox
[state
[0][1] >> 4][state
[0][1] & 0x0F];
645 state
[0][2] = aes_sbox
[state
[0][2] >> 4][state
[0][2] & 0x0F];
646 state
[0][3] = aes_sbox
[state
[0][3] >> 4][state
[0][3] & 0x0F];
647 state
[1][0] = aes_sbox
[state
[1][0] >> 4][state
[1][0] & 0x0F];
648 state
[1][1] = aes_sbox
[state
[1][1] >> 4][state
[1][1] & 0x0F];
649 state
[1][2] = aes_sbox
[state
[1][2] >> 4][state
[1][2] & 0x0F];
650 state
[1][3] = aes_sbox
[state
[1][3] >> 4][state
[1][3] & 0x0F];
651 state
[2][0] = aes_sbox
[state
[2][0] >> 4][state
[2][0] & 0x0F];
652 state
[2][1] = aes_sbox
[state
[2][1] >> 4][state
[2][1] & 0x0F];
653 state
[2][2] = aes_sbox
[state
[2][2] >> 4][state
[2][2] & 0x0F];
654 state
[2][3] = aes_sbox
[state
[2][3] >> 4][state
[2][3] & 0x0F];
655 state
[3][0] = aes_sbox
[state
[3][0] >> 4][state
[3][0] & 0x0F];
656 state
[3][1] = aes_sbox
[state
[3][1] >> 4][state
[3][1] & 0x0F];
657 state
[3][2] = aes_sbox
[state
[3][2] >> 4][state
[3][2] & 0x0F];
658 state
[3][3] = aes_sbox
[state
[3][3] >> 4][state
[3][3] & 0x0F];
661 void InvSubBytes(BYTE state
[][4])
663 state
[0][0] = aes_invsbox
[state
[0][0] >> 4][state
[0][0] & 0x0F];
664 state
[0][1] = aes_invsbox
[state
[0][1] >> 4][state
[0][1] & 0x0F];
665 state
[0][2] = aes_invsbox
[state
[0][2] >> 4][state
[0][2] & 0x0F];
666 state
[0][3] = aes_invsbox
[state
[0][3] >> 4][state
[0][3] & 0x0F];
667 state
[1][0] = aes_invsbox
[state
[1][0] >> 4][state
[1][0] & 0x0F];
668 state
[1][1] = aes_invsbox
[state
[1][1] >> 4][state
[1][1] & 0x0F];
669 state
[1][2] = aes_invsbox
[state
[1][2] >> 4][state
[1][2] & 0x0F];
670 state
[1][3] = aes_invsbox
[state
[1][3] >> 4][state
[1][3] & 0x0F];
671 state
[2][0] = aes_invsbox
[state
[2][0] >> 4][state
[2][0] & 0x0F];
672 state
[2][1] = aes_invsbox
[state
[2][1] >> 4][state
[2][1] & 0x0F];
673 state
[2][2] = aes_invsbox
[state
[2][2] >> 4][state
[2][2] & 0x0F];
674 state
[2][3] = aes_invsbox
[state
[2][3] >> 4][state
[2][3] & 0x0F];
675 state
[3][0] = aes_invsbox
[state
[3][0] >> 4][state
[3][0] & 0x0F];
676 state
[3][1] = aes_invsbox
[state
[3][1] >> 4][state
[3][1] & 0x0F];
677 state
[3][2] = aes_invsbox
[state
[3][2] >> 4][state
[3][2] & 0x0F];
678 state
[3][3] = aes_invsbox
[state
[3][3] >> 4][state
[3][3] & 0x0F];
685 // Performs the ShiftRows step. All rows are shifted cylindrically to the left.
686 void ShiftRows(BYTE state
[][4])
692 state
[1][0] = state
[1][1];
693 state
[1][1] = state
[1][2];
694 state
[1][2] = state
[1][3];
698 state
[2][0] = state
[2][2];
701 state
[2][1] = state
[2][3];
705 state
[3][0] = state
[3][3];
706 state
[3][3] = state
[3][2];
707 state
[3][2] = state
[3][1];
711 // All rows are shifted cylindrically to the right.
712 void InvShiftRows(BYTE state
[][4])
718 state
[1][3] = state
[1][2];
719 state
[1][2] = state
[1][1];
720 state
[1][1] = state
[1][0];
724 state
[2][3] = state
[2][1];
727 state
[2][2] = state
[2][0];
731 state
[3][3] = state
[3][0];
732 state
[3][0] = state
[3][1];
733 state
[3][1] = state
[3][2];
741 // Performs the MixColums step. The state is multiplied by itself using matrix
742 // multiplication in a Galios Field 2^8. All multiplication is pre-computed in a table.
743 // Addition is equivilent to XOR. (Must always make a copy of the column as the original
744 // values will be destoyed.)
745 void MixColumns(BYTE state
[][4])
750 col
[0] = state
[0][0];
751 col
[1] = state
[1][0];
752 col
[2] = state
[2][0];
753 col
[3] = state
[3][0];
754 state
[0][0] = gf_mul
[col
[0]][0];
755 state
[0][0] ^= gf_mul
[col
[1]][1];
756 state
[0][0] ^= col
[2];
757 state
[0][0] ^= col
[3];
758 state
[1][0] = col
[0];
759 state
[1][0] ^= gf_mul
[col
[1]][0];
760 state
[1][0] ^= gf_mul
[col
[2]][1];
761 state
[1][0] ^= col
[3];
762 state
[2][0] = col
[0];
763 state
[2][0] ^= col
[1];
764 state
[2][0] ^= gf_mul
[col
[2]][0];
765 state
[2][0] ^= gf_mul
[col
[3]][1];
766 state
[3][0] = gf_mul
[col
[0]][1];
767 state
[3][0] ^= col
[1];
768 state
[3][0] ^= col
[2];
769 state
[3][0] ^= gf_mul
[col
[3]][0];
771 col
[0] = state
[0][1];
772 col
[1] = state
[1][1];
773 col
[2] = state
[2][1];
774 col
[3] = state
[3][1];
775 state
[0][1] = gf_mul
[col
[0]][0];
776 state
[0][1] ^= gf_mul
[col
[1]][1];
777 state
[0][1] ^= col
[2];
778 state
[0][1] ^= col
[3];
779 state
[1][1] = col
[0];
780 state
[1][1] ^= gf_mul
[col
[1]][0];
781 state
[1][1] ^= gf_mul
[col
[2]][1];
782 state
[1][1] ^= col
[3];
783 state
[2][1] = col
[0];
784 state
[2][1] ^= col
[1];
785 state
[2][1] ^= gf_mul
[col
[2]][0];
786 state
[2][1] ^= gf_mul
[col
[3]][1];
787 state
[3][1] = gf_mul
[col
[0]][1];
788 state
[3][1] ^= col
[1];
789 state
[3][1] ^= col
[2];
790 state
[3][1] ^= gf_mul
[col
[3]][0];
792 col
[0] = state
[0][2];
793 col
[1] = state
[1][2];
794 col
[2] = state
[2][2];
795 col
[3] = state
[3][2];
796 state
[0][2] = gf_mul
[col
[0]][0];
797 state
[0][2] ^= gf_mul
[col
[1]][1];
798 state
[0][2] ^= col
[2];
799 state
[0][2] ^= col
[3];
800 state
[1][2] = col
[0];
801 state
[1][2] ^= gf_mul
[col
[1]][0];
802 state
[1][2] ^= gf_mul
[col
[2]][1];
803 state
[1][2] ^= col
[3];
804 state
[2][2] = col
[0];
805 state
[2][2] ^= col
[1];
806 state
[2][2] ^= gf_mul
[col
[2]][0];
807 state
[2][2] ^= gf_mul
[col
[3]][1];
808 state
[3][2] = gf_mul
[col
[0]][1];
809 state
[3][2] ^= col
[1];
810 state
[3][2] ^= col
[2];
811 state
[3][2] ^= gf_mul
[col
[3]][0];
813 col
[0] = state
[0][3];
814 col
[1] = state
[1][3];
815 col
[2] = state
[2][3];
816 col
[3] = state
[3][3];
817 state
[0][3] = gf_mul
[col
[0]][0];
818 state
[0][3] ^= gf_mul
[col
[1]][1];
819 state
[0][3] ^= col
[2];
820 state
[0][3] ^= col
[3];
821 state
[1][3] = col
[0];
822 state
[1][3] ^= gf_mul
[col
[1]][0];
823 state
[1][3] ^= gf_mul
[col
[2]][1];
824 state
[1][3] ^= col
[3];
825 state
[2][3] = col
[0];
826 state
[2][3] ^= col
[1];
827 state
[2][3] ^= gf_mul
[col
[2]][0];
828 state
[2][3] ^= gf_mul
[col
[3]][1];
829 state
[3][3] = gf_mul
[col
[0]][1];
830 state
[3][3] ^= col
[1];
831 state
[3][3] ^= col
[2];
832 state
[3][3] ^= gf_mul
[col
[3]][0];
835 void InvMixColumns(BYTE state
[][4])
840 col
[0] = state
[0][0];
841 col
[1] = state
[1][0];
842 col
[2] = state
[2][0];
843 col
[3] = state
[3][0];
844 state
[0][0] = gf_mul
[col
[0]][5];
845 state
[0][0] ^= gf_mul
[col
[1]][3];
846 state
[0][0] ^= gf_mul
[col
[2]][4];
847 state
[0][0] ^= gf_mul
[col
[3]][2];
848 state
[1][0] = gf_mul
[col
[0]][2];
849 state
[1][0] ^= gf_mul
[col
[1]][5];
850 state
[1][0] ^= gf_mul
[col
[2]][3];
851 state
[1][0] ^= gf_mul
[col
[3]][4];
852 state
[2][0] = gf_mul
[col
[0]][4];
853 state
[2][0] ^= gf_mul
[col
[1]][2];
854 state
[2][0] ^= gf_mul
[col
[2]][5];
855 state
[2][0] ^= gf_mul
[col
[3]][3];
856 state
[3][0] = gf_mul
[col
[0]][3];
857 state
[3][0] ^= gf_mul
[col
[1]][4];
858 state
[3][0] ^= gf_mul
[col
[2]][2];
859 state
[3][0] ^= gf_mul
[col
[3]][5];
861 col
[0] = state
[0][1];
862 col
[1] = state
[1][1];
863 col
[2] = state
[2][1];
864 col
[3] = state
[3][1];
865 state
[0][1] = gf_mul
[col
[0]][5];
866 state
[0][1] ^= gf_mul
[col
[1]][3];
867 state
[0][1] ^= gf_mul
[col
[2]][4];
868 state
[0][1] ^= gf_mul
[col
[3]][2];
869 state
[1][1] = gf_mul
[col
[0]][2];
870 state
[1][1] ^= gf_mul
[col
[1]][5];
871 state
[1][1] ^= gf_mul
[col
[2]][3];
872 state
[1][1] ^= gf_mul
[col
[3]][4];
873 state
[2][1] = gf_mul
[col
[0]][4];
874 state
[2][1] ^= gf_mul
[col
[1]][2];
875 state
[2][1] ^= gf_mul
[col
[2]][5];
876 state
[2][1] ^= gf_mul
[col
[3]][3];
877 state
[3][1] = gf_mul
[col
[0]][3];
878 state
[3][1] ^= gf_mul
[col
[1]][4];
879 state
[3][1] ^= gf_mul
[col
[2]][2];
880 state
[3][1] ^= gf_mul
[col
[3]][5];
882 col
[0] = state
[0][2];
883 col
[1] = state
[1][2];
884 col
[2] = state
[2][2];
885 col
[3] = state
[3][2];
886 state
[0][2] = gf_mul
[col
[0]][5];
887 state
[0][2] ^= gf_mul
[col
[1]][3];
888 state
[0][2] ^= gf_mul
[col
[2]][4];
889 state
[0][2] ^= gf_mul
[col
[3]][2];
890 state
[1][2] = gf_mul
[col
[0]][2];
891 state
[1][2] ^= gf_mul
[col
[1]][5];
892 state
[1][2] ^= gf_mul
[col
[2]][3];
893 state
[1][2] ^= gf_mul
[col
[3]][4];
894 state
[2][2] = gf_mul
[col
[0]][4];
895 state
[2][2] ^= gf_mul
[col
[1]][2];
896 state
[2][2] ^= gf_mul
[col
[2]][5];
897 state
[2][2] ^= gf_mul
[col
[3]][3];
898 state
[3][2] = gf_mul
[col
[0]][3];
899 state
[3][2] ^= gf_mul
[col
[1]][4];
900 state
[3][2] ^= gf_mul
[col
[2]][2];
901 state
[3][2] ^= gf_mul
[col
[3]][5];
903 col
[0] = state
[0][3];
904 col
[1] = state
[1][3];
905 col
[2] = state
[2][3];
906 col
[3] = state
[3][3];
907 state
[0][3] = gf_mul
[col
[0]][5];
908 state
[0][3] ^= gf_mul
[col
[1]][3];
909 state
[0][3] ^= gf_mul
[col
[2]][4];
910 state
[0][3] ^= gf_mul
[col
[3]][2];
911 state
[1][3] = gf_mul
[col
[0]][2];
912 state
[1][3] ^= gf_mul
[col
[1]][5];
913 state
[1][3] ^= gf_mul
[col
[2]][3];
914 state
[1][3] ^= gf_mul
[col
[3]][4];
915 state
[2][3] = gf_mul
[col
[0]][4];
916 state
[2][3] ^= gf_mul
[col
[1]][2];
917 state
[2][3] ^= gf_mul
[col
[2]][5];
918 state
[2][3] ^= gf_mul
[col
[3]][3];
919 state
[3][3] = gf_mul
[col
[0]][3];
920 state
[3][3] ^= gf_mul
[col
[1]][4];
921 state
[3][3] ^= gf_mul
[col
[2]][2];
922 state
[3][3] ^= gf_mul
[col
[3]][5];
929 void aes_encrypt(const BYTE in
[], BYTE out
[], const WORD key
[], int keysize
)
933 // Copy input array (should be 16 bytes long) to a matrix (sequential bytes are ordered
934 // by row, not col) called "state" for processing.
935 // *** Implementation note: The official AES documentation references the state by
936 // column, then row. Accessing an element in C requires row then column. Thus, all state
937 // references in AES must have the column and row indexes reversed for C implementation.
948 state
[2][2] = in
[10];
949 state
[3][2] = in
[11];
950 state
[0][3] = in
[12];
951 state
[1][3] = in
[13];
952 state
[2][3] = in
[14];
953 state
[3][3] = in
[15];
955 // Perform the necessary number of rounds. The round key is added first.
956 // The last round does not perform the MixColumns step.
957 AddRoundKey(state
,&key
[0]);
958 SubBytes(state
); ShiftRows(state
); MixColumns(state
); AddRoundKey(state
,&key
[4]);
959 SubBytes(state
); ShiftRows(state
); MixColumns(state
); AddRoundKey(state
,&key
[8]);
960 SubBytes(state
); ShiftRows(state
); MixColumns(state
); AddRoundKey(state
,&key
[12]);
961 SubBytes(state
); ShiftRows(state
); MixColumns(state
); AddRoundKey(state
,&key
[16]);
962 SubBytes(state
); ShiftRows(state
); MixColumns(state
); AddRoundKey(state
,&key
[20]);
963 SubBytes(state
); ShiftRows(state
); MixColumns(state
); AddRoundKey(state
,&key
[24]);
964 SubBytes(state
); ShiftRows(state
); MixColumns(state
); AddRoundKey(state
,&key
[28]);
965 SubBytes(state
); ShiftRows(state
); MixColumns(state
); AddRoundKey(state
,&key
[32]);
966 SubBytes(state
); ShiftRows(state
); MixColumns(state
); AddRoundKey(state
,&key
[36]);
967 if (keysize
!= 128) {
968 SubBytes(state
); ShiftRows(state
); MixColumns(state
); AddRoundKey(state
,&key
[40]);
969 SubBytes(state
); ShiftRows(state
); MixColumns(state
); AddRoundKey(state
,&key
[44]);
970 if (keysize
!= 192) {
971 SubBytes(state
); ShiftRows(state
); MixColumns(state
); AddRoundKey(state
,&key
[48]);
972 SubBytes(state
); ShiftRows(state
); MixColumns(state
); AddRoundKey(state
,&key
[52]);
973 SubBytes(state
); ShiftRows(state
); AddRoundKey(state
,&key
[56]);
976 SubBytes(state
); ShiftRows(state
); AddRoundKey(state
,&key
[48]);
980 SubBytes(state
); ShiftRows(state
); AddRoundKey(state
,&key
[40]);
983 // Copy the state to the output array.
984 out
[0] = state
[0][0];
985 out
[1] = state
[1][0];
986 out
[2] = state
[2][0];
987 out
[3] = state
[3][0];
988 out
[4] = state
[0][1];
989 out
[5] = state
[1][1];
990 out
[6] = state
[2][1];
991 out
[7] = state
[3][1];
992 out
[8] = state
[0][2];
993 out
[9] = state
[1][2];
994 out
[10] = state
[2][2];
995 out
[11] = state
[3][2];
996 out
[12] = state
[0][3];
997 out
[13] = state
[1][3];
998 out
[14] = state
[2][3];
999 out
[15] = state
[3][3];
1002 void aes_decrypt(const BYTE in
[], BYTE out
[], const WORD key
[], int keysize
)
1006 // Copy the input to the state.
1007 state
[0][0] = in
[0];
1008 state
[1][0] = in
[1];
1009 state
[2][0] = in
[2];
1010 state
[3][0] = in
[3];
1011 state
[0][1] = in
[4];
1012 state
[1][1] = in
[5];
1013 state
[2][1] = in
[6];
1014 state
[3][1] = in
[7];
1015 state
[0][2] = in
[8];
1016 state
[1][2] = in
[9];
1017 state
[2][2] = in
[10];
1018 state
[3][2] = in
[11];
1019 state
[0][3] = in
[12];
1020 state
[1][3] = in
[13];
1021 state
[2][3] = in
[14];
1022 state
[3][3] = in
[15];
1024 // Perform the necessary number of rounds. The round key is added first.
1025 // The last round does not perform the MixColumns step.
1026 if (keysize
> 128) {
1027 if (keysize
> 192) {
1028 AddRoundKey(state
,&key
[56]);
1029 InvShiftRows(state
);InvSubBytes(state
);AddRoundKey(state
,&key
[52]);InvMixColumns(state
);
1030 InvShiftRows(state
);InvSubBytes(state
);AddRoundKey(state
,&key
[48]);InvMixColumns(state
);
1033 AddRoundKey(state
,&key
[48]);
1035 InvShiftRows(state
);InvSubBytes(state
);AddRoundKey(state
,&key
[44]);InvMixColumns(state
);
1036 InvShiftRows(state
);InvSubBytes(state
);AddRoundKey(state
,&key
[40]);InvMixColumns(state
);
1039 AddRoundKey(state
,&key
[40]);
1041 InvShiftRows(state
);InvSubBytes(state
);AddRoundKey(state
,&key
[36]);InvMixColumns(state
);
1042 InvShiftRows(state
);InvSubBytes(state
);AddRoundKey(state
,&key
[32]);InvMixColumns(state
);
1043 InvShiftRows(state
);InvSubBytes(state
);AddRoundKey(state
,&key
[28]);InvMixColumns(state
);
1044 InvShiftRows(state
);InvSubBytes(state
);AddRoundKey(state
,&key
[24]);InvMixColumns(state
);
1045 InvShiftRows(state
);InvSubBytes(state
);AddRoundKey(state
,&key
[20]);InvMixColumns(state
);
1046 InvShiftRows(state
);InvSubBytes(state
);AddRoundKey(state
,&key
[16]);InvMixColumns(state
);
1047 InvShiftRows(state
);InvSubBytes(state
);AddRoundKey(state
,&key
[12]);InvMixColumns(state
);
1048 InvShiftRows(state
);InvSubBytes(state
);AddRoundKey(state
,&key
[8]);InvMixColumns(state
);
1049 InvShiftRows(state
);InvSubBytes(state
);AddRoundKey(state
,&key
[4]);InvMixColumns(state
);
1050 InvShiftRows(state
);InvSubBytes(state
);AddRoundKey(state
,&key
[0]);
1052 // Copy the state to the output array.
1053 out
[0] = state
[0][0];
1054 out
[1] = state
[1][0];
1055 out
[2] = state
[2][0];
1056 out
[3] = state
[3][0];
1057 out
[4] = state
[0][1];
1058 out
[5] = state
[1][1];
1059 out
[6] = state
[2][1];
1060 out
[7] = state
[3][1];
1061 out
[8] = state
[0][2];
1062 out
[9] = state
[1][2];
1063 out
[10] = state
[2][2];
1064 out
[11] = state
[3][2];
1065 out
[12] = state
[0][3];
1066 out
[13] = state
[1][3];
1067 out
[14] = state
[2][3];
1068 out
[15] = state
[3][3];
1071 /*******************
1072 ** AES DEBUGGING FUNCTIONS
1073 *******************/
1075 // This prints the "state" grid as a linear hex string.
1076 void print_state(BYTE state[][4])
1080 for (idx=0; idx < 4; idx++)
1081 for (idx2=0; idx2 < 4; idx2++)
1082 printf("%02x",state[idx2][idx]);
1086 // This prints the key (4 consecutive ints) used for a given round as a linear hex string.
1087 void print_rnd_key(WORD key[])
1091 for (idx=0; idx < 4; idx++)
1092 printf("%08x",key[idx]);