/** \file aes.cpp

*

* \author Steven M. Gibson

*

* This file is part of libsqrl. It is released under the MIT license.

* For more details, see the LICENSE file included with this package.

**/

/******************************************************************************

*

* THIS SOURCE CODE IS HEREBY PLACED INTO THE PUBLIC DOMAIN FOR THE GOOD OF ALL

*

* This is a simple and straightforward implementation of the AES Rijndael

* 128-bit block cipher designed by Vincent Rijmen and Joan Daemen. The focus

* of this work was correctness & accuracy. It is written in 'C' without any

* particular focus upon optimization or speed. It should be endian (memory

* byte order) neutral since the few places that care are handled explicitly.

*

* This implementation of Rijndael was created by Steven M. Gibson of GRC.com.

*

* It is intended for general purpose use, but was written in support of GRC's

* reference implementation of the SQRL (Secure Quick Reliable Login) client.

*

* See: http://csrc.nist.gov/archive/aes/rijndael/wsdindex.html

*

* NO COPYRIGHT IS CLAIMED IN THIS WORK, HOWEVER, NEITHER IS ANY WARRANTY MADE

* REGARDING ITS FITNESS FOR ANY PARTICULAR PURPOSE. USE IT AT YOUR OWN RISK.

*

*******************************************************************************/

#include "aes.h"

namespace libsqrl

{

static int aes_tables_inited = 0; // run-once flag for performing key

// expasion table generation (see below)

/*

* The following static local tables must be filled-in before the first use of

* the GCM or AES ciphers. They are used for the AES key expansion/scheduling

* and once built are read-only and thread safe. The "gcm_initialize" function

* must be called once during system initialization to populate these arrays

* for subsequent use by the AES key scheduler. If they have not been built

* before attempted use, an ERR will be returned to the caller.

*

* NOTE: GCM Encryption/Decryption does NOT REQUIRE AES decryption. Since

* GCM uses AES in counter-mode, where the AES cipher output is XORed with

* the GCM input, we ONLY NEED AES encryption. Thus, to save space AES

* decryption is typically disabled by setting AES_DECRYPTION to 0 in aes.h.

*/

// We always need our forward tables

static uchar FSb[256]; // Forward substitution box (FSb)

static uint32_t FT0[256]; // Forward key schedule assembly tables

static uint32_t FT1[256];

static uint32_t FT2[256];

static uint32_t FT3[256];

#if AES_DECRYPTION // We ONLY need reverse for decryption

static uchar RSb[256]; // Reverse substitution box (RSb)

static uint32_t RT0[256]; // Reverse key schedule assembly tables

static uint32_t RT1[256];

static uint32_t RT2[256];

static uint32_t RT3[256];

#endif /* AES_DECRYPTION */

static uint32_t RCON[10]; // AES round constants

/*

* Platform Endianness Neutralizing Load and Store Macro definitions

* AES wants platform-neutral Little Endian (LE) byte ordering

*/

#define GET_UINT32_LE(n,b,i) { \

(n) = ( (uint32_t) (b)[(i) ] ) \

| ( (uint32_t) (b)[(i) + 1] << 8 ) \

| ( (uint32_t) (b)[(i) + 2] << 16 ) \

| ( (uint32_t) (b)[(i) + 3] << 24 ); }

#define PUT_UINT32_LE(n,b,i) { \

(b)[(i) ] = (uchar) ( (n) ); \

(b)[(i) + 1] = (uchar) ( (n) >> 8 ); \

(b)[(i) + 2] = (uchar) ( (n) >> 16 ); \

(b)[(i) + 3] = (uchar) ( (n) >> 24 ); }

/*

* AES forward and reverse encryption round processing macros

*/

#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \

{ \

X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \

FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \

FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \

FT3[ ( Y3 >> 24 ) & 0xFF ]; \

\

X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \

FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \

FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \

FT3[ ( Y0 >> 24 ) & 0xFF ]; \

\

X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \

FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \

FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \

FT3[ ( Y1 >> 24 ) & 0xFF ]; \

\

X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \

FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \

FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \

FT3[ ( Y2 >> 24 ) & 0xFF ]; \

}

#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \

{ \

X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \

RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \

RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \

RT3[ ( Y1 >> 24 ) & 0xFF ]; \

\

X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \

RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \

RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \

RT3[ ( Y2 >> 24 ) & 0xFF ]; \

\

X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \

RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \

RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \

RT3[ ( Y3 >> 24 ) & 0xFF ]; \

\

X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \

RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \

RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \

RT3[ ( Y0 >> 24 ) & 0xFF ]; \

}

/*

* These macros improve the readability of the key

* generation initialization code by collapsing

* repetitive common operations into logical pieces.

*/

#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )

#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )

#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )

#define MIX(x,y) { y = ( (y << 1) | (y >> 7) ) & 0xFF; x ^= y; }

#define CPY128 { *RK++ = *SK++; *RK++ = *SK++; \

*RK++ = *SK++; *RK++ = *SK++; }

/******************************************************************************

*

* AES_INIT_KEYGEN_TABLES

*

* Fills the AES key expansion tables allocated above with their static

* data. This is not "per key" data, but static system-wide read-only

* table data. THIS FUNCTION IS NOT THREAD SAFE. It must be called once

* at system initialization to setup the tables for all subsequent use.

*

******************************************************************************/

void aes_init_keygen_tables( void ) {

int i, x, y, z; // general purpose iteration and computation locals

int pow[256];

int log[256];

// fill the 'pow' and 'log' tables over GF(2^8)

for( i = 0, x = 1; i < 256; i++ ) {

pow[i] = x;

log[x] = i;

x = (x ^ XTIME( x )) & 0xFF;

}

// compute the round constants

for( i = 0, x = 1; i < 10; i++ ) {

RCON[i] = (uint32_t)x;

x = XTIME( x ) & 0xFF;

}

// fill the forward and reverse substitution boxes

FSb[0x00] = 0x63;

#if AES_DECRYPTION // whether AES decryption is supported

RSb[0x63] = 0x00;

#endif /* AES_DECRYPTION */

for( i = 1; i < 256; i++ ) {

x = y = pow[255 - log[i]];

MIX( x, y );

MIX( x, y );

MIX( x, y );

MIX( x, y );

FSb[i] = (uchar)(x ^= 0x63);

#if AES_DECRYPTION // whether AES decryption is supported

RSb[x] = (uchar)i;

#endif /* AES_DECRYPTION */

}

// generate the forward and reverse key expansion tables

for( i = 0; i < 256; i++ ) {

x = FSb[i];

y = XTIME( x ) & 0xFF;

z = (y ^ x) & 0xFF;

FT0[i] = ((uint32_t)y) ^ ((uint32_t)x << 8) ^

((uint32_t)x << 16) ^ ((uint32_t)z << 24);

FT1[i] = ROTL8( FT0[i] );

FT2[i] = ROTL8( FT1[i] );

FT3[i] = ROTL8( FT2[i] );

#if AES_DECRYPTION // whether AES decryption is supported

x = RSb[i];

RT0[i] = ((uint32_t)MUL( 0x0E, x )) ^

((uint32_t)MUL( 0x09, x ) << 8) ^

((uint32_t)MUL( 0x0D, x ) << 16) ^

((uint32_t)MUL( 0x0B, x ) << 24);

RT1[i] = ROTL8( RT0[i] );

RT2[i] = ROTL8( RT1[i] );

RT3[i] = ROTL8( RT2[i] );

#endif /* AES_DECRYPTION */

}

aes_tables_inited = 1; // flag that the tables have been generated

} // to permit subsequent use of the AES cipher

/******************************************************************************

*

* AES_SET_ENCRYPTION_KEY

*

* This is called by 'aes_setkey' when we're establishing a key for

* subsequent encryption. We give it a pointer to the encryption

* context, a pointer to the key, and the key's length in bytes.

* Valid lengths are: 16, 24 or 32 bytes (128, 192, 256 bits).

*

******************************************************************************/

int aes_set_encryption_key( aes_context *ctx,

const uchar *key,

uint keysize ) {

uint i; // general purpose iteration local

uint32_t *RK = ctx->rk; // initialize our RoundKey buffer pointer

for( i = 0; i < (keysize >> 2); i++ ) {

GET_UINT32_LE( RK[i], key, i << 2 );

}

switch( ctx->rounds ) {

case 10:

for( i = 0; i < 10; i++, RK += 4 ) {

RK[4] = RK[0] ^ RCON[i] ^

((uint32_t)FSb[(RK[3] >> 8) & 0xFF]) ^

((uint32_t)FSb[(RK[3] >> 16) & 0xFF] << 8) ^

((uint32_t)FSb[(RK[3] >> 24) & 0xFF] << 16) ^

((uint32_t)FSb[(RK[3]) & 0xFF] << 24);

RK[5] = RK[1] ^ RK[4];

RK[6] = RK[2] ^ RK[5];

RK[7] = RK[3] ^ RK[6];

}

break;

case 12:

for( i = 0; i < 8; i++, RK += 6 ) {

RK[6] = RK[0] ^ RCON[i] ^

((uint32_t)FSb[(RK[5] >> 8) & 0xFF]) ^

((uint32_t)FSb[(RK[5] >> 16) & 0xFF] << 8) ^

((uint32_t)FSb[(RK[5] >> 24) & 0xFF] << 16) ^

((uint32_t)FSb[(RK[5]) & 0xFF] << 24);

RK[7] = RK[1] ^ RK[6];

RK[8] = RK[2] ^ RK[7];

RK[9] = RK[3] ^ RK[8];

RK[10] = RK[4] ^ RK[9];

RK[11] = RK[5] ^ RK[10];

}

break;

case 14:

for( i = 0; i < 7; i++, RK += 8 ) {

RK[8] = RK[0] ^ RCON[i] ^

((uint32_t)FSb[(RK[7] >> 8) & 0xFF]) ^

((uint32_t)FSb[(RK[7] >> 16) & 0xFF] << 8) ^

((uint32_t)FSb[(RK[7] >> 24) & 0xFF] << 16) ^

((uint32_t)FSb[(RK[7]) & 0xFF] << 24);

RK[9] = RK[1] ^ RK[8];

RK[10] = RK[2] ^ RK[9];

RK[11] = RK[3] ^ RK[10];

RK[12] = RK[4] ^

((uint32_t)FSb[(RK[11]) & 0xFF]) ^

((uint32_t)FSb[(RK[11] >> 8) & 0xFF] << 8) ^

((uint32_t)FSb[(RK[11] >> 16) & 0xFF] << 16) ^

((uint32_t)FSb[(RK[11] >> 24) & 0xFF] << 24);

RK[13] = RK[5] ^ RK[12];

RK[14] = RK[6] ^ RK[13];

RK[15] = RK[7] ^ RK[14];

}

break;

}

return(0);

}

#if AES_DECRYPTION // whether AES decryption is supported

/******************************************************************************

*

* AES_SET_DECRYPTION_KEY

*

* This is called by 'aes_setkey' when we're establishing a

* key for subsequent decryption. We give it a pointer to

* the encryption context, a pointer to the key, and the key's

* length in bits. Valid lengths are: 128, 192, or 256 bits.

*

******************************************************************************/

int aes_set_decryption_key( aes_context *ctx,

const uchar *key,

uint keysize ) {

int i, j;

aes_context cty; // a calling aes context for set_encryption_key

uint32_t *RK = ctx->rk; // initialize our RoundKey buffer pointer

uint32_t *SK;

int ret;

cty.rounds = ctx->rounds; // initialize our local aes context

cty.rk = cty.buf; // round count and key buf pointer

if( (ret = aes_set_encryption_key( &cty, key, keysize )) != 0 )

return(ret);

SK = cty.rk + cty.rounds * 4;

CPY128 // copy a 128-bit block from *SK to *RK

for( i = ctx->rounds - 1, SK -= 8; i > 0; i--, SK -= 8 ) {

for( j = 0; j < 4; j++, SK++ ) {

*RK++ = RT0[FSb[(*SK) & 0xFF]] ^

RT1[FSb[(*SK >> 8) & 0xFF]] ^

RT2[FSb[(*SK >> 16) & 0xFF]] ^

RT3[FSb[(*SK >> 24) & 0xFF]];

}

}

CPY128 // copy a 128-bit block from *SK to *RK

memset( &cty, 0, sizeof( aes_context ) ); // clear local aes context

return(0);

}

#endif /* AES_DECRYPTION */

/******************************************************************************

*

* AES_SETKEY

*

* Invoked to establish the key schedule for subsequent encryption/decryption

*

******************************************************************************/

int aes_setkey( aes_context *ctx, // AES context provided by our caller

int mode, // ENCRYPT or DECRYPT flag

const uchar *key, // pointer to the key

uint keysize ) // key length in bytes

{

// since table initialization is not thread safe, we could either add

// system-specific mutexes and init the AES key generation tables on

// demand, or ask the developer to simply call "gcm_initialize" once during

// application startup before threading begins. That's what we choose.

if( !aes_tables_inited ) return (0); // fail the call when not inited.

ctx->mode = mode; // capture the key type we're creating

ctx->rk = ctx->buf; // initialize our round key pointer

switch( keysize ) // set the rounds count based upon the keysize

{

case 16: ctx->rounds = 10; break; // 16-byte, 128-bit key

case 24: ctx->rounds = 12; break; // 24-byte, 192-bit key

case 32: ctx->rounds = 14; break; // 32-byte, 256-bit key

}

#if AES_DECRYPTION

if( mode == DECRYPT ) // expand our key for encryption or decryption

return(aes_set_decryption_key( ctx, key, keysize ));

else /* ENCRYPT */

#endif /* AES_DECRYPTION */

return(aes_set_encryption_key( ctx, key, keysize ));

}

/******************************************************************************

*

* AES_CIPHER

*

* Perform AES encryption and decryption.

* The AES context will have been setup with the encryption mode

* and all keying information appropriate for the task.

*

******************************************************************************/

int aes_cipher( aes_context *ctx,

const uchar input[16],

uchar output[16] ) {

int i;

uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3; // general purpose locals

RK = ctx->rk;

GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++; // load our 128-bit

GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++; // input buffer in a storage

GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++; // memory endian-neutral way

GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;

#if AES_DECRYPTION // whether AES decryption is supported

if( ctx->mode == DECRYPT ) {

for( i = (ctx->rounds >> 1) - 1; i > 0; i-- ) {

AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );

AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );

}

AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );

X0 = *RK++ ^ \

((uint32_t)RSb[(Y0) & 0xFF]) ^

((uint32_t)RSb[(Y3 >> 8) & 0xFF] << 8) ^

((uint32_t)RSb[(Y2 >> 16) & 0xFF] << 16) ^

((uint32_t)RSb[(Y1 >> 24) & 0xFF] << 24);

X1 = *RK++ ^ \

((uint32_t)RSb[(Y1) & 0xFF]) ^

((uint32_t)RSb[(Y0 >> 8) & 0xFF] << 8) ^

((uint32_t)RSb[(Y3 >> 16) & 0xFF] << 16) ^

((uint32_t)RSb[(Y2 >> 24) & 0xFF] << 24);

X2 = *RK++ ^ \

((uint32_t)RSb[(Y2) & 0xFF]) ^

((uint32_t)RSb[(Y1 >> 8) & 0xFF] << 8) ^

((uint32_t)RSb[(Y0 >> 16) & 0xFF] << 16) ^

((uint32_t)RSb[(Y3 >> 24) & 0xFF] << 24);

X3 = *RK++ ^ \

((uint32_t)RSb[(Y3) & 0xFF]) ^

((uint32_t)RSb[(Y2 >> 8) & 0xFF] << 8) ^

((uint32_t)RSb[(Y1 >> 16) & 0xFF] << 16) ^

((uint32_t)RSb[(Y0 >> 24) & 0xFF] << 24);

} else /* ENCRYPT */

{

#endif /* AES_DECRYPTION */

for( i = (ctx->rounds >> 1) - 1; i > 0; i-- ) {

AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );

AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );

}

AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );

X0 = *RK++ ^ \

((uint32_t)FSb[(Y0) & 0xFF]) ^

((uint32_t)FSb[(Y1 >> 8) & 0xFF] << 8) ^

((uint32_t)FSb[(Y2 >> 16) & 0xFF] << 16) ^

((uint32_t)FSb[(Y3 >> 24) & 0xFF] << 24);

X1 = *RK++ ^ \

((uint32_t)FSb[(Y1) & 0xFF]) ^

((uint32_t)FSb[(Y2 >> 8) & 0xFF] << 8) ^

((uint32_t)FSb[(Y3 >> 16) & 0xFF] << 16) ^

((uint32_t)FSb[(Y0 >> 24) & 0xFF] << 24);

X2 = *RK++ ^ \

((uint32_t)FSb[(Y2) & 0xFF]) ^

((uint32_t)FSb[(Y3 >> 8) & 0xFF] << 8) ^

((uint32_t)FSb[(Y0 >> 16) & 0xFF] << 16) ^

((uint32_t)FSb[(Y1 >> 24) & 0xFF] << 24);

X3 = *RK++ ^ \

((uint32_t)FSb[(Y3) & 0xFF]) ^

((uint32_t)FSb[(Y0 >> 8) & 0xFF] << 8) ^

((uint32_t)FSb[(Y1 >> 16) & 0xFF] << 16) ^

((uint32_t)FSb[(Y2 >> 24) & 0xFF] << 24);

#if AES_DECRYPTION // whether AES decryption is supported

}

#endif /* AES_DECRYPTION */

PUT_UINT32_LE( X0, output, 0 );

PUT_UINT32_LE( X1, output, 4 );

PUT_UINT32_LE( X2, output, 8 );

PUT_UINT32_LE( X3, output, 12 );

return(0);

}

}

/* end of aes.c */