source: UsbWattMeter/trunk/wolfssl-3.7.0/wolfcrypt/src/aes.c@ 164

Last change on this file since 164 was 164, checked in by coas-nagasima, 6 years ago

TOPPERS/ECNLサンプルアプリ「USB充電器電力計」を追加

  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
  • Property svn:mime-type set to text/x-csrc
File size: 130.2 KB
Line 
1/* aes.c
2 *
3 * Copyright (C) 2006-2015 wolfSSL Inc.
4 *
5 * This file is part of wolfSSL. (formerly known as CyaSSL)
6 *
7 * wolfSSL is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * wolfSSL is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
20 */
21
22#ifdef HAVE_CONFIG_H
23 #include <config.h>
24#endif
25
26#include <wolfssl/wolfcrypt/settings.h>
27
28#ifndef NO_AES
29
30#include <wolfssl/wolfcrypt/aes.h>
31
32#ifdef HAVE_FIPS
33int wc_AesSetKey(Aes* aes, const byte* key, word32 len, const byte* iv,
34 int dir)
35{
36 return AesSetKey_fips(aes, key, len, iv, dir);
37}
38
39
40int wc_AesSetIV(Aes* aes, const byte* iv)
41{
42 return AesSetIV_fips(aes, iv);
43}
44
45
46int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
47{
48 return AesCbcEncrypt_fips(aes, out, in, sz);
49}
50
51
52int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
53{
54 return AesCbcDecrypt_fips(aes, out, in, sz);
55}
56
57
58/* AES-CTR */
59#ifdef WOLFSSL_AES_COUNTER
60void wc_AesCtrEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
61{
62 AesCtrEncrypt(aes, out, in, sz);
63}
64#endif
65
66/* AES-DIRECT */
67#if defined(WOLFSSL_AES_DIRECT)
68void wc_AesEncryptDirect(Aes* aes, byte* out, const byte* in)
69{
70 AesEncryptDirect(aes, out, in);
71}
72
73
74void wc_AesDecryptDirect(Aes* aes, byte* out, const byte* in)
75{
76 AesDecryptDirect(aes, out, in);
77}
78
79
80int wc_AesSetKeyDirect(Aes* aes, const byte* key, word32 len,
81 const byte* iv, int dir)
82{
83 return AesSetKeyDirect(aes, key, len, iv, dir);
84}
85#endif
86
87
88#ifdef HAVE_AESGCM
89int wc_AesGcmSetKey(Aes* aes, const byte* key, word32 len)
90{
91 return AesGcmSetKey_fips(aes, key, len);
92}
93
94
95int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
96 const byte* iv, word32 ivSz,
97 byte* authTag, word32 authTagSz,
98 const byte* authIn, word32 authInSz)
99{
100 return AesGcmEncrypt_fips(aes, out, in, sz, iv, ivSz, authTag, authTagSz,
101 authIn, authInSz);
102}
103
104
105int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
106 const byte* iv, word32 ivSz,
107 const byte* authTag, word32 authTagSz,
108 const byte* authIn, word32 authInSz)
109{
110 return AesGcmDecrypt_fips(aes, out, in, sz, iv, ivSz, authTag, authTagSz,
111 authIn, authInSz);
112}
113
114
115int wc_GmacSetKey(Gmac* gmac, const byte* key, word32 len)
116{
117 return GmacSetKey(gmac, key, len);
118}
119
120
121int wc_GmacUpdate(Gmac* gmac, const byte* iv, word32 ivSz,
122 const byte* authIn, word32 authInSz,
123 byte* authTag, word32 authTagSz)
124{
125 return GmacUpdate(gmac, iv, ivSz, authIn, authInSz,
126 authTag, authTagSz);
127}
128
129#endif /* HAVE_AESGCM */
130#ifdef HAVE_AESCCM
131void wc_AesCcmSetKey(Aes* aes, const byte* key, word32 keySz)
132{
133 AesCcmSetKey(aes, key, keySz);
134}
135
136
137int wc_AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
138 const byte* nonce, word32 nonceSz,
139 byte* authTag, word32 authTagSz,
140 const byte* authIn, word32 authInSz)
141{
142 /* sanity check on arugments */
143 if (aes == NULL || out == NULL || in == NULL || nonce == NULL
144 || authTag == NULL || nonceSz < 7 || nonceSz > 13)
145 return BAD_FUNC_ARG;
146
147 AesCcmEncrypt(aes, out, in, inSz, nonce, nonceSz, authTag, authTagSz,
148 authIn, authInSz);
149 return 0;
150}
151
152
153int wc_AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
154 const byte* nonce, word32 nonceSz,
155 const byte* authTag, word32 authTagSz,
156 const byte* authIn, word32 authInSz)
157{
158 return AesCcmDecrypt(aes, out, in, inSz, nonce, nonceSz, authTag, authTagSz,
159 authIn, authInSz);
160}
161#endif /* HAVE_AESCCM */
162
163#ifdef HAVE_CAVIUM
164int wc_AesInitCavium(Aes* aes, int i)
165{
166 return AesInitCavium(aes, i);
167}
168
169
170void wc_AesFreeCavium(Aes* aes)
171{
172 AesFreeCavium(aes);
173}
174#endif
175#else /* HAVE_FIPS */
176
177#ifdef WOLFSSL_TI_CRYPT
178#include <wolfcrypt/src/port/ti/ti-aes.c>
179#else
180
181#include <wolfssl/wolfcrypt/error-crypt.h>
182#include <wolfssl/wolfcrypt/logging.h>
183#ifdef NO_INLINE
184 #include <wolfssl/wolfcrypt/misc.h>
185#else
186 #include <wolfcrypt/src/misc.c>
187#endif
188#ifdef DEBUG_AESNI
189 #include <stdio.h>
190#endif
191
192
193#ifdef _MSC_VER
194 /* 4127 warning constant while(1) */
195 #pragma warning(disable: 4127)
196#endif
197
198
199#if defined(STM32F2_CRYPTO)
200 /* STM32F2 hardware AES support for CBC, CTR modes through the STM32F2
201 * Standard Peripheral Library. Documentation located in STM32F2xx
202 * Standard Peripheral Library document (See note in README).
203 * NOTE: no support for AES-GCM/CCM/Direct */
204 #include "stm32f2xx.h"
205 #include "stm32f2xx_cryp.h"
206#elif defined(HAVE_COLDFIRE_SEC)
207 /* Freescale Coldfire SEC support for CBC mode.
208 * NOTE: no support for AES-CTR/GCM/CCM/Direct */
209 #include <wolfssl/wolfcrypt/types.h>
210 #include "sec.h"
211 #include "mcf5475_sec.h"
212 #include "mcf5475_siu.h"
213#elif defined(FREESCALE_MMCAU)
214 /* Freescale mmCAU hardware AES support for Direct, CBC, CCM, GCM modes
215 * through the CAU/mmCAU library. Documentation located in
216 * ColdFire/ColdFire+ CAU and Kinetis mmCAU Software Library User
217 * Guide (See note in README).
218 * NOTE: no support for AES-CTR */
219 #include "cau_api.h"
220
221 static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
222 {
223 int ret = wolfSSL_CryptHwMutexLock();
224 if(ret == 0) {
225 cau_aes_encrypt(inBlock, (byte*)aes->key, aes->rounds, outBlock);
226 wolfSSL_CryptHwMutexUnLock();
227 }
228 return ret;
229 }
230 static int wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
231 {
232 int ret = wolfSSL_CryptHwMutexLock();
233 if(ret == 0) {
234 cau_aes_decrypt(inBlock, (byte*)aes->key, aes->rounds, outBlock);
235 wolfSSL_CryptHwMutexUnLock();
236 }
237 return ret;
238 }
239#elif defined(WOLFSSL_PIC32MZ_CRYPT)
240 /* NOTE: no support for AES-CCM/Direct */
241 #define DEBUG_WOLFSSL
242 #include "wolfssl/wolfcrypt/port/pic32/pic32mz-crypt.h"
243#elif defined(HAVE_CAVIUM)
244 #include <wolfssl/wolfcrypt/logging.h>
245 #include "cavium_common.h"
246
247 /* still leave SW crypto available */
248 #define NEED_AES_TABLES
249
250 static int wc_AesCaviumSetKey(Aes* aes, const byte* key, word32 length,
251 const byte* iv);
252 static int wc_AesCaviumCbcEncrypt(Aes* aes, byte* out, const byte* in,
253 word32 length);
254 static int wc_AesCaviumCbcDecrypt(Aes* aes, byte* out, const byte* in,
255 word32 length);
256#else
257 /* using CTaoCrypt software AES implementation */
258 #define NEED_AES_TABLES
259#endif /* STM32F2_CRYPTO */
260
261
262#ifdef NEED_AES_TABLES
263
264static const word32 rcon[] = {
265 0x01000000, 0x02000000, 0x04000000, 0x08000000,
266 0x10000000, 0x20000000, 0x40000000, 0x80000000,
267 0x1B000000, 0x36000000,
268 /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */
269};
270
271static const word32 Te[5][256] = {
272{
273 0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU,
274 0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U,
275 0x60303050U, 0x02010103U, 0xce6767a9U, 0x562b2b7dU,
276 0xe7fefe19U, 0xb5d7d762U, 0x4dababe6U, 0xec76769aU,
277 0x8fcaca45U, 0x1f82829dU, 0x89c9c940U, 0xfa7d7d87U,
278 0xeffafa15U, 0xb25959ebU, 0x8e4747c9U, 0xfbf0f00bU,
279 0x41adadecU, 0xb3d4d467U, 0x5fa2a2fdU, 0x45afafeaU,
280 0x239c9cbfU, 0x53a4a4f7U, 0xe4727296U, 0x9bc0c05bU,
281 0x75b7b7c2U, 0xe1fdfd1cU, 0x3d9393aeU, 0x4c26266aU,
282 0x6c36365aU, 0x7e3f3f41U, 0xf5f7f702U, 0x83cccc4fU,
283 0x6834345cU, 0x51a5a5f4U, 0xd1e5e534U, 0xf9f1f108U,
284 0xe2717193U, 0xabd8d873U, 0x62313153U, 0x2a15153fU,
285 0x0804040cU, 0x95c7c752U, 0x46232365U, 0x9dc3c35eU,
286 0x30181828U, 0x379696a1U, 0x0a05050fU, 0x2f9a9ab5U,
287 0x0e070709U, 0x24121236U, 0x1b80809bU, 0xdfe2e23dU,
288 0xcdebeb26U, 0x4e272769U, 0x7fb2b2cdU, 0xea75759fU,
289 0x1209091bU, 0x1d83839eU, 0x582c2c74U, 0x341a1a2eU,
290 0x361b1b2dU, 0xdc6e6eb2U, 0xb45a5aeeU, 0x5ba0a0fbU,
291 0xa45252f6U, 0x763b3b4dU, 0xb7d6d661U, 0x7db3b3ceU,
292 0x5229297bU, 0xdde3e33eU, 0x5e2f2f71U, 0x13848497U,
293 0xa65353f5U, 0xb9d1d168U, 0x00000000U, 0xc1eded2cU,
294 0x40202060U, 0xe3fcfc1fU, 0x79b1b1c8U, 0xb65b5bedU,
295 0xd46a6abeU, 0x8dcbcb46U, 0x67bebed9U, 0x7239394bU,
296 0x944a4adeU, 0x984c4cd4U, 0xb05858e8U, 0x85cfcf4aU,
297 0xbbd0d06bU, 0xc5efef2aU, 0x4faaaae5U, 0xedfbfb16U,
298 0x864343c5U, 0x9a4d4dd7U, 0x66333355U, 0x11858594U,
299 0x8a4545cfU, 0xe9f9f910U, 0x04020206U, 0xfe7f7f81U,
300 0xa05050f0U, 0x783c3c44U, 0x259f9fbaU, 0x4ba8a8e3U,
301 0xa25151f3U, 0x5da3a3feU, 0x804040c0U, 0x058f8f8aU,
302 0x3f9292adU, 0x219d9dbcU, 0x70383848U, 0xf1f5f504U,
303 0x63bcbcdfU, 0x77b6b6c1U, 0xafdada75U, 0x42212163U,
304 0x20101030U, 0xe5ffff1aU, 0xfdf3f30eU, 0xbfd2d26dU,
305 0x81cdcd4cU, 0x180c0c14U, 0x26131335U, 0xc3ecec2fU,
306 0xbe5f5fe1U, 0x359797a2U, 0x884444ccU, 0x2e171739U,
307 0x93c4c457U, 0x55a7a7f2U, 0xfc7e7e82U, 0x7a3d3d47U,
308 0xc86464acU, 0xba5d5de7U, 0x3219192bU, 0xe6737395U,
309 0xc06060a0U, 0x19818198U, 0x9e4f4fd1U, 0xa3dcdc7fU,
310 0x44222266U, 0x542a2a7eU, 0x3b9090abU, 0x0b888883U,
311 0x8c4646caU, 0xc7eeee29U, 0x6bb8b8d3U, 0x2814143cU,
312 0xa7dede79U, 0xbc5e5ee2U, 0x160b0b1dU, 0xaddbdb76U,
313 0xdbe0e03bU, 0x64323256U, 0x743a3a4eU, 0x140a0a1eU,
314 0x924949dbU, 0x0c06060aU, 0x4824246cU, 0xb85c5ce4U,
315 0x9fc2c25dU, 0xbdd3d36eU, 0x43acacefU, 0xc46262a6U,
316 0x399191a8U, 0x319595a4U, 0xd3e4e437U, 0xf279798bU,
317 0xd5e7e732U, 0x8bc8c843U, 0x6e373759U, 0xda6d6db7U,
318 0x018d8d8cU, 0xb1d5d564U, 0x9c4e4ed2U, 0x49a9a9e0U,
319 0xd86c6cb4U, 0xac5656faU, 0xf3f4f407U, 0xcfeaea25U,
320 0xca6565afU, 0xf47a7a8eU, 0x47aeaee9U, 0x10080818U,
321 0x6fbabad5U, 0xf0787888U, 0x4a25256fU, 0x5c2e2e72U,
322 0x381c1c24U, 0x57a6a6f1U, 0x73b4b4c7U, 0x97c6c651U,
323 0xcbe8e823U, 0xa1dddd7cU, 0xe874749cU, 0x3e1f1f21U,
324 0x964b4bddU, 0x61bdbddcU, 0x0d8b8b86U, 0x0f8a8a85U,
325 0xe0707090U, 0x7c3e3e42U, 0x71b5b5c4U, 0xcc6666aaU,
326 0x904848d8U, 0x06030305U, 0xf7f6f601U, 0x1c0e0e12U,
327 0xc26161a3U, 0x6a35355fU, 0xae5757f9U, 0x69b9b9d0U,
328 0x17868691U, 0x99c1c158U, 0x3a1d1d27U, 0x279e9eb9U,
329 0xd9e1e138U, 0xebf8f813U, 0x2b9898b3U, 0x22111133U,
330 0xd26969bbU, 0xa9d9d970U, 0x078e8e89U, 0x339494a7U,
331 0x2d9b9bb6U, 0x3c1e1e22U, 0x15878792U, 0xc9e9e920U,
332 0x87cece49U, 0xaa5555ffU, 0x50282878U, 0xa5dfdf7aU,
333 0x038c8c8fU, 0x59a1a1f8U, 0x09898980U, 0x1a0d0d17U,
334 0x65bfbfdaU, 0xd7e6e631U, 0x844242c6U, 0xd06868b8U,
335 0x824141c3U, 0x299999b0U, 0x5a2d2d77U, 0x1e0f0f11U,
336 0x7bb0b0cbU, 0xa85454fcU, 0x6dbbbbd6U, 0x2c16163aU,
337},
338{
339 0xa5c66363U, 0x84f87c7cU, 0x99ee7777U, 0x8df67b7bU,
340 0x0dfff2f2U, 0xbdd66b6bU, 0xb1de6f6fU, 0x5491c5c5U,
341 0x50603030U, 0x03020101U, 0xa9ce6767U, 0x7d562b2bU,
342 0x19e7fefeU, 0x62b5d7d7U, 0xe64dababU, 0x9aec7676U,
343 0x458fcacaU, 0x9d1f8282U, 0x4089c9c9U, 0x87fa7d7dU,
344 0x15effafaU, 0xebb25959U, 0xc98e4747U, 0x0bfbf0f0U,
345 0xec41adadU, 0x67b3d4d4U, 0xfd5fa2a2U, 0xea45afafU,
346 0xbf239c9cU, 0xf753a4a4U, 0x96e47272U, 0x5b9bc0c0U,
347 0xc275b7b7U, 0x1ce1fdfdU, 0xae3d9393U, 0x6a4c2626U,
348 0x5a6c3636U, 0x417e3f3fU, 0x02f5f7f7U, 0x4f83ccccU,
349 0x5c683434U, 0xf451a5a5U, 0x34d1e5e5U, 0x08f9f1f1U,
350 0x93e27171U, 0x73abd8d8U, 0x53623131U, 0x3f2a1515U,
351 0x0c080404U, 0x5295c7c7U, 0x65462323U, 0x5e9dc3c3U,
352 0x28301818U, 0xa1379696U, 0x0f0a0505U, 0xb52f9a9aU,
353 0x090e0707U, 0x36241212U, 0x9b1b8080U, 0x3ddfe2e2U,
354 0x26cdebebU, 0x694e2727U, 0xcd7fb2b2U, 0x9fea7575U,
355 0x1b120909U, 0x9e1d8383U, 0x74582c2cU, 0x2e341a1aU,
356 0x2d361b1bU, 0xb2dc6e6eU, 0xeeb45a5aU, 0xfb5ba0a0U,
357 0xf6a45252U, 0x4d763b3bU, 0x61b7d6d6U, 0xce7db3b3U,
358 0x7b522929U, 0x3edde3e3U, 0x715e2f2fU, 0x97138484U,
359 0xf5a65353U, 0x68b9d1d1U, 0x00000000U, 0x2cc1ededU,
360 0x60402020U, 0x1fe3fcfcU, 0xc879b1b1U, 0xedb65b5bU,
361 0xbed46a6aU, 0x468dcbcbU, 0xd967bebeU, 0x4b723939U,
362 0xde944a4aU, 0xd4984c4cU, 0xe8b05858U, 0x4a85cfcfU,
363 0x6bbbd0d0U, 0x2ac5efefU, 0xe54faaaaU, 0x16edfbfbU,
364 0xc5864343U, 0xd79a4d4dU, 0x55663333U, 0x94118585U,
365 0xcf8a4545U, 0x10e9f9f9U, 0x06040202U, 0x81fe7f7fU,
366 0xf0a05050U, 0x44783c3cU, 0xba259f9fU, 0xe34ba8a8U,
367 0xf3a25151U, 0xfe5da3a3U, 0xc0804040U, 0x8a058f8fU,
368 0xad3f9292U, 0xbc219d9dU, 0x48703838U, 0x04f1f5f5U,
369 0xdf63bcbcU, 0xc177b6b6U, 0x75afdadaU, 0x63422121U,
370 0x30201010U, 0x1ae5ffffU, 0x0efdf3f3U, 0x6dbfd2d2U,
371 0x4c81cdcdU, 0x14180c0cU, 0x35261313U, 0x2fc3ececU,
372 0xe1be5f5fU, 0xa2359797U, 0xcc884444U, 0x392e1717U,
373 0x5793c4c4U, 0xf255a7a7U, 0x82fc7e7eU, 0x477a3d3dU,
374 0xacc86464U, 0xe7ba5d5dU, 0x2b321919U, 0x95e67373U,
375 0xa0c06060U, 0x98198181U, 0xd19e4f4fU, 0x7fa3dcdcU,
376 0x66442222U, 0x7e542a2aU, 0xab3b9090U, 0x830b8888U,
377 0xca8c4646U, 0x29c7eeeeU, 0xd36bb8b8U, 0x3c281414U,
378 0x79a7dedeU, 0xe2bc5e5eU, 0x1d160b0bU, 0x76addbdbU,
379 0x3bdbe0e0U, 0x56643232U, 0x4e743a3aU, 0x1e140a0aU,
380 0xdb924949U, 0x0a0c0606U, 0x6c482424U, 0xe4b85c5cU,
381 0x5d9fc2c2U, 0x6ebdd3d3U, 0xef43acacU, 0xa6c46262U,
382 0xa8399191U, 0xa4319595U, 0x37d3e4e4U, 0x8bf27979U,
383 0x32d5e7e7U, 0x438bc8c8U, 0x596e3737U, 0xb7da6d6dU,
384 0x8c018d8dU, 0x64b1d5d5U, 0xd29c4e4eU, 0xe049a9a9U,
385 0xb4d86c6cU, 0xfaac5656U, 0x07f3f4f4U, 0x25cfeaeaU,
386 0xafca6565U, 0x8ef47a7aU, 0xe947aeaeU, 0x18100808U,
387 0xd56fbabaU, 0x88f07878U, 0x6f4a2525U, 0x725c2e2eU,
388 0x24381c1cU, 0xf157a6a6U, 0xc773b4b4U, 0x5197c6c6U,
389 0x23cbe8e8U, 0x7ca1ddddU, 0x9ce87474U, 0x213e1f1fU,
390 0xdd964b4bU, 0xdc61bdbdU, 0x860d8b8bU, 0x850f8a8aU,
391 0x90e07070U, 0x427c3e3eU, 0xc471b5b5U, 0xaacc6666U,
392 0xd8904848U, 0x05060303U, 0x01f7f6f6U, 0x121c0e0eU,
393 0xa3c26161U, 0x5f6a3535U, 0xf9ae5757U, 0xd069b9b9U,
394 0x91178686U, 0x5899c1c1U, 0x273a1d1dU, 0xb9279e9eU,
395 0x38d9e1e1U, 0x13ebf8f8U, 0xb32b9898U, 0x33221111U,
396 0xbbd26969U, 0x70a9d9d9U, 0x89078e8eU, 0xa7339494U,
397 0xb62d9b9bU, 0x223c1e1eU, 0x92158787U, 0x20c9e9e9U,
398 0x4987ceceU, 0xffaa5555U, 0x78502828U, 0x7aa5dfdfU,
399 0x8f038c8cU, 0xf859a1a1U, 0x80098989U, 0x171a0d0dU,
400 0xda65bfbfU, 0x31d7e6e6U, 0xc6844242U, 0xb8d06868U,
401 0xc3824141U, 0xb0299999U, 0x775a2d2dU, 0x111e0f0fU,
402 0xcb7bb0b0U, 0xfca85454U, 0xd66dbbbbU, 0x3a2c1616U,
403},
404{
405 0x63a5c663U, 0x7c84f87cU, 0x7799ee77U, 0x7b8df67bU,
406 0xf20dfff2U, 0x6bbdd66bU, 0x6fb1de6fU, 0xc55491c5U,
407 0x30506030U, 0x01030201U, 0x67a9ce67U, 0x2b7d562bU,
408 0xfe19e7feU, 0xd762b5d7U, 0xabe64dabU, 0x769aec76U,
409 0xca458fcaU, 0x829d1f82U, 0xc94089c9U, 0x7d87fa7dU,
410 0xfa15effaU, 0x59ebb259U, 0x47c98e47U, 0xf00bfbf0U,
411 0xadec41adU, 0xd467b3d4U, 0xa2fd5fa2U, 0xafea45afU,
412 0x9cbf239cU, 0xa4f753a4U, 0x7296e472U, 0xc05b9bc0U,
413 0xb7c275b7U, 0xfd1ce1fdU, 0x93ae3d93U, 0x266a4c26U,
414 0x365a6c36U, 0x3f417e3fU, 0xf702f5f7U, 0xcc4f83ccU,
415 0x345c6834U, 0xa5f451a5U, 0xe534d1e5U, 0xf108f9f1U,
416 0x7193e271U, 0xd873abd8U, 0x31536231U, 0x153f2a15U,
417 0x040c0804U, 0xc75295c7U, 0x23654623U, 0xc35e9dc3U,
418 0x18283018U, 0x96a13796U, 0x050f0a05U, 0x9ab52f9aU,
419 0x07090e07U, 0x12362412U, 0x809b1b80U, 0xe23ddfe2U,
420 0xeb26cdebU, 0x27694e27U, 0xb2cd7fb2U, 0x759fea75U,
421 0x091b1209U, 0x839e1d83U, 0x2c74582cU, 0x1a2e341aU,
422 0x1b2d361bU, 0x6eb2dc6eU, 0x5aeeb45aU, 0xa0fb5ba0U,
423 0x52f6a452U, 0x3b4d763bU, 0xd661b7d6U, 0xb3ce7db3U,
424 0x297b5229U, 0xe33edde3U, 0x2f715e2fU, 0x84971384U,
425 0x53f5a653U, 0xd168b9d1U, 0x00000000U, 0xed2cc1edU,
426 0x20604020U, 0xfc1fe3fcU, 0xb1c879b1U, 0x5bedb65bU,
427 0x6abed46aU, 0xcb468dcbU, 0xbed967beU, 0x394b7239U,
428 0x4ade944aU, 0x4cd4984cU, 0x58e8b058U, 0xcf4a85cfU,
429 0xd06bbbd0U, 0xef2ac5efU, 0xaae54faaU, 0xfb16edfbU,
430 0x43c58643U, 0x4dd79a4dU, 0x33556633U, 0x85941185U,
431 0x45cf8a45U, 0xf910e9f9U, 0x02060402U, 0x7f81fe7fU,
432 0x50f0a050U, 0x3c44783cU, 0x9fba259fU, 0xa8e34ba8U,
433 0x51f3a251U, 0xa3fe5da3U, 0x40c08040U, 0x8f8a058fU,
434 0x92ad3f92U, 0x9dbc219dU, 0x38487038U, 0xf504f1f5U,
435 0xbcdf63bcU, 0xb6c177b6U, 0xda75afdaU, 0x21634221U,
436 0x10302010U, 0xff1ae5ffU, 0xf30efdf3U, 0xd26dbfd2U,
437 0xcd4c81cdU, 0x0c14180cU, 0x13352613U, 0xec2fc3ecU,
438 0x5fe1be5fU, 0x97a23597U, 0x44cc8844U, 0x17392e17U,
439 0xc45793c4U, 0xa7f255a7U, 0x7e82fc7eU, 0x3d477a3dU,
440 0x64acc864U, 0x5de7ba5dU, 0x192b3219U, 0x7395e673U,
441 0x60a0c060U, 0x81981981U, 0x4fd19e4fU, 0xdc7fa3dcU,
442 0x22664422U, 0x2a7e542aU, 0x90ab3b90U, 0x88830b88U,
443 0x46ca8c46U, 0xee29c7eeU, 0xb8d36bb8U, 0x143c2814U,
444 0xde79a7deU, 0x5ee2bc5eU, 0x0b1d160bU, 0xdb76addbU,
445 0xe03bdbe0U, 0x32566432U, 0x3a4e743aU, 0x0a1e140aU,
446 0x49db9249U, 0x060a0c06U, 0x246c4824U, 0x5ce4b85cU,
447 0xc25d9fc2U, 0xd36ebdd3U, 0xacef43acU, 0x62a6c462U,
448 0x91a83991U, 0x95a43195U, 0xe437d3e4U, 0x798bf279U,
449 0xe732d5e7U, 0xc8438bc8U, 0x37596e37U, 0x6db7da6dU,
450 0x8d8c018dU, 0xd564b1d5U, 0x4ed29c4eU, 0xa9e049a9U,
451 0x6cb4d86cU, 0x56faac56U, 0xf407f3f4U, 0xea25cfeaU,
452 0x65afca65U, 0x7a8ef47aU, 0xaee947aeU, 0x08181008U,
453 0xbad56fbaU, 0x7888f078U, 0x256f4a25U, 0x2e725c2eU,
454 0x1c24381cU, 0xa6f157a6U, 0xb4c773b4U, 0xc65197c6U,
455 0xe823cbe8U, 0xdd7ca1ddU, 0x749ce874U, 0x1f213e1fU,
456 0x4bdd964bU, 0xbddc61bdU, 0x8b860d8bU, 0x8a850f8aU,
457 0x7090e070U, 0x3e427c3eU, 0xb5c471b5U, 0x66aacc66U,
458 0x48d89048U, 0x03050603U, 0xf601f7f6U, 0x0e121c0eU,
459 0x61a3c261U, 0x355f6a35U, 0x57f9ae57U, 0xb9d069b9U,
460 0x86911786U, 0xc15899c1U, 0x1d273a1dU, 0x9eb9279eU,
461 0xe138d9e1U, 0xf813ebf8U, 0x98b32b98U, 0x11332211U,
462 0x69bbd269U, 0xd970a9d9U, 0x8e89078eU, 0x94a73394U,
463 0x9bb62d9bU, 0x1e223c1eU, 0x87921587U, 0xe920c9e9U,
464 0xce4987ceU, 0x55ffaa55U, 0x28785028U, 0xdf7aa5dfU,
465 0x8c8f038cU, 0xa1f859a1U, 0x89800989U, 0x0d171a0dU,
466 0xbfda65bfU, 0xe631d7e6U, 0x42c68442U, 0x68b8d068U,
467 0x41c38241U, 0x99b02999U, 0x2d775a2dU, 0x0f111e0fU,
468 0xb0cb7bb0U, 0x54fca854U, 0xbbd66dbbU, 0x163a2c16U,
469},
470{
471 0x6363a5c6U, 0x7c7c84f8U, 0x777799eeU, 0x7b7b8df6U,
472 0xf2f20dffU, 0x6b6bbdd6U, 0x6f6fb1deU, 0xc5c55491U,
473 0x30305060U, 0x01010302U, 0x6767a9ceU, 0x2b2b7d56U,
474 0xfefe19e7U, 0xd7d762b5U, 0xababe64dU, 0x76769aecU,
475 0xcaca458fU, 0x82829d1fU, 0xc9c94089U, 0x7d7d87faU,
476 0xfafa15efU, 0x5959ebb2U, 0x4747c98eU, 0xf0f00bfbU,
477 0xadadec41U, 0xd4d467b3U, 0xa2a2fd5fU, 0xafafea45U,
478 0x9c9cbf23U, 0xa4a4f753U, 0x727296e4U, 0xc0c05b9bU,
479 0xb7b7c275U, 0xfdfd1ce1U, 0x9393ae3dU, 0x26266a4cU,
480 0x36365a6cU, 0x3f3f417eU, 0xf7f702f5U, 0xcccc4f83U,
481 0x34345c68U, 0xa5a5f451U, 0xe5e534d1U, 0xf1f108f9U,
482 0x717193e2U, 0xd8d873abU, 0x31315362U, 0x15153f2aU,
483 0x04040c08U, 0xc7c75295U, 0x23236546U, 0xc3c35e9dU,
484 0x18182830U, 0x9696a137U, 0x05050f0aU, 0x9a9ab52fU,
485 0x0707090eU, 0x12123624U, 0x80809b1bU, 0xe2e23ddfU,
486 0xebeb26cdU, 0x2727694eU, 0xb2b2cd7fU, 0x75759feaU,
487 0x09091b12U, 0x83839e1dU, 0x2c2c7458U, 0x1a1a2e34U,
488 0x1b1b2d36U, 0x6e6eb2dcU, 0x5a5aeeb4U, 0xa0a0fb5bU,
489 0x5252f6a4U, 0x3b3b4d76U, 0xd6d661b7U, 0xb3b3ce7dU,
490 0x29297b52U, 0xe3e33eddU, 0x2f2f715eU, 0x84849713U,
491 0x5353f5a6U, 0xd1d168b9U, 0x00000000U, 0xeded2cc1U,
492 0x20206040U, 0xfcfc1fe3U, 0xb1b1c879U, 0x5b5bedb6U,
493 0x6a6abed4U, 0xcbcb468dU, 0xbebed967U, 0x39394b72U,
494 0x4a4ade94U, 0x4c4cd498U, 0x5858e8b0U, 0xcfcf4a85U,
495 0xd0d06bbbU, 0xefef2ac5U, 0xaaaae54fU, 0xfbfb16edU,
496 0x4343c586U, 0x4d4dd79aU, 0x33335566U, 0x85859411U,
497 0x4545cf8aU, 0xf9f910e9U, 0x02020604U, 0x7f7f81feU,
498 0x5050f0a0U, 0x3c3c4478U, 0x9f9fba25U, 0xa8a8e34bU,
499 0x5151f3a2U, 0xa3a3fe5dU, 0x4040c080U, 0x8f8f8a05U,
500 0x9292ad3fU, 0x9d9dbc21U, 0x38384870U, 0xf5f504f1U,
501 0xbcbcdf63U, 0xb6b6c177U, 0xdada75afU, 0x21216342U,
502 0x10103020U, 0xffff1ae5U, 0xf3f30efdU, 0xd2d26dbfU,
503 0xcdcd4c81U, 0x0c0c1418U, 0x13133526U, 0xecec2fc3U,
504 0x5f5fe1beU, 0x9797a235U, 0x4444cc88U, 0x1717392eU,
505 0xc4c45793U, 0xa7a7f255U, 0x7e7e82fcU, 0x3d3d477aU,
506 0x6464acc8U, 0x5d5de7baU, 0x19192b32U, 0x737395e6U,
507 0x6060a0c0U, 0x81819819U, 0x4f4fd19eU, 0xdcdc7fa3U,
508 0x22226644U, 0x2a2a7e54U, 0x9090ab3bU, 0x8888830bU,
509 0x4646ca8cU, 0xeeee29c7U, 0xb8b8d36bU, 0x14143c28U,
510 0xdede79a7U, 0x5e5ee2bcU, 0x0b0b1d16U, 0xdbdb76adU,
511 0xe0e03bdbU, 0x32325664U, 0x3a3a4e74U, 0x0a0a1e14U,
512 0x4949db92U, 0x06060a0cU, 0x24246c48U, 0x5c5ce4b8U,
513 0xc2c25d9fU, 0xd3d36ebdU, 0xacacef43U, 0x6262a6c4U,
514 0x9191a839U, 0x9595a431U, 0xe4e437d3U, 0x79798bf2U,
515 0xe7e732d5U, 0xc8c8438bU, 0x3737596eU, 0x6d6db7daU,
516 0x8d8d8c01U, 0xd5d564b1U, 0x4e4ed29cU, 0xa9a9e049U,
517 0x6c6cb4d8U, 0x5656faacU, 0xf4f407f3U, 0xeaea25cfU,
518 0x6565afcaU, 0x7a7a8ef4U, 0xaeaee947U, 0x08081810U,
519 0xbabad56fU, 0x787888f0U, 0x25256f4aU, 0x2e2e725cU,
520 0x1c1c2438U, 0xa6a6f157U, 0xb4b4c773U, 0xc6c65197U,
521 0xe8e823cbU, 0xdddd7ca1U, 0x74749ce8U, 0x1f1f213eU,
522 0x4b4bdd96U, 0xbdbddc61U, 0x8b8b860dU, 0x8a8a850fU,
523 0x707090e0U, 0x3e3e427cU, 0xb5b5c471U, 0x6666aaccU,
524 0x4848d890U, 0x03030506U, 0xf6f601f7U, 0x0e0e121cU,
525 0x6161a3c2U, 0x35355f6aU, 0x5757f9aeU, 0xb9b9d069U,
526 0x86869117U, 0xc1c15899U, 0x1d1d273aU, 0x9e9eb927U,
527 0xe1e138d9U, 0xf8f813ebU, 0x9898b32bU, 0x11113322U,
528 0x6969bbd2U, 0xd9d970a9U, 0x8e8e8907U, 0x9494a733U,
529 0x9b9bb62dU, 0x1e1e223cU, 0x87879215U, 0xe9e920c9U,
530 0xcece4987U, 0x5555ffaaU, 0x28287850U, 0xdfdf7aa5U,
531 0x8c8c8f03U, 0xa1a1f859U, 0x89898009U, 0x0d0d171aU,
532 0xbfbfda65U, 0xe6e631d7U, 0x4242c684U, 0x6868b8d0U,
533 0x4141c382U, 0x9999b029U, 0x2d2d775aU, 0x0f0f111eU,
534 0xb0b0cb7bU, 0x5454fca8U, 0xbbbbd66dU, 0x16163a2cU,
535},
536{
537 0x63636363U, 0x7c7c7c7cU, 0x77777777U, 0x7b7b7b7bU,
538 0xf2f2f2f2U, 0x6b6b6b6bU, 0x6f6f6f6fU, 0xc5c5c5c5U,
539 0x30303030U, 0x01010101U, 0x67676767U, 0x2b2b2b2bU,
540 0xfefefefeU, 0xd7d7d7d7U, 0xababababU, 0x76767676U,
541 0xcacacacaU, 0x82828282U, 0xc9c9c9c9U, 0x7d7d7d7dU,
542 0xfafafafaU, 0x59595959U, 0x47474747U, 0xf0f0f0f0U,
543 0xadadadadU, 0xd4d4d4d4U, 0xa2a2a2a2U, 0xafafafafU,
544 0x9c9c9c9cU, 0xa4a4a4a4U, 0x72727272U, 0xc0c0c0c0U,
545 0xb7b7b7b7U, 0xfdfdfdfdU, 0x93939393U, 0x26262626U,
546 0x36363636U, 0x3f3f3f3fU, 0xf7f7f7f7U, 0xccccccccU,
547 0x34343434U, 0xa5a5a5a5U, 0xe5e5e5e5U, 0xf1f1f1f1U,
548 0x71717171U, 0xd8d8d8d8U, 0x31313131U, 0x15151515U,
549 0x04040404U, 0xc7c7c7c7U, 0x23232323U, 0xc3c3c3c3U,
550 0x18181818U, 0x96969696U, 0x05050505U, 0x9a9a9a9aU,
551 0x07070707U, 0x12121212U, 0x80808080U, 0xe2e2e2e2U,
552 0xebebebebU, 0x27272727U, 0xb2b2b2b2U, 0x75757575U,
553 0x09090909U, 0x83838383U, 0x2c2c2c2cU, 0x1a1a1a1aU,
554 0x1b1b1b1bU, 0x6e6e6e6eU, 0x5a5a5a5aU, 0xa0a0a0a0U,
555 0x52525252U, 0x3b3b3b3bU, 0xd6d6d6d6U, 0xb3b3b3b3U,
556 0x29292929U, 0xe3e3e3e3U, 0x2f2f2f2fU, 0x84848484U,
557 0x53535353U, 0xd1d1d1d1U, 0x00000000U, 0xededededU,
558 0x20202020U, 0xfcfcfcfcU, 0xb1b1b1b1U, 0x5b5b5b5bU,
559 0x6a6a6a6aU, 0xcbcbcbcbU, 0xbebebebeU, 0x39393939U,
560 0x4a4a4a4aU, 0x4c4c4c4cU, 0x58585858U, 0xcfcfcfcfU,
561 0xd0d0d0d0U, 0xefefefefU, 0xaaaaaaaaU, 0xfbfbfbfbU,
562 0x43434343U, 0x4d4d4d4dU, 0x33333333U, 0x85858585U,
563 0x45454545U, 0xf9f9f9f9U, 0x02020202U, 0x7f7f7f7fU,
564 0x50505050U, 0x3c3c3c3cU, 0x9f9f9f9fU, 0xa8a8a8a8U,
565 0x51515151U, 0xa3a3a3a3U, 0x40404040U, 0x8f8f8f8fU,
566 0x92929292U, 0x9d9d9d9dU, 0x38383838U, 0xf5f5f5f5U,
567 0xbcbcbcbcU, 0xb6b6b6b6U, 0xdadadadaU, 0x21212121U,
568 0x10101010U, 0xffffffffU, 0xf3f3f3f3U, 0xd2d2d2d2U,
569 0xcdcdcdcdU, 0x0c0c0c0cU, 0x13131313U, 0xececececU,
570 0x5f5f5f5fU, 0x97979797U, 0x44444444U, 0x17171717U,
571 0xc4c4c4c4U, 0xa7a7a7a7U, 0x7e7e7e7eU, 0x3d3d3d3dU,
572 0x64646464U, 0x5d5d5d5dU, 0x19191919U, 0x73737373U,
573 0x60606060U, 0x81818181U, 0x4f4f4f4fU, 0xdcdcdcdcU,
574 0x22222222U, 0x2a2a2a2aU, 0x90909090U, 0x88888888U,
575 0x46464646U, 0xeeeeeeeeU, 0xb8b8b8b8U, 0x14141414U,
576 0xdedededeU, 0x5e5e5e5eU, 0x0b0b0b0bU, 0xdbdbdbdbU,
577 0xe0e0e0e0U, 0x32323232U, 0x3a3a3a3aU, 0x0a0a0a0aU,
578 0x49494949U, 0x06060606U, 0x24242424U, 0x5c5c5c5cU,
579 0xc2c2c2c2U, 0xd3d3d3d3U, 0xacacacacU, 0x62626262U,
580 0x91919191U, 0x95959595U, 0xe4e4e4e4U, 0x79797979U,
581 0xe7e7e7e7U, 0xc8c8c8c8U, 0x37373737U, 0x6d6d6d6dU,
582 0x8d8d8d8dU, 0xd5d5d5d5U, 0x4e4e4e4eU, 0xa9a9a9a9U,
583 0x6c6c6c6cU, 0x56565656U, 0xf4f4f4f4U, 0xeaeaeaeaU,
584 0x65656565U, 0x7a7a7a7aU, 0xaeaeaeaeU, 0x08080808U,
585 0xbabababaU, 0x78787878U, 0x25252525U, 0x2e2e2e2eU,
586 0x1c1c1c1cU, 0xa6a6a6a6U, 0xb4b4b4b4U, 0xc6c6c6c6U,
587 0xe8e8e8e8U, 0xddddddddU, 0x74747474U, 0x1f1f1f1fU,
588 0x4b4b4b4bU, 0xbdbdbdbdU, 0x8b8b8b8bU, 0x8a8a8a8aU,
589 0x70707070U, 0x3e3e3e3eU, 0xb5b5b5b5U, 0x66666666U,
590 0x48484848U, 0x03030303U, 0xf6f6f6f6U, 0x0e0e0e0eU,
591 0x61616161U, 0x35353535U, 0x57575757U, 0xb9b9b9b9U,
592 0x86868686U, 0xc1c1c1c1U, 0x1d1d1d1dU, 0x9e9e9e9eU,
593 0xe1e1e1e1U, 0xf8f8f8f8U, 0x98989898U, 0x11111111U,
594 0x69696969U, 0xd9d9d9d9U, 0x8e8e8e8eU, 0x94949494U,
595 0x9b9b9b9bU, 0x1e1e1e1eU, 0x87878787U, 0xe9e9e9e9U,
596 0xcecececeU, 0x55555555U, 0x28282828U, 0xdfdfdfdfU,
597 0x8c8c8c8cU, 0xa1a1a1a1U, 0x89898989U, 0x0d0d0d0dU,
598 0xbfbfbfbfU, 0xe6e6e6e6U, 0x42424242U, 0x68686868U,
599 0x41414141U, 0x99999999U, 0x2d2d2d2dU, 0x0f0f0f0fU,
600 0xb0b0b0b0U, 0x54545454U, 0xbbbbbbbbU, 0x16161616U,
601}
602};
603
604static const word32 Td[5][256] = {
605{
606 0x51f4a750U, 0x7e416553U, 0x1a17a4c3U, 0x3a275e96U,
607 0x3bab6bcbU, 0x1f9d45f1U, 0xacfa58abU, 0x4be30393U,
608 0x2030fa55U, 0xad766df6U, 0x88cc7691U, 0xf5024c25U,
609 0x4fe5d7fcU, 0xc52acbd7U, 0x26354480U, 0xb562a38fU,
610 0xdeb15a49U, 0x25ba1b67U, 0x45ea0e98U, 0x5dfec0e1U,
611 0xc32f7502U, 0x814cf012U, 0x8d4697a3U, 0x6bd3f9c6U,
612 0x038f5fe7U, 0x15929c95U, 0xbf6d7aebU, 0x955259daU,
613 0xd4be832dU, 0x587421d3U, 0x49e06929U, 0x8ec9c844U,
614 0x75c2896aU, 0xf48e7978U, 0x99583e6bU, 0x27b971ddU,
615 0xbee14fb6U, 0xf088ad17U, 0xc920ac66U, 0x7dce3ab4U,
616 0x63df4a18U, 0xe51a3182U, 0x97513360U, 0x62537f45U,
617 0xb16477e0U, 0xbb6bae84U, 0xfe81a01cU, 0xf9082b94U,
618 0x70486858U, 0x8f45fd19U, 0x94de6c87U, 0x527bf8b7U,
619 0xab73d323U, 0x724b02e2U, 0xe31f8f57U, 0x6655ab2aU,
620 0xb2eb2807U, 0x2fb5c203U, 0x86c57b9aU, 0xd33708a5U,
621 0x302887f2U, 0x23bfa5b2U, 0x02036abaU, 0xed16825cU,
622 0x8acf1c2bU, 0xa779b492U, 0xf307f2f0U, 0x4e69e2a1U,
623 0x65daf4cdU, 0x0605bed5U, 0xd134621fU, 0xc4a6fe8aU,
624 0x342e539dU, 0xa2f355a0U, 0x058ae132U, 0xa4f6eb75U,
625 0x0b83ec39U, 0x4060efaaU, 0x5e719f06U, 0xbd6e1051U,
626 0x3e218af9U, 0x96dd063dU, 0xdd3e05aeU, 0x4de6bd46U,
627 0x91548db5U, 0x71c45d05U, 0x0406d46fU, 0x605015ffU,
628 0x1998fb24U, 0xd6bde997U, 0x894043ccU, 0x67d99e77U,
629 0xb0e842bdU, 0x07898b88U, 0xe7195b38U, 0x79c8eedbU,
630 0xa17c0a47U, 0x7c420fe9U, 0xf8841ec9U, 0x00000000U,
631 0x09808683U, 0x322bed48U, 0x1e1170acU, 0x6c5a724eU,
632 0xfd0efffbU, 0x0f853856U, 0x3daed51eU, 0x362d3927U,
633 0x0a0fd964U, 0x685ca621U, 0x9b5b54d1U, 0x24362e3aU,
634 0x0c0a67b1U, 0x9357e70fU, 0xb4ee96d2U, 0x1b9b919eU,
635 0x80c0c54fU, 0x61dc20a2U, 0x5a774b69U, 0x1c121a16U,
636 0xe293ba0aU, 0xc0a02ae5U, 0x3c22e043U, 0x121b171dU,
637 0x0e090d0bU, 0xf28bc7adU, 0x2db6a8b9U, 0x141ea9c8U,
638 0x57f11985U, 0xaf75074cU, 0xee99ddbbU, 0xa37f60fdU,
639 0xf701269fU, 0x5c72f5bcU, 0x44663bc5U, 0x5bfb7e34U,
640 0x8b432976U, 0xcb23c6dcU, 0xb6edfc68U, 0xb8e4f163U,
641 0xd731dccaU, 0x42638510U, 0x13972240U, 0x84c61120U,
642 0x854a247dU, 0xd2bb3df8U, 0xaef93211U, 0xc729a16dU,
643 0x1d9e2f4bU, 0xdcb230f3U, 0x0d8652ecU, 0x77c1e3d0U,
644 0x2bb3166cU, 0xa970b999U, 0x119448faU, 0x47e96422U,
645 0xa8fc8cc4U, 0xa0f03f1aU, 0x567d2cd8U, 0x223390efU,
646 0x87494ec7U, 0xd938d1c1U, 0x8ccaa2feU, 0x98d40b36U,
647 0xa6f581cfU, 0xa57ade28U, 0xdab78e26U, 0x3fadbfa4U,
648 0x2c3a9de4U, 0x5078920dU, 0x6a5fcc9bU, 0x547e4662U,
649 0xf68d13c2U, 0x90d8b8e8U, 0x2e39f75eU, 0x82c3aff5U,
650 0x9f5d80beU, 0x69d0937cU, 0x6fd52da9U, 0xcf2512b3U,
651 0xc8ac993bU, 0x10187da7U, 0xe89c636eU, 0xdb3bbb7bU,
652 0xcd267809U, 0x6e5918f4U, 0xec9ab701U, 0x834f9aa8U,
653 0xe6956e65U, 0xaaffe67eU, 0x21bccf08U, 0xef15e8e6U,
654 0xbae79bd9U, 0x4a6f36ceU, 0xea9f09d4U, 0x29b07cd6U,
655 0x31a4b2afU, 0x2a3f2331U, 0xc6a59430U, 0x35a266c0U,
656 0x744ebc37U, 0xfc82caa6U, 0xe090d0b0U, 0x33a7d815U,
657 0xf104984aU, 0x41ecdaf7U, 0x7fcd500eU, 0x1791f62fU,
658 0x764dd68dU, 0x43efb04dU, 0xccaa4d54U, 0xe49604dfU,
659 0x9ed1b5e3U, 0x4c6a881bU, 0xc12c1fb8U, 0x4665517fU,
660 0x9d5eea04U, 0x018c355dU, 0xfa877473U, 0xfb0b412eU,
661 0xb3671d5aU, 0x92dbd252U, 0xe9105633U, 0x6dd64713U,
662 0x9ad7618cU, 0x37a10c7aU, 0x59f8148eU, 0xeb133c89U,
663 0xcea927eeU, 0xb761c935U, 0xe11ce5edU, 0x7a47b13cU,
664 0x9cd2df59U, 0x55f2733fU, 0x1814ce79U, 0x73c737bfU,
665 0x53f7cdeaU, 0x5ffdaa5bU, 0xdf3d6f14U, 0x7844db86U,
666 0xcaaff381U, 0xb968c43eU, 0x3824342cU, 0xc2a3405fU,
667 0x161dc372U, 0xbce2250cU, 0x283c498bU, 0xff0d9541U,
668 0x39a80171U, 0x080cb3deU, 0xd8b4e49cU, 0x6456c190U,
669 0x7bcb8461U, 0xd532b670U, 0x486c5c74U, 0xd0b85742U,
670},
671{
672 0x5051f4a7U, 0x537e4165U, 0xc31a17a4U, 0x963a275eU,
673 0xcb3bab6bU, 0xf11f9d45U, 0xabacfa58U, 0x934be303U,
674 0x552030faU, 0xf6ad766dU, 0x9188cc76U, 0x25f5024cU,
675 0xfc4fe5d7U, 0xd7c52acbU, 0x80263544U, 0x8fb562a3U,
676 0x49deb15aU, 0x6725ba1bU, 0x9845ea0eU, 0xe15dfec0U,
677 0x02c32f75U, 0x12814cf0U, 0xa38d4697U, 0xc66bd3f9U,
678 0xe7038f5fU, 0x9515929cU, 0xebbf6d7aU, 0xda955259U,
679 0x2dd4be83U, 0xd3587421U, 0x2949e069U, 0x448ec9c8U,
680 0x6a75c289U, 0x78f48e79U, 0x6b99583eU, 0xdd27b971U,
681 0xb6bee14fU, 0x17f088adU, 0x66c920acU, 0xb47dce3aU,
682 0x1863df4aU, 0x82e51a31U, 0x60975133U, 0x4562537fU,
683 0xe0b16477U, 0x84bb6baeU, 0x1cfe81a0U, 0x94f9082bU,
684 0x58704868U, 0x198f45fdU, 0x8794de6cU, 0xb7527bf8U,
685 0x23ab73d3U, 0xe2724b02U, 0x57e31f8fU, 0x2a6655abU,
686 0x07b2eb28U, 0x032fb5c2U, 0x9a86c57bU, 0xa5d33708U,
687 0xf2302887U, 0xb223bfa5U, 0xba02036aU, 0x5ced1682U,
688 0x2b8acf1cU, 0x92a779b4U, 0xf0f307f2U, 0xa14e69e2U,
689 0xcd65daf4U, 0xd50605beU, 0x1fd13462U, 0x8ac4a6feU,
690 0x9d342e53U, 0xa0a2f355U, 0x32058ae1U, 0x75a4f6ebU,
691 0x390b83ecU, 0xaa4060efU, 0x065e719fU, 0x51bd6e10U,
692 0xf93e218aU, 0x3d96dd06U, 0xaedd3e05U, 0x464de6bdU,
693 0xb591548dU, 0x0571c45dU, 0x6f0406d4U, 0xff605015U,
694 0x241998fbU, 0x97d6bde9U, 0xcc894043U, 0x7767d99eU,
695 0xbdb0e842U, 0x8807898bU, 0x38e7195bU, 0xdb79c8eeU,
696 0x47a17c0aU, 0xe97c420fU, 0xc9f8841eU, 0x00000000U,
697 0x83098086U, 0x48322bedU, 0xac1e1170U, 0x4e6c5a72U,
698 0xfbfd0effU, 0x560f8538U, 0x1e3daed5U, 0x27362d39U,
699 0x640a0fd9U, 0x21685ca6U, 0xd19b5b54U, 0x3a24362eU,
700 0xb10c0a67U, 0x0f9357e7U, 0xd2b4ee96U, 0x9e1b9b91U,
701 0x4f80c0c5U, 0xa261dc20U, 0x695a774bU, 0x161c121aU,
702 0x0ae293baU, 0xe5c0a02aU, 0x433c22e0U, 0x1d121b17U,
703 0x0b0e090dU, 0xadf28bc7U, 0xb92db6a8U, 0xc8141ea9U,
704 0x8557f119U, 0x4caf7507U, 0xbbee99ddU, 0xfda37f60U,
705 0x9ff70126U, 0xbc5c72f5U, 0xc544663bU, 0x345bfb7eU,
706 0x768b4329U, 0xdccb23c6U, 0x68b6edfcU, 0x63b8e4f1U,
707 0xcad731dcU, 0x10426385U, 0x40139722U, 0x2084c611U,
708 0x7d854a24U, 0xf8d2bb3dU, 0x11aef932U, 0x6dc729a1U,
709 0x4b1d9e2fU, 0xf3dcb230U, 0xec0d8652U, 0xd077c1e3U,
710 0x6c2bb316U, 0x99a970b9U, 0xfa119448U, 0x2247e964U,
711 0xc4a8fc8cU, 0x1aa0f03fU, 0xd8567d2cU, 0xef223390U,
712 0xc787494eU, 0xc1d938d1U, 0xfe8ccaa2U, 0x3698d40bU,
713 0xcfa6f581U, 0x28a57adeU, 0x26dab78eU, 0xa43fadbfU,
714 0xe42c3a9dU, 0x0d507892U, 0x9b6a5fccU, 0x62547e46U,
715 0xc2f68d13U, 0xe890d8b8U, 0x5e2e39f7U, 0xf582c3afU,
716 0xbe9f5d80U, 0x7c69d093U, 0xa96fd52dU, 0xb3cf2512U,
717 0x3bc8ac99U, 0xa710187dU, 0x6ee89c63U, 0x7bdb3bbbU,
718 0x09cd2678U, 0xf46e5918U, 0x01ec9ab7U, 0xa8834f9aU,
719 0x65e6956eU, 0x7eaaffe6U, 0x0821bccfU, 0xe6ef15e8U,
720 0xd9bae79bU, 0xce4a6f36U, 0xd4ea9f09U, 0xd629b07cU,
721 0xaf31a4b2U, 0x312a3f23U, 0x30c6a594U, 0xc035a266U,
722 0x37744ebcU, 0xa6fc82caU, 0xb0e090d0U, 0x1533a7d8U,
723 0x4af10498U, 0xf741ecdaU, 0x0e7fcd50U, 0x2f1791f6U,
724 0x8d764dd6U, 0x4d43efb0U, 0x54ccaa4dU, 0xdfe49604U,
725 0xe39ed1b5U, 0x1b4c6a88U, 0xb8c12c1fU, 0x7f466551U,
726 0x049d5eeaU, 0x5d018c35U, 0x73fa8774U, 0x2efb0b41U,
727 0x5ab3671dU, 0x5292dbd2U, 0x33e91056U, 0x136dd647U,
728 0x8c9ad761U, 0x7a37a10cU, 0x8e59f814U, 0x89eb133cU,
729 0xeecea927U, 0x35b761c9U, 0xede11ce5U, 0x3c7a47b1U,
730 0x599cd2dfU, 0x3f55f273U, 0x791814ceU, 0xbf73c737U,
731 0xea53f7cdU, 0x5b5ffdaaU, 0x14df3d6fU, 0x867844dbU,
732 0x81caaff3U, 0x3eb968c4U, 0x2c382434U, 0x5fc2a340U,
733 0x72161dc3U, 0x0cbce225U, 0x8b283c49U, 0x41ff0d95U,
734 0x7139a801U, 0xde080cb3U, 0x9cd8b4e4U, 0x906456c1U,
735 0x617bcb84U, 0x70d532b6U, 0x74486c5cU, 0x42d0b857U,
736},
737{
738 0xa75051f4U, 0x65537e41U, 0xa4c31a17U, 0x5e963a27U,
739 0x6bcb3babU, 0x45f11f9dU, 0x58abacfaU, 0x03934be3U,
740 0xfa552030U, 0x6df6ad76U, 0x769188ccU, 0x4c25f502U,
741 0xd7fc4fe5U, 0xcbd7c52aU, 0x44802635U, 0xa38fb562U,
742 0x5a49deb1U, 0x1b6725baU, 0x0e9845eaU, 0xc0e15dfeU,
743 0x7502c32fU, 0xf012814cU, 0x97a38d46U, 0xf9c66bd3U,
744 0x5fe7038fU, 0x9c951592U, 0x7aebbf6dU, 0x59da9552U,
745 0x832dd4beU, 0x21d35874U, 0x692949e0U, 0xc8448ec9U,
746 0x896a75c2U, 0x7978f48eU, 0x3e6b9958U, 0x71dd27b9U,
747 0x4fb6bee1U, 0xad17f088U, 0xac66c920U, 0x3ab47dceU,
748 0x4a1863dfU, 0x3182e51aU, 0x33609751U, 0x7f456253U,
749 0x77e0b164U, 0xae84bb6bU, 0xa01cfe81U, 0x2b94f908U,
750 0x68587048U, 0xfd198f45U, 0x6c8794deU, 0xf8b7527bU,
751 0xd323ab73U, 0x02e2724bU, 0x8f57e31fU, 0xab2a6655U,
752 0x2807b2ebU, 0xc2032fb5U, 0x7b9a86c5U, 0x08a5d337U,
753 0x87f23028U, 0xa5b223bfU, 0x6aba0203U, 0x825ced16U,
754 0x1c2b8acfU, 0xb492a779U, 0xf2f0f307U, 0xe2a14e69U,
755 0xf4cd65daU, 0xbed50605U, 0x621fd134U, 0xfe8ac4a6U,
756 0x539d342eU, 0x55a0a2f3U, 0xe132058aU, 0xeb75a4f6U,
757 0xec390b83U, 0xefaa4060U, 0x9f065e71U, 0x1051bd6eU,
758
759 0x8af93e21U, 0x063d96ddU, 0x05aedd3eU, 0xbd464de6U,
760 0x8db59154U, 0x5d0571c4U, 0xd46f0406U, 0x15ff6050U,
761 0xfb241998U, 0xe997d6bdU, 0x43cc8940U, 0x9e7767d9U,
762 0x42bdb0e8U, 0x8b880789U, 0x5b38e719U, 0xeedb79c8U,
763 0x0a47a17cU, 0x0fe97c42U, 0x1ec9f884U, 0x00000000U,
764 0x86830980U, 0xed48322bU, 0x70ac1e11U, 0x724e6c5aU,
765 0xfffbfd0eU, 0x38560f85U, 0xd51e3daeU, 0x3927362dU,
766 0xd9640a0fU, 0xa621685cU, 0x54d19b5bU, 0x2e3a2436U,
767 0x67b10c0aU, 0xe70f9357U, 0x96d2b4eeU, 0x919e1b9bU,
768 0xc54f80c0U, 0x20a261dcU, 0x4b695a77U, 0x1a161c12U,
769 0xba0ae293U, 0x2ae5c0a0U, 0xe0433c22U, 0x171d121bU,
770 0x0d0b0e09U, 0xc7adf28bU, 0xa8b92db6U, 0xa9c8141eU,
771 0x198557f1U, 0x074caf75U, 0xddbbee99U, 0x60fda37fU,
772 0x269ff701U, 0xf5bc5c72U, 0x3bc54466U, 0x7e345bfbU,
773 0x29768b43U, 0xc6dccb23U, 0xfc68b6edU, 0xf163b8e4U,
774 0xdccad731U, 0x85104263U, 0x22401397U, 0x112084c6U,
775 0x247d854aU, 0x3df8d2bbU, 0x3211aef9U, 0xa16dc729U,
776 0x2f4b1d9eU, 0x30f3dcb2U, 0x52ec0d86U, 0xe3d077c1U,
777 0x166c2bb3U, 0xb999a970U, 0x48fa1194U, 0x642247e9U,
778 0x8cc4a8fcU, 0x3f1aa0f0U, 0x2cd8567dU, 0x90ef2233U,
779 0x4ec78749U, 0xd1c1d938U, 0xa2fe8ccaU, 0x0b3698d4U,
780 0x81cfa6f5U, 0xde28a57aU, 0x8e26dab7U, 0xbfa43fadU,
781 0x9de42c3aU, 0x920d5078U, 0xcc9b6a5fU, 0x4662547eU,
782 0x13c2f68dU, 0xb8e890d8U, 0xf75e2e39U, 0xaff582c3U,
783 0x80be9f5dU, 0x937c69d0U, 0x2da96fd5U, 0x12b3cf25U,
784 0x993bc8acU, 0x7da71018U, 0x636ee89cU, 0xbb7bdb3bU,
785 0x7809cd26U, 0x18f46e59U, 0xb701ec9aU, 0x9aa8834fU,
786 0x6e65e695U, 0xe67eaaffU, 0xcf0821bcU, 0xe8e6ef15U,
787 0x9bd9bae7U, 0x36ce4a6fU, 0x09d4ea9fU, 0x7cd629b0U,
788 0xb2af31a4U, 0x23312a3fU, 0x9430c6a5U, 0x66c035a2U,
789 0xbc37744eU, 0xcaa6fc82U, 0xd0b0e090U, 0xd81533a7U,
790 0x984af104U, 0xdaf741ecU, 0x500e7fcdU, 0xf62f1791U,
791 0xd68d764dU, 0xb04d43efU, 0x4d54ccaaU, 0x04dfe496U,
792 0xb5e39ed1U, 0x881b4c6aU, 0x1fb8c12cU, 0x517f4665U,
793 0xea049d5eU, 0x355d018cU, 0x7473fa87U, 0x412efb0bU,
794 0x1d5ab367U, 0xd25292dbU, 0x5633e910U, 0x47136dd6U,
795 0x618c9ad7U, 0x0c7a37a1U, 0x148e59f8U, 0x3c89eb13U,
796 0x27eecea9U, 0xc935b761U, 0xe5ede11cU, 0xb13c7a47U,
797 0xdf599cd2U, 0x733f55f2U, 0xce791814U, 0x37bf73c7U,
798 0xcdea53f7U, 0xaa5b5ffdU, 0x6f14df3dU, 0xdb867844U,
799 0xf381caafU, 0xc43eb968U, 0x342c3824U, 0x405fc2a3U,
800 0xc372161dU, 0x250cbce2U, 0x498b283cU, 0x9541ff0dU,
801 0x017139a8U, 0xb3de080cU, 0xe49cd8b4U, 0xc1906456U,
802 0x84617bcbU, 0xb670d532U, 0x5c74486cU, 0x5742d0b8U,
803},
804{
805 0xf4a75051U, 0x4165537eU, 0x17a4c31aU, 0x275e963aU,
806 0xab6bcb3bU, 0x9d45f11fU, 0xfa58abacU, 0xe303934bU,
807 0x30fa5520U, 0x766df6adU, 0xcc769188U, 0x024c25f5U,
808 0xe5d7fc4fU, 0x2acbd7c5U, 0x35448026U, 0x62a38fb5U,
809 0xb15a49deU, 0xba1b6725U, 0xea0e9845U, 0xfec0e15dU,
810 0x2f7502c3U, 0x4cf01281U, 0x4697a38dU, 0xd3f9c66bU,
811 0x8f5fe703U, 0x929c9515U, 0x6d7aebbfU, 0x5259da95U,
812 0xbe832dd4U, 0x7421d358U, 0xe0692949U, 0xc9c8448eU,
813 0xc2896a75U, 0x8e7978f4U, 0x583e6b99U, 0xb971dd27U,
814 0xe14fb6beU, 0x88ad17f0U, 0x20ac66c9U, 0xce3ab47dU,
815 0xdf4a1863U, 0x1a3182e5U, 0x51336097U, 0x537f4562U,
816 0x6477e0b1U, 0x6bae84bbU, 0x81a01cfeU, 0x082b94f9U,
817 0x48685870U, 0x45fd198fU, 0xde6c8794U, 0x7bf8b752U,
818 0x73d323abU, 0x4b02e272U, 0x1f8f57e3U, 0x55ab2a66U,
819 0xeb2807b2U, 0xb5c2032fU, 0xc57b9a86U, 0x3708a5d3U,
820 0x2887f230U, 0xbfa5b223U, 0x036aba02U, 0x16825cedU,
821 0xcf1c2b8aU, 0x79b492a7U, 0x07f2f0f3U, 0x69e2a14eU,
822 0xdaf4cd65U, 0x05bed506U, 0x34621fd1U, 0xa6fe8ac4U,
823 0x2e539d34U, 0xf355a0a2U, 0x8ae13205U, 0xf6eb75a4U,
824 0x83ec390bU, 0x60efaa40U, 0x719f065eU, 0x6e1051bdU,
825 0x218af93eU, 0xdd063d96U, 0x3e05aeddU, 0xe6bd464dU,
826 0x548db591U, 0xc45d0571U, 0x06d46f04U, 0x5015ff60U,
827 0x98fb2419U, 0xbde997d6U, 0x4043cc89U, 0xd99e7767U,
828 0xe842bdb0U, 0x898b8807U, 0x195b38e7U, 0xc8eedb79U,
829 0x7c0a47a1U, 0x420fe97cU, 0x841ec9f8U, 0x00000000U,
830 0x80868309U, 0x2bed4832U, 0x1170ac1eU, 0x5a724e6cU,
831 0x0efffbfdU, 0x8538560fU, 0xaed51e3dU, 0x2d392736U,
832 0x0fd9640aU, 0x5ca62168U, 0x5b54d19bU, 0x362e3a24U,
833 0x0a67b10cU, 0x57e70f93U, 0xee96d2b4U, 0x9b919e1bU,
834 0xc0c54f80U, 0xdc20a261U, 0x774b695aU, 0x121a161cU,
835 0x93ba0ae2U, 0xa02ae5c0U, 0x22e0433cU, 0x1b171d12U,
836 0x090d0b0eU, 0x8bc7adf2U, 0xb6a8b92dU, 0x1ea9c814U,
837 0xf1198557U, 0x75074cafU, 0x99ddbbeeU, 0x7f60fda3U,
838 0x01269ff7U, 0x72f5bc5cU, 0x663bc544U, 0xfb7e345bU,
839 0x4329768bU, 0x23c6dccbU, 0xedfc68b6U, 0xe4f163b8U,
840 0x31dccad7U, 0x63851042U, 0x97224013U, 0xc6112084U,
841 0x4a247d85U, 0xbb3df8d2U, 0xf93211aeU, 0x29a16dc7U,
842 0x9e2f4b1dU, 0xb230f3dcU, 0x8652ec0dU, 0xc1e3d077U,
843 0xb3166c2bU, 0x70b999a9U, 0x9448fa11U, 0xe9642247U,
844 0xfc8cc4a8U, 0xf03f1aa0U, 0x7d2cd856U, 0x3390ef22U,
845 0x494ec787U, 0x38d1c1d9U, 0xcaa2fe8cU, 0xd40b3698U,
846 0xf581cfa6U, 0x7ade28a5U, 0xb78e26daU, 0xadbfa43fU,
847 0x3a9de42cU, 0x78920d50U, 0x5fcc9b6aU, 0x7e466254U,
848 0x8d13c2f6U, 0xd8b8e890U, 0x39f75e2eU, 0xc3aff582U,
849 0x5d80be9fU, 0xd0937c69U, 0xd52da96fU, 0x2512b3cfU,
850 0xac993bc8U, 0x187da710U, 0x9c636ee8U, 0x3bbb7bdbU,
851 0x267809cdU, 0x5918f46eU, 0x9ab701ecU, 0x4f9aa883U,
852 0x956e65e6U, 0xffe67eaaU, 0xbccf0821U, 0x15e8e6efU,
853 0xe79bd9baU, 0x6f36ce4aU, 0x9f09d4eaU, 0xb07cd629U,
854 0xa4b2af31U, 0x3f23312aU, 0xa59430c6U, 0xa266c035U,
855 0x4ebc3774U, 0x82caa6fcU, 0x90d0b0e0U, 0xa7d81533U,
856 0x04984af1U, 0xecdaf741U, 0xcd500e7fU, 0x91f62f17U,
857 0x4dd68d76U, 0xefb04d43U, 0xaa4d54ccU, 0x9604dfe4U,
858 0xd1b5e39eU, 0x6a881b4cU, 0x2c1fb8c1U, 0x65517f46U,
859 0x5eea049dU, 0x8c355d01U, 0x877473faU, 0x0b412efbU,
860 0x671d5ab3U, 0xdbd25292U, 0x105633e9U, 0xd647136dU,
861 0xd7618c9aU, 0xa10c7a37U, 0xf8148e59U, 0x133c89ebU,
862 0xa927eeceU, 0x61c935b7U, 0x1ce5ede1U, 0x47b13c7aU,
863 0xd2df599cU, 0xf2733f55U, 0x14ce7918U, 0xc737bf73U,
864 0xf7cdea53U, 0xfdaa5b5fU, 0x3d6f14dfU, 0x44db8678U,
865 0xaff381caU, 0x68c43eb9U, 0x24342c38U, 0xa3405fc2U,
866 0x1dc37216U, 0xe2250cbcU, 0x3c498b28U, 0x0d9541ffU,
867 0xa8017139U, 0x0cb3de08U, 0xb4e49cd8U, 0x56c19064U,
868 0xcb84617bU, 0x32b670d5U, 0x6c5c7448U, 0xb85742d0U,
869},
870{
871 0x52525252U, 0x09090909U, 0x6a6a6a6aU, 0xd5d5d5d5U,
872 0x30303030U, 0x36363636U, 0xa5a5a5a5U, 0x38383838U,
873 0xbfbfbfbfU, 0x40404040U, 0xa3a3a3a3U, 0x9e9e9e9eU,
874 0x81818181U, 0xf3f3f3f3U, 0xd7d7d7d7U, 0xfbfbfbfbU,
875 0x7c7c7c7cU, 0xe3e3e3e3U, 0x39393939U, 0x82828282U,
876 0x9b9b9b9bU, 0x2f2f2f2fU, 0xffffffffU, 0x87878787U,
877 0x34343434U, 0x8e8e8e8eU, 0x43434343U, 0x44444444U,
878 0xc4c4c4c4U, 0xdedededeU, 0xe9e9e9e9U, 0xcbcbcbcbU,
879 0x54545454U, 0x7b7b7b7bU, 0x94949494U, 0x32323232U,
880 0xa6a6a6a6U, 0xc2c2c2c2U, 0x23232323U, 0x3d3d3d3dU,
881 0xeeeeeeeeU, 0x4c4c4c4cU, 0x95959595U, 0x0b0b0b0bU,
882 0x42424242U, 0xfafafafaU, 0xc3c3c3c3U, 0x4e4e4e4eU,
883 0x08080808U, 0x2e2e2e2eU, 0xa1a1a1a1U, 0x66666666U,
884 0x28282828U, 0xd9d9d9d9U, 0x24242424U, 0xb2b2b2b2U,
885 0x76767676U, 0x5b5b5b5bU, 0xa2a2a2a2U, 0x49494949U,
886 0x6d6d6d6dU, 0x8b8b8b8bU, 0xd1d1d1d1U, 0x25252525U,
887 0x72727272U, 0xf8f8f8f8U, 0xf6f6f6f6U, 0x64646464U,
888 0x86868686U, 0x68686868U, 0x98989898U, 0x16161616U,
889 0xd4d4d4d4U, 0xa4a4a4a4U, 0x5c5c5c5cU, 0xccccccccU,
890 0x5d5d5d5dU, 0x65656565U, 0xb6b6b6b6U, 0x92929292U,
891 0x6c6c6c6cU, 0x70707070U, 0x48484848U, 0x50505050U,
892 0xfdfdfdfdU, 0xededededU, 0xb9b9b9b9U, 0xdadadadaU,
893 0x5e5e5e5eU, 0x15151515U, 0x46464646U, 0x57575757U,
894 0xa7a7a7a7U, 0x8d8d8d8dU, 0x9d9d9d9dU, 0x84848484U,
895 0x90909090U, 0xd8d8d8d8U, 0xababababU, 0x00000000U,
896 0x8c8c8c8cU, 0xbcbcbcbcU, 0xd3d3d3d3U, 0x0a0a0a0aU,
897 0xf7f7f7f7U, 0xe4e4e4e4U, 0x58585858U, 0x05050505U,
898 0xb8b8b8b8U, 0xb3b3b3b3U, 0x45454545U, 0x06060606U,
899 0xd0d0d0d0U, 0x2c2c2c2cU, 0x1e1e1e1eU, 0x8f8f8f8fU,
900 0xcacacacaU, 0x3f3f3f3fU, 0x0f0f0f0fU, 0x02020202U,
901 0xc1c1c1c1U, 0xafafafafU, 0xbdbdbdbdU, 0x03030303U,
902 0x01010101U, 0x13131313U, 0x8a8a8a8aU, 0x6b6b6b6bU,
903 0x3a3a3a3aU, 0x91919191U, 0x11111111U, 0x41414141U,
904 0x4f4f4f4fU, 0x67676767U, 0xdcdcdcdcU, 0xeaeaeaeaU,
905 0x97979797U, 0xf2f2f2f2U, 0xcfcfcfcfU, 0xcecececeU,
906 0xf0f0f0f0U, 0xb4b4b4b4U, 0xe6e6e6e6U, 0x73737373U,
907 0x96969696U, 0xacacacacU, 0x74747474U, 0x22222222U,
908 0xe7e7e7e7U, 0xadadadadU, 0x35353535U, 0x85858585U,
909 0xe2e2e2e2U, 0xf9f9f9f9U, 0x37373737U, 0xe8e8e8e8U,
910 0x1c1c1c1cU, 0x75757575U, 0xdfdfdfdfU, 0x6e6e6e6eU,
911 0x47474747U, 0xf1f1f1f1U, 0x1a1a1a1aU, 0x71717171U,
912 0x1d1d1d1dU, 0x29292929U, 0xc5c5c5c5U, 0x89898989U,
913 0x6f6f6f6fU, 0xb7b7b7b7U, 0x62626262U, 0x0e0e0e0eU,
914 0xaaaaaaaaU, 0x18181818U, 0xbebebebeU, 0x1b1b1b1bU,
915 0xfcfcfcfcU, 0x56565656U, 0x3e3e3e3eU, 0x4b4b4b4bU,
916 0xc6c6c6c6U, 0xd2d2d2d2U, 0x79797979U, 0x20202020U,
917 0x9a9a9a9aU, 0xdbdbdbdbU, 0xc0c0c0c0U, 0xfefefefeU,
918 0x78787878U, 0xcdcdcdcdU, 0x5a5a5a5aU, 0xf4f4f4f4U,
919 0x1f1f1f1fU, 0xddddddddU, 0xa8a8a8a8U, 0x33333333U,
920 0x88888888U, 0x07070707U, 0xc7c7c7c7U, 0x31313131U,
921 0xb1b1b1b1U, 0x12121212U, 0x10101010U, 0x59595959U,
922 0x27272727U, 0x80808080U, 0xececececU, 0x5f5f5f5fU,
923 0x60606060U, 0x51515151U, 0x7f7f7f7fU, 0xa9a9a9a9U,
924 0x19191919U, 0xb5b5b5b5U, 0x4a4a4a4aU, 0x0d0d0d0dU,
925 0x2d2d2d2dU, 0xe5e5e5e5U, 0x7a7a7a7aU, 0x9f9f9f9fU,
926 0x93939393U, 0xc9c9c9c9U, 0x9c9c9c9cU, 0xefefefefU,
927 0xa0a0a0a0U, 0xe0e0e0e0U, 0x3b3b3b3bU, 0x4d4d4d4dU,
928 0xaeaeaeaeU, 0x2a2a2a2aU, 0xf5f5f5f5U, 0xb0b0b0b0U,
929 0xc8c8c8c8U, 0xebebebebU, 0xbbbbbbbbU, 0x3c3c3c3cU,
930 0x83838383U, 0x53535353U, 0x99999999U, 0x61616161U,
931 0x17171717U, 0x2b2b2b2bU, 0x04040404U, 0x7e7e7e7eU,
932 0xbabababaU, 0x77777777U, 0xd6d6d6d6U, 0x26262626U,
933 0xe1e1e1e1U, 0x69696969U, 0x14141414U, 0x63636363U,
934 0x55555555U, 0x21212121U, 0x0c0c0c0cU, 0x7d7d7d7dU,
935}
936};
937
938#define GETBYTE(x, y) (word32)((byte)((x) >> (8 * (y))))
939
940#ifdef WOLFSSL_AESNI
941
942/* Each platform needs to query info type 1 from cpuid to see if aesni is
943 * supported. Also, let's setup a macro for proper linkage w/o ABI conflicts
944 */
945
946#ifndef _MSC_VER
947
948 #define cpuid(reg, func)\
949 __asm__ __volatile__ ("cpuid":\
950 "=a" (reg[0]), "=b" (reg[1]), "=c" (reg[2]), "=d" (reg[3]) :\
951 "a" (func));
952
953 #define XASM_LINK(f) asm(f)
954#else
955
956 #include <intrin.h>
957 #define cpuid(a,b) __cpuid((int*)a,b)
958
959 #define XASM_LINK(f)
960
961#endif /* _MSC_VER */
962
963
964static int Check_CPU_support_AES(void)
965{
966 unsigned int reg[4]; /* put a,b,c,d into 0,1,2,3 */
967 cpuid(reg, 1); /* query info 1 */
968
969 if (reg[2] & 0x2000000)
970 return 1;
971
972 return 0;
973}
974
975static int checkAESNI = 0;
976static int haveAESNI = 0;
977
978
979/* tell C compiler these are asm functions in case any mix up of ABI underscore
980 prefix between clang/gcc/llvm etc */
981void AES_CBC_encrypt(const unsigned char* in, unsigned char* out,
982 unsigned char* ivec, unsigned long length,
983 const unsigned char* KS, int nr)
984 XASM_LINK("AES_CBC_encrypt");
985
986
987void AES_CBC_decrypt(const unsigned char* in, unsigned char* out,
988 unsigned char* ivec, unsigned long length,
989 const unsigned char* KS, int nr)
990 XASM_LINK("AES_CBC_decrypt");
991
992void AES_ECB_encrypt(const unsigned char* in, unsigned char* out,
993 unsigned long length, const unsigned char* KS, int nr)
994 XASM_LINK("AES_ECB_encrypt");
995
996
997void AES_ECB_decrypt(const unsigned char* in, unsigned char* out,
998 unsigned long length, const unsigned char* KS, int nr)
999 XASM_LINK("AES_ECB_decrypt");
1000
1001void AES_128_Key_Expansion(const unsigned char* userkey,
1002 unsigned char* key_schedule)
1003 XASM_LINK("AES_128_Key_Expansion");
1004
1005void AES_192_Key_Expansion(const unsigned char* userkey,
1006 unsigned char* key_schedule)
1007 XASM_LINK("AES_192_Key_Expansion");
1008
1009void AES_256_Key_Expansion(const unsigned char* userkey,
1010 unsigned char* key_schedule)
1011 XASM_LINK("AES_256_Key_Expansion");
1012
1013
1014static int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
1015 Aes* aes)
1016{
1017 if (!userKey || !aes)
1018 return BAD_FUNC_ARG;
1019
1020 if (bits == 128) {
1021 AES_128_Key_Expansion (userKey,(byte*)aes->key); aes->rounds = 10;
1022 return 0;
1023 }
1024 else if (bits == 192) {
1025 AES_192_Key_Expansion (userKey,(byte*)aes->key); aes->rounds = 12;
1026 return 0;
1027 }
1028 else if (bits == 256) {
1029 AES_256_Key_Expansion (userKey,(byte*)aes->key); aes->rounds = 14;
1030 return 0;
1031 }
1032 return BAD_FUNC_ARG;
1033}
1034
1035
1036static int AES_set_decrypt_key(const unsigned char* userKey, const int bits,
1037 Aes* aes)
1038{
1039 int nr;
1040 Aes temp_key;
1041 __m128i *Key_Schedule = (__m128i*)aes->key;
1042 __m128i *Temp_Key_Schedule = (__m128i*)temp_key.key;
1043
1044 if (!userKey || !aes)
1045 return BAD_FUNC_ARG;
1046
1047 if (AES_set_encrypt_key(userKey,bits,&temp_key) == BAD_FUNC_ARG)
1048 return BAD_FUNC_ARG;
1049
1050 nr = temp_key.rounds;
1051 aes->rounds = nr;
1052
1053 Key_Schedule[nr] = Temp_Key_Schedule[0];
1054 Key_Schedule[nr-1] = _mm_aesimc_si128(Temp_Key_Schedule[1]);
1055 Key_Schedule[nr-2] = _mm_aesimc_si128(Temp_Key_Schedule[2]);
1056 Key_Schedule[nr-3] = _mm_aesimc_si128(Temp_Key_Schedule[3]);
1057 Key_Schedule[nr-4] = _mm_aesimc_si128(Temp_Key_Schedule[4]);
1058 Key_Schedule[nr-5] = _mm_aesimc_si128(Temp_Key_Schedule[5]);
1059 Key_Schedule[nr-6] = _mm_aesimc_si128(Temp_Key_Schedule[6]);
1060 Key_Schedule[nr-7] = _mm_aesimc_si128(Temp_Key_Schedule[7]);
1061 Key_Schedule[nr-8] = _mm_aesimc_si128(Temp_Key_Schedule[8]);
1062 Key_Schedule[nr-9] = _mm_aesimc_si128(Temp_Key_Schedule[9]);
1063
1064 if(nr>10) {
1065 Key_Schedule[nr-10] = _mm_aesimc_si128(Temp_Key_Schedule[10]);
1066 Key_Schedule[nr-11] = _mm_aesimc_si128(Temp_Key_Schedule[11]);
1067 }
1068
1069 if(nr>12) {
1070 Key_Schedule[nr-12] = _mm_aesimc_si128(Temp_Key_Schedule[12]);
1071 Key_Schedule[nr-13] = _mm_aesimc_si128(Temp_Key_Schedule[13]);
1072 }
1073
1074 Key_Schedule[0] = Temp_Key_Schedule[nr];
1075
1076 return 0;
1077}
1078
1079
1080
1081#endif /* WOLFSSL_AESNI */
1082
1083
1084static void wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
1085{
1086 word32 s0, s1, s2, s3;
1087 word32 t0, t1, t2, t3;
1088 word32 r = aes->rounds >> 1;
1089
1090 const word32* rk = aes->key;
1091 if (r > 7 || r == 0) {
1092 WOLFSSL_MSG("AesEncrypt encountered improper key, set it up");
1093 return; /* stop instead of segfaulting, set up your keys! */
1094 }
1095#ifdef WOLFSSL_AESNI
1096 if (haveAESNI && aes->use_aesni) {
1097 #ifdef DEBUG_AESNI
1098 printf("about to aes encrypt\n");
1099 printf("in = %p\n", inBlock);
1100 printf("out = %p\n", outBlock);
1101 printf("aes->key = %p\n", aes->key);
1102 printf("aes->rounds = %d\n", aes->rounds);
1103 printf("sz = %d\n", AES_BLOCK_SIZE);
1104 #endif
1105
1106 /* check alignment, decrypt doesn't need alignment */
1107 if ((wolfssl_word)inBlock % 16) {
1108 #ifndef NO_WOLFSSL_ALLOC_ALIGN
1109 byte* tmp = (byte*)XMALLOC(AES_BLOCK_SIZE, NULL,
1110 DYNAMIC_TYPE_TMP_BUFFER);
1111 if (tmp == NULL) return;
1112
1113 XMEMCPY(tmp, inBlock, AES_BLOCK_SIZE);
1114 AES_ECB_encrypt(tmp, tmp, AES_BLOCK_SIZE, (byte*)aes->key,
1115 aes->rounds);
1116 XMEMCPY(outBlock, tmp, AES_BLOCK_SIZE);
1117 XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
1118 return;
1119 #else
1120 WOLFSSL_MSG("AES-ECB encrypt with bad alignment");
1121 return;
1122 #endif
1123 }
1124
1125 AES_ECB_encrypt(inBlock, outBlock, AES_BLOCK_SIZE, (byte*)aes->key,
1126 aes->rounds);
1127
1128 return;
1129 }
1130 else {
1131 #ifdef DEBUG_AESNI
1132 printf("Skipping AES-NI\n");
1133 #endif
1134 }
1135#endif
1136
1137 /*
1138 * map byte array block to cipher state
1139 * and add initial round key:
1140 */
1141 XMEMCPY(&s0, inBlock, sizeof(s0));
1142 XMEMCPY(&s1, inBlock + sizeof(s0), sizeof(s1));
1143 XMEMCPY(&s2, inBlock + 2 * sizeof(s0), sizeof(s2));
1144 XMEMCPY(&s3, inBlock + 3 * sizeof(s0), sizeof(s3));
1145
1146 #ifdef LITTLE_ENDIAN_ORDER
1147 s0 = ByteReverseWord32(s0);
1148 s1 = ByteReverseWord32(s1);
1149 s2 = ByteReverseWord32(s2);
1150 s3 = ByteReverseWord32(s3);
1151 #endif
1152
1153 s0 ^= rk[0];
1154 s1 ^= rk[1];
1155 s2 ^= rk[2];
1156 s3 ^= rk[3];
1157
1158 /*
1159 * Nr - 1 full rounds:
1160 */
1161
1162 for (;;) {
1163 t0 =
1164 Te[0][GETBYTE(s0, 3)] ^
1165 Te[1][GETBYTE(s1, 2)] ^
1166 Te[2][GETBYTE(s2, 1)] ^
1167 Te[3][GETBYTE(s3, 0)] ^
1168 rk[4];
1169 t1 =
1170 Te[0][GETBYTE(s1, 3)] ^
1171 Te[1][GETBYTE(s2, 2)] ^
1172 Te[2][GETBYTE(s3, 1)] ^
1173 Te[3][GETBYTE(s0, 0)] ^
1174 rk[5];
1175 t2 =
1176 Te[0][GETBYTE(s2, 3)] ^
1177 Te[1][GETBYTE(s3, 2)] ^
1178 Te[2][GETBYTE(s0, 1)] ^
1179 Te[3][GETBYTE(s1, 0)] ^
1180 rk[6];
1181 t3 =
1182 Te[0][GETBYTE(s3, 3)] ^
1183 Te[1][GETBYTE(s0, 2)] ^
1184 Te[2][GETBYTE(s1, 1)] ^
1185 Te[3][GETBYTE(s2, 0)] ^
1186 rk[7];
1187
1188 rk += 8;
1189 if (--r == 0) {
1190 break;
1191 }
1192
1193 s0 =
1194 Te[0][GETBYTE(t0, 3)] ^
1195 Te[1][GETBYTE(t1, 2)] ^
1196 Te[2][GETBYTE(t2, 1)] ^
1197 Te[3][GETBYTE(t3, 0)] ^
1198 rk[0];
1199 s1 =
1200 Te[0][GETBYTE(t1, 3)] ^
1201 Te[1][GETBYTE(t2, 2)] ^
1202 Te[2][GETBYTE(t3, 1)] ^
1203 Te[3][GETBYTE(t0, 0)] ^
1204 rk[1];
1205 s2 =
1206 Te[0][GETBYTE(t2, 3)] ^
1207 Te[1][GETBYTE(t3, 2)] ^
1208 Te[2][GETBYTE(t0, 1)] ^
1209 Te[3][GETBYTE(t1, 0)] ^
1210 rk[2];
1211 s3 =
1212 Te[0][GETBYTE(t3, 3)] ^
1213 Te[1][GETBYTE(t0, 2)] ^
1214 Te[2][GETBYTE(t1, 1)] ^
1215 Te[3][GETBYTE(t2, 0)] ^
1216 rk[3];
1217 }
1218
1219 /*
1220 * apply last round and
1221 * map cipher state to byte array block:
1222 */
1223
1224 s0 =
1225 (Te[4][GETBYTE(t0, 3)] & 0xff000000) ^
1226 (Te[4][GETBYTE(t1, 2)] & 0x00ff0000) ^
1227 (Te[4][GETBYTE(t2, 1)] & 0x0000ff00) ^
1228 (Te[4][GETBYTE(t3, 0)] & 0x000000ff) ^
1229 rk[0];
1230 s1 =
1231 (Te[4][GETBYTE(t1, 3)] & 0xff000000) ^
1232 (Te[4][GETBYTE(t2, 2)] & 0x00ff0000) ^
1233 (Te[4][GETBYTE(t3, 1)] & 0x0000ff00) ^
1234 (Te[4][GETBYTE(t0, 0)] & 0x000000ff) ^
1235 rk[1];
1236 s2 =
1237 (Te[4][GETBYTE(t2, 3)] & 0xff000000) ^
1238 (Te[4][GETBYTE(t3, 2)] & 0x00ff0000) ^
1239 (Te[4][GETBYTE(t0, 1)] & 0x0000ff00) ^
1240 (Te[4][GETBYTE(t1, 0)] & 0x000000ff) ^
1241 rk[2];
1242 s3 =
1243 (Te[4][GETBYTE(t3, 3)] & 0xff000000) ^
1244 (Te[4][GETBYTE(t0, 2)] & 0x00ff0000) ^
1245 (Te[4][GETBYTE(t1, 1)] & 0x0000ff00) ^
1246 (Te[4][GETBYTE(t2, 0)] & 0x000000ff) ^
1247 rk[3];
1248
1249 /* write out */
1250 #ifdef LITTLE_ENDIAN_ORDER
1251 s0 = ByteReverseWord32(s0);
1252 s1 = ByteReverseWord32(s1);
1253 s2 = ByteReverseWord32(s2);
1254 s3 = ByteReverseWord32(s3);
1255 #endif
1256
1257 XMEMCPY(outBlock, &s0, sizeof(s0));
1258 XMEMCPY(outBlock + sizeof(s0), &s1, sizeof(s1));
1259 XMEMCPY(outBlock + 2 * sizeof(s0), &s2, sizeof(s2));
1260 XMEMCPY(outBlock + 3 * sizeof(s0), &s3, sizeof(s3));
1261}
1262
1263static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
1264{
1265 word32 s0, s1, s2, s3;
1266 word32 t0, t1, t2, t3;
1267 word32 r = aes->rounds >> 1;
1268
1269 const word32* rk = aes->key;
1270 if (r > 7 || r == 0) {
1271 WOLFSSL_MSG("AesDecrypt encountered improper key, set it up");
1272 return; /* stop instead of segfaulting, set up your keys! */
1273 }
1274#ifdef WOLFSSL_AESNI
1275 if (haveAESNI && aes->use_aesni) {
1276 #ifdef DEBUG_AESNI
1277 printf("about to aes decrypt\n");
1278 printf("in = %p\n", inBlock);
1279 printf("out = %p\n", outBlock);
1280 printf("aes->key = %p\n", aes->key);
1281 printf("aes->rounds = %d\n", aes->rounds);
1282 printf("sz = %d\n", AES_BLOCK_SIZE);
1283 #endif
1284
1285 /* if input and output same will overwrite input iv */
1286 XMEMCPY(aes->tmp, inBlock, AES_BLOCK_SIZE);
1287 AES_ECB_decrypt(inBlock, outBlock, AES_BLOCK_SIZE, (byte*)aes->key,
1288 aes->rounds);
1289 return;
1290 }
1291 else {
1292 #ifdef DEBUG_AESNI
1293 printf("Skipping AES-NI\n");
1294 #endif
1295 }
1296#endif
1297
1298 /*
1299 * map byte array block to cipher state
1300 * and add initial round key:
1301 */
1302 XMEMCPY(&s0, inBlock, sizeof(s0));
1303 XMEMCPY(&s1, inBlock + sizeof(s0), sizeof(s1));
1304 XMEMCPY(&s2, inBlock + 2 * sizeof(s0), sizeof(s2));
1305 XMEMCPY(&s3, inBlock + 3 * sizeof(s0), sizeof(s3));
1306
1307 #ifdef LITTLE_ENDIAN_ORDER
1308 s0 = ByteReverseWord32(s0);
1309 s1 = ByteReverseWord32(s1);
1310 s2 = ByteReverseWord32(s2);
1311 s3 = ByteReverseWord32(s3);
1312 #endif
1313
1314 s0 ^= rk[0];
1315 s1 ^= rk[1];
1316 s2 ^= rk[2];
1317 s3 ^= rk[3];
1318
1319 /*
1320 * Nr - 1 full rounds:
1321 */
1322
1323 for (;;) {
1324 t0 =
1325 Td[0][GETBYTE(s0, 3)] ^
1326 Td[1][GETBYTE(s3, 2)] ^
1327 Td[2][GETBYTE(s2, 1)] ^
1328 Td[3][GETBYTE(s1, 0)] ^
1329 rk[4];
1330 t1 =
1331 Td[0][GETBYTE(s1, 3)] ^
1332 Td[1][GETBYTE(s0, 2)] ^
1333 Td[2][GETBYTE(s3, 1)] ^
1334 Td[3][GETBYTE(s2, 0)] ^
1335 rk[5];
1336 t2 =
1337 Td[0][GETBYTE(s2, 3)] ^
1338 Td[1][GETBYTE(s1, 2)] ^
1339 Td[2][GETBYTE(s0, 1)] ^
1340 Td[3][GETBYTE(s3, 0)] ^
1341 rk[6];
1342 t3 =
1343 Td[0][GETBYTE(s3, 3)] ^
1344 Td[1][GETBYTE(s2, 2)] ^
1345 Td[2][GETBYTE(s1, 1)] ^
1346 Td[3][GETBYTE(s0, 0)] ^
1347 rk[7];
1348
1349 rk += 8;
1350 if (--r == 0) {
1351 break;
1352 }
1353
1354 s0 =
1355 Td[0][GETBYTE(t0, 3)] ^
1356 Td[1][GETBYTE(t3, 2)] ^
1357 Td[2][GETBYTE(t2, 1)] ^
1358 Td[3][GETBYTE(t1, 0)] ^
1359 rk[0];
1360 s1 =
1361 Td[0][GETBYTE(t1, 3)] ^
1362 Td[1][GETBYTE(t0, 2)] ^
1363 Td[2][GETBYTE(t3, 1)] ^
1364 Td[3][GETBYTE(t2, 0)] ^
1365 rk[1];
1366 s2 =
1367 Td[0][GETBYTE(t2, 3)] ^
1368 Td[1][GETBYTE(t1, 2)] ^
1369 Td[2][GETBYTE(t0, 1)] ^
1370 Td[3][GETBYTE(t3, 0)] ^
1371 rk[2];
1372 s3 =
1373 Td[0][GETBYTE(t3, 3)] ^
1374 Td[1][GETBYTE(t2, 2)] ^
1375 Td[2][GETBYTE(t1, 1)] ^
1376 Td[3][GETBYTE(t0, 0)] ^
1377 rk[3];
1378 }
1379 /*
1380 * apply last round and
1381 * map cipher state to byte array block:
1382 */
1383 s0 =
1384 (Td[4][GETBYTE(t0, 3)] & 0xff000000) ^
1385 (Td[4][GETBYTE(t3, 2)] & 0x00ff0000) ^
1386 (Td[4][GETBYTE(t2, 1)] & 0x0000ff00) ^
1387 (Td[4][GETBYTE(t1, 0)] & 0x000000ff) ^
1388 rk[0];
1389 s1 =
1390 (Td[4][GETBYTE(t1, 3)] & 0xff000000) ^
1391 (Td[4][GETBYTE(t0, 2)] & 0x00ff0000) ^
1392 (Td[4][GETBYTE(t3, 1)] & 0x0000ff00) ^
1393 (Td[4][GETBYTE(t2, 0)] & 0x000000ff) ^
1394 rk[1];
1395 s2 =
1396 (Td[4][GETBYTE(t2, 3)] & 0xff000000) ^
1397 (Td[4][GETBYTE(t1, 2)] & 0x00ff0000) ^
1398 (Td[4][GETBYTE(t0, 1)] & 0x0000ff00) ^
1399 (Td[4][GETBYTE(t3, 0)] & 0x000000ff) ^
1400 rk[2];
1401 s3 =
1402 (Td[4][GETBYTE(t3, 3)] & 0xff000000) ^
1403 (Td[4][GETBYTE(t2, 2)] & 0x00ff0000) ^
1404 (Td[4][GETBYTE(t1, 1)] & 0x0000ff00) ^
1405 (Td[4][GETBYTE(t0, 0)] & 0x000000ff) ^
1406 rk[3];
1407
1408 /* write out */
1409 #ifdef LITTLE_ENDIAN_ORDER
1410 s0 = ByteReverseWord32(s0);
1411 s1 = ByteReverseWord32(s1);
1412 s2 = ByteReverseWord32(s2);
1413 s3 = ByteReverseWord32(s3);
1414 #endif
1415
1416 XMEMCPY(outBlock, &s0, sizeof(s0));
1417 XMEMCPY(outBlock + sizeof(s0), &s1, sizeof(s1));
1418 XMEMCPY(outBlock + 2 * sizeof(s0), &s2, sizeof(s2));
1419 XMEMCPY(outBlock + 3 * sizeof(s0), &s3, sizeof(s3));
1420}
1421
1422#endif /* NEED_AES_TABLES */
1423
1424
1425/* wc_AesSetKey */
1426#ifdef STM32F2_CRYPTO
1427 int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen, const byte* iv,
1428 int dir)
1429 {
1430 word32 *rk = aes->key;
1431
1432 if (!((keylen == 16) || (keylen == 24) || (keylen == 32)))
1433 return BAD_FUNC_ARG;
1434
1435 aes->rounds = keylen/4 + 6;
1436 XMEMCPY(rk, userKey, keylen);
1437 ByteReverseWords(rk, rk, keylen);
1438
1439 return wc_AesSetIV(aes, iv);
1440 }
1441
1442 int wc_AesSetKeyDirect(Aes* aes, const byte* userKey, word32 keylen,
1443 const byte* iv, int dir)
1444 {
1445 return wc_AesSetKey(aes, userKey, keylen, iv, dir);
1446 }
1447
1448#elif defined(HAVE_COLDFIRE_SEC)
1449 #if defined (HAVE_THREADX)
1450 #include "memory_pools.h"
1451 extern TX_BYTE_POOL mp_ncached; /* Non Cached memory pool */
1452 #endif
1453
1454 #define AES_BUFFER_SIZE (AES_BLOCK_SIZE * 64)
1455 static unsigned char *AESBuffIn = NULL;
1456 static unsigned char *AESBuffOut = NULL;
1457 static byte *secReg;
1458 static byte *secKey;
1459 static volatile SECdescriptorType *secDesc;
1460
1461 static wolfSSL_Mutex Mutex_AesSEC;
1462
1463 #define SEC_DESC_AES_CBC_ENCRYPT 0x60300010
1464 #define SEC_DESC_AES_CBC_DECRYPT 0x60200010
1465
1466 extern volatile unsigned char __MBAR[];
1467
1468 int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen, const byte* iv,
1469 int dir)
1470 {
1471 if (AESBuffIn == NULL) {
1472 #if defined (HAVE_THREADX)
1473 int s1, s2, s3, s4, s5 ;
1474 s5 = tx_byte_allocate(&mp_ncached,(void *)&secDesc,
1475 sizeof(SECdescriptorType), TX_NO_WAIT);
1476 s1 = tx_byte_allocate(&mp_ncached, (void *)&AESBuffIn,
1477 AES_BUFFER_SIZE, TX_NO_WAIT);
1478 s2 = tx_byte_allocate(&mp_ncached, (void *)&AESBuffOut,
1479 AES_BUFFER_SIZE, TX_NO_WAIT);
1480 s3 = tx_byte_allocate(&mp_ncached, (void *)&secKey,
1481 AES_BLOCK_SIZE*2, TX_NO_WAIT);
1482 s4 = tx_byte_allocate(&mp_ncached, (void *)&secReg,
1483 AES_BLOCK_SIZE, TX_NO_WAIT);
1484
1485 if(s1 || s2 || s3 || s4 || s5)
1486 return BAD_FUNC_ARG;
1487 #else
1488 #warning "Allocate non-Cache buffers"
1489 #endif
1490
1491 InitMutex(&Mutex_AesSEC);
1492 }
1493
1494 if (!((keylen == 16) || (keylen == 24) || (keylen == 32)))
1495 return BAD_FUNC_ARG;
1496
1497 if (aes == NULL)
1498 return BAD_FUNC_ARG;
1499
1500 aes->rounds = keylen/4 + 6;
1501 XMEMCPY(aes->key, userKey, keylen);
1502
1503 if (iv)
1504 XMEMCPY(aes->reg, iv, AES_BLOCK_SIZE);
1505
1506 return 0;
1507 }
1508#elif defined(FREESCALE_MMCAU)
1509 int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen, const byte* iv,
1510 int dir)
1511 {
1512 int ret;
1513 byte *rk = (byte*)aes->key;
1514
1515 if (!((keylen == 16) || (keylen == 24) || (keylen == 32)))
1516 return BAD_FUNC_ARG;
1517
1518 if (rk == NULL)
1519 return BAD_FUNC_ARG;
1520
1521 aes->rounds = keylen/4 + 6;
1522
1523 ret = wolfSSL_CryptHwMutexLock();
1524 if(ret == 0) {
1525 cau_aes_set_key(userKey, keylen*8, rk);
1526 wolfSSL_CryptHwMutexUnLock();
1527
1528 ret = wc_AesSetIV(aes, iv);
1529 }
1530
1531 return ret;
1532 }
1533
1534 int wc_AesSetKeyDirect(Aes* aes, const byte* userKey, word32 keylen,
1535 const byte* iv, int dir)
1536 {
1537 return wc_AesSetKey(aes, userKey, keylen, iv, dir);
1538 }
1539#else
1540 static int wc_AesSetKeyLocal(Aes* aes, const byte* userKey, word32 keylen,
1541 const byte* iv, int dir)
1542 {
1543 word32 temp, *rk = aes->key;
1544 unsigned int i = 0;
1545
1546 #ifdef WOLFSSL_AESNI
1547 aes->use_aesni = 0;
1548 #endif /* WOLFSSL_AESNI */
1549 #ifdef WOLFSSL_AES_COUNTER
1550 aes->left = 0;
1551 #endif /* WOLFSSL_AES_COUNTER */
1552
1553 aes->rounds = keylen/4 + 6;
1554
1555 XMEMCPY(rk, userKey, keylen);
1556 #ifdef LITTLE_ENDIAN_ORDER
1557 ByteReverseWords(rk, rk, keylen);
1558 #endif
1559
1560 #ifdef WOLFSSL_PIC32MZ_CRYPT
1561 {
1562 word32 *akey1 = aes->key_ce;
1563 word32 *areg = aes->iv_ce ;
1564 aes->keylen = keylen ;
1565 XMEMCPY(akey1, userKey, keylen);
1566 if (iv)
1567 XMEMCPY(areg, iv, AES_BLOCK_SIZE);
1568 else
1569 XMEMSET(areg, 0, AES_BLOCK_SIZE);
1570 }
1571 #endif
1572
1573 switch(keylen)
1574 {
1575 case 16:
1576 while (1)
1577 {
1578 temp = rk[3];
1579 rk[4] = rk[0] ^
1580 (Te[4][GETBYTE(temp, 2)] & 0xff000000) ^
1581 (Te[4][GETBYTE(temp, 1)] & 0x00ff0000) ^
1582 (Te[4][GETBYTE(temp, 0)] & 0x0000ff00) ^
1583 (Te[4][GETBYTE(temp, 3)] & 0x000000ff) ^
1584 rcon[i];
1585 rk[5] = rk[1] ^ rk[4];
1586 rk[6] = rk[2] ^ rk[5];
1587 rk[7] = rk[3] ^ rk[6];
1588 if (++i == 10)
1589 break;
1590 rk += 4;
1591 }
1592 break;
1593
1594 case 24:
1595 /* for (;;) here triggers a bug in VC60 SP4 w/ Pro Pack */
1596 while (1)
1597 {
1598 temp = rk[ 5];
1599 rk[ 6] = rk[ 0] ^
1600 (Te[4][GETBYTE(temp, 2)] & 0xff000000) ^
1601 (Te[4][GETBYTE(temp, 1)] & 0x00ff0000) ^
1602 (Te[4][GETBYTE(temp, 0)] & 0x0000ff00) ^
1603 (Te[4][GETBYTE(temp, 3)] & 0x000000ff) ^
1604 rcon[i];
1605 rk[ 7] = rk[ 1] ^ rk[ 6];
1606 rk[ 8] = rk[ 2] ^ rk[ 7];
1607 rk[ 9] = rk[ 3] ^ rk[ 8];
1608 if (++i == 8)
1609 break;
1610 rk[10] = rk[ 4] ^ rk[ 9];
1611 rk[11] = rk[ 5] ^ rk[10];
1612 rk += 6;
1613 }
1614 break;
1615
1616 case 32:
1617 while (1)
1618 {
1619 temp = rk[ 7];
1620 rk[ 8] = rk[ 0] ^
1621 (Te[4][GETBYTE(temp, 2)] & 0xff000000) ^
1622 (Te[4][GETBYTE(temp, 1)] & 0x00ff0000) ^
1623 (Te[4][GETBYTE(temp, 0)] & 0x0000ff00) ^
1624 (Te[4][GETBYTE(temp, 3)] & 0x000000ff) ^
1625 rcon[i];
1626 rk[ 9] = rk[ 1] ^ rk[ 8];
1627 rk[10] = rk[ 2] ^ rk[ 9];
1628 rk[11] = rk[ 3] ^ rk[10];
1629 if (++i == 7)
1630 break;
1631 temp = rk[11];
1632 rk[12] = rk[ 4] ^
1633 (Te[4][GETBYTE(temp, 3)] & 0xff000000) ^
1634 (Te[4][GETBYTE(temp, 2)] & 0x00ff0000) ^
1635 (Te[4][GETBYTE(temp, 1)] & 0x0000ff00) ^
1636 (Te[4][GETBYTE(temp, 0)] & 0x000000ff);
1637 rk[13] = rk[ 5] ^ rk[12];
1638 rk[14] = rk[ 6] ^ rk[13];
1639 rk[15] = rk[ 7] ^ rk[14];
1640
1641 rk += 8;
1642 }
1643 break;
1644
1645 default:
1646 return BAD_FUNC_ARG;
1647 }
1648
1649 if (dir == AES_DECRYPTION)
1650 {
1651 unsigned int j;
1652 rk = aes->key;
1653
1654 /* invert the order of the round keys: */
1655 for (i = 0, j = 4* aes->rounds; i < j; i += 4, j -= 4) {
1656 temp = rk[i ]; rk[i ] = rk[j ]; rk[j ] = temp;
1657 temp = rk[i + 1]; rk[i + 1] = rk[j + 1]; rk[j + 1] = temp;
1658 temp = rk[i + 2]; rk[i + 2] = rk[j + 2]; rk[j + 2] = temp;
1659 temp = rk[i + 3]; rk[i + 3] = rk[j + 3]; rk[j + 3] = temp;
1660 }
1661 /* apply the inverse MixColumn transform to all round keys but the
1662 first and the last: */
1663 for (i = 1; i < aes->rounds; i++) {
1664 rk += 4;
1665 rk[0] =
1666 Td[0][Te[4][GETBYTE(rk[0], 3)] & 0xff] ^
1667 Td[1][Te[4][GETBYTE(rk[0], 2)] & 0xff] ^
1668 Td[2][Te[4][GETBYTE(rk[0], 1)] & 0xff] ^
1669 Td[3][Te[4][GETBYTE(rk[0], 0)] & 0xff];
1670 rk[1] =
1671 Td[0][Te[4][GETBYTE(rk[1], 3)] & 0xff] ^
1672 Td[1][Te[4][GETBYTE(rk[1], 2)] & 0xff] ^
1673 Td[2][Te[4][GETBYTE(rk[1], 1)] & 0xff] ^
1674 Td[3][Te[4][GETBYTE(rk[1], 0)] & 0xff];
1675 rk[2] =
1676 Td[0][Te[4][GETBYTE(rk[2], 3)] & 0xff] ^
1677 Td[1][Te[4][GETBYTE(rk[2], 2)] & 0xff] ^
1678 Td[2][Te[4][GETBYTE(rk[2], 1)] & 0xff] ^
1679 Td[3][Te[4][GETBYTE(rk[2], 0)] & 0xff];
1680 rk[3] =
1681 Td[0][Te[4][GETBYTE(rk[3], 3)] & 0xff] ^
1682 Td[1][Te[4][GETBYTE(rk[3], 2)] & 0xff] ^
1683 Td[2][Te[4][GETBYTE(rk[3], 1)] & 0xff] ^
1684 Td[3][Te[4][GETBYTE(rk[3], 0)] & 0xff];
1685 }
1686 }
1687
1688 return wc_AesSetIV(aes, iv);
1689 }
1690
1691 int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen, const byte* iv,
1692 int dir)
1693 {
1694
1695 if (!((keylen == 16) || (keylen == 24) || (keylen == 32)))
1696 return BAD_FUNC_ARG;
1697
1698 #ifdef HAVE_CAVIUM
1699 if (aes->magic == WOLFSSL_AES_CAVIUM_MAGIC)
1700 return wc_AesCaviumSetKey(aes, userKey, keylen, iv);
1701 #endif
1702
1703 #ifdef WOLFSSL_AESNI
1704 if (checkAESNI == 0) {
1705 haveAESNI = Check_CPU_support_AES();
1706 checkAESNI = 1;
1707 }
1708 if (haveAESNI) {
1709 aes->use_aesni = 1;
1710 if (iv)
1711 XMEMCPY(aes->reg, iv, AES_BLOCK_SIZE);
1712 if (dir == AES_ENCRYPTION)
1713 return AES_set_encrypt_key(userKey, keylen * 8, aes);
1714 else
1715 return AES_set_decrypt_key(userKey, keylen * 8, aes);
1716 }
1717 #endif /* WOLFSSL_AESNI */
1718
1719 return wc_AesSetKeyLocal(aes, userKey, keylen, iv, dir);
1720 }
1721
1722 #if defined(WOLFSSL_AES_DIRECT) || defined(WOLFSSL_AES_COUNTER)
1723
1724 /* AES-CTR and AES-DIRECT need to use this for key setup, no aesni yet */
1725 int wc_AesSetKeyDirect(Aes* aes, const byte* userKey, word32 keylen,
1726 const byte* iv, int dir)
1727 {
1728 return wc_AesSetKeyLocal(aes, userKey, keylen, iv, dir);
1729 }
1730
1731 #endif /* WOLFSSL_AES_DIRECT || WOLFSSL_AES_COUNTER */
1732#endif /* STM32F2_CRYPTO, wc_AesSetKey block */
1733
1734
1735/* wc_AesSetIV is shared between software and hardware */
1736int wc_AesSetIV(Aes* aes, const byte* iv)
1737{
1738 if (aes == NULL)
1739 return BAD_FUNC_ARG;
1740
1741 if (iv)
1742 XMEMCPY(aes->reg, iv, AES_BLOCK_SIZE);
1743 else
1744 XMEMSET(aes->reg, 0, AES_BLOCK_SIZE);
1745
1746 return 0;
1747}
1748
1749
1750
1751
1752/* AES-DIRECT */
1753#if defined(WOLFSSL_AES_DIRECT)
1754 #if defined(STM32F2_CRYPTO)
1755 #error "STM32F2 crypto doesn't yet support AES direct"
1756
1757 #elif defined(HAVE_COLDFIRE_SEC)
1758 #error "Coldfire SEC doesn't yet support AES direct"
1759
1760 #elif defined(WOLFSSL_PIC32MZ_CRYPT)
1761 #error "PIC32MZ doesn't yet support AES direct"
1762
1763 #else
1764 /* Allow direct access to one block encrypt */
1765 void wc_AesEncryptDirect(Aes* aes, byte* out, const byte* in)
1766 {
1767 wc_AesEncrypt(aes, in, out);
1768 }
1769
1770 /* Allow direct access to one block decrypt */
1771 void wc_AesDecryptDirect(Aes* aes, byte* out, const byte* in)
1772 {
1773 wc_AesDecrypt(aes, in, out);
1774 }
1775
1776 #endif /* AES direct block */
1777#endif /* WOLFSSL_AES_DIRECT */
1778
1779
1780/* AES-CBC */
1781#ifdef STM32F2_CRYPTO
1782 int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
1783 {
1784 word32 *enc_key, *iv;
1785 CRYP_InitTypeDef AES_CRYP_InitStructure;
1786 CRYP_KeyInitTypeDef AES_CRYP_KeyInitStructure;
1787 CRYP_IVInitTypeDef AES_CRYP_IVInitStructure;
1788
1789 enc_key = aes->key;
1790 iv = aes->reg;
1791
1792 /* crypto structure initialization */
1793 CRYP_KeyStructInit(&AES_CRYP_KeyInitStructure);
1794 CRYP_StructInit(&AES_CRYP_InitStructure);
1795 CRYP_IVStructInit(&AES_CRYP_IVInitStructure);
1796
1797 /* reset registers to their default values */
1798 CRYP_DeInit();
1799
1800 /* load key into correct registers */
1801 switch(aes->rounds)
1802 {
1803 case 10: /* 128-bit key */
1804 AES_CRYP_InitStructure.CRYP_KeySize = CRYP_KeySize_128b;
1805 AES_CRYP_KeyInitStructure.CRYP_Key2Left = enc_key[0];
1806 AES_CRYP_KeyInitStructure.CRYP_Key2Right = enc_key[1];
1807 AES_CRYP_KeyInitStructure.CRYP_Key3Left = enc_key[2];
1808 AES_CRYP_KeyInitStructure.CRYP_Key3Right = enc_key[3];
1809 break;
1810
1811 case 12: /* 192-bit key */
1812 AES_CRYP_InitStructure.CRYP_KeySize = CRYP_KeySize_192b;
1813 AES_CRYP_KeyInitStructure.CRYP_Key1Left = enc_key[0];
1814 AES_CRYP_KeyInitStructure.CRYP_Key1Right = enc_key[1];
1815 AES_CRYP_KeyInitStructure.CRYP_Key2Left = enc_key[2];
1816 AES_CRYP_KeyInitStructure.CRYP_Key2Right = enc_key[3];
1817 AES_CRYP_KeyInitStructure.CRYP_Key3Left = enc_key[4];
1818 AES_CRYP_KeyInitStructure.CRYP_Key3Right = enc_key[5];
1819 break;
1820
1821 case 14: /* 256-bit key */
1822 AES_CRYP_InitStructure.CRYP_KeySize = CRYP_KeySize_256b;
1823 AES_CRYP_KeyInitStructure.CRYP_Key0Left = enc_key[0];
1824 AES_CRYP_KeyInitStructure.CRYP_Key0Right = enc_key[1];
1825 AES_CRYP_KeyInitStructure.CRYP_Key1Left = enc_key[2];
1826 AES_CRYP_KeyInitStructure.CRYP_Key1Right = enc_key[3];
1827 AES_CRYP_KeyInitStructure.CRYP_Key2Left = enc_key[4];
1828 AES_CRYP_KeyInitStructure.CRYP_Key2Right = enc_key[5];
1829 AES_CRYP_KeyInitStructure.CRYP_Key3Left = enc_key[6];
1830 AES_CRYP_KeyInitStructure.CRYP_Key3Right = enc_key[7];
1831 break;
1832
1833 default:
1834 break;
1835 }
1836 CRYP_KeyInit(&AES_CRYP_KeyInitStructure);
1837
1838 /* set iv */
1839 ByteReverseWords(iv, iv, AES_BLOCK_SIZE);
1840 AES_CRYP_IVInitStructure.CRYP_IV0Left = iv[0];
1841 AES_CRYP_IVInitStructure.CRYP_IV0Right = iv[1];
1842 AES_CRYP_IVInitStructure.CRYP_IV1Left = iv[2];
1843 AES_CRYP_IVInitStructure.CRYP_IV1Right = iv[3];
1844 CRYP_IVInit(&AES_CRYP_IVInitStructure);
1845
1846 /* set direction, mode, and datatype */
1847 AES_CRYP_InitStructure.CRYP_AlgoDir = CRYP_AlgoDir_Encrypt;
1848 AES_CRYP_InitStructure.CRYP_AlgoMode = CRYP_AlgoMode_AES_CBC;
1849 AES_CRYP_InitStructure.CRYP_DataType = CRYP_DataType_8b;
1850 CRYP_Init(&AES_CRYP_InitStructure);
1851
1852 /* enable crypto processor */
1853 CRYP_Cmd(ENABLE);
1854
1855 while (sz > 0)
1856 {
1857 /* flush IN/OUT FIFOs */
1858 CRYP_FIFOFlush();
1859
1860 CRYP_DataIn(*(uint32_t*)&in[0]);
1861 CRYP_DataIn(*(uint32_t*)&in[4]);
1862 CRYP_DataIn(*(uint32_t*)&in[8]);
1863 CRYP_DataIn(*(uint32_t*)&in[12]);
1864
1865 /* wait until the complete message has been processed */
1866 while(CRYP_GetFlagStatus(CRYP_FLAG_BUSY) != RESET) {}
1867
1868 *(uint32_t*)&out[0] = CRYP_DataOut();
1869 *(uint32_t*)&out[4] = CRYP_DataOut();
1870 *(uint32_t*)&out[8] = CRYP_DataOut();
1871 *(uint32_t*)&out[12] = CRYP_DataOut();
1872
1873 /* store iv for next call */
1874 XMEMCPY(aes->reg, out + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
1875
1876 sz -= 16;
1877 in += 16;
1878 out += 16;
1879 }
1880
1881 /* disable crypto processor */
1882 CRYP_Cmd(DISABLE);
1883
1884 return 0;
1885 }
1886
1887 int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
1888 {
1889 word32 *dec_key, *iv;
1890 CRYP_InitTypeDef AES_CRYP_InitStructure;
1891 CRYP_KeyInitTypeDef AES_CRYP_KeyInitStructure;
1892 CRYP_IVInitTypeDef AES_CRYP_IVInitStructure;
1893
1894 dec_key = aes->key;
1895 iv = aes->reg;
1896
1897 /* crypto structure initialization */
1898 CRYP_KeyStructInit(&AES_CRYP_KeyInitStructure);
1899 CRYP_StructInit(&AES_CRYP_InitStructure);
1900 CRYP_IVStructInit(&AES_CRYP_IVInitStructure);
1901
1902 /* if input and output same will overwrite input iv */
1903 XMEMCPY(aes->tmp, in + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
1904
1905 /* reset registers to their default values */
1906 CRYP_DeInit();
1907
1908 /* load key into correct registers */
1909 switch(aes->rounds)
1910 {
1911 case 10: /* 128-bit key */
1912 AES_CRYP_InitStructure.CRYP_KeySize = CRYP_KeySize_128b;
1913 AES_CRYP_KeyInitStructure.CRYP_Key2Left = dec_key[0];
1914 AES_CRYP_KeyInitStructure.CRYP_Key2Right = dec_key[1];
1915 AES_CRYP_KeyInitStructure.CRYP_Key3Left = dec_key[2];
1916 AES_CRYP_KeyInitStructure.CRYP_Key3Right = dec_key[3];
1917 break;
1918
1919 case 12: /* 192-bit key */
1920 AES_CRYP_InitStructure.CRYP_KeySize = CRYP_KeySize_192b;
1921 AES_CRYP_KeyInitStructure.CRYP_Key1Left = dec_key[0];
1922 AES_CRYP_KeyInitStructure.CRYP_Key1Right = dec_key[1];
1923 AES_CRYP_KeyInitStructure.CRYP_Key2Left = dec_key[2];
1924 AES_CRYP_KeyInitStructure.CRYP_Key2Right = dec_key[3];
1925 AES_CRYP_KeyInitStructure.CRYP_Key3Left = dec_key[4];
1926 AES_CRYP_KeyInitStructure.CRYP_Key3Right = dec_key[5];
1927 break;
1928
1929 case 14: /* 256-bit key */
1930 AES_CRYP_InitStructure.CRYP_KeySize = CRYP_KeySize_256b;
1931 AES_CRYP_KeyInitStructure.CRYP_Key0Left = dec_key[0];
1932 AES_CRYP_KeyInitStructure.CRYP_Key0Right = dec_key[1];
1933 AES_CRYP_KeyInitStructure.CRYP_Key1Left = dec_key[2];
1934 AES_CRYP_KeyInitStructure.CRYP_Key1Right = dec_key[3];
1935 AES_CRYP_KeyInitStructure.CRYP_Key2Left = dec_key[4];
1936 AES_CRYP_KeyInitStructure.CRYP_Key2Right = dec_key[5];
1937 AES_CRYP_KeyInitStructure.CRYP_Key3Left = dec_key[6];
1938 AES_CRYP_KeyInitStructure.CRYP_Key3Right = dec_key[7];
1939 break;
1940
1941 default:
1942 break;
1943 }
1944
1945 /* set direction, mode, and datatype for key preparation */
1946 AES_CRYP_InitStructure.CRYP_AlgoDir = CRYP_AlgoDir_Decrypt;
1947 AES_CRYP_InitStructure.CRYP_AlgoMode = CRYP_AlgoMode_AES_Key;
1948 AES_CRYP_InitStructure.CRYP_DataType = CRYP_DataType_32b;
1949 CRYP_Init(&AES_CRYP_InitStructure);
1950 CRYP_KeyInit(&AES_CRYP_KeyInitStructure);
1951
1952 /* enable crypto processor */
1953 CRYP_Cmd(ENABLE);
1954
1955 /* wait until key has been prepared */
1956 while(CRYP_GetFlagStatus(CRYP_FLAG_BUSY) != RESET) {}
1957
1958 /* set direction, mode, and datatype for decryption */
1959 AES_CRYP_InitStructure.CRYP_AlgoDir = CRYP_AlgoDir_Decrypt;
1960 AES_CRYP_InitStructure.CRYP_AlgoMode = CRYP_AlgoMode_AES_CBC;
1961 AES_CRYP_InitStructure.CRYP_DataType = CRYP_DataType_8b;
1962 CRYP_Init(&AES_CRYP_InitStructure);
1963
1964 /* set iv */
1965 ByteReverseWords(iv, iv, AES_BLOCK_SIZE);
1966
1967 AES_CRYP_IVInitStructure.CRYP_IV0Left = iv[0];
1968 AES_CRYP_IVInitStructure.CRYP_IV0Right = iv[1];
1969 AES_CRYP_IVInitStructure.CRYP_IV1Left = iv[2];
1970 AES_CRYP_IVInitStructure.CRYP_IV1Right = iv[3];
1971 CRYP_IVInit(&AES_CRYP_IVInitStructure);
1972
1973 /* enable crypto processor */
1974 CRYP_Cmd(ENABLE);
1975
1976 while (sz > 0)
1977 {
1978 /* flush IN/OUT FIFOs */
1979 CRYP_FIFOFlush();
1980
1981 CRYP_DataIn(*(uint32_t*)&in[0]);
1982 CRYP_DataIn(*(uint32_t*)&in[4]);
1983 CRYP_DataIn(*(uint32_t*)&in[8]);
1984 CRYP_DataIn(*(uint32_t*)&in[12]);
1985
1986 /* wait until the complete message has been processed */
1987 while(CRYP_GetFlagStatus(CRYP_FLAG_BUSY) != RESET) {}
1988
1989 *(uint32_t*)&out[0] = CRYP_DataOut();
1990 *(uint32_t*)&out[4] = CRYP_DataOut();
1991 *(uint32_t*)&out[8] = CRYP_DataOut();
1992 *(uint32_t*)&out[12] = CRYP_DataOut();
1993
1994 /* store iv for next call */
1995 XMEMCPY(aes->reg, aes->tmp, AES_BLOCK_SIZE);
1996
1997 sz -= 16;
1998 in += 16;
1999 out += 16;
2000 }
2001
2002 /* disable crypto processor */
2003 CRYP_Cmd(DISABLE);
2004
2005 return 0;
2006 }
2007
2008#elif defined(HAVE_COLDFIRE_SEC)
2009 static int wc_AesCbcCrypt(Aes* aes, byte* po, const byte* pi, word32 sz,
2010 word32 descHeader)
2011 {
2012 #ifdef DEBUG_WOLFSSL
2013 int i; int stat1, stat2; int ret;
2014 #endif
2015
2016 int size;
2017 volatile int v;
2018
2019 if ((pi == NULL) || (po == NULL))
2020 return BAD_FUNC_ARG; /*wrong pointer*/
2021
2022 LockMutex(&Mutex_AesSEC);
2023
2024 /* Set descriptor for SEC */
2025 secDesc->length1 = 0x0;
2026 secDesc->pointer1 = NULL;
2027
2028 secDesc->length2 = AES_BLOCK_SIZE;
2029 secDesc->pointer2 = (byte *)secReg; /* Initial Vector */
2030
2031 switch(aes->rounds) {
2032 case 10: secDesc->length3 = 16 ; break ;
2033 case 12: secDesc->length3 = 24 ; break ;
2034 case 14: secDesc->length3 = 32 ; break ;
2035 }
2036 XMEMCPY(secKey, aes->key, secDesc->length3);
2037
2038 secDesc->pointer3 = (byte *)secKey;
2039 secDesc->pointer4 = AESBuffIn;
2040 secDesc->pointer5 = AESBuffOut;
2041 secDesc->length6 = 0x0;
2042 secDesc->pointer6 = NULL;
2043 secDesc->length7 = 0x0;
2044 secDesc->pointer7 = NULL;
2045 secDesc->nextDescriptorPtr = NULL;
2046
2047 while (sz) {
2048 secDesc->header = descHeader;
2049 XMEMCPY(secReg, aes->reg, AES_BLOCK_SIZE);
2050 if ((sz % AES_BUFFER_SIZE) == sz) {
2051 size = sz;
2052 sz = 0;
2053 } else {
2054 size = AES_BUFFER_SIZE;
2055 sz -= AES_BUFFER_SIZE;
2056 }
2057 secDesc->length4 = size;
2058 secDesc->length5 = size;
2059
2060 XMEMCPY(AESBuffIn, pi, size);
2061 if(descHeader == SEC_DESC_AES_CBC_DECRYPT) {
2062 XMEMCPY((void*)aes->tmp, (void*)&(pi[size-AES_BLOCK_SIZE]),
2063 AES_BLOCK_SIZE);
2064 }
2065
2066 /* Point SEC to the location of the descriptor */
2067 MCF_SEC_FR0 = (uint32)secDesc;
2068 /* Initialize SEC and wait for encryption to complete */
2069 MCF_SEC_CCCR0 = 0x0000001a;
2070 /* poll SISR to determine when channel is complete */
2071 v=0;
2072
2073 while ((secDesc->header>> 24) != 0xff) v++;
2074
2075 #ifdef DEBUG_WOLFSSL
2076 ret = MCF_SEC_SISRH;
2077 stat1 = MCF_SEC_AESSR;
2078 stat2 = MCF_SEC_AESISR;
2079 if (ret & 0xe0000000) {
2080 db_printf("Aes_Cbc(i=%d):ISRH=%08x, AESSR=%08x, "
2081 "AESISR=%08x\n", i, ret, stat1, stat2);
2082 }
2083 #endif
2084
2085 XMEMCPY(po, AESBuffOut, size);
2086
2087 if (descHeader == SEC_DESC_AES_CBC_ENCRYPT) {
2088 XMEMCPY((void*)aes->reg, (void*)&(po[size-AES_BLOCK_SIZE]),
2089 AES_BLOCK_SIZE);
2090 } else {
2091 XMEMCPY((void*)aes->reg, (void*)aes->tmp, AES_BLOCK_SIZE);
2092 }
2093
2094 pi += size;
2095 po += size;
2096 }
2097
2098 UnLockMutex(&Mutex_AesSEC);
2099 return 0;
2100 }
2101
2102 int wc_AesCbcEncrypt(Aes* aes, byte* po, const byte* pi, word32 sz)
2103 {
2104 return (wc_AesCbcCrypt(aes, po, pi, sz, SEC_DESC_AES_CBC_ENCRYPT));
2105 }
2106
2107 int wc_AesCbcDecrypt(Aes* aes, byte* po, const byte* pi, word32 sz)
2108 {
2109 return (wc_AesCbcCrypt(aes, po, pi, sz, SEC_DESC_AES_CBC_DECRYPT));
2110 }
2111
2112#elif defined(FREESCALE_MMCAU)
2113 int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
2114 {
2115 int i;
2116 int offset = 0;
2117 int len = sz;
2118
2119 byte *iv;
2120 byte temp_block[AES_BLOCK_SIZE];
2121
2122 iv = (byte*)aes->reg;
2123
2124 if ((wolfssl_word)out % WOLFSSL_MMCAU_ALIGNMENT) {
2125 WOLFSSL_MSG("Bad cau_aes_encrypt alignment");
2126 return BAD_ALIGN_E;
2127 }
2128
2129 while (len > 0)
2130 {
2131 XMEMCPY(temp_block, in + offset, AES_BLOCK_SIZE);
2132
2133 /* XOR block with IV for CBC */
2134 for (i = 0; i < AES_BLOCK_SIZE; i++)
2135 temp_block[i] ^= iv[i];
2136
2137 wc_AesEncrypt(aes, temp_block, out + offset);
2138
2139 len -= AES_BLOCK_SIZE;
2140 offset += AES_BLOCK_SIZE;
2141
2142 /* store IV for next block */
2143 XMEMCPY(iv, out + offset - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
2144 }
2145
2146 return 0;
2147 }
2148
2149 int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
2150 {
2151 int i;
2152 int offset = 0;
2153 int len = sz;
2154
2155 byte* iv;
2156 byte temp_block[AES_BLOCK_SIZE];
2157
2158 iv = (byte*)aes->reg;
2159
2160 if ((wolfssl_word)out % WOLFSSL_MMCAU_ALIGNMENT) {
2161 WOLFSSL_MSG("Bad cau_aes_decrypt alignment");
2162 return BAD_ALIGN_E;
2163 }
2164
2165 while (len > 0)
2166 {
2167 XMEMCPY(temp_block, in + offset, AES_BLOCK_SIZE);
2168
2169 wc_AesEncrypt(aes, in + offset, out + offset);
2170
2171 /* XOR block with IV for CBC */
2172 for (i = 0; i < AES_BLOCK_SIZE; i++)
2173 (out + offset)[i] ^= iv[i];
2174
2175 /* store IV for next block */
2176 XMEMCPY(iv, temp_block, AES_BLOCK_SIZE);
2177
2178 len -= AES_BLOCK_SIZE;
2179 offset += AES_BLOCK_SIZE;
2180 }
2181
2182 return 0;
2183 }
2184
2185#elif defined(WOLFSSL_PIC32MZ_CRYPT)
2186 /* core hardware crypt engine driver */
2187 static void wc_AesCrypt(Aes *aes, byte* out, const byte* in, word32 sz,
2188 int dir, int algo, int cryptoalgo)
2189 {
2190 securityAssociation *sa_p ;
2191 bufferDescriptor *bd_p ;
2192
2193 volatile securityAssociation sa __attribute__((aligned (8)));
2194 volatile bufferDescriptor bd __attribute__((aligned (8)));
2195 volatile int k ;
2196
2197 /* get uncached address */
2198 sa_p = KVA0_TO_KVA1(&sa) ;
2199 bd_p = KVA0_TO_KVA1(&bd) ;
2200
2201 /* Sync cache and physical memory */
2202 if(PIC32MZ_IF_RAM(in)) {
2203 XMEMCPY((void *)KVA0_TO_KVA1(in), (void *)in, sz);
2204 }
2205 XMEMSET((void *)KVA0_TO_KVA1(out), 0, sz);
2206 /* Set up the Security Association */
2207 XMEMSET((byte *)KVA0_TO_KVA1(&sa), 0, sizeof(sa));
2208 sa_p->SA_CTRL.ALGO = algo ; /* AES */
2209 sa_p->SA_CTRL.LNC = 1;
2210 sa_p->SA_CTRL.LOADIV = 1;
2211 sa_p->SA_CTRL.FB = 1;
2212 sa_p->SA_CTRL.ENCTYPE = dir ; /* Encryption/Decryption */
2213 sa_p->SA_CTRL.CRYPTOALGO = cryptoalgo;
2214
2215 if(cryptoalgo == PIC32_CRYPTOALGO_AES_GCM){
2216 switch(aes->keylen) {
2217 case 32:
2218 sa_p->SA_CTRL.KEYSIZE = PIC32_AES_KEYSIZE_256 ;
2219 break ;
2220 case 24:
2221 sa_p->SA_CTRL.KEYSIZE = PIC32_AES_KEYSIZE_192 ;
2222 break ;
2223 case 16:
2224 sa_p->SA_CTRL.KEYSIZE = PIC32_AES_KEYSIZE_128 ;
2225 break ;
2226 }
2227 } else
2228 sa_p->SA_CTRL.KEYSIZE = PIC32_AES_KEYSIZE_128 ;
2229
2230 ByteReverseWords(
2231 (word32 *)KVA0_TO_KVA1(sa.SA_ENCKEY + 8 - aes->keylen/sizeof(word32)),
2232 (word32 *)aes->key_ce, aes->keylen);
2233 ByteReverseWords(
2234 (word32*)KVA0_TO_KVA1(sa.SA_ENCIV), (word32 *)aes->iv_ce, 16);
2235
2236 XMEMSET((byte *)KVA0_TO_KVA1(&bd), 0, sizeof(bd));
2237 /* Set up the Buffer Descriptor */
2238 bd_p->BD_CTRL.BUFLEN = sz;
2239 if(cryptoalgo == PIC32_CRYPTOALGO_AES_GCM) {
2240 if(sz % 0x10)
2241 bd_p->BD_CTRL.BUFLEN = (sz/0x10 + 1) * 0x10 ;
2242 }
2243 bd_p->BD_CTRL.LIFM = 1;
2244 bd_p->BD_CTRL.SA_FETCH_EN = 1;
2245 bd_p->BD_CTRL.LAST_BD = 1;
2246 bd_p->BD_CTRL.DESC_EN = 1;
2247
2248 bd_p->SA_ADDR = (unsigned int)KVA_TO_PA(&sa) ;
2249 bd_p->SRCADDR = (unsigned int)KVA_TO_PA(in) ;
2250 bd_p->DSTADDR = (unsigned int)KVA_TO_PA(out);
2251 bd_p->MSGLEN = sz ;
2252
2253 CECON = 1 << 6;
2254 while (CECON);
2255
2256 /* Run the engine */
2257 CEBDPADDR = (unsigned int)KVA_TO_PA(&bd) ;
2258 CEINTEN = 0x07;
2259 CECON = 0x27;
2260
2261 WAIT_ENGINE ;
2262
2263 if((cryptoalgo == PIC32_CRYPTOALGO_CBC) ||
2264 (cryptoalgo == PIC32_CRYPTOALGO_TCBC)||
2265 (cryptoalgo == PIC32_CRYPTOALGO_RCBC)) {
2266 /* set iv for the next call */
2267 if(dir == PIC32_ENCRYPTION) {
2268 XMEMCPY((void *)aes->iv_ce,
2269 (void*)KVA0_TO_KVA1(out + sz - AES_BLOCK_SIZE),
2270 AES_BLOCK_SIZE) ;
2271 } else {
2272 ByteReverseWords((word32*)aes->iv_ce,
2273 (word32 *)KVA0_TO_KVA1(in + sz - AES_BLOCK_SIZE),
2274 AES_BLOCK_SIZE);
2275 }
2276 }
2277 XMEMCPY((byte *)out, (byte *)KVA0_TO_KVA1(out), sz) ;
2278 ByteReverseWords((word32*)out, (word32 *)out, sz);
2279 }
2280
2281 int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
2282 {
2283 wc_AesCrypt(aes, out, in, sz, PIC32_ENCRYPTION, PIC32_ALGO_AES,
2284 PIC32_CRYPTOALGO_RCBC );
2285 return 0 ;
2286 }
2287
2288 int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
2289 {
2290 wc_AesCrypt(aes, out, in, sz, PIC32_DECRYPTION, PIC32_ALGO_AES,
2291 PIC32_CRYPTOALGO_RCBC);
2292 return 0 ;
2293 }
2294
2295#else
2296 int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
2297 {
2298 word32 blocks = sz / AES_BLOCK_SIZE;
2299
2300 #ifdef HAVE_CAVIUM
2301 if (aes->magic == WOLFSSL_AES_CAVIUM_MAGIC)
2302 return wc_AesCaviumCbcEncrypt(aes, out, in, sz);
2303 #endif
2304
2305 #ifdef WOLFSSL_AESNI
2306 if (haveAESNI) {
2307 #ifdef DEBUG_AESNI
2308 printf("about to aes cbc encrypt\n");
2309 printf("in = %p\n", in);
2310 printf("out = %p\n", out);
2311 printf("aes->key = %p\n", aes->key);
2312 printf("aes->reg = %p\n", aes->reg);
2313 printf("aes->rounds = %d\n", aes->rounds);
2314 printf("sz = %d\n", sz);
2315 #endif
2316
2317 /* check alignment, decrypt doesn't need alignment */
2318 if ((wolfssl_word)in % 16) {
2319 #ifndef NO_WOLFSSL_ALLOC_ALIGN
2320 byte* tmp = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
2321 WOLFSSL_MSG("AES-CBC encrypt with bad alignment");
2322 if (tmp == NULL) return MEMORY_E;
2323
2324 XMEMCPY(tmp, in, sz);
2325 AES_CBC_encrypt(tmp, tmp, (byte*)aes->reg, sz, (byte*)aes->key,
2326 aes->rounds);
2327 /* store iv for next call */
2328 XMEMCPY(aes->reg, tmp + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
2329
2330 XMEMCPY(out, tmp, sz);
2331 XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
2332 return 0;
2333 #else
2334 return BAD_ALIGN_E;
2335 #endif
2336 }
2337
2338 AES_CBC_encrypt(in, out, (byte*)aes->reg, sz, (byte*)aes->key,
2339 aes->rounds);
2340 /* store iv for next call */
2341 XMEMCPY(aes->reg, out + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
2342
2343 return 0;
2344 }
2345 #endif
2346
2347 while (blocks--) {
2348 xorbuf((byte*)aes->reg, in, AES_BLOCK_SIZE);
2349 wc_AesEncrypt(aes, (byte*)aes->reg, (byte*)aes->reg);
2350 XMEMCPY(out, aes->reg, AES_BLOCK_SIZE);
2351
2352 out += AES_BLOCK_SIZE;
2353 in += AES_BLOCK_SIZE;
2354 }
2355
2356 return 0;
2357 }
2358
2359 int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
2360 {
2361 word32 blocks = sz / AES_BLOCK_SIZE;
2362
2363 #ifdef HAVE_CAVIUM
2364 if (aes->magic == WOLFSSL_AES_CAVIUM_MAGIC)
2365 return wc_AesCaviumCbcDecrypt(aes, out, in, sz);
2366 #endif
2367
2368 #ifdef WOLFSSL_AESNI
2369 if (haveAESNI) {
2370 #ifdef DEBUG_AESNI
2371 printf("about to aes cbc decrypt\n");
2372 printf("in = %p\n", in);
2373 printf("out = %p\n", out);
2374 printf("aes->key = %p\n", aes->key);
2375 printf("aes->reg = %p\n", aes->reg);
2376 printf("aes->rounds = %d\n", aes->rounds);
2377 printf("sz = %d\n", sz);
2378 #endif
2379
2380 /* if input and output same will overwrite input iv */
2381 XMEMCPY(aes->tmp, in + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
2382 AES_CBC_decrypt(in, out, (byte*)aes->reg, sz, (byte*)aes->key,
2383 aes->rounds);
2384 /* store iv for next call */
2385 XMEMCPY(aes->reg, aes->tmp, AES_BLOCK_SIZE);
2386 return 0;
2387 }
2388 #endif
2389
2390 while (blocks--) {
2391 XMEMCPY(aes->tmp, in, AES_BLOCK_SIZE);
2392 wc_AesDecrypt(aes, (byte*)aes->tmp, out);
2393 xorbuf(out, (byte*)aes->reg, AES_BLOCK_SIZE);
2394 XMEMCPY(aes->reg, aes->tmp, AES_BLOCK_SIZE);
2395
2396 out += AES_BLOCK_SIZE;
2397 in += AES_BLOCK_SIZE;
2398 }
2399
2400 return 0;
2401 }
2402
2403#endif /* STM32F2_CRYPTO, AES-CBC block */
2404
2405/* AES-CTR */
2406#ifdef WOLFSSL_AES_COUNTER
2407
2408 #ifdef STM32F2_CRYPTO
2409 void wc_AesCtrEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
2410 {
2411 word32 *enc_key, *iv;
2412 CRYP_InitTypeDef AES_CRYP_InitStructure;
2413 CRYP_KeyInitTypeDef AES_CRYP_KeyInitStructure;
2414 CRYP_IVInitTypeDef AES_CRYP_IVInitStructure;
2415
2416 enc_key = aes->key;
2417 iv = aes->reg;
2418
2419 /* crypto structure initialization */
2420 CRYP_KeyStructInit(&AES_CRYP_KeyInitStructure);
2421 CRYP_StructInit(&AES_CRYP_InitStructure);
2422 CRYP_IVStructInit(&AES_CRYP_IVInitStructure);
2423
2424 /* reset registers to their default values */
2425 CRYP_DeInit();
2426
2427 /* load key into correct registers */
2428 switch(aes->rounds)
2429 {
2430 case 10: /* 128-bit key */
2431 AES_CRYP_InitStructure.CRYP_KeySize = CRYP_KeySize_128b;
2432 AES_CRYP_KeyInitStructure.CRYP_Key2Left = enc_key[0];
2433 AES_CRYP_KeyInitStructure.CRYP_Key2Right = enc_key[1];
2434 AES_CRYP_KeyInitStructure.CRYP_Key3Left = enc_key[2];
2435 AES_CRYP_KeyInitStructure.CRYP_Key3Right = enc_key[3];
2436 break;
2437
2438 case 12: /* 192-bit key */
2439 AES_CRYP_InitStructure.CRYP_KeySize = CRYP_KeySize_192b;
2440 AES_CRYP_KeyInitStructure.CRYP_Key1Left = enc_key[0];
2441 AES_CRYP_KeyInitStructure.CRYP_Key1Right = enc_key[1];
2442 AES_CRYP_KeyInitStructure.CRYP_Key2Left = enc_key[2];
2443 AES_CRYP_KeyInitStructure.CRYP_Key2Right = enc_key[3];
2444 AES_CRYP_KeyInitStructure.CRYP_Key3Left = enc_key[4];
2445 AES_CRYP_KeyInitStructure.CRYP_Key3Right = enc_key[5];
2446 break;
2447
2448 case 14: /* 256-bit key */
2449 AES_CRYP_InitStructure.CRYP_KeySize = CRYP_KeySize_256b;
2450 AES_CRYP_KeyInitStructure.CRYP_Key0Left = enc_key[0];
2451 AES_CRYP_KeyInitStructure.CRYP_Key0Right = enc_key[1];
2452 AES_CRYP_KeyInitStructure.CRYP_Key1Left = enc_key[2];
2453 AES_CRYP_KeyInitStructure.CRYP_Key1Right = enc_key[3];
2454 AES_CRYP_KeyInitStructure.CRYP_Key2Left = enc_key[4];
2455 AES_CRYP_KeyInitStructure.CRYP_Key2Right = enc_key[5];
2456 AES_CRYP_KeyInitStructure.CRYP_Key3Left = enc_key[6];
2457 AES_CRYP_KeyInitStructure.CRYP_Key3Right = enc_key[7];
2458 break;
2459
2460 default:
2461 break;
2462 }
2463 CRYP_KeyInit(&AES_CRYP_KeyInitStructure);
2464
2465 /* set iv */
2466 ByteReverseWords(iv, iv, AES_BLOCK_SIZE);
2467 AES_CRYP_IVInitStructure.CRYP_IV0Left = iv[0];
2468 AES_CRYP_IVInitStructure.CRYP_IV0Right = iv[1];
2469 AES_CRYP_IVInitStructure.CRYP_IV1Left = iv[2];
2470 AES_CRYP_IVInitStructure.CRYP_IV1Right = iv[3];
2471 CRYP_IVInit(&AES_CRYP_IVInitStructure);
2472
2473 /* set direction, mode, and datatype */
2474 AES_CRYP_InitStructure.CRYP_AlgoDir = CRYP_AlgoDir_Encrypt;
2475 AES_CRYP_InitStructure.CRYP_AlgoMode = CRYP_AlgoMode_AES_CTR;
2476 AES_CRYP_InitStructure.CRYP_DataType = CRYP_DataType_8b;
2477 CRYP_Init(&AES_CRYP_InitStructure);
2478
2479 /* enable crypto processor */
2480 CRYP_Cmd(ENABLE);
2481
2482 while (sz > 0)
2483 {
2484 /* flush IN/OUT FIFOs */
2485 CRYP_FIFOFlush();
2486
2487 CRYP_DataIn(*(uint32_t*)&in[0]);
2488 CRYP_DataIn(*(uint32_t*)&in[4]);
2489 CRYP_DataIn(*(uint32_t*)&in[8]);
2490 CRYP_DataIn(*(uint32_t*)&in[12]);
2491
2492 /* wait until the complete message has been processed */
2493 while(CRYP_GetFlagStatus(CRYP_FLAG_BUSY) != RESET) {}
2494
2495 *(uint32_t*)&out[0] = CRYP_DataOut();
2496 *(uint32_t*)&out[4] = CRYP_DataOut();
2497 *(uint32_t*)&out[8] = CRYP_DataOut();
2498 *(uint32_t*)&out[12] = CRYP_DataOut();
2499
2500 /* store iv for next call */
2501 XMEMCPY(aes->reg, out + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
2502
2503 sz -= 16;
2504 in += 16;
2505 out += 16;
2506 }
2507
2508 /* disable crypto processor */
2509 CRYP_Cmd(DISABLE);
2510 }
2511
2512 #elif defined(WOLFSSL_PIC32MZ_CRYPT)
2513 void wc_AesCtrEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
2514 {
2515 int i ;
2516 char out_block[AES_BLOCK_SIZE] ;
2517 int odd ;
2518 int even ;
2519 char *tmp ; /* (char *)aes->tmp, for short */
2520
2521 tmp = (char *)aes->tmp ;
2522 if(aes->left) {
2523 if((aes->left + sz) >= AES_BLOCK_SIZE){
2524 odd = AES_BLOCK_SIZE - aes->left ;
2525 } else {
2526 odd = sz ;
2527 }
2528 XMEMCPY(tmp+aes->left, in, odd) ;
2529 if((odd+aes->left) == AES_BLOCK_SIZE){
2530 wc_AesCrypt(aes, out_block, tmp, AES_BLOCK_SIZE,
2531 PIC32_ENCRYPTION, PIC32_ALGO_AES, PIC32_CRYPTOALGO_RCTR);
2532 XMEMCPY(out, out_block+aes->left, odd) ;
2533 aes->left = 0 ;
2534 XMEMSET(tmp, 0x0, AES_BLOCK_SIZE) ;
2535 /* Increment IV */
2536 for (i = AES_BLOCK_SIZE - 1; i >= 0; i--) {
2537 if (++((byte *)aes->iv_ce)[i])
2538 break ;
2539 }
2540 }
2541 in += odd ;
2542 out+= odd ;
2543 sz -= odd ;
2544 }
2545 odd = sz % AES_BLOCK_SIZE ; /* if there is tail flagment */
2546 if(sz / AES_BLOCK_SIZE) {
2547 even = (sz/AES_BLOCK_SIZE)*AES_BLOCK_SIZE ;
2548 wc_AesCrypt(aes, out, in, even, PIC32_ENCRYPTION, PIC32_ALGO_AES,
2549 PIC32_CRYPTOALGO_RCTR);
2550 out += even ;
2551 in += even ;
2552 do { /* Increment IV */
2553 for (i = AES_BLOCK_SIZE - 1; i >= 0; i--) {
2554 if (++((byte *)aes->iv_ce)[i])
2555 break ;
2556 }
2557 even -= AES_BLOCK_SIZE ;
2558 } while((int)even > 0) ;
2559 }
2560 if(odd) {
2561 XMEMSET(tmp+aes->left, 0x0, AES_BLOCK_SIZE - aes->left) ;
2562 XMEMCPY(tmp+aes->left, in, odd) ;
2563 wc_AesCrypt(aes, out_block, tmp, AES_BLOCK_SIZE,
2564 PIC32_ENCRYPTION, PIC32_ALGO_AES, PIC32_CRYPTOALGO_RCTR);
2565 XMEMCPY(out, out_block+aes->left,odd) ;
2566 aes->left += odd ;
2567 }
2568 }
2569
2570 #elif defined(HAVE_COLDFIRE_SEC)
2571 #error "Coldfire SEC doesn't currently support AES-CTR mode"
2572
2573 #elif defined(FREESCALE_MMCAU)
2574 #error "Freescale mmCAU doesn't currently support AES-CTR mode"
2575
2576 #else
2577 /* Increment AES counter */
2578 static INLINE void IncrementAesCounter(byte* inOutCtr)
2579 {
2580 int i;
2581
2582 /* in network byte order so start at end and work back */
2583 for (i = AES_BLOCK_SIZE - 1; i >= 0; i--) {
2584 if (++inOutCtr[i]) /* we're done unless we overflow */
2585 return;
2586 }
2587 }
2588
2589 void wc_AesCtrEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
2590 {
2591 byte* tmp = (byte*)aes->tmp + AES_BLOCK_SIZE - aes->left;
2592
2593 /* consume any unused bytes left in aes->tmp */
2594 while (aes->left && sz) {
2595 *(out++) = *(in++) ^ *(tmp++);
2596 aes->left--;
2597 sz--;
2598 }
2599
2600 /* do as many block size ops as possible */
2601 while (sz >= AES_BLOCK_SIZE) {
2602 wc_AesEncrypt(aes, (byte*)aes->reg, out);
2603 IncrementAesCounter((byte*)aes->reg);
2604 xorbuf(out, in, AES_BLOCK_SIZE);
2605
2606 out += AES_BLOCK_SIZE;
2607 in += AES_BLOCK_SIZE;
2608 sz -= AES_BLOCK_SIZE;
2609 aes->left = 0;
2610 }
2611
2612 /* handle non block size remaining and sotre unused byte count in left */
2613 if (sz) {
2614 wc_AesEncrypt(aes, (byte*)aes->reg, (byte*)aes->tmp);
2615 IncrementAesCounter((byte*)aes->reg);
2616
2617 aes->left = AES_BLOCK_SIZE;
2618 tmp = (byte*)aes->tmp;
2619
2620 while (sz--) {
2621 *(out++) = *(in++) ^ *(tmp++);
2622 aes->left--;
2623 }
2624 }
2625 }
2626
2627 #endif /* STM32F2_CRYPTO, AES-CTR block */
2628
2629#endif /* WOLFSSL_AES_COUNTER */
2630
2631#ifdef HAVE_AESGCM
2632
2633/*
2634 * The IV for AES GCM, stored in struct Aes's member reg, is comprised of
2635 * three parts in order:
2636 * 1. The implicit IV. This is generated from the PRF using the shared
2637 * secrets between endpoints. It is 4 bytes long.
2638 * 2. The explicit IV. This is set by the user of the AES. It needs to be
2639 * unique for each call to encrypt. The explicit IV is shared with the
2640 * other end of the transaction in the clear.
2641 * 3. The counter. Each block of data is encrypted with its own sequence
2642 * number counter.
2643 */
2644
2645#ifdef STM32F2_CRYPTO
2646 #error "STM32F2 crypto doesn't currently support AES-GCM mode"
2647
2648#elif defined(HAVE_COLDFIRE_SEC)
2649 #error "Coldfire SEC doesn't currently support AES-GCM mode"
2650
2651#endif
2652
2653enum {
2654 CTR_SZ = 4
2655};
2656
2657
2658static INLINE void InitGcmCounter(byte* inOutCtr)
2659{
2660 inOutCtr[AES_BLOCK_SIZE - 4] = 0;
2661 inOutCtr[AES_BLOCK_SIZE - 3] = 0;
2662 inOutCtr[AES_BLOCK_SIZE - 2] = 0;
2663 inOutCtr[AES_BLOCK_SIZE - 1] = 1;
2664}
2665
2666
2667static INLINE void IncrementGcmCounter(byte* inOutCtr)
2668{
2669 int i;
2670
2671 /* in network byte order so start at end and work back */
2672 for (i = AES_BLOCK_SIZE - 1; i >= AES_BLOCK_SIZE - CTR_SZ; i--) {
2673 if (++inOutCtr[i]) /* we're done unless we overflow */
2674 return;
2675 }
2676}
2677
2678
2679#if defined(GCM_SMALL) || defined(GCM_TABLE)
2680
2681static INLINE void FlattenSzInBits(byte* buf, word32 sz)
2682{
2683 /* Multiply the sz by 8 */
2684 word32 szHi = (sz >> (8*sizeof(sz) - 3));
2685 sz <<= 3;
2686
2687 /* copy over the words of the sz into the destination buffer */
2688 buf[0] = (szHi >> 24) & 0xff;
2689 buf[1] = (szHi >> 16) & 0xff;
2690 buf[2] = (szHi >> 8) & 0xff;
2691 buf[3] = szHi & 0xff;
2692 buf[4] = (sz >> 24) & 0xff;
2693 buf[5] = (sz >> 16) & 0xff;
2694 buf[6] = (sz >> 8) & 0xff;
2695 buf[7] = sz & 0xff;
2696}
2697
2698
2699static INLINE void RIGHTSHIFTX(byte* x)
2700{
2701 int i;
2702 int carryOut = 0;
2703 int carryIn = 0;
2704 int borrow = x[15] & 0x01;
2705
2706 for (i = 0; i < AES_BLOCK_SIZE; i++) {
2707 carryOut = x[i] & 0x01;
2708 x[i] = (x[i] >> 1) | (carryIn ? 0x80 : 0);
2709 carryIn = carryOut;
2710 }
2711 if (borrow) x[0] ^= 0xE1;
2712}
2713
2714#endif /* defined(GCM_SMALL) || defined(GCM_TABLE) */
2715
2716
2717#ifdef GCM_TABLE
2718
2719static void GenerateM0(Aes* aes)
2720{
2721 int i, j;
2722 byte (*m)[AES_BLOCK_SIZE] = aes->M0;
2723
2724 XMEMCPY(m[128], aes->H, AES_BLOCK_SIZE);
2725
2726 for (i = 64; i > 0; i /= 2) {
2727 XMEMCPY(m[i], m[i*2], AES_BLOCK_SIZE);
2728 RIGHTSHIFTX(m[i]);
2729 }
2730
2731 for (i = 2; i < 256; i *= 2) {
2732 for (j = 1; j < i; j++) {
2733 XMEMCPY(m[i+j], m[i], AES_BLOCK_SIZE);
2734 xorbuf(m[i+j], m[j], AES_BLOCK_SIZE);
2735 }
2736 }
2737
2738 XMEMSET(m[0], 0, AES_BLOCK_SIZE);
2739}
2740
2741#endif /* GCM_TABLE */
2742
2743
2744int wc_AesGcmSetKey(Aes* aes, const byte* key, word32 len)
2745{
2746 int ret;
2747 byte iv[AES_BLOCK_SIZE];
2748
2749 if (!((len == 16) || (len == 24) || (len == 32)))
2750 return BAD_FUNC_ARG;
2751
2752 XMEMSET(iv, 0, AES_BLOCK_SIZE);
2753 ret = wc_AesSetKey(aes, key, len, iv, AES_ENCRYPTION);
2754
2755 if (ret == 0) {
2756 wc_AesEncrypt(aes, iv, aes->H);
2757 #ifdef GCM_TABLE
2758 GenerateM0(aes);
2759 #endif /* GCM_TABLE */
2760 }
2761
2762 return ret;
2763}
2764
2765
2766#if defined(GCM_SMALL)
2767
2768static void GMULT(byte* X, byte* Y)
2769{
2770 byte Z[AES_BLOCK_SIZE];
2771 byte V[AES_BLOCK_SIZE];
2772 int i, j;
2773
2774 XMEMSET(Z, 0, AES_BLOCK_SIZE);
2775 XMEMCPY(V, X, AES_BLOCK_SIZE);
2776 for (i = 0; i < AES_BLOCK_SIZE; i++)
2777 {
2778 byte y = Y[i];
2779 for (j = 0; j < 8; j++)
2780 {
2781 if (y & 0x80) {
2782 xorbuf(Z, V, AES_BLOCK_SIZE);
2783 }
2784
2785 RIGHTSHIFTX(V);
2786 y = y << 1;
2787 }
2788 }
2789 XMEMCPY(X, Z, AES_BLOCK_SIZE);
2790}
2791
2792
2793static void GHASH(Aes* aes, const byte* a, word32 aSz,
2794 const byte* c, word32 cSz, byte* s, word32 sSz)
2795{
2796 byte x[AES_BLOCK_SIZE];
2797 byte scratch[AES_BLOCK_SIZE];
2798 word32 blocks, partial;
2799 byte* h = aes->H;
2800
2801 XMEMSET(x, 0, AES_BLOCK_SIZE);
2802
2803 /* Hash in A, the Additional Authentication Data */
2804 if (aSz != 0 && a != NULL) {
2805 blocks = aSz / AES_BLOCK_SIZE;
2806 partial = aSz % AES_BLOCK_SIZE;
2807 while (blocks--) {
2808 xorbuf(x, a, AES_BLOCK_SIZE);
2809 GMULT(x, h);
2810 a += AES_BLOCK_SIZE;
2811 }
2812 if (partial != 0) {
2813 XMEMSET(scratch, 0, AES_BLOCK_SIZE);
2814 XMEMCPY(scratch, a, partial);
2815 xorbuf(x, scratch, AES_BLOCK_SIZE);
2816 GMULT(x, h);
2817 }
2818 }
2819
2820 /* Hash in C, the Ciphertext */
2821 if (cSz != 0 && c != NULL) {
2822 blocks = cSz / AES_BLOCK_SIZE;
2823 partial = cSz % AES_BLOCK_SIZE;
2824 while (blocks--) {
2825 xorbuf(x, c, AES_BLOCK_SIZE);
2826 GMULT(x, h);
2827 c += AES_BLOCK_SIZE;
2828 }
2829 if (partial != 0) {
2830 XMEMSET(scratch, 0, AES_BLOCK_SIZE);
2831 XMEMCPY(scratch, c, partial);
2832 xorbuf(x, scratch, AES_BLOCK_SIZE);
2833 GMULT(x, h);
2834 }
2835 }
2836
2837 /* Hash in the lengths of A and C in bits */
2838 FlattenSzInBits(&scratch[0], aSz);
2839 FlattenSzInBits(&scratch[8], cSz);
2840 xorbuf(x, scratch, AES_BLOCK_SIZE);
2841 GMULT(x, h);
2842
2843 /* Copy the result into s. */
2844 XMEMCPY(s, x, sSz);
2845}
2846
2847/* end GCM_SMALL */
2848#elif defined(GCM_TABLE)
2849
2850static const byte R[256][2] = {
2851 {0x00, 0x00}, {0x01, 0xc2}, {0x03, 0x84}, {0x02, 0x46},
2852 {0x07, 0x08}, {0x06, 0xca}, {0x04, 0x8c}, {0x05, 0x4e},
2853 {0x0e, 0x10}, {0x0f, 0xd2}, {0x0d, 0x94}, {0x0c, 0x56},
2854 {0x09, 0x18}, {0x08, 0xda}, {0x0a, 0x9c}, {0x0b, 0x5e},
2855 {0x1c, 0x20}, {0x1d, 0xe2}, {0x1f, 0xa4}, {0x1e, 0x66},
2856 {0x1b, 0x28}, {0x1a, 0xea}, {0x18, 0xac}, {0x19, 0x6e},
2857 {0x12, 0x30}, {0x13, 0xf2}, {0x11, 0xb4}, {0x10, 0x76},
2858 {0x15, 0x38}, {0x14, 0xfa}, {0x16, 0xbc}, {0x17, 0x7e},
2859 {0x38, 0x40}, {0x39, 0x82}, {0x3b, 0xc4}, {0x3a, 0x06},
2860 {0x3f, 0x48}, {0x3e, 0x8a}, {0x3c, 0xcc}, {0x3d, 0x0e},
2861 {0x36, 0x50}, {0x37, 0x92}, {0x35, 0xd4}, {0x34, 0x16},
2862 {0x31, 0x58}, {0x30, 0x9a}, {0x32, 0xdc}, {0x33, 0x1e},
2863 {0x24, 0x60}, {0x25, 0xa2}, {0x27, 0xe4}, {0x26, 0x26},
2864 {0x23, 0x68}, {0x22, 0xaa}, {0x20, 0xec}, {0x21, 0x2e},
2865 {0x2a, 0x70}, {0x2b, 0xb2}, {0x29, 0xf4}, {0x28, 0x36},
2866 {0x2d, 0x78}, {0x2c, 0xba}, {0x2e, 0xfc}, {0x2f, 0x3e},
2867 {0x70, 0x80}, {0x71, 0x42}, {0x73, 0x04}, {0x72, 0xc6},
2868 {0x77, 0x88}, {0x76, 0x4a}, {0x74, 0x0c}, {0x75, 0xce},
2869 {0x7e, 0x90}, {0x7f, 0x52}, {0x7d, 0x14}, {0x7c, 0xd6},
2870 {0x79, 0x98}, {0x78, 0x5a}, {0x7a, 0x1c}, {0x7b, 0xde},
2871 {0x6c, 0xa0}, {0x6d, 0x62}, {0x6f, 0x24}, {0x6e, 0xe6},
2872 {0x6b, 0xa8}, {0x6a, 0x6a}, {0x68, 0x2c}, {0x69, 0xee},
2873 {0x62, 0xb0}, {0x63, 0x72}, {0x61, 0x34}, {0x60, 0xf6},
2874 {0x65, 0xb8}, {0x64, 0x7a}, {0x66, 0x3c}, {0x67, 0xfe},
2875 {0x48, 0xc0}, {0x49, 0x02}, {0x4b, 0x44}, {0x4a, 0x86},
2876 {0x4f, 0xc8}, {0x4e, 0x0a}, {0x4c, 0x4c}, {0x4d, 0x8e},
2877 {0x46, 0xd0}, {0x47, 0x12}, {0x45, 0x54}, {0x44, 0x96},
2878 {0x41, 0xd8}, {0x40, 0x1a}, {0x42, 0x5c}, {0x43, 0x9e},
2879 {0x54, 0xe0}, {0x55, 0x22}, {0x57, 0x64}, {0x56, 0xa6},
2880 {0x53, 0xe8}, {0x52, 0x2a}, {0x50, 0x6c}, {0x51, 0xae},
2881 {0x5a, 0xf0}, {0x5b, 0x32}, {0x59, 0x74}, {0x58, 0xb6},
2882 {0x5d, 0xf8}, {0x5c, 0x3a}, {0x5e, 0x7c}, {0x5f, 0xbe},
2883 {0xe1, 0x00}, {0xe0, 0xc2}, {0xe2, 0x84}, {0xe3, 0x46},
2884 {0xe6, 0x08}, {0xe7, 0xca}, {0xe5, 0x8c}, {0xe4, 0x4e},
2885 {0xef, 0x10}, {0xee, 0xd2}, {0xec, 0x94}, {0xed, 0x56},
2886 {0xe8, 0x18}, {0xe9, 0xda}, {0xeb, 0x9c}, {0xea, 0x5e},
2887 {0xfd, 0x20}, {0xfc, 0xe2}, {0xfe, 0xa4}, {0xff, 0x66},
2888 {0xfa, 0x28}, {0xfb, 0xea}, {0xf9, 0xac}, {0xf8, 0x6e},
2889 {0xf3, 0x30}, {0xf2, 0xf2}, {0xf0, 0xb4}, {0xf1, 0x76},
2890 {0xf4, 0x38}, {0xf5, 0xfa}, {0xf7, 0xbc}, {0xf6, 0x7e},
2891 {0xd9, 0x40}, {0xd8, 0x82}, {0xda, 0xc4}, {0xdb, 0x06},
2892 {0xde, 0x48}, {0xdf, 0x8a}, {0xdd, 0xcc}, {0xdc, 0x0e},
2893 {0xd7, 0x50}, {0xd6, 0x92}, {0xd4, 0xd4}, {0xd5, 0x16},
2894 {0xd0, 0x58}, {0xd1, 0x9a}, {0xd3, 0xdc}, {0xd2, 0x1e},
2895 {0xc5, 0x60}, {0xc4, 0xa2}, {0xc6, 0xe4}, {0xc7, 0x26},
2896 {0xc2, 0x68}, {0xc3, 0xaa}, {0xc1, 0xec}, {0xc0, 0x2e},
2897 {0xcb, 0x70}, {0xca, 0xb2}, {0xc8, 0xf4}, {0xc9, 0x36},
2898 {0xcc, 0x78}, {0xcd, 0xba}, {0xcf, 0xfc}, {0xce, 0x3e},
2899 {0x91, 0x80}, {0x90, 0x42}, {0x92, 0x04}, {0x93, 0xc6},
2900 {0x96, 0x88}, {0x97, 0x4a}, {0x95, 0x0c}, {0x94, 0xce},
2901 {0x9f, 0x90}, {0x9e, 0x52}, {0x9c, 0x14}, {0x9d, 0xd6},
2902 {0x98, 0x98}, {0x99, 0x5a}, {0x9b, 0x1c}, {0x9a, 0xde},
2903 {0x8d, 0xa0}, {0x8c, 0x62}, {0x8e, 0x24}, {0x8f, 0xe6},
2904 {0x8a, 0xa8}, {0x8b, 0x6a}, {0x89, 0x2c}, {0x88, 0xee},
2905 {0x83, 0xb0}, {0x82, 0x72}, {0x80, 0x34}, {0x81, 0xf6},
2906 {0x84, 0xb8}, {0x85, 0x7a}, {0x87, 0x3c}, {0x86, 0xfe},
2907 {0xa9, 0xc0}, {0xa8, 0x02}, {0xaa, 0x44}, {0xab, 0x86},
2908 {0xae, 0xc8}, {0xaf, 0x0a}, {0xad, 0x4c}, {0xac, 0x8e},
2909 {0xa7, 0xd0}, {0xa6, 0x12}, {0xa4, 0x54}, {0xa5, 0x96},
2910 {0xa0, 0xd8}, {0xa1, 0x1a}, {0xa3, 0x5c}, {0xa2, 0x9e},
2911 {0xb5, 0xe0}, {0xb4, 0x22}, {0xb6, 0x64}, {0xb7, 0xa6},
2912 {0xb2, 0xe8}, {0xb3, 0x2a}, {0xb1, 0x6c}, {0xb0, 0xae},
2913 {0xbb, 0xf0}, {0xba, 0x32}, {0xb8, 0x74}, {0xb9, 0xb6},
2914 {0xbc, 0xf8}, {0xbd, 0x3a}, {0xbf, 0x7c}, {0xbe, 0xbe} };
2915
2916
2917static void GMULT(byte *x, byte m[256][AES_BLOCK_SIZE])
2918{
2919 int i, j;
2920 byte Z[AES_BLOCK_SIZE];
2921 byte a;
2922
2923 XMEMSET(Z, 0, sizeof(Z));
2924
2925 for (i = 15; i > 0; i--) {
2926 xorbuf(Z, m[x[i]], AES_BLOCK_SIZE);
2927 a = Z[15];
2928
2929 for (j = 15; j > 0; j--) {
2930 Z[j] = Z[j-1];
2931 }
2932
2933 Z[0] = R[a][0];
2934 Z[1] ^= R[a][1];
2935 }
2936 xorbuf(Z, m[x[0]], AES_BLOCK_SIZE);
2937
2938 XMEMCPY(x, Z, AES_BLOCK_SIZE);
2939}
2940
2941
2942static void GHASH(Aes* aes, const byte* a, word32 aSz,
2943 const byte* c, word32 cSz, byte* s, word32 sSz)
2944{
2945 byte x[AES_BLOCK_SIZE];
2946 byte scratch[AES_BLOCK_SIZE];
2947 word32 blocks, partial;
2948
2949 XMEMSET(x, 0, AES_BLOCK_SIZE);
2950
2951 /* Hash in A, the Additional Authentication Data */
2952 if (aSz != 0 && a != NULL) {
2953 blocks = aSz / AES_BLOCK_SIZE;
2954 partial = aSz % AES_BLOCK_SIZE;
2955 while (blocks--) {
2956 xorbuf(x, a, AES_BLOCK_SIZE);
2957 GMULT(x, aes->M0);
2958 a += AES_BLOCK_SIZE;
2959 }
2960 if (partial != 0) {
2961 XMEMSET(scratch, 0, AES_BLOCK_SIZE);
2962 XMEMCPY(scratch, a, partial);
2963 xorbuf(x, scratch, AES_BLOCK_SIZE);
2964 GMULT(x, aes->M0);
2965 }
2966 }
2967
2968 /* Hash in C, the Ciphertext */
2969 if (cSz != 0 && c != NULL) {
2970 blocks = cSz / AES_BLOCK_SIZE;
2971 partial = cSz % AES_BLOCK_SIZE;
2972 while (blocks--) {
2973 xorbuf(x, c, AES_BLOCK_SIZE);
2974 GMULT(x, aes->M0);
2975 c += AES_BLOCK_SIZE;
2976 }
2977 if (partial != 0) {
2978 XMEMSET(scratch, 0, AES_BLOCK_SIZE);
2979 XMEMCPY(scratch, c, partial);
2980 xorbuf(x, scratch, AES_BLOCK_SIZE);
2981 GMULT(x, aes->M0);
2982 }
2983 }
2984
2985 /* Hash in the lengths of A and C in bits */
2986 FlattenSzInBits(&scratch[0], aSz);
2987 FlattenSzInBits(&scratch[8], cSz);
2988 xorbuf(x, scratch, AES_BLOCK_SIZE);
2989 GMULT(x, aes->M0);
2990
2991 /* Copy the result into s. */
2992 XMEMCPY(s, x, sSz);
2993}
2994
2995/* end GCM_TABLE */
2996#elif defined(WORD64_AVAILABLE) && !defined(GCM_WORD32)
2997
2998static void GMULT(word64* X, word64* Y)
2999{
3000 word64 Z[2] = {0,0};
3001 word64 V[2] ;
3002 int i, j;
3003 V[0] = X[0] ; V[1] = X[1] ;
3004
3005 for (i = 0; i < 2; i++)
3006 {
3007 word64 y = Y[i];
3008 for (j = 0; j < 64; j++)
3009 {
3010 if (y & 0x8000000000000000ULL) {
3011 Z[0] ^= V[0];
3012 Z[1] ^= V[1];
3013 }
3014
3015 if (V[1] & 0x0000000000000001) {
3016 V[1] >>= 1;
3017 V[1] |= ((V[0] & 0x0000000000000001) ? 0x8000000000000000ULL : 0);
3018 V[0] >>= 1;
3019 V[0] ^= 0xE100000000000000ULL;
3020 }
3021 else {
3022 V[1] >>= 1;
3023 V[1] |= ((V[0] & 0x0000000000000001) ? 0x8000000000000000ULL : 0);
3024 V[0] >>= 1;
3025 }
3026 y <<= 1;
3027 }
3028 }
3029 X[0] = Z[0];
3030 X[1] = Z[1];
3031}
3032
3033
3034static void GHASH(Aes* aes, const byte* a, word32 aSz,
3035 const byte* c, word32 cSz, byte* s, word32 sSz)
3036{
3037 word64 x[2] = {0,0};
3038 word32 blocks, partial;
3039 word64 bigH[2];
3040
3041 XMEMCPY(bigH, aes->H, AES_BLOCK_SIZE);
3042 #ifdef LITTLE_ENDIAN_ORDER
3043 ByteReverseWords64(bigH, bigH, AES_BLOCK_SIZE);
3044 #endif
3045
3046 /* Hash in A, the Additional Authentication Data */
3047 if (aSz != 0 && a != NULL) {
3048 word64 bigA[2];
3049 blocks = aSz / AES_BLOCK_SIZE;
3050 partial = aSz % AES_BLOCK_SIZE;
3051 while (blocks--) {
3052 XMEMCPY(bigA, a, AES_BLOCK_SIZE);
3053 #ifdef LITTLE_ENDIAN_ORDER
3054 ByteReverseWords64(bigA, bigA, AES_BLOCK_SIZE);
3055 #endif
3056 x[0] ^= bigA[0];
3057 x[1] ^= bigA[1];
3058 GMULT(x, bigH);
3059 a += AES_BLOCK_SIZE;
3060 }
3061 if (partial != 0) {
3062 XMEMSET(bigA, 0, AES_BLOCK_SIZE);
3063 XMEMCPY(bigA, a, partial);
3064 #ifdef LITTLE_ENDIAN_ORDER
3065 ByteReverseWords64(bigA, bigA, AES_BLOCK_SIZE);
3066 #endif
3067 x[0] ^= bigA[0];
3068 x[1] ^= bigA[1];
3069 GMULT(x, bigH);
3070 }
3071 }
3072
3073 /* Hash in C, the Ciphertext */
3074 if (cSz != 0 && c != NULL) {
3075 word64 bigC[2];
3076 blocks = cSz / AES_BLOCK_SIZE;
3077 partial = cSz % AES_BLOCK_SIZE;
3078 while (blocks--) {
3079 XMEMCPY(bigC, c, AES_BLOCK_SIZE);
3080 #ifdef LITTLE_ENDIAN_ORDER
3081 ByteReverseWords64(bigC, bigC, AES_BLOCK_SIZE);
3082 #endif
3083 x[0] ^= bigC[0];
3084 x[1] ^= bigC[1];
3085 GMULT(x, bigH);
3086 c += AES_BLOCK_SIZE;
3087 }
3088 if (partial != 0) {
3089 XMEMSET(bigC, 0, AES_BLOCK_SIZE);
3090 XMEMCPY(bigC, c, partial);
3091 #ifdef LITTLE_ENDIAN_ORDER
3092 ByteReverseWords64(bigC, bigC, AES_BLOCK_SIZE);
3093 #endif
3094 x[0] ^= bigC[0];
3095 x[1] ^= bigC[1];
3096 GMULT(x, bigH);
3097 }
3098 }
3099
3100 /* Hash in the lengths in bits of A and C */
3101 {
3102 word64 len[2] ;
3103 len[0] = aSz ; len[1] = cSz;
3104
3105 /* Lengths are in bytes. Convert to bits. */
3106 len[0] *= 8;
3107 len[1] *= 8;
3108
3109 x[0] ^= len[0];
3110 x[1] ^= len[1];
3111 GMULT(x, bigH);
3112 }
3113 #ifdef LITTLE_ENDIAN_ORDER
3114 ByteReverseWords64(x, x, AES_BLOCK_SIZE);
3115 #endif
3116 XMEMCPY(s, x, sSz);
3117}
3118
3119/* end defined(WORD64_AVAILABLE) && !defined(GCM_WORD32) */
3120#else /* GCM_WORD32 */
3121
3122static void GMULT(word32* X, word32* Y)
3123{
3124 word32 Z[4] = {0,0,0,0};
3125 word32 V[4] ;
3126 int i, j;
3127
3128 V[0] = X[0]; V[1] = X[1]; V[2] = X[2]; V[3] = X[3];
3129
3130 for (i = 0; i < 4; i++)
3131 {
3132 word32 y = Y[i];
3133 for (j = 0; j < 32; j++)
3134 {
3135 if (y & 0x80000000) {
3136 Z[0] ^= V[0];
3137 Z[1] ^= V[1];
3138 Z[2] ^= V[2];
3139 Z[3] ^= V[3];
3140 }
3141
3142 if (V[3] & 0x00000001) {
3143 V[3] >>= 1;
3144 V[3] |= ((V[2] & 0x00000001) ? 0x80000000 : 0);
3145 V[2] >>= 1;
3146 V[2] |= ((V[1] & 0x00000001) ? 0x80000000 : 0);
3147 V[1] >>= 1;
3148 V[1] |= ((V[0] & 0x00000001) ? 0x80000000 : 0);
3149 V[0] >>= 1;
3150 V[0] ^= 0xE1000000;
3151 } else {
3152 V[3] >>= 1;
3153 V[3] |= ((V[2] & 0x00000001) ? 0x80000000 : 0);
3154 V[2] >>= 1;
3155 V[2] |= ((V[1] & 0x00000001) ? 0x80000000 : 0);
3156 V[1] >>= 1;
3157 V[1] |= ((V[0] & 0x00000001) ? 0x80000000 : 0);
3158 V[0] >>= 1;
3159 }
3160 y <<= 1;
3161 }
3162 }
3163 X[0] = Z[0];
3164 X[1] = Z[1];
3165 X[2] = Z[2];
3166 X[3] = Z[3];
3167}
3168
3169
3170static void GHASH(Aes* aes, const byte* a, word32 aSz,
3171 const byte* c, word32 cSz, byte* s, word32 sSz)
3172{
3173 word32 x[4] = {0,0,0,0};
3174 word32 blocks, partial;
3175 word32 bigH[4];
3176
3177 XMEMCPY(bigH, aes->H, AES_BLOCK_SIZE);
3178 #ifdef LITTLE_ENDIAN_ORDER
3179 ByteReverseWords(bigH, bigH, AES_BLOCK_SIZE);
3180 #endif
3181
3182 /* Hash in A, the Additional Authentication Data */
3183 if (aSz != 0 && a != NULL) {
3184 word32 bigA[4];
3185 blocks = aSz / AES_BLOCK_SIZE;
3186 partial = aSz % AES_BLOCK_SIZE;
3187 while (blocks--) {
3188 XMEMCPY(bigA, a, AES_BLOCK_SIZE);
3189 #ifdef LITTLE_ENDIAN_ORDER
3190 ByteReverseWords(bigA, bigA, AES_BLOCK_SIZE);
3191 #endif
3192 x[0] ^= bigA[0];
3193 x[1] ^= bigA[1];
3194 x[2] ^= bigA[2];
3195 x[3] ^= bigA[3];
3196 GMULT(x, bigH);
3197 a += AES_BLOCK_SIZE;
3198 }
3199 if (partial != 0) {
3200 XMEMSET(bigA, 0, AES_BLOCK_SIZE);
3201 XMEMCPY(bigA, a, partial);
3202 #ifdef LITTLE_ENDIAN_ORDER
3203 ByteReverseWords(bigA, bigA, AES_BLOCK_SIZE);
3204 #endif
3205 x[0] ^= bigA[0];
3206 x[1] ^= bigA[1];
3207 x[2] ^= bigA[2];
3208 x[3] ^= bigA[3];
3209 GMULT(x, bigH);
3210 }
3211 }
3212
3213 /* Hash in C, the Ciphertext */
3214 if (cSz != 0 && c != NULL) {
3215 word32 bigC[4];
3216 blocks = cSz / AES_BLOCK_SIZE;
3217 partial = cSz % AES_BLOCK_SIZE;
3218 while (blocks--) {
3219 XMEMCPY(bigC, c, AES_BLOCK_SIZE);
3220 #ifdef LITTLE_ENDIAN_ORDER
3221 ByteReverseWords(bigC, bigC, AES_BLOCK_SIZE);
3222 #endif
3223 x[0] ^= bigC[0];
3224 x[1] ^= bigC[1];
3225 x[2] ^= bigC[2];
3226 x[3] ^= bigC[3];
3227 GMULT(x, bigH);
3228 c += AES_BLOCK_SIZE;
3229 }
3230 if (partial != 0) {
3231 XMEMSET(bigC, 0, AES_BLOCK_SIZE);
3232 XMEMCPY(bigC, c, partial);
3233 #ifdef LITTLE_ENDIAN_ORDER
3234 ByteReverseWords(bigC, bigC, AES_BLOCK_SIZE);
3235 #endif
3236 x[0] ^= bigC[0];
3237 x[1] ^= bigC[1];
3238 x[2] ^= bigC[2];
3239 x[3] ^= bigC[3];
3240 GMULT(x, bigH);
3241 }
3242 }
3243
3244 /* Hash in the lengths in bits of A and C */
3245 {
3246 word32 len[4];
3247
3248 /* Lengths are in bytes. Convert to bits. */
3249 len[0] = (aSz >> (8*sizeof(aSz) - 3));
3250 len[1] = aSz << 3;
3251 len[2] = (cSz >> (8*sizeof(cSz) - 3));
3252 len[3] = cSz << 3;
3253
3254 x[0] ^= len[0];
3255 x[1] ^= len[1];
3256 x[2] ^= len[2];
3257 x[3] ^= len[3];
3258 GMULT(x, bigH);
3259 }
3260 #ifdef LITTLE_ENDIAN_ORDER
3261 ByteReverseWords(x, x, AES_BLOCK_SIZE);
3262 #endif
3263 XMEMCPY(s, x, sSz);
3264}
3265
3266#endif /* end GCM_WORD32 */
3267
3268
3269int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
3270 const byte* iv, word32 ivSz,
3271 byte* authTag, word32 authTagSz,
3272 const byte* authIn, word32 authInSz)
3273{
3274 word32 blocks = sz / AES_BLOCK_SIZE;
3275 word32 partial = sz % AES_BLOCK_SIZE;
3276 const byte* p = in;
3277 byte* c = out;
3278 byte counter[AES_BLOCK_SIZE];
3279 byte *ctr ;
3280 byte scratch[AES_BLOCK_SIZE];
3281
3282 WOLFSSL_ENTER("AesGcmEncrypt");
3283
3284#ifdef WOLFSSL_PIC32MZ_CRYPT
3285 ctr = (char *)aes->iv_ce ;
3286#else
3287 ctr = counter ;
3288#endif
3289
3290 XMEMSET(ctr, 0, AES_BLOCK_SIZE);
3291 XMEMCPY(ctr, iv, ivSz);
3292 InitGcmCounter(ctr);
3293
3294#ifdef WOLFSSL_PIC32MZ_CRYPT
3295 if(blocks)
3296 wc_AesCrypt(aes, out, in, blocks*AES_BLOCK_SIZE,
3297 PIC32_ENCRYPTION, PIC32_ALGO_AES, PIC32_CRYPTOALGO_AES_GCM );
3298#endif
3299 while (blocks--) {
3300 IncrementGcmCounter(ctr);
3301 #ifndef WOLFSSL_PIC32MZ_CRYPT
3302 wc_AesEncrypt(aes, ctr, scratch);
3303 xorbuf(scratch, p, AES_BLOCK_SIZE);
3304 XMEMCPY(c, scratch, AES_BLOCK_SIZE);
3305 #endif
3306 p += AES_BLOCK_SIZE;
3307 c += AES_BLOCK_SIZE;
3308 }
3309
3310 if (partial != 0) {
3311 IncrementGcmCounter(ctr);
3312 wc_AesEncrypt(aes, ctr, scratch);
3313 xorbuf(scratch, p, partial);
3314 XMEMCPY(c, scratch, partial);
3315
3316 }
3317
3318 GHASH(aes, authIn, authInSz, out, sz, authTag, authTagSz);
3319 InitGcmCounter(ctr);
3320 wc_AesEncrypt(aes, ctr, scratch);
3321 xorbuf(authTag, scratch, authTagSz);
3322
3323 return 0;
3324}
3325
3326
3327int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
3328 const byte* iv, word32 ivSz,
3329 const byte* authTag, word32 authTagSz,
3330 const byte* authIn, word32 authInSz)
3331{
3332 word32 blocks = sz / AES_BLOCK_SIZE;
3333 word32 partial = sz % AES_BLOCK_SIZE;
3334 const byte* c = in;
3335 byte* p = out;
3336 byte counter[AES_BLOCK_SIZE];
3337 byte *ctr ;
3338 byte scratch[AES_BLOCK_SIZE];
3339
3340 WOLFSSL_ENTER("AesGcmDecrypt");
3341
3342#ifdef WOLFSSL_PIC32MZ_CRYPT
3343 ctr = (char *)aes->iv_ce ;
3344#else
3345 ctr = counter ;
3346#endif
3347
3348 XMEMSET(ctr, 0, AES_BLOCK_SIZE);
3349 XMEMCPY(ctr, iv, ivSz);
3350 InitGcmCounter(ctr);
3351
3352 /* Calculate the authTag again using the received auth data and the
3353 * cipher text. */
3354 {
3355 byte Tprime[AES_BLOCK_SIZE];
3356 byte EKY0[AES_BLOCK_SIZE];
3357
3358 GHASH(aes, authIn, authInSz, in, sz, Tprime, sizeof(Tprime));
3359 wc_AesEncrypt(aes, ctr, EKY0);
3360 xorbuf(Tprime, EKY0, sizeof(Tprime));
3361
3362 if (ConstantCompare(authTag, Tprime, authTagSz) != 0) {
3363 return AES_GCM_AUTH_E;
3364 }
3365 }
3366
3367#ifdef WOLFSSL_PIC32MZ_CRYPT
3368 if(blocks)
3369 wc_AesCrypt(aes, out, in, blocks*AES_BLOCK_SIZE,
3370 PIC32_DECRYPTION, PIC32_ALGO_AES, PIC32_CRYPTOALGO_AES_GCM );
3371#endif
3372
3373 while (blocks--) {
3374 IncrementGcmCounter(ctr);
3375 #ifndef WOLFSSL_PIC32MZ_CRYPT
3376 wc_AesEncrypt(aes, ctr, scratch);
3377 xorbuf(scratch, c, AES_BLOCK_SIZE);
3378 XMEMCPY(p, scratch, AES_BLOCK_SIZE);
3379 #endif
3380 p += AES_BLOCK_SIZE;
3381 c += AES_BLOCK_SIZE;
3382 }
3383 if (partial != 0) {
3384 IncrementGcmCounter(ctr);
3385 wc_AesEncrypt(aes, ctr, scratch);
3386 xorbuf(scratch, c, partial);
3387 XMEMCPY(p, scratch, partial);
3388 }
3389 return 0;
3390}
3391
3392
3393
3394WOLFSSL_API int wc_GmacSetKey(Gmac* gmac, const byte* key, word32 len)
3395{
3396 return wc_AesGcmSetKey(&gmac->aes, key, len);
3397}
3398
3399
3400WOLFSSL_API int wc_GmacUpdate(Gmac* gmac, const byte* iv, word32 ivSz,
3401 const byte* authIn, word32 authInSz,
3402 byte* authTag, word32 authTagSz)
3403{
3404 return wc_AesGcmEncrypt(&gmac->aes, NULL, NULL, 0, iv, ivSz,
3405 authTag, authTagSz, authIn, authInSz);
3406}
3407
3408#endif /* HAVE_AESGCM */
3409
3410
3411#ifdef HAVE_AESCCM
3412
3413#ifdef STM32F2_CRYPTO
3414 #error "STM32F2 crypto doesn't currently support AES-CCM mode"
3415
3416#elif defined(HAVE_COLDFIRE_SEC)
3417 #error "Coldfire SEC doesn't currently support AES-CCM mode"
3418
3419#elif defined(WOLFSSL_PIC32MZ_CRYPT)
3420 #error "PIC32MZ doesn't currently support AES-CCM mode"
3421
3422#endif
3423
3424void wc_AesCcmSetKey(Aes* aes, const byte* key, word32 keySz)
3425{
3426 byte nonce[AES_BLOCK_SIZE];
3427
3428 if (!((keySz == 16) || (keySz == 24) || (keySz == 32)))
3429 return;
3430
3431 XMEMSET(nonce, 0, sizeof(nonce));
3432 wc_AesSetKey(aes, key, keySz, nonce, AES_ENCRYPTION);
3433}
3434
3435
3436static void roll_x(Aes* aes, const byte* in, word32 inSz, byte* out)
3437{
3438 /* process the bulk of the data */
3439 while (inSz >= AES_BLOCK_SIZE) {
3440 xorbuf(out, in, AES_BLOCK_SIZE);
3441 in += AES_BLOCK_SIZE;
3442 inSz -= AES_BLOCK_SIZE;
3443
3444 wc_AesEncrypt(aes, out, out);
3445 }
3446
3447 /* process remainder of the data */
3448 if (inSz > 0) {
3449 xorbuf(out, in, inSz);
3450 wc_AesEncrypt(aes, out, out);
3451 }
3452}
3453
3454
3455static void roll_auth(Aes* aes, const byte* in, word32 inSz, byte* out)
3456{
3457 word32 authLenSz;
3458 word32 remainder;
3459
3460 /* encode the length in */
3461 if (inSz <= 0xFEFF) {
3462 authLenSz = 2;
3463 out[0] ^= ((inSz & 0xFF00) >> 8);
3464 out[1] ^= (inSz & 0x00FF);
3465 }
3466 else if (inSz <= 0xFFFFFFFF) {
3467 authLenSz = 6;
3468 out[0] ^= 0xFF; out[1] ^= 0xFE;
3469 out[2] ^= ((inSz & 0xFF000000) >> 24);
3470 out[3] ^= ((inSz & 0x00FF0000) >> 16);
3471 out[4] ^= ((inSz & 0x0000FF00) >> 8);
3472 out[5] ^= (inSz & 0x000000FF);
3473 }
3474 /* Note, the protocol handles auth data up to 2^64, but we are
3475 * using 32-bit sizes right now, so the bigger data isn't handled
3476 * else if (inSz <= 0xFFFFFFFFFFFFFFFF) {} */
3477 else
3478 return;
3479
3480 /* start fill out the rest of the first block */
3481 remainder = AES_BLOCK_SIZE - authLenSz;
3482 if (inSz >= remainder) {
3483 /* plenty of bulk data to fill the remainder of this block */
3484 xorbuf(out + authLenSz, in, remainder);
3485 inSz -= remainder;
3486 in += remainder;
3487 }
3488 else {
3489 /* not enough bulk data, copy what is available, and pad zero */
3490 xorbuf(out + authLenSz, in, inSz);
3491 inSz = 0;
3492 }
3493 wc_AesEncrypt(aes, out, out);
3494
3495 if (inSz > 0)
3496 roll_x(aes, in, inSz, out);
3497}
3498
3499
3500static INLINE void AesCcmCtrInc(byte* B, word32 lenSz)
3501{
3502 word32 i;
3503
3504 for (i = 0; i < lenSz; i++) {
3505 if (++B[AES_BLOCK_SIZE - 1 - i] != 0) return;
3506 }
3507}
3508
3509
3510/* return 0 on success */
3511int wc_AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
3512 const byte* nonce, word32 nonceSz,
3513 byte* authTag, word32 authTagSz,
3514 const byte* authIn, word32 authInSz)
3515{
3516 byte A[AES_BLOCK_SIZE];
3517 byte B[AES_BLOCK_SIZE];
3518 byte lenSz;
3519 word32 i;
3520 byte mask = 0xFF;
3521 word32 wordSz = (word32)sizeof(word32);
3522
3523 /* sanity check on arugments */
3524 if (aes == NULL || out == NULL || in == NULL || nonce == NULL
3525 || authTag == NULL || nonceSz < 7 || nonceSz > 13)
3526 return BAD_FUNC_ARG;
3527
3528 XMEMCPY(B+1, nonce, nonceSz);
3529 lenSz = AES_BLOCK_SIZE - 1 - (byte)nonceSz;
3530 B[0] = (authInSz > 0 ? 64 : 0)
3531 + (8 * (((byte)authTagSz - 2) / 2))
3532 + (lenSz - 1);
3533 for (i = 0; i < lenSz; i++) {
3534 if (mask && i >= wordSz)
3535 mask = 0x00;
3536 B[AES_BLOCK_SIZE - 1 - i] = (inSz >> ((8 * i) & mask)) & mask;
3537 }
3538
3539 wc_AesEncrypt(aes, B, A);
3540
3541 if (authInSz > 0)
3542 roll_auth(aes, authIn, authInSz, A);
3543 if (inSz > 0)
3544 roll_x(aes, in, inSz, A);
3545 XMEMCPY(authTag, A, authTagSz);
3546
3547 B[0] = lenSz - 1;
3548 for (i = 0; i < lenSz; i++)
3549 B[AES_BLOCK_SIZE - 1 - i] = 0;
3550 wc_AesEncrypt(aes, B, A);
3551 xorbuf(authTag, A, authTagSz);
3552
3553 B[15] = 1;
3554 while (inSz >= AES_BLOCK_SIZE) {
3555 wc_AesEncrypt(aes, B, A);
3556 xorbuf(A, in, AES_BLOCK_SIZE);
3557 XMEMCPY(out, A, AES_BLOCK_SIZE);
3558
3559 AesCcmCtrInc(B, lenSz);
3560 inSz -= AES_BLOCK_SIZE;
3561 in += AES_BLOCK_SIZE;
3562 out += AES_BLOCK_SIZE;
3563 }
3564 if (inSz > 0) {
3565 wc_AesEncrypt(aes, B, A);
3566 xorbuf(A, in, inSz);
3567 XMEMCPY(out, A, inSz);
3568 }
3569
3570 ForceZero(A, AES_BLOCK_SIZE);
3571 ForceZero(B, AES_BLOCK_SIZE);
3572
3573 return 0;
3574}
3575
3576
3577int wc_AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
3578 const byte* nonce, word32 nonceSz,
3579 const byte* authTag, word32 authTagSz,
3580 const byte* authIn, word32 authInSz)
3581{
3582 byte A[AES_BLOCK_SIZE];
3583 byte B[AES_BLOCK_SIZE];
3584 byte* o;
3585 byte lenSz;
3586 word32 i, oSz;
3587 int result = 0;
3588 byte mask = 0xFF;
3589 word32 wordSz = (word32)sizeof(word32);
3590
3591 /* sanity check on arugments */
3592 if (aes == NULL || out == NULL || in == NULL || nonce == NULL
3593 || authTag == NULL || nonceSz < 7 || nonceSz > 13)
3594 return BAD_FUNC_ARG;
3595
3596 o = out;
3597 oSz = inSz;
3598 XMEMCPY(B+1, nonce, nonceSz);
3599 lenSz = AES_BLOCK_SIZE - 1 - (byte)nonceSz;
3600
3601 B[0] = lenSz - 1;
3602 for (i = 0; i < lenSz; i++)
3603 B[AES_BLOCK_SIZE - 1 - i] = 0;
3604 B[15] = 1;
3605
3606 while (oSz >= AES_BLOCK_SIZE) {
3607 wc_AesEncrypt(aes, B, A);
3608 xorbuf(A, in, AES_BLOCK_SIZE);
3609 XMEMCPY(o, A, AES_BLOCK_SIZE);
3610
3611 AesCcmCtrInc(B, lenSz);
3612 oSz -= AES_BLOCK_SIZE;
3613 in += AES_BLOCK_SIZE;
3614 o += AES_BLOCK_SIZE;
3615 }
3616 if (inSz > 0) {
3617 wc_AesEncrypt(aes, B, A);
3618 xorbuf(A, in, oSz);
3619 XMEMCPY(o, A, oSz);
3620 }
3621
3622 for (i = 0; i < lenSz; i++)
3623 B[AES_BLOCK_SIZE - 1 - i] = 0;
3624 wc_AesEncrypt(aes, B, A);
3625
3626 o = out;
3627 oSz = inSz;
3628
3629 B[0] = (authInSz > 0 ? 64 : 0)
3630 + (8 * (((byte)authTagSz - 2) / 2))
3631 + (lenSz - 1);
3632 for (i = 0; i < lenSz; i++) {
3633 if (mask && i >= wordSz)
3634 mask = 0x00;
3635 B[AES_BLOCK_SIZE - 1 - i] = (inSz >> ((8 * i) & mask)) & mask;
3636 }
3637
3638 wc_AesEncrypt(aes, B, A);
3639
3640 if (authInSz > 0)
3641 roll_auth(aes, authIn, authInSz, A);
3642 if (inSz > 0)
3643 roll_x(aes, o, oSz, A);
3644
3645 B[0] = lenSz - 1;
3646 for (i = 0; i < lenSz; i++)
3647 B[AES_BLOCK_SIZE - 1 - i] = 0;
3648 wc_AesEncrypt(aes, B, B);
3649 xorbuf(A, B, authTagSz);
3650
3651 if (ConstantCompare(A, authTag, authTagSz) != 0) {
3652 /* If the authTag check fails, don't keep the decrypted data.
3653 * Unfortunately, you need the decrypted data to calculate the
3654 * check value. */
3655 XMEMSET(out, 0, inSz);
3656 result = AES_CCM_AUTH_E;
3657 }
3658
3659 ForceZero(A, AES_BLOCK_SIZE);
3660 ForceZero(B, AES_BLOCK_SIZE);
3661 o = NULL;
3662
3663 return result;
3664}
3665
3666#endif /* HAVE_AESCCM */
3667
3668
3669#ifdef HAVE_CAVIUM
3670
3671#include <wolfssl/ctaocrypt/logging.h>
3672#include "cavium_common.h"
3673
3674/* Initiliaze Aes for use with Nitrox device */
3675int wc_AesInitCavium(Aes* aes, int devId)
3676{
3677 if (aes == NULL)
3678 return -1;
3679
3680 if (CspAllocContext(CONTEXT_SSL, &aes->contextHandle, devId) != 0)
3681 return -1;
3682
3683 aes->devId = devId;
3684 aes->magic = WOLFSSL_AES_CAVIUM_MAGIC;
3685
3686 return 0;
3687}
3688
3689
3690/* Free Aes from use with Nitrox device */
3691void wc_AesFreeCavium(Aes* aes)
3692{
3693 if (aes == NULL)
3694 return;
3695
3696 if (aes->magic != WOLFSSL_AES_CAVIUM_MAGIC)
3697 return;
3698
3699 CspFreeContext(CONTEXT_SSL, aes->contextHandle, aes->devId);
3700 aes->magic = 0;
3701}
3702
3703
3704static int wc_AesCaviumSetKey(Aes* aes, const byte* key, word32 length,
3705 const byte* iv)
3706{
3707 if (aes == NULL)
3708 return -1;
3709
3710 XMEMCPY(aes->key, key, length); /* key still holds key, iv still in reg */
3711 if (length == 16)
3712 aes->type = AES_128;
3713 else if (length == 24)
3714 aes->type = AES_192;
3715 else if (length == 32)
3716 aes->type = AES_256;
3717
3718 return wc_AesSetIV(aes, iv);
3719}
3720
3721
3722static int AesCaviumCbcEncrypt(Aes* aes, byte* out, const byte* in,
3723 word32 length)
3724{
3725 wolfssl_word offset = 0;
3726 word32 requestId;
3727
3728 while (length > WOLFSSL_MAX_16BIT) {
3729 word16 slen = (word16)WOLFSSL_MAX_16BIT;
3730 if (CspEncryptAes(CAVIUM_BLOCKING, aes->contextHandle, CAVIUM_NO_UPDATE,
3731 aes->type, slen, (byte*)in + offset, out + offset,
3732 (byte*)aes->reg, (byte*)aes->key, &requestId,
3733 aes->devId) != 0) {
3734 WOLFSSL_MSG("Bad Cavium Aes Encrypt");
3735 return -1;
3736 }
3737 length -= WOLFSSL_MAX_16BIT;
3738 offset += WOLFSSL_MAX_16BIT;
3739 XMEMCPY(aes->reg, out + offset - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
3740 }
3741 if (length) {
3742 word16 slen = (word16)length;
3743 if (CspEncryptAes(CAVIUM_BLOCKING, aes->contextHandle, CAVIUM_NO_UPDATE,
3744 aes->type, slen, (byte*)in + offset, out + offset,
3745 (byte*)aes->reg, (byte*)aes->key, &requestId,
3746 aes->devId) != 0) {
3747 WOLFSSL_MSG("Bad Cavium Aes Encrypt");
3748 return -1;
3749 }
3750 XMEMCPY(aes->reg, out + offset+length - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
3751 }
3752 return 0;
3753}
3754
3755static int AesCaviumCbcDecrypt(Aes* aes, byte* out, const byte* in,
3756 word32 length)
3757{
3758 word32 requestId;
3759 wolfssl_word offset = 0;
3760
3761 while (length > WOLFSSL_MAX_16BIT) {
3762 word16 slen = (word16)WOLFSSL_MAX_16BIT;
3763 XMEMCPY(aes->tmp, in + offset + slen - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
3764 if (CspDecryptAes(CAVIUM_BLOCKING, aes->contextHandle, CAVIUM_NO_UPDATE,
3765 aes->type, slen, (byte*)in + offset, out + offset,
3766 (byte*)aes->reg, (byte*)aes->key, &requestId,
3767 aes->devId) != 0) {
3768 WOLFSSL_MSG("Bad Cavium Aes Decrypt");
3769 return -1;
3770 }
3771 length -= WOLFSSL_MAX_16BIT;
3772 offset += WOLFSSL_MAX_16BIT;
3773 XMEMCPY(aes->reg, aes->tmp, AES_BLOCK_SIZE);
3774 }
3775 if (length) {
3776 word16 slen = (word16)length;
3777 XMEMCPY(aes->tmp, in + offset + slen - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
3778 if (CspDecryptAes(CAVIUM_BLOCKING, aes->contextHandle, CAVIUM_NO_UPDATE,
3779 aes->type, slen, (byte*)in + offset, out + offset,
3780 (byte*)aes->reg, (byte*)aes->key, &requestId,
3781 aes->devId) != 0) {
3782 WOLFSSL_MSG("Bad Cavium Aes Decrypt");
3783 return -1;
3784 }
3785 XMEMCPY(aes->reg, aes->tmp, AES_BLOCK_SIZE);
3786 }
3787 return 0;
3788}
3789
3790#endif /* HAVE_CAVIUM */
3791
3792#endif /* WOLFSSL_TI_CRYPT */
3793
3794#endif /* HAVE_FIPS */
3795
3796#endif /* NO_AES */
Note: See TracBrowser for help on using the repository browser.