wolfSSL SSL/TLS library, support up to TLS1.3


Committer:
wolfSSL
Date:
Fri Jun 05 00:11:07 2020 +0000
Revision:
17:a5f916481144
Parent:
16:8e0d178b1d1e
wolfSSL 4.4.0

Who changed what in which revision?

User | Revision | Line number | New contents of line
wolfSSL 15:117db924cf7c 1 /* aes.c
wolfSSL 15:117db924cf7c 2 *
wolfSSL 16:8e0d178b1d1e 3 * Copyright (C) 2006-2020 wolfSSL Inc.
wolfSSL 15:117db924cf7c 4 *
wolfSSL 15:117db924cf7c 5 * This file is part of wolfSSL.
wolfSSL 15:117db924cf7c 6 *
wolfSSL 15:117db924cf7c 7 * wolfSSL is free software; you can redistribute it and/or modify
wolfSSL 15:117db924cf7c 8 * it under the terms of the GNU General Public License as published by
wolfSSL 15:117db924cf7c 9 * the Free Software Foundation; either version 2 of the License, or
wolfSSL 15:117db924cf7c 10 * (at your option) any later version.
wolfSSL 15:117db924cf7c 11 *
wolfSSL 15:117db924cf7c 12 * wolfSSL is distributed in the hope that it will be useful,
wolfSSL 15:117db924cf7c 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
wolfSSL 15:117db924cf7c 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
wolfSSL 15:117db924cf7c 15 * GNU General Public License for more details.
wolfSSL 15:117db924cf7c 16 *
wolfSSL 15:117db924cf7c 17 * You should have received a copy of the GNU General Public License
wolfSSL 15:117db924cf7c 18 * along with this program; if not, write to the Free Software
wolfSSL 15:117db924cf7c 19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
wolfSSL 15:117db924cf7c 20 */
wolfSSL 15:117db924cf7c 21
wolfSSL 15:117db924cf7c 22
wolfSSL 15:117db924cf7c 23 #ifdef HAVE_CONFIG_H
wolfSSL 15:117db924cf7c 24 #include <config.h>
wolfSSL 15:117db924cf7c 25 #endif
wolfSSL 15:117db924cf7c 26
wolfSSL 15:117db924cf7c 27 #include <wolfssl/wolfcrypt/settings.h>
wolfSSL 15:117db924cf7c 28 #include <wolfssl/wolfcrypt/error-crypt.h>
wolfSSL 15:117db924cf7c 29
wolfSSL 15:117db924cf7c 30 #if !defined(NO_AES)
wolfSSL 15:117db924cf7c 31
wolfSSL 16:8e0d178b1d1e 32 /* Tip: Locate the software cipher modes by searching for "Software AES" */
wolfSSL 16:8e0d178b1d1e 33
wolfSSL 15:117db924cf7c 34 #if defined(HAVE_FIPS) && \
wolfSSL 15:117db924cf7c 35 defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
wolfSSL 15:117db924cf7c 36
wolfSSL 15:117db924cf7c 37 /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */
wolfSSL 15:117db924cf7c 38 #define FIPS_NO_WRAPPERS
wolfSSL 15:117db924cf7c 39
wolfSSL 15:117db924cf7c 40 #ifdef USE_WINDOWS_API
wolfSSL 15:117db924cf7c 41 #pragma code_seg(".fipsA$g")
wolfSSL 15:117db924cf7c 42 #pragma const_seg(".fipsB$g")
wolfSSL 15:117db924cf7c 43 #endif
wolfSSL 15:117db924cf7c 44 #endif
wolfSSL 15:117db924cf7c 45
wolfSSL 15:117db924cf7c 46 #include <wolfssl/wolfcrypt/aes.h>
wolfSSL 15:117db924cf7c 47 #include <wolfssl/wolfcrypt/cpuid.h>
wolfSSL 15:117db924cf7c 48
wolfSSL 16:8e0d178b1d1e 49 #ifdef WOLF_CRYPTO_CB
wolfSSL 16:8e0d178b1d1e 50 #include <wolfssl/wolfcrypt/cryptocb.h>
wolfSSL 16:8e0d178b1d1e 51 #endif
wolfSSL 16:8e0d178b1d1e 52
wolfSSL 15:117db924cf7c 53
wolfSSL 15:117db924cf7c 54 /* fips wrapper calls, user can call direct */
wolfSSL 15:117db924cf7c 55 #if defined(HAVE_FIPS) && \
wolfSSL 15:117db924cf7c 56 (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
wolfSSL 15:117db924cf7c 57
/* FIPS wrapper for AES key setup.
 *
 * Rejects a NULL context and any key length other than 16, 24 or 32 bytes
 * with BAD_FUNC_ARG, then forwards every argument to AesSetKey_fips() and
 * returns its result. key and iv are passed through without a NULL check
 * at this layer.
 */
int wc_AesSetKey(Aes* aes, const byte* key, word32 len, const byte* iv,
                 int dir)
{
    if (aes == NULL) {
        return BAD_FUNC_ARG;
    }

    /* only the AES-128/192/256 key sizes (in bytes) are accepted */
    switch (len) {
        case 16:
        case 24:
        case 32:
            break;
        default:
            return BAD_FUNC_ARG;
    }

    return AesSetKey_fips(aes, key, len, iv, dir);
}
/* FIPS wrapper for setting the IV.
 *
 * Returns BAD_FUNC_ARG for a NULL context; otherwise returns whatever
 * AesSetIV_fips() returns. iv is forwarded unchecked.
 */
int wc_AesSetIV(Aes* aes, const byte* iv)
{
    return (aes != NULL) ? AesSetIV_fips(aes, iv) : BAD_FUNC_ARG;
}
wolfSSL 15:117db924cf7c 75 #ifdef HAVE_AES_CBC
/* FIPS wrapper for AES-CBC encryption.
 *
 * Returns BAD_FUNC_ARG when aes, out or in is NULL, otherwise the result of
 * AesCbcEncrypt_fips().
 *
 * NOTE(review): unlike wc_AesCbcDecrypt, sz is not required to be a multiple
 * of AES_BLOCK_SIZE here; how AesCbcEncrypt_fips() treats a trailing partial
 * block is not visible from this wrapper -- confirm before relying on it.
 */
int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    int ret = BAD_FUNC_ARG;

    if (aes != NULL && out != NULL && in != NULL) {
        ret = AesCbcEncrypt_fips(aes, out, in, sz);
    }

    return ret;
}
wolfSSL 15:117db924cf7c 84 #ifdef HAVE_AES_DECRYPT
/* FIPS wrapper for AES-CBC decryption.
 *
 * Returns BAD_FUNC_ARG when aes, out or in is NULL or when sz is not a whole
 * number of AES blocks; otherwise returns the result of
 * AesCbcDecrypt_fips().
 */
int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    if (aes == NULL || out == NULL || in == NULL) {
        return BAD_FUNC_ARG;
    }

    /* ciphertext must be block aligned */
    if ((sz % AES_BLOCK_SIZE) != 0) {
        return BAD_FUNC_ARG;
    }

    return AesCbcDecrypt_fips(aes, out, in, sz);
}
wolfSSL 15:117db924cf7c 94 #endif /* HAVE_AES_DECRYPT */
wolfSSL 15:117db924cf7c 95 #endif /* HAVE_AES_CBC */
wolfSSL 15:117db924cf7c 96
wolfSSL 15:117db924cf7c 97 /* AES-CTR */
wolfSSL 15:117db924cf7c 98 #ifdef WOLFSSL_AES_COUNTER
/* FIPS wrapper for AES-CTR.
 *
 * Returns BAD_FUNC_ARG when aes, out or in is NULL, otherwise the result of
 * AesCtrEncrypt().
 */
int wc_AesCtrEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    int ret = BAD_FUNC_ARG;

    if (aes != NULL && out != NULL && in != NULL) {
        ret = AesCtrEncrypt(aes, out, in, sz);
    }

    return ret;
}
wolfSSL 15:117db924cf7c 107 #endif
wolfSSL 15:117db924cf7c 108
wolfSSL 15:117db924cf7c 109 /* AES-DIRECT */
wolfSSL 15:117db924cf7c 110 #if defined(WOLFSSL_AES_DIRECT)
/* FIPS wrapper for single-block direct encryption.
 *
 * Forwards straight to AesEncryptDirect(). No argument is validated here and
 * the function returns void, so a failure cannot be reported to the caller
 * from this layer.
 */
void wc_AesEncryptDirect(Aes* aes, byte* out, const byte* in)
{
    AesEncryptDirect(aes, out, in);
    return;
}
wolfSSL 15:117db924cf7c 115
wolfSSL 15:117db924cf7c 116 #ifdef HAVE_AES_DECRYPT
/* FIPS wrapper for single-block direct decryption.
 *
 * Forwards straight to AesDecryptDirect(). No argument is validated here and
 * the function returns void, so a failure cannot be reported to the caller
 * from this layer.
 */
void wc_AesDecryptDirect(Aes* aes, byte* out, const byte* in)
{
    AesDecryptDirect(aes, out, in);
    return;
}
wolfSSL 15:117db924cf7c 121 #endif /* HAVE_AES_DECRYPT */
wolfSSL 15:117db924cf7c 122
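/* FIPS wrapper for key setup in direct (single-block) mode.
 *
 * Applies the same argument checks as wc_AesSetKey and wc_AesGcmSetKey
 * before forwarding: a NULL context or a key length other than 16, 24 or 32
 * bytes is rejected with BAD_FUNC_ARG instead of being handed to the
 * underlying implementation. On valid input the result of AesSetKeyDirect()
 * is returned unchanged. key and iv are forwarded unchecked, as in
 * wc_AesSetKey.
 */
int wc_AesSetKeyDirect(Aes* aes, const byte* key, word32 len,
                       const byte* iv, int dir)
{
    if (aes == NULL || !((len == 16) || (len == 24) || (len == 32))) {
        return BAD_FUNC_ARG;
    }

    return AesSetKeyDirect(aes, key, len, iv, dir);
}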
wolfSSL 15:117db924cf7c 128 #endif /* WOLFSSL_AES_DIRECT */
wolfSSL 15:117db924cf7c 129
wolfSSL 15:117db924cf7c 130 /* AES-GCM */
wolfSSL 15:117db924cf7c 131 #ifdef HAVE_AESGCM
/* FIPS wrapper for AES-GCM key setup.
 *
 * Rejects a NULL context and any key length other than 16, 24 or 32 bytes
 * with BAD_FUNC_ARG, then returns the result of AesGcmSetKey_fips(). key is
 * forwarded without a NULL check at this layer.
 */
int wc_AesGcmSetKey(Aes* aes, const byte* key, word32 len)
{
    if (aes == NULL) {
        return BAD_FUNC_ARG;
    }

    /* only the AES-128/192/256 key sizes (in bytes) are accepted */
    switch (len) {
        case 16:
        case 24:
        case 32:
            break;
        default:
            return BAD_FUNC_ARG;
    }

    return AesGcmSetKey_fips(aes, key, len);
}
/* FIPS wrapper for AES-GCM encryption.
 *
 * Returns BAD_FUNC_ARG when:
 *   - aes is NULL,
 *   - authTagSz is below WOLFSSL_MIN_AUTH_TAG_SZ or above AES_BLOCK_SIZE,
 *   - ivSz is 0 or above AES_BLOCK_SIZE.
 * Otherwise returns the result of AesGcmEncrypt_fips().
 *
 * NOTE(review): out, in, iv and authTag are not NULL-checked in this wrapper
 * (wc_AesGcmDecrypt does check them); whether AesGcmEncrypt_fips() validates
 * them is not visible here.
 */
int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
                     const byte* iv, word32 ivSz,
                     byte* authTag, word32 authTagSz,
                     const byte* authIn, word32 authInSz)
{
    if (aes == NULL) {
        return BAD_FUNC_ARG;
    }

    /* tag length must lie within [WOLFSSL_MIN_AUTH_TAG_SZ, AES_BLOCK_SIZE] */
    if (authTagSz > AES_BLOCK_SIZE || authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ) {
        return BAD_FUNC_ARG;
    }

    /* IV must be non-empty and no longer than one block */
    if (ivSz == 0 || ivSz > AES_BLOCK_SIZE) {
        return BAD_FUNC_ARG;
    }

    return AesGcmEncrypt_fips(aes, out, in, sz, iv, ivSz, authTag,
                              authTagSz, authIn, authInSz);
}
wolfSSL 15:117db924cf7c 154
wolfSSL 15:117db924cf7c 155 #ifdef HAVE_AES_DECRYPT
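/* FIPS wrapper for AES-GCM authenticated decryption.
 *
 * Returns BAD_FUNC_ARG when:
 *   - aes, out, in, iv or authTag is NULL,
 *   - authTagSz is below WOLFSSL_MIN_AUTH_TAG_SZ or above AES_BLOCK_SIZE,
 *   - ivSz is 0 or above AES_BLOCK_SIZE.
 * Otherwise returns the result of AesGcmDecrypt_fips().
 *
 * The lower bound on authTagSz mirrors wc_AesGcmEncrypt. Without it the
 * caller-supplied tag length could be 0 (or only a few bytes), which leaves
 * little or nothing for the tag comparison to verify and so weakens the
 * integrity guarantee of the mode. Builds that must accept shorter tags
 * should lower WOLFSSL_MIN_AUTH_TAG_SZ rather than bypass this check.
 */
int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
                     const byte* iv, word32 ivSz,
                     const byte* authTag, word32 authTagSz,
                     const byte* authIn, word32 authInSz)
{
    if (aes == NULL || out == NULL || in == NULL || iv == NULL
            || authTag == NULL || authTagSz > AES_BLOCK_SIZE ||
            authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ ||
            ivSz == 0 || ivSz > AES_BLOCK_SIZE) {
        return BAD_FUNC_ARG;
    }

    return AesGcmDecrypt_fips(aes, out, in, sz, iv, ivSz, authTag,
                              authTagSz, authIn, authInSz);
}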
wolfSSL 15:117db924cf7c 170 #endif /* HAVE_AES_DECRYPT */
wolfSSL 15:117db924cf7c 171
/* FIPS wrapper for GMAC key setup.
 *
 * Returns BAD_FUNC_ARG when gmac or key is NULL or when len is not 16, 24 or
 * 32 bytes; otherwise returns the result of GmacSetKey().
 */
int wc_GmacSetKey(Gmac* gmac, const byte* key, word32 len)
{
    if (gmac == NULL || key == NULL) {
        return BAD_FUNC_ARG;
    }

    /* only the AES-128/192/256 key sizes (in bytes) are accepted */
    switch (len) {
        case 16:
        case 24:
        case 32:
            break;
        default:
            return BAD_FUNC_ARG;
    }

    return GmacSetKey(gmac, key, len);
}
/* FIPS wrapper for computing a GMAC tag.
 *
 * Returns BAD_FUNC_ARG when gmac is NULL or when authTagSz lies outside
 * [WOLFSSL_MIN_AUTH_TAG_SZ, AES_BLOCK_SIZE]; otherwise returns the result of
 * GmacUpdate(). iv, ivSz, authIn and authTag are forwarded unchecked.
 */
int wc_GmacUpdate(Gmac* gmac, const byte* iv, word32 ivSz,
                  const byte* authIn, word32 authInSz,
                  byte* authTag, word32 authTagSz)
{
    if (gmac == NULL) {
        return BAD_FUNC_ARG;
    }

    if (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ || authTagSz > AES_BLOCK_SIZE) {
        return BAD_FUNC_ARG;
    }

    return GmacUpdate(gmac, iv, ivSz, authIn, authInSz,
                      authTag, authTagSz);
}
wolfSSL 15:117db924cf7c 193 #endif /* HAVE_AESGCM */
wolfSSL 15:117db924cf7c 194
wolfSSL 15:117db924cf7c 195 /* AES-CCM */
wolfSSL 15:117db924cf7c 196 #if defined(HAVE_AESCCM) && \
wolfSSL 15:117db924cf7c 197 defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
/* FIPS wrapper for AES-CCM key setup.
 *
 * Forwards to AesCcmSetKey() and returns its result; no argument is
 * validated at this layer.
 */
int wc_AesCcmSetKey(Aes* aes, const byte* key, word32 keySz)
{
    int ret = AesCcmSetKey(aes, key, keySz);

    return ret;
}
/* FIPS wrapper for AES-CCM encryption.
 *
 * Returns BAD_FUNC_ARG when aes, out, in, nonce or authTag is NULL or when
 * nonceSz is outside 7..13 bytes. Otherwise calls AesCcmEncrypt() and
 * returns 0.
 *
 * NOTE(review): authTagSz is not range-checked here, and any status that
 * AesCcmEncrypt() might report is not propagated -- this wrapper always
 * returns 0 once the call has been made. Confirm the callee's contract.
 */
int wc_AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
                     const byte* nonce, word32 nonceSz,
                     byte* authTag, word32 authTagSz,
                     const byte* authIn, word32 authInSz)
{
    /* pointer sanity checks */
    if (aes == NULL || out == NULL || in == NULL || nonce == NULL
            || authTag == NULL) {
        return BAD_FUNC_ARG;
    }

    /* CCM nonce length must be 7..13 bytes */
    if (nonceSz < 7 || nonceSz > 13) {
        return BAD_FUNC_ARG;
    }

    AesCcmEncrypt(aes, out, in, inSz, nonce, nonceSz, authTag,
                  authTagSz, authIn, authInSz);

    return 0;
}
wolfSSL 15:117db924cf7c 216
wolfSSL 15:117db924cf7c 217 #ifdef HAVE_AES_DECRYPT
/* FIPS wrapper for AES-CCM authenticated decryption.
 *
 * Returns BAD_FUNC_ARG when aes, out, in, nonce or authTag is NULL or when
 * nonceSz is outside 7..13 bytes; otherwise returns the result of
 * AesCcmDecrypt().
 *
 * NOTE(review): authTagSz is not range-checked at this layer; whether
 * AesCcmDecrypt() rejects a zero or undersized tag length is not visible
 * here -- confirm, since the tag comparison is what authenticates the data.
 */
int wc_AesCcmDecrypt(Aes* aes, byte* out,
                     const byte* in, word32 inSz,
                     const byte* nonce, word32 nonceSz,
                     const byte* authTag, word32 authTagSz,
                     const byte* authIn, word32 authInSz)
{
    /* pointer sanity checks */
    if (aes == NULL || out == NULL || in == NULL || nonce == NULL
            || authTag == NULL) {
        return BAD_FUNC_ARG;
    }

    /* CCM nonce length must be 7..13 bytes */
    if (nonceSz < 7 || nonceSz > 13) {
        return BAD_FUNC_ARG;
    }

    return AesCcmDecrypt(aes, out, in, inSz, nonce, nonceSz,
                         authTag, authTagSz, authIn, authInSz);
}
wolfSSL 15:117db924cf7c 233 #endif /* HAVE_AES_DECRYPT */
wolfSSL 15:117db924cf7c 234 #endif /* HAVE_AESCCM && HAVE_FIPS_VERSION 2 */
wolfSSL 15:117db924cf7c 235
/* FIPS build of wc_AesInit.
 *
 * Returns BAD_FUNC_ARG for a NULL context and 0 otherwise. The context is
 * not modified, and h and i are accepted only for interface compatibility.
 */
int wc_AesInit(Aes* aes, void* h, int i)
{
    /* unused in this build */
    (void)h;
    (void)i;

    /* FIPS doesn't support:
        return AesInit(aes, h, i); */
    return (aes == NULL) ? BAD_FUNC_ARG : 0;
}
/* FIPS build of wc_AesFree: a deliberate no-op.
 *
 * Nothing in the Aes structure is released or cleared by this call.
 * NOTE(review): callers that need key material wiped from the context after
 * use have to do so themselves in this build -- confirm against the FIPS
 * module's own cleanup behaviour.
 */
void wc_AesFree(Aes* aes)
{
    /* FIPS doesn't support:
        AesFree(aes); */
    (void)aes;
}
wolfSSL 15:117db924cf7c 254
wolfSSL 15:117db924cf7c 255 #else /* else build without fips, or for FIPS v2 */
wolfSSL 15:117db924cf7c 256
wolfSSL 15:117db924cf7c 257
wolfSSL 15:117db924cf7c 258 #if defined(WOLFSSL_TI_CRYPT)
wolfSSL 15:117db924cf7c 259 #include <wolfcrypt/src/port/ti/ti-aes.c>
wolfSSL 15:117db924cf7c 260 #else
wolfSSL 15:117db924cf7c 261
wolfSSL 15:117db924cf7c 262 #include <wolfssl/wolfcrypt/logging.h>
wolfSSL 15:117db924cf7c 263
wolfSSL 15:117db924cf7c 264 #ifdef NO_INLINE
wolfSSL 15:117db924cf7c 265 #include <wolfssl/wolfcrypt/misc.h>
wolfSSL 15:117db924cf7c 266 #else
wolfSSL 15:117db924cf7c 267 #define WOLFSSL_MISC_INCLUDED
wolfSSL 15:117db924cf7c 268 #include <wolfcrypt/src/misc.c>
wolfSSL 15:117db924cf7c 269 #endif
wolfSSL 15:117db924cf7c 270
wolfSSL 15:117db924cf7c 271 #if !defined(WOLFSSL_ARMASM)
wolfSSL 15:117db924cf7c 272
wolfSSL 15:117db924cf7c 273 #ifdef WOLFSSL_IMX6_CAAM_BLOB
wolfSSL 15:117db924cf7c 274 /* case of possibly not using hardware acceleration for AES but using key
wolfSSL 15:117db924cf7c 275 blobs */
wolfSSL 15:117db924cf7c 276 #include <wolfssl/wolfcrypt/port/caam/wolfcaam.h>
wolfSSL 15:117db924cf7c 277 #endif
wolfSSL 15:117db924cf7c 278
wolfSSL 15:117db924cf7c 279 #ifdef DEBUG_AESNI
wolfSSL 15:117db924cf7c 280 #include <stdio.h>
wolfSSL 15:117db924cf7c 281 #endif
wolfSSL 15:117db924cf7c 282
wolfSSL 15:117db924cf7c 283 #ifdef _MSC_VER
wolfSSL 15:117db924cf7c 284 /* 4127 warning constant while(1) */
wolfSSL 15:117db924cf7c 285 #pragma warning(disable: 4127)
wolfSSL 15:117db924cf7c 286 #endif
wolfSSL 15:117db924cf7c 287
wolfSSL 15:117db924cf7c 288
wolfSSL 15:117db924cf7c 289 /* Define AES implementation includes and functions */
wolfSSL 15:117db924cf7c 290 #if defined(STM32_CRYPTO)
wolfSSL 16:8e0d178b1d1e 291 /* STM32F2/F4/F7/L4 hardware AES support for ECB, CBC, CTR and GCM modes */
wolfSSL 15:117db924cf7c 292
wolfSSL 15:117db924cf7c 293 #if defined(WOLFSSL_AES_DIRECT) || defined(HAVE_AESGCM) || defined(HAVE_AESCCM)
wolfSSL 16:8e0d178b1d1e 294
/* Encrypt one AES block in ECB mode on the STM32 CRYP peripheral.
 *
 * aes       context handed to wc_Stm32_Aes_Init() to prepare the peripheral
 * inBlock   input block (AES_BLOCK_SIZE bytes are submitted)
 * outBlock  receives the output block
 *
 * Returns the wc_Stm32_Aes_Init() error if initialisation fails. On the
 * CubeMX/HAL path any status other than HAL_OK is reported as WC_TIMEOUT_E
 * and HAL_OK is returned unchanged; the StdPeriph path returns the (zero)
 * initialisation result.
 *
 * NOTE(review): hcryp / cryptInit / keyInit are stack locals filled in by
 * wc_Stm32_Aes_Init(); presumably they carry key material, and they are not
 * cleared before returning -- confirm and zeroize if so.
 */
static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
{
    int ret = 0;
#ifdef WOLFSSL_STM32_CUBEMX
    CRYP_HandleTypeDef hcryp;
#else
    CRYP_InitTypeDef cryptInit;
    CRYP_KeyInitTypeDef keyInit;
#endif

#ifdef WOLFSSL_STM32_CUBEMX
    ret = wc_Stm32_Aes_Init(aes, &hcryp);
    if (ret != 0)
        return ret;

#ifdef STM32_CRYPTO_AES_ONLY
    hcryp.Init.OperatingMode = CRYP_ALGOMODE_ENCRYPT;
    hcryp.Init.ChainingMode = CRYP_CHAINMODE_AES_ECB;
    hcryp.Init.KeyWriteFlag = CRYP_KEY_WRITE_ENABLE;
#elif defined(STM32_HAL_V2)
    hcryp.Init.Algorithm = CRYP_AES_ECB;
#endif
    /* NOTE(review): the status returned by HAL_CRYP_Init() is not checked */
    HAL_CRYP_Init(&hcryp);

#ifdef STM32_CRYPTO_AES_ONLY
    ret = HAL_CRYPEx_AES(&hcryp, (uint8_t*)inBlock, AES_BLOCK_SIZE,
        outBlock, STM32_HAL_TIMEOUT);
#elif defined(STM32_HAL_V2)
    ret = HAL_CRYP_Encrypt(&hcryp, (uint32_t*)inBlock, AES_BLOCK_SIZE,
        (uint32_t*)outBlock, STM32_HAL_TIMEOUT);
#else
    ret = HAL_CRYP_AESECB_Encrypt(&hcryp, (uint8_t*)inBlock, AES_BLOCK_SIZE,
        outBlock, STM32_HAL_TIMEOUT);
#endif
    /* every HAL failure, not only a timeout, is mapped to WC_TIMEOUT_E */
    if (ret != HAL_OK) {
        ret = WC_TIMEOUT_E;
    }
    HAL_CRYP_DeInit(&hcryp);

#else /* STD_PERI_LIB */
    ret = wc_Stm32_Aes_Init(aes, &cryptInit, &keyInit);
    if (ret != 0)
        return ret;

    /* reset registers to their default values */
    CRYP_DeInit();

    /* setup key */
    CRYP_KeyInit(&keyInit);

    /* set direction and mode */
    cryptInit.CRYP_AlgoDir = CRYP_AlgoDir_Encrypt;
    cryptInit.CRYP_AlgoMode = CRYP_AlgoMode_AES_ECB;
    CRYP_Init(&cryptInit);

    /* enable crypto processor */
    CRYP_Cmd(ENABLE);

    /* flush IN/OUT FIFOs */
    CRYP_FIFOFlush();

    /* feed the block as four 32-bit words.
     * NOTE(review): the casts read a byte buffer through uint32_t*, which
     * assumes inBlock is suitably aligned for 32-bit access -- confirm for
     * all callers. */
    CRYP_DataIn(*(uint32_t*)&inBlock[0]);
    CRYP_DataIn(*(uint32_t*)&inBlock[4]);
    CRYP_DataIn(*(uint32_t*)&inBlock[8]);
    CRYP_DataIn(*(uint32_t*)&inBlock[12]);

    /* wait until the complete message has been processed; this busy-wait
     * has no timeout, so it spins for as long as the BUSY flag stays set */
    while (CRYP_GetFlagStatus(CRYP_FLAG_BUSY) != RESET) {}

    /* read the result back as four 32-bit words (same alignment assumption
     * applies to outBlock) */
    *(uint32_t*)&outBlock[0] = CRYP_DataOut();
    *(uint32_t*)&outBlock[4] = CRYP_DataOut();
    *(uint32_t*)&outBlock[8] = CRYP_DataOut();
    *(uint32_t*)&outBlock[12] = CRYP_DataOut();

    /* disable crypto processor */
    CRYP_Cmd(DISABLE);
#endif /* WOLFSSL_STM32_CUBEMX */

    return ret;
}
wolfSSL 15:117db924cf7c 375 #endif /* WOLFSSL_AES_DIRECT || HAVE_AESGCM || HAVE_AESCCM */
wolfSSL 15:117db924cf7c 376
wolfSSL 15:117db924cf7c 377 #ifdef HAVE_AES_DECRYPT
wolfSSL 15:117db924cf7c 378 #if defined(WOLFSSL_AES_DIRECT) || defined(HAVE_AESCCM)
/* Decrypt one AES block in ECB mode on the STM32 CRYP peripheral.
 *
 * aes       context handed to wc_Stm32_Aes_Init() to prepare the peripheral
 * inBlock   input block (AES_BLOCK_SIZE bytes are submitted)
 * outBlock  receives the output block
 *
 * Returns the wc_Stm32_Aes_Init() error if initialisation fails. On the
 * CubeMX/HAL path any status other than HAL_OK is reported as WC_TIMEOUT_E
 * and HAL_OK is returned unchanged; the StdPeriph path returns the (zero)
 * initialisation result.
 *
 * NOTE(review): hcryp / cryptInit / keyInit are stack locals filled in by
 * wc_Stm32_Aes_Init(); presumably they carry key material, and they are not
 * cleared before returning -- confirm and zeroize if so.
 */
static int wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
{
    int ret = 0;
#ifdef WOLFSSL_STM32_CUBEMX
    CRYP_HandleTypeDef hcryp;
#else
    CRYP_InitTypeDef cryptInit;
    CRYP_KeyInitTypeDef keyInit;
#endif

#ifdef WOLFSSL_STM32_CUBEMX
    ret = wc_Stm32_Aes_Init(aes, &hcryp);
    if (ret != 0)
        return ret;

#ifdef STM32_CRYPTO_AES_ONLY
    hcryp.Init.OperatingMode = CRYP_ALGOMODE_DECRYPT;
    hcryp.Init.ChainingMode = CRYP_CHAINMODE_AES_ECB;
    hcryp.Init.KeyWriteFlag = CRYP_KEY_WRITE_ENABLE;
#elif defined(STM32_HAL_V2)
    hcryp.Init.Algorithm = CRYP_AES_ECB;
#endif
    /* NOTE(review): the status returned by HAL_CRYP_Init() is not checked */
    HAL_CRYP_Init(&hcryp);

#ifdef STM32_CRYPTO_AES_ONLY
    ret = HAL_CRYPEx_AES(&hcryp, (uint8_t*)inBlock, AES_BLOCK_SIZE,
        outBlock, STM32_HAL_TIMEOUT);
#elif defined(STM32_HAL_V2)
    ret = HAL_CRYP_Decrypt(&hcryp, (uint32_t*)inBlock, AES_BLOCK_SIZE,
        (uint32_t*)outBlock, STM32_HAL_TIMEOUT);
#else
    ret = HAL_CRYP_AESECB_Decrypt(&hcryp, (uint8_t*)inBlock, AES_BLOCK_SIZE,
        outBlock, STM32_HAL_TIMEOUT);
#endif
    /* every HAL failure, not only a timeout, is mapped to WC_TIMEOUT_E */
    if (ret != HAL_OK) {
        ret = WC_TIMEOUT_E;
    }
    HAL_CRYP_DeInit(&hcryp);

#else /* STD_PERI_LIB */
    ret = wc_Stm32_Aes_Init(aes, &cryptInit, &keyInit);
    if (ret != 0)
        return ret;

    /* reset registers to their default values */
    CRYP_DeInit();

    /* set direction and key: first pass runs the peripheral in
     * CRYP_AlgoMode_AES_Key mode before the actual ECB decrypt below */
    CRYP_KeyInit(&keyInit);
    cryptInit.CRYP_AlgoDir = CRYP_AlgoDir_Decrypt;
    cryptInit.CRYP_AlgoMode = CRYP_AlgoMode_AES_Key;
    CRYP_Init(&cryptInit);

    /* enable crypto processor */
    CRYP_Cmd(ENABLE);

    /* wait until decrypt key has been initialized (busy-wait, no timeout) */
    while (CRYP_GetFlagStatus(CRYP_FLAG_BUSY) != RESET) {}

    /* set direction and mode */
    cryptInit.CRYP_AlgoDir = CRYP_AlgoDir_Decrypt;
    cryptInit.CRYP_AlgoMode = CRYP_AlgoMode_AES_ECB;
    CRYP_Init(&cryptInit);

    /* enable crypto processor */
    CRYP_Cmd(ENABLE);

    /* flush IN/OUT FIFOs */
    CRYP_FIFOFlush();

    /* feed the block as four 32-bit words.
     * NOTE(review): the casts read a byte buffer through uint32_t*, which
     * assumes inBlock is suitably aligned for 32-bit access -- confirm for
     * all callers. */
    CRYP_DataIn(*(uint32_t*)&inBlock[0]);
    CRYP_DataIn(*(uint32_t*)&inBlock[4]);
    CRYP_DataIn(*(uint32_t*)&inBlock[8]);
    CRYP_DataIn(*(uint32_t*)&inBlock[12]);

    /* wait until the complete message has been processed; this busy-wait
     * has no timeout, so it spins for as long as the BUSY flag stays set */
    while (CRYP_GetFlagStatus(CRYP_FLAG_BUSY) != RESET) {}

    /* read the result back as four 32-bit words (same alignment assumption
     * applies to outBlock) */
    *(uint32_t*)&outBlock[0] = CRYP_DataOut();
    *(uint32_t*)&outBlock[4] = CRYP_DataOut();
    *(uint32_t*)&outBlock[8] = CRYP_DataOut();
    *(uint32_t*)&outBlock[12] = CRYP_DataOut();

    /* disable crypto processor */
    CRYP_Cmd(DISABLE);
#endif /* WOLFSSL_STM32_CUBEMX */

    return ret;
}
wolfSSL 15:117db924cf7c 468 #endif /* WOLFSSL_AES_DIRECT || HAVE_AESCCM */
wolfSSL 15:117db924cf7c 469 #endif /* HAVE_AES_DECRYPT */
wolfSSL 15:117db924cf7c 470
wolfSSL 15:117db924cf7c 471 #elif defined(HAVE_COLDFIRE_SEC)
wolfSSL 15:117db924cf7c 472 /* Freescale Coldfire SEC support for CBC mode.
wolfSSL 15:117db924cf7c 473 * NOTE: no support for AES-CTR/GCM/CCM/Direct */
wolfSSL 15:117db924cf7c 474 #include <wolfssl/wolfcrypt/types.h>
wolfSSL 15:117db924cf7c 475 #include "sec.h"
wolfSSL 15:117db924cf7c 476 #include "mcf5475_sec.h"
wolfSSL 15:117db924cf7c 477 #include "mcf5475_siu.h"
wolfSSL 15:117db924cf7c 478 #elif defined(FREESCALE_LTC)
wolfSSL 15:117db924cf7c 479 #include "fsl_ltc.h"
wolfSSL 15:117db924cf7c 480 #if defined(FREESCALE_LTC_AES_GCM)
wolfSSL 15:117db924cf7c 481 #undef NEED_AES_TABLES
wolfSSL 15:117db924cf7c 482 #undef GCM_TABLE
wolfSSL 15:117db924cf7c 483 #else
wolfSSL 15:117db924cf7c 484 /* if LTC doesn't have GCM, use software with LTC AES ECB mode */
/* Single-block encrypt for Freescale LTC builds without LTC GCM support.
 *
 * Adapts the internal (aes, in, out) argument order to
 * wc_AesEncryptDirect(aes, out, in) and always returns 0, because the
 * direct call has no status to report.
 */
static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
{
    const int status = 0;

    wc_AesEncryptDirect(aes, outBlock, inBlock);

    return status;
}
/* Single-block decrypt for Freescale LTC builds without LTC GCM support.
 *
 * Adapts the internal (aes, in, out) argument order to
 * wc_AesDecryptDirect(aes, out, in) and always returns 0, because the
 * direct call has no status to report.
 */
static int wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
{
    const int status = 0;

    wc_AesDecryptDirect(aes, outBlock, inBlock);

    return status;
}
wolfSSL 15:117db924cf7c 495 #endif
wolfSSL 15:117db924cf7c 496 #elif defined(FREESCALE_MMCAU)
wolfSSL 15:117db924cf7c 497 /* Freescale mmCAU hardware AES support for Direct, CBC, CCM, GCM modes
wolfSSL 15:117db924cf7c 498 * through the CAU/mmCAU library. Documentation located in
wolfSSL 15:117db924cf7c 499 * ColdFire/ColdFire+ CAU and Kinetis mmCAU Software Library User
wolfSSL 15:117db924cf7c 500 * Guide (See note in README). */
wolfSSL 15:117db924cf7c 501 #ifdef FREESCALE_MMCAU_CLASSIC
wolfSSL 15:117db924cf7c 502 /* MMCAU 1.4 library used with non-KSDK / classic MQX builds */
wolfSSL 15:117db924cf7c 503 #include "cau_api.h"
wolfSSL 15:117db924cf7c 504 #else
wolfSSL 15:117db924cf7c 505 #include "fsl_mmcau.h"
wolfSSL 15:117db924cf7c 506 #endif
wolfSSL 15:117db924cf7c 507
/* Single-block encrypt through the Freescale CAU/mmCAU library.
 *
 * With FREESCALE_MMCAU_CLASSIC, outBlock must be a multiple of
 * WOLFSSL_MMCAU_ALIGNMENT or BAD_ALIGN_E is returned (inBlock is not
 * checked here). The hardware call is made while holding the crypto
 * hardware mutex; if the lock cannot be taken its error code is returned
 * and no encryption is performed. Returns 0 on success.
 */
static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
{
    int lockRet;

#ifdef FREESCALE_MMCAU_CLASSIC
    if (((wolfssl_word)outBlock % WOLFSSL_MMCAU_ALIGNMENT) != 0) {
        WOLFSSL_MSG("Bad cau_aes_encrypt alignment");
        return BAD_ALIGN_E;
    }
#endif

    lockRet = wolfSSL_CryptHwMutexLock();
    if (lockRet != 0) {
        /* could not get exclusive access to the hardware */
        return lockRet;
    }

#ifdef FREESCALE_MMCAU_CLASSIC
    cau_aes_encrypt(inBlock, (byte*)aes->key, aes->rounds, outBlock);
#else
    MMCAU_AES_EncryptEcb(inBlock, (byte*)aes->key, aes->rounds,
                         outBlock);
#endif
    wolfSSL_CryptHwMutexUnLock();

    return lockRet;
}
wolfSSL 15:117db924cf7c 531 #ifdef HAVE_AES_DECRYPT
/* Single-block decrypt through the Freescale CAU/mmCAU library.
 *
 * With FREESCALE_MMCAU_CLASSIC, outBlock must be a multiple of
 * WOLFSSL_MMCAU_ALIGNMENT or BAD_ALIGN_E is returned (inBlock is not
 * checked here). The hardware call is made while holding the crypto
 * hardware mutex; if the lock cannot be taken its error code is returned
 * and no decryption is performed. Returns 0 on success.
 */
static int wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
{
    int lockRet;

#ifdef FREESCALE_MMCAU_CLASSIC
    if (((wolfssl_word)outBlock % WOLFSSL_MMCAU_ALIGNMENT) != 0) {
        WOLFSSL_MSG("Bad cau_aes_decrypt alignment");
        return BAD_ALIGN_E;
    }
#endif

    lockRet = wolfSSL_CryptHwMutexLock();
    if (lockRet != 0) {
        /* could not get exclusive access to the hardware */
        return lockRet;
    }

#ifdef FREESCALE_MMCAU_CLASSIC
    cau_aes_decrypt(inBlock, (byte*)aes->key, aes->rounds, outBlock);
#else
    MMCAU_AES_DecryptEcb(inBlock, (byte*)aes->key, aes->rounds,
                         outBlock);
#endif
    wolfSSL_CryptHwMutexUnLock();

    return lockRet;
}
wolfSSL 15:117db924cf7c 555 #endif /* HAVE_AES_DECRYPT */
wolfSSL 15:117db924cf7c 556
wolfSSL 15:117db924cf7c 557 #elif defined(WOLFSSL_PIC32MZ_CRYPT)
wolfSSL 15:117db924cf7c 558
wolfSSL 15:117db924cf7c 559 #include <wolfssl/wolfcrypt/port/pic32/pic32mz-crypt.h>
wolfSSL 15:117db924cf7c 560
wolfSSL 15:117db924cf7c 561 #if defined(HAVE_AESGCM) || defined(WOLFSSL_AES_DIRECT)
/* Single-block encrypt on the PIC32MZ crypto engine.
 *
 * Submits AES_BLOCK_SIZE bytes from inBlock to wc_Pic32AesCrypt() with no IV
 * (NULL, 0), direction PIC32_ENCRYPTION and algorithm PIC32_CRYPTOALGO_RECB,
 * and returns its result.
 */
static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
{
    int ret;

    ret = wc_Pic32AesCrypt(aes->key, aes->keylen, NULL, 0,
                           outBlock, inBlock, AES_BLOCK_SIZE,
                           PIC32_ENCRYPTION, PIC32_ALGO_AES,
                           PIC32_CRYPTOALGO_RECB);

    return ret;
}
wolfSSL 15:117db924cf7c 568 #endif
wolfSSL 15:117db924cf7c 569
wolfSSL 15:117db924cf7c 570 #if defined(HAVE_AES_DECRYPT) && defined(WOLFSSL_AES_DIRECT)
/* Single-block decrypt on the PIC32MZ crypto engine.
 *
 * Submits AES_BLOCK_SIZE bytes from inBlock to wc_Pic32AesCrypt() with no IV
 * (NULL, 0), direction PIC32_DECRYPTION and algorithm PIC32_CRYPTOALGO_RECB,
 * and returns its result.
 */
static int wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
{
    int ret;

    ret = wc_Pic32AesCrypt(aes->key, aes->keylen, NULL, 0,
                           outBlock, inBlock, AES_BLOCK_SIZE,
                           PIC32_DECRYPTION, PIC32_ALGO_AES,
                           PIC32_CRYPTOALGO_RECB);

    return ret;
}
wolfSSL 15:117db924cf7c 577 #endif
wolfSSL 15:117db924cf7c 578
wolfSSL 15:117db924cf7c 579 #elif defined(WOLFSSL_NRF51_AES)
wolfSSL 15:117db924cf7c 580 /* Use built-in AES hardware - AES 128 ECB Encrypt Only */
wolfSSL 15:117db924cf7c 581 #include "wolfssl/wolfcrypt/port/nrf51.h"
wolfSSL 15:117db924cf7c 582
/* Single-block encrypt on the nRF51 AES hardware.
 *
 * Passes the block, the key held in aes->key and aes->rounds to
 * nrf51_aes_encrypt() and returns its result. This port offers encryption
 * only; building with HAVE_AES_DECRYPT is rejected by the #error that
 * follows.
 */
static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
{
    int ret;

    ret = nrf51_aes_encrypt(inBlock, (byte*)aes->key, aes->rounds, outBlock);

    return ret;
}
wolfSSL 15:117db924cf7c 587
wolfSSL 15:117db924cf7c 588 #ifdef HAVE_AES_DECRYPT
wolfSSL 15:117db924cf7c 589 #error nRF51 AES Hardware does not support decrypt
wolfSSL 15:117db924cf7c 590 #endif /* HAVE_AES_DECRYPT */
wolfSSL 15:117db924cf7c 591
wolfSSL 16:8e0d178b1d1e 592 #elif defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
wolfSSL 16:8e0d178b1d1e 593 !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_AES)
wolfSSL 16:8e0d178b1d1e 594
wolfSSL 16:8e0d178b1d1e 595 #include "wolfssl/wolfcrypt/port/Espressif/esp32-crypt.h"
wolfSSL 16:8e0d178b1d1e 596
wolfSSL 16:8e0d178b1d1e 597 #if defined(HAVE_AESGCM) || defined(WOLFSSL_AES_DIRECT)
/* Single-block AES encrypt for the ESP32-WROOM-32 hardware port.
 *
 * Thin adapter: passes the context and both block pointers straight to
 * wc_esp32AesEncrypt() and returns its status. No argument validation is
 * done at this layer. */
static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
{
    int status = wc_esp32AesEncrypt(aes, inBlock, outBlock);

    return status;
}
wolfSSL 16:8e0d178b1d1e 602 #endif
wolfSSL 16:8e0d178b1d1e 603
wolfSSL 16:8e0d178b1d1e 604 #if defined(HAVE_AES_DECRYPT) && defined(WOLFSSL_AES_DIRECT)
/* Single-block AES decrypt for the ESP32-WROOM-32 hardware port.
 *
 * Thin adapter: passes the context and both block pointers straight to
 * wc_esp32AesDecrypt() and returns its status. No argument validation is
 * done at this layer. */
static int wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
{
    int status = wc_esp32AesDecrypt(aes, inBlock, outBlock);

    return status;
}
wolfSSL 16:8e0d178b1d1e 609 #endif
wolfSSL 15:117db924cf7c 610
wolfSSL 15:117db924cf7c 611 #elif defined(WOLFSSL_AESNI)
wolfSSL 15:117db924cf7c 612
wolfSSL 15:117db924cf7c 613 #define NEED_AES_TABLES
wolfSSL 15:117db924cf7c 614
wolfSSL 15:117db924cf7c 615 /* Each platform needs to query info type 1 from cpuid to see if aesni is
wolfSSL 15:117db924cf7c 616 * supported. Also, let's setup a macro for proper linkage w/o ABI conflicts
wolfSSL 15:117db924cf7c 617 */
wolfSSL 15:117db924cf7c 618
wolfSSL 15:117db924cf7c 619 #ifndef AESNI_ALIGN
wolfSSL 15:117db924cf7c 620 #define AESNI_ALIGN 16
wolfSSL 15:117db924cf7c 621 #endif
wolfSSL 15:117db924cf7c 622
wolfSSL 16:8e0d178b1d1e 623 #ifdef _MSC_VER
wolfSSL 16:8e0d178b1d1e 624 #define XASM_LINK(f)
wolfSSL 16:8e0d178b1d1e 625 #elif defined(__APPLE__)
wolfSSL 16:8e0d178b1d1e 626 #define XASM_LINK(f) asm("_" f)
wolfSSL 16:8e0d178b1d1e 627 #else
wolfSSL 15:117db924cf7c 628 #define XASM_LINK(f) asm(f)
wolfSSL 15:117db924cf7c 629 #endif /* _MSC_VER */
wolfSSL 15:117db924cf7c 630
wolfSSL 15:117db924cf7c 631 static int checkAESNI = 0;
wolfSSL 15:117db924cf7c 632 static int haveAESNI = 0;
wolfSSL 15:117db924cf7c 633 static word32 intel_flags = 0;
wolfSSL 15:117db924cf7c 634
/* Report whether the running CPU advertises AES-NI.
 *
 * Side effect: stores the value returned by cpuid_get_flags() in the
 * file-scope intel_flags.
 * Returns 1 when IS_INTEL_AESNI() is non-zero for those flags, 0 otherwise. */
static int Check_CPU_support_AES(void)
{
    int supported;

    intel_flags = cpuid_get_flags();
    supported = (IS_INTEL_AESNI(intel_flags) != 0) ? 1 : 0;

    return supported;
}
wolfSSL 15:117db924cf7c 641
wolfSSL 15:117db924cf7c 642
wolfSSL 15:117db924cf7c 643 /* tell C compiler these are asm functions in case any mix up of ABI underscore
wolfSSL 15:117db924cf7c 644 prefix between clang/gcc/llvm etc */
wolfSSL 15:117db924cf7c 645 #ifdef HAVE_AES_CBC
wolfSSL 15:117db924cf7c 646 void AES_CBC_encrypt(const unsigned char* in, unsigned char* out,
wolfSSL 15:117db924cf7c 647 unsigned char* ivec, unsigned long length,
wolfSSL 15:117db924cf7c 648 const unsigned char* KS, int nr)
wolfSSL 15:117db924cf7c 649 XASM_LINK("AES_CBC_encrypt");
wolfSSL 15:117db924cf7c 650
wolfSSL 15:117db924cf7c 651 #ifdef HAVE_AES_DECRYPT
wolfSSL 15:117db924cf7c 652 #if defined(WOLFSSL_AESNI_BY4)
wolfSSL 15:117db924cf7c 653 void AES_CBC_decrypt_by4(const unsigned char* in, unsigned char* out,
wolfSSL 15:117db924cf7c 654 unsigned char* ivec, unsigned long length,
wolfSSL 15:117db924cf7c 655 const unsigned char* KS, int nr)
wolfSSL 15:117db924cf7c 656 XASM_LINK("AES_CBC_decrypt_by4");
wolfSSL 15:117db924cf7c 657 #elif defined(WOLFSSL_AESNI_BY6)
wolfSSL 15:117db924cf7c 658 void AES_CBC_decrypt_by6(const unsigned char* in, unsigned char* out,
wolfSSL 15:117db924cf7c 659 unsigned char* ivec, unsigned long length,
wolfSSL 15:117db924cf7c 660 const unsigned char* KS, int nr)
wolfSSL 15:117db924cf7c 661 XASM_LINK("AES_CBC_decrypt_by6");
wolfSSL 15:117db924cf7c 662 #else /* WOLFSSL_AESNI_BYx */
wolfSSL 15:117db924cf7c 663 void AES_CBC_decrypt_by8(const unsigned char* in, unsigned char* out,
wolfSSL 15:117db924cf7c 664 unsigned char* ivec, unsigned long length,
wolfSSL 15:117db924cf7c 665 const unsigned char* KS, int nr)
wolfSSL 15:117db924cf7c 666 XASM_LINK("AES_CBC_decrypt_by8");
wolfSSL 15:117db924cf7c 667 #endif /* WOLFSSL_AESNI_BYx */
wolfSSL 15:117db924cf7c 668 #endif /* HAVE_AES_DECRYPT */
wolfSSL 15:117db924cf7c 669 #endif /* HAVE_AES_CBC */
wolfSSL 15:117db924cf7c 670
wolfSSL 15:117db924cf7c 671 void AES_ECB_encrypt(const unsigned char* in, unsigned char* out,
wolfSSL 15:117db924cf7c 672 unsigned long length, const unsigned char* KS, int nr)
wolfSSL 15:117db924cf7c 673 XASM_LINK("AES_ECB_encrypt");
wolfSSL 15:117db924cf7c 674
wolfSSL 15:117db924cf7c 675 #ifdef HAVE_AES_DECRYPT
wolfSSL 15:117db924cf7c 676 void AES_ECB_decrypt(const unsigned char* in, unsigned char* out,
wolfSSL 15:117db924cf7c 677 unsigned long length, const unsigned char* KS, int nr)
wolfSSL 15:117db924cf7c 678 XASM_LINK("AES_ECB_decrypt");
wolfSSL 15:117db924cf7c 679 #endif
wolfSSL 15:117db924cf7c 680
wolfSSL 15:117db924cf7c 681 void AES_128_Key_Expansion(const unsigned char* userkey,
wolfSSL 15:117db924cf7c 682 unsigned char* key_schedule)
wolfSSL 15:117db924cf7c 683 XASM_LINK("AES_128_Key_Expansion");
wolfSSL 15:117db924cf7c 684
wolfSSL 15:117db924cf7c 685 void AES_192_Key_Expansion(const unsigned char* userkey,
wolfSSL 15:117db924cf7c 686 unsigned char* key_schedule)
wolfSSL 15:117db924cf7c 687 XASM_LINK("AES_192_Key_Expansion");
wolfSSL 15:117db924cf7c 688
wolfSSL 15:117db924cf7c 689 void AES_256_Key_Expansion(const unsigned char* userkey,
wolfSSL 15:117db924cf7c 690 unsigned char* key_schedule)
wolfSSL 15:117db924cf7c 691 XASM_LINK("AES_256_Key_Expansion");
wolfSSL 15:117db924cf7c 692
wolfSSL 15:117db924cf7c 693
/* Expand a raw AES key into the encryption key schedule held in aes->key.
 *
 * userKey  raw key bytes
 * bits     key size in bits: 128, 192 or 256
 * aes      context; aes->key receives the schedule and aes->rounds is set to
 *          10, 12 or 14 respectively
 *
 * Returns 0 on success, BAD_FUNC_ARG for a NULL pointer or an unsupported
 * key size. Nothing is written to aes on the error paths.
 *
 * NOTE(review): the expansion is done by the assembly routines declared
 * above; they presumably need aes->key aligned to AESNI_ALIGN - confirm. */
static int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
                               Aes* aes)
{
    if (userKey == NULL || aes == NULL)
        return BAD_FUNC_ARG;

    if (bits == 128) {
        AES_128_Key_Expansion(userKey, (byte*)aes->key);
        aes->rounds = 10;
    }
    else if (bits == 192) {
        AES_192_Key_Expansion(userKey, (byte*)aes->key);
        aes->rounds = 12;
    }
    else if (bits == 256) {
        AES_256_Key_Expansion(userKey, (byte*)aes->key);
        aes->rounds = 14;
    }
    else {
        return BAD_FUNC_ARG;
    }

    return 0;
}
wolfSSL 15:117db924cf7c 718
wolfSSL 15:117db924cf7c 719 #ifdef HAVE_AES_DECRYPT
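/* Build the AES-NI decryption key schedule in aes->key.
 *
 * userKey  raw key bytes
 * bits     key size in bits: 128, 192 or 256
 * aes      context; aes->key receives the decryption schedule and
 *          aes->rounds the round count
 *
 * The encryption schedule is first expanded into a stack-local context, then
 * written to aes->key in reverse order with _mm_aesimc_si128() applied to
 * every round key except the first and the last.
 *
 * Returns 0 on success, or the error from AES_set_encrypt_key()
 * (BAD_FUNC_ARG) for NULL arguments or an unsupported key size.
 *
 * NOTE(review): the __m128i accesses assume both key arrays are 16-byte
 * aligned; that depends on how Aes is declared - confirm. */
static int AES_set_decrypt_key(const unsigned char* userKey,
                               const int bits, Aes* aes)
{
    int nr;
    int i;
    int ret;
    Aes temp_key;
    __m128i *Key_Schedule;
    __m128i *Temp_Key_Schedule;
    volatile unsigned char *scrub;
    unsigned int left;

    if (!userKey || !aes)
        return BAD_FUNC_ARG;

    /* on failure nothing has been written to temp_key, so there is no key
     * material to clear yet */
    ret = AES_set_encrypt_key(userKey, bits, &temp_key);
    if (ret != 0)
        return ret;

    /* take the schedule pointers only after aes is known to be non-NULL */
    Key_Schedule      = (__m128i*)aes->key;
    Temp_Key_Schedule = (__m128i*)temp_key.key;

    nr = temp_key.rounds;
    aes->rounds = nr;

    /* first and last round keys are swapped as they are; the nr-1 inner
     * round keys are reversed and passed through InvMixColumns */
    Key_Schedule[nr] = Temp_Key_Schedule[0];
    for (i = 1; i < nr; i++)
        Key_Schedule[nr - i] = _mm_aesimc_si128(Temp_Key_Schedule[i]);
    Key_Schedule[0] = Temp_Key_Schedule[nr];

    /* temp_key holds the complete encryption key schedule; clear it so the
     * expanded key does not stay on the stack after return. Volatile writes
     * keep the compiler from dropping the stores as dead.
     * NOTE(review): wolfCrypt's ForceZero() would be the usual helper for
     * this if it is in scope in this file - confirm and switch. */
    scrub = (volatile unsigned char*)&temp_key;
    for (left = (unsigned int)sizeof(temp_key); left > 0; left--)
        *scrub++ = 0;

    return 0;
}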
wolfSSL 15:117db924cf7c 762 #endif /* HAVE_AES_DECRYPT */
wolfSSL 15:117db924cf7c 763
wolfSSL 16:8e0d178b1d1e 764 #elif (defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_AES)) || \
wolfSSL 16:8e0d178b1d1e 765 ((defined(WOLFSSL_AFALG) || defined(WOLFSSL_DEVCRYPTO_AES)) && \
wolfSSL 16:8e0d178b1d1e 766 defined(HAVE_AESCCM))
/* Single-block encrypt for the builds selected by the enclosing #elif
 * (i.MX6 CAAM, or AF_ALG / devcrypto with AES-CCM enabled).
 *
 * Delegates to wc_AesEncryptDirect() and then reports success
 * unconditionally: a failure inside wc_AesEncryptDirect(), if it can signal
 * one, is not visible to the caller of this wrapper. */
static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
{
    /* the direct API takes (aes, out, in), the reverse of this wrapper */
    wc_AesEncryptDirect(aes, outBlock, inBlock);

    return 0;
}
wolfSSL 16:8e0d178b1d1e 772
wolfSSL 16:8e0d178b1d1e 773 #elif defined(WOLFSSL_AFALG)
wolfSSL 16:8e0d178b1d1e 774 #elif defined(WOLFSSL_DEVCRYPTO_AES)
wolfSSL 16:8e0d178b1d1e 775
wolfSSL 16:8e0d178b1d1e 776 #elif defined(WOLFSSL_SCE) && !defined(WOLFSSL_SCE_NO_AES)
wolfSSL 16:8e0d178b1d1e 777 #include "hal_data.h"
wolfSSL 16:8e0d178b1d1e 778
wolfSSL 16:8e0d178b1d1e 779 #ifndef WOLFSSL_SCE_AES256_HANDLE
wolfSSL 16:8e0d178b1d1e 780 #define WOLFSSL_SCE_AES256_HANDLE g_sce_aes_256
wolfSSL 16:8e0d178b1d1e 781 #endif
wolfSSL 16:8e0d178b1d1e 782
wolfSSL 16:8e0d178b1d1e 783 #ifndef WOLFSSL_SCE_AES192_HANDLE
wolfSSL 16:8e0d178b1d1e 784 #define WOLFSSL_SCE_AES192_HANDLE g_sce_aes_192
wolfSSL 16:8e0d178b1d1e 785 #endif
wolfSSL 16:8e0d178b1d1e 786
wolfSSL 16:8e0d178b1d1e 787 #ifndef WOLFSSL_SCE_AES128_HANDLE
wolfSSL 16:8e0d178b1d1e 788 #define WOLFSSL_SCE_AES128_HANDLE g_sce_aes_128
wolfSSL 16:8e0d178b1d1e 789 #endif
wolfSSL 16:8e0d178b1d1e 790
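/* ECB-encrypt sz bytes with the Renesas SCE AES driver.
 *
 * aes       context supplying aes->key and aes->keylen
 * inBlock   plaintext, sz bytes
 * outBlock  receives the ciphertext, sz bytes; may alias inBlock
 * sz        byte count; the driver is given sz / sizeof(word32) words
 *
 * When the SCE is configured for big-endian words the input is byte-swapped
 * in place before the call and the output afterwards. The input buffer is
 * put back in its original byte order on every exit path, including the
 * error paths.
 *
 * Returns 0 on success, BAD_FUNC_ARG for NULL arguments, a negative size or
 * an unsupported key length, WC_HW_E when the driver reports a failure.
 *
 * NOTE(review): the in-place swap writes through a pointer declared const.
 * The caller's buffer is therefore transiently modified, which is unsafe if
 * it lives in read-only memory or is read concurrently - confirm callers. */
static int AES_ECB_encrypt(Aes* aes, const byte* inBlock, byte* outBlock,
    int sz)
{
    uint32_t ret;
    int swapWords;

    if (aes == NULL || inBlock == NULL || outBlock == NULL || sz < 0)
        return BAD_FUNC_ARG;

    swapWords = (WOLFSSL_SCE_GSCE_HANDLE.p_cfg->endian_flag ==
                 CRYPTO_WORD_ENDIAN_BIG);

    if (swapWords) {
        ByteReverseWords((word32*)inBlock, (word32*)inBlock, sz);
    }

    switch (aes->keylen) {
    #ifdef WOLFSSL_AES_128
        case AES_128_KEY_SIZE:
            ret = WOLFSSL_SCE_AES128_HANDLE.p_api->encrypt(
                    WOLFSSL_SCE_AES128_HANDLE.p_ctrl, aes->key,
                    NULL, (sz / sizeof(word32)), (word32*)inBlock,
                    (word32*)outBlock);
            break;
    #endif
    #ifdef WOLFSSL_AES_192
        case AES_192_KEY_SIZE:
            ret = WOLFSSL_SCE_AES192_HANDLE.p_api->encrypt(
                    WOLFSSL_SCE_AES192_HANDLE.p_ctrl, aes->key,
                    NULL, (sz / sizeof(word32)), (word32*)inBlock,
                    (word32*)outBlock);
            break;
    #endif
    #ifdef WOLFSSL_AES_256
        case AES_256_KEY_SIZE:
            ret = WOLFSSL_SCE_AES256_HANDLE.p_api->encrypt(
                    WOLFSSL_SCE_AES256_HANDLE.p_ctrl, aes->key,
                    NULL, (sz / sizeof(word32)), (word32*)inBlock,
                    (word32*)outBlock);
            break;
    #endif
        default:
            WOLFSSL_MSG("Unknown key size");
            if (swapWords) {
                /* undo the swap so the caller's input is left intact */
                ByteReverseWords((word32*)inBlock, (word32*)inBlock, sz);
            }
            return BAD_FUNC_ARG;
    }

    if (ret != SSP_SUCCESS) {
        /* revert input, but only if it was swapped in the first place;
         * swapping here unconditionally would corrupt the caller's buffer
         * in the little-endian configuration */
        if (swapWords) {
            ByteReverseWords((word32*)inBlock, (word32*)inBlock, sz);
        }
        return WC_HW_E;
    }

    if (swapWords) {
        ByteReverseWords((word32*)outBlock, (word32*)outBlock, sz);
        if (inBlock != outBlock) {
            /* revert input; when the buffers alias, the output swap above
             * already covers the shared memory */
            ByteReverseWords((word32*)inBlock, (word32*)inBlock, sz);
        }
    }

    return 0;
}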
wolfSSL 16:8e0d178b1d1e 847
wolfSSL 16:8e0d178b1d1e 848 #if defined(HAVE_AES_DECRYPT)
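/* ECB-decrypt sz bytes with the Renesas SCE AES driver.
 *
 * aes       context supplying aes->key, aes->keylen and aes->reg
 * inBlock   ciphertext, sz bytes
 * outBlock  receives the plaintext, sz bytes; may alias inBlock
 * sz        byte count; the driver is given sz / sizeof(word32) words
 *
 * When the SCE is configured for big-endian words the input is byte-swapped
 * in place before the call and the output afterwards. The input buffer is
 * put back in its original byte order on every exit path, including the
 * error paths, matching AES_ECB_encrypt().
 *
 * Returns 0 on success, BAD_FUNC_ARG for NULL arguments, a negative size or
 * an unsupported key length, WC_HW_E when the driver reports a failure.
 *
 * NOTE(review): the driver is passed aes->reg where the encrypt path passes
 * NULL. ECB takes no IV, so confirm whether the driver ignores this argument
 * or whether NULL was intended here as well.
 * NOTE(review): the in-place swap writes through a pointer declared const.
 * The caller's buffer is therefore transiently modified, which is unsafe if
 * it lives in read-only memory or is read concurrently - confirm callers. */
static int AES_ECB_decrypt(Aes* aes, const byte* inBlock, byte* outBlock,
    int sz)
{
    uint32_t ret;
    int swapWords;

    if (aes == NULL || inBlock == NULL || outBlock == NULL || sz < 0)
        return BAD_FUNC_ARG;

    swapWords = (WOLFSSL_SCE_GSCE_HANDLE.p_cfg->endian_flag ==
                 CRYPTO_WORD_ENDIAN_BIG);

    if (swapWords) {
        ByteReverseWords((word32*)inBlock, (word32*)inBlock, sz);
    }

    switch (aes->keylen) {
    #ifdef WOLFSSL_AES_128
        case AES_128_KEY_SIZE:
            ret = WOLFSSL_SCE_AES128_HANDLE.p_api->decrypt(
                    WOLFSSL_SCE_AES128_HANDLE.p_ctrl, aes->key, aes->reg,
                    (sz / sizeof(word32)), (word32*)inBlock,
                    (word32*)outBlock);
            break;
    #endif
    #ifdef WOLFSSL_AES_192
        case AES_192_KEY_SIZE:
            ret = WOLFSSL_SCE_AES192_HANDLE.p_api->decrypt(
                    WOLFSSL_SCE_AES192_HANDLE.p_ctrl, aes->key, aes->reg,
                    (sz / sizeof(word32)), (word32*)inBlock,
                    (word32*)outBlock);
            break;
    #endif
    #ifdef WOLFSSL_AES_256
        case AES_256_KEY_SIZE:
            ret = WOLFSSL_SCE_AES256_HANDLE.p_api->decrypt(
                    WOLFSSL_SCE_AES256_HANDLE.p_ctrl, aes->key, aes->reg,
                    (sz / sizeof(word32)), (word32*)inBlock,
                    (word32*)outBlock);
            break;
    #endif
        default:
            WOLFSSL_MSG("Unknown key size");
            if (swapWords) {
                /* undo the swap so the caller's input is left intact */
                ByteReverseWords((word32*)inBlock, (word32*)inBlock, sz);
            }
            return BAD_FUNC_ARG;
    }

    if (ret != SSP_SUCCESS) {
        if (swapWords) {
            /* revert input; without this a hardware failure would leave the
             * caller's ciphertext byte-swapped */
            ByteReverseWords((word32*)inBlock, (word32*)inBlock, sz);
        }
        return WC_HW_E;
    }

    if (swapWords) {
        ByteReverseWords((word32*)outBlock, (word32*)outBlock, sz);
        if (inBlock != outBlock) {
            /* revert input; when the buffers alias, the output swap above
             * already covers the shared memory */
            ByteReverseWords((word32*)inBlock, (word32*)inBlock, sz);
        }
    }

    return 0;
}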
wolfSSL 16:8e0d178b1d1e 903
wolfSSL 16:8e0d178b1d1e 904 #endif
wolfSSL 16:8e0d178b1d1e 905
wolfSSL 16:8e0d178b1d1e 906 #if defined(HAVE_AESGCM) || defined(WOLFSSL_AES_DIRECT)
/* Single-block encrypt for the Renesas SCE port: runs the ECB helper over
 * exactly AES_BLOCK_SIZE bytes and returns its status. */
static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
{
    int status = AES_ECB_encrypt(aes, inBlock, outBlock, AES_BLOCK_SIZE);

    return status;
}
wolfSSL 16:8e0d178b1d1e 911 #endif
wolfSSL 16:8e0d178b1d1e 912
wolfSSL 16:8e0d178b1d1e 913 #if defined(HAVE_AES_DECRYPT) && defined(WOLFSSL_AES_DIRECT)
/* Single-block decrypt for the Renesas SCE port: runs the ECB helper over
 * exactly AES_BLOCK_SIZE bytes and returns its status. */
static int wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
{
    int status = AES_ECB_decrypt(aes, inBlock, outBlock, AES_BLOCK_SIZE);

    return status;
}
wolfSSL 16:8e0d178b1d1e 918 #endif
#else

    /* using wolfCrypt software implementation
     *
     * No hardware port was selected above, so the lookup tables guarded by
     * NEED_AES_TABLES are compiled in.
     * NOTE(review): table-driven AES indexes its tables with key-dependent
     * values, a known cache-timing concern on CPUs with data caches. The
     * WOLFSSL_AES_SMALL_TABLES switch below presumably selects a smaller
     * table set - confirm what hardening this build relies on. */
    #define NEED_AES_TABLES
#endif
wolfSSL 15:117db924cf7c 924
wolfSSL 15:117db924cf7c 925
wolfSSL 15:117db924cf7c 926
wolfSSL 15:117db924cf7c 927 #ifdef NEED_AES_TABLES
wolfSSL 15:117db924cf7c 928
/* Round constants, one word32 per entry with the constant byte in the most
 * significant position (0x01, 0x02, ... 0x80, 0x1B, 0x36).
 * NOTE(review): presumably consumed by the software key expansion later in
 * this file; the use is not visible in this part. */
static const word32 rcon[] = {
    0x01000000, 0x02000000, 0x04000000, 0x08000000,
    0x10000000, 0x20000000, 0x40000000, 0x80000000,
    0x1B000000, 0x36000000,
    /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */
};
wolfSSL 15:117db924cf7c 935
wolfSSL 16:8e0d178b1d1e 936 #ifndef WOLFSSL_AES_SMALL_TABLES
wolfSSL 15:117db924cf7c 937 static const word32 Te[4][256] = {
wolfSSL 15:117db924cf7c 938 {
wolfSSL 15:117db924cf7c 939 0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU,
wolfSSL 15:117db924cf7c 940 0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U,
wolfSSL 15:117db924cf7c 941 0x60303050U, 0x02010103U, 0xce6767a9U, 0x562b2b7dU,
wolfSSL 15:117db924cf7c 942 0xe7fefe19U, 0xb5d7d762U, 0x4dababe6U, 0xec76769aU,
wolfSSL 15:117db924cf7c 943 0x8fcaca45U, 0x1f82829dU, 0x89c9c940U, 0xfa7d7d87U,
wolfSSL 15:117db924cf7c 944 0xeffafa15U, 0xb25959ebU, 0x8e4747c9U, 0xfbf0f00bU,
wolfSSL 15:117db924cf7c 945 0x41adadecU, 0xb3d4d467U, 0x5fa2a2fdU, 0x45afafeaU,
wolfSSL 15:117db924cf7c 946 0x239c9cbfU, 0x53a4a4f7U, 0xe4727296U, 0x9bc0c05bU,
wolfSSL 15:117db924cf7c 947 0x75b7b7c2U, 0xe1fdfd1cU, 0x3d9393aeU, 0x4c26266aU,
wolfSSL 15:117db924cf7c 948 0x6c36365aU, 0x7e3f3f41U, 0xf5f7f702U, 0x83cccc4fU,
wolfSSL 15:117db924cf7c 949 0x6834345cU, 0x51a5a5f4U, 0xd1e5e534U, 0xf9f1f108U,
wolfSSL 15:117db924cf7c 950 0xe2717193U, 0xabd8d873U, 0x62313153U, 0x2a15153fU,
wolfSSL 15:117db924cf7c 951 0x0804040cU, 0x95c7c752U, 0x46232365U, 0x9dc3c35eU,
wolfSSL 15:117db924cf7c 952 0x30181828U, 0x379696a1U, 0x0a05050fU, 0x2f9a9ab5U,
wolfSSL 15:117db924cf7c 953 0x0e070709U, 0x24121236U, 0x1b80809bU, 0xdfe2e23dU,
wolfSSL 15:117db924cf7c 954 0xcdebeb26U, 0x4e272769U, 0x7fb2b2cdU, 0xea75759fU,
wolfSSL 15:117db924cf7c 955 0x1209091bU, 0x1d83839eU, 0x582c2c74U, 0x341a1a2eU,
wolfSSL 15:117db924cf7c 956 0x361b1b2dU, 0xdc6e6eb2U, 0xb45a5aeeU, 0x5ba0a0fbU,
wolfSSL 15:117db924cf7c 957 0xa45252f6U, 0x763b3b4dU, 0xb7d6d661U, 0x7db3b3ceU,
wolfSSL 15:117db924cf7c 958 0x5229297bU, 0xdde3e33eU, 0x5e2f2f71U, 0x13848497U,
wolfSSL 15:117db924cf7c 959 0xa65353f5U, 0xb9d1d168U, 0x00000000U, 0xc1eded2cU,
wolfSSL 15:117db924cf7c 960 0x40202060U, 0xe3fcfc1fU, 0x79b1b1c8U, 0xb65b5bedU,
wolfSSL 15:117db924cf7c 961 0xd46a6abeU, 0x8dcbcb46U, 0x67bebed9U, 0x7239394bU,
wolfSSL 15:117db924cf7c 962 0x944a4adeU, 0x984c4cd4U, 0xb05858e8U, 0x85cfcf4aU,
wolfSSL 15:117db924cf7c 963 0xbbd0d06bU, 0xc5efef2aU, 0x4faaaae5U, 0xedfbfb16U,
wolfSSL 15:117db924cf7c 964 0x864343c5U, 0x9a4d4dd7U, 0x66333355U, 0x11858594U,
wolfSSL 15:117db924cf7c 965 0x8a4545cfU, 0xe9f9f910U, 0x04020206U, 0xfe7f7f81U,
wolfSSL 15:117db924cf7c 966 0xa05050f0U, 0x783c3c44U, 0x259f9fbaU, 0x4ba8a8e3U,
wolfSSL 15:117db924cf7c 967 0xa25151f3U, 0x5da3a3feU, 0x804040c0U, 0x058f8f8aU,
wolfSSL 15:117db924cf7c 968 0x3f9292adU, 0x219d9dbcU, 0x70383848U, 0xf1f5f504U,
wolfSSL 15:117db924cf7c 969 0x63bcbcdfU, 0x77b6b6c1U, 0xafdada75U, 0x42212163U,
wolfSSL 15:117db924cf7c 970 0x20101030U, 0xe5ffff1aU, 0xfdf3f30eU, 0xbfd2d26dU,
wolfSSL 15:117db924cf7c 971 0x81cdcd4cU, 0x180c0c14U, 0x26131335U, 0xc3ecec2fU,
wolfSSL 15:117db924cf7c 972 0xbe5f5fe1U, 0x359797a2U, 0x884444ccU, 0x2e171739U,
wolfSSL 15:117db924cf7c 973 0x93c4c457U, 0x55a7a7f2U, 0xfc7e7e82U, 0x7a3d3d47U,
wolfSSL 15:117db924cf7c 974 0xc86464acU, 0xba5d5de7U, 0x3219192bU, 0xe6737395U,
wolfSSL 15:117db924cf7c 975 0xc06060a0U, 0x19818198U, 0x9e4f4fd1U, 0xa3dcdc7fU,
wolfSSL 15:117db924cf7c 976 0x44222266U, 0x542a2a7eU, 0x3b9090abU, 0x0b888883U,
wolfSSL 15:117db924cf7c 977 0x8c4646caU, 0xc7eeee29U, 0x6bb8b8d3U, 0x2814143cU,
wolfSSL 15:117db924cf7c 978 0xa7dede79U, 0xbc5e5ee2U, 0x160b0b1dU, 0xaddbdb76U,
wolfSSL 15:117db924cf7c 979 0xdbe0e03bU, 0x64323256U, 0x743a3a4eU, 0x140a0a1eU,
wolfSSL 15:117db924cf7c 980 0x924949dbU, 0x0c06060aU, 0x4824246cU, 0xb85c5ce4U,
wolfSSL 15:117db924cf7c 981 0x9fc2c25dU, 0xbdd3d36eU, 0x43acacefU, 0xc46262a6U,
wolfSSL 15:117db924cf7c 982 0x399191a8U, 0x319595a4U, 0xd3e4e437U, 0xf279798bU,
wolfSSL 15:117db924cf7c 983 0xd5e7e732U, 0x8bc8c843U, 0x6e373759U, 0xda6d6db7U,
wolfSSL 15:117db924cf7c 984 0x018d8d8cU, 0xb1d5d564U, 0x9c4e4ed2U, 0x49a9a9e0U,
wolfSSL 15:117db924cf7c 985 0xd86c6cb4U, 0xac5656faU, 0xf3f4f407U, 0xcfeaea25U,
wolfSSL 15:117db924cf7c 986 0xca6565afU, 0xf47a7a8eU, 0x47aeaee9U, 0x10080818U,
wolfSSL 15:117db924cf7c 987 0x6fbabad5U, 0xf0787888U, 0x4a25256fU, 0x5c2e2e72U,
wolfSSL 15:117db924cf7c 988 0x381c1c24U, 0x57a6a6f1U, 0x73b4b4c7U, 0x97c6c651U,
wolfSSL 15:117db924cf7c 989 0xcbe8e823U, 0xa1dddd7cU, 0xe874749cU, 0x3e1f1f21U,
wolfSSL 15:117db924cf7c 990 0x964b4bddU, 0x61bdbddcU, 0x0d8b8b86U, 0x0f8a8a85U,
wolfSSL 15:117db924cf7c 991 0xe0707090U, 0x7c3e3e42U, 0x71b5b5c4U, 0xcc6666aaU,
wolfSSL 15:117db924cf7c 992 0x904848d8U, 0x06030305U, 0xf7f6f601U, 0x1c0e0e12U,
wolfSSL 15:117db924cf7c 993 0xc26161a3U, 0x6a35355fU, 0xae5757f9U, 0x69b9b9d0U,
wolfSSL 15:117db924cf7c 994 0x17868691U, 0x99c1c158U, 0x3a1d1d27U, 0x279e9eb9U,
wolfSSL 15:117db924cf7c 995 0xd9e1e138U, 0xebf8f813U, 0x2b9898b3U, 0x22111133U,
wolfSSL 15:117db924cf7c 996 0xd26969bbU, 0xa9d9d970U, 0x078e8e89U, 0x339494a7U,
wolfSSL 15:117db924cf7c 997 0x2d9b9bb6U, 0x3c1e1e22U, 0x15878792U, 0xc9e9e920U,
wolfSSL 15:117db924cf7c 998 0x87cece49U, 0xaa5555ffU, 0x50282878U, 0xa5dfdf7aU,
wolfSSL 15:117db924cf7c 999 0x038c8c8fU, 0x59a1a1f8U, 0x09898980U, 0x1a0d0d17U,
wolfSSL 15:117db924cf7c 1000 0x65bfbfdaU, 0xd7e6e631U, 0x844242c6U, 0xd06868b8U,
wolfSSL 15:117db924cf7c 1001 0x824141c3U, 0x299999b0U, 0x5a2d2d77U, 0x1e0f0f11U,
wolfSSL 15:117db924cf7c 1002 0x7bb0b0cbU, 0xa85454fcU, 0x6dbbbbd6U, 0x2c16163aU,
wolfSSL 15:117db924cf7c 1003 },
wolfSSL 15:117db924cf7c 1004 {
wolfSSL 15:117db924cf7c 1005 0xa5c66363U, 0x84f87c7cU, 0x99ee7777U, 0x8df67b7bU,
wolfSSL 15:117db924cf7c 1006 0x0dfff2f2U, 0xbdd66b6bU, 0xb1de6f6fU, 0x5491c5c5U,
wolfSSL 15:117db924cf7c 1007 0x50603030U, 0x03020101U, 0xa9ce6767U, 0x7d562b2bU,
wolfSSL 15:117db924cf7c 1008 0x19e7fefeU, 0x62b5d7d7U, 0xe64dababU, 0x9aec7676U,
wolfSSL 15:117db924cf7c 1009 0x458fcacaU, 0x9d1f8282U, 0x4089c9c9U, 0x87fa7d7dU,
wolfSSL 15:117db924cf7c 1010 0x15effafaU, 0xebb25959U, 0xc98e4747U, 0x0bfbf0f0U,
wolfSSL 15:117db924cf7c 1011 0xec41adadU, 0x67b3d4d4U, 0xfd5fa2a2U, 0xea45afafU,
wolfSSL 15:117db924cf7c 1012 0xbf239c9cU, 0xf753a4a4U, 0x96e47272U, 0x5b9bc0c0U,
wolfSSL 15:117db924cf7c 1013 0xc275b7b7U, 0x1ce1fdfdU, 0xae3d9393U, 0x6a4c2626U,
wolfSSL 15:117db924cf7c 1014 0x5a6c3636U, 0x417e3f3fU, 0x02f5f7f7U, 0x4f83ccccU,
wolfSSL 15:117db924cf7c 1015 0x5c683434U, 0xf451a5a5U, 0x34d1e5e5U, 0x08f9f1f1U,
wolfSSL 15:117db924cf7c 1016 0x93e27171U, 0x73abd8d8U, 0x53623131U, 0x3f2a1515U,
wolfSSL 15:117db924cf7c 1017 0x0c080404U, 0x5295c7c7U, 0x65462323U, 0x5e9dc3c3U,
wolfSSL 15:117db924cf7c 1018 0x28301818U, 0xa1379696U, 0x0f0a0505U, 0xb52f9a9aU,
wolfSSL 15:117db924cf7c 1019 0x090e0707U, 0x36241212U, 0x9b1b8080U, 0x3ddfe2e2U,
wolfSSL 15:117db924cf7c 1020 0x26cdebebU, 0x694e2727U, 0xcd7fb2b2U, 0x9fea7575U,
wolfSSL 15:117db924cf7c 1021 0x1b120909U, 0x9e1d8383U, 0x74582c2cU, 0x2e341a1aU,
wolfSSL 15:117db924cf7c 1022 0x2d361b1bU, 0xb2dc6e6eU, 0xeeb45a5aU, 0xfb5ba0a0U,
wolfSSL 15:117db924cf7c 1023 0xf6a45252U, 0x4d763b3bU, 0x61b7d6d6U, 0xce7db3b3U,
wolfSSL 15:117db924cf7c 1024 0x7b522929U, 0x3edde3e3U, 0x715e2f2fU, 0x97138484U,
wolfSSL 15:117db924cf7c 1025 0xf5a65353U, 0x68b9d1d1U, 0x00000000U, 0x2cc1ededU,
wolfSSL 15:117db924cf7c 1026 0x60402020U, 0x1fe3fcfcU, 0xc879b1b1U, 0xedb65b5bU,
wolfSSL 15:117db924cf7c 1027 0xbed46a6aU, 0x468dcbcbU, 0xd967bebeU, 0x4b723939U,
wolfSSL 15:117db924cf7c 1028 0xde944a4aU, 0xd4984c4cU, 0xe8b05858U, 0x4a85cfcfU,
wolfSSL 15:117db924cf7c 1029 0x6bbbd0d0U, 0x2ac5efefU, 0xe54faaaaU, 0x16edfbfbU,
wolfSSL 15:117db924cf7c 1030 0xc5864343U, 0xd79a4d4dU, 0x55663333U, 0x94118585U,
wolfSSL 15:117db924cf7c 1031 0xcf8a4545U, 0x10e9f9f9U, 0x06040202U, 0x81fe7f7fU,
wolfSSL 15:117db924cf7c 1032 0xf0a05050U, 0x44783c3cU, 0xba259f9fU, 0xe34ba8a8U,
wolfSSL 15:117db924cf7c 1033 0xf3a25151U, 0xfe5da3a3U, 0xc0804040U, 0x8a058f8fU,
wolfSSL 15:117db924cf7c 1034 0xad3f9292U, 0xbc219d9dU, 0x48703838U, 0x04f1f5f5U,
wolfSSL 15:117db924cf7c 1035 0xdf63bcbcU, 0xc177b6b6U, 0x75afdadaU, 0x63422121U,
wolfSSL 15:117db924cf7c 1036 0x30201010U, 0x1ae5ffffU, 0x0efdf3f3U, 0x6dbfd2d2U,
wolfSSL 15:117db924cf7c 1037 0x4c81cdcdU, 0x14180c0cU, 0x35261313U, 0x2fc3ececU,
wolfSSL 15:117db924cf7c 1038 0xe1be5f5fU, 0xa2359797U, 0xcc884444U, 0x392e1717U,
wolfSSL 15:117db924cf7c 1039 0x5793c4c4U, 0xf255a7a7U, 0x82fc7e7eU, 0x477a3d3dU,
wolfSSL 15:117db924cf7c 1040 0xacc86464U, 0xe7ba5d5dU, 0x2b321919U, 0x95e67373U,
wolfSSL 15:117db924cf7c 1041 0xa0c06060U, 0x98198181U, 0xd19e4f4fU, 0x7fa3dcdcU,
wolfSSL 15:117db924cf7c 1042 0x66442222U, 0x7e542a2aU, 0xab3b9090U, 0x830b8888U,
wolfSSL 15:117db924cf7c 1043 0xca8c4646U, 0x29c7eeeeU, 0xd36bb8b8U, 0x3c281414U,
wolfSSL 15:117db924cf7c 1044 0x79a7dedeU, 0xe2bc5e5eU, 0x1d160b0bU, 0x76addbdbU,
wolfSSL 15:117db924cf7c 1045 0x3bdbe0e0U, 0x56643232U, 0x4e743a3aU, 0x1e140a0aU,
wolfSSL 15:117db924cf7c 1046 0xdb924949U, 0x0a0c0606U, 0x6c482424U, 0xe4b85c5cU,
wolfSSL 15:117db924cf7c 1047 0x5d9fc2c2U, 0x6ebdd3d3U, 0xef43acacU, 0xa6c46262U,
wolfSSL 15:117db924cf7c 1048 0xa8399191U, 0xa4319595U, 0x37d3e4e4U, 0x8bf27979U,
wolfSSL 15:117db924cf7c 1049 0x32d5e7e7U, 0x438bc8c8U, 0x596e3737U, 0xb7da6d6dU,
wolfSSL 15:117db924cf7c 1050 0x8c018d8dU, 0x64b1d5d5U, 0xd29c4e4eU, 0xe049a9a9U,
wolfSSL 15:117db924cf7c 1051 0xb4d86c6cU, 0xfaac5656U, 0x07f3f4f4U, 0x25cfeaeaU,
wolfSSL 15:117db924cf7c 1052 0xafca6565U, 0x8ef47a7aU, 0xe947aeaeU, 0x18100808U,
wolfSSL 15:117db924cf7c 1053 0xd56fbabaU, 0x88f07878U, 0x6f4a2525U, 0x725c2e2eU,
wolfSSL 15:117db924cf7c 1054 0x24381c1cU, 0xf157a6a6U, 0xc773b4b4U, 0x5197c6c6U,
wolfSSL 15:117db924cf7c 1055 0x23cbe8e8U, 0x7ca1ddddU, 0x9ce87474U, 0x213e1f1fU,
wolfSSL 15:117db924cf7c 1056 0xdd964b4bU, 0xdc61bdbdU, 0x860d8b8bU, 0x850f8a8aU,
wolfSSL 15:117db924cf7c 1057 0x90e07070U, 0x427c3e3eU, 0xc471b5b5U, 0xaacc6666U,
wolfSSL 15:117db924cf7c 1058 0xd8904848U, 0x05060303U, 0x01f7f6f6U, 0x121c0e0eU,
wolfSSL 15:117db924cf7c 1059 0xa3c26161U, 0x5f6a3535U, 0xf9ae5757U, 0xd069b9b9U,
wolfSSL 15:117db924cf7c 1060 0x91178686U, 0x5899c1c1U, 0x273a1d1dU, 0xb9279e9eU,
wolfSSL 15:117db924cf7c 1061 0x38d9e1e1U, 0x13ebf8f8U, 0xb32b9898U, 0x33221111U,
wolfSSL 15:117db924cf7c 1062 0xbbd26969U, 0x70a9d9d9U, 0x89078e8eU, 0xa7339494U,
wolfSSL 15:117db924cf7c 1063 0xb62d9b9bU, 0x223c1e1eU, 0x92158787U, 0x20c9e9e9U,
wolfSSL 15:117db924cf7c 1064 0x4987ceceU, 0xffaa5555U, 0x78502828U, 0x7aa5dfdfU,
wolfSSL 15:117db924cf7c 1065 0x8f038c8cU, 0xf859a1a1U, 0x80098989U, 0x171a0d0dU,
wolfSSL 15:117db924cf7c 1066 0xda65bfbfU, 0x31d7e6e6U, 0xc6844242U, 0xb8d06868U,
wolfSSL 15:117db924cf7c 1067 0xc3824141U, 0xb0299999U, 0x775a2d2dU, 0x111e0f0fU,
wolfSSL 15:117db924cf7c 1068 0xcb7bb0b0U, 0xfca85454U, 0xd66dbbbbU, 0x3a2c1616U,
wolfSSL 15:117db924cf7c 1069 },
wolfSSL 15:117db924cf7c 1070 {
wolfSSL 15:117db924cf7c 1071 0x63a5c663U, 0x7c84f87cU, 0x7799ee77U, 0x7b8df67bU,
wolfSSL 15:117db924cf7c 1072 0xf20dfff2U, 0x6bbdd66bU, 0x6fb1de6fU, 0xc55491c5U,
wolfSSL 15:117db924cf7c 1073 0x30506030U, 0x01030201U, 0x67a9ce67U, 0x2b7d562bU,
wolfSSL 15:117db924cf7c 1074 0xfe19e7feU, 0xd762b5d7U, 0xabe64dabU, 0x769aec76U,
wolfSSL 15:117db924cf7c 1075 0xca458fcaU, 0x829d1f82U, 0xc94089c9U, 0x7d87fa7dU,
wolfSSL 15:117db924cf7c 1076 0xfa15effaU, 0x59ebb259U, 0x47c98e47U, 0xf00bfbf0U,
wolfSSL 15:117db924cf7c 1077 0xadec41adU, 0xd467b3d4U, 0xa2fd5fa2U, 0xafea45afU,
wolfSSL 15:117db924cf7c 1078 0x9cbf239cU, 0xa4f753a4U, 0x7296e472U, 0xc05b9bc0U,
wolfSSL 15:117db924cf7c 1079 0xb7c275b7U, 0xfd1ce1fdU, 0x93ae3d93U, 0x266a4c26U,
wolfSSL 15:117db924cf7c 1080 0x365a6c36U, 0x3f417e3fU, 0xf702f5f7U, 0xcc4f83ccU,
wolfSSL 15:117db924cf7c 1081 0x345c6834U, 0xa5f451a5U, 0xe534d1e5U, 0xf108f9f1U,
wolfSSL 15:117db924cf7c 1082 0x7193e271U, 0xd873abd8U, 0x31536231U, 0x153f2a15U,
wolfSSL 15:117db924cf7c 1083 0x040c0804U, 0xc75295c7U, 0x23654623U, 0xc35e9dc3U,
wolfSSL 15:117db924cf7c 1084 0x18283018U, 0x96a13796U, 0x050f0a05U, 0x9ab52f9aU,
wolfSSL 15:117db924cf7c 1085 0x07090e07U, 0x12362412U, 0x809b1b80U, 0xe23ddfe2U,
wolfSSL 15:117db924cf7c 1086 0xeb26cdebU, 0x27694e27U, 0xb2cd7fb2U, 0x759fea75U,
wolfSSL 15:117db924cf7c 1087 0x091b1209U, 0x839e1d83U, 0x2c74582cU, 0x1a2e341aU,
wolfSSL 15:117db924cf7c 1088 0x1b2d361bU, 0x6eb2dc6eU, 0x5aeeb45aU, 0xa0fb5ba0U,
wolfSSL 15:117db924cf7c 1089 0x52f6a452U, 0x3b4d763bU, 0xd661b7d6U, 0xb3ce7db3U,
wolfSSL 15:117db924cf7c 1090 0x297b5229U, 0xe33edde3U, 0x2f715e2fU, 0x84971384U,
wolfSSL 15:117db924cf7c 1091 0x53f5a653U, 0xd168b9d1U, 0x00000000U, 0xed2cc1edU,
wolfSSL 15:117db924cf7c 1092 0x20604020U, 0xfc1fe3fcU, 0xb1c879b1U, 0x5bedb65bU,
wolfSSL 15:117db924cf7c 1093 0x6abed46aU, 0xcb468dcbU, 0xbed967beU, 0x394b7239U,
wolfSSL 15:117db924cf7c 1094 0x4ade944aU, 0x4cd4984cU, 0x58e8b058U, 0xcf4a85cfU,
wolfSSL 15:117db924cf7c 1095 0xd06bbbd0U, 0xef2ac5efU, 0xaae54faaU, 0xfb16edfbU,
wolfSSL 15:117db924cf7c 1096 0x43c58643U, 0x4dd79a4dU, 0x33556633U, 0x85941185U,
wolfSSL 15:117db924cf7c 1097 0x45cf8a45U, 0xf910e9f9U, 0x02060402U, 0x7f81fe7fU,
wolfSSL 15:117db924cf7c 1098 0x50f0a050U, 0x3c44783cU, 0x9fba259fU, 0xa8e34ba8U,
wolfSSL 15:117db924cf7c 1099 0x51f3a251U, 0xa3fe5da3U, 0x40c08040U, 0x8f8a058fU,
wolfSSL 15:117db924cf7c 1100 0x92ad3f92U, 0x9dbc219dU, 0x38487038U, 0xf504f1f5U,
wolfSSL 15:117db924cf7c 1101 0xbcdf63bcU, 0xb6c177b6U, 0xda75afdaU, 0x21634221U,
wolfSSL 15:117db924cf7c 1102 0x10302010U, 0xff1ae5ffU, 0xf30efdf3U, 0xd26dbfd2U,
wolfSSL 15:117db924cf7c 1103 0xcd4c81cdU, 0x0c14180cU, 0x13352613U, 0xec2fc3ecU,
wolfSSL 15:117db924cf7c 1104 0x5fe1be5fU, 0x97a23597U, 0x44cc8844U, 0x17392e17U,
wolfSSL 15:117db924cf7c 1105 0xc45793c4U, 0xa7f255a7U, 0x7e82fc7eU, 0x3d477a3dU,
wolfSSL 15:117db924cf7c 1106 0x64acc864U, 0x5de7ba5dU, 0x192b3219U, 0x7395e673U,
wolfSSL 15:117db924cf7c 1107 0x60a0c060U, 0x81981981U, 0x4fd19e4fU, 0xdc7fa3dcU,
wolfSSL 15:117db924cf7c 1108 0x22664422U, 0x2a7e542aU, 0x90ab3b90U, 0x88830b88U,
wolfSSL 15:117db924cf7c 1109 0x46ca8c46U, 0xee29c7eeU, 0xb8d36bb8U, 0x143c2814U,
wolfSSL 15:117db924cf7c 1110 0xde79a7deU, 0x5ee2bc5eU, 0x0b1d160bU, 0xdb76addbU,
wolfSSL 15:117db924cf7c 1111 0xe03bdbe0U, 0x32566432U, 0x3a4e743aU, 0x0a1e140aU,
wolfSSL 15:117db924cf7c 1112 0x49db9249U, 0x060a0c06U, 0x246c4824U, 0x5ce4b85cU,
wolfSSL 15:117db924cf7c 1113 0xc25d9fc2U, 0xd36ebdd3U, 0xacef43acU, 0x62a6c462U,
wolfSSL 15:117db924cf7c 1114 0x91a83991U, 0x95a43195U, 0xe437d3e4U, 0x798bf279U,
wolfSSL 15:117db924cf7c 1115 0xe732d5e7U, 0xc8438bc8U, 0x37596e37U, 0x6db7da6dU,
wolfSSL 15:117db924cf7c 1116 0x8d8c018dU, 0xd564b1d5U, 0x4ed29c4eU, 0xa9e049a9U,
wolfSSL 15:117db924cf7c 1117 0x6cb4d86cU, 0x56faac56U, 0xf407f3f4U, 0xea25cfeaU,
wolfSSL 15:117db924cf7c 1118 0x65afca65U, 0x7a8ef47aU, 0xaee947aeU, 0x08181008U,
wolfSSL 15:117db924cf7c 1119 0xbad56fbaU, 0x7888f078U, 0x256f4a25U, 0x2e725c2eU,
wolfSSL 15:117db924cf7c 1120 0x1c24381cU, 0xa6f157a6U, 0xb4c773b4U, 0xc65197c6U,
wolfSSL 15:117db924cf7c 1121 0xe823cbe8U, 0xdd7ca1ddU, 0x749ce874U, 0x1f213e1fU,
wolfSSL 15:117db924cf7c 1122 0x4bdd964bU, 0xbddc61bdU, 0x8b860d8bU, 0x8a850f8aU,
wolfSSL 15:117db924cf7c 1123 0x7090e070U, 0x3e427c3eU, 0xb5c471b5U, 0x66aacc66U,
wolfSSL 15:117db924cf7c 1124 0x48d89048U, 0x03050603U, 0xf601f7f6U, 0x0e121c0eU,
wolfSSL 15:117db924cf7c 1125 0x61a3c261U, 0x355f6a35U, 0x57f9ae57U, 0xb9d069b9U,
wolfSSL 15:117db924cf7c 1126 0x86911786U, 0xc15899c1U, 0x1d273a1dU, 0x9eb9279eU,
wolfSSL 15:117db924cf7c 1127 0xe138d9e1U, 0xf813ebf8U, 0x98b32b98U, 0x11332211U,
wolfSSL 15:117db924cf7c 1128 0x69bbd269U, 0xd970a9d9U, 0x8e89078eU, 0x94a73394U,
wolfSSL 15:117db924cf7c 1129 0x9bb62d9bU, 0x1e223c1eU, 0x87921587U, 0xe920c9e9U,
wolfSSL 15:117db924cf7c 1130 0xce4987ceU, 0x55ffaa55U, 0x28785028U, 0xdf7aa5dfU,
wolfSSL 15:117db924cf7c 1131 0x8c8f038cU, 0xa1f859a1U, 0x89800989U, 0x0d171a0dU,
wolfSSL 15:117db924cf7c 1132 0xbfda65bfU, 0xe631d7e6U, 0x42c68442U, 0x68b8d068U,
wolfSSL 15:117db924cf7c 1133 0x41c38241U, 0x99b02999U, 0x2d775a2dU, 0x0f111e0fU,
wolfSSL 15:117db924cf7c 1134 0xb0cb7bb0U, 0x54fca854U, 0xbbd66dbbU, 0x163a2c16U,
wolfSSL 15:117db924cf7c 1135 },
wolfSSL 15:117db924cf7c 1136 {
wolfSSL 15:117db924cf7c 1137 0x6363a5c6U, 0x7c7c84f8U, 0x777799eeU, 0x7b7b8df6U,
wolfSSL 15:117db924cf7c 1138 0xf2f20dffU, 0x6b6bbdd6U, 0x6f6fb1deU, 0xc5c55491U,
wolfSSL 15:117db924cf7c 1139 0x30305060U, 0x01010302U, 0x6767a9ceU, 0x2b2b7d56U,
wolfSSL 15:117db924cf7c 1140 0xfefe19e7U, 0xd7d762b5U, 0xababe64dU, 0x76769aecU,
wolfSSL 15:117db924cf7c 1141 0xcaca458fU, 0x82829d1fU, 0xc9c94089U, 0x7d7d87faU,
wolfSSL 15:117db924cf7c 1142 0xfafa15efU, 0x5959ebb2U, 0x4747c98eU, 0xf0f00bfbU,
wolfSSL 15:117db924cf7c 1143 0xadadec41U, 0xd4d467b3U, 0xa2a2fd5fU, 0xafafea45U,
wolfSSL 15:117db924cf7c 1144 0x9c9cbf23U, 0xa4a4f753U, 0x727296e4U, 0xc0c05b9bU,
wolfSSL 15:117db924cf7c 1145 0xb7b7c275U, 0xfdfd1ce1U, 0x9393ae3dU, 0x26266a4cU,
wolfSSL 15:117db924cf7c 1146 0x36365a6cU, 0x3f3f417eU, 0xf7f702f5U, 0xcccc4f83U,
wolfSSL 15:117db924cf7c 1147 0x34345c68U, 0xa5a5f451U, 0xe5e534d1U, 0xf1f108f9U,
wolfSSL 15:117db924cf7c 1148 0x717193e2U, 0xd8d873abU, 0x31315362U, 0x15153f2aU,
wolfSSL 15:117db924cf7c 1149 0x04040c08U, 0xc7c75295U, 0x23236546U, 0xc3c35e9dU,
wolfSSL 15:117db924cf7c 1150 0x18182830U, 0x9696a137U, 0x05050f0aU, 0x9a9ab52fU,
wolfSSL 15:117db924cf7c 1151 0x0707090eU, 0x12123624U, 0x80809b1bU, 0xe2e23ddfU,
wolfSSL 15:117db924cf7c 1152 0xebeb26cdU, 0x2727694eU, 0xb2b2cd7fU, 0x75759feaU,
wolfSSL 15:117db924cf7c 1153 0x09091b12U, 0x83839e1dU, 0x2c2c7458U, 0x1a1a2e34U,
wolfSSL 15:117db924cf7c 1154 0x1b1b2d36U, 0x6e6eb2dcU, 0x5a5aeeb4U, 0xa0a0fb5bU,
wolfSSL 15:117db924cf7c 1155 0x5252f6a4U, 0x3b3b4d76U, 0xd6d661b7U, 0xb3b3ce7dU,
wolfSSL 15:117db924cf7c 1156 0x29297b52U, 0xe3e33eddU, 0x2f2f715eU, 0x84849713U,
wolfSSL 15:117db924cf7c 1157 0x5353f5a6U, 0xd1d168b9U, 0x00000000U, 0xeded2cc1U,
wolfSSL 15:117db924cf7c 1158 0x20206040U, 0xfcfc1fe3U, 0xb1b1c879U, 0x5b5bedb6U,
wolfSSL 15:117db924cf7c 1159 0x6a6abed4U, 0xcbcb468dU, 0xbebed967U, 0x39394b72U,
wolfSSL 15:117db924cf7c 1160 0x4a4ade94U, 0x4c4cd498U, 0x5858e8b0U, 0xcfcf4a85U,
wolfSSL 15:117db924cf7c 1161 0xd0d06bbbU, 0xefef2ac5U, 0xaaaae54fU, 0xfbfb16edU,
wolfSSL 15:117db924cf7c 1162 0x4343c586U, 0x4d4dd79aU, 0x33335566U, 0x85859411U,
wolfSSL 15:117db924cf7c 1163 0x4545cf8aU, 0xf9f910e9U, 0x02020604U, 0x7f7f81feU,
wolfSSL 15:117db924cf7c 1164 0x5050f0a0U, 0x3c3c4478U, 0x9f9fba25U, 0xa8a8e34bU,
wolfSSL 15:117db924cf7c 1165 0x5151f3a2U, 0xa3a3fe5dU, 0x4040c080U, 0x8f8f8a05U,
wolfSSL 15:117db924cf7c 1166 0x9292ad3fU, 0x9d9dbc21U, 0x38384870U, 0xf5f504f1U,
wolfSSL 15:117db924cf7c 1167 0xbcbcdf63U, 0xb6b6c177U, 0xdada75afU, 0x21216342U,
wolfSSL 15:117db924cf7c 1168 0x10103020U, 0xffff1ae5U, 0xf3f30efdU, 0xd2d26dbfU,
wolfSSL 15:117db924cf7c 1169 0xcdcd4c81U, 0x0c0c1418U, 0x13133526U, 0xecec2fc3U,
wolfSSL 15:117db924cf7c 1170 0x5f5fe1beU, 0x9797a235U, 0x4444cc88U, 0x1717392eU,
wolfSSL 15:117db924cf7c 1171 0xc4c45793U, 0xa7a7f255U, 0x7e7e82fcU, 0x3d3d477aU,
wolfSSL 15:117db924cf7c 1172 0x6464acc8U, 0x5d5de7baU, 0x19192b32U, 0x737395e6U,
wolfSSL 15:117db924cf7c 1173 0x6060a0c0U, 0x81819819U, 0x4f4fd19eU, 0xdcdc7fa3U,
wolfSSL 15:117db924cf7c 1174 0x22226644U, 0x2a2a7e54U, 0x9090ab3bU, 0x8888830bU,
wolfSSL 15:117db924cf7c 1175 0x4646ca8cU, 0xeeee29c7U, 0xb8b8d36bU, 0x14143c28U,
wolfSSL 15:117db924cf7c 1176 0xdede79a7U, 0x5e5ee2bcU, 0x0b0b1d16U, 0xdbdb76adU,
wolfSSL 15:117db924cf7c 1177 0xe0e03bdbU, 0x32325664U, 0x3a3a4e74U, 0x0a0a1e14U,
wolfSSL 15:117db924cf7c 1178 0x4949db92U, 0x06060a0cU, 0x24246c48U, 0x5c5ce4b8U,
wolfSSL 15:117db924cf7c 1179 0xc2c25d9fU, 0xd3d36ebdU, 0xacacef43U, 0x6262a6c4U,
wolfSSL 15:117db924cf7c 1180 0x9191a839U, 0x9595a431U, 0xe4e437d3U, 0x79798bf2U,
wolfSSL 15:117db924cf7c 1181 0xe7e732d5U, 0xc8c8438bU, 0x3737596eU, 0x6d6db7daU,
wolfSSL 15:117db924cf7c 1182 0x8d8d8c01U, 0xd5d564b1U, 0x4e4ed29cU, 0xa9a9e049U,
wolfSSL 15:117db924cf7c 1183 0x6c6cb4d8U, 0x5656faacU, 0xf4f407f3U, 0xeaea25cfU,
wolfSSL 15:117db924cf7c 1184 0x6565afcaU, 0x7a7a8ef4U, 0xaeaee947U, 0x08081810U,
wolfSSL 15:117db924cf7c 1185 0xbabad56fU, 0x787888f0U, 0x25256f4aU, 0x2e2e725cU,
wolfSSL 15:117db924cf7c 1186 0x1c1c2438U, 0xa6a6f157U, 0xb4b4c773U, 0xc6c65197U,
wolfSSL 15:117db924cf7c 1187 0xe8e823cbU, 0xdddd7ca1U, 0x74749ce8U, 0x1f1f213eU,
wolfSSL 15:117db924cf7c 1188 0x4b4bdd96U, 0xbdbddc61U, 0x8b8b860dU, 0x8a8a850fU,
wolfSSL 15:117db924cf7c 1189 0x707090e0U, 0x3e3e427cU, 0xb5b5c471U, 0x6666aaccU,
wolfSSL 15:117db924cf7c 1190 0x4848d890U, 0x03030506U, 0xf6f601f7U, 0x0e0e121cU,
wolfSSL 15:117db924cf7c 1191 0x6161a3c2U, 0x35355f6aU, 0x5757f9aeU, 0xb9b9d069U,
wolfSSL 15:117db924cf7c 1192 0x86869117U, 0xc1c15899U, 0x1d1d273aU, 0x9e9eb927U,
wolfSSL 15:117db924cf7c 1193 0xe1e138d9U, 0xf8f813ebU, 0x9898b32bU, 0x11113322U,
wolfSSL 15:117db924cf7c 1194 0x6969bbd2U, 0xd9d970a9U, 0x8e8e8907U, 0x9494a733U,
wolfSSL 15:117db924cf7c 1195 0x9b9bb62dU, 0x1e1e223cU, 0x87879215U, 0xe9e920c9U,
wolfSSL 15:117db924cf7c 1196 0xcece4987U, 0x5555ffaaU, 0x28287850U, 0xdfdf7aa5U,
wolfSSL 15:117db924cf7c 1197 0x8c8c8f03U, 0xa1a1f859U, 0x89898009U, 0x0d0d171aU,
wolfSSL 15:117db924cf7c 1198 0xbfbfda65U, 0xe6e631d7U, 0x4242c684U, 0x6868b8d0U,
wolfSSL 15:117db924cf7c 1199 0x4141c382U, 0x9999b029U, 0x2d2d775aU, 0x0f0f111eU,
wolfSSL 15:117db924cf7c 1200 0xb0b0cb7bU, 0x5454fca8U, 0xbbbbd66dU, 0x16163a2cU,
wolfSSL 15:117db924cf7c 1201 }
wolfSSL 15:117db924cf7c 1202 };
wolfSSL 15:117db924cf7c 1203
wolfSSL 15:117db924cf7c 1204 #ifdef HAVE_AES_DECRYPT
/*
 * Td: four 256-entry word32 lookup tables, compiled only when
 * HAVE_AES_DECRYPT is defined. The values are the standard Rijndael
 * decryption "T-table" constants (inverse S-box merged with InvMixColumns).
 * Td[1], Td[2] and Td[3] hold the words of Td[0] rotated right by 8, 16 and
 * 24 bits (spot-checked on the first and last entry of each table).
 *
 * NOTE(review): the code that indexes these tables is outside this excerpt.
 * In a table-driven AES the index is normally a byte of the cipher state, so
 * the cache lines touched depend on secret data. That makes this style of
 * implementation sensitive to cache-timing observation. Where an untrusted
 * party can share the CPU cache, prefer a hardware AES path or a
 * constant-time build, and confirm which mitigations this configuration
 * actually enables.
 */
wolfSSL 15:117db924cf7c 1205 static const word32 Td[4][256] = {
wolfSSL 15:117db924cf7c 1206 {
wolfSSL 15:117db924cf7c 1207 0x51f4a750U, 0x7e416553U, 0x1a17a4c3U, 0x3a275e96U,
wolfSSL 15:117db924cf7c 1208 0x3bab6bcbU, 0x1f9d45f1U, 0xacfa58abU, 0x4be30393U,
wolfSSL 15:117db924cf7c 1209 0x2030fa55U, 0xad766df6U, 0x88cc7691U, 0xf5024c25U,
wolfSSL 15:117db924cf7c 1210 0x4fe5d7fcU, 0xc52acbd7U, 0x26354480U, 0xb562a38fU,
wolfSSL 15:117db924cf7c 1211 0xdeb15a49U, 0x25ba1b67U, 0x45ea0e98U, 0x5dfec0e1U,
wolfSSL 15:117db924cf7c 1212 0xc32f7502U, 0x814cf012U, 0x8d4697a3U, 0x6bd3f9c6U,
wolfSSL 15:117db924cf7c 1213 0x038f5fe7U, 0x15929c95U, 0xbf6d7aebU, 0x955259daU,
wolfSSL 15:117db924cf7c 1214 0xd4be832dU, 0x587421d3U, 0x49e06929U, 0x8ec9c844U,
wolfSSL 15:117db924cf7c 1215 0x75c2896aU, 0xf48e7978U, 0x99583e6bU, 0x27b971ddU,
wolfSSL 15:117db924cf7c 1216 0xbee14fb6U, 0xf088ad17U, 0xc920ac66U, 0x7dce3ab4U,
wolfSSL 15:117db924cf7c 1217 0x63df4a18U, 0xe51a3182U, 0x97513360U, 0x62537f45U,
wolfSSL 15:117db924cf7c 1218 0xb16477e0U, 0xbb6bae84U, 0xfe81a01cU, 0xf9082b94U,
wolfSSL 15:117db924cf7c 1219 0x70486858U, 0x8f45fd19U, 0x94de6c87U, 0x527bf8b7U,
wolfSSL 15:117db924cf7c 1220 0xab73d323U, 0x724b02e2U, 0xe31f8f57U, 0x6655ab2aU,
wolfSSL 15:117db924cf7c 1221 0xb2eb2807U, 0x2fb5c203U, 0x86c57b9aU, 0xd33708a5U,
wolfSSL 15:117db924cf7c 1222 0x302887f2U, 0x23bfa5b2U, 0x02036abaU, 0xed16825cU,
wolfSSL 15:117db924cf7c 1223 0x8acf1c2bU, 0xa779b492U, 0xf307f2f0U, 0x4e69e2a1U,
wolfSSL 15:117db924cf7c 1224 0x65daf4cdU, 0x0605bed5U, 0xd134621fU, 0xc4a6fe8aU,
wolfSSL 15:117db924cf7c 1225 0x342e539dU, 0xa2f355a0U, 0x058ae132U, 0xa4f6eb75U,
wolfSSL 15:117db924cf7c 1226 0x0b83ec39U, 0x4060efaaU, 0x5e719f06U, 0xbd6e1051U,
wolfSSL 15:117db924cf7c 1227 0x3e218af9U, 0x96dd063dU, 0xdd3e05aeU, 0x4de6bd46U,
wolfSSL 15:117db924cf7c 1228 0x91548db5U, 0x71c45d05U, 0x0406d46fU, 0x605015ffU,
wolfSSL 15:117db924cf7c 1229 0x1998fb24U, 0xd6bde997U, 0x894043ccU, 0x67d99e77U,
wolfSSL 15:117db924cf7c 1230 0xb0e842bdU, 0x07898b88U, 0xe7195b38U, 0x79c8eedbU,
wolfSSL 15:117db924cf7c 1231 0xa17c0a47U, 0x7c420fe9U, 0xf8841ec9U, 0x00000000U,
wolfSSL 15:117db924cf7c 1232 0x09808683U, 0x322bed48U, 0x1e1170acU, 0x6c5a724eU,
wolfSSL 15:117db924cf7c 1233 0xfd0efffbU, 0x0f853856U, 0x3daed51eU, 0x362d3927U,
wolfSSL 15:117db924cf7c 1234 0x0a0fd964U, 0x685ca621U, 0x9b5b54d1U, 0x24362e3aU,
wolfSSL 15:117db924cf7c 1235 0x0c0a67b1U, 0x9357e70fU, 0xb4ee96d2U, 0x1b9b919eU,
wolfSSL 15:117db924cf7c 1236 0x80c0c54fU, 0x61dc20a2U, 0x5a774b69U, 0x1c121a16U,
wolfSSL 15:117db924cf7c 1237 0xe293ba0aU, 0xc0a02ae5U, 0x3c22e043U, 0x121b171dU,
wolfSSL 15:117db924cf7c 1238 0x0e090d0bU, 0xf28bc7adU, 0x2db6a8b9U, 0x141ea9c8U,
wolfSSL 15:117db924cf7c 1239 0x57f11985U, 0xaf75074cU, 0xee99ddbbU, 0xa37f60fdU,
wolfSSL 15:117db924cf7c 1240 0xf701269fU, 0x5c72f5bcU, 0x44663bc5U, 0x5bfb7e34U,
wolfSSL 15:117db924cf7c 1241 0x8b432976U, 0xcb23c6dcU, 0xb6edfc68U, 0xb8e4f163U,
wolfSSL 15:117db924cf7c 1242 0xd731dccaU, 0x42638510U, 0x13972240U, 0x84c61120U,
wolfSSL 15:117db924cf7c 1243 0x854a247dU, 0xd2bb3df8U, 0xaef93211U, 0xc729a16dU,
wolfSSL 15:117db924cf7c 1244 0x1d9e2f4bU, 0xdcb230f3U, 0x0d8652ecU, 0x77c1e3d0U,
wolfSSL 15:117db924cf7c 1245 0x2bb3166cU, 0xa970b999U, 0x119448faU, 0x47e96422U,
wolfSSL 15:117db924cf7c 1246 0xa8fc8cc4U, 0xa0f03f1aU, 0x567d2cd8U, 0x223390efU,
wolfSSL 15:117db924cf7c 1247 0x87494ec7U, 0xd938d1c1U, 0x8ccaa2feU, 0x98d40b36U,
wolfSSL 15:117db924cf7c 1248 0xa6f581cfU, 0xa57ade28U, 0xdab78e26U, 0x3fadbfa4U,
wolfSSL 15:117db924cf7c 1249 0x2c3a9de4U, 0x5078920dU, 0x6a5fcc9bU, 0x547e4662U,
wolfSSL 15:117db924cf7c 1250 0xf68d13c2U, 0x90d8b8e8U, 0x2e39f75eU, 0x82c3aff5U,
wolfSSL 15:117db924cf7c 1251 0x9f5d80beU, 0x69d0937cU, 0x6fd52da9U, 0xcf2512b3U,
wolfSSL 15:117db924cf7c 1252 0xc8ac993bU, 0x10187da7U, 0xe89c636eU, 0xdb3bbb7bU,
wolfSSL 15:117db924cf7c 1253 0xcd267809U, 0x6e5918f4U, 0xec9ab701U, 0x834f9aa8U,
wolfSSL 15:117db924cf7c 1254 0xe6956e65U, 0xaaffe67eU, 0x21bccf08U, 0xef15e8e6U,
wolfSSL 15:117db924cf7c 1255 0xbae79bd9U, 0x4a6f36ceU, 0xea9f09d4U, 0x29b07cd6U,
wolfSSL 15:117db924cf7c 1256 0x31a4b2afU, 0x2a3f2331U, 0xc6a59430U, 0x35a266c0U,
wolfSSL 15:117db924cf7c 1257 0x744ebc37U, 0xfc82caa6U, 0xe090d0b0U, 0x33a7d815U,
wolfSSL 15:117db924cf7c 1258 0xf104984aU, 0x41ecdaf7U, 0x7fcd500eU, 0x1791f62fU,
wolfSSL 15:117db924cf7c 1259 0x764dd68dU, 0x43efb04dU, 0xccaa4d54U, 0xe49604dfU,
wolfSSL 15:117db924cf7c 1260 0x9ed1b5e3U, 0x4c6a881bU, 0xc12c1fb8U, 0x4665517fU,
wolfSSL 15:117db924cf7c 1261 0x9d5eea04U, 0x018c355dU, 0xfa877473U, 0xfb0b412eU,
wolfSSL 15:117db924cf7c 1262 0xb3671d5aU, 0x92dbd252U, 0xe9105633U, 0x6dd64713U,
wolfSSL 15:117db924cf7c 1263 0x9ad7618cU, 0x37a10c7aU, 0x59f8148eU, 0xeb133c89U,
wolfSSL 15:117db924cf7c 1264 0xcea927eeU, 0xb761c935U, 0xe11ce5edU, 0x7a47b13cU,
wolfSSL 15:117db924cf7c 1265 0x9cd2df59U, 0x55f2733fU, 0x1814ce79U, 0x73c737bfU,
wolfSSL 15:117db924cf7c 1266 0x53f7cdeaU, 0x5ffdaa5bU, 0xdf3d6f14U, 0x7844db86U,
wolfSSL 15:117db924cf7c 1267 0xcaaff381U, 0xb968c43eU, 0x3824342cU, 0xc2a3405fU,
wolfSSL 15:117db924cf7c 1268 0x161dc372U, 0xbce2250cU, 0x283c498bU, 0xff0d9541U,
wolfSSL 15:117db924cf7c 1269 0x39a80171U, 0x080cb3deU, 0xd8b4e49cU, 0x6456c190U,
wolfSSL 15:117db924cf7c 1270 0x7bcb8461U, 0xd532b670U, 0x486c5c74U, 0xd0b85742U,
wolfSSL 15:117db924cf7c 1271 },
wolfSSL 15:117db924cf7c 1272 {
wolfSSL 15:117db924cf7c 1273 0x5051f4a7U, 0x537e4165U, 0xc31a17a4U, 0x963a275eU,
wolfSSL 15:117db924cf7c 1274 0xcb3bab6bU, 0xf11f9d45U, 0xabacfa58U, 0x934be303U,
wolfSSL 15:117db924cf7c 1275 0x552030faU, 0xf6ad766dU, 0x9188cc76U, 0x25f5024cU,
wolfSSL 15:117db924cf7c 1276 0xfc4fe5d7U, 0xd7c52acbU, 0x80263544U, 0x8fb562a3U,
wolfSSL 15:117db924cf7c 1277 0x49deb15aU, 0x6725ba1bU, 0x9845ea0eU, 0xe15dfec0U,
wolfSSL 15:117db924cf7c 1278 0x02c32f75U, 0x12814cf0U, 0xa38d4697U, 0xc66bd3f9U,
wolfSSL 15:117db924cf7c 1279 0xe7038f5fU, 0x9515929cU, 0xebbf6d7aU, 0xda955259U,
wolfSSL 15:117db924cf7c 1280 0x2dd4be83U, 0xd3587421U, 0x2949e069U, 0x448ec9c8U,
wolfSSL 15:117db924cf7c 1281 0x6a75c289U, 0x78f48e79U, 0x6b99583eU, 0xdd27b971U,
wolfSSL 15:117db924cf7c 1282 0xb6bee14fU, 0x17f088adU, 0x66c920acU, 0xb47dce3aU,
wolfSSL 15:117db924cf7c 1283 0x1863df4aU, 0x82e51a31U, 0x60975133U, 0x4562537fU,
wolfSSL 15:117db924cf7c 1284 0xe0b16477U, 0x84bb6baeU, 0x1cfe81a0U, 0x94f9082bU,
wolfSSL 15:117db924cf7c 1285 0x58704868U, 0x198f45fdU, 0x8794de6cU, 0xb7527bf8U,
wolfSSL 15:117db924cf7c 1286 0x23ab73d3U, 0xe2724b02U, 0x57e31f8fU, 0x2a6655abU,
wolfSSL 15:117db924cf7c 1287 0x07b2eb28U, 0x032fb5c2U, 0x9a86c57bU, 0xa5d33708U,
wolfSSL 15:117db924cf7c 1288 0xf2302887U, 0xb223bfa5U, 0xba02036aU, 0x5ced1682U,
wolfSSL 15:117db924cf7c 1289 0x2b8acf1cU, 0x92a779b4U, 0xf0f307f2U, 0xa14e69e2U,
wolfSSL 15:117db924cf7c 1290 0xcd65daf4U, 0xd50605beU, 0x1fd13462U, 0x8ac4a6feU,
wolfSSL 15:117db924cf7c 1291 0x9d342e53U, 0xa0a2f355U, 0x32058ae1U, 0x75a4f6ebU,
wolfSSL 15:117db924cf7c 1292 0x390b83ecU, 0xaa4060efU, 0x065e719fU, 0x51bd6e10U,
wolfSSL 15:117db924cf7c 1293 0xf93e218aU, 0x3d96dd06U, 0xaedd3e05U, 0x464de6bdU,
wolfSSL 15:117db924cf7c 1294 0xb591548dU, 0x0571c45dU, 0x6f0406d4U, 0xff605015U,
wolfSSL 15:117db924cf7c 1295 0x241998fbU, 0x97d6bde9U, 0xcc894043U, 0x7767d99eU,
wolfSSL 15:117db924cf7c 1296 0xbdb0e842U, 0x8807898bU, 0x38e7195bU, 0xdb79c8eeU,
wolfSSL 15:117db924cf7c 1297 0x47a17c0aU, 0xe97c420fU, 0xc9f8841eU, 0x00000000U,
wolfSSL 15:117db924cf7c 1298 0x83098086U, 0x48322bedU, 0xac1e1170U, 0x4e6c5a72U,
wolfSSL 15:117db924cf7c 1299 0xfbfd0effU, 0x560f8538U, 0x1e3daed5U, 0x27362d39U,
wolfSSL 15:117db924cf7c 1300 0x640a0fd9U, 0x21685ca6U, 0xd19b5b54U, 0x3a24362eU,
wolfSSL 15:117db924cf7c 1301 0xb10c0a67U, 0x0f9357e7U, 0xd2b4ee96U, 0x9e1b9b91U,
wolfSSL 15:117db924cf7c 1302 0x4f80c0c5U, 0xa261dc20U, 0x695a774bU, 0x161c121aU,
wolfSSL 15:117db924cf7c 1303 0x0ae293baU, 0xe5c0a02aU, 0x433c22e0U, 0x1d121b17U,
wolfSSL 15:117db924cf7c 1304 0x0b0e090dU, 0xadf28bc7U, 0xb92db6a8U, 0xc8141ea9U,
wolfSSL 15:117db924cf7c 1305 0x8557f119U, 0x4caf7507U, 0xbbee99ddU, 0xfda37f60U,
wolfSSL 15:117db924cf7c 1306 0x9ff70126U, 0xbc5c72f5U, 0xc544663bU, 0x345bfb7eU,
wolfSSL 15:117db924cf7c 1307 0x768b4329U, 0xdccb23c6U, 0x68b6edfcU, 0x63b8e4f1U,
wolfSSL 15:117db924cf7c 1308 0xcad731dcU, 0x10426385U, 0x40139722U, 0x2084c611U,
wolfSSL 15:117db924cf7c 1309 0x7d854a24U, 0xf8d2bb3dU, 0x11aef932U, 0x6dc729a1U,
wolfSSL 15:117db924cf7c 1310 0x4b1d9e2fU, 0xf3dcb230U, 0xec0d8652U, 0xd077c1e3U,
wolfSSL 15:117db924cf7c 1311 0x6c2bb316U, 0x99a970b9U, 0xfa119448U, 0x2247e964U,
wolfSSL 15:117db924cf7c 1312 0xc4a8fc8cU, 0x1aa0f03fU, 0xd8567d2cU, 0xef223390U,
wolfSSL 15:117db924cf7c 1313 0xc787494eU, 0xc1d938d1U, 0xfe8ccaa2U, 0x3698d40bU,
wolfSSL 15:117db924cf7c 1314 0xcfa6f581U, 0x28a57adeU, 0x26dab78eU, 0xa43fadbfU,
wolfSSL 15:117db924cf7c 1315 0xe42c3a9dU, 0x0d507892U, 0x9b6a5fccU, 0x62547e46U,
wolfSSL 15:117db924cf7c 1316 0xc2f68d13U, 0xe890d8b8U, 0x5e2e39f7U, 0xf582c3afU,
wolfSSL 15:117db924cf7c 1317 0xbe9f5d80U, 0x7c69d093U, 0xa96fd52dU, 0xb3cf2512U,
wolfSSL 15:117db924cf7c 1318 0x3bc8ac99U, 0xa710187dU, 0x6ee89c63U, 0x7bdb3bbbU,
wolfSSL 15:117db924cf7c 1319 0x09cd2678U, 0xf46e5918U, 0x01ec9ab7U, 0xa8834f9aU,
wolfSSL 15:117db924cf7c 1320 0x65e6956eU, 0x7eaaffe6U, 0x0821bccfU, 0xe6ef15e8U,
wolfSSL 15:117db924cf7c 1321 0xd9bae79bU, 0xce4a6f36U, 0xd4ea9f09U, 0xd629b07cU,
wolfSSL 15:117db924cf7c 1322 0xaf31a4b2U, 0x312a3f23U, 0x30c6a594U, 0xc035a266U,
wolfSSL 15:117db924cf7c 1323 0x37744ebcU, 0xa6fc82caU, 0xb0e090d0U, 0x1533a7d8U,
wolfSSL 15:117db924cf7c 1324 0x4af10498U, 0xf741ecdaU, 0x0e7fcd50U, 0x2f1791f6U,
wolfSSL 15:117db924cf7c 1325 0x8d764dd6U, 0x4d43efb0U, 0x54ccaa4dU, 0xdfe49604U,
wolfSSL 15:117db924cf7c 1326 0xe39ed1b5U, 0x1b4c6a88U, 0xb8c12c1fU, 0x7f466551U,
wolfSSL 15:117db924cf7c 1327 0x049d5eeaU, 0x5d018c35U, 0x73fa8774U, 0x2efb0b41U,
wolfSSL 15:117db924cf7c 1328 0x5ab3671dU, 0x5292dbd2U, 0x33e91056U, 0x136dd647U,
wolfSSL 15:117db924cf7c 1329 0x8c9ad761U, 0x7a37a10cU, 0x8e59f814U, 0x89eb133cU,
wolfSSL 15:117db924cf7c 1330 0xeecea927U, 0x35b761c9U, 0xede11ce5U, 0x3c7a47b1U,
wolfSSL 15:117db924cf7c 1331 0x599cd2dfU, 0x3f55f273U, 0x791814ceU, 0xbf73c737U,
wolfSSL 15:117db924cf7c 1332 0xea53f7cdU, 0x5b5ffdaaU, 0x14df3d6fU, 0x867844dbU,
wolfSSL 15:117db924cf7c 1333 0x81caaff3U, 0x3eb968c4U, 0x2c382434U, 0x5fc2a340U,
wolfSSL 15:117db924cf7c 1334 0x72161dc3U, 0x0cbce225U, 0x8b283c49U, 0x41ff0d95U,
wolfSSL 15:117db924cf7c 1335 0x7139a801U, 0xde080cb3U, 0x9cd8b4e4U, 0x906456c1U,
wolfSSL 15:117db924cf7c 1336 0x617bcb84U, 0x70d532b6U, 0x74486c5cU, 0x42d0b857U,
wolfSSL 15:117db924cf7c 1337 },
wolfSSL 15:117db924cf7c 1338 {
wolfSSL 15:117db924cf7c 1339 0xa75051f4U, 0x65537e41U, 0xa4c31a17U, 0x5e963a27U,
wolfSSL 15:117db924cf7c 1340 0x6bcb3babU, 0x45f11f9dU, 0x58abacfaU, 0x03934be3U,
wolfSSL 15:117db924cf7c 1341 0xfa552030U, 0x6df6ad76U, 0x769188ccU, 0x4c25f502U,
wolfSSL 15:117db924cf7c 1342 0xd7fc4fe5U, 0xcbd7c52aU, 0x44802635U, 0xa38fb562U,
wolfSSL 15:117db924cf7c 1343 0x5a49deb1U, 0x1b6725baU, 0x0e9845eaU, 0xc0e15dfeU,
wolfSSL 15:117db924cf7c 1344 0x7502c32fU, 0xf012814cU, 0x97a38d46U, 0xf9c66bd3U,
wolfSSL 15:117db924cf7c 1345 0x5fe7038fU, 0x9c951592U, 0x7aebbf6dU, 0x59da9552U,
wolfSSL 15:117db924cf7c 1346 0x832dd4beU, 0x21d35874U, 0x692949e0U, 0xc8448ec9U,
wolfSSL 15:117db924cf7c 1347 0x896a75c2U, 0x7978f48eU, 0x3e6b9958U, 0x71dd27b9U,
wolfSSL 15:117db924cf7c 1348 0x4fb6bee1U, 0xad17f088U, 0xac66c920U, 0x3ab47dceU,
wolfSSL 15:117db924cf7c 1349 0x4a1863dfU, 0x3182e51aU, 0x33609751U, 0x7f456253U,
wolfSSL 15:117db924cf7c 1350 0x77e0b164U, 0xae84bb6bU, 0xa01cfe81U, 0x2b94f908U,
wolfSSL 15:117db924cf7c 1351 0x68587048U, 0xfd198f45U, 0x6c8794deU, 0xf8b7527bU,
wolfSSL 15:117db924cf7c 1352 0xd323ab73U, 0x02e2724bU, 0x8f57e31fU, 0xab2a6655U,
wolfSSL 15:117db924cf7c 1353 0x2807b2ebU, 0xc2032fb5U, 0x7b9a86c5U, 0x08a5d337U,
wolfSSL 15:117db924cf7c 1354 0x87f23028U, 0xa5b223bfU, 0x6aba0203U, 0x825ced16U,
wolfSSL 15:117db924cf7c 1355 0x1c2b8acfU, 0xb492a779U, 0xf2f0f307U, 0xe2a14e69U,
wolfSSL 15:117db924cf7c 1356 0xf4cd65daU, 0xbed50605U, 0x621fd134U, 0xfe8ac4a6U,
wolfSSL 15:117db924cf7c 1357 0x539d342eU, 0x55a0a2f3U, 0xe132058aU, 0xeb75a4f6U,
wolfSSL 15:117db924cf7c 1358 0xec390b83U, 0xefaa4060U, 0x9f065e71U, 0x1051bd6eU,
wolfSSL 15:117db924cf7c 1359
wolfSSL 15:117db924cf7c 1360 0x8af93e21U, 0x063d96ddU, 0x05aedd3eU, 0xbd464de6U,
wolfSSL 15:117db924cf7c 1361 0x8db59154U, 0x5d0571c4U, 0xd46f0406U, 0x15ff6050U,
wolfSSL 15:117db924cf7c 1362 0xfb241998U, 0xe997d6bdU, 0x43cc8940U, 0x9e7767d9U,
wolfSSL 15:117db924cf7c 1363 0x42bdb0e8U, 0x8b880789U, 0x5b38e719U, 0xeedb79c8U,
wolfSSL 15:117db924cf7c 1364 0x0a47a17cU, 0x0fe97c42U, 0x1ec9f884U, 0x00000000U,
wolfSSL 15:117db924cf7c 1365 0x86830980U, 0xed48322bU, 0x70ac1e11U, 0x724e6c5aU,
wolfSSL 15:117db924cf7c 1366 0xfffbfd0eU, 0x38560f85U, 0xd51e3daeU, 0x3927362dU,
wolfSSL 15:117db924cf7c 1367 0xd9640a0fU, 0xa621685cU, 0x54d19b5bU, 0x2e3a2436U,
wolfSSL 15:117db924cf7c 1368 0x67b10c0aU, 0xe70f9357U, 0x96d2b4eeU, 0x919e1b9bU,
wolfSSL 15:117db924cf7c 1369 0xc54f80c0U, 0x20a261dcU, 0x4b695a77U, 0x1a161c12U,
wolfSSL 15:117db924cf7c 1370 0xba0ae293U, 0x2ae5c0a0U, 0xe0433c22U, 0x171d121bU,
wolfSSL 15:117db924cf7c 1371 0x0d0b0e09U, 0xc7adf28bU, 0xa8b92db6U, 0xa9c8141eU,
wolfSSL 15:117db924cf7c 1372 0x198557f1U, 0x074caf75U, 0xddbbee99U, 0x60fda37fU,
wolfSSL 15:117db924cf7c 1373 0x269ff701U, 0xf5bc5c72U, 0x3bc54466U, 0x7e345bfbU,
wolfSSL 15:117db924cf7c 1374 0x29768b43U, 0xc6dccb23U, 0xfc68b6edU, 0xf163b8e4U,
wolfSSL 15:117db924cf7c 1375 0xdccad731U, 0x85104263U, 0x22401397U, 0x112084c6U,
wolfSSL 15:117db924cf7c 1376 0x247d854aU, 0x3df8d2bbU, 0x3211aef9U, 0xa16dc729U,
wolfSSL 15:117db924cf7c 1377 0x2f4b1d9eU, 0x30f3dcb2U, 0x52ec0d86U, 0xe3d077c1U,
wolfSSL 15:117db924cf7c 1378 0x166c2bb3U, 0xb999a970U, 0x48fa1194U, 0x642247e9U,
wolfSSL 15:117db924cf7c 1379 0x8cc4a8fcU, 0x3f1aa0f0U, 0x2cd8567dU, 0x90ef2233U,
wolfSSL 15:117db924cf7c 1380 0x4ec78749U, 0xd1c1d938U, 0xa2fe8ccaU, 0x0b3698d4U,
wolfSSL 15:117db924cf7c 1381 0x81cfa6f5U, 0xde28a57aU, 0x8e26dab7U, 0xbfa43fadU,
wolfSSL 15:117db924cf7c 1382 0x9de42c3aU, 0x920d5078U, 0xcc9b6a5fU, 0x4662547eU,
wolfSSL 15:117db924cf7c 1383 0x13c2f68dU, 0xb8e890d8U, 0xf75e2e39U, 0xaff582c3U,
wolfSSL 15:117db924cf7c 1384 0x80be9f5dU, 0x937c69d0U, 0x2da96fd5U, 0x12b3cf25U,
wolfSSL 15:117db924cf7c 1385 0x993bc8acU, 0x7da71018U, 0x636ee89cU, 0xbb7bdb3bU,
wolfSSL 15:117db924cf7c 1386 0x7809cd26U, 0x18f46e59U, 0xb701ec9aU, 0x9aa8834fU,
wolfSSL 15:117db924cf7c 1387 0x6e65e695U, 0xe67eaaffU, 0xcf0821bcU, 0xe8e6ef15U,
wolfSSL 15:117db924cf7c 1388 0x9bd9bae7U, 0x36ce4a6fU, 0x09d4ea9fU, 0x7cd629b0U,
wolfSSL 15:117db924cf7c 1389 0xb2af31a4U, 0x23312a3fU, 0x9430c6a5U, 0x66c035a2U,
wolfSSL 15:117db924cf7c 1390 0xbc37744eU, 0xcaa6fc82U, 0xd0b0e090U, 0xd81533a7U,
wolfSSL 15:117db924cf7c 1391 0x984af104U, 0xdaf741ecU, 0x500e7fcdU, 0xf62f1791U,
wolfSSL 15:117db924cf7c 1392 0xd68d764dU, 0xb04d43efU, 0x4d54ccaaU, 0x04dfe496U,
wolfSSL 15:117db924cf7c 1393 0xb5e39ed1U, 0x881b4c6aU, 0x1fb8c12cU, 0x517f4665U,
wolfSSL 15:117db924cf7c 1394 0xea049d5eU, 0x355d018cU, 0x7473fa87U, 0x412efb0bU,
wolfSSL 15:117db924cf7c 1395 0x1d5ab367U, 0xd25292dbU, 0x5633e910U, 0x47136dd6U,
wolfSSL 15:117db924cf7c 1396 0x618c9ad7U, 0x0c7a37a1U, 0x148e59f8U, 0x3c89eb13U,
wolfSSL 15:117db924cf7c 1397 0x27eecea9U, 0xc935b761U, 0xe5ede11cU, 0xb13c7a47U,
wolfSSL 15:117db924cf7c 1398 0xdf599cd2U, 0x733f55f2U, 0xce791814U, 0x37bf73c7U,
wolfSSL 15:117db924cf7c 1399 0xcdea53f7U, 0xaa5b5ffdU, 0x6f14df3dU, 0xdb867844U,
wolfSSL 15:117db924cf7c 1400 0xf381caafU, 0xc43eb968U, 0x342c3824U, 0x405fc2a3U,
wolfSSL 15:117db924cf7c 1401 0xc372161dU, 0x250cbce2U, 0x498b283cU, 0x9541ff0dU,
wolfSSL 15:117db924cf7c 1402 0x017139a8U, 0xb3de080cU, 0xe49cd8b4U, 0xc1906456U,
wolfSSL 15:117db924cf7c 1403 0x84617bcbU, 0xb670d532U, 0x5c74486cU, 0x5742d0b8U,
wolfSSL 15:117db924cf7c 1404 },
wolfSSL 15:117db924cf7c 1405 {
wolfSSL 15:117db924cf7c 1406 0xf4a75051U, 0x4165537eU, 0x17a4c31aU, 0x275e963aU,
wolfSSL 15:117db924cf7c 1407 0xab6bcb3bU, 0x9d45f11fU, 0xfa58abacU, 0xe303934bU,
wolfSSL 15:117db924cf7c 1408 0x30fa5520U, 0x766df6adU, 0xcc769188U, 0x024c25f5U,
wolfSSL 15:117db924cf7c 1409 0xe5d7fc4fU, 0x2acbd7c5U, 0x35448026U, 0x62a38fb5U,
wolfSSL 15:117db924cf7c 1410 0xb15a49deU, 0xba1b6725U, 0xea0e9845U, 0xfec0e15dU,
wolfSSL 15:117db924cf7c 1411 0x2f7502c3U, 0x4cf01281U, 0x4697a38dU, 0xd3f9c66bU,
wolfSSL 15:117db924cf7c 1412 0x8f5fe703U, 0x929c9515U, 0x6d7aebbfU, 0x5259da95U,
wolfSSL 15:117db924cf7c 1413 0xbe832dd4U, 0x7421d358U, 0xe0692949U, 0xc9c8448eU,
wolfSSL 15:117db924cf7c 1414 0xc2896a75U, 0x8e7978f4U, 0x583e6b99U, 0xb971dd27U,
wolfSSL 15:117db924cf7c 1415 0xe14fb6beU, 0x88ad17f0U, 0x20ac66c9U, 0xce3ab47dU,
wolfSSL 15:117db924cf7c 1416 0xdf4a1863U, 0x1a3182e5U, 0x51336097U, 0x537f4562U,
wolfSSL 15:117db924cf7c 1417 0x6477e0b1U, 0x6bae84bbU, 0x81a01cfeU, 0x082b94f9U,
wolfSSL 15:117db924cf7c 1418 0x48685870U, 0x45fd198fU, 0xde6c8794U, 0x7bf8b752U,
wolfSSL 15:117db924cf7c 1419 0x73d323abU, 0x4b02e272U, 0x1f8f57e3U, 0x55ab2a66U,
wolfSSL 15:117db924cf7c 1420 0xeb2807b2U, 0xb5c2032fU, 0xc57b9a86U, 0x3708a5d3U,
wolfSSL 15:117db924cf7c 1421 0x2887f230U, 0xbfa5b223U, 0x036aba02U, 0x16825cedU,
wolfSSL 15:117db924cf7c 1422 0xcf1c2b8aU, 0x79b492a7U, 0x07f2f0f3U, 0x69e2a14eU,
wolfSSL 15:117db924cf7c 1423 0xdaf4cd65U, 0x05bed506U, 0x34621fd1U, 0xa6fe8ac4U,
wolfSSL 15:117db924cf7c 1424 0x2e539d34U, 0xf355a0a2U, 0x8ae13205U, 0xf6eb75a4U,
wolfSSL 15:117db924cf7c 1425 0x83ec390bU, 0x60efaa40U, 0x719f065eU, 0x6e1051bdU,
wolfSSL 15:117db924cf7c 1426 0x218af93eU, 0xdd063d96U, 0x3e05aeddU, 0xe6bd464dU,
wolfSSL 15:117db924cf7c 1427 0x548db591U, 0xc45d0571U, 0x06d46f04U, 0x5015ff60U,
wolfSSL 15:117db924cf7c 1428 0x98fb2419U, 0xbde997d6U, 0x4043cc89U, 0xd99e7767U,
wolfSSL 15:117db924cf7c 1429 0xe842bdb0U, 0x898b8807U, 0x195b38e7U, 0xc8eedb79U,
wolfSSL 15:117db924cf7c 1430 0x7c0a47a1U, 0x420fe97cU, 0x841ec9f8U, 0x00000000U,
wolfSSL 15:117db924cf7c 1431 0x80868309U, 0x2bed4832U, 0x1170ac1eU, 0x5a724e6cU,
wolfSSL 15:117db924cf7c 1432 0x0efffbfdU, 0x8538560fU, 0xaed51e3dU, 0x2d392736U,
wolfSSL 15:117db924cf7c 1433 0x0fd9640aU, 0x5ca62168U, 0x5b54d19bU, 0x362e3a24U,
wolfSSL 15:117db924cf7c 1434 0x0a67b10cU, 0x57e70f93U, 0xee96d2b4U, 0x9b919e1bU,
wolfSSL 15:117db924cf7c 1435 0xc0c54f80U, 0xdc20a261U, 0x774b695aU, 0x121a161cU,
wolfSSL 15:117db924cf7c 1436 0x93ba0ae2U, 0xa02ae5c0U, 0x22e0433cU, 0x1b171d12U,
wolfSSL 15:117db924cf7c 1437 0x090d0b0eU, 0x8bc7adf2U, 0xb6a8b92dU, 0x1ea9c814U,
wolfSSL 15:117db924cf7c 1438 0xf1198557U, 0x75074cafU, 0x99ddbbeeU, 0x7f60fda3U,
wolfSSL 15:117db924cf7c 1439 0x01269ff7U, 0x72f5bc5cU, 0x663bc544U, 0xfb7e345bU,
wolfSSL 15:117db924cf7c 1440 0x4329768bU, 0x23c6dccbU, 0xedfc68b6U, 0xe4f163b8U,
wolfSSL 15:117db924cf7c 1441 0x31dccad7U, 0x63851042U, 0x97224013U, 0xc6112084U,
wolfSSL 15:117db924cf7c 1442 0x4a247d85U, 0xbb3df8d2U, 0xf93211aeU, 0x29a16dc7U,
wolfSSL 15:117db924cf7c 1443 0x9e2f4b1dU, 0xb230f3dcU, 0x8652ec0dU, 0xc1e3d077U,
wolfSSL 15:117db924cf7c 1444 0xb3166c2bU, 0x70b999a9U, 0x9448fa11U, 0xe9642247U,
wolfSSL 15:117db924cf7c 1445 0xfc8cc4a8U, 0xf03f1aa0U, 0x7d2cd856U, 0x3390ef22U,
wolfSSL 15:117db924cf7c 1446 0x494ec787U, 0x38d1c1d9U, 0xcaa2fe8cU, 0xd40b3698U,
wolfSSL 15:117db924cf7c 1447 0xf581cfa6U, 0x7ade28a5U, 0xb78e26daU, 0xadbfa43fU,
wolfSSL 15:117db924cf7c 1448 0x3a9de42cU, 0x78920d50U, 0x5fcc9b6aU, 0x7e466254U,
wolfSSL 15:117db924cf7c 1449 0x8d13c2f6U, 0xd8b8e890U, 0x39f75e2eU, 0xc3aff582U,
wolfSSL 15:117db924cf7c 1450 0x5d80be9fU, 0xd0937c69U, 0xd52da96fU, 0x2512b3cfU,
wolfSSL 15:117db924cf7c 1451 0xac993bc8U, 0x187da710U, 0x9c636ee8U, 0x3bbb7bdbU,
wolfSSL 15:117db924cf7c 1452 0x267809cdU, 0x5918f46eU, 0x9ab701ecU, 0x4f9aa883U,
wolfSSL 15:117db924cf7c 1453 0x956e65e6U, 0xffe67eaaU, 0xbccf0821U, 0x15e8e6efU,
wolfSSL 15:117db924cf7c 1454 0xe79bd9baU, 0x6f36ce4aU, 0x9f09d4eaU, 0xb07cd629U,
wolfSSL 15:117db924cf7c 1455 0xa4b2af31U, 0x3f23312aU, 0xa59430c6U, 0xa266c035U,
wolfSSL 15:117db924cf7c 1456 0x4ebc3774U, 0x82caa6fcU, 0x90d0b0e0U, 0xa7d81533U,
wolfSSL 15:117db924cf7c 1457 0x04984af1U, 0xecdaf741U, 0xcd500e7fU, 0x91f62f17U,
wolfSSL 15:117db924cf7c 1458 0x4dd68d76U, 0xefb04d43U, 0xaa4d54ccU, 0x9604dfe4U,
wolfSSL 15:117db924cf7c 1459 0xd1b5e39eU, 0x6a881b4cU, 0x2c1fb8c1U, 0x65517f46U,
wolfSSL 15:117db924cf7c 1460 0x5eea049dU, 0x8c355d01U, 0x877473faU, 0x0b412efbU,
wolfSSL 15:117db924cf7c 1461 0x671d5ab3U, 0xdbd25292U, 0x105633e9U, 0xd647136dU,
wolfSSL 15:117db924cf7c 1462 0xd7618c9aU, 0xa10c7a37U, 0xf8148e59U, 0x133c89ebU,
wolfSSL 15:117db924cf7c 1463 0xa927eeceU, 0x61c935b7U, 0x1ce5ede1U, 0x47b13c7aU,
wolfSSL 15:117db924cf7c 1464 0xd2df599cU, 0xf2733f55U, 0x14ce7918U, 0xc737bf73U,
wolfSSL 15:117db924cf7c 1465 0xf7cdea53U, 0xfdaa5b5fU, 0x3d6f14dfU, 0x44db8678U,
wolfSSL 15:117db924cf7c 1466 0xaff381caU, 0x68c43eb9U, 0x24342c38U, 0xa3405fc2U,
wolfSSL 15:117db924cf7c 1467 0x1dc37216U, 0xe2250cbcU, 0x3c498b28U, 0x0d9541ffU,
wolfSSL 15:117db924cf7c 1468 0xa8017139U, 0x0cb3de08U, 0xb4e49cd8U, 0x56c19064U,
wolfSSL 15:117db924cf7c 1469 0xcb84617bU, 0x32b670d5U, 0x6c5c7448U, 0xb85742d0U,
wolfSSL 15:117db924cf7c 1470 }
wolfSSL 15:117db924cf7c 1471 };
wolfSSL 16:8e0d178b1d1e 1472 #endif /* HAVE_AES_DECRYPT */
wolfSSL 16:8e0d178b1d1e 1473 #endif
wolfSSL 16:8e0d178b1d1e 1474
wolfSSL 16:8e0d178b1d1e 1475 #ifdef HAVE_AES_DECRYPT
wolfSSL 16:8e0d178b1d1e 1476 #if (defined(HAVE_AES_CBC) && !defined(WOLFSSL_DEVCRYPTO_CBC)) \
wolfSSL 16:8e0d178b1d1e 1477 || defined(WOLFSSL_AES_DIRECT)
/*
 * Td4: 256-entry byte table holding the AES inverse S-box (InvSubBytes).
 * Compiled only when HAVE_AES_DECRYPT is defined and either HAVE_AES_CBC is
 * defined without WOLFSSL_DEVCRYPTO_CBC, or WOLFSSL_AES_DIRECT is defined.
 *
 * NOTE(review): presumably used for the last decryption round, which has no
 * InvMixColumns step - the code that reads it is outside this excerpt.
 * Lookups indexed by secret state bytes carry the same cache-timing concern
 * as the word tables. At 256 bytes the table still spans several cache lines
 * on common hardware, so its small size narrows the leak but does not remove
 * it.
 */
wolfSSL 15:117db924cf7c 1478 static const byte Td4[256] =
wolfSSL 15:117db924cf7c 1479 {
wolfSSL 15:117db924cf7c 1480 0x52U, 0x09U, 0x6aU, 0xd5U, 0x30U, 0x36U, 0xa5U, 0x38U,
wolfSSL 15:117db924cf7c 1481 0xbfU, 0x40U, 0xa3U, 0x9eU, 0x81U, 0xf3U, 0xd7U, 0xfbU,
wolfSSL 15:117db924cf7c 1482 0x7cU, 0xe3U, 0x39U, 0x82U, 0x9bU, 0x2fU, 0xffU, 0x87U,
wolfSSL 15:117db924cf7c 1483 0x34U, 0x8eU, 0x43U, 0x44U, 0xc4U, 0xdeU, 0xe9U, 0xcbU,
wolfSSL 15:117db924cf7c 1484 0x54U, 0x7bU, 0x94U, 0x32U, 0xa6U, 0xc2U, 0x23U, 0x3dU,
wolfSSL 15:117db924cf7c 1485 0xeeU, 0x4cU, 0x95U, 0x0bU, 0x42U, 0xfaU, 0xc3U, 0x4eU,
wolfSSL 15:117db924cf7c 1486 0x08U, 0x2eU, 0xa1U, 0x66U, 0x28U, 0xd9U, 0x24U, 0xb2U,
wolfSSL 15:117db924cf7c 1487 0x76U, 0x5bU, 0xa2U, 0x49U, 0x6dU, 0x8bU, 0xd1U, 0x25U,
wolfSSL 15:117db924cf7c 1488 0x72U, 0xf8U, 0xf6U, 0x64U, 0x86U, 0x68U, 0x98U, 0x16U,
wolfSSL 15:117db924cf7c 1489 0xd4U, 0xa4U, 0x5cU, 0xccU, 0x5dU, 0x65U, 0xb6U, 0x92U,
wolfSSL 15:117db924cf7c 1490 0x6cU, 0x70U, 0x48U, 0x50U, 0xfdU, 0xedU, 0xb9U, 0xdaU,
wolfSSL 15:117db924cf7c 1491 0x5eU, 0x15U, 0x46U, 0x57U, 0xa7U, 0x8dU, 0x9dU, 0x84U,
wolfSSL 15:117db924cf7c 1492 0x90U, 0xd8U, 0xabU, 0x00U, 0x8cU, 0xbcU, 0xd3U, 0x0aU,
wolfSSL 15:117db924cf7c 1493 0xf7U, 0xe4U, 0x58U, 0x05U, 0xb8U, 0xb3U, 0x45U, 0x06U,
wolfSSL 15:117db924cf7c 1494 0xd0U, 0x2cU, 0x1eU, 0x8fU, 0xcaU, 0x3fU, 0x0fU, 0x02U,
wolfSSL 15:117db924cf7c 1495 0xc1U, 0xafU, 0xbdU, 0x03U, 0x01U, 0x13U, 0x8aU, 0x6bU,
wolfSSL 15:117db924cf7c 1496 0x3aU, 0x91U, 0x11U, 0x41U, 0x4fU, 0x67U, 0xdcU, 0xeaU,
wolfSSL 15:117db924cf7c 1497 0x97U, 0xf2U, 0xcfU, 0xceU, 0xf0U, 0xb4U, 0xe6U, 0x73U,
wolfSSL 15:117db924cf7c 1498 0x96U, 0xacU, 0x74U, 0x22U, 0xe7U, 0xadU, 0x35U, 0x85U,
wolfSSL 15:117db924cf7c 1499 0xe2U, 0xf9U, 0x37U, 0xe8U, 0x1cU, 0x75U, 0xdfU, 0x6eU,
wolfSSL 15:117db924cf7c 1500 0x47U, 0xf1U, 0x1aU, 0x71U, 0x1dU, 0x29U, 0xc5U, 0x89U,
wolfSSL 15:117db924cf7c 1501 0x6fU, 0xb7U, 0x62U, 0x0eU, 0xaaU, 0x18U, 0xbeU, 0x1bU,
wolfSSL 15:117db924cf7c 1502 0xfcU, 0x56U, 0x3eU, 0x4bU, 0xc6U, 0xd2U, 0x79U, 0x20U,
wolfSSL 15:117db924cf7c 1503 0x9aU, 0xdbU, 0xc0U, 0xfeU, 0x78U, 0xcdU, 0x5aU, 0xf4U,
wolfSSL 15:117db924cf7c 1504 0x1fU, 0xddU, 0xa8U, 0x33U, 0x88U, 0x07U, 0xc7U, 0x31U,
wolfSSL 15:117db924cf7c 1505 0xb1U, 0x12U, 0x10U, 0x59U, 0x27U, 0x80U, 0xecU, 0x5fU,
wolfSSL 15:117db924cf7c 1506 0x60U, 0x51U, 0x7fU, 0xa9U, 0x19U, 0xb5U, 0x4aU, 0x0dU,
wolfSSL 15:117db924cf7c 1507 0x2dU, 0xe5U, 0x7aU, 0x9fU, 0x93U, 0xc9U, 0x9cU, 0xefU,
wolfSSL 15:117db924cf7c 1508 0xa0U, 0xe0U, 0x3bU, 0x4dU, 0xaeU, 0x2aU, 0xf5U, 0xb0U,
wolfSSL 15:117db924cf7c 1509 0xc8U, 0xebU, 0xbbU, 0x3cU, 0x83U, 0x53U, 0x99U, 0x61U,
wolfSSL 15:117db924cf7c 1510 0x17U, 0x2bU, 0x04U, 0x7eU, 0xbaU, 0x77U, 0xd6U, 0x26U,
wolfSSL 15:117db924cf7c 1511 0xe1U, 0x69U, 0x14U, 0x63U, 0x55U, 0x21U, 0x0cU, 0x7dU,
wolfSSL 15:117db924cf7c 1512 };
wolfSSL 16:8e0d178b1d1e 1513 #endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT */
wolfSSL 15:117db924cf7c 1514 #endif /* HAVE_AES_DECRYPT */
wolfSSL 15:117db924cf7c 1515
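/*
 * GETBYTE(x, y): byte number y of x, counted from the least significant byte
 * (y == 0), widened to word32. The shift count is 8 * y, so y must keep it
 * below the bit width of x. Each argument is expanded exactly once.
 *
 * The whole expansion is parenthesised so the leading cast cannot be split
 * from its operand by an adjacent operator such as sizeof or a postfix
 * expression.
 */
#define GETBYTE(x, y) ((word32)((byte)((x) >> (8 * (y)))))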
wolfSSL 15:117db924cf7c 1517
wolfSSL 16:8e0d178b1d1e 1518 #ifdef WOLFSSL_AES_SMALL_TABLES
/* AES forward S-box, used by the WOLFSSL_AES_SMALL_TABLES software rounds.
 * The rounds index this table with bytes of the cipher state, so the address
 * that is read depends on secret data; PreFetchSBox() is called before the
 * rounds to pull the table into cache first. That narrows the cache-timing
 * signal, it does not remove it. */
wolfSSL 16:8e0d178b1d1e 1519 static const byte Tsbox[256] = {
wolfSSL 16:8e0d178b1d1e 1520 0x63U, 0x7cU, 0x77U, 0x7bU, 0xf2U, 0x6bU, 0x6fU, 0xc5U,
wolfSSL 16:8e0d178b1d1e 1521 0x30U, 0x01U, 0x67U, 0x2bU, 0xfeU, 0xd7U, 0xabU, 0x76U,
wolfSSL 16:8e0d178b1d1e 1522 0xcaU, 0x82U, 0xc9U, 0x7dU, 0xfaU, 0x59U, 0x47U, 0xf0U,
wolfSSL 16:8e0d178b1d1e 1523 0xadU, 0xd4U, 0xa2U, 0xafU, 0x9cU, 0xa4U, 0x72U, 0xc0U,
wolfSSL 16:8e0d178b1d1e 1524 0xb7U, 0xfdU, 0x93U, 0x26U, 0x36U, 0x3fU, 0xf7U, 0xccU,
wolfSSL 16:8e0d178b1d1e 1525 0x34U, 0xa5U, 0xe5U, 0xf1U, 0x71U, 0xd8U, 0x31U, 0x15U,
wolfSSL 16:8e0d178b1d1e 1526 0x04U, 0xc7U, 0x23U, 0xc3U, 0x18U, 0x96U, 0x05U, 0x9aU,
wolfSSL 16:8e0d178b1d1e 1527 0x07U, 0x12U, 0x80U, 0xe2U, 0xebU, 0x27U, 0xb2U, 0x75U,
wolfSSL 16:8e0d178b1d1e 1528 0x09U, 0x83U, 0x2cU, 0x1aU, 0x1bU, 0x6eU, 0x5aU, 0xa0U,
wolfSSL 16:8e0d178b1d1e 1529 0x52U, 0x3bU, 0xd6U, 0xb3U, 0x29U, 0xe3U, 0x2fU, 0x84U,
wolfSSL 16:8e0d178b1d1e 1530 0x53U, 0xd1U, 0x00U, 0xedU, 0x20U, 0xfcU, 0xb1U, 0x5bU,
wolfSSL 16:8e0d178b1d1e 1531 0x6aU, 0xcbU, 0xbeU, 0x39U, 0x4aU, 0x4cU, 0x58U, 0xcfU,
wolfSSL 16:8e0d178b1d1e 1532 0xd0U, 0xefU, 0xaaU, 0xfbU, 0x43U, 0x4dU, 0x33U, 0x85U,
wolfSSL 16:8e0d178b1d1e 1533 0x45U, 0xf9U, 0x02U, 0x7fU, 0x50U, 0x3cU, 0x9fU, 0xa8U,
wolfSSL 16:8e0d178b1d1e 1534 0x51U, 0xa3U, 0x40U, 0x8fU, 0x92U, 0x9dU, 0x38U, 0xf5U,
wolfSSL 16:8e0d178b1d1e 1535 0xbcU, 0xb6U, 0xdaU, 0x21U, 0x10U, 0xffU, 0xf3U, 0xd2U,
wolfSSL 16:8e0d178b1d1e 1536 0xcdU, 0x0cU, 0x13U, 0xecU, 0x5fU, 0x97U, 0x44U, 0x17U,
wolfSSL 16:8e0d178b1d1e 1537 0xc4U, 0xa7U, 0x7eU, 0x3dU, 0x64U, 0x5dU, 0x19U, 0x73U,
wolfSSL 16:8e0d178b1d1e 1538 0x60U, 0x81U, 0x4fU, 0xdcU, 0x22U, 0x2aU, 0x90U, 0x88U,
wolfSSL 16:8e0d178b1d1e 1539 0x46U, 0xeeU, 0xb8U, 0x14U, 0xdeU, 0x5eU, 0x0bU, 0xdbU,
wolfSSL 16:8e0d178b1d1e 1540 0xe0U, 0x32U, 0x3aU, 0x0aU, 0x49U, 0x06U, 0x24U, 0x5cU,
wolfSSL 16:8e0d178b1d1e 1541 0xc2U, 0xd3U, 0xacU, 0x62U, 0x91U, 0x95U, 0xe4U, 0x79U,
wolfSSL 16:8e0d178b1d1e 1542 0xe7U, 0xc8U, 0x37U, 0x6dU, 0x8dU, 0xd5U, 0x4eU, 0xa9U,
wolfSSL 16:8e0d178b1d1e 1543 0x6cU, 0x56U, 0xf4U, 0xeaU, 0x65U, 0x7aU, 0xaeU, 0x08U,
wolfSSL 16:8e0d178b1d1e 1544 0xbaU, 0x78U, 0x25U, 0x2eU, 0x1cU, 0xa6U, 0xb4U, 0xc6U,
wolfSSL 16:8e0d178b1d1e 1545 0xe8U, 0xddU, 0x74U, 0x1fU, 0x4bU, 0xbdU, 0x8bU, 0x8aU,
wolfSSL 16:8e0d178b1d1e 1546 0x70U, 0x3eU, 0xb5U, 0x66U, 0x48U, 0x03U, 0xf6U, 0x0eU,
wolfSSL 16:8e0d178b1d1e 1547 0x61U, 0x35U, 0x57U, 0xb9U, 0x86U, 0xc1U, 0x1dU, 0x9eU,
wolfSSL 16:8e0d178b1d1e 1548 0xe1U, 0xf8U, 0x98U, 0x11U, 0x69U, 0xd9U, 0x8eU, 0x94U,
wolfSSL 16:8e0d178b1d1e 1549 0x9bU, 0x1eU, 0x87U, 0xe9U, 0xceU, 0x55U, 0x28U, 0xdfU,
wolfSSL 16:8e0d178b1d1e 1550 0x8cU, 0xa1U, 0x89U, 0x0dU, 0xbfU, 0xe6U, 0x42U, 0x68U,
wolfSSL 16:8e0d178b1d1e 1551 0x41U, 0x99U, 0x2dU, 0x0fU, 0xb0U, 0x54U, 0xbbU, 0x16U
wolfSSL 16:8e0d178b1d1e 1552 };
wolfSSL 16:8e0d178b1d1e 1553
/* Multiply x by 2 in GF(2^8), reducing with 0x1b, without a branch:
 * (0 - ((x) >> 7)) is all ones when bit 7 of x is set and zero otherwise, so
 * the reduction is applied by masking rather than by a data-dependent jump.
 * x is expanded twice, so pass an expression without side effects, and one
 * whose value fits in 8 bits (the >> 7 is applied before any narrowing). */
wolfSSL 16:8e0d178b1d1e 1554 #define AES_XTIME(x) ((byte)((byte)((x) << 1) ^ ((0 - ((x) >> 7)) & 0x1b)))
wolfSSL 16:8e0d178b1d1e 1555
/* One output byte of MixColumns for the column held in t.
 *
 * i2 and i3 select the bytes of t that are multiplied by 2 and 3; ia and ib
 * select the two bytes that are taken as they are. The result is
 * 2*t[i2] ^ 3*t[i3] ^ t[ia] ^ t[ib] in GF(2^8), returned in the low byte of
 * a word32. Only XOR, shifts and masking are used; there is no table lookup
 * and no branch on the data.
 */
static word32 col_mul(word32 t, int i2, int i3, int ia, int ib)
{
    const byte b3 = GETBYTE(t, i3);
    /* 2*(b2 ^ b3); together with the plain b3 below this gives 2*b2 ^ 3*b3 */
    const byte doubled = AES_XTIME(GETBYTE(t, i2) ^ b3);
    word32 acc = GETBYTE(t, ia);

    acc ^= GETBYTE(t, ib);
    acc ^= b3;
    acc ^= doubled;
    return acc;
}
wolfSSL 16:8e0d178b1d1e 1563
/* One output byte of InvMixColumns for the column held in t.
 *
 * i9, ib, id and ie select the bytes of t that are multiplied by 9, 11, 13
 * and 14 in GF(2^8). The products are built from three chained doublings
 * (AES_XTIME), so the work done does not depend on the data through a table
 * index or a branch. The result is returned in the low byte of a word32.
 */
static word32 inv_col_mul(word32 t, int i9, int ib, int id, int ie)
{
    const byte b9 = GETBYTE(t, i9);
    const byte bb = GETBYTE(t, ib);
    const byte bd = GETBYTE(t, id);
    const byte be = GETBYTE(t, ie);
    /* the three bytes whose factor has the low bit set (9, 11, 13) */
    const byte odd = b9 ^ bb ^ bd;
    /* Horner-style evaluation: every doubling folds in the next bit of the
     * factors */
    const byte x1 = AES_XTIME(odd ^ be);
    const byte x2 = AES_XTIME(x1 ^ bd ^ be);
    const byte x3 = AES_XTIME(x2 ^ bb ^ be);

    return odd ^ x3;
}
wolfSSL 16:8e0d178b1d1e 1573 #endif
wolfSSL 15:117db924cf7c 1574
wolfSSL 15:117db924cf7c 1575 #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) || defined(HAVE_AESGCM)
wolfSSL 15:117db924cf7c 1576
wolfSSL 15:117db924cf7c 1577 #ifndef WC_CACHE_LINE_SZ
wolfSSL 15:117db924cf7c 1578 #if defined(__x86_64__) || defined(_M_X64) || \
wolfSSL 15:117db924cf7c 1579 (defined(__ILP32__) && (__ILP32__ >= 1))
wolfSSL 15:117db924cf7c 1580 #define WC_CACHE_LINE_SZ 64
wolfSSL 15:117db924cf7c 1581 #else
wolfSSL 15:117db924cf7c 1582 /* default cache line size */
wolfSSL 15:117db924cf7c 1583 #define WC_CACHE_LINE_SZ 32
wolfSSL 15:117db924cf7c 1584 #endif
wolfSSL 15:117db924cf7c 1585 #endif
wolfSSL 15:117db924cf7c 1586
wolfSSL 15:117db924cf7c 1587
wolfSSL 16:8e0d178b1d1e 1588 #ifndef WOLFSSL_AES_SMALL_TABLES
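/* Load the 4 Te tables into cache, one read per cache line.
 *
 * The AES rounds index Te with bytes of the secret state, so which cache line
 * is touched depends on key and data. Reading every line up front narrows
 * that timing signal. It is a mitigation only: lines can be evicted again
 * while the block is processed, so the rounds are still not constant time.
 *
 * Returns 0; callers OR the result into the state to give the reads a use.
 */
static WC_INLINE word32 PreFetchTe(void)
{
    word32 x = 0;
    int i,j;

    for (i = 0; i < 4; i++) {
        /* 256 elements, each one is 4 bytes */
        for (j = 0; j < 256; j += WC_CACHE_LINE_SZ/4) {
            /* volatile read: x starts at 0 and is only ANDed, so with a
             * plain read the result is provably 0 and an optimizing
             * compiler may delete the load, and with it the prefetch */
            x &= *(const volatile word32*)&Te[i][j];
        }
    }
    /* The stride is counted from the start of the table. If the table does
     * not begin on a cache line boundary its last entries sit in one more
     * line, so read the final entry as well. */
    x &= *(const volatile word32*)&Te[3][255];
    return x;
}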
wolfSSL 16:8e0d178b1d1e 1603 #else
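/* Load Tsbox into cache before the small-table rounds index it with bytes of
 * the secret state.
 *
 * Tsbox entries are one byte each, so the WC_CACHE_LINE_SZ/4 stride reads
 * every cache line several times; that is harmless. As with any prefetch
 * this is a mitigation, not a constant-time guarantee: lines can be evicted
 * again while the block is processed.
 *
 * Returns 0; callers OR the result into the state to give the reads a use.
 */
static WC_INLINE word32 PreFetchSBox(void)
{
    word32 x = 0;
    int i;

    for (i = 0; i < 256; i += WC_CACHE_LINE_SZ/4) {
        /* volatile read: x starts at 0 and is only ANDed, so with a plain
         * read the result is provably 0 and an optimizing compiler may
         * delete the load, and with it the prefetch */
        x &= *(const volatile byte*)&Tsbox[i];
    }
    /* cover the last cache line when the table does not begin on a cache
     * line boundary */
    x &= *(const volatile byte*)&Tsbox[255];
    return x;
}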
wolfSSL 16:8e0d178b1d1e 1615 #endif
wolfSSL 16:8e0d178b1d1e 1616
/* Software AES - ECB Encrypt
 *
 * Encrypts one block from inBlock into outBlock with the expanded key in
 * aes->key and the round count in aes->rounds.
 *
 * Dispatch order: AES-NI when WOLFSSL_AESNI is built in and enabled for this
 * context, the SCE driver when WOLFSSL_SCE is built in, otherwise the
 * software rounds below (Te tables, or Tsbox plus col_mul() when
 * WOLFSSL_AES_SMALL_TABLES is defined).
 *
 * NOTE(review): the function returns void. Every early return on an error
 * (improper round count, failed XMALLOC, misaligned input with
 * NO_WOLFSSL_ALLOC_ALIGN) leaves outBlock unwritten and the caller cannot
 * tell. When outBlock aliases inBlock the buffer then still holds the
 * plaintext. Callers should validate the key setup before reaching this
 * point rather than rely on the message that is logged here.
 *
 * The software rounds index lookup tables with bytes of the secret state.
 * The PreFetch*() call only loads the tables into cache beforehand; it
 * reduces the cache-timing signal and is not a constant-time guarantee.
 */
wolfSSL 15:117db924cf7c 1618 static void wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
wolfSSL 15:117db924cf7c 1619 {
wolfSSL 15:117db924cf7c 1620 word32 s0, s1, s2, s3;
wolfSSL 15:117db924cf7c 1621 word32 t0, t1, t2, t3;
/* half the round count: the Te loop below does two rounds per pass */
wolfSSL 15:117db924cf7c 1622 word32 r = aes->rounds >> 1;
wolfSSL 15:117db924cf7c 1623 const word32* rk = aes->key;
wolfSSL 15:117db924cf7c 1624
/* r is used as a loop bound over rk, so reject anything outside 1..7 */
wolfSSL 15:117db924cf7c 1625 if (r > 7 || r == 0) {
wolfSSL 15:117db924cf7c 1626 WOLFSSL_MSG("AesEncrypt encountered improper key, set it up");
wolfSSL 16:8e0d178b1d1e 1627 return; /* stop instead of seg-faulting, set up your keys! */
wolfSSL 15:117db924cf7c 1628 }
wolfSSL 15:117db924cf7c 1629
wolfSSL 15:117db924cf7c 1630 #ifdef WOLFSSL_AESNI
wolfSSL 15:117db924cf7c 1631 if (haveAESNI && aes->use_aesni) {
wolfSSL 15:117db924cf7c 1632 #ifdef DEBUG_AESNI
/* debug output prints buffer and key addresses only, not their contents */
wolfSSL 15:117db924cf7c 1633 printf("about to aes encrypt\n");
wolfSSL 15:117db924cf7c 1634 printf("in = %p\n", inBlock);
wolfSSL 15:117db924cf7c 1635 printf("out = %p\n", outBlock);
wolfSSL 15:117db924cf7c 1636 printf("aes->key = %p\n", aes->key);
wolfSSL 15:117db924cf7c 1637 printf("aes->rounds = %d\n", aes->rounds);
wolfSSL 15:117db924cf7c 1638 printf("sz = %d\n", AES_BLOCK_SIZE);
wolfSSL 15:117db924cf7c 1639 #endif
wolfSSL 15:117db924cf7c 1640
wolfSSL 15:117db924cf7c 1641 /* check alignment, decrypt doesn't need alignment */
wolfSSL 15:117db924cf7c 1642 if ((wolfssl_word)inBlock % AESNI_ALIGN) {
wolfSSL 15:117db924cf7c 1643 #ifndef NO_WOLFSSL_ALLOC_ALIGN
/* over-allocate by AESNI_ALIGN so an aligned block fits inside tmp */
wolfSSL 15:117db924cf7c 1644 byte* tmp = (byte*)XMALLOC(AES_BLOCK_SIZE + AESNI_ALIGN, aes->heap,
wolfSSL 15:117db924cf7c 1645 DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 15:117db924cf7c 1646 byte* tmp_align;
/* allocation failure: returns with outBlock unwritten (see header note) */
wolfSSL 15:117db924cf7c 1647 if (tmp == NULL) return;
wolfSSL 15:117db924cf7c 1648
/* next AESNI_ALIGN boundary; a full AESNI_ALIGN step when tmp is already
 * aligned, which still leaves AES_BLOCK_SIZE bytes inside the allocation */
wolfSSL 15:117db924cf7c 1649 tmp_align = tmp + (AESNI_ALIGN - ((size_t)tmp % AESNI_ALIGN));
wolfSSL 15:117db924cf7c 1650
wolfSSL 15:117db924cf7c 1651 XMEMCPY(tmp_align, inBlock, AES_BLOCK_SIZE);
/* encrypt in place in the aligned copy, so the plaintext copy is
 * overwritten by the ciphertext before tmp is freed */
wolfSSL 16:8e0d178b1d1e 1652 AES_ECB_encrypt(tmp_align, tmp_align, AES_BLOCK_SIZE,
wolfSSL 16:8e0d178b1d1e 1653 (byte*)aes->key, aes->rounds);
wolfSSL 15:117db924cf7c 1654 XMEMCPY(outBlock, tmp_align, AES_BLOCK_SIZE);
wolfSSL 15:117db924cf7c 1655 XFREE(tmp, aes->heap, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 15:117db924cf7c 1656 return;
wolfSSL 15:117db924cf7c 1657 #else
wolfSSL 15:117db924cf7c 1658 WOLFSSL_MSG("AES-ECB encrypt with bad alignment");
wolfSSL 15:117db924cf7c 1659 return;
wolfSSL 15:117db924cf7c 1660 #endif
wolfSSL 15:117db924cf7c 1661 }
wolfSSL 15:117db924cf7c 1662
wolfSSL 15:117db924cf7c 1663 AES_ECB_encrypt(inBlock, outBlock, AES_BLOCK_SIZE, (byte*)aes->key,
wolfSSL 15:117db924cf7c 1664 aes->rounds);
wolfSSL 15:117db924cf7c 1665
wolfSSL 15:117db924cf7c 1666 return;
wolfSSL 15:117db924cf7c 1667 }
wolfSSL 15:117db924cf7c 1668 else {
wolfSSL 15:117db924cf7c 1669 #ifdef DEBUG_AESNI
wolfSSL 15:117db924cf7c 1670 printf("Skipping AES-NI\n");
wolfSSL 15:117db924cf7c 1671 #endif
wolfSSL 15:117db924cf7c 1672 }
wolfSSL 15:117db924cf7c 1673 #endif
wolfSSL 16:8e0d178b1d1e 1674 #if defined(WOLFSSL_SCE) && !defined(WOLFSSL_SCE_NO_AES)
/* unconditional return: in this build the software rounds below are never
 * reached */
wolfSSL 16:8e0d178b1d1e 1675 AES_ECB_encrypt(aes, inBlock, outBlock, AES_BLOCK_SIZE);
wolfSSL 16:8e0d178b1d1e 1676 return;
wolfSSL 16:8e0d178b1d1e 1677 #endif
wolfSSL 15:117db924cf7c 1678
wolfSSL 15:117db924cf7c 1679 /*
wolfSSL 15:117db924cf7c 1680 * map byte array block to cipher state
wolfSSL 15:117db924cf7c 1681 * and add initial round key:
wolfSSL 15:117db924cf7c 1682 */
/* XMEMCPY rather than a pointer cast, so inBlock needs no word alignment */
wolfSSL 15:117db924cf7c 1683 XMEMCPY(&s0, inBlock, sizeof(s0));
wolfSSL 15:117db924cf7c 1684 XMEMCPY(&s1, inBlock + sizeof(s0), sizeof(s1));
wolfSSL 15:117db924cf7c 1685 XMEMCPY(&s2, inBlock + 2 * sizeof(s0), sizeof(s2));
wolfSSL 15:117db924cf7c 1686 XMEMCPY(&s3, inBlock + 3 * sizeof(s0), sizeof(s3));
wolfSSL 15:117db924cf7c 1687
wolfSSL 15:117db924cf7c 1688 #ifdef LITTLE_ENDIAN_ORDER
wolfSSL 15:117db924cf7c 1689 s0 = ByteReverseWord32(s0);
wolfSSL 15:117db924cf7c 1690 s1 = ByteReverseWord32(s1);
wolfSSL 15:117db924cf7c 1691 s2 = ByteReverseWord32(s2);
wolfSSL 15:117db924cf7c 1692 s3 = ByteReverseWord32(s3);
wolfSSL 15:117db924cf7c 1693 #endif
wolfSSL 15:117db924cf7c 1694
wolfSSL 16:8e0d178b1d1e 1695 /* AddRoundKey */
wolfSSL 15:117db924cf7c 1696 s0 ^= rk[0];
wolfSSL 15:117db924cf7c 1697 s1 ^= rk[1];
wolfSSL 15:117db924cf7c 1698 s2 ^= rk[2];
wolfSSL 15:117db924cf7c 1699 s3 ^= rk[3];
wolfSSL 15:117db924cf7c 1700
wolfSSL 16:8e0d178b1d1e 1701 #ifndef WOLFSSL_AES_SMALL_TABLES
/* PreFetchTe() returns 0, so s0 is unchanged; the OR only gives the table
 * reads a use */
wolfSSL 15:117db924cf7c 1702 s0 |= PreFetchTe();
wolfSSL 15:117db924cf7c 1703
wolfSSL 15:117db924cf7c 1704 /*
wolfSSL 15:117db924cf7c 1705 * Nr - 1 full rounds:
wolfSSL 15:117db924cf7c 1706 */
wolfSSL 15:117db924cf7c 1707
/* each pass: one round s -> t with rk[4..7], then, unless it was the last
 * pass, one round t -> s with rk[0..3] of the advanced key pointer */
wolfSSL 15:117db924cf7c 1708 for (;;) {
wolfSSL 15:117db924cf7c 1709 t0 =
wolfSSL 16:8e0d178b1d1e 1710 Te[0][GETBYTE(s0, 3)] ^
wolfSSL 16:8e0d178b1d1e 1711 Te[1][GETBYTE(s1, 2)] ^
wolfSSL 16:8e0d178b1d1e 1712 Te[2][GETBYTE(s2, 1)] ^
wolfSSL 16:8e0d178b1d1e 1713 Te[3][GETBYTE(s3, 0)] ^
wolfSSL 15:117db924cf7c 1714 rk[4];
wolfSSL 15:117db924cf7c 1715 t1 =
wolfSSL 16:8e0d178b1d1e 1716 Te[0][GETBYTE(s1, 3)] ^
wolfSSL 16:8e0d178b1d1e 1717 Te[1][GETBYTE(s2, 2)] ^
wolfSSL 16:8e0d178b1d1e 1718 Te[2][GETBYTE(s3, 1)] ^
wolfSSL 16:8e0d178b1d1e 1719 Te[3][GETBYTE(s0, 0)] ^
wolfSSL 15:117db924cf7c 1720 rk[5];
wolfSSL 15:117db924cf7c 1721 t2 =
wolfSSL 15:117db924cf7c 1722 Te[0][GETBYTE(s2, 3)] ^
wolfSSL 16:8e0d178b1d1e 1723 Te[1][GETBYTE(s3, 2)] ^
wolfSSL 16:8e0d178b1d1e 1724 Te[2][GETBYTE(s0, 1)] ^
wolfSSL 16:8e0d178b1d1e 1725 Te[3][GETBYTE(s1, 0)] ^
wolfSSL 15:117db924cf7c 1726 rk[6];
wolfSSL 15:117db924cf7c 1727 t3 =
wolfSSL 15:117db924cf7c 1728 Te[0][GETBYTE(s3, 3)] ^
wolfSSL 16:8e0d178b1d1e 1729 Te[1][GETBYTE(s0, 2)] ^
wolfSSL 16:8e0d178b1d1e 1730 Te[2][GETBYTE(s1, 1)] ^
wolfSSL 16:8e0d178b1d1e 1731 Te[3][GETBYTE(s2, 0)] ^
wolfSSL 15:117db924cf7c 1732 rk[7];
wolfSSL 15:117db924cf7c 1733
wolfSSL 15:117db924cf7c 1734 rk += 8;
wolfSSL 15:117db924cf7c 1735 if (--r == 0) {
wolfSSL 15:117db924cf7c 1736 break;
wolfSSL 15:117db924cf7c 1737 }
wolfSSL 15:117db924cf7c 1738
wolfSSL 15:117db924cf7c 1739 s0 =
wolfSSL 15:117db924cf7c 1740 Te[0][GETBYTE(t0, 3)] ^
wolfSSL 15:117db924cf7c 1741 Te[1][GETBYTE(t1, 2)] ^
wolfSSL 15:117db924cf7c 1742 Te[2][GETBYTE(t2, 1)] ^
wolfSSL 15:117db924cf7c 1743 Te[3][GETBYTE(t3, 0)] ^
wolfSSL 15:117db924cf7c 1744 rk[0];
wolfSSL 15:117db924cf7c 1745 s1 =
wolfSSL 15:117db924cf7c 1746 Te[0][GETBYTE(t1, 3)] ^
wolfSSL 15:117db924cf7c 1747 Te[1][GETBYTE(t2, 2)] ^
wolfSSL 15:117db924cf7c 1748 Te[2][GETBYTE(t3, 1)] ^
wolfSSL 15:117db924cf7c 1749 Te[3][GETBYTE(t0, 0)] ^
wolfSSL 15:117db924cf7c 1750 rk[1];
wolfSSL 15:117db924cf7c 1751 s2 =
wolfSSL 15:117db924cf7c 1752 Te[0][GETBYTE(t2, 3)] ^
wolfSSL 15:117db924cf7c 1753 Te[1][GETBYTE(t3, 2)] ^
wolfSSL 15:117db924cf7c 1754 Te[2][GETBYTE(t0, 1)] ^
wolfSSL 15:117db924cf7c 1755 Te[3][GETBYTE(t1, 0)] ^
wolfSSL 15:117db924cf7c 1756 rk[2];
wolfSSL 15:117db924cf7c 1757 s3 =
wolfSSL 15:117db924cf7c 1758 Te[0][GETBYTE(t3, 3)] ^
wolfSSL 15:117db924cf7c 1759 Te[1][GETBYTE(t0, 2)] ^
wolfSSL 15:117db924cf7c 1760 Te[2][GETBYTE(t1, 1)] ^
wolfSSL 15:117db924cf7c 1761 Te[3][GETBYTE(t2, 0)] ^
wolfSSL 15:117db924cf7c 1762 rk[3];
wolfSSL 15:117db924cf7c 1763 }
wolfSSL 15:117db924cf7c 1764
wolfSSL 15:117db924cf7c 1765 /*
wolfSSL 15:117db924cf7c 1766 * apply last round and
wolfSSL 15:117db924cf7c 1767 * map cipher state to byte array block:
wolfSSL 15:117db924cf7c 1768 */
wolfSSL 15:117db924cf7c 1769
/* each Te entry is masked down to a single byte lane here, one lane per
 * table, before the last round key is added */
wolfSSL 15:117db924cf7c 1770 s0 =
wolfSSL 15:117db924cf7c 1771 (Te[2][GETBYTE(t0, 3)] & 0xff000000) ^
wolfSSL 15:117db924cf7c 1772 (Te[3][GETBYTE(t1, 2)] & 0x00ff0000) ^
wolfSSL 15:117db924cf7c 1773 (Te[0][GETBYTE(t2, 1)] & 0x0000ff00) ^
wolfSSL 15:117db924cf7c 1774 (Te[1][GETBYTE(t3, 0)] & 0x000000ff) ^
wolfSSL 15:117db924cf7c 1775 rk[0];
wolfSSL 15:117db924cf7c 1776 s1 =
wolfSSL 15:117db924cf7c 1777 (Te[2][GETBYTE(t1, 3)] & 0xff000000) ^
wolfSSL 15:117db924cf7c 1778 (Te[3][GETBYTE(t2, 2)] & 0x00ff0000) ^
wolfSSL 15:117db924cf7c 1779 (Te[0][GETBYTE(t3, 1)] & 0x0000ff00) ^
wolfSSL 15:117db924cf7c 1780 (Te[1][GETBYTE(t0, 0)] & 0x000000ff) ^
wolfSSL 15:117db924cf7c 1781 rk[1];
wolfSSL 15:117db924cf7c 1782 s2 =
wolfSSL 15:117db924cf7c 1783 (Te[2][GETBYTE(t2, 3)] & 0xff000000) ^
wolfSSL 15:117db924cf7c 1784 (Te[3][GETBYTE(t3, 2)] & 0x00ff0000) ^
wolfSSL 15:117db924cf7c 1785 (Te[0][GETBYTE(t0, 1)] & 0x0000ff00) ^
wolfSSL 15:117db924cf7c 1786 (Te[1][GETBYTE(t1, 0)] & 0x000000ff) ^
wolfSSL 15:117db924cf7c 1787 rk[2];
wolfSSL 15:117db924cf7c 1788 s3 =
wolfSSL 15:117db924cf7c 1789 (Te[2][GETBYTE(t3, 3)] & 0xff000000) ^
wolfSSL 15:117db924cf7c 1790 (Te[3][GETBYTE(t0, 2)] & 0x00ff0000) ^
wolfSSL 15:117db924cf7c 1791 (Te[0][GETBYTE(t1, 1)] & 0x0000ff00) ^
wolfSSL 15:117db924cf7c 1792 (Te[1][GETBYTE(t2, 0)] & 0x000000ff) ^
wolfSSL 15:117db924cf7c 1793 rk[3];
wolfSSL 16:8e0d178b1d1e 1794 #else
/* PreFetchSBox() returns 0, so s0 is unchanged; the OR only gives the table
 * reads a use */
wolfSSL 16:8e0d178b1d1e 1795 s0 |= PreFetchSBox();
wolfSSL 16:8e0d178b1d1e 1796
/* back to the full round count: this path steps one round at a time */
wolfSSL 16:8e0d178b1d1e 1797 r *= 2;
/* One round per pass, r - 1 passes: Tsbox lookups with the byte rotation
 * into t0..t3, then col_mul() and the round key into s0..s3. The key
 * pointer advances by 4 words per pass. */
wolfSSL 16:8e0d178b1d1e 1799 for (rk += 4; r > 1; r--, rk += 4) {
wolfSSL 16:8e0d178b1d1e 1800 t0 =
wolfSSL 16:8e0d178b1d1e 1801 ((word32)Tsbox[GETBYTE(s0, 3)] << 24) ^
wolfSSL 16:8e0d178b1d1e 1802 ((word32)Tsbox[GETBYTE(s1, 2)] << 16) ^
wolfSSL 16:8e0d178b1d1e 1803 ((word32)Tsbox[GETBYTE(s2, 1)] << 8) ^
wolfSSL 16:8e0d178b1d1e 1804 ((word32)Tsbox[GETBYTE(s3, 0)]);
wolfSSL 16:8e0d178b1d1e 1805 t1 =
wolfSSL 16:8e0d178b1d1e 1806 ((word32)Tsbox[GETBYTE(s1, 3)] << 24) ^
wolfSSL 16:8e0d178b1d1e 1807 ((word32)Tsbox[GETBYTE(s2, 2)] << 16) ^
wolfSSL 16:8e0d178b1d1e 1808 ((word32)Tsbox[GETBYTE(s3, 1)] << 8) ^
wolfSSL 16:8e0d178b1d1e 1809 ((word32)Tsbox[GETBYTE(s0, 0)]);
wolfSSL 16:8e0d178b1d1e 1810 t2 =
wolfSSL 16:8e0d178b1d1e 1811 ((word32)Tsbox[GETBYTE(s2, 3)] << 24) ^
wolfSSL 16:8e0d178b1d1e 1812 ((word32)Tsbox[GETBYTE(s3, 2)] << 16) ^
wolfSSL 16:8e0d178b1d1e 1813 ((word32)Tsbox[GETBYTE(s0, 1)] << 8) ^
wolfSSL 16:8e0d178b1d1e 1814 ((word32)Tsbox[GETBYTE(s1, 0)]);
wolfSSL 16:8e0d178b1d1e 1815 t3 =
wolfSSL 16:8e0d178b1d1e 1816 ((word32)Tsbox[GETBYTE(s3, 3)] << 24) ^
wolfSSL 16:8e0d178b1d1e 1817 ((word32)Tsbox[GETBYTE(s0, 2)] << 16) ^
wolfSSL 16:8e0d178b1d1e 1818 ((word32)Tsbox[GETBYTE(s1, 1)] << 8) ^
wolfSSL 16:8e0d178b1d1e 1819 ((word32)Tsbox[GETBYTE(s2, 0)]);
wolfSSL 16:8e0d178b1d1e 1820
wolfSSL 16:8e0d178b1d1e 1821 s0 =
wolfSSL 16:8e0d178b1d1e 1822 (col_mul(t0, 3, 2, 0, 1) << 24) ^
wolfSSL 16:8e0d178b1d1e 1823 (col_mul(t0, 2, 1, 0, 3) << 16) ^
wolfSSL 16:8e0d178b1d1e 1824 (col_mul(t0, 1, 0, 2, 3) << 8) ^
wolfSSL 16:8e0d178b1d1e 1825 (col_mul(t0, 0, 3, 2, 1) ) ^
wolfSSL 16:8e0d178b1d1e 1826 rk[0];
wolfSSL 16:8e0d178b1d1e 1827 s1 =
wolfSSL 16:8e0d178b1d1e 1828 (col_mul(t1, 3, 2, 0, 1) << 24) ^
wolfSSL 16:8e0d178b1d1e 1829 (col_mul(t1, 2, 1, 0, 3) << 16) ^
wolfSSL 16:8e0d178b1d1e 1830 (col_mul(t1, 1, 0, 2, 3) << 8) ^
wolfSSL 16:8e0d178b1d1e 1831 (col_mul(t1, 0, 3, 2, 1) ) ^
wolfSSL 16:8e0d178b1d1e 1832 rk[1];
wolfSSL 16:8e0d178b1d1e 1833 s2 =
wolfSSL 16:8e0d178b1d1e 1834 (col_mul(t2, 3, 2, 0, 1) << 24) ^
wolfSSL 16:8e0d178b1d1e 1835 (col_mul(t2, 2, 1, 0, 3) << 16) ^
wolfSSL 16:8e0d178b1d1e 1836 (col_mul(t2, 1, 0, 2, 3) << 8) ^
wolfSSL 16:8e0d178b1d1e 1837 (col_mul(t2, 0, 3, 2, 1) ) ^
wolfSSL 16:8e0d178b1d1e 1838 rk[2];
wolfSSL 16:8e0d178b1d1e 1839 s3 =
wolfSSL 16:8e0d178b1d1e 1840 (col_mul(t3, 3, 2, 0, 1) << 24) ^
wolfSSL 16:8e0d178b1d1e 1841 (col_mul(t3, 2, 1, 0, 3) << 16) ^
wolfSSL 16:8e0d178b1d1e 1842 (col_mul(t3, 1, 0, 2, 3) << 8) ^
wolfSSL 16:8e0d178b1d1e 1843 (col_mul(t3, 0, 3, 2, 1) ) ^
wolfSSL 16:8e0d178b1d1e 1844 rk[3];
wolfSSL 16:8e0d178b1d1e 1845 }
wolfSSL 16:8e0d178b1d1e 1846
/* last round: Tsbox lookups and the round key only, no col_mul() */
wolfSSL 16:8e0d178b1d1e 1847 t0 =
wolfSSL 16:8e0d178b1d1e 1848 ((word32)Tsbox[GETBYTE(s0, 3)] << 24) ^
wolfSSL 16:8e0d178b1d1e 1849 ((word32)Tsbox[GETBYTE(s1, 2)] << 16) ^
wolfSSL 16:8e0d178b1d1e 1850 ((word32)Tsbox[GETBYTE(s2, 1)] << 8) ^
wolfSSL 16:8e0d178b1d1e 1851 ((word32)Tsbox[GETBYTE(s3, 0)]);
wolfSSL 16:8e0d178b1d1e 1852 t1 =
wolfSSL 16:8e0d178b1d1e 1853 ((word32)Tsbox[GETBYTE(s1, 3)] << 24) ^
wolfSSL 16:8e0d178b1d1e 1854 ((word32)Tsbox[GETBYTE(s2, 2)] << 16) ^
wolfSSL 16:8e0d178b1d1e 1855 ((word32)Tsbox[GETBYTE(s3, 1)] << 8) ^
wolfSSL 16:8e0d178b1d1e 1856 ((word32)Tsbox[GETBYTE(s0, 0)]);
wolfSSL 16:8e0d178b1d1e 1857 t2 =
wolfSSL 16:8e0d178b1d1e 1858 ((word32)Tsbox[GETBYTE(s2, 3)] << 24) ^
wolfSSL 16:8e0d178b1d1e 1859 ((word32)Tsbox[GETBYTE(s3, 2)] << 16) ^
wolfSSL 16:8e0d178b1d1e 1860 ((word32)Tsbox[GETBYTE(s0, 1)] << 8) ^
wolfSSL 16:8e0d178b1d1e 1861 ((word32)Tsbox[GETBYTE(s1, 0)]);
wolfSSL 16:8e0d178b1d1e 1862 t3 =
wolfSSL 16:8e0d178b1d1e 1863 ((word32)Tsbox[GETBYTE(s3, 3)] << 24) ^
wolfSSL 16:8e0d178b1d1e 1864 ((word32)Tsbox[GETBYTE(s0, 2)] << 16) ^
wolfSSL 16:8e0d178b1d1e 1865 ((word32)Tsbox[GETBYTE(s1, 1)] << 8) ^
wolfSSL 16:8e0d178b1d1e 1866 ((word32)Tsbox[GETBYTE(s2, 0)]);
wolfSSL 16:8e0d178b1d1e 1867 s0 = t0 ^ rk[0];
wolfSSL 16:8e0d178b1d1e 1868 s1 = t1 ^ rk[1];
wolfSSL 16:8e0d178b1d1e 1869 s2 = t2 ^ rk[2];
wolfSSL 16:8e0d178b1d1e 1870 s3 = t3 ^ rk[3];
wolfSSL 16:8e0d178b1d1e 1871 #endif
wolfSSL 15:117db924cf7c 1872
wolfSSL 15:117db924cf7c 1873 /* write out */
wolfSSL 15:117db924cf7c 1874 #ifdef LITTLE_ENDIAN_ORDER
wolfSSL 15:117db924cf7c 1875 s0 = ByteReverseWord32(s0);
wolfSSL 15:117db924cf7c 1876 s1 = ByteReverseWord32(s1);
wolfSSL 15:117db924cf7c 1877 s2 = ByteReverseWord32(s2);
wolfSSL 15:117db924cf7c 1878 s3 = ByteReverseWord32(s3);
wolfSSL 15:117db924cf7c 1879 #endif
wolfSSL 15:117db924cf7c 1880
wolfSSL 15:117db924cf7c 1881 XMEMCPY(outBlock, &s0, sizeof(s0));
wolfSSL 15:117db924cf7c 1882 XMEMCPY(outBlock + sizeof(s0), &s1, sizeof(s1));
wolfSSL 15:117db924cf7c 1883 XMEMCPY(outBlock + 2 * sizeof(s0), &s2, sizeof(s2));
wolfSSL 15:117db924cf7c 1884 XMEMCPY(outBlock + 3 * sizeof(s0), &s3, sizeof(s3));
wolfSSL 15:117db924cf7c 1885
wolfSSL 15:117db924cf7c 1886 }
wolfSSL 15:117db924cf7c 1887 #endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT || HAVE_AESGCM */
wolfSSL 15:117db924cf7c 1888
wolfSSL 15:117db924cf7c 1889 #if defined(HAVE_AES_DECRYPT)
wolfSSL 16:8e0d178b1d1e 1890 #if (defined(HAVE_AES_CBC) && !defined(WOLFSSL_DEVCRYPTO_CBC)) || \
wolfSSL 16:8e0d178b1d1e 1891 defined(WOLFSSL_AES_DIRECT)
wolfSSL 16:8e0d178b1d1e 1892
wolfSSL 16:8e0d178b1d1e 1893 #ifndef WOLFSSL_AES_SMALL_TABLES
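/* Load the 4 Td tables into cache, one read per cache line.
 *
 * The decrypt rounds index Td with bytes of the secret state, so which cache
 * line is touched depends on key and data. Reading every line up front
 * narrows that timing signal. It is a mitigation only: lines can be evicted
 * again while the block is processed, so the rounds are still not constant
 * time.
 *
 * Returns 0; callers OR the result into the state to give the reads a use.
 */
static WC_INLINE word32 PreFetchTd(void)
{
    word32 x = 0;
    int i,j;

    for (i = 0; i < 4; i++) {
        /* 256 elements, each one is 4 bytes */
        for (j = 0; j < 256; j += WC_CACHE_LINE_SZ/4) {
            /* volatile read: x starts at 0 and is only ANDed, so with a
             * plain read the result is provably 0 and an optimizing
             * compiler may delete the load, and with it the prefetch */
            x &= *(const volatile word32*)&Td[i][j];
        }
    }
    /* The stride is counted from the start of the table. If the table does
     * not begin on a cache line boundary its last entries sit in one more
     * line, so read the final entry as well. */
    x &= *(const volatile word32*)&Td[3][255];
    return x;
}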
wolfSSL 16:8e0d178b1d1e 1908 #endif
wolfSSL 15:117db924cf7c 1909
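/* Load Td Table4 into cache, one read per cache line, before the decrypt
 * rounds index it with bytes of the secret state.
 *
 * The stride is WC_CACHE_LINE_SZ entries, i.e. one read per line for
 * one-byte entries. As with any prefetch this is a mitigation, not a
 * constant-time guarantee: lines can be evicted again while the block is
 * processed.
 *
 * Returns 0; callers OR the result into the state to give the reads a use.
 */
static WC_INLINE word32 PreFetchTd4(void)
{
    word32 x = 0;
    int i;

    for (i = 0; i < 256; i += WC_CACHE_LINE_SZ) {
        /* volatile read: x starts at 0 and is only ANDed, so with a plain
         * read the result is provably 0 and an optimizing compiler may
         * delete the load, and with it the prefetch */
        x &= (word32)*(const volatile byte*)&Td4[i];
    }
    /* cover the last cache line when the table does not begin on a cache
     * line boundary */
    x &= (word32)*(const volatile byte*)&Td4[255];
    return x;
}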
wolfSSL 15:117db924cf7c 1921
wolfSSL 16:8e0d178b1d1e 1922 /* Software AES - ECB Decrypt */
wolfSSL 15:117db924cf7c 1923 static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
wolfSSL 15:117db924cf7c 1924 {
wolfSSL 15:117db924cf7c 1925 word32 s0, s1, s2, s3;
wolfSSL 15:117db924cf7c 1926 word32 t0, t1, t2, t3;
wolfSSL 15:117db924cf7c 1927 word32 r = aes->rounds >> 1;
wolfSSL 15:117db924cf7c 1928
wolfSSL 15:117db924cf7c 1929 const word32* rk = aes->key;
wolfSSL 15:117db924cf7c 1930 if (r > 7 || r == 0) {
wolfSSL 15:117db924cf7c 1931 WOLFSSL_MSG("AesDecrypt encountered improper key, set it up");
wolfSSL 16:8e0d178b1d1e 1932 return; /* stop instead of seg-faulting, set up your keys! */
wolfSSL 15:117db924cf7c 1933 }
wolfSSL 15:117db924cf7c 1934 #ifdef WOLFSSL_AESNI
wolfSSL 15:117db924cf7c 1935 if (haveAESNI && aes->use_aesni) {
wolfSSL 15:117db924cf7c 1936 #ifdef DEBUG_AESNI
wolfSSL 15:117db924cf7c 1937 printf("about to aes decrypt\n");
wolfSSL 15:117db924cf7c 1938 printf("in = %p\n", inBlock);
wolfSSL 15:117db924cf7c 1939 printf("out = %p\n", outBlock);
wolfSSL 15:117db924cf7c 1940 printf("aes->key = %p\n", aes->key);
wolfSSL 15:117db924cf7c 1941 printf("aes->rounds = %d\n", aes->rounds);
wolfSSL 15:117db924cf7c 1942 printf("sz = %d\n", AES_BLOCK_SIZE);
wolfSSL 15:117db924cf7c 1943 #endif
wolfSSL 15:117db924cf7c 1944
wolfSSL 15:117db924cf7c 1945 /* if input and output same will overwrite input iv */
wolfSSL 16:8e0d178b1d1e 1946 if ((const byte*)aes->tmp != inBlock)
wolfSSL 16:8e0d178b1d1e 1947 XMEMCPY(aes->tmp, inBlock, AES_BLOCK_SIZE);
wolfSSL 15:117db924cf7c 1948 AES_ECB_decrypt(inBlock, outBlock, AES_BLOCK_SIZE, (byte*)aes->key,
wolfSSL 15:117db924cf7c 1949 aes->rounds);
wolfSSL 15:117db924cf7c 1950 return;
wolfSSL 15:117db924cf7c 1951 }
wolfSSL 15:117db924cf7c 1952 else {
wolfSSL 15:117db924cf7c 1953 #ifdef DEBUG_AESNI
wolfSSL 15:117db924cf7c 1954 printf("Skipping AES-NI\n");
wolfSSL 15:117db924cf7c 1955 #endif
wolfSSL 15:117db924cf7c 1956 }
wolfSSL 15:117db924cf7c 1957 #endif /* WOLFSSL_AESNI */
wolfSSL 16:8e0d178b1d1e 1958 #if defined(WOLFSSL_SCE) && !defined(WOLFSSL_SCE_NO_AES)
wolfSSL 16:8e0d178b1d1e 1959 return AES_ECB_decrypt(aes, inBlock, outBlock, AES_BLOCK_SIZE);
wolfSSL 16:8e0d178b1d1e 1960 #endif
wolfSSL 15:117db924cf7c 1961
wolfSSL 15:117db924cf7c 1962 /*
wolfSSL 15:117db924cf7c 1963 * map byte array block to cipher state
wolfSSL 15:117db924cf7c 1964 * and add initial round key:
wolfSSL 15:117db924cf7c 1965 */
wolfSSL 15:117db924cf7c 1966 XMEMCPY(&s0, inBlock, sizeof(s0));
wolfSSL 15:117db924cf7c 1967 XMEMCPY(&s1, inBlock + sizeof(s0), sizeof(s1));
wolfSSL 15:117db924cf7c 1968 XMEMCPY(&s2, inBlock + 2 * sizeof(s0), sizeof(s2));
wolfSSL 15:117db924cf7c 1969 XMEMCPY(&s3, inBlock + 3 * sizeof(s0), sizeof(s3));
wolfSSL 15:117db924cf7c 1970
wolfSSL 15:117db924cf7c 1971 #ifdef LITTLE_ENDIAN_ORDER
wolfSSL 15:117db924cf7c 1972 s0 = ByteReverseWord32(s0);
wolfSSL 15:117db924cf7c 1973 s1 = ByteReverseWord32(s1);
wolfSSL 15:117db924cf7c 1974 s2 = ByteReverseWord32(s2);
wolfSSL 15:117db924cf7c 1975 s3 = ByteReverseWord32(s3);
wolfSSL 15:117db924cf7c 1976 #endif
wolfSSL 15:117db924cf7c 1977
wolfSSL 15:117db924cf7c 1978 s0 ^= rk[0];
wolfSSL 15:117db924cf7c 1979 s1 ^= rk[1];
wolfSSL 15:117db924cf7c 1980 s2 ^= rk[2];
wolfSSL 15:117db924cf7c 1981 s3 ^= rk[3];
wolfSSL 15:117db924cf7c 1982
wolfSSL 16:8e0d178b1d1e 1983 #ifndef WOLFSSL_AES_SMALL_TABLES
wolfSSL 15:117db924cf7c 1984 s0 |= PreFetchTd();
wolfSSL 15:117db924cf7c 1985
wolfSSL 15:117db924cf7c 1986 /*
wolfSSL 15:117db924cf7c 1987 * Nr - 1 full rounds:
wolfSSL 15:117db924cf7c 1988 */
wolfSSL 15:117db924cf7c 1989
wolfSSL 15:117db924cf7c 1990 for (;;) {
wolfSSL 15:117db924cf7c 1991 t0 =
wolfSSL 15:117db924cf7c 1992 Td[0][GETBYTE(s0, 3)] ^
wolfSSL 15:117db924cf7c 1993 Td[1][GETBYTE(s3, 2)] ^
wolfSSL 15:117db924cf7c 1994 Td[2][GETBYTE(s2, 1)] ^
wolfSSL 15:117db924cf7c 1995 Td[3][GETBYTE(s1, 0)] ^
wolfSSL 15:117db924cf7c 1996 rk[4];
wolfSSL 15:117db924cf7c 1997 t1 =
wolfSSL 15:117db924cf7c 1998 Td[0][GETBYTE(s1, 3)] ^
wolfSSL 15:117db924cf7c 1999 Td[1][GETBYTE(s0, 2)] ^
wolfSSL 15:117db924cf7c 2000 Td[2][GETBYTE(s3, 1)] ^
wolfSSL 15:117db924cf7c 2001 Td[3][GETBYTE(s2, 0)] ^
wolfSSL 15:117db924cf7c 2002 rk[5];
wolfSSL 15:117db924cf7c 2003 t2 =
wolfSSL 15:117db924cf7c 2004 Td[0][GETBYTE(s2, 3)] ^
wolfSSL 15:117db924cf7c 2005 Td[1][GETBYTE(s1, 2)] ^
wolfSSL 15:117db924cf7c 2006 Td[2][GETBYTE(s0, 1)] ^
wolfSSL 15:117db924cf7c 2007 Td[3][GETBYTE(s3, 0)] ^
wolfSSL 15:117db924cf7c 2008 rk[6];
wolfSSL 15:117db924cf7c 2009 t3 =
wolfSSL 15:117db924cf7c 2010 Td[0][GETBYTE(s3, 3)] ^
wolfSSL 15:117db924cf7c 2011 Td[1][GETBYTE(s2, 2)] ^
wolfSSL 15:117db924cf7c 2012 Td[2][GETBYTE(s1, 1)] ^
wolfSSL 15:117db924cf7c 2013 Td[3][GETBYTE(s0, 0)] ^
wolfSSL 15:117db924cf7c 2014 rk[7];
wolfSSL 15:117db924cf7c 2015
wolfSSL 15:117db924cf7c 2016 rk += 8;
wolfSSL 15:117db924cf7c 2017 if (--r == 0) {
wolfSSL 15:117db924cf7c 2018 break;
wolfSSL 15:117db924cf7c 2019 }
wolfSSL 15:117db924cf7c 2020
wolfSSL 15:117db924cf7c 2021 s0 =
wolfSSL 15:117db924cf7c 2022 Td[0][GETBYTE(t0, 3)] ^
wolfSSL 15:117db924cf7c 2023 Td[1][GETBYTE(t3, 2)] ^
wolfSSL 15:117db924cf7c 2024 Td[2][GETBYTE(t2, 1)] ^
wolfSSL 15:117db924cf7c 2025 Td[3][GETBYTE(t1, 0)] ^
wolfSSL 15:117db924cf7c 2026 rk[0];
wolfSSL 15:117db924cf7c 2027 s1 =
wolfSSL 15:117db924cf7c 2028 Td[0][GETBYTE(t1, 3)] ^
wolfSSL 15:117db924cf7c 2029 Td[1][GETBYTE(t0, 2)] ^
wolfSSL 15:117db924cf7c 2030 Td[2][GETBYTE(t3, 1)] ^
wolfSSL 15:117db924cf7c 2031 Td[3][GETBYTE(t2, 0)] ^
wolfSSL 15:117db924cf7c 2032 rk[1];
wolfSSL 15:117db924cf7c 2033 s2 =
wolfSSL 15:117db924cf7c 2034 Td[0][GETBYTE(t2, 3)] ^
wolfSSL 15:117db924cf7c 2035 Td[1][GETBYTE(t1, 2)] ^
wolfSSL 15:117db924cf7c 2036 Td[2][GETBYTE(t0, 1)] ^
wolfSSL 15:117db924cf7c 2037 Td[3][GETBYTE(t3, 0)] ^
wolfSSL 15:117db924cf7c 2038 rk[2];
wolfSSL 15:117db924cf7c 2039 s3 =
wolfSSL 15:117db924cf7c 2040 Td[0][GETBYTE(t3, 3)] ^
wolfSSL 15:117db924cf7c 2041 Td[1][GETBYTE(t2, 2)] ^
wolfSSL 15:117db924cf7c 2042 Td[2][GETBYTE(t1, 1)] ^
wolfSSL 15:117db924cf7c 2043 Td[3][GETBYTE(t0, 0)] ^
wolfSSL 15:117db924cf7c 2044 rk[3];
wolfSSL 15:117db924cf7c 2045 }
wolfSSL 15:117db924cf7c 2046 /*
wolfSSL 15:117db924cf7c 2047 * apply last round and
wolfSSL 15:117db924cf7c 2048 * map cipher state to byte array block:
wolfSSL 15:117db924cf7c 2049 */
wolfSSL 15:117db924cf7c 2050
wolfSSL 15:117db924cf7c 2051 t0 |= PreFetchTd4();
wolfSSL 15:117db924cf7c 2052
wolfSSL 15:117db924cf7c 2053 s0 =
wolfSSL 15:117db924cf7c 2054 ((word32)Td4[GETBYTE(t0, 3)] << 24) ^
wolfSSL 15:117db924cf7c 2055 ((word32)Td4[GETBYTE(t3, 2)] << 16) ^
wolfSSL 15:117db924cf7c 2056 ((word32)Td4[GETBYTE(t2, 1)] << 8) ^
wolfSSL 15:117db924cf7c 2057 ((word32)Td4[GETBYTE(t1, 0)]) ^
wolfSSL 15:117db924cf7c 2058 rk[0];
wolfSSL 15:117db924cf7c 2059 s1 =
wolfSSL 15:117db924cf7c 2060 ((word32)Td4[GETBYTE(t1, 3)] << 24) ^
wolfSSL 15:117db924cf7c 2061 ((word32)Td4[GETBYTE(t0, 2)] << 16) ^
wolfSSL 15:117db924cf7c 2062 ((word32)Td4[GETBYTE(t3, 1)] << 8) ^
wolfSSL 15:117db924cf7c 2063 ((word32)Td4[GETBYTE(t2, 0)]) ^
wolfSSL 15:117db924cf7c 2064 rk[1];
wolfSSL 15:117db924cf7c 2065 s2 =
wolfSSL 15:117db924cf7c 2066 ((word32)Td4[GETBYTE(t2, 3)] << 24) ^
wolfSSL 15:117db924cf7c 2067 ((word32)Td4[GETBYTE(t1, 2)] << 16) ^
wolfSSL 15:117db924cf7c 2068 ((word32)Td4[GETBYTE(t0, 1)] << 8) ^
wolfSSL 15:117db924cf7c 2069 ((word32)Td4[GETBYTE(t3, 0)]) ^
wolfSSL 15:117db924cf7c 2070 rk[2];
wolfSSL 15:117db924cf7c 2071 s3 =
wolfSSL 15:117db924cf7c 2072 ((word32)Td4[GETBYTE(t3, 3)] << 24) ^
wolfSSL 15:117db924cf7c 2073 ((word32)Td4[GETBYTE(t2, 2)] << 16) ^
wolfSSL 15:117db924cf7c 2074 ((word32)Td4[GETBYTE(t1, 1)] << 8) ^
wolfSSL 15:117db924cf7c 2075 ((word32)Td4[GETBYTE(t0, 0)]) ^
wolfSSL 15:117db924cf7c 2076 rk[3];
wolfSSL 16:8e0d178b1d1e 2077 #else
wolfSSL 16:8e0d178b1d1e 2078 s0 |= PreFetchTd4();
wolfSSL 16:8e0d178b1d1e 2079
wolfSSL 16:8e0d178b1d1e 2080 r *= 2;
wolfSSL 16:8e0d178b1d1e 2081 for (rk += 4; r > 1; r--, rk += 4) {
wolfSSL 16:8e0d178b1d1e 2082 t0 =
wolfSSL 16:8e0d178b1d1e 2083 ((word32)Td4[GETBYTE(s0, 3)] << 24) ^
wolfSSL 16:8e0d178b1d1e 2084 ((word32)Td4[GETBYTE(s3, 2)] << 16) ^
wolfSSL 16:8e0d178b1d1e 2085 ((word32)Td4[GETBYTE(s2, 1)] << 8) ^
wolfSSL 16:8e0d178b1d1e 2086 ((word32)Td4[GETBYTE(s1, 0)]) ^
wolfSSL 16:8e0d178b1d1e 2087 rk[0];
wolfSSL 16:8e0d178b1d1e 2088 t1 =
wolfSSL 16:8e0d178b1d1e 2089 ((word32)Td4[GETBYTE(s1, 3)] << 24) ^
wolfSSL 16:8e0d178b1d1e 2090 ((word32)Td4[GETBYTE(s0, 2)] << 16) ^
wolfSSL 16:8e0d178b1d1e 2091 ((word32)Td4[GETBYTE(s3, 1)] << 8) ^
wolfSSL 16:8e0d178b1d1e 2092 ((word32)Td4[GETBYTE(s2, 0)]) ^
wolfSSL 16:8e0d178b1d1e 2093 rk[1];
wolfSSL 16:8e0d178b1d1e 2094 t2 =
wolfSSL 16:8e0d178b1d1e 2095 ((word32)Td4[GETBYTE(s2, 3)] << 24) ^
wolfSSL 16:8e0d178b1d1e 2096 ((word32)Td4[GETBYTE(s1, 2)] << 16) ^
wolfSSL 16:8e0d178b1d1e 2097 ((word32)Td4[GETBYTE(s0, 1)] << 8) ^
wolfSSL 16:8e0d178b1d1e 2098 ((word32)Td4[GETBYTE(s3, 0)]) ^
wolfSSL 16:8e0d178b1d1e 2099 rk[2];
wolfSSL 16:8e0d178b1d1e 2100 t3 =
wolfSSL 16:8e0d178b1d1e 2101 ((word32)Td4[GETBYTE(s3, 3)] << 24) ^
wolfSSL 16:8e0d178b1d1e 2102 ((word32)Td4[GETBYTE(s2, 2)] << 16) ^
wolfSSL 16:8e0d178b1d1e 2103 ((word32)Td4[GETBYTE(s1, 1)] << 8) ^
wolfSSL 16:8e0d178b1d1e 2104 ((word32)Td4[GETBYTE(s0, 0)]) ^
wolfSSL 16:8e0d178b1d1e 2105 rk[3];
wolfSSL 16:8e0d178b1d1e 2106
wolfSSL 16:8e0d178b1d1e 2107 s0 =
wolfSSL 16:8e0d178b1d1e 2108 (inv_col_mul(t0, 0, 2, 1, 3) << 24) ^
wolfSSL 16:8e0d178b1d1e 2109 (inv_col_mul(t0, 3, 1, 0, 2) << 16) ^
wolfSSL 16:8e0d178b1d1e 2110 (inv_col_mul(t0, 2, 0, 3, 1) << 8) ^
wolfSSL 16:8e0d178b1d1e 2111 (inv_col_mul(t0, 1, 3, 2, 0) );
wolfSSL 16:8e0d178b1d1e 2112 s1 =
wolfSSL 16:8e0d178b1d1e 2113 (inv_col_mul(t1, 0, 2, 1, 3) << 24) ^
wolfSSL 16:8e0d178b1d1e 2114 (inv_col_mul(t1, 3, 1, 0, 2) << 16) ^
wolfSSL 16:8e0d178b1d1e 2115 (inv_col_mul(t1, 2, 0, 3, 1) << 8) ^
wolfSSL 16:8e0d178b1d1e 2116 (inv_col_mul(t1, 1, 3, 2, 0) );
wolfSSL 16:8e0d178b1d1e 2117 s2 =
wolfSSL 16:8e0d178b1d1e 2118 (inv_col_mul(t2, 0, 2, 1, 3) << 24) ^
wolfSSL 16:8e0d178b1d1e 2119 (inv_col_mul(t2, 3, 1, 0, 2) << 16) ^
wolfSSL 16:8e0d178b1d1e 2120 (inv_col_mul(t2, 2, 0, 3, 1) << 8) ^
wolfSSL 16:8e0d178b1d1e 2121 (inv_col_mul(t2, 1, 3, 2, 0) );
wolfSSL 16:8e0d178b1d1e 2122 s3 =
wolfSSL 16:8e0d178b1d1e 2123 (inv_col_mul(t3, 0, 2, 1, 3) << 24) ^
wolfSSL 16:8e0d178b1d1e 2124 (inv_col_mul(t3, 3, 1, 0, 2) << 16) ^
wolfSSL 16:8e0d178b1d1e 2125 (inv_col_mul(t3, 2, 0, 3, 1) << 8) ^
wolfSSL 16:8e0d178b1d1e 2126 (inv_col_mul(t3, 1, 3, 2, 0) );
wolfSSL 16:8e0d178b1d1e 2127 }
wolfSSL 16:8e0d178b1d1e 2128
wolfSSL 16:8e0d178b1d1e 2129 t0 =
wolfSSL 16:8e0d178b1d1e 2130 ((word32)Td4[GETBYTE(s0, 3)] << 24) ^
wolfSSL 16:8e0d178b1d1e 2131 ((word32)Td4[GETBYTE(s3, 2)] << 16) ^
wolfSSL 16:8e0d178b1d1e 2132 ((word32)Td4[GETBYTE(s2, 1)] << 8) ^
wolfSSL 16:8e0d178b1d1e 2133 ((word32)Td4[GETBYTE(s1, 0)]);
wolfSSL 16:8e0d178b1d1e 2134 t1 =
wolfSSL 16:8e0d178b1d1e 2135 ((word32)Td4[GETBYTE(s1, 3)] << 24) ^
wolfSSL 16:8e0d178b1d1e 2136 ((word32)Td4[GETBYTE(s0, 2)] << 16) ^
wolfSSL 16:8e0d178b1d1e 2137 ((word32)Td4[GETBYTE(s3, 1)] << 8) ^
wolfSSL 16:8e0d178b1d1e 2138 ((word32)Td4[GETBYTE(s2, 0)]);
wolfSSL 16:8e0d178b1d1e 2139 t2 =
wolfSSL 16:8e0d178b1d1e 2140 ((word32)Td4[GETBYTE(s2, 3)] << 24) ^
wolfSSL 16:8e0d178b1d1e 2141 ((word32)Td4[GETBYTE(s1, 2)] << 16) ^
wolfSSL 16:8e0d178b1d1e 2142 ((word32)Td4[GETBYTE(s0, 1)] << 8) ^
wolfSSL 16:8e0d178b1d1e 2143 ((word32)Td4[GETBYTE(s3, 0)]);
wolfSSL 16:8e0d178b1d1e 2144 t3 =
wolfSSL 16:8e0d178b1d1e 2145 ((word32)Td4[GETBYTE(s3, 3)] << 24) ^
wolfSSL 16:8e0d178b1d1e 2146 ((word32)Td4[GETBYTE(s2, 2)] << 16) ^
wolfSSL 16:8e0d178b1d1e 2147 ((word32)Td4[GETBYTE(s1, 1)] << 8) ^
wolfSSL 16:8e0d178b1d1e 2148 ((word32)Td4[GETBYTE(s0, 0)]);
wolfSSL 16:8e0d178b1d1e 2149 s0 = t0 ^ rk[0];
wolfSSL 16:8e0d178b1d1e 2150 s1 = t1 ^ rk[1];
wolfSSL 16:8e0d178b1d1e 2151 s2 = t2 ^ rk[2];
wolfSSL 16:8e0d178b1d1e 2152 s3 = t3 ^ rk[3];
wolfSSL 16:8e0d178b1d1e 2153 #endif
wolfSSL 15:117db924cf7c 2154
wolfSSL 15:117db924cf7c 2155 /* write out */
wolfSSL 15:117db924cf7c 2156 #ifdef LITTLE_ENDIAN_ORDER
wolfSSL 15:117db924cf7c 2157 s0 = ByteReverseWord32(s0);
wolfSSL 15:117db924cf7c 2158 s1 = ByteReverseWord32(s1);
wolfSSL 15:117db924cf7c 2159 s2 = ByteReverseWord32(s2);
wolfSSL 15:117db924cf7c 2160 s3 = ByteReverseWord32(s3);
wolfSSL 15:117db924cf7c 2161 #endif
wolfSSL 15:117db924cf7c 2162
wolfSSL 15:117db924cf7c 2163 XMEMCPY(outBlock, &s0, sizeof(s0));
wolfSSL 15:117db924cf7c 2164 XMEMCPY(outBlock + sizeof(s0), &s1, sizeof(s1));
wolfSSL 15:117db924cf7c 2165 XMEMCPY(outBlock + 2 * sizeof(s0), &s2, sizeof(s2));
wolfSSL 15:117db924cf7c 2166 XMEMCPY(outBlock + 3 * sizeof(s0), &s3, sizeof(s3));
wolfSSL 15:117db924cf7c 2167 }
wolfSSL 15:117db924cf7c 2168 #endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT */
wolfSSL 15:117db924cf7c 2169 #endif /* HAVE_AES_DECRYPT */
wolfSSL 15:117db924cf7c 2170
wolfSSL 15:117db924cf7c 2171 #endif /* NEED_AES_TABLES */
wolfSSL 15:117db924cf7c 2172
wolfSSL 15:117db924cf7c 2173
wolfSSL 15:117db924cf7c 2174
wolfSSL 15:117db924cf7c 2175 /* wc_AesSetKey */
wolfSSL 15:117db924cf7c 2176 #if defined(STM32_CRYPTO)
wolfSSL 15:117db924cf7c 2177
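/* Load an AES key for the STM32 hardware crypto build.
 *
 * aes     AES context to initialise; must not be NULL.
 * userKey raw key, keylen bytes long; must not be NULL.
 * keylen  key size in bytes: 16 or 32, plus 24 when WOLFSSL_AES_192 is
 *         defined.
 * iv      initialisation vector, handed to wc_AesSetIV().
 * dir     unused in this build.
 *
 * Returns BAD_FUNC_ARG for a NULL context/key or an unsupported key length,
 * otherwise whatever wc_AesSetIV() returns.
 */
int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen,
                 const byte* iv, int dir)
{
    word32 *rk;

    (void)dir;

    /* A NULL key would otherwise reach XMEMCPY below, so reject it together
     * with the other argument checks. */
    if (aes == NULL || userKey == NULL || (keylen != 16 &&
    #ifdef WOLFSSL_AES_192
        keylen != 24 &&
    #endif
        keylen != 32)) {
        return BAD_FUNC_ARG;
    }

    rk = aes->key;
    aes->keylen = keylen;
    aes->rounds = keylen/4 + 6;
    XMEMCPY(rk, userKey, keylen);
#if !defined(WOLFSSL_STM32_CUBEMX) || defined(STM32_HAL_V2)
    /* The stored key words are byte-swapped in place for these HAL
     * configurations. */
    ByteReverseWords(rk, rk, keylen);
#endif
#if defined(WOLFSSL_AES_CFB) || defined(WOLFSSL_AES_COUNTER) || \
    defined(WOLFSSL_AES_OFB)
    /* A new key invalidates any buffered stream-mode bytes. */
    aes->left = 0;
#endif

    return wc_AesSetIV(aes, iv);
}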
wolfSSL 15:117db924cf7c 2207 #if defined(WOLFSSL_AES_DIRECT)
/* Direct-mode key setup: forwards every argument unchanged to
 * wc_AesSetKey() and returns its status. */
int wc_AesSetKeyDirect(Aes* aes, const byte* userKey, word32 keylen,
                       const byte* iv, int dir)
{
    const int status = wc_AesSetKey(aes, userKey, keylen, iv, dir);

    return status;
}
wolfSSL 15:117db924cf7c 2213 #endif
wolfSSL 15:117db924cf7c 2214
wolfSSL 15:117db924cf7c 2215 #elif defined(HAVE_COLDFIRE_SEC)
wolfSSL 15:117db924cf7c 2216 #if defined (HAVE_THREADX)
wolfSSL 15:117db924cf7c 2217 #include "memory_pools.h"
wolfSSL 15:117db924cf7c 2218 extern TX_BYTE_POOL mp_ncached; /* Non Cached memory pool */
wolfSSL 15:117db924cf7c 2219 #endif
wolfSSL 15:117db924cf7c 2220
/* Size in bytes of each of AESBuffIn / AESBuffOut: 64 AES blocks. */
#define AES_BUFFER_SIZE (AES_BLOCK_SIZE * 64)

/* presumably SEC descriptor header words for the two CBC directions -
 * confirm against the SEC reference manual */
#define SEC_DESC_AES_CBC_ENCRYPT 0x60300010
#define SEC_DESC_AES_CBC_DECRYPT 0x60200010

/* File-scope state shared by every Aes object in this build. Under
 * HAVE_THREADX the buffers are allocated on the first wc_AesSetKey() call;
 * AESBuffIn == NULL is what that function tests to decide whether the
 * allocation still has to happen. */
static unsigned char *AESBuffIn = NULL;
static unsigned char *AESBuffOut = NULL;
static byte *secReg = NULL;
static byte *secKey = NULL;
static volatile SECdescriptorType *secDesc = NULL;

/* Initialised by wc_AesSetKey() alongside the buffers above. */
static wolfSSL_Mutex Mutex_AesSEC;

extern volatile unsigned char __MBAR[];
wolfSSL 15:117db924cf7c 2234
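/* Load an AES key for the ColdFire SEC build.
 *
 * On the first successful call (AESBuffIn still NULL) this also allocates
 * the shared buffers (ThreadX builds) and initialises Mutex_AesSEC.
 *
 * aes     AES context to initialise; must not be NULL.
 * userKey raw key, keylen bytes long; must not be NULL.
 * keylen  key size in bytes: 16, 24 or 32.
 * iv      optional IV; when non-NULL, AES_BLOCK_SIZE bytes are copied into
 *         aes->reg.
 * dir     unused in this build.
 *
 * Returns 0 on success, BAD_FUNC_ARG on invalid arguments or when the shared
 * buffers cannot be allocated.
 */
int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen,
                 const byte* iv, int dir)
{
    (void)dir;

    /* Validate the caller's arguments before touching any shared state, so
     * a bad call cannot trigger the one-time allocation. */
    if (aes == NULL || userKey == NULL)
        return BAD_FUNC_ARG;

    if (!((keylen == 16) || (keylen == 24) || (keylen == 32)))
        return BAD_FUNC_ARG;

    if (AESBuffIn == NULL) {
    #if defined (HAVE_THREADX)
        int s1, s2, s3, s4, s5;
        s5 = tx_byte_allocate(&mp_ncached,(void *)&secDesc,
                              sizeof(SECdescriptorType), TX_NO_WAIT);
        s1 = tx_byte_allocate(&mp_ncached, (void *)&AESBuffIn,
                              AES_BUFFER_SIZE, TX_NO_WAIT);
        s2 = tx_byte_allocate(&mp_ncached, (void *)&AESBuffOut,
                              AES_BUFFER_SIZE, TX_NO_WAIT);
        s3 = tx_byte_allocate(&mp_ncached, (void *)&secKey,
                              AES_BLOCK_SIZE*2, TX_NO_WAIT);
        s4 = tx_byte_allocate(&mp_ncached, (void *)&secReg,
                              AES_BLOCK_SIZE, TX_NO_WAIT);

        if (s1 || s2 || s3 || s4 || s5) {
            /* AESBuffIn doubles as the "already initialised" flag. After a
             * partial failure it must not stay set, or the next call would
             * skip this block and run with missing buffers and an
             * uninitialised mutex. Give back what was obtained and reset. */
            if (s1 == TX_SUCCESS)
                tx_byte_release((void *)AESBuffIn);
            if (s2 == TX_SUCCESS)
                tx_byte_release((void *)AESBuffOut);
            if (s3 == TX_SUCCESS)
                tx_byte_release((void *)secKey);
            if (s4 == TX_SUCCESS)
                tx_byte_release((void *)secReg);
            if (s5 == TX_SUCCESS)
                tx_byte_release((void *)secDesc);
            AESBuffIn  = NULL;
            AESBuffOut = NULL;
            secKey     = NULL;
            secReg     = NULL;
            secDesc    = NULL;
            /* error code kept as-is for existing callers */
            return BAD_FUNC_ARG;
        }
    #else
        #warning "Allocate non-Cache buffers"
    #endif

        /* NOTE(review): the return value of wc_InitMutex() is not checked
         * here - confirm whether a failure needs handling. */
        wc_InitMutex(&Mutex_AesSEC);
    }

    aes->keylen = keylen;
    aes->rounds = keylen/4 + 6;
    XMEMCPY(aes->key, userKey, keylen);

    if (iv)
        XMEMCPY(aes->reg, iv, AES_BLOCK_SIZE);

#if defined(WOLFSSL_AES_CFB) || defined(WOLFSSL_AES_COUNTER) || \
    defined(WOLFSSL_AES_OFB)
    /* A new key invalidates any buffered stream-mode bytes. */
    aes->left = 0;
#endif

    return 0;
}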
wolfSSL 15:117db924cf7c 2281 #elif defined(FREESCALE_LTC)
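/* Load an AES key for the Freescale LTC build.
 *
 * aes     AES context to initialise; must not be NULL.
 * userKey raw key, keylen bytes long; must not be NULL.
 * keylen  key size in bytes: 16, 24 or 32.
 * iv      initialisation vector, handed to wc_AesSetIV().
 * dir     unused in this build.
 *
 * Returns BAD_FUNC_ARG on invalid arguments, otherwise the result of
 * wc_AesSetIV().
 */
int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen, const byte* iv,
                 int dir)
{
    (void)dir;

    /* A NULL key would otherwise reach XMEMCPY below. */
    if (aes == NULL || userKey == NULL ||
            !((keylen == 16) || (keylen == 24) || (keylen == 32)))
        return BAD_FUNC_ARG;

    /* Record the key length as the other wc_AesSetKey variants in this file
     * do, so code reading aes->keylen sees the current key's size. */
    aes->keylen = keylen;
    aes->rounds = keylen/4 + 6;
    XMEMCPY(aes->key, userKey, keylen);

#if defined(WOLFSSL_AES_CFB) || defined(WOLFSSL_AES_COUNTER) || \
    defined(WOLFSSL_AES_OFB)
    /* A new key invalidates any buffered stream-mode bytes. */
    aes->left = 0;
#endif

    return wc_AesSetIV(aes, iv);
}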
wolfSSL 15:117db924cf7c 2298
/* Direct-mode entry point for the LTC build; a pass-through to
 * wc_AesSetKey() with identical arguments and return value. */
int wc_AesSetKeyDirect(Aes* aes, const byte* userKey, word32 keylen,
                       const byte* iv, int dir)
{
    const int status = wc_AesSetKey(aes, userKey, keylen, iv, dir);

    return status;
}
wolfSSL 15:117db924cf7c 2304 #elif defined(FREESCALE_MMCAU)
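/* Load an AES key for the Freescale mmCAU build.
 *
 * The key schedule is produced by the mmCAU library under the crypto
 * hardware mutex. With FREESCALE_MMCAU_CLASSIC an unaligned userKey is first
 * copied into an aligned heap buffer (unless NO_WOLFSSL_ALLOC_ALIGN is set,
 * in which case BAD_ALIGN_E is returned).
 *
 * aes     AES context to initialise; must not be NULL.
 * userKey raw key, keylen bytes long; must not be NULL.
 * keylen  key size in bytes: 16, 24 or 32.
 * iv      initialisation vector, handed to wc_AesSetIV().
 * dir     unused in this build.
 *
 * Returns BAD_FUNC_ARG on invalid arguments, MEMORY_E or BAD_ALIGN_E from
 * the alignment handling, the mutex-lock error if locking fails, otherwise
 * the result of wc_AesSetIV().
 */
int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen,
                 const byte* iv, int dir)
{
    int ret;
    byte* rk;
    /* const is cast away only because the mmCAU entry points take a
     * non-const pointer; the caller's key is not written through it here. */
    byte* tmpKey = (byte*)userKey;
    int tmpKeyDynamic = 0;
    word32 alignOffset = 0;

    (void)dir;

    if (!((keylen == 16) || (keylen == 24) || (keylen == 32)))
        return BAD_FUNC_ARG;
    /* A NULL key would otherwise be copied from or handed to the mmCAU
     * library below. */
    if (aes == NULL || userKey == NULL)
        return BAD_FUNC_ARG;

    rk = (byte*)aes->key;
    if (rk == NULL)
        return BAD_FUNC_ARG;

#if defined(WOLFSSL_AES_CFB) || defined(WOLFSSL_AES_COUNTER) || \
    defined(WOLFSSL_AES_OFB)
    /* A new key invalidates any buffered stream-mode bytes. */
    aes->left = 0;
#endif

    /* keylen recorded for consistency with the other wc_AesSetKey variants
     * in this file */
    aes->keylen = keylen;
    aes->rounds = keylen/4 + 6;

#ifdef FREESCALE_MMCAU_CLASSIC
    if ((wolfssl_word)userKey % WOLFSSL_MMCAU_ALIGNMENT) {
    #ifndef NO_WOLFSSL_ALLOC_ALIGN
        /* Over-allocate by one alignment unit so an aligned start always
         * fits inside the buffer. */
        byte* tmp = (byte*)XMALLOC(keylen + WOLFSSL_MMCAU_ALIGNMENT,
                                   aes->heap, DYNAMIC_TYPE_TMP_BUFFER);
        if (tmp == NULL) {
            return MEMORY_E;
        }
        alignOffset = WOLFSSL_MMCAU_ALIGNMENT -
                      ((wolfssl_word)tmp % WOLFSSL_MMCAU_ALIGNMENT);
        tmpKey = tmp + alignOffset;
        XMEMCPY(tmpKey, userKey, keylen);
        tmpKeyDynamic = 1;
    #else
        WOLFSSL_MSG("Bad cau_aes_set_key alignment");
        return BAD_ALIGN_E;
    #endif
    }
#endif

    ret = wolfSSL_CryptHwMutexLock();
    if(ret == 0) {
    #ifdef FREESCALE_MMCAU_CLASSIC
        cau_aes_set_key(tmpKey, keylen*8, rk);
    #else
        MMCAU_AES_SetKey(tmpKey, keylen, rk);
    #endif
        wolfSSL_CryptHwMutexUnLock();

        ret = wc_AesSetIV(aes, iv);
    }

    if (tmpKeyDynamic == 1) {
        /* The aligned scratch copy holds raw key bytes: wipe it before the
         * memory goes back to the heap so the key does not linger there. */
        ForceZero(tmpKey, keylen);
        XFREE(tmpKey - alignOffset, aes->heap, DYNAMIC_TYPE_TMP_BUFFER);
    }

    return ret;
}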
wolfSSL 15:117db924cf7c 2370
/* Direct-mode entry point for the mmCAU build; delegates to wc_AesSetKey()
 * with the same arguments and returns its result. */
int wc_AesSetKeyDirect(Aes* aes, const byte* userKey, word32 keylen,
                       const byte* iv, int dir)
{
    const int status = wc_AesSetKey(aes, userKey, keylen, iv, dir);

    return status;
}
wolfSSL 15:117db924cf7c 2376
wolfSSL 15:117db924cf7c 2377 #elif defined(WOLFSSL_NRF51_AES)
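/* Load an AES-128 key for the nRF51 hardware build.
 *
 * aes     AES context to initialise; must not be NULL.
 * userKey raw 16-byte key; must not be NULL.
 * keylen  must be 16 - no other size is accepted here.
 * iv      ignored by this function.
 * dir     ignored by this function.
 *
 * Returns BAD_FUNC_ARG on invalid arguments, otherwise the result of
 * nrf51_aes_set_key().
 */
int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen,
                 const byte* iv, int dir)
{
    int ret;

    (void)dir;
    (void)iv;

    /* Do not hand a NULL key to the hardware helper. */
    if (aes == NULL || userKey == NULL || keylen != 16)
        return BAD_FUNC_ARG;

    aes->keylen = keylen;
    aes->rounds = keylen/4 + 6;
    ret = nrf51_aes_set_key(userKey);

#if defined(WOLFSSL_AES_CFB) || defined(WOLFSSL_AES_COUNTER) || \
    defined(WOLFSSL_AES_OFB)
    /* A new key invalidates any buffered stream-mode bytes. */
    aes->left = 0;
#endif

    return ret;
}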
wolfSSL 15:117db924cf7c 2400
/* Direct-mode entry point for the nRF51 build; hands all arguments to
 * wc_AesSetKey() and returns what it returns. */
int wc_AesSetKeyDirect(Aes* aes, const byte* userKey, word32 keylen,
                       const byte* iv, int dir)
{
    const int status = wc_AesSetKey(aes, userKey, keylen, iv, dir);

    return status;
}
wolfSSL 16:8e0d178b1d1e 2406 #elif defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
wolfSSL 16:8e0d178b1d1e 2407 !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_AES)
wolfSSL 16:8e0d178b1d1e 2408
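/* Load an AES key for the ESP32-WROOM-32 hardware build.
 *
 * aes     AES context to initialise; must not be NULL.
 * userKey raw key, keylen bytes long; must not be NULL.
 * keylen  key size in bytes: 16, 24 or 32.
 * iv      initialisation vector, handed to wc_AesSetIV().
 * dir     unused in this build.
 *
 * Returns BAD_FUNC_ARG on invalid arguments, otherwise the result of
 * wc_AesSetIV().
 */
int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen,
                 const byte* iv, int dir)
{
    (void)dir;

    /* A NULL key would otherwise reach XMEMCPY below. */
    if (aes == NULL || userKey == NULL ||
            (keylen != 16 && keylen != 24 && keylen != 32)) {
        return BAD_FUNC_ARG;
    }

    aes->keylen = keylen;
    aes->rounds = keylen/4 + 6;

    XMEMCPY(aes->key, userKey, keylen);
#if defined(WOLFSSL_AES_CFB) || defined(WOLFSSL_AES_COUNTER) || \
    defined(WOLFSSL_AES_OFB)
    /* Same guard as the other wc_AesSetKey variants in this file: re-keying
     * must discard buffered stream-mode bytes for CFB and OFB as well as
     * CTR, so leftovers produced under the previous key are never reused. */
    aes->left = 0;
#endif
    return wc_AesSetIV(aes, iv);
}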
wolfSSL 16:8e0d178b1d1e 2428
/* Direct-mode entry point for the ESP32 build; a plain pass-through to
 * wc_AesSetKey(). */
int wc_AesSetKeyDirect(Aes* aes, const byte* userKey, word32 keylen,
                       const byte* iv, int dir)
{
    const int status = wc_AesSetKey(aes, userKey, keylen, iv, dir);

    return status;
}
wolfSSL 16:8e0d178b1d1e 2434 #elif defined(WOLFSSL_CRYPTOCELL) && defined(WOLFSSL_CRYPTOCELL_AES)
wolfSSL 16:8e0d178b1d1e 2435
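/* Load an AES key for the CryptoCell build and set the hardware context up
 * for CBC without padding.
 *
 * aes     AES context to initialise; must not be NULL.
 * userKey raw key, keylen bytes long; must not be NULL.
 * keylen  AES_128_KEY_SIZE, AES_192_KEY_SIZE or AES_256_KEY_SIZE, and no
 *         larger than AES_MAX_KEY_SIZE/8 when that macro is defined.
 * iv      optional IV; an all-zero IV is programmed when NULL.
 * dir     AES_ENCRYPTION or AES_DECRYPTION.
 *
 * Returns BAD_FUNC_ARG on invalid arguments or when SaSi_AesInit() /
 * SaSi_AesSetKey() fail, the wc_AesSetIV() error if that fails, otherwise
 * the status of SaSi_AesSetIv().
 */
int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen, const byte* iv,
                 int dir)
{
    SaSiError_t ret = SASI_OK;
    SaSiAesIv_t iv_aes;
    int ivRet;

    /* A NULL key would otherwise reach XMEMCPY below. */
    if (aes == NULL || userKey == NULL ||
       (keylen != AES_128_KEY_SIZE &&
        keylen != AES_192_KEY_SIZE &&
        keylen != AES_256_KEY_SIZE)) {
        return BAD_FUNC_ARG;
    }
#if defined(AES_MAX_KEY_SIZE)
    if (keylen > (AES_MAX_KEY_SIZE/8)) {
        return BAD_FUNC_ARG;
    }
#endif
    if (dir != AES_ENCRYPTION &&
        dir != AES_DECRYPTION) {
        return BAD_FUNC_ARG;
    }

    if (dir == AES_ENCRYPTION) {
        aes->ctx.mode = SASI_AES_ENCRYPT;
        ret = SaSi_AesInit(&aes->ctx.user_ctx,
                           SASI_AES_ENCRYPT,
                           SASI_AES_MODE_CBC,
                           SASI_AES_PADDING_NONE);
    }
    else {
        aes->ctx.mode = SASI_AES_DECRYPT;
        ret = SaSi_AesInit(&aes->ctx.user_ctx,
                           SASI_AES_DECRYPT,
                           SASI_AES_MODE_CBC,
                           SASI_AES_PADDING_NONE);
    }
    /* Do not load key material into a context that failed to initialise. */
    if (ret != SASI_OK) {
        return BAD_FUNC_ARG;
    }

    aes->keylen = keylen;
    aes->rounds = keylen/4 + 6;
    XMEMCPY(aes->key, userKey, keylen);

    /* The driver is pointed at the copy held inside the Aes object. */
    aes->ctx.key.pKey = (uint8_t*)aes->key;
    aes->ctx.key.keySize= keylen;

    ret = SaSi_AesSetKey(&aes->ctx.user_ctx,
                         SASI_AES_USER_KEY,
                         &aes->ctx.key,
                         sizeof(aes->ctx.key));
    if (ret != SASI_OK) {
        return BAD_FUNC_ARG;
    }

    /* Keep the software-side IV in step with the hardware one; the status
     * is checked here instead of being overwritten by the next call. */
    ivRet = wc_AesSetIV(aes, iv);
    if (ivRet != 0) {
        return ivRet;
    }

    if (iv)
        XMEMCPY(iv_aes, iv, AES_BLOCK_SIZE);
    else
        XMEMSET(iv_aes,  0, AES_BLOCK_SIZE);

    ret = SaSi_AesSetIv(&aes->ctx.user_ctx, iv_aes);
    return ret;
}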
wolfSSL 16:8e0d178b1d1e 2502 #if defined(WOLFSSL_AES_DIRECT)
/* Direct-mode entry point for the CryptoCell build; forwards to
 * wc_AesSetKey() and returns its status unchanged. */
int wc_AesSetKeyDirect(Aes* aes, const byte* userKey, word32 keylen,
                       const byte* iv, int dir)
{
    const int status = wc_AesSetKey(aes, userKey, keylen, iv, dir);

    return status;
}
wolfSSL 16:8e0d178b1d1e 2508 #endif
wolfSSL 15:117db924cf7c 2509
wolfSSL 15:117db924cf7c 2510 #elif defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_AES)
wolfSSL 15:117db924cf7c 2511 /* implemented in wolfcrypt/src/port/caam/caam_aes.c */
wolfSSL 15:117db924cf7c 2512
wolfSSL 16:8e0d178b1d1e 2513 #elif defined(WOLFSSL_AFALG)
wolfSSL 16:8e0d178b1d1e 2514 /* implemented in wolfcrypt/src/port/af_alg/afalg_aes.c */
wolfSSL 16:8e0d178b1d1e 2515
wolfSSL 16:8e0d178b1d1e 2516 #elif defined(WOLFSSL_DEVCRYPTO_AES)
wolfSSL 16:8e0d178b1d1e 2517 /* implemented in wolfcrypt/src/port/devcrypto/devcrypto_aes.c */
wolfSSL 16:8e0d178b1d1e 2518
wolfSSL 15:117db924cf7c 2519 #else
wolfSSL 16:8e0d178b1d1e 2520
wolfSSL 16:8e0d178b1d1e 2521 /* Software AES - SetKey */
/* Software AES key setup.
 *
 * Copies userKey into aes->key, records keylen and the round count and, when
 * NEED_AES_TABLES is defined, expands the key into the full round-key
 * schedule in place. For dir == AES_DECRYPTION (HAVE_AES_DECRYPT builds) the
 * round keys are then reversed and, with the large tables, passed through
 * the inverse MixColumn transform.
 *
 * aes     AES context; dereferenced immediately, no NULL check is done here
 *         (presumably the caller validates - confirm at the call sites).
 * userKey raw key, keylen bytes long.
 * keylen  key size in bytes; with NEED_AES_TABLES only the sizes compiled in
 *         (16 / 24 / 32) are accepted.
 * iv      initialisation vector, handed to wc_AesSetIV().
 * dir     AES_DECRYPTION selects the decryption schedule; otherwise the
 *         encryption schedule is left as expanded.
 *
 * Returns BAD_FUNC_ARG when the table-based expansion does not handle
 * keylen, otherwise the result of wc_AesSetIV().
 *
 * NOTE(review): the expansion indexes Te / Tsbox with bytes of the key
 * words, i.e. memory access depends on secret data. On targets with data
 * caches this is the classic cache-timing exposure of table-based AES;
 * confirm it fits the deployment's threat model.
 */
static int wc_AesSetKeyLocal(Aes* aes, const byte* userKey, word32 keylen,
                             const byte* iv, int dir)
{
    word32 *rk = aes->key;
#ifdef NEED_AES_TABLES
    word32 temp;
    unsigned int i = 0;   /* index into rcon[], also the loop exit counter */
#endif

#ifdef WOLFSSL_AESNI
    aes->use_aesni = 0;
#endif /* WOLFSSL_AESNI */
#if defined(WOLFSSL_AES_CFB) || defined(WOLFSSL_AES_COUNTER) || \
    defined(WOLFSSL_AES_OFB)
    /* a new key invalidates any buffered stream-mode bytes */
    aes->left = 0;
#endif

    aes->keylen = keylen;
    aes->rounds = (keylen/4) + 6;

    XMEMCPY(rk, userKey, keylen);
#if defined(LITTLE_ENDIAN_ORDER) && !defined(WOLFSSL_PIC32MZ_CRYPT) && \
    (!defined(WOLFSSL_ESP32WROOM32_CRYPT) || \
      defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_AES))
    /* byte-swap each key word in place on little-endian hosts */
    ByteReverseWords(rk, rk, keylen);
#endif

#ifdef NEED_AES_TABLES
    /* Each case expands the key in place; rk slides forward by one key's
     * worth of words per iteration and the loop exits from the middle once
     * the last needed words are written. */
    switch (keylen) {
#if defined(AES_MAX_KEY_SIZE) && AES_MAX_KEY_SIZE >= 128 && \
        defined(WOLFSSL_AES_128)
    case 16:
        while (1)
        {
            temp  = rk[3];
            rk[4] = rk[0] ^
        #ifndef WOLFSSL_AES_SMALL_TABLES
                (Te[2][GETBYTE(temp, 2)] & 0xff000000) ^
                (Te[3][GETBYTE(temp, 1)] & 0x00ff0000) ^
                (Te[0][GETBYTE(temp, 0)] & 0x0000ff00) ^
                (Te[1][GETBYTE(temp, 3)] & 0x000000ff) ^
        #else
                ((word32)Tsbox[GETBYTE(temp, 2)] << 24) ^
                ((word32)Tsbox[GETBYTE(temp, 1)] << 16) ^
                ((word32)Tsbox[GETBYTE(temp, 0)] <<  8) ^
                ((word32)Tsbox[GETBYTE(temp, 3)]) ^
        #endif
                rcon[i];
            rk[5] = rk[1] ^ rk[4];
            rk[6] = rk[2] ^ rk[5];
            rk[7] = rk[3] ^ rk[6];
            if (++i == 10)
                break;
            rk += 4;
        }
        break;
#endif /* 128 */

#if defined(AES_MAX_KEY_SIZE) && AES_MAX_KEY_SIZE >= 192 && \
        defined(WOLFSSL_AES_192)
    case 24:
        /* for (;;) here triggers a bug in VC60 SP4 w/ Pro Pack */
        while (1)
        {
            temp = rk[ 5];
            rk[ 6] = rk[ 0] ^
        #ifndef WOLFSSL_AES_SMALL_TABLES
                (Te[2][GETBYTE(temp, 2)] & 0xff000000) ^
                (Te[3][GETBYTE(temp, 1)] & 0x00ff0000) ^
                (Te[0][GETBYTE(temp, 0)] & 0x0000ff00) ^
                (Te[1][GETBYTE(temp, 3)] & 0x000000ff) ^
        #else
                ((word32)Tsbox[GETBYTE(temp, 2)] << 24) ^
                ((word32)Tsbox[GETBYTE(temp, 1)] << 16) ^
                ((word32)Tsbox[GETBYTE(temp, 0)] <<  8) ^
                ((word32)Tsbox[GETBYTE(temp, 3)]) ^
        #endif
                rcon[i];
            rk[ 7] = rk[ 1] ^ rk[ 6];
            rk[ 8] = rk[ 2] ^ rk[ 7];
            rk[ 9] = rk[ 3] ^ rk[ 8];
            if (++i == 8)
                break;
            rk[10] = rk[ 4] ^ rk[ 9];
            rk[11] = rk[ 5] ^ rk[10];
            rk += 6;
        }
        break;
#endif /* 192 */

#if defined(AES_MAX_KEY_SIZE) && AES_MAX_KEY_SIZE >= 256 && \
        defined(WOLFSSL_AES_256)
    case 32:
        while (1)
        {
            temp = rk[ 7];
            rk[ 8] = rk[ 0] ^
        #ifndef WOLFSSL_AES_SMALL_TABLES
                (Te[2][GETBYTE(temp, 2)] & 0xff000000) ^
                (Te[3][GETBYTE(temp, 1)] & 0x00ff0000) ^
                (Te[0][GETBYTE(temp, 0)] & 0x0000ff00) ^
                (Te[1][GETBYTE(temp, 3)] & 0x000000ff) ^
        #else
                ((word32)Tsbox[GETBYTE(temp, 2)] << 24) ^
                ((word32)Tsbox[GETBYTE(temp, 1)] << 16) ^
                ((word32)Tsbox[GETBYTE(temp, 0)] <<  8) ^
                ((word32)Tsbox[GETBYTE(temp, 3)]) ^
        #endif
                rcon[i];
            rk[ 9] = rk[ 1] ^ rk[ 8];
            rk[10] = rk[ 2] ^ rk[ 9];
            rk[11] = rk[ 3] ^ rk[10];
            if (++i == 7)
                break;
            /* second half of the 256-bit step: substituted bytes are used
             * in their original order and no rcon word is mixed in */
            temp = rk[11];
            rk[12] = rk[ 4] ^
        #ifndef WOLFSSL_AES_SMALL_TABLES
                (Te[2][GETBYTE(temp, 3)] & 0xff000000) ^
                (Te[3][GETBYTE(temp, 2)] & 0x00ff0000) ^
                (Te[0][GETBYTE(temp, 1)] & 0x0000ff00) ^
                (Te[1][GETBYTE(temp, 0)] & 0x000000ff);
        #else
                ((word32)Tsbox[GETBYTE(temp, 3)] << 24) ^
                ((word32)Tsbox[GETBYTE(temp, 2)] << 16) ^
                ((word32)Tsbox[GETBYTE(temp, 1)] <<  8) ^
                ((word32)Tsbox[GETBYTE(temp, 0)]);
        #endif
            rk[13] = rk[ 5] ^ rk[12];
            rk[14] = rk[ 6] ^ rk[13];
            rk[15] = rk[ 7] ^ rk[14];

            rk += 8;
        }
        break;
#endif /* 256 */

    default:
        /* key size not compiled in, or not an AES key size at all */
        return BAD_FUNC_ARG;
    } /* switch */

#if defined(HAVE_AES_DECRYPT)
    if (dir == AES_DECRYPTION) {
        unsigned int j;
        rk = aes->key;

        /* invert the order of the round keys: */
        for (i = 0, j = 4* aes->rounds; i < j; i += 4, j -= 4) {
            temp = rk[i    ]; rk[i    ] = rk[j    ]; rk[j    ] = temp;
            temp = rk[i + 1]; rk[i + 1] = rk[j + 1]; rk[j + 1] = temp;
            temp = rk[i + 2]; rk[i + 2] = rk[j + 2]; rk[j + 2] = temp;
            temp = rk[i + 3]; rk[i + 3] = rk[j + 3]; rk[j + 3] = temp;
        }
    #if !defined(WOLFSSL_AES_SMALL_TABLES)
        /* apply the inverse MixColumn transform to all round keys but the
           first and the last: */
        for (i = 1; i < aes->rounds; i++) {
            rk += 4;
            rk[0] =
                Td[0][Te[1][GETBYTE(rk[0], 3)] & 0xff] ^
                Td[1][Te[1][GETBYTE(rk[0], 2)] & 0xff] ^
                Td[2][Te[1][GETBYTE(rk[0], 1)] & 0xff] ^
                Td[3][Te[1][GETBYTE(rk[0], 0)] & 0xff];
            rk[1] =
                Td[0][Te[1][GETBYTE(rk[1], 3)] & 0xff] ^
                Td[1][Te[1][GETBYTE(rk[1], 2)] & 0xff] ^
                Td[2][Te[1][GETBYTE(rk[1], 1)] & 0xff] ^
                Td[3][Te[1][GETBYTE(rk[1], 0)] & 0xff];
            rk[2] =
                Td[0][Te[1][GETBYTE(rk[2], 3)] & 0xff] ^
                Td[1][Te[1][GETBYTE(rk[2], 2)] & 0xff] ^
                Td[2][Te[1][GETBYTE(rk[2], 1)] & 0xff] ^
                Td[3][Te[1][GETBYTE(rk[2], 0)] & 0xff];
            rk[3] =
                Td[0][Te[1][GETBYTE(rk[3], 3)] & 0xff] ^
                Td[1][Te[1][GETBYTE(rk[3], 2)] & 0xff] ^
                Td[2][Te[1][GETBYTE(rk[3], 1)] & 0xff] ^
                Td[3][Te[1][GETBYTE(rk[3], 0)] & 0xff];
        }
    #endif
    }
#else
    (void)dir;
#endif /* HAVE_AES_DECRYPT */
    (void)temp;
#endif /* NEED_AES_TABLES */

#if defined(WOLFSSL_SCE) && !defined(WOLFSSL_SCE_NO_AES)
    /* SCE builds overwrite the start of aes->key with the raw key again */
    XMEMCPY((byte*)aes->key, userKey, keylen);
    if (WOLFSSL_SCE_GSCE_HANDLE.p_cfg->endian_flag == CRYPTO_WORD_ENDIAN_BIG) {
        /* NOTE(review): always swaps 32 bytes, independent of keylen */
        ByteReverseWords(aes->key, aes->key, 32);
    }
#endif

    return wc_AesSetIV(aes, iv);
}
wolfSSL 15:117db924cf7c 2717
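/* Load an AES key, and optionally an IV, into an Aes context.
 *
 * aes      context to set up; NULL is rejected
 * userKey  key bytes; in WOLFSSL_IMX6_CAAM_BLOB builds this may instead be a
 *          CAAM blob of keylen bytes, which is opened into a stack buffer
 * keylen   16, 24 or 32 (each plus WC_CAAM_BLOB_SZ when a blob is passed)
 * iv       AES_BLOCK_SIZE bytes of IV, or NULL
 * dir      AES_ENCRYPTION or the decrypt direction
 *
 * returns BAD_FUNC_ARG for a NULL context, an unsupported key length, a key
 *         longer than AES_MAX_KEY_SIZE allows, or a blob that fails to open;
 *         otherwise the result of the key setup routine that ran.
 *
 * NOTE(review): userKey is copied and expanded without a NULL check, so the
 * caller must pass a valid pointer.
 */
int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen,
                 const byte* iv, int dir)
{
    int ret;
#if defined(AES_MAX_KEY_SIZE)
    const word32 max_key_len = (AES_MAX_KEY_SIZE / 8);
#endif

#ifdef WOLFSSL_IMX6_CAAM_BLOB
    byte   local[32];
    word32 localSz = 32;

    if (keylen == (16 + WC_CAAM_BLOB_SZ) ||
        keylen == (24 + WC_CAAM_BLOB_SZ) ||
        keylen == (32 + WC_CAAM_BLOB_SZ)) {
        if (wc_caamOpenBlob((byte*)userKey, keylen, local, &localSz) != 0) {
            /* the opener may have written into local before failing */
            ForceZero(local, sizeof(local));
            return BAD_FUNC_ARG;
        }

        /* from here on userKey points at the unwrapped key on the stack */
        userKey = local;
        keylen  = localSz;
    }
#endif
    if (aes == NULL ||
            !((keylen == 16) || (keylen == 24) || (keylen == 32))) {
    #ifdef WOLFSSL_IMX6_CAAM_BLOB
        /* do not leave an unwrapped key behind on a rejected length */
        ForceZero(local, sizeof(local));
    #endif
        return BAD_FUNC_ARG;
    }

#if defined(AES_MAX_KEY_SIZE)
    /* Check key length */
    if (keylen > max_key_len) {
    #ifdef WOLFSSL_IMX6_CAAM_BLOB
        ForceZero(local, sizeof(local));
    #endif
        return BAD_FUNC_ARG;
    }
#endif
    aes->keylen = keylen;
    aes->rounds = keylen/4 + 6;

#if defined(WOLF_CRYPTO_CB) || (defined(WOLFSSL_DEVCRYPTO) && \
    (defined(WOLFSSL_DEVCRYPTO_AES) || defined(WOLFSSL_DEVCRYPTO_CBC))) || \
    (defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_AES))
    #ifdef WOLF_CRYPTO_CB
    if (aes->devId != INVALID_DEVID)
    #endif
    {
        /* keeps a copy of the raw key inside the context */
        XMEMCPY(aes->devKey, userKey, keylen);
    }
#endif

#ifdef WOLFSSL_AESNI
    if (checkAESNI == 0) {
        haveAESNI  = Check_CPU_support_AES();
        checkAESNI = 1;
    }
    if (haveAESNI) {
    #if defined(WOLFSSL_AES_COUNTER) || defined(WOLFSSL_AES_CFB) || \
        defined(WOLFSSL_AES_OFB)
        aes->left = 0;
    #endif /* WOLFSSL_AES_COUNTER */
        aes->use_aesni = 1;
        /* a NULL iv selects an all-zero IV */
        if (iv)
            XMEMCPY(aes->reg, iv, AES_BLOCK_SIZE);
        else
            XMEMSET(aes->reg, 0, AES_BLOCK_SIZE);
        if (dir == AES_ENCRYPTION) {
            ret = AES_set_encrypt_key(userKey, keylen * 8, aes);
        #ifdef WOLFSSL_IMX6_CAAM_BLOB
            ForceZero(local, sizeof(local));
        #endif
            return ret;
        }
    #ifdef HAVE_AES_DECRYPT
        else {
            ret = AES_set_decrypt_key(userKey, keylen * 8, aes);
        #ifdef WOLFSSL_IMX6_CAAM_BLOB
            ForceZero(local, sizeof(local));
        #endif
            return ret;
        }
    #endif
    }
#endif /* WOLFSSL_AESNI */

    ret = wc_AesSetKeyLocal(aes, userKey, keylen, iv, dir);

#if defined(WOLFSSL_DEVCRYPTO) && \
    (defined(WOLFSSL_DEVCRYPTO_AES) || defined(WOLFSSL_DEVCRYPTO_CBC))
    aes->ctx.cfd = -1;
#endif
#ifdef WOLFSSL_IMX6_CAAM_BLOB
    ForceZero(local, sizeof(local));
#endif
    return ret;
}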
wolfSSL 15:117db924cf7c 2802
wolfSSL 15:117db924cf7c 2803 #if defined(WOLFSSL_AES_DIRECT) || defined(WOLFSSL_AES_COUNTER)
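/* Key setup for AES-CTR and AES-DIRECT; always uses wc_AesSetKeyLocal, no
 * AES-NI yet.
 *
 * In WOLFSSL_IMX6_CAAM_BLOB builds a userKey whose length is 16, 24 or 32
 * plus WC_CAAM_BLOB_SZ is treated as a CAAM blob and opened into a stack
 * buffer first. That buffer is wiped on every return path.
 *
 * returns BAD_FUNC_ARG when the blob cannot be opened, otherwise whatever
 *         wc_AesSetKeyLocal returns.
 */
int wc_AesSetKeyDirect(Aes* aes, const byte* userKey, word32 keylen,
                       const byte* iv, int dir)
{
    int ret;

#ifdef WOLFSSL_IMX6_CAAM_BLOB
    byte   local[32];
    word32 localSz = 32;

    if (keylen == (16 + WC_CAAM_BLOB_SZ) ||
        keylen == (24 + WC_CAAM_BLOB_SZ) ||
        keylen == (32 + WC_CAAM_BLOB_SZ)) {
        if (wc_caamOpenBlob((byte*)userKey, keylen, local, &localSz)
                != 0) {
            /* the opener may have written into local before failing */
            ForceZero(local, sizeof(local));
            return BAD_FUNC_ARG;
        }

        /* set local values */
        userKey = local;
        keylen  = localSz;
    }
#endif
    ret = wc_AesSetKeyLocal(aes, userKey, keylen, iv, dir);

#ifdef WOLFSSL_IMX6_CAAM_BLOB
    ForceZero(local, sizeof(local));
#endif

    return ret;
}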
wolfSSL 15:117db924cf7c 2835 #endif /* WOLFSSL_AES_DIRECT || WOLFSSL_AES_COUNTER */
wolfSSL 15:117db924cf7c 2836 #endif /* wc_AesSetKey block */
wolfSSL 15:117db924cf7c 2837
wolfSSL 15:117db924cf7c 2838
/* wc_AesSetIV is shared between software and hardware.
 *
 * Copies AES_BLOCK_SIZE bytes from iv into aes->reg. A NULL iv does not fail:
 * it sets an all-zero IV, so callers that need an unpredictable IV must pass
 * one explicitly.
 *
 * returns BAD_FUNC_ARG when aes is NULL, 0 otherwise.
 */
int wc_AesSetIV(Aes* aes, const byte* iv)
{
    if (aes == NULL) {
        return BAD_FUNC_ARG;
    }

    if (iv == NULL) {
        XMEMSET(aes->reg, 0, AES_BLOCK_SIZE);
    }
    else {
        XMEMCPY(aes->reg, iv, AES_BLOCK_SIZE);
    }

    return 0;
}
wolfSSL 15:117db924cf7c 2852
wolfSSL 15:117db924cf7c 2853 /* AES-DIRECT */
wolfSSL 15:117db924cf7c 2854 #if defined(WOLFSSL_AES_DIRECT)
wolfSSL 15:117db924cf7c 2855 #if defined(HAVE_COLDFIRE_SEC)
wolfSSL 15:117db924cf7c 2856 #error "Coldfire SEC doesn't yet support AES direct"
wolfSSL 15:117db924cf7c 2857
wolfSSL 15:117db924cf7c 2858 #elif defined(FREESCALE_LTC)
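/* Allow direct access to one block encrypt (Freescale LTC, ECB on a single
 * AES_BLOCK_SIZE block).
 *
 * The function returns void, so a failed key-size lookup cannot be reported:
 * in that case out is left untouched rather than handing an undefined key
 * size to the LTC driver.
 */
void wc_AesEncryptDirect(Aes* aes, byte* out, const byte* in)
{
    byte*    key;
    uint32_t keySize = 0;

    if (wc_AesGetKeySize(aes, &keySize) != 0) {
        return;
    }
    key = (byte*)aes->key;

    LTC_AES_EncryptEcb(LTC_BASE, in, out, AES_BLOCK_SIZE,
        key, keySize);
}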
wolfSSL 15:117db924cf7c 2871
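/* Allow direct access to one block decrypt (Freescale LTC, ECB on a single
 * AES_BLOCK_SIZE block).
 *
 * The function returns void, so a failed key-size lookup cannot be reported:
 * in that case out is left untouched rather than handing an undefined key
 * size to the LTC driver.
 */
void wc_AesDecryptDirect(Aes* aes, byte* out, const byte* in)
{
    byte*    key;
    uint32_t keySize = 0;

    if (wc_AesGetKeySize(aes, &keySize) != 0) {
        return;
    }
    key = (byte*)aes->key;

    /* aes->key holds the encryption key; the driver is told so */
    LTC_AES_DecryptEcb(LTC_BASE, in, out, AES_BLOCK_SIZE,
        key, keySize, kLTC_EncryptKey);
}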
wolfSSL 15:117db924cf7c 2884
wolfSSL 15:117db924cf7c 2885 #elif defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_AES)
wolfSSL 15:117db924cf7c 2886 /* implemented in wolfcrypt/src/port/caam/caam_aes.c */
wolfSSL 15:117db924cf7c 2887
wolfSSL 16:8e0d178b1d1e 2888 #elif defined(WOLFSSL_AFALG)
wolfSSL 16:8e0d178b1d1e 2889 /* implemented in wolfcrypt/src/port/af_alg/afalg_aes.c */
wolfSSL 16:8e0d178b1d1e 2890
wolfSSL 16:8e0d178b1d1e 2891 #elif defined(WOLFSSL_DEVCRYPTO_AES)
wolfSSL 16:8e0d178b1d1e 2892 /* implemented in wolfcrypt/src/port/devcrypt/devcrypto_aes.c */
wolfSSL 16:8e0d178b1d1e 2893
wolfSSL 16:8e0d178b1d1e 2894 #elif defined(STM32_CRYPTO)
/* Allow direct access to one block encrypt (STM32 crypto hardware).
 *
 * The block is processed while holding the crypto hardware mutex. If the
 * mutex cannot be taken nothing is written to out, and because the function
 * returns void the caller gets no indication of that.
 */
void wc_AesEncryptDirect(Aes* aes, byte* out, const byte* in)
{
    if (wolfSSL_CryptHwMutexLock() != 0) {
        return;
    }

    wc_AesEncrypt(aes, in, out);
    wolfSSL_CryptHwMutexUnLock();
}
wolfSSL 16:8e0d178b1d1e 2903 #ifdef HAVE_AES_DECRYPT
/* Allow direct access to one block decrypt (STM32 crypto hardware).
 *
 * The block is processed while holding the crypto hardware mutex. If the
 * mutex cannot be taken nothing is written to out, and because the function
 * returns void the caller gets no indication of that.
 */
void wc_AesDecryptDirect(Aes* aes, byte* out, const byte* in)
{
    if (wolfSSL_CryptHwMutexLock() != 0) {
        return;
    }

    wc_AesDecrypt(aes, in, out);
    wolfSSL_CryptHwMutexUnLock();
}
wolfSSL 16:8e0d178b1d1e 2912 #endif /* HAVE_AES_DECRYPT */
wolfSSL 16:8e0d178b1d1e 2913
wolfSSL 16:8e0d178b1d1e 2914 #elif defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
wolfSSL 16:8e0d178b1d1e 2915 !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_AES)
wolfSSL 16:8e0d178b1d1e 2916
/* Allow direct access to one block encrypt (ESP32-WROOM-32 build).
 * Thin wrapper: note that wc_AesEncrypt takes (in, out), the reverse of this
 * function's (out, in) order. One raw block, no IV or chaining involved. */
void wc_AesEncryptDirect(Aes* aes, byte* out, const byte* in)
{
    wc_AesEncrypt(aes, in, out);
}
wolfSSL 16:8e0d178b1d1e 2922 #ifdef HAVE_AES_DECRYPT
/* Allow direct access to one block decrypt (ESP32-WROOM-32 build).
 * Thin wrapper: note that wc_AesDecrypt takes (in, out), the reverse of this
 * function's (out, in) order. One raw block, no IV or chaining involved. */
void wc_AesDecryptDirect(Aes* aes, byte* out, const byte* in)
{
    wc_AesDecrypt(aes, in, out);
}
wolfSSL 16:8e0d178b1d1e 2928 #endif /* HAVE_AES_DECRYPT */
wolfSSL 15:117db924cf7c 2929 #else
/* Allow direct access to one block encrypt (default build).
 * Thin wrapper: note that wc_AesEncrypt takes (in, out), the reverse of this
 * function's (out, in) order. One raw block, no IV or chaining involved. */
void wc_AesEncryptDirect(Aes* aes, byte* out, const byte* in)
{
    wc_AesEncrypt(aes, in, out);
}
wolfSSL 16:8e0d178b1d1e 2935 #ifdef HAVE_AES_DECRYPT
/* Allow direct access to one block decrypt (default build).
 * Thin wrapper: note that wc_AesDecrypt takes (in, out), the reverse of this
 * function's (out, in) order. One raw block, no IV or chaining involved. */
void wc_AesDecryptDirect(Aes* aes, byte* out, const byte* in)
{
    wc_AesDecrypt(aes, in, out);
}
wolfSSL 16:8e0d178b1d1e 2941 #endif /* HAVE_AES_DECRYPT */
wolfSSL 15:117db924cf7c 2942 #endif /* AES direct block */
wolfSSL 15:117db924cf7c 2943 #endif /* WOLFSSL_AES_DIRECT */
wolfSSL 15:117db924cf7c 2944
wolfSSL 15:117db924cf7c 2945
wolfSSL 15:117db924cf7c 2946 /* AES-CBC */
wolfSSL 15:117db924cf7c 2947 #ifdef HAVE_AES_CBC
wolfSSL 15:117db924cf7c 2948 #if defined(STM32_CRYPTO)
wolfSSL 15:117db924cf7c 2949
wolfSSL 15:117db924cf7c 2950 #ifdef WOLFSSL_STM32_CUBEMX
/* AES-CBC encrypt through the STM32 Cube HAL, one block per HAL call.
 *
 * Only sz / AES_BLOCK_SIZE whole blocks are processed; trailing bytes are
 * ignored. The hardware is used while holding the crypto hardware mutex.
 *
 * returns the error from wc_Stm32_Aes_Init or wolfSSL_CryptHwMutexLock,
 *         WC_TIMEOUT_E when a HAL call does not return HAL_OK, else 0.
 */
int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    int status = 0;
    word32 remaining = (sz / AES_BLOCK_SIZE);
    CRYP_HandleTypeDef hcryp;

    status = wc_Stm32_Aes_Init(aes, &hcryp);
    if (status != 0) {
        return status;
    }

    status = wolfSSL_CryptHwMutexLock();
    if (status != 0) {
        return status;
    }

    #ifdef STM32_CRYPTO_AES_ONLY
    hcryp.Init.OperatingMode = CRYP_ALGOMODE_ENCRYPT;
    hcryp.Init.ChainingMode  = CRYP_CHAINMODE_AES_CBC;
    hcryp.Init.KeyWriteFlag  = CRYP_KEY_WRITE_ENABLE;
    #elif defined(STM32_HAL_V2)
    hcryp.Init.Algorithm = CRYP_AES_CBC;
    /* the IV words in aes->reg are byte-reversed in place for this HAL */
    ByteReverseWords(aes->reg, aes->reg, AES_BLOCK_SIZE);
    #endif
    hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)aes->reg;
    HAL_CRYP_Init(&hcryp);

    while (remaining > 0) {
        remaining--;

    #ifdef STM32_CRYPTO_AES_ONLY
        status = HAL_CRYPEx_AES(&hcryp, (uint8_t*)in, AES_BLOCK_SIZE,
            out, STM32_HAL_TIMEOUT);
    #elif defined(STM32_HAL_V2)
        status = HAL_CRYP_Encrypt(&hcryp, (uint32_t*)in, AES_BLOCK_SIZE,
            (uint32_t*)out, STM32_HAL_TIMEOUT);
    #else
        status = HAL_CRYP_AESCBC_Encrypt(&hcryp, (uint8_t*)in, AES_BLOCK_SIZE,
            out, STM32_HAL_TIMEOUT);
    #endif
        if (status != HAL_OK) {
            /* every HAL failure is reported as a timeout */
            status = WC_TIMEOUT_E;
            break;
        }

        /* store iv for next call: out and sz move in step, so out + sz
         * always addresses the end of the caller's buffer */
        XMEMCPY(aes->reg, out + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);

        sz  -= AES_BLOCK_SIZE;
        in  += AES_BLOCK_SIZE;
        out += AES_BLOCK_SIZE;
    }

    HAL_CRYP_DeInit(&hcryp);

    wolfSSL_CryptHwMutexUnLock();

    return status;
}
wolfSSL 15:117db924cf7c 3007 #ifdef HAVE_AES_DECRYPT
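/* AES-CBC decrypt through the STM32 Cube HAL, one block per HAL call.
 *
 * Only sz / AES_BLOCK_SIZE whole blocks are processed; trailing bytes are
 * ignored. With no whole block the call returns 0 without touching the
 * hardware, the IV or either buffer.
 *
 * returns the error from wc_Stm32_Aes_Init or wolfSSL_CryptHwMutexLock,
 *         WC_TIMEOUT_E when a HAL call does not return HAL_OK, else 0.
 */
int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    int ret = 0;
    word32 blocks = (sz / AES_BLOCK_SIZE);
    CRYP_HandleTypeDef hcryp;

    ret = wc_Stm32_Aes_Init(aes, &hcryp);
    if (ret != 0)
        return ret;

    /* without this, in + sz - AES_BLOCK_SIZE below would point before the
     * start of the input for sz < AES_BLOCK_SIZE */
    if (blocks == 0)
        return 0;

    ret = wolfSSL_CryptHwMutexLock();
    if (ret != 0) {
        return ret;
    }

    /* if input and output same will overwrite input iv; take the last whole
     * ciphertext block, which is the chaining value for the next call */
    XMEMCPY(aes->tmp, in + ((blocks - 1) * AES_BLOCK_SIZE), AES_BLOCK_SIZE);

    #ifdef STM32_CRYPTO_AES_ONLY
    hcryp.Init.OperatingMode = CRYP_ALGOMODE_KEYDERIVATION_DECRYPT;
    hcryp.Init.ChainingMode  = CRYP_CHAINMODE_AES_CBC;
    hcryp.Init.KeyWriteFlag  = CRYP_KEY_WRITE_ENABLE;
    #elif defined(STM32_HAL_V2)
    hcryp.Init.Algorithm = CRYP_AES_CBC;
    /* the IV words in aes->reg are byte-reversed in place for this HAL */
    ByteReverseWords(aes->reg, aes->reg, AES_BLOCK_SIZE);
    #endif

    hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)aes->reg;
    HAL_CRYP_Init(&hcryp);

    while (blocks--) {
    #ifdef STM32_CRYPTO_AES_ONLY
        ret = HAL_CRYPEx_AES(&hcryp, (uint8_t*)in, AES_BLOCK_SIZE,
            out, STM32_HAL_TIMEOUT);
    #elif defined(STM32_HAL_V2)
        ret = HAL_CRYP_Decrypt(&hcryp, (uint32_t*)in, AES_BLOCK_SIZE,
            (uint32_t*)out, STM32_HAL_TIMEOUT);
    #else
        ret = HAL_CRYP_AESCBC_Decrypt(&hcryp, (uint8_t*)in, AES_BLOCK_SIZE,
            out, STM32_HAL_TIMEOUT);
    #endif
        if (ret != HAL_OK) {
            /* every HAL failure is reported as a timeout */
            ret = WC_TIMEOUT_E;
            break;
        }

        /* store iv for next call */
        XMEMCPY(aes->reg, aes->tmp, AES_BLOCK_SIZE);

        in  += AES_BLOCK_SIZE;
        out += AES_BLOCK_SIZE;
    }

    HAL_CRYP_DeInit(&hcryp);
    wolfSSL_CryptHwMutexUnLock();

    return ret;
}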
wolfSSL 15:117db924cf7c 3066 #endif /* HAVE_AES_DECRYPT */
wolfSSL 16:8e0d178b1d1e 3067
wolfSSL 16:8e0d178b1d1e 3068 #else /* STD_PERI_LIB */
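/* AES-CBC encrypt through the STM32 Standard Peripheral Library.
 *
 * Only sz / AES_BLOCK_SIZE whole blocks are processed; trailing bytes are
 * ignored. in and out may have any alignment: words are moved to and from
 * the FIFO through a local uint32_t instead of casting the byte pointers.
 *
 * NOTE(review): the BUSY-flag wait has no timeout, so a stalled peripheral
 * blocks here while the crypto hardware mutex is held.
 *
 * returns the error from wc_Stm32_Aes_Init or wolfSSL_CryptHwMutexLock,
 *         else 0.
 */
int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    int ret;
    word32 *iv;
    word32 blocks = (sz / AES_BLOCK_SIZE);
    word32 off;
    uint32_t fifoWord;
    CRYP_InitTypeDef cryptInit;
    CRYP_KeyInitTypeDef keyInit;
    CRYP_IVInitTypeDef ivInit;

    ret = wc_Stm32_Aes_Init(aes, &cryptInit, &keyInit);
    if (ret != 0)
        return ret;

    ret = wolfSSL_CryptHwMutexLock();
    if (ret != 0) {
        return ret;
    }

    /* reset registers to their default values */
    CRYP_DeInit();

    /* set key */
    CRYP_KeyInit(&keyInit);

    /* set iv (byte-reversed in place inside aes->reg) */
    iv = aes->reg;
    CRYP_IVStructInit(&ivInit);
    ByteReverseWords(iv, iv, AES_BLOCK_SIZE);
    ivInit.CRYP_IV0Left  = iv[0];
    ivInit.CRYP_IV0Right = iv[1];
    ivInit.CRYP_IV1Left  = iv[2];
    ivInit.CRYP_IV1Right = iv[3];
    CRYP_IVInit(&ivInit);

    /* set direction and mode */
    cryptInit.CRYP_AlgoDir  = CRYP_AlgoDir_Encrypt;
    cryptInit.CRYP_AlgoMode = CRYP_AlgoMode_AES_CBC;
    CRYP_Init(&cryptInit);

    /* enable crypto processor */
    CRYP_Cmd(ENABLE);

    while (blocks--) {
        /* flush IN/OUT FIFOs */
        CRYP_FIFOFlush();

        /* feed one block, a word at a time */
        for (off = 0; off < AES_BLOCK_SIZE; off += sizeof(fifoWord)) {
            XMEMCPY(&fifoWord, in + off, sizeof(fifoWord));
            CRYP_DataIn(fifoWord);
        }

        /* wait until the complete message has been processed */
        while (CRYP_GetFlagStatus(CRYP_FLAG_BUSY) != RESET) {}

        /* drain one block, a word at a time */
        for (off = 0; off < AES_BLOCK_SIZE; off += sizeof(fifoWord)) {
            fifoWord = CRYP_DataOut();
            XMEMCPY(out + off, &fifoWord, sizeof(fifoWord));
        }

        /* store iv for next call: out and sz move in step, so out + sz
         * always addresses the end of the caller's buffer */
        XMEMCPY(aes->reg, out + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);

        sz  -= AES_BLOCK_SIZE;
        in  += AES_BLOCK_SIZE;
        out += AES_BLOCK_SIZE;
    }

    /* disable crypto processor */
    CRYP_Cmd(DISABLE);
    wolfSSL_CryptHwMutexUnLock();

    return ret;
}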
wolfSSL 15:117db924cf7c 3142
wolfSSL 15:117db924cf7c 3143 #ifdef HAVE_AES_DECRYPT
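/* AES-CBC decrypt through the STM32 Standard Peripheral Library.
 *
 * Only sz / AES_BLOCK_SIZE whole blocks are processed; trailing bytes are
 * ignored. With no whole block the call returns 0 without touching the
 * hardware, the IV or either buffer. in and out may have any alignment:
 * words are moved to and from the FIFO through a local uint32_t instead of
 * casting the byte pointers.
 *
 * NOTE(review): the BUSY-flag waits have no timeout, so a stalled peripheral
 * blocks here while the crypto hardware mutex is held.
 *
 * returns the error from wc_Stm32_Aes_Init or wolfSSL_CryptHwMutexLock,
 *         else 0.
 */
int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    int ret;
    word32 *iv;
    word32 blocks = (sz / AES_BLOCK_SIZE);
    word32 off;
    uint32_t fifoWord;
    CRYP_InitTypeDef cryptInit;
    CRYP_KeyInitTypeDef keyInit;
    CRYP_IVInitTypeDef ivInit;

    ret = wc_Stm32_Aes_Init(aes, &cryptInit, &keyInit);
    if (ret != 0)
        return ret;

    /* without this, in + sz - AES_BLOCK_SIZE below would point before the
     * start of the input for sz < AES_BLOCK_SIZE */
    if (blocks == 0)
        return 0;

    ret = wolfSSL_CryptHwMutexLock();
    if (ret != 0) {
        return ret;
    }

    /* if input and output same will overwrite input iv; take the last whole
     * ciphertext block, which is the chaining value for the next call */
    XMEMCPY(aes->tmp, in + ((blocks - 1) * AES_BLOCK_SIZE), AES_BLOCK_SIZE);

    /* reset registers to their default values */
    CRYP_DeInit();

    /* set direction and key */
    CRYP_KeyInit(&keyInit);
    cryptInit.CRYP_AlgoDir  = CRYP_AlgoDir_Decrypt;
    cryptInit.CRYP_AlgoMode = CRYP_AlgoMode_AES_Key;
    CRYP_Init(&cryptInit);

    /* enable crypto processor */
    CRYP_Cmd(ENABLE);

    /* wait until key has been prepared */
    while (CRYP_GetFlagStatus(CRYP_FLAG_BUSY) != RESET) {}

    /* set direction and mode */
    cryptInit.CRYP_AlgoDir  = CRYP_AlgoDir_Decrypt;
    cryptInit.CRYP_AlgoMode = CRYP_AlgoMode_AES_CBC;
    CRYP_Init(&cryptInit);

    /* set iv (byte-reversed in place inside aes->reg) */
    iv = aes->reg;
    CRYP_IVStructInit(&ivInit);
    ByteReverseWords(iv, iv, AES_BLOCK_SIZE);
    ivInit.CRYP_IV0Left  = iv[0];
    ivInit.CRYP_IV0Right = iv[1];
    ivInit.CRYP_IV1Left  = iv[2];
    ivInit.CRYP_IV1Right = iv[3];
    CRYP_IVInit(&ivInit);

    /* enable crypto processor */
    CRYP_Cmd(ENABLE);

    while (blocks--) {
        /* flush IN/OUT FIFOs */
        CRYP_FIFOFlush();

        /* feed one block, a word at a time */
        for (off = 0; off < AES_BLOCK_SIZE; off += sizeof(fifoWord)) {
            XMEMCPY(&fifoWord, in + off, sizeof(fifoWord));
            CRYP_DataIn(fifoWord);
        }

        /* wait until the complete message has been processed */
        while (CRYP_GetFlagStatus(CRYP_FLAG_BUSY) != RESET) {}

        /* drain one block, a word at a time */
        for (off = 0; off < AES_BLOCK_SIZE; off += sizeof(fifoWord)) {
            fifoWord = CRYP_DataOut();
            XMEMCPY(out + off, &fifoWord, sizeof(fifoWord));
        }

        /* store iv for next call */
        XMEMCPY(aes->reg, aes->tmp, AES_BLOCK_SIZE);

        in  += AES_BLOCK_SIZE;
        out += AES_BLOCK_SIZE;
    }

    /* disable crypto processor */
    CRYP_Cmd(DISABLE);
    wolfSSL_CryptHwMutexUnLock();

    return ret;
}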
wolfSSL 15:117db924cf7c 3228 #endif /* HAVE_AES_DECRYPT */
wolfSSL 15:117db924cf7c 3229 #endif /* WOLFSSL_STM32_CUBEMX */
wolfSSL 15:117db924cf7c 3230
wolfSSL 15:117db924cf7c 3231 #elif defined(HAVE_COLDFIRE_SEC)
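/* Shared AES-CBC worker for the Coldfire SEC engine.
 *
 * aes         context holding key, round count and chaining value
 * po          output buffer
 * pi          input buffer
 * sz          byte count; rounded down to whole AES blocks before use
 * descHeader  SEC_DESC_AES_CBC_ENCRYPT or SEC_DESC_AES_CBC_DECRYPT
 *
 * Data goes through the shared AESBuffIn/AESBuffOut buffers in chunks of at
 * most AES_BUFFER_SIZE bytes while Mutex_AesSEC is held.
 *
 * NOTE(review): the chunking presumably relies on AES_BUFFER_SIZE being a
 * multiple of AES_BLOCK_SIZE - confirm. The completion poll has no timeout.
 * A copy of the key stays in the shared secKey buffer after the call.
 *
 * returns BAD_FUNC_ARG for a NULL argument or a round count other than
 *         10, 12 or 14, BAD_MUTEX_E when the mutex cannot be taken, else 0.
 */
static int wc_AesCbcCrypt(Aes* aes, byte* po, const byte* pi, word32 sz,
                          word32 descHeader)
{
    #ifdef DEBUG_WOLFSSL
    int i = 0; int stat1, stat2; int ret;
    #endif

    int size;
    int keyLen;
    volatile int v;

    if ((aes == NULL) || (pi == NULL) || (po == NULL))
        return BAD_FUNC_ARG; /*wrong pointer*/

    /* resolved before the shared descriptor is touched, so an unexpected
     * round count cannot reuse a stale length3 from an earlier call */
    switch (aes->rounds) {
        case 10: keyLen = 16; break;
        case 12: keyLen = 24; break;
        case 14: keyLen = 32; break;
        default: return BAD_FUNC_ARG;
    }

    /* whole blocks only: a chunk shorter than AES_BLOCK_SIZE would make
     * pi[size-AES_BLOCK_SIZE] and po[size-AES_BLOCK_SIZE] index before the
     * start of the buffers */
    sz -= sz % AES_BLOCK_SIZE;

    if (wc_LockMutex(&Mutex_AesSEC) != 0)
        return BAD_MUTEX_E;

    /* Set descriptor for SEC */
    secDesc->length1 = 0x0;
    secDesc->pointer1 = NULL;

    secDesc->length2 = AES_BLOCK_SIZE;
    secDesc->pointer2 = (byte *)secReg; /* Initial Vector */

    secDesc->length3 = keyLen;
    XMEMCPY(secKey, aes->key, secDesc->length3);

    secDesc->pointer3 = (byte *)secKey;
    secDesc->pointer4 = AESBuffIn;
    secDesc->pointer5 = AESBuffOut;
    secDesc->length6 = 0x0;
    secDesc->pointer6 = NULL;
    secDesc->length7 = 0x0;
    secDesc->pointer7 = NULL;
    secDesc->nextDescriptorPtr = NULL;

    while (sz) {
        secDesc->header = descHeader;
        XMEMCPY(secReg, aes->reg, AES_BLOCK_SIZE);
        /* true when less than one full AES_BUFFER_SIZE chunk remains */
        if ((sz % AES_BUFFER_SIZE) == sz) {
            size = sz;
            sz = 0;
        } else {
            size = AES_BUFFER_SIZE;
            sz -= AES_BUFFER_SIZE;
        }
        secDesc->length4 = size;
        secDesc->length5 = size;

        XMEMCPY(AESBuffIn, pi, size);
        if(descHeader == SEC_DESC_AES_CBC_DECRYPT) {
            /* keep the last ciphertext block: po may alias pi */
            XMEMCPY((void*)aes->tmp, (void*)&(pi[size-AES_BLOCK_SIZE]),
                    AES_BLOCK_SIZE);
        }

        /* Point SEC to the location of the descriptor */
        MCF_SEC_FR0 = (uint32)secDesc;
        /* Initialize SEC and wait for encryption to complete */
        MCF_SEC_CCCR0 = 0x0000001a;
        /* poll SISR to determine when channel is complete */
        v=0;

        while ((secDesc->header>> 24) != 0xff) v++;

    #ifdef DEBUG_WOLFSSL
        ret = MCF_SEC_SISRH;
        stat1 = MCF_SEC_AESSR;
        stat2 = MCF_SEC_AESISR;
        if (ret & 0xe0000000) {
            db_printf("Aes_Cbc(i=%d):ISRH=%08x, AESSR=%08x, "
                      "AESISR=%08x\n", i, ret, stat1, stat2);
        }
        i++; /* chunk index for the message above */
    #endif

        XMEMCPY(po, AESBuffOut, size);

        /* chaining value for the next chunk or call */
        if (descHeader == SEC_DESC_AES_CBC_ENCRYPT) {
            XMEMCPY((void*)aes->reg, (void*)&(po[size-AES_BLOCK_SIZE]),
                    AES_BLOCK_SIZE);
        } else {
            XMEMCPY((void*)aes->reg, (void*)aes->tmp, AES_BLOCK_SIZE);
        }

        pi += size;
        po += size;
    }

    wc_UnLockMutex(&Mutex_AesSEC);
    return 0;
}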
wolfSSL 15:117db924cf7c 3324
/* AES-CBC encrypt on the Coldfire SEC: forwards to wc_AesCbcCrypt with the
 * encrypt descriptor header and returns its result unchanged. */
int wc_AesCbcEncrypt(Aes* aes, byte* po, const byte* pi, word32 sz)
{
    int rc = wc_AesCbcCrypt(aes, po, pi, sz, SEC_DESC_AES_CBC_ENCRYPT);

    return rc;
}
wolfSSL 15:117db924cf7c 3329
wolfSSL 15:117db924cf7c 3330 #ifdef HAVE_AES_DECRYPT
/* AES-CBC decrypt on the Coldfire SEC: forwards to wc_AesCbcCrypt with the
 * decrypt descriptor header and returns its result unchanged. */
int wc_AesCbcDecrypt(Aes* aes, byte* po, const byte* pi, word32 sz)
{
    int rc = wc_AesCbcCrypt(aes, po, pi, sz, SEC_DESC_AES_CBC_DECRYPT);

    return rc;
}
wolfSSL 15:117db924cf7c 3335 #endif /* HAVE_AES_DECRYPT */
wolfSSL 15:117db924cf7c 3336
wolfSSL 15:117db924cf7c 3337 #elif defined(FREESCALE_LTC)
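/* AES-CBC encrypt on the Freescale LTC engine.
 *
 * Only sz / AES_BLOCK_SIZE whole blocks are processed; trailing bytes are
 * ignored. With no whole block the call returns 0 and leaves the IV and the
 * output untouched.
 *
 * returns the error from wc_AesGetKeySize, -1 when the LTC driver does not
 *         report kStatus_Success, else 0.
 */
int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    uint32_t keySize;
    status_t status;
    byte *iv, *enc_key;
    word32 blocks = (sz / AES_BLOCK_SIZE);
    word32 len = blocks * AES_BLOCK_SIZE;

    iv      = (byte*)aes->reg;
    enc_key = (byte*)aes->key;

    status = wc_AesGetKeySize(aes, &keySize);
    if (status != 0) {
        return status;
    }

    /* without this, out + sz - AES_BLOCK_SIZE below would point before the
     * start of the output for sz < AES_BLOCK_SIZE */
    if (blocks == 0) {
        return 0;
    }

    status = LTC_AES_EncryptCbc(LTC_BASE, in, out, len,
        iv, enc_key, keySize);

    /* store iv for next call: the last whole ciphertext block */
    if (status == kStatus_Success) {
        XMEMCPY(iv, out + len - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
    }

    return (status == kStatus_Success) ? 0 : -1;
}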
wolfSSL 15:117db924cf7c 3363
wolfSSL 15:117db924cf7c 3364 #ifdef HAVE_AES_DECRYPT
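/* AES-CBC decrypt on the Freescale LTC engine.
 *
 * aes  AES context; aes->key holds the key and aes->reg the chaining IV
 * out  destination for the plaintext
 * in   ciphertext to decrypt
 * sz   byte count; only whole AES blocks are handed to the engine, a
 *      trailing partial block is ignored
 *
 * Returns 0 on success (also when sz holds no whole block, in which case
 * nothing is written and the IV is left alone), the error reported by
 * wc_AesGetKeySize(), or -1 when the driver does not return kStatus_Success.
 */
int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    uint32_t keySize;
    status_t status;
    byte* iv, *dec_key;
    word32 blocks = (sz / AES_BLOCK_SIZE);
    word32 len    = blocks * AES_BLOCK_SIZE;
    byte temp_block[AES_BLOCK_SIZE];

    /* With less than one block there is no ciphertext block to keep as the
     * next IV. The copy below would otherwise read AES_BLOCK_SIZE bytes from
     * in front of the input buffer. */
    if (blocks == 0) {
        return 0;
    }

    iv      = (byte*)aes->reg;
    dec_key = (byte*)aes->key;

    status = wc_AesGetKeySize(aes, &keySize);
    if (status != 0) {
        return status;
    }

    /* get IV for next call: taken before the engine writes to out, so it is
     * still intact when out and in are the same buffer */
    XMEMCPY(temp_block, in + len - AES_BLOCK_SIZE, AES_BLOCK_SIZE);

    status = LTC_AES_DecryptCbc(LTC_BASE, in, out, len,
        iv, dec_key, keySize, kLTC_EncryptKey);

    /* store IV for next call */
    if (status == kStatus_Success) {
        XMEMCPY(iv, temp_block, AES_BLOCK_SIZE);
    }

    return (status == kStatus_Success) ? 0 : -1;
}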
wolfSSL 15:117db924cf7c 3394 #endif /* HAVE_AES_DECRYPT */
wolfSSL 15:117db924cf7c 3395
wolfSSL 15:117db924cf7c 3396 #elif defined(FREESCALE_MMCAU)
/* AES-CBC encrypt for the FREESCALE_MMCAU build, one block at a time.
 *
 * Each plaintext block is XORed with the chaining value in aes->reg,
 * encrypted with wc_AesEncrypt(), and the resulting ciphertext becomes the
 * chaining value for the next block. Only sz / AES_BLOCK_SIZE whole blocks
 * are processed; trailing bytes are ignored. Always returns 0. The pointers
 * are not checked here.
 */
int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    byte   xored[AES_BLOCK_SIZE];
    byte*  chain = (byte*)aes->reg;
    word32 remaining;
    int    pos = 0;
    int    j;

    for (remaining = sz / AES_BLOCK_SIZE; remaining > 0; remaining--) {
        /* plaintext block XOR chaining value */
        XMEMCPY(xored, in + pos, AES_BLOCK_SIZE);
        for (j = 0; j < AES_BLOCK_SIZE; j++) {
            xored[j] ^= chain[j];
        }

        wc_AesEncrypt(aes, xored, out + pos);

        /* the ciphertext just written chains into the next block */
        XMEMCPY(chain, out + pos, AES_BLOCK_SIZE);
        pos += AES_BLOCK_SIZE;
    }

    return 0;
}
wolfSSL 15:117db924cf7c 3424 #ifdef HAVE_AES_DECRYPT
/* AES-CBC decrypt for the FREESCALE_MMCAU build, one block at a time.
 *
 * Each ciphertext block is decrypted with wc_AesDecrypt() and XORed with the
 * chaining value in aes->reg; the ciphertext block then becomes the chaining
 * value for the next block. Only sz / AES_BLOCK_SIZE whole blocks are
 * processed; trailing bytes are ignored. Always returns 0. The pointers are
 * not checked here.
 */
int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    byte   saved[AES_BLOCK_SIZE];
    byte*  chain = (byte*)aes->reg;
    word32 remaining;
    int    pos = 0;
    int    j;

    for (remaining = sz / AES_BLOCK_SIZE; remaining > 0; remaining--) {
        byte* dst = out + pos;

        /* keep the ciphertext block: the copy is taken before the output is
         * written, so it survives when out and in are the same buffer */
        XMEMCPY(saved, in + pos, AES_BLOCK_SIZE);

        wc_AesDecrypt(aes, in + pos, dst);

        /* XOR block with IV for CBC */
        for (j = 0; j < AES_BLOCK_SIZE; j++) {
            dst[j] ^= chain[j];
        }

        /* store IV for next block */
        XMEMCPY(chain, saved, AES_BLOCK_SIZE);
        pos += AES_BLOCK_SIZE;
    }

    return 0;
}
wolfSSL 15:117db924cf7c 3452 #endif /* HAVE_AES_DECRYPT */
wolfSSL 15:117db924cf7c 3453
wolfSSL 15:117db924cf7c 3454 #elif defined(WOLFSSL_PIC32MZ_CRYPT)
wolfSSL 15:117db924cf7c 3455
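/* AES-CBC encrypt on the PIC32MZ crypto engine.
 *
 * aes  AES context; aes->key / aes->keylen describe the key and aes->reg
 *      holds the chaining IV
 * out  destination for the ciphertext
 * in   plaintext to encrypt
 * sz   byte count; must be a multiple of AES_BLOCK_SIZE
 *
 * Returns 0 on success or when sz is 0 (nothing is written and the IV is
 * left alone), BAD_FUNC_ARG when sz is not a whole number of blocks, or the
 * error returned by wc_Pic32AesCrypt().
 */
int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    int ret;

    /* An empty request passes the multiple-of-block test below, but the IV
     * save would then read AES_BLOCK_SIZE bytes from in front of out. */
    if (sz == 0) {
        return 0;
    }

    /* hardware fails on input that is not a multiple of AES block size */
    if (sz % AES_BLOCK_SIZE != 0) {
        return BAD_FUNC_ARG;
    }

    ret = wc_Pic32AesCrypt(
        aes->key, aes->keylen, aes->reg, AES_BLOCK_SIZE,
        out, in, sz, PIC32_ENCRYPTION,
        PIC32_ALGO_AES, PIC32_CRYPTOALGO_RCBC);

    /* store iv for next call */
    if (ret == 0) {
        XMEMCPY(aes->reg, out + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
    }

    return ret;
}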
wolfSSL 15:117db924cf7c 3477 #ifdef HAVE_AES_DECRYPT
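/* AES-CBC decrypt on the PIC32MZ crypto engine.
 *
 * aes  AES context; aes->key / aes->keylen describe the key and aes->reg
 *      holds the chaining IV
 * out  destination for the plaintext
 * in   ciphertext to decrypt
 * sz   byte count; must be a multiple of AES_BLOCK_SIZE
 *
 * Returns 0 on success or when sz is 0 (nothing is written and the IV is
 * left alone), BAD_FUNC_ARG when sz is not a whole number of blocks, or the
 * error returned by wc_Pic32AesCrypt().
 */
int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    int ret;
    byte scratch[AES_BLOCK_SIZE];

    /* An empty request passes the multiple-of-block test below, but the copy
     * of the last ciphertext block would then read AES_BLOCK_SIZE bytes from
     * in front of in. */
    if (sz == 0) {
        return 0;
    }

    /* hardware fails on input that is not a multiple of AES block size */
    if (sz % AES_BLOCK_SIZE != 0) {
        return BAD_FUNC_ARG;
    }

    /* keep the last ciphertext block before the engine writes to out, so it
     * is still available when out and in are the same buffer */
    XMEMCPY(scratch, in + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);

    ret = wc_Pic32AesCrypt(
        aes->key, aes->keylen, aes->reg, AES_BLOCK_SIZE,
        out, in, sz, PIC32_DECRYPTION,
        PIC32_ALGO_AES, PIC32_CRYPTOALGO_RCBC);

    /* store iv for next call */
    if (ret == 0) {
        XMEMCPY((byte*)aes->reg, scratch, AES_BLOCK_SIZE);
    }

    return ret;
}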
wolfSSL 15:117db924cf7c 3501 #endif /* HAVE_AES_DECRYPT */
wolfSSL 16:8e0d178b1d1e 3502 #elif defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
wolfSSL 16:8e0d178b1d1e 3503 !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_AES)
wolfSSL 16:8e0d178b1d1e 3504
/* AES-CBC encrypt for the ESP32-WROOM-32 build: forwards every argument to
 * wc_esp32AesCbcEncrypt() and returns its result. Nothing is validated in
 * this wrapper. */
int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    int ret;

    ret = wc_esp32AesCbcEncrypt(aes, out, in, sz);
    return ret;
}
/* AES-CBC decrypt for the ESP32-WROOM-32 build: forwards every argument to
 * wc_esp32AesCbcDecrypt() and returns its result. Nothing is validated in
 * this wrapper. */
int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    int ret;

    ret = wc_esp32AesCbcDecrypt(aes, out, in, sz);
    return ret;
}
wolfSSL 16:8e0d178b1d1e 3513 #elif defined(WOLFSSL_CRYPTOCELL) && defined(WOLFSSL_CRYPTOCELL_AES)
/* AES-CBC encrypt for the CryptoCell build: passes the request to
 * SaSi_AesBlock() using the user context stored in aes->ctx and returns the
 * driver's result unchanged. No arguments are validated here. */
int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    /* the driver call takes a non-const input pointer */
    uint8_t* src = (uint8_t*)in;

    return SaSi_AesBlock(&aes->ctx.user_ctx, src, sz, out);
}
/* AES-CBC decrypt for the CryptoCell build: passes the request to
 * SaSi_AesBlock() using the user context stored in aes->ctx and returns the
 * driver's result unchanged. The call is the same one the encrypt wrapper
 * makes; the direction is not chosen here (presumably it is part of the
 * context configured elsewhere - confirm). No arguments are validated here. */
int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    /* the driver call takes a non-const input pointer */
    uint8_t* src = (uint8_t*)in;

    return SaSi_AesBlock(&aes->ctx.user_ctx, src, sz, out);
}
wolfSSL 15:117db924cf7c 3522 #elif defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_AES)
wolfSSL 15:117db924cf7c 3523 /* implemented in wolfcrypt/src/port/caam/caam_aes.c */
wolfSSL 15:117db924cf7c 3524
wolfSSL 16:8e0d178b1d1e 3525 #elif defined(WOLFSSL_AFALG)
wolfSSL 16:8e0d178b1d1e 3526 /* implemented in wolfcrypt/src/port/af_alg/afalg_aes.c */
wolfSSL 16:8e0d178b1d1e 3527
wolfSSL 16:8e0d178b1d1e 3528 #elif defined(WOLFSSL_DEVCRYPTO_CBC)
wolfSSL 16:8e0d178b1d1e 3529 /* implemented in wolfcrypt/src/port/devcrypt/devcrypto_aes.c */
wolfSSL 16:8e0d178b1d1e 3530
wolfSSL 15:117db924cf7c 3531 #else
wolfSSL 15:117db924cf7c 3532
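/* Software AES - CBC Encrypt
 *
 * aes  AES context; aes->reg holds the chaining IV and is updated so that a
 *      following call continues the same CBC stream
 * out  destination for the ciphertext
 * in   plaintext to encrypt
 * sz   byte count; the software loop encrypts sz / AES_BLOCK_SIZE whole
 *      blocks and silently ignores a trailing partial block, so callers
 *      are expected to pass padded, block-aligned data
 *
 * Dispatch order: crypto callback (WOLF_CRYPTO_CB), async hardware
 * (WOLFSSL_ASYNC_CRYPT), AES-NI, then the portable software loop.
 *
 * Returns 0 on success (also when sz holds no whole block, in which case
 * nothing is written), BAD_FUNC_ARG on a NULL argument, MEMORY_E or
 * BAD_ALIGN_E from the AES-NI unaligned-input path, WC_PENDING_E from the
 * async test path, or whatever the selected device backend returns.
 */
int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    word32 blocks = (sz / AES_BLOCK_SIZE);

    if (aes == NULL || out == NULL || in == NULL) {
        return BAD_FUNC_ARG;
    }

    /* Nothing to encrypt without at least one whole block; the software loop
     * below already does nothing in that case. Returning here keeps the
     * AES-NI path from saving an "IV" read from in front of the output
     * buffer (out + sz - AES_BLOCK_SIZE with sz < AES_BLOCK_SIZE). */
    if (blocks == 0) {
        return 0;
    }

#ifdef WOLF_CRYPTO_CB
    if (aes->devId != INVALID_DEVID) {
        int ret = wc_CryptoCb_AesCbcEncrypt(aes, out, in, sz);
        if (ret != CRYPTOCB_UNAVAILABLE)
            return ret;
        /* fall-through when unavailable */
    }
#endif
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_AES)
    /* if async and byte count above threshold */
    if (aes->asyncDev.marker == WOLFSSL_ASYNC_MARKER_AES &&
                                            sz >= WC_ASYNC_THRESH_AES_CBC) {
    #if defined(HAVE_CAVIUM)
        return NitroxAesCbcEncrypt(aes, out, in, sz);
    #elif defined(HAVE_INTEL_QA)
        return IntelQaSymAesCbcEncrypt(&aes->asyncDev, out, in, sz,
            (const byte*)aes->devKey, aes->keylen,
            (byte*)aes->reg, AES_BLOCK_SIZE);
    #else /* WOLFSSL_ASYNC_CRYPT_TEST */
        if (wc_AsyncTestInit(&aes->asyncDev, ASYNC_TEST_AES_CBC_ENCRYPT)) {
            WC_ASYNC_TEST* testDev = &aes->asyncDev.test;
            testDev->aes.aes = aes;
            testDev->aes.out = out;
            testDev->aes.in = in;
            testDev->aes.sz = sz;
            return WC_PENDING_E;
        }
    #endif
    }
#endif /* WOLFSSL_ASYNC_CRYPT */

#ifdef WOLFSSL_AESNI
    if (haveAESNI) {
    #ifdef DEBUG_AESNI
        printf("about to aes cbc encrypt\n");
        printf("in  = %p\n", in);
        printf("out = %p\n", out);
        printf("aes->key = %p\n", aes->key);
        printf("aes->reg = %p\n", aes->reg);
        printf("aes->rounds = %d\n", aes->rounds);
        printf("sz = %d\n", sz);
    #endif

        /* check alignment, decrypt doesn't need alignment */
        if ((wolfssl_word)in % AESNI_ALIGN) {
        #ifndef NO_WOLFSSL_ALLOC_ALIGN
            /* bounce buffer with room to round up to AESNI_ALIGN; the
             * encryption runs in place inside it, so it holds ciphertext by
             * the time it is freed */
            byte* tmp = (byte*)XMALLOC(sz + AES_BLOCK_SIZE + AESNI_ALIGN,
                                       aes->heap, DYNAMIC_TYPE_TMP_BUFFER);
            byte* tmp_align;
            if (tmp == NULL) return MEMORY_E;

            tmp_align = tmp + (AESNI_ALIGN - ((size_t)tmp % AESNI_ALIGN));
            XMEMCPY(tmp_align, in, sz);
            AES_CBC_encrypt(tmp_align, tmp_align, (byte*)aes->reg, sz,
                            (byte*)aes->key, aes->rounds);
            /* store iv for next call */
            XMEMCPY(aes->reg, tmp_align + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);

            XMEMCPY(out, tmp_align, sz);
            XFREE(tmp, aes->heap, DYNAMIC_TYPE_TMP_BUFFER);
            return 0;
        #else
            WOLFSSL_MSG("AES-CBC encrypt with bad alignment");
            return BAD_ALIGN_E;
        #endif
        }

        AES_CBC_encrypt(in, out, (byte*)aes->reg, sz, (byte*)aes->key,
                        aes->rounds);
        /* store iv for next call */
        XMEMCPY(aes->reg, out + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);

        return 0;
    }
#endif

    /* portable path: aes->reg carries the running ciphertext block */
    while (blocks--) {
        xorbuf((byte*)aes->reg, in, AES_BLOCK_SIZE);
        wc_AesEncrypt(aes, (byte*)aes->reg, (byte*)aes->reg);
        XMEMCPY(out, aes->reg, AES_BLOCK_SIZE);

        out += AES_BLOCK_SIZE;
        in  += AES_BLOCK_SIZE;
    }

    return 0;
}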
wolfSSL 15:117db924cf7c 3629
wolfSSL 15:117db924cf7c 3630 #ifdef HAVE_AES_DECRYPT
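/* Software AES - CBC Decrypt
 *
 * aes  AES context; aes->reg holds the chaining IV and is updated so that a
 *      following call continues the same CBC stream; aes->tmp is used as
 *      scratch for the current ciphertext block
 * out  destination for the plaintext (may be the same buffer as in)
 * in   ciphertext to decrypt
 * sz   byte count; must be a multiple of AES_BLOCK_SIZE
 *
 * Dispatch order: crypto callback (WOLF_CRYPTO_CB), async hardware
 * (WOLFSSL_ASYNC_CRYPT), AES-NI, then the portable software loop.
 *
 * Returns 0 on success or when sz is 0 (nothing is written and the IV is
 * left alone), BAD_FUNC_ARG on a NULL argument or a length that is not a
 * whole number of blocks, WC_PENDING_E from the async test path, or whatever
 * the selected device backend returns.
 *
 * This routine only reverses the cipher; it does not authenticate the
 * ciphertext or check padding.
 */
int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    word32 blocks;

    if (aes == NULL || out == NULL || in == NULL
                                       || sz % AES_BLOCK_SIZE != 0) {
        return BAD_FUNC_ARG;
    }

    /* An empty request passes the multiple-of-block test above. Returning
     * here keeps the AES-NI path from copying an "IV" from in front of the
     * input buffer (in + sz - AES_BLOCK_SIZE with sz == 0). */
    if (sz == 0) {
        return 0;
    }

#ifdef WOLF_CRYPTO_CB
    if (aes->devId != INVALID_DEVID) {
        int ret = wc_CryptoCb_AesCbcDecrypt(aes, out, in, sz);
        if (ret != CRYPTOCB_UNAVAILABLE)
            return ret;
        /* fall-through when unavailable */
    }
#endif
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_AES)
    /* if async and byte count above threshold */
    if (aes->asyncDev.marker == WOLFSSL_ASYNC_MARKER_AES &&
                                            sz >= WC_ASYNC_THRESH_AES_CBC) {
    #if defined(HAVE_CAVIUM)
        return NitroxAesCbcDecrypt(aes, out, in, sz);
    #elif defined(HAVE_INTEL_QA)
        return IntelQaSymAesCbcDecrypt(&aes->asyncDev, out, in, sz,
            (const byte*)aes->devKey, aes->keylen,
            (byte*)aes->reg, AES_BLOCK_SIZE);
    #else /* WOLFSSL_ASYNC_CRYPT_TEST */
        if (wc_AsyncTestInit(&aes->asyncDev, ASYNC_TEST_AES_CBC_DECRYPT)) {
            WC_ASYNC_TEST* testDev = &aes->asyncDev.test;
            testDev->aes.aes = aes;
            testDev->aes.out = out;
            testDev->aes.in = in;
            testDev->aes.sz = sz;
            return WC_PENDING_E;
        }
    #endif
    }
#endif

#ifdef WOLFSSL_AESNI
    if (haveAESNI) {
    #ifdef DEBUG_AESNI
        printf("about to aes cbc decrypt\n");
        printf("in  = %p\n", in);
        printf("out = %p\n", out);
        printf("aes->key = %p\n", aes->key);
        printf("aes->reg = %p\n", aes->reg);
        printf("aes->rounds = %d\n", aes->rounds);
        printf("sz = %d\n", sz);
    #endif

        /* if input and output same will overwrite input iv */
        XMEMCPY(aes->tmp, in + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
    #if defined(WOLFSSL_AESNI_BY4)
        AES_CBC_decrypt_by4(in, out, (byte*)aes->reg, sz, (byte*)aes->key,
                            aes->rounds);
    #elif defined(WOLFSSL_AESNI_BY6)
        AES_CBC_decrypt_by6(in, out, (byte*)aes->reg, sz, (byte*)aes->key,
                            aes->rounds);
    #else /* WOLFSSL_AESNI_BYx */
        AES_CBC_decrypt_by8(in, out, (byte*)aes->reg, sz, (byte*)aes->key,
                            aes->rounds);
    #endif /* WOLFSSL_AESNI_BYx */
        /* store iv for next call */
        XMEMCPY(aes->reg, aes->tmp, AES_BLOCK_SIZE);
        return 0;
    }
#endif

    blocks = sz / AES_BLOCK_SIZE;
    while (blocks--) {
        /* copy the ciphertext block first so in-place decryption still has
         * it available as the next chaining value */
        XMEMCPY(aes->tmp, in, AES_BLOCK_SIZE);
        wc_AesDecrypt(aes, (byte*)aes->tmp, out);
        xorbuf(out, (byte*)aes->reg, AES_BLOCK_SIZE);
        /* store iv for next call */
        XMEMCPY(aes->reg, aes->tmp, AES_BLOCK_SIZE);

        out += AES_BLOCK_SIZE;
        in  += AES_BLOCK_SIZE;
    }

    return 0;
}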
wolfSSL 15:117db924cf7c 3716 #endif
wolfSSL 15:117db924cf7c 3717
wolfSSL 15:117db924cf7c 3718 #endif /* AES-CBC block */
wolfSSL 15:117db924cf7c 3719 #endif /* HAVE_AES_CBC */
wolfSSL 15:117db924cf7c 3720
wolfSSL 15:117db924cf7c 3721 /* AES-CTR */
wolfSSL 15:117db924cf7c 3722 #if defined(WOLFSSL_AES_COUNTER)
wolfSSL 15:117db924cf7c 3723
wolfSSL 15:117db924cf7c 3724 #ifdef STM32_CRYPTO
wolfSSL 15:117db924cf7c 3725 #define NEED_AES_CTR_SOFT
wolfSSL 15:117db924cf7c 3726 #define XTRANSFORM_AESCTRBLOCK wc_AesCtrEncryptBlock
wolfSSL 15:117db924cf7c 3727
/* Encrypt one AES_BLOCK_SIZE block in CTR mode on the STM32 crypto
 * peripheral, using aes->reg as the counter block.
 *
 * aes  AES context; the key is loaded by wc_Stm32_Aes_Init()
 * out  receives AES_BLOCK_SIZE bytes of output
 * in   AES_BLOCK_SIZE bytes of input
 *
 * The hardware mutex is taken for the duration of the call and released on
 * every return path after it was acquired. This function only reads
 * aes->reg; in this file the counter is advanced by wc_AesCtrEncrypt()
 * after each block.
 *
 * Returns 0 / HAL_OK on success, the error from wolfSSL_CryptHwMutexLock()
 * or wc_Stm32_Aes_Init(), or WC_TIMEOUT_E when the HAL encrypt call reports
 * anything other than HAL_OK.
 */
int wc_AesCtrEncryptBlock(Aes* aes, byte* out, const byte* in)
{
    int ret = 0;
#ifdef WOLFSSL_STM32_CUBEMX
    CRYP_HandleTypeDef hcryp;
    #ifdef STM32_HAL_V2
    /* byte-reversed copy of the counter block handed to the HAL */
    word32 iv[AES_BLOCK_SIZE/sizeof(word32)];
    #endif
#else
    word32 *iv;
    CRYP_InitTypeDef cryptInit;
    CRYP_KeyInitTypeDef keyInit;
    CRYP_IVInitTypeDef ivInit;
#endif

    ret = wolfSSL_CryptHwMutexLock();
    if (ret != 0) {
        return ret;
    }

#ifdef WOLFSSL_STM32_CUBEMX
    ret = wc_Stm32_Aes_Init(aes, &hcryp);
    if (ret != 0) {
        wolfSSL_CryptHwMutexUnLock();
        return ret;
    }

    #ifdef STM32_CRYPTO_AES_ONLY
    hcryp.Init.OperatingMode = CRYP_ALGOMODE_ENCRYPT;
    hcryp.Init.ChainingMode  = CRYP_CHAINMODE_AES_CTR;
    hcryp.Init.KeyWriteFlag  = CRYP_KEY_WRITE_ENABLE;
    hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)aes->reg;
    #elif defined(STM32_HAL_V2)
    hcryp.Init.Algorithm = CRYP_AES_CTR;
    ByteReverseWords(iv, aes->reg, AES_BLOCK_SIZE);
    hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)iv;
    #else
    hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)aes->reg;
    #endif
    /* NOTE(review): the result of HAL_CRYP_Init() is not checked */
    HAL_CRYP_Init(&hcryp);

    #ifdef STM32_CRYPTO_AES_ONLY
    ret = HAL_CRYPEx_AES(&hcryp, (byte*)in, AES_BLOCK_SIZE,
        out, STM32_HAL_TIMEOUT);
    #elif defined(STM32_HAL_V2)
    ret = HAL_CRYP_Encrypt(&hcryp, (uint32_t*)in, AES_BLOCK_SIZE,
        (uint32_t*)out, STM32_HAL_TIMEOUT);
    #else
    ret = HAL_CRYP_AESCTR_Encrypt(&hcryp, (byte*)in, AES_BLOCK_SIZE,
        out, STM32_HAL_TIMEOUT);
    #endif
    /* every non-OK HAL status is reported as a timeout, whatever its cause */
    if (ret != HAL_OK) {
        ret = WC_TIMEOUT_E;
    }
    HAL_CRYP_DeInit(&hcryp);

#else /* STD_PERI_LIB */
    ret = wc_Stm32_Aes_Init(aes, &cryptInit, &keyInit);
    if (ret != 0) {
        wolfSSL_CryptHwMutexUnLock();
        return ret;
    }

    /* reset registers to their default values */
    CRYP_DeInit();

    /* set key */
    CRYP_KeyInit(&keyInit);

    /* set iv: the four counter words are byte-reversed before loading */
    iv = aes->reg;
    CRYP_IVStructInit(&ivInit);
    ivInit.CRYP_IV0Left  = ByteReverseWord32(iv[0]);
    ivInit.CRYP_IV0Right = ByteReverseWord32(iv[1]);
    ivInit.CRYP_IV1Left  = ByteReverseWord32(iv[2]);
    ivInit.CRYP_IV1Right = ByteReverseWord32(iv[3]);
    CRYP_IVInit(&ivInit);

    /* set direction and mode */
    cryptInit.CRYP_AlgoDir  = CRYP_AlgoDir_Encrypt;
    cryptInit.CRYP_AlgoMode = CRYP_AlgoMode_AES_CTR;
    CRYP_Init(&cryptInit);

    /* enable crypto processor */
    CRYP_Cmd(ENABLE);

    /* flush IN/OUT FIFOs */
    CRYP_FIFOFlush();

    /* feed the block as four 32-bit words.
     * NOTE(review): in and out are byte pointers accessed through uint32_t
     * here; this presumably relies on callers passing 4-byte-aligned
     * buffers - confirm. */
    CRYP_DataIn(*(uint32_t*)&in[0]);
    CRYP_DataIn(*(uint32_t*)&in[4]);
    CRYP_DataIn(*(uint32_t*)&in[8]);
    CRYP_DataIn(*(uint32_t*)&in[12]);

    /* wait until the complete message has been processed; this loop has no
     * timeout, so it spins for as long as the busy flag stays set */
    while (CRYP_GetFlagStatus(CRYP_FLAG_BUSY) != RESET) {}

    *(uint32_t*)&out[0]  = CRYP_DataOut();
    *(uint32_t*)&out[4]  = CRYP_DataOut();
    *(uint32_t*)&out[8]  = CRYP_DataOut();
    *(uint32_t*)&out[12] = CRYP_DataOut();

    /* disable crypto processor */
    CRYP_Cmd(DISABLE);

#endif /* WOLFSSL_STM32_CUBEMX */

    wolfSSL_CryptHwMutexUnLock();
    return ret;
}
wolfSSL 15:117db924cf7c 3838
wolfSSL 15:117db924cf7c 3839
wolfSSL 15:117db924cf7c 3840 #elif defined(WOLFSSL_PIC32MZ_CRYPT)
wolfSSL 15:117db924cf7c 3841
wolfSSL 15:117db924cf7c 3842 #define NEED_AES_CTR_SOFT
wolfSSL 15:117db924cf7c 3843 #define XTRANSFORM_AESCTRBLOCK wc_AesCtrEncryptBlock
wolfSSL 15:117db924cf7c 3844
/* Encrypt one AES_BLOCK_SIZE block in CTR mode on the PIC32MZ crypto engine.
 *
 * The engine is given a local copy of the counter block, so aes->reg is not
 * written through the pointer passed to it. Returns the status of
 * wc_Pic32AesCrypt() unchanged.
 */
int wc_AesCtrEncryptBlock(Aes* aes, byte* out, const byte* in)
{
    word32 ctrCopy[AES_BLOCK_SIZE / sizeof(word32)];
    int ret;

    XMEMCPY(ctrCopy, aes->reg, AES_BLOCK_SIZE);

    ret = wc_Pic32AesCrypt(aes->key, aes->keylen, ctrCopy, AES_BLOCK_SIZE,
                           out, in, AES_BLOCK_SIZE,
                           PIC32_ENCRYPTION, PIC32_ALGO_AES,
                           PIC32_CRYPTOALGO_RCTR);
    return ret;
}
wolfSSL 15:117db924cf7c 3854
wolfSSL 15:117db924cf7c 3855 #elif defined(HAVE_COLDFIRE_SEC)
wolfSSL 15:117db924cf7c 3856 #error "Coldfire SEC doesn't currently support AES-CTR mode"
wolfSSL 15:117db924cf7c 3857
wolfSSL 15:117db924cf7c 3858 #elif defined(FREESCALE_LTC)
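/* AES-CTR encrypt/decrypt on the Freescale LTC engine.
 *
 * aes  AES context; aes->reg is the counter block, aes->tmp holds the most
 *      recent keystream block and aes->left the number of its bytes that
 *      have not been used yet
 * out  destination buffer
 * in   source buffer
 * sz   byte count, any length
 *
 * Leftover keystream from the previous call is consumed first; the rest of
 * the request is handed to LTC_AES_CryptCtr().
 *
 * Returns 0 on success, BAD_FUNC_ARG on a NULL argument, or the error from
 * wc_AesGetKeySize(). In the error case the bytes covered by leftover
 * keystream have already been written.
 */
int wc_AesCtrEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    uint32_t keySize;
    byte *iv, *enc_key;
    byte* tmp;
    int ret;

    if (aes == NULL || out == NULL || in == NULL) {
        return BAD_FUNC_ARG;
    }

    /* consume any unused bytes left in aes->tmp */
    tmp = (byte*)aes->tmp + AES_BLOCK_SIZE - aes->left;
    while (aes->left && sz) {
        *(out++) = *(in++) ^ *(tmp++);
        aes->left--;
        sz--;
    }

    if (sz) {
        iv      = (byte*)aes->reg;
        enc_key = (byte*)aes->key;

        /* do not hand an uninitialised key size to the engine */
        ret = wc_AesGetKeySize(aes, &keySize);
        if (ret != 0) {
            return ret;
        }

        /* NOTE(review): the result of LTC_AES_CryptCtr() is discarded, so a
         * driver failure is still reported as success and out may not hold
         * valid ciphertext. The CBC functions of this port compare the
         * driver status with kStatus_Success; confirm the return type here
         * and do the same. */
        LTC_AES_CryptCtr(LTC_BASE, in, out, sz,
            iv, enc_key, keySize, (byte*)aes->tmp,
            (uint32_t*)&aes->left);
    }

    return 0;
}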
wolfSSL 15:117db924cf7c 3890
wolfSSL 15:117db924cf7c 3891 #elif defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_AES)
wolfSSL 15:117db924cf7c 3892 /* implemented in wolfcrypt/src/port/caam/caam_aes.c */
wolfSSL 15:117db924cf7c 3893
wolfSSL 16:8e0d178b1d1e 3894 #elif defined(WOLFSSL_AFALG)
wolfSSL 16:8e0d178b1d1e 3895 /* implemented in wolfcrypt/src/port/af_alg/afalg_aes.c */
wolfSSL 16:8e0d178b1d1e 3896
wolfSSL 16:8e0d178b1d1e 3897 #elif defined(WOLFSSL_DEVCRYPTO_AES)
wolfSSL 16:8e0d178b1d1e 3898 /* implemented in wolfcrypt/src/port/devcrypt/devcrypto_aes.c */
wolfSSL 16:8e0d178b1d1e 3899
wolfSSL 16:8e0d178b1d1e 3900 #elif defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
wolfSSL 16:8e0d178b1d1e 3901 !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_AES)
wolfSSL 16:8e0d178b1d1e 3902 /* esp32 doesn't support CTR mode by hw. */
wolfSSL 16:8e0d178b1d1e 3903 /* use aes encryption plus sw implementation */
wolfSSL 16:8e0d178b1d1e 3904 #define NEED_AES_CTR_SOFT
wolfSSL 16:8e0d178b1d1e 3905
wolfSSL 15:117db924cf7c 3906 #else
wolfSSL 15:117db924cf7c 3907
wolfSSL 15:117db924cf7c 3908 /* Use software based AES counter */
wolfSSL 15:117db924cf7c 3909 #define NEED_AES_CTR_SOFT
wolfSSL 15:117db924cf7c 3910 #endif
wolfSSL 15:117db924cf7c 3911
wolfSSL 15:117db924cf7c 3912 #ifdef NEED_AES_CTR_SOFT
/* Increment AES counter
 *
 * Adds one to the AES_BLOCK_SIZE-byte counter in inOutCtr, treating it as a
 * big-endian integer: the last byte is bumped first and the carry moves
 * toward the first byte. A counter of all 0xFF bytes wraps to all zero.
 */
static WC_INLINE void IncrementAesCounter(byte* inOutCtr)
{
    int pos = AES_BLOCK_SIZE;

    /* in network byte order so start at end and work back */
    while (pos-- > 0) {
        inOutCtr[pos]++;
        if (inOutCtr[pos] != 0) {
            break;  /* no carry out of this byte, so we are done */
        }
    }
}
wolfSSL 15:117db924cf7c 3923
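/* Software AES - CTR Encrypt
 *
 * aes  AES context; aes->reg is the counter block, aes->tmp holds the most
 *      recent keystream block and aes->left the number of its bytes that
 *      have not been used yet
 * out  destination buffer
 * in   source buffer
 * sz   byte count, any length
 *
 * Leftover keystream from the previous call is consumed first, then whole
 * blocks, then a final partial block whose unused keystream is kept in
 * aes->tmp for the next call. When XTRANSFORM_AESCTRBLOCK is defined the
 * whole blocks are processed by that hardware routine.
 *
 * Returns 0 on success, BAD_FUNC_ARG on a NULL argument, or the error
 * returned by XTRANSFORM_AESCTRBLOCK. In the error case the output written
 * so far stays in place and the counter is not advanced for the failed
 * block.
 */
int wc_AesCtrEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    byte* tmp;
    byte scratch[AES_BLOCK_SIZE];
#ifdef XTRANSFORM_AESCTRBLOCK
    int ret;
#endif

    if (aes == NULL || out == NULL || in == NULL) {
        return BAD_FUNC_ARG;
    }

    /* consume any unused bytes left in aes->tmp */
    tmp = (byte*)aes->tmp + AES_BLOCK_SIZE - aes->left;
    while (aes->left && sz) {
        *(out++) = *(in++) ^ *(tmp++);
        aes->left--;
        sz--;
    }

    /* do as many block size ops as possible */
    while (sz >= AES_BLOCK_SIZE) {
    #ifdef XTRANSFORM_AESCTRBLOCK
        /* The hardware block routine reports failures (mutex, init, HAL
         * status) through its return value. Ignoring it would report
         * success while out holds no valid ciphertext, which for an
         * in-place call means the plaintext is still there. */
        ret = XTRANSFORM_AESCTRBLOCK(aes, out, in);
        if (ret != 0) {
            ForceZero(scratch, AES_BLOCK_SIZE);
            return ret;
        }
    #else
        wc_AesEncrypt(aes, (byte*)aes->reg, scratch);
        xorbuf(scratch, in, AES_BLOCK_SIZE);
        XMEMCPY(out, scratch, AES_BLOCK_SIZE);
    #endif
        IncrementAesCounter((byte*)aes->reg);

        out += AES_BLOCK_SIZE;
        in  += AES_BLOCK_SIZE;
        sz  -= AES_BLOCK_SIZE;
        aes->left = 0;
    }
    /* scratch held keystream and then output data; wipe it from the stack */
    ForceZero(scratch, AES_BLOCK_SIZE);

    /* handle non block size remaining and store unused byte count in left */
    if (sz) {
        wc_AesEncrypt(aes, (byte*)aes->reg, (byte*)aes->tmp);
        IncrementAesCounter((byte*)aes->reg);

        aes->left = AES_BLOCK_SIZE;
        tmp = (byte*)aes->tmp;

        while (sz--) {
            *(out++) = *(in++) ^ *(tmp++);
            aes->left--;
        }
    }

    return 0;
}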
wolfSSL 15:117db924cf7c 3976
wolfSSL 15:117db924cf7c 3977 #endif /* NEED_AES_CTR_SOFT */
wolfSSL 15:117db924cf7c 3978
wolfSSL 15:117db924cf7c 3979 #endif /* WOLFSSL_AES_COUNTER */
wolfSSL 15:117db924cf7c 3980 #endif /* !WOLFSSL_ARMASM */
wolfSSL 15:117db924cf7c 3981
wolfSSL 15:117db924cf7c 3982
wolfSSL 15:117db924cf7c 3983 /*
wolfSSL 15:117db924cf7c 3984 * The IV for AES GCM and CCM, stored in struct Aes's member reg, is comprised
wolfSSL 15:117db924cf7c 3985 * of two parts in order:
wolfSSL 15:117db924cf7c 3986 * 1. The fixed field which may be 0 or 4 bytes long. In TLS, this is set
wolfSSL 15:117db924cf7c 3987 * to the implicit IV.
wolfSSL 15:117db924cf7c 3988 * 2. The explicit IV is generated by wolfCrypt. It needs to be managed
wolfSSL 15:117db924cf7c 3989 * by wolfCrypt to ensure the IV is unique for each call to encrypt.
wolfSSL 15:117db924cf7c 3990 * The IV may be a 96-bit random value, or the 32-bit fixed value and a
wolfSSL 15:117db924cf7c 3991 * 64-bit set of 0 or random data. The final 32-bits of reg is used as a
wolfSSL 15:117db924cf7c 3992 * block counter during the encryption.
wolfSSL 15:117db924cf7c 3993 */
wolfSSL 15:117db924cf7c 3994
wolfSSL 15:117db924cf7c 3995 #if (defined(HAVE_AESGCM) && !defined(WC_NO_RNG)) || defined(HAVE_AESCCM)
/* Increment the big-endian counter held in the ctrSz bytes at ctr.
 *
 * Starts at the last byte and carries towards the first. When every byte
 * overflows the counter wraps to all zeros without any indication, so the
 * caller is responsible for not exhausting the counter space.
 */
static WC_INLINE void IncCtr(byte* ctr, word32 ctrSz)
{
    int pos = ctrSz-1;

    while (pos >= 0) {
        ctr[pos]++;
        if (ctr[pos] != 0) {
            /* no carry out of this byte, nothing further to do */
            return;
        }
        pos--;
    }
}
wolfSSL 15:117db924cf7c 4004 #endif /* HAVE_AESGCM || HAVE_AESCCM */
wolfSSL 15:117db924cf7c 4005
wolfSSL 15:117db924cf7c 4006
wolfSSL 15:117db924cf7c 4007 #ifdef HAVE_AESGCM
wolfSSL 15:117db924cf7c 4008
wolfSSL 15:117db924cf7c 4009 #if defined(HAVE_COLDFIRE_SEC)
wolfSSL 15:117db924cf7c 4010 #error "Coldfire SEC doesn't currently support AES-GCM mode"
wolfSSL 15:117db924cf7c 4011
wolfSSL 15:117db924cf7c 4012 #elif defined(WOLFSSL_NRF51_AES)
wolfSSL 15:117db924cf7c 4013 #error "nRF51 doesn't currently support AES-GCM mode"
wolfSSL 15:117db924cf7c 4014
wolfSSL 15:117db924cf7c 4015 #endif
wolfSSL 15:117db924cf7c 4016
wolfSSL 15:117db924cf7c 4017 #ifdef WOLFSSL_ARMASM
wolfSSL 15:117db924cf7c 4018 /* implementation is located in wolfcrypt/src/port/arm/armv8-aes.c */
wolfSSL 16:8e0d178b1d1e 4019
wolfSSL 16:8e0d178b1d1e 4020 #elif defined(WOLFSSL_AFALG)
wolfSSL 16:8e0d178b1d1e 4021 /* implemented in wolfcrypt/src/port/afalg/afalg_aes.c */
wolfSSL 16:8e0d178b1d1e 4022
wolfSSL 16:8e0d178b1d1e 4023 #elif defined(WOLFSSL_DEVCRYPTO_AES)
wolfSSL 16:8e0d178b1d1e 4024 /* implemented in wolfcrypt/src/port/devcrypt/devcrypto_aes.c */
wolfSSL 16:8e0d178b1d1e 4025
wolfSSL 15:117db924cf7c 4026 #else /* software + AESNI implementation */
wolfSSL 15:117db924cf7c 4027
wolfSSL 15:117db924cf7c 4028 #if !defined(FREESCALE_LTC_AES_GCM)
/* Increment the block-counter field of a GCM counter block.
 *
 * Only the last CTR_SZ bytes of the AES_BLOCK_SIZE-byte block are touched;
 * they are treated as a big-endian integer. A carry out of that field is
 * dropped, so the field wraps to zero silently and the leading IV bytes are
 * never modified.
 */
static WC_INLINE void IncrementGcmCounter(byte* inOutCtr)
{
    int pos = AES_BLOCK_SIZE - 1;

    /* network byte order: least significant byte is the last one */
    while (pos >= AES_BLOCK_SIZE - CTR_SZ) {
        inOutCtr[pos]++;
        if (inOutCtr[pos] != 0) {
            /* byte did not overflow, so there is no carry to propagate */
            return;
        }
        pos--;
    }
}
wolfSSL 16:8e0d178b1d1e 4039 #ifdef STM32_CRYPTO_AES_GCM
/* Decrement the block-counter field of a GCM counter block.
 *
 * Mirror image of the increment: the last CTR_SZ bytes are a big-endian
 * integer, a borrow out of that field is dropped (the field wraps to all
 * 0xFF bytes), and the leading IV bytes are left untouched.
 */
static WC_INLINE void DecrementGcmCounter(byte* inOutCtr)
{
    int pos = AES_BLOCK_SIZE - 1;

    /* network byte order: least significant byte is the last one */
    while (pos >= AES_BLOCK_SIZE - CTR_SZ) {
        inOutCtr[pos]--;
        if (inOutCtr[pos] != 0xFF) {
            /* byte did not underflow, so there is no borrow to propagate */
            return;
        }
        pos--;
    }
}
wolfSSL 16:8e0d178b1d1e 4050 #endif /* STM32_CRYPTO_AES_GCM */
wolfSSL 15:117db924cf7c 4051 #endif /* !FREESCALE_LTC_AES_GCM */
wolfSSL 15:117db924cf7c 4052
wolfSSL 15:117db924cf7c 4053 #if defined(GCM_SMALL) || defined(GCM_TABLE)
wolfSSL 15:117db924cf7c 4054
/* Write a byte count as a 64-bit big-endian bit count.
 *
 * sz is a length in bytes; the value sz * 8 is stored in buf[0..7], most
 * significant byte first. The three bits that the multiplication pushes out
 * of the word32 are kept in the upper half, so nothing is lost.
 * buf must have room for 8 bytes.
 */
static WC_INLINE void FlattenSzInBits(byte* buf, word32 sz)
{
    /* sz * 8, split into the part that overflows the word and the rest */
    const word32 bitsHi = (sz >> (8*sizeof(sz) - 3));
    const word32 bitsLo = sz << 3;
    int k;

    for (k = 0; k < 4; k++) {
        const int shift = 24 - 8*k;

        buf[k]     = (bitsHi >> shift) & 0xff;
        buf[k + 4] = (bitsLo >> shift) & 0xff;
    }
}
wolfSSL 15:117db924cf7c 4071
wolfSSL 15:117db924cf7c 4072
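/* Shift the 16-byte block x right by one bit, in place, and fold the bit
 * shifted out of x[15] back in by XORing 0xE1 into x[0].
 *
 * x is treated as one big-endian bit string: the low bit of each byte
 * becomes the high bit of the next byte.
 *
 * The blocks passed in by GenerateM0() are derived from the hash key H, so
 * the conditional XOR is done with a mask instead of an `if`: the same
 * instructions run whatever the value of the shifted-out bit, and no branch
 * depends on key material. The result is identical to the branching form.
 */
static WC_INLINE void RIGHTSHIFTX(byte* x)
{
    int  i;
    byte carryIn = 0;
    /* 0xE1 when the low bit of x[15] is set, 0x00 otherwise */
    const byte reduce = (byte)((0x00 - (x[15] & 0x01)) & 0xE1);

    for (i = 0; i < AES_BLOCK_SIZE; i++) {
        /* low bit of this byte, already moved to the top-bit position */
        const byte carryOut = (byte)((x[i] & 0x01) << 7);

        x[i] = (byte)((x[i] >> 1) | carryIn);
        carryIn = carryOut;
    }
    x[0] ^= reduce;
}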
wolfSSL 15:117db924cf7c 4087
wolfSSL 15:117db924cf7c 4088 #endif /* defined(GCM_SMALL) || defined(GCM_TABLE) */
wolfSSL 15:117db924cf7c 4089
wolfSSL 15:117db924cf7c 4090
wolfSSL 15:117db924cf7c 4091 #ifdef GCM_TABLE
wolfSSL 15:117db924cf7c 4092
/* Build the 256-entry table aes->M0 from the hash key aes->H.
 *
 * Entry 128 is H itself; entries 64, 32, ... 1 are each the previous one
 * passed through RIGHTSHIFTX(). Every other non-zero index is filled as the
 * XOR of the entries for its highest set bit and for the remaining low bits.
 * Entry 0 is all zeros.
 *
 * The table is derived entirely from H, so it is key-dependent data and
 * needs the same handling as the key when the Aes object is released.
 */
static void GenerateM0(Aes* aes)
{
    byte (*tbl)[AES_BLOCK_SIZE] = aes->M0;
    int bit;
    int low;

    XMEMCPY(tbl[128], aes->H, AES_BLOCK_SIZE);

    /* single-bit indices below 128: one shift per step down */
    for (bit = 64; bit > 0; bit >>= 1) {
        XMEMCPY(tbl[bit], tbl[bit << 1], AES_BLOCK_SIZE);
        RIGHTSHIFTX(tbl[bit]);
    }

    /* multi-bit indices: top bit entry XOR entry for the lower bits */
    for (bit = 2; bit < 256; bit <<= 1) {
        for (low = 1; low < bit; low++) {
            XMEMCPY(tbl[bit + low], tbl[bit], AES_BLOCK_SIZE);
            xorbuf(tbl[bit + low], tbl[low], AES_BLOCK_SIZE);
        }
    }

    XMEMSET(tbl[0], 0, AES_BLOCK_SIZE);
}
wolfSSL 15:117db924cf7c 4114
wolfSSL 15:117db924cf7c 4115 #endif /* GCM_TABLE */
wolfSSL 15:117db924cf7c 4116
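/* Software AES - GCM SetKey
 *
 * Loads an AES key for GCM use and, on the plain software path, derives the
 * hash key H by encrypting an all-zero block (plus the M0 table when
 * GCM_TABLE is defined).
 *
 * aes  context to set up; must not be NULL
 * key  raw key of 16, 24 or 32 bytes. With WOLFSSL_IMX6_CAAM_BLOB a blob of
 *      one of those sizes plus WC_CAAM_BLOB_SZ is also accepted and opened
 *      into a local buffer first.
 * len  length of key in bytes
 *
 * Returns the result of wc_AesSetKey(), or BAD_FUNC_ARG for a NULL aes, an
 * unsupported length, or a blob that cannot be opened.
 *
 * Changes from the previous version:
 *  - aes is rejected up front. Before, only the OPENSSL_EXTRA block tested
 *    it, while the WOLF_CRYPTO_CB block dereferenced aes->devId
 *    unconditionally, so a NULL context could be dereferenced there.
 *  - the unwrapped CAAM key in `local` is wiped on every return path, not
 *    only on the final one.
 */
int wc_AesGcmSetKey(Aes* aes, const byte* key, word32 len)
{
    int  ret;
    byte iv[AES_BLOCK_SIZE];
#ifdef WOLFSSL_IMX6_CAAM_BLOB
    byte   local[32];
    word32 localSz = 32;
#endif

    if (aes == NULL) {
        return BAD_FUNC_ARG;
    }

#ifdef WOLFSSL_IMX6_CAAM_BLOB
    if (len == (16 + WC_CAAM_BLOB_SZ) ||
        len == (24 + WC_CAAM_BLOB_SZ) ||
        len == (32 + WC_CAAM_BLOB_SZ)) {
        if (wc_caamOpenBlob((byte*)key, len, local, &localSz) != 0) {
            ForceZero(local, sizeof(local));
            return BAD_FUNC_ARG;
        }

        /* set local values */
        key = local;
        len = localSz;
    }
#endif

    if (!((len == 16) || (len == 24) || (len == 32))) {
    #ifdef WOLFSSL_IMX6_CAAM_BLOB
        ForceZero(local, sizeof(local));
    #endif
        return BAD_FUNC_ARG;
    }

#ifdef OPENSSL_EXTRA
    /* start with no accumulated AAD state */
    XMEMSET(aes->aadH, 0, sizeof(aes->aadH));
    aes->aadLen = 0;
#endif
    XMEMSET(iv, 0, AES_BLOCK_SIZE);
    ret = wc_AesSetKey(aes, key, len, iv, AES_ENCRYPTION);

#ifdef WOLFSSL_AESNI
    /* AES-NI code generates its own H value. */
    /* NOTE(review): this early return also skips the WOLF_CRYPTO_CB key
     * copy further down, as it did before - confirm that is intended. */
    if (haveAESNI) {
    #ifdef WOLFSSL_IMX6_CAAM_BLOB
        ForceZero(local, sizeof(local));
    #endif
        return ret;
    }
#endif /* WOLFSSL_AESNI */

#if !defined(FREESCALE_LTC_AES_GCM)
    if (ret == 0) {
        /* iv is still all zeros here, so this yields H = E(K, 0) */
        wc_AesEncrypt(aes, iv, aes->H);
    #ifdef GCM_TABLE
        GenerateM0(aes);
    #endif /* GCM_TABLE */
    }
#endif /* FREESCALE_LTC_AES_GCM */

    /* NOTE(review): the result of wc_AesGcmSetKey_ex() is not checked and
     * the call is made even when ret != 0 - unchanged from the original. */
#if defined(WOLFSSL_XILINX_CRYPT)
    wc_AesGcmSetKey_ex(aes, key, len, XSECURE_CSU_AES_KEY_SRC_KUP);
#elif defined(WOLFSSL_AFALG_XILINX_AES)
    wc_AesGcmSetKey_ex(aes, key, len, 0);
#endif

#ifdef WOLF_CRYPTO_CB
    /* keep a copy of the raw key for a registered device; len was checked
     * above to be at most 32 bytes */
    if (aes->devId != INVALID_DEVID) {
        XMEMCPY(aes->devKey, key, len);
    }
#endif

#ifdef WOLFSSL_IMX6_CAAM_BLOB
    ForceZero(local, sizeof(local));
#endif

    return ret;
}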
wolfSSL 15:117db924cf7c 4185
wolfSSL 15:117db924cf7c 4186
wolfSSL 15:117db924cf7c 4187 #ifdef WOLFSSL_AESNI
wolfSSL 15:117db924cf7c 4188
wolfSSL 15:117db924cf7c 4189 #if defined(USE_INTEL_SPEEDUP)
wolfSSL 15:117db924cf7c 4190 #define HAVE_INTEL_AVX1
wolfSSL 15:117db924cf7c 4191 #define HAVE_INTEL_AVX2
wolfSSL 15:117db924cf7c 4192 #endif /* USE_INTEL_SPEEDUP */
wolfSSL 15:117db924cf7c 4193
wolfSSL 16:8e0d178b1d1e 4194 #ifndef _MSC_VER
wolfSSL 16:8e0d178b1d1e 4195
/* Prototypes for the AES-GCM routines used on non-MSVC builds. Each one is
 * declared with XASM_LINK() and the routine's own name as a string; no C
 * body for them appears in this part of the file.
 *
 * Judging by the parameter names (presumably - confirm against the
 * implementation): in/out are the data buffers (nbytes), addt the additional
 * authenticated data (abytes), ivec the IV (ibytes), tag the authentication
 * tag (tbytes), key the expanded key schedule and nr the round count.
 *
 * The encrypt variants take unsigned lengths and write tag; the decrypt
 * variants take signed int lengths, read tag as const and report through
 * the extra out-parameter res.
 * NOTE(review): res looks like the tag-verification result; callers should
 * treat `out` as unusable unless it signals success - confirm.
 */
void AES_GCM_encrypt(const unsigned char *in, unsigned char *out,
                     const unsigned char* addt, const unsigned char* ivec,
                     unsigned char *tag, unsigned int nbytes,
                     unsigned int abytes, unsigned int ibytes,
                     unsigned int tbytes, const unsigned char* key, int nr)
                     XASM_LINK("AES_GCM_encrypt");
#ifdef HAVE_INTEL_AVX1
void AES_GCM_encrypt_avx1(const unsigned char *in, unsigned char *out,
                          const unsigned char* addt, const unsigned char* ivec,
                          unsigned char *tag, unsigned int nbytes,
                          unsigned int abytes, unsigned int ibytes,
                          unsigned int tbytes, const unsigned char* key,
                          int nr)
                          XASM_LINK("AES_GCM_encrypt_avx1");
#ifdef HAVE_INTEL_AVX2
void AES_GCM_encrypt_avx2(const unsigned char *in, unsigned char *out,
                          const unsigned char* addt, const unsigned char* ivec,
                          unsigned char *tag, unsigned int nbytes,
                          unsigned int abytes, unsigned int ibytes,
                          unsigned int tbytes, const unsigned char* key,
                          int nr)
                          XASM_LINK("AES_GCM_encrypt_avx2");
#endif /* HAVE_INTEL_AVX2 */
#endif /* HAVE_INTEL_AVX1 */

#ifdef HAVE_AES_DECRYPT
void AES_GCM_decrypt(const unsigned char *in, unsigned char *out,
                     const unsigned char* addt, const unsigned char* ivec,
                     const unsigned char *tag, int nbytes, int abytes,
                     int ibytes, int tbytes, const unsigned char* key, int nr,
                     int* res)
                     XASM_LINK("AES_GCM_decrypt");
#ifdef HAVE_INTEL_AVX1
void AES_GCM_decrypt_avx1(const unsigned char *in, unsigned char *out,
                          const unsigned char* addt, const unsigned char* ivec,
                          const unsigned char *tag, int nbytes, int abytes,
                          int ibytes, int tbytes, const unsigned char* key,
                          int nr, int* res)
                          XASM_LINK("AES_GCM_decrypt_avx1");
#ifdef HAVE_INTEL_AVX2
void AES_GCM_decrypt_avx2(const unsigned char *in, unsigned char *out,
                          const unsigned char* addt, const unsigned char* ivec,
                          const unsigned char *tag, int nbytes, int abytes,
                          int ibytes, int tbytes, const unsigned char* key,
                          int nr, int* res)
                          XASM_LINK("AES_GCM_decrypt_avx2");
#endif /* HAVE_INTEL_AVX2 */
#endif /* HAVE_INTEL_AVX1 */
#endif /* HAVE_AES_DECRYPT */
wolfSSL 16:8e0d178b1d1e 4245
wolfSSL 16:8e0d178b1d1e 4246 #else /* _MSC_VER */
wolfSSL 16:8e0d178b1d1e 4247
/* S(w,z): one byte of the 64-bit value w. z counts from the most significant
 * byte, so z == 7 selects the least significant byte and z == 0 the most
 * significant one. */
#define S(w,z) ((char)((unsigned long long)(w) >> (8*(7-(z))) & 0xFF))
/* M128_INIT(x,y): 16-element byte initializer for an __m128i constant. The
 * eight bytes of x come first, then the eight bytes of y, each listed least
 * significant byte first. */
#define M128_INIT(x,y) { S((x),7), S((x),6), S((x),5), S((x),4), \
                         S((x),3), S((x),2), S((x),1), S((x),0), \
                         S((y),7), S((y),6), S((y),5), S((y),4), \
                         S((y),3), S((y),2), S((y),1), S((y),0) }

/* Value XORed into the result by gfmul_shl1() when the top bit of its input
 * is set. */
static const __m128i MOD2_128 =
        M128_INIT(0x1, (long long int)0xc200000000000000UL);


/* See Intel® Carry-Less Multiplication Instruction
 * and its Usage for Computing the GCM Mode White Paper
 * by Shay Gueron, Intel Mobility Group, Israel Development Center;
 * and Michael E. Kounavis, Intel Labs, Circuits and Systems Research */


/* Figure 9. AES-GCM – Encrypt With Single Block Ghash at a Time */

/* Small integer constants as 128-bit values; their uses are outside this
 * part of the file (presumably counter increments for the single-block and
 * 8-way unrolled paths - confirm). */
static const __m128i ONE   = M128_INIT(0x0, 0x1);
#ifndef AES_GCM_AESNI_NO_UNROLL
static const __m128i TWO   = M128_INIT(0x0, 0x2);
static const __m128i THREE = M128_INIT(0x0, 0x3);
static const __m128i FOUR  = M128_INIT(0x0, 0x4);
static const __m128i FIVE  = M128_INIT(0x0, 0x5);
static const __m128i SIX   = M128_INIT(0x0, 0x6);
static const __m128i SEVEN = M128_INIT(0x0, 0x7);
static const __m128i EIGHT = M128_INIT(0x0, 0x8);
#endif
/* Byte-shuffle control: reverses the bytes inside each 64-bit half. */
static const __m128i BSWAP_EPI64 =
        M128_INIT(0x0001020304050607, 0x08090a0b0c0d0e0f);
/* Byte-shuffle control: reverses all 16 bytes of the register. */
static const __m128i BSWAP_MASK =
        M128_INIT(0x08090a0b0c0d0e0f, 0x0001020304050607);
wolfSSL 16:8e0d178b1d1e 4280
wolfSSL 16:8e0d178b1d1e 4281
wolfSSL 15:117db924cf7c 4282 /* The following are for MSC based builds which do not allow
wolfSSL 15:117db924cf7c 4283 * inline assembly. Intrinsic functions are used instead. */
wolfSSL 15:117db924cf7c 4284
/* aes_gcm_calc_iv_12(KEY, ivec, nr, H, Y, T): set-up for a 12-byte IV.
 *
 *   Y = the 12 IV bytes followed by the word 0x01000000 (the byte sequence
 *       00 00 00 01 on a little-endian target), i.e. the initial counter
 *       block
 *   H = AES encryption of the all-zero block, then byte-reversed with
 *       BSWAP_MASK
 *   T = AES encryption of Y
 *
 * Both encryptions are interleaved round by round. nr selects the number of
 * rounds: the extra rounds are run when nr > 10 and again when nr > 12.
 *
 * The macro uses tmp1, tmp2 and lastKey from the enclosing scope, and KEY
 * must be an array of __m128i round keys.
 * NOTE(review): ivec is read through word32* casts, so the macro assumes the
 * target tolerates unaligned, type-punned 32-bit loads and that at least 12
 * bytes are readable at ivec.
 */
#define aes_gcm_calc_iv_12(KEY, ivec, nr, H, Y, T)         \
do                                                         \
{                                                          \
    word32 iv12[4];                                        \
    iv12[0] = *(word32*)&ivec[0];                          \
    iv12[1] = *(word32*)&ivec[4];                          \
    iv12[2] = *(word32*)&ivec[8];                          \
    iv12[3] = 0x01000000;                                  \
    Y = _mm_loadu_si128((__m128i*)iv12);                   \
                                                           \
    /* Compute E[ZERO, KS] and E[Y0, KS] together */       \
    tmp1 = _mm_load_si128(&KEY[0]);                        \
    tmp2 = _mm_xor_si128(Y, KEY[0]);                       \
    tmp1 = _mm_aesenc_si128(tmp1, KEY[1]);                 \
    tmp2 = _mm_aesenc_si128(tmp2, KEY[1]);                 \
    tmp1 = _mm_aesenc_si128(tmp1, KEY[2]);                 \
    tmp2 = _mm_aesenc_si128(tmp2, KEY[2]);                 \
    tmp1 = _mm_aesenc_si128(tmp1, KEY[3]);                 \
    tmp2 = _mm_aesenc_si128(tmp2, KEY[3]);                 \
    tmp1 = _mm_aesenc_si128(tmp1, KEY[4]);                 \
    tmp2 = _mm_aesenc_si128(tmp2, KEY[4]);                 \
    tmp1 = _mm_aesenc_si128(tmp1, KEY[5]);                 \
    tmp2 = _mm_aesenc_si128(tmp2, KEY[5]);                 \
    tmp1 = _mm_aesenc_si128(tmp1, KEY[6]);                 \
    tmp2 = _mm_aesenc_si128(tmp2, KEY[6]);                 \
    tmp1 = _mm_aesenc_si128(tmp1, KEY[7]);                 \
    tmp2 = _mm_aesenc_si128(tmp2, KEY[7]);                 \
    tmp1 = _mm_aesenc_si128(tmp1, KEY[8]);                 \
    tmp2 = _mm_aesenc_si128(tmp2, KEY[8]);                 \
    tmp1 = _mm_aesenc_si128(tmp1, KEY[9]);                 \
    tmp2 = _mm_aesenc_si128(tmp2, KEY[9]);                 \
    lastKey = KEY[10];                                     \
    if (nr > 10) {                                         \
        tmp1 = _mm_aesenc_si128(tmp1, lastKey);            \
        tmp2 = _mm_aesenc_si128(tmp2, lastKey);            \
        tmp1 = _mm_aesenc_si128(tmp1, KEY[11]);            \
        tmp2 = _mm_aesenc_si128(tmp2, KEY[11]);            \
        lastKey = KEY[12];                                 \
        if (nr > 12) {                                     \
            tmp1 = _mm_aesenc_si128(tmp1, lastKey);        \
            tmp2 = _mm_aesenc_si128(tmp2, lastKey);        \
            tmp1 = _mm_aesenc_si128(tmp1, KEY[13]);        \
            tmp2 = _mm_aesenc_si128(tmp2, KEY[13]);        \
            lastKey = KEY[14];                             \
        }                                                  \
    }                                                      \
    H = _mm_aesenclast_si128(tmp1, lastKey);               \
    T = _mm_aesenclast_si128(tmp2, lastKey);               \
    H = _mm_shuffle_epi8(H, BSWAP_MASK);                   \
}                                                          \
while (0)
wolfSSL 15:117db924cf7c 4336
/* aes_gcm_calc_iv(KEY, ivec, ibytes, nr, H, Y, T): set-up for an IV of
 * arbitrary length ibytes.
 *
 *   H = AES encryption of the all-zero block, byte-reversed with BSWAP_MASK
 *   Y = the IV hashed with H: each full 16-byte IV block, then the trailing
 *       partial block (if any), then a block carrying ibytes*8 as the IV
 *       length in bits, each XORed in and multiplied by H with gfmul_sw();
 *       the result is byte-reversed back before use
 *   T = AES encryption of that Y
 *
 * nr selects the number of rounds as in aes_gcm_calc_iv_12.
 *
 * The macro uses i, j, last_block, tmp1 and lastKey from the enclosing
 * scope.
 * NOTE(review): only the first ibytes%16 bytes of last_block are written
 * here, so the enclosing function presumably zeroes it beforehand; a stale
 * tail would change Y - confirm at the call sites.
 * NOTE(review): ibytes*8 is evaluated in the type of ibytes before it is
 * widened for _mm_insert_epi64(); confirm callers bound the IV length so the
 * product cannot wrap.
 */
#define aes_gcm_calc_iv(KEY, ivec, ibytes, nr, H, Y, T)         \
do                                                              \
{                                                               \
    if (ibytes % 16) {                                          \
        i = ibytes / 16;                                        \
        for (j=0; j < (int)(ibytes%16); j++)                    \
            ((unsigned char*)&last_block)[j] = ivec[i*16+j];    \
    }                                                           \
    tmp1 = _mm_load_si128(&KEY[0]);                             \
    tmp1 = _mm_aesenc_si128(tmp1, KEY[1]);                      \
    tmp1 = _mm_aesenc_si128(tmp1, KEY[2]);                      \
    tmp1 = _mm_aesenc_si128(tmp1, KEY[3]);                      \
    tmp1 = _mm_aesenc_si128(tmp1, KEY[4]);                      \
    tmp1 = _mm_aesenc_si128(tmp1, KEY[5]);                      \
    tmp1 = _mm_aesenc_si128(tmp1, KEY[6]);                      \
    tmp1 = _mm_aesenc_si128(tmp1, KEY[7]);                      \
    tmp1 = _mm_aesenc_si128(tmp1, KEY[8]);                      \
    tmp1 = _mm_aesenc_si128(tmp1, KEY[9]);                      \
    lastKey = KEY[10];                                          \
    if (nr > 10) {                                              \
        tmp1 = _mm_aesenc_si128(tmp1, lastKey);                 \
        tmp1 = _mm_aesenc_si128(tmp1, KEY[11]);                 \
        lastKey = KEY[12];                                      \
        if (nr > 12) {                                          \
            tmp1 = _mm_aesenc_si128(tmp1, lastKey);             \
            tmp1 = _mm_aesenc_si128(tmp1, KEY[13]);             \
            lastKey = KEY[14];                                  \
        }                                                       \
    }                                                           \
    H = _mm_aesenclast_si128(tmp1, lastKey);                    \
    H = _mm_shuffle_epi8(H, BSWAP_MASK);                        \
    Y = _mm_setzero_si128();                                    \
    for (i=0; i < (int)(ibytes/16); i++) {                      \
        tmp1 = _mm_loadu_si128(&((__m128i*)ivec)[i]);           \
        tmp1 = _mm_shuffle_epi8(tmp1, BSWAP_MASK);              \
        Y = _mm_xor_si128(Y, tmp1);                             \
        Y = gfmul_sw(Y, H);                                     \
    }                                                           \
    if (ibytes % 16) {                                          \
        tmp1 = last_block;                                      \
        tmp1 = _mm_shuffle_epi8(tmp1, BSWAP_MASK);              \
        Y = _mm_xor_si128(Y, tmp1);                             \
        Y = gfmul_sw(Y, H);                                     \
    }                                                           \
    tmp1 = _mm_insert_epi64(tmp1, ibytes*8, 0);                 \
    tmp1 = _mm_insert_epi64(tmp1, 0, 1);                        \
    Y = _mm_xor_si128(Y, tmp1);                                 \
    Y = gfmul_sw(Y, H);                                         \
    Y = _mm_shuffle_epi8(Y, BSWAP_MASK); /* Compute E(K, Y0) */ \
    tmp1 = _mm_xor_si128(Y, KEY[0]);                            \
    tmp1 = _mm_aesenc_si128(tmp1, KEY[1]);                      \
    tmp1 = _mm_aesenc_si128(tmp1, KEY[2]);                      \
    tmp1 = _mm_aesenc_si128(tmp1, KEY[3]);                      \
    tmp1 = _mm_aesenc_si128(tmp1, KEY[4]);                      \
    tmp1 = _mm_aesenc_si128(tmp1, KEY[5]);                      \
    tmp1 = _mm_aesenc_si128(tmp1, KEY[6]);                      \
    tmp1 = _mm_aesenc_si128(tmp1, KEY[7]);                      \
    tmp1 = _mm_aesenc_si128(tmp1, KEY[8]);                      \
    tmp1 = _mm_aesenc_si128(tmp1, KEY[9]);                      \
    lastKey = KEY[10];                                          \
    if (nr > 10) {                                              \
        tmp1 = _mm_aesenc_si128(tmp1, lastKey);                 \
        tmp1 = _mm_aesenc_si128(tmp1, KEY[11]);                 \
        lastKey = KEY[12];                                      \
        if (nr > 12) {                                          \
            tmp1 = _mm_aesenc_si128(tmp1, lastKey);             \
            tmp1 = _mm_aesenc_si128(tmp1, KEY[13]);             \
            lastKey = KEY[14];                                  \
        }                                                       \
    }                                                           \
    T = _mm_aesenclast_si128(tmp1, lastKey);                    \
}                                                               \
while (0)
wolfSSL 15:117db924cf7c 4410
/* AES_ENC_8(j): apply one AES round with round key KEY[j] to the eight
 * blocks tmp1..tmp8 of the enclosing scope.
 *
 * The expansion is eight bare statements, not a do { } while (0) block, so
 * it must only be used where a statement sequence is valid (never as the
 * unbraced body of an if or a loop).
 */
#define AES_ENC_8(j)                       \
    tmp1 = _mm_aesenc_si128(tmp1, KEY[j]); \
    tmp2 = _mm_aesenc_si128(tmp2, KEY[j]); \
    tmp3 = _mm_aesenc_si128(tmp3, KEY[j]); \
    tmp4 = _mm_aesenc_si128(tmp4, KEY[j]); \
    tmp5 = _mm_aesenc_si128(tmp5, KEY[j]); \
    tmp6 = _mm_aesenc_si128(tmp6, KEY[j]); \
    tmp7 = _mm_aesenc_si128(tmp7, KEY[j]); \
    tmp8 = _mm_aesenc_si128(tmp8, KEY[j]);
wolfSSL 15:117db924cf7c 4420
/* AES_ENC_LAST_8(): finish eight blocks in parallel.
 *
 * Applies the final AES round with lastKey to tmp1..tmp8, XORs each result
 * with the matching 16-byte input block in[i*8 + 0..7] and stores it to
 * out[i*8 + 0..7]. Loads and stores are the unaligned variants.
 *
 * Uses tmp1..tmp8, lastKey, in, out and i from the enclosing scope; the
 * caller must guarantee that 128 bytes are readable at in and writable at
 * out for the current i. Like AES_ENC_8, the expansion is a bare statement
 * sequence without a do { } while (0) wrapper.
 */
#define AES_ENC_LAST_8()                                                  \
    tmp1 =_mm_aesenclast_si128(tmp1, lastKey);                            \
    tmp2 =_mm_aesenclast_si128(tmp2, lastKey);                            \
    tmp1 = _mm_xor_si128(tmp1, _mm_loadu_si128(&((__m128i*)in)[i*8+0])); \
    tmp2 = _mm_xor_si128(tmp2, _mm_loadu_si128(&((__m128i*)in)[i*8+1])); \
    _mm_storeu_si128(&((__m128i*)out)[i*8+0], tmp1);                     \
    _mm_storeu_si128(&((__m128i*)out)[i*8+1], tmp2);                     \
    tmp3 =_mm_aesenclast_si128(tmp3, lastKey);                            \
    tmp4 =_mm_aesenclast_si128(tmp4, lastKey);                            \
    tmp3 = _mm_xor_si128(tmp3, _mm_loadu_si128(&((__m128i*)in)[i*8+2])); \
    tmp4 = _mm_xor_si128(tmp4, _mm_loadu_si128(&((__m128i*)in)[i*8+3])); \
    _mm_storeu_si128(&((__m128i*)out)[i*8+2], tmp3);                     \
    _mm_storeu_si128(&((__m128i*)out)[i*8+3], tmp4);                     \
    tmp5 =_mm_aesenclast_si128(tmp5, lastKey);                            \
    tmp6 =_mm_aesenclast_si128(tmp6, lastKey);                            \
    tmp5 = _mm_xor_si128(tmp5, _mm_loadu_si128(&((__m128i*)in)[i*8+4])); \
    tmp6 = _mm_xor_si128(tmp6, _mm_loadu_si128(&((__m128i*)in)[i*8+5])); \
    _mm_storeu_si128(&((__m128i*)out)[i*8+4], tmp5);                     \
    _mm_storeu_si128(&((__m128i*)out)[i*8+5], tmp6);                     \
    tmp7 =_mm_aesenclast_si128(tmp7, lastKey);                            \
    tmp8 =_mm_aesenclast_si128(tmp8, lastKey);                            \
    tmp7 = _mm_xor_si128(tmp7, _mm_loadu_si128(&((__m128i*)in)[i*8+6])); \
    tmp8 = _mm_xor_si128(tmp8, _mm_loadu_si128(&((__m128i*)in)[i*8+7])); \
    _mm_storeu_si128(&((__m128i*)out)[i*8+6], tmp7);                     \
    _mm_storeu_si128(&((__m128i*)out)[i*8+7], tmp8);
wolfSSL 15:117db924cf7c 4446
wolfSSL 15:117db924cf7c 4447
/* Multiply a by b for GHASH and return the reduced 128-bit result.
 *
 * Three stages, all on whole registers:
 *   1. 128 x 128 carry-less multiply built from three 64-bit
 *      _mm_clmulepi64_si128 products (high x high, low x low, and the
 *      product of the XORed halves), giving a 256-bit value in t1 (low
 *      half) and t4 (high half)
 *   2. shift of that 256-bit value left by one bit
 *   3. reduction of the low half into the high half with shift/XOR steps
 *
 * The sequence contains no branches and no table lookups, so the
 * instructions executed do not depend on the operand values.
 */
static __m128i gfmul_sw(__m128i a, __m128i b)
{
    __m128i r, t1, t2, t3, t4, t5, t6, t7;
    /* stage 1: shuffle 78 swaps the 64-bit halves, so the XOR leaves
     * (high ^ low) in both halves of t2 and t3 */
    t2 = _mm_shuffle_epi32(b, 78);
    t3 = _mm_shuffle_epi32(a, 78);
    t2 = _mm_xor_si128(t2, b);
    t3 = _mm_xor_si128(t3, a);
    t4 = _mm_clmulepi64_si128(b, a, 0x11);
    t1 = _mm_clmulepi64_si128(b, a, 0x00);
    t2 = _mm_clmulepi64_si128(t2, t3, 0x00);
    t2 = _mm_xor_si128(t2, t1);
    t2 = _mm_xor_si128(t2, t4);
    /* fold the middle product into the low (t1) and high (t4) halves */
    t3 = _mm_slli_si128(t2, 8);
    t2 = _mm_srli_si128(t2, 8);
    t1 = _mm_xor_si128(t1, t3);
    t4 = _mm_xor_si128(t4, t2);

    /* stage 2: shift t4:t1 left by one bit, carrying between 32-bit lanes
     * and from t1 into t4 */
    t5 = _mm_srli_epi32(t1, 31);
    t6 = _mm_srli_epi32(t4, 31);
    t1 = _mm_slli_epi32(t1, 1);
    t4 = _mm_slli_epi32(t4, 1);
    t7 = _mm_srli_si128(t5, 12);
    t5 = _mm_slli_si128(t5, 4);
    t6 = _mm_slli_si128(t6, 4);
    t4 = _mm_or_si128(t4, t7);
    t1 = _mm_or_si128(t1, t5);
    t4 = _mm_or_si128(t4, t6);

    /* stage 3: reduction, first pass (left shifts by 31, 30 and 25) */
    t5 = _mm_slli_epi32(t1, 31);
    t6 = _mm_slli_epi32(t1, 30);
    t7 = _mm_slli_epi32(t1, 25);
    t5 = _mm_xor_si128(t5, t6);
    t5 = _mm_xor_si128(t5, t7);

    /* second pass (right shifts by 1, 2 and 7) */
    t6 = _mm_srli_si128(t5, 4);
    t5 = _mm_slli_si128(t5, 12);
    t1 = _mm_xor_si128(t1, t5);
    t7 = _mm_srli_epi32(t1, 1);
    t3 = _mm_srli_epi32(t1, 2);
    t2 = _mm_srli_epi32(t1, 7);

    t7 = _mm_xor_si128(t7, t3);
    t7 = _mm_xor_si128(t7, t2);
    t7 = _mm_xor_si128(t7, t6);
    t7 = _mm_xor_si128(t7, t1);
    /* combine the reduced low half with the high half */
    r = _mm_xor_si128(t4, t7);

    return r;
}
wolfSSL 15:117db924cf7c 4497
/* Carry-less multiply a by b without any shift or reduction, and
 * XOR-accumulate the 256-bit product into *r0 (low 128 bits) and *r1 (high
 * 128 bits).
 *
 * r0 and r1 are read as well as written, so the caller must initialise them
 * before the first call. Like gfmul_sw(), the body has no branches or table
 * lookups.
 */
static void gfmul_only(__m128i a, __m128i b, __m128i* r0, __m128i* r1)
{
    __m128i t1, t2, t3, t4;

    /* 128 x 128 Carryless Multiply */
    t2 = _mm_shuffle_epi32(b, 78);
    t3 = _mm_shuffle_epi32(a, 78);
    t2 = _mm_xor_si128(t2, b);
    t3 = _mm_xor_si128(t3, a);
    t4 = _mm_clmulepi64_si128(b, a, 0x11);
    t1 = _mm_clmulepi64_si128(b, a, 0x00);
    t2 = _mm_clmulepi64_si128(t2, t3, 0x00);
    t2 = _mm_xor_si128(t2, t1);
    t2 = _mm_xor_si128(t2, t4);
    /* fold the middle product into the low (t1) and high (t4) halves */
    t3 = _mm_slli_si128(t2, 8);
    t2 = _mm_srli_si128(t2, 8);
    t1 = _mm_xor_si128(t1, t3);
    t4 = _mm_xor_si128(t4, t2);
    /* accumulate into the caller's running totals */
    *r0 = _mm_xor_si128(t1, *r0);
    *r1 = _mm_xor_si128(t4, *r1);
}
wolfSSL 15:117db924cf7c 4519
/* Shift the 128-bit value a left by one bit and, when the bit shifted out of
 * the top was set, XOR in MOD2_128.
 *
 * The conditional XOR is done with an all-ones/all-zero mask instead of a
 * branch, so control flow does not depend on the value of a (the callers in
 * this file pass the hash key H).
 */
static __m128i gfmul_shl1(__m128i a)
{
    __m128i carry, shifted, mask;

    /* Each 64-bit lane is shifted separately; bit 63 of the low lane is
     * carried into bit 0 of the high lane. */
    carry   = _mm_slli_si128(_mm_srli_epi64(a, 63), 8);
    shifted = _mm_or_si128(_mm_slli_epi64(a, 1), carry);

    /* Broadcast the top 32-bit lane and sign-extend its top bit:
     * equivalent to if (a[1] >> 63) shifted ^= MOD2_128; */
    mask = _mm_srai_epi32(_mm_shuffle_epi32(a, 0xff), 31);

    return _mm_xor_si128(shifted, _mm_and_si128(mask, MOD2_128));
}
wolfSSL 15:117db924cf7c 4534
/* Reduction step for the unreduced product accumulated by gfmul_only().
 *
 * r0 is the low 128 bits and r1 the high 128 bits of the accumulator; the
 * return value is the 128-bit reduced result. Only shifts and XORs are used,
 * so there are no data-dependent branches or table lookups.
 */
static __m128i ghash_red(__m128i r0, __m128i r1)
{
    __m128i fold, carry, acc;

    /* First phase: fold the left-shifted copies of r0 back into r0. */
    fold = _mm_xor_si128(_mm_slli_epi32(r0, 31), _mm_slli_epi32(r0, 30));
    fold = _mm_xor_si128(fold, _mm_slli_epi32(r0, 25));

    /* The low 12 bytes of the fold are kept for the second phase; its low
     * 4 bytes are moved to the top of r0. */
    carry = _mm_srli_si128(fold, 4);
    r0 = _mm_xor_si128(r0, _mm_slli_si128(fold, 12));

    /* Second phase: XOR together the right-shifted copies, the carry and
     * r0 itself. */
    acc = _mm_xor_si128(_mm_srli_epi32(r0, 1), _mm_srli_epi32(r0, 2));
    acc = _mm_xor_si128(acc, _mm_srli_epi32(r0, 7));
    acc = _mm_xor_si128(acc, carry);
    acc = _mm_xor_si128(acc, r0);

    return _mm_xor_si128(r1, acc);
}
wolfSSL 15:117db924cf7c 4559
/* Multiply a by b: one unreduced carry-less product from gfmul_only()
 * followed by ghash_red(). The callers in this file pass an H that has
 * already been through gfmul_shl1(). */
static __m128i gfmul_shifted(__m128i a, __m128i b)
{
    __m128i lo = _mm_setzero_si128();
    __m128i hi = _mm_setzero_si128();

    /* gfmul_only() XORs into its outputs, so both start at zero. */
    gfmul_only(a, b, &lo, &hi);

    return ghash_red(lo, hi);
}
wolfSSL 15:117db924cf7c 4566
wolfSSL 15:117db924cf7c 4567 #ifndef AES_GCM_AESNI_NO_UNROLL
/* Sum of eight products with a single reduction at the end.
 *
 * The a operands are paired with the b operands in reverse order
 * (a1*b8, a2*b7, ... a8*b1). Each unreduced product is XOR-accumulated by
 * gfmul_only() and ghash_red() is applied once to the total.
 */
static __m128i gfmul8(__m128i a1, __m128i a2, __m128i a3, __m128i a4,
                      __m128i a5, __m128i a6, __m128i a7, __m128i a8,
                      __m128i b1, __m128i b2, __m128i b3, __m128i b4,
                      __m128i b5, __m128i b6, __m128i b7, __m128i b8)
{
    __m128i lo = _mm_setzero_si128();
    __m128i hi = _mm_setzero_si128();

    gfmul_only(a1, b8, &lo, &hi);
    gfmul_only(a2, b7, &lo, &hi);
    gfmul_only(a3, b6, &lo, &hi);
    gfmul_only(a4, b5, &lo, &hi);
    gfmul_only(a5, b4, &lo, &hi);
    gfmul_only(a6, b3, &lo, &hi);
    gfmul_only(a7, b2, &lo, &hi);
    gfmul_only(a8, b1, &lo, &hi);

    return ghash_red(lo, hi);
}
wolfSSL 15:117db924cf7c 4584 #endif
wolfSSL 15:117db924cf7c 4585
wolfSSL 15:117db924cf7c 4586
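/* AES-GCM encryption using AES-NI and PCLMULQDQ intrinsics.
 *
 * in      plaintext, nbytes long
 * out     receives the ciphertext, nbytes long
 * addt    additional authenticated data, abytes long
 * ivec    IV/nonce, ibytes long
 * tag     receives the first tbytes bytes of the authentication tag
 * key     expanded round keys, read as an array of __m128i
 * nr      number of AES rounds; nr > 10 and nr > 12 select the longer
 *         round-key schedules
 *
 * NOTE(review): key is dereferenced through an __m128i pointer (KEY[n]), so
 * the round-key buffer must be 16-byte aligned. tbytes is copied out of a
 * 16-byte local with no check in this function, so the caller must keep it
 * at or below 16. H, HT[] and the keystream temporaries are not cleared
 * before returning.
 */
static void AES_GCM_encrypt(const unsigned char *in,
                            unsigned char *out,
                            const unsigned char* addt,
                            const unsigned char* ivec,
                            unsigned char *tag, unsigned int nbytes,
                            unsigned int abytes, unsigned int ibytes,
                            unsigned int tbytes,
                            const unsigned char* key, int nr)
{
    /* The local names below are also used by AES_ENC_8() and
     * AES_ENC_LAST_8(), which are defined elsewhere in this file. */
    int i, j ,k;
    __m128i ctr1;
    __m128i H, Y, T;
    __m128i X = _mm_setzero_si128();
    __m128i *KEY = (__m128i*)key, lastKey;
    __m128i last_block = _mm_setzero_si128();
    __m128i tmp1, tmp2;
#ifndef AES_GCM_AESNI_NO_UNROLL
    __m128i HT[8];
    __m128i r0, r1;
    __m128i XV;
    __m128i tmp3, tmp4, tmp5, tmp6, tmp7, tmp8;
#endif

    /* Both helpers are defined elsewhere; they are passed H, Y and T by
     * name, so presumably they are macros that set the hash key, the
     * initial counter block and the tag mask. */
    if (ibytes == GCM_NONCE_MID_SZ)
        aes_gcm_calc_iv_12(KEY, ivec, nr, H, Y, T);
    else
        aes_gcm_calc_iv(KEY, ivec, ibytes, nr, H, Y, T);

    /* GHASH over the additional authenticated data, whole blocks first. */
    for (i=0; i < (int)(abytes/16); i++) {
        tmp1 = _mm_loadu_si128(&((__m128i*)addt)[i]);
        tmp1 = _mm_shuffle_epi8(tmp1, BSWAP_MASK);
        X = _mm_xor_si128(X, tmp1);
        X = gfmul_sw(X, H);
    }
    /* Trailing partial AAD block, zero padded to 16 bytes. */
    if (abytes%16) {
        last_block = _mm_setzero_si128();
        for (j=0; j < (int)(abytes%16); j++)
            ((unsigned char*)&last_block)[j] = addt[i*16+j];
        tmp1 = last_block;
        tmp1 = _mm_shuffle_epi8(tmp1, BSWAP_MASK);
        X = _mm_xor_si128(X, tmp1);
        X = gfmul_sw(X, H);
    }
    /* First data counter is Y + 1; the counter is advanced with 32-bit
     * lane additions. */
    tmp1 = _mm_shuffle_epi8(Y, BSWAP_EPI64);
    ctr1 = _mm_add_epi32(tmp1, ONE);
    /* From here on H is kept in the form gfmul_shifted() expects. */
    H = gfmul_shl1(H);

#ifndef AES_GCM_AESNI_NO_UNROLL
    i = 0;
    if (nbytes >= 16*8) {
        /* HT[n] holds the (n+1)-th power of H, so eight blocks can be
         * hashed with a single reduction. */
        HT[0] = H;
        HT[1] = gfmul_shifted(H, H);
        HT[2] = gfmul_shifted(H, HT[1]);
        HT[3] = gfmul_shifted(HT[1], HT[1]);
        HT[4] = gfmul_shifted(HT[1], HT[2]);
        HT[5] = gfmul_shifted(HT[2], HT[2]);
        HT[6] = gfmul_shifted(HT[2], HT[3]);
        HT[7] = gfmul_shifted(HT[3], HT[3]);

        /* First group of eight blocks: encrypt only, nothing to hash yet. */
        tmp1 = _mm_shuffle_epi8(ctr1, BSWAP_EPI64);
        tmp2 = _mm_add_epi32(ctr1, ONE);
        tmp2 = _mm_shuffle_epi8(tmp2, BSWAP_EPI64);
        tmp3 = _mm_add_epi32(ctr1, TWO);
        tmp3 = _mm_shuffle_epi8(tmp3, BSWAP_EPI64);
        tmp4 = _mm_add_epi32(ctr1, THREE);
        tmp4 = _mm_shuffle_epi8(tmp4, BSWAP_EPI64);
        tmp5 = _mm_add_epi32(ctr1, FOUR);
        tmp5 = _mm_shuffle_epi8(tmp5, BSWAP_EPI64);
        tmp6 = _mm_add_epi32(ctr1, FIVE);
        tmp6 = _mm_shuffle_epi8(tmp6, BSWAP_EPI64);
        tmp7 = _mm_add_epi32(ctr1, SIX);
        tmp7 = _mm_shuffle_epi8(tmp7, BSWAP_EPI64);
        tmp8 = _mm_add_epi32(ctr1, SEVEN);
        tmp8 = _mm_shuffle_epi8(tmp8, BSWAP_EPI64);
        ctr1 = _mm_add_epi32(ctr1, EIGHT);
        tmp1 =_mm_xor_si128(tmp1, KEY[0]);
        tmp2 =_mm_xor_si128(tmp2, KEY[0]);
        tmp3 =_mm_xor_si128(tmp3, KEY[0]);
        tmp4 =_mm_xor_si128(tmp4, KEY[0]);
        tmp5 =_mm_xor_si128(tmp5, KEY[0]);
        tmp6 =_mm_xor_si128(tmp6, KEY[0]);
        tmp7 =_mm_xor_si128(tmp7, KEY[0]);
        tmp8 =_mm_xor_si128(tmp8, KEY[0]);
        AES_ENC_8(1);
        AES_ENC_8(2);
        AES_ENC_8(3);
        AES_ENC_8(4);
        AES_ENC_8(5);
        AES_ENC_8(6);
        AES_ENC_8(7);
        AES_ENC_8(8);
        AES_ENC_8(9);
        lastKey = KEY[10];
        if (nr > 10) {
            AES_ENC_8(10);
            AES_ENC_8(11);
            lastKey = KEY[12];
            if (nr > 12) {
                AES_ENC_8(12);
                AES_ENC_8(13);
                lastKey = KEY[14];
            }
        }
        /* Defined elsewhere; presumably applies lastKey, XORs with in and
         * stores the eight blocks to out - TODO confirm. */
        AES_ENC_LAST_8();

        /* Remaining groups: the AES rounds for group i are interleaved with
         * the GHASH of the ciphertext of group i-1, read back from out. */
        for (i=1; i < (int)(nbytes/16/8); i++) {
            r0 = _mm_setzero_si128();
            r1 = _mm_setzero_si128();
            tmp1 = _mm_shuffle_epi8(ctr1, BSWAP_EPI64);
            tmp2 = _mm_add_epi32(ctr1, ONE);
            tmp2 = _mm_shuffle_epi8(tmp2, BSWAP_EPI64);
            tmp3 = _mm_add_epi32(ctr1, TWO);
            tmp3 = _mm_shuffle_epi8(tmp3, BSWAP_EPI64);
            tmp4 = _mm_add_epi32(ctr1, THREE);
            tmp4 = _mm_shuffle_epi8(tmp4, BSWAP_EPI64);
            tmp5 = _mm_add_epi32(ctr1, FOUR);
            tmp5 = _mm_shuffle_epi8(tmp5, BSWAP_EPI64);
            tmp6 = _mm_add_epi32(ctr1, FIVE);
            tmp6 = _mm_shuffle_epi8(tmp6, BSWAP_EPI64);
            tmp7 = _mm_add_epi32(ctr1, SIX);
            tmp7 = _mm_shuffle_epi8(tmp7, BSWAP_EPI64);
            tmp8 = _mm_add_epi32(ctr1, SEVEN);
            tmp8 = _mm_shuffle_epi8(tmp8, BSWAP_EPI64);
            ctr1 = _mm_add_epi32(ctr1, EIGHT);
            tmp1 =_mm_xor_si128(tmp1, KEY[0]);
            tmp2 =_mm_xor_si128(tmp2, KEY[0]);
            tmp3 =_mm_xor_si128(tmp3, KEY[0]);
            tmp4 =_mm_xor_si128(tmp4, KEY[0]);
            tmp5 =_mm_xor_si128(tmp5, KEY[0]);
            tmp6 =_mm_xor_si128(tmp6, KEY[0]);
            tmp7 =_mm_xor_si128(tmp7, KEY[0]);
            tmp8 =_mm_xor_si128(tmp8, KEY[0]);
            /* 128 x 128 Carryless Multiply */
            XV = _mm_loadu_si128(&((__m128i*)out)[(i-1)*8+0]);
            XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
            /* Only the first block of the group carries the running hash. */
            XV = _mm_xor_si128(XV, X);
            gfmul_only(XV, HT[7], &r0, &r1);
            tmp1 = _mm_aesenc_si128(tmp1, KEY[1]);
            tmp2 = _mm_aesenc_si128(tmp2, KEY[1]);
            tmp3 = _mm_aesenc_si128(tmp3, KEY[1]);
            tmp4 = _mm_aesenc_si128(tmp4, KEY[1]);
            tmp5 = _mm_aesenc_si128(tmp5, KEY[1]);
            tmp6 = _mm_aesenc_si128(tmp6, KEY[1]);
            tmp7 = _mm_aesenc_si128(tmp7, KEY[1]);
            tmp8 = _mm_aesenc_si128(tmp8, KEY[1]);
            /* 128 x 128 Carryless Multiply */
            XV = _mm_loadu_si128(&((__m128i*)out)[(i-1)*8+1]);
            XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
            gfmul_only(XV, HT[6], &r0, &r1);
            tmp1 = _mm_aesenc_si128(tmp1, KEY[2]);
            tmp2 = _mm_aesenc_si128(tmp2, KEY[2]);
            tmp3 = _mm_aesenc_si128(tmp3, KEY[2]);
            tmp4 = _mm_aesenc_si128(tmp4, KEY[2]);
            tmp5 = _mm_aesenc_si128(tmp5, KEY[2]);
            tmp6 = _mm_aesenc_si128(tmp6, KEY[2]);
            tmp7 = _mm_aesenc_si128(tmp7, KEY[2]);
            tmp8 = _mm_aesenc_si128(tmp8, KEY[2]);
            /* 128 x 128 Carryless Multiply */
            XV = _mm_loadu_si128(&((__m128i*)out)[(i-1)*8+2]);
            XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
            gfmul_only(XV, HT[5], &r0, &r1);
            tmp1 = _mm_aesenc_si128(tmp1, KEY[3]);
            tmp2 = _mm_aesenc_si128(tmp2, KEY[3]);
            tmp3 = _mm_aesenc_si128(tmp3, KEY[3]);
            tmp4 = _mm_aesenc_si128(tmp4, KEY[3]);
            tmp5 = _mm_aesenc_si128(tmp5, KEY[3]);
            tmp6 = _mm_aesenc_si128(tmp6, KEY[3]);
            tmp7 = _mm_aesenc_si128(tmp7, KEY[3]);
            tmp8 = _mm_aesenc_si128(tmp8, KEY[3]);
            /* 128 x 128 Carryless Multiply */
            XV = _mm_loadu_si128(&((__m128i*)out)[(i-1)*8+3]);
            XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
            gfmul_only(XV, HT[4], &r0, &r1);
            tmp1 = _mm_aesenc_si128(tmp1, KEY[4]);
            tmp2 = _mm_aesenc_si128(tmp2, KEY[4]);
            tmp3 = _mm_aesenc_si128(tmp3, KEY[4]);
            tmp4 = _mm_aesenc_si128(tmp4, KEY[4]);
            tmp5 = _mm_aesenc_si128(tmp5, KEY[4]);
            tmp6 = _mm_aesenc_si128(tmp6, KEY[4]);
            tmp7 = _mm_aesenc_si128(tmp7, KEY[4]);
            tmp8 = _mm_aesenc_si128(tmp8, KEY[4]);
            /* 128 x 128 Carryless Multiply */
            XV = _mm_loadu_si128(&((__m128i*)out)[(i-1)*8+4]);
            XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
            gfmul_only(XV, HT[3], &r0, &r1);
            tmp1 = _mm_aesenc_si128(tmp1, KEY[5]);
            tmp2 = _mm_aesenc_si128(tmp2, KEY[5]);
            tmp3 = _mm_aesenc_si128(tmp3, KEY[5]);
            tmp4 = _mm_aesenc_si128(tmp4, KEY[5]);
            tmp5 = _mm_aesenc_si128(tmp5, KEY[5]);
            tmp6 = _mm_aesenc_si128(tmp6, KEY[5]);
            tmp7 = _mm_aesenc_si128(tmp7, KEY[5]);
            tmp8 = _mm_aesenc_si128(tmp8, KEY[5]);
            /* 128 x 128 Carryless Multiply */
            XV = _mm_loadu_si128(&((__m128i*)out)[(i-1)*8+5]);
            XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
            gfmul_only(XV, HT[2], &r0, &r1);
            tmp1 = _mm_aesenc_si128(tmp1, KEY[6]);
            tmp2 = _mm_aesenc_si128(tmp2, KEY[6]);
            tmp3 = _mm_aesenc_si128(tmp3, KEY[6]);
            tmp4 = _mm_aesenc_si128(tmp4, KEY[6]);
            tmp5 = _mm_aesenc_si128(tmp5, KEY[6]);
            tmp6 = _mm_aesenc_si128(tmp6, KEY[6]);
            tmp7 = _mm_aesenc_si128(tmp7, KEY[6]);
            tmp8 = _mm_aesenc_si128(tmp8, KEY[6]);
            /* 128 x 128 Carryless Multiply */
            XV = _mm_loadu_si128(&((__m128i*)out)[(i-1)*8+6]);
            XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
            gfmul_only(XV, HT[1], &r0, &r1);
            tmp1 = _mm_aesenc_si128(tmp1, KEY[7]);
            tmp2 = _mm_aesenc_si128(tmp2, KEY[7]);
            tmp3 = _mm_aesenc_si128(tmp3, KEY[7]);
            tmp4 = _mm_aesenc_si128(tmp4, KEY[7]);
            tmp5 = _mm_aesenc_si128(tmp5, KEY[7]);
            tmp6 = _mm_aesenc_si128(tmp6, KEY[7]);
            tmp7 = _mm_aesenc_si128(tmp7, KEY[7]);
            tmp8 = _mm_aesenc_si128(tmp8, KEY[7]);
            /* 128 x 128 Carryless Multiply */
            XV = _mm_loadu_si128(&((__m128i*)out)[(i-1)*8+7]);
            XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
            gfmul_only(XV, HT[0], &r0, &r1);
            tmp1 = _mm_aesenc_si128(tmp1, KEY[8]);
            tmp2 = _mm_aesenc_si128(tmp2, KEY[8]);
            tmp3 = _mm_aesenc_si128(tmp3, KEY[8]);
            tmp4 = _mm_aesenc_si128(tmp4, KEY[8]);
            tmp5 = _mm_aesenc_si128(tmp5, KEY[8]);
            tmp6 = _mm_aesenc_si128(tmp6, KEY[8]);
            tmp7 = _mm_aesenc_si128(tmp7, KEY[8]);
            tmp8 = _mm_aesenc_si128(tmp8, KEY[8]);
            /* Reduction */
            X = ghash_red(r0, r1);
            tmp1 = _mm_aesenc_si128(tmp1, KEY[9]);
            tmp2 = _mm_aesenc_si128(tmp2, KEY[9]);
            tmp3 = _mm_aesenc_si128(tmp3, KEY[9]);
            tmp4 = _mm_aesenc_si128(tmp4, KEY[9]);
            tmp5 = _mm_aesenc_si128(tmp5, KEY[9]);
            tmp6 = _mm_aesenc_si128(tmp6, KEY[9]);
            tmp7 = _mm_aesenc_si128(tmp7, KEY[9]);
            tmp8 = _mm_aesenc_si128(tmp8, KEY[9]);
            lastKey = KEY[10];
            if (nr > 10) {
                tmp1 = _mm_aesenc_si128(tmp1, KEY[10]);
                tmp2 = _mm_aesenc_si128(tmp2, KEY[10]);
                tmp3 = _mm_aesenc_si128(tmp3, KEY[10]);
                tmp4 = _mm_aesenc_si128(tmp4, KEY[10]);
                tmp5 = _mm_aesenc_si128(tmp5, KEY[10]);
                tmp6 = _mm_aesenc_si128(tmp6, KEY[10]);
                tmp7 = _mm_aesenc_si128(tmp7, KEY[10]);
                tmp8 = _mm_aesenc_si128(tmp8, KEY[10]);
                tmp1 = _mm_aesenc_si128(tmp1, KEY[11]);
                tmp2 = _mm_aesenc_si128(tmp2, KEY[11]);
                tmp3 = _mm_aesenc_si128(tmp3, KEY[11]);
                tmp4 = _mm_aesenc_si128(tmp4, KEY[11]);
                tmp5 = _mm_aesenc_si128(tmp5, KEY[11]);
                tmp6 = _mm_aesenc_si128(tmp6, KEY[11]);
                tmp7 = _mm_aesenc_si128(tmp7, KEY[11]);
                tmp8 = _mm_aesenc_si128(tmp8, KEY[11]);
                lastKey = KEY[12];
                if (nr > 12) {
                    tmp1 = _mm_aesenc_si128(tmp1, KEY[12]);
                    tmp2 = _mm_aesenc_si128(tmp2, KEY[12]);
                    tmp3 = _mm_aesenc_si128(tmp3, KEY[12]);
                    tmp4 = _mm_aesenc_si128(tmp4, KEY[12]);
                    tmp5 = _mm_aesenc_si128(tmp5, KEY[12]);
                    tmp6 = _mm_aesenc_si128(tmp6, KEY[12]);
                    tmp7 = _mm_aesenc_si128(tmp7, KEY[12]);
                    tmp8 = _mm_aesenc_si128(tmp8, KEY[12]);
                    tmp1 = _mm_aesenc_si128(tmp1, KEY[13]);
                    tmp2 = _mm_aesenc_si128(tmp2, KEY[13]);
                    tmp3 = _mm_aesenc_si128(tmp3, KEY[13]);
                    tmp4 = _mm_aesenc_si128(tmp4, KEY[13]);
                    tmp5 = _mm_aesenc_si128(tmp5, KEY[13]);
                    tmp6 = _mm_aesenc_si128(tmp6, KEY[13]);
                    tmp7 = _mm_aesenc_si128(tmp7, KEY[13]);
                    tmp8 = _mm_aesenc_si128(tmp8, KEY[13]);
                    lastKey = KEY[14];
                }
            }
            AES_ENC_LAST_8();
        }

        /* GHASH of the last group of eight, taken from tmp1..tmp8 as left
         * by AES_ENC_LAST_8(). */
        tmp1 = _mm_shuffle_epi8(tmp1, BSWAP_MASK);
        tmp2 = _mm_shuffle_epi8(tmp2, BSWAP_MASK);
        tmp3 = _mm_shuffle_epi8(tmp3, BSWAP_MASK);
        tmp4 = _mm_shuffle_epi8(tmp4, BSWAP_MASK);
        tmp5 = _mm_shuffle_epi8(tmp5, BSWAP_MASK);
        tmp6 = _mm_shuffle_epi8(tmp6, BSWAP_MASK);
        tmp7 = _mm_shuffle_epi8(tmp7, BSWAP_MASK);
        tmp8 = _mm_shuffle_epi8(tmp8, BSWAP_MASK);
        tmp1 = _mm_xor_si128(X, tmp1);
        X = gfmul8(tmp1, tmp2, tmp3, tmp4, tmp5, tmp6, tmp7, tmp8,
                   HT[0], HT[1], HT[2], HT[3], HT[4], HT[5], HT[6], HT[7]);
    }
    /* Whole blocks left over after the groups of eight, one at a time. */
    for (k = i*8; k < (int)(nbytes/16); k++) {
        tmp1 = _mm_shuffle_epi8(ctr1, BSWAP_EPI64);
        ctr1 = _mm_add_epi32(ctr1, ONE);
        tmp1 = _mm_xor_si128(tmp1, KEY[0]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[1]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[2]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[3]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[4]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[5]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[6]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[7]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[8]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[9]);
        lastKey = KEY[10];
        if (nr > 10) {
            tmp1 = _mm_aesenc_si128(tmp1, lastKey);
            tmp1 = _mm_aesenc_si128(tmp1, KEY[11]);
            lastKey = KEY[12];
            if (nr > 12) {
                tmp1 = _mm_aesenc_si128(tmp1, lastKey);
                tmp1 = _mm_aesenc_si128(tmp1, KEY[13]);
                lastKey = KEY[14];
            }
        }
        tmp1 = _mm_aesenclast_si128(tmp1, lastKey);
        tmp1 = _mm_xor_si128(tmp1, _mm_loadu_si128(&((__m128i*)in)[k]));
        _mm_storeu_si128(&((__m128i*)out)[k], tmp1);
        tmp1 = _mm_shuffle_epi8(tmp1, BSWAP_MASK);
        X =_mm_xor_si128(X, tmp1);
        X = gfmul_shifted(X, H);
    }
#else /* AES_GCM_AESNI_NO_UNROLL */
    /* First block: its ciphertext is XORed into X here and multiplied by H
     * in the next loop iteration, or by the k > 0 check below. */
    for (k = 0; k < (int)(nbytes/16) && k < 1; k++) {
        tmp1 = _mm_shuffle_epi8(ctr1, BSWAP_EPI64);
        ctr1 = _mm_add_epi32(ctr1, ONE);
        tmp1 = _mm_xor_si128(tmp1, KEY[0]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[1]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[2]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[3]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[4]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[5]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[6]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[7]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[8]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[9]);
        lastKey = KEY[10];
        if (nr > 10) {
            tmp1 = _mm_aesenc_si128(tmp1, lastKey);
            tmp1 = _mm_aesenc_si128(tmp1, KEY[11]);
            lastKey = KEY[12];
            if (nr > 12) {
                tmp1 = _mm_aesenc_si128(tmp1, lastKey);
                tmp1 = _mm_aesenc_si128(tmp1, KEY[13]);
                lastKey = KEY[14];
            }
        }
        tmp1 = _mm_aesenclast_si128(tmp1, lastKey);
        tmp1 = _mm_xor_si128(tmp1, _mm_loadu_si128(&((__m128i*)in)[k]));
        _mm_storeu_si128(&((__m128i*)out)[k], tmp1);
        tmp1 = _mm_shuffle_epi8(tmp1, BSWAP_MASK);
        X =_mm_xor_si128(X, tmp1);
    }
    /* Later blocks: the multiply for the previous block sits between the
     * AES rounds of the current one. */
    for (; k < (int)(nbytes/16); k++) {
        tmp1 = _mm_shuffle_epi8(ctr1, BSWAP_EPI64);
        ctr1 = _mm_add_epi32(ctr1, ONE);
        tmp1 = _mm_xor_si128(tmp1, KEY[0]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[1]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[2]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[3]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[4]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[5]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[6]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[7]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[8]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[9]);
        X = gfmul_shifted(X, H);
        lastKey = KEY[10];
        if (nr > 10) {
            tmp1 = _mm_aesenc_si128(tmp1, lastKey);
            tmp1 = _mm_aesenc_si128(tmp1, KEY[11]);
            lastKey = KEY[12];
            if (nr > 12) {
                tmp1 = _mm_aesenc_si128(tmp1, lastKey);
                tmp1 = _mm_aesenc_si128(tmp1, KEY[13]);
                lastKey = KEY[14];
            }
        }
        tmp1 = _mm_aesenclast_si128(tmp1, lastKey);
        tmp1 = _mm_xor_si128(tmp1, _mm_loadu_si128(&((__m128i*)in)[k]));
        _mm_storeu_si128(&((__m128i*)out)[k], tmp1);
        tmp1 = _mm_shuffle_epi8(tmp1, BSWAP_MASK);
        X =_mm_xor_si128(X, tmp1);
    }
    if (k > 0) {
        X = gfmul_shifted(X, H);
    }
#endif /* AES_GCM_AESNI_NO_UNROLL */

    /* If one partial block remains */
    if (nbytes % 16) {
        tmp1 = _mm_shuffle_epi8(ctr1, BSWAP_EPI64);
        tmp1 = _mm_xor_si128(tmp1, KEY[0]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[1]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[2]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[3]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[4]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[5]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[6]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[7]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[8]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[9]);
        lastKey = KEY[10];
        if (nr > 10) {
            tmp1 = _mm_aesenc_si128(tmp1, lastKey);
            tmp1 = _mm_aesenc_si128(tmp1, KEY[11]);
            lastKey = KEY[12];
            if (nr > 12) {
                tmp1 = _mm_aesenc_si128(tmp1, lastKey);
                tmp1 = _mm_aesenc_si128(tmp1, KEY[13]);
                lastKey = KEY[14];
            }
        }
        tmp1 = _mm_aesenclast_si128(tmp1, lastKey);
        /* Starting last_block as a copy of the keystream makes the bytes
         * past the input cancel to zero in the XOR below, so neither the
         * hashed block nor out ever sees unused keystream bytes. */
        last_block = tmp1;
        for (j=0; j < (int)(nbytes%16); j++)
            ((unsigned char*)&last_block)[j] = in[k*16+j];
        tmp1 = _mm_xor_si128(tmp1, last_block);
        last_block = tmp1;
        for (j=0; j < (int)(nbytes%16); j++)
            out[k*16+j] = ((unsigned char*)&last_block)[j];
        tmp1 = last_block;
        tmp1 = _mm_shuffle_epi8(tmp1, BSWAP_MASK);
        X =_mm_xor_si128(X, tmp1);
        X = gfmul_shifted(X, H);
    }
    /* Length block: bit lengths of the data and of the AAD. The byte counts
     * are widened to 64 bits before the multiply; in unsigned int the
     * product wraps for lengths of 2^29 bytes and above, which puts a wrong
     * length into the hash and yields a tag that does not verify. */
    tmp1 = _mm_insert_epi64(tmp1, (long long)nbytes * 8, 0);
    tmp1 = _mm_insert_epi64(tmp1, (long long)abytes * 8, 1);
    X = _mm_xor_si128(X, tmp1);
    X = gfmul_shifted(X, H);
    X = _mm_shuffle_epi8(X, BSWAP_MASK);
    T = _mm_xor_si128(X, T);
    /*_mm_storeu_si128((__m128i*)tag, T);*/
    /* Copies only the requested tag length; T is 16 bytes, so tbytes must
     * not exceed 16. */
    XMEMCPY(tag, &T, tbytes);
}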
wolfSSL 15:117db924cf7c 5024
wolfSSL 15:117db924cf7c 5025 #ifdef HAVE_AES_DECRYPT
wolfSSL 15:117db924cf7c 5026
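/* AES-GCM decryption and tag verification using AES-NI / PCLMUL intrinsics.
 *
 * in     ciphertext, nbytes long
 * out    receives nbytes of plaintext
 * addt   additional authenticated data, abytes long
 * ivec   IV/nonce, ibytes long (GCM_NONCE_MID_SZ takes the dedicated path)
 * tag    expected authentication tag, tbytes long
 * key    expanded key schedule; it is read as an array of __m128i, so it is
 *        presumably required to be 16-byte aligned -- confirm with the caller
 * nr     number of AES rounds; the code distinguishes nr <= 10, nr > 10 and
 *        nr > 12
 * res    set to 1 when the computed tag matches tag, 0 otherwise
 *
 * The keystream is applied and out is written before the tag is checked (the
 * stores below precede the comparison at the end of the function). A caller
 * must therefore treat out as untrusted, and should discard it, whenever
 * *res is 0.
 *
 * NOTE(review): nbytes*8 and abytes*8 are evaluated in int, so a length of
 * 2^28 bytes or more overflows before it reaches the length block. The
 * encrypt routine above uses the same expression, so both sides need to be
 * changed together.
 */
static void AES_GCM_decrypt(const unsigned char *in,
                            unsigned char *out,
                            const unsigned char* addt,
                            const unsigned char* ivec,
                            const unsigned char *tag, int nbytes, int abytes,
                            int ibytes, word32 tbytes, const unsigned char* key,
                            int nr, int* res)
{
    int i, j, k;
    __m128i H, Y, T;
    __m128i *KEY = (__m128i*)key, lastKey;
    __m128i ctr1;
    __m128i last_block = _mm_setzero_si128();
    __m128i X = _mm_setzero_si128();
    __m128i tmp1, tmp2, XV;
    const unsigned char* calcTag;
    unsigned char diff = 0;
    word32 n;
#ifndef AES_GCM_AESNI_NO_UNROLL
    __m128i HT[8];
    __m128i r0, r1;
    __m128i tmp3, tmp4, tmp5, tmp6, tmp7, tmp8;
#endif /* AES_GCM_AESNI_NO_UNROLL */

    /* H, Y and T are passed by name, so these are presumably macros that
     * fill them in from the key schedule and the IV. */
    if (ibytes == GCM_NONCE_MID_SZ)
        aes_gcm_calc_iv_12(KEY, ivec, nr, H, Y, T);
    else
        aes_gcm_calc_iv(KEY, ivec, ibytes, nr, H, Y, T);

    /* Hash the whole 16-byte blocks of the additional data. */
    for (i = 0; i < abytes/16; i++) {
        tmp1 = _mm_loadu_si128(&((__m128i*)addt)[i]);
        tmp1 = _mm_shuffle_epi8(tmp1, BSWAP_MASK);
        X = _mm_xor_si128(X, tmp1);
        X = gfmul_sw(X, H);
    }
    /* Hash the trailing partial block of the additional data, zero padded. */
    if (abytes%16) {
        last_block = _mm_setzero_si128();
        for (j = 0; j < abytes%16; j++)
            ((unsigned char*)&last_block)[j] = addt[i*16+j];
        tmp1 = last_block;
        tmp1 = _mm_shuffle_epi8(tmp1, BSWAP_MASK);
        X = _mm_xor_si128(X, tmp1);
        X = gfmul_sw(X, H);
    }

    tmp1 = _mm_shuffle_epi8(Y, BSWAP_EPI64);
    ctr1 = _mm_add_epi32(tmp1, ONE);
    /* From here on H is held in the form expected by gfmul_shifted(). */
    H = gfmul_shl1(H);
    i = 0;

#ifndef AES_GCM_AESNI_NO_UNROLL

    if (0 < nbytes/16/8) {
        /* HT[n] holds a product of n+1 factors of H, one per block of an
         * eight-block group. */
        HT[0] = H;
        HT[1] = gfmul_shifted(H, H);
        HT[2] = gfmul_shifted(H, HT[1]);
        HT[3] = gfmul_shifted(HT[1], HT[1]);
        HT[4] = gfmul_shifted(HT[1], HT[2]);
        HT[5] = gfmul_shifted(HT[2], HT[2]);
        HT[6] = gfmul_shifted(HT[2], HT[3]);
        HT[7] = gfmul_shifted(HT[3], HT[3]);

        /* Eight blocks per iteration: the AES rounds for eight counter
         * blocks are interleaved with the hashing of the eight ciphertext
         * blocks of the same group. */
        for (; i < nbytes/16/8; i++) {
            r0 = _mm_setzero_si128();
            r1 = _mm_setzero_si128();

            tmp1 = _mm_shuffle_epi8(ctr1, BSWAP_EPI64);
            tmp2 = _mm_add_epi32(ctr1, ONE);
            tmp2 = _mm_shuffle_epi8(tmp2, BSWAP_EPI64);
            tmp3 = _mm_add_epi32(ctr1, TWO);
            tmp3 = _mm_shuffle_epi8(tmp3, BSWAP_EPI64);
            tmp4 = _mm_add_epi32(ctr1, THREE);
            tmp4 = _mm_shuffle_epi8(tmp4, BSWAP_EPI64);
            tmp5 = _mm_add_epi32(ctr1, FOUR);
            tmp5 = _mm_shuffle_epi8(tmp5, BSWAP_EPI64);
            tmp6 = _mm_add_epi32(ctr1, FIVE);
            tmp6 = _mm_shuffle_epi8(tmp6, BSWAP_EPI64);
            tmp7 = _mm_add_epi32(ctr1, SIX);
            tmp7 = _mm_shuffle_epi8(tmp7, BSWAP_EPI64);
            tmp8 = _mm_add_epi32(ctr1, SEVEN);
            tmp8 = _mm_shuffle_epi8(tmp8, BSWAP_EPI64);
            ctr1 = _mm_add_epi32(ctr1, EIGHT);
            tmp1 = _mm_xor_si128(tmp1, KEY[0]);
            tmp2 = _mm_xor_si128(tmp2, KEY[0]);
            tmp3 = _mm_xor_si128(tmp3, KEY[0]);
            tmp4 = _mm_xor_si128(tmp4, KEY[0]);
            tmp5 = _mm_xor_si128(tmp5, KEY[0]);
            tmp6 = _mm_xor_si128(tmp6, KEY[0]);
            tmp7 = _mm_xor_si128(tmp7, KEY[0]);
            tmp8 = _mm_xor_si128(tmp8, KEY[0]);
            /* 128 x 128 Carryless Multiply */
            XV = _mm_loadu_si128(&((__m128i*)in)[i*8+0]);
            XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
            /* Only the first block of the group absorbs the running hash. */
            XV = _mm_xor_si128(XV, X);
            gfmul_only(XV, HT[7], &r0, &r1);
            tmp1 = _mm_aesenc_si128(tmp1, KEY[1]);
            tmp2 = _mm_aesenc_si128(tmp2, KEY[1]);
            tmp3 = _mm_aesenc_si128(tmp3, KEY[1]);
            tmp4 = _mm_aesenc_si128(tmp4, KEY[1]);
            tmp5 = _mm_aesenc_si128(tmp5, KEY[1]);
            tmp6 = _mm_aesenc_si128(tmp6, KEY[1]);
            tmp7 = _mm_aesenc_si128(tmp7, KEY[1]);
            tmp8 = _mm_aesenc_si128(tmp8, KEY[1]);
            /* 128 x 128 Carryless Multiply */
            XV = _mm_loadu_si128(&((__m128i*)in)[i*8+1]);
            XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
            gfmul_only(XV, HT[6], &r0, &r1);
            tmp1 = _mm_aesenc_si128(tmp1, KEY[2]);
            tmp2 = _mm_aesenc_si128(tmp2, KEY[2]);
            tmp3 = _mm_aesenc_si128(tmp3, KEY[2]);
            tmp4 = _mm_aesenc_si128(tmp4, KEY[2]);
            tmp5 = _mm_aesenc_si128(tmp5, KEY[2]);
            tmp6 = _mm_aesenc_si128(tmp6, KEY[2]);
            tmp7 = _mm_aesenc_si128(tmp7, KEY[2]);
            tmp8 = _mm_aesenc_si128(tmp8, KEY[2]);
            /* 128 x 128 Carryless Multiply */
            XV = _mm_loadu_si128(&((__m128i*)in)[i*8+2]);
            XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
            gfmul_only(XV, HT[5], &r0, &r1);
            tmp1 = _mm_aesenc_si128(tmp1, KEY[3]);
            tmp2 = _mm_aesenc_si128(tmp2, KEY[3]);
            tmp3 = _mm_aesenc_si128(tmp3, KEY[3]);
            tmp4 = _mm_aesenc_si128(tmp4, KEY[3]);
            tmp5 = _mm_aesenc_si128(tmp5, KEY[3]);
            tmp6 = _mm_aesenc_si128(tmp6, KEY[3]);
            tmp7 = _mm_aesenc_si128(tmp7, KEY[3]);
            tmp8 = _mm_aesenc_si128(tmp8, KEY[3]);
            /* 128 x 128 Carryless Multiply */
            XV = _mm_loadu_si128(&((__m128i*)in)[i*8+3]);
            XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
            gfmul_only(XV, HT[4], &r0, &r1);
            tmp1 = _mm_aesenc_si128(tmp1, KEY[4]);
            tmp2 = _mm_aesenc_si128(tmp2, KEY[4]);
            tmp3 = _mm_aesenc_si128(tmp3, KEY[4]);
            tmp4 = _mm_aesenc_si128(tmp4, KEY[4]);
            tmp5 = _mm_aesenc_si128(tmp5, KEY[4]);
            tmp6 = _mm_aesenc_si128(tmp6, KEY[4]);
            tmp7 = _mm_aesenc_si128(tmp7, KEY[4]);
            tmp8 = _mm_aesenc_si128(tmp8, KEY[4]);
            /* 128 x 128 Carryless Multiply */
            XV = _mm_loadu_si128(&((__m128i*)in)[i*8+4]);
            XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
            gfmul_only(XV, HT[3], &r0, &r1);
            tmp1 = _mm_aesenc_si128(tmp1, KEY[5]);
            tmp2 = _mm_aesenc_si128(tmp2, KEY[5]);
            tmp3 = _mm_aesenc_si128(tmp3, KEY[5]);
            tmp4 = _mm_aesenc_si128(tmp4, KEY[5]);
            tmp5 = _mm_aesenc_si128(tmp5, KEY[5]);
            tmp6 = _mm_aesenc_si128(tmp6, KEY[5]);
            tmp7 = _mm_aesenc_si128(tmp7, KEY[5]);
            tmp8 = _mm_aesenc_si128(tmp8, KEY[5]);
            /* 128 x 128 Carryless Multiply */
            XV = _mm_loadu_si128(&((__m128i*)in)[i*8+5]);
            XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
            gfmul_only(XV, HT[2], &r0, &r1);
            tmp1 = _mm_aesenc_si128(tmp1, KEY[6]);
            tmp2 = _mm_aesenc_si128(tmp2, KEY[6]);
            tmp3 = _mm_aesenc_si128(tmp3, KEY[6]);
            tmp4 = _mm_aesenc_si128(tmp4, KEY[6]);
            tmp5 = _mm_aesenc_si128(tmp5, KEY[6]);
            tmp6 = _mm_aesenc_si128(tmp6, KEY[6]);
            tmp7 = _mm_aesenc_si128(tmp7, KEY[6]);
            tmp8 = _mm_aesenc_si128(tmp8, KEY[6]);
            /* 128 x 128 Carryless Multiply */
            XV = _mm_loadu_si128(&((__m128i*)in)[i*8+6]);
            XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
            gfmul_only(XV, HT[1], &r0, &r1);
            tmp1 = _mm_aesenc_si128(tmp1, KEY[7]);
            tmp2 = _mm_aesenc_si128(tmp2, KEY[7]);
            tmp3 = _mm_aesenc_si128(tmp3, KEY[7]);
            tmp4 = _mm_aesenc_si128(tmp4, KEY[7]);
            tmp5 = _mm_aesenc_si128(tmp5, KEY[7]);
            tmp6 = _mm_aesenc_si128(tmp6, KEY[7]);
            tmp7 = _mm_aesenc_si128(tmp7, KEY[7]);
            tmp8 = _mm_aesenc_si128(tmp8, KEY[7]);
            /* 128 x 128 Carryless Multiply */
            XV = _mm_loadu_si128(&((__m128i*)in)[i*8+7]);
            XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
            gfmul_only(XV, HT[0], &r0, &r1);
            tmp1 = _mm_aesenc_si128(tmp1, KEY[8]);
            tmp2 = _mm_aesenc_si128(tmp2, KEY[8]);
            tmp3 = _mm_aesenc_si128(tmp3, KEY[8]);
            tmp4 = _mm_aesenc_si128(tmp4, KEY[8]);
            tmp5 = _mm_aesenc_si128(tmp5, KEY[8]);
            tmp6 = _mm_aesenc_si128(tmp6, KEY[8]);
            tmp7 = _mm_aesenc_si128(tmp7, KEY[8]);
            tmp8 = _mm_aesenc_si128(tmp8, KEY[8]);
            /* Reduction */
            X = ghash_red(r0, r1);
            tmp1 = _mm_aesenc_si128(tmp1, KEY[9]);
            tmp2 = _mm_aesenc_si128(tmp2, KEY[9]);
            tmp3 = _mm_aesenc_si128(tmp3, KEY[9]);
            tmp4 = _mm_aesenc_si128(tmp4, KEY[9]);
            tmp5 = _mm_aesenc_si128(tmp5, KEY[9]);
            tmp6 = _mm_aesenc_si128(tmp6, KEY[9]);
            tmp7 = _mm_aesenc_si128(tmp7, KEY[9]);
            tmp8 = _mm_aesenc_si128(tmp8, KEY[9]);
            lastKey = KEY[10];
            if (nr > 10) {
                tmp1 = _mm_aesenc_si128(tmp1, KEY[10]);
                tmp2 = _mm_aesenc_si128(tmp2, KEY[10]);
                tmp3 = _mm_aesenc_si128(tmp3, KEY[10]);
                tmp4 = _mm_aesenc_si128(tmp4, KEY[10]);
                tmp5 = _mm_aesenc_si128(tmp5, KEY[10]);
                tmp6 = _mm_aesenc_si128(tmp6, KEY[10]);
                tmp7 = _mm_aesenc_si128(tmp7, KEY[10]);
                tmp8 = _mm_aesenc_si128(tmp8, KEY[10]);
                tmp1 = _mm_aesenc_si128(tmp1, KEY[11]);
                tmp2 = _mm_aesenc_si128(tmp2, KEY[11]);
                tmp3 = _mm_aesenc_si128(tmp3, KEY[11]);
                tmp4 = _mm_aesenc_si128(tmp4, KEY[11]);
                tmp5 = _mm_aesenc_si128(tmp5, KEY[11]);
                tmp6 = _mm_aesenc_si128(tmp6, KEY[11]);
                tmp7 = _mm_aesenc_si128(tmp7, KEY[11]);
                tmp8 = _mm_aesenc_si128(tmp8, KEY[11]);
                lastKey = KEY[12];
                if (nr > 12) {
                    tmp1 = _mm_aesenc_si128(tmp1, KEY[12]);
                    tmp2 = _mm_aesenc_si128(tmp2, KEY[12]);
                    tmp3 = _mm_aesenc_si128(tmp3, KEY[12]);
                    tmp4 = _mm_aesenc_si128(tmp4, KEY[12]);
                    tmp5 = _mm_aesenc_si128(tmp5, KEY[12]);
                    tmp6 = _mm_aesenc_si128(tmp6, KEY[12]);
                    tmp7 = _mm_aesenc_si128(tmp7, KEY[12]);
                    tmp8 = _mm_aesenc_si128(tmp8, KEY[12]);
                    tmp1 = _mm_aesenc_si128(tmp1, KEY[13]);
                    tmp2 = _mm_aesenc_si128(tmp2, KEY[13]);
                    tmp3 = _mm_aesenc_si128(tmp3, KEY[13]);
                    tmp4 = _mm_aesenc_si128(tmp4, KEY[13]);
                    tmp5 = _mm_aesenc_si128(tmp5, KEY[13]);
                    tmp6 = _mm_aesenc_si128(tmp6, KEY[13]);
                    tmp7 = _mm_aesenc_si128(tmp7, KEY[13]);
                    tmp8 = _mm_aesenc_si128(tmp8, KEY[13]);
                    lastKey = KEY[14];
                }
            }
            /* Macro defined elsewhere in this file; presumably performs the
             * final round with lastKey and stores the eight output blocks. */
            AES_ENC_LAST_8();
        }
    }

#endif /* AES_GCM_AESNI_NO_UNROLL */

    /* Remaining whole blocks, one at a time. */
    for (k = i*8; k < nbytes/16; k++) {
        tmp1 = _mm_shuffle_epi8(ctr1, BSWAP_EPI64);
        ctr1 = _mm_add_epi32(ctr1, ONE);
        tmp1 = _mm_xor_si128(tmp1, KEY[0]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[1]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[2]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[3]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[4]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[5]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[6]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[7]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[8]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[9]);
        /* 128 x 128 Carryless Multiply */
        XV = _mm_loadu_si128(&((__m128i*)in)[k]);
        XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
        XV = _mm_xor_si128(XV, X);
        X = gfmul_shifted(XV, H);
        lastKey = KEY[10];
        if (nr > 10) {
            tmp1 = _mm_aesenc_si128(tmp1, lastKey);
            tmp1 = _mm_aesenc_si128(tmp1, KEY[11]);
            lastKey = KEY[12];
            if (nr > 12) {
                tmp1 = _mm_aesenc_si128(tmp1, lastKey);
                tmp1 = _mm_aesenc_si128(tmp1, KEY[13]);
                lastKey = KEY[14];
            }
        }
        tmp1 = _mm_aesenclast_si128(tmp1, lastKey);
        tmp2 = _mm_loadu_si128(&((__m128i*)in)[k]);
        tmp1 = _mm_xor_si128(tmp1, tmp2);
        _mm_storeu_si128(&((__m128i*)out)[k], tmp1);
    }

    /* If one partial block remains */
    if (nbytes % 16) {
        tmp1 = _mm_shuffle_epi8(ctr1, BSWAP_EPI64);
        tmp1 = _mm_xor_si128(tmp1, KEY[0]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[1]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[2]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[3]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[4]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[5]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[6]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[7]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[8]);
        tmp1 = _mm_aesenc_si128(tmp1, KEY[9]);
        lastKey = KEY[10];
        if (nr > 10) {
            tmp1 = _mm_aesenc_si128(tmp1, lastKey);
            tmp1 = _mm_aesenc_si128(tmp1, KEY[11]);
            lastKey = KEY[12];
            if (nr > 12) {
                tmp1 = _mm_aesenc_si128(tmp1, lastKey);
                tmp1 = _mm_aesenc_si128(tmp1, KEY[13]);
                lastKey = KEY[14];
            }
        }
        tmp1 = _mm_aesenclast_si128(tmp1, lastKey);
        /* Copy the tail byte by byte so that neither in nor out is touched
         * past nbytes. */
        last_block = _mm_setzero_si128();
        for (j = 0; j < nbytes%16; j++)
            ((unsigned char*)&last_block)[j] = in[k*16+j];
        XV = last_block;
        tmp1 = _mm_xor_si128(tmp1, last_block);
        last_block = tmp1;
        for (j = 0; j < nbytes%16; j++)
            out[k*16+j] = ((unsigned char*)&last_block)[j];
        XV = _mm_shuffle_epi8(XV, BSWAP_MASK);
        XV = _mm_xor_si128(XV, X);
        X = gfmul_shifted(XV, H);
    }

    /* Length block: bit lengths of the ciphertext and the additional data. */
    tmp1 = _mm_insert_epi64(tmp1, nbytes*8, 0);
    tmp1 = _mm_insert_epi64(tmp1, abytes*8, 1);
    /* 128 x 128 Carryless Multiply */
    X = _mm_xor_si128(X, tmp1);
    X = gfmul_shifted(X, H);
    X = _mm_shuffle_epi8(X, BSWAP_MASK);
    T = _mm_xor_si128(X, T);

    /* Compare the tags without an early exit: a memcmp-style comparison
     * returns at the first differing byte, so its running time tells an
     * observer how many leading bytes of a forged tag were right. */
    if (tbytes > (word32)sizeof(T)) {
        /* Only sizeof(T) tag bytes exist; a longer request would read past
         * T, so treat it as a failed authentication. */
        *res = 0;
    }
    else {
        calcTag = (const unsigned char*)&T;
        for (n = 0; n < tbytes; n++)
            diff |= (unsigned char)(tag[n] ^ calcTag[n]);
        /* 1 when every byte matched, 0 when the authentication failed */
        *res = (diff == 0);
    }
}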
wolfSSL 15:117db924cf7c 5354
wolfSSL 15:117db924cf7c 5355 #endif /* HAVE_AES_DECRYPT */
wolfSSL 15:117db924cf7c 5356 #endif /* _MSC_VER */
wolfSSL 15:117db924cf7c 5357 #endif /* WOLFSSL_AESNI */
wolfSSL 15:117db924cf7c 5358
wolfSSL 15:117db924cf7c 5359
wolfSSL 15:117db924cf7c 5360 #if defined(GCM_SMALL)
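/* Bit-serial GF(2^128) multiply for the GCM_SMALL build: X = X * Y.
 *
 * X  AES_BLOCK_SIZE bytes, input operand and destination of the product
 * Y  AES_BLOCK_SIZE bytes, read only; GHASH in this build passes aes->H,
 *    which in GCM is the hash subkey
 *
 * The bits of Y select whether V is added into Z. That selection is done
 * with a mask instead of a branch so that the instruction stream does not
 * depend on the bits of Y.
 *
 * NOTE(review): RIGHTSHIFTX is defined elsewhere in this file; whether it is
 * itself free of data-dependent branches cannot be seen from here and needs
 * the same review.
 */
static void GMULT(byte* X, byte* Y)
{
    byte Z[AES_BLOCK_SIZE];
    byte V[AES_BLOCK_SIZE];
    int i, j, k;

    XMEMSET(Z, 0, AES_BLOCK_SIZE);
    XMEMCPY(V, X, AES_BLOCK_SIZE);
    for (i = 0; i < AES_BLOCK_SIZE; i++) {
        byte y = Y[i];
        for (j = 0; j < 8; j++) {
            /* 0xFF when the top bit of y is set, 0x00 otherwise */
            byte mask = (byte)(0 - ((y >> 7) & 1));

            for (k = 0; k < AES_BLOCK_SIZE; k++)
                Z[k] ^= (byte)(V[k] & mask);

            RIGHTSHIFTX(V);
            y = (byte)(y << 1);
        }
    }
    XMEMCPY(X, Z, AES_BLOCK_SIZE);
}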
wolfSSL 15:117db924cf7c 5384
wolfSSL 15:117db924cf7c 5385
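/* GHASH for the GCM_SMALL build: hashes the additional data, then the
 * ciphertext, then their bit lengths, multiplying by aes->H after each block.
 *
 * aes  supplies the multiplier aes->H
 * a    additional authenticated data, aSz bytes; skipped when NULL or empty
 * c    ciphertext, cSz bytes; skipped when NULL or empty
 * s    receives the first sSz bytes of the hash
 * sSz  number of bytes wanted; at most AES_BLOCK_SIZE are available, so a
 *      larger value is clamped instead of reading past the local state
 *
 * The lengths aSz and cSz are hashed in even when the matching pointer is
 * NULL.
 */
void GHASH(Aes* aes, const byte* a, word32 aSz, const byte* c,
    word32 cSz, byte* s, word32 sSz)
{
    byte x[AES_BLOCK_SIZE];
    byte scratch[AES_BLOCK_SIZE];
    const byte* part[2];
    word32 partSz[2];
    byte* h = aes->H;
    int p;

    /* part 0 is A, the Additional Authentication Data; part 1 is C, the
     * Ciphertext. Both are absorbed the same way. */
    part[0] = a;
    partSz[0] = aSz;
    part[1] = c;
    partSz[1] = cSz;

    XMEMSET(x, 0, AES_BLOCK_SIZE);

    for (p = 0; p < 2; p++) {
        const byte* in = part[p];
        word32 blocks, partial;

        if (partSz[p] == 0 || in == NULL)
            continue;

        blocks = partSz[p] / AES_BLOCK_SIZE;
        partial = partSz[p] % AES_BLOCK_SIZE;
        while (blocks--) {
            xorbuf(x, in, AES_BLOCK_SIZE);
            GMULT(x, h);
            in += AES_BLOCK_SIZE;
        }
        if (partial != 0) {
            /* zero pad the trailing partial block */
            XMEMSET(scratch, 0, AES_BLOCK_SIZE);
            XMEMCPY(scratch, in, partial);
            xorbuf(x, scratch, AES_BLOCK_SIZE);
            GMULT(x, h);
        }
    }

    /* Hash in the lengths of A and C in bits */
    FlattenSzInBits(&scratch[0], aSz);
    FlattenSzInBits(&scratch[8], cSz);
    xorbuf(x, scratch, AES_BLOCK_SIZE);
    GMULT(x, h);

    /* Copy the result into s, never more than the state holds. */
    if (sSz > AES_BLOCK_SIZE)
        sSz = AES_BLOCK_SIZE;
    XMEMCPY(s, x, sSz);
}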
wolfSSL 15:117db924cf7c 5439
wolfSSL 15:117db924cf7c 5440 /* end GCM_SMALL */
wolfSSL 15:117db924cf7c 5441 #elif defined(GCM_TABLE)
wolfSSL 15:117db924cf7c 5442
/* Byte-indexed lookup table for the table-driven GMULT of the GCM_TABLE
 * build. After GMULT shifts its accumulator by one byte, the byte that was
 * shifted out selects a row: R[a][0] is written into Z[0] and R[a][1] is
 * XORed into Z[1]. Presumably each row is the precomputed reduction of that
 * byte modulo the GHASH polynomial -- confirm against whatever generated the
 * table before editing any entry. */
static const byte R[256][2] = {
    {0x00, 0x00}, {0x01, 0xc2}, {0x03, 0x84}, {0x02, 0x46},
    {0x07, 0x08}, {0x06, 0xca}, {0x04, 0x8c}, {0x05, 0x4e},
    {0x0e, 0x10}, {0x0f, 0xd2}, {0x0d, 0x94}, {0x0c, 0x56},
    {0x09, 0x18}, {0x08, 0xda}, {0x0a, 0x9c}, {0x0b, 0x5e},
    {0x1c, 0x20}, {0x1d, 0xe2}, {0x1f, 0xa4}, {0x1e, 0x66},
    {0x1b, 0x28}, {0x1a, 0xea}, {0x18, 0xac}, {0x19, 0x6e},
    {0x12, 0x30}, {0x13, 0xf2}, {0x11, 0xb4}, {0x10, 0x76},
    {0x15, 0x38}, {0x14, 0xfa}, {0x16, 0xbc}, {0x17, 0x7e},
    {0x38, 0x40}, {0x39, 0x82}, {0x3b, 0xc4}, {0x3a, 0x06},
    {0x3f, 0x48}, {0x3e, 0x8a}, {0x3c, 0xcc}, {0x3d, 0x0e},
    {0x36, 0x50}, {0x37, 0x92}, {0x35, 0xd4}, {0x34, 0x16},
    {0x31, 0x58}, {0x30, 0x9a}, {0x32, 0xdc}, {0x33, 0x1e},
    {0x24, 0x60}, {0x25, 0xa2}, {0x27, 0xe4}, {0x26, 0x26},
    {0x23, 0x68}, {0x22, 0xaa}, {0x20, 0xec}, {0x21, 0x2e},
    {0x2a, 0x70}, {0x2b, 0xb2}, {0x29, 0xf4}, {0x28, 0x36},
    {0x2d, 0x78}, {0x2c, 0xba}, {0x2e, 0xfc}, {0x2f, 0x3e},
    {0x70, 0x80}, {0x71, 0x42}, {0x73, 0x04}, {0x72, 0xc6},
    {0x77, 0x88}, {0x76, 0x4a}, {0x74, 0x0c}, {0x75, 0xce},
    {0x7e, 0x90}, {0x7f, 0x52}, {0x7d, 0x14}, {0x7c, 0xd6},
    {0x79, 0x98}, {0x78, 0x5a}, {0x7a, 0x1c}, {0x7b, 0xde},
    {0x6c, 0xa0}, {0x6d, 0x62}, {0x6f, 0x24}, {0x6e, 0xe6},
    {0x6b, 0xa8}, {0x6a, 0x6a}, {0x68, 0x2c}, {0x69, 0xee},
    {0x62, 0xb0}, {0x63, 0x72}, {0x61, 0x34}, {0x60, 0xf6},
    {0x65, 0xb8}, {0x64, 0x7a}, {0x66, 0x3c}, {0x67, 0xfe},
    {0x48, 0xc0}, {0x49, 0x02}, {0x4b, 0x44}, {0x4a, 0x86},
    {0x4f, 0xc8}, {0x4e, 0x0a}, {0x4c, 0x4c}, {0x4d, 0x8e},
    {0x46, 0xd0}, {0x47, 0x12}, {0x45, 0x54}, {0x44, 0x96},
    {0x41, 0xd8}, {0x40, 0x1a}, {0x42, 0x5c}, {0x43, 0x9e},
    {0x54, 0xe0}, {0x55, 0x22}, {0x57, 0x64}, {0x56, 0xa6},
    {0x53, 0xe8}, {0x52, 0x2a}, {0x50, 0x6c}, {0x51, 0xae},
    {0x5a, 0xf0}, {0x5b, 0x32}, {0x59, 0x74}, {0x58, 0xb6},
    {0x5d, 0xf8}, {0x5c, 0x3a}, {0x5e, 0x7c}, {0x5f, 0xbe},
    {0xe1, 0x00}, {0xe0, 0xc2}, {0xe2, 0x84}, {0xe3, 0x46},
    {0xe6, 0x08}, {0xe7, 0xca}, {0xe5, 0x8c}, {0xe4, 0x4e},
    {0xef, 0x10}, {0xee, 0xd2}, {0xec, 0x94}, {0xed, 0x56},
    {0xe8, 0x18}, {0xe9, 0xda}, {0xeb, 0x9c}, {0xea, 0x5e},
    {0xfd, 0x20}, {0xfc, 0xe2}, {0xfe, 0xa4}, {0xff, 0x66},
    {0xfa, 0x28}, {0xfb, 0xea}, {0xf9, 0xac}, {0xf8, 0x6e},
    {0xf3, 0x30}, {0xf2, 0xf2}, {0xf0, 0xb4}, {0xf1, 0x76},
    {0xf4, 0x38}, {0xf5, 0xfa}, {0xf7, 0xbc}, {0xf6, 0x7e},
    {0xd9, 0x40}, {0xd8, 0x82}, {0xda, 0xc4}, {0xdb, 0x06},
    {0xde, 0x48}, {0xdf, 0x8a}, {0xdd, 0xcc}, {0xdc, 0x0e},
    {0xd7, 0x50}, {0xd6, 0x92}, {0xd4, 0xd4}, {0xd5, 0x16},
    {0xd0, 0x58}, {0xd1, 0x9a}, {0xd3, 0xdc}, {0xd2, 0x1e},
    {0xc5, 0x60}, {0xc4, 0xa2}, {0xc6, 0xe4}, {0xc7, 0x26},
    {0xc2, 0x68}, {0xc3, 0xaa}, {0xc1, 0xec}, {0xc0, 0x2e},
    {0xcb, 0x70}, {0xca, 0xb2}, {0xc8, 0xf4}, {0xc9, 0x36},
    {0xcc, 0x78}, {0xcd, 0xba}, {0xcf, 0xfc}, {0xce, 0x3e},
    {0x91, 0x80}, {0x90, 0x42}, {0x92, 0x04}, {0x93, 0xc6},
    {0x96, 0x88}, {0x97, 0x4a}, {0x95, 0x0c}, {0x94, 0xce},
    {0x9f, 0x90}, {0x9e, 0x52}, {0x9c, 0x14}, {0x9d, 0xd6},
    {0x98, 0x98}, {0x99, 0x5a}, {0x9b, 0x1c}, {0x9a, 0xde},
    {0x8d, 0xa0}, {0x8c, 0x62}, {0x8e, 0x24}, {0x8f, 0xe6},
    {0x8a, 0xa8}, {0x8b, 0x6a}, {0x89, 0x2c}, {0x88, 0xee},
    {0x83, 0xb0}, {0x82, 0x72}, {0x80, 0x34}, {0x81, 0xf6},
    {0x84, 0xb8}, {0x85, 0x7a}, {0x87, 0x3c}, {0x86, 0xfe},
    {0xa9, 0xc0}, {0xa8, 0x02}, {0xaa, 0x44}, {0xab, 0x86},
    {0xae, 0xc8}, {0xaf, 0x0a}, {0xad, 0x4c}, {0xac, 0x8e},
    {0xa7, 0xd0}, {0xa6, 0x12}, {0xa4, 0x54}, {0xa5, 0x96},
    {0xa0, 0xd8}, {0xa1, 0x1a}, {0xa3, 0x5c}, {0xa2, 0x9e},
    {0xb5, 0xe0}, {0xb4, 0x22}, {0xb6, 0x64}, {0xb7, 0xa6},
    {0xb2, 0xe8}, {0xb3, 0x2a}, {0xb1, 0x6c}, {0xb0, 0xae},
    {0xbb, 0xf0}, {0xba, 0x32}, {0xb8, 0x74}, {0xb9, 0xb6},
    {0xbc, 0xf8}, {0xbd, 0x3a}, {0xbf, 0x7c}, {0xbe, 0xbe} };
wolfSSL 15:117db924cf7c 5508
wolfSSL 15:117db924cf7c 5509
/* Table-driven GF(2^128) multiply for the GCM_TABLE build; the product
 * replaces x.
 *
 * x  AES_BLOCK_SIZE bytes, consumed from x[15] down to x[0]
 * m  256 rows of AES_BLOCK_SIZE bytes, one row per possible byte of x;
 *    GHASH in this build passes aes->M0
 *
 * NOTE(review): the rows of m and of R are selected by bytes of the running
 * hash state, so the memory access pattern depends on that data. Whether
 * this matters depends on the cache-timing threat model of the deployment.
 */
static void GMULT(byte *x, byte m[256][AES_BLOCK_SIZE])
{
    byte acc[AES_BLOCK_SIZE];
    byte carry;
    int pos, idx;

    XMEMSET(acc, 0, sizeof(acc));

    pos = 15;
    while (pos > 0) {
        xorbuf(acc, m[x[pos]], AES_BLOCK_SIZE);

        /* shift the accumulator up by one byte, remembering the byte that
         * falls off the end */
        carry = acc[15];
        idx = 15;
        while (idx > 0) {
            acc[idx] = acc[idx - 1];
            idx--;
        }

        /* bring the dropped byte back in through the R table */
        acc[0] = R[carry][0];
        acc[1] ^= R[carry][1];

        pos--;
    }
    /* the lowest byte is added without a following shift */
    xorbuf(acc, m[x[0]], AES_BLOCK_SIZE);

    XMEMCPY(x, acc, AES_BLOCK_SIZE);
}
wolfSSL 15:117db924cf7c 5533
wolfSSL 15:117db924cf7c 5534
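/* GHASH for the GCM_TABLE build: hashes the additional data, then the
 * ciphertext, then their bit lengths, multiplying through the aes->M0 table
 * after each block.
 *
 * aes  supplies the multiplication table aes->M0
 * a    additional authenticated data, aSz bytes; skipped when NULL or empty
 * c    ciphertext, cSz bytes; skipped when NULL or empty
 * s    receives the first sSz bytes of the hash
 * sSz  number of bytes wanted; at most AES_BLOCK_SIZE are available, so a
 *      larger value is clamped instead of reading past the local state
 *
 * The lengths aSz and cSz are hashed in even when the matching pointer is
 * NULL.
 */
void GHASH(Aes* aes, const byte* a, word32 aSz, const byte* c,
    word32 cSz, byte* s, word32 sSz)
{
    byte x[AES_BLOCK_SIZE];
    byte scratch[AES_BLOCK_SIZE];
    const byte* part[2];
    word32 partSz[2];
    int p;

    /* part 0 is A, the Additional Authentication Data; part 1 is C, the
     * Ciphertext. Both are absorbed the same way. */
    part[0] = a;
    partSz[0] = aSz;
    part[1] = c;
    partSz[1] = cSz;

    XMEMSET(x, 0, AES_BLOCK_SIZE);

    for (p = 0; p < 2; p++) {
        const byte* in = part[p];
        word32 blocks, partial;

        if (partSz[p] == 0 || in == NULL)
            continue;

        blocks = partSz[p] / AES_BLOCK_SIZE;
        partial = partSz[p] % AES_BLOCK_SIZE;
        while (blocks--) {
            xorbuf(x, in, AES_BLOCK_SIZE);
            GMULT(x, aes->M0);
            in += AES_BLOCK_SIZE;
        }
        if (partial != 0) {
            /* zero pad the trailing partial block */
            XMEMSET(scratch, 0, AES_BLOCK_SIZE);
            XMEMCPY(scratch, in, partial);
            xorbuf(x, scratch, AES_BLOCK_SIZE);
            GMULT(x, aes->M0);
        }
    }

    /* Hash in the lengths of A and C in bits */
    FlattenSzInBits(&scratch[0], aSz);
    FlattenSzInBits(&scratch[8], cSz);
    xorbuf(x, scratch, AES_BLOCK_SIZE);
    GMULT(x, aes->M0);

    /* Copy the result into s, never more than the state holds. */
    if (sSz > AES_BLOCK_SIZE)
        sSz = AES_BLOCK_SIZE;
    XMEMCPY(s, x, sSz);
}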
wolfSSL 15:117db924cf7c 5587
wolfSSL 15:117db924cf7c 5588 /* end GCM_TABLE */
wolfSSL 15:117db924cf7c 5589 #elif defined(WORD64_AVAILABLE) && !defined(GCM_WORD32)
wolfSSL 15:117db924cf7c 5590
wolfSSL 15:117db924cf7c 5591 #if !defined(FREESCALE_LTC_AES_GCM)
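/* Multiply X by Y in GF(2^128) using GCM's bit order; the product replaces X.
 *
 * X  two 64-bit words, most significant word first; input and output
 * Y  two 64-bit words, most significant word first; only read
 *
 * The GHASH caller in this build passes the hash key as Y and the running
 * accumulator as X, so both operands are secret. The conditional XOR and the
 * conditional reduction are therefore done with all-ones/all-zero masks
 * rather than with branches on operand bits. The result is identical to the
 * branching form. The compiler is still free to emit branches, so check the
 * generated code on targets where timing matters.
 */
static void GMULT(word64* X, word64* Y)
{
    word64 Z[2] = {0,0};
    word64 V[2];
    int i, j;

    V[0] = X[0];
    V[1] = X[1];

    for (i = 0; i < 2; i++) {
        word64 y = Y[i];
        for (j = 0; j < 64; j++) {
            /* all ones when the current (top) bit of y is set */
            word64 take = (word64)0 - (y >> 63);
            /* all ones when the bit about to be shifted out of V is set */
            word64 reduce = (word64)0 - (V[1] & 0x0000000000000001ULL);

            Z[0] ^= V[0] & take;
            Z[1] ^= V[1] & take;

            /* V >>= 1 across both words, then fold in the reduction constant */
            V[1] = (V[1] >> 1) | (V[0] << 63);
            V[0] = (V[0] >> 1) ^ (0xE100000000000000ULL & reduce);

            y <<= 1;
        }
    }
    X[0] = Z[0];
    X[1] = Z[1];
}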
wolfSSL 15:117db924cf7c 5628
wolfSSL 15:117db924cf7c 5629
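/* GHASH for builds with a 64-bit word type (no table, not GCM_WORD32).
 *
 * Folds the additional authenticated data, the ciphertext and their lengths
 * into a 128-bit accumulator held as two 64-bit words, then copies the
 * leading sSz bytes of the result to s.
 *
 * aes  context; aes->H is read as the hash key. With OPENSSL_EXTRA,
 *      aes->aadH is written and aes->aadLen is read (see below)
 * a    additional authenticated data; skipped when NULL or aSz == 0
 * aSz  length of a in bytes
 * c    ciphertext; skipped when NULL or cSz == 0
 * cSz  length of c in bytes
 * s    output buffer, must hold min(sSz, AES_BLOCK_SIZE) bytes
 * sSz  number of bytes wanted; values above AES_BLOCK_SIZE are clamped
 *
 * aes and s are not checked for NULL.
 *
 * OPENSSL_EXTRA keeps state between calls: the accumulator after the AAD is
 * saved in aes->aadH, and a non-zero aes->aadLen both reseeds the accumulator
 * before the ciphertext and replaces aSz in the length block. This function
 * never clears aes->aadLen, so a value left over from an earlier message
 * changes the result of any later call; AES_GCM_encrypt_C zeroes it around
 * the hash of the IV for that reason. The other two GHASH variants in this
 * file do not carry this state.
 */
void GHASH(Aes* aes, const byte* a, word32 aSz, const byte* c,
    word32 cSz, byte* s, word32 sSz)
{
    word64 x[2] = {0,0};
    word32 blocks, partial;
    word64 bigH[2];

    /* work on a copy of H in host word order; GMULT expects big-endian words */
    XMEMCPY(bigH, aes->H, AES_BLOCK_SIZE);
    #ifdef LITTLE_ENDIAN_ORDER
        ByteReverseWords64(bigH, bigH, AES_BLOCK_SIZE);
    #endif

    /* Hash in A, the Additional Authentication Data */
    if (aSz != 0 && a != NULL) {
        word64 bigA[2];
        blocks = aSz / AES_BLOCK_SIZE;
        partial = aSz % AES_BLOCK_SIZE;
        while (blocks--) {
            /* copy first: a need not be aligned for 64-bit loads */
            XMEMCPY(bigA, a, AES_BLOCK_SIZE);
            #ifdef LITTLE_ENDIAN_ORDER
                ByteReverseWords64(bigA, bigA, AES_BLOCK_SIZE);
            #endif
            x[0] ^= bigA[0];
            x[1] ^= bigA[1];
            GMULT(x, bigH);
            a += AES_BLOCK_SIZE;
        }
        if (partial != 0) {
            /* zero-pad the trailing bytes to a full block */
            XMEMSET(bigA, 0, AES_BLOCK_SIZE);
            XMEMCPY(bigA, a, partial);
            #ifdef LITTLE_ENDIAN_ORDER
                ByteReverseWords64(bigA, bigA, AES_BLOCK_SIZE);
            #endif
            x[0] ^= bigA[0];
            x[1] ^= bigA[1];
            GMULT(x, bigH);
        }
    #ifdef OPENSSL_EXTRA
        /* store AAD partial tag for next call */
        aes->aadH[0] = (word32)((x[0] & 0xFFFFFFFF00000000) >> 32);
        aes->aadH[1] = (word32)(x[0] & 0xFFFFFFFF);
        aes->aadH[2] = (word32)((x[1] & 0xFFFFFFFF00000000) >> 32);
        aes->aadH[3] = (word32)(x[1] & 0xFFFFFFFF);
    #endif
    }

    /* Hash in C, the Ciphertext */
    if (cSz != 0 && c != NULL) {
        word64 bigC[2];
        blocks = cSz / AES_BLOCK_SIZE;
        partial = cSz % AES_BLOCK_SIZE;
    #ifdef OPENSSL_EXTRA
        /* Start from last AAD partial tag. If AAD was hashed in this same
         * call, aadH was refreshed just above and equals x already. */
        if(aes->aadLen) {
            x[0] = ((word64)aes->aadH[0]) << 32 | aes->aadH[1];
            x[1] = ((word64)aes->aadH[2]) << 32 | aes->aadH[3];
        }
    #endif
        while (blocks--) {
            XMEMCPY(bigC, c, AES_BLOCK_SIZE);
            #ifdef LITTLE_ENDIAN_ORDER
                ByteReverseWords64(bigC, bigC, AES_BLOCK_SIZE);
            #endif
            x[0] ^= bigC[0];
            x[1] ^= bigC[1];
            GMULT(x, bigH);
            c += AES_BLOCK_SIZE;
        }
        if (partial != 0) {
            /* zero-pad the trailing bytes to a full block */
            XMEMSET(bigC, 0, AES_BLOCK_SIZE);
            XMEMCPY(bigC, c, partial);
            #ifdef LITTLE_ENDIAN_ORDER
                ByteReverseWords64(bigC, bigC, AES_BLOCK_SIZE);
            #endif
            x[0] ^= bigC[0];
            x[1] ^= bigC[1];
            GMULT(x, bigH);
        }
    }

    /* Hash in the lengths in bits of A and C. The sizes are used as passed,
     * even when the matching pointer was NULL and its data was skipped. */
    {
        word64 len[2];
        len[0] = aSz; len[1] = cSz;
    #ifdef OPENSSL_EXTRA
        /* a stored AAD length overrides the aSz of this call */
        if (aes->aadLen)
            len[0] = (word64)aes->aadLen;
    #endif
        /* Lengths are in bytes. Convert to bits. */
        len[0] *= 8;
        len[1] *= 8;

        x[0] ^= len[0];
        x[1] ^= len[1];
        GMULT(x, bigH);
    }
    #ifdef LITTLE_ENDIAN_ORDER
        ByteReverseWords64(x, x, AES_BLOCK_SIZE);
    #endif
    /* x holds AES_BLOCK_SIZE bytes only, so a larger request is clamped
     * instead of copying adjacent stack memory out. */
    if (sSz > AES_BLOCK_SIZE) {
        sSz = AES_BLOCK_SIZE;
    }
    XMEMCPY(s, x, sSz);
}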
wolfSSL 15:117db924cf7c 5731 #endif /* !FREESCALE_LTC_AES_GCM */
wolfSSL 15:117db924cf7c 5732
wolfSSL 15:117db924cf7c 5733 /* end defined(WORD64_AVAILABLE) && !defined(GCM_WORD32) */
wolfSSL 15:117db924cf7c 5734 #else /* GCM_WORD32 */
wolfSSL 15:117db924cf7c 5735
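/* Multiply X by Y in GF(2^128) using GCM's bit order; the product replaces X.
 * 32-bit word variant.
 *
 * X  four 32-bit words, most significant word first; input and output
 * Y  four 32-bit words, most significant word first; only read
 *
 * The GHASH caller in this build passes the hash key as Y and the running
 * accumulator as X, so both operands are secret. The conditional XOR and the
 * conditional reduction are therefore done with all-ones/all-zero masks
 * rather than with branches on operand bits. The result is identical to the
 * branching form. The compiler is still free to emit branches, so check the
 * generated code on targets where timing matters.
 */
static void GMULT(word32* X, word32* Y)
{
    word32 Z[4] = {0,0,0,0};
    word32 V[4];
    int i, j;

    V[0] = X[0]; V[1] = X[1]; V[2] = X[2]; V[3] = X[3];

    for (i = 0; i < 4; i++) {
        word32 y = Y[i];
        for (j = 0; j < 32; j++) {
            /* all ones when the current (top) bit of y is set */
            word32 take = (word32)0 - (y >> 31);
            /* all ones when the bit about to be shifted out of V is set */
            word32 reduce = (word32)0 - (V[3] & 0x00000001);

            Z[0] ^= V[0] & take;
            Z[1] ^= V[1] & take;
            Z[2] ^= V[2] & take;
            Z[3] ^= V[3] & take;

            /* V >>= 1 across all four words, low word first so each step
             * still sees the unshifted word above it */
            V[3] = (V[3] >> 1) | (V[2] << 31);
            V[2] = (V[2] >> 1) | (V[1] << 31);
            V[1] = (V[1] >> 1) | (V[0] << 31);
            V[0] = (V[0] >> 1) ^ ((word32)0xE1000000 & reduce);

            y <<= 1;
        }
    }
    X[0] = Z[0];
    X[1] = Z[1];
    X[2] = Z[2];
    X[3] = Z[3];
}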
wolfSSL 15:117db924cf7c 5782
wolfSSL 15:117db924cf7c 5783
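/* GHASH for the GCM_WORD32 build.
 *
 * Folds the additional authenticated data, the ciphertext and their lengths
 * into a 128-bit accumulator held as four 32-bit words, then copies the
 * leading sSz bytes of the result to s.
 *
 * aes  context; only aes->H is read here, as the hash key
 * a    additional authenticated data; skipped when NULL or aSz == 0
 * aSz  length of a in bytes
 * c    ciphertext; skipped when NULL or cSz == 0
 * cSz  length of c in bytes
 * s    output buffer, must hold min(sSz, AES_BLOCK_SIZE) bytes
 * sSz  number of bytes wanted; values above AES_BLOCK_SIZE are clamped
 *
 * aes and s are not checked for NULL. Unlike the 64-bit variant in this file,
 * this one has no OPENSSL_EXTRA handling of aes->aadH / aes->aadLen.
 */
void GHASH(Aes* aes, const byte* a, word32 aSz, const byte* c,
    word32 cSz, byte* s, word32 sSz)
{
    word32 x[4] = {0,0,0,0};
    word32 blocks, partial;
    word32 bigH[4];

    /* work on a copy of H in host word order; GMULT expects big-endian words */
    XMEMCPY(bigH, aes->H, AES_BLOCK_SIZE);
    #ifdef LITTLE_ENDIAN_ORDER
        ByteReverseWords(bigH, bigH, AES_BLOCK_SIZE);
    #endif

    /* Hash in A, the Additional Authentication Data */
    if (aSz != 0 && a != NULL) {
        word32 bigA[4];
        blocks = aSz / AES_BLOCK_SIZE;
        partial = aSz % AES_BLOCK_SIZE;
        while (blocks--) {
            /* copy first: a need not be aligned for 32-bit loads */
            XMEMCPY(bigA, a, AES_BLOCK_SIZE);
            #ifdef LITTLE_ENDIAN_ORDER
                ByteReverseWords(bigA, bigA, AES_BLOCK_SIZE);
            #endif
            x[0] ^= bigA[0];
            x[1] ^= bigA[1];
            x[2] ^= bigA[2];
            x[3] ^= bigA[3];
            GMULT(x, bigH);
            a += AES_BLOCK_SIZE;
        }
        if (partial != 0) {
            /* zero-pad the trailing bytes to a full block */
            XMEMSET(bigA, 0, AES_BLOCK_SIZE);
            XMEMCPY(bigA, a, partial);
            #ifdef LITTLE_ENDIAN_ORDER
                ByteReverseWords(bigA, bigA, AES_BLOCK_SIZE);
            #endif
            x[0] ^= bigA[0];
            x[1] ^= bigA[1];
            x[2] ^= bigA[2];
            x[3] ^= bigA[3];
            GMULT(x, bigH);
        }
    }

    /* Hash in C, the Ciphertext */
    if (cSz != 0 && c != NULL) {
        word32 bigC[4];
        blocks = cSz / AES_BLOCK_SIZE;
        partial = cSz % AES_BLOCK_SIZE;
        while (blocks--) {
            XMEMCPY(bigC, c, AES_BLOCK_SIZE);
            #ifdef LITTLE_ENDIAN_ORDER
                ByteReverseWords(bigC, bigC, AES_BLOCK_SIZE);
            #endif
            x[0] ^= bigC[0];
            x[1] ^= bigC[1];
            x[2] ^= bigC[2];
            x[3] ^= bigC[3];
            GMULT(x, bigH);
            c += AES_BLOCK_SIZE;
        }
        if (partial != 0) {
            /* zero-pad the trailing bytes to a full block */
            XMEMSET(bigC, 0, AES_BLOCK_SIZE);
            XMEMCPY(bigC, c, partial);
            #ifdef LITTLE_ENDIAN_ORDER
                ByteReverseWords(bigC, bigC, AES_BLOCK_SIZE);
            #endif
            x[0] ^= bigC[0];
            x[1] ^= bigC[1];
            x[2] ^= bigC[2];
            x[3] ^= bigC[3];
            GMULT(x, bigH);
        }
    }

    /* Hash in the lengths in bits of A and C. The sizes are used as passed,
     * even when the matching pointer was NULL and its data was skipped. */
    {
        word32 len[4];

        /* Lengths are in bytes. Convert to bits. Each 64-bit bit count is
         * split in two words: the top three bits of the byte count become
         * the high word, the byte count shifted left by three the low word. */
        len[0] = (aSz >> (8*sizeof(aSz) - 3));
        len[1] = aSz << 3;
        len[2] = (cSz >> (8*sizeof(cSz) - 3));
        len[3] = cSz << 3;

        x[0] ^= len[0];
        x[1] ^= len[1];
        x[2] ^= len[2];
        x[3] ^= len[3];
        GMULT(x, bigH);
    }
    #ifdef LITTLE_ENDIAN_ORDER
        ByteReverseWords(x, x, AES_BLOCK_SIZE);
    #endif
    /* x holds AES_BLOCK_SIZE bytes only, so a larger request is clamped
     * instead of copying adjacent stack memory out. */
    if (sSz > AES_BLOCK_SIZE) {
        sSz = AES_BLOCK_SIZE;
    }
    XMEMCPY(s, x, sSz);
}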
wolfSSL 15:117db924cf7c 5879
wolfSSL 15:117db924cf7c 5880 #endif /* end GCM_WORD32 */
wolfSSL 15:117db924cf7c 5881
wolfSSL 15:117db924cf7c 5882
wolfSSL 16:8e0d178b1d1e 5883 #if !defined(WOLFSSL_XILINX_CRYPT) && !defined(WOLFSSL_AFALG_XILINX_AES)
wolfSSL 15:117db924cf7c 5884 #ifdef FREESCALE_LTC_AES_GCM
/* AES-GCM encrypt through the Freescale LTC driver.
 *
 * Rejects a NULL aes, an empty IV and a tag length outside
 * [WOLFSSL_MIN_AUTH_TAG_SZ, AES_BLOCK_SIZE] with BAD_FUNC_ARG, looks up the
 * key size and hands everything else to LTC_AES_EncryptTagGcm.
 *
 * Returns 0 on success, BAD_FUNC_ARG for the rejected arguments above, the
 * error from wc_AesGetKeySize if that fails, and AES_GCM_AUTH_E for any
 * driver status other than kStatus_Success.
 *
 * out, in, iv, authTag and authIn are passed to the driver without a NULL
 * check. As with any GCM use, the caller must never repeat an IV under the
 * same key.
 */
int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
                     const byte* iv, word32 ivSz,
                     byte* authTag, word32 authTagSz,
                     const byte* authIn, word32 authInSz)
{
    word32 keyLen;
    status_t rc;

    /* argument checks */
    if (aes == NULL || ivSz == 0 || authTagSz > AES_BLOCK_SIZE)
        return BAD_FUNC_ARG;

    if (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ) {
        WOLFSSL_MSG("GcmEncrypt authTagSz too small error");
        return BAD_FUNC_ARG;
    }

    rc = wc_AesGetKeySize(aes, &keyLen);
    if (rc != 0)
        return rc;

    rc = LTC_AES_EncryptTagGcm(LTC_BASE, in, out, sz, iv, ivSz,
                               authIn, authInSz, (byte*)aes->key, keyLen,
                               authTag, authTagSz);
    if (rc != kStatus_Success)
        return AES_GCM_AUTH_E;

    return 0;
}
wolfSSL 16:8e0d178b1d1e 5912
wolfSSL 15:117db924cf7c 5913 #else
wolfSSL 16:8e0d178b1d1e 5914
wolfSSL 16:8e0d178b1d1e 5915 #ifdef STM32_CRYPTO_AES_GCM
wolfSSL 16:8e0d178b1d1e 5916
wolfSSL 16:8e0d178b1d1e 5917 /* this function supports inline encrypt */
/* AES-GCM encrypt on the STM32 crypto peripheral, with a software fallback
 * for the tag where the hardware result is not used.
 *
 * The whole operation runs under the crypto hardware mutex. Three driver
 * flavours are selected at build time: CubeMX HAL with STM32_CRYPTO_AES_ONLY,
 * CubeMX HAL v2 (STM32_HAL_V2), the remaining CubeMX HAL, and the standard
 * peripheral library.
 *
 * Returns 0 on success, the error of wc_AesGetKeySize, wc_Stm32_Aes_Init or
 * wolfSSL_CryptHwMutexLock if one of them fails, MEMORY_E if the padded AAD
 * buffer cannot be allocated, and AES_GCM_AUTH_E for any hardware failure.
 *
 * No argument validation happens here (aes, iv, out, in, authTagSz are used
 * as given); presumably the caller has done it - verify against the caller.
 * When authTag is NULL no tag is produced at all, so the ciphertext is then
 * unauthenticated. On a hardware failure out may already hold part of the
 * ciphertext. The caller must never repeat an IV under the same key.
 */
static int wc_AesGcmEncrypt_STM32(Aes* aes, byte* out, const byte* in, word32 sz,
                                  const byte* iv, word32 ivSz,
                                  byte* authTag, word32 authTagSz,
                                  const byte* authIn, word32 authInSz)
{
    int ret;
#ifdef WOLFSSL_STM32_CUBEMX
    CRYP_HandleTypeDef hcryp;
#else
    /* byte-swapped copy of the key for the peripheral library.
     * NOTE(review): this copy is still on the stack when the function
     * returns; nothing here wipes it. */
    word32 keyCopy[AES_256_KEY_SIZE/sizeof(word32)];
#endif
    word32 keySize;
    int status = HAL_OK;
    word32 blocks = sz / AES_BLOCK_SIZE;
    word32 partial = sz % AES_BLOCK_SIZE;
    byte tag[AES_BLOCK_SIZE];
    byte partialBlock[AES_BLOCK_SIZE];
    byte ctr[AES_BLOCK_SIZE];
    byte* authInPadded = NULL;
    int authPadSz;

    ret = wc_AesGetKeySize(aes, &keySize);
    if (ret != 0)
        return ret;

#ifdef WOLFSSL_STM32_CUBEMX
    ret = wc_Stm32_Aes_Init(aes, &hcryp);
    if (ret != 0)
        return ret;
#endif

    ret = wolfSSL_CryptHwMutexLock();
    if (ret != 0) {
        return ret;
    }

    /* Build the initial counter block: a 12-byte IV is used directly with a
     * trailing counter of 1, any other length is hashed with GHASH.
     * NOTE(review): AES_GCM_encrypt_C saves and zeroes aes->aadLen around
     * this same GHASH call under OPENSSL_EXTRA; this path does not - confirm
     * the two options cannot be combined or that aadLen is always 0 here. */
    XMEMSET(ctr, 0, AES_BLOCK_SIZE);
    if (ivSz == GCM_NONCE_MID_SZ) {
        XMEMCPY(ctr, iv, ivSz);
        ctr[AES_BLOCK_SIZE - 1] = 1;
    }
    else {
        GHASH(aes, NULL, 0, iv, ivSz, ctr, AES_BLOCK_SIZE);
    }
    /* Hardware requires counter + 1 */
    IncrementGcmCounter(ctr);

    if (authInSz == 0 || (authInSz % AES_BLOCK_SIZE) != 0) {
        /* Need to pad the AAD to a full block with zeros. */
        /* NOTE(review): the size is computed in word32 and stored in an int;
         * an authInSz within one block of the word32 maximum wraps the
         * product to 0 while the copy below still moves authInSz bytes.
         * Confirm callers bound authInSz. */
        authPadSz = ((authInSz / AES_BLOCK_SIZE) + 1) * AES_BLOCK_SIZE;
        authInPadded = (byte*)XMALLOC(authPadSz, aes->heap,
            DYNAMIC_TYPE_TMP_BUFFER);
        if (authInPadded == NULL) {
            wolfSSL_CryptHwMutexUnLock();
            return MEMORY_E;
        }
        XMEMSET(authInPadded, 0, authPadSz);
        XMEMCPY(authInPadded, authIn, authInSz);
    } else {
        /* already a whole number of blocks: use the caller's buffer; the
         * cast only drops const, and the pointer is compared with authIn
         * below to decide whether to free */
        authPadSz = authInSz;
        authInPadded = (byte*)authIn;
    }

#ifdef WOLFSSL_STM32_CUBEMX
    hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)ctr;
    hcryp.Init.Header = (STM_CRYPT_TYPE*)authInPadded;
    /* the unpadded AAD length is what the HAL is told */
    hcryp.Init.HeaderSize = authInSz;

#ifdef STM32_CRYPTO_AES_ONLY
    /* Set the CRYP parameters */
    hcryp.Init.ChainingMode = CRYP_CHAINMODE_AES_GCM_GMAC;
    hcryp.Init.OperatingMode = CRYP_ALGOMODE_ENCRYPT;
    hcryp.Init.GCMCMACPhase = CRYP_INIT_PHASE;
    HAL_CRYP_Init(&hcryp);

    /* GCM init phase */
    status = HAL_CRYPEx_AES_Auth(&hcryp, NULL, 0, NULL, STM32_HAL_TIMEOUT);
    if (status == HAL_OK) {
        /* GCM header phase */
        hcryp.Init.GCMCMACPhase = CRYP_HEADER_PHASE;
        status = HAL_CRYPEx_AES_Auth(&hcryp, NULL, 0, NULL, STM32_HAL_TIMEOUT);
    }
    if (status == HAL_OK) {
        /* GCM payload phase - blocks */
        hcryp.Init.GCMCMACPhase = CRYP_PAYLOAD_PHASE;
        if (blocks) {
            status = HAL_CRYPEx_AES_Auth(&hcryp, (byte*)in,
                (blocks * AES_BLOCK_SIZE), out, STM32_HAL_TIMEOUT);
        }
    }
    if (status == HAL_OK && (partial != 0 || blocks == 0)) {
        /* GCM payload phase - partial remainder */
        /* the remainder goes through a zero-padded bounce buffer so the
         * hardware never reads or writes past the caller's sz bytes */
        XMEMSET(partialBlock, 0, sizeof(partialBlock));
        XMEMCPY(partialBlock, in + (blocks * AES_BLOCK_SIZE), partial);
        status = HAL_CRYPEx_AES_Auth(&hcryp, partialBlock, partial,
            partialBlock, STM32_HAL_TIMEOUT);
        XMEMCPY(out + (blocks * AES_BLOCK_SIZE), partialBlock, partial);
    }
    if (status == HAL_OK) {
        /* GCM final phase */
        hcryp.Init.GCMCMACPhase = CRYP_FINAL_PHASE;
        status = HAL_CRYPEx_AES_Auth(&hcryp, NULL, sz, tag, STM32_HAL_TIMEOUT);
    }
#elif defined(STM32_HAL_V2)
    hcryp.Init.Algorithm = CRYP_AES_GCM;
    /* HAL v2 gets the counter block with its words byte-reversed;
     * partialBlock is reused as the holder for that copy */
    ByteReverseWords((word32*)partialBlock, (word32*)ctr, AES_BLOCK_SIZE);
    hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)partialBlock;
    HAL_CRYP_Init(&hcryp);

    /* GCM payload phase - can handle partial blocks */
    status = HAL_CRYP_Encrypt(&hcryp, (uint32_t*)in,
        (blocks * AES_BLOCK_SIZE) + partial, (uint32_t*)out, STM32_HAL_TIMEOUT);
    if (status == HAL_OK) {
        /* Compute the authTag */
        status = HAL_CRYPEx_AESGCM_GenerateAuthTAG(&hcryp, (uint32_t*)tag,
            STM32_HAL_TIMEOUT);
    }
#else
    HAL_CRYP_Init(&hcryp);
    if (blocks) {
        /* GCM payload phase - blocks */
        status = HAL_CRYPEx_AESGCM_Encrypt(&hcryp, (byte*)in,
            (blocks * AES_BLOCK_SIZE), out, STM32_HAL_TIMEOUT);
    }
    if (status == HAL_OK && (partial != 0 || blocks == 0)) {
        /* GCM payload phase - partial remainder */
        /* same zero-padded bounce buffer as in the AES-only branch */
        XMEMSET(partialBlock, 0, sizeof(partialBlock));
        XMEMCPY(partialBlock, in + (blocks * AES_BLOCK_SIZE), partial);
        status = HAL_CRYPEx_AESGCM_Encrypt(&hcryp, partialBlock, partial,
            partialBlock, STM32_HAL_TIMEOUT);
        XMEMCPY(out + (blocks * AES_BLOCK_SIZE), partialBlock, partial);
    }
    if (status == HAL_OK) {
        /* Compute the authTag */
        status = HAL_CRYPEx_AESGCM_Finish(&hcryp, sz, tag, STM32_HAL_TIMEOUT);
    }
#endif

    /* every HAL failure, whatever its cause, is reported as AES_GCM_AUTH_E */
    if (status != HAL_OK)
        ret = AES_GCM_AUTH_E;
    HAL_CRYP_DeInit(&hcryp);

#else /* STD_PERI_LIB */
    ByteReverseWords(keyCopy, (word32*)aes->key, keySize);
    status = CRYP_AES_GCM(MODE_ENCRYPT, (uint8_t*)ctr,
                         (uint8_t*)keyCopy,      keySize * 8,
                         (uint8_t*)in,           sz,
                         (uint8_t*)authInPadded, authInSz,
                         (uint8_t*)out,          tag);
    if (status != SUCCESS)
        ret = AES_GCM_AUTH_E;
#endif /* WOLFSSL_STM32_CUBEMX */

    if (ret == 0) {
        /* return authTag */
        if (authTag) {
            /* STM32 GCM won't compute Auth correctly for partial or
               when IV != 12, so use software here */
            if (sz == 0 || partial != 0 || ivSz != GCM_NONCE_MID_SZ) {
                DecrementGcmCounter(ctr); /* hardware requires +1, so subtract it */
                /* software tag: GHASH over AAD and ciphertext, XORed with
                 * the encrypted initial counter block */
                GHASH(aes, authIn, authInSz, out, sz, authTag, authTagSz);
                wc_AesEncrypt(aes, ctr, tag);
                xorbuf(authTag, tag, authTagSz);
            }
            else {
                /* hardware tag, truncated to the requested length */
                XMEMCPY(authTag, tag, authTagSz);
            }
        }
    }

    /* Free memory if not a multiple of AES_BLOCK_SZ */
    if (authInPadded != authIn) {
        XFREE(authInPadded, aes->heap, DYNAMIC_TYPE_TMP_BUFFER);
    }

    wolfSSL_CryptHwMutexUnLock();

    return ret;
}
wolfSSL 16:8e0d178b1d1e 6097
wolfSSL 16:8e0d178b1d1e 6098 #endif /* STM32_CRYPTO_AES_GCM */
wolfSSL 15:117db924cf7c 6099
wolfSSL 15:117db924cf7c 6100 #ifdef WOLFSSL_AESNI
wolfSSL 15:117db924cf7c 6101 int AES_GCM_encrypt_C(Aes* aes, byte* out, const byte* in, word32 sz,
wolfSSL 15:117db924cf7c 6102 const byte* iv, word32 ivSz,
wolfSSL 15:117db924cf7c 6103 byte* authTag, word32 authTagSz,
wolfSSL 15:117db924cf7c 6104 const byte* authIn, word32 authInSz);
wolfSSL 15:117db924cf7c 6105 #else
wolfSSL 15:117db924cf7c 6106 static
wolfSSL 15:117db924cf7c 6107 #endif
/* AES-GCM encrypt in C: counter-mode encryption of in into out, then the
 * authentication tag over authIn and the ciphertext.
 *
 * aes        context holding the key schedule and the GHASH key
 * out        ciphertext output, sz bytes
 * in         plaintext input, sz bytes
 * iv, ivSz   nonce; GCM_NONCE_MID_SZ bytes are used directly, any other
 *            length is hashed with GHASH to form the initial counter block
 * authTag    tag output, authTagSz bytes; when NULL no tag is computed and
 *            the ciphertext is unauthenticated
 * authIn, authInSz  additional authenticated data
 *
 * Returns 0, or the error of wc_Pic32AesCrypt in the PIC32MZ build.
 *
 * Nothing is validated here (aes, iv, ivSz, authTagSz, out, in); presumably
 * the public wrapper has done it - verify against the caller. The caller
 * must never repeat an IV under the same key.
 *
 * NOTE(review): counter, initialCounter and scratch hold counter blocks and
 * encrypted counter blocks and are left on the stack on return; nothing here
 * wipes them.
 */
int AES_GCM_encrypt_C(Aes* aes, byte* out, const byte* in, word32 sz,
                      const byte* iv, word32 ivSz,
                      byte* authTag, word32 authTagSz,
                      const byte* authIn, word32 authInSz)
{
    int ret = 0;
    word32 blocks = sz / AES_BLOCK_SIZE;
    word32 partial = sz % AES_BLOCK_SIZE;
    const byte* p = in;
    byte* c = out;
    byte counter[AES_BLOCK_SIZE];
    byte initialCounter[AES_BLOCK_SIZE];
    byte *ctr;
    byte scratch[AES_BLOCK_SIZE];
#ifdef OPENSSL_EXTRA
    word32 aadTemp;
#endif
    ctr = counter;
    XMEMSET(initialCounter, 0, AES_BLOCK_SIZE);
    XMEMSET(scratch, 0, AES_BLOCK_SIZE);
    if (ivSz == GCM_NONCE_MID_SZ) {
        /* 12-byte IV: IV followed by a 32-bit counter whose last byte is 1 */
        XMEMCPY(initialCounter, iv, ivSz);
        initialCounter[AES_BLOCK_SIZE - 1] = 1;
    }
    else {
    #ifdef OPENSSL_EXTRA
        /* GHASH reads aes->aadLen in the 64-bit build; hide the stored AAD
         * length while hashing the IV so it cannot change the counter */
        aadTemp = aes->aadLen;
        aes->aadLen = 0;
    #endif
        GHASH(aes, NULL, 0, iv, ivSz, initialCounter, AES_BLOCK_SIZE);
    #ifdef OPENSSL_EXTRA
        aes->aadLen = aadTemp;
    #endif
    }
    /* initialCounter is kept untouched for the tag; ctr is the running copy */
    XMEMCPY(ctr, initialCounter, AES_BLOCK_SIZE);

#ifdef WOLFSSL_PIC32MZ_CRYPT
    if (blocks) {
        /* use initial IV for HW, but don't use it below */
        XMEMCPY(aes->reg, ctr, AES_BLOCK_SIZE);

        ret = wc_Pic32AesCrypt(
            aes->key, aes->keylen, aes->reg, AES_BLOCK_SIZE,
            out, in, (blocks * AES_BLOCK_SIZE),
            PIC32_ENCRYPTION, PIC32_ALGO_AES, PIC32_CRYPTOALGO_AES_GCM);
        if (ret != 0)
            return ret;
    }
    /* process remainder using partial handling */
#endif

#if defined(HAVE_AES_ECB) && !defined(WOLFSSL_PIC32MZ_CRYPT)
    /* some hardware acceleration can gain performance from doing AES encryption
     * of the whole buffer at once */
    /* NOTE(review): c != p only detects in and out being the same pointer.
     * With buffers that overlap at different addresses the counter blocks
     * written to out below would overwrite plaintext before it is XORed in;
     * callers must pass identical or fully separate buffers. */
    if (c != p && blocks > 0) { /* can not handle inline encryption */
        /* fill out with the successive counter blocks */
        while (blocks--) {
            IncrementGcmCounter(ctr);
            XMEMCPY(c, ctr, AES_BLOCK_SIZE);
            c += AES_BLOCK_SIZE;
        }

        /* reset number of blocks and then do encryption */
        blocks = sz / AES_BLOCK_SIZE;
        /* the return value of wc_AesEcbEncrypt is not examined */
        wc_AesEcbEncrypt(aes, out, out, AES_BLOCK_SIZE * blocks);
        xorbuf(out, p, AES_BLOCK_SIZE * blocks);
        p += AES_BLOCK_SIZE * blocks;
    }
    else
#endif /* HAVE_AES_ECB && !WOLFSSL_PIC32MZ_CRYPT */

    /* block-at-a-time path; when the #if above is compiled in, this loop is
     * the body of its else and is skipped after the bulk path has run */
    while (blocks--) {
        IncrementGcmCounter(ctr);
    #if !defined(WOLFSSL_PIC32MZ_CRYPT)
        wc_AesEncrypt(aes, ctr, scratch);
        xorbuf(scratch, p, AES_BLOCK_SIZE);
        XMEMCPY(c, scratch, AES_BLOCK_SIZE);
    #endif
        /* in the PIC32MZ build only the counter and the pointers advance
         * here; the hardware call above produced these blocks */
        p += AES_BLOCK_SIZE;
        c += AES_BLOCK_SIZE;
    }

    if (partial != 0) {
        /* trailing bytes: one more keystream block, only partial bytes used */
        IncrementGcmCounter(ctr);
        wc_AesEncrypt(aes, ctr, scratch);
        xorbuf(scratch, p, partial);
        XMEMCPY(c, scratch, partial);
    }
    if (authTag) {
        /* tag = GHASH(AAD, ciphertext) XOR E(K, initial counter), cut to
         * authTagSz bytes */
        GHASH(aes, authIn, authInSz, out, sz, authTag, authTagSz);
        wc_AesEncrypt(aes, initialCounter, scratch);
        xorbuf(authTag, scratch, authTagSz);
    #ifdef OPENSSL_EXTRA
        if (!in && !sz)
            /* store AAD size for next call */
            /* NOTE(review): nothing in this function resets aadLen once a
             * message is complete; confirm where it is cleared. */
            aes->aadLen = authInSz;
    #endif
    }

    return ret;
}
wolfSSL 15:117db924cf7c 6208
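/* Software AES - GCM Encrypt
 *
 * Validates the arguments and hands the request to the first back end that
 * is compiled in and applicable: crypto callback, async hardware, STM32
 * peripheral, AES-NI/AVX routines, and finally AES_GCM_encrypt_C().
 *
 * aes               AES context holding the key; must not be NULL
 * out               receives sz bytes of ciphertext
 * in                sz bytes of plaintext
 * iv, ivSz          nonce; ivSz must be non-zero
 * authTag           receives authTagSz bytes of authentication tag
 * authTagSz         WOLFSSL_MIN_AUTH_TAG_SZ .. AES_BLOCK_SIZE
 * authIn, authInSz  additional authenticated data
 *
 * Returns 0 on success, BAD_FUNC_ARG when an argument is rejected, or the
 * value returned by the selected back end.
 *
 * NOTE(review): nothing in this function detects a repeated (key, iv) pair;
 * nonce uniqueness is left to the caller.
 * NOTE(review): unlike wc_AesGcmDecrypt(), iv, in, out and authTag are not
 * checked for NULL here - confirm each back end tolerates what it is given.
 */
int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
                     const byte* iv, word32 ivSz,
                     byte* authTag, word32 authTagSz,
                     const byte* authIn, word32 authInSz)
{
    /* argument checks */
    if (aes == NULL || authTagSz > AES_BLOCK_SIZE || ivSz == 0) {
        return BAD_FUNC_ARG;
    }

    /* refuse to emit a tag shorter than the configured minimum */
    if (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ) {
        WOLFSSL_MSG("GcmEncrypt authTagSz too small error");
        return BAD_FUNC_ARG;
    }

#ifdef WOLF_CRYPTO_CB
    if (aes->devId != INVALID_DEVID) {
        int ret = wc_CryptoCb_AesGcmEncrypt(aes, out, in, sz, iv, ivSz,
                                            authTag, authTagSz, authIn, authInSz);
        if (ret != CRYPTOCB_UNAVAILABLE)
            return ret;
        /* fall-through when unavailable */
    }
#endif

#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_AES)
    /* if async and byte count above threshold */
    /* only 12-byte IV is supported in HW */
    if (aes->asyncDev.marker == WOLFSSL_ASYNC_MARKER_AES &&
                    sz >= WC_ASYNC_THRESH_AES_GCM && ivSz == GCM_NONCE_MID_SZ) {
    #if defined(HAVE_CAVIUM)
        #ifdef HAVE_CAVIUM_V
        if (authInSz == 20) { /* Nitrox V GCM is only working with 20 byte AAD */
            return NitroxAesGcmEncrypt(aes, out, in, sz,
                                       (const byte*)aes->devKey, aes->keylen, iv, ivSz,
                                       authTag, authTagSz, authIn, authInSz);
        }
        #endif
    #elif defined(HAVE_INTEL_QA)
        return IntelQaSymAesGcmEncrypt(&aes->asyncDev, out, in, sz,
                                       (const byte*)aes->devKey, aes->keylen, iv, ivSz,
                                       authTag, authTagSz, authIn, authInSz);
    #else /* WOLFSSL_ASYNC_CRYPT_TEST */
        if (wc_AsyncTestInit(&aes->asyncDev, ASYNC_TEST_AES_GCM_ENCRYPT)) {
            WC_ASYNC_TEST* testDev = &aes->asyncDev.test;
            testDev->aes.aes = aes;
            testDev->aes.out = out;
            testDev->aes.in = in;
            testDev->aes.sz = sz;
            testDev->aes.iv = iv;
            testDev->aes.ivSz = ivSz;
            testDev->aes.authTag = authTag;
            testDev->aes.authTagSz = authTagSz;
            testDev->aes.authIn = authIn;
            testDev->aes.authInSz = authInSz;
            return WC_PENDING_E;
        }
    #endif
    }
#endif /* WOLFSSL_ASYNC_CRYPT */

#ifdef STM32_CRYPTO_AES_GCM
    /* The STM standard peripheral library APIs do not support partial blocks */
    #ifdef STD_PERI_LIB
    /* The remainder is computed in place: this function declares no local
     * named "partial", so the previous test on that name relied on a symbol
     * that is not defined in this scope. */
    if ((sz % AES_BLOCK_SIZE) == 0)
    #endif
    {
        return wc_AesGcmEncrypt_STM32(
            aes, out, in, sz, iv, ivSz,
            authTag, authTagSz, authIn, authInSz);
    }
#endif /* STM32_CRYPTO_AES_GCM */

#ifdef WOLFSSL_AESNI
    #ifdef HAVE_INTEL_AVX2
    if (IS_INTEL_AVX2(intel_flags)) {
        AES_GCM_encrypt_avx2(in, out, authIn, iv, authTag, sz, authInSz, ivSz,
                             authTagSz, (const byte*)aes->key, aes->rounds);
        return 0;
    }
    else
    #endif
    #ifdef HAVE_INTEL_AVX1
    if (IS_INTEL_AVX1(intel_flags)) {
        AES_GCM_encrypt_avx1(in, out, authIn, iv, authTag, sz, authInSz, ivSz,
                             authTagSz, (const byte*)aes->key, aes->rounds);
        return 0;
    }
    else
    #endif
    if (haveAESNI) {
        AES_GCM_encrypt(in, out, authIn, iv, authTag, sz, authInSz, ivSz,
                        authTagSz, (const byte*)aes->key, aes->rounds);
        return 0;
    }
    else
#endif
    {
        /* portable fallback */
        return AES_GCM_encrypt_C(aes, out, in, sz, iv, ivSz, authTag, authTagSz,
                                 authIn, authInSz);
    }
}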
wolfSSL 15:117db924cf7c 6312 #endif
wolfSSL 15:117db924cf7c 6313
wolfSSL 15:117db924cf7c 6314
wolfSSL 16:8e0d178b1d1e 6315
wolfSSL 16:8e0d178b1d1e 6316 /* AES GCM Decrypt */
wolfSSL 15:117db924cf7c 6317 #if defined(HAVE_AES_DECRYPT) || defined(HAVE_AESGCM_DECRYPT)
wolfSSL 15:117db924cf7c 6318 #ifdef FREESCALE_LTC_AES_GCM
/* AES-GCM decrypt and tag verification through the Freescale LTC peripheral.
 *
 * Returns 0 when LTC_AES_DecryptTagGcm() reports kStatus_Success,
 * BAD_FUNC_ARG for rejected arguments, the error from wc_AesGetKeySize(),
 * or AES_GCM_AUTH_E for every other LTC status.
 *
 * NOTE(review): every non-success LTC status is reported as AES_GCM_AUTH_E,
 * so a driver fault cannot be told apart from a tag mismatch by the caller.
 * NOTE(review): authTagSz is only required to be 1..AES_BLOCK_SIZE here,
 * while wc_AesGcmEncrypt() in this file also enforces
 * WOLFSSL_MIN_AUTH_TAG_SZ; callers that need a minimum tag length on
 * verification have to check it themselves.
 */
int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
                     const byte* iv, word32 ivSz,
                     const byte* authTag, word32 authTagSz,
                     const byte* authIn, word32 authInSz)
{
    word32   keyBytes;
    status_t ltcStatus;
    int      rc;

    /* argument checks: mandatory pointers first */
    if (aes == NULL || iv == NULL || authTag == NULL) {
        return BAD_FUNC_ARG;
    }
    /* sizes that can never be valid */
    if (ivSz == 0 || authTagSz == 0 || authTagSz > AES_BLOCK_SIZE) {
        return BAD_FUNC_ARG;
    }
    /* With sz == 0 (the GMAC case) in and out are don't cares; otherwise
     * both buffers must be supplied. */
    if (sz != 0 && (in == NULL || out == NULL)) {
        return BAD_FUNC_ARG;
    }

    rc = wc_AesGetKeySize(aes, &keyBytes);
    if (rc != 0) {
        return rc;
    }

    ltcStatus = LTC_AES_DecryptTagGcm(LTC_BASE, in, out, sz, iv, ivSz,
        authIn, authInSz, (byte*)aes->key, keyBytes, authTag, authTagSz);
    if (ltcStatus != kStatus_Success) {
        return AES_GCM_AUTH_E;
    }

    return 0;
}
wolfSSL 16:8e0d178b1d1e 6348
wolfSSL 16:8e0d178b1d1e 6349 #else
wolfSSL 16:8e0d178b1d1e 6350
wolfSSL 16:8e0d178b1d1e 6351 #ifdef STM32_CRYPTO_AES_GCM
/* AES-GCM decrypt using the STM32 crypto peripheral.
 * This function supports inline decrypt.
 *
 * Builds the initial counter block from iv, pads the AAD to a block multiple
 * when needed, runs the payload through whichever STM32 driver is compiled in
 * (CubeMX HAL variants or the Standard Peripheral Library) and finally
 * compares the computed tag with authTag using ConstantCompare().
 *
 * Returns 0 on success; AES_GCM_AUTH_E when the driver reports a failure or
 * the tag does not match; MEMORY_E when the padded AAD buffer cannot be
 * allocated; or the error from wc_AesGetKeySize(), wc_Stm32_Aes_Init() or
 * wolfSSL_CryptHwMutexLock().
 *
 * NOTE(review): the driver writes plaintext to `out` before the tag is
 * compared and nothing here clears it on AES_GCM_AUTH_E; callers must discard
 * `out` whenever the return value is non-zero.
 * NOTE(review): no argument validation happens in this function; the visible
 * caller, wc_AesGcmDecrypt(), performs it before dispatching here.
 */
static int wc_AesGcmDecrypt_STM32(Aes* aes, byte* out,
                                  const byte* in, word32 sz,
                                  const byte* iv, word32 ivSz,
                                  const byte* authTag, word32 authTagSz,
                                  const byte* authIn, word32 authInSz)
{
    int ret;
#ifdef WOLFSSL_STM32_CUBEMX
    CRYP_HandleTypeDef hcryp;
#else
    /* NOTE(review): holds a byte-reversed copy of the key on the stack and is
     * not cleared before return in the code shown here. */
    word32 keyCopy[AES_256_KEY_SIZE/sizeof(word32)];
#endif
    word32 keySize;
    int status = HAL_OK;
    word32 blocks = sz / AES_BLOCK_SIZE;   /* whole blocks in the payload */
    word32 partial = sz % AES_BLOCK_SIZE;  /* trailing bytes, 0..15 */
    byte tag[AES_BLOCK_SIZE];              /* tag computed over this message */
    byte partialBlock[AES_BLOCK_SIZE];     /* scratch for the trailing block */
    byte ctr[AES_BLOCK_SIZE];
    byte* authInPadded = NULL;
    /* NOTE(review): int, while authInSz is word32 - see the round-up below */
    int authPadSz;

    ret = wc_AesGetKeySize(aes, &keySize);
    if (ret != 0)
        return ret;

#ifdef WOLFSSL_STM32_CUBEMX
    ret = wc_Stm32_Aes_Init(aes, &hcryp);
    if (ret != 0)
        return ret;
#endif

    /* every exit path after this point must release the hardware mutex */
    ret = wolfSSL_CryptHwMutexLock();
    if (ret != 0) {
        return ret;
    }

    /* Initial counter block: iv || 0x00000001 for a 12-byte iv, otherwise
     * GHASH over the iv. */
    XMEMSET(ctr, 0, AES_BLOCK_SIZE);
    if (ivSz == GCM_NONCE_MID_SZ) {
        XMEMCPY(ctr, iv, ivSz);
        ctr[AES_BLOCK_SIZE - 1] = 1;
    }
    else {
        GHASH(aes, NULL, 0, iv, ivSz, ctr, AES_BLOCK_SIZE);
    }
    /* Hardware requires counter + 1 */
    IncrementGcmCounter(ctr);

    if (authInSz == 0 || (authInSz % AES_BLOCK_SIZE) != 0) {
        /* Need to pad the AAD to a full block with zeros. */
        /* NOTE(review): the round-up is done in 32-bit arithmetic and stored
         * in an int; for an authInSz close to the word32 maximum it could
         * wrap, leaving the allocation smaller than the XMEMCPY of authInSz
         * bytes below - confirm callers bound authInSz. */
        authPadSz = ((authInSz / AES_BLOCK_SIZE) + 1) * AES_BLOCK_SIZE;
        authInPadded = (byte*)XMALLOC(authPadSz, aes->heap,
            DYNAMIC_TYPE_TMP_BUFFER);
        if (authInPadded == NULL) {
            wolfSSL_CryptHwMutexUnLock();
            return MEMORY_E;
        }
        XMEMSET(authInPadded, 0, authPadSz);
        XMEMCPY(authInPadded, authIn, authInSz);
    } else {
        /* already block aligned: use the caller's buffer directly */
        authPadSz = authInSz;
        authInPadded = (byte*)authIn;
    }

#ifdef WOLFSSL_STM32_CUBEMX
    hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)ctr;
    hcryp.Init.Header = (STM_CRYPT_TYPE*)authInPadded;
    /* the real AAD length is passed, not the padded one */
    hcryp.Init.HeaderSize = authInSz;

#ifdef STM32_CRYPTO_AES_ONLY
    /* Set the CRYP parameters */
    hcryp.Init.ChainingMode  = CRYP_CHAINMODE_AES_GCM_GMAC;
    hcryp.Init.OperatingMode = CRYP_ALGOMODE_DECRYPT;
    hcryp.Init.GCMCMACPhase  = CRYP_INIT_PHASE;
    HAL_CRYP_Init(&hcryp);

    /* GCM init phase */
    status = HAL_CRYPEx_AES_Auth(&hcryp, NULL, 0, NULL, STM32_HAL_TIMEOUT);
    if (status == HAL_OK) {
        /* GCM header phase */
        hcryp.Init.GCMCMACPhase = CRYP_HEADER_PHASE;
        status = HAL_CRYPEx_AES_Auth(&hcryp, NULL, 0, NULL, STM32_HAL_TIMEOUT);
    }
    if (status == HAL_OK) {
        /* GCM payload phase - blocks */
        hcryp.Init.GCMCMACPhase = CRYP_PAYLOAD_PHASE;
        if (blocks) {
            status = HAL_CRYPEx_AES_Auth(&hcryp, (byte*)in,
                (blocks * AES_BLOCK_SIZE), out, STM32_HAL_TIMEOUT);
        }
    }
    if (status == HAL_OK && (partial != 0 || blocks == 0)) {
        /* GCM payload phase - partial remainder */
        /* the trailing bytes go through a zero-filled bounce buffer */
        XMEMSET(partialBlock, 0, sizeof(partialBlock));
        XMEMCPY(partialBlock, in + (blocks * AES_BLOCK_SIZE), partial);
        status = HAL_CRYPEx_AES_Auth(&hcryp, partialBlock, partial,
            partialBlock, STM32_HAL_TIMEOUT);
        XMEMCPY(out + (blocks * AES_BLOCK_SIZE), partialBlock, partial);
    }
    if (status == HAL_OK) {
        /* GCM final phase */
        hcryp.Init.GCMCMACPhase = CRYP_FINAL_PHASE;
        status = HAL_CRYPEx_AES_Auth(&hcryp, NULL, sz, tag, STM32_HAL_TIMEOUT);
    }
#elif defined(STM32_HAL_V2)
    hcryp.Init.Algorithm = CRYP_AES_GCM;
    /* partialBlock is reused here to hold the byte-reversed counter */
    ByteReverseWords((word32*)partialBlock, (word32*)ctr, AES_BLOCK_SIZE);
    hcryp.Init.pInitVect = (STM_CRYPT_TYPE*)partialBlock;
    HAL_CRYP_Init(&hcryp);

    /* GCM payload phase - can handle partial blocks */
    status = HAL_CRYP_Decrypt(&hcryp, (uint32_t*)in,
        (blocks * AES_BLOCK_SIZE) + partial, (uint32_t*)out, STM32_HAL_TIMEOUT);
    if (status == HAL_OK) {
        /* Compute the authTag */
        status = HAL_CRYPEx_AESGCM_GenerateAuthTAG(&hcryp, (uint32_t*)tag,
            STM32_HAL_TIMEOUT);
    }
#else
    HAL_CRYP_Init(&hcryp);
    if (blocks) {
        /* GCM payload phase - blocks */
        status = HAL_CRYPEx_AESGCM_Decrypt(&hcryp, (byte*)in,
            (blocks * AES_BLOCK_SIZE), out, STM32_HAL_TIMEOUT);
    }
    if (status == HAL_OK && (partial != 0 || blocks == 0)) {
        /* GCM payload phase - partial remainder */
        XMEMSET(partialBlock, 0, sizeof(partialBlock));
        XMEMCPY(partialBlock, in + (blocks * AES_BLOCK_SIZE), partial);
        status = HAL_CRYPEx_AESGCM_Decrypt(&hcryp, partialBlock, partial,
            partialBlock, STM32_HAL_TIMEOUT);
        XMEMCPY(out + (blocks * AES_BLOCK_SIZE), partialBlock, partial);
    }
    if (status == HAL_OK) {
        /* Compute the authTag */
        status = HAL_CRYPEx_AESGCM_Finish(&hcryp, sz, tag, STM32_HAL_TIMEOUT);
    }
#endif

    /* any driver failure is reported to the caller as an auth failure */
    if (status != HAL_OK)
        ret = AES_GCM_AUTH_E;

    HAL_CRYP_DeInit(&hcryp);

#else /* STD_PERI_LIB */
    ByteReverseWords(keyCopy, (word32*)aes->key, aes->keylen);

    /* Input size and auth size need to be the actual sizes, even though
     * they are not block aligned, because this length (in bits) is used
     * in the final GHASH. */
    status = CRYP_AES_GCM(MODE_DECRYPT, (uint8_t*)ctr,
                         (uint8_t*)keyCopy,      keySize * 8,
                         (uint8_t*)in,           sz,
                         (uint8_t*)authInPadded, authInSz,
                         (uint8_t*)out,          tag);
    if (status != SUCCESS)
        ret = AES_GCM_AUTH_E;
#endif /* WOLFSSL_STM32_CUBEMX */

    /* STM32 GCM hardware only supports IV of 12 bytes, so use software for auth */
    if (sz == 0 || ivSz != GCM_NONCE_MID_SZ) {
        DecrementGcmCounter(ctr); /* hardware requires +1, so subtract it */
        GHASH(aes, authIn, authInSz, in, sz, tag, sizeof(tag));
        wc_AesEncrypt(aes, ctr, partialBlock);
        xorbuf(tag, partialBlock, sizeof(tag));
    }

    /* Constant-time comparison of the first authTagSz bytes. ret is only ever
     * moved to AES_GCM_AUTH_E from here on, so an earlier driver failure
     * cannot be turned back into success by this check. */
    if (ConstantCompare(authTag, tag, authTagSz) != 0) {
        ret = AES_GCM_AUTH_E;
    }

    /* Free memory if not a multiple of AES_BLOCK_SZ */
    if (authInPadded != authIn) {
        XFREE(authInPadded, aes->heap, DYNAMIC_TYPE_TMP_BUFFER);
    }

    wolfSSL_CryptHwMutexUnLock();

    return ret;
}
wolfSSL 16:8e0d178b1d1e 6533
wolfSSL 16:8e0d178b1d1e 6534 #endif /* STM32_CRYPTO_AES_GCM */
wolfSSL 16:8e0d178b1d1e 6535
/* With WOLFSSL_AESNI the function below is declared here and has external
 * linkage; in every other build it is static to this file. */
#ifdef WOLFSSL_AESNI
int AES_GCM_decrypt_C(Aes* aes, byte* out, const byte* in, word32 sz,
                      const byte* iv, word32 ivSz,
                      const byte* authTag, word32 authTagSz,
                      const byte* authIn, word32 authInSz);
#else
static
#endif
/* Portable AES-GCM decrypt.
 *
 * Recomputes the tag over authIn and the ciphertext, compares it with
 * authTag using ConstantCompare(), and only after a match decrypts `in` into
 * `out` in counter mode. Nothing is written to `out` when the tag does not
 * match.
 *
 * Returns 0 on success, AES_GCM_AUTH_E on tag mismatch, or the error from
 * wc_Pic32AesCrypt() in WOLFSSL_PIC32MZ_CRYPT builds.
 *
 * NOTE(review): arguments are not validated here; the visible caller,
 * wc_AesGcmDecrypt(), checks them before dispatching.
 * NOTE(review): the return values of wc_AesEncrypt() and wc_AesEcbEncrypt()
 * are discarded throughout this function.
 * NOTE(review): scratch, EKY0, Tprime and the counter blocks are left on the
 * stack without being cleared.
 */
int AES_GCM_decrypt_C(Aes* aes, byte* out, const byte* in, word32 sz,
                      const byte* iv, word32 ivSz,
                      const byte* authTag, word32 authTagSz,
                      const byte* authIn, word32 authInSz)
{
    int ret = 0;
    word32 blocks = sz / AES_BLOCK_SIZE;   /* whole blocks in the payload */
    word32 partial = sz % AES_BLOCK_SIZE;  /* trailing bytes, 0..15 */
    const byte* c = in;                    /* ciphertext read cursor */
    byte* p = out;                         /* plaintext write cursor */
    byte counter[AES_BLOCK_SIZE];
    byte initialCounter[AES_BLOCK_SIZE];
    byte *ctr;
    byte scratch[AES_BLOCK_SIZE];          /* one block of keystream/output */
    byte Tprime[AES_BLOCK_SIZE];           /* tag recomputed from the input */
    byte EKY0[AES_BLOCK_SIZE];             /* encryption of the initial counter */
#ifdef OPENSSL_EXTRA
    word32 aadTemp;
#endif
    ctr = counter;
    /* Initial counter block: iv || 0x00000001 for a 12-byte iv, otherwise
     * GHASH over the iv. */
    XMEMSET(initialCounter, 0, AES_BLOCK_SIZE);
    if (ivSz == GCM_NONCE_MID_SZ) {
        XMEMCPY(initialCounter, iv, ivSz);
        initialCounter[AES_BLOCK_SIZE - 1] = 1;
    }
    else {
#ifdef OPENSSL_EXTRA
        /* aadLen is saved, zeroed around the GHASH call and then restored */
        aadTemp = aes->aadLen;
        aes->aadLen = 0;
#endif
        GHASH(aes, NULL, 0, iv, ivSz, initialCounter, AES_BLOCK_SIZE);
#ifdef OPENSSL_EXTRA
        aes->aadLen = aadTemp;
#endif
    }
    XMEMCPY(ctr, initialCounter, AES_BLOCK_SIZE);

    /* Calc the authTag again using the received auth data and the cipher text */
    GHASH(aes, authIn, authInSz, in, sz, Tprime, sizeof(Tprime));
    wc_AesEncrypt(aes, ctr, EKY0);
    xorbuf(Tprime, EKY0, sizeof(Tprime));

#ifdef OPENSSL_EXTRA
    if (!out) {
        /* authenticated, non-confidential data */
        /* store AAD size for next call */
        aes->aadLen = authInSz;
    }
#endif
    /* Verify before decrypting: only the first authTagSz bytes are compared,
     * so the strength of this check is bounded by the tag length the caller
     * passes in. */
    if (ConstantCompare(authTag, Tprime, authTagSz) != 0) {
        return AES_GCM_AUTH_E;
    }

#if defined(WOLFSSL_PIC32MZ_CRYPT)
    if (blocks) {
        /* use initial IV for HW, but don't use it below */
        XMEMCPY(aes->reg, ctr, AES_BLOCK_SIZE);

        ret = wc_Pic32AesCrypt(
            aes->key, aes->keylen, aes->reg, AES_BLOCK_SIZE,
            out, in, (blocks * AES_BLOCK_SIZE),
            PIC32_DECRYPTION, PIC32_ALGO_AES, PIC32_CRYPTOALGO_AES_GCM);
        if (ret != 0)
            return ret;
    }
    /* process remainder using partial handling */
#endif

#if defined(HAVE_AES_ECB) && !defined(WOLFSSL_PIC32MZ_CRYPT)
    /* some hardware acceleration can gain performance from doing AES encryption
     * of the whole buffer at once */
    /* NOTE(review): c != p only detects in and out being the same pointer;
     * partially overlapping buffers are not detected here. */
    if (c != p && blocks > 0) { /* can not handle inline decryption */
        /* fill out with the successive counter blocks */
        while (blocks--) {
            IncrementGcmCounter(ctr);
            XMEMCPY(p, ctr, AES_BLOCK_SIZE);
            p += AES_BLOCK_SIZE;
        }

        /* reset number of blocks and then do encryption */
        blocks = sz / AES_BLOCK_SIZE;

        /* encrypt the counters in place to get the keystream, then XOR the
         * ciphertext into it */
        wc_AesEcbEncrypt(aes, out, out, AES_BLOCK_SIZE * blocks);
        xorbuf(out, c, AES_BLOCK_SIZE * blocks);
        c += AES_BLOCK_SIZE * blocks;
    }
    else
#endif /* HAVE_AES_ECB && !PIC32MZ */
    /* block-at-a-time path; also the body of the "else" above when the ECB
     * path is compiled in */
    while (blocks--) {
        IncrementGcmCounter(ctr);
    #if !defined(WOLFSSL_PIC32MZ_CRYPT)
        wc_AesEncrypt(aes, ctr, scratch);
        xorbuf(scratch, c, AES_BLOCK_SIZE);
        XMEMCPY(p, scratch, AES_BLOCK_SIZE);
    #endif
        /* in PIC32MZ builds only the counter and the cursors advance here */
        p += AES_BLOCK_SIZE;
        c += AES_BLOCK_SIZE;
    }

    if (partial != 0) {
        /* trailing bytes: use only `partial` bytes of the next keystream block */
        IncrementGcmCounter(ctr);
        wc_AesEncrypt(aes, ctr, scratch);
        xorbuf(scratch, c, partial);
        XMEMCPY(p, scratch, partial);
    }

    return ret;
}
wolfSSL 15:117db924cf7c 6651
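/* Software AES - GCM Decrypt
 *
 * Validates the arguments and hands the request to the first back end that
 * is compiled in and applicable: crypto callback, async hardware, STM32
 * peripheral, AES-NI/AVX routines, and finally AES_GCM_decrypt_C().
 *
 * aes               AES context holding the key; must not be NULL
 * out               receives sz bytes of plaintext; may be NULL when sz == 0
 * in                sz bytes of ciphertext; may be NULL when sz == 0
 * iv, ivSz          nonce; iv must not be NULL and ivSz must be non-zero
 * authTag           tag to verify; must not be NULL
 * authTagSz         1 .. AES_BLOCK_SIZE
 * authIn, authInSz  additional authenticated data
 *
 * Returns 0 when the tag verifies, AES_GCM_AUTH_E when it does not,
 * BAD_FUNC_ARG when an argument is rejected, or the value returned by the
 * selected back end.
 *
 * NOTE(review): wc_AesGcmEncrypt() in this file rejects tags shorter than
 * WOLFSSL_MIN_AUTH_TAG_SZ, but no such lower bound is applied here, so a
 * caller can ask for verification of a tag as short as one byte. Callers
 * that take authTagSz from a peer should enforce their own minimum.
 * NOTE(review): treat `out` as invalid whenever the return value is
 * non-zero; whether a back end writes to it before verifying is not
 * guaranteed by this function.
 */
int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
                     const byte* iv, word32 ivSz,
                     const byte* authTag, word32 authTagSz,
                     const byte* authIn, word32 authInSz)
{
#ifdef WOLFSSL_AESNI
    /* written by the AES_GCM_decrypt* routines; 0 is treated as mismatch */
    int res = AES_GCM_AUTH_E;
#endif

    /* argument checks */
    /* If the sz is non-zero, both in and out must be set. If sz is 0,
     * in and out are don't cares, as this is the GMAC case. */
    if (aes == NULL || iv == NULL || (sz != 0 && (in == NULL || out == NULL)) ||
        authTag == NULL || authTagSz > AES_BLOCK_SIZE || authTagSz == 0 ||
        ivSz == 0) {

        return BAD_FUNC_ARG;
    }

#ifdef WOLF_CRYPTO_CB
    if (aes->devId != INVALID_DEVID) {
        int ret = wc_CryptoCb_AesGcmDecrypt(aes, out, in, sz, iv, ivSz,
                                            authTag, authTagSz, authIn, authInSz);
        if (ret != CRYPTOCB_UNAVAILABLE)
            return ret;
        /* fall-through when unavailable */
    }
#endif

#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_AES)
    /* if async and byte count above threshold */
    /* only 12-byte IV is supported in HW */
    if (aes->asyncDev.marker == WOLFSSL_ASYNC_MARKER_AES &&
                    sz >= WC_ASYNC_THRESH_AES_GCM && ivSz == GCM_NONCE_MID_SZ) {
    #if defined(HAVE_CAVIUM)
        #ifdef HAVE_CAVIUM_V
        if (authInSz == 20) { /* Nitrox V GCM is only working with 20 byte AAD */
            return NitroxAesGcmDecrypt(aes, out, in, sz,
                                       (const byte*)aes->devKey, aes->keylen, iv, ivSz,
                                       authTag, authTagSz, authIn, authInSz);
        }
        #endif
    #elif defined(HAVE_INTEL_QA)
        return IntelQaSymAesGcmDecrypt(&aes->asyncDev, out, in, sz,
                                       (const byte*)aes->devKey, aes->keylen, iv, ivSz,
                                       authTag, authTagSz, authIn, authInSz);
    #else /* WOLFSSL_ASYNC_CRYPT_TEST */
        if (wc_AsyncTestInit(&aes->asyncDev, ASYNC_TEST_AES_GCM_DECRYPT)) {
            WC_ASYNC_TEST* testDev = &aes->asyncDev.test;
            testDev->aes.aes = aes;
            testDev->aes.out = out;
            testDev->aes.in = in;
            testDev->aes.sz = sz;
            testDev->aes.iv = iv;
            testDev->aes.ivSz = ivSz;
            testDev->aes.authTag = (byte*)authTag;
            testDev->aes.authTagSz = authTagSz;
            testDev->aes.authIn = authIn;
            testDev->aes.authInSz = authInSz;
            return WC_PENDING_E;
        }
    #endif
    }
#endif /* WOLFSSL_ASYNC_CRYPT */

#ifdef STM32_CRYPTO_AES_GCM
    /* The STM standard peripheral library APIs do not support partial blocks */
    #ifdef STD_PERI_LIB
    /* The remainder is computed in place: this function declares no local
     * named "partial", so the previous test on that name relied on a symbol
     * that is not defined in this scope. */
    if ((sz % AES_BLOCK_SIZE) == 0)
    #endif
    {
        return wc_AesGcmDecrypt_STM32(
            aes, out, in, sz, iv, ivSz,
            authTag, authTagSz, authIn, authInSz);
    }
#endif /* STM32_CRYPTO_AES_GCM */

#ifdef WOLFSSL_AESNI
    #ifdef HAVE_INTEL_AVX2
    if (IS_INTEL_AVX2(intel_flags)) {
        AES_GCM_decrypt_avx2(in, out, authIn, iv, authTag, sz, authInSz, ivSz,
                             authTagSz, (byte*)aes->key, aes->rounds, &res);
        if (res == 0)
            return AES_GCM_AUTH_E;
        return 0;
    }
    else
    #endif
    #ifdef HAVE_INTEL_AVX1
    if (IS_INTEL_AVX1(intel_flags)) {
        AES_GCM_decrypt_avx1(in, out, authIn, iv, authTag, sz, authInSz, ivSz,
                             authTagSz, (byte*)aes->key, aes->rounds, &res);
        if (res == 0)
            return AES_GCM_AUTH_E;
        return 0;
    }
    else
    #endif
    if (haveAESNI) {
        AES_GCM_decrypt(in, out, authIn, iv, authTag, sz, authInSz, ivSz,
                        authTagSz, (byte*)aes->key, aes->rounds, &res);
        if (res == 0)
            return AES_GCM_AUTH_E;
        return 0;
    }
    else
#endif
    {
        /* portable fallback */
        return AES_GCM_decrypt_C(aes, out, in, sz, iv, ivSz, authTag, authTagSz,
                                 authIn, authInSz);
    }
}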
wolfSSL 15:117db924cf7c 6765 #endif
wolfSSL 15:117db924cf7c 6766 #endif /* HAVE_AES_DECRYPT || HAVE_AESGCM_DECRYPT */
wolfSSL 16:8e0d178b1d1e 6767 #endif /* WOLFSSL_XILINX_CRYPT */
wolfSSL 15:117db924cf7c 6768 #endif /* end of block for AESGCM implementation selection */
wolfSSL 15:117db924cf7c 6769
wolfSSL 15:117db924cf7c 6770
wolfSSL 15:117db924cf7c 6771 /* Common to all, abstract functions that build off of lower level AESGCM
wolfSSL 15:117db924cf7c 6772 * functions */
wolfSSL 15:117db924cf7c 6773 #ifndef WC_NO_RNG
wolfSSL 15:117db924cf7c 6774
/* Install a caller-supplied GCM nonce in the Aes object.
 *
 * aes   AES-GCM context; the nonce is copied into aes->reg.
 * iv    nonce bytes to store.
 * ivSz  nonce length; must equal GCM_NONCE_MIN_SZ, GCM_NONCE_MID_SZ or
 *       GCM_NONCE_MAX_SZ.
 *
 * Returns 0 on success, BAD_FUNC_ARG for a NULL pointer or any other length.
 *
 * The nonce comes from outside this module, so keeping it unique for the key
 * is the caller's job. This function only stores it and re-arms the
 * invocation counter.
 */
int wc_AesGcmSetExtIV(Aes* aes, const byte* iv, word32 ivSz)
{
    if (aes == NULL || iv == NULL) {
        return BAD_FUNC_ARG;
    }
    if (ivSz != GCM_NONCE_MIN_SZ && ivSz != GCM_NONCE_MID_SZ &&
        ivSz != GCM_NONCE_MAX_SZ) {
        return BAD_FUNC_ARG;
    }

    XMEMCPY((byte*)aes->reg, iv, ivSz);
    aes->nonceSz = ivSz;

    /* SP 800-38D 8.3: a 96-bit IV may use the full 2^64 invocation budget.
     * Every other nonce size is limited to 2^32 invocations, so the high
     * word starts at its maximum and wraps after the low word's first
     * wrap. */
    aes->invokeCtr[0] = 0;
    if (ivSz == GCM_NONCE_MID_SZ) {
        aes->invokeCtr[1] = 0;
    }
    else {
        aes->invokeCtr[1] = 0xFFFFFFFF;
    }

    return 0;
}
wolfSSL 15:117db924cf7c 6799
wolfSSL 15:117db924cf7c 6800
/* Build a GCM nonce in aes->reg from an optional fixed prefix plus random
 * bytes.
 *
 * aes        AES-GCM context that receives the nonce.
 * ivSz       total nonce length; GCM_NONCE_MIN_SZ, GCM_NONCE_MID_SZ or
 *            GCM_NONCE_MAX_SZ.
 * ivFixed    optional fixed field placed at the start of the nonce, or NULL.
 * ivFixedSz  0 when ivFixed is NULL, otherwise exactly AES_IV_FIXED_SZ.
 * rng        random source for the remaining ivSz - ivFixedSz bytes.
 *
 * Returns 0 on success, BAD_FUNC_ARG on invalid arguments, or the error from
 * wc_RNG_GenerateBlock. The invocation counter and nonceSz are only updated
 * when the random fill succeeds.
 */
int wc_AesGcmSetIV(Aes* aes, word32 ivSz,
                   const byte* ivFixed, word32 ivFixedSz,
                   WC_RNG* rng)
{
    int   ret;
    byte* nonce;

    if (aes == NULL || rng == NULL) {
        return BAD_FUNC_ARG;
    }
    if (ivSz != GCM_NONCE_MIN_SZ && ivSz != GCM_NONCE_MID_SZ &&
        ivSz != GCM_NONCE_MAX_SZ) {
        return BAD_FUNC_ARG;
    }
    /* The fixed field is either absent (NULL, 0) or exactly
     * AES_IV_FIXED_SZ bytes. */
    if (ivFixed == NULL) {
        if (ivFixedSz != 0) {
            return BAD_FUNC_ARG;
        }
    }
    else if (ivFixedSz != AES_IV_FIXED_SZ) {
        return BAD_FUNC_ARG;
    }

    nonce = (byte*)aes->reg;
    if (ivFixedSz != 0) {
        XMEMCPY(nonce, ivFixed, ivFixedSz);
    }

    /* Everything after the fixed field comes from the RNG. */
    ret = wc_RNG_GenerateBlock(rng, nonce + ivFixedSz, ivSz - ivFixedSz);
    if (ret != 0) {
        return ret;
    }

    /* SP 800-38D 8.3: 2^64 invocations for a 96-bit IV, 2^32 for any other
     * nonce size. */
    aes->invokeCtr[0] = 0;
    aes->invokeCtr[1] = (ivSz == GCM_NONCE_MID_SZ) ? 0 : 0xFFFFFFFF;
    aes->nonceSz = ivSz;

    return 0;
}
wolfSSL 15:117db924cf7c 6836
wolfSSL 15:117db924cf7c 6837
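/* AES-GCM encrypt using the nonce held in the Aes object.
 *
 * aes        context whose nonce was set with wc_AesGcmSetIV or
 *            wc_AesGcmSetExtIV.
 * out, in    ciphertext and plaintext buffers; both may be NULL when sz is 0.
 * sz         number of plaintext bytes.
 * ivOut      receives the nonce used for this message.
 * ivOutSz    must equal aes->nonceSz.
 * authTag    receives the tag, authTagSz bytes.
 * authIn     additional authenticated data, or NULL when authInSz is 0.
 *
 * Returns 0 on success, BAD_FUNC_ARG on invalid arguments,
 * AES_GCM_OVERFLOW_E once the invocation budget for this nonce setup is
 * used up, or the error from wc_AesGcmEncrypt.
 *
 * After a successful encryption the stored nonce is advanced with IncCtr so
 * the next call does not reuse it.
 */
int wc_AesGcmEncrypt_ex(Aes* aes, byte* out, const byte* in, word32 sz,
                        byte* ivOut, word32 ivOutSz,
                        byte* authTag, word32 authTagSz,
                        const byte* authIn, word32 authInSz)
{
    int ret = 0;

    if (aes == NULL || (sz != 0 && (in == NULL || out == NULL)) ||
        ivOut == NULL || ivOutSz != aes->nonceSz ||
        (authIn == NULL && authInSz != 0)) {

        ret = BAD_FUNC_ARG;
    }

    if (ret == 0) {
        /* 64-bit invocation counter kept as two 32-bit words. */
        aes->invokeCtr[0]++;
        if (aes->invokeCtr[0] == 0) {
            aes->invokeCtr[1]++;
            if (aes->invokeCtr[1] == 0) {
                /* Budget exhausted. The wrap leaves both words at zero, so
                 * without intervention the next call would succeed again.
                 * Pin the counter at its maximum so every later call also
                 * fails until the nonce is set afresh. */
                aes->invokeCtr[0] = 0xFFFFFFFF;
                aes->invokeCtr[1] = 0xFFFFFFFF;
                ret = AES_GCM_OVERFLOW_E;
            }
        }
    }

    if (ret == 0) {
        /* Hand the nonce back before it is advanced. */
        XMEMCPY(ivOut, aes->reg, ivOutSz);
        ret = wc_AesGcmEncrypt(aes, out, in, sz,
                               (byte*)aes->reg, ivOutSz,
                               authTag, authTagSz,
                               authIn, authInSz);
        if (ret == 0)
            IncCtr((byte*)aes->reg, ivOutSz);
    }

    return ret;
}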
wolfSSL 15:117db924cf7c 6873
/* One-shot GMAC: compute an authentication tag over authIn with a freshly
 * generated nonce.
 *
 * key, keySz      AES key.
 * iv, ivSz        output buffer for the nonce; it is generated from rng by
 *                 wc_AesGcmSetIV and copied out by wc_AesGcmEncrypt_ex.
 * authIn          data to authenticate, or NULL when authInSz is 0.
 * authTag         receives the tag; authTagSz must be non-zero.
 * rng             random source for the nonce.
 *
 * Returns 0 on success, BAD_FUNC_ARG on invalid arguments, or the first
 * error from the underlying calls. The temporary Aes object is wiped before
 * returning on every path that reaches wc_AesInit.
 */
int wc_Gmac(const byte* key, word32 keySz, byte* iv, word32 ivSz,
            const byte* authIn, word32 authInSz,
            byte* authTag, word32 authTagSz, WC_RNG* rng)
{
    Aes gcm;
    int rc;

    if (key == NULL || iv == NULL || authTag == NULL || rng == NULL ||
        authTagSz == 0 || (authIn == NULL && authInSz != 0)) {
        return BAD_FUNC_ARG;
    }

    rc = wc_AesInit(&gcm, NULL, INVALID_DEVID);
    if (rc == 0) {
        rc = wc_AesGcmSetKey(&gcm, key, keySz);
        if (rc == 0) {
            rc = wc_AesGcmSetIV(&gcm, ivSz, NULL, 0, rng);
        }
        if (rc == 0) {
            /* No plaintext: only the tag over authIn is produced. */
            rc = wc_AesGcmEncrypt_ex(&gcm, NULL, NULL, 0, iv, ivSz,
                                     authTag, authTagSz, authIn, authInSz);
        }
        wc_AesFree(&gcm);
    }

    /* The context held the expanded key; clear the stack copy. */
    ForceZero(&gcm, sizeof(gcm));

    return rc;
}
wolfSSL 15:117db924cf7c 6901
/* One-shot GMAC verification of authTag over authIn.
 *
 * key, keySz      AES key.
 * iv, ivSz        nonce that was used when the tag was generated.
 * authIn          authenticated data, or NULL when authInSz is 0.
 * authTag         tag to check; authTagSz must be 1..AES_BLOCK_SIZE.
 *
 * Returns 0 when the tag verifies, BAD_FUNC_ARG on invalid arguments, the
 * error from the underlying calls otherwise, or NOT_COMPILED_IN when the
 * library is built with NO_AES_DECRYPT.
 *
 * Any tag length from one byte upwards passes the argument check. Callers
 * should enforce the tag length their protocol mandates, because a short
 * tag lowers forgery resistance.
 */
int wc_GmacVerify(const byte* key, word32 keySz,
                  const byte* iv, word32 ivSz,
                  const byte* authIn, word32 authInSz,
                  const byte* authTag, word32 authTagSz)
{
    int rc;
#ifndef NO_AES_DECRYPT
    Aes gcm;

    if (key == NULL || iv == NULL || authTag == NULL ||
        (authIn == NULL && authInSz != 0) ||
        authTagSz == 0 || authTagSz > AES_BLOCK_SIZE) {
        return BAD_FUNC_ARG;
    }

    rc = wc_AesInit(&gcm, NULL, INVALID_DEVID);
    if (rc == 0) {
        rc = wc_AesGcmSetKey(&gcm, key, keySz);
        if (rc == 0) {
            /* Zero-length ciphertext: the call only checks the tag. */
            rc = wc_AesGcmDecrypt(&gcm, NULL, NULL, 0, iv, ivSz,
                                  authTag, authTagSz, authIn, authInSz);
        }
        wc_AesFree(&gcm);
    }

    /* The context held the expanded key; clear the stack copy. */
    ForceZero(&gcm, sizeof(gcm));
#else
    /* Decrypt support is compiled out, so verification is unavailable. */
    (void)key;
    (void)keySz;
    (void)iv;
    (void)ivSz;
    (void)authIn;
    (void)authInSz;
    (void)authTag;
    (void)authTagSz;
    rc = NOT_COMPILED_IN;
#endif
    return rc;
}
wolfSSL 15:117db924cf7c 6939
wolfSSL 15:117db924cf7c 6940 #endif /* WC_NO_RNG */
wolfSSL 15:117db924cf7c 6941
wolfSSL 15:117db924cf7c 6942
/* Set the AES key used by a Gmac object.
 *
 * Returns BAD_FUNC_ARG when gmac or key is NULL, otherwise the result of
 * wc_AesGcmSetKey on the embedded Aes context.
 */
WOLFSSL_API int wc_GmacSetKey(Gmac* gmac, const byte* key, word32 len)
{
    if (gmac != NULL && key != NULL) {
        return wc_AesGcmSetKey(&gmac->aes, key, len);
    }

    return BAD_FUNC_ARG;
}
wolfSSL 15:117db924cf7c 6950
wolfSSL 15:117db924cf7c 6951
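/* Compute a GMAC tag over authIn with the key held in gmac.
 *
 * gmac            Gmac object keyed with wc_GmacSetKey.
 * iv, ivSz        nonce for this tag; the caller supplies it and must not
 *                 repeat it under the same key.
 * authIn          data to authenticate.
 * authTag         receives the tag, authTagSz bytes.
 *
 * Returns BAD_FUNC_ARG when gmac is NULL, otherwise the result of
 * wc_AesGcmEncrypt called with no plaintext.
 */
WOLFSSL_API int wc_GmacUpdate(Gmac* gmac, const byte* iv, word32 ivSz,
                              const byte* authIn, word32 authInSz,
                              byte* authTag, word32 authTagSz)
{
    /* Reject NULL before forming &gmac->aes, as wc_GmacSetKey does. */
    if (gmac == NULL) {
        return BAD_FUNC_ARG;
    }

    return wc_AesGcmEncrypt(&gmac->aes, NULL, NULL, 0, iv, ivSz,
                            authTag, authTagSz, authIn, authInSz);
}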
wolfSSL 15:117db924cf7c 6959
wolfSSL 15:117db924cf7c 6960 #endif /* HAVE_AESGCM */
wolfSSL 15:117db924cf7c 6961
wolfSSL 15:117db924cf7c 6962
wolfSSL 15:117db924cf7c 6963 #ifdef HAVE_AESCCM
wolfSSL 15:117db924cf7c 6964
/* Set the AES key for CCM mode.
 *
 * keySz must be 16, 24 or 32 bytes; any other value yields BAD_FUNC_ARG.
 * The key schedule is always set up for encryption, with no IV. Otherwise
 * the result of wc_AesSetKey is returned.
 */
int wc_AesCcmSetKey(Aes* aes, const byte* key, word32 keySz)
{
    switch (keySz) {
        case 16:
        case 24:
        case 32:
            return wc_AesSetKey(aes, key, keySz, NULL, AES_ENCRYPTION);
        default:
            return BAD_FUNC_ARG;
    }
}
wolfSSL 15:117db924cf7c 6972
wolfSSL 15:117db924cf7c 6973 #ifdef WOLFSSL_ARMASM
wolfSSL 15:117db924cf7c 6974 /* implementation located in wolfcrypt/src/port/arm/armv8-aes.c */
wolfSSL 15:117db924cf7c 6975
wolfSSL 15:117db924cf7c 6976 #elif defined(HAVE_COLDFIRE_SEC)
wolfSSL 15:117db924cf7c 6977 #error "Coldfire SEC doesn't currently support AES-CCM mode"
wolfSSL 15:117db924cf7c 6978
wolfSSL 15:117db924cf7c 6979 #elif defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_AES)
wolfSSL 15:117db924cf7c 6980 /* implemented in wolfcrypt/src/port/caam_aes.c */
wolfSSL 15:117db924cf7c 6981
wolfSSL 15:117db924cf7c 6982 #elif defined(FREESCALE_LTC)
wolfSSL 15:117db924cf7c 6983
/* AES-CCM encrypt through the Freescale LTC driver.
 *
 * Returns 0 on success, BAD_FUNC_ARG for invalid arguments or when the
 * driver reports anything other than kStatus_Success, or the error from
 * wc_AesGetKeySize.
 *
 * NOTE(review): authTagSz is passed to the driver without a range check
 * here; presumably LTC_AES_EncryptTagCcm validates it - confirm.
 */
int wc_AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
                     const byte* nonce, word32 nonceSz,
                     byte* authTag, word32 authTagSz,
                     const byte* authIn, word32 authInSz)
{
    uint32_t keyLen;
    status_t rc;

    /* sanity check on arguments */
    if (aes == NULL || out == NULL || in == NULL || nonce == NULL ||
        authTag == NULL) {
        return BAD_FUNC_ARG;
    }
    if (nonceSz < 7 || nonceSz > 13) {
        return BAD_FUNC_ARG;
    }

    rc = wc_AesGetKeySize(aes, &keyLen);
    if (rc != 0) {
        return rc;
    }

    rc = LTC_AES_EncryptTagCcm(LTC_BASE, in, out, inSz,
                               nonce, nonceSz, authIn, authInSz,
                               (byte*)aes->key, keyLen, authTag, authTagSz);
    if (rc != kStatus_Success) {
        return BAD_FUNC_ARG;
    }

    return 0;
}
wolfSSL 15:117db924cf7c 7011
wolfSSL 15:117db924cf7c 7012 #ifdef HAVE_AES_DECRYPT
/* AES-CCM decrypt and tag check through the Freescale LTC driver.
 *
 * Returns 0 on success, BAD_FUNC_ARG for invalid arguments, the error from
 * wc_AesGetKeySize, or AES_CCM_AUTH_E when the driver reports anything
 * other than kStatus_Success. On that failure the output buffer is cleared
 * so unauthenticated plaintext is not left for the caller.
 *
 * NOTE(review): authTagSz is passed to the driver without a range check
 * here; presumably LTC_AES_DecryptTagCcm validates it - confirm.
 */
int wc_AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
                     const byte* nonce, word32 nonceSz,
                     const byte* authTag, word32 authTagSz,
                     const byte* authIn, word32 authInSz)
{
    uint32_t keyLen;
    status_t rc;

    /* sanity check on arguments */
    if (aes == NULL || out == NULL || in == NULL || nonce == NULL ||
        authTag == NULL) {
        return BAD_FUNC_ARG;
    }
    if (nonceSz < 7 || nonceSz > 13) {
        return BAD_FUNC_ARG;
    }

    rc = wc_AesGetKeySize(aes, &keyLen);
    if (rc != 0) {
        return rc;
    }

    rc = LTC_AES_DecryptTagCcm(LTC_BASE, in, out, inSz,
                               nonce, nonceSz, authIn, authInSz,
                               (byte*)aes->key, keyLen, authTag, authTagSz);
    if (rc != kStatus_Success) {
        /* Do not hand back data that failed authentication. */
        XMEMSET(out, 0, inSz);
        return AES_CCM_AUTH_E;
    }

    return 0;
}
wolfSSL 15:117db924cf7c 7045 #endif /* HAVE_AES_DECRYPT */
wolfSSL 15:117db924cf7c 7046
wolfSSL 15:117db924cf7c 7047 #else
wolfSSL 15:117db924cf7c 7048
wolfSSL 16:8e0d178b1d1e 7049 /* Software CCM */
/* CBC-MAC step for CCM: fold inSz bytes of `in` into the running block
 * `out`.
 *
 * Each full AES block is XORed into out and out is then encrypted in place.
 * A trailing partial block is XORed over the start of out and encrypted the
 * same way, which leaves the rest of out as it was (an implicit zero pad of
 * the input).
 */
static void roll_x(Aes* aes, const byte* in, word32 inSz, byte* out)
{
    const byte* src  = in;
    word32      left = inSz;

    /* whole blocks */
    for (; left >= AES_BLOCK_SIZE;
           left -= AES_BLOCK_SIZE, src += AES_BLOCK_SIZE) {
        xorbuf(out, src, AES_BLOCK_SIZE);
        wc_AesEncrypt(aes, out, out);
    }

    /* trailing partial block, if any */
    if (left != 0) {
        xorbuf(out, src, left);
        wc_AesEncrypt(aes, out, out);
    }
}
wolfSSL 15:117db924cf7c 7067
/* Fold the additional authenticated data into the CCM MAC state `out`.
 *
 * The data is prefixed with its encoded length: two bytes for sizes up to
 * 0xFEFF, otherwise the marker 0xFF 0xFE followed by a 32-bit big-endian
 * length. The prefix and the first bytes of `in` share the first block; the
 * rest is handed to roll_x.
 */
static void roll_auth(Aes* aes, const byte* in, word32 inSz, byte* out)
{
    word32 hdrSz;   /* bytes taken by the encoded length */
    word32 room;    /* space left in the first block after the length */
    word32 take;    /* input bytes that go into the first block */

    /* The protocol allows auth data up to 2^64, but sizes here are 32-bit,
     * so the 10-byte length encoding is not implemented. */
    if (inSz > 0xFFFFFFFF) {
        return;
    }

    /* encode the length in */
    if (inSz <= 0xFEFF) {
        hdrSz = 2;
        out[0] ^= ((inSz >> 8) & 0xFF);
        out[1] ^= (inSz & 0xFF);
    }
    else {
        hdrSz = 6;
        out[0] ^= 0xFF;
        out[1] ^= 0xFE;
        out[2] ^= ((inSz >> 24) & 0xFF);
        out[3] ^= ((inSz >> 16) & 0xFF);
        out[4] ^= ((inSz >> 8) & 0xFF);
        out[5] ^= (inSz & 0xFF);
    }

    /* Fill the rest of the first block with as much input as fits. A short
     * input leaves the remaining bytes untouched, i.e. zero padded. */
    room = AES_BLOCK_SIZE - hdrSz;
    take = (inSz >= room) ? room : inSz;
    xorbuf(out + hdrSz, in, take);
    in   += take;
    inSz -= take;

    wc_AesEncrypt(aes, out, out);

    if (inSz > 0) {
        roll_x(aes, in, inSz, out);
    }
}
wolfSSL 15:117db924cf7c 7111
wolfSSL 15:117db924cf7c 7112
/* Add one to the big-endian counter held in the last lenSz bytes of the
 * AES block B, carrying towards lower indices and stopping at the first
 * byte that does not wrap to zero. */
static WC_INLINE void AesCcmCtrInc(byte* B, word32 lenSz)
{
    word32 pos = AES_BLOCK_SIZE;
    word32 done;

    for (done = 0; done < lenSz; done++) {
        pos--;
        B[pos]++;
        if (B[pos] != 0) {
            break;      /* no carry into the next byte */
        }
    }
}
wolfSSL 15:117db924cf7c 7121
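#ifdef WOLFSSL_AESNI
/* Prepare four consecutive CCM counter blocks in B (4 * AES_BLOCK_SIZE
 * bytes) for one 4-block AES-NI call.
 *
 * Block 0 keeps the current counter and blocks 1..3 become counter + 1,
 * + 2 and + 3. The keystream then matches what four successive
 * "encrypt B, AesCcmCtrInc" steps of the single-block loop produce.
 * lenSz is the width in bytes of the counter field at the end of a block.
 */
static WC_INLINE void AesCcmCtrIncSet4(byte* B, word32 lenSz)
{
    word32 i;

    /* B+1 = B */
    XMEMCPY(B + AES_BLOCK_SIZE * 1, B, AES_BLOCK_SIZE);
    /* B+2,B+3 = B,B+1 */
    XMEMCPY(B + AES_BLOCK_SIZE * 2, B, AES_BLOCK_SIZE * 2);

    /* block 1 = counter + 1 */
    for (i = 0; i < lenSz; i++) {
        if (++B[AES_BLOCK_SIZE * 2 - 1 - i] != 0) break;
    }
    /* block 2 = counter + 2, carrying if the low byte wrapped */
    B[AES_BLOCK_SIZE * 3 - 1] += 2;
    if (B[AES_BLOCK_SIZE * 3 - 1] < 2) {
        for (i = 1; i < lenSz; i++) {
            if (++B[AES_BLOCK_SIZE * 3 - 1 - i] != 0) break;
        }
    }
    /* block 3 = counter + 3, carrying if the low byte wrapped */
    B[AES_BLOCK_SIZE * 4 - 1] += 3;
    if (B[AES_BLOCK_SIZE * 4 - 1] < 3) {
        for (i = 1; i < lenSz; i++) {
            if (++B[AES_BLOCK_SIZE * 4 - 1 - i] != 0) break;
        }
    }
}

/* Advance the counter in block 0 of B by four, carrying through the lenSz
 * counter bytes if the low byte wrapped. */
static WC_INLINE void AesCcmCtrInc4(byte* B, word32 lenSz)
{
    word32 i;

    B[AES_BLOCK_SIZE - 1] += 4;
    if (B[AES_BLOCK_SIZE - 1] < 4) {
        for (i = 1; i < lenSz; i++) {
            if (++B[AES_BLOCK_SIZE - 1 - i] != 0) break;
        }
    }
}
#endif

/* Software AES - CCM Encrypt
 *
 * aes        keyed AES context.
 * out, in    ciphertext and plaintext buffers, inSz bytes each.
 * nonce      CCM nonce, nonceSz must be 7..13 bytes.
 * authTag    receives the tag; authTagSz must be an even value in the range
 *            4..AES_BLOCK_SIZE, the only lengths CCM defines.
 * authIn     additional authenticated data, authInSz bytes.
 *
 * Returns 0 on success, BAD_FUNC_ARG on invalid arguments.
 */
int wc_AesCcmEncrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
                     const byte* nonce, word32 nonceSz,
                     byte* authTag, word32 authTagSz,
                     const byte* authIn, word32 authInSz)
{
#ifndef WOLFSSL_AESNI
    byte A[AES_BLOCK_SIZE];
    byte B[AES_BLOCK_SIZE];
#else
    ALIGN128 byte A[AES_BLOCK_SIZE * 4];
    ALIGN128 byte B[AES_BLOCK_SIZE * 4];
#endif
    byte lenSz;
    word32 i;
    byte mask = 0xFF;
    const word32 wordSz = (word32)sizeof(word32);

    /* sanity check on arguments. The tag length feeds the flags byte of
     * B_0 as (t - 2) / 2, which is only meaningful for an even t of at
     * least 4. */
    if (aes == NULL || out == NULL || in == NULL || nonce == NULL
            || authTag == NULL || nonceSz < 7 || nonceSz > 13 ||
            authTagSz < 4 || authTagSz > AES_BLOCK_SIZE ||
            (authTagSz & 1) != 0)
        return BAD_FUNC_ARG;

    /* B_0: flags, nonce, then the message length in the last lenSz bytes */
    XMEMSET(A, 0, sizeof(A));
    XMEMCPY(B+1, nonce, nonceSz);
    lenSz = AES_BLOCK_SIZE - 1 - (byte)nonceSz;
    B[0] = (authInSz > 0 ? 64 : 0)
         + (8 * (((byte)authTagSz - 2) / 2))
         + (lenSz - 1);
    for (i = 0; i < lenSz; i++) {
        /* inSz is 32 bits wide; length bytes beyond that are zero and the
         * mask also keeps the shift count below the type width */
        if (mask && i >= wordSz)
            mask = 0x00;
        B[AES_BLOCK_SIZE - 1 - i] = (inSz >> ((8 * i) & mask)) & mask;
    }

    wc_AesEncrypt(aes, B, A);

    /* CBC-MAC over the auth data and the plaintext */
    if (authInSz > 0)
        roll_auth(aes, authIn, authInSz, A);
    if (inSz > 0)
        roll_x(aes, in, inSz, A);
    XMEMCPY(authTag, A, authTagSz);

    /* counter block 0 encrypts the MAC into the tag */
    B[0] = lenSz - 1;
    for (i = 0; i < lenSz; i++)
        B[AES_BLOCK_SIZE - 1 - i] = 0;
    wc_AesEncrypt(aes, B, A);
    xorbuf(authTag, A, authTagSz);

    /* payload keystream starts at counter 1 */
    B[15] = 1;
#ifdef WOLFSSL_AESNI
    if (haveAESNI && aes->use_aesni) {
        while (inSz >= AES_BLOCK_SIZE * 4) {
            AesCcmCtrIncSet4(B, lenSz);

            AES_ECB_encrypt(B, A, AES_BLOCK_SIZE * 4, (byte*)aes->key,
                            aes->rounds);
            xorbuf(A, in, AES_BLOCK_SIZE * 4);
            XMEMCPY(out, A, AES_BLOCK_SIZE * 4);

            inSz -= AES_BLOCK_SIZE * 4;
            in += AES_BLOCK_SIZE * 4;
            out += AES_BLOCK_SIZE * 4;

            /* Step past the four counters just used on every pass, so no
             * counter value is ever encrypted twice under this nonce. */
            AesCcmCtrInc4(B, lenSz);
        }
    }
#endif
    while (inSz >= AES_BLOCK_SIZE) {
        wc_AesEncrypt(aes, B, A);
        xorbuf(A, in, AES_BLOCK_SIZE);
        XMEMCPY(out, A, AES_BLOCK_SIZE);

        AesCcmCtrInc(B, lenSz);
        inSz -= AES_BLOCK_SIZE;
        in += AES_BLOCK_SIZE;
        out += AES_BLOCK_SIZE;
    }
    if (inSz > 0) {
        wc_AesEncrypt(aes, B, A);
        xorbuf(A, in, inSz);
        XMEMCPY(out, A, inSz);
    }

    /* A and B held keystream and counter blocks. Wipe the whole arrays,
     * which are four blocks long in the AES-NI build. */
    ForceZero(A, sizeof(A));
    ForceZero(B, sizeof(B));

    return 0;
}

#ifdef HAVE_AES_DECRYPT
/* Software AES - CCM Decrypt
 *
 * aes        keyed AES context.
 * out, in    plaintext and ciphertext buffers, inSz bytes each.
 * nonce      CCM nonce, nonceSz must be 7..13 bytes.
 * authTag    tag to verify; authTagSz must be an even value in the range
 *            4..AES_BLOCK_SIZE.
 * authIn     additional authenticated data, authInSz bytes.
 *
 * Returns 0 when the tag verifies, BAD_FUNC_ARG on invalid arguments, or
 * AES_CCM_AUTH_E when the tag does not match, in which case `out` is
 * cleared.
 */
int wc_AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
                     const byte* nonce, word32 nonceSz,
                     const byte* authTag, word32 authTagSz,
                     const byte* authIn, word32 authInSz)
{
#ifndef WOLFSSL_AESNI
    byte A[AES_BLOCK_SIZE];
    byte B[AES_BLOCK_SIZE];
#else
    ALIGN128 byte B[AES_BLOCK_SIZE * 4];
    ALIGN128 byte A[AES_BLOCK_SIZE * 4];
#endif
    byte* o;
    byte lenSz;
    word32 i, oSz;
    int result = 0;
    byte mask = 0xFF;
    const word32 wordSz = (word32)sizeof(word32);

    /* sanity check on arguments. A zero-length tag in particular must be
     * refused: the comparison at the end would then cover no bytes. */
    if (aes == NULL || out == NULL || in == NULL || nonce == NULL
            || authTag == NULL || nonceSz < 7 || nonceSz > 13 ||
            authTagSz < 4 || authTagSz > AES_BLOCK_SIZE ||
            (authTagSz & 1) != 0)
        return BAD_FUNC_ARG;

    o = out;
    oSz = inSz;
    XMEMCPY(B+1, nonce, nonceSz);
    lenSz = AES_BLOCK_SIZE - 1 - (byte)nonceSz;

    /* payload keystream starts at counter 1 */
    B[0] = lenSz - 1;
    for (i = 0; i < lenSz; i++)
        B[AES_BLOCK_SIZE - 1 - i] = 0;
    B[15] = 1;

#ifdef WOLFSSL_AESNI
    if (haveAESNI && aes->use_aesni) {
        while (oSz >= AES_BLOCK_SIZE * 4) {
            AesCcmCtrIncSet4(B, lenSz);

            AES_ECB_encrypt(B, A, AES_BLOCK_SIZE * 4, (byte*)aes->key,
                            aes->rounds);
            xorbuf(A, in, AES_BLOCK_SIZE * 4);
            XMEMCPY(o, A, AES_BLOCK_SIZE * 4);

            oSz -= AES_BLOCK_SIZE * 4;
            in += AES_BLOCK_SIZE * 4;
            o += AES_BLOCK_SIZE * 4;

            /* Step past the four counters just used on every pass. */
            AesCcmCtrInc4(B, lenSz);
        }
    }
#endif
    while (oSz >= AES_BLOCK_SIZE) {
        wc_AesEncrypt(aes, B, A);
        xorbuf(A, in, AES_BLOCK_SIZE);
        XMEMCPY(o, A, AES_BLOCK_SIZE);

        AesCcmCtrInc(B, lenSz);
        oSz -= AES_BLOCK_SIZE;
        in += AES_BLOCK_SIZE;
        o += AES_BLOCK_SIZE;
    }
    /* trailing partial block; skipped when nothing is left */
    if (oSz > 0) {
        wc_AesEncrypt(aes, B, A);
        xorbuf(A, in, oSz);
        XMEMCPY(o, A, oSz);
    }

    for (i = 0; i < lenSz; i++)
        B[AES_BLOCK_SIZE - 1 - i] = 0;
    wc_AesEncrypt(aes, B, A);

    /* recompute the MAC over the recovered plaintext */
    o = out;
    oSz = inSz;

    B[0] = (authInSz > 0 ? 64 : 0)
         + (8 * (((byte)authTagSz - 2) / 2))
         + (lenSz - 1);
    for (i = 0; i < lenSz; i++) {
        if (mask && i >= wordSz)
            mask = 0x00;
        B[AES_BLOCK_SIZE - 1 - i] = (inSz >> ((8 * i) & mask)) & mask;
    }

    wc_AesEncrypt(aes, B, A);

    if (authInSz > 0)
        roll_auth(aes, authIn, authInSz, A);
    if (inSz > 0)
        roll_x(aes, o, oSz, A);

    /* counter block 0 encrypts the MAC into the expected tag */
    B[0] = lenSz - 1;
    for (i = 0; i < lenSz; i++)
        B[AES_BLOCK_SIZE - 1 - i] = 0;
    wc_AesEncrypt(aes, B, B);
    xorbuf(A, B, authTagSz);

    if (ConstantCompare(A, authTag, authTagSz) != 0) {
        /* If the authTag check fails, don't keep the decrypted data.
         * Unfortunately, you need the decrypted data to calculate the
         * check value. */
        XMEMSET(out, 0, inSz);
        result = AES_CCM_AUTH_E;
    }

    /* Wipe the whole arrays, which are four blocks long in the AES-NI
     * build. */
    ForceZero(A, sizeof(A));
    ForceZero(B, sizeof(B));

    return result;
}

#endif /* HAVE_AES_DECRYPT */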
wolfSSL 16:8e0d178b1d1e 7374 #endif /* software CCM */
wolfSSL 15:117db924cf7c 7375
wolfSSL 15:117db924cf7c 7376 /* abstract functions that call lower level AESCCM functions */
wolfSSL 15:117db924cf7c 7377 #ifndef WC_NO_RNG
wolfSSL 15:117db924cf7c 7378
/* Store a caller-supplied CCM nonce in the Aes object and re-arm the
 * invocation counter.
 *
 * nonceSz must lie in CCM_NONCE_MIN_SZ..CCM_NONCE_MAX_SZ. Returns 0 on
 * success, BAD_FUNC_ARG for a NULL pointer or an out-of-range length.
 */
int wc_AesCcmSetNonce(Aes* aes, const byte* nonce, word32 nonceSz)
{
    if (aes == NULL || nonce == NULL) {
        return BAD_FUNC_ARG;
    }
    if (nonceSz < CCM_NONCE_MIN_SZ || nonceSz > CCM_NONCE_MAX_SZ) {
        return BAD_FUNC_ARG;
    }

    XMEMCPY(aes->reg, nonce, nonceSz);
    aes->nonceSz = nonceSz;

    /* Invocation budget of 2^61: the two words form a 64-bit counter that
     * starts at 0xE0000000_00000000 and therefore wraps after 2^61
     * increments. */
    aes->invokeCtr[1] = 0xE0000000;
    aes->invokeCtr[0] = 0;

    return 0;
}
wolfSSL 15:117db924cf7c 7400
wolfSSL 15:117db924cf7c 7401
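/* CCM-encrypt with the nonce held in the Aes object, hand that nonce back to
 * the caller, then advance the stored nonce for the next call.
 *
 * aes        object set up with a key and with wc_AesCcmSetNonce()
 * out        buffer that receives the ciphertext
 * in         plaintext, may be NULL only when sz is 0
 * sz         plaintext length in bytes
 * ivOut      receives the nonce that was used for this message
 * ivOutSz    size of ivOut, must equal the stored nonce length
 * authTag    receives the authentication tag
 * authTagSz  tag length in bytes
 * authIn     additional authenticated data, may be NULL only when
 *            authInSz is 0
 * authInSz   length of authIn in bytes
 *
 * returns 0 on success, BAD_FUNC_ARG on bad arguments, AES_CCM_OVERFLOW_E
 * once the invocation counter is exhausted, otherwise the result of
 * wc_AesCcmEncrypt()
 *
 * authTag and authTagSz are not checked here; that is presumably left to
 * wc_AesCcmEncrypt() -- confirm.
 */
int wc_AesCcmEncrypt_ex(Aes* aes, byte* out, const byte* in, word32 sz,
                        byte* ivOut, word32 ivOutSz,
                        byte* authTag, word32 authTagSz,
                        const byte* authIn, word32 authInSz)
{
    int ret = 0;

    if (aes == NULL || out == NULL ||
            (in == NULL && sz != 0) ||
            ivOut == NULL ||
            (authIn == NULL && authInSz != 0) ||
            (ivOutSz != aes->nonceSz)) {

        ret = BAD_FUNC_ARG;
    }

    if (ret == 0) {
        aes->invokeCtr[0]++;
        if (aes->invokeCtr[0] == 0) {
            aes->invokeCtr[1]++;
            if (aes->invokeCtr[1] == 0) {
                /* Both words just wrapped to zero. Step them back to their
                 * maximum so that every later call wraps again and keeps
                 * failing; left at zero, the very next call would pass the
                 * check and encrypt past the limit. wc_AesCcmSetNonce()
                 * re-arms the counter. */
                aes->invokeCtr[0]--;
                aes->invokeCtr[1]--;
                ret = AES_CCM_OVERFLOW_E;
            }
        }
    }

    if (ret == 0) {
        ret = wc_AesCcmEncrypt(aes, out, in, sz,
                               (byte*)aes->reg, aes->nonceSz,
                               authTag, authTagSz,
                               authIn, authInSz);
        if (ret == 0) {
            /* Report the nonce actually used, then move on to the next
             * one. On failure the stored nonce is left unchanged and ivOut
             * is not written. */
            XMEMCPY(ivOut, aes->reg, aes->nonceSz);
            IncCtr((byte*)aes->reg, aes->nonceSz);
        }
    }

    return ret;
}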
wolfSSL 15:117db924cf7c 7440
wolfSSL 15:117db924cf7c 7441 #endif /* WC_NO_RNG */
wolfSSL 15:117db924cf7c 7442
wolfSSL 15:117db924cf7c 7443 #endif /* HAVE_AESCCM */
wolfSSL 15:117db924cf7c 7444
wolfSSL 15:117db924cf7c 7445
/* Put an Aes object into a known starting state before a key is set.
 *
 * aes    object to initialize
 * heap   heap hint, stored in aes->heap
 * devId  device id, stored for crypto callbacks and passed to the async
 *        layer; unused in builds that have neither
 *
 * returns 0 on success, BAD_FUNC_ARG when aes is NULL, otherwise the result
 * of wolfAsync_DevCtxInit() in async builds
 *
 * Only the fields listed below are written; the rest of the object is left
 * as the caller provided it.
 */
int wc_AesInit(Aes* aes, void* heap, int devId)
{
    int ret = 0;

    if (aes == NULL) {
        return BAD_FUNC_ARG;
    }

    aes->heap = heap;

#ifndef WOLF_CRYPTO_CB
    (void)devId;
#else
    aes->devId = devId;
    aes->devCtx = NULL;
#endif

#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_AES)
    ret = wolfAsync_DevCtxInit(&aes->asyncDev, WOLFSSL_ASYNC_MARKER_AES,
                               aes->heap, devId);
#endif /* WOLFSSL_ASYNC_CRYPT */

#ifdef WOLFSSL_AFALG
    /* -1 marks "no descriptor open" for wc_AesFree().
     * NOTE(review): wc_AesFree() also closes these descriptors under
     * WOLFSSL_AFALG_XILINX_AES, which is not covered by this #ifdef --
     * confirm they are initialized elsewhere for that build. */
    aes->alFd = -1;
    aes->rdFd = -1;
#endif

#if defined(WOLFSSL_DEVCRYPTO) && \
    (defined(WOLFSSL_DEVCRYPTO_AES) || defined(WOLFSSL_DEVCRYPTO_CBC))
    aes->ctx.cfd = -1;
#endif

#if defined(WOLFSSL_CRYPTOCELL) && defined(WOLFSSL_CRYPTOCELL_AES)
    XMEMSET(&aes->ctx, 0, sizeof(aes->ctx));
#endif

#if defined(HAVE_AESGCM) && defined(OPENSSL_EXTRA)
    XMEMSET(aes->aadH, 0, sizeof(aes->aadH));
    aes->aadLen = 0;
#endif

    return ret;
}
wolfSSL 16:8e0d178b1d1e 7486
wolfSSL 16:8e0d178b1d1e 7487 #ifdef HAVE_PKCS11
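/* Initialize an Aes object and attach a key identifier to it.
 *
 * aes    object to initialize
 * id     identifier bytes, copied into aes->id; may be NULL only when len
 *        is 0
 * len    identifier length, 0 to AES_MAX_ID_LEN inclusive
 * heap   heap hint, passed to wc_AesInit()
 * devId  device id, passed to wc_AesInit()
 *
 * returns 0 on success, BAD_FUNC_ARG when aes is NULL or id is NULL with a
 * non-zero len, BUFFER_E when len is out of range, otherwise the result of
 * wc_AesInit()
 */
int wc_AesInit_Id(Aes* aes, unsigned char* id, int len, void* heap, int devId)
{
    int ret = 0;

    if (aes == NULL)
        ret = BAD_FUNC_ARG;
    /* Bound len before it is used as a copy size into aes->id. */
    if (ret == 0 && (len < 0 || len > AES_MAX_ID_LEN))
        ret = BUFFER_E;
    /* A NULL id with a non-zero length would be read by the copy below. */
    if (ret == 0 && id == NULL && len != 0)
        ret = BAD_FUNC_ARG;

    if (ret == 0)
        ret = wc_AesInit(aes, heap, devId);
    if (ret == 0) {
        if (len > 0)
            XMEMCPY(aes->id, id, len);
        aes->idLen = len;
    }

    return ret;
}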
wolfSSL 16:8e0d178b1d1e 7506 #endif
wolfSSL 15:117db924cf7c 7507
/* Release the backend resources tied to an Aes object. A NULL aes is
 * ignored.
 *
 * The only key material cleared here is aes->devKey, and only in builds
 * that define one of the options listed at the ForceZero() call. No other
 * field of the object is zeroed by this function.
 */
void wc_AesFree(Aes* aes)
{
    if (aes == NULL) {
        return;
    }

#if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_AES)
    wolfAsync_DevCtxFree(&aes->asyncDev, WOLFSSL_ASYNC_MARKER_AES);
#endif /* WOLFSSL_ASYNC_CRYPT */

#if defined(WOLFSSL_AFALG) || defined(WOLFSSL_AFALG_XILINX_AES)
    /* Negative values mark an error or an unopened descriptor. The test is
     * "> 0", so a descriptor equal to 0 is not closed here either. */
    if (aes->rdFd > 0) {
        close(aes->rdFd);
    }
    if (aes->alFd > 0) {
        close(aes->alFd);
    }
#endif /* WOLFSSL_AFALG */

#if defined(WOLFSSL_DEVCRYPTO) && \
    (defined(WOLFSSL_DEVCRYPTO_AES) || defined(WOLFSSL_DEVCRYPTO_CBC))
    wc_DevCryptoFree(&aes->ctx);
#endif

#if defined(WOLF_CRYPTO_CB) || (defined(WOLFSSL_DEVCRYPTO) && \
    (defined(WOLFSSL_DEVCRYPTO_AES) || defined(WOLFSSL_DEVCRYPTO_CBC))) || \
    (defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_AES))
    /* ForceZero rather than a plain memset for the raw key copy. */
    ForceZero((byte*)aes->devKey, AES_MAX_KEY_SIZE/WOLFSSL_BIT_SIZE);
#endif
}
wolfSSL 15:117db924cf7c 7535
wolfSSL 15:117db924cf7c 7536
/* Report the size in bytes of the key currently loaded in an Aes object.
 *
 * aes      object to query
 * keySize  receives 16, 24 or 32; set to 0 when the size cannot be
 *          determined
 *
 * returns 0 on success, BAD_FUNC_ARG on a NULL pointer or when aes->rounds
 * matches no AES key size enabled in this build
 */
int wc_AesGetKeySize(Aes* aes, word32* keySize)
{
    int ret = 0;

    if (aes == NULL || keySize == NULL) {
        return BAD_FUNC_ARG;
    }

#if defined(WOLFSSL_CRYPTOCELL) && defined(WOLFSSL_CRYPTOCELL_AES)
    /* This backend keeps the size in its own context. */
    *keySize = aes->ctx.key.keySize;
#else
    /* Otherwise derive the size from the round count. */
    switch (aes->rounds) {
    #ifdef WOLFSSL_AES_128
        case 10:
            *keySize = 16;
            break;
    #endif
    #ifdef WOLFSSL_AES_192
        case 12:
            *keySize = 24;
            break;
    #endif
    #ifdef WOLFSSL_AES_256
        case 14:
            *keySize = 32;
            break;
    #endif
        default:
            *keySize = 0;
            ret = BAD_FUNC_ARG;
            break;
    }
#endif

    return ret;
}
wolfSSL 15:117db924cf7c 7571
wolfSSL 15:117db924cf7c 7572 #endif /* !WOLFSSL_TI_CRYPT */
wolfSSL 15:117db924cf7c 7573
wolfSSL 15:117db924cf7c 7574 #ifdef HAVE_AES_ECB
wolfSSL 15:117db924cf7c 7575 #if defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_AES)
wolfSSL 15:117db924cf7c 7576 /* implemented in wolfcrypt/src/port/caam/caam_aes.c */
wolfSSL 16:8e0d178b1d1e 7577
wolfSSL 16:8e0d178b1d1e 7578 #elif defined(WOLFSSL_AFALG)
wolfSSL 16:8e0d178b1d1e 7579 /* implemented in wolfcrypt/src/port/af_alg/afalg_aes.c */
wolfSSL 16:8e0d178b1d1e 7580
wolfSSL 16:8e0d178b1d1e 7581 #elif defined(WOLFSSL_DEVCRYPTO_AES)
wolfSSL 16:8e0d178b1d1e 7582 /* implemented in wolfcrypt/src/port/devcrypt/devcrypto_aes.c */
wolfSSL 16:8e0d178b1d1e 7583
wolfSSL 16:8e0d178b1d1e 7584 #elif defined(WOLFSSL_SCE) && !defined(WOLFSSL_SCE_NO_AES)
wolfSSL 16:8e0d178b1d1e 7585
/* AES-ECB encrypt for the WOLFSSL_SCE build: validates the pointers and
 * hands the request to AES_ECB_encrypt().
 *
 * returns BAD_FUNC_ARG on a NULL pointer, otherwise the result of
 * AES_ECB_encrypt()
 *
 * ECB encrypts every block independently, so equal plaintext blocks give
 * equal ciphertext blocks, and the mode provides no integrity check.
 */
int wc_AesEcbEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    int ret;

    if (aes == NULL || out == NULL || in == NULL) {
        return BAD_FUNC_ARG;
    }

    /* The backend takes the input buffer before the output buffer. */
    ret = AES_ECB_encrypt(aes, in, out, sz);
    return ret;
}
wolfSSL 16:8e0d178b1d1e 7594
wolfSSL 16:8e0d178b1d1e 7595
/* AES-ECB decrypt for the WOLFSSL_SCE build: validates the pointers and
 * hands the request to AES_ECB_decrypt().
 *
 * returns BAD_FUNC_ARG on a NULL pointer, otherwise the result of
 * AES_ECB_decrypt()
 */
int wc_AesEcbDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    int ret;

    if (aes == NULL || out == NULL || in == NULL) {
        return BAD_FUNC_ARG;
    }

    /* The backend takes the input buffer before the output buffer. */
    ret = AES_ECB_decrypt(aes, in, out, sz);
    return ret;
}
wolfSSL 16:8e0d178b1d1e 7603
wolfSSL 15:117db924cf7c 7604 #else
wolfSSL 15:117db924cf7c 7605
/* Software AES - ECB encrypt
 *
 * aes  structure holding key to use for encryption
 * out  buffer to hold result of encryption
 * in   buffer to encrypt
 * sz   size of input buffer in bytes
 *
 * returns 0 on success, BAD_FUNC_ARG on a NULL pointer
 *
 * Only whole blocks are processed: sz / AES_BLOCK_SIZE blocks are encrypted
 * and any trailing bytes are left untouched without an error being
 * reported. ECB encrypts every block independently, so equal plaintext
 * blocks give equal ciphertext blocks, and the mode provides no integrity
 * check.
 */
int wc_AesEcbEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    word32 remaining;

    if (aes == NULL || out == NULL || in == NULL) {
        return BAD_FUNC_ARG;
    }

    for (remaining = sz / AES_BLOCK_SIZE; remaining > 0; remaining--) {
        wc_AesEncryptDirect(aes, out, in);
        out += AES_BLOCK_SIZE;
        in  += AES_BLOCK_SIZE;
    }

    return 0;
}
wolfSSL 15:117db924cf7c 7622
wolfSSL 15:117db924cf7c 7623
/* Software AES - ECB decrypt
 *
 * aes  structure holding key to use for decryption
 * out  buffer to hold result of decryption
 * in   buffer to decrypt
 * sz   size of input buffer in bytes
 *
 * returns 0 on success, BAD_FUNC_ARG on a NULL pointer
 *
 * Only whole blocks are processed: sz / AES_BLOCK_SIZE blocks are decrypted
 * and any trailing bytes are left untouched without an error being
 * reported.
 */
int wc_AesEcbDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    word32 remaining;

    if (aes == NULL || out == NULL || in == NULL) {
        return BAD_FUNC_ARG;
    }

    for (remaining = sz / AES_BLOCK_SIZE; remaining > 0; remaining--) {
        wc_AesDecryptDirect(aes, out, in);
        out += AES_BLOCK_SIZE;
        in  += AES_BLOCK_SIZE;
    }

    return 0;
}
wolfSSL 15:117db924cf7c 7639 #endif
wolfSSL 15:117db924cf7c 7640 #endif /* HAVE_AES_ECB */
wolfSSL 15:117db924cf7c 7641
wolfSSL 16:8e0d178b1d1e 7642 #if defined(WOLFSSL_AES_CFB) || defined(WOLFSSL_AES_OFB)
/* Feedback AES mode, encrypt direction (shared by CFB and OFB)
 *
 * aes  structure holding key to use for encryption; aes->reg is the
 *      feedback register and aes->tmp holds the current keystream block
 * out  buffer to hold result of encryption (must be at least as large as input
 *      buffer)
 * in   buffer to encrypt
 * sz   size of input buffer
 * mode flag to specify AES mode (AES_CFB_MODE or AES_OFB_MODE)
 *
 * aes->left counts the keystream bytes of aes->tmp not yet used, so a
 * message can be fed in over several calls of any length.
 *
 * returns 0 on success and negative error values on failure
 */
static int wc_AesFeedbackEncrypt(Aes* aes, byte* out, const byte* in,
                                 word32 sz, byte mode)
{
    byte* tmp = NULL;
#ifdef WOLFSSL_AES_CFB
    byte* reg = NULL;
#endif

    if (aes == NULL || out == NULL || in == NULL) {
        return BAD_FUNC_ARG;
    }

#ifdef WOLFSSL_AES_CFB
    /* CFB feeds ciphertext back: point at the slot in aes->reg that matches
     * the first unused keystream byte */
    if (aes->left && sz) {
        reg = (byte*)aes->reg + AES_BLOCK_SIZE - aes->left;
    }
#endif

    /* consume any unused bytes left in aes->tmp */
    tmp = (byte*)aes->tmp + AES_BLOCK_SIZE - aes->left;
    while (aes->left && sz) {
        *(out) = *(in++) ^ *(tmp++);
#ifdef WOLFSSL_AES_CFB
        if (mode == AES_CFB_MODE) {
            /* the ciphertext byte becomes part of the next register value */
            *(reg++) = *out;
        }
#endif
        out++;
        aes->left--;
        sz--;
    }

    /* whole blocks */
    while (sz >= AES_BLOCK_SIZE) {
        /* Using aes->tmp here for inline case i.e. in=out */
        wc_AesEncryptDirect(aes, (byte*)aes->tmp, (byte*)aes->reg);
#ifdef WOLFSSL_AES_OFB
        if (mode == AES_OFB_MODE) {
            /* OFB feeds back the keystream, taken before the XOR */
            XMEMCPY(aes->reg, aes->tmp, AES_BLOCK_SIZE);
        }
#endif
        xorbuf((byte*)aes->tmp, in, AES_BLOCK_SIZE);
#ifdef WOLFSSL_AES_CFB
        if (mode == AES_CFB_MODE) {
            /* CFB feeds back the ciphertext, taken after the XOR */
            XMEMCPY(aes->reg, aes->tmp, AES_BLOCK_SIZE);
        }
#endif
        XMEMCPY(out, aes->tmp, AES_BLOCK_SIZE);
        out += AES_BLOCK_SIZE;
        in  += AES_BLOCK_SIZE;
        sz  -= AES_BLOCK_SIZE;
        aes->left = 0;
    }

    /* encrypt left over data */
    if (sz) {
        /* generate one more keystream block; the bytes not used now stay in
         * aes->tmp for the next call, tracked by aes->left */
        wc_AesEncryptDirect(aes, (byte*)aes->tmp, (byte*)aes->reg);
        aes->left = AES_BLOCK_SIZE;
        tmp = (byte*)aes->tmp;
#ifdef WOLFSSL_AES_OFB
        if (mode == AES_OFB_MODE) {
            XMEMCPY(aes->reg, aes->tmp, AES_BLOCK_SIZE);
        }
#endif
#ifdef WOLFSSL_AES_CFB
        reg = (byte*)aes->reg;
#endif

        while (sz--) {
            *(out) = *(in++) ^ *(tmp++);
#ifdef WOLFSSL_AES_CFB
            if (mode == AES_CFB_MODE) {
                *(reg++) = *out;
            }
#endif
            out++;
            aes->left--;
        }
    }

    return 0;
}
wolfSSL 15:117db924cf7c 7736
wolfSSL 15:117db924cf7c 7737
wolfSSL 15:117db924cf7c 7738 #ifdef HAVE_AES_DECRYPT
/* Feedback AES mode, decrypt direction (shared by CFB and OFB)
 *
 * aes  structure holding key to use for decryption; aes->reg is the
 *      feedback register and aes->tmp holds the current keystream block
 * out  buffer to hold result of decryption (must be at least as large as input
 *      buffer)
 * in   buffer to decrypt
 * sz   size of input buffer
 * mode flag to specify AES mode (AES_CFB_MODE or AES_OFB_MODE)
 *
 * The keystream is produced with wc_AesEncryptDirect() in this direction
 * as well. These modes carry no authentication tag, so altered ciphertext
 * is not detected here.
 *
 * returns 0 on success and negative error values on failure
 */
static int wc_AesFeedbackDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
                                 byte mode)
{
    byte* tmp;

    if (aes == NULL || out == NULL || in == NULL) {
        return BAD_FUNC_ARG;
    }

#ifdef WOLFSSL_AES_CFB
    /* check if more input needs copied over to aes->reg; done before the
     * XOR below so the ciphertext is saved even when in == out */
    if (aes->left && sz && mode == AES_CFB_MODE) {
        int size = min(aes->left, sz);
        XMEMCPY((byte*)aes->reg + AES_BLOCK_SIZE - aes->left, in, size);
    }
#endif

    /* consume any unused bytes left in aes->tmp */
    tmp = (byte*)aes->tmp + AES_BLOCK_SIZE - aes->left;
    while (aes->left && sz) {
        *(out++) = *(in++) ^ *(tmp++);
        aes->left--;
        sz--;
    }

    /* whole blocks; the test is '>' here, so a final input of exactly one
     * block is handled by the left over path below */
    while (sz > AES_BLOCK_SIZE) {
        /* Using aes->tmp here for inline case i.e. in=out */
        wc_AesEncryptDirect(aes, (byte*)aes->tmp, (byte*)aes->reg);
#ifdef WOLFSSL_AES_OFB
        if (mode == AES_OFB_MODE) {
            /* OFB feeds back the keystream, taken before the XOR */
            XMEMCPY((byte*)aes->reg, (byte*)aes->tmp, AES_BLOCK_SIZE);
        }
#endif
        xorbuf((byte*)aes->tmp, in, AES_BLOCK_SIZE);
#ifdef WOLFSSL_AES_CFB
        if (mode == AES_CFB_MODE) {
            /* CFB feeds back the ciphertext, which is the input here */
            XMEMCPY(aes->reg, in, AES_BLOCK_SIZE);
        }
#endif
        XMEMCPY(out, (byte*)aes->tmp, AES_BLOCK_SIZE);
        out += AES_BLOCK_SIZE;
        in  += AES_BLOCK_SIZE;
        sz  -= AES_BLOCK_SIZE;
        aes->left = 0;
    }

    /* decrypt left over data */
    if (sz) {
        wc_AesEncryptDirect(aes, (byte*)aes->tmp, (byte*)aes->reg);
#ifdef WOLFSSL_AES_CFB
        if (mode == AES_CFB_MODE) {
            /* save the ciphertext seen so far; the rest of the register is
             * filled by the copy at the top of the next call */
            XMEMCPY(aes->reg, in, sz);
        }
#endif
#ifdef WOLFSSL_AES_OFB
        if (mode == AES_OFB_MODE) {
            XMEMCPY(aes->reg, aes->tmp, AES_BLOCK_SIZE);
        }
#endif

        aes->left = AES_BLOCK_SIZE;
        tmp = (byte*)aes->tmp;

        while (sz--) {
            *(out++) = *(in++) ^ *(tmp++);
            aes->left--;
        }
    }

    return 0;
}
wolfSSL 15:117db924cf7c 7821 #endif /* HAVE_AES_DECRYPT */
wolfSSL 15:117db924cf7c 7822 #endif /* WOLFSSL_AES_CFB */
wolfSSL 15:117db924cf7c 7823
wolfSSL 16:8e0d178b1d1e 7824 #ifdef WOLFSSL_AES_CFB
/* CFB 128 encrypt (software AES)
 *
 * aes  structure holding key to use for encryption
 * out  buffer to hold result of encryption (must be at least as large as
 *      input buffer)
 * in   buffer to encrypt
 * sz   size of input buffer
 *
 * Thin wrapper: runs wc_AesFeedbackEncrypt() in AES_CFB_MODE.
 *
 * returns 0 on success and negative error values on failure
 */
int wc_AesCfbEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    int ret = wc_AesFeedbackEncrypt(aes, out, in, sz, AES_CFB_MODE);

    return ret;
}
wolfSSL 16:8e0d178b1d1e 7840
wolfSSL 16:8e0d178b1d1e 7841
wolfSSL 16:8e0d178b1d1e 7842 #ifdef HAVE_AES_DECRYPT
/* CFB 128 decrypt (software AES)
 *
 * aes  structure holding key to use for decryption
 * out  buffer to hold result of decryption (must be at least as large as
 *      input buffer)
 * in   buffer to decrypt
 * sz   size of input buffer
 *
 * Thin wrapper: runs wc_AesFeedbackDecrypt() in AES_CFB_MODE.
 *
 * returns 0 on success and negative error values on failure
 */
int wc_AesCfbDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    int ret = wc_AesFeedbackDecrypt(aes, out, in, sz, AES_CFB_MODE);

    return ret;
}
wolfSSL 16:8e0d178b1d1e 7858 #endif /* HAVE_AES_DECRYPT */
wolfSSL 16:8e0d178b1d1e 7859
wolfSSL 16:8e0d178b1d1e 7860
/* Shift an AES_BLOCK_SIZE byte array left, toward index 0, in place.
 *
 * ary    array of AES_BLOCK_SIZE bytes
 * shift  number of bits to shift by; the callers in this file pass
 *        WOLFSSL_BIT_SIZE (a whole byte) or 1. Values above
 *        WOLFSSL_BIT_SIZE are not handled.
 *
 * The vacated low-order bits of the last byte are zero.
 */
static void shiftLeftArray(byte* ary, byte shift)
{
    const int last = AES_BLOCK_SIZE - 1;
    int idx;

    if (shift != WOLFSSL_BIT_SIZE) {
        /* sub-byte shift: each byte takes the top 'shift' bits of its
         * right-hand neighbour as carry-in */
        byte spill = 0;

        for (idx = 0; idx < last; idx++) {
            spill = (byte)(ary[idx + 1] >> (WOLFSSL_BIT_SIZE - shift));
            ary[idx] = (byte)((ary[idx] << shift) + spill);
        }
        ary[last] = (byte)(ary[last] << shift);
        return;
    }

    /* whole-byte shift: move every byte down one slot */
    for (idx = 0; idx < last; idx++) {
        ary[idx] = ary[idx + 1];
    }
    ary[last] = 0;
}
wolfSSL 16:8e0d178b1d1e 7885
wolfSSL 16:8e0d178b1d1e 7886
/* CFB 8 worker shared by encrypt and decrypt: one block encryption per
 * input byte, with the ciphertext byte shifted into aes->reg.
 *
 * aes  structure holding key; aes->reg is the shift register
 * out  buffer to hold the result (must be at least as large as input)
 * in   buffer to process
 * sz   size of input buffer in bytes
 * dir  AES_ENCRYPTION or AES_DECRYPTION
 *
 * returns 0 on success and negative values on failure
 */
static int wc_AesFeedbackCFB8(Aes* aes, byte* out, const byte* in,
                              word32 sz, byte dir)
{
    byte* shiftReg;

    if (aes == NULL || out == NULL || in == NULL) {
        return BAD_FUNC_ARG;
    }

    shiftReg = (byte*)aes->reg;

    for (; sz > 0; sz--, in++, out++) {
        wc_AesEncryptDirect(aes, (byte*)aes->tmp, (byte*)aes->reg);

        if (dir == AES_DECRYPTION) {
            /* LSB + CAT: the ciphertext is the input, so save it before
             * out[0] is written (in and out may be the same buffer) */
            shiftLeftArray(shiftReg, WOLFSSL_BIT_SIZE);
            shiftReg[AES_BLOCK_SIZE - 1] = in[0];
        }

        /* MSB + XOR
         * NOTE(review): aes->tmp is cast to byte* everywhere else in this
         * file, so tmp[0] may be a wider word here. If it is, this keeps
         * the low 8 bits of that word, which is the first keystream byte
         * only on little-endian targets; wc_AesFeedbackCFB1() reads the
         * same byte through a byte pointer. Confirm against the Aes
         * struct. */
        out[0] = aes->tmp[0] ^ in[0];

        if (dir == AES_ENCRYPTION) {
            /* LSB + CAT: the ciphertext is the output just produced */
            shiftLeftArray(shiftReg, WOLFSSL_BIT_SIZE);
            shiftReg[AES_BLOCK_SIZE - 1] = out[0];
        }
    }

    return 0;
}
wolfSSL 16:8e0d178b1d1e 7928
wolfSSL 16:8e0d178b1d1e 7929
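/* CFB 1 worker shared by encrypt and decrypt: one block encryption per
 * input bit, with the ciphertext bit shifted into aes->reg.
 *
 * aes  structure holding key; aes->reg is the shift register
 * out  buffer to hold the result, bits packed from the most significant
 *      bit of each byte
 * in   buffer to process, packed the same way
 * sz   size of input in BITS
 * dir  AES_ENCRYPTION or AES_DECRYPTION
 *
 * The bit position is not kept between calls: every call starts at the
 * most significant bit of in[0] and out[0].
 *
 * returns 0 on success and negative values on failure
 */
static int wc_AesFeedbackCFB1(Aes* aes, byte* out, const byte* in,
                              word32 sz, byte dir)
{
    byte tmp;
    byte cur = 0; /* hold current work in order to handle inline in=out */
    byte* pt;
    int bit = 7;  /* position inside the current byte, MSB first */

    if (aes == NULL || out == NULL || in == NULL) {
        return BAD_FUNC_ARG;
    }

    if (sz == 0) {
        return 0;
    }

    while (sz > 0) {
        wc_AesEncryptDirect(aes, (byte*)aes->tmp, (byte*)aes->reg);
        if (dir == AES_DECRYPTION) {
            pt = (byte*)aes->reg;

            /* LSB + CAT: the ciphertext bit is the input bit */
            tmp = (0X01 << bit) & in[0];
            tmp = tmp >> bit;
            tmp &= 0x01;
            shiftLeftArray((byte*)aes->reg, 1);
            pt[AES_BLOCK_SIZE - 1] |= tmp;
        }

        /* MSB + XOR: top keystream bit against the current input bit */
        tmp = (0X01 << bit) & in[0];
        pt = (byte*)aes->tmp;
        tmp = (pt[0] >> 7) ^ (tmp >> bit);
        tmp &= 0x01;
        cur |= (tmp << bit);

        if (dir == AES_ENCRYPTION) {
            pt = (byte*)aes->reg;

            /* LSB + CAT: the ciphertext bit is the output bit */
            shiftLeftArray((byte*)aes->reg, 1);
            pt[AES_BLOCK_SIZE - 1] |= tmp;
        }

        bit--;
        if (bit < 0) {
            /* a full byte is assembled: store it and move on */
            out[0] = cur;
            out += 1;
            in  += 1;
            bit = 7;
            cur = 0;
        }
        sz -= 1;
    }

    /* Store a partly filled last byte. bit is 7 only when no bits are
     * pending. The test must include bit == 0 (seven bits pending): with
     * "bit > 0" those seven bits were shifted into the register but never
     * written to out. */
    if (bit < 7) {
        out[0] = cur;
    }

    return 0;
}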
wolfSSL 16:8e0d178b1d1e 7996
wolfSSL 16:8e0d178b1d1e 7997
/* CFB 1 encrypt
 *
 * aes  structure holding key to use for encryption
 * out  buffer to hold result of encryption (must be at least as large as
 *      input buffer)
 * in   buffer to encrypt, bits packed to the left (the three bits 101 are
 *      passed as 0xA0)
 * sz   size of input in bits (a lone top bit is size 1, a full byte such
 *      as 0xFF is size 8)
 *
 * Thin wrapper: runs wc_AesFeedbackCFB1() with AES_ENCRYPTION.
 *
 * returns 0 on success and negative values on failure
 */
int wc_AesCfb1Encrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    int ret = wc_AesFeedbackCFB1(aes, out, in, sz, AES_ENCRYPTION);

    return ret;
}
wolfSSL 16:8e0d178b1d1e 8012
wolfSSL 16:8e0d178b1d1e 8013
/* CFB 8 encrypt
 *
 * aes  structure holding key to use for encryption
 * out  buffer to hold result of encryption (must be at least as large as
 *      input buffer)
 * in   buffer to encrypt
 * sz   size of input buffer in bytes
 *
 * Thin wrapper: runs wc_AesFeedbackCFB8() with AES_ENCRYPTION.
 *
 * returns 0 on success and negative values on failure
 */
int wc_AesCfb8Encrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    int ret = wc_AesFeedbackCFB8(aes, out, in, sz, AES_ENCRYPTION);

    return ret;
}
wolfSSL 16:8e0d178b1d1e 8028 #ifdef HAVE_AES_DECRYPT
wolfSSL 16:8e0d178b1d1e 8029
/* AES-CFB1 decryption (cipher feedback, one bit at a time).
 *
 * aes   structure holding the key to use for decryption
 * out   buffer to hold the result of decryption (must be at least as large
 *       as the input buffer)
 * in    buffer to decrypt
 * sz    size of the input in bits (0x1 would be size of 1 and 0xFF size of 8)
 *
 * returns 0 on success and negative values on failure
 */
int wc_AesCfb1Decrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    int ret;

    /* same feedback routine as encryption, run in the decrypt direction */
    ret = wc_AesFeedbackCFB1(aes, out, in, sz, AES_DECRYPTION);

    return ret;
}
wolfSSL 16:8e0d178b1d1e 8044
wolfSSL 16:8e0d178b1d1e 8045
/* AES-CFB8 decryption (cipher feedback, one byte at a time).
 *
 * aes   structure holding the key to use for decryption
 * out   buffer to hold the result of decryption (must be at least as large
 *       as the input buffer)
 * in    buffer to decrypt
 * sz    size of the input buffer
 *
 * returns 0 on success and negative values on failure
 */
int wc_AesCfb8Decrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    int ret;

    /* same feedback routine as encryption, run in the decrypt direction */
    ret = wc_AesFeedbackCFB8(aes, out, in, sz, AES_DECRYPTION);

    return ret;
}
wolfSSL 16:8e0d178b1d1e 8060 #endif /* HAVE_AES_DECRYPT */
wolfSSL 16:8e0d178b1d1e 8061 #endif /* WOLFSSL_AES_CFB */
wolfSSL 16:8e0d178b1d1e 8062
wolfSSL 16:8e0d178b1d1e 8063 #ifdef WOLFSSL_AES_OFB
/* AES-OFB encryption (output feedback).
 *
 * aes   structure holding the key to use for encryption
 * out   buffer to hold the result of encryption (must be at least as large
 *       as the input buffer)
 * in    buffer to encrypt
 * sz    size of the input buffer
 *
 * Note: OFB gives confidentiality only; pair it with a MAC if the data must
 * be protected against modification.
 *
 * returns 0 on success and negative error values on failure
 */
/* Software AES - OFB Encrypt */
int wc_AesOfbEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    int ret;

    /* the generic feedback encrypt routine is run in OFB mode */
    ret = wc_AesFeedbackEncrypt(aes, out, in, sz, AES_OFB_MODE);

    return ret;
}
wolfSSL 16:8e0d178b1d1e 8079
wolfSSL 16:8e0d178b1d1e 8080
wolfSSL 16:8e0d178b1d1e 8081 #ifdef HAVE_AES_DECRYPT
/* AES-OFB decryption (output feedback).
 *
 * aes   structure holding the key to use for decryption
 * out   buffer to hold the result of decryption (must be at least as large
 *       as the input buffer)
 * in    buffer to decrypt
 * sz    size of the input buffer
 *
 * returns 0 on success and negative error values on failure
 */
/* Software AES - OFB Decrypt */
int wc_AesOfbDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
    int ret;

    /* the generic feedback decrypt routine is run in OFB mode */
    ret = wc_AesFeedbackDecrypt(aes, out, in, sz, AES_OFB_MODE);

    return ret;
}
wolfSSL 16:8e0d178b1d1e 8097 #endif /* HAVE_AES_DECRYPT */
wolfSSL 16:8e0d178b1d1e 8098 #endif /* WOLFSSL_AES_OFB */
wolfSSL 16:8e0d178b1d1e 8099
wolfSSL 15:117db924cf7c 8100
wolfSSL 15:117db924cf7c 8101 #ifdef HAVE_AES_KEYWRAP
wolfSSL 15:117db924cf7c 8102
/* Store value, most significant byte first, in the sizeof(word32) bytes that
 * follow the first sizeof(word32) bytes of inOutCtr. The leading bytes of the
 * counter are not written here.
 */
static WC_INLINE void InitKeyWrapCounter(byte* inOutCtr, word32 value)
{
    byte*  low = inOutCtr + sizeof(word32);
    word32 idx;

    for (idx = 0; idx < (word32)sizeof(word32); idx++) {
        /* idx 0 takes the top byte of value, the last idx the bottom byte */
        word32 shift = ((word32)sizeof(word32) - 1 - idx) * 8;

        low[idx] = (byte)((value >> shift) & 0xFF);
    }
}
wolfSSL 15:117db924cf7c 8115
/* Add one to the KEYWRAP_BLOCK_SIZE byte counter, which is kept in network
 * byte order (last byte is least significant).
 */
static WC_INLINE void IncrementKeyWrapCounter(byte* inOutCtr)
{
    int pos = KEYWRAP_BLOCK_SIZE - 1;

    /* walk back from the last byte; stop as soon as a byte does not wrap */
    while (pos >= 0) {
        inOutCtr[pos]++;
        if (inOutCtr[pos] != 0) {
            break;
        }
        pos--;
    }
}
wolfSSL 15:117db924cf7c 8127
/* Subtract one from the KEYWRAP_BLOCK_SIZE byte counter, working from the last
 * byte towards the first.
 */
static WC_INLINE void DecrementKeyWrapCounter(byte* inOutCtr)
{
    int pos = KEYWRAP_BLOCK_SIZE - 1;

    /* a byte that becomes 0xFF borrowed from the next byte up, so continue */
    while (pos >= 0) {
        inOutCtr[pos]--;
        if (inOutCtr[pos] != 0xFF) {
            break;
        }
        pos--;
    }
}
wolfSSL 15:117db924cf7c 8138
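/* Perform AES key wrap (RFC 3394).
 *
 * key    key-encryption key
 * keySz  size of key in bytes
 * in     key data to wrap; at least two 64-bit blocks and a multiple of
 *        KEYWRAP_BLOCK_SIZE bytes
 * inSz   size of in, in bytes
 * out    buffer for the wrapped data; must not overlap in, because the input
 *        is copied into it with XMEMCPY
 * outSz  size of out in bytes, at least inSz + KEYWRAP_BLOCK_SIZE
 * iv     optional KEYWRAP_BLOCK_SIZE byte initial value; NULL selects the
 *        default of 0xA6 repeated
 *
 * returns the number of bytes written to out on success, negative on error
 */
int wc_AesKeyWrap(const byte* key, word32 keySz, const byte* in, word32 inSz,
                  byte* out, word32 outSz, const byte* iv)
{
    Aes aes;
    byte* r;
    word32 i;
    int ret, j;

    byte t[KEYWRAP_BLOCK_SIZE];
    byte tmp[AES_BLOCK_SIZE];

    if (key == NULL || in == NULL || out == NULL)
        return BAD_FUNC_ARG;

    /* n must be at least 2 64-bit blocks and the input a whole number of
     * them; the old test compared the byte count against 2 and so let a
     * single block through */
    if (inSz < 2 * KEYWRAP_BLOCK_SIZE || inSz % KEYWRAP_BLOCK_SIZE != 0)
        return BAD_FUNC_ARG;

    /* the byte count is returned as an int, so it has to fit in one */
    if (inSz > (word32)0x7FFFFFFF - KEYWRAP_BLOCK_SIZE)
        return BAD_FUNC_ARG;

    /* output size is n + 1 blocks; subtract on the outSz side so a large
     * inSz cannot wrap the sum and slip past the bounds check */
    if (outSz < KEYWRAP_BLOCK_SIZE || (outSz - KEYWRAP_BLOCK_SIZE) < inSz)
        return BAD_FUNC_ARG;

    /* user IV is optional */
    if (iv == NULL) {
        XMEMSET(tmp, 0xA6, KEYWRAP_BLOCK_SIZE);
    } else {
        XMEMCPY(tmp, iv, KEYWRAP_BLOCK_SIZE);
    }

    /* R[1..n] live in out just after the slot reserved for C[0] */
    r = out + KEYWRAP_BLOCK_SIZE;
    XMEMCPY(r, in, inSz);
    XMEMSET(t, 0, sizeof(t));

    ret = wc_AesInit(&aes, NULL, INVALID_DEVID);
    if (ret != 0)
        return ret;

    ret = wc_AesSetKey(&aes, key, keySz, NULL, AES_ENCRYPTION);
    if (ret != 0) {
        /* release the context initialized above before bailing out */
        wc_AesFree(&aes);
        return ret;
    }

    for (j = 0; j <= 5; j++) {
        for (i = 1; i <= inSz / KEYWRAP_BLOCK_SIZE; i++) {

            /* load R[i] */
            XMEMCPY(tmp + KEYWRAP_BLOCK_SIZE, r, KEYWRAP_BLOCK_SIZE);

            wc_AesEncryptDirect(&aes, tmp, tmp);

            /* calculate new A */
            IncrementKeyWrapCounter(t);
            xorbuf(tmp, t, KEYWRAP_BLOCK_SIZE);

            /* save R[i] */
            XMEMCPY(r, tmp + KEYWRAP_BLOCK_SIZE, KEYWRAP_BLOCK_SIZE);
            r += KEYWRAP_BLOCK_SIZE;
        }
        r = out + KEYWRAP_BLOCK_SIZE;
    }

    /* C[0] = A */
    XMEMCPY(out, tmp, KEYWRAP_BLOCK_SIZE);

    wc_AesFree(&aes);

    return inSz + KEYWRAP_BLOCK_SIZE;
}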
wolfSSL 15:117db924cf7c 8205
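/* Perform AES key unwrap (inverse of wc_AesKeyWrap).
 *
 * key    key-encryption key
 * keySz  size of key in bytes
 * in     wrapped data: the integrity block followed by at least two 64-bit
 *        blocks, a multiple of KEYWRAP_BLOCK_SIZE bytes in total
 * inSz   size of in, in bytes
 * out    buffer for the unwrapped key data; must not overlap in, because the
 *        input is copied into it with XMEMCPY
 * outSz  size of out in bytes, at least inSz - KEYWRAP_BLOCK_SIZE
 * iv     optional KEYWRAP_BLOCK_SIZE byte initial value the result is checked
 *        against; NULL selects the default of 0xA6 repeated
 *
 * On BAD_KEYWRAP_IV_E the out buffer has already been overwritten with the
 * unverified result; callers must discard it.
 *
 * returns the number of bytes written to out on success, negative on error
 */
int wc_AesKeyUnWrap(const byte* key, word32 keySz, const byte* in, word32 inSz,
                    byte* out, word32 outSz, const byte* iv)
{
    Aes aes;
    byte* r;
    word32 i, n;
    int ret, j;

    byte t[KEYWRAP_BLOCK_SIZE];
    byte tmp[AES_BLOCK_SIZE];

    const byte* expIv;
    const byte defaultIV[] = {
        0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6
    };

    if (key == NULL || in == NULL || out == NULL)
        return BAD_FUNC_ARG;

    /* need A plus at least two 64-bit blocks, in whole blocks; the old test
     * compared the byte count against 3, so a lone 8-byte input got through
     * with n == 0 and only the IV comparison was performed */
    if (inSz < 3 * KEYWRAP_BLOCK_SIZE || inSz % KEYWRAP_BLOCK_SIZE != 0)
        return BAD_FUNC_ARG;

    /* the byte count is returned as an int, so it has to fit in one */
    if ((inSz - KEYWRAP_BLOCK_SIZE) > (word32)0x7FFFFFFF)
        return BAD_FUNC_ARG;

    if (outSz < (inSz - KEYWRAP_BLOCK_SIZE))
        return BAD_FUNC_ARG;

    /* user IV optional */
    if (iv != NULL) {
        expIv = iv;
    } else {
        expIv = defaultIV;
    }

    /* A = C[0], R[i] = C[i] */
    XMEMCPY(tmp, in, KEYWRAP_BLOCK_SIZE);
    XMEMCPY(out, in + KEYWRAP_BLOCK_SIZE, inSz - KEYWRAP_BLOCK_SIZE);
    XMEMSET(t, 0, sizeof(t));

    ret = wc_AesInit(&aes, NULL, INVALID_DEVID);
    if (ret != 0)
        return ret;

    ret = wc_AesSetKey(&aes, key, keySz, NULL, AES_DECRYPTION);
    if (ret != 0) {
        /* release the context initialized above before bailing out */
        wc_AesFree(&aes);
        return ret;
    }

    /* initialize counter to 6n, n being the number of data blocks */
    n = (inSz / KEYWRAP_BLOCK_SIZE) - 1;
    InitKeyWrapCounter(t, 6 * n);

    for (j = 5; j >= 0; j--) {
        for (i = n; i >= 1; i--) {

            /* calculate A */
            xorbuf(tmp, t, KEYWRAP_BLOCK_SIZE);
            DecrementKeyWrapCounter(t);

            /* load R[i], starting at end of R */
            r = out + ((i - 1) * KEYWRAP_BLOCK_SIZE);
            XMEMCPY(tmp + KEYWRAP_BLOCK_SIZE, r, KEYWRAP_BLOCK_SIZE);
            wc_AesDecryptDirect(&aes, tmp, tmp);

            /* save R[i] */
            XMEMCPY(r, tmp + KEYWRAP_BLOCK_SIZE, KEYWRAP_BLOCK_SIZE);
        }
    }

    wc_AesFree(&aes);

    /* verify IV: this comparison is the only integrity check on the result.
     * NOTE(review): XMEMCMP is not guaranteed to run in constant time;
     * consider a constant-time compare here. tmp also still holds an
     * unwrapped block on return and is not cleared. */
    if (XMEMCMP(tmp, expIv, KEYWRAP_BLOCK_SIZE) != 0)
        return BAD_KEYWRAP_IV_E;

    return inSz - KEYWRAP_BLOCK_SIZE;
}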
wolfSSL 15:117db924cf7c 8281
wolfSSL 15:117db924cf7c 8282 #endif /* HAVE_AES_KEYWRAP */
wolfSSL 15:117db924cf7c 8283
wolfSSL 15:117db924cf7c 8284 #ifdef WOLFSSL_AES_XTS
wolfSSL 15:117db924cf7c 8285
wolfSSL 15:117db924cf7c 8286 /* Galois field reduction constant used for the XTS tweak update */
wolfSSL 15:117db924cf7c 8287 #define GF_XTS 0x87
wolfSSL 15:117db924cf7c 8288
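/* This is to help with setting keys to correct encrypt or decrypt type.
 *
 * aes   XTS context; aes->aes receives the data key and aes->tweak the
 *       tweak key
 * key   buffer holding aes key | tweak key
 * len   length of key buffer in bytes. Must be exactly twice the key size,
 *       i.e. 32 for a 16 byte key or 64 for a 32 byte key.
 * dir   direction, either AES_ENCRYPTION or AES_DECRYPTION
 * heap  heap hint to use for memory. Can be NULL
 * devId id to use with async crypto. Can be 0
 *
 * Note: on success it is up to the user to call wc_AesFree on tweak and aes
 *       key (or wc_AesXtsFree) when done. On failure every context that was
 *       initialized here has already been released.
 *
 * return 0 on success
 */
int wc_AesXtsSetKey(XtsAes* aes, const byte* key, word32 len, int dir,
        void* heap, int devId)
{
    word32 keySz;
    int    ret = 0;

    if (aes == NULL || key == NULL) {
        return BAD_FUNC_ARG;
    }

    if ((ret = wc_AesInit(&aes->tweak, heap, devId)) != 0) {
        return ret;
    }
    if ((ret = wc_AesInit(&aes->aes, heap, devId)) != 0) {
        /* do not leave the tweak context behind when the second init fails */
        wc_AesFree(&aes->tweak);
        return ret;
    }

    /* an odd len would silently drop the trailing byte of the key buffer */
    keySz = len / 2;
    if ((len % 2) != 0 || (keySz != 16 && keySz != 32)) {
        WOLFSSL_MSG("Unsupported key size");
        ret = WC_KEY_SIZE_E;
    }

    /* NOTE(review): the two key halves are not compared here. Guidance for
     * XTS expects the data key and the tweak key to differ; consider
     * rejecting identical halves. */
    if (ret == 0) {
        ret = wc_AesSetKey(&aes->aes, key, keySz, NULL, dir);
    }
    if (ret == 0) {
        /* the tweak is always encrypted, whatever the data direction is */
        ret = wc_AesSetKey(&aes->tweak, key + keySz, keySz, NULL,
                AES_ENCRYPTION);
    }

    if (ret != 0) {
        wc_AesFree(&aes->aes);
        wc_AesFree(&aes->tweak);
    }

    return ret;
}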
wolfSSL 15:117db924cf7c 8337
wolfSSL 15:117db924cf7c 8338
/* Release the resources held by both Aes structs of an XTS context.
 *
 * aes   AES keys to free; NULL is accepted and ignored
 *
 * return 0 on success (this function has no failure path)
 */
int wc_AesXtsFree(XtsAes* aes)
{
    if (aes == NULL) {
        return 0;
    }

    wc_AesFree(&aes->aes);
    wc_AesFree(&aes->tweak);

    return 0;
}
wolfSSL 15:117db924cf7c 8354
wolfSSL 15:117db924cf7c 8355
/* Same process as wc_AesXtsEncrypt but takes the tweak as a word64 sector
 * number instead of a byte array. The sector number is placed in the first
 * sizeof(word64) bytes of a zeroed AES_BLOCK_SIZE buffer (byte-reversed first
 * when BIG_ENDIAN_ORDER is defined) and handed to wc_AesXtsEncrypt.
 *
 * aes    AES keys to use for block encrypt/decrypt
 * out    output buffer to hold cipher text
 * in     input plain text buffer to encrypt
 * sz     size of both out and in buffers
 * sector value to use for tweak
 *
 * returns 0 on success
 */
int wc_AesXtsEncryptSector(XtsAes* aes, byte* out, const byte* in,
        word32 sz, word64 sector)
{
    byte   tweakBuf[AES_BLOCK_SIZE];
    word64 tweakVal = sector;

#ifdef BIG_ENDIAN_ORDER
    tweakVal = ByteReverseWord64(tweakVal);
#endif

    /* upper half of the tweak block stays zero */
    XMEMSET(tweakBuf, 0, AES_BLOCK_SIZE);
    XMEMCPY(tweakBuf, (byte*)&tweakVal, sizeof(word64));

    return wc_AesXtsEncrypt(aes, out, in, sz, (const byte*)tweakBuf,
            AES_BLOCK_SIZE);
}
wolfSSL 15:117db924cf7c 8383
wolfSSL 15:117db924cf7c 8384
/* Same process as wc_AesXtsDecrypt but takes the tweak as a word64 sector
 * number instead of a byte array. The sector number is placed in the first
 * sizeof(word64) bytes of a zeroed AES_BLOCK_SIZE buffer (byte-reversed first
 * when BIG_ENDIAN_ORDER is defined) and handed to wc_AesXtsDecrypt.
 *
 * aes    AES keys to use for block encrypt/decrypt
 * out    output buffer to hold plain text
 * in     input cipher text buffer to decrypt
 * sz     size of both out and in buffers
 * sector value to use for tweak
 *
 * returns 0 on success
 */
int wc_AesXtsDecryptSector(XtsAes* aes, byte* out, const byte* in, word32 sz,
        word64 sector)
{
    byte   tweakBuf[AES_BLOCK_SIZE];
    word64 tweakVal = sector;

#ifdef BIG_ENDIAN_ORDER
    tweakVal = ByteReverseWord64(tweakVal);
#endif

    /* upper half of the tweak block stays zero */
    XMEMSET(tweakBuf, 0, AES_BLOCK_SIZE);
    XMEMCPY(tweakBuf, (byte*)&tweakVal, sizeof(word64));

    return wc_AesXtsDecrypt(aes, out, in, sz, (const byte*)tweakBuf,
            AES_BLOCK_SIZE);
}
wolfSSL 15:117db924cf7c 8411
wolfSSL 15:117db924cf7c 8412 #ifdef HAVE_AES_ECB
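/* Helper for encrypting / decrypting the full blocks of a buffer at once.
 *
 * On entry the first AES_BLOCK_SIZE bytes of out must hold the tweak for the
 * first block. The tweak for each following block is derived from the one
 * before it and written into out, out is then XORed with in and run through
 * ECB in place. The second XOR with the tweak is left to the caller.
 *
 * aes  AES key to use for the block operation
 * out  output buffer of at least sz bytes, must not be the same buffer as in
 * in   input buffer
 * sz   size of the buffers in bytes, at least AES_BLOCK_SIZE
 * dir  AES_ENCRYPTION selects ECB encrypt, anything else ECB decrypt
 *
 * returns 0 on success, BAD_FUNC_ARG when sz is below one block
 */
static int _AesXtsHelper(Aes* aes, byte* out, const byte* in, word32 sz, int dir)
{
    word32 outSz;
    word32 totalSz = (sz / AES_BLOCK_SIZE) * AES_BLOCK_SIZE; /* total bytes */
    byte*  pt = out;

    /* sz - AES_BLOCK_SIZE below would wrap around for a short buffer and the
     * tweak loop would then write far past the end of out */
    if (sz < AES_BLOCK_SIZE) {
        return BAD_FUNC_ARG;
    }

    outSz = sz - AES_BLOCK_SIZE;

    while (outSz > 0) {
        word32 j;
        byte carry = 0;

        /* multiply by shift left and propagate carry */
        for (j = 0; j < AES_BLOCK_SIZE && outSz > 0; j++, outSz--) {
            byte tmpC;

            tmpC = (pt[j] >> 7) & 0x01;
            pt[j+AES_BLOCK_SIZE] = ((pt[j] << 1) + carry) & 0xFF;
            carry = tmpC;
        }
        if (carry) {
            pt[AES_BLOCK_SIZE] ^= GF_XTS;
        }

        pt += AES_BLOCK_SIZE;
    }

    /* only the whole blocks are processed; a trailing partial block is
     * handled by the caller's stealing step */
    xorbuf(out, in, totalSz);
    if (dir == AES_ENCRYPTION) {
        return wc_AesEcbEncrypt(aes, out, out, totalSz);
    }
    else {
        return wc_AesEcbDecrypt(aes, out, out, totalSz);
    }
}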
wolfSSL 15:117db924cf7c 8449 #endif /* HAVE_AES_ECB */
wolfSSL 15:117db924cf7c 8450
wolfSSL 15:117db924cf7c 8451
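/* AES with XTS mode. (XTS) XEX encryption with Tweak and cipher text Stealing.
 *
 * xaes  AES keys to use for block encrypt/decrypt
 * out   output buffer to hold cipher text
 * in    input plain text buffer to encrypt; may be the same buffer as out,
 *       a partial overlap is not handled
 * sz    size of both out and in buffers, at least AES_BLOCK_SIZE
 * i     value to use for tweak, must not be NULL
 * iSz   size of i buffer, should always be AES_BLOCK_SIZE but having this input
 *       adds a sanity check on how the user calls the function.
 *
 * returns 0 on success, BAD_FUNC_ARG on a NULL argument, a short tweak or an
 * input below one block
 */
/* Software AES - XTS Encrypt */
int wc_AesXtsEncrypt(XtsAes* xaes, byte* out, const byte* in, word32 sz,
        const byte* i, word32 iSz)
{
    int ret = 0;
    word32 blocks = (sz / AES_BLOCK_SIZE);
    Aes *aes, *tweak;

    /* i is read by the tweak encryption below, so it is checked as well */
    if (xaes == NULL || out == NULL || in == NULL || i == NULL) {
        return BAD_FUNC_ARG;
    }

    aes   = &xaes->aes;
    tweak = &xaes->tweak;

    if (iSz < AES_BLOCK_SIZE) {
        return BAD_FUNC_ARG;
    }

    if (blocks > 0) {
        byte tmp[AES_BLOCK_SIZE];

        XMEMSET(tmp, 0, AES_BLOCK_SIZE); /* set to 0's in case of improper AES
                                          * key setup passed to encrypt direct*/

        /* tmp becomes the tweak for the first block */
        wc_AesEncryptDirect(tweak, tmp, i);

#ifdef HAVE_AES_ECB
        /* encrypt all of buffer at once when possible */
        if (in != out) { /* can not handle inline */
            XMEMCPY(out, tmp, AES_BLOCK_SIZE);
            if ((ret = _AesXtsHelper(aes, out, in, sz, AES_ENCRYPTION)) != 0) {
                return ret;
            }
        }
#endif

        while (blocks > 0) {
            word32 j;
            byte carry = 0;
            byte buf[AES_BLOCK_SIZE];

#ifdef HAVE_AES_ECB
            if (in == out) { /* check for if inline */
#endif
            XMEMCPY(buf, in, AES_BLOCK_SIZE);
            xorbuf(buf, tmp, AES_BLOCK_SIZE);
            wc_AesEncryptDirect(aes, out, buf);
#ifdef HAVE_AES_ECB
            }
#endif
            xorbuf(out, tmp, AES_BLOCK_SIZE);

            /* multiply by shift left and propagate carry */
            for (j = 0; j < AES_BLOCK_SIZE; j++) {
                byte tmpC;

                tmpC   = (tmp[j] >> 7) & 0x01;
                tmp[j] = ((tmp[j] << 1) + carry) & 0xFF;
                carry  = tmpC;
            }
            if (carry) {
                tmp[0] ^= GF_XTS;
            }

            in  += AES_BLOCK_SIZE;
            out += AES_BLOCK_SIZE;
            sz  -= AES_BLOCK_SIZE;
            blocks--;
        }

        /* stealing operation of XTS to handle left overs */
        if (sz > 0) {
            byte buf[AES_BLOCK_SIZE];
            byte tail[AES_BLOCK_SIZE];

            if (sz >= AES_BLOCK_SIZE) { /* extra sanity check before copy */
                return BUFFER_E;
            }

            /* buf starts out as the cipher text of the last full block */
            XMEMCPY(buf, out - AES_BLOCK_SIZE, AES_BLOCK_SIZE);

            /* Save the plain text tail before out is written. When in and
             * out are the same buffer, writing the stolen cipher text first
             * would overwrite the tail that still has to be encrypted. */
            XMEMCPY(tail, in, sz);
            XMEMCPY(out, buf, sz);
            XMEMCPY(buf, tail, sz);

            xorbuf(buf, tmp, AES_BLOCK_SIZE);
            wc_AesEncryptDirect(aes, out - AES_BLOCK_SIZE, buf);
            xorbuf(out - AES_BLOCK_SIZE, tmp, AES_BLOCK_SIZE);
        }
    }
    else {
        WOLFSSL_MSG("Plain text input too small for encryption");
        return BAD_FUNC_ARG;
    }

    return ret;
}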
wolfSSL 15:117db924cf7c 8558
wolfSSL 15:117db924cf7c 8559
wolfSSL 15:117db924cf7c 8560 /* Same process as encryption but Aes key is AES_DECRYPTION type.
wolfSSL 15:117db924cf7c 8561 *
wolfSSL 15:117db924cf7c 8562 * xaes AES keys to use for block encrypt/decrypt
wolfSSL 15:117db924cf7c 8563 * out output buffer to hold plain text
wolfSSL 15:117db924cf7c 8564 * in input cipher text buffer to decrypt
wolfSSL 15:117db924cf7c 8565 * sz size of both out and in buffers
wolfSSL 15:117db924cf7c 8566 * i value to use for tweak
wolfSSL 15:117db924cf7c 8567 * iSz size of i buffer, should always be AES_BLOCK_SIZE but having this input
wolfSSL 15:117db924cf7c 8568 * adds a sanity check on how the user calls the function.
wolfSSL 15:117db924cf7c 8569 *
wolfSSL 15:117db924cf7c 8570 * returns 0 on success
wolfSSL 15:117db924cf7c 8571 */
wolfSSL 16:8e0d178b1d1e 8572 /* Software AES - XTS Decrypt */
wolfSSL 15:117db924cf7c 8573 int wc_AesXtsDecrypt(XtsAes* xaes, byte* out, const byte* in, word32 sz,
wolfSSL 15:117db924cf7c 8574 const byte* i, word32 iSz)
wolfSSL 15:117db924cf7c 8575 {
wolfSSL 15:117db924cf7c 8576 int ret = 0;
wolfSSL 15:117db924cf7c 8577 word32 blocks = (sz / AES_BLOCK_SIZE);
wolfSSL 15:117db924cf7c 8578 Aes *aes, *tweak;
wolfSSL 15:117db924cf7c 8579
wolfSSL 15:117db924cf7c 8580 if (xaes == NULL || out == NULL || in == NULL) {
wolfSSL 15:117db924cf7c 8581 return BAD_FUNC_ARG;
wolfSSL 15:117db924cf7c 8582 }
wolfSSL 15:117db924cf7c 8583
wolfSSL 15:117db924cf7c 8584 aes = &xaes->aes;
wolfSSL 15:117db924cf7c 8585 tweak = &xaes->tweak;
wolfSSL 15:117db924cf7c 8586
wolfSSL 15:117db924cf7c 8587 if (iSz < AES_BLOCK_SIZE) {
wolfSSL 15:117db924cf7c 8588 return BAD_FUNC_ARG;
wolfSSL 15:117db924cf7c 8589 }
wolfSSL 15:117db924cf7c 8590
wolfSSL 15:117db924cf7c 8591 if (blocks > 0) {
wolfSSL 15:117db924cf7c 8592 word32 j;
wolfSSL 15:117db924cf7c 8593 byte carry = 0;
wolfSSL 15:117db924cf7c 8594 byte tmp[AES_BLOCK_SIZE];
wolfSSL 15:117db924cf7c 8595 byte stl = (sz % AES_BLOCK_SIZE);
wolfSSL 15:117db924cf7c 8596
wolfSSL 15:117db924cf7c 8597 XMEMSET(tmp, 0, AES_BLOCK_SIZE); /* set to 0's in case of improper AES
wolfSSL 15:117db924cf7c 8598 * key setup passed to decrypt direct*/
wolfSSL 15:117db924cf7c 8599
wolfSSL 15:117db924cf7c 8600 wc_AesEncryptDirect(tweak, tmp, i);
wolfSSL 15:117db924cf7c 8601
wolfSSL 15:117db924cf7c 8602 /* if Stealing then break out of loop one block early to handle special
wolfSSL 15:117db924cf7c 8603 * case */
wolfSSL 15:117db924cf7c 8604 if (stl > 0) {
wolfSSL 15:117db924cf7c 8605 blocks--;
wolfSSL 15:117db924cf7c 8606 }
wolfSSL 15:117db924cf7c 8607
wolfSSL 15:117db924cf7c 8608 #ifdef HAVE_AES_ECB
wolfSSL 15:117db924cf7c 8609 /* decrypt all of buffer at once when possible */
wolfSSL 15:117db924cf7c 8610 if (in != out) { /* can not handle inline */
wolfSSL 15:117db924cf7c 8611 XMEMCPY(out, tmp, AES_BLOCK_SIZE);
wolfSSL 15:117db924cf7c 8612 if ((ret = _AesXtsHelper(aes, out, in, sz, AES_DECRYPTION)) != 0) {
wolfSSL 15:117db924cf7c 8613 return ret;
wolfSSL 15:117db924cf7c 8614 }
wolfSSL 15:117db924cf7c 8615 }
wolfSSL 15:117db924cf7c 8616 #endif
wolfSSL 15:117db924cf7c 8617
wolfSSL 15:117db924cf7c 8618 while (blocks > 0) {
wolfSSL 15:117db924cf7c 8619 byte buf[AES_BLOCK_SIZE];
wolfSSL 15:117db924cf7c 8620
wolfSSL 15:117db924cf7c 8621 #ifdef HAVE_AES_ECB
wolfSSL 15:117db924cf7c 8622 if (in == out) { /* check for if inline */
wolfSSL 15:117db924cf7c 8623 #endif
wolfSSL 15:117db924cf7c 8624 XMEMCPY(buf, in, AES_BLOCK_SIZE);
wolfSSL 15:117db924cf7c 8625 xorbuf(buf, tmp, AES_BLOCK_SIZE);
wolfSSL 15:117db924cf7c 8626 wc_AesDecryptDirect(aes, out, buf);
wolfSSL 15:117db924cf7c 8627 #ifdef HAVE_AES_ECB
wolfSSL 15:117db924cf7c 8628 }
wolfSSL 15:117db924cf7c 8629 #endif
wolfSSL 15:117db924cf7c 8630 xorbuf(out, tmp, AES_BLOCK_SIZE);
wolfSSL 15:117db924cf7c 8631
wolfSSL 16:8e0d178b1d1e 8632 /* multiply by shift left and propagate carry */
wolfSSL 15:117db924cf7c 8633 for (j = 0; j < AES_BLOCK_SIZE; j++) {
wolfSSL 15:117db924cf7c 8634 byte tmpC;
wolfSSL 15:117db924cf7c 8635
wolfSSL 15:117db924cf7c 8636 tmpC = (tmp[j] >> 7) & 0x01;
wolfSSL 15:117db924cf7c 8637 tmp[j] = ((tmp[j] << 1) + carry) & 0xFF;
wolfSSL 15:117db924cf7c 8638 carry = tmpC;
wolfSSL 15:117db924cf7c 8639 }
wolfSSL 15:117db924cf7c 8640 if (carry) {
wolfSSL 15:117db924cf7c 8641 tmp[0] ^= GF_XTS;
wolfSSL 15:117db924cf7c 8642 }
wolfSSL 15:117db924cf7c 8643 carry = 0;
wolfSSL 15:117db924cf7c 8644
wolfSSL 15:117db924cf7c 8645 in += AES_BLOCK_SIZE;
wolfSSL 15:117db924cf7c 8646 out += AES_BLOCK_SIZE;
wolfSSL 15:117db924cf7c 8647 sz -= AES_BLOCK_SIZE;
wolfSSL 15:117db924cf7c 8648 blocks--;
wolfSSL 15:117db924cf7c 8649 }
wolfSSL 15:117db924cf7c 8650
wolfSSL 15:117db924cf7c 8651 /* stealing operation of XTS to handle left overs */
wolfSSL 15:117db924cf7c 8652 if (sz > 0) {
wolfSSL 15:117db924cf7c 8653 byte buf[AES_BLOCK_SIZE];
wolfSSL 15:117db924cf7c 8654 byte tmp2[AES_BLOCK_SIZE];
wolfSSL 15:117db924cf7c 8655
wolfSSL 16:8e0d178b1d1e 8656 /* multiply by shift left and propagate carry */
wolfSSL 15:117db924cf7c 8657 for (j = 0; j < AES_BLOCK_SIZE; j++) {
wolfSSL 15:117db924cf7c 8658 byte tmpC;
wolfSSL 15:117db924cf7c 8659
wolfSSL 15:117db924cf7c 8660 tmpC = (tmp[j] >> 7) & 0x01;
wolfSSL 15:117db924cf7c 8661 tmp2[j] = ((tmp[j] << 1) + carry) & 0xFF;
wolfSSL 15:117db924cf7c 8662 carry = tmpC;
wolfSSL 15:117db924cf7c 8663 }
wolfSSL 15:117db924cf7c 8664 if (carry) {
wolfSSL 15:117db924cf7c 8665 tmp2[0] ^= GF_XTS;
wolfSSL 15:117db924cf7c 8666 }
wolfSSL 15:117db924cf7c 8667
wolfSSL 15:117db924cf7c 8668 XMEMCPY(buf, in, AES_BLOCK_SIZE);
wolfSSL 15:117db924cf7c 8669 xorbuf(buf, tmp2, AES_BLOCK_SIZE);
wolfSSL 15:117db924cf7c 8670 wc_AesDecryptDirect(aes, out, buf);
wolfSSL 15:117db924cf7c 8671 xorbuf(out, tmp2, AES_BLOCK_SIZE);
wolfSSL 15:117db924cf7c 8672
wolfSSL 15:117db924cf7c 8673 /* tmp2 holds partial | last */
wolfSSL 15:117db924cf7c 8674 XMEMCPY(tmp2, out, AES_BLOCK_SIZE);
wolfSSL 15:117db924cf7c 8675 in += AES_BLOCK_SIZE;
wolfSSL 15:117db924cf7c 8676 out += AES_BLOCK_SIZE;
wolfSSL 15:117db924cf7c 8677 sz -= AES_BLOCK_SIZE;
wolfSSL 15:117db924cf7c 8678
wolfSSL 15:117db924cf7c 8679 /* Make buffer with end of cipher text | last */
wolfSSL 15:117db924cf7c 8680 XMEMCPY(buf, tmp2, AES_BLOCK_SIZE);
wolfSSL 15:117db924cf7c 8681 if (sz >= AES_BLOCK_SIZE) { /* extra sanity check before copy */
wolfSSL 15:117db924cf7c 8682 return BUFFER_E;
wolfSSL 15:117db924cf7c 8683 }
wolfSSL 15:117db924cf7c 8684 XMEMCPY(buf, in, sz);
wolfSSL 15:117db924cf7c 8685 XMEMCPY(out, tmp2, sz);
wolfSSL 15:117db924cf7c 8686
wolfSSL 15:117db924cf7c 8687 xorbuf(buf, tmp, AES_BLOCK_SIZE);
wolfSSL 15:117db924cf7c 8688 wc_AesDecryptDirect(aes, tmp2, buf);
wolfSSL 15:117db924cf7c 8689 xorbuf(tmp2, tmp, AES_BLOCK_SIZE);
wolfSSL 15:117db924cf7c 8690 XMEMCPY(out - AES_BLOCK_SIZE, tmp2, AES_BLOCK_SIZE);
wolfSSL 15:117db924cf7c 8691 }
wolfSSL 15:117db924cf7c 8692 }
wolfSSL 15:117db924cf7c 8693 else {
wolfSSL 15:117db924cf7c 8694 WOLFSSL_MSG("Plain text input too small for encryption");
wolfSSL 15:117db924cf7c 8695 return BAD_FUNC_ARG;
wolfSSL 15:117db924cf7c 8696 }
wolfSSL 15:117db924cf7c 8697
wolfSSL 15:117db924cf7c 8698 return ret;
wolfSSL 15:117db924cf7c 8699 }
wolfSSL 15:117db924cf7c 8700
wolfSSL 15:117db924cf7c 8701 #endif /* WOLFSSL_AES_XTS */
wolfSSL 15:117db924cf7c 8702
wolfSSL 15:117db924cf7c 8703 #endif /* HAVE_FIPS */
wolfSSL 15:117db924cf7c 8704 #endif /* !NO_AES */
wolfSSL 15:117db924cf7c 8705