Botan  2.1.0
Crypto and TLS for C++11
aes.cpp
Go to the documentation of this file.
1 /*
2 * AES
3 * (C) 1999-2010,2015 Jack Lloyd
4 *
5 * Based on the public domain reference implementation by Paulo Baretto
6 *
7 * Botan is released under the Simplified BSD License (see license.txt)
8 */
9 
10 #include <botan/aes.h>
11 #include <botan/loadstor.h>
12 #include <botan/cpuid.h>
13 #include <botan/internal/bit_ops.h>
14 
15 /*
16 * This implementation is based on table lookups which are known to be
17 * vulnerable to timing and cache based side channel attacks. Some
18 * countermeasures are used which may be helpful in some situations:
19 *
20 * - Small tables are used in the first and last rounds.
21 *
22 * - The TE and TD tables are computed at runtime to avoid flush+reload
23 * attacks using clflush. As different processes will not share the
24 * same underlying table data, an attacker can't manipulate another
25 * processes cache lines via their shared reference to the library
26 * read only segment.
27 *
28 * - Each cache line of the lookup tables is accessed at the beginning
29 * of each call to encrypt or decrypt. (See the Z variable below)
30 *
31 * If available SSSE3 or AES-NI are used instead of this version, as both
32 * are faster and immune to side channel attacks.
33 *
34 * Some AES cache timing papers for reference:
35 *
36 * "Software mitigations to hedge AES against cache-based software side
37 * channel vulnerabilities" https://eprint.iacr.org/2006/052.pdf
38 *
39 * "Cache Games - Bringing Access-Based Cache Attacks on AES to Practice"
40 * http://www.ieee-security.org/TC/SP2011/PAPERS/2011/paper031.pdf
41 *
42 * "Cache-Collision Timing Attacks Against AES" Bonneau, Mironov
43 * http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.88.4753
44 */
45 
46 namespace Botan {
47 
48 namespace {
49 
50 const uint8_t SE[256] = {
51  0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
52  0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
53  0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
54  0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
55  0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
56  0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
57  0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
58  0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
59  0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
60  0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
61  0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
62  0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
63  0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
64  0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
65  0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
66  0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
67  0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
68  0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
69  0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
70  0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
71  0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
72  0xB0, 0x54, 0xBB, 0x16 };
73 
74 const uint8_t SD[256] = {
75  0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
76  0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
77  0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
78  0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
79  0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
80  0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
81  0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
82  0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
83  0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
84  0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
85  0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
86  0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
87  0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
88  0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
89  0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
90  0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
91  0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
92  0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
93  0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
94  0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
95  0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
96  0x55, 0x21, 0x0C, 0x7D };
97 
98 inline uint8_t xtime(uint8_t s) { return (s << 1) ^ ((s >> 7) * 0x1B); }
99 inline uint8_t xtime4(uint8_t s) { return xtime(xtime(s)); }
100 inline uint8_t xtime8(uint8_t s) { return xtime(xtime(xtime(s))); }
101 
102 inline uint8_t xtime3(uint8_t s) { return xtime(s) ^ s; }
103 inline uint8_t xtime9(uint8_t s) { return xtime8(s) ^ s; }
104 inline uint8_t xtime11(uint8_t s) { return xtime8(s) ^ xtime(s) ^ s; }
105 inline uint8_t xtime13(uint8_t s) { return xtime8(s) ^ xtime4(s) ^ s; }
106 inline uint8_t xtime14(uint8_t s) { return xtime8(s) ^ xtime4(s) ^ xtime(s); }
107 
108 const std::vector<uint32_t>& AES_TE()
109  {
110  auto compute_TE = []() -> std::vector<uint32_t> {
111  std::vector<uint32_t> TE(1024);
112  for(size_t i = 0; i != 256; ++i)
113  {
114  const uint8_t s = SE[i];
115  const uint32_t x = make_uint32(xtime(s), s, s, xtime3(s));
116 
117  TE[i] = x;
118  TE[i+256] = rotate_right(x, 8);
119  TE[i+512] = rotate_right(x, 16);
120  TE[i+768] = rotate_right(x, 24);
121  }
122  return TE;
123  };
124 
125  static const std::vector<uint32_t> TE = compute_TE();
126  return TE;
127  }
128 
129 const std::vector<uint32_t>& AES_TD()
130  {
131  auto compute_TD = []() -> std::vector<uint32_t> {
132  std::vector<uint32_t> TD(1024);
133  for(size_t i = 0; i != 256; ++i)
134  {
135  const uint8_t s = SD[i];
136  const uint32_t x = make_uint32(xtime14(s), xtime9(s), xtime13(s), xtime11(s));
137 
138  TD[i] = x;
139  TD[i+256] = rotate_right(x, 8);
140  TD[i+512] = rotate_right(x, 16);
141  TD[i+768] = rotate_right(x, 24);
142  }
143  return TD;
144  };
145  static const std::vector<uint32_t> TD = compute_TD();
146  return TD;
147  }
148 
149 /*
150 * AES Encryption
151 */
152 void aes_encrypt_n(const uint8_t in[], uint8_t out[],
153  size_t blocks,
154  const secure_vector<uint32_t>& EK,
155  const secure_vector<uint8_t>& ME)
156  {
157  BOTAN_ASSERT(EK.size() && ME.size() == 16, "Key was set");
158 
159  const size_t cache_line_size = CPUID::cache_line_size();
160 
161  const std::vector<uint32_t>& TE = AES_TE();
162 
163  // Hit every cache line of TE
164  uint32_t Z = 0;
165  for(size_t i = 0; i < TE.size(); i += cache_line_size / sizeof(uint32_t))
166  {
167  Z |= TE[i];
168  }
169  Z &= TE[82]; // this is zero, which hopefully the compiler cannot deduce
170 
171  BOTAN_PARALLEL_FOR(size_t i = 0; i < blocks; ++i)
172  {
173  uint32_t T0, T1, T2, T3;
174  load_be(in + 16*i, T0, T1, T2, T3);
175 
176  T0 ^= EK[0];
177  T1 ^= EK[1];
178  T2 ^= EK[2];
179  T3 ^= EK[3];
180 
181  T0 ^= Z;
182 
183  /* Use only the first 256 entries of the TE table and do the
184  * rotations directly in the code. This reduces the number of
185  * cache lines potentially used in the first round from 64 to 16
186  * (assuming a typical 64 byte cache line), which makes timing
187  * attacks a little harder; the first round is particularly
188  * vulnerable.
189  */
190 
191  uint32_t B0 = TE[get_byte(0, T0)] ^
192  rotate_right(TE[get_byte(1, T1)], 8) ^
193  rotate_right(TE[get_byte(2, T2)], 16) ^
194  rotate_right(TE[get_byte(3, T3)], 24) ^ EK[4];
195 
196  uint32_t B1 = TE[get_byte(0, T1)] ^
197  rotate_right(TE[get_byte(1, T2)], 8) ^
198  rotate_right(TE[get_byte(2, T3)], 16) ^
199  rotate_right(TE[get_byte(3, T0)], 24) ^ EK[5];
200 
201  uint32_t B2 = TE[get_byte(0, T2)] ^
202  rotate_right(TE[get_byte(1, T3)], 8) ^
203  rotate_right(TE[get_byte(2, T0)], 16) ^
204  rotate_right(TE[get_byte(3, T1)], 24) ^ EK[6];
205 
206  uint32_t B3 = TE[get_byte(0, T3)] ^
207  rotate_right(TE[get_byte(1, T0)], 8) ^
208  rotate_right(TE[get_byte(2, T1)], 16) ^
209  rotate_right(TE[get_byte(3, T2)], 24) ^ EK[7];
210 
211  for(size_t r = 2*4; r < EK.size(); r += 2*4)
212  {
213  T0 = EK[r ] ^ TE[get_byte(0, B0) ] ^ TE[get_byte(1, B1) + 256] ^
214  TE[get_byte(2, B2) + 512] ^ TE[get_byte(3, B3) + 768];
215  T1 = EK[r+1] ^ TE[get_byte(0, B1) ] ^ TE[get_byte(1, B2) + 256] ^
216  TE[get_byte(2, B3) + 512] ^ TE[get_byte(3, B0) + 768];
217  T2 = EK[r+2] ^ TE[get_byte(0, B2) ] ^ TE[get_byte(1, B3) + 256] ^
218  TE[get_byte(2, B0) + 512] ^ TE[get_byte(3, B1) + 768];
219  T3 = EK[r+3] ^ TE[get_byte(0, B3) ] ^ TE[get_byte(1, B0) + 256] ^
220  TE[get_byte(2, B1) + 512] ^ TE[get_byte(3, B2) + 768];
221 
222  B0 = EK[r+4] ^ TE[get_byte(0, T0) ] ^ TE[get_byte(1, T1) + 256] ^
223  TE[get_byte(2, T2) + 512] ^ TE[get_byte(3, T3) + 768];
224  B1 = EK[r+5] ^ TE[get_byte(0, T1) ] ^ TE[get_byte(1, T2) + 256] ^
225  TE[get_byte(2, T3) + 512] ^ TE[get_byte(3, T0) + 768];
226  B2 = EK[r+6] ^ TE[get_byte(0, T2) ] ^ TE[get_byte(1, T3) + 256] ^
227  TE[get_byte(2, T0) + 512] ^ TE[get_byte(3, T1) + 768];
228  B3 = EK[r+7] ^ TE[get_byte(0, T3) ] ^ TE[get_byte(1, T0) + 256] ^
229  TE[get_byte(2, T1) + 512] ^ TE[get_byte(3, T2) + 768];
230  }
231 
232  out[16*i+ 0] = SE[get_byte(0, B0)] ^ ME[0];
233  out[16*i+ 1] = SE[get_byte(1, B1)] ^ ME[1];
234  out[16*i+ 2] = SE[get_byte(2, B2)] ^ ME[2];
235  out[16*i+ 3] = SE[get_byte(3, B3)] ^ ME[3];
236  out[16*i+ 4] = SE[get_byte(0, B1)] ^ ME[4];
237  out[16*i+ 5] = SE[get_byte(1, B2)] ^ ME[5];
238  out[16*i+ 6] = SE[get_byte(2, B3)] ^ ME[6];
239  out[16*i+ 7] = SE[get_byte(3, B0)] ^ ME[7];
240  out[16*i+ 8] = SE[get_byte(0, B2)] ^ ME[8];
241  out[16*i+ 9] = SE[get_byte(1, B3)] ^ ME[9];
242  out[16*i+10] = SE[get_byte(2, B0)] ^ ME[10];
243  out[16*i+11] = SE[get_byte(3, B1)] ^ ME[11];
244  out[16*i+12] = SE[get_byte(0, B3)] ^ ME[12];
245  out[16*i+13] = SE[get_byte(1, B0)] ^ ME[13];
246  out[16*i+14] = SE[get_byte(2, B1)] ^ ME[14];
247  out[16*i+15] = SE[get_byte(3, B2)] ^ ME[15];
248  }
249  }
250 
251 /*
252 * AES Decryption
253 */
254 void aes_decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks,
255  const secure_vector<uint32_t>& DK,
256  const secure_vector<uint8_t>& MD)
257  {
258  BOTAN_ASSERT(DK.size() && MD.size() == 16, "Key was set");
259 
260  const size_t cache_line_size = CPUID::cache_line_size();
261  const std::vector<uint32_t>& TD = AES_TD();
262 
263  uint32_t Z = 0;
264  for(size_t i = 0; i < TD.size(); i += cache_line_size / sizeof(uint32_t))
265  {
266  Z |= TD[i];
267  }
268  Z &= TD[99]; // this is zero, which hopefully the compiler cannot deduce
269 
270  for(size_t i = 0; i != blocks; ++i)
271  {
272  uint32_t T0 = load_be<uint32_t>(in, 0) ^ DK[0];
273  uint32_t T1 = load_be<uint32_t>(in, 1) ^ DK[1];
274  uint32_t T2 = load_be<uint32_t>(in, 2) ^ DK[2];
275  uint32_t T3 = load_be<uint32_t>(in, 3) ^ DK[3];
276 
277  T0 ^= Z;
278 
279  uint32_t B0 = TD[get_byte(0, T0)] ^
280  rotate_right(TD[get_byte(1, T3)], 8) ^
281  rotate_right(TD[get_byte(2, T2)], 16) ^
282  rotate_right(TD[get_byte(3, T1)], 24) ^ DK[4];
283 
284  uint32_t B1 = TD[get_byte(0, T1)] ^
285  rotate_right(TD[get_byte(1, T0)], 8) ^
286  rotate_right(TD[get_byte(2, T3)], 16) ^
287  rotate_right(TD[get_byte(3, T2)], 24) ^ DK[5];
288 
289  uint32_t B2 = TD[get_byte(0, T2)] ^
290  rotate_right(TD[get_byte(1, T1)], 8) ^
291  rotate_right(TD[get_byte(2, T0)], 16) ^
292  rotate_right(TD[get_byte(3, T3)], 24) ^ DK[6];
293 
294  uint32_t B3 = TD[get_byte(0, T3)] ^
295  rotate_right(TD[get_byte(1, T2)], 8) ^
296  rotate_right(TD[get_byte(2, T1)], 16) ^
297  rotate_right(TD[get_byte(3, T0)], 24) ^ DK[7];
298 
299  for(size_t r = 2*4; r < DK.size(); r += 2*4)
300  {
301  T0 = DK[r ] ^ TD[get_byte(0, B0) ] ^ TD[get_byte(1, B3) + 256] ^
302  TD[get_byte(2, B2) + 512] ^ TD[get_byte(3, B1) + 768];
303  T1 = DK[r+1] ^ TD[get_byte(0, B1) ] ^ TD[get_byte(1, B0) + 256] ^
304  TD[get_byte(2, B3) + 512] ^ TD[get_byte(3, B2) + 768];
305  T2 = DK[r+2] ^ TD[get_byte(0, B2) ] ^ TD[get_byte(1, B1) + 256] ^
306  TD[get_byte(2, B0) + 512] ^ TD[get_byte(3, B3) + 768];
307  T3 = DK[r+3] ^ TD[get_byte(0, B3) ] ^ TD[get_byte(1, B2) + 256] ^
308  TD[get_byte(2, B1) + 512] ^ TD[get_byte(3, B0) + 768];
309 
310  B0 = DK[r+4] ^ TD[get_byte(0, T0) ] ^ TD[get_byte(1, T3) + 256] ^
311  TD[get_byte(2, T2) + 512] ^ TD[get_byte(3, T1) + 768];
312  B1 = DK[r+5] ^ TD[get_byte(0, T1) ] ^ TD[get_byte(1, T0) + 256] ^
313  TD[get_byte(2, T3) + 512] ^ TD[get_byte(3, T2) + 768];
314  B2 = DK[r+6] ^ TD[get_byte(0, T2) ] ^ TD[get_byte(1, T1) + 256] ^
315  TD[get_byte(2, T0) + 512] ^ TD[get_byte(3, T3) + 768];
316  B3 = DK[r+7] ^ TD[get_byte(0, T3) ] ^ TD[get_byte(1, T2) + 256] ^
317  TD[get_byte(2, T1) + 512] ^ TD[get_byte(3, T0) + 768];
318  }
319 
320  out[ 0] = SD[get_byte(0, B0)] ^ MD[0];
321  out[ 1] = SD[get_byte(1, B3)] ^ MD[1];
322  out[ 2] = SD[get_byte(2, B2)] ^ MD[2];
323  out[ 3] = SD[get_byte(3, B1)] ^ MD[3];
324  out[ 4] = SD[get_byte(0, B1)] ^ MD[4];
325  out[ 5] = SD[get_byte(1, B0)] ^ MD[5];
326  out[ 6] = SD[get_byte(2, B3)] ^ MD[6];
327  out[ 7] = SD[get_byte(3, B2)] ^ MD[7];
328  out[ 8] = SD[get_byte(0, B2)] ^ MD[8];
329  out[ 9] = SD[get_byte(1, B1)] ^ MD[9];
330  out[10] = SD[get_byte(2, B0)] ^ MD[10];
331  out[11] = SD[get_byte(3, B3)] ^ MD[11];
332  out[12] = SD[get_byte(0, B3)] ^ MD[12];
333  out[13] = SD[get_byte(1, B2)] ^ MD[13];
334  out[14] = SD[get_byte(2, B1)] ^ MD[14];
335  out[15] = SD[get_byte(3, B0)] ^ MD[15];
336 
337  in += 16;
338  out += 16;
339  }
340  }
341 
342 void aes_key_schedule(const uint8_t key[], size_t length,
343  secure_vector<uint32_t>& EK,
344  secure_vector<uint32_t>& DK,
345  secure_vector<uint8_t>& ME,
346  secure_vector<uint8_t>& MD)
347  {
348  static const uint32_t RC[10] = {
349  0x01000000, 0x02000000, 0x04000000, 0x08000000, 0x10000000,
350  0x20000000, 0x40000000, 0x80000000, 0x1B000000, 0x36000000 };
351 
352  const size_t rounds = (length / 4) + 6;
353 
354  secure_vector<uint32_t> XEK(length + 32), XDK(length + 32);
355 
356  const size_t X = length / 4;
357 
358  // Make clang-analyzer happy
359  BOTAN_ASSERT(X == 4 || X == 6 || X == 8, "Valid AES key size");
360 
361  for(size_t i = 0; i != X; ++i)
362  XEK[i] = load_be<uint32_t>(key, i);
363 
364  for(size_t i = X; i < 4*(rounds+1); i += X)
365  {
366  XEK[i] = XEK[i-X] ^ RC[(i-X)/X] ^
367  make_uint32(SE[get_byte(1, XEK[i-1])],
368  SE[get_byte(2, XEK[i-1])],
369  SE[get_byte(3, XEK[i-1])],
370  SE[get_byte(0, XEK[i-1])]);
371 
372  for(size_t j = 1; j != X; ++j)
373  {
374  XEK[i+j] = XEK[i+j-X];
375 
376  if(X == 8 && j == 4)
377  XEK[i+j] ^= make_uint32(SE[get_byte(0, XEK[i+j-1])],
378  SE[get_byte(1, XEK[i+j-1])],
379  SE[get_byte(2, XEK[i+j-1])],
380  SE[get_byte(3, XEK[i+j-1])]);
381  else
382  XEK[i+j] ^= XEK[i+j-1];
383  }
384  }
385 
386  const std::vector<uint32_t>& TD = AES_TD();
387 
388  for(size_t i = 0; i != 4*(rounds+1); i += 4)
389  {
390  XDK[i ] = XEK[4*rounds-i ];
391  XDK[i+1] = XEK[4*rounds-i+1];
392  XDK[i+2] = XEK[4*rounds-i+2];
393  XDK[i+3] = XEK[4*rounds-i+3];
394  }
395 
396  for(size_t i = 4; i != length + 24; ++i)
397  XDK[i] = TD[SE[get_byte(0, XDK[i])] + 0] ^
398  TD[SE[get_byte(1, XDK[i])] + 256] ^
399  TD[SE[get_byte(2, XDK[i])] + 512] ^
400  TD[SE[get_byte(3, XDK[i])] + 768];
401 
402  ME.resize(16);
403  MD.resize(16);
404 
405  for(size_t i = 0; i != 4; ++i)
406  {
407  store_be(XEK[i+4*rounds], &ME[4*i]);
408  store_be(XEK[i], &MD[4*i]);
409  }
410 
411  EK.resize(length + 24);
412  DK.resize(length + 24);
413  copy_mem(EK.data(), XEK.data(), EK.size());
414  copy_mem(DK.data(), XDK.data(), DK.size());
415  }
416 
417 const char* aes_provider()
418  {
419 #if defined(BOTAN_HAS_AES_NI)
420  if(CPUID::has_aes_ni())
421  {
422  return "aesni";
423  }
424 #endif
425 
426 #if defined(BOTAN_HAS_AES_SSSE3)
427  if(CPUID::has_ssse3())
428  {
429  return "ssse3";
430  }
431 #endif
432 
433  return "base";
434  }
435 
436 }
437 
438 std::string AES_128::provider() const { return aes_provider(); }
439 std::string AES_192::provider() const { return aes_provider(); }
440 std::string AES_256::provider() const { return aes_provider(); }
441 
442 void AES_128::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
443  {
444 #if defined(BOTAN_HAS_AES_NI)
445  if(CPUID::has_aes_ni())
446  {
447  return aesni_encrypt_n(in, out, blocks);
448  }
449 #endif
450 
451 #if defined(BOTAN_HAS_AES_SSSE3)
452  if(CPUID::has_ssse3())
453  {
454  return ssse3_encrypt_n(in, out, blocks);
455  }
456 #endif
457 
458  aes_encrypt_n(in, out, blocks, m_EK, m_ME);
459  }
460 
461 void AES_128::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
462  {
463 #if defined(BOTAN_HAS_AES_NI)
464  if(CPUID::has_aes_ni())
465  {
466  return aesni_decrypt_n(in, out, blocks);
467  }
468 #endif
469 
470 #if defined(BOTAN_HAS_AES_SSSE3)
471  if(CPUID::has_ssse3())
472  {
473  return ssse3_decrypt_n(in, out, blocks);
474  }
475 #endif
476 
477  aes_decrypt_n(in, out, blocks, m_DK, m_MD);
478  }
479 
480 void AES_128::key_schedule(const uint8_t key[], size_t length)
481  {
482 #if defined(BOTAN_HAS_AES_NI)
483  if(CPUID::has_aes_ni())
484  {
485  return aesni_key_schedule(key, length);
486  }
487 #endif
488 
489 #if defined(BOTAN_HAS_AES_SSSE3)
490  if(CPUID::has_ssse3())
491  {
492  return ssse3_key_schedule(key, length);
493  }
494 #endif
495 
496  aes_key_schedule(key, length, m_EK, m_DK, m_ME, m_MD);
497  }
498 
500  {
501  zap(m_EK);
502  zap(m_DK);
503  zap(m_ME);
504  zap(m_MD);
505  }
506 
507 void AES_192::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
508  {
509 #if defined(BOTAN_HAS_AES_NI)
510  if(CPUID::has_aes_ni())
511  {
512  return aesni_encrypt_n(in, out, blocks);
513  }
514 #endif
515 
516 #if defined(BOTAN_HAS_AES_SSSE3)
517  if(CPUID::has_ssse3())
518  {
519  return ssse3_encrypt_n(in, out, blocks);
520  }
521 #endif
522 
523  aes_encrypt_n(in, out, blocks, m_EK, m_ME);
524  }
525 
526 void AES_192::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
527  {
528 #if defined(BOTAN_HAS_AES_NI)
529  if(CPUID::has_aes_ni())
530  {
531  return aesni_decrypt_n(in, out, blocks);
532  }
533 #endif
534 
535 #if defined(BOTAN_HAS_AES_SSSE3)
536  if(CPUID::has_ssse3())
537  {
538  return ssse3_decrypt_n(in, out, blocks);
539  }
540 #endif
541 
542  aes_decrypt_n(in, out, blocks, m_DK, m_MD);
543  }
544 
545 void AES_192::key_schedule(const uint8_t key[], size_t length)
546  {
547 #if defined(BOTAN_HAS_AES_NI)
548  if(CPUID::has_aes_ni())
549  {
550  return aesni_key_schedule(key, length);
551  }
552 #endif
553 
554 #if defined(BOTAN_HAS_AES_SSSE3)
555  if(CPUID::has_ssse3())
556  {
557  return ssse3_key_schedule(key, length);
558  }
559 #endif
560 
561  aes_key_schedule(key, length, m_EK, m_DK, m_ME, m_MD);
562  }
563 
565  {
566  zap(m_EK);
567  zap(m_DK);
568  zap(m_ME);
569  zap(m_MD);
570  }
571 
572 void AES_256::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
573  {
574 #if defined(BOTAN_HAS_AES_NI)
575  if(CPUID::has_aes_ni())
576  {
577  return aesni_encrypt_n(in, out, blocks);
578  }
579 #endif
580 
581 #if defined(BOTAN_HAS_AES_SSSE3)
582  if(CPUID::has_ssse3())
583  {
584  return ssse3_encrypt_n(in, out, blocks);
585  }
586 #endif
587 
588  aes_encrypt_n(in, out, blocks, m_EK, m_ME);
589  }
590 
591 void AES_256::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
592  {
593 #if defined(BOTAN_HAS_AES_NI)
594  if(CPUID::has_aes_ni())
595  {
596  return aesni_decrypt_n(in, out, blocks);
597  }
598 #endif
599 
600 #if defined(BOTAN_HAS_AES_SSSE3)
601  if(CPUID::has_ssse3())
602  {
603  return ssse3_decrypt_n(in, out, blocks);
604  }
605 #endif
606 
607  aes_decrypt_n(in, out, blocks, m_DK, m_MD);
608  }
609 
610 void AES_256::key_schedule(const uint8_t key[], size_t length)
611  {
612 #if defined(BOTAN_HAS_AES_NI)
613  if(CPUID::has_aes_ni())
614  {
615  return aesni_key_schedule(key, length);
616  }
617 #endif
618 
619 #if defined(BOTAN_HAS_AES_SSSE3)
620  if(CPUID::has_ssse3())
621  {
622  return ssse3_key_schedule(key, length);
623  }
624 #endif
625 
626  aes_key_schedule(key, length, m_EK, m_DK, m_ME, m_MD);
627  }
628 
630  {
631  zap(m_EK);
632  zap(m_DK);
633  zap(m_ME);
634  zap(m_MD);
635  }
636 
637 }
void encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition: aes.cpp:442
void zap(std::vector< T, Alloc > &vec)
Definition: secmem.h:221
void store_be(uint16_t in, uint8_t out[2])
Definition: loadstor.h:441
void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition: aes.cpp:526
uint32_t load_be< uint32_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:185
static size_t cache_line_size()
Definition: cpuid.h:65
void clear() override
Definition: aes.cpp:564
void clear() override
Definition: aes.cpp:499
#define BOTAN_PARALLEL_FOR
Definition: compiler.h:129
void clear() override
Definition: aes.cpp:629
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:27
std::string provider() const override
Definition: aes.cpp:439
T rotate_right(T input, size_t rot)
Definition: rotate.h:32
T load_be(const uint8_t in[], size_t off)
Definition: loadstor.h:113
std::string provider() const override
Definition: aes.cpp:438
void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition: aes.cpp:461
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:68
Definition: alg_id.cpp:13
void encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition: aes.cpp:507
std::string provider() const override
Definition: aes.cpp:440
void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition: aes.cpp:591
uint8_t get_byte(size_t byte_num, T input)
Definition: loadstor.h:47
void encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition: aes.cpp:572
uint32_t make_uint32(uint8_t i0, uint8_t i1, uint8_t i2, uint8_t i3)
Definition: loadstor.h:73