Botan  2.13.0
Crypto and TLS for C++11
aes.cpp
Go to the documentation of this file.
1 /*
2 * AES
3 * (C) 1999-2010,2015,2017,2018 Jack Lloyd
4 *
5 * Based on the public domain reference implementation by Paulo Baretto
6 *
7 * Botan is released under the Simplified BSD License (see license.txt)
8 */
9 
10 #include <botan/aes.h>
11 #include <botan/loadstor.h>
12 #include <botan/cpuid.h>
13 #include <botan/rotate.h>
14 #include <type_traits>
15 
16 /*
17 * This implementation is based on table lookups which are known to be
18 * vulnerable to timing and cache based side channel attacks. Some
19 * countermeasures are used which may be helpful in some situations:
20 *
21 * - Only a single 256-word T-table is used, with rotations applied.
22 * Most implementations use 4 (or sometimes 5) T-tables, which leaks
23 * much more information via cache usage.
24 *
25 * - The TE and TD tables are computed at runtime to avoid flush+reload
26 * attacks using clflush. As different processes will not share the
27 * same underlying table data, an attacker can't manipulate another
28 * processes cache lines via their shared reference to the library
29 * read only segment. (However, prime+probe attacks are still possible.)
30 *
31 * - Each cache line of the lookup tables is accessed at the beginning
32 * of each call to encrypt or decrypt. (See the Z variable below)
33 *
34 * If available SSSE3 or AES-NI are used instead of this version, as both
35 * are faster and immune to side channel attacks.
36 *
37 * Some AES cache timing papers for reference:
38 *
39 * "Software mitigations to hedge AES against cache-based software side
40 * channel vulnerabilities" https://eprint.iacr.org/2006/052.pdf
41 *
42 * "Cache Games - Bringing Access-Based Cache Attacks on AES to Practice"
43 * http://www.ieee-security.org/TC/SP2011/PAPERS/2011/paper031.pdf
44 *
45 * "Cache-Collision Timing Attacks Against AES" Bonneau, Mironov
46 * http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.88.4753
47 */
48 
49 namespace Botan {
50 
51 namespace {
52 
53 alignas(64)
54 const uint8_t SE[256] = {
55  0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
56  0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
57  0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
58  0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
59  0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
60  0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
61  0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
62  0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
63  0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
64  0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
65  0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
66  0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
67  0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
68  0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
69  0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
70  0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
71  0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
72  0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
73  0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
74  0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
75  0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
76  0xB0, 0x54, 0xBB, 0x16 };
77 
78 alignas(64)
79 const uint8_t SD[256] = {
80  0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
81  0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
82  0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
83  0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
84  0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
85  0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
86  0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
87  0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
88  0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
89  0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
90  0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
91  0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
92  0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
93  0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
94  0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
95  0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
96  0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
97  0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
98  0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
99  0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
100  0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
101  0x55, 0x21, 0x0C, 0x7D };
102 
103 inline constexpr uint8_t xtime(uint8_t s) { return static_cast<uint8_t>(s << 1) ^ ((s >> 7) * 0x1B); }
104 inline constexpr uint8_t xtime4(uint8_t s) { return xtime(xtime(s)); }
105 inline constexpr uint8_t xtime8(uint8_t s) { return xtime(xtime(xtime(s))); }
106 
107 inline constexpr uint8_t xtime3(uint8_t s) { return xtime(s) ^ s; }
108 inline constexpr uint8_t xtime9(uint8_t s) { return xtime8(s) ^ s; }
109 inline constexpr uint8_t xtime11(uint8_t s) { return xtime8(s) ^ xtime(s) ^ s; }
110 inline constexpr uint8_t xtime13(uint8_t s) { return xtime8(s) ^ xtime4(s) ^ s; }
111 inline constexpr uint8_t xtime14(uint8_t s) { return xtime8(s) ^ xtime4(s) ^ xtime(s); }
112 
113 inline uint32_t SE_word(uint32_t x)
114  {
115  return make_uint32(SE[get_byte(0, x)],
116  SE[get_byte(1, x)],
117  SE[get_byte(2, x)],
118  SE[get_byte(3, x)]);
119  }
120 
121 const uint32_t* AES_TE()
122  {
123  class TE_Table final
124  {
125  public:
126  TE_Table()
127  {
128  uint32_t* p = reinterpret_cast<uint32_t*>(&data);
129  for(size_t i = 0; i != 256; ++i)
130  {
131  const uint8_t s = SE[i];
132  p[i] = make_uint32(xtime(s), s, s, xtime3(s));
133  }
134  }
135 
136  const uint32_t* ptr() const
137  {
138  return reinterpret_cast<const uint32_t*>(&data);
139  }
140  private:
141  std::aligned_storage<256*sizeof(uint32_t), 64>::type data;
142  };
143 
144  static TE_Table table;
145  return table.ptr();
146  }
147 
148 const uint32_t* AES_TD()
149  {
150  class TD_Table final
151  {
152  public:
153  TD_Table()
154  {
155  uint32_t* p = reinterpret_cast<uint32_t*>(&data);
156  for(size_t i = 0; i != 256; ++i)
157  {
158  const uint8_t s = SD[i];
159  p[i] = make_uint32(xtime14(s), xtime9(s), xtime13(s), xtime11(s));
160  }
161  }
162 
163  const uint32_t* ptr() const
164  {
165  return reinterpret_cast<const uint32_t*>(&data);
166  }
167  private:
168  std::aligned_storage<256*sizeof(uint32_t), 64>::type data;
169  };
170 
171  static TD_Table table;
172  return table.ptr();
173  }
174 
175 #define AES_T(T, K, V0, V1, V2, V3) \
176  (K ^ T[get_byte(0, V0)] ^ \
177  rotr< 8>(T[get_byte(1, V1)]) ^ \
178  rotr<16>(T[get_byte(2, V2)]) ^ \
179  rotr<24>(T[get_byte(3, V3)]))
180 
181 /*
182 * AES Encryption
183 */
184 void aes_encrypt_n(const uint8_t in[], uint8_t out[],
185  size_t blocks,
186  const secure_vector<uint32_t>& EK,
187  const secure_vector<uint8_t>& ME)
188  {
189  BOTAN_ASSERT(EK.size() && ME.size() == 16, "Key was set");
190 
191  const size_t cache_line_size = CPUID::cache_line_size();
192  const uint32_t* TE = AES_TE();
193 
194  // Hit every cache line of TE
195  volatile uint32_t Z = 0;
196  for(size_t i = 0; i < 256; i += cache_line_size / sizeof(uint32_t))
197  {
198  Z |= TE[i];
199  }
200  Z &= TE[82]; // this is zero, which hopefully the compiler cannot deduce
201 
202  for(size_t i = 0; i < blocks; ++i)
203  {
204  uint32_t T0, T1, T2, T3;
205  load_be(in + 16*i, T0, T1, T2, T3);
206 
207  T0 ^= EK[0];
208  T1 ^= EK[1];
209  T2 ^= EK[2];
210  T3 ^= EK[3];
211 
212  T0 ^= Z;
213 
214  uint32_t B0 = AES_T(TE, EK[4], T0, T1, T2, T3);
215  uint32_t B1 = AES_T(TE, EK[5], T1, T2, T3, T0);
216  uint32_t B2 = AES_T(TE, EK[6], T2, T3, T0, T1);
217  uint32_t B3 = AES_T(TE, EK[7], T3, T0, T1, T2);
218 
219  for(size_t r = 2*4; r < EK.size(); r += 2*4)
220  {
221  T0 = AES_T(TE, EK[r ], B0, B1, B2, B3);
222  T1 = AES_T(TE, EK[r+1], B1, B2, B3, B0);
223  T2 = AES_T(TE, EK[r+2], B2, B3, B0, B1);
224  T3 = AES_T(TE, EK[r+3], B3, B0, B1, B2);
225 
226  B0 = AES_T(TE, EK[r+4], T0, T1, T2, T3);
227  B1 = AES_T(TE, EK[r+5], T1, T2, T3, T0);
228  B2 = AES_T(TE, EK[r+6], T2, T3, T0, T1);
229  B3 = AES_T(TE, EK[r+7], T3, T0, T1, T2);
230  }
231 
232  /*
233  * Use TE[x] >> 8 instead of SE[] so encryption only references a single
234  * lookup table.
235  */
236  out[16*i+ 0] = static_cast<uint8_t>(TE[get_byte(0, B0)] >> 8) ^ ME[0];
237  out[16*i+ 1] = static_cast<uint8_t>(TE[get_byte(1, B1)] >> 8) ^ ME[1];
238  out[16*i+ 2] = static_cast<uint8_t>(TE[get_byte(2, B2)] >> 8) ^ ME[2];
239  out[16*i+ 3] = static_cast<uint8_t>(TE[get_byte(3, B3)] >> 8) ^ ME[3];
240  out[16*i+ 4] = static_cast<uint8_t>(TE[get_byte(0, B1)] >> 8) ^ ME[4];
241  out[16*i+ 5] = static_cast<uint8_t>(TE[get_byte(1, B2)] >> 8) ^ ME[5];
242  out[16*i+ 6] = static_cast<uint8_t>(TE[get_byte(2, B3)] >> 8) ^ ME[6];
243  out[16*i+ 7] = static_cast<uint8_t>(TE[get_byte(3, B0)] >> 8) ^ ME[7];
244  out[16*i+ 8] = static_cast<uint8_t>(TE[get_byte(0, B2)] >> 8) ^ ME[8];
245  out[16*i+ 9] = static_cast<uint8_t>(TE[get_byte(1, B3)] >> 8) ^ ME[9];
246  out[16*i+10] = static_cast<uint8_t>(TE[get_byte(2, B0)] >> 8) ^ ME[10];
247  out[16*i+11] = static_cast<uint8_t>(TE[get_byte(3, B1)] >> 8) ^ ME[11];
248  out[16*i+12] = static_cast<uint8_t>(TE[get_byte(0, B3)] >> 8) ^ ME[12];
249  out[16*i+13] = static_cast<uint8_t>(TE[get_byte(1, B0)] >> 8) ^ ME[13];
250  out[16*i+14] = static_cast<uint8_t>(TE[get_byte(2, B1)] >> 8) ^ ME[14];
251  out[16*i+15] = static_cast<uint8_t>(TE[get_byte(3, B2)] >> 8) ^ ME[15];
252  }
253  }
254 
255 /*
256 * AES Decryption
257 */
258 void aes_decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks,
259  const secure_vector<uint32_t>& DK,
260  const secure_vector<uint8_t>& MD)
261  {
262  BOTAN_ASSERT(DK.size() && MD.size() == 16, "Key was set");
263 
264  const size_t cache_line_size = CPUID::cache_line_size();
265  const uint32_t* TD = AES_TD();
266 
267  volatile uint32_t Z = 0;
268  for(size_t i = 0; i < 256; i += cache_line_size / sizeof(uint32_t))
269  {
270  Z |= TD[i];
271  }
272  for(size_t i = 0; i < 256; i += cache_line_size)
273  {
274  Z |= SD[i];
275  }
276  Z &= TD[99]; // this is zero, which hopefully the compiler cannot deduce
277 
278  for(size_t i = 0; i != blocks; ++i)
279  {
280  uint32_t T0 = load_be<uint32_t>(in, 0) ^ DK[0];
281  uint32_t T1 = load_be<uint32_t>(in, 1) ^ DK[1];
282  uint32_t T2 = load_be<uint32_t>(in, 2) ^ DK[2];
283  uint32_t T3 = load_be<uint32_t>(in, 3) ^ DK[3];
284 
285  T0 ^= Z;
286 
287  uint32_t B0 = AES_T(TD, DK[4], T0, T3, T2, T1);
288  uint32_t B1 = AES_T(TD, DK[5], T1, T0, T3, T2);
289  uint32_t B2 = AES_T(TD, DK[6], T2, T1, T0, T3);
290  uint32_t B3 = AES_T(TD, DK[7], T3, T2, T1, T0);
291 
292  for(size_t r = 2*4; r < DK.size(); r += 2*4)
293  {
294  T0 = AES_T(TD, DK[r ], B0, B3, B2, B1);
295  T1 = AES_T(TD, DK[r+1], B1, B0, B3, B2);
296  T2 = AES_T(TD, DK[r+2], B2, B1, B0, B3);
297  T3 = AES_T(TD, DK[r+3], B3, B2, B1, B0);
298 
299  B0 = AES_T(TD, DK[r+4], T0, T3, T2, T1);
300  B1 = AES_T(TD, DK[r+5], T1, T0, T3, T2);
301  B2 = AES_T(TD, DK[r+6], T2, T1, T0, T3);
302  B3 = AES_T(TD, DK[r+7], T3, T2, T1, T0);
303  }
304 
305  out[ 0] = SD[get_byte(0, B0)] ^ MD[0];
306  out[ 1] = SD[get_byte(1, B3)] ^ MD[1];
307  out[ 2] = SD[get_byte(2, B2)] ^ MD[2];
308  out[ 3] = SD[get_byte(3, B1)] ^ MD[3];
309  out[ 4] = SD[get_byte(0, B1)] ^ MD[4];
310  out[ 5] = SD[get_byte(1, B0)] ^ MD[5];
311  out[ 6] = SD[get_byte(2, B3)] ^ MD[6];
312  out[ 7] = SD[get_byte(3, B2)] ^ MD[7];
313  out[ 8] = SD[get_byte(0, B2)] ^ MD[8];
314  out[ 9] = SD[get_byte(1, B1)] ^ MD[9];
315  out[10] = SD[get_byte(2, B0)] ^ MD[10];
316  out[11] = SD[get_byte(3, B3)] ^ MD[11];
317  out[12] = SD[get_byte(0, B3)] ^ MD[12];
318  out[13] = SD[get_byte(1, B2)] ^ MD[13];
319  out[14] = SD[get_byte(2, B1)] ^ MD[14];
320  out[15] = SD[get_byte(3, B0)] ^ MD[15];
321 
322  in += 16;
323  out += 16;
324  }
325  }
326 
327 void aes_key_schedule(const uint8_t key[], size_t length,
328  secure_vector<uint32_t>& EK,
329  secure_vector<uint32_t>& DK,
330  secure_vector<uint8_t>& ME,
331  secure_vector<uint8_t>& MD)
332  {
333  static const uint32_t RC[10] = {
334  0x01000000, 0x02000000, 0x04000000, 0x08000000, 0x10000000,
335  0x20000000, 0x40000000, 0x80000000, 0x1B000000, 0x36000000 };
336 
337  const size_t rounds = (length / 4) + 6;
338 
339  secure_vector<uint32_t> XEK(length + 32), XDK(length + 32);
340 
341  const size_t X = length / 4;
342 
343  // Can't happen, but make static analyzers happy
344  BOTAN_ARG_CHECK(X == 4 || X == 6 || X == 8, "Invalid AES key size");
345 
346  const uint32_t* TD = AES_TD();
347 
348  // Prefetch TD and SE which are used later on in this function
349  volatile uint32_t Z = 0;
350  const size_t cache_line_size = CPUID::cache_line_size();
351 
352  for(size_t i = 0; i < 256; i += cache_line_size / sizeof(uint32_t))
353  {
354  Z |= TD[i];
355  }
356  for(size_t i = 0; i < 256; i += cache_line_size)
357  {
358  Z |= SE[i];
359  }
360  Z &= TD[99]; // this is zero, which hopefully the compiler cannot deduce
361 
362  for(size_t i = 0; i != X; ++i)
363  XEK[i] = Z ^ load_be<uint32_t>(key, i);
364 
365  for(size_t i = X; i < 4*(rounds+1); i += X)
366  {
367  XEK[i] = XEK[i-X] ^ RC[(i-X)/X] ^ SE_word(rotl<8>(XEK[i-1]));
368 
369  for(size_t j = 1; j != X; ++j)
370  {
371  XEK[i+j] = XEK[i+j-X];
372 
373  if(X == 8 && j == 4)
374  XEK[i+j] ^= SE_word(XEK[i+j-1]);
375  else
376  XEK[i+j] ^= XEK[i+j-1];
377  }
378  }
379 
380  for(size_t i = 0; i != 4*(rounds+1); i += 4)
381  {
382  XDK[i ] = XEK[4*rounds-i ];
383  XDK[i+1] = XEK[4*rounds-i+1];
384  XDK[i+2] = XEK[4*rounds-i+2];
385  XDK[i+3] = XEK[4*rounds-i+3];
386  }
387 
388  for(size_t i = 4; i != length + 24; ++i)
389  {
390  XDK[i] = Z ^ SE_word(XDK[i]);
391  XDK[i] = AES_T(TD, 0, XDK[i], XDK[i], XDK[i], XDK[i]);
392  }
393 
394  ME.resize(16);
395  MD.resize(16);
396 
397  for(size_t i = 0; i != 4; ++i)
398  {
399  store_be(XEK[i+4*rounds], &ME[4*i]);
400  store_be(XEK[i], &MD[4*i]);
401  }
402 
403  EK.resize(length + 24);
404  DK.resize(length + 24);
405  copy_mem(EK.data(), XEK.data(), EK.size());
406  copy_mem(DK.data(), XDK.data(), DK.size());
407 
408 #if defined(BOTAN_HAS_AES_ARMV8)
409  if(CPUID::has_arm_aes())
410  {
411  // ARM needs the subkeys to be byte reversed
412 
413  for(size_t i = 0; i != EK.size(); ++i)
414  EK[i] = reverse_bytes(EK[i]);
415  for(size_t i = 0; i != DK.size(); ++i)
416  DK[i] = reverse_bytes(DK[i]);
417  }
418 #endif
419 
420  }
421 
422 #undef AES_T
423 
424 size_t aes_parallelism()
425  {
426 #if defined(BOTAN_HAS_AES_NI)
427  if(CPUID::has_aes_ni())
428  {
429  return 4;
430  }
431 #endif
432 
433 #if defined(BOTAN_HAS_AES_POWER8)
434  if(CPUID::has_power_crypto())
435  {
436  return 4;
437  }
438 #endif
439 
440 #if defined(BOTAN_HAS_AES_ARMV8)
441  if(CPUID::has_arm_aes())
442  {
443  return 4;
444  }
445 #endif
446 
447  return 1;
448  }
449 
450 const char* aes_provider()
451  {
452 #if defined(BOTAN_HAS_AES_NI)
453  if(CPUID::has_aes_ni())
454  {
455  return "aesni";
456  }
457 #endif
458 
459 #if defined(BOTAN_HAS_AES_POWER8)
460  if(CPUID::has_power_crypto())
461  {
462  return "power8";
463  }
464 #endif
465 
466 #if defined(BOTAN_HAS_AES_ARMV8)
467  if(CPUID::has_arm_aes())
468  {
469  return "armv8";
470  }
471 #endif
472 
473 #if defined(BOTAN_HAS_AES_VPERM)
474  if(CPUID::has_vperm())
475  {
476  return "vperm";
477  }
478 #endif
479 
480  return "base";
481  }
482 
483 }
484 
485 std::string AES_128::provider() const { return aes_provider(); }
486 std::string AES_192::provider() const { return aes_provider(); }
487 std::string AES_256::provider() const { return aes_provider(); }
488 
489 size_t AES_128::parallelism() const { return aes_parallelism(); }
490 size_t AES_192::parallelism() const { return aes_parallelism(); }
491 size_t AES_256::parallelism() const { return aes_parallelism(); }
492 
493 void AES_128::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
494  {
495  verify_key_set(m_EK.empty() == false);
496 
497 #if defined(BOTAN_HAS_AES_NI)
498  if(CPUID::has_aes_ni())
499  {
500  return aesni_encrypt_n(in, out, blocks);
501  }
502 #endif
503 
504 #if defined(BOTAN_HAS_AES_ARMV8)
505  if(CPUID::has_arm_aes())
506  {
507  return armv8_encrypt_n(in, out, blocks);
508  }
509 #endif
510 
511 #if defined(BOTAN_HAS_AES_POWER8)
512  if(CPUID::has_power_crypto())
513  {
514  return power8_encrypt_n(in, out, blocks);
515  }
516 #endif
517 
518 #if defined(BOTAN_HAS_AES_VPERM)
519  if(CPUID::has_vperm())
520  {
521  return vperm_encrypt_n(in, out, blocks);
522  }
523 #endif
524 
525  aes_encrypt_n(in, out, blocks, m_EK, m_ME);
526  }
527 
528 void AES_128::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
529  {
530  verify_key_set(m_DK.empty() == false);
531 
532 #if defined(BOTAN_HAS_AES_NI)
533  if(CPUID::has_aes_ni())
534  {
535  return aesni_decrypt_n(in, out, blocks);
536  }
537 #endif
538 
539 #if defined(BOTAN_HAS_AES_ARMV8)
540  if(CPUID::has_arm_aes())
541  {
542  return armv8_decrypt_n(in, out, blocks);
543  }
544 #endif
545 
546 #if defined(BOTAN_HAS_AES_POWER8)
547  if(CPUID::has_power_crypto())
548  {
549  return power8_decrypt_n(in, out, blocks);
550  }
551 #endif
552 
553 #if defined(BOTAN_HAS_AES_VPERM)
554  if(CPUID::has_vperm())
555  {
556  return vperm_decrypt_n(in, out, blocks);
557  }
558 #endif
559 
560  aes_decrypt_n(in, out, blocks, m_DK, m_MD);
561  }
562 
563 void AES_128::key_schedule(const uint8_t key[], size_t length)
564  {
565 #if defined(BOTAN_HAS_AES_NI)
566  if(CPUID::has_aes_ni())
567  {
568  return aesni_key_schedule(key, length);
569  }
570 #endif
571 
572 #if defined(BOTAN_HAS_AES_ARMV8)
573  if(CPUID::has_arm_aes())
574  {
575  return aes_key_schedule(key, length, m_EK, m_DK, m_ME, m_MD);
576  }
577 #endif
578 
579 #if defined(BOTAN_HAS_AES_POWER8)
580  if(CPUID::has_power_crypto())
581  {
582  return aes_key_schedule(key, length, m_EK, m_DK, m_ME, m_MD);
583  }
584 #endif
585 
586 #if defined(BOTAN_HAS_AES_VPERM)
587  if(CPUID::has_vperm())
588  {
589  return vperm_key_schedule(key, length);
590  }
591 #endif
592 
593  aes_key_schedule(key, length, m_EK, m_DK, m_ME, m_MD);
594  }
595 
596 void AES_128::clear()
597  {
598  zap(m_EK);
599  zap(m_DK);
600  zap(m_ME);
601  zap(m_MD);
602  }
603 
604 void AES_192::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
605  {
606  verify_key_set(m_EK.empty() == false);
607 
608 #if defined(BOTAN_HAS_AES_NI)
609  if(CPUID::has_aes_ni())
610  {
611  return aesni_encrypt_n(in, out, blocks);
612  }
613 #endif
614 
615 #if defined(BOTAN_HAS_AES_ARMV8)
616  if(CPUID::has_arm_aes())
617  {
618  return armv8_encrypt_n(in, out, blocks);
619  }
620 #endif
621 
622 #if defined(BOTAN_HAS_AES_POWER8)
623  if(CPUID::has_power_crypto())
624  {
625  return power8_encrypt_n(in, out, blocks);
626  }
627 #endif
628 
629 #if defined(BOTAN_HAS_AES_VPERM)
630  if(CPUID::has_vperm())
631  {
632  return vperm_encrypt_n(in, out, blocks);
633  }
634 #endif
635 
636  aes_encrypt_n(in, out, blocks, m_EK, m_ME);
637  }
638 
639 void AES_192::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
640  {
641  verify_key_set(m_DK.empty() == false);
642 
643 #if defined(BOTAN_HAS_AES_NI)
644  if(CPUID::has_aes_ni())
645  {
646  return aesni_decrypt_n(in, out, blocks);
647  }
648 #endif
649 
650 #if defined(BOTAN_HAS_AES_ARMV8)
651  if(CPUID::has_arm_aes())
652  {
653  return armv8_decrypt_n(in, out, blocks);
654  }
655 #endif
656 
657 #if defined(BOTAN_HAS_AES_POWER8)
658  if(CPUID::has_power_crypto())
659  {
660  return power8_decrypt_n(in, out, blocks);
661  }
662 #endif
663 
664 #if defined(BOTAN_HAS_AES_VPERM)
665  if(CPUID::has_vperm())
666  {
667  return vperm_decrypt_n(in, out, blocks);
668  }
669 #endif
670 
671  aes_decrypt_n(in, out, blocks, m_DK, m_MD);
672  }
673 
674 void AES_192::key_schedule(const uint8_t key[], size_t length)
675  {
676 #if defined(BOTAN_HAS_AES_NI)
677  if(CPUID::has_aes_ni())
678  {
679  return aesni_key_schedule(key, length);
680  }
681 #endif
682 
683 #if defined(BOTAN_HAS_AES_ARMV8)
684  if(CPUID::has_arm_aes())
685  {
686  return aes_key_schedule(key, length, m_EK, m_DK, m_ME, m_MD);
687  }
688 #endif
689 
690 #if defined(BOTAN_HAS_AES_POWER8)
691  if(CPUID::has_power_crypto())
692  {
693  return aes_key_schedule(key, length, m_EK, m_DK, m_ME, m_MD);
694  }
695 #endif
696 
697 #if defined(BOTAN_HAS_AES_VPERM)
698  if(CPUID::has_vperm())
699  {
700  return vperm_key_schedule(key, length);
701  }
702 #endif
703 
704  aes_key_schedule(key, length, m_EK, m_DK, m_ME, m_MD);
705  }
706 
707 void AES_192::clear()
708  {
709  zap(m_EK);
710  zap(m_DK);
711  zap(m_ME);
712  zap(m_MD);
713  }
714 
715 void AES_256::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
716  {
717  verify_key_set(m_EK.empty() == false);
718 
719 #if defined(BOTAN_HAS_AES_NI)
720  if(CPUID::has_aes_ni())
721  {
722  return aesni_encrypt_n(in, out, blocks);
723  }
724 #endif
725 
726 #if defined(BOTAN_HAS_AES_ARMV8)
727  if(CPUID::has_arm_aes())
728  {
729  return armv8_encrypt_n(in, out, blocks);
730  }
731 #endif
732 
733 #if defined(BOTAN_HAS_AES_POWER8)
734  if(CPUID::has_power_crypto())
735  {
736  return power8_encrypt_n(in, out, blocks);
737  }
738 #endif
739 
740 #if defined(BOTAN_HAS_AES_VPERM)
741  if(CPUID::has_vperm())
742  {
743  return vperm_encrypt_n(in, out, blocks);
744  }
745 #endif
746 
747  aes_encrypt_n(in, out, blocks, m_EK, m_ME);
748  }
749 
750 void AES_256::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
751  {
752  verify_key_set(m_DK.empty() == false);
753 
754 #if defined(BOTAN_HAS_AES_NI)
755  if(CPUID::has_aes_ni())
756  {
757  return aesni_decrypt_n(in, out, blocks);
758  }
759 #endif
760 
761 #if defined(BOTAN_HAS_AES_ARMV8)
762  if(CPUID::has_arm_aes())
763  {
764  return armv8_decrypt_n(in, out, blocks);
765  }
766 #endif
767 
768 #if defined(BOTAN_HAS_AES_POWER8)
769  if(CPUID::has_power_crypto())
770  {
771  return power8_decrypt_n(in, out, blocks);
772  }
773 #endif
774 
775 #if defined(BOTAN_HAS_AES_VPERM)
776  if(CPUID::has_vperm())
777  {
778  return vperm_decrypt_n(in, out, blocks);
779  }
780 #endif
781 
782  aes_decrypt_n(in, out, blocks, m_DK, m_MD);
783  }
784 
785 void AES_256::key_schedule(const uint8_t key[], size_t length)
786  {
787 #if defined(BOTAN_HAS_AES_NI)
788  if(CPUID::has_aes_ni())
789  {
790  return aesni_key_schedule(key, length);
791  }
792 #endif
793 
794 #if defined(BOTAN_HAS_AES_ARMV8)
795  if(CPUID::has_arm_aes())
796  {
797  return aes_key_schedule(key, length, m_EK, m_DK, m_ME, m_MD);
798  }
799 #endif
800 
801 #if defined(BOTAN_HAS_AES_POWER8)
802  if(CPUID::has_power_crypto())
803  {
804  return aes_key_schedule(key, length, m_EK, m_DK, m_ME, m_MD);
805  }
806 #endif
807 
808 #if defined(BOTAN_HAS_AES_VPERM)
809  if(CPUID::has_vperm())
810  {
811  return vperm_key_schedule(key, length);
812  }
813 #endif
814 
815  aes_key_schedule(key, length, m_EK, m_DK, m_ME, m_MD);
816  }
817 
818 void AES_256::clear()
819  {
820  zap(m_EK);
821  zap(m_DK);
822  zap(m_ME);
823  zap(m_MD);
824  }
825 
826 }
X
fe X
Definition: ge.cpp:27
Botan::AES_128::encrypt_n
void encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition: aes.cpp:493
Botan::zap
void zap(std::vector< T, Alloc > &vec)
Definition: secmem.h:170
Botan::store_be
void store_be(uint16_t in, uint8_t out[2])
Definition: loadstor.h:438
Botan::AES_192::decrypt_n
void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition: aes.cpp:639
Botan::load_be< uint32_t >
uint32_t load_be< uint32_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:179
Botan::CPUID::cache_line_size
static size_t cache_line_size()
Definition: cpuid.h:68
final
int(* final)(unsigned char *, CTX *)
Definition: commoncrypto_hash.cpp:28
Botan::get_byte
constexpr uint8_t get_byte(size_t byte_num, T input)
Definition: loadstor.h:41
Botan::AES_192::clear
void clear() override
Definition: aes.cpp:707
Botan::AES_128::clear
void clear() override
Definition: aes.cpp:596
type
MechanismType type
Definition: p11_mechanism.cpp:44
Botan::AES_256::clear
void clear() override
Definition: aes.cpp:818
Botan::AES_192::parallelism
size_t parallelism() const override
Definition: aes.cpp:490
Botan::make_uint32
constexpr uint32_t make_uint32(uint8_t i0, uint8_t i1, uint8_t i2, uint8_t i3)
Definition: loadstor.h:67
BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55
Botan::AES_192::provider
std::string provider() const override
Definition: aes.cpp:486
Botan::load_be
T load_be(const uint8_t in[], size_t off)
Definition: loadstor.h:107
Botan::AES_128::provider
std::string provider() const override
Definition: aes.cpp:485
Botan::AES_128::decrypt_n
void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition: aes.cpp:528
Botan::copy_mem
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:132
Botan
Definition: alg_id.cpp:13
BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition: assert.h:37
Botan::reverse_bytes
uint16_t reverse_bytes(uint16_t val)
Definition: bswap.h:25
AES_T
#define AES_T(T, K, V0, V1, V2, V3)
Definition: aes.cpp:175
Botan::AES_192::encrypt_n
void encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition: aes.cpp:604
Botan::SymmetricAlgorithm::verify_key_set
void verify_key_set(bool cond) const
Definition: sym_algo.h:89
Botan::AES_256::parallelism
size_t parallelism() const override
Definition: aes.cpp:491
Botan::CPUID::has_vperm
static bool has_vperm()
Definition: cpuid.h:324
Botan::AES_256::provider
std::string provider() const override
Definition: aes.cpp:487
Botan::AES_256::decrypt_n
void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition: aes.cpp:750
Botan::AES_256::encrypt_n
void encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const override
Definition: aes.cpp:715
Z
fe Z
Definition: ge.cpp:29
Botan::AES_128::parallelism
size_t parallelism() const override
Definition: aes.cpp:489
Generated on Mon Jan 13 2020 21:02:49 for Botan by   doxygen 1.8.9.1