wpa_supplicant_node: wpa_supplicant_node: aes-internal-dec.c Source File

00001 /*
00002  * AES (Rijndael) cipher - decrypt
00003  *
00004  * Modifications to public domain implementation:
00005  * - support only 128-bit keys
00006  * - cleanup
00007  * - use C pre-processor to make it easier to change S table access
00008  * - added option (AES_SMALL_TABLES) for reducing code size by about 8 kB at
00009  *   cost of reduced throughput (quite small difference on Pentium 4,
00010  *   10-25% when using -O1 or -O2 optimization)
00011  *
00012  * Copyright (c) 2003-2005, Jouni Malinen <j@w1.fi>
00013  *
00014  * This program is free software; you can redistribute it and/or modify
00015  * it under the terms of the GNU General Public License version 2 as
00016  * published by the Free Software Foundation.
00017  *
00018  * Alternatively, this software may be distributed under the terms of BSD
00019  * license.
00020  *
00021  * See README and COPYING for more details.
00022  */
00023 
00024 #include "includes.h"
00025 
00026 #include "common.h"
00027 #include "crypto.h"
00028 #include "aes_i.h"
00029 
00035 void rijndaelKeySetupDec(u32 rk[/*44*/], const u8 cipherKey[])
00036 {
00037         int Nr = 10, i, j;
00038         u32 temp;
00039 
00040         /* expand the cipher key: */
00041         rijndaelKeySetupEnc(rk, cipherKey);
00042         /* invert the order of the round keys: */
00043         for (i = 0, j = 4*Nr; i < j; i += 4, j -= 4) {
00044                 temp = rk[i    ]; rk[i    ] = rk[j    ]; rk[j    ] = temp;
00045                 temp = rk[i + 1]; rk[i + 1] = rk[j + 1]; rk[j + 1] = temp;
00046                 temp = rk[i + 2]; rk[i + 2] = rk[j + 2]; rk[j + 2] = temp;
00047                 temp = rk[i + 3]; rk[i + 3] = rk[j + 3]; rk[j + 3] = temp;
00048         }
00049         /* apply the inverse MixColumn transform to all round keys but the
00050          * first and the last: */
00051         for (i = 1; i < Nr; i++) {
00052                 rk += 4;
00053                 for (j = 0; j < 4; j++) {
00054                         rk[j] = TD0_(TE4((rk[j] >> 24)       )) ^
00055                                 TD1_(TE4((rk[j] >> 16) & 0xff)) ^
00056                                 TD2_(TE4((rk[j] >>  8) & 0xff)) ^
00057                                 TD3_(TE4((rk[j]      ) & 0xff));
00058                 }
00059         }
00060 }
00061 
00062 void * aes_decrypt_init(const u8 *key, size_t len)
00063 {
00064         u32 *rk;
00065         if (len != 16)
00066                 return NULL;
00067         rk = os_malloc(AES_PRIV_SIZE);
00068         if (rk == NULL)
00069                 return NULL;
00070         rijndaelKeySetupDec(rk, key);
00071         return rk;
00072 }
00073 
00074 static void rijndaelDecrypt(const u32 rk[/*44*/], const u8 ct[16], u8 pt[16])
00075 {
00076         u32 s0, s1, s2, s3, t0, t1, t2, t3;
00077         const int Nr = 10;
00078 #ifndef FULL_UNROLL
00079         int r;
00080 #endif /* ?FULL_UNROLL */
00081 
00082         /*
00083          * map byte array block to cipher state
00084          * and add initial round key:
00085          */
00086         s0 = GETU32(ct     ) ^ rk[0];
00087         s1 = GETU32(ct +  4) ^ rk[1];
00088         s2 = GETU32(ct +  8) ^ rk[2];
00089         s3 = GETU32(ct + 12) ^ rk[3];
00090 
00091 #define ROUND(i,d,s) \
00092 d##0 = TD0(s##0) ^ TD1(s##3) ^ TD2(s##2) ^ TD3(s##1) ^ rk[4 * i]; \
00093 d##1 = TD0(s##1) ^ TD1(s##0) ^ TD2(s##3) ^ TD3(s##2) ^ rk[4 * i + 1]; \
00094 d##2 = TD0(s##2) ^ TD1(s##1) ^ TD2(s##0) ^ TD3(s##3) ^ rk[4 * i + 2]; \
00095 d##3 = TD0(s##3) ^ TD1(s##2) ^ TD2(s##1) ^ TD3(s##0) ^ rk[4 * i + 3]
00096 
00097 #ifdef FULL_UNROLL
00098 
00099         ROUND(1,t,s);
00100         ROUND(2,s,t);
00101         ROUND(3,t,s);
00102         ROUND(4,s,t);
00103         ROUND(5,t,s);
00104         ROUND(6,s,t);
00105         ROUND(7,t,s);
00106         ROUND(8,s,t);
00107         ROUND(9,t,s);
00108 
00109         rk += Nr << 2;
00110 
00111 #else  /* !FULL_UNROLL */
00112 
00113         /* Nr - 1 full rounds: */
00114         r = Nr >> 1;
00115         for (;;) {
00116                 ROUND(1,t,s);
00117                 rk += 8;
00118                 if (--r == 0)
00119                         break;
00120                 ROUND(0,s,t);
00121         }
00122 
00123 #endif /* ?FULL_UNROLL */
00124 
00125 #undef ROUND
00126 
00127         /*
00128          * apply last round and
00129          * map cipher state to byte array block:
00130          */
00131         s0 = TD41(t0) ^ TD42(t3) ^ TD43(t2) ^ TD44(t1) ^ rk[0];
00132         PUTU32(pt     , s0);
00133         s1 = TD41(t1) ^ TD42(t0) ^ TD43(t3) ^ TD44(t2) ^ rk[1];
00134         PUTU32(pt +  4, s1);
00135         s2 = TD41(t2) ^ TD42(t1) ^ TD43(t0) ^ TD44(t3) ^ rk[2];
00136         PUTU32(pt +  8, s2);
00137         s3 = TD41(t3) ^ TD42(t2) ^ TD43(t1) ^ TD44(t0) ^ rk[3];
00138         PUTU32(pt + 12, s3);
00139 }
00140 
00141 void aes_decrypt(void *ctx, const u8 *crypt, u8 *plain)
00142 {
00143         rijndaelDecrypt(ctx, crypt, plain);
00144 }
00145 
00146 
00147 void aes_decrypt_deinit(void *ctx)
00148 {
00149         os_memset(ctx, 0, AES_PRIV_SIZE);
00150         os_free(ctx);
00151 }