taigrr/arduinolibs
1
0
Fork 0
mirror of https://github.com/taigrr/arduinolibs synced 2025-01-18 04:33:12 -08:00
Code Issues Projects Releases Wiki Activity

Basic AES implementation in the Crypto library

Browse Source
This commit is contained in:
Rhys Weatherley 2014-12-23 13:31:11 +10:00
parent 60432d9942
commit f6bbdb8e77
11 changed files with 1161 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
doc/Doxyfile
View File

@ -663,6 +663,7 @@ INPUT = ../libraries/LCD \
../libraries/PowerSave \ ../libraries/PowerSave \
../libraries/DMD \ ../libraries/DMD \
../libraries/IR \ ../libraries/IR \
../libraries/Crypto \
. .
# This tag can be used to specify the character encoding of the source files # This tag can be used to specify the character encoding of the source files

98
libraries/Crypto/AES.h Normal file
View File

@ -0,0 +1,98 @@
/*
* Copyright (C) 2014 Southern Storm Software, Pty Ltd.
*
* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included
* in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
* DEALINGS IN THE SOFTWARE.
*/
#ifndef CRYPTO_AES_h
#define CRYPTO_AES_h
#include "BlockCipher.h"
class AESCommon : public BlockCipher
{
public:
virtual ~AESCommon();
size_t blockSize();
void encryptBlock(uint8_t *output, const uint8_t *input);
void decryptBlock(uint8_t *output, const uint8_t *input);
void clear();
protected:
AESCommon();
/** @cond */
uint8_t rounds;
uint8_t *schedule;
void keyScheduleCore(uint8_t *output, const uint8_t *input, uint8_t iteration);
void applySbox(uint8_t *output, const uint8_t *input);
/** @endcond */
private:
uint8_t state1[16];
uint8_t state2[16];
};
class AES128 : public AESCommon
{
public:
AES128();
virtual ~AES128();
size_t keySize();
bool setKey(const uint8_t *key, size_t len);
private:
uint8_t sched[176];
};
class AES192 : public AESCommon
{
public:
AES192();
virtual ~AES192();
size_t keySize();
bool setKey(const uint8_t *key, size_t len);
private:
uint8_t sched[208];
};
class AES256 : public AESCommon
{
public:
AES256();
virtual ~AES256();
size_t keySize();
bool setKey(const uint8_t *key, size_t len);
private:
uint8_t sched[240];
};
#endif

98
libraries/Crypto/AES128.cpp Normal file
View File

@ -0,0 +1,98 @@
/*
* Copyright (C) 2014 Southern Storm Software, Pty Ltd.
*
* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included
* in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
* DEALINGS IN THE SOFTWARE.
*/
#include "AES.h"
#include "Crypto.h"
#include <string.h>
/**
* \class AES128 AES.h <AES.h>
* \brief AES block cipher with 128-bit keys.
*
* \sa AES192, AES256
*/
/**
* \brief Constructs an AES 128-bit block cipher with no initial key.
*
* This constructor must be followed by a call to setKey() before the
* block cipher can be used for encryption or decryption.
*/
AES128::AES128()
{
rounds = 10;
schedule = sched;
}
AES128::~AES128()
{
clean(sched);
}
/**
* \brief Size of a 128-bit AES key in bytes.
* \return Always returns 16.
*/
size_t AES128::keySize()
{
return 16;
}
bool AES128::setKey(const uint8_t *key, size_t len)
{
if (len != 16)
return false;
// Copy the key itself into the first 16 bytes of the schedule.
uint8_t *schedule = sched;
memcpy(schedule, key, 16);
// Expand the key schedule until we have 176 bytes of expanded key.
uint8_t iteration = 1;
uint8_t n = 16;
uint8_t w = 4;
while (n < 176) {
if (w == 4) {
// Every 16 bytes (4 words) we need to apply the key schedule core.
keyScheduleCore(schedule + 16, schedule + 12, iteration);
schedule[16] ^= schedule[0];
schedule[17] ^= schedule[1];
schedule[18] ^= schedule[2];
schedule[19] ^= schedule[3];
++iteration;
w = 0;
} else {
// Otherwise just XOR the word with the one 16 bytes previous.
schedule[16] = schedule[12] ^ schedule[0];
schedule[17] = schedule[13] ^ schedule[1];
schedule[18] = schedule[14] ^ schedule[2];
schedule[19] = schedule[15] ^ schedule[3];
}
// Advance to the next word in the schedule.
schedule += 4;
n += 4;
++w;
}
return true;
}

98
libraries/Crypto/AES192.cpp Normal file
View File

@ -0,0 +1,98 @@
/*
* Copyright (C) 2014 Southern Storm Software, Pty Ltd.
*
* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included
* in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
* DEALINGS IN THE SOFTWARE.
*/
#include "AES.h"
#include "Crypto.h"
#include <string.h>
/**
* \class AES192 AES.h <AES.h>
* \brief AES block cipher with 192-bit keys.
*
* \sa AES128, AES256
*/
/**
* \brief Constructs an AES 192-bit block cipher with no initial key.
*
* This constructor must be followed by a call to setKey() before the
* block cipher can be used for encryption or decryption.
*/
AES192::AES192()
{
rounds = 12;
schedule = sched;
}
AES192::~AES192()
{
clean(sched);
}
/**
* \brief Size of a 192-bit AES key in bytes.
* \return Always returns 24.
*/
size_t AES192::keySize()
{
return 24;
}
bool AES192::setKey(const uint8_t *key, size_t len)
{
if (len != 24)
return false;
// Copy the key itself into the first 24 bytes of the schedule.
uint8_t *schedule = sched;
memcpy(schedule, key, 24);
// Expand the key schedule until we have 208 bytes of expanded key.
uint8_t iteration = 1;
uint8_t n = 24;
uint8_t w = 6;
while (n < 208) {
if (w == 6) {
// Every 24 bytes (6 words) we need to apply the key schedule core.
keyScheduleCore(schedule + 24, schedule + 20, iteration);
schedule[24] ^= schedule[0];
schedule[25] ^= schedule[1];
schedule[26] ^= schedule[2];
schedule[27] ^= schedule[3];
++iteration;
w = 0;
} else {
// Otherwise just XOR the word with the one 24 bytes previous.
schedule[24] = schedule[20] ^ schedule[0];
schedule[25] = schedule[21] ^ schedule[1];
schedule[26] = schedule[22] ^ schedule[2];
schedule[27] = schedule[23] ^ schedule[3];
}
// Advance to the next word in the schedule.
schedule += 4;
n += 4;
++w;
}
return true;
}

105
libraries/Crypto/AES256.cpp Normal file
View File

@ -0,0 +1,105 @@
/*
* Copyright (C) 2014 Southern Storm Software, Pty Ltd.
*
* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included
* in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
* DEALINGS IN THE SOFTWARE.
*/
#include "AES.h"
#include "Crypto.h"
#include <string.h>
/**
* \class AES256 AES.h <AES.h>
* \brief AES block cipher with 56-bit keys.
*
* \sa AES128, AES192
*/
/**
* \brief Constructs an AES 256-bit block cipher with no initial key.
*
* This constructor must be followed by a call to setKey() before the
* block cipher can be used for encryption or decryption.
*/
AES256::AES256()
{
rounds = 14;
schedule = sched;
}
AES256::~AES256()
{
clean(sched);
}
/**
* \brief Size of a 256-bit AES key in bytes.
* \return Always returns 32.
*/
size_t AES256::keySize()
{
return 32;
}
bool AES256::setKey(const uint8_t *key, size_t len)
{
if (len != 32)
return false;
// Copy the key itself into the first 32 bytes of the schedule.
uint8_t *schedule = sched;
memcpy(schedule, key, 32);
// Expand the key schedule until we have 240 bytes of expanded key.
uint8_t iteration = 1;
uint8_t n = 32;
uint8_t w = 8;
while (n < 240) {
if (w == 8) {
// Every 32 bytes (8 words) we need to apply the key schedule core.
keyScheduleCore(schedule + 32, schedule + 28, iteration);
schedule[32] ^= schedule[0];
schedule[33] ^= schedule[1];
schedule[34] ^= schedule[2];
schedule[35] ^= schedule[3];
++iteration;
w = 0;
} else if (w == 4) {
// At the 16 byte mark we need to apply the S-box.
applySbox(schedule + 32, schedule + 28);
schedule[32] ^= schedule[0];
schedule[33] ^= schedule[1];
schedule[34] ^= schedule[2];
schedule[35] ^= schedule[3];
} else {
// Otherwise just XOR the word with the one 32 bytes previous.
schedule[32] = schedule[28] ^ schedule[0];
schedule[33] = schedule[29] ^ schedule[1];
schedule[34] = schedule[30] ^ schedule[2];
schedule[35] = schedule[31] ^ schedule[3];
}
// Advance to the next word in the schedule.
schedule += 4;
n += 4;
++w;
}
return true;
}

360
libraries/Crypto/AESCommon.cpp Normal file
View File

@ -0,0 +1,360 @@
/*
* Copyright (C) 2014 Southern Storm Software, Pty Ltd.
*
* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included
* in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
* DEALINGS IN THE SOFTWARE.
*/
#include "AES.h"
#include "Crypto.h"
/**
* \class AESCommon AES.h <AES.h>
* \brief Abstract base class for AES block ciphers.
*
* This class is abstract. The caller should instantiate AES128,
* AES192, or AES256 to create an AES block cipher with a specific
* key size.
*
* Reference: http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
*
* \sa AES128, AES192, AES256
*/
// AES S-box (http://en.wikipedia.org/wiki/Rijndael_S-box)
static uint8_t const sbox[256] = {
0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, // 0x00
0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, // 0x10
0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, // 0x20
0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, // 0x30
0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, // 0x40
0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, // 0x50
0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, // 0x60
0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, // 0x70
0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, // 0x80
0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, // 0x90
0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, // 0xA0
0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, // 0xB0
0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, // 0xC0
0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, // 0xD0
0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, // 0xE0
0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, // 0xF0
0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
};
// AES inverse S-box (http://en.wikipedia.org/wiki/Rijndael_S-box)
static uint8_t const sbox_inverse[256] = {
0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, // 0x00
0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, // 0x10
0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, // 0x20
0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, // 0x30
0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, // 0x40
0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, // 0x50
0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, // 0x60
0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, // 0x70
0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, // 0x80
0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, // 0x90
0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, // 0xA0
0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, // 0xB0
0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, // 0xC0
0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, // 0xD0
0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, // 0xE0
0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, // 0xF0
0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
};
/**
* \brief Constructs an AES block cipher object.
*/
AESCommon::AESCommon()
: rounds(0), schedule(0)
{
}
/**
* \brief Destroys this AES block cipher object after clearing
* sensitive information.
*/
AESCommon::~AESCommon()
{
clean(state1);
clean(state2);
}
/**
* \brief Size of an AES block in bytes.
* \return Always returns 16.
*/
size_t AESCommon::blockSize()
{
return 16;
}
// Constants to correct Galois multiplication for the high bits
// that are shifted out when multiplying by powers of two.
static uint8_t const K[8] = {
0x00,
0x1B,
(0x1B << 1),
(0x1B << 1) ^ 0x1B,
(0x1B << 2),
(0x1B << 2) ^ 0x1B,
(0x1B << 2) ^ (0x1B << 1),
(0x1B << 2) ^ (0x1B << 1) ^ 0x1B
};
// Multiply x by 2 in the Galois field.
inline uint8_t gmul2(uint8_t x)
{
// We need the effect of the following code:
//
// if (x & 0x80)
// return (x << 1) ^ 0x1B;
// else
// return (x << 1);
//
// However, we don't want to use runtime conditionals if we can help it
// to avoid leaking timing information from the implementation.
// In this case, multiplication is slightly faster than table lookup on AVR.
uint16_t y = ((uint16_t)x) << 1;
return ((uint8_t)y) ^ (uint8_t)(0x1B * ((uint8_t)(y >> 8)));
}
// Multiply x by 3 in the Galois field.
inline uint8_t gmul3(uint8_t x)
{
return x ^ gmul2(x);
}
// Multiply x by 4 in the Galois field.
inline uint8_t gmul4(uint8_t x)
{
uint16_t y = ((uint16_t)x) << 2;
return ((uint8_t)y) ^ K[y >> 8];
}
// Multiply x by 8 in the Galois field.
inline uint8_t gmul8(uint8_t x)
{
uint16_t y = ((uint16_t)x) << 3;
return ((uint8_t)y) ^ K[y >> 8];
}
// Multiply x by 9 in the Galois field.
inline uint8_t gmul9(uint8_t x)
{
return x ^ gmul8(x);
}
// Multiply x by 11 in the Galois field.
inline uint8_t gmul11(uint8_t x)
{
return x ^ gmul2(x) ^ gmul8(x);
}
// Multiply x by 13 in the Galois field.
inline uint8_t gmul13(uint8_t x)
{
return x ^ gmul4(x) ^ gmul8(x);
}
// Multiply x by 14 in the Galois field.
inline uint8_t gmul14(uint8_t x)
{
return gmul2(x) ^ gmul4(x) ^ gmul8(x);
}
#define OUT(col, row) output[(col) * 4 + (row)]
#define IN(col, row) input[(col) * 4 + (row)]
static void subBytesAndShiftRows(uint8_t *output, const uint8_t *input)
{
OUT(0, 0) = sbox[IN(0, 0)];
OUT(0, 1) = sbox[IN(1, 1)];
OUT(0, 2) = sbox[IN(2, 2)];
OUT(0, 3) = sbox[IN(3, 3)];
OUT(1, 0) = sbox[IN(1, 0)];
OUT(1, 1) = sbox[IN(2, 1)];
OUT(1, 2) = sbox[IN(3, 2)];
OUT(1, 3) = sbox[IN(0, 3)];
OUT(2, 0) = sbox[IN(2, 0)];
OUT(2, 1) = sbox[IN(3, 1)];
OUT(2, 2) = sbox[IN(0, 2)];
OUT(2, 3) = sbox[IN(1, 3)];
OUT(3, 0) = sbox[IN(3, 0)];
OUT(3, 1) = sbox[IN(0, 1)];
OUT(3, 2) = sbox[IN(1, 2)];
OUT(3, 3) = sbox[IN(2, 3)];
}
static void inverseShiftRowsAndSubBytes(uint8_t *output, const uint8_t *input)
{
OUT(0, 0) = sbox_inverse[IN(0, 0)];
OUT(0, 1) = sbox_inverse[IN(3, 1)];
OUT(0, 2) = sbox_inverse[IN(2, 2)];
OUT(0, 3) = sbox_inverse[IN(1, 3)];
OUT(1, 0) = sbox_inverse[IN(1, 0)];
OUT(1, 1) = sbox_inverse[IN(0, 1)];
OUT(1, 2) = sbox_inverse[IN(3, 2)];
OUT(1, 3) = sbox_inverse[IN(2, 3)];
OUT(2, 0) = sbox_inverse[IN(2, 0)];
OUT(2, 1) = sbox_inverse[IN(1, 1)];
OUT(2, 2) = sbox_inverse[IN(0, 2)];
OUT(2, 3) = sbox_inverse[IN(3, 3)];
OUT(3, 0) = sbox_inverse[IN(3, 0)];
OUT(3, 1) = sbox_inverse[IN(2, 1)];
OUT(3, 2) = sbox_inverse[IN(1, 2)];
OUT(3, 3) = sbox_inverse[IN(0, 3)];
}
static void mixColumn(uint8_t *output, uint8_t *input)
{
output[0] = gmul2(input[0]) ^ gmul3(input[1]) ^ input[2] ^ input[3];
output[1] = input[0] ^ gmul2(input[1]) ^ gmul3(input[2]) ^ input[3];
output[2] = input[0] ^ input[1] ^ gmul2(input[2]) ^ gmul3(input[3]);
output[3] = gmul3(input[0]) ^ input[1] ^ input[2] ^ gmul2(input[3]);
}
static void inverseMixColumn(uint8_t *output, const uint8_t *input)
{
output[0] = gmul14(input[0]) ^ gmul11(input[1]) ^ gmul13(input[2]) ^ gmul9(input[3]);
output[1] = gmul9(input[0]) ^ gmul14(input[1]) ^ gmul11(input[2]) ^ gmul13(input[3]);
output[2] = gmul13(input[0]) ^ gmul9(input[1]) ^ gmul14(input[2]) ^ gmul11(input[3]);
output[3] = gmul11(input[0]) ^ gmul13(input[1]) ^ gmul9(input[2]) ^ gmul14(input[3]);
}
void AESCommon::encryptBlock(uint8_t *output, const uint8_t *input)
{
const uint8_t *roundKey = schedule;
uint8_t posn;
uint8_t round;
// Copy the input into the state and XOR with the first round key.
for (posn = 0; posn < 16; ++posn)
state1[posn] = input[posn] ^ roundKey[posn];
roundKey += 16;
// Perform all rounds except the last.
for (round = rounds; round > 1; --round) {
subBytesAndShiftRows(state2, state1);
mixColumn(state1, state2);
mixColumn(state1 + 4, state2 + 4);
mixColumn(state1 + 8, state2 + 8);
mixColumn(state1 + 12, state2 + 12);
for (posn = 0; posn < 16; ++posn)
state1[posn] ^= roundKey[posn];
roundKey += 16;
}
// Perform the final round.
subBytesAndShiftRows(state2, state1);
for (posn = 0; posn < 16; ++posn)
output[posn] = state2[posn] ^ roundKey[posn];
}
void AESCommon::decryptBlock(uint8_t *output, const uint8_t *input)
{
const uint8_t *roundKey = schedule + rounds * 16;
uint8_t round;
uint8_t posn;
// Copy the input into the state and reverse the final round.
for (posn = 0; posn < 16; ++posn)
state1[posn] = input[posn] ^ roundKey[posn];
inverseShiftRowsAndSubBytes(state2, state1);
// Perform all other rounds in reverse.
for (round = rounds; round > 1; --round) {
roundKey -= 16;
for (posn = 0; posn < 16; ++posn)
state2[posn] ^= roundKey[posn];
inverseMixColumn(state1, state2);
inverseMixColumn(state1 + 4, state2 + 4);
inverseMixColumn(state1 + 8, state2 + 8);
inverseMixColumn(state1 + 12, state2 + 12);
inverseShiftRowsAndSubBytes(state2, state1);
}
// Reverse the initial round and create the output words.
roundKey -= 16;
for (posn = 0; posn < 16; ++posn)
output[posn] = state2[posn] ^ roundKey[posn];
}
void AESCommon::clear()
{
clean(schedule, (rounds + 1) * 16);
clean(state1);
clean(state2);
}
/** @cond */
void AESCommon::keyScheduleCore(uint8_t *output, const uint8_t *input, uint8_t iteration)
{
// Rcon(i), 2^i in the Rijndael finite field, for i = 0..10.
// http://en.wikipedia.org/wiki/Rijndael_key_schedule
static uint8_t const rcon[11] = {
0x00, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, // 0x00
0x80, 0x1B, 0x36
};
output[0] = sbox[input[1]] ^ rcon[iteration];
output[1] = sbox[input[2]];
output[2] = sbox[input[3]];
output[3] = sbox[input[0]];
}
void AESCommon::applySbox(uint8_t *output, const uint8_t *input)
{
output[0] = sbox[input[0]];
output[1] = sbox[input[1]];
output[2] = sbox[input[2]];
output[3] = sbox[input[3]];
}
/** @endcond */

124
libraries/Crypto/BlockCipher.cpp Normal file
View File

@ -0,0 +1,124 @@
/*
* Copyright (C) 2014 Southern Storm Software, Pty Ltd.
*
* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included
* in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
* DEALINGS IN THE SOFTWARE.
*/
#include "BlockCipher.h"
/**
* \class BlockCipher BlockCipher.h <BlockCipher.h>
* \brief Abstract base class for block ciphers.
*
* Block ciphers always operate in electronic codebook (ECB) mode.
* Higher-level classes such as CFB and CTR wrap the block cipher to
* create more useful classes for encryption and decryption of bulk data.
*
* References: http://en.wikipedia.org/wiki/Block_cipher,
* http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Electronic_codebook_.28ECB.29
*/
/**
* \brief Constructs a block cipher.
*/
BlockCipher::BlockCipher()
{
}
/**
* \brief Destroys this block cipher object.
*
* Subclasses are responsible for clearing temporary key schedules
* and other buffers so as to avoid leaking sensitive information.
*
* \sa clear()
*/
BlockCipher::~BlockCipher()
{
}
/**
* \fn size_t BlockCipher::blockSize() const
* \brief Size of a single block processed by this cipher, in bytes.
*
* \return Returns the size of a block in bytes.
*
* \sa keySize(), encryptBlock()
*/
/**
* \fn size_t BlockCipher::keySize() const
* \brief Default size of the key for this block cipher, in bytes.
*
* This value indicates the default, or recommended, size for the key.
*
* \sa setKey(), blockSize()
*/
/**
* \fn bool BlockCipher::setKey(const uint8_t *key, size_t len)
* \brief Sets the key to use for future encryption and decryption operations.
*
* \param key The key to use.
* \param len The length of the key.
* \return Returns false if the key length is not supported, or the key
* is somehow "weak" and unusable by this cipher.
*
* Use clear() or the destructor to remove the key and any other sensitive
* data from the object once encryption or decryption is complete.
*
* \sa keySize(), clear()
*/
/**
* \fn void BlockCipher::encryptBlock(uint8_t *output, const uint8_t *input)
* \brief Encrypts a single block using this cipher.
*
* \param output The output buffer to put the ciphertext into.
* Must be at least blockSize() bytes in length.
* \param input The input buffer to read the plaintext from which is
* allowed to overlap with \a output. Must be at least blockSize()
* bytes in length.
*
* \sa decryptBlock(), blockSize()
*/
/**
* \fn void BlockCipher::decryptBlock(uint8_t *output, const uint8_t *input)
* \brief Decrypts a single block using this cipher.
*
* \param output The output buffer to put the plaintext into.
* Must be at least blockSize() bytes in length.
* \param input The input buffer to read the ciphertext from which is
* allowed to overlap with \a output. Must be at least blockSize()
* bytes in length.
*
* \sa encryptBlock(), blockSize()
*/
/**
* \fn void BlockCipher::clear()
* \brief Clears all security-sensitive state from this block cipher.
*
* Security-sensitive information includes key schedules and any
* temporary state that is used by encryptBlock() or decryptBlock()
* which is stored in the object itself.
*
* \sa setKey(), encryptBlock(), decryptBlock()
*/

46
libraries/Crypto/BlockCipher.h Normal file
View File

@ -0,0 +1,46 @@
/*
* Copyright (C) 2014 Southern Storm Software, Pty Ltd.
*
* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included
* in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
* DEALINGS IN THE SOFTWARE.
*/
#ifndef CRYPTO_BLOCKCIPHER_h
#define CRYPTO_BLOCKCIPHER_h
#include <inttypes.h>
#include <stddef.h>
class BlockCipher
{
public:
BlockCipher();
virtual ~BlockCipher();
virtual size_t blockSize() = 0;
virtual size_t keySize() = 0;
virtual bool setKey(const uint8_t *key, size_t len) = 0;
virtual void encryptBlock(uint8_t *output, const uint8_t *input) = 0;
virtual void decryptBlock(uint8_t *output, const uint8_t *input) = 0;
virtual void clear() = 0;
};
#endif

55
libraries/Crypto/Crypto.cpp Normal file
View File

@ -0,0 +1,55 @@
/*
* Copyright (C) 2014 Southern Storm Software, Pty Ltd.
*
* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included
* in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
* DEALINGS IN THE SOFTWARE.
*/
#include "Crypto.h"
/**
* \brief Cleans a block of bytes.
*
* \param dest The destination block to be cleaned.
* \param size The size of the destination to be cleaned in bytes.
*
* Unlike memset(), this function attempts to prevent the compiler
* from optimizing away the clear on a memory buffer.
*/
void clean(void *dest, size_t size)
{
// Force the use of volatile so that we actually clear the memory.
// Otherwise the compiler might optimise the entire contents of this
// function away, which will not be secure.
volatile uint8_t *d = (volatile uint8_t *)dest;
while (size > 0) {
*d++ = 0;
--size;
}
}
/**
* \fn void clean(T &var)
* \brief Template function that cleans a variable.
*
* \param var A reference to the variable to clean.
*
* The variable will be cleared to all-zeroes in a secure manner.
* Unlike memset(), this function attempts to prevent the compiler
* from optimizing away the variable clear.
*/

37
libraries/Crypto/Crypto.h Normal file
View File

@ -0,0 +1,37 @@
/*
* Copyright (C) 2014 Southern Storm Software, Pty Ltd.
*
* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included
* in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
* DEALINGS IN THE SOFTWARE.
*/
#ifndef CRYPTO_h
#define CRYPTO_h
#include <inttypes.h>
#include <stddef.h>
void clean(void *dest, size_t size);
template <typename T>
inline void clean(T &var)
{
clean(&var, sizeof(T));
}
#endif

139
libraries/Crypto/examples/TestAES/TestAES.ino Normal file
View File

@ -0,0 +1,139 @@
/*
This example runs tests on the AES implementation to verify correct behaviour.
*/
#include <Crypto.h>
#include <AES.h>
#include <string.h>
struct TestVector
{
const char *name;
byte key[32];
byte plaintext[16];
byte ciphertext[16];
};
// Define the test vectors from the FIPS specification.
static TestVector const testVectorAES128 = {
.name = "AES-128",
.key = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F},
.plaintext = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF},
.ciphertext = {0x69, 0xC4, 0xE0, 0xD8, 0x6A, 0x7B, 0x04, 0x30,
0xD8, 0xCD, 0xB7, 0x80, 0x70, 0xB4, 0xC5, 0x5A}
};
static TestVector const testVectorAES192 = {
.name = "AES-192",
.key = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17},
.plaintext = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF},
.ciphertext = {0xDD, 0xA9, 0x7C, 0xA4, 0x86, 0x4C, 0xDF, 0xE0,
0x6E, 0xAF, 0x70, 0xA0, 0xEC, 0x0D, 0x71, 0x91}
};
static TestVector const testVectorAES256 = {
.name = "AES-256",
.key = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F},
.plaintext = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF},
.ciphertext = {0x8E, 0xA2, 0xB7, 0xCA, 0x51, 0x67, 0x45, 0xBF,
0xEA, 0xFC, 0x49, 0x90, 0x4B, 0x49, 0x60, 0x89}
};
AES128 aes128;
AES192 aes192;
AES256 aes256;
byte buffer[16];
void testCipher(BlockCipher *cipher, const struct TestVector *test)
{
Serial.print(test->name);
Serial.print(" Encryption ... ");
cipher->setKey(test->key, cipher->keySize());
cipher->encryptBlock(buffer, test->plaintext);
if (memcmp(buffer, test->ciphertext, 16) == 0)
Serial.println("Passed");
else
Serial.println("Failed");
Serial.print(test->name);
Serial.print(" Decryption ... ");
cipher->decryptBlock(buffer, test->ciphertext);
if (memcmp(buffer, test->plaintext, 16) == 0)
Serial.println("Passed");
else
Serial.println("Failed");
}
void perfCipher(BlockCipher *cipher, const struct TestVector *test)
{
unsigned long start;
unsigned long elapsed;
int count;
Serial.print(test->name);
Serial.print(" Set Key ... ");
start = micros();
for (count = 0; count < 10000; ++count) {
cipher->setKey(test->key, cipher->keySize());
}
elapsed = micros() - start;
Serial.print(elapsed / 10000.0);
Serial.print("us per operation, ");
Serial.print((10000.0 * 1000000.0) / elapsed);
Serial.println(" per second");
Serial.print(test->name);
Serial.print(" Encrypt ... ");
start = micros();
for (count = 0; count < 5000; ++count) {
cipher->encryptBlock(buffer, buffer);
}
elapsed = micros() - start;
Serial.print(elapsed / (5000.0 * 16.0));
Serial.print("us per byte, ");
Serial.print((16.0 * 5000.0 * 1000000.0) / elapsed);
Serial.println(" bytes per second");
Serial.print(test->name);
Serial.print(" Decrypt ... ");
start = micros();
for (count = 0; count < 5000; ++count) {
cipher->decryptBlock(buffer, buffer);
}
elapsed = micros() - start;
Serial.print(elapsed / (5000.0 * 16.0));
Serial.print("us per byte, ");
Serial.print((16.0 * 5000.0 * 1000000.0) / elapsed);
Serial.println(" bytes per second");
Serial.println();
}
void setup() {
Serial.begin(9600);
Serial.println();
Serial.println("Test Vectors:");
testCipher(&aes128, &testVectorAES128);
testCipher(&aes192, &testVectorAES192);
testCipher(&aes256, &testVectorAES256);
Serial.println();
Serial.println("Performance Tests:");
perfCipher(&aes128, &testVectorAES128);
perfCipher(&aes192, &testVectorAES192);
perfCipher(&aes256, &testVectorAES256);
}
void loop() {
}