2 *************************************************************************
4 * 5F., No.36, Taiyuan St., Jhubei City,
8 * (c) Copyright 2002-2007, Ralink Technology, Inc.
10 * This program is free software; you can redistribute it and/or modify *
11 * it under the terms of the GNU General Public License as published by *
12 * the Free Software Foundation; either version 2 of the License, or *
13 * (at your option) any later version. *
15 * This program is distributed in the hope that it will be useful, *
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of *
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
18 * GNU General Public License for more details. *
20 * You should have received a copy of the GNU General Public License *
21 * along with this program; if not, write to the *
22 * Free Software Foundation, Inc., *
23 * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. *
25 *************************************************************************
34 -------- ---------- ----------------------------------------------
35 Paul Wu 02-25-02 Initial
38 #include "../rt_config.h"
41 u32 erk[64]; /* encryption round keys */
42 u32 drk[64]; /* decryption round keys */
43 int nr; /* number of rounds */
46 /*****************************/
47 /******** SBOX Table *********/
48 /*****************************/
51 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
52 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
53 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
54 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
55 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc,
56 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
57 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a,
58 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
59 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0,
60 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
61 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b,
62 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
63 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85,
64 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
65 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5,
66 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
67 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17,
68 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
69 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88,
70 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
71 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c,
72 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
73 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9,
74 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
75 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6,
76 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
77 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e,
78 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
79 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94,
80 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
81 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68,
82 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
85 void xor_32(u8 *a, u8 *b, u8 *out)
89 for (i = 0; i < 4; i++) {
94 void xor_128(u8 *a, u8 *b, u8 *out)
98 for (i = 0; i < 16; i++) {
103 u8 RTMPCkipSbox(u8 a)
105 return SboxTable[(int)a];
108 void next_key(u8 *key, int round)
112 u8 rcon_table[12] = {
113 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80,
114 0x1b, 0x36, 0x36, 0x36
117 sbox_key[0] = RTMPCkipSbox(key[13]);
118 sbox_key[1] = RTMPCkipSbox(key[14]);
119 sbox_key[2] = RTMPCkipSbox(key[15]);
120 sbox_key[3] = RTMPCkipSbox(key[12]);
122 rcon = rcon_table[round];
124 xor_32(&key[0], sbox_key, &key[0]);
125 key[0] = key[0] ^ rcon;
127 xor_32(&key[4], &key[0], &key[4]);
128 xor_32(&key[8], &key[4], &key[8]);
129 xor_32(&key[12], &key[8], &key[12]);
132 void byte_sub(u8 *in, u8 *out)
136 for (i = 0; i < 16; i++) {
137 out[i] = RTMPCkipSbox(in[i]);
141 /************************************/
143 /* A 128 bit, bitwise exclusive or */
144 /************************************/
146 void bitwise_xor(unsigned char *ina, unsigned char *inb, unsigned char *out)
149 for (i = 0; i < 16; i++) {
150 out[i] = ina[i] ^ inb[i];
154 void shift_row(u8 *in, u8 *out)
174 void mix_column(u8 *in, u8 *out)
186 for (i = 0; i < 4; i++) {
187 if ((in[i] & 0x80) == 0x80)
193 swap_halfs[0] = in[2]; /* Swap halfs */
194 swap_halfs[1] = in[3];
195 swap_halfs[2] = in[0];
196 swap_halfs[3] = in[1];
198 rotl[0] = in[3]; /* Rotate left 8 bits */
203 andf7[0] = in[0] & 0x7f;
204 andf7[1] = in[1] & 0x7f;
205 andf7[2] = in[2] & 0x7f;
206 andf7[3] = in[3] & 0x7f;
208 for (i = 3; i > 0; i--) { /* logical shift left 1 bit */
209 andf7[i] = andf7[i] << 1;
210 if ((andf7[i - 1] & 0x80) == 0x80) {
211 andf7[i] = (andf7[i] | 0x01);
214 andf7[0] = andf7[0] << 1;
215 andf7[0] = andf7[0] & 0xfe;
217 xor_32(add1b, andf7, add1bf7);
219 xor_32(in, add1bf7, rotr);
221 temp[0] = rotr[0]; /* Rotate right 8 bits */
227 xor_32(add1bf7, rotr, temp);
228 xor_32(swap_halfs, rotl, tempb);
229 xor_32(temp, tempb, out);
232 /************************************************/
233 /* construct_mic_header1() */
234 /* Builds the first MIC header block from */
236 /************************************************/
238 void construct_mic_header1(unsigned char *mic_header1,
239 int header_length, unsigned char *mpdu)
241 mic_header1[0] = (unsigned char)((header_length - 2) / 256);
242 mic_header1[1] = (unsigned char)((header_length - 2) % 256);
243 mic_header1[2] = mpdu[0] & 0xcf; /* Mute CF poll & CF ack bits */
244 mic_header1[3] = mpdu[1] & 0xc7; /* Mute retry, more data and pwr mgt bits */
245 mic_header1[4] = mpdu[4]; /* A1 */
246 mic_header1[5] = mpdu[5];
247 mic_header1[6] = mpdu[6];
248 mic_header1[7] = mpdu[7];
249 mic_header1[8] = mpdu[8];
250 mic_header1[9] = mpdu[9];
251 mic_header1[10] = mpdu[10]; /* A2 */
252 mic_header1[11] = mpdu[11];
253 mic_header1[12] = mpdu[12];
254 mic_header1[13] = mpdu[13];
255 mic_header1[14] = mpdu[14];
256 mic_header1[15] = mpdu[15];
259 /************************************************/
260 /* construct_mic_header2() */
261 /* Builds the last MIC header block from */
263 /************************************************/
265 void construct_mic_header2(unsigned char *mic_header2,
266 unsigned char *mpdu, int a4_exists, int qc_exists)
270 for (i = 0; i < 16; i++)
271 mic_header2[i] = 0x00;
273 mic_header2[0] = mpdu[16]; /* A3 */
274 mic_header2[1] = mpdu[17];
275 mic_header2[2] = mpdu[18];
276 mic_header2[3] = mpdu[19];
277 mic_header2[4] = mpdu[20];
278 mic_header2[5] = mpdu[21];
280 /* In Sequence Control field, mute sequence numer bits (12-bit) */
281 mic_header2[6] = mpdu[22] & 0x0f; /* SC */
282 mic_header2[7] = 0x00; /* mpdu[23]; */
284 if ((!qc_exists) && a4_exists) {
285 for (i = 0; i < 6; i++)
286 mic_header2[8 + i] = mpdu[24 + i]; /* A4 */
290 if (qc_exists && (!a4_exists)) {
291 mic_header2[8] = mpdu[24] & 0x0f; /* mute bits 15 - 4 */
292 mic_header2[9] = mpdu[25] & 0x00;
295 if (qc_exists && a4_exists) {
296 for (i = 0; i < 6; i++)
297 mic_header2[8 + i] = mpdu[24 + i]; /* A4 */
299 mic_header2[14] = mpdu[30] & 0x0f;
300 mic_header2[15] = mpdu[31] & 0x00;
304 /************************************************/
305 /* construct_mic_iv() */
306 /* Builds the MIC IV from header fields and PN */
307 /************************************************/
309 void construct_mic_iv(unsigned char *mic_iv,
313 unsigned int payload_length, unsigned char *pn_vector)
318 if (qc_exists && a4_exists)
319 mic_iv[1] = mpdu[30] & 0x0f; /* QoS_TC */
320 if (qc_exists && !a4_exists)
321 mic_iv[1] = mpdu[24] & 0x0f; /* mute bits 7-4 */
324 for (i = 2; i < 8; i++)
325 mic_iv[i] = mpdu[i + 8]; /* mic_iv[2:7] = A2[0:5] = mpdu[10:15] */
326 #ifdef CONSISTENT_PN_ORDER
327 for (i = 8; i < 14; i++)
328 mic_iv[i] = pn_vector[i - 8]; /* mic_iv[8:13] = PN[0:5] */
330 for (i = 8; i < 14; i++)
331 mic_iv[i] = pn_vector[13 - i]; /* mic_iv[8:13] = PN[5:0] */
333 mic_iv[14] = (unsigned char)(payload_length / 256);
334 mic_iv[15] = (unsigned char)(payload_length % 256);
338 /****************************************/
340 /* Performs a 128 bit AES encrypt with */
342 /****************************************/
343 void aes128k128d(unsigned char *key, unsigned char *data,
344 unsigned char *ciphertext)
348 unsigned char intermediatea[16];
349 unsigned char intermediateb[16];
350 unsigned char round_key[16];
352 for (i = 0; i < 16; i++)
353 round_key[i] = key[i];
355 for (round = 0; round < 11; round++) {
357 xor_128(round_key, data, ciphertext);
358 next_key(round_key, round);
359 } else if (round == 10) {
360 byte_sub(ciphertext, intermediatea);
361 shift_row(intermediatea, intermediateb);
362 xor_128(intermediateb, round_key, ciphertext);
365 byte_sub(ciphertext, intermediatea);
366 shift_row(intermediatea, intermediateb);
367 mix_column(&intermediateb[0], &intermediatea[0]);
368 mix_column(&intermediateb[4], &intermediatea[4]);
369 mix_column(&intermediateb[8], &intermediatea[8]);
370 mix_column(&intermediateb[12], &intermediatea[12]);
371 xor_128(intermediatea, round_key, ciphertext);
372 next_key(round_key, round);
378 void construct_ctr_preload(unsigned char *ctr_preload,
381 unsigned char *mpdu, unsigned char *pn_vector, int c)
385 for (i = 0; i < 16; i++)
386 ctr_preload[i] = 0x00;
389 ctr_preload[0] = 0x01; /* flag */
390 if (qc_exists && a4_exists)
391 ctr_preload[1] = mpdu[30] & 0x0f; /* QoC_Control */
392 if (qc_exists && !a4_exists)
393 ctr_preload[1] = mpdu[24] & 0x0f;
395 for (i = 2; i < 8; i++)
396 ctr_preload[i] = mpdu[i + 8]; /* ctr_preload[2:7] = A2[0:5] = mpdu[10:15] */
397 #ifdef CONSISTENT_PN_ORDER
398 for (i = 8; i < 14; i++)
399 ctr_preload[i] = pn_vector[i - 8]; /* ctr_preload[8:13] = PN[0:5] */
401 for (i = 8; i < 14; i++)
402 ctr_preload[i] = pn_vector[13 - i]; /* ctr_preload[8:13] = PN[5:0] */
404 ctr_preload[14] = (unsigned char)(c / 256); /* Ctr */
405 ctr_preload[15] = (unsigned char)(c % 256);
409 BOOLEAN RTMPSoftDecryptAES(struct rt_rtmp_adapter *pAd,
411 unsigned long DataByteCnt, struct rt_cipher_key *pWpaKey)
418 u32 payload_remainder;
433 u8 padded_buffer[16];
443 fc = *((u16 *)pData);
445 frame_type = ((fc0 >> 2) & 0x03);
446 frame_subtype = ((fc0 >> 4) & 0x0f);
448 from_ds = (fc1 & 0x2) >> 1;
451 a4_exists = (from_ds & to_ds);
452 qc_exists = ((frame_subtype == 0x08) || /* Assumed QoS subtypes */
453 (frame_subtype == 0x09) || /* Likely to change. */
454 (frame_subtype == 0x0a) || (frame_subtype == 0x0b)
461 KeyID = *((u8 *)(pData + HeaderLen + 3));
464 if (pWpaKey[KeyID].KeyLen == 0) {
465 DBGPRINT(RT_DEBUG_TRACE,
466 ("RTMPSoftDecryptAES failed!(KeyID[%d] Length can not be 0)\n",
471 PN[0] = *(pData + HeaderLen);
472 PN[1] = *(pData + HeaderLen + 1);
473 PN[2] = *(pData + HeaderLen + 4);
474 PN[3] = *(pData + HeaderLen + 5);
475 PN[4] = *(pData + HeaderLen + 6);
476 PN[5] = *(pData + HeaderLen + 7);
478 payload_len = DataByteCnt - HeaderLen - 8 - 8; /* 8 bytes for CCMP header , 8 bytes for MIC */
479 payload_remainder = (payload_len) % 16;
480 num_blocks = (payload_len) / 16;
482 /* Find start of payload */
483 payload_index = HeaderLen + 8; /*IV+EIV */
485 for (i = 0; i < num_blocks; i++) {
486 construct_ctr_preload(ctr_preload,
487 a4_exists, qc_exists, pData, PN, i + 1);
489 aes128k128d(pWpaKey[KeyID].Key, ctr_preload, aes_out);
491 bitwise_xor(aes_out, pData + payload_index, chain_buffer);
492 NdisMoveMemory(pData + payload_index - 8, chain_buffer, 16);
497 /* If there is a short final block, then pad it */
498 /* encrypt it and copy the unpadded part back */
500 if (payload_remainder > 0) {
501 construct_ctr_preload(ctr_preload,
503 qc_exists, pData, PN, num_blocks + 1);
505 NdisZeroMemory(padded_buffer, 16);
506 NdisMoveMemory(padded_buffer, pData + payload_index,
509 aes128k128d(pWpaKey[KeyID].Key, ctr_preload, aes_out);
511 bitwise_xor(aes_out, padded_buffer, chain_buffer);
512 NdisMoveMemory(pData + payload_index - 8, chain_buffer,
514 payload_index += payload_remainder;
517 /* Descrypt the MIC */
519 construct_ctr_preload(ctr_preload, a4_exists, qc_exists, pData, PN, 0);
520 NdisZeroMemory(padded_buffer, 16);
521 NdisMoveMemory(padded_buffer, pData + payload_index, 8);
523 aes128k128d(pWpaKey[KeyID].Key, ctr_preload, aes_out);
525 bitwise_xor(aes_out, padded_buffer, chain_buffer);
527 NdisMoveMemory(TrailMIC, chain_buffer, 8);
533 /*Force the protected frame bit on */
534 *(pData + 1) = *(pData + 1) | 0x40;
536 /* Find start of payload */
537 /* Because the CCMP header has been removed */
538 payload_index = HeaderLen;
540 construct_mic_iv(mic_iv, qc_exists, a4_exists, pData, payload_len, PN);
542 construct_mic_header1(mic_header1, HeaderLen, pData);
544 construct_mic_header2(mic_header2, pData, a4_exists, qc_exists);
546 aes128k128d(pWpaKey[KeyID].Key, mic_iv, aes_out);
547 bitwise_xor(aes_out, mic_header1, chain_buffer);
548 aes128k128d(pWpaKey[KeyID].Key, chain_buffer, aes_out);
549 bitwise_xor(aes_out, mic_header2, chain_buffer);
550 aes128k128d(pWpaKey[KeyID].Key, chain_buffer, aes_out);
552 /* iterate through each 16 byte payload block */
553 for (i = 0; i < num_blocks; i++) {
554 bitwise_xor(aes_out, pData + payload_index, chain_buffer);
556 aes128k128d(pWpaKey[KeyID].Key, chain_buffer, aes_out);
559 /* Add on the final payload block if it needs padding */
560 if (payload_remainder > 0) {
561 NdisZeroMemory(padded_buffer, 16);
562 NdisMoveMemory(padded_buffer, pData + payload_index,
565 bitwise_xor(aes_out, padded_buffer, chain_buffer);
566 aes128k128d(pWpaKey[KeyID].Key, chain_buffer, aes_out);
568 /* aes_out contains padded mic, discard most significant */
569 /* 8 bytes to generate 64 bit MIC */
570 for (i = 0; i < 8; i++)
573 if (!NdisEqualMemory(MIC, TrailMIC, 8)) {
574 DBGPRINT(RT_DEBUG_ERROR, ("RTMPSoftDecryptAES, MIC Error !\n")); /*MIC error. */
581 /* ========================= AES En/Decryption ========================== */
583 #define uint8 unsigned char
587 #define uint32 unsigned int
591 static uint32 FSb[256] = {
592 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
593 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
594 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
595 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
596 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
597 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
598 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
599 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
600 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
601 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
602 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
603 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
604 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
605 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
606 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
607 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
608 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
609 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
610 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
611 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
612 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
613 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
614 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
615 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
616 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
617 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
618 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
619 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
620 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
621 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
622 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
623 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
629 V(C6,63,63,A5), V(F8,7C,7C,84), V(EE,77,77,99), V(F6,7B,7B,8D), \
630 V(FF,F2,F2,0D), V(D6,6B,6B,BD), V(DE,6F,6F,B1), V(91,C5,C5,54), \
631 V(60,30,30,50), V(02,01,01,03), V(CE,67,67,A9), V(56,2B,2B,7D), \
632 V(E7,FE,FE,19), V(B5,D7,D7,62), V(4D,AB,AB,E6), V(EC,76,76,9A), \
633 V(8F,CA,CA,45), V(1F,82,82,9D), V(89,C9,C9,40), V(FA,7D,7D,87), \
634 V(EF,FA,FA,15), V(B2,59,59,EB), V(8E,47,47,C9), V(FB,F0,F0,0B), \
635 V(41,AD,AD,EC), V(B3,D4,D4,67), V(5F,A2,A2,FD), V(45,AF,AF,EA), \
636 V(23,9C,9C,BF), V(53,A4,A4,F7), V(E4,72,72,96), V(9B,C0,C0,5B), \
637 V(75,B7,B7,C2), V(E1,FD,FD,1C), V(3D,93,93,AE), V(4C,26,26,6A), \
638 V(6C,36,36,5A), V(7E,3F,3F,41), V(F5,F7,F7,02), V(83,CC,CC,4F), \
639 V(68,34,34,5C), V(51,A5,A5,F4), V(D1,E5,E5,34), V(F9,F1,F1,08), \
640 V(E2,71,71,93), V(AB,D8,D8,73), V(62,31,31,53), V(2A,15,15,3F), \
641 V(08,04,04,0C), V(95,C7,C7,52), V(46,23,23,65), V(9D,C3,C3,5E), \
642 V(30,18,18,28), V(37,96,96,A1), V(0A,05,05,0F), V(2F,9A,9A,B5), \
643 V(0E,07,07,09), V(24,12,12,36), V(1B,80,80,9B), V(DF,E2,E2,3D), \
644 V(CD,EB,EB,26), V(4E,27,27,69), V(7F,B2,B2,CD), V(EA,75,75,9F), \
645 V(12,09,09,1B), V(1D,83,83,9E), V(58,2C,2C,74), V(34,1A,1A,2E), \
646 V(36,1B,1B,2D), V(DC,6E,6E,B2), V(B4,5A,5A,EE), V(5B,A0,A0,FB), \
647 V(A4,52,52,F6), V(76,3B,3B,4D), V(B7,D6,D6,61), V(7D,B3,B3,CE), \
648 V(52,29,29,7B), V(DD,E3,E3,3E), V(5E,2F,2F,71), V(13,84,84,97), \
649 V(A6,53,53,F5), V(B9,D1,D1,68), V(00,00,00,00), V(C1,ED,ED,2C), \
650 V(40,20,20,60), V(E3,FC,FC,1F), V(79,B1,B1,C8), V(B6,5B,5B,ED), \
651 V(D4,6A,6A,BE), V(8D,CB,CB,46), V(67,BE,BE,D9), V(72,39,39,4B), \
652 V(94,4A,4A,DE), V(98,4C,4C,D4), V(B0,58,58,E8), V(85,CF,CF,4A), \
653 V(BB,D0,D0,6B), V(C5,EF,EF,2A), V(4F,AA,AA,E5), V(ED,FB,FB,16), \
654 V(86,43,43,C5), V(9A,4D,4D,D7), V(66,33,33,55), V(11,85,85,94), \
655 V(8A,45,45,CF), V(E9,F9,F9,10), V(04,02,02,06), V(FE,7F,7F,81), \
656 V(A0,50,50,F0), V(78,3C,3C,44), V(25,9F,9F,BA), V(4B,A8,A8,E3), \
657 V(A2,51,51,F3), V(5D,A3,A3,FE), V(80,40,40,C0), V(05,8F,8F,8A), \
658 V(3F,92,92,AD), V(21,9D,9D,BC), V(70,38,38,48), V(F1,F5,F5,04), \
659 V(63,BC,BC,DF), V(77,B6,B6,C1), V(AF,DA,DA,75), V(42,21,21,63), \
660 V(20,10,10,30), V(E5,FF,FF,1A), V(FD,F3,F3,0E), V(BF,D2,D2,6D), \
661 V(81,CD,CD,4C), V(18,0C,0C,14), V(26,13,13,35), V(C3,EC,EC,2F), \
662 V(BE,5F,5F,E1), V(35,97,97,A2), V(88,44,44,CC), V(2E,17,17,39), \
663 V(93,C4,C4,57), V(55,A7,A7,F2), V(FC,7E,7E,82), V(7A,3D,3D,47), \
664 V(C8,64,64,AC), V(BA,5D,5D,E7), V(32,19,19,2B), V(E6,73,73,95), \
665 V(C0,60,60,A0), V(19,81,81,98), V(9E,4F,4F,D1), V(A3,DC,DC,7F), \
666 V(44,22,22,66), V(54,2A,2A,7E), V(3B,90,90,AB), V(0B,88,88,83), \
667 V(8C,46,46,CA), V(C7,EE,EE,29), V(6B,B8,B8,D3), V(28,14,14,3C), \
668 V(A7,DE,DE,79), V(BC,5E,5E,E2), V(16,0B,0B,1D), V(AD,DB,DB,76), \
669 V(DB,E0,E0,3B), V(64,32,32,56), V(74,3A,3A,4E), V(14,0A,0A,1E), \
670 V(92,49,49,DB), V(0C,06,06,0A), V(48,24,24,6C), V(B8,5C,5C,E4), \
671 V(9F,C2,C2,5D), V(BD,D3,D3,6E), V(43,AC,AC,EF), V(C4,62,62,A6), \
672 V(39,91,91,A8), V(31,95,95,A4), V(D3,E4,E4,37), V(F2,79,79,8B), \
673 V(D5,E7,E7,32), V(8B,C8,C8,43), V(6E,37,37,59), V(DA,6D,6D,B7), \
674 V(01,8D,8D,8C), V(B1,D5,D5,64), V(9C,4E,4E,D2), V(49,A9,A9,E0), \
675 V(D8,6C,6C,B4), V(AC,56,56,FA), V(F3,F4,F4,07), V(CF,EA,EA,25), \
676 V(CA,65,65,AF), V(F4,7A,7A,8E), V(47,AE,AE,E9), V(10,08,08,18), \
677 V(6F,BA,BA,D5), V(F0,78,78,88), V(4A,25,25,6F), V(5C,2E,2E,72), \
678 V(38,1C,1C,24), V(57,A6,A6,F1), V(73,B4,B4,C7), V(97,C6,C6,51), \
679 V(CB,E8,E8,23), V(A1,DD,DD,7C), V(E8,74,74,9C), V(3E,1F,1F,21), \
680 V(96,4B,4B,DD), V(61,BD,BD,DC), V(0D,8B,8B,86), V(0F,8A,8A,85), \
681 V(E0,70,70,90), V(7C,3E,3E,42), V(71,B5,B5,C4), V(CC,66,66,AA), \
682 V(90,48,48,D8), V(06,03,03,05), V(F7,F6,F6,01), V(1C,0E,0E,12), \
683 V(C2,61,61,A3), V(6A,35,35,5F), V(AE,57,57,F9), V(69,B9,B9,D0), \
684 V(17,86,86,91), V(99,C1,C1,58), V(3A,1D,1D,27), V(27,9E,9E,B9), \
685 V(D9,E1,E1,38), V(EB,F8,F8,13), V(2B,98,98,B3), V(22,11,11,33), \
686 V(D2,69,69,BB), V(A9,D9,D9,70), V(07,8E,8E,89), V(33,94,94,A7), \
687 V(2D,9B,9B,B6), V(3C,1E,1E,22), V(15,87,87,92), V(C9,E9,E9,20), \
688 V(87,CE,CE,49), V(AA,55,55,FF), V(50,28,28,78), V(A5,DF,DF,7A), \
689 V(03,8C,8C,8F), V(59,A1,A1,F8), V(09,89,89,80), V(1A,0D,0D,17), \
690 V(65,BF,BF,DA), V(D7,E6,E6,31), V(84,42,42,C6), V(D0,68,68,B8), \
691 V(82,41,41,C3), V(29,99,99,B0), V(5A,2D,2D,77), V(1E,0F,0F,11), \
692 V(7B,B0,B0,CB), V(A8,54,54,FC), V(6D,BB,BB,D6), V(2C,16,16,3A)
694 #define V(a,b,c,d) 0x##a##b##c##d
695 static uint32 FT0[256] = { FT };
699 #define V(a,b,c,d) 0x##d##a##b##c
700 static uint32 FT1[256] = { FT };
704 #define V(a,b,c,d) 0x##c##d##a##b
705 static uint32 FT2[256] = { FT };
709 #define V(a,b,c,d) 0x##b##c##d##a
710 static uint32 FT3[256] = { FT };
718 static uint32 RSb[256] = {
719 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
720 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
721 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
722 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
723 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
724 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
725 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
726 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
727 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
728 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
729 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
730 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
731 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
732 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
733 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
734 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
735 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
736 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
737 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
738 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
739 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
740 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
741 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
742 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
743 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
744 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
745 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
746 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
747 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
748 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
749 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
750 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
757 V(51,F4,A7,50), V(7E,41,65,53), V(1A,17,A4,C3), V(3A,27,5E,96), \
758 V(3B,AB,6B,CB), V(1F,9D,45,F1), V(AC,FA,58,AB), V(4B,E3,03,93), \
759 V(20,30,FA,55), V(AD,76,6D,F6), V(88,CC,76,91), V(F5,02,4C,25), \
760 V(4F,E5,D7,FC), V(C5,2A,CB,D7), V(26,35,44,80), V(B5,62,A3,8F), \
761 V(DE,B1,5A,49), V(25,BA,1B,67), V(45,EA,0E,98), V(5D,FE,C0,E1), \
762 V(C3,2F,75,02), V(81,4C,F0,12), V(8D,46,97,A3), V(6B,D3,F9,C6), \
763 V(03,8F,5F,E7), V(15,92,9C,95), V(BF,6D,7A,EB), V(95,52,59,DA), \
764 V(D4,BE,83,2D), V(58,74,21,D3), V(49,E0,69,29), V(8E,C9,C8,44), \
765 V(75,C2,89,6A), V(F4,8E,79,78), V(99,58,3E,6B), V(27,B9,71,DD), \
766 V(BE,E1,4F,B6), V(F0,88,AD,17), V(C9,20,AC,66), V(7D,CE,3A,B4), \
767 V(63,DF,4A,18), V(E5,1A,31,82), V(97,51,33,60), V(62,53,7F,45), \
768 V(B1,64,77,E0), V(BB,6B,AE,84), V(FE,81,A0,1C), V(F9,08,2B,94), \
769 V(70,48,68,58), V(8F,45,FD,19), V(94,DE,6C,87), V(52,7B,F8,B7), \
770 V(AB,73,D3,23), V(72,4B,02,E2), V(E3,1F,8F,57), V(66,55,AB,2A), \
771 V(B2,EB,28,07), V(2F,B5,C2,03), V(86,C5,7B,9A), V(D3,37,08,A5), \
772 V(30,28,87,F2), V(23,BF,A5,B2), V(02,03,6A,BA), V(ED,16,82,5C), \
773 V(8A,CF,1C,2B), V(A7,79,B4,92), V(F3,07,F2,F0), V(4E,69,E2,A1), \
774 V(65,DA,F4,CD), V(06,05,BE,D5), V(D1,34,62,1F), V(C4,A6,FE,8A), \
775 V(34,2E,53,9D), V(A2,F3,55,A0), V(05,8A,E1,32), V(A4,F6,EB,75), \
776 V(0B,83,EC,39), V(40,60,EF,AA), V(5E,71,9F,06), V(BD,6E,10,51), \
777 V(3E,21,8A,F9), V(96,DD,06,3D), V(DD,3E,05,AE), V(4D,E6,BD,46), \
778 V(91,54,8D,B5), V(71,C4,5D,05), V(04,06,D4,6F), V(60,50,15,FF), \
779 V(19,98,FB,24), V(D6,BD,E9,97), V(89,40,43,CC), V(67,D9,9E,77), \
780 V(B0,E8,42,BD), V(07,89,8B,88), V(E7,19,5B,38), V(79,C8,EE,DB), \
781 V(A1,7C,0A,47), V(7C,42,0F,E9), V(F8,84,1E,C9), V(00,00,00,00), \
782 V(09,80,86,83), V(32,2B,ED,48), V(1E,11,70,AC), V(6C,5A,72,4E), \
783 V(FD,0E,FF,FB), V(0F,85,38,56), V(3D,AE,D5,1E), V(36,2D,39,27), \
784 V(0A,0F,D9,64), V(68,5C,A6,21), V(9B,5B,54,D1), V(24,36,2E,3A), \
785 V(0C,0A,67,B1), V(93,57,E7,0F), V(B4,EE,96,D2), V(1B,9B,91,9E), \
786 V(80,C0,C5,4F), V(61,DC,20,A2), V(5A,77,4B,69), V(1C,12,1A,16), \
787 V(E2,93,BA,0A), V(C0,A0,2A,E5), V(3C,22,E0,43), V(12,1B,17,1D), \
788 V(0E,09,0D,0B), V(F2,8B,C7,AD), V(2D,B6,A8,B9), V(14,1E,A9,C8), \
789 V(57,F1,19,85), V(AF,75,07,4C), V(EE,99,DD,BB), V(A3,7F,60,FD), \
790 V(F7,01,26,9F), V(5C,72,F5,BC), V(44,66,3B,C5), V(5B,FB,7E,34), \
791 V(8B,43,29,76), V(CB,23,C6,DC), V(B6,ED,FC,68), V(B8,E4,F1,63), \
792 V(D7,31,DC,CA), V(42,63,85,10), V(13,97,22,40), V(84,C6,11,20), \
793 V(85,4A,24,7D), V(D2,BB,3D,F8), V(AE,F9,32,11), V(C7,29,A1,6D), \
794 V(1D,9E,2F,4B), V(DC,B2,30,F3), V(0D,86,52,EC), V(77,C1,E3,D0), \
795 V(2B,B3,16,6C), V(A9,70,B9,99), V(11,94,48,FA), V(47,E9,64,22), \
796 V(A8,FC,8C,C4), V(A0,F0,3F,1A), V(56,7D,2C,D8), V(22,33,90,EF), \
797 V(87,49,4E,C7), V(D9,38,D1,C1), V(8C,CA,A2,FE), V(98,D4,0B,36), \
798 V(A6,F5,81,CF), V(A5,7A,DE,28), V(DA,B7,8E,26), V(3F,AD,BF,A4), \
799 V(2C,3A,9D,E4), V(50,78,92,0D), V(6A,5F,CC,9B), V(54,7E,46,62), \
800 V(F6,8D,13,C2), V(90,D8,B8,E8), V(2E,39,F7,5E), V(82,C3,AF,F5), \
801 V(9F,5D,80,BE), V(69,D0,93,7C), V(6F,D5,2D,A9), V(CF,25,12,B3), \
802 V(C8,AC,99,3B), V(10,18,7D,A7), V(E8,9C,63,6E), V(DB,3B,BB,7B), \
803 V(CD,26,78,09), V(6E,59,18,F4), V(EC,9A,B7,01), V(83,4F,9A,A8), \
804 V(E6,95,6E,65), V(AA,FF,E6,7E), V(21,BC,CF,08), V(EF,15,E8,E6), \
805 V(BA,E7,9B,D9), V(4A,6F,36,CE), V(EA,9F,09,D4), V(29,B0,7C,D6), \
806 V(31,A4,B2,AF), V(2A,3F,23,31), V(C6,A5,94,30), V(35,A2,66,C0), \
807 V(74,4E,BC,37), V(FC,82,CA,A6), V(E0,90,D0,B0), V(33,A7,D8,15), \
808 V(F1,04,98,4A), V(41,EC,DA,F7), V(7F,CD,50,0E), V(17,91,F6,2F), \
809 V(76,4D,D6,8D), V(43,EF,B0,4D), V(CC,AA,4D,54), V(E4,96,04,DF), \
810 V(9E,D1,B5,E3), V(4C,6A,88,1B), V(C1,2C,1F,B8), V(46,65,51,7F), \
811 V(9D,5E,EA,04), V(01,8C,35,5D), V(FA,87,74,73), V(FB,0B,41,2E), \
812 V(B3,67,1D,5A), V(92,DB,D2,52), V(E9,10,56,33), V(6D,D6,47,13), \
813 V(9A,D7,61,8C), V(37,A1,0C,7A), V(59,F8,14,8E), V(EB,13,3C,89), \
814 V(CE,A9,27,EE), V(B7,61,C9,35), V(E1,1C,E5,ED), V(7A,47,B1,3C), \
815 V(9C,D2,DF,59), V(55,F2,73,3F), V(18,14,CE,79), V(73,C7,37,BF), \
816 V(53,F7,CD,EA), V(5F,FD,AA,5B), V(DF,3D,6F,14), V(78,44,DB,86), \
817 V(CA,AF,F3,81), V(B9,68,C4,3E), V(38,24,34,2C), V(C2,A3,40,5F), \
818 V(16,1D,C3,72), V(BC,E2,25,0C), V(28,3C,49,8B), V(FF,0D,95,41), \
819 V(39,A8,01,71), V(08,0C,B3,DE), V(D8,B4,E4,9C), V(64,56,C1,90), \
820 V(7B,CB,84,61), V(D5,32,B6,70), V(48,6C,5C,74), V(D0,B8,57,42)
822 #define V(a,b,c,d) 0x##a##b##c##d
823 static uint32 RT0[256] = { RT };
827 #define V(a,b,c,d) 0x##d##a##b##c
828 static uint32 RT1[256] = { RT };
832 #define V(a,b,c,d) 0x##c##d##a##b
833 static uint32 RT2[256] = { RT };
837 #define V(a,b,c,d) 0x##b##c##d##a
838 static uint32 RT3[256] = { RT };
844 /* round constants */
846 static uint32 RCON[10] = {
847 0x01000000, 0x02000000, 0x04000000, 0x08000000,
848 0x10000000, 0x20000000, 0x40000000, 0x80000000,
849 0x1B000000, 0x36000000
852 /* key schedule tables */
854 static int KT_init = 1;
856 static uint32 KT0[256];
857 static uint32 KT1[256];
858 static uint32 KT2[256];
859 static uint32 KT3[256];
861 /* platform-independant 32-bit integer manipulation macros */
863 #define GET_UINT32(n,b,i) \
865 (n) = ( (uint32) (b)[(i) ] << 24 ) \
866 | ( (uint32) (b)[(i) + 1] << 16 ) \
867 | ( (uint32) (b)[(i) + 2] << 8 ) \
868 | ( (uint32) (b)[(i) + 3] ); \
871 #define PUT_UINT32(n,b,i) \
873 (b)[(i) ] = (uint8) ( (n) >> 24 ); \
874 (b)[(i) + 1] = (uint8) ( (n) >> 16 ); \
875 (b)[(i) + 2] = (uint8) ( (n) >> 8 ); \
876 (b)[(i) + 3] = (uint8) ( (n) ); \
879 int rt_aes_set_key(struct aes_context * ctx, uint8 * key, int nbits)
898 RK = (uint32 *) ctx->erk;
900 for (i = 0; i < (nbits >> 5); i++) {
901 GET_UINT32(RK[i], key, i * 4);
904 /* setup encryption round keys */
909 for (i = 0; i < 10; i++, RK += 4) {
910 RK[4] = RK[0] ^ RCON[i] ^
911 (FSb[(uint8) (RK[3] >> 16)] << 24) ^
912 (FSb[(uint8) (RK[3] >> 8)] << 16) ^
913 (FSb[(uint8) (RK[3])] << 8) ^
914 (FSb[(uint8) (RK[3] >> 24)]);
916 RK[5] = RK[1] ^ RK[4];
917 RK[6] = RK[2] ^ RK[5];
918 RK[7] = RK[3] ^ RK[6];
924 for (i = 0; i < 8; i++, RK += 6) {
925 RK[6] = RK[0] ^ RCON[i] ^
926 (FSb[(uint8) (RK[5] >> 16)] << 24) ^
927 (FSb[(uint8) (RK[5] >> 8)] << 16) ^
928 (FSb[(uint8) (RK[5])] << 8) ^
929 (FSb[(uint8) (RK[5] >> 24)]);
931 RK[7] = RK[1] ^ RK[6];
932 RK[8] = RK[2] ^ RK[7];
933 RK[9] = RK[3] ^ RK[8];
934 RK[10] = RK[4] ^ RK[9];
935 RK[11] = RK[5] ^ RK[10];
941 for (i = 0; i < 7; i++, RK += 8) {
942 RK[8] = RK[0] ^ RCON[i] ^
943 (FSb[(uint8) (RK[7] >> 16)] << 24) ^
944 (FSb[(uint8) (RK[7] >> 8)] << 16) ^
945 (FSb[(uint8) (RK[7])] << 8) ^
946 (FSb[(uint8) (RK[7] >> 24)]);
948 RK[9] = RK[1] ^ RK[8];
949 RK[10] = RK[2] ^ RK[9];
950 RK[11] = RK[3] ^ RK[10];
953 (FSb[(uint8) (RK[11] >> 24)] << 24) ^
954 (FSb[(uint8) (RK[11] >> 16)] << 16) ^
955 (FSb[(uint8) (RK[11] >> 8)] << 8) ^
956 (FSb[(uint8) (RK[11])]);
958 RK[13] = RK[5] ^ RK[12];
959 RK[14] = RK[6] ^ RK[13];
960 RK[15] = RK[7] ^ RK[14];
965 /* setup decryption round keys */
968 for (i = 0; i < 256; i++) {
969 KT0[i] = RT0[FSb[i]];
970 KT1[i] = RT1[FSb[i]];
971 KT2[i] = RT2[FSb[i]];
972 KT3[i] = RT3[FSb[i]];
978 SK = (uint32 *) ctx->drk;
985 for (i = 1; i < ctx->nr; i++) {
988 *SK++ = KT0[(uint8) (*RK >> 24)] ^
989 KT1[(uint8) (*RK >> 16)] ^
990 KT2[(uint8) (*RK >> 8)] ^ KT3[(uint8) (*RK)];
993 *SK++ = KT0[(uint8) (*RK >> 24)] ^
994 KT1[(uint8) (*RK >> 16)] ^
995 KT2[(uint8) (*RK >> 8)] ^ KT3[(uint8) (*RK)];
998 *SK++ = KT0[(uint8) (*RK >> 24)] ^
999 KT1[(uint8) (*RK >> 16)] ^
1000 KT2[(uint8) (*RK >> 8)] ^ KT3[(uint8) (*RK)];
1003 *SK++ = KT0[(uint8) (*RK >> 24)] ^
1004 KT1[(uint8) (*RK >> 16)] ^
1005 KT2[(uint8) (*RK >> 8)] ^ KT3[(uint8) (*RK)];
1019 /* AES 128-bit block encryption routine */
1021 void rt_aes_encrypt(struct aes_context * ctx, uint8 input[16], uint8 output[16])
1023 uint32 *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
1025 RK = (uint32 *) ctx->erk;
1026 GET_UINT32(X0, input, 0);
1028 GET_UINT32(X1, input, 4);
1030 GET_UINT32(X2, input, 8);
1032 GET_UINT32(X3, input, 12);
1035 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
1039 X0 = RK[0] ^ FT0[ (uint8) ( Y0 >> 24 ) ] ^ \
1040 FT1[ (uint8) ( Y1 >> 16 ) ] ^ \
1041 FT2[ (uint8) ( Y2 >> 8 ) ] ^ \
1042 FT3[ (uint8) ( Y3 ) ]; \
1044 X1 = RK[1] ^ FT0[ (uint8) ( Y1 >> 24 ) ] ^ \
1045 FT1[ (uint8) ( Y2 >> 16 ) ] ^ \
1046 FT2[ (uint8) ( Y3 >> 8 ) ] ^ \
1047 FT3[ (uint8) ( Y0 ) ]; \
1049 X2 = RK[2] ^ FT0[ (uint8) ( Y2 >> 24 ) ] ^ \
1050 FT1[ (uint8) ( Y3 >> 16 ) ] ^ \
1051 FT2[ (uint8) ( Y0 >> 8 ) ] ^ \
1052 FT3[ (uint8) ( Y1 ) ]; \
1054 X3 = RK[3] ^ FT0[ (uint8) ( Y3 >> 24 ) ] ^ \
1055 FT1[ (uint8) ( Y0 >> 16 ) ] ^ \
1056 FT2[ (uint8) ( Y1 >> 8 ) ] ^ \
1057 FT3[ (uint8) ( Y2 ) ]; \
1060 AES_FROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3); /* round 1 */
1061 AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3); /* round 2 */
1062 AES_FROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3); /* round 3 */
1063 AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3); /* round 4 */
1064 AES_FROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3); /* round 5 */
1065 AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3); /* round 6 */
1066 AES_FROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3); /* round 7 */
1067 AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3); /* round 8 */
1068 AES_FROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3); /* round 9 */
1071 AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3); /* round 10 */
1072 AES_FROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3); /* round 11 */
1076 AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3); /* round 12 */
1077 AES_FROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3); /* round 13 */
1084 X0 = RK[0] ^ (FSb[(uint8) (Y0 >> 24)] << 24) ^
1085 (FSb[(uint8) (Y1 >> 16)] << 16) ^
1086 (FSb[(uint8) (Y2 >> 8)] << 8) ^ (FSb[(uint8) (Y3)]);
1088 X1 = RK[1] ^ (FSb[(uint8) (Y1 >> 24)] << 24) ^
1089 (FSb[(uint8) (Y2 >> 16)] << 16) ^
1090 (FSb[(uint8) (Y3 >> 8)] << 8) ^ (FSb[(uint8) (Y0)]);
1092 X2 = RK[2] ^ (FSb[(uint8) (Y2 >> 24)] << 24) ^
1093 (FSb[(uint8) (Y3 >> 16)] << 16) ^
1094 (FSb[(uint8) (Y0 >> 8)] << 8) ^ (FSb[(uint8) (Y1)]);
1096 X3 = RK[3] ^ (FSb[(uint8) (Y3 >> 24)] << 24) ^
1097 (FSb[(uint8) (Y0 >> 16)] << 16) ^
1098 (FSb[(uint8) (Y1 >> 8)] << 8) ^ (FSb[(uint8) (Y2)]);
1100 PUT_UINT32(X0, output, 0);
1101 PUT_UINT32(X1, output, 4);
1102 PUT_UINT32(X2, output, 8);
1103 PUT_UINT32(X3, output, 12);
1106 /* AES 128-bit block decryption routine */
1108 void rt_aes_decrypt(struct aes_context * ctx, uint8 input[16], uint8 output[16])
1110 uint32 *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
1112 RK = (uint32 *) ctx->drk;
1114 GET_UINT32(X0, input, 0);
1116 GET_UINT32(X1, input, 4);
1118 GET_UINT32(X2, input, 8);
1120 GET_UINT32(X3, input, 12);
1123 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
1127 X0 = RK[0] ^ RT0[ (uint8) ( Y0 >> 24 ) ] ^ \
1128 RT1[ (uint8) ( Y3 >> 16 ) ] ^ \
1129 RT2[ (uint8) ( Y2 >> 8 ) ] ^ \
1130 RT3[ (uint8) ( Y1 ) ]; \
1132 X1 = RK[1] ^ RT0[ (uint8) ( Y1 >> 24 ) ] ^ \
1133 RT1[ (uint8) ( Y0 >> 16 ) ] ^ \
1134 RT2[ (uint8) ( Y3 >> 8 ) ] ^ \
1135 RT3[ (uint8) ( Y2 ) ]; \
1137 X2 = RK[2] ^ RT0[ (uint8) ( Y2 >> 24 ) ] ^ \
1138 RT1[ (uint8) ( Y1 >> 16 ) ] ^ \
1139 RT2[ (uint8) ( Y0 >> 8 ) ] ^ \
1140 RT3[ (uint8) ( Y3 ) ]; \
1142 X3 = RK[3] ^ RT0[ (uint8) ( Y3 >> 24 ) ] ^ \
1143 RT1[ (uint8) ( Y2 >> 16 ) ] ^ \
1144 RT2[ (uint8) ( Y1 >> 8 ) ] ^ \
1145 RT3[ (uint8) ( Y0 ) ]; \
1148 AES_RROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3); /* round 1 */
1149 AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3); /* round 2 */
1150 AES_RROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3); /* round 3 */
1151 AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3); /* round 4 */
1152 AES_RROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3); /* round 5 */
1153 AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3); /* round 6 */
1154 AES_RROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3); /* round 7 */
1155 AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3); /* round 8 */
1156 AES_RROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3); /* round 9 */
1159 AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3); /* round 10 */
1160 AES_RROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3); /* round 11 */
1164 AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3); /* round 12 */
1165 AES_RROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3); /* round 13 */
1172 X0 = RK[0] ^ (RSb[(uint8) (Y0 >> 24)] << 24) ^
1173 (RSb[(uint8) (Y3 >> 16)] << 16) ^
1174 (RSb[(uint8) (Y2 >> 8)] << 8) ^ (RSb[(uint8) (Y1)]);
1176 X1 = RK[1] ^ (RSb[(uint8) (Y1 >> 24)] << 24) ^
1177 (RSb[(uint8) (Y0 >> 16)] << 16) ^
1178 (RSb[(uint8) (Y3 >> 8)] << 8) ^ (RSb[(uint8) (Y2)]);
1180 X2 = RK[2] ^ (RSb[(uint8) (Y2 >> 24)] << 24) ^
1181 (RSb[(uint8) (Y1 >> 16)] << 16) ^
1182 (RSb[(uint8) (Y0 >> 8)] << 8) ^ (RSb[(uint8) (Y3)]);
1184 X3 = RK[3] ^ (RSb[(uint8) (Y3 >> 24)] << 24) ^
1185 (RSb[(uint8) (Y2 >> 16)] << 16) ^
1186 (RSb[(uint8) (Y1 >> 8)] << 8) ^ (RSb[(uint8) (Y0)]);
1188 PUT_UINT32(X0, output, 0);
1189 PUT_UINT32(X1, output, 4);
1190 PUT_UINT32(X2, output, 8);
1191 PUT_UINT32(X3, output, 12);
1195 ==========================================================================
1197 ENCRYPT AES GTK before sending in EAPOL frame.
1198 AES GTK length = 128 bit, so fix blocks for aes-key-wrap as 2 in this function.
1199 This function references to RFC 3394 for aes key wrap algorithm.
1201 ==========================================================================
1203 void AES_GTK_KEY_WRAP(u8 * key,
1205 u32 p_len, u8 * ciphertext)
1207 u8 A[8], BIN[16], BOUT[16];
1209 int num_blocks = p_len / 8; /* unit:64bits */
1211 struct aes_context aesctx;
1214 rt_aes_set_key(&aesctx, key, 128);
1217 for (i = 0; i < 8; i++)
1220 /*Input plaintext */
1221 for (i = 0; i < num_blocks; i++) {
1222 for (j = 0; j < 8; j++)
1223 R[8 * (i + 1) + j] = plaintext[8 * i + j];
1227 for (j = 0; j < 6; j++) {
1228 for (i = 1; i <= num_blocks; i++) {
1230 NdisMoveMemory(BIN, A, 8);
1231 NdisMoveMemory(&BIN[8], &R[8 * i], 8);
1232 rt_aes_encrypt(&aesctx, BIN, BOUT);
1234 NdisMoveMemory(A, &BOUT[0], 8);
1235 xor = num_blocks * j + i;
1236 A[7] = BOUT[7] ^ xor;
1237 NdisMoveMemory(&R[8 * i], &BOUT[8], 8);
1241 /* Output ciphertext */
1242 NdisMoveMemory(ciphertext, A, 8);
1244 for (i = 1; i <= num_blocks; i++) {
1245 for (j = 0; j < 8; j++)
1246 ciphertext[8 * i + j] = R[8 * i + j];
1251 ========================================================================
1253 Routine Description:
1254 Misc function to decrypt AES body
1261 This function references to RFC 3394 for aes key unwrap algorithm.
1263 ========================================================================
1265 void AES_GTK_KEY_UNWRAP(u8 * key,
1267 u32 c_len, u8 * ciphertext)
1269 u8 A[8], BIN[16], BOUT[16];
1272 struct aes_context aesctx;
1274 int num_blocks = c_len / 8; /* unit:64bits */
1276 os_alloc_mem(NULL, (u8 **) & R, 512);
1279 DBGPRINT(RT_DEBUG_ERROR,
1280 ("AES_GTK_KEY_UNWRAP: no memory!\n"));
1285 NdisMoveMemory(A, ciphertext, 8);
1286 /*Input plaintext */
1287 for (i = 0; i < (c_len - 8); i++) {
1288 R[i] = ciphertext[i + 8];
1291 rt_aes_set_key(&aesctx, key, 128);
1293 for (j = 5; j >= 0; j--) {
1294 for (i = (num_blocks - 1); i > 0; i--) {
1295 xor = (num_blocks - 1) * j + i;
1296 NdisMoveMemory(BIN, A, 8);
1297 BIN[7] = A[7] ^ xor;
1298 NdisMoveMemory(&BIN[8], &R[(i - 1) * 8], 8);
1299 rt_aes_decrypt(&aesctx, BIN, BOUT);
1300 NdisMoveMemory(A, &BOUT[0], 8);
1301 NdisMoveMemory(&R[(i - 1) * 8], &BOUT[8], 8);
1306 for (i = 0; i < c_len; i++) {
1307 plaintext[i] = R[i];
1310 os_free_mem(NULL, R);