; Implementation of AES crypto algorithm.
; Buffer size is 0x10 bytes (128 bits), key size is not fixed.
; Written by diamond in 2007.
uglobal
aes.pow_table rb 256 ; pow[a] = 3^a
aes.log_table rb 256 ; log[3^a] = a
aes.sbox rb 256 ; ShiftBytes(a)
aes.sbox_rev rb 256 ; ShiftBytes^{-1}(a)
aes.mctable rd 256 ; MixColumns(ShiftBytes(a,0,0,0))
aes.mcrtable rd 256 ; MixColumns^{-1}(a,0,0,0)
endg
init_aes:
; Byte values in SubBytes transform are interpreted as items of
; GF(2^8) \cong F_2[x]/(x^8+x^4+x^3+x+1)F_2[x].
; x+1 is primitive item in this field.
xor ebx, ebx
push 1
pop eax
.1:
mov [aes.pow_table+ebx], al
mov [aes.log_table+eax], bl
; Multiplication by x+1...
mov cl, al ; save value
; ...multiply by x with mod (x^8+x^4+x^3+x+1) = 0x11B...
add al, al
jnc @f
xor al, 0x1B
@@:
; ...and add operand
xor al, cl
inc bl
jnz .1
; generate table for SubBytes transform
mov [aes.sbox+0], 0x63
mov [aes.sbox_rev+0x63], bl
inc ebx
.2:
; calculate inverse in GF(2^8)
mov al, [aes.log_table+ebx]
xor al, 0xFF ; equivalent to "al = 0xFF - al"
mov cl, [aes.pow_table+eax]
; linear transform of byte as vector over F_2
mov al, cl
rol cl, 1
xor al, cl
rol cl, 1
xor al, cl
rol cl, 1
xor al, cl
rol cl, 1
xor al, cl
xor al, 0x63
mov [aes.sbox+ebx], al
mov [aes.sbox_rev+eax], bl
inc bl
jnz .2
; generate table for SubBytes + MixColumn transforms
.3:
mov al, [aes.sbox+ebx] ; SubBytes transform
mov cl, al
add cl, cl
jnc @f
xor cl, 0x1B
@@:
mov byte [aes.mctable+ebx*4], cl ; low byte of MixColumn(a,0,0,0)
mov byte [aes.mctable+ebx*4+1], al
mov byte [aes.mctable+ebx*4+2], al
xor cl, al
mov byte [aes.mctable+ebx*4+3], cl ; high byte of MixColumn(a,0,0,0)
inc bl
jnz .3
; generate table for reverse MixColumn transform
mov dword [aes.mcrtable+0], ebx
inc ebx
.4:
; log_table[9]=0xC7, log_table[0xB]=0x68, log_table[0xD]=0xEE, log_table[0xE]=0xDF
mov cl, [aes.log_table+ebx]
mov al, cl
add al, 0xDF
adc al, 0
mov al, [aes.pow_table+eax]
mov byte [aes.mcrtable+ebx*4], al
mov al, cl
add al, 0xC7
adc al, 0
mov al, [aes.pow_table+eax]
mov byte [aes.mcrtable+ebx*4+1], al
mov al, cl
add al, 0xEE
adc al, 0
mov al, [aes.pow_table+eax]
mov byte [aes.mcrtable+ebx*4+2], al
mov al, cl
add al, 0x68
adc al, 0
mov al, [aes.pow_table+eax]
mov byte [aes.mcrtable+ebx*4+3], al
inc bl
jnz .4
ret
aes_setkey:
; in: esi->key, edx=key size in dwords, edi->AES data struc
lea eax, [edx+6] ; calc number of rounds (buffer size=4)
stosd
shl eax, 4
lea ebx, [edi+eax+16]
mov ecx, edx
rep movsd
push ebx
mov bl, 1
.0:
push 4
pop ecx
@@:
movzx esi, byte [edi-5+ecx]
mov al, [aes.sbox+esi]
rol eax, 8
loop @b
ror eax, 16
mov esi, edx
neg esi
xor eax, [edi+esi*4]
xor al, bl
add bl, bl
jnc @f
xor bl, 0x1B
@@:
stosd
lea ecx, [edx-1]
.1:
cmp edi, [esp]
jz .ret
cmp edx, 8
jnz @f
cmp ecx, 4
jnz @f
push eax
movzx eax, al
mov al, [aes.sbox+eax]
mov [esp], al
mov al, byte [esp+1]
mov al, [aes.sbox+eax]
mov [esp+1], al
mov al, byte [esp+2]
mov al, [aes.sbox+eax]
mov [esp+2], al
mov al, byte [esp+3]
mov al, [aes.sbox+eax]
mov [esp+3], al
pop eax
@@:
xor eax, [edi+esi*4]
stosd
loop .1
cmp edi, [esp]
jnz .0
.ret:
pop eax
ret
aes_decode:
; in: esi->in, ebx->out, edi->AES state
push ebx ebp
push dword [esi+12]
push dword [esi+8]
push dword [esi+4]
push dword [esi]
mov esi, esp
; reverse final round
mov ebp, [edi] ; number of rounds
mov ecx, ebp
shl ecx, 4
lea edi, [edi+ecx+4] ; edi->last round key
; load buffer into registers
mov eax, [esi]
mov ebx, [esi+4]
mov ecx, [esi+8]
mov edx, [esi+12]
; (AddRoundKey)
xor eax, [edi]
xor ebx, [edi+4]
xor ecx, [edi+8]
xor edx, [edi+12]
; (ShiftRows)
.loop0:
xchg ch, dh
xchg bh, ch
xchg ah, bh
rol eax, 16
rol ebx, 16
rol ecx, 16
rol edx, 16
xchg al, cl
xchg bl, dl
xchg ah, bh
xchg bh, ch
xchg ch, dh
rol eax, 16
rol ebx, 16
rol ecx, 16
rol edx, 16
; (SubBytes)
mov [esi], eax
mov [esi+4], ebx
mov [esi+8], ecx
mov [esi+12], edx
mov ecx, 16
@@:
movzx eax, byte [esi]
mov al, [aes.sbox_rev+eax]
mov byte [esi], al
add esi, 1
sub ecx, 1
jnz @b
sub esi, 16
sub edi, 16
; reverse normal rounds
sub ebp, 1
jz .done
mov eax, [esi]
mov ebx, [esi+4]
mov ecx, [esi+8]
mov edx, [esi+12]
push esi edi
; (AddRoundKey)
xor eax, [edi]
xor ebx, [edi+4]
xor ecx, [edi+8]
xor edx, [edi+12]
; (MixColumns)
macro mix_reg reg {
movzx esi, reg#l
mov edi, [aes.mcrtable+esi*4]
movzx esi, reg#h
rol e#reg#x, 16
mov esi, [aes.mcrtable+esi*4]
rol esi, 8
xor edi, esi
movzx esi, reg#l
mov esi, [aes.mcrtable+esi*4]
rol esi, 16
xor edi, esi
movzx esi, reg#h
mov esi, [aes.mcrtable+esi*4]
ror esi, 8
xor edi, esi
mov e#reg#x, edi
}
mix_reg a
mix_reg b
mix_reg c
mix_reg d
purge mix_reg
pop edi esi
jmp .loop0
.done:
; (AddRoundKey)
mov esi, [esp+20]
pop eax
xor eax, [edi]
mov [esi], eax
pop eax
xor eax, [edi+4]
mov [esi+4], eax
pop eax
xor eax, [edi+8]
mov [esi+8], eax
pop eax
xor eax, [edi+12]
mov [esi+12], eax
pop ebp ebx
ret