2 * An extremely minimal crypto library for Arduino devices.
4 * The SHA256 and AES implementations are derived from axTLS
5 * (http://axtls.sourceforge.net/), Copyright (c) 2008, Cameron Rich.
7 * Ported and refactored by Chris Ellis 2016.
18 //#if BYTE_ORDER == BIG_ENDIAN
20 inline static uint16_t crypto_htons(uint16_t x)
25 inline static uint16_t crypto_ntohs(uint16_t x)
30 inline static uint32_t crypto_htonl(uint32_t x)
35 inline static uint32_t crypto_ntohl(uint32_t x)
42 inline static uint16_t crypto_htons(uint16_t x)
50 inline static uint16_t crypto_ntohs(uint16_t x)
58 inline static uint32_t crypto_htonl(uint32_t x)
63 ((x & 0xff0000UL) >> 8) |
64 ((x & 0xff000000UL) >> 24)
68 inline static uint32_t crypto_ntohl(uint32_t x)
73 ((x & 0xff0000UL) >> 8) |
74 ((x & 0xff000000UL) >> 24)
80 #define GET_UINT32(n,b,i) \
82 (n) = ((uint32_t) (b)[(i) ] << 24) \
83 | ((uint32_t) (b)[(i) + 1] << 16) \
84 | ((uint32_t) (b)[(i) + 2] << 8) \
85 | ((uint32_t) (b)[(i) + 3] ); \
88 #define PUT_UINT32(n,b,i) \
90 (b)[(i) ] = (byte) ((n) >> 24); \
91 (b)[(i) + 1] = (byte) ((n) >> 16); \
92 (b)[(i) + 2] = (byte) ((n) >> 8); \
93 (b)[(i) + 3] = (byte) ((n) ); \
96 static const byte sha256_padding[64] =
98 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
99 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
100 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
101 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
105 * Initialize the SHA256 hash
111 state[0] = 0x6A09E667;
112 state[1] = 0xBB67AE85;
113 state[2] = 0x3C6EF372;
114 state[3] = 0xA54FF53A;
115 state[4] = 0x510E527F;
116 state[5] = 0x9B05688C;
117 state[6] = 0x1F83D9AB;
118 state[7] = 0x5BE0CD19;
121 void SHA256::SHA256_Process(const byte digest[64])
123 uint32_t temp1, temp2, W[64];
124 uint32_t A, B, C, D, E, F, G, H;
126 GET_UINT32(W[0], digest, 0);
127 GET_UINT32(W[1], digest, 4);
128 GET_UINT32(W[2], digest, 8);
129 GET_UINT32(W[3], digest, 12);
130 GET_UINT32(W[4], digest, 16);
131 GET_UINT32(W[5], digest, 20);
132 GET_UINT32(W[6], digest, 24);
133 GET_UINT32(W[7], digest, 28);
134 GET_UINT32(W[8], digest, 32);
135 GET_UINT32(W[9], digest, 36);
136 GET_UINT32(W[10], digest, 40);
137 GET_UINT32(W[11], digest, 44);
138 GET_UINT32(W[12], digest, 48);
139 GET_UINT32(W[13], digest, 52);
140 GET_UINT32(W[14], digest, 56);
141 GET_UINT32(W[15], digest, 60);
143 #define SHR(x,n) ((x & 0xFFFFFFFF) >> n)
144 #define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
146 #define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
147 #define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
149 #define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
150 #define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
152 #define F0(x,y,z) ((x & y) | (z & (x | y)))
153 #define F1(x,y,z) (z ^ (x & (y ^ z)))
157 W[t] = S1(W[t - 2]) + W[t - 7] + \
158 S0(W[t - 15]) + W[t - 16] \
161 #define P(a,b,c,d,e,f,g,h,x,K) \
163 temp1 = h + S3(e) + F1(e,f,g) + K + x; \
164 temp2 = S2(a) + F0(a,b,c); \
165 d += temp1; h = temp1 + temp2; \
177 P(A, B, C, D, E, F, G, H, W[ 0], 0x428A2F98);
178 P(H, A, B, C, D, E, F, G, W[ 1], 0x71374491);
179 P(G, H, A, B, C, D, E, F, W[ 2], 0xB5C0FBCF);
180 P(F, G, H, A, B, C, D, E, W[ 3], 0xE9B5DBA5);
181 P(E, F, G, H, A, B, C, D, W[ 4], 0x3956C25B);
182 P(D, E, F, G, H, A, B, C, W[ 5], 0x59F111F1);
183 P(C, D, E, F, G, H, A, B, W[ 6], 0x923F82A4);
184 P(B, C, D, E, F, G, H, A, W[ 7], 0xAB1C5ED5);
185 P(A, B, C, D, E, F, G, H, W[ 8], 0xD807AA98);
186 P(H, A, B, C, D, E, F, G, W[ 9], 0x12835B01);
187 P(G, H, A, B, C, D, E, F, W[10], 0x243185BE);
188 P(F, G, H, A, B, C, D, E, W[11], 0x550C7DC3);
189 P(E, F, G, H, A, B, C, D, W[12], 0x72BE5D74);
190 P(D, E, F, G, H, A, B, C, W[13], 0x80DEB1FE);
191 P(C, D, E, F, G, H, A, B, W[14], 0x9BDC06A7);
192 P(B, C, D, E, F, G, H, A, W[15], 0xC19BF174);
193 P(A, B, C, D, E, F, G, H, R(16), 0xE49B69C1);
194 P(H, A, B, C, D, E, F, G, R(17), 0xEFBE4786);
195 P(G, H, A, B, C, D, E, F, R(18), 0x0FC19DC6);
196 P(F, G, H, A, B, C, D, E, R(19), 0x240CA1CC);
197 P(E, F, G, H, A, B, C, D, R(20), 0x2DE92C6F);
198 P(D, E, F, G, H, A, B, C, R(21), 0x4A7484AA);
199 P(C, D, E, F, G, H, A, B, R(22), 0x5CB0A9DC);
200 P(B, C, D, E, F, G, H, A, R(23), 0x76F988DA);
201 P(A, B, C, D, E, F, G, H, R(24), 0x983E5152);
202 P(H, A, B, C, D, E, F, G, R(25), 0xA831C66D);
203 P(G, H, A, B, C, D, E, F, R(26), 0xB00327C8);
204 P(F, G, H, A, B, C, D, E, R(27), 0xBF597FC7);
205 P(E, F, G, H, A, B, C, D, R(28), 0xC6E00BF3);
206 P(D, E, F, G, H, A, B, C, R(29), 0xD5A79147);
207 P(C, D, E, F, G, H, A, B, R(30), 0x06CA6351);
208 P(B, C, D, E, F, G, H, A, R(31), 0x14292967);
209 P(A, B, C, D, E, F, G, H, R(32), 0x27B70A85);
210 P(H, A, B, C, D, E, F, G, R(33), 0x2E1B2138);
211 P(G, H, A, B, C, D, E, F, R(34), 0x4D2C6DFC);
212 P(F, G, H, A, B, C, D, E, R(35), 0x53380D13);
213 P(E, F, G, H, A, B, C, D, R(36), 0x650A7354);
214 P(D, E, F, G, H, A, B, C, R(37), 0x766A0ABB);
215 P(C, D, E, F, G, H, A, B, R(38), 0x81C2C92E);
216 P(B, C, D, E, F, G, H, A, R(39), 0x92722C85);
217 P(A, B, C, D, E, F, G, H, R(40), 0xA2BFE8A1);
218 P(H, A, B, C, D, E, F, G, R(41), 0xA81A664B);
219 P(G, H, A, B, C, D, E, F, R(42), 0xC24B8B70);
220 P(F, G, H, A, B, C, D, E, R(43), 0xC76C51A3);
221 P(E, F, G, H, A, B, C, D, R(44), 0xD192E819);
222 P(D, E, F, G, H, A, B, C, R(45), 0xD6990624);
223 P(C, D, E, F, G, H, A, B, R(46), 0xF40E3585);
224 P(B, C, D, E, F, G, H, A, R(47), 0x106AA070);
225 P(A, B, C, D, E, F, G, H, R(48), 0x19A4C116);
226 P(H, A, B, C, D, E, F, G, R(49), 0x1E376C08);
227 P(G, H, A, B, C, D, E, F, R(50), 0x2748774C);
228 P(F, G, H, A, B, C, D, E, R(51), 0x34B0BCB5);
229 P(E, F, G, H, A, B, C, D, R(52), 0x391C0CB3);
230 P(D, E, F, G, H, A, B, C, R(53), 0x4ED8AA4A);
231 P(C, D, E, F, G, H, A, B, R(54), 0x5B9CCA4F);
232 P(B, C, D, E, F, G, H, A, R(55), 0x682E6FF3);
233 P(A, B, C, D, E, F, G, H, R(56), 0x748F82EE);
234 P(H, A, B, C, D, E, F, G, R(57), 0x78A5636F);
235 P(G, H, A, B, C, D, E, F, R(58), 0x84C87814);
236 P(F, G, H, A, B, C, D, E, R(59), 0x8CC70208);
237 P(E, F, G, H, A, B, C, D, R(60), 0x90BEFFFA);
238 P(D, E, F, G, H, A, B, C, R(61), 0xA4506CEB);
239 P(C, D, E, F, G, H, A, B, R(62), 0xBEF9A3F7);
240 P(B, C, D, E, F, G, H, A, R(63), 0xC67178F2);
253 * Accepts an array of octets as the next portion of the message.
255 void SHA256::doUpdate(const byte * msg, int len)
257 uint32_t left = total[0] & 0x3F;
258 uint32_t fill = 64 - left;
261 total[0] &= 0xFFFFFFFF;
266 if (left && len >= fill)
268 memcpy((void *) (buffer + left), (void *) msg, fill);
269 SHA256::SHA256_Process(buffer);
277 SHA256::SHA256_Process(msg);
284 memcpy((void *) (buffer + left), (void *) msg, len);
289 * Return the 256-bit message digest into the user's array
291 void SHA256::doFinal(byte *digest)
297 high = (total[0] >> 29)
299 low = (total[0] << 3);
301 PUT_UINT32(high, msglen, 0);
302 PUT_UINT32(low, msglen, 4);
304 last = total[0] & 0x3F;
305 padn = (last < 56) ? (56 - last) : (120 - last);
307 SHA256::doUpdate(sha256_padding, padn);
308 SHA256::doUpdate(msglen, 8);
310 PUT_UINT32(state[0], digest, 0);
311 PUT_UINT32(state[1], digest, 4);
312 PUT_UINT32(state[2], digest, 8);
313 PUT_UINT32(state[3], digest, 12);
314 PUT_UINT32(state[4], digest, 16);
315 PUT_UINT32(state[5], digest, 20);
316 PUT_UINT32(state[6], digest, 24);
317 PUT_UINT32(state[7], digest, 28);
320 bool SHA256::matches(const byte *expected)
322 byte theDigest[SHA256_SIZE];
324 for (byte i = 0; i < SHA256_SIZE; i++)
326 if (expected[i] != theDigest[i])
332 /******************************************************************************/
334 #define rot1(x) (((x) << 24) | ((x) >> 8))
335 #define rot2(x) (((x) << 16) | ((x) >> 16))
336 #define rot3(x) (((x) << 8) | ((x) >> 24))
339 * This cute trick does 4 'mul by two' at once. Stolen from
340 * Dr B. R. Gladman <brg@gladman.uk.net> but I'm sure the u-(u>>7) is
341 * a standard graphics trick
342 * The key to this is that we need to xor with 0x1b if the top bit is set.
343 * a 1xxx xxxx 0xxx 0xxx First we mask the 7bit,
344 * b 1000 0000 0000 0000 then we shift right by 7 putting the 7bit in 0bit,
345 * c 0000 0001 0000 0000 we then subtract (c) from (b)
346 * d 0111 1111 0000 0000 and now we and with our mask
347 * e 0001 1011 0000 0000
349 #define mt 0x80808080
350 #define ml 0x7f7f7f7f
351 #define mh 0xfefefefe
352 #define mm 0x1b1b1b1b
353 #define mul2(x,t) ((t)=((x)&mt), \
354 ((((x)+(x))&mh)^(((t)-((t)>>7))&mm)))
356 #define inv_mix_col(x,f2,f4,f8,f9) (\
361 (f8)=((f2)^(f4)^(f8)), \
371 static const uint8_t aes_sbox[256] =
373 0x63,0x7C,0x77,0x7B,0xF2,0x6B,0x6F,0xC5,
374 0x30,0x01,0x67,0x2B,0xFE,0xD7,0xAB,0x76,
375 0xCA,0x82,0xC9,0x7D,0xFA,0x59,0x47,0xF0,
376 0xAD,0xD4,0xA2,0xAF,0x9C,0xA4,0x72,0xC0,
377 0xB7,0xFD,0x93,0x26,0x36,0x3F,0xF7,0xCC,
378 0x34,0xA5,0xE5,0xF1,0x71,0xD8,0x31,0x15,
379 0x04,0xC7,0x23,0xC3,0x18,0x96,0x05,0x9A,
380 0x07,0x12,0x80,0xE2,0xEB,0x27,0xB2,0x75,
381 0x09,0x83,0x2C,0x1A,0x1B,0x6E,0x5A,0xA0,
382 0x52,0x3B,0xD6,0xB3,0x29,0xE3,0x2F,0x84,
383 0x53,0xD1,0x00,0xED,0x20,0xFC,0xB1,0x5B,
384 0x6A,0xCB,0xBE,0x39,0x4A,0x4C,0x58,0xCF,
385 0xD0,0xEF,0xAA,0xFB,0x43,0x4D,0x33,0x85,
386 0x45,0xF9,0x02,0x7F,0x50,0x3C,0x9F,0xA8,
387 0x51,0xA3,0x40,0x8F,0x92,0x9D,0x38,0xF5,
388 0xBC,0xB6,0xDA,0x21,0x10,0xFF,0xF3,0xD2,
389 0xCD,0x0C,0x13,0xEC,0x5F,0x97,0x44,0x17,
390 0xC4,0xA7,0x7E,0x3D,0x64,0x5D,0x19,0x73,
391 0x60,0x81,0x4F,0xDC,0x22,0x2A,0x90,0x88,
392 0x46,0xEE,0xB8,0x14,0xDE,0x5E,0x0B,0xDB,
393 0xE0,0x32,0x3A,0x0A,0x49,0x06,0x24,0x5C,
394 0xC2,0xD3,0xAC,0x62,0x91,0x95,0xE4,0x79,
395 0xE7,0xC8,0x37,0x6D,0x8D,0xD5,0x4E,0xA9,
396 0x6C,0x56,0xF4,0xEA,0x65,0x7A,0xAE,0x08,
397 0xBA,0x78,0x25,0x2E,0x1C,0xA6,0xB4,0xC6,
398 0xE8,0xDD,0x74,0x1F,0x4B,0xBD,0x8B,0x8A,
399 0x70,0x3E,0xB5,0x66,0x48,0x03,0xF6,0x0E,
400 0x61,0x35,0x57,0xB9,0x86,0xC1,0x1D,0x9E,
401 0xE1,0xF8,0x98,0x11,0x69,0xD9,0x8E,0x94,
402 0x9B,0x1E,0x87,0xE9,0xCE,0x55,0x28,0xDF,
403 0x8C,0xA1,0x89,0x0D,0xBF,0xE6,0x42,0x68,
404 0x41,0x99,0x2D,0x0F,0xB0,0x54,0xBB,0x16,
410 static const uint8_t aes_isbox[256] =
412 0x52,0x09,0x6a,0xd5,0x30,0x36,0xa5,0x38,
413 0xbf,0x40,0xa3,0x9e,0x81,0xf3,0xd7,0xfb,
414 0x7c,0xe3,0x39,0x82,0x9b,0x2f,0xff,0x87,
415 0x34,0x8e,0x43,0x44,0xc4,0xde,0xe9,0xcb,
416 0x54,0x7b,0x94,0x32,0xa6,0xc2,0x23,0x3d,
417 0xee,0x4c,0x95,0x0b,0x42,0xfa,0xc3,0x4e,
418 0x08,0x2e,0xa1,0x66,0x28,0xd9,0x24,0xb2,
419 0x76,0x5b,0xa2,0x49,0x6d,0x8b,0xd1,0x25,
420 0x72,0xf8,0xf6,0x64,0x86,0x68,0x98,0x16,
421 0xd4,0xa4,0x5c,0xcc,0x5d,0x65,0xb6,0x92,
422 0x6c,0x70,0x48,0x50,0xfd,0xed,0xb9,0xda,
423 0x5e,0x15,0x46,0x57,0xa7,0x8d,0x9d,0x84,
424 0x90,0xd8,0xab,0x00,0x8c,0xbc,0xd3,0x0a,
425 0xf7,0xe4,0x58,0x05,0xb8,0xb3,0x45,0x06,
426 0xd0,0x2c,0x1e,0x8f,0xca,0x3f,0x0f,0x02,
427 0xc1,0xaf,0xbd,0x03,0x01,0x13,0x8a,0x6b,
428 0x3a,0x91,0x11,0x41,0x4f,0x67,0xdc,0xea,
429 0x97,0xf2,0xcf,0xce,0xf0,0xb4,0xe6,0x73,
430 0x96,0xac,0x74,0x22,0xe7,0xad,0x35,0x85,
431 0xe2,0xf9,0x37,0xe8,0x1c,0x75,0xdf,0x6e,
432 0x47,0xf1,0x1a,0x71,0x1d,0x29,0xc5,0x89,
433 0x6f,0xb7,0x62,0x0e,0xaa,0x18,0xbe,0x1b,
434 0xfc,0x56,0x3e,0x4b,0xc6,0xd2,0x79,0x20,
435 0x9a,0xdb,0xc0,0xfe,0x78,0xcd,0x5a,0xf4,
436 0x1f,0xdd,0xa8,0x33,0x88,0x07,0xc7,0x31,
437 0xb1,0x12,0x10,0x59,0x27,0x80,0xec,0x5f,
438 0x60,0x51,0x7f,0xa9,0x19,0xb5,0x4a,0x0d,
439 0x2d,0xe5,0x7a,0x9f,0x93,0xc9,0x9c,0xef,
440 0xa0,0xe0,0x3b,0x4d,0xae,0x2a,0xf5,0xb0,
441 0xc8,0xeb,0xbb,0x3c,0x83,0x53,0x99,0x61,
442 0x17,0x2b,0x04,0x7e,0xba,0x77,0xd6,0x26,
443 0xe1,0x69,0x14,0x63,0x55,0x21,0x0c,0x7d
446 static const unsigned char Rcon[30]=
448 0x01,0x02,0x04,0x08,0x10,0x20,0x40,0x80,
449 0x1b,0x36,0x6c,0xd8,0xab,0x4d,0x9a,0x2f,
450 0x5e,0xbc,0x63,0xc6,0x97,0x35,0x6a,0xd4,
451 0xb3,0x7d,0xfa,0xef,0xc5,0x91,
454 /* Perform doubling in Galois Field GF(2^8) using the irreducible polynomial
456 static unsigned char AES_xtime(uint32_t x)
458 return (x&0x80) ? (x<<1)^0x1b : x<<1;
463 * Encrypt a single block (16 bytes) of data
465 void AES::encrypt(uint32_t *data)
467 /* To make this code smaller, generate the sbox entries on the fly.
468 * This will have a really heavy effect upon performance.
471 uint32_t tmp1, old_a0, a0, a1, a2, a3, row;
473 int rounds = _rounds;
474 const uint32_t *k = _ks;
476 /* Pre-round key addition */
477 for (row = 0; row < 4; row++)
480 /* Encrypt one block. */
481 for (curr_rnd = 0; curr_rnd < rounds; curr_rnd++)
483 /* Perform ByteSub and ShiftRow operations together */
484 for (row = 0; row < 4; row++)
486 a0 = (uint32_t)aes_sbox[(data[row%4]>>24)&0xFF];
487 a1 = (uint32_t)aes_sbox[(data[(row+1)%4]>>16)&0xFF];
488 a2 = (uint32_t)aes_sbox[(data[(row+2)%4]>>8)&0xFF];
489 a3 = (uint32_t)aes_sbox[(data[(row+3)%4])&0xFF];
491 /* Perform MixColumn iff not last round */
492 if (curr_rnd < (rounds - 1))
494 tmp1 = a0 ^ a1 ^ a2 ^ a3;
496 a0 ^= tmp1 ^ AES_xtime(a0 ^ a1);
497 a1 ^= tmp1 ^ AES_xtime(a1 ^ a2);
498 a2 ^= tmp1 ^ AES_xtime(a2 ^ a3);
499 a3 ^= tmp1 ^ AES_xtime(a3 ^ old_a0);
502 tmp[row] = ((a0 << 24) | (a1 << 16) | (a2 << 8) | a3);
505 /* KeyAddition - note that it is vital that this loop is separate from
506 the MixColumn operation, which must be atomic...*/
507 for (row = 0; row < 4; row++)
508 data[row] = tmp[row] ^ *(k++);
513 * Decrypt a single block (16 bytes) of data
515 void AES::decrypt(uint32_t *data)
518 uint32_t xt0,xt1,xt2,xt3,xt4,xt5,xt6;
519 uint32_t a0, a1, a2, a3, row;
521 int rounds = _rounds;
522 const uint32_t *k = _ks + ((rounds+1)*4);
524 /* pre-round key addition */
525 for (row=4; row > 0;row--)
526 data[row-1] ^= *(--k);
528 /* Decrypt one block */
529 for (curr_rnd = 0; curr_rnd < rounds; curr_rnd++)
531 /* Perform ByteSub and ShiftRow operations together */
532 for (row = 4; row > 0; row--)
534 a0 = aes_isbox[(data[(row+3)%4]>>24)&0xFF];
535 a1 = aes_isbox[(data[(row+2)%4]>>16)&0xFF];
536 a2 = aes_isbox[(data[(row+1)%4]>>8)&0xFF];
537 a3 = aes_isbox[(data[row%4])&0xFF];
539 /* Perform MixColumn iff not last round */
540 if (curr_rnd<(rounds-1))
542 /* The MDS cofefficients (0x09, 0x0B, 0x0D, 0x0E)
543 are quite large compared to encryption; this
544 operation slows decryption down noticeably. */
545 xt0 = AES_xtime(a0^a1);
546 xt1 = AES_xtime(a1^a2);
547 xt2 = AES_xtime(a2^a3);
548 xt3 = AES_xtime(a3^a0);
549 xt4 = AES_xtime(xt0^xt1);
550 xt5 = AES_xtime(xt1^xt2);
551 xt6 = AES_xtime(xt4^xt5);
553 xt0 ^= a1^a2^a3^xt4^xt6;
554 xt1 ^= a0^a2^a3^xt5^xt6;
555 xt2 ^= a0^a1^a3^xt4^xt6;
556 xt3 ^= a0^a1^a2^xt5^xt6;
557 tmp[row-1] = ((xt0<<24)|(xt1<<16)|(xt2<<8)|xt3);
560 tmp[row-1] = ((a0<<24)|(a1<<16)|(a2<<8)|a3);
563 for (row = 4; row > 0; row--)
564 data[row-1] = tmp[row-1] ^ *(--k);
568 AES::AES(const uint8_t *key, const uint8_t *iv, AES_MODE mode, CIPHER_MODE cipherMode)
570 _cipherMode = cipherMode;
573 uint32_t *W, tmp, tmp2;
574 const unsigned char *ip;
589 default: /* fail silently */
596 for (i = 0; i < words; i+=2)
598 W[i+0]= ((uint32_t)key[ 0]<<24)|
599 ((uint32_t)key[ 1]<<16)|
600 ((uint32_t)key[ 2]<< 8)|
601 ((uint32_t)key[ 3] );
602 W[i+1]= ((uint32_t)key[ 4]<<24)|
603 ((uint32_t)key[ 5]<<16)|
604 ((uint32_t)key[ 6]<< 8)|
605 ((uint32_t)key[ 7] );
610 ii = 4 * (_rounds+1);
611 for (i = words; i<ii; i++)
615 if ((i % words) == 0)
617 tmp2 =(uint32_t)aes_sbox[(tmp )&0xff]<< 8;
618 tmp2|=(uint32_t)aes_sbox[(tmp>> 8)&0xff]<<16;
619 tmp2|=(uint32_t)aes_sbox[(tmp>>16)&0xff]<<24;
620 tmp2|=(uint32_t)aes_sbox[(tmp>>24) ];
621 tmp=tmp2^(((unsigned int)*ip)<<24);
625 if ((words == 8) && ((i % words) == 4))
627 tmp2 =(uint32_t)aes_sbox[(tmp )&0xff] ;
628 tmp2|=(uint32_t)aes_sbox[(tmp>> 8)&0xff]<< 8;
629 tmp2|=(uint32_t)aes_sbox[(tmp>>16)&0xff]<<16;
630 tmp2|=(uint32_t)aes_sbox[(tmp>>24) ]<<24;
637 /* copy the iv across */
640 /* Do we need to convert the key */
641 if (_cipherMode == CIPHER_DECRYPT)
647 void AES::process(const uint8_t *in, uint8_t *out, int length)
649 if (_cipherMode == CIPHER_ENCRYPT)
650 encryptCBC(in, out, length);
652 decryptCBC(in, out, length);
655 void AES::encryptCBC(const uint8_t *in, uint8_t *out, int length)
658 uint32_t tin[4], tout[4], iv[4];
660 memcpy(iv, _iv, AES_IV_SIZE);
661 for (i = 0; i < 4; i++)
662 tout[i] = crypto_ntohl(iv[i]);
664 for (length -= AES_BLOCKSIZE; length >= 0; length -= AES_BLOCKSIZE)
668 memcpy(msg_32, in, AES_BLOCKSIZE);
671 for (i = 0; i < 4; i++)
672 tin[i] = crypto_ntohl(msg_32[i])^tout[i];
676 for (i = 0; i < 4; i++)
679 out_32[i] = crypto_htonl(tout[i]);
682 memcpy(out, out_32, AES_BLOCKSIZE);
683 out += AES_BLOCKSIZE;
686 for (i = 0; i < 4; i++)
687 iv[i] = crypto_htonl(tout[i]);
688 memcpy(_iv, iv, AES_IV_SIZE);
691 void AES::decryptCBC(const uint8_t *in, uint8_t *out, int length)
694 uint32_t tin[4], bufxor[4], tout[4], data[4], iv[4];
696 memcpy(iv, _iv, AES_IV_SIZE);
697 for (i = 0; i < 4; i++)
698 bufxor[i] = crypto_ntohl(iv[i]);
700 for (length -= 16; length >= 0; length -= 16)
704 memcpy(msg_32, in, AES_BLOCKSIZE);
707 for (i = 0; i < 4; i++)
709 tin[i] = crypto_ntohl(msg_32[i]);
715 for (i = 0; i < 4; i++)
717 tout[i] = data[i] ^ bufxor[i];
719 out_32[i] = crypto_htonl(tout[i]);
722 memcpy(out, out_32, AES_BLOCKSIZE);
723 out += AES_BLOCKSIZE;
726 for (i = 0; i < 4; i++)
727 iv[i] = crypto_htonl(bufxor[i]);
728 memcpy(_iv, iv, AES_IV_SIZE);
731 void AES::convertKey()
734 uint32_t *k,w,t1,t2,t3,t4;
739 for (i= _rounds*4; i > 4; i--)
742 w = inv_mix_col(w,t1,t2,t3,t4);
748 * ESP8266 specific RNG which use seems to use the hardware RNG provided on
752 void RNG::fill(uint8_t *dst, unsigned int length)
755 for (int i = 0; i < length; i++)
764 uint32_t* randReg = (uint32_t*) 0x3FF20E44L;
765 return (byte) *randReg;
768 uint32_t RNG::getLong()
771 uint32_t* randReg = (uint32_t*) 0x3FF20E44L;
780 SHA256HMAC::SHA256HMAC(const byte *key, unsigned int keyLen)
783 byte theKey[SHA256HMAC_BLOCKSIZE];
784 memset(theKey, 0, SHA256HMAC_BLOCKSIZE);
785 if (keyLen > SHA256HMAC_BLOCKSIZE)
787 // take a hash of the key
789 keyHahser.doUpdate(key, keyLen);
790 keyHahser.doFinal(theKey);
794 // we already set the buffer to 0s, so just copy keyLen
796 memcpy(theKey, key, keyLen);
798 // explicitly zero pads
799 memset(_innerKey, 0, SHA256HMAC_BLOCKSIZE);
800 memset(_outerKey, 0, SHA256HMAC_BLOCKSIZE);
802 blockXor(theKey, _innerKey, HMAC_IPAD, SHA256HMAC_BLOCKSIZE);
803 blockXor(theKey, _outerKey, HMAC_OPAD, SHA256HMAC_BLOCKSIZE);
804 // start the intermediate hash
805 _hash.doUpdate(_innerKey, SHA256HMAC_BLOCKSIZE);
808 void SHA256HMAC::doUpdate(const byte *msg, unsigned int len)
810 _hash.doUpdate(msg, len);
813 void SHA256HMAC::doFinal(byte *digest)
815 // compute the intermediate hash
816 byte interHash[SHA256_SIZE];
817 _hash.doFinal(interHash);
818 // compute the final hash
820 finalHash.doUpdate(_outerKey, SHA256HMAC_BLOCKSIZE);
821 finalHash.doUpdate(interHash, SHA256_SIZE);
822 finalHash.doFinal(digest);
825 bool SHA256HMAC::matches(const byte *expected)
827 byte theDigest[SHA256_SIZE];
829 for (byte i = 0; i < SHA256_SIZE; i++)
831 if (expected[i] != theDigest[i])
837 void SHA256HMAC::blockXor(const byte *in, byte *out, byte val, byte len)
839 for (byte i = 0; i < len; i++)
841 out[i] = in[i] ^ val;
