TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / 2b222c830b74ddbc98e6cb26dfc28dc8f3f2501a / . / library / aes.c
blob: 90473668184d468cea37a295858d1eaf8d136fed [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]4 * Based on XySSL: Copyright (C) 2006-2008 Christophe Devine
5 *
Paul Bakker785a9ee2009-01-25 14:15:10 +0000[diff] [blame]6 * Copyright (C) 2009 Paul Bakker <polarssl_maintainer at polarssl dot org>
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22/*
23 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
24 *
25 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
26 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
27 */
28
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]29#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]30
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]31#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]32
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]33#include "polarssl/aes.h"
34#include "polarssl/padlock.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
36#include <string.h>
37
38/*
39 * 32-bit integer manipulation macros (little endian)
40 */
41#ifndef GET_ULONG_LE
42#define GET_ULONG_LE(n,b,i) \
43{ \
44 (n) = ( (unsigned long) (b)[(i) ] ) \
45 | ( (unsigned long) (b)[(i) + 1] << 8 ) \
46 | ( (unsigned long) (b)[(i) + 2] << 16 ) \
47 | ( (unsigned long) (b)[(i) + 3] << 24 ); \
48}
49#endif
50
51#ifndef PUT_ULONG_LE
52#define PUT_ULONG_LE(n,b,i) \
53{ \
54 (b)[(i) ] = (unsigned char) ( (n) ); \
55 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
56 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
57 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
58}
59#endif
60
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]61#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]62/*
63 * Forward S-box
64 */
65static const unsigned char FSb[256] =
66{
67 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
68 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
69 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
70 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
71 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
72 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
73 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
74 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
75 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
76 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
77 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
78 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
79 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
80 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
81 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
82 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
83 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
84 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
85 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
86 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
87 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
88 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
89 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
90 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
91 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
92 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
93 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
94 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
95 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
96 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
97 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
98 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
99};
100
101/*
102 * Forward tables
103 */
104#define FT \
105\
106 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
107 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
108 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
109 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
110 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
111 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
112 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
113 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
114 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
115 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
116 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
117 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
118 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
119 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
120 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
121 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
122 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
123 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
124 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
125 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
126 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
127 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
128 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
129 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
130 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
131 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
132 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
133 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
134 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
135 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
136 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
137 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
138 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
139 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
140 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
141 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
142 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
143 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
144 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
145 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
146 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
147 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
148 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
149 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
150 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
151 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
152 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
153 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
154 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
155 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
156 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
157 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
158 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
159 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
160 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
161 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
162 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
163 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
164 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
165 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
166 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
167 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
168 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
169 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
170
171#define V(a,b,c,d) 0x##a##b##c##d
172static const unsigned long FT0[256] = { FT };
173#undef V
174
175#define V(a,b,c,d) 0x##b##c##d##a
176static const unsigned long FT1[256] = { FT };
177#undef V
178
179#define V(a,b,c,d) 0x##c##d##a##b
180static const unsigned long FT2[256] = { FT };
181#undef V
182
183#define V(a,b,c,d) 0x##d##a##b##c
184static const unsigned long FT3[256] = { FT };
185#undef V
186
187#undef FT
188
189/*
190 * Reverse S-box
191 */
192static const unsigned char RSb[256] =
193{
194 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
195 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
196 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
197 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
198 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
199 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
200 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
201 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
202 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
203 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
204 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
205 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
206 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
207 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
208 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
209 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
210 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
211 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
212 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
213 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
214 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
215 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
216 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
217 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
218 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
219 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
220 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
221 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
222 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
223 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
224 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
225 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
226};
227
228/*
229 * Reverse tables
230 */
231#define RT \
232\
233 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
234 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
235 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
236 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
237 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
238 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
239 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
240 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
241 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
242 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
243 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
244 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
245 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
246 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
247 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
248 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
249 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
250 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
251 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
252 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
253 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
254 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
255 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
256 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
257 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
258 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
259 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
260 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
261 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
262 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
263 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
264 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
265 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
266 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
267 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
268 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
269 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
270 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
271 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
272 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
273 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
274 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
275 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
276 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
277 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
278 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
279 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
280 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
281 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
282 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
283 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
284 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
285 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
286 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
287 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
288 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
289 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
290 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
291 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
292 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
293 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
294 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
295 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
296 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
297
298#define V(a,b,c,d) 0x##a##b##c##d
299static const unsigned long RT0[256] = { RT };
300#undef V
301
302#define V(a,b,c,d) 0x##b##c##d##a
303static const unsigned long RT1[256] = { RT };
304#undef V
305
306#define V(a,b,c,d) 0x##c##d##a##b
307static const unsigned long RT2[256] = { RT };
308#undef V
309
310#define V(a,b,c,d) 0x##d##a##b##c
311static const unsigned long RT3[256] = { RT };
312#undef V
313
314#undef RT
315
316/*
317 * Round constants
318 */
319static const unsigned long RCON[10] =
320{
321 0x00000001, 0x00000002, 0x00000004, 0x00000008,
322 0x00000010, 0x00000020, 0x00000040, 0x00000080,
323 0x0000001B, 0x00000036
324};
325
326#else
327
328/*
329 * Forward S-box & tables
330 */
331static unsigned char FSb[256];
332static unsigned long FT0[256];
333static unsigned long FT1[256];
334static unsigned long FT2[256];
335static unsigned long FT3[256];
336
337/*
338 * Reverse S-box & tables
339 */
340static unsigned char RSb[256];
341static unsigned long RT0[256];
342static unsigned long RT1[256];
343static unsigned long RT2[256];
344static unsigned long RT3[256];
345
346/*
347 * Round constants
348 */
349static unsigned long RCON[10];
350
351/*
352 * Tables generation code
353 */
354#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
355#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
356#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
357
358static int aes_init_done = 0;
359
360static void aes_gen_tables( void )
361{
362 int i, x, y, z;
363 int pow[256];
364 int log[256];
365
366 /*
367 * compute pow and log tables over GF(2^8)
368 */
369 for( i = 0, x = 1; i < 256; i++ )
370 {
371 pow[i] = x;
372 log[x] = i;
373 x = ( x ^ XTIME( x ) ) & 0xFF;
374 }
375
376 /*
377 * calculate the round constants
378 */
379 for( i = 0, x = 1; i < 10; i++ )
380 {
381 RCON[i] = (unsigned long) x;
382 x = XTIME( x ) & 0xFF;
383 }
384
385 /*
386 * generate the forward and reverse S-boxes
387 */
388 FSb[0x00] = 0x63;
389 RSb[0x63] = 0x00;
390
391 for( i = 1; i < 256; i++ )
392 {
393 x = pow[255 - log[i]];
394
395 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
396 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
397 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
398 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
399 x ^= y ^ 0x63;
400
401 FSb[i] = (unsigned char) x;
402 RSb[x] = (unsigned char) i;
403 }
404
405 /*
406 * generate the forward and reverse tables
407 */
408 for( i = 0; i < 256; i++ )
409 {
410 x = FSb[i];
411 y = XTIME( x ) & 0xFF;
412 z = ( y ^ x ) & 0xFF;
413
414 FT0[i] = ( (unsigned long) y ) ^
415 ( (unsigned long) x << 8 ) ^
416 ( (unsigned long) x << 16 ) ^
417 ( (unsigned long) z << 24 );
418
419 FT1[i] = ROTL8( FT0[i] );
420 FT2[i] = ROTL8( FT1[i] );
421 FT3[i] = ROTL8( FT2[i] );
422
423 x = RSb[i];
424
425 RT0[i] = ( (unsigned long) MUL( 0x0E, x ) ) ^
426 ( (unsigned long) MUL( 0x09, x ) << 8 ) ^
427 ( (unsigned long) MUL( 0x0D, x ) << 16 ) ^
428 ( (unsigned long) MUL( 0x0B, x ) << 24 );
429
430 RT1[i] = ROTL8( RT0[i] );
431 RT2[i] = ROTL8( RT1[i] );
432 RT3[i] = ROTL8( RT2[i] );
433 }
434}
435
436#endif
437
438/*
439 * AES key schedule (encryption)
440 */
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame^]441int aes_setkey_enc( aes_context *ctx, unsigned char *key, int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]442{
443 int i;
444 unsigned long *RK;
445
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]446#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]447 if( aes_init_done == 0 )
448 {
449 aes_gen_tables();
450 aes_init_done = 1;
451 }
452#endif
453
454 switch( keysize )
455 {
456 case 128: ctx->nr = 10; break;
457 case 192: ctx->nr = 12; break;
458 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame^]459 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]460 }
461
462#if defined(PADLOCK_ALIGN16)
463 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
464#else
465 ctx->rk = RK = ctx->buf;
466#endif
467
468 for( i = 0; i < (keysize >> 5); i++ )
469 {
470 GET_ULONG_LE( RK[i], key, i << 2 );
471 }
472
473 switch( ctx->nr )
474 {
475 case 10:
476
477 for( i = 0; i < 10; i++, RK += 4 )
478 {
479 RK[4] = RK[0] ^ RCON[i] ^
480 ( (unsigned long) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
481 ( (unsigned long) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
482 ( (unsigned long) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
483 ( (unsigned long) FSb[ ( RK[3] ) & 0xFF ] << 24 );
484
485 RK[5] = RK[1] ^ RK[4];
486 RK[6] = RK[2] ^ RK[5];
487 RK[7] = RK[3] ^ RK[6];
488 }
489 break;
490
491 case 12:
492
493 for( i = 0; i < 8; i++, RK += 6 )
494 {
495 RK[6] = RK[0] ^ RCON[i] ^
496 ( (unsigned long) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
497 ( (unsigned long) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
498 ( (unsigned long) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
499 ( (unsigned long) FSb[ ( RK[5] ) & 0xFF ] << 24 );
500
501 RK[7] = RK[1] ^ RK[6];
502 RK[8] = RK[2] ^ RK[7];
503 RK[9] = RK[3] ^ RK[8];
504 RK[10] = RK[4] ^ RK[9];
505 RK[11] = RK[5] ^ RK[10];
506 }
507 break;
508
509 case 14:
510
511 for( i = 0; i < 7; i++, RK += 8 )
512 {
513 RK[8] = RK[0] ^ RCON[i] ^
514 ( (unsigned long) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
515 ( (unsigned long) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
516 ( (unsigned long) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
517 ( (unsigned long) FSb[ ( RK[7] ) & 0xFF ] << 24 );
518
519 RK[9] = RK[1] ^ RK[8];
520 RK[10] = RK[2] ^ RK[9];
521 RK[11] = RK[3] ^ RK[10];
522
523 RK[12] = RK[4] ^
524 ( (unsigned long) FSb[ ( RK[11] ) & 0xFF ] ) ^
525 ( (unsigned long) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
526 ( (unsigned long) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
527 ( (unsigned long) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
528
529 RK[13] = RK[5] ^ RK[12];
530 RK[14] = RK[6] ^ RK[13];
531 RK[15] = RK[7] ^ RK[14];
532 }
533 break;
534
535 default:
536
537 break;
538 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame^]539
540 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]541}
542
543/*
544 * AES key schedule (decryption)
545 */
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame^]546int aes_setkey_dec( aes_context *ctx, unsigned char *key, int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]547{
548 int i, j;
549 aes_context cty;
550 unsigned long *RK;
551 unsigned long *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame^]552 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]553
554 switch( keysize )
555 {
556 case 128: ctx->nr = 10; break;
557 case 192: ctx->nr = 12; break;
558 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame^]559 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]560 }
561
562#if defined(PADLOCK_ALIGN16)
563 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
564#else
565 ctx->rk = RK = ctx->buf;
566#endif
567
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame^]568 ret = aes_setkey_enc( &cty, key, keysize );
569 if( ret != 0 )
570 return( ret );
571
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]572 SK = cty.rk + cty.nr * 4;
573
574 *RK++ = *SK++;
575 *RK++ = *SK++;
576 *RK++ = *SK++;
577 *RK++ = *SK++;
578
579 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
580 {
581 for( j = 0; j < 4; j++, SK++ )
582 {
583 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
584 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
585 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
586 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
587 }
588 }
589
590 *RK++ = *SK++;
591 *RK++ = *SK++;
592 *RK++ = *SK++;
593 *RK++ = *SK++;
594
595 memset( &cty, 0, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame^]596
597 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]598}
599
600#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
601{ \
602 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
603 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
604 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
605 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
606 \
607 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
608 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
609 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
610 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
611 \
612 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
613 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
614 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
615 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
616 \
617 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
618 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
619 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
620 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
621}
622
623#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
624{ \
625 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
626 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
627 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
628 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
629 \
630 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
631 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
632 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
633 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
634 \
635 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
636 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
637 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
638 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
639 \
640 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
641 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
642 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
643 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
644}
645
646/*
647 * AES-ECB block encryption/decryption
648 */
649void aes_crypt_ecb( aes_context *ctx,
650 int mode,
651 unsigned char input[16],
652 unsigned char output[16] )
653{
654 int i;
655 unsigned long *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
656
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]657#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]658 if( padlock_supports( PADLOCK_ACE ) )
659 {
660 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
661 return;
662 }
663#endif
664
665 RK = ctx->rk;
666
667 GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
668 GET_ULONG_LE( X1, input, 4 ); X1 ^= *RK++;
669 GET_ULONG_LE( X2, input, 8 ); X2 ^= *RK++;
670 GET_ULONG_LE( X3, input, 12 ); X3 ^= *RK++;
671
672 if( mode == AES_DECRYPT )
673 {
674 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
675 {
676 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
677 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
678 }
679
680 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
681
682 X0 = *RK++ ^ \
683 ( (unsigned long) RSb[ ( Y0 ) & 0xFF ] ) ^
684 ( (unsigned long) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
685 ( (unsigned long) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
686 ( (unsigned long) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
687
688 X1 = *RK++ ^ \
689 ( (unsigned long) RSb[ ( Y1 ) & 0xFF ] ) ^
690 ( (unsigned long) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
691 ( (unsigned long) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
692 ( (unsigned long) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
693
694 X2 = *RK++ ^ \
695 ( (unsigned long) RSb[ ( Y2 ) & 0xFF ] ) ^
696 ( (unsigned long) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
697 ( (unsigned long) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
698 ( (unsigned long) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
699
700 X3 = *RK++ ^ \
701 ( (unsigned long) RSb[ ( Y3 ) & 0xFF ] ) ^
702 ( (unsigned long) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
703 ( (unsigned long) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
704 ( (unsigned long) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
705 }
706 else /* AES_ENCRYPT */
707 {
708 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
709 {
710 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
711 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
712 }
713
714 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
715
716 X0 = *RK++ ^ \
717 ( (unsigned long) FSb[ ( Y0 ) & 0xFF ] ) ^
718 ( (unsigned long) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
719 ( (unsigned long) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
720 ( (unsigned long) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
721
722 X1 = *RK++ ^ \
723 ( (unsigned long) FSb[ ( Y1 ) & 0xFF ] ) ^
724 ( (unsigned long) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
725 ( (unsigned long) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
726 ( (unsigned long) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
727
728 X2 = *RK++ ^ \
729 ( (unsigned long) FSb[ ( Y2 ) & 0xFF ] ) ^
730 ( (unsigned long) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
731 ( (unsigned long) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
732 ( (unsigned long) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
733
734 X3 = *RK++ ^ \
735 ( (unsigned long) FSb[ ( Y3 ) & 0xFF ] ) ^
736 ( (unsigned long) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
737 ( (unsigned long) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
738 ( (unsigned long) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
739 }
740
741 PUT_ULONG_LE( X0, output, 0 );
742 PUT_ULONG_LE( X1, output, 4 );
743 PUT_ULONG_LE( X2, output, 8 );
744 PUT_ULONG_LE( X3, output, 12 );
745}
746
747/*
748 * AES-CBC buffer encryption/decryption
749 */
750void aes_crypt_cbc( aes_context *ctx,
751 int mode,
752 int length,
753 unsigned char iv[16],
754 unsigned char *input,
755 unsigned char *output )
756{
757 int i;
758 unsigned char temp[16];
759
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]760#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]761 if( padlock_supports( PADLOCK_ACE ) )
762 {
763 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
764 return;
765 }
766#endif
767
768 if( mode == AES_DECRYPT )
769 {
770 while( length > 0 )
771 {
772 memcpy( temp, input, 16 );
773 aes_crypt_ecb( ctx, mode, input, output );
774
775 for( i = 0; i < 16; i++ )
776 output[i] = (unsigned char)( output[i] ^ iv[i] );
777
778 memcpy( iv, temp, 16 );
779
780 input += 16;
781 output += 16;
782 length -= 16;
783 }
784 }
785 else
786 {
787 while( length > 0 )
788 {
789 for( i = 0; i < 16; i++ )
790 output[i] = (unsigned char)( input[i] ^ iv[i] );
791
792 aes_crypt_ecb( ctx, mode, output, output );
793 memcpy( iv, output, 16 );
794
795 input += 16;
796 output += 16;
797 length -= 16;
798 }
799 }
800}
801
802/*
803 * AES-CFB128 buffer encryption/decryption
804 */
805void aes_crypt_cfb128( aes_context *ctx,
806 int mode,
807 int length,
808 int *iv_off,
809 unsigned char iv[16],
810 unsigned char *input,
811 unsigned char *output )
812{
813 int c, n = *iv_off;
814
815 if( mode == AES_DECRYPT )
816 {
817 while( length-- )
818 {
819 if( n == 0 )
820 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
821
822 c = *input++;
823 *output++ = (unsigned char)( c ^ iv[n] );
824 iv[n] = (unsigned char) c;
825
826 n = (n + 1) & 0x0F;
827 }
828 }
829 else
830 {
831 while( length-- )
832 {
833 if( n == 0 )
834 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
835
836 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
837
838 n = (n + 1) & 0x0F;
839 }
840 }
841
842 *iv_off = n;
843}
844
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]845#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]846
847#include <stdio.h>
848
849/*
850 * AES test vectors from:
851 *
852 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
853 */
854static const unsigned char aes_test_ecb_dec[3][16] =
855{
856 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
857 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
858 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
859 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
860 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
861 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
862};
863
864static const unsigned char aes_test_ecb_enc[3][16] =
865{
866 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
867 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
868 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
869 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
870 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
871 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
872};
873
874static const unsigned char aes_test_cbc_dec[3][16] =
875{
876 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
877 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
878 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
879 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
880 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
881 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
882};
883
884static const unsigned char aes_test_cbc_enc[3][16] =
885{
886 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
887 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
888 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
889 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
890 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
891 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
892};
893
894/*
895 * AES-CFB128 test vectors from:
896 *
897 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
898 */
899static const unsigned char aes_test_cfb128_key[3][32] =
900{
901 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
902 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
903 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
904 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
905 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
906 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
907 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
908 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
909 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
910};
911
912static const unsigned char aes_test_cfb128_iv[16] =
913{
914 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
915 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
916};
917
918static const unsigned char aes_test_cfb128_pt[64] =
919{
920 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
921 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
922 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
923 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
924 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
925 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
926 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
927 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
928};
929
930static const unsigned char aes_test_cfb128_ct[3][64] =
931{
932 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
933 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
934 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
935 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
936 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
937 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
938 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
939 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
940 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
941 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
942 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
943 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
944 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
945 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
946 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
947 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
948 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
949 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
950 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
951 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
952 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
953 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
954 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
955 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
956};
957
958/*
959 * Checkup routine
960 */
961int aes_self_test( int verbose )
962{
963 int i, j, u, v, offset;
964 unsigned char key[32];
965 unsigned char buf[64];
966 unsigned char prv[16];
967 unsigned char iv[16];
968 aes_context ctx;
969
970 memset( key, 0, 32 );
971
972 /*
973 * ECB mode
974 */
975 for( i = 0; i < 6; i++ )
976 {
977 u = i >> 1;
978 v = i & 1;
979
980 if( verbose != 0 )
981 printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
982 ( v == AES_DECRYPT ) ? "dec" : "enc" );
983
984 memset( buf, 0, 16 );
985
986 if( v == AES_DECRYPT )
987 {
988 aes_setkey_dec( &ctx, key, 128 + u * 64 );
989
990 for( j = 0; j < 10000; j++ )
991 aes_crypt_ecb( &ctx, v, buf, buf );
992
993 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
994 {
995 if( verbose != 0 )
996 printf( "failed\n" );
997
998 return( 1 );
999 }
1000 }
1001 else
1002 {
1003 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1004
1005 for( j = 0; j < 10000; j++ )
1006 aes_crypt_ecb( &ctx, v, buf, buf );
1007
1008 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1009 {
1010 if( verbose != 0 )
1011 printf( "failed\n" );
1012
1013 return( 1 );
1014 }
1015 }
1016
1017 if( verbose != 0 )
1018 printf( "passed\n" );
1019 }
1020
1021 if( verbose != 0 )
1022 printf( "\n" );
1023
1024 /*
1025 * CBC mode
1026 */
1027 for( i = 0; i < 6; i++ )
1028 {
1029 u = i >> 1;
1030 v = i & 1;
1031
1032 if( verbose != 0 )
1033 printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1034 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1035
1036 memset( iv , 0, 16 );
1037 memset( prv, 0, 16 );
1038 memset( buf, 0, 16 );
1039
1040 if( v == AES_DECRYPT )
1041 {
1042 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1043
1044 for( j = 0; j < 10000; j++ )
1045 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1046
1047 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1048 {
1049 if( verbose != 0 )
1050 printf( "failed\n" );
1051
1052 return( 1 );
1053 }
1054 }
1055 else
1056 {
1057 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1058
1059 for( j = 0; j < 10000; j++ )
1060 {
1061 unsigned char tmp[16];
1062
1063 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1064
1065 memcpy( tmp, prv, 16 );
1066 memcpy( prv, buf, 16 );
1067 memcpy( buf, tmp, 16 );
1068 }
1069
1070 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1071 {
1072 if( verbose != 0 )
1073 printf( "failed\n" );
1074
1075 return( 1 );
1076 }
1077 }
1078
1079 if( verbose != 0 )
1080 printf( "passed\n" );
1081 }
1082
1083 if( verbose != 0 )
1084 printf( "\n" );
1085
1086 /*
1087 * CFB128 mode
1088 */
1089 for( i = 0; i < 6; i++ )
1090 {
1091 u = i >> 1;
1092 v = i & 1;
1093
1094 if( verbose != 0 )
1095 printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1096 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1097
1098 memcpy( iv, aes_test_cfb128_iv, 16 );
1099 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1100
1101 offset = 0;
1102 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1103
1104 if( v == AES_DECRYPT )
1105 {
1106 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1107 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1108
1109 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1110 {
1111 if( verbose != 0 )
1112 printf( "failed\n" );
1113
1114 return( 1 );
1115 }
1116 }
1117 else
1118 {
1119 memcpy( buf, aes_test_cfb128_pt, 64 );
1120 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1121
1122 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1123 {
1124 if( verbose != 0 )
1125 printf( "failed\n" );
1126
1127 return( 1 );
1128 }
1129 }
1130
1131 if( verbose != 0 )
1132 printf( "passed\n" );
1133 }
1134
1135
1136 if( verbose != 0 )
1137 printf( "\n" );
1138
1139 return( 0 );
1140}
1141
1142#endif
1143
1144#endif