TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / 01e31bbffb3a975576b5e67dfe94764e2438370e / . / library / aes.c
blob: 44770844451e091536d0b60986169e8510cf1ff1 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]4 * Copyright (C) 2006-2013, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27 *
28 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30 */
31
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]32#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#include "polarssl/aes.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]37#if defined(POLARSSL_PADLOCK_C)
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#include "polarssl/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]39#endif
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]40#if defined(POLARSSL_AESNI_C)
41#include "polarssl/aesni.h"
42#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]43
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]44#if !defined(POLARSSL_AES_ALT)
45
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]46/*
47 * 32-bit integer manipulation macros (little endian)
48 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]49#ifndef GET_UINT32_LE
50#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]51{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]52 (n) = ( (uint32_t) (b)[(i) ] ) \
53 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
54 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
55 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]56}
57#endif
58
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]59#ifndef PUT_UINT32_LE
60#define PUT_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]61{ \
62 (b)[(i) ] = (unsigned char) ( (n) ); \
63 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
64 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
65 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
66}
67#endif
68
Paul Bakker0e19e9f2012-10-01 11:02:48 +0000[diff] [blame]69#if defined(POLARSSL_PADLOCK_C) && \
70 ( defined(POLARSSL_HAVE_X86) || defined(PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]71static int aes_padlock_ace = -1;
72#endif
73
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]74#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]75/*
76 * Forward S-box
77 */
78static const unsigned char FSb[256] =
79{
80 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
81 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
82 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
83 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
84 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
85 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
86 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
87 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
88 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
89 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
90 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
91 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
92 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
93 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
94 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
95 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
96 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
97 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
98 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
99 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
100 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
101 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
102 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
103 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
104 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
105 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
106 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
107 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
108 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
109 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
110 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
111 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
112};
113
114/*
115 * Forward tables
116 */
117#define FT \
118\
119 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
120 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
121 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
122 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
123 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
124 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
125 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
126 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
127 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
128 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
129 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
130 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
131 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
132 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
133 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
134 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
135 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
136 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
137 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
138 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
139 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
140 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
141 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
142 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
143 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
144 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
145 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
146 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
147 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
148 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
149 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
150 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
151 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
152 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
153 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
154 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
155 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
156 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
157 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
158 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
159 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
160 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
161 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
162 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
163 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
164 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
165 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
166 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
167 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
168 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
169 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
170 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
171 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
172 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
173 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
174 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
175 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
176 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
177 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
178 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
179 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
180 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
181 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
182 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
183
184#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]185static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]186#undef V
187
188#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]189static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]190#undef V
191
192#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]193static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]194#undef V
195
196#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]197static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]198#undef V
199
200#undef FT
201
202/*
203 * Reverse S-box
204 */
205static const unsigned char RSb[256] =
206{
207 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
208 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
209 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
210 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
211 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
212 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
213 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
214 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
215 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
216 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
217 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
218 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
219 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
220 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
221 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
222 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
223 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
224 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
225 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
226 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
227 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
228 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
229 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
230 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
231 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
232 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
233 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
234 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
235 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
236 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
237 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
238 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
239};
240
241/*
242 * Reverse tables
243 */
244#define RT \
245\
246 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
247 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
248 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
249 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
250 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
251 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
252 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
253 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
254 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
255 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
256 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
257 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
258 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
259 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
260 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
261 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
262 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
263 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
264 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
265 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
266 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
267 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
268 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
269 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
270 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
271 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
272 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
273 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
274 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
275 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
276 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
277 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
278 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
279 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
280 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
281 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
282 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
283 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
284 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
285 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
286 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
287 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
288 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
289 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
290 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
291 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
292 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
293 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
294 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
295 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
296 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
297 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
298 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
299 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
300 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
301 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
302 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
303 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
304 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
305 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
306 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
307 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
308 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
309 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
310
311#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]312static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]313#undef V
314
315#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]316static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]317#undef V
318
319#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]320static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]321#undef V
322
323#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]324static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]325#undef V
326
327#undef RT
328
329/*
330 * Round constants
331 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]332static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]333{
334 0x00000001, 0x00000002, 0x00000004, 0x00000008,
335 0x00000010, 0x00000020, 0x00000040, 0x00000080,
336 0x0000001B, 0x00000036
337};
338
339#else
340
341/*
342 * Forward S-box & tables
343 */
344static unsigned char FSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]345static uint32_t FT0[256];
346static uint32_t FT1[256];
347static uint32_t FT2[256];
348static uint32_t FT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]349
350/*
351 * Reverse S-box & tables
352 */
353static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]354static uint32_t RT0[256];
355static uint32_t RT1[256];
356static uint32_t RT2[256];
357static uint32_t RT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]358
359/*
360 * Round constants
361 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]362static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]363
364/*
365 * Tables generation code
366 */
367#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
368#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
369#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
370
371static int aes_init_done = 0;
372
373static void aes_gen_tables( void )
374{
375 int i, x, y, z;
376 int pow[256];
377 int log[256];
378
379 /*
380 * compute pow and log tables over GF(2^8)
381 */
382 for( i = 0, x = 1; i < 256; i++ )
383 {
384 pow[i] = x;
385 log[x] = i;
386 x = ( x ^ XTIME( x ) ) & 0xFF;
387 }
388
389 /*
390 * calculate the round constants
391 */
392 for( i = 0, x = 1; i < 10; i++ )
393 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]394 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]395 x = XTIME( x ) & 0xFF;
396 }
397
398 /*
399 * generate the forward and reverse S-boxes
400 */
401 FSb[0x00] = 0x63;
402 RSb[0x63] = 0x00;
403
404 for( i = 1; i < 256; i++ )
405 {
406 x = pow[255 - log[i]];
407
408 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
409 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
410 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
411 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
412 x ^= y ^ 0x63;
413
414 FSb[i] = (unsigned char) x;
415 RSb[x] = (unsigned char) i;
416 }
417
418 /*
419 * generate the forward and reverse tables
420 */
421 for( i = 0; i < 256; i++ )
422 {
423 x = FSb[i];
424 y = XTIME( x ) & 0xFF;
425 z = ( y ^ x ) & 0xFF;
426
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]427 FT0[i] = ( (uint32_t) y ) ^
428 ( (uint32_t) x << 8 ) ^
429 ( (uint32_t) x << 16 ) ^
430 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]431
432 FT1[i] = ROTL8( FT0[i] );
433 FT2[i] = ROTL8( FT1[i] );
434 FT3[i] = ROTL8( FT2[i] );
435
436 x = RSb[i];
437
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]438 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
439 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
440 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
441 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]442
443 RT1[i] = ROTL8( RT0[i] );
444 RT2[i] = ROTL8( RT1[i] );
445 RT3[i] = ROTL8( RT2[i] );
446 }
447}
448
449#endif
450
451/*
452 * AES key schedule (encryption)
453 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]454int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]455{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]456 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]457 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]458
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]459#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]460 if( aes_init_done == 0 )
461 {
462 aes_gen_tables();
463 aes_init_done = 1;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]464
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]465 }
466#endif
467
468 switch( keysize )
469 {
470 case 128: ctx->nr = 10; break;
471 case 192: ctx->nr = 12; break;
472 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]473 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]474 }
475
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]476#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
477 if( aes_padlock_ace == -1 )
478 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
479
480 if( aes_padlock_ace )
481 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
482 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]483#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]484 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]485
486 for( i = 0; i < (keysize >> 5); i++ )
487 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]488 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]489 }
490
491 switch( ctx->nr )
492 {
493 case 10:
494
495 for( i = 0; i < 10; i++, RK += 4 )
496 {
497 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]498 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
499 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
500 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
501 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]502
503 RK[5] = RK[1] ^ RK[4];
504 RK[6] = RK[2] ^ RK[5];
505 RK[7] = RK[3] ^ RK[6];
506 }
507 break;
508
509 case 12:
510
511 for( i = 0; i < 8; i++, RK += 6 )
512 {
513 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]514 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
515 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
516 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
517 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]518
519 RK[7] = RK[1] ^ RK[6];
520 RK[8] = RK[2] ^ RK[7];
521 RK[9] = RK[3] ^ RK[8];
522 RK[10] = RK[4] ^ RK[9];
523 RK[11] = RK[5] ^ RK[10];
524 }
525 break;
526
527 case 14:
528
529 for( i = 0; i < 7; i++, RK += 8 )
530 {
531 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]532 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
533 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
534 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
535 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]536
537 RK[9] = RK[1] ^ RK[8];
538 RK[10] = RK[2] ^ RK[9];
539 RK[11] = RK[3] ^ RK[10];
540
541 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]542 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
543 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
544 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
545 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]546
547 RK[13] = RK[5] ^ RK[12];
548 RK[14] = RK[6] ^ RK[13];
549 RK[15] = RK[7] ^ RK[14];
550 }
551 break;
552
553 default:
554
555 break;
556 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]557
558 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]559}
560
561/*
562 * AES key schedule (decryption)
563 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]564int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]565{
566 int i, j;
567 aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]568 uint32_t *RK;
569 uint32_t *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]570 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]571
572 switch( keysize )
573 {
574 case 128: ctx->nr = 10; break;
575 case 192: ctx->nr = 12; break;
576 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]577 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]578 }
579
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]580#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
581 if( aes_padlock_ace == -1 )
582 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
583
584 if( aes_padlock_ace )
585 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
586 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]587#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]588 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]589
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]590 ret = aes_setkey_enc( &cty, key, keysize );
591 if( ret != 0 )
592 return( ret );
593
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame^]594#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
595 if( aesni_supports( POLARSSL_AESNI_AES ) )
596 {
597 aesni_inverse_key( (unsigned char *) ctx->rk,
598 (const unsigned char *) cty.rk, ctx->nr );
599 goto done;
600 }
601#endif
602
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]603 SK = cty.rk + cty.nr * 4;
604
605 *RK++ = *SK++;
606 *RK++ = *SK++;
607 *RK++ = *SK++;
608 *RK++ = *SK++;
609
610 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
611 {
612 for( j = 0; j < 4; j++, SK++ )
613 {
614 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
615 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
616 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
617 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
618 }
619 }
620
621 *RK++ = *SK++;
622 *RK++ = *SK++;
623 *RK++ = *SK++;
624 *RK++ = *SK++;
625
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame^]626done:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]627 memset( &cty, 0, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]628
629 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]630}
631
632#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
633{ \
634 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
635 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
636 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
637 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
638 \
639 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
640 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
641 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
642 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
643 \
644 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
645 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
646 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
647 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
648 \
649 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
650 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
651 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
652 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
653}
654
655#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
656{ \
657 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
658 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
659 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
660 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
661 \
662 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
663 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
664 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
665 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
666 \
667 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
668 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
669 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
670 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
671 \
672 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
673 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
674 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
675 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
676}
677
678/*
679 * AES-ECB block encryption/decryption
680 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]681int aes_crypt_ecb( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]682 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]683 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]684 unsigned char output[16] )
685{
686 int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]687 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]688
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]689#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
Manuel Pégourié-Gonnard8eaf20b2013-12-18 19:14:53 +0100[diff] [blame]690 if( aesni_supports( POLARSSL_AESNI_AES ) )
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]691 return( aesni_crypt_ecb( ctx, mode, input, output ) );
692#endif
693
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]694#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]695 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]696 {
697 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]698 return( 0 );
699
700 // If padlock data misaligned, we just fall back to
701 // unaccelerated mode
702 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]703 }
704#endif
705
706 RK = ctx->rk;
707
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]708 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
709 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
710 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
711 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]712
713 if( mode == AES_DECRYPT )
714 {
715 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
716 {
717 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
718 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
719 }
720
721 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
722
723 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]724 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
725 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
726 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
727 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]728
729 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]730 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
731 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
732 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
733 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]734
735 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]736 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
737 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
738 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
739 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]740
741 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]742 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
743 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
744 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
745 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]746 }
747 else /* AES_ENCRYPT */
748 {
749 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
750 {
751 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
752 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
753 }
754
755 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
756
757 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]758 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
759 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
760 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
761 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]762
763 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]764 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
765 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
766 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
767 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]768
769 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]770 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
771 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
772 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
773 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]774
775 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]776 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
777 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
778 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
779 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]780 }
781
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]782 PUT_UINT32_LE( X0, output, 0 );
783 PUT_UINT32_LE( X1, output, 4 );
784 PUT_UINT32_LE( X2, output, 8 );
785 PUT_UINT32_LE( X3, output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]786
787 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]788}
789
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]790#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]791/*
792 * AES-CBC buffer encryption/decryption
793 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]794int aes_crypt_cbc( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]795 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]796 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]797 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]798 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]799 unsigned char *output )
800{
801 int i;
802 unsigned char temp[16];
803
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]804 if( length % 16 )
805 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
806
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]807#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]808 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]809 {
810 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]811 return( 0 );
812
813 // If padlock data misaligned, we just fall back to
814 // unaccelerated mode
815 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]816 }
817#endif
818
819 if( mode == AES_DECRYPT )
820 {
821 while( length > 0 )
822 {
823 memcpy( temp, input, 16 );
824 aes_crypt_ecb( ctx, mode, input, output );
825
826 for( i = 0; i < 16; i++ )
827 output[i] = (unsigned char)( output[i] ^ iv[i] );
828
829 memcpy( iv, temp, 16 );
830
831 input += 16;
832 output += 16;
833 length -= 16;
834 }
835 }
836 else
837 {
838 while( length > 0 )
839 {
840 for( i = 0; i < 16; i++ )
841 output[i] = (unsigned char)( input[i] ^ iv[i] );
842
843 aes_crypt_ecb( ctx, mode, output, output );
844 memcpy( iv, output, 16 );
845
846 input += 16;
847 output += 16;
848 length -= 16;
849 }
850 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]851
852 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]853}
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]854#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]855
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]856#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]857/*
858 * AES-CFB128 buffer encryption/decryption
859 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]860int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]861 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]862 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]863 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]864 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]865 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]866 unsigned char *output )
867{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]868 int c;
869 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]870
871 if( mode == AES_DECRYPT )
872 {
873 while( length-- )
874 {
875 if( n == 0 )
876 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
877
878 c = *input++;
879 *output++ = (unsigned char)( c ^ iv[n] );
880 iv[n] = (unsigned char) c;
881
882 n = (n + 1) & 0x0F;
883 }
884 }
885 else
886 {
887 while( length-- )
888 {
889 if( n == 0 )
890 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
891
892 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
893
894 n = (n + 1) & 0x0F;
895 }
896 }
897
898 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]899
900 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]901}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]902#endif /*POLARSSL_CIPHER_MODE_CFB */
903
904#if defined(POLARSSL_CIPHER_MODE_CTR)
905/*
906 * AES-CTR buffer encryption/decryption
907 */
908int aes_crypt_ctr( aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]909 size_t length,
910 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]911 unsigned char nonce_counter[16],
912 unsigned char stream_block[16],
913 const unsigned char *input,
914 unsigned char *output )
915{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]916 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]917 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]918
919 while( length-- )
920 {
921 if( n == 0 ) {
922 aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
923
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]924 for( i = 16; i > 0; i-- )
925 if( ++nonce_counter[i - 1] != 0 )
926 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]927 }
928 c = *input++;
929 *output++ = (unsigned char)( c ^ stream_block[n] );
930
931 n = (n + 1) & 0x0F;
932 }
933
934 *nc_off = n;
935
936 return( 0 );
937}
938#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]939#endif /* !POLARSSL_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]940
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]941#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]942
943#include <stdio.h>
944
945/*
946 * AES test vectors from:
947 *
948 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
949 */
950static const unsigned char aes_test_ecb_dec[3][16] =
951{
952 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
953 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
954 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
955 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
956 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
957 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
958};
959
960static const unsigned char aes_test_ecb_enc[3][16] =
961{
962 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
963 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
964 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
965 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
966 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
967 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
968};
969
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]970#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]971static const unsigned char aes_test_cbc_dec[3][16] =
972{
973 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
974 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
975 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
976 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
977 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
978 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
979};
980
981static const unsigned char aes_test_cbc_enc[3][16] =
982{
983 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
984 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
985 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
986 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
987 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
988 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
989};
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]990#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]991
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]992#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]993/*
994 * AES-CFB128 test vectors from:
995 *
996 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
997 */
998static const unsigned char aes_test_cfb128_key[3][32] =
999{
1000 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1001 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1002 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1003 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1004 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1005 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1006 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1007 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1008 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1009};
1010
1011static const unsigned char aes_test_cfb128_iv[16] =
1012{
1013 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1014 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1015};
1016
1017static const unsigned char aes_test_cfb128_pt[64] =
1018{
1019 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1020 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1021 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1022 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1023 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1024 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1025 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1026 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1027};
1028
1029static const unsigned char aes_test_cfb128_ct[3][64] =
1030{
1031 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1032 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1033 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1034 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1035 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1036 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1037 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1038 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1039 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1040 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1041 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1042 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1043 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1044 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1045 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1046 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1047 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1048 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1049 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1050 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1051 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1052 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1053 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1054 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1055};
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1056#endif /* POLARSSL_CIPHER_MODE_CFB */
1057
1058#if defined(POLARSSL_CIPHER_MODE_CTR)
1059/*
1060 * AES-CTR test vectors from:
1061 *
1062 * http://www.faqs.org/rfcs/rfc3686.html
1063 */
1064
1065static const unsigned char aes_test_ctr_key[3][16] =
1066{
1067 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1068 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1069 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1070 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1071 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1072 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1073};
1074
1075static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1076{
1077 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1078 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1079 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1080 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1081 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1082 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1083};
1084
1085static const unsigned char aes_test_ctr_pt[3][48] =
1086{
1087 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1088 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1089
1090 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1091 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1092 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1093 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1094
1095 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1096 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1097 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1098 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1099 0x20, 0x21, 0x22, 0x23 }
1100};
1101
1102static const unsigned char aes_test_ctr_ct[3][48] =
1103{
1104 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1105 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1106 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1107 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1108 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1109 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1110 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1111 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1112 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1113 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1114 0x25, 0xB2, 0x07, 0x2F }
1115};
1116
1117static const int aes_test_ctr_len[3] =
1118 { 16, 32, 36 };
1119#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1120
1121/*
1122 * Checkup routine
1123 */
1124int aes_self_test( int verbose )
1125{
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1126 int i, j, u, v;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1127 unsigned char key[32];
1128 unsigned char buf[64];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1129 unsigned char iv[16];
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1130#if defined(POLARSSL_CIPHER_MODE_CBC)
1131 unsigned char prv[16];
1132#endif
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1133#if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1134 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1135#endif
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1136#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1137 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1138 unsigned char nonce_counter[16];
1139 unsigned char stream_block[16];
1140#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1141 aes_context ctx;
1142
1143 memset( key, 0, 32 );
1144
1145 /*
1146 * ECB mode
1147 */
1148 for( i = 0; i < 6; i++ )
1149 {
1150 u = i >> 1;
1151 v = i & 1;
1152
1153 if( verbose != 0 )
1154 printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1155 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1156
1157 memset( buf, 0, 16 );
1158
1159 if( v == AES_DECRYPT )
1160 {
1161 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1162
1163 for( j = 0; j < 10000; j++ )
1164 aes_crypt_ecb( &ctx, v, buf, buf );
1165
1166 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1167 {
1168 if( verbose != 0 )
1169 printf( "failed\n" );
1170
1171 return( 1 );
1172 }
1173 }
1174 else
1175 {
1176 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1177
1178 for( j = 0; j < 10000; j++ )
1179 aes_crypt_ecb( &ctx, v, buf, buf );
1180
1181 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1182 {
1183 if( verbose != 0 )
1184 printf( "failed\n" );
1185
1186 return( 1 );
1187 }
1188 }
1189
1190 if( verbose != 0 )
1191 printf( "passed\n" );
1192 }
1193
1194 if( verbose != 0 )
1195 printf( "\n" );
1196
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1197#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1198 /*
1199 * CBC mode
1200 */
1201 for( i = 0; i < 6; i++ )
1202 {
1203 u = i >> 1;
1204 v = i & 1;
1205
1206 if( verbose != 0 )
1207 printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1208 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1209
1210 memset( iv , 0, 16 );
1211 memset( prv, 0, 16 );
1212 memset( buf, 0, 16 );
1213
1214 if( v == AES_DECRYPT )
1215 {
1216 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1217
1218 for( j = 0; j < 10000; j++ )
1219 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1220
1221 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1222 {
1223 if( verbose != 0 )
1224 printf( "failed\n" );
1225
1226 return( 1 );
1227 }
1228 }
1229 else
1230 {
1231 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1232
1233 for( j = 0; j < 10000; j++ )
1234 {
1235 unsigned char tmp[16];
1236
1237 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1238
1239 memcpy( tmp, prv, 16 );
1240 memcpy( prv, buf, 16 );
1241 memcpy( buf, tmp, 16 );
1242 }
1243
1244 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1245 {
1246 if( verbose != 0 )
1247 printf( "failed\n" );
1248
1249 return( 1 );
1250 }
1251 }
1252
1253 if( verbose != 0 )
1254 printf( "passed\n" );
1255 }
1256
1257 if( verbose != 0 )
1258 printf( "\n" );
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1259#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1260
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1261#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1262 /*
1263 * CFB128 mode
1264 */
1265 for( i = 0; i < 6; i++ )
1266 {
1267 u = i >> 1;
1268 v = i & 1;
1269
1270 if( verbose != 0 )
1271 printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1272 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1273
1274 memcpy( iv, aes_test_cfb128_iv, 16 );
1275 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1276
1277 offset = 0;
1278 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1279
1280 if( v == AES_DECRYPT )
1281 {
1282 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1283 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1284
1285 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1286 {
1287 if( verbose != 0 )
1288 printf( "failed\n" );
1289
1290 return( 1 );
1291 }
1292 }
1293 else
1294 {
1295 memcpy( buf, aes_test_cfb128_pt, 64 );
1296 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1297
1298 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1299 {
1300 if( verbose != 0 )
1301 printf( "failed\n" );
1302
1303 return( 1 );
1304 }
1305 }
1306
1307 if( verbose != 0 )
1308 printf( "passed\n" );
1309 }
1310
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1311 if( verbose != 0 )
1312 printf( "\n" );
1313#endif /* POLARSSL_CIPHER_MODE_CFB */
1314
1315#if defined(POLARSSL_CIPHER_MODE_CTR)
1316 /*
1317 * CTR mode
1318 */
1319 for( i = 0; i < 6; i++ )
1320 {
1321 u = i >> 1;
1322 v = i & 1;
1323
1324 if( verbose != 0 )
1325 printf( " AES-CTR-128 (%s): ",
1326 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1327
1328 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1329 memcpy( key, aes_test_ctr_key[u], 16 );
1330
1331 offset = 0;
1332 aes_setkey_enc( &ctx, key, 128 );
1333
1334 if( v == AES_DECRYPT )
1335 {
1336 len = aes_test_ctr_len[u];
1337 memcpy( buf, aes_test_ctr_ct[u], len );
1338
1339 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1340
1341 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1342 {
1343 if( verbose != 0 )
1344 printf( "failed\n" );
1345
1346 return( 1 );
1347 }
1348 }
1349 else
1350 {
1351 len = aes_test_ctr_len[u];
1352 memcpy( buf, aes_test_ctr_pt[u], len );
1353
1354 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1355
1356 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1357 {
1358 if( verbose != 0 )
1359 printf( "failed\n" );
1360
1361 return( 1 );
1362 }
1363 }
1364
1365 if( verbose != 0 )
1366 printf( "passed\n" );
1367 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1368
1369 if( verbose != 0 )
1370 printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1371#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1372
1373 return( 0 );
1374}
1375
1376#endif
1377
1378#endif