TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / 47a3536a3185a7664effe6cfd50d60c9e9c8fab6 / . / library / aes.c
blob: 331698f5dc9f914c757edc5fbd0441552621f2dd [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]4 * Copyright (C) 2006-2013, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27 *
28 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30 */
31
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]32#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#include "polarssl/aes.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]37#if defined(POLARSSL_PADLOCK_C)
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#include "polarssl/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]39#endif
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]40#if defined(POLARSSL_AESNI_C)
41#include "polarssl/aesni.h"
42#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]43
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]44#if !defined(POLARSSL_AES_ALT)
45
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]46/*
47 * 32-bit integer manipulation macros (little endian)
48 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]49#ifndef GET_UINT32_LE
50#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]51{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]52 (n) = ( (uint32_t) (b)[(i) ] ) \
53 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
54 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
55 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]56}
57#endif
58
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]59#ifndef PUT_UINT32_LE
60#define PUT_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]61{ \
62 (b)[(i) ] = (unsigned char) ( (n) ); \
63 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
64 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
65 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
66}
67#endif
68
Paul Bakker0e19e9f2012-10-01 11:02:48 +0000[diff] [blame]69#if defined(POLARSSL_PADLOCK_C) && \
70 ( defined(POLARSSL_HAVE_X86) || defined(PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]71static int aes_padlock_ace = -1;
72#endif
73
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]74#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]75/*
76 * Forward S-box
77 */
78static const unsigned char FSb[256] =
79{
80 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
81 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
82 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
83 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
84 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
85 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
86 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
87 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
88 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
89 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
90 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
91 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
92 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
93 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
94 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
95 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
96 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
97 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
98 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
99 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
100 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
101 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
102 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
103 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
104 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
105 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
106 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
107 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
108 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
109 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
110 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
111 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
112};
113
114/*
115 * Forward tables
116 */
117#define FT \
118\
119 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
120 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
121 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
122 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
123 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
124 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
125 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
126 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
127 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
128 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
129 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
130 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
131 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
132 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
133 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
134 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
135 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
136 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
137 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
138 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
139 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
140 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
141 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
142 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
143 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
144 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
145 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
146 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
147 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
148 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
149 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
150 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
151 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
152 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
153 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
154 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
155 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
156 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
157 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
158 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
159 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
160 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
161 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
162 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
163 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
164 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
165 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
166 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
167 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
168 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
169 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
170 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
171 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
172 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
173 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
174 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
175 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
176 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
177 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
178 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
179 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
180 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
181 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
182 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
183
184#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]185static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]186#undef V
187
188#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]189static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]190#undef V
191
192#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]193static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]194#undef V
195
196#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]197static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]198#undef V
199
200#undef FT
201
202/*
203 * Reverse S-box
204 */
205static const unsigned char RSb[256] =
206{
207 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
208 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
209 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
210 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
211 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
212 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
213 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
214 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
215 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
216 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
217 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
218 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
219 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
220 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
221 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
222 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
223 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
224 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
225 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
226 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
227 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
228 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
229 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
230 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
231 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
232 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
233 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
234 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
235 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
236 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
237 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
238 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
239};
240
241/*
242 * Reverse tables
243 */
244#define RT \
245\
246 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
247 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
248 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
249 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
250 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
251 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
252 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
253 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
254 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
255 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
256 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
257 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
258 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
259 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
260 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
261 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
262 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
263 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
264 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
265 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
266 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
267 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
268 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
269 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
270 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
271 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
272 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
273 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
274 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
275 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
276 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
277 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
278 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
279 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
280 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
281 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
282 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
283 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
284 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
285 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
286 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
287 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
288 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
289 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
290 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
291 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
292 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
293 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
294 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
295 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
296 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
297 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
298 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
299 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
300 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
301 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
302 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
303 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
304 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
305 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
306 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
307 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
308 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
309 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
310
311#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]312static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]313#undef V
314
315#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]316static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]317#undef V
318
319#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]320static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]321#undef V
322
323#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]324static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]325#undef V
326
327#undef RT
328
329/*
330 * Round constants
331 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]332static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]333{
334 0x00000001, 0x00000002, 0x00000004, 0x00000008,
335 0x00000010, 0x00000020, 0x00000040, 0x00000080,
336 0x0000001B, 0x00000036
337};
338
339#else
340
341/*
342 * Forward S-box & tables
343 */
344static unsigned char FSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]345static uint32_t FT0[256];
346static uint32_t FT1[256];
347static uint32_t FT2[256];
348static uint32_t FT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]349
350/*
351 * Reverse S-box & tables
352 */
353static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]354static uint32_t RT0[256];
355static uint32_t RT1[256];
356static uint32_t RT2[256];
357static uint32_t RT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]358
359/*
360 * Round constants
361 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]362static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]363
364/*
365 * Tables generation code
366 */
367#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
368#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
369#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
370
371static int aes_init_done = 0;
372
373static void aes_gen_tables( void )
374{
375 int i, x, y, z;
376 int pow[256];
377 int log[256];
378
379 /*
380 * compute pow and log tables over GF(2^8)
381 */
382 for( i = 0, x = 1; i < 256; i++ )
383 {
384 pow[i] = x;
385 log[x] = i;
386 x = ( x ^ XTIME( x ) ) & 0xFF;
387 }
388
389 /*
390 * calculate the round constants
391 */
392 for( i = 0, x = 1; i < 10; i++ )
393 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]394 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]395 x = XTIME( x ) & 0xFF;
396 }
397
398 /*
399 * generate the forward and reverse S-boxes
400 */
401 FSb[0x00] = 0x63;
402 RSb[0x63] = 0x00;
403
404 for( i = 1; i < 256; i++ )
405 {
406 x = pow[255 - log[i]];
407
408 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
409 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
410 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
411 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
412 x ^= y ^ 0x63;
413
414 FSb[i] = (unsigned char) x;
415 RSb[x] = (unsigned char) i;
416 }
417
418 /*
419 * generate the forward and reverse tables
420 */
421 for( i = 0; i < 256; i++ )
422 {
423 x = FSb[i];
424 y = XTIME( x ) & 0xFF;
425 z = ( y ^ x ) & 0xFF;
426
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]427 FT0[i] = ( (uint32_t) y ) ^
428 ( (uint32_t) x << 8 ) ^
429 ( (uint32_t) x << 16 ) ^
430 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]431
432 FT1[i] = ROTL8( FT0[i] );
433 FT2[i] = ROTL8( FT1[i] );
434 FT3[i] = ROTL8( FT2[i] );
435
436 x = RSb[i];
437
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]438 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
439 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
440 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
441 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]442
443 RT1[i] = ROTL8( RT0[i] );
444 RT2[i] = ROTL8( RT1[i] );
445 RT3[i] = ROTL8( RT2[i] );
446 }
447}
448
449#endif
450
451/*
452 * AES key schedule (encryption)
453 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]454int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]455{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]456 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]457 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]458
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]459#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]460 if( aes_init_done == 0 )
461 {
462 aes_gen_tables();
463 aes_init_done = 1;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]464
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]465 }
466#endif
467
468 switch( keysize )
469 {
470 case 128: ctx->nr = 10; break;
471 case 192: ctx->nr = 12; break;
472 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]473 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]474 }
475
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]476#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
477 if( aes_padlock_ace == -1 )
478 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
479
480 if( aes_padlock_ace )
481 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
482 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]483#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]484 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]485
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame^]486#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
487 if( aesni_supports( POLARSSL_AESNI_AES ) )
488 {
489 int ret = aesni_setkey_enc( (unsigned char *) ctx->rk, key, keysize );
490 // XXX: temporary while some key size aren't handled
491 if( ret == 0 ) return( ret );
492 }
493#endif
494
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]495 for( i = 0; i < (keysize >> 5); i++ )
496 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]497 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]498 }
499
500 switch( ctx->nr )
501 {
502 case 10:
503
504 for( i = 0; i < 10; i++, RK += 4 )
505 {
506 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]507 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
508 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
509 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
510 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]511
512 RK[5] = RK[1] ^ RK[4];
513 RK[6] = RK[2] ^ RK[5];
514 RK[7] = RK[3] ^ RK[6];
515 }
516 break;
517
518 case 12:
519
520 for( i = 0; i < 8; i++, RK += 6 )
521 {
522 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]523 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
524 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
525 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
526 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]527
528 RK[7] = RK[1] ^ RK[6];
529 RK[8] = RK[2] ^ RK[7];
530 RK[9] = RK[3] ^ RK[8];
531 RK[10] = RK[4] ^ RK[9];
532 RK[11] = RK[5] ^ RK[10];
533 }
534 break;
535
536 case 14:
537
538 for( i = 0; i < 7; i++, RK += 8 )
539 {
540 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]541 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
542 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
543 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
544 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]545
546 RK[9] = RK[1] ^ RK[8];
547 RK[10] = RK[2] ^ RK[9];
548 RK[11] = RK[3] ^ RK[10];
549
550 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]551 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
552 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
553 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
554 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]555
556 RK[13] = RK[5] ^ RK[12];
557 RK[14] = RK[6] ^ RK[13];
558 RK[15] = RK[7] ^ RK[14];
559 }
560 break;
561
562 default:
563
564 break;
565 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]566
567 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]568}
569
570/*
571 * AES key schedule (decryption)
572 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]573int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]574{
575 int i, j;
576 aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]577 uint32_t *RK;
578 uint32_t *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]579 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]580
581 switch( keysize )
582 {
583 case 128: ctx->nr = 10; break;
584 case 192: ctx->nr = 12; break;
585 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]586 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]587 }
588
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]589#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
590 if( aes_padlock_ace == -1 )
591 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
592
593 if( aes_padlock_ace )
594 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
595 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]596#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]597 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]598
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]599 ret = aes_setkey_enc( &cty, key, keysize );
600 if( ret != 0 )
601 return( ret );
602
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]603#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
604 if( aesni_supports( POLARSSL_AESNI_AES ) )
605 {
606 aesni_inverse_key( (unsigned char *) ctx->rk,
607 (const unsigned char *) cty.rk, ctx->nr );
608 goto done;
609 }
610#endif
611
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]612 SK = cty.rk + cty.nr * 4;
613
614 *RK++ = *SK++;
615 *RK++ = *SK++;
616 *RK++ = *SK++;
617 *RK++ = *SK++;
618
619 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
620 {
621 for( j = 0; j < 4; j++, SK++ )
622 {
623 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
624 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
625 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
626 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
627 }
628 }
629
630 *RK++ = *SK++;
631 *RK++ = *SK++;
632 *RK++ = *SK++;
633 *RK++ = *SK++;
634
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]635done:
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]636 memset( &cty, 0, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]637
638 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]639}
640
641#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
642{ \
643 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
644 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
645 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
646 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
647 \
648 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
649 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
650 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
651 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
652 \
653 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
654 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
655 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
656 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
657 \
658 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
659 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
660 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
661 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
662}
663
664#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
665{ \
666 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
667 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
668 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
669 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
670 \
671 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
672 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
673 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
674 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
675 \
676 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
677 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
678 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
679 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
680 \
681 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
682 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
683 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
684 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
685}
686
687/*
688 * AES-ECB block encryption/decryption
689 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]690int aes_crypt_ecb( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]691 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]692 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]693 unsigned char output[16] )
694{
695 int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]696 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]697
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]698#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
Manuel Pégourié-Gonnard8eaf20b2013-12-18 19:14:53 +0100[diff] [blame]699 if( aesni_supports( POLARSSL_AESNI_AES ) )
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]700 return( aesni_crypt_ecb( ctx, mode, input, output ) );
701#endif
702
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]703#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]704 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]705 {
706 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]707 return( 0 );
708
709 // If padlock data misaligned, we just fall back to
710 // unaccelerated mode
711 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]712 }
713#endif
714
715 RK = ctx->rk;
716
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]717 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
718 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
719 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
720 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]721
722 if( mode == AES_DECRYPT )
723 {
724 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
725 {
726 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
727 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
728 }
729
730 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
731
732 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]733 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
734 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
735 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
736 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]737
738 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]739 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
740 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
741 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
742 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]743
744 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]745 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
746 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
747 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
748 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]749
750 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]751 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
752 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
753 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
754 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]755 }
756 else /* AES_ENCRYPT */
757 {
758 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
759 {
760 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
761 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
762 }
763
764 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
765
766 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]767 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
768 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
769 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
770 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]771
772 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]773 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
774 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
775 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
776 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]777
778 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]779 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
780 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
781 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
782 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]783
784 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]785 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
786 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
787 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
788 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]789 }
790
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]791 PUT_UINT32_LE( X0, output, 0 );
792 PUT_UINT32_LE( X1, output, 4 );
793 PUT_UINT32_LE( X2, output, 8 );
794 PUT_UINT32_LE( X3, output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]795
796 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]797}
798
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]799#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]800/*
801 * AES-CBC buffer encryption/decryption
802 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]803int aes_crypt_cbc( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]804 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]805 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]806 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]807 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]808 unsigned char *output )
809{
810 int i;
811 unsigned char temp[16];
812
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]813 if( length % 16 )
814 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
815
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]816#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]817 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]818 {
819 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]820 return( 0 );
821
822 // If padlock data misaligned, we just fall back to
823 // unaccelerated mode
824 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]825 }
826#endif
827
828 if( mode == AES_DECRYPT )
829 {
830 while( length > 0 )
831 {
832 memcpy( temp, input, 16 );
833 aes_crypt_ecb( ctx, mode, input, output );
834
835 for( i = 0; i < 16; i++ )
836 output[i] = (unsigned char)( output[i] ^ iv[i] );
837
838 memcpy( iv, temp, 16 );
839
840 input += 16;
841 output += 16;
842 length -= 16;
843 }
844 }
845 else
846 {
847 while( length > 0 )
848 {
849 for( i = 0; i < 16; i++ )
850 output[i] = (unsigned char)( input[i] ^ iv[i] );
851
852 aes_crypt_ecb( ctx, mode, output, output );
853 memcpy( iv, output, 16 );
854
855 input += 16;
856 output += 16;
857 length -= 16;
858 }
859 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]860
861 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]862}
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]863#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]864
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]865#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]866/*
867 * AES-CFB128 buffer encryption/decryption
868 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]869int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]870 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]871 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]872 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]873 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]874 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]875 unsigned char *output )
876{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]877 int c;
878 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]879
880 if( mode == AES_DECRYPT )
881 {
882 while( length-- )
883 {
884 if( n == 0 )
885 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
886
887 c = *input++;
888 *output++ = (unsigned char)( c ^ iv[n] );
889 iv[n] = (unsigned char) c;
890
891 n = (n + 1) & 0x0F;
892 }
893 }
894 else
895 {
896 while( length-- )
897 {
898 if( n == 0 )
899 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
900
901 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
902
903 n = (n + 1) & 0x0F;
904 }
905 }
906
907 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]908
909 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]910}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]911#endif /*POLARSSL_CIPHER_MODE_CFB */
912
913#if defined(POLARSSL_CIPHER_MODE_CTR)
914/*
915 * AES-CTR buffer encryption/decryption
916 */
917int aes_crypt_ctr( aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]918 size_t length,
919 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]920 unsigned char nonce_counter[16],
921 unsigned char stream_block[16],
922 const unsigned char *input,
923 unsigned char *output )
924{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]925 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]926 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]927
928 while( length-- )
929 {
930 if( n == 0 ) {
931 aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
932
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]933 for( i = 16; i > 0; i-- )
934 if( ++nonce_counter[i - 1] != 0 )
935 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]936 }
937 c = *input++;
938 *output++ = (unsigned char)( c ^ stream_block[n] );
939
940 n = (n + 1) & 0x0F;
941 }
942
943 *nc_off = n;
944
945 return( 0 );
946}
947#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]948#endif /* !POLARSSL_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]949
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]950#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]951
952#include <stdio.h>
953
954/*
955 * AES test vectors from:
956 *
957 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
958 */
959static const unsigned char aes_test_ecb_dec[3][16] =
960{
961 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
962 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
963 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
964 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
965 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
966 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
967};
968
969static const unsigned char aes_test_ecb_enc[3][16] =
970{
971 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
972 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
973 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
974 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
975 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
976 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
977};
978
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]979#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]980static const unsigned char aes_test_cbc_dec[3][16] =
981{
982 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
983 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
984 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
985 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
986 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
987 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
988};
989
990static const unsigned char aes_test_cbc_enc[3][16] =
991{
992 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
993 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
994 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
995 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
996 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
997 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
998};
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]999#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1000
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1001#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1002/*
1003 * AES-CFB128 test vectors from:
1004 *
1005 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1006 */
1007static const unsigned char aes_test_cfb128_key[3][32] =
1008{
1009 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1010 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1011 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1012 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1013 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1014 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1015 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1016 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1017 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1018};
1019
1020static const unsigned char aes_test_cfb128_iv[16] =
1021{
1022 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1023 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1024};
1025
1026static const unsigned char aes_test_cfb128_pt[64] =
1027{
1028 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1029 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1030 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1031 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1032 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1033 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1034 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1035 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1036};
1037
1038static const unsigned char aes_test_cfb128_ct[3][64] =
1039{
1040 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1041 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1042 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1043 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1044 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1045 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1046 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1047 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1048 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1049 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1050 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1051 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1052 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1053 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1054 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1055 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1056 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1057 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1058 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1059 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1060 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1061 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1062 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1063 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1064};
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1065#endif /* POLARSSL_CIPHER_MODE_CFB */
1066
1067#if defined(POLARSSL_CIPHER_MODE_CTR)
1068/*
1069 * AES-CTR test vectors from:
1070 *
1071 * http://www.faqs.org/rfcs/rfc3686.html
1072 */
1073
1074static const unsigned char aes_test_ctr_key[3][16] =
1075{
1076 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1077 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1078 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1079 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1080 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1081 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1082};
1083
1084static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1085{
1086 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1087 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1088 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1089 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1090 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1091 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1092};
1093
1094static const unsigned char aes_test_ctr_pt[3][48] =
1095{
1096 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1097 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1098
1099 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1100 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1101 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1102 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1103
1104 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1105 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1106 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1107 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1108 0x20, 0x21, 0x22, 0x23 }
1109};
1110
1111static const unsigned char aes_test_ctr_ct[3][48] =
1112{
1113 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1114 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1115 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1116 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1117 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1118 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1119 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1120 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1121 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1122 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1123 0x25, 0xB2, 0x07, 0x2F }
1124};
1125
1126static const int aes_test_ctr_len[3] =
1127 { 16, 32, 36 };
1128#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1129
1130/*
1131 * Checkup routine
1132 */
1133int aes_self_test( int verbose )
1134{
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1135 int i, j, u, v;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1136 unsigned char key[32];
1137 unsigned char buf[64];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1138 unsigned char iv[16];
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1139#if defined(POLARSSL_CIPHER_MODE_CBC)
1140 unsigned char prv[16];
1141#endif
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1142#if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1143 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1144#endif
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1145#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1146 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1147 unsigned char nonce_counter[16];
1148 unsigned char stream_block[16];
1149#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1150 aes_context ctx;
1151
1152 memset( key, 0, 32 );
1153
1154 /*
1155 * ECB mode
1156 */
1157 for( i = 0; i < 6; i++ )
1158 {
1159 u = i >> 1;
1160 v = i & 1;
1161
1162 if( verbose != 0 )
1163 printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1164 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1165
1166 memset( buf, 0, 16 );
1167
1168 if( v == AES_DECRYPT )
1169 {
1170 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1171
1172 for( j = 0; j < 10000; j++ )
1173 aes_crypt_ecb( &ctx, v, buf, buf );
1174
1175 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1176 {
1177 if( verbose != 0 )
1178 printf( "failed\n" );
1179
1180 return( 1 );
1181 }
1182 }
1183 else
1184 {
1185 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1186
1187 for( j = 0; j < 10000; j++ )
1188 aes_crypt_ecb( &ctx, v, buf, buf );
1189
1190 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1191 {
1192 if( verbose != 0 )
1193 printf( "failed\n" );
1194
1195 return( 1 );
1196 }
1197 }
1198
1199 if( verbose != 0 )
1200 printf( "passed\n" );
1201 }
1202
1203 if( verbose != 0 )
1204 printf( "\n" );
1205
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1206#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1207 /*
1208 * CBC mode
1209 */
1210 for( i = 0; i < 6; i++ )
1211 {
1212 u = i >> 1;
1213 v = i & 1;
1214
1215 if( verbose != 0 )
1216 printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1217 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1218
1219 memset( iv , 0, 16 );
1220 memset( prv, 0, 16 );
1221 memset( buf, 0, 16 );
1222
1223 if( v == AES_DECRYPT )
1224 {
1225 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1226
1227 for( j = 0; j < 10000; j++ )
1228 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1229
1230 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1231 {
1232 if( verbose != 0 )
1233 printf( "failed\n" );
1234
1235 return( 1 );
1236 }
1237 }
1238 else
1239 {
1240 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1241
1242 for( j = 0; j < 10000; j++ )
1243 {
1244 unsigned char tmp[16];
1245
1246 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1247
1248 memcpy( tmp, prv, 16 );
1249 memcpy( prv, buf, 16 );
1250 memcpy( buf, tmp, 16 );
1251 }
1252
1253 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1254 {
1255 if( verbose != 0 )
1256 printf( "failed\n" );
1257
1258 return( 1 );
1259 }
1260 }
1261
1262 if( verbose != 0 )
1263 printf( "passed\n" );
1264 }
1265
1266 if( verbose != 0 )
1267 printf( "\n" );
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1268#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1269
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1270#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1271 /*
1272 * CFB128 mode
1273 */
1274 for( i = 0; i < 6; i++ )
1275 {
1276 u = i >> 1;
1277 v = i & 1;
1278
1279 if( verbose != 0 )
1280 printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1281 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1282
1283 memcpy( iv, aes_test_cfb128_iv, 16 );
1284 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1285
1286 offset = 0;
1287 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1288
1289 if( v == AES_DECRYPT )
1290 {
1291 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1292 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1293
1294 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1295 {
1296 if( verbose != 0 )
1297 printf( "failed\n" );
1298
1299 return( 1 );
1300 }
1301 }
1302 else
1303 {
1304 memcpy( buf, aes_test_cfb128_pt, 64 );
1305 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1306
1307 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1308 {
1309 if( verbose != 0 )
1310 printf( "failed\n" );
1311
1312 return( 1 );
1313 }
1314 }
1315
1316 if( verbose != 0 )
1317 printf( "passed\n" );
1318 }
1319
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1320 if( verbose != 0 )
1321 printf( "\n" );
1322#endif /* POLARSSL_CIPHER_MODE_CFB */
1323
1324#if defined(POLARSSL_CIPHER_MODE_CTR)
1325 /*
1326 * CTR mode
1327 */
1328 for( i = 0; i < 6; i++ )
1329 {
1330 u = i >> 1;
1331 v = i & 1;
1332
1333 if( verbose != 0 )
1334 printf( " AES-CTR-128 (%s): ",
1335 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1336
1337 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1338 memcpy( key, aes_test_ctr_key[u], 16 );
1339
1340 offset = 0;
1341 aes_setkey_enc( &ctx, key, 128 );
1342
1343 if( v == AES_DECRYPT )
1344 {
1345 len = aes_test_ctr_len[u];
1346 memcpy( buf, aes_test_ctr_ct[u], len );
1347
1348 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1349
1350 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1351 {
1352 if( verbose != 0 )
1353 printf( "failed\n" );
1354
1355 return( 1 );
1356 }
1357 }
1358 else
1359 {
1360 len = aes_test_ctr_len[u];
1361 memcpy( buf, aes_test_ctr_pt[u], len );
1362
1363 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1364
1365 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1366 {
1367 if( verbose != 0 )
1368 printf( "failed\n" );
1369
1370 return( 1 );
1371 }
1372 }
1373
1374 if( verbose != 0 )
1375 printf( "passed\n" );
1376 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1377
1378 if( verbose != 0 )
1379 printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1380#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1381
1382 return( 0 );
1383}
1384
1385#endif
1386
1387#endif