TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 80637c7520eef006a0abb712d21f201692a3d580 / . / library / aes.c
blob: d2d1c0c436cd5e680516a59246f2813add72b3b8 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]4 * Copyright (C) 2006-2013, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27 *
28 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30 */
31
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]32#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#include "polarssl/aes.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]37#if defined(POLARSSL_PADLOCK_C)
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#include "polarssl/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]39#endif
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]40#if defined(POLARSSL_AESNI_C)
41#include "polarssl/aesni.h"
42#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]43
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]44#if !defined(POLARSSL_AES_ALT)
45
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]46/*
47 * 32-bit integer manipulation macros (little endian)
48 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]49#ifndef GET_UINT32_LE
50#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]51{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]52 (n) = ( (uint32_t) (b)[(i) ] ) \
53 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
54 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
55 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]56}
57#endif
58
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]59#ifndef PUT_UINT32_LE
60#define PUT_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]61{ \
62 (b)[(i) ] = (unsigned char) ( (n) ); \
63 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
64 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
65 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
66}
67#endif
68
Paul Bakker0e19e9f2012-10-01 11:02:48 +0000[diff] [blame]69#if defined(POLARSSL_PADLOCK_C) && \
70 ( defined(POLARSSL_HAVE_X86) || defined(PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]71static int aes_padlock_ace = -1;
72#endif
73
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]74#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]75/*
76 * Forward S-box
77 */
78static const unsigned char FSb[256] =
79{
80 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
81 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
82 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
83 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
84 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
85 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
86 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
87 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
88 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
89 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
90 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
91 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
92 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
93 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
94 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
95 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
96 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
97 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
98 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
99 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
100 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
101 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
102 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
103 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
104 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
105 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
106 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
107 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
108 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
109 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
110 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
111 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
112};
113
114/*
115 * Forward tables
116 */
117#define FT \
118\
119 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
120 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
121 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
122 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
123 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
124 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
125 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
126 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
127 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
128 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
129 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
130 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
131 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
132 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
133 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
134 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
135 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
136 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
137 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
138 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
139 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
140 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
141 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
142 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
143 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
144 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
145 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
146 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
147 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
148 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
149 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
150 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
151 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
152 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
153 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
154 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
155 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
156 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
157 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
158 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
159 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
160 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
161 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
162 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
163 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
164 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
165 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
166 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
167 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
168 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
169 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
170 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
171 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
172 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
173 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
174 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
175 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
176 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
177 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
178 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
179 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
180 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
181 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
182 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
183
184#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]185static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]186#undef V
187
188#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]189static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]190#undef V
191
192#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]193static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]194#undef V
195
196#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]197static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]198#undef V
199
200#undef FT
201
202/*
203 * Reverse S-box
204 */
205static const unsigned char RSb[256] =
206{
207 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
208 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
209 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
210 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
211 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
212 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
213 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
214 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
215 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
216 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
217 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
218 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
219 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
220 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
221 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
222 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
223 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
224 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
225 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
226 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
227 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
228 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
229 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
230 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
231 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
232 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
233 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
234 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
235 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
236 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
237 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
238 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
239};
240
241/*
242 * Reverse tables
243 */
244#define RT \
245\
246 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
247 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
248 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
249 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
250 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
251 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
252 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
253 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
254 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
255 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
256 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
257 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
258 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
259 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
260 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
261 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
262 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
263 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
264 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
265 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
266 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
267 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
268 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
269 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
270 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
271 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
272 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
273 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
274 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
275 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
276 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
277 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
278 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
279 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
280 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
281 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
282 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
283 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
284 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
285 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
286 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
287 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
288 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
289 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
290 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
291 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
292 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
293 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
294 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
295 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
296 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
297 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
298 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
299 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
300 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
301 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
302 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
303 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
304 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
305 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
306 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
307 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
308 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
309 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
310
311#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]312static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]313#undef V
314
315#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]316static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]317#undef V
318
319#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]320static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]321#undef V
322
323#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]324static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]325#undef V
326
327#undef RT
328
329/*
330 * Round constants
331 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]332static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]333{
334 0x00000001, 0x00000002, 0x00000004, 0x00000008,
335 0x00000010, 0x00000020, 0x00000040, 0x00000080,
336 0x0000001B, 0x00000036
337};
338
339#else
340
341/*
342 * Forward S-box & tables
343 */
344static unsigned char FSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]345static uint32_t FT0[256];
346static uint32_t FT1[256];
347static uint32_t FT2[256];
348static uint32_t FT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]349
350/*
351 * Reverse S-box & tables
352 */
353static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]354static uint32_t RT0[256];
355static uint32_t RT1[256];
356static uint32_t RT2[256];
357static uint32_t RT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]358
359/*
360 * Round constants
361 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]362static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]363
364/*
365 * Tables generation code
366 */
367#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
368#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
369#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
370
371static int aes_init_done = 0;
372
373static void aes_gen_tables( void )
374{
375 int i, x, y, z;
376 int pow[256];
377 int log[256];
378
379 /*
380 * compute pow and log tables over GF(2^8)
381 */
382 for( i = 0, x = 1; i < 256; i++ )
383 {
384 pow[i] = x;
385 log[x] = i;
386 x = ( x ^ XTIME( x ) ) & 0xFF;
387 }
388
389 /*
390 * calculate the round constants
391 */
392 for( i = 0, x = 1; i < 10; i++ )
393 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]394 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]395 x = XTIME( x ) & 0xFF;
396 }
397
398 /*
399 * generate the forward and reverse S-boxes
400 */
401 FSb[0x00] = 0x63;
402 RSb[0x63] = 0x00;
403
404 for( i = 1; i < 256; i++ )
405 {
406 x = pow[255 - log[i]];
407
408 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
409 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
410 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
411 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
412 x ^= y ^ 0x63;
413
414 FSb[i] = (unsigned char) x;
415 RSb[x] = (unsigned char) i;
416 }
417
418 /*
419 * generate the forward and reverse tables
420 */
421 for( i = 0; i < 256; i++ )
422 {
423 x = FSb[i];
424 y = XTIME( x ) & 0xFF;
425 z = ( y ^ x ) & 0xFF;
426
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]427 FT0[i] = ( (uint32_t) y ) ^
428 ( (uint32_t) x << 8 ) ^
429 ( (uint32_t) x << 16 ) ^
430 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]431
432 FT1[i] = ROTL8( FT0[i] );
433 FT2[i] = ROTL8( FT1[i] );
434 FT3[i] = ROTL8( FT2[i] );
435
436 x = RSb[i];
437
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]438 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
439 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
440 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
441 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]442
443 RT1[i] = ROTL8( RT0[i] );
444 RT2[i] = ROTL8( RT1[i] );
445 RT3[i] = ROTL8( RT2[i] );
446 }
447}
448
449#endif
450
451/*
452 * AES key schedule (encryption)
453 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]454int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]455{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]456 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]457 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]458
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]459#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]460 if( aes_init_done == 0 )
461 {
462 aes_gen_tables();
463 aes_init_done = 1;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]464
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]465 }
466#endif
467
468 switch( keysize )
469 {
470 case 128: ctx->nr = 10; break;
471 case 192: ctx->nr = 12; break;
472 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]473 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]474 }
475
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]476#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
477 if( aes_padlock_ace == -1 )
478 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
479
480 if( aes_padlock_ace )
481 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
482 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]483#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]484 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]485
486 for( i = 0; i < (keysize >> 5); i++ )
487 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]488 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]489 }
490
491 switch( ctx->nr )
492 {
493 case 10:
494
495 for( i = 0; i < 10; i++, RK += 4 )
496 {
497 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]498 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
499 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
500 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
501 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]502
503 RK[5] = RK[1] ^ RK[4];
504 RK[6] = RK[2] ^ RK[5];
505 RK[7] = RK[3] ^ RK[6];
506 }
507 break;
508
509 case 12:
510
511 for( i = 0; i < 8; i++, RK += 6 )
512 {
513 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]514 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
515 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
516 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
517 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]518
519 RK[7] = RK[1] ^ RK[6];
520 RK[8] = RK[2] ^ RK[7];
521 RK[9] = RK[3] ^ RK[8];
522 RK[10] = RK[4] ^ RK[9];
523 RK[11] = RK[5] ^ RK[10];
524 }
525 break;
526
527 case 14:
528
529 for( i = 0; i < 7; i++, RK += 8 )
530 {
531 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]532 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
533 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
534 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
535 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]536
537 RK[9] = RK[1] ^ RK[8];
538 RK[10] = RK[2] ^ RK[9];
539 RK[11] = RK[3] ^ RK[10];
540
541 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]542 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
543 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
544 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
545 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]546
547 RK[13] = RK[5] ^ RK[12];
548 RK[14] = RK[6] ^ RK[13];
549 RK[15] = RK[7] ^ RK[14];
550 }
551 break;
552
553 default:
554
555 break;
556 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]557
558 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]559}
560
561/*
562 * AES key schedule (decryption)
563 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]564int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]565{
566 int i, j;
567 aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]568 uint32_t *RK;
569 uint32_t *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]570 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]571
572 switch( keysize )
573 {
574 case 128: ctx->nr = 10; break;
575 case 192: ctx->nr = 12; break;
576 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]577 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]578 }
579
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]580#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
581 if( aes_padlock_ace == -1 )
582 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
583
584 if( aes_padlock_ace )
585 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
586 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]587#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]588 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]589
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]590 ret = aes_setkey_enc( &cty, key, keysize );
591 if( ret != 0 )
592 return( ret );
593
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]594 SK = cty.rk + cty.nr * 4;
595
596 *RK++ = *SK++;
597 *RK++ = *SK++;
598 *RK++ = *SK++;
599 *RK++ = *SK++;
600
601 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
602 {
603 for( j = 0; j < 4; j++, SK++ )
604 {
605 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
606 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
607 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
608 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
609 }
610 }
611
612 *RK++ = *SK++;
613 *RK++ = *SK++;
614 *RK++ = *SK++;
615 *RK++ = *SK++;
616
617 memset( &cty, 0, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]618
619 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]620}
621
622#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
623{ \
624 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
625 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
626 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
627 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
628 \
629 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
630 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
631 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
632 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
633 \
634 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
635 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
636 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
637 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
638 \
639 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
640 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
641 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
642 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
643}
644
645#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
646{ \
647 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
648 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
649 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
650 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
651 \
652 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
653 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
654 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
655 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
656 \
657 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
658 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
659 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
660 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
661 \
662 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
663 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
664 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
665 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
666}
667
668/*
669 * AES-ECB block encryption/decryption
670 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]671int aes_crypt_ecb( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]672 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]673 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]674 unsigned char output[16] )
675{
676 int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]677 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]678
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]679#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
Manuel Pégourié-Gonnard8eaf20b2013-12-18 19:14:53 +0100[diff] [blame]680 if( aesni_supports( POLARSSL_AESNI_AES ) )
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]681 return( aesni_crypt_ecb( ctx, mode, input, output ) );
682#endif
683
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]684#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]685 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]686 {
687 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]688 return( 0 );
689
690 // If padlock data misaligned, we just fall back to
691 // unaccelerated mode
692 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]693 }
694#endif
695
696 RK = ctx->rk;
697
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]698 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
699 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
700 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
701 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]702
703 if( mode == AES_DECRYPT )
704 {
705 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
706 {
707 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
708 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
709 }
710
711 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
712
713 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]714 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
715 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
716 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
717 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]718
719 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]720 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
721 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
722 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
723 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]724
725 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]726 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
727 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
728 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
729 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]730
731 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]732 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
733 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
734 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
735 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]736 }
737 else /* AES_ENCRYPT */
738 {
739 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
740 {
741 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
742 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
743 }
744
745 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
746
747 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]748 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
749 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
750 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
751 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]752
753 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]754 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
755 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
756 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
757 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]758
759 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]760 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
761 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
762 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
763 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]764
765 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]766 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
767 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
768 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
769 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]770 }
771
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]772 PUT_UINT32_LE( X0, output, 0 );
773 PUT_UINT32_LE( X1, output, 4 );
774 PUT_UINT32_LE( X2, output, 8 );
775 PUT_UINT32_LE( X3, output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]776
777 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]778}
779
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]780#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]781/*
782 * AES-CBC buffer encryption/decryption
783 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]784int aes_crypt_cbc( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]785 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]786 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]787 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]788 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]789 unsigned char *output )
790{
791 int i;
792 unsigned char temp[16];
793
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]794 if( length % 16 )
795 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
796
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]797#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]798 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]799 {
800 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]801 return( 0 );
802
803 // If padlock data misaligned, we just fall back to
804 // unaccelerated mode
805 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]806 }
807#endif
808
809 if( mode == AES_DECRYPT )
810 {
811 while( length > 0 )
812 {
813 memcpy( temp, input, 16 );
814 aes_crypt_ecb( ctx, mode, input, output );
815
816 for( i = 0; i < 16; i++ )
817 output[i] = (unsigned char)( output[i] ^ iv[i] );
818
819 memcpy( iv, temp, 16 );
820
821 input += 16;
822 output += 16;
823 length -= 16;
824 }
825 }
826 else
827 {
828 while( length > 0 )
829 {
830 for( i = 0; i < 16; i++ )
831 output[i] = (unsigned char)( input[i] ^ iv[i] );
832
833 aes_crypt_ecb( ctx, mode, output, output );
834 memcpy( iv, output, 16 );
835
836 input += 16;
837 output += 16;
838 length -= 16;
839 }
840 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]841
842 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]843}
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]844#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]845
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]846#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]847/*
848 * AES-CFB128 buffer encryption/decryption
849 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]850int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]851 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]852 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]853 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]854 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]855 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]856 unsigned char *output )
857{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]858 int c;
859 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]860
861 if( mode == AES_DECRYPT )
862 {
863 while( length-- )
864 {
865 if( n == 0 )
866 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
867
868 c = *input++;
869 *output++ = (unsigned char)( c ^ iv[n] );
870 iv[n] = (unsigned char) c;
871
872 n = (n + 1) & 0x0F;
873 }
874 }
875 else
876 {
877 while( length-- )
878 {
879 if( n == 0 )
880 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
881
882 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
883
884 n = (n + 1) & 0x0F;
885 }
886 }
887
888 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]889
890 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]891}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]892#endif /*POLARSSL_CIPHER_MODE_CFB */
893
894#if defined(POLARSSL_CIPHER_MODE_CTR)
895/*
896 * AES-CTR buffer encryption/decryption
897 */
898int aes_crypt_ctr( aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]899 size_t length,
900 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]901 unsigned char nonce_counter[16],
902 unsigned char stream_block[16],
903 const unsigned char *input,
904 unsigned char *output )
905{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]906 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]907 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]908
909 while( length-- )
910 {
911 if( n == 0 ) {
912 aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
913
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]914 for( i = 16; i > 0; i-- )
915 if( ++nonce_counter[i - 1] != 0 )
916 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]917 }
918 c = *input++;
919 *output++ = (unsigned char)( c ^ stream_block[n] );
920
921 n = (n + 1) & 0x0F;
922 }
923
924 *nc_off = n;
925
926 return( 0 );
927}
928#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]929#endif /* !POLARSSL_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]930
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]931#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]932
933#include <stdio.h>
934
935/*
936 * AES test vectors from:
937 *
938 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
939 */
940static const unsigned char aes_test_ecb_dec[3][16] =
941{
942 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
943 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
944 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
945 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
946 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
947 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
948};
949
950static const unsigned char aes_test_ecb_enc[3][16] =
951{
952 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
953 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
954 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
955 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
956 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
957 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
958};
959
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]960#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]961static const unsigned char aes_test_cbc_dec[3][16] =
962{
963 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
964 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
965 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
966 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
967 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
968 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
969};
970
971static const unsigned char aes_test_cbc_enc[3][16] =
972{
973 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
974 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
975 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
976 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
977 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
978 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
979};
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]980#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]981
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]982#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]983/*
984 * AES-CFB128 test vectors from:
985 *
986 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
987 */
988static const unsigned char aes_test_cfb128_key[3][32] =
989{
990 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
991 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
992 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
993 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
994 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
995 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
996 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
997 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
998 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
999};
1000
1001static const unsigned char aes_test_cfb128_iv[16] =
1002{
1003 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1004 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1005};
1006
1007static const unsigned char aes_test_cfb128_pt[64] =
1008{
1009 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1010 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1011 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1012 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1013 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1014 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1015 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1016 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1017};
1018
1019static const unsigned char aes_test_cfb128_ct[3][64] =
1020{
1021 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1022 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1023 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1024 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1025 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1026 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1027 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1028 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1029 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1030 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1031 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1032 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1033 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1034 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1035 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1036 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1037 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1038 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1039 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1040 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1041 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1042 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1043 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1044 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1045};
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1046#endif /* POLARSSL_CIPHER_MODE_CFB */
1047
1048#if defined(POLARSSL_CIPHER_MODE_CTR)
1049/*
1050 * AES-CTR test vectors from:
1051 *
1052 * http://www.faqs.org/rfcs/rfc3686.html
1053 */
1054
1055static const unsigned char aes_test_ctr_key[3][16] =
1056{
1057 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1058 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1059 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1060 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1061 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1062 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1063};
1064
1065static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1066{
1067 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1068 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1069 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1070 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1071 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1072 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1073};
1074
1075static const unsigned char aes_test_ctr_pt[3][48] =
1076{
1077 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1078 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1079
1080 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1081 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1082 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1083 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1084
1085 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1086 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1087 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1088 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1089 0x20, 0x21, 0x22, 0x23 }
1090};
1091
1092static const unsigned char aes_test_ctr_ct[3][48] =
1093{
1094 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1095 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1096 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1097 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1098 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1099 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1100 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1101 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1102 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1103 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1104 0x25, 0xB2, 0x07, 0x2F }
1105};
1106
1107static const int aes_test_ctr_len[3] =
1108 { 16, 32, 36 };
1109#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1110
1111/*
1112 * Checkup routine
1113 */
1114int aes_self_test( int verbose )
1115{
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1116 int i, j, u, v;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1117 unsigned char key[32];
1118 unsigned char buf[64];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1119 unsigned char iv[16];
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1120#if defined(POLARSSL_CIPHER_MODE_CBC)
1121 unsigned char prv[16];
1122#endif
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1123#if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1124 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1125#endif
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1126#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1127 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1128 unsigned char nonce_counter[16];
1129 unsigned char stream_block[16];
1130#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1131 aes_context ctx;
1132
1133 memset( key, 0, 32 );
1134
1135 /*
1136 * ECB mode
1137 */
1138 for( i = 0; i < 6; i++ )
1139 {
1140 u = i >> 1;
1141 v = i & 1;
1142
1143 if( verbose != 0 )
1144 printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1145 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1146
1147 memset( buf, 0, 16 );
1148
1149 if( v == AES_DECRYPT )
1150 {
1151 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1152
1153 for( j = 0; j < 10000; j++ )
1154 aes_crypt_ecb( &ctx, v, buf, buf );
1155
1156 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1157 {
1158 if( verbose != 0 )
1159 printf( "failed\n" );
1160
1161 return( 1 );
1162 }
1163 }
1164 else
1165 {
1166 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1167
1168 for( j = 0; j < 10000; j++ )
1169 aes_crypt_ecb( &ctx, v, buf, buf );
1170
1171 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1172 {
1173 if( verbose != 0 )
1174 printf( "failed\n" );
1175
1176 return( 1 );
1177 }
1178 }
1179
1180 if( verbose != 0 )
1181 printf( "passed\n" );
1182 }
1183
1184 if( verbose != 0 )
1185 printf( "\n" );
1186
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1187#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1188 /*
1189 * CBC mode
1190 */
1191 for( i = 0; i < 6; i++ )
1192 {
1193 u = i >> 1;
1194 v = i & 1;
1195
1196 if( verbose != 0 )
1197 printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1198 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1199
1200 memset( iv , 0, 16 );
1201 memset( prv, 0, 16 );
1202 memset( buf, 0, 16 );
1203
1204 if( v == AES_DECRYPT )
1205 {
1206 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1207
1208 for( j = 0; j < 10000; j++ )
1209 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1210
1211 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1212 {
1213 if( verbose != 0 )
1214 printf( "failed\n" );
1215
1216 return( 1 );
1217 }
1218 }
1219 else
1220 {
1221 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1222
1223 for( j = 0; j < 10000; j++ )
1224 {
1225 unsigned char tmp[16];
1226
1227 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1228
1229 memcpy( tmp, prv, 16 );
1230 memcpy( prv, buf, 16 );
1231 memcpy( buf, tmp, 16 );
1232 }
1233
1234 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1235 {
1236 if( verbose != 0 )
1237 printf( "failed\n" );
1238
1239 return( 1 );
1240 }
1241 }
1242
1243 if( verbose != 0 )
1244 printf( "passed\n" );
1245 }
1246
1247 if( verbose != 0 )
1248 printf( "\n" );
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1249#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1250
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1251#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1252 /*
1253 * CFB128 mode
1254 */
1255 for( i = 0; i < 6; i++ )
1256 {
1257 u = i >> 1;
1258 v = i & 1;
1259
1260 if( verbose != 0 )
1261 printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1262 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1263
1264 memcpy( iv, aes_test_cfb128_iv, 16 );
1265 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1266
1267 offset = 0;
1268 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1269
1270 if( v == AES_DECRYPT )
1271 {
1272 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1273 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1274
1275 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1276 {
1277 if( verbose != 0 )
1278 printf( "failed\n" );
1279
1280 return( 1 );
1281 }
1282 }
1283 else
1284 {
1285 memcpy( buf, aes_test_cfb128_pt, 64 );
1286 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1287
1288 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1289 {
1290 if( verbose != 0 )
1291 printf( "failed\n" );
1292
1293 return( 1 );
1294 }
1295 }
1296
1297 if( verbose != 0 )
1298 printf( "passed\n" );
1299 }
1300
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1301 if( verbose != 0 )
1302 printf( "\n" );
1303#endif /* POLARSSL_CIPHER_MODE_CFB */
1304
1305#if defined(POLARSSL_CIPHER_MODE_CTR)
1306 /*
1307 * CTR mode
1308 */
1309 for( i = 0; i < 6; i++ )
1310 {
1311 u = i >> 1;
1312 v = i & 1;
1313
1314 if( verbose != 0 )
1315 printf( " AES-CTR-128 (%s): ",
1316 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1317
1318 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1319 memcpy( key, aes_test_ctr_key[u], 16 );
1320
1321 offset = 0;
1322 aes_setkey_enc( &ctx, key, 128 );
1323
1324 if( v == AES_DECRYPT )
1325 {
1326 len = aes_test_ctr_len[u];
1327 memcpy( buf, aes_test_ctr_ct[u], len );
1328
1329 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1330
1331 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1332 {
1333 if( verbose != 0 )
1334 printf( "failed\n" );
1335
1336 return( 1 );
1337 }
1338 }
1339 else
1340 {
1341 len = aes_test_ctr_len[u];
1342 memcpy( buf, aes_test_ctr_pt[u], len );
1343
1344 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1345
1346 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1347 {
1348 if( verbose != 0 )
1349 printf( "failed\n" );
1350
1351 return( 1 );
1352 }
1353 }
1354
1355 if( verbose != 0 )
1356 printf( "passed\n" );
1357 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1358
1359 if( verbose != 0 )
1360 printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1361#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1362
1363 return( 0 );
1364}
1365
1366#endif
1367
1368#endif