TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 39dfdaca8f19a157bb95e2b544f44c4c3f13134f / . / library / aes.c
blob: 7bccdf93a10258b111778d25b646439e351bce34 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]4 * Copyright (C) 2006-2010, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27 *
28 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30 */
31
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]32#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#include "polarssl/aes.h"
37#include "polarssl/padlock.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]38
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]39/*
40 * 32-bit integer manipulation macros (little endian)
41 */
42#ifndef GET_ULONG_LE
43#define GET_ULONG_LE(n,b,i) \
44{ \
45 (n) = ( (unsigned long) (b)[(i) ] ) \
46 | ( (unsigned long) (b)[(i) + 1] << 8 ) \
47 | ( (unsigned long) (b)[(i) + 2] << 16 ) \
48 | ( (unsigned long) (b)[(i) + 3] << 24 ); \
49}
50#endif
51
52#ifndef PUT_ULONG_LE
53#define PUT_ULONG_LE(n,b,i) \
54{ \
55 (b)[(i) ] = (unsigned char) ( (n) ); \
56 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
57 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
58 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
59}
60#endif
61
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]62#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]63/*
64 * Forward S-box
65 */
66static const unsigned char FSb[256] =
67{
68 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
69 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
70 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
71 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
72 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
73 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
74 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
75 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
76 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
77 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
78 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
79 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
80 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
81 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
82 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
83 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
84 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
85 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
86 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
87 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
88 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
89 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
90 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
91 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
92 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
93 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
94 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
95 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
96 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
97 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
98 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
99 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
100};
101
102/*
103 * Forward tables
104 */
105#define FT \
106\
107 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
108 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
109 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
110 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
111 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
112 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
113 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
114 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
115 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
116 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
117 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
118 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
119 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
120 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
121 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
122 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
123 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
124 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
125 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
126 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
127 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
128 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
129 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
130 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
131 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
132 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
133 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
134 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
135 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
136 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
137 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
138 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
139 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
140 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
141 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
142 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
143 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
144 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
145 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
146 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
147 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
148 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
149 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
150 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
151 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
152 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
153 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
154 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
155 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
156 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
157 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
158 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
159 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
160 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
161 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
162 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
163 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
164 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
165 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
166 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
167 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
168 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
169 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
170 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
171
172#define V(a,b,c,d) 0x##a##b##c##d
173static const unsigned long FT0[256] = { FT };
174#undef V
175
176#define V(a,b,c,d) 0x##b##c##d##a
177static const unsigned long FT1[256] = { FT };
178#undef V
179
180#define V(a,b,c,d) 0x##c##d##a##b
181static const unsigned long FT2[256] = { FT };
182#undef V
183
184#define V(a,b,c,d) 0x##d##a##b##c
185static const unsigned long FT3[256] = { FT };
186#undef V
187
188#undef FT
189
190/*
191 * Reverse S-box
192 */
193static const unsigned char RSb[256] =
194{
195 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
196 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
197 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
198 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
199 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
200 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
201 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
202 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
203 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
204 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
205 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
206 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
207 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
208 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
209 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
210 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
211 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
212 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
213 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
214 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
215 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
216 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
217 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
218 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
219 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
220 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
221 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
222 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
223 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
224 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
225 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
226 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
227};
228
229/*
230 * Reverse tables
231 */
232#define RT \
233\
234 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
235 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
236 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
237 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
238 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
239 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
240 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
241 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
242 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
243 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
244 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
245 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
246 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
247 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
248 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
249 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
250 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
251 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
252 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
253 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
254 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
255 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
256 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
257 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
258 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
259 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
260 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
261 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
262 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
263 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
264 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
265 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
266 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
267 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
268 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
269 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
270 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
271 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
272 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
273 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
274 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
275 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
276 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
277 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
278 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
279 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
280 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
281 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
282 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
283 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
284 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
285 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
286 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
287 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
288 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
289 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
290 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
291 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
292 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
293 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
294 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
295 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
296 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
297 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
298
299#define V(a,b,c,d) 0x##a##b##c##d
300static const unsigned long RT0[256] = { RT };
301#undef V
302
303#define V(a,b,c,d) 0x##b##c##d##a
304static const unsigned long RT1[256] = { RT };
305#undef V
306
307#define V(a,b,c,d) 0x##c##d##a##b
308static const unsigned long RT2[256] = { RT };
309#undef V
310
311#define V(a,b,c,d) 0x##d##a##b##c
312static const unsigned long RT3[256] = { RT };
313#undef V
314
315#undef RT
316
317/*
318 * Round constants
319 */
320static const unsigned long RCON[10] =
321{
322 0x00000001, 0x00000002, 0x00000004, 0x00000008,
323 0x00000010, 0x00000020, 0x00000040, 0x00000080,
324 0x0000001B, 0x00000036
325};
326
327#else
328
329/*
330 * Forward S-box & tables
331 */
332static unsigned char FSb[256];
333static unsigned long FT0[256];
334static unsigned long FT1[256];
335static unsigned long FT2[256];
336static unsigned long FT3[256];
337
338/*
339 * Reverse S-box & tables
340 */
341static unsigned char RSb[256];
342static unsigned long RT0[256];
343static unsigned long RT1[256];
344static unsigned long RT2[256];
345static unsigned long RT3[256];
346
347/*
348 * Round constants
349 */
350static unsigned long RCON[10];
351
352/*
353 * Tables generation code
354 */
355#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
356#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
357#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
358
359static int aes_init_done = 0;
360
361static void aes_gen_tables( void )
362{
363 int i, x, y, z;
364 int pow[256];
365 int log[256];
366
367 /*
368 * compute pow and log tables over GF(2^8)
369 */
370 for( i = 0, x = 1; i < 256; i++ )
371 {
372 pow[i] = x;
373 log[x] = i;
374 x = ( x ^ XTIME( x ) ) & 0xFF;
375 }
376
377 /*
378 * calculate the round constants
379 */
380 for( i = 0, x = 1; i < 10; i++ )
381 {
382 RCON[i] = (unsigned long) x;
383 x = XTIME( x ) & 0xFF;
384 }
385
386 /*
387 * generate the forward and reverse S-boxes
388 */
389 FSb[0x00] = 0x63;
390 RSb[0x63] = 0x00;
391
392 for( i = 1; i < 256; i++ )
393 {
394 x = pow[255 - log[i]];
395
396 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
397 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
398 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
399 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
400 x ^= y ^ 0x63;
401
402 FSb[i] = (unsigned char) x;
403 RSb[x] = (unsigned char) i;
404 }
405
406 /*
407 * generate the forward and reverse tables
408 */
409 for( i = 0; i < 256; i++ )
410 {
411 x = FSb[i];
412 y = XTIME( x ) & 0xFF;
413 z = ( y ^ x ) & 0xFF;
414
415 FT0[i] = ( (unsigned long) y ) ^
416 ( (unsigned long) x << 8 ) ^
417 ( (unsigned long) x << 16 ) ^
418 ( (unsigned long) z << 24 );
419
420 FT1[i] = ROTL8( FT0[i] );
421 FT2[i] = ROTL8( FT1[i] );
422 FT3[i] = ROTL8( FT2[i] );
423
424 x = RSb[i];
425
426 RT0[i] = ( (unsigned long) MUL( 0x0E, x ) ) ^
427 ( (unsigned long) MUL( 0x09, x ) << 8 ) ^
428 ( (unsigned long) MUL( 0x0D, x ) << 16 ) ^
429 ( (unsigned long) MUL( 0x0B, x ) << 24 );
430
431 RT1[i] = ROTL8( RT0[i] );
432 RT2[i] = ROTL8( RT1[i] );
433 RT3[i] = ROTL8( RT2[i] );
434 }
435}
436
437#endif
438
439/*
440 * AES key schedule (encryption)
441 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]442int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]443{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]444 unsigned int i;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]445 unsigned long *RK;
446
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]447#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]448 if( aes_init_done == 0 )
449 {
450 aes_gen_tables();
451 aes_init_done = 1;
452 }
453#endif
454
455 switch( keysize )
456 {
457 case 128: ctx->nr = 10; break;
458 case 192: ctx->nr = 12; break;
459 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]460 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]461 }
462
463#if defined(PADLOCK_ALIGN16)
464 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
465#else
466 ctx->rk = RK = ctx->buf;
467#endif
468
469 for( i = 0; i < (keysize >> 5); i++ )
470 {
471 GET_ULONG_LE( RK[i], key, i << 2 );
472 }
473
474 switch( ctx->nr )
475 {
476 case 10:
477
478 for( i = 0; i < 10; i++, RK += 4 )
479 {
480 RK[4] = RK[0] ^ RCON[i] ^
481 ( (unsigned long) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
482 ( (unsigned long) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
483 ( (unsigned long) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
484 ( (unsigned long) FSb[ ( RK[3] ) & 0xFF ] << 24 );
485
486 RK[5] = RK[1] ^ RK[4];
487 RK[6] = RK[2] ^ RK[5];
488 RK[7] = RK[3] ^ RK[6];
489 }
490 break;
491
492 case 12:
493
494 for( i = 0; i < 8; i++, RK += 6 )
495 {
496 RK[6] = RK[0] ^ RCON[i] ^
497 ( (unsigned long) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
498 ( (unsigned long) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
499 ( (unsigned long) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
500 ( (unsigned long) FSb[ ( RK[5] ) & 0xFF ] << 24 );
501
502 RK[7] = RK[1] ^ RK[6];
503 RK[8] = RK[2] ^ RK[7];
504 RK[9] = RK[3] ^ RK[8];
505 RK[10] = RK[4] ^ RK[9];
506 RK[11] = RK[5] ^ RK[10];
507 }
508 break;
509
510 case 14:
511
512 for( i = 0; i < 7; i++, RK += 8 )
513 {
514 RK[8] = RK[0] ^ RCON[i] ^
515 ( (unsigned long) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
516 ( (unsigned long) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
517 ( (unsigned long) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
518 ( (unsigned long) FSb[ ( RK[7] ) & 0xFF ] << 24 );
519
520 RK[9] = RK[1] ^ RK[8];
521 RK[10] = RK[2] ^ RK[9];
522 RK[11] = RK[3] ^ RK[10];
523
524 RK[12] = RK[4] ^
525 ( (unsigned long) FSb[ ( RK[11] ) & 0xFF ] ) ^
526 ( (unsigned long) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
527 ( (unsigned long) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
528 ( (unsigned long) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
529
530 RK[13] = RK[5] ^ RK[12];
531 RK[14] = RK[6] ^ RK[13];
532 RK[15] = RK[7] ^ RK[14];
533 }
534 break;
535
536 default:
537
538 break;
539 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]540
541 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]542}
543
544/*
545 * AES key schedule (decryption)
546 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]547int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]548{
549 int i, j;
550 aes_context cty;
551 unsigned long *RK;
552 unsigned long *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]553 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]554
555 switch( keysize )
556 {
557 case 128: ctx->nr = 10; break;
558 case 192: ctx->nr = 12; break;
559 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]560 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]561 }
562
563#if defined(PADLOCK_ALIGN16)
564 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
565#else
566 ctx->rk = RK = ctx->buf;
567#endif
568
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]569 ret = aes_setkey_enc( &cty, key, keysize );
570 if( ret != 0 )
571 return( ret );
572
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]573 SK = cty.rk + cty.nr * 4;
574
575 *RK++ = *SK++;
576 *RK++ = *SK++;
577 *RK++ = *SK++;
578 *RK++ = *SK++;
579
580 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
581 {
582 for( j = 0; j < 4; j++, SK++ )
583 {
584 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
585 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
586 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
587 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
588 }
589 }
590
591 *RK++ = *SK++;
592 *RK++ = *SK++;
593 *RK++ = *SK++;
594 *RK++ = *SK++;
595
596 memset( &cty, 0, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]597
598 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]599}
600
601#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
602{ \
603 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
604 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
605 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
606 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
607 \
608 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
609 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
610 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
611 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
612 \
613 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
614 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
615 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
616 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
617 \
618 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
619 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
620 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
621 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
622}
623
624#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
625{ \
626 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
627 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
628 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
629 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
630 \
631 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
632 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
633 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
634 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
635 \
636 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
637 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
638 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
639 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
640 \
641 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
642 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
643 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
644 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
645}
646
647/*
648 * AES-ECB block encryption/decryption
649 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]650int aes_crypt_ecb( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]651 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]652 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]653 unsigned char output[16] )
654{
655 int i;
656 unsigned long *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
657
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]658#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]659 if( padlock_supports( PADLOCK_ACE ) )
660 {
661 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]662 return( 0 );
663
664 // If padlock data misaligned, we just fall back to
665 // unaccelerated mode
666 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]667 }
668#endif
669
670 RK = ctx->rk;
671
672 GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
673 GET_ULONG_LE( X1, input, 4 ); X1 ^= *RK++;
674 GET_ULONG_LE( X2, input, 8 ); X2 ^= *RK++;
675 GET_ULONG_LE( X3, input, 12 ); X3 ^= *RK++;
676
677 if( mode == AES_DECRYPT )
678 {
679 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
680 {
681 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
682 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
683 }
684
685 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
686
687 X0 = *RK++ ^ \
688 ( (unsigned long) RSb[ ( Y0 ) & 0xFF ] ) ^
689 ( (unsigned long) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
690 ( (unsigned long) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
691 ( (unsigned long) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
692
693 X1 = *RK++ ^ \
694 ( (unsigned long) RSb[ ( Y1 ) & 0xFF ] ) ^
695 ( (unsigned long) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
696 ( (unsigned long) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
697 ( (unsigned long) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
698
699 X2 = *RK++ ^ \
700 ( (unsigned long) RSb[ ( Y2 ) & 0xFF ] ) ^
701 ( (unsigned long) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
702 ( (unsigned long) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
703 ( (unsigned long) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
704
705 X3 = *RK++ ^ \
706 ( (unsigned long) RSb[ ( Y3 ) & 0xFF ] ) ^
707 ( (unsigned long) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
708 ( (unsigned long) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
709 ( (unsigned long) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
710 }
711 else /* AES_ENCRYPT */
712 {
713 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
714 {
715 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
716 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
717 }
718
719 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
720
721 X0 = *RK++ ^ \
722 ( (unsigned long) FSb[ ( Y0 ) & 0xFF ] ) ^
723 ( (unsigned long) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
724 ( (unsigned long) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
725 ( (unsigned long) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
726
727 X1 = *RK++ ^ \
728 ( (unsigned long) FSb[ ( Y1 ) & 0xFF ] ) ^
729 ( (unsigned long) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
730 ( (unsigned long) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
731 ( (unsigned long) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
732
733 X2 = *RK++ ^ \
734 ( (unsigned long) FSb[ ( Y2 ) & 0xFF ] ) ^
735 ( (unsigned long) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
736 ( (unsigned long) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
737 ( (unsigned long) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
738
739 X3 = *RK++ ^ \
740 ( (unsigned long) FSb[ ( Y3 ) & 0xFF ] ) ^
741 ( (unsigned long) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
742 ( (unsigned long) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
743 ( (unsigned long) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
744 }
745
746 PUT_ULONG_LE( X0, output, 0 );
747 PUT_ULONG_LE( X1, output, 4 );
748 PUT_ULONG_LE( X2, output, 8 );
749 PUT_ULONG_LE( X3, output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]750
751 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]752}
753
754/*
755 * AES-CBC buffer encryption/decryption
756 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]757int aes_crypt_cbc( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]758 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]759 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]760 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]761 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]762 unsigned char *output )
763{
764 int i;
765 unsigned char temp[16];
766
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]767 if( length % 16 )
768 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
769
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]770#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]771 if( padlock_supports( PADLOCK_ACE ) )
772 {
773 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]774 return( 0 );
775
776 // If padlock data misaligned, we just fall back to
777 // unaccelerated mode
778 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]779 }
780#endif
781
782 if( mode == AES_DECRYPT )
783 {
784 while( length > 0 )
785 {
786 memcpy( temp, input, 16 );
787 aes_crypt_ecb( ctx, mode, input, output );
788
789 for( i = 0; i < 16; i++ )
790 output[i] = (unsigned char)( output[i] ^ iv[i] );
791
792 memcpy( iv, temp, 16 );
793
794 input += 16;
795 output += 16;
796 length -= 16;
797 }
798 }
799 else
800 {
801 while( length > 0 )
802 {
803 for( i = 0; i < 16; i++ )
804 output[i] = (unsigned char)( input[i] ^ iv[i] );
805
806 aes_crypt_ecb( ctx, mode, output, output );
807 memcpy( iv, output, 16 );
808
809 input += 16;
810 output += 16;
811 length -= 16;
812 }
813 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]814
815 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]816}
817
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]818#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]819/*
820 * AES-CFB128 buffer encryption/decryption
821 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]822int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]823 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]824 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]825 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]826 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]827 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]828 unsigned char *output )
829{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]830 int c;
831 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]832
833 if( mode == AES_DECRYPT )
834 {
835 while( length-- )
836 {
837 if( n == 0 )
838 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
839
840 c = *input++;
841 *output++ = (unsigned char)( c ^ iv[n] );
842 iv[n] = (unsigned char) c;
843
844 n = (n + 1) & 0x0F;
845 }
846 }
847 else
848 {
849 while( length-- )
850 {
851 if( n == 0 )
852 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
853
854 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
855
856 n = (n + 1) & 0x0F;
857 }
858 }
859
860 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]861
862 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]863}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]864#endif /*POLARSSL_CIPHER_MODE_CFB */
865
866#if defined(POLARSSL_CIPHER_MODE_CTR)
867/*
868 * AES-CTR buffer encryption/decryption
869 */
870int aes_crypt_ctr( aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]871 size_t length,
872 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]873 unsigned char nonce_counter[16],
874 unsigned char stream_block[16],
875 const unsigned char *input,
876 unsigned char *output )
877{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]878 int c, i, cb;
879 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]880
881 while( length-- )
882 {
883 if( n == 0 ) {
884 aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
885
886 i = 15;
887 do {
888 nonce_counter[i]++;
889 cb = nonce_counter[i] == 0;
890 } while( i-- && cb );
891
892 }
893 c = *input++;
894 *output++ = (unsigned char)( c ^ stream_block[n] );
895
896 n = (n + 1) & 0x0F;
897 }
898
899 *nc_off = n;
900
901 return( 0 );
902}
903#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]904
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]905#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]906
907#include <stdio.h>
908
909/*
910 * AES test vectors from:
911 *
912 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
913 */
914static const unsigned char aes_test_ecb_dec[3][16] =
915{
916 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
917 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
918 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
919 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
920 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
921 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
922};
923
924static const unsigned char aes_test_ecb_enc[3][16] =
925{
926 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
927 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
928 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
929 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
930 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
931 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
932};
933
934static const unsigned char aes_test_cbc_dec[3][16] =
935{
936 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
937 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
938 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
939 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
940 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
941 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
942};
943
944static const unsigned char aes_test_cbc_enc[3][16] =
945{
946 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
947 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
948 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
949 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
950 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
951 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
952};
953
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]954#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]955/*
956 * AES-CFB128 test vectors from:
957 *
958 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
959 */
960static const unsigned char aes_test_cfb128_key[3][32] =
961{
962 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
963 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
964 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
965 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
966 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
967 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
968 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
969 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
970 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
971};
972
973static const unsigned char aes_test_cfb128_iv[16] =
974{
975 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
976 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
977};
978
979static const unsigned char aes_test_cfb128_pt[64] =
980{
981 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
982 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
983 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
984 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
985 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
986 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
987 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
988 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
989};
990
991static const unsigned char aes_test_cfb128_ct[3][64] =
992{
993 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
994 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
995 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
996 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
997 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
998 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
999 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1000 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1001 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1002 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1003 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1004 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1005 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1006 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1007 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1008 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1009 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1010 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1011 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1012 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1013 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1014 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1015 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1016 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1017};
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1018#endif /* POLARSSL_CIPHER_MODE_CFB */
1019
1020#if defined(POLARSSL_CIPHER_MODE_CTR)
1021/*
1022 * AES-CTR test vectors from:
1023 *
1024 * http://www.faqs.org/rfcs/rfc3686.html
1025 */
1026
1027static const unsigned char aes_test_ctr_key[3][16] =
1028{
1029 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1030 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1031 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1032 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1033 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1034 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1035};
1036
1037static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1038{
1039 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1040 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1041 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1042 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1043 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1044 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1045};
1046
1047static const unsigned char aes_test_ctr_pt[3][48] =
1048{
1049 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1050 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1051
1052 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1053 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1054 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1055 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1056
1057 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1058 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1059 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1060 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1061 0x20, 0x21, 0x22, 0x23 }
1062};
1063
1064static const unsigned char aes_test_ctr_ct[3][48] =
1065{
1066 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1067 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1068 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1069 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1070 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1071 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1072 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1073 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1074 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1075 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1076 0x25, 0xB2, 0x07, 0x2F }
1077};
1078
1079static const int aes_test_ctr_len[3] =
1080 { 16, 32, 36 };
1081#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1082
1083/*
1084 * Checkup routine
1085 */
1086int aes_self_test( int verbose )
1087{
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1088 int i, j, u, v;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1089 unsigned char key[32];
1090 unsigned char buf[64];
1091 unsigned char prv[16];
1092 unsigned char iv[16];
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1093#if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1094 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1095#endif
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1096#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1097 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1098 unsigned char nonce_counter[16];
1099 unsigned char stream_block[16];
1100#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1101 aes_context ctx;
1102
1103 memset( key, 0, 32 );
1104
1105 /*
1106 * ECB mode
1107 */
1108 for( i = 0; i < 6; i++ )
1109 {
1110 u = i >> 1;
1111 v = i & 1;
1112
1113 if( verbose != 0 )
1114 printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1115 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1116
1117 memset( buf, 0, 16 );
1118
1119 if( v == AES_DECRYPT )
1120 {
1121 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1122
1123 for( j = 0; j < 10000; j++ )
1124 aes_crypt_ecb( &ctx, v, buf, buf );
1125
1126 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1127 {
1128 if( verbose != 0 )
1129 printf( "failed\n" );
1130
1131 return( 1 );
1132 }
1133 }
1134 else
1135 {
1136 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1137
1138 for( j = 0; j < 10000; j++ )
1139 aes_crypt_ecb( &ctx, v, buf, buf );
1140
1141 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1142 {
1143 if( verbose != 0 )
1144 printf( "failed\n" );
1145
1146 return( 1 );
1147 }
1148 }
1149
1150 if( verbose != 0 )
1151 printf( "passed\n" );
1152 }
1153
1154 if( verbose != 0 )
1155 printf( "\n" );
1156
1157 /*
1158 * CBC mode
1159 */
1160 for( i = 0; i < 6; i++ )
1161 {
1162 u = i >> 1;
1163 v = i & 1;
1164
1165 if( verbose != 0 )
1166 printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1167 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1168
1169 memset( iv , 0, 16 );
1170 memset( prv, 0, 16 );
1171 memset( buf, 0, 16 );
1172
1173 if( v == AES_DECRYPT )
1174 {
1175 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1176
1177 for( j = 0; j < 10000; j++ )
1178 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1179
1180 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1181 {
1182 if( verbose != 0 )
1183 printf( "failed\n" );
1184
1185 return( 1 );
1186 }
1187 }
1188 else
1189 {
1190 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1191
1192 for( j = 0; j < 10000; j++ )
1193 {
1194 unsigned char tmp[16];
1195
1196 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1197
1198 memcpy( tmp, prv, 16 );
1199 memcpy( prv, buf, 16 );
1200 memcpy( buf, tmp, 16 );
1201 }
1202
1203 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1204 {
1205 if( verbose != 0 )
1206 printf( "failed\n" );
1207
1208 return( 1 );
1209 }
1210 }
1211
1212 if( verbose != 0 )
1213 printf( "passed\n" );
1214 }
1215
1216 if( verbose != 0 )
1217 printf( "\n" );
1218
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1219#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1220 /*
1221 * CFB128 mode
1222 */
1223 for( i = 0; i < 6; i++ )
1224 {
1225 u = i >> 1;
1226 v = i & 1;
1227
1228 if( verbose != 0 )
1229 printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1230 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1231
1232 memcpy( iv, aes_test_cfb128_iv, 16 );
1233 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1234
1235 offset = 0;
1236 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1237
1238 if( v == AES_DECRYPT )
1239 {
1240 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1241 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1242
1243 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1244 {
1245 if( verbose != 0 )
1246 printf( "failed\n" );
1247
1248 return( 1 );
1249 }
1250 }
1251 else
1252 {
1253 memcpy( buf, aes_test_cfb128_pt, 64 );
1254 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1255
1256 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1257 {
1258 if( verbose != 0 )
1259 printf( "failed\n" );
1260
1261 return( 1 );
1262 }
1263 }
1264
1265 if( verbose != 0 )
1266 printf( "passed\n" );
1267 }
1268
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1269 if( verbose != 0 )
1270 printf( "\n" );
1271#endif /* POLARSSL_CIPHER_MODE_CFB */
1272
1273#if defined(POLARSSL_CIPHER_MODE_CTR)
1274 /*
1275 * CTR mode
1276 */
1277 for( i = 0; i < 6; i++ )
1278 {
1279 u = i >> 1;
1280 v = i & 1;
1281
1282 if( verbose != 0 )
1283 printf( " AES-CTR-128 (%s): ",
1284 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1285
1286 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1287 memcpy( key, aes_test_ctr_key[u], 16 );
1288
1289 offset = 0;
1290 aes_setkey_enc( &ctx, key, 128 );
1291
1292 if( v == AES_DECRYPT )
1293 {
1294 len = aes_test_ctr_len[u];
1295 memcpy( buf, aes_test_ctr_ct[u], len );
1296
1297 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1298
1299 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1300 {
1301 if( verbose != 0 )
1302 printf( "failed\n" );
1303
1304 return( 1 );
1305 }
1306 }
1307 else
1308 {
1309 len = aes_test_ctr_len[u];
1310 memcpy( buf, aes_test_ctr_pt[u], len );
1311
1312 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1313
1314 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1315 {
1316 if( verbose != 0 )
1317 printf( "failed\n" );
1318
1319 return( 1 );
1320 }
1321 }
1322
1323 if( verbose != 0 )
1324 printf( "passed\n" );
1325 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1326
1327 if( verbose != 0 )
1328 printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1329#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1330
1331 return( 0 );
1332}
1333
1334#endif
1335
1336#endif