TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 27db1f52606db454c70d84506d167fee571b8e74 / . / library / aes.c
blob: 003325d186fd5f0f3351aba429f853f50f7d279a [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]4 * Based on XySSL: Copyright (C) 2006-2008 Christophe Devine
5 *
Paul Bakker27db1f52009-01-25 15:27:00 +0000[diff] [blame^]6 * Copyright (C) 2009 Paul Bakker <polarssl_maintainer at polarssl dot org>
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22/*
23 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
24 *
25 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
26 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
27 */
28
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]29#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]30
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]31#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]32
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]33#include "polarssl/aes.h"
34#include "polarssl/padlock.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
36#include <string.h>
37
38/*
39 * 32-bit integer manipulation macros (little endian)
40 */
41#ifndef GET_ULONG_LE
42#define GET_ULONG_LE(n,b,i) \
43{ \
44 (n) = ( (unsigned long) (b)[(i) ] ) \
45 | ( (unsigned long) (b)[(i) + 1] << 8 ) \
46 | ( (unsigned long) (b)[(i) + 2] << 16 ) \
47 | ( (unsigned long) (b)[(i) + 3] << 24 ); \
48}
49#endif
50
51#ifndef PUT_ULONG_LE
52#define PUT_ULONG_LE(n,b,i) \
53{ \
54 (b)[(i) ] = (unsigned char) ( (n) ); \
55 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
56 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
57 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
58}
59#endif
60
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]61#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]62/*
63 * Forward S-box
64 */
65static const unsigned char FSb[256] =
66{
67 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
68 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
69 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
70 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
71 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
72 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
73 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
74 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
75 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
76 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
77 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
78 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
79 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
80 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
81 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
82 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
83 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
84 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
85 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
86 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
87 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
88 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
89 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
90 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
91 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
92 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
93 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
94 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
95 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
96 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
97 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
98 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
99};
100
101/*
102 * Forward tables
103 */
104#define FT \
105\
106 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
107 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
108 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
109 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
110 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
111 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
112 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
113 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
114 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
115 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
116 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
117 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
118 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
119 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
120 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
121 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
122 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
123 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
124 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
125 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
126 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
127 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
128 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
129 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
130 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
131 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
132 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
133 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
134 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
135 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
136 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
137 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
138 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
139 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
140 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
141 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
142 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
143 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
144 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
145 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
146 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
147 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
148 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
149 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
150 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
151 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
152 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
153 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
154 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
155 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
156 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
157 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
158 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
159 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
160 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
161 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
162 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
163 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
164 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
165 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
166 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
167 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
168 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
169 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
170
171#define V(a,b,c,d) 0x##a##b##c##d
172static const unsigned long FT0[256] = { FT };
173#undef V
174
175#define V(a,b,c,d) 0x##b##c##d##a
176static const unsigned long FT1[256] = { FT };
177#undef V
178
179#define V(a,b,c,d) 0x##c##d##a##b
180static const unsigned long FT2[256] = { FT };
181#undef V
182
183#define V(a,b,c,d) 0x##d##a##b##c
184static const unsigned long FT3[256] = { FT };
185#undef V
186
187#undef FT
188
189/*
190 * Reverse S-box
191 */
192static const unsigned char RSb[256] =
193{
194 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
195 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
196 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
197 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
198 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
199 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
200 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
201 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
202 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
203 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
204 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
205 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
206 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
207 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
208 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
209 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
210 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
211 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
212 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
213 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
214 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
215 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
216 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
217 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
218 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
219 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
220 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
221 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
222 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
223 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
224 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
225 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
226};
227
228/*
229 * Reverse tables
230 */
231#define RT \
232\
233 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
234 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
235 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
236 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
237 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
238 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
239 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
240 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
241 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
242 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
243 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
244 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
245 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
246 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
247 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
248 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
249 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
250 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
251 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
252 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
253 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
254 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
255 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
256 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
257 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
258 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
259 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
260 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
261 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
262 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
263 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
264 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
265 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
266 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
267 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
268 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
269 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
270 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
271 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
272 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
273 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
274 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
275 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
276 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
277 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
278 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
279 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
280 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
281 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
282 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
283 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
284 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
285 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
286 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
287 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
288 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
289 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
290 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
291 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
292 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
293 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
294 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
295 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
296 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
297
298#define V(a,b,c,d) 0x##a##b##c##d
299static const unsigned long RT0[256] = { RT };
300#undef V
301
302#define V(a,b,c,d) 0x##b##c##d##a
303static const unsigned long RT1[256] = { RT };
304#undef V
305
306#define V(a,b,c,d) 0x##c##d##a##b
307static const unsigned long RT2[256] = { RT };
308#undef V
309
310#define V(a,b,c,d) 0x##d##a##b##c
311static const unsigned long RT3[256] = { RT };
312#undef V
313
314#undef RT
315
316/*
317 * Round constants
318 */
319static const unsigned long RCON[10] =
320{
321 0x00000001, 0x00000002, 0x00000004, 0x00000008,
322 0x00000010, 0x00000020, 0x00000040, 0x00000080,
323 0x0000001B, 0x00000036
324};
325
326#else
327
328/*
329 * Forward S-box & tables
330 */
331static unsigned char FSb[256];
332static unsigned long FT0[256];
333static unsigned long FT1[256];
334static unsigned long FT2[256];
335static unsigned long FT3[256];
336
337/*
338 * Reverse S-box & tables
339 */
340static unsigned char RSb[256];
341static unsigned long RT0[256];
342static unsigned long RT1[256];
343static unsigned long RT2[256];
344static unsigned long RT3[256];
345
346/*
347 * Round constants
348 */
349static unsigned long RCON[10];
350
351/*
352 * Tables generation code
353 */
354#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
355#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
356#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
357
358static int aes_init_done = 0;
359
360static void aes_gen_tables( void )
361{
362 int i, x, y, z;
363 int pow[256];
364 int log[256];
365
366 /*
367 * compute pow and log tables over GF(2^8)
368 */
369 for( i = 0, x = 1; i < 256; i++ )
370 {
371 pow[i] = x;
372 log[x] = i;
373 x = ( x ^ XTIME( x ) ) & 0xFF;
374 }
375
376 /*
377 * calculate the round constants
378 */
379 for( i = 0, x = 1; i < 10; i++ )
380 {
381 RCON[i] = (unsigned long) x;
382 x = XTIME( x ) & 0xFF;
383 }
384
385 /*
386 * generate the forward and reverse S-boxes
387 */
388 FSb[0x00] = 0x63;
389 RSb[0x63] = 0x00;
390
391 for( i = 1; i < 256; i++ )
392 {
393 x = pow[255 - log[i]];
394
395 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
396 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
397 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
398 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
399 x ^= y ^ 0x63;
400
401 FSb[i] = (unsigned char) x;
402 RSb[x] = (unsigned char) i;
403 }
404
405 /*
406 * generate the forward and reverse tables
407 */
408 for( i = 0; i < 256; i++ )
409 {
410 x = FSb[i];
411 y = XTIME( x ) & 0xFF;
412 z = ( y ^ x ) & 0xFF;
413
414 FT0[i] = ( (unsigned long) y ) ^
415 ( (unsigned long) x << 8 ) ^
416 ( (unsigned long) x << 16 ) ^
417 ( (unsigned long) z << 24 );
418
419 FT1[i] = ROTL8( FT0[i] );
420 FT2[i] = ROTL8( FT1[i] );
421 FT3[i] = ROTL8( FT2[i] );
422
423 x = RSb[i];
424
425 RT0[i] = ( (unsigned long) MUL( 0x0E, x ) ) ^
426 ( (unsigned long) MUL( 0x09, x ) << 8 ) ^
427 ( (unsigned long) MUL( 0x0D, x ) << 16 ) ^
428 ( (unsigned long) MUL( 0x0B, x ) << 24 );
429
430 RT1[i] = ROTL8( RT0[i] );
431 RT2[i] = ROTL8( RT1[i] );
432 RT3[i] = ROTL8( RT2[i] );
433 }
434}
435
436#endif
437
438/*
439 * AES key schedule (encryption)
440 */
441void aes_setkey_enc( aes_context *ctx, unsigned char *key, int keysize )
442{
443 int i;
444 unsigned long *RK;
445
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]446#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]447 if( aes_init_done == 0 )
448 {
449 aes_gen_tables();
450 aes_init_done = 1;
451 }
452#endif
453
454 switch( keysize )
455 {
456 case 128: ctx->nr = 10; break;
457 case 192: ctx->nr = 12; break;
458 case 256: ctx->nr = 14; break;
459 default : return;
460 }
461
462#if defined(PADLOCK_ALIGN16)
463 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
464#else
465 ctx->rk = RK = ctx->buf;
466#endif
467
468 for( i = 0; i < (keysize >> 5); i++ )
469 {
470 GET_ULONG_LE( RK[i], key, i << 2 );
471 }
472
473 switch( ctx->nr )
474 {
475 case 10:
476
477 for( i = 0; i < 10; i++, RK += 4 )
478 {
479 RK[4] = RK[0] ^ RCON[i] ^
480 ( (unsigned long) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
481 ( (unsigned long) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
482 ( (unsigned long) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
483 ( (unsigned long) FSb[ ( RK[3] ) & 0xFF ] << 24 );
484
485 RK[5] = RK[1] ^ RK[4];
486 RK[6] = RK[2] ^ RK[5];
487 RK[7] = RK[3] ^ RK[6];
488 }
489 break;
490
491 case 12:
492
493 for( i = 0; i < 8; i++, RK += 6 )
494 {
495 RK[6] = RK[0] ^ RCON[i] ^
496 ( (unsigned long) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
497 ( (unsigned long) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
498 ( (unsigned long) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
499 ( (unsigned long) FSb[ ( RK[5] ) & 0xFF ] << 24 );
500
501 RK[7] = RK[1] ^ RK[6];
502 RK[8] = RK[2] ^ RK[7];
503 RK[9] = RK[3] ^ RK[8];
504 RK[10] = RK[4] ^ RK[9];
505 RK[11] = RK[5] ^ RK[10];
506 }
507 break;
508
509 case 14:
510
511 for( i = 0; i < 7; i++, RK += 8 )
512 {
513 RK[8] = RK[0] ^ RCON[i] ^
514 ( (unsigned long) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
515 ( (unsigned long) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
516 ( (unsigned long) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
517 ( (unsigned long) FSb[ ( RK[7] ) & 0xFF ] << 24 );
518
519 RK[9] = RK[1] ^ RK[8];
520 RK[10] = RK[2] ^ RK[9];
521 RK[11] = RK[3] ^ RK[10];
522
523 RK[12] = RK[4] ^
524 ( (unsigned long) FSb[ ( RK[11] ) & 0xFF ] ) ^
525 ( (unsigned long) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
526 ( (unsigned long) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
527 ( (unsigned long) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
528
529 RK[13] = RK[5] ^ RK[12];
530 RK[14] = RK[6] ^ RK[13];
531 RK[15] = RK[7] ^ RK[14];
532 }
533 break;
534
535 default:
536
537 break;
538 }
539}
540
541/*
542 * AES key schedule (decryption)
543 */
544void aes_setkey_dec( aes_context *ctx, unsigned char *key, int keysize )
545{
546 int i, j;
547 aes_context cty;
548 unsigned long *RK;
549 unsigned long *SK;
550
551 switch( keysize )
552 {
553 case 128: ctx->nr = 10; break;
554 case 192: ctx->nr = 12; break;
555 case 256: ctx->nr = 14; break;
556 default : return;
557 }
558
559#if defined(PADLOCK_ALIGN16)
560 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
561#else
562 ctx->rk = RK = ctx->buf;
563#endif
564
565 aes_setkey_enc( &cty, key, keysize );
566 SK = cty.rk + cty.nr * 4;
567
568 *RK++ = *SK++;
569 *RK++ = *SK++;
570 *RK++ = *SK++;
571 *RK++ = *SK++;
572
573 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
574 {
575 for( j = 0; j < 4; j++, SK++ )
576 {
577 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
578 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
579 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
580 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
581 }
582 }
583
584 *RK++ = *SK++;
585 *RK++ = *SK++;
586 *RK++ = *SK++;
587 *RK++ = *SK++;
588
589 memset( &cty, 0, sizeof( aes_context ) );
590}
591
592#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
593{ \
594 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
595 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
596 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
597 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
598 \
599 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
600 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
601 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
602 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
603 \
604 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
605 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
606 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
607 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
608 \
609 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
610 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
611 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
612 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
613}
614
615#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
616{ \
617 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
618 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
619 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
620 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
621 \
622 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
623 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
624 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
625 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
626 \
627 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
628 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
629 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
630 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
631 \
632 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
633 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
634 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
635 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
636}
637
638/*
639 * AES-ECB block encryption/decryption
640 */
641void aes_crypt_ecb( aes_context *ctx,
642 int mode,
643 unsigned char input[16],
644 unsigned char output[16] )
645{
646 int i;
647 unsigned long *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
648
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]649#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]650 if( padlock_supports( PADLOCK_ACE ) )
651 {
652 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
653 return;
654 }
655#endif
656
657 RK = ctx->rk;
658
659 GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
660 GET_ULONG_LE( X1, input, 4 ); X1 ^= *RK++;
661 GET_ULONG_LE( X2, input, 8 ); X2 ^= *RK++;
662 GET_ULONG_LE( X3, input, 12 ); X3 ^= *RK++;
663
664 if( mode == AES_DECRYPT )
665 {
666 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
667 {
668 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
669 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
670 }
671
672 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
673
674 X0 = *RK++ ^ \
675 ( (unsigned long) RSb[ ( Y0 ) & 0xFF ] ) ^
676 ( (unsigned long) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
677 ( (unsigned long) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
678 ( (unsigned long) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
679
680 X1 = *RK++ ^ \
681 ( (unsigned long) RSb[ ( Y1 ) & 0xFF ] ) ^
682 ( (unsigned long) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
683 ( (unsigned long) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
684 ( (unsigned long) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
685
686 X2 = *RK++ ^ \
687 ( (unsigned long) RSb[ ( Y2 ) & 0xFF ] ) ^
688 ( (unsigned long) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
689 ( (unsigned long) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
690 ( (unsigned long) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
691
692 X3 = *RK++ ^ \
693 ( (unsigned long) RSb[ ( Y3 ) & 0xFF ] ) ^
694 ( (unsigned long) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
695 ( (unsigned long) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
696 ( (unsigned long) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
697 }
698 else /* AES_ENCRYPT */
699 {
700 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
701 {
702 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
703 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
704 }
705
706 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
707
708 X0 = *RK++ ^ \
709 ( (unsigned long) FSb[ ( Y0 ) & 0xFF ] ) ^
710 ( (unsigned long) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
711 ( (unsigned long) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
712 ( (unsigned long) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
713
714 X1 = *RK++ ^ \
715 ( (unsigned long) FSb[ ( Y1 ) & 0xFF ] ) ^
716 ( (unsigned long) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
717 ( (unsigned long) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
718 ( (unsigned long) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
719
720 X2 = *RK++ ^ \
721 ( (unsigned long) FSb[ ( Y2 ) & 0xFF ] ) ^
722 ( (unsigned long) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
723 ( (unsigned long) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
724 ( (unsigned long) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
725
726 X3 = *RK++ ^ \
727 ( (unsigned long) FSb[ ( Y3 ) & 0xFF ] ) ^
728 ( (unsigned long) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
729 ( (unsigned long) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
730 ( (unsigned long) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
731 }
732
733 PUT_ULONG_LE( X0, output, 0 );
734 PUT_ULONG_LE( X1, output, 4 );
735 PUT_ULONG_LE( X2, output, 8 );
736 PUT_ULONG_LE( X3, output, 12 );
737}
738
739/*
740 * AES-CBC buffer encryption/decryption
741 */
742void aes_crypt_cbc( aes_context *ctx,
743 int mode,
744 int length,
745 unsigned char iv[16],
746 unsigned char *input,
747 unsigned char *output )
748{
749 int i;
750 unsigned char temp[16];
751
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]752#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]753 if( padlock_supports( PADLOCK_ACE ) )
754 {
755 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
756 return;
757 }
758#endif
759
760 if( mode == AES_DECRYPT )
761 {
762 while( length > 0 )
763 {
764 memcpy( temp, input, 16 );
765 aes_crypt_ecb( ctx, mode, input, output );
766
767 for( i = 0; i < 16; i++ )
768 output[i] = (unsigned char)( output[i] ^ iv[i] );
769
770 memcpy( iv, temp, 16 );
771
772 input += 16;
773 output += 16;
774 length -= 16;
775 }
776 }
777 else
778 {
779 while( length > 0 )
780 {
781 for( i = 0; i < 16; i++ )
782 output[i] = (unsigned char)( input[i] ^ iv[i] );
783
784 aes_crypt_ecb( ctx, mode, output, output );
785 memcpy( iv, output, 16 );
786
787 input += 16;
788 output += 16;
789 length -= 16;
790 }
791 }
792}
793
794/*
795 * AES-CFB128 buffer encryption/decryption
796 */
797void aes_crypt_cfb128( aes_context *ctx,
798 int mode,
799 int length,
800 int *iv_off,
801 unsigned char iv[16],
802 unsigned char *input,
803 unsigned char *output )
804{
805 int c, n = *iv_off;
806
807 if( mode == AES_DECRYPT )
808 {
809 while( length-- )
810 {
811 if( n == 0 )
812 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
813
814 c = *input++;
815 *output++ = (unsigned char)( c ^ iv[n] );
816 iv[n] = (unsigned char) c;
817
818 n = (n + 1) & 0x0F;
819 }
820 }
821 else
822 {
823 while( length-- )
824 {
825 if( n == 0 )
826 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
827
828 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
829
830 n = (n + 1) & 0x0F;
831 }
832 }
833
834 *iv_off = n;
835}
836
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]837#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]838
839#include <stdio.h>
840
841/*
842 * AES test vectors from:
843 *
844 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
845 */
846static const unsigned char aes_test_ecb_dec[3][16] =
847{
848 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
849 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
850 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
851 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
852 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
853 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
854};
855
856static const unsigned char aes_test_ecb_enc[3][16] =
857{
858 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
859 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
860 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
861 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
862 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
863 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
864};
865
866static const unsigned char aes_test_cbc_dec[3][16] =
867{
868 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
869 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
870 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
871 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
872 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
873 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
874};
875
876static const unsigned char aes_test_cbc_enc[3][16] =
877{
878 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
879 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
880 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
881 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
882 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
883 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
884};
885
886/*
887 * AES-CFB128 test vectors from:
888 *
889 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
890 */
891static const unsigned char aes_test_cfb128_key[3][32] =
892{
893 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
894 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
895 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
896 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
897 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
898 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
899 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
900 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
901 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
902};
903
904static const unsigned char aes_test_cfb128_iv[16] =
905{
906 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
907 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
908};
909
910static const unsigned char aes_test_cfb128_pt[64] =
911{
912 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
913 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
914 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
915 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
916 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
917 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
918 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
919 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
920};
921
922static const unsigned char aes_test_cfb128_ct[3][64] =
923{
924 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
925 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
926 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
927 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
928 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
929 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
930 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
931 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
932 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
933 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
934 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
935 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
936 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
937 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
938 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
939 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
940 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
941 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
942 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
943 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
944 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
945 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
946 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
947 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
948};
949
950/*
951 * Checkup routine
952 */
953int aes_self_test( int verbose )
954{
955 int i, j, u, v, offset;
956 unsigned char key[32];
957 unsigned char buf[64];
958 unsigned char prv[16];
959 unsigned char iv[16];
960 aes_context ctx;
961
962 memset( key, 0, 32 );
963
964 /*
965 * ECB mode
966 */
967 for( i = 0; i < 6; i++ )
968 {
969 u = i >> 1;
970 v = i & 1;
971
972 if( verbose != 0 )
973 printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
974 ( v == AES_DECRYPT ) ? "dec" : "enc" );
975
976 memset( buf, 0, 16 );
977
978 if( v == AES_DECRYPT )
979 {
980 aes_setkey_dec( &ctx, key, 128 + u * 64 );
981
982 for( j = 0; j < 10000; j++ )
983 aes_crypt_ecb( &ctx, v, buf, buf );
984
985 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
986 {
987 if( verbose != 0 )
988 printf( "failed\n" );
989
990 return( 1 );
991 }
992 }
993 else
994 {
995 aes_setkey_enc( &ctx, key, 128 + u * 64 );
996
997 for( j = 0; j < 10000; j++ )
998 aes_crypt_ecb( &ctx, v, buf, buf );
999
1000 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1001 {
1002 if( verbose != 0 )
1003 printf( "failed\n" );
1004
1005 return( 1 );
1006 }
1007 }
1008
1009 if( verbose != 0 )
1010 printf( "passed\n" );
1011 }
1012
1013 if( verbose != 0 )
1014 printf( "\n" );
1015
1016 /*
1017 * CBC mode
1018 */
1019 for( i = 0; i < 6; i++ )
1020 {
1021 u = i >> 1;
1022 v = i & 1;
1023
1024 if( verbose != 0 )
1025 printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1026 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1027
1028 memset( iv , 0, 16 );
1029 memset( prv, 0, 16 );
1030 memset( buf, 0, 16 );
1031
1032 if( v == AES_DECRYPT )
1033 {
1034 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1035
1036 for( j = 0; j < 10000; j++ )
1037 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1038
1039 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1040 {
1041 if( verbose != 0 )
1042 printf( "failed\n" );
1043
1044 return( 1 );
1045 }
1046 }
1047 else
1048 {
1049 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1050
1051 for( j = 0; j < 10000; j++ )
1052 {
1053 unsigned char tmp[16];
1054
1055 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1056
1057 memcpy( tmp, prv, 16 );
1058 memcpy( prv, buf, 16 );
1059 memcpy( buf, tmp, 16 );
1060 }
1061
1062 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1063 {
1064 if( verbose != 0 )
1065 printf( "failed\n" );
1066
1067 return( 1 );
1068 }
1069 }
1070
1071 if( verbose != 0 )
1072 printf( "passed\n" );
1073 }
1074
1075 if( verbose != 0 )
1076 printf( "\n" );
1077
1078 /*
1079 * CFB128 mode
1080 */
1081 for( i = 0; i < 6; i++ )
1082 {
1083 u = i >> 1;
1084 v = i & 1;
1085
1086 if( verbose != 0 )
1087 printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1088 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1089
1090 memcpy( iv, aes_test_cfb128_iv, 16 );
1091 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1092
1093 offset = 0;
1094 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1095
1096 if( v == AES_DECRYPT )
1097 {
1098 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1099 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1100
1101 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1102 {
1103 if( verbose != 0 )
1104 printf( "failed\n" );
1105
1106 return( 1 );
1107 }
1108 }
1109 else
1110 {
1111 memcpy( buf, aes_test_cfb128_pt, 64 );
1112 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1113
1114 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1115 {
1116 if( verbose != 0 )
1117 printf( "failed\n" );
1118
1119 return( 1 );
1120 }
1121 }
1122
1123 if( verbose != 0 )
1124 printf( "passed\n" );
1125 }
1126
1127
1128 if( verbose != 0 )
1129 printf( "\n" );
1130
1131 return( 0 );
1132}
1133
1134#endif
1135
1136#endif