TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 312da33ef121dcbaad3dee049f7b34243aead792 / . / library / aes.c
blob: 8b67cbb346d51dad63b182345b33214760b597a2 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakker4087c472013-06-12 16:49:10 +0200[diff] [blame]4 * Copyright (C) 2006-2013, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27 *
28 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30 */
31
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]32#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#include "polarssl/aes.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]37#if defined(POLARSSL_PADLOCK_C)
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#include "polarssl/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]39#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]40
Paul Bakker4087c472013-06-12 16:49:10 +0200[diff] [blame]41#if !defined(POLARSSL_AES_ALT)
42
Paul Bakker312da332014-06-13 17:20:13 +0200[diff] [blame^]43/* Implementation that should never be optimized out by the compiler */
44static void polarssl_zeroize( void *v, size_t n ) {
45 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
46}
47
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]48/*
49 * 32-bit integer manipulation macros (little endian)
50 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]51#ifndef GET_UINT32_LE
52#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]53{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]54 (n) = ( (uint32_t) (b)[(i) ] ) \
55 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
56 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
57 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]58}
59#endif
60
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]61#ifndef PUT_UINT32_LE
62#define PUT_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]63{ \
64 (b)[(i) ] = (unsigned char) ( (n) ); \
65 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
66 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
67 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
68}
69#endif
70
Paul Bakker0e19e9f2012-10-01 11:02:48 +0000[diff] [blame]71#if defined(POLARSSL_PADLOCK_C) && \
72 ( defined(POLARSSL_HAVE_X86) || defined(PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]73static int aes_padlock_ace = -1;
74#endif
75
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]76#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]77/*
78 * Forward S-box
79 */
80static const unsigned char FSb[256] =
81{
82 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
83 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
84 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
85 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
86 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
87 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
88 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
89 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
90 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
91 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
92 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
93 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
94 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
95 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
96 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
97 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
98 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
99 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
100 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
101 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
102 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
103 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
104 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
105 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
106 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
107 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
108 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
109 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
110 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
111 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
112 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
113 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
114};
115
116/*
117 * Forward tables
118 */
119#define FT \
120\
121 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
122 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
123 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
124 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
125 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
126 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
127 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
128 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
129 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
130 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
131 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
132 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
133 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
134 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
135 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
136 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
137 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
138 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
139 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
140 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
141 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
142 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
143 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
144 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
145 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
146 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
147 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
148 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
149 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
150 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
151 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
152 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
153 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
154 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
155 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
156 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
157 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
158 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
159 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
160 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
161 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
162 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
163 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
164 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
165 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
166 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
167 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
168 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
169 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
170 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
171 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
172 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
173 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
174 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
175 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
176 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
177 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
178 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
179 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
180 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
181 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
182 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
183 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
184 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
185
186#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]187static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]188#undef V
189
190#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]191static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]192#undef V
193
194#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]195static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]196#undef V
197
198#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]199static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]200#undef V
201
202#undef FT
203
204/*
205 * Reverse S-box
206 */
207static const unsigned char RSb[256] =
208{
209 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
210 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
211 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
212 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
213 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
214 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
215 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
216 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
217 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
218 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
219 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
220 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
221 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
222 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
223 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
224 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
225 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
226 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
227 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
228 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
229 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
230 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
231 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
232 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
233 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
234 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
235 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
236 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
237 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
238 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
239 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
240 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
241};
242
243/*
244 * Reverse tables
245 */
246#define RT \
247\
248 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
249 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
250 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
251 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
252 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
253 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
254 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
255 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
256 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
257 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
258 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
259 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
260 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
261 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
262 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
263 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
264 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
265 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
266 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
267 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
268 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
269 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
270 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
271 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
272 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
273 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
274 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
275 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
276 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
277 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
278 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
279 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
280 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
281 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
282 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
283 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
284 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
285 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
286 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
287 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
288 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
289 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
290 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
291 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
292 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
293 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
294 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
295 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
296 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
297 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
298 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
299 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
300 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
301 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
302 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
303 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
304 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
305 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
306 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
307 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
308 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
309 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
310 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
311 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
312
313#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]314static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]315#undef V
316
317#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]318static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]319#undef V
320
321#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]322static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]323#undef V
324
325#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]326static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]327#undef V
328
329#undef RT
330
331/*
332 * Round constants
333 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]334static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]335{
336 0x00000001, 0x00000002, 0x00000004, 0x00000008,
337 0x00000010, 0x00000020, 0x00000040, 0x00000080,
338 0x0000001B, 0x00000036
339};
340
341#else
342
343/*
344 * Forward S-box & tables
345 */
346static unsigned char FSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]347static uint32_t FT0[256];
348static uint32_t FT1[256];
349static uint32_t FT2[256];
350static uint32_t FT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]351
352/*
353 * Reverse S-box & tables
354 */
355static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]356static uint32_t RT0[256];
357static uint32_t RT1[256];
358static uint32_t RT2[256];
359static uint32_t RT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360
361/*
362 * Round constants
363 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]364static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]365
366/*
367 * Tables generation code
368 */
369#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
370#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
371#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
372
373static int aes_init_done = 0;
374
375static void aes_gen_tables( void )
376{
377 int i, x, y, z;
378 int pow[256];
379 int log[256];
380
381 /*
382 * compute pow and log tables over GF(2^8)
383 */
384 for( i = 0, x = 1; i < 256; i++ )
385 {
386 pow[i] = x;
387 log[x] = i;
388 x = ( x ^ XTIME( x ) ) & 0xFF;
389 }
390
391 /*
392 * calculate the round constants
393 */
394 for( i = 0, x = 1; i < 10; i++ )
395 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]396 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]397 x = XTIME( x ) & 0xFF;
398 }
399
400 /*
401 * generate the forward and reverse S-boxes
402 */
403 FSb[0x00] = 0x63;
404 RSb[0x63] = 0x00;
405
406 for( i = 1; i < 256; i++ )
407 {
408 x = pow[255 - log[i]];
409
410 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
411 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
412 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
413 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
414 x ^= y ^ 0x63;
415
416 FSb[i] = (unsigned char) x;
417 RSb[x] = (unsigned char) i;
418 }
419
420 /*
421 * generate the forward and reverse tables
422 */
423 for( i = 0; i < 256; i++ )
424 {
425 x = FSb[i];
426 y = XTIME( x ) & 0xFF;
427 z = ( y ^ x ) & 0xFF;
428
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]429 FT0[i] = ( (uint32_t) y ) ^
430 ( (uint32_t) x << 8 ) ^
431 ( (uint32_t) x << 16 ) ^
432 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]433
434 FT1[i] = ROTL8( FT0[i] );
435 FT2[i] = ROTL8( FT1[i] );
436 FT3[i] = ROTL8( FT2[i] );
437
438 x = RSb[i];
439
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]440 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
441 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
442 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
443 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]444
445 RT1[i] = ROTL8( RT0[i] );
446 RT2[i] = ROTL8( RT1[i] );
447 RT3[i] = ROTL8( RT2[i] );
448 }
449}
450
451#endif
452
453/*
454 * AES key schedule (encryption)
455 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]456int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]457{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]458 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]459 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]460
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]461#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]462 if( aes_init_done == 0 )
463 {
464 aes_gen_tables();
465 aes_init_done = 1;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]466
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]467 }
468#endif
469
470 switch( keysize )
471 {
472 case 128: ctx->nr = 10; break;
473 case 192: ctx->nr = 12; break;
474 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]475 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]476 }
477
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]478#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
479 if( aes_padlock_ace == -1 )
480 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
481
482 if( aes_padlock_ace )
483 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
484 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]485#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]486 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]487
488 for( i = 0; i < (keysize >> 5); i++ )
489 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]490 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]491 }
492
493 switch( ctx->nr )
494 {
495 case 10:
496
497 for( i = 0; i < 10; i++, RK += 4 )
498 {
499 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]500 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
501 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
502 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
503 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]504
505 RK[5] = RK[1] ^ RK[4];
506 RK[6] = RK[2] ^ RK[5];
507 RK[7] = RK[3] ^ RK[6];
508 }
509 break;
510
511 case 12:
512
513 for( i = 0; i < 8; i++, RK += 6 )
514 {
515 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]516 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
517 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
518 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
519 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]520
521 RK[7] = RK[1] ^ RK[6];
522 RK[8] = RK[2] ^ RK[7];
523 RK[9] = RK[3] ^ RK[8];
524 RK[10] = RK[4] ^ RK[9];
525 RK[11] = RK[5] ^ RK[10];
526 }
527 break;
528
529 case 14:
530
531 for( i = 0; i < 7; i++, RK += 8 )
532 {
533 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]534 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
535 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
536 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
537 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]538
539 RK[9] = RK[1] ^ RK[8];
540 RK[10] = RK[2] ^ RK[9];
541 RK[11] = RK[3] ^ RK[10];
542
543 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]544 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
545 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
546 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
547 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]548
549 RK[13] = RK[5] ^ RK[12];
550 RK[14] = RK[6] ^ RK[13];
551 RK[15] = RK[7] ^ RK[14];
552 }
553 break;
554
555 default:
556
557 break;
558 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]559
560 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]561}
562
563/*
564 * AES key schedule (decryption)
565 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]566int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]567{
568 int i, j;
569 aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]570 uint32_t *RK;
571 uint32_t *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]572 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]573
574 switch( keysize )
575 {
576 case 128: ctx->nr = 10; break;
577 case 192: ctx->nr = 12; break;
578 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]579 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]580 }
581
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]582#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
583 if( aes_padlock_ace == -1 )
584 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
585
586 if( aes_padlock_ace )
587 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
588 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]589#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]590 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]591
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]592 ret = aes_setkey_enc( &cty, key, keysize );
593 if( ret != 0 )
594 return( ret );
595
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]596 SK = cty.rk + cty.nr * 4;
597
598 *RK++ = *SK++;
599 *RK++ = *SK++;
600 *RK++ = *SK++;
601 *RK++ = *SK++;
602
603 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
604 {
605 for( j = 0; j < 4; j++, SK++ )
606 {
607 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
608 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
609 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
610 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
611 }
612 }
613
614 *RK++ = *SK++;
615 *RK++ = *SK++;
616 *RK++ = *SK++;
617 *RK++ = *SK++;
618
Paul Bakker312da332014-06-13 17:20:13 +0200[diff] [blame^]619 polarssl_zeroize( &cty, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]620
621 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]622}
623
624#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
625{ \
626 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
627 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
628 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
629 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
630 \
631 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
632 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
633 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
634 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
635 \
636 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
637 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
638 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
639 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
640 \
641 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
642 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
643 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
644 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
645}
646
647#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
648{ \
649 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
650 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
651 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
652 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
653 \
654 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
655 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
656 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
657 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
658 \
659 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
660 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
661 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
662 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
663 \
664 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
665 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
666 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
667 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
668}
669
670/*
671 * AES-ECB block encryption/decryption
672 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]673int aes_crypt_ecb( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]674 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]675 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]676 unsigned char output[16] )
677{
678 int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]679 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]680
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]681#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]682 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]683 {
684 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]685 return( 0 );
686
687 // If padlock data misaligned, we just fall back to
688 // unaccelerated mode
689 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]690 }
691#endif
692
693 RK = ctx->rk;
694
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]695 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
696 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
697 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
698 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]699
700 if( mode == AES_DECRYPT )
701 {
702 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
703 {
704 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
705 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
706 }
707
708 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
709
710 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]711 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
712 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
713 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
714 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]715
716 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]717 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
718 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
719 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
720 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]721
722 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]723 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
724 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
725 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
726 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]727
728 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]729 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
730 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
731 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
732 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]733 }
734 else /* AES_ENCRYPT */
735 {
736 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
737 {
738 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
739 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
740 }
741
742 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
743
744 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]745 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
746 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
747 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
748 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]749
750 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]751 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
752 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
753 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
754 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]755
756 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]757 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
758 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
759 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
760 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]761
762 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]763 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
764 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
765 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
766 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]767 }
768
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]769 PUT_UINT32_LE( X0, output, 0 );
770 PUT_UINT32_LE( X1, output, 4 );
771 PUT_UINT32_LE( X2, output, 8 );
772 PUT_UINT32_LE( X3, output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]773
774 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]775}
776
777/*
778 * AES-CBC buffer encryption/decryption
779 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]780int aes_crypt_cbc( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]781 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]782 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]783 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]784 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]785 unsigned char *output )
786{
787 int i;
788 unsigned char temp[16];
789
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]790 if( length % 16 )
791 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
792
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]793#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]794 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]795 {
796 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]797 return( 0 );
798
799 // If padlock data misaligned, we just fall back to
800 // unaccelerated mode
801 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]802 }
803#endif
804
805 if( mode == AES_DECRYPT )
806 {
807 while( length > 0 )
808 {
809 memcpy( temp, input, 16 );
810 aes_crypt_ecb( ctx, mode, input, output );
811
812 for( i = 0; i < 16; i++ )
813 output[i] = (unsigned char)( output[i] ^ iv[i] );
814
815 memcpy( iv, temp, 16 );
816
817 input += 16;
818 output += 16;
819 length -= 16;
820 }
821 }
822 else
823 {
824 while( length > 0 )
825 {
826 for( i = 0; i < 16; i++ )
827 output[i] = (unsigned char)( input[i] ^ iv[i] );
828
829 aes_crypt_ecb( ctx, mode, output, output );
830 memcpy( iv, output, 16 );
831
832 input += 16;
833 output += 16;
834 length -= 16;
835 }
836 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]837
838 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]839}
840
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]841#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]842/*
843 * AES-CFB128 buffer encryption/decryption
844 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]845int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]846 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]847 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]848 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]849 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]850 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]851 unsigned char *output )
852{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]853 int c;
854 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]855
856 if( mode == AES_DECRYPT )
857 {
858 while( length-- )
859 {
860 if( n == 0 )
861 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
862
863 c = *input++;
864 *output++ = (unsigned char)( c ^ iv[n] );
865 iv[n] = (unsigned char) c;
866
867 n = (n + 1) & 0x0F;
868 }
869 }
870 else
871 {
872 while( length-- )
873 {
874 if( n == 0 )
875 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
876
877 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
878
879 n = (n + 1) & 0x0F;
880 }
881 }
882
883 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]884
885 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]886}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]887#endif /*POLARSSL_CIPHER_MODE_CFB */
888
889#if defined(POLARSSL_CIPHER_MODE_CTR)
890/*
891 * AES-CTR buffer encryption/decryption
892 */
893int aes_crypt_ctr( aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]894 size_t length,
895 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]896 unsigned char nonce_counter[16],
897 unsigned char stream_block[16],
898 const unsigned char *input,
899 unsigned char *output )
900{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]901 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]902 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]903
904 while( length-- )
905 {
906 if( n == 0 ) {
907 aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
908
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]909 for( i = 16; i > 0; i-- )
910 if( ++nonce_counter[i - 1] != 0 )
911 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]912 }
913 c = *input++;
914 *output++ = (unsigned char)( c ^ stream_block[n] );
915
916 n = (n + 1) & 0x0F;
917 }
918
919 *nc_off = n;
920
921 return( 0 );
922}
923#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker4087c472013-06-12 16:49:10 +0200[diff] [blame]924#endif /* !POLARSSL_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]925
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]926#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]927
928#include <stdio.h>
929
930/*
931 * AES test vectors from:
932 *
933 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
934 */
935static const unsigned char aes_test_ecb_dec[3][16] =
936{
937 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
938 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
939 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
940 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
941 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
942 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
943};
944
945static const unsigned char aes_test_ecb_enc[3][16] =
946{
947 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
948 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
949 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
950 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
951 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
952 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
953};
954
955static const unsigned char aes_test_cbc_dec[3][16] =
956{
957 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
958 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
959 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
960 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
961 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
962 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
963};
964
965static const unsigned char aes_test_cbc_enc[3][16] =
966{
967 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
968 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
969 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
970 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
971 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
972 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
973};
974
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]975#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]976/*
977 * AES-CFB128 test vectors from:
978 *
979 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
980 */
981static const unsigned char aes_test_cfb128_key[3][32] =
982{
983 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
984 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
985 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
986 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
987 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
988 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
989 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
990 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
991 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
992};
993
994static const unsigned char aes_test_cfb128_iv[16] =
995{
996 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
997 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
998};
999
1000static const unsigned char aes_test_cfb128_pt[64] =
1001{
1002 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1003 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1004 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1005 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1006 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1007 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1008 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1009 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1010};
1011
1012static const unsigned char aes_test_cfb128_ct[3][64] =
1013{
1014 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1015 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1016 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1017 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1018 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1019 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1020 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1021 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1022 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1023 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1024 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1025 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1026 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1027 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1028 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1029 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1030 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1031 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1032 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1033 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1034 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1035 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1036 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1037 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1038};
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1039#endif /* POLARSSL_CIPHER_MODE_CFB */
1040
1041#if defined(POLARSSL_CIPHER_MODE_CTR)
1042/*
1043 * AES-CTR test vectors from:
1044 *
1045 * http://www.faqs.org/rfcs/rfc3686.html
1046 */
1047
1048static const unsigned char aes_test_ctr_key[3][16] =
1049{
1050 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1051 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1052 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1053 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1054 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1055 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1056};
1057
1058static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1059{
1060 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1061 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1062 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1063 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1064 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1065 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1066};
1067
1068static const unsigned char aes_test_ctr_pt[3][48] =
1069{
1070 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1071 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1072
1073 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1074 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1075 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1076 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1077
1078 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1079 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1080 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1081 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1082 0x20, 0x21, 0x22, 0x23 }
1083};
1084
1085static const unsigned char aes_test_ctr_ct[3][48] =
1086{
1087 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1088 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1089 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1090 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1091 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1092 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1093 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1094 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1095 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1096 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1097 0x25, 0xB2, 0x07, 0x2F }
1098};
1099
1100static const int aes_test_ctr_len[3] =
1101 { 16, 32, 36 };
1102#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1103
1104/*
1105 * Checkup routine
1106 */
1107int aes_self_test( int verbose )
1108{
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1109 int i, j, u, v;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1110 unsigned char key[32];
1111 unsigned char buf[64];
1112 unsigned char prv[16];
1113 unsigned char iv[16];
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1114#if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1115 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1116#endif
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1117#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1118 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1119 unsigned char nonce_counter[16];
1120 unsigned char stream_block[16];
1121#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1122 aes_context ctx;
1123
1124 memset( key, 0, 32 );
1125
1126 /*
1127 * ECB mode
1128 */
1129 for( i = 0; i < 6; i++ )
1130 {
1131 u = i >> 1;
1132 v = i & 1;
1133
1134 if( verbose != 0 )
1135 printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1136 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1137
1138 memset( buf, 0, 16 );
1139
1140 if( v == AES_DECRYPT )
1141 {
1142 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1143
1144 for( j = 0; j < 10000; j++ )
1145 aes_crypt_ecb( &ctx, v, buf, buf );
1146
1147 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1148 {
1149 if( verbose != 0 )
1150 printf( "failed\n" );
1151
1152 return( 1 );
1153 }
1154 }
1155 else
1156 {
1157 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1158
1159 for( j = 0; j < 10000; j++ )
1160 aes_crypt_ecb( &ctx, v, buf, buf );
1161
1162 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1163 {
1164 if( verbose != 0 )
1165 printf( "failed\n" );
1166
1167 return( 1 );
1168 }
1169 }
1170
1171 if( verbose != 0 )
1172 printf( "passed\n" );
1173 }
1174
1175 if( verbose != 0 )
1176 printf( "\n" );
1177
1178 /*
1179 * CBC mode
1180 */
1181 for( i = 0; i < 6; i++ )
1182 {
1183 u = i >> 1;
1184 v = i & 1;
1185
1186 if( verbose != 0 )
1187 printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1188 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1189
1190 memset( iv , 0, 16 );
1191 memset( prv, 0, 16 );
1192 memset( buf, 0, 16 );
1193
1194 if( v == AES_DECRYPT )
1195 {
1196 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1197
1198 for( j = 0; j < 10000; j++ )
1199 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1200
1201 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1202 {
1203 if( verbose != 0 )
1204 printf( "failed\n" );
1205
1206 return( 1 );
1207 }
1208 }
1209 else
1210 {
1211 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1212
1213 for( j = 0; j < 10000; j++ )
1214 {
1215 unsigned char tmp[16];
1216
1217 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1218
1219 memcpy( tmp, prv, 16 );
1220 memcpy( prv, buf, 16 );
1221 memcpy( buf, tmp, 16 );
1222 }
1223
1224 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1225 {
1226 if( verbose != 0 )
1227 printf( "failed\n" );
1228
1229 return( 1 );
1230 }
1231 }
1232
1233 if( verbose != 0 )
1234 printf( "passed\n" );
1235 }
1236
1237 if( verbose != 0 )
1238 printf( "\n" );
1239
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1240#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1241 /*
1242 * CFB128 mode
1243 */
1244 for( i = 0; i < 6; i++ )
1245 {
1246 u = i >> 1;
1247 v = i & 1;
1248
1249 if( verbose != 0 )
1250 printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1251 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1252
1253 memcpy( iv, aes_test_cfb128_iv, 16 );
1254 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1255
1256 offset = 0;
1257 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1258
1259 if( v == AES_DECRYPT )
1260 {
1261 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1262 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1263
1264 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1265 {
1266 if( verbose != 0 )
1267 printf( "failed\n" );
1268
1269 return( 1 );
1270 }
1271 }
1272 else
1273 {
1274 memcpy( buf, aes_test_cfb128_pt, 64 );
1275 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1276
1277 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1278 {
1279 if( verbose != 0 )
1280 printf( "failed\n" );
1281
1282 return( 1 );
1283 }
1284 }
1285
1286 if( verbose != 0 )
1287 printf( "passed\n" );
1288 }
1289
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1290 if( verbose != 0 )
1291 printf( "\n" );
1292#endif /* POLARSSL_CIPHER_MODE_CFB */
1293
1294#if defined(POLARSSL_CIPHER_MODE_CTR)
1295 /*
1296 * CTR mode
1297 */
1298 for( i = 0; i < 6; i++ )
1299 {
1300 u = i >> 1;
1301 v = i & 1;
1302
1303 if( verbose != 0 )
1304 printf( " AES-CTR-128 (%s): ",
1305 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1306
1307 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1308 memcpy( key, aes_test_ctr_key[u], 16 );
1309
1310 offset = 0;
1311 aes_setkey_enc( &ctx, key, 128 );
1312
1313 if( v == AES_DECRYPT )
1314 {
1315 len = aes_test_ctr_len[u];
1316 memcpy( buf, aes_test_ctr_ct[u], len );
1317
1318 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1319
1320 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1321 {
1322 if( verbose != 0 )
1323 printf( "failed\n" );
1324
1325 return( 1 );
1326 }
1327 }
1328 else
1329 {
1330 len = aes_test_ctr_len[u];
1331 memcpy( buf, aes_test_ctr_pt[u], len );
1332
1333 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1334
1335 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1336 {
1337 if( verbose != 0 )
1338 printf( "failed\n" );
1339
1340 return( 1 );
1341 }
1342 }
1343
1344 if( verbose != 0 )
1345 printf( "passed\n" );
1346 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1347
1348 if( verbose != 0 )
1349 printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1350#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1351
1352 return( 0 );
1353}
1354
1355#endif
1356
1357#endif