TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 7890405856d350d5f8f1a5180a0103ffb5f25eb6 / . / library / aes.c
blob: c355bfcbb0c0d4abfc405321cd895f0b2481abc3 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]4 * Copyright (C) 2006-2010, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27 *
28 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30 */
31
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]32#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#include "polarssl/aes.h"
37#include "polarssl/padlock.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]38
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]39/*
40 * 32-bit integer manipulation macros (little endian)
41 */
42#ifndef GET_ULONG_LE
43#define GET_ULONG_LE(n,b,i) \
44{ \
45 (n) = ( (unsigned long) (b)[(i) ] ) \
46 | ( (unsigned long) (b)[(i) + 1] << 8 ) \
47 | ( (unsigned long) (b)[(i) + 2] << 16 ) \
48 | ( (unsigned long) (b)[(i) + 3] << 24 ); \
49}
50#endif
51
52#ifndef PUT_ULONG_LE
53#define PUT_ULONG_LE(n,b,i) \
54{ \
55 (b)[(i) ] = (unsigned char) ( (n) ); \
56 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
57 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
58 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
59}
60#endif
61
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]62#if defined(POLARSSL_PADLOCK_C)
63static int aes_padlock_ace = -1;
64#endif
65
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]66#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]67/*
68 * Forward S-box
69 */
70static const unsigned char FSb[256] =
71{
72 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
73 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
74 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
75 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
76 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
77 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
78 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
79 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
80 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
81 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
82 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
83 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
84 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
85 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
86 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
87 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
88 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
89 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
90 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
91 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
92 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
93 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
94 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
95 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
96 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
97 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
98 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
99 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
100 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
101 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
102 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
103 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
104};
105
106/*
107 * Forward tables
108 */
109#define FT \
110\
111 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
112 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
113 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
114 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
115 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
116 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
117 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
118 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
119 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
120 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
121 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
122 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
123 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
124 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
125 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
126 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
127 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
128 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
129 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
130 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
131 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
132 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
133 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
134 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
135 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
136 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
137 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
138 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
139 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
140 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
141 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
142 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
143 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
144 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
145 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
146 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
147 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
148 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
149 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
150 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
151 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
152 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
153 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
154 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
155 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
156 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
157 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
158 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
159 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
160 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
161 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
162 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
163 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
164 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
165 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
166 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
167 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
168 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
169 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
170 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
171 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
172 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
173 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
174 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
175
176#define V(a,b,c,d) 0x##a##b##c##d
177static const unsigned long FT0[256] = { FT };
178#undef V
179
180#define V(a,b,c,d) 0x##b##c##d##a
181static const unsigned long FT1[256] = { FT };
182#undef V
183
184#define V(a,b,c,d) 0x##c##d##a##b
185static const unsigned long FT2[256] = { FT };
186#undef V
187
188#define V(a,b,c,d) 0x##d##a##b##c
189static const unsigned long FT3[256] = { FT };
190#undef V
191
192#undef FT
193
194/*
195 * Reverse S-box
196 */
197static const unsigned char RSb[256] =
198{
199 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
200 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
201 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
202 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
203 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
204 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
205 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
206 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
207 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
208 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
209 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
210 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
211 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
212 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
213 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
214 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
215 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
216 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
217 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
218 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
219 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
220 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
221 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
222 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
223 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
224 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
225 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
226 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
227 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
228 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
229 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
230 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
231};
232
233/*
234 * Reverse tables
235 */
236#define RT \
237\
238 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
239 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
240 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
241 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
242 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
243 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
244 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
245 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
246 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
247 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
248 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
249 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
250 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
251 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
252 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
253 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
254 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
255 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
256 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
257 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
258 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
259 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
260 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
261 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
262 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
263 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
264 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
265 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
266 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
267 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
268 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
269 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
270 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
271 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
272 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
273 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
274 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
275 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
276 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
277 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
278 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
279 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
280 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
281 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
282 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
283 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
284 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
285 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
286 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
287 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
288 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
289 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
290 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
291 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
292 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
293 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
294 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
295 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
296 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
297 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
298 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
299 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
300 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
301 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
302
303#define V(a,b,c,d) 0x##a##b##c##d
304static const unsigned long RT0[256] = { RT };
305#undef V
306
307#define V(a,b,c,d) 0x##b##c##d##a
308static const unsigned long RT1[256] = { RT };
309#undef V
310
311#define V(a,b,c,d) 0x##c##d##a##b
312static const unsigned long RT2[256] = { RT };
313#undef V
314
315#define V(a,b,c,d) 0x##d##a##b##c
316static const unsigned long RT3[256] = { RT };
317#undef V
318
319#undef RT
320
321/*
322 * Round constants
323 */
324static const unsigned long RCON[10] =
325{
326 0x00000001, 0x00000002, 0x00000004, 0x00000008,
327 0x00000010, 0x00000020, 0x00000040, 0x00000080,
328 0x0000001B, 0x00000036
329};
330
331#else
332
333/*
334 * Forward S-box & tables
335 */
336static unsigned char FSb[256];
337static unsigned long FT0[256];
338static unsigned long FT1[256];
339static unsigned long FT2[256];
340static unsigned long FT3[256];
341
342/*
343 * Reverse S-box & tables
344 */
345static unsigned char RSb[256];
346static unsigned long RT0[256];
347static unsigned long RT1[256];
348static unsigned long RT2[256];
349static unsigned long RT3[256];
350
351/*
352 * Round constants
353 */
354static unsigned long RCON[10];
355
356/*
357 * Tables generation code
358 */
359#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
360#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
361#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
362
363static int aes_init_done = 0;
364
365static void aes_gen_tables( void )
366{
367 int i, x, y, z;
368 int pow[256];
369 int log[256];
370
371 /*
372 * compute pow and log tables over GF(2^8)
373 */
374 for( i = 0, x = 1; i < 256; i++ )
375 {
376 pow[i] = x;
377 log[x] = i;
378 x = ( x ^ XTIME( x ) ) & 0xFF;
379 }
380
381 /*
382 * calculate the round constants
383 */
384 for( i = 0, x = 1; i < 10; i++ )
385 {
386 RCON[i] = (unsigned long) x;
387 x = XTIME( x ) & 0xFF;
388 }
389
390 /*
391 * generate the forward and reverse S-boxes
392 */
393 FSb[0x00] = 0x63;
394 RSb[0x63] = 0x00;
395
396 for( i = 1; i < 256; i++ )
397 {
398 x = pow[255 - log[i]];
399
400 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
401 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
402 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
403 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
404 x ^= y ^ 0x63;
405
406 FSb[i] = (unsigned char) x;
407 RSb[x] = (unsigned char) i;
408 }
409
410 /*
411 * generate the forward and reverse tables
412 */
413 for( i = 0; i < 256; i++ )
414 {
415 x = FSb[i];
416 y = XTIME( x ) & 0xFF;
417 z = ( y ^ x ) & 0xFF;
418
419 FT0[i] = ( (unsigned long) y ) ^
420 ( (unsigned long) x << 8 ) ^
421 ( (unsigned long) x << 16 ) ^
422 ( (unsigned long) z << 24 );
423
424 FT1[i] = ROTL8( FT0[i] );
425 FT2[i] = ROTL8( FT1[i] );
426 FT3[i] = ROTL8( FT2[i] );
427
428 x = RSb[i];
429
430 RT0[i] = ( (unsigned long) MUL( 0x0E, x ) ) ^
431 ( (unsigned long) MUL( 0x09, x ) << 8 ) ^
432 ( (unsigned long) MUL( 0x0D, x ) << 16 ) ^
433 ( (unsigned long) MUL( 0x0B, x ) << 24 );
434
435 RT1[i] = ROTL8( RT0[i] );
436 RT2[i] = ROTL8( RT1[i] );
437 RT3[i] = ROTL8( RT2[i] );
438 }
439}
440
441#endif
442
443/*
444 * AES key schedule (encryption)
445 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]446int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]447{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]448 unsigned int i;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]449 unsigned long *RK;
450
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]451#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]452 if( aes_init_done == 0 )
453 {
454 aes_gen_tables();
455 aes_init_done = 1;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]456
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]457 }
458#endif
459
460 switch( keysize )
461 {
462 case 128: ctx->nr = 10; break;
463 case 192: ctx->nr = 12; break;
464 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]465 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]466 }
467
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]468#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
469 if( aes_padlock_ace == -1 )
470 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
471
472 if( aes_padlock_ace )
473 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
474 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]475#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]476 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]477
478 for( i = 0; i < (keysize >> 5); i++ )
479 {
480 GET_ULONG_LE( RK[i], key, i << 2 );
481 }
482
483 switch( ctx->nr )
484 {
485 case 10:
486
487 for( i = 0; i < 10; i++, RK += 4 )
488 {
489 RK[4] = RK[0] ^ RCON[i] ^
490 ( (unsigned long) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
491 ( (unsigned long) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
492 ( (unsigned long) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
493 ( (unsigned long) FSb[ ( RK[3] ) & 0xFF ] << 24 );
494
495 RK[5] = RK[1] ^ RK[4];
496 RK[6] = RK[2] ^ RK[5];
497 RK[7] = RK[3] ^ RK[6];
498 }
499 break;
500
501 case 12:
502
503 for( i = 0; i < 8; i++, RK += 6 )
504 {
505 RK[6] = RK[0] ^ RCON[i] ^
506 ( (unsigned long) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
507 ( (unsigned long) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
508 ( (unsigned long) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
509 ( (unsigned long) FSb[ ( RK[5] ) & 0xFF ] << 24 );
510
511 RK[7] = RK[1] ^ RK[6];
512 RK[8] = RK[2] ^ RK[7];
513 RK[9] = RK[3] ^ RK[8];
514 RK[10] = RK[4] ^ RK[9];
515 RK[11] = RK[5] ^ RK[10];
516 }
517 break;
518
519 case 14:
520
521 for( i = 0; i < 7; i++, RK += 8 )
522 {
523 RK[8] = RK[0] ^ RCON[i] ^
524 ( (unsigned long) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
525 ( (unsigned long) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
526 ( (unsigned long) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
527 ( (unsigned long) FSb[ ( RK[7] ) & 0xFF ] << 24 );
528
529 RK[9] = RK[1] ^ RK[8];
530 RK[10] = RK[2] ^ RK[9];
531 RK[11] = RK[3] ^ RK[10];
532
533 RK[12] = RK[4] ^
534 ( (unsigned long) FSb[ ( RK[11] ) & 0xFF ] ) ^
535 ( (unsigned long) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
536 ( (unsigned long) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
537 ( (unsigned long) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
538
539 RK[13] = RK[5] ^ RK[12];
540 RK[14] = RK[6] ^ RK[13];
541 RK[15] = RK[7] ^ RK[14];
542 }
543 break;
544
545 default:
546
547 break;
548 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]549
550 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]551}
552
553/*
554 * AES key schedule (decryption)
555 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]556int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]557{
558 int i, j;
559 aes_context cty;
560 unsigned long *RK;
561 unsigned long *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]562 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]563
564 switch( keysize )
565 {
566 case 128: ctx->nr = 10; break;
567 case 192: ctx->nr = 12; break;
568 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]569 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]570 }
571
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]572#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
573 if( aes_padlock_ace == -1 )
574 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
575
576 if( aes_padlock_ace )
577 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
578 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]579#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]580 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]581
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]582 ret = aes_setkey_enc( &cty, key, keysize );
583 if( ret != 0 )
584 return( ret );
585
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]586 SK = cty.rk + cty.nr * 4;
587
588 *RK++ = *SK++;
589 *RK++ = *SK++;
590 *RK++ = *SK++;
591 *RK++ = *SK++;
592
593 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
594 {
595 for( j = 0; j < 4; j++, SK++ )
596 {
597 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
598 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
599 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
600 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
601 }
602 }
603
604 *RK++ = *SK++;
605 *RK++ = *SK++;
606 *RK++ = *SK++;
607 *RK++ = *SK++;
608
609 memset( &cty, 0, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]610
611 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]612}
613
614#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
615{ \
616 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
617 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
618 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
619 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
620 \
621 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
622 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
623 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
624 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
625 \
626 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
627 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
628 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
629 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
630 \
631 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
632 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
633 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
634 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
635}
636
637#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
638{ \
639 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
640 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
641 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
642 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
643 \
644 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
645 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
646 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
647 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
648 \
649 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
650 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
651 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
652 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
653 \
654 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
655 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
656 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
657 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
658}
659
660/*
661 * AES-ECB block encryption/decryption
662 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]663int aes_crypt_ecb( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]664 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]665 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]666 unsigned char output[16] )
667{
668 int i;
669 unsigned long *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
670
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]671#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]672 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]673 {
674 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]675 return( 0 );
676
677 // If padlock data misaligned, we just fall back to
678 // unaccelerated mode
679 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]680 }
681#endif
682
683 RK = ctx->rk;
684
685 GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
686 GET_ULONG_LE( X1, input, 4 ); X1 ^= *RK++;
687 GET_ULONG_LE( X2, input, 8 ); X2 ^= *RK++;
688 GET_ULONG_LE( X3, input, 12 ); X3 ^= *RK++;
689
690 if( mode == AES_DECRYPT )
691 {
692 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
693 {
694 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
695 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
696 }
697
698 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
699
700 X0 = *RK++ ^ \
701 ( (unsigned long) RSb[ ( Y0 ) & 0xFF ] ) ^
702 ( (unsigned long) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
703 ( (unsigned long) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
704 ( (unsigned long) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
705
706 X1 = *RK++ ^ \
707 ( (unsigned long) RSb[ ( Y1 ) & 0xFF ] ) ^
708 ( (unsigned long) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
709 ( (unsigned long) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
710 ( (unsigned long) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
711
712 X2 = *RK++ ^ \
713 ( (unsigned long) RSb[ ( Y2 ) & 0xFF ] ) ^
714 ( (unsigned long) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
715 ( (unsigned long) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
716 ( (unsigned long) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
717
718 X3 = *RK++ ^ \
719 ( (unsigned long) RSb[ ( Y3 ) & 0xFF ] ) ^
720 ( (unsigned long) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
721 ( (unsigned long) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
722 ( (unsigned long) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
723 }
724 else /* AES_ENCRYPT */
725 {
726 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
727 {
728 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
729 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
730 }
731
732 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
733
734 X0 = *RK++ ^ \
735 ( (unsigned long) FSb[ ( Y0 ) & 0xFF ] ) ^
736 ( (unsigned long) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
737 ( (unsigned long) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
738 ( (unsigned long) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
739
740 X1 = *RK++ ^ \
741 ( (unsigned long) FSb[ ( Y1 ) & 0xFF ] ) ^
742 ( (unsigned long) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
743 ( (unsigned long) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
744 ( (unsigned long) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
745
746 X2 = *RK++ ^ \
747 ( (unsigned long) FSb[ ( Y2 ) & 0xFF ] ) ^
748 ( (unsigned long) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
749 ( (unsigned long) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
750 ( (unsigned long) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
751
752 X3 = *RK++ ^ \
753 ( (unsigned long) FSb[ ( Y3 ) & 0xFF ] ) ^
754 ( (unsigned long) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
755 ( (unsigned long) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
756 ( (unsigned long) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
757 }
758
759 PUT_ULONG_LE( X0, output, 0 );
760 PUT_ULONG_LE( X1, output, 4 );
761 PUT_ULONG_LE( X2, output, 8 );
762 PUT_ULONG_LE( X3, output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]763
764 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]765}
766
767/*
768 * AES-CBC buffer encryption/decryption
769 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]770int aes_crypt_cbc( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]771 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]772 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]773 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]774 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]775 unsigned char *output )
776{
777 int i;
778 unsigned char temp[16];
779
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]780 if( length % 16 )
781 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
782
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]783#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]784 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]785 {
786 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]787 return( 0 );
788
789 // If padlock data misaligned, we just fall back to
790 // unaccelerated mode
791 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]792 }
793#endif
794
795 if( mode == AES_DECRYPT )
796 {
797 while( length > 0 )
798 {
799 memcpy( temp, input, 16 );
800 aes_crypt_ecb( ctx, mode, input, output );
801
802 for( i = 0; i < 16; i++ )
803 output[i] = (unsigned char)( output[i] ^ iv[i] );
804
805 memcpy( iv, temp, 16 );
806
807 input += 16;
808 output += 16;
809 length -= 16;
810 }
811 }
812 else
813 {
814 while( length > 0 )
815 {
816 for( i = 0; i < 16; i++ )
817 output[i] = (unsigned char)( input[i] ^ iv[i] );
818
819 aes_crypt_ecb( ctx, mode, output, output );
820 memcpy( iv, output, 16 );
821
822 input += 16;
823 output += 16;
824 length -= 16;
825 }
826 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]827
828 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]829}
830
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]831#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]832/*
833 * AES-CFB128 buffer encryption/decryption
834 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]835int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]836 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]837 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]838 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]839 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]840 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]841 unsigned char *output )
842{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]843 int c;
844 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]845
846 if( mode == AES_DECRYPT )
847 {
848 while( length-- )
849 {
850 if( n == 0 )
851 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
852
853 c = *input++;
854 *output++ = (unsigned char)( c ^ iv[n] );
855 iv[n] = (unsigned char) c;
856
857 n = (n + 1) & 0x0F;
858 }
859 }
860 else
861 {
862 while( length-- )
863 {
864 if( n == 0 )
865 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
866
867 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
868
869 n = (n + 1) & 0x0F;
870 }
871 }
872
873 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]874
875 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]876}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]877#endif /*POLARSSL_CIPHER_MODE_CFB */
878
879#if defined(POLARSSL_CIPHER_MODE_CTR)
880/*
881 * AES-CTR buffer encryption/decryption
882 */
883int aes_crypt_ctr( aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]884 size_t length,
885 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]886 unsigned char nonce_counter[16],
887 unsigned char stream_block[16],
888 const unsigned char *input,
889 unsigned char *output )
890{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]891 int c, i, cb;
892 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]893
894 while( length-- )
895 {
896 if( n == 0 ) {
897 aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
898
899 i = 15;
900 do {
901 nonce_counter[i]++;
902 cb = nonce_counter[i] == 0;
903 } while( i-- && cb );
904
905 }
906 c = *input++;
907 *output++ = (unsigned char)( c ^ stream_block[n] );
908
909 n = (n + 1) & 0x0F;
910 }
911
912 *nc_off = n;
913
914 return( 0 );
915}
916#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]917
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]918#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]919
920#include <stdio.h>
921
922/*
923 * AES test vectors from:
924 *
925 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
926 */
927static const unsigned char aes_test_ecb_dec[3][16] =
928{
929 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
930 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
931 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
932 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
933 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
934 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
935};
936
937static const unsigned char aes_test_ecb_enc[3][16] =
938{
939 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
940 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
941 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
942 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
943 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
944 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
945};
946
947static const unsigned char aes_test_cbc_dec[3][16] =
948{
949 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
950 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
951 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
952 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
953 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
954 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
955};
956
957static const unsigned char aes_test_cbc_enc[3][16] =
958{
959 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
960 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
961 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
962 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
963 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
964 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
965};
966
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]967#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]968/*
969 * AES-CFB128 test vectors from:
970 *
971 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
972 */
973static const unsigned char aes_test_cfb128_key[3][32] =
974{
975 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
976 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
977 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
978 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
979 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
980 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
981 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
982 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
983 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
984};
985
986static const unsigned char aes_test_cfb128_iv[16] =
987{
988 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
989 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
990};
991
992static const unsigned char aes_test_cfb128_pt[64] =
993{
994 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
995 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
996 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
997 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
998 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
999 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1000 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1001 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1002};
1003
1004static const unsigned char aes_test_cfb128_ct[3][64] =
1005{
1006 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1007 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1008 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1009 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1010 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1011 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1012 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1013 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1014 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1015 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1016 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1017 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1018 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1019 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1020 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1021 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1022 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1023 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1024 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1025 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1026 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1027 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1028 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1029 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1030};
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1031#endif /* POLARSSL_CIPHER_MODE_CFB */
1032
1033#if defined(POLARSSL_CIPHER_MODE_CTR)
1034/*
1035 * AES-CTR test vectors from:
1036 *
1037 * http://www.faqs.org/rfcs/rfc3686.html
1038 */
1039
1040static const unsigned char aes_test_ctr_key[3][16] =
1041{
1042 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1043 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1044 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1045 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1046 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1047 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1048};
1049
1050static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1051{
1052 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1053 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1054 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1055 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1056 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1057 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1058};
1059
1060static const unsigned char aes_test_ctr_pt[3][48] =
1061{
1062 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1063 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1064
1065 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1066 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1067 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1068 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1069
1070 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1071 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1072 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1073 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1074 0x20, 0x21, 0x22, 0x23 }
1075};
1076
1077static const unsigned char aes_test_ctr_ct[3][48] =
1078{
1079 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1080 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1081 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1082 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1083 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1084 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1085 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1086 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1087 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1088 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1089 0x25, 0xB2, 0x07, 0x2F }
1090};
1091
1092static const int aes_test_ctr_len[3] =
1093 { 16, 32, 36 };
1094#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1095
1096/*
1097 * Checkup routine
1098 */
1099int aes_self_test( int verbose )
1100{
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1101 int i, j, u, v;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1102 unsigned char key[32];
1103 unsigned char buf[64];
1104 unsigned char prv[16];
1105 unsigned char iv[16];
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1106#if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1107 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1108#endif
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1109#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1110 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1111 unsigned char nonce_counter[16];
1112 unsigned char stream_block[16];
1113#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1114 aes_context ctx;
1115
1116 memset( key, 0, 32 );
1117
1118 /*
1119 * ECB mode
1120 */
1121 for( i = 0; i < 6; i++ )
1122 {
1123 u = i >> 1;
1124 v = i & 1;
1125
1126 if( verbose != 0 )
1127 printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1128 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1129
1130 memset( buf, 0, 16 );
1131
1132 if( v == AES_DECRYPT )
1133 {
1134 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1135
1136 for( j = 0; j < 10000; j++ )
1137 aes_crypt_ecb( &ctx, v, buf, buf );
1138
1139 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1140 {
1141 if( verbose != 0 )
1142 printf( "failed\n" );
1143
1144 return( 1 );
1145 }
1146 }
1147 else
1148 {
1149 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1150
1151 for( j = 0; j < 10000; j++ )
1152 aes_crypt_ecb( &ctx, v, buf, buf );
1153
1154 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1155 {
1156 if( verbose != 0 )
1157 printf( "failed\n" );
1158
1159 return( 1 );
1160 }
1161 }
1162
1163 if( verbose != 0 )
1164 printf( "passed\n" );
1165 }
1166
1167 if( verbose != 0 )
1168 printf( "\n" );
1169
1170 /*
1171 * CBC mode
1172 */
1173 for( i = 0; i < 6; i++ )
1174 {
1175 u = i >> 1;
1176 v = i & 1;
1177
1178 if( verbose != 0 )
1179 printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1180 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1181
1182 memset( iv , 0, 16 );
1183 memset( prv, 0, 16 );
1184 memset( buf, 0, 16 );
1185
1186 if( v == AES_DECRYPT )
1187 {
1188 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1189
1190 for( j = 0; j < 10000; j++ )
1191 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1192
1193 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1194 {
1195 if( verbose != 0 )
1196 printf( "failed\n" );
1197
1198 return( 1 );
1199 }
1200 }
1201 else
1202 {
1203 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1204
1205 for( j = 0; j < 10000; j++ )
1206 {
1207 unsigned char tmp[16];
1208
1209 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1210
1211 memcpy( tmp, prv, 16 );
1212 memcpy( prv, buf, 16 );
1213 memcpy( buf, tmp, 16 );
1214 }
1215
1216 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1217 {
1218 if( verbose != 0 )
1219 printf( "failed\n" );
1220
1221 return( 1 );
1222 }
1223 }
1224
1225 if( verbose != 0 )
1226 printf( "passed\n" );
1227 }
1228
1229 if( verbose != 0 )
1230 printf( "\n" );
1231
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1232#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1233 /*
1234 * CFB128 mode
1235 */
1236 for( i = 0; i < 6; i++ )
1237 {
1238 u = i >> 1;
1239 v = i & 1;
1240
1241 if( verbose != 0 )
1242 printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1243 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1244
1245 memcpy( iv, aes_test_cfb128_iv, 16 );
1246 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1247
1248 offset = 0;
1249 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1250
1251 if( v == AES_DECRYPT )
1252 {
1253 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1254 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1255
1256 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1257 {
1258 if( verbose != 0 )
1259 printf( "failed\n" );
1260
1261 return( 1 );
1262 }
1263 }
1264 else
1265 {
1266 memcpy( buf, aes_test_cfb128_pt, 64 );
1267 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1268
1269 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1270 {
1271 if( verbose != 0 )
1272 printf( "failed\n" );
1273
1274 return( 1 );
1275 }
1276 }
1277
1278 if( verbose != 0 )
1279 printf( "passed\n" );
1280 }
1281
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1282 if( verbose != 0 )
1283 printf( "\n" );
1284#endif /* POLARSSL_CIPHER_MODE_CFB */
1285
1286#if defined(POLARSSL_CIPHER_MODE_CTR)
1287 /*
1288 * CTR mode
1289 */
1290 for( i = 0; i < 6; i++ )
1291 {
1292 u = i >> 1;
1293 v = i & 1;
1294
1295 if( verbose != 0 )
1296 printf( " AES-CTR-128 (%s): ",
1297 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1298
1299 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1300 memcpy( key, aes_test_ctr_key[u], 16 );
1301
1302 offset = 0;
1303 aes_setkey_enc( &ctx, key, 128 );
1304
1305 if( v == AES_DECRYPT )
1306 {
1307 len = aes_test_ctr_len[u];
1308 memcpy( buf, aes_test_ctr_ct[u], len );
1309
1310 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1311
1312 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1313 {
1314 if( verbose != 0 )
1315 printf( "failed\n" );
1316
1317 return( 1 );
1318 }
1319 }
1320 else
1321 {
1322 len = aes_test_ctr_len[u];
1323 memcpy( buf, aes_test_ctr_pt[u], len );
1324
1325 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1326
1327 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1328 {
1329 if( verbose != 0 )
1330 printf( "failed\n" );
1331
1332 return( 1 );
1333 }
1334 }
1335
1336 if( verbose != 0 )
1337 printf( "passed\n" );
1338 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1339
1340 if( verbose != 0 )
1341 printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1342#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1343
1344 return( 0 );
1345}
1346
1347#endif
1348
1349#endif