blob: 039f3dc6bb0140f15497b3c165f865883f608492 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +00001/*
2 * FIPS-197 compliant AES implementation
3 *
4 * Copyright (C) 2006-2007 Christophe Devine
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License along
17 * with this program; if not, write to the Free Software Foundation, Inc.,
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19 */
20/*
21 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
22 *
23 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
24 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
25 */
26
Paul Bakker40e46942009-01-03 21:51:57 +000027#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +000028
Paul Bakker40e46942009-01-03 21:51:57 +000029#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +000030
Paul Bakker40e46942009-01-03 21:51:57 +000031#include "polarssl/aes.h"
32#include "polarssl/padlock.h"
Paul Bakker5121ce52009-01-03 21:22:43 +000033
34#include <string.h>
35
36/*
37 * 32-bit integer manipulation macros (little endian)
38 */
39#ifndef GET_ULONG_LE
40#define GET_ULONG_LE(n,b,i) \
41{ \
42 (n) = ( (unsigned long) (b)[(i) ] ) \
43 | ( (unsigned long) (b)[(i) + 1] << 8 ) \
44 | ( (unsigned long) (b)[(i) + 2] << 16 ) \
45 | ( (unsigned long) (b)[(i) + 3] << 24 ); \
46}
47#endif
48
49#ifndef PUT_ULONG_LE
50#define PUT_ULONG_LE(n,b,i) \
51{ \
52 (b)[(i) ] = (unsigned char) ( (n) ); \
53 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
54 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
55 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
56}
57#endif
58
Paul Bakker40e46942009-01-03 21:51:57 +000059#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +000060/*
61 * Forward S-box
62 */
63static const unsigned char FSb[256] =
64{
65 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
66 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
67 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
68 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
69 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
70 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
71 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
72 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
73 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
74 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
75 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
76 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
77 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
78 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
79 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
80 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
81 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
82 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
83 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
84 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
85 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
86 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
87 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
88 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
89 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
90 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
91 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
92 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
93 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
94 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
95 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
96 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
97};
98
99/*
100 * Forward tables
101 */
102#define FT \
103\
104 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
105 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
106 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
107 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
108 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
109 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
110 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
111 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
112 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
113 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
114 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
115 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
116 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
117 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
118 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
119 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
120 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
121 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
122 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
123 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
124 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
125 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
126 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
127 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
128 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
129 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
130 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
131 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
132 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
133 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
134 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
135 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
136 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
137 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
138 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
139 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
140 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
141 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
142 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
143 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
144 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
145 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
146 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
147 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
148 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
149 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
150 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
151 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
152 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
153 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
154 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
155 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
156 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
157 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
158 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
159 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
160 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
161 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
162 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
163 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
164 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
165 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
166 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
167 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
168
169#define V(a,b,c,d) 0x##a##b##c##d
170static const unsigned long FT0[256] = { FT };
171#undef V
172
173#define V(a,b,c,d) 0x##b##c##d##a
174static const unsigned long FT1[256] = { FT };
175#undef V
176
177#define V(a,b,c,d) 0x##c##d##a##b
178static const unsigned long FT2[256] = { FT };
179#undef V
180
181#define V(a,b,c,d) 0x##d##a##b##c
182static const unsigned long FT3[256] = { FT };
183#undef V
184
185#undef FT
186
187/*
188 * Reverse S-box
189 */
190static const unsigned char RSb[256] =
191{
192 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
193 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
194 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
195 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
196 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
197 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
198 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
199 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
200 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
201 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
202 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
203 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
204 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
205 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
206 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
207 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
208 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
209 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
210 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
211 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
212 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
213 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
214 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
215 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
216 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
217 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
218 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
219 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
220 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
221 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
222 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
223 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
224};
225
226/*
227 * Reverse tables
228 */
229#define RT \
230\
231 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
232 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
233 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
234 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
235 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
236 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
237 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
238 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
239 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
240 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
241 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
242 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
243 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
244 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
245 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
246 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
247 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
248 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
249 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
250 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
251 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
252 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
253 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
254 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
255 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
256 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
257 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
258 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
259 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
260 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
261 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
262 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
263 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
264 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
265 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
266 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
267 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
268 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
269 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
270 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
271 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
272 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
273 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
274 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
275 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
276 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
277 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
278 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
279 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
280 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
281 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
282 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
283 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
284 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
285 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
286 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
287 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
288 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
289 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
290 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
291 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
292 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
293 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
294 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
295
296#define V(a,b,c,d) 0x##a##b##c##d
297static const unsigned long RT0[256] = { RT };
298#undef V
299
300#define V(a,b,c,d) 0x##b##c##d##a
301static const unsigned long RT1[256] = { RT };
302#undef V
303
304#define V(a,b,c,d) 0x##c##d##a##b
305static const unsigned long RT2[256] = { RT };
306#undef V
307
308#define V(a,b,c,d) 0x##d##a##b##c
309static const unsigned long RT3[256] = { RT };
310#undef V
311
312#undef RT
313
314/*
315 * Round constants
316 */
317static const unsigned long RCON[10] =
318{
319 0x00000001, 0x00000002, 0x00000004, 0x00000008,
320 0x00000010, 0x00000020, 0x00000040, 0x00000080,
321 0x0000001B, 0x00000036
322};
323
324#else
325
326/*
327 * Forward S-box & tables
328 */
329static unsigned char FSb[256];
330static unsigned long FT0[256];
331static unsigned long FT1[256];
332static unsigned long FT2[256];
333static unsigned long FT3[256];
334
335/*
336 * Reverse S-box & tables
337 */
338static unsigned char RSb[256];
339static unsigned long RT0[256];
340static unsigned long RT1[256];
341static unsigned long RT2[256];
342static unsigned long RT3[256];
343
344/*
345 * Round constants
346 */
347static unsigned long RCON[10];
348
349/*
350 * Tables generation code
351 */
352#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
353#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
354#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
355
356static int aes_init_done = 0;
357
358static void aes_gen_tables( void )
359{
360 int i, x, y, z;
361 int pow[256];
362 int log[256];
363
364 /*
365 * compute pow and log tables over GF(2^8)
366 */
367 for( i = 0, x = 1; i < 256; i++ )
368 {
369 pow[i] = x;
370 log[x] = i;
371 x = ( x ^ XTIME( x ) ) & 0xFF;
372 }
373
374 /*
375 * calculate the round constants
376 */
377 for( i = 0, x = 1; i < 10; i++ )
378 {
379 RCON[i] = (unsigned long) x;
380 x = XTIME( x ) & 0xFF;
381 }
382
383 /*
384 * generate the forward and reverse S-boxes
385 */
386 FSb[0x00] = 0x63;
387 RSb[0x63] = 0x00;
388
389 for( i = 1; i < 256; i++ )
390 {
391 x = pow[255 - log[i]];
392
393 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
394 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
395 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
396 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
397 x ^= y ^ 0x63;
398
399 FSb[i] = (unsigned char) x;
400 RSb[x] = (unsigned char) i;
401 }
402
403 /*
404 * generate the forward and reverse tables
405 */
406 for( i = 0; i < 256; i++ )
407 {
408 x = FSb[i];
409 y = XTIME( x ) & 0xFF;
410 z = ( y ^ x ) & 0xFF;
411
412 FT0[i] = ( (unsigned long) y ) ^
413 ( (unsigned long) x << 8 ) ^
414 ( (unsigned long) x << 16 ) ^
415 ( (unsigned long) z << 24 );
416
417 FT1[i] = ROTL8( FT0[i] );
418 FT2[i] = ROTL8( FT1[i] );
419 FT3[i] = ROTL8( FT2[i] );
420
421 x = RSb[i];
422
423 RT0[i] = ( (unsigned long) MUL( 0x0E, x ) ) ^
424 ( (unsigned long) MUL( 0x09, x ) << 8 ) ^
425 ( (unsigned long) MUL( 0x0D, x ) << 16 ) ^
426 ( (unsigned long) MUL( 0x0B, x ) << 24 );
427
428 RT1[i] = ROTL8( RT0[i] );
429 RT2[i] = ROTL8( RT1[i] );
430 RT3[i] = ROTL8( RT2[i] );
431 }
432}
433
434#endif
435
436/*
437 * AES key schedule (encryption)
438 */
439void aes_setkey_enc( aes_context *ctx, unsigned char *key, int keysize )
440{
441 int i;
442 unsigned long *RK;
443
Paul Bakker40e46942009-01-03 21:51:57 +0000444#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000445 if( aes_init_done == 0 )
446 {
447 aes_gen_tables();
448 aes_init_done = 1;
449 }
450#endif
451
452 switch( keysize )
453 {
454 case 128: ctx->nr = 10; break;
455 case 192: ctx->nr = 12; break;
456 case 256: ctx->nr = 14; break;
457 default : return;
458 }
459
460#if defined(PADLOCK_ALIGN16)
461 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
462#else
463 ctx->rk = RK = ctx->buf;
464#endif
465
466 for( i = 0; i < (keysize >> 5); i++ )
467 {
468 GET_ULONG_LE( RK[i], key, i << 2 );
469 }
470
471 switch( ctx->nr )
472 {
473 case 10:
474
475 for( i = 0; i < 10; i++, RK += 4 )
476 {
477 RK[4] = RK[0] ^ RCON[i] ^
478 ( (unsigned long) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
479 ( (unsigned long) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
480 ( (unsigned long) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
481 ( (unsigned long) FSb[ ( RK[3] ) & 0xFF ] << 24 );
482
483 RK[5] = RK[1] ^ RK[4];
484 RK[6] = RK[2] ^ RK[5];
485 RK[7] = RK[3] ^ RK[6];
486 }
487 break;
488
489 case 12:
490
491 for( i = 0; i < 8; i++, RK += 6 )
492 {
493 RK[6] = RK[0] ^ RCON[i] ^
494 ( (unsigned long) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
495 ( (unsigned long) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
496 ( (unsigned long) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
497 ( (unsigned long) FSb[ ( RK[5] ) & 0xFF ] << 24 );
498
499 RK[7] = RK[1] ^ RK[6];
500 RK[8] = RK[2] ^ RK[7];
501 RK[9] = RK[3] ^ RK[8];
502 RK[10] = RK[4] ^ RK[9];
503 RK[11] = RK[5] ^ RK[10];
504 }
505 break;
506
507 case 14:
508
509 for( i = 0; i < 7; i++, RK += 8 )
510 {
511 RK[8] = RK[0] ^ RCON[i] ^
512 ( (unsigned long) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
513 ( (unsigned long) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
514 ( (unsigned long) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
515 ( (unsigned long) FSb[ ( RK[7] ) & 0xFF ] << 24 );
516
517 RK[9] = RK[1] ^ RK[8];
518 RK[10] = RK[2] ^ RK[9];
519 RK[11] = RK[3] ^ RK[10];
520
521 RK[12] = RK[4] ^
522 ( (unsigned long) FSb[ ( RK[11] ) & 0xFF ] ) ^
523 ( (unsigned long) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
524 ( (unsigned long) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
525 ( (unsigned long) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
526
527 RK[13] = RK[5] ^ RK[12];
528 RK[14] = RK[6] ^ RK[13];
529 RK[15] = RK[7] ^ RK[14];
530 }
531 break;
532
533 default:
534
535 break;
536 }
537}
538
539/*
540 * AES key schedule (decryption)
541 */
542void aes_setkey_dec( aes_context *ctx, unsigned char *key, int keysize )
543{
544 int i, j;
545 aes_context cty;
546 unsigned long *RK;
547 unsigned long *SK;
548
549 switch( keysize )
550 {
551 case 128: ctx->nr = 10; break;
552 case 192: ctx->nr = 12; break;
553 case 256: ctx->nr = 14; break;
554 default : return;
555 }
556
557#if defined(PADLOCK_ALIGN16)
558 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
559#else
560 ctx->rk = RK = ctx->buf;
561#endif
562
563 aes_setkey_enc( &cty, key, keysize );
564 SK = cty.rk + cty.nr * 4;
565
566 *RK++ = *SK++;
567 *RK++ = *SK++;
568 *RK++ = *SK++;
569 *RK++ = *SK++;
570
571 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
572 {
573 for( j = 0; j < 4; j++, SK++ )
574 {
575 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
576 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
577 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
578 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
579 }
580 }
581
582 *RK++ = *SK++;
583 *RK++ = *SK++;
584 *RK++ = *SK++;
585 *RK++ = *SK++;
586
587 memset( &cty, 0, sizeof( aes_context ) );
588}
589
590#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
591{ \
592 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
593 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
594 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
595 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
596 \
597 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
598 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
599 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
600 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
601 \
602 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
603 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
604 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
605 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
606 \
607 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
608 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
609 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
610 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
611}
612
613#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
614{ \
615 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
616 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
617 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
618 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
619 \
620 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
621 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
622 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
623 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
624 \
625 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
626 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
627 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
628 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
629 \
630 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
631 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
632 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
633 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
634}
635
636/*
637 * AES-ECB block encryption/decryption
638 */
639void aes_crypt_ecb( aes_context *ctx,
640 int mode,
641 unsigned char input[16],
642 unsigned char output[16] )
643{
644 int i;
645 unsigned long *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
646
Paul Bakker40e46942009-01-03 21:51:57 +0000647#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker5121ce52009-01-03 21:22:43 +0000648 if( padlock_supports( PADLOCK_ACE ) )
649 {
650 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
651 return;
652 }
653#endif
654
655 RK = ctx->rk;
656
657 GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
658 GET_ULONG_LE( X1, input, 4 ); X1 ^= *RK++;
659 GET_ULONG_LE( X2, input, 8 ); X2 ^= *RK++;
660 GET_ULONG_LE( X3, input, 12 ); X3 ^= *RK++;
661
662 if( mode == AES_DECRYPT )
663 {
664 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
665 {
666 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
667 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
668 }
669
670 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
671
672 X0 = *RK++ ^ \
673 ( (unsigned long) RSb[ ( Y0 ) & 0xFF ] ) ^
674 ( (unsigned long) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
675 ( (unsigned long) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
676 ( (unsigned long) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
677
678 X1 = *RK++ ^ \
679 ( (unsigned long) RSb[ ( Y1 ) & 0xFF ] ) ^
680 ( (unsigned long) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
681 ( (unsigned long) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
682 ( (unsigned long) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
683
684 X2 = *RK++ ^ \
685 ( (unsigned long) RSb[ ( Y2 ) & 0xFF ] ) ^
686 ( (unsigned long) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
687 ( (unsigned long) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
688 ( (unsigned long) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
689
690 X3 = *RK++ ^ \
691 ( (unsigned long) RSb[ ( Y3 ) & 0xFF ] ) ^
692 ( (unsigned long) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
693 ( (unsigned long) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
694 ( (unsigned long) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
695 }
696 else /* AES_ENCRYPT */
697 {
698 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
699 {
700 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
701 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
702 }
703
704 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
705
706 X0 = *RK++ ^ \
707 ( (unsigned long) FSb[ ( Y0 ) & 0xFF ] ) ^
708 ( (unsigned long) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
709 ( (unsigned long) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
710 ( (unsigned long) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
711
712 X1 = *RK++ ^ \
713 ( (unsigned long) FSb[ ( Y1 ) & 0xFF ] ) ^
714 ( (unsigned long) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
715 ( (unsigned long) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
716 ( (unsigned long) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
717
718 X2 = *RK++ ^ \
719 ( (unsigned long) FSb[ ( Y2 ) & 0xFF ] ) ^
720 ( (unsigned long) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
721 ( (unsigned long) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
722 ( (unsigned long) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
723
724 X3 = *RK++ ^ \
725 ( (unsigned long) FSb[ ( Y3 ) & 0xFF ] ) ^
726 ( (unsigned long) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
727 ( (unsigned long) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
728 ( (unsigned long) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
729 }
730
731 PUT_ULONG_LE( X0, output, 0 );
732 PUT_ULONG_LE( X1, output, 4 );
733 PUT_ULONG_LE( X2, output, 8 );
734 PUT_ULONG_LE( X3, output, 12 );
735}
736
737/*
738 * AES-CBC buffer encryption/decryption
739 */
740void aes_crypt_cbc( aes_context *ctx,
741 int mode,
742 int length,
743 unsigned char iv[16],
744 unsigned char *input,
745 unsigned char *output )
746{
747 int i;
748 unsigned char temp[16];
749
Paul Bakker40e46942009-01-03 21:51:57 +0000750#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker5121ce52009-01-03 21:22:43 +0000751 if( padlock_supports( PADLOCK_ACE ) )
752 {
753 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
754 return;
755 }
756#endif
757
758 if( mode == AES_DECRYPT )
759 {
760 while( length > 0 )
761 {
762 memcpy( temp, input, 16 );
763 aes_crypt_ecb( ctx, mode, input, output );
764
765 for( i = 0; i < 16; i++ )
766 output[i] = (unsigned char)( output[i] ^ iv[i] );
767
768 memcpy( iv, temp, 16 );
769
770 input += 16;
771 output += 16;
772 length -= 16;
773 }
774 }
775 else
776 {
777 while( length > 0 )
778 {
779 for( i = 0; i < 16; i++ )
780 output[i] = (unsigned char)( input[i] ^ iv[i] );
781
782 aes_crypt_ecb( ctx, mode, output, output );
783 memcpy( iv, output, 16 );
784
785 input += 16;
786 output += 16;
787 length -= 16;
788 }
789 }
790}
791
792/*
793 * AES-CFB128 buffer encryption/decryption
794 */
795void aes_crypt_cfb128( aes_context *ctx,
796 int mode,
797 int length,
798 int *iv_off,
799 unsigned char iv[16],
800 unsigned char *input,
801 unsigned char *output )
802{
803 int c, n = *iv_off;
804
805 if( mode == AES_DECRYPT )
806 {
807 while( length-- )
808 {
809 if( n == 0 )
810 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
811
812 c = *input++;
813 *output++ = (unsigned char)( c ^ iv[n] );
814 iv[n] = (unsigned char) c;
815
816 n = (n + 1) & 0x0F;
817 }
818 }
819 else
820 {
821 while( length-- )
822 {
823 if( n == 0 )
824 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
825
826 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
827
828 n = (n + 1) & 0x0F;
829 }
830 }
831
832 *iv_off = n;
833}
834
Paul Bakker40e46942009-01-03 21:51:57 +0000835#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000836
837#include <stdio.h>
838
839/*
840 * AES test vectors from:
841 *
842 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
843 */
844static const unsigned char aes_test_ecb_dec[3][16] =
845{
846 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
847 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
848 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
849 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
850 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
851 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
852};
853
854static const unsigned char aes_test_ecb_enc[3][16] =
855{
856 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
857 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
858 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
859 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
860 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
861 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
862};
863
864static const unsigned char aes_test_cbc_dec[3][16] =
865{
866 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
867 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
868 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
869 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
870 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
871 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
872};
873
874static const unsigned char aes_test_cbc_enc[3][16] =
875{
876 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
877 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
878 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
879 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
880 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
881 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
882};
883
884/*
885 * AES-CFB128 test vectors from:
886 *
887 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
888 */
889static const unsigned char aes_test_cfb128_key[3][32] =
890{
891 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
892 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
893 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
894 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
895 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
896 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
897 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
898 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
899 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
900};
901
902static const unsigned char aes_test_cfb128_iv[16] =
903{
904 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
905 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
906};
907
908static const unsigned char aes_test_cfb128_pt[64] =
909{
910 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
911 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
912 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
913 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
914 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
915 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
916 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
917 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
918};
919
920static const unsigned char aes_test_cfb128_ct[3][64] =
921{
922 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
923 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
924 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
925 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
926 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
927 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
928 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
929 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
930 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
931 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
932 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
933 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
934 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
935 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
936 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
937 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
938 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
939 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
940 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
941 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
942 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
943 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
944 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
945 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
946};
947
948/*
949 * Checkup routine
950 */
951int aes_self_test( int verbose )
952{
953 int i, j, u, v, offset;
954 unsigned char key[32];
955 unsigned char buf[64];
956 unsigned char prv[16];
957 unsigned char iv[16];
958 aes_context ctx;
959
960 memset( key, 0, 32 );
961
962 /*
963 * ECB mode
964 */
965 for( i = 0; i < 6; i++ )
966 {
967 u = i >> 1;
968 v = i & 1;
969
970 if( verbose != 0 )
971 printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
972 ( v == AES_DECRYPT ) ? "dec" : "enc" );
973
974 memset( buf, 0, 16 );
975
976 if( v == AES_DECRYPT )
977 {
978 aes_setkey_dec( &ctx, key, 128 + u * 64 );
979
980 for( j = 0; j < 10000; j++ )
981 aes_crypt_ecb( &ctx, v, buf, buf );
982
983 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
984 {
985 if( verbose != 0 )
986 printf( "failed\n" );
987
988 return( 1 );
989 }
990 }
991 else
992 {
993 aes_setkey_enc( &ctx, key, 128 + u * 64 );
994
995 for( j = 0; j < 10000; j++ )
996 aes_crypt_ecb( &ctx, v, buf, buf );
997
998 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
999 {
1000 if( verbose != 0 )
1001 printf( "failed\n" );
1002
1003 return( 1 );
1004 }
1005 }
1006
1007 if( verbose != 0 )
1008 printf( "passed\n" );
1009 }
1010
1011 if( verbose != 0 )
1012 printf( "\n" );
1013
1014 /*
1015 * CBC mode
1016 */
1017 for( i = 0; i < 6; i++ )
1018 {
1019 u = i >> 1;
1020 v = i & 1;
1021
1022 if( verbose != 0 )
1023 printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1024 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1025
1026 memset( iv , 0, 16 );
1027 memset( prv, 0, 16 );
1028 memset( buf, 0, 16 );
1029
1030 if( v == AES_DECRYPT )
1031 {
1032 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1033
1034 for( j = 0; j < 10000; j++ )
1035 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1036
1037 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1038 {
1039 if( verbose != 0 )
1040 printf( "failed\n" );
1041
1042 return( 1 );
1043 }
1044 }
1045 else
1046 {
1047 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1048
1049 for( j = 0; j < 10000; j++ )
1050 {
1051 unsigned char tmp[16];
1052
1053 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1054
1055 memcpy( tmp, prv, 16 );
1056 memcpy( prv, buf, 16 );
1057 memcpy( buf, tmp, 16 );
1058 }
1059
1060 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1061 {
1062 if( verbose != 0 )
1063 printf( "failed\n" );
1064
1065 return( 1 );
1066 }
1067 }
1068
1069 if( verbose != 0 )
1070 printf( "passed\n" );
1071 }
1072
1073 if( verbose != 0 )
1074 printf( "\n" );
1075
1076 /*
1077 * CFB128 mode
1078 */
1079 for( i = 0; i < 6; i++ )
1080 {
1081 u = i >> 1;
1082 v = i & 1;
1083
1084 if( verbose != 0 )
1085 printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1086 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1087
1088 memcpy( iv, aes_test_cfb128_iv, 16 );
1089 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1090
1091 offset = 0;
1092 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1093
1094 if( v == AES_DECRYPT )
1095 {
1096 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1097 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1098
1099 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1100 {
1101 if( verbose != 0 )
1102 printf( "failed\n" );
1103
1104 return( 1 );
1105 }
1106 }
1107 else
1108 {
1109 memcpy( buf, aes_test_cfb128_pt, 64 );
1110 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1111
1112 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1113 {
1114 if( verbose != 0 )
1115 printf( "failed\n" );
1116
1117 return( 1 );
1118 }
1119 }
1120
1121 if( verbose != 0 )
1122 printf( "passed\n" );
1123 }
1124
1125
1126 if( verbose != 0 )
1127 printf( "\n" );
1128
1129 return( 0 );
1130}
1131
1132#endif
1133
1134#endif