TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / c38b2f5bcf7af32a9cdff4850345cdae1949439f / . / library / aes.c
blob: 7e6357c3f3aae5d0781902bd89618b5b5ef651ac [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakkerfc8c4362010-03-21 17:37:16 +0000[diff] [blame]4 * Copyright (C) 2006-2010, Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]5 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]6 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License along
18 * with this program; if not, write to the Free Software Foundation, Inc.,
19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
20 */
21/*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]28#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]30#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]31
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]32#include "polarssl/aes.h"
33#include "polarssl/padlock.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]34
35#include <string.h>
36
37/*
38 * 32-bit integer manipulation macros (little endian)
39 */
40#ifndef GET_ULONG_LE
41#define GET_ULONG_LE(n,b,i) \
42{ \
43 (n) = ( (unsigned long) (b)[(i) ] ) \
44 | ( (unsigned long) (b)[(i) + 1] << 8 ) \
45 | ( (unsigned long) (b)[(i) + 2] << 16 ) \
46 | ( (unsigned long) (b)[(i) + 3] << 24 ); \
47}
48#endif
49
50#ifndef PUT_ULONG_LE
51#define PUT_ULONG_LE(n,b,i) \
52{ \
53 (b)[(i) ] = (unsigned char) ( (n) ); \
54 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
55 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
56 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
57}
58#endif
59
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]60#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]61/*
62 * Forward S-box
63 */
64static const unsigned char FSb[256] =
65{
66 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
67 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
68 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
69 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
70 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
71 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
72 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
73 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
74 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
75 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
76 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
77 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
78 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
79 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
80 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
81 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
82 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
83 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
84 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
85 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
86 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
87 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
88 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
89 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
90 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
91 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
92 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
93 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
94 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
95 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
96 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
97 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
98};
99
100/*
101 * Forward tables
102 */
103#define FT \
104\
105 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
106 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
107 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
108 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
109 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
110 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
111 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
112 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
113 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
114 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
115 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
116 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
117 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
118 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
119 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
120 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
121 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
122 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
123 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
124 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
125 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
126 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
127 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
128 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
129 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
130 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
131 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
132 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
133 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
134 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
135 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
136 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
137 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
138 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
139 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
140 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
141 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
142 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
143 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
144 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
145 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
146 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
147 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
148 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
149 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
150 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
151 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
152 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
153 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
154 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
155 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
156 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
157 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
158 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
159 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
160 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
161 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
162 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
163 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
164 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
165 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
166 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
167 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
168 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
169
170#define V(a,b,c,d) 0x##a##b##c##d
171static const unsigned long FT0[256] = { FT };
172#undef V
173
174#define V(a,b,c,d) 0x##b##c##d##a
175static const unsigned long FT1[256] = { FT };
176#undef V
177
178#define V(a,b,c,d) 0x##c##d##a##b
179static const unsigned long FT2[256] = { FT };
180#undef V
181
182#define V(a,b,c,d) 0x##d##a##b##c
183static const unsigned long FT3[256] = { FT };
184#undef V
185
186#undef FT
187
188/*
189 * Reverse S-box
190 */
191static const unsigned char RSb[256] =
192{
193 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
194 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
195 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
196 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
197 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
198 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
199 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
200 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
201 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
202 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
203 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
204 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
205 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
206 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
207 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
208 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
209 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
210 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
211 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
212 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
213 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
214 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
215 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
216 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
217 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
218 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
219 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
220 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
221 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
222 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
223 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
224 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
225};
226
227/*
228 * Reverse tables
229 */
230#define RT \
231\
232 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
233 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
234 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
235 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
236 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
237 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
238 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
239 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
240 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
241 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
242 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
243 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
244 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
245 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
246 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
247 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
248 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
249 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
250 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
251 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
252 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
253 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
254 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
255 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
256 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
257 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
258 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
259 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
260 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
261 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
262 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
263 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
264 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
265 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
266 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
267 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
268 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
269 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
270 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
271 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
272 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
273 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
274 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
275 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
276 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
277 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
278 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
279 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
280 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
281 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
282 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
283 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
284 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
285 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
286 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
287 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
288 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
289 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
290 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
291 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
292 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
293 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
294 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
295 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
296
297#define V(a,b,c,d) 0x##a##b##c##d
298static const unsigned long RT0[256] = { RT };
299#undef V
300
301#define V(a,b,c,d) 0x##b##c##d##a
302static const unsigned long RT1[256] = { RT };
303#undef V
304
305#define V(a,b,c,d) 0x##c##d##a##b
306static const unsigned long RT2[256] = { RT };
307#undef V
308
309#define V(a,b,c,d) 0x##d##a##b##c
310static const unsigned long RT3[256] = { RT };
311#undef V
312
313#undef RT
314
315/*
316 * Round constants
317 */
318static const unsigned long RCON[10] =
319{
320 0x00000001, 0x00000002, 0x00000004, 0x00000008,
321 0x00000010, 0x00000020, 0x00000040, 0x00000080,
322 0x0000001B, 0x00000036
323};
324
325#else
326
327/*
328 * Forward S-box & tables
329 */
330static unsigned char FSb[256];
331static unsigned long FT0[256];
332static unsigned long FT1[256];
333static unsigned long FT2[256];
334static unsigned long FT3[256];
335
336/*
337 * Reverse S-box & tables
338 */
339static unsigned char RSb[256];
340static unsigned long RT0[256];
341static unsigned long RT1[256];
342static unsigned long RT2[256];
343static unsigned long RT3[256];
344
345/*
346 * Round constants
347 */
348static unsigned long RCON[10];
349
350/*
351 * Tables generation code
352 */
353#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
354#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
355#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
356
357static int aes_init_done = 0;
358
359static void aes_gen_tables( void )
360{
361 int i, x, y, z;
362 int pow[256];
363 int log[256];
364
365 /*
366 * compute pow and log tables over GF(2^8)
367 */
368 for( i = 0, x = 1; i < 256; i++ )
369 {
370 pow[i] = x;
371 log[x] = i;
372 x = ( x ^ XTIME( x ) ) & 0xFF;
373 }
374
375 /*
376 * calculate the round constants
377 */
378 for( i = 0, x = 1; i < 10; i++ )
379 {
380 RCON[i] = (unsigned long) x;
381 x = XTIME( x ) & 0xFF;
382 }
383
384 /*
385 * generate the forward and reverse S-boxes
386 */
387 FSb[0x00] = 0x63;
388 RSb[0x63] = 0x00;
389
390 for( i = 1; i < 256; i++ )
391 {
392 x = pow[255 - log[i]];
393
394 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
395 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
396 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
397 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
398 x ^= y ^ 0x63;
399
400 FSb[i] = (unsigned char) x;
401 RSb[x] = (unsigned char) i;
402 }
403
404 /*
405 * generate the forward and reverse tables
406 */
407 for( i = 0; i < 256; i++ )
408 {
409 x = FSb[i];
410 y = XTIME( x ) & 0xFF;
411 z = ( y ^ x ) & 0xFF;
412
413 FT0[i] = ( (unsigned long) y ) ^
414 ( (unsigned long) x << 8 ) ^
415 ( (unsigned long) x << 16 ) ^
416 ( (unsigned long) z << 24 );
417
418 FT1[i] = ROTL8( FT0[i] );
419 FT2[i] = ROTL8( FT1[i] );
420 FT3[i] = ROTL8( FT2[i] );
421
422 x = RSb[i];
423
424 RT0[i] = ( (unsigned long) MUL( 0x0E, x ) ) ^
425 ( (unsigned long) MUL( 0x09, x ) << 8 ) ^
426 ( (unsigned long) MUL( 0x0D, x ) << 16 ) ^
427 ( (unsigned long) MUL( 0x0B, x ) << 24 );
428
429 RT1[i] = ROTL8( RT0[i] );
430 RT2[i] = ROTL8( RT1[i] );
431 RT3[i] = ROTL8( RT2[i] );
432 }
433}
434
435#endif
436
437/*
438 * AES key schedule (encryption)
439 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]440int aes_setkey_enc( aes_context *ctx, const unsigned char *key, int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]441{
442 int i;
443 unsigned long *RK;
444
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]445#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]446 if( aes_init_done == 0 )
447 {
448 aes_gen_tables();
449 aes_init_done = 1;
450 }
451#endif
452
453 switch( keysize )
454 {
455 case 128: ctx->nr = 10; break;
456 case 192: ctx->nr = 12; break;
457 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]458 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]459 }
460
461#if defined(PADLOCK_ALIGN16)
462 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
463#else
464 ctx->rk = RK = ctx->buf;
465#endif
466
467 for( i = 0; i < (keysize >> 5); i++ )
468 {
469 GET_ULONG_LE( RK[i], key, i << 2 );
470 }
471
472 switch( ctx->nr )
473 {
474 case 10:
475
476 for( i = 0; i < 10; i++, RK += 4 )
477 {
478 RK[4] = RK[0] ^ RCON[i] ^
479 ( (unsigned long) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
480 ( (unsigned long) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
481 ( (unsigned long) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
482 ( (unsigned long) FSb[ ( RK[3] ) & 0xFF ] << 24 );
483
484 RK[5] = RK[1] ^ RK[4];
485 RK[6] = RK[2] ^ RK[5];
486 RK[7] = RK[3] ^ RK[6];
487 }
488 break;
489
490 case 12:
491
492 for( i = 0; i < 8; i++, RK += 6 )
493 {
494 RK[6] = RK[0] ^ RCON[i] ^
495 ( (unsigned long) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
496 ( (unsigned long) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
497 ( (unsigned long) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
498 ( (unsigned long) FSb[ ( RK[5] ) & 0xFF ] << 24 );
499
500 RK[7] = RK[1] ^ RK[6];
501 RK[8] = RK[2] ^ RK[7];
502 RK[9] = RK[3] ^ RK[8];
503 RK[10] = RK[4] ^ RK[9];
504 RK[11] = RK[5] ^ RK[10];
505 }
506 break;
507
508 case 14:
509
510 for( i = 0; i < 7; i++, RK += 8 )
511 {
512 RK[8] = RK[0] ^ RCON[i] ^
513 ( (unsigned long) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
514 ( (unsigned long) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
515 ( (unsigned long) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
516 ( (unsigned long) FSb[ ( RK[7] ) & 0xFF ] << 24 );
517
518 RK[9] = RK[1] ^ RK[8];
519 RK[10] = RK[2] ^ RK[9];
520 RK[11] = RK[3] ^ RK[10];
521
522 RK[12] = RK[4] ^
523 ( (unsigned long) FSb[ ( RK[11] ) & 0xFF ] ) ^
524 ( (unsigned long) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
525 ( (unsigned long) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
526 ( (unsigned long) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
527
528 RK[13] = RK[5] ^ RK[12];
529 RK[14] = RK[6] ^ RK[13];
530 RK[15] = RK[7] ^ RK[14];
531 }
532 break;
533
534 default:
535
536 break;
537 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]538
539 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]540}
541
542/*
543 * AES key schedule (decryption)
544 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]545int aes_setkey_dec( aes_context *ctx, const unsigned char *key, int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]546{
547 int i, j;
548 aes_context cty;
549 unsigned long *RK;
550 unsigned long *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]551 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]552
553 switch( keysize )
554 {
555 case 128: ctx->nr = 10; break;
556 case 192: ctx->nr = 12; break;
557 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]558 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]559 }
560
561#if defined(PADLOCK_ALIGN16)
562 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
563#else
564 ctx->rk = RK = ctx->buf;
565#endif
566
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]567 ret = aes_setkey_enc( &cty, key, keysize );
568 if( ret != 0 )
569 return( ret );
570
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]571 SK = cty.rk + cty.nr * 4;
572
573 *RK++ = *SK++;
574 *RK++ = *SK++;
575 *RK++ = *SK++;
576 *RK++ = *SK++;
577
578 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
579 {
580 for( j = 0; j < 4; j++, SK++ )
581 {
582 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
583 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
584 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
585 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
586 }
587 }
588
589 *RK++ = *SK++;
590 *RK++ = *SK++;
591 *RK++ = *SK++;
592 *RK++ = *SK++;
593
594 memset( &cty, 0, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]595
596 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]597}
598
599#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
600{ \
601 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
602 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
603 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
604 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
605 \
606 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
607 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
608 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
609 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
610 \
611 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
612 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
613 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
614 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
615 \
616 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
617 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
618 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
619 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
620}
621
622#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
623{ \
624 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
625 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
626 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
627 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
628 \
629 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
630 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
631 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
632 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
633 \
634 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
635 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
636 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
637 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
638 \
639 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
640 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
641 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
642 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
643}
644
645/*
646 * AES-ECB block encryption/decryption
647 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]648int aes_crypt_ecb( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]649 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]650 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]651 unsigned char output[16] )
652{
653 int i;
654 unsigned long *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
655
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]656#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]657 if( padlock_supports( PADLOCK_ACE ) )
658 {
659 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]660 return( 0 );
661
662 // If padlock data misaligned, we just fall back to
663 // unaccelerated mode
664 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]665 }
666#endif
667
668 RK = ctx->rk;
669
670 GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
671 GET_ULONG_LE( X1, input, 4 ); X1 ^= *RK++;
672 GET_ULONG_LE( X2, input, 8 ); X2 ^= *RK++;
673 GET_ULONG_LE( X3, input, 12 ); X3 ^= *RK++;
674
675 if( mode == AES_DECRYPT )
676 {
677 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
678 {
679 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
680 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
681 }
682
683 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
684
685 X0 = *RK++ ^ \
686 ( (unsigned long) RSb[ ( Y0 ) & 0xFF ] ) ^
687 ( (unsigned long) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
688 ( (unsigned long) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
689 ( (unsigned long) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
690
691 X1 = *RK++ ^ \
692 ( (unsigned long) RSb[ ( Y1 ) & 0xFF ] ) ^
693 ( (unsigned long) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
694 ( (unsigned long) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
695 ( (unsigned long) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
696
697 X2 = *RK++ ^ \
698 ( (unsigned long) RSb[ ( Y2 ) & 0xFF ] ) ^
699 ( (unsigned long) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
700 ( (unsigned long) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
701 ( (unsigned long) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
702
703 X3 = *RK++ ^ \
704 ( (unsigned long) RSb[ ( Y3 ) & 0xFF ] ) ^
705 ( (unsigned long) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
706 ( (unsigned long) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
707 ( (unsigned long) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
708 }
709 else /* AES_ENCRYPT */
710 {
711 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
712 {
713 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
714 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
715 }
716
717 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
718
719 X0 = *RK++ ^ \
720 ( (unsigned long) FSb[ ( Y0 ) & 0xFF ] ) ^
721 ( (unsigned long) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
722 ( (unsigned long) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
723 ( (unsigned long) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
724
725 X1 = *RK++ ^ \
726 ( (unsigned long) FSb[ ( Y1 ) & 0xFF ] ) ^
727 ( (unsigned long) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
728 ( (unsigned long) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
729 ( (unsigned long) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
730
731 X2 = *RK++ ^ \
732 ( (unsigned long) FSb[ ( Y2 ) & 0xFF ] ) ^
733 ( (unsigned long) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
734 ( (unsigned long) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
735 ( (unsigned long) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
736
737 X3 = *RK++ ^ \
738 ( (unsigned long) FSb[ ( Y3 ) & 0xFF ] ) ^
739 ( (unsigned long) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
740 ( (unsigned long) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
741 ( (unsigned long) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
742 }
743
744 PUT_ULONG_LE( X0, output, 0 );
745 PUT_ULONG_LE( X1, output, 4 );
746 PUT_ULONG_LE( X2, output, 8 );
747 PUT_ULONG_LE( X3, output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]748
749 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]750}
751
752/*
753 * AES-CBC buffer encryption/decryption
754 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]755int aes_crypt_cbc( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]756 int mode,
757 int length,
758 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]759 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]760 unsigned char *output )
761{
762 int i;
763 unsigned char temp[16];
764
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]765 if( length % 16 )
766 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
767
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]768#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]769 if( padlock_supports( PADLOCK_ACE ) )
770 {
771 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]772 return( 0 );
773
774 // If padlock data misaligned, we just fall back to
775 // unaccelerated mode
776 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]777 }
778#endif
779
780 if( mode == AES_DECRYPT )
781 {
782 while( length > 0 )
783 {
784 memcpy( temp, input, 16 );
785 aes_crypt_ecb( ctx, mode, input, output );
786
787 for( i = 0; i < 16; i++ )
788 output[i] = (unsigned char)( output[i] ^ iv[i] );
789
790 memcpy( iv, temp, 16 );
791
792 input += 16;
793 output += 16;
794 length -= 16;
795 }
796 }
797 else
798 {
799 while( length > 0 )
800 {
801 for( i = 0; i < 16; i++ )
802 output[i] = (unsigned char)( input[i] ^ iv[i] );
803
804 aes_crypt_ecb( ctx, mode, output, output );
805 memcpy( iv, output, 16 );
806
807 input += 16;
808 output += 16;
809 length -= 16;
810 }
811 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]812
813 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]814}
815
816/*
817 * AES-CFB128 buffer encryption/decryption
818 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]819int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]820 int mode,
821 int length,
822 int *iv_off,
823 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]824 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]825 unsigned char *output )
826{
827 int c, n = *iv_off;
828
829 if( mode == AES_DECRYPT )
830 {
831 while( length-- )
832 {
833 if( n == 0 )
834 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
835
836 c = *input++;
837 *output++ = (unsigned char)( c ^ iv[n] );
838 iv[n] = (unsigned char) c;
839
840 n = (n + 1) & 0x0F;
841 }
842 }
843 else
844 {
845 while( length-- )
846 {
847 if( n == 0 )
848 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
849
850 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
851
852 n = (n + 1) & 0x0F;
853 }
854 }
855
856 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]857
858 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]859}
860
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]861#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]862
863#include <stdio.h>
864
865/*
866 * AES test vectors from:
867 *
868 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
869 */
870static const unsigned char aes_test_ecb_dec[3][16] =
871{
872 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
873 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
874 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
875 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
876 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
877 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
878};
879
880static const unsigned char aes_test_ecb_enc[3][16] =
881{
882 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
883 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
884 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
885 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
886 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
887 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
888};
889
890static const unsigned char aes_test_cbc_dec[3][16] =
891{
892 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
893 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
894 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
895 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
896 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
897 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
898};
899
900static const unsigned char aes_test_cbc_enc[3][16] =
901{
902 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
903 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
904 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
905 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
906 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
907 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
908};
909
910/*
911 * AES-CFB128 test vectors from:
912 *
913 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
914 */
915static const unsigned char aes_test_cfb128_key[3][32] =
916{
917 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
918 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
919 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
920 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
921 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
922 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
923 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
924 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
925 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
926};
927
928static const unsigned char aes_test_cfb128_iv[16] =
929{
930 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
931 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
932};
933
934static const unsigned char aes_test_cfb128_pt[64] =
935{
936 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
937 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
938 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
939 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
940 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
941 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
942 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
943 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
944};
945
946static const unsigned char aes_test_cfb128_ct[3][64] =
947{
948 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
949 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
950 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
951 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
952 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
953 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
954 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
955 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
956 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
957 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
958 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
959 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
960 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
961 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
962 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
963 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
964 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
965 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
966 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
967 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
968 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
969 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
970 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
971 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
972};
973
974/*
975 * Checkup routine
976 */
977int aes_self_test( int verbose )
978{
979 int i, j, u, v, offset;
980 unsigned char key[32];
981 unsigned char buf[64];
982 unsigned char prv[16];
983 unsigned char iv[16];
984 aes_context ctx;
985
986 memset( key, 0, 32 );
987
988 /*
989 * ECB mode
990 */
991 for( i = 0; i < 6; i++ )
992 {
993 u = i >> 1;
994 v = i & 1;
995
996 if( verbose != 0 )
997 printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
998 ( v == AES_DECRYPT ) ? "dec" : "enc" );
999
1000 memset( buf, 0, 16 );
1001
1002 if( v == AES_DECRYPT )
1003 {
1004 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1005
1006 for( j = 0; j < 10000; j++ )
1007 aes_crypt_ecb( &ctx, v, buf, buf );
1008
1009 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1010 {
1011 if( verbose != 0 )
1012 printf( "failed\n" );
1013
1014 return( 1 );
1015 }
1016 }
1017 else
1018 {
1019 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1020
1021 for( j = 0; j < 10000; j++ )
1022 aes_crypt_ecb( &ctx, v, buf, buf );
1023
1024 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1025 {
1026 if( verbose != 0 )
1027 printf( "failed\n" );
1028
1029 return( 1 );
1030 }
1031 }
1032
1033 if( verbose != 0 )
1034 printf( "passed\n" );
1035 }
1036
1037 if( verbose != 0 )
1038 printf( "\n" );
1039
1040 /*
1041 * CBC mode
1042 */
1043 for( i = 0; i < 6; i++ )
1044 {
1045 u = i >> 1;
1046 v = i & 1;
1047
1048 if( verbose != 0 )
1049 printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1050 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1051
1052 memset( iv , 0, 16 );
1053 memset( prv, 0, 16 );
1054 memset( buf, 0, 16 );
1055
1056 if( v == AES_DECRYPT )
1057 {
1058 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1059
1060 for( j = 0; j < 10000; j++ )
1061 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1062
1063 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1064 {
1065 if( verbose != 0 )
1066 printf( "failed\n" );
1067
1068 return( 1 );
1069 }
1070 }
1071 else
1072 {
1073 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1074
1075 for( j = 0; j < 10000; j++ )
1076 {
1077 unsigned char tmp[16];
1078
1079 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1080
1081 memcpy( tmp, prv, 16 );
1082 memcpy( prv, buf, 16 );
1083 memcpy( buf, tmp, 16 );
1084 }
1085
1086 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1087 {
1088 if( verbose != 0 )
1089 printf( "failed\n" );
1090
1091 return( 1 );
1092 }
1093 }
1094
1095 if( verbose != 0 )
1096 printf( "passed\n" );
1097 }
1098
1099 if( verbose != 0 )
1100 printf( "\n" );
1101
1102 /*
1103 * CFB128 mode
1104 */
1105 for( i = 0; i < 6; i++ )
1106 {
1107 u = i >> 1;
1108 v = i & 1;
1109
1110 if( verbose != 0 )
1111 printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1112 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1113
1114 memcpy( iv, aes_test_cfb128_iv, 16 );
1115 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1116
1117 offset = 0;
1118 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1119
1120 if( v == AES_DECRYPT )
1121 {
1122 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1123 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1124
1125 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1126 {
1127 if( verbose != 0 )
1128 printf( "failed\n" );
1129
1130 return( 1 );
1131 }
1132 }
1133 else
1134 {
1135 memcpy( buf, aes_test_cfb128_pt, 64 );
1136 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1137
1138 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1139 {
1140 if( verbose != 0 )
1141 printf( "failed\n" );
1142
1143 return( 1 );
1144 }
1145 }
1146
1147 if( verbose != 0 )
1148 printf( "passed\n" );
1149 }
1150
1151
1152 if( verbose != 0 )
1153 printf( "\n" );
1154
1155 return( 0 );
1156}
1157
1158#endif
1159
1160#endif