TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 90995b5ce3295685586b740aa6f511cef05d51f1 / . / library / aes.c
blob: 6456c54d19ba839fa92334cd0fb7975d459cfba0 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame^]4 * Copyright (C) 2006-2013, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27 *
28 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30 */
31
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]32#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#include "polarssl/aes.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]37#if defined(POLARSSL_PADLOCK_C)
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#include "polarssl/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]39#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]40
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame^]41#if !defined(POLARSSL_AES_ALT)
42
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]43/*
44 * 32-bit integer manipulation macros (little endian)
45 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]46#ifndef GET_UINT32_LE
47#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]48{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]49 (n) = ( (uint32_t) (b)[(i) ] ) \
50 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
51 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
52 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]53}
54#endif
55
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]56#ifndef PUT_UINT32_LE
57#define PUT_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]58{ \
59 (b)[(i) ] = (unsigned char) ( (n) ); \
60 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
61 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
62 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
63}
64#endif
65
Paul Bakker0e19e9f2012-10-01 11:02:48 +0000[diff] [blame]66#if defined(POLARSSL_PADLOCK_C) && \
67 ( defined(POLARSSL_HAVE_X86) || defined(PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]68static int aes_padlock_ace = -1;
69#endif
70
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]71#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]72/*
73 * Forward S-box
74 */
75static const unsigned char FSb[256] =
76{
77 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
78 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
79 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
80 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
81 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
82 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
83 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
84 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
85 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
86 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
87 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
88 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
89 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
90 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
91 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
92 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
93 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
94 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
95 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
96 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
97 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
98 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
99 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
100 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
101 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
102 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
103 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
104 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
105 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
106 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
107 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
108 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
109};
110
111/*
112 * Forward tables
113 */
114#define FT \
115\
116 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
117 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
118 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
119 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
120 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
121 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
122 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
123 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
124 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
125 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
126 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
127 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
128 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
129 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
130 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
131 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
132 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
133 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
134 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
135 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
136 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
137 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
138 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
139 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
140 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
141 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
142 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
143 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
144 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
145 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
146 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
147 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
148 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
149 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
150 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
151 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
152 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
153 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
154 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
155 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
156 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
157 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
158 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
159 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
160 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
161 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
162 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
163 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
164 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
165 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
166 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
167 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
168 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
169 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
170 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
171 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
172 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
173 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
174 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
175 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
176 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
177 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
178 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
179 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
180
181#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]182static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]183#undef V
184
185#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]186static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]187#undef V
188
189#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]190static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]191#undef V
192
193#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]194static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]195#undef V
196
197#undef FT
198
199/*
200 * Reverse S-box
201 */
202static const unsigned char RSb[256] =
203{
204 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
205 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
206 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
207 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
208 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
209 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
210 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
211 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
212 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
213 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
214 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
215 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
216 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
217 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
218 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
219 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
220 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
221 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
222 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
223 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
224 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
225 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
226 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
227 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
228 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
229 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
230 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
231 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
232 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
233 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
234 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
235 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
236};
237
238/*
239 * Reverse tables
240 */
241#define RT \
242\
243 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
244 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
245 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
246 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
247 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
248 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
249 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
250 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
251 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
252 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
253 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
254 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
255 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
256 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
257 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
258 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
259 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
260 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
261 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
262 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
263 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
264 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
265 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
266 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
267 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
268 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
269 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
270 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
271 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
272 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
273 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
274 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
275 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
276 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
277 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
278 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
279 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
280 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
281 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
282 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
283 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
284 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
285 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
286 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
287 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
288 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
289 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
290 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
291 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
292 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
293 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
294 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
295 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
296 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
297 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
298 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
299 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
300 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
301 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
302 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
303 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
304 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
305 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
306 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
307
308#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]309static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]310#undef V
311
312#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]313static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]314#undef V
315
316#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]317static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]318#undef V
319
320#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]321static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]322#undef V
323
324#undef RT
325
326/*
327 * Round constants
328 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]329static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]330{
331 0x00000001, 0x00000002, 0x00000004, 0x00000008,
332 0x00000010, 0x00000020, 0x00000040, 0x00000080,
333 0x0000001B, 0x00000036
334};
335
336#else
337
338/*
339 * Forward S-box & tables
340 */
341static unsigned char FSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]342static uint32_t FT0[256];
343static uint32_t FT1[256];
344static uint32_t FT2[256];
345static uint32_t FT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]346
347/*
348 * Reverse S-box & tables
349 */
350static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]351static uint32_t RT0[256];
352static uint32_t RT1[256];
353static uint32_t RT2[256];
354static uint32_t RT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]355
356/*
357 * Round constants
358 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]359static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360
361/*
362 * Tables generation code
363 */
364#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
365#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
366#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
367
368static int aes_init_done = 0;
369
370static void aes_gen_tables( void )
371{
372 int i, x, y, z;
373 int pow[256];
374 int log[256];
375
376 /*
377 * compute pow and log tables over GF(2^8)
378 */
379 for( i = 0, x = 1; i < 256; i++ )
380 {
381 pow[i] = x;
382 log[x] = i;
383 x = ( x ^ XTIME( x ) ) & 0xFF;
384 }
385
386 /*
387 * calculate the round constants
388 */
389 for( i = 0, x = 1; i < 10; i++ )
390 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]391 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]392 x = XTIME( x ) & 0xFF;
393 }
394
395 /*
396 * generate the forward and reverse S-boxes
397 */
398 FSb[0x00] = 0x63;
399 RSb[0x63] = 0x00;
400
401 for( i = 1; i < 256; i++ )
402 {
403 x = pow[255 - log[i]];
404
405 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
406 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
407 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
408 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
409 x ^= y ^ 0x63;
410
411 FSb[i] = (unsigned char) x;
412 RSb[x] = (unsigned char) i;
413 }
414
415 /*
416 * generate the forward and reverse tables
417 */
418 for( i = 0; i < 256; i++ )
419 {
420 x = FSb[i];
421 y = XTIME( x ) & 0xFF;
422 z = ( y ^ x ) & 0xFF;
423
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]424 FT0[i] = ( (uint32_t) y ) ^
425 ( (uint32_t) x << 8 ) ^
426 ( (uint32_t) x << 16 ) ^
427 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]428
429 FT1[i] = ROTL8( FT0[i] );
430 FT2[i] = ROTL8( FT1[i] );
431 FT3[i] = ROTL8( FT2[i] );
432
433 x = RSb[i];
434
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]435 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
436 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
437 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
438 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]439
440 RT1[i] = ROTL8( RT0[i] );
441 RT2[i] = ROTL8( RT1[i] );
442 RT3[i] = ROTL8( RT2[i] );
443 }
444}
445
446#endif
447
448/*
449 * AES key schedule (encryption)
450 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]451int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]452{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]453 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]454 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]455
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]456#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]457 if( aes_init_done == 0 )
458 {
459 aes_gen_tables();
460 aes_init_done = 1;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]461
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]462 }
463#endif
464
465 switch( keysize )
466 {
467 case 128: ctx->nr = 10; break;
468 case 192: ctx->nr = 12; break;
469 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]470 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]471 }
472
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]473#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
474 if( aes_padlock_ace == -1 )
475 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
476
477 if( aes_padlock_ace )
478 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
479 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]480#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]481 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]482
483 for( i = 0; i < (keysize >> 5); i++ )
484 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]485 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]486 }
487
488 switch( ctx->nr )
489 {
490 case 10:
491
492 for( i = 0; i < 10; i++, RK += 4 )
493 {
494 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]495 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
496 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
497 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
498 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]499
500 RK[5] = RK[1] ^ RK[4];
501 RK[6] = RK[2] ^ RK[5];
502 RK[7] = RK[3] ^ RK[6];
503 }
504 break;
505
506 case 12:
507
508 for( i = 0; i < 8; i++, RK += 6 )
509 {
510 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]511 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
512 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
513 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
514 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]515
516 RK[7] = RK[1] ^ RK[6];
517 RK[8] = RK[2] ^ RK[7];
518 RK[9] = RK[3] ^ RK[8];
519 RK[10] = RK[4] ^ RK[9];
520 RK[11] = RK[5] ^ RK[10];
521 }
522 break;
523
524 case 14:
525
526 for( i = 0; i < 7; i++, RK += 8 )
527 {
528 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]529 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
530 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
531 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
532 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]533
534 RK[9] = RK[1] ^ RK[8];
535 RK[10] = RK[2] ^ RK[9];
536 RK[11] = RK[3] ^ RK[10];
537
538 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]539 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
540 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
541 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
542 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]543
544 RK[13] = RK[5] ^ RK[12];
545 RK[14] = RK[6] ^ RK[13];
546 RK[15] = RK[7] ^ RK[14];
547 }
548 break;
549
550 default:
551
552 break;
553 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]554
555 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]556}
557
558/*
559 * AES key schedule (decryption)
560 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]561int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]562{
563 int i, j;
564 aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]565 uint32_t *RK;
566 uint32_t *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]567 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]568
569 switch( keysize )
570 {
571 case 128: ctx->nr = 10; break;
572 case 192: ctx->nr = 12; break;
573 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]574 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]575 }
576
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]577#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
578 if( aes_padlock_ace == -1 )
579 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
580
581 if( aes_padlock_ace )
582 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
583 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]584#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]585 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]586
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]587 ret = aes_setkey_enc( &cty, key, keysize );
588 if( ret != 0 )
589 return( ret );
590
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]591 SK = cty.rk + cty.nr * 4;
592
593 *RK++ = *SK++;
594 *RK++ = *SK++;
595 *RK++ = *SK++;
596 *RK++ = *SK++;
597
598 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
599 {
600 for( j = 0; j < 4; j++, SK++ )
601 {
602 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
603 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
604 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
605 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
606 }
607 }
608
609 *RK++ = *SK++;
610 *RK++ = *SK++;
611 *RK++ = *SK++;
612 *RK++ = *SK++;
613
614 memset( &cty, 0, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]615
616 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]617}
618
619#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
620{ \
621 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
622 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
623 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
624 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
625 \
626 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
627 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
628 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
629 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
630 \
631 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
632 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
633 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
634 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
635 \
636 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
637 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
638 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
639 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
640}
641
642#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
643{ \
644 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
645 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
646 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
647 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
648 \
649 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
650 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
651 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
652 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
653 \
654 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
655 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
656 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
657 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
658 \
659 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
660 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
661 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
662 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
663}
664
665/*
666 * AES-ECB block encryption/decryption
667 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]668int aes_crypt_ecb( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]669 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]670 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]671 unsigned char output[16] )
672{
673 int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]674 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]675
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]676#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]677 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]678 {
679 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]680 return( 0 );
681
682 // If padlock data misaligned, we just fall back to
683 // unaccelerated mode
684 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]685 }
686#endif
687
688 RK = ctx->rk;
689
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]690 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
691 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
692 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
693 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]694
695 if( mode == AES_DECRYPT )
696 {
697 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
698 {
699 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
700 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
701 }
702
703 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
704
705 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]706 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
707 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
708 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
709 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]710
711 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]712 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
713 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
714 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
715 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]716
717 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]718 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
719 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
720 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
721 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]722
723 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]724 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
725 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
726 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
727 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]728 }
729 else /* AES_ENCRYPT */
730 {
731 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
732 {
733 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
734 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
735 }
736
737 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
738
739 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]740 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
741 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
742 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
743 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]744
745 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]746 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
747 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
748 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
749 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]750
751 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]752 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
753 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
754 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
755 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]756
757 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]758 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
759 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
760 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
761 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]762 }
763
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]764 PUT_UINT32_LE( X0, output, 0 );
765 PUT_UINT32_LE( X1, output, 4 );
766 PUT_UINT32_LE( X2, output, 8 );
767 PUT_UINT32_LE( X3, output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]768
769 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]770}
771
772/*
773 * AES-CBC buffer encryption/decryption
774 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]775int aes_crypt_cbc( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]776 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]777 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]778 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]779 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]780 unsigned char *output )
781{
782 int i;
783 unsigned char temp[16];
784
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]785 if( length % 16 )
786 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
787
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]788#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]789 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]790 {
791 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]792 return( 0 );
793
794 // If padlock data misaligned, we just fall back to
795 // unaccelerated mode
796 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]797 }
798#endif
799
800 if( mode == AES_DECRYPT )
801 {
802 while( length > 0 )
803 {
804 memcpy( temp, input, 16 );
805 aes_crypt_ecb( ctx, mode, input, output );
806
807 for( i = 0; i < 16; i++ )
808 output[i] = (unsigned char)( output[i] ^ iv[i] );
809
810 memcpy( iv, temp, 16 );
811
812 input += 16;
813 output += 16;
814 length -= 16;
815 }
816 }
817 else
818 {
819 while( length > 0 )
820 {
821 for( i = 0; i < 16; i++ )
822 output[i] = (unsigned char)( input[i] ^ iv[i] );
823
824 aes_crypt_ecb( ctx, mode, output, output );
825 memcpy( iv, output, 16 );
826
827 input += 16;
828 output += 16;
829 length -= 16;
830 }
831 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]832
833 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]834}
835
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]836#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]837/*
838 * AES-CFB128 buffer encryption/decryption
839 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]840int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]841 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]842 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]843 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]844 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]845 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]846 unsigned char *output )
847{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]848 int c;
849 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]850
851 if( mode == AES_DECRYPT )
852 {
853 while( length-- )
854 {
855 if( n == 0 )
856 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
857
858 c = *input++;
859 *output++ = (unsigned char)( c ^ iv[n] );
860 iv[n] = (unsigned char) c;
861
862 n = (n + 1) & 0x0F;
863 }
864 }
865 else
866 {
867 while( length-- )
868 {
869 if( n == 0 )
870 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
871
872 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
873
874 n = (n + 1) & 0x0F;
875 }
876 }
877
878 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]879
880 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]881}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]882#endif /*POLARSSL_CIPHER_MODE_CFB */
883
884#if defined(POLARSSL_CIPHER_MODE_CTR)
885/*
886 * AES-CTR buffer encryption/decryption
887 */
888int aes_crypt_ctr( aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]889 size_t length,
890 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]891 unsigned char nonce_counter[16],
892 unsigned char stream_block[16],
893 const unsigned char *input,
894 unsigned char *output )
895{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]896 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]897 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]898
899 while( length-- )
900 {
901 if( n == 0 ) {
902 aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
903
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]904 for( i = 16; i > 0; i-- )
905 if( ++nonce_counter[i - 1] != 0 )
906 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]907 }
908 c = *input++;
909 *output++ = (unsigned char)( c ^ stream_block[n] );
910
911 n = (n + 1) & 0x0F;
912 }
913
914 *nc_off = n;
915
916 return( 0 );
917}
918#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame^]919#endif /* !POLARSSL_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]920
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]921#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]922
923#include <stdio.h>
924
925/*
926 * AES test vectors from:
927 *
928 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
929 */
930static const unsigned char aes_test_ecb_dec[3][16] =
931{
932 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
933 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
934 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
935 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
936 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
937 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
938};
939
940static const unsigned char aes_test_ecb_enc[3][16] =
941{
942 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
943 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
944 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
945 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
946 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
947 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
948};
949
950static const unsigned char aes_test_cbc_dec[3][16] =
951{
952 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
953 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
954 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
955 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
956 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
957 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
958};
959
960static const unsigned char aes_test_cbc_enc[3][16] =
961{
962 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
963 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
964 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
965 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
966 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
967 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
968};
969
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]970#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]971/*
972 * AES-CFB128 test vectors from:
973 *
974 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
975 */
976static const unsigned char aes_test_cfb128_key[3][32] =
977{
978 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
979 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
980 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
981 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
982 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
983 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
984 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
985 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
986 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
987};
988
989static const unsigned char aes_test_cfb128_iv[16] =
990{
991 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
992 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
993};
994
995static const unsigned char aes_test_cfb128_pt[64] =
996{
997 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
998 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
999 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1000 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1001 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1002 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1003 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1004 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1005};
1006
1007static const unsigned char aes_test_cfb128_ct[3][64] =
1008{
1009 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1010 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1011 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1012 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1013 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1014 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1015 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1016 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1017 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1018 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1019 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1020 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1021 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1022 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1023 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1024 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1025 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1026 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1027 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1028 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1029 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1030 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1031 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1032 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1033};
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1034#endif /* POLARSSL_CIPHER_MODE_CFB */
1035
1036#if defined(POLARSSL_CIPHER_MODE_CTR)
1037/*
1038 * AES-CTR test vectors from:
1039 *
1040 * http://www.faqs.org/rfcs/rfc3686.html
1041 */
1042
1043static const unsigned char aes_test_ctr_key[3][16] =
1044{
1045 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1046 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1047 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1048 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1049 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1050 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1051};
1052
1053static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1054{
1055 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1056 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1057 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1058 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1059 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1060 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1061};
1062
1063static const unsigned char aes_test_ctr_pt[3][48] =
1064{
1065 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1066 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1067
1068 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1069 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1070 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1071 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1072
1073 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1074 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1075 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1076 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1077 0x20, 0x21, 0x22, 0x23 }
1078};
1079
1080static const unsigned char aes_test_ctr_ct[3][48] =
1081{
1082 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1083 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1084 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1085 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1086 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1087 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1088 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1089 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1090 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1091 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1092 0x25, 0xB2, 0x07, 0x2F }
1093};
1094
1095static const int aes_test_ctr_len[3] =
1096 { 16, 32, 36 };
1097#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1098
1099/*
1100 * Checkup routine
1101 */
1102int aes_self_test( int verbose )
1103{
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1104 int i, j, u, v;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1105 unsigned char key[32];
1106 unsigned char buf[64];
1107 unsigned char prv[16];
1108 unsigned char iv[16];
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1109#if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1110 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1111#endif
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1112#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1113 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1114 unsigned char nonce_counter[16];
1115 unsigned char stream_block[16];
1116#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1117 aes_context ctx;
1118
1119 memset( key, 0, 32 );
1120
1121 /*
1122 * ECB mode
1123 */
1124 for( i = 0; i < 6; i++ )
1125 {
1126 u = i >> 1;
1127 v = i & 1;
1128
1129 if( verbose != 0 )
1130 printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1131 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1132
1133 memset( buf, 0, 16 );
1134
1135 if( v == AES_DECRYPT )
1136 {
1137 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1138
1139 for( j = 0; j < 10000; j++ )
1140 aes_crypt_ecb( &ctx, v, buf, buf );
1141
1142 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1143 {
1144 if( verbose != 0 )
1145 printf( "failed\n" );
1146
1147 return( 1 );
1148 }
1149 }
1150 else
1151 {
1152 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1153
1154 for( j = 0; j < 10000; j++ )
1155 aes_crypt_ecb( &ctx, v, buf, buf );
1156
1157 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1158 {
1159 if( verbose != 0 )
1160 printf( "failed\n" );
1161
1162 return( 1 );
1163 }
1164 }
1165
1166 if( verbose != 0 )
1167 printf( "passed\n" );
1168 }
1169
1170 if( verbose != 0 )
1171 printf( "\n" );
1172
1173 /*
1174 * CBC mode
1175 */
1176 for( i = 0; i < 6; i++ )
1177 {
1178 u = i >> 1;
1179 v = i & 1;
1180
1181 if( verbose != 0 )
1182 printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1183 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1184
1185 memset( iv , 0, 16 );
1186 memset( prv, 0, 16 );
1187 memset( buf, 0, 16 );
1188
1189 if( v == AES_DECRYPT )
1190 {
1191 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1192
1193 for( j = 0; j < 10000; j++ )
1194 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1195
1196 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1197 {
1198 if( verbose != 0 )
1199 printf( "failed\n" );
1200
1201 return( 1 );
1202 }
1203 }
1204 else
1205 {
1206 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1207
1208 for( j = 0; j < 10000; j++ )
1209 {
1210 unsigned char tmp[16];
1211
1212 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1213
1214 memcpy( tmp, prv, 16 );
1215 memcpy( prv, buf, 16 );
1216 memcpy( buf, tmp, 16 );
1217 }
1218
1219 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1220 {
1221 if( verbose != 0 )
1222 printf( "failed\n" );
1223
1224 return( 1 );
1225 }
1226 }
1227
1228 if( verbose != 0 )
1229 printf( "passed\n" );
1230 }
1231
1232 if( verbose != 0 )
1233 printf( "\n" );
1234
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1235#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1236 /*
1237 * CFB128 mode
1238 */
1239 for( i = 0; i < 6; i++ )
1240 {
1241 u = i >> 1;
1242 v = i & 1;
1243
1244 if( verbose != 0 )
1245 printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1246 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1247
1248 memcpy( iv, aes_test_cfb128_iv, 16 );
1249 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1250
1251 offset = 0;
1252 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1253
1254 if( v == AES_DECRYPT )
1255 {
1256 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1257 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1258
1259 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1260 {
1261 if( verbose != 0 )
1262 printf( "failed\n" );
1263
1264 return( 1 );
1265 }
1266 }
1267 else
1268 {
1269 memcpy( buf, aes_test_cfb128_pt, 64 );
1270 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1271
1272 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1273 {
1274 if( verbose != 0 )
1275 printf( "failed\n" );
1276
1277 return( 1 );
1278 }
1279 }
1280
1281 if( verbose != 0 )
1282 printf( "passed\n" );
1283 }
1284
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1285 if( verbose != 0 )
1286 printf( "\n" );
1287#endif /* POLARSSL_CIPHER_MODE_CFB */
1288
1289#if defined(POLARSSL_CIPHER_MODE_CTR)
1290 /*
1291 * CTR mode
1292 */
1293 for( i = 0; i < 6; i++ )
1294 {
1295 u = i >> 1;
1296 v = i & 1;
1297
1298 if( verbose != 0 )
1299 printf( " AES-CTR-128 (%s): ",
1300 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1301
1302 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1303 memcpy( key, aes_test_ctr_key[u], 16 );
1304
1305 offset = 0;
1306 aes_setkey_enc( &ctx, key, 128 );
1307
1308 if( v == AES_DECRYPT )
1309 {
1310 len = aes_test_ctr_len[u];
1311 memcpy( buf, aes_test_ctr_ct[u], len );
1312
1313 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1314
1315 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1316 {
1317 if( verbose != 0 )
1318 printf( "failed\n" );
1319
1320 return( 1 );
1321 }
1322 }
1323 else
1324 {
1325 len = aes_test_ctr_len[u];
1326 memcpy( buf, aes_test_ctr_pt[u], len );
1327
1328 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1329
1330 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1331 {
1332 if( verbose != 0 )
1333 printf( "failed\n" );
1334
1335 return( 1 );
1336 }
1337 }
1338
1339 if( verbose != 0 )
1340 printf( "passed\n" );
1341 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1342
1343 if( verbose != 0 )
1344 printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1345#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1346
1347 return( 0 );
1348}
1349
1350#endif
1351
1352#endif