TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / f0ba6a479aff489c268b664ae370aa5ab301b23f / . / library / aes.c
blob: 34ed2589ce0bbdd17e280dd544eafeaac4300c76 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]4 * Copyright (C) 2006-2010, Brainspark B.V.
5 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]6 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]7 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22/*
23 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
24 *
25 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
26 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
27 */
28
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]29#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]30
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]31#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]32
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]33#include "polarssl/aes.h"
34#include "polarssl/padlock.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
36#include <string.h>
37
38/*
39 * 32-bit integer manipulation macros (little endian)
40 */
41#ifndef GET_ULONG_LE
42#define GET_ULONG_LE(n,b,i) \
43{ \
44 (n) = ( (unsigned long) (b)[(i) ] ) \
45 | ( (unsigned long) (b)[(i) + 1] << 8 ) \
46 | ( (unsigned long) (b)[(i) + 2] << 16 ) \
47 | ( (unsigned long) (b)[(i) + 3] << 24 ); \
48}
49#endif
50
51#ifndef PUT_ULONG_LE
52#define PUT_ULONG_LE(n,b,i) \
53{ \
54 (b)[(i) ] = (unsigned char) ( (n) ); \
55 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
56 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
57 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
58}
59#endif
60
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]61#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]62/*
63 * Forward S-box
64 */
65static const unsigned char FSb[256] =
66{
67 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
68 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
69 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
70 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
71 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
72 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
73 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
74 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
75 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
76 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
77 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
78 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
79 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
80 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
81 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
82 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
83 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
84 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
85 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
86 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
87 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
88 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
89 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
90 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
91 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
92 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
93 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
94 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
95 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
96 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
97 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
98 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
99};
100
101/*
102 * Forward tables
103 */
104#define FT \
105\
106 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
107 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
108 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
109 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
110 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
111 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
112 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
113 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
114 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
115 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
116 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
117 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
118 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
119 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
120 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
121 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
122 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
123 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
124 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
125 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
126 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
127 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
128 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
129 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
130 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
131 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
132 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
133 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
134 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
135 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
136 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
137 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
138 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
139 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
140 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
141 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
142 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
143 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
144 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
145 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
146 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
147 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
148 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
149 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
150 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
151 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
152 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
153 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
154 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
155 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
156 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
157 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
158 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
159 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
160 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
161 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
162 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
163 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
164 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
165 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
166 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
167 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
168 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
169 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
170
171#define V(a,b,c,d) 0x##a##b##c##d
172static const unsigned long FT0[256] = { FT };
173#undef V
174
175#define V(a,b,c,d) 0x##b##c##d##a
176static const unsigned long FT1[256] = { FT };
177#undef V
178
179#define V(a,b,c,d) 0x##c##d##a##b
180static const unsigned long FT2[256] = { FT };
181#undef V
182
183#define V(a,b,c,d) 0x##d##a##b##c
184static const unsigned long FT3[256] = { FT };
185#undef V
186
187#undef FT
188
189/*
190 * Reverse S-box
191 */
192static const unsigned char RSb[256] =
193{
194 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
195 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
196 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
197 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
198 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
199 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
200 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
201 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
202 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
203 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
204 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
205 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
206 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
207 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
208 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
209 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
210 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
211 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
212 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
213 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
214 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
215 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
216 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
217 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
218 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
219 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
220 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
221 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
222 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
223 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
224 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
225 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
226};
227
228/*
229 * Reverse tables
230 */
231#define RT \
232\
233 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
234 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
235 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
236 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
237 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
238 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
239 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
240 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
241 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
242 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
243 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
244 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
245 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
246 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
247 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
248 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
249 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
250 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
251 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
252 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
253 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
254 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
255 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
256 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
257 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
258 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
259 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
260 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
261 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
262 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
263 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
264 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
265 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
266 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
267 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
268 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
269 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
270 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
271 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
272 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
273 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
274 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
275 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
276 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
277 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
278 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
279 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
280 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
281 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
282 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
283 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
284 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
285 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
286 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
287 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
288 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
289 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
290 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
291 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
292 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
293 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
294 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
295 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
296 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
297
298#define V(a,b,c,d) 0x##a##b##c##d
299static const unsigned long RT0[256] = { RT };
300#undef V
301
302#define V(a,b,c,d) 0x##b##c##d##a
303static const unsigned long RT1[256] = { RT };
304#undef V
305
306#define V(a,b,c,d) 0x##c##d##a##b
307static const unsigned long RT2[256] = { RT };
308#undef V
309
310#define V(a,b,c,d) 0x##d##a##b##c
311static const unsigned long RT3[256] = { RT };
312#undef V
313
314#undef RT
315
316/*
317 * Round constants
318 */
319static const unsigned long RCON[10] =
320{
321 0x00000001, 0x00000002, 0x00000004, 0x00000008,
322 0x00000010, 0x00000020, 0x00000040, 0x00000080,
323 0x0000001B, 0x00000036
324};
325
326#else
327
328/*
329 * Forward S-box & tables
330 */
331static unsigned char FSb[256];
332static unsigned long FT0[256];
333static unsigned long FT1[256];
334static unsigned long FT2[256];
335static unsigned long FT3[256];
336
337/*
338 * Reverse S-box & tables
339 */
340static unsigned char RSb[256];
341static unsigned long RT0[256];
342static unsigned long RT1[256];
343static unsigned long RT2[256];
344static unsigned long RT3[256];
345
346/*
347 * Round constants
348 */
349static unsigned long RCON[10];
350
351/*
352 * Tables generation code
353 */
354#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
355#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
356#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
357
358static int aes_init_done = 0;
359
360static void aes_gen_tables( void )
361{
362 int i, x, y, z;
363 int pow[256];
364 int log[256];
365
366 /*
367 * compute pow and log tables over GF(2^8)
368 */
369 for( i = 0, x = 1; i < 256; i++ )
370 {
371 pow[i] = x;
372 log[x] = i;
373 x = ( x ^ XTIME( x ) ) & 0xFF;
374 }
375
376 /*
377 * calculate the round constants
378 */
379 for( i = 0, x = 1; i < 10; i++ )
380 {
381 RCON[i] = (unsigned long) x;
382 x = XTIME( x ) & 0xFF;
383 }
384
385 /*
386 * generate the forward and reverse S-boxes
387 */
388 FSb[0x00] = 0x63;
389 RSb[0x63] = 0x00;
390
391 for( i = 1; i < 256; i++ )
392 {
393 x = pow[255 - log[i]];
394
395 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
396 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
397 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
398 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
399 x ^= y ^ 0x63;
400
401 FSb[i] = (unsigned char) x;
402 RSb[x] = (unsigned char) i;
403 }
404
405 /*
406 * generate the forward and reverse tables
407 */
408 for( i = 0; i < 256; i++ )
409 {
410 x = FSb[i];
411 y = XTIME( x ) & 0xFF;
412 z = ( y ^ x ) & 0xFF;
413
414 FT0[i] = ( (unsigned long) y ) ^
415 ( (unsigned long) x << 8 ) ^
416 ( (unsigned long) x << 16 ) ^
417 ( (unsigned long) z << 24 );
418
419 FT1[i] = ROTL8( FT0[i] );
420 FT2[i] = ROTL8( FT1[i] );
421 FT3[i] = ROTL8( FT2[i] );
422
423 x = RSb[i];
424
425 RT0[i] = ( (unsigned long) MUL( 0x0E, x ) ) ^
426 ( (unsigned long) MUL( 0x09, x ) << 8 ) ^
427 ( (unsigned long) MUL( 0x0D, x ) << 16 ) ^
428 ( (unsigned long) MUL( 0x0B, x ) << 24 );
429
430 RT1[i] = ROTL8( RT0[i] );
431 RT2[i] = ROTL8( RT1[i] );
432 RT3[i] = ROTL8( RT2[i] );
433 }
434}
435
436#endif
437
438/*
439 * AES key schedule (encryption)
440 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]441int aes_setkey_enc( aes_context *ctx, const unsigned char *key, int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]442{
443 int i;
444 unsigned long *RK;
445
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]446#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]447 if( aes_init_done == 0 )
448 {
449 aes_gen_tables();
450 aes_init_done = 1;
451 }
452#endif
453
454 switch( keysize )
455 {
456 case 128: ctx->nr = 10; break;
457 case 192: ctx->nr = 12; break;
458 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]459 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]460 }
461
462#if defined(PADLOCK_ALIGN16)
463 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
464#else
465 ctx->rk = RK = ctx->buf;
466#endif
467
468 for( i = 0; i < (keysize >> 5); i++ )
469 {
470 GET_ULONG_LE( RK[i], key, i << 2 );
471 }
472
473 switch( ctx->nr )
474 {
475 case 10:
476
477 for( i = 0; i < 10; i++, RK += 4 )
478 {
479 RK[4] = RK[0] ^ RCON[i] ^
480 ( (unsigned long) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
481 ( (unsigned long) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
482 ( (unsigned long) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
483 ( (unsigned long) FSb[ ( RK[3] ) & 0xFF ] << 24 );
484
485 RK[5] = RK[1] ^ RK[4];
486 RK[6] = RK[2] ^ RK[5];
487 RK[7] = RK[3] ^ RK[6];
488 }
489 break;
490
491 case 12:
492
493 for( i = 0; i < 8; i++, RK += 6 )
494 {
495 RK[6] = RK[0] ^ RCON[i] ^
496 ( (unsigned long) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
497 ( (unsigned long) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
498 ( (unsigned long) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
499 ( (unsigned long) FSb[ ( RK[5] ) & 0xFF ] << 24 );
500
501 RK[7] = RK[1] ^ RK[6];
502 RK[8] = RK[2] ^ RK[7];
503 RK[9] = RK[3] ^ RK[8];
504 RK[10] = RK[4] ^ RK[9];
505 RK[11] = RK[5] ^ RK[10];
506 }
507 break;
508
509 case 14:
510
511 for( i = 0; i < 7; i++, RK += 8 )
512 {
513 RK[8] = RK[0] ^ RCON[i] ^
514 ( (unsigned long) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
515 ( (unsigned long) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
516 ( (unsigned long) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
517 ( (unsigned long) FSb[ ( RK[7] ) & 0xFF ] << 24 );
518
519 RK[9] = RK[1] ^ RK[8];
520 RK[10] = RK[2] ^ RK[9];
521 RK[11] = RK[3] ^ RK[10];
522
523 RK[12] = RK[4] ^
524 ( (unsigned long) FSb[ ( RK[11] ) & 0xFF ] ) ^
525 ( (unsigned long) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
526 ( (unsigned long) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
527 ( (unsigned long) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
528
529 RK[13] = RK[5] ^ RK[12];
530 RK[14] = RK[6] ^ RK[13];
531 RK[15] = RK[7] ^ RK[14];
532 }
533 break;
534
535 default:
536
537 break;
538 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]539
540 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]541}
542
543/*
544 * AES key schedule (decryption)
545 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]546int aes_setkey_dec( aes_context *ctx, const unsigned char *key, int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]547{
548 int i, j;
549 aes_context cty;
550 unsigned long *RK;
551 unsigned long *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]552 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]553
554 switch( keysize )
555 {
556 case 128: ctx->nr = 10; break;
557 case 192: ctx->nr = 12; break;
558 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]559 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]560 }
561
562#if defined(PADLOCK_ALIGN16)
563 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
564#else
565 ctx->rk = RK = ctx->buf;
566#endif
567
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]568 ret = aes_setkey_enc( &cty, key, keysize );
569 if( ret != 0 )
570 return( ret );
571
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]572 SK = cty.rk + cty.nr * 4;
573
574 *RK++ = *SK++;
575 *RK++ = *SK++;
576 *RK++ = *SK++;
577 *RK++ = *SK++;
578
579 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
580 {
581 for( j = 0; j < 4; j++, SK++ )
582 {
583 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
584 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
585 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
586 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
587 }
588 }
589
590 *RK++ = *SK++;
591 *RK++ = *SK++;
592 *RK++ = *SK++;
593 *RK++ = *SK++;
594
595 memset( &cty, 0, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]596
597 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]598}
599
600#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
601{ \
602 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
603 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
604 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
605 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
606 \
607 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
608 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
609 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
610 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
611 \
612 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
613 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
614 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
615 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
616 \
617 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
618 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
619 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
620 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
621}
622
623#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
624{ \
625 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
626 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
627 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
628 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
629 \
630 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
631 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
632 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
633 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
634 \
635 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
636 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
637 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
638 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
639 \
640 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
641 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
642 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
643 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
644}
645
646/*
647 * AES-ECB block encryption/decryption
648 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]649int aes_crypt_ecb( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]650 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]651 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]652 unsigned char output[16] )
653{
654 int i;
655 unsigned long *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
656
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]657#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]658 if( padlock_supports( PADLOCK_ACE ) )
659 {
660 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]661 return( 0 );
662
663 // If padlock data misaligned, we just fall back to
664 // unaccelerated mode
665 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]666 }
667#endif
668
669 RK = ctx->rk;
670
671 GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
672 GET_ULONG_LE( X1, input, 4 ); X1 ^= *RK++;
673 GET_ULONG_LE( X2, input, 8 ); X2 ^= *RK++;
674 GET_ULONG_LE( X3, input, 12 ); X3 ^= *RK++;
675
676 if( mode == AES_DECRYPT )
677 {
678 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
679 {
680 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
681 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
682 }
683
684 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
685
686 X0 = *RK++ ^ \
687 ( (unsigned long) RSb[ ( Y0 ) & 0xFF ] ) ^
688 ( (unsigned long) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
689 ( (unsigned long) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
690 ( (unsigned long) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
691
692 X1 = *RK++ ^ \
693 ( (unsigned long) RSb[ ( Y1 ) & 0xFF ] ) ^
694 ( (unsigned long) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
695 ( (unsigned long) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
696 ( (unsigned long) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
697
698 X2 = *RK++ ^ \
699 ( (unsigned long) RSb[ ( Y2 ) & 0xFF ] ) ^
700 ( (unsigned long) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
701 ( (unsigned long) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
702 ( (unsigned long) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
703
704 X3 = *RK++ ^ \
705 ( (unsigned long) RSb[ ( Y3 ) & 0xFF ] ) ^
706 ( (unsigned long) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
707 ( (unsigned long) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
708 ( (unsigned long) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
709 }
710 else /* AES_ENCRYPT */
711 {
712 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
713 {
714 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
715 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
716 }
717
718 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
719
720 X0 = *RK++ ^ \
721 ( (unsigned long) FSb[ ( Y0 ) & 0xFF ] ) ^
722 ( (unsigned long) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
723 ( (unsigned long) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
724 ( (unsigned long) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
725
726 X1 = *RK++ ^ \
727 ( (unsigned long) FSb[ ( Y1 ) & 0xFF ] ) ^
728 ( (unsigned long) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
729 ( (unsigned long) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
730 ( (unsigned long) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
731
732 X2 = *RK++ ^ \
733 ( (unsigned long) FSb[ ( Y2 ) & 0xFF ] ) ^
734 ( (unsigned long) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
735 ( (unsigned long) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
736 ( (unsigned long) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
737
738 X3 = *RK++ ^ \
739 ( (unsigned long) FSb[ ( Y3 ) & 0xFF ] ) ^
740 ( (unsigned long) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
741 ( (unsigned long) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
742 ( (unsigned long) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
743 }
744
745 PUT_ULONG_LE( X0, output, 0 );
746 PUT_ULONG_LE( X1, output, 4 );
747 PUT_ULONG_LE( X2, output, 8 );
748 PUT_ULONG_LE( X3, output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]749
750 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]751}
752
753/*
754 * AES-CBC buffer encryption/decryption
755 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]756int aes_crypt_cbc( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]757 int mode,
758 int length,
759 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]760 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]761 unsigned char *output )
762{
763 int i;
764 unsigned char temp[16];
765
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]766 if( length % 16 )
767 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
768
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]769#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]770 if( padlock_supports( PADLOCK_ACE ) )
771 {
772 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]773 return( 0 );
774
775 // If padlock data misaligned, we just fall back to
776 // unaccelerated mode
777 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]778 }
779#endif
780
781 if( mode == AES_DECRYPT )
782 {
783 while( length > 0 )
784 {
785 memcpy( temp, input, 16 );
786 aes_crypt_ecb( ctx, mode, input, output );
787
788 for( i = 0; i < 16; i++ )
789 output[i] = (unsigned char)( output[i] ^ iv[i] );
790
791 memcpy( iv, temp, 16 );
792
793 input += 16;
794 output += 16;
795 length -= 16;
796 }
797 }
798 else
799 {
800 while( length > 0 )
801 {
802 for( i = 0; i < 16; i++ )
803 output[i] = (unsigned char)( input[i] ^ iv[i] );
804
805 aes_crypt_ecb( ctx, mode, output, output );
806 memcpy( iv, output, 16 );
807
808 input += 16;
809 output += 16;
810 length -= 16;
811 }
812 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]813
814 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]815}
816
817/*
818 * AES-CFB128 buffer encryption/decryption
819 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]820int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]821 int mode,
822 int length,
823 int *iv_off,
824 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]825 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]826 unsigned char *output )
827{
828 int c, n = *iv_off;
829
830 if( mode == AES_DECRYPT )
831 {
832 while( length-- )
833 {
834 if( n == 0 )
835 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
836
837 c = *input++;
838 *output++ = (unsigned char)( c ^ iv[n] );
839 iv[n] = (unsigned char) c;
840
841 n = (n + 1) & 0x0F;
842 }
843 }
844 else
845 {
846 while( length-- )
847 {
848 if( n == 0 )
849 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
850
851 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
852
853 n = (n + 1) & 0x0F;
854 }
855 }
856
857 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]858
859 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]860}
861
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]862#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]863
864#include <stdio.h>
865
866/*
867 * AES test vectors from:
868 *
869 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
870 */
871static const unsigned char aes_test_ecb_dec[3][16] =
872{
873 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
874 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
875 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
876 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
877 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
878 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
879};
880
881static const unsigned char aes_test_ecb_enc[3][16] =
882{
883 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
884 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
885 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
886 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
887 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
888 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
889};
890
891static const unsigned char aes_test_cbc_dec[3][16] =
892{
893 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
894 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
895 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
896 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
897 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
898 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
899};
900
901static const unsigned char aes_test_cbc_enc[3][16] =
902{
903 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
904 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
905 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
906 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
907 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
908 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
909};
910
911/*
912 * AES-CFB128 test vectors from:
913 *
914 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
915 */
916static const unsigned char aes_test_cfb128_key[3][32] =
917{
918 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
919 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
920 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
921 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
922 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
923 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
924 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
925 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
926 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
927};
928
929static const unsigned char aes_test_cfb128_iv[16] =
930{
931 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
932 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
933};
934
935static const unsigned char aes_test_cfb128_pt[64] =
936{
937 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
938 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
939 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
940 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
941 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
942 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
943 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
944 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
945};
946
947static const unsigned char aes_test_cfb128_ct[3][64] =
948{
949 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
950 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
951 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
952 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
953 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
954 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
955 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
956 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
957 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
958 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
959 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
960 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
961 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
962 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
963 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
964 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
965 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
966 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
967 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
968 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
969 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
970 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
971 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
972 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
973};
974
975/*
976 * Checkup routine
977 */
978int aes_self_test( int verbose )
979{
980 int i, j, u, v, offset;
981 unsigned char key[32];
982 unsigned char buf[64];
983 unsigned char prv[16];
984 unsigned char iv[16];
985 aes_context ctx;
986
987 memset( key, 0, 32 );
988
989 /*
990 * ECB mode
991 */
992 for( i = 0; i < 6; i++ )
993 {
994 u = i >> 1;
995 v = i & 1;
996
997 if( verbose != 0 )
998 printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
999 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1000
1001 memset( buf, 0, 16 );
1002
1003 if( v == AES_DECRYPT )
1004 {
1005 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1006
1007 for( j = 0; j < 10000; j++ )
1008 aes_crypt_ecb( &ctx, v, buf, buf );
1009
1010 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1011 {
1012 if( verbose != 0 )
1013 printf( "failed\n" );
1014
1015 return( 1 );
1016 }
1017 }
1018 else
1019 {
1020 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1021
1022 for( j = 0; j < 10000; j++ )
1023 aes_crypt_ecb( &ctx, v, buf, buf );
1024
1025 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1026 {
1027 if( verbose != 0 )
1028 printf( "failed\n" );
1029
1030 return( 1 );
1031 }
1032 }
1033
1034 if( verbose != 0 )
1035 printf( "passed\n" );
1036 }
1037
1038 if( verbose != 0 )
1039 printf( "\n" );
1040
1041 /*
1042 * CBC mode
1043 */
1044 for( i = 0; i < 6; i++ )
1045 {
1046 u = i >> 1;
1047 v = i & 1;
1048
1049 if( verbose != 0 )
1050 printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1051 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1052
1053 memset( iv , 0, 16 );
1054 memset( prv, 0, 16 );
1055 memset( buf, 0, 16 );
1056
1057 if( v == AES_DECRYPT )
1058 {
1059 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1060
1061 for( j = 0; j < 10000; j++ )
1062 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1063
1064 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1065 {
1066 if( verbose != 0 )
1067 printf( "failed\n" );
1068
1069 return( 1 );
1070 }
1071 }
1072 else
1073 {
1074 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1075
1076 for( j = 0; j < 10000; j++ )
1077 {
1078 unsigned char tmp[16];
1079
1080 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1081
1082 memcpy( tmp, prv, 16 );
1083 memcpy( prv, buf, 16 );
1084 memcpy( buf, tmp, 16 );
1085 }
1086
1087 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1088 {
1089 if( verbose != 0 )
1090 printf( "failed\n" );
1091
1092 return( 1 );
1093 }
1094 }
1095
1096 if( verbose != 0 )
1097 printf( "passed\n" );
1098 }
1099
1100 if( verbose != 0 )
1101 printf( "\n" );
1102
1103 /*
1104 * CFB128 mode
1105 */
1106 for( i = 0; i < 6; i++ )
1107 {
1108 u = i >> 1;
1109 v = i & 1;
1110
1111 if( verbose != 0 )
1112 printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1113 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1114
1115 memcpy( iv, aes_test_cfb128_iv, 16 );
1116 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1117
1118 offset = 0;
1119 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1120
1121 if( v == AES_DECRYPT )
1122 {
1123 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1124 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1125
1126 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1127 {
1128 if( verbose != 0 )
1129 printf( "failed\n" );
1130
1131 return( 1 );
1132 }
1133 }
1134 else
1135 {
1136 memcpy( buf, aes_test_cfb128_pt, 64 );
1137 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1138
1139 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1140 {
1141 if( verbose != 0 )
1142 printf( "failed\n" );
1143
1144 return( 1 );
1145 }
1146 }
1147
1148 if( verbose != 0 )
1149 printf( "passed\n" );
1150 }
1151
1152
1153 if( verbose != 0 )
1154 printf( "\n" );
1155
1156 return( 0 );
1157}
1158
1159#endif
1160
1161#endif