TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / refs/heads/archive/polarssl-1.2 / . / library / aes.c
blob: 24e576a7d1e7c7a19d8ca82a8f7abf9608693acd [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakker530927b2015-02-13 14:24:10 +0100[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
Manuel Pégourié-Gonnarde12abf92015-01-28 17:13:45 +0000[diff] [blame]6 * This file is part of mbed TLS (https://polarssl.org)
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]7 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22/*
23 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
24 *
25 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
26 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
27 */
28
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]29#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]30
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]31#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]32
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]33#include "polarssl/aes.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]34#if defined(POLARSSL_PADLOCK_C)
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]35#include "polarssl/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]36#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]37
Paul Bakker4087c472013-06-12 16:49:10 +0200[diff] [blame]38#if !defined(POLARSSL_AES_ALT)
39
Paul Bakker312da332014-06-13 17:20:13 +0200[diff] [blame]40/* Implementation that should never be optimized out by the compiler */
41static void polarssl_zeroize( void *v, size_t n ) {
42 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
43}
44
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]45/*
46 * 32-bit integer manipulation macros (little endian)
47 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]48#ifndef GET_UINT32_LE
49#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]50{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]51 (n) = ( (uint32_t) (b)[(i) ] ) \
52 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
53 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
54 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]55}
56#endif
57
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]58#ifndef PUT_UINT32_LE
59#define PUT_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]60{ \
61 (b)[(i) ] = (unsigned char) ( (n) ); \
62 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
63 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
64 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
65}
66#endif
67
Paul Bakker0e19e9f2012-10-01 11:02:48 +0000[diff] [blame]68#if defined(POLARSSL_PADLOCK_C) && \
69 ( defined(POLARSSL_HAVE_X86) || defined(PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]70static int aes_padlock_ace = -1;
71#endif
72
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]73#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]74/*
75 * Forward S-box
76 */
77static const unsigned char FSb[256] =
78{
79 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
80 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
81 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
82 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
83 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
84 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
85 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
86 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
87 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
88 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
89 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
90 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
91 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
92 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
93 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
94 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
95 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
96 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
97 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
98 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
99 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
100 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
101 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
102 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
103 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
104 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
105 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
106 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
107 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
108 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
109 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
110 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
111};
112
113/*
114 * Forward tables
115 */
116#define FT \
117\
118 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
119 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
120 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
121 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
122 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
123 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
124 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
125 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
126 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
127 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
128 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
129 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
130 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
131 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
132 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
133 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
134 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
135 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
136 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
137 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
138 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
139 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
140 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
141 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
142 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
143 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
144 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
145 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
146 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
147 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
148 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
149 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
150 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
151 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
152 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
153 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
154 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
155 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
156 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
157 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
158 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
159 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
160 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
161 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
162 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
163 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
164 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
165 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
166 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
167 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
168 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
169 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
170 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
171 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
172 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
173 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
174 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
175 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
176 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
177 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
178 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
179 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
180 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
181 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
182
183#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]184static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]185#undef V
186
187#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]188static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]189#undef V
190
191#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]192static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]193#undef V
194
195#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]196static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]197#undef V
198
199#undef FT
200
201/*
202 * Reverse S-box
203 */
204static const unsigned char RSb[256] =
205{
206 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
207 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
208 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
209 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
210 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
211 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
212 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
213 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
214 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
215 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
216 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
217 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
218 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
219 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
220 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
221 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
222 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
223 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
224 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
225 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
226 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
227 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
228 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
229 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
230 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
231 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
232 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
233 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
234 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
235 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
236 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
237 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
238};
239
240/*
241 * Reverse tables
242 */
243#define RT \
244\
245 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
246 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
247 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
248 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
249 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
250 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
251 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
252 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
253 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
254 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
255 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
256 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
257 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
258 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
259 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
260 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
261 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
262 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
263 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
264 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
265 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
266 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
267 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
268 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
269 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
270 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
271 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
272 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
273 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
274 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
275 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
276 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
277 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
278 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
279 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
280 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
281 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
282 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
283 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
284 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
285 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
286 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
287 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
288 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
289 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
290 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
291 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
292 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
293 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
294 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
295 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
296 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
297 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
298 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
299 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
300 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
301 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
302 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
303 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
304 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
305 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
306 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
307 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
308 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
309
310#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]311static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]312#undef V
313
314#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]315static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]316#undef V
317
318#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]319static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]320#undef V
321
322#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]323static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]324#undef V
325
326#undef RT
327
328/*
329 * Round constants
330 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]331static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]332{
333 0x00000001, 0x00000002, 0x00000004, 0x00000008,
334 0x00000010, 0x00000020, 0x00000040, 0x00000080,
335 0x0000001B, 0x00000036
336};
337
338#else
339
340/*
341 * Forward S-box & tables
342 */
343static unsigned char FSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]344static uint32_t FT0[256];
345static uint32_t FT1[256];
346static uint32_t FT2[256];
347static uint32_t FT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]348
349/*
350 * Reverse S-box & tables
351 */
352static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]353static uint32_t RT0[256];
354static uint32_t RT1[256];
355static uint32_t RT2[256];
356static uint32_t RT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]357
358/*
359 * Round constants
360 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]361static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]362
363/*
364 * Tables generation code
365 */
366#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
367#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
368#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
369
370static int aes_init_done = 0;
371
372static void aes_gen_tables( void )
373{
374 int i, x, y, z;
375 int pow[256];
376 int log[256];
377
378 /*
379 * compute pow and log tables over GF(2^8)
380 */
381 for( i = 0, x = 1; i < 256; i++ )
382 {
383 pow[i] = x;
384 log[x] = i;
385 x = ( x ^ XTIME( x ) ) & 0xFF;
386 }
387
388 /*
389 * calculate the round constants
390 */
391 for( i = 0, x = 1; i < 10; i++ )
392 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]393 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]394 x = XTIME( x ) & 0xFF;
395 }
396
397 /*
398 * generate the forward and reverse S-boxes
399 */
400 FSb[0x00] = 0x63;
401 RSb[0x63] = 0x00;
402
403 for( i = 1; i < 256; i++ )
404 {
405 x = pow[255 - log[i]];
406
407 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
408 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
409 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
410 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
411 x ^= y ^ 0x63;
412
413 FSb[i] = (unsigned char) x;
414 RSb[x] = (unsigned char) i;
415 }
416
417 /*
418 * generate the forward and reverse tables
419 */
420 for( i = 0; i < 256; i++ )
421 {
422 x = FSb[i];
423 y = XTIME( x ) & 0xFF;
424 z = ( y ^ x ) & 0xFF;
425
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]426 FT0[i] = ( (uint32_t) y ) ^
427 ( (uint32_t) x << 8 ) ^
428 ( (uint32_t) x << 16 ) ^
429 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]430
431 FT1[i] = ROTL8( FT0[i] );
432 FT2[i] = ROTL8( FT1[i] );
433 FT3[i] = ROTL8( FT2[i] );
434
435 x = RSb[i];
436
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]437 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
438 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
439 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
440 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]441
442 RT1[i] = ROTL8( RT0[i] );
443 RT2[i] = ROTL8( RT1[i] );
444 RT3[i] = ROTL8( RT2[i] );
445 }
446}
447
448#endif
449
450/*
451 * AES key schedule (encryption)
452 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]453int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]454{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]455 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]456 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]457
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]458#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]459 if( aes_init_done == 0 )
460 {
461 aes_gen_tables();
462 aes_init_done = 1;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]463
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]464 }
465#endif
466
467 switch( keysize )
468 {
469 case 128: ctx->nr = 10; break;
470 case 192: ctx->nr = 12; break;
471 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]472 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]473 }
474
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]475#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
476 if( aes_padlock_ace == -1 )
477 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
478
479 if( aes_padlock_ace )
480 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
481 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]482#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]483 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]484
485 for( i = 0; i < (keysize >> 5); i++ )
486 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]487 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]488 }
489
490 switch( ctx->nr )
491 {
492 case 10:
493
494 for( i = 0; i < 10; i++, RK += 4 )
495 {
496 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]497 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
498 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
499 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
500 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]501
502 RK[5] = RK[1] ^ RK[4];
503 RK[6] = RK[2] ^ RK[5];
504 RK[7] = RK[3] ^ RK[6];
505 }
506 break;
507
508 case 12:
509
510 for( i = 0; i < 8; i++, RK += 6 )
511 {
512 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]513 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
514 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
515 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
516 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]517
518 RK[7] = RK[1] ^ RK[6];
519 RK[8] = RK[2] ^ RK[7];
520 RK[9] = RK[3] ^ RK[8];
521 RK[10] = RK[4] ^ RK[9];
522 RK[11] = RK[5] ^ RK[10];
523 }
524 break;
525
526 case 14:
527
528 for( i = 0; i < 7; i++, RK += 8 )
529 {
530 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]531 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
532 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
533 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
534 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]535
536 RK[9] = RK[1] ^ RK[8];
537 RK[10] = RK[2] ^ RK[9];
538 RK[11] = RK[3] ^ RK[10];
539
540 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]541 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
542 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
543 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
544 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]545
546 RK[13] = RK[5] ^ RK[12];
547 RK[14] = RK[6] ^ RK[13];
548 RK[15] = RK[7] ^ RK[14];
549 }
550 break;
551
552 default:
553
554 break;
555 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]556
557 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]558}
559
560/*
561 * AES key schedule (decryption)
562 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]563int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]564{
565 int i, j;
566 aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]567 uint32_t *RK;
568 uint32_t *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]569 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]570
571 switch( keysize )
572 {
573 case 128: ctx->nr = 10; break;
574 case 192: ctx->nr = 12; break;
575 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]576 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]577 }
578
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]579#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
580 if( aes_padlock_ace == -1 )
581 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
582
583 if( aes_padlock_ace )
584 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
585 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]586#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]587 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]588
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]589 ret = aes_setkey_enc( &cty, key, keysize );
590 if( ret != 0 )
591 return( ret );
592
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]593 SK = cty.rk + cty.nr * 4;
594
595 *RK++ = *SK++;
596 *RK++ = *SK++;
597 *RK++ = *SK++;
598 *RK++ = *SK++;
599
600 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
601 {
602 for( j = 0; j < 4; j++, SK++ )
603 {
604 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
605 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
606 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
607 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
608 }
609 }
610
611 *RK++ = *SK++;
612 *RK++ = *SK++;
613 *RK++ = *SK++;
614 *RK++ = *SK++;
615
Paul Bakker312da332014-06-13 17:20:13 +0200[diff] [blame]616 polarssl_zeroize( &cty, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]617
618 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]619}
620
621#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
622{ \
623 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
624 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
625 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
626 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
627 \
628 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
629 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
630 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
631 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
632 \
633 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
634 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
635 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
636 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
637 \
638 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
639 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
640 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
641 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
642}
643
644#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
645{ \
646 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
647 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
648 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
649 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
650 \
651 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
652 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
653 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
654 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
655 \
656 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
657 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
658 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
659 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
660 \
661 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
662 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
663 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
664 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
665}
666
667/*
668 * AES-ECB block encryption/decryption
669 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]670int aes_crypt_ecb( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]671 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]672 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]673 unsigned char output[16] )
674{
675 int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]676 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]677
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]678#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]679 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]680 {
681 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]682 return( 0 );
683
684 // If padlock data misaligned, we just fall back to
685 // unaccelerated mode
686 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]687 }
688#endif
689
690 RK = ctx->rk;
691
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]692 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
693 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
694 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
695 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]696
697 if( mode == AES_DECRYPT )
698 {
699 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
700 {
701 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
702 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
703 }
704
705 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
706
707 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]708 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
709 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
710 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
711 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]712
713 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]714 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
715 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
716 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
717 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]718
719 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]720 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
721 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
722 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
723 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]724
725 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]726 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
727 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
728 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
729 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]730 }
731 else /* AES_ENCRYPT */
732 {
733 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
734 {
735 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
736 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
737 }
738
739 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
740
741 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]742 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
743 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
744 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
745 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]746
747 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]748 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
749 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
750 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
751 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]752
753 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]754 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
755 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
756 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
757 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]758
759 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]760 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
761 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
762 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
763 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]764 }
765
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]766 PUT_UINT32_LE( X0, output, 0 );
767 PUT_UINT32_LE( X1, output, 4 );
768 PUT_UINT32_LE( X2, output, 8 );
769 PUT_UINT32_LE( X3, output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]770
771 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]772}
773
774/*
775 * AES-CBC buffer encryption/decryption
776 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]777int aes_crypt_cbc( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]778 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]779 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]780 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]781 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]782 unsigned char *output )
783{
784 int i;
785 unsigned char temp[16];
786
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]787 if( length % 16 )
788 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
789
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]790#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]791 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]792 {
793 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]794 return( 0 );
795
796 // If padlock data misaligned, we just fall back to
797 // unaccelerated mode
798 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]799 }
800#endif
801
802 if( mode == AES_DECRYPT )
803 {
804 while( length > 0 )
805 {
806 memcpy( temp, input, 16 );
807 aes_crypt_ecb( ctx, mode, input, output );
808
809 for( i = 0; i < 16; i++ )
810 output[i] = (unsigned char)( output[i] ^ iv[i] );
811
812 memcpy( iv, temp, 16 );
813
814 input += 16;
815 output += 16;
816 length -= 16;
817 }
818 }
819 else
820 {
821 while( length > 0 )
822 {
823 for( i = 0; i < 16; i++ )
824 output[i] = (unsigned char)( input[i] ^ iv[i] );
825
826 aes_crypt_ecb( ctx, mode, output, output );
827 memcpy( iv, output, 16 );
828
829 input += 16;
830 output += 16;
831 length -= 16;
832 }
833 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]834
835 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]836}
837
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]838#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]839/*
840 * AES-CFB128 buffer encryption/decryption
841 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]842int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]843 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]844 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]845 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]846 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]847 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]848 unsigned char *output )
849{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]850 int c;
851 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]852
853 if( mode == AES_DECRYPT )
854 {
855 while( length-- )
856 {
857 if( n == 0 )
858 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
859
860 c = *input++;
861 *output++ = (unsigned char)( c ^ iv[n] );
862 iv[n] = (unsigned char) c;
863
864 n = (n + 1) & 0x0F;
865 }
866 }
867 else
868 {
869 while( length-- )
870 {
871 if( n == 0 )
872 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
873
874 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
875
876 n = (n + 1) & 0x0F;
877 }
878 }
879
880 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]881
882 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]883}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]884#endif /*POLARSSL_CIPHER_MODE_CFB */
885
886#if defined(POLARSSL_CIPHER_MODE_CTR)
887/*
888 * AES-CTR buffer encryption/decryption
889 */
890int aes_crypt_ctr( aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]891 size_t length,
892 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]893 unsigned char nonce_counter[16],
894 unsigned char stream_block[16],
895 const unsigned char *input,
896 unsigned char *output )
897{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]898 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]899 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]900
901 while( length-- )
902 {
903 if( n == 0 ) {
904 aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
905
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]906 for( i = 16; i > 0; i-- )
907 if( ++nonce_counter[i - 1] != 0 )
908 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]909 }
910 c = *input++;
911 *output++ = (unsigned char)( c ^ stream_block[n] );
912
913 n = (n + 1) & 0x0F;
914 }
915
916 *nc_off = n;
917
918 return( 0 );
919}
920#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker4087c472013-06-12 16:49:10 +0200[diff] [blame]921#endif /* !POLARSSL_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]922
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]923#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]924
925#include <stdio.h>
926
927/*
928 * AES test vectors from:
929 *
930 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
931 */
932static const unsigned char aes_test_ecb_dec[3][16] =
933{
934 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
935 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
936 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
937 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
938 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
939 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
940};
941
942static const unsigned char aes_test_ecb_enc[3][16] =
943{
944 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
945 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
946 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
947 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
948 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
949 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
950};
951
952static const unsigned char aes_test_cbc_dec[3][16] =
953{
954 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
955 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
956 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
957 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
958 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
959 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
960};
961
962static const unsigned char aes_test_cbc_enc[3][16] =
963{
964 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
965 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
966 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
967 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
968 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
969 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
970};
971
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]972#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]973/*
974 * AES-CFB128 test vectors from:
975 *
976 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
977 */
978static const unsigned char aes_test_cfb128_key[3][32] =
979{
980 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
981 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
982 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
983 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
984 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
985 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
986 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
987 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
988 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
989};
990
991static const unsigned char aes_test_cfb128_iv[16] =
992{
993 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
994 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
995};
996
997static const unsigned char aes_test_cfb128_pt[64] =
998{
999 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1000 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1001 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1002 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1003 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1004 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1005 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1006 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1007};
1008
1009static const unsigned char aes_test_cfb128_ct[3][64] =
1010{
1011 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1012 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1013 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1014 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1015 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1016 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1017 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1018 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1019 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1020 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1021 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1022 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1023 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1024 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1025 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1026 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1027 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1028 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1029 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1030 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1031 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1032 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1033 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1034 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1035};
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1036#endif /* POLARSSL_CIPHER_MODE_CFB */
1037
1038#if defined(POLARSSL_CIPHER_MODE_CTR)
1039/*
1040 * AES-CTR test vectors from:
1041 *
1042 * http://www.faqs.org/rfcs/rfc3686.html
1043 */
1044
1045static const unsigned char aes_test_ctr_key[3][16] =
1046{
1047 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1048 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1049 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1050 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1051 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1052 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1053};
1054
1055static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1056{
1057 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1058 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1059 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1060 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1061 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1062 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1063};
1064
1065static const unsigned char aes_test_ctr_pt[3][48] =
1066{
1067 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1068 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1069
1070 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1071 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1072 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1073 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1074
1075 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1076 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1077 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1078 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1079 0x20, 0x21, 0x22, 0x23 }
1080};
1081
1082static const unsigned char aes_test_ctr_ct[3][48] =
1083{
1084 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1085 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1086 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1087 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1088 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1089 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1090 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1091 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1092 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1093 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1094 0x25, 0xB2, 0x07, 0x2F }
1095};
1096
1097static const int aes_test_ctr_len[3] =
1098 { 16, 32, 36 };
1099#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1100
1101/*
1102 * Checkup routine
1103 */
1104int aes_self_test( int verbose )
1105{
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1106 int i, j, u, v;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1107 unsigned char key[32];
1108 unsigned char buf[64];
1109 unsigned char prv[16];
1110 unsigned char iv[16];
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1111#if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1112 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1113#endif
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1114#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1115 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1116 unsigned char nonce_counter[16];
1117 unsigned char stream_block[16];
1118#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1119 aes_context ctx;
1120
1121 memset( key, 0, 32 );
1122
1123 /*
1124 * ECB mode
1125 */
1126 for( i = 0; i < 6; i++ )
1127 {
1128 u = i >> 1;
1129 v = i & 1;
1130
1131 if( verbose != 0 )
1132 printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1133 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1134
1135 memset( buf, 0, 16 );
1136
1137 if( v == AES_DECRYPT )
1138 {
1139 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1140
1141 for( j = 0; j < 10000; j++ )
1142 aes_crypt_ecb( &ctx, v, buf, buf );
1143
1144 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1145 {
1146 if( verbose != 0 )
1147 printf( "failed\n" );
1148
1149 return( 1 );
1150 }
1151 }
1152 else
1153 {
1154 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1155
1156 for( j = 0; j < 10000; j++ )
1157 aes_crypt_ecb( &ctx, v, buf, buf );
1158
1159 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1160 {
1161 if( verbose != 0 )
1162 printf( "failed\n" );
1163
1164 return( 1 );
1165 }
1166 }
1167
1168 if( verbose != 0 )
1169 printf( "passed\n" );
1170 }
1171
1172 if( verbose != 0 )
1173 printf( "\n" );
1174
1175 /*
1176 * CBC mode
1177 */
1178 for( i = 0; i < 6; i++ )
1179 {
1180 u = i >> 1;
1181 v = i & 1;
1182
1183 if( verbose != 0 )
1184 printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1185 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1186
1187 memset( iv , 0, 16 );
1188 memset( prv, 0, 16 );
1189 memset( buf, 0, 16 );
1190
1191 if( v == AES_DECRYPT )
1192 {
1193 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1194
1195 for( j = 0; j < 10000; j++ )
1196 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1197
1198 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1199 {
1200 if( verbose != 0 )
1201 printf( "failed\n" );
1202
1203 return( 1 );
1204 }
1205 }
1206 else
1207 {
1208 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1209
1210 for( j = 0; j < 10000; j++ )
1211 {
1212 unsigned char tmp[16];
1213
1214 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1215
1216 memcpy( tmp, prv, 16 );
1217 memcpy( prv, buf, 16 );
1218 memcpy( buf, tmp, 16 );
1219 }
1220
1221 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1222 {
1223 if( verbose != 0 )
1224 printf( "failed\n" );
1225
1226 return( 1 );
1227 }
1228 }
1229
1230 if( verbose != 0 )
1231 printf( "passed\n" );
1232 }
1233
1234 if( verbose != 0 )
1235 printf( "\n" );
1236
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1237#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1238 /*
1239 * CFB128 mode
1240 */
1241 for( i = 0; i < 6; i++ )
1242 {
1243 u = i >> 1;
1244 v = i & 1;
1245
1246 if( verbose != 0 )
1247 printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1248 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1249
1250 memcpy( iv, aes_test_cfb128_iv, 16 );
1251 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1252
1253 offset = 0;
1254 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1255
1256 if( v == AES_DECRYPT )
1257 {
1258 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1259 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1260
1261 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1262 {
1263 if( verbose != 0 )
1264 printf( "failed\n" );
1265
1266 return( 1 );
1267 }
1268 }
1269 else
1270 {
1271 memcpy( buf, aes_test_cfb128_pt, 64 );
1272 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1273
1274 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1275 {
1276 if( verbose != 0 )
1277 printf( "failed\n" );
1278
1279 return( 1 );
1280 }
1281 }
1282
1283 if( verbose != 0 )
1284 printf( "passed\n" );
1285 }
1286
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1287 if( verbose != 0 )
1288 printf( "\n" );
1289#endif /* POLARSSL_CIPHER_MODE_CFB */
1290
1291#if defined(POLARSSL_CIPHER_MODE_CTR)
1292 /*
1293 * CTR mode
1294 */
1295 for( i = 0; i < 6; i++ )
1296 {
1297 u = i >> 1;
1298 v = i & 1;
1299
1300 if( verbose != 0 )
1301 printf( " AES-CTR-128 (%s): ",
1302 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1303
1304 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1305 memcpy( key, aes_test_ctr_key[u], 16 );
1306
1307 offset = 0;
1308 aes_setkey_enc( &ctx, key, 128 );
1309
1310 if( v == AES_DECRYPT )
1311 {
1312 len = aes_test_ctr_len[u];
1313 memcpy( buf, aes_test_ctr_ct[u], len );
1314
1315 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1316
1317 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1318 {
1319 if( verbose != 0 )
1320 printf( "failed\n" );
1321
1322 return( 1 );
1323 }
1324 }
1325 else
1326 {
1327 len = aes_test_ctr_len[u];
1328 memcpy( buf, aes_test_ctr_pt[u], len );
1329
1330 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1331
1332 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1333 {
1334 if( verbose != 0 )
1335 printf( "failed\n" );
1336
1337 return( 1 );
1338 }
1339 }
1340
1341 if( verbose != 0 )
1342 printf( "passed\n" );
1343 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1344
1345 if( verbose != 0 )
1346 printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1347#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1348
1349 return( 0 );
1350}
1351
1352#endif
1353
1354#endif