TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / 369e14bbf168ddb0d97e1ee9ddf40ed3a095d10d / . / library / aes.c
blob: 2f52202800a6b0fea6843d49c1b4b21202047b7a [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]4 * Copyright (C) 2006-2010, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27 *
28 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30 */
31
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]32#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#include "polarssl/aes.h"
37#include "polarssl/padlock.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]38
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]39/*
40 * 32-bit integer manipulation macros (little endian)
41 */
42#ifndef GET_ULONG_LE
43#define GET_ULONG_LE(n,b,i) \
44{ \
45 (n) = ( (unsigned long) (b)[(i) ] ) \
46 | ( (unsigned long) (b)[(i) + 1] << 8 ) \
47 | ( (unsigned long) (b)[(i) + 2] << 16 ) \
48 | ( (unsigned long) (b)[(i) + 3] << 24 ); \
49}
50#endif
51
52#ifndef PUT_ULONG_LE
53#define PUT_ULONG_LE(n,b,i) \
54{ \
55 (b)[(i) ] = (unsigned char) ( (n) ); \
56 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
57 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
58 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
59}
60#endif
61
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]62#if defined(POLARSSL_PADLOCK_C)
63static int aes_padlock_ace = -1;
64#endif
65
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]66#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]67/*
68 * Forward S-box
69 */
70static const unsigned char FSb[256] =
71{
72 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
73 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
74 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
75 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
76 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
77 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
78 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
79 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
80 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
81 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
82 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
83 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
84 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
85 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
86 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
87 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
88 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
89 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
90 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
91 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
92 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
93 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
94 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
95 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
96 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
97 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
98 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
99 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
100 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
101 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
102 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
103 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
104};
105
106/*
107 * Forward tables
108 */
109#define FT \
110\
111 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
112 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
113 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
114 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
115 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
116 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
117 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
118 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
119 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
120 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
121 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
122 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
123 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
124 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
125 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
126 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
127 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
128 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
129 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
130 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
131 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
132 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
133 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
134 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
135 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
136 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
137 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
138 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
139 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
140 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
141 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
142 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
143 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
144 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
145 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
146 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
147 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
148 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
149 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
150 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
151 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
152 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
153 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
154 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
155 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
156 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
157 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
158 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
159 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
160 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
161 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
162 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
163 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
164 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
165 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
166 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
167 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
168 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
169 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
170 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
171 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
172 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
173 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
174 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
175
176#define V(a,b,c,d) 0x##a##b##c##d
177static const unsigned long FT0[256] = { FT };
178#undef V
179
180#define V(a,b,c,d) 0x##b##c##d##a
181static const unsigned long FT1[256] = { FT };
182#undef V
183
184#define V(a,b,c,d) 0x##c##d##a##b
185static const unsigned long FT2[256] = { FT };
186#undef V
187
188#define V(a,b,c,d) 0x##d##a##b##c
189static const unsigned long FT3[256] = { FT };
190#undef V
191
192#undef FT
193
194/*
195 * Reverse S-box
196 */
197static const unsigned char RSb[256] =
198{
199 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
200 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
201 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
202 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
203 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
204 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
205 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
206 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
207 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
208 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
209 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
210 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
211 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
212 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
213 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
214 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
215 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
216 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
217 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
218 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
219 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
220 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
221 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
222 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
223 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
224 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
225 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
226 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
227 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
228 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
229 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
230 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
231};
232
233/*
234 * Reverse tables
235 */
236#define RT \
237\
238 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
239 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
240 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
241 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
242 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
243 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
244 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
245 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
246 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
247 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
248 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
249 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
250 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
251 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
252 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
253 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
254 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
255 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
256 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
257 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
258 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
259 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
260 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
261 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
262 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
263 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
264 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
265 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
266 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
267 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
268 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
269 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
270 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
271 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
272 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
273 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
274 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
275 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
276 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
277 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
278 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
279 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
280 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
281 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
282 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
283 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
284 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
285 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
286 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
287 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
288 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
289 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
290 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
291 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
292 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
293 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
294 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
295 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
296 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
297 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
298 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
299 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
300 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
301 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
302
303#define V(a,b,c,d) 0x##a##b##c##d
304static const unsigned long RT0[256] = { RT };
305#undef V
306
307#define V(a,b,c,d) 0x##b##c##d##a
308static const unsigned long RT1[256] = { RT };
309#undef V
310
311#define V(a,b,c,d) 0x##c##d##a##b
312static const unsigned long RT2[256] = { RT };
313#undef V
314
315#define V(a,b,c,d) 0x##d##a##b##c
316static const unsigned long RT3[256] = { RT };
317#undef V
318
319#undef RT
320
321/*
322 * Round constants
323 */
324static const unsigned long RCON[10] =
325{
326 0x00000001, 0x00000002, 0x00000004, 0x00000008,
327 0x00000010, 0x00000020, 0x00000040, 0x00000080,
328 0x0000001B, 0x00000036
329};
330
331#else
332
333/*
334 * Forward S-box & tables
335 */
336static unsigned char FSb[256];
337static unsigned long FT0[256];
338static unsigned long FT1[256];
339static unsigned long FT2[256];
340static unsigned long FT3[256];
341
342/*
343 * Reverse S-box & tables
344 */
345static unsigned char RSb[256];
346static unsigned long RT0[256];
347static unsigned long RT1[256];
348static unsigned long RT2[256];
349static unsigned long RT3[256];
350
351/*
352 * Round constants
353 */
354static unsigned long RCON[10];
355
356/*
357 * Tables generation code
358 */
359#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
360#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
361#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
362
363static int aes_init_done = 0;
364
365static void aes_gen_tables( void )
366{
367 int i, x, y, z;
368 int pow[256];
369 int log[256];
370
371 /*
372 * compute pow and log tables over GF(2^8)
373 */
374 for( i = 0, x = 1; i < 256; i++ )
375 {
376 pow[i] = x;
377 log[x] = i;
378 x = ( x ^ XTIME( x ) ) & 0xFF;
379 }
380
381 /*
382 * calculate the round constants
383 */
384 for( i = 0, x = 1; i < 10; i++ )
385 {
386 RCON[i] = (unsigned long) x;
387 x = XTIME( x ) & 0xFF;
388 }
389
390 /*
391 * generate the forward and reverse S-boxes
392 */
393 FSb[0x00] = 0x63;
394 RSb[0x63] = 0x00;
395
396 for( i = 1; i < 256; i++ )
397 {
398 x = pow[255 - log[i]];
399
400 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
401 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
402 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
403 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
404 x ^= y ^ 0x63;
405
406 FSb[i] = (unsigned char) x;
407 RSb[x] = (unsigned char) i;
408 }
409
410 /*
411 * generate the forward and reverse tables
412 */
413 for( i = 0; i < 256; i++ )
414 {
415 x = FSb[i];
416 y = XTIME( x ) & 0xFF;
417 z = ( y ^ x ) & 0xFF;
418
419 FT0[i] = ( (unsigned long) y ) ^
420 ( (unsigned long) x << 8 ) ^
421 ( (unsigned long) x << 16 ) ^
422 ( (unsigned long) z << 24 );
423
424 FT1[i] = ROTL8( FT0[i] );
425 FT2[i] = ROTL8( FT1[i] );
426 FT3[i] = ROTL8( FT2[i] );
427
428 x = RSb[i];
429
430 RT0[i] = ( (unsigned long) MUL( 0x0E, x ) ) ^
431 ( (unsigned long) MUL( 0x09, x ) << 8 ) ^
432 ( (unsigned long) MUL( 0x0D, x ) << 16 ) ^
433 ( (unsigned long) MUL( 0x0B, x ) << 24 );
434
435 RT1[i] = ROTL8( RT0[i] );
436 RT2[i] = ROTL8( RT1[i] );
437 RT3[i] = ROTL8( RT2[i] );
438 }
439}
440
441#endif
442
443/*
444 * AES key schedule (encryption)
445 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]446int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]447{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]448 unsigned int i;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]449 unsigned long *RK;
450
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]451#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]452 if( aes_init_done == 0 )
453 {
454 aes_gen_tables();
455 aes_init_done = 1;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]456
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]457 }
458#endif
459
460 switch( keysize )
461 {
462 case 128: ctx->nr = 10; break;
463 case 192: ctx->nr = 12; break;
464 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]465 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]466 }
467
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]468#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
469 if( aes_padlock_ace == -1 )
470 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
471
472 if( aes_padlock_ace )
473 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
474 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]475#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]476 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]477
478 for( i = 0; i < (keysize >> 5); i++ )
479 {
480 GET_ULONG_LE( RK[i], key, i << 2 );
481 }
482
483 switch( ctx->nr )
484 {
485 case 10:
486
487 for( i = 0; i < 10; i++, RK += 4 )
488 {
489 RK[4] = RK[0] ^ RCON[i] ^
490 ( (unsigned long) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
491 ( (unsigned long) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
492 ( (unsigned long) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
493 ( (unsigned long) FSb[ ( RK[3] ) & 0xFF ] << 24 );
494
495 RK[5] = RK[1] ^ RK[4];
496 RK[6] = RK[2] ^ RK[5];
497 RK[7] = RK[3] ^ RK[6];
498 }
499 break;
500
501 case 12:
502
503 for( i = 0; i < 8; i++, RK += 6 )
504 {
505 RK[6] = RK[0] ^ RCON[i] ^
506 ( (unsigned long) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
507 ( (unsigned long) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
508 ( (unsigned long) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
509 ( (unsigned long) FSb[ ( RK[5] ) & 0xFF ] << 24 );
510
511 RK[7] = RK[1] ^ RK[6];
512 RK[8] = RK[2] ^ RK[7];
513 RK[9] = RK[3] ^ RK[8];
514 RK[10] = RK[4] ^ RK[9];
515 RK[11] = RK[5] ^ RK[10];
516 }
517 break;
518
519 case 14:
520
521 for( i = 0; i < 7; i++, RK += 8 )
522 {
523 RK[8] = RK[0] ^ RCON[i] ^
524 ( (unsigned long) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
525 ( (unsigned long) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
526 ( (unsigned long) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
527 ( (unsigned long) FSb[ ( RK[7] ) & 0xFF ] << 24 );
528
529 RK[9] = RK[1] ^ RK[8];
530 RK[10] = RK[2] ^ RK[9];
531 RK[11] = RK[3] ^ RK[10];
532
533 RK[12] = RK[4] ^
534 ( (unsigned long) FSb[ ( RK[11] ) & 0xFF ] ) ^
535 ( (unsigned long) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
536 ( (unsigned long) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
537 ( (unsigned long) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
538
539 RK[13] = RK[5] ^ RK[12];
540 RK[14] = RK[6] ^ RK[13];
541 RK[15] = RK[7] ^ RK[14];
542 }
543 break;
544
545 default:
546
547 break;
548 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]549
550 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]551}
552
553/*
554 * AES key schedule (decryption)
555 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]556int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]557{
558 int i, j;
559 aes_context cty;
560 unsigned long *RK;
561 unsigned long *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]562 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]563
564 switch( keysize )
565 {
566 case 128: ctx->nr = 10; break;
567 case 192: ctx->nr = 12; break;
568 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]569 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]570 }
571
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]572#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
573 if( aes_padlock_ace == -1 )
574 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
575
576 if( aes_padlock_ace )
577 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
578 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]579#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]580 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]581
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]582 ret = aes_setkey_enc( &cty, key, keysize );
583 if( ret != 0 )
584 return( ret );
585
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]586 SK = cty.rk + cty.nr * 4;
587
588 *RK++ = *SK++;
589 *RK++ = *SK++;
590 *RK++ = *SK++;
591 *RK++ = *SK++;
592
593 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
594 {
595 for( j = 0; j < 4; j++, SK++ )
596 {
597 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
598 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
599 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
600 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
601 }
602 }
603
604 *RK++ = *SK++;
605 *RK++ = *SK++;
606 *RK++ = *SK++;
607 *RK++ = *SK++;
608
609 memset( &cty, 0, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]610
611 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]612}
613
614#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
615{ \
616 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
617 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
618 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
619 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
620 \
621 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
622 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
623 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
624 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
625 \
626 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
627 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
628 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
629 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
630 \
631 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
632 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
633 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
634 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
635}
636
637#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
638{ \
639 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
640 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
641 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
642 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
643 \
644 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
645 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
646 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
647 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
648 \
649 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
650 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
651 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
652 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
653 \
654 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
655 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
656 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
657 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
658}
659
660/*
661 * AES-ECB block encryption/decryption
662 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]663int aes_crypt_ecb( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]664 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]665 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]666 unsigned char output[16] )
667{
668 int i;
669 unsigned long *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
670
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]671#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]672 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]673 {
674 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]675 return( 0 );
676
677 // If padlock data misaligned, we just fall back to
678 // unaccelerated mode
679 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]680 }
681#endif
682
683 RK = ctx->rk;
684
685 GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
686 GET_ULONG_LE( X1, input, 4 ); X1 ^= *RK++;
687 GET_ULONG_LE( X2, input, 8 ); X2 ^= *RK++;
688 GET_ULONG_LE( X3, input, 12 ); X3 ^= *RK++;
689
690 if( mode == AES_DECRYPT )
691 {
692 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
693 {
694 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
695 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
696 }
697
698 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
699
700 X0 = *RK++ ^ \
701 ( (unsigned long) RSb[ ( Y0 ) & 0xFF ] ) ^
702 ( (unsigned long) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
703 ( (unsigned long) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
704 ( (unsigned long) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
705
706 X1 = *RK++ ^ \
707 ( (unsigned long) RSb[ ( Y1 ) & 0xFF ] ) ^
708 ( (unsigned long) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
709 ( (unsigned long) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
710 ( (unsigned long) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
711
712 X2 = *RK++ ^ \
713 ( (unsigned long) RSb[ ( Y2 ) & 0xFF ] ) ^
714 ( (unsigned long) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
715 ( (unsigned long) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
716 ( (unsigned long) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
717
718 X3 = *RK++ ^ \
719 ( (unsigned long) RSb[ ( Y3 ) & 0xFF ] ) ^
720 ( (unsigned long) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
721 ( (unsigned long) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
722 ( (unsigned long) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
723 }
724 else /* AES_ENCRYPT */
725 {
726 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
727 {
728 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
729 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
730 }
731
732 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
733
734 X0 = *RK++ ^ \
735 ( (unsigned long) FSb[ ( Y0 ) & 0xFF ] ) ^
736 ( (unsigned long) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
737 ( (unsigned long) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
738 ( (unsigned long) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
739
740 X1 = *RK++ ^ \
741 ( (unsigned long) FSb[ ( Y1 ) & 0xFF ] ) ^
742 ( (unsigned long) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
743 ( (unsigned long) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
744 ( (unsigned long) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
745
746 X2 = *RK++ ^ \
747 ( (unsigned long) FSb[ ( Y2 ) & 0xFF ] ) ^
748 ( (unsigned long) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
749 ( (unsigned long) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
750 ( (unsigned long) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
751
752 X3 = *RK++ ^ \
753 ( (unsigned long) FSb[ ( Y3 ) & 0xFF ] ) ^
754 ( (unsigned long) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
755 ( (unsigned long) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
756 ( (unsigned long) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
757 }
758
759 PUT_ULONG_LE( X0, output, 0 );
760 PUT_ULONG_LE( X1, output, 4 );
761 PUT_ULONG_LE( X2, output, 8 );
762 PUT_ULONG_LE( X3, output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]763
764 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]765}
766
767/*
768 * AES-CBC buffer encryption/decryption
769 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]770int aes_crypt_cbc( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]771 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]772 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]773 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]774 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]775 unsigned char *output )
776{
777 int i;
778 unsigned char temp[16];
779
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]780 if( length % 16 )
781 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
782
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]783#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]784 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]785 {
786 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]787 return( 0 );
788
789 // If padlock data misaligned, we just fall back to
790 // unaccelerated mode
791 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]792 }
793#endif
794
795 if( mode == AES_DECRYPT )
796 {
797 while( length > 0 )
798 {
799 memcpy( temp, input, 16 );
800 aes_crypt_ecb( ctx, mode, input, output );
801
802 for( i = 0; i < 16; i++ )
803 output[i] = (unsigned char)( output[i] ^ iv[i] );
804
805 memcpy( iv, temp, 16 );
806
807 input += 16;
808 output += 16;
809 length -= 16;
810 }
811 }
812 else
813 {
814 while( length > 0 )
815 {
816 for( i = 0; i < 16; i++ )
817 output[i] = (unsigned char)( input[i] ^ iv[i] );
818
819 aes_crypt_ecb( ctx, mode, output, output );
820 memcpy( iv, output, 16 );
821
822 input += 16;
823 output += 16;
824 length -= 16;
825 }
826 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]827
828 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]829}
830
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]831#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]832/*
833 * AES-CFB128 buffer encryption/decryption
834 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]835int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]836 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]837 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]838 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]839 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]840 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]841 unsigned char *output )
842{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]843 int c;
844 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]845
846 if( mode == AES_DECRYPT )
847 {
848 while( length-- )
849 {
850 if( n == 0 )
851 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
852
853 c = *input++;
854 *output++ = (unsigned char)( c ^ iv[n] );
855 iv[n] = (unsigned char) c;
856
857 n = (n + 1) & 0x0F;
858 }
859 }
860 else
861 {
862 while( length-- )
863 {
864 if( n == 0 )
865 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
866
867 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
868
869 n = (n + 1) & 0x0F;
870 }
871 }
872
873 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]874
875 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]876}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]877#endif /*POLARSSL_CIPHER_MODE_CFB */
878
879#if defined(POLARSSL_CIPHER_MODE_CTR)
880/*
881 * AES-CTR buffer encryption/decryption
882 */
883int aes_crypt_ctr( aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]884 size_t length,
885 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]886 unsigned char nonce_counter[16],
887 unsigned char stream_block[16],
888 const unsigned char *input,
889 unsigned char *output )
890{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame^]891 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]892 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]893
894 while( length-- )
895 {
896 if( n == 0 ) {
897 aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
898
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame^]899 for( i = 16; i > 0; i-- )
900 if( ++nonce_counter[i - 1] != 0 )
901 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]902 }
903 c = *input++;
904 *output++ = (unsigned char)( c ^ stream_block[n] );
905
906 n = (n + 1) & 0x0F;
907 }
908
909 *nc_off = n;
910
911 return( 0 );
912}
913#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]914
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]915#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]916
917#include <stdio.h>
918
919/*
920 * AES test vectors from:
921 *
922 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
923 */
924static const unsigned char aes_test_ecb_dec[3][16] =
925{
926 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
927 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
928 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
929 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
930 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
931 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
932};
933
934static const unsigned char aes_test_ecb_enc[3][16] =
935{
936 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
937 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
938 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
939 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
940 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
941 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
942};
943
944static const unsigned char aes_test_cbc_dec[3][16] =
945{
946 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
947 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
948 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
949 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
950 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
951 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
952};
953
954static const unsigned char aes_test_cbc_enc[3][16] =
955{
956 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
957 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
958 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
959 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
960 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
961 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
962};
963
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]964#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]965/*
966 * AES-CFB128 test vectors from:
967 *
968 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
969 */
970static const unsigned char aes_test_cfb128_key[3][32] =
971{
972 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
973 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
974 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
975 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
976 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
977 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
978 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
979 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
980 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
981};
982
983static const unsigned char aes_test_cfb128_iv[16] =
984{
985 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
986 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
987};
988
989static const unsigned char aes_test_cfb128_pt[64] =
990{
991 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
992 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
993 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
994 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
995 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
996 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
997 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
998 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
999};
1000
1001static const unsigned char aes_test_cfb128_ct[3][64] =
1002{
1003 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1004 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1005 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1006 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1007 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1008 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1009 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1010 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1011 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1012 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1013 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1014 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1015 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1016 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1017 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1018 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1019 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1020 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1021 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1022 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1023 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1024 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1025 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1026 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1027};
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1028#endif /* POLARSSL_CIPHER_MODE_CFB */
1029
1030#if defined(POLARSSL_CIPHER_MODE_CTR)
1031/*
1032 * AES-CTR test vectors from:
1033 *
1034 * http://www.faqs.org/rfcs/rfc3686.html
1035 */
1036
1037static const unsigned char aes_test_ctr_key[3][16] =
1038{
1039 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1040 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1041 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1042 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1043 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1044 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1045};
1046
1047static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1048{
1049 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1050 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1051 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1052 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1053 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1054 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1055};
1056
1057static const unsigned char aes_test_ctr_pt[3][48] =
1058{
1059 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1060 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1061
1062 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1063 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1064 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1065 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1066
1067 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1068 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1069 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1070 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1071 0x20, 0x21, 0x22, 0x23 }
1072};
1073
1074static const unsigned char aes_test_ctr_ct[3][48] =
1075{
1076 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1077 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1078 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1079 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1080 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1081 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1082 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1083 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1084 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1085 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1086 0x25, 0xB2, 0x07, 0x2F }
1087};
1088
1089static const int aes_test_ctr_len[3] =
1090 { 16, 32, 36 };
1091#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1092
1093/*
1094 * Checkup routine
1095 */
1096int aes_self_test( int verbose )
1097{
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1098 int i, j, u, v;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1099 unsigned char key[32];
1100 unsigned char buf[64];
1101 unsigned char prv[16];
1102 unsigned char iv[16];
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1103#if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1104 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1105#endif
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1106#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1107 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1108 unsigned char nonce_counter[16];
1109 unsigned char stream_block[16];
1110#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1111 aes_context ctx;
1112
1113 memset( key, 0, 32 );
1114
1115 /*
1116 * ECB mode
1117 */
1118 for( i = 0; i < 6; i++ )
1119 {
1120 u = i >> 1;
1121 v = i & 1;
1122
1123 if( verbose != 0 )
1124 printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1125 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1126
1127 memset( buf, 0, 16 );
1128
1129 if( v == AES_DECRYPT )
1130 {
1131 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1132
1133 for( j = 0; j < 10000; j++ )
1134 aes_crypt_ecb( &ctx, v, buf, buf );
1135
1136 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1137 {
1138 if( verbose != 0 )
1139 printf( "failed\n" );
1140
1141 return( 1 );
1142 }
1143 }
1144 else
1145 {
1146 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1147
1148 for( j = 0; j < 10000; j++ )
1149 aes_crypt_ecb( &ctx, v, buf, buf );
1150
1151 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1152 {
1153 if( verbose != 0 )
1154 printf( "failed\n" );
1155
1156 return( 1 );
1157 }
1158 }
1159
1160 if( verbose != 0 )
1161 printf( "passed\n" );
1162 }
1163
1164 if( verbose != 0 )
1165 printf( "\n" );
1166
1167 /*
1168 * CBC mode
1169 */
1170 for( i = 0; i < 6; i++ )
1171 {
1172 u = i >> 1;
1173 v = i & 1;
1174
1175 if( verbose != 0 )
1176 printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1177 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1178
1179 memset( iv , 0, 16 );
1180 memset( prv, 0, 16 );
1181 memset( buf, 0, 16 );
1182
1183 if( v == AES_DECRYPT )
1184 {
1185 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1186
1187 for( j = 0; j < 10000; j++ )
1188 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1189
1190 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1191 {
1192 if( verbose != 0 )
1193 printf( "failed\n" );
1194
1195 return( 1 );
1196 }
1197 }
1198 else
1199 {
1200 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1201
1202 for( j = 0; j < 10000; j++ )
1203 {
1204 unsigned char tmp[16];
1205
1206 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1207
1208 memcpy( tmp, prv, 16 );
1209 memcpy( prv, buf, 16 );
1210 memcpy( buf, tmp, 16 );
1211 }
1212
1213 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1214 {
1215 if( verbose != 0 )
1216 printf( "failed\n" );
1217
1218 return( 1 );
1219 }
1220 }
1221
1222 if( verbose != 0 )
1223 printf( "passed\n" );
1224 }
1225
1226 if( verbose != 0 )
1227 printf( "\n" );
1228
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1229#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1230 /*
1231 * CFB128 mode
1232 */
1233 for( i = 0; i < 6; i++ )
1234 {
1235 u = i >> 1;
1236 v = i & 1;
1237
1238 if( verbose != 0 )
1239 printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1240 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1241
1242 memcpy( iv, aes_test_cfb128_iv, 16 );
1243 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1244
1245 offset = 0;
1246 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1247
1248 if( v == AES_DECRYPT )
1249 {
1250 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1251 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1252
1253 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1254 {
1255 if( verbose != 0 )
1256 printf( "failed\n" );
1257
1258 return( 1 );
1259 }
1260 }
1261 else
1262 {
1263 memcpy( buf, aes_test_cfb128_pt, 64 );
1264 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1265
1266 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1267 {
1268 if( verbose != 0 )
1269 printf( "failed\n" );
1270
1271 return( 1 );
1272 }
1273 }
1274
1275 if( verbose != 0 )
1276 printf( "passed\n" );
1277 }
1278
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1279 if( verbose != 0 )
1280 printf( "\n" );
1281#endif /* POLARSSL_CIPHER_MODE_CFB */
1282
1283#if defined(POLARSSL_CIPHER_MODE_CTR)
1284 /*
1285 * CTR mode
1286 */
1287 for( i = 0; i < 6; i++ )
1288 {
1289 u = i >> 1;
1290 v = i & 1;
1291
1292 if( verbose != 0 )
1293 printf( " AES-CTR-128 (%s): ",
1294 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1295
1296 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1297 memcpy( key, aes_test_ctr_key[u], 16 );
1298
1299 offset = 0;
1300 aes_setkey_enc( &ctx, key, 128 );
1301
1302 if( v == AES_DECRYPT )
1303 {
1304 len = aes_test_ctr_len[u];
1305 memcpy( buf, aes_test_ctr_ct[u], len );
1306
1307 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1308
1309 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1310 {
1311 if( verbose != 0 )
1312 printf( "failed\n" );
1313
1314 return( 1 );
1315 }
1316 }
1317 else
1318 {
1319 len = aes_test_ctr_len[u];
1320 memcpy( buf, aes_test_ctr_pt[u], len );
1321
1322 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1323
1324 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1325 {
1326 if( verbose != 0 )
1327 printf( "failed\n" );
1328
1329 return( 1 );
1330 }
1331 }
1332
1333 if( verbose != 0 )
1334 printf( "passed\n" );
1335 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1336
1337 if( verbose != 0 )
1338 printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1339#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1340
1341 return( 0 );
1342}
1343
1344#endif
1345
1346#endif