TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / 67820bd38e276ca51bb564873e5ea441d4a14373 / . / library / aes.c
blob: 2880cdb0e66df2f28ece7ea590e7472e4cd2f61c [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]4 * Copyright (C) 2006-2010, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27 *
28 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30 */
31
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]32#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#include "polarssl/aes.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame^]37#if defined(POLARSSL_PADLOCK_C)
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#include "polarssl/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame^]39#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]40
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]41/*
42 * 32-bit integer manipulation macros (little endian)
43 */
44#ifndef GET_ULONG_LE
45#define GET_ULONG_LE(n,b,i) \
46{ \
47 (n) = ( (unsigned long) (b)[(i) ] ) \
48 | ( (unsigned long) (b)[(i) + 1] << 8 ) \
49 | ( (unsigned long) (b)[(i) + 2] << 16 ) \
50 | ( (unsigned long) (b)[(i) + 3] << 24 ); \
51}
52#endif
53
54#ifndef PUT_ULONG_LE
55#define PUT_ULONG_LE(n,b,i) \
56{ \
57 (b)[(i) ] = (unsigned char) ( (n) ); \
58 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
59 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
60 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
61}
62#endif
63
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]64#if defined(POLARSSL_PADLOCK_C)
65static int aes_padlock_ace = -1;
66#endif
67
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]68#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]69/*
70 * Forward S-box
71 */
72static const unsigned char FSb[256] =
73{
74 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
75 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
76 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
77 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
78 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
79 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
80 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
81 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
82 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
83 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
84 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
85 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
86 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
87 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
88 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
89 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
90 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
91 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
92 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
93 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
94 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
95 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
96 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
97 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
98 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
99 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
100 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
101 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
102 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
103 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
104 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
105 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
106};
107
108/*
109 * Forward tables
110 */
111#define FT \
112\
113 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
114 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
115 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
116 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
117 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
118 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
119 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
120 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
121 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
122 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
123 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
124 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
125 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
126 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
127 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
128 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
129 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
130 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
131 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
132 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
133 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
134 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
135 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
136 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
137 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
138 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
139 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
140 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
141 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
142 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
143 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
144 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
145 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
146 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
147 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
148 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
149 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
150 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
151 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
152 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
153 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
154 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
155 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
156 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
157 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
158 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
159 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
160 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
161 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
162 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
163 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
164 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
165 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
166 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
167 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
168 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
169 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
170 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
171 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
172 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
173 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
174 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
175 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
176 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
177
178#define V(a,b,c,d) 0x##a##b##c##d
179static const unsigned long FT0[256] = { FT };
180#undef V
181
182#define V(a,b,c,d) 0x##b##c##d##a
183static const unsigned long FT1[256] = { FT };
184#undef V
185
186#define V(a,b,c,d) 0x##c##d##a##b
187static const unsigned long FT2[256] = { FT };
188#undef V
189
190#define V(a,b,c,d) 0x##d##a##b##c
191static const unsigned long FT3[256] = { FT };
192#undef V
193
194#undef FT
195
196/*
197 * Reverse S-box
198 */
199static const unsigned char RSb[256] =
200{
201 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
202 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
203 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
204 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
205 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
206 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
207 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
208 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
209 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
210 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
211 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
212 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
213 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
214 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
215 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
216 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
217 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
218 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
219 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
220 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
221 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
222 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
223 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
224 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
225 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
226 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
227 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
228 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
229 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
230 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
231 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
232 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
233};
234
235/*
236 * Reverse tables
237 */
238#define RT \
239\
240 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
241 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
242 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
243 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
244 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
245 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
246 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
247 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
248 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
249 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
250 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
251 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
252 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
253 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
254 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
255 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
256 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
257 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
258 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
259 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
260 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
261 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
262 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
263 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
264 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
265 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
266 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
267 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
268 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
269 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
270 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
271 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
272 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
273 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
274 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
275 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
276 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
277 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
278 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
279 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
280 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
281 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
282 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
283 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
284 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
285 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
286 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
287 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
288 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
289 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
290 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
291 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
292 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
293 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
294 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
295 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
296 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
297 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
298 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
299 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
300 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
301 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
302 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
303 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
304
305#define V(a,b,c,d) 0x##a##b##c##d
306static const unsigned long RT0[256] = { RT };
307#undef V
308
309#define V(a,b,c,d) 0x##b##c##d##a
310static const unsigned long RT1[256] = { RT };
311#undef V
312
313#define V(a,b,c,d) 0x##c##d##a##b
314static const unsigned long RT2[256] = { RT };
315#undef V
316
317#define V(a,b,c,d) 0x##d##a##b##c
318static const unsigned long RT3[256] = { RT };
319#undef V
320
321#undef RT
322
323/*
324 * Round constants
325 */
326static const unsigned long RCON[10] =
327{
328 0x00000001, 0x00000002, 0x00000004, 0x00000008,
329 0x00000010, 0x00000020, 0x00000040, 0x00000080,
330 0x0000001B, 0x00000036
331};
332
333#else
334
335/*
336 * Forward S-box & tables
337 */
338static unsigned char FSb[256];
339static unsigned long FT0[256];
340static unsigned long FT1[256];
341static unsigned long FT2[256];
342static unsigned long FT3[256];
343
344/*
345 * Reverse S-box & tables
346 */
347static unsigned char RSb[256];
348static unsigned long RT0[256];
349static unsigned long RT1[256];
350static unsigned long RT2[256];
351static unsigned long RT3[256];
352
353/*
354 * Round constants
355 */
356static unsigned long RCON[10];
357
358/*
359 * Tables generation code
360 */
361#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
362#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
363#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
364
365static int aes_init_done = 0;
366
367static void aes_gen_tables( void )
368{
369 int i, x, y, z;
370 int pow[256];
371 int log[256];
372
373 /*
374 * compute pow and log tables over GF(2^8)
375 */
376 for( i = 0, x = 1; i < 256; i++ )
377 {
378 pow[i] = x;
379 log[x] = i;
380 x = ( x ^ XTIME( x ) ) & 0xFF;
381 }
382
383 /*
384 * calculate the round constants
385 */
386 for( i = 0, x = 1; i < 10; i++ )
387 {
388 RCON[i] = (unsigned long) x;
389 x = XTIME( x ) & 0xFF;
390 }
391
392 /*
393 * generate the forward and reverse S-boxes
394 */
395 FSb[0x00] = 0x63;
396 RSb[0x63] = 0x00;
397
398 for( i = 1; i < 256; i++ )
399 {
400 x = pow[255 - log[i]];
401
402 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
403 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
404 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
405 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
406 x ^= y ^ 0x63;
407
408 FSb[i] = (unsigned char) x;
409 RSb[x] = (unsigned char) i;
410 }
411
412 /*
413 * generate the forward and reverse tables
414 */
415 for( i = 0; i < 256; i++ )
416 {
417 x = FSb[i];
418 y = XTIME( x ) & 0xFF;
419 z = ( y ^ x ) & 0xFF;
420
421 FT0[i] = ( (unsigned long) y ) ^
422 ( (unsigned long) x << 8 ) ^
423 ( (unsigned long) x << 16 ) ^
424 ( (unsigned long) z << 24 );
425
426 FT1[i] = ROTL8( FT0[i] );
427 FT2[i] = ROTL8( FT1[i] );
428 FT3[i] = ROTL8( FT2[i] );
429
430 x = RSb[i];
431
432 RT0[i] = ( (unsigned long) MUL( 0x0E, x ) ) ^
433 ( (unsigned long) MUL( 0x09, x ) << 8 ) ^
434 ( (unsigned long) MUL( 0x0D, x ) << 16 ) ^
435 ( (unsigned long) MUL( 0x0B, x ) << 24 );
436
437 RT1[i] = ROTL8( RT0[i] );
438 RT2[i] = ROTL8( RT1[i] );
439 RT3[i] = ROTL8( RT2[i] );
440 }
441}
442
443#endif
444
445/*
446 * AES key schedule (encryption)
447 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]448int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]449{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]450 unsigned int i;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]451 unsigned long *RK;
452
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]453#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]454 if( aes_init_done == 0 )
455 {
456 aes_gen_tables();
457 aes_init_done = 1;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]458
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]459 }
460#endif
461
462 switch( keysize )
463 {
464 case 128: ctx->nr = 10; break;
465 case 192: ctx->nr = 12; break;
466 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]467 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]468 }
469
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]470#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
471 if( aes_padlock_ace == -1 )
472 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
473
474 if( aes_padlock_ace )
475 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
476 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]477#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]478 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]479
480 for( i = 0; i < (keysize >> 5); i++ )
481 {
482 GET_ULONG_LE( RK[i], key, i << 2 );
483 }
484
485 switch( ctx->nr )
486 {
487 case 10:
488
489 for( i = 0; i < 10; i++, RK += 4 )
490 {
491 RK[4] = RK[0] ^ RCON[i] ^
492 ( (unsigned long) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
493 ( (unsigned long) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
494 ( (unsigned long) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
495 ( (unsigned long) FSb[ ( RK[3] ) & 0xFF ] << 24 );
496
497 RK[5] = RK[1] ^ RK[4];
498 RK[6] = RK[2] ^ RK[5];
499 RK[7] = RK[3] ^ RK[6];
500 }
501 break;
502
503 case 12:
504
505 for( i = 0; i < 8; i++, RK += 6 )
506 {
507 RK[6] = RK[0] ^ RCON[i] ^
508 ( (unsigned long) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
509 ( (unsigned long) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
510 ( (unsigned long) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
511 ( (unsigned long) FSb[ ( RK[5] ) & 0xFF ] << 24 );
512
513 RK[7] = RK[1] ^ RK[6];
514 RK[8] = RK[2] ^ RK[7];
515 RK[9] = RK[3] ^ RK[8];
516 RK[10] = RK[4] ^ RK[9];
517 RK[11] = RK[5] ^ RK[10];
518 }
519 break;
520
521 case 14:
522
523 for( i = 0; i < 7; i++, RK += 8 )
524 {
525 RK[8] = RK[0] ^ RCON[i] ^
526 ( (unsigned long) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
527 ( (unsigned long) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
528 ( (unsigned long) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
529 ( (unsigned long) FSb[ ( RK[7] ) & 0xFF ] << 24 );
530
531 RK[9] = RK[1] ^ RK[8];
532 RK[10] = RK[2] ^ RK[9];
533 RK[11] = RK[3] ^ RK[10];
534
535 RK[12] = RK[4] ^
536 ( (unsigned long) FSb[ ( RK[11] ) & 0xFF ] ) ^
537 ( (unsigned long) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
538 ( (unsigned long) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
539 ( (unsigned long) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
540
541 RK[13] = RK[5] ^ RK[12];
542 RK[14] = RK[6] ^ RK[13];
543 RK[15] = RK[7] ^ RK[14];
544 }
545 break;
546
547 default:
548
549 break;
550 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]551
552 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]553}
554
555/*
556 * AES key schedule (decryption)
557 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]558int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]559{
560 int i, j;
561 aes_context cty;
562 unsigned long *RK;
563 unsigned long *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]564 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]565
566 switch( keysize )
567 {
568 case 128: ctx->nr = 10; break;
569 case 192: ctx->nr = 12; break;
570 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]571 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]572 }
573
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]574#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
575 if( aes_padlock_ace == -1 )
576 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
577
578 if( aes_padlock_ace )
579 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
580 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]581#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]582 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]583
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]584 ret = aes_setkey_enc( &cty, key, keysize );
585 if( ret != 0 )
586 return( ret );
587
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]588 SK = cty.rk + cty.nr * 4;
589
590 *RK++ = *SK++;
591 *RK++ = *SK++;
592 *RK++ = *SK++;
593 *RK++ = *SK++;
594
595 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
596 {
597 for( j = 0; j < 4; j++, SK++ )
598 {
599 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
600 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
601 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
602 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
603 }
604 }
605
606 *RK++ = *SK++;
607 *RK++ = *SK++;
608 *RK++ = *SK++;
609 *RK++ = *SK++;
610
611 memset( &cty, 0, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]612
613 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]614}
615
616#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
617{ \
618 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
619 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
620 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
621 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
622 \
623 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
624 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
625 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
626 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
627 \
628 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
629 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
630 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
631 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
632 \
633 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
634 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
635 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
636 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
637}
638
639#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
640{ \
641 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
642 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
643 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
644 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
645 \
646 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
647 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
648 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
649 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
650 \
651 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
652 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
653 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
654 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
655 \
656 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
657 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
658 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
659 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
660}
661
662/*
663 * AES-ECB block encryption/decryption
664 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]665int aes_crypt_ecb( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]666 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]667 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]668 unsigned char output[16] )
669{
670 int i;
671 unsigned long *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
672
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]673#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]674 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]675 {
676 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]677 return( 0 );
678
679 // If padlock data misaligned, we just fall back to
680 // unaccelerated mode
681 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]682 }
683#endif
684
685 RK = ctx->rk;
686
687 GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
688 GET_ULONG_LE( X1, input, 4 ); X1 ^= *RK++;
689 GET_ULONG_LE( X2, input, 8 ); X2 ^= *RK++;
690 GET_ULONG_LE( X3, input, 12 ); X3 ^= *RK++;
691
692 if( mode == AES_DECRYPT )
693 {
694 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
695 {
696 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
697 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
698 }
699
700 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
701
702 X0 = *RK++ ^ \
703 ( (unsigned long) RSb[ ( Y0 ) & 0xFF ] ) ^
704 ( (unsigned long) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
705 ( (unsigned long) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
706 ( (unsigned long) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
707
708 X1 = *RK++ ^ \
709 ( (unsigned long) RSb[ ( Y1 ) & 0xFF ] ) ^
710 ( (unsigned long) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
711 ( (unsigned long) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
712 ( (unsigned long) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
713
714 X2 = *RK++ ^ \
715 ( (unsigned long) RSb[ ( Y2 ) & 0xFF ] ) ^
716 ( (unsigned long) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
717 ( (unsigned long) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
718 ( (unsigned long) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
719
720 X3 = *RK++ ^ \
721 ( (unsigned long) RSb[ ( Y3 ) & 0xFF ] ) ^
722 ( (unsigned long) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
723 ( (unsigned long) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
724 ( (unsigned long) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
725 }
726 else /* AES_ENCRYPT */
727 {
728 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
729 {
730 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
731 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
732 }
733
734 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
735
736 X0 = *RK++ ^ \
737 ( (unsigned long) FSb[ ( Y0 ) & 0xFF ] ) ^
738 ( (unsigned long) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
739 ( (unsigned long) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
740 ( (unsigned long) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
741
742 X1 = *RK++ ^ \
743 ( (unsigned long) FSb[ ( Y1 ) & 0xFF ] ) ^
744 ( (unsigned long) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
745 ( (unsigned long) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
746 ( (unsigned long) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
747
748 X2 = *RK++ ^ \
749 ( (unsigned long) FSb[ ( Y2 ) & 0xFF ] ) ^
750 ( (unsigned long) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
751 ( (unsigned long) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
752 ( (unsigned long) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
753
754 X3 = *RK++ ^ \
755 ( (unsigned long) FSb[ ( Y3 ) & 0xFF ] ) ^
756 ( (unsigned long) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
757 ( (unsigned long) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
758 ( (unsigned long) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
759 }
760
761 PUT_ULONG_LE( X0, output, 0 );
762 PUT_ULONG_LE( X1, output, 4 );
763 PUT_ULONG_LE( X2, output, 8 );
764 PUT_ULONG_LE( X3, output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]765
766 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]767}
768
769/*
770 * AES-CBC buffer encryption/decryption
771 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]772int aes_crypt_cbc( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]773 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]774 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]775 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]776 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]777 unsigned char *output )
778{
779 int i;
780 unsigned char temp[16];
781
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]782 if( length % 16 )
783 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
784
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]785#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]786 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]787 {
788 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]789 return( 0 );
790
791 // If padlock data misaligned, we just fall back to
792 // unaccelerated mode
793 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]794 }
795#endif
796
797 if( mode == AES_DECRYPT )
798 {
799 while( length > 0 )
800 {
801 memcpy( temp, input, 16 );
802 aes_crypt_ecb( ctx, mode, input, output );
803
804 for( i = 0; i < 16; i++ )
805 output[i] = (unsigned char)( output[i] ^ iv[i] );
806
807 memcpy( iv, temp, 16 );
808
809 input += 16;
810 output += 16;
811 length -= 16;
812 }
813 }
814 else
815 {
816 while( length > 0 )
817 {
818 for( i = 0; i < 16; i++ )
819 output[i] = (unsigned char)( input[i] ^ iv[i] );
820
821 aes_crypt_ecb( ctx, mode, output, output );
822 memcpy( iv, output, 16 );
823
824 input += 16;
825 output += 16;
826 length -= 16;
827 }
828 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]829
830 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]831}
832
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]833#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]834/*
835 * AES-CFB128 buffer encryption/decryption
836 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]837int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]838 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]839 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]840 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]841 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]842 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]843 unsigned char *output )
844{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]845 int c;
846 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]847
848 if( mode == AES_DECRYPT )
849 {
850 while( length-- )
851 {
852 if( n == 0 )
853 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
854
855 c = *input++;
856 *output++ = (unsigned char)( c ^ iv[n] );
857 iv[n] = (unsigned char) c;
858
859 n = (n + 1) & 0x0F;
860 }
861 }
862 else
863 {
864 while( length-- )
865 {
866 if( n == 0 )
867 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
868
869 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
870
871 n = (n + 1) & 0x0F;
872 }
873 }
874
875 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]876
877 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]878}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]879#endif /*POLARSSL_CIPHER_MODE_CFB */
880
881#if defined(POLARSSL_CIPHER_MODE_CTR)
882/*
883 * AES-CTR buffer encryption/decryption
884 */
885int aes_crypt_ctr( aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]886 size_t length,
887 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]888 unsigned char nonce_counter[16],
889 unsigned char stream_block[16],
890 const unsigned char *input,
891 unsigned char *output )
892{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]893 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]894 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]895
896 while( length-- )
897 {
898 if( n == 0 ) {
899 aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
900
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]901 for( i = 16; i > 0; i-- )
902 if( ++nonce_counter[i - 1] != 0 )
903 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]904 }
905 c = *input++;
906 *output++ = (unsigned char)( c ^ stream_block[n] );
907
908 n = (n + 1) & 0x0F;
909 }
910
911 *nc_off = n;
912
913 return( 0 );
914}
915#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]916
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]917#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]918
919#include <stdio.h>
920
921/*
922 * AES test vectors from:
923 *
924 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
925 */
926static const unsigned char aes_test_ecb_dec[3][16] =
927{
928 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
929 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
930 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
931 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
932 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
933 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
934};
935
936static const unsigned char aes_test_ecb_enc[3][16] =
937{
938 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
939 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
940 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
941 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
942 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
943 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
944};
945
946static const unsigned char aes_test_cbc_dec[3][16] =
947{
948 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
949 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
950 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
951 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
952 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
953 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
954};
955
956static const unsigned char aes_test_cbc_enc[3][16] =
957{
958 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
959 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
960 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
961 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
962 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
963 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
964};
965
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]966#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]967/*
968 * AES-CFB128 test vectors from:
969 *
970 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
971 */
972static const unsigned char aes_test_cfb128_key[3][32] =
973{
974 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
975 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
976 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
977 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
978 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
979 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
980 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
981 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
982 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
983};
984
985static const unsigned char aes_test_cfb128_iv[16] =
986{
987 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
988 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
989};
990
991static const unsigned char aes_test_cfb128_pt[64] =
992{
993 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
994 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
995 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
996 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
997 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
998 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
999 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1000 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1001};
1002
1003static const unsigned char aes_test_cfb128_ct[3][64] =
1004{
1005 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1006 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1007 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1008 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1009 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1010 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1011 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1012 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1013 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1014 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1015 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1016 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1017 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1018 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1019 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1020 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1021 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1022 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1023 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1024 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1025 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1026 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1027 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1028 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1029};
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1030#endif /* POLARSSL_CIPHER_MODE_CFB */
1031
1032#if defined(POLARSSL_CIPHER_MODE_CTR)
1033/*
1034 * AES-CTR test vectors from:
1035 *
1036 * http://www.faqs.org/rfcs/rfc3686.html
1037 */
1038
1039static const unsigned char aes_test_ctr_key[3][16] =
1040{
1041 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1042 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1043 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1044 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1045 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1046 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1047};
1048
1049static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1050{
1051 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1052 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1053 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1054 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1055 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1056 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1057};
1058
1059static const unsigned char aes_test_ctr_pt[3][48] =
1060{
1061 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1062 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1063
1064 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1065 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1066 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1067 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1068
1069 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1070 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1071 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1072 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1073 0x20, 0x21, 0x22, 0x23 }
1074};
1075
1076static const unsigned char aes_test_ctr_ct[3][48] =
1077{
1078 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1079 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1080 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1081 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1082 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1083 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1084 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1085 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1086 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1087 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1088 0x25, 0xB2, 0x07, 0x2F }
1089};
1090
1091static const int aes_test_ctr_len[3] =
1092 { 16, 32, 36 };
1093#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1094
1095/*
1096 * Checkup routine
1097 */
1098int aes_self_test( int verbose )
1099{
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1100 int i, j, u, v;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1101 unsigned char key[32];
1102 unsigned char buf[64];
1103 unsigned char prv[16];
1104 unsigned char iv[16];
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1105#if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1106 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1107#endif
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1108#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1109 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1110 unsigned char nonce_counter[16];
1111 unsigned char stream_block[16];
1112#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1113 aes_context ctx;
1114
1115 memset( key, 0, 32 );
1116
1117 /*
1118 * ECB mode
1119 */
1120 for( i = 0; i < 6; i++ )
1121 {
1122 u = i >> 1;
1123 v = i & 1;
1124
1125 if( verbose != 0 )
1126 printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1127 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1128
1129 memset( buf, 0, 16 );
1130
1131 if( v == AES_DECRYPT )
1132 {
1133 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1134
1135 for( j = 0; j < 10000; j++ )
1136 aes_crypt_ecb( &ctx, v, buf, buf );
1137
1138 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1139 {
1140 if( verbose != 0 )
1141 printf( "failed\n" );
1142
1143 return( 1 );
1144 }
1145 }
1146 else
1147 {
1148 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1149
1150 for( j = 0; j < 10000; j++ )
1151 aes_crypt_ecb( &ctx, v, buf, buf );
1152
1153 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1154 {
1155 if( verbose != 0 )
1156 printf( "failed\n" );
1157
1158 return( 1 );
1159 }
1160 }
1161
1162 if( verbose != 0 )
1163 printf( "passed\n" );
1164 }
1165
1166 if( verbose != 0 )
1167 printf( "\n" );
1168
1169 /*
1170 * CBC mode
1171 */
1172 for( i = 0; i < 6; i++ )
1173 {
1174 u = i >> 1;
1175 v = i & 1;
1176
1177 if( verbose != 0 )
1178 printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1179 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1180
1181 memset( iv , 0, 16 );
1182 memset( prv, 0, 16 );
1183 memset( buf, 0, 16 );
1184
1185 if( v == AES_DECRYPT )
1186 {
1187 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1188
1189 for( j = 0; j < 10000; j++ )
1190 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1191
1192 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1193 {
1194 if( verbose != 0 )
1195 printf( "failed\n" );
1196
1197 return( 1 );
1198 }
1199 }
1200 else
1201 {
1202 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1203
1204 for( j = 0; j < 10000; j++ )
1205 {
1206 unsigned char tmp[16];
1207
1208 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1209
1210 memcpy( tmp, prv, 16 );
1211 memcpy( prv, buf, 16 );
1212 memcpy( buf, tmp, 16 );
1213 }
1214
1215 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1216 {
1217 if( verbose != 0 )
1218 printf( "failed\n" );
1219
1220 return( 1 );
1221 }
1222 }
1223
1224 if( verbose != 0 )
1225 printf( "passed\n" );
1226 }
1227
1228 if( verbose != 0 )
1229 printf( "\n" );
1230
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1231#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1232 /*
1233 * CFB128 mode
1234 */
1235 for( i = 0; i < 6; i++ )
1236 {
1237 u = i >> 1;
1238 v = i & 1;
1239
1240 if( verbose != 0 )
1241 printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1242 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1243
1244 memcpy( iv, aes_test_cfb128_iv, 16 );
1245 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1246
1247 offset = 0;
1248 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1249
1250 if( v == AES_DECRYPT )
1251 {
1252 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1253 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1254
1255 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1256 {
1257 if( verbose != 0 )
1258 printf( "failed\n" );
1259
1260 return( 1 );
1261 }
1262 }
1263 else
1264 {
1265 memcpy( buf, aes_test_cfb128_pt, 64 );
1266 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1267
1268 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1269 {
1270 if( verbose != 0 )
1271 printf( "failed\n" );
1272
1273 return( 1 );
1274 }
1275 }
1276
1277 if( verbose != 0 )
1278 printf( "passed\n" );
1279 }
1280
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1281 if( verbose != 0 )
1282 printf( "\n" );
1283#endif /* POLARSSL_CIPHER_MODE_CFB */
1284
1285#if defined(POLARSSL_CIPHER_MODE_CTR)
1286 /*
1287 * CTR mode
1288 */
1289 for( i = 0; i < 6; i++ )
1290 {
1291 u = i >> 1;
1292 v = i & 1;
1293
1294 if( verbose != 0 )
1295 printf( " AES-CTR-128 (%s): ",
1296 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1297
1298 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1299 memcpy( key, aes_test_ctr_key[u], 16 );
1300
1301 offset = 0;
1302 aes_setkey_enc( &ctx, key, 128 );
1303
1304 if( v == AES_DECRYPT )
1305 {
1306 len = aes_test_ctr_len[u];
1307 memcpy( buf, aes_test_ctr_ct[u], len );
1308
1309 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1310
1311 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1312 {
1313 if( verbose != 0 )
1314 printf( "failed\n" );
1315
1316 return( 1 );
1317 }
1318 }
1319 else
1320 {
1321 len = aes_test_ctr_len[u];
1322 memcpy( buf, aes_test_ctr_pt[u], len );
1323
1324 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1325
1326 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1327 {
1328 if( verbose != 0 )
1329 printf( "failed\n" );
1330
1331 return( 1 );
1332 }
1333 }
1334
1335 if( verbose != 0 )
1336 printf( "passed\n" );
1337 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1338
1339 if( verbose != 0 )
1340 printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1341#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1342
1343 return( 0 );
1344}
1345
1346#endif
1347
1348#endif