TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / 27f1caed0284c5e4e6245dafb30375f9567db87e / . / library / aes.c
blob: fb211fe3c27bd5aa3fa7ac0d7304737e3ab9522d [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]4 * Copyright (C) 2006-2014, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27 *
28 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30 */
31
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]32#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#include "polarssl/aes.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]37#if defined(POLARSSL_PADLOCK_C)
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#include "polarssl/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]39#endif
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]40#if defined(POLARSSL_AESNI_C)
41#include "polarssl/aesni.h"
42#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]43
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]44#if defined(POLARSSL_PLATFORM_C)
45#include "polarssl/platform.h"
46#else
47#define polarssl_printf printf
48#endif
49
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]50#if !defined(POLARSSL_AES_ALT)
51
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]52/*
53 * 32-bit integer manipulation macros (little endian)
54 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]55#ifndef GET_UINT32_LE
56#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]57{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]58 (n) = ( (uint32_t) (b)[(i) ] ) \
59 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
60 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
61 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]62}
63#endif
64
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]65#ifndef PUT_UINT32_LE
66#define PUT_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]67{ \
68 (b)[(i) ] = (unsigned char) ( (n) ); \
69 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
70 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
71 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
72}
73#endif
74
Paul Bakker0e19e9f2012-10-01 11:02:48 +0000[diff] [blame]75#if defined(POLARSSL_PADLOCK_C) && \
76 ( defined(POLARSSL_HAVE_X86) || defined(PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]77static int aes_padlock_ace = -1;
78#endif
79
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]80#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]81/*
82 * Forward S-box
83 */
84static const unsigned char FSb[256] =
85{
86 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
87 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
88 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
89 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
90 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
91 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
92 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
93 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
94 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
95 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
96 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
97 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
98 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
99 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
100 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
101 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
102 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
103 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
104 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
105 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
106 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
107 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
108 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
109 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
110 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
111 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
112 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
113 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
114 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
115 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
116 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
117 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
118};
119
120/*
121 * Forward tables
122 */
123#define FT \
124\
125 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
126 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
127 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
128 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
129 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
130 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
131 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
132 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
133 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
134 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
135 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
136 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
137 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
138 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
139 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
140 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
141 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
142 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
143 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
144 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
145 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
146 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
147 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
148 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
149 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
150 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
151 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
152 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
153 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
154 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
155 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
156 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
157 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
158 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
159 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
160 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
161 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
162 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
163 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
164 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
165 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
166 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
167 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
168 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
169 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
170 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
171 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
172 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
173 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
174 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
175 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
176 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
177 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
178 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
179 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
180 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
181 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
182 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
183 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
184 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
185 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
186 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
187 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
188 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
189
190#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]191static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]192#undef V
193
194#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]195static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]196#undef V
197
198#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]199static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]200#undef V
201
202#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]203static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]204#undef V
205
206#undef FT
207
208/*
209 * Reverse S-box
210 */
211static const unsigned char RSb[256] =
212{
213 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
214 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
215 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
216 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
217 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
218 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
219 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
220 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
221 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
222 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
223 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
224 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
225 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
226 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
227 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
228 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
229 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
230 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
231 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
232 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
233 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
234 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
235 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
236 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
237 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
238 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
239 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
240 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
241 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
242 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
243 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
244 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
245};
246
247/*
248 * Reverse tables
249 */
250#define RT \
251\
252 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
253 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
254 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
255 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
256 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
257 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
258 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
259 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
260 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
261 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
262 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
263 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
264 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
265 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
266 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
267 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
268 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
269 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
270 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
271 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
272 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
273 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
274 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
275 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
276 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
277 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
278 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
279 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
280 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
281 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
282 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
283 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
284 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
285 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
286 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
287 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
288 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
289 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
290 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
291 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
292 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
293 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
294 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
295 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
296 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
297 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
298 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
299 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
300 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
301 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
302 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
303 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
304 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
305 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
306 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
307 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
308 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
309 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
310 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
311 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
312 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
313 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
314 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
315 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
316
317#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]318static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]319#undef V
320
321#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]322static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]323#undef V
324
325#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]326static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]327#undef V
328
329#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]330static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]331#undef V
332
333#undef RT
334
335/*
336 * Round constants
337 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]338static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]339{
340 0x00000001, 0x00000002, 0x00000004, 0x00000008,
341 0x00000010, 0x00000020, 0x00000040, 0x00000080,
342 0x0000001B, 0x00000036
343};
344
345#else
346
347/*
348 * Forward S-box & tables
349 */
350static unsigned char FSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]351static uint32_t FT0[256];
352static uint32_t FT1[256];
353static uint32_t FT2[256];
354static uint32_t FT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]355
356/*
357 * Reverse S-box & tables
358 */
359static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]360static uint32_t RT0[256];
361static uint32_t RT1[256];
362static uint32_t RT2[256];
363static uint32_t RT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]364
365/*
366 * Round constants
367 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]368static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]369
370/*
371 * Tables generation code
372 */
373#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
374#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
375#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
376
377static int aes_init_done = 0;
378
379static void aes_gen_tables( void )
380{
381 int i, x, y, z;
382 int pow[256];
383 int log[256];
384
385 /*
386 * compute pow and log tables over GF(2^8)
387 */
388 for( i = 0, x = 1; i < 256; i++ )
389 {
390 pow[i] = x;
391 log[x] = i;
392 x = ( x ^ XTIME( x ) ) & 0xFF;
393 }
394
395 /*
396 * calculate the round constants
397 */
398 for( i = 0, x = 1; i < 10; i++ )
399 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]400 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]401 x = XTIME( x ) & 0xFF;
402 }
403
404 /*
405 * generate the forward and reverse S-boxes
406 */
407 FSb[0x00] = 0x63;
408 RSb[0x63] = 0x00;
409
410 for( i = 1; i < 256; i++ )
411 {
412 x = pow[255 - log[i]];
413
414 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
415 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
416 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
417 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
418 x ^= y ^ 0x63;
419
420 FSb[i] = (unsigned char) x;
421 RSb[x] = (unsigned char) i;
422 }
423
424 /*
425 * generate the forward and reverse tables
426 */
427 for( i = 0; i < 256; i++ )
428 {
429 x = FSb[i];
430 y = XTIME( x ) & 0xFF;
431 z = ( y ^ x ) & 0xFF;
432
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]433 FT0[i] = ( (uint32_t) y ) ^
434 ( (uint32_t) x << 8 ) ^
435 ( (uint32_t) x << 16 ) ^
436 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]437
438 FT1[i] = ROTL8( FT0[i] );
439 FT2[i] = ROTL8( FT1[i] );
440 FT3[i] = ROTL8( FT2[i] );
441
442 x = RSb[i];
443
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]444 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
445 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
446 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
447 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]448
449 RT1[i] = ROTL8( RT0[i] );
450 RT2[i] = ROTL8( RT1[i] );
451 RT3[i] = ROTL8( RT2[i] );
452 }
453}
454
455#endif
456
457/*
458 * AES key schedule (encryption)
459 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]460int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]461{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]462 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]463 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]464
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]465#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]466 if( aes_init_done == 0 )
467 {
468 aes_gen_tables();
469 aes_init_done = 1;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]470
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]471 }
472#endif
473
474 switch( keysize )
475 {
476 case 128: ctx->nr = 10; break;
477 case 192: ctx->nr = 12; break;
478 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]479 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]480 }
481
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]482#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
483 if( aes_padlock_ace == -1 )
484 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
485
486 if( aes_padlock_ace )
487 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
488 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]489#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]490 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]491
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]492#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
493 if( aesni_supports( POLARSSL_AESNI_AES ) )
Manuel Pégourié-Gonnardbfa3c9a2013-12-30 13:53:58 +0100[diff] [blame]494 return( aesni_setkey_enc( (unsigned char *) ctx->rk, key, keysize ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]495#endif
496
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]497 for( i = 0; i < (keysize >> 5); i++ )
498 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]499 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]500 }
501
502 switch( ctx->nr )
503 {
504 case 10:
505
506 for( i = 0; i < 10; i++, RK += 4 )
507 {
508 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]509 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
510 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
511 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
512 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]513
514 RK[5] = RK[1] ^ RK[4];
515 RK[6] = RK[2] ^ RK[5];
516 RK[7] = RK[3] ^ RK[6];
517 }
518 break;
519
520 case 12:
521
522 for( i = 0; i < 8; i++, RK += 6 )
523 {
524 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]525 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
526 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
527 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
528 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]529
530 RK[7] = RK[1] ^ RK[6];
531 RK[8] = RK[2] ^ RK[7];
532 RK[9] = RK[3] ^ RK[8];
533 RK[10] = RK[4] ^ RK[9];
534 RK[11] = RK[5] ^ RK[10];
535 }
536 break;
537
538 case 14:
539
540 for( i = 0; i < 7; i++, RK += 8 )
541 {
542 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]543 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
544 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
545 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
546 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]547
548 RK[9] = RK[1] ^ RK[8];
549 RK[10] = RK[2] ^ RK[9];
550 RK[11] = RK[3] ^ RK[10];
551
552 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]553 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
554 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
555 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
556 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]557
558 RK[13] = RK[5] ^ RK[12];
559 RK[14] = RK[6] ^ RK[13];
560 RK[15] = RK[7] ^ RK[14];
561 }
562 break;
563
564 default:
565
566 break;
567 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]568
569 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]570}
571
572/*
573 * AES key schedule (decryption)
574 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]575int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]576{
577 int i, j;
578 aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]579 uint32_t *RK;
580 uint32_t *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]581 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]582
583 switch( keysize )
584 {
585 case 128: ctx->nr = 10; break;
586 case 192: ctx->nr = 12; break;
587 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]588 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]589 }
590
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]591#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
592 if( aes_padlock_ace == -1 )
593 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
594
595 if( aes_padlock_ace )
596 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
597 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]598#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]599 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]600
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]601 ret = aes_setkey_enc( &cty, key, keysize );
602 if( ret != 0 )
603 return( ret );
604
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]605#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
606 if( aesni_supports( POLARSSL_AESNI_AES ) )
607 {
608 aesni_inverse_key( (unsigned char *) ctx->rk,
609 (const unsigned char *) cty.rk, ctx->nr );
610 goto done;
611 }
612#endif
613
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]614 SK = cty.rk + cty.nr * 4;
615
616 *RK++ = *SK++;
617 *RK++ = *SK++;
618 *RK++ = *SK++;
619 *RK++ = *SK++;
620
621 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
622 {
623 for( j = 0; j < 4; j++, SK++ )
624 {
625 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
626 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
627 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
628 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
629 }
630 }
631
632 *RK++ = *SK++;
633 *RK++ = *SK++;
634 *RK++ = *SK++;
635 *RK++ = *SK++;
636
Paul Bakker0d0de922013-12-30 15:29:04 +0100[diff] [blame]637#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]638done:
Paul Bakker0d0de922013-12-30 15:29:04 +0100[diff] [blame]639#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]640 memset( &cty, 0, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]641
642 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]643}
644
645#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
646{ \
647 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
648 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
649 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
650 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
651 \
652 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
653 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
654 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
655 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
656 \
657 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
658 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
659 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
660 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
661 \
662 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
663 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
664 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
665 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
666}
667
668#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
669{ \
670 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
671 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
672 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
673 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
674 \
675 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
676 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
677 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
678 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
679 \
680 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
681 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
682 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
683 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
684 \
685 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
686 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
687 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
688 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
689}
690
691/*
692 * AES-ECB block encryption/decryption
693 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]694int aes_crypt_ecb( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]695 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]696 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]697 unsigned char output[16] )
698{
699 int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]700 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]701
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]702#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
Manuel Pégourié-Gonnard8eaf20b2013-12-18 19:14:53 +0100[diff] [blame]703 if( aesni_supports( POLARSSL_AESNI_AES ) )
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]704 return( aesni_crypt_ecb( ctx, mode, input, output ) );
705#endif
706
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]707#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]708 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]709 {
710 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]711 return( 0 );
712
713 // If padlock data misaligned, we just fall back to
714 // unaccelerated mode
715 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]716 }
717#endif
718
719 RK = ctx->rk;
720
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]721 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
722 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
723 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
724 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]725
726 if( mode == AES_DECRYPT )
727 {
728 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
729 {
730 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
731 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
732 }
733
734 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
735
736 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]737 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
738 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
739 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
740 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]741
742 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]743 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
744 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
745 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
746 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]747
748 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]749 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
750 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
751 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
752 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]753
754 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]755 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
756 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
757 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
758 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]759 }
760 else /* AES_ENCRYPT */
761 {
762 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
763 {
764 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
765 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
766 }
767
768 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
769
770 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]771 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
772 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
773 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
774 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]775
776 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]777 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
778 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
779 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
780 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]781
782 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]783 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
784 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
785 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
786 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]787
788 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]789 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
790 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
791 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
792 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]793 }
794
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]795 PUT_UINT32_LE( X0, output, 0 );
796 PUT_UINT32_LE( X1, output, 4 );
797 PUT_UINT32_LE( X2, output, 8 );
798 PUT_UINT32_LE( X3, output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]799
800 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]801}
802
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]803#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]804/*
805 * AES-CBC buffer encryption/decryption
806 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]807int aes_crypt_cbc( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]808 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]809 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]810 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]811 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]812 unsigned char *output )
813{
814 int i;
815 unsigned char temp[16];
816
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]817 if( length % 16 )
818 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
819
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]820#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]821 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]822 {
823 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]824 return( 0 );
825
826 // If padlock data misaligned, we just fall back to
827 // unaccelerated mode
828 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]829 }
830#endif
831
832 if( mode == AES_DECRYPT )
833 {
834 while( length > 0 )
835 {
836 memcpy( temp, input, 16 );
837 aes_crypt_ecb( ctx, mode, input, output );
838
839 for( i = 0; i < 16; i++ )
840 output[i] = (unsigned char)( output[i] ^ iv[i] );
841
842 memcpy( iv, temp, 16 );
843
844 input += 16;
845 output += 16;
846 length -= 16;
847 }
848 }
849 else
850 {
851 while( length > 0 )
852 {
853 for( i = 0; i < 16; i++ )
854 output[i] = (unsigned char)( input[i] ^ iv[i] );
855
856 aes_crypt_ecb( ctx, mode, output, output );
857 memcpy( iv, output, 16 );
858
859 input += 16;
860 output += 16;
861 length -= 16;
862 }
863 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]864
865 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]866}
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]867#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]868
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]869#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]870/*
871 * AES-CFB128 buffer encryption/decryption
872 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]873int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]874 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]875 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]876 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]877 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]878 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]879 unsigned char *output )
880{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]881 int c;
882 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]883
884 if( mode == AES_DECRYPT )
885 {
886 while( length-- )
887 {
888 if( n == 0 )
889 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
890
891 c = *input++;
892 *output++ = (unsigned char)( c ^ iv[n] );
893 iv[n] = (unsigned char) c;
894
895 n = (n + 1) & 0x0F;
896 }
897 }
898 else
899 {
900 while( length-- )
901 {
902 if( n == 0 )
903 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
904
905 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
906
907 n = (n + 1) & 0x0F;
908 }
909 }
910
911 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]912
913 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]914}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]915
916/*
917 * AES-CFB8 buffer encryption/decryption
918 */
919#include <stdio.h>
920int aes_crypt_cfb8( aes_context *ctx,
921 int mode,
922 size_t length,
923 unsigned char iv[16],
924 const unsigned char *input,
925 unsigned char *output )
926{
927 unsigned char c;
928 unsigned char ov[17];
929
930 while( length-- )
931 {
932 memcpy(ov, iv, 16);
933 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
934
935 if( mode == AES_DECRYPT )
936 ov[16] = *input;
937
938 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
939
940 if( mode == AES_ENCRYPT )
941 ov[16] = c;
942
943 memcpy(iv, ov + 1, 16);
944 }
945
946 return( 0 );
947}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]948#endif /*POLARSSL_CIPHER_MODE_CFB */
949
950#if defined(POLARSSL_CIPHER_MODE_CTR)
951/*
952 * AES-CTR buffer encryption/decryption
953 */
954int aes_crypt_ctr( aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]955 size_t length,
956 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]957 unsigned char nonce_counter[16],
958 unsigned char stream_block[16],
959 const unsigned char *input,
960 unsigned char *output )
961{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]962 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]963 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]964
965 while( length-- )
966 {
967 if( n == 0 ) {
968 aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
969
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]970 for( i = 16; i > 0; i-- )
971 if( ++nonce_counter[i - 1] != 0 )
972 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]973 }
974 c = *input++;
975 *output++ = (unsigned char)( c ^ stream_block[n] );
976
977 n = (n + 1) & 0x0F;
978 }
979
980 *nc_off = n;
981
982 return( 0 );
983}
984#endif /* POLARSSL_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]985
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]986#endif /* !POLARSSL_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]987
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]988#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]989
990#include <stdio.h>
991
992/*
993 * AES test vectors from:
994 *
995 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
996 */
997static const unsigned char aes_test_ecb_dec[3][16] =
998{
999 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1000 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1001 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1002 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1003 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1004 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1005};
1006
1007static const unsigned char aes_test_ecb_enc[3][16] =
1008{
1009 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1010 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1011 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1012 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1013 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1014 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1015};
1016
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1017#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1018static const unsigned char aes_test_cbc_dec[3][16] =
1019{
1020 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1021 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1022 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1023 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1024 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1025 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1026};
1027
1028static const unsigned char aes_test_cbc_enc[3][16] =
1029{
1030 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1031 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1032 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1033 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1034 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1035 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1036};
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1037#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1038
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1039#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1040/*
1041 * AES-CFB128 test vectors from:
1042 *
1043 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1044 */
1045static const unsigned char aes_test_cfb128_key[3][32] =
1046{
1047 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1048 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1049 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1050 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1051 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1052 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1053 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1054 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1055 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1056};
1057
1058static const unsigned char aes_test_cfb128_iv[16] =
1059{
1060 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1061 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1062};
1063
1064static const unsigned char aes_test_cfb128_pt[64] =
1065{
1066 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1067 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1068 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1069 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1070 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1071 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1072 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1073 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1074};
1075
1076static const unsigned char aes_test_cfb128_ct[3][64] =
1077{
1078 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1079 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1080 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1081 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1082 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1083 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1084 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1085 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1086 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1087 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1088 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1089 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1090 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1091 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1092 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1093 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1094 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1095 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1096 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1097 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1098 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1099 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1100 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1101 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1102};
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1103#endif /* POLARSSL_CIPHER_MODE_CFB */
1104
1105#if defined(POLARSSL_CIPHER_MODE_CTR)
1106/*
1107 * AES-CTR test vectors from:
1108 *
1109 * http://www.faqs.org/rfcs/rfc3686.html
1110 */
1111
1112static const unsigned char aes_test_ctr_key[3][16] =
1113{
1114 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1115 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1116 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1117 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1118 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1119 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1120};
1121
1122static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1123{
1124 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1125 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1126 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1127 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1128 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1129 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1130};
1131
1132static const unsigned char aes_test_ctr_pt[3][48] =
1133{
1134 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1135 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1136
1137 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1138 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1139 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1140 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1141
1142 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1143 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1144 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1145 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1146 0x20, 0x21, 0x22, 0x23 }
1147};
1148
1149static const unsigned char aes_test_ctr_ct[3][48] =
1150{
1151 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1152 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1153 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1154 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1155 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1156 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1157 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1158 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1159 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1160 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1161 0x25, 0xB2, 0x07, 0x2F }
1162};
1163
1164static const int aes_test_ctr_len[3] =
1165 { 16, 32, 36 };
1166#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1167
1168/*
1169 * Checkup routine
1170 */
1171int aes_self_test( int verbose )
1172{
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1173 int i, j, u, v;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1174 unsigned char key[32];
1175 unsigned char buf[64];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1176 unsigned char iv[16];
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1177#if defined(POLARSSL_CIPHER_MODE_CBC)
1178 unsigned char prv[16];
1179#endif
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1180#if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1181 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1182#endif
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1183#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1184 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1185 unsigned char nonce_counter[16];
1186 unsigned char stream_block[16];
1187#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1188 aes_context ctx;
1189
1190 memset( key, 0, 32 );
1191
1192 /*
1193 * ECB mode
1194 */
1195 for( i = 0; i < 6; i++ )
1196 {
1197 u = i >> 1;
1198 v = i & 1;
1199
1200 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1201 polarssl_printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1202 ( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1203
1204 memset( buf, 0, 16 );
1205
1206 if( v == AES_DECRYPT )
1207 {
1208 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1209
1210 for( j = 0; j < 10000; j++ )
1211 aes_crypt_ecb( &ctx, v, buf, buf );
1212
1213 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1214 {
1215 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1216 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1217
1218 return( 1 );
1219 }
1220 }
1221 else
1222 {
1223 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1224
1225 for( j = 0; j < 10000; j++ )
1226 aes_crypt_ecb( &ctx, v, buf, buf );
1227
1228 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1229 {
1230 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1231 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1232
1233 return( 1 );
1234 }
1235 }
1236
1237 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1238 polarssl_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1239 }
1240
1241 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1242 polarssl_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1243
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1244#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1245 /*
1246 * CBC mode
1247 */
1248 for( i = 0; i < 6; i++ )
1249 {
1250 u = i >> 1;
1251 v = i & 1;
1252
1253 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1254 polarssl_printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1255 ( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1256
1257 memset( iv , 0, 16 );
1258 memset( prv, 0, 16 );
1259 memset( buf, 0, 16 );
1260
1261 if( v == AES_DECRYPT )
1262 {
1263 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1264
1265 for( j = 0; j < 10000; j++ )
1266 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1267
1268 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1269 {
1270 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1271 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1272
1273 return( 1 );
1274 }
1275 }
1276 else
1277 {
1278 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1279
1280 for( j = 0; j < 10000; j++ )
1281 {
1282 unsigned char tmp[16];
1283
1284 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1285
1286 memcpy( tmp, prv, 16 );
1287 memcpy( prv, buf, 16 );
1288 memcpy( buf, tmp, 16 );
1289 }
1290
1291 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1292 {
1293 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1294 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1295
1296 return( 1 );
1297 }
1298 }
1299
1300 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1301 polarssl_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1302 }
1303
1304 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1305 polarssl_printf( "\n" );
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1306#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1307
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1308#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1309 /*
1310 * CFB128 mode
1311 */
1312 for( i = 0; i < 6; i++ )
1313 {
1314 u = i >> 1;
1315 v = i & 1;
1316
1317 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1318 polarssl_printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1319 ( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1320
1321 memcpy( iv, aes_test_cfb128_iv, 16 );
1322 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1323
1324 offset = 0;
1325 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1326
1327 if( v == AES_DECRYPT )
1328 {
1329 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1330 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1331
1332 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1333 {
1334 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1335 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1336
1337 return( 1 );
1338 }
1339 }
1340 else
1341 {
1342 memcpy( buf, aes_test_cfb128_pt, 64 );
1343 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1344
1345 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1346 {
1347 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1348 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1349
1350 return( 1 );
1351 }
1352 }
1353
1354 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1355 polarssl_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1356 }
1357
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1358 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1359 polarssl_printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1360#endif /* POLARSSL_CIPHER_MODE_CFB */
1361
1362#if defined(POLARSSL_CIPHER_MODE_CTR)
1363 /*
1364 * CTR mode
1365 */
1366 for( i = 0; i < 6; i++ )
1367 {
1368 u = i >> 1;
1369 v = i & 1;
1370
1371 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1372 polarssl_printf( " AES-CTR-128 (%s): ",
1373 ( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1374
1375 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1376 memcpy( key, aes_test_ctr_key[u], 16 );
1377
1378 offset = 0;
1379 aes_setkey_enc( &ctx, key, 128 );
1380
1381 if( v == AES_DECRYPT )
1382 {
1383 len = aes_test_ctr_len[u];
1384 memcpy( buf, aes_test_ctr_ct[u], len );
1385
1386 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1387
1388 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1389 {
1390 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1391 polarssl_printf( "failed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1392
1393 return( 1 );
1394 }
1395 }
1396 else
1397 {
1398 len = aes_test_ctr_len[u];
1399 memcpy( buf, aes_test_ctr_pt[u], len );
1400
1401 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1402
1403 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1404 {
1405 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1406 polarssl_printf( "failed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1407
1408 return( 1 );
1409 }
1410 }
1411
1412 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1413 polarssl_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1414 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1415
1416 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1417 polarssl_printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1418#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1419
1420 return( 0 );
1421}
1422
1423#endif
1424
1425#endif