TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / f3ccc681001b8bc3a74e060597203a682072d6f6 / . / library / aes.c
blob: bf7b337b6c518b0458bb5ac3f75ebe361532dac3 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]4 * Copyright (C) 2006-2009, Paul Bakker <polarssl_maintainer at polarssl.org>
5 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]6 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]7 * Joined copyright on original XySSL code with: Christophe Devine
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 */
23/*
24 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
25 *
26 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
27 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
28 */
29
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]30#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]31
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]32#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#include "polarssl/aes.h"
35#include "polarssl/padlock.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]36
37#include <string.h>
38
39/*
40 * 32-bit integer manipulation macros (little endian)
41 */
42#ifndef GET_ULONG_LE
43#define GET_ULONG_LE(n,b,i) \
44{ \
45 (n) = ( (unsigned long) (b)[(i) ] ) \
46 | ( (unsigned long) (b)[(i) + 1] << 8 ) \
47 | ( (unsigned long) (b)[(i) + 2] << 16 ) \
48 | ( (unsigned long) (b)[(i) + 3] << 24 ); \
49}
50#endif
51
52#ifndef PUT_ULONG_LE
53#define PUT_ULONG_LE(n,b,i) \
54{ \
55 (b)[(i) ] = (unsigned char) ( (n) ); \
56 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
57 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
58 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
59}
60#endif
61
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]62#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]63/*
64 * Forward S-box
65 */
66static const unsigned char FSb[256] =
67{
68 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
69 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
70 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
71 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
72 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
73 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
74 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
75 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
76 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
77 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
78 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
79 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
80 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
81 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
82 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
83 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
84 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
85 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
86 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
87 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
88 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
89 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
90 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
91 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
92 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
93 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
94 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
95 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
96 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
97 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
98 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
99 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
100};
101
102/*
103 * Forward tables
104 */
105#define FT \
106\
107 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
108 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
109 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
110 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
111 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
112 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
113 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
114 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
115 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
116 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
117 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
118 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
119 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
120 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
121 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
122 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
123 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
124 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
125 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
126 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
127 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
128 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
129 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
130 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
131 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
132 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
133 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
134 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
135 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
136 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
137 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
138 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
139 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
140 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
141 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
142 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
143 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
144 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
145 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
146 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
147 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
148 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
149 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
150 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
151 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
152 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
153 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
154 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
155 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
156 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
157 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
158 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
159 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
160 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
161 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
162 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
163 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
164 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
165 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
166 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
167 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
168 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
169 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
170 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
171
172#define V(a,b,c,d) 0x##a##b##c##d
173static const unsigned long FT0[256] = { FT };
174#undef V
175
176#define V(a,b,c,d) 0x##b##c##d##a
177static const unsigned long FT1[256] = { FT };
178#undef V
179
180#define V(a,b,c,d) 0x##c##d##a##b
181static const unsigned long FT2[256] = { FT };
182#undef V
183
184#define V(a,b,c,d) 0x##d##a##b##c
185static const unsigned long FT3[256] = { FT };
186#undef V
187
188#undef FT
189
190/*
191 * Reverse S-box
192 */
193static const unsigned char RSb[256] =
194{
195 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
196 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
197 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
198 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
199 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
200 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
201 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
202 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
203 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
204 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
205 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
206 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
207 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
208 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
209 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
210 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
211 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
212 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
213 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
214 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
215 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
216 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
217 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
218 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
219 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
220 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
221 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
222 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
223 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
224 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
225 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
226 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
227};
228
229/*
230 * Reverse tables
231 */
232#define RT \
233\
234 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
235 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
236 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
237 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
238 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
239 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
240 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
241 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
242 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
243 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
244 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
245 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
246 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
247 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
248 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
249 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
250 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
251 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
252 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
253 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
254 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
255 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
256 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
257 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
258 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
259 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
260 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
261 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
262 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
263 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
264 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
265 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
266 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
267 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
268 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
269 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
270 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
271 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
272 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
273 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
274 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
275 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
276 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
277 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
278 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
279 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
280 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
281 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
282 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
283 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
284 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
285 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
286 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
287 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
288 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
289 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
290 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
291 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
292 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
293 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
294 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
295 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
296 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
297 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
298
299#define V(a,b,c,d) 0x##a##b##c##d
300static const unsigned long RT0[256] = { RT };
301#undef V
302
303#define V(a,b,c,d) 0x##b##c##d##a
304static const unsigned long RT1[256] = { RT };
305#undef V
306
307#define V(a,b,c,d) 0x##c##d##a##b
308static const unsigned long RT2[256] = { RT };
309#undef V
310
311#define V(a,b,c,d) 0x##d##a##b##c
312static const unsigned long RT3[256] = { RT };
313#undef V
314
315#undef RT
316
317/*
318 * Round constants
319 */
320static const unsigned long RCON[10] =
321{
322 0x00000001, 0x00000002, 0x00000004, 0x00000008,
323 0x00000010, 0x00000020, 0x00000040, 0x00000080,
324 0x0000001B, 0x00000036
325};
326
327#else
328
329/*
330 * Forward S-box & tables
331 */
332static unsigned char FSb[256];
333static unsigned long FT0[256];
334static unsigned long FT1[256];
335static unsigned long FT2[256];
336static unsigned long FT3[256];
337
338/*
339 * Reverse S-box & tables
340 */
341static unsigned char RSb[256];
342static unsigned long RT0[256];
343static unsigned long RT1[256];
344static unsigned long RT2[256];
345static unsigned long RT3[256];
346
347/*
348 * Round constants
349 */
350static unsigned long RCON[10];
351
352/*
353 * Tables generation code
354 */
355#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
356#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
357#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
358
359static int aes_init_done = 0;
360
361static void aes_gen_tables( void )
362{
363 int i, x, y, z;
364 int pow[256];
365 int log[256];
366
367 /*
368 * compute pow and log tables over GF(2^8)
369 */
370 for( i = 0, x = 1; i < 256; i++ )
371 {
372 pow[i] = x;
373 log[x] = i;
374 x = ( x ^ XTIME( x ) ) & 0xFF;
375 }
376
377 /*
378 * calculate the round constants
379 */
380 for( i = 0, x = 1; i < 10; i++ )
381 {
382 RCON[i] = (unsigned long) x;
383 x = XTIME( x ) & 0xFF;
384 }
385
386 /*
387 * generate the forward and reverse S-boxes
388 */
389 FSb[0x00] = 0x63;
390 RSb[0x63] = 0x00;
391
392 for( i = 1; i < 256; i++ )
393 {
394 x = pow[255 - log[i]];
395
396 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
397 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
398 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
399 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
400 x ^= y ^ 0x63;
401
402 FSb[i] = (unsigned char) x;
403 RSb[x] = (unsigned char) i;
404 }
405
406 /*
407 * generate the forward and reverse tables
408 */
409 for( i = 0; i < 256; i++ )
410 {
411 x = FSb[i];
412 y = XTIME( x ) & 0xFF;
413 z = ( y ^ x ) & 0xFF;
414
415 FT0[i] = ( (unsigned long) y ) ^
416 ( (unsigned long) x << 8 ) ^
417 ( (unsigned long) x << 16 ) ^
418 ( (unsigned long) z << 24 );
419
420 FT1[i] = ROTL8( FT0[i] );
421 FT2[i] = ROTL8( FT1[i] );
422 FT3[i] = ROTL8( FT2[i] );
423
424 x = RSb[i];
425
426 RT0[i] = ( (unsigned long) MUL( 0x0E, x ) ) ^
427 ( (unsigned long) MUL( 0x09, x ) << 8 ) ^
428 ( (unsigned long) MUL( 0x0D, x ) << 16 ) ^
429 ( (unsigned long) MUL( 0x0B, x ) << 24 );
430
431 RT1[i] = ROTL8( RT0[i] );
432 RT2[i] = ROTL8( RT1[i] );
433 RT3[i] = ROTL8( RT2[i] );
434 }
435}
436
437#endif
438
439/*
440 * AES key schedule (encryption)
441 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]442int aes_setkey_enc( aes_context *ctx, const unsigned char *key, int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]443{
444 int i;
445 unsigned long *RK;
446
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]447#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]448 if( aes_init_done == 0 )
449 {
450 aes_gen_tables();
451 aes_init_done = 1;
452 }
453#endif
454
455 switch( keysize )
456 {
457 case 128: ctx->nr = 10; break;
458 case 192: ctx->nr = 12; break;
459 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]460 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]461 }
462
463#if defined(PADLOCK_ALIGN16)
464 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
465#else
466 ctx->rk = RK = ctx->buf;
467#endif
468
469 for( i = 0; i < (keysize >> 5); i++ )
470 {
471 GET_ULONG_LE( RK[i], key, i << 2 );
472 }
473
474 switch( ctx->nr )
475 {
476 case 10:
477
478 for( i = 0; i < 10; i++, RK += 4 )
479 {
480 RK[4] = RK[0] ^ RCON[i] ^
481 ( (unsigned long) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
482 ( (unsigned long) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
483 ( (unsigned long) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
484 ( (unsigned long) FSb[ ( RK[3] ) & 0xFF ] << 24 );
485
486 RK[5] = RK[1] ^ RK[4];
487 RK[6] = RK[2] ^ RK[5];
488 RK[7] = RK[3] ^ RK[6];
489 }
490 break;
491
492 case 12:
493
494 for( i = 0; i < 8; i++, RK += 6 )
495 {
496 RK[6] = RK[0] ^ RCON[i] ^
497 ( (unsigned long) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
498 ( (unsigned long) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
499 ( (unsigned long) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
500 ( (unsigned long) FSb[ ( RK[5] ) & 0xFF ] << 24 );
501
502 RK[7] = RK[1] ^ RK[6];
503 RK[8] = RK[2] ^ RK[7];
504 RK[9] = RK[3] ^ RK[8];
505 RK[10] = RK[4] ^ RK[9];
506 RK[11] = RK[5] ^ RK[10];
507 }
508 break;
509
510 case 14:
511
512 for( i = 0; i < 7; i++, RK += 8 )
513 {
514 RK[8] = RK[0] ^ RCON[i] ^
515 ( (unsigned long) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
516 ( (unsigned long) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
517 ( (unsigned long) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
518 ( (unsigned long) FSb[ ( RK[7] ) & 0xFF ] << 24 );
519
520 RK[9] = RK[1] ^ RK[8];
521 RK[10] = RK[2] ^ RK[9];
522 RK[11] = RK[3] ^ RK[10];
523
524 RK[12] = RK[4] ^
525 ( (unsigned long) FSb[ ( RK[11] ) & 0xFF ] ) ^
526 ( (unsigned long) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
527 ( (unsigned long) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
528 ( (unsigned long) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
529
530 RK[13] = RK[5] ^ RK[12];
531 RK[14] = RK[6] ^ RK[13];
532 RK[15] = RK[7] ^ RK[14];
533 }
534 break;
535
536 default:
537
538 break;
539 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]540
541 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]542}
543
544/*
545 * AES key schedule (decryption)
546 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]547int aes_setkey_dec( aes_context *ctx, const unsigned char *key, int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]548{
549 int i, j;
550 aes_context cty;
551 unsigned long *RK;
552 unsigned long *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]553 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]554
555 switch( keysize )
556 {
557 case 128: ctx->nr = 10; break;
558 case 192: ctx->nr = 12; break;
559 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]560 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]561 }
562
563#if defined(PADLOCK_ALIGN16)
564 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
565#else
566 ctx->rk = RK = ctx->buf;
567#endif
568
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]569 ret = aes_setkey_enc( &cty, key, keysize );
570 if( ret != 0 )
571 return( ret );
572
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]573 SK = cty.rk + cty.nr * 4;
574
575 *RK++ = *SK++;
576 *RK++ = *SK++;
577 *RK++ = *SK++;
578 *RK++ = *SK++;
579
580 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
581 {
582 for( j = 0; j < 4; j++, SK++ )
583 {
584 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
585 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
586 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
587 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
588 }
589 }
590
591 *RK++ = *SK++;
592 *RK++ = *SK++;
593 *RK++ = *SK++;
594 *RK++ = *SK++;
595
596 memset( &cty, 0, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]597
598 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]599}
600
601#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
602{ \
603 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
604 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
605 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
606 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
607 \
608 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
609 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
610 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
611 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
612 \
613 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
614 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
615 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
616 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
617 \
618 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
619 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
620 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
621 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
622}
623
624#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
625{ \
626 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
627 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
628 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
629 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
630 \
631 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
632 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
633 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
634 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
635 \
636 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
637 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
638 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
639 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
640 \
641 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
642 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
643 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
644 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
645}
646
647/*
648 * AES-ECB block encryption/decryption
649 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame^]650int aes_crypt_ecb( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]651 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]652 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]653 unsigned char output[16] )
654{
655 int i;
656 unsigned long *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
657
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]658#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]659 if( padlock_supports( PADLOCK_ACE ) )
660 {
661 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame^]662 return( 0 );
663
664 // If padlock data misaligned, we just fall back to
665 // unaccelerated mode
666 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]667 }
668#endif
669
670 RK = ctx->rk;
671
672 GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
673 GET_ULONG_LE( X1, input, 4 ); X1 ^= *RK++;
674 GET_ULONG_LE( X2, input, 8 ); X2 ^= *RK++;
675 GET_ULONG_LE( X3, input, 12 ); X3 ^= *RK++;
676
677 if( mode == AES_DECRYPT )
678 {
679 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
680 {
681 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
682 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
683 }
684
685 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
686
687 X0 = *RK++ ^ \
688 ( (unsigned long) RSb[ ( Y0 ) & 0xFF ] ) ^
689 ( (unsigned long) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
690 ( (unsigned long) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
691 ( (unsigned long) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
692
693 X1 = *RK++ ^ \
694 ( (unsigned long) RSb[ ( Y1 ) & 0xFF ] ) ^
695 ( (unsigned long) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
696 ( (unsigned long) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
697 ( (unsigned long) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
698
699 X2 = *RK++ ^ \
700 ( (unsigned long) RSb[ ( Y2 ) & 0xFF ] ) ^
701 ( (unsigned long) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
702 ( (unsigned long) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
703 ( (unsigned long) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
704
705 X3 = *RK++ ^ \
706 ( (unsigned long) RSb[ ( Y3 ) & 0xFF ] ) ^
707 ( (unsigned long) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
708 ( (unsigned long) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
709 ( (unsigned long) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
710 }
711 else /* AES_ENCRYPT */
712 {
713 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
714 {
715 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
716 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
717 }
718
719 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
720
721 X0 = *RK++ ^ \
722 ( (unsigned long) FSb[ ( Y0 ) & 0xFF ] ) ^
723 ( (unsigned long) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
724 ( (unsigned long) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
725 ( (unsigned long) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
726
727 X1 = *RK++ ^ \
728 ( (unsigned long) FSb[ ( Y1 ) & 0xFF ] ) ^
729 ( (unsigned long) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
730 ( (unsigned long) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
731 ( (unsigned long) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
732
733 X2 = *RK++ ^ \
734 ( (unsigned long) FSb[ ( Y2 ) & 0xFF ] ) ^
735 ( (unsigned long) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
736 ( (unsigned long) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
737 ( (unsigned long) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
738
739 X3 = *RK++ ^ \
740 ( (unsigned long) FSb[ ( Y3 ) & 0xFF ] ) ^
741 ( (unsigned long) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
742 ( (unsigned long) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
743 ( (unsigned long) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
744 }
745
746 PUT_ULONG_LE( X0, output, 0 );
747 PUT_ULONG_LE( X1, output, 4 );
748 PUT_ULONG_LE( X2, output, 8 );
749 PUT_ULONG_LE( X3, output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame^]750
751 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]752}
753
754/*
755 * AES-CBC buffer encryption/decryption
756 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame^]757int aes_crypt_cbc( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]758 int mode,
759 int length,
760 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]761 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]762 unsigned char *output )
763{
764 int i;
765 unsigned char temp[16];
766
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame^]767 if( length % 16 )
768 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
769
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]770#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]771 if( padlock_supports( PADLOCK_ACE ) )
772 {
773 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame^]774 return( 0 );
775
776 // If padlock data misaligned, we just fall back to
777 // unaccelerated mode
778 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]779 }
780#endif
781
782 if( mode == AES_DECRYPT )
783 {
784 while( length > 0 )
785 {
786 memcpy( temp, input, 16 );
787 aes_crypt_ecb( ctx, mode, input, output );
788
789 for( i = 0; i < 16; i++ )
790 output[i] = (unsigned char)( output[i] ^ iv[i] );
791
792 memcpy( iv, temp, 16 );
793
794 input += 16;
795 output += 16;
796 length -= 16;
797 }
798 }
799 else
800 {
801 while( length > 0 )
802 {
803 for( i = 0; i < 16; i++ )
804 output[i] = (unsigned char)( input[i] ^ iv[i] );
805
806 aes_crypt_ecb( ctx, mode, output, output );
807 memcpy( iv, output, 16 );
808
809 input += 16;
810 output += 16;
811 length -= 16;
812 }
813 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame^]814
815 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]816}
817
818/*
819 * AES-CFB128 buffer encryption/decryption
820 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame^]821int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]822 int mode,
823 int length,
824 int *iv_off,
825 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]826 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]827 unsigned char *output )
828{
829 int c, n = *iv_off;
830
831 if( mode == AES_DECRYPT )
832 {
833 while( length-- )
834 {
835 if( n == 0 )
836 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
837
838 c = *input++;
839 *output++ = (unsigned char)( c ^ iv[n] );
840 iv[n] = (unsigned char) c;
841
842 n = (n + 1) & 0x0F;
843 }
844 }
845 else
846 {
847 while( length-- )
848 {
849 if( n == 0 )
850 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
851
852 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
853
854 n = (n + 1) & 0x0F;
855 }
856 }
857
858 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame^]859
860 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]861}
862
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]863#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]864
865#include <stdio.h>
866
867/*
868 * AES test vectors from:
869 *
870 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
871 */
872static const unsigned char aes_test_ecb_dec[3][16] =
873{
874 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
875 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
876 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
877 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
878 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
879 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
880};
881
882static const unsigned char aes_test_ecb_enc[3][16] =
883{
884 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
885 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
886 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
887 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
888 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
889 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
890};
891
892static const unsigned char aes_test_cbc_dec[3][16] =
893{
894 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
895 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
896 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
897 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
898 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
899 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
900};
901
902static const unsigned char aes_test_cbc_enc[3][16] =
903{
904 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
905 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
906 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
907 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
908 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
909 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
910};
911
912/*
913 * AES-CFB128 test vectors from:
914 *
915 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
916 */
917static const unsigned char aes_test_cfb128_key[3][32] =
918{
919 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
920 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
921 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
922 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
923 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
924 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
925 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
926 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
927 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
928};
929
930static const unsigned char aes_test_cfb128_iv[16] =
931{
932 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
933 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
934};
935
936static const unsigned char aes_test_cfb128_pt[64] =
937{
938 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
939 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
940 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
941 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
942 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
943 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
944 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
945 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
946};
947
948static const unsigned char aes_test_cfb128_ct[3][64] =
949{
950 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
951 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
952 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
953 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
954 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
955 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
956 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
957 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
958 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
959 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
960 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
961 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
962 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
963 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
964 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
965 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
966 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
967 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
968 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
969 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
970 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
971 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
972 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
973 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
974};
975
976/*
977 * Checkup routine
978 */
979int aes_self_test( int verbose )
980{
981 int i, j, u, v, offset;
982 unsigned char key[32];
983 unsigned char buf[64];
984 unsigned char prv[16];
985 unsigned char iv[16];
986 aes_context ctx;
987
988 memset( key, 0, 32 );
989
990 /*
991 * ECB mode
992 */
993 for( i = 0; i < 6; i++ )
994 {
995 u = i >> 1;
996 v = i & 1;
997
998 if( verbose != 0 )
999 printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1000 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1001
1002 memset( buf, 0, 16 );
1003
1004 if( v == AES_DECRYPT )
1005 {
1006 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1007
1008 for( j = 0; j < 10000; j++ )
1009 aes_crypt_ecb( &ctx, v, buf, buf );
1010
1011 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1012 {
1013 if( verbose != 0 )
1014 printf( "failed\n" );
1015
1016 return( 1 );
1017 }
1018 }
1019 else
1020 {
1021 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1022
1023 for( j = 0; j < 10000; j++ )
1024 aes_crypt_ecb( &ctx, v, buf, buf );
1025
1026 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1027 {
1028 if( verbose != 0 )
1029 printf( "failed\n" );
1030
1031 return( 1 );
1032 }
1033 }
1034
1035 if( verbose != 0 )
1036 printf( "passed\n" );
1037 }
1038
1039 if( verbose != 0 )
1040 printf( "\n" );
1041
1042 /*
1043 * CBC mode
1044 */
1045 for( i = 0; i < 6; i++ )
1046 {
1047 u = i >> 1;
1048 v = i & 1;
1049
1050 if( verbose != 0 )
1051 printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1052 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1053
1054 memset( iv , 0, 16 );
1055 memset( prv, 0, 16 );
1056 memset( buf, 0, 16 );
1057
1058 if( v == AES_DECRYPT )
1059 {
1060 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1061
1062 for( j = 0; j < 10000; j++ )
1063 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1064
1065 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1066 {
1067 if( verbose != 0 )
1068 printf( "failed\n" );
1069
1070 return( 1 );
1071 }
1072 }
1073 else
1074 {
1075 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1076
1077 for( j = 0; j < 10000; j++ )
1078 {
1079 unsigned char tmp[16];
1080
1081 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1082
1083 memcpy( tmp, prv, 16 );
1084 memcpy( prv, buf, 16 );
1085 memcpy( buf, tmp, 16 );
1086 }
1087
1088 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1089 {
1090 if( verbose != 0 )
1091 printf( "failed\n" );
1092
1093 return( 1 );
1094 }
1095 }
1096
1097 if( verbose != 0 )
1098 printf( "passed\n" );
1099 }
1100
1101 if( verbose != 0 )
1102 printf( "\n" );
1103
1104 /*
1105 * CFB128 mode
1106 */
1107 for( i = 0; i < 6; i++ )
1108 {
1109 u = i >> 1;
1110 v = i & 1;
1111
1112 if( verbose != 0 )
1113 printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1114 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1115
1116 memcpy( iv, aes_test_cfb128_iv, 16 );
1117 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1118
1119 offset = 0;
1120 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1121
1122 if( v == AES_DECRYPT )
1123 {
1124 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1125 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1126
1127 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1128 {
1129 if( verbose != 0 )
1130 printf( "failed\n" );
1131
1132 return( 1 );
1133 }
1134 }
1135 else
1136 {
1137 memcpy( buf, aes_test_cfb128_pt, 64 );
1138 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1139
1140 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1141 {
1142 if( verbose != 0 )
1143 printf( "failed\n" );
1144
1145 return( 1 );
1146 }
1147 }
1148
1149 if( verbose != 0 )
1150 printf( "passed\n" );
1151 }
1152
1153
1154 if( verbose != 0 )
1155 printf( "\n" );
1156
1157 return( 0 );
1158}
1159
1160#endif
1161
1162#endif