TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 80025417eb1b5205223cd10588faf52bdc6c198a / . / library / aes.c
blob: 69da3f681da8556afe9138e0174dca423a4176e1 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]4 * Copyright (C) 2006-2013, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27 *
28 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30 */
31
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]32#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#include "polarssl/aes.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]37#if defined(POLARSSL_PADLOCK_C)
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#include "polarssl/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]39#endif
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]40#if defined(POLARSSL_AESNI_C)
41#include "polarssl/aesni.h"
42#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]43
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]44#if !defined(POLARSSL_AES_ALT)
45
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]46/*
47 * 32-bit integer manipulation macros (little endian)
48 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]49#ifndef GET_UINT32_LE
50#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]51{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]52 (n) = ( (uint32_t) (b)[(i) ] ) \
53 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
54 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
55 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]56}
57#endif
58
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]59#ifndef PUT_UINT32_LE
60#define PUT_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]61{ \
62 (b)[(i) ] = (unsigned char) ( (n) ); \
63 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
64 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
65 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
66}
67#endif
68
Paul Bakker0e19e9f2012-10-01 11:02:48 +0000[diff] [blame]69#if defined(POLARSSL_PADLOCK_C) && \
70 ( defined(POLARSSL_HAVE_X86) || defined(PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]71static int aes_padlock_ace = -1;
72#endif
73
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]74#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]75/*
76 * Forward S-box
77 */
78static const unsigned char FSb[256] =
79{
80 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
81 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
82 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
83 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
84 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
85 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
86 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
87 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
88 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
89 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
90 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
91 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
92 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
93 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
94 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
95 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
96 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
97 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
98 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
99 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
100 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
101 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
102 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
103 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
104 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
105 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
106 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
107 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
108 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
109 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
110 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
111 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
112};
113
114/*
115 * Forward tables
116 */
117#define FT \
118\
119 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
120 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
121 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
122 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
123 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
124 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
125 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
126 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
127 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
128 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
129 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
130 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
131 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
132 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
133 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
134 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
135 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
136 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
137 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
138 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
139 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
140 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
141 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
142 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
143 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
144 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
145 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
146 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
147 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
148 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
149 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
150 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
151 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
152 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
153 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
154 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
155 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
156 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
157 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
158 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
159 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
160 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
161 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
162 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
163 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
164 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
165 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
166 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
167 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
168 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
169 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
170 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
171 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
172 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
173 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
174 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
175 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
176 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
177 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
178 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
179 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
180 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
181 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
182 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
183
184#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]185static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]186#undef V
187
188#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]189static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]190#undef V
191
192#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]193static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]194#undef V
195
196#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]197static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]198#undef V
199
200#undef FT
201
202/*
203 * Reverse S-box
204 */
205static const unsigned char RSb[256] =
206{
207 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
208 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
209 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
210 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
211 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
212 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
213 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
214 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
215 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
216 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
217 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
218 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
219 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
220 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
221 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
222 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
223 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
224 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
225 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
226 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
227 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
228 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
229 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
230 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
231 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
232 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
233 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
234 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
235 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
236 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
237 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
238 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
239};
240
241/*
242 * Reverse tables
243 */
244#define RT \
245\
246 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
247 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
248 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
249 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
250 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
251 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
252 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
253 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
254 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
255 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
256 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
257 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
258 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
259 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
260 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
261 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
262 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
263 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
264 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
265 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
266 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
267 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
268 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
269 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
270 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
271 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
272 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
273 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
274 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
275 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
276 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
277 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
278 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
279 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
280 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
281 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
282 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
283 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
284 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
285 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
286 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
287 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
288 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
289 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
290 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
291 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
292 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
293 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
294 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
295 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
296 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
297 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
298 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
299 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
300 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
301 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
302 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
303 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
304 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
305 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
306 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
307 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
308 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
309 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
310
311#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]312static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]313#undef V
314
315#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]316static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]317#undef V
318
319#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]320static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]321#undef V
322
323#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]324static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]325#undef V
326
327#undef RT
328
329/*
330 * Round constants
331 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]332static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]333{
334 0x00000001, 0x00000002, 0x00000004, 0x00000008,
335 0x00000010, 0x00000020, 0x00000040, 0x00000080,
336 0x0000001B, 0x00000036
337};
338
339#else
340
341/*
342 * Forward S-box & tables
343 */
344static unsigned char FSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]345static uint32_t FT0[256];
346static uint32_t FT1[256];
347static uint32_t FT2[256];
348static uint32_t FT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]349
350/*
351 * Reverse S-box & tables
352 */
353static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]354static uint32_t RT0[256];
355static uint32_t RT1[256];
356static uint32_t RT2[256];
357static uint32_t RT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]358
359/*
360 * Round constants
361 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]362static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]363
364/*
365 * Tables generation code
366 */
367#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
368#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
369#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
370
371static int aes_init_done = 0;
372
373static void aes_gen_tables( void )
374{
375 int i, x, y, z;
376 int pow[256];
377 int log[256];
378
379 /*
380 * compute pow and log tables over GF(2^8)
381 */
382 for( i = 0, x = 1; i < 256; i++ )
383 {
384 pow[i] = x;
385 log[x] = i;
386 x = ( x ^ XTIME( x ) ) & 0xFF;
387 }
388
389 /*
390 * calculate the round constants
391 */
392 for( i = 0, x = 1; i < 10; i++ )
393 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]394 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]395 x = XTIME( x ) & 0xFF;
396 }
397
398 /*
399 * generate the forward and reverse S-boxes
400 */
401 FSb[0x00] = 0x63;
402 RSb[0x63] = 0x00;
403
404 for( i = 1; i < 256; i++ )
405 {
406 x = pow[255 - log[i]];
407
408 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
409 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
410 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
411 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
412 x ^= y ^ 0x63;
413
414 FSb[i] = (unsigned char) x;
415 RSb[x] = (unsigned char) i;
416 }
417
418 /*
419 * generate the forward and reverse tables
420 */
421 for( i = 0; i < 256; i++ )
422 {
423 x = FSb[i];
424 y = XTIME( x ) & 0xFF;
425 z = ( y ^ x ) & 0xFF;
426
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]427 FT0[i] = ( (uint32_t) y ) ^
428 ( (uint32_t) x << 8 ) ^
429 ( (uint32_t) x << 16 ) ^
430 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]431
432 FT1[i] = ROTL8( FT0[i] );
433 FT2[i] = ROTL8( FT1[i] );
434 FT3[i] = ROTL8( FT2[i] );
435
436 x = RSb[i];
437
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]438 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
439 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
440 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
441 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]442
443 RT1[i] = ROTL8( RT0[i] );
444 RT2[i] = ROTL8( RT1[i] );
445 RT3[i] = ROTL8( RT2[i] );
446 }
447}
448
449#endif
450
451/*
452 * AES key schedule (encryption)
453 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]454int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]455{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]456 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]457 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]458
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]459#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]460 if( aes_init_done == 0 )
461 {
462 aes_gen_tables();
463 aes_init_done = 1;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]464
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]465 }
466#endif
467
468 switch( keysize )
469 {
470 case 128: ctx->nr = 10; break;
471 case 192: ctx->nr = 12; break;
472 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]473 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]474 }
475
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]476#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
477 if( aes_padlock_ace == -1 )
478 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
479
480 if( aes_padlock_ace )
481 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
482 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]483#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]484 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]485
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]486#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
487 if( aesni_supports( POLARSSL_AESNI_AES ) )
Manuel Pégourié-Gonnardbfa3c9a2013-12-30 13:53:58 +0100[diff] [blame]488 return( aesni_setkey_enc( (unsigned char *) ctx->rk, key, keysize ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]489#endif
490
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]491 for( i = 0; i < (keysize >> 5); i++ )
492 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]493 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]494 }
495
496 switch( ctx->nr )
497 {
498 case 10:
499
500 for( i = 0; i < 10; i++, RK += 4 )
501 {
502 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]503 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
504 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
505 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
506 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]507
508 RK[5] = RK[1] ^ RK[4];
509 RK[6] = RK[2] ^ RK[5];
510 RK[7] = RK[3] ^ RK[6];
511 }
512 break;
513
514 case 12:
515
516 for( i = 0; i < 8; i++, RK += 6 )
517 {
518 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]519 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
520 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
521 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
522 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]523
524 RK[7] = RK[1] ^ RK[6];
525 RK[8] = RK[2] ^ RK[7];
526 RK[9] = RK[3] ^ RK[8];
527 RK[10] = RK[4] ^ RK[9];
528 RK[11] = RK[5] ^ RK[10];
529 }
530 break;
531
532 case 14:
533
534 for( i = 0; i < 7; i++, RK += 8 )
535 {
536 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]537 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
538 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
539 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
540 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]541
542 RK[9] = RK[1] ^ RK[8];
543 RK[10] = RK[2] ^ RK[9];
544 RK[11] = RK[3] ^ RK[10];
545
546 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]547 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
548 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
549 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
550 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]551
552 RK[13] = RK[5] ^ RK[12];
553 RK[14] = RK[6] ^ RK[13];
554 RK[15] = RK[7] ^ RK[14];
555 }
556 break;
557
558 default:
559
560 break;
561 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]562
563 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]564}
565
566/*
567 * AES key schedule (decryption)
568 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]569int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]570{
571 int i, j;
572 aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]573 uint32_t *RK;
574 uint32_t *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]575 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]576
577 switch( keysize )
578 {
579 case 128: ctx->nr = 10; break;
580 case 192: ctx->nr = 12; break;
581 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]582 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]583 }
584
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]585#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
586 if( aes_padlock_ace == -1 )
587 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
588
589 if( aes_padlock_ace )
590 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
591 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]592#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]593 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]594
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]595 ret = aes_setkey_enc( &cty, key, keysize );
596 if( ret != 0 )
597 return( ret );
598
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]599#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
600 if( aesni_supports( POLARSSL_AESNI_AES ) )
601 {
602 aesni_inverse_key( (unsigned char *) ctx->rk,
603 (const unsigned char *) cty.rk, ctx->nr );
604 goto done;
605 }
606#endif
607
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]608 SK = cty.rk + cty.nr * 4;
609
610 *RK++ = *SK++;
611 *RK++ = *SK++;
612 *RK++ = *SK++;
613 *RK++ = *SK++;
614
615 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
616 {
617 for( j = 0; j < 4; j++, SK++ )
618 {
619 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
620 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
621 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
622 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
623 }
624 }
625
626 *RK++ = *SK++;
627 *RK++ = *SK++;
628 *RK++ = *SK++;
629 *RK++ = *SK++;
630
Paul Bakker0d0de922013-12-30 15:29:04 +0100[diff] [blame]631#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]632done:
Paul Bakker0d0de922013-12-30 15:29:04 +0100[diff] [blame]633#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]634 memset( &cty, 0, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]635
636 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]637}
638
639#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
640{ \
641 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
642 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
643 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
644 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
645 \
646 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
647 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
648 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
649 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
650 \
651 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
652 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
653 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
654 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
655 \
656 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
657 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
658 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
659 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
660}
661
662#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
663{ \
664 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
665 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
666 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
667 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
668 \
669 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
670 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
671 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
672 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
673 \
674 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
675 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
676 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
677 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
678 \
679 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
680 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
681 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
682 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
683}
684
685/*
686 * AES-ECB block encryption/decryption
687 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]688int aes_crypt_ecb( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]689 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]690 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]691 unsigned char output[16] )
692{
693 int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]694 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]695
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]696#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
Manuel Pégourié-Gonnard8eaf20b2013-12-18 19:14:53 +0100[diff] [blame]697 if( aesni_supports( POLARSSL_AESNI_AES ) )
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]698 return( aesni_crypt_ecb( ctx, mode, input, output ) );
699#endif
700
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]701#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]702 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]703 {
704 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]705 return( 0 );
706
707 // If padlock data misaligned, we just fall back to
708 // unaccelerated mode
709 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]710 }
711#endif
712
713 RK = ctx->rk;
714
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]715 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
716 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
717 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
718 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]719
720 if( mode == AES_DECRYPT )
721 {
722 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
723 {
724 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
725 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
726 }
727
728 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
729
730 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]731 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
732 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
733 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
734 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]735
736 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]737 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
738 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
739 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
740 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]741
742 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]743 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
744 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
745 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
746 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]747
748 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]749 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
750 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
751 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
752 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]753 }
754 else /* AES_ENCRYPT */
755 {
756 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
757 {
758 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
759 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
760 }
761
762 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
763
764 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]765 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
766 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
767 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
768 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]769
770 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]771 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
772 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
773 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
774 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]775
776 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]777 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
778 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
779 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
780 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]781
782 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]783 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
784 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
785 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
786 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]787 }
788
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]789 PUT_UINT32_LE( X0, output, 0 );
790 PUT_UINT32_LE( X1, output, 4 );
791 PUT_UINT32_LE( X2, output, 8 );
792 PUT_UINT32_LE( X3, output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]793
794 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]795}
796
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]797#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]798/*
799 * AES-CBC buffer encryption/decryption
800 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]801int aes_crypt_cbc( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]802 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]803 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]804 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]805 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]806 unsigned char *output )
807{
808 int i;
809 unsigned char temp[16];
810
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]811 if( length % 16 )
812 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
813
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]814#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]815 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]816 {
817 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]818 return( 0 );
819
820 // If padlock data misaligned, we just fall back to
821 // unaccelerated mode
822 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]823 }
824#endif
825
826 if( mode == AES_DECRYPT )
827 {
828 while( length > 0 )
829 {
830 memcpy( temp, input, 16 );
831 aes_crypt_ecb( ctx, mode, input, output );
832
833 for( i = 0; i < 16; i++ )
834 output[i] = (unsigned char)( output[i] ^ iv[i] );
835
836 memcpy( iv, temp, 16 );
837
838 input += 16;
839 output += 16;
840 length -= 16;
841 }
842 }
843 else
844 {
845 while( length > 0 )
846 {
847 for( i = 0; i < 16; i++ )
848 output[i] = (unsigned char)( input[i] ^ iv[i] );
849
850 aes_crypt_ecb( ctx, mode, output, output );
851 memcpy( iv, output, 16 );
852
853 input += 16;
854 output += 16;
855 length -= 16;
856 }
857 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]858
859 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]860}
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]861#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]862
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]863#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]864/*
865 * AES-CFB128 buffer encryption/decryption
866 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]867int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]868 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]869 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]870 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]871 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]872 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]873 unsigned char *output )
874{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]875 int c;
876 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]877
878 if( mode == AES_DECRYPT )
879 {
880 while( length-- )
881 {
882 if( n == 0 )
883 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
884
885 c = *input++;
886 *output++ = (unsigned char)( c ^ iv[n] );
887 iv[n] = (unsigned char) c;
888
889 n = (n + 1) & 0x0F;
890 }
891 }
892 else
893 {
894 while( length-- )
895 {
896 if( n == 0 )
897 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
898
899 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
900
901 n = (n + 1) & 0x0F;
902 }
903 }
904
905 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]906
907 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]908}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]909#endif /*POLARSSL_CIPHER_MODE_CFB */
910
911#if defined(POLARSSL_CIPHER_MODE_CTR)
912/*
913 * AES-CTR buffer encryption/decryption
914 */
915int aes_crypt_ctr( aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]916 size_t length,
917 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]918 unsigned char nonce_counter[16],
919 unsigned char stream_block[16],
920 const unsigned char *input,
921 unsigned char *output )
922{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]923 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]924 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]925
926 while( length-- )
927 {
928 if( n == 0 ) {
929 aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
930
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]931 for( i = 16; i > 0; i-- )
932 if( ++nonce_counter[i - 1] != 0 )
933 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]934 }
935 c = *input++;
936 *output++ = (unsigned char)( c ^ stream_block[n] );
937
938 n = (n + 1) & 0x0F;
939 }
940
941 *nc_off = n;
942
943 return( 0 );
944}
945#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]946#endif /* !POLARSSL_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]947
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]948#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]949
950#include <stdio.h>
951
952/*
953 * AES test vectors from:
954 *
955 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
956 */
957static const unsigned char aes_test_ecb_dec[3][16] =
958{
959 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
960 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
961 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
962 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
963 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
964 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
965};
966
967static const unsigned char aes_test_ecb_enc[3][16] =
968{
969 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
970 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
971 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
972 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
973 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
974 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
975};
976
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]977#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]978static const unsigned char aes_test_cbc_dec[3][16] =
979{
980 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
981 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
982 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
983 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
984 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
985 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
986};
987
988static const unsigned char aes_test_cbc_enc[3][16] =
989{
990 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
991 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
992 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
993 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
994 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
995 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
996};
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]997#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]998
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]999#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1000/*
1001 * AES-CFB128 test vectors from:
1002 *
1003 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1004 */
1005static const unsigned char aes_test_cfb128_key[3][32] =
1006{
1007 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1008 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1009 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1010 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1011 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1012 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1013 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1014 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1015 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1016};
1017
1018static const unsigned char aes_test_cfb128_iv[16] =
1019{
1020 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1021 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1022};
1023
1024static const unsigned char aes_test_cfb128_pt[64] =
1025{
1026 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1027 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1028 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1029 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1030 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1031 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1032 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1033 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1034};
1035
1036static const unsigned char aes_test_cfb128_ct[3][64] =
1037{
1038 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1039 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1040 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1041 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1042 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1043 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1044 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1045 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1046 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1047 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1048 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1049 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1050 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1051 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1052 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1053 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1054 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1055 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1056 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1057 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1058 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1059 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1060 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1061 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1062};
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1063#endif /* POLARSSL_CIPHER_MODE_CFB */
1064
1065#if defined(POLARSSL_CIPHER_MODE_CTR)
1066/*
1067 * AES-CTR test vectors from:
1068 *
1069 * http://www.faqs.org/rfcs/rfc3686.html
1070 */
1071
1072static const unsigned char aes_test_ctr_key[3][16] =
1073{
1074 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1075 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1076 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1077 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1078 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1079 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1080};
1081
1082static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1083{
1084 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1085 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1086 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1087 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1088 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1089 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1090};
1091
1092static const unsigned char aes_test_ctr_pt[3][48] =
1093{
1094 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1095 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1096
1097 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1098 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1099 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1100 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1101
1102 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1103 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1104 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1105 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1106 0x20, 0x21, 0x22, 0x23 }
1107};
1108
1109static const unsigned char aes_test_ctr_ct[3][48] =
1110{
1111 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1112 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1113 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1114 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1115 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1116 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1117 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1118 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1119 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1120 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1121 0x25, 0xB2, 0x07, 0x2F }
1122};
1123
1124static const int aes_test_ctr_len[3] =
1125 { 16, 32, 36 };
1126#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1127
1128/*
1129 * Checkup routine
1130 */
1131int aes_self_test( int verbose )
1132{
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1133 int i, j, u, v;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1134 unsigned char key[32];
1135 unsigned char buf[64];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1136 unsigned char iv[16];
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1137#if defined(POLARSSL_CIPHER_MODE_CBC)
1138 unsigned char prv[16];
1139#endif
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1140#if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1141 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1142#endif
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1143#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1144 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1145 unsigned char nonce_counter[16];
1146 unsigned char stream_block[16];
1147#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1148 aes_context ctx;
1149
1150 memset( key, 0, 32 );
1151
1152 /*
1153 * ECB mode
1154 */
1155 for( i = 0; i < 6; i++ )
1156 {
1157 u = i >> 1;
1158 v = i & 1;
1159
1160 if( verbose != 0 )
1161 printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1162 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1163
1164 memset( buf, 0, 16 );
1165
1166 if( v == AES_DECRYPT )
1167 {
1168 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1169
1170 for( j = 0; j < 10000; j++ )
1171 aes_crypt_ecb( &ctx, v, buf, buf );
1172
1173 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1174 {
1175 if( verbose != 0 )
1176 printf( "failed\n" );
1177
1178 return( 1 );
1179 }
1180 }
1181 else
1182 {
1183 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1184
1185 for( j = 0; j < 10000; j++ )
1186 aes_crypt_ecb( &ctx, v, buf, buf );
1187
1188 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1189 {
1190 if( verbose != 0 )
1191 printf( "failed\n" );
1192
1193 return( 1 );
1194 }
1195 }
1196
1197 if( verbose != 0 )
1198 printf( "passed\n" );
1199 }
1200
1201 if( verbose != 0 )
1202 printf( "\n" );
1203
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1204#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1205 /*
1206 * CBC mode
1207 */
1208 for( i = 0; i < 6; i++ )
1209 {
1210 u = i >> 1;
1211 v = i & 1;
1212
1213 if( verbose != 0 )
1214 printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1215 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1216
1217 memset( iv , 0, 16 );
1218 memset( prv, 0, 16 );
1219 memset( buf, 0, 16 );
1220
1221 if( v == AES_DECRYPT )
1222 {
1223 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1224
1225 for( j = 0; j < 10000; j++ )
1226 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1227
1228 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1229 {
1230 if( verbose != 0 )
1231 printf( "failed\n" );
1232
1233 return( 1 );
1234 }
1235 }
1236 else
1237 {
1238 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1239
1240 for( j = 0; j < 10000; j++ )
1241 {
1242 unsigned char tmp[16];
1243
1244 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1245
1246 memcpy( tmp, prv, 16 );
1247 memcpy( prv, buf, 16 );
1248 memcpy( buf, tmp, 16 );
1249 }
1250
1251 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1252 {
1253 if( verbose != 0 )
1254 printf( "failed\n" );
1255
1256 return( 1 );
1257 }
1258 }
1259
1260 if( verbose != 0 )
1261 printf( "passed\n" );
1262 }
1263
1264 if( verbose != 0 )
1265 printf( "\n" );
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1266#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1267
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1268#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1269 /*
1270 * CFB128 mode
1271 */
1272 for( i = 0; i < 6; i++ )
1273 {
1274 u = i >> 1;
1275 v = i & 1;
1276
1277 if( verbose != 0 )
1278 printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1279 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1280
1281 memcpy( iv, aes_test_cfb128_iv, 16 );
1282 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1283
1284 offset = 0;
1285 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1286
1287 if( v == AES_DECRYPT )
1288 {
1289 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1290 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1291
1292 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1293 {
1294 if( verbose != 0 )
1295 printf( "failed\n" );
1296
1297 return( 1 );
1298 }
1299 }
1300 else
1301 {
1302 memcpy( buf, aes_test_cfb128_pt, 64 );
1303 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1304
1305 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1306 {
1307 if( verbose != 0 )
1308 printf( "failed\n" );
1309
1310 return( 1 );
1311 }
1312 }
1313
1314 if( verbose != 0 )
1315 printf( "passed\n" );
1316 }
1317
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1318 if( verbose != 0 )
1319 printf( "\n" );
1320#endif /* POLARSSL_CIPHER_MODE_CFB */
1321
1322#if defined(POLARSSL_CIPHER_MODE_CTR)
1323 /*
1324 * CTR mode
1325 */
1326 for( i = 0; i < 6; i++ )
1327 {
1328 u = i >> 1;
1329 v = i & 1;
1330
1331 if( verbose != 0 )
1332 printf( " AES-CTR-128 (%s): ",
1333 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1334
1335 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1336 memcpy( key, aes_test_ctr_key[u], 16 );
1337
1338 offset = 0;
1339 aes_setkey_enc( &ctx, key, 128 );
1340
1341 if( v == AES_DECRYPT )
1342 {
1343 len = aes_test_ctr_len[u];
1344 memcpy( buf, aes_test_ctr_ct[u], len );
1345
1346 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1347
1348 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1349 {
1350 if( verbose != 0 )
1351 printf( "failed\n" );
1352
1353 return( 1 );
1354 }
1355 }
1356 else
1357 {
1358 len = aes_test_ctr_len[u];
1359 memcpy( buf, aes_test_ctr_pt[u], len );
1360
1361 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1362
1363 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1364 {
1365 if( verbose != 0 )
1366 printf( "failed\n" );
1367
1368 return( 1 );
1369 }
1370 }
1371
1372 if( verbose != 0 )
1373 printf( "passed\n" );
1374 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1375
1376 if( verbose != 0 )
1377 printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1378#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1379
1380 return( 0 );
1381}
1382
1383#endif
1384
1385#endif