TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 556efba51ce93beadb039359d05dc3e58623e26f / . / library / aes.c
blob: bc4b178ed6fa2044a760d9a4eb8f7c63be7cf0bd [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]4 * Copyright (C) 2006-2013, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27 *
28 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30 */
31
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]32#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#include "polarssl/aes.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]37#if defined(POLARSSL_PADLOCK_C)
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#include "polarssl/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]39#endif
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]40#if defined(POLARSSL_AESNI_C)
41#include "polarssl/aesni.h"
42#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]43
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]44#if !defined(POLARSSL_AES_ALT)
45
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]46/*
47 * 32-bit integer manipulation macros (little endian)
48 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]49#ifndef GET_UINT32_LE
50#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]51{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]52 (n) = ( (uint32_t) (b)[(i) ] ) \
53 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
54 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
55 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]56}
57#endif
58
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]59#ifndef PUT_UINT32_LE
60#define PUT_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]61{ \
62 (b)[(i) ] = (unsigned char) ( (n) ); \
63 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
64 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
65 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
66}
67#endif
68
Paul Bakker0e19e9f2012-10-01 11:02:48 +0000[diff] [blame]69#if defined(POLARSSL_PADLOCK_C) && \
70 ( defined(POLARSSL_HAVE_X86) || defined(PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]71static int aes_padlock_ace = -1;
72#endif
73
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]74#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]75/*
76 * Forward S-box
77 */
78static const unsigned char FSb[256] =
79{
80 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
81 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
82 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
83 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
84 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
85 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
86 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
87 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
88 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
89 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
90 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
91 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
92 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
93 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
94 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
95 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
96 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
97 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
98 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
99 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
100 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
101 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
102 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
103 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
104 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
105 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
106 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
107 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
108 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
109 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
110 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
111 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
112};
113
114/*
115 * Forward tables
116 */
117#define FT \
118\
119 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
120 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
121 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
122 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
123 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
124 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
125 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
126 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
127 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
128 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
129 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
130 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
131 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
132 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
133 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
134 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
135 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
136 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
137 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
138 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
139 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
140 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
141 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
142 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
143 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
144 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
145 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
146 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
147 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
148 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
149 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
150 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
151 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
152 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
153 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
154 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
155 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
156 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
157 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
158 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
159 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
160 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
161 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
162 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
163 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
164 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
165 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
166 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
167 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
168 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
169 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
170 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
171 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
172 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
173 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
174 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
175 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
176 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
177 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
178 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
179 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
180 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
181 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
182 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
183
184#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]185static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]186#undef V
187
188#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]189static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]190#undef V
191
192#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]193static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]194#undef V
195
196#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]197static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]198#undef V
199
200#undef FT
201
202/*
203 * Reverse S-box
204 */
205static const unsigned char RSb[256] =
206{
207 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
208 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
209 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
210 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
211 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
212 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
213 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
214 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
215 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
216 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
217 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
218 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
219 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
220 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
221 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
222 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
223 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
224 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
225 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
226 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
227 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
228 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
229 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
230 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
231 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
232 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
233 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
234 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
235 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
236 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
237 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
238 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
239};
240
241/*
242 * Reverse tables
243 */
244#define RT \
245\
246 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
247 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
248 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
249 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
250 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
251 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
252 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
253 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
254 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
255 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
256 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
257 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
258 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
259 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
260 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
261 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
262 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
263 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
264 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
265 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
266 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
267 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
268 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
269 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
270 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
271 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
272 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
273 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
274 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
275 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
276 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
277 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
278 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
279 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
280 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
281 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
282 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
283 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
284 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
285 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
286 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
287 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
288 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
289 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
290 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
291 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
292 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
293 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
294 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
295 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
296 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
297 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
298 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
299 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
300 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
301 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
302 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
303 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
304 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
305 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
306 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
307 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
308 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
309 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
310
311#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]312static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]313#undef V
314
315#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]316static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]317#undef V
318
319#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]320static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]321#undef V
322
323#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]324static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]325#undef V
326
327#undef RT
328
329/*
330 * Round constants
331 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]332static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]333{
334 0x00000001, 0x00000002, 0x00000004, 0x00000008,
335 0x00000010, 0x00000020, 0x00000040, 0x00000080,
336 0x0000001B, 0x00000036
337};
338
339#else
340
341/*
342 * Forward S-box & tables
343 */
344static unsigned char FSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]345static uint32_t FT0[256];
346static uint32_t FT1[256];
347static uint32_t FT2[256];
348static uint32_t FT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]349
350/*
351 * Reverse S-box & tables
352 */
353static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]354static uint32_t RT0[256];
355static uint32_t RT1[256];
356static uint32_t RT2[256];
357static uint32_t RT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]358
359/*
360 * Round constants
361 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]362static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]363
364/*
365 * Tables generation code
366 */
367#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
368#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
369#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
370
371static int aes_init_done = 0;
372
373static void aes_gen_tables( void )
374{
375 int i, x, y, z;
376 int pow[256];
377 int log[256];
378
379 /*
380 * compute pow and log tables over GF(2^8)
381 */
382 for( i = 0, x = 1; i < 256; i++ )
383 {
384 pow[i] = x;
385 log[x] = i;
386 x = ( x ^ XTIME( x ) ) & 0xFF;
387 }
388
389 /*
390 * calculate the round constants
391 */
392 for( i = 0, x = 1; i < 10; i++ )
393 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]394 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]395 x = XTIME( x ) & 0xFF;
396 }
397
398 /*
399 * generate the forward and reverse S-boxes
400 */
401 FSb[0x00] = 0x63;
402 RSb[0x63] = 0x00;
403
404 for( i = 1; i < 256; i++ )
405 {
406 x = pow[255 - log[i]];
407
408 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
409 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
410 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
411 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
412 x ^= y ^ 0x63;
413
414 FSb[i] = (unsigned char) x;
415 RSb[x] = (unsigned char) i;
416 }
417
418 /*
419 * generate the forward and reverse tables
420 */
421 for( i = 0; i < 256; i++ )
422 {
423 x = FSb[i];
424 y = XTIME( x ) & 0xFF;
425 z = ( y ^ x ) & 0xFF;
426
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]427 FT0[i] = ( (uint32_t) y ) ^
428 ( (uint32_t) x << 8 ) ^
429 ( (uint32_t) x << 16 ) ^
430 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]431
432 FT1[i] = ROTL8( FT0[i] );
433 FT2[i] = ROTL8( FT1[i] );
434 FT3[i] = ROTL8( FT2[i] );
435
436 x = RSb[i];
437
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]438 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
439 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
440 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
441 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]442
443 RT1[i] = ROTL8( RT0[i] );
444 RT2[i] = ROTL8( RT1[i] );
445 RT3[i] = ROTL8( RT2[i] );
446 }
447}
448
449#endif
450
451/*
452 * AES key schedule (encryption)
453 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]454int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]455{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]456 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]457 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]458
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]459#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]460 if( aes_init_done == 0 )
461 {
462 aes_gen_tables();
463 aes_init_done = 1;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]464
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]465 }
466#endif
467
468 switch( keysize )
469 {
470 case 128: ctx->nr = 10; break;
471 case 192: ctx->nr = 12; break;
472 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]473 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]474 }
475
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]476#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
477 if( aes_padlock_ace == -1 )
478 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
479
480 if( aes_padlock_ace )
481 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
482 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]483#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]484 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]485
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]486#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
487 if( aesni_supports( POLARSSL_AESNI_AES ) )
Manuel Pégourié-Gonnardbfa3c9a2013-12-30 13:53:58 +0100[diff] [blame]488 return( aesni_setkey_enc( (unsigned char *) ctx->rk, key, keysize ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]489#endif
490
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]491 for( i = 0; i < (keysize >> 5); i++ )
492 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]493 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]494 }
495
496 switch( ctx->nr )
497 {
498 case 10:
499
500 for( i = 0; i < 10; i++, RK += 4 )
501 {
502 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]503 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
504 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
505 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
506 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]507
508 RK[5] = RK[1] ^ RK[4];
509 RK[6] = RK[2] ^ RK[5];
510 RK[7] = RK[3] ^ RK[6];
511 }
512 break;
513
514 case 12:
515
516 for( i = 0; i < 8; i++, RK += 6 )
517 {
518 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]519 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
520 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
521 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
522 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]523
524 RK[7] = RK[1] ^ RK[6];
525 RK[8] = RK[2] ^ RK[7];
526 RK[9] = RK[3] ^ RK[8];
527 RK[10] = RK[4] ^ RK[9];
528 RK[11] = RK[5] ^ RK[10];
529 }
530 break;
531
532 case 14:
533
534 for( i = 0; i < 7; i++, RK += 8 )
535 {
536 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]537 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
538 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
539 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
540 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]541
542 RK[9] = RK[1] ^ RK[8];
543 RK[10] = RK[2] ^ RK[9];
544 RK[11] = RK[3] ^ RK[10];
545
546 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]547 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
548 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
549 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
550 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]551
552 RK[13] = RK[5] ^ RK[12];
553 RK[14] = RK[6] ^ RK[13];
554 RK[15] = RK[7] ^ RK[14];
555 }
556 break;
557
558 default:
559
560 break;
561 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]562
563 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]564}
565
566/*
567 * AES key schedule (decryption)
568 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]569int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]570{
571 int i, j;
572 aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]573 uint32_t *RK;
574 uint32_t *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]575 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]576
577 switch( keysize )
578 {
579 case 128: ctx->nr = 10; break;
580 case 192: ctx->nr = 12; break;
581 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]582 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]583 }
584
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]585#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
586 if( aes_padlock_ace == -1 )
587 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
588
589 if( aes_padlock_ace )
590 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
591 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]592#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]593 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]594
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]595 ret = aes_setkey_enc( &cty, key, keysize );
596 if( ret != 0 )
597 return( ret );
598
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]599#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
600 if( aesni_supports( POLARSSL_AESNI_AES ) )
601 {
602 aesni_inverse_key( (unsigned char *) ctx->rk,
603 (const unsigned char *) cty.rk, ctx->nr );
604 goto done;
605 }
606#endif
607
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]608 SK = cty.rk + cty.nr * 4;
609
610 *RK++ = *SK++;
611 *RK++ = *SK++;
612 *RK++ = *SK++;
613 *RK++ = *SK++;
614
615 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
616 {
617 for( j = 0; j < 4; j++, SK++ )
618 {
619 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
620 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
621 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
622 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
623 }
624 }
625
626 *RK++ = *SK++;
627 *RK++ = *SK++;
628 *RK++ = *SK++;
629 *RK++ = *SK++;
630
Paul Bakker0d0de922013-12-30 15:29:04 +0100[diff] [blame]631#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]632done:
Paul Bakker0d0de922013-12-30 15:29:04 +0100[diff] [blame]633#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]634 memset( &cty, 0, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]635
636 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]637}
638
639#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
640{ \
641 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
642 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
643 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
644 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
645 \
646 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
647 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
648 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
649 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
650 \
651 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
652 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
653 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
654 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
655 \
656 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
657 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
658 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
659 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
660}
661
662#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
663{ \
664 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
665 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
666 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
667 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
668 \
669 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
670 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
671 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
672 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
673 \
674 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
675 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
676 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
677 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
678 \
679 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
680 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
681 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
682 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
683}
684
685/*
686 * AES-ECB block encryption/decryption
687 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]688int aes_crypt_ecb( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]689 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]690 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]691 unsigned char output[16] )
692{
693 int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]694 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]695
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]696#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
Manuel Pégourié-Gonnard8eaf20b2013-12-18 19:14:53 +0100[diff] [blame]697 if( aesni_supports( POLARSSL_AESNI_AES ) )
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]698 return( aesni_crypt_ecb( ctx, mode, input, output ) );
699#endif
700
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]701#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]702 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]703 {
704 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]705 return( 0 );
706
707 // If padlock data misaligned, we just fall back to
708 // unaccelerated mode
709 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]710 }
711#endif
712
713 RK = ctx->rk;
714
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]715 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
716 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
717 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
718 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]719
720 if( mode == AES_DECRYPT )
721 {
722 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
723 {
724 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
725 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
726 }
727
728 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
729
730 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]731 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
732 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
733 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
734 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]735
736 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]737 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
738 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
739 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
740 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]741
742 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]743 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
744 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
745 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
746 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]747
748 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]749 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
750 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
751 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
752 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]753 }
754 else /* AES_ENCRYPT */
755 {
756 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
757 {
758 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
759 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
760 }
761
762 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
763
764 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]765 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
766 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
767 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
768 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]769
770 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]771 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
772 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
773 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
774 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]775
776 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]777 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
778 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
779 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
780 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]781
782 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]783 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
784 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
785 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
786 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]787 }
788
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]789 PUT_UINT32_LE( X0, output, 0 );
790 PUT_UINT32_LE( X1, output, 4 );
791 PUT_UINT32_LE( X2, output, 8 );
792 PUT_UINT32_LE( X3, output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]793
794 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]795}
796
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]797#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]798/*
799 * AES-CBC buffer encryption/decryption
800 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]801int aes_crypt_cbc( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]802 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]803 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]804 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]805 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]806 unsigned char *output )
807{
808 int i;
809 unsigned char temp[16];
810
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]811 if( length % 16 )
812 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
813
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]814#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]815 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]816 {
817 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]818 return( 0 );
819
820 // If padlock data misaligned, we just fall back to
821 // unaccelerated mode
822 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]823 }
824#endif
825
826 if( mode == AES_DECRYPT )
827 {
828 while( length > 0 )
829 {
830 memcpy( temp, input, 16 );
831 aes_crypt_ecb( ctx, mode, input, output );
832
833 for( i = 0; i < 16; i++ )
834 output[i] = (unsigned char)( output[i] ^ iv[i] );
835
836 memcpy( iv, temp, 16 );
837
838 input += 16;
839 output += 16;
840 length -= 16;
841 }
842 }
843 else
844 {
845 while( length > 0 )
846 {
847 for( i = 0; i < 16; i++ )
848 output[i] = (unsigned char)( input[i] ^ iv[i] );
849
850 aes_crypt_ecb( ctx, mode, output, output );
851 memcpy( iv, output, 16 );
852
853 input += 16;
854 output += 16;
855 length -= 16;
856 }
857 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]858
859 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]860}
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]861#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]862
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]863#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]864/*
865 * AES-CFB128 buffer encryption/decryption
866 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]867int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]868 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]869 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]870 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]871 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]872 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]873 unsigned char *output )
874{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]875 int c;
876 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]877
878 if( mode == AES_DECRYPT )
879 {
880 while( length-- )
881 {
882 if( n == 0 )
883 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
884
885 c = *input++;
886 *output++ = (unsigned char)( c ^ iv[n] );
887 iv[n] = (unsigned char) c;
888
889 n = (n + 1) & 0x0F;
890 }
891 }
892 else
893 {
894 while( length-- )
895 {
896 if( n == 0 )
897 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
898
899 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
900
901 n = (n + 1) & 0x0F;
902 }
903 }
904
905 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]906
907 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]908}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame^]909
910/*
911 * AES-CFB8 buffer encryption/decryption
912 */
913#include <stdio.h>
914int aes_crypt_cfb8( aes_context *ctx,
915 int mode,
916 size_t length,
917 unsigned char iv[16],
918 const unsigned char *input,
919 unsigned char *output )
920{
921 unsigned char c;
922 unsigned char ov[17];
923
924 while( length-- )
925 {
926 memcpy(ov, iv, 16);
927 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
928
929 if( mode == AES_DECRYPT )
930 ov[16] = *input;
931
932 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
933
934 if( mode == AES_ENCRYPT )
935 ov[16] = c;
936
937 memcpy(iv, ov + 1, 16);
938 }
939
940 return( 0 );
941}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]942#endif /*POLARSSL_CIPHER_MODE_CFB */
943
944#if defined(POLARSSL_CIPHER_MODE_CTR)
945/*
946 * AES-CTR buffer encryption/decryption
947 */
948int aes_crypt_ctr( aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]949 size_t length,
950 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]951 unsigned char nonce_counter[16],
952 unsigned char stream_block[16],
953 const unsigned char *input,
954 unsigned char *output )
955{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]956 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]957 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]958
959 while( length-- )
960 {
961 if( n == 0 ) {
962 aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
963
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]964 for( i = 16; i > 0; i-- )
965 if( ++nonce_counter[i - 1] != 0 )
966 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]967 }
968 c = *input++;
969 *output++ = (unsigned char)( c ^ stream_block[n] );
970
971 n = (n + 1) & 0x0F;
972 }
973
974 *nc_off = n;
975
976 return( 0 );
977}
978#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]979#endif /* !POLARSSL_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]980
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]981#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]982
983#include <stdio.h>
984
985/*
986 * AES test vectors from:
987 *
988 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
989 */
990static const unsigned char aes_test_ecb_dec[3][16] =
991{
992 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
993 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
994 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
995 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
996 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
997 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
998};
999
1000static const unsigned char aes_test_ecb_enc[3][16] =
1001{
1002 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1003 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1004 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1005 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1006 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1007 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1008};
1009
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1010#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1011static const unsigned char aes_test_cbc_dec[3][16] =
1012{
1013 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1014 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1015 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1016 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1017 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1018 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1019};
1020
1021static const unsigned char aes_test_cbc_enc[3][16] =
1022{
1023 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1024 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1025 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1026 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1027 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1028 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1029};
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1030#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1031
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1032#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1033/*
1034 * AES-CFB128 test vectors from:
1035 *
1036 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1037 */
1038static const unsigned char aes_test_cfb128_key[3][32] =
1039{
1040 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1041 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1042 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1043 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1044 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1045 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1046 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1047 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1048 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1049};
1050
1051static const unsigned char aes_test_cfb128_iv[16] =
1052{
1053 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1054 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1055};
1056
1057static const unsigned char aes_test_cfb128_pt[64] =
1058{
1059 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1060 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1061 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1062 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1063 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1064 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1065 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1066 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1067};
1068
1069static const unsigned char aes_test_cfb128_ct[3][64] =
1070{
1071 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1072 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1073 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1074 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1075 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1076 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1077 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1078 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1079 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1080 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1081 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1082 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1083 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1084 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1085 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1086 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1087 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1088 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1089 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1090 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1091 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1092 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1093 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1094 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1095};
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1096#endif /* POLARSSL_CIPHER_MODE_CFB */
1097
1098#if defined(POLARSSL_CIPHER_MODE_CTR)
1099/*
1100 * AES-CTR test vectors from:
1101 *
1102 * http://www.faqs.org/rfcs/rfc3686.html
1103 */
1104
1105static const unsigned char aes_test_ctr_key[3][16] =
1106{
1107 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1108 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1109 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1110 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1111 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1112 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1113};
1114
1115static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1116{
1117 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1118 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1119 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1120 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1121 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1122 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1123};
1124
1125static const unsigned char aes_test_ctr_pt[3][48] =
1126{
1127 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1128 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1129
1130 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1131 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1132 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1133 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1134
1135 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1136 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1137 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1138 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1139 0x20, 0x21, 0x22, 0x23 }
1140};
1141
1142static const unsigned char aes_test_ctr_ct[3][48] =
1143{
1144 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1145 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1146 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1147 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1148 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1149 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1150 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1151 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1152 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1153 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1154 0x25, 0xB2, 0x07, 0x2F }
1155};
1156
1157static const int aes_test_ctr_len[3] =
1158 { 16, 32, 36 };
1159#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1160
1161/*
1162 * Checkup routine
1163 */
1164int aes_self_test( int verbose )
1165{
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1166 int i, j, u, v;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1167 unsigned char key[32];
1168 unsigned char buf[64];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1169 unsigned char iv[16];
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1170#if defined(POLARSSL_CIPHER_MODE_CBC)
1171 unsigned char prv[16];
1172#endif
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1173#if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1174 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1175#endif
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1176#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1177 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1178 unsigned char nonce_counter[16];
1179 unsigned char stream_block[16];
1180#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1181 aes_context ctx;
1182
1183 memset( key, 0, 32 );
1184
1185 /*
1186 * ECB mode
1187 */
1188 for( i = 0; i < 6; i++ )
1189 {
1190 u = i >> 1;
1191 v = i & 1;
1192
1193 if( verbose != 0 )
1194 printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1195 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1196
1197 memset( buf, 0, 16 );
1198
1199 if( v == AES_DECRYPT )
1200 {
1201 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1202
1203 for( j = 0; j < 10000; j++ )
1204 aes_crypt_ecb( &ctx, v, buf, buf );
1205
1206 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1207 {
1208 if( verbose != 0 )
1209 printf( "failed\n" );
1210
1211 return( 1 );
1212 }
1213 }
1214 else
1215 {
1216 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1217
1218 for( j = 0; j < 10000; j++ )
1219 aes_crypt_ecb( &ctx, v, buf, buf );
1220
1221 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1222 {
1223 if( verbose != 0 )
1224 printf( "failed\n" );
1225
1226 return( 1 );
1227 }
1228 }
1229
1230 if( verbose != 0 )
1231 printf( "passed\n" );
1232 }
1233
1234 if( verbose != 0 )
1235 printf( "\n" );
1236
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1237#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1238 /*
1239 * CBC mode
1240 */
1241 for( i = 0; i < 6; i++ )
1242 {
1243 u = i >> 1;
1244 v = i & 1;
1245
1246 if( verbose != 0 )
1247 printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1248 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1249
1250 memset( iv , 0, 16 );
1251 memset( prv, 0, 16 );
1252 memset( buf, 0, 16 );
1253
1254 if( v == AES_DECRYPT )
1255 {
1256 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1257
1258 for( j = 0; j < 10000; j++ )
1259 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1260
1261 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1262 {
1263 if( verbose != 0 )
1264 printf( "failed\n" );
1265
1266 return( 1 );
1267 }
1268 }
1269 else
1270 {
1271 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1272
1273 for( j = 0; j < 10000; j++ )
1274 {
1275 unsigned char tmp[16];
1276
1277 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1278
1279 memcpy( tmp, prv, 16 );
1280 memcpy( prv, buf, 16 );
1281 memcpy( buf, tmp, 16 );
1282 }
1283
1284 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1285 {
1286 if( verbose != 0 )
1287 printf( "failed\n" );
1288
1289 return( 1 );
1290 }
1291 }
1292
1293 if( verbose != 0 )
1294 printf( "passed\n" );
1295 }
1296
1297 if( verbose != 0 )
1298 printf( "\n" );
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1299#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1300
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1301#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1302 /*
1303 * CFB128 mode
1304 */
1305 for( i = 0; i < 6; i++ )
1306 {
1307 u = i >> 1;
1308 v = i & 1;
1309
1310 if( verbose != 0 )
1311 printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1312 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1313
1314 memcpy( iv, aes_test_cfb128_iv, 16 );
1315 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1316
1317 offset = 0;
1318 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1319
1320 if( v == AES_DECRYPT )
1321 {
1322 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1323 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1324
1325 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1326 {
1327 if( verbose != 0 )
1328 printf( "failed\n" );
1329
1330 return( 1 );
1331 }
1332 }
1333 else
1334 {
1335 memcpy( buf, aes_test_cfb128_pt, 64 );
1336 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1337
1338 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1339 {
1340 if( verbose != 0 )
1341 printf( "failed\n" );
1342
1343 return( 1 );
1344 }
1345 }
1346
1347 if( verbose != 0 )
1348 printf( "passed\n" );
1349 }
1350
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1351 if( verbose != 0 )
1352 printf( "\n" );
1353#endif /* POLARSSL_CIPHER_MODE_CFB */
1354
1355#if defined(POLARSSL_CIPHER_MODE_CTR)
1356 /*
1357 * CTR mode
1358 */
1359 for( i = 0; i < 6; i++ )
1360 {
1361 u = i >> 1;
1362 v = i & 1;
1363
1364 if( verbose != 0 )
1365 printf( " AES-CTR-128 (%s): ",
1366 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1367
1368 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1369 memcpy( key, aes_test_ctr_key[u], 16 );
1370
1371 offset = 0;
1372 aes_setkey_enc( &ctx, key, 128 );
1373
1374 if( v == AES_DECRYPT )
1375 {
1376 len = aes_test_ctr_len[u];
1377 memcpy( buf, aes_test_ctr_ct[u], len );
1378
1379 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1380
1381 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1382 {
1383 if( verbose != 0 )
1384 printf( "failed\n" );
1385
1386 return( 1 );
1387 }
1388 }
1389 else
1390 {
1391 len = aes_test_ctr_len[u];
1392 memcpy( buf, aes_test_ctr_pt[u], len );
1393
1394 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1395
1396 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1397 {
1398 if( verbose != 0 )
1399 printf( "failed\n" );
1400
1401 return( 1 );
1402 }
1403 }
1404
1405 if( verbose != 0 )
1406 printf( "passed\n" );
1407 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1408
1409 if( verbose != 0 )
1410 printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1411#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1412
1413 return( 0 );
1414}
1415
1416#endif
1417
1418#endif