TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 5c2364c2bac4c0c0c269235aa701ec7e07a1e00e / . / library / aes.c
blob: 0295f3f28e2a04b38644b5d33c320699b66e5d88 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]4 * Copyright (C) 2006-2010, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27 *
28 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30 */
31
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]32#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#include "polarssl/aes.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]37#if defined(POLARSSL_PADLOCK_C)
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#include "polarssl/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]39#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]40
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]41/*
42 * 32-bit integer manipulation macros (little endian)
43 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]44#ifndef GET_UINT32_LE
45#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]46{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]47 (n) = ( (uint32_t) (b)[(i) ] ) \
48 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
49 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
50 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]51}
52#endif
53
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]54#ifndef PUT_UINT32_LE
55#define PUT_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]56{ \
57 (b)[(i) ] = (unsigned char) ( (n) ); \
58 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
59 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
60 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
61}
62#endif
63
Paul Bakker0e19e9f2012-10-01 11:02:48 +0000[diff] [blame]64#if defined(POLARSSL_PADLOCK_C) && \
65 ( defined(POLARSSL_HAVE_X86) || defined(PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]66static int aes_padlock_ace = -1;
67#endif
68
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]69#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]70/*
71 * Forward S-box
72 */
73static const unsigned char FSb[256] =
74{
75 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
76 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
77 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
78 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
79 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
80 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
81 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
82 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
83 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
84 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
85 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
86 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
87 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
88 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
89 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
90 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
91 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
92 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
93 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
94 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
95 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
96 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
97 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
98 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
99 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
100 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
101 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
102 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
103 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
104 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
105 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
106 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
107};
108
109/*
110 * Forward tables
111 */
112#define FT \
113\
114 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
115 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
116 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
117 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
118 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
119 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
120 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
121 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
122 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
123 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
124 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
125 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
126 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
127 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
128 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
129 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
130 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
131 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
132 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
133 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
134 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
135 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
136 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
137 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
138 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
139 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
140 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
141 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
142 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
143 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
144 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
145 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
146 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
147 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
148 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
149 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
150 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
151 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
152 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
153 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
154 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
155 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
156 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
157 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
158 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
159 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
160 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
161 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
162 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
163 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
164 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
165 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
166 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
167 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
168 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
169 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
170 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
171 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
172 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
173 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
174 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
175 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
176 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
177 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
178
179#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]180static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]181#undef V
182
183#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]184static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]185#undef V
186
187#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]188static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]189#undef V
190
191#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]192static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]193#undef V
194
195#undef FT
196
197/*
198 * Reverse S-box
199 */
200static const unsigned char RSb[256] =
201{
202 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
203 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
204 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
205 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
206 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
207 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
208 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
209 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
210 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
211 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
212 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
213 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
214 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
215 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
216 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
217 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
218 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
219 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
220 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
221 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
222 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
223 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
224 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
225 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
226 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
227 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
228 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
229 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
230 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
231 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
232 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
233 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
234};
235
236/*
237 * Reverse tables
238 */
239#define RT \
240\
241 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
242 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
243 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
244 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
245 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
246 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
247 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
248 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
249 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
250 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
251 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
252 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
253 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
254 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
255 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
256 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
257 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
258 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
259 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
260 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
261 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
262 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
263 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
264 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
265 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
266 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
267 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
268 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
269 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
270 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
271 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
272 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
273 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
274 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
275 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
276 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
277 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
278 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
279 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
280 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
281 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
282 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
283 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
284 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
285 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
286 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
287 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
288 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
289 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
290 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
291 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
292 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
293 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
294 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
295 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
296 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
297 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
298 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
299 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
300 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
301 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
302 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
303 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
304 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
305
306#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]307static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]308#undef V
309
310#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]311static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]312#undef V
313
314#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]315static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]316#undef V
317
318#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]319static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]320#undef V
321
322#undef RT
323
324/*
325 * Round constants
326 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]327static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]328{
329 0x00000001, 0x00000002, 0x00000004, 0x00000008,
330 0x00000010, 0x00000020, 0x00000040, 0x00000080,
331 0x0000001B, 0x00000036
332};
333
334#else
335
336/*
337 * Forward S-box & tables
338 */
339static unsigned char FSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]340static uint32_t FT0[256];
341static uint32_t FT1[256];
342static uint32_t FT2[256];
343static uint32_t FT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]344
345/*
346 * Reverse S-box & tables
347 */
348static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]349static uint32_t RT0[256];
350static uint32_t RT1[256];
351static uint32_t RT2[256];
352static uint32_t RT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]353
354/*
355 * Round constants
356 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]357static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]358
359/*
360 * Tables generation code
361 */
362#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
363#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
364#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
365
366static int aes_init_done = 0;
367
368static void aes_gen_tables( void )
369{
370 int i, x, y, z;
371 int pow[256];
372 int log[256];
373
374 /*
375 * compute pow and log tables over GF(2^8)
376 */
377 for( i = 0, x = 1; i < 256; i++ )
378 {
379 pow[i] = x;
380 log[x] = i;
381 x = ( x ^ XTIME( x ) ) & 0xFF;
382 }
383
384 /*
385 * calculate the round constants
386 */
387 for( i = 0, x = 1; i < 10; i++ )
388 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]389 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]390 x = XTIME( x ) & 0xFF;
391 }
392
393 /*
394 * generate the forward and reverse S-boxes
395 */
396 FSb[0x00] = 0x63;
397 RSb[0x63] = 0x00;
398
399 for( i = 1; i < 256; i++ )
400 {
401 x = pow[255 - log[i]];
402
403 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
404 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
405 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
406 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
407 x ^= y ^ 0x63;
408
409 FSb[i] = (unsigned char) x;
410 RSb[x] = (unsigned char) i;
411 }
412
413 /*
414 * generate the forward and reverse tables
415 */
416 for( i = 0; i < 256; i++ )
417 {
418 x = FSb[i];
419 y = XTIME( x ) & 0xFF;
420 z = ( y ^ x ) & 0xFF;
421
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]422 FT0[i] = ( (uint32_t) y ) ^
423 ( (uint32_t) x << 8 ) ^
424 ( (uint32_t) x << 16 ) ^
425 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]426
427 FT1[i] = ROTL8( FT0[i] );
428 FT2[i] = ROTL8( FT1[i] );
429 FT3[i] = ROTL8( FT2[i] );
430
431 x = RSb[i];
432
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]433 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
434 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
435 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
436 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]437
438 RT1[i] = ROTL8( RT0[i] );
439 RT2[i] = ROTL8( RT1[i] );
440 RT3[i] = ROTL8( RT2[i] );
441 }
442}
443
444#endif
445
446/*
447 * AES key schedule (encryption)
448 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]449int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]450{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]451 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]452 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]453
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]454#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]455 if( aes_init_done == 0 )
456 {
457 aes_gen_tables();
458 aes_init_done = 1;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]459
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]460 }
461#endif
462
463 switch( keysize )
464 {
465 case 128: ctx->nr = 10; break;
466 case 192: ctx->nr = 12; break;
467 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]468 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]469 }
470
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]471#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
472 if( aes_padlock_ace == -1 )
473 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
474
475 if( aes_padlock_ace )
476 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
477 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]478#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]479 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]480
481 for( i = 0; i < (keysize >> 5); i++ )
482 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]483 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]484 }
485
486 switch( ctx->nr )
487 {
488 case 10:
489
490 for( i = 0; i < 10; i++, RK += 4 )
491 {
492 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]493 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
494 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
495 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
496 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]497
498 RK[5] = RK[1] ^ RK[4];
499 RK[6] = RK[2] ^ RK[5];
500 RK[7] = RK[3] ^ RK[6];
501 }
502 break;
503
504 case 12:
505
506 for( i = 0; i < 8; i++, RK += 6 )
507 {
508 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]509 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
510 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
511 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
512 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]513
514 RK[7] = RK[1] ^ RK[6];
515 RK[8] = RK[2] ^ RK[7];
516 RK[9] = RK[3] ^ RK[8];
517 RK[10] = RK[4] ^ RK[9];
518 RK[11] = RK[5] ^ RK[10];
519 }
520 break;
521
522 case 14:
523
524 for( i = 0; i < 7; i++, RK += 8 )
525 {
526 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]527 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
528 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
529 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
530 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]531
532 RK[9] = RK[1] ^ RK[8];
533 RK[10] = RK[2] ^ RK[9];
534 RK[11] = RK[3] ^ RK[10];
535
536 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]537 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
538 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
539 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
540 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]541
542 RK[13] = RK[5] ^ RK[12];
543 RK[14] = RK[6] ^ RK[13];
544 RK[15] = RK[7] ^ RK[14];
545 }
546 break;
547
548 default:
549
550 break;
551 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]552
553 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]554}
555
556/*
557 * AES key schedule (decryption)
558 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]559int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]560{
561 int i, j;
562 aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]563 uint32_t *RK;
564 uint32_t *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]565 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]566
567 switch( keysize )
568 {
569 case 128: ctx->nr = 10; break;
570 case 192: ctx->nr = 12; break;
571 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]572 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]573 }
574
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]575#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
576 if( aes_padlock_ace == -1 )
577 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
578
579 if( aes_padlock_ace )
580 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
581 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]582#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]583 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]584
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]585 ret = aes_setkey_enc( &cty, key, keysize );
586 if( ret != 0 )
587 return( ret );
588
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]589 SK = cty.rk + cty.nr * 4;
590
591 *RK++ = *SK++;
592 *RK++ = *SK++;
593 *RK++ = *SK++;
594 *RK++ = *SK++;
595
596 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
597 {
598 for( j = 0; j < 4; j++, SK++ )
599 {
600 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
601 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
602 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
603 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
604 }
605 }
606
607 *RK++ = *SK++;
608 *RK++ = *SK++;
609 *RK++ = *SK++;
610 *RK++ = *SK++;
611
612 memset( &cty, 0, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]613
614 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]615}
616
617#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
618{ \
619 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
620 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
621 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
622 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
623 \
624 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
625 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
626 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
627 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
628 \
629 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
630 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
631 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
632 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
633 \
634 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
635 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
636 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
637 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
638}
639
640#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
641{ \
642 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
643 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
644 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
645 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
646 \
647 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
648 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
649 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
650 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
651 \
652 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
653 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
654 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
655 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
656 \
657 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
658 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
659 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
660 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
661}
662
663/*
664 * AES-ECB block encryption/decryption
665 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]666int aes_crypt_ecb( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]667 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]668 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]669 unsigned char output[16] )
670{
671 int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]672 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]673
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]674#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]675 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]676 {
677 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]678 return( 0 );
679
680 // If padlock data misaligned, we just fall back to
681 // unaccelerated mode
682 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]683 }
684#endif
685
686 RK = ctx->rk;
687
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]688 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
689 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
690 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
691 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]692
693 if( mode == AES_DECRYPT )
694 {
695 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
696 {
697 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
698 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
699 }
700
701 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
702
703 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]704 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
705 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
706 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
707 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]708
709 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]710 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
711 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
712 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
713 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]714
715 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]716 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
717 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
718 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
719 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]720
721 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]722 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
723 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
724 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
725 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]726 }
727 else /* AES_ENCRYPT */
728 {
729 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
730 {
731 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
732 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
733 }
734
735 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
736
737 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]738 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
739 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
740 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
741 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]742
743 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]744 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
745 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
746 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
747 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]748
749 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]750 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
751 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
752 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
753 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]754
755 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]756 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
757 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
758 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
759 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]760 }
761
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame^]762 PUT_UINT32_LE( X0, output, 0 );
763 PUT_UINT32_LE( X1, output, 4 );
764 PUT_UINT32_LE( X2, output, 8 );
765 PUT_UINT32_LE( X3, output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]766
767 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]768}
769
770/*
771 * AES-CBC buffer encryption/decryption
772 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]773int aes_crypt_cbc( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]774 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]775 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]776 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]777 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]778 unsigned char *output )
779{
780 int i;
781 unsigned char temp[16];
782
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]783 if( length % 16 )
784 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
785
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]786#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]787 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]788 {
789 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]790 return( 0 );
791
792 // If padlock data misaligned, we just fall back to
793 // unaccelerated mode
794 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]795 }
796#endif
797
798 if( mode == AES_DECRYPT )
799 {
800 while( length > 0 )
801 {
802 memcpy( temp, input, 16 );
803 aes_crypt_ecb( ctx, mode, input, output );
804
805 for( i = 0; i < 16; i++ )
806 output[i] = (unsigned char)( output[i] ^ iv[i] );
807
808 memcpy( iv, temp, 16 );
809
810 input += 16;
811 output += 16;
812 length -= 16;
813 }
814 }
815 else
816 {
817 while( length > 0 )
818 {
819 for( i = 0; i < 16; i++ )
820 output[i] = (unsigned char)( input[i] ^ iv[i] );
821
822 aes_crypt_ecb( ctx, mode, output, output );
823 memcpy( iv, output, 16 );
824
825 input += 16;
826 output += 16;
827 length -= 16;
828 }
829 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]830
831 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]832}
833
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]834#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]835/*
836 * AES-CFB128 buffer encryption/decryption
837 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]838int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]839 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]840 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]841 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]842 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]843 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]844 unsigned char *output )
845{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]846 int c;
847 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]848
849 if( mode == AES_DECRYPT )
850 {
851 while( length-- )
852 {
853 if( n == 0 )
854 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
855
856 c = *input++;
857 *output++ = (unsigned char)( c ^ iv[n] );
858 iv[n] = (unsigned char) c;
859
860 n = (n + 1) & 0x0F;
861 }
862 }
863 else
864 {
865 while( length-- )
866 {
867 if( n == 0 )
868 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
869
870 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
871
872 n = (n + 1) & 0x0F;
873 }
874 }
875
876 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]877
878 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]879}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]880#endif /*POLARSSL_CIPHER_MODE_CFB */
881
882#if defined(POLARSSL_CIPHER_MODE_CTR)
883/*
884 * AES-CTR buffer encryption/decryption
885 */
886int aes_crypt_ctr( aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]887 size_t length,
888 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]889 unsigned char nonce_counter[16],
890 unsigned char stream_block[16],
891 const unsigned char *input,
892 unsigned char *output )
893{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]894 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]895 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]896
897 while( length-- )
898 {
899 if( n == 0 ) {
900 aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
901
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]902 for( i = 16; i > 0; i-- )
903 if( ++nonce_counter[i - 1] != 0 )
904 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]905 }
906 c = *input++;
907 *output++ = (unsigned char)( c ^ stream_block[n] );
908
909 n = (n + 1) & 0x0F;
910 }
911
912 *nc_off = n;
913
914 return( 0 );
915}
916#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]917
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]918#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]919
920#include <stdio.h>
921
922/*
923 * AES test vectors from:
924 *
925 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
926 */
927static const unsigned char aes_test_ecb_dec[3][16] =
928{
929 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
930 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
931 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
932 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
933 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
934 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
935};
936
937static const unsigned char aes_test_ecb_enc[3][16] =
938{
939 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
940 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
941 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
942 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
943 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
944 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
945};
946
947static const unsigned char aes_test_cbc_dec[3][16] =
948{
949 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
950 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
951 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
952 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
953 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
954 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
955};
956
957static const unsigned char aes_test_cbc_enc[3][16] =
958{
959 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
960 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
961 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
962 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
963 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
964 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
965};
966
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]967#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]968/*
969 * AES-CFB128 test vectors from:
970 *
971 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
972 */
973static const unsigned char aes_test_cfb128_key[3][32] =
974{
975 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
976 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
977 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
978 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
979 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
980 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
981 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
982 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
983 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
984};
985
986static const unsigned char aes_test_cfb128_iv[16] =
987{
988 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
989 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
990};
991
992static const unsigned char aes_test_cfb128_pt[64] =
993{
994 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
995 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
996 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
997 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
998 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
999 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1000 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1001 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1002};
1003
1004static const unsigned char aes_test_cfb128_ct[3][64] =
1005{
1006 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1007 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1008 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1009 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1010 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1011 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1012 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1013 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1014 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1015 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1016 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1017 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1018 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1019 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1020 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1021 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1022 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1023 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1024 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1025 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1026 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1027 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1028 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1029 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1030};
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1031#endif /* POLARSSL_CIPHER_MODE_CFB */
1032
1033#if defined(POLARSSL_CIPHER_MODE_CTR)
1034/*
1035 * AES-CTR test vectors from:
1036 *
1037 * http://www.faqs.org/rfcs/rfc3686.html
1038 */
1039
1040static const unsigned char aes_test_ctr_key[3][16] =
1041{
1042 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1043 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1044 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1045 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1046 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1047 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1048};
1049
1050static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1051{
1052 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1053 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1054 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1055 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1056 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1057 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1058};
1059
1060static const unsigned char aes_test_ctr_pt[3][48] =
1061{
1062 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1063 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1064
1065 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1066 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1067 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1068 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1069
1070 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1071 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1072 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1073 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1074 0x20, 0x21, 0x22, 0x23 }
1075};
1076
1077static const unsigned char aes_test_ctr_ct[3][48] =
1078{
1079 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1080 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1081 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1082 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1083 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1084 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1085 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1086 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1087 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1088 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1089 0x25, 0xB2, 0x07, 0x2F }
1090};
1091
1092static const int aes_test_ctr_len[3] =
1093 { 16, 32, 36 };
1094#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1095
1096/*
1097 * Checkup routine
1098 */
1099int aes_self_test( int verbose )
1100{
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1101 int i, j, u, v;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1102 unsigned char key[32];
1103 unsigned char buf[64];
1104 unsigned char prv[16];
1105 unsigned char iv[16];
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1106#if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1107 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1108#endif
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1109#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1110 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1111 unsigned char nonce_counter[16];
1112 unsigned char stream_block[16];
1113#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1114 aes_context ctx;
1115
1116 memset( key, 0, 32 );
1117
1118 /*
1119 * ECB mode
1120 */
1121 for( i = 0; i < 6; i++ )
1122 {
1123 u = i >> 1;
1124 v = i & 1;
1125
1126 if( verbose != 0 )
1127 printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1128 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1129
1130 memset( buf, 0, 16 );
1131
1132 if( v == AES_DECRYPT )
1133 {
1134 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1135
1136 for( j = 0; j < 10000; j++ )
1137 aes_crypt_ecb( &ctx, v, buf, buf );
1138
1139 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1140 {
1141 if( verbose != 0 )
1142 printf( "failed\n" );
1143
1144 return( 1 );
1145 }
1146 }
1147 else
1148 {
1149 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1150
1151 for( j = 0; j < 10000; j++ )
1152 aes_crypt_ecb( &ctx, v, buf, buf );
1153
1154 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1155 {
1156 if( verbose != 0 )
1157 printf( "failed\n" );
1158
1159 return( 1 );
1160 }
1161 }
1162
1163 if( verbose != 0 )
1164 printf( "passed\n" );
1165 }
1166
1167 if( verbose != 0 )
1168 printf( "\n" );
1169
1170 /*
1171 * CBC mode
1172 */
1173 for( i = 0; i < 6; i++ )
1174 {
1175 u = i >> 1;
1176 v = i & 1;
1177
1178 if( verbose != 0 )
1179 printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1180 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1181
1182 memset( iv , 0, 16 );
1183 memset( prv, 0, 16 );
1184 memset( buf, 0, 16 );
1185
1186 if( v == AES_DECRYPT )
1187 {
1188 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1189
1190 for( j = 0; j < 10000; j++ )
1191 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1192
1193 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1194 {
1195 if( verbose != 0 )
1196 printf( "failed\n" );
1197
1198 return( 1 );
1199 }
1200 }
1201 else
1202 {
1203 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1204
1205 for( j = 0; j < 10000; j++ )
1206 {
1207 unsigned char tmp[16];
1208
1209 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1210
1211 memcpy( tmp, prv, 16 );
1212 memcpy( prv, buf, 16 );
1213 memcpy( buf, tmp, 16 );
1214 }
1215
1216 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1217 {
1218 if( verbose != 0 )
1219 printf( "failed\n" );
1220
1221 return( 1 );
1222 }
1223 }
1224
1225 if( verbose != 0 )
1226 printf( "passed\n" );
1227 }
1228
1229 if( verbose != 0 )
1230 printf( "\n" );
1231
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1232#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1233 /*
1234 * CFB128 mode
1235 */
1236 for( i = 0; i < 6; i++ )
1237 {
1238 u = i >> 1;
1239 v = i & 1;
1240
1241 if( verbose != 0 )
1242 printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1243 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1244
1245 memcpy( iv, aes_test_cfb128_iv, 16 );
1246 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1247
1248 offset = 0;
1249 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1250
1251 if( v == AES_DECRYPT )
1252 {
1253 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1254 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1255
1256 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1257 {
1258 if( verbose != 0 )
1259 printf( "failed\n" );
1260
1261 return( 1 );
1262 }
1263 }
1264 else
1265 {
1266 memcpy( buf, aes_test_cfb128_pt, 64 );
1267 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1268
1269 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1270 {
1271 if( verbose != 0 )
1272 printf( "failed\n" );
1273
1274 return( 1 );
1275 }
1276 }
1277
1278 if( verbose != 0 )
1279 printf( "passed\n" );
1280 }
1281
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1282 if( verbose != 0 )
1283 printf( "\n" );
1284#endif /* POLARSSL_CIPHER_MODE_CFB */
1285
1286#if defined(POLARSSL_CIPHER_MODE_CTR)
1287 /*
1288 * CTR mode
1289 */
1290 for( i = 0; i < 6; i++ )
1291 {
1292 u = i >> 1;
1293 v = i & 1;
1294
1295 if( verbose != 0 )
1296 printf( " AES-CTR-128 (%s): ",
1297 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1298
1299 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1300 memcpy( key, aes_test_ctr_key[u], 16 );
1301
1302 offset = 0;
1303 aes_setkey_enc( &ctx, key, 128 );
1304
1305 if( v == AES_DECRYPT )
1306 {
1307 len = aes_test_ctr_len[u];
1308 memcpy( buf, aes_test_ctr_ct[u], len );
1309
1310 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1311
1312 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1313 {
1314 if( verbose != 0 )
1315 printf( "failed\n" );
1316
1317 return( 1 );
1318 }
1319 }
1320 else
1321 {
1322 len = aes_test_ctr_len[u];
1323 memcpy( buf, aes_test_ctr_pt[u], len );
1324
1325 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1326
1327 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1328 {
1329 if( verbose != 0 )
1330 printf( "failed\n" );
1331
1332 return( 1 );
1333 }
1334 }
1335
1336 if( verbose != 0 )
1337 printf( "passed\n" );
1338 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1339
1340 if( verbose != 0 )
1341 printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1342#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1343
1344 return( 0 );
1345}
1346
1347#endif
1348
1349#endif