TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 648656a628c666f07d140fc449546ff6b06ee1de / . / library / aes.c
blob: f516fba67b466699307af18b843f53c378e9b095 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]4 * Copyright (C) 2006-2014, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27 *
28 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30 */
31
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]32#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#include "polarssl/aes.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]37#if defined(POLARSSL_PADLOCK_C)
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#include "polarssl/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]39#endif
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]40#if defined(POLARSSL_AESNI_C)
41#include "polarssl/aesni.h"
42#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]43
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]44#if defined(POLARSSL_PLATFORM_C)
45#include "polarssl/platform.h"
46#else
47#define polarssl_printf printf
48#endif
49
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]50#if !defined(POLARSSL_AES_ALT)
51
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]52/*
53 * 32-bit integer manipulation macros (little endian)
54 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]55#ifndef GET_UINT32_LE
56#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]57{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]58 (n) = ( (uint32_t) (b)[(i) ] ) \
59 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
60 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
61 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]62}
63#endif
64
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]65#ifndef PUT_UINT32_LE
66#define PUT_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]67{ \
68 (b)[(i) ] = (unsigned char) ( (n) ); \
69 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
70 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
71 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
72}
73#endif
74
Paul Bakker0e19e9f2012-10-01 11:02:48 +0000[diff] [blame]75#if defined(POLARSSL_PADLOCK_C) && \
76 ( defined(POLARSSL_HAVE_X86) || defined(PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]77static int aes_padlock_ace = -1;
78#endif
79
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]80#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]81/*
82 * Forward S-box
83 */
84static const unsigned char FSb[256] =
85{
86 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
87 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
88 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
89 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
90 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
91 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
92 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
93 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
94 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
95 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
96 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
97 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
98 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
99 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
100 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
101 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
102 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
103 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
104 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
105 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
106 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
107 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
108 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
109 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
110 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
111 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
112 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
113 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
114 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
115 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
116 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
117 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
118};
119
120/*
121 * Forward tables
122 */
123#define FT \
124\
125 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
126 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
127 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
128 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
129 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
130 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
131 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
132 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
133 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
134 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
135 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
136 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
137 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
138 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
139 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
140 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
141 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
142 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
143 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
144 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
145 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
146 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
147 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
148 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
149 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
150 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
151 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
152 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
153 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
154 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
155 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
156 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
157 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
158 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
159 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
160 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
161 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
162 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
163 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
164 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
165 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
166 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
167 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
168 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
169 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
170 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
171 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
172 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
173 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
174 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
175 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
176 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
177 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
178 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
179 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
180 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
181 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
182 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
183 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
184 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
185 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
186 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
187 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
188 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
189
190#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]191static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]192#undef V
193
194#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]195static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]196#undef V
197
198#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]199static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]200#undef V
201
202#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]203static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]204#undef V
205
206#undef FT
207
208/*
209 * Reverse S-box
210 */
211static const unsigned char RSb[256] =
212{
213 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
214 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
215 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
216 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
217 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
218 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
219 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
220 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
221 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
222 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
223 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
224 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
225 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
226 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
227 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
228 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
229 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
230 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
231 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
232 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
233 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
234 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
235 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
236 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
237 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
238 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
239 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
240 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
241 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
242 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
243 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
244 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
245};
246
247/*
248 * Reverse tables
249 */
250#define RT \
251\
252 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
253 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
254 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
255 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
256 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
257 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
258 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
259 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
260 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
261 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
262 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
263 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
264 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
265 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
266 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
267 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
268 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
269 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
270 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
271 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
272 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
273 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
274 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
275 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
276 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
277 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
278 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
279 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
280 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
281 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
282 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
283 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
284 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
285 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
286 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
287 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
288 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
289 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
290 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
291 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
292 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
293 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
294 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
295 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
296 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
297 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
298 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
299 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
300 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
301 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
302 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
303 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
304 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
305 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
306 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
307 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
308 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
309 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
310 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
311 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
312 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
313 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
314 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
315 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
316
317#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]318static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]319#undef V
320
321#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]322static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]323#undef V
324
325#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]326static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]327#undef V
328
329#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]330static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]331#undef V
332
333#undef RT
334
335/*
336 * Round constants
337 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]338static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]339{
340 0x00000001, 0x00000002, 0x00000004, 0x00000008,
341 0x00000010, 0x00000020, 0x00000040, 0x00000080,
342 0x0000001B, 0x00000036
343};
344
345#else
346
347/*
348 * Forward S-box & tables
349 */
350static unsigned char FSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]351static uint32_t FT0[256];
352static uint32_t FT1[256];
353static uint32_t FT2[256];
354static uint32_t FT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]355
356/*
357 * Reverse S-box & tables
358 */
359static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]360static uint32_t RT0[256];
361static uint32_t RT1[256];
362static uint32_t RT2[256];
363static uint32_t RT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]364
365/*
366 * Round constants
367 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]368static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]369
370/*
371 * Tables generation code
372 */
373#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
374#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
375#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
376
377static int aes_init_done = 0;
378
379static void aes_gen_tables( void )
380{
381 int i, x, y, z;
382 int pow[256];
383 int log[256];
384
385 /*
386 * compute pow and log tables over GF(2^8)
387 */
388 for( i = 0, x = 1; i < 256; i++ )
389 {
390 pow[i] = x;
391 log[x] = i;
392 x = ( x ^ XTIME( x ) ) & 0xFF;
393 }
394
395 /*
396 * calculate the round constants
397 */
398 for( i = 0, x = 1; i < 10; i++ )
399 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]400 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]401 x = XTIME( x ) & 0xFF;
402 }
403
404 /*
405 * generate the forward and reverse S-boxes
406 */
407 FSb[0x00] = 0x63;
408 RSb[0x63] = 0x00;
409
410 for( i = 1; i < 256; i++ )
411 {
412 x = pow[255 - log[i]];
413
414 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
415 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
416 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
417 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
418 x ^= y ^ 0x63;
419
420 FSb[i] = (unsigned char) x;
421 RSb[x] = (unsigned char) i;
422 }
423
424 /*
425 * generate the forward and reverse tables
426 */
427 for( i = 0; i < 256; i++ )
428 {
429 x = FSb[i];
430 y = XTIME( x ) & 0xFF;
431 z = ( y ^ x ) & 0xFF;
432
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]433 FT0[i] = ( (uint32_t) y ) ^
434 ( (uint32_t) x << 8 ) ^
435 ( (uint32_t) x << 16 ) ^
436 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]437
438 FT1[i] = ROTL8( FT0[i] );
439 FT2[i] = ROTL8( FT1[i] );
440 FT3[i] = ROTL8( FT2[i] );
441
442 x = RSb[i];
443
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]444 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
445 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
446 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
447 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]448
449 RT1[i] = ROTL8( RT0[i] );
450 RT2[i] = ROTL8( RT1[i] );
451 RT3[i] = ROTL8( RT2[i] );
452 }
453}
454
455#endif
456
457/*
458 * AES key schedule (encryption)
459 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]460int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]461{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]462 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]463 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]464
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]465#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]466 if( aes_init_done == 0 )
467 {
468 aes_gen_tables();
469 aes_init_done = 1;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]470
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]471 }
472#endif
473
474 switch( keysize )
475 {
476 case 128: ctx->nr = 10; break;
477 case 192: ctx->nr = 12; break;
478 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]479 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]480 }
481
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]482#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
483 if( aes_padlock_ace == -1 )
484 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
485
486 if( aes_padlock_ace )
487 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
488 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]489#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]490 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]491
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]492#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
493 if( aesni_supports( POLARSSL_AESNI_AES ) )
Manuel Pégourié-Gonnardbfa3c9a2013-12-30 13:53:58 +0100[diff] [blame]494 return( aesni_setkey_enc( (unsigned char *) ctx->rk, key, keysize ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]495#endif
496
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]497 for( i = 0; i < (keysize >> 5); i++ )
498 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]499 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]500 }
501
502 switch( ctx->nr )
503 {
504 case 10:
505
506 for( i = 0; i < 10; i++, RK += 4 )
507 {
508 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]509 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
510 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
511 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
512 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]513
514 RK[5] = RK[1] ^ RK[4];
515 RK[6] = RK[2] ^ RK[5];
516 RK[7] = RK[3] ^ RK[6];
517 }
518 break;
519
520 case 12:
521
522 for( i = 0; i < 8; i++, RK += 6 )
523 {
524 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]525 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
526 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
527 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
528 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]529
530 RK[7] = RK[1] ^ RK[6];
531 RK[8] = RK[2] ^ RK[7];
532 RK[9] = RK[3] ^ RK[8];
533 RK[10] = RK[4] ^ RK[9];
534 RK[11] = RK[5] ^ RK[10];
535 }
536 break;
537
538 case 14:
539
540 for( i = 0; i < 7; i++, RK += 8 )
541 {
542 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]543 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
544 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
545 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
546 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]547
548 RK[9] = RK[1] ^ RK[8];
549 RK[10] = RK[2] ^ RK[9];
550 RK[11] = RK[3] ^ RK[10];
551
552 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]553 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
554 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
555 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
556 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]557
558 RK[13] = RK[5] ^ RK[12];
559 RK[14] = RK[6] ^ RK[13];
560 RK[15] = RK[7] ^ RK[14];
561 }
562 break;
563
564 default:
565
566 break;
567 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]568
569 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]570}
571
572/*
573 * AES key schedule (decryption)
574 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]575int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]576{
577 int i, j;
578 aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]579 uint32_t *RK;
580 uint32_t *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]581 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]582
583 switch( keysize )
584 {
585 case 128: ctx->nr = 10; break;
586 case 192: ctx->nr = 12; break;
587 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]588 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]589 }
590
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]591#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
592 if( aes_padlock_ace == -1 )
593 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
594
595 if( aes_padlock_ace )
596 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
597 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]598#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]599 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]600
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]601 ret = aes_setkey_enc( &cty, key, keysize );
602 if( ret != 0 )
603 return( ret );
604
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]605#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
606 if( aesni_supports( POLARSSL_AESNI_AES ) )
607 {
608 aesni_inverse_key( (unsigned char *) ctx->rk,
609 (const unsigned char *) cty.rk, ctx->nr );
610 goto done;
611 }
612#endif
613
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]614 SK = cty.rk + cty.nr * 4;
615
616 *RK++ = *SK++;
617 *RK++ = *SK++;
618 *RK++ = *SK++;
619 *RK++ = *SK++;
620
621 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
622 {
623 for( j = 0; j < 4; j++, SK++ )
624 {
625 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
626 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
627 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
628 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
629 }
630 }
631
632 *RK++ = *SK++;
633 *RK++ = *SK++;
634 *RK++ = *SK++;
635 *RK++ = *SK++;
636
Paul Bakker0d0de922013-12-30 15:29:04 +0100[diff] [blame]637#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]638done:
Paul Bakker0d0de922013-12-30 15:29:04 +0100[diff] [blame]639#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]640 memset( &cty, 0, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]641
642 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]643}
644
645#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
646{ \
647 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
648 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
649 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
650 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
651 \
652 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
653 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
654 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
655 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
656 \
657 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
658 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
659 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
660 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
661 \
662 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
663 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
664 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
665 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
666}
667
668#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
669{ \
670 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
671 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
672 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
673 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
674 \
675 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
676 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
677 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
678 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
679 \
680 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
681 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
682 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
683 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
684 \
685 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
686 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
687 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
688 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
689}
690
691/*
692 * AES-ECB block encryption/decryption
693 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]694int aes_crypt_ecb( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]695 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]696 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]697 unsigned char output[16] )
698{
699 int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]700 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]701
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]702#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
Manuel Pégourié-Gonnard8eaf20b2013-12-18 19:14:53 +0100[diff] [blame]703 if( aesni_supports( POLARSSL_AESNI_AES ) )
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]704 return( aesni_crypt_ecb( ctx, mode, input, output ) );
705#endif
706
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]707#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]708 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]709 {
710 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]711 return( 0 );
712
713 // If padlock data misaligned, we just fall back to
714 // unaccelerated mode
715 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]716 }
717#endif
718
719 RK = ctx->rk;
720
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]721 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
722 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
723 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
724 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]725
726 if( mode == AES_DECRYPT )
727 {
728 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
729 {
730 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
731 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
732 }
733
734 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
735
736 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]737 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
738 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
739 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
740 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]741
742 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]743 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
744 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
745 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
746 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]747
748 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]749 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
750 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
751 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
752 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]753
754 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]755 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
756 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
757 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
758 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]759 }
760 else /* AES_ENCRYPT */
761 {
762 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
763 {
764 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
765 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
766 }
767
768 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
769
770 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]771 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
772 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
773 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
774 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]775
776 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]777 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
778 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
779 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
780 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]781
782 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]783 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
784 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
785 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
786 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]787
788 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]789 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
790 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
791 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
792 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]793 }
794
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]795 PUT_UINT32_LE( X0, output, 0 );
796 PUT_UINT32_LE( X1, output, 4 );
797 PUT_UINT32_LE( X2, output, 8 );
798 PUT_UINT32_LE( X3, output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]799
800 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]801}
802
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]803#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]804/*
805 * AES-CBC buffer encryption/decryption
806 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]807int aes_crypt_cbc( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]808 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]809 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]810 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]811 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]812 unsigned char *output )
813{
814 int i;
815 unsigned char temp[16];
816
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]817 if( length % 16 )
818 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
819
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]820#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]821 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]822 {
823 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]824 return( 0 );
825
826 // If padlock data misaligned, we just fall back to
827 // unaccelerated mode
828 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]829 }
830#endif
831
832 if( mode == AES_DECRYPT )
833 {
834 while( length > 0 )
835 {
836 memcpy( temp, input, 16 );
837 aes_crypt_ecb( ctx, mode, input, output );
838
839 for( i = 0; i < 16; i++ )
840 output[i] = (unsigned char)( output[i] ^ iv[i] );
841
842 memcpy( iv, temp, 16 );
843
844 input += 16;
845 output += 16;
846 length -= 16;
847 }
848 }
849 else
850 {
851 while( length > 0 )
852 {
853 for( i = 0; i < 16; i++ )
854 output[i] = (unsigned char)( input[i] ^ iv[i] );
855
856 aes_crypt_ecb( ctx, mode, output, output );
857 memcpy( iv, output, 16 );
858
859 input += 16;
860 output += 16;
861 length -= 16;
862 }
863 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]864
865 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]866}
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]867#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]868
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]869#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]870/*
871 * AES-CFB128 buffer encryption/decryption
872 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]873int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]874 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]875 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]876 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]877 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]878 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]879 unsigned char *output )
880{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]881 int c;
882 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]883
884 if( mode == AES_DECRYPT )
885 {
886 while( length-- )
887 {
888 if( n == 0 )
889 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
890
891 c = *input++;
892 *output++ = (unsigned char)( c ^ iv[n] );
893 iv[n] = (unsigned char) c;
894
895 n = (n + 1) & 0x0F;
896 }
897 }
898 else
899 {
900 while( length-- )
901 {
902 if( n == 0 )
903 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
904
905 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
906
907 n = (n + 1) & 0x0F;
908 }
909 }
910
911 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]912
913 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]914}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]915
916/*
917 * AES-CFB8 buffer encryption/decryption
918 */
919#include <stdio.h>
920int aes_crypt_cfb8( aes_context *ctx,
921 int mode,
922 size_t length,
923 unsigned char iv[16],
924 const unsigned char *input,
925 unsigned char *output )
926{
927 unsigned char c;
928 unsigned char ov[17];
929
930 while( length-- )
931 {
932 memcpy(ov, iv, 16);
933 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
934
935 if( mode == AES_DECRYPT )
936 ov[16] = *input;
937
938 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
939
940 if( mode == AES_ENCRYPT )
941 ov[16] = c;
942
943 memcpy(iv, ov + 1, 16);
944 }
945
946 return( 0 );
947}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]948#endif /*POLARSSL_CIPHER_MODE_CFB */
949
950#if defined(POLARSSL_CIPHER_MODE_CTR)
951/*
952 * AES-CTR buffer encryption/decryption
953 */
954int aes_crypt_ctr( aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]955 size_t length,
956 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]957 unsigned char nonce_counter[16],
958 unsigned char stream_block[16],
959 const unsigned char *input,
960 unsigned char *output )
961{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]962 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]963 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]964
965 while( length-- )
966 {
967 if( n == 0 ) {
968 aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
969
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]970 for( i = 16; i > 0; i-- )
971 if( ++nonce_counter[i - 1] != 0 )
972 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]973 }
974 c = *input++;
975 *output++ = (unsigned char)( c ^ stream_block[n] );
976
977 n = (n + 1) & 0x0F;
978 }
979
980 *nc_off = n;
981
982 return( 0 );
983}
984#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]985#endif /* !POLARSSL_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]986
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]987#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]988
989#include <stdio.h>
990
991/*
992 * AES test vectors from:
993 *
994 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
995 */
996static const unsigned char aes_test_ecb_dec[3][16] =
997{
998 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
999 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1000 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1001 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1002 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1003 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1004};
1005
1006static const unsigned char aes_test_ecb_enc[3][16] =
1007{
1008 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1009 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1010 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1011 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1012 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1013 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1014};
1015
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1016#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1017static const unsigned char aes_test_cbc_dec[3][16] =
1018{
1019 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1020 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1021 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1022 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1023 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1024 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1025};
1026
1027static const unsigned char aes_test_cbc_enc[3][16] =
1028{
1029 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1030 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1031 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1032 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1033 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1034 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1035};
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1036#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1037
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1038#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1039/*
1040 * AES-CFB128 test vectors from:
1041 *
1042 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1043 */
1044static const unsigned char aes_test_cfb128_key[3][32] =
1045{
1046 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1047 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1048 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1049 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1050 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1051 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1052 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1053 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1054 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1055};
1056
1057static const unsigned char aes_test_cfb128_iv[16] =
1058{
1059 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1060 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1061};
1062
1063static const unsigned char aes_test_cfb128_pt[64] =
1064{
1065 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1066 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1067 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1068 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1069 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1070 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1071 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1072 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1073};
1074
1075static const unsigned char aes_test_cfb128_ct[3][64] =
1076{
1077 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1078 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1079 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1080 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1081 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1082 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1083 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1084 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1085 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1086 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1087 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1088 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1089 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1090 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1091 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1092 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1093 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1094 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1095 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1096 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1097 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1098 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1099 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1100 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1101};
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1102#endif /* POLARSSL_CIPHER_MODE_CFB */
1103
1104#if defined(POLARSSL_CIPHER_MODE_CTR)
1105/*
1106 * AES-CTR test vectors from:
1107 *
1108 * http://www.faqs.org/rfcs/rfc3686.html
1109 */
1110
1111static const unsigned char aes_test_ctr_key[3][16] =
1112{
1113 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1114 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1115 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1116 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1117 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1118 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1119};
1120
1121static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1122{
1123 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1124 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1125 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1126 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1127 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1128 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1129};
1130
1131static const unsigned char aes_test_ctr_pt[3][48] =
1132{
1133 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1134 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1135
1136 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1137 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1138 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1139 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1140
1141 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1142 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1143 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1144 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1145 0x20, 0x21, 0x22, 0x23 }
1146};
1147
1148static const unsigned char aes_test_ctr_ct[3][48] =
1149{
1150 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1151 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1152 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1153 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1154 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1155 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1156 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1157 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1158 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1159 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1160 0x25, 0xB2, 0x07, 0x2F }
1161};
1162
1163static const int aes_test_ctr_len[3] =
1164 { 16, 32, 36 };
1165#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1166
1167/*
1168 * Checkup routine
1169 */
1170int aes_self_test( int verbose )
1171{
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1172 int i, j, u, v;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1173 unsigned char key[32];
1174 unsigned char buf[64];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1175 unsigned char iv[16];
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1176#if defined(POLARSSL_CIPHER_MODE_CBC)
1177 unsigned char prv[16];
1178#endif
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1179#if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1180 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1181#endif
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1182#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1183 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1184 unsigned char nonce_counter[16];
1185 unsigned char stream_block[16];
1186#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1187 aes_context ctx;
1188
1189 memset( key, 0, 32 );
1190
1191 /*
1192 * ECB mode
1193 */
1194 for( i = 0; i < 6; i++ )
1195 {
1196 u = i >> 1;
1197 v = i & 1;
1198
1199 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1200 polarssl_printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1201 ( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1202
1203 memset( buf, 0, 16 );
1204
1205 if( v == AES_DECRYPT )
1206 {
1207 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1208
1209 for( j = 0; j < 10000; j++ )
1210 aes_crypt_ecb( &ctx, v, buf, buf );
1211
1212 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1213 {
1214 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1215 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1216
1217 return( 1 );
1218 }
1219 }
1220 else
1221 {
1222 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1223
1224 for( j = 0; j < 10000; j++ )
1225 aes_crypt_ecb( &ctx, v, buf, buf );
1226
1227 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1228 {
1229 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1230 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1231
1232 return( 1 );
1233 }
1234 }
1235
1236 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1237 polarssl_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1238 }
1239
1240 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1241 polarssl_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1242
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1243#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1244 /*
1245 * CBC mode
1246 */
1247 for( i = 0; i < 6; i++ )
1248 {
1249 u = i >> 1;
1250 v = i & 1;
1251
1252 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1253 polarssl_printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1254 ( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1255
1256 memset( iv , 0, 16 );
1257 memset( prv, 0, 16 );
1258 memset( buf, 0, 16 );
1259
1260 if( v == AES_DECRYPT )
1261 {
1262 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1263
1264 for( j = 0; j < 10000; j++ )
1265 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1266
1267 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1268 {
1269 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1270 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1271
1272 return( 1 );
1273 }
1274 }
1275 else
1276 {
1277 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1278
1279 for( j = 0; j < 10000; j++ )
1280 {
1281 unsigned char tmp[16];
1282
1283 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1284
1285 memcpy( tmp, prv, 16 );
1286 memcpy( prv, buf, 16 );
1287 memcpy( buf, tmp, 16 );
1288 }
1289
1290 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1291 {
1292 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1293 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1294
1295 return( 1 );
1296 }
1297 }
1298
1299 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1300 polarssl_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1301 }
1302
1303 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1304 polarssl_printf( "\n" );
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1305#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1306
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1307#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1308 /*
1309 * CFB128 mode
1310 */
1311 for( i = 0; i < 6; i++ )
1312 {
1313 u = i >> 1;
1314 v = i & 1;
1315
1316 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1317 polarssl_printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1318 ( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1319
1320 memcpy( iv, aes_test_cfb128_iv, 16 );
1321 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1322
1323 offset = 0;
1324 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1325
1326 if( v == AES_DECRYPT )
1327 {
1328 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1329 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1330
1331 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1332 {
1333 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1334 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1335
1336 return( 1 );
1337 }
1338 }
1339 else
1340 {
1341 memcpy( buf, aes_test_cfb128_pt, 64 );
1342 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1343
1344 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1345 {
1346 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1347 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1348
1349 return( 1 );
1350 }
1351 }
1352
1353 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1354 polarssl_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1355 }
1356
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1357 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1358 polarssl_printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1359#endif /* POLARSSL_CIPHER_MODE_CFB */
1360
1361#if defined(POLARSSL_CIPHER_MODE_CTR)
1362 /*
1363 * CTR mode
1364 */
1365 for( i = 0; i < 6; i++ )
1366 {
1367 u = i >> 1;
1368 v = i & 1;
1369
1370 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1371 polarssl_printf( " AES-CTR-128 (%s): ",
1372 ( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1373
1374 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1375 memcpy( key, aes_test_ctr_key[u], 16 );
1376
1377 offset = 0;
1378 aes_setkey_enc( &ctx, key, 128 );
1379
1380 if( v == AES_DECRYPT )
1381 {
1382 len = aes_test_ctr_len[u];
1383 memcpy( buf, aes_test_ctr_ct[u], len );
1384
1385 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1386
1387 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1388 {
1389 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1390 polarssl_printf( "failed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1391
1392 return( 1 );
1393 }
1394 }
1395 else
1396 {
1397 len = aes_test_ctr_len[u];
1398 memcpy( buf, aes_test_ctr_pt[u], len );
1399
1400 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1401
1402 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1403 {
1404 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1405 polarssl_printf( "failed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1406
1407 return( 1 );
1408 }
1409 }
1410
1411 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1412 polarssl_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1413 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1414
1415 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1416 polarssl_printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1417#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1418
1419 return( 0 );
1420}
1421
1422#endif
1423
1424#endif