blob: 7fc7af4a2efa14e85f13abb96027cd085973ab06 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +00001/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakker7dc4c442014-02-01 22:50:26 +01004 * Copyright (C) 2006-2014, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +00005 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +00007 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +00008 *
Paul Bakker77b385e2009-07-28 17:23:11 +00009 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +000010 *
Paul Bakker5121ce52009-01-03 21:22:43 +000011 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27 *
28 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30 */
31
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +020032#if !defined(POLARSSL_CONFIG_FILE)
Paul Bakker40e46942009-01-03 21:51:57 +000033#include "polarssl/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +020034#else
35#include POLARSSL_CONFIG_FILE
36#endif
Paul Bakker5121ce52009-01-03 21:22:43 +000037
Paul Bakker40e46942009-01-03 21:51:57 +000038#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +000039
Paul Bakker40e46942009-01-03 21:51:57 +000040#include "polarssl/aes.h"
Paul Bakker67820bd2012-06-04 12:47:23 +000041#if defined(POLARSSL_PADLOCK_C)
Paul Bakker40e46942009-01-03 21:51:57 +000042#include "polarssl/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +000043#endif
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +010044#if defined(POLARSSL_AESNI_C)
45#include "polarssl/aesni.h"
46#endif
Paul Bakker5121ce52009-01-03 21:22:43 +000047
Paul Bakker7dc4c442014-02-01 22:50:26 +010048#if defined(POLARSSL_PLATFORM_C)
49#include "polarssl/platform.h"
50#else
51#define polarssl_printf printf
52#endif
53
Paul Bakker90995b52013-06-24 19:20:35 +020054#if !defined(POLARSSL_AES_ALT)
55
Paul Bakker5121ce52009-01-03 21:22:43 +000056/*
57 * 32-bit integer manipulation macros (little endian)
58 */
Paul Bakker5c2364c2012-10-01 14:41:15 +000059#ifndef GET_UINT32_LE
60#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +000061{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +000062 (n) = ( (uint32_t) (b)[(i) ] ) \
63 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
64 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
65 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +000066}
67#endif
68
Paul Bakker5c2364c2012-10-01 14:41:15 +000069#ifndef PUT_UINT32_LE
70#define PUT_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +000071{ \
72 (b)[(i) ] = (unsigned char) ( (n) ); \
73 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
74 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
75 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
76}
77#endif
78
Paul Bakker0e19e9f2012-10-01 11:02:48 +000079#if defined(POLARSSL_PADLOCK_C) && \
80 ( defined(POLARSSL_HAVE_X86) || defined(PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +000081static int aes_padlock_ace = -1;
82#endif
83
Paul Bakker40e46942009-01-03 21:51:57 +000084#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +000085/*
86 * Forward S-box
87 */
88static const unsigned char FSb[256] =
89{
90 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
91 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
92 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
93 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
94 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
95 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
96 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
97 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
98 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
99 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
100 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
101 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
102 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
103 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
104 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
105 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
106 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
107 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
108 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
109 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
110 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
111 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
112 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
113 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
114 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
115 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
116 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
117 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
118 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
119 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
120 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
121 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
122};
123
124/*
125 * Forward tables
126 */
127#define FT \
128\
129 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
130 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
131 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
132 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
133 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
134 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
135 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
136 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
137 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
138 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
139 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
140 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
141 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
142 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
143 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
144 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
145 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
146 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
147 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
148 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
149 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
150 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
151 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
152 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
153 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
154 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
155 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
156 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
157 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
158 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
159 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
160 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
161 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
162 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
163 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
164 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
165 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
166 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
167 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
168 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
169 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
170 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
171 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
172 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
173 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
174 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
175 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
176 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
177 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
178 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
179 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
180 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
181 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
182 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
183 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
184 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
185 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
186 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
187 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
188 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
189 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
190 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
191 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
192 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
193
194#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000195static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000196#undef V
197
198#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000199static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000200#undef V
201
202#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000203static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000204#undef V
205
206#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000207static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000208#undef V
209
210#undef FT
211
212/*
213 * Reverse S-box
214 */
215static const unsigned char RSb[256] =
216{
217 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
218 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
219 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
220 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
221 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
222 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
223 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
224 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
225 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
226 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
227 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
228 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
229 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
230 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
231 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
232 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
233 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
234 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
235 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
236 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
237 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
238 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
239 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
240 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
241 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
242 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
243 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
244 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
245 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
246 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
247 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
248 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
249};
250
251/*
252 * Reverse tables
253 */
254#define RT \
255\
256 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
257 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
258 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
259 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
260 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
261 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
262 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
263 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
264 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
265 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
266 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
267 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
268 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
269 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
270 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
271 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
272 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
273 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
274 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
275 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
276 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
277 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
278 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
279 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
280 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
281 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
282 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
283 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
284 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
285 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
286 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
287 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
288 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
289 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
290 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
291 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
292 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
293 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
294 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
295 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
296 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
297 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
298 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
299 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
300 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
301 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
302 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
303 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
304 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
305 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
306 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
307 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
308 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
309 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
310 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
311 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
312 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
313 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
314 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
315 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
316 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
317 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
318 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
319 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
320
321#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000322static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000323#undef V
324
325#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000326static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000327#undef V
328
329#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000330static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000331#undef V
332
333#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000334static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000335#undef V
336
337#undef RT
338
339/*
340 * Round constants
341 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000342static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000343{
344 0x00000001, 0x00000002, 0x00000004, 0x00000008,
345 0x00000010, 0x00000020, 0x00000040, 0x00000080,
346 0x0000001B, 0x00000036
347};
348
Paul Bakker9af723c2014-05-01 13:03:14 +0200349#else /* POLARSSL_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000350
351/*
352 * Forward S-box & tables
353 */
354static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200355static uint32_t FT0[256];
356static uint32_t FT1[256];
357static uint32_t FT2[256];
358static uint32_t FT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000359
360/*
361 * Reverse S-box & tables
362 */
363static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000364static uint32_t RT0[256];
365static uint32_t RT1[256];
366static uint32_t RT2[256];
367static uint32_t RT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000368
369/*
370 * Round constants
371 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000372static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000373
374/*
375 * Tables generation code
376 */
377#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
378#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
379#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
380
381static int aes_init_done = 0;
382
383static void aes_gen_tables( void )
384{
385 int i, x, y, z;
386 int pow[256];
387 int log[256];
388
389 /*
390 * compute pow and log tables over GF(2^8)
391 */
392 for( i = 0, x = 1; i < 256; i++ )
393 {
394 pow[i] = x;
395 log[x] = i;
396 x = ( x ^ XTIME( x ) ) & 0xFF;
397 }
398
399 /*
400 * calculate the round constants
401 */
402 for( i = 0, x = 1; i < 10; i++ )
403 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000404 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000405 x = XTIME( x ) & 0xFF;
406 }
407
408 /*
409 * generate the forward and reverse S-boxes
410 */
411 FSb[0x00] = 0x63;
412 RSb[0x63] = 0x00;
413
414 for( i = 1; i < 256; i++ )
415 {
416 x = pow[255 - log[i]];
417
418 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
419 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
420 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
421 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
422 x ^= y ^ 0x63;
423
424 FSb[i] = (unsigned char) x;
425 RSb[x] = (unsigned char) i;
426 }
427
428 /*
429 * generate the forward and reverse tables
430 */
431 for( i = 0; i < 256; i++ )
432 {
433 x = FSb[i];
434 y = XTIME( x ) & 0xFF;
435 z = ( y ^ x ) & 0xFF;
436
Paul Bakker5c2364c2012-10-01 14:41:15 +0000437 FT0[i] = ( (uint32_t) y ) ^
438 ( (uint32_t) x << 8 ) ^
439 ( (uint32_t) x << 16 ) ^
440 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000441
442 FT1[i] = ROTL8( FT0[i] );
443 FT2[i] = ROTL8( FT1[i] );
444 FT3[i] = ROTL8( FT2[i] );
445
446 x = RSb[i];
447
Paul Bakker5c2364c2012-10-01 14:41:15 +0000448 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
449 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
450 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
451 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000452
453 RT1[i] = ROTL8( RT0[i] );
454 RT2[i] = ROTL8( RT1[i] );
455 RT3[i] = ROTL8( RT2[i] );
456 }
457}
458
Paul Bakker9af723c2014-05-01 13:03:14 +0200459#endif /* POLARSSL_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000460
461/*
462 * AES key schedule (encryption)
463 */
Paul Bakker23986e52011-04-24 08:57:21 +0000464int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000465{
Paul Bakker23986e52011-04-24 08:57:21 +0000466 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000467 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000468
Paul Bakker40e46942009-01-03 21:51:57 +0000469#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000470 if( aes_init_done == 0 )
471 {
472 aes_gen_tables();
473 aes_init_done = 1;
Paul Bakker048d04e2012-02-12 17:31:04 +0000474
Paul Bakker5121ce52009-01-03 21:22:43 +0000475 }
476#endif
477
478 switch( keysize )
479 {
480 case 128: ctx->nr = 10; break;
481 case 192: ctx->nr = 12; break;
482 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000483 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000484 }
485
Paul Bakker048d04e2012-02-12 17:31:04 +0000486#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
487 if( aes_padlock_ace == -1 )
488 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
489
490 if( aes_padlock_ace )
491 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
492 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000493#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000494 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000495
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100496#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
497 if( aesni_supports( POLARSSL_AESNI_AES ) )
Manuel Pégourié-Gonnardbfa3c9a2013-12-30 13:53:58 +0100498 return( aesni_setkey_enc( (unsigned char *) ctx->rk, key, keysize ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100499#endif
500
Paul Bakker5121ce52009-01-03 21:22:43 +0000501 for( i = 0; i < (keysize >> 5); i++ )
502 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000503 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000504 }
505
506 switch( ctx->nr )
507 {
508 case 10:
509
510 for( i = 0; i < 10; i++, RK += 4 )
511 {
512 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000513 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
514 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
515 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
516 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000517
518 RK[5] = RK[1] ^ RK[4];
519 RK[6] = RK[2] ^ RK[5];
520 RK[7] = RK[3] ^ RK[6];
521 }
522 break;
523
524 case 12:
525
526 for( i = 0; i < 8; i++, RK += 6 )
527 {
528 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000529 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
530 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
531 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
532 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000533
534 RK[7] = RK[1] ^ RK[6];
535 RK[8] = RK[2] ^ RK[7];
536 RK[9] = RK[3] ^ RK[8];
537 RK[10] = RK[4] ^ RK[9];
538 RK[11] = RK[5] ^ RK[10];
539 }
540 break;
541
542 case 14:
543
544 for( i = 0; i < 7; i++, RK += 8 )
545 {
546 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000547 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
548 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
549 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
550 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000551
552 RK[9] = RK[1] ^ RK[8];
553 RK[10] = RK[2] ^ RK[9];
554 RK[11] = RK[3] ^ RK[10];
555
556 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000557 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
558 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
559 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
560 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000561
562 RK[13] = RK[5] ^ RK[12];
563 RK[14] = RK[6] ^ RK[13];
564 RK[15] = RK[7] ^ RK[14];
565 }
566 break;
567
568 default:
569
570 break;
571 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000572
573 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000574}
575
576/*
577 * AES key schedule (decryption)
578 */
Paul Bakker23986e52011-04-24 08:57:21 +0000579int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000580{
581 int i, j;
582 aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000583 uint32_t *RK;
584 uint32_t *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000585 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000586
587 switch( keysize )
588 {
589 case 128: ctx->nr = 10; break;
590 case 192: ctx->nr = 12; break;
591 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000592 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000593 }
594
Paul Bakker048d04e2012-02-12 17:31:04 +0000595#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
596 if( aes_padlock_ace == -1 )
597 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
598
599 if( aes_padlock_ace )
600 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
601 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000602#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000603 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000604
Paul Bakker2b222c82009-07-27 21:03:45 +0000605 ret = aes_setkey_enc( &cty, key, keysize );
606 if( ret != 0 )
607 return( ret );
608
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100609#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
610 if( aesni_supports( POLARSSL_AESNI_AES ) )
611 {
612 aesni_inverse_key( (unsigned char *) ctx->rk,
613 (const unsigned char *) cty.rk, ctx->nr );
614 goto done;
615 }
616#endif
617
Paul Bakker5121ce52009-01-03 21:22:43 +0000618 SK = cty.rk + cty.nr * 4;
619
620 *RK++ = *SK++;
621 *RK++ = *SK++;
622 *RK++ = *SK++;
623 *RK++ = *SK++;
624
625 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
626 {
627 for( j = 0; j < 4; j++, SK++ )
628 {
629 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
630 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
631 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
632 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
633 }
634 }
635
636 *RK++ = *SK++;
637 *RK++ = *SK++;
638 *RK++ = *SK++;
639 *RK++ = *SK++;
640
Paul Bakker0d0de922013-12-30 15:29:04 +0100641#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100642done:
Paul Bakker0d0de922013-12-30 15:29:04 +0100643#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000644 memset( &cty, 0, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000645
646 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000647}
648
649#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
650{ \
651 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
652 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
653 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
654 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
655 \
656 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
657 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
658 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
659 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
660 \
661 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
662 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
663 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
664 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
665 \
666 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
667 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
668 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
669 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
670}
671
672#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
673{ \
674 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
675 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
676 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
677 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
678 \
679 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
680 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
681 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
682 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
683 \
684 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
685 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
686 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
687 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
688 \
689 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
690 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
691 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
692 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
693}
694
695/*
696 * AES-ECB block encryption/decryption
697 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000698int aes_crypt_ecb( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000699 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000700 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000701 unsigned char output[16] )
702{
703 int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000704 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
Paul Bakker5121ce52009-01-03 21:22:43 +0000705
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100706#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
Manuel Pégourié-Gonnard8eaf20b2013-12-18 19:14:53 +0100707 if( aesni_supports( POLARSSL_AESNI_AES ) )
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100708 return( aesni_crypt_ecb( ctx, mode, input, output ) );
709#endif
710
Paul Bakker40e46942009-01-03 21:51:57 +0000711#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000712 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000713 {
714 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000715 return( 0 );
716
717 // If padlock data misaligned, we just fall back to
718 // unaccelerated mode
719 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000720 }
721#endif
722
723 RK = ctx->rk;
724
Paul Bakker5c2364c2012-10-01 14:41:15 +0000725 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
726 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
727 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
728 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
Paul Bakker5121ce52009-01-03 21:22:43 +0000729
730 if( mode == AES_DECRYPT )
731 {
732 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
733 {
734 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
735 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
736 }
737
738 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
739
740 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000741 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
742 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
743 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
744 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000745
746 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000747 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
748 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
749 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
750 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000751
752 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000753 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
754 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
755 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
756 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000757
758 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000759 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
760 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
761 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
762 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000763 }
764 else /* AES_ENCRYPT */
765 {
766 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
767 {
768 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
769 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
770 }
771
772 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
773
774 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000775 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
776 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
777 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
778 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000779
780 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000781 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
782 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
783 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
784 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000785
786 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000787 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
788 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
789 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
790 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000791
792 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000793 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
794 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
795 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
796 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000797 }
798
Paul Bakker5c2364c2012-10-01 14:41:15 +0000799 PUT_UINT32_LE( X0, output, 0 );
800 PUT_UINT32_LE( X1, output, 4 );
801 PUT_UINT32_LE( X2, output, 8 );
802 PUT_UINT32_LE( X3, output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000803
804 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000805}
806
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200807#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000808/*
809 * AES-CBC buffer encryption/decryption
810 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000811int aes_crypt_cbc( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000812 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000813 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000814 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000815 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000816 unsigned char *output )
817{
818 int i;
819 unsigned char temp[16];
820
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000821 if( length % 16 )
822 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
823
Paul Bakker40e46942009-01-03 21:51:57 +0000824#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000825 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000826 {
827 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000828 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200829
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000830 // If padlock data misaligned, we just fall back to
831 // unaccelerated mode
832 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000833 }
834#endif
835
836 if( mode == AES_DECRYPT )
837 {
838 while( length > 0 )
839 {
840 memcpy( temp, input, 16 );
841 aes_crypt_ecb( ctx, mode, input, output );
842
843 for( i = 0; i < 16; i++ )
844 output[i] = (unsigned char)( output[i] ^ iv[i] );
845
846 memcpy( iv, temp, 16 );
847
848 input += 16;
849 output += 16;
850 length -= 16;
851 }
852 }
853 else
854 {
855 while( length > 0 )
856 {
857 for( i = 0; i < 16; i++ )
858 output[i] = (unsigned char)( input[i] ^ iv[i] );
859
860 aes_crypt_ecb( ctx, mode, output, output );
861 memcpy( iv, output, 16 );
862
863 input += 16;
864 output += 16;
865 length -= 16;
866 }
867 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000868
869 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000870}
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200871#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000872
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000873#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000874/*
875 * AES-CFB128 buffer encryption/decryption
876 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000877int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000878 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000879 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000880 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000881 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000882 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000883 unsigned char *output )
884{
Paul Bakker27fdf462011-06-09 13:55:13 +0000885 int c;
886 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000887
888 if( mode == AES_DECRYPT )
889 {
890 while( length-- )
891 {
892 if( n == 0 )
893 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
894
895 c = *input++;
896 *output++ = (unsigned char)( c ^ iv[n] );
897 iv[n] = (unsigned char) c;
898
899 n = (n + 1) & 0x0F;
900 }
901 }
902 else
903 {
904 while( length-- )
905 {
906 if( n == 0 )
907 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
908
909 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
910
911 n = (n + 1) & 0x0F;
912 }
913 }
914
915 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000916
917 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000918}
Paul Bakker556efba2014-01-24 15:38:12 +0100919
920/*
921 * AES-CFB8 buffer encryption/decryption
922 */
923#include <stdio.h>
924int aes_crypt_cfb8( aes_context *ctx,
925 int mode,
926 size_t length,
927 unsigned char iv[16],
928 const unsigned char *input,
929 unsigned char *output )
930{
931 unsigned char c;
932 unsigned char ov[17];
933
934 while( length-- )
935 {
936 memcpy(ov, iv, 16);
937 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
938
939 if( mode == AES_DECRYPT )
940 ov[16] = *input;
941
942 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
943
944 if( mode == AES_ENCRYPT )
945 ov[16] = c;
946
947 memcpy(iv, ov + 1, 16);
948 }
949
950 return( 0 );
951}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000952#endif /*POLARSSL_CIPHER_MODE_CFB */
953
954#if defined(POLARSSL_CIPHER_MODE_CTR)
955/*
956 * AES-CTR buffer encryption/decryption
957 */
958int aes_crypt_ctr( aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000959 size_t length,
960 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000961 unsigned char nonce_counter[16],
962 unsigned char stream_block[16],
963 const unsigned char *input,
964 unsigned char *output )
965{
Paul Bakker369e14b2012-04-18 14:16:09 +0000966 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000967 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000968
969 while( length-- )
970 {
971 if( n == 0 ) {
972 aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
973
Paul Bakker369e14b2012-04-18 14:16:09 +0000974 for( i = 16; i > 0; i-- )
975 if( ++nonce_counter[i - 1] != 0 )
976 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000977 }
978 c = *input++;
979 *output++ = (unsigned char)( c ^ stream_block[n] );
980
981 n = (n + 1) & 0x0F;
982 }
983
984 *nc_off = n;
985
986 return( 0 );
987}
988#endif /* POLARSSL_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100989
Paul Bakker90995b52013-06-24 19:20:35 +0200990#endif /* !POLARSSL_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000991
Paul Bakker40e46942009-01-03 21:51:57 +0000992#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000993
994#include <stdio.h>
995
996/*
997 * AES test vectors from:
998 *
999 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1000 */
1001static const unsigned char aes_test_ecb_dec[3][16] =
1002{
1003 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1004 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1005 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1006 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1007 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1008 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1009};
1010
1011static const unsigned char aes_test_ecb_enc[3][16] =
1012{
1013 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1014 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1015 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1016 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1017 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1018 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1019};
1020
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +02001021#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +00001022static const unsigned char aes_test_cbc_dec[3][16] =
1023{
1024 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1025 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1026 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1027 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1028 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1029 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1030};
1031
1032static const unsigned char aes_test_cbc_enc[3][16] =
1033{
1034 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1035 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1036 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1037 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1038 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1039 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1040};
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +02001041#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +00001042
Paul Bakkerb6ecaf52011-04-19 14:29:23 +00001043#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +00001044/*
1045 * AES-CFB128 test vectors from:
1046 *
1047 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1048 */
1049static const unsigned char aes_test_cfb128_key[3][32] =
1050{
1051 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1052 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1053 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1054 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1055 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1056 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1057 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1058 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1059 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1060};
1061
1062static const unsigned char aes_test_cfb128_iv[16] =
1063{
1064 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1065 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1066};
1067
1068static const unsigned char aes_test_cfb128_pt[64] =
1069{
1070 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1071 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1072 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1073 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1074 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1075 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1076 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1077 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1078};
1079
1080static const unsigned char aes_test_cfb128_ct[3][64] =
1081{
1082 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1083 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1084 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1085 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1086 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1087 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1088 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1089 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1090 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1091 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1092 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1093 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1094 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1095 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1096 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1097 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1098 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1099 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1100 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1101 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1102 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1103 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1104 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1105 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1106};
Paul Bakkerb6ecaf52011-04-19 14:29:23 +00001107#endif /* POLARSSL_CIPHER_MODE_CFB */
1108
1109#if defined(POLARSSL_CIPHER_MODE_CTR)
1110/*
1111 * AES-CTR test vectors from:
1112 *
1113 * http://www.faqs.org/rfcs/rfc3686.html
1114 */
1115
1116static const unsigned char aes_test_ctr_key[3][16] =
1117{
1118 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1119 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1120 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1121 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1122 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1123 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1124};
1125
1126static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1127{
1128 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1129 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1130 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1131 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1132 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1133 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1134};
1135
1136static const unsigned char aes_test_ctr_pt[3][48] =
1137{
1138 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1139 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1140
1141 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1142 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1143 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1144 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1145
1146 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1147 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1148 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1149 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1150 0x20, 0x21, 0x22, 0x23 }
1151};
1152
1153static const unsigned char aes_test_ctr_ct[3][48] =
1154{
1155 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1156 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1157 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1158 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1159 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1160 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1161 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1162 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1163 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1164 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1165 0x25, 0xB2, 0x07, 0x2F }
1166};
1167
1168static const int aes_test_ctr_len[3] =
1169 { 16, 32, 36 };
1170#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +00001171
1172/*
1173 * Checkup routine
1174 */
1175int aes_self_test( int verbose )
1176{
Paul Bakkerb6ecaf52011-04-19 14:29:23 +00001177 int i, j, u, v;
Paul Bakker5121ce52009-01-03 21:22:43 +00001178 unsigned char key[32];
1179 unsigned char buf[64];
Paul Bakker5121ce52009-01-03 21:22:43 +00001180 unsigned char iv[16];
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +02001181#if defined(POLARSSL_CIPHER_MODE_CBC)
1182 unsigned char prv[16];
1183#endif
Paul Bakkere91d01e2011-04-19 15:55:50 +00001184#if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker27fdf462011-06-09 13:55:13 +00001185 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +00001186#endif
Paul Bakkerb6ecaf52011-04-19 14:29:23 +00001187#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +00001188 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +00001189 unsigned char nonce_counter[16];
1190 unsigned char stream_block[16];
1191#endif
Paul Bakker5121ce52009-01-03 21:22:43 +00001192 aes_context ctx;
1193
1194 memset( key, 0, 32 );
1195
1196 /*
1197 * ECB mode
1198 */
1199 for( i = 0; i < 6; i++ )
1200 {
1201 u = i >> 1;
1202 v = i & 1;
1203
1204 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +01001205 polarssl_printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1206 ( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +00001207
1208 memset( buf, 0, 16 );
1209
1210 if( v == AES_DECRYPT )
1211 {
1212 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1213
1214 for( j = 0; j < 10000; j++ )
1215 aes_crypt_ecb( &ctx, v, buf, buf );
1216
1217 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1218 {
1219 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +01001220 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +00001221
1222 return( 1 );
1223 }
1224 }
1225 else
1226 {
1227 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1228
1229 for( j = 0; j < 10000; j++ )
1230 aes_crypt_ecb( &ctx, v, buf, buf );
1231
1232 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1233 {
1234 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +01001235 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +00001236
1237 return( 1 );
1238 }
1239 }
1240
1241 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +01001242 polarssl_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +00001243 }
1244
1245 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +01001246 polarssl_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +00001247
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +02001248#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +00001249 /*
1250 * CBC mode
1251 */
1252 for( i = 0; i < 6; i++ )
1253 {
1254 u = i >> 1;
1255 v = i & 1;
1256
1257 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +01001258 polarssl_printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1259 ( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +00001260
1261 memset( iv , 0, 16 );
1262 memset( prv, 0, 16 );
1263 memset( buf, 0, 16 );
1264
1265 if( v == AES_DECRYPT )
1266 {
1267 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1268
1269 for( j = 0; j < 10000; j++ )
1270 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1271
1272 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1273 {
1274 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +01001275 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +00001276
1277 return( 1 );
1278 }
1279 }
1280 else
1281 {
1282 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1283
1284 for( j = 0; j < 10000; j++ )
1285 {
1286 unsigned char tmp[16];
1287
1288 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1289
1290 memcpy( tmp, prv, 16 );
1291 memcpy( prv, buf, 16 );
1292 memcpy( buf, tmp, 16 );
1293 }
1294
1295 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1296 {
1297 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +01001298 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +00001299
1300 return( 1 );
1301 }
1302 }
1303
1304 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +01001305 polarssl_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +00001306 }
1307
1308 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +01001309 polarssl_printf( "\n" );
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +02001310#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +00001311
Paul Bakkere91d01e2011-04-19 15:55:50 +00001312#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +00001313 /*
1314 * CFB128 mode
1315 */
1316 for( i = 0; i < 6; i++ )
1317 {
1318 u = i >> 1;
1319 v = i & 1;
1320
1321 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +01001322 polarssl_printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1323 ( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +00001324
1325 memcpy( iv, aes_test_cfb128_iv, 16 );
1326 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1327
1328 offset = 0;
1329 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1330
1331 if( v == AES_DECRYPT )
1332 {
1333 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1334 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1335
1336 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1337 {
1338 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +01001339 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +00001340
1341 return( 1 );
1342 }
1343 }
1344 else
1345 {
1346 memcpy( buf, aes_test_cfb128_pt, 64 );
1347 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1348
1349 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1350 {
1351 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +01001352 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +00001353
1354 return( 1 );
1355 }
1356 }
1357
1358 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +01001359 polarssl_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +00001360 }
1361
Paul Bakkerb6ecaf52011-04-19 14:29:23 +00001362 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +01001363 polarssl_printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +00001364#endif /* POLARSSL_CIPHER_MODE_CFB */
1365
1366#if defined(POLARSSL_CIPHER_MODE_CTR)
1367 /*
1368 * CTR mode
1369 */
1370 for( i = 0; i < 6; i++ )
1371 {
1372 u = i >> 1;
1373 v = i & 1;
1374
1375 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +01001376 polarssl_printf( " AES-CTR-128 (%s): ",
1377 ( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +00001378
1379 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1380 memcpy( key, aes_test_ctr_key[u], 16 );
1381
1382 offset = 0;
1383 aes_setkey_enc( &ctx, key, 128 );
1384
1385 if( v == AES_DECRYPT )
1386 {
1387 len = aes_test_ctr_len[u];
1388 memcpy( buf, aes_test_ctr_ct[u], len );
1389
1390 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1391
1392 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1393 {
1394 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +01001395 polarssl_printf( "failed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +00001396
1397 return( 1 );
1398 }
1399 }
1400 else
1401 {
1402 len = aes_test_ctr_len[u];
1403 memcpy( buf, aes_test_ctr_pt[u], len );
1404
1405 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1406
1407 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1408 {
1409 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +01001410 polarssl_printf( "failed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +00001411
1412 return( 1 );
1413 }
1414 }
1415
1416 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +01001417 polarssl_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +00001418 }
Paul Bakker5121ce52009-01-03 21:22:43 +00001419
1420 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +01001421 polarssl_printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +00001422#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +00001423
1424 return( 0 );
1425}
1426
Paul Bakker9af723c2014-05-01 13:03:14 +02001427#endif /* POLARSSL_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +00001428
Paul Bakker9af723c2014-05-01 13:03:14 +02001429#endif /* POLARSSL_AES_C */