Google Git
Sign in
pigweed / third_party / github / ARMmbed / mbedtls / 76791f7c328cc28f1cb2e76f3974e72cf8ffdd05 / . / library / aes.c
blob: 04049a4090ab2ab8273ebf4a675f8e1c8c22c0ac [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]4 * Copyright (C) 2006-2009, Paul Bakker <polarssl_maintainer at polarssl.org>
5 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]6 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]7 * Joined copyright on original XySSL code with: Christophe Devine
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 */
23/*
24 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
25 *
26 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
27 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
28 */
29
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]30#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]31
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]32#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#include "polarssl/aes.h"
35#include "polarssl/padlock.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]36
37#include <string.h>
38
39/*
40 * 32-bit integer manipulation macros (little endian)
41 */
42#ifndef GET_ULONG_LE
43#define GET_ULONG_LE(n,b,i) \
44{ \
45 (n) = ( (unsigned long) (b)[(i) ] ) \
46 | ( (unsigned long) (b)[(i) + 1] << 8 ) \
47 | ( (unsigned long) (b)[(i) + 2] << 16 ) \
48 | ( (unsigned long) (b)[(i) + 3] << 24 ); \
49}
50#endif
51
52#ifndef PUT_ULONG_LE
53#define PUT_ULONG_LE(n,b,i) \
54{ \
55 (b)[(i) ] = (unsigned char) ( (n) ); \
56 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
57 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
58 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
59}
60#endif
61
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]62#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]63/*
64 * Forward S-box
65 */
66static const unsigned char FSb[256] =
67{
68 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
69 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
70 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
71 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
72 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
73 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
74 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
75 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
76 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
77 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
78 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
79 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
80 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
81 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
82 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
83 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
84 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
85 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
86 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
87 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
88 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
89 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
90 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
91 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
92 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
93 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
94 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
95 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
96 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
97 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
98 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
99 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
100};
101
102/*
103 * Forward tables
104 */
105#define FT \
106\
107 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
108 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
109 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
110 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
111 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
112 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
113 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
114 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
115 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
116 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
117 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
118 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
119 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
120 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
121 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
122 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
123 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
124 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
125 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
126 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
127 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
128 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
129 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
130 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
131 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
132 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
133 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
134 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
135 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
136 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
137 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
138 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
139 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
140 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
141 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
142 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
143 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
144 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
145 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
146 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
147 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
148 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
149 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
150 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
151 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
152 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
153 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
154 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
155 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
156 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
157 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
158 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
159 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
160 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
161 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
162 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
163 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
164 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
165 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
166 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
167 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
168 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
169 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
170 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
171
172#define V(a,b,c,d) 0x##a##b##c##d
173static const unsigned long FT0[256] = { FT };
174#undef V
175
176#define V(a,b,c,d) 0x##b##c##d##a
177static const unsigned long FT1[256] = { FT };
178#undef V
179
180#define V(a,b,c,d) 0x##c##d##a##b
181static const unsigned long FT2[256] = { FT };
182#undef V
183
184#define V(a,b,c,d) 0x##d##a##b##c
185static const unsigned long FT3[256] = { FT };
186#undef V
187
188#undef FT
189
190/*
191 * Reverse S-box
192 */
193static const unsigned char RSb[256] =
194{
195 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
196 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
197 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
198 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
199 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
200 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
201 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
202 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
203 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
204 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
205 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
206 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
207 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
208 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
209 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
210 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
211 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
212 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
213 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
214 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
215 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
216 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
217 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
218 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
219 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
220 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
221 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
222 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
223 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
224 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
225 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
226 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
227};
228
229/*
230 * Reverse tables
231 */
232#define RT \
233\
234 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
235 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
236 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
237 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
238 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
239 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
240 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
241 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
242 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
243 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
244 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
245 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
246 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
247 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
248 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
249 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
250 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
251 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
252 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
253 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
254 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
255 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
256 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
257 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
258 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
259 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
260 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
261 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
262 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
263 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
264 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
265 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
266 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
267 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
268 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
269 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
270 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
271 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
272 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
273 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
274 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
275 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
276 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
277 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
278 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
279 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
280 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
281 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
282 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
283 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
284 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
285 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
286 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
287 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
288 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
289 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
290 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
291 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
292 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
293 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
294 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
295 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
296 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
297 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
298
299#define V(a,b,c,d) 0x##a##b##c##d
300static const unsigned long RT0[256] = { RT };
301#undef V
302
303#define V(a,b,c,d) 0x##b##c##d##a
304static const unsigned long RT1[256] = { RT };
305#undef V
306
307#define V(a,b,c,d) 0x##c##d##a##b
308static const unsigned long RT2[256] = { RT };
309#undef V
310
311#define V(a,b,c,d) 0x##d##a##b##c
312static const unsigned long RT3[256] = { RT };
313#undef V
314
315#undef RT
316
317/*
318 * Round constants
319 */
320static const unsigned long RCON[10] =
321{
322 0x00000001, 0x00000002, 0x00000004, 0x00000008,
323 0x00000010, 0x00000020, 0x00000040, 0x00000080,
324 0x0000001B, 0x00000036
325};
326
327#else
328
329/*
330 * Forward S-box & tables
331 */
332static unsigned char FSb[256];
333static unsigned long FT0[256];
334static unsigned long FT1[256];
335static unsigned long FT2[256];
336static unsigned long FT3[256];
337
338/*
339 * Reverse S-box & tables
340 */
341static unsigned char RSb[256];
342static unsigned long RT0[256];
343static unsigned long RT1[256];
344static unsigned long RT2[256];
345static unsigned long RT3[256];
346
347/*
348 * Round constants
349 */
350static unsigned long RCON[10];
351
352/*
353 * Tables generation code
354 */
355#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
356#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
357#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
358
359static int aes_init_done = 0;
360
361static void aes_gen_tables( void )
362{
363 int i, x, y, z;
364 int pow[256];
365 int log[256];
366
367 /*
368 * compute pow and log tables over GF(2^8)
369 */
370 for( i = 0, x = 1; i < 256; i++ )
371 {
372 pow[i] = x;
373 log[x] = i;
374 x = ( x ^ XTIME( x ) ) & 0xFF;
375 }
376
377 /*
378 * calculate the round constants
379 */
380 for( i = 0, x = 1; i < 10; i++ )
381 {
382 RCON[i] = (unsigned long) x;
383 x = XTIME( x ) & 0xFF;
384 }
385
386 /*
387 * generate the forward and reverse S-boxes
388 */
389 FSb[0x00] = 0x63;
390 RSb[0x63] = 0x00;
391
392 for( i = 1; i < 256; i++ )
393 {
394 x = pow[255 - log[i]];
395
396 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
397 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
398 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
399 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
400 x ^= y ^ 0x63;
401
402 FSb[i] = (unsigned char) x;
403 RSb[x] = (unsigned char) i;
404 }
405
406 /*
407 * generate the forward and reverse tables
408 */
409 for( i = 0; i < 256; i++ )
410 {
411 x = FSb[i];
412 y = XTIME( x ) & 0xFF;
413 z = ( y ^ x ) & 0xFF;
414
415 FT0[i] = ( (unsigned long) y ) ^
416 ( (unsigned long) x << 8 ) ^
417 ( (unsigned long) x << 16 ) ^
418 ( (unsigned long) z << 24 );
419
420 FT1[i] = ROTL8( FT0[i] );
421 FT2[i] = ROTL8( FT1[i] );
422 FT3[i] = ROTL8( FT2[i] );
423
424 x = RSb[i];
425
426 RT0[i] = ( (unsigned long) MUL( 0x0E, x ) ) ^
427 ( (unsigned long) MUL( 0x09, x ) << 8 ) ^
428 ( (unsigned long) MUL( 0x0D, x ) << 16 ) ^
429 ( (unsigned long) MUL( 0x0B, x ) << 24 );
430
431 RT1[i] = ROTL8( RT0[i] );
432 RT2[i] = ROTL8( RT1[i] );
433 RT3[i] = ROTL8( RT2[i] );
434 }
435}
436
437#endif
438
439/*
440 * AES key schedule (encryption)
441 */
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]442int aes_setkey_enc( aes_context *ctx, unsigned char *key, int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]443{
444 int i;
445 unsigned long *RK;
446
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]447#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]448 if( aes_init_done == 0 )
449 {
450 aes_gen_tables();
451 aes_init_done = 1;
452 }
453#endif
454
455 switch( keysize )
456 {
457 case 128: ctx->nr = 10; break;
458 case 192: ctx->nr = 12; break;
459 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]460 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]461 }
462
463#if defined(PADLOCK_ALIGN16)
464 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
465#else
466 ctx->rk = RK = ctx->buf;
467#endif
468
469 for( i = 0; i < (keysize >> 5); i++ )
470 {
471 GET_ULONG_LE( RK[i], key, i << 2 );
472 }
473
474 switch( ctx->nr )
475 {
476 case 10:
477
478 for( i = 0; i < 10; i++, RK += 4 )
479 {
480 RK[4] = RK[0] ^ RCON[i] ^
481 ( (unsigned long) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
482 ( (unsigned long) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
483 ( (unsigned long) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
484 ( (unsigned long) FSb[ ( RK[3] ) & 0xFF ] << 24 );
485
486 RK[5] = RK[1] ^ RK[4];
487 RK[6] = RK[2] ^ RK[5];
488 RK[7] = RK[3] ^ RK[6];
489 }
490 break;
491
492 case 12:
493
494 for( i = 0; i < 8; i++, RK += 6 )
495 {
496 RK[6] = RK[0] ^ RCON[i] ^
497 ( (unsigned long) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
498 ( (unsigned long) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
499 ( (unsigned long) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
500 ( (unsigned long) FSb[ ( RK[5] ) & 0xFF ] << 24 );
501
502 RK[7] = RK[1] ^ RK[6];
503 RK[8] = RK[2] ^ RK[7];
504 RK[9] = RK[3] ^ RK[8];
505 RK[10] = RK[4] ^ RK[9];
506 RK[11] = RK[5] ^ RK[10];
507 }
508 break;
509
510 case 14:
511
512 for( i = 0; i < 7; i++, RK += 8 )
513 {
514 RK[8] = RK[0] ^ RCON[i] ^
515 ( (unsigned long) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
516 ( (unsigned long) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
517 ( (unsigned long) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
518 ( (unsigned long) FSb[ ( RK[7] ) & 0xFF ] << 24 );
519
520 RK[9] = RK[1] ^ RK[8];
521 RK[10] = RK[2] ^ RK[9];
522 RK[11] = RK[3] ^ RK[10];
523
524 RK[12] = RK[4] ^
525 ( (unsigned long) FSb[ ( RK[11] ) & 0xFF ] ) ^
526 ( (unsigned long) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
527 ( (unsigned long) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
528 ( (unsigned long) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
529
530 RK[13] = RK[5] ^ RK[12];
531 RK[14] = RK[6] ^ RK[13];
532 RK[15] = RK[7] ^ RK[14];
533 }
534 break;
535
536 default:
537
538 break;
539 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]540
541 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]542}
543
544/*
545 * AES key schedule (decryption)
546 */
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]547int aes_setkey_dec( aes_context *ctx, unsigned char *key, int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]548{
549 int i, j;
550 aes_context cty;
551 unsigned long *RK;
552 unsigned long *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]553 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]554
555 switch( keysize )
556 {
557 case 128: ctx->nr = 10; break;
558 case 192: ctx->nr = 12; break;
559 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]560 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]561 }
562
563#if defined(PADLOCK_ALIGN16)
564 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
565#else
566 ctx->rk = RK = ctx->buf;
567#endif
568
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]569 ret = aes_setkey_enc( &cty, key, keysize );
570 if( ret != 0 )
571 return( ret );
572
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]573 SK = cty.rk + cty.nr * 4;
574
575 *RK++ = *SK++;
576 *RK++ = *SK++;
577 *RK++ = *SK++;
578 *RK++ = *SK++;
579
580 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
581 {
582 for( j = 0; j < 4; j++, SK++ )
583 {
584 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
585 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
586 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
587 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
588 }
589 }
590
591 *RK++ = *SK++;
592 *RK++ = *SK++;
593 *RK++ = *SK++;
594 *RK++ = *SK++;
595
596 memset( &cty, 0, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]597
598 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]599}
600
601#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
602{ \
603 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
604 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
605 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
606 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
607 \
608 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
609 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
610 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
611 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
612 \
613 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
614 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
615 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
616 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
617 \
618 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
619 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
620 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
621 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
622}
623
624#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
625{ \
626 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
627 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
628 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
629 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
630 \
631 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
632 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
633 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
634 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
635 \
636 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
637 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
638 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
639 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
640 \
641 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
642 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
643 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
644 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
645}
646
647/*
648 * AES-ECB block encryption/decryption
649 */
650void aes_crypt_ecb( aes_context *ctx,
651 int mode,
652 unsigned char input[16],
653 unsigned char output[16] )
654{
655 int i;
656 unsigned long *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
657
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]658#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]659 if( padlock_supports( PADLOCK_ACE ) )
660 {
661 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
662 return;
663 }
664#endif
665
666 RK = ctx->rk;
667
668 GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
669 GET_ULONG_LE( X1, input, 4 ); X1 ^= *RK++;
670 GET_ULONG_LE( X2, input, 8 ); X2 ^= *RK++;
671 GET_ULONG_LE( X3, input, 12 ); X3 ^= *RK++;
672
673 if( mode == AES_DECRYPT )
674 {
675 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
676 {
677 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
678 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
679 }
680
681 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
682
683 X0 = *RK++ ^ \
684 ( (unsigned long) RSb[ ( Y0 ) & 0xFF ] ) ^
685 ( (unsigned long) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
686 ( (unsigned long) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
687 ( (unsigned long) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
688
689 X1 = *RK++ ^ \
690 ( (unsigned long) RSb[ ( Y1 ) & 0xFF ] ) ^
691 ( (unsigned long) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
692 ( (unsigned long) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
693 ( (unsigned long) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
694
695 X2 = *RK++ ^ \
696 ( (unsigned long) RSb[ ( Y2 ) & 0xFF ] ) ^
697 ( (unsigned long) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
698 ( (unsigned long) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
699 ( (unsigned long) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
700
701 X3 = *RK++ ^ \
702 ( (unsigned long) RSb[ ( Y3 ) & 0xFF ] ) ^
703 ( (unsigned long) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
704 ( (unsigned long) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
705 ( (unsigned long) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
706 }
707 else /* AES_ENCRYPT */
708 {
709 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
710 {
711 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
712 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
713 }
714
715 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
716
717 X0 = *RK++ ^ \
718 ( (unsigned long) FSb[ ( Y0 ) & 0xFF ] ) ^
719 ( (unsigned long) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
720 ( (unsigned long) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
721 ( (unsigned long) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
722
723 X1 = *RK++ ^ \
724 ( (unsigned long) FSb[ ( Y1 ) & 0xFF ] ) ^
725 ( (unsigned long) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
726 ( (unsigned long) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
727 ( (unsigned long) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
728
729 X2 = *RK++ ^ \
730 ( (unsigned long) FSb[ ( Y2 ) & 0xFF ] ) ^
731 ( (unsigned long) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
732 ( (unsigned long) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
733 ( (unsigned long) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
734
735 X3 = *RK++ ^ \
736 ( (unsigned long) FSb[ ( Y3 ) & 0xFF ] ) ^
737 ( (unsigned long) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
738 ( (unsigned long) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
739 ( (unsigned long) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
740 }
741
742 PUT_ULONG_LE( X0, output, 0 );
743 PUT_ULONG_LE( X1, output, 4 );
744 PUT_ULONG_LE( X2, output, 8 );
745 PUT_ULONG_LE( X3, output, 12 );
746}
747
748/*
749 * AES-CBC buffer encryption/decryption
750 */
751void aes_crypt_cbc( aes_context *ctx,
752 int mode,
753 int length,
754 unsigned char iv[16],
755 unsigned char *input,
756 unsigned char *output )
757{
758 int i;
759 unsigned char temp[16];
760
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]761#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]762 if( padlock_supports( PADLOCK_ACE ) )
763 {
764 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
765 return;
766 }
767#endif
768
769 if( mode == AES_DECRYPT )
770 {
771 while( length > 0 )
772 {
773 memcpy( temp, input, 16 );
774 aes_crypt_ecb( ctx, mode, input, output );
775
776 for( i = 0; i < 16; i++ )
777 output[i] = (unsigned char)( output[i] ^ iv[i] );
778
779 memcpy( iv, temp, 16 );
780
781 input += 16;
782 output += 16;
783 length -= 16;
784 }
785 }
786 else
787 {
788 while( length > 0 )
789 {
790 for( i = 0; i < 16; i++ )
791 output[i] = (unsigned char)( input[i] ^ iv[i] );
792
793 aes_crypt_ecb( ctx, mode, output, output );
794 memcpy( iv, output, 16 );
795
796 input += 16;
797 output += 16;
798 length -= 16;
799 }
800 }
801}
802
803/*
804 * AES-CFB128 buffer encryption/decryption
805 */
806void aes_crypt_cfb128( aes_context *ctx,
807 int mode,
808 int length,
809 int *iv_off,
810 unsigned char iv[16],
811 unsigned char *input,
812 unsigned char *output )
813{
814 int c, n = *iv_off;
815
816 if( mode == AES_DECRYPT )
817 {
818 while( length-- )
819 {
820 if( n == 0 )
821 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
822
823 c = *input++;
824 *output++ = (unsigned char)( c ^ iv[n] );
825 iv[n] = (unsigned char) c;
826
827 n = (n + 1) & 0x0F;
828 }
829 }
830 else
831 {
832 while( length-- )
833 {
834 if( n == 0 )
835 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
836
837 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
838
839 n = (n + 1) & 0x0F;
840 }
841 }
842
843 *iv_off = n;
844}
845
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]846#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]847
848#include <stdio.h>
849
850/*
851 * AES test vectors from:
852 *
853 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
854 */
855static const unsigned char aes_test_ecb_dec[3][16] =
856{
857 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
858 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
859 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
860 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
861 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
862 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
863};
864
865static const unsigned char aes_test_ecb_enc[3][16] =
866{
867 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
868 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
869 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
870 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
871 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
872 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
873};
874
875static const unsigned char aes_test_cbc_dec[3][16] =
876{
877 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
878 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
879 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
880 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
881 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
882 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
883};
884
885static const unsigned char aes_test_cbc_enc[3][16] =
886{
887 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
888 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
889 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
890 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
891 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
892 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
893};
894
895/*
896 * AES-CFB128 test vectors from:
897 *
898 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
899 */
900static const unsigned char aes_test_cfb128_key[3][32] =
901{
902 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
903 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
904 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
905 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
906 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
907 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
908 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
909 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
910 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
911};
912
913static const unsigned char aes_test_cfb128_iv[16] =
914{
915 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
916 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
917};
918
919static const unsigned char aes_test_cfb128_pt[64] =
920{
921 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
922 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
923 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
924 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
925 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
926 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
927 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
928 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
929};
930
931static const unsigned char aes_test_cfb128_ct[3][64] =
932{
933 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
934 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
935 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
936 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
937 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
938 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
939 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
940 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
941 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
942 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
943 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
944 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
945 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
946 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
947 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
948 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
949 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
950 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
951 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
952 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
953 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
954 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
955 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
956 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
957};
958
959/*
960 * Checkup routine
961 */
962int aes_self_test( int verbose )
963{
964 int i, j, u, v, offset;
965 unsigned char key[32];
966 unsigned char buf[64];
967 unsigned char prv[16];
968 unsigned char iv[16];
969 aes_context ctx;
970
971 memset( key, 0, 32 );
972
973 /*
974 * ECB mode
975 */
976 for( i = 0; i < 6; i++ )
977 {
978 u = i >> 1;
979 v = i & 1;
980
981 if( verbose != 0 )
982 printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
983 ( v == AES_DECRYPT ) ? "dec" : "enc" );
984
985 memset( buf, 0, 16 );
986
987 if( v == AES_DECRYPT )
988 {
989 aes_setkey_dec( &ctx, key, 128 + u * 64 );
990
991 for( j = 0; j < 10000; j++ )
992 aes_crypt_ecb( &ctx, v, buf, buf );
993
994 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
995 {
996 if( verbose != 0 )
997 printf( "failed\n" );
998
999 return( 1 );
1000 }
1001 }
1002 else
1003 {
1004 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1005
1006 for( j = 0; j < 10000; j++ )
1007 aes_crypt_ecb( &ctx, v, buf, buf );
1008
1009 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1010 {
1011 if( verbose != 0 )
1012 printf( "failed\n" );
1013
1014 return( 1 );
1015 }
1016 }
1017
1018 if( verbose != 0 )
1019 printf( "passed\n" );
1020 }
1021
1022 if( verbose != 0 )
1023 printf( "\n" );
1024
1025 /*
1026 * CBC mode
1027 */
1028 for( i = 0; i < 6; i++ )
1029 {
1030 u = i >> 1;
1031 v = i & 1;
1032
1033 if( verbose != 0 )
1034 printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1035 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1036
1037 memset( iv , 0, 16 );
1038 memset( prv, 0, 16 );
1039 memset( buf, 0, 16 );
1040
1041 if( v == AES_DECRYPT )
1042 {
1043 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1044
1045 for( j = 0; j < 10000; j++ )
1046 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1047
1048 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1049 {
1050 if( verbose != 0 )
1051 printf( "failed\n" );
1052
1053 return( 1 );
1054 }
1055 }
1056 else
1057 {
1058 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1059
1060 for( j = 0; j < 10000; j++ )
1061 {
1062 unsigned char tmp[16];
1063
1064 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1065
1066 memcpy( tmp, prv, 16 );
1067 memcpy( prv, buf, 16 );
1068 memcpy( buf, tmp, 16 );
1069 }
1070
1071 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1072 {
1073 if( verbose != 0 )
1074 printf( "failed\n" );
1075
1076 return( 1 );
1077 }
1078 }
1079
1080 if( verbose != 0 )
1081 printf( "passed\n" );
1082 }
1083
1084 if( verbose != 0 )
1085 printf( "\n" );
1086
1087 /*
1088 * CFB128 mode
1089 */
1090 for( i = 0; i < 6; i++ )
1091 {
1092 u = i >> 1;
1093 v = i & 1;
1094
1095 if( verbose != 0 )
1096 printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1097 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1098
1099 memcpy( iv, aes_test_cfb128_iv, 16 );
1100 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1101
1102 offset = 0;
1103 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1104
1105 if( v == AES_DECRYPT )
1106 {
1107 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1108 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1109
1110 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1111 {
1112 if( verbose != 0 )
1113 printf( "failed\n" );
1114
1115 return( 1 );
1116 }
1117 }
1118 else
1119 {
1120 memcpy( buf, aes_test_cfb128_pt, 64 );
1121 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1122
1123 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1124 {
1125 if( verbose != 0 )
1126 printf( "failed\n" );
1127
1128 return( 1 );
1129 }
1130 }
1131
1132 if( verbose != 0 )
1133 printf( "passed\n" );
1134 }
1135
1136
1137 if( verbose != 0 )
1138 printf( "\n" );
1139
1140 return( 0 );
1141}
1142
1143#endif
1144
1145#endif