Google Git
Sign in
pigweed / third_party / github / ARMmbed / mbedtls / ae102995a75019d0aefdb47cdd7aa8754748e3da / . / library / aes.c
blob: a3835cead6df1a4050546b09fd9740fa3e496ff0 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]4 * Copyright (C) 2006-2013, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27 *
28 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30 */
31
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]32#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#include "polarssl/aes.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]37#if defined(POLARSSL_PADLOCK_C)
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#include "polarssl/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]39#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]40
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]41#if !defined(POLARSSL_AES_ALT)
42
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]43/*
44 * 32-bit integer manipulation macros (little endian)
45 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]46#ifndef GET_UINT32_LE
47#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]48{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]49 (n) = ( (uint32_t) (b)[(i) ] ) \
50 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
51 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
52 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]53}
54#endif
55
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]56#ifndef PUT_UINT32_LE
57#define PUT_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]58{ \
59 (b)[(i) ] = (unsigned char) ( (n) ); \
60 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
61 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
62 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
63}
64#endif
65
Paul Bakker0e19e9f2012-10-01 11:02:48 +0000[diff] [blame]66#if defined(POLARSSL_PADLOCK_C) && \
67 ( defined(POLARSSL_HAVE_X86) || defined(PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]68static int aes_padlock_ace = -1;
69#endif
70
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]71#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]72/*
73 * Forward S-box
74 */
75static const unsigned char FSb[256] =
76{
77 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
78 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
79 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
80 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
81 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
82 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
83 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
84 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
85 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
86 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
87 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
88 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
89 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
90 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
91 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
92 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
93 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
94 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
95 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
96 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
97 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
98 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
99 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
100 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
101 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
102 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
103 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
104 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
105 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
106 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
107 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
108 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
109};
110
111/*
112 * Forward tables
113 */
114#define FT \
115\
116 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
117 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
118 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
119 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
120 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
121 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
122 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
123 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
124 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
125 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
126 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
127 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
128 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
129 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
130 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
131 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
132 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
133 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
134 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
135 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
136 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
137 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
138 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
139 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
140 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
141 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
142 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
143 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
144 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
145 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
146 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
147 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
148 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
149 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
150 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
151 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
152 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
153 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
154 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
155 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
156 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
157 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
158 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
159 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
160 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
161 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
162 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
163 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
164 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
165 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
166 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
167 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
168 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
169 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
170 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
171 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
172 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
173 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
174 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
175 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
176 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
177 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
178 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
179 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
180
181#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]182static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]183#undef V
184
185#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]186static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]187#undef V
188
189#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]190static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]191#undef V
192
193#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]194static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]195#undef V
196
197#undef FT
198
199/*
200 * Reverse S-box
201 */
202static const unsigned char RSb[256] =
203{
204 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
205 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
206 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
207 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
208 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
209 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
210 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
211 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
212 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
213 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
214 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
215 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
216 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
217 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
218 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
219 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
220 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
221 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
222 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
223 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
224 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
225 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
226 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
227 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
228 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
229 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
230 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
231 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
232 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
233 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
234 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
235 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
236};
237
238/*
239 * Reverse tables
240 */
241#define RT \
242\
243 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
244 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
245 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
246 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
247 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
248 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
249 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
250 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
251 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
252 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
253 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
254 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
255 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
256 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
257 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
258 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
259 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
260 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
261 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
262 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
263 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
264 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
265 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
266 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
267 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
268 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
269 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
270 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
271 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
272 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
273 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
274 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
275 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
276 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
277 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
278 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
279 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
280 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
281 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
282 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
283 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
284 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
285 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
286 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
287 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
288 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
289 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
290 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
291 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
292 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
293 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
294 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
295 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
296 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
297 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
298 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
299 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
300 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
301 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
302 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
303 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
304 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
305 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
306 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
307
308#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]309static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]310#undef V
311
312#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]313static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]314#undef V
315
316#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]317static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]318#undef V
319
320#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]321static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]322#undef V
323
324#undef RT
325
326/*
327 * Round constants
328 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]329static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]330{
331 0x00000001, 0x00000002, 0x00000004, 0x00000008,
332 0x00000010, 0x00000020, 0x00000040, 0x00000080,
333 0x0000001B, 0x00000036
334};
335
336#else
337
338/*
339 * Forward S-box & tables
340 */
341static unsigned char FSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]342static uint32_t FT0[256];
343static uint32_t FT1[256];
344static uint32_t FT2[256];
345static uint32_t FT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]346
347/*
348 * Reverse S-box & tables
349 */
350static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]351static uint32_t RT0[256];
352static uint32_t RT1[256];
353static uint32_t RT2[256];
354static uint32_t RT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]355
356/*
357 * Round constants
358 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]359static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360
361/*
362 * Tables generation code
363 */
364#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
365#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
366#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
367
368static int aes_init_done = 0;
369
370static void aes_gen_tables( void )
371{
372 int i, x, y, z;
373 int pow[256];
374 int log[256];
375
376 /*
377 * compute pow and log tables over GF(2^8)
378 */
379 for( i = 0, x = 1; i < 256; i++ )
380 {
381 pow[i] = x;
382 log[x] = i;
383 x = ( x ^ XTIME( x ) ) & 0xFF;
384 }
385
386 /*
387 * calculate the round constants
388 */
389 for( i = 0, x = 1; i < 10; i++ )
390 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]391 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]392 x = XTIME( x ) & 0xFF;
393 }
394
395 /*
396 * generate the forward and reverse S-boxes
397 */
398 FSb[0x00] = 0x63;
399 RSb[0x63] = 0x00;
400
401 for( i = 1; i < 256; i++ )
402 {
403 x = pow[255 - log[i]];
404
405 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
406 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
407 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
408 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
409 x ^= y ^ 0x63;
410
411 FSb[i] = (unsigned char) x;
412 RSb[x] = (unsigned char) i;
413 }
414
415 /*
416 * generate the forward and reverse tables
417 */
418 for( i = 0; i < 256; i++ )
419 {
420 x = FSb[i];
421 y = XTIME( x ) & 0xFF;
422 z = ( y ^ x ) & 0xFF;
423
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]424 FT0[i] = ( (uint32_t) y ) ^
425 ( (uint32_t) x << 8 ) ^
426 ( (uint32_t) x << 16 ) ^
427 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]428
429 FT1[i] = ROTL8( FT0[i] );
430 FT2[i] = ROTL8( FT1[i] );
431 FT3[i] = ROTL8( FT2[i] );
432
433 x = RSb[i];
434
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]435 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
436 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
437 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
438 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]439
440 RT1[i] = ROTL8( RT0[i] );
441 RT2[i] = ROTL8( RT1[i] );
442 RT3[i] = ROTL8( RT2[i] );
443 }
444}
445
446#endif
447
448/*
449 * AES key schedule (encryption)
450 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]451int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]452{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]453 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]454 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]455
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]456#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]457 if( aes_init_done == 0 )
458 {
459 aes_gen_tables();
460 aes_init_done = 1;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]461
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]462 }
463#endif
464
465 switch( keysize )
466 {
467 case 128: ctx->nr = 10; break;
468 case 192: ctx->nr = 12; break;
469 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]470 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]471 }
472
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]473#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
474 if( aes_padlock_ace == -1 )
475 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
476
477 if( aes_padlock_ace )
478 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
479 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]480#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]481 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]482
483 for( i = 0; i < (keysize >> 5); i++ )
484 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]485 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]486 }
487
488 switch( ctx->nr )
489 {
490 case 10:
491
492 for( i = 0; i < 10; i++, RK += 4 )
493 {
494 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]495 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
496 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
497 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
498 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]499
500 RK[5] = RK[1] ^ RK[4];
501 RK[6] = RK[2] ^ RK[5];
502 RK[7] = RK[3] ^ RK[6];
503 }
504 break;
505
506 case 12:
507
508 for( i = 0; i < 8; i++, RK += 6 )
509 {
510 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]511 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
512 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
513 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
514 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]515
516 RK[7] = RK[1] ^ RK[6];
517 RK[8] = RK[2] ^ RK[7];
518 RK[9] = RK[3] ^ RK[8];
519 RK[10] = RK[4] ^ RK[9];
520 RK[11] = RK[5] ^ RK[10];
521 }
522 break;
523
524 case 14:
525
526 for( i = 0; i < 7; i++, RK += 8 )
527 {
528 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]529 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
530 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
531 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
532 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]533
534 RK[9] = RK[1] ^ RK[8];
535 RK[10] = RK[2] ^ RK[9];
536 RK[11] = RK[3] ^ RK[10];
537
538 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]539 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
540 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
541 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
542 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]543
544 RK[13] = RK[5] ^ RK[12];
545 RK[14] = RK[6] ^ RK[13];
546 RK[15] = RK[7] ^ RK[14];
547 }
548 break;
549
550 default:
551
552 break;
553 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]554
555 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]556}
557
558/*
559 * AES key schedule (decryption)
560 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]561int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]562{
563 int i, j;
564 aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]565 uint32_t *RK;
566 uint32_t *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]567 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]568
569 switch( keysize )
570 {
571 case 128: ctx->nr = 10; break;
572 case 192: ctx->nr = 12; break;
573 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]574 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]575 }
576
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]577#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
578 if( aes_padlock_ace == -1 )
579 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
580
581 if( aes_padlock_ace )
582 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
583 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]584#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]585 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]586
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]587 ret = aes_setkey_enc( &cty, key, keysize );
588 if( ret != 0 )
589 return( ret );
590
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]591 SK = cty.rk + cty.nr * 4;
592
593 *RK++ = *SK++;
594 *RK++ = *SK++;
595 *RK++ = *SK++;
596 *RK++ = *SK++;
597
598 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
599 {
600 for( j = 0; j < 4; j++, SK++ )
601 {
602 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
603 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
604 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
605 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
606 }
607 }
608
609 *RK++ = *SK++;
610 *RK++ = *SK++;
611 *RK++ = *SK++;
612 *RK++ = *SK++;
613
614 memset( &cty, 0, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]615
616 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]617}
618
619#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
620{ \
621 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
622 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
623 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
624 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
625 \
626 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
627 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
628 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
629 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
630 \
631 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
632 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
633 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
634 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
635 \
636 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
637 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
638 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
639 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
640}
641
642#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
643{ \
644 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
645 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
646 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
647 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
648 \
649 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
650 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
651 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
652 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
653 \
654 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
655 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
656 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
657 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
658 \
659 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
660 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
661 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
662 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
663}
664
665/*
666 * AES-ECB block encryption/decryption
667 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]668int aes_crypt_ecb( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]669 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]670 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]671 unsigned char output[16] )
672{
673 int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]674 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]675
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]676#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]677 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]678 {
679 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]680 return( 0 );
681
682 // If padlock data misaligned, we just fall back to
683 // unaccelerated mode
684 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]685 }
686#endif
687
688 RK = ctx->rk;
689
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]690 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
691 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
692 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
693 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]694
695 if( mode == AES_DECRYPT )
696 {
697 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
698 {
699 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
700 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
701 }
702
703 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
704
705 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]706 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
707 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
708 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
709 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]710
711 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]712 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
713 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
714 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
715 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]716
717 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]718 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
719 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
720 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
721 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]722
723 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]724 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
725 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
726 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
727 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]728 }
729 else /* AES_ENCRYPT */
730 {
731 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
732 {
733 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
734 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
735 }
736
737 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
738
739 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]740 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
741 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
742 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
743 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]744
745 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]746 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
747 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
748 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
749 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]750
751 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]752 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
753 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
754 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
755 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]756
757 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]758 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
759 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
760 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
761 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]762 }
763
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]764 PUT_UINT32_LE( X0, output, 0 );
765 PUT_UINT32_LE( X1, output, 4 );
766 PUT_UINT32_LE( X2, output, 8 );
767 PUT_UINT32_LE( X3, output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]768
769 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]770}
771
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]772#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]773/*
774 * AES-CBC buffer encryption/decryption
775 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]776int aes_crypt_cbc( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]777 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]778 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]779 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]780 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]781 unsigned char *output )
782{
783 int i;
784 unsigned char temp[16];
785
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]786 if( length % 16 )
787 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
788
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]789#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]790 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]791 {
792 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]793 return( 0 );
794
795 // If padlock data misaligned, we just fall back to
796 // unaccelerated mode
797 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]798 }
799#endif
800
801 if( mode == AES_DECRYPT )
802 {
803 while( length > 0 )
804 {
805 memcpy( temp, input, 16 );
806 aes_crypt_ecb( ctx, mode, input, output );
807
808 for( i = 0; i < 16; i++ )
809 output[i] = (unsigned char)( output[i] ^ iv[i] );
810
811 memcpy( iv, temp, 16 );
812
813 input += 16;
814 output += 16;
815 length -= 16;
816 }
817 }
818 else
819 {
820 while( length > 0 )
821 {
822 for( i = 0; i < 16; i++ )
823 output[i] = (unsigned char)( input[i] ^ iv[i] );
824
825 aes_crypt_ecb( ctx, mode, output, output );
826 memcpy( iv, output, 16 );
827
828 input += 16;
829 output += 16;
830 length -= 16;
831 }
832 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]833
834 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]835}
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]836#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]837
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]838#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]839/*
840 * AES-CFB128 buffer encryption/decryption
841 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]842int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]843 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]844 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]845 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]846 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]847 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]848 unsigned char *output )
849{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]850 int c;
851 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]852
853 if( mode == AES_DECRYPT )
854 {
855 while( length-- )
856 {
857 if( n == 0 )
858 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
859
860 c = *input++;
861 *output++ = (unsigned char)( c ^ iv[n] );
862 iv[n] = (unsigned char) c;
863
864 n = (n + 1) & 0x0F;
865 }
866 }
867 else
868 {
869 while( length-- )
870 {
871 if( n == 0 )
872 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
873
874 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
875
876 n = (n + 1) & 0x0F;
877 }
878 }
879
880 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]881
882 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]883}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]884#endif /*POLARSSL_CIPHER_MODE_CFB */
885
886#if defined(POLARSSL_CIPHER_MODE_CTR)
887/*
888 * AES-CTR buffer encryption/decryption
889 */
890int aes_crypt_ctr( aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]891 size_t length,
892 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]893 unsigned char nonce_counter[16],
894 unsigned char stream_block[16],
895 const unsigned char *input,
896 unsigned char *output )
897{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]898 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]899 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]900
901 while( length-- )
902 {
903 if( n == 0 ) {
904 aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
905
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]906 for( i = 16; i > 0; i-- )
907 if( ++nonce_counter[i - 1] != 0 )
908 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]909 }
910 c = *input++;
911 *output++ = (unsigned char)( c ^ stream_block[n] );
912
913 n = (n + 1) & 0x0F;
914 }
915
916 *nc_off = n;
917
918 return( 0 );
919}
920#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]921#endif /* !POLARSSL_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]922
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]923#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]924
925#include <stdio.h>
926
927/*
928 * AES test vectors from:
929 *
930 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
931 */
932static const unsigned char aes_test_ecb_dec[3][16] =
933{
934 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
935 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
936 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
937 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
938 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
939 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
940};
941
942static const unsigned char aes_test_ecb_enc[3][16] =
943{
944 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
945 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
946 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
947 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
948 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
949 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
950};
951
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]952#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]953static const unsigned char aes_test_cbc_dec[3][16] =
954{
955 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
956 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
957 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
958 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
959 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
960 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
961};
962
963static const unsigned char aes_test_cbc_enc[3][16] =
964{
965 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
966 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
967 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
968 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
969 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
970 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
971};
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]972#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]973
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]974#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]975/*
976 * AES-CFB128 test vectors from:
977 *
978 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
979 */
980static const unsigned char aes_test_cfb128_key[3][32] =
981{
982 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
983 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
984 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
985 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
986 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
987 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
988 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
989 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
990 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
991};
992
993static const unsigned char aes_test_cfb128_iv[16] =
994{
995 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
996 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
997};
998
999static const unsigned char aes_test_cfb128_pt[64] =
1000{
1001 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1002 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1003 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1004 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1005 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1006 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1007 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1008 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1009};
1010
1011static const unsigned char aes_test_cfb128_ct[3][64] =
1012{
1013 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1014 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1015 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1016 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1017 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1018 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1019 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1020 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1021 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1022 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1023 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1024 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1025 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1026 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1027 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1028 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1029 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1030 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1031 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1032 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1033 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1034 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1035 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1036 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1037};
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1038#endif /* POLARSSL_CIPHER_MODE_CFB */
1039
1040#if defined(POLARSSL_CIPHER_MODE_CTR)
1041/*
1042 * AES-CTR test vectors from:
1043 *
1044 * http://www.faqs.org/rfcs/rfc3686.html
1045 */
1046
1047static const unsigned char aes_test_ctr_key[3][16] =
1048{
1049 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1050 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1051 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1052 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1053 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1054 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1055};
1056
1057static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1058{
1059 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1060 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1061 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1062 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1063 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1064 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1065};
1066
1067static const unsigned char aes_test_ctr_pt[3][48] =
1068{
1069 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1070 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1071
1072 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1073 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1074 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1075 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1076
1077 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1078 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1079 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1080 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1081 0x20, 0x21, 0x22, 0x23 }
1082};
1083
1084static const unsigned char aes_test_ctr_ct[3][48] =
1085{
1086 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1087 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1088 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1089 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1090 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1091 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1092 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1093 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1094 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1095 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1096 0x25, 0xB2, 0x07, 0x2F }
1097};
1098
1099static const int aes_test_ctr_len[3] =
1100 { 16, 32, 36 };
1101#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1102
1103/*
1104 * Checkup routine
1105 */
1106int aes_self_test( int verbose )
1107{
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1108 int i, j, u, v;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1109 unsigned char key[32];
1110 unsigned char buf[64];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1111 unsigned char iv[16];
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1112#if defined(POLARSSL_CIPHER_MODE_CBC)
1113 unsigned char prv[16];
1114#endif
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1115#if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1116 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1117#endif
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1118#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1119 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1120 unsigned char nonce_counter[16];
1121 unsigned char stream_block[16];
1122#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1123 aes_context ctx;
1124
1125 memset( key, 0, 32 );
1126
1127 /*
1128 * ECB mode
1129 */
1130 for( i = 0; i < 6; i++ )
1131 {
1132 u = i >> 1;
1133 v = i & 1;
1134
1135 if( verbose != 0 )
1136 printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1137 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1138
1139 memset( buf, 0, 16 );
1140
1141 if( v == AES_DECRYPT )
1142 {
1143 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1144
1145 for( j = 0; j < 10000; j++ )
1146 aes_crypt_ecb( &ctx, v, buf, buf );
1147
1148 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1149 {
1150 if( verbose != 0 )
1151 printf( "failed\n" );
1152
1153 return( 1 );
1154 }
1155 }
1156 else
1157 {
1158 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1159
1160 for( j = 0; j < 10000; j++ )
1161 aes_crypt_ecb( &ctx, v, buf, buf );
1162
1163 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1164 {
1165 if( verbose != 0 )
1166 printf( "failed\n" );
1167
1168 return( 1 );
1169 }
1170 }
1171
1172 if( verbose != 0 )
1173 printf( "passed\n" );
1174 }
1175
1176 if( verbose != 0 )
1177 printf( "\n" );
1178
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1179#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1180 /*
1181 * CBC mode
1182 */
1183 for( i = 0; i < 6; i++ )
1184 {
1185 u = i >> 1;
1186 v = i & 1;
1187
1188 if( verbose != 0 )
1189 printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1190 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1191
1192 memset( iv , 0, 16 );
1193 memset( prv, 0, 16 );
1194 memset( buf, 0, 16 );
1195
1196 if( v == AES_DECRYPT )
1197 {
1198 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1199
1200 for( j = 0; j < 10000; j++ )
1201 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1202
1203 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1204 {
1205 if( verbose != 0 )
1206 printf( "failed\n" );
1207
1208 return( 1 );
1209 }
1210 }
1211 else
1212 {
1213 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1214
1215 for( j = 0; j < 10000; j++ )
1216 {
1217 unsigned char tmp[16];
1218
1219 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1220
1221 memcpy( tmp, prv, 16 );
1222 memcpy( prv, buf, 16 );
1223 memcpy( buf, tmp, 16 );
1224 }
1225
1226 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1227 {
1228 if( verbose != 0 )
1229 printf( "failed\n" );
1230
1231 return( 1 );
1232 }
1233 }
1234
1235 if( verbose != 0 )
1236 printf( "passed\n" );
1237 }
1238
1239 if( verbose != 0 )
1240 printf( "\n" );
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1241#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1242
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1243#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1244 /*
1245 * CFB128 mode
1246 */
1247 for( i = 0; i < 6; i++ )
1248 {
1249 u = i >> 1;
1250 v = i & 1;
1251
1252 if( verbose != 0 )
1253 printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1254 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1255
1256 memcpy( iv, aes_test_cfb128_iv, 16 );
1257 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1258
1259 offset = 0;
1260 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1261
1262 if( v == AES_DECRYPT )
1263 {
1264 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1265 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1266
1267 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1268 {
1269 if( verbose != 0 )
1270 printf( "failed\n" );
1271
1272 return( 1 );
1273 }
1274 }
1275 else
1276 {
1277 memcpy( buf, aes_test_cfb128_pt, 64 );
1278 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1279
1280 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1281 {
1282 if( verbose != 0 )
1283 printf( "failed\n" );
1284
1285 return( 1 );
1286 }
1287 }
1288
1289 if( verbose != 0 )
1290 printf( "passed\n" );
1291 }
1292
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1293 if( verbose != 0 )
1294 printf( "\n" );
1295#endif /* POLARSSL_CIPHER_MODE_CFB */
1296
1297#if defined(POLARSSL_CIPHER_MODE_CTR)
1298 /*
1299 * CTR mode
1300 */
1301 for( i = 0; i < 6; i++ )
1302 {
1303 u = i >> 1;
1304 v = i & 1;
1305
1306 if( verbose != 0 )
1307 printf( " AES-CTR-128 (%s): ",
1308 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1309
1310 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1311 memcpy( key, aes_test_ctr_key[u], 16 );
1312
1313 offset = 0;
1314 aes_setkey_enc( &ctx, key, 128 );
1315
1316 if( v == AES_DECRYPT )
1317 {
1318 len = aes_test_ctr_len[u];
1319 memcpy( buf, aes_test_ctr_ct[u], len );
1320
1321 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1322
1323 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1324 {
1325 if( verbose != 0 )
1326 printf( "failed\n" );
1327
1328 return( 1 );
1329 }
1330 }
1331 else
1332 {
1333 len = aes_test_ctr_len[u];
1334 memcpy( buf, aes_test_ctr_pt[u], len );
1335
1336 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1337
1338 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1339 {
1340 if( verbose != 0 )
1341 printf( "failed\n" );
1342
1343 return( 1 );
1344 }
1345 }
1346
1347 if( verbose != 0 )
1348 printf( "passed\n" );
1349 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1350
1351 if( verbose != 0 )
1352 printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1353#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1354
1355 return( 0 );
1356}
1357
1358#endif
1359
1360#endif