Google Git
Sign in
pigweed / third_party / github / ARMmbed / mbedtls / fbc4a45f155f62e8a3cb472c5f004699c4bdacbb / . / library / aes.c
blob: 45f74a616da989f8f3b561cb25a5de1686646199 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]4 * Copyright (C) 2006-2010, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27 *
28 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30 */
31
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]32#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#include "polarssl/aes.h"
37#include "polarssl/padlock.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]38
39#include <string.h>
40
41/*
42 * 32-bit integer manipulation macros (little endian)
43 */
44#ifndef GET_ULONG_LE
45#define GET_ULONG_LE(n,b,i) \
46{ \
47 (n) = ( (unsigned long) (b)[(i) ] ) \
48 | ( (unsigned long) (b)[(i) + 1] << 8 ) \
49 | ( (unsigned long) (b)[(i) + 2] << 16 ) \
50 | ( (unsigned long) (b)[(i) + 3] << 24 ); \
51}
52#endif
53
54#ifndef PUT_ULONG_LE
55#define PUT_ULONG_LE(n,b,i) \
56{ \
57 (b)[(i) ] = (unsigned char) ( (n) ); \
58 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
59 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
60 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
61}
62#endif
63
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]64#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65/*
66 * Forward S-box
67 */
68static const unsigned char FSb[256] =
69{
70 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
71 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
72 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
73 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
74 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
75 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
76 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
77 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
78 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
79 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
80 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
81 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
82 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
83 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
84 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
85 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
86 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
87 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
88 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
89 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
90 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
91 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
92 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
93 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
94 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
95 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
96 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
97 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
98 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
99 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
100 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
101 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
102};
103
104/*
105 * Forward tables
106 */
107#define FT \
108\
109 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
110 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
111 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
112 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
113 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
114 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
115 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
116 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
117 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
118 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
119 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
120 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
121 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
122 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
123 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
124 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
125 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
126 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
127 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
128 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
129 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
130 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
131 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
132 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
133 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
134 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
135 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
136 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
137 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
138 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
139 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
140 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
141 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
142 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
143 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
144 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
145 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
146 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
147 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
148 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
149 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
150 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
151 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
152 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
153 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
154 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
155 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
156 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
157 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
158 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
159 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
160 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
161 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
162 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
163 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
164 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
165 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
166 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
167 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
168 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
169 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
170 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
171 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
172 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
173
174#define V(a,b,c,d) 0x##a##b##c##d
175static const unsigned long FT0[256] = { FT };
176#undef V
177
178#define V(a,b,c,d) 0x##b##c##d##a
179static const unsigned long FT1[256] = { FT };
180#undef V
181
182#define V(a,b,c,d) 0x##c##d##a##b
183static const unsigned long FT2[256] = { FT };
184#undef V
185
186#define V(a,b,c,d) 0x##d##a##b##c
187static const unsigned long FT3[256] = { FT };
188#undef V
189
190#undef FT
191
192/*
193 * Reverse S-box
194 */
195static const unsigned char RSb[256] =
196{
197 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
198 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
199 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
200 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
201 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
202 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
203 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
204 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
205 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
206 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
207 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
208 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
209 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
210 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
211 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
212 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
213 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
214 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
215 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
216 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
217 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
218 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
219 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
220 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
221 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
222 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
223 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
224 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
225 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
226 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
227 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
228 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
229};
230
231/*
232 * Reverse tables
233 */
234#define RT \
235\
236 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
237 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
238 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
239 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
240 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
241 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
242 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
243 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
244 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
245 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
246 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
247 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
248 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
249 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
250 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
251 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
252 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
253 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
254 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
255 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
256 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
257 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
258 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
259 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
260 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
261 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
262 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
263 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
264 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
265 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
266 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
267 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
268 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
269 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
270 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
271 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
272 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
273 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
274 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
275 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
276 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
277 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
278 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
279 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
280 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
281 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
282 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
283 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
284 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
285 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
286 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
287 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
288 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
289 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
290 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
291 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
292 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
293 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
294 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
295 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
296 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
297 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
298 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
299 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
300
301#define V(a,b,c,d) 0x##a##b##c##d
302static const unsigned long RT0[256] = { RT };
303#undef V
304
305#define V(a,b,c,d) 0x##b##c##d##a
306static const unsigned long RT1[256] = { RT };
307#undef V
308
309#define V(a,b,c,d) 0x##c##d##a##b
310static const unsigned long RT2[256] = { RT };
311#undef V
312
313#define V(a,b,c,d) 0x##d##a##b##c
314static const unsigned long RT3[256] = { RT };
315#undef V
316
317#undef RT
318
319/*
320 * Round constants
321 */
322static const unsigned long RCON[10] =
323{
324 0x00000001, 0x00000002, 0x00000004, 0x00000008,
325 0x00000010, 0x00000020, 0x00000040, 0x00000080,
326 0x0000001B, 0x00000036
327};
328
329#else
330
331/*
332 * Forward S-box & tables
333 */
334static unsigned char FSb[256];
335static unsigned long FT0[256];
336static unsigned long FT1[256];
337static unsigned long FT2[256];
338static unsigned long FT3[256];
339
340/*
341 * Reverse S-box & tables
342 */
343static unsigned char RSb[256];
344static unsigned long RT0[256];
345static unsigned long RT1[256];
346static unsigned long RT2[256];
347static unsigned long RT3[256];
348
349/*
350 * Round constants
351 */
352static unsigned long RCON[10];
353
354/*
355 * Tables generation code
356 */
357#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
358#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
359#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
360
361static int aes_init_done = 0;
362
363static void aes_gen_tables( void )
364{
365 int i, x, y, z;
366 int pow[256];
367 int log[256];
368
369 /*
370 * compute pow and log tables over GF(2^8)
371 */
372 for( i = 0, x = 1; i < 256; i++ )
373 {
374 pow[i] = x;
375 log[x] = i;
376 x = ( x ^ XTIME( x ) ) & 0xFF;
377 }
378
379 /*
380 * calculate the round constants
381 */
382 for( i = 0, x = 1; i < 10; i++ )
383 {
384 RCON[i] = (unsigned long) x;
385 x = XTIME( x ) & 0xFF;
386 }
387
388 /*
389 * generate the forward and reverse S-boxes
390 */
391 FSb[0x00] = 0x63;
392 RSb[0x63] = 0x00;
393
394 for( i = 1; i < 256; i++ )
395 {
396 x = pow[255 - log[i]];
397
398 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
399 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
400 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
401 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
402 x ^= y ^ 0x63;
403
404 FSb[i] = (unsigned char) x;
405 RSb[x] = (unsigned char) i;
406 }
407
408 /*
409 * generate the forward and reverse tables
410 */
411 for( i = 0; i < 256; i++ )
412 {
413 x = FSb[i];
414 y = XTIME( x ) & 0xFF;
415 z = ( y ^ x ) & 0xFF;
416
417 FT0[i] = ( (unsigned long) y ) ^
418 ( (unsigned long) x << 8 ) ^
419 ( (unsigned long) x << 16 ) ^
420 ( (unsigned long) z << 24 );
421
422 FT1[i] = ROTL8( FT0[i] );
423 FT2[i] = ROTL8( FT1[i] );
424 FT3[i] = ROTL8( FT2[i] );
425
426 x = RSb[i];
427
428 RT0[i] = ( (unsigned long) MUL( 0x0E, x ) ) ^
429 ( (unsigned long) MUL( 0x09, x ) << 8 ) ^
430 ( (unsigned long) MUL( 0x0D, x ) << 16 ) ^
431 ( (unsigned long) MUL( 0x0B, x ) << 24 );
432
433 RT1[i] = ROTL8( RT0[i] );
434 RT2[i] = ROTL8( RT1[i] );
435 RT3[i] = ROTL8( RT2[i] );
436 }
437}
438
439#endif
440
441/*
442 * AES key schedule (encryption)
443 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]444int aes_setkey_enc( aes_context *ctx, const unsigned char *key, int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]445{
446 int i;
447 unsigned long *RK;
448
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]449#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]450 if( aes_init_done == 0 )
451 {
452 aes_gen_tables();
453 aes_init_done = 1;
454 }
455#endif
456
457 switch( keysize )
458 {
459 case 128: ctx->nr = 10; break;
460 case 192: ctx->nr = 12; break;
461 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]462 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]463 }
464
465#if defined(PADLOCK_ALIGN16)
466 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
467#else
468 ctx->rk = RK = ctx->buf;
469#endif
470
471 for( i = 0; i < (keysize >> 5); i++ )
472 {
473 GET_ULONG_LE( RK[i], key, i << 2 );
474 }
475
476 switch( ctx->nr )
477 {
478 case 10:
479
480 for( i = 0; i < 10; i++, RK += 4 )
481 {
482 RK[4] = RK[0] ^ RCON[i] ^
483 ( (unsigned long) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
484 ( (unsigned long) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
485 ( (unsigned long) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
486 ( (unsigned long) FSb[ ( RK[3] ) & 0xFF ] << 24 );
487
488 RK[5] = RK[1] ^ RK[4];
489 RK[6] = RK[2] ^ RK[5];
490 RK[7] = RK[3] ^ RK[6];
491 }
492 break;
493
494 case 12:
495
496 for( i = 0; i < 8; i++, RK += 6 )
497 {
498 RK[6] = RK[0] ^ RCON[i] ^
499 ( (unsigned long) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
500 ( (unsigned long) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
501 ( (unsigned long) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
502 ( (unsigned long) FSb[ ( RK[5] ) & 0xFF ] << 24 );
503
504 RK[7] = RK[1] ^ RK[6];
505 RK[8] = RK[2] ^ RK[7];
506 RK[9] = RK[3] ^ RK[8];
507 RK[10] = RK[4] ^ RK[9];
508 RK[11] = RK[5] ^ RK[10];
509 }
510 break;
511
512 case 14:
513
514 for( i = 0; i < 7; i++, RK += 8 )
515 {
516 RK[8] = RK[0] ^ RCON[i] ^
517 ( (unsigned long) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
518 ( (unsigned long) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
519 ( (unsigned long) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
520 ( (unsigned long) FSb[ ( RK[7] ) & 0xFF ] << 24 );
521
522 RK[9] = RK[1] ^ RK[8];
523 RK[10] = RK[2] ^ RK[9];
524 RK[11] = RK[3] ^ RK[10];
525
526 RK[12] = RK[4] ^
527 ( (unsigned long) FSb[ ( RK[11] ) & 0xFF ] ) ^
528 ( (unsigned long) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
529 ( (unsigned long) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
530 ( (unsigned long) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
531
532 RK[13] = RK[5] ^ RK[12];
533 RK[14] = RK[6] ^ RK[13];
534 RK[15] = RK[7] ^ RK[14];
535 }
536 break;
537
538 default:
539
540 break;
541 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]542
543 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]544}
545
546/*
547 * AES key schedule (decryption)
548 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]549int aes_setkey_dec( aes_context *ctx, const unsigned char *key, int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]550{
551 int i, j;
552 aes_context cty;
553 unsigned long *RK;
554 unsigned long *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]555 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]556
557 switch( keysize )
558 {
559 case 128: ctx->nr = 10; break;
560 case 192: ctx->nr = 12; break;
561 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]562 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]563 }
564
565#if defined(PADLOCK_ALIGN16)
566 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
567#else
568 ctx->rk = RK = ctx->buf;
569#endif
570
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]571 ret = aes_setkey_enc( &cty, key, keysize );
572 if( ret != 0 )
573 return( ret );
574
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]575 SK = cty.rk + cty.nr * 4;
576
577 *RK++ = *SK++;
578 *RK++ = *SK++;
579 *RK++ = *SK++;
580 *RK++ = *SK++;
581
582 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
583 {
584 for( j = 0; j < 4; j++, SK++ )
585 {
586 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
587 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
588 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
589 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
590 }
591 }
592
593 *RK++ = *SK++;
594 *RK++ = *SK++;
595 *RK++ = *SK++;
596 *RK++ = *SK++;
597
598 memset( &cty, 0, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]599
600 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]601}
602
603#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
604{ \
605 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
606 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
607 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
608 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
609 \
610 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
611 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
612 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
613 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
614 \
615 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
616 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
617 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
618 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
619 \
620 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
621 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
622 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
623 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
624}
625
626#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
627{ \
628 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
629 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
630 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
631 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
632 \
633 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
634 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
635 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
636 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
637 \
638 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
639 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
640 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
641 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
642 \
643 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
644 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
645 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
646 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
647}
648
649/*
650 * AES-ECB block encryption/decryption
651 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]652int aes_crypt_ecb( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]653 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]654 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]655 unsigned char output[16] )
656{
657 int i;
658 unsigned long *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
659
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]660#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]661 if( padlock_supports( PADLOCK_ACE ) )
662 {
663 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]664 return( 0 );
665
666 // If padlock data misaligned, we just fall back to
667 // unaccelerated mode
668 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]669 }
670#endif
671
672 RK = ctx->rk;
673
674 GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
675 GET_ULONG_LE( X1, input, 4 ); X1 ^= *RK++;
676 GET_ULONG_LE( X2, input, 8 ); X2 ^= *RK++;
677 GET_ULONG_LE( X3, input, 12 ); X3 ^= *RK++;
678
679 if( mode == AES_DECRYPT )
680 {
681 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
682 {
683 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
684 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
685 }
686
687 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
688
689 X0 = *RK++ ^ \
690 ( (unsigned long) RSb[ ( Y0 ) & 0xFF ] ) ^
691 ( (unsigned long) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
692 ( (unsigned long) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
693 ( (unsigned long) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
694
695 X1 = *RK++ ^ \
696 ( (unsigned long) RSb[ ( Y1 ) & 0xFF ] ) ^
697 ( (unsigned long) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
698 ( (unsigned long) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
699 ( (unsigned long) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
700
701 X2 = *RK++ ^ \
702 ( (unsigned long) RSb[ ( Y2 ) & 0xFF ] ) ^
703 ( (unsigned long) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
704 ( (unsigned long) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
705 ( (unsigned long) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
706
707 X3 = *RK++ ^ \
708 ( (unsigned long) RSb[ ( Y3 ) & 0xFF ] ) ^
709 ( (unsigned long) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
710 ( (unsigned long) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
711 ( (unsigned long) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
712 }
713 else /* AES_ENCRYPT */
714 {
715 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
716 {
717 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
718 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
719 }
720
721 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
722
723 X0 = *RK++ ^ \
724 ( (unsigned long) FSb[ ( Y0 ) & 0xFF ] ) ^
725 ( (unsigned long) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
726 ( (unsigned long) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
727 ( (unsigned long) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
728
729 X1 = *RK++ ^ \
730 ( (unsigned long) FSb[ ( Y1 ) & 0xFF ] ) ^
731 ( (unsigned long) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
732 ( (unsigned long) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
733 ( (unsigned long) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
734
735 X2 = *RK++ ^ \
736 ( (unsigned long) FSb[ ( Y2 ) & 0xFF ] ) ^
737 ( (unsigned long) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
738 ( (unsigned long) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
739 ( (unsigned long) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
740
741 X3 = *RK++ ^ \
742 ( (unsigned long) FSb[ ( Y3 ) & 0xFF ] ) ^
743 ( (unsigned long) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
744 ( (unsigned long) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
745 ( (unsigned long) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
746 }
747
748 PUT_ULONG_LE( X0, output, 0 );
749 PUT_ULONG_LE( X1, output, 4 );
750 PUT_ULONG_LE( X2, output, 8 );
751 PUT_ULONG_LE( X3, output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]752
753 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]754}
755
756/*
757 * AES-CBC buffer encryption/decryption
758 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]759int aes_crypt_cbc( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]760 int mode,
761 int length,
762 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]763 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]764 unsigned char *output )
765{
766 int i;
767 unsigned char temp[16];
768
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]769 if( length % 16 )
770 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
771
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]772#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]773 if( padlock_supports( PADLOCK_ACE ) )
774 {
775 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]776 return( 0 );
777
778 // If padlock data misaligned, we just fall back to
779 // unaccelerated mode
780 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]781 }
782#endif
783
784 if( mode == AES_DECRYPT )
785 {
786 while( length > 0 )
787 {
788 memcpy( temp, input, 16 );
789 aes_crypt_ecb( ctx, mode, input, output );
790
791 for( i = 0; i < 16; i++ )
792 output[i] = (unsigned char)( output[i] ^ iv[i] );
793
794 memcpy( iv, temp, 16 );
795
796 input += 16;
797 output += 16;
798 length -= 16;
799 }
800 }
801 else
802 {
803 while( length > 0 )
804 {
805 for( i = 0; i < 16; i++ )
806 output[i] = (unsigned char)( input[i] ^ iv[i] );
807
808 aes_crypt_ecb( ctx, mode, output, output );
809 memcpy( iv, output, 16 );
810
811 input += 16;
812 output += 16;
813 length -= 16;
814 }
815 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]816
817 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]818}
819
820/*
821 * AES-CFB128 buffer encryption/decryption
822 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]823int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]824 int mode,
825 int length,
826 int *iv_off,
827 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]828 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]829 unsigned char *output )
830{
831 int c, n = *iv_off;
832
833 if( mode == AES_DECRYPT )
834 {
835 while( length-- )
836 {
837 if( n == 0 )
838 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
839
840 c = *input++;
841 *output++ = (unsigned char)( c ^ iv[n] );
842 iv[n] = (unsigned char) c;
843
844 n = (n + 1) & 0x0F;
845 }
846 }
847 else
848 {
849 while( length-- )
850 {
851 if( n == 0 )
852 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
853
854 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
855
856 n = (n + 1) & 0x0F;
857 }
858 }
859
860 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]861
862 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]863}
864
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]865#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]866
867#include <stdio.h>
868
869/*
870 * AES test vectors from:
871 *
872 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
873 */
874static const unsigned char aes_test_ecb_dec[3][16] =
875{
876 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
877 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
878 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
879 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
880 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
881 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
882};
883
884static const unsigned char aes_test_ecb_enc[3][16] =
885{
886 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
887 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
888 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
889 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
890 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
891 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
892};
893
894static const unsigned char aes_test_cbc_dec[3][16] =
895{
896 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
897 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
898 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
899 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
900 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
901 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
902};
903
904static const unsigned char aes_test_cbc_enc[3][16] =
905{
906 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
907 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
908 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
909 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
910 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
911 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
912};
913
914/*
915 * AES-CFB128 test vectors from:
916 *
917 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
918 */
919static const unsigned char aes_test_cfb128_key[3][32] =
920{
921 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
922 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
923 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
924 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
925 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
926 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
927 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
928 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
929 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
930};
931
932static const unsigned char aes_test_cfb128_iv[16] =
933{
934 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
935 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
936};
937
938static const unsigned char aes_test_cfb128_pt[64] =
939{
940 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
941 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
942 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
943 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
944 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
945 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
946 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
947 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
948};
949
950static const unsigned char aes_test_cfb128_ct[3][64] =
951{
952 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
953 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
954 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
955 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
956 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
957 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
958 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
959 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
960 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
961 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
962 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
963 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
964 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
965 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
966 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
967 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
968 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
969 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
970 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
971 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
972 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
973 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
974 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
975 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
976};
977
978/*
979 * Checkup routine
980 */
981int aes_self_test( int verbose )
982{
983 int i, j, u, v, offset;
984 unsigned char key[32];
985 unsigned char buf[64];
986 unsigned char prv[16];
987 unsigned char iv[16];
988 aes_context ctx;
989
990 memset( key, 0, 32 );
991
992 /*
993 * ECB mode
994 */
995 for( i = 0; i < 6; i++ )
996 {
997 u = i >> 1;
998 v = i & 1;
999
1000 if( verbose != 0 )
1001 printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1002 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1003
1004 memset( buf, 0, 16 );
1005
1006 if( v == AES_DECRYPT )
1007 {
1008 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1009
1010 for( j = 0; j < 10000; j++ )
1011 aes_crypt_ecb( &ctx, v, buf, buf );
1012
1013 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1014 {
1015 if( verbose != 0 )
1016 printf( "failed\n" );
1017
1018 return( 1 );
1019 }
1020 }
1021 else
1022 {
1023 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1024
1025 for( j = 0; j < 10000; j++ )
1026 aes_crypt_ecb( &ctx, v, buf, buf );
1027
1028 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1029 {
1030 if( verbose != 0 )
1031 printf( "failed\n" );
1032
1033 return( 1 );
1034 }
1035 }
1036
1037 if( verbose != 0 )
1038 printf( "passed\n" );
1039 }
1040
1041 if( verbose != 0 )
1042 printf( "\n" );
1043
1044 /*
1045 * CBC mode
1046 */
1047 for( i = 0; i < 6; i++ )
1048 {
1049 u = i >> 1;
1050 v = i & 1;
1051
1052 if( verbose != 0 )
1053 printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1054 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1055
1056 memset( iv , 0, 16 );
1057 memset( prv, 0, 16 );
1058 memset( buf, 0, 16 );
1059
1060 if( v == AES_DECRYPT )
1061 {
1062 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1063
1064 for( j = 0; j < 10000; j++ )
1065 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1066
1067 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1068 {
1069 if( verbose != 0 )
1070 printf( "failed\n" );
1071
1072 return( 1 );
1073 }
1074 }
1075 else
1076 {
1077 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1078
1079 for( j = 0; j < 10000; j++ )
1080 {
1081 unsigned char tmp[16];
1082
1083 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1084
1085 memcpy( tmp, prv, 16 );
1086 memcpy( prv, buf, 16 );
1087 memcpy( buf, tmp, 16 );
1088 }
1089
1090 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1091 {
1092 if( verbose != 0 )
1093 printf( "failed\n" );
1094
1095 return( 1 );
1096 }
1097 }
1098
1099 if( verbose != 0 )
1100 printf( "passed\n" );
1101 }
1102
1103 if( verbose != 0 )
1104 printf( "\n" );
1105
1106 /*
1107 * CFB128 mode
1108 */
1109 for( i = 0; i < 6; i++ )
1110 {
1111 u = i >> 1;
1112 v = i & 1;
1113
1114 if( verbose != 0 )
1115 printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1116 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1117
1118 memcpy( iv, aes_test_cfb128_iv, 16 );
1119 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1120
1121 offset = 0;
1122 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1123
1124 if( v == AES_DECRYPT )
1125 {
1126 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1127 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1128
1129 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1130 {
1131 if( verbose != 0 )
1132 printf( "failed\n" );
1133
1134 return( 1 );
1135 }
1136 }
1137 else
1138 {
1139 memcpy( buf, aes_test_cfb128_pt, 64 );
1140 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1141
1142 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1143 {
1144 if( verbose != 0 )
1145 printf( "failed\n" );
1146
1147 return( 1 );
1148 }
1149 }
1150
1151 if( verbose != 0 )
1152 printf( "passed\n" );
1153 }
1154
1155
1156 if( verbose != 0 )
1157 printf( "\n" );
1158
1159 return( 0 );
1160}
1161
1162#endif
1163
1164#endif