Context Navigation

aes.c @ 1201

Revision 1201, 44.0 KB checked in by paul, 10 days ago (diff)
AES code only check for Padlock once

Line
1	/*
2	* FIPS-197 compliant AES implementation
3	*
4	* Copyright (C) 2006-2010, Brainspark B.V.
5	*
6	* This file is part of PolarSSL (http://www.polarssl.org)
7	* Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8	*
9	* All rights reserved.
10	*
11	* This program is free software; you can redistribute it and/or modify
12	* it under the terms of the GNU General Public License as published by
13	* the Free Software Foundation; either version 2 of the License, or
14	* (at your option) any later version.
15	*
16	* This program is distributed in the hope that it will be useful,
17	* but WITHOUT ANY WARRANTY; without even the implied warranty of
18	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19	* GNU General Public License for more details.
20	*
21	* You should have received a copy of the GNU General Public License along
22	* with this program; if not, write to the Free Software Foundation, Inc.,
23	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24	*/
25	/*
26	* The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27	*
28	* http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29	* http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30	*/
31
32	#include "polarssl/config.h"
33
34	#if defined(POLARSSL_AES_C)
35
36	#include "polarssl/aes.h"
37	#include "polarssl/padlock.h"
38
39	/*
40	* 32-bit integer manipulation macros (little endian)
41	*/
42	#ifndef GET_ULONG_LE
43	#define GET_ULONG_LE(n,b,i) \
44	{ \
45	(n) = ( (unsigned long) (b)[(i) ] ) \
46	\| ( (unsigned long) (b)[(i) + 1] << 8 ) \
47	\| ( (unsigned long) (b)[(i) + 2] << 16 ) \
48	\| ( (unsigned long) (b)[(i) + 3] << 24 ); \
49	}
50	#endif
51
52	#ifndef PUT_ULONG_LE
53	#define PUT_ULONG_LE(n,b,i) \
54	{ \
55	(b)[(i) ] = (unsigned char) ( (n) ); \
56	(b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
57	(b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
58	(b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
59	}
60	#endif
61
62	#if defined(POLARSSL_PADLOCK_C)
63	static int aes_padlock_ace = -1;
64	#endif
65
66	#if defined(POLARSSL_AES_ROM_TABLES)
67	/*
68	* Forward S-box
69	*/
70	static const unsigned char FSb[256] =
71	{
72	0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
73	0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
74	0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
75	0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
76	0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
77	0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
78	0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
79	0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
80	0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
81	0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
82	0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
83	0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
84	0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
85	0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
86	0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
87	0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
88	0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
89	0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
90	0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
91	0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
92	0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
93	0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
94	0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
95	0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
96	0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
97	0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
98	0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
99	0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
100	0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
101	0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
102	0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
103	0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
104	};
105
106	/*
107	* Forward tables
108	*/
109	#define FT \
110	\
111	V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
112	V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
113	V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
114	V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
115	V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
116	V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
117	V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
118	V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
119	V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
120	V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
121	V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
122	V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
123	V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
124	V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
125	V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
126	V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
127	V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
128	V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
129	V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
130	V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
131	V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
132	V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
133	V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
134	V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
135	V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
136	V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
137	V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
138	V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
139	V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
140	V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
141	V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
142	V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
143	V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
144	V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
145	V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
146	V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
147	V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
148	V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
149	V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
150	V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
151	V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
152	V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
153	V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
154	V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
155	V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
156	V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
157	V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
158	V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
159	V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
160	V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
161	V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
162	V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
163	V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
164	V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
165	V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
166	V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
167	V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
168	V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
169	V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
170	V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
171	V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
172	V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
173	V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
174	V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
175
176	#define V(a,b,c,d) 0x##a##b##c##d
177	static const unsigned long FT0[256] = { FT };
178	#undef V
179
180	#define V(a,b,c,d) 0x##b##c##d##a
181	static const unsigned long FT1[256] = { FT };
182	#undef V
183
184	#define V(a,b,c,d) 0x##c##d##a##b
185	static const unsigned long FT2[256] = { FT };
186	#undef V
187
188	#define V(a,b,c,d) 0x##d##a##b##c
189	static const unsigned long FT3[256] = { FT };
190	#undef V
191
192	#undef FT
193
194	/*
195	* Reverse S-box
196	*/
197	static const unsigned char RSb[256] =
198	{
199	0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
200	0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
201	0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
202	0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
203	0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
204	0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
205	0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
206	0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
207	0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
208	0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
209	0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
210	0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
211	0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
212	0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
213	0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
214	0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
215	0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
216	0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
217	0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
218	0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
219	0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
220	0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
221	0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
222	0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
223	0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
224	0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
225	0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
226	0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
227	0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
228	0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
229	0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
230	0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
231	};
232
233	/*
234	* Reverse tables
235	*/
236	#define RT \
237	\
238	V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
239	V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
240	V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
241	V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
242	V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
243	V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
244	V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
245	V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
246	V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
247	V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
248	V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
249	V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
250	V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
251	V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
252	V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
253	V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
254	V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
255	V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
256	V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
257	V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
258	V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
259	V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
260	V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
261	V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
262	V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
263	V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
264	V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
265	V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
266	V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
267	V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
268	V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
269	V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
270	V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
271	V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
272	V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
273	V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
274	V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
275	V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
276	V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
277	V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
278	V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
279	V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
280	V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
281	V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
282	V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
283	V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
284	V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
285	V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
286	V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
287	V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
288	V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
289	V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
290	V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
291	V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
292	V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
293	V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
294	V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
295	V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
296	V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
297	V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
298	V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
299	V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
300	V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
301	V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
302
303	#define V(a,b,c,d) 0x##a##b##c##d
304	static const unsigned long RT0[256] = { RT };
305	#undef V
306
307	#define V(a,b,c,d) 0x##b##c##d##a
308	static const unsigned long RT1[256] = { RT };
309	#undef V
310
311	#define V(a,b,c,d) 0x##c##d##a##b
312	static const unsigned long RT2[256] = { RT };
313	#undef V
314
315	#define V(a,b,c,d) 0x##d##a##b##c
316	static const unsigned long RT3[256] = { RT };
317	#undef V
318
319	#undef RT
320
321	/*
322	* Round constants
323	*/
324	static const unsigned long RCON[10] =
325	{
326	0x00000001, 0x00000002, 0x00000004, 0x00000008,
327	0x00000010, 0x00000020, 0x00000040, 0x00000080,
328	0x0000001B, 0x00000036
329	};
330
331	#else
332
333	/*
334	* Forward S-box & tables
335	*/
336	static unsigned char FSb[256];
337	static unsigned long FT0[256];
338	static unsigned long FT1[256];
339	static unsigned long FT2[256];
340	static unsigned long FT3[256];
341
342	/*
343	* Reverse S-box & tables
344	*/
345	static unsigned char RSb[256];
346	static unsigned long RT0[256];
347	static unsigned long RT1[256];
348	static unsigned long RT2[256];
349	static unsigned long RT3[256];
350
351	/*
352	* Round constants
353	*/
354	static unsigned long RCON[10];
355
356	/*
357	* Tables generation code
358	*/
359	#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) \| ( x >> 24 )
360	#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
361	#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
362
363	static int aes_init_done = 0;
364
365	static void aes_gen_tables( void )
366	{
367	int i, x, y, z;
368	int pow[256];
369	int log[256];
370
371	/*
372	* compute pow and log tables over GF(2^8)
373	*/
374	for( i = 0, x = 1; i < 256; i++ )
375	{
376	pow[i] = x;
377	log[x] = i;
378	x = ( x ^ XTIME( x ) ) & 0xFF;
379	}
380
381	/*
382	* calculate the round constants
383	*/
384	for( i = 0, x = 1; i < 10; i++ )
385	{
386	RCON[i] = (unsigned long) x;
387	x = XTIME( x ) & 0xFF;
388	}
389
390	/*
391	* generate the forward and reverse S-boxes
392	*/
393	FSb[0x00] = 0x63;
394	RSb[0x63] = 0x00;
395
396	for( i = 1; i < 256; i++ )
397	{
398	x = pow[255 - log[i]];
399
400	y = x; y = ( (y << 1) \| (y >> 7) ) & 0xFF;
401	x ^= y; y = ( (y << 1) \| (y >> 7) ) & 0xFF;
402	x ^= y; y = ( (y << 1) \| (y >> 7) ) & 0xFF;
403	x ^= y; y = ( (y << 1) \| (y >> 7) ) & 0xFF;
404	x ^= y ^ 0x63;
405
406	FSb[i] = (unsigned char) x;
407	RSb[x] = (unsigned char) i;
408	}
409
410	/*
411	* generate the forward and reverse tables
412	*/
413	for( i = 0; i < 256; i++ )
414	{
415	x = FSb[i];
416	y = XTIME( x ) & 0xFF;
417	z = ( y ^ x ) & 0xFF;
418
419	FT0[i] = ( (unsigned long) y ) ^
420	( (unsigned long) x << 8 ) ^
421	( (unsigned long) x << 16 ) ^
422	( (unsigned long) z << 24 );
423
424	FT1[i] = ROTL8( FT0[i] );
425	FT2[i] = ROTL8( FT1[i] );
426	FT3[i] = ROTL8( FT2[i] );
427
428	x = RSb[i];
429
430	RT0[i] = ( (unsigned long) MUL( 0x0E, x ) ) ^
431	( (unsigned long) MUL( 0x09, x ) << 8 ) ^
432	( (unsigned long) MUL( 0x0D, x ) << 16 ) ^
433	( (unsigned long) MUL( 0x0B, x ) << 24 );
434
435	RT1[i] = ROTL8( RT0[i] );
436	RT2[i] = ROTL8( RT1[i] );
437	RT3[i] = ROTL8( RT2[i] );
438	}
439	}
440
441	#endif
442
443	/*
444	* AES key schedule (encryption)
445	*/
446	int aes_setkey_enc( aes_context ctx, const unsigned char key, unsigned int keysize )
447	{
448	unsigned int i;
449	unsigned long *RK;
450
451	#if !defined(POLARSSL_AES_ROM_TABLES)
452	if( aes_init_done == 0 )
453	{
454	aes_gen_tables();
455	aes_init_done = 1;
456
457	}
458	#endif
459
460	switch( keysize )
461	{
462	case 128: ctx->nr = 10; break;
463	case 192: ctx->nr = 12; break;
464	case 256: ctx->nr = 14; break;
465	default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
466	}
467
468	#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
469	if( aes_padlock_ace == -1 )
470	aes_padlock_ace = padlock_supports( PADLOCK_ACE );
471
472	if( aes_padlock_ace )
473	ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
474	else
475	#endif
476	ctx->rk = RK = ctx->buf;
477
478	for( i = 0; i < (keysize >> 5); i++ )
479	{
480	GET_ULONG_LE( RK[i], key, i << 2 );
481	}
482
483	switch( ctx->nr )
484	{
485	case 10:
486
487	for( i = 0; i < 10; i++, RK += 4 )
488	{
489	RK[4] = RK[0] ^ RCON[i] ^
490	( (unsigned long) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
491	( (unsigned long) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
492	( (unsigned long) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
493	( (unsigned long) FSb[ ( RK[3] ) & 0xFF ] << 24 );
494
495	RK[5] = RK[1] ^ RK[4];
496	RK[6] = RK[2] ^ RK[5];
497	RK[7] = RK[3] ^ RK[6];
498	}
499	break;
500
501	case 12:
502
503	for( i = 0; i < 8; i++, RK += 6 )
504	{
505	RK[6] = RK[0] ^ RCON[i] ^
506	( (unsigned long) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
507	( (unsigned long) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
508	( (unsigned long) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
509	( (unsigned long) FSb[ ( RK[5] ) & 0xFF ] << 24 );
510
511	RK[7] = RK[1] ^ RK[6];
512	RK[8] = RK[2] ^ RK[7];
513	RK[9] = RK[3] ^ RK[8];
514	RK[10] = RK[4] ^ RK[9];
515	RK[11] = RK[5] ^ RK[10];
516	}
517	break;
518
519	case 14:
520
521	for( i = 0; i < 7; i++, RK += 8 )
522	{
523	RK[8] = RK[0] ^ RCON[i] ^
524	( (unsigned long) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
525	( (unsigned long) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
526	( (unsigned long) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
527	( (unsigned long) FSb[ ( RK[7] ) & 0xFF ] << 24 );
528
529	RK[9] = RK[1] ^ RK[8];
530	RK[10] = RK[2] ^ RK[9];
531	RK[11] = RK[3] ^ RK[10];
532
533	RK[12] = RK[4] ^
534	( (unsigned long) FSb[ ( RK[11] ) & 0xFF ] ) ^
535	( (unsigned long) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
536	( (unsigned long) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
537	( (unsigned long) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
538
539	RK[13] = RK[5] ^ RK[12];
540	RK[14] = RK[6] ^ RK[13];
541	RK[15] = RK[7] ^ RK[14];
542	}
543	break;
544
545	default:
546
547	break;
548	}
549
550	return( 0 );
551	}
552
553	/*
554	* AES key schedule (decryption)
555	*/
556	int aes_setkey_dec( aes_context ctx, const unsigned char key, unsigned int keysize )
557	{
558	int i, j;
559	aes_context cty;
560	unsigned long *RK;
561	unsigned long *SK;
562	int ret;
563
564	switch( keysize )
565	{
566	case 128: ctx->nr = 10; break;
567	case 192: ctx->nr = 12; break;
568	case 256: ctx->nr = 14; break;
569	default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
570	}
571
572	#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
573	if( aes_padlock_ace == -1 )
574	aes_padlock_ace = padlock_supports( PADLOCK_ACE );
575
576	if( aes_padlock_ace )
577	ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
578	else
579	#endif
580	ctx->rk = RK = ctx->buf;
581
582	ret = aes_setkey_enc( &cty, key, keysize );
583	if( ret != 0 )
584	return( ret );
585
586	SK = cty.rk + cty.nr * 4;
587
588	RK++ = SK++;
589	RK++ = SK++;
590	RK++ = SK++;
591	RK++ = SK++;
592
593	for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
594	{
595	for( j = 0; j < 4; j++, SK++ )
596	{
597	RK++ = RT0[ FSb[ ( SK ) & 0xFF ] ] ^
598	RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
599	RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
600	RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
601	}
602	}
603
604	RK++ = SK++;
605	RK++ = SK++;
606	RK++ = SK++;
607	RK++ = SK++;
608
609	memset( &cty, 0, sizeof( aes_context ) );
610
611	return( 0 );
612	}
613
614	#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
615	{ \
616	X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
617	FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
618	FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
619	FT3[ ( Y3 >> 24 ) & 0xFF ]; \
620	\
621	X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
622	FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
623	FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
624	FT3[ ( Y0 >> 24 ) & 0xFF ]; \
625	\
626	X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
627	FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
628	FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
629	FT3[ ( Y1 >> 24 ) & 0xFF ]; \
630	\
631	X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
632	FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
633	FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
634	FT3[ ( Y2 >> 24 ) & 0xFF ]; \
635	}
636
637	#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
638	{ \
639	X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
640	RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
641	RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
642	RT3[ ( Y1 >> 24 ) & 0xFF ]; \
643	\
644	X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
645	RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
646	RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
647	RT3[ ( Y2 >> 24 ) & 0xFF ]; \
648	\
649	X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
650	RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
651	RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
652	RT3[ ( Y3 >> 24 ) & 0xFF ]; \
653	\
654	X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
655	RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
656	RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
657	RT3[ ( Y0 >> 24 ) & 0xFF ]; \
658	}
659
660	/*
661	* AES-ECB block encryption/decryption
662	*/
663	int aes_crypt_ecb( aes_context *ctx,
664	int mode,
665	const unsigned char input[16],
666	unsigned char output[16] )
667	{
668	int i;
669	unsigned long *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
670
671	#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
672	if( aes_padlock_ace )
673	{
674	if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
675	return( 0 );
676
677	// If padlock data misaligned, we just fall back to
678	// unaccelerated mode
679	//
680	}
681	#endif
682
683	RK = ctx->rk;
684
685	GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
686	GET_ULONG_LE( X1, input, 4 ); X1 ^= *RK++;
687	GET_ULONG_LE( X2, input, 8 ); X2 ^= *RK++;
688	GET_ULONG_LE( X3, input, 12 ); X3 ^= *RK++;
689
690	if( mode == AES_DECRYPT )
691	{
692	for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
693	{
694	AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
695	AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
696	}
697
698	AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
699
700	X0 = *RK++ ^ \
701	( (unsigned long) RSb[ ( Y0 ) & 0xFF ] ) ^
702	( (unsigned long) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
703	( (unsigned long) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
704	( (unsigned long) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
705
706	X1 = *RK++ ^ \
707	( (unsigned long) RSb[ ( Y1 ) & 0xFF ] ) ^
708	( (unsigned long) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
709	( (unsigned long) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
710	( (unsigned long) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
711
712	X2 = *RK++ ^ \
713	( (unsigned long) RSb[ ( Y2 ) & 0xFF ] ) ^
714	( (unsigned long) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
715	( (unsigned long) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
716	( (unsigned long) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
717
718	X3 = *RK++ ^ \
719	( (unsigned long) RSb[ ( Y3 ) & 0xFF ] ) ^
720	( (unsigned long) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
721	( (unsigned long) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
722	( (unsigned long) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
723	}
724	else /* AES_ENCRYPT */
725	{
726	for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
727	{
728	AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
729	AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
730	}
731
732	AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
733
734	X0 = *RK++ ^ \
735	( (unsigned long) FSb[ ( Y0 ) & 0xFF ] ) ^
736	( (unsigned long) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
737	( (unsigned long) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
738	( (unsigned long) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
739
740	X1 = *RK++ ^ \
741	( (unsigned long) FSb[ ( Y1 ) & 0xFF ] ) ^
742	( (unsigned long) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
743	( (unsigned long) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
744	( (unsigned long) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
745
746	X2 = *RK++ ^ \
747	( (unsigned long) FSb[ ( Y2 ) & 0xFF ] ) ^
748	( (unsigned long) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
749	( (unsigned long) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
750	( (unsigned long) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
751
752	X3 = *RK++ ^ \
753	( (unsigned long) FSb[ ( Y3 ) & 0xFF ] ) ^
754	( (unsigned long) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
755	( (unsigned long) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
756	( (unsigned long) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
757	}
758
759	PUT_ULONG_LE( X0, output, 0 );
760	PUT_ULONG_LE( X1, output, 4 );
761	PUT_ULONG_LE( X2, output, 8 );
762	PUT_ULONG_LE( X3, output, 12 );
763
764	return( 0 );
765	}
766
767	/*
768	* AES-CBC buffer encryption/decryption
769	*/
770	int aes_crypt_cbc( aes_context *ctx,
771	int mode,
772	size_t length,
773	unsigned char iv[16],
774	const unsigned char *input,
775	unsigned char *output )
776	{
777	int i;
778	unsigned char temp[16];
779
780	if( length % 16 )
781	return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
782
783	#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
784	if( aes_padlock_ace )
785	{
786	if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
787	return( 0 );
788
789	// If padlock data misaligned, we just fall back to
790	// unaccelerated mode
791	//
792	}
793	#endif
794
795	if( mode == AES_DECRYPT )
796	{
797	while( length > 0 )
798	{
799	memcpy( temp, input, 16 );
800	aes_crypt_ecb( ctx, mode, input, output );
801
802	for( i = 0; i < 16; i++ )
803	output[i] = (unsigned char)( output[i] ^ iv[i] );
804
805	memcpy( iv, temp, 16 );
806
807	input += 16;
808	output += 16;
809	length -= 16;
810	}
811	}
812	else
813	{
814	while( length > 0 )
815	{
816	for( i = 0; i < 16; i++ )
817	output[i] = (unsigned char)( input[i] ^ iv[i] );
818
819	aes_crypt_ecb( ctx, mode, output, output );
820	memcpy( iv, output, 16 );
821
822	input += 16;
823	output += 16;
824	length -= 16;
825	}
826	}
827
828	return( 0 );
829	}
830
831	#if defined(POLARSSL_CIPHER_MODE_CFB)
832	/*
833	* AES-CFB128 buffer encryption/decryption
834	*/
835	int aes_crypt_cfb128( aes_context *ctx,
836	int mode,
837	size_t length,
838	size_t *iv_off,
839	unsigned char iv[16],
840	const unsigned char *input,
841	unsigned char *output )
842	{
843	int c;
844	size_t n = *iv_off;
845
846	if( mode == AES_DECRYPT )
847	{
848	while( length-- )
849	{
850	if( n == 0 )
851	aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
852
853	c = *input++;
854	*output++ = (unsigned char)( c ^ iv[n] );
855	iv[n] = (unsigned char) c;
856
857	n = (n + 1) & 0x0F;
858	}
859	}
860	else
861	{
862	while( length-- )
863	{
864	if( n == 0 )
865	aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
866
867	iv[n] = output++ = (unsigned char)( iv[n] ^ input++ );
868
869	n = (n + 1) & 0x0F;
870	}
871	}
872
873	*iv_off = n;
874
875	return( 0 );
876	}
877	#endif /POLARSSL_CIPHER_MODE_CFB /
878
879	#if defined(POLARSSL_CIPHER_MODE_CTR)
880	/*
881	* AES-CTR buffer encryption/decryption
882	*/
883	int aes_crypt_ctr( aes_context *ctx,
884	size_t length,
885	size_t *nc_off,
886	unsigned char nonce_counter[16],
887	unsigned char stream_block[16],
888	const unsigned char *input,
889	unsigned char *output )
890	{
891	int c, i, cb;
892	size_t n = *nc_off;
893
894	while( length-- )
895	{
896	if( n == 0 ) {
897	aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
898
899	i = 15;
900	do {
901	nonce_counter[i]++;
902	cb = nonce_counter[i] == 0;
903	} while( i-- && cb );
904
905	}
906	c = *input++;
907	*output++ = (unsigned char)( c ^ stream_block[n] );
908
909	n = (n + 1) & 0x0F;
910	}
911
912	*nc_off = n;
913
914	return( 0 );
915	}
916	#endif /* POLARSSL_CIPHER_MODE_CTR */
917
918	#if defined(POLARSSL_SELF_TEST)
919
920	#include <stdio.h>
921
922	/*
923	* AES test vectors from:
924	*
925	* http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
926	*/
927	static const unsigned char aes_test_ecb_dec[3][16] =
928	{
929	{ 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
930	0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
931	{ 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
932	0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
933	{ 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
934	0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
935	};
936
937	static const unsigned char aes_test_ecb_enc[3][16] =
938	{
939	{ 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
940	0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
941	{ 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
942	0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
943	{ 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
944	0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
945	};
946
947	static const unsigned char aes_test_cbc_dec[3][16] =
948	{
949	{ 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
950	0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
951	{ 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
952	0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
953	{ 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
954	0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
955	};
956
957	static const unsigned char aes_test_cbc_enc[3][16] =
958	{
959	{ 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
960	0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
961	{ 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
962	0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
963	{ 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
964	0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
965	};
966
967	#if defined(POLARSSL_CIPHER_MODE_CFB)
968	/*
969	* AES-CFB128 test vectors from:
970	*
971	* http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
972	*/
973	static const unsigned char aes_test_cfb128_key[3][32] =
974	{
975	{ 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
976	0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
977	{ 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
978	0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
979	0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
980	{ 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
981	0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
982	0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
983	0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
984	};
985
986	static const unsigned char aes_test_cfb128_iv[16] =
987	{
988	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
989	0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
990	};
991
992	static const unsigned char aes_test_cfb128_pt[64] =
993	{
994	0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
995	0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
996	0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
997	0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
998	0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
999	0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1000	0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1001	0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1002	};
1003
1004	static const unsigned char aes_test_cfb128_ct[3][64] =
1005	{
1006	{ 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1007	0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1008	0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1009	0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1010	0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1011	0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1012	0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1013	0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1014	{ 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1015	0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1016	0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1017	0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1018	0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1019	0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1020	0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1021	0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1022	{ 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1023	0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1024	0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1025	0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1026	0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1027	0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1028	0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1029	0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1030	};
1031	#endif /* POLARSSL_CIPHER_MODE_CFB */
1032
1033	#if defined(POLARSSL_CIPHER_MODE_CTR)
1034	/*
1035	* AES-CTR test vectors from:
1036	*
1037	* http://www.faqs.org/rfcs/rfc3686.html
1038	*/
1039
1040	static const unsigned char aes_test_ctr_key[3][16] =
1041	{
1042	{ 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1043	0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1044	{ 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1045	0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1046	{ 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1047	0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1048	};
1049
1050	static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1051	{
1052	{ 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1053	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1054	{ 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1055	0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1056	{ 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1057	0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1058	};
1059
1060	static const unsigned char aes_test_ctr_pt[3][48] =
1061	{
1062	{ 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1063	0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1064
1065	{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1066	0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1067	0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1068	0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1069
1070	{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1071	0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1072	0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1073	0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1074	0x20, 0x21, 0x22, 0x23 }
1075	};
1076
1077	static const unsigned char aes_test_ctr_ct[3][48] =
1078	{
1079	{ 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1080	0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1081	{ 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1082	0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1083	0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1084	0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1085	{ 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1086	0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1087	0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1088	0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1089	0x25, 0xB2, 0x07, 0x2F }
1090	};
1091
1092	static const int aes_test_ctr_len[3] =
1093	{ 16, 32, 36 };
1094	#endif /* POLARSSL_CIPHER_MODE_CTR */
1095
1096	/*
1097	* Checkup routine
1098	*/
1099	int aes_self_test( int verbose )
1100	{
1101	int i, j, u, v;
1102	unsigned char key[32];
1103	unsigned char buf[64];
1104	unsigned char prv[16];
1105	unsigned char iv[16];
1106	#if defined(POLARSSL_CIPHER_MODE_CTR) \|\| defined(POLARSSL_CIPHER_MODE_CFB)
1107	size_t offset;
1108	#endif
1109	#if defined(POLARSSL_CIPHER_MODE_CTR)
1110	int len;
1111	unsigned char nonce_counter[16];
1112	unsigned char stream_block[16];
1113	#endif
1114	aes_context ctx;
1115
1116	memset( key, 0, 32 );
1117
1118	/*
1119	* ECB mode
1120	*/
1121	for( i = 0; i < 6; i++ )
1122	{
1123	u = i >> 1;
1124	v = i & 1;
1125
1126	if( verbose != 0 )
1127	printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1128	( v == AES_DECRYPT ) ? "dec" : "enc" );
1129
1130	memset( buf, 0, 16 );
1131
1132	if( v == AES_DECRYPT )
1133	{
1134	aes_setkey_dec( &ctx, key, 128 + u * 64 );
1135
1136	for( j = 0; j < 10000; j++ )
1137	aes_crypt_ecb( &ctx, v, buf, buf );
1138
1139	if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1140	{
1141	if( verbose != 0 )
1142	printf( "failed\n" );
1143
1144	return( 1 );
1145	}
1146	}
1147	else
1148	{
1149	aes_setkey_enc( &ctx, key, 128 + u * 64 );
1150
1151	for( j = 0; j < 10000; j++ )
1152	aes_crypt_ecb( &ctx, v, buf, buf );
1153
1154	if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1155	{
1156	if( verbose != 0 )
1157	printf( "failed\n" );
1158
1159	return( 1 );
1160	}
1161	}
1162
1163	if( verbose != 0 )
1164	printf( "passed\n" );
1165	}
1166
1167	if( verbose != 0 )
1168	printf( "\n" );
1169
1170	/*
1171	* CBC mode
1172	*/
1173	for( i = 0; i < 6; i++ )
1174	{
1175	u = i >> 1;
1176	v = i & 1;
1177
1178	if( verbose != 0 )
1179	printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1180	( v == AES_DECRYPT ) ? "dec" : "enc" );
1181
1182	memset( iv , 0, 16 );
1183	memset( prv, 0, 16 );
1184	memset( buf, 0, 16 );
1185
1186	if( v == AES_DECRYPT )
1187	{
1188	aes_setkey_dec( &ctx, key, 128 + u * 64 );
1189
1190	for( j = 0; j < 10000; j++ )
1191	aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1192
1193	if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1194	{
1195	if( verbose != 0 )
1196	printf( "failed\n" );
1197
1198	return( 1 );
1199	}
1200	}
1201	else
1202	{
1203	aes_setkey_enc( &ctx, key, 128 + u * 64 );
1204
1205	for( j = 0; j < 10000; j++ )
1206	{
1207	unsigned char tmp[16];
1208
1209	aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1210
1211	memcpy( tmp, prv, 16 );
1212	memcpy( prv, buf, 16 );
1213	memcpy( buf, tmp, 16 );
1214	}
1215
1216	if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1217	{
1218	if( verbose != 0 )
1219	printf( "failed\n" );
1220
1221	return( 1 );
1222	}
1223	}
1224
1225	if( verbose != 0 )
1226	printf( "passed\n" );
1227	}
1228
1229	if( verbose != 0 )
1230	printf( "\n" );
1231
1232	#if defined(POLARSSL_CIPHER_MODE_CFB)
1233	/*
1234	* CFB128 mode
1235	*/
1236	for( i = 0; i < 6; i++ )
1237	{
1238	u = i >> 1;
1239	v = i & 1;
1240
1241	if( verbose != 0 )
1242	printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1243	( v == AES_DECRYPT ) ? "dec" : "enc" );
1244
1245	memcpy( iv, aes_test_cfb128_iv, 16 );
1246	memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1247
1248	offset = 0;
1249	aes_setkey_enc( &ctx, key, 128 + u * 64 );
1250
1251	if( v == AES_DECRYPT )
1252	{
1253	memcpy( buf, aes_test_cfb128_ct[u], 64 );
1254	aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1255
1256	if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1257	{
1258	if( verbose != 0 )
1259	printf( "failed\n" );
1260
1261	return( 1 );
1262	}
1263	}
1264	else
1265	{
1266	memcpy( buf, aes_test_cfb128_pt, 64 );
1267	aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1268
1269	if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1270	{
1271	if( verbose != 0 )
1272	printf( "failed\n" );
1273
1274	return( 1 );
1275	}
1276	}
1277
1278	if( verbose != 0 )
1279	printf( "passed\n" );
1280	}
1281
1282	if( verbose != 0 )
1283	printf( "\n" );
1284	#endif /* POLARSSL_CIPHER_MODE_CFB */
1285
1286	#if defined(POLARSSL_CIPHER_MODE_CTR)
1287	/*
1288	* CTR mode
1289	*/
1290	for( i = 0; i < 6; i++ )
1291	{
1292	u = i >> 1;
1293	v = i & 1;
1294
1295	if( verbose != 0 )
1296	printf( " AES-CTR-128 (%s): ",
1297	( v == AES_DECRYPT ) ? "dec" : "enc" );
1298
1299	memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1300	memcpy( key, aes_test_ctr_key[u], 16 );
1301
1302	offset = 0;
1303	aes_setkey_enc( &ctx, key, 128 );
1304
1305	if( v == AES_DECRYPT )
1306	{
1307	len = aes_test_ctr_len[u];
1308	memcpy( buf, aes_test_ctr_ct[u], len );
1309
1310	aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1311
1312	if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1313	{
1314	if( verbose != 0 )
1315	printf( "failed\n" );
1316
1317	return( 1 );
1318	}
1319	}
1320	else
1321	{
1322	len = aes_test_ctr_len[u];
1323	memcpy( buf, aes_test_ctr_pt[u], len );
1324
1325	aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1326
1327	if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1328	{
1329	if( verbose != 0 )
1330	printf( "failed\n" );
1331
1332	return( 1 );
1333	}
1334	}
1335
1336	if( verbose != 0 )
1337	printf( "passed\n" );
1338	}
1339
1340	if( verbose != 0 )
1341	printf( "\n" );
1342	#endif /* POLARSSL_CIPHER_MODE_CTR */
1343
1344	return( 0 );
1345	}
1346
1347	#endif
1348
1349	#endif

Note: See TracBrowser for help on using the repository browser.

PolarSSL

Cryptography and SSL made easy

Context Navigation

source: trunk/library/aes.c @ 1201

Download in other formats:

What are you looking for?

Main links

Community links

Documentation

Block cipher sources

Hash sources