Context Navigation

aes.c @ 1238

Visit:

Revision 1238, 44.0 KB checked in by paul, 4 weeks ago (diff)
Small code rewrite

Line
1	/*
2	* FIPS-197 compliant AES implementation
3	*
4	* Copyright (C) 2006-2010, Brainspark B.V.
5	*
6	* This file is part of PolarSSL (http://www.polarssl.org)
7	* Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8	*
9	* All rights reserved.
10	*
11	* This program is free software; you can redistribute it and/or modify
12	* it under the terms of the GNU General Public License as published by
13	* the Free Software Foundation; either version 2 of the License, or
14	* (at your option) any later version.
15	*
16	* This program is distributed in the hope that it will be useful,
17	* but WITHOUT ANY WARRANTY; without even the implied warranty of
18	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19	* GNU General Public License for more details.
20	*
21	* You should have received a copy of the GNU General Public License along
22	* with this program; if not, write to the Free Software Foundation, Inc.,
23	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24	*/
25	/*
26	* The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27	*
28	* http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29	* http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30	*/
31
32	#include "polarssl/config.h"
33
34	#if defined(POLARSSL_AES_C)
35
36	#include "polarssl/aes.h"
37	#include "polarssl/padlock.h"
38
39	/*
40	* 32-bit integer manipulation macros (little endian)
41	*/
42	#ifndef GET_ULONG_LE
43	#define GET_ULONG_LE(n,b,i) \
44	{ \
45	(n) = ( (unsigned long) (b)[(i) ] ) \
46	\| ( (unsigned long) (b)[(i) + 1] << 8 ) \
47	\| ( (unsigned long) (b)[(i) + 2] << 16 ) \
48	\| ( (unsigned long) (b)[(i) + 3] << 24 ); \
49	}
50	#endif
51
52	#ifndef PUT_ULONG_LE
53	#define PUT_ULONG_LE(n,b,i) \
54	{ \
55	(b)[(i) ] = (unsigned char) ( (n) ); \
56	(b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
57	(b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
58	(b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
59	}
60	#endif
61
62	#if defined(POLARSSL_PADLOCK_C)
63	static int aes_padlock_ace = -1;
64	#endif
65
66	#if defined(POLARSSL_AES_ROM_TABLES)
67	/*
68	* Forward S-box
69	*/
70	static const unsigned char FSb[256] =
71	{
72	0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
73	0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
74	0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
75	0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
76	0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
77	0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
78	0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
79	0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
80	0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
81	0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
82	0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
83	0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
84	0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
85	0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
86	0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
87	0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
88	0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
89	0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
90	0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
91	0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
92	0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
93	0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
94	0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
95	0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
96	0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
97	0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
98	0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
99	0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
100	0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
101	0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
102	0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
103	0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
104	};
105
106	/*
107	* Forward tables
108	*/
109	#define FT \
110	\
111	V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
112	V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
113	V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
114	V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
115	V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
116	V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
117	V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
118	V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
119	V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
120	V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
121	V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
122	V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
123	V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
124	V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
125	V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
126	V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
127	V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
128	V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
129	V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
130	V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
131	V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
132	V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
133	V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
134	V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
135	V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
136	V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
137	V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
138	V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
139	V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
140	V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
141	V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
142	V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
143	V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
144	V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
145	V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
146	V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
147	V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
148	V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
149	V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
150	V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
151	V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
152	V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
153	V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
154	V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
155	V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
156	V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
157	V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
158	V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
159	V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
160	V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
161	V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
162	V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
163	V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
164	V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
165	V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
166	V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
167	V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
168	V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
169	V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
170	V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
171	V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
172	V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
173	V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
174	V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
175
176	#define V(a,b,c,d) 0x##a##b##c##d
177	static const unsigned long FT0[256] = { FT };
178	#undef V
179
180	#define V(a,b,c,d) 0x##b##c##d##a
181	static const unsigned long FT1[256] = { FT };
182	#undef V
183
184	#define V(a,b,c,d) 0x##c##d##a##b
185	static const unsigned long FT2[256] = { FT };
186	#undef V
187
188	#define V(a,b,c,d) 0x##d##a##b##c
189	static const unsigned long FT3[256] = { FT };
190	#undef V
191
192	#undef FT
193
194	/*
195	* Reverse S-box
196	*/
197	static const unsigned char RSb[256] =
198	{
199	0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
200	0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
201	0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
202	0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
203	0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
204	0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
205	0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
206	0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
207	0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
208	0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
209	0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
210	0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
211	0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
212	0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
213	0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
214	0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
215	0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
216	0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
217	0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
218	0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
219	0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
220	0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
221	0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
222	0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
223	0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
224	0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
225	0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
226	0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
227	0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
228	0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
229	0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
230	0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
231	};
232
233	/*
234	* Reverse tables
235	*/
236	#define RT \
237	\
238	V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
239	V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
240	V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
241	V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
242	V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
243	V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
244	V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
245	V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
246	V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
247	V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
248	V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
249	V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
250	V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
251	V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
252	V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
253	V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
254	V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
255	V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
256	V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
257	V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
258	V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
259	V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
260	V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
261	V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
262	V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
263	V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
264	V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
265	V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
266	V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
267	V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
268	V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
269	V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
270	V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
271	V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
272	V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
273	V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
274	V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
275	V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
276	V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
277	V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
278	V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
279	V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
280	V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
281	V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
282	V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
283	V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
284	V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
285	V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
286	V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
287	V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
288	V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
289	V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
290	V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
291	V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
292	V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
293	V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
294	V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
295	V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
296	V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
297	V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
298	V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
299	V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
300	V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
301	V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
302
303	#define V(a,b,c,d) 0x##a##b##c##d
304	static const unsigned long RT0[256] = { RT };
305	#undef V
306
307	#define V(a,b,c,d) 0x##b##c##d##a
308	static const unsigned long RT1[256] = { RT };
309	#undef V
310
311	#define V(a,b,c,d) 0x##c##d##a##b
312	static const unsigned long RT2[256] = { RT };
313	#undef V
314
315	#define V(a,b,c,d) 0x##d##a##b##c
316	static const unsigned long RT3[256] = { RT };
317	#undef V
318
319	#undef RT
320
321	/*
322	* Round constants
323	*/
324	static const unsigned long RCON[10] =
325	{
326	0x00000001, 0x00000002, 0x00000004, 0x00000008,
327	0x00000010, 0x00000020, 0x00000040, 0x00000080,
328	0x0000001B, 0x00000036
329	};
330
331	#else
332
333	/*
334	* Forward S-box & tables
335	*/
336	static unsigned char FSb[256];
337	static unsigned long FT0[256];
338	static unsigned long FT1[256];
339	static unsigned long FT2[256];
340	static unsigned long FT3[256];
341
342	/*
343	* Reverse S-box & tables
344	*/
345	static unsigned char RSb[256];
346	static unsigned long RT0[256];
347	static unsigned long RT1[256];
348	static unsigned long RT2[256];
349	static unsigned long RT3[256];
350
351	/*
352	* Round constants
353	*/
354	static unsigned long RCON[10];
355
356	/*
357	* Tables generation code
358	*/
359	#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) \| ( x >> 24 )
360	#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
361	#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
362
363	static int aes_init_done = 0;
364
365	static void aes_gen_tables( void )
366	{
367	int i, x, y, z;
368	int pow[256];
369	int log[256];
370
371	/*
372	* compute pow and log tables over GF(2^8)
373	*/
374	for( i = 0, x = 1; i < 256; i++ )
375	{
376	pow[i] = x;
377	log[x] = i;
378	x = ( x ^ XTIME( x ) ) & 0xFF;
379	}
380
381	/*
382	* calculate the round constants
383	*/
384	for( i = 0, x = 1; i < 10; i++ )
385	{
386	RCON[i] = (unsigned long) x;
387	x = XTIME( x ) & 0xFF;
388	}
389
390	/*
391	* generate the forward and reverse S-boxes
392	*/
393	FSb[0x00] = 0x63;
394	RSb[0x63] = 0x00;
395
396	for( i = 1; i < 256; i++ )
397	{
398	x = pow[255 - log[i]];
399
400	y = x; y = ( (y << 1) \| (y >> 7) ) & 0xFF;
401	x ^= y; y = ( (y << 1) \| (y >> 7) ) & 0xFF;
402	x ^= y; y = ( (y << 1) \| (y >> 7) ) & 0xFF;
403	x ^= y; y = ( (y << 1) \| (y >> 7) ) & 0xFF;
404	x ^= y ^ 0x63;
405
406	FSb[i] = (unsigned char) x;
407	RSb[x] = (unsigned char) i;
408	}
409
410	/*
411	* generate the forward and reverse tables
412	*/
413	for( i = 0; i < 256; i++ )
414	{
415	x = FSb[i];
416	y = XTIME( x ) & 0xFF;
417	z = ( y ^ x ) & 0xFF;
418
419	FT0[i] = ( (unsigned long) y ) ^
420	( (unsigned long) x << 8 ) ^
421	( (unsigned long) x << 16 ) ^
422	( (unsigned long) z << 24 );
423
424	FT1[i] = ROTL8( FT0[i] );
425	FT2[i] = ROTL8( FT1[i] );
426	FT3[i] = ROTL8( FT2[i] );
427
428	x = RSb[i];
429
430	RT0[i] = ( (unsigned long) MUL( 0x0E, x ) ) ^
431	( (unsigned long) MUL( 0x09, x ) << 8 ) ^
432	( (unsigned long) MUL( 0x0D, x ) << 16 ) ^
433	( (unsigned long) MUL( 0x0B, x ) << 24 );
434
435	RT1[i] = ROTL8( RT0[i] );
436	RT2[i] = ROTL8( RT1[i] );
437	RT3[i] = ROTL8( RT2[i] );
438	}
439	}
440
441	#endif
442
443	/*
444	* AES key schedule (encryption)
445	*/
446	int aes_setkey_enc( aes_context ctx, const unsigned char key, unsigned int keysize )
447	{
448	unsigned int i;
449	unsigned long *RK;
450
451	#if !defined(POLARSSL_AES_ROM_TABLES)
452	if( aes_init_done == 0 )
453	{
454	aes_gen_tables();
455	aes_init_done = 1;
456
457	}
458	#endif
459
460	switch( keysize )
461	{
462	case 128: ctx->nr = 10; break;
463	case 192: ctx->nr = 12; break;
464	case 256: ctx->nr = 14; break;
465	default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
466	}
467
468	#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
469	if( aes_padlock_ace == -1 )
470	aes_padlock_ace = padlock_supports( PADLOCK_ACE );
471
472	if( aes_padlock_ace )
473	ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
474	else
475	#endif
476	ctx->rk = RK = ctx->buf;
477
478	for( i = 0; i < (keysize >> 5); i++ )
479	{
480	GET_ULONG_LE( RK[i], key, i << 2 );
481	}
482
483	switch( ctx->nr )
484	{
485	case 10:
486
487	for( i = 0; i < 10; i++, RK += 4 )
488	{
489	RK[4] = RK[0] ^ RCON[i] ^
490	( (unsigned long) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
491	( (unsigned long) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
492	( (unsigned long) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
493	( (unsigned long) FSb[ ( RK[3] ) & 0xFF ] << 24 );
494
495	RK[5] = RK[1] ^ RK[4];
496	RK[6] = RK[2] ^ RK[5];
497	RK[7] = RK[3] ^ RK[6];
498	}
499	break;
500
501	case 12:
502
503	for( i = 0; i < 8; i++, RK += 6 )
504	{
505	RK[6] = RK[0] ^ RCON[i] ^
506	( (unsigned long) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
507	( (unsigned long) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
508	( (unsigned long) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
509	( (unsigned long) FSb[ ( RK[5] ) & 0xFF ] << 24 );
510
511	RK[7] = RK[1] ^ RK[6];
512	RK[8] = RK[2] ^ RK[7];
513	RK[9] = RK[3] ^ RK[8];
514	RK[10] = RK[4] ^ RK[9];
515	RK[11] = RK[5] ^ RK[10];
516	}
517	break;
518
519	case 14:
520
521	for( i = 0; i < 7; i++, RK += 8 )
522	{
523	RK[8] = RK[0] ^ RCON[i] ^
524	( (unsigned long) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
525	( (unsigned long) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
526	( (unsigned long) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
527	( (unsigned long) FSb[ ( RK[7] ) & 0xFF ] << 24 );
528
529	RK[9] = RK[1] ^ RK[8];
530	RK[10] = RK[2] ^ RK[9];
531	RK[11] = RK[3] ^ RK[10];
532
533	RK[12] = RK[4] ^
534	( (unsigned long) FSb[ ( RK[11] ) & 0xFF ] ) ^
535	( (unsigned long) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
536	( (unsigned long) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
537	( (unsigned long) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
538
539	RK[13] = RK[5] ^ RK[12];
540	RK[14] = RK[6] ^ RK[13];
541	RK[15] = RK[7] ^ RK[14];
542	}
543	break;
544
545	default:
546
547	break;
548	}
549
550	return( 0 );
551	}
552
553	/*
554	* AES key schedule (decryption)
555	*/
556	int aes_setkey_dec( aes_context ctx, const unsigned char key, unsigned int keysize )
557	{
558	int i, j;
559	aes_context cty;
560	unsigned long *RK;
561	unsigned long *SK;
562	int ret;
563
564	switch( keysize )
565	{
566	case 128: ctx->nr = 10; break;
567	case 192: ctx->nr = 12; break;
568	case 256: ctx->nr = 14; break;
569	default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
570	}
571
572	#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
573	if( aes_padlock_ace == -1 )
574	aes_padlock_ace = padlock_supports( PADLOCK_ACE );
575
576	if( aes_padlock_ace )
577	ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
578	else
579	#endif
580	ctx->rk = RK = ctx->buf;
581
582	ret = aes_setkey_enc( &cty, key, keysize );
583	if( ret != 0 )
584	return( ret );
585
586	SK = cty.rk + cty.nr * 4;
587
588	RK++ = SK++;
589	RK++ = SK++;
590	RK++ = SK++;
591	RK++ = SK++;
592
593	for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
594	{
595	for( j = 0; j < 4; j++, SK++ )
596	{
597	RK++ = RT0[ FSb[ ( SK ) & 0xFF ] ] ^
598	RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
599	RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
600	RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
601	}
602	}
603
604	RK++ = SK++;
605	RK++ = SK++;
606	RK++ = SK++;
607	RK++ = SK++;
608
609	memset( &cty, 0, sizeof( aes_context ) );
610
611	return( 0 );
612	}
613
614	#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
615	{ \
616	X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
617	FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
618	FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
619	FT3[ ( Y3 >> 24 ) & 0xFF ]; \
620	\
621	X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
622	FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
623	FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
624	FT3[ ( Y0 >> 24 ) & 0xFF ]; \
625	\
626	X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
627	FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
628	FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
629	FT3[ ( Y1 >> 24 ) & 0xFF ]; \
630	\
631	X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
632	FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
633	FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
634	FT3[ ( Y2 >> 24 ) & 0xFF ]; \
635	}
636
637	#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
638	{ \
639	X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
640	RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
641	RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
642	RT3[ ( Y1 >> 24 ) & 0xFF ]; \
643	\
644	X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
645	RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
646	RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
647	RT3[ ( Y2 >> 24 ) & 0xFF ]; \
648	\
649	X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
650	RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
651	RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
652	RT3[ ( Y3 >> 24 ) & 0xFF ]; \
653	\
654	X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
655	RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
656	RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
657	RT3[ ( Y0 >> 24 ) & 0xFF ]; \
658	}
659
660	/*
661	* AES-ECB block encryption/decryption
662	*/
663	int aes_crypt_ecb( aes_context *ctx,
664	int mode,
665	const unsigned char input[16],
666	unsigned char output[16] )
667	{
668	int i;
669	unsigned long *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
670
671	#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
672	if( aes_padlock_ace )
673	{
674	if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
675	return( 0 );
676
677	// If padlock data misaligned, we just fall back to
678	// unaccelerated mode
679	//
680	}
681	#endif
682
683	RK = ctx->rk;
684
685	GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
686	GET_ULONG_LE( X1, input, 4 ); X1 ^= *RK++;
687	GET_ULONG_LE( X2, input, 8 ); X2 ^= *RK++;
688	GET_ULONG_LE( X3, input, 12 ); X3 ^= *RK++;
689
690	if( mode == AES_DECRYPT )
691	{
692	for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
693	{
694	AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
695	AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
696	}
697
698	AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
699
700	X0 = *RK++ ^ \
701	( (unsigned long) RSb[ ( Y0 ) & 0xFF ] ) ^
702	( (unsigned long) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
703	( (unsigned long) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
704	( (unsigned long) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
705
706	X1 = *RK++ ^ \
707	( (unsigned long) RSb[ ( Y1 ) & 0xFF ] ) ^
708	( (unsigned long) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
709	( (unsigned long) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
710	( (unsigned long) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
711
712	X2 = *RK++ ^ \
713	( (unsigned long) RSb[ ( Y2 ) & 0xFF ] ) ^
714	( (unsigned long) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
715	( (unsigned long) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
716	( (unsigned long) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
717
718	X3 = *RK++ ^ \
719	( (unsigned long) RSb[ ( Y3 ) & 0xFF ] ) ^
720	( (unsigned long) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
721	( (unsigned long) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
722	( (unsigned long) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
723	}
724	else /* AES_ENCRYPT */
725	{
726	for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
727	{
728	AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
729	AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
730	}
731
732	AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
733
734	X0 = *RK++ ^ \
735	( (unsigned long) FSb[ ( Y0 ) & 0xFF ] ) ^
736	( (unsigned long) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
737	( (unsigned long) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
738	( (unsigned long) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
739
740	X1 = *RK++ ^ \
741	( (unsigned long) FSb[ ( Y1 ) & 0xFF ] ) ^
742	( (unsigned long) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
743	( (unsigned long) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
744	( (unsigned long) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
745
746	X2 = *RK++ ^ \
747	( (unsigned long) FSb[ ( Y2 ) & 0xFF ] ) ^
748	( (unsigned long) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
749	( (unsigned long) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
750	( (unsigned long) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
751
752	X3 = *RK++ ^ \
753	( (unsigned long) FSb[ ( Y3 ) & 0xFF ] ) ^
754	( (unsigned long) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
755	( (unsigned long) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
756	( (unsigned long) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
757	}
758
759	PUT_ULONG_LE( X0, output, 0 );
760	PUT_ULONG_LE( X1, output, 4 );
761	PUT_ULONG_LE( X2, output, 8 );
762	PUT_ULONG_LE( X3, output, 12 );
763
764	return( 0 );
765	}
766
767	/*
768	* AES-CBC buffer encryption/decryption
769	*/
770	int aes_crypt_cbc( aes_context *ctx,
771	int mode,
772	size_t length,
773	unsigned char iv[16],
774	const unsigned char *input,
775	unsigned char *output )
776	{
777	int i;
778	unsigned char temp[16];
779
780	if( length % 16 )
781	return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
782
783	#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
784	if( aes_padlock_ace )
785	{
786	if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
787	return( 0 );
788
789	// If padlock data misaligned, we just fall back to
790	// unaccelerated mode
791	//
792	}
793	#endif
794
795	if( mode == AES_DECRYPT )
796	{
797	while( length > 0 )
798	{
799	memcpy( temp, input, 16 );
800	aes_crypt_ecb( ctx, mode, input, output );
801
802	for( i = 0; i < 16; i++ )
803	output[i] = (unsigned char)( output[i] ^ iv[i] );
804
805	memcpy( iv, temp, 16 );
806
807	input += 16;
808	output += 16;
809	length -= 16;
810	}
811	}
812	else
813	{
814	while( length > 0 )
815	{
816	for( i = 0; i < 16; i++ )
817	output[i] = (unsigned char)( input[i] ^ iv[i] );
818
819	aes_crypt_ecb( ctx, mode, output, output );
820	memcpy( iv, output, 16 );
821
822	input += 16;
823	output += 16;
824	length -= 16;
825	}
826	}
827
828	return( 0 );
829	}
830
831	#if defined(POLARSSL_CIPHER_MODE_CFB)
832	/*
833	* AES-CFB128 buffer encryption/decryption
834	*/
835	int aes_crypt_cfb128( aes_context *ctx,
836	int mode,
837	size_t length,
838	size_t *iv_off,
839	unsigned char iv[16],
840	const unsigned char *input,
841	unsigned char *output )
842	{
843	int c;
844	size_t n = *iv_off;
845
846	if( mode == AES_DECRYPT )
847	{
848	while( length-- )
849	{
850	if( n == 0 )
851	aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
852
853	c = *input++;
854	*output++ = (unsigned char)( c ^ iv[n] );
855	iv[n] = (unsigned char) c;
856
857	n = (n + 1) & 0x0F;
858	}
859	}
860	else
861	{
862	while( length-- )
863	{
864	if( n == 0 )
865	aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
866
867	iv[n] = output++ = (unsigned char)( iv[n] ^ input++ );
868
869	n = (n + 1) & 0x0F;
870	}
871	}
872
873	*iv_off = n;
874
875	return( 0 );
876	}
877	#endif /POLARSSL_CIPHER_MODE_CFB /
878
879	#if defined(POLARSSL_CIPHER_MODE_CTR)
880	/*
881	* AES-CTR buffer encryption/decryption
882	*/
883	int aes_crypt_ctr( aes_context *ctx,
884	size_t length,
885	size_t *nc_off,
886	unsigned char nonce_counter[16],
887	unsigned char stream_block[16],
888	const unsigned char *input,
889	unsigned char *output )
890	{
891	int c, i;
892	size_t n = *nc_off;
893
894	while( length-- )
895	{
896	if( n == 0 ) {
897	aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
898
899	for( i = 16; i > 0; i-- )
900	if( ++nonce_counter[i - 1] != 0 )
901	break;
902	}
903	c = *input++;
904	*output++ = (unsigned char)( c ^ stream_block[n] );
905
906	n = (n + 1) & 0x0F;
907	}
908
909	*nc_off = n;
910
911	return( 0 );
912	}
913	#endif /* POLARSSL_CIPHER_MODE_CTR */
914
915	#if defined(POLARSSL_SELF_TEST)
916
917	#include <stdio.h>
918
919	/*
920	* AES test vectors from:
921	*
922	* http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
923	*/
924	static const unsigned char aes_test_ecb_dec[3][16] =
925	{
926	{ 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
927	0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
928	{ 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
929	0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
930	{ 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
931	0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
932	};
933
934	static const unsigned char aes_test_ecb_enc[3][16] =
935	{
936	{ 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
937	0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
938	{ 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
939	0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
940	{ 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
941	0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
942	};
943
944	static const unsigned char aes_test_cbc_dec[3][16] =
945	{
946	{ 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
947	0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
948	{ 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
949	0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
950	{ 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
951	0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
952	};
953
954	static const unsigned char aes_test_cbc_enc[3][16] =
955	{
956	{ 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
957	0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
958	{ 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
959	0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
960	{ 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
961	0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
962	};
963
964	#if defined(POLARSSL_CIPHER_MODE_CFB)
965	/*
966	* AES-CFB128 test vectors from:
967	*
968	* http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
969	*/
970	static const unsigned char aes_test_cfb128_key[3][32] =
971	{
972	{ 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
973	0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
974	{ 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
975	0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
976	0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
977	{ 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
978	0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
979	0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
980	0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
981	};
982
983	static const unsigned char aes_test_cfb128_iv[16] =
984	{
985	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
986	0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
987	};
988
989	static const unsigned char aes_test_cfb128_pt[64] =
990	{
991	0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
992	0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
993	0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
994	0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
995	0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
996	0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
997	0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
998	0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
999	};
1000
1001	static const unsigned char aes_test_cfb128_ct[3][64] =
1002	{
1003	{ 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1004	0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1005	0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1006	0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1007	0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1008	0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1009	0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1010	0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1011	{ 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1012	0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1013	0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1014	0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1015	0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1016	0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1017	0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1018	0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1019	{ 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1020	0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1021	0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1022	0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1023	0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1024	0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1025	0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1026	0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1027	};
1028	#endif /* POLARSSL_CIPHER_MODE_CFB */
1029
1030	#if defined(POLARSSL_CIPHER_MODE_CTR)
1031	/*
1032	* AES-CTR test vectors from:
1033	*
1034	* http://www.faqs.org/rfcs/rfc3686.html
1035	*/
1036
1037	static const unsigned char aes_test_ctr_key[3][16] =
1038	{
1039	{ 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1040	0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1041	{ 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1042	0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1043	{ 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1044	0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1045	};
1046
1047	static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1048	{
1049	{ 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1050	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1051	{ 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1052	0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1053	{ 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1054	0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1055	};
1056
1057	static const unsigned char aes_test_ctr_pt[3][48] =
1058	{
1059	{ 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1060	0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1061
1062	{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1063	0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1064	0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1065	0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1066
1067	{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1068	0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1069	0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1070	0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1071	0x20, 0x21, 0x22, 0x23 }
1072	};
1073
1074	static const unsigned char aes_test_ctr_ct[3][48] =
1075	{
1076	{ 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1077	0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1078	{ 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1079	0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1080	0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1081	0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1082	{ 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1083	0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1084	0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1085	0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1086	0x25, 0xB2, 0x07, 0x2F }
1087	};
1088
1089	static const int aes_test_ctr_len[3] =
1090	{ 16, 32, 36 };
1091	#endif /* POLARSSL_CIPHER_MODE_CTR */
1092
1093	/*
1094	* Checkup routine
1095	*/
1096	int aes_self_test( int verbose )
1097	{
1098	int i, j, u, v;
1099	unsigned char key[32];
1100	unsigned char buf[64];
1101	unsigned char prv[16];
1102	unsigned char iv[16];
1103	#if defined(POLARSSL_CIPHER_MODE_CTR) \|\| defined(POLARSSL_CIPHER_MODE_CFB)
1104	size_t offset;
1105	#endif
1106	#if defined(POLARSSL_CIPHER_MODE_CTR)
1107	int len;
1108	unsigned char nonce_counter[16];
1109	unsigned char stream_block[16];
1110	#endif
1111	aes_context ctx;
1112
1113	memset( key, 0, 32 );
1114
1115	/*
1116	* ECB mode
1117	*/
1118	for( i = 0; i < 6; i++ )
1119	{
1120	u = i >> 1;
1121	v = i & 1;
1122
1123	if( verbose != 0 )
1124	printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1125	( v == AES_DECRYPT ) ? "dec" : "enc" );
1126
1127	memset( buf, 0, 16 );
1128
1129	if( v == AES_DECRYPT )
1130	{
1131	aes_setkey_dec( &ctx, key, 128 + u * 64 );
1132
1133	for( j = 0; j < 10000; j++ )
1134	aes_crypt_ecb( &ctx, v, buf, buf );
1135
1136	if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1137	{
1138	if( verbose != 0 )
1139	printf( "failed\n" );
1140
1141	return( 1 );
1142	}
1143	}
1144	else
1145	{
1146	aes_setkey_enc( &ctx, key, 128 + u * 64 );
1147
1148	for( j = 0; j < 10000; j++ )
1149	aes_crypt_ecb( &ctx, v, buf, buf );
1150
1151	if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1152	{
1153	if( verbose != 0 )
1154	printf( "failed\n" );
1155
1156	return( 1 );
1157	}
1158	}
1159
1160	if( verbose != 0 )
1161	printf( "passed\n" );
1162	}
1163
1164	if( verbose != 0 )
1165	printf( "\n" );
1166
1167	/*
1168	* CBC mode
1169	*/
1170	for( i = 0; i < 6; i++ )
1171	{
1172	u = i >> 1;
1173	v = i & 1;
1174
1175	if( verbose != 0 )
1176	printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1177	( v == AES_DECRYPT ) ? "dec" : "enc" );
1178
1179	memset( iv , 0, 16 );
1180	memset( prv, 0, 16 );
1181	memset( buf, 0, 16 );
1182
1183	if( v == AES_DECRYPT )
1184	{
1185	aes_setkey_dec( &ctx, key, 128 + u * 64 );
1186
1187	for( j = 0; j < 10000; j++ )
1188	aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1189
1190	if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1191	{
1192	if( verbose != 0 )
1193	printf( "failed\n" );
1194
1195	return( 1 );
1196	}
1197	}
1198	else
1199	{
1200	aes_setkey_enc( &ctx, key, 128 + u * 64 );
1201
1202	for( j = 0; j < 10000; j++ )
1203	{
1204	unsigned char tmp[16];
1205
1206	aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1207
1208	memcpy( tmp, prv, 16 );
1209	memcpy( prv, buf, 16 );
1210	memcpy( buf, tmp, 16 );
1211	}
1212
1213	if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1214	{
1215	if( verbose != 0 )
1216	printf( "failed\n" );
1217
1218	return( 1 );
1219	}
1220	}
1221
1222	if( verbose != 0 )
1223	printf( "passed\n" );
1224	}
1225
1226	if( verbose != 0 )
1227	printf( "\n" );
1228
1229	#if defined(POLARSSL_CIPHER_MODE_CFB)
1230	/*
1231	* CFB128 mode
1232	*/
1233	for( i = 0; i < 6; i++ )
1234	{
1235	u = i >> 1;
1236	v = i & 1;
1237
1238	if( verbose != 0 )
1239	printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1240	( v == AES_DECRYPT ) ? "dec" : "enc" );
1241
1242	memcpy( iv, aes_test_cfb128_iv, 16 );
1243	memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1244
1245	offset = 0;
1246	aes_setkey_enc( &ctx, key, 128 + u * 64 );
1247
1248	if( v == AES_DECRYPT )
1249	{
1250	memcpy( buf, aes_test_cfb128_ct[u], 64 );
1251	aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1252
1253	if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1254	{
1255	if( verbose != 0 )
1256	printf( "failed\n" );
1257
1258	return( 1 );
1259	}
1260	}
1261	else
1262	{
1263	memcpy( buf, aes_test_cfb128_pt, 64 );
1264	aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1265
1266	if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1267	{
1268	if( verbose != 0 )
1269	printf( "failed\n" );
1270
1271	return( 1 );
1272	}
1273	}
1274
1275	if( verbose != 0 )
1276	printf( "passed\n" );
1277	}
1278
1279	if( verbose != 0 )
1280	printf( "\n" );
1281	#endif /* POLARSSL_CIPHER_MODE_CFB */
1282
1283	#if defined(POLARSSL_CIPHER_MODE_CTR)
1284	/*
1285	* CTR mode
1286	*/
1287	for( i = 0; i < 6; i++ )
1288	{
1289	u = i >> 1;
1290	v = i & 1;
1291
1292	if( verbose != 0 )
1293	printf( " AES-CTR-128 (%s): ",
1294	( v == AES_DECRYPT ) ? "dec" : "enc" );
1295
1296	memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1297	memcpy( key, aes_test_ctr_key[u], 16 );
1298
1299	offset = 0;
1300	aes_setkey_enc( &ctx, key, 128 );
1301
1302	if( v == AES_DECRYPT )
1303	{
1304	len = aes_test_ctr_len[u];
1305	memcpy( buf, aes_test_ctr_ct[u], len );
1306
1307	aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1308
1309	if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1310	{
1311	if( verbose != 0 )
1312	printf( "failed\n" );
1313
1314	return( 1 );
1315	}
1316	}
1317	else
1318	{
1319	len = aes_test_ctr_len[u];
1320	memcpy( buf, aes_test_ctr_pt[u], len );
1321
1322	aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1323
1324	if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1325	{
1326	if( verbose != 0 )
1327	printf( "failed\n" );
1328
1329	return( 1 );
1330	}
1331	}
1332
1333	if( verbose != 0 )
1334	printf( "passed\n" );
1335	}
1336
1337	if( verbose != 0 )
1338	printf( "\n" );
1339	#endif /* POLARSSL_CIPHER_MODE_CTR */
1340
1341	return( 0 );
1342	}
1343
1344	#endif
1345
1346	#endif

Note: See TracBrowser for help on using the repository browser.

PolarSSL

Cryptography and SSL made easy

Context Navigation

source: trunk/library/aes.c @ 1238

Download in other formats:

What are you looking for?

Main links

Community links

Documentation

Block cipher sources

Hash sources