search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
initial commit; it works
[psslcertgen.git] / src / libpolarssl / aes.c
blob2dae01979c7b1b79223334e1d9ca6e78f853ed77
1 /*
2 * FIPS-197 compliant AES implementation
3 *
4 * Copyright (C) 2006-2013, Brainspark B.V.
5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8 *
9 * All rights reserved.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25 /*
26 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27 *
28 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30 */
31
32 #include "config.h"
33
34 #if defined(POLARSSL_AES_C)
35
36 #include "aes.h"
37 #if defined(POLARSSL_PADLOCK_C)
38 #include "padlock.h"
39 #endif
40
41 #if !defined(POLARSSL_AES_ALT)
42
43 /*
44 * 32-bit integer manipulation macros (little endian)
45 */
46 #ifndef GET_UINT32_LE
47 #define GET_UINT32_LE(n,b,i) \
48 { \
49 (n) = ( (uint32_t) (b)[(i) ] ) \
50 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
51 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
52 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
53 }
54 #endif
55
56 #ifndef PUT_UINT32_LE
57 #define PUT_UINT32_LE(n,b,i) \
58 { \
59 (b)[(i) ] = (unsigned char) ( (n) ); \
60 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
61 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
62 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
63 }
64 #endif
65
66 #if defined(POLARSSL_PADLOCK_C) && \
67 ( defined(POLARSSL_HAVE_X86) || defined(PADLOCK_ALIGN16) )
68 static int aes_padlock_ace = -1;
69 #endif
70
71 #if defined(POLARSSL_AES_ROM_TABLES)
72 /*
73 * Forward S-box
74 */
75 static const unsigned char FSb[256] =
76 {
77 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
78 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
79 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
80 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
81 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
82 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
83 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
84 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
85 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
86 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
87 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
88 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
89 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
90 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
91 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
92 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
93 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
94 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
95 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
96 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
97 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
98 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
99 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
100 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
101 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
102 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
103 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
104 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
105 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
106 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
107 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
108 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
109 };
110
111 /*
112 * Forward tables
113 */
114 #define FT \
115 \
116 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
117 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
118 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
119 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
120 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
121 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
122 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
123 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
124 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
125 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
126 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
127 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
128 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
129 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
130 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
131 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
132 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
133 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
134 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
135 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
136 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
137 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
138 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
139 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
140 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
141 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
142 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
143 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
144 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
145 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
146 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
147 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
148 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
149 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
150 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
151 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
152 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
153 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
154 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
155 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
156 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
157 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
158 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
159 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
160 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
161 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
162 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
163 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
164 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
165 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
166 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
167 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
168 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
169 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
170 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
171 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
172 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
173 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
174 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
175 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
176 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
177 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
178 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
179 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
180
181 #define V(a,b,c,d) 0x##a##b##c##d
182 static const uint32_t FT0[256] = { FT };
183 #undef V
184
185 #define V(a,b,c,d) 0x##b##c##d##a
186 static const uint32_t FT1[256] = { FT };
187 #undef V
188
189 #define V(a,b,c,d) 0x##c##d##a##b
190 static const uint32_t FT2[256] = { FT };
191 #undef V
192
193 #define V(a,b,c,d) 0x##d##a##b##c
194 static const uint32_t FT3[256] = { FT };
195 #undef V
196
197 #undef FT
198
199 /*
200 * Reverse S-box
201 */
202 static const unsigned char RSb[256] =
203 {
204 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
205 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
206 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
207 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
208 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
209 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
210 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
211 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
212 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
213 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
214 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
215 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
216 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
217 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
218 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
219 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
220 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
221 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
222 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
223 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
224 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
225 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
226 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
227 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
228 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
229 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
230 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
231 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
232 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
233 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
234 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
235 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
236 };
237
238 /*
239 * Reverse tables
240 */
241 #define RT \
242 \
243 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
244 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
245 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
246 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
247 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
248 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
249 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
250 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
251 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
252 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
253 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
254 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
255 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
256 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
257 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
258 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
259 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
260 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
261 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
262 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
263 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
264 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
265 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
266 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
267 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
268 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
269 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
270 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
271 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
272 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
273 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
274 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
275 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
276 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
277 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
278 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
279 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
280 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
281 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
282 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
283 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
284 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
285 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
286 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
287 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
288 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
289 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
290 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
291 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
292 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
293 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
294 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
295 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
296 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
297 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
298 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
299 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
300 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
301 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
302 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
303 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
304 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
305 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
306 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
307
308 #define V(a,b,c,d) 0x##a##b##c##d
309 static const uint32_t RT0[256] = { RT };
310 #undef V
311
312 #define V(a,b,c,d) 0x##b##c##d##a
313 static const uint32_t RT1[256] = { RT };
314 #undef V
315
316 #define V(a,b,c,d) 0x##c##d##a##b
317 static const uint32_t RT2[256] = { RT };
318 #undef V
319
320 #define V(a,b,c,d) 0x##d##a##b##c
321 static const uint32_t RT3[256] = { RT };
322 #undef V
323
324 #undef RT
325
326 /*
327 * Round constants
328 */
329 static const uint32_t RCON[10] =
330 {
331 0x00000001, 0x00000002, 0x00000004, 0x00000008,
332 0x00000010, 0x00000020, 0x00000040, 0x00000080,
333 0x0000001B, 0x00000036
334 };
335
336 #else
337
338 /*
339 * Forward S-box & tables
340 */
341 static unsigned char FSb[256];
342 static uint32_t FT0[256];
343 static uint32_t FT1[256];
344 static uint32_t FT2[256];
345 static uint32_t FT3[256];
346
347 /*
348 * Reverse S-box & tables
349 */
350 static unsigned char RSb[256];
351 static uint32_t RT0[256];
352 static uint32_t RT1[256];
353 static uint32_t RT2[256];
354 static uint32_t RT3[256];
355
356 /*
357 * Round constants
358 */
359 static uint32_t RCON[10];
360
361 /*
362 * Tables generation code
363 */
364 #define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
365 #define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
366 #define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
367
368 static int aes_init_done = 0;
369
370 static void aes_gen_tables( void )
371 {
372 int i, x, y, z;
373 int pow[256];
374 int log[256];
375
376 /*
377 * compute pow and log tables over GF(2^8)
378 */
379 for( i = 0, x = 1; i < 256; i++ )
380 {
381 pow[i] = x;
382 log[x] = i;
383 x = ( x ^ XTIME( x ) ) & 0xFF;
384 }
385
386 /*
387 * calculate the round constants
388 */
389 for( i = 0, x = 1; i < 10; i++ )
390 {
391 RCON[i] = (uint32_t) x;
392 x = XTIME( x ) & 0xFF;
393 }
394
395 /*
396 * generate the forward and reverse S-boxes
397 */
398 FSb[0x00] = 0x63;
399 RSb[0x63] = 0x00;
400
401 for( i = 1; i < 256; i++ )
402 {
403 x = pow[255 - log[i]];
404
405 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
406 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
407 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
408 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
409 x ^= y ^ 0x63;
410
411 FSb[i] = (unsigned char) x;
412 RSb[x] = (unsigned char) i;
413 }
414
415 /*
416 * generate the forward and reverse tables
417 */
418 for( i = 0; i < 256; i++ )
419 {
420 x = FSb[i];
421 y = XTIME( x ) & 0xFF;
422 z = ( y ^ x ) & 0xFF;
423
424 FT0[i] = ( (uint32_t) y ) ^
425 ( (uint32_t) x << 8 ) ^
426 ( (uint32_t) x << 16 ) ^
427 ( (uint32_t) z << 24 );
428
429 FT1[i] = ROTL8( FT0[i] );
430 FT2[i] = ROTL8( FT1[i] );
431 FT3[i] = ROTL8( FT2[i] );
432
433 x = RSb[i];
434
435 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
436 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
437 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
438 ( (uint32_t) MUL( 0x0B, x ) << 24 );
439
440 RT1[i] = ROTL8( RT0[i] );
441 RT2[i] = ROTL8( RT1[i] );
442 RT3[i] = ROTL8( RT2[i] );
443 }
444 }
445
446 #endif
447
448 /*
449 * AES key schedule (encryption)
450 */
451 int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
452 {
453 unsigned int i;
454 uint32_t *RK;
455
456 #if !defined(POLARSSL_AES_ROM_TABLES)
457 if( aes_init_done == 0 )
458 {
459 aes_gen_tables();
460 aes_init_done = 1;
461
462 }
463 #endif
464
465 switch( keysize )
466 {
467 case 128: ctx->nr = 10; break;
468 case 192: ctx->nr = 12; break;
469 case 256: ctx->nr = 14; break;
470 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
471 }
472
473 #if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
474 if( aes_padlock_ace == -1 )
475 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
476
477 if( aes_padlock_ace )
478 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
479 else
480 #endif
481 ctx->rk = RK = ctx->buf;
482
483 for( i = 0; i < (keysize >> 5); i++ )
484 {
485 GET_UINT32_LE( RK[i], key, i << 2 );
486 }
487
488 switch( ctx->nr )
489 {
490 case 10:
491
492 for( i = 0; i < 10; i++, RK += 4 )
493 {
494 RK[4] = RK[0] ^ RCON[i] ^
495 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
496 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
497 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
498 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
499
500 RK[5] = RK[1] ^ RK[4];
501 RK[6] = RK[2] ^ RK[5];
502 RK[7] = RK[3] ^ RK[6];
503 }
504 break;
505
506 case 12:
507
508 for( i = 0; i < 8; i++, RK += 6 )
509 {
510 RK[6] = RK[0] ^ RCON[i] ^
511 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
512 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
513 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
514 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
515
516 RK[7] = RK[1] ^ RK[6];
517 RK[8] = RK[2] ^ RK[7];
518 RK[9] = RK[3] ^ RK[8];
519 RK[10] = RK[4] ^ RK[9];
520 RK[11] = RK[5] ^ RK[10];
521 }
522 break;
523
524 case 14:
525
526 for( i = 0; i < 7; i++, RK += 8 )
527 {
528 RK[8] = RK[0] ^ RCON[i] ^
529 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
530 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
531 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
532 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
533
534 RK[9] = RK[1] ^ RK[8];
535 RK[10] = RK[2] ^ RK[9];
536 RK[11] = RK[3] ^ RK[10];
537
538 RK[12] = RK[4] ^
539 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
540 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
541 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
542 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
543
544 RK[13] = RK[5] ^ RK[12];
545 RK[14] = RK[6] ^ RK[13];
546 RK[15] = RK[7] ^ RK[14];
547 }
548 break;
549
550 default:
551
552 break;
553 }
554
555 return( 0 );
556 }
557
558 /*
559 * AES key schedule (decryption)
560 */
561 int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
562 {
563 int i, j;
564 aes_context cty;
565 uint32_t *RK;
566 uint32_t *SK;
567 int ret;
568
569 switch( keysize )
570 {
571 case 128: ctx->nr = 10; break;
572 case 192: ctx->nr = 12; break;
573 case 256: ctx->nr = 14; break;
574 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
575 }
576
577 #if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
578 if( aes_padlock_ace == -1 )
579 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
580
581 if( aes_padlock_ace )
582 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
583 else
584 #endif
585 ctx->rk = RK = ctx->buf;
586
587 ret = aes_setkey_enc( &cty, key, keysize );
588 if( ret != 0 )
589 return( ret );
590
591 SK = cty.rk + cty.nr * 4;
592
593 *RK++ = *SK++;
594 *RK++ = *SK++;
595 *RK++ = *SK++;
596 *RK++ = *SK++;
597
598 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
599 {
600 for( j = 0; j < 4; j++, SK++ )
601 {
602 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
603 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
604 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
605 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
606 }
607 }
608
609 *RK++ = *SK++;
610 *RK++ = *SK++;
611 *RK++ = *SK++;
612 *RK++ = *SK++;
613
614 memset( &cty, 0, sizeof( aes_context ) );
615
616 return( 0 );
617 }
618
619 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
620 { \
621 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
622 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
623 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
624 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
625 \
626 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
627 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
628 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
629 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
630 \
631 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
632 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
633 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
634 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
635 \
636 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
637 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
638 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
639 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
640 }
641
642 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
643 { \
644 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
645 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
646 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
647 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
648 \
649 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
650 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
651 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
652 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
653 \
654 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
655 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
656 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
657 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
658 \
659 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
660 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
661 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
662 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
663 }
664
665 /*
666 * AES-ECB block encryption/decryption
667 */
668 int aes_crypt_ecb( aes_context *ctx,
669 int mode,
670 const unsigned char input[16],
671 unsigned char output[16] )
672 {
673 int i;
674 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
675
676 #if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
677 if( aes_padlock_ace )
678 {
679 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
680 return( 0 );
681
682 // If padlock data misaligned, we just fall back to
683 // unaccelerated mode
684 //
685 }
686 #endif
687
688 RK = ctx->rk;
689
690 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
691 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
692 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
693 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
694
695 if( mode == AES_DECRYPT )
696 {
697 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
698 {
699 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
700 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
701 }
702
703 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
704
705 X0 = *RK++ ^ \
706 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
707 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
708 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
709 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
710
711 X1 = *RK++ ^ \
712 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
713 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
714 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
715 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
716
717 X2 = *RK++ ^ \
718 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
719 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
720 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
721 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
722
723 X3 = *RK++ ^ \
724 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
725 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
726 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
727 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
728 }
729 else /* AES_ENCRYPT */
730 {
731 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
732 {
733 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
734 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
735 }
736
737 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
738
739 X0 = *RK++ ^ \
740 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
741 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
742 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
743 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
744
745 X1 = *RK++ ^ \
746 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
747 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
748 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
749 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
750
751 X2 = *RK++ ^ \
752 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
753 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
754 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
755 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
756
757 X3 = *RK++ ^ \
758 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
759 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
760 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
761 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
762 }
763
764 PUT_UINT32_LE( X0, output, 0 );
765 PUT_UINT32_LE( X1, output, 4 );
766 PUT_UINT32_LE( X2, output, 8 );
767 PUT_UINT32_LE( X3, output, 12 );
768
769 return( 0 );
770 }
771
772 /*
773 * AES-CBC buffer encryption/decryption
774 */
775 int aes_crypt_cbc( aes_context *ctx,
776 int mode,
777 size_t length,
778 unsigned char iv[16],
779 const unsigned char *input,
780 unsigned char *output )
781 {
782 int i;
783 unsigned char temp[16];
784
785 if( length % 16 )
786 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
787
788 #if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
789 if( aes_padlock_ace )
790 {
791 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
792 return( 0 );
793
794 // If padlock data misaligned, we just fall back to
795 // unaccelerated mode
796 //
797 }
798 #endif
799
800 if( mode == AES_DECRYPT )
801 {
802 while( length > 0 )
803 {
804 memcpy( temp, input, 16 );
805 aes_crypt_ecb( ctx, mode, input, output );
806
807 for( i = 0; i < 16; i++ )
808 output[i] = (unsigned char)( output[i] ^ iv[i] );
809
810 memcpy( iv, temp, 16 );
811
812 input += 16;
813 output += 16;
814 length -= 16;
815 }
816 }
817 else
818 {
819 while( length > 0 )
820 {
821 for( i = 0; i < 16; i++ )
822 output[i] = (unsigned char)( input[i] ^ iv[i] );
823
824 aes_crypt_ecb( ctx, mode, output, output );
825 memcpy( iv, output, 16 );
826
827 input += 16;
828 output += 16;
829 length -= 16;
830 }
831 }
832
833 return( 0 );
834 }
835
836 #if defined(POLARSSL_CIPHER_MODE_CFB)
837 /*
838 * AES-CFB128 buffer encryption/decryption
839 */
840 int aes_crypt_cfb128( aes_context *ctx,
841 int mode,
842 size_t length,
843 size_t *iv_off,
844 unsigned char iv[16],
845 const unsigned char *input,
846 unsigned char *output )
847 {
848 int c;
849 size_t n = *iv_off;
850
851 if( mode == AES_DECRYPT )
852 {
853 while( length-- )
854 {
855 if( n == 0 )
856 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
857
858 c = *input++;
859 *output++ = (unsigned char)( c ^ iv[n] );
860 iv[n] = (unsigned char) c;
861
862 n = (n + 1) & 0x0F;
863 }
864 }
865 else
866 {
867 while( length-- )
868 {
869 if( n == 0 )
870 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
871
872 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
873
874 n = (n + 1) & 0x0F;
875 }
876 }
877
878 *iv_off = n;
879
880 return( 0 );
881 }
882 #endif /*POLARSSL_CIPHER_MODE_CFB */
883
884 #if defined(POLARSSL_CIPHER_MODE_CTR)
885 /*
886 * AES-CTR buffer encryption/decryption
887 */
888 int aes_crypt_ctr( aes_context *ctx,
889 size_t length,
890 size_t *nc_off,
891 unsigned char nonce_counter[16],
892 unsigned char stream_block[16],
893 const unsigned char *input,
894 unsigned char *output )
895 {
896 int c, i;
897 size_t n = *nc_off;
898
899 while( length-- )
900 {
901 if( n == 0 ) {
902 aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
903
904 for( i = 16; i > 0; i-- )
905 if( ++nonce_counter[i - 1] != 0 )
906 break;
907 }
908 c = *input++;
909 *output++ = (unsigned char)( c ^ stream_block[n] );
910
911 n = (n + 1) & 0x0F;
912 }
913
914 *nc_off = n;
915
916 return( 0 );
917 }
918 #endif /* POLARSSL_CIPHER_MODE_CTR */
919 #endif /* !POLARSSL_AES_ALT */
920
921 #if defined(POLARSSL_SELF_TEST)
922
923 #include <stdio.h>
924
925 /*
926 * AES test vectors from:
927 *
928 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
929 */
930 static const unsigned char aes_test_ecb_dec[3][16] =
931 {
932 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
933 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
934 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
935 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
936 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
937 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
938 };
939
940 static const unsigned char aes_test_ecb_enc[3][16] =
941 {
942 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
943 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
944 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
945 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
946 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
947 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
948 };
949
950 static const unsigned char aes_test_cbc_dec[3][16] =
951 {
952 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
953 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
954 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
955 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
956 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
957 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
958 };
959
960 static const unsigned char aes_test_cbc_enc[3][16] =
961 {
962 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
963 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
964 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
965 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
966 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
967 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
968 };
969
970 #if defined(POLARSSL_CIPHER_MODE_CFB)
971 /*
972 * AES-CFB128 test vectors from:
973 *
974 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
975 */
976 static const unsigned char aes_test_cfb128_key[3][32] =
977 {
978 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
979 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
980 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
981 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
982 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
983 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
984 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
985 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
986 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
987 };
988
989 static const unsigned char aes_test_cfb128_iv[16] =
990 {
991 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
992 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
993 };
994
995 static const unsigned char aes_test_cfb128_pt[64] =
996 {
997 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
998 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
999 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1000 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1001 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1002 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1003 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1004 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1005 };
1006
1007 static const unsigned char aes_test_cfb128_ct[3][64] =
1008 {
1009 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1010 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1011 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1012 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1013 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1014 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1015 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1016 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1017 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1018 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1019 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1020 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1021 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1022 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1023 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1024 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1025 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1026 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1027 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1028 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1029 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1030 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1031 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1032 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1033 };
1034 #endif /* POLARSSL_CIPHER_MODE_CFB */
1035
1036 #if defined(POLARSSL_CIPHER_MODE_CTR)
1037 /*
1038 * AES-CTR test vectors from:
1039 *
1040 * http://www.faqs.org/rfcs/rfc3686.html
1041 */
1042
1043 static const unsigned char aes_test_ctr_key[3][16] =
1044 {
1045 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1046 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1047 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1048 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1049 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1050 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1051 };
1052
1053 static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1054 {
1055 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1056 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1057 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1058 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1059 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1060 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1061 };
1062
1063 static const unsigned char aes_test_ctr_pt[3][48] =
1064 {
1065 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1066 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1067
1068 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1069 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1070 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1071 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1072
1073 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1074 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1075 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1076 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1077 0x20, 0x21, 0x22, 0x23 }
1078 };
1079
1080 static const unsigned char aes_test_ctr_ct[3][48] =
1081 {
1082 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1083 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1084 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1085 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1086 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1087 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1088 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1089 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1090 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1091 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1092 0x25, 0xB2, 0x07, 0x2F }
1093 };
1094
1095 static const int aes_test_ctr_len[3] =
1096 { 16, 32, 36 };
1097 #endif /* POLARSSL_CIPHER_MODE_CTR */
1098
1099 /*
1100 * Checkup routine
1101 */
1102 int aes_self_test( int verbose )
1103 {
1104 int i, j, u, v;
1105 unsigned char key[32];
1106 unsigned char buf[64];
1107 unsigned char prv[16];
1108 unsigned char iv[16];
1109 #if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
1110 size_t offset;
1111 #endif
1112 #if defined(POLARSSL_CIPHER_MODE_CTR)
1113 int len;
1114 unsigned char nonce_counter[16];
1115 unsigned char stream_block[16];
1116 #endif
1117 aes_context ctx;
1118
1119 memset( key, 0, 32 );
1120
1121 /*
1122 * ECB mode
1123 */
1124 for( i = 0; i < 6; i++ )
1125 {
1126 u = i >> 1;
1127 v = i & 1;
1128
1129 if( verbose != 0 )
1130 printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1131 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1132
1133 memset( buf, 0, 16 );
1134
1135 if( v == AES_DECRYPT )
1136 {
1137 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1138
1139 for( j = 0; j < 10000; j++ )
1140 aes_crypt_ecb( &ctx, v, buf, buf );
1141
1142 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1143 {
1144 if( verbose != 0 )
1145 printf( "failed\n" );
1146
1147 return( 1 );
1148 }
1149 }
1150 else
1151 {
1152 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1153
1154 for( j = 0; j < 10000; j++ )
1155 aes_crypt_ecb( &ctx, v, buf, buf );
1156
1157 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1158 {
1159 if( verbose != 0 )
1160 printf( "failed\n" );
1161
1162 return( 1 );
1163 }
1164 }
1165
1166 if( verbose != 0 )
1167 printf( "passed\n" );
1168 }
1169
1170 if( verbose != 0 )
1171 printf( "\n" );
1172
1173 /*
1174 * CBC mode
1175 */
1176 for( i = 0; i < 6; i++ )
1177 {
1178 u = i >> 1;
1179 v = i & 1;
1180
1181 if( verbose != 0 )
1182 printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1183 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1184
1185 memset( iv , 0, 16 );
1186 memset( prv, 0, 16 );
1187 memset( buf, 0, 16 );
1188
1189 if( v == AES_DECRYPT )
1190 {
1191 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1192
1193 for( j = 0; j < 10000; j++ )
1194 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1195
1196 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1197 {
1198 if( verbose != 0 )
1199 printf( "failed\n" );
1200
1201 return( 1 );
1202 }
1203 }
1204 else
1205 {
1206 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1207
1208 for( j = 0; j < 10000; j++ )
1209 {
1210 unsigned char tmp[16];
1211
1212 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1213
1214 memcpy( tmp, prv, 16 );
1215 memcpy( prv, buf, 16 );
1216 memcpy( buf, tmp, 16 );
1217 }
1218
1219 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1220 {
1221 if( verbose != 0 )
1222 printf( "failed\n" );
1223
1224 return( 1 );
1225 }
1226 }
1227
1228 if( verbose != 0 )
1229 printf( "passed\n" );
1230 }
1231
1232 if( verbose != 0 )
1233 printf( "\n" );
1234
1235 #if defined(POLARSSL_CIPHER_MODE_CFB)
1236 /*
1237 * CFB128 mode
1238 */
1239 for( i = 0; i < 6; i++ )
1240 {
1241 u = i >> 1;
1242 v = i & 1;
1243
1244 if( verbose != 0 )
1245 printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1246 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1247
1248 memcpy( iv, aes_test_cfb128_iv, 16 );
1249 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1250
1251 offset = 0;
1252 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1253
1254 if( v == AES_DECRYPT )
1255 {
1256 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1257 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1258
1259 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1260 {
1261 if( verbose != 0 )
1262 printf( "failed\n" );
1263
1264 return( 1 );
1265 }
1266 }
1267 else
1268 {
1269 memcpy( buf, aes_test_cfb128_pt, 64 );
1270 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1271
1272 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1273 {
1274 if( verbose != 0 )
1275 printf( "failed\n" );
1276
1277 return( 1 );
1278 }
1279 }
1280
1281 if( verbose != 0 )
1282 printf( "passed\n" );
1283 }
1284
1285 if( verbose != 0 )
1286 printf( "\n" );
1287 #endif /* POLARSSL_CIPHER_MODE_CFB */
1288
1289 #if defined(POLARSSL_CIPHER_MODE_CTR)
1290 /*
1291 * CTR mode
1292 */
1293 for( i = 0; i < 6; i++ )
1294 {
1295 u = i >> 1;
1296 v = i & 1;
1297
1298 if( verbose != 0 )
1299 printf( " AES-CTR-128 (%s): ",
1300 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1301
1302 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1303 memcpy( key, aes_test_ctr_key[u], 16 );
1304
1305 offset = 0;
1306 aes_setkey_enc( &ctx, key, 128 );
1307
1308 if( v == AES_DECRYPT )
1309 {
1310 len = aes_test_ctr_len[u];
1311 memcpy( buf, aes_test_ctr_ct[u], len );
1312
1313 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1314
1315 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1316 {
1317 if( verbose != 0 )
1318 printf( "failed\n" );
1319
1320 return( 1 );
1321 }
1322 }
1323 else
1324 {
1325 len = aes_test_ctr_len[u];
1326 memcpy( buf, aes_test_ctr_pt[u], len );
1327
1328 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1329
1330 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1331 {
1332 if( verbose != 0 )
1333 printf( "failed\n" );
1334
1335 return( 1 );
1336 }
1337 }
1338
1339 if( verbose != 0 )
1340 printf( "passed\n" );
1341 }
1342
1343 if( verbose != 0 )
1344 printf( "\n" );
1345 #endif /* POLARSSL_CIPHER_MODE_CTR */
1346
1347 return( 0 );
1348 }
1349
1350 #endif
1351
1352 #endif
per-site certificate generator for PolarSSL