search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ssl_tls: fix format warning in ssl_parse_certificate() on x86_64
[tropicssl.git] / library / aes.c
blobaba1c0ac5ce2867a558f552ecd658d52ef29800d
1 /*
2 * FIPS-197 compliant AES implementation
3 *
4 * Based on XySSL: Copyright (C) 2006-2008 Christophe Devine
5 *
6 * Copyright (C) 2009 Paul Bakker <polarssl_maintainer at polarssl dot org>
7 *
8 * All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 *
14 * * Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * * Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * * Neither the names of PolarSSL or XySSL nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
26 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35 /*
36 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
37 *
38 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
39 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
40 */
41
42 #include "tropicssl/config.h"
43
44 #if defined(TROPICSSL_AES_C)
45
46 #include "tropicssl/aes.h"
47 #include "tropicssl/padlock.h"
48
49 #include <string.h>
50
51 /*
52 * 32-bit integer manipulation macros (little endian)
53 */
54 #ifndef GET_ULONG_LE
55 #define GET_ULONG_LE(n,b,i) \
56 { \
57 (n) = ( (unsigned long) (b)[(i) ] ) \
58 | ( (unsigned long) (b)[(i) + 1] << 8 ) \
59 | ( (unsigned long) (b)[(i) + 2] << 16 ) \
60 | ( (unsigned long) (b)[(i) + 3] << 24 ); \
61 }
62 #endif
63
64 #ifndef PUT_ULONG_LE
65 #define PUT_ULONG_LE(n,b,i) \
66 { \
67 (b)[(i) ] = (unsigned char) ( (n) ); \
68 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
69 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
70 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
71 }
72 #endif
73
74 #if defined(TROPICSSL_AES_ROM_TABLES)
75 /*
76 * Forward S-box
77 */
78 static const unsigned char FSb[256] = {
79 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
80 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
81 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
82 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
83 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
84 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
85 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
86 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
87 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
88 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
89 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
90 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
91 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
92 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
93 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
94 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
95 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
96 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
97 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
98 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
99 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
100 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
101 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
102 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
103 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
104 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
105 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
106 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
107 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
108 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
109 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
110 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
111 };
112
113 /*
114 * Forward tables
115 */
116 #define FT \
117 \
118 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
119 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
120 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
121 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
122 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
123 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
124 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
125 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
126 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
127 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
128 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
129 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
130 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
131 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
132 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
133 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
134 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
135 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
136 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
137 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
138 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
139 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
140 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
141 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
142 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
143 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
144 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
145 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
146 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
147 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
148 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
149 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
150 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
151 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
152 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
153 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
154 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
155 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
156 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
157 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
158 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
159 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
160 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
161 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
162 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
163 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
164 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
165 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
166 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
167 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
168 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
169 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
170 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
171 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
172 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
173 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
174 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
175 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
176 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
177 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
178 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
179 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
180 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
181 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
182
183 #define V(a,b,c,d) 0x##a##b##c##d
184 static const unsigned long FT0[256] = { FT };
185
186 #undef V
187
188 #define V(a,b,c,d) 0x##b##c##d##a
189 static const unsigned long FT1[256] = { FT };
190
191 #undef V
192
193 #define V(a,b,c,d) 0x##c##d##a##b
194 static const unsigned long FT2[256] = { FT };
195
196 #undef V
197
198 #define V(a,b,c,d) 0x##d##a##b##c
199 static const unsigned long FT3[256] = { FT };
200
201 #undef V
202
203 #undef FT
204
205 /*
206 * Reverse S-box
207 */
208 static const unsigned char RSb[256] = {
209 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
210 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
211 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
212 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
213 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
214 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
215 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
216 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
217 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
218 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
219 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
220 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
221 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
222 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
223 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
224 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
225 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
226 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
227 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
228 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
229 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
230 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
231 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
232 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
233 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
234 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
235 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
236 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
237 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
238 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
239 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
240 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
241 };
242
243 /*
244 * Reverse tables
245 */
246 #define RT \
247 \
248 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
249 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
250 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
251 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
252 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
253 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
254 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
255 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
256 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
257 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
258 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
259 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
260 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
261 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
262 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
263 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
264 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
265 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
266 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
267 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
268 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
269 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
270 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
271 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
272 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
273 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
274 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
275 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
276 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
277 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
278 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
279 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
280 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
281 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
282 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
283 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
284 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
285 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
286 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
287 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
288 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
289 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
290 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
291 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
292 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
293 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
294 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
295 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
296 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
297 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
298 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
299 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
300 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
301 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
302 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
303 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
304 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
305 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
306 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
307 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
308 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
309 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
310 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
311 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
312
313 #define V(a,b,c,d) 0x##a##b##c##d
314 static const unsigned long RT0[256] = { RT };
315
316 #undef V
317
318 #define V(a,b,c,d) 0x##b##c##d##a
319 static const unsigned long RT1[256] = { RT };
320
321 #undef V
322
323 #define V(a,b,c,d) 0x##c##d##a##b
324 static const unsigned long RT2[256] = { RT };
325
326 #undef V
327
328 #define V(a,b,c,d) 0x##d##a##b##c
329 static const unsigned long RT3[256] = { RT };
330
331 #undef V
332
333 #undef RT
334
335 /*
336 * Round constants
337 */
338 static const unsigned long RCON[10] = {
339 0x00000001, 0x00000002, 0x00000004, 0x00000008,
340 0x00000010, 0x00000020, 0x00000040, 0x00000080,
341 0x0000001B, 0x00000036
342 };
343
344 #else
345
346 /*
347 * Forward S-box & tables
348 */
349 static unsigned char FSb[256];
350 static unsigned long FT0[256];
351 static unsigned long FT1[256];
352 static unsigned long FT2[256];
353 static unsigned long FT3[256];
354
355 /*
356 * Reverse S-box & tables
357 */
358 static unsigned char RSb[256];
359 static unsigned long RT0[256];
360 static unsigned long RT1[256];
361 static unsigned long RT2[256];
362 static unsigned long RT3[256];
363
364 /*
365 * Round constants
366 */
367 static unsigned long RCON[10];
368
369 /*
370 * Tables generation code
371 */
372 #define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
373 #define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
374 #define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
375
376 static int aes_init_done = 0;
377
378 static void aes_gen_tables(void)
379 {
380 int i, x, y, z;
381 int pow[256];
382 int log[256];
383
384 /*
385 * compute pow and log tables over GF(2^8)
386 */
387 for (i = 0, x = 1; i < 256; i++) {
388 pow[i] = x;
389 log[x] = i;
390 x = (x ^ XTIME(x)) & 0xFF;
391 }
392
393 /*
394 * calculate the round constants
395 */
396 for (i = 0, x = 1; i < 10; i++) {
397 RCON[i] = (unsigned long)x;
398 x = XTIME(x) & 0xFF;
399 }
400
401 /*
402 * generate the forward and reverse S-boxes
403 */
404 FSb[0x00] = 0x63;
405 RSb[0x63] = 0x00;
406
407 for (i = 1; i < 256; i++) {
408 x = pow[255 - log[i]];
409
410 y = x;
411 y = ((y << 1) | (y >> 7)) & 0xFF;
412 x ^= y;
413 y = ((y << 1) | (y >> 7)) & 0xFF;
414 x ^= y;
415 y = ((y << 1) | (y >> 7)) & 0xFF;
416 x ^= y;
417 y = ((y << 1) | (y >> 7)) & 0xFF;
418 x ^= y ^ 0x63;
419
420 FSb[i] = (unsigned char)x;
421 RSb[x] = (unsigned char)i;
422 }
423
424 /*
425 * generate the forward and reverse tables
426 */
427 for (i = 0; i < 256; i++) {
428 x = FSb[i];
429 y = XTIME(x) & 0xFF;
430 z = (y ^ x) & 0xFF;
431
432 FT0[i] = ((unsigned long)y) ^
433 ((unsigned long)x << 8) ^
434 ((unsigned long)x << 16) ^ ((unsigned long)z << 24);
435
436 FT1[i] = ROTL8(FT0[i]);
437 FT2[i] = ROTL8(FT1[i]);
438 FT3[i] = ROTL8(FT2[i]);
439
440 x = RSb[i];
441
442 RT0[i] = ((unsigned long)MUL(0x0E, x)) ^
443 ((unsigned long)MUL(0x09, x) << 8) ^
444 ((unsigned long)MUL(0x0D, x) << 16) ^
445 ((unsigned long)MUL(0x0B, x) << 24);
446
447 RT1[i] = ROTL8(RT0[i]);
448 RT2[i] = ROTL8(RT1[i]);
449 RT3[i] = ROTL8(RT2[i]);
450 }
451 }
452
453 #endif
454
455 /*
456 * AES key schedule (encryption)
457 */
458 void aes_setkey_enc(aes_context * ctx, const unsigned char *key, int keysize)
459 {
460 int i;
461 unsigned long *RK;
462
463 #if !defined(TROPICSSL_AES_ROM_TABLES)
464 if (aes_init_done == 0) {
465 aes_gen_tables();
466 aes_init_done = 1;
467 }
468 #endif
469
470 switch (keysize) {
471 case 128:
472 ctx->nr = 10;
473 break;
474 case 192:
475 ctx->nr = 12;
476 break;
477 case 256:
478 ctx->nr = 14;
479 break;
480 default:
481 return;
482 }
483
484 #if defined(PADLOCK_ALIGN16)
485 ctx->rk = RK = PADLOCK_ALIGN16(ctx->buf);
486 #else
487 ctx->rk = RK = ctx->buf;
488 #endif
489
490 for (i = 0; i < (keysize >> 5); i++) {
491 GET_ULONG_LE(RK[i], key, i << 2);
492 }
493
494 switch (ctx->nr) {
495 case 10:
496
497 for (i = 0; i < 10; i++, RK += 4) {
498 RK[4] = RK[0] ^ RCON[i] ^
499 ((unsigned long)FSb[(RK[3] >> 8) & 0xFF]) ^
500 ((unsigned long)FSb[(RK[3] >> 16) & 0xFF] << 8) ^
501 ((unsigned long)FSb[(RK[3] >> 24) & 0xFF] << 16) ^
502 ((unsigned long)FSb[(RK[3]) & 0xFF] << 24);
503
504 RK[5] = RK[1] ^ RK[4];
505 RK[6] = RK[2] ^ RK[5];
506 RK[7] = RK[3] ^ RK[6];
507 }
508 break;
509
510 case 12:
511
512 for (i = 0; i < 8; i++, RK += 6) {
513 RK[6] = RK[0] ^ RCON[i] ^
514 ((unsigned long)FSb[(RK[5] >> 8) & 0xFF]) ^
515 ((unsigned long)FSb[(RK[5] >> 16) & 0xFF] << 8) ^
516 ((unsigned long)FSb[(RK[5] >> 24) & 0xFF] << 16) ^
517 ((unsigned long)FSb[(RK[5]) & 0xFF] << 24);
518
519 RK[7] = RK[1] ^ RK[6];
520 RK[8] = RK[2] ^ RK[7];
521 RK[9] = RK[3] ^ RK[8];
522 RK[10] = RK[4] ^ RK[9];
523 RK[11] = RK[5] ^ RK[10];
524 }
525 break;
526
527 case 14:
528
529 for (i = 0; i < 7; i++, RK += 8) {
530 RK[8] = RK[0] ^ RCON[i] ^
531 ((unsigned long)FSb[(RK[7] >> 8) & 0xFF]) ^
532 ((unsigned long)FSb[(RK[7] >> 16) & 0xFF] << 8) ^
533 ((unsigned long)FSb[(RK[7] >> 24) & 0xFF] << 16) ^
534 ((unsigned long)FSb[(RK[7]) & 0xFF] << 24);
535
536 RK[9] = RK[1] ^ RK[8];
537 RK[10] = RK[2] ^ RK[9];
538 RK[11] = RK[3] ^ RK[10];
539
540 RK[12] = RK[4] ^
541 ((unsigned long)FSb[(RK[11]) & 0xFF]) ^
542 ((unsigned long)FSb[(RK[11] >> 8) & 0xFF] << 8) ^
543 ((unsigned long)FSb[(RK[11] >> 16) & 0xFF] << 16) ^
544 ((unsigned long)FSb[(RK[11] >> 24) & 0xFF] << 24);
545
546 RK[13] = RK[5] ^ RK[12];
547 RK[14] = RK[6] ^ RK[13];
548 RK[15] = RK[7] ^ RK[14];
549 }
550 break;
551
552 default:
553
554 break;
555 }
556 }
557
558 /*
559 * AES key schedule (decryption)
560 */
561 void aes_setkey_dec(aes_context * ctx, const unsigned char *key, int keysize)
562 {
563 int i, j;
564 aes_context cty;
565 unsigned long *RK;
566 unsigned long *SK;
567
568 switch (keysize) {
569 case 128:
570 ctx->nr = 10;
571 break;
572 case 192:
573 ctx->nr = 12;
574 break;
575 case 256:
576 ctx->nr = 14;
577 break;
578 default:
579 return;
580 }
581
582 #if defined(PADLOCK_ALIGN16)
583 ctx->rk = RK = PADLOCK_ALIGN16(ctx->buf);
584 #else
585 ctx->rk = RK = ctx->buf;
586 #endif
587
588 aes_setkey_enc(&cty, key, keysize);
589 SK = cty.rk + cty.nr * 4;
590
591 *RK++ = *SK++;
592 *RK++ = *SK++;
593 *RK++ = *SK++;
594 *RK++ = *SK++;
595
596 for (i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8) {
597 for (j = 0; j < 4; j++, SK++) {
598 *RK++ = RT0[FSb[(*SK) & 0xFF]] ^
599 RT1[FSb[(*SK >> 8) & 0xFF]] ^
600 RT2[FSb[(*SK >> 16) & 0xFF]] ^
601 RT3[FSb[(*SK >> 24) & 0xFF]];
602 }
603 }
604
605 *RK++ = *SK++;
606 *RK++ = *SK++;
607 *RK++ = *SK++;
608 *RK++ = *SK++;
609
610 memset(&cty, 0, sizeof(aes_context));
611 }
612
613 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
614 { \
615 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
616 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
617 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
618 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
619 \
620 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
621 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
622 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
623 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
624 \
625 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
626 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
627 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
628 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
629 \
630 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
631 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
632 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
633 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
634 }
635
636 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
637 { \
638 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
639 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
640 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
641 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
642 \
643 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
644 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
645 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
646 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
647 \
648 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
649 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
650 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
651 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
652 \
653 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
654 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
655 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
656 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
657 }
658
659 /*
660 * AES-ECB block encryption/decryption
661 */
662 void aes_crypt_ecb(aes_context * ctx,
663 int mode, const unsigned char input[16],
664 unsigned char output[16])
665 {
666 int i;
667 unsigned long *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
668
669 #if defined(TROPICSSL_PADLOCK_C) && defined(TROPICSSL_HAVE_X86)
670 if (padlock_supports(PADLOCK_ACE)) {
671 if (padlock_xcryptecb(ctx, mode, input, output) == 0)
672 return;
673 }
674 #endif
675
676 RK = ctx->rk;
677
678 GET_ULONG_LE(X0, input, 0);
679 X0 ^= *RK++;
680 GET_ULONG_LE(X1, input, 4);
681 X1 ^= *RK++;
682 GET_ULONG_LE(X2, input, 8);
683 X2 ^= *RK++;
684 GET_ULONG_LE(X3, input, 12);
685 X3 ^= *RK++;
686
687 if (mode == AES_DECRYPT) {
688 for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
689 AES_RROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3);
690 AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3);
691 }
692
693 AES_RROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3);
694
695 X0 = *RK++ ^
696 ((unsigned long)RSb[(Y0) & 0xFF]) ^
697 ((unsigned long)RSb[(Y3 >> 8) & 0xFF] << 8) ^
698 ((unsigned long)RSb[(Y2 >> 16) & 0xFF] << 16) ^
699 ((unsigned long)RSb[(Y1 >> 24) & 0xFF] << 24);
700
701 X1 = *RK++ ^
702 ((unsigned long)RSb[(Y1) & 0xFF]) ^
703 ((unsigned long)RSb[(Y0 >> 8) & 0xFF] << 8) ^
704 ((unsigned long)RSb[(Y3 >> 16) & 0xFF] << 16) ^
705 ((unsigned long)RSb[(Y2 >> 24) & 0xFF] << 24);
706
707 X2 = *RK++ ^
708 ((unsigned long)RSb[(Y2) & 0xFF]) ^
709 ((unsigned long)RSb[(Y1 >> 8) & 0xFF] << 8) ^
710 ((unsigned long)RSb[(Y0 >> 16) & 0xFF] << 16) ^
711 ((unsigned long)RSb[(Y3 >> 24) & 0xFF] << 24);
712
713 X3 = *RK++ ^
714 ((unsigned long)RSb[(Y3) & 0xFF]) ^
715 ((unsigned long)RSb[(Y2 >> 8) & 0xFF] << 8) ^
716 ((unsigned long)RSb[(Y1 >> 16) & 0xFF] << 16) ^
717 ((unsigned long)RSb[(Y0 >> 24) & 0xFF] << 24);
718 } else { /* AES_ENCRYPT */
719 for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
720 AES_FROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3);
721 AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3);
722 }
723
724 AES_FROUND(Y0, Y1, Y2, Y3, X0, X1, X2, X3);
725
726 X0 = *RK++ ^
727 ((unsigned long)FSb[(Y0) & 0xFF]) ^
728 ((unsigned long)FSb[(Y1 >> 8) & 0xFF] << 8) ^
729 ((unsigned long)FSb[(Y2 >> 16) & 0xFF] << 16) ^
730 ((unsigned long)FSb[(Y3 >> 24) & 0xFF] << 24);
731
732 X1 = *RK++ ^
733 ((unsigned long)FSb[(Y1) & 0xFF]) ^
734 ((unsigned long)FSb[(Y2 >> 8) & 0xFF] << 8) ^
735 ((unsigned long)FSb[(Y3 >> 16) & 0xFF] << 16) ^
736 ((unsigned long)FSb[(Y0 >> 24) & 0xFF] << 24);
737
738 X2 = *RK++ ^
739 ((unsigned long)FSb[(Y2) & 0xFF]) ^
740 ((unsigned long)FSb[(Y3 >> 8) & 0xFF] << 8) ^
741 ((unsigned long)FSb[(Y0 >> 16) & 0xFF] << 16) ^
742 ((unsigned long)FSb[(Y1 >> 24) & 0xFF] << 24);
743
744 X3 = *RK++ ^
745 ((unsigned long)FSb[(Y3) & 0xFF]) ^
746 ((unsigned long)FSb[(Y0 >> 8) & 0xFF] << 8) ^
747 ((unsigned long)FSb[(Y1 >> 16) & 0xFF] << 16) ^
748 ((unsigned long)FSb[(Y2 >> 24) & 0xFF] << 24);
749 }
750
751 PUT_ULONG_LE(X0, output, 0);
752 PUT_ULONG_LE(X1, output, 4);
753 PUT_ULONG_LE(X2, output, 8);
754 PUT_ULONG_LE(X3, output, 12);
755 }
756
757 /*
758 * AES-CBC buffer encryption/decryption
759 */
760 void aes_crypt_cbc(aes_context * ctx,
761 int mode,
762 int length,
763 unsigned char iv[16],
764 const unsigned char *input,
765 unsigned char *output)
766 {
767 int i;
768 unsigned char temp[16];
769
770 #if defined(TROPICSSL_PADLOCK_C) && defined(TROPICSSL_HAVE_X86)
771 if (padlock_supports(PADLOCK_ACE)) {
772 if (padlock_xcryptcbc(ctx, mode, length, iv, input, output) ==
773 0)
774 return;
775 }
776 #endif
777
778 if (mode == AES_DECRYPT) {
779 while (length > 0) {
780 memcpy(temp, input, 16);
781 aes_crypt_ecb(ctx, mode, input, output);
782
783 for (i = 0; i < 16; i++)
784 output[i] = (unsigned char)(output[i] ^ iv[i]);
785
786 memcpy(iv, temp, 16);
787
788 input += 16;
789 output += 16;
790 length -= 16;
791 }
792 } else {
793 while (length > 0) {
794 for (i = 0; i < 16; i++)
795 output[i] = (unsigned char)(input[i] ^ iv[i]);
796
797 aes_crypt_ecb(ctx, mode, output, output);
798 memcpy(iv, output, 16);
799
800 input += 16;
801 output += 16;
802 length -= 16;
803 }
804 }
805 }
806
807 /*
808 * AES-CFB128 buffer encryption/decryption
809 */
810 void aes_crypt_cfb128(aes_context * ctx,
811 int mode,
812 int length,
813 int *iv_off,
814 unsigned char iv[16],
815 const unsigned char *input,
816 unsigned char *output)
817 {
818 int c, n = *iv_off;
819
820 if (mode == AES_DECRYPT) {
821 while (length--) {
822 if (n == 0)
823 aes_crypt_ecb(ctx, AES_ENCRYPT, iv, iv);
824
825 c = *input++;
826 *output++ = (unsigned char)(c ^ iv[n]);
827 iv[n] = (unsigned char)c;
828
829 n = (n + 1) & 0x0F;
830 }
831 } else {
832 while (length--) {
833 if (n == 0)
834 aes_crypt_ecb(ctx, AES_ENCRYPT, iv, iv);
835
836 iv[n] = *output++ = (unsigned char)(iv[n] ^ *input++);
837
838 n = (n + 1) & 0x0F;
839 }
840 }
841
842 *iv_off = n;
843 }
844
845 #if defined(TROPICSSL_SELF_TEST)
846
847 #include <stdio.h>
848
849 /*
850 * AES test vectors from:
851 *
852 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
853 */
854 static const unsigned char aes_test_ecb_dec[3][16] = {
855 {
856 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
857 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0},
858 {
859 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
860 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4},
861 {
862 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
863 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE}
864 };
865
866 static const unsigned char aes_test_ecb_enc[3][16] = {
867 {
868 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
869 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F},
870 {
871 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
872 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14},
873 {
874 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
875 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4}
876 };
877
878 static const unsigned char aes_test_cbc_dec[3][16] = {
879 {
880 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
881 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86},
882 {
883 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
884 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B},
885 {
886 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
887 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13}
888 };
889
890 static const unsigned char aes_test_cbc_enc[3][16] = {
891 {
892 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
893 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D},
894 {
895 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
896 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04},
897 {
898 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
899 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0}
900 };
901
902 /*
903 * AES-CFB128 test vectors from:
904 *
905 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
906 */
907 static const unsigned char aes_test_cfb128_key[3][32] = {
908 {
909 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
910 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C},
911 {
912 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
913 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
914 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B},
915 {
916 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
917 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
918 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
919 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4}
920 };
921
922 static const unsigned char aes_test_cfb128_iv[16] = {
923 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
924 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
925 };
926
927 static const unsigned char aes_test_cfb128_pt[64] = {
928 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
929 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
930 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
931 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
932 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
933 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
934 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
935 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
936 };
937
938 static const unsigned char aes_test_cfb128_ct[3][64] = {
939 {
940 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
941 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
942 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
943 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
944 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
945 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
946 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
947 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6},
948 {
949 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
950 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
951 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
952 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
953 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
954 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
955 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
956 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF},
957 {
958 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
959 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
960 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
961 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
962 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
963 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
964 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
965 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71}
966 };
967
968 /*
969 * Checkup routine
970 */
971 int aes_self_test(int verbose)
972 {
973 int i, j, u, v, offset;
974 unsigned char key[32];
975 unsigned char buf[64];
976 unsigned char prv[16];
977 unsigned char iv[16];
978 aes_context ctx;
979
980 memset(key, 0, 32);
981
982 /*
983 * ECB mode
984 */
985 for (i = 0; i < 6; i++) {
986 u = i >> 1;
987 v = i & 1;
988
989 if (verbose != 0)
990 printf(" AES-ECB-%3d (%s): ", 128 + u * 64,
991 (v == AES_DECRYPT) ? "dec" : "enc");
992
993 memset(buf, 0, 16);
994
995 if (v == AES_DECRYPT) {
996 aes_setkey_dec(&ctx, key, 128 + u * 64);
997
998 for (j = 0; j < 10000; j++)
999 aes_crypt_ecb(&ctx, v, buf, buf);
1000
1001 if (memcmp(buf, aes_test_ecb_dec[u], 16) != 0) {
1002 if (verbose != 0)
1003 printf("failed\n");
1004
1005 return (1);
1006 }
1007 } else {
1008 aes_setkey_enc(&ctx, key, 128 + u * 64);
1009
1010 for (j = 0; j < 10000; j++)
1011 aes_crypt_ecb(&ctx, v, buf, buf);
1012
1013 if (memcmp(buf, aes_test_ecb_enc[u], 16) != 0) {
1014 if (verbose != 0)
1015 printf("failed\n");
1016
1017 return (1);
1018 }
1019 }
1020
1021 if (verbose != 0)
1022 printf("passed\n");
1023 }
1024
1025 if (verbose != 0)
1026 printf("\n");
1027
1028 /*
1029 * CBC mode
1030 */
1031 for (i = 0; i < 6; i++) {
1032 u = i >> 1;
1033 v = i & 1;
1034
1035 if (verbose != 0)
1036 printf(" AES-CBC-%3d (%s): ", 128 + u * 64,
1037 (v == AES_DECRYPT) ? "dec" : "enc");
1038
1039 memset(iv, 0, 16);
1040 memset(prv, 0, 16);
1041 memset(buf, 0, 16);
1042
1043 if (v == AES_DECRYPT) {
1044 aes_setkey_dec(&ctx, key, 128 + u * 64);
1045
1046 for (j = 0; j < 10000; j++)
1047 aes_crypt_cbc(&ctx, v, 16, iv, buf, buf);
1048
1049 if (memcmp(buf, aes_test_cbc_dec[u], 16) != 0) {
1050 if (verbose != 0)
1051 printf("failed\n");
1052
1053 return (1);
1054 }
1055 } else {
1056 aes_setkey_enc(&ctx, key, 128 + u * 64);
1057
1058 for (j = 0; j < 10000; j++) {
1059 unsigned char tmp[16];
1060
1061 aes_crypt_cbc(&ctx, v, 16, iv, buf, buf);
1062
1063 memcpy(tmp, prv, 16);
1064 memcpy(prv, buf, 16);
1065 memcpy(buf, tmp, 16);
1066 }
1067
1068 if (memcmp(prv, aes_test_cbc_enc[u], 16) != 0) {
1069 if (verbose != 0)
1070 printf("failed\n");
1071
1072 return (1);
1073 }
1074 }
1075
1076 if (verbose != 0)
1077 printf("passed\n");
1078 }
1079
1080 if (verbose != 0)
1081 printf("\n");
1082
1083 /*
1084 * CFB128 mode
1085 */
1086 for (i = 0; i < 6; i++) {
1087 u = i >> 1;
1088 v = i & 1;
1089
1090 if (verbose != 0)
1091 printf(" AES-CFB128-%3d (%s): ", 128 + u * 64,
1092 (v == AES_DECRYPT) ? "dec" : "enc");
1093
1094 memcpy(iv, aes_test_cfb128_iv, 16);
1095 memcpy(key, aes_test_cfb128_key[u], 16 + u * 8);
1096
1097 offset = 0;
1098 aes_setkey_enc(&ctx, key, 128 + u * 64);
1099
1100 if (v == AES_DECRYPT) {
1101 memcpy(buf, aes_test_cfb128_ct[u], 64);
1102 aes_crypt_cfb128(&ctx, v, 64, &offset, iv, buf, buf);
1103
1104 if (memcmp(buf, aes_test_cfb128_pt, 64) != 0) {
1105 if (verbose != 0)
1106 printf("failed\n");
1107
1108 return (1);
1109 }
1110 } else {
1111 memcpy(buf, aes_test_cfb128_pt, 64);
1112 aes_crypt_cfb128(&ctx, v, 64, &offset, iv, buf, buf);
1113
1114 if (memcmp(buf, aes_test_cfb128_ct[u], 64) != 0) {
1115 if (verbose != 0)
1116 printf("failed\n");
1117
1118 return (1);
1119 }
1120 }
1121
1122 if (verbose != 0)
1123 printf("passed\n");
1124 }
1125
1126 if (verbose != 0)
1127 printf("\n");
1128
1129 return (0);
1130 }
1131
1132 #endif
1133
1134 #endif
fork of last BSD polarssl