PolarSSL v1.2.8
aes.c
Go to the documentation of this file.
1 /*
2  * FIPS-197 compliant AES implementation
3  *
4  * Copyright (C) 2006-2013, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27  *
28  * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29  * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30  */
31 
32 #include "polarssl/config.h"
33 
34 #if defined(POLARSSL_AES_C)
35 
36 #include "polarssl/aes.h"
37 #if defined(POLARSSL_PADLOCK_C)
38 #include "polarssl/padlock.h"
39 #endif
40 
41 #if !defined(POLARSSL_AES_ALT)
42 
43 /*
44  * 32-bit integer manipulation macros (little endian)
45  */
46 #ifndef GET_UINT32_LE
47 #define GET_UINT32_LE(n,b,i) \
48 { \
49  (n) = ( (uint32_t) (b)[(i) ] ) \
50  | ( (uint32_t) (b)[(i) + 1] << 8 ) \
51  | ( (uint32_t) (b)[(i) + 2] << 16 ) \
52  | ( (uint32_t) (b)[(i) + 3] << 24 ); \
53 }
54 #endif
55 
56 #ifndef PUT_UINT32_LE
57 #define PUT_UINT32_LE(n,b,i) \
58 { \
59  (b)[(i) ] = (unsigned char) ( (n) ); \
60  (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
61  (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
62  (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
63 }
64 #endif
65 
66 #if defined(POLARSSL_PADLOCK_C) && \
67  ( defined(POLARSSL_HAVE_X86) || defined(PADLOCK_ALIGN16) )
68 static int aes_padlock_ace = -1;
69 #endif
70 
71 #if defined(POLARSSL_AES_ROM_TABLES)
72 /*
73  * Forward S-box
74  */
75 static const unsigned char FSb[256] =
76 {
77  0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
78  0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
79  0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
80  0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
81  0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
82  0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
83  0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
84  0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
85  0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
86  0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
87  0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
88  0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
89  0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
90  0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
91  0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
92  0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
93  0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
94  0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
95  0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
96  0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
97  0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
98  0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
99  0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
100  0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
101  0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
102  0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
103  0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
104  0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
105  0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
106  0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
107  0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
108  0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
109 };
110 
111 /*
112  * Forward tables
113  */
114 #define FT \
115 \
116  V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
117  V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
118  V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
119  V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
120  V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
121  V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
122  V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
123  V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
124  V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
125  V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
126  V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
127  V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
128  V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
129  V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
130  V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
131  V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
132  V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
133  V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
134  V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
135  V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
136  V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
137  V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
138  V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
139  V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
140  V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
141  V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
142  V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
143  V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
144  V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
145  V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
146  V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
147  V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
148  V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
149  V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
150  V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
151  V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
152  V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
153  V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
154  V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
155  V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
156  V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
157  V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
158  V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
159  V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
160  V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
161  V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
162  V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
163  V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
164  V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
165  V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
166  V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
167  V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
168  V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
169  V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
170  V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
171  V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
172  V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
173  V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
174  V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
175  V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
176  V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
177  V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
178  V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
179  V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
180 
181 #define V(a,b,c,d) 0x##a##b##c##d
182 static const uint32_t FT0[256] = { FT };
183 #undef V
184 
185 #define V(a,b,c,d) 0x##b##c##d##a
186 static const uint32_t FT1[256] = { FT };
187 #undef V
188 
189 #define V(a,b,c,d) 0x##c##d##a##b
190 static const uint32_t FT2[256] = { FT };
191 #undef V
192 
193 #define V(a,b,c,d) 0x##d##a##b##c
194 static const uint32_t FT3[256] = { FT };
195 #undef V
196 
197 #undef FT
198 
199 /*
200  * Reverse S-box
201  */
202 static const unsigned char RSb[256] =
203 {
204  0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
205  0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
206  0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
207  0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
208  0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
209  0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
210  0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
211  0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
212  0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
213  0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
214  0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
215  0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
216  0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
217  0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
218  0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
219  0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
220  0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
221  0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
222  0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
223  0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
224  0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
225  0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
226  0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
227  0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
228  0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
229  0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
230  0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
231  0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
232  0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
233  0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
234  0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
235  0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
236 };
237 
238 /*
239  * Reverse tables
240  */
241 #define RT \
242 \
243  V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
244  V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
245  V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
246  V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
247  V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
248  V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
249  V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
250  V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
251  V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
252  V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
253  V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
254  V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
255  V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
256  V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
257  V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
258  V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
259  V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
260  V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
261  V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
262  V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
263  V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
264  V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
265  V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
266  V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
267  V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
268  V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
269  V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
270  V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
271  V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
272  V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
273  V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
274  V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
275  V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
276  V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
277  V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
278  V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
279  V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
280  V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
281  V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
282  V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
283  V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
284  V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
285  V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
286  V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
287  V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
288  V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
289  V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
290  V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
291  V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
292  V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
293  V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
294  V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
295  V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
296  V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
297  V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
298  V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
299  V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
300  V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
301  V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
302  V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
303  V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
304  V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
305  V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
306  V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
307 
308 #define V(a,b,c,d) 0x##a##b##c##d
309 static const uint32_t RT0[256] = { RT };
310 #undef V
311 
312 #define V(a,b,c,d) 0x##b##c##d##a
313 static const uint32_t RT1[256] = { RT };
314 #undef V
315 
316 #define V(a,b,c,d) 0x##c##d##a##b
317 static const uint32_t RT2[256] = { RT };
318 #undef V
319 
320 #define V(a,b,c,d) 0x##d##a##b##c
321 static const uint32_t RT3[256] = { RT };
322 #undef V
323 
324 #undef RT
325 
326 /*
327  * Round constants
328  */
329 static const uint32_t RCON[10] =
330 {
331  0x00000001, 0x00000002, 0x00000004, 0x00000008,
332  0x00000010, 0x00000020, 0x00000040, 0x00000080,
333  0x0000001B, 0x00000036
334 };
335 
336 #else
337 
338 /*
339  * Forward S-box & tables
340  */
341 static unsigned char FSb[256];
342 static uint32_t FT0[256];
343 static uint32_t FT1[256];
344 static uint32_t FT2[256];
345 static uint32_t FT3[256];
346 
347 /*
348  * Reverse S-box & tables
349  */
350 static unsigned char RSb[256];
351 static uint32_t RT0[256];
352 static uint32_t RT1[256];
353 static uint32_t RT2[256];
354 static uint32_t RT3[256];
355 
356 /*
357  * Round constants
358  */
359 static uint32_t RCON[10];
360 
361 /*
362  * Tables generation code
363  */
364 #define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
365 #define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
366 #define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
367 
368 static int aes_init_done = 0;
369 
370 static void aes_gen_tables( void )
371 {
372  int i, x, y, z;
373  int pow[256];
374  int log[256];
375 
376  /*
377  * compute pow and log tables over GF(2^8)
378  */
379  for( i = 0, x = 1; i < 256; i++ )
380  {
381  pow[i] = x;
382  log[x] = i;
383  x = ( x ^ XTIME( x ) ) & 0xFF;
384  }
385 
386  /*
387  * calculate the round constants
388  */
389  for( i = 0, x = 1; i < 10; i++ )
390  {
391  RCON[i] = (uint32_t) x;
392  x = XTIME( x ) & 0xFF;
393  }
394 
395  /*
396  * generate the forward and reverse S-boxes
397  */
398  FSb[0x00] = 0x63;
399  RSb[0x63] = 0x00;
400 
401  for( i = 1; i < 256; i++ )
402  {
403  x = pow[255 - log[i]];
404 
405  y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
406  x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
407  x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
408  x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
409  x ^= y ^ 0x63;
410 
411  FSb[i] = (unsigned char) x;
412  RSb[x] = (unsigned char) i;
413  }
414 
415  /*
416  * generate the forward and reverse tables
417  */
418  for( i = 0; i < 256; i++ )
419  {
420  x = FSb[i];
421  y = XTIME( x ) & 0xFF;
422  z = ( y ^ x ) & 0xFF;
423 
424  FT0[i] = ( (uint32_t) y ) ^
425  ( (uint32_t) x << 8 ) ^
426  ( (uint32_t) x << 16 ) ^
427  ( (uint32_t) z << 24 );
428 
429  FT1[i] = ROTL8( FT0[i] );
430  FT2[i] = ROTL8( FT1[i] );
431  FT3[i] = ROTL8( FT2[i] );
432 
433  x = RSb[i];
434 
435  RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
436  ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
437  ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
438  ( (uint32_t) MUL( 0x0B, x ) << 24 );
439 
440  RT1[i] = ROTL8( RT0[i] );
441  RT2[i] = ROTL8( RT1[i] );
442  RT3[i] = ROTL8( RT2[i] );
443  }
444 }
445 
446 #endif
447 
448 /*
449  * AES key schedule (encryption)
450  */
451 int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
452 {
453  unsigned int i;
454  uint32_t *RK;
455 
456 #if !defined(POLARSSL_AES_ROM_TABLES)
457  if( aes_init_done == 0 )
458  {
459  aes_gen_tables();
460  aes_init_done = 1;
461 
462  }
463 #endif
464 
465  switch( keysize )
466  {
467  case 128: ctx->nr = 10; break;
468  case 192: ctx->nr = 12; break;
469  case 256: ctx->nr = 14; break;
470  default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
471  }
472 
473 #if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
474  if( aes_padlock_ace == -1 )
475  aes_padlock_ace = padlock_supports( PADLOCK_ACE );
476 
477  if( aes_padlock_ace )
478  ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
479  else
480 #endif
481  ctx->rk = RK = ctx->buf;
482 
483  for( i = 0; i < (keysize >> 5); i++ )
484  {
485  GET_UINT32_LE( RK[i], key, i << 2 );
486  }
487 
488  switch( ctx->nr )
489  {
490  case 10:
491 
492  for( i = 0; i < 10; i++, RK += 4 )
493  {
494  RK[4] = RK[0] ^ RCON[i] ^
495  ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
496  ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
497  ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
498  ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
499 
500  RK[5] = RK[1] ^ RK[4];
501  RK[6] = RK[2] ^ RK[5];
502  RK[7] = RK[3] ^ RK[6];
503  }
504  break;
505 
506  case 12:
507 
508  for( i = 0; i < 8; i++, RK += 6 )
509  {
510  RK[6] = RK[0] ^ RCON[i] ^
511  ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
512  ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
513  ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
514  ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
515 
516  RK[7] = RK[1] ^ RK[6];
517  RK[8] = RK[2] ^ RK[7];
518  RK[9] = RK[3] ^ RK[8];
519  RK[10] = RK[4] ^ RK[9];
520  RK[11] = RK[5] ^ RK[10];
521  }
522  break;
523 
524  case 14:
525 
526  for( i = 0; i < 7; i++, RK += 8 )
527  {
528  RK[8] = RK[0] ^ RCON[i] ^
529  ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
530  ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
531  ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
532  ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
533 
534  RK[9] = RK[1] ^ RK[8];
535  RK[10] = RK[2] ^ RK[9];
536  RK[11] = RK[3] ^ RK[10];
537 
538  RK[12] = RK[4] ^
539  ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
540  ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
541  ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
542  ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
543 
544  RK[13] = RK[5] ^ RK[12];
545  RK[14] = RK[6] ^ RK[13];
546  RK[15] = RK[7] ^ RK[14];
547  }
548  break;
549 
550  default:
551 
552  break;
553  }
554 
555  return( 0 );
556 }
557 
558 /*
559  * AES key schedule (decryption)
560  */
561 int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
562 {
563  int i, j;
564  aes_context cty;
565  uint32_t *RK;
566  uint32_t *SK;
567  int ret;
568 
569  switch( keysize )
570  {
571  case 128: ctx->nr = 10; break;
572  case 192: ctx->nr = 12; break;
573  case 256: ctx->nr = 14; break;
574  default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
575  }
576 
577 #if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
578  if( aes_padlock_ace == -1 )
579  aes_padlock_ace = padlock_supports( PADLOCK_ACE );
580 
581  if( aes_padlock_ace )
582  ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
583  else
584 #endif
585  ctx->rk = RK = ctx->buf;
586 
587  ret = aes_setkey_enc( &cty, key, keysize );
588  if( ret != 0 )
589  return( ret );
590 
591  SK = cty.rk + cty.nr * 4;
592 
593  *RK++ = *SK++;
594  *RK++ = *SK++;
595  *RK++ = *SK++;
596  *RK++ = *SK++;
597 
598  for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
599  {
600  for( j = 0; j < 4; j++, SK++ )
601  {
602  *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
603  RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
604  RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
605  RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
606  }
607  }
608 
609  *RK++ = *SK++;
610  *RK++ = *SK++;
611  *RK++ = *SK++;
612  *RK++ = *SK++;
613 
614  memset( &cty, 0, sizeof( aes_context ) );
615 
616  return( 0 );
617 }
618 
619 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
620 { \
621  X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
622  FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
623  FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
624  FT3[ ( Y3 >> 24 ) & 0xFF ]; \
625  \
626  X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
627  FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
628  FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
629  FT3[ ( Y0 >> 24 ) & 0xFF ]; \
630  \
631  X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
632  FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
633  FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
634  FT3[ ( Y1 >> 24 ) & 0xFF ]; \
635  \
636  X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
637  FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
638  FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
639  FT3[ ( Y2 >> 24 ) & 0xFF ]; \
640 }
641 
642 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
643 { \
644  X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
645  RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
646  RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
647  RT3[ ( Y1 >> 24 ) & 0xFF ]; \
648  \
649  X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
650  RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
651  RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
652  RT3[ ( Y2 >> 24 ) & 0xFF ]; \
653  \
654  X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
655  RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
656  RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
657  RT3[ ( Y3 >> 24 ) & 0xFF ]; \
658  \
659  X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
660  RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
661  RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
662  RT3[ ( Y0 >> 24 ) & 0xFF ]; \
663 }
664 
665 /*
666  * AES-ECB block encryption/decryption
667  */
668 int aes_crypt_ecb( aes_context *ctx,
669  int mode,
670  const unsigned char input[16],
671  unsigned char output[16] )
672 {
673  int i;
674  uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
675 
676 #if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
677  if( aes_padlock_ace )
678  {
679  if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
680  return( 0 );
681 
682  // If padlock data misaligned, we just fall back to
683  // unaccelerated mode
684  //
685  }
686 #endif
687 
688  RK = ctx->rk;
689 
690  GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
691  GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
692  GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
693  GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
694 
695  if( mode == AES_DECRYPT )
696  {
697  for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
698  {
699  AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
700  AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
701  }
702 
703  AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
704 
705  X0 = *RK++ ^ \
706  ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
707  ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
708  ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
709  ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
710 
711  X1 = *RK++ ^ \
712  ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
713  ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
714  ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
715  ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
716 
717  X2 = *RK++ ^ \
718  ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
719  ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
720  ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
721  ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
722 
723  X3 = *RK++ ^ \
724  ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
725  ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
726  ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
727  ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
728  }
729  else /* AES_ENCRYPT */
730  {
731  for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
732  {
733  AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
734  AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
735  }
736 
737  AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
738 
739  X0 = *RK++ ^ \
740  ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
741  ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
742  ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
743  ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
744 
745  X1 = *RK++ ^ \
746  ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
747  ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
748  ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
749  ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
750 
751  X2 = *RK++ ^ \
752  ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
753  ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
754  ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
755  ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
756 
757  X3 = *RK++ ^ \
758  ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
759  ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
760  ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
761  ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
762  }
763 
764  PUT_UINT32_LE( X0, output, 0 );
765  PUT_UINT32_LE( X1, output, 4 );
766  PUT_UINT32_LE( X2, output, 8 );
767  PUT_UINT32_LE( X3, output, 12 );
768 
769  return( 0 );
770 }
771 
772 /*
773  * AES-CBC buffer encryption/decryption
774  */
775 int aes_crypt_cbc( aes_context *ctx,
776  int mode,
777  size_t length,
778  unsigned char iv[16],
779  const unsigned char *input,
780  unsigned char *output )
781 {
782  int i;
783  unsigned char temp[16];
784 
785  if( length % 16 )
787 
788 #if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
789  if( aes_padlock_ace )
790  {
791  if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
792  return( 0 );
793 
794  // If padlock data misaligned, we just fall back to
795  // unaccelerated mode
796  //
797  }
798 #endif
799 
800  if( mode == AES_DECRYPT )
801  {
802  while( length > 0 )
803  {
804  memcpy( temp, input, 16 );
805  aes_crypt_ecb( ctx, mode, input, output );
806 
807  for( i = 0; i < 16; i++ )
808  output[i] = (unsigned char)( output[i] ^ iv[i] );
809 
810  memcpy( iv, temp, 16 );
811 
812  input += 16;
813  output += 16;
814  length -= 16;
815  }
816  }
817  else
818  {
819  while( length > 0 )
820  {
821  for( i = 0; i < 16; i++ )
822  output[i] = (unsigned char)( input[i] ^ iv[i] );
823 
824  aes_crypt_ecb( ctx, mode, output, output );
825  memcpy( iv, output, 16 );
826 
827  input += 16;
828  output += 16;
829  length -= 16;
830  }
831  }
832 
833  return( 0 );
834 }
835 
836 #if defined(POLARSSL_CIPHER_MODE_CFB)
837 /*
838  * AES-CFB128 buffer encryption/decryption
839  */
840 int aes_crypt_cfb128( aes_context *ctx,
841  int mode,
842  size_t length,
843  size_t *iv_off,
844  unsigned char iv[16],
845  const unsigned char *input,
846  unsigned char *output )
847 {
848  int c;
849  size_t n = *iv_off;
850 
851  if( mode == AES_DECRYPT )
852  {
853  while( length-- )
854  {
855  if( n == 0 )
856  aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
857 
858  c = *input++;
859  *output++ = (unsigned char)( c ^ iv[n] );
860  iv[n] = (unsigned char) c;
861 
862  n = (n + 1) & 0x0F;
863  }
864  }
865  else
866  {
867  while( length-- )
868  {
869  if( n == 0 )
870  aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
871 
872  iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
873 
874  n = (n + 1) & 0x0F;
875  }
876  }
877 
878  *iv_off = n;
879 
880  return( 0 );
881 }
882 #endif /*POLARSSL_CIPHER_MODE_CFB */
883 
884 #if defined(POLARSSL_CIPHER_MODE_CTR)
885 /*
886  * AES-CTR buffer encryption/decryption
887  */
888 int aes_crypt_ctr( aes_context *ctx,
889  size_t length,
890  size_t *nc_off,
891  unsigned char nonce_counter[16],
892  unsigned char stream_block[16],
893  const unsigned char *input,
894  unsigned char *output )
895 {
896  int c, i;
897  size_t n = *nc_off;
898 
899  while( length-- )
900  {
901  if( n == 0 ) {
902  aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
903 
904  for( i = 16; i > 0; i-- )
905  if( ++nonce_counter[i - 1] != 0 )
906  break;
907  }
908  c = *input++;
909  *output++ = (unsigned char)( c ^ stream_block[n] );
910 
911  n = (n + 1) & 0x0F;
912  }
913 
914  *nc_off = n;
915 
916  return( 0 );
917 }
918 #endif /* POLARSSL_CIPHER_MODE_CTR */
919 #endif /* !POLARSSL_AES_ALT */
920 
921 #if defined(POLARSSL_SELF_TEST)
922 
923 #include <stdio.h>
924 
925 /*
926  * AES test vectors from:
927  *
928  * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
929  */
930 static const unsigned char aes_test_ecb_dec[3][16] =
931 {
932  { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
933  0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
934  { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
935  0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
936  { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
937  0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
938 };
939 
940 static const unsigned char aes_test_ecb_enc[3][16] =
941 {
942  { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
943  0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
944  { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
945  0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
946  { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
947  0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
948 };
949 
950 static const unsigned char aes_test_cbc_dec[3][16] =
951 {
952  { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
953  0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
954  { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
955  0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
956  { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
957  0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
958 };
959 
960 static const unsigned char aes_test_cbc_enc[3][16] =
961 {
962  { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
963  0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
964  { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
965  0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
966  { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
967  0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
968 };
969 
970 #if defined(POLARSSL_CIPHER_MODE_CFB)
971 /*
972  * AES-CFB128 test vectors from:
973  *
974  * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
975  */
976 static const unsigned char aes_test_cfb128_key[3][32] =
977 {
978  { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
979  0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
980  { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
981  0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
982  0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
983  { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
984  0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
985  0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
986  0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
987 };
988 
989 static const unsigned char aes_test_cfb128_iv[16] =
990 {
991  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
992  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
993 };
994 
995 static const unsigned char aes_test_cfb128_pt[64] =
996 {
997  0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
998  0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
999  0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1000  0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1001  0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1002  0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1003  0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1004  0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1005 };
1006 
1007 static const unsigned char aes_test_cfb128_ct[3][64] =
1008 {
1009  { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1010  0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1011  0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1012  0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1013  0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1014  0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1015  0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1016  0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1017  { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1018  0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1019  0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1020  0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1021  0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1022  0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1023  0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1024  0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1025  { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1026  0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1027  0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1028  0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1029  0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1030  0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1031  0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1032  0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1033 };
1034 #endif /* POLARSSL_CIPHER_MODE_CFB */
1035 
1036 #if defined(POLARSSL_CIPHER_MODE_CTR)
1037 /*
1038  * AES-CTR test vectors from:
1039  *
1040  * http://www.faqs.org/rfcs/rfc3686.html
1041  */
1042 
1043 static const unsigned char aes_test_ctr_key[3][16] =
1044 {
1045  { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1046  0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1047  { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1048  0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1049  { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1050  0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1051 };
1052 
1053 static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1054 {
1055  { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1056  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1057  { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1058  0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1059  { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1060  0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1061 };
1062 
1063 static const unsigned char aes_test_ctr_pt[3][48] =
1064 {
1065  { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1066  0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1067 
1068  { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1069  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1070  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1071  0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1072 
1073  { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1074  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1075  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1076  0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1077  0x20, 0x21, 0x22, 0x23 }
1078 };
1079 
1080 static const unsigned char aes_test_ctr_ct[3][48] =
1081 {
1082  { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1083  0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1084  { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1085  0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1086  0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1087  0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1088  { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1089  0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1090  0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1091  0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1092  0x25, 0xB2, 0x07, 0x2F }
1093 };
1094 
1095 static const int aes_test_ctr_len[3] =
1096  { 16, 32, 36 };
1097 #endif /* POLARSSL_CIPHER_MODE_CTR */
1098 
1099 /*
1100  * Checkup routine
1101  */
1102 int aes_self_test( int verbose )
1103 {
1104  int i, j, u, v;
1105  unsigned char key[32];
1106  unsigned char buf[64];
1107  unsigned char prv[16];
1108  unsigned char iv[16];
1109 #if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
1110  size_t offset;
1111 #endif
1112 #if defined(POLARSSL_CIPHER_MODE_CTR)
1113  int len;
1114  unsigned char nonce_counter[16];
1115  unsigned char stream_block[16];
1116 #endif
1117  aes_context ctx;
1118 
1119  memset( key, 0, 32 );
1120 
1121  /*
1122  * ECB mode
1123  */
1124  for( i = 0; i < 6; i++ )
1125  {
1126  u = i >> 1;
1127  v = i & 1;
1128 
1129  if( verbose != 0 )
1130  printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1131  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1132 
1133  memset( buf, 0, 16 );
1134 
1135  if( v == AES_DECRYPT )
1136  {
1137  aes_setkey_dec( &ctx, key, 128 + u * 64 );
1138 
1139  for( j = 0; j < 10000; j++ )
1140  aes_crypt_ecb( &ctx, v, buf, buf );
1141 
1142  if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1143  {
1144  if( verbose != 0 )
1145  printf( "failed\n" );
1146 
1147  return( 1 );
1148  }
1149  }
1150  else
1151  {
1152  aes_setkey_enc( &ctx, key, 128 + u * 64 );
1153 
1154  for( j = 0; j < 10000; j++ )
1155  aes_crypt_ecb( &ctx, v, buf, buf );
1156 
1157  if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1158  {
1159  if( verbose != 0 )
1160  printf( "failed\n" );
1161 
1162  return( 1 );
1163  }
1164  }
1165 
1166  if( verbose != 0 )
1167  printf( "passed\n" );
1168  }
1169 
1170  if( verbose != 0 )
1171  printf( "\n" );
1172 
1173  /*
1174  * CBC mode
1175  */
1176  for( i = 0; i < 6; i++ )
1177  {
1178  u = i >> 1;
1179  v = i & 1;
1180 
1181  if( verbose != 0 )
1182  printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1183  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1184 
1185  memset( iv , 0, 16 );
1186  memset( prv, 0, 16 );
1187  memset( buf, 0, 16 );
1188 
1189  if( v == AES_DECRYPT )
1190  {
1191  aes_setkey_dec( &ctx, key, 128 + u * 64 );
1192 
1193  for( j = 0; j < 10000; j++ )
1194  aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1195 
1196  if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1197  {
1198  if( verbose != 0 )
1199  printf( "failed\n" );
1200 
1201  return( 1 );
1202  }
1203  }
1204  else
1205  {
1206  aes_setkey_enc( &ctx, key, 128 + u * 64 );
1207 
1208  for( j = 0; j < 10000; j++ )
1209  {
1210  unsigned char tmp[16];
1211 
1212  aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1213 
1214  memcpy( tmp, prv, 16 );
1215  memcpy( prv, buf, 16 );
1216  memcpy( buf, tmp, 16 );
1217  }
1218 
1219  if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1220  {
1221  if( verbose != 0 )
1222  printf( "failed\n" );
1223 
1224  return( 1 );
1225  }
1226  }
1227 
1228  if( verbose != 0 )
1229  printf( "passed\n" );
1230  }
1231 
1232  if( verbose != 0 )
1233  printf( "\n" );
1234 
1235 #if defined(POLARSSL_CIPHER_MODE_CFB)
1236  /*
1237  * CFB128 mode
1238  */
1239  for( i = 0; i < 6; i++ )
1240  {
1241  u = i >> 1;
1242  v = i & 1;
1243 
1244  if( verbose != 0 )
1245  printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1246  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1247 
1248  memcpy( iv, aes_test_cfb128_iv, 16 );
1249  memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1250 
1251  offset = 0;
1252  aes_setkey_enc( &ctx, key, 128 + u * 64 );
1253 
1254  if( v == AES_DECRYPT )
1255  {
1256  memcpy( buf, aes_test_cfb128_ct[u], 64 );
1257  aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1258 
1259  if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1260  {
1261  if( verbose != 0 )
1262  printf( "failed\n" );
1263 
1264  return( 1 );
1265  }
1266  }
1267  else
1268  {
1269  memcpy( buf, aes_test_cfb128_pt, 64 );
1270  aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1271 
1272  if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1273  {
1274  if( verbose != 0 )
1275  printf( "failed\n" );
1276 
1277  return( 1 );
1278  }
1279  }
1280 
1281  if( verbose != 0 )
1282  printf( "passed\n" );
1283  }
1284 
1285  if( verbose != 0 )
1286  printf( "\n" );
1287 #endif /* POLARSSL_CIPHER_MODE_CFB */
1288 
1289 #if defined(POLARSSL_CIPHER_MODE_CTR)
1290  /*
1291  * CTR mode
1292  */
1293  for( i = 0; i < 6; i++ )
1294  {
1295  u = i >> 1;
1296  v = i & 1;
1297 
1298  if( verbose != 0 )
1299  printf( " AES-CTR-128 (%s): ",
1300  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1301 
1302  memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1303  memcpy( key, aes_test_ctr_key[u], 16 );
1304 
1305  offset = 0;
1306  aes_setkey_enc( &ctx, key, 128 );
1307 
1308  if( v == AES_DECRYPT )
1309  {
1310  len = aes_test_ctr_len[u];
1311  memcpy( buf, aes_test_ctr_ct[u], len );
1312 
1313  aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1314 
1315  if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1316  {
1317  if( verbose != 0 )
1318  printf( "failed\n" );
1319 
1320  return( 1 );
1321  }
1322  }
1323  else
1324  {
1325  len = aes_test_ctr_len[u];
1326  memcpy( buf, aes_test_ctr_pt[u], len );
1327 
1328  aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1329 
1330  if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1331  {
1332  if( verbose != 0 )
1333  printf( "failed\n" );
1334 
1335  return( 1 );
1336  }
1337  }
1338 
1339  if( verbose != 0 )
1340  printf( "passed\n" );
1341  }
1342 
1343  if( verbose != 0 )
1344  printf( "\n" );
1345 #endif /* POLARSSL_CIPHER_MODE_CTR */
1346 
1347  return( 0 );
1348 }
1349 
1350 #endif
1351 
1352 #endif