PolarSSL v1.2.12
aes.c
Go to the documentation of this file.
1 /*
2  * FIPS-197 compliant AES implementation
3  *
4  * Copyright (C) 2006-2013, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27  *
28  * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29  * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30  */
31 
32 #include "polarssl/config.h"
33 
34 #if defined(POLARSSL_AES_C)
35 
36 #include "polarssl/aes.h"
37 #if defined(POLARSSL_PADLOCK_C)
38 #include "polarssl/padlock.h"
39 #endif
40 
41 #if !defined(POLARSSL_AES_ALT)
42 
43 /* Implementation that should never be optimized out by the compiler */
44 static void polarssl_zeroize( void *v, size_t n ) {
45  volatile unsigned char *p = v; while( n-- ) *p++ = 0;
46 }
47 
48 /*
49  * 32-bit integer manipulation macros (little endian)
50  */
51 #ifndef GET_UINT32_LE
52 #define GET_UINT32_LE(n,b,i) \
53 { \
54  (n) = ( (uint32_t) (b)[(i) ] ) \
55  | ( (uint32_t) (b)[(i) + 1] << 8 ) \
56  | ( (uint32_t) (b)[(i) + 2] << 16 ) \
57  | ( (uint32_t) (b)[(i) + 3] << 24 ); \
58 }
59 #endif
60 
61 #ifndef PUT_UINT32_LE
62 #define PUT_UINT32_LE(n,b,i) \
63 { \
64  (b)[(i) ] = (unsigned char) ( (n) ); \
65  (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
66  (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
67  (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
68 }
69 #endif
70 
71 #if defined(POLARSSL_PADLOCK_C) && \
72  ( defined(POLARSSL_HAVE_X86) || defined(PADLOCK_ALIGN16) )
73 static int aes_padlock_ace = -1;
74 #endif
75 
76 #if defined(POLARSSL_AES_ROM_TABLES)
77 /*
78  * Forward S-box
79  */
80 static const unsigned char FSb[256] =
81 {
82  0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
83  0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
84  0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
85  0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
86  0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
87  0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
88  0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
89  0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
90  0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
91  0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
92  0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
93  0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
94  0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
95  0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
96  0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
97  0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
98  0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
99  0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
100  0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
101  0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
102  0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
103  0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
104  0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
105  0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
106  0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
107  0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
108  0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
109  0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
110  0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
111  0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
112  0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
113  0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
114 };
115 
116 /*
117  * Forward tables
118  */
119 #define FT \
120 \
121  V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
122  V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
123  V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
124  V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
125  V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
126  V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
127  V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
128  V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
129  V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
130  V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
131  V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
132  V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
133  V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
134  V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
135  V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
136  V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
137  V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
138  V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
139  V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
140  V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
141  V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
142  V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
143  V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
144  V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
145  V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
146  V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
147  V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
148  V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
149  V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
150  V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
151  V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
152  V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
153  V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
154  V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
155  V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
156  V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
157  V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
158  V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
159  V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
160  V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
161  V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
162  V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
163  V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
164  V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
165  V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
166  V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
167  V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
168  V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
169  V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
170  V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
171  V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
172  V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
173  V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
174  V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
175  V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
176  V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
177  V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
178  V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
179  V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
180  V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
181  V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
182  V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
183  V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
184  V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
185 
186 #define V(a,b,c,d) 0x##a##b##c##d
187 static const uint32_t FT0[256] = { FT };
188 #undef V
189 
190 #define V(a,b,c,d) 0x##b##c##d##a
191 static const uint32_t FT1[256] = { FT };
192 #undef V
193 
194 #define V(a,b,c,d) 0x##c##d##a##b
195 static const uint32_t FT2[256] = { FT };
196 #undef V
197 
198 #define V(a,b,c,d) 0x##d##a##b##c
199 static const uint32_t FT3[256] = { FT };
200 #undef V
201 
202 #undef FT
203 
204 /*
205  * Reverse S-box
206  */
207 static const unsigned char RSb[256] =
208 {
209  0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
210  0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
211  0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
212  0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
213  0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
214  0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
215  0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
216  0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
217  0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
218  0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
219  0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
220  0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
221  0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
222  0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
223  0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
224  0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
225  0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
226  0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
227  0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
228  0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
229  0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
230  0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
231  0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
232  0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
233  0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
234  0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
235  0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
236  0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
237  0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
238  0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
239  0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
240  0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
241 };
242 
243 /*
244  * Reverse tables
245  */
246 #define RT \
247 \
248  V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
249  V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
250  V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
251  V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
252  V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
253  V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
254  V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
255  V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
256  V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
257  V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
258  V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
259  V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
260  V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
261  V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
262  V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
263  V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
264  V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
265  V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
266  V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
267  V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
268  V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
269  V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
270  V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
271  V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
272  V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
273  V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
274  V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
275  V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
276  V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
277  V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
278  V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
279  V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
280  V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
281  V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
282  V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
283  V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
284  V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
285  V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
286  V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
287  V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
288  V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
289  V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
290  V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
291  V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
292  V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
293  V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
294  V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
295  V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
296  V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
297  V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
298  V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
299  V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
300  V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
301  V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
302  V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
303  V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
304  V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
305  V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
306  V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
307  V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
308  V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
309  V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
310  V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
311  V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
312 
313 #define V(a,b,c,d) 0x##a##b##c##d
314 static const uint32_t RT0[256] = { RT };
315 #undef V
316 
317 #define V(a,b,c,d) 0x##b##c##d##a
318 static const uint32_t RT1[256] = { RT };
319 #undef V
320 
321 #define V(a,b,c,d) 0x##c##d##a##b
322 static const uint32_t RT2[256] = { RT };
323 #undef V
324 
325 #define V(a,b,c,d) 0x##d##a##b##c
326 static const uint32_t RT3[256] = { RT };
327 #undef V
328 
329 #undef RT
330 
331 /*
332  * Round constants
333  */
334 static const uint32_t RCON[10] =
335 {
336  0x00000001, 0x00000002, 0x00000004, 0x00000008,
337  0x00000010, 0x00000020, 0x00000040, 0x00000080,
338  0x0000001B, 0x00000036
339 };
340 
341 #else
342 
343 /*
344  * Forward S-box & tables
345  */
346 static unsigned char FSb[256];
347 static uint32_t FT0[256];
348 static uint32_t FT1[256];
349 static uint32_t FT2[256];
350 static uint32_t FT3[256];
351 
352 /*
353  * Reverse S-box & tables
354  */
355 static unsigned char RSb[256];
356 static uint32_t RT0[256];
357 static uint32_t RT1[256];
358 static uint32_t RT2[256];
359 static uint32_t RT3[256];
360 
361 /*
362  * Round constants
363  */
364 static uint32_t RCON[10];
365 
366 /*
367  * Tables generation code
368  */
369 #define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
370 #define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
371 #define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
372 
373 static int aes_init_done = 0;
374 
375 static void aes_gen_tables( void )
376 {
377  int i, x, y, z;
378  int pow[256];
379  int log[256];
380 
381  /*
382  * compute pow and log tables over GF(2^8)
383  */
384  for( i = 0, x = 1; i < 256; i++ )
385  {
386  pow[i] = x;
387  log[x] = i;
388  x = ( x ^ XTIME( x ) ) & 0xFF;
389  }
390 
391  /*
392  * calculate the round constants
393  */
394  for( i = 0, x = 1; i < 10; i++ )
395  {
396  RCON[i] = (uint32_t) x;
397  x = XTIME( x ) & 0xFF;
398  }
399 
400  /*
401  * generate the forward and reverse S-boxes
402  */
403  FSb[0x00] = 0x63;
404  RSb[0x63] = 0x00;
405 
406  for( i = 1; i < 256; i++ )
407  {
408  x = pow[255 - log[i]];
409 
410  y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
411  x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
412  x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
413  x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
414  x ^= y ^ 0x63;
415 
416  FSb[i] = (unsigned char) x;
417  RSb[x] = (unsigned char) i;
418  }
419 
420  /*
421  * generate the forward and reverse tables
422  */
423  for( i = 0; i < 256; i++ )
424  {
425  x = FSb[i];
426  y = XTIME( x ) & 0xFF;
427  z = ( y ^ x ) & 0xFF;
428 
429  FT0[i] = ( (uint32_t) y ) ^
430  ( (uint32_t) x << 8 ) ^
431  ( (uint32_t) x << 16 ) ^
432  ( (uint32_t) z << 24 );
433 
434  FT1[i] = ROTL8( FT0[i] );
435  FT2[i] = ROTL8( FT1[i] );
436  FT3[i] = ROTL8( FT2[i] );
437 
438  x = RSb[i];
439 
440  RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
441  ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
442  ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
443  ( (uint32_t) MUL( 0x0B, x ) << 24 );
444 
445  RT1[i] = ROTL8( RT0[i] );
446  RT2[i] = ROTL8( RT1[i] );
447  RT3[i] = ROTL8( RT2[i] );
448  }
449 }
450 
451 #endif
452 
453 /*
454  * AES key schedule (encryption)
455  */
456 int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
457 {
458  unsigned int i;
459  uint32_t *RK;
460 
461 #if !defined(POLARSSL_AES_ROM_TABLES)
462  if( aes_init_done == 0 )
463  {
464  aes_gen_tables();
465  aes_init_done = 1;
466 
467  }
468 #endif
469 
470  switch( keysize )
471  {
472  case 128: ctx->nr = 10; break;
473  case 192: ctx->nr = 12; break;
474  case 256: ctx->nr = 14; break;
475  default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
476  }
477 
478 #if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
479  if( aes_padlock_ace == -1 )
480  aes_padlock_ace = padlock_supports( PADLOCK_ACE );
481 
482  if( aes_padlock_ace )
483  ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
484  else
485 #endif
486  ctx->rk = RK = ctx->buf;
487 
488  for( i = 0; i < (keysize >> 5); i++ )
489  {
490  GET_UINT32_LE( RK[i], key, i << 2 );
491  }
492 
493  switch( ctx->nr )
494  {
495  case 10:
496 
497  for( i = 0; i < 10; i++, RK += 4 )
498  {
499  RK[4] = RK[0] ^ RCON[i] ^
500  ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
501  ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
502  ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
503  ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
504 
505  RK[5] = RK[1] ^ RK[4];
506  RK[6] = RK[2] ^ RK[5];
507  RK[7] = RK[3] ^ RK[6];
508  }
509  break;
510 
511  case 12:
512 
513  for( i = 0; i < 8; i++, RK += 6 )
514  {
515  RK[6] = RK[0] ^ RCON[i] ^
516  ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
517  ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
518  ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
519  ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
520 
521  RK[7] = RK[1] ^ RK[6];
522  RK[8] = RK[2] ^ RK[7];
523  RK[9] = RK[3] ^ RK[8];
524  RK[10] = RK[4] ^ RK[9];
525  RK[11] = RK[5] ^ RK[10];
526  }
527  break;
528 
529  case 14:
530 
531  for( i = 0; i < 7; i++, RK += 8 )
532  {
533  RK[8] = RK[0] ^ RCON[i] ^
534  ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
535  ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
536  ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
537  ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
538 
539  RK[9] = RK[1] ^ RK[8];
540  RK[10] = RK[2] ^ RK[9];
541  RK[11] = RK[3] ^ RK[10];
542 
543  RK[12] = RK[4] ^
544  ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
545  ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
546  ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
547  ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
548 
549  RK[13] = RK[5] ^ RK[12];
550  RK[14] = RK[6] ^ RK[13];
551  RK[15] = RK[7] ^ RK[14];
552  }
553  break;
554 
555  default:
556 
557  break;
558  }
559 
560  return( 0 );
561 }
562 
563 /*
564  * AES key schedule (decryption)
565  */
566 int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
567 {
568  int i, j;
569  aes_context cty;
570  uint32_t *RK;
571  uint32_t *SK;
572  int ret;
573 
574  switch( keysize )
575  {
576  case 128: ctx->nr = 10; break;
577  case 192: ctx->nr = 12; break;
578  case 256: ctx->nr = 14; break;
579  default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
580  }
581 
582 #if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
583  if( aes_padlock_ace == -1 )
584  aes_padlock_ace = padlock_supports( PADLOCK_ACE );
585 
586  if( aes_padlock_ace )
587  ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
588  else
589 #endif
590  ctx->rk = RK = ctx->buf;
591 
592  ret = aes_setkey_enc( &cty, key, keysize );
593  if( ret != 0 )
594  return( ret );
595 
596  SK = cty.rk + cty.nr * 4;
597 
598  *RK++ = *SK++;
599  *RK++ = *SK++;
600  *RK++ = *SK++;
601  *RK++ = *SK++;
602 
603  for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
604  {
605  for( j = 0; j < 4; j++, SK++ )
606  {
607  *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
608  RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
609  RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
610  RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
611  }
612  }
613 
614  *RK++ = *SK++;
615  *RK++ = *SK++;
616  *RK++ = *SK++;
617  *RK++ = *SK++;
618 
619  polarssl_zeroize( &cty, sizeof( aes_context ) );
620 
621  return( 0 );
622 }
623 
624 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
625 { \
626  X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
627  FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
628  FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
629  FT3[ ( Y3 >> 24 ) & 0xFF ]; \
630  \
631  X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
632  FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
633  FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
634  FT3[ ( Y0 >> 24 ) & 0xFF ]; \
635  \
636  X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
637  FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
638  FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
639  FT3[ ( Y1 >> 24 ) & 0xFF ]; \
640  \
641  X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
642  FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
643  FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
644  FT3[ ( Y2 >> 24 ) & 0xFF ]; \
645 }
646 
647 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
648 { \
649  X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
650  RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
651  RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
652  RT3[ ( Y1 >> 24 ) & 0xFF ]; \
653  \
654  X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
655  RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
656  RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
657  RT3[ ( Y2 >> 24 ) & 0xFF ]; \
658  \
659  X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
660  RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
661  RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
662  RT3[ ( Y3 >> 24 ) & 0xFF ]; \
663  \
664  X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
665  RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
666  RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
667  RT3[ ( Y0 >> 24 ) & 0xFF ]; \
668 }
669 
670 /*
671  * AES-ECB block encryption/decryption
672  */
673 int aes_crypt_ecb( aes_context *ctx,
674  int mode,
675  const unsigned char input[16],
676  unsigned char output[16] )
677 {
678  int i;
679  uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
680 
681 #if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
682  if( aes_padlock_ace )
683  {
684  if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
685  return( 0 );
686 
687  // If padlock data misaligned, we just fall back to
688  // unaccelerated mode
689  //
690  }
691 #endif
692 
693  RK = ctx->rk;
694 
695  GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
696  GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
697  GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
698  GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
699 
700  if( mode == AES_DECRYPT )
701  {
702  for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
703  {
704  AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
705  AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
706  }
707 
708  AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
709 
710  X0 = *RK++ ^ \
711  ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
712  ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
713  ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
714  ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
715 
716  X1 = *RK++ ^ \
717  ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
718  ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
719  ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
720  ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
721 
722  X2 = *RK++ ^ \
723  ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
724  ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
725  ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
726  ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
727 
728  X3 = *RK++ ^ \
729  ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
730  ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
731  ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
732  ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
733  }
734  else /* AES_ENCRYPT */
735  {
736  for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
737  {
738  AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
739  AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
740  }
741 
742  AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
743 
744  X0 = *RK++ ^ \
745  ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
746  ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
747  ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
748  ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
749 
750  X1 = *RK++ ^ \
751  ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
752  ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
753  ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
754  ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
755 
756  X2 = *RK++ ^ \
757  ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
758  ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
759  ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
760  ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
761 
762  X3 = *RK++ ^ \
763  ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
764  ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
765  ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
766  ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
767  }
768 
769  PUT_UINT32_LE( X0, output, 0 );
770  PUT_UINT32_LE( X1, output, 4 );
771  PUT_UINT32_LE( X2, output, 8 );
772  PUT_UINT32_LE( X3, output, 12 );
773 
774  return( 0 );
775 }
776 
777 /*
778  * AES-CBC buffer encryption/decryption
779  */
780 int aes_crypt_cbc( aes_context *ctx,
781  int mode,
782  size_t length,
783  unsigned char iv[16],
784  const unsigned char *input,
785  unsigned char *output )
786 {
787  int i;
788  unsigned char temp[16];
789 
790  if( length % 16 )
792 
793 #if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
794  if( aes_padlock_ace )
795  {
796  if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
797  return( 0 );
798 
799  // If padlock data misaligned, we just fall back to
800  // unaccelerated mode
801  //
802  }
803 #endif
804 
805  if( mode == AES_DECRYPT )
806  {
807  while( length > 0 )
808  {
809  memcpy( temp, input, 16 );
810  aes_crypt_ecb( ctx, mode, input, output );
811 
812  for( i = 0; i < 16; i++ )
813  output[i] = (unsigned char)( output[i] ^ iv[i] );
814 
815  memcpy( iv, temp, 16 );
816 
817  input += 16;
818  output += 16;
819  length -= 16;
820  }
821  }
822  else
823  {
824  while( length > 0 )
825  {
826  for( i = 0; i < 16; i++ )
827  output[i] = (unsigned char)( input[i] ^ iv[i] );
828 
829  aes_crypt_ecb( ctx, mode, output, output );
830  memcpy( iv, output, 16 );
831 
832  input += 16;
833  output += 16;
834  length -= 16;
835  }
836  }
837 
838  return( 0 );
839 }
840 
841 #if defined(POLARSSL_CIPHER_MODE_CFB)
842 /*
843  * AES-CFB128 buffer encryption/decryption
844  */
845 int aes_crypt_cfb128( aes_context *ctx,
846  int mode,
847  size_t length,
848  size_t *iv_off,
849  unsigned char iv[16],
850  const unsigned char *input,
851  unsigned char *output )
852 {
853  int c;
854  size_t n = *iv_off;
855 
856  if( mode == AES_DECRYPT )
857  {
858  while( length-- )
859  {
860  if( n == 0 )
861  aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
862 
863  c = *input++;
864  *output++ = (unsigned char)( c ^ iv[n] );
865  iv[n] = (unsigned char) c;
866 
867  n = (n + 1) & 0x0F;
868  }
869  }
870  else
871  {
872  while( length-- )
873  {
874  if( n == 0 )
875  aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
876 
877  iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
878 
879  n = (n + 1) & 0x0F;
880  }
881  }
882 
883  *iv_off = n;
884 
885  return( 0 );
886 }
887 #endif /*POLARSSL_CIPHER_MODE_CFB */
888 
889 #if defined(POLARSSL_CIPHER_MODE_CTR)
890 /*
891  * AES-CTR buffer encryption/decryption
892  */
893 int aes_crypt_ctr( aes_context *ctx,
894  size_t length,
895  size_t *nc_off,
896  unsigned char nonce_counter[16],
897  unsigned char stream_block[16],
898  const unsigned char *input,
899  unsigned char *output )
900 {
901  int c, i;
902  size_t n = *nc_off;
903 
904  while( length-- )
905  {
906  if( n == 0 ) {
907  aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
908 
909  for( i = 16; i > 0; i-- )
910  if( ++nonce_counter[i - 1] != 0 )
911  break;
912  }
913  c = *input++;
914  *output++ = (unsigned char)( c ^ stream_block[n] );
915 
916  n = (n + 1) & 0x0F;
917  }
918 
919  *nc_off = n;
920 
921  return( 0 );
922 }
923 #endif /* POLARSSL_CIPHER_MODE_CTR */
924 #endif /* !POLARSSL_AES_ALT */
925 
926 #if defined(POLARSSL_SELF_TEST)
927 
928 #include <stdio.h>
929 
930 /*
931  * AES test vectors from:
932  *
933  * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
934  */
935 static const unsigned char aes_test_ecb_dec[3][16] =
936 {
937  { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
938  0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
939  { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
940  0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
941  { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
942  0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
943 };
944 
945 static const unsigned char aes_test_ecb_enc[3][16] =
946 {
947  { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
948  0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
949  { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
950  0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
951  { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
952  0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
953 };
954 
955 static const unsigned char aes_test_cbc_dec[3][16] =
956 {
957  { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
958  0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
959  { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
960  0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
961  { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
962  0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
963 };
964 
965 static const unsigned char aes_test_cbc_enc[3][16] =
966 {
967  { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
968  0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
969  { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
970  0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
971  { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
972  0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
973 };
974 
975 #if defined(POLARSSL_CIPHER_MODE_CFB)
976 /*
977  * AES-CFB128 test vectors from:
978  *
979  * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
980  */
981 static const unsigned char aes_test_cfb128_key[3][32] =
982 {
983  { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
984  0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
985  { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
986  0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
987  0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
988  { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
989  0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
990  0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
991  0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
992 };
993 
994 static const unsigned char aes_test_cfb128_iv[16] =
995 {
996  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
997  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
998 };
999 
1000 static const unsigned char aes_test_cfb128_pt[64] =
1001 {
1002  0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1003  0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1004  0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1005  0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1006  0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1007  0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1008  0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1009  0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1010 };
1011 
1012 static const unsigned char aes_test_cfb128_ct[3][64] =
1013 {
1014  { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1015  0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1016  0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1017  0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1018  0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1019  0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1020  0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1021  0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1022  { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1023  0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1024  0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1025  0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1026  0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1027  0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1028  0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1029  0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1030  { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1031  0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1032  0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1033  0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1034  0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1035  0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1036  0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1037  0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1038 };
1039 #endif /* POLARSSL_CIPHER_MODE_CFB */
1040 
1041 #if defined(POLARSSL_CIPHER_MODE_CTR)
1042 /*
1043  * AES-CTR test vectors from:
1044  *
1045  * http://www.faqs.org/rfcs/rfc3686.html
1046  */
1047 
1048 static const unsigned char aes_test_ctr_key[3][16] =
1049 {
1050  { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1051  0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1052  { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1053  0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1054  { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1055  0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1056 };
1057 
1058 static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1059 {
1060  { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1061  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1062  { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1063  0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1064  { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1065  0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1066 };
1067 
1068 static const unsigned char aes_test_ctr_pt[3][48] =
1069 {
1070  { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1071  0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1072 
1073  { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1074  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1075  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1076  0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1077 
1078  { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1079  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1080  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1081  0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1082  0x20, 0x21, 0x22, 0x23 }
1083 };
1084 
1085 static const unsigned char aes_test_ctr_ct[3][48] =
1086 {
1087  { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1088  0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1089  { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1090  0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1091  0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1092  0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1093  { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1094  0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1095  0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1096  0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1097  0x25, 0xB2, 0x07, 0x2F }
1098 };
1099 
1100 static const int aes_test_ctr_len[3] =
1101  { 16, 32, 36 };
1102 #endif /* POLARSSL_CIPHER_MODE_CTR */
1103 
1104 /*
1105  * Checkup routine
1106  */
1107 int aes_self_test( int verbose )
1108 {
1109  int i, j, u, v;
1110  unsigned char key[32];
1111  unsigned char buf[64];
1112  unsigned char prv[16];
1113  unsigned char iv[16];
1114 #if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
1115  size_t offset;
1116 #endif
1117 #if defined(POLARSSL_CIPHER_MODE_CTR)
1118  int len;
1119  unsigned char nonce_counter[16];
1120  unsigned char stream_block[16];
1121 #endif
1122  aes_context ctx;
1123 
1124  memset( key, 0, 32 );
1125 
1126  /*
1127  * ECB mode
1128  */
1129  for( i = 0; i < 6; i++ )
1130  {
1131  u = i >> 1;
1132  v = i & 1;
1133 
1134  if( verbose != 0 )
1135  printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1136  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1137 
1138  memset( buf, 0, 16 );
1139 
1140  if( v == AES_DECRYPT )
1141  {
1142  aes_setkey_dec( &ctx, key, 128 + u * 64 );
1143 
1144  for( j = 0; j < 10000; j++ )
1145  aes_crypt_ecb( &ctx, v, buf, buf );
1146 
1147  if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1148  {
1149  if( verbose != 0 )
1150  printf( "failed\n" );
1151 
1152  return( 1 );
1153  }
1154  }
1155  else
1156  {
1157  aes_setkey_enc( &ctx, key, 128 + u * 64 );
1158 
1159  for( j = 0; j < 10000; j++ )
1160  aes_crypt_ecb( &ctx, v, buf, buf );
1161 
1162  if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1163  {
1164  if( verbose != 0 )
1165  printf( "failed\n" );
1166 
1167  return( 1 );
1168  }
1169  }
1170 
1171  if( verbose != 0 )
1172  printf( "passed\n" );
1173  }
1174 
1175  if( verbose != 0 )
1176  printf( "\n" );
1177 
1178  /*
1179  * CBC mode
1180  */
1181  for( i = 0; i < 6; i++ )
1182  {
1183  u = i >> 1;
1184  v = i & 1;
1185 
1186  if( verbose != 0 )
1187  printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1188  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1189 
1190  memset( iv , 0, 16 );
1191  memset( prv, 0, 16 );
1192  memset( buf, 0, 16 );
1193 
1194  if( v == AES_DECRYPT )
1195  {
1196  aes_setkey_dec( &ctx, key, 128 + u * 64 );
1197 
1198  for( j = 0; j < 10000; j++ )
1199  aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1200 
1201  if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1202  {
1203  if( verbose != 0 )
1204  printf( "failed\n" );
1205 
1206  return( 1 );
1207  }
1208  }
1209  else
1210  {
1211  aes_setkey_enc( &ctx, key, 128 + u * 64 );
1212 
1213  for( j = 0; j < 10000; j++ )
1214  {
1215  unsigned char tmp[16];
1216 
1217  aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1218 
1219  memcpy( tmp, prv, 16 );
1220  memcpy( prv, buf, 16 );
1221  memcpy( buf, tmp, 16 );
1222  }
1223 
1224  if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1225  {
1226  if( verbose != 0 )
1227  printf( "failed\n" );
1228 
1229  return( 1 );
1230  }
1231  }
1232 
1233  if( verbose != 0 )
1234  printf( "passed\n" );
1235  }
1236 
1237  if( verbose != 0 )
1238  printf( "\n" );
1239 
1240 #if defined(POLARSSL_CIPHER_MODE_CFB)
1241  /*
1242  * CFB128 mode
1243  */
1244  for( i = 0; i < 6; i++ )
1245  {
1246  u = i >> 1;
1247  v = i & 1;
1248 
1249  if( verbose != 0 )
1250  printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1251  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1252 
1253  memcpy( iv, aes_test_cfb128_iv, 16 );
1254  memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1255 
1256  offset = 0;
1257  aes_setkey_enc( &ctx, key, 128 + u * 64 );
1258 
1259  if( v == AES_DECRYPT )
1260  {
1261  memcpy( buf, aes_test_cfb128_ct[u], 64 );
1262  aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1263 
1264  if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1265  {
1266  if( verbose != 0 )
1267  printf( "failed\n" );
1268 
1269  return( 1 );
1270  }
1271  }
1272  else
1273  {
1274  memcpy( buf, aes_test_cfb128_pt, 64 );
1275  aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1276 
1277  if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1278  {
1279  if( verbose != 0 )
1280  printf( "failed\n" );
1281 
1282  return( 1 );
1283  }
1284  }
1285 
1286  if( verbose != 0 )
1287  printf( "passed\n" );
1288  }
1289 
1290  if( verbose != 0 )
1291  printf( "\n" );
1292 #endif /* POLARSSL_CIPHER_MODE_CFB */
1293 
1294 #if defined(POLARSSL_CIPHER_MODE_CTR)
1295  /*
1296  * CTR mode
1297  */
1298  for( i = 0; i < 6; i++ )
1299  {
1300  u = i >> 1;
1301  v = i & 1;
1302 
1303  if( verbose != 0 )
1304  printf( " AES-CTR-128 (%s): ",
1305  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1306 
1307  memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1308  memcpy( key, aes_test_ctr_key[u], 16 );
1309 
1310  offset = 0;
1311  aes_setkey_enc( &ctx, key, 128 );
1312 
1313  if( v == AES_DECRYPT )
1314  {
1315  len = aes_test_ctr_len[u];
1316  memcpy( buf, aes_test_ctr_ct[u], len );
1317 
1318  aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1319 
1320  if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1321  {
1322  if( verbose != 0 )
1323  printf( "failed\n" );
1324 
1325  return( 1 );
1326  }
1327  }
1328  else
1329  {
1330  len = aes_test_ctr_len[u];
1331  memcpy( buf, aes_test_ctr_pt[u], len );
1332 
1333  aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1334 
1335  if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1336  {
1337  if( verbose != 0 )
1338  printf( "failed\n" );
1339 
1340  return( 1 );
1341  }
1342  }
1343 
1344  if( verbose != 0 )
1345  printf( "passed\n" );
1346  }
1347 
1348  if( verbose != 0 )
1349  printf( "\n" );
1350 #endif /* POLARSSL_CIPHER_MODE_CTR */
1351 
1352  return( 0 );
1353 }
1354 
1355 #endif
1356 
1357 #endif