PolarSSL v1.3.1
aes.c
Go to the documentation of this file.
1 /*
2  * FIPS-197 compliant AES implementation
3  *
4  * Copyright (C) 2006-2013, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27  *
28  * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29  * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30  */
31 
32 #include "polarssl/config.h"
33 
34 #if defined(POLARSSL_AES_C)
35 
36 #include "polarssl/aes.h"
37 #if defined(POLARSSL_PADLOCK_C)
38 #include "polarssl/padlock.h"
39 #endif
40 
41 #if !defined(POLARSSL_AES_ALT)
42 
43 /*
44  * 32-bit integer manipulation macros (little endian)
45  */
46 #ifndef GET_UINT32_LE
47 #define GET_UINT32_LE(n,b,i) \
48 { \
49  (n) = ( (uint32_t) (b)[(i) ] ) \
50  | ( (uint32_t) (b)[(i) + 1] << 8 ) \
51  | ( (uint32_t) (b)[(i) + 2] << 16 ) \
52  | ( (uint32_t) (b)[(i) + 3] << 24 ); \
53 }
54 #endif
55 
56 #ifndef PUT_UINT32_LE
57 #define PUT_UINT32_LE(n,b,i) \
58 { \
59  (b)[(i) ] = (unsigned char) ( (n) ); \
60  (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
61  (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
62  (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
63 }
64 #endif
65 
66 #if defined(POLARSSL_PADLOCK_C) && \
67  ( defined(POLARSSL_HAVE_X86) || defined(PADLOCK_ALIGN16) )
68 static int aes_padlock_ace = -1;
69 #endif
70 
71 #if defined(POLARSSL_AES_ROM_TABLES)
72 /*
73  * Forward S-box
74  */
75 static const unsigned char FSb[256] =
76 {
77  0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
78  0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
79  0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
80  0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
81  0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
82  0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
83  0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
84  0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
85  0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
86  0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
87  0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
88  0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
89  0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
90  0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
91  0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
92  0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
93  0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
94  0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
95  0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
96  0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
97  0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
98  0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
99  0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
100  0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
101  0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
102  0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
103  0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
104  0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
105  0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
106  0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
107  0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
108  0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
109 };
110 
111 /*
112  * Forward tables
113  */
114 #define FT \
115 \
116  V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
117  V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
118  V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
119  V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
120  V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
121  V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
122  V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
123  V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
124  V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
125  V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
126  V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
127  V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
128  V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
129  V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
130  V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
131  V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
132  V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
133  V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
134  V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
135  V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
136  V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
137  V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
138  V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
139  V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
140  V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
141  V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
142  V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
143  V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
144  V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
145  V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
146  V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
147  V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
148  V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
149  V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
150  V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
151  V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
152  V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
153  V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
154  V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
155  V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
156  V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
157  V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
158  V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
159  V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
160  V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
161  V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
162  V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
163  V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
164  V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
165  V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
166  V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
167  V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
168  V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
169  V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
170  V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
171  V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
172  V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
173  V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
174  V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
175  V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
176  V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
177  V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
178  V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
179  V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
180 
181 #define V(a,b,c,d) 0x##a##b##c##d
182 static const uint32_t FT0[256] = { FT };
183 #undef V
184 
185 #define V(a,b,c,d) 0x##b##c##d##a
186 static const uint32_t FT1[256] = { FT };
187 #undef V
188 
189 #define V(a,b,c,d) 0x##c##d##a##b
190 static const uint32_t FT2[256] = { FT };
191 #undef V
192 
193 #define V(a,b,c,d) 0x##d##a##b##c
194 static const uint32_t FT3[256] = { FT };
195 #undef V
196 
197 #undef FT
198 
199 /*
200  * Reverse S-box
201  */
202 static const unsigned char RSb[256] =
203 {
204  0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
205  0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
206  0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
207  0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
208  0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
209  0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
210  0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
211  0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
212  0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
213  0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
214  0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
215  0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
216  0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
217  0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
218  0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
219  0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
220  0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
221  0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
222  0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
223  0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
224  0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
225  0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
226  0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
227  0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
228  0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
229  0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
230  0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
231  0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
232  0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
233  0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
234  0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
235  0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
236 };
237 
238 /*
239  * Reverse tables
240  */
241 #define RT \
242 \
243  V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
244  V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
245  V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
246  V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
247  V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
248  V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
249  V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
250  V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
251  V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
252  V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
253  V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
254  V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
255  V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
256  V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
257  V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
258  V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
259  V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
260  V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
261  V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
262  V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
263  V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
264  V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
265  V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
266  V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
267  V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
268  V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
269  V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
270  V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
271  V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
272  V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
273  V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
274  V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
275  V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
276  V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
277  V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
278  V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
279  V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
280  V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
281  V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
282  V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
283  V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
284  V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
285  V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
286  V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
287  V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
288  V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
289  V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
290  V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
291  V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
292  V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
293  V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
294  V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
295  V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
296  V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
297  V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
298  V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
299  V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
300  V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
301  V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
302  V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
303  V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
304  V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
305  V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
306  V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
307 
308 #define V(a,b,c,d) 0x##a##b##c##d
309 static const uint32_t RT0[256] = { RT };
310 #undef V
311 
312 #define V(a,b,c,d) 0x##b##c##d##a
313 static const uint32_t RT1[256] = { RT };
314 #undef V
315 
316 #define V(a,b,c,d) 0x##c##d##a##b
317 static const uint32_t RT2[256] = { RT };
318 #undef V
319 
320 #define V(a,b,c,d) 0x##d##a##b##c
321 static const uint32_t RT3[256] = { RT };
322 #undef V
323 
324 #undef RT
325 
326 /*
327  * Round constants
328  */
329 static const uint32_t RCON[10] =
330 {
331  0x00000001, 0x00000002, 0x00000004, 0x00000008,
332  0x00000010, 0x00000020, 0x00000040, 0x00000080,
333  0x0000001B, 0x00000036
334 };
335 
336 #else
337 
338 /*
339  * Forward S-box & tables
340  */
341 static unsigned char FSb[256];
342 static uint32_t FT0[256];
343 static uint32_t FT1[256];
344 static uint32_t FT2[256];
345 static uint32_t FT3[256];
346 
347 /*
348  * Reverse S-box & tables
349  */
350 static unsigned char RSb[256];
351 static uint32_t RT0[256];
352 static uint32_t RT1[256];
353 static uint32_t RT2[256];
354 static uint32_t RT3[256];
355 
356 /*
357  * Round constants
358  */
359 static uint32_t RCON[10];
360 
361 /*
362  * Tables generation code
363  */
364 #define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
365 #define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
366 #define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
367 
368 static int aes_init_done = 0;
369 
370 static void aes_gen_tables( void )
371 {
372  int i, x, y, z;
373  int pow[256];
374  int log[256];
375 
376  /*
377  * compute pow and log tables over GF(2^8)
378  */
379  for( i = 0, x = 1; i < 256; i++ )
380  {
381  pow[i] = x;
382  log[x] = i;
383  x = ( x ^ XTIME( x ) ) & 0xFF;
384  }
385 
386  /*
387  * calculate the round constants
388  */
389  for( i = 0, x = 1; i < 10; i++ )
390  {
391  RCON[i] = (uint32_t) x;
392  x = XTIME( x ) & 0xFF;
393  }
394 
395  /*
396  * generate the forward and reverse S-boxes
397  */
398  FSb[0x00] = 0x63;
399  RSb[0x63] = 0x00;
400 
401  for( i = 1; i < 256; i++ )
402  {
403  x = pow[255 - log[i]];
404 
405  y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
406  x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
407  x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
408  x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
409  x ^= y ^ 0x63;
410 
411  FSb[i] = (unsigned char) x;
412  RSb[x] = (unsigned char) i;
413  }
414 
415  /*
416  * generate the forward and reverse tables
417  */
418  for( i = 0; i < 256; i++ )
419  {
420  x = FSb[i];
421  y = XTIME( x ) & 0xFF;
422  z = ( y ^ x ) & 0xFF;
423 
424  FT0[i] = ( (uint32_t) y ) ^
425  ( (uint32_t) x << 8 ) ^
426  ( (uint32_t) x << 16 ) ^
427  ( (uint32_t) z << 24 );
428 
429  FT1[i] = ROTL8( FT0[i] );
430  FT2[i] = ROTL8( FT1[i] );
431  FT3[i] = ROTL8( FT2[i] );
432 
433  x = RSb[i];
434 
435  RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
436  ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
437  ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
438  ( (uint32_t) MUL( 0x0B, x ) << 24 );
439 
440  RT1[i] = ROTL8( RT0[i] );
441  RT2[i] = ROTL8( RT1[i] );
442  RT3[i] = ROTL8( RT2[i] );
443  }
444 }
445 
446 #endif
447 
448 /*
449  * AES key schedule (encryption)
450  */
451 int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
452 {
453  unsigned int i;
454  uint32_t *RK;
455 
456 #if !defined(POLARSSL_AES_ROM_TABLES)
457  if( aes_init_done == 0 )
458  {
459  aes_gen_tables();
460  aes_init_done = 1;
461 
462  }
463 #endif
464 
465  switch( keysize )
466  {
467  case 128: ctx->nr = 10; break;
468  case 192: ctx->nr = 12; break;
469  case 256: ctx->nr = 14; break;
470  default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
471  }
472 
473 #if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
474  if( aes_padlock_ace == -1 )
475  aes_padlock_ace = padlock_supports( PADLOCK_ACE );
476 
477  if( aes_padlock_ace )
478  ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
479  else
480 #endif
481  ctx->rk = RK = ctx->buf;
482 
483  for( i = 0; i < (keysize >> 5); i++ )
484  {
485  GET_UINT32_LE( RK[i], key, i << 2 );
486  }
487 
488  switch( ctx->nr )
489  {
490  case 10:
491 
492  for( i = 0; i < 10; i++, RK += 4 )
493  {
494  RK[4] = RK[0] ^ RCON[i] ^
495  ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
496  ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
497  ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
498  ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
499 
500  RK[5] = RK[1] ^ RK[4];
501  RK[6] = RK[2] ^ RK[5];
502  RK[7] = RK[3] ^ RK[6];
503  }
504  break;
505 
506  case 12:
507 
508  for( i = 0; i < 8; i++, RK += 6 )
509  {
510  RK[6] = RK[0] ^ RCON[i] ^
511  ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
512  ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
513  ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
514  ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
515 
516  RK[7] = RK[1] ^ RK[6];
517  RK[8] = RK[2] ^ RK[7];
518  RK[9] = RK[3] ^ RK[8];
519  RK[10] = RK[4] ^ RK[9];
520  RK[11] = RK[5] ^ RK[10];
521  }
522  break;
523 
524  case 14:
525 
526  for( i = 0; i < 7; i++, RK += 8 )
527  {
528  RK[8] = RK[0] ^ RCON[i] ^
529  ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
530  ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
531  ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
532  ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
533 
534  RK[9] = RK[1] ^ RK[8];
535  RK[10] = RK[2] ^ RK[9];
536  RK[11] = RK[3] ^ RK[10];
537 
538  RK[12] = RK[4] ^
539  ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
540  ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
541  ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
542  ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
543 
544  RK[13] = RK[5] ^ RK[12];
545  RK[14] = RK[6] ^ RK[13];
546  RK[15] = RK[7] ^ RK[14];
547  }
548  break;
549 
550  default:
551 
552  break;
553  }
554 
555  return( 0 );
556 }
557 
558 /*
559  * AES key schedule (decryption)
560  */
561 int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
562 {
563  int i, j;
564  aes_context cty;
565  uint32_t *RK;
566  uint32_t *SK;
567  int ret;
568 
569  switch( keysize )
570  {
571  case 128: ctx->nr = 10; break;
572  case 192: ctx->nr = 12; break;
573  case 256: ctx->nr = 14; break;
574  default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
575  }
576 
577 #if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
578  if( aes_padlock_ace == -1 )
579  aes_padlock_ace = padlock_supports( PADLOCK_ACE );
580 
581  if( aes_padlock_ace )
582  ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
583  else
584 #endif
585  ctx->rk = RK = ctx->buf;
586 
587  ret = aes_setkey_enc( &cty, key, keysize );
588  if( ret != 0 )
589  return( ret );
590 
591  SK = cty.rk + cty.nr * 4;
592 
593  *RK++ = *SK++;
594  *RK++ = *SK++;
595  *RK++ = *SK++;
596  *RK++ = *SK++;
597 
598  for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
599  {
600  for( j = 0; j < 4; j++, SK++ )
601  {
602  *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
603  RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
604  RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
605  RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
606  }
607  }
608 
609  *RK++ = *SK++;
610  *RK++ = *SK++;
611  *RK++ = *SK++;
612  *RK++ = *SK++;
613 
614  memset( &cty, 0, sizeof( aes_context ) );
615 
616  return( 0 );
617 }
618 
619 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
620 { \
621  X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
622  FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
623  FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
624  FT3[ ( Y3 >> 24 ) & 0xFF ]; \
625  \
626  X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
627  FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
628  FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
629  FT3[ ( Y0 >> 24 ) & 0xFF ]; \
630  \
631  X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
632  FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
633  FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
634  FT3[ ( Y1 >> 24 ) & 0xFF ]; \
635  \
636  X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
637  FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
638  FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
639  FT3[ ( Y2 >> 24 ) & 0xFF ]; \
640 }
641 
642 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
643 { \
644  X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
645  RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
646  RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
647  RT3[ ( Y1 >> 24 ) & 0xFF ]; \
648  \
649  X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
650  RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
651  RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
652  RT3[ ( Y2 >> 24 ) & 0xFF ]; \
653  \
654  X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
655  RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
656  RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
657  RT3[ ( Y3 >> 24 ) & 0xFF ]; \
658  \
659  X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
660  RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
661  RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
662  RT3[ ( Y0 >> 24 ) & 0xFF ]; \
663 }
664 
665 /*
666  * AES-ECB block encryption/decryption
667  */
668 int aes_crypt_ecb( aes_context *ctx,
669  int mode,
670  const unsigned char input[16],
671  unsigned char output[16] )
672 {
673  int i;
674  uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
675 
676 #if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
677  if( aes_padlock_ace )
678  {
679  if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
680  return( 0 );
681 
682  // If padlock data misaligned, we just fall back to
683  // unaccelerated mode
684  //
685  }
686 #endif
687 
688  RK = ctx->rk;
689 
690  GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
691  GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
692  GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
693  GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
694 
695  if( mode == AES_DECRYPT )
696  {
697  for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
698  {
699  AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
700  AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
701  }
702 
703  AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
704 
705  X0 = *RK++ ^ \
706  ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
707  ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
708  ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
709  ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
710 
711  X1 = *RK++ ^ \
712  ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
713  ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
714  ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
715  ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
716 
717  X2 = *RK++ ^ \
718  ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
719  ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
720  ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
721  ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
722 
723  X3 = *RK++ ^ \
724  ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
725  ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
726  ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
727  ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
728  }
729  else /* AES_ENCRYPT */
730  {
731  for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
732  {
733  AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
734  AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
735  }
736 
737  AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
738 
739  X0 = *RK++ ^ \
740  ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
741  ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
742  ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
743  ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
744 
745  X1 = *RK++ ^ \
746  ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
747  ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
748  ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
749  ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
750 
751  X2 = *RK++ ^ \
752  ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
753  ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
754  ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
755  ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
756 
757  X3 = *RK++ ^ \
758  ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
759  ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
760  ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
761  ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
762  }
763 
764  PUT_UINT32_LE( X0, output, 0 );
765  PUT_UINT32_LE( X1, output, 4 );
766  PUT_UINT32_LE( X2, output, 8 );
767  PUT_UINT32_LE( X3, output, 12 );
768 
769  return( 0 );
770 }
771 
772 #if defined(POLARSSL_CIPHER_MODE_CBC)
773 /*
774  * AES-CBC buffer encryption/decryption
775  */
776 int aes_crypt_cbc( aes_context *ctx,
777  int mode,
778  size_t length,
779  unsigned char iv[16],
780  const unsigned char *input,
781  unsigned char *output )
782 {
783  int i;
784  unsigned char temp[16];
785 
786  if( length % 16 )
788 
789 #if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
790  if( aes_padlock_ace )
791  {
792  if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
793  return( 0 );
794 
795  // If padlock data misaligned, we just fall back to
796  // unaccelerated mode
797  //
798  }
799 #endif
800 
801  if( mode == AES_DECRYPT )
802  {
803  while( length > 0 )
804  {
805  memcpy( temp, input, 16 );
806  aes_crypt_ecb( ctx, mode, input, output );
807 
808  for( i = 0; i < 16; i++ )
809  output[i] = (unsigned char)( output[i] ^ iv[i] );
810 
811  memcpy( iv, temp, 16 );
812 
813  input += 16;
814  output += 16;
815  length -= 16;
816  }
817  }
818  else
819  {
820  while( length > 0 )
821  {
822  for( i = 0; i < 16; i++ )
823  output[i] = (unsigned char)( input[i] ^ iv[i] );
824 
825  aes_crypt_ecb( ctx, mode, output, output );
826  memcpy( iv, output, 16 );
827 
828  input += 16;
829  output += 16;
830  length -= 16;
831  }
832  }
833 
834  return( 0 );
835 }
836 #endif /* POLARSSL_CIPHER_MODE_CBC */
837 
838 #if defined(POLARSSL_CIPHER_MODE_CFB)
839 /*
840  * AES-CFB128 buffer encryption/decryption
841  */
842 int aes_crypt_cfb128( aes_context *ctx,
843  int mode,
844  size_t length,
845  size_t *iv_off,
846  unsigned char iv[16],
847  const unsigned char *input,
848  unsigned char *output )
849 {
850  int c;
851  size_t n = *iv_off;
852 
853  if( mode == AES_DECRYPT )
854  {
855  while( length-- )
856  {
857  if( n == 0 )
858  aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
859 
860  c = *input++;
861  *output++ = (unsigned char)( c ^ iv[n] );
862  iv[n] = (unsigned char) c;
863 
864  n = (n + 1) & 0x0F;
865  }
866  }
867  else
868  {
869  while( length-- )
870  {
871  if( n == 0 )
872  aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
873 
874  iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
875 
876  n = (n + 1) & 0x0F;
877  }
878  }
879 
880  *iv_off = n;
881 
882  return( 0 );
883 }
884 #endif /*POLARSSL_CIPHER_MODE_CFB */
885 
886 #if defined(POLARSSL_CIPHER_MODE_CTR)
887 /*
888  * AES-CTR buffer encryption/decryption
889  */
890 int aes_crypt_ctr( aes_context *ctx,
891  size_t length,
892  size_t *nc_off,
893  unsigned char nonce_counter[16],
894  unsigned char stream_block[16],
895  const unsigned char *input,
896  unsigned char *output )
897 {
898  int c, i;
899  size_t n = *nc_off;
900 
901  while( length-- )
902  {
903  if( n == 0 ) {
904  aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
905 
906  for( i = 16; i > 0; i-- )
907  if( ++nonce_counter[i - 1] != 0 )
908  break;
909  }
910  c = *input++;
911  *output++ = (unsigned char)( c ^ stream_block[n] );
912 
913  n = (n + 1) & 0x0F;
914  }
915 
916  *nc_off = n;
917 
918  return( 0 );
919 }
920 #endif /* POLARSSL_CIPHER_MODE_CTR */
921 #endif /* !POLARSSL_AES_ALT */
922 
923 #if defined(POLARSSL_SELF_TEST)
924 
925 #include <stdio.h>
926 
927 /*
928  * AES test vectors from:
929  *
930  * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
931  */
932 static const unsigned char aes_test_ecb_dec[3][16] =
933 {
934  { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
935  0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
936  { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
937  0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
938  { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
939  0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
940 };
941 
942 static const unsigned char aes_test_ecb_enc[3][16] =
943 {
944  { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
945  0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
946  { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
947  0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
948  { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
949  0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
950 };
951 
952 #if defined(POLARSSL_CIPHER_MODE_CBC)
953 static const unsigned char aes_test_cbc_dec[3][16] =
954 {
955  { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
956  0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
957  { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
958  0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
959  { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
960  0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
961 };
962 
963 static const unsigned char aes_test_cbc_enc[3][16] =
964 {
965  { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
966  0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
967  { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
968  0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
969  { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
970  0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
971 };
972 #endif /* POLARSSL_CIPHER_MODE_CBC */
973 
974 #if defined(POLARSSL_CIPHER_MODE_CFB)
975 /*
976  * AES-CFB128 test vectors from:
977  *
978  * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
979  */
980 static const unsigned char aes_test_cfb128_key[3][32] =
981 {
982  { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
983  0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
984  { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
985  0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
986  0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
987  { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
988  0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
989  0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
990  0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
991 };
992 
993 static const unsigned char aes_test_cfb128_iv[16] =
994 {
995  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
996  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
997 };
998 
999 static const unsigned char aes_test_cfb128_pt[64] =
1000 {
1001  0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1002  0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1003  0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1004  0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1005  0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1006  0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1007  0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1008  0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1009 };
1010 
1011 static const unsigned char aes_test_cfb128_ct[3][64] =
1012 {
1013  { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1014  0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1015  0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1016  0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1017  0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1018  0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1019  0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1020  0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1021  { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1022  0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1023  0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1024  0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1025  0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1026  0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1027  0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1028  0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1029  { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1030  0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1031  0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1032  0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1033  0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1034  0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1035  0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1036  0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1037 };
1038 #endif /* POLARSSL_CIPHER_MODE_CFB */
1039 
1040 #if defined(POLARSSL_CIPHER_MODE_CTR)
1041 /*
1042  * AES-CTR test vectors from:
1043  *
1044  * http://www.faqs.org/rfcs/rfc3686.html
1045  */
1046 
1047 static const unsigned char aes_test_ctr_key[3][16] =
1048 {
1049  { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1050  0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1051  { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1052  0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1053  { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1054  0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1055 };
1056 
1057 static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1058 {
1059  { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1060  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1061  { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1062  0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1063  { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1064  0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1065 };
1066 
1067 static const unsigned char aes_test_ctr_pt[3][48] =
1068 {
1069  { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1070  0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1071 
1072  { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1073  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1074  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1075  0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1076 
1077  { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1078  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1079  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1080  0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1081  0x20, 0x21, 0x22, 0x23 }
1082 };
1083 
1084 static const unsigned char aes_test_ctr_ct[3][48] =
1085 {
1086  { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1087  0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1088  { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1089  0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1090  0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1091  0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1092  { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1093  0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1094  0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1095  0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1096  0x25, 0xB2, 0x07, 0x2F }
1097 };
1098 
1099 static const int aes_test_ctr_len[3] =
1100  { 16, 32, 36 };
1101 #endif /* POLARSSL_CIPHER_MODE_CTR */
1102 
1103 /*
1104  * Checkup routine
1105  */
1106 int aes_self_test( int verbose )
1107 {
1108  int i, j, u, v;
1109  unsigned char key[32];
1110  unsigned char buf[64];
1111  unsigned char iv[16];
1112 #if defined(POLARSSL_CIPHER_MODE_CBC)
1113  unsigned char prv[16];
1114 #endif
1115 #if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
1116  size_t offset;
1117 #endif
1118 #if defined(POLARSSL_CIPHER_MODE_CTR)
1119  int len;
1120  unsigned char nonce_counter[16];
1121  unsigned char stream_block[16];
1122 #endif
1123  aes_context ctx;
1124 
1125  memset( key, 0, 32 );
1126 
1127  /*
1128  * ECB mode
1129  */
1130  for( i = 0; i < 6; i++ )
1131  {
1132  u = i >> 1;
1133  v = i & 1;
1134 
1135  if( verbose != 0 )
1136  printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1137  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1138 
1139  memset( buf, 0, 16 );
1140 
1141  if( v == AES_DECRYPT )
1142  {
1143  aes_setkey_dec( &ctx, key, 128 + u * 64 );
1144 
1145  for( j = 0; j < 10000; j++ )
1146  aes_crypt_ecb( &ctx, v, buf, buf );
1147 
1148  if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1149  {
1150  if( verbose != 0 )
1151  printf( "failed\n" );
1152 
1153  return( 1 );
1154  }
1155  }
1156  else
1157  {
1158  aes_setkey_enc( &ctx, key, 128 + u * 64 );
1159 
1160  for( j = 0; j < 10000; j++ )
1161  aes_crypt_ecb( &ctx, v, buf, buf );
1162 
1163  if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1164  {
1165  if( verbose != 0 )
1166  printf( "failed\n" );
1167 
1168  return( 1 );
1169  }
1170  }
1171 
1172  if( verbose != 0 )
1173  printf( "passed\n" );
1174  }
1175 
1176  if( verbose != 0 )
1177  printf( "\n" );
1178 
1179 #if defined(POLARSSL_CIPHER_MODE_CBC)
1180  /*
1181  * CBC mode
1182  */
1183  for( i = 0; i < 6; i++ )
1184  {
1185  u = i >> 1;
1186  v = i & 1;
1187 
1188  if( verbose != 0 )
1189  printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1190  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1191 
1192  memset( iv , 0, 16 );
1193  memset( prv, 0, 16 );
1194  memset( buf, 0, 16 );
1195 
1196  if( v == AES_DECRYPT )
1197  {
1198  aes_setkey_dec( &ctx, key, 128 + u * 64 );
1199 
1200  for( j = 0; j < 10000; j++ )
1201  aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1202 
1203  if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1204  {
1205  if( verbose != 0 )
1206  printf( "failed\n" );
1207 
1208  return( 1 );
1209  }
1210  }
1211  else
1212  {
1213  aes_setkey_enc( &ctx, key, 128 + u * 64 );
1214 
1215  for( j = 0; j < 10000; j++ )
1216  {
1217  unsigned char tmp[16];
1218 
1219  aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1220 
1221  memcpy( tmp, prv, 16 );
1222  memcpy( prv, buf, 16 );
1223  memcpy( buf, tmp, 16 );
1224  }
1225 
1226  if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1227  {
1228  if( verbose != 0 )
1229  printf( "failed\n" );
1230 
1231  return( 1 );
1232  }
1233  }
1234 
1235  if( verbose != 0 )
1236  printf( "passed\n" );
1237  }
1238 
1239  if( verbose != 0 )
1240  printf( "\n" );
1241 #endif /* POLARSSL_CIPHER_MODE_CBC */
1242 
1243 #if defined(POLARSSL_CIPHER_MODE_CFB)
1244  /*
1245  * CFB128 mode
1246  */
1247  for( i = 0; i < 6; i++ )
1248  {
1249  u = i >> 1;
1250  v = i & 1;
1251 
1252  if( verbose != 0 )
1253  printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1254  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1255 
1256  memcpy( iv, aes_test_cfb128_iv, 16 );
1257  memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1258 
1259  offset = 0;
1260  aes_setkey_enc( &ctx, key, 128 + u * 64 );
1261 
1262  if( v == AES_DECRYPT )
1263  {
1264  memcpy( buf, aes_test_cfb128_ct[u], 64 );
1265  aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1266 
1267  if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1268  {
1269  if( verbose != 0 )
1270  printf( "failed\n" );
1271 
1272  return( 1 );
1273  }
1274  }
1275  else
1276  {
1277  memcpy( buf, aes_test_cfb128_pt, 64 );
1278  aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1279 
1280  if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1281  {
1282  if( verbose != 0 )
1283  printf( "failed\n" );
1284 
1285  return( 1 );
1286  }
1287  }
1288 
1289  if( verbose != 0 )
1290  printf( "passed\n" );
1291  }
1292 
1293  if( verbose != 0 )
1294  printf( "\n" );
1295 #endif /* POLARSSL_CIPHER_MODE_CFB */
1296 
1297 #if defined(POLARSSL_CIPHER_MODE_CTR)
1298  /*
1299  * CTR mode
1300  */
1301  for( i = 0; i < 6; i++ )
1302  {
1303  u = i >> 1;
1304  v = i & 1;
1305 
1306  if( verbose != 0 )
1307  printf( " AES-CTR-128 (%s): ",
1308  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1309 
1310  memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1311  memcpy( key, aes_test_ctr_key[u], 16 );
1312 
1313  offset = 0;
1314  aes_setkey_enc( &ctx, key, 128 );
1315 
1316  if( v == AES_DECRYPT )
1317  {
1318  len = aes_test_ctr_len[u];
1319  memcpy( buf, aes_test_ctr_ct[u], len );
1320 
1321  aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1322 
1323  if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1324  {
1325  if( verbose != 0 )
1326  printf( "failed\n" );
1327 
1328  return( 1 );
1329  }
1330  }
1331  else
1332  {
1333  len = aes_test_ctr_len[u];
1334  memcpy( buf, aes_test_ctr_pt[u], len );
1335 
1336  aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1337 
1338  if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1339  {
1340  if( verbose != 0 )
1341  printf( "failed\n" );
1342 
1343  return( 1 );
1344  }
1345  }
1346 
1347  if( verbose != 0 )
1348  printf( "passed\n" );
1349  }
1350 
1351  if( verbose != 0 )
1352  printf( "\n" );
1353 #endif /* POLARSSL_CIPHER_MODE_CTR */
1354 
1355  return( 0 );
1356 }
1357 
1358 #endif
1359 
1360 #endif