PolarSSL v1.1.4
aes.c
Go to the documentation of this file.
1 /*
2  * FIPS-197 compliant AES implementation
3  *
4  * Copyright (C) 2006-2010, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27  *
28  * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29  * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30  */
31 
32 #include "polarssl/config.h"
33 
34 #if defined(POLARSSL_AES_C)
35 
36 #include "polarssl/aes.h"
37 #include "polarssl/padlock.h"
38 
39 /*
40  * 32-bit integer manipulation macros (little endian)
41  */
42 #ifndef GET_ULONG_LE
43 #define GET_ULONG_LE(n,b,i) \
44 { \
45  (n) = ( (unsigned long) (b)[(i) ] ) \
46  | ( (unsigned long) (b)[(i) + 1] << 8 ) \
47  | ( (unsigned long) (b)[(i) + 2] << 16 ) \
48  | ( (unsigned long) (b)[(i) + 3] << 24 ); \
49 }
50 #endif
51 
52 #ifndef PUT_ULONG_LE
53 #define PUT_ULONG_LE(n,b,i) \
54 { \
55  (b)[(i) ] = (unsigned char) ( (n) ); \
56  (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
57  (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
58  (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
59 }
60 #endif
61 
62 #if defined(POLARSSL_AES_ROM_TABLES)
63 /*
64  * Forward S-box
65  */
66 static const unsigned char FSb[256] =
67 {
68  0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
69  0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
70  0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
71  0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
72  0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
73  0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
74  0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
75  0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
76  0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
77  0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
78  0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
79  0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
80  0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
81  0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
82  0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
83  0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
84  0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
85  0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
86  0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
87  0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
88  0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
89  0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
90  0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
91  0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
92  0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
93  0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
94  0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
95  0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
96  0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
97  0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
98  0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
99  0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
100 };
101 
102 /*
103  * Forward tables
104  */
105 #define FT \
106 \
107  V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
108  V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
109  V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
110  V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
111  V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
112  V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
113  V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
114  V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
115  V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
116  V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
117  V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
118  V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
119  V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
120  V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
121  V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
122  V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
123  V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
124  V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
125  V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
126  V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
127  V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
128  V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
129  V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
130  V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
131  V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
132  V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
133  V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
134  V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
135  V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
136  V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
137  V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
138  V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
139  V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
140  V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
141  V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
142  V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
143  V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
144  V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
145  V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
146  V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
147  V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
148  V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
149  V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
150  V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
151  V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
152  V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
153  V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
154  V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
155  V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
156  V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
157  V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
158  V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
159  V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
160  V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
161  V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
162  V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
163  V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
164  V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
165  V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
166  V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
167  V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
168  V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
169  V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
170  V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
171 
172 #define V(a,b,c,d) 0x##a##b##c##d
173 static const unsigned long FT0[256] = { FT };
174 #undef V
175 
176 #define V(a,b,c,d) 0x##b##c##d##a
177 static const unsigned long FT1[256] = { FT };
178 #undef V
179 
180 #define V(a,b,c,d) 0x##c##d##a##b
181 static const unsigned long FT2[256] = { FT };
182 #undef V
183 
184 #define V(a,b,c,d) 0x##d##a##b##c
185 static const unsigned long FT3[256] = { FT };
186 #undef V
187 
188 #undef FT
189 
190 /*
191  * Reverse S-box
192  */
193 static const unsigned char RSb[256] =
194 {
195  0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
196  0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
197  0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
198  0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
199  0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
200  0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
201  0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
202  0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
203  0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
204  0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
205  0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
206  0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
207  0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
208  0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
209  0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
210  0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
211  0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
212  0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
213  0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
214  0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
215  0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
216  0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
217  0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
218  0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
219  0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
220  0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
221  0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
222  0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
223  0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
224  0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
225  0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
226  0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
227 };
228 
229 /*
230  * Reverse tables
231  */
232 #define RT \
233 \
234  V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
235  V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
236  V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
237  V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
238  V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
239  V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
240  V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
241  V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
242  V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
243  V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
244  V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
245  V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
246  V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
247  V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
248  V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
249  V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
250  V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
251  V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
252  V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
253  V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
254  V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
255  V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
256  V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
257  V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
258  V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
259  V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
260  V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
261  V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
262  V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
263  V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
264  V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
265  V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
266  V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
267  V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
268  V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
269  V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
270  V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
271  V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
272  V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
273  V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
274  V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
275  V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
276  V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
277  V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
278  V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
279  V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
280  V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
281  V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
282  V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
283  V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
284  V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
285  V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
286  V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
287  V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
288  V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
289  V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
290  V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
291  V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
292  V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
293  V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
294  V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
295  V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
296  V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
297  V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
298 
299 #define V(a,b,c,d) 0x##a##b##c##d
300 static const unsigned long RT0[256] = { RT };
301 #undef V
302 
303 #define V(a,b,c,d) 0x##b##c##d##a
304 static const unsigned long RT1[256] = { RT };
305 #undef V
306 
307 #define V(a,b,c,d) 0x##c##d##a##b
308 static const unsigned long RT2[256] = { RT };
309 #undef V
310 
311 #define V(a,b,c,d) 0x##d##a##b##c
312 static const unsigned long RT3[256] = { RT };
313 #undef V
314 
315 #undef RT
316 
317 /*
318  * Round constants
319  */
320 static const unsigned long RCON[10] =
321 {
322  0x00000001, 0x00000002, 0x00000004, 0x00000008,
323  0x00000010, 0x00000020, 0x00000040, 0x00000080,
324  0x0000001B, 0x00000036
325 };
326 
327 #else
328 
329 /*
330  * Forward S-box & tables
331  */
332 static unsigned char FSb[256];
333 static unsigned long FT0[256];
334 static unsigned long FT1[256];
335 static unsigned long FT2[256];
336 static unsigned long FT3[256];
337 
338 /*
339  * Reverse S-box & tables
340  */
341 static unsigned char RSb[256];
342 static unsigned long RT0[256];
343 static unsigned long RT1[256];
344 static unsigned long RT2[256];
345 static unsigned long RT3[256];
346 
347 /*
348  * Round constants
349  */
350 static unsigned long RCON[10];
351 
352 /*
353  * Tables generation code
354  */
355 #define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
356 #define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
357 #define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
358 
359 static int aes_init_done = 0;
360 
361 static void aes_gen_tables( void )
362 {
363  int i, x, y, z;
364  int pow[256];
365  int log[256];
366 
367  /*
368  * compute pow and log tables over GF(2^8)
369  */
370  for( i = 0, x = 1; i < 256; i++ )
371  {
372  pow[i] = x;
373  log[x] = i;
374  x = ( x ^ XTIME( x ) ) & 0xFF;
375  }
376 
377  /*
378  * calculate the round constants
379  */
380  for( i = 0, x = 1; i < 10; i++ )
381  {
382  RCON[i] = (unsigned long) x;
383  x = XTIME( x ) & 0xFF;
384  }
385 
386  /*
387  * generate the forward and reverse S-boxes
388  */
389  FSb[0x00] = 0x63;
390  RSb[0x63] = 0x00;
391 
392  for( i = 1; i < 256; i++ )
393  {
394  x = pow[255 - log[i]];
395 
396  y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
397  x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
398  x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
399  x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
400  x ^= y ^ 0x63;
401 
402  FSb[i] = (unsigned char) x;
403  RSb[x] = (unsigned char) i;
404  }
405 
406  /*
407  * generate the forward and reverse tables
408  */
409  for( i = 0; i < 256; i++ )
410  {
411  x = FSb[i];
412  y = XTIME( x ) & 0xFF;
413  z = ( y ^ x ) & 0xFF;
414 
415  FT0[i] = ( (unsigned long) y ) ^
416  ( (unsigned long) x << 8 ) ^
417  ( (unsigned long) x << 16 ) ^
418  ( (unsigned long) z << 24 );
419 
420  FT1[i] = ROTL8( FT0[i] );
421  FT2[i] = ROTL8( FT1[i] );
422  FT3[i] = ROTL8( FT2[i] );
423 
424  x = RSb[i];
425 
426  RT0[i] = ( (unsigned long) MUL( 0x0E, x ) ) ^
427  ( (unsigned long) MUL( 0x09, x ) << 8 ) ^
428  ( (unsigned long) MUL( 0x0D, x ) << 16 ) ^
429  ( (unsigned long) MUL( 0x0B, x ) << 24 );
430 
431  RT1[i] = ROTL8( RT0[i] );
432  RT2[i] = ROTL8( RT1[i] );
433  RT3[i] = ROTL8( RT2[i] );
434  }
435 }
436 
437 #endif
438 
439 /*
440  * AES key schedule (encryption)
441  */
442 int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
443 {
444  unsigned int i;
445  unsigned long *RK;
446 
447 #if !defined(POLARSSL_AES_ROM_TABLES)
448  if( aes_init_done == 0 )
449  {
450  aes_gen_tables();
451  aes_init_done = 1;
452  }
453 #endif
454 
455  switch( keysize )
456  {
457  case 128: ctx->nr = 10; break;
458  case 192: ctx->nr = 12; break;
459  case 256: ctx->nr = 14; break;
460  default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
461  }
462 
463 #if defined(PADLOCK_ALIGN16)
464  ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
465 #else
466  ctx->rk = RK = ctx->buf;
467 #endif
468 
469  for( i = 0; i < (keysize >> 5); i++ )
470  {
471  GET_ULONG_LE( RK[i], key, i << 2 );
472  }
473 
474  switch( ctx->nr )
475  {
476  case 10:
477 
478  for( i = 0; i < 10; i++, RK += 4 )
479  {
480  RK[4] = RK[0] ^ RCON[i] ^
481  ( (unsigned long) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
482  ( (unsigned long) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
483  ( (unsigned long) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
484  ( (unsigned long) FSb[ ( RK[3] ) & 0xFF ] << 24 );
485 
486  RK[5] = RK[1] ^ RK[4];
487  RK[6] = RK[2] ^ RK[5];
488  RK[7] = RK[3] ^ RK[6];
489  }
490  break;
491 
492  case 12:
493 
494  for( i = 0; i < 8; i++, RK += 6 )
495  {
496  RK[6] = RK[0] ^ RCON[i] ^
497  ( (unsigned long) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
498  ( (unsigned long) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
499  ( (unsigned long) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
500  ( (unsigned long) FSb[ ( RK[5] ) & 0xFF ] << 24 );
501 
502  RK[7] = RK[1] ^ RK[6];
503  RK[8] = RK[2] ^ RK[7];
504  RK[9] = RK[3] ^ RK[8];
505  RK[10] = RK[4] ^ RK[9];
506  RK[11] = RK[5] ^ RK[10];
507  }
508  break;
509 
510  case 14:
511 
512  for( i = 0; i < 7; i++, RK += 8 )
513  {
514  RK[8] = RK[0] ^ RCON[i] ^
515  ( (unsigned long) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
516  ( (unsigned long) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
517  ( (unsigned long) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
518  ( (unsigned long) FSb[ ( RK[7] ) & 0xFF ] << 24 );
519 
520  RK[9] = RK[1] ^ RK[8];
521  RK[10] = RK[2] ^ RK[9];
522  RK[11] = RK[3] ^ RK[10];
523 
524  RK[12] = RK[4] ^
525  ( (unsigned long) FSb[ ( RK[11] ) & 0xFF ] ) ^
526  ( (unsigned long) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
527  ( (unsigned long) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
528  ( (unsigned long) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
529 
530  RK[13] = RK[5] ^ RK[12];
531  RK[14] = RK[6] ^ RK[13];
532  RK[15] = RK[7] ^ RK[14];
533  }
534  break;
535 
536  default:
537 
538  break;
539  }
540 
541  return( 0 );
542 }
543 
544 /*
545  * AES key schedule (decryption)
546  */
547 int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
548 {
549  int i, j;
550  aes_context cty;
551  unsigned long *RK;
552  unsigned long *SK;
553  int ret;
554 
555  switch( keysize )
556  {
557  case 128: ctx->nr = 10; break;
558  case 192: ctx->nr = 12; break;
559  case 256: ctx->nr = 14; break;
560  default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
561  }
562 
563 #if defined(PADLOCK_ALIGN16)
564  ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
565 #else
566  ctx->rk = RK = ctx->buf;
567 #endif
568 
569  ret = aes_setkey_enc( &cty, key, keysize );
570  if( ret != 0 )
571  return( ret );
572 
573  SK = cty.rk + cty.nr * 4;
574 
575  *RK++ = *SK++;
576  *RK++ = *SK++;
577  *RK++ = *SK++;
578  *RK++ = *SK++;
579 
580  for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
581  {
582  for( j = 0; j < 4; j++, SK++ )
583  {
584  *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
585  RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
586  RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
587  RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
588  }
589  }
590 
591  *RK++ = *SK++;
592  *RK++ = *SK++;
593  *RK++ = *SK++;
594  *RK++ = *SK++;
595 
596  memset( &cty, 0, sizeof( aes_context ) );
597 
598  return( 0 );
599 }
600 
601 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
602 { \
603  X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
604  FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
605  FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
606  FT3[ ( Y3 >> 24 ) & 0xFF ]; \
607  \
608  X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
609  FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
610  FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
611  FT3[ ( Y0 >> 24 ) & 0xFF ]; \
612  \
613  X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
614  FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
615  FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
616  FT3[ ( Y1 >> 24 ) & 0xFF ]; \
617  \
618  X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
619  FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
620  FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
621  FT3[ ( Y2 >> 24 ) & 0xFF ]; \
622 }
623 
624 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
625 { \
626  X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
627  RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
628  RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
629  RT3[ ( Y1 >> 24 ) & 0xFF ]; \
630  \
631  X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
632  RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
633  RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
634  RT3[ ( Y2 >> 24 ) & 0xFF ]; \
635  \
636  X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
637  RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
638  RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
639  RT3[ ( Y3 >> 24 ) & 0xFF ]; \
640  \
641  X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
642  RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
643  RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
644  RT3[ ( Y0 >> 24 ) & 0xFF ]; \
645 }
646 
647 /*
648  * AES-ECB block encryption/decryption
649  */
650 int aes_crypt_ecb( aes_context *ctx,
651  int mode,
652  const unsigned char input[16],
653  unsigned char output[16] )
654 {
655  int i;
656  unsigned long *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
657 
658 #if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
659  if( padlock_supports( PADLOCK_ACE ) )
660  {
661  if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
662  return( 0 );
663 
664  // If padlock data misaligned, we just fall back to
665  // unaccelerated mode
666  //
667  }
668 #endif
669 
670  RK = ctx->rk;
671 
672  GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
673  GET_ULONG_LE( X1, input, 4 ); X1 ^= *RK++;
674  GET_ULONG_LE( X2, input, 8 ); X2 ^= *RK++;
675  GET_ULONG_LE( X3, input, 12 ); X3 ^= *RK++;
676 
677  if( mode == AES_DECRYPT )
678  {
679  for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
680  {
681  AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
682  AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
683  }
684 
685  AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
686 
687  X0 = *RK++ ^ \
688  ( (unsigned long) RSb[ ( Y0 ) & 0xFF ] ) ^
689  ( (unsigned long) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
690  ( (unsigned long) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
691  ( (unsigned long) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
692 
693  X1 = *RK++ ^ \
694  ( (unsigned long) RSb[ ( Y1 ) & 0xFF ] ) ^
695  ( (unsigned long) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
696  ( (unsigned long) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
697  ( (unsigned long) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
698 
699  X2 = *RK++ ^ \
700  ( (unsigned long) RSb[ ( Y2 ) & 0xFF ] ) ^
701  ( (unsigned long) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
702  ( (unsigned long) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
703  ( (unsigned long) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
704 
705  X3 = *RK++ ^ \
706  ( (unsigned long) RSb[ ( Y3 ) & 0xFF ] ) ^
707  ( (unsigned long) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
708  ( (unsigned long) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
709  ( (unsigned long) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
710  }
711  else /* AES_ENCRYPT */
712  {
713  for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
714  {
715  AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
716  AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
717  }
718 
719  AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
720 
721  X0 = *RK++ ^ \
722  ( (unsigned long) FSb[ ( Y0 ) & 0xFF ] ) ^
723  ( (unsigned long) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
724  ( (unsigned long) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
725  ( (unsigned long) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
726 
727  X1 = *RK++ ^ \
728  ( (unsigned long) FSb[ ( Y1 ) & 0xFF ] ) ^
729  ( (unsigned long) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
730  ( (unsigned long) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
731  ( (unsigned long) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
732 
733  X2 = *RK++ ^ \
734  ( (unsigned long) FSb[ ( Y2 ) & 0xFF ] ) ^
735  ( (unsigned long) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
736  ( (unsigned long) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
737  ( (unsigned long) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
738 
739  X3 = *RK++ ^ \
740  ( (unsigned long) FSb[ ( Y3 ) & 0xFF ] ) ^
741  ( (unsigned long) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
742  ( (unsigned long) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
743  ( (unsigned long) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
744  }
745 
746  PUT_ULONG_LE( X0, output, 0 );
747  PUT_ULONG_LE( X1, output, 4 );
748  PUT_ULONG_LE( X2, output, 8 );
749  PUT_ULONG_LE( X3, output, 12 );
750 
751  return( 0 );
752 }
753 
754 /*
755  * AES-CBC buffer encryption/decryption
756  */
757 int aes_crypt_cbc( aes_context *ctx,
758  int mode,
759  size_t length,
760  unsigned char iv[16],
761  const unsigned char *input,
762  unsigned char *output )
763 {
764  int i;
765  unsigned char temp[16];
766 
767  if( length % 16 )
769 
770 #if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
771  if( padlock_supports( PADLOCK_ACE ) )
772  {
773  if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
774  return( 0 );
775 
776  // If padlock data misaligned, we just fall back to
777  // unaccelerated mode
778  //
779  }
780 #endif
781 
782  if( mode == AES_DECRYPT )
783  {
784  while( length > 0 )
785  {
786  memcpy( temp, input, 16 );
787  aes_crypt_ecb( ctx, mode, input, output );
788 
789  for( i = 0; i < 16; i++ )
790  output[i] = (unsigned char)( output[i] ^ iv[i] );
791 
792  memcpy( iv, temp, 16 );
793 
794  input += 16;
795  output += 16;
796  length -= 16;
797  }
798  }
799  else
800  {
801  while( length > 0 )
802  {
803  for( i = 0; i < 16; i++ )
804  output[i] = (unsigned char)( input[i] ^ iv[i] );
805 
806  aes_crypt_ecb( ctx, mode, output, output );
807  memcpy( iv, output, 16 );
808 
809  input += 16;
810  output += 16;
811  length -= 16;
812  }
813  }
814 
815  return( 0 );
816 }
817 
818 #if defined(POLARSSL_CIPHER_MODE_CFB)
819 /*
820  * AES-CFB128 buffer encryption/decryption
821  */
822 int aes_crypt_cfb128( aes_context *ctx,
823  int mode,
824  size_t length,
825  size_t *iv_off,
826  unsigned char iv[16],
827  const unsigned char *input,
828  unsigned char *output )
829 {
830  int c;
831  size_t n = *iv_off;
832 
833  if( mode == AES_DECRYPT )
834  {
835  while( length-- )
836  {
837  if( n == 0 )
838  aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
839 
840  c = *input++;
841  *output++ = (unsigned char)( c ^ iv[n] );
842  iv[n] = (unsigned char) c;
843 
844  n = (n + 1) & 0x0F;
845  }
846  }
847  else
848  {
849  while( length-- )
850  {
851  if( n == 0 )
852  aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
853 
854  iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
855 
856  n = (n + 1) & 0x0F;
857  }
858  }
859 
860  *iv_off = n;
861 
862  return( 0 );
863 }
864 #endif /*POLARSSL_CIPHER_MODE_CFB */
865 
866 #if defined(POLARSSL_CIPHER_MODE_CTR)
867 /*
868  * AES-CTR buffer encryption/decryption
869  */
870 int aes_crypt_ctr( aes_context *ctx,
871  size_t length,
872  size_t *nc_off,
873  unsigned char nonce_counter[16],
874  unsigned char stream_block[16],
875  const unsigned char *input,
876  unsigned char *output )
877 {
878  int c, i, cb;
879  size_t n = *nc_off;
880 
881  while( length-- )
882  {
883  if( n == 0 ) {
884  aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
885 
886  i = 15;
887  do {
888  nonce_counter[i]++;
889  cb = nonce_counter[i] == 0;
890  } while( i-- && cb );
891 
892  }
893  c = *input++;
894  *output++ = (unsigned char)( c ^ stream_block[n] );
895 
896  n = (n + 1) & 0x0F;
897  }
898 
899  *nc_off = n;
900 
901  return( 0 );
902 }
903 #endif /* POLARSSL_CIPHER_MODE_CTR */
904 
905 #if defined(POLARSSL_SELF_TEST)
906 
907 #include <stdio.h>
908 
909 /*
910  * AES test vectors from:
911  *
912  * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
913  */
914 static const unsigned char aes_test_ecb_dec[3][16] =
915 {
916  { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
917  0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
918  { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
919  0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
920  { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
921  0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
922 };
923 
924 static const unsigned char aes_test_ecb_enc[3][16] =
925 {
926  { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
927  0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
928  { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
929  0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
930  { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
931  0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
932 };
933 
934 static const unsigned char aes_test_cbc_dec[3][16] =
935 {
936  { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
937  0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
938  { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
939  0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
940  { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
941  0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
942 };
943 
944 static const unsigned char aes_test_cbc_enc[3][16] =
945 {
946  { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
947  0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
948  { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
949  0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
950  { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
951  0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
952 };
953 
954 #if defined(POLARSSL_CIPHER_MODE_CFB)
955 /*
956  * AES-CFB128 test vectors from:
957  *
958  * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
959  */
960 static const unsigned char aes_test_cfb128_key[3][32] =
961 {
962  { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
963  0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
964  { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
965  0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
966  0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
967  { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
968  0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
969  0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
970  0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
971 };
972 
973 static const unsigned char aes_test_cfb128_iv[16] =
974 {
975  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
976  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
977 };
978 
979 static const unsigned char aes_test_cfb128_pt[64] =
980 {
981  0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
982  0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
983  0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
984  0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
985  0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
986  0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
987  0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
988  0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
989 };
990 
991 static const unsigned char aes_test_cfb128_ct[3][64] =
992 {
993  { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
994  0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
995  0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
996  0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
997  0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
998  0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
999  0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1000  0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1001  { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1002  0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1003  0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1004  0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1005  0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1006  0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1007  0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1008  0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1009  { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1010  0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1011  0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1012  0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1013  0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1014  0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1015  0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1016  0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1017 };
1018 #endif /* POLARSSL_CIPHER_MODE_CFB */
1019 
1020 #if defined(POLARSSL_CIPHER_MODE_CTR)
1021 /*
1022  * AES-CTR test vectors from:
1023  *
1024  * http://www.faqs.org/rfcs/rfc3686.html
1025  */
1026 
1027 static const unsigned char aes_test_ctr_key[3][16] =
1028 {
1029  { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1030  0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1031  { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1032  0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1033  { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1034  0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1035 };
1036 
1037 static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1038 {
1039  { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1040  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1041  { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1042  0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1043  { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1044  0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1045 };
1046 
1047 static const unsigned char aes_test_ctr_pt[3][48] =
1048 {
1049  { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1050  0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1051 
1052  { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1053  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1054  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1055  0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1056 
1057  { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1058  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1059  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1060  0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1061  0x20, 0x21, 0x22, 0x23 }
1062 };
1063 
1064 static const unsigned char aes_test_ctr_ct[3][48] =
1065 {
1066  { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1067  0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1068  { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1069  0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1070  0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1071  0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1072  { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1073  0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1074  0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1075  0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1076  0x25, 0xB2, 0x07, 0x2F }
1077 };
1078 
1079 static const int aes_test_ctr_len[3] =
1080  { 16, 32, 36 };
1081 #endif /* POLARSSL_CIPHER_MODE_CTR */
1082 
1083 /*
1084  * Checkup routine
1085  */
1086 int aes_self_test( int verbose )
1087 {
1088  int i, j, u, v;
1089  unsigned char key[32];
1090  unsigned char buf[64];
1091  unsigned char prv[16];
1092  unsigned char iv[16];
1093 #if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
1094  size_t offset;
1095 #endif
1096 #if defined(POLARSSL_CIPHER_MODE_CTR)
1097  int len;
1098  unsigned char nonce_counter[16];
1099  unsigned char stream_block[16];
1100 #endif
1101  aes_context ctx;
1102 
1103  memset( key, 0, 32 );
1104 
1105  /*
1106  * ECB mode
1107  */
1108  for( i = 0; i < 6; i++ )
1109  {
1110  u = i >> 1;
1111  v = i & 1;
1112 
1113  if( verbose != 0 )
1114  printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1115  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1116 
1117  memset( buf, 0, 16 );
1118 
1119  if( v == AES_DECRYPT )
1120  {
1121  aes_setkey_dec( &ctx, key, 128 + u * 64 );
1122 
1123  for( j = 0; j < 10000; j++ )
1124  aes_crypt_ecb( &ctx, v, buf, buf );
1125 
1126  if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1127  {
1128  if( verbose != 0 )
1129  printf( "failed\n" );
1130 
1131  return( 1 );
1132  }
1133  }
1134  else
1135  {
1136  aes_setkey_enc( &ctx, key, 128 + u * 64 );
1137 
1138  for( j = 0; j < 10000; j++ )
1139  aes_crypt_ecb( &ctx, v, buf, buf );
1140 
1141  if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1142  {
1143  if( verbose != 0 )
1144  printf( "failed\n" );
1145 
1146  return( 1 );
1147  }
1148  }
1149 
1150  if( verbose != 0 )
1151  printf( "passed\n" );
1152  }
1153 
1154  if( verbose != 0 )
1155  printf( "\n" );
1156 
1157  /*
1158  * CBC mode
1159  */
1160  for( i = 0; i < 6; i++ )
1161  {
1162  u = i >> 1;
1163  v = i & 1;
1164 
1165  if( verbose != 0 )
1166  printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1167  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1168 
1169  memset( iv , 0, 16 );
1170  memset( prv, 0, 16 );
1171  memset( buf, 0, 16 );
1172 
1173  if( v == AES_DECRYPT )
1174  {
1175  aes_setkey_dec( &ctx, key, 128 + u * 64 );
1176 
1177  for( j = 0; j < 10000; j++ )
1178  aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1179 
1180  if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1181  {
1182  if( verbose != 0 )
1183  printf( "failed\n" );
1184 
1185  return( 1 );
1186  }
1187  }
1188  else
1189  {
1190  aes_setkey_enc( &ctx, key, 128 + u * 64 );
1191 
1192  for( j = 0; j < 10000; j++ )
1193  {
1194  unsigned char tmp[16];
1195 
1196  aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1197 
1198  memcpy( tmp, prv, 16 );
1199  memcpy( prv, buf, 16 );
1200  memcpy( buf, tmp, 16 );
1201  }
1202 
1203  if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1204  {
1205  if( verbose != 0 )
1206  printf( "failed\n" );
1207 
1208  return( 1 );
1209  }
1210  }
1211 
1212  if( verbose != 0 )
1213  printf( "passed\n" );
1214  }
1215 
1216  if( verbose != 0 )
1217  printf( "\n" );
1218 
1219 #if defined(POLARSSL_CIPHER_MODE_CFB)
1220  /*
1221  * CFB128 mode
1222  */
1223  for( i = 0; i < 6; i++ )
1224  {
1225  u = i >> 1;
1226  v = i & 1;
1227 
1228  if( verbose != 0 )
1229  printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1230  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1231 
1232  memcpy( iv, aes_test_cfb128_iv, 16 );
1233  memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1234 
1235  offset = 0;
1236  aes_setkey_enc( &ctx, key, 128 + u * 64 );
1237 
1238  if( v == AES_DECRYPT )
1239  {
1240  memcpy( buf, aes_test_cfb128_ct[u], 64 );
1241  aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1242 
1243  if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1244  {
1245  if( verbose != 0 )
1246  printf( "failed\n" );
1247 
1248  return( 1 );
1249  }
1250  }
1251  else
1252  {
1253  memcpy( buf, aes_test_cfb128_pt, 64 );
1254  aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1255 
1256  if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1257  {
1258  if( verbose != 0 )
1259  printf( "failed\n" );
1260 
1261  return( 1 );
1262  }
1263  }
1264 
1265  if( verbose != 0 )
1266  printf( "passed\n" );
1267  }
1268 
1269  if( verbose != 0 )
1270  printf( "\n" );
1271 #endif /* POLARSSL_CIPHER_MODE_CFB */
1272 
1273 #if defined(POLARSSL_CIPHER_MODE_CTR)
1274  /*
1275  * CTR mode
1276  */
1277  for( i = 0; i < 6; i++ )
1278  {
1279  u = i >> 1;
1280  v = i & 1;
1281 
1282  if( verbose != 0 )
1283  printf( " AES-CTR-128 (%s): ",
1284  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1285 
1286  memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1287  memcpy( key, aes_test_ctr_key[u], 16 );
1288 
1289  offset = 0;
1290  aes_setkey_enc( &ctx, key, 128 );
1291 
1292  if( v == AES_DECRYPT )
1293  {
1294  len = aes_test_ctr_len[u];
1295  memcpy( buf, aes_test_ctr_ct[u], len );
1296 
1297  aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1298 
1299  if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1300  {
1301  if( verbose != 0 )
1302  printf( "failed\n" );
1303 
1304  return( 1 );
1305  }
1306  }
1307  else
1308  {
1309  len = aes_test_ctr_len[u];
1310  memcpy( buf, aes_test_ctr_pt[u], len );
1311 
1312  aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1313 
1314  if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1315  {
1316  if( verbose != 0 )
1317  printf( "failed\n" );
1318 
1319  return( 1 );
1320  }
1321  }
1322 
1323  if( verbose != 0 )
1324  printf( "passed\n" );
1325  }
1326 
1327  if( verbose != 0 )
1328  printf( "\n" );
1329 #endif /* POLARSSL_CIPHER_MODE_CTR */
1330 
1331  return( 0 );
1332 }
1333 
1334 #endif
1335 
1336 #endif