PolarSSL v1.2.7
aes.c
Go to the documentation of this file.
1 /*
2  * FIPS-197 compliant AES implementation
3  *
4  * Copyright (C) 2006-2010, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27  *
28  * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29  * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30  */
31 
32 #include "polarssl/config.h"
33 
34 #if defined(POLARSSL_AES_C)
35 
36 #include "polarssl/aes.h"
37 #if defined(POLARSSL_PADLOCK_C)
38 #include "polarssl/padlock.h"
39 #endif
40 
41 /*
42  * 32-bit integer manipulation macros (little endian)
43  */
44 #ifndef GET_UINT32_LE
45 #define GET_UINT32_LE(n,b,i) \
46 { \
47  (n) = ( (uint32_t) (b)[(i) ] ) \
48  | ( (uint32_t) (b)[(i) + 1] << 8 ) \
49  | ( (uint32_t) (b)[(i) + 2] << 16 ) \
50  | ( (uint32_t) (b)[(i) + 3] << 24 ); \
51 }
52 #endif
53 
54 #ifndef PUT_UINT32_LE
55 #define PUT_UINT32_LE(n,b,i) \
56 { \
57  (b)[(i) ] = (unsigned char) ( (n) ); \
58  (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
59  (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
60  (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
61 }
62 #endif
63 
64 #if defined(POLARSSL_PADLOCK_C) && \
65  ( defined(POLARSSL_HAVE_X86) || defined(PADLOCK_ALIGN16) )
66 static int aes_padlock_ace = -1;
67 #endif
68 
69 #if defined(POLARSSL_AES_ROM_TABLES)
70 /*
71  * Forward S-box
72  */
73 static const unsigned char FSb[256] =
74 {
75  0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
76  0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
77  0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
78  0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
79  0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
80  0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
81  0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
82  0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
83  0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
84  0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
85  0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
86  0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
87  0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
88  0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
89  0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
90  0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
91  0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
92  0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
93  0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
94  0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
95  0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
96  0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
97  0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
98  0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
99  0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
100  0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
101  0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
102  0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
103  0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
104  0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
105  0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
106  0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
107 };
108 
109 /*
110  * Forward tables
111  */
112 #define FT \
113 \
114  V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
115  V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
116  V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
117  V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
118  V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
119  V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
120  V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
121  V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
122  V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
123  V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
124  V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
125  V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
126  V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
127  V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
128  V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
129  V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
130  V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
131  V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
132  V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
133  V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
134  V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
135  V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
136  V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
137  V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
138  V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
139  V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
140  V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
141  V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
142  V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
143  V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
144  V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
145  V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
146  V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
147  V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
148  V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
149  V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
150  V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
151  V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
152  V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
153  V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
154  V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
155  V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
156  V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
157  V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
158  V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
159  V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
160  V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
161  V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
162  V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
163  V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
164  V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
165  V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
166  V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
167  V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
168  V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
169  V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
170  V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
171  V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
172  V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
173  V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
174  V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
175  V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
176  V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
177  V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
178 
179 #define V(a,b,c,d) 0x##a##b##c##d
180 static const uint32_t FT0[256] = { FT };
181 #undef V
182 
183 #define V(a,b,c,d) 0x##b##c##d##a
184 static const uint32_t FT1[256] = { FT };
185 #undef V
186 
187 #define V(a,b,c,d) 0x##c##d##a##b
188 static const uint32_t FT2[256] = { FT };
189 #undef V
190 
191 #define V(a,b,c,d) 0x##d##a##b##c
192 static const uint32_t FT3[256] = { FT };
193 #undef V
194 
195 #undef FT
196 
197 /*
198  * Reverse S-box
199  */
200 static const unsigned char RSb[256] =
201 {
202  0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
203  0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
204  0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
205  0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
206  0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
207  0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
208  0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
209  0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
210  0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
211  0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
212  0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
213  0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
214  0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
215  0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
216  0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
217  0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
218  0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
219  0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
220  0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
221  0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
222  0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
223  0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
224  0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
225  0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
226  0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
227  0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
228  0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
229  0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
230  0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
231  0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
232  0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
233  0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
234 };
235 
236 /*
237  * Reverse tables
238  */
239 #define RT \
240 \
241  V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
242  V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
243  V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
244  V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
245  V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
246  V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
247  V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
248  V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
249  V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
250  V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
251  V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
252  V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
253  V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
254  V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
255  V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
256  V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
257  V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
258  V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
259  V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
260  V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
261  V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
262  V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
263  V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
264  V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
265  V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
266  V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
267  V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
268  V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
269  V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
270  V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
271  V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
272  V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
273  V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
274  V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
275  V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
276  V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
277  V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
278  V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
279  V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
280  V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
281  V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
282  V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
283  V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
284  V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
285  V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
286  V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
287  V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
288  V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
289  V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
290  V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
291  V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
292  V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
293  V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
294  V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
295  V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
296  V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
297  V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
298  V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
299  V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
300  V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
301  V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
302  V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
303  V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
304  V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
305 
306 #define V(a,b,c,d) 0x##a##b##c##d
307 static const uint32_t RT0[256] = { RT };
308 #undef V
309 
310 #define V(a,b,c,d) 0x##b##c##d##a
311 static const uint32_t RT1[256] = { RT };
312 #undef V
313 
314 #define V(a,b,c,d) 0x##c##d##a##b
315 static const uint32_t RT2[256] = { RT };
316 #undef V
317 
318 #define V(a,b,c,d) 0x##d##a##b##c
319 static const uint32_t RT3[256] = { RT };
320 #undef V
321 
322 #undef RT
323 
324 /*
325  * Round constants
326  */
327 static const uint32_t RCON[10] =
328 {
329  0x00000001, 0x00000002, 0x00000004, 0x00000008,
330  0x00000010, 0x00000020, 0x00000040, 0x00000080,
331  0x0000001B, 0x00000036
332 };
333 
334 #else
335 
336 /*
337  * Forward S-box & tables
338  */
339 static unsigned char FSb[256];
340 static uint32_t FT0[256];
341 static uint32_t FT1[256];
342 static uint32_t FT2[256];
343 static uint32_t FT3[256];
344 
345 /*
346  * Reverse S-box & tables
347  */
348 static unsigned char RSb[256];
349 static uint32_t RT0[256];
350 static uint32_t RT1[256];
351 static uint32_t RT2[256];
352 static uint32_t RT3[256];
353 
354 /*
355  * Round constants
356  */
357 static uint32_t RCON[10];
358 
359 /*
360  * Tables generation code
361  */
362 #define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
363 #define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
364 #define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
365 
366 static int aes_init_done = 0;
367 
368 static void aes_gen_tables( void )
369 {
370  int i, x, y, z;
371  int pow[256];
372  int log[256];
373 
374  /*
375  * compute pow and log tables over GF(2^8)
376  */
377  for( i = 0, x = 1; i < 256; i++ )
378  {
379  pow[i] = x;
380  log[x] = i;
381  x = ( x ^ XTIME( x ) ) & 0xFF;
382  }
383 
384  /*
385  * calculate the round constants
386  */
387  for( i = 0, x = 1; i < 10; i++ )
388  {
389  RCON[i] = (uint32_t) x;
390  x = XTIME( x ) & 0xFF;
391  }
392 
393  /*
394  * generate the forward and reverse S-boxes
395  */
396  FSb[0x00] = 0x63;
397  RSb[0x63] = 0x00;
398 
399  for( i = 1; i < 256; i++ )
400  {
401  x = pow[255 - log[i]];
402 
403  y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
404  x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
405  x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
406  x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
407  x ^= y ^ 0x63;
408 
409  FSb[i] = (unsigned char) x;
410  RSb[x] = (unsigned char) i;
411  }
412 
413  /*
414  * generate the forward and reverse tables
415  */
416  for( i = 0; i < 256; i++ )
417  {
418  x = FSb[i];
419  y = XTIME( x ) & 0xFF;
420  z = ( y ^ x ) & 0xFF;
421 
422  FT0[i] = ( (uint32_t) y ) ^
423  ( (uint32_t) x << 8 ) ^
424  ( (uint32_t) x << 16 ) ^
425  ( (uint32_t) z << 24 );
426 
427  FT1[i] = ROTL8( FT0[i] );
428  FT2[i] = ROTL8( FT1[i] );
429  FT3[i] = ROTL8( FT2[i] );
430 
431  x = RSb[i];
432 
433  RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
434  ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
435  ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
436  ( (uint32_t) MUL( 0x0B, x ) << 24 );
437 
438  RT1[i] = ROTL8( RT0[i] );
439  RT2[i] = ROTL8( RT1[i] );
440  RT3[i] = ROTL8( RT2[i] );
441  }
442 }
443 
444 #endif
445 
446 /*
447  * AES key schedule (encryption)
448  */
449 int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
450 {
451  unsigned int i;
452  uint32_t *RK;
453 
454 #if !defined(POLARSSL_AES_ROM_TABLES)
455  if( aes_init_done == 0 )
456  {
457  aes_gen_tables();
458  aes_init_done = 1;
459 
460  }
461 #endif
462 
463  switch( keysize )
464  {
465  case 128: ctx->nr = 10; break;
466  case 192: ctx->nr = 12; break;
467  case 256: ctx->nr = 14; break;
468  default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
469  }
470 
471 #if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
472  if( aes_padlock_ace == -1 )
473  aes_padlock_ace = padlock_supports( PADLOCK_ACE );
474 
475  if( aes_padlock_ace )
476  ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
477  else
478 #endif
479  ctx->rk = RK = ctx->buf;
480 
481  for( i = 0; i < (keysize >> 5); i++ )
482  {
483  GET_UINT32_LE( RK[i], key, i << 2 );
484  }
485 
486  switch( ctx->nr )
487  {
488  case 10:
489 
490  for( i = 0; i < 10; i++, RK += 4 )
491  {
492  RK[4] = RK[0] ^ RCON[i] ^
493  ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
494  ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
495  ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
496  ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
497 
498  RK[5] = RK[1] ^ RK[4];
499  RK[6] = RK[2] ^ RK[5];
500  RK[7] = RK[3] ^ RK[6];
501  }
502  break;
503 
504  case 12:
505 
506  for( i = 0; i < 8; i++, RK += 6 )
507  {
508  RK[6] = RK[0] ^ RCON[i] ^
509  ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
510  ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
511  ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
512  ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
513 
514  RK[7] = RK[1] ^ RK[6];
515  RK[8] = RK[2] ^ RK[7];
516  RK[9] = RK[3] ^ RK[8];
517  RK[10] = RK[4] ^ RK[9];
518  RK[11] = RK[5] ^ RK[10];
519  }
520  break;
521 
522  case 14:
523 
524  for( i = 0; i < 7; i++, RK += 8 )
525  {
526  RK[8] = RK[0] ^ RCON[i] ^
527  ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
528  ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
529  ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
530  ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
531 
532  RK[9] = RK[1] ^ RK[8];
533  RK[10] = RK[2] ^ RK[9];
534  RK[11] = RK[3] ^ RK[10];
535 
536  RK[12] = RK[4] ^
537  ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
538  ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
539  ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
540  ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
541 
542  RK[13] = RK[5] ^ RK[12];
543  RK[14] = RK[6] ^ RK[13];
544  RK[15] = RK[7] ^ RK[14];
545  }
546  break;
547 
548  default:
549 
550  break;
551  }
552 
553  return( 0 );
554 }
555 
556 /*
557  * AES key schedule (decryption)
558  */
559 int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
560 {
561  int i, j;
562  aes_context cty;
563  uint32_t *RK;
564  uint32_t *SK;
565  int ret;
566 
567  switch( keysize )
568  {
569  case 128: ctx->nr = 10; break;
570  case 192: ctx->nr = 12; break;
571  case 256: ctx->nr = 14; break;
572  default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
573  }
574 
575 #if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
576  if( aes_padlock_ace == -1 )
577  aes_padlock_ace = padlock_supports( PADLOCK_ACE );
578 
579  if( aes_padlock_ace )
580  ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
581  else
582 #endif
583  ctx->rk = RK = ctx->buf;
584 
585  ret = aes_setkey_enc( &cty, key, keysize );
586  if( ret != 0 )
587  return( ret );
588 
589  SK = cty.rk + cty.nr * 4;
590 
591  *RK++ = *SK++;
592  *RK++ = *SK++;
593  *RK++ = *SK++;
594  *RK++ = *SK++;
595 
596  for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
597  {
598  for( j = 0; j < 4; j++, SK++ )
599  {
600  *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
601  RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
602  RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
603  RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
604  }
605  }
606 
607  *RK++ = *SK++;
608  *RK++ = *SK++;
609  *RK++ = *SK++;
610  *RK++ = *SK++;
611 
612  memset( &cty, 0, sizeof( aes_context ) );
613 
614  return( 0 );
615 }
616 
617 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
618 { \
619  X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
620  FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
621  FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
622  FT3[ ( Y3 >> 24 ) & 0xFF ]; \
623  \
624  X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
625  FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
626  FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
627  FT3[ ( Y0 >> 24 ) & 0xFF ]; \
628  \
629  X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
630  FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
631  FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
632  FT3[ ( Y1 >> 24 ) & 0xFF ]; \
633  \
634  X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
635  FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
636  FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
637  FT3[ ( Y2 >> 24 ) & 0xFF ]; \
638 }
639 
640 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
641 { \
642  X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
643  RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
644  RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
645  RT3[ ( Y1 >> 24 ) & 0xFF ]; \
646  \
647  X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
648  RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
649  RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
650  RT3[ ( Y2 >> 24 ) & 0xFF ]; \
651  \
652  X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
653  RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
654  RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
655  RT3[ ( Y3 >> 24 ) & 0xFF ]; \
656  \
657  X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
658  RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
659  RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
660  RT3[ ( Y0 >> 24 ) & 0xFF ]; \
661 }
662 
663 /*
664  * AES-ECB block encryption/decryption
665  */
666 int aes_crypt_ecb( aes_context *ctx,
667  int mode,
668  const unsigned char input[16],
669  unsigned char output[16] )
670 {
671  int i;
672  uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
673 
674 #if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
675  if( aes_padlock_ace )
676  {
677  if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
678  return( 0 );
679 
680  // If padlock data misaligned, we just fall back to
681  // unaccelerated mode
682  //
683  }
684 #endif
685 
686  RK = ctx->rk;
687 
688  GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
689  GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
690  GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
691  GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
692 
693  if( mode == AES_DECRYPT )
694  {
695  for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
696  {
697  AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
698  AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
699  }
700 
701  AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
702 
703  X0 = *RK++ ^ \
704  ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
705  ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
706  ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
707  ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
708 
709  X1 = *RK++ ^ \
710  ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
711  ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
712  ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
713  ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
714 
715  X2 = *RK++ ^ \
716  ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
717  ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
718  ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
719  ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
720 
721  X3 = *RK++ ^ \
722  ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
723  ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
724  ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
725  ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
726  }
727  else /* AES_ENCRYPT */
728  {
729  for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
730  {
731  AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
732  AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
733  }
734 
735  AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
736 
737  X0 = *RK++ ^ \
738  ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
739  ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
740  ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
741  ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
742 
743  X1 = *RK++ ^ \
744  ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
745  ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
746  ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
747  ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
748 
749  X2 = *RK++ ^ \
750  ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
751  ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
752  ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
753  ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
754 
755  X3 = *RK++ ^ \
756  ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
757  ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
758  ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
759  ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
760  }
761 
762  PUT_UINT32_LE( X0, output, 0 );
763  PUT_UINT32_LE( X1, output, 4 );
764  PUT_UINT32_LE( X2, output, 8 );
765  PUT_UINT32_LE( X3, output, 12 );
766 
767  return( 0 );
768 }
769 
770 /*
771  * AES-CBC buffer encryption/decryption
772  */
773 int aes_crypt_cbc( aes_context *ctx,
774  int mode,
775  size_t length,
776  unsigned char iv[16],
777  const unsigned char *input,
778  unsigned char *output )
779 {
780  int i;
781  unsigned char temp[16];
782 
783  if( length % 16 )
785 
786 #if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
787  if( aes_padlock_ace )
788  {
789  if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
790  return( 0 );
791 
792  // If padlock data misaligned, we just fall back to
793  // unaccelerated mode
794  //
795  }
796 #endif
797 
798  if( mode == AES_DECRYPT )
799  {
800  while( length > 0 )
801  {
802  memcpy( temp, input, 16 );
803  aes_crypt_ecb( ctx, mode, input, output );
804 
805  for( i = 0; i < 16; i++ )
806  output[i] = (unsigned char)( output[i] ^ iv[i] );
807 
808  memcpy( iv, temp, 16 );
809 
810  input += 16;
811  output += 16;
812  length -= 16;
813  }
814  }
815  else
816  {
817  while( length > 0 )
818  {
819  for( i = 0; i < 16; i++ )
820  output[i] = (unsigned char)( input[i] ^ iv[i] );
821 
822  aes_crypt_ecb( ctx, mode, output, output );
823  memcpy( iv, output, 16 );
824 
825  input += 16;
826  output += 16;
827  length -= 16;
828  }
829  }
830 
831  return( 0 );
832 }
833 
834 #if defined(POLARSSL_CIPHER_MODE_CFB)
835 /*
836  * AES-CFB128 buffer encryption/decryption
837  */
838 int aes_crypt_cfb128( aes_context *ctx,
839  int mode,
840  size_t length,
841  size_t *iv_off,
842  unsigned char iv[16],
843  const unsigned char *input,
844  unsigned char *output )
845 {
846  int c;
847  size_t n = *iv_off;
848 
849  if( mode == AES_DECRYPT )
850  {
851  while( length-- )
852  {
853  if( n == 0 )
854  aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
855 
856  c = *input++;
857  *output++ = (unsigned char)( c ^ iv[n] );
858  iv[n] = (unsigned char) c;
859 
860  n = (n + 1) & 0x0F;
861  }
862  }
863  else
864  {
865  while( length-- )
866  {
867  if( n == 0 )
868  aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
869 
870  iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
871 
872  n = (n + 1) & 0x0F;
873  }
874  }
875 
876  *iv_off = n;
877 
878  return( 0 );
879 }
880 #endif /*POLARSSL_CIPHER_MODE_CFB */
881 
882 #if defined(POLARSSL_CIPHER_MODE_CTR)
883 /*
884  * AES-CTR buffer encryption/decryption
885  */
886 int aes_crypt_ctr( aes_context *ctx,
887  size_t length,
888  size_t *nc_off,
889  unsigned char nonce_counter[16],
890  unsigned char stream_block[16],
891  const unsigned char *input,
892  unsigned char *output )
893 {
894  int c, i;
895  size_t n = *nc_off;
896 
897  while( length-- )
898  {
899  if( n == 0 ) {
900  aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
901 
902  for( i = 16; i > 0; i-- )
903  if( ++nonce_counter[i - 1] != 0 )
904  break;
905  }
906  c = *input++;
907  *output++ = (unsigned char)( c ^ stream_block[n] );
908 
909  n = (n + 1) & 0x0F;
910  }
911 
912  *nc_off = n;
913 
914  return( 0 );
915 }
916 #endif /* POLARSSL_CIPHER_MODE_CTR */
917 
918 #if defined(POLARSSL_SELF_TEST)
919 
920 #include <stdio.h>
921 
922 /*
923  * AES test vectors from:
924  *
925  * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
926  */
927 static const unsigned char aes_test_ecb_dec[3][16] =
928 {
929  { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
930  0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
931  { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
932  0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
933  { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
934  0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
935 };
936 
937 static const unsigned char aes_test_ecb_enc[3][16] =
938 {
939  { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
940  0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
941  { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
942  0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
943  { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
944  0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
945 };
946 
947 static const unsigned char aes_test_cbc_dec[3][16] =
948 {
949  { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
950  0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
951  { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
952  0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
953  { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
954  0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
955 };
956 
957 static const unsigned char aes_test_cbc_enc[3][16] =
958 {
959  { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
960  0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
961  { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
962  0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
963  { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
964  0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
965 };
966 
967 #if defined(POLARSSL_CIPHER_MODE_CFB)
968 /*
969  * AES-CFB128 test vectors from:
970  *
971  * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
972  */
973 static const unsigned char aes_test_cfb128_key[3][32] =
974 {
975  { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
976  0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
977  { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
978  0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
979  0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
980  { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
981  0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
982  0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
983  0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
984 };
985 
986 static const unsigned char aes_test_cfb128_iv[16] =
987 {
988  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
989  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
990 };
991 
992 static const unsigned char aes_test_cfb128_pt[64] =
993 {
994  0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
995  0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
996  0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
997  0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
998  0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
999  0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1000  0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1001  0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1002 };
1003 
1004 static const unsigned char aes_test_cfb128_ct[3][64] =
1005 {
1006  { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1007  0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1008  0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1009  0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1010  0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1011  0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1012  0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1013  0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1014  { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1015  0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1016  0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1017  0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1018  0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1019  0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1020  0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1021  0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1022  { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1023  0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1024  0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1025  0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1026  0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1027  0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1028  0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1029  0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1030 };
1031 #endif /* POLARSSL_CIPHER_MODE_CFB */
1032 
1033 #if defined(POLARSSL_CIPHER_MODE_CTR)
1034 /*
1035  * AES-CTR test vectors from:
1036  *
1037  * http://www.faqs.org/rfcs/rfc3686.html
1038  */
1039 
1040 static const unsigned char aes_test_ctr_key[3][16] =
1041 {
1042  { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1043  0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1044  { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1045  0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1046  { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1047  0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1048 };
1049 
1050 static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1051 {
1052  { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1053  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1054  { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1055  0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1056  { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1057  0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1058 };
1059 
1060 static const unsigned char aes_test_ctr_pt[3][48] =
1061 {
1062  { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1063  0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1064 
1065  { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1066  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1067  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1068  0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1069 
1070  { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1071  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1072  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1073  0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1074  0x20, 0x21, 0x22, 0x23 }
1075 };
1076 
1077 static const unsigned char aes_test_ctr_ct[3][48] =
1078 {
1079  { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1080  0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1081  { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1082  0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1083  0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1084  0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1085  { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1086  0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1087  0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1088  0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1089  0x25, 0xB2, 0x07, 0x2F }
1090 };
1091 
1092 static const int aes_test_ctr_len[3] =
1093  { 16, 32, 36 };
1094 #endif /* POLARSSL_CIPHER_MODE_CTR */
1095 
1096 /*
1097  * Checkup routine
1098  */
1099 int aes_self_test( int verbose )
1100 {
1101  int i, j, u, v;
1102  unsigned char key[32];
1103  unsigned char buf[64];
1104  unsigned char prv[16];
1105  unsigned char iv[16];
1106 #if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
1107  size_t offset;
1108 #endif
1109 #if defined(POLARSSL_CIPHER_MODE_CTR)
1110  int len;
1111  unsigned char nonce_counter[16];
1112  unsigned char stream_block[16];
1113 #endif
1114  aes_context ctx;
1115 
1116  memset( key, 0, 32 );
1117 
1118  /*
1119  * ECB mode
1120  */
1121  for( i = 0; i < 6; i++ )
1122  {
1123  u = i >> 1;
1124  v = i & 1;
1125 
1126  if( verbose != 0 )
1127  printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1128  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1129 
1130  memset( buf, 0, 16 );
1131 
1132  if( v == AES_DECRYPT )
1133  {
1134  aes_setkey_dec( &ctx, key, 128 + u * 64 );
1135 
1136  for( j = 0; j < 10000; j++ )
1137  aes_crypt_ecb( &ctx, v, buf, buf );
1138 
1139  if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1140  {
1141  if( verbose != 0 )
1142  printf( "failed\n" );
1143 
1144  return( 1 );
1145  }
1146  }
1147  else
1148  {
1149  aes_setkey_enc( &ctx, key, 128 + u * 64 );
1150 
1151  for( j = 0; j < 10000; j++ )
1152  aes_crypt_ecb( &ctx, v, buf, buf );
1153 
1154  if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1155  {
1156  if( verbose != 0 )
1157  printf( "failed\n" );
1158 
1159  return( 1 );
1160  }
1161  }
1162 
1163  if( verbose != 0 )
1164  printf( "passed\n" );
1165  }
1166 
1167  if( verbose != 0 )
1168  printf( "\n" );
1169 
1170  /*
1171  * CBC mode
1172  */
1173  for( i = 0; i < 6; i++ )
1174  {
1175  u = i >> 1;
1176  v = i & 1;
1177 
1178  if( verbose != 0 )
1179  printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1180  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1181 
1182  memset( iv , 0, 16 );
1183  memset( prv, 0, 16 );
1184  memset( buf, 0, 16 );
1185 
1186  if( v == AES_DECRYPT )
1187  {
1188  aes_setkey_dec( &ctx, key, 128 + u * 64 );
1189 
1190  for( j = 0; j < 10000; j++ )
1191  aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1192 
1193  if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1194  {
1195  if( verbose != 0 )
1196  printf( "failed\n" );
1197 
1198  return( 1 );
1199  }
1200  }
1201  else
1202  {
1203  aes_setkey_enc( &ctx, key, 128 + u * 64 );
1204 
1205  for( j = 0; j < 10000; j++ )
1206  {
1207  unsigned char tmp[16];
1208 
1209  aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1210 
1211  memcpy( tmp, prv, 16 );
1212  memcpy( prv, buf, 16 );
1213  memcpy( buf, tmp, 16 );
1214  }
1215 
1216  if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1217  {
1218  if( verbose != 0 )
1219  printf( "failed\n" );
1220 
1221  return( 1 );
1222  }
1223  }
1224 
1225  if( verbose != 0 )
1226  printf( "passed\n" );
1227  }
1228 
1229  if( verbose != 0 )
1230  printf( "\n" );
1231 
1232 #if defined(POLARSSL_CIPHER_MODE_CFB)
1233  /*
1234  * CFB128 mode
1235  */
1236  for( i = 0; i < 6; i++ )
1237  {
1238  u = i >> 1;
1239  v = i & 1;
1240 
1241  if( verbose != 0 )
1242  printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1243  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1244 
1245  memcpy( iv, aes_test_cfb128_iv, 16 );
1246  memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1247 
1248  offset = 0;
1249  aes_setkey_enc( &ctx, key, 128 + u * 64 );
1250 
1251  if( v == AES_DECRYPT )
1252  {
1253  memcpy( buf, aes_test_cfb128_ct[u], 64 );
1254  aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1255 
1256  if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1257  {
1258  if( verbose != 0 )
1259  printf( "failed\n" );
1260 
1261  return( 1 );
1262  }
1263  }
1264  else
1265  {
1266  memcpy( buf, aes_test_cfb128_pt, 64 );
1267  aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1268 
1269  if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1270  {
1271  if( verbose != 0 )
1272  printf( "failed\n" );
1273 
1274  return( 1 );
1275  }
1276  }
1277 
1278  if( verbose != 0 )
1279  printf( "passed\n" );
1280  }
1281 
1282  if( verbose != 0 )
1283  printf( "\n" );
1284 #endif /* POLARSSL_CIPHER_MODE_CFB */
1285 
1286 #if defined(POLARSSL_CIPHER_MODE_CTR)
1287  /*
1288  * CTR mode
1289  */
1290  for( i = 0; i < 6; i++ )
1291  {
1292  u = i >> 1;
1293  v = i & 1;
1294 
1295  if( verbose != 0 )
1296  printf( " AES-CTR-128 (%s): ",
1297  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1298 
1299  memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1300  memcpy( key, aes_test_ctr_key[u], 16 );
1301 
1302  offset = 0;
1303  aes_setkey_enc( &ctx, key, 128 );
1304 
1305  if( v == AES_DECRYPT )
1306  {
1307  len = aes_test_ctr_len[u];
1308  memcpy( buf, aes_test_ctr_ct[u], len );
1309 
1310  aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1311 
1312  if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1313  {
1314  if( verbose != 0 )
1315  printf( "failed\n" );
1316 
1317  return( 1 );
1318  }
1319  }
1320  else
1321  {
1322  len = aes_test_ctr_len[u];
1323  memcpy( buf, aes_test_ctr_pt[u], len );
1324 
1325  aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1326 
1327  if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1328  {
1329  if( verbose != 0 )
1330  printf( "failed\n" );
1331 
1332  return( 1 );
1333  }
1334  }
1335 
1336  if( verbose != 0 )
1337  printf( "passed\n" );
1338  }
1339 
1340  if( verbose != 0 )
1341  printf( "\n" );
1342 #endif /* POLARSSL_CIPHER_MODE_CTR */
1343 
1344  return( 0 );
1345 }
1346 
1347 #endif
1348 
1349 #endif