00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012
00013
00014
00015
00016
00017
00018
00019
00020
00021
00022
00023
00024
00025
00026
00027
00028
00029
00030
00031
00032 #include "polarssl/config.h"
00033
00034 #if defined(POLARSSL_AES_C)
00035
00036 #include "polarssl/aes.h"
00037 #if defined(POLARSSL_PADLOCK_C)
00038 #include "polarssl/padlock.h"
00039 #endif
00040
00041 #if !defined(POLARSSL_AES_ALT)
00042
00043
00044
00045
00046 #ifndef GET_UINT32_LE
00047 #define GET_UINT32_LE(n,b,i) \
00048 { \
00049 (n) = ( (uint32_t) (b)[(i) ] ) \
00050 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
00051 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
00052 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
00053 }
00054 #endif
00055
00056 #ifndef PUT_UINT32_LE
00057 #define PUT_UINT32_LE(n,b,i) \
00058 { \
00059 (b)[(i) ] = (unsigned char) ( (n) ); \
00060 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
00061 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
00062 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
00063 }
00064 #endif
00065
00066 #if defined(POLARSSL_PADLOCK_C) && \
00067 ( defined(POLARSSL_HAVE_X86) || defined(PADLOCK_ALIGN16) )
00068 static int aes_padlock_ace = -1;
00069 #endif
00070
00071 #if defined(POLARSSL_AES_ROM_TABLES)
00072
00073
00074
00075 static const unsigned char FSb[256] =
00076 {
00077 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
00078 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
00079 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
00080 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
00081 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
00082 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
00083 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
00084 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
00085 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
00086 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
00087 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
00088 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
00089 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
00090 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
00091 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
00092 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
00093 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
00094 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
00095 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
00096 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
00097 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
00098 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
00099 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
00100 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
00101 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
00102 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
00103 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
00104 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
00105 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
00106 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
00107 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
00108 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
00109 };
00110
00111
00112
00113
00114 #define FT \
00115 \
00116 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
00117 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
00118 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
00119 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
00120 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
00121 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
00122 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
00123 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
00124 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
00125 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
00126 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
00127 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
00128 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
00129 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
00130 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
00131 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
00132 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
00133 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
00134 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
00135 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
00136 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
00137 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
00138 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
00139 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
00140 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
00141 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
00142 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
00143 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
00144 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
00145 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
00146 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
00147 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
00148 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
00149 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
00150 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
00151 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
00152 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
00153 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
00154 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
00155 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
00156 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
00157 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
00158 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
00159 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
00160 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
00161 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
00162 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
00163 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
00164 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
00165 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
00166 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
00167 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
00168 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
00169 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
00170 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
00171 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
00172 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
00173 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
00174 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
00175 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
00176 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
00177 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
00178 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
00179 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
00180
00181 #define V(a,b,c,d) 0x##a##b##c##d
00182 static const uint32_t FT0[256] = { FT };
00183 #undef V
00184
00185 #define V(a,b,c,d) 0x##b##c##d##a
00186 static const uint32_t FT1[256] = { FT };
00187 #undef V
00188
00189 #define V(a,b,c,d) 0x##c##d##a##b
00190 static const uint32_t FT2[256] = { FT };
00191 #undef V
00192
00193 #define V(a,b,c,d) 0x##d##a##b##c
00194 static const uint32_t FT3[256] = { FT };
00195 #undef V
00196
00197 #undef FT
00198
00199
00200
00201
00202 static const unsigned char RSb[256] =
00203 {
00204 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
00205 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
00206 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
00207 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
00208 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
00209 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
00210 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
00211 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
00212 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
00213 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
00214 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
00215 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
00216 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
00217 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
00218 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
00219 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
00220 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
00221 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
00222 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
00223 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
00224 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
00225 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
00226 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
00227 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
00228 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
00229 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
00230 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
00231 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
00232 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
00233 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
00234 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
00235 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
00236 };
00237
00238
00239
00240
00241 #define RT \
00242 \
00243 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
00244 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
00245 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
00246 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
00247 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
00248 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
00249 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
00250 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
00251 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
00252 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
00253 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
00254 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
00255 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
00256 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
00257 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
00258 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
00259 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
00260 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
00261 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
00262 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
00263 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
00264 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
00265 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
00266 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
00267 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
00268 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
00269 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
00270 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
00271 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
00272 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
00273 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
00274 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
00275 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
00276 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
00277 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
00278 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
00279 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
00280 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
00281 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
00282 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
00283 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
00284 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
00285 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
00286 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
00287 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
00288 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
00289 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
00290 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
00291 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
00292 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
00293 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
00294 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
00295 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
00296 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
00297 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
00298 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
00299 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
00300 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
00301 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
00302 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
00303 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
00304 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
00305 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
00306 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
00307
00308 #define V(a,b,c,d) 0x##a##b##c##d
00309 static const uint32_t RT0[256] = { RT };
00310 #undef V
00311
00312 #define V(a,b,c,d) 0x##b##c##d##a
00313 static const uint32_t RT1[256] = { RT };
00314 #undef V
00315
00316 #define V(a,b,c,d) 0x##c##d##a##b
00317 static const uint32_t RT2[256] = { RT };
00318 #undef V
00319
00320 #define V(a,b,c,d) 0x##d##a##b##c
00321 static const uint32_t RT3[256] = { RT };
00322 #undef V
00323
00324 #undef RT
00325
00326
00327
00328
00329 static const uint32_t RCON[10] =
00330 {
00331 0x00000001, 0x00000002, 0x00000004, 0x00000008,
00332 0x00000010, 0x00000020, 0x00000040, 0x00000080,
00333 0x0000001B, 0x00000036
00334 };
00335
00336 #else
00337
00338
00339
00340
00341 static unsigned char FSb[256];
00342 static uint32_t FT0[256];
00343 static uint32_t FT1[256];
00344 static uint32_t FT2[256];
00345 static uint32_t FT3[256];
00346
00347
00348
00349
00350 static unsigned char RSb[256];
00351 static uint32_t RT0[256];
00352 static uint32_t RT1[256];
00353 static uint32_t RT2[256];
00354 static uint32_t RT3[256];
00355
00356
00357
00358
00359 static uint32_t RCON[10];
00360
00361
00362
00363
00364 #define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
00365 #define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
00366 #define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
00367
00368 static int aes_init_done = 0;
00369
00370 static void aes_gen_tables( void )
00371 {
00372 int i, x, y, z;
00373 int pow[256];
00374 int log[256];
00375
00376
00377
00378
00379 for( i = 0, x = 1; i < 256; i++ )
00380 {
00381 pow[i] = x;
00382 log[x] = i;
00383 x = ( x ^ XTIME( x ) ) & 0xFF;
00384 }
00385
00386
00387
00388
00389 for( i = 0, x = 1; i < 10; i++ )
00390 {
00391 RCON[i] = (uint32_t) x;
00392 x = XTIME( x ) & 0xFF;
00393 }
00394
00395
00396
00397
00398 FSb[0x00] = 0x63;
00399 RSb[0x63] = 0x00;
00400
00401 for( i = 1; i < 256; i++ )
00402 {
00403 x = pow[255 - log[i]];
00404
00405 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
00406 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
00407 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
00408 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
00409 x ^= y ^ 0x63;
00410
00411 FSb[i] = (unsigned char) x;
00412 RSb[x] = (unsigned char) i;
00413 }
00414
00415
00416
00417
00418 for( i = 0; i < 256; i++ )
00419 {
00420 x = FSb[i];
00421 y = XTIME( x ) & 0xFF;
00422 z = ( y ^ x ) & 0xFF;
00423
00424 FT0[i] = ( (uint32_t) y ) ^
00425 ( (uint32_t) x << 8 ) ^
00426 ( (uint32_t) x << 16 ) ^
00427 ( (uint32_t) z << 24 );
00428
00429 FT1[i] = ROTL8( FT0[i] );
00430 FT2[i] = ROTL8( FT1[i] );
00431 FT3[i] = ROTL8( FT2[i] );
00432
00433 x = RSb[i];
00434
00435 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
00436 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
00437 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
00438 ( (uint32_t) MUL( 0x0B, x ) << 24 );
00439
00440 RT1[i] = ROTL8( RT0[i] );
00441 RT2[i] = ROTL8( RT1[i] );
00442 RT3[i] = ROTL8( RT2[i] );
00443 }
00444 }
00445
00446 #endif
00447
00448
00449
00450
00451 int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
00452 {
00453 unsigned int i;
00454 uint32_t *RK;
00455
00456 #if !defined(POLARSSL_AES_ROM_TABLES)
00457 if( aes_init_done == 0 )
00458 {
00459 aes_gen_tables();
00460 aes_init_done = 1;
00461
00462 }
00463 #endif
00464
00465 switch( keysize )
00466 {
00467 case 128: ctx->nr = 10; break;
00468 case 192: ctx->nr = 12; break;
00469 case 256: ctx->nr = 14; break;
00470 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
00471 }
00472
00473 #if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
00474 if( aes_padlock_ace == -1 )
00475 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
00476
00477 if( aes_padlock_ace )
00478 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
00479 else
00480 #endif
00481 ctx->rk = RK = ctx->buf;
00482
00483 for( i = 0; i < (keysize >> 5); i++ )
00484 {
00485 GET_UINT32_LE( RK[i], key, i << 2 );
00486 }
00487
00488 switch( ctx->nr )
00489 {
00490 case 10:
00491
00492 for( i = 0; i < 10; i++, RK += 4 )
00493 {
00494 RK[4] = RK[0] ^ RCON[i] ^
00495 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
00496 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
00497 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
00498 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
00499
00500 RK[5] = RK[1] ^ RK[4];
00501 RK[6] = RK[2] ^ RK[5];
00502 RK[7] = RK[3] ^ RK[6];
00503 }
00504 break;
00505
00506 case 12:
00507
00508 for( i = 0; i < 8; i++, RK += 6 )
00509 {
00510 RK[6] = RK[0] ^ RCON[i] ^
00511 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
00512 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
00513 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
00514 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
00515
00516 RK[7] = RK[1] ^ RK[6];
00517 RK[8] = RK[2] ^ RK[7];
00518 RK[9] = RK[3] ^ RK[8];
00519 RK[10] = RK[4] ^ RK[9];
00520 RK[11] = RK[5] ^ RK[10];
00521 }
00522 break;
00523
00524 case 14:
00525
00526 for( i = 0; i < 7; i++, RK += 8 )
00527 {
00528 RK[8] = RK[0] ^ RCON[i] ^
00529 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
00530 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
00531 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
00532 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
00533
00534 RK[9] = RK[1] ^ RK[8];
00535 RK[10] = RK[2] ^ RK[9];
00536 RK[11] = RK[3] ^ RK[10];
00537
00538 RK[12] = RK[4] ^
00539 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
00540 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
00541 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
00542 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
00543
00544 RK[13] = RK[5] ^ RK[12];
00545 RK[14] = RK[6] ^ RK[13];
00546 RK[15] = RK[7] ^ RK[14];
00547 }
00548 break;
00549
00550 default:
00551
00552 break;
00553 }
00554
00555 return( 0 );
00556 }
00557
00558
00559
00560
00561 int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
00562 {
00563 int i, j;
00564 aes_context cty;
00565 uint32_t *RK;
00566 uint32_t *SK;
00567 int ret;
00568
00569 switch( keysize )
00570 {
00571 case 128: ctx->nr = 10; break;
00572 case 192: ctx->nr = 12; break;
00573 case 256: ctx->nr = 14; break;
00574 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
00575 }
00576
00577 #if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
00578 if( aes_padlock_ace == -1 )
00579 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
00580
00581 if( aes_padlock_ace )
00582 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
00583 else
00584 #endif
00585 ctx->rk = RK = ctx->buf;
00586
00587 ret = aes_setkey_enc( &cty, key, keysize );
00588 if( ret != 0 )
00589 return( ret );
00590
00591 SK = cty.rk + cty.nr * 4;
00592
00593 *RK++ = *SK++;
00594 *RK++ = *SK++;
00595 *RK++ = *SK++;
00596 *RK++ = *SK++;
00597
00598 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
00599 {
00600 for( j = 0; j < 4; j++, SK++ )
00601 {
00602 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
00603 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
00604 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
00605 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
00606 }
00607 }
00608
00609 *RK++ = *SK++;
00610 *RK++ = *SK++;
00611 *RK++ = *SK++;
00612 *RK++ = *SK++;
00613
00614 memset( &cty, 0, sizeof( aes_context ) );
00615
00616 return( 0 );
00617 }
00618
00619 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
00620 { \
00621 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
00622 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
00623 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
00624 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
00625 \
00626 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
00627 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
00628 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
00629 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
00630 \
00631 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
00632 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
00633 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
00634 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
00635 \
00636 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
00637 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
00638 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
00639 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
00640 }
00641
00642 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
00643 { \
00644 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
00645 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
00646 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
00647 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
00648 \
00649 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
00650 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
00651 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
00652 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
00653 \
00654 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
00655 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
00656 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
00657 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
00658 \
00659 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
00660 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
00661 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
00662 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
00663 }
00664
00665
00666
00667
00668 int aes_crypt_ecb( aes_context *ctx,
00669 int mode,
00670 const unsigned char input[16],
00671 unsigned char output[16] )
00672 {
00673 int i;
00674 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
00675
00676 #if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
00677 if( aes_padlock_ace )
00678 {
00679 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
00680 return( 0 );
00681
00682
00683
00684
00685 }
00686 #endif
00687
00688 RK = ctx->rk;
00689
00690 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
00691 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
00692 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
00693 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
00694
00695 if( mode == AES_DECRYPT )
00696 {
00697 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
00698 {
00699 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
00700 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
00701 }
00702
00703 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
00704
00705 X0 = *RK++ ^ \
00706 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
00707 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
00708 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
00709 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
00710
00711 X1 = *RK++ ^ \
00712 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
00713 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
00714 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
00715 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
00716
00717 X2 = *RK++ ^ \
00718 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
00719 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
00720 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
00721 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
00722
00723 X3 = *RK++ ^ \
00724 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
00725 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
00726 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
00727 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
00728 }
00729 else
00730 {
00731 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
00732 {
00733 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
00734 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
00735 }
00736
00737 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
00738
00739 X0 = *RK++ ^ \
00740 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
00741 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
00742 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
00743 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
00744
00745 X1 = *RK++ ^ \
00746 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
00747 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
00748 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
00749 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
00750
00751 X2 = *RK++ ^ \
00752 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
00753 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
00754 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
00755 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
00756
00757 X3 = *RK++ ^ \
00758 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
00759 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
00760 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
00761 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
00762 }
00763
00764 PUT_UINT32_LE( X0, output, 0 );
00765 PUT_UINT32_LE( X1, output, 4 );
00766 PUT_UINT32_LE( X2, output, 8 );
00767 PUT_UINT32_LE( X3, output, 12 );
00768
00769 return( 0 );
00770 }
00771
00772 #if defined(POLARSSL_CIPHER_MODE_CBC)
00773
00774
00775
00776 int aes_crypt_cbc( aes_context *ctx,
00777 int mode,
00778 size_t length,
00779 unsigned char iv[16],
00780 const unsigned char *input,
00781 unsigned char *output )
00782 {
00783 int i;
00784 unsigned char temp[16];
00785
00786 if( length % 16 )
00787 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
00788
00789 #if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
00790 if( aes_padlock_ace )
00791 {
00792 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
00793 return( 0 );
00794
00795
00796
00797
00798 }
00799 #endif
00800
00801 if( mode == AES_DECRYPT )
00802 {
00803 while( length > 0 )
00804 {
00805 memcpy( temp, input, 16 );
00806 aes_crypt_ecb( ctx, mode, input, output );
00807
00808 for( i = 0; i < 16; i++ )
00809 output[i] = (unsigned char)( output[i] ^ iv[i] );
00810
00811 memcpy( iv, temp, 16 );
00812
00813 input += 16;
00814 output += 16;
00815 length -= 16;
00816 }
00817 }
00818 else
00819 {
00820 while( length > 0 )
00821 {
00822 for( i = 0; i < 16; i++ )
00823 output[i] = (unsigned char)( input[i] ^ iv[i] );
00824
00825 aes_crypt_ecb( ctx, mode, output, output );
00826 memcpy( iv, output, 16 );
00827
00828 input += 16;
00829 output += 16;
00830 length -= 16;
00831 }
00832 }
00833
00834 return( 0 );
00835 }
00836 #endif
00837
00838 #if defined(POLARSSL_CIPHER_MODE_CFB)
00839
00840
00841
00842 int aes_crypt_cfb128( aes_context *ctx,
00843 int mode,
00844 size_t length,
00845 size_t *iv_off,
00846 unsigned char iv[16],
00847 const unsigned char *input,
00848 unsigned char *output )
00849 {
00850 int c;
00851 size_t n = *iv_off;
00852
00853 if( mode == AES_DECRYPT )
00854 {
00855 while( length-- )
00856 {
00857 if( n == 0 )
00858 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
00859
00860 c = *input++;
00861 *output++ = (unsigned char)( c ^ iv[n] );
00862 iv[n] = (unsigned char) c;
00863
00864 n = (n + 1) & 0x0F;
00865 }
00866 }
00867 else
00868 {
00869 while( length-- )
00870 {
00871 if( n == 0 )
00872 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
00873
00874 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
00875
00876 n = (n + 1) & 0x0F;
00877 }
00878 }
00879
00880 *iv_off = n;
00881
00882 return( 0 );
00883 }
00884 #endif
00885
00886 #if defined(POLARSSL_CIPHER_MODE_CTR)
00887
00888
00889
00890 int aes_crypt_ctr( aes_context *ctx,
00891 size_t length,
00892 size_t *nc_off,
00893 unsigned char nonce_counter[16],
00894 unsigned char stream_block[16],
00895 const unsigned char *input,
00896 unsigned char *output )
00897 {
00898 int c, i;
00899 size_t n = *nc_off;
00900
00901 while( length-- )
00902 {
00903 if( n == 0 ) {
00904 aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
00905
00906 for( i = 16; i > 0; i-- )
00907 if( ++nonce_counter[i - 1] != 0 )
00908 break;
00909 }
00910 c = *input++;
00911 *output++ = (unsigned char)( c ^ stream_block[n] );
00912
00913 n = (n + 1) & 0x0F;
00914 }
00915
00916 *nc_off = n;
00917
00918 return( 0 );
00919 }
00920 #endif
00921 #endif
00922
00923 #if defined(POLARSSL_SELF_TEST)
00924
00925 #include <stdio.h>
00926
00927
00928
00929
00930
00931
00932 static const unsigned char aes_test_ecb_dec[3][16] =
00933 {
00934 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
00935 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
00936 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
00937 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
00938 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
00939 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
00940 };
00941
00942 static const unsigned char aes_test_ecb_enc[3][16] =
00943 {
00944 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
00945 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
00946 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
00947 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
00948 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
00949 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
00950 };
00951
00952 #if defined(POLARSSL_CIPHER_MODE_CBC)
00953 static const unsigned char aes_test_cbc_dec[3][16] =
00954 {
00955 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
00956 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
00957 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
00958 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
00959 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
00960 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
00961 };
00962
00963 static const unsigned char aes_test_cbc_enc[3][16] =
00964 {
00965 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
00966 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
00967 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
00968 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
00969 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
00970 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
00971 };
00972 #endif
00973
00974 #if defined(POLARSSL_CIPHER_MODE_CFB)
00975
00976
00977
00978
00979
00980 static const unsigned char aes_test_cfb128_key[3][32] =
00981 {
00982 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
00983 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
00984 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
00985 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
00986 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
00987 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
00988 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
00989 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
00990 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
00991 };
00992
00993 static const unsigned char aes_test_cfb128_iv[16] =
00994 {
00995 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
00996 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
00997 };
00998
00999 static const unsigned char aes_test_cfb128_pt[64] =
01000 {
01001 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
01002 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
01003 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
01004 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
01005 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
01006 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
01007 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
01008 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
01009 };
01010
01011 static const unsigned char aes_test_cfb128_ct[3][64] =
01012 {
01013 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
01014 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
01015 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
01016 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
01017 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
01018 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
01019 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
01020 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
01021 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
01022 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
01023 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
01024 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
01025 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
01026 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
01027 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
01028 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
01029 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
01030 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
01031 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
01032 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
01033 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
01034 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
01035 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
01036 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
01037 };
01038 #endif
01039
01040 #if defined(POLARSSL_CIPHER_MODE_CTR)
01041
01042
01043
01044
01045
01046
01047 static const unsigned char aes_test_ctr_key[3][16] =
01048 {
01049 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
01050 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
01051 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
01052 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
01053 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
01054 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
01055 };
01056
01057 static const unsigned char aes_test_ctr_nonce_counter[3][16] =
01058 {
01059 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
01060 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
01061 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
01062 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
01063 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
01064 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
01065 };
01066
01067 static const unsigned char aes_test_ctr_pt[3][48] =
01068 {
01069 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
01070 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
01071
01072 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
01073 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
01074 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
01075 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
01076
01077 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
01078 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
01079 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
01080 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
01081 0x20, 0x21, 0x22, 0x23 }
01082 };
01083
01084 static const unsigned char aes_test_ctr_ct[3][48] =
01085 {
01086 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
01087 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
01088 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
01089 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
01090 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
01091 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
01092 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
01093 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
01094 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
01095 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
01096 0x25, 0xB2, 0x07, 0x2F }
01097 };
01098
01099 static const int aes_test_ctr_len[3] =
01100 { 16, 32, 36 };
01101 #endif
01102
01103
01104
01105
01106 int aes_self_test( int verbose )
01107 {
01108 int i, j, u, v;
01109 unsigned char key[32];
01110 unsigned char buf[64];
01111 unsigned char iv[16];
01112 #if defined(POLARSSL_CIPHER_MODE_CBC)
01113 unsigned char prv[16];
01114 #endif
01115 #if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
01116 size_t offset;
01117 #endif
01118 #if defined(POLARSSL_CIPHER_MODE_CTR)
01119 int len;
01120 unsigned char nonce_counter[16];
01121 unsigned char stream_block[16];
01122 #endif
01123 aes_context ctx;
01124
01125 memset( key, 0, 32 );
01126
01127
01128
01129
01130 for( i = 0; i < 6; i++ )
01131 {
01132 u = i >> 1;
01133 v = i & 1;
01134
01135 if( verbose != 0 )
01136 printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
01137 ( v == AES_DECRYPT ) ? "dec" : "enc" );
01138
01139 memset( buf, 0, 16 );
01140
01141 if( v == AES_DECRYPT )
01142 {
01143 aes_setkey_dec( &ctx, key, 128 + u * 64 );
01144
01145 for( j = 0; j < 10000; j++ )
01146 aes_crypt_ecb( &ctx, v, buf, buf );
01147
01148 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
01149 {
01150 if( verbose != 0 )
01151 printf( "failed\n" );
01152
01153 return( 1 );
01154 }
01155 }
01156 else
01157 {
01158 aes_setkey_enc( &ctx, key, 128 + u * 64 );
01159
01160 for( j = 0; j < 10000; j++ )
01161 aes_crypt_ecb( &ctx, v, buf, buf );
01162
01163 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
01164 {
01165 if( verbose != 0 )
01166 printf( "failed\n" );
01167
01168 return( 1 );
01169 }
01170 }
01171
01172 if( verbose != 0 )
01173 printf( "passed\n" );
01174 }
01175
01176 if( verbose != 0 )
01177 printf( "\n" );
01178
01179 #if defined(POLARSSL_CIPHER_MODE_CBC)
01180
01181
01182
01183 for( i = 0; i < 6; i++ )
01184 {
01185 u = i >> 1;
01186 v = i & 1;
01187
01188 if( verbose != 0 )
01189 printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
01190 ( v == AES_DECRYPT ) ? "dec" : "enc" );
01191
01192 memset( iv , 0, 16 );
01193 memset( prv, 0, 16 );
01194 memset( buf, 0, 16 );
01195
01196 if( v == AES_DECRYPT )
01197 {
01198 aes_setkey_dec( &ctx, key, 128 + u * 64 );
01199
01200 for( j = 0; j < 10000; j++ )
01201 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
01202
01203 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
01204 {
01205 if( verbose != 0 )
01206 printf( "failed\n" );
01207
01208 return( 1 );
01209 }
01210 }
01211 else
01212 {
01213 aes_setkey_enc( &ctx, key, 128 + u * 64 );
01214
01215 for( j = 0; j < 10000; j++ )
01216 {
01217 unsigned char tmp[16];
01218
01219 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
01220
01221 memcpy( tmp, prv, 16 );
01222 memcpy( prv, buf, 16 );
01223 memcpy( buf, tmp, 16 );
01224 }
01225
01226 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
01227 {
01228 if( verbose != 0 )
01229 printf( "failed\n" );
01230
01231 return( 1 );
01232 }
01233 }
01234
01235 if( verbose != 0 )
01236 printf( "passed\n" );
01237 }
01238
01239 if( verbose != 0 )
01240 printf( "\n" );
01241 #endif
01242
01243 #if defined(POLARSSL_CIPHER_MODE_CFB)
01244
01245
01246
01247 for( i = 0; i < 6; i++ )
01248 {
01249 u = i >> 1;
01250 v = i & 1;
01251
01252 if( verbose != 0 )
01253 printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
01254 ( v == AES_DECRYPT ) ? "dec" : "enc" );
01255
01256 memcpy( iv, aes_test_cfb128_iv, 16 );
01257 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
01258
01259 offset = 0;
01260 aes_setkey_enc( &ctx, key, 128 + u * 64 );
01261
01262 if( v == AES_DECRYPT )
01263 {
01264 memcpy( buf, aes_test_cfb128_ct[u], 64 );
01265 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
01266
01267 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
01268 {
01269 if( verbose != 0 )
01270 printf( "failed\n" );
01271
01272 return( 1 );
01273 }
01274 }
01275 else
01276 {
01277 memcpy( buf, aes_test_cfb128_pt, 64 );
01278 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
01279
01280 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
01281 {
01282 if( verbose != 0 )
01283 printf( "failed\n" );
01284
01285 return( 1 );
01286 }
01287 }
01288
01289 if( verbose != 0 )
01290 printf( "passed\n" );
01291 }
01292
01293 if( verbose != 0 )
01294 printf( "\n" );
01295 #endif
01296
01297 #if defined(POLARSSL_CIPHER_MODE_CTR)
01298
01299
01300
01301 for( i = 0; i < 6; i++ )
01302 {
01303 u = i >> 1;
01304 v = i & 1;
01305
01306 if( verbose != 0 )
01307 printf( " AES-CTR-128 (%s): ",
01308 ( v == AES_DECRYPT ) ? "dec" : "enc" );
01309
01310 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
01311 memcpy( key, aes_test_ctr_key[u], 16 );
01312
01313 offset = 0;
01314 aes_setkey_enc( &ctx, key, 128 );
01315
01316 if( v == AES_DECRYPT )
01317 {
01318 len = aes_test_ctr_len[u];
01319 memcpy( buf, aes_test_ctr_ct[u], len );
01320
01321 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
01322
01323 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
01324 {
01325 if( verbose != 0 )
01326 printf( "failed\n" );
01327
01328 return( 1 );
01329 }
01330 }
01331 else
01332 {
01333 len = aes_test_ctr_len[u];
01334 memcpy( buf, aes_test_ctr_pt[u], len );
01335
01336 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
01337
01338 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
01339 {
01340 if( verbose != 0 )
01341 printf( "failed\n" );
01342
01343 return( 1 );
01344 }
01345 }
01346
01347 if( verbose != 0 )
01348 printf( "passed\n" );
01349 }
01350
01351 if( verbose != 0 )
01352 printf( "\n" );
01353 #endif
01354
01355 return( 0 );
01356 }
01357
01358 #endif
01359
01360 #endif