1
/* Rijndael (AES) for GnuPG
2
* Copyright (C) 2000, 2001, 2002, 2003, 2007,
3
* 2008 Free Software Foundation, Inc.
5
* This file is part of Libgcrypt.
7
* Libgcrypt is free software; you can redistribute it and/or modify
8
* it under the terms of the GNU Lesser General Public License as
9
* published by the Free Software Foundation; either version 2.1 of
10
* the License, or (at your option) any later version.
12
* Libgcrypt is distributed in the hope that it will be useful,
13
* but WITHOUT ANY WARRANTY; without even the implied warranty of
14
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15
* GNU Lesser General Public License for more details.
17
* You should have received a copy of the GNU Lesser General Public
18
* License along with this program; if not, see <http://www.gnu.org/licenses/>.
19
*******************************************************************
20
* The code here is based on the optimized implementation taken from
21
* http://www.esat.kuleuven.ac.be/~rijmen/rijndael/ on Oct 2, 2000,
22
* which carries this notice:
23
*------------------------------------------
24
* rijndael-alg-fst.c v2.3 April '2000
26
* Optimised ANSI C code
28
* authors: v1.0: Antoon Bosselaers
29
* v2.0: Vincent Rijmen
32
* This code is placed in the public domain.
33
*------------------------------------------
35
* The SP800-38a document is available at:
36
* http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
43
#include <string.h> /* for memcmp() */
45
#include "types.h" /* for byte and u32 typedefs */
49
#define MAXKC (256/32)
51
#define BLOCKSIZE (128/8)
54
/* USE_PADLOCK indicates whether to compile the padlock specific
57
#ifdef ENABLE_PADLOCK_SUPPORT
58
# if defined (__i386__) && SIZEOF_UNSIGNED_LONG == 4 && defined (__GNUC__)
61
#endif /*ENABLE_PADLOCK_SUPPORT*/
63
static const char *selftest(void);
67
int ROUNDS; /* Key-length-dependent number of rounds. */
68
int decryption_prepared; /* The decryption key schedule is available. */
70
int use_padlock; /* Padlock shall be used. */
71
/* The key as passed to the padlock engine. */
72
unsigned char padlock_key[16] __attribute__ ((aligned (16)));
76
PROPERLY_ALIGNED_TYPE dummy;
77
byte keyschedule[MAXROUNDS+1][4][4];
81
PROPERLY_ALIGNED_TYPE dummy;
82
byte keyschedule[MAXROUNDS+1][4][4];
86
#define keySched u1.keyschedule
87
#define keySched2 u2.keyschedule
89
/* All the numbers. */
90
#include "rijndael-tables.h"
93
/* Perform the key setup. */
94
static gcry_err_code_t
95
do_setkey (RIJNDAEL_context *ctx, const byte *key, const unsigned keylen)
97
static int initialized = 0;
98
static const char *selftest_failed=0;
100
int i,j, r, t, rconpointer = 0;
104
PROPERLY_ALIGNED_TYPE dummy;
110
PROPERLY_ALIGNED_TYPE dummy;
115
/* The on-the-fly self tests are only run in non-fips mode. In fips
116
mode explicit self-tests are required. Actually the on-the-fly
117
self-tests are not fully thread-safe and it might happen that a
118
failed self-test won't get noticed in another thread.
120
FIXME: We might want to have a central registry of succeeded
122
if (!fips_mode () && !initialized)
125
selftest_failed = selftest ();
127
log_error ("%s\n", selftest_failed );
130
return GPG_ERR_SELFTEST_FAILED;
132
ctx->decryption_prepared = 0;
134
ctx->use_padlock = 0;
137
if( keylen == 128/8 )
142
if ((_gcry_get_hw_features () & HWF_PADLOCK_AES))
144
ctx->use_padlock = 1;
145
memcpy (ctx->padlock_key, key, keylen);
149
else if ( keylen == 192/8 )
154
else if ( keylen == 256/8 )
160
return GPG_ERR_INV_KEYLEN;
162
ctx->ROUNDS = ROUNDS;
165
if (ctx->use_padlock)
167
/* Nothing to do as we support only hardware key generation for
171
#endif /*USE_PADLOCK*/
173
#define W (ctx->keySched)
174
for (i = 0; i < keylen; i++)
176
k[i >> 2][i & 3] = key[i];
179
for (j = KC-1; j >= 0; j--)
181
*((u32*)tk[j]) = *((u32*)k[j]);
185
/* Copy values into round key array. */
186
for (j = 0; (j < KC) && (r < ROUNDS + 1); )
188
for (; (j < KC) && (t < 4); j++, t++)
190
*((u32*)W[r][t]) = *((u32*)tk[j]);
199
while (r < ROUNDS + 1)
201
/* While not enough round key material calculated calculate
203
tk[0][0] ^= S[tk[KC-1][1]];
204
tk[0][1] ^= S[tk[KC-1][2]];
205
tk[0][2] ^= S[tk[KC-1][3]];
206
tk[0][3] ^= S[tk[KC-1][0]];
207
tk[0][0] ^= rcon[rconpointer++];
211
for (j = 1; j < KC; j++)
213
*((u32*)tk[j]) ^= *((u32*)tk[j-1]);
218
for (j = 1; j < KC/2; j++)
220
*((u32*)tk[j]) ^= *((u32*)tk[j-1]);
222
tk[KC/2][0] ^= S[tk[KC/2 - 1][0]];
223
tk[KC/2][1] ^= S[tk[KC/2 - 1][1]];
224
tk[KC/2][2] ^= S[tk[KC/2 - 1][2]];
225
tk[KC/2][3] ^= S[tk[KC/2 - 1][3]];
226
for (j = KC/2 + 1; j < KC; j++)
228
*((u32*)tk[j]) ^= *((u32*)tk[j-1]);
232
/* Copy values into round key array. */
233
for (j = 0; (j < KC) && (r < ROUNDS + 1); )
235
for (; (j < KC) && (t < 4); j++, t++)
237
*((u32*)W[r][t]) = *((u32*)tk[j]);
255
static gcry_err_code_t
256
rijndael_setkey (void *context, const byte *key, const unsigned keylen)
258
RIJNDAEL_context *ctx = context;
260
int rc = do_setkey (ctx, key, keylen);
261
_gcry_burn_stack ( 100 + 16*sizeof(int));
266
/* Make a decryption key from an encryption key. */
268
prepare_decryption( RIJNDAEL_context *ctx )
273
PROPERLY_ALIGNED_TYPE dummy;
278
for (r=0; r < MAXROUNDS+1; r++ )
280
*((u32*)ctx->keySched2[r][0]) = *((u32*)ctx->keySched[r][0]);
281
*((u32*)ctx->keySched2[r][1]) = *((u32*)ctx->keySched[r][1]);
282
*((u32*)ctx->keySched2[r][2]) = *((u32*)ctx->keySched[r][2]);
283
*((u32*)ctx->keySched2[r][3]) = *((u32*)ctx->keySched[r][3]);
285
#define W (ctx->keySched2)
286
for (r = 1; r < ctx->ROUNDS; r++)
289
*((u32*)w) = *((u32*)U1[w[0]]) ^ *((u32*)U2[w[1]])
290
^ *((u32*)U3[w[2]]) ^ *((u32*)U4[w[3]]);
293
*((u32*)w) = *((u32*)U1[w[0]]) ^ *((u32*)U2[w[1]])
294
^ *((u32*)U3[w[2]]) ^ *((u32*)U4[w[3]]);
297
*((u32*)w) = *((u32*)U1[w[0]]) ^ *((u32*)U2[w[1]])
298
^ *((u32*)U3[w[2]]) ^ *((u32*)U4[w[3]]);
301
*((u32*)w) = *((u32*)U1[w[0]]) ^ *((u32*)U2[w[1]])
302
^ *((u32*)U3[w[2]]) ^ *((u32*)U4[w[3]]);
310
/* Encrypt one block. A and B need to be aligned on a 4 byte
311
boundary. A and B may be the same. */
313
do_encrypt_aligned (const RIJNDAEL_context *ctx,
314
unsigned char *b, const unsigned char *a)
316
#define rk (ctx->keySched)
317
int ROUNDS = ctx->ROUNDS;
321
u32 tempu32[4]; /* Force correct alignment. */
325
*((u32*)u.temp[0]) = *((u32*)(a )) ^ *((u32*)rk[0][0]);
326
*((u32*)u.temp[1]) = *((u32*)(a+ 4)) ^ *((u32*)rk[0][1]);
327
*((u32*)u.temp[2]) = *((u32*)(a+ 8)) ^ *((u32*)rk[0][2]);
328
*((u32*)u.temp[3]) = *((u32*)(a+12)) ^ *((u32*)rk[0][3]);
329
*((u32*)(b )) = (*((u32*)T1[u.temp[0][0]])
330
^ *((u32*)T2[u.temp[1][1]])
331
^ *((u32*)T3[u.temp[2][2]])
332
^ *((u32*)T4[u.temp[3][3]]));
333
*((u32*)(b + 4)) = (*((u32*)T1[u.temp[1][0]])
334
^ *((u32*)T2[u.temp[2][1]])
335
^ *((u32*)T3[u.temp[3][2]])
336
^ *((u32*)T4[u.temp[0][3]]));
337
*((u32*)(b + 8)) = (*((u32*)T1[u.temp[2][0]])
338
^ *((u32*)T2[u.temp[3][1]])
339
^ *((u32*)T3[u.temp[0][2]])
340
^ *((u32*)T4[u.temp[1][3]]));
341
*((u32*)(b +12)) = (*((u32*)T1[u.temp[3][0]])
342
^ *((u32*)T2[u.temp[0][1]])
343
^ *((u32*)T3[u.temp[1][2]])
344
^ *((u32*)T4[u.temp[2][3]]));
346
for (r = 1; r < ROUNDS-1; r++)
348
*((u32*)u.temp[0]) = *((u32*)(b )) ^ *((u32*)rk[r][0]);
349
*((u32*)u.temp[1]) = *((u32*)(b+ 4)) ^ *((u32*)rk[r][1]);
350
*((u32*)u.temp[2]) = *((u32*)(b+ 8)) ^ *((u32*)rk[r][2]);
351
*((u32*)u.temp[3]) = *((u32*)(b+12)) ^ *((u32*)rk[r][3]);
353
*((u32*)(b )) = (*((u32*)T1[u.temp[0][0]])
354
^ *((u32*)T2[u.temp[1][1]])
355
^ *((u32*)T3[u.temp[2][2]])
356
^ *((u32*)T4[u.temp[3][3]]));
357
*((u32*)(b + 4)) = (*((u32*)T1[u.temp[1][0]])
358
^ *((u32*)T2[u.temp[2][1]])
359
^ *((u32*)T3[u.temp[3][2]])
360
^ *((u32*)T4[u.temp[0][3]]));
361
*((u32*)(b + 8)) = (*((u32*)T1[u.temp[2][0]])
362
^ *((u32*)T2[u.temp[3][1]])
363
^ *((u32*)T3[u.temp[0][2]])
364
^ *((u32*)T4[u.temp[1][3]]));
365
*((u32*)(b +12)) = (*((u32*)T1[u.temp[3][0]])
366
^ *((u32*)T2[u.temp[0][1]])
367
^ *((u32*)T3[u.temp[1][2]])
368
^ *((u32*)T4[u.temp[2][3]]));
371
/* Last round is special. */
372
*((u32*)u.temp[0]) = *((u32*)(b )) ^ *((u32*)rk[ROUNDS-1][0]);
373
*((u32*)u.temp[1]) = *((u32*)(b+ 4)) ^ *((u32*)rk[ROUNDS-1][1]);
374
*((u32*)u.temp[2]) = *((u32*)(b+ 8)) ^ *((u32*)rk[ROUNDS-1][2]);
375
*((u32*)u.temp[3]) = *((u32*)(b+12)) ^ *((u32*)rk[ROUNDS-1][3]);
376
b[ 0] = T1[u.temp[0][0]][1];
377
b[ 1] = T1[u.temp[1][1]][1];
378
b[ 2] = T1[u.temp[2][2]][1];
379
b[ 3] = T1[u.temp[3][3]][1];
380
b[ 4] = T1[u.temp[1][0]][1];
381
b[ 5] = T1[u.temp[2][1]][1];
382
b[ 6] = T1[u.temp[3][2]][1];
383
b[ 7] = T1[u.temp[0][3]][1];
384
b[ 8] = T1[u.temp[2][0]][1];
385
b[ 9] = T1[u.temp[3][1]][1];
386
b[10] = T1[u.temp[0][2]][1];
387
b[11] = T1[u.temp[1][3]][1];
388
b[12] = T1[u.temp[3][0]][1];
389
b[13] = T1[u.temp[0][1]][1];
390
b[14] = T1[u.temp[1][2]][1];
391
b[15] = T1[u.temp[2][3]][1];
392
*((u32*)(b )) ^= *((u32*)rk[ROUNDS][0]);
393
*((u32*)(b+ 4)) ^= *((u32*)rk[ROUNDS][1]);
394
*((u32*)(b+ 8)) ^= *((u32*)rk[ROUNDS][2]);
395
*((u32*)(b+12)) ^= *((u32*)rk[ROUNDS][3]);
401
do_encrypt (const RIJNDAEL_context *ctx,
402
unsigned char *bx, const unsigned char *ax)
404
/* BX and AX are not necessary correctly aligned. Thus we need to
417
memcpy (a.a, ax, 16);
418
do_encrypt_aligned (ctx, b.b, a.a);
419
memcpy (bx, b.b, 16);
423
/* Encrypt or decrypt one block using the padlock engine. A and B may
427
do_padlock (const RIJNDAEL_context *ctx, int decrypt_flag,
428
unsigned char *bx, const unsigned char *ax)
430
/* BX and AX are not necessary correctly aligned. Thus we need to
432
unsigned char a[16] __attribute__ ((aligned (16)));
433
unsigned char b[16] __attribute__ ((aligned (16)));
434
unsigned int cword[4] __attribute__ ((aligned (16)));
436
/* The control word fields are:
437
127:12 11:10 9 8 7 6 5 4 3:0
438
RESERVED KSIZE CRYPT INTER KEYGN CIPHR ALIGN DGEST ROUND */
439
cword[0] = (ctx->ROUNDS & 15); /* (The mask is just a safeguard.) */
444
cword[0] |= 0x00000200;
449
("pushfl\n\t" /* Force key reload. */
451
"xchg %3, %%ebx\n\t" /* Load key. */
452
"movl $1, %%ecx\n\t" /* Init counter for just one block. */
453
".byte 0xf3, 0x0f, 0xa7, 0xc8\n\t" /* REP XSTORE ECB. */
454
"xchg %3, %%ebx\n" /* Restore GOT register. */
456
: "S" (a), "D" (b), "d" (cword), "r" (ctx->padlock_key)
457
: "%ecx", "cc", "memory"
463
#endif /*USE_PADLOCK*/
467
rijndael_encrypt (void *context, byte *b, const byte *a)
469
RIJNDAEL_context *ctx = context;
472
if (ctx->use_padlock)
474
do_padlock (ctx, 0, b, a);
475
_gcry_burn_stack (48 + 15 /* possible padding for alignment */);
478
#endif /*USE_PADLOCK*/
480
do_encrypt (ctx, b, a);
481
_gcry_burn_stack (48 + 2*sizeof(int));
486
/* Bulk encryption of complete blocks in CFB mode. Caller needs to
487
make sure that IV is aligned on an unsigned long boundary. This
488
function is only intended for the bulk encryption feature of
491
_gcry_aes_cfb_enc (void *context, unsigned char *iv,
492
void *outbuf_arg, const void *inbuf_arg,
493
unsigned int nblocks)
495
RIJNDAEL_context *ctx = context;
496
unsigned char *outbuf = outbuf_arg;
497
const unsigned char *inbuf = inbuf_arg;
502
if (ctx->use_padlock)
504
/* Fixme: Let Padlock do the CFBing. */
505
for ( ;nblocks; nblocks-- )
507
/* Encrypt the IV. */
508
do_padlock (ctx, 0, iv, iv);
509
/* XOR the input with the IV and store input into IV. */
510
for (ivp=iv,i=0; i < BLOCKSIZE; i++ )
511
*outbuf++ = (*ivp++ ^= *inbuf++);
515
#endif /* USE_PADLOCK*/
517
for ( ;nblocks; nblocks-- )
519
/* Encrypt the IV. */
520
do_encrypt_aligned (ctx, iv, iv);
521
/* XOR the input with the IV and store input into IV. */
522
for (ivp=iv,i=0; i < BLOCKSIZE; i++ )
523
*outbuf++ = (*ivp++ ^= *inbuf++);
527
_gcry_burn_stack (48 + 2*sizeof(int));
531
/* Bulk encryption of complete blocks in CBC mode. Caller needs to
532
make sure that IV is aligned on an unsigned long boundary. This
533
function is only intended for the bulk encryption feature of
536
_gcry_aes_cbc_enc (void *context, unsigned char *iv,
537
void *outbuf_arg, const void *inbuf_arg,
538
unsigned int nblocks, int cbc_mac)
540
RIJNDAEL_context *ctx = context;
541
unsigned char *outbuf = outbuf_arg;
542
const unsigned char *inbuf = inbuf_arg;
546
for ( ;nblocks; nblocks-- )
548
for (ivp=iv, i=0; i < BLOCKSIZE; i++ )
549
outbuf[i] = inbuf[i] ^ *ivp++;
552
if (ctx->use_padlock)
553
do_padlock (ctx, 0, outbuf, outbuf);
555
#endif /*USE_PADLOCK*/
556
do_encrypt (ctx, outbuf, outbuf );
558
memcpy (iv, outbuf, BLOCKSIZE);
564
_gcry_burn_stack (48 + 2*sizeof(int));
569
/* Decrypt one block. A and B need to be aligned on a 4 byte boundary
570
and the decryption must have been prepared. A and B may be the
573
do_decrypt_aligned (RIJNDAEL_context *ctx,
574
unsigned char *b, const unsigned char *a)
576
#define rk (ctx->keySched2)
577
int ROUNDS = ctx->ROUNDS;
581
u32 tempu32[4]; /* Force correct alignment. */
586
*((u32*)u.temp[0]) = *((u32*)(a )) ^ *((u32*)rk[ROUNDS][0]);
587
*((u32*)u.temp[1]) = *((u32*)(a+ 4)) ^ *((u32*)rk[ROUNDS][1]);
588
*((u32*)u.temp[2]) = *((u32*)(a+ 8)) ^ *((u32*)rk[ROUNDS][2]);
589
*((u32*)u.temp[3]) = *((u32*)(a+12)) ^ *((u32*)rk[ROUNDS][3]);
591
*((u32*)(b )) = (*((u32*)T5[u.temp[0][0]])
592
^ *((u32*)T6[u.temp[3][1]])
593
^ *((u32*)T7[u.temp[2][2]])
594
^ *((u32*)T8[u.temp[1][3]]));
595
*((u32*)(b+ 4)) = (*((u32*)T5[u.temp[1][0]])
596
^ *((u32*)T6[u.temp[0][1]])
597
^ *((u32*)T7[u.temp[3][2]])
598
^ *((u32*)T8[u.temp[2][3]]));
599
*((u32*)(b+ 8)) = (*((u32*)T5[u.temp[2][0]])
600
^ *((u32*)T6[u.temp[1][1]])
601
^ *((u32*)T7[u.temp[0][2]])
602
^ *((u32*)T8[u.temp[3][3]]));
603
*((u32*)(b+12)) = (*((u32*)T5[u.temp[3][0]])
604
^ *((u32*)T6[u.temp[2][1]])
605
^ *((u32*)T7[u.temp[1][2]])
606
^ *((u32*)T8[u.temp[0][3]]));
608
for (r = ROUNDS-1; r > 1; r--)
610
*((u32*)u.temp[0]) = *((u32*)(b )) ^ *((u32*)rk[r][0]);
611
*((u32*)u.temp[1]) = *((u32*)(b+ 4)) ^ *((u32*)rk[r][1]);
612
*((u32*)u.temp[2]) = *((u32*)(b+ 8)) ^ *((u32*)rk[r][2]);
613
*((u32*)u.temp[3]) = *((u32*)(b+12)) ^ *((u32*)rk[r][3]);
614
*((u32*)(b )) = (*((u32*)T5[u.temp[0][0]])
615
^ *((u32*)T6[u.temp[3][1]])
616
^ *((u32*)T7[u.temp[2][2]])
617
^ *((u32*)T8[u.temp[1][3]]));
618
*((u32*)(b+ 4)) = (*((u32*)T5[u.temp[1][0]])
619
^ *((u32*)T6[u.temp[0][1]])
620
^ *((u32*)T7[u.temp[3][2]])
621
^ *((u32*)T8[u.temp[2][3]]));
622
*((u32*)(b+ 8)) = (*((u32*)T5[u.temp[2][0]])
623
^ *((u32*)T6[u.temp[1][1]])
624
^ *((u32*)T7[u.temp[0][2]])
625
^ *((u32*)T8[u.temp[3][3]]));
626
*((u32*)(b+12)) = (*((u32*)T5[u.temp[3][0]])
627
^ *((u32*)T6[u.temp[2][1]])
628
^ *((u32*)T7[u.temp[1][2]])
629
^ *((u32*)T8[u.temp[0][3]]));
632
/* Last round is special. */
633
*((u32*)u.temp[0]) = *((u32*)(b )) ^ *((u32*)rk[1][0]);
634
*((u32*)u.temp[1]) = *((u32*)(b+ 4)) ^ *((u32*)rk[1][1]);
635
*((u32*)u.temp[2]) = *((u32*)(b+ 8)) ^ *((u32*)rk[1][2]);
636
*((u32*)u.temp[3]) = *((u32*)(b+12)) ^ *((u32*)rk[1][3]);
637
b[ 0] = S5[u.temp[0][0]];
638
b[ 1] = S5[u.temp[3][1]];
639
b[ 2] = S5[u.temp[2][2]];
640
b[ 3] = S5[u.temp[1][3]];
641
b[ 4] = S5[u.temp[1][0]];
642
b[ 5] = S5[u.temp[0][1]];
643
b[ 6] = S5[u.temp[3][2]];
644
b[ 7] = S5[u.temp[2][3]];
645
b[ 8] = S5[u.temp[2][0]];
646
b[ 9] = S5[u.temp[1][1]];
647
b[10] = S5[u.temp[0][2]];
648
b[11] = S5[u.temp[3][3]];
649
b[12] = S5[u.temp[3][0]];
650
b[13] = S5[u.temp[2][1]];
651
b[14] = S5[u.temp[1][2]];
652
b[15] = S5[u.temp[0][3]];
653
*((u32*)(b )) ^= *((u32*)rk[0][0]);
654
*((u32*)(b+ 4)) ^= *((u32*)rk[0][1]);
655
*((u32*)(b+ 8)) ^= *((u32*)rk[0][2]);
656
*((u32*)(b+12)) ^= *((u32*)rk[0][3]);
661
/* Decrypt one block. AX and BX may be the same. */
663
do_decrypt (RIJNDAEL_context *ctx, byte *bx, const byte *ax)
665
/* BX and AX are not necessary correctly aligned. Thus we need to
678
if ( !ctx->decryption_prepared )
680
prepare_decryption ( ctx );
681
_gcry_burn_stack (64);
682
ctx->decryption_prepared = 1;
685
memcpy (a.a, ax, 16);
686
do_decrypt_aligned (ctx, b.b, a.a);
687
memcpy (bx, b.b, 16);
695
rijndael_decrypt (void *context, byte *b, const byte *a)
697
RIJNDAEL_context *ctx = context;
700
if (ctx->use_padlock)
702
do_padlock (ctx, 1, b, a);
703
_gcry_burn_stack (48 + 2*sizeof(int) /* FIXME */);
706
#endif /*USE_PADLOCK*/
708
do_decrypt (ctx, b, a);
709
_gcry_burn_stack (48+2*sizeof(int));
714
/* Bulk decryption of complete blocks in CFB mode. Caller needs to
715
make sure that IV is aligned on an unisgned lonhg boundary. This
716
function is only intended for the bulk encryption feature of
719
_gcry_aes_cfb_dec (void *context, unsigned char *iv,
720
void *outbuf_arg, const void *inbuf_arg,
721
unsigned int nblocks)
723
RIJNDAEL_context *ctx = context;
724
unsigned char *outbuf = outbuf_arg;
725
const unsigned char *inbuf = inbuf_arg;
731
if (ctx->use_padlock)
733
/* Fixme: Let Padlock do the CFBing. */
734
for ( ;nblocks; nblocks-- )
736
do_padlock (ctx, 0, iv, iv);
737
for (ivp=iv,i=0; i < BLOCKSIZE; i++ )
740
*outbuf++ = *ivp ^ temp;
746
#endif /*USE_PADLOCK*/
748
for ( ;nblocks; nblocks-- )
750
do_encrypt_aligned (ctx, iv, iv);
751
for (ivp=iv,i=0; i < BLOCKSIZE; i++ )
754
*outbuf++ = *ivp ^ temp;
760
_gcry_burn_stack (48 + 2*sizeof(int));
764
/* Bulk decryption of complete blocks in CBC mode. Caller needs to
765
make sure that IV is aligned on an unsigned long boundary. This
766
function is only intended for the bulk encryption feature of
769
_gcry_aes_cbc_dec (void *context, unsigned char *iv,
770
void *outbuf_arg, const void *inbuf_arg,
771
unsigned int nblocks)
773
RIJNDAEL_context *ctx = context;
774
unsigned char *outbuf = outbuf_arg;
775
const unsigned char *inbuf = inbuf_arg;
778
unsigned char savebuf[BLOCKSIZE];
780
for ( ;nblocks; nblocks-- )
782
/* We need to save INBUF away because it may be identical to
784
memcpy (savebuf, inbuf, BLOCKSIZE);
787
if (ctx->use_padlock)
788
do_padlock (ctx, 1, outbuf, inbuf);
790
#endif /*USE_PADLOCK*/
791
do_decrypt (ctx, outbuf, inbuf);
793
for (ivp=iv, i=0; i < BLOCKSIZE; i++ )
795
memcpy (iv, savebuf, BLOCKSIZE);
800
_gcry_burn_stack (48 + 2*sizeof(int) + BLOCKSIZE + 4*sizeof (char*));
806
/* Run the self-tests for AES 128. Returns NULL on success. */
808
selftest_basic_128 (void)
810
RIJNDAEL_context ctx;
811
unsigned char scratch[16];
813
/* The test vectors are from the AES supplied ones; more or less
814
randomly taken from ecb_tbl.txt (I=42,81,14) */
815
static const unsigned char plaintext_128[16] =
817
0x01,0x4B,0xAF,0x22,0x78,0xA6,0x9D,0x33,
818
0x1D,0x51,0x80,0x10,0x36,0x43,0xE9,0x9A
820
static const unsigned char key_128[16] =
822
0xE8,0xE9,0xEA,0xEB,0xED,0xEE,0xEF,0xF0,
823
0xF2,0xF3,0xF4,0xF5,0xF7,0xF8,0xF9,0xFA
825
static const unsigned char ciphertext_128[16] =
827
0x67,0x43,0xC3,0xD1,0x51,0x9A,0xB4,0xF2,
828
0xCD,0x9A,0x78,0xAB,0x09,0xA5,0x11,0xBD
831
rijndael_setkey (&ctx, key_128, sizeof (key_128));
832
rijndael_encrypt (&ctx, scratch, plaintext_128);
833
if (memcmp (scratch, ciphertext_128, sizeof (ciphertext_128)))
834
return "AES-128 test encryption failed.";
835
rijndael_decrypt (&ctx, scratch, scratch);
836
if (memcmp (scratch, plaintext_128, sizeof (plaintext_128)))
837
return "AES-128 test decryption failed.";
842
/* Run the self-tests for AES 192. Returns NULL on success. */
844
selftest_basic_192 (void)
846
RIJNDAEL_context ctx;
847
unsigned char scratch[16];
849
static unsigned char plaintext_192[16] =
851
0x76,0x77,0x74,0x75,0xF1,0xF2,0xF3,0xF4,
852
0xF8,0xF9,0xE6,0xE7,0x77,0x70,0x71,0x72
854
static unsigned char key_192[24] =
856
0x04,0x05,0x06,0x07,0x09,0x0A,0x0B,0x0C,
857
0x0E,0x0F,0x10,0x11,0x13,0x14,0x15,0x16,
858
0x18,0x19,0x1A,0x1B,0x1D,0x1E,0x1F,0x20
860
static const unsigned char ciphertext_192[16] =
862
0x5D,0x1E,0xF2,0x0D,0xCE,0xD6,0xBC,0xBC,
863
0x12,0x13,0x1A,0xC7,0xC5,0x47,0x88,0xAA
866
rijndael_setkey (&ctx, key_192, sizeof(key_192));
867
rijndael_encrypt (&ctx, scratch, plaintext_192);
868
if (memcmp (scratch, ciphertext_192, sizeof (ciphertext_192)))
869
return "AES-192 test encryption failed.";
870
rijndael_decrypt (&ctx, scratch, scratch);
871
if (memcmp (scratch, plaintext_192, sizeof (plaintext_192)))
872
return "AES-192 test decryption failed.";
878
/* Run the self-tests for AES 256. Returns NULL on success. */
880
selftest_basic_256 (void)
882
RIJNDAEL_context ctx;
883
unsigned char scratch[16];
885
static unsigned char plaintext_256[16] =
887
0x06,0x9A,0x00,0x7F,0xC7,0x6A,0x45,0x9F,
888
0x98,0xBA,0xF9,0x17,0xFE,0xDF,0x95,0x21
890
static unsigned char key_256[32] =
892
0x08,0x09,0x0A,0x0B,0x0D,0x0E,0x0F,0x10,
893
0x12,0x13,0x14,0x15,0x17,0x18,0x19,0x1A,
894
0x1C,0x1D,0x1E,0x1F,0x21,0x22,0x23,0x24,
895
0x26,0x27,0x28,0x29,0x2B,0x2C,0x2D,0x2E
897
static const unsigned char ciphertext_256[16] =
899
0x08,0x0E,0x95,0x17,0xEB,0x16,0x77,0x71,
900
0x9A,0xCF,0x72,0x80,0x86,0x04,0x0A,0xE3
903
rijndael_setkey (&ctx, key_256, sizeof(key_256));
904
rijndael_encrypt (&ctx, scratch, plaintext_256);
905
if (memcmp (scratch, ciphertext_256, sizeof (ciphertext_256)))
906
return "AES-256 test encryption failed.";
907
rijndael_decrypt (&ctx, scratch, scratch);
908
if (memcmp (scratch, plaintext_256, sizeof (plaintext_256)))
909
return "AES-256 test decryption failed.";
914
/* Run all the self-tests and return NULL on success. This function
915
is used for the on-the-fly self-tests. */
921
if ( (r = selftest_basic_128 ())
922
|| (r = selftest_basic_192 ())
923
|| (r = selftest_basic_256 ()) )
930
/* SP800-38a.pdf for AES-128. */
932
selftest_fips_128_38a (int requested_mode)
937
const unsigned char key[16];
938
const unsigned char iv[16];
941
const unsigned char input[16];
942
const unsigned char output[16];
947
GCRY_CIPHER_MODE_CFB, /* F.3.13, CFB128-AES128 */
948
{ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
949
0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c },
950
{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
951
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f },
953
{ { 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
954
0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a },
955
{ 0x3b, 0x3f, 0xd9, 0x2e, 0xb7, 0x2d, 0xad, 0x20,
956
0x33, 0x34, 0x49, 0xf8, 0xe8, 0x3c, 0xfb, 0x4a } },
958
{ { 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
959
0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51 },
960
{ 0xc8, 0xa6, 0x45, 0x37, 0xa0, 0xb3, 0xa9, 0x3f,
961
0xcd, 0xe3, 0xcd, 0xad, 0x9f, 0x1c, 0xe5, 0x8b } },
963
{ { 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
964
0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef },
965
{ 0x26, 0x75, 0x1f, 0x67, 0xa3, 0xcb, 0xb1, 0x40,
966
0xb1, 0x80, 0x8c, 0xf1, 0x87, 0xa4, 0xf4, 0xdf } },
968
{ { 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
969
0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10 },
970
{ 0xc0, 0x4b, 0x05, 0x35, 0x7c, 0x5d, 0x1c, 0x0e,
971
0xea, 0xc4, 0xc6, 0x6f, 0x9f, 0xf7, 0xf2, 0xe6 } }
975
GCRY_CIPHER_MODE_OFB,
976
{ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
977
0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c },
978
{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
979
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f },
981
{ { 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
982
0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a },
983
{ 0x3b, 0x3f, 0xd9, 0x2e, 0xb7, 0x2d, 0xad, 0x20,
984
0x33, 0x34, 0x49, 0xf8, 0xe8, 0x3c, 0xfb, 0x4a } },
986
{ { 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
987
0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51 },
988
{ 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
989
0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25 } },
991
{ { 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
992
0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef },
993
{ 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
994
0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc } },
996
{ { 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
997
0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10 },
998
{ 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
999
0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e } },
1003
unsigned char scratch[16];
1006
gcry_cipher_hd_t hdenc = NULL;
1007
gcry_cipher_hd_t hddec = NULL;
1009
#define Fail(a) do { \
1010
_gcry_cipher_close (hdenc); \
1011
_gcry_cipher_close (hddec); \
1015
gcry_assert (sizeof tv[0].data[0].input == sizeof scratch);
1016
gcry_assert (sizeof tv[0].data[0].output == sizeof scratch);
1018
for (tvi=0; tvi < DIM (tv); tvi++)
1019
if (tv[tvi].mode == requested_mode)
1021
if (tvi == DIM (tv))
1022
Fail ("no test data for this mode");
1024
err = _gcry_cipher_open (&hdenc, GCRY_CIPHER_AES, tv[tvi].mode, 0);
1027
err = _gcry_cipher_open (&hddec, GCRY_CIPHER_AES, tv[tvi].mode, 0);
1030
err = _gcry_cipher_setkey (hdenc, tv[tvi].key, sizeof tv[tvi].key);
1032
err = _gcry_cipher_setkey (hddec, tv[tvi].key, sizeof tv[tvi].key);
1035
err = _gcry_cipher_setiv (hdenc, tv[tvi].iv, sizeof tv[tvi].iv);
1037
err = _gcry_cipher_setiv (hddec, tv[tvi].iv, sizeof tv[tvi].iv);
1040
for (idx=0; idx < DIM (tv[tvi].data); idx++)
1042
err = _gcry_cipher_encrypt (hdenc, scratch, sizeof scratch,
1043
tv[tvi].data[idx].input,
1044
sizeof tv[tvi].data[idx].input);
1046
Fail ("encrypt command");
1047
if (memcmp (scratch, tv[tvi].data[idx].output, sizeof scratch))
1048
Fail ("encrypt mismatch");
1049
err = _gcry_cipher_decrypt (hddec, scratch, sizeof scratch,
1050
tv[tvi].data[idx].output,
1051
sizeof tv[tvi].data[idx].output);
1053
Fail ("decrypt command");
1054
if (memcmp (scratch, tv[tvi].data[idx].input, sizeof scratch))
1055
Fail ("decrypt mismatch");
1059
_gcry_cipher_close (hdenc);
1060
_gcry_cipher_close (hddec);
1065
/* Complete selftest for AES-128 with all modes and driver code. */
1066
static gpg_err_code_t
1067
selftest_fips_128 (int extended, selftest_report_func_t report)
1073
errtxt = selftest_basic_128 ();
1080
errtxt = selftest_fips_128_38a (GCRY_CIPHER_MODE_CFB);
1085
errtxt = selftest_fips_128_38a (GCRY_CIPHER_MODE_OFB);
1090
return 0; /* Succeeded. */
1094
report ("cipher", GCRY_CIPHER_AES128, what, errtxt);
1095
return GPG_ERR_SELFTEST_FAILED;
1098
/* Complete selftest for AES-192. */
1099
static gpg_err_code_t
1100
selftest_fips_192 (int extended, selftest_report_func_t report)
1105
(void)extended; /* No extended tests available. */
1108
errtxt = selftest_basic_192 ();
1113
return 0; /* Succeeded. */
1117
report ("cipher", GCRY_CIPHER_AES192, what, errtxt);
1118
return GPG_ERR_SELFTEST_FAILED;
1122
/* Complete selftest for AES-256. */
1123
static gpg_err_code_t
1124
selftest_fips_256 (int extended, selftest_report_func_t report)
1129
(void)extended; /* No extended tests available. */
1132
errtxt = selftest_basic_256 ();
1136
return 0; /* Succeeded. */
1140
report ("cipher", GCRY_CIPHER_AES256, what, errtxt);
1141
return GPG_ERR_SELFTEST_FAILED;
1146
/* Run a full self-test for ALGO and return 0 on success. */
1147
static gpg_err_code_t
1148
run_selftests (int algo, int extended, selftest_report_func_t report)
1154
case GCRY_CIPHER_AES128:
1155
ec = selftest_fips_128 (extended, report);
1157
case GCRY_CIPHER_AES192:
1158
ec = selftest_fips_192 (extended, report);
1160
case GCRY_CIPHER_AES256:
1161
ec = selftest_fips_256 (extended, report);
1164
ec = GPG_ERR_CIPHER_ALGO;
1174
static const char *rijndael_names[] =
1182
static gcry_cipher_oid_spec_t rijndael_oids[] =
1184
{ "2.16.840.1.101.3.4.1.1", GCRY_CIPHER_MODE_ECB },
1185
{ "2.16.840.1.101.3.4.1.2", GCRY_CIPHER_MODE_CBC },
1186
{ "2.16.840.1.101.3.4.1.3", GCRY_CIPHER_MODE_OFB },
1187
{ "2.16.840.1.101.3.4.1.4", GCRY_CIPHER_MODE_CFB },
1191
gcry_cipher_spec_t _gcry_cipher_spec_aes =
1193
"AES", rijndael_names, rijndael_oids, 16, 128, sizeof (RIJNDAEL_context),
1194
rijndael_setkey, rijndael_encrypt, rijndael_decrypt
1196
cipher_extra_spec_t _gcry_cipher_extraspec_aes =
1201
static const char *rijndael192_names[] =
1208
static gcry_cipher_oid_spec_t rijndael192_oids[] =
1210
{ "2.16.840.1.101.3.4.1.21", GCRY_CIPHER_MODE_ECB },
1211
{ "2.16.840.1.101.3.4.1.22", GCRY_CIPHER_MODE_CBC },
1212
{ "2.16.840.1.101.3.4.1.23", GCRY_CIPHER_MODE_OFB },
1213
{ "2.16.840.1.101.3.4.1.24", GCRY_CIPHER_MODE_CFB },
1217
gcry_cipher_spec_t _gcry_cipher_spec_aes192 =
1219
"AES192", rijndael192_names, rijndael192_oids, 16, 192, sizeof (RIJNDAEL_context),
1220
rijndael_setkey, rijndael_encrypt, rijndael_decrypt
1222
cipher_extra_spec_t _gcry_cipher_extraspec_aes192 =
1227
static const char *rijndael256_names[] =
1234
static gcry_cipher_oid_spec_t rijndael256_oids[] =
1236
{ "2.16.840.1.101.3.4.1.41", GCRY_CIPHER_MODE_ECB },
1237
{ "2.16.840.1.101.3.4.1.42", GCRY_CIPHER_MODE_CBC },
1238
{ "2.16.840.1.101.3.4.1.43", GCRY_CIPHER_MODE_OFB },
1239
{ "2.16.840.1.101.3.4.1.44", GCRY_CIPHER_MODE_CFB },
1243
gcry_cipher_spec_t _gcry_cipher_spec_aes256 =
1245
"AES256", rijndael256_names, rijndael256_oids, 16, 256,
1246
sizeof (RIJNDAEL_context),
1247
rijndael_setkey, rijndael_encrypt, rijndael_decrypt
1250
cipher_extra_spec_t _gcry_cipher_extraspec_aes256 =