2
* FIPS-197 compliant AES implementation
4
* Copyright (C) 2006-2010, Paul Bakker <polarssl_maintainer at polarssl.org>
7
* This program is free software; you can redistribute it and/or modify
8
* it under the terms of the GNU General Public License as published by
9
* the Free Software Foundation; either version 2 of the License, or
10
* (at your option) any later version.
12
* This program is distributed in the hope that it will be useful,
13
* but WITHOUT ANY WARRANTY; without even the implied warranty of
14
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15
* GNU General Public License for more details.
17
* You should have received a copy of the GNU General Public License along
18
* with this program; if not, write to the Free Software Foundation, Inc.,
19
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22
* The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
24
* http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25
* http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
28
#include "polarssl/config.h"
30
#if defined(POLARSSL_AES_C)
32
#include "polarssl/aes.h"
33
#include "polarssl/padlock.h"
38
* 32-bit integer manipulation macros (little endian)
41
#define GET_ULONG_LE(n,b,i) \
43
(n) = ( (unsigned long) (b)[(i) ] ) \
44
| ( (unsigned long) (b)[(i) + 1] << 8 ) \
45
| ( (unsigned long) (b)[(i) + 2] << 16 ) \
46
| ( (unsigned long) (b)[(i) + 3] << 24 ); \
51
#define PUT_ULONG_LE(n,b,i) \
53
(b)[(i) ] = (unsigned char) ( (n) ); \
54
(b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
55
(b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
56
(b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
60
#if defined(POLARSSL_AES_ROM_TABLES)
64
static const unsigned char FSb[256] =
66
0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
67
0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
68
0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
69
0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
70
0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
71
0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
72
0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
73
0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
74
0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
75
0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
76
0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
77
0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
78
0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
79
0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
80
0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
81
0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
82
0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
83
0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
84
0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
85
0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
86
0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
87
0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
88
0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
89
0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
90
0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
91
0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
92
0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
93
0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
94
0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
95
0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
96
0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
97
0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
105
V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
106
V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
107
V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
108
V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
109
V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
110
V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
111
V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
112
V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
113
V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
114
V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
115
V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
116
V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
117
V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
118
V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
119
V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
120
V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
121
V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
122
V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
123
V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
124
V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
125
V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
126
V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
127
V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
128
V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
129
V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
130
V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
131
V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
132
V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
133
V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
134
V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
135
V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
136
V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
137
V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
138
V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
139
V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
140
V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
141
V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
142
V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
143
V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
144
V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
145
V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
146
V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
147
V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
148
V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
149
V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
150
V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
151
V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
152
V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
153
V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
154
V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
155
V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
156
V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
157
V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
158
V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
159
V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
160
V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
161
V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
162
V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
163
V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
164
V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
165
V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
166
V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
167
V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
168
V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
170
#define V(a,b,c,d) 0x##a##b##c##d
171
static const unsigned long FT0[256] = { FT };
174
#define V(a,b,c,d) 0x##b##c##d##a
175
static const unsigned long FT1[256] = { FT };
178
#define V(a,b,c,d) 0x##c##d##a##b
179
static const unsigned long FT2[256] = { FT };
182
#define V(a,b,c,d) 0x##d##a##b##c
183
static const unsigned long FT3[256] = { FT };
191
static const unsigned char RSb[256] =
193
0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
194
0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
195
0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
196
0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
197
0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
198
0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
199
0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
200
0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
201
0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
202
0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
203
0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
204
0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
205
0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
206
0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
207
0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
208
0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
209
0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
210
0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
211
0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
212
0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
213
0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
214
0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
215
0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
216
0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
217
0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
218
0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
219
0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
220
0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
221
0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
222
0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
223
0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
224
0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
232
V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
233
V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
234
V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
235
V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
236
V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
237
V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
238
V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
239
V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
240
V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
241
V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
242
V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
243
V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
244
V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
245
V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
246
V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
247
V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
248
V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
249
V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
250
V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
251
V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
252
V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
253
V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
254
V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
255
V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
256
V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
257
V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
258
V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
259
V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
260
V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
261
V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
262
V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
263
V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
264
V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
265
V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
266
V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
267
V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
268
V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
269
V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
270
V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
271
V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
272
V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
273
V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
274
V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
275
V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
276
V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
277
V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
278
V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
279
V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
280
V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
281
V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
282
V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
283
V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
284
V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
285
V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
286
V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
287
V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
288
V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
289
V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
290
V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
291
V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
292
V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
293
V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
294
V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
295
V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
297
#define V(a,b,c,d) 0x##a##b##c##d
298
static const unsigned long RT0[256] = { RT };
301
#define V(a,b,c,d) 0x##b##c##d##a
302
static const unsigned long RT1[256] = { RT };
305
#define V(a,b,c,d) 0x##c##d##a##b
306
static const unsigned long RT2[256] = { RT };
309
#define V(a,b,c,d) 0x##d##a##b##c
310
static const unsigned long RT3[256] = { RT };
318
static const unsigned long RCON[10] =
320
0x00000001, 0x00000002, 0x00000004, 0x00000008,
321
0x00000010, 0x00000020, 0x00000040, 0x00000080,
322
0x0000001B, 0x00000036
328
* Forward S-box & tables
330
static unsigned char FSb[256];
331
static unsigned long FT0[256];
332
static unsigned long FT1[256];
333
static unsigned long FT2[256];
334
static unsigned long FT3[256];
337
* Reverse S-box & tables
339
static unsigned char RSb[256];
340
static unsigned long RT0[256];
341
static unsigned long RT1[256];
342
static unsigned long RT2[256];
343
static unsigned long RT3[256];
348
static unsigned long RCON[10];
351
* Tables generation code
353
#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
354
#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
355
#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
357
static int aes_init_done = 0;
359
static void aes_gen_tables( void )
366
* compute pow and log tables over GF(2^8)
368
for( i = 0, x = 1; i < 256; i++ )
372
x = ( x ^ XTIME( x ) ) & 0xFF;
376
* calculate the round constants
378
for( i = 0, x = 1; i < 10; i++ )
380
RCON[i] = (unsigned long) x;
381
x = XTIME( x ) & 0xFF;
385
* generate the forward and reverse S-boxes
390
for( i = 1; i < 256; i++ )
392
x = pow[255 - log[i]];
394
y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
395
x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
396
x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
397
x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
400
FSb[i] = (unsigned char) x;
401
RSb[x] = (unsigned char) i;
405
* generate the forward and reverse tables
407
for( i = 0; i < 256; i++ )
410
y = XTIME( x ) & 0xFF;
411
z = ( y ^ x ) & 0xFF;
413
FT0[i] = ( (unsigned long) y ) ^
414
( (unsigned long) x << 8 ) ^
415
( (unsigned long) x << 16 ) ^
416
( (unsigned long) z << 24 );
418
FT1[i] = ROTL8( FT0[i] );
419
FT2[i] = ROTL8( FT1[i] );
420
FT3[i] = ROTL8( FT2[i] );
424
RT0[i] = ( (unsigned long) MUL( 0x0E, x ) ) ^
425
( (unsigned long) MUL( 0x09, x ) << 8 ) ^
426
( (unsigned long) MUL( 0x0D, x ) << 16 ) ^
427
( (unsigned long) MUL( 0x0B, x ) << 24 );
429
RT1[i] = ROTL8( RT0[i] );
430
RT2[i] = ROTL8( RT1[i] );
431
RT3[i] = ROTL8( RT2[i] );
438
* AES key schedule (encryption)
440
int aes_setkey_enc( aes_context *ctx, const unsigned char *key, int keysize )
445
#if !defined(POLARSSL_AES_ROM_TABLES)
446
if( aes_init_done == 0 )
455
case 128: ctx->nr = 10; break;
456
case 192: ctx->nr = 12; break;
457
case 256: ctx->nr = 14; break;
458
default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
461
#if defined(PADLOCK_ALIGN16)
462
ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
464
ctx->rk = RK = ctx->buf;
467
for( i = 0; i < (keysize >> 5); i++ )
469
GET_ULONG_LE( RK[i], key, i << 2 );
476
for( i = 0; i < 10; i++, RK += 4 )
478
RK[4] = RK[0] ^ RCON[i] ^
479
( (unsigned long) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
480
( (unsigned long) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
481
( (unsigned long) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
482
( (unsigned long) FSb[ ( RK[3] ) & 0xFF ] << 24 );
484
RK[5] = RK[1] ^ RK[4];
485
RK[6] = RK[2] ^ RK[5];
486
RK[7] = RK[3] ^ RK[6];
492
for( i = 0; i < 8; i++, RK += 6 )
494
RK[6] = RK[0] ^ RCON[i] ^
495
( (unsigned long) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
496
( (unsigned long) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
497
( (unsigned long) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
498
( (unsigned long) FSb[ ( RK[5] ) & 0xFF ] << 24 );
500
RK[7] = RK[1] ^ RK[6];
501
RK[8] = RK[2] ^ RK[7];
502
RK[9] = RK[3] ^ RK[8];
503
RK[10] = RK[4] ^ RK[9];
504
RK[11] = RK[5] ^ RK[10];
510
for( i = 0; i < 7; i++, RK += 8 )
512
RK[8] = RK[0] ^ RCON[i] ^
513
( (unsigned long) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
514
( (unsigned long) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
515
( (unsigned long) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
516
( (unsigned long) FSb[ ( RK[7] ) & 0xFF ] << 24 );
518
RK[9] = RK[1] ^ RK[8];
519
RK[10] = RK[2] ^ RK[9];
520
RK[11] = RK[3] ^ RK[10];
523
( (unsigned long) FSb[ ( RK[11] ) & 0xFF ] ) ^
524
( (unsigned long) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
525
( (unsigned long) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
526
( (unsigned long) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
528
RK[13] = RK[5] ^ RK[12];
529
RK[14] = RK[6] ^ RK[13];
530
RK[15] = RK[7] ^ RK[14];
543
* AES key schedule (decryption)
545
int aes_setkey_dec( aes_context *ctx, const unsigned char *key, int keysize )
555
case 128: ctx->nr = 10; break;
556
case 192: ctx->nr = 12; break;
557
case 256: ctx->nr = 14; break;
558
default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
561
#if defined(PADLOCK_ALIGN16)
562
ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
564
ctx->rk = RK = ctx->buf;
567
ret = aes_setkey_enc( &cty, key, keysize );
571
SK = cty.rk + cty.nr * 4;
578
for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
580
for( j = 0; j < 4; j++, SK++ )
582
*RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
583
RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
584
RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
585
RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
594
memset( &cty, 0, sizeof( aes_context ) );
599
#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
601
X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
602
FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
603
FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
604
FT3[ ( Y3 >> 24 ) & 0xFF ]; \
606
X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
607
FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
608
FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
609
FT3[ ( Y0 >> 24 ) & 0xFF ]; \
611
X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
612
FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
613
FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
614
FT3[ ( Y1 >> 24 ) & 0xFF ]; \
616
X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
617
FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
618
FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
619
FT3[ ( Y2 >> 24 ) & 0xFF ]; \
622
#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
624
X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
625
RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
626
RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
627
RT3[ ( Y1 >> 24 ) & 0xFF ]; \
629
X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
630
RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
631
RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
632
RT3[ ( Y2 >> 24 ) & 0xFF ]; \
634
X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
635
RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
636
RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
637
RT3[ ( Y3 >> 24 ) & 0xFF ]; \
639
X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
640
RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
641
RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
642
RT3[ ( Y0 >> 24 ) & 0xFF ]; \
646
* AES-ECB block encryption/decryption
648
int aes_crypt_ecb( aes_context *ctx,
650
const unsigned char input[16],
651
unsigned char output[16] )
654
unsigned long *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
656
#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
657
if( padlock_supports( PADLOCK_ACE ) )
659
if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
662
// If padlock data misaligned, we just fall back to
663
// unaccelerated mode
670
GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
671
GET_ULONG_LE( X1, input, 4 ); X1 ^= *RK++;
672
GET_ULONG_LE( X2, input, 8 ); X2 ^= *RK++;
673
GET_ULONG_LE( X3, input, 12 ); X3 ^= *RK++;
675
if( mode == AES_DECRYPT )
677
for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
679
AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
680
AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
683
AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
686
( (unsigned long) RSb[ ( Y0 ) & 0xFF ] ) ^
687
( (unsigned long) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
688
( (unsigned long) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
689
( (unsigned long) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
692
( (unsigned long) RSb[ ( Y1 ) & 0xFF ] ) ^
693
( (unsigned long) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
694
( (unsigned long) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
695
( (unsigned long) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
698
( (unsigned long) RSb[ ( Y2 ) & 0xFF ] ) ^
699
( (unsigned long) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
700
( (unsigned long) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
701
( (unsigned long) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
704
( (unsigned long) RSb[ ( Y3 ) & 0xFF ] ) ^
705
( (unsigned long) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
706
( (unsigned long) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
707
( (unsigned long) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
709
else /* AES_ENCRYPT */
711
for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
713
AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
714
AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
717
AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
720
( (unsigned long) FSb[ ( Y0 ) & 0xFF ] ) ^
721
( (unsigned long) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
722
( (unsigned long) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
723
( (unsigned long) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
726
( (unsigned long) FSb[ ( Y1 ) & 0xFF ] ) ^
727
( (unsigned long) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
728
( (unsigned long) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
729
( (unsigned long) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
732
( (unsigned long) FSb[ ( Y2 ) & 0xFF ] ) ^
733
( (unsigned long) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
734
( (unsigned long) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
735
( (unsigned long) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
738
( (unsigned long) FSb[ ( Y3 ) & 0xFF ] ) ^
739
( (unsigned long) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
740
( (unsigned long) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
741
( (unsigned long) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
744
PUT_ULONG_LE( X0, output, 0 );
745
PUT_ULONG_LE( X1, output, 4 );
746
PUT_ULONG_LE( X2, output, 8 );
747
PUT_ULONG_LE( X3, output, 12 );
753
* AES-CBC buffer encryption/decryption
755
int aes_crypt_cbc( aes_context *ctx,
758
unsigned char iv[16],
759
const unsigned char *input,
760
unsigned char *output )
763
unsigned char temp[16];
766
return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
768
#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
769
if( padlock_supports( PADLOCK_ACE ) )
771
if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
774
// If padlock data misaligned, we just fall back to
775
// unaccelerated mode
780
if( mode == AES_DECRYPT )
784
memcpy( temp, input, 16 );
785
aes_crypt_ecb( ctx, mode, input, output );
787
for( i = 0; i < 16; i++ )
788
output[i] = (unsigned char)( output[i] ^ iv[i] );
790
memcpy( iv, temp, 16 );
801
for( i = 0; i < 16; i++ )
802
output[i] = (unsigned char)( input[i] ^ iv[i] );
804
aes_crypt_ecb( ctx, mode, output, output );
805
memcpy( iv, output, 16 );
817
* AES-CFB128 buffer encryption/decryption
819
int aes_crypt_cfb128( aes_context *ctx,
823
unsigned char iv[16],
824
const unsigned char *input,
825
unsigned char *output )
829
if( mode == AES_DECRYPT )
834
aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
837
*output++ = (unsigned char)( c ^ iv[n] );
838
iv[n] = (unsigned char) c;
848
aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
850
iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
861
#if defined(POLARSSL_SELF_TEST)
866
* AES test vectors from:
868
* http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
870
static const unsigned char aes_test_ecb_dec[3][16] =
872
{ 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
873
0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
874
{ 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
875
0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
876
{ 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
877
0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
880
static const unsigned char aes_test_ecb_enc[3][16] =
882
{ 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
883
0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
884
{ 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
885
0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
886
{ 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
887
0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
890
static const unsigned char aes_test_cbc_dec[3][16] =
892
{ 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
893
0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
894
{ 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
895
0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
896
{ 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
897
0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
900
static const unsigned char aes_test_cbc_enc[3][16] =
902
{ 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
903
0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
904
{ 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
905
0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
906
{ 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
907
0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
911
* AES-CFB128 test vectors from:
913
* http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
915
static const unsigned char aes_test_cfb128_key[3][32] =
917
{ 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
918
0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
919
{ 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
920
0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
921
0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
922
{ 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
923
0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
924
0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
925
0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
928
static const unsigned char aes_test_cfb128_iv[16] =
930
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
931
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
934
static const unsigned char aes_test_cfb128_pt[64] =
936
0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
937
0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
938
0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
939
0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
940
0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
941
0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
942
0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
943
0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
946
static const unsigned char aes_test_cfb128_ct[3][64] =
948
{ 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
949
0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
950
0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
951
0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
952
0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
953
0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
954
0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
955
0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
956
{ 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
957
0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
958
0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
959
0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
960
0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
961
0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
962
0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
963
0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
964
{ 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
965
0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
966
0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
967
0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
968
0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
969
0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
970
0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
971
0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
977
int aes_self_test( int verbose )
979
int i, j, u, v, offset;
980
unsigned char key[32];
981
unsigned char buf[64];
982
unsigned char prv[16];
983
unsigned char iv[16];
986
memset( key, 0, 32 );
991
for( i = 0; i < 6; i++ )
997
printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
998
( v == AES_DECRYPT ) ? "dec" : "enc" );
1000
memset( buf, 0, 16 );
1002
if( v == AES_DECRYPT )
1004
aes_setkey_dec( &ctx, key, 128 + u * 64 );
1006
for( j = 0; j < 10000; j++ )
1007
aes_crypt_ecb( &ctx, v, buf, buf );
1009
if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1012
printf( "failed\n" );
1019
aes_setkey_enc( &ctx, key, 128 + u * 64 );
1021
for( j = 0; j < 10000; j++ )
1022
aes_crypt_ecb( &ctx, v, buf, buf );
1024
if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1027
printf( "failed\n" );
1034
printf( "passed\n" );
1043
for( i = 0; i < 6; i++ )
1049
printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1050
( v == AES_DECRYPT ) ? "dec" : "enc" );
1052
memset( iv , 0, 16 );
1053
memset( prv, 0, 16 );
1054
memset( buf, 0, 16 );
1056
if( v == AES_DECRYPT )
1058
aes_setkey_dec( &ctx, key, 128 + u * 64 );
1060
for( j = 0; j < 10000; j++ )
1061
aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1063
if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1066
printf( "failed\n" );
1073
aes_setkey_enc( &ctx, key, 128 + u * 64 );
1075
for( j = 0; j < 10000; j++ )
1077
unsigned char tmp[16];
1079
aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1081
memcpy( tmp, prv, 16 );
1082
memcpy( prv, buf, 16 );
1083
memcpy( buf, tmp, 16 );
1086
if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1089
printf( "failed\n" );
1096
printf( "passed\n" );
1105
for( i = 0; i < 6; i++ )
1111
printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1112
( v == AES_DECRYPT ) ? "dec" : "enc" );
1114
memcpy( iv, aes_test_cfb128_iv, 16 );
1115
memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1118
aes_setkey_enc( &ctx, key, 128 + u * 64 );
1120
if( v == AES_DECRYPT )
1122
memcpy( buf, aes_test_cfb128_ct[u], 64 );
1123
aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1125
if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1128
printf( "failed\n" );
1135
memcpy( buf, aes_test_cfb128_pt, 64 );
1136
aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1138
if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1141
printf( "failed\n" );
1148
printf( "passed\n" );