/src/ghostpdl/base/aes.c

Line	Count	Source (jump to first uncovered line)
1		/*
2		* FIPS-197 compliant AES implementation
3		*
4		* Copyright (C) 2006-2007 Christophe Devine
5		*
6		* Redistribution and use in source and binary forms, with or without
7		* modification, are permitted provided that the following conditions
8		* are met:
9		*
10		* * Redistributions of source code _must_ retain the above copyright
11		* notice, this list of conditions and the following disclaimer.
12		* * Redistributions in binary form may or may not reproduce the above
13		* copyright notice, this list of conditions and the following
14		* disclaimer in the documentation and/or other materials provided
15		* with the distribution.
16		* * Neither the name of XySSL nor the names of its contributors may be
17		* used to endorse or promote products derived from this software
18		* without specific prior written permission.
19		*
20		* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21		* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22		* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
23		* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
24		* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
25		* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
26		* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
27		* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
28		* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
29		* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
30		* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31		*/
32		/*
33		* The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
34		*
35		* http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
36		* http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
37		*/
38
39		/* AES block cipher implementation from XYSSL */
40
41		#include "string_.h" /* memcmp() */
42		#include "aes.h"
43
44		#define XYSSL_AES_ROM_TABLES 1 /* avoid regenerating tables each time */
45
46		/*
47		* 32-bit integer manipulation macros (little endian)
48		*/
49		#ifndef GET_ULONG_LE
50	25.2M	#define GET_ULONG_LE(n,b,i) \
51	25.2M	{ \
52	25.2M	(n) = ( (unsigned long) (b)[(i) ] ) \
53	25.2M	\| ( (unsigned long) (b)[(i) + 1] << 8 ) \
54	25.2M	\| ( (unsigned long) (b)[(i) + 2] << 16 ) \
55	25.2M	\| ( (unsigned long) (b)[(i) + 3] << 24 ); \
56	25.2M	}
57		#endif
58
59		#ifndef PUT_ULONG_LE
60	25.1M	#define PUT_ULONG_LE(n,b,i) \
61	25.1M	{ \
62	25.1M	(b)[(i) ] = (unsigned char) ( (n) ); \
63	25.1M	(b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
64	25.1M	(b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
65	25.1M	(b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
66	25.1M	}
67		#endif
68
69		#if defined(XYSSL_AES_ROM_TABLES)
70		/*
71		* Forward S-box
72		*/
73		static const unsigned char FSb[256] =
74		{
75		0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
76		0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
77		0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
78		0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
79		0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
80		0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
81		0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
82		0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
83		0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
84		0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
85		0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
86		0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
87		0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
88		0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
89		0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
90		0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
91		0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
92		0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
93		0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
94		0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
95		0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
96		0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
97		0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
98		0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
99		0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
100		0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
101		0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
102		0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
103		0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
104		0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
105		0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
106		0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
107		};
108
109		/*
110		* Forward tables
111		*/
112		#define FT \
113		\
114		V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
115		V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
116		V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
117		V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
118		V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
119		V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
120		V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
121		V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
122		V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
123		V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
124		V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
125		V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
126		V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
127		V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
128		V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
129		V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
130		V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
131		V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
132		V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
133		V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
134		V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
135		V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
136		V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
137		V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
138		V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
139		V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
140		V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
141		V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
142		V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
143		V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
144		V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
145		V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
146		V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
147		V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
148		V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
149		V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
150		V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
151		V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
152		V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
153		V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
154		V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
155		V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
156		V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
157		V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
158		V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
159		V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
160		V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
161		V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
162		V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
163		V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
164		V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
165		V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
166		V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
167		V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
168		V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
169		V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
170		V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
171		V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
172		V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
173		V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
174		V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
175		V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
176		V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
177		V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
178
179		#define V(a,b,c,d) 0x##a##b##c##d
180		static const unsigned long FT0[256] = { FT };
181		#undef V
182
183		#define V(a,b,c,d) 0x##b##c##d##a
184		static const unsigned long FT1[256] = { FT };
185		#undef V
186
187		#define V(a,b,c,d) 0x##c##d##a##b
188		static const unsigned long FT2[256] = { FT };
189		#undef V
190
191		#define V(a,b,c,d) 0x##d##a##b##c
192		static const unsigned long FT3[256] = { FT };
193		#undef V
194
195		#undef FT
196
197		/*
198		* Reverse S-box
199		*/
200		static const unsigned char RSb[256] =
201		{
202		0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
203		0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
204		0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
205		0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
206		0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
207		0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
208		0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
209		0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
210		0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
211		0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
212		0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
213		0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
214		0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
215		0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
216		0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
217		0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
218		0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
219		0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
220		0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
221		0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
222		0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
223		0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
224		0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
225		0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
226		0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
227		0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
228		0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
229		0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
230		0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
231		0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
232		0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
233		0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
234		};
235
236		/*
237		* Reverse tables
238		*/
239		#define RT \
240		\
241		V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
242		V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
243		V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
244		V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
245		V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
246		V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
247		V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
248		V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
249		V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
250		V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
251		V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
252		V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
253		V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
254		V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
255		V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
256		V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
257		V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
258		V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
259		V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
260		V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
261		V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
262		V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
263		V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
264		V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
265		V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
266		V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
267		V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
268		V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
269		V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
270		V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
271		V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
272		V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
273		V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
274		V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
275		V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
276		V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
277		V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
278		V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
279		V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
280		V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
281		V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
282		V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
283		V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
284		V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
285		V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
286		V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
287		V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
288		V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
289		V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
290		V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
291		V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
292		V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
293		V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
294		V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
295		V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
296		V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
297		V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
298		V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
299		V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
300		V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
301		V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
302		V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
303		V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
304		V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
305
306		#define V(a,b,c,d) 0x##a##b##c##d
307		static const unsigned long RT0[256] = { RT };
308		#undef V
309
310		#define V(a,b,c,d) 0x##b##c##d##a
311		static const unsigned long RT1[256] = { RT };
312		#undef V
313
314		#define V(a,b,c,d) 0x##c##d##a##b
315		static const unsigned long RT2[256] = { RT };
316		#undef V
317
318		#define V(a,b,c,d) 0x##d##a##b##c
319		static const unsigned long RT3[256] = { RT };
320		#undef V
321
322		#undef RT
323
324		/*
325		* Round constants
326		*/
327		static const unsigned long RCON[10] =
328		{
329		0x00000001, 0x00000002, 0x00000004, 0x00000008,
330		0x00000010, 0x00000020, 0x00000040, 0x00000080,
331		0x0000001B, 0x00000036
332		};
333
334		#else
335
336		/*
337		* Forward S-box & tables
338		*/
339		static unsigned char FSb[256];
340		static unsigned long FT0[256];
341		static unsigned long FT1[256];
342		static unsigned long FT2[256];
343		static unsigned long FT3[256];
344
345		/*
346		* Reverse S-box & tables
347		*/
348		static unsigned char RSb[256];
349		static unsigned long RT0[256];
350		static unsigned long RT1[256];
351		static unsigned long RT2[256];
352		static unsigned long RT3[256];
353
354		/*
355		* Round constants
356		*/
357		static unsigned long RCON[10];
358
359		/*
360		* Tables generation code
361		*/
362		#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) \| ( x >> 24 )
363		#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
364		#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
365
366		static int aes_init_done = 0;
367
368		static void aes_gen_tables( void )
369		{
370		int i, x, y, z;
371		int pow[256];
372		int log[256];
373
374		/*
375		* compute pow and log tables over GF(2^8)
376		*/
377		for( i = 0, x = 1; i < 256; i++ )
378		{
379		pow[i] = x;
380		log[x] = i;
381		x = ( x ^ XTIME( x ) ) & 0xFF;
382		}
383
384		/*
385		* calculate the round constants
386		*/
387		for( i = 0, x = 1; i < 10; i++ )
388		{
389		RCON[i] = (unsigned long) x;
390		x = XTIME( x ) & 0xFF;
391		}
392
393		/*
394		* generate the forward and reverse S-boxes
395		*/
396		FSb[0x00] = 0x63;
397		RSb[0x63] = 0x00;
398
399		for( i = 1; i < 256; i++ )
400		{
401		x = pow[255 - log[i]];
402
403		y = x; y = ( (y << 1) \| (y >> 7) ) & 0xFF;
404		x ^= y; y = ( (y << 1) \| (y >> 7) ) & 0xFF;
405		x ^= y; y = ( (y << 1) \| (y >> 7) ) & 0xFF;
406		x ^= y; y = ( (y << 1) \| (y >> 7) ) & 0xFF;
407		x ^= y ^ 0x63;
408
409		FSb[i] = (unsigned char) x;
410		RSb[x] = (unsigned char) i;
411		}
412
413		/*
414		* generate the forward and reverse tables
415		*/
416		for( i = 0; i < 256; i++ )
417		{
418		x = FSb[i];
419		y = XTIME( x ) & 0xFF;
420		z = ( y ^ x ) & 0xFF;
421
422		FT0[i] = ( (unsigned long) y ) ^
423		( (unsigned long) x << 8 ) ^
424		( (unsigned long) x << 16 ) ^
425		( (unsigned long) z << 24 );
426
427		FT1[i] = ROTL8( FT0[i] );
428		FT2[i] = ROTL8( FT1[i] );
429		FT3[i] = ROTL8( FT2[i] );
430
431		x = RSb[i];
432
433		RT0[i] = ( (unsigned long) MUL( 0x0E, x ) ) ^
434		( (unsigned long) MUL( 0x09, x ) << 8 ) ^
435		( (unsigned long) MUL( 0x0D, x ) << 16 ) ^
436		( (unsigned long) MUL( 0x0B, x ) << 24 );
437
438		RT1[i] = ROTL8( RT0[i] );
439		RT2[i] = ROTL8( RT1[i] );
440		RT3[i] = ROTL8( RT2[i] );
441		}
442		}
443
444		#endif
445
446		/*
447		* AES key schedule (encryption)
448		*/
449		void aes_setkey_enc( aes_context ctx, const unsigned char key, int keysize )
450	28.3k	{
451	28.3k	int i;
452	28.3k	unsigned long *RK;
453
454		#if !defined(XYSSL_AES_ROM_TABLES)
455		if( aes_init_done == 0 )
456		{
457		aes_gen_tables();
458		aes_init_done = 1;
459		}
460		#endif
461
462	28.3k	switch( keysize )
463	28.3k	{
464	27.2k	case 128: ctx->nr = 10; break;
465	0	case 192: ctx->nr = 12; break;
466	1.13k	case 256: ctx->nr = 14; break;
467	0	default : return;
468	28.3k	}
469
470		#if defined(PADLOCK_ALIGN16)
471		ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
472		#else
473	28.3k	ctx->rk = RK = ctx->buf;
474	28.3k	#endif
475
476	146k	for( i = 0; i < (keysize >> 5); i++ )
477	117k	{
478	117k	GET_ULONG_LE( RK[i], key, i << 2 );
479	117k	}
480
481	28.3k	switch( ctx->nr )
482	28.3k	{
483	27.2k	case 10:
484
485	299k	for( i = 0; i < 10; i++, RK += 4 )
486	272k	{
487	272k	RK[4] = RK[0] ^ RCON[i] ^
488	272k	( FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
489	272k	( FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
490	272k	( FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
491	272k	( ((unsigned int)FSb[ ( RK[3] ) & 0xFF ]) << 24 );
492
493	272k	RK[5] = RK[1] ^ RK[4];
494	272k	RK[6] = RK[2] ^ RK[5];
495	272k	RK[7] = RK[3] ^ RK[6];
496	272k	}
497	27.2k	break;
498
499	0	case 12:
500
501	0	for( i = 0; i < 8; i++, RK += 6 )
502	0	{
503	0	RK[6] = RK[0] ^ RCON[i] ^
504	0	( FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
505	0	( FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
506	0	( FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
507	0	( ((unsigned int)FSb[ ( RK[5] ) & 0xFF ]) << 24 );
508
509	0	RK[7] = RK[1] ^ RK[6];
510	0	RK[8] = RK[2] ^ RK[7];
511	0	RK[9] = RK[3] ^ RK[8];
512	0	RK[10] = RK[4] ^ RK[9];
513	0	RK[11] = RK[5] ^ RK[10];
514	0	}
515	0	break;
516
517	1.13k	case 14:
518
519	9.04k	for( i = 0; i < 7; i++, RK += 8 )
520	7.91k	{
521	7.91k	RK[8] = RK[0] ^ RCON[i] ^
522	7.91k	( FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
523	7.91k	( FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
524	7.91k	( FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
525	7.91k	( ((unsigned int)FSb[ ( RK[7] ) & 0xFF ]) << 24 );
526
527	7.91k	RK[9] = RK[1] ^ RK[8];
528	7.91k	RK[10] = RK[2] ^ RK[9];
529	7.91k	RK[11] = RK[3] ^ RK[10];
530
531	7.91k	RK[12] = RK[4] ^
532	7.91k	( FSb[ ( RK[11] ) & 0xFF ] ) ^
533	7.91k	( FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
534	7.91k	( FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
535	7.91k	( ((unsigned int)FSb[ ( RK[11] >> 24 ) & 0xFF ]) << 24 );
536
537	7.91k	RK[13] = RK[5] ^ RK[12];
538	7.91k	RK[14] = RK[6] ^ RK[13];
539	7.91k	RK[15] = RK[7] ^ RK[14];
540	7.91k	}
541	1.13k	break;
542
543	0	default:
544
545	0	break;
546	28.3k	}
547	28.3k	}
548
549		/*
550		* AES key schedule (decryption)
551		*/
552		void aes_setkey_dec( aes_context ctx, const unsigned char key, int keysize )
553	5.40k	{
554	5.40k	int i, j;
555	5.40k	aes_context cty;
556	5.40k	unsigned long *RK;
557	5.40k	unsigned long *SK;
558
559	5.40k	switch( keysize )
560	5.40k	{
561	4.27k	case 128: ctx->nr = 10; break;
562	0	case 192: ctx->nr = 12; break;
563	1.13k	case 256: ctx->nr = 14; break;
564	0	default : return;
565	5.40k	}
566
567		#if defined(PADLOCK_ALIGN16)
568		ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
569		#else
570	5.40k	ctx->rk = RK = ctx->buf;
571	5.40k	#endif
572
573	5.40k	aes_setkey_enc( &cty, key, keysize );
574	5.40k	SK = cty.rk + cty.nr * 4;
575
576	5.40k	RK++ = SK++;
577	5.40k	RK++ = SK++;
578	5.40k	RK++ = SK++;
579	5.40k	RK++ = SK++;
580
581	58.5k	for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
582	53.1k	{
583	265k	for( j = 0; j < 4; j++, SK++ )
584	212k	{
585	212k	RK++ = RT0[ FSb[ ( SK ) & 0xFF ] ] ^
586	212k	RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
587	212k	RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
588	212k	RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
589	212k	}
590	53.1k	}
591
592	5.40k	RK++ = SK++;
593	5.40k	RK++ = SK++;
594	5.40k	RK++ = SK++;
595	5.40k	RK++ = SK++;
596
597	5.40k	memset( &cty, 0, sizeof( aes_context ) );
598	5.40k	}
599
600	53.9M	#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
601	53.9M	{ \
602	53.9M	X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
603	53.9M	FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
604	53.9M	FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
605	53.9M	FT3[ ( Y3 >> 24 ) & 0xFF ]; \
606	53.9M	\
607	53.9M	X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
608	53.9M	FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
609	53.9M	FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
610	53.9M	FT3[ ( Y0 >> 24 ) & 0xFF ]; \
611	53.9M	\
612	53.9M	X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
613	53.9M	FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
614	53.9M	FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
615	53.9M	FT3[ ( Y1 >> 24 ) & 0xFF ]; \
616	53.9M	\
617	53.9M	X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
618	53.9M	FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
619	53.9M	FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
620	53.9M	FT3[ ( Y2 >> 24 ) & 0xFF ]; \
621	53.9M	}
622
623	2.75M	#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
624	2.75M	{ \
625	2.75M	X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
626	2.75M	RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
627	2.75M	RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
628	2.75M	RT3[ ( Y1 >> 24 ) & 0xFF ]; \
629	2.75M	\
630	2.75M	X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
631	2.75M	RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
632	2.75M	RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
633	2.75M	RT3[ ( Y2 >> 24 ) & 0xFF ]; \
634	2.75M	\
635	2.75M	X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
636	2.75M	RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
637	2.75M	RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
638	2.75M	RT3[ ( Y3 >> 24 ) & 0xFF ]; \
639	2.75M	\
640	2.75M	X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
641	2.75M	RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
642	2.75M	RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
643	2.75M	RT3[ ( Y0 >> 24 ) & 0xFF ]; \
644	2.75M	}
645
646		/*
647		* AES-ECB block encryption/decryption
648		*/
649		void aes_crypt_ecb( aes_context *ctx,
650		int mode,
651		const unsigned char input[16],
652		unsigned char output[16] )
653	6.29M	{
654	6.29M	int i;
655	6.29M	unsigned long *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
656
657		#if defined(XYSSL_PADLOCK_C) && defined(XYSSL_HAVE_X86)
658		if( padlock_supports( PADLOCK_ACE ) )
659		{
660		if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
661		return;
662		}
663		#endif
664
665	6.29M	if (ctx == NULL \|\| ctx->rk == NULL)
666	0	return;
667
668	6.29M	RK = ctx->rk;
669
670	6.29M	GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
671	6.29M	GET_ULONG_LE( X1, input, 4 ); X1 ^= *RK++;
672	6.29M	GET_ULONG_LE( X2, input, 8 ); X2 ^= *RK++;
673	6.29M	GET_ULONG_LE( X3, input, 12 ); X3 ^= *RK++;
674
675	6.29M	if( mode == AES_DECRYPT )
676	299k	{
677	1.52M	for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
678	1.22M	{
679	1.22M	AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
680	1.22M	AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
681	1.22M	}
682
683	299k	AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
684
685	299k	X0 = *RK++ ^ ( RSb[ ( Y0 ) & 0xFF ] ) ^
686	299k	( RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
687	299k	( RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
688	299k	( ((unsigned int)RSb[ ( Y1 >> 24 ) & 0xFF ]) << 24 );
689
690	299k	X1 = *RK++ ^ ( RSb[ ( Y1 ) & 0xFF ] ) ^
691	299k	( RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
692	299k	( RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
693	299k	( ((unsigned int)RSb[ ( Y2 >> 24 ) & 0xFF ]) << 24 );
694
695	299k	X2 = *RK++ ^ ( RSb[ ( Y2 ) & 0xFF ] ) ^
696	299k	( RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
697	299k	( RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
698	299k	( ((unsigned int)RSb[ ( Y3 >> 24 ) & 0xFF ]) << 24 );
699
700	299k	X3 = *RK++ ^ ( RSb[ ( Y3 ) & 0xFF ] ) ^
701	299k	( RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
702	299k	( RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
703	299k	( ((unsigned int)RSb[ ( Y0 >> 24 ) & 0xFF ]) << 24 );
704	299k	}
705	5.99M	else /* AES_ENCRYPT */
706	5.99M	{
707	29.9M	for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
708	23.9M	{
709	23.9M	AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
710	23.9M	AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
711	23.9M	}
712
713	5.99M	AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
714
715	5.99M	X0 = *RK++ ^ ( FSb[ ( Y0 ) & 0xFF ] ) ^
716	5.99M	( FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
717	5.99M	( FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
718	5.99M	( ((unsigned int)FSb[ ( Y3 >> 24 ) & 0xFF ]) << 24 );
719
720	5.99M	X1 = *RK++ ^ ( FSb[ ( Y1 ) & 0xFF ] ) ^
721	5.99M	( FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
722	5.99M	( FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
723	5.99M	( ((unsigned int)FSb[ ( Y0 >> 24 ) & 0xFF ]) << 24 );
724
725	5.99M	X2 = *RK++ ^ ( FSb[ ( Y2 ) & 0xFF ] ) ^
726	5.99M	( FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
727	5.99M	( FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
728	5.99M	( ((unsigned int)FSb[ ( Y1 >> 24 ) & 0xFF ]) << 24 );
729
730	5.99M	X3 = *RK++ ^ ( FSb[ ( Y3 ) & 0xFF ] ) ^
731	5.99M	( FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
732	5.99M	( FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
733	5.99M	( ((unsigned int)FSb[ ( Y2 >> 24 ) & 0xFF ]) << 24 );
734	5.99M	}
735
736	6.29M	PUT_ULONG_LE( X0, output, 0 );
737	6.29M	PUT_ULONG_LE( X1, output, 4 );
738	6.29M	PUT_ULONG_LE( X2, output, 8 );
739	6.29M	PUT_ULONG_LE( X3, output, 12 );
740	6.29M	}
741
742		/*
743		* AES-CBC buffer encryption/decryption
744		*/
745		void aes_crypt_cbc( aes_context *ctx,
746		int mode,
747		int length,
748		unsigned char iv[16],
749		const unsigned char *input,
750		unsigned char *output )
751	322k	{
752	322k	int i;
753	322k	unsigned char temp[16];
754
755		#if defined(XYSSL_PADLOCK_C) && defined(XYSSL_HAVE_X86)
756		if( padlock_supports( PADLOCK_ACE ) )
757		{
758		if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
759		return;
760		}
761		#endif
762
763	322k	if( mode == AES_DECRYPT )
764	299k	{
765	598k	while( length > 0 )
766	299k	{
767	299k	memcpy( temp, input, 16 );
768	299k	aes_crypt_ecb( ctx, mode, input, output );
769
770	5.08M	for( i = 0; i < 16; i++ )
771	4.78M	output[i] = (unsigned char)( output[i] ^ iv[i] );
772
773	299k	memcpy( iv, temp, 16 );
774
775	299k	input += 16;
776	299k	output += 16;
777	299k	length -= 16;
778	299k	}
779	299k	}
780	22.9k	else
781	22.9k	{
782	6.01M	while( length > 0 )
783	5.99M	{
784	101M	for( i = 0; i < 16; i++ )
785	95.9M	output[i] = (unsigned char)( input[i] ^ iv[i] );
786
787	5.99M	aes_crypt_ecb( ctx, mode, output, output );
788	5.99M	memcpy( iv, output, 16 );
789
790	5.99M	input += 16;
791	5.99M	output += 16;
792	5.99M	length -= 16;
793	5.99M	}
794	22.9k	}
795	322k	}
796
797		/*
798		* AES-CFB buffer encryption/decryption
799		*/
800		void aes_crypt_cfb( aes_context *ctx,
801		int mode,
802		int length,
803		int *iv_off,
804		unsigned char iv[16],
805		const unsigned char *input,
806		unsigned char *output )
807	0	{
808	0	int c, n = *iv_off;
809
810	0	if( mode == AES_DECRYPT )
811	0	{
812	0	while( length-- )
813	0	{
814	0	if( n == 0 )
815	0	aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
816
817	0	c = *input++;
818	0	*output++ = (unsigned char)( c ^ iv[n] );
819	0	iv[n] = (unsigned char) c;
820
821	0	n = (n + 1) & 0x0F;
822	0	}
823	0	}
824	0	else
825	0	{
826	0	while( length-- )
827	0	{
828	0	if( n == 0 )
829	0	aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
830
831	0	iv[n] = output++ = (unsigned char)( iv[n] ^ input++ );
832
833	0	n = (n + 1) & 0x0F;
834	0	}
835	0	}
836
837	0	*iv_off = n;
838	0	}
839
840		#if defined(XYSSL_SELF_TEST)
841
842		#include <stdio.h>
843
844		/*
845		* AES test vectors from:
846		*
847		* http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
848		*/
849		static const unsigned char aes_test_ecb_dec[3][16] =
850		{
851		{ 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
852		0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
853		{ 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
854		0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
855		{ 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
856		0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
857		};
858
859		static const unsigned char aes_test_ecb_enc[3][16] =
860		{
861		{ 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
862		0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
863		{ 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
864		0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
865		{ 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
866		0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
867		};
868
869		static const unsigned char aes_test_cbc_dec[3][16] =
870		{
871		{ 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
872		0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
873		{ 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
874		0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
875		{ 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
876		0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
877		};
878
879		static const unsigned char aes_test_cbc_enc[3][16] =
880		{
881		{ 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
882		0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
883		{ 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
884		0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
885		{ 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
886		0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
887		};
888
889		/*
890		* AES-CFB test vectors (generated on 2008-02-12)
891		*/
892		static const unsigned char aes_test_cfb_dec[3][16] =
893		{
894		{ 0xBA, 0x75, 0x0C, 0xC9, 0x77, 0xF8, 0xD4, 0xE1,
895		0x3E, 0x0F, 0xB5, 0x46, 0x2E, 0xA6, 0x33, 0xF6 },
896		{ 0xDB, 0x40, 0x4A, 0x98, 0x7B, 0xAA, 0xA3, 0xF3,
897		0x92, 0x35, 0xAD, 0x58, 0x09, 0x9B, 0xFF, 0x6E },
898		{ 0xA8, 0x17, 0x41, 0x0E, 0x76, 0x71, 0x60, 0xE5,
899		0xFD, 0x37, 0xC5, 0x43, 0xCC, 0xC8, 0xD6, 0xDA }
900		};
901
902		static const unsigned char aes_test_cfb_enc[3][16] =
903		{
904		{ 0x45, 0x62, 0xC5, 0xA1, 0xF9, 0x10, 0x8F, 0xE0,
905		0x87, 0x24, 0x25, 0x68, 0xB5, 0x12, 0xF3, 0x8B },
906		{ 0xB8, 0xD4, 0xD5, 0x09, 0xF5, 0xEE, 0x08, 0x38,
907		0x48, 0x9B, 0x9D, 0xAD, 0x11, 0xB4, 0x2E, 0xD2 },
908		{ 0xE9, 0x10, 0x80, 0xDA, 0xEE, 0x2D, 0x81, 0xD9,
909		0x41, 0x78, 0x91, 0xD5, 0x98, 0x78, 0xE1, 0xFA }
910		};
911
912		/*
913		* Checkup routine
914		*/
915		int aes_self_test( int verbose )
916		{
917		int i, j, u, v, offset;
918		unsigned char key[32];
919		unsigned char buf[16];
920		unsigned char prv[16];
921		unsigned char iv[16];
922		aes_context ctx;
923
924		memset( key, 0, 32 );
925
926		/*
927		* ECB mode
928		*/
929		for( i = 0; i < 6; i++ )
930		{
931		u = i >> 1;
932		v = i & 1;
933
934		if( verbose != 0 )
935		printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
936		( v == AES_DECRYPT ) ? "dec" : "enc" );
937
938		memset( buf, 0, 16 );
939
940		if( v == AES_DECRYPT )
941		{
942		aes_setkey_dec( &ctx, key, 128 + u * 64 );
943
944		for( j = 0; j < 10000; j++ )
945		aes_crypt_ecb( &ctx, v, buf, buf );
946
947		if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
948		{
949		if( verbose != 0 )
950		printf( "failed\n" );
951
952		return( 1 );
953		}
954		}
955		else
956		{
957		aes_setkey_enc( &ctx, key, 128 + u * 64 );
958
959		for( j = 0; j < 10000; j++ )
960		aes_crypt_ecb( &ctx, v, buf, buf );
961
962		if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
963		{
964		if( verbose != 0 )
965		printf( "failed\n" );
966
967		return( 1 );
968		}
969		}
970
971		if( verbose != 0 )
972		printf( "passed\n" );
973		}
974
975		if( verbose != 0 )
976		printf( "\n" );
977
978		/*
979		* CBC mode
980		*/
981		for( i = 0; i < 6; i++ )
982		{
983		u = i >> 1;
984		v = i & 1;
985
986		if( verbose != 0 )
987		printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
988		( v == AES_DECRYPT ) ? "dec" : "enc" );
989
990		memset( iv , 0, 16 );
991		memset( prv, 0, 16 );
992		memset( buf, 0, 16 );
993
994		if( v == AES_DECRYPT )
995		{
996		aes_setkey_dec( &ctx, key, 128 + u * 64 );
997
998		for( j = 0; j < 10000; j++ )
999		aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1000
1001		if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1002		{
1003		if( verbose != 0 )
1004		printf( "failed\n" );
1005
1006		return( 1 );
1007		}
1008		}
1009		else
1010		{
1011		aes_setkey_enc( &ctx, key, 128 + u * 64 );
1012
1013		for( j = 0; j < 10000; j++ )
1014		{
1015		unsigned char tmp[16];
1016
1017		aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1018
1019		memcpy( tmp, prv, 16 );
1020		memcpy( prv, buf, 16 );
1021		memcpy( buf, tmp, 16 );
1022		}
1023
1024		if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1025		{
1026		if( verbose != 0 )
1027		printf( "failed\n" );
1028
1029		return( 1 );
1030		}
1031		}
1032
1033		if( verbose != 0 )
1034		printf( "passed\n" );
1035		}
1036
1037		if( verbose != 0 )
1038		printf( "\n" );
1039
1040		/*
1041		* CFB mode
1042		*/
1043		for( i = 0; i < 6; i++ )
1044		{
1045		u = i >> 1;
1046		v = i & 1;
1047
1048		if( verbose != 0 )
1049		printf( " AES-CFB-%3d (%s): ", 128 + u * 64,
1050		( v == AES_DECRYPT ) ? "dec" : "enc" );
1051
1052		memset( iv , 0, 16 );
1053		memset( buf, 0, 16 );
1054		offset = 0;
1055
1056		if( v == AES_DECRYPT )
1057		{
1058		aes_setkey_dec( &ctx, key, 128 + u * 64 );
1059
1060		for( j = 0; j < 10000; j++ )
1061		aes_crypt_cfb( &ctx, v, 16, &offset, iv, buf, buf );
1062
1063		if( memcmp( buf, aes_test_cfb_dec[u], 16 ) != 0 )
1064		{
1065		if( verbose != 0 )
1066		printf( "failed\n" );
1067
1068		return( 1 );
1069		}
1070		}
1071		else
1072		{
1073		aes_setkey_enc( &ctx, key, 128 + u * 64 );
1074
1075		for( j = 0; j < 10000; j++ )
1076		aes_crypt_cfb( &ctx, v, 16, &offset, iv, buf, buf );
1077
1078		if( memcmp( buf, aes_test_cfb_enc[u], 16 ) != 0 )
1079		{
1080		if( verbose != 0 )
1081		printf( "failed\n" );
1082
1083		return( 1 );
1084		}
1085		}
1086
1087		if( verbose != 0 )
1088		printf( "passed\n" );
1089		}
1090
1091		if( verbose != 0 )
1092		printf( "\n" );
1093
1094		return( 0 );
1095		}
1096
1097		int main(int argc, char *argv[])
1098		{
1099		return aes_self_test(1);
1100		}
1101
1102		#endif /* defined(XYSSL_SELF_TEST) */

Coverage Report

Created: 2022-10-31 07:00