/src/ghostpdl/base/aes.c

Line	Count	Source (jump to first uncovered line)
1		/*
2		* FIPS-197 compliant AES implementation
3		*
4		* Copyright (C) 2006-2007 Christophe Devine
5		*
6		* Redistribution and use in source and binary forms, with or without
7		* modification, are permitted provided that the following conditions
8		* are met:
9		*
10		* * Redistributions of source code _must_ retain the above copyright
11		* notice, this list of conditions and the following disclaimer.
12		* * Redistributions in binary form may or may not reproduce the above
13		* copyright notice, this list of conditions and the following
14		* disclaimer in the documentation and/or other materials provided
15		* with the distribution.
16		* * Neither the name of XySSL nor the names of its contributors may be
17		* used to endorse or promote products derived from this software
18		* without specific prior written permission.
19		*
20		* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21		* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22		* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
23		* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
24		* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
25		* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
26		* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
27		* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
28		* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
29		* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
30		* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31		*/
32		/*
33		* The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
34		*
35		* http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
36		* http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
37		*/
38
39		/* AES block cipher implementation from XYSSL */
40
41		#include "string_.h" /* memcmp() */
42		#include "aes.h"
43
44		#define XYSSL_AES_ROM_TABLES 1 /* avoid regenerating tables each time */
45
46		/*
47		* 32-bit integer manipulation macros (little endian)
48		*/
49		#ifndef GET_ULONG_LE
50	104M	#define GET_ULONG_LE(n,b,i) \
51	104M	{ \
52	104M	(n) = ( (unsigned long) (b)[(i) ] ) \
53	104M	\| ( (unsigned long) (b)[(i) + 1] << 8 ) \
54	104M	\| ( (unsigned long) (b)[(i) + 2] << 16 ) \
55	104M	\| ( (unsigned long) (b)[(i) + 3] << 24 ); \
56	104M	}
57		#endif
58
59		#ifndef PUT_ULONG_LE
60	104M	#define PUT_ULONG_LE(n,b,i) \
61	104M	{ \
62	104M	(b)[(i) ] = (unsigned char) ( (n) ); \
63	104M	(b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
64	104M	(b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
65	104M	(b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
66	104M	}
67		#endif
68
69		#if defined(XYSSL_AES_ROM_TABLES)
70		/*
71		* Forward S-box
72		*/
73		static const unsigned char FSb[256] =
74		{
75		0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
76		0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
77		0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
78		0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
79		0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
80		0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
81		0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
82		0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
83		0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
84		0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
85		0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
86		0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
87		0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
88		0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
89		0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
90		0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
91		0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
92		0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
93		0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
94		0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
95		0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
96		0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
97		0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
98		0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
99		0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
100		0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
101		0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
102		0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
103		0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
104		0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
105		0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
106		0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
107		};
108
109		/*
110		* Forward tables
111		*/
112		#define FT \
113		\
114		V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
115		V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
116		V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
117		V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
118		V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
119		V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
120		V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
121		V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
122		V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
123		V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
124		V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
125		V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
126		V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
127		V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
128		V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
129		V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
130		V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
131		V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
132		V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
133		V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
134		V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
135		V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
136		V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
137		V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
138		V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
139		V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
140		V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
141		V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
142		V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
143		V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
144		V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
145		V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
146		V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
147		V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
148		V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
149		V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
150		V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
151		V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
152		V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
153		V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
154		V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
155		V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
156		V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
157		V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
158		V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
159		V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
160		V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
161		V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
162		V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
163		V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
164		V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
165		V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
166		V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
167		V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
168		V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
169		V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
170		V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
171		V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
172		V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
173		V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
174		V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
175		V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
176		V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
177		V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
178
179		#define V(a,b,c,d) 0x##a##b##c##d
180		static const unsigned long FT0[256] = { FT };
181		#undef V
182
183		#define V(a,b,c,d) 0x##b##c##d##a
184		static const unsigned long FT1[256] = { FT };
185		#undef V
186
187		#define V(a,b,c,d) 0x##c##d##a##b
188		static const unsigned long FT2[256] = { FT };
189		#undef V
190
191		#define V(a,b,c,d) 0x##d##a##b##c
192		static const unsigned long FT3[256] = { FT };
193		#undef V
194
195		#undef FT
196
197		/*
198		* Reverse S-box
199		*/
200		static const unsigned char RSb[256] =
201		{
202		0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
203		0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
204		0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
205		0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
206		0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
207		0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
208		0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
209		0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
210		0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
211		0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
212		0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
213		0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
214		0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
215		0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
216		0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
217		0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
218		0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
219		0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
220		0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
221		0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
222		0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
223		0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
224		0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
225		0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
226		0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
227		0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
228		0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
229		0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
230		0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
231		0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
232		0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
233		0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
234		};
235
236		/*
237		* Reverse tables
238		*/
239		#define RT \
240		\
241		V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
242		V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
243		V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
244		V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
245		V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
246		V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
247		V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
248		V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
249		V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
250		V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
251		V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
252		V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
253		V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
254		V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
255		V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
256		V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
257		V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
258		V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
259		V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
260		V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
261		V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
262		V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
263		V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
264		V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
265		V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
266		V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
267		V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
268		V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
269		V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
270		V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
271		V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
272		V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
273		V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
274		V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
275		V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
276		V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
277		V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
278		V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
279		V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
280		V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
281		V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
282		V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
283		V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
284		V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
285		V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
286		V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
287		V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
288		V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
289		V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
290		V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
291		V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
292		V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
293		V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
294		V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
295		V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
296		V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
297		V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
298		V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
299		V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
300		V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
301		V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
302		V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
303		V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
304		V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
305
306		#define V(a,b,c,d) 0x##a##b##c##d
307		static const unsigned long RT0[256] = { RT };
308		#undef V
309
310		#define V(a,b,c,d) 0x##b##c##d##a
311		static const unsigned long RT1[256] = { RT };
312		#undef V
313
314		#define V(a,b,c,d) 0x##c##d##a##b
315		static const unsigned long RT2[256] = { RT };
316		#undef V
317
318		#define V(a,b,c,d) 0x##d##a##b##c
319		static const unsigned long RT3[256] = { RT };
320		#undef V
321
322		#undef RT
323
324		/*
325		* Round constants
326		*/
327		static const unsigned long RCON[10] =
328		{
329		0x00000001, 0x00000002, 0x00000004, 0x00000008,
330		0x00000010, 0x00000020, 0x00000040, 0x00000080,
331		0x0000001B, 0x00000036
332		};
333
334		#else
335
336		/*
337		* Forward S-box & tables
338		*/
339		static unsigned char FSb[256];
340		static unsigned long FT0[256];
341		static unsigned long FT1[256];
342		static unsigned long FT2[256];
343		static unsigned long FT3[256];
344
345		/*
346		* Reverse S-box & tables
347		*/
348		static unsigned char RSb[256];
349		static unsigned long RT0[256];
350		static unsigned long RT1[256];
351		static unsigned long RT2[256];
352		static unsigned long RT3[256];
353
354		/*
355		* Round constants
356		*/
357		static unsigned long RCON[10];
358
359		/*
360		* Tables generation code
361		*/
362		#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) \| ( x >> 24 )
363		#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
364		#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
365
366		static int aes_init_done = 0;
367
368		static void aes_gen_tables( void )
369		{
370		int i, x, y, z;
371		int pow[256];
372		int log[256];
373
374		/*
375		* compute pow and log tables over GF(2^8)
376		*/
377		for( i = 0, x = 1; i < 256; i++ )
378		{
379		pow[i] = x;
380		log[x] = i;
381		x = ( x ^ XTIME( x ) ) & 0xFF;
382		}
383
384		/*
385		* calculate the round constants
386		*/
387		for( i = 0, x = 1; i < 10; i++ )
388		{
389		RCON[i] = (unsigned long) x;
390		x = XTIME( x ) & 0xFF;
391		}
392
393		/*
394		* generate the forward and reverse S-boxes
395		*/
396		FSb[0x00] = 0x63;
397		RSb[0x63] = 0x00;
398
399		for( i = 1; i < 256; i++ )
400		{
401		x = pow[255 - log[i]];
402
403		y = x; y = ( (y << 1) \| (y >> 7) ) & 0xFF;
404		x ^= y; y = ( (y << 1) \| (y >> 7) ) & 0xFF;
405		x ^= y; y = ( (y << 1) \| (y >> 7) ) & 0xFF;
406		x ^= y; y = ( (y << 1) \| (y >> 7) ) & 0xFF;
407		x ^= y ^ 0x63;
408
409		FSb[i] = (unsigned char) x;
410		RSb[x] = (unsigned char) i;
411		}
412
413		/*
414		* generate the forward and reverse tables
415		*/
416		for( i = 0; i < 256; i++ )
417		{
418		x = FSb[i];
419		y = XTIME( x ) & 0xFF;
420		z = ( y ^ x ) & 0xFF;
421
422		FT0[i] = ( (unsigned long) y ) ^
423		( (unsigned long) x << 8 ) ^
424		( (unsigned long) x << 16 ) ^
425		( (unsigned long) z << 24 );
426
427		FT1[i] = ROTL8( FT0[i] );
428		FT2[i] = ROTL8( FT1[i] );
429		FT3[i] = ROTL8( FT2[i] );
430
431		x = RSb[i];
432
433		RT0[i] = ( (unsigned long) MUL( 0x0E, x ) ) ^
434		( (unsigned long) MUL( 0x09, x ) << 8 ) ^
435		( (unsigned long) MUL( 0x0D, x ) << 16 ) ^
436		( (unsigned long) MUL( 0x0B, x ) << 24 );
437
438		RT1[i] = ROTL8( RT0[i] );
439		RT2[i] = ROTL8( RT1[i] );
440		RT3[i] = ROTL8( RT2[i] );
441		}
442		}
443
444		#endif
445
446		/*
447		* AES key schedule (encryption)
448		*/
449		void aes_setkey_enc( aes_context ctx, const unsigned char key, int keysize )
450	127k	{
451	127k	int i;
452	127k	unsigned long *RK;
453
454		#if !defined(XYSSL_AES_ROM_TABLES)
455		if( aes_init_done == 0 )
456		{
457		aes_gen_tables();
458		aes_init_done = 1;
459		}
460		#endif
461
462	127k	switch( keysize )
463	127k	{
464	122k	case 128: ctx->nr = 10; break;
465	0	case 192: ctx->nr = 12; break;
466	4.90k	case 256: ctx->nr = 14; break;
467	0	default : return;
468	127k	}
469
470		#if defined(PADLOCK_ALIGN16)
471		ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
472		#else
473	127k	ctx->rk = RK = ctx->buf;
474	127k	#endif
475
476	655k	for( i = 0; i < (keysize >> 5); i++ )
477	527k	{
478	527k	GET_ULONG_LE( RK[i], key, i << 2 );
479	527k	}
480
481	127k	switch( ctx->nr )
482	127k	{
483	122k	case 10:
484
485	1.34M	for( i = 0; i < 10; i++, RK += 4 )
486	1.22M	{
487	1.22M	RK[4] = RK[0] ^ RCON[i] ^
488	1.22M	( FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
489	1.22M	( FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
490	1.22M	( FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
491	1.22M	( ((unsigned int)FSb[ ( RK[3] ) & 0xFF ]) << 24 );
492
493	1.22M	RK[5] = RK[1] ^ RK[4];
494	1.22M	RK[6] = RK[2] ^ RK[5];
495	1.22M	RK[7] = RK[3] ^ RK[6];
496	1.22M	}
497	122k	break;
498
499	0	case 12:
500
501	0	for( i = 0; i < 8; i++, RK += 6 )
502	0	{
503	0	RK[6] = RK[0] ^ RCON[i] ^
504	0	( FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
505	0	( FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
506	0	( FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
507	0	( ((unsigned int)FSb[ ( RK[5] ) & 0xFF ]) << 24 );
508
509	0	RK[7] = RK[1] ^ RK[6];
510	0	RK[8] = RK[2] ^ RK[7];
511	0	RK[9] = RK[3] ^ RK[8];
512	0	RK[10] = RK[4] ^ RK[9];
513	0	RK[11] = RK[5] ^ RK[10];
514	0	}
515	0	break;
516
517	4.90k	case 14:
518
519	39.2k	for( i = 0; i < 7; i++, RK += 8 )
520	34.3k	{
521	34.3k	RK[8] = RK[0] ^ RCON[i] ^
522	34.3k	( FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
523	34.3k	( FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
524	34.3k	( FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
525	34.3k	( ((unsigned int)FSb[ ( RK[7] ) & 0xFF ]) << 24 );
526
527	34.3k	RK[9] = RK[1] ^ RK[8];
528	34.3k	RK[10] = RK[2] ^ RK[9];
529	34.3k	RK[11] = RK[3] ^ RK[10];
530
531	34.3k	RK[12] = RK[4] ^
532	34.3k	( FSb[ ( RK[11] ) & 0xFF ] ) ^
533	34.3k	( FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
534	34.3k	( FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
535	34.3k	( ((unsigned int)FSb[ ( RK[11] >> 24 ) & 0xFF ]) << 24 );
536
537	34.3k	RK[13] = RK[5] ^ RK[12];
538	34.3k	RK[14] = RK[6] ^ RK[13];
539	34.3k	RK[15] = RK[7] ^ RK[14];
540	34.3k	}
541	4.90k	break;
542
543	0	default:
544
545	0	break;
546	127k	}
547	127k	}
548
549		/*
550		* AES key schedule (decryption)
551		*/
552		void aes_setkey_dec( aes_context ctx, const unsigned char key, int keysize )
553	42.8k	{
554	42.8k	int i, j;
555	42.8k	aes_context cty;
556	42.8k	unsigned long *RK;
557	42.8k	unsigned long *SK;
558
559	42.8k	switch( keysize )
560	42.8k	{
561	37.9k	case 128: ctx->nr = 10; break;
562	0	case 192: ctx->nr = 12; break;
563	4.90k	case 256: ctx->nr = 14; break;
564	0	default : return;
565	42.8k	}
566
567		#if defined(PADLOCK_ALIGN16)
568		ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
569		#else
570	42.8k	ctx->rk = RK = ctx->buf;
571	42.8k	#endif
572
573	42.8k	aes_setkey_enc( &cty, key, keysize );
574	42.8k	SK = cty.rk + cty.nr * 4;
575
576	42.8k	RK++ = SK++;
577	42.8k	RK++ = SK++;
578	42.8k	RK++ = SK++;
579	42.8k	RK++ = SK++;
580
581	448k	for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
582	405k	{
583	2.02M	for( j = 0; j < 4; j++, SK++ )
584	1.62M	{
585	1.62M	RK++ = RT0[ FSb[ ( SK ) & 0xFF ] ] ^
586	1.62M	RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
587	1.62M	RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
588	1.62M	RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
589	1.62M	}
590	405k	}
591
592	42.8k	RK++ = SK++;
593	42.8k	RK++ = SK++;
594	42.8k	RK++ = SK++;
595	42.8k	RK++ = SK++;
596
597	42.8k	memset( &cty, 0, sizeof( aes_context ) );
598	42.8k	}
599
600	192M	#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
601	192M	{ \
602	192M	X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
603	192M	FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
604	192M	FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
605	192M	FT3[ ( Y3 >> 24 ) & 0xFF ]; \
606	192M	\
607	192M	X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
608	192M	FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
609	192M	FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
610	192M	FT3[ ( Y0 >> 24 ) & 0xFF ]; \
611	192M	\
612	192M	X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
613	192M	FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
614	192M	FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
615	192M	FT3[ ( Y1 >> 24 ) & 0xFF ]; \
616	192M	\
617	192M	X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
618	192M	FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
619	192M	FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
620	192M	FT3[ ( Y2 >> 24 ) & 0xFF ]; \
621	192M	}
622
623	42.1M	#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
624	42.1M	{ \
625	42.1M	X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
626	42.1M	RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
627	42.1M	RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
628	42.1M	RT3[ ( Y1 >> 24 ) & 0xFF ]; \
629	42.1M	\
630	42.1M	X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
631	42.1M	RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
632	42.1M	RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
633	42.1M	RT3[ ( Y2 >> 24 ) & 0xFF ]; \
634	42.1M	\
635	42.1M	X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
636	42.1M	RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
637	42.1M	RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
638	42.1M	RT3[ ( Y3 >> 24 ) & 0xFF ]; \
639	42.1M	\
640	42.1M	X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
641	42.1M	RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
642	42.1M	RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
643	42.1M	RT3[ ( Y0 >> 24 ) & 0xFF ]; \
644	42.1M	}
645
646		/*
647		* AES-ECB block encryption/decryption
648		*/
649		void aes_crypt_ecb( aes_context *ctx,
650		int mode,
651		const unsigned char input[16],
652		unsigned char output[16] )
653	26.1M	{
654	26.1M	int i;
655	26.1M	unsigned long *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
656
657		#if defined(XYSSL_PADLOCK_C) && defined(XYSSL_HAVE_X86)
658		if( padlock_supports( PADLOCK_ACE ) )
659		{
660		if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
661		return;
662		}
663		#endif
664
665	26.1M	if (ctx == NULL \|\| ctx->rk == NULL)
666	0	return;
667
668	26.1M	RK = ctx->rk;
669
670	26.1M	GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
671	26.1M	GET_ULONG_LE( X1, input, 4 ); X1 ^= *RK++;
672	26.1M	GET_ULONG_LE( X2, input, 8 ); X2 ^= *RK++;
673	26.1M	GET_ULONG_LE( X3, input, 12 ); X3 ^= *RK++;
674
675	26.1M	if( mode == AES_DECRYPT )
676	4.66M	{
677	23.4M	for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
678	18.7M	{
679	18.7M	AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
680	18.7M	AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
681	18.7M	}
682
683	4.66M	AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
684
685	4.66M	X0 = *RK++ ^ ( RSb[ ( Y0 ) & 0xFF ] ) ^
686	4.66M	( RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
687	4.66M	( RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
688	4.66M	( ((unsigned int)RSb[ ( Y1 >> 24 ) & 0xFF ]) << 24 );
689
690	4.66M	X1 = *RK++ ^ ( RSb[ ( Y1 ) & 0xFF ] ) ^
691	4.66M	( RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
692	4.66M	( RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
693	4.66M	( ((unsigned int)RSb[ ( Y2 >> 24 ) & 0xFF ]) << 24 );
694
695	4.66M	X2 = *RK++ ^ ( RSb[ ( Y2 ) & 0xFF ] ) ^
696	4.66M	( RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
697	4.66M	( RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
698	4.66M	( ((unsigned int)RSb[ ( Y3 >> 24 ) & 0xFF ]) << 24 );
699
700	4.66M	X3 = *RK++ ^ ( RSb[ ( Y3 ) & 0xFF ] ) ^
701	4.66M	( RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
702	4.66M	( RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
703	4.66M	( ((unsigned int)RSb[ ( Y0 >> 24 ) & 0xFF ]) << 24 );
704	4.66M	}
705	21.4M	else /* AES_ENCRYPT */
706	21.4M	{
707	107M	for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
708	85.7M	{
709	85.7M	AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
710	85.7M	AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
711	85.7M	}
712
713	21.4M	AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
714
715	21.4M	X0 = *RK++ ^ ( FSb[ ( Y0 ) & 0xFF ] ) ^
716	21.4M	( FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
717	21.4M	( FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
718	21.4M	( ((unsigned int)FSb[ ( Y3 >> 24 ) & 0xFF ]) << 24 );
719
720	21.4M	X1 = *RK++ ^ ( FSb[ ( Y1 ) & 0xFF ] ) ^
721	21.4M	( FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
722	21.4M	( FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
723	21.4M	( ((unsigned int)FSb[ ( Y0 >> 24 ) & 0xFF ]) << 24 );
724
725	21.4M	X2 = *RK++ ^ ( FSb[ ( Y2 ) & 0xFF ] ) ^
726	21.4M	( FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
727	21.4M	( FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
728	21.4M	( ((unsigned int)FSb[ ( Y1 >> 24 ) & 0xFF ]) << 24 );
729
730	21.4M	X3 = *RK++ ^ ( FSb[ ( Y3 ) & 0xFF ] ) ^
731	21.4M	( FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
732	21.4M	( FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
733	21.4M	( ((unsigned int)FSb[ ( Y2 >> 24 ) & 0xFF ]) << 24 );
734	21.4M	}
735
736	26.1M	PUT_ULONG_LE( X0, output, 0 );
737	26.1M	PUT_ULONG_LE( X1, output, 4 );
738	26.1M	PUT_ULONG_LE( X2, output, 8 );
739	26.1M	PUT_ULONG_LE( X3, output, 12 );
740	26.1M	}
741
742		/*
743		* AES-CBC buffer encryption/decryption
744		*/
745		void aes_crypt_cbc( aes_context *ctx,
746		int mode,
747		int length,
748		unsigned char iv[16],
749		const unsigned char *input,
750		unsigned char *output )
751	4.74M	{
752	4.74M	int i;
753	4.74M	unsigned char temp[16];
754
755		#if defined(XYSSL_PADLOCK_C) && defined(XYSSL_HAVE_X86)
756		if( padlock_supports( PADLOCK_ACE ) )
757		{
758		if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
759		return;
760		}
761		#endif
762
763	4.74M	if( mode == AES_DECRYPT )
764	4.66M	{
765	9.32M	while( length > 0 )
766	4.66M	{
767	4.66M	memcpy( temp, input, 16 );
768	4.66M	aes_crypt_ecb( ctx, mode, input, output );
769
770	79.2M	for( i = 0; i < 16; i++ )
771	74.6M	output[i] = (unsigned char)( output[i] ^ iv[i] );
772
773	4.66M	memcpy( iv, temp, 16 );
774
775	4.66M	input += 16;
776	4.66M	output += 16;
777	4.66M	length -= 16;
778	4.66M	}
779	4.66M	}
780	84.2k	else
781	84.2k	{
782	21.5M	while( length > 0 )
783	21.4M	{
784	364M	for( i = 0; i < 16; i++ )
785	343M	output[i] = (unsigned char)( input[i] ^ iv[i] );
786
787	21.4M	aes_crypt_ecb( ctx, mode, output, output );
788	21.4M	memcpy( iv, output, 16 );
789
790	21.4M	input += 16;
791	21.4M	output += 16;
792	21.4M	length -= 16;
793	21.4M	}
794	84.2k	}
795	4.74M	}
796
797		/*
798		* AES-CFB buffer encryption/decryption
799		*/
800		void aes_crypt_cfb( aes_context *ctx,
801		int mode,
802		int length,
803		int *iv_off,
804		unsigned char iv[16],
805		const unsigned char *input,
806		unsigned char *output )
807	0	{
808	0	int c, n = *iv_off;
809
810	0	if( mode == AES_DECRYPT )
811	0	{
812	0	while( length-- )
813	0	{
814	0	if( n == 0 )
815	0	aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
816
817	0	c = *input++;
818	0	*output++ = (unsigned char)( c ^ iv[n] );
819	0	iv[n] = (unsigned char) c;
820
821	0	n = (n + 1) & 0x0F;
822	0	}
823	0	}
824	0	else
825	0	{
826	0	while( length-- )
827	0	{
828	0	if( n == 0 )
829	0	aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
830
831	0	iv[n] = output++ = (unsigned char)( iv[n] ^ input++ );
832
833	0	n = (n + 1) & 0x0F;
834	0	}
835	0	}
836
837	0	*iv_off = n;
838	0	}
839
840		#if defined(XYSSL_SELF_TEST)
841
842		#include <stdio.h>
843
844		/*
845		* AES test vectors from:
846		*
847		* http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
848		*/
849		static const unsigned char aes_test_ecb_dec[3][16] =
850		{
851		{ 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
852		0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
853		{ 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
854		0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
855		{ 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
856		0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
857		};
858
859		static const unsigned char aes_test_ecb_enc[3][16] =
860		{
861		{ 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
862		0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
863		{ 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
864		0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
865		{ 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
866		0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
867		};
868
869		static const unsigned char aes_test_cbc_dec[3][16] =
870		{
871		{ 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
872		0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
873		{ 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
874		0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
875		{ 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
876		0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
877		};
878
879		static const unsigned char aes_test_cbc_enc[3][16] =
880		{
881		{ 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
882		0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
883		{ 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
884		0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
885		{ 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
886		0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
887		};
888
889		/*
890		* AES-CFB test vectors (generated on 2008-02-12)
891		*/
892		static const unsigned char aes_test_cfb_dec[3][16] =
893		{
894		{ 0xBA, 0x75, 0x0C, 0xC9, 0x77, 0xF8, 0xD4, 0xE1,
895		0x3E, 0x0F, 0xB5, 0x46, 0x2E, 0xA6, 0x33, 0xF6 },
896		{ 0xDB, 0x40, 0x4A, 0x98, 0x7B, 0xAA, 0xA3, 0xF3,
897		0x92, 0x35, 0xAD, 0x58, 0x09, 0x9B, 0xFF, 0x6E },
898		{ 0xA8, 0x17, 0x41, 0x0E, 0x76, 0x71, 0x60, 0xE5,
899		0xFD, 0x37, 0xC5, 0x43, 0xCC, 0xC8, 0xD6, 0xDA }
900		};
901
902		static const unsigned char aes_test_cfb_enc[3][16] =
903		{
904		{ 0x45, 0x62, 0xC5, 0xA1, 0xF9, 0x10, 0x8F, 0xE0,
905		0x87, 0x24, 0x25, 0x68, 0xB5, 0x12, 0xF3, 0x8B },
906		{ 0xB8, 0xD4, 0xD5, 0x09, 0xF5, 0xEE, 0x08, 0x38,
907		0x48, 0x9B, 0x9D, 0xAD, 0x11, 0xB4, 0x2E, 0xD2 },
908		{ 0xE9, 0x10, 0x80, 0xDA, 0xEE, 0x2D, 0x81, 0xD9,
909		0x41, 0x78, 0x91, 0xD5, 0x98, 0x78, 0xE1, 0xFA }
910		};
911
912		/*
913		* Checkup routine
914		*/
915		int aes_self_test( int verbose )
916		{
917		int i, j, u, v, offset;
918		unsigned char key[32];
919		unsigned char buf[16];
920		unsigned char prv[16];
921		unsigned char iv[16];
922		aes_context ctx;
923
924		memset( key, 0, 32 );
925
926		/*
927		* ECB mode
928		*/
929		for( i = 0; i < 6; i++ )
930		{
931		u = i >> 1;
932		v = i & 1;
933
934		if( verbose != 0 )
935		printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
936		( v == AES_DECRYPT ) ? "dec" : "enc" );
937
938		memset( buf, 0, 16 );
939
940		if( v == AES_DECRYPT )
941		{
942		aes_setkey_dec( &ctx, key, 128 + u * 64 );
943
944		for( j = 0; j < 10000; j++ )
945		aes_crypt_ecb( &ctx, v, buf, buf );
946
947		if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
948		{
949		if( verbose != 0 )
950		printf( "failed\n" );
951
952		return( 1 );
953		}
954		}
955		else
956		{
957		aes_setkey_enc( &ctx, key, 128 + u * 64 );
958
959		for( j = 0; j < 10000; j++ )
960		aes_crypt_ecb( &ctx, v, buf, buf );
961
962		if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
963		{
964		if( verbose != 0 )
965		printf( "failed\n" );
966
967		return( 1 );
968		}
969		}
970
971		if( verbose != 0 )
972		printf( "passed\n" );
973		}
974
975		if( verbose != 0 )
976		printf( "\n" );
977
978		/*
979		* CBC mode
980		*/
981		for( i = 0; i < 6; i++ )
982		{
983		u = i >> 1;
984		v = i & 1;
985
986		if( verbose != 0 )
987		printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
988		( v == AES_DECRYPT ) ? "dec" : "enc" );
989
990		memset( iv , 0, 16 );
991		memset( prv, 0, 16 );
992		memset( buf, 0, 16 );
993
994		if( v == AES_DECRYPT )
995		{
996		aes_setkey_dec( &ctx, key, 128 + u * 64 );
997
998		for( j = 0; j < 10000; j++ )
999		aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1000
1001		if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1002		{
1003		if( verbose != 0 )
1004		printf( "failed\n" );
1005
1006		return( 1 );
1007		}
1008		}
1009		else
1010		{
1011		aes_setkey_enc( &ctx, key, 128 + u * 64 );
1012
1013		for( j = 0; j < 10000; j++ )
1014		{
1015		unsigned char tmp[16];
1016
1017		aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1018
1019		memcpy( tmp, prv, 16 );
1020		memcpy( prv, buf, 16 );
1021		memcpy( buf, tmp, 16 );
1022		}
1023
1024		if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1025		{
1026		if( verbose != 0 )
1027		printf( "failed\n" );
1028
1029		return( 1 );
1030		}
1031		}
1032
1033		if( verbose != 0 )
1034		printf( "passed\n" );
1035		}
1036
1037		if( verbose != 0 )
1038		printf( "\n" );
1039
1040		/*
1041		* CFB mode
1042		*/
1043		for( i = 0; i < 6; i++ )
1044		{
1045		u = i >> 1;
1046		v = i & 1;
1047
1048		if( verbose != 0 )
1049		printf( " AES-CFB-%3d (%s): ", 128 + u * 64,
1050		( v == AES_DECRYPT ) ? "dec" : "enc" );
1051
1052		memset( iv , 0, 16 );
1053		memset( buf, 0, 16 );
1054		offset = 0;
1055
1056		if( v == AES_DECRYPT )
1057		{
1058		aes_setkey_dec( &ctx, key, 128 + u * 64 );
1059
1060		for( j = 0; j < 10000; j++ )
1061		aes_crypt_cfb( &ctx, v, 16, &offset, iv, buf, buf );
1062
1063		if( memcmp( buf, aes_test_cfb_dec[u], 16 ) != 0 )
1064		{
1065		if( verbose != 0 )
1066		printf( "failed\n" );
1067
1068		return( 1 );
1069		}
1070		}
1071		else
1072		{
1073		aes_setkey_enc( &ctx, key, 128 + u * 64 );
1074
1075		for( j = 0; j < 10000; j++ )
1076		aes_crypt_cfb( &ctx, v, 16, &offset, iv, buf, buf );
1077
1078		if( memcmp( buf, aes_test_cfb_enc[u], 16 ) != 0 )
1079		{
1080		if( verbose != 0 )
1081		printf( "failed\n" );
1082
1083		return( 1 );
1084		}
1085		}
1086
1087		if( verbose != 0 )
1088		printf( "passed\n" );
1089		}
1090
1091		if( verbose != 0 )
1092		printf( "\n" );
1093
1094		return( 0 );
1095		}
1096
1097		int main(int argc, char *argv[])
1098		{
1099		return aes_self_test(1);
1100		}
1101
1102		#endif /* defined(XYSSL_SELF_TEST) */

Coverage Report

Created: 2025-08-28 07:06