/src/ghostpdl/base/aes.c

Line	Count	Source
1		/*
2		* FIPS-197 compliant AES implementation
3		*
4		* Copyright (C) 2006-2007 Christophe Devine
5		*
6		* Redistribution and use in source and binary forms, with or without
7		* modification, are permitted provided that the following conditions
8		* are met:
9		*
10		* * Redistributions of source code _must_ retain the above copyright
11		* notice, this list of conditions and the following disclaimer.
12		* * Redistributions in binary form may or may not reproduce the above
13		* copyright notice, this list of conditions and the following
14		* disclaimer in the documentation and/or other materials provided
15		* with the distribution.
16		* * Neither the name of XySSL nor the names of its contributors may be
17		* used to endorse or promote products derived from this software
18		* without specific prior written permission.
19		*
20		* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21		* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22		* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
23		* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
24		* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
25		* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
26		* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
27		* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
28		* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
29		* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
30		* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31		*/
32		/*
33		* The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
34		*
35		* http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
36		* http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
37		*/
38
39		/* AES block cipher implementation from XYSSL */
40
41		#include "string_.h" /* memcmp() */
42		#include "aes.h"
43
44		#define XYSSL_AES_ROM_TABLES 1 /* avoid regenerating tables each time */
45
46		/*
47		* 32-bit integer manipulation macros (little endian)
48		*/
49		#ifndef GET_ULONG_LE
50	118M	#define GET_ULONG_LE(n,b,i) \
51	118M	{ \
52	118M	(n) = ( (unsigned long) (b)[(i) ] ) \
53	118M	\| ( (unsigned long) (b)[(i) + 1] << 8 ) \
54	118M	\| ( (unsigned long) (b)[(i) + 2] << 16 ) \
55	118M	\| ( (unsigned long) (b)[(i) + 3] << 24 ); \
56	118M	}
57		#endif
58
59		#ifndef PUT_ULONG_LE
60	117M	#define PUT_ULONG_LE(n,b,i) \
61	117M	{ \
62	117M	(b)[(i) ] = (unsigned char) ( (n) ); \
63	117M	(b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
64	117M	(b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
65	117M	(b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
66	117M	}
67		#endif
68
69		#if defined(XYSSL_AES_ROM_TABLES)
70		/*
71		* Forward S-box
72		*/
73		static const unsigned char FSb[256] =
74		{
75		0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
76		0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
77		0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
78		0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
79		0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
80		0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
81		0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
82		0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
83		0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
84		0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
85		0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
86		0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
87		0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
88		0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
89		0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
90		0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
91		0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
92		0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
93		0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
94		0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
95		0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
96		0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
97		0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
98		0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
99		0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
100		0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
101		0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
102		0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
103		0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
104		0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
105		0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
106		0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
107		};
108
109		/*
110		* Forward tables
111		*/
112		#define FT \
113		\
114		V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
115		V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
116		V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
117		V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
118		V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
119		V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
120		V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
121		V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
122		V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
123		V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
124		V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
125		V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
126		V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
127		V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
128		V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
129		V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
130		V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
131		V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
132		V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
133		V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
134		V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
135		V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
136		V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
137		V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
138		V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
139		V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
140		V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
141		V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
142		V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
143		V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
144		V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
145		V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
146		V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
147		V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
148		V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
149		V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
150		V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
151		V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
152		V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
153		V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
154		V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
155		V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
156		V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
157		V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
158		V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
159		V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
160		V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
161		V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
162		V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
163		V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
164		V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
165		V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
166		V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
167		V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
168		V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
169		V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
170		V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
171		V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
172		V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
173		V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
174		V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
175		V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
176		V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
177		V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
178
179		#define V(a,b,c,d) 0x##a##b##c##d
180		static const unsigned long FT0[256] = { FT };
181		#undef V
182
183		#define V(a,b,c,d) 0x##b##c##d##a
184		static const unsigned long FT1[256] = { FT };
185		#undef V
186
187		#define V(a,b,c,d) 0x##c##d##a##b
188		static const unsigned long FT2[256] = { FT };
189		#undef V
190
191		#define V(a,b,c,d) 0x##d##a##b##c
192		static const unsigned long FT3[256] = { FT };
193		#undef V
194
195		#undef FT
196
197		/*
198		* Reverse S-box
199		*/
200		static const unsigned char RSb[256] =
201		{
202		0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
203		0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
204		0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
205		0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
206		0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
207		0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
208		0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
209		0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
210		0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
211		0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
212		0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
213		0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
214		0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
215		0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
216		0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
217		0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
218		0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
219		0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
220		0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
221		0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
222		0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
223		0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
224		0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
225		0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
226		0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
227		0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
228		0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
229		0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
230		0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
231		0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
232		0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
233		0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
234		};
235
236		/*
237		* Reverse tables
238		*/
239		#define RT \
240		\
241		V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
242		V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
243		V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
244		V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
245		V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
246		V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
247		V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
248		V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
249		V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
250		V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
251		V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
252		V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
253		V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
254		V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
255		V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
256		V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
257		V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
258		V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
259		V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
260		V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
261		V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
262		V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
263		V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
264		V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
265		V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
266		V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
267		V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
268		V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
269		V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
270		V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
271		V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
272		V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
273		V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
274		V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
275		V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
276		V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
277		V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
278		V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
279		V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
280		V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
281		V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
282		V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
283		V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
284		V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
285		V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
286		V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
287		V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
288		V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
289		V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
290		V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
291		V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
292		V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
293		V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
294		V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
295		V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
296		V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
297		V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
298		V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
299		V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
300		V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
301		V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
302		V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
303		V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
304		V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
305
306		#define V(a,b,c,d) 0x##a##b##c##d
307		static const unsigned long RT0[256] = { RT };
308		#undef V
309
310		#define V(a,b,c,d) 0x##b##c##d##a
311		static const unsigned long RT1[256] = { RT };
312		#undef V
313
314		#define V(a,b,c,d) 0x##c##d##a##b
315		static const unsigned long RT2[256] = { RT };
316		#undef V
317
318		#define V(a,b,c,d) 0x##d##a##b##c
319		static const unsigned long RT3[256] = { RT };
320		#undef V
321
322		#undef RT
323
324		/*
325		* Round constants
326		*/
327		static const unsigned long RCON[10] =
328		{
329		0x00000001, 0x00000002, 0x00000004, 0x00000008,
330		0x00000010, 0x00000020, 0x00000040, 0x00000080,
331		0x0000001B, 0x00000036
332		};
333
334		#else
335
336		/*
337		* Forward S-box & tables
338		*/
339		static unsigned char FSb[256];
340		static unsigned long FT0[256];
341		static unsigned long FT1[256];
342		static unsigned long FT2[256];
343		static unsigned long FT3[256];
344
345		/*
346		* Reverse S-box & tables
347		*/
348		static unsigned char RSb[256];
349		static unsigned long RT0[256];
350		static unsigned long RT1[256];
351		static unsigned long RT2[256];
352		static unsigned long RT3[256];
353
354		/*
355		* Round constants
356		*/
357		static unsigned long RCON[10];
358
359		/*
360		* Tables generation code
361		*/
362		#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) \| ( x >> 24 )
363		#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
364		#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
365
366		static int aes_init_done = 0;
367
368		static void aes_gen_tables( void )
369		{
370		int i, x, y, z;
371		int pow[256];
372		int log[256];
373
374		/*
375		* compute pow and log tables over GF(2^8)
376		*/
377		for( i = 0, x = 1; i < 256; i++ )
378		{
379		pow[i] = x;
380		log[x] = i;
381		x = ( x ^ XTIME( x ) ) & 0xFF;
382		}
383
384		/*
385		* calculate the round constants
386		*/
387		for( i = 0, x = 1; i < 10; i++ )
388		{
389		RCON[i] = (unsigned long) x;
390		x = XTIME( x ) & 0xFF;
391		}
392
393		/*
394		* generate the forward and reverse S-boxes
395		*/
396		FSb[0x00] = 0x63;
397		RSb[0x63] = 0x00;
398
399		for( i = 1; i < 256; i++ )
400		{
401		x = pow[255 - log[i]];
402
403		y = x; y = ( (y << 1) \| (y >> 7) ) & 0xFF;
404		x ^= y; y = ( (y << 1) \| (y >> 7) ) & 0xFF;
405		x ^= y; y = ( (y << 1) \| (y >> 7) ) & 0xFF;
406		x ^= y; y = ( (y << 1) \| (y >> 7) ) & 0xFF;
407		x ^= y ^ 0x63;
408
409		FSb[i] = (unsigned char) x;
410		RSb[x] = (unsigned char) i;
411		}
412
413		/*
414		* generate the forward and reverse tables
415		*/
416		for( i = 0; i < 256; i++ )
417		{
418		x = FSb[i];
419		y = XTIME( x ) & 0xFF;
420		z = ( y ^ x ) & 0xFF;
421
422		FT0[i] = ( (unsigned long) y ) ^
423		( (unsigned long) x << 8 ) ^
424		( (unsigned long) x << 16 ) ^
425		( (unsigned long) z << 24 );
426
427		FT1[i] = ROTL8( FT0[i] );
428		FT2[i] = ROTL8( FT1[i] );
429		FT3[i] = ROTL8( FT2[i] );
430
431		x = RSb[i];
432
433		RT0[i] = ( (unsigned long) MUL( 0x0E, x ) ) ^
434		( (unsigned long) MUL( 0x09, x ) << 8 ) ^
435		( (unsigned long) MUL( 0x0D, x ) << 16 ) ^
436		( (unsigned long) MUL( 0x0B, x ) << 24 );
437
438		RT1[i] = ROTL8( RT0[i] );
439		RT2[i] = ROTL8( RT1[i] );
440		RT3[i] = ROTL8( RT2[i] );
441		}
442		}
443
444		#endif
445
446		/*
447		* AES key schedule (encryption)
448		*/
449		void aes_setkey_enc( aes_context ctx, const unsigned char key, int keysize )
450	138k	{
451	138k	int i;
452	138k	unsigned long *RK;
453
454		#if !defined(XYSSL_AES_ROM_TABLES)
455		if( aes_init_done == 0 )
456		{
457		aes_gen_tables();
458		aes_init_done = 1;
459		}
460		#endif
461
462	138k	switch( keysize )
463	138k	{
464	133k	case 128: ctx->nr = 10; break;
465	0	case 192: ctx->nr = 12; break;
466	5.33k	case 256: ctx->nr = 14; break;
467	0	default : return;
468	138k	}
469
470		#if defined(PADLOCK_ALIGN16)
471		ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
472		#else
473	138k	ctx->rk = RK = ctx->buf;
474	138k	#endif
475
476	713k	for( i = 0; i < (keysize >> 5); i++ )
477	575k	{
478	575k	GET_ULONG_LE( RK[i], key, i << 2 );
479	575k	}
480
481	138k	switch( ctx->nr )
482	138k	{
483	133k	case 10:
484
485	1.46M	for( i = 0; i < 10; i++, RK += 4 )
486	1.33M	{
487	1.33M	RK[4] = RK[0] ^ RCON[i] ^
488	1.33M	( FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
489	1.33M	( FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
490	1.33M	( FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
491	1.33M	( ((unsigned int)FSb[ ( RK[3] ) & 0xFF ]) << 24 );
492
493	1.33M	RK[5] = RK[1] ^ RK[4];
494	1.33M	RK[6] = RK[2] ^ RK[5];
495	1.33M	RK[7] = RK[3] ^ RK[6];
496	1.33M	}
497	133k	break;
498
499	0	case 12:
500
501	0	for( i = 0; i < 8; i++, RK += 6 )
502	0	{
503	0	RK[6] = RK[0] ^ RCON[i] ^
504	0	( FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
505	0	( FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
506	0	( FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
507	0	( ((unsigned int)FSb[ ( RK[5] ) & 0xFF ]) << 24 );
508
509	0	RK[7] = RK[1] ^ RK[6];
510	0	RK[8] = RK[2] ^ RK[7];
511	0	RK[9] = RK[3] ^ RK[8];
512	0	RK[10] = RK[4] ^ RK[9];
513	0	RK[11] = RK[5] ^ RK[10];
514	0	}
515	0	break;
516
517	5.33k	case 14:
518
519	42.6k	for( i = 0; i < 7; i++, RK += 8 )
520	37.3k	{
521	37.3k	RK[8] = RK[0] ^ RCON[i] ^
522	37.3k	( FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
523	37.3k	( FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
524	37.3k	( FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
525	37.3k	( ((unsigned int)FSb[ ( RK[7] ) & 0xFF ]) << 24 );
526
527	37.3k	RK[9] = RK[1] ^ RK[8];
528	37.3k	RK[10] = RK[2] ^ RK[9];
529	37.3k	RK[11] = RK[3] ^ RK[10];
530
531	37.3k	RK[12] = RK[4] ^
532	37.3k	( FSb[ ( RK[11] ) & 0xFF ] ) ^
533	37.3k	( FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
534	37.3k	( FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
535	37.3k	( ((unsigned int)FSb[ ( RK[11] >> 24 ) & 0xFF ]) << 24 );
536
537	37.3k	RK[13] = RK[5] ^ RK[12];
538	37.3k	RK[14] = RK[6] ^ RK[13];
539	37.3k	RK[15] = RK[7] ^ RK[14];
540	37.3k	}
541	5.33k	break;
542
543	0	default:
544
545	0	break;
546	138k	}
547	138k	}
548
549		/*
550		* AES key schedule (decryption)
551		*/
552		void aes_setkey_dec( aes_context ctx, const unsigned char key, int keysize )
553	43.3k	{
554	43.3k	int i, j;
555	43.3k	aes_context cty;
556	43.3k	unsigned long *RK;
557	43.3k	unsigned long *SK;
558
559	43.3k	switch( keysize )
560	43.3k	{
561	37.9k	case 128: ctx->nr = 10; break;
562	0	case 192: ctx->nr = 12; break;
563	5.33k	case 256: ctx->nr = 14; break;
564	0	default : return;
565	43.3k	}
566
567		#if defined(PADLOCK_ALIGN16)
568		ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
569		#else
570	43.3k	ctx->rk = RK = ctx->buf;
571	43.3k	#endif
572
573	43.3k	aes_setkey_enc( &cty, key, keysize );
574	43.3k	SK = cty.rk + cty.nr * 4;
575
576	43.3k	RK++ = SK++;
577	43.3k	RK++ = SK++;
578	43.3k	RK++ = SK++;
579	43.3k	RK++ = SK++;
580
581	454k	for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
582	411k	{
583	2.05M	for( j = 0; j < 4; j++, SK++ )
584	1.64M	{
585	1.64M	RK++ = RT0[ FSb[ ( SK ) & 0xFF ] ] ^
586	1.64M	RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
587	1.64M	RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
588	1.64M	RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
589	1.64M	}
590	411k	}
591
592	43.3k	RK++ = SK++;
593	43.3k	RK++ = SK++;
594	43.3k	RK++ = SK++;
595	43.3k	RK++ = SK++;
596
597	43.3k	memset( &cty, 0, sizeof( aes_context ) );
598	43.3k	}
599
600	220M	#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
601	220M	{ \
602	220M	X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
603	220M	FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
604	220M	FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
605	220M	FT3[ ( Y3 >> 24 ) & 0xFF ]; \
606	220M	\
607	220M	X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
608	220M	FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
609	220M	FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
610	220M	FT3[ ( Y0 >> 24 ) & 0xFF ]; \
611	220M	\
612	220M	X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
613	220M	FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
614	220M	FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
615	220M	FT3[ ( Y1 >> 24 ) & 0xFF ]; \
616	220M	\
617	220M	X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
618	220M	FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
619	220M	FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
620	220M	FT3[ ( Y2 >> 24 ) & 0xFF ]; \
621	220M	}
622
623	44.5M	#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
624	44.5M	{ \
625	44.5M	X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
626	44.5M	RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
627	44.5M	RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
628	44.5M	RT3[ ( Y1 >> 24 ) & 0xFF ]; \
629	44.5M	\
630	44.5M	X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
631	44.5M	RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
632	44.5M	RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
633	44.5M	RT3[ ( Y2 >> 24 ) & 0xFF ]; \
634	44.5M	\
635	44.5M	X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
636	44.5M	RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
637	44.5M	RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
638	44.5M	RT3[ ( Y3 >> 24 ) & 0xFF ]; \
639	44.5M	\
640	44.5M	X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
641	44.5M	RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
642	44.5M	RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
643	44.5M	RT3[ ( Y0 >> 24 ) & 0xFF ]; \
644	44.5M	}
645
646		/*
647		* AES-ECB block encryption/decryption
648		*/
649		void aes_crypt_ecb( aes_context *ctx,
650		int mode,
651		const unsigned char input[16],
652		unsigned char output[16] )
653	29.4M	{
654	29.4M	int i;
655	29.4M	unsigned long *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
656
657		#if defined(XYSSL_PADLOCK_C) && defined(XYSSL_HAVE_X86)
658		if( padlock_supports( PADLOCK_ACE ) )
659		{
660		if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
661		return;
662		}
663		#endif
664
665	29.4M	if (ctx == NULL \|\| ctx->rk == NULL)
666	0	return;
667
668	29.4M	RK = ctx->rk;
669
670	29.4M	GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
671	29.4M	GET_ULONG_LE( X1, input, 4 ); X1 ^= *RK++;
672	29.4M	GET_ULONG_LE( X2, input, 8 ); X2 ^= *RK++;
673	29.4M	GET_ULONG_LE( X3, input, 12 ); X3 ^= *RK++;
674
675	29.4M	if( mode == AES_DECRYPT )
676	4.92M	{
677	24.7M	for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
678	19.8M	{
679	19.8M	AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
680	19.8M	AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
681	19.8M	}
682
683	4.92M	AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
684
685	4.92M	X0 = *RK++ ^ ( RSb[ ( Y0 ) & 0xFF ] ) ^
686	4.92M	( RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
687	4.92M	( RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
688	4.92M	( ((unsigned int)RSb[ ( Y1 >> 24 ) & 0xFF ]) << 24 );
689
690	4.92M	X1 = *RK++ ^ ( RSb[ ( Y1 ) & 0xFF ] ) ^
691	4.92M	( RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
692	4.92M	( RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
693	4.92M	( ((unsigned int)RSb[ ( Y2 >> 24 ) & 0xFF ]) << 24 );
694
695	4.92M	X2 = *RK++ ^ ( RSb[ ( Y2 ) & 0xFF ] ) ^
696	4.92M	( RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
697	4.92M	( RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
698	4.92M	( ((unsigned int)RSb[ ( Y3 >> 24 ) & 0xFF ]) << 24 );
699
700	4.92M	X3 = *RK++ ^ ( RSb[ ( Y3 ) & 0xFF ] ) ^
701	4.92M	( RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
702	4.92M	( RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
703	4.92M	( ((unsigned int)RSb[ ( Y0 >> 24 ) & 0xFF ]) << 24 );
704	4.92M	}
705	24.5M	else /* AES_ENCRYPT */
706	24.5M	{
707	122M	for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
708	98.1M	{
709	98.1M	AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
710	98.1M	AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
711	98.1M	}
712
713	24.5M	AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
714
715	24.5M	X0 = *RK++ ^ ( FSb[ ( Y0 ) & 0xFF ] ) ^
716	24.5M	( FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
717	24.5M	( FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
718	24.5M	( ((unsigned int)FSb[ ( Y3 >> 24 ) & 0xFF ]) << 24 );
719
720	24.5M	X1 = *RK++ ^ ( FSb[ ( Y1 ) & 0xFF ] ) ^
721	24.5M	( FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
722	24.5M	( FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
723	24.5M	( ((unsigned int)FSb[ ( Y0 >> 24 ) & 0xFF ]) << 24 );
724
725	24.5M	X2 = *RK++ ^ ( FSb[ ( Y2 ) & 0xFF ] ) ^
726	24.5M	( FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
727	24.5M	( FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
728	24.5M	( ((unsigned int)FSb[ ( Y1 >> 24 ) & 0xFF ]) << 24 );
729
730	24.5M	X3 = *RK++ ^ ( FSb[ ( Y3 ) & 0xFF ] ) ^
731	24.5M	( FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
732	24.5M	( FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
733	24.5M	( ((unsigned int)FSb[ ( Y2 >> 24 ) & 0xFF ]) << 24 );
734	24.5M	}
735
736	29.4M	PUT_ULONG_LE( X0, output, 0 );
737	29.4M	PUT_ULONG_LE( X1, output, 4 );
738	29.4M	PUT_ULONG_LE( X2, output, 8 );
739	29.4M	PUT_ULONG_LE( X3, output, 12 );
740	29.4M	}
741
742		/*
743		* AES-CBC buffer encryption/decryption
744		*/
745		void aes_crypt_cbc( aes_context *ctx,
746		int mode,
747		int length,
748		unsigned char iv[16],
749		const unsigned char *input,
750		unsigned char *output )
751	5.02M	{
752	5.02M	int i;
753	5.02M	unsigned char temp[16];
754
755		#if defined(XYSSL_PADLOCK_C) && defined(XYSSL_HAVE_X86)
756		if( padlock_supports( PADLOCK_ACE ) )
757		{
758		if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
759		return;
760		}
761		#endif
762
763	5.02M	if( mode == AES_DECRYPT )
764	4.92M	{
765	9.85M	while( length > 0 )
766	4.92M	{
767	4.92M	memcpy( temp, input, 16 );
768	4.92M	aes_crypt_ecb( ctx, mode, input, output );
769
770	83.7M	for( i = 0; i < 16; i++ )
771	78.8M	output[i] = (unsigned char)( output[i] ^ iv[i] );
772
773	4.92M	memcpy( iv, temp, 16 );
774
775	4.92M	input += 16;
776	4.92M	output += 16;
777	4.92M	length -= 16;
778	4.92M	}
779	4.92M	}
780	95.2k	else
781	95.2k	{
782	24.6M	while( length > 0 )
783	24.5M	{
784	417M	for( i = 0; i < 16; i++ )
785	392M	output[i] = (unsigned char)( input[i] ^ iv[i] );
786
787	24.5M	aes_crypt_ecb( ctx, mode, output, output );
788	24.5M	memcpy( iv, output, 16 );
789
790	24.5M	input += 16;
791	24.5M	output += 16;
792	24.5M	length -= 16;
793	24.5M	}
794	95.2k	}
795	5.02M	}
796
797		/*
798		* AES-CFB buffer encryption/decryption
799		*/
800		void aes_crypt_cfb( aes_context *ctx,
801		int mode,
802		int length,
803		int *iv_off,
804		unsigned char iv[16],
805		const unsigned char *input,
806		unsigned char *output )
807	0	{
808	0	int c, n = *iv_off;
809
810	0	if( mode == AES_DECRYPT )
811	0	{
812	0	while( length-- )
813	0	{
814	0	if( n == 0 )
815	0	aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
816
817	0	c = *input++;
818	0	*output++ = (unsigned char)( c ^ iv[n] );
819	0	iv[n] = (unsigned char) c;
820
821	0	n = (n + 1) & 0x0F;
822	0	}
823	0	}
824	0	else
825	0	{
826	0	while( length-- )
827	0	{
828	0	if( n == 0 )
829	0	aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
830
831	0	iv[n] = output++ = (unsigned char)( iv[n] ^ input++ );
832
833	0	n = (n + 1) & 0x0F;
834	0	}
835	0	}
836
837	0	*iv_off = n;
838	0	}
839
840		#if defined(XYSSL_SELF_TEST)
841
842		#include <stdio.h>
843
844		/*
845		* AES test vectors from:
846		*
847		* http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
848		*/
849		static const unsigned char aes_test_ecb_dec[3][16] =
850		{
851		{ 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
852		0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
853		{ 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
854		0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
855		{ 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
856		0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
857		};
858
859		static const unsigned char aes_test_ecb_enc[3][16] =
860		{
861		{ 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
862		0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
863		{ 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
864		0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
865		{ 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
866		0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
867		};
868
869		static const unsigned char aes_test_cbc_dec[3][16] =
870		{
871		{ 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
872		0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
873		{ 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
874		0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
875		{ 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
876		0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
877		};
878
879		static const unsigned char aes_test_cbc_enc[3][16] =
880		{
881		{ 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
882		0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
883		{ 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
884		0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
885		{ 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
886		0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
887		};
888
889		/*
890		* AES-CFB test vectors (generated on 2008-02-12)
891		*/
892		static const unsigned char aes_test_cfb_dec[3][16] =
893		{
894		{ 0xBA, 0x75, 0x0C, 0xC9, 0x77, 0xF8, 0xD4, 0xE1,
895		0x3E, 0x0F, 0xB5, 0x46, 0x2E, 0xA6, 0x33, 0xF6 },
896		{ 0xDB, 0x40, 0x4A, 0x98, 0x7B, 0xAA, 0xA3, 0xF3,
897		0x92, 0x35, 0xAD, 0x58, 0x09, 0x9B, 0xFF, 0x6E },
898		{ 0xA8, 0x17, 0x41, 0x0E, 0x76, 0x71, 0x60, 0xE5,
899		0xFD, 0x37, 0xC5, 0x43, 0xCC, 0xC8, 0xD6, 0xDA }
900		};
901
902		static const unsigned char aes_test_cfb_enc[3][16] =
903		{
904		{ 0x45, 0x62, 0xC5, 0xA1, 0xF9, 0x10, 0x8F, 0xE0,
905		0x87, 0x24, 0x25, 0x68, 0xB5, 0x12, 0xF3, 0x8B },
906		{ 0xB8, 0xD4, 0xD5, 0x09, 0xF5, 0xEE, 0x08, 0x38,
907		0x48, 0x9B, 0x9D, 0xAD, 0x11, 0xB4, 0x2E, 0xD2 },
908		{ 0xE9, 0x10, 0x80, 0xDA, 0xEE, 0x2D, 0x81, 0xD9,
909		0x41, 0x78, 0x91, 0xD5, 0x98, 0x78, 0xE1, 0xFA }
910		};
911
912		/*
913		* Checkup routine
914		*/
915		int aes_self_test( int verbose )
916		{
917		int i, j, u, v, offset;
918		unsigned char key[32];
919		unsigned char buf[16];
920		unsigned char prv[16];
921		unsigned char iv[16];
922		aes_context ctx;
923
924		memset( key, 0, 32 );
925
926		/*
927		* ECB mode
928		*/
929		for( i = 0; i < 6; i++ )
930		{
931		u = i >> 1;
932		v = i & 1;
933
934		if( verbose != 0 )
935		printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
936		( v == AES_DECRYPT ) ? "dec" : "enc" );
937
938		memset( buf, 0, 16 );
939
940		if( v == AES_DECRYPT )
941		{
942		aes_setkey_dec( &ctx, key, 128 + u * 64 );
943
944		for( j = 0; j < 10000; j++ )
945		aes_crypt_ecb( &ctx, v, buf, buf );
946
947		if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
948		{
949		if( verbose != 0 )
950		printf( "failed\n" );
951
952		return( 1 );
953		}
954		}
955		else
956		{
957		aes_setkey_enc( &ctx, key, 128 + u * 64 );
958
959		for( j = 0; j < 10000; j++ )
960		aes_crypt_ecb( &ctx, v, buf, buf );
961
962		if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
963		{
964		if( verbose != 0 )
965		printf( "failed\n" );
966
967		return( 1 );
968		}
969		}
970
971		if( verbose != 0 )
972		printf( "passed\n" );
973		}
974
975		if( verbose != 0 )
976		printf( "\n" );
977
978		/*
979		* CBC mode
980		*/
981		for( i = 0; i < 6; i++ )
982		{
983		u = i >> 1;
984		v = i & 1;
985
986		if( verbose != 0 )
987		printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
988		( v == AES_DECRYPT ) ? "dec" : "enc" );
989
990		memset( iv , 0, 16 );
991		memset( prv, 0, 16 );
992		memset( buf, 0, 16 );
993
994		if( v == AES_DECRYPT )
995		{
996		aes_setkey_dec( &ctx, key, 128 + u * 64 );
997
998		for( j = 0; j < 10000; j++ )
999		aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1000
1001		if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1002		{
1003		if( verbose != 0 )
1004		printf( "failed\n" );
1005
1006		return( 1 );
1007		}
1008		}
1009		else
1010		{
1011		aes_setkey_enc( &ctx, key, 128 + u * 64 );
1012
1013		for( j = 0; j < 10000; j++ )
1014		{
1015		unsigned char tmp[16];
1016
1017		aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1018
1019		memcpy( tmp, prv, 16 );
1020		memcpy( prv, buf, 16 );
1021		memcpy( buf, tmp, 16 );
1022		}
1023
1024		if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1025		{
1026		if( verbose != 0 )
1027		printf( "failed\n" );
1028
1029		return( 1 );
1030		}
1031		}
1032
1033		if( verbose != 0 )
1034		printf( "passed\n" );
1035		}
1036
1037		if( verbose != 0 )
1038		printf( "\n" );
1039
1040		/*
1041		* CFB mode
1042		*/
1043		for( i = 0; i < 6; i++ )
1044		{
1045		u = i >> 1;
1046		v = i & 1;
1047
1048		if( verbose != 0 )
1049		printf( " AES-CFB-%3d (%s): ", 128 + u * 64,
1050		( v == AES_DECRYPT ) ? "dec" : "enc" );
1051
1052		memset( iv , 0, 16 );
1053		memset( buf, 0, 16 );
1054		offset = 0;
1055
1056		if( v == AES_DECRYPT )
1057		{
1058		aes_setkey_dec( &ctx, key, 128 + u * 64 );
1059
1060		for( j = 0; j < 10000; j++ )
1061		aes_crypt_cfb( &ctx, v, 16, &offset, iv, buf, buf );
1062
1063		if( memcmp( buf, aes_test_cfb_dec[u], 16 ) != 0 )
1064		{
1065		if( verbose != 0 )
1066		printf( "failed\n" );
1067
1068		return( 1 );
1069		}
1070		}
1071		else
1072		{
1073		aes_setkey_enc( &ctx, key, 128 + u * 64 );
1074
1075		for( j = 0; j < 10000; j++ )
1076		aes_crypt_cfb( &ctx, v, 16, &offset, iv, buf, buf );
1077
1078		if( memcmp( buf, aes_test_cfb_enc[u], 16 ) != 0 )
1079		{
1080		if( verbose != 0 )
1081		printf( "failed\n" );
1082
1083		return( 1 );
1084		}
1085		}
1086
1087		if( verbose != 0 )
1088		printf( "passed\n" );
1089		}
1090
1091		if( verbose != 0 )
1092		printf( "\n" );
1093
1094		return( 0 );
1095		}
1096
1097		int main(int argc, char *argv[])
1098		{
1099		return aes_self_test(1);
1100		}
1101
1102		#endif /* defined(XYSSL_SELF_TEST) */

Coverage Report

Created: 2026-02-14 07:09