/src/ghostpdl/base/aes.c

Line	Count	Source
1		/*
2		* FIPS-197 compliant AES implementation
3		*
4		* Copyright (C) 2006-2007 Christophe Devine
5		*
6		* Redistribution and use in source and binary forms, with or without
7		* modification, are permitted provided that the following conditions
8		* are met:
9		*
10		* * Redistributions of source code _must_ retain the above copyright
11		* notice, this list of conditions and the following disclaimer.
12		* * Redistributions in binary form may or may not reproduce the above
13		* copyright notice, this list of conditions and the following
14		* disclaimer in the documentation and/or other materials provided
15		* with the distribution.
16		* * Neither the name of XySSL nor the names of its contributors may be
17		* used to endorse or promote products derived from this software
18		* without specific prior written permission.
19		*
20		* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21		* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22		* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
23		* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
24		* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
25		* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
26		* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
27		* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
28		* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
29		* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
30		* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31		*/
32		/*
33		* The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
34		*
35		* http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
36		* http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
37		*/
38
39		/* AES block cipher implementation from XYSSL */
40
41		#include "string_.h" /* memcmp() */
42		#include "aes.h"
43
44		#define XYSSL_AES_ROM_TABLES 1 /* avoid regenerating tables each time */
45
46		/*
47		* 32-bit integer manipulation macros (little endian)
48		*/
49		#ifndef GET_ULONG_LE
50	103M	#define GET_ULONG_LE(n,b,i) \
51	103M	{ \
52	103M	(n) = ( (unsigned long) (b)[(i) ] ) \
53	103M	\| ( (unsigned long) (b)[(i) + 1] << 8 ) \
54	103M	\| ( (unsigned long) (b)[(i) + 2] << 16 ) \
55	103M	\| ( (unsigned long) (b)[(i) + 3] << 24 ); \
56	103M	}
57		#endif
58
59		#ifndef PUT_ULONG_LE
60	103M	#define PUT_ULONG_LE(n,b,i) \
61	103M	{ \
62	103M	(b)[(i) ] = (unsigned char) ( (n) ); \
63	103M	(b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
64	103M	(b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
65	103M	(b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
66	103M	}
67		#endif
68
69		#if defined(XYSSL_AES_ROM_TABLES)
70		/*
71		* Forward S-box
72		*/
73		static const unsigned char FSb[256] =
74		{
75		0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
76		0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
77		0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
78		0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
79		0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
80		0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
81		0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
82		0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
83		0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
84		0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
85		0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
86		0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
87		0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
88		0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
89		0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
90		0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
91		0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
92		0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
93		0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
94		0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
95		0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
96		0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
97		0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
98		0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
99		0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
100		0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
101		0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
102		0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
103		0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
104		0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
105		0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
106		0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
107		};
108
109		/*
110		* Forward tables
111		*/
112		#define FT \
113		\
114		V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
115		V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
116		V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
117		V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
118		V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
119		V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
120		V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
121		V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
122		V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
123		V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
124		V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
125		V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
126		V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
127		V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
128		V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
129		V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
130		V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
131		V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
132		V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
133		V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
134		V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
135		V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
136		V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
137		V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
138		V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
139		V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
140		V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
141		V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
142		V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
143		V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
144		V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
145		V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
146		V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
147		V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
148		V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
149		V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
150		V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
151		V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
152		V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
153		V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
154		V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
155		V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
156		V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
157		V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
158		V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
159		V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
160		V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
161		V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
162		V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
163		V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
164		V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
165		V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
166		V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
167		V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
168		V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
169		V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
170		V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
171		V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
172		V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
173		V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
174		V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
175		V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
176		V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
177		V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
178
179		#define V(a,b,c,d) 0x##a##b##c##d
180		static const unsigned long FT0[256] = { FT };
181		#undef V
182
183		#define V(a,b,c,d) 0x##b##c##d##a
184		static const unsigned long FT1[256] = { FT };
185		#undef V
186
187		#define V(a,b,c,d) 0x##c##d##a##b
188		static const unsigned long FT2[256] = { FT };
189		#undef V
190
191		#define V(a,b,c,d) 0x##d##a##b##c
192		static const unsigned long FT3[256] = { FT };
193		#undef V
194
195		#undef FT
196
197		/*
198		* Reverse S-box
199		*/
200		static const unsigned char RSb[256] =
201		{
202		0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
203		0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
204		0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
205		0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
206		0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
207		0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
208		0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
209		0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
210		0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
211		0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
212		0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
213		0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
214		0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
215		0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
216		0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
217		0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
218		0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
219		0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
220		0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
221		0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
222		0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
223		0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
224		0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
225		0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
226		0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
227		0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
228		0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
229		0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
230		0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
231		0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
232		0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
233		0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
234		};
235
236		/*
237		* Reverse tables
238		*/
239		#define RT \
240		\
241		V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
242		V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
243		V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
244		V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
245		V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
246		V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
247		V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
248		V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
249		V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
250		V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
251		V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
252		V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
253		V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
254		V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
255		V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
256		V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
257		V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
258		V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
259		V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
260		V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
261		V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
262		V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
263		V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
264		V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
265		V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
266		V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
267		V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
268		V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
269		V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
270		V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
271		V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
272		V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
273		V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
274		V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
275		V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
276		V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
277		V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
278		V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
279		V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
280		V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
281		V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
282		V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
283		V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
284		V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
285		V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
286		V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
287		V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
288		V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
289		V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
290		V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
291		V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
292		V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
293		V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
294		V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
295		V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
296		V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
297		V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
298		V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
299		V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
300		V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
301		V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
302		V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
303		V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
304		V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
305
306		#define V(a,b,c,d) 0x##a##b##c##d
307		static const unsigned long RT0[256] = { RT };
308		#undef V
309
310		#define V(a,b,c,d) 0x##b##c##d##a
311		static const unsigned long RT1[256] = { RT };
312		#undef V
313
314		#define V(a,b,c,d) 0x##c##d##a##b
315		static const unsigned long RT2[256] = { RT };
316		#undef V
317
318		#define V(a,b,c,d) 0x##d##a##b##c
319		static const unsigned long RT3[256] = { RT };
320		#undef V
321
322		#undef RT
323
324		/*
325		* Round constants
326		*/
327		static const unsigned long RCON[10] =
328		{
329		0x00000001, 0x00000002, 0x00000004, 0x00000008,
330		0x00000010, 0x00000020, 0x00000040, 0x00000080,
331		0x0000001B, 0x00000036
332		};
333
334		#else
335
336		/*
337		* Forward S-box & tables
338		*/
339		static unsigned char FSb[256];
340		static unsigned long FT0[256];
341		static unsigned long FT1[256];
342		static unsigned long FT2[256];
343		static unsigned long FT3[256];
344
345		/*
346		* Reverse S-box & tables
347		*/
348		static unsigned char RSb[256];
349		static unsigned long RT0[256];
350		static unsigned long RT1[256];
351		static unsigned long RT2[256];
352		static unsigned long RT3[256];
353
354		/*
355		* Round constants
356		*/
357		static unsigned long RCON[10];
358
359		/*
360		* Tables generation code
361		*/
362		#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) \| ( x >> 24 )
363		#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
364		#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
365
366		static int aes_init_done = 0;
367
368		static void aes_gen_tables( void )
369		{
370		int i, x, y, z;
371		int pow[256];
372		int log[256];
373
374		/*
375		* compute pow and log tables over GF(2^8)
376		*/
377		for( i = 0, x = 1; i < 256; i++ )
378		{
379		pow[i] = x;
380		log[x] = i;
381		x = ( x ^ XTIME( x ) ) & 0xFF;
382		}
383
384		/*
385		* calculate the round constants
386		*/
387		for( i = 0, x = 1; i < 10; i++ )
388		{
389		RCON[i] = (unsigned long) x;
390		x = XTIME( x ) & 0xFF;
391		}
392
393		/*
394		* generate the forward and reverse S-boxes
395		*/
396		FSb[0x00] = 0x63;
397		RSb[0x63] = 0x00;
398
399		for( i = 1; i < 256; i++ )
400		{
401		x = pow[255 - log[i]];
402
403		y = x; y = ( (y << 1) \| (y >> 7) ) & 0xFF;
404		x ^= y; y = ( (y << 1) \| (y >> 7) ) & 0xFF;
405		x ^= y; y = ( (y << 1) \| (y >> 7) ) & 0xFF;
406		x ^= y; y = ( (y << 1) \| (y >> 7) ) & 0xFF;
407		x ^= y ^ 0x63;
408
409		FSb[i] = (unsigned char) x;
410		RSb[x] = (unsigned char) i;
411		}
412
413		/*
414		* generate the forward and reverse tables
415		*/
416		for( i = 0; i < 256; i++ )
417		{
418		x = FSb[i];
419		y = XTIME( x ) & 0xFF;
420		z = ( y ^ x ) & 0xFF;
421
422		FT0[i] = ( (unsigned long) y ) ^
423		( (unsigned long) x << 8 ) ^
424		( (unsigned long) x << 16 ) ^
425		( (unsigned long) z << 24 );
426
427		FT1[i] = ROTL8( FT0[i] );
428		FT2[i] = ROTL8( FT1[i] );
429		FT3[i] = ROTL8( FT2[i] );
430
431		x = RSb[i];
432
433		RT0[i] = ( (unsigned long) MUL( 0x0E, x ) ) ^
434		( (unsigned long) MUL( 0x09, x ) << 8 ) ^
435		( (unsigned long) MUL( 0x0D, x ) << 16 ) ^
436		( (unsigned long) MUL( 0x0B, x ) << 24 );
437
438		RT1[i] = ROTL8( RT0[i] );
439		RT2[i] = ROTL8( RT1[i] );
440		RT3[i] = ROTL8( RT2[i] );
441		}
442		}
443
444		#endif
445
446		/*
447		* AES key schedule (encryption)
448		*/
449		void aes_setkey_enc( aes_context ctx, const unsigned char key, int keysize )
450	121k	{
451	121k	int i;
452	121k	unsigned long *RK;
453
454		#if !defined(XYSSL_AES_ROM_TABLES)
455		if( aes_init_done == 0 )
456		{
457		aes_gen_tables();
458		aes_init_done = 1;
459		}
460		#endif
461
462	121k	switch( keysize )
463	121k	{
464	117k	case 128: ctx->nr = 10; break;
465	0	case 192: ctx->nr = 12; break;
466	4.63k	case 256: ctx->nr = 14; break;
467	0	default : return;
468	121k	}
469
470		#if defined(PADLOCK_ALIGN16)
471		ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
472		#else
473	121k	ctx->rk = RK = ctx->buf;
474	121k	#endif
475
476	628k	for( i = 0; i < (keysize >> 5); i++ )
477	506k	{
478	506k	GET_ULONG_LE( RK[i], key, i << 2 );
479	506k	}
480
481	121k	switch( ctx->nr )
482	121k	{
483	117k	case 10:
484
485	1.29M	for( i = 0; i < 10; i++, RK += 4 )
486	1.17M	{
487	1.17M	RK[4] = RK[0] ^ RCON[i] ^
488	1.17M	( FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
489	1.17M	( FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
490	1.17M	( FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
491	1.17M	( ((unsigned int)FSb[ ( RK[3] ) & 0xFF ]) << 24 );
492
493	1.17M	RK[5] = RK[1] ^ RK[4];
494	1.17M	RK[6] = RK[2] ^ RK[5];
495	1.17M	RK[7] = RK[3] ^ RK[6];
496	1.17M	}
497	117k	break;
498
499	0	case 12:
500
501	0	for( i = 0; i < 8; i++, RK += 6 )
502	0	{
503	0	RK[6] = RK[0] ^ RCON[i] ^
504	0	( FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
505	0	( FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
506	0	( FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
507	0	( ((unsigned int)FSb[ ( RK[5] ) & 0xFF ]) << 24 );
508
509	0	RK[7] = RK[1] ^ RK[6];
510	0	RK[8] = RK[2] ^ RK[7];
511	0	RK[9] = RK[3] ^ RK[8];
512	0	RK[10] = RK[4] ^ RK[9];
513	0	RK[11] = RK[5] ^ RK[10];
514	0	}
515	0	break;
516
517	4.63k	case 14:
518
519	37.0k	for( i = 0; i < 7; i++, RK += 8 )
520	32.4k	{
521	32.4k	RK[8] = RK[0] ^ RCON[i] ^
522	32.4k	( FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
523	32.4k	( FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
524	32.4k	( FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
525	32.4k	( ((unsigned int)FSb[ ( RK[7] ) & 0xFF ]) << 24 );
526
527	32.4k	RK[9] = RK[1] ^ RK[8];
528	32.4k	RK[10] = RK[2] ^ RK[9];
529	32.4k	RK[11] = RK[3] ^ RK[10];
530
531	32.4k	RK[12] = RK[4] ^
532	32.4k	( FSb[ ( RK[11] ) & 0xFF ] ) ^
533	32.4k	( FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
534	32.4k	( FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
535	32.4k	( ((unsigned int)FSb[ ( RK[11] >> 24 ) & 0xFF ]) << 24 );
536
537	32.4k	RK[13] = RK[5] ^ RK[12];
538	32.4k	RK[14] = RK[6] ^ RK[13];
539	32.4k	RK[15] = RK[7] ^ RK[14];
540	32.4k	}
541	4.63k	break;
542
543	0	default:
544
545	0	break;
546	121k	}
547	121k	}
548
549		/*
550		* AES key schedule (decryption)
551		*/
552		void aes_setkey_dec( aes_context ctx, const unsigned char key, int keysize )
553	38.0k	{
554	38.0k	int i, j;
555	38.0k	aes_context cty;
556	38.0k	unsigned long *RK;
557	38.0k	unsigned long *SK;
558
559	38.0k	switch( keysize )
560	38.0k	{
561	33.4k	case 128: ctx->nr = 10; break;
562	0	case 192: ctx->nr = 12; break;
563	4.63k	case 256: ctx->nr = 14; break;
564	0	default : return;
565	38.0k	}
566
567		#if defined(PADLOCK_ALIGN16)
568		ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
569		#else
570	38.0k	ctx->rk = RK = ctx->buf;
571	38.0k	#endif
572
573	38.0k	aes_setkey_enc( &cty, key, keysize );
574	38.0k	SK = cty.rk + cty.nr * 4;
575
576	38.0k	RK++ = SK++;
577	38.0k	RK++ = SK++;
578	38.0k	RK++ = SK++;
579	38.0k	RK++ = SK++;
580
581	399k	for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
582	361k	{
583	1.80M	for( j = 0; j < 4; j++, SK++ )
584	1.44M	{
585	1.44M	RK++ = RT0[ FSb[ ( SK ) & 0xFF ] ] ^
586	1.44M	RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
587	1.44M	RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
588	1.44M	RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
589	1.44M	}
590	361k	}
591
592	38.0k	RK++ = SK++;
593	38.0k	RK++ = SK++;
594	38.0k	RK++ = SK++;
595	38.0k	RK++ = SK++;
596
597	38.0k	memset( &cty, 0, sizeof( aes_context ) );
598	38.0k	}
599
600	194M	#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
601	194M	{ \
602	194M	X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
603	194M	FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
604	194M	FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
605	194M	FT3[ ( Y3 >> 24 ) & 0xFF ]; \
606	194M	\
607	194M	X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
608	194M	FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
609	194M	FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
610	194M	FT3[ ( Y0 >> 24 ) & 0xFF ]; \
611	194M	\
612	194M	X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
613	194M	FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
614	194M	FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
615	194M	FT3[ ( Y1 >> 24 ) & 0xFF ]; \
616	194M	\
617	194M	X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
618	194M	FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
619	194M	FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
620	194M	FT3[ ( Y2 >> 24 ) & 0xFF ]; \
621	194M	}
622
623	37.7M	#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
624	37.7M	{ \
625	37.7M	X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
626	37.7M	RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
627	37.7M	RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
628	37.7M	RT3[ ( Y1 >> 24 ) & 0xFF ]; \
629	37.7M	\
630	37.7M	X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
631	37.7M	RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
632	37.7M	RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
633	37.7M	RT3[ ( Y2 >> 24 ) & 0xFF ]; \
634	37.7M	\
635	37.7M	X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
636	37.7M	RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
637	37.7M	RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
638	37.7M	RT3[ ( Y3 >> 24 ) & 0xFF ]; \
639	37.7M	\
640	37.7M	X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
641	37.7M	RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
642	37.7M	RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
643	37.7M	RT3[ ( Y0 >> 24 ) & 0xFF ]; \
644	37.7M	}
645
646		/*
647		* AES-ECB block encryption/decryption
648		*/
649		void aes_crypt_ecb( aes_context *ctx,
650		int mode,
651		const unsigned char input[16],
652		unsigned char output[16] )
653	25.8M	{
654	25.8M	int i;
655	25.8M	unsigned long *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
656
657		#if defined(XYSSL_PADLOCK_C) && defined(XYSSL_HAVE_X86)
658		if( padlock_supports( PADLOCK_ACE ) )
659		{
660		if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
661		return;
662		}
663		#endif
664
665	25.8M	if (ctx == NULL \|\| ctx->rk == NULL)
666	0	return;
667
668	25.8M	RK = ctx->rk;
669
670	25.8M	GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
671	25.8M	GET_ULONG_LE( X1, input, 4 ); X1 ^= *RK++;
672	25.8M	GET_ULONG_LE( X2, input, 8 ); X2 ^= *RK++;
673	25.8M	GET_ULONG_LE( X3, input, 12 ); X3 ^= *RK++;
674
675	25.8M	if( mode == AES_DECRYPT )
676	4.17M	{
677	20.9M	for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
678	16.8M	{
679	16.8M	AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
680	16.8M	AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
681	16.8M	}
682
683	4.17M	AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
684
685	4.17M	X0 = *RK++ ^ ( RSb[ ( Y0 ) & 0xFF ] ) ^
686	4.17M	( RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
687	4.17M	( RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
688	4.17M	( ((unsigned int)RSb[ ( Y1 >> 24 ) & 0xFF ]) << 24 );
689
690	4.17M	X1 = *RK++ ^ ( RSb[ ( Y1 ) & 0xFF ] ) ^
691	4.17M	( RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
692	4.17M	( RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
693	4.17M	( ((unsigned int)RSb[ ( Y2 >> 24 ) & 0xFF ]) << 24 );
694
695	4.17M	X2 = *RK++ ^ ( RSb[ ( Y2 ) & 0xFF ] ) ^
696	4.17M	( RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
697	4.17M	( RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
698	4.17M	( ((unsigned int)RSb[ ( Y3 >> 24 ) & 0xFF ]) << 24 );
699
700	4.17M	X3 = *RK++ ^ ( RSb[ ( Y3 ) & 0xFF ] ) ^
701	4.17M	( RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
702	4.17M	( RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
703	4.17M	( ((unsigned int)RSb[ ( Y0 >> 24 ) & 0xFF ]) << 24 );
704	4.17M	}
705	21.6M	else /* AES_ENCRYPT */
706	21.6M	{
707	108M	for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
708	86.5M	{
709	86.5M	AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
710	86.5M	AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
711	86.5M	}
712
713	21.6M	AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
714
715	21.6M	X0 = *RK++ ^ ( FSb[ ( Y0 ) & 0xFF ] ) ^
716	21.6M	( FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
717	21.6M	( FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
718	21.6M	( ((unsigned int)FSb[ ( Y3 >> 24 ) & 0xFF ]) << 24 );
719
720	21.6M	X1 = *RK++ ^ ( FSb[ ( Y1 ) & 0xFF ] ) ^
721	21.6M	( FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
722	21.6M	( FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
723	21.6M	( ((unsigned int)FSb[ ( Y0 >> 24 ) & 0xFF ]) << 24 );
724
725	21.6M	X2 = *RK++ ^ ( FSb[ ( Y2 ) & 0xFF ] ) ^
726	21.6M	( FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
727	21.6M	( FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
728	21.6M	( ((unsigned int)FSb[ ( Y1 >> 24 ) & 0xFF ]) << 24 );
729
730	21.6M	X3 = *RK++ ^ ( FSb[ ( Y3 ) & 0xFF ] ) ^
731	21.6M	( FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
732	21.6M	( FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
733	21.6M	( ((unsigned int)FSb[ ( Y2 >> 24 ) & 0xFF ]) << 24 );
734	21.6M	}
735
736	25.8M	PUT_ULONG_LE( X0, output, 0 );
737	25.8M	PUT_ULONG_LE( X1, output, 4 );
738	25.8M	PUT_ULONG_LE( X2, output, 8 );
739	25.8M	PUT_ULONG_LE( X3, output, 12 );
740	25.8M	}
741
742		/*
743		* AES-CBC buffer encryption/decryption
744		*/
745		void aes_crypt_cbc( aes_context *ctx,
746		int mode,
747		int length,
748		unsigned char iv[16],
749		const unsigned char *input,
750		unsigned char *output )
751	4.26M	{
752	4.26M	int i;
753	4.26M	unsigned char temp[16];
754
755		#if defined(XYSSL_PADLOCK_C) && defined(XYSSL_HAVE_X86)
756		if( padlock_supports( PADLOCK_ACE ) )
757		{
758		if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
759		return;
760		}
761		#endif
762
763	4.26M	if( mode == AES_DECRYPT )
764	4.17M	{
765	8.35M	while( length > 0 )
766	4.17M	{
767	4.17M	memcpy( temp, input, 16 );
768	4.17M	aes_crypt_ecb( ctx, mode, input, output );
769
770	71.0M	for( i = 0; i < 16; i++ )
771	66.8M	output[i] = (unsigned char)( output[i] ^ iv[i] );
772
773	4.17M	memcpy( iv, temp, 16 );
774
775	4.17M	input += 16;
776	4.17M	output += 16;
777	4.17M	length -= 16;
778	4.17M	}
779	4.17M	}
780	83.8k	else
781	83.8k	{
782	21.7M	while( length > 0 )
783	21.6M	{
784	367M	for( i = 0; i < 16; i++ )
785	346M	output[i] = (unsigned char)( input[i] ^ iv[i] );
786
787	21.6M	aes_crypt_ecb( ctx, mode, output, output );
788	21.6M	memcpy( iv, output, 16 );
789
790	21.6M	input += 16;
791	21.6M	output += 16;
792	21.6M	length -= 16;
793	21.6M	}
794	83.8k	}
795	4.26M	}
796
797		/*
798		* AES-CFB buffer encryption/decryption
799		*/
800		void aes_crypt_cfb( aes_context *ctx,
801		int mode,
802		int length,
803		int *iv_off,
804		unsigned char iv[16],
805		const unsigned char *input,
806		unsigned char *output )
807	0	{
808	0	int c, n = *iv_off;
809
810	0	if( mode == AES_DECRYPT )
811	0	{
812	0	while( length-- )
813	0	{
814	0	if( n == 0 )
815	0	aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
816
817	0	c = *input++;
818	0	*output++ = (unsigned char)( c ^ iv[n] );
819	0	iv[n] = (unsigned char) c;
820
821	0	n = (n + 1) & 0x0F;
822	0	}
823	0	}
824	0	else
825	0	{
826	0	while( length-- )
827	0	{
828	0	if( n == 0 )
829	0	aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
830
831	0	iv[n] = output++ = (unsigned char)( iv[n] ^ input++ );
832
833	0	n = (n + 1) & 0x0F;
834	0	}
835	0	}
836
837	0	*iv_off = n;
838	0	}
839
840		#if defined(XYSSL_SELF_TEST)
841
842		#include <stdio.h>
843
844		/*
845		* AES test vectors from:
846		*
847		* http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
848		*/
849		static const unsigned char aes_test_ecb_dec[3][16] =
850		{
851		{ 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
852		0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
853		{ 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
854		0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
855		{ 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
856		0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
857		};
858
859		static const unsigned char aes_test_ecb_enc[3][16] =
860		{
861		{ 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
862		0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
863		{ 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
864		0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
865		{ 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
866		0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
867		};
868
869		static const unsigned char aes_test_cbc_dec[3][16] =
870		{
871		{ 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
872		0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
873		{ 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
874		0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
875		{ 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
876		0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
877		};
878
879		static const unsigned char aes_test_cbc_enc[3][16] =
880		{
881		{ 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
882		0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
883		{ 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
884		0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
885		{ 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
886		0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
887		};
888
889		/*
890		* AES-CFB test vectors (generated on 2008-02-12)
891		*/
892		static const unsigned char aes_test_cfb_dec[3][16] =
893		{
894		{ 0xBA, 0x75, 0x0C, 0xC9, 0x77, 0xF8, 0xD4, 0xE1,
895		0x3E, 0x0F, 0xB5, 0x46, 0x2E, 0xA6, 0x33, 0xF6 },
896		{ 0xDB, 0x40, 0x4A, 0x98, 0x7B, 0xAA, 0xA3, 0xF3,
897		0x92, 0x35, 0xAD, 0x58, 0x09, 0x9B, 0xFF, 0x6E },
898		{ 0xA8, 0x17, 0x41, 0x0E, 0x76, 0x71, 0x60, 0xE5,
899		0xFD, 0x37, 0xC5, 0x43, 0xCC, 0xC8, 0xD6, 0xDA }
900		};
901
902		static const unsigned char aes_test_cfb_enc[3][16] =
903		{
904		{ 0x45, 0x62, 0xC5, 0xA1, 0xF9, 0x10, 0x8F, 0xE0,
905		0x87, 0x24, 0x25, 0x68, 0xB5, 0x12, 0xF3, 0x8B },
906		{ 0xB8, 0xD4, 0xD5, 0x09, 0xF5, 0xEE, 0x08, 0x38,
907		0x48, 0x9B, 0x9D, 0xAD, 0x11, 0xB4, 0x2E, 0xD2 },
908		{ 0xE9, 0x10, 0x80, 0xDA, 0xEE, 0x2D, 0x81, 0xD9,
909		0x41, 0x78, 0x91, 0xD5, 0x98, 0x78, 0xE1, 0xFA }
910		};
911
912		/*
913		* Checkup routine
914		*/
915		int aes_self_test( int verbose )
916		{
917		int i, j, u, v, offset;
918		unsigned char key[32];
919		unsigned char buf[16];
920		unsigned char prv[16];
921		unsigned char iv[16];
922		aes_context ctx;
923
924		memset( key, 0, 32 );
925
926		/*
927		* ECB mode
928		*/
929		for( i = 0; i < 6; i++ )
930		{
931		u = i >> 1;
932		v = i & 1;
933
934		if( verbose != 0 )
935		printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
936		( v == AES_DECRYPT ) ? "dec" : "enc" );
937
938		memset( buf, 0, 16 );
939
940		if( v == AES_DECRYPT )
941		{
942		aes_setkey_dec( &ctx, key, 128 + u * 64 );
943
944		for( j = 0; j < 10000; j++ )
945		aes_crypt_ecb( &ctx, v, buf, buf );
946
947		if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
948		{
949		if( verbose != 0 )
950		printf( "failed\n" );
951
952		return( 1 );
953		}
954		}
955		else
956		{
957		aes_setkey_enc( &ctx, key, 128 + u * 64 );
958
959		for( j = 0; j < 10000; j++ )
960		aes_crypt_ecb( &ctx, v, buf, buf );
961
962		if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
963		{
964		if( verbose != 0 )
965		printf( "failed\n" );
966
967		return( 1 );
968		}
969		}
970
971		if( verbose != 0 )
972		printf( "passed\n" );
973		}
974
975		if( verbose != 0 )
976		printf( "\n" );
977
978		/*
979		* CBC mode
980		*/
981		for( i = 0; i < 6; i++ )
982		{
983		u = i >> 1;
984		v = i & 1;
985
986		if( verbose != 0 )
987		printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
988		( v == AES_DECRYPT ) ? "dec" : "enc" );
989
990		memset( iv , 0, 16 );
991		memset( prv, 0, 16 );
992		memset( buf, 0, 16 );
993
994		if( v == AES_DECRYPT )
995		{
996		aes_setkey_dec( &ctx, key, 128 + u * 64 );
997
998		for( j = 0; j < 10000; j++ )
999		aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1000
1001		if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1002		{
1003		if( verbose != 0 )
1004		printf( "failed\n" );
1005
1006		return( 1 );
1007		}
1008		}
1009		else
1010		{
1011		aes_setkey_enc( &ctx, key, 128 + u * 64 );
1012
1013		for( j = 0; j < 10000; j++ )
1014		{
1015		unsigned char tmp[16];
1016
1017		aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1018
1019		memcpy( tmp, prv, 16 );
1020		memcpy( prv, buf, 16 );
1021		memcpy( buf, tmp, 16 );
1022		}
1023
1024		if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1025		{
1026		if( verbose != 0 )
1027		printf( "failed\n" );
1028
1029		return( 1 );
1030		}
1031		}
1032
1033		if( verbose != 0 )
1034		printf( "passed\n" );
1035		}
1036
1037		if( verbose != 0 )
1038		printf( "\n" );
1039
1040		/*
1041		* CFB mode
1042		*/
1043		for( i = 0; i < 6; i++ )
1044		{
1045		u = i >> 1;
1046		v = i & 1;
1047
1048		if( verbose != 0 )
1049		printf( " AES-CFB-%3d (%s): ", 128 + u * 64,
1050		( v == AES_DECRYPT ) ? "dec" : "enc" );
1051
1052		memset( iv , 0, 16 );
1053		memset( buf, 0, 16 );
1054		offset = 0;
1055
1056		if( v == AES_DECRYPT )
1057		{
1058		aes_setkey_dec( &ctx, key, 128 + u * 64 );
1059
1060		for( j = 0; j < 10000; j++ )
1061		aes_crypt_cfb( &ctx, v, 16, &offset, iv, buf, buf );
1062
1063		if( memcmp( buf, aes_test_cfb_dec[u], 16 ) != 0 )
1064		{
1065		if( verbose != 0 )
1066		printf( "failed\n" );
1067
1068		return( 1 );
1069		}
1070		}
1071		else
1072		{
1073		aes_setkey_enc( &ctx, key, 128 + u * 64 );
1074
1075		for( j = 0; j < 10000; j++ )
1076		aes_crypt_cfb( &ctx, v, 16, &offset, iv, buf, buf );
1077
1078		if( memcmp( buf, aes_test_cfb_enc[u], 16 ) != 0 )
1079		{
1080		if( verbose != 0 )
1081		printf( "failed\n" );
1082
1083		return( 1 );
1084		}
1085		}
1086
1087		if( verbose != 0 )
1088		printf( "passed\n" );
1089		}
1090
1091		if( verbose != 0 )
1092		printf( "\n" );
1093
1094		return( 0 );
1095		}
1096
1097		int main(int argc, char *argv[])
1098		{
1099		return aes_self_test(1);
1100		}
1101
1102		#endif /* defined(XYSSL_SELF_TEST) */

Coverage Report

Created: 2026-04-01 07:17