search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
new polarssl
[syren.git] / src / libpolarssl / aes.c
blobc2647372efc024055ae769ff18875d02cac664d9
1 /*
2 * FIPS-197 compliant AES implementation
3 *
4 * Copyright (C) 2006-2014, Brainspark B.V.
5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8 *
9 * All rights reserved.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25 /*
26 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27 *
28 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30 */
31
32 #if !defined(POLARSSL_CONFIG_FILE)
33 #include "config.h"
34 #else
35 #include POLARSSL_CONFIG_FILE
36 #endif
37
38 #if defined(POLARSSL_AES_C)
39
40 #include "aes.h"
41 #if defined(POLARSSL_PADLOCK_C)
42 #include "padlock.h"
43 #endif
44 #if defined(POLARSSL_AESNI_C)
45 #include "aesni.h"
46 #endif
47
48 #if defined(POLARSSL_PLATFORM_C)
49 #include "platform.h"
50 #else
51 #define polarssl_printf printf
52 #endif
53
54 #if !defined(POLARSSL_AES_ALT)
55
56 /*
57 * 32-bit integer manipulation macros (little endian)
58 */
59 #ifndef GET_UINT32_LE
60 #define GET_UINT32_LE(n,b,i) \
61 { \
62 (n) = ( (uint32_t) (b)[(i) ] ) \
63 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
64 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
65 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
66 }
67 #endif
68
69 #ifndef PUT_UINT32_LE
70 #define PUT_UINT32_LE(n,b,i) \
71 { \
72 (b)[(i) ] = (unsigned char) ( (n) ); \
73 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
74 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
75 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
76 }
77 #endif
78
79 #if defined(POLARSSL_PADLOCK_C) && \
80 ( defined(POLARSSL_HAVE_X86) || defined(PADLOCK_ALIGN16) )
81 static int aes_padlock_ace = -1;
82 #endif
83
84 #if defined(POLARSSL_AES_ROM_TABLES)
85 /*
86 * Forward S-box
87 */
88 static const unsigned char FSb[256] =
89 {
90 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
91 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
92 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
93 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
94 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
95 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
96 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
97 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
98 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
99 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
100 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
101 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
102 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
103 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
104 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
105 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
106 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
107 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
108 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
109 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
110 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
111 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
112 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
113 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
114 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
115 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
116 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
117 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
118 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
119 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
120 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
121 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
122 };
123
124 /*
125 * Forward tables
126 */
127 #define FT \
128 \
129 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
130 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
131 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
132 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
133 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
134 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
135 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
136 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
137 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
138 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
139 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
140 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
141 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
142 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
143 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
144 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
145 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
146 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
147 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
148 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
149 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
150 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
151 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
152 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
153 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
154 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
155 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
156 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
157 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
158 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
159 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
160 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
161 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
162 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
163 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
164 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
165 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
166 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
167 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
168 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
169 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
170 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
171 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
172 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
173 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
174 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
175 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
176 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
177 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
178 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
179 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
180 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
181 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
182 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
183 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
184 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
185 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
186 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
187 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
188 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
189 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
190 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
191 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
192 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
193
194 #define V(a,b,c,d) 0x##a##b##c##d
195 static const uint32_t FT0[256] = { FT };
196 #undef V
197
198 #define V(a,b,c,d) 0x##b##c##d##a
199 static const uint32_t FT1[256] = { FT };
200 #undef V
201
202 #define V(a,b,c,d) 0x##c##d##a##b
203 static const uint32_t FT2[256] = { FT };
204 #undef V
205
206 #define V(a,b,c,d) 0x##d##a##b##c
207 static const uint32_t FT3[256] = { FT };
208 #undef V
209
210 #undef FT
211
212 /*
213 * Reverse S-box
214 */
215 static const unsigned char RSb[256] =
216 {
217 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
218 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
219 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
220 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
221 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
222 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
223 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
224 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
225 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
226 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
227 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
228 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
229 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
230 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
231 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
232 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
233 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
234 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
235 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
236 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
237 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
238 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
239 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
240 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
241 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
242 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
243 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
244 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
245 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
246 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
247 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
248 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
249 };
250
251 /*
252 * Reverse tables
253 */
254 #define RT \
255 \
256 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
257 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
258 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
259 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
260 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
261 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
262 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
263 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
264 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
265 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
266 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
267 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
268 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
269 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
270 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
271 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
272 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
273 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
274 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
275 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
276 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
277 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
278 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
279 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
280 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
281 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
282 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
283 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
284 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
285 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
286 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
287 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
288 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
289 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
290 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
291 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
292 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
293 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
294 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
295 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
296 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
297 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
298 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
299 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
300 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
301 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
302 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
303 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
304 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
305 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
306 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
307 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
308 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
309 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
310 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
311 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
312 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
313 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
314 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
315 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
316 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
317 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
318 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
319 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
320
321 #define V(a,b,c,d) 0x##a##b##c##d
322 static const uint32_t RT0[256] = { RT };
323 #undef V
324
325 #define V(a,b,c,d) 0x##b##c##d##a
326 static const uint32_t RT1[256] = { RT };
327 #undef V
328
329 #define V(a,b,c,d) 0x##c##d##a##b
330 static const uint32_t RT2[256] = { RT };
331 #undef V
332
333 #define V(a,b,c,d) 0x##d##a##b##c
334 static const uint32_t RT3[256] = { RT };
335 #undef V
336
337 #undef RT
338
339 /*
340 * Round constants
341 */
342 static const uint32_t RCON[10] =
343 {
344 0x00000001, 0x00000002, 0x00000004, 0x00000008,
345 0x00000010, 0x00000020, 0x00000040, 0x00000080,
346 0x0000001B, 0x00000036
347 };
348
349 #else /* POLARSSL_AES_ROM_TABLES */
350
351 /*
352 * Forward S-box & tables
353 */
354 static unsigned char FSb[256];
355 static uint32_t FT0[256];
356 static uint32_t FT1[256];
357 static uint32_t FT2[256];
358 static uint32_t FT3[256];
359
360 /*
361 * Reverse S-box & tables
362 */
363 static unsigned char RSb[256];
364 static uint32_t RT0[256];
365 static uint32_t RT1[256];
366 static uint32_t RT2[256];
367 static uint32_t RT3[256];
368
369 /*
370 * Round constants
371 */
372 static uint32_t RCON[10];
373
374 /*
375 * Tables generation code
376 */
377 #define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
378 #define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
379 #define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
380
381 static int aes_init_done = 0;
382
383 static void aes_gen_tables( void )
384 {
385 int i, x, y, z;
386 int pow[256];
387 int log[256];
388
389 /*
390 * compute pow and log tables over GF(2^8)
391 */
392 for( i = 0, x = 1; i < 256; i++ )
393 {
394 pow[i] = x;
395 log[x] = i;
396 x = ( x ^ XTIME( x ) ) & 0xFF;
397 }
398
399 /*
400 * calculate the round constants
401 */
402 for( i = 0, x = 1; i < 10; i++ )
403 {
404 RCON[i] = (uint32_t) x;
405 x = XTIME( x ) & 0xFF;
406 }
407
408 /*
409 * generate the forward and reverse S-boxes
410 */
411 FSb[0x00] = 0x63;
412 RSb[0x63] = 0x00;
413
414 for( i = 1; i < 256; i++ )
415 {
416 x = pow[255 - log[i]];
417
418 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
419 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
420 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
421 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
422 x ^= y ^ 0x63;
423
424 FSb[i] = (unsigned char) x;
425 RSb[x] = (unsigned char) i;
426 }
427
428 /*
429 * generate the forward and reverse tables
430 */
431 for( i = 0; i < 256; i++ )
432 {
433 x = FSb[i];
434 y = XTIME( x ) & 0xFF;
435 z = ( y ^ x ) & 0xFF;
436
437 FT0[i] = ( (uint32_t) y ) ^
438 ( (uint32_t) x << 8 ) ^
439 ( (uint32_t) x << 16 ) ^
440 ( (uint32_t) z << 24 );
441
442 FT1[i] = ROTL8( FT0[i] );
443 FT2[i] = ROTL8( FT1[i] );
444 FT3[i] = ROTL8( FT2[i] );
445
446 x = RSb[i];
447
448 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
449 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
450 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
451 ( (uint32_t) MUL( 0x0B, x ) << 24 );
452
453 RT1[i] = ROTL8( RT0[i] );
454 RT2[i] = ROTL8( RT1[i] );
455 RT3[i] = ROTL8( RT2[i] );
456 }
457 }
458
459 #endif /* POLARSSL_AES_ROM_TABLES */
460
461 /*
462 * AES key schedule (encryption)
463 */
464 int aes_setkey_enc( aes_context *ctx, const unsigned char *key,
465 unsigned int keysize )
466 {
467 unsigned int i;
468 uint32_t *RK;
469
470 #if !defined(POLARSSL_AES_ROM_TABLES)
471 if( aes_init_done == 0 )
472 {
473 aes_gen_tables();
474 aes_init_done = 1;
475
476 }
477 #endif
478
479 switch( keysize )
480 {
481 case 128: ctx->nr = 10; break;
482 case 192: ctx->nr = 12; break;
483 case 256: ctx->nr = 14; break;
484 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
485 }
486
487 #if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
488 if( aes_padlock_ace == -1 )
489 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
490
491 if( aes_padlock_ace )
492 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
493 else
494 #endif
495 ctx->rk = RK = ctx->buf;
496
497 #if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
498 if( aesni_supports( POLARSSL_AESNI_AES ) )
499 return( aesni_setkey_enc( (unsigned char *) ctx->rk, key, keysize ) );
500 #endif
501
502 for( i = 0; i < (keysize >> 5); i++ )
503 {
504 GET_UINT32_LE( RK[i], key, i << 2 );
505 }
506
507 switch( ctx->nr )
508 {
509 case 10:
510
511 for( i = 0; i < 10; i++, RK += 4 )
512 {
513 RK[4] = RK[0] ^ RCON[i] ^
514 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
515 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
516 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
517 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
518
519 RK[5] = RK[1] ^ RK[4];
520 RK[6] = RK[2] ^ RK[5];
521 RK[7] = RK[3] ^ RK[6];
522 }
523 break;
524
525 case 12:
526
527 for( i = 0; i < 8; i++, RK += 6 )
528 {
529 RK[6] = RK[0] ^ RCON[i] ^
530 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
531 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
532 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
533 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
534
535 RK[7] = RK[1] ^ RK[6];
536 RK[8] = RK[2] ^ RK[7];
537 RK[9] = RK[3] ^ RK[8];
538 RK[10] = RK[4] ^ RK[9];
539 RK[11] = RK[5] ^ RK[10];
540 }
541 break;
542
543 case 14:
544
545 for( i = 0; i < 7; i++, RK += 8 )
546 {
547 RK[8] = RK[0] ^ RCON[i] ^
548 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
549 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
550 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
551 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
552
553 RK[9] = RK[1] ^ RK[8];
554 RK[10] = RK[2] ^ RK[9];
555 RK[11] = RK[3] ^ RK[10];
556
557 RK[12] = RK[4] ^
558 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
559 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
560 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
561 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
562
563 RK[13] = RK[5] ^ RK[12];
564 RK[14] = RK[6] ^ RK[13];
565 RK[15] = RK[7] ^ RK[14];
566 }
567 break;
568
569 default:
570
571 break;
572 }
573
574 return( 0 );
575 }
576
577 /*
578 * AES key schedule (decryption)
579 */
580 int aes_setkey_dec( aes_context *ctx, const unsigned char *key,
581 unsigned int keysize )
582 {
583 int i, j;
584 aes_context cty;
585 uint32_t *RK;
586 uint32_t *SK;
587 int ret;
588
589 switch( keysize )
590 {
591 case 128: ctx->nr = 10; break;
592 case 192: ctx->nr = 12; break;
593 case 256: ctx->nr = 14; break;
594 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
595 }
596
597 #if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
598 if( aes_padlock_ace == -1 )
599 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
600
601 if( aes_padlock_ace )
602 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
603 else
604 #endif
605 ctx->rk = RK = ctx->buf;
606
607 ret = aes_setkey_enc( &cty, key, keysize );
608 if( ret != 0 )
609 return( ret );
610
611 #if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
612 if( aesni_supports( POLARSSL_AESNI_AES ) )
613 {
614 aesni_inverse_key( (unsigned char *) ctx->rk,
615 (const unsigned char *) cty.rk, ctx->nr );
616 goto done;
617 }
618 #endif
619
620 SK = cty.rk + cty.nr * 4;
621
622 *RK++ = *SK++;
623 *RK++ = *SK++;
624 *RK++ = *SK++;
625 *RK++ = *SK++;
626
627 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
628 {
629 for( j = 0; j < 4; j++, SK++ )
630 {
631 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
632 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
633 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
634 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
635 }
636 }
637
638 *RK++ = *SK++;
639 *RK++ = *SK++;
640 *RK++ = *SK++;
641 *RK++ = *SK++;
642
643 #if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
644 done:
645 #endif
646 memset( &cty, 0, sizeof( aes_context ) );
647
648 return( 0 );
649 }
650
651 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
652 { \
653 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
654 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
655 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
656 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
657 \
658 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
659 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
660 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
661 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
662 \
663 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
664 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
665 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
666 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
667 \
668 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
669 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
670 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
671 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
672 }
673
674 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
675 { \
676 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
677 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
678 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
679 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
680 \
681 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
682 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
683 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
684 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
685 \
686 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
687 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
688 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
689 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
690 \
691 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
692 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
693 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
694 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
695 }
696
697 /*
698 * AES-ECB block encryption/decryption
699 */
700 int aes_crypt_ecb( aes_context *ctx,
701 int mode,
702 const unsigned char input[16],
703 unsigned char output[16] )
704 {
705 int i;
706 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
707
708 #if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
709 if( aesni_supports( POLARSSL_AESNI_AES ) )
710 return( aesni_crypt_ecb( ctx, mode, input, output ) );
711 #endif
712
713 #if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
714 if( aes_padlock_ace )
715 {
716 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
717 return( 0 );
718
719 // If padlock data misaligned, we just fall back to
720 // unaccelerated mode
721 //
722 }
723 #endif
724
725 RK = ctx->rk;
726
727 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
728 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
729 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
730 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
731
732 if( mode == AES_DECRYPT )
733 {
734 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
735 {
736 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
737 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
738 }
739
740 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
741
742 X0 = *RK++ ^ \
743 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
744 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
745 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
746 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
747
748 X1 = *RK++ ^ \
749 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
750 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
751 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
752 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
753
754 X2 = *RK++ ^ \
755 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
756 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
757 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
758 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
759
760 X3 = *RK++ ^ \
761 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
762 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
763 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
764 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
765 }
766 else /* AES_ENCRYPT */
767 {
768 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
769 {
770 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
771 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
772 }
773
774 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
775
776 X0 = *RK++ ^ \
777 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
778 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
779 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
780 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
781
782 X1 = *RK++ ^ \
783 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
784 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
785 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
786 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
787
788 X2 = *RK++ ^ \
789 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
790 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
791 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
792 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
793
794 X3 = *RK++ ^ \
795 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
796 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
797 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
798 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
799 }
800
801 PUT_UINT32_LE( X0, output, 0 );
802 PUT_UINT32_LE( X1, output, 4 );
803 PUT_UINT32_LE( X2, output, 8 );
804 PUT_UINT32_LE( X3, output, 12 );
805
806 return( 0 );
807 }
808
809 #if defined(POLARSSL_CIPHER_MODE_CBC)
810 /*
811 * AES-CBC buffer encryption/decryption
812 */
813 int aes_crypt_cbc( aes_context *ctx,
814 int mode,
815 size_t length,
816 unsigned char iv[16],
817 const unsigned char *input,
818 unsigned char *output )
819 {
820 int i;
821 unsigned char temp[16];
822
823 if( length % 16 )
824 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
825
826 #if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
827 if( aes_padlock_ace )
828 {
829 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
830 return( 0 );
831
832 // If padlock data misaligned, we just fall back to
833 // unaccelerated mode
834 //
835 }
836 #endif
837
838 if( mode == AES_DECRYPT )
839 {
840 while( length > 0 )
841 {
842 memcpy( temp, input, 16 );
843 aes_crypt_ecb( ctx, mode, input, output );
844
845 for( i = 0; i < 16; i++ )
846 output[i] = (unsigned char)( output[i] ^ iv[i] );
847
848 memcpy( iv, temp, 16 );
849
850 input += 16;
851 output += 16;
852 length -= 16;
853 }
854 }
855 else
856 {
857 while( length > 0 )
858 {
859 for( i = 0; i < 16; i++ )
860 output[i] = (unsigned char)( input[i] ^ iv[i] );
861
862 aes_crypt_ecb( ctx, mode, output, output );
863 memcpy( iv, output, 16 );
864
865 input += 16;
866 output += 16;
867 length -= 16;
868 }
869 }
870
871 return( 0 );
872 }
873 #endif /* POLARSSL_CIPHER_MODE_CBC */
874
875 #if defined(POLARSSL_CIPHER_MODE_CFB)
876 /*
877 * AES-CFB128 buffer encryption/decryption
878 */
879 int aes_crypt_cfb128( aes_context *ctx,
880 int mode,
881 size_t length,
882 size_t *iv_off,
883 unsigned char iv[16],
884 const unsigned char *input,
885 unsigned char *output )
886 {
887 int c;
888 size_t n = *iv_off;
889
890 if( mode == AES_DECRYPT )
891 {
892 while( length-- )
893 {
894 if( n == 0 )
895 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
896
897 c = *input++;
898 *output++ = (unsigned char)( c ^ iv[n] );
899 iv[n] = (unsigned char) c;
900
901 n = (n + 1) & 0x0F;
902 }
903 }
904 else
905 {
906 while( length-- )
907 {
908 if( n == 0 )
909 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
910
911 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
912
913 n = (n + 1) & 0x0F;
914 }
915 }
916
917 *iv_off = n;
918
919 return( 0 );
920 }
921
922 /*
923 * AES-CFB8 buffer encryption/decryption
924 */
925 #include <stdio.h>
926 int aes_crypt_cfb8( aes_context *ctx,
927 int mode,
928 size_t length,
929 unsigned char iv[16],
930 const unsigned char *input,
931 unsigned char *output )
932 {
933 unsigned char c;
934 unsigned char ov[17];
935
936 while( length-- )
937 {
938 memcpy(ov, iv, 16);
939 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
940
941 if( mode == AES_DECRYPT )
942 ov[16] = *input;
943
944 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
945
946 if( mode == AES_ENCRYPT )
947 ov[16] = c;
948
949 memcpy(iv, ov + 1, 16);
950 }
951
952 return( 0 );
953 }
954 #endif /*POLARSSL_CIPHER_MODE_CFB */
955
956 #if defined(POLARSSL_CIPHER_MODE_CTR)
957 /*
958 * AES-CTR buffer encryption/decryption
959 */
960 int aes_crypt_ctr( aes_context *ctx,
961 size_t length,
962 size_t *nc_off,
963 unsigned char nonce_counter[16],
964 unsigned char stream_block[16],
965 const unsigned char *input,
966 unsigned char *output )
967 {
968 int c, i;
969 size_t n = *nc_off;
970
971 while( length-- )
972 {
973 if( n == 0 ) {
974 aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
975
976 for( i = 16; i > 0; i-- )
977 if( ++nonce_counter[i - 1] != 0 )
978 break;
979 }
980 c = *input++;
981 *output++ = (unsigned char)( c ^ stream_block[n] );
982
983 n = (n + 1) & 0x0F;
984 }
985
986 *nc_off = n;
987
988 return( 0 );
989 }
990 #endif /* POLARSSL_CIPHER_MODE_CTR */
991
992 #endif /* !POLARSSL_AES_ALT */
993
994 #if defined(POLARSSL_SELF_TEST)
995
996 #include <stdio.h>
997
998 /*
999 * AES test vectors from:
1000 *
1001 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1002 */
1003 static const unsigned char aes_test_ecb_dec[3][16] =
1004 {
1005 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1006 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1007 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1008 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1009 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1010 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1011 };
1012
1013 static const unsigned char aes_test_ecb_enc[3][16] =
1014 {
1015 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1016 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1017 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1018 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1019 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1020 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1021 };
1022
1023 #if defined(POLARSSL_CIPHER_MODE_CBC)
1024 static const unsigned char aes_test_cbc_dec[3][16] =
1025 {
1026 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1027 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1028 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1029 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1030 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1031 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1032 };
1033
1034 static const unsigned char aes_test_cbc_enc[3][16] =
1035 {
1036 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1037 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1038 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1039 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1040 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1041 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1042 };
1043 #endif /* POLARSSL_CIPHER_MODE_CBC */
1044
1045 #if defined(POLARSSL_CIPHER_MODE_CFB)
1046 /*
1047 * AES-CFB128 test vectors from:
1048 *
1049 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1050 */
1051 static const unsigned char aes_test_cfb128_key[3][32] =
1052 {
1053 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1054 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1055 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1056 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1057 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1058 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1059 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1060 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1061 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1062 };
1063
1064 static const unsigned char aes_test_cfb128_iv[16] =
1065 {
1066 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1067 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1068 };
1069
1070 static const unsigned char aes_test_cfb128_pt[64] =
1071 {
1072 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1073 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1074 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1075 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1076 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1077 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1078 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1079 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1080 };
1081
1082 static const unsigned char aes_test_cfb128_ct[3][64] =
1083 {
1084 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1085 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1086 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1087 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1088 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1089 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1090 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1091 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1092 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1093 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1094 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1095 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1096 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1097 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1098 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1099 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1100 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1101 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1102 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1103 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1104 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1105 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1106 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1107 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1108 };
1109 #endif /* POLARSSL_CIPHER_MODE_CFB */
1110
1111 #if defined(POLARSSL_CIPHER_MODE_CTR)
1112 /*
1113 * AES-CTR test vectors from:
1114 *
1115 * http://www.faqs.org/rfcs/rfc3686.html
1116 */
1117
1118 static const unsigned char aes_test_ctr_key[3][16] =
1119 {
1120 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1121 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1122 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1123 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1124 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1125 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1126 };
1127
1128 static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1129 {
1130 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1131 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1132 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1133 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1134 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1135 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1136 };
1137
1138 static const unsigned char aes_test_ctr_pt[3][48] =
1139 {
1140 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1141 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1142
1143 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1144 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1145 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1146 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1147
1148 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1149 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1150 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1151 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1152 0x20, 0x21, 0x22, 0x23 }
1153 };
1154
1155 static const unsigned char aes_test_ctr_ct[3][48] =
1156 {
1157 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1158 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1159 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1160 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1161 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1162 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1163 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1164 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1165 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1166 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1167 0x25, 0xB2, 0x07, 0x2F }
1168 };
1169
1170 static const int aes_test_ctr_len[3] =
1171 { 16, 32, 36 };
1172 #endif /* POLARSSL_CIPHER_MODE_CTR */
1173
1174 /*
1175 * Checkup routine
1176 */
1177 int aes_self_test( int verbose )
1178 {
1179 int i, j, u, v;
1180 unsigned char key[32];
1181 unsigned char buf[64];
1182 unsigned char iv[16];
1183 #if defined(POLARSSL_CIPHER_MODE_CBC)
1184 unsigned char prv[16];
1185 #endif
1186 #if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
1187 size_t offset;
1188 #endif
1189 #if defined(POLARSSL_CIPHER_MODE_CTR)
1190 int len;
1191 unsigned char nonce_counter[16];
1192 unsigned char stream_block[16];
1193 #endif
1194 aes_context ctx;
1195
1196 memset( key, 0, 32 );
1197
1198 /*
1199 * ECB mode
1200 */
1201 for( i = 0; i < 6; i++ )
1202 {
1203 u = i >> 1;
1204 v = i & 1;
1205
1206 if( verbose != 0 )
1207 polarssl_printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1208 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1209
1210 memset( buf, 0, 16 );
1211
1212 if( v == AES_DECRYPT )
1213 {
1214 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1215
1216 for( j = 0; j < 10000; j++ )
1217 aes_crypt_ecb( &ctx, v, buf, buf );
1218
1219 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1220 {
1221 if( verbose != 0 )
1222 polarssl_printf( "failed\n" );
1223
1224 return( 1 );
1225 }
1226 }
1227 else
1228 {
1229 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1230
1231 for( j = 0; j < 10000; j++ )
1232 aes_crypt_ecb( &ctx, v, buf, buf );
1233
1234 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1235 {
1236 if( verbose != 0 )
1237 polarssl_printf( "failed\n" );
1238
1239 return( 1 );
1240 }
1241 }
1242
1243 if( verbose != 0 )
1244 polarssl_printf( "passed\n" );
1245 }
1246
1247 if( verbose != 0 )
1248 polarssl_printf( "\n" );
1249
1250 #if defined(POLARSSL_CIPHER_MODE_CBC)
1251 /*
1252 * CBC mode
1253 */
1254 for( i = 0; i < 6; i++ )
1255 {
1256 u = i >> 1;
1257 v = i & 1;
1258
1259 if( verbose != 0 )
1260 polarssl_printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1261 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1262
1263 memset( iv , 0, 16 );
1264 memset( prv, 0, 16 );
1265 memset( buf, 0, 16 );
1266
1267 if( v == AES_DECRYPT )
1268 {
1269 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1270
1271 for( j = 0; j < 10000; j++ )
1272 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1273
1274 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1275 {
1276 if( verbose != 0 )
1277 polarssl_printf( "failed\n" );
1278
1279 return( 1 );
1280 }
1281 }
1282 else
1283 {
1284 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1285
1286 for( j = 0; j < 10000; j++ )
1287 {
1288 unsigned char tmp[16];
1289
1290 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1291
1292 memcpy( tmp, prv, 16 );
1293 memcpy( prv, buf, 16 );
1294 memcpy( buf, tmp, 16 );
1295 }
1296
1297 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1298 {
1299 if( verbose != 0 )
1300 polarssl_printf( "failed\n" );
1301
1302 return( 1 );
1303 }
1304 }
1305
1306 if( verbose != 0 )
1307 polarssl_printf( "passed\n" );
1308 }
1309
1310 if( verbose != 0 )
1311 polarssl_printf( "\n" );
1312 #endif /* POLARSSL_CIPHER_MODE_CBC */
1313
1314 #if defined(POLARSSL_CIPHER_MODE_CFB)
1315 /*
1316 * CFB128 mode
1317 */
1318 for( i = 0; i < 6; i++ )
1319 {
1320 u = i >> 1;
1321 v = i & 1;
1322
1323 if( verbose != 0 )
1324 polarssl_printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1325 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1326
1327 memcpy( iv, aes_test_cfb128_iv, 16 );
1328 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1329
1330 offset = 0;
1331 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1332
1333 if( v == AES_DECRYPT )
1334 {
1335 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1336 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1337
1338 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1339 {
1340 if( verbose != 0 )
1341 polarssl_printf( "failed\n" );
1342
1343 return( 1 );
1344 }
1345 }
1346 else
1347 {
1348 memcpy( buf, aes_test_cfb128_pt, 64 );
1349 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1350
1351 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1352 {
1353 if( verbose != 0 )
1354 polarssl_printf( "failed\n" );
1355
1356 return( 1 );
1357 }
1358 }
1359
1360 if( verbose != 0 )
1361 polarssl_printf( "passed\n" );
1362 }
1363
1364 if( verbose != 0 )
1365 polarssl_printf( "\n" );
1366 #endif /* POLARSSL_CIPHER_MODE_CFB */
1367
1368 #if defined(POLARSSL_CIPHER_MODE_CTR)
1369 /*
1370 * CTR mode
1371 */
1372 for( i = 0; i < 6; i++ )
1373 {
1374 u = i >> 1;
1375 v = i & 1;
1376
1377 if( verbose != 0 )
1378 polarssl_printf( " AES-CTR-128 (%s): ",
1379 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1380
1381 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1382 memcpy( key, aes_test_ctr_key[u], 16 );
1383
1384 offset = 0;
1385 aes_setkey_enc( &ctx, key, 128 );
1386
1387 if( v == AES_DECRYPT )
1388 {
1389 len = aes_test_ctr_len[u];
1390 memcpy( buf, aes_test_ctr_ct[u], len );
1391
1392 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1393 buf, buf );
1394
1395 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1396 {
1397 if( verbose != 0 )
1398 polarssl_printf( "failed\n" );
1399
1400 return( 1 );
1401 }
1402 }
1403 else
1404 {
1405 len = aes_test_ctr_len[u];
1406 memcpy( buf, aes_test_ctr_pt[u], len );
1407
1408 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1409 buf, buf );
1410
1411 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1412 {
1413 if( verbose != 0 )
1414 polarssl_printf( "failed\n" );
1415
1416 return( 1 );
1417 }
1418 }
1419
1420 if( verbose != 0 )
1421 polarssl_printf( "passed\n" );
1422 }
1423
1424 if( verbose != 0 )
1425 polarssl_printf( "\n" );
1426 #endif /* POLARSSL_CIPHER_MODE_CTR */
1427
1428 return( 0 );
1429 }
1430
1431 #endif /* POLARSSL_SELF_TEST */
1432
1433 #endif /* POLARSSL_AES_C */
syren