TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / b6ecaf5276a2ef08aadc517c3c0f1c5d65df7f4e / . / library / aes.c
blob: 3a4cd150aa02f93ffc448015f2dc2bc227213e05 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]4 * Copyright (C) 2006-2010, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27 *
28 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30 */
31
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]32#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#include "polarssl/aes.h"
37#include "polarssl/padlock.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]38
39#include <string.h>
40
41/*
42 * 32-bit integer manipulation macros (little endian)
43 */
44#ifndef GET_ULONG_LE
45#define GET_ULONG_LE(n,b,i) \
46{ \
47 (n) = ( (unsigned long) (b)[(i) ] ) \
48 | ( (unsigned long) (b)[(i) + 1] << 8 ) \
49 | ( (unsigned long) (b)[(i) + 2] << 16 ) \
50 | ( (unsigned long) (b)[(i) + 3] << 24 ); \
51}
52#endif
53
54#ifndef PUT_ULONG_LE
55#define PUT_ULONG_LE(n,b,i) \
56{ \
57 (b)[(i) ] = (unsigned char) ( (n) ); \
58 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
59 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
60 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
61}
62#endif
63
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]64#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65/*
66 * Forward S-box
67 */
68static const unsigned char FSb[256] =
69{
70 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
71 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
72 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
73 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
74 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
75 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
76 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
77 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
78 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
79 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
80 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
81 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
82 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
83 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
84 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
85 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
86 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
87 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
88 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
89 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
90 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
91 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
92 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
93 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
94 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
95 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
96 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
97 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
98 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
99 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
100 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
101 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
102};
103
104/*
105 * Forward tables
106 */
107#define FT \
108\
109 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
110 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
111 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
112 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
113 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
114 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
115 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
116 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
117 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
118 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
119 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
120 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
121 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
122 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
123 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
124 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
125 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
126 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
127 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
128 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
129 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
130 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
131 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
132 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
133 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
134 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
135 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
136 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
137 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
138 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
139 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
140 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
141 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
142 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
143 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
144 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
145 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
146 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
147 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
148 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
149 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
150 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
151 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
152 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
153 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
154 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
155 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
156 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
157 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
158 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
159 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
160 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
161 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
162 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
163 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
164 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
165 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
166 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
167 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
168 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
169 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
170 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
171 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
172 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
173
174#define V(a,b,c,d) 0x##a##b##c##d
175static const unsigned long FT0[256] = { FT };
176#undef V
177
178#define V(a,b,c,d) 0x##b##c##d##a
179static const unsigned long FT1[256] = { FT };
180#undef V
181
182#define V(a,b,c,d) 0x##c##d##a##b
183static const unsigned long FT2[256] = { FT };
184#undef V
185
186#define V(a,b,c,d) 0x##d##a##b##c
187static const unsigned long FT3[256] = { FT };
188#undef V
189
190#undef FT
191
192/*
193 * Reverse S-box
194 */
195static const unsigned char RSb[256] =
196{
197 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
198 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
199 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
200 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
201 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
202 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
203 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
204 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
205 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
206 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
207 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
208 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
209 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
210 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
211 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
212 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
213 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
214 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
215 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
216 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
217 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
218 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
219 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
220 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
221 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
222 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
223 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
224 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
225 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
226 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
227 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
228 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
229};
230
231/*
232 * Reverse tables
233 */
234#define RT \
235\
236 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
237 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
238 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
239 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
240 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
241 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
242 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
243 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
244 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
245 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
246 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
247 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
248 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
249 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
250 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
251 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
252 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
253 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
254 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
255 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
256 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
257 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
258 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
259 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
260 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
261 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
262 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
263 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
264 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
265 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
266 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
267 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
268 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
269 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
270 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
271 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
272 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
273 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
274 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
275 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
276 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
277 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
278 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
279 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
280 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
281 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
282 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
283 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
284 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
285 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
286 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
287 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
288 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
289 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
290 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
291 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
292 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
293 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
294 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
295 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
296 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
297 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
298 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
299 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
300
301#define V(a,b,c,d) 0x##a##b##c##d
302static const unsigned long RT0[256] = { RT };
303#undef V
304
305#define V(a,b,c,d) 0x##b##c##d##a
306static const unsigned long RT1[256] = { RT };
307#undef V
308
309#define V(a,b,c,d) 0x##c##d##a##b
310static const unsigned long RT2[256] = { RT };
311#undef V
312
313#define V(a,b,c,d) 0x##d##a##b##c
314static const unsigned long RT3[256] = { RT };
315#undef V
316
317#undef RT
318
319/*
320 * Round constants
321 */
322static const unsigned long RCON[10] =
323{
324 0x00000001, 0x00000002, 0x00000004, 0x00000008,
325 0x00000010, 0x00000020, 0x00000040, 0x00000080,
326 0x0000001B, 0x00000036
327};
328
329#else
330
331/*
332 * Forward S-box & tables
333 */
334static unsigned char FSb[256];
335static unsigned long FT0[256];
336static unsigned long FT1[256];
337static unsigned long FT2[256];
338static unsigned long FT3[256];
339
340/*
341 * Reverse S-box & tables
342 */
343static unsigned char RSb[256];
344static unsigned long RT0[256];
345static unsigned long RT1[256];
346static unsigned long RT2[256];
347static unsigned long RT3[256];
348
349/*
350 * Round constants
351 */
352static unsigned long RCON[10];
353
354/*
355 * Tables generation code
356 */
357#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
358#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
359#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
360
361static int aes_init_done = 0;
362
363static void aes_gen_tables( void )
364{
365 int i, x, y, z;
366 int pow[256];
367 int log[256];
368
369 /*
370 * compute pow and log tables over GF(2^8)
371 */
372 for( i = 0, x = 1; i < 256; i++ )
373 {
374 pow[i] = x;
375 log[x] = i;
376 x = ( x ^ XTIME( x ) ) & 0xFF;
377 }
378
379 /*
380 * calculate the round constants
381 */
382 for( i = 0, x = 1; i < 10; i++ )
383 {
384 RCON[i] = (unsigned long) x;
385 x = XTIME( x ) & 0xFF;
386 }
387
388 /*
389 * generate the forward and reverse S-boxes
390 */
391 FSb[0x00] = 0x63;
392 RSb[0x63] = 0x00;
393
394 for( i = 1; i < 256; i++ )
395 {
396 x = pow[255 - log[i]];
397
398 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
399 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
400 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
401 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
402 x ^= y ^ 0x63;
403
404 FSb[i] = (unsigned char) x;
405 RSb[x] = (unsigned char) i;
406 }
407
408 /*
409 * generate the forward and reverse tables
410 */
411 for( i = 0; i < 256; i++ )
412 {
413 x = FSb[i];
414 y = XTIME( x ) & 0xFF;
415 z = ( y ^ x ) & 0xFF;
416
417 FT0[i] = ( (unsigned long) y ) ^
418 ( (unsigned long) x << 8 ) ^
419 ( (unsigned long) x << 16 ) ^
420 ( (unsigned long) z << 24 );
421
422 FT1[i] = ROTL8( FT0[i] );
423 FT2[i] = ROTL8( FT1[i] );
424 FT3[i] = ROTL8( FT2[i] );
425
426 x = RSb[i];
427
428 RT0[i] = ( (unsigned long) MUL( 0x0E, x ) ) ^
429 ( (unsigned long) MUL( 0x09, x ) << 8 ) ^
430 ( (unsigned long) MUL( 0x0D, x ) << 16 ) ^
431 ( (unsigned long) MUL( 0x0B, x ) << 24 );
432
433 RT1[i] = ROTL8( RT0[i] );
434 RT2[i] = ROTL8( RT1[i] );
435 RT3[i] = ROTL8( RT2[i] );
436 }
437}
438
439#endif
440
441/*
442 * AES key schedule (encryption)
443 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]444int aes_setkey_enc( aes_context *ctx, const unsigned char *key, int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]445{
446 int i;
447 unsigned long *RK;
448
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]449#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]450 if( aes_init_done == 0 )
451 {
452 aes_gen_tables();
453 aes_init_done = 1;
454 }
455#endif
456
457 switch( keysize )
458 {
459 case 128: ctx->nr = 10; break;
460 case 192: ctx->nr = 12; break;
461 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]462 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]463 }
464
465#if defined(PADLOCK_ALIGN16)
466 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
467#else
468 ctx->rk = RK = ctx->buf;
469#endif
470
471 for( i = 0; i < (keysize >> 5); i++ )
472 {
473 GET_ULONG_LE( RK[i], key, i << 2 );
474 }
475
476 switch( ctx->nr )
477 {
478 case 10:
479
480 for( i = 0; i < 10; i++, RK += 4 )
481 {
482 RK[4] = RK[0] ^ RCON[i] ^
483 ( (unsigned long) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
484 ( (unsigned long) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
485 ( (unsigned long) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
486 ( (unsigned long) FSb[ ( RK[3] ) & 0xFF ] << 24 );
487
488 RK[5] = RK[1] ^ RK[4];
489 RK[6] = RK[2] ^ RK[5];
490 RK[7] = RK[3] ^ RK[6];
491 }
492 break;
493
494 case 12:
495
496 for( i = 0; i < 8; i++, RK += 6 )
497 {
498 RK[6] = RK[0] ^ RCON[i] ^
499 ( (unsigned long) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
500 ( (unsigned long) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
501 ( (unsigned long) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
502 ( (unsigned long) FSb[ ( RK[5] ) & 0xFF ] << 24 );
503
504 RK[7] = RK[1] ^ RK[6];
505 RK[8] = RK[2] ^ RK[7];
506 RK[9] = RK[3] ^ RK[8];
507 RK[10] = RK[4] ^ RK[9];
508 RK[11] = RK[5] ^ RK[10];
509 }
510 break;
511
512 case 14:
513
514 for( i = 0; i < 7; i++, RK += 8 )
515 {
516 RK[8] = RK[0] ^ RCON[i] ^
517 ( (unsigned long) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
518 ( (unsigned long) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
519 ( (unsigned long) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
520 ( (unsigned long) FSb[ ( RK[7] ) & 0xFF ] << 24 );
521
522 RK[9] = RK[1] ^ RK[8];
523 RK[10] = RK[2] ^ RK[9];
524 RK[11] = RK[3] ^ RK[10];
525
526 RK[12] = RK[4] ^
527 ( (unsigned long) FSb[ ( RK[11] ) & 0xFF ] ) ^
528 ( (unsigned long) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
529 ( (unsigned long) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
530 ( (unsigned long) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
531
532 RK[13] = RK[5] ^ RK[12];
533 RK[14] = RK[6] ^ RK[13];
534 RK[15] = RK[7] ^ RK[14];
535 }
536 break;
537
538 default:
539
540 break;
541 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]542
543 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]544}
545
546/*
547 * AES key schedule (decryption)
548 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]549int aes_setkey_dec( aes_context *ctx, const unsigned char *key, int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]550{
551 int i, j;
552 aes_context cty;
553 unsigned long *RK;
554 unsigned long *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]555 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]556
557 switch( keysize )
558 {
559 case 128: ctx->nr = 10; break;
560 case 192: ctx->nr = 12; break;
561 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]562 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]563 }
564
565#if defined(PADLOCK_ALIGN16)
566 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
567#else
568 ctx->rk = RK = ctx->buf;
569#endif
570
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]571 ret = aes_setkey_enc( &cty, key, keysize );
572 if( ret != 0 )
573 return( ret );
574
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]575 SK = cty.rk + cty.nr * 4;
576
577 *RK++ = *SK++;
578 *RK++ = *SK++;
579 *RK++ = *SK++;
580 *RK++ = *SK++;
581
582 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
583 {
584 for( j = 0; j < 4; j++, SK++ )
585 {
586 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
587 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
588 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
589 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
590 }
591 }
592
593 *RK++ = *SK++;
594 *RK++ = *SK++;
595 *RK++ = *SK++;
596 *RK++ = *SK++;
597
598 memset( &cty, 0, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]599
600 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]601}
602
603#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
604{ \
605 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
606 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
607 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
608 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
609 \
610 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
611 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
612 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
613 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
614 \
615 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
616 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
617 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
618 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
619 \
620 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
621 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
622 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
623 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
624}
625
626#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
627{ \
628 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
629 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
630 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
631 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
632 \
633 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
634 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
635 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
636 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
637 \
638 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
639 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
640 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
641 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
642 \
643 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
644 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
645 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
646 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
647}
648
649/*
650 * AES-ECB block encryption/decryption
651 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]652int aes_crypt_ecb( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]653 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]654 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]655 unsigned char output[16] )
656{
657 int i;
658 unsigned long *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
659
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]660#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]661 if( padlock_supports( PADLOCK_ACE ) )
662 {
663 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]664 return( 0 );
665
666 // If padlock data misaligned, we just fall back to
667 // unaccelerated mode
668 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]669 }
670#endif
671
672 RK = ctx->rk;
673
674 GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
675 GET_ULONG_LE( X1, input, 4 ); X1 ^= *RK++;
676 GET_ULONG_LE( X2, input, 8 ); X2 ^= *RK++;
677 GET_ULONG_LE( X3, input, 12 ); X3 ^= *RK++;
678
679 if( mode == AES_DECRYPT )
680 {
681 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
682 {
683 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
684 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
685 }
686
687 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
688
689 X0 = *RK++ ^ \
690 ( (unsigned long) RSb[ ( Y0 ) & 0xFF ] ) ^
691 ( (unsigned long) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
692 ( (unsigned long) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
693 ( (unsigned long) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
694
695 X1 = *RK++ ^ \
696 ( (unsigned long) RSb[ ( Y1 ) & 0xFF ] ) ^
697 ( (unsigned long) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
698 ( (unsigned long) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
699 ( (unsigned long) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
700
701 X2 = *RK++ ^ \
702 ( (unsigned long) RSb[ ( Y2 ) & 0xFF ] ) ^
703 ( (unsigned long) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
704 ( (unsigned long) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
705 ( (unsigned long) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
706
707 X3 = *RK++ ^ \
708 ( (unsigned long) RSb[ ( Y3 ) & 0xFF ] ) ^
709 ( (unsigned long) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
710 ( (unsigned long) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
711 ( (unsigned long) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
712 }
713 else /* AES_ENCRYPT */
714 {
715 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
716 {
717 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
718 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
719 }
720
721 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
722
723 X0 = *RK++ ^ \
724 ( (unsigned long) FSb[ ( Y0 ) & 0xFF ] ) ^
725 ( (unsigned long) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
726 ( (unsigned long) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
727 ( (unsigned long) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
728
729 X1 = *RK++ ^ \
730 ( (unsigned long) FSb[ ( Y1 ) & 0xFF ] ) ^
731 ( (unsigned long) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
732 ( (unsigned long) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
733 ( (unsigned long) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
734
735 X2 = *RK++ ^ \
736 ( (unsigned long) FSb[ ( Y2 ) & 0xFF ] ) ^
737 ( (unsigned long) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
738 ( (unsigned long) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
739 ( (unsigned long) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
740
741 X3 = *RK++ ^ \
742 ( (unsigned long) FSb[ ( Y3 ) & 0xFF ] ) ^
743 ( (unsigned long) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
744 ( (unsigned long) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
745 ( (unsigned long) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
746 }
747
748 PUT_ULONG_LE( X0, output, 0 );
749 PUT_ULONG_LE( X1, output, 4 );
750 PUT_ULONG_LE( X2, output, 8 );
751 PUT_ULONG_LE( X3, output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]752
753 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]754}
755
756/*
757 * AES-CBC buffer encryption/decryption
758 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]759int aes_crypt_cbc( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]760 int mode,
761 int length,
762 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]763 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]764 unsigned char *output )
765{
766 int i;
767 unsigned char temp[16];
768
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]769 if( length % 16 )
770 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
771
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]772#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]773 if( padlock_supports( PADLOCK_ACE ) )
774 {
775 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]776 return( 0 );
777
778 // If padlock data misaligned, we just fall back to
779 // unaccelerated mode
780 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]781 }
782#endif
783
784 if( mode == AES_DECRYPT )
785 {
786 while( length > 0 )
787 {
788 memcpy( temp, input, 16 );
789 aes_crypt_ecb( ctx, mode, input, output );
790
791 for( i = 0; i < 16; i++ )
792 output[i] = (unsigned char)( output[i] ^ iv[i] );
793
794 memcpy( iv, temp, 16 );
795
796 input += 16;
797 output += 16;
798 length -= 16;
799 }
800 }
801 else
802 {
803 while( length > 0 )
804 {
805 for( i = 0; i < 16; i++ )
806 output[i] = (unsigned char)( input[i] ^ iv[i] );
807
808 aes_crypt_ecb( ctx, mode, output, output );
809 memcpy( iv, output, 16 );
810
811 input += 16;
812 output += 16;
813 length -= 16;
814 }
815 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]816
817 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]818}
819
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame^]820#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]821/*
822 * AES-CFB128 buffer encryption/decryption
823 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]824int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]825 int mode,
826 int length,
827 int *iv_off,
828 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]829 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]830 unsigned char *output )
831{
832 int c, n = *iv_off;
833
834 if( mode == AES_DECRYPT )
835 {
836 while( length-- )
837 {
838 if( n == 0 )
839 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
840
841 c = *input++;
842 *output++ = (unsigned char)( c ^ iv[n] );
843 iv[n] = (unsigned char) c;
844
845 n = (n + 1) & 0x0F;
846 }
847 }
848 else
849 {
850 while( length-- )
851 {
852 if( n == 0 )
853 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
854
855 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
856
857 n = (n + 1) & 0x0F;
858 }
859 }
860
861 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]862
863 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]864}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame^]865#endif /*POLARSSL_CIPHER_MODE_CFB */
866
867#if defined(POLARSSL_CIPHER_MODE_CTR)
868/*
869 * AES-CTR buffer encryption/decryption
870 */
871int aes_crypt_ctr( aes_context *ctx,
872 int length,
873 int *nc_off,
874 unsigned char nonce_counter[16],
875 unsigned char stream_block[16],
876 const unsigned char *input,
877 unsigned char *output )
878{
879 int c, n = *nc_off, i, cb;
880
881 while( length-- )
882 {
883 if( n == 0 ) {
884 aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
885
886 i = 15;
887 do {
888 nonce_counter[i]++;
889 cb = nonce_counter[i] == 0;
890 } while( i-- && cb );
891
892 }
893 c = *input++;
894 *output++ = (unsigned char)( c ^ stream_block[n] );
895
896 n = (n + 1) & 0x0F;
897 }
898
899 *nc_off = n;
900
901 return( 0 );
902}
903#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]904
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]905#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]906
907#include <stdio.h>
908
909/*
910 * AES test vectors from:
911 *
912 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
913 */
914static const unsigned char aes_test_ecb_dec[3][16] =
915{
916 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
917 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
918 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
919 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
920 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
921 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
922};
923
924static const unsigned char aes_test_ecb_enc[3][16] =
925{
926 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
927 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
928 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
929 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
930 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
931 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
932};
933
934static const unsigned char aes_test_cbc_dec[3][16] =
935{
936 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
937 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
938 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
939 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
940 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
941 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
942};
943
944static const unsigned char aes_test_cbc_enc[3][16] =
945{
946 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
947 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
948 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
949 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
950 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
951 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
952};
953
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame^]954#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]955/*
956 * AES-CFB128 test vectors from:
957 *
958 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
959 */
960static const unsigned char aes_test_cfb128_key[3][32] =
961{
962 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
963 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
964 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
965 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
966 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
967 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
968 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
969 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
970 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
971};
972
973static const unsigned char aes_test_cfb128_iv[16] =
974{
975 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
976 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
977};
978
979static const unsigned char aes_test_cfb128_pt[64] =
980{
981 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
982 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
983 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
984 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
985 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
986 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
987 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
988 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
989};
990
991static const unsigned char aes_test_cfb128_ct[3][64] =
992{
993 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
994 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
995 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
996 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
997 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
998 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
999 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1000 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1001 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1002 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1003 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1004 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1005 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1006 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1007 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1008 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1009 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1010 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1011 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1012 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1013 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1014 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1015 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1016 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1017};
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame^]1018#endif /* POLARSSL_CIPHER_MODE_CFB */
1019
1020#if defined(POLARSSL_CIPHER_MODE_CTR)
1021/*
1022 * AES-CTR test vectors from:
1023 *
1024 * http://www.faqs.org/rfcs/rfc3686.html
1025 */
1026
1027static const unsigned char aes_test_ctr_key[3][16] =
1028{
1029 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1030 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1031 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1032 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1033 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1034 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1035};
1036
1037static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1038{
1039 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1040 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1041 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1042 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1043 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1044 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1045};
1046
1047static const unsigned char aes_test_ctr_pt[3][48] =
1048{
1049 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1050 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1051
1052 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1053 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1054 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1055 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1056
1057 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1058 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1059 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1060 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1061 0x20, 0x21, 0x22, 0x23 }
1062};
1063
1064static const unsigned char aes_test_ctr_ct[3][48] =
1065{
1066 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1067 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1068 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1069 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1070 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1071 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1072 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1073 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1074 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1075 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1076 0x25, 0xB2, 0x07, 0x2F }
1077};
1078
1079static const int aes_test_ctr_len[3] =
1080 { 16, 32, 36 };
1081#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1082
1083/*
1084 * Checkup routine
1085 */
1086int aes_self_test( int verbose )
1087{
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame^]1088 int i, j, u, v;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1089 unsigned char key[32];
1090 unsigned char buf[64];
1091 unsigned char prv[16];
1092 unsigned char iv[16];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame^]1093#if defined(POLARSSL_CIPHER_MODE_CTR)
1094 int offset, len;
1095 unsigned char nonce_counter[16];
1096 unsigned char stream_block[16];
1097#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1098 aes_context ctx;
1099
1100 memset( key, 0, 32 );
1101
1102 /*
1103 * ECB mode
1104 */
1105 for( i = 0; i < 6; i++ )
1106 {
1107 u = i >> 1;
1108 v = i & 1;
1109
1110 if( verbose != 0 )
1111 printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1112 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1113
1114 memset( buf, 0, 16 );
1115
1116 if( v == AES_DECRYPT )
1117 {
1118 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1119
1120 for( j = 0; j < 10000; j++ )
1121 aes_crypt_ecb( &ctx, v, buf, buf );
1122
1123 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1124 {
1125 if( verbose != 0 )
1126 printf( "failed\n" );
1127
1128 return( 1 );
1129 }
1130 }
1131 else
1132 {
1133 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1134
1135 for( j = 0; j < 10000; j++ )
1136 aes_crypt_ecb( &ctx, v, buf, buf );
1137
1138 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1139 {
1140 if( verbose != 0 )
1141 printf( "failed\n" );
1142
1143 return( 1 );
1144 }
1145 }
1146
1147 if( verbose != 0 )
1148 printf( "passed\n" );
1149 }
1150
1151 if( verbose != 0 )
1152 printf( "\n" );
1153
1154 /*
1155 * CBC mode
1156 */
1157 for( i = 0; i < 6; i++ )
1158 {
1159 u = i >> 1;
1160 v = i & 1;
1161
1162 if( verbose != 0 )
1163 printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1164 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1165
1166 memset( iv , 0, 16 );
1167 memset( prv, 0, 16 );
1168 memset( buf, 0, 16 );
1169
1170 if( v == AES_DECRYPT )
1171 {
1172 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1173
1174 for( j = 0; j < 10000; j++ )
1175 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1176
1177 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1178 {
1179 if( verbose != 0 )
1180 printf( "failed\n" );
1181
1182 return( 1 );
1183 }
1184 }
1185 else
1186 {
1187 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1188
1189 for( j = 0; j < 10000; j++ )
1190 {
1191 unsigned char tmp[16];
1192
1193 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1194
1195 memcpy( tmp, prv, 16 );
1196 memcpy( prv, buf, 16 );
1197 memcpy( buf, tmp, 16 );
1198 }
1199
1200 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1201 {
1202 if( verbose != 0 )
1203 printf( "failed\n" );
1204
1205 return( 1 );
1206 }
1207 }
1208
1209 if( verbose != 0 )
1210 printf( "passed\n" );
1211 }
1212
1213 if( verbose != 0 )
1214 printf( "\n" );
1215
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame^]1216#if defined(POLARSSL_CIPHERY_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1217 /*
1218 * CFB128 mode
1219 */
1220 for( i = 0; i < 6; i++ )
1221 {
1222 u = i >> 1;
1223 v = i & 1;
1224
1225 if( verbose != 0 )
1226 printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1227 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1228
1229 memcpy( iv, aes_test_cfb128_iv, 16 );
1230 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1231
1232 offset = 0;
1233 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1234
1235 if( v == AES_DECRYPT )
1236 {
1237 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1238 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1239
1240 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1241 {
1242 if( verbose != 0 )
1243 printf( "failed\n" );
1244
1245 return( 1 );
1246 }
1247 }
1248 else
1249 {
1250 memcpy( buf, aes_test_cfb128_pt, 64 );
1251 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1252
1253 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1254 {
1255 if( verbose != 0 )
1256 printf( "failed\n" );
1257
1258 return( 1 );
1259 }
1260 }
1261
1262 if( verbose != 0 )
1263 printf( "passed\n" );
1264 }
1265
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame^]1266 if( verbose != 0 )
1267 printf( "\n" );
1268#endif /* POLARSSL_CIPHER_MODE_CFB */
1269
1270#if defined(POLARSSL_CIPHER_MODE_CTR)
1271 /*
1272 * CTR mode
1273 */
1274 for( i = 0; i < 6; i++ )
1275 {
1276 u = i >> 1;
1277 v = i & 1;
1278
1279 if( verbose != 0 )
1280 printf( " AES-CTR-128 (%s): ",
1281 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1282
1283 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1284 memcpy( key, aes_test_ctr_key[u], 16 );
1285
1286 offset = 0;
1287 aes_setkey_enc( &ctx, key, 128 );
1288
1289 if( v == AES_DECRYPT )
1290 {
1291 len = aes_test_ctr_len[u];
1292 memcpy( buf, aes_test_ctr_ct[u], len );
1293
1294 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1295
1296 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1297 {
1298 if( verbose != 0 )
1299 printf( "failed\n" );
1300
1301 return( 1 );
1302 }
1303 }
1304 else
1305 {
1306 len = aes_test_ctr_len[u];
1307 memcpy( buf, aes_test_ctr_pt[u], len );
1308
1309 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1310
1311 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1312 {
1313 if( verbose != 0 )
1314 printf( "failed\n" );
1315
1316 return( 1 );
1317 }
1318 }
1319
1320 if( verbose != 0 )
1321 printf( "passed\n" );
1322 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1323
1324 if( verbose != 0 )
1325 printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame^]1326#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1327
1328 return( 0 );
1329}
1330
1331#endif
1332
1333#endif