TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 0464dd93573240789388e3f37d4f43fee6ae0979 / . / library / aes.c
blob: a90cefff5e911828eecfe68bb6ed53cccfa598a2 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]4 * Copyright (C) 2006-2014, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27 *
28 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30 */
31
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#if !defined(POLARSSL_CONFIG_FILE)
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]33#include "polarssl/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]34#else
35#include POLARSSL_CONFIG_FILE
36#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]37
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]39
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]40#include "polarssl/aes.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]41#if defined(POLARSSL_PADLOCK_C)
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]42#include "polarssl/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]43#endif
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]44#if defined(POLARSSL_AESNI_C)
45#include "polarssl/aesni.h"
46#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]48#if defined(POLARSSL_PLATFORM_C)
49#include "polarssl/platform.h"
50#else
51#define polarssl_printf printf
52#endif
53
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]54#if !defined(POLARSSL_AES_ALT)
55
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]56/* Implementation that should never be optimized out by the compiler */
57static void polarssl_zeroize( void *v, size_t n ) {
58 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
59}
60
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]61/*
62 * 32-bit integer manipulation macros (little endian)
63 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]64#ifndef GET_UINT32_LE
65#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]66{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]67 (n) = ( (uint32_t) (b)[(i) ] ) \
68 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
69 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
70 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]71}
72#endif
73
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]74#ifndef PUT_UINT32_LE
75#define PUT_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]76{ \
77 (b)[(i) ] = (unsigned char) ( (n) ); \
78 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
79 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
80 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
81}
82#endif
83
Paul Bakker0e19e9f2012-10-01 11:02:48 +0000[diff] [blame]84#if defined(POLARSSL_PADLOCK_C) && \
85 ( defined(POLARSSL_HAVE_X86) || defined(PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]86static int aes_padlock_ace = -1;
87#endif
88
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]89#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]90/*
91 * Forward S-box
92 */
93static const unsigned char FSb[256] =
94{
95 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
96 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
97 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
98 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
99 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
100 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
101 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
102 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
103 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
104 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
105 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
106 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
107 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
108 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
109 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
110 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
111 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
112 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
113 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
114 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
115 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
116 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
117 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
118 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
119 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
120 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
121 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
122 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
123 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
124 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
125 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
126 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
127};
128
129/*
130 * Forward tables
131 */
132#define FT \
133\
134 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
135 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
136 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
137 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
138 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
139 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
140 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
141 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
142 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
143 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
144 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
145 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
146 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
147 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
148 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
149 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
150 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
151 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
152 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
153 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
154 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
155 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
156 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
157 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
158 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
159 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
160 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
161 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
162 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
163 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
164 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
165 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
166 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
167 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
168 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
169 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
170 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
171 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
172 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
173 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
174 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
175 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
176 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
177 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
178 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
179 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
180 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
181 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
182 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
183 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
184 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
185 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
186 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
187 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
188 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
189 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
190 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
191 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
192 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
193 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
194 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
195 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
196 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
197 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
198
199#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]200static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]201#undef V
202
203#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]204static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]205#undef V
206
207#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]208static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]209#undef V
210
211#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]212static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]213#undef V
214
215#undef FT
216
217/*
218 * Reverse S-box
219 */
220static const unsigned char RSb[256] =
221{
222 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
223 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
224 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
225 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
226 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
227 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
228 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
229 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
230 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
231 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
232 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
233 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
234 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
235 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
236 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
237 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
238 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
239 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
240 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
241 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
242 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
243 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
244 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
245 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
246 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
247 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
248 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
249 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
250 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
251 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
252 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
253 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
254};
255
256/*
257 * Reverse tables
258 */
259#define RT \
260\
261 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
262 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
263 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
264 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
265 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
266 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
267 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
268 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
269 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
270 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
271 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
272 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
273 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
274 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
275 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
276 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
277 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
278 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
279 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
280 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
281 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
282 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
283 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
284 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
285 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
286 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
287 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
288 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
289 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
290 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
291 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
292 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
293 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
294 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
295 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
296 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
297 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
298 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
299 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
300 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
301 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
302 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
303 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
304 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
305 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
306 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
307 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
308 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
309 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
310 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
311 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
312 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
313 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
314 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
315 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
316 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
317 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
318 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
319 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
320 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
321 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
322 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
323 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
324 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
325
326#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]327static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]328#undef V
329
330#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]331static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]332#undef V
333
334#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]335static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]336#undef V
337
338#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]339static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]340#undef V
341
342#undef RT
343
344/*
345 * Round constants
346 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]347static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]348{
349 0x00000001, 0x00000002, 0x00000004, 0x00000008,
350 0x00000010, 0x00000020, 0x00000040, 0x00000080,
351 0x0000001B, 0x00000036
352};
353
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]354#else /* POLARSSL_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]355
356/*
357 * Forward S-box & tables
358 */
359static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]360static uint32_t FT0[256];
361static uint32_t FT1[256];
362static uint32_t FT2[256];
363static uint32_t FT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]364
365/*
366 * Reverse S-box & tables
367 */
368static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]369static uint32_t RT0[256];
370static uint32_t RT1[256];
371static uint32_t RT2[256];
372static uint32_t RT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]373
374/*
375 * Round constants
376 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]377static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]378
379/*
380 * Tables generation code
381 */
382#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
383#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
384#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
385
386static int aes_init_done = 0;
387
388static void aes_gen_tables( void )
389{
390 int i, x, y, z;
391 int pow[256];
392 int log[256];
393
394 /*
395 * compute pow and log tables over GF(2^8)
396 */
397 for( i = 0, x = 1; i < 256; i++ )
398 {
399 pow[i] = x;
400 log[x] = i;
401 x = ( x ^ XTIME( x ) ) & 0xFF;
402 }
403
404 /*
405 * calculate the round constants
406 */
407 for( i = 0, x = 1; i < 10; i++ )
408 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]409 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]410 x = XTIME( x ) & 0xFF;
411 }
412
413 /*
414 * generate the forward and reverse S-boxes
415 */
416 FSb[0x00] = 0x63;
417 RSb[0x63] = 0x00;
418
419 for( i = 1; i < 256; i++ )
420 {
421 x = pow[255 - log[i]];
422
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]423 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
424 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
425 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
426 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]427 x ^= y ^ 0x63;
428
429 FSb[i] = (unsigned char) x;
430 RSb[x] = (unsigned char) i;
431 }
432
433 /*
434 * generate the forward and reverse tables
435 */
436 for( i = 0; i < 256; i++ )
437 {
438 x = FSb[i];
439 y = XTIME( x ) & 0xFF;
440 z = ( y ^ x ) & 0xFF;
441
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]442 FT0[i] = ( (uint32_t) y ) ^
443 ( (uint32_t) x << 8 ) ^
444 ( (uint32_t) x << 16 ) ^
445 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]446
447 FT1[i] = ROTL8( FT0[i] );
448 FT2[i] = ROTL8( FT1[i] );
449 FT3[i] = ROTL8( FT2[i] );
450
451 x = RSb[i];
452
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]453 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
454 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
455 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
456 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]457
458 RT1[i] = ROTL8( RT0[i] );
459 RT2[i] = ROTL8( RT1[i] );
460 RT3[i] = ROTL8( RT2[i] );
461 }
462}
463
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]464#endif /* POLARSSL_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]465
466/*
467 * AES key schedule (encryption)
468 */
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]469int aes_setkey_enc( aes_context *ctx, const unsigned char *key,
470 unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]471{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]472 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]473 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]474
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]475#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]476 if( aes_init_done == 0 )
477 {
478 aes_gen_tables();
479 aes_init_done = 1;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]480
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]481 }
482#endif
483
484 switch( keysize )
485 {
486 case 128: ctx->nr = 10; break;
487 case 192: ctx->nr = 12; break;
488 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]489 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]490 }
491
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]492#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
493 if( aes_padlock_ace == -1 )
494 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
495
496 if( aes_padlock_ace )
497 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
498 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]499#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]500 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]501
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]502#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
503 if( aesni_supports( POLARSSL_AESNI_AES ) )
Manuel Pégourié-Gonnardbfa3c9a2013-12-30 13:53:58 +0100[diff] [blame]504 return( aesni_setkey_enc( (unsigned char *) ctx->rk, key, keysize ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]505#endif
506
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]507 for( i = 0; i < ( keysize >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]508 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]509 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]510 }
511
512 switch( ctx->nr )
513 {
514 case 10:
515
516 for( i = 0; i < 10; i++, RK += 4 )
517 {
518 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]519 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
520 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
521 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
522 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]523
524 RK[5] = RK[1] ^ RK[4];
525 RK[6] = RK[2] ^ RK[5];
526 RK[7] = RK[3] ^ RK[6];
527 }
528 break;
529
530 case 12:
531
532 for( i = 0; i < 8; i++, RK += 6 )
533 {
534 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]535 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
536 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
537 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
538 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]539
540 RK[7] = RK[1] ^ RK[6];
541 RK[8] = RK[2] ^ RK[7];
542 RK[9] = RK[3] ^ RK[8];
543 RK[10] = RK[4] ^ RK[9];
544 RK[11] = RK[5] ^ RK[10];
545 }
546 break;
547
548 case 14:
549
550 for( i = 0; i < 7; i++, RK += 8 )
551 {
552 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]553 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
554 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
555 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
556 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]557
558 RK[9] = RK[1] ^ RK[8];
559 RK[10] = RK[2] ^ RK[9];
560 RK[11] = RK[3] ^ RK[10];
561
562 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]563 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
564 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
565 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
566 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]567
568 RK[13] = RK[5] ^ RK[12];
569 RK[14] = RK[6] ^ RK[13];
570 RK[15] = RK[7] ^ RK[14];
571 }
572 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]573 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]574
575 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]576}
577
578/*
579 * AES key schedule (decryption)
580 */
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]581int aes_setkey_dec( aes_context *ctx, const unsigned char *key,
582 unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]583{
584 int i, j;
585 aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]586 uint32_t *RK;
587 uint32_t *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]588 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]589
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]590#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
591 if( aes_padlock_ace == -1 )
592 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
593
594 if( aes_padlock_ace )
595 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
596 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]597#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]598 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]599
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]600 /* Also checks keysize */
601 if( ( ret = aes_setkey_enc( &cty, key, keysize ) ) != 0 )
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]602 return( ret );
603
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]604 ctx->nr = cty.nr;
605
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]606#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
607 if( aesni_supports( POLARSSL_AESNI_AES ) )
608 {
609 aesni_inverse_key( (unsigned char *) ctx->rk,
610 (const unsigned char *) cty.rk, ctx->nr );
611 goto done;
612 }
613#endif
614
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]615 SK = cty.rk + cty.nr * 4;
616
617 *RK++ = *SK++;
618 *RK++ = *SK++;
619 *RK++ = *SK++;
620 *RK++ = *SK++;
621
622 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
623 {
624 for( j = 0; j < 4; j++, SK++ )
625 {
626 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
627 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
628 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
629 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
630 }
631 }
632
633 *RK++ = *SK++;
634 *RK++ = *SK++;
635 *RK++ = *SK++;
636 *RK++ = *SK++;
637
Paul Bakker0d0de922013-12-30 15:29:04 +0100[diff] [blame]638#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]639done:
Paul Bakker0d0de922013-12-30 15:29:04 +0100[diff] [blame]640#endif
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]641 polarssl_zeroize( &cty, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]642
643 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]644}
645
646#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
647{ \
648 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
649 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
650 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
651 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
652 \
653 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
654 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
655 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
656 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
657 \
658 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
659 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
660 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
661 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
662 \
663 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
664 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
665 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
666 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
667}
668
669#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
670{ \
671 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
672 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
673 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
674 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
675 \
676 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
677 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
678 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
679 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
680 \
681 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
682 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
683 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
684 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
685 \
686 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
687 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
688 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
689 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
690}
691
692/*
693 * AES-ECB block encryption/decryption
694 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]695int aes_crypt_ecb( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]696 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]697 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]698 unsigned char output[16] )
699{
700 int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]701 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]702
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]703#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
Manuel Pégourié-Gonnard8eaf20b2013-12-18 19:14:53 +0100[diff] [blame]704 if( aesni_supports( POLARSSL_AESNI_AES ) )
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]705 return( aesni_crypt_ecb( ctx, mode, input, output ) );
706#endif
707
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]708#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]709 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]710 {
711 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]712 return( 0 );
713
714 // If padlock data misaligned, we just fall back to
715 // unaccelerated mode
716 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]717 }
718#endif
719
720 RK = ctx->rk;
721
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]722 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
723 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
724 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
725 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]726
727 if( mode == AES_DECRYPT )
728 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]729 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]730 {
731 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
732 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
733 }
734
735 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
736
737 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]738 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
739 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
740 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
741 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]742
743 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]744 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
745 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
746 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
747 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]748
749 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]750 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
751 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
752 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
753 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]754
755 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]756 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
757 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
758 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
759 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]760 }
761 else /* AES_ENCRYPT */
762 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]763 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]764 {
765 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
766 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
767 }
768
769 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
770
771 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]772 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
773 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
774 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
775 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]776
777 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]778 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
779 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
780 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
781 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]782
783 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]784 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
785 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
786 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
787 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]788
789 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]790 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
791 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
792 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
793 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]794 }
795
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]796 PUT_UINT32_LE( X0, output, 0 );
797 PUT_UINT32_LE( X1, output, 4 );
798 PUT_UINT32_LE( X2, output, 8 );
799 PUT_UINT32_LE( X3, output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]800
801 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]802}
803
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]804#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]805/*
806 * AES-CBC buffer encryption/decryption
807 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]808int aes_crypt_cbc( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]809 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]810 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]811 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]812 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]813 unsigned char *output )
814{
815 int i;
816 unsigned char temp[16];
817
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]818 if( length % 16 )
819 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
820
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]821#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]822 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]823 {
824 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]825 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]826
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]827 // If padlock data misaligned, we just fall back to
828 // unaccelerated mode
829 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]830 }
831#endif
832
833 if( mode == AES_DECRYPT )
834 {
835 while( length > 0 )
836 {
837 memcpy( temp, input, 16 );
838 aes_crypt_ecb( ctx, mode, input, output );
839
840 for( i = 0; i < 16; i++ )
841 output[i] = (unsigned char)( output[i] ^ iv[i] );
842
843 memcpy( iv, temp, 16 );
844
845 input += 16;
846 output += 16;
847 length -= 16;
848 }
849 }
850 else
851 {
852 while( length > 0 )
853 {
854 for( i = 0; i < 16; i++ )
855 output[i] = (unsigned char)( input[i] ^ iv[i] );
856
857 aes_crypt_ecb( ctx, mode, output, output );
858 memcpy( iv, output, 16 );
859
860 input += 16;
861 output += 16;
862 length -= 16;
863 }
864 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]865
866 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]867}
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]868#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]869
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]870#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]871/*
872 * AES-CFB128 buffer encryption/decryption
873 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]874int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]875 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]876 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]877 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]878 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]879 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]880 unsigned char *output )
881{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]882 int c;
883 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]884
885 if( mode == AES_DECRYPT )
886 {
887 while( length-- )
888 {
889 if( n == 0 )
890 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
891
892 c = *input++;
893 *output++ = (unsigned char)( c ^ iv[n] );
894 iv[n] = (unsigned char) c;
895
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]896 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]897 }
898 }
899 else
900 {
901 while( length-- )
902 {
903 if( n == 0 )
904 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
905
906 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
907
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]908 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]909 }
910 }
911
912 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]913
914 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]915}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]916
917/*
918 * AES-CFB8 buffer encryption/decryption
919 */
920#include <stdio.h>
921int aes_crypt_cfb8( aes_context *ctx,
922 int mode,
923 size_t length,
924 unsigned char iv[16],
925 const unsigned char *input,
926 unsigned char *output )
927{
928 unsigned char c;
929 unsigned char ov[17];
930
931 while( length-- )
932 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]933 memcpy( ov, iv, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]934 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
935
936 if( mode == AES_DECRYPT )
937 ov[16] = *input;
938
939 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
940
941 if( mode == AES_ENCRYPT )
942 ov[16] = c;
943
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]944 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]945 }
946
947 return( 0 );
948}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]949#endif /*POLARSSL_CIPHER_MODE_CFB */
950
951#if defined(POLARSSL_CIPHER_MODE_CTR)
952/*
953 * AES-CTR buffer encryption/decryption
954 */
955int aes_crypt_ctr( aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]956 size_t length,
957 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]958 unsigned char nonce_counter[16],
959 unsigned char stream_block[16],
960 const unsigned char *input,
961 unsigned char *output )
962{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]963 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]964 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]965
966 while( length-- )
967 {
968 if( n == 0 ) {
969 aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
970
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]971 for( i = 16; i > 0; i-- )
972 if( ++nonce_counter[i - 1] != 0 )
973 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]974 }
975 c = *input++;
976 *output++ = (unsigned char)( c ^ stream_block[n] );
977
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]978 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]979 }
980
981 *nc_off = n;
982
983 return( 0 );
984}
985#endif /* POLARSSL_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]986
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]987#endif /* !POLARSSL_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]988
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]989#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]990
991#include <stdio.h>
992
993/*
994 * AES test vectors from:
995 *
996 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
997 */
998static const unsigned char aes_test_ecb_dec[3][16] =
999{
1000 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1001 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1002 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1003 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1004 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1005 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1006};
1007
1008static const unsigned char aes_test_ecb_enc[3][16] =
1009{
1010 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1011 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1012 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1013 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1014 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1015 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1016};
1017
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1018#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1019static const unsigned char aes_test_cbc_dec[3][16] =
1020{
1021 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1022 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1023 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1024 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1025 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1026 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1027};
1028
1029static const unsigned char aes_test_cbc_enc[3][16] =
1030{
1031 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1032 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1033 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1034 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1035 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1036 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1037};
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1038#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1039
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1040#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1041/*
1042 * AES-CFB128 test vectors from:
1043 *
1044 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1045 */
1046static const unsigned char aes_test_cfb128_key[3][32] =
1047{
1048 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1049 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1050 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1051 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1052 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1053 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1054 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1055 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1056 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1057};
1058
1059static const unsigned char aes_test_cfb128_iv[16] =
1060{
1061 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1062 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1063};
1064
1065static const unsigned char aes_test_cfb128_pt[64] =
1066{
1067 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1068 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1069 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1070 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1071 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1072 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1073 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1074 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1075};
1076
1077static const unsigned char aes_test_cfb128_ct[3][64] =
1078{
1079 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1080 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1081 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1082 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1083 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1084 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1085 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1086 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1087 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1088 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1089 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1090 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1091 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1092 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1093 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1094 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1095 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1096 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1097 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1098 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1099 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1100 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1101 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1102 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1103};
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1104#endif /* POLARSSL_CIPHER_MODE_CFB */
1105
1106#if defined(POLARSSL_CIPHER_MODE_CTR)
1107/*
1108 * AES-CTR test vectors from:
1109 *
1110 * http://www.faqs.org/rfcs/rfc3686.html
1111 */
1112
1113static const unsigned char aes_test_ctr_key[3][16] =
1114{
1115 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1116 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1117 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1118 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1119 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1120 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1121};
1122
1123static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1124{
1125 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1126 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1127 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1128 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1129 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1130 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1131};
1132
1133static const unsigned char aes_test_ctr_pt[3][48] =
1134{
1135 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1136 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1137
1138 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1139 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1140 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1141 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1142
1143 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1144 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1145 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1146 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1147 0x20, 0x21, 0x22, 0x23 }
1148};
1149
1150static const unsigned char aes_test_ctr_ct[3][48] =
1151{
1152 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1153 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1154 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1155 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1156 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1157 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1158 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1159 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1160 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1161 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1162 0x25, 0xB2, 0x07, 0x2F }
1163};
1164
1165static const int aes_test_ctr_len[3] =
1166 { 16, 32, 36 };
1167#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1168
1169/*
1170 * Checkup routine
1171 */
1172int aes_self_test( int verbose )
1173{
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1174 int i, j, u, v;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1175 unsigned char key[32];
1176 unsigned char buf[64];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1177 unsigned char iv[16];
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1178#if defined(POLARSSL_CIPHER_MODE_CBC)
1179 unsigned char prv[16];
1180#endif
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1181#if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1182 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1183#endif
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1184#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1185 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1186 unsigned char nonce_counter[16];
1187 unsigned char stream_block[16];
1188#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1189 aes_context ctx;
1190
1191 memset( key, 0, 32 );
1192
1193 /*
1194 * ECB mode
1195 */
1196 for( i = 0; i < 6; i++ )
1197 {
1198 u = i >> 1;
1199 v = i & 1;
1200
1201 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1202 polarssl_printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1203 ( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1204
1205 memset( buf, 0, 16 );
1206
1207 if( v == AES_DECRYPT )
1208 {
1209 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1210
1211 for( j = 0; j < 10000; j++ )
1212 aes_crypt_ecb( &ctx, v, buf, buf );
1213
1214 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1215 {
1216 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1217 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1218
1219 return( 1 );
1220 }
1221 }
1222 else
1223 {
1224 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1225
1226 for( j = 0; j < 10000; j++ )
1227 aes_crypt_ecb( &ctx, v, buf, buf );
1228
1229 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1230 {
1231 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1232 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1233
1234 return( 1 );
1235 }
1236 }
1237
1238 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1239 polarssl_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1240 }
1241
1242 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1243 polarssl_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1244
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1245#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1246 /*
1247 * CBC mode
1248 */
1249 for( i = 0; i < 6; i++ )
1250 {
1251 u = i >> 1;
1252 v = i & 1;
1253
1254 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1255 polarssl_printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1256 ( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1257
1258 memset( iv , 0, 16 );
1259 memset( prv, 0, 16 );
1260 memset( buf, 0, 16 );
1261
1262 if( v == AES_DECRYPT )
1263 {
1264 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1265
1266 for( j = 0; j < 10000; j++ )
1267 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1268
1269 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1270 {
1271 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1272 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1273
1274 return( 1 );
1275 }
1276 }
1277 else
1278 {
1279 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1280
1281 for( j = 0; j < 10000; j++ )
1282 {
1283 unsigned char tmp[16];
1284
1285 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1286
1287 memcpy( tmp, prv, 16 );
1288 memcpy( prv, buf, 16 );
1289 memcpy( buf, tmp, 16 );
1290 }
1291
1292 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1293 {
1294 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1295 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1296
1297 return( 1 );
1298 }
1299 }
1300
1301 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1302 polarssl_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1303 }
1304
1305 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1306 polarssl_printf( "\n" );
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1307#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1308
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1309#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1310 /*
1311 * CFB128 mode
1312 */
1313 for( i = 0; i < 6; i++ )
1314 {
1315 u = i >> 1;
1316 v = i & 1;
1317
1318 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1319 polarssl_printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1320 ( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1321
1322 memcpy( iv, aes_test_cfb128_iv, 16 );
1323 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1324
1325 offset = 0;
1326 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1327
1328 if( v == AES_DECRYPT )
1329 {
1330 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1331 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1332
1333 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1334 {
1335 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1336 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1337
1338 return( 1 );
1339 }
1340 }
1341 else
1342 {
1343 memcpy( buf, aes_test_cfb128_pt, 64 );
1344 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1345
1346 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1347 {
1348 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1349 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1350
1351 return( 1 );
1352 }
1353 }
1354
1355 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1356 polarssl_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1357 }
1358
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1359 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1360 polarssl_printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1361#endif /* POLARSSL_CIPHER_MODE_CFB */
1362
1363#if defined(POLARSSL_CIPHER_MODE_CTR)
1364 /*
1365 * CTR mode
1366 */
1367 for( i = 0; i < 6; i++ )
1368 {
1369 u = i >> 1;
1370 v = i & 1;
1371
1372 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1373 polarssl_printf( " AES-CTR-128 (%s): ",
1374 ( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1375
1376 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1377 memcpy( key, aes_test_ctr_key[u], 16 );
1378
1379 offset = 0;
1380 aes_setkey_enc( &ctx, key, 128 );
1381
1382 if( v == AES_DECRYPT )
1383 {
1384 len = aes_test_ctr_len[u];
1385 memcpy( buf, aes_test_ctr_ct[u], len );
1386
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]1387 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1388 buf, buf );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1389
1390 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1391 {
1392 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1393 polarssl_printf( "failed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1394
1395 return( 1 );
1396 }
1397 }
1398 else
1399 {
1400 len = aes_test_ctr_len[u];
1401 memcpy( buf, aes_test_ctr_pt[u], len );
1402
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]1403 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1404 buf, buf );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1405
1406 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1407 {
1408 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1409 polarssl_printf( "failed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1410
1411 return( 1 );
1412 }
1413 }
1414
1415 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1416 polarssl_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1417 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1418
1419 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1420 polarssl_printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1421#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1422
1423 return( 0 );
1424}
1425
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1426#endif /* POLARSSL_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1427
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1428#endif /* POLARSSL_AES_C */