TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 1be81a4e5feca5b46aa886b55a0096f2dfb33c1b / . / library / aes.c
blob: 7e768e0f46b80556c6a7ea5b20a8fb0328d27f28 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]4 * Copyright (C) 2006-2010, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27 *
28 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30 */
31
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]32#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#include "polarssl/aes.h"
37#include "polarssl/padlock.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]38
39#include <string.h>
40
41/*
42 * 32-bit integer manipulation macros (little endian)
43 */
44#ifndef GET_ULONG_LE
45#define GET_ULONG_LE(n,b,i) \
46{ \
47 (n) = ( (unsigned long) (b)[(i) ] ) \
48 | ( (unsigned long) (b)[(i) + 1] << 8 ) \
49 | ( (unsigned long) (b)[(i) + 2] << 16 ) \
50 | ( (unsigned long) (b)[(i) + 3] << 24 ); \
51}
52#endif
53
54#ifndef PUT_ULONG_LE
55#define PUT_ULONG_LE(n,b,i) \
56{ \
57 (b)[(i) ] = (unsigned char) ( (n) ); \
58 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
59 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
60 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
61}
62#endif
63
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]64#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65/*
66 * Forward S-box
67 */
68static const unsigned char FSb[256] =
69{
70 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
71 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
72 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
73 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
74 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
75 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
76 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
77 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
78 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
79 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
80 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
81 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
82 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
83 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
84 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
85 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
86 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
87 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
88 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
89 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
90 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
91 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
92 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
93 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
94 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
95 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
96 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
97 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
98 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
99 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
100 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
101 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
102};
103
104/*
105 * Forward tables
106 */
107#define FT \
108\
109 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
110 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
111 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
112 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
113 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
114 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
115 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
116 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
117 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
118 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
119 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
120 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
121 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
122 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
123 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
124 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
125 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
126 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
127 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
128 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
129 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
130 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
131 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
132 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
133 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
134 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
135 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
136 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
137 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
138 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
139 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
140 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
141 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
142 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
143 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
144 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
145 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
146 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
147 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
148 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
149 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
150 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
151 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
152 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
153 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
154 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
155 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
156 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
157 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
158 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
159 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
160 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
161 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
162 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
163 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
164 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
165 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
166 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
167 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
168 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
169 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
170 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
171 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
172 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
173
174#define V(a,b,c,d) 0x##a##b##c##d
175static const unsigned long FT0[256] = { FT };
176#undef V
177
178#define V(a,b,c,d) 0x##b##c##d##a
179static const unsigned long FT1[256] = { FT };
180#undef V
181
182#define V(a,b,c,d) 0x##c##d##a##b
183static const unsigned long FT2[256] = { FT };
184#undef V
185
186#define V(a,b,c,d) 0x##d##a##b##c
187static const unsigned long FT3[256] = { FT };
188#undef V
189
190#undef FT
191
192/*
193 * Reverse S-box
194 */
195static const unsigned char RSb[256] =
196{
197 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
198 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
199 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
200 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
201 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
202 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
203 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
204 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
205 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
206 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
207 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
208 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
209 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
210 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
211 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
212 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
213 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
214 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
215 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
216 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
217 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
218 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
219 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
220 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
221 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
222 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
223 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
224 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
225 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
226 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
227 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
228 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
229};
230
231/*
232 * Reverse tables
233 */
234#define RT \
235\
236 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
237 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
238 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
239 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
240 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
241 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
242 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
243 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
244 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
245 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
246 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
247 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
248 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
249 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
250 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
251 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
252 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
253 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
254 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
255 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
256 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
257 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
258 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
259 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
260 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
261 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
262 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
263 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
264 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
265 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
266 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
267 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
268 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
269 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
270 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
271 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
272 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
273 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
274 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
275 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
276 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
277 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
278 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
279 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
280 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
281 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
282 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
283 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
284 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
285 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
286 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
287 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
288 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
289 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
290 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
291 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
292 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
293 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
294 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
295 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
296 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
297 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
298 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
299 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
300
301#define V(a,b,c,d) 0x##a##b##c##d
302static const unsigned long RT0[256] = { RT };
303#undef V
304
305#define V(a,b,c,d) 0x##b##c##d##a
306static const unsigned long RT1[256] = { RT };
307#undef V
308
309#define V(a,b,c,d) 0x##c##d##a##b
310static const unsigned long RT2[256] = { RT };
311#undef V
312
313#define V(a,b,c,d) 0x##d##a##b##c
314static const unsigned long RT3[256] = { RT };
315#undef V
316
317#undef RT
318
319/*
320 * Round constants
321 */
322static const unsigned long RCON[10] =
323{
324 0x00000001, 0x00000002, 0x00000004, 0x00000008,
325 0x00000010, 0x00000020, 0x00000040, 0x00000080,
326 0x0000001B, 0x00000036
327};
328
329#else
330
331/*
332 * Forward S-box & tables
333 */
334static unsigned char FSb[256];
335static unsigned long FT0[256];
336static unsigned long FT1[256];
337static unsigned long FT2[256];
338static unsigned long FT3[256];
339
340/*
341 * Reverse S-box & tables
342 */
343static unsigned char RSb[256];
344static unsigned long RT0[256];
345static unsigned long RT1[256];
346static unsigned long RT2[256];
347static unsigned long RT3[256];
348
349/*
350 * Round constants
351 */
352static unsigned long RCON[10];
353
354/*
355 * Tables generation code
356 */
357#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
358#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
359#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
360
361static int aes_init_done = 0;
362
363static void aes_gen_tables( void )
364{
365 int i, x, y, z;
366 int pow[256];
367 int log[256];
368
369 /*
370 * compute pow and log tables over GF(2^8)
371 */
372 for( i = 0, x = 1; i < 256; i++ )
373 {
374 pow[i] = x;
375 log[x] = i;
376 x = ( x ^ XTIME( x ) ) & 0xFF;
377 }
378
379 /*
380 * calculate the round constants
381 */
382 for( i = 0, x = 1; i < 10; i++ )
383 {
384 RCON[i] = (unsigned long) x;
385 x = XTIME( x ) & 0xFF;
386 }
387
388 /*
389 * generate the forward and reverse S-boxes
390 */
391 FSb[0x00] = 0x63;
392 RSb[0x63] = 0x00;
393
394 for( i = 1; i < 256; i++ )
395 {
396 x = pow[255 - log[i]];
397
398 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
399 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
400 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
401 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
402 x ^= y ^ 0x63;
403
404 FSb[i] = (unsigned char) x;
405 RSb[x] = (unsigned char) i;
406 }
407
408 /*
409 * generate the forward and reverse tables
410 */
411 for( i = 0; i < 256; i++ )
412 {
413 x = FSb[i];
414 y = XTIME( x ) & 0xFF;
415 z = ( y ^ x ) & 0xFF;
416
417 FT0[i] = ( (unsigned long) y ) ^
418 ( (unsigned long) x << 8 ) ^
419 ( (unsigned long) x << 16 ) ^
420 ( (unsigned long) z << 24 );
421
422 FT1[i] = ROTL8( FT0[i] );
423 FT2[i] = ROTL8( FT1[i] );
424 FT3[i] = ROTL8( FT2[i] );
425
426 x = RSb[i];
427
428 RT0[i] = ( (unsigned long) MUL( 0x0E, x ) ) ^
429 ( (unsigned long) MUL( 0x09, x ) << 8 ) ^
430 ( (unsigned long) MUL( 0x0D, x ) << 16 ) ^
431 ( (unsigned long) MUL( 0x0B, x ) << 24 );
432
433 RT1[i] = ROTL8( RT0[i] );
434 RT2[i] = ROTL8( RT1[i] );
435 RT3[i] = ROTL8( RT2[i] );
436 }
437}
438
439#endif
440
441/*
442 * AES key schedule (encryption)
443 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]444int aes_setkey_enc( aes_context *ctx, const unsigned char *key, int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]445{
446 int i;
447 unsigned long *RK;
448
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]449#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]450 if( aes_init_done == 0 )
451 {
452 aes_gen_tables();
453 aes_init_done = 1;
454 }
455#endif
456
457 switch( keysize )
458 {
459 case 128: ctx->nr = 10; break;
460 case 192: ctx->nr = 12; break;
461 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]462 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]463 }
464
465#if defined(PADLOCK_ALIGN16)
466 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
467#else
468 ctx->rk = RK = ctx->buf;
469#endif
470
471 for( i = 0; i < (keysize >> 5); i++ )
472 {
473 GET_ULONG_LE( RK[i], key, i << 2 );
474 }
475
476 switch( ctx->nr )
477 {
478 case 10:
479
480 for( i = 0; i < 10; i++, RK += 4 )
481 {
482 RK[4] = RK[0] ^ RCON[i] ^
483 ( (unsigned long) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
484 ( (unsigned long) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
485 ( (unsigned long) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
486 ( (unsigned long) FSb[ ( RK[3] ) & 0xFF ] << 24 );
487
488 RK[5] = RK[1] ^ RK[4];
489 RK[6] = RK[2] ^ RK[5];
490 RK[7] = RK[3] ^ RK[6];
491 }
492 break;
493
494 case 12:
495
496 for( i = 0; i < 8; i++, RK += 6 )
497 {
498 RK[6] = RK[0] ^ RCON[i] ^
499 ( (unsigned long) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
500 ( (unsigned long) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
501 ( (unsigned long) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
502 ( (unsigned long) FSb[ ( RK[5] ) & 0xFF ] << 24 );
503
504 RK[7] = RK[1] ^ RK[6];
505 RK[8] = RK[2] ^ RK[7];
506 RK[9] = RK[3] ^ RK[8];
507 RK[10] = RK[4] ^ RK[9];
508 RK[11] = RK[5] ^ RK[10];
509 }
510 break;
511
512 case 14:
513
514 for( i = 0; i < 7; i++, RK += 8 )
515 {
516 RK[8] = RK[0] ^ RCON[i] ^
517 ( (unsigned long) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
518 ( (unsigned long) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
519 ( (unsigned long) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
520 ( (unsigned long) FSb[ ( RK[7] ) & 0xFF ] << 24 );
521
522 RK[9] = RK[1] ^ RK[8];
523 RK[10] = RK[2] ^ RK[9];
524 RK[11] = RK[3] ^ RK[10];
525
526 RK[12] = RK[4] ^
527 ( (unsigned long) FSb[ ( RK[11] ) & 0xFF ] ) ^
528 ( (unsigned long) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
529 ( (unsigned long) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
530 ( (unsigned long) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
531
532 RK[13] = RK[5] ^ RK[12];
533 RK[14] = RK[6] ^ RK[13];
534 RK[15] = RK[7] ^ RK[14];
535 }
536 break;
537
538 default:
539
540 break;
541 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]542
543 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]544}
545
546/*
547 * AES key schedule (decryption)
548 */
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]549int aes_setkey_dec( aes_context *ctx, const unsigned char *key, int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]550{
551 int i, j;
552 aes_context cty;
553 unsigned long *RK;
554 unsigned long *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]555 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]556
557 switch( keysize )
558 {
559 case 128: ctx->nr = 10; break;
560 case 192: ctx->nr = 12; break;
561 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]562 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]563 }
564
565#if defined(PADLOCK_ALIGN16)
566 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
567#else
568 ctx->rk = RK = ctx->buf;
569#endif
570
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]571 ret = aes_setkey_enc( &cty, key, keysize );
572 if( ret != 0 )
573 return( ret );
574
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]575 SK = cty.rk + cty.nr * 4;
576
577 *RK++ = *SK++;
578 *RK++ = *SK++;
579 *RK++ = *SK++;
580 *RK++ = *SK++;
581
582 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
583 {
584 for( j = 0; j < 4; j++, SK++ )
585 {
586 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
587 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
588 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
589 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
590 }
591 }
592
593 *RK++ = *SK++;
594 *RK++ = *SK++;
595 *RK++ = *SK++;
596 *RK++ = *SK++;
597
598 memset( &cty, 0, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]599
600 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]601}
602
603#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
604{ \
605 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
606 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
607 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
608 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
609 \
610 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
611 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
612 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
613 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
614 \
615 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
616 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
617 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
618 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
619 \
620 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
621 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
622 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
623 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
624}
625
626#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
627{ \
628 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
629 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
630 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
631 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
632 \
633 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
634 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
635 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
636 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
637 \
638 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
639 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
640 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
641 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
642 \
643 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
644 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
645 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
646 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
647}
648
649/*
650 * AES-ECB block encryption/decryption
651 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]652int aes_crypt_ecb( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]653 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]654 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]655 unsigned char output[16] )
656{
657 int i;
658 unsigned long *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
659
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]660#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]661 if( padlock_supports( PADLOCK_ACE ) )
662 {
663 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]664 return( 0 );
665
666 // If padlock data misaligned, we just fall back to
667 // unaccelerated mode
668 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]669 }
670#endif
671
672 RK = ctx->rk;
673
674 GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
675 GET_ULONG_LE( X1, input, 4 ); X1 ^= *RK++;
676 GET_ULONG_LE( X2, input, 8 ); X2 ^= *RK++;
677 GET_ULONG_LE( X3, input, 12 ); X3 ^= *RK++;
678
679 if( mode == AES_DECRYPT )
680 {
681 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
682 {
683 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
684 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
685 }
686
687 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
688
689 X0 = *RK++ ^ \
690 ( (unsigned long) RSb[ ( Y0 ) & 0xFF ] ) ^
691 ( (unsigned long) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
692 ( (unsigned long) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
693 ( (unsigned long) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
694
695 X1 = *RK++ ^ \
696 ( (unsigned long) RSb[ ( Y1 ) & 0xFF ] ) ^
697 ( (unsigned long) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
698 ( (unsigned long) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
699 ( (unsigned long) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
700
701 X2 = *RK++ ^ \
702 ( (unsigned long) RSb[ ( Y2 ) & 0xFF ] ) ^
703 ( (unsigned long) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
704 ( (unsigned long) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
705 ( (unsigned long) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
706
707 X3 = *RK++ ^ \
708 ( (unsigned long) RSb[ ( Y3 ) & 0xFF ] ) ^
709 ( (unsigned long) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
710 ( (unsigned long) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
711 ( (unsigned long) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
712 }
713 else /* AES_ENCRYPT */
714 {
715 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
716 {
717 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
718 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
719 }
720
721 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
722
723 X0 = *RK++ ^ \
724 ( (unsigned long) FSb[ ( Y0 ) & 0xFF ] ) ^
725 ( (unsigned long) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
726 ( (unsigned long) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
727 ( (unsigned long) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
728
729 X1 = *RK++ ^ \
730 ( (unsigned long) FSb[ ( Y1 ) & 0xFF ] ) ^
731 ( (unsigned long) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
732 ( (unsigned long) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
733 ( (unsigned long) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
734
735 X2 = *RK++ ^ \
736 ( (unsigned long) FSb[ ( Y2 ) & 0xFF ] ) ^
737 ( (unsigned long) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
738 ( (unsigned long) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
739 ( (unsigned long) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
740
741 X3 = *RK++ ^ \
742 ( (unsigned long) FSb[ ( Y3 ) & 0xFF ] ) ^
743 ( (unsigned long) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
744 ( (unsigned long) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
745 ( (unsigned long) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
746 }
747
748 PUT_ULONG_LE( X0, output, 0 );
749 PUT_ULONG_LE( X1, output, 4 );
750 PUT_ULONG_LE( X2, output, 8 );
751 PUT_ULONG_LE( X3, output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]752
753 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]754}
755
756/*
757 * AES-CBC buffer encryption/decryption
758 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]759int aes_crypt_cbc( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]760 int mode,
761 int length,
762 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]763 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]764 unsigned char *output )
765{
766 int i;
767 unsigned char temp[16];
768
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]769 if( length % 16 )
770 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
771
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]772#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]773 if( padlock_supports( PADLOCK_ACE ) )
774 {
775 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]776 return( 0 );
777
778 // If padlock data misaligned, we just fall back to
779 // unaccelerated mode
780 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]781 }
782#endif
783
784 if( mode == AES_DECRYPT )
785 {
786 while( length > 0 )
787 {
788 memcpy( temp, input, 16 );
789 aes_crypt_ecb( ctx, mode, input, output );
790
791 for( i = 0; i < 16; i++ )
792 output[i] = (unsigned char)( output[i] ^ iv[i] );
793
794 memcpy( iv, temp, 16 );
795
796 input += 16;
797 output += 16;
798 length -= 16;
799 }
800 }
801 else
802 {
803 while( length > 0 )
804 {
805 for( i = 0; i < 16; i++ )
806 output[i] = (unsigned char)( input[i] ^ iv[i] );
807
808 aes_crypt_ecb( ctx, mode, output, output );
809 memcpy( iv, output, 16 );
810
811 input += 16;
812 output += 16;
813 length -= 16;
814 }
815 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]816
817 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]818}
819
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]820#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]821/*
822 * AES-CFB128 buffer encryption/decryption
823 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]824int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]825 int mode,
826 int length,
827 int *iv_off,
828 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]829 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]830 unsigned char *output )
831{
832 int c, n = *iv_off;
833
834 if( mode == AES_DECRYPT )
835 {
836 while( length-- )
837 {
838 if( n == 0 )
839 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
840
841 c = *input++;
842 *output++ = (unsigned char)( c ^ iv[n] );
843 iv[n] = (unsigned char) c;
844
845 n = (n + 1) & 0x0F;
846 }
847 }
848 else
849 {
850 while( length-- )
851 {
852 if( n == 0 )
853 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
854
855 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
856
857 n = (n + 1) & 0x0F;
858 }
859 }
860
861 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]862
863 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]864}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]865#endif /*POLARSSL_CIPHER_MODE_CFB */
866
867#if defined(POLARSSL_CIPHER_MODE_CTR)
868/*
869 * AES-CTR buffer encryption/decryption
870 */
871int aes_crypt_ctr( aes_context *ctx,
872 int length,
873 int *nc_off,
874 unsigned char nonce_counter[16],
875 unsigned char stream_block[16],
876 const unsigned char *input,
877 unsigned char *output )
878{
879 int c, n = *nc_off, i, cb;
880
881 while( length-- )
882 {
883 if( n == 0 ) {
884 aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
885
886 i = 15;
887 do {
888 nonce_counter[i]++;
889 cb = nonce_counter[i] == 0;
890 } while( i-- && cb );
891
892 }
893 c = *input++;
894 *output++ = (unsigned char)( c ^ stream_block[n] );
895
896 n = (n + 1) & 0x0F;
897 }
898
899 *nc_off = n;
900
901 return( 0 );
902}
903#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]904
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]905#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]906
907#include <stdio.h>
908
909/*
910 * AES test vectors from:
911 *
912 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
913 */
914static const unsigned char aes_test_ecb_dec[3][16] =
915{
916 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
917 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
918 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
919 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
920 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
921 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
922};
923
924static const unsigned char aes_test_ecb_enc[3][16] =
925{
926 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
927 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
928 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
929 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
930 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
931 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
932};
933
934static const unsigned char aes_test_cbc_dec[3][16] =
935{
936 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
937 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
938 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
939 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
940 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
941 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
942};
943
944static const unsigned char aes_test_cbc_enc[3][16] =
945{
946 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
947 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
948 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
949 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
950 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
951 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
952};
953
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]954#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]955/*
956 * AES-CFB128 test vectors from:
957 *
958 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
959 */
960static const unsigned char aes_test_cfb128_key[3][32] =
961{
962 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
963 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
964 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
965 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
966 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
967 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
968 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
969 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
970 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
971};
972
973static const unsigned char aes_test_cfb128_iv[16] =
974{
975 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
976 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
977};
978
979static const unsigned char aes_test_cfb128_pt[64] =
980{
981 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
982 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
983 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
984 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
985 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
986 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
987 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
988 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
989};
990
991static const unsigned char aes_test_cfb128_ct[3][64] =
992{
993 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
994 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
995 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
996 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
997 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
998 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
999 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1000 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1001 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1002 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1003 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1004 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1005 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1006 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1007 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1008 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1009 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1010 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1011 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1012 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1013 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1014 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1015 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1016 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1017};
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1018#endif /* POLARSSL_CIPHER_MODE_CFB */
1019
1020#if defined(POLARSSL_CIPHER_MODE_CTR)
1021/*
1022 * AES-CTR test vectors from:
1023 *
1024 * http://www.faqs.org/rfcs/rfc3686.html
1025 */
1026
1027static const unsigned char aes_test_ctr_key[3][16] =
1028{
1029 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1030 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1031 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1032 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1033 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1034 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1035};
1036
1037static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1038{
1039 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1040 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1041 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1042 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1043 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1044 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1045};
1046
1047static const unsigned char aes_test_ctr_pt[3][48] =
1048{
1049 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1050 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1051
1052 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1053 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1054 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1055 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1056
1057 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1058 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1059 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1060 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1061 0x20, 0x21, 0x22, 0x23 }
1062};
1063
1064static const unsigned char aes_test_ctr_ct[3][48] =
1065{
1066 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1067 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1068 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1069 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1070 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1071 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1072 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1073 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1074 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1075 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1076 0x25, 0xB2, 0x07, 0x2F }
1077};
1078
1079static const int aes_test_ctr_len[3] =
1080 { 16, 32, 36 };
1081#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1082
1083/*
1084 * Checkup routine
1085 */
1086int aes_self_test( int verbose )
1087{
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1088 int i, j, u, v;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1089 unsigned char key[32];
1090 unsigned char buf[64];
1091 unsigned char prv[16];
1092 unsigned char iv[16];
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1093#if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
1094 int offset;
1095#endif
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1096#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1097 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1098 unsigned char nonce_counter[16];
1099 unsigned char stream_block[16];
1100#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1101 aes_context ctx;
1102
1103 memset( key, 0, 32 );
1104
1105 /*
1106 * ECB mode
1107 */
1108 for( i = 0; i < 6; i++ )
1109 {
1110 u = i >> 1;
1111 v = i & 1;
1112
1113 if( verbose != 0 )
1114 printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1115 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1116
1117 memset( buf, 0, 16 );
1118
1119 if( v == AES_DECRYPT )
1120 {
1121 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1122
1123 for( j = 0; j < 10000; j++ )
1124 aes_crypt_ecb( &ctx, v, buf, buf );
1125
1126 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1127 {
1128 if( verbose != 0 )
1129 printf( "failed\n" );
1130
1131 return( 1 );
1132 }
1133 }
1134 else
1135 {
1136 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1137
1138 for( j = 0; j < 10000; j++ )
1139 aes_crypt_ecb( &ctx, v, buf, buf );
1140
1141 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1142 {
1143 if( verbose != 0 )
1144 printf( "failed\n" );
1145
1146 return( 1 );
1147 }
1148 }
1149
1150 if( verbose != 0 )
1151 printf( "passed\n" );
1152 }
1153
1154 if( verbose != 0 )
1155 printf( "\n" );
1156
1157 /*
1158 * CBC mode
1159 */
1160 for( i = 0; i < 6; i++ )
1161 {
1162 u = i >> 1;
1163 v = i & 1;
1164
1165 if( verbose != 0 )
1166 printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1167 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1168
1169 memset( iv , 0, 16 );
1170 memset( prv, 0, 16 );
1171 memset( buf, 0, 16 );
1172
1173 if( v == AES_DECRYPT )
1174 {
1175 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1176
1177 for( j = 0; j < 10000; j++ )
1178 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1179
1180 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1181 {
1182 if( verbose != 0 )
1183 printf( "failed\n" );
1184
1185 return( 1 );
1186 }
1187 }
1188 else
1189 {
1190 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1191
1192 for( j = 0; j < 10000; j++ )
1193 {
1194 unsigned char tmp[16];
1195
1196 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1197
1198 memcpy( tmp, prv, 16 );
1199 memcpy( prv, buf, 16 );
1200 memcpy( buf, tmp, 16 );
1201 }
1202
1203 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1204 {
1205 if( verbose != 0 )
1206 printf( "failed\n" );
1207
1208 return( 1 );
1209 }
1210 }
1211
1212 if( verbose != 0 )
1213 printf( "passed\n" );
1214 }
1215
1216 if( verbose != 0 )
1217 printf( "\n" );
1218
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1219#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1220 /*
1221 * CFB128 mode
1222 */
1223 for( i = 0; i < 6; i++ )
1224 {
1225 u = i >> 1;
1226 v = i & 1;
1227
1228 if( verbose != 0 )
1229 printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1230 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1231
1232 memcpy( iv, aes_test_cfb128_iv, 16 );
1233 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1234
1235 offset = 0;
1236 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1237
1238 if( v == AES_DECRYPT )
1239 {
1240 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1241 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1242
1243 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1244 {
1245 if( verbose != 0 )
1246 printf( "failed\n" );
1247
1248 return( 1 );
1249 }
1250 }
1251 else
1252 {
1253 memcpy( buf, aes_test_cfb128_pt, 64 );
1254 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1255
1256 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1257 {
1258 if( verbose != 0 )
1259 printf( "failed\n" );
1260
1261 return( 1 );
1262 }
1263 }
1264
1265 if( verbose != 0 )
1266 printf( "passed\n" );
1267 }
1268
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1269 if( verbose != 0 )
1270 printf( "\n" );
1271#endif /* POLARSSL_CIPHER_MODE_CFB */
1272
1273#if defined(POLARSSL_CIPHER_MODE_CTR)
1274 /*
1275 * CTR mode
1276 */
1277 for( i = 0; i < 6; i++ )
1278 {
1279 u = i >> 1;
1280 v = i & 1;
1281
1282 if( verbose != 0 )
1283 printf( " AES-CTR-128 (%s): ",
1284 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1285
1286 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1287 memcpy( key, aes_test_ctr_key[u], 16 );
1288
1289 offset = 0;
1290 aes_setkey_enc( &ctx, key, 128 );
1291
1292 if( v == AES_DECRYPT )
1293 {
1294 len = aes_test_ctr_len[u];
1295 memcpy( buf, aes_test_ctr_ct[u], len );
1296
1297 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1298
1299 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1300 {
1301 if( verbose != 0 )
1302 printf( "failed\n" );
1303
1304 return( 1 );
1305 }
1306 }
1307 else
1308 {
1309 len = aes_test_ctr_len[u];
1310 memcpy( buf, aes_test_ctr_pt[u], len );
1311
1312 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1313
1314 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1315 {
1316 if( verbose != 0 )
1317 printf( "failed\n" );
1318
1319 return( 1 );
1320 }
1321 }
1322
1323 if( verbose != 0 )
1324 printf( "passed\n" );
1325 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1326
1327 if( verbose != 0 )
1328 printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1329#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1330
1331 return( 0 );
1332}
1333
1334#endif
1335
1336#endif