TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / afd5a08e33b51b8f86d4ecf980a92238daeecce7 / . / library / aes.c
blob: c03cbbe83bfe5b058a11706331c731809836274c [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]4 * Copyright (C) 2006-2014, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27 *
28 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30 */
31
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#if !defined(POLARSSL_CONFIG_FILE)
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]33#include "polarssl/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]34#else
35#include POLARSSL_CONFIG_FILE
36#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]37
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]39
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]40#include "polarssl/aes.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]41#if defined(POLARSSL_PADLOCK_C)
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]42#include "polarssl/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]43#endif
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]44#if defined(POLARSSL_AESNI_C)
45#include "polarssl/aesni.h"
46#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]48#if defined(POLARSSL_PLATFORM_C)
49#include "polarssl/platform.h"
50#else
51#define polarssl_printf printf
52#endif
53
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]54#if !defined(POLARSSL_AES_ALT)
55
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]56/*
57 * 32-bit integer manipulation macros (little endian)
58 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]59#ifndef GET_UINT32_LE
60#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]61{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]62 (n) = ( (uint32_t) (b)[(i) ] ) \
63 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
64 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
65 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]66}
67#endif
68
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]69#ifndef PUT_UINT32_LE
70#define PUT_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]71{ \
72 (b)[(i) ] = (unsigned char) ( (n) ); \
73 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
74 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
75 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
76}
77#endif
78
Paul Bakker0e19e9f2012-10-01 11:02:48 +0000[diff] [blame]79#if defined(POLARSSL_PADLOCK_C) && \
80 ( defined(POLARSSL_HAVE_X86) || defined(PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]81static int aes_padlock_ace = -1;
82#endif
83
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]84#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]85/*
86 * Forward S-box
87 */
88static const unsigned char FSb[256] =
89{
90 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
91 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
92 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
93 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
94 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
95 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
96 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
97 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
98 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
99 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
100 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
101 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
102 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
103 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
104 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
105 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
106 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
107 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
108 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
109 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
110 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
111 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
112 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
113 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
114 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
115 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
116 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
117 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
118 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
119 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
120 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
121 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
122};
123
124/*
125 * Forward tables
126 */
127#define FT \
128\
129 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
130 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
131 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
132 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
133 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
134 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
135 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
136 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
137 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
138 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
139 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
140 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
141 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
142 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
143 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
144 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
145 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
146 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
147 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
148 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
149 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
150 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
151 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
152 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
153 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
154 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
155 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
156 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
157 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
158 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
159 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
160 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
161 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
162 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
163 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
164 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
165 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
166 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
167 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
168 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
169 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
170 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
171 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
172 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
173 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
174 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
175 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
176 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
177 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
178 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
179 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
180 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
181 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
182 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
183 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
184 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
185 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
186 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
187 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
188 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
189 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
190 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
191 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
192 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
193
194#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]195static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]196#undef V
197
198#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]199static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]200#undef V
201
202#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]203static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]204#undef V
205
206#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]207static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]208#undef V
209
210#undef FT
211
212/*
213 * Reverse S-box
214 */
215static const unsigned char RSb[256] =
216{
217 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
218 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
219 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
220 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
221 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
222 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
223 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
224 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
225 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
226 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
227 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
228 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
229 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
230 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
231 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
232 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
233 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
234 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
235 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
236 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
237 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
238 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
239 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
240 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
241 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
242 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
243 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
244 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
245 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
246 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
247 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
248 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
249};
250
251/*
252 * Reverse tables
253 */
254#define RT \
255\
256 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
257 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
258 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
259 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
260 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
261 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
262 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
263 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
264 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
265 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
266 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
267 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
268 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
269 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
270 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
271 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
272 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
273 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
274 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
275 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
276 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
277 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
278 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
279 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
280 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
281 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
282 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
283 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
284 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
285 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
286 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
287 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
288 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
289 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
290 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
291 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
292 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
293 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
294 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
295 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
296 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
297 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
298 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
299 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
300 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
301 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
302 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
303 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
304 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
305 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
306 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
307 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
308 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
309 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
310 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
311 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
312 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
313 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
314 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
315 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
316 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
317 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
318 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
319 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
320
321#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]322static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]323#undef V
324
325#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]326static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]327#undef V
328
329#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]330static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]331#undef V
332
333#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]334static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]335#undef V
336
337#undef RT
338
339/*
340 * Round constants
341 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]342static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]343{
344 0x00000001, 0x00000002, 0x00000004, 0x00000008,
345 0x00000010, 0x00000020, 0x00000040, 0x00000080,
346 0x0000001B, 0x00000036
347};
348
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]349#else /* POLARSSL_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]350
351/*
352 * Forward S-box & tables
353 */
354static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]355static uint32_t FT0[256];
356static uint32_t FT1[256];
357static uint32_t FT2[256];
358static uint32_t FT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]359
360/*
361 * Reverse S-box & tables
362 */
363static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]364static uint32_t RT0[256];
365static uint32_t RT1[256];
366static uint32_t RT2[256];
367static uint32_t RT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]368
369/*
370 * Round constants
371 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]372static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]373
374/*
375 * Tables generation code
376 */
377#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
378#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
379#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
380
381static int aes_init_done = 0;
382
383static void aes_gen_tables( void )
384{
385 int i, x, y, z;
386 int pow[256];
387 int log[256];
388
389 /*
390 * compute pow and log tables over GF(2^8)
391 */
392 for( i = 0, x = 1; i < 256; i++ )
393 {
394 pow[i] = x;
395 log[x] = i;
396 x = ( x ^ XTIME( x ) ) & 0xFF;
397 }
398
399 /*
400 * calculate the round constants
401 */
402 for( i = 0, x = 1; i < 10; i++ )
403 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]404 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]405 x = XTIME( x ) & 0xFF;
406 }
407
408 /*
409 * generate the forward and reverse S-boxes
410 */
411 FSb[0x00] = 0x63;
412 RSb[0x63] = 0x00;
413
414 for( i = 1; i < 256; i++ )
415 {
416 x = pow[255 - log[i]];
417
418 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
419 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
420 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
421 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
422 x ^= y ^ 0x63;
423
424 FSb[i] = (unsigned char) x;
425 RSb[x] = (unsigned char) i;
426 }
427
428 /*
429 * generate the forward and reverse tables
430 */
431 for( i = 0; i < 256; i++ )
432 {
433 x = FSb[i];
434 y = XTIME( x ) & 0xFF;
435 z = ( y ^ x ) & 0xFF;
436
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]437 FT0[i] = ( (uint32_t) y ) ^
438 ( (uint32_t) x << 8 ) ^
439 ( (uint32_t) x << 16 ) ^
440 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]441
442 FT1[i] = ROTL8( FT0[i] );
443 FT2[i] = ROTL8( FT1[i] );
444 FT3[i] = ROTL8( FT2[i] );
445
446 x = RSb[i];
447
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]448 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
449 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
450 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
451 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]452
453 RT1[i] = ROTL8( RT0[i] );
454 RT2[i] = ROTL8( RT1[i] );
455 RT3[i] = ROTL8( RT2[i] );
456 }
457}
458
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]459#endif /* POLARSSL_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]460
461/*
462 * AES key schedule (encryption)
463 */
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]464int aes_setkey_enc( aes_context *ctx, const unsigned char *key,
465 unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]466{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]467 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]468 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]469
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]470#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]471 if( aes_init_done == 0 )
472 {
473 aes_gen_tables();
474 aes_init_done = 1;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]475
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]476 }
477#endif
478
479 switch( keysize )
480 {
481 case 128: ctx->nr = 10; break;
482 case 192: ctx->nr = 12; break;
483 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]484 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]485 }
486
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]487#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
488 if( aes_padlock_ace == -1 )
489 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
490
491 if( aes_padlock_ace )
492 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
493 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]494#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]495 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]496
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]497#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
498 if( aesni_supports( POLARSSL_AESNI_AES ) )
Manuel Pégourié-Gonnardbfa3c9a2013-12-30 13:53:58 +0100[diff] [blame]499 return( aesni_setkey_enc( (unsigned char *) ctx->rk, key, keysize ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]500#endif
501
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]502 for( i = 0; i < (keysize >> 5); i++ )
503 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]504 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]505 }
506
507 switch( ctx->nr )
508 {
509 case 10:
510
511 for( i = 0; i < 10; i++, RK += 4 )
512 {
513 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]514 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
515 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
516 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
517 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]518
519 RK[5] = RK[1] ^ RK[4];
520 RK[6] = RK[2] ^ RK[5];
521 RK[7] = RK[3] ^ RK[6];
522 }
523 break;
524
525 case 12:
526
527 for( i = 0; i < 8; i++, RK += 6 )
528 {
529 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]530 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
531 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
532 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
533 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]534
535 RK[7] = RK[1] ^ RK[6];
536 RK[8] = RK[2] ^ RK[7];
537 RK[9] = RK[3] ^ RK[8];
538 RK[10] = RK[4] ^ RK[9];
539 RK[11] = RK[5] ^ RK[10];
540 }
541 break;
542
543 case 14:
544
545 for( i = 0; i < 7; i++, RK += 8 )
546 {
547 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]548 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
549 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
550 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
551 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]552
553 RK[9] = RK[1] ^ RK[8];
554 RK[10] = RK[2] ^ RK[9];
555 RK[11] = RK[3] ^ RK[10];
556
557 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]558 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
559 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
560 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
561 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]562
563 RK[13] = RK[5] ^ RK[12];
564 RK[14] = RK[6] ^ RK[13];
565 RK[15] = RK[7] ^ RK[14];
566 }
567 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]568 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]569
570 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]571}
572
573/*
574 * AES key schedule (decryption)
575 */
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]576int aes_setkey_dec( aes_context *ctx, const unsigned char *key,
577 unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]578{
579 int i, j;
580 aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]581 uint32_t *RK;
582 uint32_t *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]583 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]584
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]585#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
586 if( aes_padlock_ace == -1 )
587 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
588
589 if( aes_padlock_ace )
590 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
591 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]592#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]593 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]594
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame^]595 /* Also checks keysize */
596 if( ( ret = aes_setkey_enc( &cty, key, keysize ) ) != 0 )
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]597 return( ret );
598
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame^]599 ctx->nr = cty.nr;
600
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]601#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
602 if( aesni_supports( POLARSSL_AESNI_AES ) )
603 {
604 aesni_inverse_key( (unsigned char *) ctx->rk,
605 (const unsigned char *) cty.rk, ctx->nr );
606 goto done;
607 }
608#endif
609
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]610 SK = cty.rk + cty.nr * 4;
611
612 *RK++ = *SK++;
613 *RK++ = *SK++;
614 *RK++ = *SK++;
615 *RK++ = *SK++;
616
617 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
618 {
619 for( j = 0; j < 4; j++, SK++ )
620 {
621 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
622 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
623 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
624 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
625 }
626 }
627
628 *RK++ = *SK++;
629 *RK++ = *SK++;
630 *RK++ = *SK++;
631 *RK++ = *SK++;
632
Paul Bakker0d0de922013-12-30 15:29:04 +0100[diff] [blame]633#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]634done:
Paul Bakker0d0de922013-12-30 15:29:04 +0100[diff] [blame]635#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]636 memset( &cty, 0, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]637
638 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]639}
640
641#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
642{ \
643 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
644 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
645 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
646 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
647 \
648 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
649 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
650 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
651 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
652 \
653 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
654 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
655 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
656 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
657 \
658 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
659 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
660 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
661 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
662}
663
664#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
665{ \
666 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
667 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
668 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
669 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
670 \
671 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
672 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
673 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
674 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
675 \
676 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
677 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
678 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
679 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
680 \
681 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
682 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
683 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
684 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
685}
686
687/*
688 * AES-ECB block encryption/decryption
689 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]690int aes_crypt_ecb( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]691 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]692 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]693 unsigned char output[16] )
694{
695 int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]696 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]697
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]698#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
Manuel Pégourié-Gonnard8eaf20b2013-12-18 19:14:53 +0100[diff] [blame]699 if( aesni_supports( POLARSSL_AESNI_AES ) )
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]700 return( aesni_crypt_ecb( ctx, mode, input, output ) );
701#endif
702
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]703#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]704 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]705 {
706 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]707 return( 0 );
708
709 // If padlock data misaligned, we just fall back to
710 // unaccelerated mode
711 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]712 }
713#endif
714
715 RK = ctx->rk;
716
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]717 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
718 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
719 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
720 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]721
722 if( mode == AES_DECRYPT )
723 {
724 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
725 {
726 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
727 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
728 }
729
730 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
731
732 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]733 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
734 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
735 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
736 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]737
738 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]739 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
740 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
741 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
742 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]743
744 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]745 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
746 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
747 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
748 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]749
750 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]751 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
752 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
753 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
754 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]755 }
756 else /* AES_ENCRYPT */
757 {
758 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
759 {
760 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
761 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
762 }
763
764 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
765
766 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]767 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
768 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
769 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
770 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]771
772 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]773 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
774 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
775 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
776 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]777
778 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]779 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
780 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
781 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
782 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]783
784 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]785 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
786 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
787 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
788 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]789 }
790
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]791 PUT_UINT32_LE( X0, output, 0 );
792 PUT_UINT32_LE( X1, output, 4 );
793 PUT_UINT32_LE( X2, output, 8 );
794 PUT_UINT32_LE( X3, output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]795
796 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]797}
798
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]799#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]800/*
801 * AES-CBC buffer encryption/decryption
802 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]803int aes_crypt_cbc( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]804 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]805 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]806 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]807 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]808 unsigned char *output )
809{
810 int i;
811 unsigned char temp[16];
812
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]813 if( length % 16 )
814 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
815
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]816#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]817 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]818 {
819 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]820 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]821
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]822 // If padlock data misaligned, we just fall back to
823 // unaccelerated mode
824 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]825 }
826#endif
827
828 if( mode == AES_DECRYPT )
829 {
830 while( length > 0 )
831 {
832 memcpy( temp, input, 16 );
833 aes_crypt_ecb( ctx, mode, input, output );
834
835 for( i = 0; i < 16; i++ )
836 output[i] = (unsigned char)( output[i] ^ iv[i] );
837
838 memcpy( iv, temp, 16 );
839
840 input += 16;
841 output += 16;
842 length -= 16;
843 }
844 }
845 else
846 {
847 while( length > 0 )
848 {
849 for( i = 0; i < 16; i++ )
850 output[i] = (unsigned char)( input[i] ^ iv[i] );
851
852 aes_crypt_ecb( ctx, mode, output, output );
853 memcpy( iv, output, 16 );
854
855 input += 16;
856 output += 16;
857 length -= 16;
858 }
859 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]860
861 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]862}
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]863#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]864
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]865#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]866/*
867 * AES-CFB128 buffer encryption/decryption
868 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]869int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]870 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]871 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]872 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]873 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]874 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]875 unsigned char *output )
876{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]877 int c;
878 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]879
880 if( mode == AES_DECRYPT )
881 {
882 while( length-- )
883 {
884 if( n == 0 )
885 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
886
887 c = *input++;
888 *output++ = (unsigned char)( c ^ iv[n] );
889 iv[n] = (unsigned char) c;
890
891 n = (n + 1) & 0x0F;
892 }
893 }
894 else
895 {
896 while( length-- )
897 {
898 if( n == 0 )
899 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
900
901 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
902
903 n = (n + 1) & 0x0F;
904 }
905 }
906
907 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]908
909 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]910}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]911
912/*
913 * AES-CFB8 buffer encryption/decryption
914 */
915#include <stdio.h>
916int aes_crypt_cfb8( aes_context *ctx,
917 int mode,
918 size_t length,
919 unsigned char iv[16],
920 const unsigned char *input,
921 unsigned char *output )
922{
923 unsigned char c;
924 unsigned char ov[17];
925
926 while( length-- )
927 {
928 memcpy(ov, iv, 16);
929 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
930
931 if( mode == AES_DECRYPT )
932 ov[16] = *input;
933
934 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
935
936 if( mode == AES_ENCRYPT )
937 ov[16] = c;
938
939 memcpy(iv, ov + 1, 16);
940 }
941
942 return( 0 );
943}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]944#endif /*POLARSSL_CIPHER_MODE_CFB */
945
946#if defined(POLARSSL_CIPHER_MODE_CTR)
947/*
948 * AES-CTR buffer encryption/decryption
949 */
950int aes_crypt_ctr( aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]951 size_t length,
952 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]953 unsigned char nonce_counter[16],
954 unsigned char stream_block[16],
955 const unsigned char *input,
956 unsigned char *output )
957{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]958 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]959 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]960
961 while( length-- )
962 {
963 if( n == 0 ) {
964 aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
965
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]966 for( i = 16; i > 0; i-- )
967 if( ++nonce_counter[i - 1] != 0 )
968 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]969 }
970 c = *input++;
971 *output++ = (unsigned char)( c ^ stream_block[n] );
972
973 n = (n + 1) & 0x0F;
974 }
975
976 *nc_off = n;
977
978 return( 0 );
979}
980#endif /* POLARSSL_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]981
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]982#endif /* !POLARSSL_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]983
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]984#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]985
986#include <stdio.h>
987
988/*
989 * AES test vectors from:
990 *
991 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
992 */
993static const unsigned char aes_test_ecb_dec[3][16] =
994{
995 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
996 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
997 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
998 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
999 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1000 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1001};
1002
1003static const unsigned char aes_test_ecb_enc[3][16] =
1004{
1005 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1006 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1007 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1008 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1009 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1010 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1011};
1012
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1013#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1014static const unsigned char aes_test_cbc_dec[3][16] =
1015{
1016 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1017 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1018 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1019 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1020 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1021 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1022};
1023
1024static const unsigned char aes_test_cbc_enc[3][16] =
1025{
1026 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1027 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1028 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1029 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1030 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1031 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1032};
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1033#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1034
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1035#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1036/*
1037 * AES-CFB128 test vectors from:
1038 *
1039 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1040 */
1041static const unsigned char aes_test_cfb128_key[3][32] =
1042{
1043 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1044 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1045 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1046 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1047 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1048 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1049 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1050 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1051 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1052};
1053
1054static const unsigned char aes_test_cfb128_iv[16] =
1055{
1056 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1057 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1058};
1059
1060static const unsigned char aes_test_cfb128_pt[64] =
1061{
1062 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1063 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1064 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1065 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1066 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1067 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1068 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1069 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1070};
1071
1072static const unsigned char aes_test_cfb128_ct[3][64] =
1073{
1074 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1075 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1076 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1077 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1078 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1079 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1080 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1081 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1082 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1083 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1084 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1085 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1086 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1087 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1088 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1089 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1090 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1091 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1092 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1093 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1094 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1095 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1096 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1097 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1098};
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1099#endif /* POLARSSL_CIPHER_MODE_CFB */
1100
1101#if defined(POLARSSL_CIPHER_MODE_CTR)
1102/*
1103 * AES-CTR test vectors from:
1104 *
1105 * http://www.faqs.org/rfcs/rfc3686.html
1106 */
1107
1108static const unsigned char aes_test_ctr_key[3][16] =
1109{
1110 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1111 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1112 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1113 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1114 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1115 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1116};
1117
1118static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1119{
1120 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1121 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1122 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1123 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1124 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1125 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1126};
1127
1128static const unsigned char aes_test_ctr_pt[3][48] =
1129{
1130 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1131 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1132
1133 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1134 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1135 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1136 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1137
1138 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1139 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1140 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1141 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1142 0x20, 0x21, 0x22, 0x23 }
1143};
1144
1145static const unsigned char aes_test_ctr_ct[3][48] =
1146{
1147 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1148 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1149 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1150 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1151 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1152 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1153 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1154 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1155 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1156 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1157 0x25, 0xB2, 0x07, 0x2F }
1158};
1159
1160static const int aes_test_ctr_len[3] =
1161 { 16, 32, 36 };
1162#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1163
1164/*
1165 * Checkup routine
1166 */
1167int aes_self_test( int verbose )
1168{
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1169 int i, j, u, v;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1170 unsigned char key[32];
1171 unsigned char buf[64];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1172 unsigned char iv[16];
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1173#if defined(POLARSSL_CIPHER_MODE_CBC)
1174 unsigned char prv[16];
1175#endif
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1176#if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1177 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1178#endif
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1179#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1180 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1181 unsigned char nonce_counter[16];
1182 unsigned char stream_block[16];
1183#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1184 aes_context ctx;
1185
1186 memset( key, 0, 32 );
1187
1188 /*
1189 * ECB mode
1190 */
1191 for( i = 0; i < 6; i++ )
1192 {
1193 u = i >> 1;
1194 v = i & 1;
1195
1196 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1197 polarssl_printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1198 ( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1199
1200 memset( buf, 0, 16 );
1201
1202 if( v == AES_DECRYPT )
1203 {
1204 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1205
1206 for( j = 0; j < 10000; j++ )
1207 aes_crypt_ecb( &ctx, v, buf, buf );
1208
1209 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1210 {
1211 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1212 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1213
1214 return( 1 );
1215 }
1216 }
1217 else
1218 {
1219 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1220
1221 for( j = 0; j < 10000; j++ )
1222 aes_crypt_ecb( &ctx, v, buf, buf );
1223
1224 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1225 {
1226 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1227 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1228
1229 return( 1 );
1230 }
1231 }
1232
1233 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1234 polarssl_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1235 }
1236
1237 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1238 polarssl_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1239
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1240#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1241 /*
1242 * CBC mode
1243 */
1244 for( i = 0; i < 6; i++ )
1245 {
1246 u = i >> 1;
1247 v = i & 1;
1248
1249 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1250 polarssl_printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1251 ( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1252
1253 memset( iv , 0, 16 );
1254 memset( prv, 0, 16 );
1255 memset( buf, 0, 16 );
1256
1257 if( v == AES_DECRYPT )
1258 {
1259 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1260
1261 for( j = 0; j < 10000; j++ )
1262 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1263
1264 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1265 {
1266 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1267 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1268
1269 return( 1 );
1270 }
1271 }
1272 else
1273 {
1274 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1275
1276 for( j = 0; j < 10000; j++ )
1277 {
1278 unsigned char tmp[16];
1279
1280 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1281
1282 memcpy( tmp, prv, 16 );
1283 memcpy( prv, buf, 16 );
1284 memcpy( buf, tmp, 16 );
1285 }
1286
1287 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1288 {
1289 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1290 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1291
1292 return( 1 );
1293 }
1294 }
1295
1296 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1297 polarssl_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1298 }
1299
1300 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1301 polarssl_printf( "\n" );
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1302#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1303
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1304#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1305 /*
1306 * CFB128 mode
1307 */
1308 for( i = 0; i < 6; i++ )
1309 {
1310 u = i >> 1;
1311 v = i & 1;
1312
1313 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1314 polarssl_printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1315 ( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1316
1317 memcpy( iv, aes_test_cfb128_iv, 16 );
1318 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1319
1320 offset = 0;
1321 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1322
1323 if( v == AES_DECRYPT )
1324 {
1325 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1326 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1327
1328 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1329 {
1330 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1331 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1332
1333 return( 1 );
1334 }
1335 }
1336 else
1337 {
1338 memcpy( buf, aes_test_cfb128_pt, 64 );
1339 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1340
1341 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1342 {
1343 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1344 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1345
1346 return( 1 );
1347 }
1348 }
1349
1350 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1351 polarssl_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1352 }
1353
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1354 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1355 polarssl_printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1356#endif /* POLARSSL_CIPHER_MODE_CFB */
1357
1358#if defined(POLARSSL_CIPHER_MODE_CTR)
1359 /*
1360 * CTR mode
1361 */
1362 for( i = 0; i < 6; i++ )
1363 {
1364 u = i >> 1;
1365 v = i & 1;
1366
1367 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1368 polarssl_printf( " AES-CTR-128 (%s): ",
1369 ( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1370
1371 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1372 memcpy( key, aes_test_ctr_key[u], 16 );
1373
1374 offset = 0;
1375 aes_setkey_enc( &ctx, key, 128 );
1376
1377 if( v == AES_DECRYPT )
1378 {
1379 len = aes_test_ctr_len[u];
1380 memcpy( buf, aes_test_ctr_ct[u], len );
1381
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]1382 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1383 buf, buf );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1384
1385 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1386 {
1387 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1388 polarssl_printf( "failed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1389
1390 return( 1 );
1391 }
1392 }
1393 else
1394 {
1395 len = aes_test_ctr_len[u];
1396 memcpy( buf, aes_test_ctr_pt[u], len );
1397
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]1398 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1399 buf, buf );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1400
1401 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1402 {
1403 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1404 polarssl_printf( "failed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1405
1406 return( 1 );
1407 }
1408 }
1409
1410 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1411 polarssl_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1412 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1413
1414 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1415 polarssl_printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1416#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1417
1418 return( 0 );
1419}
1420
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1421#endif /* POLARSSL_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1422
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1423#endif /* POLARSSL_AES_C */