PolarSSL v1.3.3
aes.c
Go to the documentation of this file.
1 /*
2  * FIPS-197 compliant AES implementation
3  *
4  * Copyright (C) 2006-2013, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27  *
28  * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29  * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30  */
31 
32 #include "polarssl/config.h"
33 
34 #if defined(POLARSSL_AES_C)
35 
36 #include "polarssl/aes.h"
37 #if defined(POLARSSL_PADLOCK_C)
38 #include "polarssl/padlock.h"
39 #endif
40 #if defined(POLARSSL_AESNI_C)
41 #include "polarssl/aesni.h"
42 #endif
43 
44 #if !defined(POLARSSL_AES_ALT)
45 
46 /*
47  * 32-bit integer manipulation macros (little endian)
48  */
49 #ifndef GET_UINT32_LE
50 #define GET_UINT32_LE(n,b,i) \
51 { \
52  (n) = ( (uint32_t) (b)[(i) ] ) \
53  | ( (uint32_t) (b)[(i) + 1] << 8 ) \
54  | ( (uint32_t) (b)[(i) + 2] << 16 ) \
55  | ( (uint32_t) (b)[(i) + 3] << 24 ); \
56 }
57 #endif
58 
59 #ifndef PUT_UINT32_LE
60 #define PUT_UINT32_LE(n,b,i) \
61 { \
62  (b)[(i) ] = (unsigned char) ( (n) ); \
63  (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
64  (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
65  (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
66 }
67 #endif
68 
69 #if defined(POLARSSL_PADLOCK_C) && \
70  ( defined(POLARSSL_HAVE_X86) || defined(PADLOCK_ALIGN16) )
71 static int aes_padlock_ace = -1;
72 #endif
73 
74 #if defined(POLARSSL_AES_ROM_TABLES)
75 /*
76  * Forward S-box
77  */
78 static const unsigned char FSb[256] =
79 {
80  0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
81  0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
82  0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
83  0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
84  0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
85  0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
86  0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
87  0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
88  0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
89  0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
90  0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
91  0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
92  0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
93  0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
94  0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
95  0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
96  0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
97  0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
98  0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
99  0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
100  0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
101  0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
102  0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
103  0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
104  0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
105  0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
106  0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
107  0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
108  0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
109  0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
110  0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
111  0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
112 };
113 
114 /*
115  * Forward tables
116  */
117 #define FT \
118 \
119  V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
120  V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
121  V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
122  V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
123  V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
124  V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
125  V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
126  V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
127  V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
128  V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
129  V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
130  V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
131  V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
132  V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
133  V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
134  V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
135  V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
136  V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
137  V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
138  V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
139  V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
140  V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
141  V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
142  V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
143  V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
144  V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
145  V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
146  V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
147  V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
148  V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
149  V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
150  V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
151  V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
152  V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
153  V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
154  V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
155  V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
156  V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
157  V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
158  V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
159  V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
160  V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
161  V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
162  V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
163  V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
164  V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
165  V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
166  V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
167  V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
168  V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
169  V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
170  V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
171  V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
172  V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
173  V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
174  V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
175  V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
176  V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
177  V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
178  V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
179  V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
180  V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
181  V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
182  V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
183 
184 #define V(a,b,c,d) 0x##a##b##c##d
185 static const uint32_t FT0[256] = { FT };
186 #undef V
187 
188 #define V(a,b,c,d) 0x##b##c##d##a
189 static const uint32_t FT1[256] = { FT };
190 #undef V
191 
192 #define V(a,b,c,d) 0x##c##d##a##b
193 static const uint32_t FT2[256] = { FT };
194 #undef V
195 
196 #define V(a,b,c,d) 0x##d##a##b##c
197 static const uint32_t FT3[256] = { FT };
198 #undef V
199 
200 #undef FT
201 
202 /*
203  * Reverse S-box
204  */
205 static const unsigned char RSb[256] =
206 {
207  0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
208  0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
209  0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
210  0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
211  0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
212  0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
213  0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
214  0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
215  0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
216  0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
217  0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
218  0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
219  0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
220  0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
221  0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
222  0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
223  0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
224  0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
225  0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
226  0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
227  0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
228  0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
229  0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
230  0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
231  0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
232  0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
233  0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
234  0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
235  0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
236  0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
237  0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
238  0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
239 };
240 
241 /*
242  * Reverse tables
243  */
244 #define RT \
245 \
246  V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
247  V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
248  V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
249  V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
250  V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
251  V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
252  V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
253  V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
254  V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
255  V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
256  V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
257  V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
258  V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
259  V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
260  V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
261  V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
262  V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
263  V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
264  V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
265  V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
266  V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
267  V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
268  V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
269  V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
270  V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
271  V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
272  V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
273  V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
274  V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
275  V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
276  V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
277  V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
278  V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
279  V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
280  V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
281  V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
282  V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
283  V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
284  V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
285  V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
286  V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
287  V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
288  V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
289  V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
290  V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
291  V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
292  V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
293  V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
294  V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
295  V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
296  V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
297  V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
298  V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
299  V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
300  V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
301  V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
302  V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
303  V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
304  V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
305  V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
306  V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
307  V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
308  V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
309  V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
310 
311 #define V(a,b,c,d) 0x##a##b##c##d
312 static const uint32_t RT0[256] = { RT };
313 #undef V
314 
315 #define V(a,b,c,d) 0x##b##c##d##a
316 static const uint32_t RT1[256] = { RT };
317 #undef V
318 
319 #define V(a,b,c,d) 0x##c##d##a##b
320 static const uint32_t RT2[256] = { RT };
321 #undef V
322 
323 #define V(a,b,c,d) 0x##d##a##b##c
324 static const uint32_t RT3[256] = { RT };
325 #undef V
326 
327 #undef RT
328 
329 /*
330  * Round constants
331  */
332 static const uint32_t RCON[10] =
333 {
334  0x00000001, 0x00000002, 0x00000004, 0x00000008,
335  0x00000010, 0x00000020, 0x00000040, 0x00000080,
336  0x0000001B, 0x00000036
337 };
338 
339 #else
340 
341 /*
342  * Forward S-box & tables
343  */
344 static unsigned char FSb[256];
345 static uint32_t FT0[256];
346 static uint32_t FT1[256];
347 static uint32_t FT2[256];
348 static uint32_t FT3[256];
349 
350 /*
351  * Reverse S-box & tables
352  */
353 static unsigned char RSb[256];
354 static uint32_t RT0[256];
355 static uint32_t RT1[256];
356 static uint32_t RT2[256];
357 static uint32_t RT3[256];
358 
359 /*
360  * Round constants
361  */
362 static uint32_t RCON[10];
363 
364 /*
365  * Tables generation code
366  */
367 #define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
368 #define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
369 #define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
370 
371 static int aes_init_done = 0;
372 
373 static void aes_gen_tables( void )
374 {
375  int i, x, y, z;
376  int pow[256];
377  int log[256];
378 
379  /*
380  * compute pow and log tables over GF(2^8)
381  */
382  for( i = 0, x = 1; i < 256; i++ )
383  {
384  pow[i] = x;
385  log[x] = i;
386  x = ( x ^ XTIME( x ) ) & 0xFF;
387  }
388 
389  /*
390  * calculate the round constants
391  */
392  for( i = 0, x = 1; i < 10; i++ )
393  {
394  RCON[i] = (uint32_t) x;
395  x = XTIME( x ) & 0xFF;
396  }
397 
398  /*
399  * generate the forward and reverse S-boxes
400  */
401  FSb[0x00] = 0x63;
402  RSb[0x63] = 0x00;
403 
404  for( i = 1; i < 256; i++ )
405  {
406  x = pow[255 - log[i]];
407 
408  y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
409  x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
410  x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
411  x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
412  x ^= y ^ 0x63;
413 
414  FSb[i] = (unsigned char) x;
415  RSb[x] = (unsigned char) i;
416  }
417 
418  /*
419  * generate the forward and reverse tables
420  */
421  for( i = 0; i < 256; i++ )
422  {
423  x = FSb[i];
424  y = XTIME( x ) & 0xFF;
425  z = ( y ^ x ) & 0xFF;
426 
427  FT0[i] = ( (uint32_t) y ) ^
428  ( (uint32_t) x << 8 ) ^
429  ( (uint32_t) x << 16 ) ^
430  ( (uint32_t) z << 24 );
431 
432  FT1[i] = ROTL8( FT0[i] );
433  FT2[i] = ROTL8( FT1[i] );
434  FT3[i] = ROTL8( FT2[i] );
435 
436  x = RSb[i];
437 
438  RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
439  ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
440  ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
441  ( (uint32_t) MUL( 0x0B, x ) << 24 );
442 
443  RT1[i] = ROTL8( RT0[i] );
444  RT2[i] = ROTL8( RT1[i] );
445  RT3[i] = ROTL8( RT2[i] );
446  }
447 }
448 
449 #endif
450 
451 /*
452  * AES key schedule (encryption)
453  */
454 int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
455 {
456  unsigned int i;
457  uint32_t *RK;
458 
459 #if !defined(POLARSSL_AES_ROM_TABLES)
460  if( aes_init_done == 0 )
461  {
462  aes_gen_tables();
463  aes_init_done = 1;
464 
465  }
466 #endif
467 
468  switch( keysize )
469  {
470  case 128: ctx->nr = 10; break;
471  case 192: ctx->nr = 12; break;
472  case 256: ctx->nr = 14; break;
473  default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
474  }
475 
476 #if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
477  if( aes_padlock_ace == -1 )
478  aes_padlock_ace = padlock_supports( PADLOCK_ACE );
479 
480  if( aes_padlock_ace )
481  ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
482  else
483 #endif
484  ctx->rk = RK = ctx->buf;
485 
486 #if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
487  if( aesni_supports( POLARSSL_AESNI_AES ) )
488  return( aesni_setkey_enc( (unsigned char *) ctx->rk, key, keysize ) );
489 #endif
490 
491  for( i = 0; i < (keysize >> 5); i++ )
492  {
493  GET_UINT32_LE( RK[i], key, i << 2 );
494  }
495 
496  switch( ctx->nr )
497  {
498  case 10:
499 
500  for( i = 0; i < 10; i++, RK += 4 )
501  {
502  RK[4] = RK[0] ^ RCON[i] ^
503  ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
504  ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
505  ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
506  ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
507 
508  RK[5] = RK[1] ^ RK[4];
509  RK[6] = RK[2] ^ RK[5];
510  RK[7] = RK[3] ^ RK[6];
511  }
512  break;
513 
514  case 12:
515 
516  for( i = 0; i < 8; i++, RK += 6 )
517  {
518  RK[6] = RK[0] ^ RCON[i] ^
519  ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
520  ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
521  ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
522  ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
523 
524  RK[7] = RK[1] ^ RK[6];
525  RK[8] = RK[2] ^ RK[7];
526  RK[9] = RK[3] ^ RK[8];
527  RK[10] = RK[4] ^ RK[9];
528  RK[11] = RK[5] ^ RK[10];
529  }
530  break;
531 
532  case 14:
533 
534  for( i = 0; i < 7; i++, RK += 8 )
535  {
536  RK[8] = RK[0] ^ RCON[i] ^
537  ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
538  ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
539  ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
540  ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
541 
542  RK[9] = RK[1] ^ RK[8];
543  RK[10] = RK[2] ^ RK[9];
544  RK[11] = RK[3] ^ RK[10];
545 
546  RK[12] = RK[4] ^
547  ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
548  ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
549  ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
550  ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
551 
552  RK[13] = RK[5] ^ RK[12];
553  RK[14] = RK[6] ^ RK[13];
554  RK[15] = RK[7] ^ RK[14];
555  }
556  break;
557 
558  default:
559 
560  break;
561  }
562 
563  return( 0 );
564 }
565 
566 /*
567  * AES key schedule (decryption)
568  */
569 int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
570 {
571  int i, j;
572  aes_context cty;
573  uint32_t *RK;
574  uint32_t *SK;
575  int ret;
576 
577  switch( keysize )
578  {
579  case 128: ctx->nr = 10; break;
580  case 192: ctx->nr = 12; break;
581  case 256: ctx->nr = 14; break;
582  default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
583  }
584 
585 #if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
586  if( aes_padlock_ace == -1 )
587  aes_padlock_ace = padlock_supports( PADLOCK_ACE );
588 
589  if( aes_padlock_ace )
590  ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
591  else
592 #endif
593  ctx->rk = RK = ctx->buf;
594 
595  ret = aes_setkey_enc( &cty, key, keysize );
596  if( ret != 0 )
597  return( ret );
598 
599 #if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
600  if( aesni_supports( POLARSSL_AESNI_AES ) )
601  {
602  aesni_inverse_key( (unsigned char *) ctx->rk,
603  (const unsigned char *) cty.rk, ctx->nr );
604  goto done;
605  }
606 #endif
607 
608  SK = cty.rk + cty.nr * 4;
609 
610  *RK++ = *SK++;
611  *RK++ = *SK++;
612  *RK++ = *SK++;
613  *RK++ = *SK++;
614 
615  for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
616  {
617  for( j = 0; j < 4; j++, SK++ )
618  {
619  *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
620  RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
621  RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
622  RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
623  }
624  }
625 
626  *RK++ = *SK++;
627  *RK++ = *SK++;
628  *RK++ = *SK++;
629  *RK++ = *SK++;
630 
631 #if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
632 done:
633 #endif
634  memset( &cty, 0, sizeof( aes_context ) );
635 
636  return( 0 );
637 }
638 
639 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
640 { \
641  X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
642  FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
643  FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
644  FT3[ ( Y3 >> 24 ) & 0xFF ]; \
645  \
646  X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
647  FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
648  FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
649  FT3[ ( Y0 >> 24 ) & 0xFF ]; \
650  \
651  X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
652  FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
653  FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
654  FT3[ ( Y1 >> 24 ) & 0xFF ]; \
655  \
656  X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
657  FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
658  FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
659  FT3[ ( Y2 >> 24 ) & 0xFF ]; \
660 }
661 
662 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
663 { \
664  X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
665  RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
666  RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
667  RT3[ ( Y1 >> 24 ) & 0xFF ]; \
668  \
669  X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
670  RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
671  RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
672  RT3[ ( Y2 >> 24 ) & 0xFF ]; \
673  \
674  X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
675  RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
676  RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
677  RT3[ ( Y3 >> 24 ) & 0xFF ]; \
678  \
679  X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
680  RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
681  RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
682  RT3[ ( Y0 >> 24 ) & 0xFF ]; \
683 }
684 
685 /*
686  * AES-ECB block encryption/decryption
687  */
688 int aes_crypt_ecb( aes_context *ctx,
689  int mode,
690  const unsigned char input[16],
691  unsigned char output[16] )
692 {
693  int i;
694  uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
695 
696 #if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
697  if( aesni_supports( POLARSSL_AESNI_AES ) )
698  return( aesni_crypt_ecb( ctx, mode, input, output ) );
699 #endif
700 
701 #if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
702  if( aes_padlock_ace )
703  {
704  if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
705  return( 0 );
706 
707  // If padlock data misaligned, we just fall back to
708  // unaccelerated mode
709  //
710  }
711 #endif
712 
713  RK = ctx->rk;
714 
715  GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
716  GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
717  GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
718  GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
719 
720  if( mode == AES_DECRYPT )
721  {
722  for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
723  {
724  AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
725  AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
726  }
727 
728  AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
729 
730  X0 = *RK++ ^ \
731  ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
732  ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
733  ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
734  ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
735 
736  X1 = *RK++ ^ \
737  ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
738  ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
739  ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
740  ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
741 
742  X2 = *RK++ ^ \
743  ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
744  ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
745  ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
746  ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
747 
748  X3 = *RK++ ^ \
749  ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
750  ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
751  ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
752  ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
753  }
754  else /* AES_ENCRYPT */
755  {
756  for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
757  {
758  AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
759  AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
760  }
761 
762  AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
763 
764  X0 = *RK++ ^ \
765  ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
766  ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
767  ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
768  ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
769 
770  X1 = *RK++ ^ \
771  ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
772  ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
773  ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
774  ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
775 
776  X2 = *RK++ ^ \
777  ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
778  ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
779  ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
780  ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
781 
782  X3 = *RK++ ^ \
783  ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
784  ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
785  ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
786  ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
787  }
788 
789  PUT_UINT32_LE( X0, output, 0 );
790  PUT_UINT32_LE( X1, output, 4 );
791  PUT_UINT32_LE( X2, output, 8 );
792  PUT_UINT32_LE( X3, output, 12 );
793 
794  return( 0 );
795 }
796 
797 #if defined(POLARSSL_CIPHER_MODE_CBC)
798 /*
799  * AES-CBC buffer encryption/decryption
800  */
801 int aes_crypt_cbc( aes_context *ctx,
802  int mode,
803  size_t length,
804  unsigned char iv[16],
805  const unsigned char *input,
806  unsigned char *output )
807 {
808  int i;
809  unsigned char temp[16];
810 
811  if( length % 16 )
813 
814 #if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
815  if( aes_padlock_ace )
816  {
817  if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
818  return( 0 );
819 
820  // If padlock data misaligned, we just fall back to
821  // unaccelerated mode
822  //
823  }
824 #endif
825 
826  if( mode == AES_DECRYPT )
827  {
828  while( length > 0 )
829  {
830  memcpy( temp, input, 16 );
831  aes_crypt_ecb( ctx, mode, input, output );
832 
833  for( i = 0; i < 16; i++ )
834  output[i] = (unsigned char)( output[i] ^ iv[i] );
835 
836  memcpy( iv, temp, 16 );
837 
838  input += 16;
839  output += 16;
840  length -= 16;
841  }
842  }
843  else
844  {
845  while( length > 0 )
846  {
847  for( i = 0; i < 16; i++ )
848  output[i] = (unsigned char)( input[i] ^ iv[i] );
849 
850  aes_crypt_ecb( ctx, mode, output, output );
851  memcpy( iv, output, 16 );
852 
853  input += 16;
854  output += 16;
855  length -= 16;
856  }
857  }
858 
859  return( 0 );
860 }
861 #endif /* POLARSSL_CIPHER_MODE_CBC */
862 
863 #if defined(POLARSSL_CIPHER_MODE_CFB)
864 /*
865  * AES-CFB128 buffer encryption/decryption
866  */
867 int aes_crypt_cfb128( aes_context *ctx,
868  int mode,
869  size_t length,
870  size_t *iv_off,
871  unsigned char iv[16],
872  const unsigned char *input,
873  unsigned char *output )
874 {
875  int c;
876  size_t n = *iv_off;
877 
878  if( mode == AES_DECRYPT )
879  {
880  while( length-- )
881  {
882  if( n == 0 )
883  aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
884 
885  c = *input++;
886  *output++ = (unsigned char)( c ^ iv[n] );
887  iv[n] = (unsigned char) c;
888 
889  n = (n + 1) & 0x0F;
890  }
891  }
892  else
893  {
894  while( length-- )
895  {
896  if( n == 0 )
897  aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
898 
899  iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
900 
901  n = (n + 1) & 0x0F;
902  }
903  }
904 
905  *iv_off = n;
906 
907  return( 0 );
908 }
909 #endif /*POLARSSL_CIPHER_MODE_CFB */
910 
911 #if defined(POLARSSL_CIPHER_MODE_CTR)
912 /*
913  * AES-CTR buffer encryption/decryption
914  */
915 int aes_crypt_ctr( aes_context *ctx,
916  size_t length,
917  size_t *nc_off,
918  unsigned char nonce_counter[16],
919  unsigned char stream_block[16],
920  const unsigned char *input,
921  unsigned char *output )
922 {
923  int c, i;
924  size_t n = *nc_off;
925 
926  while( length-- )
927  {
928  if( n == 0 ) {
929  aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
930 
931  for( i = 16; i > 0; i-- )
932  if( ++nonce_counter[i - 1] != 0 )
933  break;
934  }
935  c = *input++;
936  *output++ = (unsigned char)( c ^ stream_block[n] );
937 
938  n = (n + 1) & 0x0F;
939  }
940 
941  *nc_off = n;
942 
943  return( 0 );
944 }
945 #endif /* POLARSSL_CIPHER_MODE_CTR */
946 #endif /* !POLARSSL_AES_ALT */
947 
948 #if defined(POLARSSL_SELF_TEST)
949 
950 #include <stdio.h>
951 
952 /*
953  * AES test vectors from:
954  *
955  * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
956  */
957 static const unsigned char aes_test_ecb_dec[3][16] =
958 {
959  { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
960  0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
961  { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
962  0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
963  { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
964  0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
965 };
966 
967 static const unsigned char aes_test_ecb_enc[3][16] =
968 {
969  { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
970  0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
971  { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
972  0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
973  { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
974  0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
975 };
976 
977 #if defined(POLARSSL_CIPHER_MODE_CBC)
978 static const unsigned char aes_test_cbc_dec[3][16] =
979 {
980  { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
981  0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
982  { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
983  0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
984  { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
985  0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
986 };
987 
988 static const unsigned char aes_test_cbc_enc[3][16] =
989 {
990  { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
991  0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
992  { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
993  0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
994  { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
995  0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
996 };
997 #endif /* POLARSSL_CIPHER_MODE_CBC */
998 
999 #if defined(POLARSSL_CIPHER_MODE_CFB)
1000 /*
1001  * AES-CFB128 test vectors from:
1002  *
1003  * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1004  */
1005 static const unsigned char aes_test_cfb128_key[3][32] =
1006 {
1007  { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1008  0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1009  { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1010  0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1011  0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1012  { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1013  0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1014  0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1015  0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1016 };
1017 
1018 static const unsigned char aes_test_cfb128_iv[16] =
1019 {
1020  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1021  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1022 };
1023 
1024 static const unsigned char aes_test_cfb128_pt[64] =
1025 {
1026  0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1027  0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1028  0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1029  0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1030  0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1031  0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1032  0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1033  0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1034 };
1035 
1036 static const unsigned char aes_test_cfb128_ct[3][64] =
1037 {
1038  { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1039  0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1040  0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1041  0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1042  0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1043  0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1044  0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1045  0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1046  { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1047  0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1048  0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1049  0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1050  0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1051  0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1052  0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1053  0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1054  { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1055  0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1056  0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1057  0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1058  0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1059  0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1060  0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1061  0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1062 };
1063 #endif /* POLARSSL_CIPHER_MODE_CFB */
1064 
1065 #if defined(POLARSSL_CIPHER_MODE_CTR)
1066 /*
1067  * AES-CTR test vectors from:
1068  *
1069  * http://www.faqs.org/rfcs/rfc3686.html
1070  */
1071 
1072 static const unsigned char aes_test_ctr_key[3][16] =
1073 {
1074  { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1075  0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1076  { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1077  0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1078  { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1079  0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1080 };
1081 
1082 static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1083 {
1084  { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1085  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1086  { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1087  0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1088  { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1089  0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1090 };
1091 
1092 static const unsigned char aes_test_ctr_pt[3][48] =
1093 {
1094  { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1095  0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1096 
1097  { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1098  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1099  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1100  0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1101 
1102  { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1103  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1104  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1105  0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1106  0x20, 0x21, 0x22, 0x23 }
1107 };
1108 
1109 static const unsigned char aes_test_ctr_ct[3][48] =
1110 {
1111  { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1112  0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1113  { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1114  0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1115  0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1116  0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1117  { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1118  0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1119  0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1120  0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1121  0x25, 0xB2, 0x07, 0x2F }
1122 };
1123 
1124 static const int aes_test_ctr_len[3] =
1125  { 16, 32, 36 };
1126 #endif /* POLARSSL_CIPHER_MODE_CTR */
1127 
1128 /*
1129  * Checkup routine
1130  */
1131 int aes_self_test( int verbose )
1132 {
1133  int i, j, u, v;
1134  unsigned char key[32];
1135  unsigned char buf[64];
1136  unsigned char iv[16];
1137 #if defined(POLARSSL_CIPHER_MODE_CBC)
1138  unsigned char prv[16];
1139 #endif
1140 #if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
1141  size_t offset;
1142 #endif
1143 #if defined(POLARSSL_CIPHER_MODE_CTR)
1144  int len;
1145  unsigned char nonce_counter[16];
1146  unsigned char stream_block[16];
1147 #endif
1148  aes_context ctx;
1149 
1150  memset( key, 0, 32 );
1151 
1152  /*
1153  * ECB mode
1154  */
1155  for( i = 0; i < 6; i++ )
1156  {
1157  u = i >> 1;
1158  v = i & 1;
1159 
1160  if( verbose != 0 )
1161  printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1162  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1163 
1164  memset( buf, 0, 16 );
1165 
1166  if( v == AES_DECRYPT )
1167  {
1168  aes_setkey_dec( &ctx, key, 128 + u * 64 );
1169 
1170  for( j = 0; j < 10000; j++ )
1171  aes_crypt_ecb( &ctx, v, buf, buf );
1172 
1173  if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1174  {
1175  if( verbose != 0 )
1176  printf( "failed\n" );
1177 
1178  return( 1 );
1179  }
1180  }
1181  else
1182  {
1183  aes_setkey_enc( &ctx, key, 128 + u * 64 );
1184 
1185  for( j = 0; j < 10000; j++ )
1186  aes_crypt_ecb( &ctx, v, buf, buf );
1187 
1188  if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1189  {
1190  if( verbose != 0 )
1191  printf( "failed\n" );
1192 
1193  return( 1 );
1194  }
1195  }
1196 
1197  if( verbose != 0 )
1198  printf( "passed\n" );
1199  }
1200 
1201  if( verbose != 0 )
1202  printf( "\n" );
1203 
1204 #if defined(POLARSSL_CIPHER_MODE_CBC)
1205  /*
1206  * CBC mode
1207  */
1208  for( i = 0; i < 6; i++ )
1209  {
1210  u = i >> 1;
1211  v = i & 1;
1212 
1213  if( verbose != 0 )
1214  printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1215  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1216 
1217  memset( iv , 0, 16 );
1218  memset( prv, 0, 16 );
1219  memset( buf, 0, 16 );
1220 
1221  if( v == AES_DECRYPT )
1222  {
1223  aes_setkey_dec( &ctx, key, 128 + u * 64 );
1224 
1225  for( j = 0; j < 10000; j++ )
1226  aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1227 
1228  if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1229  {
1230  if( verbose != 0 )
1231  printf( "failed\n" );
1232 
1233  return( 1 );
1234  }
1235  }
1236  else
1237  {
1238  aes_setkey_enc( &ctx, key, 128 + u * 64 );
1239 
1240  for( j = 0; j < 10000; j++ )
1241  {
1242  unsigned char tmp[16];
1243 
1244  aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1245 
1246  memcpy( tmp, prv, 16 );
1247  memcpy( prv, buf, 16 );
1248  memcpy( buf, tmp, 16 );
1249  }
1250 
1251  if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1252  {
1253  if( verbose != 0 )
1254  printf( "failed\n" );
1255 
1256  return( 1 );
1257  }
1258  }
1259 
1260  if( verbose != 0 )
1261  printf( "passed\n" );
1262  }
1263 
1264  if( verbose != 0 )
1265  printf( "\n" );
1266 #endif /* POLARSSL_CIPHER_MODE_CBC */
1267 
1268 #if defined(POLARSSL_CIPHER_MODE_CFB)
1269  /*
1270  * CFB128 mode
1271  */
1272  for( i = 0; i < 6; i++ )
1273  {
1274  u = i >> 1;
1275  v = i & 1;
1276 
1277  if( verbose != 0 )
1278  printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1279  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1280 
1281  memcpy( iv, aes_test_cfb128_iv, 16 );
1282  memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1283 
1284  offset = 0;
1285  aes_setkey_enc( &ctx, key, 128 + u * 64 );
1286 
1287  if( v == AES_DECRYPT )
1288  {
1289  memcpy( buf, aes_test_cfb128_ct[u], 64 );
1290  aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1291 
1292  if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1293  {
1294  if( verbose != 0 )
1295  printf( "failed\n" );
1296 
1297  return( 1 );
1298  }
1299  }
1300  else
1301  {
1302  memcpy( buf, aes_test_cfb128_pt, 64 );
1303  aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1304 
1305  if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1306  {
1307  if( verbose != 0 )
1308  printf( "failed\n" );
1309 
1310  return( 1 );
1311  }
1312  }
1313 
1314  if( verbose != 0 )
1315  printf( "passed\n" );
1316  }
1317 
1318  if( verbose != 0 )
1319  printf( "\n" );
1320 #endif /* POLARSSL_CIPHER_MODE_CFB */
1321 
1322 #if defined(POLARSSL_CIPHER_MODE_CTR)
1323  /*
1324  * CTR mode
1325  */
1326  for( i = 0; i < 6; i++ )
1327  {
1328  u = i >> 1;
1329  v = i & 1;
1330 
1331  if( verbose != 0 )
1332  printf( " AES-CTR-128 (%s): ",
1333  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1334 
1335  memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1336  memcpy( key, aes_test_ctr_key[u], 16 );
1337 
1338  offset = 0;
1339  aes_setkey_enc( &ctx, key, 128 );
1340 
1341  if( v == AES_DECRYPT )
1342  {
1343  len = aes_test_ctr_len[u];
1344  memcpy( buf, aes_test_ctr_ct[u], len );
1345 
1346  aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1347 
1348  if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1349  {
1350  if( verbose != 0 )
1351  printf( "failed\n" );
1352 
1353  return( 1 );
1354  }
1355  }
1356  else
1357  {
1358  len = aes_test_ctr_len[u];
1359  memcpy( buf, aes_test_ctr_pt[u], len );
1360 
1361  aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1362 
1363  if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1364  {
1365  if( verbose != 0 )
1366  printf( "failed\n" );
1367 
1368  return( 1 );
1369  }
1370  }
1371 
1372  if( verbose != 0 )
1373  printf( "passed\n" );
1374  }
1375 
1376  if( verbose != 0 )
1377  printf( "\n" );
1378 #endif /* POLARSSL_CIPHER_MODE_CTR */
1379 
1380  return( 0 );
1381 }
1382 
1383 #endif
1384 
1385 #endif
#define POLARSSL_AESNI_AES
Definition: aesni.h:32
int aes_crypt_cfb128(aes_context *ctx, int mode, size_t length, size_t *iv_off, unsigned char iv[16], const unsigned char *input, unsigned char *output)
AES-CFB128 buffer encryption/decryption.
uint32_t buf[68]
Definition: aes.h:68
#define AES_DECRYPT
Definition: aes.h:43
AES context structure.
Definition: aes.h:64
Configuration options (set of defines)
int aes_setkey_dec(aes_context *ctx, const unsigned char *key, unsigned int keysize)
AES key schedule (decryption)
AES-NI for hardware AES acceleration on some Intel processors.
int aes_crypt_cbc(aes_context *ctx, int mode, size_t length, unsigned char iv[16], const unsigned char *input, unsigned char *output)
AES-CBC buffer encryption/decryption Length should be a multiple of the block size (16 bytes) ...
AES block cipher.
int aes_self_test(int verbose)
Checkup routine.
#define POLARSSL_ERR_AES_INVALID_KEY_LENGTH
Invalid key length.
Definition: aes.h:45
#define AES_ENCRYPT
Definition: aes.h:42
uint32_t * rk
Definition: aes.h:67
VIA PadLock ACE for HW encryption/decryption supported by some processors.
int nr
Definition: aes.h:66
#define POLARSSL_ERR_AES_INVALID_INPUT_LENGTH
Invalid data input length.
Definition: aes.h:46
int aes_setkey_enc(aes_context *ctx, const unsigned char *key, unsigned int keysize)
AES key schedule (encryption)
int aes_crypt_ecb(aes_context *ctx, int mode, const unsigned char input[16], unsigned char output[16])
AES-ECB block encryption/decryption.
int aes_crypt_ctr(aes_context *ctx, size_t length, size_t *nc_off, unsigned char nonce_counter[16], unsigned char stream_block[16], const unsigned char *input, unsigned char *output)
AES-CTR buffer encryption/decryption.