PolarSSL v1.3.4
aes.c
Go to the documentation of this file.
1 /*
2  * FIPS-197 compliant AES implementation
3  *
4  * Copyright (C) 2006-2013, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27  *
28  * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29  * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30  */
31 
32 #include "polarssl/config.h"
33 
34 #if defined(POLARSSL_AES_C)
35 
36 #include "polarssl/aes.h"
37 #if defined(POLARSSL_PADLOCK_C)
38 #include "polarssl/padlock.h"
39 #endif
40 #if defined(POLARSSL_AESNI_C)
41 #include "polarssl/aesni.h"
42 #endif
43 
44 #if !defined(POLARSSL_AES_ALT)
45 
46 /*
47  * 32-bit integer manipulation macros (little endian)
48  */
49 #ifndef GET_UINT32_LE
50 #define GET_UINT32_LE(n,b,i) \
51 { \
52  (n) = ( (uint32_t) (b)[(i) ] ) \
53  | ( (uint32_t) (b)[(i) + 1] << 8 ) \
54  | ( (uint32_t) (b)[(i) + 2] << 16 ) \
55  | ( (uint32_t) (b)[(i) + 3] << 24 ); \
56 }
57 #endif
58 
59 #ifndef PUT_UINT32_LE
60 #define PUT_UINT32_LE(n,b,i) \
61 { \
62  (b)[(i) ] = (unsigned char) ( (n) ); \
63  (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
64  (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
65  (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
66 }
67 #endif
68 
69 #if defined(POLARSSL_PADLOCK_C) && \
70  ( defined(POLARSSL_HAVE_X86) || defined(PADLOCK_ALIGN16) )
71 static int aes_padlock_ace = -1;
72 #endif
73 
74 #if defined(POLARSSL_AES_ROM_TABLES)
75 /*
76  * Forward S-box
77  */
78 static const unsigned char FSb[256] =
79 {
80  0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
81  0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
82  0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
83  0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
84  0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
85  0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
86  0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
87  0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
88  0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
89  0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
90  0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
91  0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
92  0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
93  0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
94  0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
95  0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
96  0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
97  0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
98  0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
99  0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
100  0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
101  0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
102  0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
103  0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
104  0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
105  0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
106  0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
107  0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
108  0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
109  0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
110  0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
111  0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
112 };
113 
114 /*
115  * Forward tables
116  */
117 #define FT \
118 \
119  V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
120  V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
121  V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
122  V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
123  V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
124  V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
125  V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
126  V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
127  V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
128  V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
129  V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
130  V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
131  V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
132  V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
133  V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
134  V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
135  V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
136  V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
137  V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
138  V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
139  V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
140  V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
141  V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
142  V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
143  V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
144  V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
145  V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
146  V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
147  V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
148  V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
149  V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
150  V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
151  V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
152  V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
153  V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
154  V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
155  V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
156  V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
157  V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
158  V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
159  V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
160  V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
161  V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
162  V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
163  V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
164  V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
165  V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
166  V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
167  V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
168  V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
169  V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
170  V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
171  V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
172  V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
173  V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
174  V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
175  V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
176  V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
177  V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
178  V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
179  V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
180  V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
181  V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
182  V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
183 
184 #define V(a,b,c,d) 0x##a##b##c##d
185 static const uint32_t FT0[256] = { FT };
186 #undef V
187 
188 #define V(a,b,c,d) 0x##b##c##d##a
189 static const uint32_t FT1[256] = { FT };
190 #undef V
191 
192 #define V(a,b,c,d) 0x##c##d##a##b
193 static const uint32_t FT2[256] = { FT };
194 #undef V
195 
196 #define V(a,b,c,d) 0x##d##a##b##c
197 static const uint32_t FT3[256] = { FT };
198 #undef V
199 
200 #undef FT
201 
202 /*
203  * Reverse S-box
204  */
205 static const unsigned char RSb[256] =
206 {
207  0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
208  0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
209  0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
210  0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
211  0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
212  0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
213  0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
214  0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
215  0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
216  0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
217  0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
218  0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
219  0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
220  0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
221  0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
222  0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
223  0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
224  0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
225  0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
226  0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
227  0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
228  0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
229  0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
230  0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
231  0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
232  0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
233  0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
234  0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
235  0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
236  0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
237  0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
238  0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
239 };
240 
241 /*
242  * Reverse tables
243  */
244 #define RT \
245 \
246  V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
247  V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
248  V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
249  V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
250  V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
251  V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
252  V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
253  V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
254  V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
255  V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
256  V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
257  V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
258  V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
259  V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
260  V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
261  V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
262  V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
263  V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
264  V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
265  V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
266  V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
267  V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
268  V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
269  V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
270  V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
271  V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
272  V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
273  V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
274  V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
275  V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
276  V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
277  V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
278  V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
279  V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
280  V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
281  V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
282  V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
283  V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
284  V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
285  V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
286  V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
287  V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
288  V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
289  V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
290  V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
291  V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
292  V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
293  V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
294  V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
295  V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
296  V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
297  V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
298  V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
299  V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
300  V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
301  V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
302  V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
303  V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
304  V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
305  V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
306  V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
307  V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
308  V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
309  V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
310 
311 #define V(a,b,c,d) 0x##a##b##c##d
312 static const uint32_t RT0[256] = { RT };
313 #undef V
314 
315 #define V(a,b,c,d) 0x##b##c##d##a
316 static const uint32_t RT1[256] = { RT };
317 #undef V
318 
319 #define V(a,b,c,d) 0x##c##d##a##b
320 static const uint32_t RT2[256] = { RT };
321 #undef V
322 
323 #define V(a,b,c,d) 0x##d##a##b##c
324 static const uint32_t RT3[256] = { RT };
325 #undef V
326 
327 #undef RT
328 
329 /*
330  * Round constants
331  */
332 static const uint32_t RCON[10] =
333 {
334  0x00000001, 0x00000002, 0x00000004, 0x00000008,
335  0x00000010, 0x00000020, 0x00000040, 0x00000080,
336  0x0000001B, 0x00000036
337 };
338 
339 #else
340 
341 /*
342  * Forward S-box & tables
343  */
344 static unsigned char FSb[256];
345 static uint32_t FT0[256];
346 static uint32_t FT1[256];
347 static uint32_t FT2[256];
348 static uint32_t FT3[256];
349 
350 /*
351  * Reverse S-box & tables
352  */
353 static unsigned char RSb[256];
354 static uint32_t RT0[256];
355 static uint32_t RT1[256];
356 static uint32_t RT2[256];
357 static uint32_t RT3[256];
358 
359 /*
360  * Round constants
361  */
362 static uint32_t RCON[10];
363 
364 /*
365  * Tables generation code
366  */
367 #define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
368 #define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
369 #define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
370 
371 static int aes_init_done = 0;
372 
373 static void aes_gen_tables( void )
374 {
375  int i, x, y, z;
376  int pow[256];
377  int log[256];
378 
379  /*
380  * compute pow and log tables over GF(2^8)
381  */
382  for( i = 0, x = 1; i < 256; i++ )
383  {
384  pow[i] = x;
385  log[x] = i;
386  x = ( x ^ XTIME( x ) ) & 0xFF;
387  }
388 
389  /*
390  * calculate the round constants
391  */
392  for( i = 0, x = 1; i < 10; i++ )
393  {
394  RCON[i] = (uint32_t) x;
395  x = XTIME( x ) & 0xFF;
396  }
397 
398  /*
399  * generate the forward and reverse S-boxes
400  */
401  FSb[0x00] = 0x63;
402  RSb[0x63] = 0x00;
403 
404  for( i = 1; i < 256; i++ )
405  {
406  x = pow[255 - log[i]];
407 
408  y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
409  x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
410  x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
411  x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
412  x ^= y ^ 0x63;
413 
414  FSb[i] = (unsigned char) x;
415  RSb[x] = (unsigned char) i;
416  }
417 
418  /*
419  * generate the forward and reverse tables
420  */
421  for( i = 0; i < 256; i++ )
422  {
423  x = FSb[i];
424  y = XTIME( x ) & 0xFF;
425  z = ( y ^ x ) & 0xFF;
426 
427  FT0[i] = ( (uint32_t) y ) ^
428  ( (uint32_t) x << 8 ) ^
429  ( (uint32_t) x << 16 ) ^
430  ( (uint32_t) z << 24 );
431 
432  FT1[i] = ROTL8( FT0[i] );
433  FT2[i] = ROTL8( FT1[i] );
434  FT3[i] = ROTL8( FT2[i] );
435 
436  x = RSb[i];
437 
438  RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
439  ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
440  ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
441  ( (uint32_t) MUL( 0x0B, x ) << 24 );
442 
443  RT1[i] = ROTL8( RT0[i] );
444  RT2[i] = ROTL8( RT1[i] );
445  RT3[i] = ROTL8( RT2[i] );
446  }
447 }
448 
449 #endif
450 
451 /*
452  * AES key schedule (encryption)
453  */
454 int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
455 {
456  unsigned int i;
457  uint32_t *RK;
458 
459 #if !defined(POLARSSL_AES_ROM_TABLES)
460  if( aes_init_done == 0 )
461  {
462  aes_gen_tables();
463  aes_init_done = 1;
464 
465  }
466 #endif
467 
468  switch( keysize )
469  {
470  case 128: ctx->nr = 10; break;
471  case 192: ctx->nr = 12; break;
472  case 256: ctx->nr = 14; break;
473  default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
474  }
475 
476 #if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
477  if( aes_padlock_ace == -1 )
478  aes_padlock_ace = padlock_supports( PADLOCK_ACE );
479 
480  if( aes_padlock_ace )
481  ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
482  else
483 #endif
484  ctx->rk = RK = ctx->buf;
485 
486 #if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
487  if( aesni_supports( POLARSSL_AESNI_AES ) )
488  return( aesni_setkey_enc( (unsigned char *) ctx->rk, key, keysize ) );
489 #endif
490 
491  for( i = 0; i < (keysize >> 5); i++ )
492  {
493  GET_UINT32_LE( RK[i], key, i << 2 );
494  }
495 
496  switch( ctx->nr )
497  {
498  case 10:
499 
500  for( i = 0; i < 10; i++, RK += 4 )
501  {
502  RK[4] = RK[0] ^ RCON[i] ^
503  ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
504  ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
505  ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
506  ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
507 
508  RK[5] = RK[1] ^ RK[4];
509  RK[6] = RK[2] ^ RK[5];
510  RK[7] = RK[3] ^ RK[6];
511  }
512  break;
513 
514  case 12:
515 
516  for( i = 0; i < 8; i++, RK += 6 )
517  {
518  RK[6] = RK[0] ^ RCON[i] ^
519  ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
520  ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
521  ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
522  ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
523 
524  RK[7] = RK[1] ^ RK[6];
525  RK[8] = RK[2] ^ RK[7];
526  RK[9] = RK[3] ^ RK[8];
527  RK[10] = RK[4] ^ RK[9];
528  RK[11] = RK[5] ^ RK[10];
529  }
530  break;
531 
532  case 14:
533 
534  for( i = 0; i < 7; i++, RK += 8 )
535  {
536  RK[8] = RK[0] ^ RCON[i] ^
537  ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
538  ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
539  ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
540  ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
541 
542  RK[9] = RK[1] ^ RK[8];
543  RK[10] = RK[2] ^ RK[9];
544  RK[11] = RK[3] ^ RK[10];
545 
546  RK[12] = RK[4] ^
547  ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
548  ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
549  ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
550  ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
551 
552  RK[13] = RK[5] ^ RK[12];
553  RK[14] = RK[6] ^ RK[13];
554  RK[15] = RK[7] ^ RK[14];
555  }
556  break;
557 
558  default:
559 
560  break;
561  }
562 
563  return( 0 );
564 }
565 
566 /*
567  * AES key schedule (decryption)
568  */
569 int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
570 {
571  int i, j;
572  aes_context cty;
573  uint32_t *RK;
574  uint32_t *SK;
575  int ret;
576 
577  switch( keysize )
578  {
579  case 128: ctx->nr = 10; break;
580  case 192: ctx->nr = 12; break;
581  case 256: ctx->nr = 14; break;
582  default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
583  }
584 
585 #if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
586  if( aes_padlock_ace == -1 )
587  aes_padlock_ace = padlock_supports( PADLOCK_ACE );
588 
589  if( aes_padlock_ace )
590  ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
591  else
592 #endif
593  ctx->rk = RK = ctx->buf;
594 
595  ret = aes_setkey_enc( &cty, key, keysize );
596  if( ret != 0 )
597  return( ret );
598 
599 #if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
600  if( aesni_supports( POLARSSL_AESNI_AES ) )
601  {
602  aesni_inverse_key( (unsigned char *) ctx->rk,
603  (const unsigned char *) cty.rk, ctx->nr );
604  goto done;
605  }
606 #endif
607 
608  SK = cty.rk + cty.nr * 4;
609 
610  *RK++ = *SK++;
611  *RK++ = *SK++;
612  *RK++ = *SK++;
613  *RK++ = *SK++;
614 
615  for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
616  {
617  for( j = 0; j < 4; j++, SK++ )
618  {
619  *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
620  RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
621  RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
622  RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
623  }
624  }
625 
626  *RK++ = *SK++;
627  *RK++ = *SK++;
628  *RK++ = *SK++;
629  *RK++ = *SK++;
630 
631 #if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
632 done:
633 #endif
634  memset( &cty, 0, sizeof( aes_context ) );
635 
636  return( 0 );
637 }
638 
639 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
640 { \
641  X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
642  FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
643  FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
644  FT3[ ( Y3 >> 24 ) & 0xFF ]; \
645  \
646  X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
647  FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
648  FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
649  FT3[ ( Y0 >> 24 ) & 0xFF ]; \
650  \
651  X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
652  FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
653  FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
654  FT3[ ( Y1 >> 24 ) & 0xFF ]; \
655  \
656  X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
657  FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
658  FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
659  FT3[ ( Y2 >> 24 ) & 0xFF ]; \
660 }
661 
662 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
663 { \
664  X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
665  RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
666  RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
667  RT3[ ( Y1 >> 24 ) & 0xFF ]; \
668  \
669  X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
670  RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
671  RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
672  RT3[ ( Y2 >> 24 ) & 0xFF ]; \
673  \
674  X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
675  RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
676  RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
677  RT3[ ( Y3 >> 24 ) & 0xFF ]; \
678  \
679  X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
680  RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
681  RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
682  RT3[ ( Y0 >> 24 ) & 0xFF ]; \
683 }
684 
685 /*
686  * AES-ECB block encryption/decryption
687  */
688 int aes_crypt_ecb( aes_context *ctx,
689  int mode,
690  const unsigned char input[16],
691  unsigned char output[16] )
692 {
693  int i;
694  uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
695 
696 #if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
697  if( aesni_supports( POLARSSL_AESNI_AES ) )
698  return( aesni_crypt_ecb( ctx, mode, input, output ) );
699 #endif
700 
701 #if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
702  if( aes_padlock_ace )
703  {
704  if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
705  return( 0 );
706 
707  // If padlock data misaligned, we just fall back to
708  // unaccelerated mode
709  //
710  }
711 #endif
712 
713  RK = ctx->rk;
714 
715  GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
716  GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
717  GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
718  GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
719 
720  if( mode == AES_DECRYPT )
721  {
722  for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
723  {
724  AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
725  AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
726  }
727 
728  AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
729 
730  X0 = *RK++ ^ \
731  ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
732  ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
733  ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
734  ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
735 
736  X1 = *RK++ ^ \
737  ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
738  ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
739  ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
740  ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
741 
742  X2 = *RK++ ^ \
743  ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
744  ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
745  ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
746  ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
747 
748  X3 = *RK++ ^ \
749  ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
750  ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
751  ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
752  ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
753  }
754  else /* AES_ENCRYPT */
755  {
756  for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
757  {
758  AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
759  AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
760  }
761 
762  AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
763 
764  X0 = *RK++ ^ \
765  ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
766  ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
767  ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
768  ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
769 
770  X1 = *RK++ ^ \
771  ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
772  ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
773  ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
774  ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
775 
776  X2 = *RK++ ^ \
777  ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
778  ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
779  ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
780  ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
781 
782  X3 = *RK++ ^ \
783  ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
784  ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
785  ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
786  ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
787  }
788 
789  PUT_UINT32_LE( X0, output, 0 );
790  PUT_UINT32_LE( X1, output, 4 );
791  PUT_UINT32_LE( X2, output, 8 );
792  PUT_UINT32_LE( X3, output, 12 );
793 
794  return( 0 );
795 }
796 
797 #if defined(POLARSSL_CIPHER_MODE_CBC)
798 /*
799  * AES-CBC buffer encryption/decryption
800  */
801 int aes_crypt_cbc( aes_context *ctx,
802  int mode,
803  size_t length,
804  unsigned char iv[16],
805  const unsigned char *input,
806  unsigned char *output )
807 {
808  int i;
809  unsigned char temp[16];
810 
811  if( length % 16 )
813 
814 #if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
815  if( aes_padlock_ace )
816  {
817  if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
818  return( 0 );
819 
820  // If padlock data misaligned, we just fall back to
821  // unaccelerated mode
822  //
823  }
824 #endif
825 
826  if( mode == AES_DECRYPT )
827  {
828  while( length > 0 )
829  {
830  memcpy( temp, input, 16 );
831  aes_crypt_ecb( ctx, mode, input, output );
832 
833  for( i = 0; i < 16; i++ )
834  output[i] = (unsigned char)( output[i] ^ iv[i] );
835 
836  memcpy( iv, temp, 16 );
837 
838  input += 16;
839  output += 16;
840  length -= 16;
841  }
842  }
843  else
844  {
845  while( length > 0 )
846  {
847  for( i = 0; i < 16; i++ )
848  output[i] = (unsigned char)( input[i] ^ iv[i] );
849 
850  aes_crypt_ecb( ctx, mode, output, output );
851  memcpy( iv, output, 16 );
852 
853  input += 16;
854  output += 16;
855  length -= 16;
856  }
857  }
858 
859  return( 0 );
860 }
861 #endif /* POLARSSL_CIPHER_MODE_CBC */
862 
863 #if defined(POLARSSL_CIPHER_MODE_CFB)
864 /*
865  * AES-CFB128 buffer encryption/decryption
866  */
867 int aes_crypt_cfb128( aes_context *ctx,
868  int mode,
869  size_t length,
870  size_t *iv_off,
871  unsigned char iv[16],
872  const unsigned char *input,
873  unsigned char *output )
874 {
875  int c;
876  size_t n = *iv_off;
877 
878  if( mode == AES_DECRYPT )
879  {
880  while( length-- )
881  {
882  if( n == 0 )
883  aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
884 
885  c = *input++;
886  *output++ = (unsigned char)( c ^ iv[n] );
887  iv[n] = (unsigned char) c;
888 
889  n = (n + 1) & 0x0F;
890  }
891  }
892  else
893  {
894  while( length-- )
895  {
896  if( n == 0 )
897  aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
898 
899  iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
900 
901  n = (n + 1) & 0x0F;
902  }
903  }
904 
905  *iv_off = n;
906 
907  return( 0 );
908 }
909 
910 /*
911  * AES-CFB8 buffer encryption/decryption
912  */
913 #include <stdio.h>
914 int aes_crypt_cfb8( aes_context *ctx,
915  int mode,
916  size_t length,
917  unsigned char iv[16],
918  const unsigned char *input,
919  unsigned char *output )
920 {
921  unsigned char c;
922  unsigned char ov[17];
923 
924  while( length-- )
925  {
926  memcpy(ov, iv, 16);
927  aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
928 
929  if( mode == AES_DECRYPT )
930  ov[16] = *input;
931 
932  c = *output++ = (unsigned char)( iv[0] ^ *input++ );
933 
934  if( mode == AES_ENCRYPT )
935  ov[16] = c;
936 
937  memcpy(iv, ov + 1, 16);
938  }
939 
940  return( 0 );
941 }
942 #endif /*POLARSSL_CIPHER_MODE_CFB */
943 
944 #if defined(POLARSSL_CIPHER_MODE_CTR)
945 /*
946  * AES-CTR buffer encryption/decryption
947  */
948 int aes_crypt_ctr( aes_context *ctx,
949  size_t length,
950  size_t *nc_off,
951  unsigned char nonce_counter[16],
952  unsigned char stream_block[16],
953  const unsigned char *input,
954  unsigned char *output )
955 {
956  int c, i;
957  size_t n = *nc_off;
958 
959  while( length-- )
960  {
961  if( n == 0 ) {
962  aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
963 
964  for( i = 16; i > 0; i-- )
965  if( ++nonce_counter[i - 1] != 0 )
966  break;
967  }
968  c = *input++;
969  *output++ = (unsigned char)( c ^ stream_block[n] );
970 
971  n = (n + 1) & 0x0F;
972  }
973 
974  *nc_off = n;
975 
976  return( 0 );
977 }
978 #endif /* POLARSSL_CIPHER_MODE_CTR */
979 #endif /* !POLARSSL_AES_ALT */
980 
981 #if defined(POLARSSL_SELF_TEST)
982 
983 #include <stdio.h>
984 
985 /*
986  * AES test vectors from:
987  *
988  * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
989  */
990 static const unsigned char aes_test_ecb_dec[3][16] =
991 {
992  { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
993  0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
994  { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
995  0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
996  { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
997  0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
998 };
999 
1000 static const unsigned char aes_test_ecb_enc[3][16] =
1001 {
1002  { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1003  0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1004  { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1005  0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1006  { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1007  0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1008 };
1009 
1010 #if defined(POLARSSL_CIPHER_MODE_CBC)
1011 static const unsigned char aes_test_cbc_dec[3][16] =
1012 {
1013  { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1014  0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1015  { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1016  0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1017  { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1018  0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1019 };
1020 
1021 static const unsigned char aes_test_cbc_enc[3][16] =
1022 {
1023  { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1024  0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1025  { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1026  0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1027  { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1028  0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1029 };
1030 #endif /* POLARSSL_CIPHER_MODE_CBC */
1031 
1032 #if defined(POLARSSL_CIPHER_MODE_CFB)
1033 /*
1034  * AES-CFB128 test vectors from:
1035  *
1036  * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1037  */
1038 static const unsigned char aes_test_cfb128_key[3][32] =
1039 {
1040  { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1041  0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1042  { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1043  0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1044  0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1045  { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1046  0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1047  0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1048  0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1049 };
1050 
1051 static const unsigned char aes_test_cfb128_iv[16] =
1052 {
1053  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1054  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1055 };
1056 
1057 static const unsigned char aes_test_cfb128_pt[64] =
1058 {
1059  0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1060  0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1061  0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1062  0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1063  0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1064  0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1065  0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1066  0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1067 };
1068 
1069 static const unsigned char aes_test_cfb128_ct[3][64] =
1070 {
1071  { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1072  0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1073  0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1074  0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1075  0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1076  0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1077  0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1078  0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1079  { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1080  0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1081  0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1082  0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1083  0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1084  0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1085  0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1086  0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1087  { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1088  0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1089  0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1090  0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1091  0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1092  0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1093  0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1094  0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1095 };
1096 #endif /* POLARSSL_CIPHER_MODE_CFB */
1097 
1098 #if defined(POLARSSL_CIPHER_MODE_CTR)
1099 /*
1100  * AES-CTR test vectors from:
1101  *
1102  * http://www.faqs.org/rfcs/rfc3686.html
1103  */
1104 
1105 static const unsigned char aes_test_ctr_key[3][16] =
1106 {
1107  { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1108  0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1109  { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1110  0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1111  { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1112  0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1113 };
1114 
1115 static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1116 {
1117  { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1118  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1119  { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1120  0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1121  { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1122  0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1123 };
1124 
1125 static const unsigned char aes_test_ctr_pt[3][48] =
1126 {
1127  { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1128  0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1129 
1130  { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1131  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1132  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1133  0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1134 
1135  { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1136  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1137  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1138  0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1139  0x20, 0x21, 0x22, 0x23 }
1140 };
1141 
1142 static const unsigned char aes_test_ctr_ct[3][48] =
1143 {
1144  { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1145  0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1146  { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1147  0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1148  0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1149  0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1150  { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1151  0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1152  0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1153  0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1154  0x25, 0xB2, 0x07, 0x2F }
1155 };
1156 
1157 static const int aes_test_ctr_len[3] =
1158  { 16, 32, 36 };
1159 #endif /* POLARSSL_CIPHER_MODE_CTR */
1160 
1161 /*
1162  * Checkup routine
1163  */
1164 int aes_self_test( int verbose )
1165 {
1166  int i, j, u, v;
1167  unsigned char key[32];
1168  unsigned char buf[64];
1169  unsigned char iv[16];
1170 #if defined(POLARSSL_CIPHER_MODE_CBC)
1171  unsigned char prv[16];
1172 #endif
1173 #if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
1174  size_t offset;
1175 #endif
1176 #if defined(POLARSSL_CIPHER_MODE_CTR)
1177  int len;
1178  unsigned char nonce_counter[16];
1179  unsigned char stream_block[16];
1180 #endif
1181  aes_context ctx;
1182 
1183  memset( key, 0, 32 );
1184 
1185  /*
1186  * ECB mode
1187  */
1188  for( i = 0; i < 6; i++ )
1189  {
1190  u = i >> 1;
1191  v = i & 1;
1192 
1193  if( verbose != 0 )
1194  printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1195  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1196 
1197  memset( buf, 0, 16 );
1198 
1199  if( v == AES_DECRYPT )
1200  {
1201  aes_setkey_dec( &ctx, key, 128 + u * 64 );
1202 
1203  for( j = 0; j < 10000; j++ )
1204  aes_crypt_ecb( &ctx, v, buf, buf );
1205 
1206  if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1207  {
1208  if( verbose != 0 )
1209  printf( "failed\n" );
1210 
1211  return( 1 );
1212  }
1213  }
1214  else
1215  {
1216  aes_setkey_enc( &ctx, key, 128 + u * 64 );
1217 
1218  for( j = 0; j < 10000; j++ )
1219  aes_crypt_ecb( &ctx, v, buf, buf );
1220 
1221  if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1222  {
1223  if( verbose != 0 )
1224  printf( "failed\n" );
1225 
1226  return( 1 );
1227  }
1228  }
1229 
1230  if( verbose != 0 )
1231  printf( "passed\n" );
1232  }
1233 
1234  if( verbose != 0 )
1235  printf( "\n" );
1236 
1237 #if defined(POLARSSL_CIPHER_MODE_CBC)
1238  /*
1239  * CBC mode
1240  */
1241  for( i = 0; i < 6; i++ )
1242  {
1243  u = i >> 1;
1244  v = i & 1;
1245 
1246  if( verbose != 0 )
1247  printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1248  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1249 
1250  memset( iv , 0, 16 );
1251  memset( prv, 0, 16 );
1252  memset( buf, 0, 16 );
1253 
1254  if( v == AES_DECRYPT )
1255  {
1256  aes_setkey_dec( &ctx, key, 128 + u * 64 );
1257 
1258  for( j = 0; j < 10000; j++ )
1259  aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1260 
1261  if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1262  {
1263  if( verbose != 0 )
1264  printf( "failed\n" );
1265 
1266  return( 1 );
1267  }
1268  }
1269  else
1270  {
1271  aes_setkey_enc( &ctx, key, 128 + u * 64 );
1272 
1273  for( j = 0; j < 10000; j++ )
1274  {
1275  unsigned char tmp[16];
1276 
1277  aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1278 
1279  memcpy( tmp, prv, 16 );
1280  memcpy( prv, buf, 16 );
1281  memcpy( buf, tmp, 16 );
1282  }
1283 
1284  if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1285  {
1286  if( verbose != 0 )
1287  printf( "failed\n" );
1288 
1289  return( 1 );
1290  }
1291  }
1292 
1293  if( verbose != 0 )
1294  printf( "passed\n" );
1295  }
1296 
1297  if( verbose != 0 )
1298  printf( "\n" );
1299 #endif /* POLARSSL_CIPHER_MODE_CBC */
1300 
1301 #if defined(POLARSSL_CIPHER_MODE_CFB)
1302  /*
1303  * CFB128 mode
1304  */
1305  for( i = 0; i < 6; i++ )
1306  {
1307  u = i >> 1;
1308  v = i & 1;
1309 
1310  if( verbose != 0 )
1311  printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1312  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1313 
1314  memcpy( iv, aes_test_cfb128_iv, 16 );
1315  memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1316 
1317  offset = 0;
1318  aes_setkey_enc( &ctx, key, 128 + u * 64 );
1319 
1320  if( v == AES_DECRYPT )
1321  {
1322  memcpy( buf, aes_test_cfb128_ct[u], 64 );
1323  aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1324 
1325  if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1326  {
1327  if( verbose != 0 )
1328  printf( "failed\n" );
1329 
1330  return( 1 );
1331  }
1332  }
1333  else
1334  {
1335  memcpy( buf, aes_test_cfb128_pt, 64 );
1336  aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1337 
1338  if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1339  {
1340  if( verbose != 0 )
1341  printf( "failed\n" );
1342 
1343  return( 1 );
1344  }
1345  }
1346 
1347  if( verbose != 0 )
1348  printf( "passed\n" );
1349  }
1350 
1351  if( verbose != 0 )
1352  printf( "\n" );
1353 #endif /* POLARSSL_CIPHER_MODE_CFB */
1354 
1355 #if defined(POLARSSL_CIPHER_MODE_CTR)
1356  /*
1357  * CTR mode
1358  */
1359  for( i = 0; i < 6; i++ )
1360  {
1361  u = i >> 1;
1362  v = i & 1;
1363 
1364  if( verbose != 0 )
1365  printf( " AES-CTR-128 (%s): ",
1366  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1367 
1368  memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1369  memcpy( key, aes_test_ctr_key[u], 16 );
1370 
1371  offset = 0;
1372  aes_setkey_enc( &ctx, key, 128 );
1373 
1374  if( v == AES_DECRYPT )
1375  {
1376  len = aes_test_ctr_len[u];
1377  memcpy( buf, aes_test_ctr_ct[u], len );
1378 
1379  aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1380 
1381  if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1382  {
1383  if( verbose != 0 )
1384  printf( "failed\n" );
1385 
1386  return( 1 );
1387  }
1388  }
1389  else
1390  {
1391  len = aes_test_ctr_len[u];
1392  memcpy( buf, aes_test_ctr_pt[u], len );
1393 
1394  aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1395 
1396  if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1397  {
1398  if( verbose != 0 )
1399  printf( "failed\n" );
1400 
1401  return( 1 );
1402  }
1403  }
1404 
1405  if( verbose != 0 )
1406  printf( "passed\n" );
1407  }
1408 
1409  if( verbose != 0 )
1410  printf( "\n" );
1411 #endif /* POLARSSL_CIPHER_MODE_CTR */
1412 
1413  return( 0 );
1414 }
1415 
1416 #endif
1417 
1418 #endif
#define POLARSSL_AESNI_AES
Definition: aesni.h:32
int aes_crypt_cfb128(aes_context *ctx, int mode, size_t length, size_t *iv_off, unsigned char iv[16], const unsigned char *input, unsigned char *output)
AES-CFB128 buffer encryption/decryption.
uint32_t buf[68]
Definition: aes.h:68
#define AES_DECRYPT
Definition: aes.h:43
AES context structure.
Definition: aes.h:64
Configuration options (set of defines)
int aes_setkey_dec(aes_context *ctx, const unsigned char *key, unsigned int keysize)
AES key schedule (decryption)
AES-NI for hardware AES acceleration on some Intel processors.
int aes_crypt_cbc(aes_context *ctx, int mode, size_t length, unsigned char iv[16], const unsigned char *input, unsigned char *output)
AES-CBC buffer encryption/decryption Length should be a multiple of the block size (16 bytes) ...
AES block cipher.
int aes_self_test(int verbose)
Checkup routine.
#define POLARSSL_ERR_AES_INVALID_KEY_LENGTH
Invalid key length.
Definition: aes.h:45
int aes_crypt_cfb8(aes_context *ctx, int mode, size_t length, unsigned char iv[16], const unsigned char *input, unsigned char *output)
AES-CFB8 buffer encryption/decryption.
#define AES_ENCRYPT
Definition: aes.h:42
uint32_t * rk
Definition: aes.h:67
VIA PadLock ACE for HW encryption/decryption supported by some processors.
int nr
Definition: aes.h:66
#define POLARSSL_ERR_AES_INVALID_INPUT_LENGTH
Invalid data input length.
Definition: aes.h:46
int aes_setkey_enc(aes_context *ctx, const unsigned char *key, unsigned int keysize)
AES key schedule (encryption)
int aes_crypt_ecb(aes_context *ctx, int mode, const unsigned char input[16], unsigned char output[16])
AES-ECB block encryption/decryption.
int aes_crypt_ctr(aes_context *ctx, size_t length, size_t *nc_off, unsigned char nonce_counter[16], unsigned char stream_block[16], const unsigned char *input, unsigned char *output)
AES-CTR buffer encryption/decryption.