PolarSSL v1.3.7
aes.c
Go to the documentation of this file.
1 /*
2  * FIPS-197 compliant AES implementation
3  *
4  * Copyright (C) 2006-2014, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27  *
28  * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29  * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30  */
31 
32 #if !defined(POLARSSL_CONFIG_FILE)
33 #include "polarssl/config.h"
34 #else
35 #include POLARSSL_CONFIG_FILE
36 #endif
37 
38 #if defined(POLARSSL_AES_C)
39 
40 #include "polarssl/aes.h"
41 #if defined(POLARSSL_PADLOCK_C)
42 #include "polarssl/padlock.h"
43 #endif
44 #if defined(POLARSSL_AESNI_C)
45 #include "polarssl/aesni.h"
46 #endif
47 
48 #if defined(POLARSSL_PLATFORM_C)
49 #include "polarssl/platform.h"
50 #else
51 #define polarssl_printf printf
52 #endif
53 
54 #if !defined(POLARSSL_AES_ALT)
55 
56 /*
57  * 32-bit integer manipulation macros (little endian)
58  */
59 #ifndef GET_UINT32_LE
60 #define GET_UINT32_LE(n,b,i) \
61 { \
62  (n) = ( (uint32_t) (b)[(i) ] ) \
63  | ( (uint32_t) (b)[(i) + 1] << 8 ) \
64  | ( (uint32_t) (b)[(i) + 2] << 16 ) \
65  | ( (uint32_t) (b)[(i) + 3] << 24 ); \
66 }
67 #endif
68 
69 #ifndef PUT_UINT32_LE
70 #define PUT_UINT32_LE(n,b,i) \
71 { \
72  (b)[(i) ] = (unsigned char) ( (n) ); \
73  (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
74  (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
75  (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
76 }
77 #endif
78 
79 #if defined(POLARSSL_PADLOCK_C) && \
80  ( defined(POLARSSL_HAVE_X86) || defined(PADLOCK_ALIGN16) )
81 static int aes_padlock_ace = -1;
82 #endif
83 
84 #if defined(POLARSSL_AES_ROM_TABLES)
85 /*
86  * Forward S-box
87  */
88 static const unsigned char FSb[256] =
89 {
90  0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
91  0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
92  0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
93  0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
94  0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
95  0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
96  0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
97  0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
98  0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
99  0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
100  0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
101  0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
102  0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
103  0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
104  0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
105  0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
106  0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
107  0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
108  0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
109  0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
110  0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
111  0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
112  0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
113  0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
114  0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
115  0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
116  0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
117  0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
118  0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
119  0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
120  0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
121  0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
122 };
123 
124 /*
125  * Forward tables
126  */
127 #define FT \
128 \
129  V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
130  V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
131  V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
132  V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
133  V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
134  V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
135  V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
136  V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
137  V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
138  V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
139  V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
140  V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
141  V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
142  V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
143  V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
144  V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
145  V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
146  V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
147  V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
148  V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
149  V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
150  V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
151  V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
152  V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
153  V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
154  V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
155  V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
156  V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
157  V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
158  V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
159  V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
160  V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
161  V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
162  V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
163  V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
164  V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
165  V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
166  V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
167  V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
168  V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
169  V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
170  V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
171  V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
172  V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
173  V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
174  V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
175  V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
176  V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
177  V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
178  V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
179  V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
180  V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
181  V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
182  V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
183  V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
184  V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
185  V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
186  V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
187  V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
188  V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
189  V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
190  V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
191  V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
192  V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
193 
194 #define V(a,b,c,d) 0x##a##b##c##d
195 static const uint32_t FT0[256] = { FT };
196 #undef V
197 
198 #define V(a,b,c,d) 0x##b##c##d##a
199 static const uint32_t FT1[256] = { FT };
200 #undef V
201 
202 #define V(a,b,c,d) 0x##c##d##a##b
203 static const uint32_t FT2[256] = { FT };
204 #undef V
205 
206 #define V(a,b,c,d) 0x##d##a##b##c
207 static const uint32_t FT3[256] = { FT };
208 #undef V
209 
210 #undef FT
211 
212 /*
213  * Reverse S-box
214  */
215 static const unsigned char RSb[256] =
216 {
217  0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
218  0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
219  0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
220  0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
221  0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
222  0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
223  0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
224  0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
225  0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
226  0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
227  0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
228  0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
229  0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
230  0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
231  0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
232  0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
233  0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
234  0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
235  0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
236  0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
237  0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
238  0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
239  0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
240  0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
241  0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
242  0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
243  0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
244  0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
245  0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
246  0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
247  0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
248  0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
249 };
250 
251 /*
252  * Reverse tables
253  */
254 #define RT \
255 \
256  V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
257  V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
258  V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
259  V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
260  V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
261  V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
262  V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
263  V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
264  V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
265  V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
266  V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
267  V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
268  V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
269  V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
270  V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
271  V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
272  V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
273  V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
274  V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
275  V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
276  V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
277  V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
278  V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
279  V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
280  V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
281  V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
282  V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
283  V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
284  V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
285  V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
286  V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
287  V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
288  V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
289  V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
290  V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
291  V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
292  V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
293  V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
294  V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
295  V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
296  V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
297  V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
298  V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
299  V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
300  V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
301  V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
302  V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
303  V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
304  V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
305  V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
306  V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
307  V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
308  V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
309  V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
310  V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
311  V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
312  V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
313  V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
314  V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
315  V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
316  V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
317  V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
318  V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
319  V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
320 
321 #define V(a,b,c,d) 0x##a##b##c##d
322 static const uint32_t RT0[256] = { RT };
323 #undef V
324 
325 #define V(a,b,c,d) 0x##b##c##d##a
326 static const uint32_t RT1[256] = { RT };
327 #undef V
328 
329 #define V(a,b,c,d) 0x##c##d##a##b
330 static const uint32_t RT2[256] = { RT };
331 #undef V
332 
333 #define V(a,b,c,d) 0x##d##a##b##c
334 static const uint32_t RT3[256] = { RT };
335 #undef V
336 
337 #undef RT
338 
339 /*
340  * Round constants
341  */
342 static const uint32_t RCON[10] =
343 {
344  0x00000001, 0x00000002, 0x00000004, 0x00000008,
345  0x00000010, 0x00000020, 0x00000040, 0x00000080,
346  0x0000001B, 0x00000036
347 };
348 
349 #else /* POLARSSL_AES_ROM_TABLES */
350 
351 /*
352  * Forward S-box & tables
353  */
354 static unsigned char FSb[256];
355 static uint32_t FT0[256];
356 static uint32_t FT1[256];
357 static uint32_t FT2[256];
358 static uint32_t FT3[256];
359 
360 /*
361  * Reverse S-box & tables
362  */
363 static unsigned char RSb[256];
364 static uint32_t RT0[256];
365 static uint32_t RT1[256];
366 static uint32_t RT2[256];
367 static uint32_t RT3[256];
368 
369 /*
370  * Round constants
371  */
372 static uint32_t RCON[10];
373 
374 /*
375  * Tables generation code
376  */
377 #define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
378 #define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
379 #define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
380 
381 static int aes_init_done = 0;
382 
383 static void aes_gen_tables( void )
384 {
385  int i, x, y, z;
386  int pow[256];
387  int log[256];
388 
389  /*
390  * compute pow and log tables over GF(2^8)
391  */
392  for( i = 0, x = 1; i < 256; i++ )
393  {
394  pow[i] = x;
395  log[x] = i;
396  x = ( x ^ XTIME( x ) ) & 0xFF;
397  }
398 
399  /*
400  * calculate the round constants
401  */
402  for( i = 0, x = 1; i < 10; i++ )
403  {
404  RCON[i] = (uint32_t) x;
405  x = XTIME( x ) & 0xFF;
406  }
407 
408  /*
409  * generate the forward and reverse S-boxes
410  */
411  FSb[0x00] = 0x63;
412  RSb[0x63] = 0x00;
413 
414  for( i = 1; i < 256; i++ )
415  {
416  x = pow[255 - log[i]];
417 
418  y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
419  x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
420  x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
421  x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
422  x ^= y ^ 0x63;
423 
424  FSb[i] = (unsigned char) x;
425  RSb[x] = (unsigned char) i;
426  }
427 
428  /*
429  * generate the forward and reverse tables
430  */
431  for( i = 0; i < 256; i++ )
432  {
433  x = FSb[i];
434  y = XTIME( x ) & 0xFF;
435  z = ( y ^ x ) & 0xFF;
436 
437  FT0[i] = ( (uint32_t) y ) ^
438  ( (uint32_t) x << 8 ) ^
439  ( (uint32_t) x << 16 ) ^
440  ( (uint32_t) z << 24 );
441 
442  FT1[i] = ROTL8( FT0[i] );
443  FT2[i] = ROTL8( FT1[i] );
444  FT3[i] = ROTL8( FT2[i] );
445 
446  x = RSb[i];
447 
448  RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
449  ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
450  ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
451  ( (uint32_t) MUL( 0x0B, x ) << 24 );
452 
453  RT1[i] = ROTL8( RT0[i] );
454  RT2[i] = ROTL8( RT1[i] );
455  RT3[i] = ROTL8( RT2[i] );
456  }
457 }
458 
459 #endif /* POLARSSL_AES_ROM_TABLES */
460 
461 /*
462  * AES key schedule (encryption)
463  */
464 int aes_setkey_enc( aes_context *ctx, const unsigned char *key,
465  unsigned int keysize )
466 {
467  unsigned int i;
468  uint32_t *RK;
469 
470 #if !defined(POLARSSL_AES_ROM_TABLES)
471  if( aes_init_done == 0 )
472  {
473  aes_gen_tables();
474  aes_init_done = 1;
475 
476  }
477 #endif
478 
479  switch( keysize )
480  {
481  case 128: ctx->nr = 10; break;
482  case 192: ctx->nr = 12; break;
483  case 256: ctx->nr = 14; break;
484  default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
485  }
486 
487 #if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
488  if( aes_padlock_ace == -1 )
489  aes_padlock_ace = padlock_supports( PADLOCK_ACE );
490 
491  if( aes_padlock_ace )
492  ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
493  else
494 #endif
495  ctx->rk = RK = ctx->buf;
496 
497 #if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
498  if( aesni_supports( POLARSSL_AESNI_AES ) )
499  return( aesni_setkey_enc( (unsigned char *) ctx->rk, key, keysize ) );
500 #endif
501 
502  for( i = 0; i < (keysize >> 5); i++ )
503  {
504  GET_UINT32_LE( RK[i], key, i << 2 );
505  }
506 
507  switch( ctx->nr )
508  {
509  case 10:
510 
511  for( i = 0; i < 10; i++, RK += 4 )
512  {
513  RK[4] = RK[0] ^ RCON[i] ^
514  ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
515  ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
516  ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
517  ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
518 
519  RK[5] = RK[1] ^ RK[4];
520  RK[6] = RK[2] ^ RK[5];
521  RK[7] = RK[3] ^ RK[6];
522  }
523  break;
524 
525  case 12:
526 
527  for( i = 0; i < 8; i++, RK += 6 )
528  {
529  RK[6] = RK[0] ^ RCON[i] ^
530  ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
531  ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
532  ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
533  ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
534 
535  RK[7] = RK[1] ^ RK[6];
536  RK[8] = RK[2] ^ RK[7];
537  RK[9] = RK[3] ^ RK[8];
538  RK[10] = RK[4] ^ RK[9];
539  RK[11] = RK[5] ^ RK[10];
540  }
541  break;
542 
543  case 14:
544 
545  for( i = 0; i < 7; i++, RK += 8 )
546  {
547  RK[8] = RK[0] ^ RCON[i] ^
548  ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
549  ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
550  ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
551  ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
552 
553  RK[9] = RK[1] ^ RK[8];
554  RK[10] = RK[2] ^ RK[9];
555  RK[11] = RK[3] ^ RK[10];
556 
557  RK[12] = RK[4] ^
558  ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
559  ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
560  ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
561  ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
562 
563  RK[13] = RK[5] ^ RK[12];
564  RK[14] = RK[6] ^ RK[13];
565  RK[15] = RK[7] ^ RK[14];
566  }
567  break;
568 
569  default:
570 
571  break;
572  }
573 
574  return( 0 );
575 }
576 
577 /*
578  * AES key schedule (decryption)
579  */
580 int aes_setkey_dec( aes_context *ctx, const unsigned char *key,
581  unsigned int keysize )
582 {
583  int i, j;
584  aes_context cty;
585  uint32_t *RK;
586  uint32_t *SK;
587  int ret;
588 
589  switch( keysize )
590  {
591  case 128: ctx->nr = 10; break;
592  case 192: ctx->nr = 12; break;
593  case 256: ctx->nr = 14; break;
594  default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
595  }
596 
597 #if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
598  if( aes_padlock_ace == -1 )
599  aes_padlock_ace = padlock_supports( PADLOCK_ACE );
600 
601  if( aes_padlock_ace )
602  ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
603  else
604 #endif
605  ctx->rk = RK = ctx->buf;
606 
607  ret = aes_setkey_enc( &cty, key, keysize );
608  if( ret != 0 )
609  return( ret );
610 
611 #if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
612  if( aesni_supports( POLARSSL_AESNI_AES ) )
613  {
614  aesni_inverse_key( (unsigned char *) ctx->rk,
615  (const unsigned char *) cty.rk, ctx->nr );
616  goto done;
617  }
618 #endif
619 
620  SK = cty.rk + cty.nr * 4;
621 
622  *RK++ = *SK++;
623  *RK++ = *SK++;
624  *RK++ = *SK++;
625  *RK++ = *SK++;
626 
627  for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
628  {
629  for( j = 0; j < 4; j++, SK++ )
630  {
631  *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
632  RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
633  RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
634  RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
635  }
636  }
637 
638  *RK++ = *SK++;
639  *RK++ = *SK++;
640  *RK++ = *SK++;
641  *RK++ = *SK++;
642 
643 #if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
644 done:
645 #endif
646  memset( &cty, 0, sizeof( aes_context ) );
647 
648  return( 0 );
649 }
650 
651 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
652 { \
653  X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
654  FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
655  FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
656  FT3[ ( Y3 >> 24 ) & 0xFF ]; \
657  \
658  X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
659  FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
660  FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
661  FT3[ ( Y0 >> 24 ) & 0xFF ]; \
662  \
663  X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
664  FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
665  FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
666  FT3[ ( Y1 >> 24 ) & 0xFF ]; \
667  \
668  X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
669  FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
670  FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
671  FT3[ ( Y2 >> 24 ) & 0xFF ]; \
672 }
673 
674 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
675 { \
676  X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
677  RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
678  RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
679  RT3[ ( Y1 >> 24 ) & 0xFF ]; \
680  \
681  X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
682  RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
683  RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
684  RT3[ ( Y2 >> 24 ) & 0xFF ]; \
685  \
686  X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
687  RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
688  RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
689  RT3[ ( Y3 >> 24 ) & 0xFF ]; \
690  \
691  X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
692  RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
693  RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
694  RT3[ ( Y0 >> 24 ) & 0xFF ]; \
695 }
696 
697 /*
698  * AES-ECB block encryption/decryption
699  */
700 int aes_crypt_ecb( aes_context *ctx,
701  int mode,
702  const unsigned char input[16],
703  unsigned char output[16] )
704 {
705  int i;
706  uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
707 
708 #if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
709  if( aesni_supports( POLARSSL_AESNI_AES ) )
710  return( aesni_crypt_ecb( ctx, mode, input, output ) );
711 #endif
712 
713 #if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
714  if( aes_padlock_ace )
715  {
716  if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
717  return( 0 );
718 
719  // If padlock data misaligned, we just fall back to
720  // unaccelerated mode
721  //
722  }
723 #endif
724 
725  RK = ctx->rk;
726 
727  GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
728  GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
729  GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
730  GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
731 
732  if( mode == AES_DECRYPT )
733  {
734  for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
735  {
736  AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
737  AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
738  }
739 
740  AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
741 
742  X0 = *RK++ ^ \
743  ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
744  ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
745  ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
746  ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
747 
748  X1 = *RK++ ^ \
749  ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
750  ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
751  ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
752  ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
753 
754  X2 = *RK++ ^ \
755  ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
756  ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
757  ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
758  ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
759 
760  X3 = *RK++ ^ \
761  ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
762  ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
763  ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
764  ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
765  }
766  else /* AES_ENCRYPT */
767  {
768  for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
769  {
770  AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
771  AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
772  }
773 
774  AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
775 
776  X0 = *RK++ ^ \
777  ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
778  ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
779  ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
780  ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
781 
782  X1 = *RK++ ^ \
783  ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
784  ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
785  ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
786  ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
787 
788  X2 = *RK++ ^ \
789  ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
790  ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
791  ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
792  ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
793 
794  X3 = *RK++ ^ \
795  ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
796  ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
797  ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
798  ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
799  }
800 
801  PUT_UINT32_LE( X0, output, 0 );
802  PUT_UINT32_LE( X1, output, 4 );
803  PUT_UINT32_LE( X2, output, 8 );
804  PUT_UINT32_LE( X3, output, 12 );
805 
806  return( 0 );
807 }
808 
809 #if defined(POLARSSL_CIPHER_MODE_CBC)
810 /*
811  * AES-CBC buffer encryption/decryption
812  */
813 int aes_crypt_cbc( aes_context *ctx,
814  int mode,
815  size_t length,
816  unsigned char iv[16],
817  const unsigned char *input,
818  unsigned char *output )
819 {
820  int i;
821  unsigned char temp[16];
822 
823  if( length % 16 )
825 
826 #if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
827  if( aes_padlock_ace )
828  {
829  if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
830  return( 0 );
831 
832  // If padlock data misaligned, we just fall back to
833  // unaccelerated mode
834  //
835  }
836 #endif
837 
838  if( mode == AES_DECRYPT )
839  {
840  while( length > 0 )
841  {
842  memcpy( temp, input, 16 );
843  aes_crypt_ecb( ctx, mode, input, output );
844 
845  for( i = 0; i < 16; i++ )
846  output[i] = (unsigned char)( output[i] ^ iv[i] );
847 
848  memcpy( iv, temp, 16 );
849 
850  input += 16;
851  output += 16;
852  length -= 16;
853  }
854  }
855  else
856  {
857  while( length > 0 )
858  {
859  for( i = 0; i < 16; i++ )
860  output[i] = (unsigned char)( input[i] ^ iv[i] );
861 
862  aes_crypt_ecb( ctx, mode, output, output );
863  memcpy( iv, output, 16 );
864 
865  input += 16;
866  output += 16;
867  length -= 16;
868  }
869  }
870 
871  return( 0 );
872 }
873 #endif /* POLARSSL_CIPHER_MODE_CBC */
874 
875 #if defined(POLARSSL_CIPHER_MODE_CFB)
876 /*
877  * AES-CFB128 buffer encryption/decryption
878  */
879 int aes_crypt_cfb128( aes_context *ctx,
880  int mode,
881  size_t length,
882  size_t *iv_off,
883  unsigned char iv[16],
884  const unsigned char *input,
885  unsigned char *output )
886 {
887  int c;
888  size_t n = *iv_off;
889 
890  if( mode == AES_DECRYPT )
891  {
892  while( length-- )
893  {
894  if( n == 0 )
895  aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
896 
897  c = *input++;
898  *output++ = (unsigned char)( c ^ iv[n] );
899  iv[n] = (unsigned char) c;
900 
901  n = (n + 1) & 0x0F;
902  }
903  }
904  else
905  {
906  while( length-- )
907  {
908  if( n == 0 )
909  aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
910 
911  iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
912 
913  n = (n + 1) & 0x0F;
914  }
915  }
916 
917  *iv_off = n;
918 
919  return( 0 );
920 }
921 
922 /*
923  * AES-CFB8 buffer encryption/decryption
924  */
925 #include <stdio.h>
926 int aes_crypt_cfb8( aes_context *ctx,
927  int mode,
928  size_t length,
929  unsigned char iv[16],
930  const unsigned char *input,
931  unsigned char *output )
932 {
933  unsigned char c;
934  unsigned char ov[17];
935 
936  while( length-- )
937  {
938  memcpy(ov, iv, 16);
939  aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
940 
941  if( mode == AES_DECRYPT )
942  ov[16] = *input;
943 
944  c = *output++ = (unsigned char)( iv[0] ^ *input++ );
945 
946  if( mode == AES_ENCRYPT )
947  ov[16] = c;
948 
949  memcpy(iv, ov + 1, 16);
950  }
951 
952  return( 0 );
953 }
954 #endif /*POLARSSL_CIPHER_MODE_CFB */
955 
956 #if defined(POLARSSL_CIPHER_MODE_CTR)
957 /*
958  * AES-CTR buffer encryption/decryption
959  */
960 int aes_crypt_ctr( aes_context *ctx,
961  size_t length,
962  size_t *nc_off,
963  unsigned char nonce_counter[16],
964  unsigned char stream_block[16],
965  const unsigned char *input,
966  unsigned char *output )
967 {
968  int c, i;
969  size_t n = *nc_off;
970 
971  while( length-- )
972  {
973  if( n == 0 ) {
974  aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
975 
976  for( i = 16; i > 0; i-- )
977  if( ++nonce_counter[i - 1] != 0 )
978  break;
979  }
980  c = *input++;
981  *output++ = (unsigned char)( c ^ stream_block[n] );
982 
983  n = (n + 1) & 0x0F;
984  }
985 
986  *nc_off = n;
987 
988  return( 0 );
989 }
990 #endif /* POLARSSL_CIPHER_MODE_CTR */
991 
992 #endif /* !POLARSSL_AES_ALT */
993 
994 #if defined(POLARSSL_SELF_TEST)
995 
996 #include <stdio.h>
997 
998 /*
999  * AES test vectors from:
1000  *
1001  * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1002  */
1003 static const unsigned char aes_test_ecb_dec[3][16] =
1004 {
1005  { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1006  0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1007  { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1008  0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1009  { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1010  0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1011 };
1012 
1013 static const unsigned char aes_test_ecb_enc[3][16] =
1014 {
1015  { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1016  0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1017  { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1018  0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1019  { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1020  0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1021 };
1022 
1023 #if defined(POLARSSL_CIPHER_MODE_CBC)
1024 static const unsigned char aes_test_cbc_dec[3][16] =
1025 {
1026  { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1027  0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1028  { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1029  0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1030  { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1031  0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1032 };
1033 
1034 static const unsigned char aes_test_cbc_enc[3][16] =
1035 {
1036  { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1037  0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1038  { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1039  0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1040  { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1041  0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1042 };
1043 #endif /* POLARSSL_CIPHER_MODE_CBC */
1044 
1045 #if defined(POLARSSL_CIPHER_MODE_CFB)
1046 /*
1047  * AES-CFB128 test vectors from:
1048  *
1049  * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1050  */
1051 static const unsigned char aes_test_cfb128_key[3][32] =
1052 {
1053  { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1054  0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1055  { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1056  0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1057  0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1058  { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1059  0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1060  0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1061  0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1062 };
1063 
1064 static const unsigned char aes_test_cfb128_iv[16] =
1065 {
1066  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1067  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1068 };
1069 
1070 static const unsigned char aes_test_cfb128_pt[64] =
1071 {
1072  0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1073  0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1074  0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1075  0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1076  0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1077  0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1078  0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1079  0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1080 };
1081 
1082 static const unsigned char aes_test_cfb128_ct[3][64] =
1083 {
1084  { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1085  0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1086  0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1087  0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1088  0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1089  0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1090  0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1091  0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1092  { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1093  0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1094  0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1095  0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1096  0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1097  0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1098  0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1099  0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1100  { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1101  0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1102  0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1103  0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1104  0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1105  0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1106  0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1107  0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1108 };
1109 #endif /* POLARSSL_CIPHER_MODE_CFB */
1110 
1111 #if defined(POLARSSL_CIPHER_MODE_CTR)
1112 /*
1113  * AES-CTR test vectors from:
1114  *
1115  * http://www.faqs.org/rfcs/rfc3686.html
1116  */
1117 
1118 static const unsigned char aes_test_ctr_key[3][16] =
1119 {
1120  { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1121  0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1122  { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1123  0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1124  { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1125  0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1126 };
1127 
1128 static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1129 {
1130  { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1131  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1132  { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1133  0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1134  { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1135  0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1136 };
1137 
1138 static const unsigned char aes_test_ctr_pt[3][48] =
1139 {
1140  { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1141  0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1142 
1143  { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1144  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1145  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1146  0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1147 
1148  { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1149  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1150  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1151  0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1152  0x20, 0x21, 0x22, 0x23 }
1153 };
1154 
1155 static const unsigned char aes_test_ctr_ct[3][48] =
1156 {
1157  { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1158  0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1159  { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1160  0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1161  0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1162  0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1163  { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1164  0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1165  0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1166  0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1167  0x25, 0xB2, 0x07, 0x2F }
1168 };
1169 
1170 static const int aes_test_ctr_len[3] =
1171  { 16, 32, 36 };
1172 #endif /* POLARSSL_CIPHER_MODE_CTR */
1173 
1174 /*
1175  * Checkup routine
1176  */
1177 int aes_self_test( int verbose )
1178 {
1179  int i, j, u, v;
1180  unsigned char key[32];
1181  unsigned char buf[64];
1182  unsigned char iv[16];
1183 #if defined(POLARSSL_CIPHER_MODE_CBC)
1184  unsigned char prv[16];
1185 #endif
1186 #if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
1187  size_t offset;
1188 #endif
1189 #if defined(POLARSSL_CIPHER_MODE_CTR)
1190  int len;
1191  unsigned char nonce_counter[16];
1192  unsigned char stream_block[16];
1193 #endif
1194  aes_context ctx;
1195 
1196  memset( key, 0, 32 );
1197 
1198  /*
1199  * ECB mode
1200  */
1201  for( i = 0; i < 6; i++ )
1202  {
1203  u = i >> 1;
1204  v = i & 1;
1205 
1206  if( verbose != 0 )
1207  polarssl_printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1208  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1209 
1210  memset( buf, 0, 16 );
1211 
1212  if( v == AES_DECRYPT )
1213  {
1214  aes_setkey_dec( &ctx, key, 128 + u * 64 );
1215 
1216  for( j = 0; j < 10000; j++ )
1217  aes_crypt_ecb( &ctx, v, buf, buf );
1218 
1219  if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1220  {
1221  if( verbose != 0 )
1222  polarssl_printf( "failed\n" );
1223 
1224  return( 1 );
1225  }
1226  }
1227  else
1228  {
1229  aes_setkey_enc( &ctx, key, 128 + u * 64 );
1230 
1231  for( j = 0; j < 10000; j++ )
1232  aes_crypt_ecb( &ctx, v, buf, buf );
1233 
1234  if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1235  {
1236  if( verbose != 0 )
1237  polarssl_printf( "failed\n" );
1238 
1239  return( 1 );
1240  }
1241  }
1242 
1243  if( verbose != 0 )
1244  polarssl_printf( "passed\n" );
1245  }
1246 
1247  if( verbose != 0 )
1248  polarssl_printf( "\n" );
1249 
1250 #if defined(POLARSSL_CIPHER_MODE_CBC)
1251  /*
1252  * CBC mode
1253  */
1254  for( i = 0; i < 6; i++ )
1255  {
1256  u = i >> 1;
1257  v = i & 1;
1258 
1259  if( verbose != 0 )
1260  polarssl_printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1261  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1262 
1263  memset( iv , 0, 16 );
1264  memset( prv, 0, 16 );
1265  memset( buf, 0, 16 );
1266 
1267  if( v == AES_DECRYPT )
1268  {
1269  aes_setkey_dec( &ctx, key, 128 + u * 64 );
1270 
1271  for( j = 0; j < 10000; j++ )
1272  aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1273 
1274  if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1275  {
1276  if( verbose != 0 )
1277  polarssl_printf( "failed\n" );
1278 
1279  return( 1 );
1280  }
1281  }
1282  else
1283  {
1284  aes_setkey_enc( &ctx, key, 128 + u * 64 );
1285 
1286  for( j = 0; j < 10000; j++ )
1287  {
1288  unsigned char tmp[16];
1289 
1290  aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1291 
1292  memcpy( tmp, prv, 16 );
1293  memcpy( prv, buf, 16 );
1294  memcpy( buf, tmp, 16 );
1295  }
1296 
1297  if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1298  {
1299  if( verbose != 0 )
1300  polarssl_printf( "failed\n" );
1301 
1302  return( 1 );
1303  }
1304  }
1305 
1306  if( verbose != 0 )
1307  polarssl_printf( "passed\n" );
1308  }
1309 
1310  if( verbose != 0 )
1311  polarssl_printf( "\n" );
1312 #endif /* POLARSSL_CIPHER_MODE_CBC */
1313 
1314 #if defined(POLARSSL_CIPHER_MODE_CFB)
1315  /*
1316  * CFB128 mode
1317  */
1318  for( i = 0; i < 6; i++ )
1319  {
1320  u = i >> 1;
1321  v = i & 1;
1322 
1323  if( verbose != 0 )
1324  polarssl_printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1325  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1326 
1327  memcpy( iv, aes_test_cfb128_iv, 16 );
1328  memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1329 
1330  offset = 0;
1331  aes_setkey_enc( &ctx, key, 128 + u * 64 );
1332 
1333  if( v == AES_DECRYPT )
1334  {
1335  memcpy( buf, aes_test_cfb128_ct[u], 64 );
1336  aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1337 
1338  if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1339  {
1340  if( verbose != 0 )
1341  polarssl_printf( "failed\n" );
1342 
1343  return( 1 );
1344  }
1345  }
1346  else
1347  {
1348  memcpy( buf, aes_test_cfb128_pt, 64 );
1349  aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1350 
1351  if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1352  {
1353  if( verbose != 0 )
1354  polarssl_printf( "failed\n" );
1355 
1356  return( 1 );
1357  }
1358  }
1359 
1360  if( verbose != 0 )
1361  polarssl_printf( "passed\n" );
1362  }
1363 
1364  if( verbose != 0 )
1365  polarssl_printf( "\n" );
1366 #endif /* POLARSSL_CIPHER_MODE_CFB */
1367 
1368 #if defined(POLARSSL_CIPHER_MODE_CTR)
1369  /*
1370  * CTR mode
1371  */
1372  for( i = 0; i < 6; i++ )
1373  {
1374  u = i >> 1;
1375  v = i & 1;
1376 
1377  if( verbose != 0 )
1378  polarssl_printf( " AES-CTR-128 (%s): ",
1379  ( v == AES_DECRYPT ) ? "dec" : "enc" );
1380 
1381  memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1382  memcpy( key, aes_test_ctr_key[u], 16 );
1383 
1384  offset = 0;
1385  aes_setkey_enc( &ctx, key, 128 );
1386 
1387  if( v == AES_DECRYPT )
1388  {
1389  len = aes_test_ctr_len[u];
1390  memcpy( buf, aes_test_ctr_ct[u], len );
1391 
1392  aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1393  buf, buf );
1394 
1395  if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1396  {
1397  if( verbose != 0 )
1398  polarssl_printf( "failed\n" );
1399 
1400  return( 1 );
1401  }
1402  }
1403  else
1404  {
1405  len = aes_test_ctr_len[u];
1406  memcpy( buf, aes_test_ctr_pt[u], len );
1407 
1408  aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1409  buf, buf );
1410 
1411  if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1412  {
1413  if( verbose != 0 )
1414  polarssl_printf( "failed\n" );
1415 
1416  return( 1 );
1417  }
1418  }
1419 
1420  if( verbose != 0 )
1421  polarssl_printf( "passed\n" );
1422  }
1423 
1424  if( verbose != 0 )
1425  polarssl_printf( "\n" );
1426 #endif /* POLARSSL_CIPHER_MODE_CTR */
1427 
1428  return( 0 );
1429 }
1430 
1431 #endif /* POLARSSL_SELF_TEST */
1432 
1433 #endif /* POLARSSL_AES_C */
#define POLARSSL_AESNI_AES
Definition: aesni.h:32
int aes_crypt_cfb128(aes_context *ctx, int mode, size_t length, size_t *iv_off, unsigned char iv[16], const unsigned char *input, unsigned char *output)
AES-CFB128 buffer encryption/decryption.
uint32_t buf[68]
Definition: aes.h:72
#define AES_DECRYPT
Definition: aes.h:47
AES context structure.
Definition: aes.h:68
Configuration options (set of defines)
int aes_setkey_dec(aes_context *ctx, const unsigned char *key, unsigned int keysize)
AES key schedule (decryption)
PolarSSL Platform abstraction layer.
AES-NI for hardware AES acceleration on some Intel processors.
int aes_crypt_cbc(aes_context *ctx, int mode, size_t length, unsigned char iv[16], const unsigned char *input, unsigned char *output)
AES-CBC buffer encryption/decryption Length should be a multiple of the block size (16 bytes) ...
AES block cipher.
int aes_self_test(int verbose)
Checkup routine.
#define POLARSSL_ERR_AES_INVALID_KEY_LENGTH
Invalid key length.
Definition: aes.h:49
int aes_crypt_cfb8(aes_context *ctx, int mode, size_t length, unsigned char iv[16], const unsigned char *input, unsigned char *output)
AES-CFB8 buffer encryption/decryption.
#define AES_ENCRYPT
Definition: aes.h:46
#define polarssl_printf
Definition: platform.h:109
uint32_t * rk
Definition: aes.h:71
VIA PadLock ACE for HW encryption/decryption supported by some processors.
int nr
Definition: aes.h:70
#define POLARSSL_ERR_AES_INVALID_INPUT_LENGTH
Invalid data input length.
Definition: aes.h:50
int aes_setkey_enc(aes_context *ctx, const unsigned char *key, unsigned int keysize)
AES key schedule (encryption)
int aes_crypt_ecb(aes_context *ctx, int mode, const unsigned char input[16], unsigned char output[16])
AES-ECB block encryption/decryption.
int aes_crypt_ctr(aes_context *ctx, size_t length, size_t *nc_off, unsigned char nonce_counter[16], unsigned char stream_block[16], const unsigned char *input, unsigned char *output)
AES-CTR buffer encryption/decryption.