Google Git
Sign in
pigweed / third_party / github / ARMmbed / mbedtls / 887bd502d2f2052816adbb21be254b254ad8d9a0 / . / library / aes.c
blob: ce418d679b09a021f5f496008f0fd314472f3bac [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]4 * Copyright (C) 2006-2010, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27 *
28 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30 */
31
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]32#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#include "polarssl/aes.h"
37#include "polarssl/padlock.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]38
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]39/*
40 * 32-bit integer manipulation macros (little endian)
41 */
42#ifndef GET_ULONG_LE
43#define GET_ULONG_LE(n,b,i) \
44{ \
45 (n) = ( (unsigned long) (b)[(i) ] ) \
46 | ( (unsigned long) (b)[(i) + 1] << 8 ) \
47 | ( (unsigned long) (b)[(i) + 2] << 16 ) \
48 | ( (unsigned long) (b)[(i) + 3] << 24 ); \
49}
50#endif
51
52#ifndef PUT_ULONG_LE
53#define PUT_ULONG_LE(n,b,i) \
54{ \
55 (b)[(i) ] = (unsigned char) ( (n) ); \
56 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
57 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
58 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
59}
60#endif
61
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]62#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]63/*
64 * Forward S-box
65 */
66static const unsigned char FSb[256] =
67{
68 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
69 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
70 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
71 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
72 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
73 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
74 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
75 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
76 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
77 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
78 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
79 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
80 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
81 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
82 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
83 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
84 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
85 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
86 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
87 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
88 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
89 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
90 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
91 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
92 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
93 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
94 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
95 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
96 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
97 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
98 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
99 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
100};
101
102/*
103 * Forward tables
104 */
105#define FT \
106\
107 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
108 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
109 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
110 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
111 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
112 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
113 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
114 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
115 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
116 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
117 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
118 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
119 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
120 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
121 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
122 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
123 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
124 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
125 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
126 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
127 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
128 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
129 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
130 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
131 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
132 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
133 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
134 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
135 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
136 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
137 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
138 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
139 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
140 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
141 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
142 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
143 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
144 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
145 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
146 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
147 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
148 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
149 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
150 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
151 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
152 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
153 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
154 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
155 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
156 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
157 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
158 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
159 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
160 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
161 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
162 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
163 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
164 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
165 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
166 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
167 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
168 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
169 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
170 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
171
172#define V(a,b,c,d) 0x##a##b##c##d
173static const unsigned long FT0[256] = { FT };
174#undef V
175
176#define V(a,b,c,d) 0x##b##c##d##a
177static const unsigned long FT1[256] = { FT };
178#undef V
179
180#define V(a,b,c,d) 0x##c##d##a##b
181static const unsigned long FT2[256] = { FT };
182#undef V
183
184#define V(a,b,c,d) 0x##d##a##b##c
185static const unsigned long FT3[256] = { FT };
186#undef V
187
188#undef FT
189
190/*
191 * Reverse S-box
192 */
193static const unsigned char RSb[256] =
194{
195 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
196 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
197 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
198 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
199 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
200 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
201 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
202 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
203 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
204 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
205 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
206 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
207 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
208 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
209 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
210 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
211 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
212 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
213 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
214 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
215 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
216 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
217 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
218 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
219 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
220 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
221 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
222 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
223 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
224 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
225 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
226 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
227};
228
229/*
230 * Reverse tables
231 */
232#define RT \
233\
234 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
235 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
236 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
237 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
238 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
239 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
240 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
241 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
242 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
243 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
244 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
245 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
246 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
247 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
248 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
249 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
250 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
251 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
252 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
253 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
254 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
255 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
256 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
257 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
258 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
259 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
260 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
261 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
262 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
263 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
264 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
265 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
266 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
267 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
268 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
269 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
270 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
271 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
272 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
273 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
274 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
275 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
276 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
277 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
278 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
279 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
280 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
281 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
282 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
283 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
284 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
285 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
286 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
287 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
288 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
289 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
290 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
291 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
292 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
293 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
294 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
295 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
296 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
297 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
298
299#define V(a,b,c,d) 0x##a##b##c##d
300static const unsigned long RT0[256] = { RT };
301#undef V
302
303#define V(a,b,c,d) 0x##b##c##d##a
304static const unsigned long RT1[256] = { RT };
305#undef V
306
307#define V(a,b,c,d) 0x##c##d##a##b
308static const unsigned long RT2[256] = { RT };
309#undef V
310
311#define V(a,b,c,d) 0x##d##a##b##c
312static const unsigned long RT3[256] = { RT };
313#undef V
314
315#undef RT
316
317/*
318 * Round constants
319 */
320static const unsigned long RCON[10] =
321{
322 0x00000001, 0x00000002, 0x00000004, 0x00000008,
323 0x00000010, 0x00000020, 0x00000040, 0x00000080,
324 0x0000001B, 0x00000036
325};
326
327#else
328
329/*
330 * Forward S-box & tables
331 */
332static unsigned char FSb[256];
333static unsigned long FT0[256];
334static unsigned long FT1[256];
335static unsigned long FT2[256];
336static unsigned long FT3[256];
337
338/*
339 * Reverse S-box & tables
340 */
341static unsigned char RSb[256];
342static unsigned long RT0[256];
343static unsigned long RT1[256];
344static unsigned long RT2[256];
345static unsigned long RT3[256];
346
347/*
348 * Round constants
349 */
350static unsigned long RCON[10];
351
352/*
353 * Tables generation code
354 */
355#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
356#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
357#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
358
359static int aes_init_done = 0;
360
361static void aes_gen_tables( void )
362{
363 int i, x, y, z;
364 int pow[256];
365 int log[256];
366
367 /*
368 * compute pow and log tables over GF(2^8)
369 */
370 for( i = 0, x = 1; i < 256; i++ )
371 {
372 pow[i] = x;
373 log[x] = i;
374 x = ( x ^ XTIME( x ) ) & 0xFF;
375 }
376
377 /*
378 * calculate the round constants
379 */
380 for( i = 0, x = 1; i < 10; i++ )
381 {
382 RCON[i] = (unsigned long) x;
383 x = XTIME( x ) & 0xFF;
384 }
385
386 /*
387 * generate the forward and reverse S-boxes
388 */
389 FSb[0x00] = 0x63;
390 RSb[0x63] = 0x00;
391
392 for( i = 1; i < 256; i++ )
393 {
394 x = pow[255 - log[i]];
395
396 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
397 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
398 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
399 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
400 x ^= y ^ 0x63;
401
402 FSb[i] = (unsigned char) x;
403 RSb[x] = (unsigned char) i;
404 }
405
406 /*
407 * generate the forward and reverse tables
408 */
409 for( i = 0; i < 256; i++ )
410 {
411 x = FSb[i];
412 y = XTIME( x ) & 0xFF;
413 z = ( y ^ x ) & 0xFF;
414
415 FT0[i] = ( (unsigned long) y ) ^
416 ( (unsigned long) x << 8 ) ^
417 ( (unsigned long) x << 16 ) ^
418 ( (unsigned long) z << 24 );
419
420 FT1[i] = ROTL8( FT0[i] );
421 FT2[i] = ROTL8( FT1[i] );
422 FT3[i] = ROTL8( FT2[i] );
423
424 x = RSb[i];
425
426 RT0[i] = ( (unsigned long) MUL( 0x0E, x ) ) ^
427 ( (unsigned long) MUL( 0x09, x ) << 8 ) ^
428 ( (unsigned long) MUL( 0x0D, x ) << 16 ) ^
429 ( (unsigned long) MUL( 0x0B, x ) << 24 );
430
431 RT1[i] = ROTL8( RT0[i] );
432 RT2[i] = ROTL8( RT1[i] );
433 RT3[i] = ROTL8( RT2[i] );
434 }
435}
436
437#endif
438
439/*
440 * AES key schedule (encryption)
441 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]442int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]443{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]444 unsigned int i;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]445 unsigned long *RK;
446
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]447#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]448 if( aes_init_done == 0 )
449 {
450 aes_gen_tables();
451 aes_init_done = 1;
452 }
453#endif
454
455 switch( keysize )
456 {
457 case 128: ctx->nr = 10; break;
458 case 192: ctx->nr = 12; break;
459 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]460 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]461 }
462
463#if defined(PADLOCK_ALIGN16)
464 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
465#else
466 ctx->rk = RK = ctx->buf;
467#endif
468
469 for( i = 0; i < (keysize >> 5); i++ )
470 {
471 GET_ULONG_LE( RK[i], key, i << 2 );
472 }
473
474 switch( ctx->nr )
475 {
476 case 10:
477
478 for( i = 0; i < 10; i++, RK += 4 )
479 {
480 RK[4] = RK[0] ^ RCON[i] ^
481 ( (unsigned long) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
482 ( (unsigned long) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
483 ( (unsigned long) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
484 ( (unsigned long) FSb[ ( RK[3] ) & 0xFF ] << 24 );
485
486 RK[5] = RK[1] ^ RK[4];
487 RK[6] = RK[2] ^ RK[5];
488 RK[7] = RK[3] ^ RK[6];
489 }
490 break;
491
492 case 12:
493
494 for( i = 0; i < 8; i++, RK += 6 )
495 {
496 RK[6] = RK[0] ^ RCON[i] ^
497 ( (unsigned long) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
498 ( (unsigned long) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
499 ( (unsigned long) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
500 ( (unsigned long) FSb[ ( RK[5] ) & 0xFF ] << 24 );
501
502 RK[7] = RK[1] ^ RK[6];
503 RK[8] = RK[2] ^ RK[7];
504 RK[9] = RK[3] ^ RK[8];
505 RK[10] = RK[4] ^ RK[9];
506 RK[11] = RK[5] ^ RK[10];
507 }
508 break;
509
510 case 14:
511
512 for( i = 0; i < 7; i++, RK += 8 )
513 {
514 RK[8] = RK[0] ^ RCON[i] ^
515 ( (unsigned long) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
516 ( (unsigned long) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
517 ( (unsigned long) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
518 ( (unsigned long) FSb[ ( RK[7] ) & 0xFF ] << 24 );
519
520 RK[9] = RK[1] ^ RK[8];
521 RK[10] = RK[2] ^ RK[9];
522 RK[11] = RK[3] ^ RK[10];
523
524 RK[12] = RK[4] ^
525 ( (unsigned long) FSb[ ( RK[11] ) & 0xFF ] ) ^
526 ( (unsigned long) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
527 ( (unsigned long) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
528 ( (unsigned long) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
529
530 RK[13] = RK[5] ^ RK[12];
531 RK[14] = RK[6] ^ RK[13];
532 RK[15] = RK[7] ^ RK[14];
533 }
534 break;
535
536 default:
537
538 break;
539 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]540
541 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]542}
543
544/*
545 * AES key schedule (decryption)
546 */
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]547int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]548{
549 int i, j;
550 aes_context cty;
551 unsigned long *RK;
552 unsigned long *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]553 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]554
555 switch( keysize )
556 {
557 case 128: ctx->nr = 10; break;
558 case 192: ctx->nr = 12; break;
559 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]560 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]561 }
562
563#if defined(PADLOCK_ALIGN16)
564 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
565#else
566 ctx->rk = RK = ctx->buf;
567#endif
568
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]569 ret = aes_setkey_enc( &cty, key, keysize );
570 if( ret != 0 )
571 return( ret );
572
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]573 SK = cty.rk + cty.nr * 4;
574
575 *RK++ = *SK++;
576 *RK++ = *SK++;
577 *RK++ = *SK++;
578 *RK++ = *SK++;
579
580 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
581 {
582 for( j = 0; j < 4; j++, SK++ )
583 {
584 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
585 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
586 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
587 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
588 }
589 }
590
591 *RK++ = *SK++;
592 *RK++ = *SK++;
593 *RK++ = *SK++;
594 *RK++ = *SK++;
595
596 memset( &cty, 0, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]597
598 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]599}
600
601#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
602{ \
603 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
604 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
605 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
606 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
607 \
608 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
609 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
610 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
611 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
612 \
613 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
614 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
615 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
616 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
617 \
618 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
619 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
620 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
621 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
622}
623
624#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
625{ \
626 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
627 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
628 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
629 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
630 \
631 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
632 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
633 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
634 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
635 \
636 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
637 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
638 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
639 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
640 \
641 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
642 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
643 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
644 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
645}
646
647/*
648 * AES-ECB block encryption/decryption
649 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]650int aes_crypt_ecb( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]651 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]652 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]653 unsigned char output[16] )
654{
655 int i;
656 unsigned long *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
657
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]658#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]659 if( padlock_supports( PADLOCK_ACE ) )
660 {
661 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]662 return( 0 );
663
664 // If padlock data misaligned, we just fall back to
665 // unaccelerated mode
666 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]667 }
668#endif
669
670 RK = ctx->rk;
671
672 GET_ULONG_LE( X0, input, 0 ); X0 ^= *RK++;
673 GET_ULONG_LE( X1, input, 4 ); X1 ^= *RK++;
674 GET_ULONG_LE( X2, input, 8 ); X2 ^= *RK++;
675 GET_ULONG_LE( X3, input, 12 ); X3 ^= *RK++;
676
677 if( mode == AES_DECRYPT )
678 {
679 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
680 {
681 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
682 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
683 }
684
685 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
686
687 X0 = *RK++ ^ \
688 ( (unsigned long) RSb[ ( Y0 ) & 0xFF ] ) ^
689 ( (unsigned long) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
690 ( (unsigned long) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
691 ( (unsigned long) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
692
693 X1 = *RK++ ^ \
694 ( (unsigned long) RSb[ ( Y1 ) & 0xFF ] ) ^
695 ( (unsigned long) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
696 ( (unsigned long) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
697 ( (unsigned long) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
698
699 X2 = *RK++ ^ \
700 ( (unsigned long) RSb[ ( Y2 ) & 0xFF ] ) ^
701 ( (unsigned long) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
702 ( (unsigned long) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
703 ( (unsigned long) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
704
705 X3 = *RK++ ^ \
706 ( (unsigned long) RSb[ ( Y3 ) & 0xFF ] ) ^
707 ( (unsigned long) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
708 ( (unsigned long) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
709 ( (unsigned long) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
710 }
711 else /* AES_ENCRYPT */
712 {
713 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
714 {
715 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
716 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
717 }
718
719 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
720
721 X0 = *RK++ ^ \
722 ( (unsigned long) FSb[ ( Y0 ) & 0xFF ] ) ^
723 ( (unsigned long) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
724 ( (unsigned long) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
725 ( (unsigned long) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
726
727 X1 = *RK++ ^ \
728 ( (unsigned long) FSb[ ( Y1 ) & 0xFF ] ) ^
729 ( (unsigned long) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
730 ( (unsigned long) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
731 ( (unsigned long) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
732
733 X2 = *RK++ ^ \
734 ( (unsigned long) FSb[ ( Y2 ) & 0xFF ] ) ^
735 ( (unsigned long) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
736 ( (unsigned long) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
737 ( (unsigned long) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
738
739 X3 = *RK++ ^ \
740 ( (unsigned long) FSb[ ( Y3 ) & 0xFF ] ) ^
741 ( (unsigned long) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
742 ( (unsigned long) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
743 ( (unsigned long) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
744 }
745
746 PUT_ULONG_LE( X0, output, 0 );
747 PUT_ULONG_LE( X1, output, 4 );
748 PUT_ULONG_LE( X2, output, 8 );
749 PUT_ULONG_LE( X3, output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]750
751 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]752}
753
754/*
755 * AES-CBC buffer encryption/decryption
756 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]757int aes_crypt_cbc( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]758 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]759 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]760 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]761 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]762 unsigned char *output )
763{
764 int i;
765 unsigned char temp[16];
766
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]767 if( length % 16 )
768 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
769
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]770#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]771 if( padlock_supports( PADLOCK_ACE ) )
772 {
773 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]774 return( 0 );
775
776 // If padlock data misaligned, we just fall back to
777 // unaccelerated mode
778 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]779 }
780#endif
781
782 if( mode == AES_DECRYPT )
783 {
784 while( length > 0 )
785 {
786 memcpy( temp, input, 16 );
787 aes_crypt_ecb( ctx, mode, input, output );
788
789 for( i = 0; i < 16; i++ )
790 output[i] = (unsigned char)( output[i] ^ iv[i] );
791
792 memcpy( iv, temp, 16 );
793
794 input += 16;
795 output += 16;
796 length -= 16;
797 }
798 }
799 else
800 {
801 while( length > 0 )
802 {
803 for( i = 0; i < 16; i++ )
804 output[i] = (unsigned char)( input[i] ^ iv[i] );
805
806 aes_crypt_ecb( ctx, mode, output, output );
807 memcpy( iv, output, 16 );
808
809 input += 16;
810 output += 16;
811 length -= 16;
812 }
813 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]814
815 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]816}
817
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]818#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]819/*
820 * AES-CFB128 buffer encryption/decryption
821 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]822int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]823 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]824 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]825 int *iv_off,
826 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]827 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]828 unsigned char *output )
829{
830 int c, n = *iv_off;
831
832 if( mode == AES_DECRYPT )
833 {
834 while( length-- )
835 {
836 if( n == 0 )
837 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
838
839 c = *input++;
840 *output++ = (unsigned char)( c ^ iv[n] );
841 iv[n] = (unsigned char) c;
842
843 n = (n + 1) & 0x0F;
844 }
845 }
846 else
847 {
848 while( length-- )
849 {
850 if( n == 0 )
851 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
852
853 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
854
855 n = (n + 1) & 0x0F;
856 }
857 }
858
859 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]860
861 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]862}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]863#endif /*POLARSSL_CIPHER_MODE_CFB */
864
865#if defined(POLARSSL_CIPHER_MODE_CTR)
866/*
867 * AES-CTR buffer encryption/decryption
868 */
869int aes_crypt_ctr( aes_context *ctx,
870 int length,
871 int *nc_off,
872 unsigned char nonce_counter[16],
873 unsigned char stream_block[16],
874 const unsigned char *input,
875 unsigned char *output )
876{
877 int c, n = *nc_off, i, cb;
878
879 while( length-- )
880 {
881 if( n == 0 ) {
882 aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
883
884 i = 15;
885 do {
886 nonce_counter[i]++;
887 cb = nonce_counter[i] == 0;
888 } while( i-- && cb );
889
890 }
891 c = *input++;
892 *output++ = (unsigned char)( c ^ stream_block[n] );
893
894 n = (n + 1) & 0x0F;
895 }
896
897 *nc_off = n;
898
899 return( 0 );
900}
901#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]902
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]903#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]904
905#include <stdio.h>
906
907/*
908 * AES test vectors from:
909 *
910 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
911 */
912static const unsigned char aes_test_ecb_dec[3][16] =
913{
914 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
915 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
916 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
917 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
918 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
919 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
920};
921
922static const unsigned char aes_test_ecb_enc[3][16] =
923{
924 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
925 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
926 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
927 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
928 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
929 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
930};
931
932static const unsigned char aes_test_cbc_dec[3][16] =
933{
934 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
935 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
936 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
937 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
938 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
939 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
940};
941
942static const unsigned char aes_test_cbc_enc[3][16] =
943{
944 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
945 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
946 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
947 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
948 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
949 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
950};
951
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]952#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]953/*
954 * AES-CFB128 test vectors from:
955 *
956 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
957 */
958static const unsigned char aes_test_cfb128_key[3][32] =
959{
960 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
961 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
962 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
963 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
964 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
965 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
966 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
967 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
968 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
969};
970
971static const unsigned char aes_test_cfb128_iv[16] =
972{
973 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
974 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
975};
976
977static const unsigned char aes_test_cfb128_pt[64] =
978{
979 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
980 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
981 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
982 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
983 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
984 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
985 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
986 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
987};
988
989static const unsigned char aes_test_cfb128_ct[3][64] =
990{
991 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
992 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
993 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
994 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
995 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
996 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
997 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
998 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
999 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1000 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1001 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1002 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1003 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1004 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1005 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1006 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1007 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1008 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1009 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1010 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1011 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1012 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1013 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1014 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1015};
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1016#endif /* POLARSSL_CIPHER_MODE_CFB */
1017
1018#if defined(POLARSSL_CIPHER_MODE_CTR)
1019/*
1020 * AES-CTR test vectors from:
1021 *
1022 * http://www.faqs.org/rfcs/rfc3686.html
1023 */
1024
1025static const unsigned char aes_test_ctr_key[3][16] =
1026{
1027 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1028 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1029 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1030 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1031 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1032 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1033};
1034
1035static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1036{
1037 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1038 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1039 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1040 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1041 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1042 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1043};
1044
1045static const unsigned char aes_test_ctr_pt[3][48] =
1046{
1047 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1048 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1049
1050 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1051 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1052 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1053 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1054
1055 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1056 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1057 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1058 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1059 0x20, 0x21, 0x22, 0x23 }
1060};
1061
1062static const unsigned char aes_test_ctr_ct[3][48] =
1063{
1064 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1065 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1066 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1067 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1068 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1069 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1070 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1071 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1072 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1073 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1074 0x25, 0xB2, 0x07, 0x2F }
1075};
1076
1077static const int aes_test_ctr_len[3] =
1078 { 16, 32, 36 };
1079#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1080
1081/*
1082 * Checkup routine
1083 */
1084int aes_self_test( int verbose )
1085{
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1086 int i, j, u, v;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1087 unsigned char key[32];
1088 unsigned char buf[64];
1089 unsigned char prv[16];
1090 unsigned char iv[16];
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1091#if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
1092 int offset;
1093#endif
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1094#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1095 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1096 unsigned char nonce_counter[16];
1097 unsigned char stream_block[16];
1098#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1099 aes_context ctx;
1100
1101 memset( key, 0, 32 );
1102
1103 /*
1104 * ECB mode
1105 */
1106 for( i = 0; i < 6; i++ )
1107 {
1108 u = i >> 1;
1109 v = i & 1;
1110
1111 if( verbose != 0 )
1112 printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1113 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1114
1115 memset( buf, 0, 16 );
1116
1117 if( v == AES_DECRYPT )
1118 {
1119 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1120
1121 for( j = 0; j < 10000; j++ )
1122 aes_crypt_ecb( &ctx, v, buf, buf );
1123
1124 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1125 {
1126 if( verbose != 0 )
1127 printf( "failed\n" );
1128
1129 return( 1 );
1130 }
1131 }
1132 else
1133 {
1134 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1135
1136 for( j = 0; j < 10000; j++ )
1137 aes_crypt_ecb( &ctx, v, buf, buf );
1138
1139 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1140 {
1141 if( verbose != 0 )
1142 printf( "failed\n" );
1143
1144 return( 1 );
1145 }
1146 }
1147
1148 if( verbose != 0 )
1149 printf( "passed\n" );
1150 }
1151
1152 if( verbose != 0 )
1153 printf( "\n" );
1154
1155 /*
1156 * CBC mode
1157 */
1158 for( i = 0; i < 6; i++ )
1159 {
1160 u = i >> 1;
1161 v = i & 1;
1162
1163 if( verbose != 0 )
1164 printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1165 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1166
1167 memset( iv , 0, 16 );
1168 memset( prv, 0, 16 );
1169 memset( buf, 0, 16 );
1170
1171 if( v == AES_DECRYPT )
1172 {
1173 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1174
1175 for( j = 0; j < 10000; j++ )
1176 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1177
1178 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1179 {
1180 if( verbose != 0 )
1181 printf( "failed\n" );
1182
1183 return( 1 );
1184 }
1185 }
1186 else
1187 {
1188 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1189
1190 for( j = 0; j < 10000; j++ )
1191 {
1192 unsigned char tmp[16];
1193
1194 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1195
1196 memcpy( tmp, prv, 16 );
1197 memcpy( prv, buf, 16 );
1198 memcpy( buf, tmp, 16 );
1199 }
1200
1201 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1202 {
1203 if( verbose != 0 )
1204 printf( "failed\n" );
1205
1206 return( 1 );
1207 }
1208 }
1209
1210 if( verbose != 0 )
1211 printf( "passed\n" );
1212 }
1213
1214 if( verbose != 0 )
1215 printf( "\n" );
1216
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1217#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1218 /*
1219 * CFB128 mode
1220 */
1221 for( i = 0; i < 6; i++ )
1222 {
1223 u = i >> 1;
1224 v = i & 1;
1225
1226 if( verbose != 0 )
1227 printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1228 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1229
1230 memcpy( iv, aes_test_cfb128_iv, 16 );
1231 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1232
1233 offset = 0;
1234 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1235
1236 if( v == AES_DECRYPT )
1237 {
1238 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1239 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1240
1241 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1242 {
1243 if( verbose != 0 )
1244 printf( "failed\n" );
1245
1246 return( 1 );
1247 }
1248 }
1249 else
1250 {
1251 memcpy( buf, aes_test_cfb128_pt, 64 );
1252 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1253
1254 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1255 {
1256 if( verbose != 0 )
1257 printf( "failed\n" );
1258
1259 return( 1 );
1260 }
1261 }
1262
1263 if( verbose != 0 )
1264 printf( "passed\n" );
1265 }
1266
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1267 if( verbose != 0 )
1268 printf( "\n" );
1269#endif /* POLARSSL_CIPHER_MODE_CFB */
1270
1271#if defined(POLARSSL_CIPHER_MODE_CTR)
1272 /*
1273 * CTR mode
1274 */
1275 for( i = 0; i < 6; i++ )
1276 {
1277 u = i >> 1;
1278 v = i & 1;
1279
1280 if( verbose != 0 )
1281 printf( " AES-CTR-128 (%s): ",
1282 ( v == AES_DECRYPT ) ? "dec" : "enc" );
1283
1284 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1285 memcpy( key, aes_test_ctr_key[u], 16 );
1286
1287 offset = 0;
1288 aes_setkey_enc( &ctx, key, 128 );
1289
1290 if( v == AES_DECRYPT )
1291 {
1292 len = aes_test_ctr_len[u];
1293 memcpy( buf, aes_test_ctr_ct[u], len );
1294
1295 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1296
1297 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1298 {
1299 if( verbose != 0 )
1300 printf( "failed\n" );
1301
1302 return( 1 );
1303 }
1304 }
1305 else
1306 {
1307 len = aes_test_ctr_len[u];
1308 memcpy( buf, aes_test_ctr_pt[u], len );
1309
1310 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
1311
1312 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1313 {
1314 if( verbose != 0 )
1315 printf( "failed\n" );
1316
1317 return( 1 );
1318 }
1319 }
1320
1321 if( verbose != 0 )
1322 printf( "passed\n" );
1323 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1324
1325 if( verbose != 0 )
1326 printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1327#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1328
1329 return( 0 );
1330}
1331
1332#endif
1333
1334#endif