Blame - library/aes.c - third_party/github/ARMmbed/mbedtls

blob: 38683ee33317bac7d9cc86b05d5c5c3f1a9131d0 [file] [log] [blame]

Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1	/*
				2	* FIPS-197 compliant AES implementation
				3	*
Manuel Pégourié-Gonnard	a658a40	2015-01-23 09:45:19 +0000	[diff] [blame]	4	* Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
Paul Bakker	b96f154	2010-07-18 20:36:00 +0000	[diff] [blame]	5	*
Manuel Pégourié-Gonnard	085ab04	2015-01-23 11:06:27 +0000	[diff] [blame]	6	* This file is part of mbed TLS (https://www.polarssl.org)
Paul Bakker	b96f154	2010-07-18 20:36:00 +0000	[diff] [blame]	7	*
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	8	* This program is free software; you can redistribute it and/or modify
				9	* it under the terms of the GNU General Public License as published by
				10	* the Free Software Foundation; either version 2 of the License, or
				11	* (at your option) any later version.
				12	*
				13	* This program is distributed in the hope that it will be useful,
				14	* but WITHOUT ANY WARRANTY; without even the implied warranty of
				15	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
				16	* GNU General Public License for more details.
				17	*
				18	* You should have received a copy of the GNU General Public License along
				19	* with this program; if not, write to the Free Software Foundation, Inc.,
				20	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
				21	*/
				22	/*
				23	* The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
				24	*
				25	* http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
				26	* http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
				27	*/
				28
Manuel Pégourié-Gonnard	cef4ad2	2014-04-29 12:39:06 +0200	[diff] [blame]	29	#if !defined(POLARSSL_CONFIG_FILE)
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	30	#include "polarssl/config.h"
Manuel Pégourié-Gonnard	cef4ad2	2014-04-29 12:39:06 +0200	[diff] [blame]	31	#else
				32	#include POLARSSL_CONFIG_FILE
				33	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	34
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	35	#if defined(POLARSSL_AES_C)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	36
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	37	#include "polarssl/aes.h"
Paul Bakker	67820bd	2012-06-04 12:47:23 +0000	[diff] [blame]	38	#if defined(POLARSSL_PADLOCK_C)
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	39	#include "polarssl/padlock.h"
Paul Bakker	67820bd	2012-06-04 12:47:23 +0000	[diff] [blame]	40	#endif
Manuel Pégourié-Gonnard	5b68565	2013-12-18 11:45:21 +0100	[diff] [blame]	41	#if defined(POLARSSL_AESNI_C)
				42	#include "polarssl/aesni.h"
				43	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	44
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	45	#if defined(POLARSSL_PLATFORM_C)
				46	#include "polarssl/platform.h"
				47	#else
				48	#define polarssl_printf printf
				49	#endif
				50
Paul Bakker	90995b5	2013-06-24 19:20:35 +0200	[diff] [blame]	51	#if !defined(POLARSSL_AES_ALT)
				52
Paul Bakker	3461772	2014-06-13 17:20:13 +0200	[diff] [blame]	53	/* Implementation that should never be optimized out by the compiler */
				54	static void polarssl_zeroize( void *v, size_t n ) {
				55	volatile unsigned char p = v; while( n-- ) p++ = 0;
				56	}
				57
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	58	/*
				59	* 32-bit integer manipulation macros (little endian)
				60	*/
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	61	#ifndef GET_UINT32_LE
				62	#define GET_UINT32_LE(n,b,i) \
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	63	{ \
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	64	(n) = ( (uint32_t) (b)[(i) ] ) \
				65	\| ( (uint32_t) (b)[(i) + 1] << 8 ) \
				66	\| ( (uint32_t) (b)[(i) + 2] << 16 ) \
				67	\| ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	68	}
				69	#endif
				70
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	71	#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnard	ceedb82	2015-01-23 15:02:43 +0000	[diff] [blame]	72	#define PUT_UINT32_LE(n,b,i) \
				73	{ \
				74	(b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
				75	(b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
				76	(b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
				77	(b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	78	}
				79	#endif
				80
Paul Bakker	0e19e9f	2012-10-01 11:02:48 +0000	[diff] [blame]	81	#if defined(POLARSSL_PADLOCK_C) && \
				82	( defined(POLARSSL_HAVE_X86) \|\| defined(PADLOCK_ALIGN16) )
Paul Bakker	048d04e	2012-02-12 17:31:04 +0000	[diff] [blame]	83	static int aes_padlock_ace = -1;
				84	#endif
				85
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	86	#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	87	/*
				88	* Forward S-box
				89	*/
				90	static const unsigned char FSb[256] =
				91	{
				92	0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
				93	0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
				94	0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
				95	0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
				96	0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
				97	0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
				98	0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
				99	0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
				100	0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
				101	0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
				102	0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
				103	0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
				104	0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
				105	0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
				106	0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
				107	0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
				108	0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
				109	0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
				110	0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
				111	0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
				112	0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
				113	0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
				114	0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
				115	0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
				116	0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
				117	0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
				118	0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
				119	0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
				120	0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
				121	0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
				122	0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
				123	0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
				124	};
				125
				126	/*
				127	* Forward tables
				128	*/
				129	#define FT \
				130	\
				131	V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
				132	V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
				133	V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
				134	V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
				135	V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
				136	V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
				137	V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
				138	V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
				139	V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
				140	V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
				141	V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
				142	V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
				143	V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
				144	V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
				145	V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
				146	V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
				147	V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
				148	V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
				149	V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
				150	V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
				151	V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
				152	V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
				153	V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
				154	V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
				155	V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
				156	V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
				157	V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
				158	V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
				159	V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
				160	V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
				161	V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
				162	V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
				163	V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
				164	V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
				165	V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
				166	V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
				167	V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
				168	V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
				169	V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
				170	V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
				171	V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
				172	V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
				173	V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
				174	V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
				175	V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
				176	V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
				177	V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
				178	V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
				179	V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
				180	V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
				181	V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
				182	V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
				183	V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
				184	V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
				185	V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
				186	V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
				187	V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
				188	V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
				189	V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
				190	V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
				191	V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
				192	V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
				193	V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
				194	V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
				195
				196	#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	197	static const uint32_t FT0[256] = { FT };
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	198	#undef V
				199
				200	#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	201	static const uint32_t FT1[256] = { FT };
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	202	#undef V
				203
				204	#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	205	static const uint32_t FT2[256] = { FT };
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	206	#undef V
				207
				208	#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	209	static const uint32_t FT3[256] = { FT };
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	210	#undef V
				211
				212	#undef FT
				213
				214	/*
				215	* Reverse S-box
				216	*/
				217	static const unsigned char RSb[256] =
				218	{
				219	0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
				220	0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
				221	0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
				222	0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
				223	0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
				224	0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
				225	0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
				226	0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
				227	0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
				228	0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
				229	0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
				230	0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
				231	0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
				232	0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
				233	0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
				234	0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
				235	0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
				236	0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
				237	0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
				238	0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
				239	0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
				240	0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
				241	0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
				242	0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
				243	0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
				244	0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
				245	0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
				246	0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
				247	0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
				248	0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
				249	0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
				250	0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
				251	};
				252
				253	/*
				254	* Reverse tables
				255	*/
				256	#define RT \
				257	\
				258	V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
				259	V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
				260	V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
				261	V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
				262	V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
				263	V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
				264	V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
				265	V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
				266	V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
				267	V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
				268	V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
				269	V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
				270	V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
				271	V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
				272	V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
				273	V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
				274	V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
				275	V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
				276	V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
				277	V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
				278	V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
				279	V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
				280	V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
				281	V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
				282	V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
				283	V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
				284	V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
				285	V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
				286	V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
				287	V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
				288	V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
				289	V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
				290	V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
				291	V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
				292	V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
				293	V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
				294	V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
				295	V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
				296	V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
				297	V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
				298	V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
				299	V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
				300	V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
				301	V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
				302	V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
				303	V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
				304	V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
				305	V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
				306	V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
				307	V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
				308	V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
				309	V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
				310	V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
				311	V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
				312	V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
				313	V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
				314	V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
				315	V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
				316	V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
				317	V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
				318	V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
				319	V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
				320	V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
				321	V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
				322
				323	#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	324	static const uint32_t RT0[256] = { RT };
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	325	#undef V
				326
				327	#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	328	static const uint32_t RT1[256] = { RT };
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	329	#undef V
				330
				331	#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	332	static const uint32_t RT2[256] = { RT };
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	333	#undef V
				334
				335	#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	336	static const uint32_t RT3[256] = { RT };
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	337	#undef V
				338
				339	#undef RT
				340
				341	/*
				342	* Round constants
				343	*/
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	344	static const uint32_t RCON[10] =
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	345	{
				346	0x00000001, 0x00000002, 0x00000004, 0x00000008,
				347	0x00000010, 0x00000020, 0x00000040, 0x00000080,
				348	0x0000001B, 0x00000036
				349	};
				350
Paul Bakker	9af723c	2014-05-01 13:03:14 +0200	[diff] [blame]	351	#else /* POLARSSL_AES_ROM_TABLES */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	352
				353	/*
				354	* Forward S-box & tables
				355	*/
				356	static unsigned char FSb[256];
Paul Bakker	9af723c	2014-05-01 13:03:14 +0200	[diff] [blame]	357	static uint32_t FT0[256];
				358	static uint32_t FT1[256];
				359	static uint32_t FT2[256];
				360	static uint32_t FT3[256];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	361
				362	/*
				363	* Reverse S-box & tables
				364	*/
				365	static unsigned char RSb[256];
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	366	static uint32_t RT0[256];
				367	static uint32_t RT1[256];
				368	static uint32_t RT2[256];
				369	static uint32_t RT3[256];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	370
				371	/*
				372	* Round constants
				373	*/
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	374	static uint32_t RCON[10];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	375
				376	/*
				377	* Tables generation code
				378	*/
				379	#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) \| ( x >> 24 )
				380	#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
				381	#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
				382
				383	static int aes_init_done = 0;
				384
				385	static void aes_gen_tables( void )
				386	{
				387	int i, x, y, z;
				388	int pow[256];
				389	int log[256];
				390
				391	/*
				392	* compute pow and log tables over GF(2^8)
				393	*/
				394	for( i = 0, x = 1; i < 256; i++ )
				395	{
				396	pow[i] = x;
				397	log[x] = i;
				398	x = ( x ^ XTIME( x ) ) & 0xFF;
				399	}
				400
				401	/*
				402	* calculate the round constants
				403	*/
				404	for( i = 0, x = 1; i < 10; i++ )
				405	{
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	406	RCON[i] = (uint32_t) x;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	407	x = XTIME( x ) & 0xFF;
				408	}
				409
				410	/*
				411	* generate the forward and reverse S-boxes
				412	*/
				413	FSb[0x00] = 0x63;
				414	RSb[0x63] = 0x00;
				415
				416	for( i = 1; i < 256; i++ )
				417	{
				418	x = pow[255 - log[i]];
				419
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	420	y = x; y = ( ( y << 1 ) \| ( y >> 7 ) ) & 0xFF;
				421	x ^= y; y = ( ( y << 1 ) \| ( y >> 7 ) ) & 0xFF;
				422	x ^= y; y = ( ( y << 1 ) \| ( y >> 7 ) ) & 0xFF;
				423	x ^= y; y = ( ( y << 1 ) \| ( y >> 7 ) ) & 0xFF;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	424	x ^= y ^ 0x63;
				425
				426	FSb[i] = (unsigned char) x;
				427	RSb[x] = (unsigned char) i;
				428	}
				429
				430	/*
				431	* generate the forward and reverse tables
				432	*/
				433	for( i = 0; i < 256; i++ )
				434	{
				435	x = FSb[i];
				436	y = XTIME( x ) & 0xFF;
				437	z = ( y ^ x ) & 0xFF;
				438
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	439	FT0[i] = ( (uint32_t) y ) ^
				440	( (uint32_t) x << 8 ) ^
				441	( (uint32_t) x << 16 ) ^
				442	( (uint32_t) z << 24 );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	443
				444	FT1[i] = ROTL8( FT0[i] );
				445	FT2[i] = ROTL8( FT1[i] );
				446	FT3[i] = ROTL8( FT2[i] );
				447
				448	x = RSb[i];
				449
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	450	RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
				451	( (uint32_t) MUL( 0x09, x ) << 8 ) ^
				452	( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
				453	( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	454
				455	RT1[i] = ROTL8( RT0[i] );
				456	RT2[i] = ROTL8( RT1[i] );
				457	RT3[i] = ROTL8( RT2[i] );
				458	}
				459	}
				460
Paul Bakker	9af723c	2014-05-01 13:03:14 +0200	[diff] [blame]	461	#endif /* POLARSSL_AES_ROM_TABLES */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	462
Paul Bakker	c7ea99a	2014-06-18 11:12:03 +0200	[diff] [blame]	463	void aes_init( aes_context *ctx )
				464	{
				465	memset( ctx, 0, sizeof( aes_context ) );
				466	}
				467
				468	void aes_free( aes_context *ctx )
				469	{
				470	if( ctx == NULL )
				471	return;
				472
				473	polarssl_zeroize( ctx, sizeof( aes_context ) );
				474	}
				475
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	476	/*
				477	* AES key schedule (encryption)
				478	*/
Paul Bakker	b9e4e2c	2014-05-01 14:18:25 +0200	[diff] [blame]	479	int aes_setkey_enc( aes_context ctx, const unsigned char key,
				480	unsigned int keysize )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	481	{
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	482	unsigned int i;
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	483	uint32_t *RK;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	484
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	485	#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	486	if( aes_init_done == 0 )
				487	{
				488	aes_gen_tables();
				489	aes_init_done = 1;
Paul Bakker	048d04e	2012-02-12 17:31:04 +0000	[diff] [blame]	490
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	491	}
				492	#endif
				493
				494	switch( keysize )
				495	{
				496	case 128: ctx->nr = 10; break;
				497	case 192: ctx->nr = 12; break;
				498	case 256: ctx->nr = 14; break;
Paul Bakker	2b222c8	2009-07-27 21:03:45 +0000	[diff] [blame]	499	default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	500	}
				501
Paul Bakker	048d04e	2012-02-12 17:31:04 +0000	[diff] [blame]	502	#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
				503	if( aes_padlock_ace == -1 )
				504	aes_padlock_ace = padlock_supports( PADLOCK_ACE );
				505
				506	if( aes_padlock_ace )
				507	ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
				508	else
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	509	#endif
Paul Bakker	048d04e	2012-02-12 17:31:04 +0000	[diff] [blame]	510	ctx->rk = RK = ctx->buf;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	511
Manuel Pégourié-Gonnard	47a3536	2013-12-28 20:45:04 +0100	[diff] [blame]	512	#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
				513	if( aesni_supports( POLARSSL_AESNI_AES ) )
Manuel Pégourié-Gonnard	bfa3c9a	2013-12-30 13:53:58 +0100	[diff] [blame]	514	return( aesni_setkey_enc( (unsigned char *) ctx->rk, key, keysize ) );
Manuel Pégourié-Gonnard	47a3536	2013-12-28 20:45:04 +0100	[diff] [blame]	515	#endif
				516
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	517	for( i = 0; i < ( keysize >> 5 ); i++ )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	518	{
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	519	GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	520	}
				521
				522	switch( ctx->nr )
				523	{
				524	case 10:
				525
				526	for( i = 0; i < 10; i++, RK += 4 )
				527	{
				528	RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	529	( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
				530	( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
				531	( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
				532	( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	533
				534	RK[5] = RK[1] ^ RK[4];
				535	RK[6] = RK[2] ^ RK[5];
				536	RK[7] = RK[3] ^ RK[6];
				537	}
				538	break;
				539
				540	case 12:
				541
				542	for( i = 0; i < 8; i++, RK += 6 )
				543	{
				544	RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	545	( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
				546	( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
				547	( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
				548	( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	549
				550	RK[7] = RK[1] ^ RK[6];
				551	RK[8] = RK[2] ^ RK[7];
				552	RK[9] = RK[3] ^ RK[8];
				553	RK[10] = RK[4] ^ RK[9];
				554	RK[11] = RK[5] ^ RK[10];
				555	}
				556	break;
				557
				558	case 14:
				559
				560	for( i = 0; i < 7; i++, RK += 8 )
				561	{
				562	RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	563	( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
				564	( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
				565	( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
				566	( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	567
				568	RK[9] = RK[1] ^ RK[8];
				569	RK[10] = RK[2] ^ RK[9];
				570	RK[11] = RK[3] ^ RK[10];
				571
				572	RK[12] = RK[4] ^
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	573	( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
				574	( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
				575	( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
				576	( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	577
				578	RK[13] = RK[5] ^ RK[12];
				579	RK[14] = RK[6] ^ RK[13];
				580	RK[15] = RK[7] ^ RK[14];
				581	}
				582	break;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	583	}
Paul Bakker	2b222c8	2009-07-27 21:03:45 +0000	[diff] [blame]	584
				585	return( 0 );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	586	}
				587
				588	/*
				589	* AES key schedule (decryption)
				590	*/
Paul Bakker	b9e4e2c	2014-05-01 14:18:25 +0200	[diff] [blame]	591	int aes_setkey_dec( aes_context ctx, const unsigned char key,
				592	unsigned int keysize )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	593	{
Paul Bakker	c7ea99a	2014-06-18 11:12:03 +0200	[diff] [blame]	594	int i, j, ret;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	595	aes_context cty;
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	596	uint32_t *RK;
				597	uint32_t *SK;
Paul Bakker	c7ea99a	2014-06-18 11:12:03 +0200	[diff] [blame]	598
				599	aes_init( &cty );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	600
Paul Bakker	048d04e	2012-02-12 17:31:04 +0000	[diff] [blame]	601	#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
				602	if( aes_padlock_ace == -1 )
				603	aes_padlock_ace = padlock_supports( PADLOCK_ACE );
				604
				605	if( aes_padlock_ace )
				606	ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
				607	else
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	608	#endif
Paul Bakker	048d04e	2012-02-12 17:31:04 +0000	[diff] [blame]	609	ctx->rk = RK = ctx->buf;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	610
Manuel Pégourié-Gonnard	afd5a08	2014-05-28 21:52:59 +0200	[diff] [blame]	611	/* Also checks keysize */
				612	if( ( ret = aes_setkey_enc( &cty, key, keysize ) ) != 0 )
Paul Bakker	c7ea99a	2014-06-18 11:12:03 +0200	[diff] [blame]	613	goto exit;
Paul Bakker	2b222c8	2009-07-27 21:03:45 +0000	[diff] [blame]	614
Manuel Pégourié-Gonnard	afd5a08	2014-05-28 21:52:59 +0200	[diff] [blame]	615	ctx->nr = cty.nr;
				616
Manuel Pégourié-Gonnard	01e31bb	2013-12-28 15:58:30 +0100	[diff] [blame]	617	#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
				618	if( aesni_supports( POLARSSL_AESNI_AES ) )
				619	{
				620	aesni_inverse_key( (unsigned char *) ctx->rk,
				621	(const unsigned char *) cty.rk, ctx->nr );
Paul Bakker	c7ea99a	2014-06-18 11:12:03 +0200	[diff] [blame]	622	goto exit;
Manuel Pégourié-Gonnard	01e31bb	2013-12-28 15:58:30 +0100	[diff] [blame]	623	}
				624	#endif
				625
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	626	SK = cty.rk + cty.nr * 4;
				627
				628	RK++ = SK++;
				629	RK++ = SK++;
				630	RK++ = SK++;
				631	RK++ = SK++;
				632
				633	for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
				634	{
				635	for( j = 0; j < 4; j++, SK++ )
				636	{
				637	RK++ = RT0[ FSb[ ( SK ) & 0xFF ] ] ^
				638	RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
				639	RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
				640	RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
				641	}
				642	}
				643
				644	RK++ = SK++;
				645	RK++ = SK++;
				646	RK++ = SK++;
				647	RK++ = SK++;
				648
Paul Bakker	c7ea99a	2014-06-18 11:12:03 +0200	[diff] [blame]	649	exit:
				650	aes_free( &cty );
Paul Bakker	2b222c8	2009-07-27 21:03:45 +0000	[diff] [blame]	651
Paul Bakker	c7ea99a	2014-06-18 11:12:03 +0200	[diff] [blame]	652	return( ret );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	653	}
				654
				655	#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
				656	{ \
				657	X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
				658	FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
				659	FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
				660	FT3[ ( Y3 >> 24 ) & 0xFF ]; \
				661	\
				662	X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
				663	FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
				664	FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
				665	FT3[ ( Y0 >> 24 ) & 0xFF ]; \
				666	\
				667	X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
				668	FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
				669	FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
				670	FT3[ ( Y1 >> 24 ) & 0xFF ]; \
				671	\
				672	X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
				673	FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
				674	FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
				675	FT3[ ( Y2 >> 24 ) & 0xFF ]; \
				676	}
				677
				678	#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
				679	{ \
				680	X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
				681	RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
				682	RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
				683	RT3[ ( Y1 >> 24 ) & 0xFF ]; \
				684	\
				685	X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
				686	RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
				687	RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
				688	RT3[ ( Y2 >> 24 ) & 0xFF ]; \
				689	\
				690	X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
				691	RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
				692	RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
				693	RT3[ ( Y3 >> 24 ) & 0xFF ]; \
				694	\
				695	X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
				696	RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
				697	RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
				698	RT3[ ( Y0 >> 24 ) & 0xFF ]; \
				699	}
				700
				701	/*
				702	* AES-ECB block encryption/decryption
				703	*/
Paul Bakker	f3ccc68	2010-03-18 21:21:02 +0000	[diff] [blame]	704	int aes_crypt_ecb( aes_context *ctx,
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	705	int mode,
Paul Bakker	ff60ee6	2010-03-16 21:09:09 +0000	[diff] [blame]	706	const unsigned char input[16],
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	707	unsigned char output[16] )
				708	{
				709	int i;
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	710	uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	711
Manuel Pégourié-Gonnard	5b68565	2013-12-18 11:45:21 +0100	[diff] [blame]	712	#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
Manuel Pégourié-Gonnard	8eaf20b	2013-12-18 19:14:53 +0100	[diff] [blame]	713	if( aesni_supports( POLARSSL_AESNI_AES ) )
Manuel Pégourié-Gonnard	5b68565	2013-12-18 11:45:21 +0100	[diff] [blame]	714	return( aesni_crypt_ecb( ctx, mode, input, output ) );
				715	#endif
				716
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	717	#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker	048d04e	2012-02-12 17:31:04 +0000	[diff] [blame]	718	if( aes_padlock_ace )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	719	{
				720	if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakker	f3ccc68	2010-03-18 21:21:02 +0000	[diff] [blame]	721	return( 0 );
				722
				723	// If padlock data misaligned, we just fall back to
				724	// unaccelerated mode
				725	//
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	726	}
				727	#endif
				728
				729	RK = ctx->rk;
				730
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	731	GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
				732	GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
				733	GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
				734	GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	735
				736	if( mode == AES_DECRYPT )
				737	{
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	738	for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	739	{
				740	AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
				741	AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
				742	}
				743
				744	AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
				745
				746	X0 = *RK++ ^ \
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	747	( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
				748	( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
				749	( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
				750	( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	751
				752	X1 = *RK++ ^ \
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	753	( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
				754	( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
				755	( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
				756	( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	757
				758	X2 = *RK++ ^ \
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	759	( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
				760	( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
				761	( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
				762	( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	763
				764	X3 = *RK++ ^ \
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	765	( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
				766	( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
				767	( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
				768	( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	769	}
				770	else /* AES_ENCRYPT */
				771	{
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	772	for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	773	{
				774	AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
				775	AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
				776	}
				777
				778	AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
				779
				780	X0 = *RK++ ^ \
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	781	( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
				782	( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
				783	( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
				784	( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	785
				786	X1 = *RK++ ^ \
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	787	( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
				788	( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
				789	( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
				790	( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	791
				792	X2 = *RK++ ^ \
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	793	( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
				794	( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
				795	( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
				796	( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	797
				798	X3 = *RK++ ^ \
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	799	( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
				800	( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
				801	( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
				802	( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	803	}
				804
Paul Bakker	5c2364c	2012-10-01 14:41:15 +0000	[diff] [blame]	805	PUT_UINT32_LE( X0, output, 0 );
				806	PUT_UINT32_LE( X1, output, 4 );
				807	PUT_UINT32_LE( X2, output, 8 );
				808	PUT_UINT32_LE( X3, output, 12 );
Paul Bakker	f3ccc68	2010-03-18 21:21:02 +0000	[diff] [blame]	809
				810	return( 0 );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	811	}
				812
Manuel Pégourié-Gonnard	92cb1d3	2013-09-13 16:24:20 +0200	[diff] [blame]	813	#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	814	/*
				815	* AES-CBC buffer encryption/decryption
				816	*/
Paul Bakker	f3ccc68	2010-03-18 21:21:02 +0000	[diff] [blame]	817	int aes_crypt_cbc( aes_context *ctx,
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	818	int mode,
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	819	size_t length,
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	820	unsigned char iv[16],
Paul Bakker	ff60ee6	2010-03-16 21:09:09 +0000	[diff] [blame]	821	const unsigned char *input,
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	822	unsigned char *output )
				823	{
				824	int i;
				825	unsigned char temp[16];
				826
Paul Bakker	f3ccc68	2010-03-18 21:21:02 +0000	[diff] [blame]	827	if( length % 16 )
				828	return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
				829
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	830	#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker	048d04e	2012-02-12 17:31:04 +0000	[diff] [blame]	831	if( aes_padlock_ace )
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	832	{
				833	if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakker	f3ccc68	2010-03-18 21:21:02 +0000	[diff] [blame]	834	return( 0 );
Paul Bakker	9af723c	2014-05-01 13:03:14 +0200	[diff] [blame]	835
Paul Bakker	f3ccc68	2010-03-18 21:21:02 +0000	[diff] [blame]	836	// If padlock data misaligned, we just fall back to
				837	// unaccelerated mode
				838	//
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	839	}
				840	#endif
				841
				842	if( mode == AES_DECRYPT )
				843	{
				844	while( length > 0 )
				845	{
				846	memcpy( temp, input, 16 );
				847	aes_crypt_ecb( ctx, mode, input, output );
				848
				849	for( i = 0; i < 16; i++ )
				850	output[i] = (unsigned char)( output[i] ^ iv[i] );
				851
				852	memcpy( iv, temp, 16 );
				853
				854	input += 16;
				855	output += 16;
				856	length -= 16;
				857	}
				858	}
				859	else
				860	{
				861	while( length > 0 )
				862	{
				863	for( i = 0; i < 16; i++ )
				864	output[i] = (unsigned char)( input[i] ^ iv[i] );
				865
				866	aes_crypt_ecb( ctx, mode, output, output );
				867	memcpy( iv, output, 16 );
				868
				869	input += 16;
				870	output += 16;
				871	length -= 16;
				872	}
				873	}
Paul Bakker	f3ccc68	2010-03-18 21:21:02 +0000	[diff] [blame]	874
				875	return( 0 );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	876	}
Manuel Pégourié-Gonnard	92cb1d3	2013-09-13 16:24:20 +0200	[diff] [blame]	877	#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	878
Paul Bakker	b6ecaf5	2011-04-19 14:29:23 +0000	[diff] [blame]	879	#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	880	/*
				881	* AES-CFB128 buffer encryption/decryption
				882	*/
Paul Bakker	f3ccc68	2010-03-18 21:21:02 +0000	[diff] [blame]	883	int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	884	int mode,
Paul Bakker	23986e5	2011-04-24 08:57:21 +0000	[diff] [blame]	885	size_t length,
Paul Bakker	27fdf46	2011-06-09 13:55:13 +0000	[diff] [blame]	886	size_t *iv_off,
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	887	unsigned char iv[16],
Paul Bakker	ff60ee6	2010-03-16 21:09:09 +0000	[diff] [blame]	888	const unsigned char *input,
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	889	unsigned char *output )
				890	{
Paul Bakker	27fdf46	2011-06-09 13:55:13 +0000	[diff] [blame]	891	int c;
				892	size_t n = *iv_off;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	893
				894	if( mode == AES_DECRYPT )
				895	{
				896	while( length-- )
				897	{
				898	if( n == 0 )
				899	aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
				900
				901	c = *input++;
				902	*output++ = (unsigned char)( c ^ iv[n] );
				903	iv[n] = (unsigned char) c;
				904
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	905	n = ( n + 1 ) & 0x0F;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	906	}
				907	}
				908	else
				909	{
				910	while( length-- )
				911	{
				912	if( n == 0 )
				913	aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
				914
				915	iv[n] = output++ = (unsigned char)( iv[n] ^ input++ );
				916
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	917	n = ( n + 1 ) & 0x0F;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	918	}
				919	}
				920
				921	*iv_off = n;
Paul Bakker	f3ccc68	2010-03-18 21:21:02 +0000	[diff] [blame]	922
				923	return( 0 );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	924	}
Paul Bakker	556efba	2014-01-24 15:38:12 +0100	[diff] [blame]	925
				926	/*
				927	* AES-CFB8 buffer encryption/decryption
				928	*/
				929	#include <stdio.h>
				930	int aes_crypt_cfb8( aes_context *ctx,
				931	int mode,
				932	size_t length,
				933	unsigned char iv[16],
				934	const unsigned char *input,
				935	unsigned char *output )
				936	{
				937	unsigned char c;
				938	unsigned char ov[17];
				939
				940	while( length-- )
				941	{
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	942	memcpy( ov, iv, 16 );
Paul Bakker	556efba	2014-01-24 15:38:12 +0100	[diff] [blame]	943	aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
				944
				945	if( mode == AES_DECRYPT )
				946	ov[16] = *input;
				947
				948	c = output++ = (unsigned char)( iv[0] ^ input++ );
				949
				950	if( mode == AES_ENCRYPT )
				951	ov[16] = c;
				952
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	953	memcpy( iv, ov + 1, 16 );
Paul Bakker	556efba	2014-01-24 15:38:12 +0100	[diff] [blame]	954	}
				955
				956	return( 0 );
				957	}
Paul Bakker	b6ecaf5	2011-04-19 14:29:23 +0000	[diff] [blame]	958	#endif /POLARSSL_CIPHER_MODE_CFB /
				959
				960	#if defined(POLARSSL_CIPHER_MODE_CTR)
				961	/*
				962	* AES-CTR buffer encryption/decryption
				963	*/
				964	int aes_crypt_ctr( aes_context *ctx,
Paul Bakker	27fdf46	2011-06-09 13:55:13 +0000	[diff] [blame]	965	size_t length,
				966	size_t *nc_off,
Paul Bakker	b6ecaf5	2011-04-19 14:29:23 +0000	[diff] [blame]	967	unsigned char nonce_counter[16],
				968	unsigned char stream_block[16],
				969	const unsigned char *input,
				970	unsigned char *output )
				971	{
Paul Bakker	369e14b	2012-04-18 14:16:09 +0000	[diff] [blame]	972	int c, i;
Paul Bakker	27fdf46	2011-06-09 13:55:13 +0000	[diff] [blame]	973	size_t n = *nc_off;
Paul Bakker	b6ecaf5	2011-04-19 14:29:23 +0000	[diff] [blame]	974
				975	while( length-- )
				976	{
				977	if( n == 0 ) {
				978	aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
				979
Paul Bakker	369e14b	2012-04-18 14:16:09 +0000	[diff] [blame]	980	for( i = 16; i > 0; i-- )
				981	if( ++nonce_counter[i - 1] != 0 )
				982	break;
Paul Bakker	b6ecaf5	2011-04-19 14:29:23 +0000	[diff] [blame]	983	}
				984	c = *input++;
				985	*output++ = (unsigned char)( c ^ stream_block[n] );
				986
Paul Bakker	66d5d07	2014-06-17 16:39:18 +0200	[diff] [blame]	987	n = ( n + 1 ) & 0x0F;
Paul Bakker	b6ecaf5	2011-04-19 14:29:23 +0000	[diff] [blame]	988	}
				989
				990	*nc_off = n;
				991
				992	return( 0 );
				993	}
				994	#endif /* POLARSSL_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard	1ec220b	2014-03-10 11:20:17 +0100	[diff] [blame]	995
Paul Bakker	90995b5	2013-06-24 19:20:35 +0200	[diff] [blame]	996	#endif /* !POLARSSL_AES_ALT */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	997
Paul Bakker	40e4694	2009-01-03 21:51:57 +0000	[diff] [blame]	998	#if defined(POLARSSL_SELF_TEST)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	999
				1000	#include <stdio.h>
				1001
				1002	/*
				1003	* AES test vectors from:
				1004	*
				1005	* http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
				1006	*/
				1007	static const unsigned char aes_test_ecb_dec[3][16] =
				1008	{
				1009	{ 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
				1010	0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
				1011	{ 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
				1012	0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
				1013	{ 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
				1014	0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
				1015	};
				1016
				1017	static const unsigned char aes_test_ecb_enc[3][16] =
				1018	{
				1019	{ 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
				1020	0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
				1021	{ 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
				1022	0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
				1023	{ 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
				1024	0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
				1025	};
				1026
Manuel Pégourié-Gonnard	92cb1d3	2013-09-13 16:24:20 +0200	[diff] [blame]	1027	#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1028	static const unsigned char aes_test_cbc_dec[3][16] =
				1029	{
				1030	{ 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
				1031	0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
				1032	{ 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
				1033	0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
				1034	{ 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
				1035	0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
				1036	};
				1037
				1038	static const unsigned char aes_test_cbc_enc[3][16] =
				1039	{
				1040	{ 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
				1041	0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
				1042	{ 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
				1043	0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
				1044	{ 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
				1045	0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
				1046	};
Manuel Pégourié-Gonnard	92cb1d3	2013-09-13 16:24:20 +0200	[diff] [blame]	1047	#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1048
Paul Bakker	b6ecaf5	2011-04-19 14:29:23 +0000	[diff] [blame]	1049	#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1050	/*
				1051	* AES-CFB128 test vectors from:
				1052	*
				1053	* http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
				1054	*/
				1055	static const unsigned char aes_test_cfb128_key[3][32] =
				1056	{
				1057	{ 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
				1058	0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
				1059	{ 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
				1060	0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
				1061	0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
				1062	{ 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
				1063	0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
				1064	0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
				1065	0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
				1066	};
				1067
				1068	static const unsigned char aes_test_cfb128_iv[16] =
				1069	{
				1070	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
				1071	0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
				1072	};
				1073
				1074	static const unsigned char aes_test_cfb128_pt[64] =
				1075	{
				1076	0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
				1077	0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
				1078	0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
				1079	0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
				1080	0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
				1081	0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
				1082	0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
				1083	0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
				1084	};
				1085
				1086	static const unsigned char aes_test_cfb128_ct[3][64] =
				1087	{
				1088	{ 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
				1089	0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
				1090	0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
				1091	0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
				1092	0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
				1093	0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
				1094	0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
				1095	0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
				1096	{ 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
				1097	0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
				1098	0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
				1099	0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
				1100	0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
				1101	0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
				1102	0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
				1103	0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
				1104	{ 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
				1105	0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
				1106	0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
				1107	0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
				1108	0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
				1109	0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
				1110	0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
				1111	0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
				1112	};
Paul Bakker	b6ecaf5	2011-04-19 14:29:23 +0000	[diff] [blame]	1113	#endif /* POLARSSL_CIPHER_MODE_CFB */
				1114
				1115	#if defined(POLARSSL_CIPHER_MODE_CTR)
				1116	/*
				1117	* AES-CTR test vectors from:
				1118	*
				1119	* http://www.faqs.org/rfcs/rfc3686.html
				1120	*/
				1121
				1122	static const unsigned char aes_test_ctr_key[3][16] =
				1123	{
				1124	{ 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
				1125	0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
				1126	{ 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
				1127	0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
				1128	{ 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
				1129	0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
				1130	};
				1131
				1132	static const unsigned char aes_test_ctr_nonce_counter[3][16] =
				1133	{
				1134	{ 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
				1135	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
				1136	{ 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
				1137	0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
				1138	{ 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
				1139	0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
				1140	};
				1141
				1142	static const unsigned char aes_test_ctr_pt[3][48] =
				1143	{
				1144	{ 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
				1145	0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
				1146
				1147	{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
				1148	0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
				1149	0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
				1150	0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
				1151
				1152	{ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
				1153	0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
				1154	0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
				1155	0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
				1156	0x20, 0x21, 0x22, 0x23 }
				1157	};
				1158
				1159	static const unsigned char aes_test_ctr_ct[3][48] =
				1160	{
				1161	{ 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
				1162	0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
				1163	{ 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
				1164	0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
				1165	0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
				1166	0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
				1167	{ 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
				1168	0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
				1169	0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
				1170	0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
				1171	0x25, 0xB2, 0x07, 0x2F }
				1172	};
				1173
				1174	static const int aes_test_ctr_len[3] =
				1175	{ 16, 32, 36 };
				1176	#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1177
				1178	/*
				1179	* Checkup routine
				1180	*/
				1181	int aes_self_test( int verbose )
				1182	{
Paul Bakker	c7ea99a	2014-06-18 11:12:03 +0200	[diff] [blame]	1183	int ret = 0, i, j, u, v;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1184	unsigned char key[32];
				1185	unsigned char buf[64];
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1186	unsigned char iv[16];
Manuel Pégourié-Gonnard	92cb1d3	2013-09-13 16:24:20 +0200	[diff] [blame]	1187	#if defined(POLARSSL_CIPHER_MODE_CBC)
				1188	unsigned char prv[16];
				1189	#endif
Paul Bakker	e91d01e	2011-04-19 15:55:50 +0000	[diff] [blame]	1190	#if defined(POLARSSL_CIPHER_MODE_CTR) \|\| defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker	27fdf46	2011-06-09 13:55:13 +0000	[diff] [blame]	1191	size_t offset;
Paul Bakker	e91d01e	2011-04-19 15:55:50 +0000	[diff] [blame]	1192	#endif
Paul Bakker	b6ecaf5	2011-04-19 14:29:23 +0000	[diff] [blame]	1193	#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakker	e91d01e	2011-04-19 15:55:50 +0000	[diff] [blame]	1194	int len;
Paul Bakker	b6ecaf5	2011-04-19 14:29:23 +0000	[diff] [blame]	1195	unsigned char nonce_counter[16];
				1196	unsigned char stream_block[16];
				1197	#endif
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1198	aes_context ctx;
				1199
				1200	memset( key, 0, 32 );
Paul Bakker	c7ea99a	2014-06-18 11:12:03 +0200	[diff] [blame]	1201	aes_init( &ctx );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1202
				1203	/*
				1204	* ECB mode
				1205	*/
				1206	for( i = 0; i < 6; i++ )
				1207	{
				1208	u = i >> 1;
				1209	v = i & 1;
				1210
				1211	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1212	polarssl_printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
				1213	( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1214
				1215	memset( buf, 0, 16 );
				1216
				1217	if( v == AES_DECRYPT )
				1218	{
				1219	aes_setkey_dec( &ctx, key, 128 + u * 64 );
				1220
				1221	for( j = 0; j < 10000; j++ )
				1222	aes_crypt_ecb( &ctx, v, buf, buf );
				1223
				1224	if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
				1225	{
				1226	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1227	polarssl_printf( "failed\n" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1228
Paul Bakker	c7ea99a	2014-06-18 11:12:03 +0200	[diff] [blame]	1229	ret = 1;
				1230	goto exit;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1231	}
				1232	}
				1233	else
				1234	{
				1235	aes_setkey_enc( &ctx, key, 128 + u * 64 );
				1236
				1237	for( j = 0; j < 10000; j++ )
				1238	aes_crypt_ecb( &ctx, v, buf, buf );
				1239
				1240	if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
				1241	{
				1242	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1243	polarssl_printf( "failed\n" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1244
Paul Bakker	c7ea99a	2014-06-18 11:12:03 +0200	[diff] [blame]	1245	ret = 1;
				1246	goto exit;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1247	}
				1248	}
				1249
				1250	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1251	polarssl_printf( "passed\n" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1252	}
				1253
				1254	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1255	polarssl_printf( "\n" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1256
Manuel Pégourié-Gonnard	92cb1d3	2013-09-13 16:24:20 +0200	[diff] [blame]	1257	#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1258	/*
				1259	* CBC mode
				1260	*/
				1261	for( i = 0; i < 6; i++ )
				1262	{
				1263	u = i >> 1;
				1264	v = i & 1;
				1265
				1266	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1267	polarssl_printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
				1268	( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1269
				1270	memset( iv , 0, 16 );
				1271	memset( prv, 0, 16 );
				1272	memset( buf, 0, 16 );
				1273
				1274	if( v == AES_DECRYPT )
				1275	{
				1276	aes_setkey_dec( &ctx, key, 128 + u * 64 );
				1277
				1278	for( j = 0; j < 10000; j++ )
				1279	aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
				1280
				1281	if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
				1282	{
				1283	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1284	polarssl_printf( "failed\n" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1285
Paul Bakker	c7ea99a	2014-06-18 11:12:03 +0200	[diff] [blame]	1286	ret = 1;
				1287	goto exit;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1288	}
				1289	}
				1290	else
				1291	{
				1292	aes_setkey_enc( &ctx, key, 128 + u * 64 );
				1293
				1294	for( j = 0; j < 10000; j++ )
				1295	{
				1296	unsigned char tmp[16];
				1297
				1298	aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
				1299
				1300	memcpy( tmp, prv, 16 );
				1301	memcpy( prv, buf, 16 );
				1302	memcpy( buf, tmp, 16 );
				1303	}
				1304
				1305	if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
				1306	{
				1307	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1308	polarssl_printf( "failed\n" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1309
Paul Bakker	c7ea99a	2014-06-18 11:12:03 +0200	[diff] [blame]	1310	ret = 1;
				1311	goto exit;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1312	}
				1313	}
				1314
				1315	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1316	polarssl_printf( "passed\n" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1317	}
				1318
				1319	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1320	polarssl_printf( "\n" );
Manuel Pégourié-Gonnard	92cb1d3	2013-09-13 16:24:20 +0200	[diff] [blame]	1321	#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1322
Paul Bakker	e91d01e	2011-04-19 15:55:50 +0000	[diff] [blame]	1323	#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1324	/*
				1325	* CFB128 mode
				1326	*/
				1327	for( i = 0; i < 6; i++ )
				1328	{
				1329	u = i >> 1;
				1330	v = i & 1;
				1331
				1332	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1333	polarssl_printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
				1334	( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1335
				1336	memcpy( iv, aes_test_cfb128_iv, 16 );
				1337	memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
				1338
				1339	offset = 0;
				1340	aes_setkey_enc( &ctx, key, 128 + u * 64 );
				1341
				1342	if( v == AES_DECRYPT )
				1343	{
				1344	memcpy( buf, aes_test_cfb128_ct[u], 64 );
				1345	aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
				1346
				1347	if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
				1348	{
				1349	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1350	polarssl_printf( "failed\n" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1351
Paul Bakker	c7ea99a	2014-06-18 11:12:03 +0200	[diff] [blame]	1352	ret = 1;
				1353	goto exit;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1354	}
				1355	}
				1356	else
				1357	{
				1358	memcpy( buf, aes_test_cfb128_pt, 64 );
				1359	aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
				1360
				1361	if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
				1362	{
				1363	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1364	polarssl_printf( "failed\n" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1365
Paul Bakker	c7ea99a	2014-06-18 11:12:03 +0200	[diff] [blame]	1366	ret = 1;
				1367	goto exit;
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1368	}
				1369	}
				1370
				1371	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1372	polarssl_printf( "passed\n" );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1373	}
				1374
Paul Bakker	b6ecaf5	2011-04-19 14:29:23 +0000	[diff] [blame]	1375	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1376	polarssl_printf( "\n" );
Paul Bakker	b6ecaf5	2011-04-19 14:29:23 +0000	[diff] [blame]	1377	#endif /* POLARSSL_CIPHER_MODE_CFB */
				1378
				1379	#if defined(POLARSSL_CIPHER_MODE_CTR)
				1380	/*
				1381	* CTR mode
				1382	*/
				1383	for( i = 0; i < 6; i++ )
				1384	{
				1385	u = i >> 1;
				1386	v = i & 1;
				1387
				1388	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1389	polarssl_printf( " AES-CTR-128 (%s): ",
				1390	( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker	b6ecaf5	2011-04-19 14:29:23 +0000	[diff] [blame]	1391
				1392	memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
				1393	memcpy( key, aes_test_ctr_key[u], 16 );
				1394
				1395	offset = 0;
				1396	aes_setkey_enc( &ctx, key, 128 );
				1397
				1398	if( v == AES_DECRYPT )
				1399	{
				1400	len = aes_test_ctr_len[u];
				1401	memcpy( buf, aes_test_ctr_ct[u], len );
				1402
Paul Bakker	b9e4e2c	2014-05-01 14:18:25 +0200	[diff] [blame]	1403	aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
				1404	buf, buf );
Paul Bakker	b6ecaf5	2011-04-19 14:29:23 +0000	[diff] [blame]	1405
				1406	if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
				1407	{
				1408	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1409	polarssl_printf( "failed\n" );
Paul Bakker	b6ecaf5	2011-04-19 14:29:23 +0000	[diff] [blame]	1410
Paul Bakker	c7ea99a	2014-06-18 11:12:03 +0200	[diff] [blame]	1411	ret = 1;
				1412	goto exit;
Paul Bakker	b6ecaf5	2011-04-19 14:29:23 +0000	[diff] [blame]	1413	}
				1414	}
				1415	else
				1416	{
				1417	len = aes_test_ctr_len[u];
				1418	memcpy( buf, aes_test_ctr_pt[u], len );
				1419
Paul Bakker	b9e4e2c	2014-05-01 14:18:25 +0200	[diff] [blame]	1420	aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
				1421	buf, buf );
Paul Bakker	b6ecaf5	2011-04-19 14:29:23 +0000	[diff] [blame]	1422
				1423	if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
				1424	{
				1425	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1426	polarssl_printf( "failed\n" );
Paul Bakker	b6ecaf5	2011-04-19 14:29:23 +0000	[diff] [blame]	1427
Paul Bakker	c7ea99a	2014-06-18 11:12:03 +0200	[diff] [blame]	1428	ret = 1;
				1429	goto exit;
Paul Bakker	b6ecaf5	2011-04-19 14:29:23 +0000	[diff] [blame]	1430	}
				1431	}
				1432
				1433	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1434	polarssl_printf( "passed\n" );
Paul Bakker	b6ecaf5	2011-04-19 14:29:23 +0000	[diff] [blame]	1435	}
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1436
				1437	if( verbose != 0 )
Paul Bakker	7dc4c44	2014-02-01 22:50:26 +0100	[diff] [blame]	1438	polarssl_printf( "\n" );
Paul Bakker	b6ecaf5	2011-04-19 14:29:23 +0000	[diff] [blame]	1439	#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1440
Paul Bakker	c7ea99a	2014-06-18 11:12:03 +0200	[diff] [blame]	1441	ret = 0;
				1442
				1443	exit:
				1444	aes_free( &ctx );
				1445
				1446	return( ret );
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1447	}
				1448
Paul Bakker	9af723c	2014-05-01 13:03:14 +0200	[diff] [blame]	1449	#endif /* POLARSSL_SELF_TEST */
Paul Bakker	5121ce5	2009-01-03 21:22:43 +0000	[diff] [blame]	1450
Paul Bakker	9af723c	2014-05-01 13:03:14 +0200	[diff] [blame]	1451	#endif /* POLARSSL_AES_C */